aws-account-operator: Add prek validation to PROW CI #78697
BATMAN-JD wants to merge 1 commit into openshift:main from
Walkthrough
CI adds a

Changes

Sequence Diagram(s)

sequenceDiagram
    participant CI as CI Orchestrator
    participant Image as prek-runner (container)
    participant Repo as Temp Git Workspace
    participant Remote as Prek Release Server
    CI->>Image: Start container with mounted workspace
    CI->>Repo: Create temp git repo, add files
    Image->>Remote: Read .prek-version (or use v0.3.9) and download prek binary
    Remote-->>Image: Return prek tarball
    Image->>Image: Extract /usr/local/bin/prek
    CI->>Image: If hack/ci.sh executable -> run it
    alt hack/ci.sh not executable
        CI->>Image: Run `prek run --all-files`
    end
/pj-rehearse

@BATMAN-JD: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

/lgtm
| items: | ||
| - dockerfile_path: build/Dockerfile | ||
| to: aws-account-operator | ||
| - dockerfile_literal: | |
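Review bot: the `dockerfile_literal` added in this hunk makes the prek installation a per-repository inline Dockerfile, so the version pin and any integrity check have to be maintained separately in every consuming config; the thread already raises moving this into the shared boilerplate image, which would keep the download logic in one reviewed place and avoid config drift between repositories.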
Why not just include all this in the boilerplate image so we don't need per-repo config to handle running this?

This is actually a really good point. Let me look into boilerplate.

First goal is to show something that works and then generalize. If we can add to a central location and not break everyone, that works for me.

Makes sense to me, just wanted to float the option to save some PRs and config drift possibilities.
0bed2e3 to a46038f
New changes are detected. LGTM label has been removed.

/retest
a46038f to 0014018
[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: BATMAN-JD, geowa4
The full list of commands accepted by this bot can be found here.

Details
Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing
/pj-rehearse |
|
@BATMAN-JD: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel. |
1bd0043 to 57fdc7e
Actionable comments posted: 1

ℹ️ Review info
⚙️ Run configuration
Configuration used: Repository YAML (base), Central YAML (inherited)
Review profile: CHILL
Plan: Enterprise
Run ID: 8314f404-1651-42d6-a589-8d8841c75035

⛔ Files ignored due to path filters (1)
ci-operator/jobs/openshift/aws-account-operator/openshift-aws-account-operator-master-presubmits.yaml is excluded by !ci-operator/jobs/**

📒 Files selected for processing (1)
ci-operator/config/openshift/aws-account-operator/openshift-aws-account-operator-master.yaml
| RUN PREK_VERSION="$(tr -d '[:space:]' < .prek-version 2>/dev/null || true)" \ | ||
| && PREK_VERSION="${PREK_VERSION:-v0.3.9}" \ | ||
| && curl -fsSL "https://github.com/j178/prek/releases/download/${PREK_VERSION}/prek-x86_64-unknown-linux-gnu.tar.gz" \ | ||
| | tar xzf - --strip-components=1 -C /usr/local/bin/ prek-x86_64-unknown-linux-gnu/prek |
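Review bot: the `curl ... | tar xzf -` pipeline in this RUN extracts the downloaded tarball straight into /usr/local/bin without checking it against the *.sha256 file the prek project publishes beside each release asset, so a substituted or corrupted download would be installed silently; download the checksum file alongside the tarball and verify it with `sha256sum -c` before extracting. The `tr ... 2>/dev/null || true` followed by `${PREK_VERSION:-v0.3.9}` also turns a missing or unreadable .prek-version into a quiet fallback; failing the build when the file is absent would make the pinned version the only one the image can use.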
🧩 Analysis chain

🏁 Script executed:
# Read the target YAML file to see the full context
cat -n ci-operator/config/openshift/aws-account-operator/openshift-aws-account-operator-master.yaml | head -100
Repository: openshift/release
Length of output: 3483

🏁 Script executed:
# Check if .prek-version file exists in the repo
find . -name ".prek-version" -o -name "*prek*" | head -20
Repository: openshift/release
Length of output: 43

🏁 Script executed:
# Search for other mentions of prek in the codebase
rg -i "prek" --type yaml --type sh --type md
Repository: openshift/release
Length of output: 4240

🏁 Script executed:
# Check if .prek-version exists in the aws-account-operator repo
# The config references the repo at /go/src/github.com/openshift/aws-account-operator
# Since we're in openshift/release repo, let's search for any reference to aws-account-operator content
rg -i "\.prek-version" --type yaml --type sh
Repository: openshift/release
Length of output: 456

🏁 Script executed:
# Search for PR `#975` or similar references in the repo
rg "975|prek" --type md | head -30
Repository: openshift/release
Length of output: 357

🏁 Script executed:
# Check the prek project to understand if binary validation is expected
web_search prek tool GitHub j178/prek releases binary verification
Repository: openshift/release
Length of output: 155
🌐 Web query:
j178/prek GitHub releases binary verification checksum
💡 Result:
For j178/prek GitHub releases, the project provides SHA-256 checksums for prebuilt release assets (published alongside the binaries as *.sha256 files). The releases page lists assets with their SHA-256 digests. Additionally, starting around the v0.3.x timeframe, prek's release process includes GitHub Artifact Attestations that you can verify with the GitHub CLI (this provides provenance/integrity attestation for the downloaded artifacts).

How to verify a downloaded release binary (checksum):
1) Download the matching binary asset from https://github.com/j178/prek/releases (for your version/OS/arch).
2) Download the corresponding checksum file (typically named like the asset but with the extension .sha256).
3) Verify the binary against the checksum in that .sha256 file.

How to verify GitHub Artifact Attestations (provenance/integrity):
gh attestation verify --repo j178/prek
You can also verify with a downloaded attestation bundle:
gh attestation verify --bundle
Citations:
- 1: https://github.com/j178/prek/releases
- 2: https://newreleases.io/project/github/j178/prek/release/v0.3.6
- 3: docs: add commands for artifact verification using GitHub Attestations j178/prek#1500
- 4: Add GitHub artifact attestations to release workflow j178/prek#1494
- 5: https://newreleases.io/project/github/j178/prek/release/v0.3.10
🌐 Web query:
aws-account-operator pull request 975 prek
💡 Result:
No pull request #975 exists in the openshift/aws-account-operator repository or any closely related repositories. Searches across GitHub, general web, and specific queries for "aws-account-operator pull request 975" and variations including "prek" returned no matching results. The repository is active (last push 2026-03-31) with 1 open issue but no mention of PR 975. "Prek" may refer to a username, prefix, or internal term not publicly documented. The aws-account-operator manages pools of AWS accounts for OpenShift Hive.
Citations:
- 1: https://github.com/openshift/aws-account-operator
- 2: https://github.com/openshift/aws-account-operator/pulls
- 3: https://pkg.go.dev/github.com/openshift/aws-account-operator
Download and verify the prek binary before extraction.
The code downloads a binary directly from GitHub without checksum or signature validation. The prek project provides SHA-256 checksums for releases—these should be downloaded and verified before extracting. Additionally, the || true fallback to v0.3.9 when .prek-version is absent silently masks version drift and makes it difficult to detect when an unexpected prek version is being used.
Validate the release asset checksum (or use GitHub attestations) and consider requiring .prek-version to be present for reproducible builds.
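A hardened form of the installation step, written here as an added example rather than the PR's own Dockerfile content: it refuses to run without .prek-version instead of falling back to a default, fetches the release tarball together with its published .sha256 file, and extracts the binary only after the digest matches. The asset layout under the release base URL and the sha256sum-style contents of the checksum file are assumptions; `fetch` handles file:// URLs with cp so the whole flow can be exercised offline against a constructed release directory built by `make_fake_release`.

```shell
#!/bin/sh
# Hardened prek install step (added example; not the PR's own Dockerfile RUN).
# Assumptions not confirmed by the PR: release assets live at
#   <base>/<version>/prek-x86_64-unknown-linux-gnu.tar.gz
#   <base>/<version>/prek-x86_64-unknown-linux-gnu.tar.gz.sha256
# and the .sha256 file uses the sha256sum format ("<hex>  <asset name>").
set -eu

PREK_ASSET="prek-x86_64-unknown-linux-gnu"

# prek_version_from_file FILE: print the pinned version, or fail loudly.
# There is deliberately no silent fallback to a default version.
prek_version_from_file() {
  if [ ! -s "$1" ]; then
    echo "error: $1 is missing or empty; refusing to guess a prek version" >&2
    return 1
  fi
  tr -d '[:space:]' < "$1"
}

# fetch URL DEST: file:// URLs are copied with cp so the flow runs offline;
# everything else is downloaded with curl, which fails on HTTP errors (-f).
fetch() {
  case "$1" in
    file://*) cp "${1#file://}" "$2" ;;
    *)        curl -fsSL -o "$2" "$1" ;;
  esac
}

# verify_sha256 FILE CHECKSUM_FILE: compare the digest recorded in the
# checksum file (first field of its first line) with the digest of FILE.
verify_sha256() {
  expected="$(awk 'NR == 1 { print $1 }' "$2")"
  actual="$(sha256sum "$1" | awk '{ print $1 }')"
  if [ -n "$expected" ] && [ "$expected" = "$actual" ]; then
    return 0
  fi
  return 1
}

# install_prek BASE_URL VERSION_FILE DEST_DIR: download tarball and checksum,
# verify, then extract the single prek binary into DEST_DIR.
install_prek() {
  base="$1"; version_file="$2"; dest="$3"
  version="$(prek_version_from_file "$version_file")" || return 1
  work="$(mktemp -d)"
  tarball="$work/$PREK_ASSET.tar.gz"
  if ! fetch "$base/$version/$PREK_ASSET.tar.gz" "$tarball" \
     || ! fetch "$base/$version/$PREK_ASSET.tar.gz.sha256" "$tarball.sha256"; then
    echo "error: could not fetch prek $version from $base" >&2
    rm -rf "$work"; return 1
  fi
  if ! verify_sha256 "$tarball" "$tarball.sha256"; then
    echo "error: SHA-256 mismatch for prek $version; not installing" >&2
    rm -rf "$work"; return 1
  fi
  mkdir -p "$dest"
  tar -xzf "$tarball" -C "$dest" --strip-components=1 "$PREK_ASSET/prek"
  rm -rf "$work"
  echo "installed prek $version to $dest/prek"
}

# make_fake_release ROOT VERSION: constructed fixture (a stub prek script
# packaged the way the real asset is assumed to be) for offline testing.
make_fake_release() {
  d="$1/$2/$PREK_ASSET"
  mkdir -p "$d"
  printf '#!/bin/sh\necho prek-stub\n' > "$d/prek"
  chmod 755 "$d/prek"
  tar -czf "$1/$2/$PREK_ASSET.tar.gz" -C "$1/$2" "$PREK_ASSET"
  ( cd "$1/$2" && sha256sum "$PREK_ASSET.tar.gz" > "$PREK_ASSET.tar.gz.sha256" )
}

# Usage: sh install_prek.sh https://github.com/j178/prek/releases/download .prek-version /usr/local/bin
if [ "$#" -eq 3 ]; then
  install_prek "$1" "$2" "$3"
fi
```

Because the digest is compared before `tar` ever sees the archive, a tampered or truncated download is rejected rather than partially extracted, and the missing-version case surfaces as a build failure instead of a quiet switch to an unexpected release.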
/pj-rehearse

@BATMAN-JD: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.
Add prek-based pre-commit validation to aws-account-operator CI pipeline.

Changes:
- Add prek-runner image that builds on top of aws-account-operator image
- Install git and prek from release pinned in .prek-version
- Add prek test that runs hack/ci.sh (or falls back to prek run --all-files)
- Configure test to skip for documentation-only changes

Depends on aws-account-operator PR openshift#975 being merged first.

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
57fdc7e to 1f187c2
/pj-rehearse

@BATMAN-JD: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

[REHEARSALNOTIFIER]
Interacting with pj-rehearse
Comment: Once you are satisfied with the results of the rehearsals, comment:

/pj-rehearse ack

@BATMAN-JD: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

@BATMAN-JD: The following test failed, say

Full PR test history. Your PR dashboard.
Details
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.
Add prek-based pre-commit validation to aws-account-operator CI pipeline.

Changes
- prek-runner image that builds on top of aws-account-operator image
- … .prek-version
- prek test that runs hack/ci.sh (or falls back to prek run --all-files)

Dependencies
- … .prek-version and hack/ci.sh)

Testing
The prek test will run automatically in CI once this PR is merged and aws-account-operator has the prek infrastructure in place.

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>