Backport konflux changes to 3.20 (stackrox 4.6)

.github/CODEOWNERS

@@ -8,7 +8,8 @@
 RELEASED_VERSIONS               @stackrox/collector-team
 RELEASED_VERSIONS.unsupported   @stackrox/collector-team
 
-# The RHTAP maintainers for ACS review all changes related to the RHTAP pipelines, such as new pipelines,
-# parameter changes or automated task updates.
-/.tekton/   @stackrox/rhtap-maintainers
-/.konflux/  @stackrox/rhtap-maintainers
+# The RHTAP maintainers for ACS review all changes related to the Konflux (f.k.a. RHTAP) pipelines, such as new
+# pipelines, parameter changes or automated task updates as well as Dockerfile updates.
+**/konflux.*Dockerfile  @stackrox/rhtap-maintainers
+/.tekton/               @stackrox/rhtap-maintainers
+rpms.*                  @stackrox/rhtap-maintainers

.github/renovate.json5

@@ -2,37 +2,73 @@
   // This configures Konflux Renovate bot, the thing that keeps our pipelines use up-to-date tasks.
 
   // After making changes to this file, you can validate it by running something like this in the root of the repo:
-  // $ docker run --rm -it --entrypoint=/usr/local/bin/renovate-config-validator -v "$(pwd)":/mnt -w /mnt renovate/renovate --strict
+  // $ docker run --rm -it --entrypoint=renovate-config-validator -v "$(pwd)":/mnt -w /mnt renovate/renovate --strict
+  // Note: ignore errors about the config for `rpm`. This is to be addressed with https://issues.redhat.com/browse/CWFHEALTH-4117
   // There are more validation options, see https://docs.renovatebot.com/config-validation/
 
   "$schema": "https://docs.renovatebot.com/renovate-schema.json",
   "extends": [
-    // This inherits the base Konflux config.
-    // Clickable link https://github.com/konflux-ci/mintmaker/blob/main/config/renovate/renovate.json
-    // The following was used as example (we may want to check it if the base config gets suddenly moved):
+    // Note that the base Konflux's MintMaker config gets inherited/included automatically per
+    // https://redhat-internal.slack.com/archives/C04PZ7H0VA8/p1745492139282819?thread_ts=1745309786.090319&cid=C04PZ7H0VA8
+    // The config is: https://github.com/konflux-ci/mintmaker/blob/main/config/renovate/renovate.json
+    // We found out about it here (we may want to check that location if the base config gets suddenly moved):
     // https://github.com/enterprise-contract/ec-cli/blob/407847910ad420850385eea1db78e2a2e49c7e25/renovate.json#L1C1-L7C2
-    "github>konflux-ci/mintmaker//config/renovate/renovate.json"
+
+    // This tells Renovate to combine all updates in one PR so that we have fewer PRs to deal with.
+    "group:all",
   ],
   "timezone": "Etc/UTC",
   "schedule": [
     // Allowed syntax: https://docs.renovatebot.com/configuration-options/#schedule
     // The time was selected (with the help of https://time.fyi/timezones) so that Renovate isn't active during business
     // hours from Germany to US West Coast. This way, after we merge a PR, a new one does not pop up immediately after
     // that.
-    "after 3am and before 7am"
+    "after 3am and before 7am",
   ],
   // Tell Renovate not to update PRs when outside of schedule.
   "updateNotScheduled": false,
+  "tekton": {
+    "schedule": [
+      // Override Konflux custom schedule for this manager to our intended one.
+      "after 3am and before 7am",
+    ],
+    "packageRules": [
+      // Note: the packageRules from the Konflux config (find URL in comments above) get merged with these.
+      {
+        "groupName": "StackRox custom Konflux Tasks",
+        "matchPackageNames": [
+          "/^quay.io/rhacs-eng/konflux-tasks/",
+        ],
+      },
+    ],
+  },
   "dockerfile": {
     "includePaths": [
       // Instruct Renovate not try to update Dockerfiles other than konflux.Dockerfile (or konflux.anything.Dockerfile)
       // to have less PR noise.
       "**/*konflux*.Dockerfile",
     ],
+    "schedule": [
+      // Override Konflux custom schedule for this manager to our intended one.
+      "after 3am and before 7am",
+    ],
+    "postUpgradeTasks": {
+      "commands": [
+        // Refresh the rpm lockfile after updating image references in the dockerfile.
+        "rpm-lockfile-prototype rpms.in.yaml",
+      ],
+    },
+  },
+  "rpm": {
+    "schedule": [
+      // Override Konflux custom schedule for this manager to our intended one.
+      "after 3am and before 7am",
+    ],
   },
   "enabledManagers": [
     // Restrict Renovate focus on Konflux things since we rely on GitHub's dependabot for everything else.
     "tekton",
     "dockerfile",
+    "rpm",
   ],
 }

