USHIFT-6793: MicroShift CI Doctor - PCP tool prerequisites and GitHub token fix

[ggiguash]

Also addresses USHIFT-6863

Summary by CodeRabbit

• Chores
  • CI now ensures the user's local bin is on PATH and installs a performance-export utility and a plotting library into the user environment to improve diagnostics and metric export during test runs.
  • JIRA MCP setup was streamlined to skip redundant package installation and PATH modification, making configuration faster and cleaner.
  • Improved GitHub token generation and error handling for more reliable authentication during CI.

[openshift-ci-robot]

@ggiguash: This pull request references USHIFT-6793 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "5.0.0" version, but no target version was set.

Details

In response to this:

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[coderabbitai]

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

• @coderabbitai resume to resume automatic reviews.
• @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

• ▶️ Resume reviews
• 🔍 Trigger review

Walkthrough

Adds a new helper generate_github_token() to encapsulate GitHub App token generation and switches load_secrets() to call it; prepends ${HOME}/.local/bin to PATH before tool installs and installs uv==0.11.6 and matplotlib==3.9.4 into the user site; removes duplicated uv install and PATH export from the JIRA MCP configuration path.

Changes

Cohort / File(s)	Summary
GitHub token generation & secrets ci-operator/step-registry/openshift/microshift/claude/ci-doctor/openshift-microshift-claude-ci-doctor-commands.sh	Added generate_github_token() to centralize GitHub App JWT creation, installation ID lookup, and installation access token exchange; load_secrets() now calls this helper and relies on its return behavior instead of inlining token logic.
Prerequisites & Python deps ci-operator/step-registry/openshift/microshift/claude/ci-doctor/openshift-microshift-claude-ci-doctor-commands.sh	install_prerequisites() now prepends ${HOME}/.local/bin to PATH before installs and installs Python packages via pip install --user for uv==0.11.6 and matplotlib==3.9.4. PCP/tool download and install steps remain.
JIRA MCP configuration flow ci-operator/step-registry/openshift/microshift/claude/ci-doctor/openshift-microshift-claude-ci-doctor-commands.sh	In configure_claude() JIRA MCP setup: removed the prior inline uv pip install and the additional ${HOME}/.local/bin PATH export; invokes claude mcp add ... jira using the prereq-installed environment.

Sequence Diagram(s)

sequenceDiagram
    autonumber
    actor CI_Script as CI Script
    participant GH_Ext as "gh-token extension"
    participant GH_API as "GitHub REST API"
    participant Env as "Process Env"

    CI_Script->>GH_Ext: download & verify gh-token extension
    CI_Script->>GH_Ext: generate GitHub App JWT
    GH_Ext-->>CI_Script: JWT
    CI_Script->>GH_API: GET /app/installations (with JWT) -> installation_id
    GH_API-->>CI_Script: installation_id
    CI_Script->>GH_API: POST /app/installations/{id}/access_tokens (with JWT)
    GH_API-->>CI_Script: installation access token
    CI_Script->>Env: export GITHUB_TOKEN=<access token>

Loading

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

🚥 Pre-merge checks | ✅ 8 | ❌ 2

❌ Failed checks (2 warnings)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.
Title check	⚠️ Warning	The title mentions PCP tool prerequisites and GitHub token fix, but the raw summary shows only PCP prerequisites changes and no GitHub token-related changes in the actual code.	Update the title to accurately reflect the actual changes: remove the 'GitHub token fix' reference or clarify what GitHub token changes are included in the PR.

✅ Passed checks (8 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Stable And Deterministic Test Names	✅ Passed	The custom check for stable and deterministic Ginkgo test names is not applicable to this pull request. The PR modifies only a bash shell script that installs prerequisites and configures tools, with no Go code or Ginkgo test patterns.
Test Structure And Quality	✅ Passed	This pull request contains only bash script modifications and does not include any Ginkgo test code, making the custom check not applicable.
Microshift Test Compatibility	✅ Passed	This PR only modifies a shell script for CI environment setup. No new Ginkgo e2e tests were added, so this check is not applicable.
Single Node Openshift (Sno) Test Compatibility	✅ Passed	Pull request modifies shell script for CI infrastructure setup without adding new Ginkgo e2e tests, making SNO test compatibility check not applicable.
Topology-Aware Scheduling Compatibility	✅ Passed	PR modifies CI/CD shell script for tool installation and environment setup, not Kubernetes deployment manifests, operators, or controllers with scheduling constraints.
Ote Binary Stdout Contract	✅ Passed	The custom check for OTE Binary Stdout Contract is not applicable to this PR as it only modifies a Bash shell script, not Go binaries.
Ipv6 And Disconnected Network Test Compatibility	✅ Passed	PR modifies only shell script for CI configuration with no Ginkgo e2e tests added.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[openshift-ci-robot]

@ggiguash: This pull request references USHIFT-6793 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "5.0.0" version, but no target version was set.

