feat: add STIG compliance adjustments to hack/release files

maze88 · maze88 · commit 41d820524933 · 2025-10-21T18:50:40.000+03:00
Signed-off-by: Michael Zeevi &lt;mzeevi@nvidia.com&gt;
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
@@ -289,8 +289,9 @@ jobs:
           done
 
           # Special handling for Mofed component (update registry only, not version, for all releases)
-          echo "Updating Mofed component registry for release"
-          yq -i '.Mofed.repository = "${{ env.DOCKER_REGISTRY_MANAGED_COMPONENTS }}"' hack/release.yaml
+          echo "Updating Mofed components registry for release"
+          yq -i     '.Mofed.repository = "${{ env.DOCKER_REGISTRY_MANAGED_COMPONENTS }}"' hack/release.yaml
+          yq -i '.MofedStig.repository = "${{ env.DOCKER_REGISTRY_MANAGED_COMPONENTS }}"' hack/release.yaml
 
           # Update chart versions
           yq -i '.version = "${{ env.CHART_VERSION }}"'  deployment/network-operator/Chart.yaml
@@ -309,4 +310,4 @@ jobs:
             --base $BASE_BRANCH \
             --head $(git branch --show-current) \
             --title "cicd: release Network Operator $APP_VERSION" \
-            --body "Created by the [*${{ github.job }}* job](${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }})."
+            --body "Created by the [*${{ github.job }}* job](${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }})."
diff --git a/hack/release.go b/hack/release.go
@@ -67,6 +67,7 @@ type Release struct {
 	SriovCni                     *ReleaseImageSpec
 	SriovIbCni                   *ReleaseImageSpec
 	Mofed                        *ReleaseImageSpec
+	MofedStig                    *ReleaseImageSpec
 	RdmaSharedDevicePlugin       *ReleaseImageSpec
 	SriovDevicePlugin            *ReleaseImageSpec
 	IbKubernetes                 *ReleaseImageSpec
@@ -185,19 +186,38 @@ func docaDriverTagsCheck(release *Release, docaDriverMatrix *string) {
 		fmt.Printf("Error: %v\n", err)
 		os.Exit(1)
 	}
-	if err := validateTags(config, tags, release.Mofed.Version); err != nil {
+	tagsStig, err := listTags(release.MofedStig.Repository, release.MofedStig.Image)
+	if err != nil {
+		fmt.Printf("Error: %v\n", err)
+		os.Exit(1)
+	}
+	// validate all non-STIG compliant tags
+	if err := validateTags(config, tags, release.Mofed.Version, func(os string) bool {
+		return !strings.HasSuffix(os, "-stig")
+	}); err != nil {
+		fmt.Printf("Error: %v\n", err)
+		os.Exit(1)
+	}
+	// validate all STIG compliant tags
+	if err := validateTags(config, tagsStig, release.MofedStig.Version, func(os string) bool {
+		return strings.HasSuffix(os, "-stig")
+	}); err != nil {
 		fmt.Printf("Error: %v\n", err)
 		os.Exit(1)
 	}
 }
 
-func validateTags(config DocaDriverMatrix, tags []string, version string) error {
+func validateTags(config DocaDriverMatrix, tags []string, version string,
+	shouldValidateOsFunction func(string) bool) error {
 	// Build expected OS-arch combinations
 	expectedCombinations := make(map[string]struct{})
 	for _, entry := range config.DynamicallyCompiled {
 		for _, arch := range entry.Arches {
-			key := fmt.Sprintf("%s-%s", entry.OS, arch)
-			expectedCombinations[key] = struct{}{}
+			shouldValidateCurrentEntry := shouldValidateOsFunction(entry.OS)
+			if shouldValidateCurrentEntry {
+				key := fmt.Sprintf("%s-%s", entry.OS, arch)
+				expectedCombinations[key] = struct{}{}
+			}
 		}
 	}
 
diff --git a/hack/release.yaml b/hack/release.yaml
@@ -38,6 +38,10 @@ Mofed:
   image: doca-driver
   repository: nvcr.io/nvstaging/mellanox
   version: doca3.2.0-25.10-1.0.0.0-0
+MofedStig:
+  image: doca-driver-stig
+  repository: nvcr.io/nvstaging/mellanox
+  version: doca3.2.0-25.10-1.0.0.0-0
 RdmaSharedDevicePlugin:
   image: k8s-rdma-shared-dev-plugin
   repository: nvcr.io/nvstaging/mellanox
