CNTRLPLANE-3278: fix verify-workflows to check PR head, not merge commit

[bryan-cox]

Summary

• Fixes the verify-workflows presubmit for openshift/hypershift that was introduced in CNTRLPLANE-3278: Add Prow presubmit to enforce GitHub Actions workflow consistency for HyperShift #77164
• The script was always passing because ci-operator runs tests on a merge commit (PR merged into base branch), and HEAD in that context is the merge result — which always has main's workflow files

Problem

ci-operator creates a merge commit when building the src image:

• HEAD = merge of PR into main
• HEAD^1 = main (base branch)
• HEAD^2 = actual PR head commit

The original script compared HEAD:.github/workflows/* against main, but since HEAD is the merge result, workflow files from main are always present — the check always passed regardless of the PR branch state.

Verified locally:

# On the merge result (HEAD), workflow files match main:
git rev-parse HEAD:.github/workflows/test.yaml == git rev-parse MAIN:.github/workflows/test.yaml  ✓

# But the actual PR branch (HEAD^2) has outdated files:
git rev-parse HEAD^2:.github/workflows/test.yaml != git rev-parse MAIN:.github/workflows/test.yaml  ✗

Fix

Extract the actual PR head commit via HEAD^2 (second parent of the merge commit) and compare that against main instead:

PR_HEAD=$(git rev-parse HEAD^2 2>/dev/null) || PR_HEAD="HEAD"

Falls back to HEAD if there's no second parent (e.g., non-merge context).

Test plan

• Tested locally: outdated branch correctly detected with HEAD^2
• Test PR openshift/hypershift#8283 should fail after this fix (it incorrectly passed before)
• Test PR openshift/hypershift#8284 should still pass (intentional workflow change)

🤖 Generated with Claude Code

Summary by CodeRabbit

• Chores
  • Enhanced PR verification workflow with improved git comparison logic for more accurate change detection
  • Added detailed logging for better visibility into the verification process

[openshift-ci-robot]

@bryan-cox: This pull request references CNTRLPLANE-3278 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the task to target the "5.0.0" version, but no target version was set.

Details

In response to this:

Summary

• Fixes the verify-workflows presubmit for openshift/hypershift that was introduced in CNTRLPLANE-3278: Add Prow presubmit to enforce GitHub Actions workflow consistency for HyperShift #77164
• The script was always passing because ci-operator runs tests on a merge commit (PR merged into base branch), and HEAD in that context is the merge result — which always has main's workflow files

Problem

ci-operator creates a merge commit when building the src image:

• HEAD = merge of PR into main
• HEAD^1 = main (base branch)
• HEAD^2 = actual PR head commit

The original script compared HEAD:.github/workflows/* against main, but since HEAD is the merge result, workflow files from main are always present — the check always passed regardless of the PR branch state.

Verified locally:

# On the merge result (HEAD), workflow files match main:
git rev-parse HEAD:.github/workflows/test.yaml == git rev-parse MAIN:.github/workflows/test.yaml  ✓

# But the actual PR branch (HEAD^2) has outdated files:
git rev-parse HEAD^2:.github/workflows/test.yaml != git rev-parse MAIN:.github/workflows/test.yaml  ✗

Fix

Extract the actual PR head commit via HEAD^2 (second parent of the merge commit) and compare that against main instead:

PR_HEAD=$(git rev-parse HEAD^2 2>/dev/null) || PR_HEAD="HEAD"

Falls back to HEAD if there's no second parent (e.g., non-merge context).

Test plan

• Tested locally: outdated branch correctly detected with HEAD^2
• Test PR openshift/hypershift#8283 should fail after this fix (it incorrectly passed before)
• Test PR openshift/hypershift#8284 should still pass (intentional workflow change)

🤖 Generated with Claude Code

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Pro Plus

Run ID: 1e50e6d4-d8ab-4ff4-9eaa-b1a477e72491

📥 Commits

Reviewing files that changed from the base of the PR and between f5d1b0d and d906ff0.

📒 Files selected for processing (1)

• ci-operator/config/openshift/hypershift/openshift-hypershift-main.yaml

---

Walkthrough

Updated the git comparison logic in the verify-workflows script within a CI workflow configuration file. The change switches from using the merge commit (HEAD) to deriving the PR's head commit (PR_HEAD) from the merge commit's second parent with a fallback, recalculates the base commit accordingly, and adjusts per-file hash lookups to use the derived PR head commit instead of the merge commit.