Details

In response to this:

Summary by CodeRabbit

• Chores
• Improved CI environment setup by adding performance monitoring tools to support enhanced diagnostics during continuous integration testing.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (1)

ci-operator/step-registry/openshift/microshift/claude/ci-doctor/openshift-microshift-claude-ci-doctor-commands.sh (1)

106-106: Consider using pip install --user for consistency.

Line 176 in this same script uses pip install uv --user --upgrade. Using an unqualified pip install matplotlib here installs system-wide (or fails under PEP 668 "externally-managed-environment" restrictions on newer distros). For consistency and robustness, consider:

♻️ Proposed change

-    pip install matplotlib
+    pip install matplotlib --user

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In
`@ci-operator/step-registry/openshift/microshift/claude/ci-doctor/openshift-microshift-claude-ci-doctor-commands.sh`
at line 106, Replace the unqualified "pip install matplotlib" with a user-local
install to match the other installs and avoid system-wide/PEP 668 issues: change
the command to use the --user flag (e.g., "pip install --user matplotlib"), and
optionally add --upgrade if you want the same upgrade behavior as "pip install
uv --user --upgrade".

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In
`@ci-operator/step-registry/openshift/microshift/claude/ci-doctor/openshift-microshift-claude-ci-doctor-commands.sh`:
- Line 107: Replace the plain sudo invocation so it fails fast if a password
prompt would be required: update the command `sudo dnf install -y
pcp-export-pcp2json` to use non-interactive sudo (e.g. `sudo -n dnf install -y
pcp-export-pcp2json`) or prepend a quick check like `sudo -n true || { echo
"passworded sudo not allowed"; exit 1; }` before the install; ensure the change
targets the line containing `sudo dnf install -y pcp-export-pcp2json`.

---

Nitpick comments:
In
`@ci-operator/step-registry/openshift/microshift/claude/ci-doctor/openshift-microshift-claude-ci-doctor-commands.sh`:
- Line 106: Replace the unqualified "pip install matplotlib" with a user-local
install to match the other installs and avoid system-wide/PEP 668 issues: change
the command to use the --user flag (e.g., "pip install --user matplotlib"), and
optionally add --upgrade if you want the same upgrade behavior as "pip install
uv --user --upgrade".

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Pro Plus

Run ID: f62f7a6e-1108-4b15-abeb-5fbd76821ae4

📥 Commits

Reviewing files that changed from the base of the PR and between 7de9a9f and e776cd7.

📒 Files selected for processing (1)

• ci-operator/step-registry/openshift/microshift/claude/ci-doctor/openshift-microshift-claude-ci-doctor-commands.sh

[ggiguash]

/pj-rehearse periodic-ci-openshift-microshift-main-ci-doctor

[openshift-merge-bot]

@ggiguash: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

[ggiguash]

/pj-rehearse periodic-ci-openshift-microshift-main-ci-doctor

[openshift-merge-bot]

@ggiguash: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

[openshift-ci-robot]

@ggiguash: This pull request references USHIFT-6793 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "5.0.0" version, but no target version was set.

Details

In response to this:

Summary by CodeRabbit

• Chores
• Enhanced CI environment setup by installing performance monitoring utilities and a Python plotting library to improve diagnostics and metric export during test runs.
• Added progress log messages for the new tooling to make setup status clearer in CI output.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[coderabbitai]

🧹 Nitpick comments (1)

ci-operator/step-registry/openshift/microshift/claude/ci-doctor/openshift-microshift-claude-ci-doctor-commands.sh (1)

106-107: Consider pinning versions for reproducible CI.

