RHAIENG-2487: add sample AWS ec2 job

[ktdreyer]

Introduce a new job that runs on an ephemeral AWS ec2 runner.

In a future commit we will fill out the test commands.

Summary by CodeRabbit

• Chores
  • Added a new "OpenShift Docling E2E" CI workflow to run lightweight end-to-end checks; can be triggered manually or on push to main/branch.
  • Workflow provisions a temporary cloud-based runner (EC2), runs the E2E job, then reliably stops and cleans up the runner after completion.

_{✏️ Tip: You can customize this high-level summary in your review settings.}

[coderabbitai]

Walkthrough

Adds a new GitHub Actions workflow that provisions an EC2-based self-hosted runner via OIDC/AWS, runs an OpenShift docling E2E job on that runner, then stops the EC2 instance as a cleanup step.

Changes

Cohort / File(s)	Summary
GitHub Actions workflow /.github/workflows/openshift-docling-e2e.yaml	New workflow with three jobs: launch-ec2-runner (assume-role via OIDC, start EC2 runner, outputs label and instance-id), openshift-docling-e2e (runs on the provisioned EC2-labeled runner and executes steps), and stop-ec2-runner (always runs to stop the EC2 instance). Defines INSTANCE_TYPE, AZ/AMI/subnet/security-group mappings, block-device mappings, and AWS tags.

Sequence Diagram(s)

sequenceDiagram
    participant GH as GitHub Actions
    participant OIDC as GitHub OIDC
    participant AWS as AWS (STS / EC2)
    participant Runner as EC2 Self-hosted Runner

    GH->>OIDC: Request OIDC token (workflow)
    OIDC-->>GH: Return token
    GH->>AWS: Assume IAM role using token (STS)
    AWS-->>GH: Return temporary credentials
    GH->>AWS: Start EC2 instance (AMI, subnet, tags) -> returns instance-id & label
    AWS-->>GH: Provide instance metadata
    GH->>Runner: Dispatch `openshift-docling-e2e` job to runner label
    Runner-->>GH: Checkout repo, run steps, emit logs
    GH->>AWS: stop-ec2-runner job calls stop/terminate with instance-id
    AWS-->>GH: Stop/terminate instance (cleanup)

Loading

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

• Verify OIDC role assumption configuration and permissions scope
• Check AMI / subnet / security-group / AZ mappings and block-device mappings
• Confirm outputs (label, ec2-instance-id) are produced and consumed correctly across jobs
• Validate stop-ec2-runner runs if: always() and uses correct inputs/secrets

Poem

🐰
I hopped online at dawn's first light,
Brought an EC2 runner into the night,
Tests danced, logs whispered tight,
Then I padded home and powered out the light,
Fields clean, I munched a carrot bite 🥕

Pre-merge checks and finishing touches

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately describes the main change: introduction of a new AWS EC2 job workflow, which is the primary purpose of the changeset.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

✨ Finishing touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch ec2-github-runner-RHAIENG-2487

---

📜 Recent review details

Configuration used: defaults

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 14dbd2b and fa056ec.

📒 Files selected for processing (1)

• .github/workflows/openshift-docling-e2e.yaml (1 hunks)

🚧 Files skipped from review as they are similar to previous changes (1)

• .github/workflows/openshift-docling-e2e.yaml

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (12)

• GitHub Check: e2e-test (v1.26.15)
• GitHub Check: e2e-test (v1.27.16)
• GitHub Check: e2e-test (v1.28.15)
• GitHub Check: e2e-test (v1.31.4)
• GitHub Check: e2e-test (v1.25.16)
• GitHub Check: e2e-test (v1.32.0)
• GitHub Check: e2e-test (v1.30.8)
• GitHub Check: e2e-test (v1.29.12)
• GitHub Check: e2e-test (v1.24.17)
• GitHub Check: build-helm-chart
• GitHub Check: code-check
• GitHub Check: build-spark-operator

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[ktdreyer]

I've left this in for easy testing. You can remove it.

[coderabbitai]

Actionable comments posted: 4

🧹 Nitpick comments (1)

.github/workflows/openshift-docling-e2e.yaml (1)

90-113: Consider handling the case where launch-ec2-runner fails.

The stop-ec2-runner job uses if: always() to ensure cleanup, which is good. However, if the launch-ec2-runner job fails before successfully starting an instance, the outputs label and ec2-instance-id will be empty, potentially causing this job to fail with confusing error messages.

While there's no instance to stop if launch fails, consider adding a conditional check to improve error handling and clarity.

🔎 Proposed enhancement

  stop-ec2-runner:
    permissions:
      id-token: write # This is required for OIDC (AWS auth)
      contents: read
    needs:
      - launch-ec2-runner
      - openshift-docling-e2e
    runs-on: ubuntu-latest
-   if: ${{ always() }}
+   if: ${{ always() && needs.launch-ec2-runner.outputs.ec2-instance-id != '' }}
    steps:

This ensures the stop job only runs if an instance was actually created.

📜 Review details

Configuration used: defaults

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 8714a45 and ff08646.

📒 Files selected for processing (1)

• .github/workflows/openshift-docling-e2e.yaml (1 hunks)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (3)

• GitHub Check: e2e-test (v1.27.16)
• GitHub Check: build-helm-chart
• GitHub Check: launch-ec2-runner

🔇 Additional comments (6)

.github/workflows/openshift-docling-e2e.yaml (6)

10-13: Acknowledged: Future use input defined.

The pr_or_branch input is defined but not yet utilized in the workflow. This aligns with the PR description indicating that test commands will be filled out in future commits.

---

19-25: LGTM!

The environment variable and shell defaults are configured appropriately.

---

38-39: LGTM!

Repository checkout is appropriately configured.

---

41-46: LGTM!

AWS credentials configuration using OIDC is properly set up with appropriate permissions and session naming for CloudTrail tracking.

---

84-88: LGTM!

The placeholder test commands are appropriate given the PR description states that "the test commands will be filled out" in a future commit.

---

100-105: LGTM!

AWS credentials configuration for the cleanup job is correctly configured and consistent with the launch job.

[shruthis4]

LGTM

[ktdreyer]

I found an error in the push settings. I fixed that here: #16