Change backplane-cli CI to use hardened images

[feichashao]

This PR changes the CI pipeline of backplane-cli to use the Red Hat Hardened Images.

The Hardened Images were added by #79686 .

Using the HI can let the CI to have the latest Go version, this allows we update the go.mod in backplane-cli repo to the latest, to mitigate as many CVEs as possible.

Summary by CodeRabbit

This PR updates the OpenShift CI configuration for the backplane-cli repository to use Red Hat Hardened Images (hi-go:1.26-fips-builder) as the base/build image and adds additional diagnostics and tooling steps to the lint job.

What changed, in practical terms:

• CI images: The ci-operator config now sets base_images.base and build_root.image_stream_tag to ci/hi-go:1.26-fips-builder, moving backplane-cli CI to the Hardened Image that provides Go 1.26.
• Lint job: The lint test now:
  • unsets GOFLAGS and explicitly sets HOME=/tmp/home and GOPATH=/go,
  • prints PATH, runs go env and id,
  • installs golangci-lint via go install and installs runtime utilities via dnf (which, gawk, tar, gzip),
  • runs make lint.
    These steps aim to surface and mitigate environment/permission issues observed in CI (for example, HOME being / in the rehearsal causing attempts to write to /.local/state and permission failures).
• Other jobs (test, scan-optional, build, coverage, publish-coverage, combined-release) continue to run in the src container built from the new base image and retain their existing commands and secrets.

Reason for change:

• Hardened Images include a newer Go toolchain (Go 1.26), enabling the backplane-cli repo to update go.mod to the newer Go and address CVEs.

Operational notes:

• The lint job explicitly sets HOME to /tmp/home (writable) in the config; the author also suggested a possible follow-up for test-step write-permissions by setting writable Go caches (for example, GOCACHE=/tmp/go-cache and GOMODCACHE=/tmp/go-mod) if CI rehearsals continue to encounter permission errors.

[coderabbitai]

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

• @coderabbitai resume to resume automatic reviews.
• @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

• ▶️ Resume reviews
• 🔍 Trigger review

Walkthrough

Repoints the backplane-cli CI builder image to ci/hi-go:1.26-fips-builder and expands the lint job to set environment vars, print diagnostics, install which, gawk, tar, and gzip, install golangci-lint, then run make lint.

Changes

CI Configuration Update

Layer / File(s)	Summary
Base image update ci-operator/config/openshift/backplane-cli/openshift-backplane-cli-main.yaml	Updated base_images.base and build_root.image_stream_tag to ci/hi-go:1.26-fips-builder.
Lint job command extensions ci-operator/config/openshift/backplane-cli/openshift-backplane-cli-main.yaml	Sets HOME and GOPATH, echoes PATH, runs go env and id, installs which, gawk, tar, gzip via dnf, runs go install github.com/golangci/golangci-lint/cmd/golangci-lint@latest, then runs make lint.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Possibly related PRs

• openshift/release#79686: Related migration work touching ci/hi-go image stream/tag wiring.

Suggested labels

rehearsals-ack

Suggested reviewers

• smg247

🚥 Pre-merge checks | ✅ 15

✅ Passed checks (15 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title 'Change backplane-cli CI to use hardened images' directly and clearly summarizes the main change: updating the CI configuration to use Red Hat Hardened Images (HI) for Go builder, as evidenced by the switch from UBI/OpenShift RHEL golang-1.25 to ci/hi-go:1.26-fips-builder.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names	✅ Passed	This PR modifies only a CI operator configuration file (YAML). The custom check concerns Ginkgo test names, but no Ginkgo tests or test code is modified here.
Test Structure And Quality	✅ Passed	This PR modifies only CI configuration (YAML), not Ginkgo test code. The check is not applicable—no test source files were changed.
Microshift Test Compatibility	✅ Passed	PR modifies only CI configuration (openshift-backplane-cli-main.yaml); no Ginkgo e2e tests are added. Check only applies to new tests.
Single Node Openshift (Sno) Test Compatibility	✅ Passed	PR modifies only CI configuration files (openshift-backplane-cli-main.yaml), not test code. No Ginkgo e2e tests are added, so SNO compatibility check is not applicable.
Topology-Aware Scheduling Compatibility	✅ Passed	This PR modifies only CI configuration (ci-operator test job definitions), not deployment manifests, operator code, or controllers. It contains no scheduling constraints or topology assumptions.
Ote Binary Stdout Contract	✅ Passed	PR modifies only CI configuration YAML for backplane-cli, not application or test code. OTE violations occur in executable code, not CI configuration.
Ipv6 And Disconnected Network Test Compatibility	✅ Passed	This PR modifies CI configuration for backplane-cli (a Go CLI tool), not Ginkgo e2e tests. No e2e tests are added, so the IPv6/disconnected network compatibility check does not apply.
No-Weak-Crypto	✅ Passed	The modified file is a CI configuration YAML that contains no weak crypto patterns (MD5, SHA1, DES, RC4, 3DES, Blowfish, ECB), no custom crypto implementations, and no insecure token comparisons.
Container-Privileges	✅ Passed	No privileged container settings (privileged, hostPID, hostNetwork, hostIPC, SYS_ADMIN, allowPrivilegeEscalation) found in the modified YAML configuration file.
No-Sensitive-Data-In-Logs	✅ Passed	The PR adds diagnostic logging statements (echo PATH, go env, id) for container debugging. These output standard system information, not passwords, tokens, API keys, or PII.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: feichashao

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• ci-operator/config/openshift/backplane-cli/OWNERS [feichashao]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[feichashao]

I did some simple tries locally and the HI images work for me. But we will need to run a rehearsal to see how it works on CI before merging.

