[WIP] GH action update lockfiles #4163
base: main
This will enforce Konflux to prefetch the dependencies defined in the lock.yaml files with [1]. Then during the build, Konflux will:
1. inject the repositories where the deps are stored,
2. configure the clients to pull the deps from there,
3. build without network.

As rpm is still not fully supported [2], we have to enable `dev-package-managers` for now in the pipeline.

All specific files enabling hermetic builds are located in the `ci/hermetic/` folder. You can find the helper scripts that automate the process of generating the lock YAML files, replacing the manual steps. The automation streamlines the workflow, reduces the chance of human error, and ensures consistency in the generated lock files. More details can be found in the updated README.

This required adaptations to `build.sh` and the Dockerfile to support both hermetic and non-hermetic build processes.

[1] https://github.com/konflux-ci/build-definitions/tree/main/task/prefetch-dependencies-oci-ta/0.2
[2] https://github.com/hermetoproject/hermeto?tab=readme-ov-file#package-managers
In the 'rpms.in.yaml' file, we configured the rpm lockfile CLI tool to extract installed packages from the main Dockerfile, which uses the standard base image of Fedora. For consistency, we have to rebase all the container images of the project on the same image. Otherwise, we may end up with missing packages during the build (i.e., tzdata is available in the standard image, but not in the minimal one, making the targetcli fail as tzdata was not added to the lock YAML file).
This is temporary while awaiting [1] to be merged and pushed to quay.io.

[1] konflux-ci/build-definitions#2421
... because we need to have the CI/CD jobs ready to automatically update the lock files. Otherwise the Konflux pipelines will start failing because the Fedora RPMs defined in the lockfiles won't be available in remote repos a couple of days after (i.e., Fedora update repos remove older RPMs).
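The base-image constraint in the commit message above (every image must build on the base the lockfile was resolved against, or packages such as tzdata go missing offline) can be checked before a hermetic build. The following is an added example, not code from this PR or project; the file names, the `registry.example` image references and the function names are constructed for illustration.

```python
import re

# Matches: FROM [--platform=...] <image> [AS <stage>]
FROM_RE = re.compile(
    r"^\s*FROM\s+(?:--\S+\s+)*(\S+)(?:\s+AS\s+(\S+))?\s*$", re.IGNORECASE
)

def external_bases(dockerfile_text):
    """Return the external base images used by any stage of a Dockerfile."""
    stages, bases = set(), set()
    # Join backslash continuations so a FROM split over two lines still parses.
    text = re.sub(r"\\\n", " ", dockerfile_text)
    for line in text.splitlines():
        m = FROM_RE.match(line)
        if not m:
            continue
        image, alias = m.group(1), m.group(2)
        # "FROM build" names an earlier stage; "scratch" has no RPM database.
        # An image given as ${ARG} is compared literally (assumption).
        if image.lower() not in stages and image != "scratch":
            bases.add(image)
        if alias:
            stages.add(alias.lower())
    return bases

def find_base_drift(reference, dockerfiles):
    """Map each Dockerfile to the bases it uses that the reference does not.

    `reference` is the Dockerfile the lockfile was resolved against.
    """
    allowed = external_bases(dockerfiles[reference])
    drift = {}
    for name, text in dockerfiles.items():
        extra = external_bases(text) - allowed
        if extra:
            drift[name] = sorted(extra)
    return drift

# Constructed sample input (hypothetical paths and images).
SAMPLE = {
    "Dockerfile": "FROM registry.example/fedora:latest AS build\n"
                  "RUN dnf install -y tzdata\nFROM build\n",
    "targetcli/Dockerfile": "FROM --platform=linux/amd64 "
                            "registry.example/fedora-minimal:latest\n",
}

if __name__ == "__main__":
    for path, images in find_base_drift("Dockerfile", SAMPLE).items():
        print(f"{path}: base not covered by lockfile: {', '.join(images)}")
```

Run as a CI step, a non-empty result means the lock YAML file may be missing packages that the divergent base image does not ship.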
Skipping CI for Draft Pull Request.
18e8e99 to c321795
PR needs rebase. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.
@jcapiitao: The following tests failed, say