Add Slack notification for LVMS CI Doctor to #team-ocp-edge-notifications

[kasturinarra]

Summary

• Add webhook-based Slack notification in the LVMS CI Doctor post step to send report links to #team-ocp-edge-notifications
• Prow reporter_config only supports a single channel (#lvms-release-coordination), so a webhook curl in the post step covers the second channel
• Reuses the existing edge-tooling-ci-monitor-slack-webhook Vault secret (already contains the team-ocp-edge-notifications webhook)
• Notification only fires for periodic jobs (not presubmits)

Changes

• openshift-edge-tooling-lvms-ci-post-ref.yaml — added credential mount for the slack webhook secret
• openshift-edge-tooling-lvms-ci-post-commands.sh — added curl to post report link via webhook after downloading the report

Test plan

• Verify CI rehearsal passes (pj-rehearse)
• Trigger a periodic LVMS CI Doctor run and confirm notification appears in #team-ocp-edge-notifications

🤖 Generated with Claude Code

Summary by CodeRabbit

This PR updates the OpenShift CI “LVMS CI Doctor” post-step so that periodic LVMS CI Doctor runs also notify #team-ocp-edge-notifications in Slack. Practically, this ensures the report artifact link and corresponding Prow log links reach the edge notifications channel as well as the existing Prow-reporter channel, working around Prow’s reporter_config single-Slack-channel limitation.

It does this by:

• updating the openshift-edge-tooling-lvms-ci-post job spec to mount the existing edge-tooling-ci-monitor-slack-webhook Vault secret (exposing it at /var/run/slack-webhook)
• extending openshift-edge-tooling-lvms-ci-post-commands.sh to curl the Slack webhook and post the report + Prow log links after the report is detected
• restricting the Slack webhook message to periodic jobs only (not presubmits)
• making Slack delivery non-fatal (prints a warning and continues if the webhook post fails)

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 0fdaa232-69e6-4742-bbf3-ae11589184df

📥 Commits

Reviewing files that changed from the base of the PR and between 18f3c59 and 5b42d69.

📒 Files selected for processing (2)

• ci-operator/step-registry/openshift/edge-tooling/lvms-ci/post/openshift-edge-tooling-lvms-ci-post-commands.sh
• ci-operator/step-registry/openshift/edge-tooling/lvms-ci/post/openshift-edge-tooling-lvms-ci-post-ref.yaml

🚧 Files skipped from review as they are similar to previous changes (2)

• ci-operator/step-registry/openshift/edge-tooling/lvms-ci/post/openshift-edge-tooling-lvms-ci-post-ref.yaml
• ci-operator/step-registry/openshift/edge-tooling/lvms-ci/post/openshift-edge-tooling-lvms-ci-post-commands.sh

---

Walkthrough

The LVMS CI post step now mounts a Slack webhook credential and, for periodic jobs, posts a Slack notification containing the LVMS CI Doctor report artifact and Prow log links. Notification failures are non-fatal.

Changes

LVMS CI Slack notification

Layer / File(s)	Summary
Slack post flow ci-operator/step-registry/openshift/edge-tooling/lvms-ci/post/...	The post script checks for the webhook file, builds the LVMS CI Doctor message with report and log URLs, posts it to Slack, and logs success or a warning on failure.
Credential mount and docs ci-operator/step-registry/openshift/edge-tooling/lvms-ci/post/...	The post-step reference adds the Slack webhook credential mount and updates the step description to mention the Slack notification.