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In
`@ci-operator/config/openshift/backplane-cli/openshift-backplane-cli-main.yaml`:
- Around line 2-10: The CI config was updated to use base: name=hi-go and
build_root.image_stream_tag: hi-go:1.26-fips-builder but the generated job YAMLs
were not regenerated; run the repo's make update (or the project-specific
generator) to regenerate CI job YAMLs for the backplane-cli main pre/postsubmit
jobs under ci-operator/jobs/openshift/backplane-cli/, commit those updated job
YAMLs alongside the change to base/build_root, and verify the
hi-go:1.26-fips-builder imagestream/tag exists in the ci namespace (or
create/replicate it) so CI can pull the image.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: bd048f52-47f4-4357-9dd2-0528776dc6e6

📥 Commits

Reviewing files that changed from the base of the PR and between 6685b3d and 5969748.

📒 Files selected for processing (1)

• ci-operator/config/openshift/backplane-cli/openshift-backplane-cli-main.yaml

[coderabbitai]

⚠️ Potential issue | 🟠 Major | 🏗️ Heavy lift

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Description: Verify that make update was run by checking for changes in generated ProwJob configs

# Check for corresponding job config changes
fd -e yaml . ci-operator/jobs/openshift/backplane-cli/ --exec echo "Found job config: {}"

# Check git diff to see if job configs were modified alongside this config change
git diff --name-only origin/main | grep -E "ci-operator/jobs/openshift/backplane-cli"

Repository: openshift/release

Length of output: 270

---

🏁 Script executed:

#!/bin/bash
# Description: Verify the hi-go hardened image exists and check the tag

# Use oc to check if the image stream and tag exist in the ci namespace
oc get imagestream hi-go -n ci -o jsonpath='{.spec.tags[?(@.name=="1.26-fips-builder")].name}' 2>/dev/null || echo "Tag 1.26-fips-builder not found or imagestream does not exist"

# Check for available tags
oc get imagestream hi-go -n ci -o jsonpath='{.spec.tags[*].name}' 2>/dev/null | tr ' ' '\n'

Repository: openshift/release

Length of output: 123

---

Run make update and commit regenerated CI job YAMLs for the hi-go base/build_root change

• Updating base_images.base and build_root.image_stream_tag in ci-operator/config/openshift/backplane-cli/openshift-backplane-cli-main.yaml should be accompanied by regenerated files under ci-operator/jobs/openshift/backplane-cli/ (main pre/postsubmits); no corresponding job YAML changes are present.
• Ensure the hi-go:1.26-fips-builder imagestream/tag needed by CI is available in the ci namespace.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@ci-operator/config/openshift/backplane-cli/openshift-backplane-cli-main.yaml`
around lines 2 - 10, The CI config was updated to use base: name=hi-go and
build_root.image_stream_tag: hi-go:1.26-fips-builder but the generated job YAMLs
were not regenerated; run the repo's make update (or the project-specific
generator) to regenerate CI job YAMLs for the backplane-cli main pre/postsubmit
jobs under ci-operator/jobs/openshift/backplane-cli/, commit those updated job
YAMLs alongside the change to base/build_root, and verify the
hi-go:1.26-fips-builder imagestream/tag exists in the ci namespace (or
create/replicate it) so CI can pull the image.

[feichashao]

Could you double check? I don't see anything need to change in ci-operator/jobs/openshift/backplane-cli/openshift-backplane-cli-main-presubmits.yaml for this.

[coderabbitai]

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Check the current presubmits job YAML for backplane-cli to see if it references base_images or build_root
cat ci-operator/jobs/openshift/backplane-cli/openshift-backplane-cli-main-presubmits.yaml

Length of output: 570

---

🏁 Script executed:

#!/bin/bash
# List all job config files for backplane-cli
fd . ci-operator/jobs/openshift/backplane-cli/

# Also look at the full content of whatever exists
fd . ci-operator/jobs/openshift/backplane-cli/ --exec cat {}

Length of output: 718

---

🏁 Script executed:

#!/bin/bash
# Search broadly for backplane-cli job files
fd backplane-cli ci-operator/jobs/

# Also check if the directory exists at all
ls ci-operator/jobs/openshift/ | grep backplane

Length of output: 607

---

🏁 Script executed:

#!/bin/bash
# Check what directories are available at the root
ls -la

# Try to find the jobs directory
find . -maxdepth 3 -type d -name "backplane-cli" 2>/dev/null

# Check top-level directory structure
ls ci-operator/ 2>/dev/null || echo "ci-operator dir not found"

Length of output: 1775

---

---

@feichashao, you're right — I was mistaken. Changes to base_images and build_root.image_stream_tag in a ci-operator config YAML are read by ci-operator at runtime from the config file; they are not embedded into the generated ProwJob specs under ci-operator/jobs/. Since the ProwJob spec itself (test names, job types, cluster config, labels, etc.) is unchanged, running make update would be a no-op here and no job YAML regeneration is needed.

