
poc(prow): 🚢 ✴️ openshift-eng/oape-ai-e2e workflow #79009

Open

swghosh wants to merge 2 commits into openshift:main from swghosh:oape-ai-e2e/prow-workflow

Conversation

swghosh (Member) commented May 7, 2026

Run a Claude agent orchestrated by a Prow Job structured as a pre-submit.

The expected trigger is a PR on openshift-eng/oape-ai-e2e that updates the contents of the prow-workflow/input.Dockerfile file.


Changes to openshift-eng/oape-ai-e2e CI configuration

This PR adds a ci-operator image build and test to the openshift-eng/oape-ai-e2e CI config so a Claude-based agent (run from repository openshift-eng/oape-ai-e2e) can be executed automatically when files under prow-workflow/ change.

What this modifies practically

  • New image build: workflow-input is built from prow-workflow/input.Dockerfile and added to the images list. This image is treated as an input/configuration image and is excluded from promotion for the ai-e2e-agent promotion target.
  • New ci-operator test: run-workflow, triggered when changes match ^prow-workflow/. The test is a three-step flow:
    1. extract-params — copies /params.env from the workflow-input image into ${SHARED_DIR}/params.env and prints it.
    2. mint-gh-token — mounts GitHub App credentials, generates a GitHub App JWT, exchanges it for an installation access token via GitHub API, and writes the token to ${SHARED_DIR}/gh-token.
    3. agent-workflow — sources ${SHARED_DIR}/params.env, loads ${SHARED_DIR}/gh-token into GH_TOKEN, sets Google/Vertex and Anthropic/Claude env vars, performs gh auth setup, and runs python3.11 main.py from /app; mounts ADC at /var/run/gcloud-adc and uses a 2h30m timeout.

Behavioral intent

  • The workflow is intended to run as a pre-submit triggered by PRs to openshift-eng/oape-ai-e2e that modify prow-workflow/input.Dockerfile (or other files under prow-workflow/), allowing CI to execute the Claude agent flow using parameters baked into the workflow-input image and a minted GitHub token.

Development/context notes

  • The PR description documents two approaches: an ephemeral-namespace workflow (attempted in an earlier commit but failed due to namespace reservation timeouts) and a direct inline ci-operator built-ins approach. The current changes implement the inline ci-operator test and image build; the ephemeral-namespace approach was attempted but did not complete successfully.

Files changed (high level)

  • ci-operator/config/openshift-eng/oape-ai-e2e/openshift-eng-oape-ai-e2e-main.yaml — adds the workflow-input image build, the run-workflow test, and updates promotion exclusions.

Lines changed: +87 / -1. Estimated review effort: High.

in an ephemeral namespace using the oape-ai-e2e agent

Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
Signed-off-by: Swarup Ghosh <swghosh@redhat.com>
@swghosh swghosh changed the title poc(prow): ✴️ oape-ai-e2e poc(prow): ✴️ openshift-eng/oape-ai-e2e workflow May 7, 2026
@coderabbitai
Copy link
Copy Markdown
Contributor

coderabbitai Bot commented May 7, 2026

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

  • @coderabbitai resume to resume automatic reviews.
  • @coderabbitai review to trigger a single review.


Walkthrough

Adds a prow test run-workflow (trigger: ^prow-workflow/), adds workflow-input image build (excluded from ai-e2e-agent promotion), and three test steps: extract /params.env, mint a GitHub App installation token, and run an agent that sources params and runs python3.11 main.py with ADC mounted and a 2h30m timeout.

Changes

AI E2E Workflow Test

Layer | File(s) | Summary
Data Shape / Images | ci-operator/config/openshift-eng/oape-ai-e2e/openshift-eng-oape-ai-e2e-main.yaml | Adds image build to: workflow-input from prow-workflow/input.Dockerfile and marks workflow-input in promotion.to[].excluded_images.
Test Declaration / Trigger | ci-operator/config/openshift-eng/oape-ai-e2e/openshift-eng-oape-ai-e2e-main.yaml | Adds tests[] entry as: run-workflow with run_if_changed: ^prow-workflow/.
Params Extraction | ci-operator/.../openshift-eng-oape-ai-e2e-main.yaml | extract-params step copies /params.env from workflow-input image into ${SHARED_DIR}/params.env and prints it.
Token Minting | ci-operator/.../openshift-eng-oape-ai-e2e-main.yaml | mint-gh-token step mounts GitHub App credentials, builds JWT, calls GitHub API to create an installation access token, and writes it to ${SHARED_DIR}/gh-token.
Agent Run / Wiring | ci-operator/.../openshift-eng-oape-ai-e2e-main.yaml | agent-workflow step sources ${SHARED_DIR}/params.env, reads ${SHARED_DIR}/gh-token into GH_TOKEN, sets cloud/AI env vars, performs gh auth setup, and runs python3.11 main.py with /var/run/gcloud-adc mounted; timeout: 2h30m0s.

Sequence Diagram(s)

sequenceDiagram
    participant Prow as Prow Job
    participant Image as workflow-input (image)
    participant Minter as mint-gh-token step
    participant GitHub as GitHub API
    participant Shared as Shared Dir
    participant Agent as agent-workflow step

    Prow->>Image: extract `/params.env` and copy to Shared
    Prow->>Minter: start mint-gh-token (mount creds)
    Minter->>GitHub: POST JWT → request installation token
    GitHub-->>Minter: return installation token
    Minter->>Shared: write `${SHARED_DIR}/gh-token`
    Prow->>Agent: start agent-workflow (mount Shared, ADC)
    Agent->>Shared: read `${SHARED_DIR}/params.env` and `${SHARED_DIR}/gh-token`
    Agent->>GitHub: `gh auth setup` / API usage
    Agent->>Agent: run `python3.11 main.py`

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

🚥 Pre-merge checks | ✅ 11 | ❌ 1

❌ Failed checks (1 inconclusive)

Check name | Status | Explanation | Resolution
Title check | ❓ Inconclusive | The title uses emojis and vague scope markers instead of clearly describing the main change, making it difficult to understand the actual purpose. | Replace the emoji and vague description with a clear, specific title like 'Add Prow workflow job for AI agent execution on oape-ai-e2e PRs' to accurately convey the changeset purpose.

✅ Passed checks (11 passed)

Check name | Status | Explanation
Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names | ✅ Passed | PR modifies CI Operator YAML config only. No Ginkgo test code (Go test files) is present. The custom check for stable Ginkgo test names is not applicable to this PR.
Test Structure And Quality | ✅ Passed | The custom check requires reviewing Ginkgo test code, but this PR only modifies CI configuration (YAML file). No Ginkgo tests are present in this PR, so the check is not applicable.
Microshift Test Compatibility | ✅ Passed | This PR adds CI configuration only. The 'run-workflow' test is a Prow step configuration executing shell/Python code, not Ginkgo e2e tests. No Go test code with Ginkgo patterns is added.
Single Node Openshift (Sno) Test Compatibility | ✅ Passed | PR modifies only CI-operator configuration files, not Ginkgo e2e tests. SNO compatibility check applies only to Ginkgo tests (It/Describe/Context), not Prow job configurations.
Topology-Aware Scheduling Compatibility | ✅ Passed | The PR modifies a ci-operator config file defining CI/CD pipelines, not deployment manifests or operators deployed to clusters. No topology-unfriendly scheduling constraints are present.
Ote Binary Stdout Contract | ✅ Passed | PR adds only a YAML CI configuration file, not OTE/Go test binaries. The check for OTE Binary Stdout Contract is inapplicable since no Go test code was added.
Ipv6 And Disconnected Network Test Compatibility | ✅ Passed | This PR adds a Prow job configuration in a YAML file, not Ginkgo e2e tests. The custom check applies only to Ginkgo tests (It(), Describe(), Context(), When(), etc.), which are not present in this PR.
Description Check | ✅ Passed | Check skipped - CodeRabbit's high-level summary is enabled.


openshift-ci Bot (Contributor) commented May 7, 2026

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: swghosh

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci openshift-ci Bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label May 7, 2026
@openshift-ci openshift-ci Bot requested review from neha037 and siddhibhor-56 May 7, 2026 20:23
coderabbitai Bot (Contributor) left a comment

Actionable comments posted: 3

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In
`@ci-operator/config/openshift-eng/oape-ai-e2e/openshift-eng-oape-ai-e2e-main.yaml`:
- Around line 154-171: This presubmit uses an untrusted PR-built image
(${AGENT_WORKER_IMAGE}) while mounting live credentials
(GOOGLE_APPLICATION_CREDENTIALS, gh-token-secret and config from
shift-worker-config) and running python3.11 /app/main.py, exposing tokens to
attacker-controlled code; fix by changing the job to use a trusted, pinned image
(replace ${AGENT_WORKER_IMAGE} with a vetted registry:tag or a cluster-built
image stream) for the credentialed execution path or move this credentialed step
out of presubmit into a postsubmit/periodic job, and ensure the env entries
(EP_URL, REPO_URL, BASE_BRANCH, PYTHONUNBUFFERED) remain the same but
credentials are only injected into runs that use the trusted image.
- Around line 125-136: Replace the fixed sleep + blind jq extraction with a
readiness loop that ensures the token-minting service is responding and
returning a non-null token before creating the secret: after starting oc
port-forward (svc/gh-token-minter) and storing PF_PID, poll the endpoint
(TOKEN_RESP via curl) with a short sleep/retry loop and a reasonable timeout,
parse GH_TOKEN from TOKEN_RESP with jq and verify it is not "null" or empty,
fail the job if the timeout is reached, and only then kill PF_PID and run oc
create secret generic gh-token-secret --from-literal=GH_TOKEN="${GH_TOKEN}";
ensure you preserve set +x around the token fetch to avoid leaking secrets.
- Around line 57-58: The step is sourcing a PR-controlled file (source
"${SHARED_DIR}/params.env") while credentials are mounted, creating an
exfiltration path; remove the direct sourcing from the credentialed step and
instead load/validate workflow inputs in an unprivileged step before mounting
secrets — e.g., move reading of SHARED_DIR/params.env into the prior
non-credentialed "workflow-input" step (or parse it with a safe parser that only
reads allowed keys), and pass only explicit, validated variables to the
credentialed step via environment variables or a short-lived file that you
create after validation; reference SHARED_DIR and params.env to find and replace
the source call.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 41c98b96-6b13-4395-8b50-848a7f417edb

📥 Commits

Reviewing files that changed from the base of the PR and between 4b53613 and e339af0.

⛔ Files ignored due to path filters (1)
  • ci-operator/jobs/openshift-eng/oape-ai-e2e/openshift-eng-oape-ai-e2e-main-presubmits.yaml is excluded by !ci-operator/jobs/**
📒 Files selected for processing (1)
  • ci-operator/config/openshift-eng/oape-ai-e2e/openshift-eng-oape-ai-e2e-main.yaml

swghosh (Member, Author) commented May 7, 2026

/pj-rehearse

openshift-merge-bot Bot (Contributor) commented

@swghosh: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

swghosh (Member, Author) commented May 8, 2026

/pj-rehearse

openshift-merge-bot Bot (Contributor) commented

@swghosh: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

swghosh (Member, Author) commented May 8, 2026

/cc @shivprakashmuley @mytreya-rh

@swghosh swghosh force-pushed the oape-ai-e2e/prow-workflow branch from 1782cd8 to 9bc24e7 Compare May 8, 2026 07:53
coderabbitai Bot (Contributor) left a comment

♻️ Duplicate comments (2)
ci-operator/config/openshift-eng/oape-ai-e2e/openshift-eng-oape-ai-e2e-main.yaml (2)

88-89: ⚠️ Potential issue | 🔴 Critical | ⚡ Quick win

Do not source a PR-authored file after mounting credentials.

workflow-input is built from repo content, so source "${SHARED_DIR}/params.env" executes arbitrary shell from the PR in the same step that mounts live credentials. Parse only the expected keys instead of evaluating the file.

Suggested hardening
-        source "${SHARED_DIR}/params.env"
-        export EP_URL REPO_URL BASE_BRANCH
+        while IFS='=' read -r key value; do
+          case "${key}" in
+            EP_URL|REPO_URL|BASE_BRANCH)
+              export "${key}=${value}"
+              ;;
+            ''|\#*)
+              ;;
+            *)
+              echo "unexpected workflow param: ${key}" >&2
+              exit 1
+              ;;
+          esac
+        done < "${SHARED_DIR}/params.env"
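Review bot: the loop drops the last KEY=VALUE pair when params.env has no trailing newline, since `read` returns non-zero on that partial line and the body never runs for it; write the header as `while IFS='=' read -r key value || [ -n "${key}" ]; do` so the final pair is still processed. Quotes are also carried into the exported value (`EP_URL="https://..."` exports a value that begins with a literal `"`), unlike the `source` it replaces, so either strip one pair of matching quotes or reject quoted values explicitly.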
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In
`@ci-operator/config/openshift-eng/oape-ai-e2e/openshift-eng-oape-ai-e2e-main.yaml`
around lines 88 - 89, Replace the insecure sourcing of PR-authored
content—remove "source \"${SHARED_DIR}/params.env\""—and instead safely extract
and export only the expected keys (EP_URL, REPO_URL, BASE_BRANCH) from
${SHARED_DIR}/params.env without executing it; update the step that currently
references the source command to parse the file (e.g., by reading/grepping only
lines for those variable names and exporting their values) so arbitrary shell in
the PR cannot be evaluated when credentials are mounted.

75-79: ⚠️ Potential issue | 🔴 Critical | 🏗️ Heavy lift

Keep live credentials out of PR-built agent-worker steps.

Both credentialed steps run from: agent-worker, which is built from the PR under test. That gives untrusted code access to the GitHub App key in mint-gh-token and the GCP credentials in agent-workflow. Use a trusted image for the credentialed path, or move this workflow to postsubmit/periodic.

Also applies to: 120-124

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In
`@ci-operator/config/openshift-eng/oape-ai-e2e/openshift-eng-oape-ai-e2e-main.yaml`
around lines 75 - 79, The credentialed steps currently use "from: agent-worker"
(which is built from the PR under test) and thus expose the GitHub App key
(credential name openshift-app-platform-shift-github-bot, mount_path
/var/run/github-app) and GCP creds to untrusted PR code; update the credentialed
steps (e.g., the mint-gh-token and agent-workflow steps referenced) to use a
trusted image instead of "agent-worker" or move this job to a
postsubmit/periodic pipeline so credentials are only mounted into a trusted,
non-PR-built image; ensure the "from" value is replaced with a pinned/trusted
image name or relocate the workflow accordingly and remove credential mounts
from any PR-built step.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 8f1e4b1a-d6e8-4951-a9b3-d52f50b68cce

📥 Commits

Reviewing files that changed from the base of the PR and between 1782cd8 and 9bc24e7.

📒 Files selected for processing (1)
  • ci-operator/config/openshift-eng/oape-ai-e2e/openshift-eng-oape-ai-e2e-main.yaml

@swghosh swghosh force-pushed the oape-ai-e2e/prow-workflow branch from 9bc24e7 to 5f4d15d Compare May 8, 2026 09:16
@swghosh swghosh changed the title poc(prow): ✴️ openshift-eng/oape-ai-e2e workflow poc(prow):🚢 ✴️ openshift-eng/oape-ai-e2e workflow May 8, 2026
@swghosh swghosh changed the title poc(prow):🚢 ✴️ openshift-eng/oape-ai-e2e workflow poc(prow): 🚢 ✴️ openshift-eng/oape-ai-e2e workflow May 8, 2026
swghosh (Member, Author) commented May 8, 2026

/pj-rehearse

openshift-merge-bot Bot (Contributor) commented

@swghosh: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

@swghosh swghosh force-pushed the oape-ai-e2e/prow-workflow branch from 5f4d15d to 5ac4f8c Compare May 8, 2026 09:45
coderabbitai Bot (Contributor) left a comment

♻️ Duplicate comments (1)
ci-operator/config/openshift-eng/oape-ai-e2e/openshift-eng-oape-ai-e2e-main.yaml (1)

88-89: ⚠️ Potential issue | 🔴 Critical | ⚡ Quick win

The source command security issue remains unresolved.

A prior review flagged this exact pattern and it was marked "✅ Addressed in commit 1782cd8", but the current code still has source "${SHARED_DIR}/params.env" executing PR-controlled shell code while GCP ADC credentials are mounted at /var/run/gcloud-adc.

Since params.env originates from the PR-built workflow-input image, a malicious PR can embed shell commands in that file to exfiltrate the mounted credentials.

🔐 Recommended fix: parse only expected keys
-        source "${SHARED_DIR}/params.env"
-        export EP_URL REPO_URL BASE_BRANCH
+        # Load only expected workflow params without executing shell
+        while IFS='=' read -r key value; do
+          case "${key}" in
+            EP_URL|REPO_URL|BASE_BRANCH)
+              export "${key}=${value}"
+              ;;
+            ''|\#*)
+              # skip blank lines and comments
+              ;;
+            *)
+              echo "unexpected workflow param: ${key}" >&2
+              exit 1
+              ;;
+          esac
+        done < "${SHARED_DIR}/params.env"
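Review bot: the allow-list covers keys only; the value after `=` is exported unchecked, so whatever the PR puts there (including shell metacharacters that a later unquoted expansion or `eval` would interpret) is accepted verbatim. Validate the value against a tight character class before `export "${key}=${value}"`, as the prompt below this hunk suggests (alphanumerics plus `/:._-`), and treat a repeated key as an error so a second `EP_URL=` line cannot quietly override the first.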
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In
`@ci-operator/config/openshift-eng/oape-ai-e2e/openshift-eng-oape-ai-e2e-main.yaml`
around lines 88 - 89, Do not source the PR-controlled file directly; replace the
line source "${SHARED_DIR}/params.env" with safe parsing that reads only the
expected keys (EP_URL, REPO_URL, BASE_BRANCH) and validates/sanitizes their
values before exporting them. Concretely, implement parsing logic that opens
"${SHARED_DIR}/params.env", extracts lines matching
^(EP_URL|REPO_URL|BASE_BRANCH)=, strips surrounding quotes, rejects/escapes any
characters other than a safe whitelist (e.g., alphanumerics, /:._-), and then
export the three variables (EP_URL, REPO_URL, BASE_BRANCH) instead of sourcing
the file. Ensure no arbitrary commands from params.env can be executed.
🧹 Nitpick comments (1)
ci-operator/config/openshift-eng/oape-ai-e2e/openshift-eng-oape-ai-e2e-main.yaml (1)

60-73: 💤 Low value

Add defensive error handling for GitHub API responses.

The inline Python extracts [0]['id'] and ['token'] without validation. If the GitHub App has no installations or the API returns an error, these will raise IndexError/KeyError with no actionable context.

🛡️ Suggested improvement
-        INST_ID=$(curl -sf \
-          -H "Authorization: Bearer ${JWT}" \
-          -H "Accept: application/vnd.github+json" \
-          -H "X-GitHub-Api-Version: 2022-11-28" \
-          https://api.github.com/app/installations \
-          | python3 -c "import sys,json; print(json.load(sys.stdin)[0]['id'])")
+        INST_ID=$(curl -sf \
+          -H "Authorization: Bearer ${JWT}" \
+          -H "Accept: application/vnd.github+json" \
+          -H "X-GitHub-Api-Version: 2022-11-28" \
+          https://api.github.com/app/installations \
+          | python3 -c "import sys,json; d=json.load(sys.stdin); print(d[0]['id']) if d else sys.exit('No installations found')")
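Review bot: the diagnostic gap is only half closed here. With `curl -sf`, a non-2xx response leaves curl's stdout empty, `json.load` then fails with a `JSONDecodeError` that says nothing about the HTTP status, and because the pipeline's exit status is python's, curl's failure is invisible unless `set -o pipefail` is in effect; capture the response in a variable, check curl's exit status, then parse. Selecting `d[0]` also assumes the App has a single installation; if it is installed on more than one account the first entry may belong to the wrong one, so pick the installation whose `account.login` matches the target organization instead of the first element.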

Similar pattern for the token extraction on line 68-73.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In
`@ci-operator/config/openshift-eng/oape-ai-e2e/openshift-eng-oape-ai-e2e-main.yaml`
around lines 60 - 73, The extraction of INST_ID and TOKEN using inline Python
assumes the GitHub API returned a non-empty installations list and a token key;
update the two extraction steps (the INST_ID assignment and the TOKEN
assignment) to validate the HTTP response and JSON structure before accessing
[0]['id'] and ['token']: check curl exit/status and/or parse the response into a
variable, verify JSON is valid, ensure the installations array is non-empty (or
that 'id' exists) and that 'token' exists, and on any failure emit a clear error
message with the raw response and exit non-zero so callers can diagnose the
problem.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 6f158eca-249d-493a-90bd-0159e3c6fddc

📥 Commits

Reviewing files that changed from the base of the PR and between 5f4d15d and 5ac4f8c.

📒 Files selected for processing (1)
  • ci-operator/config/openshift-eng/oape-ai-e2e/openshift-eng-oape-ai-e2e-main.yaml
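The allow-list parse that the comments above recommend (do not `source` a PR-authored params.env in a step that has GH_TOKEN and the GCP ADC mounted), written out as an added, runnable example; it is not code from the PR or from CodeRabbit's suggestion. The key names EP_URL, REPO_URL and BASE_BRANCH come from the review; the value character class, the quote handling, the duplicate-key and missing-key checks, and the two sample files are assumptions constructed here.

```shell
#!/bin/sh
# Added example (not from the PR or from CodeRabbit): load workflow parameters
# from a PR-authored params.env without `source`-ing it, so a credentialed step
# never evaluates shell written by the PR under test.
set -u

# Keys the agent-workflow step needs (named in the review). Anything else fails.
ALLOWED_KEYS="EP_URL REPO_URL BASE_BRANCH"

# Assumed value policy: URL- and branch-safe characters only; no $ ` ; | & quotes
# or whitespace, so a later unquoted expansion cannot be turned into a command.
VALUE_RE='^[A-Za-z0-9/:._@-]+$'

# load_params FILE
# Exports each allow-listed KEY=VALUE from FILE. Returns 1 on an unknown or
# duplicate key, a line that is not KEY=VALUE, a value outside VALUE_RE, or a
# missing required key, so the step can abort before GH_TOKEN or the GCP ADC
# file is read. Blank lines and '#' comments are skipped.
load_params() {
  file="$1"
  seen=""
  lineno=0
  dq='"'
  sq="'"
  # `|| [ -n "$line" ]` keeps a final line that has no trailing newline.
  while IFS= read -r line || [ -n "$line" ]; do
    lineno=$((lineno + 1))
    case "$line" in
      '' | '#'*) continue ;;
      *=*) ;;
      *) echo "params.env:${lineno}: not a KEY=VALUE line" >&2; return 1 ;;
    esac
    key="${line%%=*}"
    value="${line#*=}"
    # Strip one pair of matching surrounding quotes, as `source` would have.
    case "$value" in
      "$dq"*"$dq") value="${value#"$dq"}"; value="${value%"$dq"}" ;;
      "$sq"*"$sq") value="${value#"$sq"}"; value="${value%"$sq"}" ;;
    esac
    case " ${ALLOWED_KEYS} " in
      *" ${key} "*) ;;
      *) echo "params.env:${lineno}: unexpected key '${key}'" >&2; return 1 ;;
    esac
    case " ${seen} " in
      *" ${key} "*) echo "params.env:${lineno}: duplicate key '${key}'" >&2; return 1 ;;
    esac
    if ! printf '%s\n' "$value" | grep -Eq "$VALUE_RE"; then
      echo "params.env:${lineno}: value of ${key} has disallowed characters" >&2
      return 1
    fi
    export "${key}=${value}"
    seen="${seen} ${key}"
  done < "$file"
  for key in ${ALLOWED_KEYS}; do
    case " ${seen} " in
      *" ${key} "*) ;;
      *) echo "params.env: required key ${key} is missing" >&2; return 1 ;;
    esac
  done
  return 0
}

# --- Demo on constructed sample files (not real workflow inputs) --------------
demo_dir="$(mktemp -d)"
# Well-formed: a comment, a blank line, a quoted value, no trailing newline.
printf 'EP_URL="https://example.invalid/enhancements/ep.md"\n# emitted by the PR-built workflow-input image\n\nREPO_URL=https://example.invalid/org/repo.git\nBASE_BRANCH=main' \
  > "${demo_dir}/good.env"
# Hostile: `source` would have run `echo injected` as a second command.
printf 'EP_URL=https://example.invalid/enhancements/ep.md\nREPO_URL=https://example.invalid/org/repo.git\nBASE_BRANCH=main; echo injected\n' \
  > "${demo_dir}/bad.env"

if load_params "${demo_dir}/good.env"; then
  echo "accepted: EP_URL=${EP_URL} REPO_URL=${REPO_URL} BASE_BRANCH=${BASE_BRANCH}"
fi
if load_params "${demo_dir}/bad.env"; then
  echo "BUG: hostile params.env was accepted" >&2
else
  echo "rejected hostile params.env as expected"
fi
rm -rf "${demo_dir}"
```

In the agent-workflow step, `load_params "${SHARED_DIR}/params.env" || exit 1` replaces the `source` line and the `export EP_URL REPO_URL BASE_BRANCH` that follows it.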

swghosh (Member, Author) commented May 8, 2026

/pj-rehearse

openshift-merge-bot Bot (Contributor) commented

@swghosh: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

swghosh (Member, Author) commented May 8, 2026

/pj-rehearse

openshift-merge-bot Bot (Contributor) commented

@swghosh: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

…mespace

Signed-off-by: Swarup Ghosh <swghosh@redhat.com>
@swghosh swghosh force-pushed the oape-ai-e2e/prow-workflow branch from 5ac4f8c to 3e8ff56 Compare May 8, 2026 11:49
openshift-merge-bot Bot (Contributor) commented

[REHEARSALNOTIFIER]
@swghosh: the pj-rehearse plugin accommodates running rehearsal tests for the changes in this PR. Expand 'Interacting with pj-rehearse' for usage details. The following rehearsable tests have been affected by this change:

Test name | Repo | Type | Reason
pull-ci-openshift-eng-oape-ai-e2e-main-run-workflow | openshift-eng/oape-ai-e2e | presubmit | Presubmit changed
pull-ci-openshift-eng-oape-ai-e2e-main-images | openshift-eng/oape-ai-e2e | presubmit | Ci-operator config changed
Interacting with pj-rehearse

Comment: /pj-rehearse to run up to 5 rehearsals
Comment: /pj-rehearse skip to opt-out of rehearsals
Comment: /pj-rehearse {test-name}, with each test separated by a space, to run one or more specific rehearsals
Comment: /pj-rehearse more to run up to 10 rehearsals
Comment: /pj-rehearse max to run up to 25 rehearsals
Comment: /pj-rehearse auto-ack to run up to 5 rehearsals, and add the rehearsals-ack label on success
Comment: /pj-rehearse list to get an up-to-date list of affected jobs
Comment: /pj-rehearse abort to abort all active rehearsals
Comment: /pj-rehearse network-access-allowed to allow rehearsals of tests that have the restrict_network_access field set to false. This must be executed by an openshift org member who is not the PR author

Once you are satisfied with the results of the rehearsals, comment: /pj-rehearse ack to unblock merge. When the rehearsals-ack label is present on your PR, merge will no longer be blocked by rehearsals.
If you would like the rehearsals-ack label removed, comment: /pj-rehearse reject to re-block merging.

swghosh (Member, Author) commented May 8, 2026

/pj-rehearse

openshift-merge-bot Bot (Contributor) commented

@swghosh: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

swghosh (Member, Author) commented May 8, 2026

/test owners

@swghosh swghosh marked this pull request as draft May 8, 2026 14:04
@openshift-ci openshift-ci Bot added the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label May 8, 2026
swghosh (Member, Author) commented May 8, 2026

/pj-rehearse ack

openshift-merge-bot Bot (Contributor) commented

@swghosh: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

@openshift-merge-bot openshift-merge-bot Bot added the rehearsals-ack Signifies that rehearsal jobs have been acknowledged label May 8, 2026
swghosh (Member, Author) commented May 9, 2026

/label tide/merge-method-squash

@openshift-ci openshift-ci Bot added the tide/merge-method-squash Denotes a PR that should be squashed by tide when it merges. label May 9, 2026
@swghosh swghosh marked this pull request as ready for review May 9, 2026 03:14
@openshift-ci openshift-ci Bot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label May 9, 2026
openshift-ci Bot (Contributor) commented May 9, 2026

@swghosh: all tests passed!

Full PR test history. Your PR dashboard.


Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.
