Skip to content

[release-1.8] chore(backstage): bump orchestrator plugins to 1.8.2 prod release (#265)#266

Merged
openshift-merge-bot[bot] merged 1 commit intoredhat-developer:release-1.8from
rm3l:cherry-pick/release-1.8/265--bump-orchestrator-plugins-to-1.8.2
Nov 6, 2025
Merged

[release-1.8] chore(backstage): bump orchestrator plugins to 1.8.2 prod release (#265)#266
openshift-merge-bot[bot] merged 1 commit intoredhat-developer:release-1.8from
rm3l:cherry-pick/release-1.8/265--bump-orchestrator-plugins-to-1.8.2

Conversation

@rm3l
Copy link
Copy Markdown
Member

@rm3l rm3l commented Nov 6, 2025

manual cherry-pick of #265

#265 (comment)

@lholmquist @github-actions @rm3l
chore(backstage): bump orchestrator plugins to 1.8.2 prod release (re…
39b99ad 
…dhat-developer#265)

Co-authored-by: lholmquist <lholmquist@users.noreply.github.com>
Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
@qodo-code-review
Copy link
Copy Markdown

qodo-code-review Bot commented Nov 6, 2025

PR Reviewer Guide 🔍

Here are some key observations to aid the review process:

⏱️ Estimated effort to review: 2 🔵🔵⚪⚪⚪
🔒 Security concerns

Supply chain integrity:
The chart references external tarballs over HTTPS with provided sha512 integrity hashes. Confirm these hashes are correct and that the registry is trusted. If the registry changes or is intercepted, tampered packages could be fetched. Consider documenting how these hashes are validated in CI.

⚡ Recommended focus areas for review

Consistency Check

Verify all orchestrator plugin URLs and integrity hashes correspond to the exact 1.8.2 tarballs and are reachable; mismatches will break dynamic plugin fetch at runtime.

 
  package: "https://npm.registry.redhat.com/@redhat/backstage-plugin-orchestrator-backend-dynamic/-/backstage-plugin-orchestrator-backend-dynamic-1.8.2.tgz"
  integrity: sha512-6G0YguzCM5nCDpOrIGJpLTXVMr6EBdIVqSXtsLH9RvBH25RTuFpfJ7q6eEp26DqveaiqUCfBpJ51smdjcsEzFQ==
  pluginConfig:
    orchestrator:
      dataIndexService:
        url: http://sonataflow-platform-data-index-service.{{ .Release.Namespace }}
- disabled: false
  package: "https://npm.registry.redhat.com/@redhat/backstage-plugin-orchestrator/-/backstage-plugin-orchestrator-1.8.2.tgz"
  integrity: sha512-rnUA6iZ2JVAyASfwS4P9HeFmpqCgH6FQouzzg4s6lCPAsYUFvu6tifJ3df5lThXPUTJ2cDvvQgamU+4DiHP2jw==
  pluginConfig:
    dynamicPlugins:
      frontend:
        red-hat-developer-hub.backstage-plugin-orchestrator:
          appIcons:
            - name: orchestratorIcon
              importName: OrchestratorIcon
          dynamicRoutes:
            - path: /orchestrator
              importName: OrchestratorPage
              menuItem:
                icon: orchestratorIcon
                text: Orchestrator
          entityTabs:
            - path: /workflows
              title: Workflows
              mountPoint: entity.page.workflows
          mountPoints:
            - mountPoint: entity.page.workflows/cards
              importName: OrchestratorCatalogTab
              config:
                layout:
                  gridColumn: "1 / -1"
                if:
                  anyOf:
                    - IsOrchestratorCatalogTabAvailable
- disabled: false
  package: "https://npm.registry.redhat.com/@redhat/backstage-plugin-scaffolder-backend-module-orchestrator-dynamic/-/backstage-plugin-scaffolder-backend-module-orchestrator-dynamic-1.8.2.tgz"
  integrity: sha512-N2hCn9RI/QVEoK56FAkGkSDbvfQCOIzVsJTwDX0kf//npO++2crRSJpB1Lr/m2UtYxfaXZX53p8sPcK3g8yWkQ==
  pluginConfig:
    orchestrator:
      dataIndexService:
        url: http://sonataflow-platform-data-index-service.{{ .Release.Namespace }}
- disabled: false
  package: "https://npm.registry.redhat.com/@redhat/backstage-plugin-orchestrator-form-widgets/-/backstage-plugin-orchestrator-form-widgets-1.8.2.tgz"
  integrity: sha512-Pe0dn3g+YTK3jbl36E8nt4zdyH/3w+MWgRyFWPc2B0eV4/L/aRfRC4KxcktmHPdamRGXTIaXL6cFae8TZl8Htw==
  pluginConfig:
Docs Sync