I'll withdraw that part of my review comment. Apologies for the noise!

---

✏️ Learnings added

Learnt from: feichashao
Repo: openshift/release PR: 79740
File: ci-operator/config/openshift/backplane-cli/openshift-backplane-cli-main.yaml:2-10
Timestamp: 2026-05-27T06:35:08.802Z
Learning: In the openshift/release repository, changes to `base_images` and `build_root.image_stream_tag` fields in ci-operator config YAMLs under `ci-operator/config/` do NOT require running `make update` or regenerating the ProwJob spec YAMLs under `ci-operator/jobs/`. These fields are read by ci-operator at runtime from the config YAML and are not embedded into the generated ProwJob specs. Only structural/semantic changes that alter the ProwJob spec itself (e.g., adding/renaming tests, changing job types, modifying metadata that feeds into the ProwJob spec) require `make update`.

Note: Learnings are effective only in the context of similar code segments. To apply general coding guidelines, please configure review instructions. You can manage existing learnings in the app.

---

🧠 Learnings used

Learnt from: PillaiManish
Repo: openshift/release PR: 79231
File: ci-operator/config/openshift/secrets-store-csi-driver-operator/openshift-secrets-store-csi-driver-operator-main.yaml:0-0
Timestamp: 2026-05-20T05:41:25.164Z
Learning: When reviewing OpenShift/Kubernetes operator manifests/CSVs, if a ClusterServiceVersion (CSV) defines an `emptyDir` volume mounted at `/tmp` with `medium: Memory`, treat that data as scoped to the *pod lifecycle* (not the container lifecycle). Container restarts within the same pod (e.g., restart after SIGTERM/termination and recreation of the container) should not wipe the `emptyDir` contents; data written to something like `/tmp/e2e-cover` should still be present and can be collected afterward (e.g., via `oc cp`). The `emptyDir` is cleared when the pod is deleted/recreated/rescheduled (pod lifecycle ends), not on container restarts.

---

Learnt from: rdiscala
Repo: openshift/release PR: 79357
File: ci-operator/config/openshift-kni/eco-ci-cd/openshift-kni-eco-ci-cd-main__cnf-ran-sno-day2-worker-4.18.yaml:23-23
Timestamp: 2026-05-20T11:54:20.424Z
Learning: In the openshift/release repository CI operator configuration YAMLs, do not treat an intentionally impossible cron schedule (e.g., `0 0 31 2 *` for “Feb 31”) as a misconfiguration. This pattern is an intentional mechanism used to disable/park a periodic CI job temporarily (e.g., while an upstream bug is being fixed). Only flag cron syntax errors when the schedule is not an intentional “impossible date” disable pattern used for job parking.

---

Learnt from: dhaiducek
Repo: openshift/release PR: 79563
File: ci-operator/config/stolostron/cluster-proxy/stolostron-cluster-proxy-main.yaml:41-43
Timestamp: 2026-05-20T19:31:57.286Z
Learning: In the openshift/release repo, for ci-operator container test step config YAML files under ci-operator/config/, remember that the `commands` field is read by ci-operator at runtime from the config YAML and is not embedded into the generated ProwJob YAML under `ci-operator/jobs/`. Therefore, if a PR changes only `commands` (and not any ProwJob-spec affecting structural fields such as test/job names, job types/spec, or metadata that changes the resulting ProwJob spec), you generally do NOT need to run `make update` and regenerating artifacts should be a no-op diff. Run `make update` only when the changes affect the generated ProwJob spec (e.g., new/renamed tests, new job types, or other spec/metadata changes that alter `ci-operator/jobs/` output).

---

Learnt from: tthvo
Repo: openshift/release PR: 79564
File: ci-operator/config/openshift/multiarch/openshift-multiarch-main__nightly-4.20-upgrade-from-nightly-4.19.yaml:94-94
Timestamp: 2026-05-20T20:01:14.481Z
Learning: In the openshift/release repo, when editing ci-operator config YAMLs under ci-operator/config/, changes that only modify the *values* of environment variables inside test step `env` blocks (e.g., COMPUTE_NODE_TYPE, ADDITIONAL_WORKER_VM_TYPE, MIGRATION_INFRA_MACHINE_TYPE) do not change the generated ProwJob specs under ci-operator/jobs/. For these value-only env tweaks, reviewers should not require running `make update` because it should produce no diff. Require `make update` only for structural/semantic changes that can affect the generated ProwJob spec (e.g., adding/renaming tests, changing job types, or altering metadata/fields that feed into the ProwJob spec).

---

Learnt from: karampok
Repo: openshift/release PR: 79537
File: ci-operator/config/openshift/bond-cni/openshift-bond-cni-main.yaml:32-33
Timestamp: 2026-05-21T09:04:21.025Z
Learning: In openshift/release, when modifying a ci-operator config YAML under ci-operator/config/ by adding an `env` block (key/value environment variables such as `TEST_TYPE`, `TEST_SUITE`, `TEST_ARGS`) to an existing test step, this change does not affect the generated ProwJob specs under ci-operator/jobs/. In this case, `make update` is a no-op—do not request or flag that `make update` was (or needs to be) run for these env-only edits.

