Skip to content

OCPBUGS-87407: Updating oauth-server-container image to be consistent with ART for 5.0#235

Open
openshift-bot wants to merge 1 commit into
openshift:masterfrom
openshift-bot:art-consistency-openshift-5.0-oauth-server
Open

OCPBUGS-87407: Updating oauth-server-container image to be consistent with ART for 5.0#235
openshift-bot wants to merge 1 commit into
openshift:masterfrom
openshift-bot:art-consistency-openshift-5.0-oauth-server

Conversation

@openshift-bot

@openshift-bot openshift-bot commented Jun 7, 2026

Copy link
Copy Markdown
Contributor

Updating oauth-server-container image to be consistent with ART for 5.0
TLDR:
Product builds by ART can be configured for different base and builder images than corresponding CI
builds. This automated PR requests a change to CI configuration to align with ART's configuration;
please take steps to merge it quickly or contact ART to coordinate changes.

The configuration in the following ART component metadata is driving this alignment request:
oauth-server.yml.

Detail:

This repository is out of sync with the downstream product builds for this component. The CI
configuration for at least one image differs from ART's expected product configuration. This should
be addressed to ensure that the component's CI testing accurate reflects what customers will
experience.

Most of these PRs are opened as an ART-driven proposal to migrate base image or builder(s) to a
different version, usually prior to GA. The intent is to effect changes in both configurations
simultaneously without breaking either CI or ART builds, so usually ART builds are configured to
consider CI as canonical and attempt to match CI config until the PR merges to align both. ART may
also configure changes in GA releases with CI remaining canonical for a brief grace period to enable
CI to succeed and the alignment PR to merge. In either case, ART configuration will be made
canonical at some point (typically at branch-cut before GA or release dev-cut after GA), so it is
important to align CI configuration as soon as possible.

PRs are also triggered when CI configuration changes without ART coordination, for instance to
change the number of builder images or to use a different golang version. These changes should be
coordinated with ART; whether ART configuration is canonical or not, preferably it would be updated
first to enable the changes to occur simultaneously in both CI and ART at the same time. This also
gives ART a chance to validate the intended changes first. For instance, ART compiles most
components with the Golang version being used by the control plane for a given OpenShift release.
Exceptions to this convention (i.e. you believe your component must be compiled with a Golang
version independent from the control plane) must be granted by the OpenShift staff engineers and
communicated to the ART team.

Roles & Responsibilities:

  • Component owners are responsible for ensuring these alignment PRs merge with passing
    tests OR that necessary metadata changes are reported to the ART team
    in #forum-ocp-art on Slack. If necessary, the changes required by this pull request can be
    introduced with a separate PR opened by the component team. Once the repository is aligned,
    this PR will be closed automatically.
  • In particular, it could be that a job like verify-deps is complaining. In that case, please open
    a new PR with the dependency issues addressed (and base images bumped). ART-9595 for reference.
  • Patch-manager or those with sufficient privileges within this repository may add
    any required labels to ensure the PR merges once tests are passing. In cases where ART config is
    canonical, downstream builds are already being built with these changes, and merging this PR
    only improves the fidelity of our CI. In cases where ART config is not canonical, this provides
    a grace period for the component team to align their CI with ART's configuration before it becomes
    canonical in product builds.

ART has been configured to reconcile your CI build root image (see https://docs.ci.openshift.org/docs/architecture/ci-operator/#build-root-image).
In order for your upstream .ci-operator.yaml configuration to be honored, you must set the following in your openshift/release ci-operator configuration file:

build_root:
  from_repository: true

Change behavior of future PRs:

  • In case you just want to follow the base images that ART suggests, you can configure additional labels to be
    set up automatically. This means that such a PR would merge without human intervention (and awareness!) in the future.
    To do so, open a PR to set the auto_label attribute in the image configuration. Example
  • You can set a commit prefix, like UPSTREAM: <carry>: . An example.

If you have any questions about this pull request, please reach out in the #forum-ocp-art Slack channel.

@openshift-bot openshift-bot force-pushed the art-consistency-openshift-5.0-oauth-server branch from d01dbd8 to d6559c9 Compare June 7, 2026 02:15
@openshift-bot

Copy link
Copy Markdown
Contributor Author

@coderabbitai

coderabbitai Bot commented Jun 7, 2026

Copy link
Copy Markdown

Walkthrough

This PR upgrades the build infrastructure for the OAuth server project from OpenShift 4.21 with Go 1.24 to OpenShift 5.0 with Go 1.26. The CI operator configuration and multi-stage Dockerfile are updated to reference the newer base images, while build and runtime workflows remain unchanged.

Changes

Build Infrastructure Upgrade

Layer / File(s) Summary
Base image and Go version upgrade to OpenShift 5.0
.ci-operator.yaml, images/Dockerfile.rhel
CI operator build_root_image and Dockerfile builder and base stages are updated from rhel-9-golang-1.24 on openshift-4.21 to rhel-9-golang-1.26 on openshift-5.0. Build commands and artifact handling remain unchanged.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes


Important

Pre-merge checks failed

Please resolve all errors before merging. Addressing warnings is optional.

❌ Failed checks (1 error)

Check name Status Explanation Resolution
No-Weak-Crypto ❌ Error PR adds MD5 cryptographic algorithm in pkg/authenticator/password/htpasswd/md5.go for htpasswd password hashing, which is flagged as weak crypto usage per the check requirements. Replace MD5-based htpasswd support with stronger alternatives (bcrypt/scrypt), or use an alternative password file format that doesn't rely on MD5.
✅ Passed checks (14 passed)
Check name Status Explanation
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names ✅ Passed The custom check for Ginkgo test name stability is not applicable. The PR changes build configuration files only, and the codebase uses Go's standard testing package, not Ginkgo.
Test Structure And Quality ✅ Passed No Ginkgo tests modified in this PR. Changes are limited to infrastructure configuration (.ci-operator.yaml, images/Dockerfile.rhel) updating build image versions for OpenShift 5.0 compatibility.
Microshift Test Compatibility ✅ Passed PR does not add new Ginkgo e2e tests. Changes are limited to build configuration updates (.ci-operator.yaml, Dockerfile.rhel) and existing unit tests. Check not applicable.
Single Node Openshift (Sno) Test Compatibility ✅ Passed PR contains only build config and container image updates (golang 1.24→1.26, openshift-4.21→5.0), not new Ginkgo e2e tests, so SNO compatibility check does not apply.
Topology-Aware Scheduling Compatibility ✅ Passed This PR updates CI build images only. It does not add or modify deployment manifests, operator code, or scheduling constraints that would affect topology compatibility.
Ote Binary Stdout Contract ✅ Passed PR only updates build image tags in .ci-operator.yaml and images/Dockerfile.rhel, not source code. OTE Binary Stdout Contract check is not applicable.
Ipv6 And Disconnected Network Test Compatibility ✅ Passed No new Ginkgo e2e tests added. PR updates build config files only; the 41 unit tests are standard Go tests, not Ginkgo e2e tests.
Container-Privileges ✅ Passed No K8s manifests or container privilege settings found. PR updates build configuration and Dockerfile only, with no privileged, hostPID, hostNetwork, SYS_ADMIN, or allowPrivilegeEscalation.
No-Sensitive-Data-In-Logs ✅ Passed The PR only modifies CI configuration files (.ci-operator.yaml and images/Dockerfile.rhel). Neither contains logging statements or sensitive data like passwords, tokens, API keys, PII, or session IDs.
Title check ✅ Passed The title clearly identifies the main objective: updating the oauth-server-container image configuration for OpenShift 5.0 consistency with ART, which directly matches the changeset modifications to .ci-operator.yaml and Dockerfile.rhel.
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Comment @coderabbitai help to get the list of available commands.

@openshift-bot openshift-bot changed the title Updating oauth-server-container image to be consistent with ART for 5.0 OCPBUGS-87407: Updating oauth-server-container image to be consistent with ART for 5.0 Jun 7, 2026
@openshift-ci openshift-ci Bot requested review from ibihim and liouk June 7, 2026 02:16
@openshift-ci

openshift-ci Bot commented Jun 7, 2026

Copy link
Copy Markdown
Contributor

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: openshift-bot
Once this PR has been reviewed and has the lgtm label, please assign deads2k for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci-robot openshift-ci-robot added jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. jira/valid-bug Indicates that a referenced Jira bug is valid for the branch this PR is targeting. labels Jun 7, 2026
@openshift-ci-robot

Copy link
Copy Markdown
Contributor

@openshift-bot: This pull request references Jira Issue OCPBUGS-87407, which is valid. The bug has been moved to the POST state.

3 validation(s) were run on this bug
  • bug is open, matching expected state (open)
  • bug target version (5.0.0) matches configured target version for branch (5.0.0)
  • bug is in the state New, which is one of the valid states (NEW, ASSIGNED, POST)

The bug has been updated to refer to the pull request using the external bug tracker.

Details

In response to this:

Updating oauth-server-container image to be consistent with ART for 5.0
TLDR:
Product builds by ART can be configured for different base and builder images than corresponding CI
builds. This automated PR requests a change to CI configuration to align with ART's configuration;
please take steps to merge it quickly or contact ART to coordinate changes.

The configuration in the following ART component metadata is driving this alignment request:
oauth-server.yml.

Detail:

This repository is out of sync with the downstream product builds for this component. The CI
configuration for at least one image differs from ART's expected product configuration. This should
be addressed to ensure that the component's CI testing accurate reflects what customers will
experience.

Most of these PRs are opened as an ART-driven proposal to migrate base image or builder(s) to a
different version, usually prior to GA. The intent is to effect changes in both configurations
simultaneously without breaking either CI or ART builds, so usually ART builds are configured to
consider CI as canonical and attempt to match CI config until the PR merges to align both. ART may
also configure changes in GA releases with CI remaining canonical for a brief grace period to enable
CI to succeed and the alignment PR to merge. In either case, ART configuration will be made
canonical at some point (typically at branch-cut before GA or release dev-cut after GA), so it is
important to align CI configuration as soon as possible.

PRs are also triggered when CI configuration changes without ART coordination, for instance to
change the number of builder images or to use a different golang version. These changes should be
coordinated with ART; whether ART configuration is canonical or not, preferably it would be updated
first to enable the changes to occur simultaneously in both CI and ART at the same time. This also
gives ART a chance to validate the intended changes first. For instance, ART compiles most
components with the Golang version being used by the control plane for a given OpenShift release.
Exceptions to this convention (i.e. you believe your component must be compiled with a Golang
version independent from the control plane) must be granted by the OpenShift staff engineers and
communicated to the ART team.

Roles & Responsibilities:

  • Component owners are responsible for ensuring these alignment PRs merge with passing
    tests OR that necessary metadata changes are reported to the ART team
    in #forum-ocp-art on Slack. If necessary, the changes required by this pull request can be
    introduced with a separate PR opened by the component team. Once the repository is aligned,
    this PR will be closed automatically.
  • In particular, it could be that a job like verify-deps is complaining. In that case, please open
    a new PR with the dependency issues addressed (and base images bumped). ART-9595 for reference.
  • Patch-manager or those with sufficient privileges within this repository may add
    any required labels to ensure the PR merges once tests are passing. In cases where ART config is
    canonical, downstream builds are already being built with these changes, and merging this PR
    only improves the fidelity of our CI. In cases where ART config is not canonical, this provides
    a grace period for the component team to align their CI with ART's configuration before it becomes
    canonical in product builds.

ART has been configured to reconcile your CI build root image (see https://docs.ci.openshift.org/docs/architecture/ci-operator/#build-root-image).
In order for your upstream .ci-operator.yaml configuration to be honored, you must set the following in your openshift/release ci-operator configuration file:

build_root:
 from_repository: true

Change behavior of future PRs:

  • In case you just want to follow the base images that ART suggests, you can configure additional labels to be
    set up automatically. This means that such a PR would merge without human intervention (and awareness!) in the future.
    To do so, open a PR to set the auto_label attribute in the image configuration. Example
  • You can set a commit prefix, like UPSTREAM: <carry>: . An example.

If you have any questions about this pull request, please reach out in the #forum-ocp-art Slack channel.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@openshift-ci-robot

Copy link
Copy Markdown
Contributor

@openshift-bot: This pull request references Jira Issue OCPBUGS-87407, which is valid.

3 validation(s) were run on this bug
  • bug is open, matching expected state (open)
  • bug target version (5.0.0) matches configured target version for branch (5.0.0)
  • bug is in the state POST, which is one of the valid states (NEW, ASSIGNED, POST)
Details

In response to this:

Updating oauth-server-container image to be consistent with ART for 5.0
TLDR:
Product builds by ART can be configured for different base and builder images than corresponding CI
builds. This automated PR requests a change to CI configuration to align with ART's configuration;
please take steps to merge it quickly or contact ART to coordinate changes.

The configuration in the following ART component metadata is driving this alignment request:
oauth-server.yml.

Detail:

This repository is out of sync with the downstream product builds for this component. The CI
configuration for at least one image differs from ART's expected product configuration. This should
be addressed to ensure that the component's CI testing accurate reflects what customers will
experience.

Most of these PRs are opened as an ART-driven proposal to migrate base image or builder(s) to a
different version, usually prior to GA. The intent is to effect changes in both configurations
simultaneously without breaking either CI or ART builds, so usually ART builds are configured to
consider CI as canonical and attempt to match CI config until the PR merges to align both. ART may
also configure changes in GA releases with CI remaining canonical for a brief grace period to enable
CI to succeed and the alignment PR to merge. In either case, ART configuration will be made
canonical at some point (typically at branch-cut before GA or release dev-cut after GA), so it is
important to align CI configuration as soon as possible.

PRs are also triggered when CI configuration changes without ART coordination, for instance to
change the number of builder images or to use a different golang version. These changes should be
coordinated with ART; whether ART configuration is canonical or not, preferably it would be updated
first to enable the changes to occur simultaneously in both CI and ART at the same time. This also
gives ART a chance to validate the intended changes first. For instance, ART compiles most
components with the Golang version being used by the control plane for a given OpenShift release.
Exceptions to this convention (i.e. you believe your component must be compiled with a Golang
version independent from the control plane) must be granted by the OpenShift staff engineers and
communicated to the ART team.

Roles & Responsibilities:

  • Component owners are responsible for ensuring these alignment PRs merge with passing
    tests OR that necessary metadata changes are reported to the ART team
    in #forum-ocp-art on Slack. If necessary, the changes required by this pull request can be
    introduced with a separate PR opened by the component team. Once the repository is aligned,
    this PR will be closed automatically.
  • In particular, it could be that a job like verify-deps is complaining. In that case, please open
    a new PR with the dependency issues addressed (and base images bumped). ART-9595 for reference.
  • Patch-manager or those with sufficient privileges within this repository may add
    any required labels to ensure the PR merges once tests are passing. In cases where ART config is
    canonical, downstream builds are already being built with these changes, and merging this PR
    only improves the fidelity of our CI. In cases where ART config is not canonical, this provides
    a grace period for the component team to align their CI with ART's configuration before it becomes
    canonical in product builds.

ART has been configured to reconcile your CI build root image (see https://docs.ci.openshift.org/docs/architecture/ci-operator/#build-root-image).
In order for your upstream .ci-operator.yaml configuration to be honored, you must set the following in your openshift/release ci-operator configuration file:

build_root:
 from_repository: true

Change behavior of future PRs:

  • In case you just want to follow the base images that ART suggests, you can configure additional labels to be
    set up automatically. This means that such a PR would merge without human intervention (and awareness!) in the future.
    To do so, open a PR to set the auto_label attribute in the image configuration. Example
  • You can set a commit prefix, like UPSTREAM: <carry>: . An example.

