Verify dependency build is in buildroot before proceeding with rebuild#562
Conversation
![gemini-code-assist[bot]](https://avatars.githubusercontent.com/in/956858?s=60&v=4){kind=small}
There was a problem hiding this comment.
Code Review
This pull request introduces a buildroot verification step for rebuild tasks to ensure that a dependency's fixed build is available in the target buildroot before proceeding. It adds the verify_rebuild_buildroot step to the triage workflow, queries Koji/BrewHub buildroots, and postpones triage if dependencies are missing. A review comment suggests using indexing instead of list unpacking when retrieving the latest build to prevent potential ValueError exceptions.
Important
The consumer version of Gemini Code Assist on GitHub is being sunset. Starting June 18, 2026, new organization installations will be blocked, and all code review activity will officially cease on July 17, 2026.
For more details on the timeline and next steps, please review the Help Documentation.
| logger.info(f"No builds of {dep_component} found in {build_tag}") | ||
| return False | ||
|
|
||
| [latest] = builds |
There was a problem hiding this comment.
Using list unpacking [latest] = builds is fragile because it will raise a ValueError if builds contains more than one element. It is safer and more robust to use indexing to retrieve the first element.
| [latest] = builds | |
| latest = builds[0] |
lbarcziova
force-pushed
the
rebuild-buildroot-check
branch
from
b4ba479 to
6e5ff50
Compare
|
@nforro implemented the suggestions, PTAL |
Before triggering a rebuild, check that the dependency's fixed build has
actually landed in the target buildroot (Koji build tag). Without this,
a rebuild could link against the old dependency and silently not fix the
CVE. If the build is not yet in the buildroot, postpone the rebuild.
The check queries the appropriate Koji instance(s) based on target branch
and fix version:
- CentOS Stream (c9s, c10s) Y-stream → c{N}s-build on CentOS Stream Koji
- CentOS Stream Z-stream → c{N}s-build AND rhel-X.Y.0-z-build on BrewHub
(CentOS Stream-first approach produces two builds)
- Internal RHEL branches → rhel-X.Y.0-z-build on BrewHub
The epoch for EVR comparison is fetched via getBuild (always from
BrewHub, since the NVR in Jira is a BrewHub NVR that doesn't exist
in CentOS Stream Koji), not parsed from the NVR string.
The verification runs for both the primary rebuild issue (new
verify_rebuild_buildroot workflow step) and for sibling issues during
rebuild consolidation.
Also fixes the source-prep-failure path in check_cve_applicability to
route rebuilds through the buildroot check instead of skipping directly
to comment_in_jira.
Fixes: https://redhat.atlassian.net/browse/PACKIT-5072
Assisted-by: Claude Opus 4.6
lbarcziova
force-pushed
the
rebuild-buildroot-check
branch
from
6e5ff50 to
9ff93fc
Compare
| @@ -189,3 +202,76 @@ def get_latest_build(tag): | |||
| metadata = await asyncio.to_thread(session.getBuild, build_id, strict=True) | |||
There was a problem hiding this comment.
It would be great to use _get_koji_build() here, but that would require more changes as the lookup here is by build ID, not NVR.
2 participants
Before triggering a rebuild, check that the dependency's fixed build has actually landed in the target buildroot (Koji build tag). Without this, a rebuild could link against the old dependency and silently not fix the CVE. If the build is not yet in the buildroot, postpone the rebuild.
The check queries the appropriate Koji instance(s) based on target branch and fix version:
The epoch for EVR comparison is fetched via getBuild (always from BrewHub, since the NVR in Jira is a BrewHub NVR that doesn't exist in CentOS Stream Koji), not parsed from the NVR string.
The verification runs for both the primary rebuild issue (new verify_rebuild_buildroot workflow step) and for sibling issues during rebuild consolidation.
Also fixes the source-prep-failure path in check_cve_applicability to route rebuilds through the buildroot check instead of skipping directly to comment_in_jira.
Fixes: https://redhat.atlassian.net/browse/PACKIT-5072
Assisted-by: Claude Opus 4.6