[hack] Add z-stream-release-check.py pre-sprint planning tool #4045
mtnbikenc wants to merge 1 commit into
Skipping CI for Draft Pull Request.
[APPROVALNOTIFIER] This PR is NOT APPROVED
This pull-request has been approved by: mtnbikenc
Example output —
Actionable comments posted: 4
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In @.claude/commands/z-stream-release-check.md:
- Around line 16-19: The docs and script disagree: update
hack/z-stream-release-check.py so IMAGE HEALTH matches the markdown by (1)
treating images with Critical or Important CVEs as "action needed" (not
informational-only) when computing the grade/flag, and (2) showing the actual
"threshold crossing" date for images already below B instead of printing `--`.
Locate the reporting logic in functions named like generate_image_health_row or
format_image_health_table (and any CVE filter/threshold-check helper) and change
the CVE severity check to mark Critical/Important as degradations and remove the
code path that replaces threshold dates with `--` for degraded images so the
real threshold date is displayed.
In `@hack/z-stream-release-check.py`:
- Around line 1423-1426: When computing the previous OCP minor for pre-release
branches, don't compute prev_ocp_minor by decrementing ocp_parts_pr[1] (which
yields invalid values like "5.-1"); instead, find the previous released minor by
locating ocp_minor in the ordered list of branches/tags (all_tags) and taking
the immediate predecessor. Update the block that sets prev_ocp_minor and
base_tag (the code using ocp_minor, ocp_parts_pr, prev_ocp_minor and calling
_find_pre_release_base_tag) to look up the prior entry in the sorted/ordered
branch/tag sequence and pass that value to _find_pre_release_base_tag so
major-version rollovers are handled correctly.
- Around line 726-730: The except block around the call to _fetch_support_dates
currently swallows RuntimeError and sets support_dates = {}, which must instead
be treated as a fatal lifecycle API failure; update the except RuntimeError as
exc handler to log the error (same stderr message) and then call sys.exit(2) (or
re-raise) instead of assigning an empty dict so the process fails fast and does
not continue with empty support_dates.
- Around line 1620-1629: The fetch_unreleased_prs error path stores an "error"
in result["unreleased"] but the downstream branch-clear logic still treats that
branch as "No action needed"; update the decision at the branch disposition
point to check unreleased.get("error") and treat any non-empty error as a
non-clear state (or fail the run for critical API errors). Specifically, when
evaluating the "clear" condition that currently inspects unreleased["ahead_by"],
unreleased["total_prs"], etc., add a check like: if unreleased.get("error"):
mark the branch as needing attention (or raise/exit) so branches with failed
compare calls cannot be reported as ✓ No action needed; refer to
fetch_unreleased_prs, result["unreleased"], and the unreleased variable in that
decision logic to implement this.
📒 Files selected for processing (2)
- .claude/commands/z-stream-release-check.md
- hack/z-stream-release-check.py
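The last finding in the review above (a failed compare call must not end up as "No action needed"), sketched as an added example; this is not code from the PR. The function name, the 'attention' status and the inclusive 21-day boundary are assumptions; the "error" and "total_prs" keys and the reason labels come from the review and the commit message.

```python
from datetime import date, timedelta

SPRINT_LOOKAHEAD_DAYS = 21  # value given in the PR's commit message
HEALTHY_GRADES = {"A", "B"}


def branch_disposition(unreleased, grade, threshold_date, today):
    """Return (status, reasons); status is 'release', 'attention' or 'clear'.

    `unreleased` mirrors what the review calls result["unreleased"]; its exact
    shape in the script is an assumption.
    """
    # Fail closed: after a failed compare call the PR count is unknown, so the
    # branch must never fall through to "No action needed".
    if unreleased.get("error"):
        return "attention", ["compare failed: " + unreleased["error"]]

    reasons = []
    if unreleased.get("total_prs", 0) > 0:
        reasons.append("UNRELEASED PRs")
    if grade not in HEALTHY_GRADES:
        reasons.append("IMAGE GRADE")
    elif threshold_date is not None and threshold_date <= today + timedelta(
        days=SPRINT_LOOKAHEAD_DAYS
    ):
        reasons.append("UPCOMING GRADE")
    return ("release" if reasons else "clear"), reasons


def report(branches, today):
    """Map each branch name to its (status, reasons) pair."""
    return {
        name: branch_disposition(b["unreleased"], b["grade"], b["threshold"], today)
        for name, b in branches.items()
    }


# Constructed sample data (dates, grades and counts are not from the PR).
TODAY = date(2025, 1, 6)
BRANCHES = {
    "release-4.18": {"unreleased": {"error": "HTTP 502", "ahead_by": 0, "total_prs": 0},
                     "grade": "A", "threshold": date(2025, 3, 7)},
    "release-4.19": {"unreleased": {"ahead_by": 0, "total_prs": 0},
                     "grade": "A", "threshold": date(2025, 1, 16)},
    "release-4.20": {"unreleased": {"ahead_by": 0, "total_prs": 0},
                     "grade": "A", "threshold": date(2025, 3, 7)},
    "release-4.16": {"unreleased": {"ahead_by": 3, "total_prs": 2},
                     "grade": "C", "threshold": None},
}
```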
Introduces hack/z-stream-release-check.py and a companion Claude slash
command (.claude/commands/z-stream-release-check.md) for determining
which WMCO release branches need a z-stream release. Run before sprint
planning to produce a per-branch report covering image health,
unreleased PRs, and a concrete sprint recommendation.
Data sources
- Red Hat Container Catalog (catalog.redhat.com): WMCO operator image
freshness grades (A–F) and CVE vulnerability counts per branch.
Also fetches ubi9/ubi-minimal base image grade to assess whether a
rebuild would extend the grade window.
- OCP Lifecycle JSON API (access.redhat.com): EOM dates per OCP minor
version from the phases[] array. Uses EUS Term 2 end dates for OCP
4.18+ / WMCO 10.18+ when available; falls back to Maintenance
support end dates for all other releases.
- GitHub API (api.github.com): release branches, tags, and PR
metadata. Uses the Compare API to find commits on each branch since
its last release tag, then fetches per-PR file lists to filter
non-shipped changes.
- Jira (redhat.atlassian.net): open release Epics and Tasks in the
WINC project. Optional; requires JIRA_API_TOKEN + JIRA_USERNAME.
Shown as supplementary context only — does not affect
recommendations.
Branch classification
- In catalog (active): RHEL9 catalog entry exists; support status
determined by OCP lifecycle API.
- Pre-release: branch exists in GitHub but no release tags yet —
the newest branch still tracking master. Shown with [PRE-RELEASE];
skipped in image health and sprint recommendation. Use
--pre-release-prs to fetch and display unreleased PRs for it.
- Old EOM / pre-RHEL9: tagged but not in RHEL9 catalog (e.g.
release-4.17 and earlier). Hidden by default; shown with --all.
- OCP 4.x below 4.15: predates WMCO 10.x entirely; always classified
as old EOM without tag checks.
Image health (Container Health Index)
Grade A–F is time-based (age of oldest unpatched Critical/Important
erratum). Release recommendation triggers when:
- Grade is below B (C, D, E, or F) — image needs a rebuild now.
- Grade is A or B but will drop within SPRINT_LOOKAHEAD_DAYS (21
days) — sprint planning happens at sprint start; a release may
not ship until sprint end, so upcoming degradation must be acted
on now.
The Threshold Date column shows when the grade first crosses below B:
- For A/B images: the upcoming deadline.
- For already-degraded images: the column is suppressed since the
catalog API generates start_date dynamically from today.
CVE counts (C/I/M/L) are informational only and do not trigger
recommendations — the grade already encodes CVE timeliness.
Base image rebuild value (ext ✓ / same / ↓ / —) indicates whether
rebuilding from ubi9/ubi-minimal:latest would extend the grade
window; advisory only, does not trigger recommendations.
Unreleased PR detection
Uses the GitHub Compare API (tag...branch) to find merge commits
since the last release tag. Smart filtering excludes:
- Bot bump PRs by branch prefix: konflux/, mintmaker/, renovate/,
dependabot/. openshift-cherrypick-robot PRs are kept (they carry
real bug/CVE fixes).
- Bot PRs by GitHub login: openshift-bot, openshift-merge-robot,
openshift-ci-robot.
- Non-shipped PRs: PRs where every changed file matches test/,
docs/, or hack/ prefixes, or the CI skip-if-only-changed pattern
(ote/, .github/, .tekton/, *.md, root config files including
.coderabbit.yaml). Conservatively treated as shipped on fetch
failure.
- Version-bump PRs ("Update version to X.Y.Z"): shown as [INFO]
to indicate release prep has started but do not themselves
trigger a recommendation.
Any remaining non-bot, non-version-bump team PR triggers a release
recommendation.
Sprint recommendation logic (any one condition is sufficient)
✗ UNRELEASED PRs — shipped team PRs exist since the last release tag
✗ IMAGE GRADE — current grade below B (C/D/E/F)
⚠ UPCOMING GRADE — grade A/B now but drops within 21 days
Output modes
Default: four-section human-readable text report (RELEASE BRANCHES,
IMAGE HEALTH, UNRELEASED PULL REQUESTS, SPRINT RECOMMENDATION) with
ANSI color coding, auto-disabled when stdout is not a TTY.
--json: machine-readable JSON with all fields; progress suppressed.
--connectivity: probe all required APIs and exit.
--all: include past-EOM and pre-RHEL9 branches in output.
--branch BRANCH: restrict output to a single branch.
--pre-release-prs: fetch and display PRs for pre-release branches.
Other
- Progress feedback shown for all remote fetching; one dot per PR
detail + file-check round trip.
- Retry-enabled GET wrapper handles transient network failures.
- Paginated fetching for catalog images, GitHub branches, tags, and
PR file lists.
- Exit 0 on success regardless of recommendations; exit 2 on fatal
connectivity or API errors.
- OCP major → WMCO major mapping: ocp_major + 6 (OCP 4 → WMCO 10,
OCP 5 → WMCO 11), used throughout for tag patterns, Jira
fixVersion parsing, and support date lookups.
- EUS Term 2 eligibility: OCP 4.18+ (WMCO 10.18+) or any OCP 5.x+
when the lifecycle API provides an EUS Term 2 end date.
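The unreleased-PR filtering rules from the commit message above, as an added example rather than the script's own code. The prefix and login lists are copied from the message; the PR dict shape, the function names, the order of the checks and the title regex are assumptions.

```python
import fnmatch
import re

# Lists below are copied from the commit message; everything else is assumed.
BOT_BRANCH_PREFIXES = ("konflux/", "mintmaker/", "renovate/", "dependabot/")
BOT_LOGINS = {"openshift-bot", "openshift-merge-robot", "openshift-ci-robot"}
NON_SHIPPED_PREFIXES = ("test/", "docs/", "hack/", "ote/", ".github/", ".tekton/")
ROOT_CONFIG_FILES = {".coderabbit.yaml"}  # the only root config file the page names
VERSION_BUMP = re.compile(r"^Update version to \d+\.\d+\.\d+")


def is_non_shipped(files):
    """True only when every changed file is provably outside the shipped image.

    `files` is None when the file list could not be fetched; that case (and an
    empty list, an assumption here) counts as shipped so a fix is never hidden.
    """
    if not files:
        return False
    return all(
        path.startswith(NON_SHIPPED_PREFIXES)
        or fnmatch.fnmatch(path, "*.md")
        or path in ROOT_CONFIG_FILES
        for path in files
    )


def classify_pr(pr, files):
    """Return 'bot', 'info', 'non-shipped' or 'release' for one merged PR."""
    if pr["head_ref"].startswith(BOT_BRANCH_PREFIXES) or pr["login"] in BOT_LOGINS:
        return "bot"
    if VERSION_BUMP.match(pr["title"]):
        return "info"  # release prep has started; no recommendation by itself
    if is_non_shipped(files):
        return "non-shipped"
    return "release"  # any remaining team PR triggers a recommendation


# Constructed sample PRs; only the file names in the third entry are from this page.
SAMPLES = [
    ({"login": "example-bot", "head_ref": "renovate/go-deps", "title": "Bump deps"}, ["go.mod"]),
    ({"login": "openshift-cherrypick-robot", "head_ref": "cherry-pick-1-to-release-4.18",
      "title": "Fix service restart"}, ["pkg/daemon/service.go"]),
    ({"login": "dev1", "head_ref": "z-stream-check", "title": "[hack] Add planning tool"},
     [".claude/commands/z-stream-release-check.md", "hack/z-stream-release-check.py"]),
    ({"login": "dev1", "head_ref": "fix-1", "title": "Fix cert rotation"}, None),
    ({"login": "dev1", "head_ref": "bump", "title": "Update version to 10.18.3"}, ["Makefile"]),
]
RESULTS = [classify_pr(pr, files) for pr, files in SAMPLES]
```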
4ed0525 to 838f934
Summary
- hack/z-stream-release-check.py — a script for determining which WMCO release branches need a z-stream release before sprint planning
- .claude/commands/z-stream-release-check.md — a Claude slash command (/z-stream-release-check) that runs the script and interprets the output
What the script does
Fetches data from four sources and produces a four-section report:
- release-X.Y branch as active, pre-release, or old EOM; shows last release tag, publish date, and EOM date from the OCP lifecycle API; optionally shows open Jira release tickets
- ubi9/ubi-minimal base would extend the grade window
- [INFO])
Release recommendation logic
Any one condition is sufficient:
- ✗ UNRELEASED PRs — non-bot, shipped team PRs exist since the last tag
- ✗ IMAGE GRADE — current grade is C, D, E, or F
- ⚠ UPCOMING GRADE — grade is A/B but drops below B within 21 days
CVE counts are informational only and do not trigger a recommendation.
Usage
Optional env vars: GITHUB_TOKEN (avoid rate limiting), JIRA_API_TOKEN + JIRA_USERNAME (enable Jira release ticket tracking).
Test plan
- python3 hack/z-stream-release-check.py and verify output sections render correctly
- --json and verify valid JSON output with no progress noise on stdout
- --connectivity and verify all APIs report reachable
- --all and verify past-EOM branches appear
- --branch release-4.18 and verify single-branch output
🤖 Generated with Claude Code
Summary by CodeRabbit
New Features
Documentation