Skip to content

feat: s390x and arm64 fedora image publish#5464

Open
nestoracunablanco wants to merge 6 commits into
RedHatQE:mainfrom
nestoracunablanco:refactor/componentBuilderCommonCode
Open

feat: s390x and arm64 fedora image publish#5464
nestoracunablanco wants to merge 6 commits into
RedHatQE:mainfrom
nestoracunablanco:refactor/componentBuilderCommonCode

Conversation

@nestoracunablanco

@nestoracunablanco nestoracunablanco commented Jul 2, 2026

Copy link
Copy Markdown
Contributor

Commit 1:
fix: architecture suffix for the fedora-container-image artifact

This change introduces a suffix to the built artifact to facilitate
multi-architecture image testing. Without this modification, a race
condition occurs when the jobs for s390x and x86_64 run in parallel.

Commit 2:
feat: build s390x and arm64 images in the component builder workflow

Uses a matrix approach in order to reduce code duplication.

After the job runs, the artifacts should be published.

Commit 3:
Refactor: preparation work for Fedora image multiarch publish

The build.sh script primarily utilizes environment variables. To
generate an image for a new architecture, these variables must be
adjusted. This change relocates the generic environment variables
to specific steps, facilitating the transition to multiarch building.

Commit 4:
feat: component Builder Publish s390x and arm64 enablement

This change enables the publication of the Fedora s390x and arm images,
alongside the amd64 image in a single manifest. To achieve this,
the following steps must be taken:

  1. Install qemu-system-s390x.
  2. Execute build.sh twice with different environment variables.

After completing these steps, both all the images should be added
to the manifest.

Commit 5:
refactor: extract fedora image builder config into a shared file

Move hardcoded Fedora version, image base, and architecture
matrix out of both workflow files and into a single source of
truth.

Both component-builder and component-builder-publish now read
their matrix, and variables from its config file via a
dedicate 'prepare' job step.

jira-ticket:

NONE

Summary by CodeRabbit

  • New Features

    • Added Fedora 43 build configuration with multi-architecture support.
    • Enhanced container image workflows to build and publish per-architecture images, including improved multi-arch publishing.
  • Bug Fixes

    • Improved build reliability by increasing the VM creation wait time.
  • Refactor

    • Consolidated build settings into a single shared configuration source.
    • Split multi-architecture manifest creation into a dedicated workflow step.
    • Standardized artifact naming and image tags per architecture.

This change introduces a suffix to the built artifact to facilitate
multi-architecture image testing. Without this modification, a race
condition occurs when the jobs for s390x and x86_64 run in parallel.

Signed-off-by: Nestor Acuna Blanco <nestor.acuna@ibm.com>
Uses a matrix approach in order to reduce code duplication.

After the job runs, the artifacts should be published.

Signed-off-by: Nestor Acuna Blanco <nestor.acuna@ibm.com>
The build.sh script primarily utilizes environment variables. To
generate an image for a new architecture, these variables must be
adjusted. This change relocates the generic environment variables
to specific steps, facilitating the transition to multiarch building.

Signed-off-by: Nestor Acuna Blanco <nestor.acuna@ibm.com>
This change enables the publication of the Fedora s390x and arm images,
alongside the amd64 image in a single manifest. To achieve this,
the following steps must be taken:

1. Install qemu-system-s390x.
2. Execute build.sh twice with different environment variables.

After completing these steps, both all the images should be added
to the manifest.

Signed-off-by: Nestor Acuna Blanco <nestor.acuna@ibm.com>
@coderabbitai

coderabbitai Bot commented Jul 2, 2026

Copy link
Copy Markdown
Contributor

Review Change Stack

Warning

Review limit reached

@nestoracunablanco, you've reached your PR review limit, so we couldn't start this review.

Next review available in: 31 minutes

Enable usage-based reviews in Billing to review now. Otherwise, wait until the next included review is available.
You're only billed for reviews past your plan's rate limits ($0.25/file).

How can I continue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

To avoid repeated limits, reduce automatic review volume by pausing incremental auto-reviews earlier, using label-based review opt-in, excluding WIP or generated PR titles, or requesting reviews manually when the PR is ready. If your team needs uninterrupted high-volume reviews, an organization admin can enable usage-based reviews.

How do review limits work?

CodeRabbit enforces per-developer PR review limits for each organization. Most developers receive the normal plan review availability.

For paid Pro and Pro+ PR reviews, CodeRabbit uses adaptive limits for sustained high-volume activity. When a developer's recent PR review activity reaches the 95th percentile or higher among CodeRabbit users, additional reviews become available more gradually as earlier reviews age out of the rolling window.

Please refer docs for additional details.

Review details
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 600943db-4afa-4b24-aebd-89aaeb165fb0

📥 Commits

Reviewing files that changed from the base of the PR and between 1e6904c and 1c6aa60.

📒 Files selected for processing (4)
  • .github/component-builder-config.json
  • .github/workflows/component-builder-publish.yml
  • .github/workflows/component-builder.yml
  • containers/fedora/build.sh

Walkthrough

Adds Fedora 43 matrix-driven build inputs, updates both component-builder workflows to consume shared architecture data, and separates multi-arch manifest publishing from per-architecture image builds. Also increases the VM install wait timeout.

Changes

Fedora 43 Multi-Arch Build Pipeline

Layer / File(s) Summary
Build matrix configuration
.github/component-builder-config.json
New config defines Fedora 43 version, base image, and per-architecture (amd64, arm64, s390x) QEMU package names and download URLs.
Publish workflow: prepare and multi-arch build/push
.github/workflows/component-builder-publish.yml
Adds read-only permissions and REMOTE_REPOSITORY, a prepare job parsing the config into matrix outputs, and a matrix-based build-images job that fetches per-arch base images, builds, and pushes arch-specific tags.
Publish workflow: multi-arch manifest job
.github/workflows/component-builder-publish.yml
Adds a create-manifest job depending on prepare and build-images that assembles arch-specific images into a pushed multi-arch manifest tagged ${FEDORA_VERSION}-dev.
Component-builder workflow: matrix build and artifact publishing
.github/workflows/component-builder.yml
Adds permissions and REMOTE_REPOSITORY, a prepare job, and converts the fixed guest-fedora-amd64 job into a matrix-based guest-fedora job with architecture-suffixed artifact naming.
Build script wait timing
containers/fedora/build.sh
Increases virt-install --wait from 30 to 60.

