
Apply Global Hub Konflux config and CVE fixes to release-1.7#190

Merged
clyang82 merged 17 commits into stolostron:release-1.7 from yanmxa:apply-globalhub-konflux-to-release-1.7 on Jan 27, 2026

Conversation

@yanmxa

@yanmxa yanmxa commented Jan 23, 2026

Related Jira Issue

https://issues.redhat.com/browse/ACM-26554

Summary

This PR applies Global Hub Konflux configuration and CVE fixes from the release-1.7-branch to the release-1.7 branch.

Changes

Konflux Configuration:

  • Remove ACM tekton pipelines (grafana-acm-216-*)
  • Remove Containerfile.operator
  • Add Global Hub tekton pipelines (glo-grafana-globalhub-1-7-*)
  • Add Containerfile.konflux
  • Add renovate.json

CVE Fixes:

  • Upgrade golang to 1.25.3 (Dockerfile.ocp, go.mod, go.work)
  • CVE-2024-25621: Upgrade containerd to v1.7.29 (via replace directive in go.mod)

Note: The glob and node-forge CVE fixes (CVE-2025-64756/66031) were reverted because they require yarn.lock regeneration which cannot be done from a fork PR. These should be applied separately by a maintainer with write access who can run yarn install to regenerate the lockfile.

Test plan

  • Verify Konflux build succeeds on all architectures
  • Verify Go 1.25.3 and containerd v1.7.29 CVE fixes are present
  • Verify ACM-specific files are removed
  • Verify Global Hub specific Konflux files are present

🤖 Generated with Claude Code
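The test plan above asks to verify that the Go 1.25.3 and containerd v1.7.29 pins are present. As an added example (not code from this PR or the glo-grafana project), the Go program below reads a go.mod, lets a versioned replace directive override the required version the way the go tool does, and checks the effective versions against the PR's minimums; the go.mod text is a constructed sample, the function names are my own, and local-path replaces (`=> ../dir`) are ignored.

```go
package main

import (
	"strconv"
	"strings"
)

// Constructed go.mod sample (not the repository's file): old containerd is required, a replace pins v1.7.29.
const sampleGoMod = `go 1.25.3
require (
	github.com/containerd/containerd v1.7.28 // indirect
)
replace github.com/containerd/containerd => github.com/containerd/containerd v1.7.29
`

// pins returns the go directive and each module's effective version: a replace target's version
// wins over the required one. Block keywords are stripped so single-line and block entries look alike.
func pins(src string) (goVersion string, eff map[string]string) {
	eff, replaced := map[string]string{}, map[string]bool{}
	for _, raw := range strings.Split(src, "\n") {
		line, _, _ := strings.Cut(raw, "//") // drop "// indirect" comments
		f := strings.Fields(strings.TrimPrefix(strings.TrimPrefix(strings.TrimSpace(line), "require "), "replace "))
		switch {
		case len(f) < 2: // blank line, "(" or ")"
		case f[0] == "go":
			goVersion = f[1]
		case len(f) >= 4 && f[len(f)-3] == "=>": // "<module> [version] => <target> <version>"
			eff[f[0]], replaced[f[0]] = f[len(f)-1], true
		case len(f) == 2 && strings.Contains(f[0], "/") && !replaced[f[0]]: // "<module> <version>"
			eff[f[0]] = f[1]
		}
	}
	return goVersion, eff
}

// verKey maps "v1.7.29" or "1.25.3" to a comparable integer (major*1e6 + minor*1e3 + patch).
func verKey(v string) (k int) {
	for _, p := range append(strings.SplitN(strings.TrimPrefix(v, "v"), ".", 3), "0", "0")[:3] {
		n, _ := strconv.Atoi(p) // a non-numeric part such as "29-rc1" counts as 0, so pre-releases rank below the release
		k = k*1000 + n
	}
	return k
}

// checkPins is the PR's test-plan check: Go >= 1.25.3 and an effective containerd >= v1.7.29.
func checkPins(src string) (goOK, containerdOK bool) {
	goVer, eff := pins(src)
	return verKey(goVer) >= verKey("1.25.3"), verKey(eff["github.com/containerd/containerd"]) >= verKey("v1.7.29")
}
```

A missing require entry yields an empty version and therefore fails the check, which is the safe direction for a release gate.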

yanmxa and others added 5 commits January 23, 2026 10:43
- Remove ACM tekton pipelines (grafana-acm-216-*)
- Remove Containerfile.operator
- Add Global Hub tekton pipelines (glo-grafana-globalhub-1-7-*)
- Add Containerfile.konflux
- Add renovate.json

Signed-off-by: Meng Yan <myan@redhat.com>
Signed-off-by: clyang82 <chuyang@redhat.com>
…tolostron#185)

* Fix CVE-2025-64756 and CVE-2025-66031: Upgrade glob and node-forge

This commit addresses two security vulnerabilities in dependencies:

1. CVE-2025-64756 (ACM-27068): glob command injection vulnerability
   - Upgraded glob from 10.4.1 to 11.1.0
   - Vulnerability allowed arbitrary command execution via malicious filenames
   - Fixed by upgrading to glob 11.1.0+

2. CVE-2025-66031 (ACM-27062): node-forge ASN.1 unbounded recursion
   - Upgraded node-forge from ^1.3.1 to ^1.3.2
   - Vulnerability could cause DoS via stack exhaustion
   - Fixed by upgrading to node-forge 1.3.2+

Changes:
- Updated package.json with new dependency versions
- Updated yarn.lock with resolved dependencies

Fixes: ACM-27068, ACM-27062

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
Signed-off-by: clyang82 <chuyang@redhat.com>

* Update build artifacts after dependency upgrades

This commit updates the build artifacts after upgrading glob and
node-forge dependencies for CVE fixes (ACM-27068, ACM-27062).

Changes:
- Rebuilt AngularApp bundle with new hash
- Rebuilt runtime bundle with new hash
- Updated assets manifest

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
Signed-off-by: clyang82 <chuyang@redhat.com>

* rerun in linux

---------

Signed-off-by: clyang82 <chuyang@redhat.com>
Co-authored-by: Claude Sonnet 4.5 <noreply@anthropic.com>
* Fix CVE-2024-25621: Upgrade containerd to v1.7.29

This commit fixes CVE-2024-25621, a local privilege escalation
vulnerability in containerd versions up to 1.7.28. The issue involved
overly broad default permissions for directory paths in containerd.

Changes:
- Added replace directive to force containerd v1.7.29
- Updated go.mod and go.sum with new containerd version
- Also updated transitive dependencies (go-jose, golang.org/x/crypto)

Fixes: ACM-27214

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
Signed-off-by: clyang82 <chuyang@redhat.com>

* Fix k8s.io dependency resolution for go work vendor

Add replace directives in go.mod for k8s.io components to resolve
v0.0.0 dependency issues that prevented go work vendor from running
successfully.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

---------

Signed-off-by: clyang82 <chuyang@redhat.com>
Co-authored-by: Claude Sonnet 4.5 <noreply@anthropic.com>
The glob and node-forge version upgrades require yarn.lock regeneration
which cannot be done from a fork PR. Reverting to original versions
to maintain consistency between package.json and yarn.lock.

The containerd CVE fix (via go.mod replace directive) is still in place.

Signed-off-by: Meng Yan <myan@redhat.com>
@yanmxa yanmxa force-pushed the apply-globalhub-konflux-to-release-1.7 branch from 54cdf0b to df41156 Compare January 23, 2026 03:19
Update Containerfile.konflux to match the release-1.7 directory structure:
- Remove references to non-existent directories (plugins-bundled, .bingo)
- Add kindsv2, apps, .citools directories
- Add stolostron-patches and apply them during build
- Use ubi:latest instead of ubi-minimal (matches Dockerfile.ocp)
- Fix binary copy path

Signed-off-by: Meng Yan <myan@redhat.com>
- Remove stolostron-patches and git apply (not compatible with hermetic build)
- Add GOFLAGS="-mod=readonly" for hermetic build compatibility
- Use ubi-minimal as base image (matches original Konflux config)
- Use relative path for binary copy (./bin/ instead of $GOPATH/...)
- Keep kindsv2, apps, .citools directories for release-1.7 compatibility

Signed-off-by: Meng Yan <myan@redhat.com>
- Use 'git init && git apply' to apply stolostron patches
- Use 'go run build.go -build-tags=strictfipsruntime build' instead of make build-go
- This matches the ACM build approach which works with Konflux

Signed-off-by: Meng Yan <myan@redhat.com>
Addresses HIGH severity vulnerability in github.com/expr-lang/expr:
- Denial of Service via uncontrolled recursion in expression evaluation
- Affected files: .citools/src/cog/go.mod, pkg/codegen/go.mod, pkg/plugins/codegen/go.mod

Signed-off-by: Meng Yan <myan@redhat.com>
@yanmxa yanmxa force-pushed the apply-globalhub-konflux-to-release-1.7 branch from 08c5838 to e958ae1 Compare January 26, 2026 07:45
@yanmxa
Author

yanmxa commented Jan 26, 2026

/retest

Add pkg/codegen and pkg/plugins/codegen to cachi2 prefetch-input
so that their dependencies (including expr-lang/expr v1.17.7)
are properly prefetched for hermetic builds.

Signed-off-by: Meng Yan <myan@redhat.com>
Align sub-module Go versions with the workspace (go.work):
- pkg/codegen/go.mod: 1.24.6 -> 1.25.3
- pkg/plugins/codegen/go.mod: 1.24.6 -> 1.25.3
- .citools/src/cog/go.mod: 1.24.5 -> 1.25.3

Signed-off-by: Meng Yan <myan@redhat.com>
@yanmxa
Author

yanmxa commented Jan 27, 2026

/retest

Increase EventuallyWithT timeout from 5ms to 5s and poll interval
from 1ms to 10ms to avoid flaky test failures in CI environments.

Signed-off-by: Meng Yan <myan@redhat.com>
Delete GitHub Actions workflows that require large runners
(ubuntu-x64-large, ubuntu-x64-large-io) which are not available
in the stolostron/glo-grafana fork.

Removed workflows:
- backend-unit-tests.yml (Grafana unit tests)
- pr-test-integration.yml (MySQL/Postgres/Sqlite tests)
- pr-e2e-tests.yml (E2E tests)
- pr-frontend-unit-tests.yml (Frontend tests)
- pr-test-docker.yml (Docker build tests)
- release-build.yml (Release builds)

Signed-off-by: Meng Yan <myan@redhat.com>
Delete additional workflows using large runners:
- run-schema-v2-e2e.yml (ubuntu-latest-8-cores)
- storybook-a11y.yml (ubuntu-latest-8-cores)

Signed-off-by: Meng Yan <myan@redhat.com>
Fix PostgreSQL datasource plugin 404 error by adding frontend build stage.
The previous Containerfile only copied source code without building,
causing Grafana to fail loading plugins that require compiled JS modules.

Reference: https://github.com/grafana/grafana/blob/main/Dockerfile

Changes:
- Add js-builder stage using ubi9/nodejs-22 base image
- Run yarn install and yarn build for frontend compilation
- Copy built public directory from js-builder instead of source code

Signed-off-by: Meng Yan <myan@redhat.com>
Generate compiled frontend assets including plugin dist directories.
This fixes the PostgreSQL datasource 404 error in Grafana 12.x.

Reference: stolostron@4ae4713e

Signed-off-by: Meng Yan <myan@redhat.com>
Signed-off-by: myan <myan@redhat.com>
@yanmxa yanmxa force-pushed the apply-globalhub-konflux-to-release-1.7 branch from 694ea19 to aa73fbf Compare January 27, 2026 10:49
Fix Konflux hermetic build failure by ensuring all transitive
dependency checksums are present in go.work.sum.

Signed-off-by: Meng Yan <myan@redhat.com>
Signed-off-by: myan <myan@redhat.com>

@clyang82 clyang82 left a comment


LGTM

@openshift-ci

openshift-ci Bot commented Jan 27, 2026

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: clyang82, yanmxa
Once this PR has been reviewed and has the lgtm label, please assign coleenquadros for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@clyang82 clyang82 merged commit 8b09463 into stolostron:release-1.7 Jan 27, 2026
21 of 22 checks passed
@yanmxa yanmxa deleted the apply-globalhub-konflux-to-release-1.7 branch January 28, 2026 08:11
ldpliu added a commit to ldpliu/glo-grafana that referenced this pull request Apr 1, 2026
This commit applies all Global Hub specific changes on top of
stolostron/grafana release-2.17 (Grafana v12.4.0):

- Apply Global Hub Konflux config and CVE fixes (stolostron#190)
- Remove failing upstream Grafana workflows (stolostron#197, stolostron#198)
- Upgrade golang to 1.25.7 and use common-base.yaml (stolostron#199)
- Update glo-grafana for release-1.8 (Global Hub v1.8.0) (stolostron#203)

Signed-off-by: Deping Liu <dpliu@redhat.com>
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Signed-off-by: root <daliu@redhat.com>
ldpliu added a commit that referenced this pull request Apr 1, 2026
This commit applies all Global Hub specific changes on top of
stolostron/grafana release-2.17 (Grafana v12.4.0):

- Apply Global Hub Konflux config and CVE fixes (#190)
- Remove failing upstream Grafana workflows (#197, #198)
- Upgrade golang to 1.25.7 and use common-base.yaml (#199)
- Update glo-grafana for release-1.8 (Global Hub v1.8.0) (#203)

Signed-off-by: Deping Liu <dpliu@redhat.com>
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Signed-off-by: root <daliu@redhat.com>