…n to create a unique run each time
…upgrade other install apps
updated GH and mongo versions. Also wanted to trigger a new build to …
SSH Refactoring, breakout pipelines. Add generateName for pipeline ru…
Pull request overview
This PR updates dependency versions and container build steps for the utility pod, and refactors Tekton manifests by separating the Task from Pipeline/PipelineRun definitions.
Changes:
- Updated utility-pod Dockerfile package installation flow and bumped GitHub CLI version; added parameterization for MongoDB repo version.
- Refactored Tekton YAML by removing embedded Pipeline/PipelineRun from `task.yaml` and adding standalone `pipeline.yaml` and `run.yaml`; adjusted SSH key handling.
- Bumped Trivy GitHub Action version used in the utility container workflow.
Reviewed changes
Copilot reviewed 5 out of 5 changed files in this pull request and generated 4 comments.
| File | Description |
|---|---|
| utility-pod/Dockerfile | Consolidates apt update/upgrade/install; updates GH CLI version and MongoDB repo setup. |
| tekton/task.yaml | Removes Pipeline/PipelineRun definitions, leaving a standalone git-clone Task; changes SSH agent behavior. |
| tekton/pipeline.yaml | Adds a Pipeline manifest referencing git-clone (but currently has readme-printing step commented out). |
| tekton/run.yaml | Adds a PipelineRun manifest with hard-coded repo/secret values. |
| .github/workflows/build_util.yml | Updates Trivy action version. |
Comments suppressed due to low confidence (1)
tekton/task.yaml:173
- The ssh-agent workaround has been commented out, but the surrounding comment still states it is needed because git-clone v0.4 doesn’t leverage `ssh-privatekey` without adding it to a keychain. If this workaround is still required, commenting it out will break SSH-based clones; if it’s no longer required, the comment should be updated/removed to avoid misleading future changes. Consider gating this behavior behind a param so it’s explicit when needed.
| RUN curl -fsSL https://pgp.mongodb.com/server-8.0.asc | gpg -o /usr/share/keyrings/mongodb-server-${MONGODB_VERSION}.gpg --dearmor && \ | ||
| echo "deb [ arch=amd64,arm64 signed-by=/usr/share/keyrings/mongodb-server-${MONGODB_VERSION}.gpg ] https://repo.mongodb.org/apt/ubuntu noble/mongodb-org/${MONGODB_VERSION} multiverse" | tee /etc/apt/sources.list.d/mongodb-org-${MONGODB_VERSION}.list && \ |
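Review bot: the key piped from curl into gpg --dearmor on the first line is accepted exactly as downloaded, with no fingerprint comparison before it becomes the signed-by keyring that apt trusts for this repo. Consider importing it into a temporary keyring first, comparing its fingerprint against a value pinned in the Dockerfile, and failing the build on a mismatch, so that a changed or substituted key stops the image build instead of silently becoming the trust root for the mongodb-org packages.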
MONGODB_VERSION is set to 8.2, but the downloaded signing key is hard-coded to server-8.0.asc. This version mismatch can lead to using the wrong GPG key (or misleading keyring naming) and potentially break apt-get install due to signature verification failures. Align the key URL, keyring filename, and apt repo path to the same MongoDB major/minor version (or pin everything back to 8.0 if that’s the intended repo).
Ya, I'd agree with you; however, there is no 8.2 asc file, so we're using the 8.0 version.
| metadata: | ||
| name: p-git-collin-test | ||
| spec: |
p-git-collin-test looks like a personal/test pipeline name and isn’t descriptive of its purpose. Renaming it to something task-oriented (e.g., cat-branch-readme as before, or git-clone-readme) will make it clearer and reduce the chance of test resources landing in production-facing manifests.
Just updating versions and refreshing packages with latest from apt. No new packages added.