Ensure the README version badge and install command match the chart version in Chart.yaml to avoid user confusion when installing a specific version.

 
![Version: 4.5.13](https://img.shields.io/badge/Version-4.5.13-informational?style=flat-square)
![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square)

A Helm chart for deploying Red Hat Developer Hub, which is a Red Hat supported version of Backstage.

The telemetry data collection feature is enabled by default. Red Hat Developer Hub sends telemetry data to Red Hat by using the `backstage-plugin-analytics-provider-segment` plugin. To disable this and to learn what data is being collected, see https://docs.redhat.com/en/documentation/red_hat_developer_hub/1.6/html-single/telemetry_data_collection_and_analysis/index

**Homepage:** <https://red.ht/rhdh>

## Productized RHDH

This repository now provides the productized RHDH chart.
For the **Generally Available** version of this chart, see:

* https://github.com/openshift-helm-charts/charts - official releases to https://charts.openshift.io/

## Maintainers

| Name | Email | Url |
| ---- | ------ | --- |
| Red Hat |  | <https://redhat.com> |

## TL;DR

```console
helm repo add bitnami https://charts.bitnami.com/bitnami
helm repo add backstage https://backstage.github.io/charts
helm repo add redhat-developer https://redhat-developer.github.io/rhdh-chart

helm install my-backstage redhat-developer/backstage --version 4.5.13

</details>

</td></tr>
<tr><td>

<details><summary>📄 References</summary><ol><li>No matching references available</li>

</ol></details>

</td></tr>
</table>

@qodo-code-review qodo-code-review Bot added the enhancement New feature or request label Nov 6, 2025
@qodo-code-review
Copy link
Copy Markdown

qodo-code-review Bot commented Nov 6, 2025
edited by rhdh-qodo-merge Bot
Loading

PR Type

(Describe updated until commit 39b99ad)

Enhancement

Description

  • Bump orchestrator plugins from 1.7.1 to 1.8.2 production release

  • Update chart version from 4.5.12 to 4.5.13

  • Update plugin package integrity hashes for all four orchestrator plugins

  • Update documentation and README with new chart version

File Walkthrough
Relevant files
Configuration changes
Chart.yaml
Update chart version to 4.5.13                                                     

charts/backstage/Chart.yaml

  • Increment chart version from 4.5.12 to 4.5.13
 +1/-1     
Documentation
README.md
Update documentation with new chart version                           

charts/backstage/README.md

  • Update version badge from 4.5.12 to 4.5.13
  • Update helm install command example with new chart version
 +3/-3     
Dependencies
values.yaml
Upgrade all orchestrator plugins to 1.8.2                               

charts/backstage/values.yaml

  • Update orchestrator-backend-dynamic plugin from 1.7.1 to 1.8.2 with
    new integrity hash
  • Update orchestrator plugin from 1.7.1 to 1.8.2 with new integrity hash
  • Update scaffolder-backend-module-orchestrator-dynamic plugin from
    1.7.1 to 1.8.2 with new integrity hash
  • Update orchestrator-form-widgets plugin from 1.7.1 to 1.8.2 with new
    integrity hash
 +8/-8     

@sonarqubecloud
Copy link
Copy Markdown

sonarqubecloud Bot commented Nov 6, 2025

Quality Gate Passed Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

@rhdh-qodo-merge
Copy link
Copy Markdown

rhdh-qodo-merge Bot commented Nov 6, 2025

PR Reviewer Guide 🔍

Here are some key observations to aid the review process:

⏱️ Estimated effort to review: 2 🔵🔵⚪⚪⚪
🔒 No security concerns identified
⚡ Recommended focus areas for review

Consistency

The README table and values.yaml both define orchestrator plugin lists; ensure all bumped versions, package URLs, and integrity hashes match across README and values to avoid drift between documentation and defaults.

 
  dataIndexImage: ""

# -- Orchestrator plugins and their configuration
plugins:
