feat:CVEs SRVKP-10058 SRVKP-9700 and yarn 4 migration with node20 support

anwesha-palit-redhat · anwesha-palit-redhat · commit 633074a302eb · 2026-02-27T10:49:24.000+05:30
diff --git a/.ci-operator.yaml b/.ci-operator.yaml
@@ -1,4 +1,4 @@
 build_root_image:
-  name: nodejs-18
-  namespace: openshift
-  tag: latest
+  name: console-plugin-test-cypress
+  namespace: ci
+  tag: node20-yarn4
diff --git a/.github/workflows/publish_container_image.yaml b/.github/workflows/publish_container_image.yaml
@@ -1,27 +1,41 @@
-name: publish container images
+name: Build and Publish Container
+
 on:
   push:
     branches:
       - main
       - release-v* # example: release-v1.14
+      - main_ocp_4.22
     tags: ['v*']
+  pull_request:
+    branches:
+      - main
+      - main_ocp_4.22
+  workflow_dispatch:
 
 jobs:
   setup:
     name: build container
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: write
 
     steps:
       - name: Checkout source code
         uses: actions/checkout@v4
 
       - uses: actions/setup-node@v4
         with:
-          node-version: '18'
+          node-version: '20'
+      
+      - name: Enable Corepack
+        run: corepack enable
 
       - uses: docker/setup-buildx-action@v3
 
       - name: Login in to ghcr.io registry
+        if: github.event_name != 'pull_request'
         uses: docker/login-action@v3
         with:
           registry: ghcr.io
@@ -41,5 +55,5 @@ jobs:
         run: ./scripts/build_container.sh
         env:
           SUPPORT_MULTI_ARCH: "true"
-          CONSOLE_PLUGIN_IMAGE_REPO: 'ghcr.io/${{ github.repository }}'
-          CONSOLE_PLUGIN_IMAGE_TAG: '${{ github.ref_name }}'
+          CONSOLE_PLUGIN_IMAGE_REPO: ${{ github.event_name == 'pull_request' && format('ttl.sh/{0}/console-plugin-pr-{1}', github.repository, github.event.pull_request.number) || format('ghcr.io/{0}', github.repository) }}
+          CONSOLE_PLUGIN_IMAGE_TAG: ${{ github.event_name == 'pull_request' && '24h' || github.ref_name }}
diff --git a/.konflux/dockerfiles/console-plugin.Dockerfile b/.konflux/dockerfiles/console-plugin.Dockerfile
@@ -5,11 +5,19 @@ FROM $BUILDER AS builder-ui
 
 WORKDIR /go/src/github.com/openshift-pipelines/console-plugin
 COPY . .
-RUN npm install -g yarn-1.22.22.tgz
-COPY .konflux/yarn.lock .
-COPY .konflux/package.json .
-RUN set -e; for f in patches/*.patch; do echo ${f}; [[ -f ${f} ]] || continue; git apply ${f}; done
-RUN yarn install --offline --frozen-lockfile --ignore-scripts && \
+#Install Yarn
+RUN if [[ -d /cachi2/output/deps/npm/ ]]; then \
+      npm install -g /cachi2/output/deps/npm/yarnpkg-cli-dist-4.6.0.tgz; \
+      YARN_ENABLE_NETWORK=0; \
+    else \
+      echo "ERROR: Hermetic npm deps not injected"; \
+      exit 1; \
+    fi
+
+
+# Install dependencies & build
+USER root
+RUN CYPRESS_INSTALL_BINARY=0 yarn install --immutable && \
     yarn build
 
