ROSAENG-1067: add gcp marketplace testing to rosa-e2e #79383

Merged
openshift-merge-bot[bot] merged 1 commit into openshift:main from bmeng:gcpwif-e2e
May 18, 2026
@bmeng
Contributor

@bmeng bmeng commented May 18, 2026

  1. Updating existing osd gcp provision/deprovision steps to support sso-client login
  2. Updating the osd-gcp provision step to handle wif condition
  3. Add new steps to create/delete wif-config
  4. Add new workflow for gcp-marketplace with wif
  5. Add new 4.22 candidate job for gcp-marketplace with the new workflow by using rosa-e2e-03 profile which contains the gcp credentials

Note: as the job is currently using labelfilter OSD-GCP and we do not have the label implemented in rosa-e2e yet, there is no real testing performed; it only tests the workflow with gcp-marketplace + wif

==================================

This PR updates OpenShift CI configuration in the openshift/release repository to add GCP Marketplace testing for rosa-e2e and to make ROSA OCM authentication and provisioning steps support Workload Identity Federation (WIF) and SSO client credentials.

What is affected (practical terms)

  • Area: ci-operator configs and step-registry under openshift/release that drive openshift-online/rosa-e2e CI jobs and step definitions.
  • What it enables: scheduled Marketplace-based validation of OpenShift candidate 4.22 on OSD GCP using the rosa-e2e-03 profile (contains GCP credentials), plus end-to-end support for creating and deleting GCP Workload Identity Federation configs and for using SSO client credentials when logging into OCM during provision/deprovision steps.

Key changes

  • New periodic job

    • Adds a periodic job osd-gcp-e2e-candidate-4-22 (cron "30 7 * * *") in ci-operator/config/openshift-online/rosa-e2e/openshift-online-rosa-e2e-main__periodics.yaml.
    • Job uses cluster_profile: rosa-e2e-03, CHANNEL_GROUP=candidate, CLUSTER_TOPOLOGY=osd-gcp, SUBSCRIPTION_TYPE=marketplace-gcp, OCM_LOGIN_ENV=staging, OPENSHIFT_VERSION="4.22", and runs the new rosa-e2e-osd-gcp workflow.
  • New workflow, WIF steps, refs, metadata and OWNERS

    • Adds rosa-e2e-osd-gcp workflow (ci-operator/step-registry/rosa/e2e/osd-gcp/rosa-e2e-osd-gcp-workflow.yaml) that provisions a GCP WIF config, creates an OSD GCP cluster (HOSTED_CP=false) with ENABLE_WIF enabled, runs rosa-e2e tests, and then best-effort gathers artifacts and performs teardown (cluster deprovision and WIF deprovision).
    • Adds provisioning and deprovisioning step implementations and refs for GCP WIF:
      • Provision: osd-ccs-gcp-wif-config-provision (creates WIF config, writes wif-config-id and wif-config-name to SHARED_DIR, writes artifact to ARTIFACT_DIR).
      • Deprovision: osd-ccs-gcp-wif-config-deprovision (reads SHARED_DIR/wif-config-id, deletes the WIF config if present, skips if absent).
      • Corresponding step-ref YAMLs and metadata JSON files added; resource requests and timeouts configured.
    • Adds OWNERS and metadata for the new workflow and WIF step directories (approvers/reviewers include tiwillia, dustman9000, bmeng, ravitri; WIF owners also list gdbranco and jfrazierredhat among approvers/reviewers).
  • Provisioning / deprovisioning authentication and WIF control

    • Provision and deprovision scripts now read ocm-token, sso-client-id, and sso-client-secret from ${CLUSTER_PROFILE_DIR} using non-fatal reads and support both login methods.
    • Authentication precedence: prefer ocm-token (offline token) if present; otherwise use SSO client-id + client-secret when both are present; if neither is available the step errors and exits.
    • Adds ENABLE_WIF environment variable (default "no") to the GCP provision step ref; when ENABLE_WIF="yes" the provision step expects SHARED_DIR/wif-config-id (produced by the WIF provision step) and passes --wif-config to ocm create cluster instead of using CCS service-account file.

Impact and rationale

  • Enables automated CI validation of GCP Marketplace subscription flows for OpenShift candidate 4.22 on OSD GCP.
  • Introduces explicit WIF create/delete steps so provisioning can use Workload Identity Federation instead of CCS service-account auth.
  • Makes OCM login flexible for environments that provide SSO client credentials while preserving token-based login precedence.
  • Review focus: confirm the authentication precedence and error behavior, verify the rosa-e2e-03 profile contains the required GCP credentials for marketplace runs, and validate WIF create/delete and best-effort teardown semantics for cleanup reliability.

Additional notes

  • Multiple OWNERS and metadata JSON files were added for the new workflow and step-registry paths.
  • The PR references Jira ROSAENG-1067; the openshift-ci-robot noted the Jira issue lacks a target version for the repository’s target branch (expected 5.0.0).

@openshift-ci-robot openshift-ci-robot added the jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. label May 18, 2026
@openshift-ci-robot
Contributor

openshift-ci-robot commented May 18, 2026

@bmeng: This pull request references ROSAENG-1067 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "5.0.0" version, but no target version was set.

Details

In response to this:

  1. Updating existing osd gcp provision/deprovision steps to support sso-client login
  2. Add new workflow for gcp-marketplace
  3. Add new 4.22 candidate job for gcp-marketplace with the new workflow by using rosa-e2e-03 profile which contains the gcp credentials

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@coderabbitai
Contributor

coderabbitai Bot commented May 18, 2026

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

  • @coderabbitai resume to resume automatic reviews.
  • @coderabbitai review to trigger a single review.

Walkthrough

Adds a new rosa-e2e-osd-gcp workflow, metadata, and OWNERS; schedules a new periodic job for OSD GCP (OpenShift 4.22); and updates provisioning/deprovisioning scripts to select OCM authentication via offline token or SSO credentials from CLUSTER_PROFILE_DIR.

Changes

ROSA E2E OSD GCP Test Pipeline

| Layer / File(s) | Summary |
| --- | --- |
| WIF provisioning step and refs: ci-operator/step-registry/osd-ccs/gcp/wif-config/provision/osd-ccs-gcp-wif-config-provision-commands.sh, ci-operator/step-registry/osd-ccs/gcp/wif-config/provision/osd-ccs-gcp-wif-config-provision-ref.yaml, ci-operator/step-registry/osd-ccs/gcp/wif-config/provision/OWNERS | Adds a WIF provision script and step ref that logs into OCM (token or SSO), creates a GCP WIF config, validates/extracts the ID, writes SHARED_DIR/wif-config-id/wif-config-name, and records output to artifacts; includes OWNERS. |
| WIF deprovision step and refs: ci-operator/step-registry/osd-ccs/gcp/wif-config/deprovision/osd-ccs-gcp-wif-config-deprovision-commands.sh, ci-operator/step-registry/osd-ccs/gcp/wif-config/deprovision/osd-ccs-gcp-wif-config-deprovision-ref.yaml, ci-operator/step-registry/osd-ccs/gcp/wif-config/deprovision/OWNERS | Adds a WIF deprovision script and step ref that logs into OCM (token or SSO), skips deletion when SHARED_DIR/wif-config-id is absent, and deletes the specified WIF config; includes OWNERS. |
| CCS GCP provision: ENABLE_WIF and auth switch: ci-operator/step-registry/osd-ccs/cluster/provision/gcp/osd-ccs-cluster-provision-gcp-commands.sh, ci-operator/step-registry/osd-ccs/cluster/provision/gcp/osd-ccs-cluster-provision-gcp-ref.yaml | Adds ENABLE_WIF (default no), conditional OCM login (token preferred, fallback to SSO, fail otherwise), reads SHARED_DIR/wif-config-id when enabled, and switches ocm create cluster to use --wif-config vs CCS service-account auth. |
| CCS cluster deprovision: conditional OCM auth: ci-operator/step-registry/osd-ccs/cluster/deprovision/osd-ccs-cluster-deprovision-commands.sh | Deprovision script now reads ocm-token, sso-client-id, and sso-client-secret from CLUSTER_PROFILE_DIR, selects token or SSO ocm login, and errors when neither credential source exists. |
| ROSA E2E OSD GCP workflow, metadata, OWNERS, and periodic job: ci-operator/step-registry/rosa/e2e/osd-gcp/rosa-e2e-osd-gcp-workflow.yaml, ci-operator/step-registry/rosa/e2e/osd-gcp/rosa-e2e-osd-gcp-workflow.metadata.json, ci-operator/step-registry/rosa/e2e/osd-gcp/OWNERS, ci-operator/config/openshift-online/rosa-e2e/openshift-online-rosa-e2e-main__periodics.yaml | Adds rosa-e2e-osd-gcp workflow (provision → rosa-e2e-test → best-effort gather → cluster and WIF teardown), owner metadata and OWNERS, and a periodic job osd-gcp-e2e-candidate-4-22 scheduled 30 7 * * * for OpenShift 4.22 using rosa-e2e-osd-gcp. |

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Possibly related PRs

  • openshift/release#79215: Aligns with other changes to ROSA E2E periodics and candidate-channel 4.22 job definitions.

Suggested labels

lgtm, rehearsals-ack

Suggested reviewers

  • gdbranco
  • ravitri
🚥 Pre-merge checks | ✅ 11 | ❌ 1

❌ Failed checks (1 warning)

| Check name | Status | Explanation | Resolution |
| --- | --- | --- | --- |
| Docstring Coverage | ⚠️ Warning | Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%. | Write docstrings for the functions missing them to satisfy the coverage threshold. |
✅ Passed checks (11 passed)
| Check name | Status | Explanation |
| --- | --- | --- |
| Title check | ✅ Passed | The title 'ROSAENG-1067: add gcp marketplace testing to rosa-e2e' accurately reflects the main changes: adding GCP marketplace testing support with WIF and new workflows to ROSA E2E. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Stable And Deterministic Test Names | ✅ Passed | No Ginkgo test code in this PR. It only adds CI/CD configuration files (YAML workflows, shell scripts, OWNERS files, metadata). Actual tests come from a container image, not defined here. |
| Test Structure And Quality | ✅ Passed | No Ginkgo test code found in this PR. All changes are CI/CD configuration files (YAML), shell scripts, JSON metadata, and OWNERS files. Custom check for test structure/quality is not applicable. |
| Microshift Test Compatibility | ✅ Passed | No Ginkgo e2e tests are added in this PR. Changes are CI configuration files (YAML workflows, shell scripts, JSON metadata, OWNERS) only. The rosa-e2e-test binary is pre-compiled and not modified. |
| Single Node Openshift (Sno) Test Compatibility | ✅ Passed | No new Ginkgo tests added. This PR modifies CI infrastructure (YAML workflows, job definitions, shell scripts) only. The rosa-e2e-test suite is pre-existing and containerized. |
| Topology-Aware Scheduling Compatibility | ✅ Passed | PR adds CI/CD test infrastructure (job configs, workflows, shell scripts) with no Kubernetes deployment manifests or pod scheduling constraints. Check is not applicable to CI infrastructure changes. |
| Ote Binary Stdout Contract | ✅ Passed | PR contains only CI config and shell scripts for infrastructure provisioning. No Go test code, OTE binaries, or process-level stdout writes that could violate the contract are present or modified. |
| Ipv6 And Disconnected Network Test Compatibility | ✅ Passed | No new Ginkgo e2e tests added in this PR. Changes are CI/CD infrastructure only (workflow configs, shell scripts for provisioning/deprovisioning, OWNERS files, and metadata). Check is not applicable. |
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |

Comment @coderabbitai help to get the list of available commands and usage tips.

@openshift-ci openshift-ci Bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label May 18, 2026
@openshift-ci openshift-ci Bot requested review from dgoodwin and gdbranco May 18, 2026 00:30
Contributor

@coderabbitai coderabbitai Bot left a comment

🧹 Nitpick comments (2)
ci-operator/step-registry/osd-ccs/cluster/deprovision/osd-ccs-cluster-deprovision-commands.sh (1)

11-23: ⚡ Quick win

Wrap credential handling with set +x to prevent potential log exposure.

Same pattern as the provision script—sensitive credential operations should be wrapped with tracing protection.

🛡️ Proposed defensive fix
 # Log in
 OCM_VERSION=$(ocm version)
+{ set +x; } 2>/dev/null
 SSO_CLIENT_ID=$(cat "${CLUSTER_PROFILE_DIR}/sso-client-id" 2>/dev/null || true)
 SSO_CLIENT_SECRET=$(cat "${CLUSTER_PROFILE_DIR}/sso-client-secret" 2>/dev/null || true)
 OCM_TOKEN=$(cat "${CLUSTER_PROFILE_DIR}/ocm-token" 2>/dev/null || true)
 if [[ -n "${SSO_CLIENT_ID}" && -n "${SSO_CLIENT_SECRET}" ]]; then
   echo "Logging into ${OCM_LOGIN_ENV} with SSO credentials using ocm cli ${OCM_VERSION}"
   ocm login --url "${OCM_LOGIN_ENV}" --client-id "${SSO_CLIENT_ID}" --client-secret "${SSO_CLIENT_SECRET}"
 elif [[ -n "${OCM_TOKEN}" ]]; then
   echo "Logging into ${OCM_LOGIN_ENV} with offline token using ocm cli ${OCM_VERSION}"
   ocm login --url "${OCM_LOGIN_ENV}" --token "${OCM_TOKEN}"
 else
   echo "Cannot login! You need to securely supply SSO credentials or an ocm-token!"
   exit 1
 fi
+set -x 2>/dev/null || true
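
Review bot: The closing `set -x 2>/dev/null || true` on the last added line turns tracing on unconditionally, so a script that was running with tracing off will trace everything after the login block. The guideline quoted for this change asks for save/restore: record whether `$-` contains `x` before the added `{ set +x; } 2>/dev/null` and re-enable tracing afterwards only if it was on.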

As per coding guidelines: "Use set +x and save/restore tracing state when handling passwords, tokens, or sensitive URLs in step registry scripts to prevent credential leakage in CI logs"

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In
`@ci-operator/step-registry/osd-ccs/cluster/deprovision/osd-ccs-cluster-deprovision-commands.sh`
around lines 11 - 23, Wrap the sensitive credential reads and ocm login calls
with tracing disabled: before reading SSO_CLIENT_ID/SSO_CLIENT_SECRET/OCM_TOKEN
and before invoking the ocm login commands, save the current xtrace state, run
set +x to disable tracing, perform the cat reads and the ocm login invocation(s)
that use SSO_CLIENT_ID, SSO_CLIENT_SECRET or OCM_TOKEN, then restore the
original tracing state; apply this around both the SSO branch (ocm login
--client-id/--client-secret) and the token branch (ocm login --token) so the
sensitive values are never echoed to CI logs.
ci-operator/step-registry/osd-ccs/cluster/provision/gcp/osd-ccs-cluster-provision-gcp-commands.sh (1)

148-160: ⚡ Quick win

Wrap credential handling with set +x to prevent potential log exposure.

Per coding guidelines, sensitive data operations (reading tokens/secrets and passing them to commands) should be wrapped with tracing protection to prevent credential leakage if set -x is enabled for debugging or by the CI environment.

🛡️ Proposed defensive fix
 # Log in
 OCM_VERSION=$(ocm version)
+{ set +x; } 2>/dev/null
 SSO_CLIENT_ID=$(cat "${CLUSTER_PROFILE_DIR}/sso-client-id" 2>/dev/null || true)
 SSO_CLIENT_SECRET=$(cat "${CLUSTER_PROFILE_DIR}/sso-client-secret" 2>/dev/null || true)
 OCM_TOKEN=$(cat "${CLUSTER_PROFILE_DIR}/ocm-token" 2>/dev/null || true)
 if [[ -n "${SSO_CLIENT_ID}" && -n "${SSO_CLIENT_SECRET}" ]]; then
   logger "INFO" "Logging into ${OCM_LOGIN_ENV} with SSO credentials using ocm cli ${OCM_VERSION}"
   ocm login --url "${OCM_LOGIN_ENV}" --client-id "${SSO_CLIENT_ID}" --client-secret "${SSO_CLIENT_SECRET}"
 elif [[ -n "${OCM_TOKEN}" ]]; then
   logger "INFO" "Logging into ${OCM_LOGIN_ENV} with offline token using ocm cli ${OCM_VERSION}"
   ocm login --url "${OCM_LOGIN_ENV}" --token "${OCM_TOKEN}"
 else
   logger "ERROR" "Cannot login! You need to securely supply SSO credentials or an ocm-token!"
   exit 1
 fi
+set -x 2>/dev/null || true
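
Review bot: The context lines test `SSO_CLIENT_ID` and `SSO_CLIENT_SECRET` in the `if` and `OCM_TOKEN` only in the `elif`, so a profile that holds both logs in with SSO, while the PR summary and walkthrough describe the offline token as preferred with SSO as the fallback. Swap the two branches or correct the description so they agree. The trailing `set -x 2>/dev/null || true` also forces tracing on instead of restoring the earlier state.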

As per coding guidelines: "Use set +x and save/restore tracing state when handling passwords, tokens, or sensitive URLs in step registry scripts to prevent credential leakage in CI logs"

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In
`@ci-operator/step-registry/osd-ccs/cluster/provision/gcp/osd-ccs-cluster-provision-gcp-commands.sh`
around lines 148 - 160, The credential reads and ocm login calls (SSO_CLIENT_ID,
SSO_CLIENT_SECRET, OCM_TOKEN and the ocm login invocations) must be executed
with shell tracing disabled to avoid leaking secrets; save the current xtrace
state, run set +x before reading files from CLUSTER_PROFILE_DIR and before
invoking ocm login (both SSO and token branches), then restore the original
xtrace state afterward; keep the logger messages and exit logic unchanged and
ensure the save/restore handles both enabled and disabled trace states so
tracing is restored exactly as it was before.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 634399c0-f1f1-490d-a4e6-588c176d88b0

📥 Commits

Reviewing files that changed from the base of the PR and between 16e4c03 and 150752b.

📒 Files selected for processing (4)
  • ci-operator/config/openshift-online/rosa-e2e/openshift-online-rosa-e2e-main__periodics.yaml
  • ci-operator/step-registry/osd-ccs/cluster/deprovision/osd-ccs-cluster-deprovision-commands.sh
  • ci-operator/step-registry/osd-ccs/cluster/provision/gcp/osd-ccs-cluster-provision-gcp-commands.sh
  • ci-operator/step-registry/rosa/e2e/osd-gcp/rosa-e2e-osd-gcp-workflow.yaml

@bmeng bmeng force-pushed the gcpwif-e2e branch 2 times, most recently from 0d55994 to 1d6eeb8 Compare May 18, 2026 00:49
Contributor

@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In
`@ci-operator/step-registry/osd-ccs/cluster/provision/gcp/osd-ccs-cluster-provision-gcp-commands.sh`:
- Around line 148-160: This code exposes sensitive values (OCM_TOKEN,
SSO_CLIENT_ID, SSO_CLIENT_SECRET and the ocm login URL) if shell tracing is
enabled; wrap the credential-reading and ocm login sequence with saved/restored
xtrace state: capture current tracing state, disable tracing (set +x) while
reading the files and invoking ocm login (the block referencing OCM_TOKEN,
SSO_CLIENT_ID, SSO_CLIENT_SECRET, ocm login and logger), then restore the
original tracing state immediately after to avoid leaking secrets in CI logs.
ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 340ac11c-2010-4e6c-a84d-3dbe8747427d

📥 Commits

Reviewing files that changed from the base of the PR and between 0d55994 and 1d6eeb8.

⛔ Files ignored due to path filters (1)
  • ci-operator/jobs/openshift-online/rosa-e2e/openshift-online-rosa-e2e-main-periodics.yaml is excluded by !ci-operator/jobs/**
📒 Files selected for processing (6)
  • ci-operator/config/openshift-online/rosa-e2e/openshift-online-rosa-e2e-main__periodics.yaml
  • ci-operator/step-registry/osd-ccs/cluster/deprovision/osd-ccs-cluster-deprovision-commands.sh
  • ci-operator/step-registry/osd-ccs/cluster/provision/gcp/osd-ccs-cluster-provision-gcp-commands.sh
  • ci-operator/step-registry/rosa/e2e/osd-gcp/OWNERS
  • ci-operator/step-registry/rosa/e2e/osd-gcp/rosa-e2e-osd-gcp-workflow.metadata.json
  • ci-operator/step-registry/rosa/e2e/osd-gcp/rosa-e2e-osd-gcp-workflow.yaml
✅ Files skipped from review due to trivial changes (2)
  • ci-operator/step-registry/rosa/e2e/osd-gcp/OWNERS
  • ci-operator/step-registry/rosa/e2e/osd-gcp/rosa-e2e-osd-gcp-workflow.metadata.json
🚧 Files skipped from review as they are similar to previous changes (3)
  • ci-operator/step-registry/rosa/e2e/osd-gcp/rosa-e2e-osd-gcp-workflow.yaml
  • ci-operator/step-registry/osd-ccs/cluster/deprovision/osd-ccs-cluster-deprovision-commands.sh
  • ci-operator/config/openshift-online/rosa-e2e/openshift-online-rosa-e2e-main__periodics.yaml

@bmeng
Contributor Author

bmeng commented May 18, 2026

/pj-rehearse periodic-ci-openshift-online-rosa-e2e-main-periodics-osd-gcp-e2e-candidate-4-22

@openshift-merge-bot
Contributor

@bmeng: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

@bmeng bmeng force-pushed the gcpwif-e2e branch 2 times, most recently from 9799106 to da7c9a6 Compare May 18, 2026 01:57
@bmeng
Contributor Author

bmeng commented May 18, 2026

/pj-rehearse periodic-ci-openshift-online-rosa-e2e-main-periodics-osd-gcp-e2e-candidate-4-22

@openshift-merge-bot
Contributor

@bmeng: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

Contributor

@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 2

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
ci-operator/step-registry/osd-ccs/cluster/provision/gcp/osd-ccs-cluster-provision-gcp-ref.yaml (1)

64-66: ⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Update step docs to reflect SSO login support.

The documentation still says the cluster profile should include only ocm-token, but the script now supports either offline token or SSO client credentials. This mismatch can mislead step consumers.

Suggested fix
   documentation: |-
-    Using ocm cli to create an osd ccs GCP cluster with the provided cluster profile. The cluster profile should include the offline token ocm-token to login.
+    Using ocm cli to create an osd ccs GCP cluster with the provided cluster profile.
+    The cluster profile must include either ocm-token or both sso-client-id and sso-client-secret for login.
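
Review bot: The added documentation line names `ocm-token` or the `sso-client-id` and `sso-client-secret` pair but does not say which one is used when a profile carries both. State the precedence in the documentation text so step consumers can tell which identity the job logs in with.
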
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In
`@ci-operator/step-registry/osd-ccs/cluster/provision/gcp/osd-ccs-cluster-provision-gcp-ref.yaml`
around lines 64 - 66, The documentation YAML block under the documentation key
currently states the cluster profile should include only `ocm-token`; update
that text to reflect the script now accepts either an offline token
(`ocm-token`) or SSO client credentials (e.g., `sso_client_id` and
`sso_client_secret` or the specific SSO fields your step expects) for login;
locate the documentation string (the documentation: |- block) and edit the
sentence to mention both supported authentication methods and any required field
names/format so consumers know they can use offline token or SSO client
credentials.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In
`@ci-operator/step-registry/osd-ccs/gcp/wif-config/deprovision/osd-ccs-gcp-wif-config-deprovision-commands.sh`:
- Around line 16-29: Wrap reading of OCM_TOKEN/SSO_CLIENT_ID/SSO_CLIENT_SECRET
and the subsequent ocm login calls with a saved xtrace state: capture current
xtrace with e.g. old_xtrace=$(set -o | grep xtrace) or check "$-" for x, disable
tracing (set +x), perform the sensitive reads and both ocm login branches (the
blocks using OCM_TOKEN, SSO_CLIENT_ID, SSO_CLIENT_SECRET and the ocm login
calls), then restore the original tracing state (re-enable set -x only if it was
previously enabled). Ensure you reference the existing variables OCM_TOKEN,
SSO_CLIENT_ID, SSO_CLIENT_SECRET and the ocm login branches so the
save/disable/restore wraps exactly those operations.

In
`@ci-operator/step-registry/osd-ccs/gcp/wif-config/provision/osd-ccs-gcp-wif-config-provision-commands.sh`:
- Around line 16-29: The ocm login block (checking OCM_TOKEN,
SSO_CLIENT_ID/SSO_CLIENT_SECRET and calling ocm login) does not protect
sensitive values from shell xtrace; wrap the sections that read and use
OCM_TOKEN/SSO_CLIENT_SECRET in code that saves the current xtrace state,
disables tracing (set +x) before reading/using secrets and then restores the
original tracing state afterward so tokens/secrets are never printed in CI logs;
apply this around the branches that call ocm login (references: OCM_TOKEN,
SSO_CLIENT_ID, SSO_CLIENT_SECRET, and the ocm login calls).

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 0d4bf12c-d781-44cc-8566-72fdd569259b

📥 Commits

Reviewing files that changed from the base of the PR and between 1d6eeb8 and 9799106.

⛔ Files ignored due to path filters (1)
  • ci-operator/jobs/openshift-online/rosa-e2e/openshift-online-rosa-e2e-main-periodics.yaml is excluded by !ci-operator/jobs/**
📒 Files selected for processing (14)
  • ci-operator/config/openshift-online/rosa-e2e/openshift-online-rosa-e2e-main__periodics.yaml
  • ci-operator/step-registry/osd-ccs/cluster/deprovision/osd-ccs-cluster-deprovision-commands.sh
  • ci-operator/step-registry/osd-ccs/cluster/provision/gcp/osd-ccs-cluster-provision-gcp-commands.sh
  • ci-operator/step-registry/osd-ccs/cluster/provision/gcp/osd-ccs-cluster-provision-gcp-ref.yaml
  • ci-operator/step-registry/osd-ccs/gcp/wif-config/OWNERS
  • ci-operator/step-registry/osd-ccs/gcp/wif-config/deprovision/OWNERS
  • ci-operator/step-registry/osd-ccs/gcp/wif-config/deprovision/osd-ccs-gcp-wif-config-deprovision-commands.sh
  • ci-operator/step-registry/osd-ccs/gcp/wif-config/deprovision/osd-ccs-gcp-wif-config-deprovision-ref.yaml
  • ci-operator/step-registry/osd-ccs/gcp/wif-config/provision/OWNERS
  • ci-operator/step-registry/osd-ccs/gcp/wif-config/provision/osd-ccs-gcp-wif-config-provision-commands.sh
  • ci-operator/step-registry/osd-ccs/gcp/wif-config/provision/osd-ccs-gcp-wif-config-provision-ref.yaml
  • ci-operator/step-registry/rosa/e2e/osd-gcp/OWNERS
  • ci-operator/step-registry/rosa/e2e/osd-gcp/rosa-e2e-osd-gcp-workflow.metadata.json
  • ci-operator/step-registry/rosa/e2e/osd-gcp/rosa-e2e-osd-gcp-workflow.yaml
✅ Files skipped from review due to trivial changes (4)
  • ci-operator/step-registry/osd-ccs/gcp/wif-config/deprovision/OWNERS
  • ci-operator/step-registry/osd-ccs/gcp/wif-config/provision/OWNERS
  • ci-operator/step-registry/osd-ccs/gcp/wif-config/OWNERS
  • ci-operator/step-registry/rosa/e2e/osd-gcp/rosa-e2e-osd-gcp-workflow.metadata.json
🚧 Files skipped from review as they are similar to previous changes (4)
  • ci-operator/config/openshift-online/rosa-e2e/openshift-online-rosa-e2e-main__periodics.yaml
  • ci-operator/step-registry/rosa/e2e/osd-gcp/OWNERS
  • ci-operator/step-registry/osd-ccs/cluster/deprovision/osd-ccs-cluster-deprovision-commands.sh
  • ci-operator/step-registry/rosa/e2e/osd-gcp/rosa-e2e-osd-gcp-workflow.yaml
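
The token-first login precedence from the PR summary and the save/restore xtrace handling requested in the review comments, combined as an added example (not code from the PR or from openshift/release). The function names and the `OCM_BIN` override are assumptions; the self-check uses a constructed profile and a stub in place of the `ocm` CLI.

```shell
#!/bin/sh
# Added example, not code from the PR. Function names and OCM_BIN are
# hypothetical; the `ocm login` flags and the three profile file names
# are the ones shown on the page.

OCM_BIN=${OCM_BIN:-ocm}   # overridable so the logic can run against a stub

# Run "$@" with xtrace off, then restore tracing exactly as the caller had it.
without_xtrace() {
  local was_on rc
  was_on=0
  case "$-" in *x*) was_on=1 ;; esac
  { set +x; } 2>/dev/null          # also hides the trace line of `set +x`
  rc=0
  "$@" || rc=$?
  if [ "$was_on" -eq 1 ]; then set -x; fi
  return "$rc"
}

# Login with the precedence the PR summary states: offline token first, then
# the SSO client-id/secret pair, otherwise fail. Records OCM_AUTH_METHOD.
ocm_login_unprotected() {
  local dir url token id secret
  dir=$1
  url=$2
  token=$(cat "$dir/ocm-token" 2>/dev/null || true)
  id=$(cat "$dir/sso-client-id" 2>/dev/null || true)
  secret=$(cat "$dir/sso-client-secret" 2>/dev/null || true)
  if [ -n "$token" ]; then
    OCM_AUTH_METHOD=token
    "$OCM_BIN" login --url "$url" --token "$token"
  elif [ -n "$id" ] && [ -n "$secret" ]; then
    OCM_AUTH_METHOD=sso
    "$OCM_BIN" login --url "$url" --client-id "$id" --client-secret "$secret"
  else
    OCM_AUTH_METHOD=none
    echo "Cannot login: need ocm-token, or sso-client-id and sso-client-secret" >&2
    return 1
  fi
}

# Same login, with the credential reads and the CLI call kept out of the trace.
ocm_login() {
  without_xtrace ocm_login_unprotected "$@"
}

# Self-check on a constructed profile: run the named login function under
# `set -x` with a stub CLI and return 0 if the constructed token appears in
# the captured trace, 1 if it does not.
trace_contains_secret() {
  local login_fn dir secret trace
  login_fn=$1
  secret="constructed-token-not-a-real-credential"
  dir=$(mktemp -d)
  printf '%s' "$secret" > "$dir/ocm-token"
  # stderr (the trace) is captured; stdout is discarded. `true` is the stub.
  trace=$( { OCM_BIN=true; set -x; "$login_fn" "$dir" staging; } 2>&1 >/dev/null ) || true
  rm -rf "$dir"
  case "$trace" in
    *"$secret"*) return 0 ;;
    *) return 1 ;;
  esac
}
```

Disabling xtrace keeps the values out of the job log only; `--token` and `--client-secret` still appear in the process argument list while `ocm login` runs.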

@bmeng
Contributor Author

bmeng commented May 18, 2026

/pj-rehearse periodic-ci-openshift-online-rosa-e2e-main-periodics-osd-gcp-e2e-candidate-4-22

@openshift-merge-bot
Contributor

@bmeng: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

@bmeng
Contributor Author

bmeng commented May 18, 2026

/pj-rehearse periodic-ci-openshift-online-rosa-e2e-main-periodics-osd-gcp-e2e-candidate-4-22

@openshift-merge-bot
Contributor

@bmeng: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

@bmeng
Contributor Author

bmeng commented May 18, 2026

/pj-rehearse periodic-ci-openshift-online-rosa-e2e-main-periodics-osd-gcp-e2e-candidate-4-22

@openshift-merge-bot
Contributor

@bmeng: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

@bmeng
Contributor Author

bmeng commented May 18, 2026

/pj-rehearse periodic-ci-openshift-online-rosa-e2e-main-periodics-osd-gcp-e2e-candidate-4-22

@openshift-merge-bot
Contributor

@bmeng: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

@bmeng
Contributor Author

bmeng commented May 18, 2026

/pj-rehearse periodic-ci-openshift-online-rosa-e2e-main-periodics-osd-gcp-e2e-candidate-4-22

@openshift-merge-bot
Contributor

@bmeng: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

@bmeng
Contributor Author

bmeng commented May 18, 2026

/pj-rehearse periodic-ci-openshift-online-rosa-e2e-main-periodics-osd-gcp-e2e-candidate-4-22

@openshift-merge-bot
Contributor

@bmeng: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

@openshift-merge-bot
Contributor

[REHEARSALNOTIFIER]
@bmeng: the pj-rehearse plugin accommodates running rehearsal tests for the changes in this PR. Expand 'Interacting with pj-rehearse' for usage details. The following rehearsable tests have been affected by this change:

| Test name | Repo | Type | Reason |
| --- | --- | --- | --- |
| pull-ci-openshift-online-rosa-e2e-main-periodics-images | openshift-online/rosa-e2e | presubmit | Ci-operator config changed |
| periodic-ci-openshift-openshift-tests-private-release-4.21-amd64-nightly-gcp-ocm-osd-ccs-marketplace-f14 | N/A | periodic | Registry content changed |
| periodic-ci-openshift-openshift-tests-private-release-4.21-amd64-nightly-gcp-ocm-osd-ccs-f14 | N/A | periodic | Registry content changed |
| periodic-ci-openshift-release-main-nightly-4.20-e2e-osd-ccs-gcp | N/A | periodic | Registry content changed |
| periodic-ci-openshift-online-rosa-e2e-main-periodics-rosa-classic-sts-e2e-stable-4-20 | N/A | periodic | Ci-operator config changed |
| periodic-ci-openshift-openshift-tests-private-release-4.21-amd64-stable-gcp-ocm-osd-ccs-marketplace-f999 | N/A | periodic | Registry content changed |
| periodic-ci-openshift-online-rosa-e2e-main-periodics-rosa-hcp-e2e-stable-4-21 | N/A | periodic | Ci-operator config changed |
| periodic-ci-openshift-openshift-tests-private-release-4.19-amd64-stable-gcp-ocm-osd-ccs-xpn-private-marketplace-f999 | N/A | periodic | Registry content changed |
| periodic-ci-openshift-openshift-tests-private-release-4.20-amd64-nightly-gcp-ocm-osd-ccs-f14 | N/A | periodic | Registry content changed |
| periodic-ci-openshift-openshift-tests-private-release-5.0-amd64-nightly-gcp-ocm-osd-ccs-marketplace-f7 | N/A | periodic | Registry content changed |
| periodic-ci-openshift-openshift-tests-private-release-4.22-amd64-nightly-gcp-ocm-osd-ccs-xpn-marketplace-f7 | N/A | periodic | Registry content changed |
| periodic-ci-openshift-openshift-tests-private-release-4.22-amd64-nightly-aws-ocm-osd-ccs-f7 | N/A | periodic | Registry content changed |
| periodic-ci-openshift-release-main-nightly-4.21-e2e-osd-ccs-gcp | N/A | periodic | Registry content changed |
| periodic-ci-openshift-openshift-tests-private-release-5.0-amd64-nightly-gcp-ocm-osd-ccs-f7 | N/A | periodic | Registry content changed |
| periodic-ci-quay-quay-tests-master-quay-osd-ocp-quay-e2e-tests-quay313-osd-ocp419 | N/A | periodic | Registry content changed |
| periodic-ci-openshift-openshift-tests-private-release-4.20-amd64-nightly-gcp-ocm-osd-ccs-xpn-marketplace-f14 | N/A | periodic | Registry content changed |
| periodic-ci-openshift-release-main-nightly-5.0-e2e-osd-ccs-gcp | N/A | periodic | Registry content changed |
| periodic-ci-openshift-openshift-tests-private-release-4.22-amd64-stable-gcp-ocm-osd-ccs-xpn-f999 | N/A | periodic | Registry content changed |
| periodic-ci-openshift-openshift-tests-private-release-4.19-amd64-stable-gcp-ocm-osd-ccs-xpn-f999 | N/A | periodic | Registry content changed |
| periodic-ci-openshift-openshift-tests-private-release-4.22-amd64-nightly-gcp-ocm-osd-ccs-f7 | N/A | periodic | Registry content changed |
| periodic-ci-openshift-openshift-tests-private-release-4.20-amd64-stable-gcp-ocm-osd-ccs-marketplace-f999 | N/A | periodic | Registry content changed |
| periodic-ci-openshift-openshift-tests-private-release-5.0-amd64-nightly-gcp-ocm-osd-ccs-xpn-private-f7 | N/A | periodic | Registry content changed |
| periodic-ci-quay-quay-tests-master-quay-osd-ocp-quay-e2e-tests-quay312-osd-ocp419 | N/A | periodic | Registry content changed |
| periodic-ci-openshift-release-main-nightly-4.22-e2e-osd-ccs-gcp | N/A | periodic | Registry content changed |
| periodic-ci-openshift-openshift-tests-private-release-5.0-amd64-nightly-aws-ocm-osd-ccs-f7 | N/A | periodic | Registry content changed |

A total of 58 jobs have been affected by this change. The above listing is non-exhaustive and limited to 25 jobs.

A full list of affected jobs can be found here

Interacting with pj-rehearse

Comment: /pj-rehearse to run up to 5 rehearsals
Comment: /pj-rehearse skip to opt-out of rehearsals
Comment: /pj-rehearse {test-name}, with each test separated by a space, to run one or more specific rehearsals
Comment: /pj-rehearse more to run up to 10 rehearsals
Comment: /pj-rehearse max to run up to 25 rehearsals
Comment: /pj-rehearse auto-ack to run up to 5 rehearsals, and add the rehearsals-ack label on success
Comment: /pj-rehearse list to get an up-to-date list of affected jobs
Comment: /pj-rehearse abort to abort all active rehearsals
Comment: /pj-rehearse network-access-allowed to allow rehearsals of tests that have the restrict_network_access field set to false. This must be executed by an openshift org member who is not the PR author

Once you are satisfied with the results of the rehearsals, comment: /pj-rehearse ack to unblock merge. When the rehearsals-ack label is present on your PR, merge will no longer be blocked by rehearsals.
If you would like the rehearsals-ack label removed, comment: /pj-rehearse reject to re-block merging.

@bmeng
Contributor Author

bmeng commented May 18, 2026

/pj-rehearse periodic-ci-openshift-release-main-nightly-4.20-e2e-osd-ccs-gcp

@openshift-merge-bot
Contributor

@bmeng: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

Contributor

Please add myself and @miguelhbrito to the list of reviewers and approvers.

@dustman9000
Member

/lgtm
/pj-rehearse ack

@openshift-ci Bot added the lgtm label ("Indicates that a PR is ready to be merged.") on May 18, 2026

@openshift-merge-bot
Contributor

@dustman9000: your /pj-rehearse request was not processed because the request waited in queue for longer than 5 minutes. Please retry in a few minutes.

@dustman9000
Member

/retest rehearse-79383-periodic-ci-openshift-release-main-nightly-4.20-e2e-osd-ccs-gcp

@openshift-ci
Contributor

openshift-ci Bot commented May 18, 2026

@dustman9000: The /retest command does not accept any targets.
The following commands are available to trigger required jobs:

/test boskos-config
/test boskos-config-generation
/test check-gh-automation
/test check-gh-automation-tide
/test check-trigger-trusted-apps
/test ci-operator-config
/test ci-operator-config-metadata
/test ci-operator-registry
/test ci-secret-bootstrap-config-validation
/test ci-testgrid-allow-list
/test clusterimageset-validate
/test config
/test core-valid
/test generated-config
/test generated-dashboards
/test image-mirroring-config-validation
/test jira-lifecycle-config
/test labels
/test openshift-image-mirror-mappings
/test ordered-prow-config
/test owners
/test pr-reminder-config
/test prow-config
/test prow-config-filenames
/test prow-config-semantics
/test pylint
/test release-config
/test release-controller-config
/test rover-groups-config-validation
/test secret-generator-config-valid
/test services-valid
/test stackrox-stackrox-stackrox-stackrox-check
/test step-registry-metadata
/test step-registry-shellcheck
/test sync-rover-groups
/test verified-config
/test yamllint

The following commands are available to trigger optional jobs:

/test check-cluster-profiles-config

Use /test all to run the following jobs that were automatically triggered:

pull-ci-openshift-release-check-gh-automation
pull-ci-openshift-release-main-ci-operator-config
pull-ci-openshift-release-main-ci-operator-config-metadata
pull-ci-openshift-release-main-ci-operator-registry
pull-ci-openshift-release-main-config
pull-ci-openshift-release-main-core-valid
pull-ci-openshift-release-main-generated-config
pull-ci-openshift-release-main-ordered-prow-config
pull-ci-openshift-release-main-owners
pull-ci-openshift-release-main-prow-config-filenames
pull-ci-openshift-release-main-prow-config-semantics
pull-ci-openshift-release-main-release-controller-config
pull-ci-openshift-release-main-step-registry-metadata
pull-ci-openshift-release-main-step-registry-shellcheck
pull-ci-openshift-release-openshift-image-mirror-mappings
pull-ci-openshift-release-yamllint
Details

In response to this:

/retest rehearse-79383-periodic-ci-openshift-release-main-nightly-4.20-e2e-osd-ccs-gcp

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@dustman9000
Member

/pj-rehearse periodic-ci-openshift-release-main-nightly-4.20-e2e-osd-ccs-gcp

@openshift-merge-bot
Contributor

@dustman9000: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

@dustman9000
Member

/lgtm
/pj-rehearse ack

@openshift-merge-bot
Contributor

@dustman9000: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

@openshift-merge-bot Bot added the rehearsals-ack label ("Signifies that rehearsal jobs have been acknowledged") on May 18, 2026

@openshift-ci
Contributor

openshift-ci Bot commented May 18, 2026

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: bmeng, dustman9000

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-merge-bot Bot merged commit 4a22f4c into openshift:main on May 18, 2026
16 of 20 checks passed

Labels

  • approved: Indicates a PR has been approved by an approver from all required OWNERS files.
  • jira/valid-reference: Indicates that this PR references a valid Jira ticket of any type.
  • lgtm: Indicates that a PR is ready to be merged.
  • rehearsals-ack: Signifies that rehearsal jobs have been acknowledged

4 participants