[konflux-agent] Fix: replace npm dist-tags with exact versions for hermetic build#29
Open
raptorsun wants to merge 2 commits into
Open
[konflux-agent] Fix: replace npm dist-tags with exact versions for hermetic build#29raptorsun wants to merge 2 commits into
raptorsun wants to merge 2 commits into
Conversation
The Enterprise Contract check fails with 3 violations: non-hermetic build, missing source image, and missing source-build task. Enable hermetic mode, source image building, and npm/rpm prefetch in both push and pull-request pipeline configs. Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> Signed-off-by: Vimal Kumar <vimal78@gmail.com>
…rmetic build During hermetic builds (network isolated), npm ci resolves dist-tags by querying registry.npmjs.org metadata API, which fails when the network is blocked. The dist-tags '4.21-latest' for both @openshift-console packages caused npm to reach out to the registry even though cachi2 had pre-fetched all tarballs. Replace '4.21-latest' with the equivalent exact version '4.21.0' (verified: dist-tag '4.21-latest' resolves to '4.21.0' in npm registry). This allows npm ci to use the lockfile exclusively without any network calls during hermetic Konflux builds. Fixes: openshift#28
|
/lgtm |
Contributor
Author
|
/approve |
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: raptorsun The full list of commands accepted by this bot can be found here. DetailsNeeds approval from an approver in each of these files:Approvers can indicate their approval by writing |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Auto-fix by Konflux Agent
Fixes build failure in #28.
Original PR: #28
Failed PipelineRun: lightspeed-agentic-console-on-pull-request-kc4rn
Root Cause
During hermetic builds (network isolated),
npm citries to resolve npm dist-tags ("4.21-latest") by querying theregistry.npmjs.orgmetadata API to confirm which version the tag maps to. This network request fails in hermetic mode because the cachi2 local proxy only serves tarball downloads — not registry metadata/dist-tag resolution.The specific error was:
Both
@openshift-console/dynamic-plugin-sdkand@openshift-console/dynamic-plugin-sdk-webpackwere specified as"4.21-latest"(a dist-tag) inpackage.json. Theprefetch-dependenciesstep succeeded correctly, butnpm cistill failed because it needed to resolve the dist-tag from the registry.Changes
package.json: Replace"4.21-latest"→"4.21.0"for both packages (verified: dist-tag4.21-latestmaps to exactly4.21.0in the npm registry)package-lock.json: Update the root package'sdependenciesentries to matchThe resolved package versions, integrity hashes, and tarball URLs in
package-lock.jsonare unchanged — only the version specifier in the root entry changes from the dist-tag to the equivalent exact semver version.Validation
"4.21-latest"→"4.21.0"mapping via npm registry API4.21.0is the only version in the4.21-latestdist-tag lineThis PR was automatically created by konflux-agent to fix a build failure. Please review the changes and merge if correct.