Containerbuild / konflux

[rnc]

No description provided.

[openshift-ci]

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

[rnc]

@vibe13 To discuss ; Previously JBS handled SBOM after the build - I suspect now Konflux should handle that?

[vibe13]

Mmmm no sure about Konflux handling java SBOMs. Rather, SBOMer could be used because it can generate good quality manifests. But, JBS has the capability to manifest the contaminated GAVs and contaminants, so we can think of JBS creating a skeleton SBOM to be later enriched by SBOMer. I would keep it in for now, then we will discuss with Marek and see how to design this. Good point!

[vibe13]

But, I would like to see the content of SBOMs generated by Konflux regardless. There were discussions about merging our generated SBOMs with Konflux generated ones.

[rnc]

At the moment we don't have any way of handling / storing the sbom - this was handled by BuildVerifyCommand but as we don't have a way as far as I know in the buildah based task to access the .m2/gradle repositories (as we don't have a shared workspace) I think this now needs to be handled specifically by Konflux.

[rnc]

Currently I haven't figured out how (if at all) we can pass the setting.xml/tls shared workspaces - I suspect we'll need a different approach.

[vibe13]

ok

[codecov]

Codecov Report

Attention: Patch coverage is 75.00000% with 66 lines in your changes missing coverage. Please review.

Project coverage is 39.51%. Comparing base (18b09dd) to head (739d5ee).
Report is 20 commits behind head on main.

Files with missing lines	Patch %	Lines
pkg/reconciler/dependencybuild/buildrecipeyaml.go	75.59%	58 Missing and 4 partials ⚠️
...edhat/hacbs/container/deploy/TagDeployCommand.java	0.00%	2 Missing ⚠️
...hat/hacbs/container/deploy/BuildVerifyCommand.java	0.00%	1 Missing ⚠️
pkg/reconciler/dependencybuild/dependencybuild.go	80.00%	1 Missing ⚠️

Additional details and impacted files

@@             Coverage Diff              @@
##               main    #1977      +/-   ##
============================================
+ Coverage     39.38%   39.51%   +0.13%     
+ Complexity      812      811       -1     
============================================
  Files           301      301              
  Lines         14040    14145     +105     
  Branches       1469     1467       -2     
============================================
+ Hits           5529     5589      +60     
- Misses         7861     7907      +46     
+ Partials        650      649       -1     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[vibe13]

I have put some more questions for the sake of my understanding but overall it makes sense to me, thanks Nick!

[vibe13]

Mmmm no sure about Konflux handling java SBOMs. Rather, SBOMer could be used because it can generate good quality manifests. But, JBS has the capability to manifest the contaminated GAVs and contaminants, so we can think of JBS creating a skeleton SBOM to be later enriched by SBOMer. I would keep it in for now, then we will discuss with Marek and see how to design this. Good point!

[vibe13]

But, I would like to see the content of SBOMs generated by Konflux regardless. There were discussions about merging our generated SBOMs with Konflux generated ones.

[vibe13]

ok

[openshift-ci]

New changes are detected. LGTM label has been removed.

[rnc]

/retest