(maint) Update automation for minio image build #5

Open
abottchen wants to merge 3 commits into master from maint/update-automation

@abottchen commented Jun 14, 2022


Prior to this commit, we were scanning the minio image, but it was left
as a separate action to go out and look for the results.

With this change, we now just update the image daily to ensure it is at
the latest. Also adds in a CODEOWNERS to be consistent with our
policies and updates the base image to the latest RHEL UBI image.

Also removed a Go test that was unrelated to the release process we are
working with here, since we are not upstream minio devs.

@jpartlow


What's the relationship between what we build here and what we scan? We always push whatever comes from a rebuild. But we scan what? That image that gets pushed? And the results of the scan go where?

(Also there's a fix commit to squash.)

@abottchen

Author

The scans end up in the "Security" tab in the GitHub project. For some reason, the cron has not been triggering for the last 11 days, though. Need to look into that.

The scan is the current image that is up in gcr. So the daily rebuilds will catch updates to the base image automatically so we don't get caught on that. The daily scans will be to catch when we need to update the version of the base image (say from ubi-minimal:8.5 to ubi-minimal:8.6 when one is no longer getting security updates).

I think it would be better to have the scan ping the Slack channel when there is a problem, though, as that has better visibility than the security tab in the repo. I can add that.

@jpartlow


👍 I think I'm following. Right now to see if there's an issue we have to come to look at the security tab?

@abottchen

Author

> Right now to see if there's an issue we have to come to look at the security tab?

Correct. Which is not a great design, so I'll update it to ping the channel.

@abottchen

Author

What do you think of just pulling this over to holodeck manifests? https://github.com/puppetlabs/holodeck-manifests/pull/1571
