OCPBUGS-85084: fix(ci): use explicit lease in dependabot commit fix push#8476

Merged
openshift-merge-bot[bot] merged 1 commit into
openshift:mainfrom
jparrill:OCPBUGS-85084
May 11, 2026

@jparrill
Contributor

@jparrill jparrill commented May 11, 2026

Summary

  • Fix --force-with-lease push failure ("stale info") in the dependabot commit message fix workflow
  • Use explicit lease form --force-with-lease=<ref>:<expected-sha> instead of relying on local tracking refs that don't exist in the shallow detached HEAD clone created by actions/checkout

Root Cause Analysis

The dependabot-commit-fix-reusable.yaml workflow (introduced in #8435) rewrites dependabot commit messages to pass gitlint, then pushes the amended commit. Every push has failed since the workflow was introduced.

Why it fails:

  1. actions/checkout with ref: <SHA> + fetch-depth: 2 creates a shallow clone in detached HEAD state
  2. In this state, git has no remote tracking branches (no refs/remotes/origin/<branch>)
  3. --force-with-lease without an explicit expected value needs the local remote-tracking ref to compare against the current remote state
  4. Since no tracking ref exists, git reports (stale info) and rejects the push

Evidence: All 6 workflow runs triggered by dependabot Gitlint failures on 2026-05-08 failed with the same error:

! [rejected] HEAD -> dependabot/go_modules/... (stale info)
error: failed to push some refs to 'https://github.com/openshift/hypershift'

Fix: Use --force-with-lease=${HEAD_BRANCH}:${HEAD_SHA} which explicitly provides the expected remote SHA, bypassing the need for local tracking refs. Verified empirically by reproducing the exact actions/checkout shallow clone scenario locally.

Test plan

🤖 Generated with Claude Code

Validation

Summary by CodeRabbit

  • Chores
    • Enhanced the reliability of automated commit processing in continuous integration workflows by refining version control push operations with more precise specifications for handling code updates.
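
The failure and the fix described above can be reproduced offline. This is an added example, not code from the PR or from the hypershift workflow. It assumes a local bare repository standing in for GitHub and a shallow fetch by URL standing in for actions/checkout; the branch name and commit messages are made up.

```shell
#!/usr/bin/env bash
# Constructed reproduction: repository paths, branch name and commit messages
# are made up; only the git behaviour is what the PR describes.
g() {  # git isolated from host config, with a throwaway identity
  LC_ALL=C GIT_CONFIG_GLOBAL=/dev/null GIT_CONFIG_NOSYSTEM=1 \
    git -c user.name=ci -c user.email=ci@example.invalid "$@"
}

lease_demo() {
  work=$(mktemp -d) || return 1
  HEAD_BRANCH=dependabot/demo
  g init -q --bare "$work/remote.git"
  g init -q "$work/seed"
  for m in one two "Bump foo from 1 to 2"; do
    g -C "$work/seed" commit -q --allow-empty -m "$m"
  done
  g -C "$work/seed" push -q "$work/remote.git" "HEAD:refs/heads/$HEAD_BRANCH"
  HEAD_SHA=$(g -C "$work/seed" rev-parse HEAD)

  # Stand-in for actions/checkout with ref: <SHA> and fetch-depth: 2:
  # shallow fetch by URL, detached HEAD, no refs/remotes/origin/<branch>.
  g init -q "$work/ci"
  g -C "$work/ci" fetch -q --depth=2 "file://$work/remote.git" "$HEAD_BRANCH"
  g -C "$work/ci" checkout -q --detach FETCH_HEAD
  g -C "$work/ci" remote add origin "file://$work/remote.git"
  g -C "$work/ci" commit -q --amend --allow-empty -m "chore(deps): bump foo"

  # 1) Bare lease: the expected value would come from a tracking ref,
  #    which does not exist here, so the push is rejected.
  BARE_OUT=$(g -C "$work/ci" push --force-with-lease origin \
    "HEAD:refs/heads/$HEAD_BRANCH" 2>&1) && BARE_RC=0 || BARE_RC=$?

  # 2) Explicit lease: the expected value is the SHA the job was given.
  g -C "$work/ci" push -q --force-with-lease="$HEAD_BRANCH:$HEAD_SHA" origin \
    "HEAD:refs/heads/$HEAD_BRANCH" 2>/dev/null && EXPLICIT_RC=0 || EXPLICIT_RC=$?
  REMOTE_TIP=$(g -C "$work/remote.git" rev-parse "refs/heads/$HEAD_BRANCH")
  CI_TIP=$(g -C "$work/ci" rev-parse HEAD)

  # 3) The lease still guards the branch: the remote has moved past
  #    HEAD_SHA, so reusing that expected value is rejected.
  g -C "$work/ci" commit -q --amend --allow-empty -m "chore(deps): bump foo again"
  MOVED_OUT=$(g -C "$work/ci" push --force-with-lease="$HEAD_BRANCH:$HEAD_SHA" \
    origin "HEAD:refs/heads/$HEAD_BRANCH" 2>&1) && MOVED_RC=0 || MOVED_RC=$?
  FINAL_TIP=$(g -C "$work/remote.git" rev-parse "refs/heads/$HEAD_BRANCH")
  rm -rf "$work"
}

lease_demo
printf 'bare lease rc=%s\nexplicit lease rc=%s\nstale explicit lease rc=%s\n' \
  "$BARE_RC" "$EXPLICIT_RC" "$MOVED_RC"
```

Step 3 is the property that makes the explicit form safe to use in automation: if anyone else updates the branch between checkout and push, the expected SHA no longer matches and the amended commit does not overwrite their work.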

The --force-with-lease push in the dependabot commit fix workflow
fails with "stale info" because actions/checkout creates a shallow
detached HEAD clone that lacks remote tracking information.

Use the explicit --force-with-lease=<ref>:<expected-sha> form to
supply the known original SHA directly, eliminating the need for
local tracking refs.

Signed-off-by: Juan Manuel Parrilla Madrid <jparrill@redhat.com>
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Signed-off-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
@openshift-merge-bot
Contributor

Pipeline controller notification
This repo is configured to use the pipeline controller. Second-stage tests will be triggered either automatically or after lgtm label is added, depending on the repository configuration. The pipeline controller will automatically detect which contexts are required and will utilize /test Prow commands to trigger the second stage.

For optional jobs, comment /test ? to see a list of all defined jobs. To trigger manually all jobs from second stage use /pipeline required command.

This repository is configured in: LGTM mode

@openshift-ci-robot openshift-ci-robot added jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. jira/invalid-bug Indicates that a referenced Jira bug is invalid for the branch this PR is targeting. labels May 11, 2026
@openshift-ci-robot

@jparrill: This pull request references Jira Issue OCPBUGS-85084, which is invalid:

  • expected the bug to be in one of the following states: NEW, ASSIGNED, POST, but it is ON_QA instead

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

The bug has been updated to refer to the pull request using the external bug tracker.

@coderabbitai
Contributor

coderabbitai Bot commented May 11, 2026

Walkthrough

This change modifies a reusable GitHub Actions workflow to enhance the git push operation. The workflow now passes the HEAD_SHA input into the job environment variables alongside HEAD_BRANCH. The git push command is updated to use a fully qualified refspec with --force-with-lease=${HEAD_BRANCH}:${HEAD_SHA} instead of the previous --force-with-lease without a specified lease target, improving the safety of force-push operations.

🚥 Pre-merge checks | ✅ 12
✅ Passed checks (12 passed)

| Check name | Status | Explanation |
| --- | --- | --- |
| Title check | ✅ Passed | The title clearly describes the main change: using an explicit lease argument in the dependabot commit fix push workflow to resolve a git push failure. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Stable And Deterministic Test Names | ✅ Passed | Custom check for stable Ginkgo test names is not applicable. PR only modifies a GitHub Actions workflow file, not any test files. |
| Test Structure And Quality | ✅ Passed | Check not applicable. Custom check reviews Ginkgo test code quality, but PR only modifies a GitHub Actions workflow YAML file (.github/workflows/dependabot-commit-fix-reusable.yaml), not test code. |
| Microshift Test Compatibility | ✅ Passed | This PR does not add any new Ginkgo e2e tests. It only modifies a GitHub Actions workflow config file. The MicroShift Test Compatibility check is not applicable. |
| Single Node Openshift (Sno) Test Compatibility | ✅ Passed | This PR modifies only a GitHub Actions workflow YAML file. It does not add any Ginkgo e2e tests, so the SNO test compatibility check does not apply. |
| Topology-Aware Scheduling Compatibility | ✅ Passed | PR only modifies GitHub Actions workflow file, not deployment manifests, operator code, or controllers. Topology-aware scheduling check does not apply. |
| Ote Binary Stdout Contract | ✅ Passed | Check not applicable. PR modifies only GitHub Actions YAML workflow, not Go code or OTE binary code. OTE Binary Stdout Contract applies only to process-level code in binaries. |
| Ipv6 And Disconnected Network Test Compatibility | ✅ Passed | This PR modifies a GitHub Actions workflow file (.github/workflows/dependabot-commit-fix-reusable.yaml) to fix a git push issue. No Ginkgo e2e tests are added. The custom check is not applicable. |
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |

@openshift-ci openshift-ci Bot requested review from devguyio and sjenning May 11, 2026 10:49
@openshift-ci openshift-ci Bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label May 11, 2026
@jparrill
Contributor Author

/area ci-tooling

@openshift-ci openshift-ci Bot added area/ci-tooling Indicates the PR includes changes for CI or tooling and removed do-not-merge/needs-area labels May 11, 2026
Member

@bryan-cox bryan-cox left a comment

/lgtm

@jparrill
Contributor Author

/jra refresh

@jparrill
Contributor Author

/verified bypass

@openshift-ci-robot openshift-ci-robot added the verified Signifies that the PR passed pre-merge verification criteria label May 11, 2026
@openshift-ci-robot

@jparrill: The verified label has been added.

@openshift-ci openshift-ci Bot added the lgtm Indicates that a PR is ready to be merged. label May 11, 2026
@openshift-merge-bot
Contributor

Pipeline controller notification

No second-stage tests were triggered for this PR.

This can happen when:

  • The changed files don't match any pipeline_run_if_changed patterns
  • All files match pipeline_skip_if_only_changed patterns
  • No pipeline-controlled jobs are defined for the main branch

Use /test ? to see all available tests.

@openshift-ci
Contributor

openshift-ci Bot commented May 11, 2026

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: bryan-cox, jparrill

@jparrill
Contributor Author

/jira refresh

@openshift-ci-robot openshift-ci-robot added jira/valid-bug Indicates that a referenced Jira bug is valid for the branch this PR is targeting. and removed jira/invalid-bug Indicates that a referenced Jira bug is invalid for the branch this PR is targeting. labels May 11, 2026
@openshift-ci-robot

@jparrill: This pull request references Jira Issue OCPBUGS-85084, which is valid.

3 validation(s) were run on this bug
  • bug is open, matching expected state (open)
  • bug target version (5.0.0) matches configured target version for branch (5.0.0)
  • bug is in the state POST, which is one of the valid states (NEW, ASSIGNED, POST)

@jparrill
Contributor Author

/override e2e-azure-v2-self-managed

@openshift-ci
Contributor

openshift-ci Bot commented May 11, 2026

@jparrill: /override requires failed status contexts, check run or a prowjob name to operate on.
The following unknown contexts/checkruns were given:

  • e2e-azure-v2-self-managed

Only the following failed contexts/checkruns were expected:

  • CodeRabbit
  • ci/prow/e2e-azure-v2-self-managed
  • ci/prow/images
  • ci/prow/okd-scos-images
  • ci/prow/verify-deps
  • envtest-kube / Envtest Vanilla Kube ${{ matrix.version }}
  • envtest-ocp / Envtest OCP (K8s ${{ matrix.version }})
  • pull-ci-openshift-hypershift-main-e2e-azure-v2-self-managed
  • pull-ci-openshift-hypershift-main-images
  • pull-ci-openshift-hypershift-main-okd-scos-images
  • pull-ci-openshift-hypershift-main-verify-deps
  • test / Unit Tests (${{ matrix.shard }})
  • tide

If you are trying to override a checkrun that has a space in it, you must put a double quote on the context.

@openshift-merge-bot openshift-merge-bot Bot merged commit 1abf815 into openshift:main May 11, 2026
18 of 19 checks passed
@openshift-ci-robot

@jparrill: Jira Issue OCPBUGS-85084: All pull requests linked via external trackers have merged:

Jira Issue OCPBUGS-85084 has been moved to the MODIFIED state.

@openshift-merge-robot
Contributor

Fix included in release 5.0.0-0.nightly-2026-05-12-025124