pip install matplotlib and dnf install -y pcp-export-pcp2json both pull whatever is latest at job time, which can introduce silent behavior changes in CI Doctor runs. For consistency with the pinned gh-token (line 55) and mcp-atlassian@0.21.0 (line 185) patterns already used in this file, consider pinning matplotlib to a known-good version (e.g. pip install 'matplotlib==X.Y.Z'). Also note the pip install here runs without --user, unlike pip install uv --user --upgrade in configure_claude (line 176) — harmless if running as root in the container, but worth a consistency pass.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In
`@ci-operator/step-registry/openshift/microshift/claude/ci-doctor/openshift-microshift-claude-ci-doctor-commands.sh`
around lines 106 - 107, Pin the package versions and make pip usage consistent:
replace the unpinned "pip install matplotlib" with a specific version (e.g. "pip
install 'matplotlib==X.Y.Z'") and pin the DNF package by installing a known-good
release (ensure the exact pcp-export-pcp2json package version or repository
tag), and align pip invocation style with the existing "pip install uv --user
--upgrade" used in configure_claude by either adding "--user" or documenting why
system-wide install is required; update the "pip install matplotlib" and "dnf
install -y pcp-export-pcp2json" lines accordingly.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Nitpick comments:
In
`@ci-operator/step-registry/openshift/microshift/claude/ci-doctor/openshift-microshift-claude-ci-doctor-commands.sh`:
- Around line 106-107: Pin the package versions and make pip usage consistent:
replace the unpinned "pip install matplotlib" with a specific version (e.g. "pip
install 'matplotlib==X.Y.Z'") and pin the DNF package by installing a known-good
release (ensure the exact pcp-export-pcp2json package version or repository
tag), and align pip invocation style with the existing "pip install uv --user
--upgrade" used in configure_claude by either adding "--user" or documenting why
system-wide install is required; update the "pip install matplotlib" and "dnf
install -y pcp-export-pcp2json" lines accordingly.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Pro Plus

Run ID: 0e1065a0-22d5-4cfe-8fd9-6ff790b14c18

📥 Commits

Reviewing files that changed from the base of the PR and between e776cd7 and 7bb7611.

📒 Files selected for processing (1)

• ci-operator/step-registry/openshift/microshift/claude/ci-doctor/openshift-microshift-claude-ci-doctor-commands.sh

[ggiguash]

/pj-rehearse periodic-ci-openshift-microshift-main-ci-doctor

[openshift-merge-bot]

@ggiguash: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

[ggiguash]

/pj-rehearse periodic-ci-openshift-microshift-main-ci-doctor

[openshift-merge-bot]

@ggiguash: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

[ggiguash]

/pj-rehearse periodic-ci-openshift-microshift-main-ci-doctor

[openshift-merge-bot]

@ggiguash: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

[pmtk]

/lgtm

[ggiguash]

/pj-rehearse periodic-ci-openshift-microshift-main-ci-doctor

[openshift-merge-bot]

@ggiguash: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

[coderabbitai]

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Get PR commits
gh pr view 77966 --repo openshift/release --json commits --jq '.commits[] | {oid: .oid, messageHeadline: .messageHeadline, authoredDate: .authoredDate}'

echo "---DIFF---"
# Get the PR diff
gh pr diff 77966 --repo openshift/release

Length of output: 5473

---

@ggiguash: Regenerating the PR description summary now and performing a full code review below.

---

Full Code Review

Summary of Changes (Both Commits)

Commit 1 – "Install PCP tool prerequisites"

• install_prerequisites(): Prepends ${HOME}/.local/bin to PATH and installs uv==0.11.6 and matplotlib==3.9.4 via pip install --user.
• configure_claude(): Removes the now-redundant pip install uv --user --upgrade and export PATH="${HOME}/.local/bin:${PATH}" from the JIRA MCP setup block.

Commit 2 – "Fix token generation to use installation ID"

• Extracts all GitHub App token logic from load_secrets() into a new generate_github_token() function.
• The new function implements the correct two-step GitHub Apps auth flow: generate a JWT from app credentials → look up the installation ID → exchange for an installation access token. The old code was returning a raw JWT (App token), not a proper installation access token, which would have had limited/incorrect permissions.

---

Issues Found

🔴 Critical – generate_github_token() return value not checked

In load_secrets(), the call to generate_github_token does not check the return code:

if [ -f "${GITHUB_APP_ID_PATH}" ] && [ -f "${GITHUB_KEY_PATH}" ]; then
    generate_github_token       # <-- return 1 on failure is silently ignored
    echo "GitHub token generated."

All error paths inside generate_github_token() use return 1, which is correct for a function — but the caller must act on it. With the old inline code, failures called exit 1 and halted the script. Now, if any step fails (bad checksum, empty JWT, missing installation ID, or failed token exchange), the script will continue executing with GITHUB_TOKEN unset or empty.

Suggested fix:

if [ -f "${GITHUB_APP_ID_PATH}" ] && [ -f "${GITHUB_KEY_PATH}" ]; then
    if ! generate_github_token; then
        echo "ERROR: Failed to generate GitHub token"
        exit 1
    fi
    echo "GitHub token generated."

---

🟡 Minor – pip install placement may conflict with uv tool availability

uv==0.11.6 is installed via pip install --user in install_prerequisites(), and ${HOME}/.local/bin is exported to PATH in the same function before the install. This ordering is correct. However, configure_claude() subsequently calls uvx mcp-atlassian@0.21.0 — if configure_claude() is ever called without a prior call to install_prerequisites(), uvx will not be on PATH. Worth ensuring the call order is enforced or documenting the dependency.

---

🟢 Good Practices

• Pinned dependency versions (uv==0.11.6, matplotlib==3.9.4) — prevents unexpected breakage from upstream changes.
• SHA256 verification of the gh-token binary download is retained.
• PATH export moved earlier — placing export PATH="${HOME}/.local/bin:${PATH}" at the top of install_prerequisites() ensures it's available for all subsequent installs in that function, which is cleaner than the previous placement inside configure_claude().
• Proper two-step GitHub Apps auth — the new token flow (JWT → installation ID → installation access token) is the correct GitHub Apps authentication pattern and fixes a real functional bug in the old code.

✅ Actions performed

Summary regeneration triggered.

[ggiguash]

/pj-rehearse periodic-ci-openshift-microshift-main-ci-doctor

[openshift-merge-bot]

@ggiguash: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

[ggiguash]

/pj-rehearse periodic-ci-openshift-microshift-main-ci-doctor

[openshift-merge-bot]

@ggiguash: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

[ggiguash]

/pj-rehearse periodic-ci-openshift-microshift-main-ci-doctor

[openshift-merge-bot]

@ggiguash: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

[ggiguash]

/pj-rehearse periodic-ci-openshift-microshift-main-ci-doctor

[openshift-merge-bot]

@ggiguash: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

[openshift-merge-bot]

[REHEARSALNOTIFIER]
@ggiguash: the pj-rehearse plugin accommodates running rehearsal tests for the changes in this PR. Expand 'Interacting with pj-rehearse' for usage details. The following rehearsable tests have been affected by this change:

Test name	Repo	Type	Reason
periodic-ci-openshift-microshift-main-ci-doctor	N/A	periodic	Registry content changed

Interacting with pj-rehearse

Comment: /pj-rehearse to run up to 5 rehearsals
Comment: /pj-rehearse skip to opt-out of rehearsals
Comment: /pj-rehearse {test-name}, with each test separated by a space, to run one or more specific rehearsals
Comment: /pj-rehearse more to run up to 10 rehearsals
Comment: /pj-rehearse max to run up to 25 rehearsals
Comment: /pj-rehearse auto-ack to run up to 5 rehearsals, and add the rehearsals-ack label on success
Comment: /pj-rehearse list to get an up-to-date list of affected jobs
Comment: /pj-rehearse abort to abort all active rehearsals
Comment: /pj-rehearse network-access-allowed to allow rehearsals of tests that have the restrict_network_access field set to false. This must be executed by an openshift org member who is not the PR author

Once you are satisfied with the results of the rehearsals, comment: /pj-rehearse ack to unblock merge. When the rehearsals-ack label is present on your PR, merge will no longer be blocked by rehearsals.
If you would like the rehearsals-ack label removed, comment: /pj-rehearse reject to re-block merging.

[openshift-ci]

@ggiguash: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/rehearse/periodic-ci-openshift-microshift-main-ci-doctor	b8e17da	link	unknown	/pj-rehearse periodic-ci-openshift-microshift-main-ci-doctor

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

[ggiguash]

/pj-rehearse ack

[openshift-merge-bot]

@ggiguash: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

[pmtk]

/lgtm

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: ggiguash, pmtk

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• ci-operator/step-registry/openshift/microshift/claude/ci-doctor/OWNERS [ggiguash,pmtk]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment