CNTRLPLANE-3329: Add nightly CronJob to warm EFS-backed Go build cache

[vismishr]

What this PR does / why we need it:

The EFS-backed PV mounted on ARC runner pods is empty until something
populates it. This PR adds a Kubernetes CronJob that runs nightly at
2 AM UTC to compile all Go packages and test binaries from main, then
syncs the resulting build cache to the shared PV.

Once populated, every CI run copies from this pre-warmed cache instead
of compiling from scratch, eliminating ~2-3.5 min of overhead per shard.

How it works:

1. Clones openshift/hypershift main branch (shallow, depth 1)
2. Runs go build ./... and go test -c ./... to compile everything
3. Copies the build cache from local tmpdir to the EFS PV
4. Runner pods (mounted read-only) pick up the cache on their next run

CronJob details:

• Schedule: 0 2 * * * (2 AM UTC daily)
• Concurrency: Forbid (no overlapping runs)
• Deadline: 1 hour timeout
• Resources: 4 CPU / 16Gi (matches runner pods)
• Uses the same runner image as CI pods

Which issue(s) this PR fixes:

Fixes https://redhat.atlassian.net/browse/CNTRLPLANE-3329

Special notes for your reviewer:

• This CronJob can be applied to the cluster independently of the other
  PRs (CNTRLPLANE-3329: Mount EFS-backed Go build cache PV on ARC runner pods #8493, CNTRLPLANE-3329: Replace actions/cache with EFS-backed build cache in unit tests #8494, CNTRLPLANE-3329: Extend EFS-backed build cache to lint, verify, and envtest workflows #8495). In fact, it should be applied first so the
  cache is warm before runners start using it.
• After merging, apply with: oc apply -f hack/github-actions-runner/cache-warming-cronjob.yaml
• To test immediately: oc create job --from=cronjob/go-cache-warmer go-cache-warmer-manual -n arc-runners

Checklist:

• Subject and description added to both, commit and PR.
• Relevant issues have been referenced.
• This change includes docs.
• This change includes unit tests.

Summary by CodeRabbit

• Chores
  • Added a daily CronJob that pre-populates the Go build cache during off-hours to reduce build latency.
  • Job restricts concurrent runs, enforces execution timeouts, limited job history, retry/backoff controls, and resource limits to protect cluster stability.
  • Container runtime is hardened; the job prunes stale cache entries, syncs cache to persistent storage, and reports disk usage to maintain storage health.

[openshift-merge-bot]

Pipeline controller notification
This repo is configured to use the pipeline controller. Second-stage tests will be triggered either automatically or after lgtm label is added, depending on the repository configuration. The pipeline controller will automatically detect which contexts are required and will utilize /test Prow commands to trigger the second stage.

For optional jobs, comment /test ? to see a list of all defined jobs. To trigger manually all jobs from second stage use /pipeline required command.

This repository is configured in: LGTM mode

[openshift-ci-robot]

@vismishr: This pull request references CNTRLPLANE-3329 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "5.0.0" version, but no target version was set.

Details

In response to this:

What this PR does / why we need it:

The EFS-backed PV mounted on ARC runner pods is empty until something
populates it. This PR adds a Kubernetes CronJob that runs nightly at
2 AM UTC to compile all Go packages and test binaries from main, then
syncs the resulting build cache to the shared PV.

Once populated, every CI run copies from this pre-warmed cache instead
of compiling from scratch, eliminating ~2-3.5 min of overhead per shard.

How it works:

1. Clones openshift/hypershift main branch (shallow, depth 1)
2. Runs go build ./... and go test -c ./... to compile everything
3. Copies the build cache from local tmpdir to the EFS PV
4. Runner pods (mounted read-only) pick up the cache on their next run

CronJob details:

• Schedule: 0 2 * * * (2 AM UTC daily)
• Concurrency: Forbid (no overlapping runs)
• Deadline: 1 hour timeout
• Resources: 4 CPU / 16Gi (matches runner pods)
• Uses the same runner image as CI pods

Which issue(s) this PR fixes:

Fixes https://redhat.atlassian.net/browse/CNTRLPLANE-3329

Special notes for your reviewer:

• This CronJob can be applied to the cluster independently of the other
  PRs (CNTRLPLANE-3329: Mount EFS-backed Go build cache PV on ARC runner pods #8493, CNTRLPLANE-3329: Replace actions/cache with EFS-backed build cache in unit tests #8494, CNTRLPLANE-3329: Extend EFS-backed build cache to lint, verify, and envtest workflows #8495). In fact, it should be applied first so the
  cache is warm before runners start using it.
• After merging, apply with: oc apply -f hack/github-actions-runner/cache-warming-cronjob.yaml
• To test immediately: oc create job --from=cronjob/go-cache-warmer go-cache-warmer-manual -n arc-runners

Checklist:

• Subject and description added to both, commit and PR.
• Relevant issues have been referenced.
• This change includes docs.
• This change includes unit tests.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[openshift-ci]

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 9782b90a-66de-4602-940b-338e9bbab9b4

📥 Commits

Reviewing files that changed from the base of the PR and between 4341d0c and ca1f7ee.

📒 Files selected for processing (1)

• hack/github-actions-runner/cache-warming-cronjob.yaml

---

📝 Walkthrough

Walkthrough

A new Kubernetes CronJob go-cache-warmer was added in the arc-runners namespace, scheduled 0 2 * * * (02:00 daily) with concurrencyPolicy: Forbid, activeDeadlineSeconds: 3600, backoffLimit: 1, successfulJobsHistoryLimit: 3, and failedJobsHistoryLimit: 1. It runs a hardened, non-root pod that shallow-clones openshift/hypershift, runs go build and attempts go test -c, prunes stale cache older than 7 days, syncs ${GOCACHE} into the mounted PVC go-cache-pvc at /cache/go-build, and prints disk usage. Resources set to 4 CPU and 16Gi memory.

Sequence Diagram(s)

sequenceDiagram
  participant Scheduler as CronJob Scheduler
  participant KubeAPI as Kubernetes API/Controller
  participant Pod as Job Pod (container)
  participant Git as Git Repo (openshift/hypershift)
  participant PVC as PersistentVolume (go-cache-pvc)

  Scheduler->>KubeAPI: trigger job (02:00 daily)
  KubeAPI->>Pod: create Job Pod (concurrency: Forbid, restartPolicy: Never)
  Pod->>Git: shallow clone main -> /tmp/hypershift
  Pod->>Pod: run go build ./... and attempt go test -c (populate GOCACHE)
  Pod->>Pod: prune /cache/go-build files older than 7 days
  Pod->>PVC: copy ${GOCACHE} -> /cache/go-build (mounted PVC)
  Pod->>KubeAPI: exit and report status

Loading

🚥 Pre-merge checks | ✅ 12

✅ Passed checks (12 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title directly and specifically describes the main change: adding a nightly CronJob to warm an EFS-backed Go build cache, which matches the core purpose of the changeset.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names	✅ Passed	The PR adds only a Kubernetes CronJob manifest (cache-warming-cronjob.yaml). No Ginkgo test files or test constructs are present. The custom check is not applicable to this infrastructure change.
Test Structure And Quality	✅ Passed	PR adds only a Kubernetes CronJob manifest file with no Ginkgo test code. Custom check for test structure is not applicable.
Microshift Test Compatibility	✅ Passed	This PR adds a Kubernetes CronJob manifest file only, not Ginkgo e2e tests. The MicroShift Test Compatibility check is not applicable to infrastructure/manifest changes without e2e tests.
Single Node Openshift (Sno) Test Compatibility	✅ Passed	The PR adds only a Kubernetes CronJob manifest (cache-warming-cronjob.yaml) for infrastructure purposes. No Ginkgo e2e tests are added, so the SNO test compatibility check does not apply.
Topology-Aware Scheduling Compatibility	✅ Passed	The CronJob manifest introduces no scheduling constraints (no affinity, nodeSelector, tolerations, or topology spread constraints). It works on all OpenShift topologies.
Ote Binary Stdout Contract	✅ Passed	PR only adds a Kubernetes CronJob YAML manifest (cache-warming-cronjob.yaml). No Go code is modified. The OTE Binary Stdout Contract check is not applicable to YAML configuration files.
Ipv6 And Disconnected Network Test Compatibility	✅ Passed	This PR adds a Kubernetes CronJob manifest file (cache-warming-cronjob.yaml), not Ginkgo e2e tests. The check is only applicable to new Ginkgo e2e tests, which are not present in this PR.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 39.95%. Comparing base (4341d0c) to head (ca1f7ee).
⚠️ Report is 2 commits behind head on main.

Additional details and impacted files

@@           Coverage Diff           @@
##             main    #8496   +/-   ##
=======================================
  Coverage   39.95%   39.95%           
=======================================
  Files         751      751           
  Lines       92733    92733           
=======================================
  Hits        37048    37048           
  Misses      52998    52998           
  Partials     2687     2687           

Flag	Coverage Δ
cmd-support	34.07% <ø> (ø)
cpo-hostedcontrolplane	40.52% <ø> (ø)
cpo-other	40.08% <ø> (ø)
hypershift-operator	50.44% <ø> (ø)
other	31.55% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (1)

hack/github-actions-runner/cache-warming-cronjob.yaml (1)

23-23: ⚡ Quick win

Pin the runner image by digest instead of latest.

Using a mutable tag makes cache behavior non-reproducible across runs and can introduce unreviewed runtime changes. The codebase already establishes this pattern elsewhere (e.g., hack/github-actions-runner/monitoring/grafana.yaml pins by digest, and many production images in hypershift-operator/ use digest pinning). Consider updating to quay.io/redhat-user-workloads/crt-redhat-acm-tenant/hypershift-gh-actions-runner@sha256:<digest>.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@hack/github-actions-runner/cache-warming-cronjob.yaml` at line 23, Replace
the mutable image tag
"quay.io/redhat-user-workloads/crt-redhat-acm-tenant/hypershift-gh-actions-runner:latest"
with a digest-pinned reference using the `@sha256`:<digest> form (e.g.
quay.io/.../hypershift-gh-actions-runner@sha256:<digest>); fetch the current
published sha256 for that repo (via quay/skopeo/registry API) and substitute it
so the CronJob uses an immutable image reference consistent with other
manifests.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@hack/github-actions-runner/cache-warming-cronjob.yaml`:
- Around line 40-43: Replace the destructive "rm -rf /cache/go-build/*" + "cp -a
\"${GOCACHE}\"/* /cache/go-build/" sequence with a safe atomic swap: copy into a
temporary staging directory (e.g. /cache/go-build.tmp), verify the copy
succeeded, then rename/move the temp dir into place (atomic mv to replace
/cache/go-build) and clean up on failure; ensure the CI cronjob uses the temp
dir and atomic rename so readers never see an empty/partial /cache/go-build
during the update.

---

Nitpick comments:
In `@hack/github-actions-runner/cache-warming-cronjob.yaml`:
- Line 23: Replace the mutable image tag
"quay.io/redhat-user-workloads/crt-redhat-acm-tenant/hypershift-gh-actions-runner:latest"
with a digest-pinned reference using the `@sha256`:<digest> form (e.g.
quay.io/.../hypershift-gh-actions-runner@sha256:<digest>); fetch the current
published sha256 for that repo (via quay/skopeo/registry API) and substitute it
so the CronJob uses an immutable image reference consistent with other
manifests.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: e2b9174f-9b0a-4e9f-aacb-a3a7ab0da805

📥 Commits

Reviewing files that changed from the base of the PR and between 4341d0c and 1631c3c.

📒 Files selected for processing (1)

• hack/github-actions-runner/cache-warming-cronjob.yaml

[coderabbitai]

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@hack/github-actions-runner/cache-warming-cronjob.yaml`:
- Around line 19-23: The Pod spec for the cache-warmer job lacks hardened
securityContext; update the Pod-level spec and the container "cache-warmer"
securityContext to enforce non-root and least privilege: set pod-level
runAsNonRoot: true and runAsUser (e.g., 1000), and in the container
securityContext set allowPrivilegeEscalation: false, privileged: false,
readOnlyRootFilesystem: true, runAsNonRoot: true, drop all capabilities
(capabilities.drop: ["ALL"]) and enable seccompProfile with type RuntimeDefault
(or LocalhostProfile if required by cluster). Apply these changes to the cronjob
block that defines the container named "cache-warmer" (and replicate to the
other similar block referenced lines 49-66).
- Line 23: The cronjob is using a mutable image tag
"quay.io/redhat-user-workloads/crt-redhat-acm-tenant/hypershift-gh-actions-runner:latest";
resolve the image digest (for example via `skopeo inspect
docker://quay.io/...:latest` or `podman pull` + `podman inspect --format
'{{index .Digest}}'`), then replace the tag with the immutable digest form
`quay.io/redhat-user-workloads/crt-redhat-acm-tenant@sha256:<DIGEST>` in the
image field so the cron execution is reproducible.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: c578c230-3d3e-4b1e-836c-6c30491409f3

📥 Commits

Reviewing files that changed from the base of the PR and between 1631c3c and 9dad273.

