OCPBUGS-87334: Updating ose-cluster-cloud-controller-manager-operator-container image to be consistent with ART for 5.0

[openshift-bot]

Updating ose-cluster-cloud-controller-manager-operator-container image to be consistent with ART for 5.0
TLDR:
Product builds by ART can be configured for different base and builder images than corresponding CI
builds. This automated PR requests a change to CI configuration to align with ART's configuration;
please take steps to merge it quickly or contact ART to coordinate changes.

The configuration in the following ART component metadata is driving this alignment request:
ose-cluster-cloud-controller-manager-operator.yml.

Detail:

This repository is out of sync with the downstream product builds for this component. The CI
configuration for at least one image differs from ART's expected product configuration. This should
be addressed to ensure that the component's CI testing accurate reflects what customers will
experience.

Most of these PRs are opened as an ART-driven proposal to migrate base image or builder(s) to a
different version, usually prior to GA. The intent is to effect changes in both configurations
simultaneously without breaking either CI or ART builds, so usually ART builds are configured to
consider CI as canonical and attempt to match CI config until the PR merges to align both. ART may
also configure changes in GA releases with CI remaining canonical for a brief grace period to enable
CI to succeed and the alignment PR to merge. In either case, ART configuration will be made
canonical at some point (typically at branch-cut before GA or release dev-cut after GA), so it is
important to align CI configuration as soon as possible.

PRs are also triggered when CI configuration changes without ART coordination, for instance to
change the number of builder images or to use a different golang version. These changes should be
coordinated with ART; whether ART configuration is canonical or not, preferably it would be updated
first to enable the changes to occur simultaneously in both CI and ART at the same time. This also
gives ART a chance to validate the intended changes first. For instance, ART compiles most
components with the Golang version being used by the control plane for a given OpenShift release.
Exceptions to this convention (i.e. you believe your component must be compiled with a Golang
version independent from the control plane) must be granted by the OpenShift staff engineers and
communicated to the ART team.

Roles & Responsibilities:

• Component owners are responsible for ensuring these alignment PRs merge with passing
  tests OR that necessary metadata changes are reported to the ART team
  in #forum-ocp-art on Slack. If necessary, the changes required by this pull request can be
  introduced with a separate PR opened by the component team. Once the repository is aligned,
  this PR will be closed automatically.
• In particular, it could be that a job like verify-deps is complaining. In that case, please open
  a new PR with the dependency issues addressed (and base images bumped). ART-9595 for reference.
• Patch-manager or those with sufficient privileges within this repository may add
  any required labels to ensure the PR merges once tests are passing. In cases where ART config is
  canonical, downstream builds are already being built with these changes, and merging this PR
  only improves the fidelity of our CI. In cases where ART config is not canonical, this provides
  a grace period for the component team to align their CI with ART's configuration before it becomes
  canonical in product builds.

ART has been configured to reconcile your CI build root image (see https://docs.ci.openshift.org/docs/architecture/ci-operator/#build-root-image).
In order for your upstream .ci-operator.yaml configuration to be honored, you must set the following in your openshift/release ci-operator configuration file:

build_root:
  from_repository: true

Change behavior of future PRs:

• In case you just want to follow the base images that ART suggests, you can configure additional labels to be
  set up automatically. This means that such a PR would merge without human intervention (and awareness!) in the future.
  To do so, open a PR to set the auto_label attribute in the image configuration. Example
• You can set a commit prefix, like UPSTREAM: <carry>: . An example.

If you have any questions about this pull request, please reach out in the #forum-ocp-art Slack channel.

Summary by CodeRabbit

• Chores
  • Updated build infrastructure and runtime base image versions to maintain system stability and compatibility with current infrastructure standards.

[openshift-bot]

Created by ART pipeline job run https://art-jenkins.apps.prod-stable-spoke1-dc-iad2.itup.redhat.com/job/aos-cd-builds/job/build%252Fsync-ci-images/201

[coderabbitai]

Walkthrough

This PR updates base image versions across the build pipeline: the CI operator configuration now references Go 1.25 with OpenShift 5.0, and the Dockerfile runtime stage uses the 5.0 base image instead of 4.22, aligning both build artifacts with a newer OpenShift release.

Changes

Base Image and Runtime Version Updates

Layer / File(s)	Summary
Build image and runtime base image tag updates .ci-operator.yaml, Dockerfile	CI operator configuration Go/OpenShift RHEL release tag updated to golang-1.25-openshift-5.0, and Dockerfile runtime stage base image tag updated from 4.22 to 5.0.

🎯 2 (Simple) | ⏱️ ~8 minutes

🚥 Pre-merge checks | ✅ 12 | ❌ 3

❌ Failed checks (3 warnings)

Check name	Status	Explanation	Resolution
Test Structure And Quality	⚠️ Warning	New Ginkgo tests in PR lack explicit timeouts on 16+ Eventually calls and lack meaningful assertion failure messages.	Add explicit timeout parameters to all Eventually/Consistently calls and include descriptive failure messages in all Expect assertions.
Microshift Test Compatibility	⚠️ Warning	New Ginkgo e2e tests added in openshift-tests/ccm-aws-tests/e2e/aws/loadbalancer.go use config.openshift.io APIs (Infrastructure, FeatureGate) unavailable on MicroShift, lack MicroShift skip markers.	Add [apigroup:config.openshift.io] tag to test name or guard tests with IsMicroShiftCluster() check to skip on MicroShift.
Single Node Openshift (Sno) Test Compatibility	⚠️ Warning	New test vsphere_mixed_node.go expects >=1 worker node and multiple control-plane nodes, which fails on SNO where all roles run on single node.	Add [Skipped:SingleReplicaTopology] label to tests or guard with exutil.IsSingleNode() check that skips on SNO.

✅ Passed checks (12 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names	✅ Passed	PR only modifies infrastructure files (.ci-operator.yaml, Dockerfile); no Ginkgo test definitions present or modified, making this check not applicable.
Topology-Aware Scheduling Compatibility	✅ Passed	PR modifies only build configuration files (.ci-operator.yaml and Dockerfile), not deployment manifests, operator code, or controllers. No scheduling constraints are introduced.
Ote Binary Stdout Contract	✅ Passed	PR modifies only configuration files (.ci-operator.yaml, Dockerfile), not Go source code. OTE Binary Stdout Contract check applies only to process-level Go code modifications.
Ipv6 And Disconnected Network Test Compatibility	✅ Passed	PR only modifies CI configuration files. No new Ginkgo e2e tests are added, so the IPv6/disconnected network check does not apply.
No-Weak-Crypto	✅ Passed	PR contains no weak cryptography: no MD5, SHA1, DES, RC4, 3DES, Blowfish, ECB usage found. Code uses SHA256, TLS, and x509 properly. Changes are CI/build configuration only.
Container-Privileges	✅ Passed	The PR only updates .ci-operator.yaml and Dockerfile for image/toolchain. No privilege configurations like privileged, hostPID, hostIPC, SYS_ADMIN, or allowPrivilegeEscalation are introduced.
No-Sensitive-Data-In-Logs	✅ Passed	PR contains no logging statements or sensitive data in logs. It only updates CI/Dockerfile configuration tags for image versions.
Title check	✅ Passed	The title clearly and specifically summarizes the main change: updating container image configuration to align with ART requirements for OpenShift 5.0, which matches the changeset modifications to CI operator and Dockerfile configurations.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign elmiko for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[openshift-ci-robot]

@openshift-bot: This pull request references Jira Issue OCPBUGS-87334, which is valid. The bug has been moved to the POST state.

3 validation(s) were run on this bug

• bug is open, matching expected state (open)
• bug target version (5.0.0) matches configured target version for branch (5.0.0)
• bug is in the state New, which is one of the valid states (NEW, ASSIGNED, POST)

The bug has been updated to refer to the pull request using the external bug tracker.

Details

In response to this:

Updating ose-cluster-cloud-controller-manager-operator-container image to be consistent with ART for 5.0
TLDR:
Product builds by ART can be configured for different base and builder images than corresponding CI
builds. This automated PR requests a change to CI configuration to align with ART's configuration;
please take steps to merge it quickly or contact ART to coordinate changes.

The configuration in the following ART component metadata is driving this alignment request:
ose-cluster-cloud-controller-manager-operator.yml.

Detail:

This repository is out of sync with the downstream product builds for this component. The CI
configuration for at least one image differs from ART's expected product configuration. This should
be addressed to ensure that the component's CI testing accurate reflects what customers will
experience.