Estimated code review effort: 3 (Moderate) | ~25 minutes

Possibly related issues

Possibly related PRs

Suggested reviewers: rnetser, vsibirsk, RoniKishner, yossisegev, servolkov

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Title check ✅ Passed The title is concise, under 120 characters, and accurately reflects the multi-architecture Fedora image publish change.
Description check ✅ Passed The description covers the PR purpose and Jira status, though it omits explicit issue and special-notes sections from the template.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
Stp Link Required ✅ Passed PASS: The PR only adds config/workflow/build-script changes; no new tests/ files or test functions are introduced, so STP/RFE/Jira links aren’t required.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Warning

Review ran into problems

🔥 Problems

Linked repositories: Your configuration references 1 linked repositories, but your current plan allows 0. Analyzed ``, skipped RedHatQE/openshift-virtualization-tests-design-docs.


Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@openshift-virtualization-qe-bot-2

Copy link
Copy Markdown
Contributor

Report bugs in Issues

Welcome! 🎉

This pull request will be automatically processed with the following features:

🔄 Automatic Actions

  • Reviewer Assignment: Reviewers are automatically assigned based on the OWNERS file in the repository root
  • Size Labeling: PR size labels (XS, S, M, L, XL, XXL) are automatically applied based on changes
  • Issue Creation: A tracking issue is created for this PR and will be closed when the PR is merged or closed
  • Branch Labeling: Branch-specific labels are applied to track the target branch
  • Auto-verification: Auto-verified users have their PRs automatically marked as verified
  • Labels: Enabled categories: branch, can-be-merged, cherry-pick, has-conflicts, hold, needs-rebase, size, verified, wip

📋 Available Commands

PR Status Management

  • /wip - Mark PR as work in progress (adds WIP: prefix to title)
  • /wip cancel - Remove work in progress status
  • /hold - Block PR merging (approvers only)
  • /hold cancel - Unblock PR merging
  • /verified - Mark PR as verified
  • /verified cancel - Remove verification status
  • /reprocess - Trigger complete PR workflow reprocessing (useful if webhook failed or configuration changed)
  • /regenerate-welcome - Regenerate this welcome message
  • /security-override - Set security check runs to pass (maintainers only)
  • /security-override cancel - Re-run security checks

Review & Approval

  • /lgtm - Approve changes (looks good to me)
  • /approve - Approve PR (approvers only)
  • /assign-reviewers - Assign reviewers based on OWNERS file
  • /assign-reviewer @username - Assign specific reviewer
  • /check-can-merge - Check if PR meets merge requirements

Testing & Validation

  • /retest tox - Run Python test suite with tox
  • /retest build-container - Rebuild and test container image
  • /retest verify-bugs-are-open - verify-bugs-are-open
  • /retest all - Run all available tests

Container Operations

  • /build-and-push-container - Build and push container image (tagged with PR number)
    • Supports additional build arguments: /build-and-push-container --build-arg KEY=value

Cherry-pick Operations

  • /cherry-pick <branch> - Schedule cherry-pick to target branch when PR is merged
    • Multiple branches: /cherry-pick branch1 branch2 branch3
  • /cherry-pick-retry <branch> - Retry a failed cherry-pick (merged PRs only)

Branch Management

  • /rebase - Rebase this PR branch onto its base branch

Custom Commands

  • /test-plan - Triggers CodeRabbit to analyze the PR's changed files and post a test execution plan
  • /rerun-smoke - Adds `retest-smoke` label on the PR to trigger smoke tests exectuion

Label Management

  • /<label-name> - Add a label to the PR
  • /<label-name> cancel - Remove a label from the PR

✅ Merge Requirements

This PR will be automatically approved when the following conditions are met:

  1. Approval: /approve from at least one approver
  2. LGTM Count: Minimum 2 /lgtm from reviewers
  3. Status Checks: All required status checks must pass
  4. No Blockers: No wip, hold, has-conflicts labels and PR must be mergeable (no conflicts)
  5. Verified: PR must be marked as verified

📊 Review Process

Approvers and Reviewers

Approvers:

  • dshchedr
  • myakove
  • rnetser
  • vsibirsk

Reviewers:

  • RoniKishner
  • dshchedr
  • rnetser
  • vsibirsk
Available Labels
  • hold
  • verified
  • wip
  • lgtm
  • approve
AI Features
  • Cherry-Pick Conflict Resolution: Enabled (claude/claude-opus-4-6-1m)
Security Checks
  • Suspicious Path Detection: Monitors paths: .claude/, .vscode/, .cursor/, .devcontainer/, .pi/, .github/workflows/, .github/actions/
  • Committer Identity Check: Verifies last committer matches PR author
  • Mandatory: Security checks block merge (use /security-override to bypass — maintainers only)

💡 Tips

  • WIP Status: Use /wip when your PR is not ready for review
  • Verification: The verified label is removed on new commits unless the push is detected as a clean rebase
  • Cherry-picking: Cherry-pick labels are processed when the PR is merged
  • Container Builds: Container images are automatically tagged with the PR number
  • Permission Levels: Some commands require approver permissions
  • Auto-verified Users: Certain users have automatic verification and merge privileges

For more information, please refer to the project documentation or contact the maintainers.

@nestoracunablanco

Copy link
Copy Markdown
Contributor Author

@coderabbitai review

@coderabbitai

coderabbitai Bot commented Jul 2, 2026

Copy link
Copy Markdown
Contributor
✅ Action performed

Review finished.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 5

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/component-builder-publish.yml:
- Line 151: The manifest creation step is using debug logging unnecessarily,
which is too noisy for CI and may expose registry details. Update the podman
manifest create invocation in the workflow to use Podman’s default log level by
removing the --log-level=debug flag, keeping the existing REMOTE_REPOSITORY,
remote_tag, and ARCH_IMAGES behavior unchanged.
- Around line 79-83: The Fedora base image fetch step currently downloads the
QCOW2 without integrity verification, so add a checksum/signature validation
step around the “Fetch base Fedora image” job in component-builder-publish.yml
before the image is used or published. Update the workflow to download the
matching Fedora CHECKSUM file for the same architecture, verify the downloaded
QCOW2 against it, and fail the job if the digest does not match; keep the
existing FEDORA_IMAGE and matrix.url_arch references so the validation is tied
to the exact artifact being fetched.
- Around line 107-111: The Quay login steps in the workflow currently pass
QUAY_TOKEN directly as a command-line argument in the podman login invocation,
which exposes the secret in process arguments. Update both logging steps to use
stdin-based authentication instead of the -p flag, and keep the secret only in
the environment so the existing Logging to quay.io and the other Quay login step
remain secure.

