@@ -4,6 +4,14 @@ images:
items:
- dockerfile_path: build/Dockerfile
to: aws-account-operator
- dockerfile_literal: |
Contributor

Why not just include all this in the boilerplate image so we don't need per-repo config to handle running this?

Contributor Author

This is actually a really good point. Let me look into boilerplate.

Contributor

First goal is to show something that works and then generalize. If we can add to a central location and not break everyone, that works for me.

Contributor

Makes sense to me, just wanted to float the option to save some PRs and config drift possibilities.

FROM src
RUN PREK_VERSION="$(tr -d '[:space:]' < .prek-version 2>/dev/null || true)" \
&& PREK_VERSION="${PREK_VERSION:-v0.3.9}" \
&& curl -fsSL "https://github.com/j178/prek/releases/download/${PREK_VERSION}/prek-x86_64-unknown-linux-gnu.tar.gz" \
| tar xzf - --strip-components=1 -C /usr/local/bin/ prek-x86_64-unknown-linux-gnu/prek
Comment on lines +9 to +12
Contributor

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

# Read the target YAML file to see the full context
cat -n ci-operator/config/openshift/aws-account-operator/openshift-aws-account-operator-master.yaml | head -100

Repository: openshift/release

Length of output: 3483

🏁 Script executed:

# Check if .prek-version file exists in the repo
find . -name ".prek-version" -o -name "*prek*" | head -20

Repository: openshift/release

Length of output: 43

🏁 Script executed:

# Search for other mentions of prek in the codebase
rg -i "prek" --type yaml --type sh --type md

Repository: openshift/release

Length of output: 4240

🏁 Script executed:

# Check if .prek-version exists in the aws-account-operator repo
# The config references the repo at /go/src/github.com/openshift/aws-account-operator
# Since we're in openshift/release repo, let's search for any reference to aws-account-operator content
rg -i "\.prek-version" --type yaml --type sh

Repository: openshift/release

Length of output: 456

🏁 Script executed:

# Search for PR `#975` or similar references in the repo
rg "975|prek" --type md | head -30

Repository: openshift/release

Length of output: 357

🏁 Script executed:

# Check the prek project to understand if binary validation is expected
web_search
prek tool GitHub j178/prek releases binary verification

Repository: openshift/release

Length of output: 155

🌐 Web query:

j178/prek GitHub releases binary verification checksum

💡 Result:

For j178/prek GitHub releases, the project provides SHA-256 checksums for prebuilt release assets (published alongside the binaries as *.sha256 files). The releases page lists assets with their SHA-256 digests. Additionally, starting around the v0.3.x timeframe, prek’s release process includes GitHub Artifact Attestations that you can verify with the GitHub CLI (this provides provenance/integrity attestation for the downloaded artifacts). How to verify a downloaded release binary (checksum): 1) Download the matching binary asset from https://github.com/j178/prek/releases (for your version/OS/arch). 2) Download the corresponding checksum file (typically named like the asset but with the extension .sha256). 3) Verify the binary against the checksum in that .sha256 file. How to verify GitHub Artifact Attestations (provenance/integrity): gh attestation verify --repo j178/prek You can also verify with a downloaded attestation bundle: gh attestation verify --bundle

🌐 Web query:

aws-account-operator pull request 975 prek

💡 Result:

No pull request #975 exists in the openshift/aws-account-operator repository or any closely related repositories. Searches across GitHub, general web, and specific queries for "aws-account-operator pull request 975" and variations including "prek" returned no matching results. The repository is active (last push 2026-03-31) with 1 open issue but no mention of PR 975. "Prek" may refer to a username, prefix, or internal term not publicly documented. The aws-account-operator manages pools of AWS accounts for OpenShift Hive.

Download and verify the prek binary before extraction.

The code downloads a binary directly from GitHub without checksum or signature validation. The prek project provides SHA-256 checksums for releases—these should be downloaded and verified before extracting. Additionally, the || true fallback to v0.3.9 when .prek-version is absent silently masks version drift and makes it difficult to detect when an unexpected prek version is being used.

Validate the release asset checksum (or use GitHub attestations) and consider requiring .prek-version to be present for reproducible builds.

from: src
to: prek-runner
resources:
'*':
limits:
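Review bot: the `RUN` line in the `dockerfile_literal` pipes the release tarball from `curl -fsSL` straight into `tar xzf - ... -C /usr/local/bin/` with no integrity check on what was downloaded, and the version it fetches is whatever the checked-out repository's `.prek-version` says, falling back to `v0.3.9` through the `|| true` default. The prek releases publish a `.sha256` file beside each asset, so fetch that as well and run `sha256sum -c` against the tarball before extracting, or pin an expected digest next to the version in this file so that a version bump has to arrive together with its matching hash.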
@@ -47,6 +55,19 @@ tests:
container:
from: src
skip_if_only_changed: ^(?:\.tekton|\.github)|\.md$|^(?:\.gitignore|OWNERS|LICENSE)$
- as: prek
commands: |
export PREK_HOME=/tmp/prek
git init
git add -A
if [ -x hack/ci.sh ]; then
./hack/ci.sh
else
prek run --all-files
fi
container:
from: prek-runner
skip_if_only_changed: ^(?:\.tekton|\.github)|\.md$|^(?:\.gitignore|OWNERS|LICENSE)$
- always_run: false
as: integration-test
cluster_claim:
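Review bot: the `prek` test step's `if [ -x hack/ci.sh ]` branch hands the whole step to a repository script and only runs `prek run --all-files` when that script is absent, so a test named `prek` may end up running something else entirely with nothing in this config saying so. Either call `prek run --all-files` directly and drop the indirection, or add a comment inside the `commands` block stating what `hack/ci.sh` is expected to do; a short comment on why `git init` and `git add -A` are needed before the run would also help the next reader.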
@@ -271,6 +271,68 @@ presubmits:
secret:
secretName: result-aggregator
trigger: (?m)^/test( | .* )lint,?($|\s.*)
- agent: kubernetes
always_run: false
branches:
- ^master$
- ^master-
cluster: build06
context: ci/prow/prek
decorate: true
labels:
ci.openshift.io/generator: prowgen
pj-rehearse.openshift.io/can-be-rehearsed: "true"
name: pull-ci-openshift-aws-account-operator-master-prek
rerun_command: /test prek
skip_if_only_changed: ^(?:\.tekton|\.github)|\.md$|^(?:\.gitignore|OWNERS|LICENSE)$
spec:
containers:
- args:
- --gcs-upload-secret=/secrets/gcs/service-account.json
- --image-import-pull-secret=/etc/pull-secret/.dockerconfigjson
- --report-credentials-file=/etc/report/credentials
- --target=prek
command:
- ci-operator
env:
- name: HTTP_SERVER_IP
valueFrom:
fieldRef:
fieldPath: status.podIP
image: quay-proxy.ci.openshift.org/openshift/ci:ci_ci-operator_latest
imagePullPolicy: Always
name: ""
ports:
- containerPort: 8080
name: http
resources:
requests:
cpu: 10m
volumeMounts:
- mountPath: /secrets/gcs
name: gcs-credentials
readOnly: true
- mountPath: /secrets/manifest-tool
name: manifest-tool-local-pusher
readOnly: true
- mountPath: /etc/pull-secret
name: pull-secret
readOnly: true
- mountPath: /etc/report
name: result-aggregator
readOnly: true
serviceAccountName: ci-operator
volumes:
- name: manifest-tool-local-pusher
secret:
secretName: manifest-tool-local-pusher
- name: pull-secret
secret:
secretName: registry-pull-credentials
- name: result-aggregator
secret:
secretName: result-aggregator
trigger: (?m)^/test( | .* )prek,?($|\s.*)
- agent: kubernetes
always_run: false
branches:
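Review bot: this block is labelled `ci.openshift.io/generator: prowgen`, so it should be produced by regenerating the jobs rather than edited by hand, and the thing to check is that it stays consistent with the ci-operator config it mirrors: `--target=prek`, `context: ci/prow/prek`, `rerun_command: /test prek`, the `trigger` regex and the `skip_if_only_changed` pattern all name the same test. On that pattern, the first alternative `^(?:\.tekton|\.github)` is anchored only at the start, so any path beginning with `.github` or `.tekton`, not just those directories, counts as skippable; `^(?:\.tekton|\.github)/` would limit it to the directories if that is the intent.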