ROX-28955: Konflux Patches for 4.7 (#1947)

Author: ajheflin

.github/CODEOWNERS

@@ -2,6 +2,9 @@
 # https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/customizing-your-repository/about-code-owners#about-code-owners
 # This will automatically assign a team / people as reviewers for PRs based on the files changed within the PR.
 
-# The RHTAP maintainers for ACS review all changes related to the Konflux/RHTAP pipelines, such as new pipelines,
-# parameter changes or automated task updates.
-/.tekton/   @stackrox/rhtap-maintainers
+# The RHTAP maintainers for ACS review all changes related to the Konflux (f.k.a. RHTAP) pipelines, such as new
+# pipelines, parameter changes or automated task updates as well as Dockerfile updates.
+**/konflux.*Dockerfile  @stackrox/rhtap-maintainers
+/.konflux/              @stackrox/rhtap-maintainers
+/.tekton/               @stackrox/rhtap-maintainers
+rpms.*                  @stackrox/rhtap-maintainers

.github/renovate.json5

@@ -3,16 +3,18 @@
 
   // After making changes to this file, you can validate it by running something like this in the root of the repo:
   // $ docker run --rm -it --entrypoint=renovate-config-validator -v "$(pwd)":/mnt -w /mnt renovate/renovate --strict
+  // Note: ignore errors about the config for `rpm`. This is to be addressed with https://issues.redhat.com/browse/CWFHEALTH-4117
   // There are more validation options, see https://docs.renovatebot.com/config-validation/
 
   "$schema": "https://docs.renovatebot.com/renovate-schema.json",
   "extends": [
-    // This inherits the base Konflux config.
-    // Clickable link https://github.com/konflux-ci/mintmaker/blob/main/config/renovate/renovate.json
-    // The following was used as example (we may want to check it if the base config gets suddenly moved):
+    // Note that the base Konflux's MintMaker config gets inherited/included automatically per
+    // https://redhat-internal.slack.com/archives/C04PZ7H0VA8/p1745492139282819?thread_ts=1745309786.090319&cid=C04PZ7H0VA8
+    // The config is: https://github.com/konflux-ci/mintmaker/blob/main/config/renovate/renovate.json
+    // We found out about it here (we may want to check that location if the base config gets suddenly moved):
     // https://github.com/enterprise-contract/ec-cli/blob/407847910ad420850385eea1db78e2a2e49c7e25/renovate.json#L1C1-L7C2
-    "github>konflux-ci/mintmaker//config/renovate/renovate.json",
-    // This tells Renovate to combine all updates in one PR so that we have less PRs to deal with.
+
+    // This tells Renovate to combine all updates in one PR so that we have fewer PRs to deal with.
     "group:all",
   ],
   "timezone": "Etc/UTC",
@@ -27,21 +29,46 @@
   "updateNotScheduled": false,
   "tekton": {
     "schedule": [
-      // For some reason, Konflux config defines custom schedule on each type of dependency manager and that takes
-      // precedence over the global/default schedule. We want our own schedule and hence need to make this override.
+      // Override Konflux custom schedule for this manager to our intended one.
       "after 3am and before 7am",
     ],
+    "packageRules": [
+      // Note: the packageRules from the Konflux config (find URL in comments above) get merged with these.
+      {
+        "groupName": "StackRox custom Konflux Tasks",
+        "matchPackageNames": [
+          "/^quay.io/rhacs-eng/konflux-tasks/",
+        ],
+      },
+    ],
   },
   "dockerfile": {
     "includePaths": [
       // Instruct Renovate not try to update Dockerfiles other than konflux.Dockerfile (or konflux.anything.Dockerfile)
       // to have less PR noise.
       "**/*konflux*.Dockerfile",
     ],
+    "schedule": [
+      // Override Konflux custom schedule for this manager to our intended one.
+      "after 3am and before 7am",
+    ],
+    "postUpgradeTasks": {
+      "commands": [
+        // Refresh the rpm lockfile after updating image references in the dockerfile.
+        "rpm-lockfile-prototype rpms.in.yaml",
+      ],
+    },
+  },
+  "rpm": {
+    "schedule": [
+      // Override Konflux custom schedule for this manager to our intended one.
+      "after 3am and before 7am",
+    ],
   },
   "enabledManagers": [
     // Restrict Renovate focus on Konflux things since we rely on GitHub's dependabot for everything else.
     "tekton",
     "dockerfile",
+    "rpm",
   ],
 }

.syft.yaml

@@ -0,0 +1,8 @@
+# Konflux uses Syft to generate container SBOMs.
+# Syft config docs https://github.com/anchore/syft/wiki/configuration
+
+# Here we exclude files checked in this repo for testing purposes from being parsed and merged into SBOM.
+# This is in particular to prevent rpm packages from `./pkg/rhelv2/rpm/testdata/rpmdb.sqlite` and similar to be included
+# in the SBOMs of built containers.
+exclude:
+- ./**/testdata/**

.tekton/scanner-build.yaml

@@ -36,18 +36,21 @@ spec:
   - name: image-expires-after
     value: '13w'
   - name: output-image-repo
-    value: quay.io/rhacs-eng/scanner
+    value: quay.io/rhacs-eng/release-scanner
   - name: path-context
     value: .
   - name: revision
     value: '{{revision}}'
   - name: rebuild
     value: 'true'
-  # TODO(ROX-20234): Enable hermetic builds
-  # - name: hermetic
-  #   value: "true"
+  - name: hermetic
+    value: "true"
   - name: prefetch-input
-    value: '{"type": "gomod", "path": "."}'
+    value: |
+      [
+        { "type": "gomod", "path": "." },
+        { "type": "rpm", "path": "." }
+      ]
   - name: build-source-image
     value: 'true'
   - name: build-target-stage
@@ -76,6 +79,9 @@ spec:
         requests:
           cpu: 2
 
+  taskRunTemplate:
+    serviceAccountName: build-pipeline-scanner
+
   # Multiarch builds sometimes make the pipeline timeout after 1h.
   # Tagged builds wait for blobs to be published which takes about 1h.
   timeouts: