From a3dddd27212e40482589214bf3e533e1cd0814df Mon Sep 17 00:00:00 2001
From: Vimal Kumar
Date: Mon, 1 Jun 2026 17:19:44 +0530
Subject: [PATCH 1/2] Enable hermetic builds and source image for EC compliance The Enterprise Contract check fails with 3 violations: non-hermetic build, missing source image, and missing source-build task. Enable hermetic mode, source image building, and npm/rpm prefetch in both push and pull-request pipeline configs.
Co-Authored-By: Claude Sonnet 4.6 (1M context)
Signed-off-by: Vimal Kumar
---
 .tekton/lightspeed-agentic-console-pull-request.yaml | 6 ++++++
 .tekton/lightspeed-agentic-console-push.yaml | 6 ++++++
 2 files changed, 12 insertions(+)
diff --git a/.tekton/lightspeed-agentic-console-pull-request.yaml b/.tekton/lightspeed-agentic-console-pull-request.yaml
index 397a06b..7828ed9 100644
--- a/.tekton/lightspeed-agentic-console-pull-request.yaml
+++ b/.tekton/lightspeed-agentic-console-pull-request.yaml
@@ -28,6 +28,12 @@ spec:
 value: 5d
 - name: dockerfile
 value: Dockerfile
+ - name: hermetic
+ value: "true"
+ - name: build-source-image
+ value: "true"
+ - name: prefetch-input
+ value: '[{"type": "npm", "path": "."}, {"type": "rpm", "path": "."}]'
 pipelineSpec:
 description: |
 This pipeline is ideal for building container images from a Containerfile while maintaining trust after pipeline customization.
diff --git a/.tekton/lightspeed-agentic-console-push.yaml b/.tekton/lightspeed-agentic-console-push.yaml
index d15662d..0b7934b 100644
--- a/.tekton/lightspeed-agentic-console-push.yaml
+++ b/.tekton/lightspeed-agentic-console-push.yaml
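Review bot: The `rpm` entry in the added `prefetch-input` value (in the pull-request pipeline hunk, and identically in the push pipeline hunk) has no lockfile visible in this series: the diffstats of both commits touch only the two `.tekton` files and `package.json`/`package-lock.json`, while the rpm prefetcher expects an `rpms.lock.yaml` at the given path. If that file is not already in the repository root, add it together with this change, or, if the Dockerfile installs no packages, reduce the value to `'[{"type": "npm", "path": "."}]'`. With `hermetic` set to `"true"` the build step has no network access, so anything that was not prefetched and pinned fails at build time. The `pipelineSpec` that consumes these params continues outside the hunk, so it is worth confirming that it declares `hermetic`, `build-source-image` and `prefetch-input`; Tekton tolerates undeclared run params, and the settings would then silently have no effect on the Enterprise Contract result.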
@@ -25,6 +25,12 @@ spec:
 value: quay.io/redhat-user-workloads/crt-nshift-lightspeed-tenant/lightspeed-agentic-console:{{revision}}
 - name: dockerfile
 value: Dockerfile
+ - name: hermetic
+ value: "true"
+ - name: build-source-image
+ value: "true"
+ - name: prefetch-input
+ value: '[{"type": "npm", "path": "."}, {"type": "rpm", "path": "."}]'
 pipelineSpec:
 description: |
 This pipeline is ideal for building container images from a Containerfile while maintaining trust after pipeline customization.
From fe98b78ee3340333706b9e514844607ecc3e219a Mon Sep 17 00:00:00 2001
From: Haoyu Sun
Date: Mon, 1 Jun 2026 15:28:05 +0200
Subject: [PATCH 2/2] [konflux-agent] fix: replace npm dist-tags with exact versions for hermetic build During hermetic builds (network isolated), npm ci resolves dist-tags by querying registry.npmjs.org metadata API, which fails when the network is blocked. The dist-tags '4.21-latest' for both @openshift-console packages caused npm to reach out to the registry even though cachi2 had pre-fetched all tarballs. Replace '4.21-latest' with the equivalent exact version '4.21.0' (verified: dist-tag '4.21-latest' resolves to '4.21.0' in npm registry). This allows npm ci to use the lockfile exclusively without any network calls during hermetic Konflux builds.
Fixes: openshift/lightspeed-agentic-console#28
---
 package-lock.json | 4 ++--
 package.json | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/package-lock.json b/package-lock.json
index fb87563..94d0b0a 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -9,8 +9,8 @@
 "version": "0.0.1",
 "license": "Apache-2.0",
 "dependencies": {
- "@openshift-console/dynamic-plugin-sdk": "4.21-latest",
- "@openshift-console/dynamic-plugin-sdk-webpack": "4.21-latest",
+ "@openshift-console/dynamic-plugin-sdk": "4.21.0",
+ "@openshift-console/dynamic-plugin-sdk-webpack": "4.21.0",
 "@patternfly/react-charts": "^8.4.1",
 "@patternfly/react-core": "^6.2.2",
 "@patternfly/react-icons": "^6.2.2",
diff --git a/package.json b/package.json
index f5d9625..962903d 100644
--- a/package.json
+++ b/package.json
@@ -26,8 +26,8 @@
 "webpack": "node -r ts-node/register ./node_modules/.bin/webpack"
 },
 "dependencies": {
- "@openshift-console/dynamic-plugin-sdk": "4.21-latest",
- "@openshift-console/dynamic-plugin-sdk-webpack": "4.21-latest",
+ "@openshift-console/dynamic-plugin-sdk": "4.21.0",
+ "@openshift-console/dynamic-plugin-sdk-webpack": "4.21.0",
 "@patternfly/react-charts": "^8.4.1",
 "@patternfly/react-core": "^6.2.2",
 "@patternfly/react-icons": "^6.2.2",