feat: migrate cli-yq BuildConfig to MultiArchBuildConfig #78301

Open

Prucek wants to merge 1 commit into openshift:main from Prucek:cli-yq-multi

Conversation

Prucek (Member) commented Apr 24, 2026

Summary

  • Migrate cli-yq from a BuildConfig on app.ci to a MultiArchBuildConfig
  • Make the Dockerfile arch-agnostic by detecting uname -m at build time for the yq binary download

Test plan

  • Verify MABC builds successfully on both amd64 and arm64
  • Verify resulting image contains working yq and jq binaries

🤖 Generated with Claude Code

Summary by CodeRabbit

  • Chores
    • Updated cli-yq build configuration to support multiple processor architectures (x86_64 and ARM64). The new multi-architecture build system automatically detects the target platform and compiles appropriate binaries, improving compatibility across different system architectures while maintaining all required dependencies.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@openshift-ci openshift-ci Bot requested review from pruan-rht and smg247 April 24, 2026 07:32
coderabbitai Bot (Contributor) commented Apr 24, 2026

Walkthrough

This change replaces a standard OpenShift BuildConfig for the cli-yq image with a new MultiArchBuildConfig, migrating the build configuration from the app.ci cluster to the build-clusters multiarch environment to support multi-architecture image builds for both x86_64 and aarch64 platforms.

Changes

Cohort / File(s) | Summary
BuildConfig Removal: clusters/app.ci/supplemental-ci-images/cli-yq.yaml | Deleted the entire single-architecture BuildConfig resource that previously built and pushed the cli-yq image with retention limits and ConfigChange triggers.
MultiArchBuildConfig Addition: clusters/build-clusters/multiarch_builds/supplemental-ci-images/cli-yq_mabc.yaml | Added a new MultiArchBuildConfig resource that builds cli-yq for multiple architectures (amd64, arm64), with architecture detection, dynamic binary download, and yq/jq installation.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

🚥 Pre-merge checks | ✅ 12
✅ Passed checks (12 passed)

Check name | Status | Explanation
Description Check | ✅ Passed | Check skipped - CodeRabbit's high-level summary is enabled.
Title check | ✅ Passed | The title clearly and specifically describes the main change: migrating cli-yq from BuildConfig to MultiArchBuildConfig, which is exactly what the changeset does.
Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names | ✅ Passed | PR contains only YAML configuration files, not Go test code with Ginkgo test definitions.
Test Structure And Quality | ✅ Passed | This pull request contains no Ginkgo test code, only OpenShift build configuration YAML manifests, making this test-focused check not applicable.
Microshift Test Compatibility | ✅ Passed | This custom check is not applicable to this pull request. The PR modifies only YAML build configuration manifests with no new e2e test code containing Ginkgo test functions.
Single Node Openshift (Sno) Test Compatibility | ✅ Passed | The custom check for Single Node OpenShift (SNO) test compatibility is not applicable to this pull request. The PR contains only YAML build configuration manifests and does not add any Ginkgo e2e tests.
Topology-Aware Scheduling Compatibility | ✅ Passed | Pull request modifies only build infrastructure resources (BuildConfig and MultiArchBuildConfig), not deployment manifests, operators, or controllers affecting cluster topology scheduling.
Ote Binary Stdout Contract | ✅ Passed | The OTE Binary Stdout Contract check is not applicable to this pull request as it modifies YAML configuration files, not executable code.
Ipv6 And Disconnected Network Test Compatibility | ✅ Passed | PR contains only infrastructure YAML manifest files for image builds, not test code. IPv6 and disconnected network compatibility check is not applicable.


openshift-ci Bot (Contributor) commented Apr 24, 2026

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: Prucek

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci openshift-ci Bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Apr 24, 2026
@openshift-merge-bot openshift-merge-bot Bot added the rehearsals-ack Signifies that rehearsal jobs have been acknowledged label Apr 24, 2026
openshift-merge-bot Bot (Contributor) commented:
[REHEARSALNOTIFIER]
@Prucek: no rehearsable tests are affected by this change

Note: If this PR includes changes to step registry files (ci-operator/step-registry/) and you expected jobs to be found, try rebasing your PR onto the base branch. This helps pj-rehearse accurately detect changes when the base branch has moved forward.

coderabbitai Bot (Contributor) left a comment

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@clusters/build-clusters/multiarch_builds/supplemental-ci-images/cli-yq_mabc.yaml`:
- Around line 28-29: The script currently downloads yq to /tmp/yq and makes it
executable, but doesn't place it on PATH; update the download/install step to
write the binary into a directory on PATH (e.g., /usr/local/bin/yq) and set
executable permissions there so callers can run yq by name; specifically replace
references to /tmp/yq with a PATH location and ensure chmod +x is applied to
that target (and optionally verify installation with a --version check).
- Around line 28-29: The curl invocation that downloads "releases/latest" for yq
should be changed to a pinned release and an integrity check added: replace the
dynamic URL used in the curl that writes to /tmp/yq with a fixed versioned
release (keep ${ARCH} for arch-specific binary), download the corresponding
checksum (or signature) for that specific version, verify the binary against the
checksum (e.g., sha256) before chmod +x and installing, and fail the build if
verification does not match; update the comments near the curl and /tmp/yq usage
so the pinned VERSION and checksum verification steps are clear.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 309a9333-a4e4-4596-a478-fa651af6c3c7

📥 Commits

Reviewing files that changed from the base of the PR and between dbe0855 and e6425e0.

📒 Files selected for processing (2)
  • clusters/app.ci/supplemental-ci-images/cli-yq.yaml
  • clusters/build-clusters/multiarch_builds/supplemental-ci-images/cli-yq_mabc.yaml
💤 Files with no reviewable changes (1)
  • clusters/app.ci/supplemental-ci-images/cli-yq.yaml

Comment on lines +28 to +29
curl -L "https://github.com/mikefarah/yq/releases/latest/download/yq_linux_${ARCH}" -o /tmp/yq && \
chmod +x /tmp/yq

⚠️ Potential issue | 🔴 Critical

Install yq into PATH; /tmp/yq will not be callable as yq.

At Line 28–29, the binary is only placed in /tmp and chmodded. Consumers typically execute yq by name, so this can ship an image with no usable yq on PATH.

💡 Proposed fix
-            curl -L "https://github.com/mikefarah/yq/releases/latest/download/yq_linux_${ARCH}" -o /tmp/yq && \
-            chmod +x /tmp/yq
+            curl -fsSL "https://github.com/mikefarah/yq/releases/latest/download/yq_linux_${ARCH}" -o /usr/local/bin/yq && \
+            chmod 0755 /usr/local/bin/yq
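Review bot: this replacement targets the same two lines (28-29) as the pinning suggestion below but still fetches `releases/latest` with no integrity check, so applied on its own it leaves the floating download in place; fold the move to `/usr/local/bin/yq` into the pinned-and-verified variant as one edit of the `curl`/`chmod` pair instead of two competing suggestions for the same lines. The switch to `curl -fsSL` is worth keeping either way: `-f` turns an HTTP error from the release URL into a build failure rather than writing an error page to `/usr/local/bin/yq` and marking it executable.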

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

FILE="clusters/build-clusters/multiarch_builds/supplemental-ci-images/cli-yq_mabc.yaml"

echo "Inspect current download/install stanza:"
sed -n '22,32p' "$FILE"

echo
echo "Expected after fix:"
echo "- no 'releases/latest' URL"
echo "- checksum verification step present (e.g., sha256sum -c)"
echo "- fail-fast curl flags (e.g., -f)"
rg -n 'releases/latest|sha256sum -c|curl -f|curl -fsSL' "$FILE"

Repository: openshift/release

Avoid floating latest binary downloads without integrity verification.

Using releases/latest at line 28 makes builds non-reproducible and increases supply-chain risk. Pin a yq version and verify the checksum before installation.

Proposed hardening
-            curl -L "https://github.com/mikefarah/yq/releases/latest/download/yq_linux_${ARCH}" -o /tmp/yq && \
-            chmod +x /tmp/yq
+            YQ_VERSION=v4.44.6 && \
+            curl -fsSL "https://github.com/mikefarah/yq/releases/download/${YQ_VERSION}/checksums" -o /tmp/yq.checksums && \
+            curl -fsSL "https://github.com/mikefarah/yq/releases/download/${YQ_VERSION}/yq_linux_${ARCH}" -o /usr/local/bin/yq && \
+            grep " yq_linux_${ARCH}$" /tmp/yq.checksums | sed 's# yq_linux_# /usr/local/bin/yq#' | sha256sum -c - && \
+            chmod 0755 /usr/local/bin/yq
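Review bot: the verification line fails even for a genuine binary: `sed 's# yq_linux_# /usr/local/bin/yq#'` replaces only the ` yq_linux_` prefix, so a checksum line ending in ` yq_linux_amd64` becomes ` /usr/local/bin/yqamd64`, and `sha256sum -c` then reports that path as missing and the build aborts. Substitute the whole asset name, for example `sed "s# yq_linux_${ARCH}\$# /usr/local/bin/yq#"`, and confirm that the `checksums` asset really uses the `<sha256>  <name>` layout that `sha256sum -c` consumes, since both the `grep " yq_linux_${ARCH}$"` anchor and the `sha256sum -c` call assume the file name is the last field on the line. `/tmp/yq.checksums` should also be removed in the same `RUN` step so it does not end up in the image layer.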
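The two review findings above, the `uname -m` arch detection from the PR description and the pin-and-verify-before-install step, as one added, runnable example. This is not code from the PR or from the openshift/release repository: it runs offline on a constructed stand-in file and a constructed checksums line, assumes the `<sha256>  <name>` layout that `sha256sum -c` consumes (the layout of yq's own checksums asset should be confirmed against the release before reusing the pattern), and the function names `yq_arch_for_machine`, `verify_sha256`, `install_verified` and `demo` are mine.

```shell
#!/bin/sh
# Added example, not from the PR: arch-aware asset selection plus
# fail-closed checksum verification before a binary is installed on PATH.
# Runs offline: the "download" is a constructed local file. Function names
# (yq_arch_for_machine, verify_sha256, install_verified, demo) are assumptions.

# Map `uname -m` output to the suffix yq uses for its release assets.
# Anything unrecognised returns 1 so a build stops instead of fetching
# a binary for the wrong architecture.
yq_arch_for_machine() {
  case "$1" in
    x86_64)        echo amd64 ;;
    aarch64|arm64) echo arm64 ;;
    *) echo "unsupported architecture: $1" >&2; return 1 ;;
  esac
}

# Compare FILE against the entry for NAME in a checksums file whose lines
# are "<sha256>  <name>" (assumed layout, the one `sha256sum -c` consumes).
# Returns 0 only when NAME is listed and the digest matches.
verify_sha256() {
  file=$1 name=$2 sums=$3
  expected=$(awk -v n="$name" '$2 == n { print $1; exit }' "$sums")
  if [ -z "$expected" ]; then
    echo "no checksum entry for $name" >&2
    return 1
  fi
  actual=$(sha256sum "$file" | awk '{ print $1 }')
  [ "$actual" = "$expected" ]
}

# Verify a staged download, then install it 0755 at DEST.
# DEST is never written unless verification succeeded.
install_verified() {
  staged=$1 name=$2 sums=$3 dest=$4
  if ! verify_sha256 "$staged" "$name" "$sums"; then
    echo "refusing to install $name: checksum mismatch or missing entry" >&2
    return 1
  fi
  install -m 0755 "$staged" "$dest"
}

# Walk through the flow with constructed data: a stand-in "binary", a
# pinned checksum for it, a successful install, then a tampered copy that
# must be rejected. Returns 0 when both outcomes are as expected.
demo() {
  machine=${1:-$(uname -m)}
  arch=$(yq_arch_for_machine "$machine") || return 1
  work=$(mktemp -d)
  asset="yq_linux_$arch"
  printf 'constructed stand-in for %s\n' "$asset" > "$work/$asset"
  # Constructed checksums line in the assumed "<sha256>  <name>" layout.
  printf '%s  %s\n' "$(sha256sum "$work/$asset" | awk '{ print $1 }')" "$asset" > "$work/checksums"

  install_verified "$work/$asset" "$asset" "$work/checksums" "$work/yq" || { rm -rf "$work"; return 1; }
  echo "installed $asset for $machine at $work/yq"

  printf 'appended bytes\n' >> "$work/$asset"   # simulate a tampered download
  if install_verified "$work/$asset" "$asset" "$work/checksums" "$work/yq2" 2>/dev/null; then
    echo "tampered asset was accepted" >&2; rm -rf "$work"; return 1
  fi
  echo "tampered $asset rejected"
  rm -rf "$work"
}

demo
```

Running the script on the build host prints the arch it resolved, installs the stand-in once verification passes, and then shows the tampered copy being refused; in a real Dockerfile the `printf` lines are replaced by pinned-version `curl -fsSL` downloads of the asset and its checksums file, with `install_verified` guarding the write into `/usr/local/bin`.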

openshift-ci Bot (Contributor) commented Apr 24, 2026

@Prucek: all tests passed!
