feat(RELEASE-1400): add references in populate-release-notes task

This commit renames the populate-release-notes-images task to populate-release-notes. The new version of the task adds references if the type is RHSA. One is a static reference and there is also a reference added per CVE listed in releaseNotes. Because references will no longer need to be passed for RHBA or RHEA as part of this work, this commit also updates the schema to not require references when using releaseNotes. Signed-off-by: Johnny Bieren <[email protected]>
konflux-ci · Feb 4, 2025 · 0dc48cb · 0dc48cb
1 parent b9a01d9
commit 0dc48cb
Show file tree

Hide file tree

Showing 15 changed files with 319 additions and 32 deletions.
diff --git a/pipelines/managed/rh-advisories/README.md b/pipelines/managed/rh-advisories/README.md
@@ -23,6 +23,9 @@ the rh-push-to-registry-redhat-io pipeline.
 | taskGitUrl                      | The url to the git repo where the release-service-catalog tasks to be used are stored                                              | Yes      | https://github.com/konflux-ci/release-service-catalog.git |
 | taskGitRevision                 | The revision in the taskGitUrl repo to be used                                                                                     | No       | -                                                         |
 
+## Changes in 1.9.0
+* Task `populate-release-notes-images` renamed to `populate-release-notes`
+
 ## Changes in 1.8.4
 * Pass taskGitUrl and taskGitRevision to create-advisory task
 

diff --git a/pipelines/managed/rh-advisories/rh-advisories.yaml b/pipelines/managed/rh-advisories/rh-advisories.yaml
@@ -4,7 +4,7 @@ kind: Pipeline
 metadata:
   name: rh-advisories
   labels:
-    app.kubernetes.io/version: "1.8.4"
+    app.kubernetes.io/version: "1.9.0"
   annotations:
     tekton.dev/pipelines.minVersion: "0.12.1"
     tekton.dev/tags: release
@@ -226,7 +226,7 @@ spec:
           workspace: release-workspace
       runAfter:
         - apply-mapping
-    - name: populate-release-notes-images
+    - name: populate-release-notes
       params:
         - name: dataPath
           value: "$(tasks.collect-data.results.data)"
@@ -239,7 +239,7 @@ spec:
           - name: revision
             value: $(params.taskGitRevision)
           - name: pathInRepo
-            value: tasks/managed/populate-release-notes-images/populate-release-notes-images.yaml
+            value: tasks/managed/populate-release-notes/populate-release-notes.yaml
         resolver: git
       runAfter:
         - apply-mapping
@@ -269,7 +269,7 @@ spec:
         - name: data
           workspace: release-workspace
       runAfter:
-        - populate-release-notes-images
+        - populate-release-notes
     - name: collect-cosign-params
       taskRef:
         resolver: "git"
@@ -504,14 +504,14 @@ spec:
           workspace: release-workspace
       params:
         - name: sbomJsonPath
-          value: "$(tasks.populate-release-notes-images.results.sbomDataPath)"
+          value: "$(tasks.populate-release-notes.results.sbomDataPath)"
         - name: downloadedSbomPath
           value: "$(tasks.push-rpm-data-to-pyxis.results.sbomPath)"
       runAfter:
         - collect-data
         - collect-atlas-params
         - push-rpm-data-to-pyxis
-        - populate-release-notes-images
+        - populate-release-notes
     - name: upload-component-sbom
       when:
         - input: "$(tasks.collect-atlas-params.results.secretName)"
@@ -596,7 +596,7 @@ spec:
         - name: data
           workspace: release-workspace
       runAfter:
-        - populate-release-notes-images
+        - populate-release-notes
     - name: collect-atlas-params
       taskRef:
         resolver: "git"
@@ -637,7 +637,7 @@ spec:
           workspace: release-workspace
       runAfter:
         - collect-atlas-params
-        - populate-release-notes-images
+        - populate-release-notes
     - name: upload-product-sbom
       when:
         - input: "$(tasks.collect-atlas-params.results.secretName)"

diff --git a/schema/dataKeys.json b/schema/dataKeys.json
@@ -642,7 +642,6 @@
               "topic",
               "description",
               "solution",
-              "references",
               "content"
             ],
             "properties": {

diff --git a/...d/populate-release-notes-images/README.md → .../managed/populate-release-notes/README.md b/...d/populate-release-notes-images/README.md → .../managed/populate-release-notes/README.md
@@ -1,6 +1,6 @@
-# populate-release-notes-images
+# populate-release-notes
 
-Tekton task to populate the releaseNotes.content.images key in the data.json
+Tekton task to populate fields of the releaseNotes  key in the data.json
 file. It will update the data.json in place so that downstream tasks relying on
 the releaseNotes data can use it. Additionally, it outputs a result with the
 path to a file containing data used in component SBOM generation.
@@ -12,6 +12,10 @@ path to a file containing data used in component SBOM generation.
 | dataPath     | Path to the JSON string of the merged data to update                 | No       | -             |
 | snapshotPath | Path to the JSON string of the mapped Snapshot in the data workspace | No       | -             |
 
+## Changes in 3.0.0
+* Task renamed from `populate-release-notes-images` to `populate-release-notes`
+* Task will now inject references if the `releaseNotes.type` is `RHSA`
+
 ## Changes in 2.3.1
 * Fix shellcheck/checkton linting issues in the task and tests
 

diff --git a/...images/populate-release-notes-images.yaml → ...release-notes/populate-release-notes.yaml b/...images/populate-release-notes-images.yaml → ...release-notes/populate-release-notes.yaml
@@ -2,15 +2,15 @@
 apiVersion: tekton.dev/v1
 kind: Task
 metadata:
-  name: populate-release-notes-images
+  name: populate-release-notes
   labels:
-    app.kubernetes.io/version: "2.3.1"
+    app.kubernetes.io/version: "3.0.0"
   annotations:
     tekton.dev/pipelines.minVersion: "0.12.1"
     tekton.dev/tags: release
 spec:
   description: >-
-    Tekton task to populate the releaseNotes.content.images key in the data.json file
+    Tekton task to populate releaseNotes keys in the data.json file
   params:
     - name: dataPath
       description: Path to the JSON string of the merged data to use
@@ -141,3 +141,35 @@ spec:
                     /tmp/sbomData.tmp && mv /tmp/sbomData.tmp "${sbomDataPath}"
             done
         done
+    - name: populate-release-notes-references
+      image: quay.io/konflux-ci/release-service-utils:e633d51cd41d73e4b3310face21bb980af7a662f
+      script: |
+        #!/usr/bin/env bash
+        set -ex
+
+        DATA_FILE="$(workspaces.data.path)/$(params.dataPath)"
+        if [ ! -f "${DATA_FILE}" ] ; then
+            echo "No data JSON was provided."
+            exit 1
+        fi
+
+        if [ "$(jq -r '.releaseNotes.type' "${DATA_FILE}")" != "RHSA" ] ; then
+            echo "Type is not RHSA. Not adding references"
+            exit 0
+        fi
+
+        # Inject classification link into data.json references
+        jq '.releaseNotes.references += ["https://access.redhat.com/security/updates/classification/"]' \
+            "${DATA_FILE}" > /tmp/data.tmp && mv /tmp/data.tmp "${DATA_FILE}"
+
+        NUM_CVES=$(jq '.releaseNotes.cves | length' "${DATA_FILE}")
+        for ((i = 0; i < NUM_CVES; i++))
+        do
+            cve=$(jq -r --argjson i "$i" '.releaseNotes.cves[$i].key' "${DATA_FILE}")
+            # Inject cve link into data.json references
+            jq --arg cve "$cve" '.releaseNotes.references += ["https://access.redhat.com/security/cve/\($cve)"]' \
+                "${DATA_FILE}" > /tmp/data.tmp && mv /tmp/data.tmp "${DATA_FILE}"
+        done
+
+        # Remove duplicate references
+        jq '.releaseNotes.references |= unique' "${DATA_FILE}" > /tmp/data.tmp && mv /tmp/data.tmp "${DATA_FILE}"
diff --git a/...ulate-release-notes-images/tests/mocks.sh → ...ged/populate-release-notes/tests/mocks.sh b/...ulate-release-notes-images/tests/mocks.sh → ...ged/populate-release-notes/tests/mocks.sh
diff --git a/...notes-images/tests/pre-apply-task-hook.sh → ...elease-notes/tests/pre-apply-task-hook.sh b/...notes-images/tests/pre-apply-task-hook.sh → ...elease-notes/tests/pre-apply-task-hook.sh
diff --git a/...late-release-notes-images-cves-added.yaml → ...st-populate-release-notes-cves-added.yaml b/...late-release-notes-images-cves-added.yaml → ...st-populate-release-notes-cves-added.yaml
@@ -2,10 +2,10 @@
 apiVersion: tekton.dev/v1
 kind: Pipeline
 metadata:
-  name: test-populate-release-notes-images-cves-added
+  name: test-populate-release-notes-cves-added
 spec:
   description: |
-    Run the populate-release-notes-images task and ensure CVE information present in the data.json
+    Run the populate-release-notes task and ensure CVE information present in the data.json
     is properly included in the releaseNotes.content.images.
   workspaces:
     - name: tests-workspace
@@ -104,7 +104,7 @@ spec:
               EOF
     - name: run-task
       taskRef:
-        name: populate-release-notes-images
+        name: populate-release-notes
       params:
         - name: dataPath
           value: "data.json"

