test-only;no-merge#81449
|
@hongkailiu: GitHub didn't allow me to request PR reviews from the following users: nobody. Note that only openshift members and repo collaborators can review this PR, and authors cannot review their own PRs. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
|
[APPROVALNOTIFIER] This PR is NOT APPROVED
This pull-request has been approved by: hongkailiu
The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
|
/pj-rehearse |
|
@hongkailiu: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel. |
Walkthrough
Updated periodic CI configuration for openshift-cluster-api-provider-aws to build a nested-podman-capable image for the rebasebot workload, replacing the prior base image reference with a Dockerfile-based build, and updated the test's capabilities and step image reference accordingly.
Changes
Rebasebot CI Image Update
Estimated code review effort: 1 (Trivial) | ~5 minutes
🚥 Pre-merge checks | ✅ 14 | ❌ 1
❌ Failed checks (1 inconclusive)
✅ Passed checks (14 passed)
|
🧹 Nitpick comments (1)
ci-operator/config/openshift/cluster-api-provider-aws/openshift-cluster-api-provider-aws-main__periodics.yaml (1)
8-17: 🔒 Security & Privacy | 🔵 Trivial | ⚡ Quick win
Pin the rebasebot source to a specific ref/tag.
The Dockerfile clones `rebasebot` from `main` and installs it (`git clone https://github.com/openshift-eng/rebasebot.git` / `pip install .`) without pinning a commit or tag. This makes the resulting `rebasebot-podman` image non-reproducible and exposes the CI job to unreviewed upstream changes landing silently.
♻️ Suggested fix: pin to a specific ref
RUN mkdir -p /opt/app-root/src/ && git -C /opt/app-root/src/ clone https://github.com/openshift-eng/rebasebot.git + RUN git -C /opt/app-root/src/rebasebot checkout <pinned-sha-or-tag> WORKDIR /opt/app-root/src/rebasebot🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@ci-operator/config/openshift/cluster-api-provider-aws/openshift-cluster-api-provider-aws-main__periodics.yaml` around lines 8 - 17, The Dockerfile for the rebasebot-podman image clones and installs rebasebot without a fixed ref, making builds non-reproducible. Update the dockerfile_literal used in the periodic config to check out a specific commit or tag immediately after the git clone in the rebasebot setup, and keep the install step tied to that pinned revision so the image build is deterministic.
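Review bot: the added `RUN git -C /opt/app-root/src/rebasebot checkout <pinned-sha-or-tag>` line in the suggested fix still allows a tag, and a tag can be re-pointed upstream, so it does not give the immutability the comment asks for; require a full commit SHA there and note in a Dockerfile comment which rebasebot revision it corresponds to. The checkout should stay ahead of the `WORKDIR` and install steps, as placed, so the install is built from the pinned tree.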
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Nitpick comments:
In
`@ci-operator/config/openshift/cluster-api-provider-aws/openshift-cluster-api-provider-aws-main__periodics.yaml`:
- Around line 8-17: The Dockerfile for the rebasebot-podman image clones and
installs rebasebot without a fixed ref, making builds non-reproducible. Update
the dockerfile_literal used in the periodic config to check out a specific
commit or tag immediately after the git clone in the rebasebot setup, and keep
the install step tied to that pinned revision so the image build is
deterministic.
ℹ️ Review info
⚙️ Run configuration
Configuration used: Repository YAML (base), Central YAML (inherited)
Review profile: CHILL
Plan: Enterprise
Run ID: 36295937-047d-4297-9da6-7fe3767ddf8e
⛔ Files ignored due to path filters (1)
`ci-operator/jobs/openshift/cluster-api-provider-aws/openshift-cluster-api-provider-aws-main-periodics.yaml` is excluded by `!ci-operator/jobs/**`
📒 Files selected for processing (1)
ci-operator/config/openshift/cluster-api-provider-aws/openshift-cluster-api-provider-aws-main__periodics.yaml
|
/pj-rehearse periodic-ci-openshift-cluster-api-provider-aws-main-periodics-rebasebot |
|
@hongkailiu: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel. |
|
/pj-rehearse periodic-ci-openshift-cluster-api-provider-aws-main-rebasebot-nested-podman |
|
@hongkailiu: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel. |
Actionable comments posted: 1
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In
`@ci-operator/config/openshift/cluster-api-provider-aws/openshift-cluster-api-provider-aws-main.yaml`:
- Around line 118-149: The rebasebot periodic is duplicated, so both the
existing rebasebot job and the new rebasebot-nested-podman job will run the same
command on the same cron and target branch. Remove the older periodic entry and
keep only the nested-podman version, using the rebasebot-nested-podman job
definition in openshift-cluster-api-provider-aws-main.yaml so only one job
pushes to openshift-cloud-team/cluster-api-provider-aws:rebase-bot-main.
ℹ️ Review info
⚙️ Run configuration
Configuration used: Repository YAML (base), Central YAML (inherited)
Review profile: CHILL
Plan: Enterprise
Run ID: 12daec5a-48c0-41a9-969c-d5d05b2a868c
⛔ Files ignored due to path filters (1)
`ci-operator/jobs/openshift/cluster-api-provider-aws/openshift-cluster-api-provider-aws-main-periodics.yaml` is excluded by `!ci-operator/jobs/**`
📒 Files selected for processing (1)
ci-operator/config/openshift/cluster-api-provider-aws/openshift-cluster-api-provider-aws-main.yaml
|
@hongkailiu: job(s): either don't exist or were not found to be affected, and cannot be rehearsed |
🧹 Nitpick comments (2)
ci-operator/config/openshift/cluster-api-provider-aws/openshift-cluster-api-provider-aws-main__periodics.yaml (2)
15-15: 📐 Maintainability & Code Quality | 🔵 Trivial | 💤 Low value
`uv` installed but never used.
Line 15 installs `uv` via pip, then immediately runs `python3.12 -m pip install .` directly instead of using `uv`. This looks like leftover/dead scaffolding.
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@ci-operator/config/openshift/cluster-api-provider-aws/openshift-cluster-api-provider-aws-main__periodics.yaml` at line 15, The periodic job setup installs uv but never uses it, so remove the unused installation or switch the install step in the affected RUN command to use uv consistently. Update the job definition in openshift-cluster-api-provider-aws-main__periodics.yaml so the build/install flow matches the intended toolchain and does not leave dead scaffolding in the container setup.
8-17: 📐 Maintainability & Code Quality | 🔵 Trivial | ⚡ Quick win
Unpinned upstream clone risks silent build breaks.
The Dockerfile clones `rebasebot` from `main` HEAD with no commit/tag pin (Line 13). Any upstream change to that branch will silently change the built image without a corresponding change here, making periodic runs non-reproducible.
♻️ Pin to a specific commit or tag
- RUN mkdir -p /opt/app-root/src/ && git -C /opt/app-root/src/ clone https://github.com/openshift-eng/rebasebot.git + RUN mkdir -p /opt/app-root/src/ && git -C /opt/app-root/src/ clone --branch <pinned-ref> https://github.com/openshift-eng/rebasebot.git🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@ci-operator/config/openshift/cluster-api-provider-aws/openshift-cluster-api-provider-aws-main__periodics.yaml` around lines 8 - 17, The rebasebot image build is cloning the upstream repository from a moving branch, which makes the periodic image non-reproducible. Update the Dockerfile_literal in the rebasebot-podman image definition to check out a fixed commit or tag after the clone, and keep the change localized to the RUN step that clones and enters /opt/app-root/src/rebasebot so future builds stay pinned to a known revision.
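Review bot: the replacement clone line uses `clone --branch <pinned-ref>`, and `--branch` takes a branch or tag name rather than a commit SHA, so this form cannot pin to a commit and a moved tag or branch would still change the image. Keep the plain clone and add a separate `git -C /opt/app-root/src/rebasebot checkout` of a full commit SHA after it.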
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Nitpick comments:
In
`@ci-operator/config/openshift/cluster-api-provider-aws/openshift-cluster-api-provider-aws-main__periodics.yaml`:
- Line 15: The periodic job setup installs uv but never uses it, so remove the
unused installation or switch the install step in the affected RUN command to
use uv consistently. Update the job definition in
openshift-cluster-api-provider-aws-main__periodics.yaml so the build/install
flow matches the intended toolchain and does not leave dead scaffolding in the
container setup.
- Around line 8-17: The rebasebot image build is cloning the upstream repository
from a moving branch, which makes the periodic image non-reproducible. Update
the Dockerfile_literal in the rebasebot-podman image definition to check out a
fixed commit or tag after the clone, and keep the change localized to the RUN
step that clones and enters /opt/app-root/src/rebasebot so future builds stay
pinned to a known revision.
ℹ️ Review info
⚙️ Run configuration
Configuration used: Repository YAML (base), Central YAML (inherited)
Review profile: CHILL
Plan: Enterprise
Run ID: 9f7594fd-446f-468e-a550-6c7099737eb7
⛔ Files ignored due to path filters (2)
`ci-operator/jobs/openshift/cluster-api-provider-aws/openshift-cluster-api-provider-aws-main-periodics.yaml` is excluded by `!ci-operator/jobs/**`
`ci-operator/jobs/openshift/cluster-api-provider-aws/openshift-cluster-api-provider-aws-main-presubmits.yaml` is excluded by `!ci-operator/jobs/**`
📒 Files selected for processing (1)
ci-operator/config/openshift/cluster-api-provider-aws/openshift-cluster-api-provider-aws-main__periodics.yaml
|
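A lint for the unpinned-clone finding raised in the review comments above, as an added example (not code from this PR, rebasebot or the review bot): it flags any `git clone` in a Dockerfile that is never followed by a `git -C <dir> checkout` of a full 40-character commit SHA. Assumptions: the function names, the sample Dockerfiles, the placeholder SHA and the placeholder tag are constructed here, and a tag or `--branch` ref is treated as unpinned because both can be moved upstream.

```python
import re
import shlex

FULL_SHA = re.compile(r"^[0-9a-f]{40}$")
URL = "https://github.com/openshift-eng/rebasebot.git"
CLONE = f"RUN mkdir -p /opt/app-root/src/ && git -C /opt/app-root/src/ clone {URL}\n"
# Constructed samples; the SHA and tag below are placeholders, not real refs.
UNPINNED = CLONE + "WORKDIR /opt/app-root/src/rebasebot\n"
TAGGED = CLONE.replace("clone ", "clone --branch example-tag ")
PINNED = (CLONE + "RUN git -C /opt/app-root/src/rebasebot checkout "
          + "0123456789abcdef" * 2 + "01234567\n")


def git_commands(dockerfile):
    """Yield the argv of every git invocation found in RUN instructions."""
    text = re.sub(r"\\\n", " ", dockerfile)      # join continuation lines
    for line in text.splitlines():
        line = line.strip()
        if not line.upper().startswith("RUN "):
            continue
        for part in re.split(r"&&|;", line[4:]):  # simple shell-chain split
            argv = shlex.split(part)
            if argv and argv[0] == "git":
                yield argv


def repo_name(path_or_url):
    """Directory name git gives a clone: last path element minus '.git'."""
    return path_or_url.rstrip("/").rsplit("/", 1)[-1].removesuffix(".git")


def unpinned_clones(dockerfile):
    """Return clone URLs never followed by a checkout of a full commit SHA."""
    pending = {}                                  # repo dir name -> clone URL
    for argv in git_commands(dockerfile):
        args, workdir = argv[1:], ""
        if args[:1] == ["-C"] and len(args) >= 2:
            workdir, args = args[1], args[2:]
        if not args:
            continue
        if args[0] == "clone":
            urls = [a for a in args[1:] if "://" in a or a.startswith("git@")]
            if urls:
                pending[repo_name(urls[0])] = urls[0]
        elif args[0] == "checkout" and len(args) > 1 and FULL_SHA.match(args[1]):
            pending.pop(repo_name(workdir), None)  # only a full SHA counts
    return sorted(pending.values())


if __name__ == "__main__":
    for name in ("UNPINNED", "TAGGED", "PINNED"):
        print(name, unpinned_clones(globals()[name]))
```

The check only recognises the `git -C <dir> checkout` form used on this page; a checkout that relies on a preceding `WORKDIR` is not tracked and would be reported as unpinned.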
[REHEARSALNOTIFIER]
Interacting with pj-rehearse
Comment: Once you are satisfied with the results of the rehearsals, comment: |
|
/pj-rehearse periodic-ci-openshift-cluster-api-provider-aws-main-rebasebot-nested-podman |
|
@hongkailiu: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel. |
|
@hongkailiu: job(s): periodic-ci-openshift-cluster-api-provider-aws-main-rebasebot-nested-podman either don't exist or were not found to be affected, and cannot be rehearsed |
|
/pj-rehearse |
|
@hongkailiu: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel. |
|
@hongkailiu: The following tests failed, say
Full PR test history. Your PR dashboard. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here. |
/cc nobody
Summary by CodeRabbit
Updated the OpenShift CI periodic job configuration for the `openshift/cluster-api-provider-aws` repository so the rebasebot workload now runs with a nested-podman-capable image. In practical terms, this changes the periodic CI setup to build a rebasebot image with the tooling needed for nested container execution, then uses that image in the periodic test definition with nested-podman enabled. This should make the rebasebot-based periodic jobs compatible with environments that require podman-in-podman support.