In @.github/workflows/component-builder.yml:
- Around line 55-72: Template-expanded matrix values are being used directly
inside shell scripts in the component-builder workflow, which can lead to unsafe
shell interpretation. Update the affected steps to pass values from
matrix.qemu_package, matrix.url_arch, and matrix.fedora_url through env on the
step, then reference those shell variables in the install and Fedora image
download commands with proper quoting. Use the existing workflow steps around
the apt-get install block and Fetch base Fedora image block as the place to make
the change.
- Around line 85-93: The Save container image as tarball step is expanding
matrix-derived CPU_ARCH directly inside the run script, which violates the
shell-variable guard used elsewhere. Update the podman save and echo commands in
the Save container image as tarball step to use the existing quoted shell
variables (local_repository, arch_tag, and a shell-held CPU_ARCH value if
needed) instead of interpolating env.CPU_ARCH inline, so the artifact/image
names are fully handled through shell variables.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: c1e8ab76-3059-4b1c-b4dc-2ea3e9a3cc93

📥 Commits

Reviewing files that changed from the base of the PR and between b42eb1e and de3e8c2.

📒 Files selected for processing (4)
  • .github/component-builder-config.json
  • .github/workflows/component-builder-publish.yml
  • .github/workflows/component-builder.yml
  • containers/fedora/build.sh
📜 Review details
⏰ Context from checks skipped due to timeout. (3)
🧰 Additional context used
📓 Path-based instructions (1)
**

⚙️ CodeRabbit configuration file

**: # AI Review and Development Standards

Assisted-by: Claude noreply@anthropic.com

Coding standards, conventions, and review guidelines for openshift-virtualization-tests.

These rules apply to ALL contributors and review tools — human and AI alike.

Strict Rules (MANDATORY)

Linter Suppressions PROHIBITED

  • NEVER add # noqa, # type: ignore, # pylint: disable
  • NEVER disable linter/mypy rules to work around issues
  • FIX THE CODE - If linter complains, the code is wrong
  • If you think a rule is wrong: ASK the user for explicit approval

Code Reuse (Search-First Development)

Before writing ANY new code:

  1. SEARCH codebase for existing implementations
  2. CHECK utilities/ for shared functions
  3. CHECK libs/ for shared libraries
  4. CHECK tests/ for shared fixtures and helper functions
  5. CHECK pyproject.toml dependencies — project packages (e.g., pyhelper-utils, ocp-resources, openshift-python-wrapper) may already provide the functionality
  6. VERIFY no similar logic exists elsewhere
  7. NEVER duplicate logic - extract to shared module
  8. REUSE existing code and patterns — only write new when nothing exists

External package examples:

  • Shell commands — use pyhelper_utils.shell.run_command, NEVER use subprocess.run directly in test/utility code
  • OpenShift resources — use ocp-resources classes, NEVER construct raw YAML dicts

Python Requirements

  • Type hints MANDATORY - mypy strict mode in libs/, all new public functions under utilities MUST be typed
  • Use TYPE_CHECKING for type-only imports - wrap imports needed solely for type hints in if TYPE_CHECKING: to avoid runtime overhead and circular imports
  • Google-format docstrings REQUIRED - for all public functions with non-obvious return values OR side effects
  • No defensive programming - fail-fast, don't hide bugs with fake defaults (see exceptions below)
  • ALWAYS use uv run -...

Files:

  • containers/fedora/build.sh

⚙️ CodeRabbit configuration file

**: ## PR Template Validation
Check the PR description for required sections from .github/pull_request_template.md.
Required sections (must be present, even if empty):

  • ##### What this PR does / why we need it: — MUST be present AND have meaningful content.
    Flag as HIGH if the section is missing, empty, whitespace-only, contains only HTML comments,
    or contains only placeholder tokens such as TBD, TBA, N/A, -, , none, or ..
  • ##### Which issue(s) this PR fixes: — must be present (may be empty)
  • ##### Special notes for reviewer: — must be present (may be empty)
  • ##### jira-ticket: — must be present (may be empty)
    If any required section is absent, or What this PR does / why we need it: has no content,
    flag it as HIGH severity and ask the author to restore the missing template section(s).

Approval Policy

You may approve the PR when ALL of the following are true:

  • All your review comments have been addressed with either:
    • a code/doc change that fixes the issue, or
    • a substantive author response that justifies no code change.
      Thread "resolved" state alone is not sufficient.
      OR you had no review comments.
  • If you posted a test execution plan comment requesting tests, and the PR author replied
    with a comment explaining why the requested tests are not needed or were already covered,
    treat that as an acceptable response — do not block approval on the test plan alone.
  • The author's explanation must be reasonable and specific (not just "N/A" or "not needed").
    Accept explanations like: "these tests were already run in CI", "this change is docs-only",
    "the affected tests are quarantined", or "verified manually on cluster X".

Files:

  • containers/fedora/build.sh
🧠 Learnings (3)
📚 Learning: 2026-05-19T10:17:37.060Z
Learnt from: Anatw
Repo: RedHatQE/openshift-virtualization-tests PR: 4833
File: tests/network/localnet/migration_stuntime/libstuntime.py:13-13
Timestamp: 2026-05-19T10:17:37.060Z
Learning: In RedHatQE/openshift-virtualization-tests, when the PR template validation rule is triggered, avoid posting the PR template violation comment if the PR description already contains the required sections with meaningful content:
- `##### What this PR does / why we need it:`
- `##### Which issue(s) this PR fixes:`
- `##### Special notes for reviewer:`
- `##### jira-ticket:`
Because the current implementation can use a broad `**` path glob and re-run the check per diff context/file, reviewers/automation should verify the actual PR description content before flagging it as a violation or duplicating the comment.

