WIP/DO NOT MERGE: Testing setup jobs of cri-o

[ngopalak-redhat]

Summary by CodeRabbit

This PR introduces a new test step script for the cri-o setup workflow in the OpenShift CI infrastructure. The change adds cri-o-setup-test-commands.sh, which is invoked as part of the cri-o-setup workflow to test the setup jobs for cri-o.

The script implements a GCP-based test workflow that:

1. Downloads a specific fork of the cri-o source repository (from ngopalak-redhat/cri-o on the fix-libpathrs-0.2.5 branch) and extracts it to /tmp
2. Executes an Ansible playbook (setup-main.yml) from the extracted source's contrib/test/ci directory in local connection mode to run the setup tests
3. Creates a GCP image snapshot from the configured instance for future use
4. Manages image lifecycle by automatically deleting images older than 2 weeks to control storage costs
5. Cleans up the temporary GCP instance after the test completes

This new test step integrates into the existing cri-o-setup workflow that includes VCP provisioning, build host setup, and cleanup steps. The script is part of the OpenShift CI infrastructure's step registry, which is used to modularize and reuse CI job components across different repositories and test scenarios.

[openshift-ci]

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: ngopalak-redhat
Once this PR has been reviewed and has the lgtm label, please assign saschagrunert for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• ci-operator/step-registry/cri-o/setup/test/OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[coderabbitai]

Walkthrough

The SSH heredoc in cri-o-setup-test-commands.sh is modified to download and extract a specific cri-o source tarball into /tmp before running the Ansible playbook. The previous logic that entered SOURCE_DIR, captured ANSIBLE_EXIT_CODE, and explicitly exited the heredoc with that status is removed.

Changes

CRI-O SSH Setup Heredoc Refactor

Layer / File(s)	Summary
SSH heredoc: tarball fetch and Ansible invocation ci-operator/step-registry/cri-o/setup/test/cri-o-setup-test-commands.sh	The heredoc now runs curl/tar to download and extract a specific cri-o archive into /tmp, changes into contrib/test/ci under that extracted path, and executes the Ansible playbook directly. The prior SOURCE_DIR directory entry, ANSIBLE_EXIT_CODE capture, and explicit heredoc exit with that code are removed.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~5 minutes

---

Important

Pre-merge checks failed

Please resolve all errors before merging. Addressing warnings is optional.

❌ Failed checks (1 error, 1 inconclusive)

Check name	Status	Explanation	Resolution
No-Sensitive-Data-In-Logs	❌ Error	Script enables 'set -x' globally (lines 4, 14), causing environment variables, login credentials, SSH options, IPs, and GCP resource IDs to be logged, exposing sensitive authentication data.	Remove 'set -x' or conditionally enable it only for non-sensitive operations; use 'set +x' around sensitive commands (sourcing env, running login scripts); sanitize sensitive variable output before logging.
Title check	❓ Inconclusive	The title includes 'WIP/DO NOT MERGE' prefix which indicates work-in-progress status, but the core part 'Testing setup jobs of cri-o' is specific to the changeset involving cri-o setup test commands.	Consider removing the 'WIP/DO NOT MERGE' prefix to make the title more descriptive of the actual change (e.g., 'Update cri-o setup test commands to download source tarball' or 'Refactor cri-o test setup to use source tarball extraction').

