ROSAENG-300: Onboard aws-nuke-cf CI, decouple janitor image from rosa-regional-platform

[typeid]

Summary

• Onboard openshift-online/aws-nuke-cf to OpenShift CI with Prow plugin/tide config
• Add pre-merge build-image test that builds the Containerfile and verifies aws-nuke --version
• Add postsubmit push-image job that pushes the built image to quay.io/rrp-dev-ci/ci-image on merge to main
• Remove push-ci-image postsubmit from rosa-regional-platform (image now owned by aws-nuke-cf)

Test plan

• Verify pre-merge build-image job runs on aws-nuke-cf PRs
• Verify postsubmit pushes image to quay.io/rrp-dev-ci/ci-image after merge
• Confirm rosa-regional-platform CI is unaffected

🤖 Generated with Claude Code

Summary by CodeRabbit

• Chores
  • Added CI pipeline components (presubmit/postsubmit jobs) for aws-nuke-cf to enable automated builds, image tests and promotion.
  • Added repository-specific Tide and plugin configurations to enable PR automation and integrations for aws-nuke-cf.
  • Added OWNERS files for aws-nuke-cf to define approvers and reviewers.
  • Removed a legacy CI postsubmit job from the rosa-regional-platform repository.

[openshift-ci-robot]

@typeid: This pull request references ROSAENG-300 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "5.0.0" version, but no target version was set.

Details

In response to this:

Summary

• Onboard openshift-online/aws-nuke-cf to OpenShift CI with Prow plugin/tide config
• Add pre-merge build-image test that builds the Containerfile and verifies aws-nuke --version
• Add postsubmit push-image job that pushes the built image to quay.io/rrp-dev-ci/ci-image on merge to main
• Remove push-ci-image postsubmit from rosa-regional-platform (image now owned by aws-nuke-cf)

Test plan

• Verify pre-merge build-image job runs on aws-nuke-cf PRs
• Verify postsubmit pushes image to quay.io/rrp-dev-ci/ci-image after merge
• Confirm rosa-regional-platform CI is unaffected

🤖 Generated with Claude Code

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[typeid]

/pj-rehearse

[openshift-merge-bot]

@typeid: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

[coderabbitai]

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

• @coderabbitai resume to resume automatic reviews.
• @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

• ▶️ Resume reviews
• 🔍 Trigger review

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Pro Plus

Run ID: 42e93ee1-af5a-410b-bacb-0ea9f03df377

📥 Commits

Reviewing files that changed from the base of the PR and between d98333f and 29aa976.

📒 Files selected for processing (1)

• ci-operator/config/openshift-online/aws-nuke-cf/openshift-online-aws-nuke-cf-main.yaml

✅ Files skipped from review due to trivial changes (1)

• ci-operator/config/openshift-online/aws-nuke-cf/openshift-online-aws-nuke-cf-main.yaml

---

Walkthrough

Adds CI and Prow configuration for repo openshift-online/aws-nuke-cf (ci-operator config, presubmit/postsubmit jobs, OWNERS, Tide and plugin configs) and removes a push-ci-image postsubmit job/config for openshift-online/rosa-regional-platform.

Changes

Cohort / File(s)	Summary
aws-nuke-cf ci-operator config ci-operator/config/openshift-online/aws-nuke-cf/openshift-online-aws-nuke-cf-main.yaml	New ci-operator config: release/golang-1.21 buildroot, builds image from Containerfile, image stream aws-nuke-cf, resource requests/limits, adds push-image postsubmit test with ROSA_REGIONAL_QUAY_DEST_REPO: quay.io/rrp-dev-ci/aws-nuke-cf.
aws-nuke-cf Prow jobs ci-operator/jobs/openshift-online/aws-nuke-cf/openshift-online-aws-nuke-cf-main-presubmits.yaml, ci-operator/jobs/openshift-online/aws-nuke-cf/openshift-online-aws-nuke-cf-main-postsubmits.yaml	Adds presubmit(s) and a postsubmit for push-image; Kubernetes agent on build01, decorate: true/skip_cloning: true, ci-operator container args, secrets mounted, max_concurrency: 1 for postsubmit.
aws-nuke-cf Prow config & Tide core-services/prow/02_config/openshift-online/aws-nuke-cf/_pluginconfig.yaml, core-services/prow/02_config/openshift-online/aws-nuke-cf/_prowconfig.yaml	Adds repo-specific plugin config (approve/LGTM rules, external plugin endpoints/events, enabled builtin plugins) and a Tide query selecting PRs with approved+lgtm while excluding WIP/invalid labels.
aws-nuke-cf OWNERS ci-operator/config/openshift-online/aws-nuke-cf/OWNERS, ci-operator/jobs/openshift-online/aws-nuke-cf/OWNERS	Adds autogenerated OWNERS files listing approvers and reviewers: cdoan1, iamkirkbater, jmelis, psav, syncrou, theautoroboto, typeid.
rosa-regional-platform removals ci-operator/config/openshift-online/rosa-regional-platform/openshift-online-rosa-regional-platform-main.yaml, ci-operator/jobs/openshift-online/rosa-regional-platform/openshift-online-rosa-regional-platform-main-postsubmits.yaml	Removes the push-ci-image postsubmit test entry and its corresponding Prow postsubmit job that ran --target=push-ci-image.

Sequence Diagram(s)

sequenceDiagram
    participant Dev as "Developer PR"
    participant Prow as "Prow (hook/tide)"
    participant CIop as "ci-operator"
    participant K8s as "Kubernetes (build01)"
    participant Quay as "Quay/Registry"

    Dev->>Prow: open PR / trigger presubmit
    Prow->>CIop: schedule presubmit job (images/build targets)
    CIop->>K8s: run build pod (mount secrets)
    K8s->>Quay: push built image (images target)
    Dev->>Prow: merge to main
    Prow->>CIop: schedule postsubmit (push-image)
    CIop->>Quay: push to `quay.io/rrp-dev-ci/aws-nuke-cf`

Loading

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

🚥 Pre-merge checks | ✅ 12

✅ Passed checks (12 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately summarizes the main changes: onboarding aws-nuke-cf CI and decoupling the janitor image from rosa-regional-platform, matching the changeset content.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names	✅ Passed	PR contains only CI/CD YAML configuration files with no Ginkgo test source files (Go test code with It(), Describe() functions) being added or modified.
Test Structure And Quality	✅ Passed	This custom check is not applicable to the provided pull request. The PR contains exclusively CI/CD infrastructure configuration files rather than Ginkgo test code.
Microshift Test Compatibility	✅ Passed	PR adds only YAML CI/CD configuration files with no Go test files containing Ginkgo e2e tests.
Single Node Openshift (Sno) Test Compatibility	✅ Passed	PR contains only CI/CD infrastructure and OWNERS files; no new Ginkgo e2e test code added, so SNO compatibility check is not applicable.
Topology-Aware Scheduling Compatibility	✅ Passed	PR modifies only CI/CD infrastructure configuration files (Prow job specs and ci-operator configs) that define build and test workflows, not deployment manifests or controllers with scheduling constraints.
Ote Binary Stdout Contract	✅ Passed	PR modifies only CI/CD YAML and OWNERS config files, not Go source code, so the OTE Binary Stdout Contract check is not applicable.
Ipv6 And Disconnected Network Test Compatibility	✅ Passed	PR modifies only CI configuration files (YAML) in openshift/release; no Ginkgo e2e test code is present.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 2

🧹 Nitpick comments (1)

core-services/prow/02_config/openshift-online/aws-nuke-cf/_pluginconfig.yaml (1)

2-2: Populate commandHelpLink instead of leaving it empty.

Line 2 currently sets an empty help link, which removes useful bot command guidance in PR workflows. Consider using the standard help URL.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@core-services/prow/02_config/openshift-online/aws-nuke-cf/_pluginconfig.yaml`
at line 2, The config key commandHelpLink in _pluginconfig.yaml is currently
empty; set commandHelpLink to the standard bot help URL (for example the
project's or prow/help page) so PR workflows show command guidance—locate the
commandHelpLink entry in _pluginconfig.yaml and replace the empty string with
the appropriate help URL.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In
`@ci-operator/jobs/openshift-online/aws-nuke-cf/openshift-online-aws-nuke-cf-main-postsubmits.yaml`:
- Line 18: Add a volume named "gcs-credentials" under spec.template.spec.volumes
to match the container's volumeMount; specifically create a secret-backed volume
with name: gcs-credentials and secret.secretName set to the secret that contains
the GCS service account (so the container arg
--gcs-upload-secret=/secrets/gcs/service-account.json can mount successfully).
Ensure the volume name exactly matches the existing volumeMount name
"gcs-credentials" and place it under spec.template.spec.volumes so the pod can
start.

In
`@ci-operator/jobs/openshift-online/aws-nuke-cf/openshift-online-aws-nuke-cf-main-presubmits.yaml`:
- Line 21: The presubmit jobs reference the flag
--gcs-upload-secret=/secrets/gcs/service-account.json and mount name
gcs-credentials but the jobs' volumes blocks do not define that volume; add a
volume entry named gcs-credentials to each presubmit job's volumes list that
provides the service-account.json (e.g., a secret or projected secret) so the
mount path /secrets/gcs/service-account.json exists at runtime; update both
presubmit jobs' volumes sections to include the gcs-credentials volume (matching
the existing mount and flag).

