konflux-build-triage: filter EOL versions and require user confirmation#32

Merged: jbpratt merged 1 commit into main from konflux-triage-supported-versions-and-confirmation on May 14, 2026

@quay-devel
Contributor

Summary

  • Filter unsupported versions: New get-supported-versions.sh script queries the Red Hat Quay lifecycle API at runtime. check-build-health.sh gains a --supported-only flag that excludes components for end-of-life Quay versions (using a blacklist so unreleased/in-development versions are still triaged).
  • Require user confirmation: The dispatcher now presents a numbered table of actionable failures and waits for the user to approve which ones to triage before spawning any debugger sessions. No more auto-launching.
  • Updated CLAUDE.md pipeline steps (now 6 steps with new confirmation gate at Step 4), non-negotiable rules, ambient.json prompts, README.md architecture diagram, and docs.

Test plan

  • Verify get-supported-versions.sh returns correct supported/EOL lists from the Red Hat lifecycle API
  • Verify get-supported-versions.sh --eol returns only EOL versions
  • Verify check-build-health.sh --supported-only correctly filters EOL version components without false positives (e.g. v3-1 should not match v3-18)
  • Run a triage session and confirm it presents failures for approval instead of auto-spawning
  • Confirm unreleased/in-development versions (not yet in lifecycle API) are still included

🤖 Generated with Claude Code

…confirmation

Only triage builds for Quay versions that are currently supported per
the Red Hat product lifecycle API, and wait for user confirmation before
spawning debugger sessions instead of auto-launching them.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@coderabbitai

coderabbitai Bot commented May 13, 2026

Walkthrough

The Konflux Build Triage workflow is enhanced to filter failures to supported Quay versions only and to gate debugger session spawning behind explicit user confirmation. A new script queries Red Hat's product lifecycle API, the health check script integrates filtering via a new --supported-only flag, and the dispatcher prompt and documentation are updated to enforce the confirmation workflow.

Changes

Supported Version Filtering and User Confirmation Gates

| Layer / File(s) | Summary |
|---|---|
| Version lifecycle API integration<br>workflows/konflux-build-triage/scripts/get-supported-versions.sh | New script queries Red Hat's product lifecycle API for Quay versions; supports --eol and --json flags; validates dependencies, handles API errors, and outputs supported or end-of-life versions sorted numerically. |
| Health check filtering<br>workflows/konflux-build-triage/scripts/check-build-health.sh | Adds -s/--supported-only CLI option that loads EOL metadata via the new script, constructs a regex matching EOL version numbers, and filters components.tsv to exclude unsupported Quay versions. |
| Dispatcher rules and workflow flow<br>workflows/konflux-build-triage/.ambient/ambient.json, workflows/konflux-build-triage/CLAUDE.md | Tightens dispatcher prompt rules to restrict checks to supported versions, prohibit auto-spawning, and always wait for user confirmation; updates pipeline steps to invoke check-build-health.sh --failed-only --supported-only, present failures in a table with deduplication and cap markers, prompt for user selection, and spawn debugger sessions only for approved failures. Final summary now includes Skipped (EOL version) and Skipped (user) counts. |
| Documentation updates<br>workflows/konflux-build-triage/README.md | Architecture diagram and workflow description now include supported-version filtering via Red Hat lifecycle API, a dedicated user-confirmation gate before debugger spawning, and the new get-supported-versions.sh script in the scripts reference section. |

Sequence Diagram

sequenceDiagram
    participant Agent as Dispatcher Agent
    participant Check as check-build-health.sh
    participant API as Red Hat Lifecycle API
    participant Get as get-supported-versions.sh
    participant User as User

    Agent->>Check: Invoke with --failed-only --supported-only
    Check->>Get: Query supported & EOL versions
    Get->>API: GET Red Hat Quay product lifecycle
    API-->>Get: Return version list with lifecycle status
    Get-->>Check: Return EOL version names
    Check->>Check: Filter components.tsv (remove EOL matches)
    Check-->>Agent: Return deduplicated failures
    
    Agent->>Agent: Build failure table with markers
    Agent->>User: Present "Build Failures Ready for Triage"
    Note over User: Review table: failures, already triaged,<br/>triage cap skipped, EOL skipped
    User-->>Agent: Select failures to triage or "none"
    
    alt User approves failures
        Agent->>Agent: Spawn debugger for each approved failure
        Note over Agent: Sessions spawned only for<br/>user-selected failures
    else User selects none
        Agent->>Agent: Skip spawning
    end
    
    Agent->>Agent: Report summary with skipped counts
    Agent-->>User: Exit (stop agent session)

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

@coderabbitai coderabbitai Bot left a comment

🧹 Nitpick comments (3)
workflows/konflux-build-triage/scripts/check-build-health.sh (2)

110-113: ⚡ Quick win

Allow error messages from get-supported-versions.sh to propagate.

Line 110 redirects stderr to /dev/null, which suppresses helpful error messages from get-supported-versions.sh. If the script fails (e.g., due to network issues, jq parsing errors, or API changes), the user only sees the generic "Failed to fetch lifecycle data" message without context about the root cause.

Proposed fix to preserve error context
-  EOL_VERSIONS=$("$SCRIPT_DIR/get-supported-versions.sh" --eol 2>/dev/null) || {
+  EOL_VERSIONS=$("$SCRIPT_DIR/get-supported-versions.sh" --eol) || {
     echo "Error: Failed to fetch lifecycle data from Red Hat lifecycle API" >&2
     exit 1
   }
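
Review bot: The unchanged echo line still attributes every non-zero exit of get-supported-versions.sh to the Red Hat lifecycle API, which reads as a contradiction once the script's own stderr is printed just above it (the walkthrough notes the script also validates dependencies). A neutral message such as "get-supported-versions.sh --eol failed" keeps the two lines consistent.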

This allows the original error message from get-supported-versions.sh to reach stderr, providing better debugging information while still failing with the additional context message.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@workflows/konflux-build-triage/scripts/check-build-health.sh` around lines
110 - 113, The current call to get-supported-versions.sh hides stderr by
redirecting it to /dev/null; remove the 2>/dev/null so errors from
"$SCRIPT_DIR/get-supported-versions.sh" (which populates EOL_VERSIONS) are
allowed to propagate to the user, while keeping the existing failure branch that
echoes "Error: Failed to fetch lifecycle data from Red Hat lifecycle API" and
exits; update the invocation around the EOL_VERSIONS assignment to let the
script's own error output surface for debugging.

115-118: 💤 Low value

Consider simplifying the version-to-regex transformation.

The current sed pipeline works correctly but is more complex than necessary. It escapes dots, then un-escapes them while transforming the pattern. A simpler approach would directly convert dots to hyphens and prepend "v".

Simpler alternative
-    # Build a regex that matches application names containing EOL version numbers
-    # Application names follow the pattern: quay-v3-18 -> version 3.18
-    # Use ([^0-9]|$) boundary to prevent v3-1 matching inside v3-18
-    EOL_PATTERN=$(echo "$EOL_VERSIONS" | sed 's/\./\\./g' | sed 's/\(.*\)\\\.\(.*\)/v\1-\2/' | paste -sd'|' -)
+    # Build a regex that matches application names containing EOL version numbers
+    # Application names follow the pattern: quay-v3-18 -> version 3.18
+    # Use ([^0-9]|$) boundary to prevent v3-1 matching inside v3-18
+    EOL_PATTERN=$(echo "$EOL_VERSIONS" | sed 's/\./\-/g; s/^/v/' | paste -sd'|' -)
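
Review bot: The s/^/v/ expression on the added EOL_PATTERN line prefixes every input line, including the single empty line that echo emits when EOL_VERSIONS is empty, so the pattern becomes a bare v instead of staying empty as it does with the removed expression, which only rewrites lines that contain a dot. Either skip pattern construction when EOL_VERSIONS is empty or keep the prefix conditional on a version-shaped line, for example s/^\([0-9]*\)\.\([0-9]*\)$/v\1-\2/. The \- in the replacement is also an unnecessary escape; a plain - is enough.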

This achieves the same result with a single sed command: replace dots with hyphens and prepend "v" to each line.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@workflows/konflux-build-triage/scripts/check-build-health.sh` around lines
115 - 118, The EOL_PATTERN construction uses an overly complex sed pipeline;
simplify it by transforming EOL_VERSIONS entries directly (replace '.' with '-'
and prepend 'v' for each version) before joining with paste, i.e., rebuild the
command that sets EOL_PATTERN to operate on EOL_VERSIONS with a single sed
invocation that does both the dot->hyphen and the 'v' prefix so the resulting
regex list (variable EOL_PATTERN) is equivalent but produced with one simpler
sed expression.
workflows/konflux-build-triage/scripts/get-supported-versions.sh (1)

54-58: ⚡ Quick win

Add raw output logging if jq parsing fails.

Per coding guidelines, if jq parse errors occur, the script should log the raw output for debugging. Currently, if the API returns unexpected JSON structure, the jq pipeline fails silently due to set -euo pipefail, making it difficult to diagnose the issue.

Proposed improvement to add error context
+# Parse and filter versions with error handling
+VERSIONS=$(echo "$RESPONSE" | jq -r "
+  .data[0].versions[]
+  | ${TYPE_FILTER}
+  | .name
+" 2>&1 | sort -t. -k1,1n -k2,2n) || {
+  echo "Error: Failed to parse API response. Raw response:" >&2
+  echo "$RESPONSE" >&2
+  exit 1
+}
-VERSIONS=$(echo "$RESPONSE" | jq -r "
-  .data[0].versions[]
-  | ${TYPE_FILTER}
-  | .name
-" | sort -t. -k1,1n -k2,2n)
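
Review bot: The 2>&1 on the added jq line sends jq's diagnostics into the pipe, so they are sorted and captured into VERSIONS rather than shown, and the error branch then prints the raw response without the actual jq message. Drop the 2>&1 so jq's error reaches stderr next to the raw response. The || branch also only sees jq's exit status through sort because pipefail is set, which deserves a comment beside it.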

As per coding guidelines: "If jq parse error occurs on output, log the raw output for debugging and skip the entry."

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@workflows/konflux-build-triage/scripts/get-supported-versions.sh` around
lines 54 - 58, The jq parsing of RESPONSE into VERSIONS can fail and, because of
set -euo pipefail, will abort without logging raw output; wrap the jq invocation
that builds VERSIONS (the pipeline using RESPONSE, TYPE_FILTER and
.data[0].versions[]) in a safe block: temporarily disable exit-on-error, run the
echo "$RESPONSE" | jq -r "… | ${TYPE_FILTER} | .name" and capture its exit code,
re-enable set -e, and if jq failed print the raw RESPONSE to stderr (and set
VERSIONS to empty or skip this entry) so callers can debug; ensure you reference
the existing VERSIONS, RESPONSE and TYPE_FILTER symbols when implementing the
change.

ℹ️ Review info
📥 Commits

Reviewing files that changed from the base of the PR and between efc7430 and 8e9502e.

📒 Files selected for processing (5)
  • workflows/konflux-build-triage/.ambient/ambient.json
  • workflows/konflux-build-triage/CLAUDE.md
  • workflows/konflux-build-triage/README.md
  • workflows/konflux-build-triage/scripts/check-build-health.sh
  • workflows/konflux-build-triage/scripts/get-supported-versions.sh
📜 Review details
🧰 Additional context used
📓 Path-based instructions (3)
workflows/konflux-build-triage/**/scripts/*.sh

📄 CodeRabbit inference engine (workflows/konflux-build-triage/CLAUDE.md)

If jq parse error occurs on output, log the raw output for debugging and skip the entry.

Files:

  • workflows/konflux-build-triage/scripts/get-supported-versions.sh
  • workflows/konflux-build-triage/scripts/check-build-health.sh
workflows/konflux-build-triage/**/scripts/get-supported-versions.sh

📄 CodeRabbit inference engine (workflows/konflux-build-triage/CLAUDE.md)

Query the Red Hat product lifecycle API at https://access.redhat.com/support/policy/updates/rhquay to determine currently supported Quay versions.

Files:

  • workflows/konflux-build-triage/scripts/get-supported-versions.sh
workflows/konflux-build-triage/**/scripts/check-build-health.sh

📄 CodeRabbit inference engine (workflows/konflux-build-triage/CLAUDE.md)

Use check-build-health.sh with --supported-only flag to query Red Hat product lifecycle API and filter out components belonging to Quay versions that have reached end of life.

If check-build-health.sh fails, log error and exit immediately. KubeArchive is required.

Files:

  • workflows/konflux-build-triage/scripts/check-build-health.sh
🪛 LanguageTool
workflows/konflux-build-triage/CLAUDE.md

[grammar] ~14-~14: Use a hyphen to join words.
Context: ...= stop spawning, alert. 5. Only triage supported versions. Skip components fo...

(QB_NEW_EN_HYPHEN)

🔇 Additional comments (11)
workflows/konflux-build-triage/scripts/get-supported-versions.sh (2)

60-73: LGTM!


41-46: The API endpoint successfully returns the expected data structure.

The Red Hat product lifecycle API at https://access.redhat.com/product-life-cycles/api/v1/products?name=Red+Hat+Quay correctly returns JSON with .data[0].versions[] containing objects with .type and .name fields as expected by the script's jq parsing.

			> Likely an incorrect or invalid review comment.
workflows/konflux-build-triage/scripts/check-build-health.sh (2)

16-16: LGTM!

Also applies to: 30-30, 45-45


119-127: LGTM!

workflows/konflux-build-triage/.ambient/ambient.json (1)

4-5: LGTM!

workflows/konflux-build-triage/README.md (1)

8-14: LGTM!

Also applies to: 17-22, 30-53, 93-93

workflows/konflux-build-triage/CLAUDE.md (5)

14-16: LGTM!


32-32: LGTM!


75-86: LGTM!


132-161: LGTM!


186-199: LGTM!

@jbpratt jbpratt merged commit 1f473dc into main May 14, 2026
10 checks passed
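
The filtering discussed in this PR (EOL versions turned into an application-name regex, with the digit boundary that keeps v3-1 from matching v3-18), as an added example that is not code from the PR or its scripts. Function names and sample rows are constructed, and it assumes the application name is the first tab-separated column.

```shell
#!/bin/sh
# Added example (not the PR's code). Function names and rows are constructed.

# Dotted versions, one per line ("3.1"), become an ERE alternation of
# application-name fragments ("v3-1|v3-9"). Only lines shaped like N.N are
# rewritten and printed, so an empty or malformed list gives an empty pattern.
eol_pattern() {
  printf '%s\n' "$1" \
    | sed -n 's/^\([0-9][0-9]*\)\.\([0-9][0-9]*\)$/v\1-\2/p' \
    | paste -sd'|' -
}

# Read tab-separated rows on stdin (application name in column 1) and print
# the rows whose application is not an EOL version listed in $1.
filter_supported() {
  pattern=$(eol_pattern "$1")
  if [ -z "$pattern" ]; then
    cat   # nothing is EOL: pass every row through unchanged
    return 0
  fi
  # [^[:space:]]* keeps the match inside column 1; ([^0-9]|$) is the digit
  # boundary, so v3-1 matches quay-v3-1 and quay-v3-1-rhel8 but not quay-v3-18.
  grep -Ev "^[^[:space:]]*(${pattern})([^0-9]|\$)" || true
}

# Constructed sample rows: application, component.
sample_rows() {
  printf 'quay-v3-1\tclair\n'
  printf 'quay-v3-18\tquay\n'
  printf 'quay-v3-9\tquay-operator\n'
  printf 'quay-v3-10\tquay-builder\n'
  printf 'quay-v3-1-rhel8\tquay-bridge\n'
}

# With 3.1 and 3.9 end-of-life, only the 3.18 and 3.10 rows remain.
sample_rows | filter_supported "$(printf '3.1\n3.9')"
```

An empty EOL list passes every row through instead of producing a pattern that could match unrelated names.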