CNTRLPLANE-3352: Convert GHA callers to use reusable workflows @main

[bryan-cox]

What this PR does / why we need it:

Converts all 9 GHA workflow callers to thin stubs that reference reusable workflow definitions via @main. This is the second of two PRs — it depends on #8386 which has already been merged.

After this PR merges, every PR-triggered GHA run automatically uses the latest workflow definition from main, eliminating the need for:

• The verify-workflows Prow job in openshift/release
• Forced rebases when workflow files change on main

Callers converted:

• codespell.yaml
• cpo-container-sync.yaml
• docs-build.yaml
• envtest-kube.yaml
• envtest-ocp.yaml
• gitlint.yaml
• lint.yaml
• test.yaml
• verify.yaml

Key details:

• docs-build.yaml preserves name: Docs Build so docs-deploy.yaml's workflow_run trigger continues working
• test.yaml uses secrets: inherit to pass CODECOV_TOKEN
• Push triggers for main/release branches remain on the reusable workflows (not the callers)
• Check names will change from JobName to caller-job / JobName — cosmetic only, nothing gates on these

Next step after merge: Remove verify-workflows Prow job from openshift/release after a few days of bake time.

Future release branches (4.23+): Will need push/PR trigger branch lists updated in both caller and reusable files.

Which issue(s) this PR fixes:

Fixes CNTRLPLANE-3352

Special notes for your reviewer:

• CNTRLPLANE-3352: Add reusable GHA workflow definitions #8386 (dormant reusable workflow files) has already been merged, so GHA CI should pass on this PR.
• Forks: @main ref to upstream is intentional — fork PRs always get the latest upstream workflow.

Checklist:

• Subject and description added to both, commit and PR.
• Relevant issues have been referenced.
• This change includes docs.
• This change includes unit tests.

🤖 Generated with Claude Code

Summary by CodeRabbit

• Refactor

  • CI/CD workflows refactored to invoke reusable workflow components for consistency; job-level permissions tightened and several workflow triggers/flows simplified.

• Tests

  • Added unit tests verifying annotation lookup returns true only when a key’s value exactly matches, and false for absent keys, differing values, or nil annotations.

[openshift-merge-bot]

Pipeline controller notification
This repo is configured to use the pipeline controller. Second-stage tests will be triggered either automatically or after lgtm label is added, depending on the repository configuration. The pipeline controller will automatically detect which contexts are required and will utilize /test Prow commands to trigger the second stage.

For optional jobs, comment /test ? to see a list of all defined jobs. To trigger manually all jobs from second stage use /pipeline required command.

This repository is configured in: LGTM mode

[openshift-ci-robot]

@bryan-cox: This pull request references CNTRLPLANE-3352 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the task to target the "5.0.0" version, but no target version was set.

Details

In response to this:

What this PR does / why we need it:

Converts all 9 GHA workflow callers to thin stubs that reference reusable workflow definitions via @main. This is the second of two PRs — it depends on #8386 being merged first so the reusable files exist on main.

After this PR merges, every PR-triggered GHA run automatically uses the latest workflow definition from main, eliminating the need for:

• The verify-workflows Prow job in openshift/release
• Forced rebases when workflow files change on main

Callers converted:

• codespell.yaml
• cpo-container-sync.yaml
• docs-build.yaml
• envtest-kube.yaml
• envtest-ocp.yaml
• gitlint.yaml
• lint.yaml
• test.yaml
• verify.yaml

Key details:

• docs-build.yaml preserves name: Docs Build so docs-deploy.yaml's workflow_run trigger continues working
• docs-build.yaml path filter includes both docs-build.yaml and docs-build-reusable.yaml
• test.yaml uses secrets: inherit to pass CODECOV_TOKEN
• Push triggers for main/release branches remain on the reusable workflows (not the callers)
• Check names will change from JobName to caller-job / JobName — cosmetic only, nothing gates on these

Next step after merge: Remove verify-workflows Prow job from openshift/release after a few days of bake time.

Future release branches (4.23+): Will need push/PR trigger branch lists updated in both caller and reusable files.