If you have any questions about this pull request, please reach out in the #forum-ocp-art Slack channel.

Summary by CodeRabbit

  • Chores
  • Updated build infrastructure to use Go 1.26 and OpenShift 5.0 base container images for improved compatibility and performance.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
images/Dockerfile.rhel (1)

8-14: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Add a non-root USER directive.

The final stage does not specify a USER, so the container runs as root. Per the container security guidelines, you must run as non-root. This is especially critical for the OAuth server, which handles authentication and is a high-value security target.

🔒 Suggested fix

Add a USER directive before the ENTRYPOINT:

 FROM registry.ci.openshift.org/ocp/5.0:base-rhel9
 COPY --from=builder /go/src/github.com/openshift/oauth-server/oauth-server /usr/bin/
+USER 1001
 ENTRYPOINT ["/usr/bin/oauth-server"]

Ensure the base image provides a non-root user (UID 1001 is conventional for OpenShift) or create one explicitly if needed.

As per coding guidelines: "USER non-root; never run as root".

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@images/Dockerfile.rhel` around lines 8 - 14, The final image currently has no
USER set so it runs as root; update the final stage of this Dockerfile by adding
a non-root USER directive prior to ENTRYPOINT (e.g., use an existing non-root
user/UID 1001 or create one in the image) so that the oauth-server binary copied
by COPY --from=builder /go/src/github.com/openshift/oauth-server/oauth-server
/usr/bin/ runs as non-root; ensure the chosen user exists in the base image or
add user creation steps earlier in the Dockerfile and then set USER before
ENTRYPOINT ["/usr/bin/oauth-server"].

Sources: Coding guidelines, Linters/SAST tools

🧹 Nitpick comments (1)
images/Dockerfile.rhel (1)

8-14: ⚡ Quick win

Define a HEALTHCHECK.

The Dockerfile does not include a HEALTHCHECK instruction. Health checks enable orchestrators to detect and restart unhealthy containers, improving reliability.

🏥 Suggested addition

Add a HEALTHCHECK before the ENTRYPOINT that validates the OAuth server endpoint:

 COPY --from=builder /go/src/github.com/openshift/oauth-server/oauth-server /usr/bin/
+HEALTHCHECK --interval=30s --timeout=3s --start-period=5s --retries=3 \
+  CMD ["/usr/bin/oauth-server", "healthz"] || exit 1
 ENTRYPOINT ["/usr/bin/oauth-server"]

Adjust the command/endpoint based on the actual health check interface exposed by the oauth-server binary.

As per coding guidelines: "HEALTHCHECK defined".

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@images/Dockerfile.rhel` around lines 8 - 14, Add a HEALTHCHECK instruction to
the Dockerfile before the ENTRYPOINT to probe the oauth-server process (the
binary referenced by ENTRYPOINT ["/usr/bin/oauth-server"]) — implement a short
command that queries the server's health endpoint (e.g., via curl or wget
against localhost:<port>/health or the appropriate oauth-server health path),
set sensible --interval/--timeout/--retries, and ensure the HEALTHCHECK exits 0
for healthy and non‑zero for unhealthy so orchestrators can detect and restart
the container.

Source: Coding guidelines

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@images/Dockerfile.rhel`:
- Line 3: The Dockerfile currently uses a broad COPY . . which pulls the entire
build context into the image; replace that with explicit COPY lines listing only
required artifacts (e.g., COPY <build-output> <dest>, COPY package.json
package-lock.json ./) or otherwise restrict included files and patterns, and
add/update a .dockerignore to exclude secrets, config, .git, node_modules, and
other unnecessary paths; update the Dockerfile COPY commands (the COPY
instruction) to reference those specific files/directories instead of "." to
minimize attack surface.

