USHIFT-7116: add microshift-release-evaluation periodic job

[agullon]

Summary

Adds a new Prow periodic job (microshift-release-evaluation) that automates MicroShift release evaluation for upcoming OCP z-stream releases.

• Runs the microshift-release:pre-check AI skill every Thursday and Friday at 16:00 UTC
• Posts color-coded results to #team-ocp-edge-notifications via Prow reporter_config
• Uses the same edge-tooling AI helpers image and credential patterns as microshift-ci-doctor
• Requires intranet access (restrict_network_access: false) for Brew/advisory checks

New files

• Step registry: workflow, ref, and commands script under openshift/edge-tooling/microshift-release/evaluation/
• Job config entry in openshift-eng-edge-tooling-main.yaml

Blocked by

This job depends on the edge-tooling AI helpers image containing the latest pre-check skill changes:

• feat: migrate precheck Jira queries from PAT (Personal Access Token) to MCP Atlassian OAuth openshift-eng/edge-tooling#167 — migrate precheck Jira queries from PAT to MCP Atlassian OAuth
• feat: replace Product Pages MCP with ART Jira for pre-check time ranges openshift-eng/edge-tooling#172 — replace Product Pages MCP with ART Jira for pre-check time ranges

Jira

USHIFT-7116 (parent: USHIFT-6766)

Test plan

• Prow rehearsal passes for this PR
• First scheduled periodic run posts correct Slack message
• Artifact links in Slack message resolve correctly

Summary by CodeRabbit

• What changed

  • Adds a new periodic OpenShift CI job (microshift-release-evaluation) to the openshift-eng/edge-tooling ci-operator config in this repository. The job hooks a new step-registry workflow/ref and a commands script that run a MicroShift release evaluation using the microshift-release:pre-check AI skill (workflow: openshift-edge-tooling-microshift-release-evaluation).

• Practical effects

  • Schedule: runs Thu/Fri at 16:00 UTC (cron: 0 16 * * 4,5).
  • Network: allows intranet access (restrict_network_access: false) so Brew/advisory checks and Jira enrichment can run.
  • Runtime: reuses the edge-tooling AI helpers image (edge-tooling-ai-helpers) and the repository’s credential mounting patterns. The test runs a bash commands script that:
    • configures Claude permissions and optional Jira MCP,
    • loads secrets (GITHUB_TOKEN or GitHub App ID/key via gh-token; Jira API token and username from mounted files) and exports ATLASSIAN_* env vars,
    • invokes Claude in stream-json mode to run the microshift-release:pre-check skill,
    • writes artifacts including precheck-results.txt and a precheck-completed marker into SHARED_DIR/ARTIFACT_DIR,
    • includes a fallback extractor that parses a custom {"type":"result"} event from the Claude log if needed.
  • Notifications: Prow reporter_config posts color-coded results to #team-ocp-edge-notifications and includes links to the precheck-results.txt artifact and job logs.

• Ownership

  • New OWNERS and metadata files assign openshift-edge-approvers and openshift-edge-reviewers for the workflow/ref.

• Files added/updated (impact summary)

  • ci-operator config: registers new tests[] entry as: microshift-release-evaluation with reporter_config and cron.
  • step-registry: adds workflow, ref, commands script, metadata JSON, and OWNERS under ci-operator/step-registry/openshift/edge-tooling/microshift-release/evaluation.

• Security & secrets

  • Script requires access to GitHub credentials (GITHUB_TOKEN or GitHub App ID/key) and Jira API token/username from mounted secret paths. It exports ATLASSIAN_API_TOKEN / ATLASSIAN_EMAIL for Jira access. Reviewers should validate secret-mounting practices and that gh-token is available in the execution environment.

• Tests / rollout

  • PR lists a test plan: Prow rehearsal, verify first scheduled run sends the correct Slack message, and artifact links resolve. These are pending; rehearsals should be run to validate reporter formatting, artifact persistence, and Claude stream-json event handling.

• Blockers / notes

  • Depends on edge-tooling changes to the AI helpers image and pre-check skill (referenced edge-tooling PRs were cited in the PR description). Confirm those artifacts are available to CI.
  • Reviewers should verify the Claude stream-json event format used by the fallback extraction and robustness of MCP/Jira connection logic.

[openshift-ci]

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

[coderabbitai]

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

• @coderabbitai resume to resume automatic reviews.
• @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

• ▶️ Resume reviews
• 🔍 Trigger review

Walkthrough

Adds a scheduled CI job and step-registry to run a Claude-driven MicroShift release pre-check (Thursdays/Fridays 16:00 UTC), including workflow/ref/metadata/OWNERS entries and a Bash orchestration script that loads secrets, configures Claude/MCPs, runs the pre-check, and saves results for the Slack reporter.

Changes

MicroShift Release Evaluation Workflow

Layer / File(s)	Summary
Workflow and job registration ci-operator/config/openshift-eng/edge-tooling/openshift-eng-edge-tooling-main.yaml, ci-operator/step-registry/openshift/edge-tooling/microshift-release/evaluation/openshift-edge-tooling-microshift-release-evaluation-workflow.yaml, ci-operator/step-registry/openshift/edge-tooling/microshift-release/evaluation/openshift-edge-tooling-microshift-release-evaluation-workflow.metadata.json	Scheduled test job microshift-release-evaluation added with cron 0 16 * * 4,5, network access enabled, Slack reporter configuration, and workflow YAML registering the test step.
Step reference and ownership ci-operator/step-registry/openshift/edge-tooling/microshift-release/evaluation/openshift-edge-tooling-microshift-release-evaluation-ref.yaml, ci-operator/step-registry/openshift/edge-tooling/microshift-release/evaluation/openshift-edge-tooling-microshift-release-evaluation-ref.metadata.json, ci-operator/step-registry/openshift/edge-tooling/microshift-release/evaluation/OWNERS	Step-ref YAML declares the container, command entrypoint, mounted secrets (GitHub App, Jira), default Claude env vars, resources, and timeouts. Metadata and OWNERS assign openshift-edge-approvers and openshift-edge-reviewers.
Evaluation script orchestration ci-operator/step-registry/openshift/edge-tooling/microshift-release/evaluation/openshift-edge-tooling-microshift-release-evaluation-commands.sh	New Bash orchestration script: startup/teardown and atexit handler; load_secrets() for GitHub/Jira credentials; wait_for_mcp_status() and configure_claude() to manage MCPs (including optional Jira); main flow validates JOB_NAME, fetches MicroShift, builds a pre-check prompt, runs claude --output-format stream-json with a 1200s timeout, and writes deterministic precheck results to artifacts.

Sequence Diagram

sequenceDiagram
  participant Prow as Prow
  participant Job as CI Job
  participant Script as evaluation script
  participant GitHub as GitHub (repo/token)
  participant Claude as Claude
  participant Jira as Jira (optional)
  participant Artifacts as ArtifactDir
  participant Reporter as Prow Reporter (Slack)

  Prow->>Job: trigger scheduled job
  Job->>Script: execute evaluation commands
  Script->>GitHub: obtain repo (clone/fetch) and token
  Script->>Claude: configure MCPs and send pre-check prompt
  Claude->>Jira: optional MCP connection (if creds present)
  Claude->>Script: stream-json pre-check results
  Script->>Artifacts: write precheck-results.txt, claude-precheck.log
  Job->>Reporter: report success/failure using artifacts

Loading

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

Suggested labels

ok-to-test

Suggested reviewers

• jerpeter1

---

Important

Pre-merge checks failed

Please resolve all errors before merging. Addressing warnings is optional.

❌ Failed checks (1 error)

Check name	Status	Explanation	Resolution
No-Sensitive-Data-In-Logs	❌ Error	Claude invoked with --verbose flag and output piped to publicly accessible artifact log. Verbose mode may expose environment variables (GITHUB_TOKEN, JIRA_API_TOKEN, JIRA_USERNAME) to public logs.	Remove --verbose flag or filter sensitive environment variables before writing logs to public artifact directories.

✅ Passed checks (14 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title directly describes the main change: adding a new microshift-release-evaluation periodic job to the CI configuration.
Docstring Coverage	✅ Passed	Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names	✅ Passed	PR adds CI job configuration and shell scripts with no Ginkgo test definitions; the check for stable test names is not applicable.
Test Structure And Quality	✅ Passed	This PR adds CI configuration and Bash scripts, not Ginkgo tests. The check is inapplicable as it requires Ginkgo test code patterns that are absent.
Microshift Test Compatibility	✅ Passed	PR does not add any Ginkgo e2e tests. It adds CI job configuration, a Bash automation script, and step registry workflow definitions—not Go test files.
Single Node Openshift (Sno) Test Compatibility	✅ Passed	This PR does not add any Ginkgo e2e tests. It adds CI/CD infrastructure (job config, step registry, bash script) for MicroShift release evaluation. The custom check is not applicable.
Topology-Aware Scheduling Compatibility	✅ Passed	PR adds only Prow CI job and test automation files. No deployment manifests, operators, or scheduling constraints that affect production clusters are introduced.
Ote Binary Stdout Contract	✅ Passed	PR adds CI job config and bash script (no Go code), not OTE test binaries. OTE stdout contract check is inapplicable to non-Go test code.
Ipv6 And Disconnected Network Test Compatibility	✅ Passed	No Ginkgo e2e tests are added in this PR. Changes consist of CI/CD job configuration (YAML), workflow definitions, and a bash script—not Go test code.
No-Weak-Crypto	✅ Passed	No weak cryptographic algorithms (MD5, SHA1, DES, RC4, 3DES, Blowfish, ECB), custom crypto implementations, or non-constant-time secret comparisons detected in the added files.
Container-Privileges	✅ Passed	No container privilege flags found in YAML configs, workflows, or scripts. No privileged, hostPID/Network/IPC, SYS_ADMIN, allowPrivilegeEscalation, or root escalation settings.

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[openshift-ci-robot]

@agullon: This pull request references USHIFT-7116 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the task to target the "5.0.0" version, but no target version was set.

Details

In response to this:

Summary

Adds a new Prow periodic job (microshift-release-evaluation) that automates MicroShift release evaluation for upcoming OCP z-stream releases.

• Runs the microshift-release:pre-check AI skill every Thursday and Friday at 16:00 UTC
• Posts color-coded results to #team-ocp-edge-notifications via Prow reporter_config
• Uses the same edge-tooling AI helpers image and credential patterns as microshift-ci-doctor
• Requires intranet access (restrict_network_access: false) for Brew/advisory checks

New files

• Step registry: workflow, ref, and commands script under openshift/edge-tooling/microshift-release/evaluation/
• Job config entry in openshift-eng-edge-tooling-main.yaml

Blocked by

This job depends on the edge-tooling AI helpers image containing the latest pre-check skill changes:

• feat: migrate precheck Jira queries from PAT (Personal Access Token) to MCP Atlassian OAuth openshift-eng/edge-tooling#167 — migrate precheck Jira queries from PAT to MCP Atlassian OAuth
• feat: replace Product Pages MCP with ART Jira for pre-check time ranges openshift-eng/edge-tooling#172 — replace Product Pages MCP with ART Jira for pre-check time ranges

Jira

USHIFT-7116 (parent: USHIFT-6766)

Test plan

• Prow rehearsal passes for this PR
• First scheduled periodic run posts correct Slack message
• Artifact links in Slack message resolve correctly

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[coderabbitai]

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In
`@ci-operator/step-registry/openshift/edge-tooling/microshift-release/evaluation/openshift-edge-tooling-microshift-release-evaluation-commands.sh`:
- Around line 2-3: The script currently enables bash xtrace globally via the
"set -x" invocation; remove that global "set -x" so the script starts with only
"set -euo pipefail" and never leaves tracing on for the whole step, and if debug
output is needed wrap the minimal sensitive sections with scoped tracing blocks
using "set -x" immediately before the debug lines and "set +x" right after
(refer to the existing "set -euo pipefail" and "set -x" entries to locate and
change this).
- Around line 37-45: The fallback that extracts Claude output writes results
only to ${SHARED_DIR} (variables result_text, CLAUDE_LOG, and files
precheck-results.txt / precheck-completed) but not to the artifact location,
breaking the advertised artifacts link; update the branch that handles
result_text to also persist the same files into ${ARTIFACT_DIR} (write
${ARTIFACT_DIR}/precheck-results.txt and touch
${ARTIFACT_DIR}/precheck-completed) so both SHARED_DIR and ARTIFACT_DIR contain
the fallback outputs.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 29c69d3e-f50f-40d0-9554-5b0b41f19781

📥 Commits

Reviewing files that changed from the base of the PR and between d5f6a1a and fb806ee.