Which issue(s) this PR fixes:

Fixes CNTRLPLANE-3352

Special notes for your reviewer:

• Do not merge until CNTRLPLANE-3352: Add reusable GHA workflow definitions #8386 is merged — the @main refs require the reusable files to exist on main.
• GHA CI on this PR will fail because the @main refs can't resolve yet. This is expected.
• Forks: @main ref to upstream is intentional — fork PRs always get the latest upstream workflow.

Checklist:

• Subject and description added to both, commit and PR.
• Relevant issues have been referenced.
• This change includes docs.
• This change includes unit tests.

🤖 Generated with Claude Code

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[openshift-ci]

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

[coderabbitai]

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

• @coderabbitai resume to resume automatic reviews.
• @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

• ▶️ Resume reviews
• 🔍 Trigger review

📝 Walkthrough

Walkthrough

Multiple GitHub Actions workflows were refactored to delegate jobs to reusable workflows instead of defining jobs inline. Top-level workflow permissions for repository contents were moved to the corresponding job level. Several workflows had push triggers removed (now only pull_request and workflow_dispatch) and change-detection logic updated to prefer pull-request base/head SHAs with fallbacks. One unit test was added to verify annotation-value checking behavior.

Changes

Cohort / File(s)	Summary
Reusable workflow replacements .github/workflows/codespell.yaml, .github/workflows/cpo-container-sync.yaml, .github/workflows/docs-build.yaml, .github/workflows/gitlint.yaml, .github/workflows/lint.yaml, .github/workflows/verify.yaml, .github/workflows/test.yaml	Jobs converted from inline step sequences to reusable-workflow invocations (uses: ...-reusable.yaml@main); permissions.contents: read moved from workflow-level to job-level; local runner/step details removed.
Envtest workflows (reusable + callers) .github/workflows/envtest-kube-reusable.yaml, .github/workflows/envtest-kube.yaml, .github/workflows/envtest-ocp-reusable.yaml, .github/workflows/envtest-ocp.yaml	Introduced/updated reusable envtest workflows that compute ref ranges using PR base/head SHAs (with fallback to before..HEAD); caller workflows now invoke the reusable workflows and no longer run inline matrix/change-detection; triggers narrowed to remove push.
Lint reusable logic .github/workflows/lint-reusable.yaml	Conditionalized the git fetch step to only run when github.base_ref is present, replacing unconditional fetch with a guarded script.
Verify reusable ordering .github/workflows/verify-reusable.yaml	Reordered verification steps so make staticcheck, make fmt, and make vet run immediately after make generate update (control-flow ordering change only).
Test change (unit tests) support/util/annotations_test.go	Added unit tests for HasAnnotationWithValue(obj, key, value) to assert true only when the annotation key exists and its value exactly equals the expected value; covers absent key, differing value, and nil annotations cases.

Sequence Diagram(s)

sequenceDiagram
  participant Caller as Caller Workflow (this repo)
  participant GH as GitHub Actions
  participant Reusable as Reusable Workflow
  participant Runner as Runner
  participant Repo as Repository

  Caller->>GH: invoke job using "uses: reusable-workflow@main"
  GH->>Reusable: start reusable workflow run (job-level permissions rgba(0,128,255,0.5))
  Reusable->>Runner: allocate runner and execute job steps
  Runner->>Repo: actions/checkout (read contents rgba(0,200,100,0.5))
  Runner->>Runner: run build/test/lint/make commands rgba(200,100,0,0.5)
  Runner->>GH: upload artifacts / set outputs / exit status
  GH->>Caller: propagate results (success/failure, outputs)

