ROX-31146: Reduce spam of Konflux PRs, releasers can approve/4.9 (#2438)

Author: msugakov

.github/CODEOWNERS

@@ -4,11 +4,11 @@
 
 * @stackrox/scanner
 
-# The RHTAP maintainers for ACS review all changes related to the Konflux pipelines, such as new
-# pipelines, parameter changes or automated task updates as well as Dockerfile updates.
-# rhacs-bot auto-approves MintMaker PRs for automated task and security updates.
-**/konflux.*Dockerfile  @stackrox/rhtap-maintainers @rhacs-bot
-/.konflux/              @stackrox/rhtap-maintainers @rhacs-bot
-/.tekton/               @stackrox/rhtap-maintainers @rhacs-bot
-rpms.*                  @stackrox/rhtap-maintainers @rhacs-bot
-.github/renovate.json5  @stackrox/rhtap-maintainers
+# The Konflux maintainers for ACS review all changes related to the Konflux pipelines, Dockerfiles, etc.
+# Release engineers need to merge MintMaker PRs at the time of release.
+# rhacs-bot needs ability to auto-approve MintMaker PRs for automated task and security updates.
+**/konflux.*Dockerfile  @stackrox/konflux-maintainers-no-email @stackrox/release-mgmt-no-email @rhacs-bot
+/.tekton/               @stackrox/konflux-maintainers-no-email @stackrox/release-mgmt-no-email @rhacs-bot
+rpms.*                  @stackrox/konflux-maintainers-no-email @stackrox/release-mgmt-no-email @rhacs-bot
+/.konflux/              @stackrox/konflux-maintainers
+.github/renovate.json5  @stackrox/konflux-maintainers

.github/workflows/auto-approve.yml

@@ -1,7 +1,7 @@
 name: auto-merge
 
 on:
-  pull_request_target:
+  pull_request:
     types:
     - labeled
 

.github/workflows/tag-more-reviewers.yaml

@@ -0,0 +1,30 @@
+name: Tag more reviewers
+
+on:
+  pull_request:
+    types:
+    - review_requested
+
+jobs:
+  tag-konflux-maintainers:
+    # We have lots of PR traffic from MintMaker (acting as `red-hat-konflux[bot]`), and so it's unsustainable to go
+    # through these emails every day. Therefore, the notifications are disabled for `konflux-maintainers-no-email`
+    # team that's set as owner in CODEOWNERS for the Konflux stuff.
+    # At the same time, we want to be notified when humans, not the bot, request reviews (which happens automatically
+    # again through CODEOWNERS) for the Konflux-related files. This job invites `konflux-maintainers` team for review
+    # for such cases.
+    if: |
+      github.event.requested_team.name == 'konflux-maintainers-no-email' &&
+      github.event.pull_request.user.login != 'red-hat-konflux[bot]'
+    env:
+      GH_TOKEN: ${{ secrets.RHACS_BOT_GITHUB_TOKEN }}
+    runs-on: ubuntu-latest
+    steps:
+    - name: Tag Konflux Maintainers for review
+      run: |
+        exec gh api \
+          --method POST \
+          -H "Accept: application/vnd.github+json" \
+          -H "X-GitHub-Api-Version: 2022-11-28" \
+          "/repos/${{ github.repository }}/pulls/${{ github.event.pull_request.number }}/requested_reviewers" \
+          --input - <<< '{ "team_reviewers": [ "konflux-maintainers" ] }'