diff --git a/...lease-notes-images-fail-missing-data.yaml → ...late-release-notes-fail-missing-data.yaml b/...lease-notes-images-fail-missing-data.yaml → ...late-release-notes-fail-missing-data.yaml
@@ -2,12 +2,12 @@
 apiVersion: tekton.dev/v1
 kind: Pipeline
 metadata:
-  name: test-populate-release-notes-images-fail-missing-data
+  name: test-populate-release-notes-fail-missing-data
   annotations:
     test/assert-task-failure: "run-task"
 spec:
   description: |
-    Run the populate-release-notes-images task without a data JSON and verify that the task fails as expected.
+    Run the populate-release-notes task without a data JSON and verify that the task fails as expected.
   workspaces:
     - name: tests-workspace
   tasks:
@@ -44,7 +44,7 @@ spec:
               EOF
     - name: run-task
       taskRef:
-        name: populate-release-notes-images
+        name: populate-release-notes
       params:
         - name: dataPath
           value: "missing.json"

diff --git a/...e-notes-images-fail-missing-snapshot.yaml → ...-release-notes-fail-missing-snapshot.yaml b/...e-notes-images-fail-missing-snapshot.yaml → ...-release-notes-fail-missing-snapshot.yaml
@@ -2,12 +2,12 @@
 apiVersion: tekton.dev/v1
 kind: Pipeline
 metadata:
-  name: test-populate-release-notes-images-fail-missing-snapshot
+  name: test-populate-release-notes-fail-missing-snapshot
   annotations:
     test/assert-task-failure: "run-task"
 spec:
   description: |
-    Run the populate-release-notes-images task without a snapshot JSON and verify that the task fails as expected.
+    Run the populate-release-notes task without a snapshot JSON and verify that the task fails as expected.
   workspaces:
     - name: tests-workspace
   tasks:
@@ -57,7 +57,7 @@ spec:
               EOF
     - name: run-task
       taskRef:
-        name: populate-release-notes-images
+        name: populate-release-notes
       params:
         - name: dataPath
           value: "data.json"

diff --git a/...release-notes-images-multiple-images.yaml → ...pulate-release-notes-multiple-images.yaml b/...release-notes-images-multiple-images.yaml → ...pulate-release-notes-multiple-images.yaml
@@ -2,10 +2,10 @@
 apiVersion: tekton.dev/v1
 kind: Pipeline
 metadata:
-  name: test-populate-release-notes-images-multiple-images
+  name: test-populate-release-notes-multiple-images
 spec:
   description: |
-    Run the populate-release-notes-images task with multiple images in the snapshot JSON and verify
+    Run the populate-release-notes task with multiple images in the snapshot JSON and verify
     the data JSON has the proper content
   workspaces:
     - name: tests-workspace
@@ -86,7 +86,7 @@ spec:
               EOF
     - name: run-task
       taskRef:
-        name: populate-release-notes-images
+        name: populate-release-notes
       params:
         - name: dataPath
           value: "data.json"

diff --git a/...te-release-notes-images-no-overwrite.yaml → ...-populate-release-notes-no-overwrite.yaml b/...te-release-notes-images-no-overwrite.yaml → ...-populate-release-notes-no-overwrite.yaml
@@ -2,10 +2,10 @@
 apiVersion: tekton.dev/v1
 kind: Pipeline
 metadata:
-  name: test-populate-release-notes-images-no-overwrite
+  name: test-populate-release-notes-no-overwrite
 spec:
   description: |
-    Run the populate-release-notes-images task and ensure existing information in the
+    Run the populate-release-notes task and ensure existing information in the
     releaseNotes.content.images section of the data JSON is not overwritten
   workspaces:
     - name: tests-workspace
@@ -81,7 +81,7 @@ spec:
               EOF
     - name: run-task
       taskRef:
-        name: populate-release-notes-images
+        name: populate-release-notes
       params:
         - name: dataPath
           value: "data.json"

diff --git a/...managed/populate-release-notes/tests/test-populate-release-notes-non-rhsa-references.yaml b/...managed/populate-release-notes/tests/test-populate-release-notes-non-rhsa-references.yaml
@@ -0,0 +1,103 @@
+---
+apiVersion: tekton.dev/v1
+kind: Pipeline
+metadata:
+  name: test-populate-release-notes-non-rhsa-references
+spec:
+  description: |
+    Run the populate-release-notes task with a type that is RHSA. Ensure that no additional references
+    are added
+  workspaces:
+    - name: tests-workspace
+  tasks:
+    - name: setup
+      workspaces:
+        - name: data
+          workspace: tests-workspace
+      taskSpec:
+        workspaces:
+          - name: data
+        steps:
+          - name: setup
+            image: quay.io/konflux-ci/release-service-utils:e633d51cd41d73e4b3310face21bb980af7a662f
+            script: |
+              #!/usr/bin/env sh
+              set -eux
+
+              cat > "$(workspaces.data.path)/data.json" << EOF
+              {
+                "releaseNotes": {
+                  "product_id": 123,
+                  "product_name": "Red Hat Openstack Product",
+                  "product_version": "123",
+                  "cpe": "cpe:/a:example:openstack:el8",
+                  "type": "RHBA",
+                  "issues": {
+                    "fixed": [
+                      {
+                        "id": "RHOSP-12345",
+                        "source": "issues.example.com"
+                      },
+                      {
+                        "id": 1234567,
+                        "source": "bugzilla.example.com"
+                      }
+                    ]
+                  },
+                  "synopsis": "test synopsis",
+                  "topic": "test topic",
+                  "description": "test description",
+                  "solution": "test solution",
+                  "references": []
+                }
+              }
+              EOF
+
+              cat > "$(workspaces.data.path)/snapshot.json" << EOF
+              {
+                "application": "myapp",
+                "components": [
+                  {
+                    "name": "comp",
+                    "containerImage": "registry.io/image@sha256:123456",
+                    "repository": "quay.io/redhat-prod/product----repo",
+                    "rh-registry-repo": "registry.redhat.io/product/repo",
+                    "tags": [
+                      "foo",
+                      "bar"
+                    ]
+                  }
+                ]
+              }
+              EOF
+    - name: run-task
+      taskRef:
+        name: populate-release-notes
+      params:
+        - name: dataPath
+          value: "data.json"
+        - name: snapshotPath
+          value: "snapshot.json"
+      workspaces:
+        - name: data
+          workspace: tests-workspace
+      runAfter:
+        - setup
+    - name: check-result
+      workspaces:
+        - name: data
+          workspace: tests-workspace
+      taskSpec:
+        workspaces:
+          - name: data
+        steps:
+          - name: check-result
+            image: quay.io/konflux-ci/release-service-utils:e633d51cd41d73e4b3310face21bb980af7a662f
+            script: |
+              #!/usr/bin/env sh
+              set -eux
+
+              test "$(jq '.releaseNotes.references | length' "$(workspaces.data.path)/data.json")" \
+                == 0
+      runAfter:
+        - run-task