
ci(claude): add find-konflux-images command to discover PR images#7999

Closed
zhfeng wants to merge 1 commit into openshift:main from zhfeng:add-find-konflux-images-command


@zhfeng
Contributor

@zhfeng zhfeng commented Mar 18, 2026

Summary

  • Adds a new Claude Code slash command /find-konflux-images that discovers and verifies Konflux-built container images for any PR
  • Reads .tekton/*-pull-request.yaml pipeline configs from the PR's commit SHA to extract output-image patterns and image-expires-after values
  • Verifies image availability on quay.io via OCI registry API and reports results as a markdown table
  • Offers to retrigger expired images via /retest if the PR is still open

Usage

/find-konflux-images https://github.com/openshift/hypershift/pull/7887
/find-konflux-images openshift/hypershift 7887

Test plan

Summary by CodeRabbit

  • Documentation
    • Added a user guide for a command that locates, verifies, and reports Konflux/Tekton-built container images associated with a PR.
    • Documents accepted input formats, step-by-step workflow, output presentation (markdown table), and error handling scenarios.
    • Describes registry availability checks, image expiration caveats, PR-state handling, and optional retrigger (/retest) behavior.
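
An added example (not part of this PR or of the project's command file) of the extraction step the summary describes: it reads `output-image` and `image-expires-after` from a Tekton pull-request config and validates the resulting reference before it would be placed in a registry URL, since the config is taken from the PR's own commit. The sample YAML, the `{{revision}}` substitution, the quay.io-only allowlist and the function names `tekton_param` and `image_ref_for` are assumptions made for illustration.

```bash
#!/bin/sh
# Added example: pull output-image / image-expires-after out of a Tekton
# pull-request config and validate the image reference before using it.

# Constructed sample config; tenant and component names are placeholders.
SAMPLE_YAML='spec:
  params:
    - name: git-url
      value: "{{source_url}}"
    - name: output-image
      value:   quay.io/example-tenant/example-component:on-pr-{{revision}}
    - name: image-expires-after
      value: 5d
'

# tekton_param NAME: read YAML on stdin, print the value of param NAME.
# Assumes the "- name: X" / "value: Y" layout; tolerates variable whitespace
# and optional quotes, and prints nothing when the param is absent.
tekton_param() {
  awk -v want="$1" '
    /^[ \t]*-[ \t]*name:/ {
      n = $0
      sub(/^[ \t]*-[ \t]*name:[ \t]*/, "", n)
      gsub(/[ \t"]/, "", n); gsub("\047", "", n)
      hit = (n == want)
      next
    }
    hit && /^[ \t]*value:/ {
      v = $0
      sub(/^[ \t]*value:[ \t]*/, "", v)
      sub(/[ \t]+$/, "", v)
      gsub("^[\"\047]|[\"\047]$", "", v)
      print v
      exit
    }
  '
}

# image_ref_for PATTERN COMMIT_SHA: substitute {{revision}} and validate.
# Prints "<repo_path> <tag>" on success. Returns 1 unless the SHA is 40
# lowercase hex characters and the result is quay.io/<org>/<repo...>:<tag>
# built only from registry-safe characters (a conservative subset).
image_ref_for() {
  case $2 in
    *[!0-9a-f]*|"") return 1 ;;
  esac
  [ "${#2}" -eq 40 ] || return 1
  ref=$(printf '%s' "$1" | sed "s/{{ *revision *}}/$2/g")
  name='[a-z0-9]+([._-][a-z0-9]+)*'
  printf '%s\n' "$ref" |
    grep -Eq "^quay\.io/${name}(/${name})+:[A-Za-z0-9_][A-Za-z0-9._-]{0,127}\$" ||
    return 1
  path=${ref#quay.io/}
  printf '%s %s\n' "${path%:*}" "${path##*:}"
}

# Demo with a constructed 40-character commit SHA.
pattern=$(printf '%s' "$SAMPLE_YAML" | tekton_param output-image)
image_ref_for "$pattern" 0123456789abcdef0123456789abcdef01234567
```

A reference that fails `image_ref_for` is best reported as a row in the results table rather than passed on to `curl`.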

@openshift-ci-robot

Pipeline controller notification
This repo is configured to use the pipeline controller. Second-stage tests will be triggered either automatically or after lgtm label is added, depending on the repository configuration. The pipeline controller will automatically detect which contexts are required and will utilize /test Prow commands to trigger the second stage.

For optional jobs, comment /test ? to see a list of all defined jobs. To trigger manually all jobs from second stage use /pipeline required command.

This repository is configured in: LGTM mode

@coderabbitai
Contributor

coderabbitai bot commented Mar 18, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Repository YAML (base), Organization UI (inherited)

Review profile: CHILL

Plan: Pro

Run ID: e543bc73-152d-4029-ac49-92fb7ffb164d

📥 Commits

Reviewing files that changed from the base of the PR and between b0faf91 and 322abf3.

📒 Files selected for processing (1)
  • .claude/commands/find-konflux-images.md
🚧 Files skipped from review as they are similar to previous changes (1)
  • .claude/commands/find-konflux-images.md

📝 Walkthrough


A new documentation file is added at .claude/commands/find-konflux-images.md that describes a command for locating and verifying container images built via Konflux/Tekton associated with GitHub pull requests. The documentation outlines the command's workflow including PR resolution, Tekton configuration extraction, pipeline trigger verification, image URL construction, availability checks via quay.io OCI registry API, and result presentation in a markdown table. It includes error handling scenarios, usage examples, requirements, and conditions for offering image retrigger options via /retest.

Sequence Diagram(s)

sequenceDiagram
    participant User
    participant Bot as Find-Konflux-Images
    participant GitHub
    participant Repo as Git Repository
    participant TektonConfig as Tekton Config (in PR commit)
    participant Quay as quay.io (OCI registry)
    User->>Bot: Invoke command on PR (e.g., /find-konflux-images)
    Bot->>GitHub: Resolve PR reference (number/branch/commit)
    GitHub-->>Bot: PR metadata, commit SHA
    Bot->>Repo: Fetch commit contents
    Repo-->>Bot: Tekton config files (pipeline/task refs)
    Bot->>TektonConfig: Parse image build outputs and pipeline triggers
    alt Pipelines referenced and triggers present
        Bot->>Quay: Construct expected image URLs and query OCI manifests
        Quay-->>Bot: Image existence + metadata (tags, digests, timestamps)
        Bot->>GitHub: Post results table comment on PR (images, status)
        alt Some images missing and retrigger allowed
            Bot->>GitHub: Offer `/retest` option in comment
        end
    else No pipelines or config missing
        Bot->>GitHub: Post error/diagnostic comment
    end
    alt User issues /retest
        User->>GitHub: /retest comment
        GitHub->>TektonConfig: Trigger pipelines (via CI)
        TektonConfig-->>Quay: New images pushed (if successful)
        Quay-->>Bot: Confirm new images on subsequent checks
    end

@openshift-ci openshift-ci bot requested review from csrwng and sjenning March 18, 2026 14:11
@openshift-ci openshift-ci bot added area/ai Indicates the PR includes changes related to AI - Claude agents, Cursor rules, etc. and removed do-not-merge/needs-area labels Mar 18, 2026
@openshift-ci
Contributor

openshift-ci bot commented Mar 18, 2026

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: zhfeng
Once this PR has been reviewed and has the lgtm label, please assign bryan-cox for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

Contributor

@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 1

🧹 Nitpick comments (5)
.claude/commands/find-konflux-images.md (5)

21-21: Update step 2 to mention image-expires-after extraction.

The step description says it extracts output-image patterns, but the implementation (lines 54-56) also extracts image-expires-after values, which are used for reporting expiration periods.

📝 Suggested update
-2. Reads the `.tekton/*-pull-request.yaml` pipeline configs from the PR's commit to extract `output-image` patterns
+2. Reads the `.tekton/*-pull-request.yaml` pipeline configs from the PR's commit to extract `output-image` patterns and `image-expires-after` values
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.claude/commands/find-konflux-images.md at line 21, Update step 2's
description to state that, besides reading `.tekton/*-pull-request.yaml` to
extract `output-image` patterns, it also extracts `image-expires-after` values
used for reporting expiration periods; reference the same
`.tekton/*-pull-request.yaml` files and mention both `output-image` and
`image-expires-after` so the doc matches the implementation (see the extraction
logic around where `output-image` and `image-expires-after` are read).

114-114: Consider locale-specific spelling preference.

The static analysis tool noted that "afterwards" is British English, while "afterward" is preferred in American English. If the project has a style guide preference, consider aligning.

🌍 US English variant
-Builds typically take 10-20 minutes; re-run this command to check availability afterwards
+Builds typically take 10-20 minutes; re-run this command to check availability afterward
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.claude/commands/find-konflux-images.md at line 114, The sentence "Builds
typically take 10-20 minutes; re-run this command to check availability
afterwards" uses the British variant "afterwards"; update that string to the
US-preferred "afterward" (or conform to your project's style guide) so it reads
"Builds typically take 10-20 minutes; re-run this command to check availability
afterward." Locate and replace this exact sentence in
.claude/commands/find-konflux-images.md.

13-16: Consider using PR #7887 in examples for consistency.

The PR objectives mention testing with PR #7887, but the examples reference PR #7871. While this doesn't affect functionality, aligning the examples with the tested PR would improve traceability.

📝 Suggested alignment
 1. **By PR URL**:
-   `/find-konflux-images https://github.com/openshift/hypershift/pull/7871`
+   `/find-konflux-images https://github.com/openshift/hypershift/pull/7887`
 
 2. **By repo and PR number**:
-   `/find-konflux-images openshift/hypershift 7871`
+   `/find-konflux-images openshift/hypershift 7887`
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.claude/commands/find-konflux-images.md around lines 13 - 16, Update the
example PR references to match the tested PR `#7887`: replace the occurrences of
"/find-konflux-images https://github.com/openshift/hypershift/pull/7871" and
"/find-konflux-images openshift/hypershift 7871" with the corresponding
"/find-konflux-images https://github.com/openshift/hypershift/pull/7887" and
"/find-konflux-images openshift/hypershift 7887" so the examples align with the
documented/tested PR; ensure both example lines in the file are changed
consistently.

49-58: Add error handling guidance to the bash example.

The bash snippet lacks error handling for several failure modes:

  • gh api calls may fail (network issues, auth problems, file not found)
  • base64 -d may fail on malformed content
  • grep may find no matches (empty variables)
  • sed patterns assume single space after colon

Since this is example code that users may copy, consider adding notes about error handling or using more robust patterns.

♻️ Suggested improvements

Add error handling notes and improve sed patterns:

 ```bash
+# Note: Add error checking after each gh api call
 PR_FILES=$(gh api "repos/${REPO}/contents/.tekton?ref=${COMMIT_SHA}" --jq '.[].name' | grep pull-request)
+if [ -z "$PR_FILES" ]; then
+  echo "ERROR: No pull-request pipeline configs found"
+  exit 1
+fi
 
 for file in $PR_FILES; do
   CONTENT=$(gh api "repos/${REPO}/contents/.tekton/${file}?ref=${COMMIT_SHA}" --jq '.content' | base64 -d)
-  IMAGE_PATTERN=$(echo "$CONTENT" | grep -A1 'name: output-image' | grep 'value:' | head -1 | sed 's/.*value: *//')
-  EXPIRES_AFTER=$(echo "$CONTENT" | grep -A1 'name: image-expires-after' | grep 'value:' | head -1 | sed 's/.*value: *//')
+  # Use [[:space:]]* to handle variable whitespace
+  IMAGE_PATTERN=$(echo "$CONTENT" | grep -A1 'name: output-image' | grep 'value:' | head -1 | sed 's/.*value:[[:space:]]*//')
+  EXPIRES_AFTER=$(echo "$CONTENT" | grep -A1 'name: image-expires-after' | grep 'value:' | head -1 | sed 's/.*value:[[:space:]]*//')
   COMPONENT=$(echo "$file" | sed 's/-pull-request\.yaml$//')
 done
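Review bot: inside the `for file in $PR_FILES` loop, CONTENT, IMAGE_PATTERN and EXPIRES_AFTER are still used unchecked; only PR_FILES gets a guard, and the first added line is a comment asking for checks rather than adding them. A failed per-file `gh api` or `base64 -d` leaves CONTENT empty, and the two grep pipelines then yield empty strings without any error. Suggest testing `[ -n "$CONTENT" ]` and `[ -n "$IMAGE_PATTERN" ]` inside the loop and skipping that file with a message, and sending the new `echo "ERROR: ..."` to stderr with `>&2`. Because the files are read at `ref=${COMMIT_SHA}`, IMAGE_PATTERN is whatever the PR author committed, so it should also be checked against the expected registry host and character set before it is used to build a request URL.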
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.claude/commands/find-konflux-images.md around lines 49 - 58, The snippet
lacks error handling and assumes fixed whitespace; add checks after the gh api
call that populates PR_FILES and after each CONTENT fetch (gh api and base64 -d)
to exit with a clear error if they fail or return empty, validate that grep
produced matches before running sed, and update the sed patterns used in
IMAGE_PATTERN and EXPIRES_AFTER to use a robust whitespace matcher (e.g.,
[[:space:]]*) so variable spacing after "value:" is handled; reference the
variables/functions PR_FILES, CONTENT, IMAGE_PATTERN, EXPIRES_AFTER, COMPONENT,
the gh api calls and base64 -d when adding these checks and error messages.

135-138: Complete the requirements list.

Several utilities used in the example scripts are not listed in the requirements:

  • base64 (used in line 53)
  • jq (used in line 50)
  • sed (used throughout)
  • grep (used throughout)
📝 Suggested additions
 ## Requirements
 
 - `gh` CLI authenticated with access to the target repository
 - `curl` available
 - `python3` available
+- `jq` for JSON parsing
+- Standard Unix utilities: `base64`, `sed`, `grep`
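Review bot: the added `jq` bullet is not supported by the snippet shown earlier in this review, which only uses jq syntax through `gh api ... --jq`; that flag is evaluated by `gh` itself and does not need a standalone jq binary. Keep the bullet only if some other snippet in the file invokes `jq` directly; otherwise add just `base64`, `sed` and `grep`.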
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.claude/commands/find-konflux-images.md around lines 135 - 138, The
requirements list is incomplete: add the missing CLI utilities used by the
examples—include `base64` (used around line 53), `jq` (used around line 50),
`sed`, and `grep` to the same list that currently contains `gh`, `curl`, and
`python3` so readers know these are prerequisites; update the bullet list near
the top of the document to enumerate those four additional tools.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.claude/commands/find-konflux-images.md:
- Around line 76-83: The TOKEN retrieval step may yield an empty or error
string; after the TOKEN assignment (the curl + python3 pipeline that sets TOKEN)
add validation that TOKEN is non-empty and contains a valid token before using
it for the manifests request (the HTTP_STATUS curl). If TOKEN is empty or
invalid, log a clear error and exit non‑zero so the subsequent call using TOKEN
is not attempted; alternatively replace the python3 extraction with a jq
extraction for consistency with the script and validate the jq output the same
way.


ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository YAML (base), Organization UI (inherited)

Review profile: CHILL

Plan: Pro

Run ID: a2192ba6-e3f7-48a7-bce4-72df8c2fdbcd

📥 Commits

Reviewing files that changed from the base of the PR and between b3974fe and b4270c0.

📒 Files selected for processing (1)
  • .claude/commands/find-konflux-images.md

Comment thread .claude/commands/find-konflux-images.md Outdated
@zhfeng zhfeng force-pushed the add-find-konflux-images-command branch from b4270c0 to 7f99742 Compare March 18, 2026 14:30
Contributor

@coderabbitai coderabbitai bot left a comment


♻️ Duplicate comments (1)
.claude/commands/find-konflux-images.md (1)

79-83: ⚠️ Potential issue | 🟠 Major

Validate auth token before calling the manifests API.

At Line 79-83, TOKEN is used immediately after extraction with no guard. If auth response is empty/invalid, the manifest check becomes a misleading auth failure instead of a clear token error.

Suggested fix
 TOKEN=$(curl -s "https://quay.io/v2/auth?service=quay.io&scope=repository:${REPO_PATH}:pull" \
   | python3 -c "import sys,json; print(json.load(sys.stdin).get('token',''))")
+
+if [ -z "$TOKEN" ]; then
+  echo "ERROR: Failed to retrieve authentication token from quay.io for ${REPO_PATH}"
+  exit 1
+fi
 
 HTTP_STATUS=$(curl -s -H "Authorization: Bearer $TOKEN" \
   -H "Accept: application/vnd.oci.image.index.v1+json,application/vnd.docker.distribution.manifest.v2+json" \
   "https://quay.io/v2/${REPO_PATH}/manifests/${TAG}" \
   -o /dev/null -w "%{http_code}")
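Review bot: the new guard's `exit 1` ends the whole run on the first repository whose token request fails, so if this block runs once per image the remaining images are never checked or reported; recording the failure for that image and continuing would fit the results table better. The `echo "ERROR: ..."` line should go to stderr (`>&2`). The token request itself is still `curl -s` with no `--fail` or timeout, so an error page or a hung connection reaches the `json.load` one-liner, which exits with a Python traceback before the guard's message is printed; adding `--fail` and `--max-time` to that curl would make the guard's message the one the user sees.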

Use this read-only check to verify the guard is currently missing and where to apply it:

#!/bin/bash
set -euo pipefail

target=".claude/commands/find-konflux-images.md"

echo "== TOKEN retrieval block =="
rg -n -C3 'TOKEN=\$\(curl -s "https://quay.io/v2/auth' "$target" || true

echo
echo "== TOKEN validation guard occurrences =="
rg -n -C2 'if \[ -z "\$TOKEN" \]' "$target" || true

echo
echo "== Immediate TOKEN usage in Authorization header =="
rg -n -C2 'Authorization: Bearer \$TOKEN' "$target" || true
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.claude/commands/find-konflux-images.md around lines 79 - 83, The TOKEN
extracted by the curl+python pipeline (variable TOKEN) is used immediately in
the Authorization header (Authorization: Bearer $TOKEN) without validation; add
a guard right after the TOKEN assignment that checks if TOKEN is empty (e.g., if
[ -z "$TOKEN" ] ), log a clear error like "Failed to obtain auth token from
quay.io" and exit non‑zero so the subsequent HTTP_STATUS/manifest calls (the
second curl that sets HTTP_STATUS) never run with an empty token.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository YAML (base), Organization UI (inherited)

Review profile: CHILL

Plan: Pro

Run ID: bfbe3ece-e8af-4782-9487-d5707f7d1ac3

📥 Commits

Reviewing files that changed from the base of the PR and between b4270c0 and 7f99742.

📒 Files selected for processing (1)
  • .claude/commands/find-konflux-images.md

@zhfeng zhfeng force-pushed the add-find-konflux-images-command branch from 7f99742 to b0faf91 Compare March 18, 2026 15:44
Contributor

@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 3

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.claude/commands/find-konflux-images.md:
- Around line 136-140: Update the "Requirements" section by either removing the
stale bullet "- `python3`" or adding a justification that current snippets need
it; specifically edit the Requirements header block to delete the python3 entry
if it is unused by any commands in this file (search for any references to
"python3" or scripts called in the file) or, if a script does require Python,
add a brief note explaining which snippet or command (by name) needs Python and
why.
- Line 25: Update wording for consistency in
.claude/commands/find-konflux-images.md: change the lowercase "markdown"
occurrences (referenced near the sentence "Reports results as a markdown table"
and the other instance around line 90) to "Markdown", and change the adverb
"afterwards" (around line 115) to the US English form "afterward"; search for
and replace those specific words in the file so capitalization and US English
usage are consistent.
- Around line 24-25: The doc line claiming images are checked "via the OCI
registry API" is inconsistent with the implementation that calls Quay's
proprietary tag endpoint (/api/v1/repository/<org>/<repo>/tag); either update
the markdown phrase to say "via the Quay tag API (/api/v1/repository/.../tag)"
to match the current implementation, or instead replace the Quay-specific calls
with standard OCI Registry v2 tag/manifest endpoints (implementing the v2
/v2/<name>/tags/list and manifest checks) so the text can remain "OCI registry
API".

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository YAML (base), Organization UI (inherited)

Review profile: CHILL

Plan: Pro

Run ID: 8e427040-b9ee-4e9f-9fd6-080968f41eeb

📥 Commits

Reviewing files that changed from the base of the PR and between 7f99742 and b0faf91.

📒 Files selected for processing (1)
  • .claude/commands/find-konflux-images.md

Comment thread .claude/commands/find-konflux-images.md Outdated
Comment thread .claude/commands/find-konflux-images.md Outdated
Comment thread .claude/commands/find-konflux-images.md Outdated
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@zhfeng zhfeng force-pushed the add-find-konflux-images-command branch from b0faf91 to 322abf3 Compare March 18, 2026 15:54
@openshift-ci
Contributor

openshift-ci bot commented Mar 18, 2026

@zhfeng: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

@zhfeng
Contributor Author

zhfeng commented Mar 24, 2026

@zhfeng zhfeng closed this Mar 24, 2026