CNTRLPLANE-2986: feat(ci): Add self-hosted GitHub Actions runners for HyperShift #7980
@bryan-cox: This pull request references CNTRLPLANE-2986 which is a valid jira issue. Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.22.0" version, but no target version was set. DetailsIn response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
📝 Walkthrough
This pull request establishes infrastructure for self-hosted GitHub Actions runners. It introduces a specialized GitHub Actions runner container image with prebuilt development tools (Go, linting tools, kubectl, OpenShift client). The build system is updated to detect and use prebuilt tools from the CI image rather than building locally, with version verification. Four new GitHub Actions workflows are added to run linting, codespell, git commit, and container sync checks. A Helm values file configures the runner deployment with resource constraints and topology spreading. Supporting documentation details the runner setup and operation. A minor environment variable is added to the control-plane Dockerfile.
|
Skipping CI for Draft Pull Request. |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: bryan-cox The full list of commands accepted by this bot can be found here. The pull request process is described here DetailsNeeds approval from an approver in each of these files:
Approvers can indicate their approval by writing |
🧹 Nitpick comments (2)
hack/github-actions-runner/values.yaml (2)
11-11: Consider moving the runner image to an organization-owned registry.
The image `quay.io/rh_ee_brcox/arc-runner` is hosted under a personal Quay account. For a production CI setup in the `openshift/hypershift` repository, consider hosting the image under an organization-owned registry (e.g., `quay.io/openshift` or `quay.io/hypershift`) to ensure long-term availability and access control.
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In `@hack/github-actions-runner/values.yaml` at line 11, The Helm values file references a runner image under a personal Quay account (the image string "quay.io/rh_ee_brcox/arc-runner@sha256:3e94ec8a185ff7e30e7947d02eb6b21ef1543e44e8f6f95b6335d0ea6a905e31"); update this to an organization-owned registry image (for example "quay.io/openshift/arc-runner:sha256-..." or "quay.io/hypershift/arc-runner:..."), push the image to the chosen org registry, and replace the image value in values.yaml to point to that organization-owned image so the repo uses a stable, org-managed image.
7-19: Security context is missing from the pod spec.
The README documents security hardening (non-root user, dropped capabilities, seccomp profile), but these settings are not defined in this values file. If these are expected to be applied via OpenShift's SCCs, consider documenting this explicitly or adding them here for portability.
Example security context addition
```yaml
template:
  spec:
    securityContext:
      runAsNonRoot: true
      seccompProfile:
        type: RuntimeDefault
    containers:
      - name: runner
        image: quay.io/rh_ee_brcox/arc-runner@sha256:3e94ec8a185ff7e30e7947d02eb6b21ef1543e44e8f6f95b6335d0ea6a905e31
        command: ["/home/runner/run.sh"]
        securityContext:
          allowPrivilegeEscalation: false
          capabilities:
            drop:
              - ALL
        resources:
          requests:
            cpu: "4"
            memory: "16Gi"
          limits:
            cpu: "4"
            memory: "16Gi"
```
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In `@hack/github-actions-runner/values.yaml` around lines 7 - 19, Add the recommended pod and container security context settings to the Helm values under template.spec to match the README hardening: add template.spec.securityContext with runAsNonRoot: true and seccompProfile.type: RuntimeDefault, and on the runner container (the item with name: runner) add a securityContext that sets allowPrivilegeEscalation: false and drops capabilities (capabilities.drop: [ALL]); alternatively document that these are intentionally left to OpenShift SCCs if you want to keep them out of values.yaml.
ℹ️ Review info
⚙️ Run configuration
Configuration used: Repository YAML (base), Organization UI (inherited)
Review profile: CHILL
Plan: Pro
Run ID: 8895532a-85fe-4ccf-a2fb-aae67367ba0a
📒 Files selected for processing (5)
- .github/workflows/ci.yaml
- Dockerfile.github-actions-runner
- Makefile
- hack/github-actions-runner/README.md
- hack/github-actions-runner/values.yaml
95fbad5 to
013489c
Compare
|
🧹 Nitpick comments (1)
Dockerfile.github-actions-runner (1)
19-19: Consider pinning the OpenShift client version for reproducibility.
The `stable` URL is mutable and may introduce unexpected changes. For a reproducible runner image (matching the digest-pinning approach used for the base image), consider using a versioned URL.
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In `@Dockerfile.github-actions-runner` at line 19, The RUN line that fetches the OpenShift client uses the mutable "stable" path ("RUN curl -fsSL \"https://mirror.openshift.com/.../stable/openshift-client-linux.tar.gz\" | tar -C /usr/local/bin -xz oc kubectl"); change this to a versioned URL (replace "stable" with a specific release like "vX.Y.Z" or the exact release directory) and, if possible, pin by digest or verify a published checksum before extracting to ensure reproducible builds; update the RUN invocation to download the specific release tarball and verify its checksum (or use a digested URL) prior to tar -C /usr/local/bin -xz oc kubectl.
📒 Files selected for processing (8)
- .github/workflows/codespell.yaml
- .github/workflows/cpo-container-sync.yaml
- .github/workflows/gitlint.yaml
- .github/workflows/lint.yaml
- Dockerfile.github-actions-runner
- Makefile
- hack/github-actions-runner/README.md
- hack/github-actions-runner/values.yaml
🚧 Files skipped from review as they are similar to previous changes (1)
- hack/github-actions-runner/values.yaml
5513a41 to
d71d578
Compare
Actionable comments posted: 1
🧹 Nitpick comments (1)
Dockerfile.control-plane (1)
4-4: Remove hardcoded `BREAK_SYNC=true` from the control-plane image build path.
Setting this globally in the builder stage makes all builds run with non-default behavior and reduces reproducibility/maintainability. If this is CI-only, pass it as a build arg in the specific workflow instead of baking it into the Dockerfile.
Suggested change
-WORKDIR /hypershift -ENV BREAK_SYNC=true +WORKDIR /hypershiftAs per coding guidelines, "Focus on major issues impacting performance, readability, maintainability and security. Avoid nitpicks and avoid verbosity."
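Review bot: the removed `ENV BREAK_SYNC=true` line gets no replacement in this suggestion, although the surrounding text proposes supplying the value at build time. If any later step in the builder stage reads `BREAK_SYNC`, add `ARG BREAK_SYNC` after `WORKDIR /hypershift` so the workflow can pass `--build-arg BREAK_SYNC=true`; an `ARG` is also not carried into the environment of the final image the way `ENV` is. If nothing consumes the variable, say so in the suggestion.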
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In `@Dockerfile.control-plane` at line 4, Remove the hardcoded ENV BREAK_SYNC=true from the control-plane Dockerfile builder stage and instead accept it as a build-time variable (use an ARG named BREAK_SYNC or rely on CI build-args) so the image build is reproducible and the non-default behavior is not baked into the image; update the Dockerfile to use ARG BREAK_SYNC with a sensible default (or no default) and update CI/workflow to pass --build-arg BREAK_SYNC when needed, ensuring any references to BREAK_SYNC in the Dockerfile refer to the ARG rather than a fixed ENV.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In `@main.go`:
- Around line 42-43: Remove the temporary dead-code block: delete the
typo-filled comment ("This is a teh temporaray fucntion...") and the unused
global variable named unusedVariable so the entrypoint no longer contains unused
globals that fail golangci-lint/Codespell; ensure no other references to
unusedVariable remain (search for "unusedVariable") and run linters to confirm
the CI issue is resolved.
📒 Files selected for processing (6)
- .github/workflows/codespell.yaml
- .github/workflows/cpo-container-sync.yaml
- .github/workflows/gitlint.yaml
- .github/workflows/lint.yaml
- Dockerfile.control-plane
- main.go
|
Actionable comments posted: 3
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In `@Dockerfile.github-actions-runner`:
- Around line 17-19: Replace the mutable downloads with pinned versions and
verify SHA256 checksums before extracting: stop streaming archives directly into
tar for both the Go download (using the GO_VERSION variable referenced in the
RUN that fetches go${GO_VERSION}.linux-arm64.tar.gz) and the OpenShift client
download (replace the "stable" path and the tarball URL used in the RUN that
extracts oc and kubectl with a specific OC_VERSION), download the corresponding
.sha256 (or .sha256sum) files, validate them with sha256sum -c (or compute and
compare the checksum), and only then extract the verified archive to /usr/local
or /usr/local/bin; ensure failure on checksum mismatch so the build aborts.
In `@Makefile`:
- Around line 85-98: The detection logic treats any golangci-lint in PATH as a
CI prebuilt even when the kube-api-linter plugin or version marker is missing;
update the conditional around PREBUILT_GOLANGCI to require that
PREBUILT_KUBEAPILINTER exists and IMAGE_VERSION_FILE exists (and optionally
matches expected contents) before setting GOLANGCI_LINT and KUBEAPILINTER_PLUGIN
to the prebuilt paths, otherwise fall back to the local-dev build paths
(GOLANGCI_LINT := $(abspath $(TOOLS_BIN_DIR)/golangci-lint) and
KUBEAPILINTER_PLUGIN := $(abspath $(TOOLS_BIN_DIR)/kube-api-linter.so)); apply
the same stricter checks to the analogous block that currently appears around
lines 109-118 so CI won't silently skip validation when the version file or
plugin is missing.
- Around line 96-104: The Makefile uses absolute targets GOLANGCI_LINT and
KUBEAPILINTER_PLUGIN but the build rules change directory to $(TOOLS_DIR) and
write $@ which resolves relative to the original cwd, causing mismatched paths;
update the build recipes for the targets $(TOOLS_BIN_DIR)/golangci-lint and
$(TOOLS_BIN_DIR)/kube-api-linter.so (and the similar rules at the other
occurrences) to produce the desired absolute output: either remove the cd and
run $(GO) build -o $@ from the repo root using package import paths, or keep cd
$(TOOLS_DIR) but set -o to an absolute path like -o $(abspath $@) (or
$(CURDIR)/$@) so the binary/plugin is written into $(TOOLS_BIN_DIR) as expected;
ensure both rules reference the same variable names GOLANGCI_LINT and
KUBEAPILINTER_PLUGIN so dependency names and rule targets match.
📒 Files selected for processing (2)
- Dockerfile.github-actions-runner
- Makefile
```dockerfile
RUN curl -fsSL "https://go.dev/dl/go${GO_VERSION}.linux-arm64.tar.gz" | tar -C /usr/local -xz

RUN curl -fsSL "https://mirror.openshift.com/pub/openshift-v4/aarch64/clients/ocp/stable/openshift-client-linux.tar.gz" | tar -C /usr/local/bin -xz oc kubectl
```
🧩 Analysis chain
🏁 Script executed:
```bash
#!/bin/bash
set -euo pipefail
# Verify mutable channel and missing checksum validation patterns in the Dockerfile
rg -n 'openshift-v4/aarch64/clients/ocp/stable/openshift-client-linux.tar.gz|go.dev/dl/go\$\{GO_VERSION\}.linux-arm64.tar.gz' Dockerfile.github-actions-runner
rg -n 'sha256sum -c|SHA256|_SHA256' Dockerfile.github-actions-runner || true
```
Repository: openshift/hypershift
Length of output: 322
Pin package versions and add checksum verification for supply-chain integrity.
Line 19 downloads from a mutable stable URL, and both line 17 and line 19 stream archives directly to tar without checksum validation. This causes nondeterministic builds and creates supply-chain risk for the runner image.
Replace the mutable stable channel with a specific version, and verify all downloads with SHA256 checksums:
Proposed fix
ARG GO_VERSION=1.25.3
-RUN curl -fsSL "https://go.dev/dl/go${GO_VERSION}.linux-arm64.tar.gz" | tar -C /usr/local -xz
+ARG GO_SHA256=<pin-go-tarball-sha256>
+RUN curl -fsSLo /tmp/go.tgz "https://go.dev/dl/go${GO_VERSION}.linux-arm64.tar.gz" && \
+ echo "${GO_SHA256} /tmp/go.tgz" | sha256sum -c - && \
+ tar -C /usr/local -xzf /tmp/go.tgz && \
+ rm -f /tmp/go.tgz
-RUN curl -fsSL "https://mirror.openshift.com/pub/openshift-v4/aarch64/clients/ocp/stable/openshift-client-linux.tar.gz" | tar -C /usr/local/bin -xz oc kubectl
+ARG OCP_CLIENT_VERSION=<pin-ocp-version>
+ARG OCP_CLIENT_SHA256=<pin-oc-tarball-sha256>
+RUN curl -fsSLo /tmp/oc.tgz "https://mirror.openshift.com/pub/openshift-v4/aarch64/clients/ocp/${OCP_CLIENT_VERSION}/openshift-client-linux.tar.gz" && \
+ echo "${OCP_CLIENT_SHA256} /tmp/oc.tgz" | sha256sum -c - && \
+ tar -C /usr/local/bin -xzf /tmp/oc.tgz oc kubectl && \
+ rm -f /tmp/oc.tgz🤖 Prompt for AI Agents
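Review bot: `GO_SHA256` and `OCP_CLIENT_SHA256` are declared as `ARG`, so a `--build-arg` can replace the expected digest together with the version, and `sha256sum -c -` then only confirms whatever the caller supplied. If the pin is meant to be fixed by the repository, put the digest literal in the `RUN` line (or document that these ARGs change only by commit). The digests are also specific to the `linux-arm64` and `aarch64` archives named in the URLs, which the ARG names do not convey.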
Verify each finding against the current code and only fix it if needed.
In `@Dockerfile.github-actions-runner` around lines 17 - 19, Replace the mutable
downloads with pinned versions and verify SHA256 checksums before extracting:
stop streaming archives directly into tar for both the Go download (using the
GO_VERSION variable referenced in the RUN that fetches
go${GO_VERSION}.linux-arm64.tar.gz) and the OpenShift client download (replace
the "stable" path and the tarball URL used in the RUN that extracts oc and
kubectl with a specific OC_VERSION), download the corresponding .sha256 (or
.sha256sum) files, validate them with sha256sum -c (or compute and compare the
checksum), and only then extract the verified archive to /usr/local or
/usr/local/bin; ensure failure on checksum mismatch so the build aborts.
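The pattern flagged in this review, as an added example (not code from the PR or from CodeRabbit): a small Python auditor that reports `RUN` instructions which fetch from a mutable channel path, pipe a download straight into an extractor, or contain no `sha256sum -c` step. The rule names, the list of channel words and both sample Dockerfiles are constructed for illustration; the second sample follows the shape of the proposed fix with its placeholders left in.

```python
import re

# Constructed sample: the two RUN lines quoted in the review comment.
BEFORE = r'''
ARG GO_VERSION=1.25.3
RUN curl -fsSL "https://go.dev/dl/go${GO_VERSION}.linux-arm64.tar.gz" | tar -C /usr/local -xz
RUN curl -fsSL "https://mirror.openshift.com/pub/openshift-v4/aarch64/clients/ocp/stable/openshift-client-linux.tar.gz" | tar -C /usr/local/bin -xz oc kubectl
'''

# Constructed sample: same shape as the proposed fix, placeholders kept as-is.
AFTER = r'''
ARG GO_VERSION=1.25.3
ARG GO_SHA256=<pin-go-tarball-sha256>
RUN curl -fsSLo /tmp/go.tgz "https://go.dev/dl/go${GO_VERSION}.linux-arm64.tar.gz" && \
    echo "${GO_SHA256} /tmp/go.tgz" | sha256sum -c - && \
    tar -C /usr/local -xzf /tmp/go.tgz && \
    rm -f /tmp/go.tgz
ARG OCP_CLIENT_VERSION=<pin-ocp-version>
ARG OCP_CLIENT_SHA256=<pin-oc-tarball-sha256>
RUN curl -fsSLo /tmp/oc.tgz "https://mirror.openshift.com/pub/openshift-v4/aarch64/clients/ocp/${OCP_CLIENT_VERSION}/openshift-client-linux.tar.gz" && \
    echo "${OCP_CLIENT_SHA256} /tmp/oc.tgz" | sha256sum -c - && \
    tar -C /usr/local/bin -xzf /tmp/oc.tgz oc kubectl && \
    rm -f /tmp/oc.tgz
'''

FETCH = re.compile(r'\b(curl|wget)\b')
URL = re.compile(r'https?://[^\s"\']+')
# Path segments that name a moving channel rather than a release (assumed list).
MUTABLE = re.compile(r'/(stable|latest|current|nightly)(/|$)')
# A single "|" (not "||") feeding an extractor or a shell.
PIPE_TO = re.compile(r'(?<!\|)\|(?!\|)\s*(tar|sh|bash|gunzip|unzip)\b')
VERIFY = re.compile(r'\bsha(256|512)sum\b[^|;&]*?\s(-c|--check)\b')


def run_instructions(dockerfile):
    """Yield (line_no, command) for each RUN, joining backslash continuations."""
    lines = dockerfile.splitlines()
    i = 0
    while i < len(lines):
        start = i + 1
        text = lines[i].strip()
        while text.endswith('\\') and i + 1 < len(lines):
            i += 1
            text = text[:-1].rstrip() + ' ' + lines[i].strip()
        i += 1
        if text.upper().startswith('RUN '):
            yield start, text[4:].strip()


def audit(dockerfile):
    """Return (line_no, rule) findings for RUN instructions that download files."""
    findings = []
    for line_no, cmd in run_instructions(dockerfile):
        if not FETCH.search(cmd):
            continue
        # Rule 1: the URL points at a channel whose content changes over time.
        if any(MUTABLE.search(u) for u in URL.findall(cmd)):
            findings.append((line_no, 'mutable-url'))
        # Rule 2: the download is consumed in the same pipeline, so nothing
        # can inspect the bytes before they are unpacked or executed.
        if any(FETCH.search(p) and PIPE_TO.search(p)
               for p in re.split(r'&&|;', cmd)):
            findings.append((line_no, 'piped-download'))
        # Rule 3: no checksum check anywhere in the instruction.
        if not VERIFY.search(cmd):
            findings.append((line_no, 'no-checksum'))
    return findings


if __name__ == '__main__':
    for name, sample in (('before', BEFORE), ('after', AFTER)):
        print(name, audit(sample))
```

The auditor only checks that a verification step is present. A digest fetched from the same mirror as the archive detects corruption in transit but not a replaced archive, so the expected value should be committed alongside the Dockerfile.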
|
♻️ Duplicate comments (1)
Makefile (1)
97-110: ⚠️ Potential issue | 🟠 Major
Absolute prerequisites don’t match declared build targets, which can break `make lint` bootstrapping
Line 97/98/102/103 set absolute prerequisite paths, but Line 106 and Line 109 declare relative targets. On a clean tree, Make may fail with “No rule to make target …” for local lint dependencies.
Proposed fix
-$(TOOLS_BIN_DIR)/golangci-lint: $(TOOLS_DIR)/go.mod +$(abspath $(TOOLS_BIN_DIR)/golangci-lint): $(TOOLS_DIR)/go.mod cd $(TOOLS_DIR); $(GO) build -tags=tools -o $(BIN_DIR)/golangci-lint github.com/golangci/golangci-lint/v2/cmd/golangci-lint -$(TOOLS_BIN_DIR)/kube-api-linter.so: $(TOOLS_DIR)/go.mod +$(abspath $(TOOLS_BIN_DIR)/kube-api-linter.so): $(TOOLS_DIR)/go.mod cd $(TOOLS_DIR); CGO_ENABLED=1 $(GO) build -buildmode=plugin -o $(BIN_DIR)/kube-api-linter.so sigs.k8s.io/kube-api-linter/pkg/plugin#!/bin/bash set -euo pipefail echo "Checking absolute local assignments used as lint prerequisites:" rg -n -C1 'GOLANGCI_LINT := \$\(abspath \$\(TOOLS_BIN_DIR\)/golangci-lint\)|KUBEAPILINTER_PLUGIN := \$\(abspath \$\(TOOLS_BIN_DIR\)/kube-api-linter\.so\)' Makefile echo echo "Checking declared build rule targets:" rg -n -C1 '^\$\(TOOLS_BIN_DIR\)/(golangci-lint|kube-api-linter\.so):' Makefile echo echo "If both blocks are present, prerequisite names and target names differ (absolute vs relative), which can prevent rule resolution when files are missing."As per coding guidelines, "-Focus on major issues impacting performance, readability, maintainability and security. Avoid nitpicks and avoid verbosity."
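Review bot: both recipes still write to `-o $(BIN_DIR)/...` after `cd $(TOOLS_DIR)` while the rule targets become `$(abspath $(TOOLS_BIN_DIR)/...)`, so nothing in the rule ties the file the recipe produces to the target Make is waiting for. Because the proposed targets are absolute, `-o $@` is safe after the `cd` and removes the dependency on how `BIN_DIR` is defined, which is not visible in these lines.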
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In `@Makefile` around lines 97 - 110, The Makefile sets GOLANGCI_LINT and KUBEAPILINTER_PLUGIN using $(abspath $(TOOLS_BIN_DIR)/...) while the corresponding build rules declare targets as $(TOOLS_BIN_DIR)/golangci-lint and $(TOOLS_BIN_DIR)/kube-api-linter.so, so Make can't match prerequisites to targets; fix by making the variable assignments and rule targets use the same canonical names — either remove abspath when setting GOLANGCI_LINT and KUBEAPILINTER_PLUGIN or change the rule targets to the abspath form so that the variables GOLANGCI_LINT and KUBEAPILINTER_PLUGIN exactly match the targets referenced by the build rules for $(TOOLS_BIN_DIR)/golangci-lint and $(TOOLS_BIN_DIR)/kube-api-linter.so.
📒 Files selected for processing (2)
- Makefile
- hack/github-actions-runner/values.yaml
🚧 Files skipped from review as they are similar to previous changes (1)
- hack/github-actions-runner/values.yaml
|
@bryan-cox: Overrode contexts on behalf of bryan-cox: ci/prow/e2e-v2-aws DetailsIn response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
|
@bryan-cox: Overrode contexts on behalf of bryan-cox: Red Hat Konflux / hypershift-operator-main-enterprise-contract / hypershift-operator-main DetailsIn response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
|
@bryan-cox: Overrode contexts on behalf of bryan-cox: Red Hat Konflux / hypershift-operator-enterprise-contract / hypershift-operator-main DetailsIn response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
|
/override "ci/prow/e2e-aks-cilium" |
|
/override "Red Hat Konflux / hypershift-operator-enterprise-contract / hypershift-operator-main" |
|
/override "Red Hat Konflux / hypershift-operator-main-enterprise-contract / hypershift-operator-main" |
|
@bryan-cox: Overrode contexts on behalf of bryan-cox: ci/prow/e2e-aks-cilium DetailsIn response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
|
@bryan-cox: /override requires failed status contexts, check run or a prowjob name to operate on.
Only the following failed contexts/checkruns were expected:
If you are trying to override a checkrun that has a space in it, you must put a double quote on the context. DetailsIn response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
|
/verified bypass |
|
@bryan-cox: The DetailsIn response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
|
/override "ci/prow/e2e-azure-self-managed" |
|
@bryan-cox: Overrode contexts on behalf of bryan-cox: ci/prow/e2e-azure-self-managed DetailsIn response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
|
/override "ci/prow/e2e-aks" |
|
/override "Red Hat Konflux / hypershift-operator-enterprise-contract / hypershift-operator-main" |
|
/override "Red Hat Konflux / hypershift-operator-main-enterprise-contract / hypershift-operator-main" |
|
@bryan-cox: Overrode contexts on behalf of bryan-cox: ci/prow/e2e-aks DetailsIn response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
|
/override "ci/prow/e2e-azure-self-managed" |
|
/override "ci/prow/okd-scos-images" |
|
@bryan-cox: Overrode contexts on behalf of bryan-cox: ci/prow/okd-scos-images DetailsIn response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
e4c50a5
into
openshift:main
|
@bryan-cox: all tests passed! Full PR test history. Your PR dashboard. DetailsInstructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here. |
Switch the HyperShift Prow verify job from `make verify` to `make verify-ci`. The verify-ci target excludes lint, codespell, gitlint, and cpo-container-sync checks which now run in GitHub Actions workflows, avoiding duplicate CI work. The full `make verify` target remains unchanged for local development use. Related: openshift/hypershift#7980 Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
What this PR does / why we need it:
Adds self-hosted ARM64 GitHub Actions runners on a HyperShift hosted cluster using Actions Runner Controller (ARC) to run lint, codespell, gitlint, and cpo-container-sync checks. These checks run as separate GitHub Actions workflows for faster, parallelized PR feedback.
The existing `make verify` target is unchanged so local workflows remain consistent. A new `make verify-ci` target is added for Prow CI, which excludes the checks that now also run in GitHub Actions (lint, codespell, gitlint, cpo-container-sync).

The runners use a custom image with Go, make, gcc, and oc/kubectl pre-installed. golangci-lint and the kube-api-linter plugin are pre-built into the image to avoid compiling 300+ vendored deps on every CI run.
Which issue(s) this PR fixes:
Fixes CNTRLPLANE-2986
Special notes for your reviewer:
- `c6g.8xlarge` nodes, matching the target CI workload
- `make verify` is unchanged — local dev workflow stays the same
- `make verify-ci` is a new target for Prow that excludes checks now running in GitHub Actions

Checklist: