USHIFT-7406: feat: add crypto scan step to Microshift rebase periodic job for 5.0+#82024
USHIFT-7406: feat: add crypto scan step to Microshift rebase periodic job for 5.0+#82024fracappa wants to merge 1 commit into
Conversation
|
@fracappa: This pull request references USHIFT-7406 which is a valid jira issue. Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "5.0.0" version, but no target version was set. DetailsIn response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
WalkthroughMicroShift release configuration now builds a ChangesMicroShift cryptoscan integration
Estimated code review effort: 3 (Moderate) | ~20 minutes Sequence Diagram(s)sequenceDiagram
participant PeriodicJob
participant CombinedWorkflow
participant RebaseChain
participant CryptoscanStep
participant CryptoscanSource
PeriodicJob->>CombinedWorkflow: start scheduled rebase-with-cryptoscan workflow
CombinedWorkflow->>RebaseChain: run MicroShift rebase
CombinedWorkflow->>CryptoscanStep: run cryptoscan
CryptoscanStep->>CryptoscanSource: consume cryptoscan-src
CryptoscanStep->>CryptoscanStep: invoke rebase_job_entrypoint.sh with CRYPTO_SCAN=true
🚥 Pre-merge checks | ✅ 15✅ Passed checks (15 passed)
✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: fracappa The full list of commands accepted by this bot can be found here. DetailsNeeds approval from an approver in each of these files:
Approvers can indicate their approval by writing |
|
[REHEARSALNOTIFIER]
Prior to this PR being merged, you will need to either run and acknowledge or opt to skip these rehearsals. Interacting with pj-rehearseComment: Once you are satisfied with the results of the rehearsals, comment: |
There was a problem hiding this comment.
🧹 Nitpick comments (1)
ci-operator/step-registry/openshift/microshift/rebase/with-cryptoscan/openshift-microshift-rebase-with-cryptoscan-workflow.yaml (1)
3-6: 📐 Maintainability & Code Quality | 🔵 Trivial | 💤 Low valueConsider explicitly adding
preandpostphases and verify workflow uniqueness.As per coding guidelines:
- New workflows should define
pre,test, andpostphases. Consider explicitly definingpreandpostphases (even if empty) to strictly align with this structure, and ensure the workflow is validated viamake validate-step-registry.- Always use
/step-finderbefore creating new step-registry components to avoid duplicating existing steps, workflows, or chains.💡 Proposed explicit phases
workflow: as: openshift-microshift-rebase-with-cryptoscan steps: + pre: [] test: - chain: openshift-microshift-rebase - ref: openshift-microshift-cryptoscan + post: []🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@ci-operator/step-registry/openshift/microshift/rebase/with-cryptoscan/openshift-microshift-rebase-with-cryptoscan-workflow.yaml` around lines 3 - 6, Update the workflow definition containing the test chain and ref to explicitly include empty pre and post phases alongside test, preserving the existing test entries. Before finalizing, use step-finder to verify no equivalent workflow, chain, or step already exists, then validate the registry with make validate-step-registry.Source: Coding guidelines
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Nitpick comments:
In
`@ci-operator/step-registry/openshift/microshift/rebase/with-cryptoscan/openshift-microshift-rebase-with-cryptoscan-workflow.yaml`:
- Around line 3-6: Update the workflow definition containing the test chain and
ref to explicitly include empty pre and post phases alongside test, preserving
the existing test entries. Before finalizing, use step-finder to verify no
equivalent workflow, chain, or step already exists, then validate the registry
with make validate-step-registry.
ℹ️ Review info
⚙️ Run configuration
Configuration used: Repository YAML (base), Central YAML (inherited)
Review profile: CHILL
Plan: Enterprise
Run ID: 025ccc4a-268f-4614-b07a-167dd3b572ed
⛔ Files ignored due to path filters (2)
ci-operator/jobs/openshift/microshift/openshift-microshift-release-5.0-periodics.yamlis excluded by!ci-operator/jobs/**ci-operator/jobs/openshift/microshift/openshift-microshift-release-5.0-presubmits.yamlis excluded by!ci-operator/jobs/**
📒 Files selected for processing (8)
ci-operator/config/openshift/microshift/openshift-microshift-release-5.0__periodics.yamlci-operator/step-registry/openshift/microshift/cryptoscan/OWNERSci-operator/step-registry/openshift/microshift/cryptoscan/openshift-microshift-cryptoscan-commands.shci-operator/step-registry/openshift/microshift/cryptoscan/openshift-microshift-cryptoscan-ref.metadata.jsonci-operator/step-registry/openshift/microshift/cryptoscan/openshift-microshift-cryptoscan-ref.yamlci-operator/step-registry/openshift/microshift/rebase/with-cryptoscan/OWNERSci-operator/step-registry/openshift/microshift/rebase/with-cryptoscan/openshift-microshift-rebase-with-cryptoscan-workflow.metadata.jsonci-operator/step-registry/openshift/microshift/rebase/with-cryptoscan/openshift-microshift-rebase-with-cryptoscan-workflow.yaml
|
@fracappa: all tests passed! Full PR test history. Your PR dashboard. DetailsInstructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here. |
Introduce a new step-registry workflow (openshift-microshift-rebase-with-cryptoscan) that chains the existing rebase with a crypto scan step. The scan runs in a nested-podman container with intranet access to pull the rh-crypto-scanner-imagefrom images.paas.redhat.com. Scan logic is delegated to the upstream microshift repo via the CRYPTO_SCAN env var
Summary by CodeRabbit