📒 Files selected for processing (1)

• hack/github-actions-runner/cache-warming-cronjob.yaml

[coderabbitai]

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

# Check if the file exists and examine its structure
find . -name "cache-warming-cronjob.yaml" -type f

Repository: openshift/hypershift

Length of output: 120

---

🏁 Script executed:

# If found, examine the file around line 23
if [ -f "hack/github-actions-runner/cache-warming-cronjob.yaml" ]; then
  echo "=== File exists. Examining contents ===" && \
  cat -n "hack/github-actions-runner/cache-warming-cronjob.yaml" | head -40
else
  echo "File not found at specified path"
fi

Repository: openshift/hypershift

Length of output: 1659

---

Avoid mutable :latest for cron execution reproducibility.

Pin this image to a digest to prevent unreviewed runtime drift in nightly jobs. Resolve the actual digest value and update the image reference.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@hack/github-actions-runner/cache-warming-cronjob.yaml` at line 23, The
cronjob is using a mutable image tag
"quay.io/redhat-user-workloads/crt-redhat-acm-tenant/hypershift-gh-actions-runner:latest";
resolve the image digest (for example via `skopeo inspect
docker://quay.io/...:latest` or `podman pull` + `podman inspect --format
'{{index .Digest}}'`), then replace the tag with the immutable digest form
`quay.io/redhat-user-workloads/crt-redhat-acm-tenant@sha256:<DIGEST>` in the
image field so the cron execution is reproducible.

[vismishr]

Intentionally using :latest here — the CronJob needs to stay in sync with the ARC runner image so the Go build cache is compiled with the same Go version and toolchain the runners use. Pinning to a digest would require a manual update every time the runner image is rebuilt.

[coderabbitai]

@vismishr, that's a fair point — since the build cache must be ABI-compatible with the exact toolchain the runners use, keeping both on :latest is a sensible way to guarantee that alignment without manual digest chasing on every runner rebuild. Understood, I'll stand down on this one.

---

✏️ Learnings added

Learnt from: vismishr
Repo: openshift/hypershift PR: 8496
File: hack/github-actions-runner/cache-warming-cronjob.yaml:23-23
Timestamp: 2026-05-12T19:47:18.581Z
Learning: In `hack/github-actions-runner/cache-warming-cronjob.yaml` (openshift/hypershift), the CronJob `go-cache-warmer` intentionally uses the mutable `:latest` tag for `quay.io/redhat-user-workloads/crt-redhat-acm-tenant/hypershift-gh-actions-runner:latest`. This is by design so the Go build cache is always compiled with the same Go version and toolchain as the ARC runner pods, which also track `:latest`. Pinning to a digest is not desired because it would require a manual update on every runner image rebuild.

Note: Learnings are effective only in the context of similar code segments. To apply general coding guidelines, please configure review instructions. You can manage existing learnings in the app.

[vismishr]

@coderabbitai full review

[coderabbitai]

✅ Actions performed

Full review triggered.

[coderabbitai]

♻️ Duplicate comments (2)

hack/github-actions-runner/cache-warming-cronjob.yaml (2)

23-23: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Pin image to immutable digest for reproducibility.

The :latest tag remains mutable, so the nightly CronJob can pull unreviewed runtime changes. For stable, reproducible execution, resolve and pin to the image digest.

Run the following script to resolve the current digest:

#!/bin/bash
# Resolve the digest for the latest runner image
skopeo inspect --format '{{.Digest}}' \
  docker://quay.io/redhat-user-workloads/crt-redhat-acm-tenant/hypershift-gh-actions-runner:latest

Then update the image field to:

image: quay.io/redhat-user-workloads/crt-redhat-acm-tenant/hypershift-gh-actions-runner@sha256:<DIGEST>

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@hack/github-actions-runner/cache-warming-cronjob.yaml` at line 23, The
CronJob image is using the mutable tag
"quay.io/redhat-user-workloads/crt-redhat-acm-tenant/hypershift-gh-actions-runner:latest";
resolve the current immutable digest (e.g., via skopeo inspect) and update the
image field to the digest form using the same image name but with
`@sha256`:<DIGEST> instead of :latest so the nightly CronJob pins to a
reproducible image; change the image line that currently contains
"quay.io/redhat-user-workloads/crt-redhat-acm-tenant/hypershift-gh-actions-runner:latest"
to the corresponding "@sha256:<DIGEST>" value.

