ROX-20753: Add scanner RHTAP build pipeline #1334

Conversation
Images are ready for the commit at 6360f8f. To use the images, use the tag
I removed all the commits from this PR branch committed since I had switched from downloading the vuln dump to generating it. In other words, I just switched back to downloading the vuln dump from GCS.
/retest
all makes sense, please update the comment in the .containerignore.
Formatting of the Tekton Pipeline files is different from the ones we already have, but we have a reconcile planned already.
A few differences from the standard RHTAP build pipeline:

* Use of 6GB buildah image to avoid OOMs during container build task
* There is an extra step to fetch the vuln feed data. This is done outside of the build step to make hermetic builds easier. The vuln feed data script pulls the definitions from the Google storage location and writes them to the "source" folder of the "source" workspace which is shared by the build-container task. This task will build using `image/scanner/rhtap/Dockerfile`, which expects the vuln files to be in the buildah working directory.

I decided to create a separate dockerfile for RHTAP to avoid any regressions with modifying the existing ones. The dockerfile was created using a combination of the upstream and downstream dockerfiles.

Current RHTAP build trigger config:

* PRs will only build in RHTAP when "rhtap" is in the branch name
* Pushes to master will trigger an RHTAP build
This will hopefully fix an intermittent issue where the vuln feed zip files disappear from the workspace before they make it to the build step.
Everything from this round is minor.
ClamAV is something that can block the merge (semantically, not technically) if it fails EC (I left a separate comment about it).
It's actually stolen from #1334 with small modifications.
@kylape Here's what I meant by unifying the script - #1395. Note that I had to rebase on I suggest you merge this #1334 as-is, and then either of us can refresh #1395 and publish for review. This way we don't hold #1334 from merging.
@kylape: The following test failed, say
Full PR test history. Your PR dashboard. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.
Co-authored-by: red-hat-konflux <123456+red-hat-konflux[bot]@users.noreply.github.com>