feat(ISV-5128): add new Tekton task to update component sboms #656
base: development
Hi @wcheang. Thanks for your PR. I'm waiting for a konflux-ci member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.
"wip" is not a valid commit title prefix. This should probably be "feat". If you want to say that it's not ready for review yet, you can change the PR to Draft. (If a PR is created as Draft from the start, the reviewers won't be added until it's changed to Ready - maybe for next time.)
@mmalina the CONTRIBUTING.md says Tekton task tests are not required, but the check is failing due to missing |
This recently came up in a PR: #656

We definitely do require tests for all new tasks. For existing tasks, we mostly do as well, but there are still three tasks without tests:
- base64-encode-checksum
- create-internal-request
- prepare-validation

Signed-off-by: Martin Malina <[email protected]>
The doc is not correct. Fix here: #664

To explain, when we came up with the mechanism to write task tests, none of the tasks had tests, but there would be a tests directory and a sample run.yaml which was a taskrun definition using the task. So the reason for that sentence was that if you changed an existing task, you wouldn't be required to write tests for it. I understand that in your case the task will not do much besides running the script, but it's still nice to have some basic test to ensure there is no error in the task definition or something like that. I would recommend using a mock for the python script and just check that it was called with the parameters it was expected to be called with.
69b389f to 642b662
24058f6 to 121ab41
The symlink appears to be set up with the wrong path in my previous change in the utils repos. PR to fix it here: konflux-ci/release-service-utils#295
335ea29 to 35ac838
@mmalina Could you please help me figure out why the Tekton task tests are running into "permission denied" errors on all the scripts ( |
The script doesn't have execute permissions:
That's something that's typically not shown in Github UI. It has the permissions it had when it was added. You can |
6ef7541 to 76e2c2c
Signed-off-by: Wai Cheang <[email protected]>
@@ -54,8 +54,8 @@ spec: | |||
|
|||
NUM_COMPONENTS=$(jq '.components | length' "${PYXIS_FILE}") | |||
|
|||
mkdir /workdir/sboms | |||
cd /workdir/sboms | |||
mkdir "$(workspaces.data.path)/downloaded-sboms" |
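Review bot: `mkdir "$(workspaces.data.path)/downloaded-sboms"` has no `-p`, so it returns an error when the directory already exists, which can happen whenever the workspace is reused. Suggest `mkdir -p` on the final directory path so that a leftover directory or a missing parent directory does not stop the step.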
you should use a subdir for this like https://github.com/konflux-ci/release-service-catalog/blob/development/tasks/collect-mrrc-params/collect-mrrc-params.yaml#L37
The reason is just in case we have concurrent runs using the same workspace, we want to use subdirs per pipelinerun to prevent collisions
metadata: | ||
name: update-component-sbom | ||
labels: | ||
app.kubernetes.io/version: "0.0.1" |
No real way of knowing this, but we typically do 0.1.0 to start. Can you switch to this?
set -eux | ||
|
||
INPUT_PATH="$(workspaces.data.path)/$(params.downloadedSbomPath)" | ||
OUTPUT_PATH="$(workspaces.data.path)/updated-sboms" |
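Review bot: in the `INPUT_PATH=` line, `$(params.downloadedSbomPath)` is substituted by Tekton into the script text before the shell runs, so a value containing quotes or `$(...)` becomes shell code rather than data. Suggest passing the param to the step as an environment variable and referencing that variable here, and rejecting values that are absolute or contain `..` before joining them to the workspace path.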
why not rewrite them in place?
@@ -92,6 +92,8 @@ spec: | |||
echo "ERROR: Expected to fetch sbom for $PYXIS_IMAGES images, but only $SBOM_COUNT were saved" | |||
exit 1 | |||
fi | |||
|
|||
echo -n "$(workspaces.data.path)/downloaded-sboms" > "$(results.downloadedSbomPath.path)" |
You don't want the workspace in the result. You use this
INPUT_PATH="$(workspaces.data.path)/$(params.downloadedSbomPath)"
so this is going to end up evaluating to /workspace/workspace/downloaded-sboms
currently, which doesn't exist
It would be nice to also test that update_component_sbom was called the proper number of times. All this currently does is test echo -n "$OUTPUT_PATH" > "$(results.sbomPath.path)"
from the task, which is only one line of multiple that exist
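The call-count check suggested in the comment above, as an added example that is not part of the PR or the project's test suite: a mock `update_component_sbom` is placed first on `PATH`, records every invocation, and the test counts the recorded calls. The per-file loop in `run_step` and the single file argument passed to the script are assumptions, since the page does not show the task's script body.

```shell
#!/bin/sh
# Added example. The per-file loop and the argument passed to
# update_component_sbom are assumptions; the page does not show the task step.

# Create a mock update_component_sbom in $1 that records each call in $2.
make_mock() {
  mock_dir=$1 call_log=$2
  mkdir -p "$mock_dir"
  cat > "$mock_dir/update_component_sbom" <<EOF
#!/bin/sh
# Mock: append one line per invocation holding the received arguments.
echo "\$*" >> "$call_log"
EOF
  # Without the execute bit the call fails with "permission denied".
  chmod +x "$mock_dir/update_component_sbom"
}

# Stand-in for the task step (assumed behaviour): one call per SBOM file.
run_step() {
  input_path=$1
  for sbom in "$input_path"/*.json; do
    [ -e "$sbom" ] || continue   # empty directory: the glob matched nothing
    update_component_sbom "$sbom"
  done
}

# Run the step against N constructed SBOM files; print the number of mock calls.
count_mock_calls() {
  n=$1
  work=$(mktemp -d)
  mkdir -p "$work/sboms"
  : > "$work/calls.log"
  i=0
  while [ "$i" -lt "$n" ]; do
    echo '{}' > "$work/sboms/sbom-$i.json"   # constructed placeholder content
    i=$((i + 1))
  done
  make_mock "$work/bin" "$work/calls.log"
  ( PATH="$work/bin:$PATH"; run_step "$work/sboms" )
  wc -l < "$work/calls.log" | tr -d ' '
  rm -rf "$work"
}

count_mock_calls 3   # prints 3
```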
No description provided.