mirror-gui: add catalog-sync ci-operator variant and daily promotion #79303

Open
yakovbeder wants to merge 12 commits into openshift:main from yakovbeder:mirror-gui-catalog-sync-ci


@yakovbeder yakovbeder commented May 14, 2026

Add openshift-mirror-gui-main__catalog-sync variant building mirror-gui-catalog-sync with Docker build-arg SYNC_CATALOGS=true for fresh operator catalog metadata.

Regenerate presubmit/postsubmit jobs for the variant. Add a hand-maintained periodic promotion job (prowgen does not emit it); re-copy after prowgen.

The default mirror-gui image tag is unchanged; the synced image is promoted as ocp/5.0:mirror-gui-catalog-sync to satisfy ci-operator duplicate-promotion checks.

This PR adds a rehearsable catalog-sync variant to OpenShift CI for the openshift/mirror-gui repository to build and verify an operator catalog image and promote the synced image into the ocp integration registry.

What changed (practical impact)

  • Adds a new ci-operator variant/config: ci-operator/config/openshift/mirror-gui/openshift-mirror-gui-main__catalog-sync.yaml. The variant:

    • Builds the mirror-gui image using .ci-operator/build-root/Dockerfile and the Dockerfile in the repo (produces the mirror-gui image).
    • Configures promotion of the built image into the ocp integration stream 5.0 (promoted as ocp/5.0:mirror-gui-catalog-sync via the variant’s releases.initial/latest settings) while leaving the default mirror-gui tag unchanged.
    • Sets global resource requests/limits (memory limit 4Gi; cpu request 100m; memory request 200Mi).
    • Adds a steps-style test named catalog-sync-verify that runs inside the built mirror-gui image, mounts ci-pull-credentials, exports required env vars, runs /app/sync-catalogs.sh, prints /tmp/catalog-data/catalog-index.json, and fails if no catalog entries are found (robustified with set -euo pipefail and safer jq parsing).
    • Declares credentials mount for ci-pull-credentials so the verify step can access pull secrets (credentials stanza present in steps format).
  • Regenerated presubmits to include the catalog-sync variant and rehearsable contexts:

    • ci-operator/jobs/openshift/mirror-gui/openshift-mirror-gui-main-presubmits.yaml now contains entries for the catalog-sync-catalog-sync-verify and catalog-sync-images contexts and trigger/rerun commands for rehearsing these steps in PRs.

Notes and operational details

  • The verify test is steps-based so prow metadata normalizer recognizes the credentials stanza; the job includes the necessary mounts and resource requests to match prowgen expectations.
  • The promotion target is the ocp integration 5.0 namespace/tag (ocp/5.0:mirror-gui-catalog-sync) to satisfy ci-operator duplicate-promotion checks; the default mirror-gui tag remains unchanged.
  • The PR includes safety improvements to the verification script and adjusts presubmit ordering/arguments to align with prowgen behavior.

Files added/updated (high level)

  • ci-operator/config/openshift/mirror-gui/openshift-mirror-gui-main__catalog-sync.yaml (new)
  • ci-operator/jobs/openshift/mirror-gui/openshift-mirror-gui-main-presubmits.yaml (regenerated entries to include catalog-sync variant and verify/images rehearsable jobs)

Add openshift-mirror-gui-main__catalog-sync variant building mirror-gui-catalog-sync
with Docker build-arg SYNC_CATALOGS=true for fresh operator catalog metadata.

Regenerate presubmit/postsubmit jobs for the variant. Add a hand-maintained
periodic promotion job (prowgen does not emit it); re-copy after prowgen.

The default mirror-gui image tag is unchanged; the synced image is promoted as
ocp/5.0:mirror-gui-catalog-sync to satisfy ci-operator duplicate-promotion checks.

Co-authored-by: Cursor <cursoragent@cursor.com>

coderabbitai Bot commented May 14, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 39c02149-bc4d-4cae-be2b-82c66d44552d

📥 Commits

Reviewing files that changed from the base of the PR and between 8d4b1fa and 71b0599.

⛔ Files ignored due to path filters (1)
  • ci-operator/jobs/openshift/mirror-gui/openshift-mirror-gui-main-presubmits.yaml is excluded by !ci-operator/jobs/**
📒 Files selected for processing (1)
  • ci-operator/config/openshift/mirror-gui/openshift-mirror-gui-main__catalog-sync.yaml
🚧 Files skipped from review as they are similar to previous changes (1)
  • ci-operator/config/openshift/mirror-gui/openshift-mirror-gui-main__catalog-sync.yaml

Walkthrough

Adds a new OpenShift CI catalog-sync job for openshift/mirror-gui that builds an image from .ci-operator/build-root/Dockerfile, publishes to mirror-gui (marks latest), targets 5.0/ocp, sets wildcard resource requests/limits, and runs a catalog-sync-verify test that asserts catalog-index.json has ≥1 entry.

Changes

Catalog-Sync CI Job

| Layer / File(s) | Summary |
| --- | --- |
| Job manifest and build wiring (ci-operator/config/openshift/mirror-gui/openshift-mirror-gui-main__catalog-sync.yaml) | Adds a new CI job catalog-sync for branch main (org openshift, repo mirror-gui, variant catalog-sync) that builds from .ci-operator/build-root/Dockerfile (Dockerfile path override), publishes an image to mirror-gui, and marks latest for included images. |
| Promotion / release targets and resources (ci-operator/config/openshift/mirror-gui/openshift-mirror-gui-main__catalog-sync.yaml) | Configures promotion to release 5.0 in namespace ocp and sets wildcard resource requests/limits (memory limit 4Gi, cpu request 100m, memory request 200Mi). |
| Test stage: catalog-sync-verify (ci-operator/config/openshift/mirror-gui/openshift-mirror-gui-main__catalog-sync.yaml) | Adds catalog-sync-verify test that mounts ci-pull-credentials, exports env vars, runs /app/./sync-catalogs.sh, prints catalog-index.json, and fails if parsed catalog entry count < 1. |

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

rehearsals-ack

🚥 Pre-merge checks | ✅ 12
✅ Passed checks (12 passed)
| Check name | Status | Explanation |
| --- | --- | --- |
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title accurately describes the main changes: adding a catalog-sync ci-operator variant and daily promotion for mirror-gui, which matches the file additions and configuration changes in the PR. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Stable And Deterministic Test Names | ✅ Passed | PR adds CI configuration files (YAML), not Ginkgo tests. Test names like "catalog-sync-verify" are static with no dynamic values. Check not applicable. |
| Test Structure And Quality | ✅ Passed | Custom check for Ginkgo test code quality is not applicable. This PR adds only CI configuration files (YAML), not Ginkgo test code. No Go test files or Ginkgo test blocks exist in this PR. |
| Microshift Test Compatibility | ✅ Passed | The PR adds only a CI operator configuration file (YAML), not Ginkgo e2e tests. The check applies only when new Ginkgo e2e tests are added, so it is not applicable here. |
| Single Node Openshift (Sno) Test Compatibility | ✅ Passed | This PR adds only CI configuration and shell-script tests, not Ginkgo e2e tests. The SNO compatibility check only applies to Ginkgo tests. |
| Topology-Aware Scheduling Compatibility | ✅ Passed | PR adds only CI configuration (ci-operator config) with no Kubernetes deployment manifests, operator code, or scheduling constraints. The custom check for topology-aware scheduling is not applicable. |
| Ote Binary Stdout Contract | ✅ Passed | PR adds only a YAML CI config file, not Go source code or test binaries. OTE Binary Stdout Contract check does not apply. |
| Ipv6 And Disconnected Network Test Compatibility | ✅ Passed | The PR adds only a ci-operator configuration file (YAML). No Ginkgo e2e tests are added. The custom check applies only to new Ginkgo e2e tests, making it not applicable to this PR. |

@openshift-ci openshift-ci Bot requested review from adolfo-ab and aguidirh May 14, 2026 13:45
@openshift-ci openshift-ci Bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label May 14, 2026
@aguidirh

/pj-rehearse max

@openshift-merge-bot

@aguidirh: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

@yakovbeder

/pj-rehearse max

@openshift-merge-bot

@yakovbeder: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

yakovbeder and others added 2 commits May 14, 2026 21:53
…odic sync+build

Move the daily catalog refresh out of the Dockerfile and into a
self-contained periodic Prow job that:

1. Mounts ci-pull-credentials for registry.redhat.io access
2. Runs sync-catalogs.sh in the checked-out workspace
3. Builds the image with buildah from the synced workspace
4. Pushes the single mirror-gui image with the push secret

This avoids the oc-image-extract-inside-Dockerfile auth problem
entirely, requires no manual cluster-side secret changes, and
keeps local developer builds unchanged.

- Delete the catalog-sync ci-operator variant config
- Remove catalog-sync presubmit and postsubmit jobs
- Rewrite the periodic job as a direct sync+buildah+push wrapper

Co-authored-by: Cursor <cursoragent@cursor.com>
@openshift-merge-bot openshift-merge-bot Bot added the rehearsals-ack Signifies that rehearsal jobs have been acknowledged label May 14, 2026
Replace the previous catalog-sync variant (which tried oc image extract
inside a Dockerfile RUN step) with a ci-operator test step that:

- Runs from the built mirror-gui image (has oc, python3, jq, PyYAML)
- Mounts ci-pull-credentials for registry.redhat.io auth
- Executes sync-catalogs.sh and validates the output
- Is rehearsable via pj-rehearse to prove sync works before merge

Remove the periodic job for now; it will be re-added in a follow-up PR
once the sync is confirmed working.

Co-authored-by: Cursor <cursoragent@cursor.com>

openshift-ci Bot commented May 14, 2026

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: yakovbeder

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment


@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In
`@ci-operator/config/openshift/mirror-gui/openshift-mirror-gui-main__catalog-sync.yaml`:
- Around line 27-40: The verification block is fragile: add strict shell options
(set -euo pipefail) at the top of the commands, verify
/tmp/catalog-data/catalog-index.json exists and is readable before parsing, and
ensure CATALOG_COUNT is a numeric value returned by jq (e.g., validate jq output
or default to 0 on failure) so that the test fails on parse errors; specifically
update the script invoking sync-catalogs.sh and the subsequent lines that
compute CATALOG_COUNT to abort immediately on any error, treat
missing/non-numeric jq output as 0, and log an explicit error if CATALOG_COUNT <
1 (references: sync-catalogs.sh, /tmp/catalog-data/catalog-index.json,
CATALOG_COUNT, jq).
ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: a165433d-a0d8-490c-a147-057c07b860ec

📥 Commits

Reviewing files that changed from the base of the PR and between 987a0bc and 8d4b1fa.

⛔ Files ignored due to path filters (1)
  • ci-operator/jobs/openshift/mirror-gui/openshift-mirror-gui-main-presubmits.yaml is excluded by !ci-operator/jobs/**
📒 Files selected for processing (1)
  • ci-operator/config/openshift/mirror-gui/openshift-mirror-gui-main__catalog-sync.yaml
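
One way to write the fail-fast check that the review comment above asks for, as an added example that is not the PR's own script. The layout of catalog-index.json is not shown on this page, so counting its top-level entries with jq is an assumption, and `count_catalogs`, `verify_catalog_index` and `demo` are hypothetical names. It rejects unreadable or unparseable input outright instead of defaulting the count to 0; the test fails either way.

```bash
#!/usr/bin/env bash
set -eu
# pipefail is missing from some /bin/sh builds; enable it where available.
(set -o pipefail) 2>/dev/null && set -o pipefail

# count_catalogs FILE (hypothetical helper): print the number of top-level
# entries. Assumption: the index is a JSON array or object; the real layout
# of catalog-index.json is not shown on this page.
count_catalogs() {
    index_file=$1
    if [ ! -r "$index_file" ]; then
        echo "ERROR: $index_file missing or unreadable" >&2
        return 1
    fi
    # jq exits non-zero on malformed JSON and on the explicit error() below.
    if ! count=$(jq 'if type == "array" or type == "object" then length
                     else error("unexpected top-level type") end' \
                 "$index_file" 2>/dev/null); then
        echo "ERROR: cannot parse $index_file" >&2
        return 1
    fi
    # An empty file makes jq print nothing and still exit 0, so the output
    # itself must be checked: accept only a plain non-negative integer.
    case $count in
        '' | *[!0-9]*) echo "ERROR: non-numeric count '$count'" >&2; return 1 ;;
    esac
    printf '%s\n' "$count"
}

# verify_catalog_index FILE: succeed only when at least one entry exists.
verify_catalog_index() {
    n=$(count_catalogs "$1") || return 1
    if [ "$n" -lt 1 ]; then
        echo "ERROR: no catalog entries in $1" >&2
        return 1
    fi
    echo "OK: $n catalog entries in $1"
}

# Constructed sample inputs (not real catalog data).
demo() {
    d=$(mktemp -d)
    printf '[{"name":"a"},{"name":"b"}]' > "$d/good.json"
    printf '[]' > "$d/empty-list.json"
    : > "$d/empty-file.json"
    printf '{"truncated":' > "$d/bad.json"
    for f in good empty-list empty-file bad missing; do
        verify_catalog_index "$d/$f.json" || echo "-> $f rejected"
    done
    rm -rf "$d"
}
demo
```
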

@openshift-merge-bot openshift-merge-bot Bot removed the rehearsals-ack Signifies that rehearsal jobs have been acknowledged label May 14, 2026
yakovbeder and others added 2 commits May 14, 2026 19:07
Swap catalog-sync-catalog-sync-verify and catalog-sync-images to match
prowgen expected order. Remove --target=[release:latest] from the
catalog-sync-images presubmit (variant has no promotion).

Co-authored-by: Cursor <cursoragent@cursor.com>
Add fail-fast shell options and safer jq parsing to prevent false
passes when sync-catalogs.sh or catalog-index.json parsing fails.

Addresses CodeRabbit review feedback.

Co-authored-by: Cursor <cursoragent@cursor.com>
@openshift-merge-bot

@yakovbeder, pj-rehearse: unable to determine affected jobs. This could be due to a branch that needs to be rebased. ERROR:

couldn't prepare candidate: couldn't checkout base SHA 2552e0d0338b88cf72735b9d36f53841a9e7da96: error checking out "2552e0d0338b88cf72735b9d36f53841a9e7da96": exit status 128 fatal: unable to read tree (2552e0d0338b88cf72735b9d36f53841a9e7da96)

Interacting with pj-rehearse

Comment: /pj-rehearse to run up to 5 rehearsals
Comment: /pj-rehearse skip to opt-out of rehearsals
Comment: /pj-rehearse {test-name}, with each test separated by a space, to run one or more specific rehearsals
Comment: /pj-rehearse more to run up to 10 rehearsals
Comment: /pj-rehearse max to run up to 25 rehearsals
Comment: /pj-rehearse auto-ack to run up to 5 rehearsals, and add the rehearsals-ack label on success
Comment: /pj-rehearse list to get an up-to-date list of affected jobs
Comment: /pj-rehearse abort to abort all active rehearsals
Comment: /pj-rehearse network-access-allowed to allow rehearsals of tests that have the restrict_network_access field set to false. This must be executed by an openshift org member who is not the PR author

Once you are satisfied with the results of the rehearsals, comment: /pj-rehearse ack to unblock merge. When the rehearsals-ack label is present on your PR, merge will no longer be blocked by rehearsals.
If you would like the rehearsals-ack label removed, comment: /pj-rehearse reject to re-block merging.

yakovbeder and others added 4 commits May 14, 2026 19:17
Co-authored-by: Cursor <cursoragent@cursor.com>
Switch from container shorthand to the steps test format so that
the credentials stanza is recognized by the config metadata normalizer.

Co-authored-by: Cursor <cursoragent@cursor.com>
Prowgen requires lease-server-credentials (boskos) and secret-dir
mounts for steps-based tests with credentials. Match the expected
generated output exactly.

Co-authored-by: Cursor <cursoragent@cursor.com>
@yakovbeder

/pj-rehearse max

@openshift-merge-bot

@yakovbeder: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

@openshift-merge-bot

[REHEARSALNOTIFIER]
@yakovbeder: the pj-rehearse plugin accommodates running rehearsal tests for the changes in this PR. Expand 'Interacting with pj-rehearse' for usage details. The following rehearsable tests have been affected by this change:

| Test name | Repo | Type | Reason |
| --- | --- | --- | --- |
| pull-ci-openshift-mirror-gui-main-catalog-sync-catalog-sync-verify | openshift/mirror-gui | presubmit | Presubmit changed |
| pull-ci-openshift-mirror-gui-main-catalog-sync-images | openshift/mirror-gui | presubmit | Presubmit changed |

openshift-ci Bot commented May 14, 2026

@yakovbeder: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.