Applied to files:

  • .github/component-builder-config.json
  • .github/workflows/component-builder.yml
  • .github/workflows/component-builder-publish.yml
📚 Learning: 2026-05-20T11:18:31.677Z
Learnt from: Anatw
Repo: RedHatQE/openshift-virtualization-tests PR: 4867
File: tests/network/libs/stuntime.py:1-1
Timestamp: 2026-05-20T11:18:31.677Z
Learning: In RedHatQE/openshift-virtualization-tests, make the PR template validation (HIGH-severity) heuristic more conservative: if the author explicitly rebuts the “missing template section” finding and confirms the required sections are present with meaningful content, treat the original finding as a false positive and do not re-raise it. Only raise the HIGH-severity flag when a required PR section header (e.g., "##### What this PR does / why we need it:") is clearly absent or its content can be verified as empty/placeholder-only.

Applied to files:

  • .github/workflows/component-builder.yml
  • .github/workflows/component-builder-publish.yml
📚 Learning: 2026-06-03T15:08:46.871Z
Learnt from: geetikakay
Repo: RedHatQE/openshift-virtualization-tests PR: 5101
File: .github/workflows/request-coderabbit-test-instructions.yml:39-39
Timestamp: 2026-06-03T15:08:46.871Z
Learning: In RedHatQE/openshift-virtualization-tests, GitHub Actions workflow reviewers should follow the repo convention of allowing `uses:` references that are pinned to mutable version tags (e.g., `owner/actionv4`, `owner/actionv5`) and should NOT flag these as security issues. Full commit-SHA pinning for third-party actions is explicitly out of scope for this repository, so do not treat non-SHA `uses:` references as violations.

Applied to files:

  • .github/workflows/component-builder.yml
  • .github/workflows/component-builder-publish.yml
🪛 zizmor (1.26.1)
.github/workflows/component-builder.yml

[warning] 58-58: code injection via template expansion (template-injection): may expand into attacker-controllable code

(template-injection)


[warning] 70-70: code injection via template expansion (template-injection): may expand into attacker-controllable code

(template-injection)


[warning] 71-71: code injection via template expansion (template-injection): may expand into attacker-controllable code

(template-injection)


[error] 27-27: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)


[error] 51-51: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)


[info] 17-17: workflow or action definition without a name (anonymous-definition): this job

(anonymous-definition)


[info] 38-38: workflow or action definition without a name (anonymous-definition): this job

(anonymous-definition)


[warning] 91-91: code injection via template expansion (template-injection): may expand into attacker-controllable code

(template-injection)


[warning] 92-92: code injection via template expansion (template-injection): may expand into attacker-controllable code

(template-injection)


[warning] 92-92: code injection via template expansion (template-injection): may expand into attacker-controllable code

(template-injection)


[warning] 93-93: code injection via template expansion (template-injection): may expand into attacker-controllable code

(template-injection)


[error] 96-96: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)

.github/workflows/component-builder-publish.yml

[warning] 70-70: code injection via template expansion (template-injection): may expand into attacker-controllable code

(template-injection)


[warning] 82-82: code injection via template expansion (template-injection): may expand into attacker-controllable code

(template-injection)


[warning] 83-83: code injection via template expansion (template-injection): may expand into attacker-controllable code

(template-injection)


[error] 35-35: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)


[error] 62-62: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)


[info] 20-20: workflow or action definition without a name (anonymous-definition): this job

(anonymous-definition)


[info] 47-47: workflow or action definition without a name (anonymous-definition): this job

(anonymous-definition)


[info] 122-122: workflow or action definition without a name (anonymous-definition): this job

(anonymous-definition)

🔇 Additional comments (4)
.github/component-builder-config.json (1)

1-26: LGTM!

.github/workflows/component-builder-publish.yml (1)

2-5: LGTM!

Also applies to: 17-78, 104-105, 113-120, 122-132, 139-150, 152-152

.github/workflows/component-builder.yml (1)

10-53: LGTM!

Also applies to: 82-83, 95-99

containers/fedora/build.sh (1)

87-87: 🩺 Stability & Availability

--wait 60 is already a 60-minute timeout. The Fedora install step is long-running, so this value looks intentional and doesn’t need changing.

			> Likely an incorrect or invalid review comment.

Comment thread .github/workflows/component-builder-publish.yml Outdated
Comment on lines +107 to +111
- name: Logging to quay.io
run: podman login -u ${{ secrets.QUAY_USER }} -p ${{ secrets.QUAY_TOKEN }} quay.io
env:
QUAY_USER: ${{ secrets.QUAY_USER }}
QUAY_TOKEN: ${{ secrets.QUAY_TOKEN }}
run: podman login -u "$QUAY_USER" -p "$QUAY_TOKEN" quay.io

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🔒 Security & Privacy | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

# Show the relevant workflow sections with line numbers.
sed -n '90,150p' .github/workflows/component-builder-publish.yml | cat -n

# Find every podman login usage in the workflow.
rg -n "podman login|password-stdin|QUAY_TOKEN|QUAY_USER" .github/workflows/component-builder-publish.yml

Repository: RedHatQE/openshift-virtualization-tests

Length of output: 3301


HIGH: don’t pass QUAY_TOKEN on the command line.
podman login -p "$QUAY_TOKEN" puts the secret in process arguments, where it can leak through ps/job introspection. Use stdin auth instead on both Quay login steps.

Proposed fix
- run: podman login -u "$QUAY_USER" -p "$QUAY_TOKEN" quay.io
+ run: printf '%s' "$QUAY_TOKEN" | podman login -u "$QUAY_USER" --password-stdin quay.io
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
- name: Logging to quay.io
run: podman login -u ${{ secrets.QUAY_USER }} -p ${{ secrets.QUAY_TOKEN }} quay.io
env:
QUAY_USER: ${{ secrets.QUAY_USER }}
QUAY_TOKEN: ${{ secrets.QUAY_TOKEN }}
run: podman login -u "$QUAY_USER" -p "$QUAY_TOKEN" quay.io
- name: Logging to quay.io
env:
QUAY_USER: ${{ secrets.QUAY_USER }}
QUAY_TOKEN: ${{ secrets.QUAY_TOKEN }}
run: printf '%s' "$QUAY_TOKEN" | podman login -u "$QUAY_USER" --password-stdin quay.io
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/component-builder-publish.yml around lines 107 - 111, The
Quay login steps in the workflow currently pass QUAY_TOKEN directly as a
command-line argument in the podman login invocation, which exposes the secret
in process arguments. Update both logging steps to use stdin-based
authentication instead of the -p flag, and keep the secret only in the
environment so the existing Logging to quay.io and the other Quay login step
remain secure.

