Backport konflux changes to 3.21 (stackrox 4.7) (#2174)

* Ensure ctest fails if no unit tests are found (#2027)

* chore(deps): update konflux references (#2026)

* chore(deps): update konflux references (#2037)

* chore(deps): update konflux references to 752230a (#2040)

* ROX-27831: set image expiration based on event type and target branch (#2035)

* ROX-27831: set image expiration based on event type and target branch

* update task digest and name

* fix task digest

* chore(deps): update konflux references to b78123a (#2045)

* chore(deps): update konflux references to a3f3a4d (#2047)

* chore(deps): update konflux references to 5bc6129 (#2049)

* ROX-27905: Exclude sample rpmbdbs from Konflux SBOMs (#2052)

* chore(deps): update konflux references (#2053)

* chore: Mark more places to be reviewed by `rhtap-maintainers` (#2054)

* Fix QA tag missing collector version in konflux tests (#2057)

The QA tag being used for konflux tests on PRs is malformed, leading to weird errors. This should fix it.

When running on a PR that bumps the QA_TAG, the test containers include the collector tag as a suffix in order to prevent collisions with other PRs that might be bumping the version, so they would look something like this: 2.0.3-3.21.x-26-g5a61d712ab-fast

However, on konflux, the collector tag was not being properly set and the tags looked like this: 2.0.3-

* chore(deps): update konflux references (#2060)

* ROX-27856: Post Konflux metrics to BigQuery (#2071)

* chore(deps): update konflux references (#2062)

* ROX-20234: Add rpms prefetch, set build to hermetic (#2109)

Co-authored-by: Tom Martensen <tmartens@redhat.com>

* chore(deps): update quay.io/rhacs-eng/konflux-tasks:latest docker digest to 3d1fbc3 (#2117)

* chore(deps): update konflux references (#2088)

* chore(deps): update quay.io/rhacs-eng/konflux-tasks:latest docker digest to fa86065 (#2119)

Signed-off-by: red-hat-konflux <126015336+red-hat-konflux[bot]@users.noreply.github.com>
Co-authored-by: red-hat-konflux[bot] <126015336+red-hat-konflux[bot]@users.noreply.github.com>

* chore(deps): update konflux references (#2118)

Signed-off-by: red-hat-konflux <126015336+red-hat-konflux[bot]@users.noreply.github.com>
Co-authored-by: red-hat-konflux[bot] <126015336+red-hat-konflux[bot]@users.noreply.github.com>

* ROX-29078: switch to per component service account (#2120)

* ROX-29078: switch to per component service account

* move SA def to PipelineRun

* ROX-28568: Add required tasks sast-shell-check and sast-unicode-check to Konflux pipelines (#2115)

* ROX-26148: Announce ./rpms.* files ownership (#2127)

* chore(deps): update konflux references (#2121)

* chore: Bump memory limit in TA download (#2129)

* chore(deps): rpm updates (#2128)

* chore(deps): rpm updates [security] (#2131)

* chore(deps): update quay.io/rhacs-eng/konflux-tasks:latest docker digest to f1362c6 (#2122)

* build(fix): Bump TA steps memory from 4 to 6Gi (#2134)

* chore(deps): update quay.io/rhacs-eng/konflux-tasks:latest docker digest to b4f8de3 (#2136)

Signed-off-by: red-hat-konflux <126015336+red-hat-konflux[bot]@users.noreply.github.com>
Co-authored-by: red-hat-konflux[bot] <126015336+red-hat-konflux[bot]@users.noreply.github.com>

* ROX-29479: Use custom repos for Konflux built product (#2139)

* ROX-28973: update image tagging and expiration in Konflux (#2141)

* chore(deps): rpm updates [security] (#2143)

* chore(deps): update quay.io/rhacs-eng/konflux-tasks:latest docker digest to f251565 (#2148)

* chore(deps): update konflux references (#2133)

* chore(deps): [security] (#2153)

* ROX-29602: Use updated `determine-image-tag` task (#2154)

* chore(deps): update konflux references (#2156)

* chore(deps): update all dependencies (#2155)

* chore(deps): update quay.io/rhacs-eng/konflux-tasks:latest docker digest to d5c4939 (#2152)

* build: Fix Konflux builds (#2166)

* ROX-18384: removes slim and latest images from konflux build (#2028)