.tekton/scanner-component-pipeline.yaml

@@ -2,19 +2,22 @@ apiVersion: tekton.dev/v1
 kind: Pipeline
 metadata:
   name: scanner-component-pipeline
+
 spec:
+
   finally:
+
   - name: slack-notification
     params:
     - name: message
       value: ':x: `{{event_type}}` pipeline for <https://console.redhat.com/application-pipeline/workspaces/rh-acs/applications/acs/pipelineruns/$(context.pipelineRun.name)|$(context.pipelineRun.name)> (`$(params.output-image-repo)`, revision <$(params.git-url)/commit/$(params.revision)|$(params.revision)>) has failed.'
     - name: key-name
       value: 'acs-konflux-notifications'
     when:
-        # Run when any task has Failed
+    # Run when any task has Failed
     - input: $(tasks.status)
       operator: in
-      values: ["Failed"]
+      values: [ "Failed" ]
     taskRef:
       params:
       - name: name
@@ -24,6 +27,7 @@ spec:
       - name: kind
         value: task
       resolver: bundles
+
   - name: show-sbom
     params:
     - name: IMAGE_URL
@@ -37,6 +41,7 @@ spec:
       - name: kind
         value: task
       resolver: bundles
+
   - name: post-metric-end
     params:
     - name: AGGREGATE_TASKS_STATUS
@@ -50,6 +55,7 @@ spec:
       - name: kind
         value: task
       resolver: bundles
+
   params:
   - description: Source Repository URL
     name: git-url
@@ -108,7 +114,7 @@ spec:
     description: Build stage to target in container build
     name: build-target-stage
     type: string
-  - default: []
+  - default: [ ]
     description: List of scanner-data file names to fetch to include in the container build.
     name: blobs-to-fetch
     type: array
@@ -134,6 +140,7 @@ spec:
   - name: extra-labels
     type: array
     description: Additional labels to put on the built containers.
+
   results:
   - description: ""
     name: IMAGE_URL
@@ -147,17 +154,21 @@ spec:
   - description: ""
     name: CHAINS-GIT_COMMIT
     value: $(tasks.clone-repository.results.commit)
+
   workspaces:
   - name: git-auth
+
   tasks:
+
   - name: post-metric-start
     taskRef: *post-bigquery-metrics-ref
+
   - name: init
     params:
     - name: image-url
-          # We can't provide a StackRox-style tag because it is not known at this time (requires cloning source, etc.)
-          # As a workaround, we still provide a unique tag that's based on a revision in order for this task to comply with
-          # its expected input. We later actually add this tag on a built image with the apply-index-image-tag task.
+      # We can't provide a StackRox-style tag because it is not known at this time (requires cloning source, etc.)
+      # As a workaround, we still provide a unique tag that's based on a revision in order for this task to comply with
+      # its expected input. We later actually add this tag on a built image with the apply-index-image-tag task.
       value: $(params.output-image-repo):konflux-$(params.revision)
     - name: rebuild
       value: $(params.rebuild)
@@ -172,6 +183,7 @@ spec:
       - name: kind
         value: task
       resolver: bundles
+
   - name: clone-repository
     params:
     - name: url
@@ -198,10 +210,11 @@ spec:
     when:
     - input: $(tasks.init.results.build)
       operator: in
-      values: ["true"]
+      values: [ "true" ]
     workspaces:
     - name: basic-auth
       workspace: git-auth
+
   - name: determine-image-expiration
     params:
     - name: DEFAULT_IMAGE_EXPIRES_AFTER
@@ -217,6 +230,7 @@ spec:
       - name: kind
         value: task
       resolver: bundles
+
   - name: determine-image-tag
     params:
     - name: TAG_SUFFIX
@@ -232,10 +246,11 @@ spec:
       - name: kind
         value: task
       resolver: bundles
+
   - name: fetch-scanner-data
     params:
     - name: BLOBS_TO_FETCH
-      value: ["$(params.blobs-to-fetch[*])"]
+      value: [ "$(params.blobs-to-fetch[*])" ]
     - name: TARGET_DIR
       value: .konflux/scanner-data
     - name: SOURCE_ARTIFACT
@@ -253,6 +268,7 @@ spec:
       - name: kind
         value: task
       resolver: bundles
+
   - name: prefetch-dependencies
     params:
     - name: input
@@ -265,7 +281,7 @@ spec:
       value: $(params.oci-artifact-expires-after)
     - name: ACTIVATION_KEY
       value: subscription-manager-activation-key-prod
-          # Required for RPM prefetching support
+      # Required for RPM prefetching support
     - name: dev-package-managers
       value: "true"
     taskRef:
@@ -280,6 +296,7 @@ spec:
     workspaces:
     - name: git-basic-auth
       workspace: git-auth
+
   - name: build-images
     matrix:
       params:
@@ -315,7 +332,7 @@ spec:
     - name: BUILDAH_FORMAT
       value: $(params.buildah-format)
     - name: LABELS
-      value: ["$(params.extra-labels[*])"]
+      value: [ "$(params.extra-labels[*])" ]
     - name: BUILD_TIMESTAMP
       value: "$(tasks.clone-repository.results.commit-timestamp)"
     taskRef:
@@ -330,7 +347,8 @@ spec:
     when:
     - input: $(tasks.init.results.build)
       operator: in
-      values: ["true"]
+      values: [ "true" ]
+
   - name: build-image-index
     params:
     - name: IMAGE
@@ -357,7 +375,8 @@ spec:
     when:
     - input: $(tasks.init.results.build)
       operator: in
-      values: ["true"]
+      values: [ "true" ]
+
   - name: apply-index-image-tag
     params:
     - name: IMAGE_URL
@@ -379,7 +398,8 @@ spec:
     when:
     - input: $(tasks.init.results.build)
       operator: in
-      values: ["true"]
+      values: [ "true" ]
+
   - name: build-source-image
     params:
     - name: BINARY_IMAGE
@@ -402,10 +422,11 @@ spec:
     when:
     - input: $(tasks.init.results.build)
       operator: in
-      values: ["true"]
+      values: [ "true" ]
     - input: $(params.build-source-image)
       operator: in
-      values: ["true"]
+      values: [ "true" ]
+
   - name: deprecated-base-image-check
     params:
     - name: IMAGE_URL
@@ -424,7 +445,8 @@ spec:
     when:
     - input: $(params.skip-checks)
       operator: in
-      values: ["false"]
+      values: [ "false" ]
+
   - name: clair-scan
     matrix:
       params:
@@ -448,7 +470,8 @@ spec:
     when:
     - input: $(params.skip-checks)
       operator: in
-      values: ["false"]
+      values: [ "false" ]
+
   - name: ecosystem-cert-preflight-checks
     matrix:
       params:
@@ -470,7 +493,8 @@ spec:
     when:
     - input: $(params.skip-checks)
       operator: in
-      values: ["false"]
+      values: [ "false" ]
+
   - name: sast-shell-check
     params:
     - name: image-digest
@@ -493,7 +517,8 @@ spec:
     when:
     - input: $(params.skip-checks)
       operator: in
-      values: ["false"]
+      values: [ "false" ]
+
   - name: sast-unicode-check
     params:
     - name: image-digest
@@ -516,7 +541,8 @@ spec:
     when:
     - input: $(params.skip-checks)
       operator: in
-      values: ["false"]
+      values: [ "false" ]
+
   - name: sast-snyk-check
     params:
     - name: SOURCE_ARTIFACT
@@ -539,7 +565,8 @@ spec:
     when:
     - input: $(params.skip-checks)
       operator: in
-      values: ["false"]
+      values: [ "false" ]
+
   - name: clamav-scan
     matrix:
       params:
@@ -563,7 +590,8 @@ spec:
     when:
     - input: $(params.skip-checks)
       operator: in
-      values: ["false"]
+      values: [ "false" ]
+
   - name: rpms-signature-scan
     params:
     - name: image-digest
@@ -582,7 +610,8 @@ spec:
     when:
     - input: $(params.skip-checks)
       operator: in
-      values: ["false"]
+      values: [ "false" ]
+
   - name: push-dockerfile
     params:
     - name: IMAGE