CNTRLPLANE-3329: Fix gocacheprog cache corruption with atomic writes

[celebdor]

Summary

• Fixes golangci-lint typecheck failures caused by GOCACHEPROG serving corrupted cache entries
• os.WriteFile uses O_TRUNC which temporarily zeros a file — concurrent readers via DiskPath see partial content and get "bad checksum" errors
• Uses temp-file-then-rename for atomic writes (rename is atomic on POSIX, so readers never see partial content)
• Adds TestConcurrentPutSameOutputID which deterministically reproduces the corruption (50/50 failures without the fix, 0 failures with it)
• Adds a dedicated CI workflow to run gocacheprog unit tests on PRs that modify contrib/ci/gocacheprog/ (since it's a separate Go module, the main test workflow doesn't cover it)

Supersedes #8623 (the lint workaround) once this merges and the runner image rebuilds.

Test plan

• Unit tests pass with -race
• TestConcurrentPutSameOutputID fails 50/50 without fix, passes 20/20 with fix
• Reproduced locally: go build ./... then make lint via gocacheprog — fails without fix, passes with fix
• Lint CI job passes on this PR

🤖 Generated with Claude Code

Summary by CodeRabbit

• Bug Fixes

  • Cache files are now written atomically so concurrent readers never observe truncated or partial data.

• Tests

  • Added a concurrency test that validates concurrent writes/reads to the cache do not produce corrupted or empty files.

• Chores

  • Added reusable and PR-triggered CI workflows to run the concurrency-focused tests.

[openshift-merge-bot]

Pipeline controller notification
This repo is configured to use the pipeline controller. Second-stage tests will be triggered either automatically or after lgtm label is added, depending on the repository configuration. The pipeline controller will automatically detect which contexts are required and will utilize /test Prow commands to trigger the second stage.

For optional jobs, comment /test ? to see a list of all defined jobs. To trigger manually all jobs from second stage use /pipeline required command.

This repository is configured in: LGTM mode

[openshift-ci-robot]

@celebdor: This pull request references CNTRLPLANE-3329 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "5.0.0" version, but no target version was set.

Details

In response to this:

Summary

• Fixes golangci-lint typecheck failures caused by GOCACHEPROG serving corrupted cache entries
• os.WriteFile uses O_TRUNC which temporarily zeros a file — concurrent readers via DiskPath see partial content and get "bad checksum" errors
• Uses temp-file-then-rename for atomic writes
• Skips writing data files that already exist with the correct size

Supersedes #8623 (the lint workaround) once this merges and the runner image rebuilds.

Test plan

• Unit tests pass with -race
• Reproduced locally: go build ./... then make lint via gocacheprog — fails without fix, passes with fix
• Lint CI job passes on this PR

🤖 Generated with Claude Code

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[coderabbitai]

📝 Walkthrough

Walkthrough

Added writeFileAtomic to write bytes to a temp file in the target directory and atomically rename it into place. handlePut now uses writeFileAtomic for both the output data file and the action entry file and returns errors if those atomic writes fail. A new test TestConcurrentPutSameOutputID runs concurrent PUTs (same OutputID) and interleaved GETs to detect any partial/corrupted reads.

Sequence Diagram(s)

sequenceDiagram
  participant Client
  participant handlePut
  participant writeFileAtomic
  participant Filesystem
  participant Reader
  Client->>handlePut: PUT request (OutputID, Body)
  handlePut->>writeFileAtomic: writeFileAtomic(dPath, Body)
  writeFileAtomic->>Filesystem: create temp file & write bytes
  writeFileAtomic->>Filesystem: close temp file
  writeFileAtomic->>Filesystem: rename temp -> dPath (atomic)
  Filesystem-->>handlePut: write success
  handlePut-->>Client: respond with DiskPath
  Reader->>Filesystem: GET dPath (concurrent reads)
  Filesystem-->>Reader: return full file contents (post-rename)

Loading

Possibly related PRs

• openshift/hypershift#8576: Introduced gocacheprog implementation and initial concurrency testing scaffolding; relates to these atomic-write and concurrent-put changes.

