Add index audit Github workflow #19248
Conversation
[APPROVALNOTIFIER] This PR is NOT APPROVED. This pull-request has been approved by: aThorp96. The full list of commands accepted by this bot can be found here. Details: Needs approval from an approver in each of these files. Approvers can indicate their approval by writing
e6dac66 to c091e5d (Compare)

@aThorp96
Instead of this workflow, can we do something in Konflux where we can make sure that project.yaml is updated with all images from the latest push snapshot?
c091e5d to ab0088d (Compare)
Thanks for the review @pramodbindal. I had considered putting this in Konflux but I wasn't sure exactly where. If there is a good place to put it in Konflux, let's do that. Maybe it could even just be a standalone pipelinerun? Fast feedback would be helpful, I think, so a release captain can see early when an image is expired or a component didn't get nudged. Regarding the race condition, that makes sense to me. If the images are red-hat-private as well, this automation will fail to pull them. For nightlies I don't think this is a concern.
This commit adds a workflow which audits the project.yaml and CSV to validate that all images exist and that all images which share a source repository were built off of the same revision
ab0088d to 08113f2 (Compare)
Pull request overview
This PR introduces a GitHub Actions workflow to audit project.yaml and the operator CSV for (a) referenced image existence and (b) consistency of source revisions across images that originate from the same source repository, helping detect expired/missing images and partial rebuilds in component repos.
Changes:
- Add a new GitHub Actions workflow to run the index/image audit on PRs and pushes to `next` and `release-*` branches.
- Add a Bash audit script that enumerates images from `project.yaml` and the CSV, inspects them via `skopeo`, and reports missing images / revision mismatches via annotations and the step summary.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 4 comments.
| File | Description |
|---|---|
| .github/workflows/audit-index.yaml | Adds the CI workflow entrypoint that checks out the repo and runs the audit script. |
| .github/audit-project.sh | Implements the audit logic: collect image references, inspect images, and report missing images or inconsistent source revisions. |
| runs-on: ubuntu-latest | ||
| steps: | ||
| - name: Checkout repository | ||
| uses: actions/checkout@v4 | ||
| with: | ||
| fetch-depth: 0 | ||
| - name: Collect images per repo | ||
| run: .github/audit-project.sh |
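Review bot: `fetch-depth: 0` pulls the full git history, but `audit-project.sh` only reads `project.yaml` and the CSV from the checkout, so the default shallow clone would do and would keep the job faster on release branches. The workflow also relies on `skopeo` and `jq` being present on `ubuntu-latest` with no install or version-check step, so a runner image change would surface as a confusing script failure rather than a clear "tool missing" error; consider dropping `fetch-depth: 0` and adding an explicit step that installs (or at least verifies) `skopeo` and `jq`.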
| echo "Checking ${image}" | ||
| if [[ "${image}" != *"openshift-pipeline"* ]] && [[ "${image}" != *"tekton"* ]]; then | ||
| echo "Skipping ${image}, not an openshift pipelines image" | ||
| continue | ||
| fi | ||
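Review bot: the substring filter `*"openshift-pipeline"*` / `*"tekton"*` matches anywhere in the reference, so any registry host, namespace or tag containing `tekton` passes, while a pipelines image published under a different repository prefix is skipped with only a log line and no entry in the step summary. Matching explicitly on the registry/namespace prefix, and counting skipped images in the summary, would make the actual scope of the audit visible to the release captain.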
| image_data=$(skopeo inspect --config "docker://${image}" || echo '{}') | ||
| if [[ "${image_data}" == '{}' ]]; then | ||
| grep -n "${image}" "${source_file}" | cut -d ':' -f1| while read -r line_no; do | ||
| echo "::error file=${source_file},line=${line_no},title=Missing image in ${context}::Could not fetch ${image}" | ||
| done | ||
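Review bot: `skopeo inspect ... || echo '{}'` folds every failure (auth denied, network error, registry rate limit) into "Missing image", and `skopeo`'s stderr is discarded, so a transient registry error on a PR run would be reported as an expired image. Capturing stderr into the error annotation and retrying once, or distinguishing a not-found response from other failures, would keep the signal trustworthy. Separately, `grep -n "${image}"` uses the image reference as a regex (the `.` in the registry host and digest matches any character), so `grep -nF` is the safer spelling; the missing space in `cut -d ':' -f1| while` is a style nit.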
| echo "- Image ${image} not found" >> "${errors}" | ||
| continue | ||
| fi | ||
| labels=$(echo "${image_data}" | jq '.config.Labels') | ||
| repository=$(echo -n "${labels}" | jq -r '.["io.openshift.build.source-location"]') | ||
| revision=$(echo -n "${labels}" | jq -r '.["io.openshift.build.commit.id"]') | ||
| if [[ -z "${repository}" ]]; then | ||
| echo "Unable to find source location for ${image}" | ||
| else | ||
| repository=$(echo "${repository}" | cut -d '/' -f 4- | tr '/' '_') | ||
| fi | ||
| echo "${revision}" >> "repos/${repository}" | ||
| echo "${image}" >> "images/${revision}" |
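Review bot: `jq -r` prints the literal string `null` for an absent label, so the `[[ -z "${repository}" ]]` guard never fires when `io.openshift.build.source-location` is missing, and every unlabelled image is grouped under `repos/null` (and under `images/null` when the commit id is missing), which would produce a spurious "Inconsistent source commits" warning between unrelated images. In the genuinely empty case the code still falls through to `echo "${revision}" >> "repos/${repository}"`, i.e. `repos/`, which fails with "Is a directory". Suggest treating `null` like empty (`jq -r '.["io.openshift.build.source-location"] // empty'`) and `continue`-ing after the "Unable to find source location" message so such images are reported rather than grouped.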
| pushd repos | ||
| trap "popd" RETURN | ||
| for repo in *; do |
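Review bot: `for repo in *` inside `repos` iterates over the literal `*` when the directory is empty (every image failed to fetch, or all were filtered out) unless `nullglob` is set, so the loop body would then try to read a file named `*`. Guard with `shopt -s nullglob` or `[[ -e "${repo}" ]] || continue`. Also `trap "popd" RETURN` only fires inside a function, and `popd` echoes the directory stack into the job log; `popd >/dev/null` keeps it quiet.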
| echo "${all_images}" | while read -r image; do | ||
| grep -n "${image}" "${source_file}" | cut -d ':' -f1 | while read -r line_no; do | ||
| echo "::warning file=${source_file},line=${line_no},title=Inconsistent source commits::repository: ${repo}, revision: ${revision}, images reference revisions: ${all_revisions_oneline}" | ||
| done |
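Review bot: the inconsistent-revision finding is emitted at `::warning` level, so a component repo whose images were only partially rebuilt does not turn the job red and a reviewer has to notice the annotation; since the PR description names this partial-nudge case as one of the two conditions the audit exists to catch, consider `::error` (or a non-zero exit at the end of the script, as is presumably done for missing images via `${errors}`). The `grep -n "${image}"` here has the same regex-vs-literal issue as the missing-image branch; `grep -nF` fixes both.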
This commit adds a workflow which audits the project.yaml and CSV to validate that all images exist and that all images which share a source repository were built off of the same revision.
This check is useful to detect when an image in `project.yaml` expires, or when a component repository's Konflux CI fails to build/nudge all of the component's images leaving some images out of date. If this is approved and merged, I will also copy it to the `main` branch and all release branches, and update `hack` automation to ensure it's propagated to new release branches automatically
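The revision-consistency check the PR describes, written out as an added POSIX shell example (this is not the PR's `audit-project.sh`, and it deliberately skips the `skopeo`/`jq` fetch step): the input lines stand in for the `io.openshift.build.source-location` and `io.openshift.build.commit.id` labels that `skopeo inspect --config | jq -r` would yield, with `null` standing for an absent label exactly as `jq -r` prints it. The sample image references, repositories and commit ids below are constructed, and `repo_key` reproduces the `cut -d '/' -f 4- | tr '/' '_'` normalisation used in the PR's script. The example groups revisions per source repository in a scratch directory, reports unlabelled images instead of grouping them under a bogus `null` key, and returns non-zero when any repository's images disagree, so it can be used as a failing check rather than a warning.

```shell
#!/bin/sh
# Added example, not the PR's script: audit that images built from the same
# source repository carry the same commit id.
#
# Constructed sample input, one image per line: "<image> <source-location> <commit-id>".
# The last line mimics an image whose build labels are missing; `jq -r` prints
# the literal string "null" for an absent label, which is what we model here.
SAMPLE_LABELS='registry.example/openshift-pipelines/pipeline-controller-rhel9@sha256:aaa https://github.com/openshift-pipelines/pipeline 1111111
registry.example/openshift-pipelines/pipeline-webhook-rhel9@sha256:bbb https://github.com/openshift-pipelines/pipeline 2222222
registry.example/openshift-pipelines/triggers-controller-rhel9@sha256:ccc https://github.com/openshift-pipelines/triggers 3333333
registry.example/openshift-pipelines/triggers-webhook-rhel9@sha256:ddd https://github.com/openshift-pipelines/triggers 3333333
registry.example/openshift-pipelines/mystery-rhel9@sha256:eee null null'

# Normalise a source-location URL to a file-safe repository key, the same way
# the PR's script does: drop scheme and host, replace '/' with '_'.
# https://github.com/org/repo -> org_repo
repo_key() {
    printf '%s\n' "$1" | cut -d '/' -f 4- | tr '/' '_'
}

# Read "<image> <location> <revision>" lines on stdin, group revisions per
# repository in a scratch directory, and print one "mismatch:" line per
# repository whose images disagree. Images with an empty or "null" label are
# printed as "unlabelled:" and excluded from grouping. Returns 1 if any
# mismatch was found, 0 otherwise.
audit_revisions() {
    workdir=$(mktemp -d)
    status=0
    while read -r image location revision; do
        [ -n "$image" ] || continue
        # Treat "null" the same as an empty label: unlabelled images must not
        # all collapse into a single bogus "null" repository.
        if [ -z "$location" ] || [ "$location" = null ] \
           || [ -z "$revision" ] || [ "$revision" = null ]; then
            echo "unlabelled: $image"
            continue
        fi
        key=$(repo_key "$location")
        printf '%s %s\n' "$revision" "$image" >> "$workdir/$key"
    done
    for repofile in "$workdir"/*; do
        # An empty scratch directory leaves the glob unexpanded; skip it.
        [ -e "$repofile" ] || continue
        distinct=$(cut -d ' ' -f1 "$repofile" | sort -u | wc -l | tr -d ' ')
        if [ "$distinct" -gt 1 ]; then
            revs=$(cut -d ' ' -f1 "$repofile" | sort -u | tr '\n' ' ')
            echo "mismatch: $(basename "$repofile") revisions: $revs"
            status=1
        fi
    done
    rm -rf "$workdir"
    return $status
}

# Stand-alone run over the constructed sample: one unlabelled image and one
# repository (pipeline) whose two images were built from different commits.
printf '%s\n' "$SAMPLE_LABELS" | audit_revisions \
    || echo "audit found problems (exit status $?)"
```

Feeding the function real data is a matter of replacing the sample with the output of the per-image `skopeo inspect --config ... | jq -r` extraction; because the function's exit status reflects the result, the workflow step fails on a partial rebuild instead of leaving a warning annotation for someone to notice.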