Update Tekton files to version v2.x.1

.coderabbit.yaml

@@ -0,0 +1,7 @@
+---
+language: en-US
+early_access: false
+enable_free_tier: true
+reviews:
+  sequence_diagrams: false
+  poem: false

.github/workflows/build-notebooks-TEMPLATE.yaml

@@ -11,10 +11,18 @@ name: Build & Publish Notebook Servers (TEMPLATE)
         required: true
         description: "make target to build"
         type: string
+      python:
+        required: true
+        description: "python version"
+        type: string
       github:
         required: true
         description: "top workflow's `github`"
         type: string
+      platform:
+        required: true
+        description: "platform to build, podman build --platform="
+        type: string
       subscription:
         required: false
         default: false
@@ -23,9 +31,10 @@ name: Build & Publish Notebook Servers (TEMPLATE)
 
 jobs:
   build:
-    runs-on: ubuntu-24.04
+    # https://docs.github.com/en/actions/how-tos/using-github-hosted-runners/using-github-hosted-runners/about-github-hosted-runners#standard-github-hosted-runners-for-public-repositories
+    runs-on: ${{ inputs.platform == 'linux/arm64' && 'ubuntu-24.04-arm' || 'ubuntu-24.04' }}
     env:
-      # Some pieces of code (image pulls for example) in podman consult TMPDIR or default to /var/tmp
+      # Some pieces of code (image pulls, for example) in podman consult TMPDIR or default to /var/tmp
       TMPDIR: /home/runner/.local/share/containers/tmpdir
       # Use the rootful instance of podman for sharing images with cri-o
       # https://podman-desktop.io/blog/sharing-podman-images-with-kubernetes-cluster#introduction
@@ -35,10 +44,12 @@ jobs:
       IMAGE_REGISTRY: "ghcr.io/${{ github.repository }}/workbench-images"
       # GitHub image registry used for storing $(CONTAINER_ENGINE)'s cache
       CACHE: "ghcr.io/${{ github.repository }}/workbench-images/build-cache"
-      TRIVY_VERSION: 0.57.1
-      TRIVY_VULNDB: "/home/runner/.local/share/containers/trivy_db"
+      TRIVY_VERSION: 0.64.1
       # Targets (and their folder) that should be scanned using FS instead of IMAGE scan due to resource constraints
       TRIVY_SCAN_FS_JSON: '{}'
+      # Makefile variables
+      BUILD_ARCH: ${{ inputs.platform }}
+      RELEASE_PYTHON_VERSION: ${{ inputs.python }}
 
     steps:
 
@@ -57,6 +68,12 @@ jobs:
         with:
           ref: "refs/pull/${{ fromJson(inputs.github).event.number }}/merge"
 
+      - name: Set up QEMU to build linux/s390x
+        if: ${{ inputs.platform == 'linux/s390x' }}
+        uses: docker/setup-qemu-action@v3
+        with:
+          platforms: s390x
+
       - run: mkdir -p $TMPDIR
 
       # do this early because it's fast and why not
@@ -129,7 +146,8 @@ jobs:
 
           df -h
 
-      - run: sudo apt-get install -y btrfs-compsize
+      - id: install-compsize
+        run: sudo apt-get install -y btrfs-compsize
 
       - name: Mount lvm overlay for podman builds
         run: |
@@ -150,17 +168,34 @@ jobs:
         run: sudo apt-get -qq remove podman crun
 
       - uses: actions/cache@v4
+        # https://docs.github.com/en/actions/reference/variables-reference#default-environment-variables
+        # https://docs.github.com/en/actions/how-tos/writing-workflows/choosing-what-your-workflow-does/store-information-in-variables
         id: cached-linuxbrew
         with:
           path: /home/linuxbrew/.linuxbrew
-          key: linuxbrew
+          key: linuxbrew-${{ runner.os }}-${{ runner.arch }}
 
-      - name: Install podman
-        if: steps.cached-linuxbrew.outputs.cache-hit != 'true'
+      - name: Install podman (linux/amd64)
+        if: inputs.platform == 'linux/amd64' && steps.cached-linuxbrew.outputs.cache-hit != 'true'
         run: |
           /bin/bash -c "$(curl -fsSL https://github.com/Homebrew/install/HEAD/install.sh)"
           /home/linuxbrew/.linuxbrew/bin/brew install podman
 
+      # Warning: Your CPU architecture (arm64) is not supported. We only support
+      # x86_64 CPU architectures. You will be unable to use binary packages (bottles).
+      #
+      # This is a Tier 2 configuration:
+      #  https://docs.brew.sh/Support-Tiers#tier-2
+      # Do not report any issues to Homebrew/* repositories!
+      # Read the above document instead before opening any issues or PRs.
+      - name: Install podman (linux/arm64)
+        if: inputs.platform == 'linux/arm64' && steps.cached-linuxbrew.outputs.cache-hit != 'true'
+        # Error: podman: no bottle available!
+        # If you're feeling brave, you can try to install from source with:
+        run: |
+          /bin/bash -c "$(curl -fsSL https://github.com/Homebrew/install/HEAD/install.sh)"
+          /home/linuxbrew/.linuxbrew/bin/brew install --build-from-source podman
+
       - name: Add linuxbrew to PATH
         run: echo "/home/linuxbrew/.linuxbrew/bin/" >> $GITHUB_PATH
 
@@ -227,67 +262,24 @@ jobs:
           echo "IMAGE_TAG=${IMAGE_TAG}" >> "$GITHUB_OUTPUT"
           echo "OUTPUT_IMAGE=${{ env.IMAGE_REGISTRY}}:${{ inputs.target }}-${IMAGE_TAG}" >> "$GITHUB_OUTPUT"
 
+          echo "SANITIZED_PLATFORM=$(echo "${{ inputs.platform }}" | sed 's/[^a-zA-Z0-9._-]/_/g')" >> "$GITHUB_OUTPUT"
+
       # endregion
 
-      # region Trivy init & DB pre-pull
+      # region Image build
 
-      - name: "pull_request|schedule: resolve target if Trivy scan should run"
-        id: resolve-target
-        if: ${{ fromJson(inputs.github).event_name == 'pull_request' || fromJson(inputs.github).event_name == 'schedule' }}
-        env:
-          EVENT_NAME: ${{ fromJson(inputs.github).event_name }}
-          HAS_TRIVY_LABEL: ${{ contains(fromJson(inputs.github).event.pull_request.labels.*.name, 'trivy-scan') }}
-          FS_SCAN_FOLDER: ${{ fromJson(env.TRIVY_SCAN_FS_JSON)[inputs.target] }}
+      - name: Compute extra podman build args
+        id: extra-podman-build-args
         run: |
-          if [[ "$EVENT_NAME" == "pull_request" && "$HAS_TRIVY_LABEL" == "true" ]]; then
-            if [[ -n "$FS_SCAN_FOLDER" ]]; then
-              TARGET="$FS_SCAN_FOLDER"
-              TYPE="fs"
-            else
-              TARGET="${{ steps.calculated_vars.outputs.OUTPUT_IMAGE }}"
-              TYPE="image"
-            fi
-          elif [[ "$EVENT_NAME" == "schedule" ]]; then
-            if [[ -n "$FS_SCAN_FOLDER" ]]; then
-              TARGET="$FS_SCAN_FOLDER"
-              TYPE="fs"
-            else
-              TARGET="${{ steps.calculated_vars.outputs.OUTPUT_IMAGE }}"
-              TYPE="image"
-            fi
-          fi
+          set -Eeuxo pipefail
 
-          if [[ -n "$TARGET" ]]; then
-            echo "target=$TARGET" >> $GITHUB_OUTPUT
-            echo "type=$TYPE" >> $GITHUB_OUTPUT
-            echo "Trivy scan will run on $TARGET ($TYPE)"
-          else
-            echo "Trivy scan won't run"
+          EXTRA_PODMAN_BUILD_ARGS=""
+          if [[ "${{ inputs.platform }}" == "linux/s390x" ]]; then
+            # workaround for known issue https://github.com/zeromq/libzmq/pull/4486
+            # In qemu-user, CACHELINE_SIZE probe is undefined
+            EXTRA_PODMAN_BUILD_ARGS+='--env=CXXFLAGS=-Dundefined=64'
           fi
-
-      # only one db can be downloaded in one call https://github.com/aquasecurity/trivy/issues/3616
-      - name: Pre-pull Trivy vulnerabilities DB
-        if: ${{ steps.resolve-target.outputs.target }}
-        run: |
-          mkdir ${TRIVY_VULNDB}
-          podman run --rm \
-            --env PODMAN_SOCK \
-            -v ${TRIVY_VULNDB}:/cache \
-            docker.io/aquasec/trivy:$TRIVY_VERSION \
-              --cache-dir /cache \
-              image \
-              --download-db-only
-          podman run --rm \
-            --env PODMAN_SOCK \
-            -v ${TRIVY_VULNDB}:/cache \
-            docker.io/aquasec/trivy:$TRIVY_VERSION \
-              --cache-dir /cache \
-              image \
-              --download-java-db-only
-
-      # endregion
-
-      # region Image build
+          echo "EXTRA_PODMAN_BUILD_ARGS=$EXTRA_PODMAN_BUILD_ARGS" >> $GITHUB_OUTPUT
 
       # https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#push
       # https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#pull_request
@@ -303,7 +295,7 @@ jobs:
           fromJson(inputs.github).event_name == 'workflow_dispatch' }}
         env:
           IMAGE_TAG: "${{ steps.calculated_vars.outputs.IMAGE_TAG }}"
-          CONTAINER_BUILD_CACHE_ARGS: "--cache-from ${{ env.CACHE }} --cache-to ${{ env.CACHE }}"
+          CONTAINER_BUILD_CACHE_ARGS: "${{ steps.extra-podman-build-args.outputs.EXTRA_PODMAN_BUILD_ARGS }} --cache-from ${{ env.CACHE }} --cache-to ${{ env.CACHE }}"
       - name: "pull_request: make ${{ inputs.target }}"
         run: |
           # print running stats on disk occupancy
@@ -314,7 +306,7 @@ jobs:
           fromJson(inputs.github).event_name == 'pull_request_target' }}"
         env:
           IMAGE_TAG: "${{ steps.calculated_vars.outputs.IMAGE_TAG }}"
-          CONTAINER_BUILD_CACHE_ARGS: "--cache-from ${{ env.CACHE }}"
+          CONTAINER_BUILD_CACHE_ARGS: "${{ steps.extra-podman-build-args.outputs.EXTRA_PODMAN_BUILD_ARGS }} --cache-from ${{ env.CACHE }}"
           # We don't have access to image registry, so disable pushing
           PUSH_IMAGES: "no"
 
@@ -504,7 +496,9 @@ jobs:
           kubectl patch storageclass local-path -p '{"metadata": {"annotations":{"storageclass.kubernetes.io/is-default-class":"true"}}}'
 
       - name: "Run image tests"
-        if: ${{ steps.have-tests.outputs.tests == 'true' }}
+        # skip on s390x because we are unable to install requirements-elyra.txt that's installed by runtime image tests
+        # https://github.com/opendatahub-io/elyra/refs/heads/main/etc/generic/requirements-elyra.txt
+        if: ${{ steps.have-tests.outputs.tests == 'true' && !contains(fromJSON('["linux/s390x"]'), inputs.platform) }}
         run: python3 ci/cached-builds/make_test.py --target ${{ inputs.target }}
         env:
           IMAGE_TAG: "${{ steps.calculated_vars.outputs.IMAGE_TAG }}"
@@ -527,6 +521,40 @@ jobs:
 
       # region Trivy vulnerability scan
 
+      - name: "pull_request|schedule: resolve target if Trivy scan should run"
+        id: resolve-target
+        if: ${{ fromJson(inputs.github).event_name == 'pull_request' || fromJson(inputs.github).event_name == 'schedule' }}
+        env:
+          EVENT_NAME: ${{ fromJson(inputs.github).event_name }}
+          HAS_TRIVY_LABEL: ${{ contains(fromJson(inputs.github).event.pull_request.labels.*.name, 'trivy-scan') }}
+          FS_SCAN_FOLDER: ${{ fromJson(env.TRIVY_SCAN_FS_JSON)[inputs.target] }}
+        run: |
+          if [[ "$EVENT_NAME" == "pull_request" && "$HAS_TRIVY_LABEL" == "true" ]]; then
+            if [[ -n "$FS_SCAN_FOLDER" ]]; then
+              TARGET="$FS_SCAN_FOLDER"
+              TYPE="fs"
+            else
+              TARGET="${{ steps.calculated_vars.outputs.OUTPUT_IMAGE }}"
+              TYPE="image"
+            fi
+          elif [[ "$EVENT_NAME" == "schedule" ]]; then
+            if [[ -n "$FS_SCAN_FOLDER" ]]; then
+              TARGET="$FS_SCAN_FOLDER"
+              TYPE="fs"
+            else
+              TARGET="${{ steps.calculated_vars.outputs.OUTPUT_IMAGE }}"
+              TYPE="image"
+            fi
+          fi
+
+          if [[ -n "$TARGET" ]]; then
+            echo "target=$TARGET" >> $GITHUB_OUTPUT
+            echo "type=$TYPE" >> $GITHUB_OUTPUT
+            echo "Trivy scan will run on $TARGET ($TYPE)"
+          else
+            echo "Trivy scan won't run"
+          fi
+
       - name: Run Trivy vulnerability scanner
         if: ${{ steps.resolve-target.outputs.target }}
         run: |
@@ -555,12 +583,9 @@ jobs:
           podman run --rm \
               $PODMAN_ARGS \
               -v ${REPORT_FOLDER}:/report \
-              -v ${TRIVY_VULNDB}:/cache \
               docker.io/aquasec/trivy:$TRIVY_VERSION \
-                --cache-dir /cache \
                 $SCAN_TYPE \
                 $SCAN_ARGS \
-                --skip-db-update \
                 --scanners vuln --ignore-unfixed \
                 --exit-code 0 --timeout 30m \
                 --format template --template "@/report/$REPORT_TEMPLATE" -o /report/$REPORT_FILE \
@@ -631,7 +656,7 @@ jobs:
         # --ipc=host because Microsoft says so in Playwright docs
         # --net=host because testcontainers connects to the Reaper container's exposed port
         # we need to pass through the relevant environment variables
-        #  DEBUG configures nodejs debuggers, sets different verbosity as needed
+        #  DEBUG configures Node.js debuggers, sets different verbosity as needed
         #  CI=true is set on every CI nowadays
         #  PODMAN_SOCK should be mounted to /var/run/docker.sock, other likely mounting locations may not exist (mkdir -p)
         #  TEST_TARGET is the workbench image the test will run
@@ -649,7 +674,7 @@ jobs:
             --volume ${PODMAN_SOCK}:/var/run/docker.sock \
             --volume ${PWD}:/mnt \
             --volume /mnt/node_modules \
-            mcr.microsoft.com/playwright:v1.52.0-noble \
+            mcr.microsoft.com/playwright:v1.53.1-noble \
             /bin/bash <<EOF
               set -Eeuxo pipefail
               cd /mnt
@@ -663,7 +688,7 @@ jobs:
       - uses: actions/upload-artifact@v4
         if: ${{ !cancelled() && fromJson(inputs.github).event_name == 'pull_request' && contains(inputs.target, 'codeserver') }}
         with:
-          name: "${{ inputs.target }}_playwright-report"
+          name: "${{ inputs.target }}_${{ steps.calculated_vars.outputs.SANITIZED_PLATFORM }}_playwright-report"
           path: tests/browser/playwright-report/
           retention-days: 30
 
@@ -673,4 +698,4 @@ jobs:
         if: "${{ !cancelled() }}"
 
       - run: sudo compsize -x "${HOME}/.local/share/containers"
-        if: "${{ !cancelled() }}"
+        if: "${{ !cancelled() && steps.install-compsize.outcome == 'success' }}"

.github/workflows/build-notebooks-pr-rhel.yaml

@@ -20,7 +20,7 @@ permissions:
 env:
   # language=json
   contributors: |
-    ["atheo89", "andyatmiami", "caponetto", "daniellutz", "dibryant", "harshad16", "jesuino", "jiridanek", "jstourac", "paulovmr", "Fiona-Waters", "grdryn"]
+    ["atheo89", "andyatmiami", "caponetto", "daniellutz", "dibryant", "harshad16", "jesuino", "jiridanek", "jstourac", "paulovmr", "Fiona-Waters", "grdryn", "kryanbeane", "mtchoum1", "obrown1205", "dependabot[bot]", "ide-developer"]
 
 jobs:
   gen:
@@ -70,6 +70,8 @@ jobs:
     if: ${{ fromJson(needs.gen.outputs.has_jobs) }}
     with:
       target: "${{ matrix.target }}"
+      python: "${{ matrix.python }}"
       github: "${{ toJSON(github) }}"
+      platform: "${{ matrix.platform }}"
       subscription: "${{ matrix.subscription }}"
     secrets: inherit

.github/workflows/build-notebooks-pr.yaml

@@ -40,7 +40,8 @@ jobs:
           python3 ci/cached-builds/gen_gha_matrix_jobs.py \
             --from-ref 'origin/${{ github.event.pull_request.base.ref }}' \
             --to-ref '${{ github.event.pull_request.head.ref }}' \
-            --rhel-images exclude
+            --rhel-images exclude \
+            --s390x-images include
         id: gen
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
@@ -55,6 +56,8 @@ jobs:
     if: ${{ fromJson(needs.gen.outputs.has_jobs) }}
     with:
       target: "${{ matrix.target }}"
+      python: "${{ matrix.python }}"
       github: "${{ toJSON(github) }}"
+      platform: "${{ matrix.platform }}"
       subscription: "${{ matrix.subscription }}"
     secrets: inherit

.github/workflows/build-notebooks-push.yaml

@@ -29,7 +29,8 @@ jobs:
       - name: Determine targets to build (we want to build everything on push)
         run: |
           set -x
-          python3 ci/cached-builds/gen_gha_matrix_jobs.py
+          python3 ci/cached-builds/gen_gha_matrix_jobs.py \
+            --s390x-images include
         id: gen
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
@@ -44,6 +45,8 @@ jobs:
     if: ${{ fromJson(needs.gen.outputs.has_jobs) }}
     with:
       target: "${{ matrix.target }}"
+      python: "${{ matrix.python }}"
       github: "${{ toJSON(github) }}"
+      platform: "${{ matrix.platform }}"
       subscription: "${{ matrix.subscription }}"
     secrets: inherit

.github/workflows/code-quality.yaml

@@ -69,8 +69,8 @@ jobs:
         id: validate-yaml-files
         run: |
           type yamllint || sudo apt-get -y install yamllint
-          # We ignore the .tekton directory with the konflux pipelines definitions as it's managed by devops (and usually violates rules...).
-          find . -name "*.yaml" | grep -v "./.tekton/" | xargs yamllint --strict --config-file ./ci/yamllint-config.yaml
+          # We ignore the insta-merge.yaml and .tekton directory with the konflux pipelines definitions as it's managed by devops (and usually violates rules...).
+          find . -name "*.yaml" | grep -v "./.tekton/" | grep -v "./.github/workflows/insta-merge.yaml" | xargs yamllint --strict --config-file ./ci/yamllint-config.yaml
           find . -name "*.yml" | grep -v "./.tekton/" | xargs yamllint --strict --config-file ./ci/yamllint-config.yaml
 
       # In some YAML files we use JSON strings, let's check these