Changes

Cohort / File(s)	Summary
CI Workflow Git Logic ci-operator/config/openshift/hypershift/openshift-hypershift-main.yaml	Modified verify-workflows script to derive PR_HEAD from merge commit's second parent (HEAD^2) with fallback to HEAD, recompute BASE using git merge-base, add logging for PR_HEAD, MAIN_REF, and BASE, and update per-file hash lookups to reference PR_HEAD instead of HEAD.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

---

Important

Pre-merge checks failed

Please resolve all errors before merging. Addressing warnings is optional.

❌ Failed checks (2 inconclusive)

Check name	Status	Explanation	Resolution
Test Structure And Quality	❓ Inconclusive	PR modifies CI operator configuration file with shell script, not Ginkgo test code subject to this check.	Verify if check applies to this PR or if Ginkgo tests exist elsewhere that require review.
Ote Binary Stdout Contract	❓ Inconclusive	Unable to execute shell command to examine file contents.	Provide the file content or verify file path accessibility.

✅ Passed checks (8 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately summarizes the main change: fixing the verify-workflows script to compare against the PR head commit instead of the merge commit.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Stable And Deterministic Test Names	✅ Passed	PR modifies only YAML CI configuration file with bash script commands. No Ginkgo test code was modified. Custom check targeting Ginkgo tests is not applicable.
Microshift Test Compatibility	✅ Passed	This custom check is specifically designed to assess MicroShift API compatibility for new Ginkgo e2e tests. The PR only modifies CI/CD configuration and workflow validation scripts, with no new Ginkgo e2e tests being added.
Single Node Openshift (Sno) Test Compatibility	✅ Passed	This PR does not add any new Ginkgo e2e tests; it only modifies CI workflow configuration and shell script logic.
Topology-Aware Scheduling Compatibility	✅ Passed	PR modifies only a CI workflow verification script, not deployment manifests, operator code, or controllers. No scheduling constraints are introduced.
Ipv6 And Disconnected Network Test Compatibility	✅ Passed	PR only modifies CI operator configuration and pipeline job definitions, not Ginkgo e2e tests.

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[openshift-merge-bot]

[REHEARSALNOTIFIER]
@bryan-cox: the pj-rehearse plugin accommodates running rehearsal tests for the changes in this PR. Expand 'Interacting with pj-rehearse' for usage details. The following rehearsable tests have been affected by this change:

Test name	Repo	Type	Reason
pull-ci-openshift-hypershift-main-verify-workflows	openshift/hypershift	presubmit	Ci-operator config changed

Prior to this PR being merged, you will need to either run and acknowledge or opt to skip these rehearsals.

Interacting with pj-rehearse

Comment: /pj-rehearse to run up to 5 rehearsals
Comment: /pj-rehearse skip to opt-out of rehearsals
Comment: /pj-rehearse {test-name}, with each test separated by a space, to run one or more specific rehearsals
Comment: /pj-rehearse more to run up to 10 rehearsals
Comment: /pj-rehearse max to run up to 25 rehearsals
Comment: /pj-rehearse auto-ack to run up to 5 rehearsals, and add the rehearsals-ack label on success
Comment: /pj-rehearse list to get an up-to-date list of affected jobs
Comment: /pj-rehearse abort to abort all active rehearsals
Comment: /pj-rehearse network-access-allowed to allow rehearsals of tests that have the restrict_network_access field set to false. This must be executed by an openshift org member who is not the PR author

Once you are satisfied with the results of the rehearsals, comment: /pj-rehearse ack to unblock merge. When the rehearsals-ack label is present on your PR, merge will no longer be blocked by rehearsals.
If you would like the rehearsals-ack label removed, comment: /pj-rehearse reject to re-block merging.

[bryan-cox]

/pj-rehearse skip

We can't test this on hypershift here unfortunately

[openshift-merge-bot]

@bryan-cox: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

[clebs]

/lgtm

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: bryan-cox, clebs

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• ci-operator/config/openshift/hypershift/OWNERS [bryan-cox]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[openshift-ci]

@bryan-cox: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.