Skipping CI for Draft Pull Request.
Hey - I've found 2 issues
Prompt for AI Agents
Please address the comments from this code review:
## Individual Comments
### Comment 1
<location path=".github/workflows/ci-failures-report.yml" line_range="18" />
<code_context>
runs-on: ubuntu-latest
container:
- image: quay.io/stackrox-io/apollo-ci:stackrox-test-0.5.3@sha256:39fd328dcc903b7d8a2f3eb6d9e5ddbf79569227a5667296b4b927f74c11b32a # ratchet:quay.io/stackrox-io/apollo-ci:stackrox-test-0.5.3
+ image: quay.io/stackrox-io/apollo-ci:stackrox-test-0.5.2@sha256:39fd328dcc903b7d8a2f3eb6d9e5ddbf79569227a5667296b4b927f74c11b32a # ratchet:quay.io/stackrox-io/apollo-ci:stackrox-test-0.5.3
steps:
- name: Checkout
</code_context>
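Review bot: On the `+ image:` line the tag now reads `stackrox-test-0.5.2`, but the sha256 digest is identical to the one on the removed line and the trailing `# ratchet:` comment still names `stackrox-test-0.5.3`. A reference that carries a digest is resolved by that digest, so the job would keep pulling the same image as before and the tag edit only changes the label a reader sees. If 0.5.2 is the intended image, re-resolve the digest for that tag and update the ratchet comment in the same change; otherwise leave the tag at 0.5.3.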
<issue_to_address>
**issue (bug_risk):** Image tag and ratchet reference are inconsistent with the digest and may point to different image versions.
The tag was updated to `stackrox-test-0.5.2`, but the digest and ratchet comment still reference `0.5.3`. If these don’t all point to the same pushed image, future digest updates could pull an unexpected version. Please align the tag, digest, and ratchet reference to the same image version.
</issue_to_address>
### Comment 2
<location path="image/roxctl/konflux.Dockerfile" line_range="7" />
<code_context>
# - https://issues.redhat.com/browse/RHTAPBUGS-865 - openshift-golang-builder is not considered to be a valid base image.
#
-FROM brew.registry.redhat.io/rh-osbs/openshift-golang-builder:rhel_9_golang_1.25@sha256:bd531796aacb86e4f97443797262680fbf36ca048717c00b6f4248465e1a7c0c AS builder
+FROM brew.registry.redhat.io/rh-osbs/openshift-golang-builder:rhel_9_golang_1.26@sha256:bd531796aacb86e4f97443797262680fbf36ca048717c00b6f4248465e1a7c0c AS builder
WORKDIR /go/src/github.com/stackrox/rox/app
</code_context>
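Review bot: The `+FROM` line moves the builder tag to `rhel_9_golang_1.26` while carrying over the sha256 digest of the removed `rhel_9_golang_1.25` line unchanged. With the digest deciding which image is pulled, the build input stays what it was and the tag would describe a builder that the pinned digest may not contain. Pin the digest that the 1.26 tag resolves to, or keep the tag at 1.25 until the digest is updated.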
<issue_to_address>
**issue (bug_risk):** Updated Go builder tag may not match the pinned digest, which can break reproducibility.
The base image tag was changed to `rhel_9_golang_1.26`, but the digest is still the one used for `rhel_9_golang_1.25`. Unless Red Hat re-tagged the exact same image, the tag and digest now point to different images, undermining digest pinning and reproducibility. Please either update the digest to match the new tag’s image or keep the tag consistent with the pinned digest.
</issue_to_address>
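An added example, not part of the original thread or the project's code: a small lint that takes the removed/added line pair of a diff and flags the two conditions the review raises, a tag that changed while the sha256 digest stayed the same and a `# ratchet:` comment naming a different reference than the pinned one. The function names and the control case are assumptions; it runs offline and does not query a registry, so it cannot tell which tag a digest actually belongs to.

```python
import re

# Matches name[:tag]@sha256:<digest>, plus an optional trailing "# ratchet:<ref>" comment.
# Simplification: registry hosts with a port (host:5000/name) are not handled.
PIN = re.compile(
    r"(?P<name>[\w./-]+?)(?::(?P<tag>[\w.-]+))?@sha256:(?P<digest>[0-9a-f]{64})"
    r"(?:.*?#\s*ratchet:(?P<ratchet>\S+))?"
)

def parse_pin(line):
    """Return name, tag, digest and ratchet reference of a pinned image line, or None."""
    m = PIN.search(line)
    return m.groupdict() if m else None

def check_pin_change(old_line, new_line):
    """Findings for one removed/added line pair of a diff (empty list = consistent)."""
    old, new = parse_pin(old_line), parse_pin(new_line)
    findings = []
    if new is None:
        return findings
    ref = f"{new['name']}:{new['tag']}"
    if new["ratchet"] and new["tag"] and new["ratchet"] != ref:
        findings.append(f"ratchet comment names {new['ratchet']}, pinned ref is {ref}")
    same_image = old is not None and old["name"] == new["name"]
    if same_image and old["tag"] != new["tag"] and old["digest"] == new["digest"]:
        findings.append(f"tag changed {old['tag']} -> {new['tag']} but digest is unchanged")
    return findings

# The two changed lines quoted in the review above.
CI = "quay.io/stackrox-io/apollo-ci"
CI_DIGEST = "39fd328dcc903b7d8a2f3eb6d9e5ddbf79569227a5667296b4b927f74c11b32a"
CI_OLD = f"image: {CI}:stackrox-test-0.5.3@sha256:{CI_DIGEST} # ratchet:{CI}:stackrox-test-0.5.3"
CI_NEW = f"image: {CI}:stackrox-test-0.5.2@sha256:{CI_DIGEST} # ratchet:{CI}:stackrox-test-0.5.3"
GO = "brew.registry.redhat.io/rh-osbs/openshift-golang-builder"
GO_DIGEST = "bd531796aacb86e4f97443797262680fbf36ca048717c00b6f4248465e1a7c0c"
GO_OLD = f"FROM {GO}:rhel_9_golang_1.25@sha256:{GO_DIGEST} AS builder"
GO_NEW = f"FROM {GO}:rhel_9_golang_1.26@sha256:{GO_DIGEST} AS builder"
# Constructed control case: tag and digest move together (digest value is a placeholder).
OK_NEW = f"FROM {GO}:rhel_9_golang_1.26@sha256:{'0' * 64} AS builder"

if __name__ == "__main__":
    for old, new in ((CI_OLD, CI_NEW), (GO_OLD, GO_NEW), (GO_OLD, OK_NEW)):
        print(check_pin_change(old, new) or "consistent")
```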
/konflux-retest scanner-v4-on-push
/konflux-retest scanner-v4-on-push
/konflux-retest central-db-on-push
🚀 Build Images Ready
Images are ready for commit 01942b0. To use with deploy scripts: export MAIN_IMAGE_TAG=4.11.x-721-g01942b0e27
Codecov Report
✅ All modified and coverable lines are covered by tests.
@@ Coverage Diff @@
## check_builder_image #20110 +/- ##
=======================================================
- Coverage 49.68% 49.67% -0.01%
=======================================================
Files 2766 2765 -1
Lines 209299 209049 -250
=======================================================
- Hits 103995 103853 -142
+ Misses 97612 97518 -94
+ Partials 7692 7678 -14
/konflux-retest operator-on-push
/konflux-retest scanner-v4-on-push
/konflux-retest main-on-push
/konflux-retest main-on-push
/konflux-retest main-on-push
Testing for #19024