fix(ci): retarget Konflux deploy-tag to fleet-apps on GitLab #780
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -615,9 +615,9 @@ spec: | |
| value: $(params.git-url) | ||
| workspaces: | ||
| - name: basic-auth | ||
| workspace: hp-fleet-gitops-auth | ||
| workspace: fleet-apps-auth | ||
| - name: netrc | ||
| workspace: hp-fleet-gitops-auth | ||
| workspace: fleet-apps-auth | ||
| taskSpec: | ||
| params: | ||
| - name: COMMIT_SHA | ||
|
|
@@ -658,8 +658,8 @@ spec: | |
| mkdir -p "$HOME" | ||
|
|
||
| if [ ! -f "${WORKSPACE_BASIC_AUTH_PATH}/.git-credentials" ] && [ ! -f "${WORKSPACE_NETRC_PATH}/.netrc" ]; then | ||
| echo "ERROR: Secret kartograph-hp-fleet-gitops-auth is missing or empty." | ||
| echo "Apply .tekton/kartograph-hp-fleet-gitops-auth.secret.example.yaml in kartograph-tenant." | ||
| echo "ERROR: Secret kartograph-fleet-apps-auth is missing or empty." | ||
| echo "Apply .tekton/kartograph-fleet-apps-auth.secret.example.yaml in kartograph-tenant." | ||
| exit 1 | ||
| fi | ||
|
|
||
|
|
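Review bot: the updated error text at lines 43-44 tells the operator to "Apply .tekton/kartograph-fleet-apps-auth.secret.example.yaml", but that file (see the new file in this PR) still contains REPLACE_WITH_GITLAB_PAT placeholders; applying it verbatim creates `.git-credentials` and `.netrc` files that pass this existence check and only fail later at `git push`, with a far less helpful message. Suggest wording the hint as "Copy .tekton/kartograph-fleet-apps-auth.secret.example.yaml, fill in the GitLab PAT, and apply it in kartograph-tenant", matching the instructions in the example file's own header.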
@@ -677,8 +677,9 @@ spec: | |
|
|
||
| SHORT_SHA="${COMMIT_SHA:0:12}" | ||
| BRANCH="konflux/deploy-tag-${DEPLOY_COMPONENT}-${SHORT_SHA}" | ||
| FLEET_APPS_REPO="https://gitlab.cee.redhat.com/hybrid-platforms-gitops/tenant-apps/fleet-apps.git" | ||
|
|
||
| git clone --depth 1 --branch main "https://github.com/openshift-online/hp-fleet-gitops" /tmp/repo | ||
| git clone --depth 1 --branch main "${FLEET_APPS_REPO}" /tmp/repo | ||
| cd /tmp/repo | ||
|
|
||
| FILE="apps/kartograph/overlays/stage/kustomization.yaml" | ||
|
|
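Review bot: `FLEET_APPS_REPO` at line 58 hard-codes the GitLab URL inside the task script, while the source repository URL in the same Pipeline is already a parameter (`$(params.git-url)` at line 22). Suggest exposing the target repository as a pipeline parameter as well, so switching tenants or GitLab hosts does not require editing the script, and so the clone at line 63 and the credential host in the secret can be kept consistent from one place. Since `.git-credentials` is keyed by host rather than by project, the clone and push will only succeed if that parameter's host matches the one in the secret, which is worth a comment next to the variable.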
@@ -700,70 +701,13 @@ spec: | |
|
|
||
| git checkout -b "$BRANCH" | ||
| git commit -m "chore(deploy): update ${DEPLOY_COMPONENT} stage image tag to ${SHORT_SHA}" | ||
| git push origin "$BRANCH" | ||
| git push -u origin "$BRANCH" \ | ||
| -o merge_request.create \ | ||
| -o merge_request.target=main \ | ||
| -o "merge_request.title=chore(deploy): update ${DEPLOY_COMPONENT} stage image tag to ${SHORT_SHA}" \ | ||
| -o "merge_request.description=Auto-generated by Konflux push pipeline. Updates newTag for ${IMAGE_SELECTOR} to ${COMMIT_SHA}." | ||
| echo "Merge request created for branch ${BRANCH}" | ||
|
|
||
|
Comment on lines +704 to 710 (Contributor):
🩺 Stability & Availability | 🟠 Major | ⚡ Quick win
Make the deploy push idempotent on retries.
Line 704 pushes a deterministic branch name. A rerun for the same commit can collide with an existing deploy branch and fail the final task. CWE/CVE: N/A.
Proposed retry-safe guard:
+ if git ls-remote --exit-code --heads origin "$BRANCH" >/dev/null 2>&1; then
+   echo "Deploy branch ${BRANCH} already exists; assuming merge request was already created"
+   exit 0
+ fi
+
  git checkout -b "$BRANCH"
  git commit -m "chore(deploy): update ${DEPLOY_COMPONENT} stage image tag to ${SHORT_SHA}"
  git push -u origin "$BRANCH" \
||
| mkdir -p /tekton/run | ||
| printf '%s\n' "$BRANCH" > /tekton/run/deploy-branch | ||
| printf '%s\n' "$COMMIT_SHA" > /tekton/run/commit-sha | ||
| printf '%s\n' "$DEPLOY_COMPONENT" > /tekton/run/deploy-component | ||
| printf '%s\n' "$SHORT_SHA" > /tekton/run/short-sha | ||
| - name: create-pull-request | ||
| image: docker.io/curlimages/curl:8.12.1@sha256:94e9e444bcba979c2ea12e27ae39bee4cd10bc7041a472c4727a558e213744e6 | ||
| env: | ||
| - name: WORKSPACE_NETRC_PATH | ||
| value: /workspace/netrc | ||
| script: | | ||
| #!/bin/sh | ||
| set -eu | ||
|
|
||
| if [ ! -f /tekton/run/deploy-branch ]; then | ||
| echo "No deploy branch metadata, skipping PR creation" | ||
| exit 0 | ||
| fi | ||
|
|
||
| BRANCH=$(cat /tekton/run/deploy-branch) | ||
| COMMIT_SHA=$(cat /tekton/run/commit-sha) | ||
| DEPLOY_COMPONENT=$(cat /tekton/run/deploy-component) | ||
| SHORT_SHA=$(cat /tekton/run/short-sha) | ||
| REPO="openshift-online/hp-fleet-gitops" | ||
|
|
||
| export HOME=/tekton/home | ||
| mkdir -p "$HOME" | ||
| if [ ! -f "${WORKSPACE_NETRC_PATH}/.netrc" ]; then | ||
| echo "WARNING: netrc not available, PR must be created manually" | ||
| echo "Branch pushed: $BRANCH" | ||
| exit 0 | ||
| fi | ||
| cp "${WORKSPACE_NETRC_PATH}/.netrc" "$HOME/.netrc" | ||
| chmod 600 "$HOME/.netrc" | ||
|
|
||
| PAYLOAD=$(mktemp) | ||
| chmod 600 "$PAYLOAD" | ||
| printf '{"title":"chore(deploy): update %s stage image tag to %s","head":"%s","base":"main","body":"Auto-generated by Konflux push pipeline.\n\nUpdates `newTag` in stage kustomization to `%s`."}' \ | ||
| "$DEPLOY_COMPONENT" "$SHORT_SHA" "$BRANCH" "$COMMIT_SHA" > "$PAYLOAD" | ||
|
|
||
| PR_RESPONSE=$(curl -sS --netrc \ | ||
| -H "Content-Type: application/json" \ | ||
| -d @"$PAYLOAD" \ | ||
| "https://api.github.com/repos/${REPO}/pulls") || true | ||
| rm -f "$PAYLOAD" | ||
|
|
||
| PR_URL=$(echo "$PR_RESPONSE" | grep -o '"html_url":"[^"]*"' | head -1 | cut -d'"' -f4) | ||
| echo "PR created: ${PR_URL:-none}" | ||
|
|
||
| PR_NODE_ID=$(echo "$PR_RESPONSE" | grep -o '"node_id":"[^"]*"' | head -1 | cut -d'"' -f4) | ||
| if [ -n "$PR_NODE_ID" ]; then | ||
| GRAPHQL_PAYLOAD=$(mktemp) | ||
| chmod 600 "$GRAPHQL_PAYLOAD" | ||
| printf '{"query":"mutation { enablePullRequestAutoMerge(input: { pullRequestId: \\"%s\\", mergeMethod: SQUASH }) { pullRequest { autoMergeRequest { enabledAt } } } }"}' \ | ||
| "$PR_NODE_ID" > "$GRAPHQL_PAYLOAD" | ||
| curl -sS --netrc \ | ||
| -H "Content-Type: application/json" \ | ||
| -d @"$GRAPHQL_PAYLOAD" \ | ||
| "https://api.github.com/graphql" > /dev/null 2>&1 || true | ||
| rm -f "$GRAPHQL_PAYLOAD" | ||
| echo "Auto-merge enabled" | ||
| fi | ||
| workspaces: | ||
| - name: git-auth | ||
| optional: true | ||
|
|
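Review bot: `${IMAGE_SELECTOR}` in the `merge_request.description` option at line 82 is not assigned anywhere in the visible context of this hunk; please confirm it is set earlier in the script, otherwise the description is empty (or, if the script runs with `set -u` like the removed step did, the push aborts). Two further points on the same block: the removed `create-pull-request` step (lines 107-177) also enabled squash auto-merge on the pull request via the GraphQL mutation, and nothing in the new push-option flow replaces that, so stage deploys now wait for a human to merge the MR; that behaviour change should be stated in the PR description. And the `echo "Merge request created ..."` at line 83 runs unconditionally, while GitLab reports push-option failures (for example an MR that already exists for the branch) only as `remote:` messages without necessarily failing the push, so consider checking the push output or querying the API before claiming success.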
@@ -775,7 +719,7 @@ spec: | |
| - name: git-auth | ||
| secret: | ||
| secretName: "{{ git_auth_secret }}" | ||
| - name: hp-fleet-gitops-auth | ||
| - name: fleet-apps-auth | ||
| secret: | ||
| secretName: kartograph-hp-fleet-gitops-auth | ||
| secretName: kartograph-fleet-apps-auth | ||
| status: {} | ||
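Review bot: the `fleet-apps-auth` volume at lines 188-191 references `kartograph-fleet-apps-auth` without `optional: true`, so if the secret is missing the pod never starts (it stays in ContainerCreating with a "secret not found" event) and the friendly check at lines 40-46 is never reached. If the intent is for the script to produce the actionable error, add `optional: true` to this volume, as the `git-auth` workspace declaration in the previous hunk already does; if the intent is hard failure at scheduling time, the script-level check and its message are dead code and can be dropped.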
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,24 @@ | ||
| # Apply in Konflux tenant namespace (kartograph-tenant) after replacing placeholders. | ||
| # | ||
| # GitLab PAT needs api + write_repository on: | ||
| # hybrid-platforms-gitops/tenant-apps/fleet-apps | ||
| # Do not commit real tokens. | ||
| # | ||
| # oc project kartograph-tenant | ||
| # oc create -f kartograph-fleet-apps-auth.secret.yaml | ||
| # | ||
| apiVersion: v1 | ||
| kind: Secret | ||
| metadata: | ||
| name: kartograph-fleet-apps-auth | ||
| namespace: kartograph-tenant | ||
| type: Opaque | ||
| stringData: | ||
| .gitconfig: | | ||
| [credential] | ||
| helper = store | ||
| .git-credentials: https://oauth2:REPLACE_WITH_GITLAB_PAT@gitlab.cee.redhat.com | ||
| .netrc: | | ||
| machine gitlab.cee.redhat.com | ||
| login oauth2 | ||
| password REPLACE_WITH_GITLAB_PAT |
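Review bot: the `.git-credentials` entry at line 391 and the `.netrc` block at lines 393-395 are keyed by host (`gitlab.cee.redhat.com`), not by project, so whatever PAT is pasted in is presented to every repository on that host, while the header comment at lines 374-375 describes the token as needed only for `hybrid-platforms-gitops/tenant-apps/fleet-apps`. Suggest stating in the header that a project access token (or a group token limited to that project) with `api` + `write_repository` should be used rather than a personal PAT, since a personal token would carry all of its owner's GitLab permissions into the build pod. Also worth a comment: `helper = store` at line 390 keeps the token in plaintext on the task filesystem, so the files should stay mode 0600 (the removed step did `chmod 600` on `.netrc`; the new deploy step should do the same), and a `.gitignore` entry for `*.secret.yaml` would help keep a filled-in copy from being committed next to this example.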
Comment on line 712:
🩺 Stability & Availability | 🟠 Major | ⚡ Quick win
Make the deploy push idempotent on retries.
Line 712 pushes a deterministic branch name. If this PipelineRun is retried for the same commit while the prior deploy branch still exists, `git push` can fail and mark the build failed again. CWE/CVE: N/A.
Proposed retry-safe guard