30 changes: 0 additions & 30 deletions clusters/app.ci/supplemental-ci-images/cli-yq.yaml

This file was deleted.
@@ -0,0 +1,39 @@
apiVersion: ci.openshift.io/v1
kind: MultiArchBuildConfig
metadata:
name: cli-yq
namespace: ocp
spec:
external_registries:
- quay.io/openshift/ci
build_spec:
successfulBuildsHistoryLimit: 1
failedBuildsHistoryLimit: 2
output:
pushSecret:
name: registry-push-credentials-ci-images-mirror
to:
kind: ImageStreamTag
namespace: ocp
name: cli-yq:latest
source:
dockerfile: |
FROM ocp/4.12:cli
RUN ARCH=$(uname -m) && \
case "$ARCH" in \
x86_64*) ARCH='amd64' ;; \
aarch64*) ARCH='arm64' ;; \
*) echo "Unsupported architecture: $ARCH" && exit 1 ;; \
esac && \
curl -L "https://github.com/mikefarah/yq/releases/latest/download/yq_linux_${ARCH}" -o /tmp/yq && \
chmod +x /tmp/yq
Comment on lines +28 to +29
Contributor


⚠️ Potential issue | 🔴 Critical

Install yq into PATH; /tmp/yq will not be callable as yq.

At Line 28–29, the binary is only placed in /tmp and chmodded. Consumers typically execute yq by name, so this can ship an image with no usable yq on PATH.

💡 Proposed fix
-            curl -L "https://github.com/mikefarah/yq/releases/latest/download/yq_linux_${ARCH}" -o /tmp/yq && \
-            chmod +x /tmp/yq
+            curl -fsSL "https://github.com/mikefarah/yq/releases/latest/download/yq_linux_${ARCH}" -o /usr/local/bin/yq && \
+            chmod 0755 /usr/local/bin/yq
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@clusters/build-clusters/multiarch_builds/supplemental-ci-images/cli-yq_mabc.yaml` around lines 28 - 29, the script currently downloads yq to /tmp/yq and makes it executable, but doesn't place it on PATH; update the download/install step to write the binary into a directory on PATH (e.g., /usr/local/bin/yq) and set executable permissions there so callers can run yq by name; specifically replace references to /tmp/yq with a PATH location and ensure chmod +x is applied to that target (and optionally verify installation with a --version check).

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

FILE="clusters/build-clusters/multiarch_builds/supplemental-ci-images/cli-yq_mabc.yaml"

echo "Inspect current download/install stanza:"
sed -n '22,32p' "$FILE"

echo
echo "Expected after fix:"
echo "- no 'releases/latest' URL"
echo "- checksum verification step present (e.g., sha256sum -c)"
echo "- fail-fast curl flags (e.g., -f)"
rg -n 'releases/latest|sha256sum -c|curl -f|curl -fsSL' "$FILE"

Repository: openshift/release

Length of output: 811
Avoid floating latest binary downloads without integrity verification.

Using releases/latest at line 28 makes builds non-reproducible and increases supply-chain risk. Pin a yq version and verify the checksum before installation.

Proposed hardening
-            curl -L "https://github.com/mikefarah/yq/releases/latest/download/yq_linux_${ARCH}" -o /tmp/yq && \
-            chmod +x /tmp/yq
+            YQ_VERSION=v4.44.6 && \
+            curl -fsSL "https://github.com/mikefarah/yq/releases/download/${YQ_VERSION}/checksums" -o /tmp/yq.checksums && \
+            curl -fsSL "https://github.com/mikefarah/yq/releases/download/${YQ_VERSION}/yq_linux_${ARCH}" -o /usr/local/bin/yq && \
+            grep " yq_linux_${ARCH}$" /tmp/yq.checksums | sed 's# yq_linux_# /usr/local/bin/yq#' | sha256sum -c - && \
+            chmod 0755 /usr/local/bin/yq
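Review bot: the `sed 's# yq_linux_# /usr/local/bin/yq#'` in the proposed hardening keeps the `${ARCH}` suffix, so the checksum line becomes `<hash> /usr/local/bin/yqamd64` (or `yqarm64`) and `sha256sum -c` fails on every architecture because that file does not exist. Either anchor the whole asset name, e.g. `sed "s# yq_linux_${ARCH}\$# /usr/local/bin/yq#"`, or, better, download and verify in /tmp and only then `install -m 0755` into /usr/local/bin, so an unverified binary is never written to a PATH location; also confirm the `checksums` asset is in the `<hash>  <file>` layout `sha256sum -c` accepts.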
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@clusters/build-clusters/multiarch_builds/supplemental-ci-images/cli-yq_mabc.yaml` around lines 28 - 29, the curl invocation that downloads "releases/latest" for yq should be changed to a pinned release and an integrity check added: replace the dynamic URL used in the curl that writes to /tmp/yq with a fixed versioned release (keep ${ARCH} for the arch-specific binary), download the corresponding checksum (or signature) for that specific version, verify the binary against the checksum (e.g., sha256) before chmod +x and installing, and fail the build if verification does not match; update the comments near the curl and /tmp/yq usage so the pinned VERSION and checksum verification steps are clear.
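As an added example (not from this PR or the openshift/release repository) that addresses both review comments above, the pinned download is verified in a staging directory and only then installed on PATH. It assumes a checksum file in `sha256sum` layout (`<hex>  <filename>`), so a different layout makes the lookup fail closed rather than pass, and `YQ_VERSION` is a placeholder to pin.

```shell
set -eu

# Map a kernel machine name (uname -m) to the suffix yq's release assets use.
yq_arch() {
  case "$1" in
    x86_64)  echo amd64 ;;
    aarch64) echo arm64 ;;
    *) echo "Unsupported architecture: $1" >&2; return 1 ;;
  esac
}

# verify_and_install CHECKSUM_FILE BINARY ASSET_NAME DEST
# Looks up ASSET_NAME in CHECKSUM_FILE (assumed "<sha256hex>  <filename>"
# lines), compares with the sha256 of BINARY while it is still in the staging
# directory, and only then installs it 0755 at DEST. A missing entry or a
# mismatch returns non-zero, which aborts the RUN step through the && chain.
verify_and_install() {
  cksum_file=$1; binary=$2; asset=$3; dest=$4
  expected=$(awk -v f="$asset" '$2 == f { print $1; exit }' "$cksum_file")
  if [ -z "$expected" ]; then
    echo "no checksum entry for $asset" >&2
    return 1
  fi
  actual=$(sha256sum "$binary" | awk '{ print $1 }')
  if [ "$actual" != "$expected" ]; then
    echo "checksum mismatch for $asset: expected $expected, got $actual" >&2
    rm -f "$binary"            # never leave an unverified binary behind
    return 1
  fi
  install -m 0755 "$binary" "$dest"
}

# The complete pinned flow as it would run inside the Dockerfile RUN step.
# YQ_VERSION is a placeholder: pin a real release tag before use.
install_yq() {
  ver=${YQ_VERSION:-vX.Y.Z}
  asset="yq_linux_$(yq_arch "$(uname -m)")"
  base="https://github.com/mikefarah/yq/releases/download/${ver}"
  tmp=$(mktemp -d)
  curl -fsSL "${base}/checksums" -o "${tmp}/checksums"
  curl -fsSL "${base}/${asset}" -o "${tmp}/${asset}"
  verify_and_install "${tmp}/checksums" "${tmp}/${asset}" "$asset" /usr/local/bin/yq
  rm -rf "$tmp"
  yq --version                 # prove the binary is callable by name on PATH
}
```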

RUN yum install -y jq
type: Dockerfile
strategy:
dockerStrategy:
from:
kind: ImageStreamTag
name: 4.12:cli
namespace: ocp
imageOptimizationPolicy: SkipLayers
type: Docker
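Review bot: the `case` in the RUN step exits 1 for any machine other than x86_64 and aarch64, so if this MultiArchBuildConfig is ever built for ppc64le or s390x the image build fails outright; the curl URL shows the assets follow a `yq_linux_<arch>` naming, so either add case arms for those architectures or record the two-architecture restriction in a comment so the failure is not a surprise. Separately, `RUN yum install -y jq` installs whatever version the enabled repositories serve and leaves the yum cache in the layer; consider pinning the package version and appending `&& yum clean all`.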