.github/workflows/integration-test-containers.yml

@@ -16,6 +16,10 @@ on:
         type: boolean
         required: true
         description: Whether the QA containers should be rebuilt
+      is-konflux:
+        type: boolean
+        default: false
+        description: The current workflow is tied to konflux
     outputs:
       collector-tests-tag:
         description: The tag used for the integration test image
@@ -75,11 +79,11 @@ jobs:
 
       - name: Create Ansible Vars (inc. Secrets)
         run: |
-          {
-            echo "---"
-            echo "rhacs_eng_username: ${{ secrets.QUAY_RHACS_ENG_RW_USERNAME }}"
-            echo "rhacs_eng_password: ${{ secrets.QUAY_RHACS_ENG_RW_PASSWORD }}"
-          } > ${{ github.workspace }}/ansible/secrets.yml
+          cat << EOF > ${{ github.workspace }}/ansible/secrets.yml
+          ---
+          rhacs_eng_username: ${{ secrets.QUAY_RHACS_ENG_RW_USERNAME }}
+          rhacs_eng_password: ${{ secrets.QUAY_RHACS_ENG_RW_PASSWORD }}
+          EOF
 
           if [[ "${RUNNER_DEBUG}" == "1" ]]; then
             echo "ANSIBLE_STDOUT_CALLBACK=debug" >> "${GITHUB_ENV}"
@@ -98,12 +102,32 @@ jobs:
           echo "COLLECTOR_TESTS_TAG=${COLLECTOR_TESTS_TAG}" >> "$GITHUB_ENV"
           echo "collector-tests-tag=${COLLECTOR_TESTS_TAG}" >> "$GITHUB_OUTPUT"
 
+      - name: Check if multiarch is needed
+        run: |
+          BUILD_MULTI_ARCH="false"
+
+          if [[ "${GITHUB_EVENT_NAME}" != "pull_request" ]]; then
+            BUILD_MULTI_ARCH="true"
+          fi
+
+          if [[ "${{ inputs.is-konflux }}" == "true" ]]; then
+            BUILD_MULTI_ARCH="true"
+          fi
+
+          if [[ "${{ contains(github.event.pull_request.labels.*.name, 'run-multiarch-builds') }}" == "true" ]]; then
+            BUILD_MULTI_ARCH="true"
+          fi
+
+          if [[ "${{ contains(github.event.pull_request.labels.*.name, 'run-cpaas-steps') }}" == "true" ]]; then
+            BUILD_MULTI_ARCH="true"
+          fi
+
+          echo "BUILD_MULTI_ARCH=${BUILD_MULTI_ARCH}" >> "$GITHUB_ENV"
+
       - name: Build images
         run: |
           ansible-galaxy install -r ansible/requirements.yml
 
-          BUILD_MULTI_ARCH="${{ contains(github.event.pull_request.labels.*.name, 'run-multiarch-builds') || contains(github.event.pull_request.labels.*.name, 'run-cpaas-steps') || github.event_name == 'push' || github.event_name == 'schedule' }}"
-
           # build_multi_arch passed in as json to ensure boolean type
           ansible-playbook \
             --connection local -i localhost, --limit localhost \
@@ -151,6 +175,8 @@ jobs:
 
