NO-JIRA: tls-scanner: Fix exit code handling, lingering failed pods, and clarify docs #78789

Merged: openshift-merge-bot[bot] merged 4 commits into openshift:main from DavidHurta:fix-tls-scanner-false-positives, May 14, 2026

@DavidHurta
Contributor

@DavidHurta DavidHurta commented May 5, 2026

The PR aims to fix exit code handling, lingering failed pods, and clarify documentation.

A few things I have found during integrating the steps into our component's CI. I am happy to address any feedback. Happy to drop any commits.

@openshift-ci
Contributor

openshift-ci Bot commented May 5, 2026

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

@openshift-ci openshift-ci Bot added the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label May 5, 2026
@openshift-ci-robot openshift-ci-robot added jira/severity-moderate Referenced Jira bug's severity is moderate for the branch this PR is targeting. jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. jira/invalid-bug Indicates that a referenced Jira bug is invalid for the branch this PR is targeting. labels May 5, 2026
@openshift-ci-robot
Contributor

@DavidHurta: This pull request references Jira Issue OCPBUGS-84968, which is invalid:

  • expected the bug to target the "5.0.0" version, but no target version was set

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

The bug has been updated to refer to the pull request using the external bug tracker.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@coderabbitai
Contributor

coderabbitai Bot commented May 5, 2026

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

  • @coderabbitai resume to resume automatic reviews.
  • @coderabbitai review to trigger a single review.

Walkthrough

Switches the scanner container command from /bin/sh to /bin/bash with set -o pipefail; captures the scanner pipeline exit code via PIPESTATUS[0], echoes it and writes /results/scan.done; artifact collection now waits for that marker; tightens final oc wait timeout from 4h to 10m.

Changes

TLS Scanner Execution & Completion Signaling

Layer / File(s) | Summary
Shell configuration & exit-code capture (ci-operator/step-registry/tls/scanner/run/tls-scanner-run-commands.sh) | Container command changed to /bin/bash -c and set -o pipefail applied; capture scanner pipeline exit code from PIPESTATUS[0], append "Scan complete. Exit code: " to /results/output.log, and write /results/scan.done. Immediate exit ${SCAN_EXIT_CODE} remains commented out.
Artifact collection trigger (ci-operator/step-registry/tls/scanner/run/tls-scanner-run-commands.sh) | Artifact-collection loop now waits for existence of /results/scan.done rather than grepping /results/output.log for a "Scan complete" line.
Pod success wait timeout (ci-operator/step-registry/tls/scanner/run/tls-scanner-run-commands.sh) | oc wait timeout for pod/tls-scanner success condition reduced from 4h to 10m.

PQC_CHECK Documentation Wording

Layer / File(s) | Summary
Documentation text (ci-operator/step-registry/tls/scanner/run/tls-scanner-run-ref.yaml) | Reworded PQC_CHECK docs from "enable post-quantum cryptography readiness checks" to "check post-quantum cryptography readiness", clarifying the scanner only checks TLS 1.3 and mlkem/mlkem25519.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

🚥 Pre-merge checks | ✅ 12
✅ Passed checks (12 passed)
Check name Status Explanation
Title check ✅ Passed The title accurately summarizes the three main changes: exit code handling fix, addressing lingering failed pods, and documentation clarification for PQC_CHECK.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names ✅ Passed The check applies to Ginkgo test files. This PR only modifies shell script and YAML config files for TLS scanner CI, with no Ginkgo tests present.
Test Structure And Quality ✅ Passed PR contains no Ginkgo test code. Changes are limited to shell script and YAML configuration files. The custom check is not applicable to this context.
Microshift Test Compatibility ✅ Passed This PR does not add any Ginkgo e2e tests. It modifies CI operator shell scripts and YAML configuration files for TLS scanner orchestration. The MicroShift test compatibility check is not applicable.
Single Node Openshift (Sno) Test Compatibility ✅ Passed PR modifies only CI/CD infrastructure scripts and config files, not Ginkgo e2e tests. SNO compatibility check does not apply.
Topology-Aware Scheduling Compatibility ✅ Passed PR modifies CI test step scripts and registry metadata only. No deployment manifests, operator code, or scheduling constraints introduced. Topology-aware scheduling check is not applicable.
Ote Binary Stdout Contract ✅ Passed This PR modifies only shell scripts and YAML config files, not OTE binaries. The check applies only to Go source code.
Ipv6 And Disconnected Network Test Compatibility ✅ Passed This PR contains no new Ginkgo e2e tests—only CI workflow shell scripts and YAML configs. The custom check targets Ginkgo tests with IPv4/connectivity issues. Not applicable.
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.


Comment @coderabbitai help to get the list of available commands and usage tips.
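
The exit-code masking described in the walkthrough above, as an added example that is not code from this PR: a scanner piped into tee reports tee's status unless PIPESTATUS[0] is captured and propagated, and the collector waits on a marker file with a bounded poll. The names fake_scanner, run_masked, run_propagated, wait_for_marker and demo are hypothetical, and the scanner is a constructed stand-in.

```shell
#!/bin/sh
# Added example, not code from the PR. fake_scanner is a constructed stand-in
# for the scanner binary: it prints one line and exits with the code it is given.
# The inner scripts run under "bash -c" because PIPESTATUS is a bash feature.

# Before: the pipeline status is the status of tee, so a failing scan exits 0.
run_masked() {
    bash -c '
        fake_scanner() { echo "constructed finding"; return "$1"; }
        fake_scanner "$1" 2>&1 | tee "$2/output.log" >/dev/null
        exit $?
    ' _ "$1" "$2"
}

# After: capture PIPESTATUS[0] right away, write the marker, propagate the code.
run_propagated() {
    bash -c '
        set -o pipefail
        fake_scanner() { echo "constructed finding"; return "$1"; }
        fake_scanner "$1" 2>&1 | tee "$2/output.log" >/dev/null
        SCAN_EXIT_CODE=${PIPESTATUS[0]}   # must directly follow the pipeline
        echo "Scan complete. Exit code: ${SCAN_EXIT_CODE}" >>"$2/output.log"
        touch "$2/scan.done"
        # The real step sleeps here so artifacts can be copied before exit.
        exit "${SCAN_EXIT_CODE}"
    ' _ "$1" "$2"
}

# Collector side: poll for the marker file instead of grepping the log, with a
# bounded number of one-second tries so a crashed scanner cannot stall the job.
wait_for_marker() {
    dir=$1
    tries=$2
    while [ "$tries" -gt 0 ]; do
        [ -f "$dir/scan.done" ] && return 0
        tries=$((tries - 1))
        sleep 1
    done
    return 1
}

# Run both shapes against a scanner that fails with exit code 3.
demo() {
    d=$(mktemp -d)
    masked=0
    run_masked 3 "$d" || masked=$?
    propagated=0
    run_propagated 3 "$d" || propagated=$?
    marker=missing
    wait_for_marker "$d" 2 && marker=present
    echo "masked=$masked propagated=$propagated marker=$marker"
    rm -rf "$d"
}

demo
```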

@DavidHurta
Contributor Author

/jira refresh

@openshift-ci-robot openshift-ci-robot added the jira/valid-bug Indicates that a referenced Jira bug is valid for the branch this PR is targeting. label May 5, 2026
@DavidHurta
Contributor Author

/test all

@openshift-ci-robot openshift-ci-robot removed the jira/invalid-bug Indicates that a referenced Jira bug is invalid for the branch this PR is targeting. label May 5, 2026
@openshift-ci-robot
Contributor

@DavidHurta: This pull request references Jira Issue OCPBUGS-84968, which is valid. The bug has been moved to the POST state.

3 validation(s) were run on this bug
  • bug is open, matching expected state (open)
  • bug target version (5.0.0) matches configured target version for branch (5.0.0)
  • bug is in the state New, which is one of the valid states (NEW, ASSIGNED, POST)

In response to this:

/jira refresh


@openshift-ci-robot
Contributor

@DavidHurta: This pull request references Jira Issue OCPBUGS-84968, which is valid.

3 validation(s) were run on this bug
  • bug is open, matching expected state (open)
  • bug target version (5.0.0) matches configured target version for branch (5.0.0)
  • bug is in the state POST, which is one of the valid states (NEW, ASSIGNED, POST)

In response to this:

Summary by CodeRabbit

  • Bug Fixes
  • Enhanced reliability of TLS scanner operations in CI/CD pipelines with improved process execution handling and completion detection mechanisms.
  • Refined artifact collection logic to ensure more robust and reliable capture of scan results across pipeline executions.


Contributor

@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@ci-operator/step-registry/tls/scanner/run/tls-scanner-run-commands.sh`:
- Around line 77-83: The script captures the scanner exit in SCAN_EXIT_CODE from
${PIPESTATUS[0]} but never propagates it (the exit is commented out), so change
the flow to preserve artifact collection yet exit with the scanner's code: after
touching /results/scan.done and the sleep 120 (or replace sleep with a
background wait if needed), add an explicit exit ${SCAN_EXIT_CODE} so the
container exits with the original scanner status; ensure you reference
SCAN_EXIT_CODE and PIPESTATUS exactly as used in the snippet.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 705b0f2f-a447-455d-b396-4a5f45dbd733

📥 Commits

Reviewing files that changed from the base of the PR and between 363f952 and f4f7711.

📒 Files selected for processing (1)
  • ci-operator/step-registry/tls/scanner/run/tls-scanner-run-commands.sh

@DavidHurta DavidHurta force-pushed the fix-tls-scanner-false-positives branch 2 times, most recently from dbee2ce to d23a0cb Compare May 5, 2026 13:23
@DavidHurta DavidHurta marked this pull request as ready for review May 5, 2026 13:30
@openshift-ci openshift-ci Bot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label May 5, 2026
@openshift-ci openshift-ci Bot requested review from richardsonnick and smith-xyz May 5, 2026 13:32
@smith-xyz
Contributor

@DavidHurta let's coordinate on this cause I just put up a similar fix here: #78781

though your pipefail + PIPESTATUS[0] is an improvement that is worth keeping I think. My PR fixes the exit code issue for the artifacts and uses tee -a

@DavidHurta
Contributor Author

DavidHurta commented May 5, 2026

Hi @smith-xyz! Haha, I was looking for an existing similar PR yesterday, and there wasn't any 😁

@DavidHurta DavidHurta closed this May 5, 2026
@openshift-ci-robot
Contributor

@DavidHurta: This pull request references Jira Issue OCPBUGS-84968. The bug has been updated to no longer refer to the pull request using the external bug tracker. All external bug links have been closed. The bug has been moved to the NEW state.


In response to this:

The PR aims to fix exit code handling, artifact collection, lingering failed pods, and clarify documentation.

A few things I have found during integrating the steps into our component's CI. I am happy to address any feedback.

Summary by CodeRabbit

  • Bug Fixes
  • Improved TLS scanner reliability by capturing pipeline exit status, recording the scan result marker, and making completion detection more robust; tightened final wait timeout to reduce lingering pods.
  • Documentation
  • Reworded PQC_CHECK description to clarify it "checks" post-quantum readiness and reiterates what the scanner inspects.


@DavidHurta DavidHurta reopened this May 5, 2026
@openshift-ci-robot
Contributor

@DavidHurta: This pull request references Jira Issue OCPBUGS-84968, which is valid. The bug has been moved to the POST state.

3 validation(s) were run on this bug
  • bug is open, matching expected state (open)
  • bug target version (5.0.0) matches configured target version for branch (5.0.0)
  • bug is in the state New, which is one of the valid states (NEW, ASSIGNED, POST)

The bug has been updated to refer to the pull request using the external bug tracker.


@DavidHurta
Contributor Author

Misclick 🙌

@DavidHurta
Contributor Author

DavidHurta commented May 5, 2026

@smith-xyz, sure, let's use your PR to fix the artifact collection. I will then repurpose this PR to propose changes for the remaining potential issues, which this PR aimed to fix/address.

@DavidHurta
Contributor Author

/hold

Artifact collection being fixed in #78781.

I will update this PR after the #78781 PR merges if there is still anything worth pursuing.

@openshift-ci openshift-ci Bot added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label May 5, 2026
@openshift-merge-bot
Contributor

[REHEARSALNOTIFIER]
@DavidHurta: the pj-rehearse plugin accommodates running rehearsal tests for the changes in this PR. Expand 'Interacting with pj-rehearse' for usage details. The following rehearsable tests have been affected by this change:

Test name Repo Type Reason
pull-ci-openshift-cluster-version-operator-main-tls-scanner-default-profile openshift/cluster-version-operator presubmit Registry content changed
pull-ci-openshift-cluster-version-operator-main-tls-scanner-modern-profile openshift/cluster-version-operator presubmit Registry content changed
pull-ci-openshift-cluster-version-operator-release-5.1-tls-scanner openshift/cluster-version-operator presubmit Registry content changed
pull-ci-openshift-cluster-version-operator-release-5.0-tls-scanner openshift/cluster-version-operator presubmit Registry content changed
pull-ci-openshift-cluster-version-operator-release-4.23-tls-scanner openshift/cluster-version-operator presubmit Registry content changed
pull-ci-openshift-cluster-version-operator-release-4.22-tls-scanner openshift/cluster-version-operator presubmit Registry content changed
pull-ci-openshift-insights-operator-master-tls-scanner openshift/insights-operator presubmit Registry content changed
pull-ci-openshift-insights-operator-release-5.1-tls-scanner openshift/insights-operator presubmit Registry content changed
pull-ci-openshift-insights-operator-release-5.0-tls-scanner openshift/insights-operator presubmit Registry content changed
pull-ci-openshift-insights-operator-release-4.23-tls-scanner openshift/insights-operator presubmit Registry content changed
pull-ci-openshift-insights-operator-release-4.22-tls-scanner openshift/insights-operator presubmit Registry content changed
pull-ci-openshift-insights-runtime-extractor-main-tls-scanner openshift/insights-runtime-extractor presubmit Registry content changed
pull-ci-openshift-insights-runtime-extractor-release-5.1-tls-scanner openshift/insights-runtime-extractor presubmit Registry content changed
pull-ci-openshift-insights-runtime-extractor-release-5.0-tls-scanner openshift/insights-runtime-extractor presubmit Registry content changed
pull-ci-openshift-insights-runtime-extractor-release-4.23-tls-scanner openshift/insights-runtime-extractor presubmit Registry content changed
pull-ci-openshift-insights-runtime-extractor-release-4.22-tls-scanner openshift/insights-runtime-extractor presubmit Registry content changed
pull-ci-openshift-tls-scanner-main-smoke-tls openshift/tls-scanner presubmit Registry content changed
pull-ci-openshift-tls-scanner-release-5.1-default-tls openshift/tls-scanner presubmit Registry content changed
pull-ci-openshift-tls-scanner-release-5.1-default-pqc-readiness openshift/tls-scanner presubmit Registry content changed
pull-ci-openshift-tls-scanner-release-5.1-tls13-adherence openshift/tls-scanner presubmit Registry content changed
pull-ci-openshift-tls-scanner-release-5.1-tls13-pqc-readiness openshift/tls-scanner presubmit Registry content changed
pull-ci-openshift-tls-scanner-release-5.0-default-tls openshift/tls-scanner presubmit Registry content changed
pull-ci-openshift-tls-scanner-release-5.0-default-pqc-readiness openshift/tls-scanner presubmit Registry content changed
pull-ci-openshift-tls-scanner-release-5.0-tls13-adherence openshift/tls-scanner presubmit Registry content changed
pull-ci-openshift-tls-scanner-release-5.0-tls13-pqc-readiness openshift/tls-scanner presubmit Registry content changed

A total of 36 jobs have been affected by this change. The above listing is non-exhaustive and limited to 25 jobs.

A full list of affected jobs can be found here

Interacting with pj-rehearse

Comment: /pj-rehearse to run up to 5 rehearsals
Comment: /pj-rehearse skip to opt-out of rehearsals
Comment: /pj-rehearse {test-name}, with each test separated by a space, to run one or more specific rehearsals
Comment: /pj-rehearse more to run up to 10 rehearsals
Comment: /pj-rehearse max to run up to 25 rehearsals
Comment: /pj-rehearse auto-ack to run up to 5 rehearsals, and add the rehearsals-ack label on success
Comment: /pj-rehearse list to get an up-to-date list of affected jobs
Comment: /pj-rehearse abort to abort all active rehearsals
Comment: /pj-rehearse network-access-allowed to allow rehearsals of tests that have the restrict_network_access field set to false. This must be executed by an openshift org member who is not the PR author

Once you are satisfied with the results of the rehearsals, comment: /pj-rehearse ack to unblock merge. When the rehearsals-ack label is present on your PR, merge will no longer be blocked by rehearsals.
If you would like the rehearsals-ack label removed, comment: /pj-rehearse reject to re-block merging.

@DavidHurta DavidHurta changed the title OCPBUGS-84968: fix(tls-scanner): Fix exit code handling and artifact collection NO-JIRA: tls-scanner: Fix exit code handling, lingering failed pods, and clarify docs May 12, 2026
@openshift-ci-robot openshift-ci-robot removed jira/severity-moderate Referenced Jira bug's severity is moderate for the branch this PR is targeting. jira/valid-bug Indicates that a referenced Jira bug is valid for the branch this PR is targeting. labels May 12, 2026
@openshift-ci-robot
Contributor

@DavidHurta: This pull request explicitly references no jira issue.


@DavidHurta
Contributor Author

/unhold

@openshift-ci openshift-ci Bot removed the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label May 12, 2026
@DavidHurta
Contributor Author

/pj-rehearse pull-ci-openshift-tls-scanner-release-5.0-tls13-adherence

@openshift-merge-bot
Contributor

@DavidHurta: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.


oc wait --for=jsonpath='{.status.phase}'=Succeeded pod/tls-scanner -n "${NAMESPACE}" --timeout=4h || {
echo "Scanner did not complete successfully"
oc wait --for=jsonpath='{.status.phase}'=Succeeded pod/tls-scanner -n "${NAMESPACE}" --timeout=10m || {
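
Review bot: The condition `--for=jsonpath='{.status.phase}'=Succeeded` only matches the Succeeded phase, so a pod that ends in Failed still holds this step for the whole `--timeout=10m` before the `||` branch runs, and "Scanner did not complete successfully" cannot tell a failed scan from a timeout. Consider polling `.status.phase` and leaving the loop on either Succeeded or Failed, then reporting which phase was seen.
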
Contributor Author

@DavidHurta DavidHurta May 12, 2026


This was very needed before the ad819e6 changes. Now not so much, but the 4 hour timeout seems excessive and is still prone to the lingering pods.

@DavidHurta
Contributor Author

@coderabbitai summary

@coderabbitai
Contributor

coderabbitai Bot commented May 12, 2026

✅ Actions performed

Summary regeneration triggered.

@DavidHurta
Contributor Author

@coderabbitai review

@coderabbitai
Contributor

coderabbitai Bot commented May 12, 2026

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

@DavidHurta
Contributor Author

@coderabbitai full review

@coderabbitai
Contributor

coderabbitai Bot commented May 12, 2026

✅ Actions performed

Full review triggered.

Contributor

@coderabbitai coderabbitai Bot left a comment


♻️ Duplicate comments (1)
ci-operator/step-registry/tls/scanner/run/tls-scanner-run-commands.sh (1)

81-87: ⚠️ Potential issue | 🔴 Critical | ⚡ Quick win

Scanner failures are still masked because SCAN_EXIT_CODE is never propagated.

SCAN_EXIT_CODE is captured at Line 81, but Line 86-Line 87 keeps the exit commented, so the pod still exits successfully after sleep 120 even when the scan fails.

Proposed fix
       SCAN_EXIT_CODE=\${PIPESTATUS[0]}
       echo "Scan complete. Exit code: \${SCAN_EXIT_CODE}" | tee -a /results/output.log
       touch /results/scan.done
       # Keep pod alive for artifact collection
       sleep 120
-      # We are intentionally ignoring the scanner exit code for the moment
-      # exit \${SCAN_EXIT_CODE}
+      exit \${SCAN_EXIT_CODE}
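
Review bot: `touch /results/scan.done` in this block creates an empty marker, so the artifact collection that the "Keep pod alive" comment refers to learns that the scan ended but not how it ended. `SCAN_EXIT_CODE` is already set two lines earlier, so writing it into the marker (for example `echo "\${SCAN_EXIT_CODE}" > /results/scan.done`) would let the collecting side report the scanner status without parsing /results/output.log.
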

Run this read-only check to confirm current behavior in-branch:

#!/bin/bash
set -euo pipefail
FILE="ci-operator/step-registry/tls/scanner/run/tls-scanner-run-commands.sh"

echo "Checking scanner exit-code handling block..."
sed -n '76,90p' "$FILE"

echo
echo "Verifying capture vs propagation markers..."
rg -n 'PIPESTATUS\[0\]|scan\.done|exit \\\$\{SCAN_EXIT_CODE\}|intentionally ignoring' "$FILE"
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@ci-operator/step-registry/tls/scanner/run/tls-scanner-run-commands.sh` around
lines 81 - 87, The script captures the scanner result into SCAN_EXIT_CODE but
never propagates it, so un-comment and restore exit propagation after the sleep
(or explicitly call "exit ${SCAN_EXIT_CODE}") so the pod returns the scanner's
status; update the block around SCAN_EXIT_CODE, the touch /results/scan.done
line, and the sleep 120 line to ensure the script ends with exit
${SCAN_EXIT_CODE} (or equivalent explicit exit) instead of a commented-out exit,
so failures are not masked.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: a538e8d8-c9a9-43e7-a332-a3bdc63bc43e

📥 Commits

Reviewing files that changed from the base of the PR and between 1f0d638 and 12df190.

📒 Files selected for processing (2)
  • ci-operator/step-registry/tls/scanner/run/tls-scanner-run-commands.sh
  • ci-operator/step-registry/tls/scanner/run/tls-scanner-run-ref.yaml

@@ -80,6 +80,7 @@ spec:
--log-file /results/scan.log 2>&1 | tee /results/output.log
SCAN_EXIT_CODE=\${PIPESTATUS[0]}
echo "Scan complete. Exit code: \${SCAN_EXIT_CODE}" | tee -a /results/output.log
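
Review bot: `SCAN_EXIT_CODE=\${PIPESTATUS[0]}` is only correct while it stays the first command after the `... | tee /results/output.log` pipeline, because any command run in between replaces PIPESTATUS. A one-line comment above the assignment saying so would keep a later edit, such as a log line added between the two, from silently turning the captured value into that command's status. PIPESTATUS is also a bash array, so the capture depends on the container command staying bash.
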
Contributor Author


Suggested change
echo "Scan complete. Exit code: \${SCAN_EXIT_CODE}" | tee -a /results/output.log
echo "Scan complete. Exit code: \${SCAN_EXIT_CODE}"

@smith-xyz
Contributor

/pj-rehearse pull-ci-openshift-tls-scanner-main-smoke-tls

@openshift-merge-bot
Contributor

@smith-xyz: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

@smith-xyz
Contributor

/lgtm
/approve
/pj-rehearse ack

@openshift-merge-bot
Contributor

@smith-xyz: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

@openshift-merge-bot openshift-merge-bot Bot added the rehearsals-ack Signifies that rehearsal jobs have been acknowledged label May 14, 2026
@openshift-ci openshift-ci Bot added the lgtm Indicates that a PR is ready to be merged. label May 14, 2026
@openshift-ci
Contributor

openshift-ci Bot commented May 14, 2026

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: DavidHurta, smith-xyz

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci openshift-ci Bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label May 14, 2026
@openshift-ci
Contributor

openshift-ci Bot commented May 14, 2026

@DavidHurta: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

@openshift-merge-bot openshift-merge-bot Bot merged commit 4caa0ae into openshift:main May 14, 2026
13 checks passed