Security updates

This PS bumps ubuntu version to jammy, Golang
version to 1.23 and Go modules to fix critical
CVEs.

Also switched from docker.io to ecr.aws docker
repos to fix docker.io ratelimit issue.

Change-Id: I630159f4e3520a1fc124172326c7dd14495b0524
Sergiy Markin 2024-12-19 17:04:18 +00:00
parent 5f6eadb37a
commit b01dbef358
7 changed files with 146 additions and 53 deletions


@ -13,17 +13,16 @@
- project:
check:
jobs:
- armada-go-docker-build-gate-ubuntu_focal
# disable for now until jammy jobs are configured
#- armada-go-airskiff-deployment-focal
- armada-go-docker-build-gate-ubuntu_jammy
- armada-go-airskiff-deployment-jammy
gate:
jobs:
- armada-go-docker-build-gate-ubuntu_focal
- armada-go-docker-build-gate-ubuntu_jammy
post:
jobs:
- armada-go-docker-publish-ubuntu_focal
- armada-go-docker-publish-ubuntu_jammy
- nodeset:
@ -32,6 +31,12 @@
- name: primary
label: ubuntu-focal
- nodeset:
name: armada-go-single-node-jammy
nodes:
- name: primary
label: ubuntu-jammy
- job:
name: armada-go-base
abstract: true
@ -47,12 +52,12 @@
irrelevant-files: &irrelevant-files
- ^.*\.rst$
- ^doc/.*$
- ^etc/.*$
- ^examples/.*$
- ^releasenotes/.*$
- ^setup.cfg$
- ^deckhand/tests/unit/.*$
- ^swagger/.*$
timeout: 10800
pre-run:
- tools/gate/playbooks/checkout-treasuremap-ref.yaml
- tools/gate/playbooks/prepare-hosts.yaml
- tools/gate/playbooks/mount-volumes.yaml
- tools/gate/playbooks/deploy-env.yaml
@ -61,6 +66,7 @@
post-run:
- tools/gate/playbooks/osh-infra-collect-logs.yaml
vars:
treasuremap_ref: v1.9
extra_volume:
size: 80G
type: Linux
@ -77,15 +83,16 @@
loopback_device: /dev/loop100
loopback_image: "/opt/ext_vol/openstack-helm/ceph-loop.img"
ceph_osd_data_device: /dev/loop100
kube_version_repo: "v1.29"
kube_version: "1.29.5-1.1"
kube_version_repo: "v1.30"
kube_version: "1.30.3-1.1"
calico_setup: true
calico_version: "v3.27.0"
calico_version: "v3.27.4"
cilium_setup: false
cilium_version: "1.15.6"
helm_version: "v3.6.3"
yq_version: "v4.6.0"
crictl_version: "v1.26.1"
cilium_version: "1.16.0"
flannel_setup: false
flannel_version: v0.25.4
helm_version: "v3.15.4"
crictl_version: "v1.30.1"
zuul_osh_relative_path: ../../openstack/openstack-helm
zuul_osh_infra_relative_path: ../../openstack/openstack-helm-infra
zuul_treasuremap_relative_path: ../../airship/treasuremap
@ -93,19 +100,19 @@
run_helm_tests: "no"
- job:
name: armada-go-airskiff-deployment-focal
nodeset: treasuremap-airskiff-1node-ubuntu_focal
name: armada-go-airskiff-deployment-jammy
nodeset: treasuremap-airskiff-1node-ubuntu_jammy
description: |
Deploy Memcached using Airskiff and submitted Armada-go changes.
parent: armada-go-base
vars:
site: airskiff
HELM_ARTIFACT_URL: https://get.helm.sh/helm-v3.14.2-linux-amd64.tar.gz
HTK_COMMIT: 05f2f45971abcf483189358d663e2b46c3fc2fe8
OSH_INFRA_COMMIT: 05f2f45971abcf483189358d663e2b46c3fc2fe8
OSH_COMMIT: 049e679939fbd3b0c659dd0977911b8dc3b5a015
HELM_ARTIFACT_URL: https://get.helm.sh/helm-v3.15.4-linux-amd64.tar.gz
HTK_COMMIT: 43fd7143481b6ddda0dbd2f26bf6ec39a417b15b
OSH_INFRA_COMMIT: 43fd7143481b6ddda0dbd2f26bf6ec39a417b15b
OSH_COMMIT: 540df5cb0dbdaed63c202e2d6f2b7891062f8203
CLONE_ARMADA_GO: false
DISTRO: ubuntu_focal
DISTRO: ubuntu_jammy
DOCKER_REGISTRY: localhost:5000
MAKE_ARMADA_GO_IMAGES: true
USE_ARMADA_GO: true
@ -120,6 +127,7 @@
- ./tools/deployment/airskiff/developer/025-start-artifactory.sh
- ./tools/deployment/airskiff/developer/026-reduce-site.sh
- ./tools/deployment/airskiff/developer/027-enable-armada-operator.sh
# - ./tools/deployment/airskiff/common/sleep.sh
- ./tools/deployment/airskiff/developer/030-armada-bootstrap.sh
- ./tools/deployment/airskiff/developer/100-deploy-osh.sh
- ./tools/deployment/airskiff/common/os-env.sh
@ -127,28 +135,28 @@
irrelevant-files: *irrelevant-files
- job:
name: armada-go-docker-build-gate-ubuntu_focal
name: armada-go-docker-build-gate-ubuntu_jammy
timeout: 3600
run: tools/gate/playbooks/docker-image-build.yaml
nodeset: armada-go-single-node-focal
nodeset: armada-go-single-node-jammy
vars:
publish: false
distro: ubuntu_focal
distro: ubuntu_jammy
tags:
dynamic:
patch_set: true
- job:
name: armada-go-docker-publish-ubuntu_focal
name: armada-go-docker-publish-ubuntu_jammy
timeout: 3600
run: tools/gate/playbooks/docker-image-build.yaml
nodeset: armada-go-single-node-focal
nodeset: armada-go-single-node-jammy
secrets:
- airship_armada_go_quay_creds
vars:
publish: true
distro: ubuntu_focal
distro: ubuntu_jammy
tags:
dynamic:
branch: true
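Review bot: The `# disable for now until jammy jobs are configured` comment and the commented-out `#- armada-go-airskiff-deployment-focal` entry in the first hunk are stale after this change: `armada-go-airskiff-deployment-jammy` is added to check right below them, and the focal airskiff job definition is renamed to jammy later in the file, so the commented reference names a job that no longer exists. Either drop both lines or reword the comment to say why a disabled entry is being kept. In the airskiff job vars, `HELM_ARTIFACT_URL` is bumped to the v3.15.4 tarball but, as far as this section shows, nothing pins its checksum the way `HTK_COMMIT`/`OSH_INFRA_COMMIT`/`OSH_COMMIT` pin full SHAs; if the consuming playbook does not verify the download, a companion checksum var (name to be chosen, e.g. a `HELM_ARTIFACT_SHA256`-style entry) next to the URL would make the artifact pin as strong as the commit pins. `flannel_version: v0.25.4` is the only unquoted version in that block; `flannel_version: "v0.25.4"` keeps the style of its neighbours.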


@ -13,8 +13,10 @@ LABEL ?= org.airshipit.build=community
COMMIT ?= $(shell git rev-parse HEAD)
PYTHON = python3
CHARTS := $(filter-out deps, $(patsubst charts/%/.,%,$(wildcard charts/*/.)))
DISTRO ?= ubuntu_focal
DISTRO ?= ubuntu_jammy
DISTRO_ALIAS ?= ubuntu_focal
IMAGE := ${DOCKER_REGISTRY}/${IMAGE_PREFIX}/${IMAGE_NAME}:${IMAGE_TAG}-${DISTRO}
IMAGE_ALIAS := ${DOCKER_REGISTRY}/${IMAGE_PREFIX}/${IMAGE_NAME}:${IMAGE_TAG}-${DISTRO_ALIAS}
UBUNTU_BASE_IMAGE ?=
# VERSION INFO
GIT_COMMIT = $(shell git rev-parse HEAD)
@ -127,6 +129,16 @@ else
$(_BASE_IMAGE_ARG) \
--build-arg HELM_ARTIFACT_URL=$(HELM_ARTIFACT_URL) .
endif
ifneq ($(DISTRO), $(DISTRO_ALIAS))
docker tag $(IMAGE) $(IMAGE_ALIAS)
ifeq ($(DOCKER_REGISTRY), localhost:5000)
docker push $(IMAGE_ALIAS)
endif
endif
ifeq ($(DOCKER_REGISTRY), localhost:5000)
docker push $(IMAGE)
endif
ifeq ($(PUSH_IMAGE), true)
docker push $(IMAGE)
endif
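Review bot: `$(IMAGE_ALIAS)` is pushed only inside the `localhost:5000` branch, so when `PUSH_IMAGE` is `true` the real registry receives the jammy-built `$(IMAGE)` but never the `-ubuntu_focal` alias tag. If the alias exists so that consumers pinned to the focal tag keep working after the switch, the `PUSH_IMAGE` block needs the same guarded push, `ifneq ($(DISTRO), $(DISTRO_ALIAS))` / `docker push $(IMAGE_ALIAS)` / `endif`; if it is only a local-gate convenience, a comment on `DISTRO_ALIAS ?= ubuntu_focal` in the first hunk should say so, because the alias otherwise relabels a jammy-based image as focal with no trace in the tag. Note also that with the local registry and `PUSH_IMAGE=true` the two consecutive `ifeq` blocks push the same `$(IMAGE)` twice; harmless, but worth collapsing. The recipe these lines belong to starts before the hunk.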

16
go.mod

@ -1,6 +1,6 @@
module opendev.org/airship/armada-go
go 1.21
go 1.23
require (
github.com/databus23/goslo.policy v0.0.0-20210929125152-81bf2876dbdb
@ -8,7 +8,7 @@ require (
github.com/gin-gonic/gin v1.9.1
github.com/spf13/cobra v1.8.0
github.com/spf13/viper v1.18.2
golang.org/x/sync v0.5.0
golang.org/x/sync v0.10.0
gopkg.in/yaml.v3 v3.0.1
k8s.io/api v0.29.2
k8s.io/apiextensions-apiserver v0.29.2
@ -69,16 +69,16 @@ require (
go.uber.org/multierr v1.11.0 // indirect
go.uber.org/zap v1.26.0 // indirect
golang.org/x/arch v0.3.0 // indirect
golang.org/x/crypto v0.17.0 // indirect
golang.org/x/crypto v0.31.0 // indirect
golang.org/x/exp v0.0.0-20230905200255-921286631fa9 // indirect
golang.org/x/net v0.19.0 // indirect
golang.org/x/net v0.33.0 // indirect
golang.org/x/oauth2 v0.15.0 // indirect
golang.org/x/sys v0.20.0 // indirect
golang.org/x/term v0.15.0 // indirect
golang.org/x/text v0.14.0 // indirect
golang.org/x/sys v0.28.0 // indirect
golang.org/x/term v0.27.0 // indirect
golang.org/x/text v0.21.0 // indirect
golang.org/x/time v0.5.0 // indirect
google.golang.org/appengine v1.6.7 // indirect
google.golang.org/protobuf v1.31.0 // indirect
google.golang.org/protobuf v1.36.0 // indirect
gopkg.in/inf.v0 v0.9.1 // indirect
gopkg.in/ini.v1 v1.67.0 // indirect
gopkg.in/yaml.v2 v2.4.0 // indirect

32
go.sum

@ -170,8 +170,8 @@ golang.org/x/arch v0.3.0/go.mod h1:5om86z9Hs0C8fWVUuoMHwpExlXzs5Tkyp9hOrfG7pp8=
golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
golang.org/x/crypto v0.17.0 h1:r8bRNjWL3GshPW3gkd+RpvzWrZAwPS49OmTGZ/uhM4k=
golang.org/x/crypto v0.17.0/go.mod h1:gCAAfMLgwOJRpTjQ2zCCt2OcSfYMTeZVSRtQlPC7Nq4=
golang.org/x/crypto v0.31.0 h1:ihbySMvVjLAeSH1IbfcRTkD/iNscyz8rGzjF/E5hV6U=
golang.org/x/crypto v0.31.0/go.mod h1:kDsLvtWBEx7MV9tJOj9bnXsPbxwJQ6csT/x4KIN4Ssk=
golang.org/x/exp v0.0.0-20230905200255-921286631fa9 h1:GoHiUyI/Tp2nVkLI2mCxVkOjsbSXD66ic0XW0js0R9g=
golang.org/x/exp v0.0.0-20230905200255-921286631fa9/go.mod h1:S2oDrQGGwySpoQPVqRShND87VCbxmc6bL1Yd2oYrm6k=
golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
@ -181,37 +181,39 @@ golang.org/x/net v0.0.0-20190603091049-60506f45cf65/go.mod h1:HSz+uSET+XFnRR8LxR
golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
golang.org/x/net v0.19.0 h1:zTwKpTd2XuCqf8huc7Fo2iSy+4RHPd10s4KzeTnVr1c=
golang.org/x/net v0.19.0/go.mod h1:CfAk/cbD4CthTvqiEl8NpboMuiuOYsAr/7NOjZJtv1U=
golang.org/x/net v0.21.0 h1:AQyQV4dYCvJ7vGmJyKki9+PBdyvhkSd8EIx/qb0AYv4=
golang.org/x/net v0.21.0/go.mod h1:bIjVDfnllIU7BJ2DNgfnXvpSvtn8VRwhlsaeUTyUS44=
golang.org/x/net v0.33.0 h1:74SYHlV8BIgHIFC/LrYkOGIwL19eTYXQ5wc6TBuO36I=
golang.org/x/net v0.33.0/go.mod h1:HXLR5J+9DxmrqMwG9qjGCxZ+zKXxBru04zlTvWlWuN4=
golang.org/x/oauth2 v0.15.0 h1:s8pnnxNVzjWyrvYdFUQq5llS1PX2zhPXmccZv99h7uQ=
golang.org/x/oauth2 v0.15.0/go.mod h1:q48ptWNTY5XWf+JNten23lcvHpLJ0ZSxF5ttTHKVCAM=
golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
golang.org/x/sync v0.5.0 h1:60k92dhOjHxJkrqnwsfl8KuaHbn/5dl0lUPUklKo3qE=
golang.org/x/sync v0.5.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
golang.org/x/sync v0.10.0 h1:3NQrjDixjgGwUOCaF8w2+VYHv0Ve/vGYSbdkTa98gmQ=
golang.org/x/sync v0.10.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
golang.org/x/sys v0.0.0-20220704084225-05e143d24a9e/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
golang.org/x/sys v0.20.0 h1:Od9JTbYCk261bKm4M/mw7AklTlFYIa0bIp9BgSm1S8Y=
golang.org/x/sys v0.20.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
golang.org/x/term v0.15.0 h1:y/Oo/a/q3IXu26lQgl04j/gjuBDOBlx7X6Om1j2CPW4=
golang.org/x/term v0.15.0/go.mod h1:BDl952bC7+uMoWR75FIrCDx79TPU9oHkTZ9yRbYOrX0=
golang.org/x/sys v0.28.0 h1:Fksou7UEQUWlKvIdsqzJmUmCX3cZuD2+P3XyyzwMhlA=
golang.org/x/sys v0.28.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
golang.org/x/term v0.27.0 h1:WP60Sv1nlK1T6SupCHbXzSaN0b9wUmsPoRS9b61A23Q=
golang.org/x/term v0.27.0/go.mod h1:iMsnZpn0cago0GOrHO2+Y7u7JPn5AylBrcoWkElMTSM=
golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk=
golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
golang.org/x/text v0.14.0 h1:ScX5w1eTa3QqT8oi6+ziP7dTV1S2+ALU0bI+0zXKWiQ=
golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=
golang.org/x/text v0.21.0 h1:zyQAAkrwaneQ066sspRyJaG9VNi/YJ1NfzcGB3hZ/qo=
golang.org/x/text v0.21.0/go.mod h1:4IBbMaMmOPCJ8SecivzSH54+73PCFmPWxNTLm+vZkEQ=
golang.org/x/time v0.5.0 h1:o7cqy6amK/52YcAKIPlM3a+Fpj35zvRj2TP+e1xFSfk=
golang.org/x/time v0.5.0/go.mod h1:3BpzKBy/shNhVucY/MWOyx10tF3SFh9QdLuxbVysPQM=
golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
golang.org/x/tools v0.0.0-20200619180055-7c47624df98f/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE=
golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
golang.org/x/tools v0.16.1 h1:TLyB3WofjdOEepBHAU20JdNC1Zbg87elYofWYAY5oZA=
golang.org/x/tools v0.16.1/go.mod h1:kYVVN6I1mBNoB1OX+noeBjbRk4IUEPa7JJ+TJMEooJ0=
golang.org/x/tools v0.21.1-0.20240508182429-e35e4ccd0d2d h1:vU5i/LfpvrRCpgM/VPfJLg5KjxD3E+hfT1SH+d9zLwg=
golang.org/x/tools v0.21.1-0.20240508182429-e35e4ccd0d2d/go.mod h1:aiJjzUbINMkxbQROHiO6hDPo2LHcIPhhQsa9DLh0yGk=
golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
@ -222,6 +224,8 @@ google.golang.org/protobuf v1.26.0-rc.1/go.mod h1:jlhhOSvTdKEhbULTjvd4ARK9grFBp0
google.golang.org/protobuf v1.26.0/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc=
google.golang.org/protobuf v1.31.0 h1:g0LDEJHgrBl9N9r17Ru3sqWhkIx2NB67okBHPwC7hs8=
google.golang.org/protobuf v1.31.0/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I=
google.golang.org/protobuf v1.36.0 h1:mjIs9gYtt56AzC4ZaffQuh88TZurBGhIJMBZGSxNerQ=
google.golang.org/protobuf v1.36.0/go.mod h1:9fA7Ob0pmnwhb644+1+CVWFRbNajQ6iRojtC/QF5bRE=
gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk=
gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q=


@ -1,5 +1,5 @@
ARG FROM=ubuntu:20.04
ARG GO_IMAGE=golang:1.21-bullseye
ARG FROM=public.ecr.aws/ubuntu/ubuntu:focal
ARG GO_IMAGE=public.ecr.aws/docker/library/golang:1.21.1-bullseye
FROM ${GO_IMAGE} as builder
ENV PATH "/usr/local/go/bin:$PATH"
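Review bot: `GO_IMAGE` is pinned to `golang:1.21.1-bullseye` while go.mod in the same change now declares `go 1.23`, so a build from this Dockerfile either fails at `go mod download`/`go build` or, with the Go 1.21+ default of letting the toolchain auto-upgrade, fetches a newer Go from the network at build time, which defeats the purpose of pinning the builder image. If the focal image is still meant to be buildable (the Makefile keeps `ubuntu_focal` as `DISTRO_ALIAS` even though the focal zuul jobs are removed), `ARG GO_IMAGE=public.ecr.aws/docker/library/golang:1.23.1-bullseye` brings it in line with the jammy Dockerfile; otherwise the file should go. Since both base images are being moved to `public.ecr.aws` anyway, pinning them by digest (`@sha256:<digest>`, placeholder) rather than by the mutable `focal`/`1.21.1-bullseye` tags would make the builder reproducible and the "security update" verifiable.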


@ -0,0 +1,38 @@
ARG FROM=public.ecr.aws/ubuntu/ubuntu:jammy
ARG GO_IMAGE=public.ecr.aws/docker/library/golang:1.23.1-bullseye
FROM ${GO_IMAGE} as builder
ENV PATH "/usr/local/go/bin:$PATH"
ENV CGO_ENABLED=0
WORKDIR /go/src/
COPY go.mod /go.sum ./
RUN go mod download
COPY . ./
RUN go build -v -o /usr/local/bin/armada-go ./
FROM ${FROM} as release
LABEL org.opencontainers.image.authors='airship-discuss@lists.airshipit.org, irc://#airshipit@freenode' \
org.opencontainers.image.url='https://airshipit.org' \
org.opencontainers.image.documentation='https://docs.airshipit.org/armada-go' \
org.opencontainers.image.source='https://opendev.org/airship/armada-go' \
org.opencontainers.image.vendor='The Airship Authors' \
org.opencontainers.image.licenses='Apache-2.0'
ENV DEBIAN_FRONTEND noninteractive
ENV LANG=C.UTF-8
ENV LC_ALL=C.UTF-8
EXPOSE 8000
WORKDIR /armada
COPY --from=builder /usr/local/bin/armada-go /usr/local/bin/armada
COPY crd.yaml /armada/crd.yaml
# Add armada user
RUN useradd -u 1000 -g users -d $(pwd) armada
ENTRYPOINT ["/usr/local/bin/armada"]
CMD ["server"]
USER armada
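Review bot: `COPY go.mod /go.sum ./` mixes a context-relative source with an absolute-looking one; Docker resolves `/go.sum` against the build-context root so it works, but it reads like a typo and `COPY go.mod go.sum ./` is the intended form. `ENV PATH "/usr/local/go/bin:$PATH"` and `ENV DEBIAN_FRONTEND noninteractive` use the legacy whitespace-separated syntax, and `FROM ${GO_IMAGE} as builder` uses lowercase `as`; recent BuildKit reports both as lint warnings, and `ENV PATH="/usr/local/go/bin:$PATH"`, `ENV DEBIAN_FRONTEND=noninteractive` and `AS builder` match the `ENV CGO_ENABLED=0` style already used in this file. The release stage is right to drop to `USER armada`, but its patch level is whatever `public.ecr.aws/ubuntu/ubuntu:jammy` resolved to at build time; for a change titled "Security updates", pinning the two base images by digest (`@sha256:<digest>`, placeholder) or recording the digests used would make the CVE claim checkable later.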


@ -0,0 +1,31 @@
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
---
- hosts: all
tasks:
- name: Checkout treasuremap ref
shell: |
set -xe;
: "${TREASUREMAP_REF:=v1.9}"
cd ../treasuremap
git fetch https://review.opendev.org/airship/treasuremap ${TREASUREMAP_REF} && git checkout FETCH_HEAD
args:
chdir: "{{ zuul.project.src_dir }}"
environment:
TREASUREMAP_REF: "{{ treasuremap_ref }}"
...
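Review bot: `cd ../treasuremap` hardcodes the sibling checkout location, while the job that runs this playbook already defines `zuul_treasuremap_relative_path: ../../airship/treasuremap`; if the two are meant to be the same checkout, the playbook should take the path from that variable (passed through `environment:` like `TREASUREMAP_REF`) so it is defined once, and if they deliberately differ a comment should say why. `git fetch ... ${TREASUREMAP_REF} && git checkout FETCH_HEAD` resolves the ref by name at run time, so the `v1.9` default pins a tag rather than a commit; unlike the `HTK_COMMIT`/`OSH_COMMIT` SHAs in the job vars this can move, which is acceptable for a release tag but deserves a comment such as `# TREASUREMAP_REF may be a tag; pass a commit SHA for a reproducible checkout`. `set -xe;` echoes every command into the job log — nothing secret is in scope here, but the trailing `;` is unnecessary. The play itself has no `name:`; ansible-lint will want one alongside the task's.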