fix(ci): retarget Konflux deploy-tag to fleet-apps on GitLab#780
ArgoCD stage reads fleet-apps, not hp-fleet-gitops. The finally task was failing with 403 when pushing to openshift-online/hp-fleet-gitops, marking successful image builds as Failed. Use kartograph-fleet-apps-auth (GitLab PAT) and git push merge_request options to open MRs against hybrid-platforms-gitops/tenant-apps/fleet-apps. Co-authored-by: Cursor <cursoragent@cursor.com>
📝 Walkthrough / Summary by CodeRabbit
Walkthrough: Four Tekton PipelineRun definitions (agent-runtime, api, dev-ui, openshell-gateway pushes) had their
Estimated code review effort: 🎯 4 (Complex) | ⏱️ ~45 minutes
Security-relevant items flagged in the walkthrough:
- CWE-798 (Use of Hard-coded Credentials):
- CWE-295/CWE-300 (Improper Certificate/Channel Validation, MITM): verify the new GitLab clone URL (
- CWE-862 (Missing Authorization): the merge-request creation push options (
- CWE-668 (Exposure of Resource to Wrong Sphere): removal of the old
🚥 Pre-merge checks | ✅ 11 passed checks (11 passed)
Actionable comments posted: 3
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In @.tekton/kartograph-agent-runtime-push.yaml:
- Around line 712-718: The deploy push in the branch creation step is not
idempotent, because a retry can fail when the same deterministic branch already
exists on origin. Update the push logic around the git push invocation in the
deploy/MR creation flow so it first checks whether $BRANCH already exists
remotely and skips or safely reuses it on retries, while keeping the existing
merge request creation behavior in the same script section. Ensure the guard is
tied to the branch-handling logic near the git push command so repeated
PipelineRun executions for the same commit do not fail.
In @.tekton/kartograph-api-push.yaml:
- Around line 704-710: The deploy push in the push step is not retry-safe
because it always reuses the same deterministic branch name and can fail if that
branch already exists. Update the push flow around the git push invocation and
branch creation logic so retries become idempotent: before pushing, detect
whether the deploy branch already exists for the same commit and reuse or
refresh it instead of blindly creating a conflicting branch. Keep the fix
localized to the deploy push step that uses BRANCH/SHORT_SHA/COMMIT_SHA and the
merge_request options.
In @.tekton/kartograph-dev-ui-push.yaml:
- Around line 704-710: The deploy push in the git push block is not retry-safe
because the deterministic branch name can already exist on reruns. Update the
push logic around the existing git push command to make it idempotent for the
same commit, using the branch name and commit SHA to detect an already-created
deploy branch/MR and skip or safely reuse it instead of failing. Keep the change
local to this deploy push step so retries in the pipeline complete successfully.
ℹ️ Review info
⚙️ Run configuration
Configuration used: Central YAML (base), Organization UI (inherited)
Review profile: CHILL
Plan: Enterprise
Run ID: 6bef8a22-1611-4b5e-b652-e64cd4d34c9a
📒 Files selected for processing (6)
- .tekton/kartograph-agent-runtime-push.yaml
- .tekton/kartograph-api-push.yaml
- .tekton/kartograph-dev-ui-push.yaml
- .tekton/kartograph-fleet-apps-auth.secret.example.yaml
- .tekton/kartograph-hp-fleet-gitops-auth.secret.example.yaml
- .tekton/kartograph-openshell-gateway-push.yaml
🔗 Linked repositories identified
CodeRabbit considers these linked repositories for cross-repo context during reviews:
- openshift-hyperfleet/architecture (manual)
- openshift-hyperfleet/hyperfleet-api (manual)
- openshift-hyperfleet/hyperfleet-sentinel (manual)
- openshift-hyperfleet/hyperfleet-adapter (manual)
- openshift-hyperfleet/hyperfleet-broker (manual)
| git push -u origin "$BRANCH" \ | ||
| -o merge_request.create \ | ||
| -o merge_request.target=main \ | ||
| -o "merge_request.title=chore(deploy): update ${DEPLOY_COMPONENT} stage image tag to ${SHORT_SHA}" \ | ||
| -o "merge_request.description=Auto-generated by Konflux push pipeline. Updates newTag for ${IMAGE_SELECTOR} to ${COMMIT_SHA}." | ||
| echo "Merge request created for branch ${BRANCH}" | ||
|
|
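Review bot: the `git push -u origin "$BRANCH"` at the top of this hunk is not retry-safe, because `$BRANCH` is derived deterministically from the commit, so a rerun of the PipelineRun for the same commit finds the branch already on origin and the push (or the preceding `git checkout -b "$BRANCH"`, if the local branch survived) fails and turns a successful image build into a Failed run. Guard the push with `git ls-remote --exit-code --heads origin "$BRANCH"` and exit 0 with a log line when the branch is already there, and use `checkout -B "$BRANCH"` instead of `-b` so a half-created local branch from an earlier attempt is reset rather than tripped over.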
🩺 Stability & Availability | 🟠 Major | ⚡ Quick win
Make the deploy push idempotent on retries.
Line 712 pushes a deterministic branch name. If this PipelineRun is retried for the same commit while the prior deploy branch still exists, git push can fail and mark the build failed again. CWE/CVE: N/A.
Proposed retry-safe guard
+ if git ls-remote --exit-code --heads origin "$BRANCH" >/dev/null 2>&1; then
+ echo "Deploy branch ${BRANCH} already exists; assuming merge request was already created"
+ exit 0
+ fi
+
git checkout -b "$BRANCH"
git commit -m "chore(deploy): update ${DEPLOY_COMPONENT} stage image tag to ${SHORT_SHA}"
    git push -u origin "$BRANCH" \
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In @.tekton/kartograph-agent-runtime-push.yaml around lines 712 - 718, The
deploy push in the branch creation step is not idempotent, because a retry can
fail when the same deterministic branch already exists on origin. Update the
push logic around the git push invocation in the deploy/MR creation flow so it
first checks whether $BRANCH already exists remotely and skips or safely reuses
it on retries, while keeping the existing merge request creation behavior in the
same script section. Ensure the guard is tied to the branch-handling logic near
the git push command so repeated PipelineRun executions for the same commit do
not fail.
| git push -u origin "$BRANCH" \ | ||
| -o merge_request.create \ | ||
| -o merge_request.target=main \ | ||
| -o "merge_request.title=chore(deploy): update ${DEPLOY_COMPONENT} stage image tag to ${SHORT_SHA}" \ | ||
| -o "merge_request.description=Auto-generated by Konflux push pipeline. Updates newTag for ${IMAGE_SELECTOR} to ${COMMIT_SHA}." | ||
| echo "Merge request created for branch ${BRANCH}" | ||
|
|
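Review bot: the `echo "Merge request created for branch ${BRANCH}"` on the last line reports success unconditionally. GitLab does not open a second MR for a branch that already has one, so on a rerun `-o merge_request.create` silently does nothing, and unless the step runs under `set -e` the echo also prints after a failed push. Fail the push explicitly (`git push ... || exit 1`) and word the message as what the script actually did (pushed the branch with merge_request.create), or surface the push's `remote:` output in the log. The push itself needs the same `git ls-remote --exit-code --heads origin "$BRANCH"` guard as the other files so a retry for the same commit is a no-op rather than a Failed PipelineRun.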
🩺 Stability & Availability | 🟠 Major | ⚡ Quick win
Make the deploy push idempotent on retries.
Line 704 pushes a deterministic branch name. A rerun for the same commit can collide with an existing deploy branch and fail the final task. CWE/CVE: N/A.
Proposed retry-safe guard
+ if git ls-remote --exit-code --heads origin "$BRANCH" >/dev/null 2>&1; then
+ echo "Deploy branch ${BRANCH} already exists; assuming merge request was already created"
+ exit 0
+ fi
+
git checkout -b "$BRANCH"
git commit -m "chore(deploy): update ${DEPLOY_COMPONENT} stage image tag to ${SHORT_SHA}"
    git push -u origin "$BRANCH" \
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In @.tekton/kartograph-api-push.yaml around lines 704 - 710, The deploy push in
the push step is not retry-safe because it always reuses the same deterministic
branch name and can fail if that branch already exists. Update the push flow
around the git push invocation and branch creation logic so retries become
idempotent: before pushing, detect whether the deploy branch already exists for
the same commit and reuse or refresh it instead of blindly creating a
conflicting branch. Keep the fix localized to the deploy push step that uses
BRANCH/SHORT_SHA/COMMIT_SHA and the merge_request options.
| git push -u origin "$BRANCH" \ | ||
| -o merge_request.create \ | ||
| -o merge_request.target=main \ | ||
| -o "merge_request.title=chore(deploy): update ${DEPLOY_COMPONENT} stage image tag to ${SHORT_SHA}" \ | ||
| -o "merge_request.description=Auto-generated by Konflux push pipeline. Updates newTag for ${IMAGE_SELECTOR} to ${COMMIT_SHA}." | ||
| echo "Merge request created for branch ${BRANCH}" | ||
|
|
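Review bot: the `merge_request.title` and `merge_request.description` options interpolate `${DEPLOY_COMPONENT}`, `${SHORT_SHA}`, `${IMAGE_SELECTOR}` and `${COMMIT_SHA}` into push-option strings; the double quotes keep each one a single argument, but git refuses a push option that contains a newline, so these values must stay single-line (they are today, so keep that invariant if the parameters ever become user-supplied). Consider adding `-o merge_request.remove_source_branch` so deploy branches do not accumulate on fleet-apps after merge, which also keeps the retry case clean, and apply the same `git ls-remote --exit-code --heads origin "$BRANCH"` guard here that the other two files need.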
🩺 Stability & Availability | 🟠 Major | ⚡ Quick win
Make the deploy push idempotent on retries.
Line 704 pushes a deterministic branch name. A rerun for the same commit can collide with an existing deploy branch and fail the final task. CWE/CVE: N/A.
Proposed retry-safe guard
+ if git ls-remote --exit-code --heads origin "$BRANCH" >/dev/null 2>&1; then
+ echo "Deploy branch ${BRANCH} already exists; assuming merge request was already created"
+ exit 0
+ fi
+
git checkout -b "$BRANCH"
git commit -m "chore(deploy): update ${DEPLOY_COMPONENT} stage image tag to ${SHORT_SHA}"
    git push -u origin "$BRANCH" \
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In @.tekton/kartograph-dev-ui-push.yaml around lines 704 - 710, The deploy push
in the git push block is not retry-safe because the deterministic branch name
can already exist on reruns. Update the push logic around the existing git push
command to make it idempotent for the same commit, using the branch name and
commit SHA to detect an already-created deploy branch/MR and skip or safely
reuse it instead of failing. Keep the change local to this deploy push step so
retries in the pipeline complete successfully.
Summary
- `finally` `deploy-tag` task at fleet-apps (GitLab), which is what ArgoCD deploys for stage — not hp-fleet-gitops on GitHub
- `kartograph-fleet-apps-auth` with GitLab PAT (see `.tekton/kartograph-fleet-apps-auth.secret.example.yaml`)
- `git push -o merge_request.create` instead of GitHub PR API
- `kartograph-hp-fleet-gitops-auth.secret.example.yaml` (GitHub hp-fleet-gitops)

Fixes Konflux "Build failed" when `kartograph-agent-runtime-build` (and other build tasks) succeed but `update-deploy-tag` fails with 403.

Prerequisites
- `kartograph-fleet-apps-auth` must exist in Konflux namespace `kartograph-tenant` (Konflux UI → Secrets → Key/value secret with `.gitconfig`, `.git-credentials`, `.netrc`).

Test plan
- `update-deploy-tag` opens MR on fleet-apps GitLab

Made with Cursor