[feichashao]

/pj-rehearse

[openshift-merge-bot]

@feichashao: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

[feichashao]

The rehearsal was failing with:

Container test exited with code 1, reason Error
---
filesystem error: cannot create directories: Permission denied [/.local/state]
{"component":"entrypoint","error":"wrapped process failed: exit status 1","file":"sigs.k8s.io/prow/pkg/entrypoint/run.go:84","func":"sigs.k8s.io/prow/pkg/entrypoint.Options.internalRun","level":"error","msg":"Error executing test process","severity":"error","time":"2026-05-27T06:46:29Z"}
--- 

Likely something different in the image.

[feichashao]

/pj-rehearse pull-ci-openshift-backplane-cli-main-lint

[openshift-merge-bot]

@feichashao: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

[feichashao]

As a debug, I let the rehearsal prints the below:

    echo HOME=$HOME
    ls -lhd /.local/
    ls -lh /.local/

The result is:

{  HOME=/
ls: cannot access '/.local/': No such file or directory
{"component":"entrypoint","error":"wrapped process failed: exit status 2","file":"sigs.k8s.io/prow/pkg/entrypoint/run.go:84","func":"sigs.k8s.io/prow/pkg/entrypoint.Options.internalRun","level":"error","msg":"Error executing test process","severity":"error","time":"2026-06-01T06:56:42Z"}
}

[feichashao]

/pj-rehearse pull-ci-openshift-backplane-cli-main-lint

[openshift-merge-bot]

@feichashao: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

[feichashao]

ok, so the problem is mostly

INFO[2026-06-01T07:26:42Z] HOME=/

output:

INFO[2026-06-01T07:26:42Z] Logs for container test in pod lint:         
INFO[2026-06-01T07:26:42Z] HOME=/
pwd=/go/src/github.com/openshift/backplane-cli
/bin/bash: line 6: USER: unbound variable
{"component":"entrypoint","error":"wrapped process failed: exit status 1","file":"sigs.k8s.io/prow/pkg/entrypoint/run.go:84","func":"sigs.k8s.io/prow/pkg/entrypoint.Options.internalRun","level":"error","msg":"Error executing test process","severity":"error","time":"2026-06-01T07:26:41Z"} 

potential fix:

tests:
- as: test
  commands: |
    export GOCACHE=/tmp/go-cache
    export GOMODCACHE=/tmp/go-mod
    make test
  container:
    from: src

[feichashao]

/pj-rehearse pull-ci-openshift-backplane-cli-main-lint

[openshift-merge-bot]

@feichashao: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

[feichashao]

/pj-rehearse pull-ci-openshift-backplane-cli-main-lint

[openshift-merge-bot]

@feichashao: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In
`@ci-operator/config/openshift/backplane-cli/openshift-backplane-cli-main.yaml`:
- Around line 25-30: Replace the unpinned go install of golangci-lint and ensure
its binary is on PATH: change the go install call (currently "go install
github.com/golangci/golangci-lint/cmd/golangci-lint@latest") to a pinned module
version, set GOBIN to a deterministic directory (e.g., export GOBIN=/go/bin or
similar), and export PATH to include $GOBIN or $GOPATH/bin before running make
lint; also optionally run a quick "which golangci-lint" or "golangci-lint
--version" check after installation to fail fast if the binary is not found.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: dbfed555-2124-4827-a385-9d5278822888

📥 Commits

Reviewing files that changed from the base of the PR and between 6dc914f and fb2a9cb.

📒 Files selected for processing (1)

• ci-operator/config/openshift/backplane-cli/openshift-backplane-cli-main.yaml

[coderabbitai]

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Verify whether the repo already pins golangci-lint or expects it on PATH.
set -euo pipefail

echo "== Makefile references =="
rg -n -C2 'golangci-lint|GOBIN|GOPATH|PATH' Makefile . 2>/dev/null || true

echo
echo "== Existing golangci-lint version pins =="
rg -n -C2 'golangci-lint@|golangci-lint-version|GOLANGCI' . 2>/dev/null || true

Repository: openshift/release

Length of output: 50377

---

🏁 Script executed:

#!/bin/bash
set -euo pipefail

# 1) Show the exact step context in the referenced ci-operator config
echo "== YAML step context =="
FILE="ci-operator/config/openshift/backplane-cli/openshift-backplane-cli-main.yaml"
if [ -f "$FILE" ]; then
  sed -n '1,120p' "$FILE" | nl -ba | sed -n '1,120p' >/dev/null
  # Print around lines 20-45 (safe even if file shorter)
  nl -ba "$FILE" | sed -n '15,60p'
else
  echo "Missing: $FILE"
fi

echo
# 2) Find where golangci-lint is invoked (Makefile/scripts) and whether PATH/GOBIN is set there.
echo "== golangci-lint usage in Makefiles/hack scripts =="
rg -n --hidden --no-ignore-vcs "golangci-lint" Makefile **/Makefile tools/hack . || true

echo
# 3) Specifically check the make lint target implementation
echo "== Where 'make lint' is defined =="
rg -n --hidden --no-ignore-vcs "^[a-zA-Z0-9_./-]*lint:|^lint:|make lint" Makefile **/Makefile tools/hack . || true

echo
# 4) Check if PATH is augmented with $GOPATH/bin anywhere in the CI tooling invoked by make lint.
echo "== PATH updates for GOPATH/bin (repo tooling) =="
rg -n --hidden --no-ignore-vcs 'update_path_var|GOPATH/bin|GOBIN|export GOBIN|/go/bin|PATH=.*\$\{?GOPATH\}?.*bin' tools/hack **/*.sh **/*.mk **/*.bash Makefile || true

