
Fix ROSA account-roles-create overriding specific patch versions #79295

Open
Sandeepyadav93 wants to merge 1 commit into openshift:main from Sandeepyadav93:fix-account-roles-create

Sandeepyadav93 (Contributor) commented May 14, 2026

The account-roles-create step was unconditionally writing the truncated version (e.g., "4.21") to ${SHARED_DIR}/openshift_version, even when no fallback occurred. This caused the provision step to override specific patch version requests (e.g., OPENSHIFT_VERSION: 4.21.13) with the latest available version in that minor release (e.g., 4.21.15).

The openshift_version file is intended to communicate fallback versions when account role creation fails with the requested version and must retry with a newer one. It should not be written during normal operations where the user's requested version succeeds.

Changes:

  • Add FALLBACK_OCCURRED flag to track actual fallback events
  • Only write openshift_version file when fallback actually occurs
  • Update log message to clarify it's storing a fallback version

This ensures that when users specify exact versions like "4.21.13" in their job configs, the cluster is provisioned with that exact version rather than being upgraded to the latest available patch release.

Fix ROSA account-roles-create overriding specific patch versions

This PR fixes an issue in the ROSA (Red Hat OpenShift Service on AWS) CI infrastructure where the account-roles-create step was unintentionally overriding user-specified OpenShift patch versions.

Problem

The account-roles-create step was unconditionally writing a truncated minor version (e.g., "4.21") to ${SHARED_DIR}/openshift_version even when no fallback was necessary. This caused the downstream provision step to replace user-requested specific patch versions (e.g., OPENSHIFT_VERSION: 4.21.13) with the latest patch available in that minor release (e.g., 4.21.15), breaking reproducible cluster provisioning.

Solution

Modified the rosa-sts-account-roles-create-commands.sh step to:

  • Introduce a FALLBACK_OCCURRED flag initialized to false that tracks whether account role creation actually required falling back to a different OpenShift version
  • Set FALLBACK_OCCURRED=true only when the fallback retry path is executed with a different version
  • Conditionally write openshift_version to the shared directory only when a fallback has genuinely occurred (checking both the flag and that OPENSHIFT_VERSION is set)
  • Update the log message from generic version storage to clarify "Stored fallback version"

Impact

The fix ensures that exact user-specified OpenShift patch versions are preserved during normal CI operations. The openshift_version file is now correctly used only as a fallback communication mechanism when account role creation fails with the requested version and must retry with an alternative version, preventing unintended version overrides in downstream provisioning steps.
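
A minimal model of the hand-off described above, written as an added example; it is not code from this PR or from the openshift/release step script. `create_roles`, `GATE`, `FALLBACK_MINOR`, `AVAILABLE`, `provision_version` and `run_job` are hypothetical names with constructed values, and the provision-side rule (a stored version wins, a bare minor resolves to its newest patch) is inferred from the description.

```shell
#!/usr/bin/env bash
# Simplified model of the two CI steps, not the openshift/release script.
# create_roles, GATE, FALLBACK_MINOR and AVAILABLE are hypothetical/constructed.
set -u
AVAILABLE="4.21.13 4.21.15 4.22.3"   # constructed release list, ascending
FALLBACK_MINOR="4.22"                # constructed fallback target

create_roles() {  # stub: fails for any minor version listed in UNSUPPORTED
  case " ${UNSUPPORTED:-} " in *" $1 "*) return 1 ;; esac
}

account_roles_create() {  # $1 = requested version, e.g. 4.21.13
  OPENSHIFT_VERSION=$(echo "$1" | cut -d. -f1,2)   # truncated form, e.g. 4.21
  FALLBACK_OCCURRED=false
  if ! create_roles "$OPENSHIFT_VERSION"; then
    create_roles "$FALLBACK_MINOR" || return 1
    OPENSHIFT_VERSION="$FALLBACK_MINOR"
    FALLBACK_OCCURRED=true
  fi
  # GATE=true is the PR's behaviour; GATE=false is the old unconditional write.
  if [ "$GATE" = false ] || { [ "$FALLBACK_OCCURRED" = true ] && [ -n "$OPENSHIFT_VERSION" ]; }; then
    echo "$OPENSHIFT_VERSION" > "${SHARED_DIR}/openshift_version"
  fi
}

provision_version() {  # $1 = requested version; a stored version takes precedence
  want="$1"; picked=""
  if [ -s "${SHARED_DIR}/openshift_version" ]; then
    want=$(cat "${SHARED_DIR}/openshift_version")
  fi
  for v in $AVAILABLE; do   # exact match, or newest patch of a bare minor
    case "$v" in "$want"|"$want".*) picked="$v" ;; esac
  done
  echo "$picked"
}

run_job() {  # $1 = requested version, $2 = GATE, $3 = unsupported minors
  GATE="$2"; UNSUPPORTED="$3"; SHARED_DIR=$(mktemp -d)
  account_roles_create "$1" || { rm -rf "$SHARED_DIR"; return 1; }
  provision_version "$1"
  rm -rf "$SHARED_DIR"
}

echo "before fix: $(run_job 4.21.13 false '')"      # 4.21.15
echo "after fix:  $(run_job 4.21.13 true '')"       # 4.21.13
echo "fallback:   $(run_job 4.21.13 true '4.21')"   # 4.22.3
```

The three calls cover the pinned request being silently bumped, the pinned request being honoured, and a genuine fallback still reaching the provision step.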

coderabbitai Bot (Contributor) commented May 14, 2026

No actionable comments were generated in the recent review. 🎉


📥 Commits

Reviewing files that changed from the base of the PR and between 6ac04d3 and 16eb9bf.

📒 Files selected for processing (1)
  • ci-operator/step-registry/rosa/sts/account-roles/create/rosa-sts-account-roles-create-commands.sh

Walkthrough

A shell script for ROSA account-role creation is updated to track when a version fallback occurs during retry logic, and conditionally writes the fallback version to shared output only when fallback actually happened rather than for all resolved versions.

Changes

Fallback Version Tracking and Conditional Output

| Layer / File(s) | Summary |
| --- | --- |
| Fallback flag initialization and state management: ci-operator/step-registry/rosa/sts/account-roles/create/rosa-sts-account-roles-create-commands.sh | Script initializes FALLBACK_OCCURRED=false at startup, sets it to true when entering the version fallback retry path, and uses it to gate the version output behavior in the post-step logic. |
| Version output conditional on fallback: ci-operator/step-registry/rosa/sts/account-roles/create/rosa-sts-account-roles-create-commands.sh | Post-step logic now writes openshift_version to SHARED_DIR only when FALLBACK_OCCURRED is true and OPENSHIFT_VERSION is set, replacing the previous unconditional write for non-stable channel groups, with updated log messaging. |

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

🚥 Pre-merge checks | ✅ 12
✅ Passed checks (12 passed)
| Check name | Status | Explanation |
| --- | --- | --- |
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title accurately summarizes the main change: fixing the account-roles-create step from incorrectly overriding specific patch versions with truncated minor versions when no fallback occurs. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Stable And Deterministic Test Names | ✅ Passed | The PR does not contain any Ginkgo tests. The changes are limited to shell scripts and CI configuration files, making the custom check for Ginkgo test name stability not applicable. |
| Test Structure And Quality | ✅ Passed | Check not applicable. PR modifies only a shell script with no Ginkgo test code. The check requires reviewing Ginkgo test code quality, which is absent. |
| Microshift Test Compatibility | ✅ Passed | PR modifies only a shell script for CI orchestration. No Ginkgo e2e tests are added, so this check is not applicable. |
| Single Node Openshift (Sno) Test Compatibility | ✅ Passed | This PR modifies a shell script for ROSA CI operations, not Ginkgo e2e tests. The custom check for SNO test compatibility does not apply as no e2e tests are being added. |
| Topology-Aware Scheduling Compatibility | ✅ Passed | PR modifies a shell script for ROSA account role creation, not deployment manifests, operator code, or controllers. No scheduling constraints introduced. |
| Ote Binary Stdout Contract | ✅ Passed | This PR modifies a shell script automation step, not an OTE binary. The custom check targets OTE binaries and is not applicable. |
| Ipv6 And Disconnected Network Test Compatibility | ✅ Passed | This PR modifies a CI step script (shell script), not Ginkgo e2e tests. The custom check targets e2e tests and is not applicable to this infrastructure/automation code. |


openshift-ci Bot requested review from jtaleric and svetsa-rh May 14, 2026 10:50

openshift-ci Bot (Contributor) commented May 14, 2026

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: Sandeepyadav93
Once this PR has been reviewed and has the lgtm label, please assign svetsa-rh for approval. For more information see the Code Review Process.


openshift-merge-bot (Contributor)

[REHEARSALNOTIFIER]
@Sandeepyadav93: the pj-rehearse plugin accommodates running rehearsal tests for the changes in this PR. Expand 'Interacting with pj-rehearse' for usage details. The following rehearsable tests have been affected by this change:

| Test name | Repo | Type | Reason |
| --- | --- | --- | --- |
| pull-ci-CSPI-QE-MSI-single-cluster-smoke-v4.14-single-cluster-rosa-4-14-candidate-smoke | CSPI-QE/MSI | presubmit | Registry content changed |
| pull-ci-ComplianceAsCode-content-master-4.21-e2e-rosa-ocp4-cis-node | ComplianceAsCode/content | presubmit | Registry content changed |
| pull-ci-ComplianceAsCode-content-master-4.21-e2e-rosa-ocp4-pci-dss-node | ComplianceAsCode/content | presubmit | Registry content changed |
| pull-ci-ComplianceAsCode-content-master-4.19-e2e-rosa-ocp4-cis-node | ComplianceAsCode/content | presubmit | Registry content changed |
| pull-ci-ComplianceAsCode-content-master-4.19-e2e-rosa-ocp4-pci-dss-node | ComplianceAsCode/content | presubmit | Registry content changed |
| pull-ci-ComplianceAsCode-content-master-4.20-e2e-rosa-ocp4-cis-node | ComplianceAsCode/content | presubmit | Registry content changed |
| pull-ci-ComplianceAsCode-content-master-4.20-e2e-rosa-ocp4-pci-dss-node | ComplianceAsCode/content | presubmit | Registry content changed |
| pull-ci-openshift-file-integrity-operator-master-e2e-rosa | openshift/file-integrity-operator | presubmit | Registry content changed |
| pull-ci-openshift-file-integrity-operator-release-5.1-e2e-rosa | openshift/file-integrity-operator | presubmit | Registry content changed |
| pull-ci-openshift-file-integrity-operator-release-5.0-e2e-rosa | openshift/file-integrity-operator | presubmit | Registry content changed |
| pull-ci-openshift-file-integrity-operator-release-4.23-e2e-rosa | openshift/file-integrity-operator | presubmit | Registry content changed |
| pull-ci-openshift-file-integrity-operator-release-4.22-e2e-rosa | openshift/file-integrity-operator | presubmit | Registry content changed |
| pull-ci-openshift-file-integrity-operator-release-4.21-e2e-rosa | openshift/file-integrity-operator | presubmit | Registry content changed |
| pull-ci-openshift-file-integrity-operator-release-4.20-e2e-rosa | openshift/file-integrity-operator | presubmit | Registry content changed |
| pull-ci-openshift-file-integrity-operator-release-4.19-e2e-rosa | openshift/file-integrity-operator | presubmit | Registry content changed |
| pull-ci-openshift-file-integrity-operator-release-4.18-e2e-rosa | openshift/file-integrity-operator | presubmit | Registry content changed |
| pull-ci-openshift-file-integrity-operator-release-4.17-e2e-rosa | openshift/file-integrity-operator | presubmit | Registry content changed |
| pull-ci-rh-ecosystem-edge-neuron-ci-main-4.20-stable-aws-neuron-operator-e2e | rh-ecosystem-edge/neuron-ci | presubmit | Registry content changed |
| pull-ci-rh-ecosystem-edge-neuron-ci-main-4.19-stable-aws-neuron-operator-e2e | rh-ecosystem-edge/neuron-ci | presubmit | Registry content changed |
| pull-ci-rh-ecosystem-edge-neuron-ci-main-4.21-stable-aws-neuron-operator-e2e | rh-ecosystem-edge/neuron-ci | presubmit | Registry content changed |
| pull-ci-rh-ecosystem-edge-neuron-ci-main-4.20-stable-aws-neuron-operator-kserve-e2e | rh-ecosystem-edge/neuron-ci | presubmit | Registry content changed |
| pull-ci-rh-ecosystem-edge-neuron-ci-main-4.19-stable-aws-neuron-operator-kserve-e2e | rh-ecosystem-edge/neuron-ci | presubmit | Registry content changed |
| pull-ci-rh-ecosystem-edge-neuron-ci-main-4.21-stable-aws-neuron-operator-kserve-e2e | rh-ecosystem-edge/neuron-ci | presubmit | Registry content changed |
| pull-ci-openshift-eng-ocp-qe-perfscale-ci-main-rosa-4.22-candidate-x86-loaded-upgrade-from-4.21-loaded-upgrade-24nodes | openshift-eng/ocp-qe-perfscale-ci | presubmit | Registry content changed |
| pull-ci-openshift-eng-ocp-qe-perfscale-ci-main-rosa-4.22-candidate-x86-loaded-upgrade-from-4.21-loaded-upgrade-120nodes | openshift-eng/ocp-qe-perfscale-ci | presubmit | Registry content changed |

A total of 307 jobs have been affected by this change. The above listing is non-exhaustive and limited to 25 jobs.

Prior to this PR being merged, you will need to either run and acknowledge or opt to skip these rehearsals.

Interacting with pj-rehearse

Comment: /pj-rehearse to run up to 5 rehearsals
Comment: /pj-rehearse skip to opt-out of rehearsals
Comment: /pj-rehearse {test-name}, with each test separated by a space, to run one or more specific rehearsals
Comment: /pj-rehearse more to run up to 10 rehearsals
Comment: /pj-rehearse max to run up to 25 rehearsals
Comment: /pj-rehearse auto-ack to run up to 5 rehearsals, and add the rehearsals-ack label on success
Comment: /pj-rehearse list to get an up-to-date list of affected jobs
Comment: /pj-rehearse abort to abort all active rehearsals
Comment: /pj-rehearse network-access-allowed to allow rehearsals of tests that have the restrict_network_access field set to false. This must be executed by an openshift org member who is not the PR author

Once you are satisfied with the results of the rehearsals, comment: /pj-rehearse ack to unblock merge. When the rehearsals-ack label is present on your PR, merge will no longer be blocked by rehearsals.
If you would like the rehearsals-ack label removed, comment: /pj-rehearse reject to re-block merging.

Sandeepyadav93 (Contributor, Author)

/assign @dustman9000

Hello Dustin.

I see you recently updated this logic; I will appreciate your review.

openshift-ci Bot (Contributor) commented May 14, 2026

@Sandeepyadav93: all tests passed!
