From e339af03ad0b9c0a683c861a4c5163c5a4493ffc Mon Sep 17 00:00:00 2001
From: Swarup Ghosh <swghosh@redhat.com>
Date: Fri, 8 May 2026 01:46:27 +0530
Subject: [PATCH 1/2] poc(prow): Run a Claude agent orchestrated by Prow Job in
 an ephemeral namespace using the oape-ai-e2e agent

Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
Signed-off-by: Swarup Ghosh <swghosh@redhat.com>
---
 .../openshift-eng-oape-ai-e2e-main.yaml       | 200 +++++++++++++++++-
 ...shift-eng-oape-ai-e2e-main-presubmits.yaml |  74 +++++++
 2 files changed, 273 insertions(+), 1 deletion(-)

diff --git a/ci-operator/config/openshift-eng/oape-ai-e2e/openshift-eng-oape-ai-e2e-main.yaml b/ci-operator/config/openshift-eng/oape-ai-e2e/openshift-eng-oape-ai-e2e-main.yaml
index 82f7a68a1bf93..4bb055ff50a67 100644
--- a/ci-operator/config/openshift-eng/oape-ai-e2e/openshift-eng-oape-ai-e2e-main.yaml
+++ b/ci-operator/config/openshift-eng/oape-ai-e2e/openshift-eng-oape-ai-e2e-main.yaml
@@ -12,9 +12,13 @@ images:
     to: gh-token-minter
   - dockerfile_path: images/go-server.Dockerfile
     to: go-server
+  - dockerfile_path: prow-workflow/input.Dockerfile
+    to: workflow-input
 promotion:
   to:
-  - name: ai-e2e-agent
+  - excluded_images:
+    - workflow-input
+    name: ai-e2e-agent
     namespace: oape
     tag_by_commit: true
 resources:
@@ -24,6 +28,200 @@ resources:
     requests:
       cpu: 100m
       memory: 200Mi
+tests:
+- always_run: false
+  as: run-workflow
+  run_if_changed: ^prow-workflow/
+  steps:
+    env:
+      BONFIRE_NAMESPACE_DURATION: 3h
+    test:
+    - as: extract-params
+      commands: |
+        cp /params.env "${SHARED_DIR}/params.env"
+        cat "${SHARED_DIR}/params.env"
+      from: workflow-input
+      resources:
+        requests:
+          cpu: 100m
+          memory: 128Mi
+    - as: deploy-and-run
+      commands: |
+        set -euo pipefail
+
+        # --- Ephemeral namespace access ---
+        export KUBECONFIG="${SHARED_DIR}/ephemeral-kubeconfig"
+        NAMESPACE=$(cat "${SHARED_DIR}/ephemeral-namespace")
+        oc project "${NAMESPACE}"
+
+        # Load workflow params
+        source "${SHARED_DIR}/params.env"
+
+        # --- Create secrets from mounted CI credentials ---
+        oc create secret generic gcloud-adc \
+          --from-file=application_default_credentials.json=/var/run/gcloud-adc/application_default_credentials.json
+        oc create secret generic github-app \
+          --from-file=private-key.pem=/var/run/github-app/private-key.pem
+
+        # --- Create worker ConfigMap (env vars) ---
+        oc create configmap shift-worker-config \
+          --from-literal=CLAUDE_CODE_USE_VERTEX=1 \
+          --from-literal=CLOUD_ML_REGION=global \
+          --from-literal=ANTHROPIC_VERTEX_PROJECT_ID=itpc-gcp-hcm-pe-eng-claude \
+          --from-literal=ANTHROPIC_MODEL=claude-opus-4-6
+
+        # --- Deploy gh-token-minter ---
+        cat <<DEPLOYEOF | oc apply -f -
+        apiVersion: apps/v1
+        kind: Deployment
+        metadata:
+          name: gh-token-minter
+        spec:
+          replicas: 1
+          selector:
+            matchLabels:
+              app: gh-token-minter
+          template:
+            metadata:
+              labels:
+                app: gh-token-minter
+            spec:
+              containers:
+              - name: minter
+                image: ${GH_TOKEN_MINTER_IMAGE}
+                ports:
+                - containerPort: 8081
+                env:
+                - name: GH_APP_ID
+                  value: "3065249"
+                - name: GH_APP_PEM_FILE_PATH
+                  value: /etc/github-app/private-key.pem
+                - name: LISTEN_PORT
+                  value: "8081"
+                volumeMounts:
+                - name: gh-app-key
+                  mountPath: /etc/github-app
+                  readOnly: true
+              volumes:
+              - name: gh-app-key
+                secret:
+                  secretName: github-app
+        ---
+        apiVersion: v1
+        kind: Service
+        metadata:
+          name: gh-token-minter
+        spec:
+          selector:
+            app: gh-token-minter
+          ports:
+          - port: 8081
+            targetPort: 8081
+        DEPLOYEOF
+
+        oc wait --for=condition=Available deployment/gh-token-minter --timeout=120s
+
+        # --- Mint GH token via port-forward ---
+        oc port-forward svc/gh-token-minter 8081:8081 &
+        PF_PID=$!
+        sleep 3
+
+        # Disable tracing due to token handling
+        set +x
+        TOKEN_RESP=$(curl -sf http://localhost:8081/token)
+        kill $PF_PID || true
+        GH_TOKEN=$(echo "$TOKEN_RESP" | jq -r '.token')
+
+        oc create secret generic gh-token-secret \
+          --from-literal=GH_TOKEN="${GH_TOKEN}"
+
+        # --- Create agent-worker Job ---
+        JOB_ID="ci-$(date +%s)"
+        cat <<JOBEOF | oc apply -f -
+        apiVersion: batch/v1
+        kind: Job
+        metadata:
+          name: shift-workflow-${JOB_ID}
+          labels:
+            app: shift-worker
+        spec:
+          backoffLimit: 0
+          template:
+            spec:
+              restartPolicy: Never
+              containers:
+              - name: worker
+                image: ${AGENT_WORKER_IMAGE}
+                command: ["sh", "-c", "python3.11 /app/main.py"]
+                env:
+                - name: EP_URL
+                  value: "${EP_URL}"
+                - name: REPO_URL
+                  value: "${REPO_URL}"
+                - name: BASE_BRANCH
+                  value: "${BASE_BRANCH}"
+                - name: PYTHONUNBUFFERED
+                  value: "1"
+                - name: GOOGLE_APPLICATION_CREDENTIALS
+                  value: /secrets/gcloud/application_default_credentials.json
+                envFrom:
+                - configMapRef:
+                    name: shift-worker-config
+                - secretRef:
+                    name: gh-token-secret
+                resources:
+                  requests:
+                    cpu: 500m
+                    memory: 512Mi
+                  limits:
+                    cpu: "2"
+                    memory: 4Gi
+                volumeMounts:
+                - name: gcloud-adc
+                  mountPath: /secrets/gcloud
+                  readOnly: true
+              volumes:
+              - name: gcloud-adc
+                secret:
+                  secretName: gcloud-adc
+        JOBEOF
+
+        echo "Agent-worker Job shift-workflow-${JOB_ID} created."
+
+        # --- Wait for pod, stream logs, check result ---
+        oc wait --for=condition=Ready pod -l job-name=shift-workflow-${JOB_ID} --timeout=300s || true
+        POD=$(oc get pods -l job-name=shift-workflow-${JOB_ID} -o jsonpath='{.items[0].metadata.name}')
+        oc logs -f "${POD}" || true
+
+        # Check final status
+        if oc wait --for=condition=complete --timeout=30s job/shift-workflow-${JOB_ID} 2>/dev/null; then
+          echo "Workflow completed successfully."
+        else
+          echo "Workflow failed."
+          exit 1
+        fi
+      credentials:
+      - mount_path: /var/run/gcloud-adc
+        name: oap-lts-claude-gcp-vertex-sa
+        namespace: test-credentials
+      - mount_path: /var/run/github-app
+        name: openshift-app-platform-shift-github-bot
+        namespace: test-credentials
+      dependencies:
+      - env: AGENT_WORKER_IMAGE
+        name: agent-worker
+      - env: GH_TOKEN_MINTER_IMAGE
+        name: gh-token-minter
+      from_image:
+        name: cli-jq
+        namespace: ocp
+        tag: latest
+      resources:
+        requests:
+          cpu: 100m
+          memory: 256Mi
+      timeout: 2h0m0s
+    workflow: ephemeral-namespace
 zz_generated_metadata:
   branch: main
   org: openshift-eng
diff --git a/ci-operator/jobs/openshift-eng/oape-ai-e2e/openshift-eng-oape-ai-e2e-main-presubmits.yaml b/ci-operator/jobs/openshift-eng/oape-ai-e2e/openshift-eng-oape-ai-e2e-main-presubmits.yaml
index 35fd270a3bda0..67c75f322859c 100644
--- a/ci-operator/jobs/openshift-eng/oape-ai-e2e/openshift-eng-oape-ai-e2e-main-presubmits.yaml
+++ b/ci-operator/jobs/openshift-eng/oape-ai-e2e/openshift-eng-oape-ai-e2e-main-presubmits.yaml
@@ -55,3 +55,77 @@ presubmits:
         secret:
           secretName: result-aggregator
     trigger: (?m)^/test( | .* )images,?($|\s.*)
+  - agent: kubernetes
+    always_run: false
+    branches:
+    - ^main$
+    - ^main-
+    cluster: build05
+    context: ci/prow/run-workflow
+    decorate: true
+    decoration_config:
+      skip_cloning: true
+    labels:
+      ci.openshift.io/generator: prowgen
+      pj-rehearse.openshift.io/can-be-rehearsed: "true"
+    name: pull-ci-openshift-eng-oape-ai-e2e-main-run-workflow
+    rerun_command: /test run-workflow
+    run_if_changed: ^prow-workflow/
+    spec:
+      containers:
+      - args:
+        - --gcs-upload-secret=/secrets/gcs/service-account.json
+        - --image-import-pull-secret=/etc/pull-secret/.dockerconfigjson
+        - --lease-server-credentials-file=/etc/boskos/credentials
+        - --report-credentials-file=/etc/report/credentials
+        - --target=run-workflow
+        command:
+        - ci-operator
+        env:
+        - name: HTTP_SERVER_IP
+          valueFrom:
+            fieldRef:
+              fieldPath: status.podIP
+        image: quay-proxy.ci.openshift.org/openshift/ci:ci_ci-operator_latest
+        imagePullPolicy: Always
+        name: ""
+        ports:
+        - containerPort: 8080
+          name: http
+        resources:
+          requests:
+            cpu: 10m
+        volumeMounts:
+        - mountPath: /etc/boskos
+          name: boskos
+          readOnly: true
+        - mountPath: /secrets/gcs
+          name: gcs-credentials
+          readOnly: true
+        - mountPath: /secrets/manifest-tool
+          name: manifest-tool-local-pusher
+          readOnly: true
+        - mountPath: /etc/pull-secret
+          name: pull-secret
+          readOnly: true
+        - mountPath: /etc/report
+          name: result-aggregator
+          readOnly: true
+      serviceAccountName: ci-operator
+      volumes:
+      - name: boskos
+        secret:
+          items:
+          - key: credentials
+            path: credentials
+          secretName: boskos-credentials
+      - name: manifest-tool-local-pusher
+        secret:
+          secretName: manifest-tool-local-pusher
+      - name: pull-secret
+        secret:
+          secretName: registry-pull-credentials
+      - name: result-aggregator
+        secret:
+          secretName: result-aggregator
+    trigger: (?m)^/test( | .* )run-workflow,?($|\s.*)

From 3e8ff568e40ba0af8d8bf2a37fb89fce0b14968b Mon Sep 17 00:00:00 2001
From: Swarup Ghosh <swghosh@redhat.com>
Date: Fri, 8 May 2026 12:32:37 +0530
Subject: [PATCH 2/2] poc(prow): [2/2 approach] use inline built-ins w/o using
 ephemeral namespace

Signed-off-by: Swarup Ghosh <swghosh@redhat.com>
---
 .../openshift-eng-oape-ai-e2e-main.yaml       | 218 +++++-------------
 1 file changed, 53 insertions(+), 165 deletions(-)

diff --git a/ci-operator/config/openshift-eng/oape-ai-e2e/openshift-eng-oape-ai-e2e-main.yaml b/ci-operator/config/openshift-eng/oape-ai-e2e/openshift-eng-oape-ai-e2e-main.yaml
index 4bb055ff50a67..166ef78592eef 100644
--- a/ci-operator/config/openshift-eng/oape-ai-e2e/openshift-eng-oape-ai-e2e-main.yaml
+++ b/ci-operator/config/openshift-eng/oape-ai-e2e/openshift-eng-oape-ai-e2e-main.yaml
@@ -33,9 +33,7 @@ tests:
   as: run-workflow
   run_if_changed: ^prow-workflow/
   steps:
-    env:
-      BONFIRE_NAMESPACE_DURATION: 3h
-    test:
+    pre:
     - as: extract-params
       commands: |
         cp /params.env "${SHARED_DIR}/params.env"
@@ -45,183 +43,73 @@ tests:
         requests:
           cpu: 100m
           memory: 128Mi
-    - as: deploy-and-run
+    - as: mint-gh-token
       commands: |
         set -euo pipefail
+        GH_APP_ID=$(cat /var/run/github-app/app-id)
+        PEM_PATH="/var/run/github-app/private-key.pem"
 
-        # --- Ephemeral namespace access ---
-        export KUBECONFIG="${SHARED_DIR}/ephemeral-kubeconfig"
-        NAMESPACE=$(cat "${SHARED_DIR}/ephemeral-namespace")
-        oc project "${NAMESPACE}"
-
-        # Load workflow params
-        source "${SHARED_DIR}/params.env"
-
-        # --- Create secrets from mounted CI credentials ---
-        oc create secret generic gcloud-adc \
-          --from-file=application_default_credentials.json=/var/run/gcloud-adc/application_default_credentials.json
-        oc create secret generic github-app \
-          --from-file=private-key.pem=/var/run/github-app/private-key.pem
-
-        # --- Create worker ConfigMap (env vars) ---
-        oc create configmap shift-worker-config \
-          --from-literal=CLAUDE_CODE_USE_VERTEX=1 \
-          --from-literal=CLOUD_ML_REGION=global \
-          --from-literal=ANTHROPIC_VERTEX_PROJECT_ID=itpc-gcp-hcm-pe-eng-claude \
-          --from-literal=ANTHROPIC_MODEL=claude-opus-4-6
-
-        # --- Deploy gh-token-minter ---
-        cat <<DEPLOYEOF | oc apply -f -
-        apiVersion: apps/v1
-        kind: Deployment
-        metadata:
-          name: gh-token-minter
-        spec:
-          replicas: 1
-          selector:
-            matchLabels:
-              app: gh-token-minter
-          template:
-            metadata:
-              labels:
-                app: gh-token-minter
-            spec:
-              containers:
-              - name: minter
-                image: ${GH_TOKEN_MINTER_IMAGE}
-                ports:
-                - containerPort: 8081
-                env:
-                - name: GH_APP_ID
-                  value: "3065249"
-                - name: GH_APP_PEM_FILE_PATH
-                  value: /etc/github-app/private-key.pem
-                - name: LISTEN_PORT
-                  value: "8081"
-                volumeMounts:
-                - name: gh-app-key
-                  mountPath: /etc/github-app
-                  readOnly: true
-              volumes:
-              - name: gh-app-key
-                secret:
-                  secretName: github-app
-        ---
-        apiVersion: v1
-        kind: Service
-        metadata:
-          name: gh-token-minter
-        spec:
-          selector:
-            app: gh-token-minter
-          ports:
-          - port: 8081
-            targetPort: 8081
-        DEPLOYEOF
-
-        oc wait --for=condition=Available deployment/gh-token-minter --timeout=120s
+        HEADER=$(printf '{"alg":"RS256","typ":"JWT"}' | openssl base64 -e -A | tr '+/' '-_' | tr -d '=')
+        NOW=$(date +%s)
+        EXP=$((NOW + 300))
+        PAYLOAD=$(printf '{"iat":%d,"exp":%d,"iss":"%s"}' "$NOW" "$EXP" "$GH_APP_ID" | openssl base64 -e -A | tr '+/' '-_' | tr -d '=')
+        UNSIGNED="${HEADER}.${PAYLOAD}"
+        SIGNATURE=$(printf '%s' "$UNSIGNED" | openssl dgst -sha256 -sign "$PEM_PATH" -binary | openssl base64 -e -A | tr '+/' '-_' | tr -d '=')
+        JWT="${UNSIGNED}.${SIGNATURE}"
 
-        # --- Mint GH token via port-forward ---
-        oc port-forward svc/gh-token-minter 8081:8081 &
-        PF_PID=$!
-        sleep 3
+        INST_ID=$(curl -sf \
+          -H "Authorization: Bearer ${JWT}" \
+          -H "Accept: application/vnd.github+json" \
+          -H "X-GitHub-Api-Version: 2022-11-28" \
+          https://api.github.com/app/installations \
+          | python3 -c "import sys,json; print(json.load(sys.stdin)[0]['id'])")
 
-        # Disable tracing due to token handling
         set +x
-        TOKEN_RESP=$(curl -sf http://localhost:8081/token)
-        kill $PF_PID || true
-        GH_TOKEN=$(echo "$TOKEN_RESP" | jq -r '.token')
-
-        oc create secret generic gh-token-secret \
-          --from-literal=GH_TOKEN="${GH_TOKEN}"
-
-        # --- Create agent-worker Job ---
-        JOB_ID="ci-$(date +%s)"
-        cat <<JOBEOF | oc apply -f -
-        apiVersion: batch/v1
-        kind: Job
-        metadata:
-          name: shift-workflow-${JOB_ID}
-          labels:
-            app: shift-worker
-        spec:
-          backoffLimit: 0
-          template:
-            spec:
-              restartPolicy: Never
-              containers:
-              - name: worker
-                image: ${AGENT_WORKER_IMAGE}
-                command: ["sh", "-c", "python3.11 /app/main.py"]
-                env:
-                - name: EP_URL
-                  value: "${EP_URL}"
-                - name: REPO_URL
-                  value: "${REPO_URL}"
-                - name: BASE_BRANCH
-                  value: "${BASE_BRANCH}"
-                - name: PYTHONUNBUFFERED
-                  value: "1"
-                - name: GOOGLE_APPLICATION_CREDENTIALS
-                  value: /secrets/gcloud/application_default_credentials.json
-                envFrom:
-                - configMapRef:
-                    name: shift-worker-config
-                - secretRef:
-                    name: gh-token-secret
-                resources:
-                  requests:
-                    cpu: 500m
-                    memory: 512Mi
-                  limits:
-                    cpu: "2"
-                    memory: 4Gi
-                volumeMounts:
-                - name: gcloud-adc
-                  mountPath: /secrets/gcloud
-                  readOnly: true
-              volumes:
-              - name: gcloud-adc
-                secret:
-                  secretName: gcloud-adc
-        JOBEOF
+        TOKEN=$(curl -sf -X POST \
+          -H "Authorization: Bearer ${JWT}" \
+          -H "Accept: application/vnd.github+json" \
+          -H "X-GitHub-Api-Version: 2022-11-28" \
+          "https://api.github.com/app/installations/${INST_ID}/access_tokens" \
+          | python3 -c "import sys,json; print(json.load(sys.stdin)['token'])")
+        echo "${TOKEN}" > "${SHARED_DIR}/gh-token"
+      credentials:
+      - mount_path: /var/run/github-app
+        name: openshift-app-platform-shift-github-bot
+        namespace: test-credentials
+      from: agent-worker
+      resources:
+        requests:
+          cpu: 100m
+          memory: 128Mi
+    test:
+    - as: agent-workflow
+      commands: |
+        set -euo pipefail
+        source "${SHARED_DIR}/params.env"
+        export EP_URL REPO_URL BASE_BRANCH
 
-        echo "Agent-worker Job shift-workflow-${JOB_ID} created."
+        set +x
+        export GH_TOKEN
+        GH_TOKEN=$(cat "${SHARED_DIR}/gh-token")
 
-        # --- Wait for pod, stream logs, check result ---
-        oc wait --for=condition=Ready pod -l job-name=shift-workflow-${JOB_ID} --timeout=300s || true
-        POD=$(oc get pods -l job-name=shift-workflow-${JOB_ID} -o jsonpath='{.items[0].metadata.name}')
-        oc logs -f "${POD}" || true
+        export GOOGLE_APPLICATION_CREDENTIALS="/var/run/gcloud-adc/application_default_credentials.json"
+        export CLAUDE_CODE_USE_VERTEX="1"
+        export CLOUD_ML_REGION="global"
+        export ANTHROPIC_VERTEX_PROJECT_ID="itpc-gcp-hcm-pe-eng-claude"
+        export ANTHROPIC_MODEL="claude-opus-4-6"
+        export PYTHONUNBUFFERED=1
 
-        # Check final status
-        if oc wait --for=condition=complete --timeout=30s job/shift-workflow-${JOB_ID} 2>/dev/null; then
-          echo "Workflow completed successfully."
-        else
-          echo "Workflow failed."
-          exit 1
-        fi
+        gh auth setup-git && python3.11 main.py
       credentials:
       - mount_path: /var/run/gcloud-adc
         name: oap-lts-claude-gcp-vertex-sa
         namespace: test-credentials
-      - mount_path: /var/run/github-app
-        name: openshift-app-platform-shift-github-bot
-        namespace: test-credentials
-      dependencies:
-      - env: AGENT_WORKER_IMAGE
-        name: agent-worker
-      - env: GH_TOKEN_MINTER_IMAGE
-        name: gh-token-minter
-      from_image:
-        name: cli-jq
-        namespace: ocp
-        tag: latest
+      from: agent-worker
       resources:
         requests:
-          cpu: 100m
-          memory: 256Mi
-      timeout: 2h0m0s
-    workflow: ephemeral-namespace
+          cpu: "1"
+          memory: 500Mi
+      timeout: 2h30m0s
 zz_generated_metadata:
   branch: main
   org: openshift-eng