Repository: openshift/release

Length of output: 146

---

🏁 Script executed:

#!/bin/bash
set -euo pipefail

FILE="ci-operator/config/openshift/backplane-cli/openshift-backplane-cli-main.yaml"

echo "== YAML step context (lines 15-60) =="
if [ -f "$FILE" ]; then
  awk 'NR>=15 && NR<=60 {printf "%d\t%s\n", NR, $0}' "$FILE"
else
  echo "Missing: $FILE"
fi

echo
echo "== Where make lint calls golangci-lint =="
rg -n -S --hidden --no-ignore-vcs --glob 'Makefile' --glob '*.mk' --glob '*.sh' --glob '*.bash' \
  --max-count 200 "make lint|golangci-lint" . || true

echo
echo "== PATH/GOBIN/GOPATH/bin handling in repo tooling =="
rg -n -S --hidden --no-ignore-vcs --glob '*.sh' --glob '*.bash' --glob '*.mk' --glob 'Makefile' \
  --max-count 200 'export GOBIN|GOBIN=|GOPATH/bin|GOPATH\)/bin|update_path_var|PATH=.*GOPATH.*bin|/go/bin' . || true

echo
echo "== Any golangci-lint version pinning in repo (not image-mapping) =="
rg -n -S --hidden --no-ignore-vcs --glob 'Makefile' --glob '*.mk' --glob '*.sh' --glob '*.bash' \
  --max-count 200 'golangci-lint@|golangci-lint-version|GOLANGCI_LINT|GOLANGCI-LINT|v[0-9]+\.[0-9]+\.[0-9]+' . || true

Repository: openshift/release

Length of output: 33371

---

🏁 Script executed:

#!/bin/bash
set -euo pipefail

# 1) Find the lint target and inspect its implementation
echo "== Root Makefile lint target =="
if [ -f Makefile ]; then
  rg -n --no-heading '^([a-zA-Z0-9_.-]+:)?lint(_[a-zA-Z0-9_.-]+)?:' Makefile || true
  # Print a small window around the first match (if any)
  LINT_LINE="$(rg -n --no-heading '^.*\blint\b.*:' Makefile | head -n1 | cut -d: -f1 || true)"
  if [ -n "${LINT_LINE:-}" ]; then
    START=$((LINT_LINE-20))
    END=$((LINT_LINE+80))
    awk -v s="$START" -v e="$END" 'NR>=s && NR<=e {print NR ":" $0}' Makefile
  fi
else
  echo "Missing: Makefile"
fi

echo
echo "== Where golangci-lint is invoked =="
rg -n --hidden --no-ignore-vcs -S --max-count 200 'golangci-lint' . || true

echo
echo "== Inspect PATH update logic used by repo tooling =="
if [ -f tools/hack/golang/hack/lib/init.sh ]; then
  rg -n --no-heading 'update_path_var' tools/hack/golang/hack/lib/init.sh tools/hack/golang/hack/lib/util/environment.sh || true
  echo "--- init.sh around update_path_var call ---"
  CALL_LINE="$(rg -n --no-heading 'update_path_var' tools/hack/golang/hack/lib/init.sh | head -n1 | cut -d: -f1 || true)"
  if [ -n "${CALL_LINE:-}" ]; then
    START=$((CALL_LINE-30)); END=$((CALL_LINE+30))
    awk -v s="$START" -v e="$END" 'NR>=s && NR<=e {print NR ":" $0}' tools/hack/golang/hack/lib/init.sh
  fi
  echo "--- environment.sh: update_path_var function ---"
  FUNC_LINE="$(rg -n --no-heading 'function os::util::environment::update_path_var' tools/hack/golang/hack/lib/util/environment.sh | head -n1 | cut -d: -f1 || true)"
  if [ -n "${FUNC_LINE:-}" ]; then
    START=$((FUNC_LINE-5)); END=$((FUNC_LINE+40))
    awk -v s="$START" -v e="$END" 'NR>=s && NR<=e {print NR ":" $0}' tools/hack/golang/hack/lib/util/environment.sh
  fi
else
  echo "Missing: tools/hack/golang/hack/lib/init.sh"
fi

echo
echo "== Is init.sh sourced by lint-related scripts? =="
# Look for sourcing of tools/hack/golang/hack/lib/init.sh
rg -n --hidden --no-ignore-vcs 'hack/lib/init\.sh' . || true

# Also look for lint commands scripts referencing hack env/init
rg -n --hidden --no-ignore-vcs --max-count 200 '(make lint|lint)' tools/hack/golang/hack ci-operator/step-registry/ | head -n 200 || true