* ROX-18384: removes slim and latest images from konflux build
* Removes matrix from extra tags step

---------

Signed-off-by: red-hat-konflux <126015336+red-hat-konflux[bot]@users.noreply.github.com>
Co-authored-by: red-hat-konflux[bot] <126015336+red-hat-konflux[bot]@users.noreply.github.com>
Co-authored-by: Tom Martensen <tmartens@redhat.com>
Co-authored-by: Misha Sugakov <537715+msugakov@users.noreply.github.com>
Co-authored-by: Giles Hutton <ghutton@redhat.com>

Author: 5 people

.github/CODEOWNERS

@@ -8,7 +8,8 @@
 RELEASED_VERSIONS               @stackrox/collector-team
 RELEASED_VERSIONS.unsupported   @stackrox/collector-team
 
-# The RHTAP maintainers for ACS review all changes related to the RHTAP pipelines, such as new pipelines,
-# parameter changes or automated task updates.
-/.tekton/   @stackrox/rhtap-maintainers
-/.konflux/  @stackrox/rhtap-maintainers
+# The RHTAP maintainers for ACS review all changes related to the Konflux (f.k.a. RHTAP) pipelines, such as new
+# pipelines, parameter changes or automated task updates as well as Dockerfile updates.
+**/konflux.*Dockerfile  @stackrox/rhtap-maintainers
+/.tekton/               @stackrox/rhtap-maintainers
+rpms.*                  @stackrox/rhtap-maintainers

.github/renovate.json5

@@ -3,16 +3,18 @@
 
   // After making changes to this file, you can validate it by running something like this in the root of the repo:
   // $ docker run --rm -it --entrypoint=renovate-config-validator -v "$(pwd)":/mnt -w /mnt renovate/renovate --strict
+  // Note: ignore errors about the config for `rpm`. This is to be addressed with https://issues.redhat.com/browse/CWFHEALTH-4117
   // There are more validation options, see https://docs.renovatebot.com/config-validation/
 
   "$schema": "https://docs.renovatebot.com/renovate-schema.json",
   "extends": [
-    // This inherits the base Konflux config.
-    // Clickable link https://github.com/konflux-ci/mintmaker/blob/main/config/renovate/renovate.json
-    // The following was used as example (we may want to check it if the base config gets suddenly moved):
+    // Note that the base Konflux's MintMaker config gets inherited/included automatically per
+    // https://redhat-internal.slack.com/archives/C04PZ7H0VA8/p1745492139282819?thread_ts=1745309786.090319&cid=C04PZ7H0VA8
+    // The config is: https://github.com/konflux-ci/mintmaker/blob/main/config/renovate/renovate.json
+    // We found out about it here (we may want to check that location if the base config gets suddenly moved):
     // https://github.com/enterprise-contract/ec-cli/blob/407847910ad420850385eea1db78e2a2e49c7e25/renovate.json#L1C1-L7C2
-    "github>konflux-ci/mintmaker//config/renovate/renovate.json",
-    // This tells Renovate to combine all updates in one PR so that we have less PRs to deal with.
+
+    // This tells Renovate to combine all updates in one PR so that we have fewer PRs to deal with.
     "group:all",
   ],
   "timezone": "Etc/UTC",
@@ -27,21 +29,46 @@
   "updateNotScheduled": false,
   "tekton": {
     "schedule": [
-      // For some reason, Konflux config defines custom schedule on each type of dependency manager and that takes
-      // precedence over the global/default schedule. We want our own schedule and hence need to make this override.
+      // Override Konflux custom schedule for this manager to our intended one.
       "after 3am and before 7am",
     ],
+    "packageRules": [
+      // Note: the packageRules from the Konflux config (find URL in comments above) get merged with these.
+      {
+        "groupName": "StackRox custom Konflux Tasks",
+        "matchPackageNames": [
+          "/^quay.io/rhacs-eng/konflux-tasks/",
+        ],
+      },
+    ],
   },
   "dockerfile": {
     "includePaths": [
       // Instruct Renovate not try to update Dockerfiles other than konflux.Dockerfile (or konflux.anything.Dockerfile)
       // to have less PR noise.
       "**/*konflux*.Dockerfile",
     ],
+    "schedule": [
+      // Override Konflux custom schedule for this manager to our intended one.
+      "after 3am and before 7am",
+    ],
+    "postUpgradeTasks": {
+      "commands": [
+        // Refresh the rpm lockfile after updating image references in the dockerfile.
+        "rpm-lockfile-prototype rpms.in.yaml",
+      ],
+    },
+  },
+  "rpm": {
+    "schedule": [
+      // Override Konflux custom schedule for this manager to our intended one.
+      "after 3am and before 7am",
+    ],
   },
   "enabledManagers": [
     // Restrict Renovate focus on Konflux things since we rely on GitHub's dependabot for everything else.
     "tekton",
     "dockerfile",
+    "rpm",
   ],
 }

