
Commit c091e5d

committed
Add index audit Github workflow
This commit adds a workflow that audits project.yaml and the ClusterServiceVersion (CSV) manifest to validate that all images exist and that all images which share a source repository were built from the same revision.
1 parent 2d5a876 commit c091e5d

2 files changed

Lines changed: 122 additions & 0 deletions


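--- a/.github/audit-project.sh
+++ b/.github/audit-project.sh
@@ -0,0 +1,89 @@
+#!/usr/bin/bash
+
+set -euo pipefail
+
+
+function check_images() {
+context=${1}
+source_file="${PWD}/${2}"
+images_file="${PWD}/${3}"
+
+errors="$PWD/errors.txt"
+[[ -e "${errors}" ]] && rm "${errors}"
+[[ -d repos ]] && rm -r repos
+[[ -d images ]] && rm -r images
+mkdir repos
+mkdir images
+
+while read -r image; do
+echo "Checking ${image}"
+if [[ "${image}" != *"openshift-pipeline"* ]] && [[ "${image}" != *"tekton"* ]]; then
+echo "Skipping ${image}, not an openshift pipelines image"
+continue
+fi
+
+image_data=$(skopeo inspect --config "docker://${image}" || echo '{}')
+if [[ "${image_data}" == '{}' ]]; then
+grep -n "${image}" "${source_file}" | cut -d ':' -f1| while read -r line_no; do
+echo "::error file=${source_file},line=${line_no},title=Missing image in ${context}::Could not fetch ${image}"
+done
+
+echo "- Image ${image} not found" >> "${errors}"
+continue
+fi
+labels=$(echo "${image_data}" | jq '.config.Labels')
+repository=$(echo -n "${labels}" | jq -r '.["io.openshift.build.source-location"]')
+revision=$(echo -n "${labels}" | jq -r '.["io.openshift.build.commit.id"]')
+if [[ -z "${repository}" ]]; then
+echo "Unable to find source location for ${image}"
+else
+repository=$(echo "${repository}" | cut -d '/' -f 4- | tr '/' '_')
+fi
+echo "${revision}" >> "repos/${repository}"
+echo "${image}" >> "images/${revision}"
+done < "${images_file}"
+
+# Separate fetching errors from validation errors
+[[ -e "${errors}" ]] && echo -e "\n---\n" >> "${errors}"
+
+pushd repos
+trap "popd" RETURN
+for repo in *; do
+revisions="$(sort "${repo}"| uniq)"
+
+if [[ "$(echo "${revisions}" | wc -l)" -ne "1" ]]; then
+echo "## ${repo} has images from multiple revisions:" | tee -a "$errors"
+echo "${revisions}" | while read -r revision; do
+all_images=$(sort "../images/${revision}" | uniq)
+all_revisions_oneline=$(echo "${revisions}" | xargs)
+echo -e "### Revision ${revision}:" | tee -a "$errors"
+echo "${all_images}" | sed 's/^/- image `/g; s/$/`/g' | tee -a "${errors}"
+echo "${all_images}" | while read -r image; do
+grep -n "${image}" "${source_file}" | cut -d ':' -f1 | while read -r line_no; do
+echo "::warning file=${source_file},line=${line_no},title=Inconsistent source commits::repository: ${repo}, revision: ${revision}, images reference revisions: ${all_revisions_oneline}"
+done
+done
+done
+fi
+done
+
+if [[ -e "${errors}" ]]; then
+echo "# Errors detected in ${context}" | tee -a "${GITHUB_STEP_SUMMARY}"
+tee -a "${GITHUB_STEP_SUMMARY}" < "${errors}"
+fi
+}
+
+echo "::group:: Checking project.yaml"
+yq eval '.images[].value' project.yaml | sort | uniq > images.txt
+check_images "project.yaml" project.yaml images.txt
+echo "::endgroup::"
+
+
+echo "::group:: Checking Cluster Service Version"
+yq eval '.spec.relatedImages[].image' .konflux/olm-catalog/bundle/manifests/openshift-pipelines-operator-rh.clusterserviceversion.yaml | sort | uniq > csv_images.txt
+check_images "cluster service version" .konflux/olm-catalog/bundle/manifests/openshift-pipelines-operator-rh.clusterserviceversion.yaml csv_images.txt
+echo "::endgroup::"
+
+if [ -s "${GITHUB_STEP_SUMMARY}" ]; then
+exit 1
+fi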
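Review bot: The label values read at new lines 34–36 are turned into file names without validation, and `jq -r` prints the literal `null` for an absent label, so the `-z` test on line 37 never fires: images with no source labels all land in `repos/null` and pass the audit silently. `revision` comes from the config of an image named in a file that a pull request can edit, and it is appended to `images/${revision}` as-is, so a value containing `/` or `..` would address a path outside `images/`. I would read both labels with `// empty`, record an error and `continue` when either is missing or is not a plain name (assuming the commit label carries a hex git hash), and only then write the two files. Separately, `grep -n "${image}"` at lines 27 and 62 treats the image reference as a regex; `grep -nF -- "${image}"` matches it literally.

```shell
    # … unchanged: skopeo inspect and the missing-image branch …
    repository=$(jq -r '.config.Labels["io.openshift.build.source-location"] // empty' <<< "${image_data}" \
      | cut -d '/' -f 4- | tr '/' '_')
    revision=$(jq -r '.config.Labels["io.openshift.build.commit.id"] // empty' <<< "${image_data}")
    # Label values come from the image config: accept only plain names so
    # they cannot be empty, ".", ".." or contain a path separator.
    if [[ ! "${repository}" =~ ^[A-Za-z0-9][A-Za-z0-9._-]*$ || ! "${revision}" =~ ^[0-9a-fA-F]+$ ]]; then
      echo "- Image ${image} has missing or malformed source labels" >> "${errors}"
      continue
    fi
    echo "${revision}" >> "repos/${repository}"
    echo "${image}" >> "images/${revision}"
```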

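--- a/.github/workflows/audit-index.yaml
+++ b/.github/workflows/audit-index.yaml
@@ -0,0 +1,33 @@
+name: Audit bundle
+
+on:
+pull_request:
+branches:
+- next
+- release-*
+paths:
+- '.github/workflows/audit-index.yaml'
+- '.konflux/olm-catalog/bundle/manifests/openshift-pipelines-operator-rh.clusterserviceversion.yaml'
+- 'project.yaml'
+push:
+branches:
+- next
+- release-*
+paths:
+- '.github/workflows/audit-index.yaml'
+- '.konflux/olm-catalog/bundle/manifests/openshift-pipelines-operator-rh.clusterserviceversion.yaml'
+- 'project.yaml'
+workflow_dispatch:
+jobs:
+# Detect when a repository has multiple images but not
+# all images were built off the same revision
+audit-repositories-in-sync:
+runs-on: ubuntu-latest
+steps:
+- name: Checkout repository
+uses: actions/checkout@v4
+with:
+fetch-depth: 0
+- name: Collect images per repo
+run: .github/audit-project.sh
+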
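Review bot: The workflow declares no `permissions:` block, so the job's GITHUB_TOKEN gets whatever default the repository or organisation is configured with, although the job only checks out code and reads image metadata. A top-level `permissions:` with `contents: read`, plus `persist-credentials: false` under the checkout step's `with:`, would hold it to least privilege; `fetch-depth: 0` also looks unnecessary, since nothing in the visible script reads git history. The `paths:` filters at lines 9–11 and 17–19 omit `.github/audit-project.sh`, so a change to the audit script itself does not trigger the audit. Pinning `actions/checkout@v4` to a full commit SHA would also be worth considering.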