       - name: Set up QEMU
         uses: docker/setup-qemu-action@v3
+        with:
+          image: tonistiigi/binfmt:qemu-v9.2.2
 
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v3

.github/workflows/k8s-integration-tests.yml

@@ -3,6 +3,11 @@ name: K8S based integration tests
 on:
   workflow_call:
    inputs:
+      collector-repo:
+        description: |
+          Optional repository to use for the collector image
+        type: string
+        default: "quay.io/rhacs-eng/collector"
       collector-tag:
         description: |
           Tag used for running the integration tests
@@ -22,7 +27,7 @@ on:
 env:
   ANSIBLE_CONFIG: ${{ github.workspace }}/ansible/ansible.cfg
   COLLECTOR_TESTS_IMAGE: quay.io/rhacs-eng/collector-tests:${{ inputs.collector-tests-tag }}
-  COLLECTOR_IMAGE: quay.io/rhacs-eng/collector:${{ inputs.collector-tag }}
+  COLLECTOR_IMAGE: ${{ inputs.collector-repo }}:${{ inputs.collector-tag }}
 
 jobs:
   k8s-integration-tests:

.github/workflows/konflux.yml

@@ -45,7 +45,8 @@ jobs:
 
       - id: generate-tag
         run: |
-          echo "collector-tag=$(make tag)-fast" >> "$GITHUB_OUTPUT"
+          COLLECTOR_TAG="$(make tag)-fast"
+          echo "collector-tag=${COLLECTOR_TAG}" >> "$GITHUB_OUTPUT"
 
           COLLECTOR_QA_TAG="$(cat ${{ github.workspace }}/integration-tests/container/QA_TAG)"
           if [[ "${GITHUB_EVENT_NAME}" == "pull_request" && "${{ steps.filter.outputs.container }}" == "true" ]]; then
@@ -62,7 +63,7 @@ jobs:
       - uses: stackrox/actions/release/wait-for-image@v1
         with:
           token: ${{ secrets.QUAY_RHACS_ENG_BEARER_TOKEN }}
-          image: rhacs-eng/collector:${{ needs.init.outputs.collector-tag }}
+          image: rhacs-eng/release-collector:${{ needs.init.outputs.collector-tag }}
           limit: 9000 # 2h30m
 
   integration-tests-containers:
@@ -73,6 +74,7 @@ jobs:
       collector-tag: ${{ needs.init.outputs.collector-tag }}
       collector-qa-tag: ${{ needs.init.outputs.collector-qa-tag }}
       rebuild-qa-containers: ${{ needs.init.outputs.rebuild-qa-containers == 'true' }}
+      is-konflux: true
     secrets: inherit
 
   run-konflux-tests:
@@ -82,6 +84,7 @@ jobs:
     - wait-for-images
     - integration-tests-containers
     with:
+      collector-repo: quay.io/rhacs-eng/release-collector
       collector-tag: ${{ needs.init.outputs.collector-tag }}
       collector-qa-tag: ${{ needs.init.outputs.collector-qa-tag }}
       collector-tests-tag: ${{ needs.integration-tests-containers.outputs.collector-tests-tag }}
@@ -93,6 +96,7 @@ jobs:
   k8s-integration-tests:
     uses: ./.github/workflows/k8s-integration-tests.yml
     with:
+      collector-repo: quay.io/rhacs-eng/release-collector
       collector-tag: ${{ needs.init.outputs.collector-tag }}
       collector-qa-tag: ${{ needs.init.outputs.collector-qa-tag }}
       collector-tests-tag: ${{ needs.integration-tests-containers.outputs.collector-tests-tag }}

.github/workflows/main.yml

@@ -89,7 +89,7 @@ jobs:
 
       - name: Run unit tests
         run: |
-          ctest -V --test-dir cmake-build
+          ctest --no-tests=error -V --test-dir cmake-build
 
   integration-tests:
     uses: ./.github/workflows/integration-tests.yml