 FROM $RUNTIME
diff --git a/.konflux/npm/package-lock.json b/.konflux/npm/package-lock.json
diff --git a/.konflux/npm/package.json b/.konflux/npm/package.json
@@ -0,0 +1,7 @@
+{
+  "name": "yarn4-nodejs22-ubil9-minimal",
+  "version": "1.0.0",
+  "description": "Konflux image containing rebuilds for tooling to assist in building with yarn",
+  "dependencies": {
+    "@yarnpkg/cli-dist": "4.6.0"}
+}
diff --git a/.tekton/console-plugin-1-16-console-plugin-pull-request.yaml b/.tekton/console-plugin-1-16-console-plugin-pull-request.yaml
@@ -39,7 +39,7 @@ spec:
     - linux/x86_64
   - name: prefetch-input
     value: |
-      {"type": "rpm", "path": ".konflux/rpms"}
+       [{"type": "yarn"}, {"type": "npm", "path": ".konflux/npm"}]
   pipelineRef:
     name: docker-build-ta
   taskRunTemplate:
diff --git a/.tekton/console-plugin-1-16-console-plugin-push.yaml b/.tekton/console-plugin-1-16-console-plugin-push.yaml
@@ -33,7 +33,7 @@ spec:
     value: .konflux/dockerfiles/console-plugin.Dockerfile
   - name: prefetch-input
     value: |
-      {"type": "rpm", "path": ".konflux/rpms"}
+      [{"type": "yarn"}, {"type": "npm", "path": ".konflux/npm"}]
   pipelineRef:
     name: docker-build-ta
   taskRunTemplate:
diff --git a/.yarnrc b/.yarnrc
diff --git a/.yarnrc.yml b/.yarnrc.yml
@@ -0,0 +1,8 @@
+# .yarnrc.yml
+nodeLinker: node-modules
+
+# Force packages to use the same webpack instance
+packageExtensions:
+  "@openshift-console/dynamic-plugin-sdk-webpack@*":
+    peerDependencies:
+      webpack: "*"
diff --git a/Dockerfile b/Dockerfile
@@ -1,19 +1,27 @@
-FROM registry.access.redhat.com/ubi8/nodejs-18:latest AS builder-ui
+ARG BUILDER=registry.access.redhat.com/ubi8/nodejs-18:latest
+ARG RUNTIME=registry.access.redhat.com/ubi8/nginx-124:latest
+
+# Stage 1: Build UI
+FROM $BUILDER AS builder-ui
+
 USER root
-RUN command -v yarn || npm i -g yarn
 
+# Enable Corepack and prepare Yarn 4.6
+RUN npm install -g corepack && corepack enable && corepack prepare yarn@4.6.0 --activate
+
+# Copy source
 ADD . /usr/src/app
 WORKDIR /usr/src/app
 
-RUN yarn install --frozen-lockfile && \
+# Install dependencies & build
+RUN yarn install --immutable && \
     yarn build
 
-FROM registry.access.redhat.com/ubi8/nginx-124:latest
+# Stage 2: Serve with Nginx
+FROM $RUNTIME
 
 COPY --from=builder-ui /usr/src/app/dist /usr/share/nginx/html
-
 COPY ./nginx.conf /etc/nginx/nginx.conf
 
 USER 1001
-
 ENTRYPOINT ["nginx", "-g", "daemon off;"]
diff --git a/Dockerfile.without_builder b/Dockerfile.without_builder
@@ -7,7 +7,9 @@
 # however in this project, the code will be executed on a browser,
 # hence assuming no impact on this approach
 
-FROM registry.access.redhat.com/ubi8/nginx-124:latest
+ARG RUNTIME=registry.access.redhat.com/ubi8/nginx-124:latest
+
+FROM $RUNTIME
 
