
NO-JIRA: feat(ci): add skopeo and gh CLI to ARC runner image #8627

Merged
enxebre merged 1 commit into openshift:main from enxebre:worktree-dockerfile-runner-tools on Jun 2, 2026

Conversation

@enxebre
Member

@enxebre enxebre commented May 28, 2026

Summary

  • Add skopeo and gh CLI to the ARC runner Docker image
  • These tools are needed by the CPO override validation workflow to inspect container images and query PR metadata

wanted by #8616

Test plan

  • Runner image builds successfully
  • skopeo inspect works inside the runner
  • gh pr view works inside the runner

🤖 Generated with Claude Code

Summary by CodeRabbit

  • Chores
    • Updated the GitHub Actions runner container image to include additional system tools (container image tooling and the GitHub CLI). This enhances workflow automation, improves developer experience, and enables more robust repository and image management within CI environments.
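The test plan above checks that skopeo inspect and gh pr view work inside the runner, and the description says the CPO override validation workflow uses them to inspect container images and query PR metadata. The POSIX shell script below is an added example, not code from this PR or from the hypershift repository: it shows the shape such a validation step can take once both tools are in the image (a tool-presence check, digest extraction from skopeo inspect JSON, and a digest-pinning check on the override reference before the registry's answer is compared with it). The image name, the SAMPLE_INSPECT JSON and the validate_override function are constructed for the example; only skopeo inspect and gh pr view --json are real commands.

```shell
#!/bin/sh
# Added example, not code from this PR or the hypershift repo: checks a
# validation step can run once skopeo and gh are in the runner image.
# SAMPLE_INSPECT is a constructed sample of `skopeo inspect` output, embedded
# so the script runs offline; the image name is made up for the example.
set -eu

SAMPLE_INSPECT='{
  "Name": "quay.io/example/control-plane-operator",
  "Digest": "sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef",
  "RepoTags": ["latest"],
  "Architecture": "amd64",
  "Os": "linux"
}'

# The PR's test plan in function form: every named tool must resolve on PATH.
tools_present() {
    for t in "$@"; do
        command -v "$t" >/dev/null 2>&1 || { echo "missing tool: $t" >&2; return 1; }
    done
}

# Extract the manifest digest from `skopeo inspect` JSON on stdin. Plain
# grep/sed rather than jq, so it also works on a minimal runner image.
# head -n 1 keeps the top-level Digest, which skopeo prints before the
# per-layer digests in LayersData.
digest_from_inspect() {
    grep -o '"Digest": *"sha256:[0-9a-f]\{64\}"' | head -n 1 |
        sed 's/.*"\(sha256:[0-9a-f]*\)"/\1/'
}

# An override image reference must be pinned by digest, not a mutable tag,
# so the image a PR asks to test is the image that actually gets tested.
ref_is_digest_pinned() {
    printf '%s\n' "$1" | grep -Eq '@sha256:[0-9a-f]{64}$'
}

# Cross-check the requested reference against what the registry reports.
#   $1: override reference (e.g. taken from the PR body via
#       gh pr view "$PR_NUMBER" --json body --jq .body)
#   $2: output of: skopeo inspect "docker://$1"
validate_override() {
    ref="$1"
    inspect_json="$2"
    ref_is_digest_pinned "$ref" || { echo "override must be digest-pinned: $ref" >&2; return 1; }
    want="${ref##*@}"
    got="$(printf '%s' "$inspect_json" | digest_from_inspect)"
    [ "$got" = "$want" ] || { echo "digest mismatch: want $want, got $got" >&2; return 1; }
}

# Offline demo with the constructed sample. In the real workflow the second
# argument would be "$(skopeo inspect "docker://$REF")".
REF="quay.io/example/control-plane-operator@sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"
if validate_override "$REF" "$SAMPLE_INSPECT"; then
    echo "override reference verified: $REF"
fi
```

The digest comparison is the part worth keeping in a real workflow: a tag-only override would let the registry content change between the PR being reviewed and the job running, while a digest-pinned reference plus skopeo inspect confirms the registry still serves exactly that manifest.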

@openshift-merge-bot
Contributor

Pipeline controller notification
This repo is configured to use the pipeline controller. Second-stage tests will be triggered either automatically or after lgtm label is added, depending on the repository configuration. The pipeline controller will automatically detect which contexts are required and will utilize /test Prow commands to trigger the second stage.

For optional jobs, comment /test ? to see a list of all defined jobs. To trigger manually all jobs from second stage use /pipeline required command.

This repository is configured in: LGTM mode

@openshift-ci-robot openshift-ci-robot added the jira/valid-reference label (Indicates that this PR references a valid Jira ticket of any type) May 28, 2026
@openshift-ci-robot

@enxebre: This pull request explicitly references no jira issue.


Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@coderabbitai
Contributor

coderabbitai Bot commented May 28, 2026

Walkthrough

This pull request updates the GitHub Actions runner Dockerfile to include two additional tools. It adds skopeo to the root package installation and integrates the GitHub CLI by fetching the official GPG signing key, configuring the APT repository source, updating the package cache, and installing the gh package. The changes consolidate tool provisioning in a single Docker build stage.

Sequence Diagram(s)

sequenceDiagram
  participant BuildStage
  participant APT
  participant GitHubAPTRepo
  BuildStage->>APT: apt-get install (existing deps + skopeo)
  BuildStage->>GitHubAPTRepo: fetch GitHub CLI GPG key + add deb entry
  BuildStage->>APT: apt-get update
  BuildStage->>APT: apt-get install gh

Possibly related PRs

  • openshift/hypershift#8598: Adjusts workflow to avoid using gh api when gh is not available on ARC runners; related to gh availability in CI runners.

Suggested reviewers

  • cblecker

Important

Pre-merge checks failed

Please resolve all errors before merging. Addressing warnings is optional.

❌ Failed checks (1 error)

  • Stable And Deterministic Test Names: ❌ Error. Found unstable Ginkgo test name using fmt.Sprintf with dynamic variable in test/envtest/generator.go line 230. Resolution: replace fmt.Sprintf in test title with static string; move dynamic featureSet value to test body assertions.

✅ Passed checks (10 passed)

  • Title check: ✅ Passed. The pull request title clearly and concisely summarizes the main change: adding skopeo and gh CLI to the ARC runner image, matching the changeset summary perfectly.
  • Linked Issues check: ✅ Passed. Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check: ✅ Passed. Check skipped because no linked issues were found for this pull request.
  • Test Structure And Quality: ✅ Passed. PR only modifies Dockerfile.github-actions-runner (adding skopeo and gh CLI). Check is for Ginkgo test code quality, but PR contains no test code changes.
  • Topology-Aware Scheduling Compatibility: ✅ Passed. PR adds topologySpreadConstraints using whenUnsatisfiable: ScheduleAnyway (not DoNotSchedule), which is topology-aware and compatible with all OpenShift topologies.
  • Ipv6 And Disconnected Network Test Compatibility: ✅ Passed. PR adds Dockerfile.github-actions-runner and standard Go tests (not Ginkgo). Custom check targets Ginkgo e2e tests with patterns like It(), Describe(), Context(), When() — none are present.
  • No-Weak-Crypto: ✅ Passed. No weak cryptographic algorithms or patterns detected. GitHub CLI uses RSA 4096, which is modern and secure.
  • Container-Privileges: ✅ Passed. The Dockerfile contains no privileged settings (privileged, hostPID, hostNetwork, hostIPC, SYS_ADMIN, allowPrivilegeEscalation), only tool installation and user switch to 'runner'.
  • No-Sensitive-Data-In-Logs: ✅ Passed. Dockerfile adds skopeo and GitHub CLI without exposing sensitive data. All curl commands use silent flags, no credentials are logged, and APT configuration contains only public URLs.
  • Description Check: ✅ Passed. Check skipped; CodeRabbit's high-level summary is enabled.

Comment @coderabbitai help to get the list of available commands and usage tips.
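CodeRabbit's walkthrough says gh is installed by fetching GitHub's GPG signing key, adding an APT source, and running apt-get update and apt-get install. The page does not show the Dockerfile lines themselves, so the script below is an added example of the commands a RUN step would execute, not the PR's own Dockerfile. It assumes a Debian/Ubuntu base image and uses the keyring and repository URLs from GitHub's own gh installation instructions; the gate function apt_source_line_ok is mine. The security point is that the downloaded key goes into a repository-scoped keyring referenced by signed-by=, not into the global APT trust store, so that key can only verify packages from cli.github.com and a bad download or a compromised key cannot vouch for packages from any other repository.

```shell
#!/bin/sh
# Added example, not the PR's Dockerfile: the commands a RUN step executes to
# register the GitHub CLI APT repository with a repository-scoped keyring.
# Assumes a Debian/Ubuntu base image; URLs are from GitHub's gh install docs.
set -eu

GH_KEY_URL="https://cli.github.com/packages/githubcli-archive-keyring.gpg"
GH_KEYRING="/usr/share/keyrings/githubcli-archive-keyring.gpg"
GH_REPO_URL="https://cli.github.com/packages"

# Build the sources.list entry. signed-by= scopes trust to this one keyring,
# so the key can only verify packages from this repository.
gh_apt_source_line() {
    printf 'deb [arch=%s signed-by=%s] %s stable main\n' "$1" "$GH_KEYRING" "$GH_REPO_URL"
}

# Gate: reject an entry that lacks a scoped keyring (it would fall back to the
# global trust store, the same effect as the deprecated apt-key add) or that
# fetches over plain http.
apt_source_line_ok() {
    case "$1" in
        *"signed-by=/"*) ;;
        *) return 1 ;;
    esac
    case "$1" in
        *" https://"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Privileged part, meant to run as root during the image build.
install_gh_repo() {
    arch="$(dpkg --print-architecture)"
    mkdir -p /usr/share/keyrings /etc/apt/sources.list.d
    # -f: an HTTP error page must never be saved as the "keyring".
    curl -fsSL "$GH_KEY_URL" -o "$GH_KEYRING"
    chmod 0644 "$GH_KEYRING"   # apt's fetch helper runs as _apt and needs read access
    line="$(gh_apt_source_line "$arch")"
    apt_source_line_ok "$line" || { echo "refusing unscoped or insecure apt source: $line" >&2; return 1; }
    printf '%s\n' "$line" > /etc/apt/sources.list.d/github-cli.list
    apt-get update
    apt-get install -y --no-install-recommends gh
    rm -rf /var/lib/apt/lists/*
}

# Only touch the system when invoked as: sh setup-gh-repo.sh install
if [ "${1:-}" = "install" ]; then
    install_gh_repo
fi
```

Without the install argument the script only defines the functions, so the entry builder and the gate can be exercised with no network and no root. One caveat: the fingerprint of the downloaded key is not checked here, because the page records no value for it; if the build must not rely solely on cli.github.com's TLS, record the expected fingerprint in the repo and compare it with gpg --show-keys before writing the sources file.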

@openshift-ci openshift-ci Bot requested review from bryan-cox and jparrill May 28, 2026 15:46
@openshift-ci openshift-ci Bot added the approved label (Indicates a PR has been approved by an approver from all required OWNERS files) May 28, 2026
Contributor

@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 0

🧹 Nitpick comments (1)
Dockerfile.github-actions-runner (1)

45-45: 💤 Low value

Consider adding a HEALTHCHECK instruction.

The container security guidelines require a HEALTHCHECK to be defined. While this is a pre-existing omission, adding one would improve container orchestration and health monitoring.

Example HEALTHCHECK
HEALTHCHECK --interval=30s --timeout=5s --start-period=5s --retries=3 \
    CMD pgrep -x Runner.Listener || exit 1

As per coding guidelines: "HEALTHCHECK defined".

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@Dockerfile.github-actions-runner` at line 45, Add a Docker HEALTHCHECK
instruction after the USER runner line to satisfy the "HEALTHCHECK defined"
guideline; implement a lightweight check that verifies the Runner process is
alive (e.g., using a command that looks for the Runner.Listener process or
equivalent) and configure sensible flags like --interval, --timeout,
--start-period and --retries so orchestration can detect unhealthy containers.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: d08b99c8-0a53-496f-80ee-1ef6658960e3

📥 Commits

Reviewing files that changed from the base of the PR and between adfbcdd and 538e292.

📒 Files selected for processing (1)
  • Dockerfile.github-actions-runner

@bryan-cox
Member

/retest

Member

@bryan-cox bryan-cox left a comment


Can we update the hack docs so it's documented that we added skopeo and gh CLI?

@codecov

codecov Bot commented May 28, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 40.68%. Comparing base (adfbcdd) to head (97ee248).
⚠️ Report is 34 commits behind head on main.

Additional details and impacted files
@@            Coverage Diff             @@
##             main    #8627      +/-   ##
==========================================
- Coverage   45.84%   40.68%   -5.17%     
==========================================
  Files         440      755     +315     
  Lines       52824    93363   +40539     
==========================================
+ Hits        24218    37985   +13767     
- Misses      26816    52645   +25829     
- Partials     1790     2733     +943     

see 315 files with indirect coverage changes

Flag Coverage Δ
cmd-support 34.70% <ø> (?)
cpo-hostedcontrolplane 41.80% <ø> (ø)
cpo-other 41.39% <ø> (ø)
hypershift-operator 50.82% <ø> (ø)
other 31.61% <ø> (?)


These tools are needed by the CPO override validation workflow
to inspect container images and query PR metadata.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@enxebre enxebre force-pushed the worktree-dockerfile-runner-tools branch from 538e292 to 97ee248 May 29, 2026 09:38
@bryan-cox
Member

/retest

@bryan-cox
Member

/area ci-tooling

@openshift-ci openshift-ci Bot added the area/ci-tooling label (Indicates the PR includes changes for CI or tooling) and removed the do-not-merge/needs-area label May 29, 2026
@bryan-cox
Member

/verified later @enxebre

@openshift-ci-robot openshift-ci-robot added the verified-later and verified labels (Signifies that the PR passed pre-merge verification criteria) May 29, 2026
Member

@bryan-cox bryan-cox left a comment


/lgtm

@openshift-ci-robot

@bryan-cox: This PR has been marked to be verified later by @enxebre.


Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@openshift-ci openshift-ci Bot added the lgtm label (Indicates that a PR is ready to be merged) May 29, 2026
@openshift-merge-bot
Contributor

Scheduling tests matching the pipeline_run_if_changed or not excluded by pipeline_skip_if_only_changed parameters:
/test e2e-aks
/test e2e-aws
/test e2e-aws-upgrade-hypershift-operator
/test e2e-azure-self-managed
/test e2e-kubevirt-aws-ovn-reduced
/test e2e-v2-aws
/test e2e-v2-gke

@openshift-ci
Contributor

openshift-ci Bot commented May 29, 2026

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: bryan-cox, enxebre

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@cwbotbot

cwbotbot commented May 29, 2026

Test Results

e2e-aws

e2e-aks

@openshift-merge-bot
Contributor

/retest-required

Remaining retests: 0 against base HEAD 9b67f7b and 2 for PR HEAD 97ee248 in total

@openshift-merge-bot
Contributor

/retest-required

Remaining retests: 0 against base HEAD 8b13140 and 1 for PR HEAD 97ee248 in total

@bryan-cox
Member

/retest

@openshift-merge-bot
Contributor

/retest-required

Remaining retests: 0 against base HEAD 988f2be and 0 for PR HEAD 97ee248 in total

@hypershift-jira-solve-ci

AI Test Failure Analysis

Job: pull-ci-openshift-hypershift-main-e2e-aws | Build: 2060390333161672704 | Cost: $2.27400825 | Failed step: hypershift-aws-run-e2e-nested

View full analysis report


Generated by hypershift-analyze-e2e-failure post-step using Claude claude-opus-4-6

@openshift-merge-bot
Contributor

/hold

Revision 97ee248 was retested 3 times: holding

@openshift-ci openshift-ci Bot added the do-not-merge/hold label (Indicates that a PR should not merge because someone has issued a /hold command) May 29, 2026
openshift-merge-bot Bot pushed a commit that referenced this pull request May 30, 2026
Dockerfiles contain no Go code and should not be included in
coverage analysis. PRs that only modify Dockerfiles (e.g. #8627)
fail patch coverage checks unnecessarily.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@enxebre enxebre removed the do-not-merge/hold label (Indicates that a PR should not merge because someone has issued a /hold command) Jun 1, 2026
@openshift-merge-bot
Contributor

/retest-required

Remaining retests: 0 against base HEAD ab1e63b and 2 for PR HEAD 97ee248 in total

@openshift-ci
Contributor

openshift-ci Bot commented Jun 1, 2026

@enxebre: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

@hypershift-jira-solve-ci

Now I have complete understanding of the failure. Here is the analysis:

Test Failure Analysis Complete

Job Information

  • Prow Job: codecov/project (GitHub Actions check, not a Prow CI job)
  • Build ID: Check Run 78851591210
  • PR: #8627 NO-JIRA: feat(ci): add skopeo and gh CLI to ARC runner image
  • Branch: worktree-dockerfile-runner-tools
  • Base Commit: adfbcdd (2026-05-28)
  • Head Commit: 97ee248

Test Failure Analysis

Error

codecov/project: 40.68% (-5.17%) compared to adfbcdd
Project coverage dropped from 45.84% to 40.68% (-5.17%).
Files: 440 → 755 (+315), Lines: 52,824 → 93,363 (+40,539)
⚠ Report is 34 commits behind head on main.

Summary

This is not a real test or code failure. The codecov/project check is failing because Codecov is comparing this PR's coverage against a stale base commit (adfbcdd) that is 34 commits behind main. During that 34-commit gap, 315 new files and 40,539 new lines were added to main — but the unit test runs on this PR branch don't include coverage for those newly-added files. This creates a false -5.17% coverage drop. The PR itself only modifies Dockerfile.github-actions-runner (a non-code file explicitly excluded from coverage via **/Dockerfile* in codecov.yml), so it cannot have caused any real coverage change. All actual CI/Prow jobs and unit tests passed.

Root Cause

The root cause is a stale Codecov base comparison combined with significant main branch churn:

  1. Stale base commit: Codecov is comparing against base commit adfbcdd (from 2026-05-28), but main has advanced 34 commits since then. The Codecov report itself confirms: "Report is 34 commits behind head on main."

  2. Large coverage denominator shift: Those 34 commits added 315 new source files and 40,539 lines of code to the repository. When Codecov computes project-level coverage for this PR, it includes all those new files in the denominator but the PR's test runs don't necessarily cover all of them, causing the overall percentage to drop from 45.84% → 40.68%.

  3. PR changes are coverage-neutral: The PR modifies only Dockerfile.github-actions-runner, which is explicitly excluded from coverage measurement in codecov.yml (via the **/Dockerfile* ignore pattern). The file adds skopeo and gh CLI to the GitHub Actions runner image — it contains no Go source code.

  4. No coverage threshold configured: The codecov.yml does not define a coverage.status.project.default.threshold value. Without an explicit threshold, Codecov defaults to failing the check when coverage drops by any amount compared to the base, even when that drop is entirely due to base-branch drift rather than the PR's changes.

  5. codecov/patch passed: Notably, the companion codecov/patch check (which only evaluates coverage of lines actually changed in the PR) passed successfully, confirming the PR itself introduced no coverage regression.

Recommendations
  1. This failure can be safely ignored — it is a false positive caused by base-branch drift. All 13 Prow CI jobs, all unit tests, lint, verify, and the codecov/patch check passed. The PR changes no Go source code.

  2. Rebase the PR onto current main — this will update the Codecov base reference and likely resolve the coverage delta by aligning the file/line counts. Run:

    git fetch origin main && git rebase origin/main
    
  3. Add a coverage threshold to codecov.yml to prevent future false failures from base drift. Add to the project's codecov.yml:

    coverage:
      status:
        project:
          default:
            threshold: 1%    # Allow up to 1% drop before failing
        patch:
          default:
            target: auto
  4. Consider setting notify.wait_for_ci: true — the current config has wait_for_ci: false, meaning Codecov reports before all CI coverage uploads complete. Setting it to true ensures all unit test coverage data is aggregated before the status check is posted, reducing incomplete-coverage false positives.

Evidence

  • PR files changed: Only Dockerfile.github-actions-runner, zero Go source files
  • Codecov ignore rules: **/Dockerfile* is in the ignore list in codecov.yml
  • Base commit staleness: adfbcdd is 34 commits behind main (Codecov report confirms this)
  • Coverage delta cause: 315 new files (+40,539 lines) added to main since base; PR test runs don't cover them all
  • codecov/patch status: ✅ PASSED, "All modified and coverable lines are covered by tests"
  • All Prow jobs: ✅ All 13 Prow CI jobs passed (e2e-aws, e2e-aks, e2e-azure, images, security, etc.)
  • All unit tests: ✅ All 5 unit test shards passed
  • Coverage threshold config: None configured; Codecov uses default (fail on any drop)
  • wait_for_ci setting: false; Codecov may report before all coverage uploads arrive

@enxebre enxebre merged commit 25970a1 into openshift:main Jun 2, 2026
40 of 48 checks passed

Labels

  • approved: Indicates a PR has been approved by an approver from all required OWNERS files.
  • area/ci-tooling: Indicates the PR includes changes for CI or tooling
  • jira/valid-reference: Indicates that this PR references a valid Jira ticket of any type.
  • lgtm: Indicates that a PR is ready to be merged.
  • verified: Signifies that the PR passed pre-merge verification criteria
  • verified-later


4 participants