Merge pull request #931 from anwesha-palit-redhat/release-v1.20.x

SRVKP-10058 SRVKP-9700 SRVKP-10602: CVE fixes for qs + node-forge + lodash along with yarn 4 migration changes

Author: anwesha-palit-redhat

.ci-operator.yaml

@@ -1,4 +1,4 @@
 build_root_image:
-  name: nodejs-18
-  namespace: openshift
-  tag: latest
+  name: console-plugin-test-cypress
+  namespace: ci
+  tag: node20-yarn4

.github/workflows/publish_container_image.yaml

@@ -1,27 +1,41 @@
-name: publish container images
+name: Build and Publish Container
+
 on:
   push:
     branches:
       - main
       - release-v* # example: release-v1.14
+      - main_ocp_4.22
     tags: ['v*']
+  pull_request:
+    branches:
+      - main
+      - main_ocp_4.22
+  workflow_dispatch:
 
 jobs:
   setup:
     name: build container
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: write
 
     steps:
       - name: Checkout source code
         uses: actions/checkout@v4
 
       - uses: actions/setup-node@v4
         with:
-          node-version: '18'
+          node-version: '20'
+      
+      - name: Enable Corepack
+        run: corepack enable
 
       - uses: docker/setup-buildx-action@v3
 
       - name: Login in to ghcr.io registry
+        if: github.event_name != 'pull_request'
         uses: docker/login-action@v3
         with:
           registry: ghcr.io
@@ -41,5 +55,5 @@ jobs:
         run: ./scripts/build_container.sh
         env:
           SUPPORT_MULTI_ARCH: "true"
-          CONSOLE_PLUGIN_IMAGE_REPO: 'ghcr.io/${{ github.repository }}'
-          CONSOLE_PLUGIN_IMAGE_TAG: '${{ github.ref_name }}'
+          CONSOLE_PLUGIN_IMAGE_REPO: ${{ github.event_name == 'pull_request' && format('ttl.sh/{0}/console-plugin-pr-{1}', github.repository, github.event.pull_request.number) || format('ghcr.io/{0}', github.repository) }}
+          CONSOLE_PLUGIN_IMAGE_TAG: ${{ github.event_name == 'pull_request' && '24h' || github.ref_name }}

.konflux/dockerfiles/console-plugin.Dockerfile

@@ -5,21 +5,20 @@ FROM $BUILDER AS builder-ui
 
 WORKDIR /go/src/github.com/openshift-pipelines/console-plugin
 COPY . .
-RUN npm install -g yarn-1.22.22.tgz
-RUN set -e; for f in patches/*.patch; do echo ${f}; [[ -f ${f} ]] || continue; git apply ${f}; done
-
+#Install Yarn
+RUN if [[ -d /cachi2/output/deps/npm/ ]]; then \
+      npm install -g /cachi2/output/deps/npm/yarnpkg-cli-dist-4.6.0.tgz; \
+      YARN_ENABLE_NETWORK=0; \
+    else \
+      npm install -g corepack; \
+      corepack enable ;\
+      corepack prepare yarn@4.6.0 --activate;  \
+    fi
+
+
+# Install dependencies & build
 USER root
-
-# Enable FIPS mode during build process
-RUN fips-mode-setup --enable && \
-    update-crypto-policies --set FIPS && \
-    echo "Build stage - Verifying FIPS kernel parameter:" && \
-    cat /proc/sys/crypto/fips_enabled && \
-    echo "Build stage - Verifying OpenSSL FIPS status:" && \
-    openssl version -a | grep -i fips && \
-    (openssl md5 /dev/null || echo "MD5 test passed (expected failure in FIPS mode)")
-
-RUN yarn install --offline --frozen-lockfile --ignore-scripts && \
+RUN CYPRESS_INSTALL_BINARY=0 yarn install --immutable && \
     yarn build
 
 FROM $RUNTIME

.konflux/npm/package-lock.json

@@ -0,0 +1,7 @@
+{
+  "name": "yarn4-nodejs22-ubil9-minimal",
+  "version": "1.0.0",
+  "description": "Konflux image containing rebuilds for tooling to assist in building with yarn",
+  "dependencies": {
+    "@yarnpkg/cli-dist": "4.6.0"}
+}