Fix image security issue / adjust certification check (#886)

helderjs · web-flow · commit df960f189e31 · 2023-02-28T19:58:46.000+01:00
update base image version and adjust preflight check
diff --git a/.github/actions/certify-openshift-images/action.yaml b/.github/actions/certify-openshift-images/action.yaml
@@ -16,10 +16,6 @@ inputs:
   rhcc_project:
     description: The Redhat certification central project id
     required: true
-  submit:
-    description: Submit result to RedHat Connect
-    required: false
-    default: "false"
 runs:
   using: 'docker'
   image: 'Dockerfile'
@@ -28,5 +24,4 @@ runs:
     VERSION: ${{ inputs.version }}
     QUAY_PASSWORD: ${{ inputs.quay_password }}
     RHCC_TOKEN: ${{ inputs.rhcc_token }}
-    RHCC_PROJECT: ${{ inputs.rhcc_project }}
-    SUBMIT: ${{ inputs.submit }}
+    RHCC_PROJECT: ${{ inputs.rhcc_project }}
diff --git a/.github/actions/certify-openshift-images/entrypoint.sh b/.github/actions/certify-openshift-images/entrypoint.sh
@@ -7,19 +7,12 @@ docker login -u mongodb+mongodb_atlas_kubernetes -p "${QUAY_PASSWORD}" quay.io
 DIGESTS=$(docker manifest inspect "${REPOSITORY}:${VERSION}" | jq -r .manifests[].digest)
 
 for DIGEST in $DIGESTS; do
-  echo "Checking image $DIGEST"
-  # Do the preflight check first
-  preflight check container "${REPOSITORY}:${VERSION}@${DIGEST}" --artifacts "${DIGEST}" --docker-config="${HOME}/.docker/config.json"
-
-  if [ "$SUBMIT" = "true" ]; then
-    rm -rf "${DIGEST}"
-    echo "Submitting result to RedHat Connect"
+    echo "Check and Submit result to RedHat Connect"
     # Send results to RedHat if preflight finished wthout errors
-    preflight check container "${REPOSITORY}@${DIGEST}" \
+    preflight check container "quay.io/${REPOSITORY}@${DIGEST}" \
       --artifacts "${DIGEST}" \
       --pyxis-api-token="${RHCC_TOKEN}" \
       --certification-project-id="${RHCC_PROJECT}" \
       --docker-config="${HOME}/.docker/config.json" \
       --submit
-  fi
 done
diff --git a/.github/workflows/release-openshift.yaml b/.github/workflows/release-openshift.yaml
@@ -62,7 +62,6 @@ jobs:
           quay_password: ${{ secrets.QUAY_PASSWORD }}
           rhcc_token: ${{ secrets.RH_CERTIFICATION_PYXIS_API_TOKEN }}
           rhcc_project: ${{ secrets.RH_CERTIFICATION_OSPID }}
-          submit: "true"
       - name: Configure certified release
         if: ${{ matrix.certified }}
         env:
diff --git a/Dockerfile b/Dockerfile
@@ -27,7 +27,7 @@ ENV TARGET_OS=${TARGETOS}
 
 RUN make manager
 
-FROM registry.access.redhat.com/ubi8/ubi-minimal:8.6
+FROM registry.access.redhat.com/ubi8/ubi-minimal:8.7
 
 RUN microdnf install yum &&\
     yum -y update &&\