---

18-22: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Harden pod and container security context.

The pod and container still lack explicit security constraints. Without runAsNonRoot, allowPrivilegeEscalation: false, seccomp profile, and capability drops, the workload runs with weaker baseline security.

As per coding guidelines, static analysis flags CKV_K8S_20 (allowPrivilegeEscalation) and CKV_K8S_23 (root containers).

🔒 Recommended hardening patch

       template:
         spec:
+          securityContext:
+            runAsNonRoot: true
+            runAsUser: 1000
+            seccompProfile:
+              type: RuntimeDefault
           restartPolicy: Never
           containers:
             - name: cache-warmer
               image: quay.io/redhat-user-workloads/crt-redhat-acm-tenant/hypershift-gh-actions-runner:latest
+              securityContext:
+                allowPrivilegeEscalation: false
+                runAsNonRoot: true
+                capabilities:
+                  drop:
+                    - ALL
               command:

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@hack/github-actions-runner/cache-warming-cronjob.yaml` around lines 18 - 22,
The pod spec under template.spec for the cache-warmer workload is missing
hardened security settings; update the PodTemplate to include a
podSecurityContext (e.g., runAsNonRoot: true, runAsUser: <non-root uid>,
fsGroup: <gid>) and add a securityContext on the container named "cache-warmer"
to set runAsNonRoot: true (and runAsUser matching the pod if needed),
allowPrivilegeEscalation: false, readOnlyRootFilesystem: true, capabilities:
drop: ["ALL"], and a seccompProfile (type: RuntimeDefault) to satisfy
CKV_K8S_20/CKV_K8S_23 policies and prevent the container from running as root or
escalating privileges.

🧹 Nitpick comments (1)

hack/github-actions-runner/cache-warming-cronjob.yaml (1)

44-45: ⚡ Quick win

Consider atomic cache update for consistency.

Good: the previous rm -rf /cache/go-build/* has been removed, eliminating the risk of leaving the cache empty on copy failure.

However, readers may still observe a mix of old and new files during the multi-file copy. For stricter consistency, stage the new cache into a temporary directory and atomically rename it into place.

♻️ Optional atomic swap pattern

                  echo "=== Syncing build cache to PV ==="
+                  rm -rf /cache/go-build.new /cache/go-build.old
+                  mkdir -p /cache/go-build.new
+                  cp -a "${GOCACHE}"/. /cache/go-build.new/
+                  if [ -d /cache/go-build ]; then
+                    mv /cache/go-build /cache/go-build.old
+                  fi
+                  mv /cache/go-build.new /cache/go-build
+                  rm -rf /cache/go-build.old
-                  cp -a "${GOCACHE}"/* /cache/go-build/

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@hack/github-actions-runner/cache-warming-cronjob.yaml` around lines 44 - 45,
Staging the new Go build cache into place atomically will avoid readers seeing
mixed old/new files: when syncing from "${GOCACHE}" to /cache/go-build, create a
temporary directory (e.g., via mktemp -d), copy into that temp dir using the
same cp -a invocation, then atomically replace the target by renaming the temp
dir into /cache/go-build (use mv -T or mv then appropriate cleanup) so the swap
is instantaneous; update the cache-warming script around the cp -a
"${GOCACHE}"/* /cache/go-build/ step to implement this temp-dir -> mv swap and
ensure proper cleanup on error.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Duplicate comments:
In `@hack/github-actions-runner/cache-warming-cronjob.yaml`:
- Line 23: The CronJob image is using the mutable tag
"quay.io/redhat-user-workloads/crt-redhat-acm-tenant/hypershift-gh-actions-runner:latest";
resolve the current immutable digest (e.g., via skopeo inspect) and update the
image field to the digest form using the same image name but with
`@sha256`:<DIGEST> instead of :latest so the nightly CronJob pins to a
reproducible image; change the image line that currently contains
"quay.io/redhat-user-workloads/crt-redhat-acm-tenant/hypershift-gh-actions-runner:latest"
to the corresponding "@sha256:<DIGEST>" value.
- Around line 18-22: The pod spec under template.spec for the cache-warmer
workload is missing hardened security settings; update the PodTemplate to
include a podSecurityContext (e.g., runAsNonRoot: true, runAsUser: <non-root
uid>, fsGroup: <gid>) and add a securityContext on the container named
"cache-warmer" to set runAsNonRoot: true (and runAsUser matching the pod if
needed), allowPrivilegeEscalation: false, readOnlyRootFilesystem: true,
capabilities: drop: ["ALL"], and a seccompProfile (type: RuntimeDefault) to
satisfy CKV_K8S_20/CKV_K8S_23 policies and prevent the container from running as
root or escalating privileges.

