[openshift-eng/oape-ai-e2e] Re-use gh-token-minter in workflow job#80233

Open
swghosh wants to merge 6 commits into openshift:main from swghosh:oape-ai-e2e/prow-workflow

Conversation

@swghosh

@swghosh swghosh commented Jun 8, 2026

Member

🤖 Generated with Claude Code


Summary by CodeRabbit

This PR updates the Prow CI configuration for the openshift-eng/oape-ai-e2e repository to replace inline JWT token minting with a dedicated gh-token-minter container image.

Changes to openshift-eng-oape-ai-e2e-main.yaml:

  1. New workflow-input image: Added a build definition for prow-workflow/input.Dockerfile, which provides parameter configuration for the Prow workflow.

  2. Updated promotion rules: Modified the promotion configuration to exclude the workflow-input image from being promoted to the oape namespace, since it's only used internally by the workflow.

  3. Multi-step Prow job configuration: Added a run-workflow test with three sequential steps:

    • extract-params: Copies workflow parameters from the workflow-input image to the shared directory
    • mint-gh-token: Replaces inline bash/OpenSSL JWT minting with the gh-token-minter image's CLI mode, running python /app/ghpat_server.py to mint and output the GitHub token
    • agent-workflow: Main test step that loads parameters, constructs environment variables (including the minted GitHub token), configures Google Cloud and Anthropic/Claude settings, and executes the AI agent workflow

Impact: The CI job now delegates GitHub token minting to a specialized containerized service rather than inline scripts, improving maintainability and reducing duplication. The token minting depends on ghpat_server.py providing CLI mode support, as referenced in the upstream dependency openshift-eng/oape-ai-e2e#62.

swghosh and others added 5 commits May 8, 2026 01:46
in an ephemeral namespace using the oape-ai-e2e agent

Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
Signed-off-by: Swarup Ghosh <swghosh@redhat.com>
…mespace

Signed-off-by: Swarup Ghosh <swghosh@redhat.com>
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Replace inline bash/openssl JWT minting with the gh-token-minter
image's CLI mode, which handles the same logic via ghpat_server.py.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@openshift-ci openshift-ci Bot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Jun 8, 2026
@coderabbitai

coderabbitai Bot commented Jun 8, 2026

Contributor

Walkthrough

The PR updates the OAPE AI E2E job configuration in CI operator, adding a new build image (workflow-input) from prow-workflow/input.Dockerfile, excluding it from promotion, and defining a complete three-step test workflow that extracts shared parameters, mints GitHub credentials, and runs the Python agent with mounted GCP credentials.

Changes

AI E2E Test Workflow Configuration

Layer: Image source and promotion rules
File(s): ci-operator/config/openshift-eng/oape-ai-e2e/openshift-eng-oape-ai-e2e-main.yaml
Summary: New workflow-input image built from prow-workflow/input.Dockerfile is added to the images list, and the promotion configuration is updated to explicitly exclude workflow-input from promotion while promoting only ai-e2e-agent.

Layer: Multi-step test workflow execution
File(s): ci-operator/config/openshift-eng/oape-ai-e2e/openshift-eng-oape-ai-e2e-main.yaml
Summary: Three-step workflow: first extracts /params.env from the workflow-input image into shared directory; second mints a GitHub token by running ghpat_server.py with mounted GitHub App credentials; third runs the main agent by sourcing shared params, configuring cloud/Anthropic environment variables, constructing the GitHub token, and executing gh auth setup-git followed by python3.11 main.py with Google ADC credentials mounted.

Sequence Diagram

sequenceDiagram
  participant WorkflowInput as workflow-input image
  participant TokenMinter as ghpat_server token minter
  participant AgentWorkflow as Agent workflow execution
  participant SharedDir as Shared parameters
  participant GitAuth as Git authentication
  participant GCPCreds as GCP credentials

  WorkflowInput->>SharedDir: Extract /params.env
  SharedDir->>AgentWorkflow: Load SHARED_DIR/params.env
  TokenMinter->>AgentWorkflow: Mint GH_TOKEN from GitHub App
  AgentWorkflow->>GCPCreds: Mount Google ADC credentials
  AgentWorkflow->>GitAuth: gh auth setup-git with GH_TOKEN
  GitAuth->>AgentWorkflow: Git authentication ready
  AgentWorkflow->>AgentWorkflow: python3.11 main.py with env vars

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes


Important

Pre-merge checks failed

Please resolve all errors before merging. Addressing warnings is optional.

❌ Failed checks (1 error)

Check name: No-Sensitive-Data-In-Logs
Status: ❌ Error
Explanation: PR exposes sensitive data to CI logs: Line 40 echoes params.env (containing EP_URL/internal hostname) without set +x protection, and line 49 exposes GitHub App ID to logs before set +x is enabled.
Resolution: Add set +x before line 40's cat command, and move lines 49-50 (GitHub App ID reads) after the set +x on line 51 to prevent credential exposure in logs.
✅ Passed checks (14 passed)
  • Description Check (✅ Passed): Check skipped - CodeRabbit’s high-level summary is enabled.
  • Title check (✅ Passed): The title directly and specifically describes the main change: using the gh-token-minter image for token minting in the oape-ai-e2e Prow workflow configuration, which aligns with the primary objective of the PR.
  • Docstring Coverage (✅ Passed): No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
  • Linked Issues check (✅ Passed): Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check (✅ Passed): Check skipped because no linked issues were found for this pull request.
  • Stable And Deterministic Test Names (✅ Passed): This PR modifies OpenShift Release CI configuration files, not Ginkgo test definitions. No Ginkgo tests exist in the PR. The CI step names are static and deterministic.
  • Test Structure And Quality (✅ Passed): PR modifies only YAML CI/operator configuration files, not Ginkgo test code. Custom check for test quality is not applicable to this PR.
  • Microshift Test Compatibility (✅ Passed): PR only modifies Prow CI YAML configuration, not Ginkgo e2e test files. The check applies only to new Ginkgo tests (It(), Describe(), etc.), which are not present in this PR.
  • Single Node Openshift (Sno) Test Compatibility (✅ Passed): PR modifies only a CI operator YAML configuration file, not Ginkgo e2e tests. No Go test files added or modified; custom check not applicable.
  • Topology-Aware Scheduling Compatibility (✅ Passed): File is a ci-operator CI/CD configuration, not a deployment manifest, operator, or controller. It contains no Kubernetes resource definitions or scheduling constraints affecting topology.
  • Ote Binary Stdout Contract (✅ Passed): PR only modifies YAML CI configuration; OTE Binary Stdout Contract check applies to Go test binaries, not CI/Prow job configuration files.
  • Ipv6 And Disconnected Network Test Compatibility (✅ Passed): PR modifies only CI/operator YAML configuration, not Ginkgo e2e tests. Custom check only applies to Ginkgo e2e test additions, not CI configuration files.
  • No-Weak-Crypto (✅ Passed): PR introduces no weak crypto (MD5, SHA1, DES, RC4, 3DES, Blowfish, ECB), removes custom bash JWT crypto, and delegates to external tool without implementing weak crypto patterns.
  • Container-Privileges (✅ Passed): No privilege escalation settings found in the CI operator YAML config: no privileged mode, hostPID/Network/IPC, SYS_ADMIN capability, or allowPrivilegeEscalation directives present.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
⚔️ Resolve merge conflicts
  • Resolve merge conflict in branch oape-ai-e2e/prow-workflow

Comment @coderabbitai help to get the list of available commands and usage tips.

@openshift-merge-bot

Contributor

@swghosh, pj-rehearse: unable to determine affected jobs. This could be due to a branch that needs to be rebased. ERROR:

couldn't prepare candidate: couldn't rebase candidate onto e7590ed747edf939c14c54aa1740a7cc79319130 due to conflicts
Interacting with pj-rehearse

Comment: /pj-rehearse to run up to 5 rehearsals
Comment: /pj-rehearse skip to opt-out of rehearsals
Comment: /pj-rehearse {test-name}, with each test separated by a space, to run one or more specific rehearsals
Comment: /pj-rehearse more to run up to 10 rehearsals
Comment: /pj-rehearse max to run up to 25 rehearsals
Comment: /pj-rehearse auto-ack to run up to 5 rehearsals, and add the rehearsals-ack label on success
Comment: /pj-rehearse list to get an up-to-date list of affected jobs
Comment: /pj-rehearse abort to abort all active rehearsals
Comment: /pj-rehearse network-access-allowed to allow rehearsals of tests that have the restrict_network_access field set to false. This must be executed by an openshift org member who is not the PR author

Once you are satisfied with the results of the rehearsals, comment: /pj-rehearse ack to unblock merge. When the rehearsals-ack label is present on your PR, merge will no longer be blocked by rehearsals.
If you would like the rehearsals-ack label removed, comment: /pj-rehearse reject to re-block merging.

@openshift-ci openshift-ci Bot requested review from mytreya-rh and rausingh-rh June 8, 2026 15:42
@openshift-ci openshift-ci Bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Jun 8, 2026

@coderabbitai coderabbitai Bot left a comment

Contributor


🧹 Nitpick comments (1)
ci-operator/config/openshift-eng/oape-ai-e2e/openshift-eng-oape-ai-e2e-main.yaml (1)

38-40: 💤 Low value

Consider removing the cat to avoid potential log exposure.

If params.env ever contains sensitive values (e.g., API endpoints with tokens, internal URLs), they will appear in CI logs. The cp already confirms successful extraction.

Suggested fix
      commands: |
        cp /params.env "${SHARED_DIR}/params.env"
-       cat "${SHARED_DIR}/params.env"
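Review bot: removing the cat leaves the step with no check that the copy produced a non-empty file; the cp exit status only covers the copy itself. If verification is wanted, a value-free check such as `test -s "${SHARED_DIR}/params.env"` after the cp confirms the file is present and non-empty without writing its contents to the log.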

Based on coding guidelines: "Never echo or print passwords, tokens, API keys, cluster URLs, or kubeconfig contents" in step registry scripts.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In
`@ci-operator/config/openshift-eng/oape-ai-e2e/openshift-eng-oape-ai-e2e-main.yaml`
around lines 38 - 40, The commands block currently copies then prints params.env
(the lines with cp /params.env "${SHARED_DIR}/params.env" and cat
"${SHARED_DIR}/params.env"); remove the cat "${SHARED_DIR}/params.env" to avoid
exposing sensitive values in CI logs and keep only the cp step (or, if you need
verification, replace the print with a non-sensitive existence check such as
testing the file presence via [ -s ] or ls) while leaving the cp and SHARED_DIR
usage unchanged.

Source: Coding guidelines


ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 0bb17a25-1085-45a5-9491-26a932fcfc10

📥 Commits

Reviewing files that changed from the base of the PR and between 92a93e9 and 1e7d1aa.

⛔ Files ignored due to path filters (2)
  • ci-operator/jobs/openshift-eng/oape-ai-e2e/openshift-eng-oape-ai-e2e-main-postsubmits.yaml is excluded by !ci-operator/jobs/**
  • ci-operator/jobs/openshift-eng/oape-ai-e2e/openshift-eng-oape-ai-e2e-main-presubmits.yaml is excluded by !ci-operator/jobs/**
📒 Files selected for processing (1)
  • ci-operator/config/openshift-eng/oape-ai-e2e/openshift-eng-oape-ai-e2e-main.yaml
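The extract-params step described in the PR summary, written the way the nitpick above and the No-Sensitive-Data-In-Logs check ask for. This is an added example, not the PR's own ci-operator commands: it copies params.env into SHARED_DIR, fails if the file is empty, logs only the key names, and sources the file with xtrace suspended so values such as EP_URL never reach the CI log. All paths and values below are constructed placeholders.

```shell
#!/bin/sh
# Added example: a log-safe extract-params step (not the PR's ci-operator commands).
set -eu

# Copy params.env into the shared directory and print only the variable names.
# Returns 1 when the source file is missing or empty, so a bad image fails fast.
extract_params() {
  src="$1"
  shared_dir="$2"
  [ -s "$src" ] || { echo "params file missing or empty: $src" >&2; return 1; }
  cp "$src" "$shared_dir/params.env"
  echo "params.env copied to $shared_dir; keys:"
  # Keys only: values may carry internal hostnames or tokens.
  sed -n 's/^\([A-Za-z_][A-Za-z0-9_]*\)=.*/  \1/p' "$shared_dir/params.env"
}

# Source params.env with xtrace turned off, then restore the caller's setting,
# so the assignments are not traced to the log when the step runs under set -x.
load_params() {
  shared_dir="$1"
  case $- in *x*) was_x=1 ;; *) was_x=0 ;; esac
  set +x
  . "$shared_dir/params.env"
  [ "$was_x" -eq 1 ] && set -x
  return 0
}

# Constructed sample run; the placeholder values stand in for the real image contents.
demo_dir="$(mktemp -d)"
mkdir -p "$demo_dir/shared"
printf 'EP_URL=https://placeholder.internal.example\nWORKFLOW=run-workflow\n' > "$demo_dir/params.env"
extract_params "$demo_dir/params.env" "$demo_dir/shared"
load_params "$demo_dir/shared"
echo "params loaded"
rm -rf "$demo_dir"
```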

@swghosh swghosh marked this pull request as draft June 8, 2026 18:08
@openshift-ci openshift-ci Bot added the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Jun 8, 2026
@openshift-ci openshift-ci Bot removed the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Jun 8, 2026
@openshift-merge-bot

Contributor

@swghosh, pj-rehearse: unable to determine affected jobs. This could be due to a branch that needs to be rebased. ERROR:

couldn't prepare candidate: couldn't rebase candidate onto 0495df244a0d6b561d1970d05e9a8cb27b472763 due to conflicts
Interacting with pj-rehearse

Comment: /pj-rehearse to run up to 5 rehearsals
Comment: /pj-rehearse skip to opt-out of rehearsals
Comment: /pj-rehearse {test-name}, with each test separated by a space, to run one or more specific rehearsals
Comment: /pj-rehearse more to run up to 10 rehearsals
Comment: /pj-rehearse max to run up to 25 rehearsals
Comment: /pj-rehearse auto-ack to run up to 5 rehearsals, and add the rehearsals-ack label on success
Comment: /pj-rehearse list to get an up-to-date list of affected jobs
Comment: /pj-rehearse abort to abort all active rehearsals
Comment: /pj-rehearse network-access-allowed to allow rehearsals of tests that have the restrict_network_access field set to false. This must be executed by an openshift org member who is not the PR author

Once you are satisfied with the results of the rehearsals, comment: /pj-rehearse ack to unblock merge. When the rehearsals-ack label is present on your PR, merge will no longer be blocked by rehearsals.
If you would like the rehearsals-ack label removed, comment: /pj-rehearse reject to re-block merging.

@openshift-ci

openshift-ci Bot commented Jun 8, 2026

Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: swghosh

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@swghosh swghosh marked this pull request as ready for review June 8, 2026 18:14
@openshift-ci openshift-ci Bot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Jun 8, 2026
@swghosh swghosh changed the title oape-ai-e2e: use gh-token-minter image for Prow workflow token minting [openshift-eng/oape-ai-e2e] Re-use gh-token-minter in workflow job Jun 8, 2026
@openshift-ci

openshift-ci Bot commented Jun 8, 2026

Contributor

@swghosh: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

  • ci/prow/prow-config-semantics: commit 1e7d1aa, required, rerun with /test prow-config-semantics
  • ci/prow/config: commit 1e7d1aa, required, rerun with /test config

Full PR test history. Your PR dashboard.


Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.