.github/workflows/integration-test-containers.yml

@@ -175,6 +175,8 @@ jobs:
 
       - name: Set up QEMU
         uses: docker/setup-qemu-action@v3
+        with:
+          image: tonistiigi/binfmt:qemu-v9.2.2
 
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v3

.github/workflows/k8s-integration-tests.yml

@@ -3,6 +3,11 @@ name: K8S based integration tests
 on:
   workflow_call:
    inputs:
+      collector-repo:
+        description: |
+          Optional repository to use for the collector image
+        type: string
+        default: "quay.io/rhacs-eng/collector"
       collector-tag:
         description: |
           Tag used for running the integration tests
@@ -22,7 +27,7 @@ on:
 env:
   ANSIBLE_CONFIG: ${{ github.workspace }}/ansible/ansible.cfg
   COLLECTOR_TESTS_IMAGE: quay.io/rhacs-eng/collector-tests:${{ inputs.collector-tests-tag }}
-  COLLECTOR_IMAGE: quay.io/rhacs-eng/collector:${{ inputs.collector-tag }}
+  COLLECTOR_IMAGE: ${{ inputs.collector-repo }}:${{ inputs.collector-tag }}
 
 jobs:
   k8s-integration-tests:

.github/workflows/konflux.yml

@@ -45,7 +45,8 @@ jobs:
 
       - id: generate-tag
         run: |
-          echo "collector-tag=$(make tag)-fast" >> "$GITHUB_OUTPUT"
+          COLLECTOR_TAG="$(make tag)-fast"
+          echo "collector-tag=${COLLECTOR_TAG}" >> "$GITHUB_OUTPUT"
 
           COLLECTOR_QA_TAG="$(cat ${{ github.workspace }}/integration-tests/container/QA_TAG)"
           if [[ "${GITHUB_EVENT_NAME}" == "pull_request" && "${{ steps.filter.outputs.container }}" == "true" ]]; then
@@ -62,7 +63,7 @@ jobs:
       - uses: stackrox/actions/release/wait-for-image@v1
         with:
           token: ${{ secrets.QUAY_RHACS_ENG_BEARER_TOKEN }}
-          image: rhacs-eng/collector:${{ needs.init.outputs.collector-tag }}
+          image: rhacs-eng/release-collector:${{ needs.init.outputs.collector-tag }}
           limit: 9000 # 2h30m
 
   integration-tests-containers:
@@ -83,6 +84,7 @@ jobs:
     - wait-for-images
     - integration-tests-containers
     with:
+      collector-repo: quay.io/rhacs-eng/release-collector
       collector-tag: ${{ needs.init.outputs.collector-tag }}
       collector-qa-tag: ${{ needs.init.outputs.collector-qa-tag }}
       collector-tests-tag: ${{ needs.integration-tests-containers.outputs.collector-tests-tag }}
@@ -94,6 +96,7 @@ jobs:
   k8s-integration-tests:
     uses: ./.github/workflows/k8s-integration-tests.yml
     with:
+      collector-repo: quay.io/rhacs-eng/release-collector
       collector-tag: ${{ needs.init.outputs.collector-tag }}
       collector-qa-tag: ${{ needs.init.outputs.collector-qa-tag }}
       collector-tests-tag: ${{ needs.integration-tests-containers.outputs.collector-tests-tag }}

.github/workflows/main.yml

@@ -89,7 +89,7 @@ jobs:
 
       - name: Run unit tests
         run: |
-          ctest -V --test-dir cmake-build
+          ctest --no-tests=error -V --test-dir cmake-build
 
   integration-tests:
     uses: ./.github/workflows/integration-tests.yml