Loading

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

🚥 Pre-merge checks | ✅ 11 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (11 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately describes the main change: converting GitHub Actions workflow callers to use reusable workflows on @main branch.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names	✅ Passed	The custom check for stable and deterministic Ginkgo test names is not applicable to this pull request. This PR modifies only GitHub Actions workflow configuration files (.github/workflows/*.yaml) and one standard Go test file (support/util/annotations_test.go). The test file uses the Go testing framework with table-driven tests via t.Run(), not Ginkgo, and all test names are fully static and deterministic with no dynamic values. No Ginkgo test files are modified by this PR.
Test Structure And Quality	✅ Passed	The custom check for Ginkgo test code is not applicable; the test file uses standard Go unit tests with testing.T, not Ginkgo constructs.
Microshift Test Compatibility	✅ Passed	This PR does not add any Ginkgo e2e tests; it only adds standard Go unit tests in support/util/annotations_test.go and refactors GitHub Actions workflows.
Single Node Openshift (Sno) Test Compatibility	✅ Passed	The pull request does not add new Ginkgo e2e tests. Only unit tests in support/util/annotations_test.go and GitHub Actions workflow changes are present.
Topology-Aware Scheduling Compatibility	✅ Passed	PR modifies only CI/CD workflows and unit tests, not deployment manifests or operator code; topology-aware scheduling check does not apply.
Ote Binary Stdout Contract	✅ Passed	PR contains only GitHub Actions workflow changes and a unit test addition in support/util/annotations_test.go with no stdout writes or side effects.
Ipv6 And Disconnected Network Test Compatibility	✅ Passed	PR adds standard Go unit tests, not Ginkgo e2e tests. Tests use Go testing patterns and contain no IPv4 hardcoded addresses or external connectivity requirements.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: bryan-cox

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS [bryan-cox]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[coderabbitai]

Actionable comments posted: 3

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/docs-build.yaml:
- Around line 11-15: The workflow currently uses an external reusable workflow
with "uses:
openshift/hypershift/.github/workflows/docs-build-reusable.yaml@main", which
causes PRs that only edit the reusable workflow not to validate those edits;
update the caller in .github/workflows/docs-build.yaml to reference the reusable
workflow from the PR branch instead of `@main` by using a local relative path
(e.g. "uses: ./.github/workflows/docs-build-reusable.yaml") or otherwise ensure
it consumes the same ref as the PR so edits to docs-build-reusable.yaml trigger
validation.

In @.github/workflows/envtest-kube-reusable.yaml:
- Around line 31-44: The current step runs git diff and treats any non-matching
output as "should_run=false", but it does not detect git diff failures; modify
the script around the git diff invocation so that failures cause the step to
fail instead of falling through: when computing ref (using variables ref,
PUSH_DIFF_REF, PR_DIFF_REF and EVENT_NAME) run git diff --name-only "$ref" and
check its exit status—if git diff exits non-zero, write an error and exit
non-zero (fail the job) rather than proceeding to echo "should_run=false" to
GITHUB_OUTPUT; ensure the logic that writes "should_run=true"/"false" only runs
when git diff succeeds.

In @.github/workflows/test-reusable.yaml:
- Line 19: Add the custom runner label "arc-runner-set" to the actionlint
configuration so actionlint recognizes it across workflows; locate the
actionlint config (e.g., the repository-level actionlint YAML) and add
"arc-runner-set" to the runner labels list (runner-labels /
allowed-runner-labels) so the label used in workflows like the one containing
runs-on: arc-runner-set is registered and no longer flagged as unknown.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 506990b7-a690-4593-9a17-b3d5d06c07fd

📥 Commits

Reviewing files that changed from the base of the PR and between 540acc8 and ae79858.

📒 Files selected for processing (18)

• .github/workflows/codespell-reusable.yaml
• .github/workflows/codespell.yaml
• .github/workflows/cpo-container-sync-reusable.yaml
• .github/workflows/cpo-container-sync.yaml
• .github/workflows/docs-build-reusable.yaml
• .github/workflows/docs-build.yaml
• .github/workflows/envtest-kube-reusable.yaml
• .github/workflows/envtest-kube.yaml
• .github/workflows/envtest-ocp-reusable.yaml
• .github/workflows/envtest-ocp.yaml
• .github/workflows/gitlint-reusable.yaml
• .github/workflows/gitlint.yaml
• .github/workflows/lint-reusable.yaml
• .github/workflows/lint.yaml
• .github/workflows/test-reusable.yaml
• .github/workflows/test.yaml
• .github/workflows/verify-reusable.yaml
• .github/workflows/verify.yaml

[bryan-cox]

/area ci-tooling

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 36.70%. Comparing base (23d5637) to head (71c61f1).
⚠️ Report is 5 commits behind head on main.

Additional details and impacted files

@@           Coverage Diff           @@
##             main    #8387   +/-   ##
=======================================
  Coverage   36.69%   36.70%           
=======================================
  Files         767      767           
  Lines       93353    93353           
=======================================
+ Hits        34260    34264    +4     
+ Misses      56409    56405    -4     
  Partials     2684     2684           

see 1 file with indirect coverage changes

Flag	Coverage Δ
cmd-support	30.45% <ø> (+0.01%)	⬆️
cpo-hostedcontrolplane	37.19% <ø> (ø)
cpo-other	37.69% <ø> (ø)
hypershift-operator	47.82% <ø> (ø)
other	27.76% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@support/util/annotations_test.go`:
- Around line 150-171: The test case that constructs a HostedCluster with a
slash in metadata.name is invalid; remove the table entry named "When annotation
has multiple slashes..." (the AzurePrivateLinkService test using
HostedClusterAnnotation and an existing hyperv1.HostedCluster with Name:
"name/extra") and replace it with a test asserting that annotations containing
multiple slashes are treated as a format error: create an
AzurePrivateLinkService with HostedClusterAnnotation: "clusters/name/extra" and
assert the code path (call the function under test that parses
HostedClusterAnnotation) returns an error and does not resolve to a
HostedCluster (i.e., no wantHCNS/wantHCN success expectations); reference the
same symbols HostedClusterAnnotation, hyperv1.AzurePrivateLinkService, and
hyperv1.HostedCluster when locating and editing the test table.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 82faf04d-23b5-48f3-9a46-48e782cb2a54

📥 Commits

Reviewing files that changed from the base of the PR and between fe59e07 and 4324a17.

📒 Files selected for processing (1)

• support/util/annotations_test.go

[openshift-ci]

@bryan-cox: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

[bryan-cox]

/verified by GHA tests

[openshift-ci-robot]

@bryan-cox: This PR has been marked as verified by GHA tests.

Details

In response to this:

/verified by GHA tests

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[csrwng]

/lgtm

[openshift-merge-bot]

Scheduling tests matching the pipeline_run_if_changed or not excluded by pipeline_skip_if_only_changed parameters:
/test e2e-aks
/test e2e-aws
/test e2e-aws-upgrade-hypershift-operator
/test e2e-azure-self-managed
/test e2e-kubevirt-aws-ovn-reduced
/test e2e-v2-aws

[cwbotbot]

Test Results

e2e-aws

• Status: ❌ FAIL
• Started: 2026-04-30T21:50:24Z
• View Job
• View Job History

e2e-aks

• Status: ❌ FAIL
• Started: 2026-04-30T21:50:24Z
• View Job
• View Job History

[openshift-merge-bot]

/retest-required

Remaining retests: 0 against base HEAD afd63bd and 2 for PR HEAD 71c61f1 in total

[bryan-cox]

/override "ci/prow/e2e-kubevirt-aws-ovn-reduced"

[openshift-ci]

@bryan-cox: Overrode contexts on behalf of bryan-cox: ci/prow/e2e-kubevirt-aws-ovn-reduced

Details

In response to this:

/override "ci/prow/e2e-kubevirt-aws-ovn-reduced"

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[bryan-cox]

/override "ci/prow/e2e-azure-self-managed"
/override "ci/prow/e2e-aws-upgrade-hypershift-operator"
/override "ci/prow/e2e-aws"
/override "ci/prow/e2e-aks"

[openshift-ci]

@bryan-cox: Overrode contexts on behalf of bryan-cox: ci/prow/e2e-aks, ci/prow/e2e-aws, ci/prow/e2e-aws-upgrade-hypershift-operator, ci/prow/e2e-azure-self-managed

Details

In response to this:

/override "ci/prow/e2e-azure-self-managed"
/override "ci/prow/e2e-aws-upgrade-hypershift-operator"
/override "ci/prow/e2e-aws"
/override "ci/prow/e2e-aks"

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[hypershift-jira-solve-ci]

AI Test Failure Analysis

Job: pull-ci-openshift-hypershift-main-e2e-aks | Build: 2049979460949643264 | Cost: $3.1518932500000005 | Failed step: hypershift-azure-run-e2e

View full analysis report

---

_{Generated by hypershift-analyze-e2e-failure post-step using Claude claude-opus-4-6}