ci(GitHub): RHINENG-15637 fix checksum for installed packages #2366

romanblanco · 2025-01-29T17:44:33Z

Secure Coding Practices Checklist GitHub Link

https://github.com/RedHatInsights/secure-coding-checklist

Secure Coding Checklist

codecov · 2025-01-29T18:06:52Z

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 98.25%. Comparing base (0c1640d) to head (ed93a7b).

Additional details and impacted files

@@           Coverage Diff           @@
##           master    #2366   +/-   ##
=======================================
  Coverage   98.25%   98.25%           
=======================================
  Files         200      200           
  Lines        4461     4461           
=======================================
  Hits         4383     4383           
  Misses         78       78

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

vkrizan · 2025-01-30T10:09:02Z

.github/workflows/checkimage.yaml

@@ -17,7 +17,7 @@ jobs:
          base=$(grep -Po '(?<=FROM )([^\s]*)(?= AS build)' Dockerfile)
          skopeo inspect "docker://$base" | jq .Digest --raw-output > .baseimagedigest
          docker run --rm -u 0 quay.io/cloudservices/compliance-backend:latest sh -c \
-            'microdnf update -y $(cat /opt/installedpackages) > /dev/null; rpm -q $(cat /opt/installedpackages) | sort | sha256sum | cut -d " " -f 1' \
+            'microdnf update -y $(rpm -qa | grep -v 'gpg-pubkey') > /dev/null; rpm -q $(rpm -qa | grep -v 'gpg-pubkey') | sort | sha256sum | cut -d " " -f 1' \


Wouldn't it be better to update the /opt/installedpackages file or use a parameter that would hold list of packages that are being installed outside of the base for this automation to track only those specific ones, not all?

vkrizan · 2025-02-05T09:40:02Z

.github/workflows/checkimage.yaml

@@ -17,7 +17,7 @@ jobs:
          base=$(grep -Po '(?<=FROM )([^\s]*)(?= AS build)' Dockerfile)
          skopeo inspect "docker://$base" | jq .Digest --raw-output > .baseimagedigest
          docker run --rm -u 0 quay.io/cloudservices/compliance-backend:latest sh -c \
-            'microdnf update -y $(cat /opt/installedpackages) > /dev/null; rpm -q $(cat /opt/installedpackages) | sort | sha256sum | cut -d " " -f 1' \
+            'rpm -qa | grep -v "gpg-pubkey" > /opt/installedpackages; microdnf update -y $(cat /opt/installedpackages) > /dev/null; rpm -q $(cat /opt/installedpackages) | sort | sha256sum | cut -d " " -f 1' \


Please review these container build arguments that include packages that are being installed, that also might be used for tracking changes:

compliance-backend/Dockerfile

Lines 1 to 2 in e90e917

ARG deps="findutils hostname jq libpq openssl procps-ng ruby shared-mime-info tzdata"

ARG devDeps="gcc gcc-c++ gzip libffi-devel libyaml-devel make openssl-devel patch postgresql postgresql-devel redhat-rpm-config ruby-devel tar which util-linux xz"

ping @romanblanco

Currently fails with: cat: /opt/installedpackages: No such file or directory

romanblanco force-pushed the RHINENG-15637-fix-install-package-sha branch from a5c6ad8 to 4cd559d Compare January 30, 2025 08:29

romanblanco changed the title ~~ci: RHINENG-15637 fix checksum for installed packages~~ ci(GitHub): RHINENG-15637 fix checksum for installed packages Jan 30, 2025

romanblanco force-pushed the RHINENG-15637-fix-install-package-sha branch 2 times, most recently from 797f2ed to 99c95e5 Compare January 30, 2025 08:58

romanblanco marked this pull request as ready for review January 30, 2025 09:00

romanblanco requested a review from a team as a code owner January 30, 2025 09:00

romanblanco requested a review from vkrizan January 30, 2025 09:21

vkrizan reviewed Jan 30, 2025

View reviewed changes

romanblanco force-pushed the RHINENG-15637-fix-install-package-sha branch from 99c95e5 to ce81cae Compare January 30, 2025 13:22

romanblanco requested a review from vkrizan January 30, 2025 13:23

romanblanco force-pushed the RHINENG-15637-fix-install-package-sha branch 2 times, most recently from e58b5bc to 62f2d93 Compare January 31, 2025 05:35

vkrizan reviewed Feb 5, 2025

View reviewed changes

romanblanco force-pushed the RHINENG-15637-fix-install-package-sha branch 3 times, most recently from c565137 to 4ea00eb Compare February 11, 2025 16:40

ci(GitHub): RHINENG-15637 fix checksum for installed packages

ed93a7b

Currently fails with: cat: /opt/installedpackages: No such file or directory

romanblanco force-pushed the RHINENG-15637-fix-install-package-sha branch from 4ea00eb to ed93a7b Compare March 5, 2025 15:41

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

ci(GitHub): RHINENG-15637 fix checksum for installed packages #2366

ci(GitHub): RHINENG-15637 fix checksum for installed packages #2366

romanblanco commented Jan 29, 2025

codecov bot commented Jan 29, 2025 •

edited

Loading

vkrizan Jan 30, 2025

vkrizan Feb 5, 2025

vkrizan Feb 12, 2025

	ARG deps="findutils hostname jq libpq openssl procps-ng ruby shared-mime-info tzdata"
	ARG devDeps="gcc gcc-c++ gzip libffi-devel libyaml-devel make openssl-devel patch postgresql postgresql-devel redhat-rpm-config ruby-devel tar which util-linux xz"

ci(GitHub): RHINENG-15637 fix checksum for installed packages #2366

Are you sure you want to change the base?

ci(GitHub): RHINENG-15637 fix checksum for installed packages #2366

Conversation

romanblanco commented Jan 29, 2025

Secure Coding Practices Checklist GitHub Link

Secure Coding Checklist

codecov bot commented Jan 29, 2025 • edited Loading

Codecov Report

vkrizan Jan 30, 2025

Choose a reason for hiding this comment

vkrizan Feb 5, 2025

Choose a reason for hiding this comment

vkrizan Feb 12, 2025

Choose a reason for hiding this comment

codecov bot commented Jan 29, 2025 •

edited

Loading