🚥 Pre-merge checks | ✅ 11

✅ Passed checks (11 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title clearly and concisely summarizes the main change: fixing cache corruption in gocacheprog using atomic writes, which matches the primary implementation (writeFileAtomic helper) and test additions.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names	✅ Passed	The PR contains only standard Go tests, not Ginkgo tests. TestConcurrentPutSameOutputID uses a stable, deterministic name with no dynamic content.
Test Structure And Quality	✅ Passed	PR contains standard Go testing.T tests, not Ginkgo tests. Custom check for Ginkgo test quality is not applicable.
Topology-Aware Scheduling Compatibility	✅ Passed	PR only modifies gocacheprog CI tool and workflows—no Kubernetes deployments, operators, controllers, or scheduling constraints introduced.
Ipv6 And Disconnected Network Test Compatibility	✅ Passed	No Ginkgo e2e tests added; TestConcurrentPutSameOutputID is a standard Go unit test for gocacheprog (a CI caching utility), not an OpenShift e2e test.
No-Weak-Crypto	✅ Passed	No weak crypto (MD5, SHA1, DES, RC4, 3DES, Blowfish, ECB), custom crypto implementations, or non-constant-time secret comparisons detected in code changes.
Container-Privileges	✅ Passed	PR contains no Kubernetes manifests or container specs with privileged settings. Changes are Go code and GitHub Actions workflows without privilege escalation.
No-Sensitive-Data-In-Logs	✅ Passed	No logging statements expose sensitive data like passwords, tokens, API keys, PII, or session IDs. All logs contain only generic error messages, hexadecimal cache IDs, or test data.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[celebdor]

/override ci/prow/images

[celebdor]

/override ci/prow/okd-scos-images

[celebdor]

/override ci/prow/verify-deps

[openshift-ci]

@celebdor: Overrode contexts on behalf of celebdor: ci/prow/verify-deps

Details

In response to this:

/override ci/prow/verify-deps

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[openshift-ci]

@celebdor: Overrode contexts on behalf of celebdor: ci/prow/okd-scos-images

Details

In response to this:

/override ci/prow/okd-scos-images

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[openshift-ci]

@celebdor: Overrode contexts on behalf of celebdor: ci/prow/images

Details

In response to this:

/override ci/prow/images

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[coderabbitai]

Actionable comments posted: 0

[celebdor]

/hold

Adding tests and fine tuning

[celebdor]

/hold cancel

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@contrib/ci/gocacheprog/main_test.go`:
- Around line 463-471: The test currently ignores GET misses and file read
errors; update the loop where getReq is created and handleGet is called (see
getReq, handleGet, resp.Miss, and os.ReadFile) so that if resp.Miss is true or
os.ReadFile returns an error you increment badReads (or the test failure
counter) just like when the bytes differ, and do not silently return; this
ensures misses and read errors are counted as test failures.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 1b0226b8-c931-497f-8399-90fb3393c8fc

📥 Commits

Reviewing files that changed from the base of the PR and between b10fff2 and 64c2027.

📒 Files selected for processing (2)

• contrib/ci/gocacheprog/main.go
• contrib/ci/gocacheprog/main_test.go

[coderabbitai]

⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Count GET misses and read errors as test failures.

Right now this only increments badReads when the bytes differ, so the test still passes if concurrent PUTs make handleGet return a miss or make DiskPath unreadable. Those are part of the failure mode this test is supposed to catch.

