[ci-operator] propagate binary-input dependencies so images are rebuilt when any of their binaries changes

[droslean]

/cc @testplatform

[openshift-ci-robot]

Pipeline controller notification
This repo is configured to use the pipeline controller. Second-stage tests will be triggered either automatically or after lgtm label is added, depending on the repository configuration. The pipeline controller will automatically detect which contexts are required and will utilize /test Prow commands to trigger the second stage.

For optional jobs, comment /test ? to see a list of all defined jobs. To trigger manually all jobs from second stage use /pipeline required command.

This repository is configured in: automatic mode

[openshift-ci]

@droslean: GitHub didn't allow me to request PR reviews from the following users: testplatform.

Note that only openshift members and repo collaborators can review this PR, and authors cannot review their own PRs.

Details

In response to this:

/cc @testplatform

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[coderabbitai]

Walkthrough

Detector.AffectedTools now computes additional affected tools based on configured image "bin" inputs via a new helper getAffectedToolsByBinaryInputs, and unions those results with existing package/image-derived affected sets. Unit tests for the new helper were added.

Changes

Cohort / File(s)	Summary
Detector Implementation pkg/tool-detector/detector.go	Added getAffectedToolsByBinaryInputs(alreadyAffected sets.Set[string]) which scans d.config.Images for Inputs["bin"] and marks image.To when any bin path basename is in alreadyAffected. Updated AffectedTools() to compute and include binary-input-derived affected tools in both early-exit and main paths, and to log the new counts.
Detector Tests pkg/tool-detector/detector_test.go	Added TestDetector_getAffectedToolsByBinaryInputs table-driven tests: nil config -> empty set, ignore images without "bin" key, match bundle images when bin Paths basenames intersect alreadyAffected, combine multiple matches, deduplicate when bundle already present, and skip non-"bin" input keys.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

📝 Coding Plan

• Generate coding plan for human review comments

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: droslean

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS [droslean]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@pkg/tool-detector/detector.go`:
- Around line 79-80: The code is incorrectly seeding
getAffectedToolsByBinaryInputs with affectedByImageChanges which fans out
bin-image-only edits; change calls to d.getAffectedToolsByBinaryInputs so they
only receive the set of tools whose binary inputs actually changed (i.e., the
inputs["bin"] diff/changeset or an explicit affectedByBinaryChanges value)
instead of affectedByImageChanges, and remove the union with
affectedByImageChanges where used (also update the other occurrences that call
getAffectedToolsByBinaryInputs at the other two sites). Ensure the union/merge
only happens when a real binary-input change is detected, not for
image-context-only changes.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 3e286298-6528-456a-a26b-7fbf879f5814

📥 Commits

Reviewing files that changed from the base of the PR and between b5e0fe5 and 64c3054.

📒 Files selected for processing (2)

• pkg/tool-detector/detector.go
• pkg/tool-detector/detector_test.go

🚧 Files skipped from review as they are similar to previous changes (1)

• pkg/tool-detector/detector_test.go

[coderabbitai]

⚠️ Potential issue | 🟠 Major

Don't fan out inputs["bin"] dependencies from image-context changes.

getAffectedToolsByBinaryInputs models consumers of binaries copied from the bin image. Seeding it with affectedByImageChanges means a Dockerfile/context-only edit can also rebuild downstream bundle images whose copied binary never changed, which widens the rebuild set beyond the PR goal.

Possible fix

 if len(goFiles) == 0 {
-	combined := affectedByImageChanges.Union(d.getAffectedToolsByBinaryInputs(affectedByImageChanges))
-	return combined, nil
+	return affectedByImageChanges, nil
 }
 ...
 if len(changedPackages) == 0 {
-	combined := affectedByImageChanges.Union(d.getAffectedToolsByBinaryInputs(affectedByImageChanges))
-	return combined, nil
+	return affectedByImageChanges, nil
 }
 ...
 combined := affectedByPackages.Union(affectedByImageChanges)
-affectedByBinaryInputs := d.getAffectedToolsByBinaryInputs(combined)
+affectedByBinaryInputs := d.getAffectedToolsByBinaryInputs(affectedByPackages)

Also applies to: 90-91, 101-103

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@pkg/tool-detector/detector.go` around lines 79 - 80, The code is incorrectly
seeding getAffectedToolsByBinaryInputs with affectedByImageChanges which fans
out bin-image-only edits; change calls to d.getAffectedToolsByBinaryInputs so
they only receive the set of tools whose binary inputs actually changed (i.e.,
the inputs["bin"] diff/changeset or an explicit affectedByBinaryChanges value)
instead of affectedByImageChanges, and remove the union with
affectedByImageChanges where used (also update the other occurrences that call
getAffectedToolsByBinaryInputs at the other two sites). Ensure the union/merge
only happens when a real binary-input change is detected, not for
image-context-only changes.

[openshift-ci-robot]

Scheduling tests matching the pipeline_run_if_changed or not excluded by pipeline_skip_if_only_changed parameters:
/test e2e

[openshift-ci]

@droslean: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/breaking-changes	64c3054	link	false	/test breaking-changes

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.