Most of these PRs are opened as an ART-driven proposal to migrate base image or builder(s) to a
different version, usually prior to GA. The intent is to effect changes in both configurations
simultaneously without breaking either CI or ART builds, so usually ART builds are configured to
consider CI as canonical and attempt to match CI config until the PR merges to align both. ART may
also configure changes in GA releases with CI remaining canonical for a brief grace period to enable
CI to succeed and the alignment PR to merge. In either case, ART configuration will be made
canonical at some point (typically at branch-cut before GA or release dev-cut after GA), so it is
important to align CI configuration as soon as possible.

PRs are also triggered when CI configuration changes without ART coordination, for instance to
change the number of builder images or to use a different golang version. These changes should be
coordinated with ART; whether ART configuration is canonical or not, preferably it would be updated
first to enable the changes to occur simultaneously in both CI and ART at the same time. This also
gives ART a chance to validate the intended changes first. For instance, ART compiles most
components with the Golang version being used by the control plane for a given OpenShift release.
Exceptions to this convention (i.e. you believe your component must be compiled with a Golang
version independent from the control plane) must be granted by the OpenShift staff engineers and
communicated to the ART team.

Roles & Responsibilities:

• Component owners are responsible for ensuring these alignment PRs merge with passing
  tests OR that necessary metadata changes are reported to the ART team
  in #forum-ocp-art on Slack. If necessary, the changes required by this pull request can be
  introduced with a separate PR opened by the component team. Once the repository is aligned,
  this PR will be closed automatically.
• In particular, it could be that a job like verify-deps is complaining. In that case, please open
  a new PR with the dependency issues addressed (and base images bumped). ART-9595 for reference.
• Patch-manager or those with sufficient privileges within this repository may add
  any required labels to ensure the PR merges once tests are passing. In cases where ART config is
  canonical, downstream builds are already being built with these changes, and merging this PR
  only improves the fidelity of our CI. In cases where ART config is not canonical, this provides
  a grace period for the component team to align their CI with ART's configuration before it becomes
  canonical in product builds.

ART has been configured to reconcile your CI build root image (see https://docs.ci.openshift.org/docs/architecture/ci-operator/#build-root-image).
In order for your upstream .ci-operator.yaml configuration to be honored, you must set the following in your openshift/release ci-operator configuration file:

build_root:
 from_repository: true

Change behavior of future PRs:

• In case you just want to follow the base images that ART suggests, you can configure additional labels to be
  set up automatically. This means that such a PR would merge without human intervention (and awareness!) in the future.
  To do so, open a PR to set the auto_label attribute in the image configuration. Example
• You can set a commit prefix, like UPSTREAM: <carry>: . An example.

If you have any questions about this pull request, please reach out in the #forum-ocp-art Slack channel.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[openshift-ci-robot]

@openshift-bot: This pull request references Jira Issue OCPBUGS-87334, which is valid.

3 validation(s) were run on this bug

• bug is open, matching expected state (open)
• bug target version (5.0.0) matches configured target version for branch (5.0.0)
• bug is in the state POST, which is one of the valid states (NEW, ASSIGNED, POST)

Details

In response to this:

Updating ose-cluster-cloud-controller-manager-operator-container image to be consistent with ART for 5.0
TLDR:
Product builds by ART can be configured for different base and builder images than corresponding CI
builds. This automated PR requests a change to CI configuration to align with ART's configuration;
please take steps to merge it quickly or contact ART to coordinate changes.

The configuration in the following ART component metadata is driving this alignment request:
ose-cluster-cloud-controller-manager-operator.yml.

Detail:

This repository is out of sync with the downstream product builds for this component. The CI
configuration for at least one image differs from ART's expected product configuration. This should
be addressed to ensure that the component's CI testing accurate reflects what customers will
experience.

Most of these PRs are opened as an ART-driven proposal to migrate base image or builder(s) to a
different version, usually prior to GA. The intent is to effect changes in both configurations
simultaneously without breaking either CI or ART builds, so usually ART builds are configured to
consider CI as canonical and attempt to match CI config until the PR merges to align both. ART may
also configure changes in GA releases with CI remaining canonical for a brief grace period to enable
CI to succeed and the alignment PR to merge. In either case, ART configuration will be made
canonical at some point (typically at branch-cut before GA or release dev-cut after GA), so it is
important to align CI configuration as soon as possible.

