You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: docs/RELEASE_BRANCHES.md
+12-61Lines changed: 12 additions & 61 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -33,45 +33,22 @@ A GitHub ruleset already protects all branches matching `release/**` with the sa
33
33
34
34
The GitLab mirror at `gitlab.cee.redhat.com/rhel-lightspeed/enhanced-shell/okp-mcp` automatically pulls `main` and any branch matching `release/*` from GitHub. New release branches will appear on GitLab after the next mirror sync (typically within minutes).
35
35
36
-
**Note:** "Mirror only protected branches" does not reliably detect GitHub ruleset-based protection. Use "Mirror specific branches" with a regex instead.
36
+
### 4. Konflux
37
37
38
-
### 4. Konflux component
38
+
The `okp-mcp` Konflux component watches `main`, but its custom pipeline (`.tekton/push.yaml`) has a CEL expression that also matches `release/` branches. Every push to a release branch triggers a build under the `okp-mcp` component, pushing images to `quay.io/redhat-user-workloads/rhel-lightspeed-tenant/okp-mcp:<sha>` — the same quay repo as main builds. No additional Konflux component is needed.
39
39
40
-
Konflux watches one branch per Component. The `okp-mcp` component watches `main`. A separate component is needed for the release branch to ensure Konflux triggers builds on release branch pushes.
41
-
42
-
**First time setup (already done):**
43
-
44
-
1. Go to [Konflux UI](https://konflux-ui.apps.stone-prod-p02.hjvn.p1.openshiftapps.com/)
6. Konflux will auto-commit Tekton pipeline files to the release branch for the new component — this is expected
56
-
57
-
**For subsequent release branches:**
58
-
59
-
Konflux components are immutable — you cannot edit the branch. You must delete the old `okp-mcp-rel` component and create a new one pointing to the new release branch. The component name must be unique; if the old name hasn't been freed yet, use a variation (e.g., `okp-mcp-rel-2`).
60
-
61
-
**Important:** The component must point to the **GitLab** mirror URL, not GitHub. The original `okp-mcp` component uses GitLab, and the Tekton pipeline annotations reference GitLab URLs.
2. Wait for GitLab mirror to sync (or manually trigger sync via the 🔄 button)
45
+
2. Wait for GitLab mirror to sync (or manually trigger sync via the 🔄 button in GitLab Settings > Repository > Mirroring repositories)
67
46
3. Check Konflux Activity tab — a build should appear for the release branch
68
47
4. The image will be tagged with the commit SHA in quay.io
69
48
70
-
**Note:** Both the `okp-mcp` and `okp-mcp-rel` components may build from the release branch. The `okp-mcp` component's custom pipeline (`.tekton/push.yaml`) has a CEL expression that matches `release/` branches, so it builds images to `quay.io/redhat-user-workloads/rhel-lightspeed-tenant/okp-mcp:<sha>`. This is the same quay repo as main — no `IMAGE` change is needed in app-interface.
71
-
72
49
### 6. Deploy to staging via app-interface
73
50
74
-
The saas-file schema only allows `ref` values matching `^([0-9a-f]{40}|master|main|internal|stable)$`. Branch names like `release/2026-04-01` are **not permitted**. Use commit SHAs instead.
51
+
The saas-file schema only allows `ref` values matching `^([0-9a-f]{40}|master|main|internal|stable)$`. Branch names like `release/2026-04-01` are not permitted. Use commit SHAs instead.
75
52
76
53
Update `data/services/insights/rhel-lightspeed/cicd/saas.yml` in app-interface:
77
54
@@ -111,33 +88,14 @@ oc get pods -n rhel-lightspeed-stage --sort-by=.metadata.creationTimestamp
111
88
112
89
### 7. Production
113
90
114
-
Production is only configured for `rlsapi` in the saas.yml (SHA-pinned, 10 replicas). `lightspeed-stack`, `redhat-okp`, and `okp-mcp` do **not** have production targets in app-interface — they are staging-only as of 2026-04-02.
115
-
116
-
## CI/CD Configuration
117
-
118
-
### GitHub Actions
119
-
120
-
Already configured to run on `release/**` branches (see `.github/workflows/build.yml`).
121
-
122
-
### Tekton / Pipelines-as-Code
123
-
124
-
The CEL expressions in `.tekton/push.yaml` and `.tekton/pull_request.yaml` already include `release/` branches. These were added to `main` in PR #136 and exist on all release branches created after that.
125
-
126
-
### Konflux Components
127
-
128
-
| Component | Watches | Quay Image |
129
-
|-----------|---------|------------|
130
-
|`okp-mcp`|`main` (but CEL matches `release/` too) |`quay.io/redhat-user-workloads/rhel-lightspeed-tenant/okp-mcp`|
For deployment, use images from the `okp-mcp` quay repo (same as main). The `okp-mcp-rel` component is needed to ensure Konflux recognizes the release branch, but the deployable images come from the existing `okp-mcp` component's custom pipeline.
91
+
Only `rlsapi` has a production target in app-interface (SHA-pinned, 10 replicas). `lightspeed-stack`, `redhat-okp`, and `okp-mcp` are staging-only as of 2026-04-02.
-**`ref` only accepts SHAs or `main`/`master`/`internal`/`stable`** — the saas-file schema rejects branch names like `release/2026-04-01`. Use commit SHAs to pin to a release branch
153
-
-**`IMAGE_TAG` must differ from `ref`** — when both are the same SHA, the saas-file-validator rejects it because IMAGE_TAG is auto-derived from ref. Remove IMAGE_TAG for okp-mcp when ref is a SHA
154
-
-**SHAs are static** — if you push a bugfix to the release branch, you must update the SHA in app-interface manually
155
-
-**Konflux components are immutable** — you can't change the branch, you have to delete and recreate
156
-
-**GitLab mirror must include the branch** — if the mirror regex doesn't match, Konflux never sees the push. Use regex `(main|release\/.*)`, not "Mirror only protected branches"
157
-
-**The mirror URL must end in `.git`** — GitLab treats URLs with and without `.git` as different identities
158
-
-**The component name can't be reused immediately after deletion** — use a variation if needed
159
-
-**Use the GitLab URL for Konflux components**, not GitHub — the existing setup uses GitLab and the Tekton annotations reference GitLab URLs
160
-
-**Images go to the same quay repo as main** — the `okp-mcp` component's custom pipeline builds release branches too, so no `IMAGE` change is needed in app-interface
161
-
-**Konflux auto-commits `.tekton/` files** for new components — review the auto-generated commit on the release branch and ensure it doesn't conflict with existing custom pipelines
162
-
-**The auto-generated Konflux PR build may fail** on `sast-coverity-check` (image pull flakiness) — this doesn't block the push build
163
-
-**Production is staging-only** — only `rlsapi` has a production target in app-interface. `lightspeed-stack`, `redhat-okp`, and `okp-mcp` are staging-only as of 2026-04-02
110
+
-**`ref` only accepts SHAs or `main`/`master`/`internal`/`stable`** — the saas-file schema rejects branch names like `release/2026-04-01`. Use commit SHAs to pin to a release branch.
111
+
-**`IMAGE_TAG` must differ from `ref`** — when both are the same SHA, the saas-file-validator rejects it because IMAGE_TAG is auto-derived from ref. Remove IMAGE_TAG for okp-mcp when ref is a SHA.
112
+
-**SHAs are static** — if you push a bugfix to the release branch, you must update the SHA in app-interface manually.
113
+
-**GitLab mirror must include the branch** — if the mirror regex doesn't match, Konflux never sees the push. The mirror is configured with regex `(main|release\/.*)`.
114
+
-**The `sast-coverity-check` Konflux task may fail** due to image pull flakiness — this doesn't block the actual build or deployment.
0 commit comments