ROX-30730: Scan Konflux images with GHA #17985
Open
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
Skipping CI for Draft Pull Request. |
![sourcery-ai[bot]](https://avatars.githubusercontent.com/in/48477?s=60&v=4){kind=small}
This comment was marked as resolved.
This comment was marked as resolved.
Sorry, something went wrong.
Contributor
|
Images are ready for the commit at 753bb58. To use with deploy scripts, first |
Codecov Report✅ All modified and coverable lines are covered by tests. Additional details and impacted files@@ Coverage Diff @@
## master #17985 +/- ##
==========================================
+ Coverage 49.34% 49.37% +0.03%
==========================================
Files 2711 2722 +11
Lines 200204 200943 +739
==========================================
+ Hits 98792 99219 +427
- Misses 93762 94056 +294
- Partials 7650 7668 +18
Flags with carried forward coverage won't be shown. Click here to find out more. ☔ View full report in Codecov by Sentry. 🚀 New features to boost your workflow:
|
tommartensen
changed the title
…x/stackrox into tm/check-konflux-vulnerabilities
Contributor
There was a problem hiding this comment.
Hey there - I've reviewed your changes and found some issues that need to be addressed.
- The new
pushtrigger doesn’t provideinputs.version, so the workflow (includingrun-nameand the composite action input) will likely see an empty or undefined version on tag pushes; consider derivingversionfromgithub.ref_name(forpush) and usinginputs.versiononly forworkflow_dispatch. - Both upstream and Konflux jobs upload artifacts with the same
scan-result-${{ matrix.image }}naming pattern, which can cause artifact name collisions/merging and make it unclear which scan corresponds to which build; consider including the source (e.g.-upstream/-konfluxor the tag) in the artifact name. - The composite action is referenced by a feature branch (
@tm/ROX-image-vuln-check); once the action is finalized, pin it to a stable tag or commit SHA to avoid unexpected behavior changes in this workflow.
Prompt for AI Agents
Please address the comments from this code review:
## Overall Comments
- The new `push` trigger doesn’t provide `inputs.version`, so the workflow (including `run-name` and the composite action input) will likely see an empty or undefined version on tag pushes; consider deriving `version` from `github.ref_name` (for `push`) and using `inputs.version` only for `workflow_dispatch`.
- Both upstream and Konflux jobs upload artifacts with the same `scan-result-${{ matrix.image }}` naming pattern, which can cause artifact name collisions/merging and make it unclear which scan corresponds to which build; consider including the source (e.g. `-upstream` / `-konflux` or the tag) in the artifact name.
- The composite action is referenced by a feature branch (`@tm/ROX-image-vuln-check`); once the action is finalized, pin it to a stable tag or commit SHA to avoid unexpected behavior changes in this workflow.
## Individual Comments
### Comment 1
<location> `.github/workflows/check-image-vulnerabilities.yml:13` </location>
<code_context>
+ push:
+ tags: ['*']
run-name: ${{ format('Check image vulnerabilities for {0}', inputs.version) }}
</code_context>
<issue_to_address>
**issue (bug_risk):** Using `inputs.version` for push tag runs will break because `workflow_dispatch.inputs` are not defined on `push` events.
With the new `push: tags: ['*']` trigger, this workflow now runs in contexts where `inputs.version` is undefined. Using `inputs.version` in `run-name` and job/action inputs will fail on tag pushes. Either restrict this workflow to `workflow_dispatch` only, derive the version from the tag (e.g. `github.ref_name`) for `push` runs, or conditionally use `inputs.version` only when `github.event_name == 'workflow_dispatch'`.
</issue_to_address>
### Comment 2
<location> `.github/workflows/check-image-vulnerabilities.yml:64-70` </location>
<code_context>
- - name: Install roxctl
- uses: stackrox/roxctl-installer-action@v1
+ - name: Upload scan result artifact
+ if: always()
+ uses: actions/upload-artifact@v4
with:
- central-endpoint: ${{ vars.ACS_DOGFOODING_CENTRAL_URL }}
- central-token: ${{ env.ROX_API_TOKEN }}
+ name: scan-result-${{ matrix.image }}
+ path: scan-result.json
+ retention-days: 30
</code_context>
<issue_to_address>
**suggestion (bug_risk):** Uploading `scan-result.json` unconditionally may fail if the check action exits before creating the file.
Because this step runs even when `Check image vulnerabilities` fails, it can error if `scan-result.json` was never created, obscuring the original failure. Please either condition this step on the prior step having succeeded, or add a guard like `if: always() && hashFiles('scan-result.json') != ''` or `continue-on-error: true` so missing artifacts don’t cause a secondary failure.
```suggestion
- name: Upload scan result artifact
if: always() && hashFiles('scan-result.json') != ''
uses: actions/upload-artifact@v4
with:
name: scan-result-${{ matrix.image }}
path: scan-result.json
retention-days: 30
```
</issue_to_address>Help me be more useful! Please click 👍 or 👎 on each comment and I'll use the feedback to improve your reviews.
tommartensen
force-pushed
the
tm/check-konflux-vulnerabilities
branch
from
e5503e3 to
9e14a3b
Compare
tommartensen
force-pushed
the
tm/check-konflux-vulnerabilities
branch
from
9e14a3b to
dd0e993
Compare
Contributor
There was a problem hiding this comment.
Hey there - I've reviewed your changes - here's some feedback:
- Before merging, update the
stackrox/actions/release/check-image-vulnerabilitiesreference from the feature branch (@tm/ROX-image-vuln-check) to a stable tag or commit SHA to avoid depending on an ephemeral branch. - The
pushtrigger currently runs on all tags ('*'); if this workflow is intended only for release tags, consider tightening the pattern (e.g.,v*or*.*.*) to avoid unnecessary scans for non-release tags.
Prompt for AI Agents
Please address the comments from this code review:
## Overall Comments
- Before merging, update the `stackrox/actions/release/check-image-vulnerabilities` reference from the feature branch (`@tm/ROX-image-vuln-check`) to a stable tag or commit SHA to avoid depending on an ephemeral branch.
- The `push` trigger currently runs on all tags (`'*'`); if this workflow is intended only for release tags, consider tightening the pattern (e.g., `v*` or `*.*.*`) to avoid unnecessary scans for non-release tags.Help me be more useful! Please click 👍 or 👎 on each comment and I'll use the feedback to improve your reviews.
msugakov
reviewed
Dec 16, 2025
| central-endpoint: ${{ vars.ACS_DOGFOODING_CENTRAL_URL }} | ||
| central-token: ${{ env.ROX_API_TOKEN }} | ||
| name: scan-result-quay.io_rhacs-eng_${{ matrix.image }}_${{ inputs.version || github.ref_name }}.json | ||
| path: scan-result.json |
Contributor
There was a problem hiding this comment.
scan-result.json filename seems like escaped from the action implementation (stackrox/actions#72). Is it possible to get that via result-path?
| with: | ||
| image: rhacs-eng/${{ matrix.image }} | ||
| version: ${{ inputs.version || github.ref_name }} | ||
| wait-limit: "11400" |
Contributor
There was a problem hiding this comment.
As compared to the old implementation, wait-limit is added to pick up images from tagged builds.
Do you think we should have auto-triggering for tagged builds given Konflux instability?
If this is manually triggered run, it would be nice to not wait for images but rather let the step fail right away if its image is absent. Is there a way to conditionally set zero waiting time in this case?
| steps: | ||
| - name: Central login | ||
| uses: stackrox/central-login@v1 | ||
| - name: Check image vulnerabilities |
Contributor
There was a problem hiding this comment.
Suggestion:
Suggested change
| - name: Check image vulnerabilities | |
| - name: Scan image for vulnerabilities |
Would it make sense to s/check/scan/g in this file?
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Description
Companion to stackrox/actions#72.
TODO
User-facing documentation
Testing and quality
Automated testing
Change to GHA, manual testing required, see below.
How I validated my change
Manual testing with https://github.com/stackrox/stackrox/actions/runs/20034440769.