 COPY ./dist /usr/share/nginx/html
 
diff --git a/integration-tests/package.json b/integration-tests/package.json
@@ -8,4 +8,4 @@
     "test-cypress-nightly": "yarn run test-headless && yarn run cypress-merge && yarn run cypress-generate",
     "posttest-cypress-headless": "yarn run cypress-merge && yarn run cypress-generate"
   }
-}
+}
diff --git a/package.json b/package.json
@@ -4,30 +4,40 @@
   "private": true,
   "repository": "git@github.com:openshift-pipelines/console-plugin.git",
   "license": "Apache-2.0",
+  "packageManager": "yarn@4.6.0",
+  "workspaces": [
+    "integration-tests"
+  ],
   "scripts": {
     "clean": "rm -rf dist",
-    "build": "yarn clean && NODE_ENV=production yarn ts-node node_modules/.bin/webpack",
-    "build-dev": "yarn clean && yarn ts-node node_modules/.bin/webpack",
-    "start": "yarn ts-node node_modules/.bin/webpack serve",
+    "webpack": "yarn exec webpack",
+    "build": "yarn clean && NODE_ENV=production NODE_OPTIONS=--max-old-space-size=4096 yarn webpack",
+    "build-dev": "yarn clean && NODE_OPTIONS=--max-old-space-size=4096 yarn webpack",
+    "start": "yarn webpack serve",
     "start-console": "./start-console.sh",
     "i18n": "./i18n-scripts/build-i18n.sh && node ./i18n-scripts/set-english-defaults.js",
     "ts-node": "ts-node -O '{\"module\":\"commonjs\"}'",
     "lint": "eslint ./src ./integration-tests --fix &&  stylelint \"src/**/*.css\" --allow-empty-input --fix",
-    "gherkin-lint": "./node_modules/.bin/gherkin-lint -c ./integration-tests/.gherkin-lintrc ./integration-tests/features",
-    "test-cypress": "cd integration-tests && cypress open --env openshift=true",
-    "test-cypress-headless": "cd integration-tests && node --max-old-space-size=4096 ../node_modules/.bin/cypress run --env openshift=true --browser ${BRIDGE_E2E_BROWSER_NAME:=electron} --headless cypress:cli,cypress:server:specs --spec \"cypress/features/pipelines/create-from-add-options.feature\"",
+    "gherkin-lint": "yarn gherkin-lint -c ./integration-tests/.gherkin-lintrc ./integration-tests/features",
+    "test-cypress": "yarn exec cypress open --env openshift=true --project integration-tests",
+    "test-cypress-headless": "NODE_OPTIONS=--max-old-space-size=4096 yarn exec cypress run --env openshift=true --browser ${BRIDGE_E2E_BROWSER_NAME:-electron} --headless --project integration-tests --spec \"integration-tests/cypress/features/pipelines/create-from-add-options.feature\" \"integration-tests/cypress/features/pipelines/pipeline-overview.feature\" \"integration-tests/cypress/features/pipelines/create-from-builder-page.feature\" \"integration-tests/cypress/features/pipelines/data-source-filter.feature\" \"integration-tests/cypress/features/pipelines/pipeline-metrics.feature\"",
     "cypress-merge": "mochawesome-merge ./integration-tests/screenshots/cypress_report*.json > ./integration-tests/screenshots/cypress.json",
     "cypress-generate": "marge -o ./integration-tests/screenshots/ -f cypress-report -t 'OpenShift Console Plugin Template Cypress Test Results' -p 'OpenShift Cypress Plugin Template Test Results' --showPassed false --assetsDir ./integration-tests/screenshots/cypress/assets ./integration-tests/screenshots/cypress.json",
     "cypress-postreport": "yarn cypress-merge && yarn cypress-generate",
     "generate-types": "openapi-typescript openapi/spec.yml --output src/types/api.ts",
-    "dev": "NODE_ENV=development NODE_OPTIONS=--max-old-space-size=8192 rm -rf dist && yarn ts-node ./node_modules/.bin/webpack serve --progress",
-    "test": "jest"
+    "dev": "NODE_ENV=development rm -rf dist && NODE_OPTIONS=--max-old-space-size=8192 yarn webpack serve --progress",
+    "test": "jest",
+    "memsource-upload": "./i18n-scripts/memsource-upload.sh",
+    "memsource-download": "./i18n-scripts/memsource-download.sh",
+    "i18n-to-po": "node ./i18n-scripts/i18n-to-po.js",
+    "po-to-i18n": "node ./i18n-scripts/po-to-i18n.js"
   },
   "devDependencies": {
     "@babel/core": "^7.24.7",
     "@babel/preset-env": "^7.24.7",
     "@babel/preset-react": "^7.24.7",
     "@babel/preset-typescript": "^7.24.7",
+    "@badeball/cypress-cucumber-preprocessor": "latest",
     "@cypress/webpack-preprocessor": "^5.15.5",
     "@openshift-console/dynamic-plugin-sdk": "1.4.0",
     "@openshift-console/dynamic-plugin-sdk-webpack": "1.1.1",
@@ -62,9 +72,8 @@
     "cache-loader": "^4.1.0",
     "copy-webpack-plugin": "^13.0.0",
     "css-loader": "^6.7.1",
-    "cypress": "^13.10.0",
+    "cypress": "^13.17.0",
     "cypress-axe": "^0.12.0",
-    "@badeball/cypress-cucumber-preprocessor": "latest",
     "cypress-file-upload": "^5.0.8",
     "cypress-multi-reporters": "^1.6.2",
     "eslint": "^8.10.0",
@@ -112,8 +121,9 @@
     "ts-loader": "^9.3.1",
     "ts-node": "^10.9.1",
     "typescript": "^4.7.4",
+    "webpack": "5.94.0",
     "webpack-cli": "^5.1.4",
-    "webpack-dev-server": "^5.2.0",
+    "webpack-dev-server": "^5.2.3",
     "yup": "1.6.1"
   },
   "consolePlugin": {
@@ -150,12 +160,17 @@
     "@types/js-yaml": "^3.10.0",
     "classnames": "^2.3.2",
     "gherkin-lint": "^4.1.3",
-    "lodash-es": "^4.17.21",
+    "i18next-conv": "^15.1.1",
+    "lodash-es": "^4.17.23",
     "micromatch": "4.0.8",
     "path-browserify": "^1.0.1",
     "stream-browserify": "^3.0.0"
   },
   "resolutions": {
-    "webpack": "5.94.0"
+    "webpack": "5.94.0",
+    "@types/d3-dispatch": "3.0.6",
+    "@types/d3-selection": "3.0.10",
+    "lodash": "4.17.23",
+    "lodash-es": "4.17.23"
   }
 }
diff --git a/scripts/build_container.sh b/scripts/build_container.sh
@@ -20,7 +20,8 @@ if [ "$SUPPORT_MULTI_ARCH" = "true" ]; then
   # WARNING: with this approach, if we use platform naive package may lead to a malfunction
   # however in this project, the code will be executed on a browser,
   # hence assuming no impact on this approach
-  yarn install --frozen-lockfile
+  corepack enable && corepack prepare yarn@4.6.0 --activate
+  yarn install --immutable
   yarn build
 
   docker buildx build --push \
diff --git a/test-frontend.sh b/test-frontend.sh
@@ -6,6 +6,10 @@ set -euo pipefail
 OPENSHIFT_CI=${OPENSHIFT_CI:=false}
 ARTIFACT_DIR=${ARTIFACT_DIR:=/tmp/artifacts}
 
+# Install and enable Corepack for Yarn 4
+npm install -g corepack
+corepack enable && corepack prepare yarn@4.6.0 --activate
+
 if [ ! -d node_modules ]; then
   yarn install
 fi
diff --git a/test-prow-e2e.sh b/test-prow-e2e.sh
@@ -2,6 +2,13 @@
 
 set -exuo pipefail
 
+# Set Cypress cache to user-writable location as user inside container may not have write access
+export CYPRESS_CACHE_FOLDER="${HOME}/.cache/Cypress"
+
+# Install and enable Corepack for Yarn 4
+npm install -g corepack 2>/dev/null || true
+corepack enable && corepack prepare yarn@4.6.0 --activate
+
 ARTIFACT_DIR=${ARTIFACT_DIR:=/tmp/artifacts}
 SCREENSHOTS_DIR=integration-tests/screenshots
 INSTALLER_DIR=${INSTALLER_DIR:=${ARTIFACT_DIR}/installer}
@@ -32,6 +39,9 @@ if [ ! -d node_modules ]; then
   yarn install
 fi
 
+# Ensure Cypress binary is installed
+yarn exec cypress install
+
 while getopts s:h:l:n: flag
 do
   case "${flag}" in
diff --git a/yarn-1.22.22.tgz b/yarn-1.22.22.tgz
diff --git a/yarn.lock b/yarn.lock
