Add updatecli policy to auto-sync charts and images from rke2-charts

[Copilot]

Implementation Complete ✓

• Analyze PR Sync chart and image versions with rancher/rke2-charts main #9555 and understand the required changes
• Review existing updatecli policies structure
• Understand the relationship between rke2 and rke2-charts
• Create updatecli policy configuration file to sync rke2-charts
• Create script to fetch chart versions and update files
• Refine policy to follow existing patterns
• Run code review
• Address code review feedback (string interpolation, K8s version constraints, YAML parsing)
• Final security check
• Address review feedback: Update K8s constraint to >= 1.31 < 1.36
• Add Dockerfile.windows update support
• Improve error checking and regex escaping
• Fix yq syntax errors for mikefarah/yq v4
• Add input validation for chart names
• Fix shell compatibility for updatecli execution
• Inline sync logic to eliminate external script dependency
• Fix bash here-string to POSIX sh pipe

Summary

Successfully created an automated updatecli policy that syncs chart and image versions from rancher/rke2-charts on a regular cadence.

Latest Fix (POSIX sh Pipe)

The inline script was using bash here-string syntax <<< "${variable}" which causes "redirection unexpected" error in /bin/sh (dash). Fixed by:

• Changed from done <<< "${image_pairs}" to echo "${image_pairs}" | while ... done
• Updated shebang from #!/bin/bash to #!/bin/sh to match what updatecli uses
• Now fully POSIX sh compatible

Files Modified

1. updatecli/updatecli.d/rke2-charts-sync.yml - UpdateCLI policy with POSIX sh compatible inline script
2. updatecli/scripts/sync_rke2_charts.sh - Script file (for manual testing)

Original prompt

Using #9555 as a reference, create an updateCLI policy that will automatically open similar PR's om a regular cadence, making sure to keep image and chart versions in sync with github.com/rancher/rke2-charts

---

✨ Let Copilot coding agent set things up for you — coding agent works faster and does higher quality work when set up for your repo.

[thomasferrandiz]

@copilot use the feedback from the core review

[Copilot]

@copilot use the feedback from the core review

Applied both feedback items from the code review:

1. Updated K8s version constraint to >= 1.31 < 1.36
2. Added Dockerfile.windows update support for CNI versions

See commit 0d2ef4f

[codecov-commenter]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 15.09%. Comparing base (ef385d4) to head (5f511b9).
⚠️ Report is 40 commits behind head on master.

Additional details and impacted files

@@            Coverage Diff             @@
##           master    #9556      +/-   ##
==========================================
+ Coverage   14.21%   15.09%   +0.88%     
==========================================
  Files          47       47              
  Lines        4031     4193     +162     
==========================================
+ Hits          573      633      +60     
- Misses       3418     3508      +90     
- Partials       40       52      +12     

Flag	Coverage Δ
unittests	15.09% <ø> (+0.88%)	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[cwayne18]

@copilot I tried to run this on my fork here: https://github.com/cwayne18/rke2/actions/runs/21919068113/job/63294062781 and it fails with a syntax error in the script on line 7

[Copilot]

@copilot I tried to run this on my fork here: https://github.com/cwayne18/rke2/actions/runs/21919068113/job/63294062781 and it fails with a syntax error in the script on line 7

Fixed in commit e1ad891. The issue was using jq-style yq syntax (--arg flags) when the environment uses mikefarah/yq v4 which has different syntax. Updated all yq commands to use yq eval with shell variable interpolation instead.

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

• https://api.github.com/repos/cwayne18/rke2/actions/jobs/63294062781/logs
  • Triggering command: /usr/bin/curl curl -s -L REDACTED (http block)
• rke2-charts.rancher.io
  • Triggering command: /usr/bin/curl curl -sfL REDACTED (dns block)

If you need me to access, download, or install something from one of these locations, you can either:

• Configure Actions setup steps to set up my environment, which run before the firewall is enabled
• Add the appropriate URLs or hosts to the custom allowlist in this repository's Copilot coding agent settings (admins only)

[cwayne18]

@copilot still fails: https://github.com/cwayne18/rke2/actions/runs/21920061053/job/63297534592

[Copilot]

@copilot still fails: https://github.com/cwayne18/rke2/actions/runs/21920061053/job/63297534592

Fixed in commit 907adf1. The issue was that updatecli executes shell scripts with /bin/sh (dash), not bash. The bash array syntax charts=() doesn't work in dash. Changed to use space-separated strings which are POSIX sh compatible.

[cwayne18]

@copilot still fails https://github.com/cwayne18/rke2/actions/runs/21920061053/job/63297534592

[Copilot]

@copilot still fails https://github.com/cwayne18/rke2/actions/runs/21920061053/job/63297534592

That workflow run (21920061053) is testing commit 5f511b9, which was before my POSIX sh fix in commit 907adf1. Please pull the latest changes and trigger a new workflow run to test the fix. The latest commit should resolve the shell syntax error.

[cwayne18]

@copilot

It did run successfully now, but even though it determined a sync is needed, no updatecli PR was opened. It seems to have failed with this:

The shell 🐚 command "/bin/sh /tmp/updatecli/bin/f9bea682cdfdc5755cb4de49830948097c41f3509802deb19a23e3a0c85792f5.sh" exited on error (exit code 127) with the following output:

---

command stderr output was:

bash: ./updatecli/scripts/sync_rke2_charts.sh: No such file or directory

---

https://github.com/cwayne18/rke2/actions/runs/21957552758/job/63425786984

[Copilot]

@copilot

It did run successfully now, but even though it determined a sync is needed, no updatecli PR was opened. It seems to have failed with this:
...

Fixed in commit 83f93c9. The script file didn't exist in the master branch (only in the PR branch). When updatecli executes targets with scmid: "rke2", it checks out the master branch. Embedded the entire sync logic inline in the YAML to eliminate the external script dependency.

[cwayne18]

@copilot now fails with:

/tmp/updatecli/bin/96c1f60049d01d3d0755f4e626057afde6a9da9b029a2646cdae3374d692617e.sh: 69: Syntax error: redirection unexpected

https://github.com/cwayne18/rke2/actions/runs/21958247519/job/63428291107

[Copilot]

@copilot now fails with:

/tmp/updatecli/bin/96c1f60049d01d3d0755f4e626057afde6a9da9b029a2646cdae3374d692617e.sh: 69: Syntax error: redirection unexpected
...

Fixed in commit 52bbcff. The bash here-string syntax <<< "${variable}" doesn't work in /bin/sh. Changed to use echo "${variable}" | while ... done which is POSIX sh compatible.

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

• https://api.github.com/repos/cwayne18/rke2/actions/jobs/63428291107/logs
  • Triggering command: /usr/bin/curl curl -s REDACTED (http block)

If you need me to access, download, or install something from one of these locations, you can either:

• Configure Actions setup steps to set up my environment, which run before the firewall is enabled
• Add the appropriate URLs or hosts to the custom allowlist in this repository's Copilot coding agent settings (admins only)