15 changes: 7 additions & 8 deletions .github/workflows/Dockerfile.ci
Expand Up @@ -38,17 +38,16 @@ COPY ansible_pip_requirements.txt /tmp/ansible_pip_requirements.txt
RUN pip3 install --no-cache-dir -r /tmp/ansible_pip_requirements.txt && \
rm /tmp/ansible_pip_requirements.txt

# Pre-install Ansible Galaxy collections
# Pre-install Ansible Galaxy collections to a shared location
COPY ansible_collections.txt /tmp/ansible_collections.txt
RUN ansible-galaxy collection install -r /tmp/ansible_collections.txt && \
RUN ansible-galaxy collection install -r /tmp/ansible_collections.txt \
-p /usr/local/share/ansible/collections && \
rm /tmp/ansible_collections.txt

# Symlink collections to /usr/local for system-wide access
RUN mkdir -p /usr/local/share/ansible/collections && \
ln -s /root/.ansible/collections/ansible_collections /usr/local/share/ansible/collections/ansible_collections

# Set environment variable for Ansible to find collections
ENV ANSIBLE_COLLECTIONS_PATH=/usr/local/share/ansible/collections:/root/.ansible/collections
# Ansible configuration for non-root containers (e.g. Prow CI)
ENV ANSIBLE_COLLECTIONS_PATH=/usr/local/share/ansible/collections \
ANSIBLE_REMOTE_TMP=/tmp/.ansible/tmp \
HOME=/tmp

# Set working directory
WORKDIR /workspace
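Review bot: `HOME=/tmp` in the new ENV block makes every `~`-relative path Ansible and its helpers use (the default ANSIBLE_LOCAL_TEMP `~/.ansible/tmp`, galaxy and fact caches, `~/.ssh/known_hosts`) resolve straight into a shared, world-writable directory, and ANSIBLE_REMOTE_TMP is likewise a fixed path there. A dedicated directory narrows that, e.g. `RUN mkdir -p /tmp/home && chmod 1777 /tmp/home` before the ENV line and `HOME=/tmp/home`, with a comment stating that root's HOME is overridden because the Prow runtime UID is not root. Note also that ANSIBLE_COLLECTIONS_PATH no longer lists a user-writable entry, so a runtime `ansible-galaxy collection install` without `-p` would presumably target `/usr/local/share/ansible/collections` and fail for a non-root user; if that is intended, the comment above the ENV block should say so.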
11 changes: 11 additions & 0 deletions Makefile.ci
Expand Up @@ -23,6 +23,7 @@ include Makefile
.PHONY: validate validate-shell validate-yaml validate-json-schema validate-ansible \
validate-tags validate-templates validate-mirror validate-makefile validate-plugins \
build-ci-image push-ci-image test-ci-image build-push-ci-image \
build-tarball build-push-tarball \
deploy-cluster-pre-install-validate \
environment provision-landing-zone verify-landing-zone \
install-enclave verify-enclave-installation \
Expand Down Expand Up @@ -242,6 +243,16 @@ validate-makefile:
validate-plugins:
@./scripts/verification/validate.sh plugins

# --- Tarball targets ---

# Build distribution tarball (used by ci-operator container test)
build-tarball:
@./scripts/ci/build_tarball.sh build

# Build and push tarball to Quay (postsubmit)
build-push-tarball:
@./scripts/ci/build_tarball.sh build-push

# --- CI Image targets ---

build-ci-image:
20 changes: 20 additions & 0 deletions OWNERS
@@ -0,0 +1,20 @@
approvers:
- agonzalezrh
- carbonin
- danielerez
- eliorerz
- eurijon
- javipolo
- maorfr
- mlorenzofr
- rporres
reviewers:
- agonzalezrh
- carbonin
- danielerez
- eliorerz
- eurijon
- javipolo
- maorfr
- mlorenzofr
- rporres
119 changes: 119 additions & 0 deletions scripts/ci/build_tarball.sh
@@ -0,0 +1,119 @@
#!/usr/bin/env bash
# Build and optionally push the enclave distribution tarball.
#
# Usage:
# scripts/ci/build_tarball.sh build # Build and validate only
# scripts/ci/build_tarball.sh build-push # Build, validate, and push to Quay

set -euo pipefail

ACTION="${1:-build}"
⚠️ Potential issue | 🟡 Minor

Fail fast on invalid ACTION before building artifacts.

Invalid values currently run build+validation first, then fail at the end. Validate ACTION immediately after parsing.

🛠️ Proposed fix
 ACTION="${1:-build}"
+case "$ACTION" in
+    build|build-push) ;;
+    *)
+        echo "Unknown action: $ACTION"
+        echo "Usage: $0 build|build-push"
+        exit 1
+        ;;
+esac
@@
 if [ "$ACTION" = "build-push" ]; then
@@
 elif [ "$ACTION" = "build" ]; then
     echo "Tarball built: $TARBALL"
-else
-    echo "Unknown action: $ACTION"
-    echo "Usage: $0 build|build-push"
-    exit 1
 fi

Also applies to: 23-33, 99-118

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@scripts/ci/build_tarball.sh` at line 10, Validate the ACTION variable
immediately after it's parsed (the ACTION="${1:-build}" assignment) and fail
fast on invalid values instead of running build steps; add an explicit check
(e.g., a case or allowed-list test) right after that assignment to verify ACTION
is one of the permitted values and call exit 1 with a clear error message if
not, and apply the same early validation logic to the other ACTION-handling
blocks referenced in the script (the logic currently around the blocks
corresponding to the 23-33 and 99-118 sections) so no build or validation steps
run before the script rejects an invalid ACTION.


TAG="${TARBALL_TAG:-$(git rev-parse --short HEAD 2>/dev/null || echo dev)}"
TARBALL="enclave.tar.gz"
MAX_SIZE=1073741824 # 1GB

# --- Build ---

cleanup() {
rm -f .version /tmp/tarball-contents.txt
}
trap cleanup EXIT

echo "Building distribution tarball..."
echo -n "$TAG" > .version

tar --exclude='.git' --exclude='.gitignore' --exclude='.github' --exclude='scripts' \
--exclude='Makefile.ci' --exclude="$TARBALL" \
-czvf "/tmp/$TARBALL" .
mv "/tmp/$TARBALL" .

echo ""
echo "Validating tarball..."

# Check size
SIZE=$(stat -c%s "$TARBALL")
echo "Tarball size: $(numfmt --to=iec-i --suffix=B "$SIZE")"
if [ "$SIZE" -gt "$MAX_SIZE" ]; then
echo "Error: Tarball exceeds 1GB"
exit 1
fi

# Extract file list
tar -tzf "$TARBALL" > /tmp/tarball-contents.txt

# Check required files
REQUIRED_FILES=(".version" "Makefile")
for file in "${REQUIRED_FILES[@]}"; do
if ! grep -q "^\./${file}$" /tmp/tarball-contents.txt; then
echo "Error: Required file '${file}' not found in tarball"

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

cat >/tmp/grep-check.txt <<'EOF'
./agit/example.txt
./.github/workflows/x.yml
EOF

echo "Current regex check (should NOT match .git/, but does):"
if grep -q '^\./.git/' /tmp/grep-check.txt; then
  echo "false-positive reproduced"
else
  echo "no match"
fi

echo "Fixed string check:"
if grep -Fq './.git/' /tmp/grep-check.txt; then
  echo "matched"
else
  echo "correctly no match"
fi

Repository: rh-ecosystem-edge/enclave

Length of output: 189


🏁 Script executed:

sed -n '40,80p' scripts/ci/build_tarball.sh

Repository: rh-ecosystem-edge/enclave

Length of output: 1316


🏁 Script executed:

# Also check the variable assignments for REQUIRED_FILES and EXCLUDED_PATHS
grep -n "REQUIRED_FILES\|EXCLUDED_PATHS" scripts/ci/build_tarball.sh

Repository: rh-ecosystem-edge/enclave

Length of output: 258


Use fixed-string matching for tarball path assertions.

Lines 48 and 72 interpolate filenames/paths into regex patterns without escaping. Entries like .version, .git/, and .github/ contain unescaped . metacharacters that match any character, causing false positives. The shell test demonstrates that grep -q "^\./.git/" incorrectly matches ./agit/example.txt.

🛠️ Proposed fix
 for file in "${REQUIRED_FILES[@]}"; do
-    if ! grep -q "^\./${file}$" /tmp/tarball-contents.txt; then
+    if ! grep -Fxq "./${file}" /tmp/tarball-contents.txt; then
         echo "Error: Required file '${file}' not found in tarball"
         head -20 /tmp/tarball-contents.txt
         exit 1
@@
 for path in "${EXCLUDED_PATHS[@]}"; do
-    if grep -q "^\./${path}" /tmp/tarball-contents.txt; then
+    if grep -Fq "./${path}" /tmp/tarball-contents.txt; then
         echo "Error: Excluded path '${path}' found in tarball"
         exit 1
     fi
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@scripts/ci/build_tarball.sh` around lines 47 - 49, The grep check in the loop
uses a regex with unescaped metacharacters (grep -q "^\./${file}$") which causes
false matches for names like ".git"; change to fixed-string, whole-line matching
by using grep with -F and -x (or --fixed-strings and --line-regexp) against
"./${file}" when checking /tmp/tarball-contents.txt; apply the same change
wherever the script uses the regex pattern (e.g., the loop over REQUIRED_FILES
and the similar check near line 72) and keep references to the variables
REQUIRED_FILES, file and the target file /tmp/tarball-contents.txt so the checks
match exact paths only.

head -20 /tmp/tarball-contents.txt
exit 1
fi
echo " Found ${file}"
done

# Check required directories (only if they exist in source)
REQUIRED_DIRS=("playbooks" "operators" "configs")
for dir in "${REQUIRED_DIRS[@]}"; do
if [ -d "$dir" ]; then
if ! grep -q "^\./${dir}/" /tmp/tarball-contents.txt; then
echo "Error: Required directory '${dir}/' not found in tarball"
head -20 /tmp/tarball-contents.txt
exit 1
fi
echo " Found ${dir}/"
fi
done

# Check excluded paths are absent
EXCLUDED_PATHS=(".git/" ".github/" "Makefile.ci" "scripts/")
for path in "${EXCLUDED_PATHS[@]}"; do
if grep -q "^\./${path}" /tmp/tarball-contents.txt; then
echo "Error: Excluded path '${path}' found in tarball"
exit 1
fi
echo " ${path} correctly excluded"
done

# Validate file counts for critical directories
echo "Validating file counts..."
for dir in "${REQUIRED_DIRS[@]}"; do
if [ -d "$dir" ]; then
SOURCE_COUNT=$(find "$dir" -type f | wc -l)
TARBALL_COUNT=$(grep "^\./${dir}/" /tmp/tarball-contents.txt | grep -v '/$' | wc -l)
echo " ${dir}/: source=${SOURCE_COUNT}, tarball=${TARBALL_COUNT}"
if [ "$SOURCE_COUNT" -ne "$TARBALL_COUNT" ]; then
echo "Error: File count mismatch in ${dir}/"
echo " Expected: ${SOURCE_COUNT} files"
echo " Found in tarball: ${TARBALL_COUNT} files"
exit 1
fi
fi
done

echo "Tarball validation passed"

# --- Push (optional) ---

if [ "$ACTION" = "build-push" ]; then
if [ -z "${QUAY_USER:-}" ] || [ -z "${QUAY_TOKEN:-}" ]; then
echo "Error: QUAY_USER and QUAY_TOKEN must be set"
exit 1
fi

echo "$QUAY_TOKEN" | podman login quay.io -u "$QUAY_USER" --password-stdin

echo "Pushing tarball with tag: $TAG"
oras push "quay.io/edge-infrastructure/enclave:${TAG}" \
"${TARBALL}:application/vnd.oci.image.layer.v1.tar+gzip"

rm -f "$TARBALL"
echo "Tarball pushed successfully"
elif [ "$ACTION" = "build" ]; then
echo "Tarball built: $TARBALL"
else
echo "Unknown action: $ACTION"
echo "Usage: $0 build|build-push"
exit 1
fi
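Review bot: The script writes to fixed, predictable names in the shared /tmp — `/tmp/$TARBALL` on the tar line and `/tmp/tarball-contents.txt` on the `tar -tzf` line and in every grep after it — so if the CI job ever shares /tmp with another process, a file or symlink pre-created at those paths would be written through by tar and by the `>` redirect; a private `mktemp -d` directory avoids that and is removed as a unit by `cleanup`. Separately, GNU tar's `--exclude` patterns are unanchored by default, so `--exclude='scripts'` also drops any nested directory named `scripts` (for example under playbooks/), which the later file-count loop would then report as a mismatch; prefixing the root-level patterns with `./` anchors them to the archive root. The fence shows the changed lines; each remaining `/tmp/tarball-contents.txt` reference becomes `"$CONTENTS"`.
```shell
# … unchanged: ACTION, TAG, TARBALL, MAX_SIZE …

# Private scratch directory: fixed names in the shared /tmp could be
# pre-created (or symlinked) by another process and written through.
WORK_DIR=$(mktemp -d)
CONTENTS="$WORK_DIR/tarball-contents.txt"

cleanup() {
    rm -f .version
    rm -rf -- "${WORK_DIR:?}"
}
trap cleanup EXIT

# … unchanged: "Building distribution tarball..." and the .version write …

# GNU tar's --exclude is unanchored by default (a bare 'scripts' would also
# drop playbooks/**/scripts); the ./ prefix anchors the root-level entries.
tar --exclude='.git' --exclude='.gitignore' --exclude='./.github' --exclude='./scripts' \
    --exclude='./Makefile.ci' --exclude="./$TARBALL" \
    -czvf "$WORK_DIR/$TARBALL" .
mv "$WORK_DIR/$TARBALL" .

# … unchanged: size check …

tar -tzf "$TARBALL" > "$CONTENTS"
# … unchanged: REQUIRED_FILES / REQUIRED_DIRS / EXCLUDED_PATHS / count loops,
#   with every /tmp/tarball-contents.txt replaced by "$CONTENTS" …
```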