---

Nitpick comments:
In `@hack/github-actions-runner/cache-warming-cronjob.yaml`:
- Around line 44-45: Staging the new Go build cache into place atomically will
avoid readers seeing mixed old/new files: when syncing from "${GOCACHE}" to
/cache/go-build, create a temporary directory (e.g., via mktemp -d), copy into
that temp dir using the same cp -a invocation, then atomically replace the
target by renaming the temp dir into /cache/go-build (use mv -T or mv then
appropriate cleanup) so the swap is instantaneous; update the cache-warming
script around the cp -a "${GOCACHE}"/* /cache/go-build/ step to implement this
temp-dir -> mv swap and ensure proper cleanup on error.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 36dfb90f-6826-4cb1-ab4c-542e261d2431

📥 Commits

Reviewing files that changed from the base of the PR and between 4341d0c and 9dad273.

📒 Files selected for processing (1)

• hack/github-actions-runner/cache-warming-cronjob.yaml

[vismishr]

@coderabbitai full review

[coderabbitai]

✅ Actions performed

Full review triggered.

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@hack/github-actions-runner/cache-warming-cronjob.yaml`:
- Line 51: The find command can remove the mounted /cache/go-build directory
itself when empty and cause the job to fail under set -e; update the command
that currently reads "find /cache/go-build -type d -empty -delete" to restrict
deletion to children only by adding -mindepth 1 (e.g. "find /cache/go-build
-mindepth 1 -type d -empty -delete") so the mount root is never removed.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: d8b109ed-2661-46cf-9f8c-45de5957b481

📥 Commits

Reviewing files that changed from the base of the PR and between 4341d0c and c73ce25.

📒 Files selected for processing (1)

• hack/github-actions-runner/cache-warming-cronjob.yaml

[vismishr]

@coderabbitai full review

[coderabbitai]

✅ Actions performed

Full review triggered.

[bryan-cox]

/lgtm

[openshift-merge-bot]

Scheduling tests matching the pipeline_run_if_changed or not excluded by pipeline_skip_if_only_changed parameters:
/test e2e-aks
/test e2e-aws
/test e2e-aws-upgrade-hypershift-operator
/test e2e-azure-self-managed
/test e2e-kubevirt-aws-ovn-reduced
/test e2e-v2-aws
/test e2e-v2-gke

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: bryan-cox, vismishr

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS [bryan-cox]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[cwbotbot]

Test Results

e2e-aws

• Status: ✅ PASS
• Started: 2026-05-12T22:43:59Z
• View Job
• View Job History

e2e-aks

• Status: ✅ PASS
• Started: 2026-05-12T21:33:09Z
• View Job
• View Job History

[bryan-cox]

/retest

[bryan-cox]

/retest

[hypershift-jira-solve-ci]

The PR only changes a YAML file for a cache-warming CronJob — completely unrelated to the hypershift-k8sgpt step or any test/CI infra code. This confirms the failure is a CI infrastructure issue, not caused by the PR.

Test Failure Analysis Complete

Job Information

• Prow Job: pull-ci-openshift-hypershift-main-e2e-azure-v2-self-managed
• Build ID: 2054292898509230080
• Target: e2e-azure-v2-self-managed
• PR: CNTRLPLANE-3329: Add nightly CronJob to warm EFS-backed Go build cache #8496 (CNTRLPLANE-3329: Add nightly CronJob to warm EFS-backed Go build cache)

Test Failure Analysis

Error

"e2e-azure-v2-self-managed" pod "e2e-azure-v2-self-managed-hypershift-k8sgpt" failed:
pod pending for more than 1h0m0s: containers have not started in 1h0m0.000965425s:
inject-cli, sidecar, test:
* Container sidecar is not ready with reason PodInitializing
* Container test is not ready with reason PodInitializing

Summary

All 8 actual e2e tests passed successfully (4 public, 2 private, 2 OAuth LB — all SUCCESS in 31 seconds). The job failure is caused exclusively by a CI infrastructure issue in the post phase: the hypershift-k8sgpt diagnostic post-step pod was stuck in Pending state for over 1 hour due to a stalled image pull of the inject-cli init container image (quay-proxy.ci.openshift.org/openshift/ci@sha256:077c1fe97d5dbc01f8ff417f209817eeda26e284ebd8c70bb24a621d5f46c126) from the CI image registry. The three preceding init containers (ci-scheduling-dns-wait, place-entrypoint, cp-entrypoint-wrapper) all completed successfully, but the fourth init container inject-cli never finished pulling, blocking the sidecar and test containers from starting. PR #8496 only modifies hack/github-actions-runner/cache-warming-cronjob.yaml and has no relation to the hypershift-k8sgpt CI step or any test infrastructure.

Root Cause

The root cause is a transient CI infrastructure image pull failure — specifically, the inject-cli init container image pull from quay-proxy.ci.openshift.org hung indefinitely during the hypershift-k8sgpt post-phase step.

Detailed timeline:

1. 21:37:00 — hypershift-k8sgpt pod created in namespace ci-op-lrip3mr3 on node ip-10-0-181-30.ec2.internal
2. 21:40:08–21:40:39 — Init containers 1–3 (ci-scheduling-dns-wait, place-entrypoint, cp-entrypoint-wrapper) completed successfully
3. 21:40:41 — Init container 4 (inject-cli) began pulling image quay-proxy.ci.openshift.org/openshift/ci@sha256:077c1fe97d5dbc01f8ff417f209817eeda26e284ebd8c70bb24a621d5f46c126
4. No further events — The image pull stalled with no timeout, error, or progress reported for 60+ minutes
5. 22:40:39 — ci-operator killed the pod after its 1-hour pending timeout, marking the step as failed

The hypershift-k8sgpt step is a post-phase diagnostic step (k8sgpt cluster analysis) — it runs after all tests complete and is not related to the actual test functionality. The test phase completed successfully in 31 seconds with all 8 tests passing.

This failure is not caused by PR #8496, which only adds a cache-warming CronJob YAML file (hack/github-actions-runner/cache-warming-cronjob.yaml).

Recommendations

1. Retest the PR — This is a transient CI infrastructure flake. Simply retrigger the job with /retest or /test e2e-azure-v2-self-managed.

2. No code changes needed — PR CNTRLPLANE-3329: Add nightly CronJob to warm EFS-backed Go build cache #8496 changes are completely unrelated to the failure. The test phase passed successfully.

3. If the issue recurs frequently, consider filing a CI infrastructure bug against the quay-proxy.ci.openshift.org registry or the hypershift-k8sgpt step timeout configuration. The 1-hour pending timeout for a post-phase diagnostic step is excessive — a shorter timeout (e.g., 10–15 minutes) would fail faster without blocking cleanup steps for an hour.

Evidence

Evidence	Detail
Failed Step	e2e-azure-v2-self-managed-hypershift-k8sgpt (post phase, diagnostic step)
Step Duration	3818s (~63 min) — entirely spent waiting for image pull
Test Phase Result	✅ All 8 tests PASSED in 31 seconds
Pre Phase Result	✅ All 5 pre-steps succeeded (44m21s total)
Stuck Image	quay-proxy.ci.openshift.org/openshift/ci@sha256:077c1fe97d5dbc01f8ff417f209817eeda26e284ebd8c70bb24a621d5f46c126
Stuck Container	inject-cli (4th init container in the pod)
Last Event	21:40:41 kubelet: Pulling image "quay-proxy.ci.openshift.org/openshift/ci@sha256:077c..." — no further events
Init Containers 1-3	All completed successfully (ci-scheduling-dns-wait, place-entrypoint, cp-entrypoint-wrapper)
Pod Final State	Pending — deleted by ci-operator after 1h timeout
CI Node	ip-10-0-181-30.ec2.internal (build01 cluster)
PR #8496 Files Changed	Only hack/github-actions-runner/cache-warming-cronjob.yaml — unrelated to failure
Job Failure Reason	executing_graph:step_failed:...pod_pending

---

[bryan-cox]

/verified bypass

Hack change only

[openshift-ci-robot]

@bryan-cox: The verified label has been added.

Details

In response to this:

/verified bypass

Hack change only

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[openshift-ci]

@vismishr: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/e2e-azure-v2-self-managed	ca1f7ee	link	false	/test e2e-azure-v2-self-managed

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.