From 16eb9bf700f2e64d2005cb2f8e5f6ce3bec40b3c Mon Sep 17 00:00:00 2001
From: Sandeep Yadav
Date: Thu, 14 May 2026 16:17:21 +0530
Subject: [PATCH] Fix ROSA account-roles-create overriding specific patch versions The account-roles-create step was unconditionally writing the truncated version (e.g., "4.21") to ${SHARED_DIR}/openshift_version, even when no fallback occurred. This caused the provision step to override specific patch version requests (e.g., OPENSHIFT_VERSION: 4.21.13) with the latest available version in that minor release (e.g., 4.21.15). The openshift_version file is intended to communicate fallback versions when account role creation fails with the requested version and must retry with a newer one. It should not be written during normal operations where the user's requested version succeeds. Changes: - Add FALLBACK_OCCURRED flag to track actual fallback events - Only write openshift_version file when fallback actually occurs - Update log message to clarify it's storing a fallback version This ensures that when users specify exact versions like "4.21.13" in their job configs, the cluster is provisioned with that exact version rather than being upgraded to the latest available patch release.
---
 .../create/rosa-sts-account-roles-create-commands.sh | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/ci-operator/step-registry/rosa/sts/account-roles/create/rosa-sts-account-roles-create-commands.sh b/ci-operator/step-registry/rosa/sts/account-roles/create/rosa-sts-account-roles-create-commands.sh
index db0d4f6e9de45..5e2133ce379cf 100755
--- a/ci-operator/step-registry/rosa/sts/account-roles/create/rosa-sts-account-roles-create-commands.sh
+++ b/ci-operator/step-registry/rosa/sts/account-roles/create/rosa-sts-account-roles-create-commands.sh
@@ -12,6 +12,7 @@ OPENSHIFT_VERSION=${OPENSHIFT_VERSION:-}
 CHANNEL_GROUP=${CHANNEL_GROUP}
 PERMISSIONS_BOUNDARY=${PERMISSIONS_BOUNDARY:-}
 ACCOUNT_ROLES_PREFIX=$(head -n 1 "${SHARED_DIR}/cluster-prefix")
+FALLBACK_OCCURRED=false
 # Configure aws
 AWSCRED="${CLUSTER_PROFILE_DIR}/.awscred"
@@ -121,6 +122,7 @@ elif [[ "${create_ret}" -ne 0 ]]; then
 echo "Retrying with version ${fallback_version} (was ${OPENSHIFT_VERSION})"
 OPENSHIFT_VERSION="${fallback_version}"
 VERSION_SWITCH="--version ${OPENSHIFT_VERSION} --channel-group ${CHANNEL_GROUP}"
+ FALLBACK_OCCURRED=true
 rosa create account-roles -y --mode auto \
 --prefix ${ACCOUNT_ROLES_PREFIX} \
 ${CLUSTER_SWITCH} \
@@ -134,10 +136,10 @@ elif [[ "${create_ret}" -ne 0 ]]; then
 fi
 fi
-# Share the resolved version (includes fallback if one was used)
-if [[ "${CHANNEL_GROUP}" != "stable" && -n "${OPENSHIFT_VERSION:-}" ]]; then
+# Share the resolved version only if a fallback occurred
+if [[ "${FALLBACK_OCCURRED}" == "true" && "${CHANNEL_GROUP}" != "stable" && -n "${OPENSHIFT_VERSION:-}" ]]; then
 echo -n "${OPENSHIFT_VERSION}" > "${SHARED_DIR}/openshift_version"
- echo "Stored resolved version ${OPENSHIFT_VERSION} to SHARED_DIR"
+ echo "Stored fallback version ${OPENSHIFT_VERSION} to SHARED_DIR"
 fi
 # Store the account-role-prefix for the next pre steps and the account roles deletion
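Review bot: `FALLBACK_OCCURRED=true` in the `@@ -121,6 +122,7 @@` hunk is assigned before the retried `rosa create account-roles` call runs, so the flag records that a retry was attempted rather than that it succeeded. The handling of the retry's exit status sits between this hunk and the next and is not visible; if any path there lets the script continue after a failed retry, the final block would write a fallback version to `${SHARED_DIR}/openshift_version` for which no account roles were created. Moving the assignment to just after the retry's success check, or at least adding `# set before the retry; a failed retry must exit before the version is shared`, would make that invariant explicit. The `elif` body starts and ends outside the hunk.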
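Review bot: The rewritten comment in the `@@ -134,10 +136,10 @@` hunk says the version is shared only if a fallback occurred, but the condition still requires `"${CHANNEL_GROUP}" != "stable"`, so a fallback on the stable channel is never communicated to the provision step. Whether the retry branch can run under `stable` is not visible here; if it can, account roles would be created for the fallback version while provisioning continues with the requested one. Since the consuming step now depends on the file being absent in the normal case, I would state that contract in the comment, e.g. `# Written only after a fallback on a non-stable channel; if the file is absent the requested OPENSHIFT_VERSION is used unchanged`. The fallback still replaces a pinned patch version with only an `echo` as evidence, so a job that pins a version for reproducibility would benefit from that line being worded as a warning.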