Skip to content

ROSAENG-61450 | ci: add presubmit client image and go-toolset 1.26.5#3366

Open
amandahla wants to merge 1 commit into
openshift:masterfrom
amandahla:ROSAENG-61450-ci-clients
Open

ROSAENG-61450 | ci: add presubmit client image and go-toolset 1.26.5#3366
amandahla wants to merge 1 commit into
openshift:masterfrom
amandahla:ROSAENG-61450-ci-clients

Conversation

@amandahla

@amandahla amandahla commented Jul 13, 2026

Copy link
Copy Markdown
Contributor

PR Summary

Add a Prow presubmit client image (Dockerfile.clients), pin ci-operator build_root in .ci-operator.yaml, document CI images in AGENTS.md, align Dockerfiles to ubi9/go-toolset:1.26.5, and update Renovate to track all Dockerfiles.

go.mod stays at 1.26.3 so current Prow from: src jobs (Go 1.26.3, GOTOOLCHAIN=local) keep passing. Bump go.mod to 1.26.5 in a follow-up after openshift/release switches to rosa-clients.

Detailed Description of the Issue

ROSA presubmits run on ocp/builder via from: src. We need a repo-owned client image (RHCS-style) on go-toolset. ci-operator does not re-clone into custom images from images: unless clone: true, so Dockerfile.clients must COPY the PR tree (same lesson as terraform-provider-rhcs#1257). Without COPY, the follow-up release PR would fail with missing Makefile.

Related Issues and PRs

Type of Change

  • feat - adds a new user-facing capability.
  • fix - resolves an incorrect behavior or bug.
  • docs - updates documentation only.
  • style - formatting or naming changes with no logic impact.
  • refactor - code restructuring with no behavior change.
  • test - adds or updates tests only.
  • chore - maintenance work (tooling, housekeeping, non-product code).
  • build - changes build system, packaging, or dependencies for build output.
  • ci - changes CI pipelines, jobs, or automation workflows.
  • perf - improves performance without changing intended behavior.

Previous Behavior

Presubmit jobs use ocp/builder (from: src). No repo-local presubmit client Dockerfile or .ci-operator.yaml.

Behavior After This Change

  • Dockerfile.clients on go-toolset 1.26.5 with jq, COPY of the repo, and Prow-friendly permissions.
  • Product/E2E/Konflux Dockerfiles use ubi9/go-toolset:1.26.5-1783931515.
  • .ci-operator.yaml pins build_root to rhel-9-golang-1.26-openshift-4.23.
  • renovate.json tracks all ROSA Dockerfiles.
  • AGENTS.md documents CI images, COPY behavior, and Go bump checklist.
  • go.mod remains 1.26.3 until after the release PR.

How to Test (Step-by-Step)

Preconditions

  • podman or docker

Test Steps

  1. Build: podman build -f Dockerfile.clients -t rosa-clients:local .
  2. Prow-shaped (no bind-mount):
    podman run --rm -w /opt/app-root/src rosa-clients:local \
      bash -c 'export GOTOOLCHAIN=auto && make rosa'
  3. Renovate: npx --yes --package renovate -- renovate-config-validator
  4. Confirm current Prow build / lint / test still pass (from: src until release PR).

Expected Results

Image contains the repo; make rosa works without -v mounts. Bind-mount testing alone is not enough.

Proof of the Fix

  • podman build -f Dockerfile.clients succeeded with COPY.
  • Prow-shaped run (no bind-mount): make rosa succeeded.
  • Bare go-toolset without COPY: Makefile missing (confirms the failure mode).

Breaking Changes

  • No breaking changes
  • Yes, this PR introduces a breaking change (describe impact and migration plan below)

Developer Verification Checklist

  • Commit subject/title follows [JIRA-TICKET] | [TYPE]: <MESSAGE>.
  • PR description clearly explains both what changed and why.
  • Relevant Jira/GitHub issues and related PRs are linked.
  • make install-hooks has been run in this clone.
  • Tests were added/updated where appropriate.
  • I manually tested the change.
  • make test passes.
  • make lint passes.
  • make rosa passes.
  • Documentation or repo-local agent guidance was added/updated where appropriate.
  • Any risk, limitation, or follow-up work is documented.

@openshift-ci

openshift-ci Bot commented Jul 13, 2026

Copy link
Copy Markdown
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: amandahla

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci openshift-ci Bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Jul 13, 2026
@coderabbitai

coderabbitai Bot commented Jul 13, 2026

Copy link
Copy Markdown

Warning

Review limit reached

@amandahla, you've reached your PR review limit, so we couldn't start this review.

Next review available in: 9 minutes

Enable usage-based reviews in Billing to review now. Otherwise, wait until the next included review is available.

How can I continue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

To avoid repeated limits, reduce automatic review volume by pausing incremental auto-reviews earlier, using label-based review opt-in, excluding WIP or generated PR titles, or requesting reviews manually when the PR is ready. If your team needs uninterrupted high-volume reviews, an organization admin can enable usage-based reviews.

How do review limits work?

CodeRabbit enforces per-developer PR review limits for each organization. Most developers receive the normal plan review availability.

For paid Pro and Pro+ PR reviews, CodeRabbit uses adaptive limits for sustained high-volume activity. When a developer's recent PR review activity reaches the 95th percentile or higher among CodeRabbit users, additional reviews become available more gradually as earlier reviews age out of the rolling window.

Please refer docs for additional details.

Review details
⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 55c723cb-5490-49f9-8df8-5c4d0c80d268

📥 Commits

Reviewing files that changed from the base of the PR and between b522ca2 and ab75238.

📒 Files selected for processing (7)
  • .ci-operator.yaml
  • AGENTS.md
  • Dockerfile
  • Dockerfile.clients
  • images/Dockerfile.e2e
  • images/Dockerfile.konflux
  • renovate.json
📝 Walkthrough

Walkthrough

Updates the repository to Go 1.26.5 across module declarations and CI-related Dockerfiles, adds a Prow presubmit client image, and configures the OpenShift CI builder root image. Documentation now records CI image responsibilities and Go-version synchronization steps. Previously ignored govulncheck and Snyk findings are removed.

Possibly related issues

Possibly related PRs

  • openshift/rosa#3347 — Updates the same ubi9/go-toolset Docker build image tags across the repository.

Suggested reviewers: davidleerh, olucasfreitas, red-hat-konflux[bot], hunterkepley, gdbranco


Important

Pre-merge checks failed

Please resolve all errors before merging. Addressing warnings is optional.

❌ Failed checks (1 error, 1 warning)

Check name Status Explanation Resolution
Container-Privileges ❌ Error Dockerfile.clients leaves the final image as USER root with no switch to a non-root runtime, which trips the privilege check; no other privileged flags were added. Move root-only setup to build steps, then set a non-root UID/GID for the final image (and narrow safe.directory if needed).
Test Structure And Quality ⚠️ Warning New Ginkgo specs are focused, but many assertions are bare Expect(...).To(HaveOccurred()/BeNil()) checks without diagnostic context. Add contextual messages to the bare Gomega assertions in the new helper and e2e specs, especially the repeated HaveOccurred/BeNil checks.
✅ Passed checks (13 passed)
Check name Status Explanation
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names ✅ Passed The PR only changes .ci-operator.yaml, AGENTS.md, and Dockerfile.clients; no Ginkgo tests or titles were added or modified.
Microshift Test Compatibility ✅ Passed No new Ginkgo e2e tests were added; the PR only changes CI config, docs, and a Dockerfile.
Single Node Openshift (Sno) Test Compatibility ✅ Passed No new Ginkgo e2e tests were added; the PR only changes .ci-operator.yaml, AGENTS.md, and Dockerfile.clients.
Topology-Aware Scheduling Compatibility ✅ Passed No deployment manifests, operator code, or controllers changed; only CI config, docs, and a client image were added.
Ote Binary Stdout Contract ✅ Passed Diff is limited to .ci-operator.yaml, AGENTS.md, and Dockerfile.clients; no Go/test entrypoints or stdout-writing process code changed.
Ipv6 And Disconnected Network Test Compatibility ✅ Passed PR contains no Ginkgo e2e tests. Check applies only to new e2e tests; files modified are CI config (.ci-operator.yaml), documentation (AGENTS.md), and container build specification (Dockerfile.clie...
No-Weak-Crypto ✅ Passed Diff only adds build_root config, docs, and a Dockerfile installing jq; no MD5/SHA1/DES/RC4/3DES/Blowfish/ECB, custom crypto, or secret compares found.
No-Sensitive-Data-In-Logs ✅ Passed PASS: The patch only adds docs and a Dockerfile; changed files contain no logging statements or secret/PII dumps.
Title check ✅ Passed The title is concise and accurately summarizes the main change: adding a presubmit client image and bumping Go to 1.26.5.
Description check ✅ Passed The description fills the required template sections with problem context, related issues, behavior changes, test steps, and verification.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 3

🧹 Nitpick comments (1)
Dockerfile.clients (1)

6-7: 🔒 Security & Privacy | 🔵 Trivial | ⚡ Quick win

Make the jq installation reproducible.

dnf install jq resolves the repository’s current package at build time, allowing the CI toolchain to change between rebuilds. Pin an approved RPM version or document and verify the intended floating-update policy.