ARCH_IMAGES="${ARCH_IMAGES} ${REMOTE_REPOSITORY}:${FEDORA_VERSION}-${arch}"
done
# Create and push the multi-arch manifest
podman manifest create --log-level=debug "${REMOTE_REPOSITORY}":"${remote_tag}" ${ARCH_IMAGES}

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

📐 Maintainability & Code Quality | 🟡 Minor | ⚡ Quick win

MEDIUM: remove debug logging from manifest creation.

Debug output is too noisy for CI and can include registry/request details. Use Podman’s default log level here. As per coding guidelines, “NEVER use DEBUG level - if a log is needed, use INFO.”

Proposed fix
-          podman manifest create --log-level=debug "${REMOTE_REPOSITORY}":"${remote_tag}" ${ARCH_IMAGES}
+          podman manifest create "${REMOTE_REPOSITORY}":"${remote_tag}" ${ARCH_IMAGES}
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
podman manifest create --log-level=debug "${REMOTE_REPOSITORY}":"${remote_tag}" ${ARCH_IMAGES}
podman manifest create "${REMOTE_REPOSITORY}":"${remote_tag}" ${ARCH_IMAGES}
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/component-builder-publish.yml at line 151, The manifest
creation step is using debug logging unnecessarily, which is too noisy for CI
and may expose registry details. Update the podman manifest create invocation in
the workflow to use Podman’s default log level by removing the --log-level=debug
flag, keeping the existing REMOTE_REPOSITORY, remote_tag, and ARCH_IMAGES
behavior unchanged.

Source: Coding guidelines

Comment on lines 55 to +72
run: |
sudo apt-get update
sudo apt-get install -y \
qemu-system-x86 \
${{ matrix.qemu_package }} \
libvirt-daemon-system \
virtinst cloud-image-utils \
libguestfs-tools

- name: Tweak hosted runner to enable 'virt-sysprep'
# https://bugs.launchpad.net/ubuntu/+source/linux/+bug/759725
run: sudo chmod 0644 /boot/vmlinuz*

- name: Fetch base Fedora image
working-directory: ./containers/fedora
run: wget -q "https://download.fedoraproject.org/pub/fedora/linux/releases/43/Cloud/x86_64/images/${{ env.FEDORA_IMAGE }}"
run: |
FEDORA_IMAGE="${FEDORA_IMAGE_BASE}.${{ matrix.url_arch }}.qcow2"
wget -q "${{ matrix.fedora_url }}/${FEDORA_IMAGE}"

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🔒 Security & Privacy | 🟠 Major | ⚡ Quick win

HIGH: avoid template-expanded matrix values inside shell scripts.

${{ matrix.qemu_package }}, ${{ matrix.url_arch }}, and ${{ matrix.fedora_url }} are injected into the script before shell parsing, so a config change with shell metacharacters can execute unintended commands. Bind them through env and quote shell variables instead.

Proposed fix
       - name: Install dependencies for VM build
+        env:
+          QEMU_PACKAGE: ${{ matrix.qemu_package }}
         run: |
           sudo apt-get update
           sudo apt-get install -y \
-            ${{ matrix.qemu_package }} \
+            "$QEMU_PACKAGE" \
             libvirt-daemon-system \
             virtinst cloud-image-utils \
             libguestfs-tools
@@
       - name: Fetch base Fedora image
         working-directory: ./containers/fedora
+        env:
+          FEDORA_URL: ${{ matrix.fedora_url }}
+          URL_ARCH: ${{ matrix.url_arch }}
         run: |
-          FEDORA_IMAGE="${FEDORA_IMAGE_BASE}.${{ matrix.url_arch }}.qcow2"
-          wget -q "${{ matrix.fedora_url }}/${FEDORA_IMAGE}"
+          fedora_image="${FEDORA_IMAGE_BASE}.${URL_ARCH}.qcow2"
+          wget -q "${FEDORA_URL}/${fedora_image}"

As per coding guidelines, “FIX THE CODE - If linter complains, the code is wrong.”

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
run: |
sudo apt-get update
sudo apt-get install -y \
qemu-system-x86 \
${{ matrix.qemu_package }} \
libvirt-daemon-system \
virtinst cloud-image-utils \
libguestfs-tools
- name: Tweak hosted runner to enable 'virt-sysprep'
# https://bugs.launchpad.net/ubuntu/+source/linux/+bug/759725
run: sudo chmod 0644 /boot/vmlinuz*
- name: Fetch base Fedora image
working-directory: ./containers/fedora
run: wget -q "https://download.fedoraproject.org/pub/fedora/linux/releases/43/Cloud/x86_64/images/${{ env.FEDORA_IMAGE }}"
run: |
FEDORA_IMAGE="${FEDORA_IMAGE_BASE}.${{ matrix.url_arch }}.qcow2"
wget -q "${{ matrix.fedora_url }}/${FEDORA_IMAGE}"
env:
QEMU_PACKAGE: ${{ matrix.qemu_package }}
run: |
sudo apt-get update
sudo apt-get install -y \
"$QEMU_PACKAGE" \
libvirt-daemon-system \
virtinst cloud-image-utils \
libguestfs-tools
- name: Tweak hosted runner to enable 'virt-sysprep'
# https://bugs.launchpad.net/ubuntu/+source/linux/+bug/759725
run: sudo chmod 0644 /boot/vmlinuz*
- name: Fetch base Fedora image
working-directory: ./containers/fedora
env:
FEDORA_URL: ${{ matrix.fedora_url }}
URL_ARCH: ${{ matrix.url_arch }}
run: |
fedora_image="${FEDORA_IMAGE_BASE}.${URL_ARCH}.qcow2"
wget -q "${FEDORA_URL}/${fedora_image}"
🧰 Tools
🪛 zizmor (1.26.1)

[warning] 58-58: code injection via template expansion (template-injection): may expand into attacker-controllable code

(template-injection)


[warning] 70-70: code injection via template expansion (template-injection): may expand into attacker-controllable code

(template-injection)


[warning] 71-71: code injection via template expansion (template-injection): may expand into attacker-controllable code

(template-injection)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/component-builder.yml around lines 55 - 72,
Template-expanded matrix values are being used directly inside shell scripts in
the component-builder workflow, which can lead to unsafe shell interpretation.
Update the affected steps to pass values from matrix.qemu_package,
matrix.url_arch, and matrix.fedora_url through env on the step, then reference
those shell variables in the install and Fedora image download commands with
proper quoting. Use the existing workflow steps around the apt-get install block
and Fetch base Fedora image block as the place to make the change.

