
[release-4.22] COS-4051: tree: add labels.json and security OCI labels for Clair scanning #1933

Open
openshift-cherrypick-robot wants to merge 3 commits into openshift:release-4.22 from openshift-cherrypick-robot:cherry-pick-1919-to-release-4.22


@openshift-cherrypick-robot

This is an automated cherry-pick of #1919

/assign jlebon

jlebon added 3 commits May 1, 2026 15:10
OKD doesn't care about this anymore and we don't either. So this is
essentially dead code.

Nuke all c9s-related bits.

Assisted-by: OpenCode (Claude Opus 4.6)

As part of container-first reporting (KONFLUX-6210), security scanners
like Clair expect metadata at the OCI level (as labels) _and_ in the
rootfs itself (as a JSON file at `/usr/share/buildinfo/labels.json`).

To accommodate this, each variant now has a `build-args-*.conf` file
that specifies the image name and CPE, but also while we're here, the
image `FROM` to use which nicely cleans up the building docs. For the
architecture, we use buildah's built-in `TARGETARCH`.

This is only relevant on OCP, not OKD. So skip it there.

Once we start building the node image through Konflux, this should
in theory no longer be necessary because the Konflux pipeline itself
automatically adds this information (though there are still details
there to figure out on where that information comes from/whether it's
correct).

Closes: https://redhat.atlassian.net/browse/COS-4051
Assisted-by: OpenCode (Claude Opus 4.6)

ART is no longer populating the 98 repo currently. To get pre-release
content, we need to use the 9 repo directly.
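
The second commit message above puts the same metadata in two places: OCI labels and the rootfs file `/usr/share/buildinfo/labels.json`. The following is an added example (not code from this PR or repository) that checks the two copies agree, so a scanner reading either one sees the same values. It assumes `labels.json` is a flat JSON object of label keys to values; the label keys, sample values and helper names are constructed for illustration.

```python
import io
import json
import tarfile

# Path named in the commit message, relative to the layer root.
LABELS_PATH = "usr/share/buildinfo/labels.json"


def make_layer(files):
    """Build an uncompressed in-memory tar layer from {path: bytes}."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for path, data in files.items():
            info = tarfile.TarInfo(path)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def read_rootfs_labels(layers):
    """Return labels.json from the topmost layer containing it, or {}."""
    for layer in reversed(layers):
        with tarfile.open(fileobj=io.BytesIO(layer), mode="r") as tar:
            for member in tar.getmembers():
                if member.isfile() and member.name.removeprefix("./") == LABELS_PATH:
                    return json.load(tar.extractfile(member))
    return {}


def label_drift(image_config, layers, keys):
    """Map each key that is absent or differs to (oci_value, rootfs_value)."""
    oci = (image_config.get("config") or {}).get("Labels") or {}
    rootfs = read_rootfs_labels(layers)
    return {k: (oci.get(k), rootfs.get(k)) for k in keys
            if k not in oci or oci[k] != rootfs.get(k)}


# Constructed sample input: label keys and values are assumptions, not from the PR.
KEYS = ["name", "cpe", "architecture"]
LABELS = {"name": "example/node", "cpe": "cpe:/a:example:node:1", "architecture": "amd64"}
BASE = make_layer({"etc/os-release": b"ID=example\n"})
GOOD = [BASE, make_layer({LABELS_PATH: json.dumps(LABELS).encode()})]
CONFIG = {"architecture": "amd64", "config": {"Labels": dict(LABELS)}}

if __name__ == "__main__":
    print(label_drift(CONFIG, GOOD, KEYS))    # labels agree
    stale = {"config": {"Labels": {**LABELS, "architecture": "arm64"}}}
    print(label_drift(stale, GOOD, KEYS))     # architecture label disagrees
    print(label_drift(CONFIG, [BASE], KEYS))  # labels.json missing from rootfs
```
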
@openshift-ci-robot

openshift-ci-robot commented May 1, 2026

@openshift-cherrypick-robot: Ignoring requests to cherry-pick non-bug issues: COS-4051

In response to this:

This is an automated cherry-pick of #1919

/assign jlebon

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@openshift-ci
Contributor

openshift-ci Bot commented May 1, 2026

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: openshift-cherrypick-robot
Once this PR has been reviewed and has the lgtm label, please assign madhu-pillai for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci
Contributor

openshift-ci Bot commented May 1, 2026

@openshift-cherrypick-robot: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

| Test name | Commit | Details | Required | Rerun command |
| --- | --- | --- | --- | --- |
| ci/prow/images | 6b42281 | link | true | /test images |

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

@jlebon
Member

jlebon commented May 1, 2026

/hold

Let's hold this until the pipeline has stabilized and we've confirmed the new labels work in 4.23.

@openshift-ci openshift-ci Bot added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label May 1, 2026