✅ Passed checks (13 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names	✅ Passed	PR modifies a bash CI script without any Ginkgo tests; the check for stable test names is not applicable to shell scripts or non-Ginkgo test code.
Test Structure And Quality	✅ Passed	PR modifies a Bash shell script for CI/CD setup, not Ginkgo test code. The custom check for Ginkgo test quality (It blocks, BeforeEach/AfterEach, timeouts, assertions) is not applicable.
Microshift Test Compatibility	✅ Passed	No new Ginkgo e2e tests are added in this PR. The only modification is to a bash script for CI/CD infrastructure setup, which is out of scope for the MicroShift test compatibility check.
Single Node Openshift (Sno) Test Compatibility	✅ Passed	PR does not add Ginkgo e2e tests. The modified file is a bash CI setup script for cri-o, not a test file containing It(), Describe(), Context(), or When() patterns. Check not applicable.
Topology-Aware Scheduling Compatibility	✅ Passed	PR modifies only a CI/CD test setup shell script, not deployment manifests, operator code, or controllers. No scheduling constraints or topology assumptions are introduced.
Ote Binary Stdout Contract	✅ Passed	PR modifies a shell script in the openshift/release CI configuration repository, not an OTE binary. The check targets Go binaries communicating via JSON stdout; it does not apply to shell scripts o...
Ipv6 And Disconnected Network Test Compatibility	✅ Passed	No Ginkgo e2e tests added in this PR. The modified file is a bash setup script without any Ginkgo test patterns (It, Describe, Context, When). Check is inapplicable.
No-Weak-Crypto	✅ Passed	The PR modifies only a CI/CD shell script with standard operations (SSH, curl, tar, gcloud commands). No MD5, SHA1, DES, RC4, 3DES, Blowfish, ECB mode, custom crypto, or insecure secret comparisons...
Container-Privileges	✅ Passed	The cri-o setup test changes involve a bash script and ci-operator config, not K8s container manifests with privileged settings. Unrelated infrastructure files with privileged:true are not part of...

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[ngopalak-redhat]

/hold

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@ci-operator/step-registry/cri-o/setup/test/cri-o-setup-test-commands.sh`:
- Around line 16-17: The directory path referenced in the cd command on line 17
does not match the extracted archive from line 16. When downloading from the
GitHub archive URL with the branch name fix-libpathrs-0.2.5, the extracted
directory will be named cri-o-fix-libpathrs-0.2.5, not cri-o-pin-runc-version.
Update the cd command to use the correct extracted directory name that
corresponds to the branch name in the curl download URL to ensure the path
exists before attempting to change into it.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 4280faa0-e752-47b9-848a-9ca9f18f8281

📥 Commits

Reviewing files that changed from the base of the PR and between b6ad29a and 1b7585c.

📒 Files selected for processing (1)

• ci-operator/step-registry/cri-o/setup/test/cri-o-setup-test-commands.sh

[ngopalak-redhat]

/pj-rehearse

[openshift-merge-bot]

@ngopalak-redhat: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

[openshift-merge-bot]

[REHEARSALNOTIFIER]
@ngopalak-redhat: the pj-rehearse plugin accommodates running rehearsal tests for the changes in this PR. Expand 'Interacting with pj-rehearse' for usage details. The following rehearsable tests have been affected by this change:

Test name	Repo	Type	Reason
periodic-ci-cri-o-cri-o-main-periodics-setup-periodic	N/A	periodic	Registry content changed

Interacting with pj-rehearse

Comment: /pj-rehearse to run up to 5 rehearsals
Comment: /pj-rehearse skip to opt-out of rehearsals
Comment: /pj-rehearse {test-name}, with each test separated by a space, to run one or more specific rehearsals
Comment: /pj-rehearse more to run up to 10 rehearsals
Comment: /pj-rehearse max to run up to 25 rehearsals
Comment: /pj-rehearse auto-ack to run up to 5 rehearsals, and add the rehearsals-ack label on success
Comment: /pj-rehearse list to get an up-to-date list of affected jobs
Comment: /pj-rehearse abort to abort all active rehearsals
Comment: /pj-rehearse network-access-allowed to allow rehearsals of tests that have the restrict_network_access field set to false. This must be executed by an openshift org member who is not the PR author

Once you are satisfied with the results of the rehearsals, comment: /pj-rehearse ack to unblock merge. When the rehearsals-ack label is present on your PR, merge will no longer be blocked by rehearsals.
If you would like the rehearsals-ack label removed, comment: /pj-rehearse reject to re-block merging.

[ngopalak-redhat]

/pj-rehearse periodic-ci-cri-o-cri-o-main-periodics-setup-periodic

[openshift-merge-bot]

@ngopalak-redhat: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

[openshift-ci]

@ngopalak-redhat: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/rehearse/periodic-ci-cri-o-cri-o-main-periodics-setup-periodic	e18d8f6	link	unknown	/pj-rehearse periodic-ci-cri-o-cri-o-main-periodics-setup-periodic

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

[ngopalak-redhat]

/pj-rehearse periodic-ci-cri-o-cri-o-main-periodics-setup-periodic

[openshift-merge-bot]

@ngopalak-redhat: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.