OAPE-520: 4.22 chore: Rebase openshift/ocp-release-operator-sdk to upstream operator-framework/operator-sdk v1.42.1 #451
Changes from all commits
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,4 +1,4 @@ | ||
| build_root_image: | ||
| name: release | ||
| namespace: openshift | ||
| tag: rhel-9-release-golang-1.24-openshift-4.22 | ||
| tag: rhel-9-release-golang-1.25-openshift-4.22 |
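Review bot: the builder tag moves from Go 1.24 to Go 1.25; confirm the `go` directive (and any `toolchain` line) in `go.mod` was raised to match in the same rebase, otherwise the builder image and the module disagree about which toolchain builds the release. The PR title only mentions the operator-sdk v1.42.1 rebase, so the Go bump deserves a sentence in the description too.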
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,116 @@ | ||
| # SDK GPG Keys | ||
|
|
||
| ## Current *key*pers | ||
|
|
||
| The keys are currently in the hands of [Joe Lanford](https://github.com/joelanford/). | ||
|
|
||
| ## Transferring keys | ||
|
|
||
| In order to transfer the keys to other members of the Operator SDK admins, following the following: | ||
|
|
||
| 1. get public GPG key from the person(s) you will transfer to | ||
| 2. import their key into your keyring | ||
|
|
||
| ``` | ||
| gpg --import KEY | ||
| ``` | ||
|
|
||
| 3. verify their identity, is this really their key. Video call can be useful for this. | ||
| 4. sign their key | ||
|
|
||
| ``` | ||
| gpg --sign-key EMAIL-OF-USERS-KEY | ||
| ``` | ||
|
|
||
| 5. export the SDK public key | ||
|
|
||
| ``` | ||
| gpg --export --armor -o 3B2F1481D146238080B346BB052996E2A20B5C7E.pub .asc 3B2F1481D146238080B346BB052996E2A20B5C7 | ||
| ``` | ||
| 6. export the SDK private key | ||
|
|
||
| ``` | ||
| gpg --export-secret-key --armor -o 3B2F1481D146238080B346BB052996E2A2 0B5C7E.priv.asc 3B2F1481D146238080B346BB052996E2A20B5C7E | ||
| ``` | ||
| 7. export the SDK sub key | ||
|
|
||
| ``` | ||
| gpg --export-secret-subkeys --armor -o 3B2F1481D146238080B346BB052996 E2A20B5C7E.sub_priv.asc 3B2F1481D146238080B346BB052996E2A20B5C7E | ||
| ``` | ||
|
|
||
| 8. encrypt each key for the person | ||
|
|
||
| ``` | ||
| gpg --encrypt --sign --armor -r EMAIL-OF-USERS-KEY --output 052996E2A20B5C7E.subkey.private.asc.enc 052996E2A20B5C7E.subkey.private.asc | ||
| ``` | ||
|
|
||
| 9. send them the encrypted key to the user | ||
|
|
||
| 10. user should be able to decrypt with their key. | ||
|
|
||
| ## Updating expiration date | ||
|
|
||
| There will be a few people that have the keys. Those people should be able to update the expiration date. This won't have to be done until November 8, 2025. | ||
|
Expiration date appears to be outdated. The documentation states the expiration update "won't have to be done until November 8, 2025" but this date has already passed. Consider updating this reference or verifying that the key expiration has been extended.
||
|
|
||
| You will want to update the date of the key: | ||
|
|
||
| ``` | ||
| gpg --edit-key (key id) | ||
| ``` | ||
|
|
||
| Once you're in the gpg console select the key , there are 2, you need to update both. I just pick a 3 year term. | ||
|
|
||
| ``` | ||
| gpg> expire | ||
| (follow prompts) | ||
| 3y | ||
| gpg> save | ||
| ``` | ||
|
|
||
| You can use whatever term the team wants. | ||
|
|
||
| One of the resources I used: [How to change the expiration date of a GPG key](https://www.g-loaded.eu/2010/11/01/change-expiration-date-gpg-key/) | ||
|
|
||
| ## Sending keys to keyserver | ||
|
|
||
| Once you have the keys updated, you should send them to a keyserver. I have a couple examples, not sure if both are needed. | ||
|
|
||
| ``` | ||
| gpg --keyserver keyserver.ubuntu.com --send-key 3B2F1481D146238080B346BB052996E2A20B5C7E | ||
| gpg --keyserver pgp.mit.edu --send-key 3B2F1481D146238080B346BB052996E2A20B5C7E | ||
| ``` | ||
|
|
||
| I *think* you only need to send it to one server, most of the commands in my shell history use `pgp.mit.edu` | ||
|
|
||
| ## Updating secring.auto.gpg | ||
|
|
||
| Once you have the keys updated, you need to regenerate the keyrings that are stored in the [SDK repo](https://github.com/operator-framework/operator-sdk/tree/master/.ci/gpg). | ||
|
|
||
| Use the SDK key to sign and encrypt it. You need to use `--local-user` to avoid GPG from using your own key. | ||
|
|
||
| ``` | ||
| gpg --cipher-algo AES256 --output secring.auto.gpg --local-user "cncf-operator-sdk@cncf.io" --sign --symmetric 3B2F1481D146238080B346BB052996E2A20B5C7E.sub_priv.asc | ||
| ``` | ||
|
|
||
| ## Updating pubring.auto | ||
|
|
||
| This is the public keyring. It's simply the public key. Export the public key then rename it as `pubring.auto` | ||
|
|
||
| ``` | ||
| gpg --export --armor -o 3B2F1481D146238080B346BB052996E2A20B5C7E.pub.asc 3B2F1481D146238080B346BB052996E2A20B5C7E | ||
| cp 3B2F1481D146238080B346BB052996E2A20B5C7E.pub.asc pubring.auto | ||
| ``` | ||
|
|
||
| ## CI usage of keys | ||
|
|
||
| The GPG keys are stored in [.ci/gpg](https://github.com/operator-framework/operator-sdk/tree/master/.ci/gpg) of the Operator SDK repo. | ||
|
|
||
| In Github settings, there is a `GPG_PASSWORD` environment variable. It is set here in the [Environments](https://github.com/operator-framework/operator-sdk/settings/environments/172302554/edit) tab. You need to be admin. | ||
|
|
||
| The `GPG_PASSWORD` has been encrypted and handed to a few people. These people are the keepers of the password. | ||
|
|
||
| ## Original process | ||
|
|
||
| The original keys were setup using the following article. | ||
|
|
||
| https://blogs.itemis.com/en/secure-your-travis-ci-releases-part-2-signature-with-openpgp | ||
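Review bot: step 8 (`gpg --encrypt --sign --armor -r EMAIL-OF-USERS-KEY --output 052996E2A20B5C7E.subkey.private.asc.enc 052996E2A20B5C7E.subkey.private.asc`) encrypts a file that none of steps 5 to 7 produce; those steps write `<fingerprint>.pub.asc`, `<fingerprint>.priv.asc` and `<fingerprint>.sub_priv.asc`, so either rename the input here or state that the command is run once per exported file. Two smaller documentation points in the same hunk: the `--symmetric` passphrase entered when regenerating `secring.auto.gpg` is what CI will need to open the keyring, so say explicitly whether it must equal the `GPG_PASSWORD` value referenced under "CI usage of keys"; and the heading "Current *key*pers" reads like a typo for "keepers".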
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -18,7 +18,7 @@ jobs: | |
| git_tags: ${{ steps.tags.outputs.git_tags }} | ||
| steps: | ||
| - name: checkout | ||
| uses: actions/checkout@v5 | ||
| uses: actions/checkout@v6 | ||
|
Analysis chain, script executed:

```bash
#!/bin/bash
# Verify the updated GitHub Action versions exist
echo "Checking actions/checkout@v6..."
gh api repos/actions/checkout/git/refs/tags/v6 --jq '.ref' 2>/dev/null && echo "✓ exists" || echo "✗ not found"
echo "Checking docker/setup-qemu-action@v4..."
gh api repos/docker/setup-qemu-action/git/refs/tags/v4 --jq '.ref' 2>/dev/null && echo "✓ exists" || echo "✗ not found"
echo "Checking docker/setup-buildx-action@v4..."
gh api repos/docker/setup-buildx-action/git/refs/tags/v4 --jq '.ref' 2>/dev/null && echo "✓ exists" || echo "✗ not found"
echo "Checking docker/login-action@v4..."
gh api repos/docker/login-action/git/refs/tags/v4 --jq '.ref' 2>/dev/null && echo "✓ exists" || echo "✗ not found"
```

Web query result: Key changes in v4.0.0 include: Node 24 as the default runtime (requires GitHub Actions Runner v2.327.1+), migration to ESM, and dependency updates such as @actions/core to 3.0.0 and @docker/actions-toolkit to 0.77.0. [1]

GitHub Action major version bumps require runner compatibility verification. All three docker actions (setup-qemu-action, setup-buildx-action, login-action) upgraded to v4.0.0 introduce a critical requirement: GitHub Actions Runner v2.327.1 or later (due to Node 24 as the default runtime). Verify that your CI/CD environment runs this runner version or later. Additionally, these v4 releases include breaking changes (ESM migration, dependency updates) beyond typical security patches. The checkout@v6 upgrade appears unaffected by these constraints.
||
| with: | ||
| fetch-depth: 0 | ||
| - id: tags | ||
|
|
@@ -35,17 +35,17 @@ jobs: | |
| id: ["operator-sdk", "helm-operator", "scorecard-test"] | ||
| steps: | ||
| - name: set up qemu | ||
| uses: docker/setup-qemu-action@v3 | ||
| uses: docker/setup-qemu-action@v4 | ||
| - name: set up buildx | ||
| uses: docker/setup-buildx-action@v3 | ||
| uses: docker/setup-buildx-action@v4 | ||
| - name: quay.io login | ||
| uses: docker/login-action@v3 | ||
| uses: docker/login-action@v4 | ||
| with: | ||
| username: ${{ secrets.QUAY_USERNAME }} | ||
| password: ${{ secrets.QUAY_PASSWORD }} | ||
| registry: quay.io | ||
| - name: checkout | ||
| uses: actions/checkout@v5 | ||
| uses: actions/checkout@v6 | ||
| with: | ||
| fetch-depth: 1 | ||
| - name: build and push | ||
|
|
||
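Review bot: `docker/setup-qemu-action@v4`, `docker/setup-buildx-action@v4`, `docker/login-action@v4` and `actions/checkout@v6` are all mutable tags, and this job holds `secrets.QUAY_USERNAME` and `secrets.QUAY_PASSWORD` and pushes images, so pin each `uses:` to a full commit SHA with the version in a trailing comment (for example `uses: docker/login-action@<full-commit-sha> # v4`), the same change the test-go.yml comment on this PR asks for. The runner-version requirement raised for the v4 docker actions applies to this build-and-push job as well.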
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -12,7 +12,7 @@ jobs: | |
| outputs: | ||
| skip: ${{ steps.check_docs_only.outputs.skip }} | ||
| steps: | ||
| - uses: actions/checkout@v5 | ||
| - uses: actions/checkout@v6 | ||
|
Analysis chain, script executed:

```bash
#!/bin/bash
set -euo pipefail
echo "Non-SHA pinned actions in this workflow:"
rg -nP '^\s*-\s*uses:\s*[^@]+@(?![0-9a-f]{40}$)[^ ]+' .github/workflows/test-go.yml
echo
echo "Non-SHA pinned actions across workflows:"
rg -nP '^\s*-\s*uses:\s*[^@]+@(?![0-9a-f]{40}$)[^ ]+' .github/workflows/*.yml
```

Pin GitHub Actions to immutable commit SHAs instead of mutable version tags. Mutable tags like
||
| with: | ||
| fetch-depth: 0 | ||
| - id: check_docs_only | ||
|
|
@@ -29,7 +29,7 @@ jobs: | |
| needs: check_docs_only | ||
| if: needs.check_docs_only.outputs.skip != 'true' | ||
| steps: | ||
| - uses: actions/checkout@v5 | ||
| - uses: actions/checkout@v6 | ||
| with: | ||
| fetch-depth: 0 | ||
|
|
||
|
|
@@ -49,7 +49,7 @@ jobs: | |
| needs: check_docs_only | ||
| if: needs.check_docs_only.outputs.skip != 'true' | ||
| steps: | ||
| - uses: actions/checkout@v5 | ||
| - uses: actions/checkout@v6 | ||
| with: | ||
| fetch-depth: 0 | ||
|
|
||
|
|
||
Fix malformed GPG key IDs in export commands.
The GPG export commands have line-wrapped key IDs that would cause command failures. The key ID 3B2F1481D146238080B346BB052996E2A20B5C7E is split incorrectly across multiple lines with extra spaces and characters inserted. Lines 28, 33, and 38 need correction.
🔧 Proposed fixes for the malformed commands
-gpg --export --armor -o 3B2F1481D146238080B346BB052996E2A20B5C7E.pub .asc 3B2F1481D146238080B346BB052996E2A20B5C7
+gpg --export --armor -o 3B2F1481D146238080B346BB052996E2A20B5C7E.pub.asc 3B2F1481D146238080B346BB052996E2A20B5C7E
-gpg --export-secret-key --armor -o 3B2F1481D146238080B346BB052996E2A2 0B5C7E.priv.asc 3B2F1481D146238080B346BB052996E2A20B5C7E
+gpg --export-secret-key --armor -o 3B2F1481D146238080B346BB052996E2A20B5C7E.priv.asc 3B2F1481D146238080B346BB052996E2A20B5C7E
-gpg --export-secret-subkeys --armor -o 3B2F1481D146238080B346BB052996 E2A20B5C7E.sub_priv.asc 3B2F1481D146238080B346BB052996E2A20B5C7E
+gpg --export-secret-subkeys --armor -o 3B2F1481D146238080B346BB052996E2A20B5C7E.sub_priv.asc 3B2F1481D146238080B346BB052996E2A20B5C7E