PRs are also triggered when CI configuration changes without ART coordination, for instance to
change the number of builder images or to use a different golang version. These changes should be
coordinated with ART; whether ART configuration is canonical or not, preferably it would be updated
first to enable the changes to occur simultaneously in both CI and ART at the same time. This also
gives ART a chance to validate the intended changes first. For instance, ART compiles most
components with the Golang version being used by the control plane for a given OpenShift release.
Exceptions to this convention (i.e. you believe your component must be compiled with a Golang
version independent from the control plane) must be granted by the OpenShift staff engineers and
communicated to the ART team.

Roles & Responsibilities:

• Component owners are responsible for ensuring these alignment PRs merge with passing
  tests OR that necessary metadata changes are reported to the ART team
  in #forum-ocp-art on Slack. If necessary, the changes required by this pull request can be
  introduced with a separate PR opened by the component team. Once the repository is aligned,
  this PR will be closed automatically.
• In particular, it could be that a job like verify-deps is complaining. In that case, please open
  a new PR with the dependency issues addressed (and base images bumped). ART-9595 for reference.
• Patch-manager or those with sufficient privileges within this repository may add
  any required labels to ensure the PR merges once tests are passing. In cases where ART config is
  canonical, downstream builds are already being built with these changes, and merging this PR
  only improves the fidelity of our CI. In cases where ART config is not canonical, this provides
  a grace period for the component team to align their CI with ART's configuration before it becomes
  canonical in product builds.

ART has been configured to reconcile your CI build root image (see https://docs.ci.openshift.org/docs/architecture/ci-operator/#build-root-image).
In order for your upstream .ci-operator.yaml configuration to be honored, you must set the following in your openshift/release ci-operator configuration file:

build_root:
 from_repository: true

Change behavior of future PRs:

• In case you just want to follow the base images that ART suggests, you can configure additional labels to be
  set up automatically. This means that such a PR would merge without human intervention (and awareness!) in the future.
  To do so, open a PR to set the auto_label attribute in the image configuration. Example
• You can set a commit prefix, like UPSTREAM: <carry>: . An example.

If you have any questions about this pull request, please reach out in the #forum-ocp-art Slack channel.

Summary by CodeRabbit

• Chores
• Updated build infrastructure and runtime base image versions to maintain system stability and compatibility with current infrastructure standards.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[coderabbitai]

Actionable comments posted: 1

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (3)

Dockerfile (3)

1-1: ⚠️ Potential issue | 🔴 Critical | 🏗️ Heavy lift

Go version inconsistency with CI operator configuration.

The builder stage uses golang-1.26, but the CI operator configuration (.ci-operator.yaml) now specifies golang-1.25. See the review comment on .ci-operator.yaml for details and recommended fix.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@Dockerfile` at line 1, The Dockerfile's builder stage references a Go 1.26
image while CI is configured for Go 1.25; update the FROM image tag used in the
builder stage (the line starting with FROM
registry.ci.openshift.org/ocp/builder:rhel-9-golang-1.26-openshift-5.0) to the
corresponding golang-1.25 variant so the builder image and the CI operator
(.ci-operator.yaml) use the same Go version.

---

8-17: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Missing HEALTHCHECK directive.

The Dockerfile does not define a HEALTHCHECK, which is required by the coding guidelines. Health checks enable orchestrators (like Kubernetes) to monitor container health and restart unhealthy instances.

Define an appropriate health check for your operator, such as an HTTP endpoint check or a command that validates the operator's readiness.

💚 Example HEALTHCHECK addition

 COPY --from=builder /go/src/github.com/openshift/cluster-cloud-controller-manager-operator/openshift-tests/bin/cloud-controller-manager-operator-tests-ext.gz /usr/bin/cloud-controller-manager-operator-tests-ext.gz

 LABEL io.openshift.release.operator true
+
+HEALTHCHECK --interval=30s --timeout=3s --start-period=5s --retries=3 \
+  CMD ["/cluster-controller-manager-operator", "health-check"] || exit 1

Adjust the command to match your operator's actual health check mechanism (e.g., an HTTP endpoint on localhost:8080/healthz or a subcommand that validates operational status).

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@Dockerfile` around lines 8 - 17, Add a Docker HEALTHCHECK directive to the
Dockerfile to satisfy the coding guideline: implement a probe that exercises the
operator's real readiness endpoint or a lightweight internal health command
(e.g., an HTTP GET against the operator's /healthz or invoking the operator
binary with a health subcommand) and include sensible options (interval,
timeout, retries) so orchestrators can detect and restart unhealthy containers;
place the HEALTHCHECK after the LABEL and reference the running
entrypoint/service (the operator binary such as
cluster-controller-manager-operator or whichever binary is launched at container
start) when constructing the probe.