Sources: Coding guidelines, Linters/SAST tools

Comment thread .github/workflows/component-builder.yml
@openshift-virtualization-qe-bot-5

Copy link
Copy Markdown

Clean rebase detected — no code changes compared to previous head (de3e8c2).

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
.github/workflows/component-builder.yml (1)

67-82: 📐 Maintainability & Code Quality | 🔵 Trivial | ⚡ Quick win

MEDIUM: FEDORA_IMAGE filename formula is computed twice.

${FEDORA_IMAGE_BASE}.<url_arch>.qcow2 is built once locally in "Fetch base Fedora image" (line 70) and again independently as an env value in "Create VM" (line 82). Same formula, two places — a future edit to one (e.g. adding a checksum suffix) without the other will silently break the build by fetching one filename and referencing another.

Compute it once (e.g. as a step output in "Fetch base Fedora image") and reuse it in "Create VM" instead of re-deriving it.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/component-builder.yml around lines 67 - 82, The Fedora
image filename is being derived twice with the same formula, once in the “Fetch
base Fedora image” step and again in the “Create VM” step, which can drift over
time. Update the workflow so the image name is computed once in the Fedora fetch
step and passed forward as a shared value (for example via a step output or env
var), then have the “Create VM” step reuse that value instead of rebuilding
${FEDORA_IMAGE_BASE}.${{ matrix.url_arch }}.qcow2 independently.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/component-builder-publish.yml:
- Around line 87-88: The checksum download in the workflow is using a hardcoded
CHECKSUM path and never uses the computed FEDORA_CHECKSUM value, so update the
Fedora publish step to fetch the configured per-architecture checksum file
derived from fedora_checksum_base and matrix.url_arch. Make sure the download
command references the constructed FEDORA_CHECKSUM name in the same
component-builder-publish workflow step so the later verification uses the
intended file.

---

Outside diff comments:
In @.github/workflows/component-builder.yml:
- Around line 67-82: The Fedora image filename is being derived twice with the
same formula, once in the “Fetch base Fedora image” step and again in the
“Create VM” step, which can drift over time. Update the workflow so the image
name is computed once in the Fedora fetch step and passed forward as a shared
value (for example via a step output or env var), then have the “Create VM” step
reuse that value instead of rebuilding ${FEDORA_IMAGE_BASE}.${{ matrix.url_arch
}}.qcow2 independently.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: e489a395-d42b-4e13-b1a3-1b2c31a771b5

📥 Commits

Reviewing files that changed from the base of the PR and between de3e8c2 and 1e6904c.

📒 Files selected for processing (4)
  • .github/component-builder-config.json
  • .github/workflows/component-builder-publish.yml
  • .github/workflows/component-builder.yml
  • containers/fedora/build.sh
📜 Review details
⏰ Context from checks skipped due to timeout. (10)
⚠️ CI failures not shown inline (1)

GitHub Check: can-be-merged: Check if can be merged

Conclusion: failure

View job details

Some check runs not started: tox, build-container, security-committer-identity, verified, cnv-smoke/validation, verify-bugs-are-open, security-suspicious-paths
PR has 3 unresolved review conversation(s):
  - .github/workflows/component-builder-publish.yml:130 (https://github.com/RedHatQE/openshift-virtualization-tests/pull/5464#discussion_r3513322355)
  - .github/workflows/component-builder-publish.yml:170 (https://github.com/RedHatQE/openshift-virtualization-tests/pull/5464#discussion_r3513322369)
  - .github/workflows/component-builder.yml:72 (https://github.com/RedHatQE/openshift-virtualization-tests/pull/5464#discussion_r3513322375)
Missing approved from approvers: rnetser, vsibirsk, dshchedr, myakove
Missing lgtm from reviewers. Minimum 2 required, (0 given). Reviewers: rnetser, vsibirsk, dshchedr, RoniKishner, myakove.
🧰 Additional context used
📓 Path-based instructions (1)
**

⚙️ CodeRabbit configuration file

**: # AI Review and Development Standards

Assisted-by: Claude noreply@anthropic.com

Coding standards, conventions, and review guidelines for openshift-virtualization-tests.

These rules apply to ALL contributors and review tools — human and AI alike.

Strict Rules (MANDATORY)

Linter Suppressions PROHIBITED

  • NEVER add # noqa, # type: ignore, # pylint: disable
  • NEVER disable linter/mypy rules to work around issues
  • FIX THE CODE - If linter complains, the code is wrong
  • If you think a rule is wrong: ASK the user for explicit approval

Code Reuse (Search-First Development)

Before writing ANY new code:

  1. SEARCH codebase for existing implementations
  2. CHECK utilities/ for shared functions
  3. CHECK libs/ for shared libraries
  4. CHECK tests/ for shared fixtures and helper functions
  5. CHECK pyproject.toml dependencies — project packages (e.g., pyhelper-utils, ocp-resources, openshift-python-wrapper) may already provide the functionality
  6. VERIFY no similar logic exists elsewhere
  7. NEVER duplicate logic - extract to shared module
  8. REUSE existing code and patterns — only write new when nothing exists

External package examples:

  • Shell commands — use pyhelper_utils.shell.run_command, NEVER use subprocess.run directly in test/utility code
  • OpenShift resources — use ocp-resources classes, NEVER construct raw YAML dicts

Python Requirements

  • Type hints MANDATORY - mypy strict mode in libs/, all new public functions under utilities MUST be typed
  • Use TYPE_CHECKING for type-only imports - wrap imports needed solely for type hints in if TYPE_CHECKING: to avoid runtime overhead and circular imports
  • Google-format docstrings REQUIRED - for all public functions with non-obvious return values OR side effects
  • No defensive programming - fail-fast, don't hide bugs with fake defaults (see exceptions below)
  • ALWAYS use uv run -...

Files:

  • containers/fedora/build.sh

⚙️ CodeRabbit configuration file

**: ## PR Template Validation
Check the PR description for required sections from .github/pull_request_template.md.
Required sections (must be present, even if empty):

  • ##### What this PR does / why we need it: — MUST be present AND have meaningful content.
    Flag as HIGH if the section is missing, empty, whitespace-only, contains only HTML comments,
    or contains only placeholder tokens such as TBD, TBA, N/A, -, , none, or ..
  • ##### Which issue(s) this PR fixes: — must be present (may be empty)
  • ##### Special notes for reviewer: — must be present (may be empty)
  • ##### jira-ticket: — must be present (may be empty)
    If any required section is absent, or What this PR does / why we need it: has no content,
    flag it as HIGH severity and ask the author to restore the missing template section(s).

Approval Policy

You may approve the PR when ALL of the following are true:

  • All your review comments have been addressed with either:
    • a code/doc change that fixes the issue, or
    • a substantive author response that justifies no code change.
      Thread "resolved" state alone is not sufficient.
      OR you had no review comments.
  • If you posted a test execution plan comment requesting tests, and the PR author replied
    with a comment explaining why the requested tests are not needed or were already covered,
    treat that as an acceptable response — do not block approval on the test plan alone.
  • The author's explanation must be reasonable and specific (not just "N/A" or "not needed").
    Accept explanations like: "these tests were already run in CI", "this change is docs-only",
    "the affected tests are quarantined", or "verified manually on cluster X".

Files:

  • containers/fedora/build.sh
🧠 Learnings (3)
📚 Learning: 2026-05-19T10:17:37.060Z
Learnt from: Anatw
Repo: RedHatQE/openshift-virtualization-tests PR: 4833
File: tests/network/localnet/migration_stuntime/libstuntime.py:13-13
Timestamp: 2026-05-19T10:17:37.060Z
Learning: In RedHatQE/openshift-virtualization-tests, when the PR template validation rule is triggered, avoid posting the PR template violation comment if the PR description already contains the required sections with meaningful content:
- `##### What this PR does / why we need it:`
- `##### Which issue(s) this PR fixes:`
- `##### Special notes for reviewer:`
- `##### jira-ticket:`
Because the current implementation can use a broad `**` path glob and re-run the check per diff context/file, reviewers/automation should verify the actual PR description content before flagging it as a violation or duplicating the comment.

Applied to files:

  • .github/component-builder-config.json
  • .github/workflows/component-builder.yml
  • .github/workflows/component-builder-publish.yml
📚 Learning: 2026-05-20T11:18:31.677Z
Learnt from: Anatw
Repo: RedHatQE/openshift-virtualization-tests PR: 4867
File: tests/network/libs/stuntime.py:1-1
Timestamp: 2026-05-20T11:18:31.677Z
Learning: In RedHatQE/openshift-virtualization-tests, make the PR template validation (HIGH-severity) heuristic more conservative: if the author explicitly rebuts the “missing template section” finding and confirms the required sections are present with meaningful content, treat the original finding as a false positive and do not re-raise it. Only raise the HIGH-severity flag when a required PR section header (e.g., "##### What this PR does / why we need it:") is clearly absent or its content can be verified as empty/placeholder-only.

Applied to files:

  • .github/workflows/component-builder.yml
  • .github/workflows/component-builder-publish.yml
📚 Learning: 2026-06-03T15:08:46.871Z
Learnt from: geetikakay
Repo: RedHatQE/openshift-virtualization-tests PR: 5101
File: .github/workflows/request-coderabbit-test-instructions.yml:39-39
Timestamp: 2026-06-03T15:08:46.871Z
Learning: In RedHatQE/openshift-virtualization-tests, GitHub Actions workflow reviewers should follow the repo convention of allowing `uses:` references that are pinned to mutable version tags (e.g., `owner/actionv4`, `owner/actionv5`) and should NOT flag these as security issues. Full commit-SHA pinning for third-party actions is explicitly out of scope for this repository, so do not treat non-SHA `uses:` references as violations.

Applied to files:

  • .github/workflows/component-builder.yml
  • .github/workflows/component-builder-publish.yml
🪛 GitHub Check: can-be-merged
.github/workflows/component-builder.yml

[error] 72-72: PR has an unresolved review conversation at line 72: #5464 (comment).

.github/workflows/component-builder-publish.yml

[error] 130-130: PR has an unresolved review conversation at line 130: #5464 (comment).


[error] 170-170: PR has an unresolved review conversation at line 170: #5464 (comment).

🪛 GitHub Check: security-suspicious-paths
.github/workflows/component-builder.yml

[warning] 1-1: Suspicious path detection: PR modifies security-sensitive CI/CD workflow file under configured prefix '.github/workflows/'. Please review carefully for supply-chain risks.

.github/workflows/component-builder-publish.yml

[warning] 1-1: Suspicious path detection: PR modifies security-sensitive CI/CD workflow file under configured prefix '.github/workflows/'. Please review carefully for supply-chain risks.

🪛 zizmor (1.26.1)
.github/workflows/component-builder.yml

[error] 27-27: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)


[info] 17-17: workflow or action definition without a name (anonymous-definition): this job

(anonymous-definition)


[info] 38-38: workflow or action definition without a name (anonymous-definition): this job

(anonymous-definition)

.github/workflows/component-builder-publish.yml

[error] 36-36: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)


[warning] 87-87: code injection via template expansion (template-injection): may expand into attacker-controllable code

(template-injection)


[warning] 88-88: code injection via template expansion (template-injection): may expand into attacker-controllable code

(template-injection)


[warning] 93-93: code injection via template expansion (template-injection): may expand into attacker-controllable code

(template-injection)

🔇 Additional comments (7)
.github/workflows/component-builder.yml (4)

55-61: CRITICAL (recurring): matrix.qemu_package still interpolated raw into run:.

This is the same template-injection pattern already flagged in a prior review round — ${{ matrix.qemu_package }} is expanded before the shell parses the script, so a change to the config JSON containing shell metacharacters could execute arbitrary code on the runner. The fix (bind through env:, reference as a quoted shell variable) still hasn't landed here.

🔒 Proposed fix
       - name: Install dependencies for VM build
+        env:
+          QEMU_PACKAGE: ${{ matrix.qemu_package }}
         run: |
           sudo apt-get update
           sudo apt-get install -y \
-            ${{ matrix.qemu_package }} \
+            "$QEMU_PACKAGE" \
             libvirt-daemon-system \
             virtinst cloud-image-utils \
             libguestfs-tools

67-71: CRITICAL (recurring): matrix.url_arch/matrix.fedora_url still injected directly into run:.

Same template-injection concern raised previously — ${{ matrix.url_arch }} and ${{ matrix.fedora_url }} are expanded before the wget script runs. Route through env: with quoted shell vars.

🔒 Proposed fix
       - name: Fetch base Fedora image
         working-directory: ./containers/fedora
+        env:
+          FEDORA_URL: ${{ matrix.fedora_url }}
+          URL_ARCH: ${{ matrix.url_arch }}
         run: |
-          FEDORA_IMAGE="${FEDORA_IMAGE_BASE}.${{ matrix.url_arch }}.qcow2"
-          wget -q "${{ matrix.fedora_url }}/${FEDORA_IMAGE}"
+          fedora_image="${FEDORA_IMAGE_BASE}.${URL_ARCH}.qcow2"
+          wget -q "${FEDORA_URL}/${fedora_image}"

85-93: CRITICAL (recurring, appears regressed): env.REMOTE_REPOSITORY/env.CPU_ARCH still raw-interpolated into run:.

This exact block was previously flagged and marked "Addressed in commits dd085d6 to 1e6904c," but the current code still expands ${{ env.REMOTE_REPOSITORY }} and ${{ env.CPU_ARCH }} directly inside the podman tag/podman save/echo commands (lines 91-93) instead of via already-defined shell variables (local_repository, arch_tag). Please confirm whether the fix was reverted, or re-apply it.

🔒 Proposed fix
         run: |
           mkdir -p artifacts
-          podman tag "${local_repository}":"${arch_tag}" "${{ env.REMOTE_REPOSITORY }}":"${arch_tag}"
-          podman save -o artifacts/fedora-image-${{ env.CPU_ARCH }}.tar "${{ env.REMOTE_REPOSITORY }}":"${arch_tag}"
-          echo "Saved image to artifacts/fedora-image-${{ env.CPU_ARCH }}.tar"
+          artifact_path="artifacts/fedora-image-${CPU_ARCH}.tar"
+          podman tag "${local_repository}:${arch_tag}" "${REMOTE_REPOSITORY}:${arch_tag}"
+          podman save -o "${artifact_path}" "${REMOTE_REPOSITORY}:${arch_tag}"
+          echo "Saved image to ${artifact_path}"

17-46: LGTM!

.github/workflows/component-builder-publish.yml (1)

27-47: LGTM!

Also applies to: 57-59, 90-102, 160-160

.github/component-builder-config.json (1)

1-27: LGTM!

containers/fedora/build.sh (1)

87-87: LGTM!

Comment on lines +87 to +88
FEDORA_CHECKSUM="${FEDORA_CHECKSUM_BASE}.-${{ matrix.url_arch }}-CHECKSUM"
wget -q "${{ matrix.fedora_url }}/CHECKSUM" -O CHECKSUM

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🎯 Functional Correctness | 🟠 Major | ⚡ Quick win

HIGH: fetch the configured checksum file, not hardcoded CHECKSUM.

Line 87 builds an unused, malformed name (.-${{ matrix.url_arch }}), then Line 88 ignores it and downloads ${{ matrix.fedora_url }}/CHECKSUM. The config provides fedora_checksum_base specifically to construct per-arch files like Fedora-Cloud-43-1.6-x86_64-CHECKSUM; using the hardcoded path can fail before verification.

Proposed fix
-          FEDORA_CHECKSUM="${FEDORA_CHECKSUM_BASE}.-${{ matrix.url_arch }}-CHECKSUM"
-          wget -q "${{ matrix.fedora_url }}/CHECKSUM" -O CHECKSUM
+          FEDORA_CHECKSUM="${FEDORA_CHECKSUM_BASE}-${{ matrix.url_arch }}-CHECKSUM"
+          wget -q "${{ matrix.fedora_url }}/${FEDORA_CHECKSUM}" -O CHECKSUM
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
FEDORA_CHECKSUM="${FEDORA_CHECKSUM_BASE}.-${{ matrix.url_arch }}-CHECKSUM"
wget -q "${{ matrix.fedora_url }}/CHECKSUM" -O CHECKSUM
FEDORA_CHECKSUM="${FEDORA_CHECKSUM_BASE}-${{ matrix.url_arch }}-CHECKSUM"
wget -q "${{ matrix.fedora_url }}/${FEDORA_CHECKSUM}" -O CHECKSUM
🧰 Tools
🪛 zizmor (1.26.1)

[warning] 87-87: code injection via template expansion (template-injection): may expand into attacker-controllable code

(template-injection)


[warning] 88-88: code injection via template expansion (template-injection): may expand into attacker-controllable code

(template-injection)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/component-builder-publish.yml around lines 87 - 88, The
checksum download in the workflow is using a hardcoded CHECKSUM path and never
uses the computed FEDORA_CHECKSUM value, so update the Fedora publish step to
fetch the configured per-architecture checksum file derived from
fedora_checksum_base and matrix.url_arch. Make sure the download command
references the constructed FEDORA_CHECKSUM name in the same
component-builder-publish workflow step so the later verification uses the
intended file.

Move hardcoded Fedora version, image base, and architecture
matrix out of both workflow files and into a single source of
truth.

Both component-builder and component-builder-publish now read
their matrix, and variables from its config file via a
dedicate 'prepare' job step.

Assisted-by: IBM Bob
Signed-off-by: Nestor Acuna Blanco <nestor.acuna@ibm.com>
Signed-off-by: Nestor Acuna Blanco <nestor.acuna@ibm.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

6 participants