🔧 Suggested fix

 		go func() {
 			defer wg.Done()
 			getReq := &request{ID: int64(i + 5000), Command: "get", ActionID: seedAction}
 			resp := handleGet(getReq, "", rwDir)
 			if resp.Miss {
+				badReads.Add(1)
 				return
 			}
 			data, err := os.ReadFile(resp.DiskPath)
 			if err != nil {
+				badReads.Add(1)
 				return
 			}
 			if string(data) != string(body) {
 				badReads.Add(1)
 			}
 		}()

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	getReq := &request{ID: int64(i + 5000), Command: "get", ActionID: seedAction}
	resp := handleGet(getReq, "", rwDir)
	if resp.Miss {
	return
	}
	data, err := os.ReadFile(resp.DiskPath)
	if err != nil {
	return
	}
	go func() {
	defer wg.Done()
	getReq := &request{ID: int64(i + 5000), Command: "get", ActionID: seedAction}
	resp := handleGet(getReq, "", rwDir)
	if resp.Miss {
	badReads.Add(1)
	return
	}
	data, err := os.ReadFile(resp.DiskPath)
	if err != nil {
	badReads.Add(1)
	return
	}
	if string(data) != string(body) {
	badReads.Add(1)
	}
	}()

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@contrib/ci/gocacheprog/main_test.go` around lines 463 - 471, The test
currently ignores GET misses and file read errors; update the loop where getReq
is created and handleGet is called (see getReq, handleGet, resp.Miss, and
os.ReadFile) so that if resp.Miss is true or os.ReadFile returns an error you
increment badReads (or the test failure counter) just like when the bytes
differ, and do not silently return; this ensures misses and read errors are
counted as test failures.

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/gocacheprog-test.yaml:
- Line 13: The workflow currently references the reusable workflow as
"openshift/hypershift/.github/workflows/gocacheprog-test-reusable.yaml@main",
which is mutable; update that reference to an immutable revision by replacing
"`@main`" with a specific commit SHA (e.g. "@<commit-sha>") or point to a local
workflow file (e.g. use a relative path to a vendored copy) so CI runs a
deterministic reusable workflow revision.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: da86a048-52fa-4fc7-93e3-fd97fd5bb262

📥 Commits

Reviewing files that changed from the base of the PR and between 64c2027 and 07ec332.

📒 Files selected for processing (2)

• .github/workflows/gocacheprog-test-reusable.yaml
• .github/workflows/gocacheprog-test.yaml

[coderabbitai]

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "== File: .github/workflows/gocacheprog-test.yaml =="
if [ -f ".github/workflows/gocacheprog-test.yaml" ]; then
  nl -ba .github/workflows/gocacheprog-test.yaml | sed -n '1,160p'
else
  echo "Missing file .github/workflows/gocacheprog-test.yaml"
fi

echo
echo "== Look for local reusable workflow file =="
ls -la .github/workflows | head -n 200 || true
echo
fd -H "gocacheprog-test-reusable\.yaml" .github/workflows || true

echo
echo "== Search for references to gocacheprog-test-reusable.yaml =="
rg -n "gocacheprog-test-reusable\.yaml(@|$)" .github/workflows -S || true

Repository: openshift/hypershift

Length of output: 177

---

🏁 Script executed:

#!/bin/bash
set -euo pipefail

FILE=".github/workflows/gocacheprog-test.yaml"
echo "== File: $FILE =="
if [ -f "$FILE" ]; then
  cat -n "$FILE" | sed -n '1,220p'
else
  echo "Missing $FILE"
fi

echo
echo "== Listing .github/workflows (first 200 entries) =="
ls -la .github/workflows | head -n 200 || true

echo
echo "== Find local reusable workflow candidates =="
fd -H "gocacheprog-test-reusable\.yaml$" .github/workflows || true
fd -H "gocacheprog-test-reusable" .github/workflows || true

echo
echo "== Search for references to gocacheprog-test-reusable.yaml =="
rg -n "gocacheprog-test-reusable\.yaml(@|$)" .github/workflows -S || true

echo
echo "== Show any uses: .../gocacheprog-test-reusable... lines =="
rg -n "uses:\s*openshift/hypershift/\.github/workflows/gocacheprog-test-reusable\.yaml@" .github/workflows -S || true