Source: Coding guidelines

---

8-17: ⚠️ Potential issue | 🔴 Critical | ⚡ Quick win

Critical: Missing USER directive - container runs as root.

The Dockerfile does not include a USER directive, meaning the container will run as root by default. The coding guidelines explicitly state "USER non-root; never run as root." Running as root violates container security best practices and increases the attack surface.

Add a non-root user and switch to it before the final stage completes.

🔒 Proposed fix to add non-root USER

 FROM registry.ci.openshift.org/ocp/5.0:base-rhel9
+USER 1001
 COPY --from=builder /go/src/github.com/openshift/cluster-cloud-controller-manager-operator/bin/cluster-controller-manager-operator .
 COPY --from=builder /go/src/github.com/openshift/cluster-cloud-controller-manager-operator/bin/config-sync-controllers .

Note: Verify that UID 1001 (or another non-root UID) is appropriate for your OpenShift deployment. Some base images pre-define a non-root user; confirm compatibility with the 5.0:base-rhel9 image.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@Dockerfile` around lines 8 - 17, The Dockerfile currently leaves the final
image running as root; add a non-root user and switch to it before the image is
finalized. Create or use a non-root UID (e.g. 1001), ensure the bundled files
and the manifests copied in the final stage are owned by that UID (chown the
copied artifacts), and add a USER <uid> directive after the COPY/LABEL steps so
the container runs non-root; verify compatibility with the base image
(registry.ci.openshift.org/ocp/5.0:base-rhel9) and choose an appropriate UID if
1001 is not suitable.

Source: Coding guidelines

🧹 Nitpick comments (1)

Dockerfile (1)

3-3: ⚖️ Poor tradeoff

Avoid copying entire build context in builder stage.

Line 3 copies the entire repository context with COPY . ., which violates the coding guideline to "COPY specific files, not entire context." While this is in the builder stage (not the final runtime image), it can still introduce unnecessary files, increase build cache invalidation, and pose a minor security risk if sensitive files exist in the repository.

Consider explicitly listing required directories or files, such as:

COPY go.mod go.sum ./
COPY vendor/ vendor/
COPY cmd/ cmd/
COPY pkg/ pkg/
# etc.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@Dockerfile` at line 3, The Dockerfile currently uses a broad COPY . . in the
builder stage; replace that with explicit COPY entries for only the
build-required files and directories (e.g., module files, vendor, cmd, pkg, or
other source dirs) so the builder stage does not pull the entire repo into the
image; update the builder stage COPY lines to list those specific
files/directories instead of using COPY . ., ensuring you include any files
referenced by the build (like go.mod/go.sum, source packages, and vendor) to
avoid build failures.

Source: Coding guidelines

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.ci-operator.yaml:
- Around line 1-4: The CI config sets build_root_image.tag to
rhel-9-release-golang-1.25-openshift-5.0 but the Dockerfile still uses
registry.ci.openshift.org/ocp/builder:rhel-9-golang-1.26-openshift-5.0 in the
builder FROM line; update the Dockerfile builder stage to use the golang-1.25
image (e.g.,
registry.ci.openshift.org/ocp/builder:rhel-9-golang-1.25-openshift-5.0) so the
Dockerfile's FROM matches build_root_image.tag and the Go toolchain is
consistent across CI and the build image.

---

Outside diff comments:
In `@Dockerfile`:
- Line 1: The Dockerfile's builder stage references a Go 1.26 image while CI is
configured for Go 1.25; update the FROM image tag used in the builder stage (the
line starting with FROM
registry.ci.openshift.org/ocp/builder:rhel-9-golang-1.26-openshift-5.0) to the
corresponding golang-1.25 variant so the builder image and the CI operator
(.ci-operator.yaml) use the same Go version.
- Around line 8-17: Add a Docker HEALTHCHECK directive to the Dockerfile to
satisfy the coding guideline: implement a probe that exercises the operator's
real readiness endpoint or a lightweight internal health command (e.g., an HTTP
GET against the operator's /healthz or invoking the operator binary with a
health subcommand) and include sensible options (interval, timeout, retries) so
orchestrators can detect and restart unhealthy containers; place the HEALTHCHECK
after the LABEL and reference the running entrypoint/service (the operator
binary such as cluster-controller-manager-operator or whichever binary is
launched at container start) when constructing the probe.
- Around line 8-17: The Dockerfile currently leaves the final image running as
root; add a non-root user and switch to it before the image is finalized. Create
or use a non-root UID (e.g. 1001), ensure the bundled files and the manifests
copied in the final stage are owned by that UID (chown the copied artifacts),
and add a USER <uid> directive after the COPY/LABEL steps so the container runs
non-root; verify compatibility with the base image
(registry.ci.openshift.org/ocp/5.0:base-rhel9) and choose an appropriate UID if
1001 is not suitable.

---

Nitpick comments:
In `@Dockerfile`:
- Line 3: The Dockerfile currently uses a broad COPY . . in the builder stage;
replace that with explicit COPY entries for only the build-required files and
directories (e.g., module files, vendor, cmd, pkg, or other source dirs) so the
builder stage does not pull the entire repo into the image; update the builder
stage COPY lines to list those specific files/directories instead of using COPY
. ., ensuring you include any files referenced by the build (like go.mod/go.sum,
source packages, and vendor) to avoid build failures.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 81e01337-ed95-4f0b-9b90-5c4a86b54776

📥 Commits

Reviewing files that changed from the base of the PR and between a9cbda8 and bd6fe89.

📒 Files selected for processing (2)

• .ci-operator.yaml
• Dockerfile

[coderabbitai]

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Description: Check the Go version in the Dockerfile builder stage

rg -n 'FROM.*builder.*golang-' Dockerfile

Repository: openshift/cluster-cloud-controller-manager-operator

Length of output: 184

---

🏁 Script executed:

#!/bin/bash
set -euo pipefail

# Show the build_root_image block in .ci-operator.yaml
echo "---- .ci-operator.yaml (build_root_image) ----"
rg -n "build_root_image" .ci-operator.yaml || true
sed -n '1,120p' .ci-operator.yaml | cat -n

# Confirm which Dockerfile and which Go builder images are referenced
echo "---- Dockerfile builder Go references ----"
ls -la Dockerfile* || true
rg -n "FROM.*(golang-|builder:|builder)" Dockerfile* 2>/dev/null || true

echo "---- Dockerfile Go tag occurrences ----"
rg -n "golang-1\.2[56]-openshift-5\.0" Dockerfile* 2>/dev/null || true
rg -n "golang-1\.25|golang-1\.26" Dockerfile* 2>/dev/null || true

# Also check for any other Dockerfiles (rare) that might matter
echo "---- Other Dockerfile files (if any) ----"
fd -g "Dockerfile*" . || true

Repository: openshift/cluster-cloud-controller-manager-operator

Length of output: 1234

---

Critical: Align Go toolchain version between .ci-operator.yaml and Dockerfile builder stage

.ci-operator.yaml sets build_root_image.tag to rhel-9-release-golang-1.25-openshift-5.0, but the Dockerfile builder stage still uses registry.ci.openshift.org/ocp/builder:rhel-9-golang-1.26-openshift-5.0, creating a CI/toolchain mismatch.

🔧 Suggested alignment

FROM registry.ci.openshift.org/ocp/builder:rhel-9-golang-1.25-openshift-5.0 AS builder

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.ci-operator.yaml around lines 1 - 4, The CI config sets
build_root_image.tag to rhel-9-release-golang-1.25-openshift-5.0 but the
Dockerfile still uses
registry.ci.openshift.org/ocp/builder:rhel-9-golang-1.26-openshift-5.0 in the
builder FROM line; update the Dockerfile builder stage to use the golang-1.25
image (e.g.,
registry.ci.openshift.org/ocp/builder:rhel-9-golang-1.25-openshift-5.0) so the
Dockerfile's FROM matches build_root_image.tag and the Go toolchain is
consistent across CI and the build image.

[openshift-ci]

@openshift-bot: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/e2e-aws-ovn	bd6fe89	link	true	/test e2e-aws-ovn
ci/prow/lint	bd6fe89	link	true	/test lint
ci/prow/verify-deps	bd6fe89	link	true	/test verify-deps
ci/prow/vet	bd6fe89	link	true	/test vet
ci/prow/unit	bd6fe89	link	true	/test unit
ci/prow/vendor	bd6fe89	link	true	/test vendor

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.