test-only;no-merge#81449

Open
hongkailiu wants to merge 2 commits into
openshift:mainfrom
hongkailiu:capa-periodic

Conversation

@hongkailiu hongkailiu commented Jul 3, 2026

Member

/cc nobody

Summary by CodeRabbit

Updated the OpenShift CI periodic job configuration for the openshift/cluster-api-provider-aws repository so the rebasebot workload now runs with a nested-podman-capable image. In practical terms, this changes the periodic CI setup to build a rebasebot image with the tooling needed for nested container execution, then uses that image in the periodic test definition with nested-podman enabled. This should make the rebasebot-based periodic jobs compatible with environments that require podman-in-podman support.

openshift-ci Bot commented Jul 3, 2026

Contributor

@hongkailiu: GitHub didn't allow me to request PR reviews from the following users: nobody.

Note that only openshift members and repo collaborators can review this PR, and authors cannot review their own PRs.

In response to this:

/cc nobody

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

openshift-ci Bot commented Jul 3, 2026

Contributor

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: hongkailiu
Once this PR has been reviewed and has the lgtm label, please assign joelspeed for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@hongkailiu

Member Author

/pj-rehearse

@openshift-merge-bot

Contributor

@hongkailiu: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

coderabbitai Bot commented Jul 3, 2026

Contributor

Walkthrough

Updated periodic CI configuration for openshift-cluster-api-provider-aws to build a nested-podman-capable image for the rebasebot workload, replacing the prior base image reference with a Dockerfile-based build, and updated the test's capabilities and step image reference accordingly.

Changes

Rebasebot CI Image Update

| Layer | File(s) | Summary |
| --- | --- | --- |
| Nested-podman image build | ci-operator/config/openshift/cluster-api-provider-aws/openshift-cluster-api-provider-aws-main__periodics.yaml | Replaces the base_images/rebasebot reference with a new base_images.nested-podman and an images.items entry building rebasebot-podman via a dockerfile_literal that installs dependencies, symlinks docker to podman, and clones/installs rebasebot. |
| Test and step wiring | ci-operator/config/openshift/cluster-api-provider-aws/openshift-cluster-api-provider-aws-main__periodics.yaml | Adds a capabilities entry for nested-podman to the rebasebot test, and changes the step's image source from from_image to from: rebasebot-podman with nested_podman: true. |

Estimated code review effort: 1 (Trivial) | ~5 minutes

🚥 Pre-merge checks | ✅ 14 | ❌ 1

❌ Failed checks (1 inconclusive)

| Check name | Status | Explanation | Resolution |
| --- | --- | --- | --- |
| Title check | ❓ Inconclusive | The title is a non-descriptive meta label and does not summarize the actual CI configuration changes. | Rename it to a concise summary of the main change, such as updating the rebasebot periodic to use nested-podman. |

✅ Passed checks (14 passed)

| Check name | Status | Explanation |
| --- | --- | --- |
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Stable And Deterministic Test Names | ✅ Passed | Only generated CI job YAML changed; no Ginkgo test titles or dynamic names were added or modified. |
| Test Structure And Quality | ✅ Passed | No Ginkgo test code was changed; the PR only updates generated ci-operator YAML/job configs. |
| Microshift Test Compatibility | ✅ Passed | Only Prow job YAML changed (periodic label + a new images presubmit); no Ginkgo/e2e test definitions or MicroShift-unsafe API/resource references were added. |
| Single Node Openshift (Sno) Test Compatibility | ✅ Passed | PR only updates ci-operator YAML for rebasebot; no new Ginkgo e2e tests or SNO-sensitive logic were added. |
| Topology-Aware Scheduling Compatibility | ✅ Passed | Only CI job config changed; no workload manifests/controllers or node-affinity/anti-affinity/spread/PDB changes, so no topology-aware scheduling issue. |
| Ote Binary Stdout Contract | ✅ Passed | PR only changes ci-operator YAML for nested-podman jobs; no OTE binary code or process-level stdout writes were touched. |
| Ipv6 And Disconnected Network Test Compatibility | ✅ Passed | Only ci-operator job YAML changed; no new Ginkgo test code or network-sensitive test logic was added. |
| No-Weak-Crypto | ✅ Passed | Changed files are CI YAML only; scans found no MD5/SHA1/DES/RC4/3DES/Blowfish/ECB or custom crypto/comparison code. |
| Container-Privileges | ✅ Passed | The changed manifest has no privileged/hostPID/hostNetwork/hostIPC/SYS_ADMIN/allowPrivilegeEscalation settings; nested_podman and USER root appear in similar CI image configs too. |
| No-Sensitive-Data-In-Logs | ✅ Passed | The only changed step is a CI command using secret file paths and an internal email; no logging or secret/token output was added. |

Comment @coderabbitai help to get the list of available commands.

@coderabbitai coderabbitai Bot left a comment

Contributor

🧹 Nitpick comments (1)
ci-operator/config/openshift/cluster-api-provider-aws/openshift-cluster-api-provider-aws-main__periodics.yaml (1)

8-17: 🔒 Security & Privacy | 🔵 Trivial | ⚡ Quick win

Pin the rebasebot source to a specific ref/tag.

The Dockerfile clones rebasebot from main and installs it (git clone https://github.com/openshift-eng/rebasebot.git / pip install .) without pinning a commit or tag. This makes the resulting rebasebot-podman image non-reproducible and exposes the CI job to unreviewed upstream changes landing silently.

♻️ Suggested fix: pin to a specific ref
       RUN mkdir -p /opt/app-root/src/ && git -C /opt/app-root/src/ clone https://github.com/openshift-eng/rebasebot.git
+      RUN git -C /opt/app-root/src/rebasebot checkout <pinned-sha-or-tag>
       WORKDIR /opt/app-root/src/rebasebot
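Review bot: the suggested `checkout <pinned-sha-or-tag>` line should pin to a full commit SHA rather than a tag, because a tag is a movable ref and re-pointing it upstream would change the built image without any change in this file; a 40-character commit hash is the only value that cannot be moved. Placing the checkout before the `WORKDIR /opt/app-root/src/rebasebot` line is correct, since the later `pip install .` then installs exactly the pinned tree.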
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In
`@ci-operator/config/openshift/cluster-api-provider-aws/openshift-cluster-api-provider-aws-main__periodics.yaml`
around lines 8 - 17, The Dockerfile for the rebasebot-podman image clones and
installs rebasebot without a fixed ref, making builds non-reproducible. Update
the dockerfile_literal used in the periodic config to check out a specific
commit or tag immediately after the git clone in the rebasebot setup, and keep
the install step tied to that pinned revision so the image build is
deterministic.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 36295937-047d-4297-9da6-7fe3767ddf8e

📥 Commits

Reviewing files that changed from the base of the PR and between c7c2ad4 and 643fca8.

⛔ Files ignored due to path filters (1)
  • ci-operator/jobs/openshift/cluster-api-provider-aws/openshift-cluster-api-provider-aws-main-periodics.yaml is excluded by !ci-operator/jobs/**
📒 Files selected for processing (1)
  • ci-operator/config/openshift/cluster-api-provider-aws/openshift-cluster-api-provider-aws-main__periodics.yaml

@hongkailiu

Member Author

/pj-rehearse periodic-ci-openshift-cluster-api-provider-aws-main-periodics-rebasebot

@openshift-merge-bot

Contributor

@hongkailiu: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

@hongkailiu

Member Author

/pj-rehearse periodic-ci-openshift-cluster-api-provider-aws-main-rebasebot-nested-podman

@openshift-merge-bot

Contributor

@hongkailiu: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In
`@ci-operator/config/openshift/cluster-api-provider-aws/openshift-cluster-api-provider-aws-main.yaml`:
- Around line 118-149: The rebasebot periodic is duplicated, so both the
existing rebasebot job and the new rebasebot-nested-podman job will run the same
command on the same cron and target branch. Remove the older periodic entry and
keep only the nested-podman version, using the rebasebot-nested-podman job
definition in openshift-cluster-api-provider-aws-main.yaml so only one job
pushes to openshift-cloud-team/cluster-api-provider-aws:rebase-bot-main.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 12daec5a-48c0-41a9-969c-d5d05b2a868c

📥 Commits

Reviewing files that changed from the base of the PR and between 643fca8 and 91ce905.

⛔ Files ignored due to path filters (1)
  • ci-operator/jobs/openshift/cluster-api-provider-aws/openshift-cluster-api-provider-aws-main-periodics.yaml is excluded by !ci-operator/jobs/**
📒 Files selected for processing (1)
  • ci-operator/config/openshift/cluster-api-provider-aws/openshift-cluster-api-provider-aws-main.yaml

@openshift-merge-bot

Contributor

@hongkailiu: job(s): either don't exist or were not found to be affected, and cannot be rehearsed

@coderabbitai coderabbitai Bot left a comment

Contributor

🧹 Nitpick comments (2)
ci-operator/config/openshift/cluster-api-provider-aws/openshift-cluster-api-provider-aws-main__periodics.yaml (2)

15-15: 📐 Maintainability & Code Quality | 🔵 Trivial | 💤 Low value

uv installed but never used.

Line 15 installs uv via pip, then immediately runs python3.12 -m pip install . directly instead of using uv. This looks like leftover/dead scaffolding.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In
`@ci-operator/config/openshift/cluster-api-provider-aws/openshift-cluster-api-provider-aws-main__periodics.yaml`
at line 15, The periodic job setup installs uv but never uses it, so remove the
unused installation or switch the install step in the affected RUN command to
use uv consistently. Update the job definition in
openshift-cluster-api-provider-aws-main__periodics.yaml so the build/install
flow matches the intended toolchain and does not leave dead scaffolding in the
container setup.

8-17: 📐 Maintainability & Code Quality | 🔵 Trivial | ⚡ Quick win

Unpinned upstream clone risks silent build breaks.

The Dockerfile clones rebasebot from main HEAD with no commit/tag pin (Line 13). Any upstream change to that branch will silently change the built image without a corresponding change here, making periodic runs non-reproducible.

♻️ Pin to a specific commit or tag
-      RUN mkdir -p /opt/app-root/src/ && git -C /opt/app-root/src/ clone https://github.com/openshift-eng/rebasebot.git
+      RUN mkdir -p /opt/app-root/src/ && git -C /opt/app-root/src/ clone --branch <pinned-ref> https://github.com/openshift-eng/rebasebot.git
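Review bot: `git clone --branch <pinned-ref>` accepts a branch or tag name but not a commit hash, so this form can at best pin to a tag, and tags can be re-pointed upstream; it does not give the reproducibility the finding asks for. To pin to an immutable revision, keep the plain `clone` and add a separate `git -C /opt/app-root/src/rebasebot checkout <full-commit-sha>` before the `WORKDIR` line, as the earlier review on this PR already suggested.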
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In
`@ci-operator/config/openshift/cluster-api-provider-aws/openshift-cluster-api-provider-aws-main__periodics.yaml`
around lines 8 - 17, The rebasebot image build is cloning the upstream
repository from a moving branch, which makes the periodic image
non-reproducible. Update the Dockerfile_literal in the rebasebot-podman image
definition to check out a fixed commit or tag after the clone, and keep the
change localized to the RUN step that clones and enters
/opt/app-root/src/rebasebot so future builds stay pinned to a known revision.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 9f7594fd-446f-468e-a550-6c7099737eb7

📥 Commits

Reviewing files that changed from the base of the PR and between 91ce905 and a55c292.

⛔ Files ignored due to path filters (2)
  • ci-operator/jobs/openshift/cluster-api-provider-aws/openshift-cluster-api-provider-aws-main-periodics.yaml is excluded by !ci-operator/jobs/**
  • ci-operator/jobs/openshift/cluster-api-provider-aws/openshift-cluster-api-provider-aws-main-presubmits.yaml is excluded by !ci-operator/jobs/**
📒 Files selected for processing (1)
  • ci-operator/config/openshift/cluster-api-provider-aws/openshift-cluster-api-provider-aws-main__periodics.yaml
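Both CodeRabbit findings on lines 8-17 of the periodics config (the first review and the one above) make the same supply-chain point: an image built from an unpinned `git clone` of a moving branch is not reproducible, and whatever lands upstream becomes part of the CI image without review. The helper below is an added example, not code from this PR or from openshift-eng/rebasebot, showing what a pinned clone step that also verifies itself looks like. The function name `clone_pinned` and its three arguments are hypothetical; it only accepts a full 40-character commit hash (not a tag or branch, since both can be moved), checks the commit out, and then confirms that `HEAD` really is that commit before the caller goes on to `pip install .`. A non-zero return from any step fails the surrounding `RUN` instruction, so a drifted or mistyped pin breaks the build loudly instead of silently building something else.

```shell
#!/bin/sh
# Added example (not part of the PR or of openshift-eng/rebasebot):
# clone a repository at a pinned commit and verify the checkout.
# clone_pinned, and its URL/SHA/DEST arguments, are hypothetical names.

# clone_pinned URL SHA DEST
#   Clones URL into DEST, checks out the full commit SHA and refuses to
#   succeed unless HEAD is exactly that commit. Returns 2 for a malformed
#   pin, 1 for any git failure or mismatch, 0 when the tree is verified.
clone_pinned() {
    url=$1
    sha=$2
    dest=$3

    # Only a full lowercase hex hash is accepted as a pin: branch and tag
    # names can be re-pointed upstream, and abbreviated hashes can become
    # ambiguous as the upstream history grows.
    case "$sha" in
        ''|*[!0-9a-f]*)
            echo "clone_pinned: pin must be a lowercase hex commit hash" >&2
            return 2 ;;
    esac
    if [ "${#sha}" -ne 40 ]; then
        echo "clone_pinned: pin must be 40 hex characters, got ${#sha}" >&2
        return 2
    fi

    git clone -q "$url" "$dest" || return 1
    # Detached checkout of the pinned commit; the advice message is noise
    # in a container build log, so it is silenced for this one call.
    git -C "$dest" -c advice.detachedHead=false checkout -q "$sha" || return 1

    # Verify rather than trust: what got checked out must be the pin.
    head=$(git -C "$dest" rev-parse HEAD) || return 1
    if [ "$head" != "$sha" ]; then
        echo "clone_pinned: expected $sha but HEAD is $head" >&2
        return 1
    fi
    return 0
}
```

In a Dockerfile this would replace the unpinned clone line with a `RUN clone_pinned https://github.com/openshift-eng/rebasebot.git <full-commit-sha> /opt/app-root/src/rebasebot` step (the hash is a placeholder to be filled from the reviewed upstream commit), followed by the existing `WORKDIR` and `pip install .` lines, so the installed package always comes from the tree that was verified.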

@openshift-merge-bot

Contributor

[REHEARSALNOTIFIER]
@hongkailiu: the pj-rehearse plugin accommodates running rehearsal tests for the changes in this PR. Expand 'Interacting with pj-rehearse' for usage details. The following rehearsable tests have been affected by this change:

| Test name | Repo | Type | Reason |
| --- | --- | --- | --- |
| pull-ci-openshift-cluster-api-provider-aws-main-periodics-images | openshift/cluster-api-provider-aws | presubmit | Presubmit changed |
| periodic-ci-openshift-cluster-api-provider-aws-main-periodics-rebasebot | N/A | periodic | Ci-operator config changed |
Interacting with pj-rehearse

Comment: /pj-rehearse to run up to 5 rehearsals
Comment: /pj-rehearse skip to opt-out of rehearsals
Comment: /pj-rehearse {test-name}, with each test separated by a space, to run one or more specific rehearsals
Comment: /pj-rehearse more to run up to 10 rehearsals
Comment: /pj-rehearse max to run up to 25 rehearsals
Comment: /pj-rehearse auto-ack to run up to 5 rehearsals, and add the rehearsals-ack label on success
Comment: /pj-rehearse list to get an up-to-date list of affected jobs
Comment: /pj-rehearse abort to abort all active rehearsals
Comment: /pj-rehearse network-access-allowed to allow rehearsals of tests that have the restrict_network_access field set to false. This must be executed by an openshift org member who is not the PR author

Once you are satisfied with the results of the rehearsals, comment: /pj-rehearse ack to unblock merge. When the rehearsals-ack label is present on your PR, merge will no longer be blocked by rehearsals.
If you would like the rehearsals-ack label removed, comment: /pj-rehearse reject to re-block merging.

@hongkailiu

Member Author

/pj-rehearse periodic-ci-openshift-cluster-api-provider-aws-main-rebasebot-nested-podman

@openshift-merge-bot

Contributor

@hongkailiu: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

@openshift-merge-bot

Contributor

@hongkailiu: job(s): periodic-ci-openshift-cluster-api-provider-aws-main-rebasebot-nested-podman either don't exist or were not found to be affected, and cannot be rehearsed

@hongkailiu

Member Author

/pj-rehearse

@openshift-merge-bot

Contributor

@hongkailiu: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

openshift-ci Bot commented Jul 3, 2026

Contributor

@hongkailiu: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

| Test name | Commit | Details | Required | Rerun command |
| --- | --- | --- | --- | --- |
| ci/rehearse/periodic-ci-openshift-cluster-api-provider-aws-main-rebasebot-nested-podman | 91ce905 | link | unknown | /pj-rehearse periodic-ci-openshift-cluster-api-provider-aws-main-rebasebot-nested-podman |
| ci/rehearse/openshift/cluster-api-provider-aws/main/periodics-images | a55c292 | link | unknown | /pj-rehearse pull-ci-openshift-cluster-api-provider-aws-main-periodics-images |
| ci/rehearse/periodic-ci-openshift-cluster-api-provider-aws-main-periodics-rebasebot | a55c292 | link | unknown | /pj-rehearse periodic-ci-openshift-cluster-api-provider-aws-main-periodics-rebasebot |

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

1 participant