---

Outside diff comments:
In `@images/Dockerfile.rhel`:
- Around line 8-14: The final image currently has no USER set so it runs as
root; update the final stage of this Dockerfile by adding a non-root USER
directive prior to ENTRYPOINT (e.g., use an existing non-root user/UID 1001 or
create one in the image) so that the oauth-server binary copied by COPY
--from=builder /go/src/github.com/openshift/oauth-server/oauth-server /usr/bin/
runs as non-root; ensure the chosen user exists in the base image or add user
creation steps earlier in the Dockerfile and then set USER before ENTRYPOINT
["/usr/bin/oauth-server"].

---

Nitpick comments:
In `@images/Dockerfile.rhel`:
- Around line 8-14: Add a HEALTHCHECK instruction to the Dockerfile before the
ENTRYPOINT to probe the oauth-server process (the binary referenced by
ENTRYPOINT ["/usr/bin/oauth-server"]) — implement a short command that queries
the server's health endpoint (e.g., via curl or wget against
localhost:<port>/health or the appropriate oauth-server health path), set
sensible --interval/--timeout/--retries, and ensure the HEALTHCHECK exits 0 for
healthy and non‑zero for unhealthy so orchestrators can detect and restart the
container.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 2a0ecdb5-5a32-4274-b469-bf5c08689eaa

📥 Commits

Reviewing files that changed from the base of the PR and between f892602 and d6559c9.

📒 Files selected for processing (2)
  • .ci-operator.yaml
  • images/Dockerfile.rhel

Comment thread images/Dockerfile.rhel
FROM registry.ci.openshift.org/ocp/builder:rhel-9-golang-1.24-openshift-4.21 AS builder
FROM registry.ci.openshift.org/ocp/builder:rhel-9-golang-1.26-openshift-5.0 AS builder
WORKDIR /go/src/github.com/openshift/oauth-server
COPY . .

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🛠️ Refactor suggestion | 🟠 Major | ⚡ Quick win

Avoid copying the entire build context.

Line 3 copies the entire repository context (. .) into the builder image. Per the container security guidelines, you should copy only specific required files to minimize the attack surface and prevent accidental inclusion of secrets or unnecessary files.

📦 Suggested approach

Replace the broad context copy with explicit file/directory patterns:

-COPY . .
+COPY go.mod go.sum ./
+COPY vendor/ vendor/
+COPY cmd/ cmd/
+COPY pkg/ pkg/
+# Add other required source directories

Alternatively, use a .dockerignore file to exclude sensitive or unnecessary paths if the full context is genuinely required.

As per coding guidelines: "COPY specific files, not entire context".

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
COPY . .
COPY go.mod go.sum ./
COPY vendor/ vendor/
COPY cmd/ cmd/
COPY pkg/ pkg/
# Add other required source directories
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@images/Dockerfile.rhel` at line 3, The Dockerfile currently uses a broad COPY
. . which pulls the entire build context into the image; replace that with
explicit COPY lines listing only required artifacts (e.g., COPY <build-output>
<dest>, COPY package.json package-lock.json ./) or otherwise restrict included
files and patterns, and add/update a .dockerignore to exclude secrets, config,
.git, node_modules, and other unnecessary paths; update the Dockerfile COPY
commands (the COPY instruction) to reference those specific files/directories
instead of "." to minimize attack surface.

Source: Coding guidelines

@openshift-ci

openshift-ci Bot commented Jun 7, 2026

Copy link
Copy Markdown
Contributor

@openshift-bot: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name Commit Details Required Rerun command
ci/prow/verify d6559c9 link true /test verify

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

@openshift-bot

Copy link
Copy Markdown
Contributor Author

ART wants to connect issue OCPBUGS-87692 to this PR, but found it is currently hooked up to ['OCPBUGS-87407']. Please consult with #forum-ocp-art if it is not clear what there is to do.

@openshift-bot openshift-bot added the verified Signifies that the PR passed pre-merge verification criteria label Jun 10, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

jira/valid-bug Indicates that a referenced Jira bug is valid for the branch this PR is targeting. jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. verified Signifies that the PR passed pre-merge verification criteria

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants