Skip to content

CNTRLPLANE-3278: fix verify-workflows to check PR head, not merge commit#78025

Merged
openshift-merge-bot[bot] merged 1 commit intoopenshift:mainfrom
bryan-cox:fix-verify-workflows
Apr 20, 2026
Merged

CNTRLPLANE-3278: fix verify-workflows to check PR head, not merge commit#78025
openshift-merge-bot[bot] merged 1 commit intoopenshift:mainfrom
bryan-cox:fix-verify-workflows

Conversation

@bryan-cox
Copy link
Copy Markdown
Member

@bryan-cox bryan-cox commented Apr 20, 2026

Summary

Problem

ci-operator creates a merge commit when building the src image:

  • HEAD = merge of PR into main
  • HEAD^1 = main (base branch)
  • HEAD^2 = actual PR head commit

The original script compared HEAD:.github/workflows/* against main, but since HEAD is the merge result, workflow files from main are always present — the check always passed regardless of the PR branch state.

Verified locally:

# On the merge result (HEAD), workflow files match main:
git rev-parse HEAD:.github/workflows/test.yaml == git rev-parse MAIN:.github/workflows/test.yaml  ✓

# But the actual PR branch (HEAD^2) has outdated files:
git rev-parse HEAD^2:.github/workflows/test.yaml != git rev-parse MAIN:.github/workflows/test.yaml  ✗

Fix

Extract the actual PR head commit via HEAD^2 (second parent of the merge commit) and compare that against main instead:

PR_HEAD=$(git rev-parse HEAD^2 2>/dev/null) || PR_HEAD="HEAD"

Falls back to HEAD if there's no second parent (e.g., non-merge context).

Test plan

🤖 Generated with Claude Code

Summary by CodeRabbit

  • Chores
    • Enhanced PR verification workflow with improved git comparison logic for more accurate change detection
    • Added detailed logging for better visibility into the verification process

ci-operator runs tests on a merge commit (PR merged into base branch).
The verify-workflows script was comparing workflow files on HEAD, which
is the merge result and always contains main's files. This caused the
check to always pass, even for PRs with outdated workflows.

Fix by extracting the actual PR head commit (HEAD^2, the second parent
of the merge) and comparing that against main instead.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@openshift-ci-robot openshift-ci-robot added the jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. label Apr 20, 2026
@openshift-ci-robot
Copy link
Copy Markdown
Contributor

openshift-ci-robot commented Apr 20, 2026

@bryan-cox: This pull request references CNTRLPLANE-3278 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the task to target the "5.0.0" version, but no target version was set.

Details

In response to this:

Summary

Problem

ci-operator creates a merge commit when building the src image:

  • HEAD = merge of PR into main
  • HEAD^1 = main (base branch)
  • HEAD^2 = actual PR head commit

The original script compared HEAD:.github/workflows/* against main, but since HEAD is the merge result, workflow files from main are always present — the check always passed regardless of the PR branch state.

Verified locally:

# On the merge result (HEAD), workflow files match main:
git rev-parse HEAD:.github/workflows/test.yaml == git rev-parse MAIN:.github/workflows/test.yaml  ✓

# But the actual PR branch (HEAD^2) has outdated files:
git rev-parse HEAD^2:.github/workflows/test.yaml != git rev-parse MAIN:.github/workflows/test.yaml  ✗

Fix

Extract the actual PR head commit via HEAD^2 (second parent of the merge commit) and compare that against main instead:

PR_HEAD=$(git rev-parse HEAD^2 2>/dev/null) || PR_HEAD="HEAD"

Falls back to HEAD if there's no second parent (e.g., non-merge context).

Test plan

🤖 Generated with Claude Code

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@coderabbitai
Copy link
Copy Markdown
Contributor

coderabbitai Bot commented Apr 20, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Pro Plus

Run ID: 1e50e6d4-d8ab-4ff4-9eaa-b1a477e72491

📥 Commits

Reviewing files that changed from the base of the PR and between f5d1b0d and d906ff0.

📒 Files selected for processing (1)
  • ci-operator/config/openshift/hypershift/openshift-hypershift-main.yaml

Walkthrough

Updated the git comparison logic in the verify-workflows script within a CI workflow configuration file. The change switches from using the merge commit (HEAD) to deriving the PR's head commit (PR_HEAD) from the merge commit's second parent with a fallback, recalculates the base commit accordingly, and adjusts per-file hash lookups to use the derived PR head commit instead of the merge commit.

Changes

Cohort / File(s) Summary
CI Workflow Git Logic
ci-operator/config/openshift/hypershift/openshift-hypershift-main.yaml
Modified verify-workflows script to derive PR_HEAD from merge commit's second parent (HEAD^2) with fallback to HEAD, recompute BASE using git merge-base, add logging for PR_HEAD, MAIN_REF, and BASE, and update per-file hash lookups to reference PR_HEAD instead of HEAD.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes


Important

Pre-merge checks failed

Please resolve all errors before merging. Addressing warnings is optional.

❌ Failed checks (2 inconclusive)

Check name Status Explanation Resolution
Test Structure And Quality ❓ Inconclusive PR modifies CI operator configuration file with shell script, not Ginkgo test code subject to this check. Verify if check applies to this PR or if Ginkgo tests exist elsewhere that require review.
Ote Binary Stdout Contract ❓ Inconclusive Unable to execute shell command to examine file contents. Provide the file content or verify file path accessibility.
✅ Passed checks (8 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title accurately summarizes the main change: fixing the verify-workflows script to compare against the PR head commit instead of the merge commit.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Stable And Deterministic Test Names ✅ Passed PR modifies only YAML CI configuration file with bash script commands. No Ginkgo test code was modified. Custom check targeting Ginkgo tests is not applicable.
Microshift Test Compatibility ✅ Passed This custom check is specifically designed to assess MicroShift API compatibility for new Ginkgo e2e tests. The PR only modifies CI/CD configuration and workflow validation scripts, with no new Ginkgo e2e tests being added.
Single Node Openshift (Sno) Test Compatibility ✅ Passed This PR does not add any new Ginkgo e2e tests; it only modifies CI workflow configuration and shell script logic.
Topology-Aware Scheduling Compatibility ✅ Passed PR modifies only a CI workflow verification script, not deployment manifests, operator code, or controllers. No scheduling constraints are introduced.
Ipv6 And Disconnected Network Test Compatibility ✅ Passed PR only modifies CI operator configuration and pipeline job definitions, not Ginkgo e2e tests.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Comment @coderabbitai help to get the list of available commands and usage tips.

@openshift-ci openshift-ci Bot requested review from cblecker and clebs April 20, 2026 11:49
@openshift-ci openshift-ci Bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Apr 20, 2026
@openshift-merge-bot
Copy link
Copy Markdown
Contributor

[REHEARSALNOTIFIER]
@bryan-cox: the pj-rehearse plugin accommodates running rehearsal tests for the changes in this PR. Expand 'Interacting with pj-rehearse' for usage details. The following rehearsable tests have been affected by this change:

Test name Repo Type Reason
pull-ci-openshift-hypershift-main-verify-workflows openshift/hypershift presubmit Ci-operator config changed

Prior to this PR being merged, you will need to either run and acknowledge or opt to skip these rehearsals.

Interacting with pj-rehearse

Comment: /pj-rehearse to run up to 5 rehearsals
Comment: /pj-rehearse skip to opt-out of rehearsals
Comment: /pj-rehearse {test-name}, with each test separated by a space, to run one or more specific rehearsals
Comment: /pj-rehearse more to run up to 10 rehearsals
Comment: /pj-rehearse max to run up to 25 rehearsals
Comment: /pj-rehearse auto-ack to run up to 5 rehearsals, and add the rehearsals-ack label on success
Comment: /pj-rehearse list to get an up-to-date list of affected jobs
Comment: /pj-rehearse abort to abort all active rehearsals
Comment: /pj-rehearse network-access-allowed to allow rehearsals of tests that have the restrict_network_access field set to false. This must be executed by an openshift org member who is not the PR author

Once you are satisfied with the results of the rehearsals, comment: /pj-rehearse ack to unblock merge. When the rehearsals-ack label is present on your PR, merge will no longer be blocked by rehearsals.
If you would like the rehearsals-ack label removed, comment: /pj-rehearse reject to re-block merging.

@bryan-cox
Copy link
Copy Markdown
Member Author

/pj-rehearse skip

We can't test this on hypershift here unfortunately

@openshift-merge-bot
Copy link
Copy Markdown
Contributor

@bryan-cox: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

@openshift-merge-bot openshift-merge-bot Bot added the rehearsals-ack Signifies that rehearsal jobs have been acknowledged label Apr 20, 2026
@clebs
Copy link
Copy Markdown
Member

clebs commented Apr 20, 2026

/lgtm

@openshift-ci openshift-ci Bot added the lgtm Indicates that a PR is ready to be merged. label Apr 20, 2026
@openshift-ci
Copy link
Copy Markdown
Contributor

openshift-ci Bot commented Apr 20, 2026

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: bryan-cox, clebs

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci
Copy link
Copy Markdown
Contributor

openshift-ci Bot commented Apr 20, 2026

@bryan-cox: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

@openshift-merge-bot openshift-merge-bot Bot merged commit c7a6294 into openshift:main Apr 20, 2026
14 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

approved Indicates a PR has been approved by an approver from all required OWNERS files. jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. lgtm Indicates that a PR is ready to be merged. rehearsals-ack Signifies that rehearsal jobs have been acknowledged

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants