USHIFT-7211: MicroShift Manage Versions & Releases: Fix credentials for common versions update #81440

Open

pmtk wants to merge 1 commit into openshift:main from pmtk:rel-ver-job-fix

Conversation


@pmtk pmtk commented Jul 3, 2026

Member

Summary by CodeRabbit

This change updates the OpenShift CI step that runs MicroShift’s manage-versions/releases workflow.

In ci-operator/step-registry/openshift/microshift/manage-versions-releases/openshift-microshift-manage-versions-releases-commands.sh (the script that generates /tmp/run.sh), the job now loads and exports the GitHub App credentials (APP_ID and CLIENT_KEY) immediately after querying /tmp/releases.json. That ensures the publishing step (gen_gh_releases.sh ... publish ... --input /tmp/releases.json) has credentials available when the job proceeds to print/consume releases.json and run the release publication logic.

@openshift-ci openshift-ci Bot requested review from agullon and eslutsky July 3, 2026 11:06

openshift-ci Bot commented Jul 3, 2026

Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: pmtk

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci openshift-ci Bot added the `approved` label (Indicates a PR has been approved by an approver from all required OWNERS files.) Jul 3, 2026

coderabbitai Bot commented Jul 3, 2026

Contributor

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 15ee59e1-ee46-45d7-a772-3e854d147a2a

📥 Commits

Reviewing files that changed from the base of the PR and between b08c834 and 377273c.

📒 Files selected for processing (1)
  • ci-operator/step-registry/openshift/microshift/manage-versions-releases/openshift-microshift-manage-versions-releases-commands.sh
🚧 Files skipped from review as they are similar to previous changes (1)
  • ci-operator/step-registry/openshift/microshift/manage-versions-releases/openshift-microshift-manage-versions-releases-commands.sh

Walkthrough

The generated release script now exports APP_ID and CLIENT_KEY before printing /tmp/releases.json, with xtrace temporarily disabled around the credential reads.

Changes

Microshift release script

| Layer | File(s) | Summary |
|---|---|---|
| Credential export order | ci-operator/step-registry/openshift/microshift/manage-versions-releases/openshift-microshift-manage-versions-releases-commands.sh | In the /tmp/releases.json branch of the generated /tmp/run.sh, APP_ID and CLIENT_KEY are read and exported before cat /tmp/releases.json, with set +x/set -x wrapping the export operations. The publish command and input file remain unchanged. |

Estimated code review effort: 1 (Trivial) | ~5 minutes

🚥 Pre-merge checks | ✅ 15
✅ Passed checks (15 passed)
| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title accurately reflects the MicroShift manage-versions/releases credential fix for the common versions update. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Stable And Deterministic Test Names | ✅ Passed | Only a CI shell script changed; no Ginkgo test titles were added or modified. |
| Test Structure And Quality | ✅ Passed | PR only changes a ci-operator shell script; no Ginkgo test files or test code are touched, so the test-quality check is not applicable. |
| Microshift Test Compatibility | ✅ Passed | PR only changes a ci-operator shell script; no Ginkgo tests or MicroShift-unsupported APIs/features were added. |
| Single Node Openshift (Sno) Test Compatibility | ✅ Passed | PR only edits a ci-operator shell script; no new Ginkgo tests or node-topology assumptions were added, so SNO compatibility is not applicable. |
| Topology-Aware Scheduling Compatibility | ✅ Passed | Only a ci-operator shell script changed; it adds credential export timing, with no manifests/controllers or scheduling/topology constraints. |
| Ote Binary Stdout Contract | ✅ Passed | Only a ci-operator shell script changed; no OTE binary, main/suite setup, or process-level stdout writes were introduced. |
| Ipv6 And Disconnected Network Test Compatibility | ✅ Passed | Only a CI shell script changed; no new Ginkgo tests or IPv4/public-internet assumptions were added. |
| No-Weak-Crypto | ✅ Passed | PR only moves credential exports earlier in a shell script; no MD5/SHA1/DES/RC4/3DES/Blowfish/ECB, custom crypto, or secret comparisons were added. |
| Container-Privileges | ✅ Passed | Only a bash step script changed; the diff contains no container/K8s manifest fields like privileged, hostPID, hostNetwork, hostIPC, SYS_ADMIN, or allowPrivilegeEscalation. |
| No-Sensitive-Data-In-Logs | ✅ Passed | The diff disables xtrace around APP_ID/CLIENT_KEY export before catting releases.json, so secrets won’t be echoed; no new sensitive logging is introduced. |

Comment @coderabbitai help to get the list of available commands.

@coderabbitai coderabbitai Bot left a comment

Contributor


Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In
`@ci-operator/step-registry/openshift/microshift/manage-versions-releases/openshift-microshift-manage-versions-releases-commands.sh`:
- Around line 8-12: The rehearse dry-run handling in the
manage-versions-releases script was disabled, so `DRY_RUN` never gets set for
rehearse jobs. Restore the `JOB_NAME == rehearse*` guard in
`openshift-microshift-manage-versions-releases-commands.sh` so the step sets
`DRY_RUN="--dry-run"` only for rehearse runs; keep the existing `DRY_RUN`
variable and its use in the `publish`/`--create-pr` flow intact.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 01ff677d-6f88-46b0-ac3f-41538bcc85a0

📥 Commits

Reviewing files that changed from the base of the PR and between fc62cbb and 9745cb0.

📒 Files selected for processing (1)
  • ci-operator/step-registry/openshift/microshift/manage-versions-releases/openshift-microshift-manage-versions-releases-commands.sh

Comment on lines +8 to +12
DRY_RUN=""
if [[ "$JOB_NAME" == rehearse* ]]; then
echo "INFO: \$JOB_NAME starts with rehearse - running in DRY RUN mode"
DRY_RUN="--dry-run"
fi
#if [[ "$JOB_NAME" == rehearse* ]]; then
# echo "INFO: \$JOB_NAME starts with rehearse - running in DRY RUN mode"
# DRY_RUN="--dry-run"
#fi
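Review bot: commenting out the `JOB_NAME == rehearse*` guard leaves `DRY_RUN` as the empty string on every run, so a rehearsal of this step now reaches the real publish path instead of passing `--dry-run`. Either restore the guard, or delete the four commented-out lines rather than keeping them as dead code; if rehearsals are meant to publish for real, record that intent in a comment at that spot so the next reader does not re-add the guard.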

Contributor


🗄️ Data Integrity & Integration | 🔴 Critical | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

```bash
#!/bin/bash
set -euo pipefail

file='ci-operator/step-registry/openshift/microshift/manage-versions-releases/openshift-microshift-manage-versions-releases-commands.sh'
sibling='ci-operator/step-registry/openshift/microshift/publish-release-notes/openshift-microshift-publish-release-notes-commands.sh'

echo "== $file =="
cat -n "$file" | sed -n '1,140p'

echo
echo "== $sibling =="
cat -n "$sibling" | sed -n '1,120p'

echo
echo "== DRY_RUN references =="
rg -n 'DRY_RUN|rehearse\*|dry-run|create-pr|publish ' "$file" "$sibling"
```

Repository: openshift/release

Length of output: 7278


Restore rehearse dry-run handling

DRY_RUN is now always empty, so rehearse jobs will take the real publish and --create-pr paths instead of dry-run mode. Keep the JOB_NAME == rehearse* guard here unless this step never runs under rehearses.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In
`@ci-operator/step-registry/openshift/microshift/manage-versions-releases/openshift-microshift-manage-versions-releases-commands.sh`
around lines 8 - 12, The rehearse dry-run handling in the
manage-versions-releases script was disabled, so `DRY_RUN` never gets set for
rehearse jobs. Restore the `JOB_NAME == rehearse*` guard in
`openshift-microshift-manage-versions-releases-commands.sh` so the step sets
`DRY_RUN="--dry-run"` only for rehearse runs; keep the existing `DRY_RUN`
variable and its use in the `publish`/`--create-pr` flow intact.


pmtk commented Jul 3, 2026

Member Author

/pj-rehearse periodic-ci-openshift-microshift-release-4.22-periodics-update-versions-releases

@openshift-merge-bot

Contributor

@pmtk: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

@pmtk pmtk changed the title from "MicroShift Manage Versions & Releases: Move exports out of if" to "USHIFT-7211: MicroShift Manage Versions & Releases: Fix credentials for common versions update" Jul 3, 2026
@openshift-ci-robot openshift-ci-robot added the `jira/valid-reference` label (Indicates that this PR references a valid Jira ticket of any type.) Jul 3, 2026

openshift-ci-robot commented Jul 3, 2026

Contributor

@pmtk: This pull request references USHIFT-7211 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the bug to target the "5.0.0" version, but no target version was set.


In response to this:

Summary by CodeRabbit

This update adjusts the MicroShift manage-versions/releases CI job script to change how release publishing runs in OpenShift Release infrastructure.

  • It removes the conditional “rehearse” dry-run behavior, so the job now proceeds without setting --dry-run from JOB_NAME.
  • It also exports the GitHub app credentials earlier in the release-processing flow, before /tmp/releases.json is printed and consumed.

In practice, this changes how the MicroShift release-management step executes in CI, making the publish path behave more directly and ensuring the required credentials are available before release data is handled.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@pmtk pmtk force-pushed the rel-ver-job-fix branch 2 times, most recently from 7a6b2f3 to b08c834 on July 3, 2026 15:32

@coderabbitai coderabbitai Bot left a comment

Contributor


Actionable comments posted: 1

🧹 Nitpick comments (1)
ci-operator/step-registry/openshift/microshift/manage-versions-releases/openshift-microshift-manage-versions-releases-commands.sh (1)

58-58: 📐 Maintainability & Code Quality | 🔵 Trivial | 💤 Low value

Duplicate credential variable for the same key file.

CLIENT_KEY (Line 58) and KEY (Line 71) are both set to /tmp/key.pem. If both are truly required by different downstream consumers (gen_gh_releases.sh vs. generate_common_versions.py), a short comment clarifying why two separate env vars point at the same file would help avoid confusion for future maintainers.

Also applies to: 71-71

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In
`@ci-operator/step-registry/openshift/microshift/manage-versions-releases/openshift-microshift-manage-versions-releases-commands.sh`
at line 58, The script sets both CLIENT_KEY and KEY to the same key file, which
is confusing without context. In
openshift-microshift-manage-versions-releases-commands.sh, keep the two env vars
only if they are required by different consumers like gen_gh_releases.sh and
generate_common_versions.py, and add a brief inline comment near the
CLIENT_KEY/KEY assignments explaining that they intentionally reference the same
/tmp/key.pem for separate downstream tools.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In
`@ci-operator/step-registry/openshift/microshift/manage-versions-releases/openshift-microshift-manage-versions-releases-commands.sh`:
- Around line 56-59: Credential loading in the manage-versions-releases command
is happening while shell tracing is enabled, so the APP_ID assignment can leak
secret values into CI logs. In
openshift-microshift-manage-versions-releases-commands.sh, wrap the APP_ID and
CLIENT_KEY export/loading block with tracing disabled and then restore tracing
afterward, keeping the rest of the script’s set -euo pipefail behavior intact.
Use the existing shell setup in the script to scope the sensitive operations
only, and ensure no credential-derived values are echoed or traced.

---

Nitpick comments:
In
`@ci-operator/step-registry/openshift/microshift/manage-versions-releases/openshift-microshift-manage-versions-releases-commands.sh`:
- Line 58: The script sets both CLIENT_KEY and KEY to the same key file, which
is confusing without context. In
openshift-microshift-manage-versions-releases-commands.sh, keep the two env vars
only if they are required by different consumers like gen_gh_releases.sh and
generate_common_versions.py, and add a brief inline comment near the
CLIENT_KEY/KEY assignments explaining that they intentionally reference the same
/tmp/key.pem for separate downstream tools.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 8d6ccd7a-a917-4bb6-a408-66198c8c0bbd

📥 Commits

Reviewing files that changed from the base of the PR and between 9745cb0 and b08c834.

📒 Files selected for processing (1)
  • ci-operator/step-registry/openshift/microshift/manage-versions-releases/openshift-microshift-manage-versions-releases-commands.sh
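The tracing concern raised in the comment above (credential loading while `set -x` is active) and the `set +x`/`set -x` wrapping described in the Walkthrough come down to one bash behaviour: xtrace prints each command with its expansions to stderr, and a CI job captures stderr as its log. The following is an added example, not part of this PR or of the openshift/release step script; it reads a constructed credential file under both patterns, captures only the trace output, and checks which capture contains the value. The temp directory, the `app-id` file and its value are constructed stand-ins for a mounted CI secret.

```bash
#!/usr/bin/env bash
# Added example, not the openshift/release step script: shows how bash xtrace
# writes an expanded credential assignment to the log, and how wrapping the
# read in set +x / set -x (the pattern the PR adopts) keeps it out.
set -eu

# Constructed stand-in for a mounted CI secret; the value is made up.
WORKDIR="$(mktemp -d)"
trap 'rm -rf "$WORKDIR"' EXIT
printf '%s' 'app-id-constructed-123456' > "$WORKDIR/app-id"

# Leaky pattern: the assignment runs while xtrace is on, so bash prints the
# expanded value on stderr, which is exactly what a CI job keeps as its log.
# Prints the captured trace (stderr only) on stdout.
leaky_read() {
  bash -c 'set -x
           APP_ID="$(cat "$1")"; export APP_ID
           echo done' _ "$1" 2>&1 >/dev/null
}

# Hardened pattern: tracing is switched off for the credential block only and
# restored right after it, so the rest of the script stays traced.
guarded_read() {
  bash -c 'set -x
           set +x
           APP_ID="$(cat "$1")"; export APP_ID
           set -x
           echo done' _ "$1" 2>&1 >/dev/null
}

# Detection helper: returns 0 when the secret value appears anywhere in the
# captured trace, 1 otherwise. The same check works as a post-run log scan.
trace_leaks_secret() {
  local trace="$1" secret="$2"
  case "$trace" in
    *"$secret"*) return 0 ;;
  esac
  return 1
}

SECRET="$(cat "$WORKDIR/app-id")"
LEAKY_TRACE="$(leaky_read "$WORKDIR/app-id")"
GUARDED_TRACE="$(guarded_read "$WORKDIR/app-id")"

if trace_leaks_secret "$LEAKY_TRACE" "$SECRET"; then
  echo "xtrace on during the read: APP_ID value appears in the log"
fi
if ! trace_leaks_secret "$GUARDED_TRACE" "$SECRET"; then
  echo "set +x around the read: APP_ID value kept out of the log"
fi
```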

@pmtk pmtk force-pushed the rel-ver-job-fix branch from b08c834 to 377273c on July 3, 2026 17:18
@openshift-merge-bot

Contributor

[REHEARSALNOTIFIER]
@pmtk: the pj-rehearse plugin accommodates running rehearsal tests for the changes in this PR. Expand 'Interacting with pj-rehearse' for usage details. The following rehearsable tests have been affected by this change:

| Test name | Repo | Type | Reason |
|---|---|---|---|
| periodic-ci-openshift-microshift-release-4.22-periodics-update-versions-releases | N/A | periodic | Registry content changed |
| periodic-ci-openshift-microshift-release-4.21-periodics-update-versions-releases | N/A | periodic | Registry content changed |
| periodic-ci-openshift-microshift-release-5.0-periodics-update-versions-releases | N/A | periodic | Registry content changed |
Interacting with pj-rehearse

Comment: /pj-rehearse to run up to 5 rehearsals
Comment: /pj-rehearse skip to opt-out of rehearsals
Comment: /pj-rehearse {test-name}, with each test separated by a space, to run one or more specific rehearsals
Comment: /pj-rehearse more to run up to 10 rehearsals
Comment: /pj-rehearse max to run up to 25 rehearsals
Comment: /pj-rehearse auto-ack to run up to 5 rehearsals, and add the rehearsals-ack label on success
Comment: /pj-rehearse list to get an up-to-date list of affected jobs
Comment: /pj-rehearse abort to abort all active rehearsals
Comment: /pj-rehearse network-access-allowed to allow rehearsals of tests that have the restrict_network_access field set to false. This must be executed by an openshift org member who is not the PR author

Once you are satisfied with the results of the rehearsals, comment: /pj-rehearse ack to unblock merge. When the rehearsals-ack label is present on your PR, merge will no longer be blocked by rehearsals.
If you would like the rehearsals-ack label removed, comment: /pj-rehearse reject to re-block merging.


openshift-ci Bot commented Jul 3, 2026

Contributor

@pmtk: all tests passed!

Full PR test history. Your PR dashboard.


Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.