  # RHDHBUGS-1464: Note that the plugins here fetch the packages from their direct HTTP download URLs from the (official) Red Hat NPM Registry.
  # Previously, we were using the "@redhat/plugin@version" form along with injecting a .npmrc Secret to resolve the "@redhat" scope,
  # but this caused conflicting issues with user-provided .npmrc secrets.
  - disabled: false
    package: "https://npm.registry.redhat.com/@redhat/backstage-plugin-orchestrator-backend-dynamic/-/backstage-plugin-orchestrator-backend-dynamic-1.8.2.tgz"
    integrity: sha512-6G0YguzCM5nCDpOrIGJpLTXVMr6EBdIVqSXtsLH9RvBH25RTuFpfJ7q6eEp26DqveaiqUCfBpJ51smdjcsEzFQ==
    pluginConfig:
      orchestrator:
        dataIndexService:
          url: http://sonataflow-platform-data-index-service.{{ .Release.Namespace }}
  - disabled: false
    package: "https://npm.registry.redhat.com/@redhat/backstage-plugin-orchestrator/-/backstage-plugin-orchestrator-1.8.2.tgz"
    integrity: sha512-rnUA6iZ2JVAyASfwS4P9HeFmpqCgH6FQouzzg4s6lCPAsYUFvu6tifJ3df5lThXPUTJ2cDvvQgamU+4DiHP2jw==
    pluginConfig:
      dynamicPlugins:
        frontend:
          red-hat-developer-hub.backstage-plugin-orchestrator:
            appIcons:
              - name: orchestratorIcon
                importName: OrchestratorIcon
            dynamicRoutes:
              - path: /orchestrator
                importName: OrchestratorPage
                menuItem:
                  icon: orchestratorIcon
                  text: Orchestrator
            entityTabs:
              - path: /workflows
                title: Workflows
                mountPoint: entity.page.workflows
            mountPoints:
              - mountPoint: entity.page.workflows/cards
                importName: OrchestratorCatalogTab
                config:
                  layout:
                    gridColumn: "1 / -1"
                  if:
                    anyOf:
                      - IsOrchestratorCatalogTabAvailable
  - disabled: false
    package: "https://npm.registry.redhat.com/@redhat/backstage-plugin-scaffolder-backend-module-orchestrator-dynamic/-/backstage-plugin-scaffolder-backend-module-orchestrator-dynamic-1.8.2.tgz"
    integrity: sha512-N2hCn9RI/QVEoK56FAkGkSDbvfQCOIzVsJTwDX0kf//npO++2crRSJpB1Lr/m2UtYxfaXZX53p8sPcK3g8yWkQ==
    pluginConfig:
      orchestrator:
        dataIndexService:
          url: http://sonataflow-platform-data-index-service.{{ .Release.Namespace }}
  - disabled: false
    package: "https://npm.registry.redhat.com/@redhat/backstage-plugin-orchestrator-form-widgets/-/backstage-plugin-orchestrator-form-widgets-1.8.2.tgz"
    integrity: sha512-Pe0dn3g+YTK3jbl36E8nt4zdyH/3w+MWgRyFWPc2B0eV4/L/aRfRC4KxcktmHPdamRGXTIaXL6cFae8TZl8Htw==
    pluginConfig:
      dynamicPlugins:
        frontend:
          red-hat-developer-hub.backstage-plugin-orchestrator-form-widgets: {}
Version Sync

Chart version was bumped to 4.5.13; verify that any additional references in docs, examples, and badges reflect the same version and that the chart appVersion (if used elsewhere) remains accurate.

 
# RHDH Backstage Helm Chart for OpenShift

![Version: 4.5.13](https://img.shields.io/badge/Version-4.5.13-informational?style=flat-square)
![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square)

A Helm chart for deploying Red Hat Developer Hub, which is a Red Hat supported version of Backstage.

The telemetry data collection feature is enabled by default. Red Hat Developer Hub sends telemetry data to Red Hat by using the `backstage-plugin-analytics-provider-segment` plugin. To disable this and to learn what data is being collected, see https://docs.redhat.com/en/documentation/red_hat_developer_hub/1.6/html-single/telemetry_data_collection_and_analysis/index

**Homepage:** <https://red.ht/rhdh>

## Productized RHDH

This repository now provides the productized RHDH chart.
For the **Generally Available** version of this chart, see:

* https://github.com/openshift-helm-charts/charts - official releases to https://charts.openshift.io/

## Maintainers

| Name | Email | Url |
| ---- | ------ | --- |
| Red Hat |  | <https://redhat.com> |

## TL;DR

```console
helm repo add bitnami https://charts.bitnami.com/bitnami
helm repo add backstage https://backstage.github.io/charts
helm repo add redhat-developer https://redhat-developer.github.io/rhdh-chart

helm install my-backstage redhat-developer/backstage --version 4.5.13

Introduction


</details>

</td></tr>
<tr><td>📚&nbsp;<strong>Focus areas based on broader codebase context</strong><br><br>

<details><summary><a href='https://github.com/redhat-developer/rhdh-chart/pull/266/files#diff-8060d9a38501197eddb026fced7fe56f104f4f5143210c6d47781b831a7097f4R411-R456'><strong>Data Index URL Consistency</strong></a>

The `dataIndexService.url` uses `sonataflow-platform-data-index-service.{{ .Release.Namespace }}` while other references and environment notes use service names without explicit namespace suffixing. Please validate that the service DNS matches the expected form for the target cluster to avoid resolution issues. (<a href="https://github.com/redhat-developer/rhdh-operator/blob/505adbe/examples/orchestrator.yaml/#L1-L22">Ref 1</a>, <a href="https://github.com/redhat-developer/rhdh-chart/blob/6b0b2ac/charts/backstage/values.yaml/#L210-L215">Ref 6</a>)
</summary>

```yaml
  package: "https://npm.registry.redhat.com/@redhat/backstage-plugin-orchestrator-backend-dynamic/-/backstage-plugin-orchestrator-backend-dynamic-1.8.2.tgz"
  integrity: sha512-6G0YguzCM5nCDpOrIGJpLTXVMr6EBdIVqSXtsLH9RvBH25RTuFpfJ7q6eEp26DqveaiqUCfBpJ51smdjcsEzFQ==
  pluginConfig:
    orchestrator:
      dataIndexService:
        url: http://sonataflow-platform-data-index-service.{{ .Release.Namespace }}
- disabled: false
  package: "https://npm.registry.redhat.com/@redhat/backstage-plugin-orchestrator/-/backstage-plugin-orchestrator-1.8.2.tgz"
  integrity: sha512-rnUA6iZ2JVAyASfwS4P9HeFmpqCgH6FQouzzg4s6lCPAsYUFvu6tifJ3df5lThXPUTJ2cDvvQgamU+4DiHP2jw==
  pluginConfig:
    dynamicPlugins:
      frontend:
        red-hat-developer-hub.backstage-plugin-orchestrator:
          appIcons:
            - name: orchestratorIcon
              importName: OrchestratorIcon
          dynamicRoutes:
            - path: /orchestrator
              importName: OrchestratorPage
              menuItem:
                icon: orchestratorIcon
                text: Orchestrator
          entityTabs:
            - path: /workflows
              title: Workflows
              mountPoint: entity.page.workflows
          mountPoints:
            - mountPoint: entity.page.workflows/cards
              importName: OrchestratorCatalogTab
              config:
                layout:
                  gridColumn: "1 / -1"
                if:
                  anyOf:
                    - IsOrchestratorCatalogTabAvailable
- disabled: false
  package: "https://npm.registry.redhat.com/@redhat/backstage-plugin-scaffolder-backend-module-orchestrator-dynamic/-/backstage-plugin-scaffolder-backend-module-orchestrator-dynamic-1.8.2.tgz"
  integrity: sha512-N2hCn9RI/QVEoK56FAkGkSDbvfQCOIzVsJTwDX0kf//npO++2crRSJpB1Lr/m2UtYxfaXZX53p8sPcK3g8yWkQ==
  pluginConfig:
    orchestrator:
      dataIndexService:
        url: http://sonataflow-platform-data-index-service.{{ .Release.Namespace }}
- disabled: false
  package: "https://npm.registry.redhat.com/@redhat/backstage-plugin-orchestrator-form-widgets/-/backstage-plugin-orchestrator-form-widgets-1.8.2.tgz"
  integrity: sha512-Pe0dn3g+YTK3jbl36E8nt4zdyH/3w+MWgRyFWPc2B0eV4/L/aRfRC4KxcktmHPdamRGXTIaXL6cFae8TZl8Htw==
  pluginConfig:

Reference reasoning: The operator example config uses http://sonataflow-platform-data-index-service without a namespace suffix, and the chart values highlight a required env for orchestrator startup, indicating established conventions for service addressing. Aligning with these patterns helps prevent mismatched service DNS names.

📄 References
  1. redhat-developer/rhdh-operator/examples/orchestrator.yaml [1-22]
  2. redhat-developer/rhdh-operator/bundle/rhdh/manifests/rhdh-default-config_v1_configmap.yaml [376-385]
  3. redhat-developer/rhdh-operator/dist/rhdh/install.yaml [2492-2501]
  4. redhat-developer/rhdh-chart/charts/backstage/ci/with-orchestrator-values.yaml [1-21]
  5. redhat-developer/rhdh-chart/charts/backstage/ci/with-orchestrator-and-dynamic-plugins-npmrc-values.yaml [1-24]
  6. redhat-developer/rhdh-chart/charts/backstage/values.yaml [210-215]
  7. redhat-developer/rhdh-chart/charts/backstage/values.yaml [399-405]
  8. redhat-developer/rhdh-chart/charts/orchestrator-software-templates/values.yaml [1-12]

@qodo-code-review
Copy link
Copy Markdown

qodo-code-review Bot commented Nov 6, 2025

PR Code Suggestions ✨

No code suggestions found for the PR.

@rhdh-qodo-merge
Copy link
Copy Markdown

rhdh-qodo-merge Bot commented Nov 6, 2025

PR Code Suggestions ✨

Explore these optional code suggestions:

CategorySuggestion                                                                                                                                    Impact
General
Make service URL scheme configurable

The dataIndexService.url has a hardcoded http scheme. Make the scheme
configurable to support https for secure environments by introducing a new
value.

charts/backstage/values.yaml [414-416]

 orchestrator:
   dataIndexService:
-    url: http://sonataflow-platform-data-index-service.{{ .Release.Namespace }}
+    # -- The scheme to use for the dataIndexService URL. Can be 'http' or 'https'.
+    scheme: http
+    url: {{ .Values.orchestrator.dataIndexService.scheme | default "http" }}://sonataflow-platform-data-index-service.{{ .Release.Namespace }}

[To ensure code accuracy, apply this suggestion manually]

Suggestion importance[1-10]: 7

__

Why: The suggestion correctly identifies a hardcoded http scheme that can cause issues in secure environments and proposes a valid improvement to make the URL scheme configurable, enhancing the chart's flexibility.

Medium
  • More

@rm3l rm3l added the lgtm label Nov 6, 2025
@openshift-merge-bot openshift-merge-bot Bot merged commit 370fb9c into redhat-developer:release-1.8 Nov 6, 2025
8 checks passed
@rm3l rm3l deleted the cherry-pick/release-1.8/265--bump-orchestrator-plugins-to-1.8.2 branch November 6, 2025 09:56
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@Fortune-Ndlovu Fortune-Ndlovu Awaiting requested review from Fortune-Ndlovu

@gazarenkov gazarenkov Awaiting requested review from gazarenkov

Assignees

No one assigned

Labels

enhancement New feature or request lgtm Possible security concern Review effort 2/5

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@rm3l @lholmquist