Repository: openshift/release

Length of output: 50374

---

🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "== Root Makefile existence =="
ls -la Makefile 2>/dev/null || echo "No root Makefile"

echo
echo "== Search for lint target(s) in root Makefile (if present) =="
if [ -f Makefile ]; then
  rg -n '^([a-zA-Z0-9_.-]+:)?lint(_[a-zA-Z0-9_.-]+)?:' Makefile || true
  rg -n 'golangci-lint' Makefile || true
fi

echo
echo "== Search for golangci-lint usage in Go tooling Makefiles =="
for f in tools/hack/golang/Makefile tools/hack/golang/*/Makefile tools/hack/golang/**/Makefile; do
  [ -f "$f" ] || continue
  echo "--- $f ---"
  rg -n 'golangci-lint' "$f" || true
  rg -n '^([a-zA-Z0-9_.-]+:)?lint(_[a-zA-Z0-9_.-]+)?:' "$f" || true
done

echo
echo "== Identify which scripts/targets implement 'make lint' (repo-local) =="
# Look for the actual command executed by `make lint` in any Makefile we find.
rg -n --glob 'Makefile' --glob '*.mk' -S --no-ignore-vcs --max-count 200 \
  '(^lint:|^[^#\n]*\blint\b.*:|make lint\b|golangci-lint)' . || true

Repository: openshift/release

Length of output: 383

---

🏁 Script executed:

#!/bin/bash
set -euo pipefail

# 1) Show all "lint" occurrences in the root Makefile (small file)
echo "== 'lint' occurrences in root Makefile =="
rg -n --no-heading --hidden --no-ignore-vcs 'lint' Makefile || true

echo
echo "== Try to locate a lint target definition in root Makefile =="
rg -n --no-heading --hidden --no-ignore-vcs '^[a-zA-Z0-9_.-]*lint([_a-zA-Z0-9.-]*)?:' Makefile || true

echo
echo "== Inspect root Makefile includes/includes of other makefiles =="
rg -n --no-heading --hidden --no-ignore-vcs 'include|\.mk' Makefile || true

echo
echo "== Find where golangci-lint is expected/ensured in repo tooling =="
# Limit to tools/hack/golang/hack subtree
rg -n --hidden --no-ignore-vcs --glob '*.sh' --glob '*.mk' --glob 'Makefile' \
  'golangci-lint|GOLANGCI_LINT|ensure::.*golangci|ensure::.*lint' tools/hack/golang/hack tools/hack/golang/Makefile tools/hack/golang . || true

echo
echo "== Search for find/ensure helpers that operate on GOPATH/bin or PATH =="
rg -n --hidden --no-ignore-vcs --glob '*.sh' 'gopath_binary|system_binary|GOPATH.*bin|update_path_var' tools/hack/golang/hack/lib/util tools/hack/golang/hack/lib/init.sh || true

Repository: openshift/release

Length of output: 3017

---

🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "== Makefile size =="
wc -l Makefile

echo
echo "== Root Makefile (first 120 lines) =="
sed -n '1,120p' Makefile | nl -ba | head -n 120

echo
echo "== Root Makefile (120-260) =="
sed -n '120,260p' Makefile | nl -ba | head -n 200

echo
echo "== Root Makefile (search for 'lint' again with context) =="
rg -n -C2 --no-heading --hidden --no-ignore-vcs 'lint' Makefile || true

echo
echo "== Find any includes of other makefiles from root Makefile =="
rg -n --no-heading 'include|\.mk|tools/hack/golang' Makefile || true

echo
echo "== Where does 'lint' target resolve? List all targets matching 'lint' =="
# Extract target names roughly by looking for '^[a-zA-Z0-9_.-]+:' lines containing lint
rg -n --no-heading '^[a-zA-Z0-9_.-]+[a-zA-Z0-9_.-]*:.*' Makefile | head -n 200

Repository: openshift/release

Length of output: 194

---

🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "== Root Makefile include statements =="
rg -n --no-heading --hidden --no-ignore-vcs '^[[:space:]]*include|include[[:space:]].*tools/hack/golang' Makefile || true

echo
echo "== Root Makefile lines containing 'lint' =="
rg -n --no-heading --hidden --no-ignore-vcs 'lint' Makefile | head -n 200

echo
echo "== Root Makefile lines around first 'make lint' invocation (if any) =="
# Look for a target named lint or recipe calling golangci-lint in root Makefile
rg -n --no-heading --hidden --no-ignore-vcs '^(lint|.*:.*lint).*:|golangci-lint' Makefile || true

echo
echo "== Root Makefile: show line range 130-220 =="
sed -n '130,220p' Makefile

echo
echo "== tools/hack/golang/Makefile: lint/golangci-lint occurrences =="
[ -f tools/hack/golang/Makefile ] && rg -n --no-heading --hidden --no-ignore-vcs 'lint|golangci-lint' tools/hack/golang/Makefile || true

echo
echo "== tools/hack/golang/Makefile: show first 160 lines =="
[ -f tools/hack/golang/Makefile ] && sed -n '1,160p' tools/hack/golang/Makefile

echo
echo "== Where init.sh / update_path_var are pulled in =="
rg -n --no-heading --hidden --no-ignore-vcs 'hack/lib/init\.sh|update_path_var' Makefile tools/hack/golang/Makefile tools/hack/golang/hack/** -S --max-count 200 || true

echo
echo "== Find any Makefile target named 'golangci-lint' in tools/hack/golang =="
rg -n --no-heading --hidden --no-ignore-vcs '^([a-zA-Z0-9_.-]+:)?golangci-lint(_[a-zA-Z0-9_.-]+)?:' tools/hack/golang -S || true