Repository: openshift/hypershift

Length of output: 2943

---

🏁 Script executed:

#!/bin/bash
set -euo pipefail

FILE=".github/workflows/gocacheprog-test-reusable.yaml"
echo "== File: $FILE =="
if [ -f "$FILE" ]; then
  cat -n "$FILE" | sed -n '1,220p'
else
  echo "Missing $FILE"
fi

echo
echo "== Search for tag/mutable refs in reusable workflow =="
rg -n "uses:\s*[^ ]+@((main)|(master)|(v[0-9]+)|(\w+))\b" .github/workflows/gocacheprog-test-reusable.yaml -S || true

echo
echo "== Search specifically for `@main` in reusable workflow =="
rg -n "`@main`\b" .github/workflows/gocacheprog-test-reusable.yaml -S || true

Repository: openshift/hypershift

Length of output: 1217

---

Pin reusable workflow reference to an immutable revision (avoid @main).

In .github/workflows/gocacheprog-test.yaml, the job calls openshift/hypershift/.github/workflows/gocacheprog-test-reusable.yaml@main (mutable), so CI won’t necessarily run the same reusable workflow revision deterministically. Use a local workflow reference (or a full commit SHA) instead.

🔒 Proposed fix

-    uses: openshift/hypershift/.github/workflows/gocacheprog-test-reusable.yaml@main
+    uses: ./.github/workflows/gocacheprog-test-reusable.yaml

🧰 Tools

🪛 zizmor (1.25.2)

[error] 13-13: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/gocacheprog-test.yaml at line 13, The workflow currently
references the reusable workflow as
"openshift/hypershift/.github/workflows/gocacheprog-test-reusable.yaml@main",
which is mutable; update that reference to an immutable revision by replacing
"`@main`" with a specific commit SHA (e.g. "@<commit-sha>") or point to a local
workflow file (e.g. use a relative path to a vendored copy) so CI runs a
deterministic reusable workflow revision.

[openshift-ci]

@celebdor: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/images	07ec332	link	true	/test images

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

[hypershift-jira-solve-ci]

Now I have the complete picture. Let me produce the report.

Test Failure Analysis Complete

Job Information

• Prow Job: lint / Lint (GitHub Actions workflow Lint, reusable workflow lint-reusable.yaml)
• Build ID: Run 26582810217, Job 78320291148
• PR: CNTRLPLANE-3329: Fix gocacheprog cache corruption with atomic writes #8624 — CNTRLPLANE-3329: Fix gocacheprog cache corruption with atomic writes
• Branch: CNTRLPLANE-3329/gocacheprog-atomic-writes
• Commit: 07ec3323ab4f

Test Failure Analysis

Error

hypershift-operator/controllers/manifests/networkpolicy/manifests.go:1: : loading compiled Go files from cache: reading srcfiles list: cache entry not found: bad checksum (typecheck)

Summary

The lint job fails with a Go toolchain typecheck error caused by corrupt cache entries served by gocacheprog from the shared EFS-backed read-only cache at /cache/go-build. This is a pre-existing infrastructure flake affecting all PRs targeting main — not caused by the changes in PR #8624. Every lint run using the reusable workflow (which enables gocacheprog) has failed since at least 11:49 UTC on 2026-05-28. The only recent successful lint run was a release-4.22 backport PR that used an older workflow without gocacheprog.

Root Cause

The lint-reusable.yaml workflow includes a warm-go-cache composite action that sets GOCACHEPROG=gocacheprog --ro /cache/go-build --rw /tmp/go-build-cache. This instructs Go's build toolchain to use the gocacheprog binary as an external cache program per the GOEXPERIMENT=cacheprog feature.

The shared read-only cache at /cache/go-build (mounted from EFS on the ARC runner nodes) contains corrupt or stale cache entries where the stored checksums no longer match the data. When golangci-lint invokes the Go type-checker and the toolchain reads compiled .go files from this cache through gocacheprog, it encounters entries whose checksums fail validation, producing the error cache entry not found: bad checksum.

The corruption is non-deterministic in which file it manifests — different runs hit different files (e.g., networkpolicy/manifests.go, cco/reconcile.go, conditions.go, certificates/register.go, alerts/reconcile.go) — but the failure pattern is identical: the Go toolchain rejects a cached artifact because the data doesn't match its recorded hash.

Ironically, PR #8624 itself introduces the fix for this class of problem — it replaces os.WriteFile (which truncates-then-writes, creating a window where concurrent readers see partial data) with atomic writes via os.Rename. However, the PR's code changes are to contrib/ci/gocacheprog/main.go and the fix is not yet deployed to the runner nodes. The currently-running gocacheprog binary on the ARC runners is still the old, vulnerable version. The corrupt /cache/go-build data was likely produced by the non-atomic writes the PR is attempting to fix.

Recommendations

1. Immediate unblock: Rebuild the shared EFS cache at /cache/go-build from scratch with a clean Go build to purge all corrupt entries. Alternatively, temporarily remove or empty the /cache/go-build directory on the runner nodes.

2. Merge and deploy PR CNTRLPLANE-3329: Fix gocacheprog cache corruption with atomic writes #8624: This PR directly fixes the root cause — gocacheprog using non-atomic os.WriteFile which truncates the file before writing, allowing concurrent readers to see partial/empty content that results in bad checksums. The fix uses os.Rename for atomic replacement. However, the PR itself can't pass lint until the cache is fixed (chicken-and-egg problem).

3. Short-term workaround: Disable gocacheprog in the lint workflow by either:

   • Removing the warm-go-cache step from lint-reusable.yaml, or
   • Adding GOCACHEPROG: "" override in the make lint step's env block.

   This will make lint slower but allow all PRs to pass.

4. After deploying the atomic-write fix: Rebuild the shared cache once more, then re-enable gocacheprog in the lint workflow.

Evidence

Evidence	Detail
Error message	loading compiled Go files from cache: reading srcfiles list: cache entry not found: bad checksum (typecheck)
Affected file (this run)	hypershift-operator/controllers/manifests/networkpolicy/manifests.go:1
Affected file (other run, PR metrics-forwarding-api)	control-plane-operator/.../cco/reconcile.go:1
Affected file (other run, PR CNTRLPLANE-3167)	control-plane-pki-operator/clienthelpers/conditions.go:12:2 (cascading import chain)
GOCACHEPROG value	gocacheprog --ro /cache/go-build --rw /tmp/go-build-cache
Shared cache path	/cache/go-build (EFS-backed read-only mount)
All reusable-workflow runs failing	19/19 runs with ref_wf=1 failed since 11:49 UTC
Only successful run	backport-8421-release-4.22 — used direct workflow without gocacheprog (ref_wf=0)
PR #8624 files changed	contrib/ci/gocacheprog/main.go (atomic writes), main_test.go (concurrency tests), .github/workflows/gocacheprog-test*.yaml
PR fix not yet deployed	gocacheprog binary on runners is the pre-PR version without atomic writes
golangci-lint version	2.11.4 built with go1.25.7
Runner	arc-runner-set-r7cfx-runner-lr8w7 (ARC runner)

---

[csrwng]

/approve
/lgtm

[openshift-merge-bot]

Pipeline controller notification

No second-stage tests were triggered for this PR.

This can happen when:

• The changed files don't match any pipeline_run_if_changed patterns
• All files match pipeline_skip_if_only_changed patterns
• No pipeline-controlled jobs are defined for the main branch

Use /test ? to see all available tests.

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: celebdor, csrwng

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS [csrwng]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment