poc(prow): 🚢 ✴️ openshift-eng/oape-ai-e2e workflow

ci-operator/config/openshift-eng/oape-ai-e2e/openshift-eng-oape-ai-e2e-main.yaml

@@ -12,9 +12,13 @@ images:
     to: gh-token-minter
   - dockerfile_path: images/go-server.Dockerfile
     to: go-server
+  - dockerfile_path: prow-workflow/input.Dockerfile
+    to: workflow-input
 promotion:
   to:
-  - name: ai-e2e-agent
+  - excluded_images:
+    - workflow-input
+    name: ai-e2e-agent
     namespace: oape
     tag_by_commit: true
 resources:
@@ -24,6 +28,88 @@ resources:
     requests:
       cpu: 100m
       memory: 200Mi
+tests:
+- always_run: false
+  as: run-workflow
+  run_if_changed: ^prow-workflow/
+  steps:
+    pre:
+    - as: extract-params
+      commands: |
+        cp /params.env "${SHARED_DIR}/params.env"
+        cat "${SHARED_DIR}/params.env"
+      from: workflow-input
+      resources:
+        requests:
+          cpu: 100m
+          memory: 128Mi
+    - as: mint-gh-token
+      commands: |
+        set -euo pipefail
+        GH_APP_ID=$(cat /var/run/github-app/app-id)
+        PEM_PATH="/var/run/github-app/private-key.pem"
+
+        HEADER=$(printf '{"alg":"RS256","typ":"JWT"}' | openssl base64 -e -A | tr '+/' '-_' | tr -d '=')
+        NOW=$(date +%s)
+        EXP=$((NOW + 300))
+        PAYLOAD=$(printf '{"iat":%d,"exp":%d,"iss":"%s"}' "$NOW" "$EXP" "$GH_APP_ID" | openssl base64 -e -A | tr '+/' '-_' | tr -d '=')
+        UNSIGNED="${HEADER}.${PAYLOAD}"
+        SIGNATURE=$(printf '%s' "$UNSIGNED" | openssl dgst -sha256 -sign "$PEM_PATH" -binary | openssl base64 -e -A | tr '+/' '-_' | tr -d '=')
+        JWT="${UNSIGNED}.${SIGNATURE}"
+
+        INST_ID=$(curl -sf \
+          -H "Authorization: Bearer ${JWT}" \
+          -H "Accept: application/vnd.github+json" \
+          -H "X-GitHub-Api-Version: 2022-11-28" \
+          https://api.github.com/app/installations \
+          | python3 -c "import sys,json; print(json.load(sys.stdin)[0]['id'])")
+
+        set +x
+        TOKEN=$(curl -sf -X POST \
+          -H "Authorization: Bearer ${JWT}" \
+          -H "Accept: application/vnd.github+json" \
+          -H "X-GitHub-Api-Version: 2022-11-28" \
+          "https://api.github.com/app/installations/${INST_ID}/access_tokens" \
+          | python3 -c "import sys,json; print(json.load(sys.stdin)['token'])")
+        echo "${TOKEN}" > "${SHARED_DIR}/gh-token"
+      credentials:
+      - mount_path: /var/run/github-app
+        name: openshift-app-platform-shift-github-bot
+        namespace: test-credentials
+      from: agent-worker
+      resources:
+        requests:
+          cpu: 100m
+          memory: 128Mi
+    test:
+    - as: agent-workflow
+      commands: |
+        set -euo pipefail
+        source "${SHARED_DIR}/params.env"
+        export EP_URL REPO_URL BASE_BRANCH
+
+        set +x
+        export GH_TOKEN
+        GH_TOKEN=$(cat "${SHARED_DIR}/gh-token")
+
+        export GOOGLE_APPLICATION_CREDENTIALS="/var/run/gcloud-adc/application_default_credentials.json"
+        export CLAUDE_CODE_USE_VERTEX="1"
+        export CLOUD_ML_REGION="global"
+        export ANTHROPIC_VERTEX_PROJECT_ID="itpc-gcp-hcm-pe-eng-claude"
+        export ANTHROPIC_MODEL="claude-opus-4-6"
+        export PYTHONUNBUFFERED=1
+
+        gh auth setup-git && python3.11 main.py
+      credentials:
+      - mount_path: /var/run/gcloud-adc
+        name: oap-lts-claude-gcp-vertex-sa
+        namespace: test-credentials
+      from: agent-worker
+      resources:
+        requests:
+          cpu: "1"
+          memory: 500Mi
+      timeout: 2h30m0s
 zz_generated_metadata:
   branch: main
   org: openshift-eng

ci-operator/jobs/openshift-eng/oape-ai-e2e/openshift-eng-oape-ai-e2e-main-presubmits.yaml

@@ -55,3 +55,77 @@ presubmits:
         secret:
           secretName: result-aggregator
     trigger: (?m)^/test( | .* )images,?($|\s.*)
+  - agent: kubernetes
+    always_run: false
+    branches:
+    - ^main$
+    - ^main-
+    cluster: build05
+    context: ci/prow/run-workflow
+    decorate: true
+    decoration_config:
+      skip_cloning: true
+    labels:
+      ci.openshift.io/generator: prowgen
+      pj-rehearse.openshift.io/can-be-rehearsed: "true"
+    name: pull-ci-openshift-eng-oape-ai-e2e-main-run-workflow
+    rerun_command: /test run-workflow
+    run_if_changed: ^prow-workflow/
+    spec:
+      containers:
+      - args:
+        - --gcs-upload-secret=/secrets/gcs/service-account.json
+        - --image-import-pull-secret=/etc/pull-secret/.dockerconfigjson
+        - --lease-server-credentials-file=/etc/boskos/credentials
+        - --report-credentials-file=/etc/report/credentials
+        - --target=run-workflow
+        command:
+        - ci-operator
+        env:
+        - name: HTTP_SERVER_IP
+          valueFrom:
+            fieldRef:
+              fieldPath: status.podIP
+        image: quay-proxy.ci.openshift.org/openshift/ci:ci_ci-operator_latest
+        imagePullPolicy: Always
+        name: ""
+        ports:
+        - containerPort: 8080
+          name: http
+        resources:
+          requests:
+            cpu: 10m
+        volumeMounts:
+        - mountPath: /etc/boskos
+          name: boskos
+          readOnly: true
+        - mountPath: /secrets/gcs
+          name: gcs-credentials
+          readOnly: true
+        - mountPath: /secrets/manifest-tool
+          name: manifest-tool-local-pusher
+          readOnly: true
+        - mountPath: /etc/pull-secret
+          name: pull-secret
+          readOnly: true
+        - mountPath: /etc/report
+          name: result-aggregator
+          readOnly: true
+      serviceAccountName: ci-operator
+      volumes:
+      - name: boskos
+        secret:
+          items:
+          - key: credentials
+            path: credentials
+          secretName: boskos-credentials
+      - name: manifest-tool-local-pusher
+        secret:
+          secretName: manifest-tool-local-pusher
+      - name: pull-secret
+        secret:
+          secretName: registry-pull-credentials
+      - name: result-aggregator
+        secret:
+          secretName: result-aggregator
+    trigger: (?m)^/test( | .* )run-workflow,?($|\s.*)