As per path instructions, unpinned downloads in container builds should be flagged.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@Dockerfile.clients` around lines 6 - 7, Update the jq installation in the
Dockerfile’s dnf command to use an approved, explicitly pinned RPM version
rather than resolving the latest repository package. Preserve the existing
weak-dependency and documentation options and cleanup step, and ensure the
selected version is available from the configured repositories.

Source: Path instructions

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@AGENTS.md`:
- Around line 75-80: Update the presubmit statement near the Dockerfile table to
describe rosa-clients execution as intended or future behavior, not as currently
active. Keep the deferred openshift/release wiring consistent with the PR
objective, or remove the statement until the follow-up release configuration
lands.

In `@Dockerfile.clients`:
- Around line 4-11: Update the Dockerfile user configuration so root is used
only for package installation and permission setup, then switch the final image
to the documented non-root UID after the existing mkdir/chgrp/chmod commands.
Ensure the final active USER is non-root and no later instruction restores root
privileges.
- Around line 8-14: Update the Git configuration setup in Dockerfile.clients to
avoid trusting every checkout and ensure it applies to the runtime environment:
replace the global wildcard safe.directory entry with a system-level entry for
/opt/app-root/src, adding other required checkout paths explicitly only if
needed.

---

Nitpick comments:
In `@Dockerfile.clients`:
- Around line 6-7: Update the jq installation in the Dockerfile’s dnf command to
use an approved, explicitly pinned RPM version rather than resolving the latest
repository package. Preserve the existing weak-dependency and documentation
options and cleanup step, and ensure the selected version is available from the
configured repositories.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 2e98f9cf-5546-4e22-bb94-c5684565d693

📥 Commits

Reviewing files that changed from the base of the PR and between b289754 and b522ca2.

📒 Files selected for processing (3)
  • .ci-operator.yaml
  • AGENTS.md
  • Dockerfile.clients

Comment thread AGENTS.md Outdated
Comment thread Dockerfile.clients
Comment thread Dockerfile.clients Outdated
@amandahla amandahla changed the title ROSAENG-61450 | ci: add presubmit client image and CI docs ROSAENG-61450 | ci: add presubmit client image and bump Go to 1.26.5 Jul 13, 2026
@amandahla amandahla force-pushed the ROSAENG-61450-ci-clients branch 3 times, most recently from 4aa03d2 to 397355b Compare July 13, 2026 18:24
@amandahla

Copy link
Copy Markdown
Contributor Author

Consider this in favor of #3359

@amandahla amandahla marked this pull request as draft July 13, 2026 18:40
@openshift-ci openshift-ci Bot added the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Jul 13, 2026
@amandahla amandahla force-pushed the ROSAENG-61450-ci-clients branch from 397355b to 868f6c5 Compare July 13, 2026 18:44
@amandahla amandahla changed the title ROSAENG-61450 | ci: add presubmit client image and bump Go to 1.26.5 ROSAENG-61450 | ci: add presubmit client image and go-toolset 1.26.5 Jul 13, 2026
@amandahla amandahla marked this pull request as ready for review July 13, 2026 18:45
@openshift-ci openshift-ci Bot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Jul 13, 2026
@openshift-ci openshift-ci Bot requested a review from olucasfreitas July 13, 2026 18:45
@amandahla

Copy link
Copy Markdown
Contributor Author

security issues are related to bumping Go, not to this PR

@amandahla

Copy link
Copy Markdown
Contributor Author

/hold

@openshift-ci openshift-ci Bot added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Jul 13, 2026
Add Dockerfile.clients for Prow presubmits, pin build_root via
.ci-operator.yaml, document CI images in AGENTS.md, align product/E2E
Dockerfiles to ubi9/go-toolset 1.26.5, and track those Dockerfiles in
renovate. Leave go.mod at 1.26.3 until openshift/release switches
presubmits to rosa-clients; then bump go.mod to 1.26.5.

Signed-off-by: Amanda Hager Lopes de Andrade Katz <amanda.katz@redhat.com>
Co-authored-by: Cursor <cursoragent@cursor.com>
Signed-off-by: Amanda Hager Lopes de Andrade Katz <amanda.katz@redhat.com>
Co-authored-by: Cursor <cursoragent@cursor.com>
@amandahla amandahla force-pushed the ROSAENG-61450-ci-clients branch from 868f6c5 to ab75238 Compare July 13, 2026 19:09
@amandahla

Copy link
Copy Markdown
Contributor Author

/unhold

@openshift-ci openshift-ci Bot removed the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Jul 13, 2026
@openshift-ci

openshift-ci Bot commented Jul 13, 2026

Copy link
Copy Markdown
Contributor

@amandahla: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name Commit Details Required Rerun command
ci/prow/security ab75238 link false /test security
ci/prow/govulncheck ab75238 link false /test govulncheck

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

approved Indicates a PR has been approved by an approver from all required OWNERS files. dco-signoff: yes

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant