From be9f6da72a7cb52309a56d0ef3661d47b9945706 Mon Sep 17 00:00:00 2001
From: Misha Sugakov <537715+msugakov@users.noreply.github.com>
Date: Thu, 20 Nov 2025 11:28:55 +0100
Subject: [PATCH 1/5] ROX-31146: Reduce spam of Konflux PRs, releasers can approve (#2387)

---
 .github/CODEOWNERS | 15 ++++++------
 .github/workflows/tag-more-reviewers.yaml | 30 +++++++++++++++++++++++
 2 files changed, 38 insertions(+), 7 deletions(-)
 create mode 100644 .github/workflows/tag-more-reviewers.yaml

diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS
index fa60011c6..36d2d0958 100644
--- a/.github/CODEOWNERS
+++ b/.github/CODEOWNERS
@@ -4,11 +4,12 @@
 * @stackrox/scanner
-# The RHTAP maintainers for ACS review all changes related to the Konflux pipelines, such as new
+# The Konflux maintainers for ACS review all changes related to the Konflux pipelines, such as new
 # pipelines, parameter changes or automated task updates as well as Dockerfile updates.
-# rhacs-bot auto-approves MintMaker PRs for automated task and security updates.
-**/konflux.*Dockerfile @stackrox/rhtap-maintainers @rhacs-bot
-/.konflux/ @stackrox/rhtap-maintainers @rhacs-bot
-/.tekton/ @stackrox/rhtap-maintainers @rhacs-bot
-rpms.* @stackrox/rhtap-maintainers @rhacs-bot
-.github/renovate.json5 @stackrox/rhtap-maintainers
+# Release engineers need to merge MintMaker PRs at the time of release.
+# rhacs-bot needs ability to auto-approve MintMaker PRs for automated task and security updates.
+**/konflux.*Dockerfile @stackrox/konflux-maintainers-no-email @stackrox/release-mgmt-no-email @rhacs-bot
+/.konflux/ @stackrox/konflux-maintainers-no-email @stackrox/release-mgmt-no-email @rhacs-bot
+/.tekton/ @stackrox/konflux-maintainers-no-email @stackrox/release-mgmt-no-email @rhacs-bot
+rpms.* @stackrox/konflux-maintainers-no-email @stackrox/release-mgmt-no-email @rhacs-bot
+.github/renovate.json5 @stackrox/konflux-maintainers-no-email @stackrox/release-mgmt-no-email
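Review bot: The new comment block explains why `@rhacs-bot` is on the four pipeline rules but not why the last rule, `.github/renovate.json5`, deliberately omits it, so a later edit may add the bot there as well and let it approve changes to the file that decides which automated PRs get opened. A one-line comment above that rule would pin the intent, e.g. `# renovate.json5 shapes what MintMaker opens, so it is never bot-approved.` — presumably that is the reason; confirm. Listing a bot as a code owner only makes its approval eligible to satisfy a Code Owners review requirement; whether it is actually accepted is decided by the branch protection settings, so a pointer to where those live would help the next reader of this file.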
diff --git a/.github/workflows/tag-more-reviewers.yaml b/.github/workflows/tag-more-reviewers.yaml
new file mode 100644
index 000000000..f4233751c
--- /dev/null
+++ b/.github/workflows/tag-more-reviewers.yaml
@@ -0,0 +1,30 @@
+name: Tag more reviewers
+
+on:
+ pull_request:
+ types:
+ - review_requested
+
+jobs:
+ tag-konflux-maintainers:
+ # We have lots of PR traffic from MintMaker (acting as `red-hat-konflux[bot]`), and so it's unsustainable to go
+ # through these emails every day. Therefore, the notifications are disabled for `konflux-maintainers-no-email`
+ # team that's set as owner in CODEOWNERS for the Konflux stuff.
+ # At the same time, we want to be notified when humans, not the bot, request reviews (which happens automatically
+ # again through CODEOWNERS) for the Konflux-related files. This job invites `konflux-maintainers` team for review
+ # for such cases.
+ if: |
+ github.event.requested_team.name == 'konflux-maintainers-no-email' &&
+ github.event.pull_request.user.login != 'red-hat-konflux[bot]'
+ env:
+ GH_TOKEN: ${{ secrets.RHACS_BOT_GITHUB_TOKEN }}
+ runs-on: ubuntu-latest
+ steps:
+ - name: Tag Konflux Maintainers for review
+ run: |
+ exec gh api \
+ --method POST \
+ -H "Accept: application/vnd.github+json" \
+ -H "X-GitHub-Api-Version: 2022-11-28" \
+ "/repos/${{ github.repository }}/pulls/${{ github.event.pull_request.number }}/requested_reviewers" \
+ --input - <<< '{ "team_reviewers": [ "konflux-maintainers" ] }'
From e56ab164a23a66ae7369bbc7d0fb4ee60f456a7a Mon Sep 17 00:00:00 2001
From: Misha Sugakov <537715+msugakov@users.noreply.github.com>
Date: Mon, 24 Nov 2025 12:47:39 +0100
Subject: [PATCH 2/5] chore: Restore blank lines and auto-formatting (#2425)

---
 .tekton/scanner-component-pipeline.yaml | 75 +++++++++++++++++--------
 1 file changed, 52 insertions(+), 23 deletions(-)

diff --git a/.tekton/scanner-component-pipeline.yaml b/.tekton/scanner-component-pipeline.yaml
index 758ed0395..13150e239 100644
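Review bot: `GH_TOKEN` is taken from `secrets.RHACS_BOT_GITHUB_TOKEN`, but the workflow triggers on `pull_request`, under which a PR opened from a fork runs without repository secrets; for such PRs the variable is empty and the `gh api` call fails, which is exactly the human-authored case the `if:` selects if contributors work from forks. The job also declares no `permissions:`; since it authenticates with the PAT anyway, a top-level `permissions: {}` removes the default `GITHUB_TOKEN` grant it does not use. As a point of style, `${{ github.repository }}` and `${{ github.event.pull_request.number }}` are expanded inside the `run:` script; neither is a free-form string, but passing them through `env:` and reading `$REPO` / `$PR_NUMBER` in the shell keeps the script free of expression expansion altogether.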
--- a/.tekton/scanner-component-pipeline.yaml +++ b/.tekton/scanner-component-pipeline.yaml @@ -2,8 +2,11 @@ apiVersion: tekton.dev/v1 kind: Pipeline metadata: name: scanner-component-pipeline + spec: + finally: + - name: slack-notification params: - name: message @@ -11,10 +14,10 @@ spec: - name: key-name value: 'acs-konflux-notifications' when: - # Run when any task has Failed + # Run when any task has Failed - input: $(tasks.status) operator: in - values: ["Failed"] + values: [ "Failed" ] taskRef: params: - name: name @@ -24,6 +27,7 @@ spec: - name: kind value: task resolver: bundles + - name: show-sbom params: - name: IMAGE_URL @@ -37,6 +41,7 @@ spec: - name: kind value: task resolver: bundles + - name: post-metric-end params: - name: AGGREGATE_TASKS_STATUS @@ -50,6 +55,7 @@ spec: - name: kind value: task resolver: bundles + params: - description: Source Repository URL name: git-url @@ -108,7 +114,7 @@ spec: description: Build stage to target in container build name: build-target-stage type: string - - default: [] + - default: [ ] description: List of scanner-data file names to fetch to include in the container build. name: blobs-to-fetch type: array @@ -134,6 +140,7 @@ spec: - name: extra-labels type: array description: Additional labels to put on the built containers. + results: - description: "" name: IMAGE_URL 
@@ -147,17 +154,21 @@ spec: - description: "" name: CHAINS-GIT_COMMIT value: $(tasks.clone-repository.results.commit) + workspaces: - name: git-auth + tasks: + - name: post-metric-start taskRef: *post-bigquery-metrics-ref + - name: init params: - name: image-url - # We can't provide a StackRox-style tag because it is not known at this time (requires cloning source, etc.) - # As a workaround, we still provide a unique tag that's based on a revision in order for this task to comply with - # its expected input. We later actually add this tag on a built image with the apply-index-image-tag task. + # We can't provide a StackRox-style tag because it is not known at this time (requires cloning source, etc.) + # As a workaround, we still provide a unique tag that's based on a revision in order for this task to comply with + # its expected input. We later actually add this tag on a built image with the apply-index-image-tag task. value: $(params.output-image-repo):konflux-$(params.revision) - name: rebuild value: $(params.rebuild) @@ -172,6 +183,7 @@ spec: - name: kind value: task resolver: bundles + - name: clone-repository params: - name: url @@ -198,10 +210,11 @@ spec: when: - input: $(tasks.init.results.build) operator: in - values: ["true"] + values: [ "true" ] workspaces: - name: basic-auth workspace: git-auth + - name: determine-image-expiration params: - name: DEFAULT_IMAGE_EXPIRES_AFTER @@ -217,6 +230,7 @@ spec: - name: kind value: task resolver: bundles + - name: determine-image-tag params: - name: TAG_SUFFIX @@ -232,10 +246,11 @@ spec: - name: kind value: task resolver: bundles + - name: fetch-scanner-data params: - name: BLOBS_TO_FETCH - value: ["$(params.blobs-to-fetch[*])"] + value: [ "$(params.blobs-to-fetch[*])" ] - name: TARGET_DIR value: .konflux/scanner-data - name: SOURCE_ARTIFACT @@ -253,6 +268,7 @@ spec: - name: kind value: task resolver: bundles + - name: prefetch-dependencies params: - name: input 
@@ -265,7 +281,7 @@ spec: value: $(params.oci-artifact-expires-after) - name: ACTIVATION_KEY value: subscription-manager-activation-key-prod - # Required for RPM prefetching support + # Required for RPM prefetching support - name: dev-package-managers value: "true" taskRef: @@ -280,6 +296,7 @@ spec: workspaces: - name: git-basic-auth workspace: git-auth + - name: build-images matrix: params: @@ -315,7 +332,7 @@ spec: - name: BUILDAH_FORMAT value: $(params.buildah-format) - name: LABELS - value: ["$(params.extra-labels[*])"] + value: [ "$(params.extra-labels[*])" ] - name: BUILD_TIMESTAMP value: "$(tasks.clone-repository.results.commit-timestamp)" taskRef: @@ -330,7 +347,8 @@ spec: when: - input: $(tasks.init.results.build) operator: in - values: ["true"] + values: [ "true" ] + - name: build-image-index params: - name: IMAGE @@ -357,7 +375,8 @@ spec: when: - input: $(tasks.init.results.build) operator: in - values: ["true"] + values: [ "true" ] + - name: apply-index-image-tag params: - name: IMAGE_URL @@ -379,7 +398,8 @@ spec: when: - input: $(tasks.init.results.build) operator: in - values: ["true"] + values: [ "true" ] + - name: build-source-image params: - name: BINARY_IMAGE @@ -402,10 +422,11 @@ spec: when: - input: $(tasks.init.results.build) operator: in - values: ["true"] + values: [ "true" ] - input: $(params.build-source-image) operator: in - values: ["true"] + values: [ "true" ] + - name: deprecated-base-image-check params: - name: IMAGE_URL @@ -424,7 +445,8 @@ spec: when: - input: $(params.skip-checks) operator: in - values: ["false"] + values: [ "false" ] + - name: clair-scan matrix: params: @@ -448,7 +470,8 @@ spec: when: - input: $(params.skip-checks) operator: in - values: ["false"] + values: [ "false" ] + - name: ecosystem-cert-preflight-checks matrix: params: @@ -470,7 +493,8 @@ spec: when: - input: $(params.skip-checks) operator: in - values: ["false"] + values: [ "false" ] + - name: sast-shell-check params: - name: image-digest 
@@ -493,7 +517,8 @@ spec: when: - input: $(params.skip-checks) operator: in - values: ["false"] + values: [ "false" ] + - name: sast-unicode-check params: - name: image-digest @@ -516,7 +541,8 @@ spec: when: - input: $(params.skip-checks) operator: in - values: ["false"] + values: [ "false" ] + - name: sast-snyk-check params: - name: SOURCE_ARTIFACT @@ -539,7 +565,8 @@ spec: when: - input: $(params.skip-checks) operator: in - values: ["false"] + values: [ "false" ] + - name: clamav-scan matrix: params: @@ -563,7 +590,8 @@ spec: when: - input: $(params.skip-checks) operator: in - values: ["false"] + values: [ "false" ] + - name: rpms-signature-scan params: - name: image-digest @@ -582,7 +610,8 @@ spec: when: - input: $(params.skip-checks) operator: in - values: ["false"] + values: [ "false" ] + - name: push-dockerfile params: - name: IMAGE From 1a67ac5e07d85f440b3e8d00584cdc1ccb38faae Mon Sep 17 00:00:00 2001 From: Misha Sugakov <537715+msugakov@users.noreply.github.com> Date: Tue, 25 Nov 2025 19:51:48 +0100 Subject: [PATCH 3/5] ROX-31146: Cosmetic fixups (#2431) --- .github/CODEOWNERS | 5 ++--- .github/workflows/auto-approve.yml | 2 +- 2 files changed, 3 insertions(+), 4 deletions(-) diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS index 36d2d0958..bab095cb2 100644 --- a/.github/CODEOWNERS +++ b/.github/CODEOWNERS 
@@ -4,12 +4,11 @@
 * @stackrox/scanner
-# The Konflux maintainers for ACS review all changes related to the Konflux pipelines, such as new
-# pipelines, parameter changes or automated task updates as well as Dockerfile updates.
+# The Konflux maintainers for ACS review all changes related to the Konflux pipelines, Dockerfiles, etc.
 # Release engineers need to merge MintMaker PRs at the time of release.
 # rhacs-bot needs ability to auto-approve MintMaker PRs for automated task and security updates.
 **/konflux.*Dockerfile @stackrox/konflux-maintainers-no-email @stackrox/release-mgmt-no-email @rhacs-bot
 /.konflux/ @stackrox/konflux-maintainers-no-email @stackrox/release-mgmt-no-email @rhacs-bot
 /.tekton/ @stackrox/konflux-maintainers-no-email @stackrox/release-mgmt-no-email @rhacs-bot
 rpms.* @stackrox/konflux-maintainers-no-email @stackrox/release-mgmt-no-email @rhacs-bot
-.github/renovate.json5 @stackrox/konflux-maintainers-no-email @stackrox/release-mgmt-no-email
+.github/renovate.json5 @stackrox/konflux-maintainers
diff --git a/.github/workflows/auto-approve.yml b/.github/workflows/auto-approve.yml
index 5277bbace..85579a05d 100644
--- a/.github/workflows/auto-approve.yml
+++ b/.github/workflows/auto-approve.yml
@@ -1,7 +1,7 @@ name: auto-merge on: - pull_request_target: + pull_request: types: - labeled
From b65f85c9be9c99d32ba4c3df910337a7bcf7aaea Mon Sep 17 00:00:00 2001
From: Misha Sugakov
Date: Wed, 26 Nov 2025 10:44:48 +0100
Subject: [PATCH 4/5] Format comment better

---
 .tekton/scanner-component-pipeline.yaml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/.tekton/scanner-component-pipeline.yaml b/.tekton/scanner-component-pipeline.yaml
index 13150e239..f80aafd07 100644
--- a/.tekton/scanner-component-pipeline.yaml
+++ b/.tekton/scanner-component-pipeline.yaml
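Review bot: Replacing `pull_request_target` with `pull_request` in auto-approve.yml changes the trigger's trust model, not its cosmetics as the subject suggests: under `pull_request` the job runs in the PR head's context, and for a PR from a fork that means a read-only `GITHUB_TOKEN` and no repository secrets, so an approval step that relies on a secret token will stop working for fork PRs while same-repository bot PRs keep working. That is the safer direction, because `pull_request_target` runs with base-branch permissions on untrusted PR metadata, and it deserves a sentence in the commit message or a comment above `on:` such as `# pull_request, not pull_request_target: this job must never run with write access on fork PRs`. The job body is outside the hunk, so whether it actually depends on a secret cannot be confirmed here.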
@@ -166,8 +166,8 @@ spec: - name: init params: - name: image-url - # We can't provide a StackRox-style tag because it is not known at this time (requires cloning source, etc.) - # As a workaround, we still provide a unique tag that's based on a revision in order for this task to comply with + # We can't provide a StackRox-style tag because it is not known at this time (requires cloning source, etc.) + # As a workaround, we still provide a unique tag that's based on a revision in order for this task to comply with # its expected input. We later actually add this tag on a built image with the apply-index-image-tag task. value: $(params.output-image-repo):konflux-$(params.revision) - name: rebuild
From bcc3430250247c88fd8fc051592f0a16cd041765 Mon Sep 17 00:00:00 2001
From: Misha Sugakov
Date: Wed, 26 Nov 2025 12:15:31 +0100
Subject: [PATCH 5/5] Move `/.konflux/` out of "bot coverage" because this directory is not changed by bots, only humans.

---
 .github/CODEOWNERS | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS
index bab095cb2..7753caa21 100644
--- a/.github/CODEOWNERS
+++ b/.github/CODEOWNERS
@@ -8,7 +8,7 @@
 # Release engineers need to merge MintMaker PRs at the time of release.
 # rhacs-bot needs ability to auto-approve MintMaker PRs for automated task and security updates.
 **/konflux.*Dockerfile @stackrox/konflux-maintainers-no-email @stackrox/release-mgmt-no-email @rhacs-bot
-/.konflux/ @stackrox/konflux-maintainers-no-email @stackrox/release-mgmt-no-email @rhacs-bot
 /.tekton/ @stackrox/konflux-maintainers-no-email @stackrox/release-mgmt-no-email @rhacs-bot
 rpms.* @stackrox/konflux-maintainers-no-email @stackrox/release-mgmt-no-email @rhacs-bot
+/.konflux/ @stackrox/konflux-maintainers
 .github/renovate.json5 @stackrox/konflux-maintainers
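Review bot: Moving `/.konflux/` below `**/konflux.*Dockerfile` and `rpms.*` changes precedence as well as ownership: CODEOWNERS applies the last matching pattern, so a file under `.konflux/` that also matches one of the earlier patterns (a `konflux.*Dockerfile` or `rpms.*` file kept in that directory, if any exists) would now be owned only by `@stackrox/konflux-maintainers` and lose the `@rhacs-bot` and release-mgmt approvers. Before this commit the two rules listed identical owners, so their order did not matter. If the narrower ownership is intended, a comment on the moved line would keep it from being reordered back, e.g. `# /.konflux/ is edited by humans only, so bot and release-mgmt approval is not needed here`.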