diff --git a/ci-operator/config/openshift-eng/oape-ai-e2e/openshift-eng-oape-ai-e2e-main.yaml b/ci-operator/config/openshift-eng/oape-ai-e2e/openshift-eng-oape-ai-e2e-main.yaml index 82f7a68a1bf93..166ef78592eef 100644 --- a/ci-operator/config/openshift-eng/oape-ai-e2e/openshift-eng-oape-ai-e2e-main.yaml +++ b/ci-operator/config/openshift-eng/oape-ai-e2e/openshift-eng-oape-ai-e2e-main.yaml @@ -12,9 +12,13 @@ images: to: gh-token-minter - dockerfile_path: images/go-server.Dockerfile to: go-server + - dockerfile_path: prow-workflow/input.Dockerfile + to: workflow-input promotion: to: - - name: ai-e2e-agent + - excluded_images: + - workflow-input + name: ai-e2e-agent namespace: oape tag_by_commit: true resources: @@ -24,6 +28,88 @@ resources: requests: cpu: 100m memory: 200Mi +tests: +- always_run: false + as: run-workflow + run_if_changed: ^prow-workflow/ + steps: + pre: + - as: extract-params + commands: | + cp /params.env "${SHARED_DIR}/params.env" + cat "${SHARED_DIR}/params.env" + from: workflow-input + resources: + requests: + cpu: 100m + memory: 128Mi + - as: mint-gh-token + commands: | + set -euo pipefail + GH_APP_ID=$(cat /var/run/github-app/app-id) + PEM_PATH="/var/run/github-app/private-key.pem" + + HEADER=$(printf '{"alg":"RS256","typ":"JWT"}' | openssl base64 -e -A | tr '+/' '-_' | tr -d '=') + NOW=$(date +%s) + EXP=$((NOW + 300)) + PAYLOAD=$(printf '{"iat":%d,"exp":%d,"iss":"%s"}' "$NOW" "$EXP" "$GH_APP_ID" | openssl base64 -e -A | tr '+/' '-_' | tr -d '=') + UNSIGNED="${HEADER}.${PAYLOAD}" + SIGNATURE=$(printf '%s' "$UNSIGNED" | openssl dgst -sha256 -sign "$PEM_PATH" -binary | openssl base64 -e -A | tr '+/' '-_' | tr -d '=') + JWT="${UNSIGNED}.${SIGNATURE}" + + INST_ID=$(curl -sf \ + -H "Authorization: Bearer ${JWT}" \ + -H "Accept: application/vnd.github+json" \ + -H "X-GitHub-Api-Version: 2022-11-28" \ + https://api.github.com/app/installations \ + | python3 -c "import sys,json; print(json.load(sys.stdin)[0]['id'])") + + set +x + TOKEN=$(curl -sf -X POST \ + -H "Authorization: Bearer ${JWT}" \ + -H "Accept: application/vnd.github+json" \ + -H "X-GitHub-Api-Version: 2022-11-28" \ + "https://api.github.com/app/installations/${INST_ID}/access_tokens" \ + | python3 -c "import sys,json; print(json.load(sys.stdin)['token'])") + echo "${TOKEN}" > "${SHARED_DIR}/gh-token" + credentials: + - mount_path: /var/run/github-app + name: openshift-app-platform-shift-github-bot + namespace: test-credentials + from: agent-worker + resources: + requests: + cpu: 100m + memory: 128Mi + test: + - as: agent-workflow + commands: | + set -euo pipefail + source "${SHARED_DIR}/params.env" + export EP_URL REPO_URL BASE_BRANCH + + set +x + export GH_TOKEN + GH_TOKEN=$(cat "${SHARED_DIR}/gh-token") + + export GOOGLE_APPLICATION_CREDENTIALS="/var/run/gcloud-adc/application_default_credentials.json" + export CLAUDE_CODE_USE_VERTEX="1" + export CLOUD_ML_REGION="global" + export ANTHROPIC_VERTEX_PROJECT_ID="itpc-gcp-hcm-pe-eng-claude" + export ANTHROPIC_MODEL="claude-opus-4-6" + export PYTHONUNBUFFERED=1 + + gh auth setup-git && python3.11 main.py + credentials: + - mount_path: /var/run/gcloud-adc + name: oap-lts-claude-gcp-vertex-sa + namespace: test-credentials + from: agent-worker + resources: + requests: + cpu: "1" + memory: 500Mi + timeout: 2h30m0s zz_generated_metadata: branch: main org: openshift-eng diff --git a/ci-operator/jobs/openshift-eng/oape-ai-e2e/openshift-eng-oape-ai-e2e-main-presubmits.yaml b/ci-operator/jobs/openshift-eng/oape-ai-e2e/openshift-eng-oape-ai-e2e-main-presubmits.yaml index 35fd270a3bda0..67c75f322859c 100644 --- a/ci-operator/jobs/openshift-eng/oape-ai-e2e/openshift-eng-oape-ai-e2e-main-presubmits.yaml +++ b/ci-operator/jobs/openshift-eng/oape-ai-e2e/openshift-eng-oape-ai-e2e-main-presubmits.yaml @@ -55,3 +55,77 @@ presubmits: secret: secretName: result-aggregator trigger: (?m)^/test( | .* )images,?($|\s.*) + - agent: kubernetes + always_run: false + branches: + - ^main$ + - ^main- + cluster: build05 + context: ci/prow/run-workflow + decorate: true + decoration_config: + skip_cloning: true + labels: + ci.openshift.io/generator: prowgen + pj-rehearse.openshift.io/can-be-rehearsed: "true" + name: pull-ci-openshift-eng-oape-ai-e2e-main-run-workflow + rerun_command: /test run-workflow + run_if_changed: ^prow-workflow/ + spec: + containers: + - args: + - --gcs-upload-secret=/secrets/gcs/service-account.json + - --image-import-pull-secret=/etc/pull-secret/.dockerconfigjson + - --lease-server-credentials-file=/etc/boskos/credentials + - --report-credentials-file=/etc/report/credentials + - --target=run-workflow + command: + - ci-operator + env: + - name: HTTP_SERVER_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + image: quay-proxy.ci.openshift.org/openshift/ci:ci_ci-operator_latest + imagePullPolicy: Always + name: "" + ports: + - containerPort: 8080 + name: http + resources: + requests: + cpu: 10m + volumeMounts: + - mountPath: /etc/boskos + name: boskos + readOnly: true + - mountPath: /secrets/gcs + name: gcs-credentials + readOnly: true + - mountPath: /secrets/manifest-tool + name: manifest-tool-local-pusher + readOnly: true + - mountPath: /etc/pull-secret + name: pull-secret + readOnly: true + - mountPath: /etc/report + name: result-aggregator + readOnly: true + serviceAccountName: ci-operator + volumes: + - name: boskos + secret: + items: + - key: credentials + path: credentials + secretName: boskos-credentials + - name: manifest-tool-local-pusher + secret: + secretName: manifest-tool-local-pusher + - name: pull-secret + secret: + secretName: registry-pull-credentials + - name: result-aggregator + secret: + secretName: result-aggregator + trigger: (?m)^/test( | .* )run-workflow,?($|\s.*)