---

Nitpick comments:
In
`@core-services/prow/02_config/openshift-online/aws-nuke-cf/_pluginconfig.yaml`:
- Line 2: The config key commandHelpLink in _pluginconfig.yaml is currently
empty; set commandHelpLink to the standard bot help URL (for example the
project's or prow/help page) so PR workflows show command guidance—locate the
commandHelpLink entry in _pluginconfig.yaml and replace the empty string with
the appropriate help URL.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Pro Plus

Run ID: 25a45560-99d2-4e74-bff5-cd7eb19f7420

📥 Commits

Reviewing files that changed from the base of the PR and between 5ae7632 and c7abee8.

📒 Files selected for processing (7)

• ci-operator/config/openshift-online/aws-nuke-cf/openshift-online-aws-nuke-cf-main.yaml
• ci-operator/config/openshift-online/rosa-regional-platform/openshift-online-rosa-regional-platform-main.yaml
• ci-operator/jobs/openshift-online/aws-nuke-cf/openshift-online-aws-nuke-cf-main-postsubmits.yaml
• ci-operator/jobs/openshift-online/aws-nuke-cf/openshift-online-aws-nuke-cf-main-presubmits.yaml
• ci-operator/jobs/openshift-online/rosa-regional-platform/openshift-online-rosa-regional-platform-main-postsubmits.yaml
• core-services/prow/02_config/openshift-online/aws-nuke-cf/_pluginconfig.yaml
• core-services/prow/02_config/openshift-online/aws-nuke-cf/_prowconfig.yaml

💤 Files with no reviewable changes (2)

• ci-operator/config/openshift-online/rosa-regional-platform/openshift-online-rosa-regional-platform-main.yaml
• ci-operator/jobs/openshift-online/rosa-regional-platform/openshift-online-rosa-regional-platform-main-postsubmits.yaml

[typeid]

/pj-rehearse

[openshift-merge-bot]

@typeid: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

[typeid]

/pj-rehearse

[openshift-merge-bot]

@typeid: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

[typeid]

/pj-rehearse

[openshift-merge-bot]

@typeid: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

[coderabbitai]

♻️ Duplicate comments (1)

ci-operator/jobs/openshift-online/aws-nuke-cf/openshift-online-aws-nuke-cf-main-presubmits.yaml (1)

21-21: ⚠️ Potential issue | 🔴 Critical

Missing gcs-credentials volume still breaks this presubmit job.

Line 21 and Lines 34-36 reference/mount gcs-credentials, but the volumes list (Lines 47-56) does not define it, so the pod cannot start.

Proposed fix

       volumes:
+      - name: gcs-credentials
+        secret:
+          secretName: gcs-credentials
       - name: manifest-tool-local-pusher
         secret:
           secretName: manifest-tool-local-pusher
       - name: pull-secret
         secret:
           secretName: registry-pull-credentials
       - name: result-aggregator
         secret:
           secretName: result-aggregator

Also applies to: 34-36, 47-56

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In
`@ci-operator/jobs/openshift-online/aws-nuke-cf/openshift-online-aws-nuke-cf-main-presubmits.yaml`
at line 21, The job references a volume named "gcs-credentials" (mounted and
used by the --gcs-upload-secret flag at /secrets/gcs/service-account.json) but
that volume is not defined in the pod's volumes list; add a volume entry named
"gcs-credentials" under the pod spec volumes to fix the startup failure — create
it as a secret volume (type: secret) with the correct secretName (the GCS
service account secret) so the container mount (gcs-credentials) and the flag
--gcs-upload-secret=/secrets/gcs/service-account.json match the defined volume
and secret.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Duplicate comments:
In
`@ci-operator/jobs/openshift-online/aws-nuke-cf/openshift-online-aws-nuke-cf-main-presubmits.yaml`:
- Line 21: The job references a volume named "gcs-credentials" (mounted and used
by the --gcs-upload-secret flag at /secrets/gcs/service-account.json) but that
volume is not defined in the pod's volumes list; add a volume entry named
"gcs-credentials" under the pod spec volumes to fix the startup failure — create
it as a secret volume (type: secret) with the correct secretName (the GCS
service account secret) so the container mount (gcs-credentials) and the flag
--gcs-upload-secret=/secrets/gcs/service-account.json match the defined volume
and secret.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Pro Plus

Run ID: 00b9fb85-d233-49b2-9e2f-46937e43d4c7

📥 Commits

Reviewing files that changed from the base of the PR and between 7b21368 and d98333f.

