OCM-24478 | ci: add ROSA changelog tag job#79632

Open
olucasfreitas wants to merge 1 commit into openshift:main from olucasfreitas:OCM-24478-git-cliff-changelog

@olucasfreitas
Contributor

@olucasfreitas olucasfreitas commented May 21, 2026

Summary

  • add a ROSA ci-operator target that runs the new changelog PR helper from the repository checkout
  • add a stable-tag postsubmit job that invokes the target after stable tags are pushed
  • mount the GitHub credential secret into the job so the changelog helper can push a review branch and open a PR

Why

ROSA is adding a historical CHANGELOG.md that should be updated after stable tags, but all automation for this flow needs to remain on Prow rather than moving into GitHub Actions.

Testing

  • python3 YAML parse for ci-operator/config/openshift/rosa/openshift-rosa-master.yaml
  • python3 YAML parse for ci-operator/jobs/openshift/rosa/openshift-rosa-master-postsubmits.yaml
  • git diff --check

Notes

  • This PR depends on the companion openshift/rosa change at OCM-24478 | chore: add historical changelog automation rosa#3245.
  • The tag job uses the existing github-credentials-openshift-ci-robot-private-git-cloner secret. If that token does not have the required write scope for branch push / PR creation, the job wiring will need a follow-up secret update.

Summary by CodeRabbit

This change adds OpenShift CI (ci-operator / Prow) automation so the openshift/rosa repository can maintain a historical CHANGELOG.md from Prow after stable tags.

What changed (practical terms)

  • Adds a new ci-operator postsubmit target named changelog-history in ci-operator/config/openshift/rosa/openshift-rosa-master.yaml. The target:
    • unsets GOFLAGS, exports GITHUB_TOKEN from /tmp/github/oauth, ensures jq is present (installs via dnf if missing), and runs make changelog-pr from the repository checkout.
    • mounts the existing secret github-credentials-openshift-ci-robot-private-git-cloner at /tmp/github so the helper can push review branches and open PRs.
  • Adds a generated Prow postsubmit job (branch-ci-openshift-rosa-master-changelog-history) in ci-operator/jobs/openshift/rosa/openshift-rosa-master-postsubmits.yaml that invokes ci-operator --target=changelog-history after changes to master/stable tags. The pod mounts the same GitHub credential secret (and exposes its oauth key path) so the job can push branches / create PRs.
  • Job-generation fixes: the changelog target is explicitly declared as a postsubmit (avoiding an unexpected presubmit), the stable-tag postsubmit name was aligned with Prow branch-regex semantics, and the generated master postsubmit is kept in sync with the ci-operator config while preserving the manually wired stable-tag job.

Impact / rationale

  • Moves ROSA changelog automation from GitHub Actions to OpenShift CI so CHANGELOG.md updates run in Prow after stable tags are pushed.
  • The job will attempt to push a review branch and open a PR using the mounted GitHub token.

Testing performed

  • YAML parsing of ci-operator/config/openshift/rosa/openshift-rosa-master.yaml and ci-operator/jobs/openshift/rosa/openshift-rosa-master-postsubmits.yaml.
  • git diff --check.

Notes / follow-ups

  • Requires a companion change in the rosa repository.
  • If the mounted GitHub token does not have write scope for branch pushes / PR creation, a secret update will be needed.

@coderabbitai
Contributor

coderabbitai Bot commented May 21, 2026

Walkthrough

A postsubmit Prow job changelog-history was added to ROSA master CI config; it runs in the src container, unsets GOFLAGS, sets GITHUB_TOKEN from /tmp/github/oauth, installs jq if missing, and executes make changelog-pr.

Changes

Changelog History Job

Layer / File(s) | Summary
changelog-history job definition (ci-operator/config/openshift/rosa/openshift-rosa-master.yaml) | Adds a postsubmit Prow job changelog-history that runs make changelog-pr in the src container, unsets GOFLAGS, sets GITHUB_TOKEN from /tmp/github/oauth, conditionally installs jq via dnf, and mounts the github-credentials-openshift-ci-robot-private-git-cloner secret at /tmp/github.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Suggested labels

lgtm

🚥 Pre-merge checks | ✅ 12
✅ Passed checks (12 passed)
Check name | Status | Explanation
Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled.
Title check | ✅ Passed | The title clearly identifies the main change: adding a ROSA changelog tag job to CI. It is specific, concise, and accurately summarizes the primary modification in the changeset.
Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names | ✅ Passed | PR modifies only YAML configuration files. No Go test files or Ginkgo test syntax present. Custom check for stable test names is not applicable to this PR.
Test Structure And Quality | ✅ Passed | The Ginkgo test code quality check is not applicable. This PR modifies only YAML CI/CD configuration files, not test code.
Microshift Test Compatibility | ✅ Passed | This PR adds Prow CI job configurations for ROSA, not Ginkgo e2e tests. The MicroShift Test Compatibility check only applies when new Ginkgo tests are added, which is not the case here.
Single Node Openshift (Sno) Test Compatibility | ✅ Passed | This PR adds a Prow CI job for changelog generation, not Ginkgo e2e tests. The SNO compatibility check is not applicable since no e2e tests are being added.
Topology-Aware Scheduling Compatibility | ✅ Passed | PR adds a Prow CI job definition, not deployment manifests or operator code. Topology-aware scheduling check applies only to workloads that run on OpenShift, not CI infrastructure configurations.
Ote Binary Stdout Contract | ✅ Passed | PR modifies only YAML Prow job configs, not OTE test binaries. OTE stdout contract check applies to Go test code, not CI configuration.
Ipv6 And Disconnected Network Test Compatibility | ✅ Passed | PR adds CI/Prow configuration files, not Ginkgo e2e tests. No test files with It(), Describe(), Context(), When() patterns found in the PR. Check is not applicable.

@openshift-ci
Contributor

openshift-ci Bot commented May 21, 2026

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: olucasfreitas

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci openshift-ci Bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label May 21, 2026
@openshift-ci openshift-ci Bot requested review from amandahla and robpblake May 21, 2026 18:52
@openshift-merge-bot openshift-merge-bot Bot added the rehearsals-ack Signifies that rehearsal jobs have been acknowledged label May 21, 2026
Contributor

@coderabbitai coderabbitai Bot left a comment

🧹 Nitpick comments (1)
ci-operator/config/openshift/rosa/openshift-rosa-master.yaml (1)

66-68: ⚖️ Poor tradeoff

Consider ensuring jq is available in the base image rather than installing at runtime.

Installing packages at runtime via dnf adds latency to every job execution and creates an external dependency on package repositories. Best practice for CI jobs is to ensure required tools are present in the base container image.

Consider one of these approaches:

  • Request that jq be added to the rhel-9-golang-1.25-openshift-4.22 builder image
  • Use a different base image that includes jq
  • Accept this pattern if the base image is outside your control and resilience to image changes is preferred
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@ci-operator/config/openshift/rosa/openshift-rosa-master.yaml` around lines 66
- 68, The current runtime-install snippet (the if block checking `command -v jq`
and running `dnf install -y jq`) should be removed and replaced by ensuring jq
is present in the base image; either request `jq` be added to the
`rhel-9-golang-1.25-openshift-4.22` builder image, change the job's base image
to one that already includes `jq`, or explicitly bake `jq` into your project
image/Dockerfile used by this CI job so the `if ! command -v jq` / `dnf install
-y jq` fallback is not required at runtime.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 07c364e4-4de0-4e7a-a2ce-43167c754a21

📥 Commits

Reviewing files that changed from the base of the PR and between 847c9fb and e08a914.

⛔ Files ignored due to path filters (1)
  • ci-operator/jobs/openshift/rosa/openshift-rosa-master-postsubmits.yaml is excluded by !ci-operator/jobs/**
📒 Files selected for processing (1)
  • ci-operator/config/openshift/rosa/openshift-rosa-master.yaml

@olucasfreitas olucasfreitas force-pushed the OCM-24478-git-cliff-changelog branch from 5b7cd92 to 874424d Compare May 21, 2026 19:20
@olucasfreitas
Contributor Author

/retest-required

Add a changelog-history postsubmit test to the ROSA ci-operator config so Prow
runs the changelog PR helper after merges to master. The job file is fully
generated by ci-operator-prowgen; no hand-edited job stanzas are included.

Tag-triggered execution is deferred to a follow-up once the repo-side changelog
tooling is validated on master merges first.
@olucasfreitas olucasfreitas force-pushed the OCM-24478-git-cliff-changelog branch from 874424d to 116c7c5 Compare May 21, 2026 19:36
@openshift-merge-bot
Contributor

[REHEARSALNOTIFIER]
@olucasfreitas: no rehearsable tests are affected by this change

Note: If this PR includes changes to step registry files (ci-operator/step-registry/) and you expected jobs to be found, try rebasing your PR onto the base branch. This helps pj-rehearse accurately detect changes when the base branch has moved forward.

Interacting with pj-rehearse

Comment: /pj-rehearse to run up to 5 rehearsals
Comment: /pj-rehearse skip to opt-out of rehearsals
Comment: /pj-rehearse {test-name}, with each test separated by a space, to run one or more specific rehearsals
Comment: /pj-rehearse more to run up to 10 rehearsals
Comment: /pj-rehearse max to run up to 25 rehearsals
Comment: /pj-rehearse auto-ack to run up to 5 rehearsals, and add the rehearsals-ack label on success
Comment: /pj-rehearse list to get an up-to-date list of affected jobs
Comment: /pj-rehearse abort to abort all active rehearsals
Comment: /pj-rehearse network-access-allowed to allow rehearsals of tests that have the restrict_network_access field set to false. This must be executed by an openshift org member who is not the PR author

Once you are satisfied with the results of the rehearsals, comment: /pj-rehearse ack to unblock merge. When the rehearsals-ack label is present on your PR, merge will no longer be blocked by rehearsals.
If you would like the rehearsals-ack label removed, comment: /pj-rehearse reject to re-block merging.

Contributor

@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@ci-operator/config/openshift/rosa/openshift-rosa-master.yaml`:
- Around line 66-68: The script currently attempts to install jq with "dnf
install -y jq" but doesn’t check the install exit code, so if installation fails
the script proceeds to run "make changelog-pr" and fails later; update the block
that uses "command -v jq" and "dnf install -y jq" to test the dnf command’s exit
status and immediately print a clear error and exit non‑zero on failure (or set
errexit/pipefail at the top), e.g., ensure the failure path for "dnf install -y
jq" stops execution with a descriptive message about jq installation failure;
alternatively, document or switch to a base image that already includes jq to
avoid runtime installation.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 19591f64-2f4e-4606-9402-8c1a16793c54

📥 Commits

Reviewing files that changed from the base of the PR and between 874424d and 116c7c5.

⛔ Files ignored due to path filters (1)
  • ci-operator/jobs/openshift/rosa/openshift-rosa-master-postsubmits.yaml is excluded by !ci-operator/jobs/**
📒 Files selected for processing (1)
  • ci-operator/config/openshift/rosa/openshift-rosa-master.yaml

Comment on lines +66 to +68
if ! command -v jq >/dev/null 2>&1; then
dnf install -y jq >/dev/null
fi
Contributor

⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Add error handling for jq installation.

If dnf install fails, the script continues to make changelog-pr without checking the exit code, which may result in unclear error messages if the changelog target depends on jq.

🛡️ Proposed fix to add error handling
     if ! command -v jq >/dev/null 2>&1; then
-      dnf install -y jq >/dev/null
+      if ! dnf install -y jq >/dev/null 2>&1; then
+        echo "ERROR: Failed to install jq dependency"
+        exit 1
+      fi
     fi
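Review bot: the `2>&1` added to the `dnf install -y jq >/dev/null` line discards dnf's stderr along with its stdout, so when the install fails the job log holds only the generic "ERROR: Failed to install jq dependency" line and nothing about the cause. Suggest keeping the redirect as `>/dev/null` so dnf's own error output survives, and sending the new `echo` to stderr with `>&2` so the message lands on the error stream next to it.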

Alternatively, consider using a base image that already includes jq to avoid runtime installation overhead.

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
if ! command -v jq >/dev/null 2>&1; then
dnf install -y jq >/dev/null
fi
if ! command -v jq >/dev/null 2>&1; then
if ! dnf install -y jq >/dev/null 2>&1; then
echo "ERROR: Failed to install jq dependency"
exit 1
fi
fi
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@ci-operator/config/openshift/rosa/openshift-rosa-master.yaml` around lines 66
- 68, The script currently attempts to install jq with "dnf install -y jq" but
doesn’t check the install exit code, so if installation fails the script
proceeds to run "make changelog-pr" and fails later; update the block that uses
"command -v jq" and "dnf install -y jq" to test the dnf command’s exit status
and immediately print a clear error and exit non‑zero on failure (or set
errexit/pipefail at the top), e.g., ensure the failure path for "dnf install -y
jq" stops execution with a descriptive message about jq installation failure;
alternatively, document or switch to a base image that already includes jq to
avoid runtime installation.
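
A fail-closed form of the job step discussed in this review, as an added example that is not code from the PR or from either repository. The function names and the INSTALL_CMD / TOKEN_FILE overrides are assumptions of this sketch; /tmp/github/oauth, jq, GOFLAGS and make changelog-pr are the names given in the PR description.

```shell
#!/bin/sh
# Added example: fail-closed form of the changelog-history step.
# Function names and the INSTALL_CMD / TOKEN_FILE overrides are assumptions.
set -eu

# Succeed only if the tool is on PATH, installing it first when it is missing.
require_tool() {
  _tool="$1"
  if command -v "$_tool" >/dev/null 2>&1; then
    return 0
  fi
  # Discard stdout only: stderr stays in the job log to show why it failed.
  # INSTALL_CMD is split on spaces on purpose (command plus its flags).
  if ! ${INSTALL_CMD:-dnf install -y} "$_tool" >/dev/null; then
    echo "ERROR: failed to install required tool: $_tool" >&2
    return 1
  fi
  if ! command -v "$_tool" >/dev/null 2>&1; then
    echo "ERROR: $_tool is still not on PATH after install" >&2
    return 1
  fi
}

# Export GITHUB_TOKEN from the mounted secret file without logging its value.
load_token() {
  _file="${1:-/tmp/github/oauth}"
  if [ ! -s "$_file" ]; then
    echo "ERROR: token file missing or empty: $_file" >&2
    return 1
  fi
  # Switch xtrace off around the read so the value never reaches the log.
  _xtrace=0
  case "$-" in *x*) _xtrace=1; set +x ;; esac
  GITHUB_TOKEN="$(tr -d '\r\n' < "$_file")"
  export GITHUB_TOKEN
  if [ "$_xtrace" -eq 1 ]; then set -x; fi
}

run_changelog_step() {
  unset GOFLAGS
  require_tool jq
  load_token "${TOKEN_FILE:-/tmp/github/oauth}"
  make changelog-pr
}

# Run the step only when invoked as: sh step.sh run
if [ "${1:-}" = "run" ]; then
  run_changelog_step
fi
```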

@openshift-ci
Contributor

openshift-ci Bot commented May 21, 2026

@olucasfreitas: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.