Repository: openshift/release

Length of output: 9689

---

🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "== Locate a lint target definition in repo (Makefile/*.mk/*.sh) =="
rg -n --hidden --no-ignore-vcs --glob 'Makefile' --glob '*.mk' --glob '*.sh' \
  '(^|\s)(lint):' . | head -n 200 || true

echo
echo "== Search for 'golangci-lint' usage inside lint scripts =="
rg -n --hidden --no-ignore-vcs --glob 'Makefile' --glob '*.mk' --glob '*.sh' \
  'golangci-lint' . | rg -n 'lint' | head -n 200 || true

echo
echo "== Search for 'make lint' call sites =="
rg -n --hidden --no-ignore-vcs --glob '*.sh' --glob '*.yaml' --glob '*.yml' \
  'make lint' . | head -n 200 || true

echo
echo "== Find any Makefile targets named 'lint' or 'lint:' specifically in repo =="
rg -n --hidden --no-ignore-vcs --glob 'Makefile' --glob '*.mk' \
  '^[a-zA-Z0-9_.-]*lint(_[a-zA-Z0-9_.-]+)?:' . | head -n 200 || true

echo
echo "== Open tooling for lint in tools/hack (search 'lint' in golang hack) =="
rg -n --hidden --no-ignore-vcs --glob '*.sh' --glob '*.mk' \
  'lint' tools/hack/golang/hack tools/hack/golang/Makefile | head -n 200 || true

Repository: openshift/release

Length of output: 31103

---

🏁 Script executed:

#!/bin/bash
set -euo pipefail

# Show nearby go install patterns for golangci-lint (excluding huge output)
echo "== go install golangci-lint occurrences in ci-operator/config (first 80 matches) =="
rg -n --no-heading --hidden --no-ignore-vcs 'go install .*golangci-lint.*@' ci-operator/config/**/*.yaml ci-operator/config/**/*.yml 2>/dev/null | head -n 80 || true

echo
echo "== Inspect openshift-tests-private main around its golangci-lint install =="
FILE="ci-operator/config/openshift/openshift-tests-private/openshift-openshift-tests-private-main.yaml"
if [ -f "$FILE" ]; then
  awk 'NR>=90 && NR<=140 {print NR ":" $0}' "$FILE"
else
  echo "Missing: $FILE"
fi

echo
echo "== Inspect openshift-backplane-cli main around the step (lines 20-40) =="
FILE2="ci-operator/config/openshift/backplane-cli/openshift-backplane-cli-main.yaml"
if [ -f "$FILE2" ]; then
  awk 'NR>=18 && NR<=40 {print NR ":" $0}' "$FILE2"
else
  echo "Missing: $FILE2"
fi

Repository: openshift/release

Length of output: 2656

---

🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "== Find lint target definition(s) in Makefile(s) =="
rg -n --no-heading --hidden --no-ignore-vcs --glob 'Makefile' --glob '*.mk' \
  '^[a-zA-Z0-9_.-]*lint([_a-zA-Z0-9.-]*)?:' . | head -n 200 || true

echo
echo "== Find golangci-lint invocations used by repo lint tooling =="
rg -n --hidden --no-ignore-vcs --glob '*.sh' --glob '*.mk' --glob 'Makefile' \
  'golangci-lint( run| version|$)' tools/hack/golang . | head -n 200 || true

echo
echo "== Search for PATH update to include GOPATH/bin in golang tooling =="
rg -n --hidden --no-ignore-vcs 'update_path_var|GOPATH/bin|GOBIN' tools/hack/golang/hack/lib/tools tools/hack/golang/hack/lib/init.sh tools/hack/golang/hack/lib/util/environment.sh tools/hack/golang/hack | head -n 200 || true

echo
echo "== Search for any scripts named 'lint' or 'golangci-lint' under tools/hack/golang/hack =="
fd -t f 'lint|golangci-lint' tools/hack/golang/hack 2>/dev/null | head -n 200 || true

Repository: openshift/release

Length of output: 2331

---

Pin golangci-lint (and make its binary path explicit) in the backplane-cli lint step.

ci-operator/config/openshift/backplane-cli/openshift-backplane-cli-main.yaml installs github.com/golangci/golangci-lint/...@latest and then runs make lint without pinning the version; this makes the presubmit drift over time. The step also doesn’t explicitly ensure the installed binary location is on PATH (no GOBIN/PATH update and no which golangci-lint), so it can break if $GOPATH/bin isn’t already on PATH for this container.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@ci-operator/config/openshift/backplane-cli/openshift-backplane-cli-main.yaml`
around lines 25 - 30, Replace the unpinned go install of golangci-lint and
ensure its binary is on PATH: change the go install call (currently "go install
github.com/golangci/golangci-lint/cmd/golangci-lint@latest") to a pinned module
version, set GOBIN to a deterministic directory (e.g., export GOBIN=/go/bin or
similar), and export PATH to include $GOBIN or $GOPATH/bin before running make
lint; also optionally run a quick "which golangci-lint" or "golangci-lint
--version" check after installation to fail fast if the binary is not found.

[feichashao]

/pj-rehearse

[openshift-merge-bot]

@feichashao: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

[feichashao]

/pj-rehearse pull-ci-openshift-backplane-cli-main-lint

[openshift-merge-bot]

@feichashao: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

[feichashao]

�[36mINFO�[0m[2026-06-04T04:04:48Z] /go/src/github.com/openshift/backplane-cli
uid=1003910000(1003910000) gid=0(root) groups=0(root),1003910000
AR='ar'
CC='gcc'
CGO_CFLAGS='-O2 -g'
CGO_CPPFLAGS=''
CGO_CXXFLAGS='-O2 -g'
CGO_ENABLED='1'
CGO_FFLAGS='-O2 -g'
CGO_LDFLAGS='-O2 -g'
CXX='g++'
GCCGO='gccgo'
GO111MODULE=''
GOAMD64='v1'
GOARCH='amd64'
GOAUTH='netrc'
GOBIN=''
GOCACHE='/tmp/home/.cache/go-build'
GOCACHEPROG=''
GODEBUG='fips140=on'
GOENV='/tmp/home/.config/go/env'
GOEXE=''
GOEXPERIMENT='nodwarf5'
GOFIPS140='certified'
GOFLAGS=''
GOGCCFLAGS='-fPIC -m64 -pthread -Wl,--no-gc-sections -fmessage-length=0 -ffile-prefix-map=/tmp/go-build3595561888=/tmp/go-build -gno-record-gcc-switches'
GOHOSTARCH='amd64'
GOHOSTOS='linux'
GOINSECURE=''
GOMOD='/go/src/github.com/openshift/backplane-cli/go.mod'
GOMODCACHE='/go/pkg/mod'
GONOPROXY=''
GONOSUMDB=''
GOOS='linux'
GOPATH='/go'
GOPRIVATE=''
GOPROXY='https://proxy.golang.org,direct'
GOROOT='/usr/lib/golang'
GOSUMDB='sum.golang.org'
GOTELEMETRY='local'
GOTELEMETRYDIR='/tmp/home/.config/go/telemetry'
GOTMPDIR=''
GOTOOLCHAIN='local'
GOTOOLDIR='/usr/lib/golang/pkg/tool/linux_amd64'
GOVCS=''
GOVERSION='go1.26.4-X:nodwarf5'
GOWORK=''
PKG_CONFIG='pkg-config'
which: no docker in (/go/bin:/usr/local/go/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin)
which: no podman in (/go/bin:/usr/local/go/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin)
Installing golangci-lint v2.5.0...
curl -sSfL https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh | sh -s -- -b /go/bin v2.5.0
golangci/golangci-lint info checking GitHub for tag 'v2.5.0'
golangci/golangci-lint info found version: 2.5.0 for v2.5.0/linux/amd64
install: cannot remove '/go/bin/golangci-lint': Permission denied
make: *** [Makefile:72: getlint] Error 1

[feichashao]

/pj-rehearse

[openshift-merge-bot]

@feichashao: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

[openshift-merge-bot]

[REHEARSALNOTIFIER]
@feichashao: the pj-rehearse plugin accommodates running rehearsal tests for the changes in this PR. Expand 'Interacting with pj-rehearse' for usage details. The following rehearsable tests have been affected by this change:

Test name	Repo	Type	Reason
pull-ci-openshift-backplane-cli-main-build	openshift/backplane-cli	presubmit	Ci-operator config changed
pull-ci-openshift-backplane-cli-main-coverage	openshift/backplane-cli	presubmit	Ci-operator config changed
pull-ci-openshift-backplane-cli-main-images	openshift/backplane-cli	presubmit	Ci-operator config changed
pull-ci-openshift-backplane-cli-main-lint	openshift/backplane-cli	presubmit	Ci-operator config changed
pull-ci-openshift-backplane-cli-main-scan-optional	openshift/backplane-cli	presubmit	Ci-operator config changed
pull-ci-openshift-backplane-cli-main-test	openshift/backplane-cli	presubmit	Ci-operator config changed

Interacting with pj-rehearse

Comment: /pj-rehearse to run up to 5 rehearsals
Comment: /pj-rehearse skip to opt-out of rehearsals
Comment: /pj-rehearse {test-name}, with each test separated by a space, to run one or more specific rehearsals
Comment: /pj-rehearse more to run up to 10 rehearsals
Comment: /pj-rehearse max to run up to 25 rehearsals
Comment: /pj-rehearse auto-ack to run up to 5 rehearsals, and add the rehearsals-ack label on success
Comment: /pj-rehearse list to get an up-to-date list of affected jobs
Comment: /pj-rehearse abort to abort all active rehearsals
Comment: /pj-rehearse network-access-allowed to allow rehearsals of tests that have the restrict_network_access field set to false. This must be executed by an openshift org member who is not the PR author

Once you are satisfied with the results of the rehearsals, comment: /pj-rehearse ack to unblock merge. When the rehearsals-ack label is present on your PR, merge will no longer be blocked by rehearsals.
If you would like the rehearsals-ack label removed, comment: /pj-rehearse reject to re-block merging.

[feichashao]

/pj-rehearse

[openshift-merge-bot]

@feichashao: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

[openshift-ci]

@feichashao: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.