📒 Files selected for processing (1)

• ci-operator/jobs/openshift-online/aws-nuke-cf/openshift-online-aws-nuke-cf-main-presubmits.yaml

[typeid]

/pj-rehearse

[openshift-merge-bot]

@typeid: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

[typeid]

/retest

[typeid]

/retest

[typeid]

/pj-rehearse

[openshift-merge-bot]

@typeid: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

[typeid]

/pj-rehearse ack

[openshift-merge-bot]

@typeid: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

[typeid]

/pj-rehearse ack

[openshift-merge-bot]

@typeid: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

[openshift-merge-bot]

[REHEARSALNOTIFIER]
@typeid: the pj-rehearse plugin accommodates running rehearsal tests for the changes in this PR. Expand 'Interacting with pj-rehearse' for usage details. The following rehearsable tests have been affected by this change:

Test name	Repo	Type	Reason
pull-ci-openshift-online-aws-nuke-cf-main-images	openshift-online/aws-nuke-cf	presubmit	Presubmit changed

Interacting with pj-rehearse

Comment: /pj-rehearse to run up to 5 rehearsals
Comment: /pj-rehearse skip to opt-out of rehearsals
Comment: /pj-rehearse {test-name}, with each test separated by a space, to run one or more specific rehearsals
Comment: /pj-rehearse more to run up to 10 rehearsals
Comment: /pj-rehearse max to run up to 25 rehearsals
Comment: /pj-rehearse auto-ack to run up to 5 rehearsals, and add the rehearsals-ack label on success
Comment: /pj-rehearse list to get an up-to-date list of affected jobs
Comment: /pj-rehearse abort to abort all active rehearsals
Comment: /pj-rehearse network-access-allowed to allow rehearsals of tests that have the restrict_network_access field set to false. This must be executed by an openshift org member who is not the PR author

Once you are satisfied with the results of the rehearsals, comment: /pj-rehearse ack to unblock merge. When the rehearsals-ack label is present on your PR, merge will no longer be blocked by rehearsals.
If you would like the rehearsals-ack label removed, comment: /pj-rehearse reject to re-block merging.

[cdoan1]

/lgtm

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: cdoan1, typeid

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• ci-operator/config/openshift-online/rosa-regional-platform/OWNERS [cdoan1,typeid]
• ci-operator/jobs/openshift-online/rosa-regional-platform/OWNERS [cdoan1,typeid]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[typeid]

/pj-rehearse ack

[openshift-merge-bot]

@typeid: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

[openshift-ci]

@typeid: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/rehearse/openshift-online/aws-nuke-cf/main/build-image	7b21368	link	unknown	/pj-rehearse pull-ci-openshift-online-aws-nuke-cf-main-build-image

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

[openshift-ci]

@typeid: Updated the following 3 configmaps:

• plugins configmap in namespace ci at cluster app.ci using the following files:
  • key core-services-prow-02_config-openshift-online-aws-nuke-cf-_pluginconfig.yaml using file core-services/prow/02_config/openshift-online/aws-nuke-cf/_pluginconfig.yaml
• config configmap in namespace ci at cluster app.ci using the following files:
  • key core-services-prow-02_config-openshift-online-aws-nuke-cf-_prowconfig.yaml using file core-services/prow/02_config/openshift-online/aws-nuke-cf/_prowconfig.yaml
• config configmap in namespace ci at cluster core-ci using the following files:
  • key core-services-prow-02_config-openshift-online-aws-nuke-cf-_prowconfig.yaml using file core-services/prow/02_config/openshift-online/aws-nuke-cf/_prowconfig.yaml

Details

In response to this:

Summary

• Onboard openshift-online/aws-nuke-cf to OpenShift CI with Prow plugin/tide config
• Add pre-merge build-image test that builds the Containerfile and verifies aws-nuke --version
• Add postsubmit push-image job that pushes the built image to quay.io/rrp-dev-ci/ci-image on merge to main
• Remove push-ci-image postsubmit from rosa-regional-platform (image now owned by aws-nuke-cf)

Test plan

• Verify pre-merge build-image job runs on aws-nuke-cf PRs
• Verify postsubmit pushes image to quay.io/rrp-dev-ci/ci-image after merge
• Confirm rosa-regional-platform CI is unaffected

🤖 Generated with Claude Code

Summary by CodeRabbit

• Chores
• Added CI pipeline components (presubmit/postsubmit jobs) for aws-nuke-cf to enable automated builds, image tests and promotion.
• Added repository-specific Tide and plugin configurations to enable PR automation and integrations for aws-nuke-cf.
• Added OWNERS files for aws-nuke-cf to define approvers and reviewers.
• Removed a legacy CI postsubmit job from the rosa-regional-platform repository.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.