🎯 2 (Simple) | ⏱️ ~10 minutes

🚥 Pre-merge checks | ✅ 15

✅ Passed checks (15 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately summarizes the main change: adding a Slack notification for LVMS CI Doctor to the target channel.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names	✅ Passed	The PR only changes a shell step and YAML metadata; no Ginkgo It/Describe/Context/When titles were added or modified.
Test Structure And Quality	✅ Passed	PR only changes a post-step shell script and YAML ref; no Ginkgo tests or test structure to review.
Microshift Test Compatibility	✅ Passed	No Ginkgo e2e tests were added or modified; the PR only changes a shell post-step and YAML credentials, so MicroShift compatibility isn’t implicated.
Single Node Openshift (Sno) Test Compatibility	✅ Passed	No Ginkgo/e2e tests were added or modified; the diff only changes a post-step shell script and YAML credentials, so SNO compatibility is not applicable.
Topology-Aware Scheduling Compatibility	✅ Passed	Only a CI post-step script and credential mount changed; no node selectors, affinities, spread constraints, replicas, or PDBs were added.
Ote Binary Stdout Contract	✅ Passed	Only a ci-operator shell step and YAML changed; no OTE binary or process-level main/suite code was touched.
Ipv6 And Disconnected Network Test Compatibility	✅ Passed	No new Ginkgo e2e tests were added; the PR only changes a post-step shell script and YAML credentials/docs.
No-Weak-Crypto	✅ Passed	Changed files only add a Slack webhook curl and credential mount; no weak crypto, custom crypto, or secret/token comparisons are present.
Container-Privileges	✅ Passed	The only manifest change adds a Slack webhook credential mount; no privileged, hostPID/hostNetwork/hostIPC, SYS_ADMIN, root, or allowPrivilegeEscalation settings appear.
No-Sensitive-Data-In-Logs	✅ Passed	The new webhook POST is wrapped with set +x, so the secret URL isn't traced, and no passwords/tokens/PII are echoed in the added logs.

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

_{Comment @coderabbitai help to get the list of available commands.}

[kasturinarra]

/pj-rehearse periodic-ci-openshift-eng-edge-tooling-main-lvms-ci-doctor

[openshift-merge-bot]

@kasturinarra: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

[coderabbitai]

Actionable comments posted: 3

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In
`@ci-operator/step-registry/openshift/edge-tooling/lvms-ci/post/openshift-edge-tooling-lvms-ci-post-commands.sh`:
- Around line 41-45: The Slack notification call in the post script can hang
indefinitely because the curl invocation has no connect/read bounds; update the
webhook request in openshift-edge-tooling-lvms-ci-post-commands.sh to use
explicit timeout settings on the curl command so a slow or blackholed endpoint
fails quickly. Keep the existing best-effort behavior and message handling
around the webhook post, but make sure the timeout is applied directly in the
curl call that posts PAYLOAD to the URL read from WEBHOOK_FILE.
- Around line 36-43: The Slack notification block in
openshift-edge-tooling-lvms-ci-post-commands.sh leaks the webhook URL because
xtrace is still enabled when curl expands $(cat "${WEBHOOK_FILE}"). Update the
webhook posting section that builds REPORT_URL, MESSAGE, PAYLOAD, and calls curl
by disabling tracing with set +x before reading/posting the webhook, then
restoring it afterward (or keep xtrace off for the whole script) so the secret
never appears in job logs.

In
`@ci-operator/step-registry/openshift/edge-tooling/lvms-ci/post/openshift-edge-tooling-lvms-ci-post-ref.yaml`:
- Line 21: The step description is documenting the wrong Slack destination: the
YAML summary currently says the notification goes to team-ocp-edge, but the
corresponding posting logic uses the team-ocp-edge-notifications channel. Update
the text in the affected step metadata to match the actual channel used by the
companion script so the documented destination aligns with the implementation.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 227110e5-3f2b-49eb-bdd8-a60e38f45cc9

📥 Commits

Reviewing files that changed from the base of the PR and between 436ce01 and 18f3c59.

📒 Files selected for processing (2)

• ci-operator/step-registry/openshift/edge-tooling/lvms-ci/post/openshift-edge-tooling-lvms-ci-post-commands.sh
• ci-operator/step-registry/openshift/edge-tooling/lvms-ci/post/openshift-edge-tooling-lvms-ci-post-ref.yaml

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: kasturinarra

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• ci-operator/step-registry/openshift/edge-tooling/lvms-ci/post/OWNERS [kasturinarra]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[openshift-merge-bot]

[REHEARSALNOTIFIER]
@kasturinarra: the pj-rehearse plugin accommodates running rehearsal tests for the changes in this PR. Expand 'Interacting with pj-rehearse' for usage details. The following rehearsable tests have been affected by this change:

Test name	Repo	Type	Reason
periodic-ci-openshift-eng-edge-tooling-main-lvms-ci-doctor	N/A	periodic	Registry content changed

Interacting with pj-rehearse

Comment: /pj-rehearse to run up to 5 rehearsals
Comment: /pj-rehearse skip to opt-out of rehearsals
Comment: /pj-rehearse {test-name}, with each test separated by a space, to run one or more specific rehearsals
Comment: /pj-rehearse more to run up to 10 rehearsals
Comment: /pj-rehearse max to run up to 25 rehearsals
Comment: /pj-rehearse auto-ack to run up to 5 rehearsals, and add the rehearsals-ack label on success
Comment: /pj-rehearse list to get an up-to-date list of affected jobs
Comment: /pj-rehearse abort to abort all active rehearsals
Comment: /pj-rehearse network-access-allowed to allow rehearsals of tests that have the restrict_network_access field set to false. This must be executed by an openshift org member who is not the PR author

Once you are satisfied with the results of the rehearsals, comment: /pj-rehearse ack to unblock merge. When the rehearsals-ack label is present on your PR, merge will no longer be blocked by rehearsals.
If you would like the rehearsals-ack label removed, comment: /pj-rehearse reject to re-block merging.

[kasturinarra]

/pj-rehearse periodic-ci-openshift-eng-edge-tooling-main-lvms-ci-doctor

[openshift-merge-bot]

@kasturinarra: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

[openshift-ci]

@kasturinarra: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/generated-dashboards	c2a8ab5	link	true	/test generated-dashboards
ci/prow/generated-config	c2a8ab5	link	true	/test generated-config
ci/prow/image-mirroring-config-validation	c2a8ab5	link	true	/test image-mirroring-config-validation
ci/prow/check-gh-automation-tide	c2a8ab5	link	true	/test check-gh-automation-tide
ci/prow/ordered-prow-config	c2a8ab5	link	true	/test ordered-prow-config
ci/prow/sync-rover-groups	c2a8ab5	link	true	/test sync-rover-groups
ci/prow/ci-operator-config-metadata	c2a8ab5	link	true	/test ci-operator-config-metadata
ci/prow/prow-config-semantics	c2a8ab5	link	true	/test prow-config-semantics
ci/prow/ci-secret-bootstrap-config-validation	c2a8ab5	link	true	/test ci-secret-bootstrap-config-validation
ci/prow/boskos-config	c2a8ab5	link	true	/test boskos-config
ci/prow/clusterimageset-validate	c2a8ab5	link	true	/test clusterimageset-validate
ci/prow/check-trigger-trusted-apps	c2a8ab5	link	true	/test check-trigger-trusted-apps
ci/prow/secret-generator-config-valid	c2a8ab5	link	true	/test secret-generator-config-valid
ci/prow/check-gh-automation	c2a8ab5	link	true	/test check-gh-automation
ci/prow/stackrox-stackrox-stackrox-stackrox-check	c2a8ab5	link	true	/test stackrox-stackrox-stackrox-stackrox-check
ci/prow/boskos-config-generation	c2a8ab5	link	true	/test boskos-config-generation
ci/prow/check-cluster-profiles-config	c2a8ab5	link	false	/test check-cluster-profiles-config
ci/prow/prow-config-filenames	c2a8ab5	link	true	/test prow-config-filenames
ci/prow/config	c2a8ab5	link	true	/test config
ci/prow/prow-config	c2a8ab5	link	true	/test prow-config
ci/prow/cluster-manifest-verifier	c2a8ab5	link	true	/test cluster-manifest-verifier

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.