diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS
index fa60011c6..7753caa21 100644
--- a/.github/CODEOWNERS
+++ b/.github/CODEOWNERS
@@ -4,11 +4,11 @@
 * @stackrox/scanner
-# The RHTAP maintainers for ACS review all changes related to the Konflux pipelines, such as new
-# pipelines, parameter changes or automated task updates as well as Dockerfile updates.
-# rhacs-bot auto-approves MintMaker PRs for automated task and security updates.
-**/konflux.*Dockerfile @stackrox/rhtap-maintainers @rhacs-bot
-/.konflux/ @stackrox/rhtap-maintainers @rhacs-bot
-/.tekton/ @stackrox/rhtap-maintainers @rhacs-bot
-rpms.* @stackrox/rhtap-maintainers @rhacs-bot
-.github/renovate.json5 @stackrox/rhtap-maintainers
+# The Konflux maintainers for ACS review all changes related to the Konflux pipelines, Dockerfiles, etc.
+# Release engineers need to merge MintMaker PRs at the time of release.
+# rhacs-bot needs ability to auto-approve MintMaker PRs for automated task and security updates.
+**/konflux.*Dockerfile @stackrox/konflux-maintainers-no-email @stackrox/release-mgmt-no-email @rhacs-bot
+/.tekton/ @stackrox/konflux-maintainers-no-email @stackrox/release-mgmt-no-email @rhacs-bot
+rpms.* @stackrox/konflux-maintainers-no-email @stackrox/release-mgmt-no-email @rhacs-bot
+/.konflux/ @stackrox/konflux-maintainers
+.github/renovate.json5 @stackrox/konflux-maintainers
diff --git a/.github/workflows/auto-approve.yml b/.github/workflows/auto-approve.yml
index 5277bbace..85579a05d 100644
--- a/.github/workflows/auto-approve.yml
+++ b/.github/workflows/auto-approve.yml
@@ -1,7 +1,7 @@
 name: auto-merge
 on:
- pull_request_target:
+ pull_request:
 types:
 - labeled
diff --git a/.github/workflows/tag-more-reviewers.yaml b/.github/workflows/tag-more-reviewers.yaml
new file mode 100644
index 000000000..f4233751c
--- /dev/null
+++ b/.github/workflows/tag-more-reviewers.yaml
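Review bot: Moving `/.konflux/` below `**/konflux.*Dockerfile` and `rpms.*` changes which owners win, because CODEOWNERS applies the last matching pattern: a Dockerfile or `rpms.*` lock file that lives under `.konflux/` now resolves to `@stackrox/konflux-maintainers` alone and loses `@rhacs-bot`, so a MintMaker PR touching such a file could no longer be auto-approved. Before this change all five rules named the same owners, so their order had no effect; whether any such file exists under `.konflux/` is not visible here. The new comment block explains the bot and release-mgmt owners but not why `/.konflux/` and `renovate.json5` are now human-only, so if that is deliberate add a line such as `# /.konflux/ and renovate.json5 are reviewed by humans only; rhacs-bot must not auto-approve changes there.`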
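Review bot: With `pull_request` in place of `pull_request_target`, a run for a PR opened from a fork receives no repository secrets and a read-only `GITHUB_TOKEN`, so whatever approve or merge step follows in the jobs (outside this hunk) will fail or be skipped for fork-origin PRs, and applying the label to such a PR now produces a failing run instead of a privileged one. That is the safer direction, since PR-controlled content never runs with the base repository's secrets, but the trigger should carry the assumption it relies on, e.g. `# pull_request, not pull_request_target: the PRs this auto-merges are expected to come from in-repo branches, so secrets are available; fork PRs must never run with them.` If fork PRs can carry the label, consider gating the job with `if: github.event.pull_request.head.repo.full_name == github.repository` so they do not surface as red checks.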
@@ -0,0 +1,30 @@
+name: Tag more reviewers
+
+on:
+ pull_request:
+ types:
+ - review_requested
+
+jobs:
+ tag-konflux-maintainers:
+ # We have lots of PR traffic from MintMaker (acting as `red-hat-konflux[bot]`), and so it's unsustainable to go
+ # through these emails every day. Therefore, the notifications are disabled for `konflux-maintainers-no-email`
+ # team that's set as owner in CODEOWNERS for the Konflux stuff.
+ # At the same time, we want to be notified when humans, not the bot, request reviews (which happens automatically
+ # again through CODEOWNERS) for the Konflux-related files. This job invites `konflux-maintainers` team for review
+ # for such cases.
+ if: |
+ github.event.requested_team.name == 'konflux-maintainers-no-email' &&
+ github.event.pull_request.user.login != 'red-hat-konflux[bot]'
+ env:
+ GH_TOKEN: ${{ secrets.RHACS_BOT_GITHUB_TOKEN }}
+ runs-on: ubuntu-latest
+ steps:
+ - name: Tag Konflux Maintainers for review
+ run: |
+ exec gh api \
+ --method POST \
+ -H "Accept: application/vnd.github+json" \
+ -H "X-GitHub-Api-Version: 2022-11-28" \
+ "/repos/${{ github.repository }}/pulls/${{ github.event.pull_request.number }}/requested_reviewers" \
+ --input - <<< '{ "team_reviewers": [ "konflux-maintainers" ] }'
diff --git a/.tekton/scanner-component-pipeline.yaml b/.tekton/scanner-component-pipeline.yaml
index 758ed0395..f80aafd07 100644
--- a/.tekton/scanner-component-pipeline.yaml
+++ b/.tekton/scanner-component-pipeline.yaml
@@ -2,8 +2,11 @@ apiVersion: tekton.dev/v1
 kind: Pipeline
 metadata:
 name: scanner-component-pipeline
+
 spec:
+
 finally:
+
 - name: slack-notification
 params:
 - name: message
@@ -11,10 +14,10 @@ spec:
 - name: key-name
 value: 'acs-konflux-notifications'
 when:
- # Run when any task has Failed
+ # Run when any task has Failed
 - input: $(tasks.status)
 operator: in
- values: ["Failed"]
+ values: [ "Failed" ]
 taskRef:
 params:
 - name: name
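Review bot: The new workflow declares no `permissions:` block, so the job's default `GITHUB_TOKEN` keeps whatever the repository default grants even though its only step authenticates with `RHACS_BOT_GITHUB_TOKEN`; add `permissions: {}` at the top level (or `contents: read` if a later step needs it) so that token cannot be used for anything else. `review_requested` also fires for PRs opened from forks, and under `pull_request` the secret is empty for those runs, so `gh api` would fail to authenticate on exactly the human-authored PRs the `if:` selects; if fork PRs are expected, add `github.event.pull_request.head.repo.full_name == github.repository` to the condition, otherwise the failing check should be an accepted outcome. Moving `GH_TOKEN` from the job-level `env:` to the step's `env:` keeps the PAT out of any step added later, and a `timeout-minutes:` on the job bounds a hung API call.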
@@ -24,6 +27,7 @@ spec:
 - name: kind
 value: task
 resolver: bundles
+
 - name: show-sbom
 params:
 - name: IMAGE_URL
@@ -37,6 +41,7 @@ spec:
 - name: kind
 value: task
 resolver: bundles
+
 - name: post-metric-end
 params:
 - name: AGGREGATE_TASKS_STATUS
@@ -50,6 +55,7 @@ spec:
 - name: kind
 value: task
 resolver: bundles
+
 params:
 - description: Source Repository URL
 name: git-url
@@ -108,7 +114,7 @@ spec:
 description: Build stage to target in container build
 name: build-target-stage
 type: string
- - default: []
+ - default: [ ]
 description: List of scanner-data file names to fetch to include in the container build.
 name: blobs-to-fetch
 type: array
@@ -134,6 +140,7 @@ spec:
 - name: extra-labels
 type: array
 description: Additional labels to put on the built containers.
+
 results:
 - description: ""
 name: IMAGE_URL
@@ -147,17 +154,21 @@ spec:
 - description: ""
 name: CHAINS-GIT_COMMIT
 value: $(tasks.clone-repository.results.commit)
+
 workspaces:
 - name: git-auth
+
 tasks:
+
 - name: post-metric-start
 taskRef: *post-bigquery-metrics-ref
+
 - name: init
 params:
 - name: image-url
- # We can't provide a StackRox-style tag because it is not known at this time (requires cloning source, etc.)
- # As a workaround, we still provide a unique tag that's based on a revision in order for this task to comply with
- # its expected input. We later actually add this tag on a built image with the apply-index-image-tag task.
+ # We can't provide a StackRox-style tag because it is not known at this time (requires cloning source, etc.)
+ # As a workaround, we still provide a unique tag that's based on a revision in order for this task to comply with
+ # its expected input. We later actually add this tag on a built image with the apply-index-image-tag task.
 value: $(params.output-image-repo):konflux-$(params.revision)
 - name: rebuild
 value: $(params.rebuild)
@@ -172,6 +183,7 @@ spec:
 - name: kind
 value: task
 resolver: bundles
+
 - name: clone-repository
 params:
 - name: url
@@ -198,10 +210,11 @@ spec:
 when:
 - input: $(tasks.init.results.build)
 operator: in
- values: ["true"]
+ values: [ "true" ]
 workspaces:
 - name: basic-auth
 workspace: git-auth
+
 - name: determine-image-expiration
 params:
 - name: DEFAULT_IMAGE_EXPIRES_AFTER
@@ -217,6 +230,7 @@ spec:
 - name: kind
 value: task
 resolver: bundles
+
 - name: determine-image-tag
 params:
 - name: TAG_SUFFIX
@@ -232,10 +246,11 @@ spec:
 - name: kind
 value: task
 resolver: bundles
+
 - name: fetch-scanner-data
 params:
 - name: BLOBS_TO_FETCH
- value: ["$(params.blobs-to-fetch[*])"]
+ value: [ "$(params.blobs-to-fetch[*])" ]
 - name: TARGET_DIR
 value: .konflux/scanner-data
 - name: SOURCE_ARTIFACT
@@ -253,6 +268,7 @@ spec:
 - name: kind
 value: task
 resolver: bundles
+
 - name: prefetch-dependencies
 params:
 - name: input
@@ -265,7 +281,7 @@ spec:
 value: $(params.oci-artifact-expires-after)
 - name: ACTIVATION_KEY
 value: subscription-manager-activation-key-prod
- # Required for RPM prefetching support
+ # Required for RPM prefetching support
 - name: dev-package-managers
 value: "true"
 taskRef:
@@ -280,6 +296,7 @@ spec:
 workspaces:
 - name: git-basic-auth
 workspace: git-auth
+
 - name: build-images
 matrix:
 params:
@@ -315,7 +332,7 @@ spec:
 - name: BUILDAH_FORMAT
 value: $(params.buildah-format)
 - name: LABELS
- value: ["$(params.extra-labels[*])"]
+ value: [ "$(params.extra-labels[*])" ]
 - name: BUILD_TIMESTAMP
 value: "$(tasks.clone-repository.results.commit-timestamp)"
 taskRef:
@@ -330,7 +347,8 @@ spec:
 when:
 - input: $(tasks.init.results.build)
 operator: in
- values: ["true"]
+ values: [ "true" ]
+
 - name: build-image-index
 params:
 - name: IMAGE
@@ -357,7 +375,8 @@ spec:
 when:
 - input: $(tasks.init.results.build)
 operator: in
- values: ["true"]
+ values: [ "true" ]
+
 - name: apply-index-image-tag
 params:
 - name: IMAGE_URL
@@ -379,7 +398,8 @@ spec:
 when:
 - input: $(tasks.init.results.build)
 operator: in
- values: ["true"]
+ values: [ "true" ]
+
 - name: build-source-image
 params:
 - name: BINARY_IMAGE
@@ -402,10 +422,11 @@ spec:
 when:
 - input: $(tasks.init.results.build)
 operator: in
- values: ["true"]
+ values: [ "true" ]
 - input: $(params.build-source-image)
 operator: in
- values: ["true"]
+ values: [ "true" ]
+
 - name: deprecated-base-image-check
 params:
 - name: IMAGE_URL
@@ -424,7 +445,8 @@ spec:
 when:
 - input: $(params.skip-checks)
 operator: in
- values: ["false"]
+ values: [ "false" ]
+
 - name: clair-scan
 matrix:
 params:
@@ -448,7 +470,8 @@ spec:
 when:
 - input: $(params.skip-checks)
 operator: in
- values: ["false"]
+ values: [ "false" ]
+
 - name: ecosystem-cert-preflight-checks
 matrix:
 params:
@@ -470,7 +493,8 @@ spec:
 when:
 - input: $(params.skip-checks)
 operator: in
- values: ["false"]
+ values: [ "false" ]
+
 - name: sast-shell-check
 params:
 - name: image-digest
@@ -493,7 +517,8 @@ spec:
 when:
 - input: $(params.skip-checks)
 operator: in
- values: ["false"]
+ values: [ "false" ]
+
 - name: sast-unicode-check
 params:
 - name: image-digest
@@ -516,7 +541,8 @@ spec:
 when:
 - input: $(params.skip-checks)
 operator: in
- values: ["false"]
+ values: [ "false" ]
+
 - name: sast-snyk-check
 params:
 - name: SOURCE_ARTIFACT
@@ -539,7 +565,8 @@ spec:
 when:
 - input: $(params.skip-checks)
 operator: in
- values: ["false"]
+ values: [ "false" ]
+
 - name: clamav-scan
 matrix:
 params:
@@ -563,7 +590,8 @@ spec:
 when:
 - input: $(params.skip-checks)
 operator: in
- values: ["false"]
+ values: [ "false" ]
+
 - name: rpms-signature-scan
 params:
 - name: image-digest
@@ -582,7 +610,8 @@ spec:
 when:
 - input: $(params.skip-checks)
 operator: in
- values: ["false"]
+ values: [ "false" ]
+
 - name: push-dockerfile
 params:
 - name: IMAGE