diff --git a/.github/renovate.json5 b/.github/renovate.json5
index d574704bf..615d4bc0d 100644
--- a/.github/renovate.json5
+++ b/.github/renovate.json5
@@ -1,9 +1,9 @@
  {
- // This configures Konflux Renovate bot, the thing that keeps our pipelines use up-to-date tasks.
+ // This configures Konflux Renovate bot a.k.a. MintMaker, the thing that keeps our pipelines use up-to-date tasks.
  // After making changes to this file, you can validate it by running something like this in the root of the repo:
  // $ docker run --rm -it --entrypoint=renovate-config-validator -v "$(pwd)":/mnt -w /mnt renovate/renovate --strict
- // Note: ignore errors about the config for `rpm`. This is to be addressed with https://issues.redhat.com/browse/CWFHEALTH-4117
+ // Note: ignore errors about the config for `rpm-lockfile`. This is to be addressed with https://issues.redhat.com/browse/CWFHEALTH-4117
  // There are more validation options, see https://docs.renovatebot.com/config-validation/
  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
@@ -59,9 +59,10 @@
  ],
  },
  },
- "rpm": {
+ "rpm-lockfile": {
  "schedule": [
  // Override Konflux custom schedule for this manager to our intended one.
+ // Note that MintMaker will create security updates outside of schedule.
  "after 3am and before 7am",
  ],
  },
@@ -69,7 +70,7 @@
  // Restrict Renovate focus on Konflux things since we rely on GitHub's dependabot for everything else.
  "tekton",
  "dockerfile",
- "rpm",
+ "rpm-lockfile",
  ],
  "packageRules": [{
  "matchPackageNames": ["*"],
diff --git a/.tekton/scanner-component-pipeline.yaml b/.tekton/scanner-component-pipeline.yaml
index f8e54a845..da47c8ec7 100644
--- a/.tekton/scanner-component-pipeline.yaml
+++ b/.tekton/scanner-component-pipeline.yaml
@@ -152,7 +152,7 @@ spec:
  - name: image-url
  # We can't provide a StackRox-style tag because it is not known at this time (requires cloning source, etc.)
  # As a workaround, we still provide a unique tag that's based on a revision in order for this task to comply with
- # its expected input. We later actually add this tag on a built image with the build-image-index-konflux task.
+ # its expected input. We later actually add this tag on a built image with the apply-index-image-tag task.
  value: $(params.output-image-repo):konflux-$(params.revision)
  - name: rebuild
  value: $(params.rebuild)
@@ -471,26 +471,21 @@ spec:
  operator: in
  values: [ "true" ]
- - name: build-image-index-konflux
+ - name: apply-index-image-tag
  params:
- - name: IMAGE
- value: $(params.output-image-repo):konflux-$(params.revision)
- - name: COMMIT_SHA
- value: $(tasks.clone-repository.results.commit)
- - name: IMAGES
+ - name: IMAGE_URL
+ value: $(tasks.build-image-index.results.IMAGE_URL)
+ - name: IMAGE_DIGEST
+ value: $(tasks.build-image-index.results.IMAGE_DIGEST)
+ - name: ADDITIONAL_TAGS
  value:
- - $(tasks.build-container-amd64.results.IMAGE_REF)
- - $(tasks.build-container-s390x.results.IMAGE_REF)
- - $(tasks.build-container-ppc64le.results.IMAGE_REF)
- - $(tasks.build-container-arm64.results.IMAGE_REF)
- - name: IMAGE_EXPIRES_AFTER
- value: $(tasks.determine-image-expiration.results.IMAGE_EXPIRES_AFTER)
+ - konflux-$(params.revision)
  taskRef:
  params:
  - name: name
- value: build-image-index
+ value: apply-tags
  - name: bundle
- value: quay.io/konflux-ci/tekton-catalog/task-build-image-index:0.1@sha256:ba7fbed5c4862968c1a77d6b90d5bdd497925ab1de41b859c027dd5c3069cd3e
+ value: quay.io/konflux-ci/tekton-catalog/task-apply-tags:0.2@sha256:f44be1bf0262471f2f503f5e19da5f0628dcaf968c86272a2ad6b4871e708448
  - name: kind
  value: task
  resolver: bundles
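Review bot: The new `apply-index-image-tag` task in the second hunk no longer passes `IMAGE_EXPIRES_AFTER` or `COMMIT_SHA`, which the removed `build-image-index-konflux` block supplied. Whether the `konflux-$(params.revision)` tag still expires for short-lived builds therefore depends on how the `build-image-index` task, which is outside this hunk, produced the index; that is worth confirming before merge. I would document this on the task with a comment such as `# Adds the konflux-<revision> tag to the index built by build-image-index; no expiration is set here.` Also check that nothing else in the pipeline still refers to `build-image-index-konflux` through `runAfter` or `$(tasks.build-image-index-konflux.results.*)`, since a stale reference would likely fail pipeline validation. The `operator`/`values` lines at the top of the hunk appear to belong to the preceding task, which starts outside the hunk.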