📒 Files selected for processing (7)

• ci-operator/config/openshift-eng/edge-tooling/openshift-eng-edge-tooling-main.yaml
• ci-operator/step-registry/openshift/edge-tooling/microshift-release/evaluation/OWNERS
• ci-operator/step-registry/openshift/edge-tooling/microshift-release/evaluation/openshift-edge-tooling-microshift-release-evaluation-commands.sh
• ci-operator/step-registry/openshift/edge-tooling/microshift-release/evaluation/openshift-edge-tooling-microshift-release-evaluation-ref.metadata.json
• ci-operator/step-registry/openshift/edge-tooling/microshift-release/evaluation/openshift-edge-tooling-microshift-release-evaluation-ref.yaml
• ci-operator/step-registry/openshift/edge-tooling/microshift-release/evaluation/openshift-edge-tooling-microshift-release-evaluation-workflow.metadata.json
• ci-operator/step-registry/openshift/edge-tooling/microshift-release/evaluation/openshift-edge-tooling-microshift-release-evaluation-workflow.yaml

[openshift-merge-bot]

@agullon, pj-rehearse: unable to determine affected jobs. This could be due to a branch that needs to be rebased. ERROR:

couldn't prepare candidate: couldn't checkout base SHA 91df2be0ea0bffe5d64b7d1ae31046527bb38f19: error checking out "91df2be0ea0bffe5d64b7d1ae31046527bb38f19": exit status 128 fatal: unable to read tree (91df2be0ea0bffe5d64b7d1ae31046527bb38f19)

Interacting with pj-rehearse

Comment: /pj-rehearse to run up to 5 rehearsals
Comment: /pj-rehearse skip to opt-out of rehearsals
Comment: /pj-rehearse {test-name}, with each test separated by a space, to run one or more specific rehearsals
Comment: /pj-rehearse more to run up to 10 rehearsals
Comment: /pj-rehearse max to run up to 25 rehearsals
Comment: /pj-rehearse auto-ack to run up to 5 rehearsals, and add the rehearsals-ack label on success
Comment: /pj-rehearse list to get an up-to-date list of affected jobs
Comment: /pj-rehearse abort to abort all active rehearsals
Comment: /pj-rehearse network-access-allowed to allow rehearsals of tests that have the restrict_network_access field set to false. This must be executed by an openshift org member who is not the PR author

Once you are satisfied with the results of the rehearsals, comment: /pj-rehearse ack to unblock merge. When the rehearsals-ack label is present on your PR, merge will no longer be blocked by rehearsals.
If you would like the rehearsals-ack label removed, comment: /pj-rehearse reject to re-block merging.

[agullon]

/label tide/merge-method-squash

[agullon]

/hold cancel

[openshift-merge-bot]

@agullon, pj-rehearse: unable to determine affected jobs. This could be due to a branch that needs to be rebased. ERROR:

couldn't prepare candidate: couldn't rebase candidate onto df0ba54e98600e9cb624a1ce05d89c46d5851f35 due to conflicts

Interacting with pj-rehearse

Comment: /pj-rehearse to run up to 5 rehearsals
Comment: /pj-rehearse skip to opt-out of rehearsals
Comment: /pj-rehearse {test-name}, with each test separated by a space, to run one or more specific rehearsals
Comment: /pj-rehearse more to run up to 10 rehearsals
Comment: /pj-rehearse max to run up to 25 rehearsals
Comment: /pj-rehearse auto-ack to run up to 5 rehearsals, and add the rehearsals-ack label on success
Comment: /pj-rehearse list to get an up-to-date list of affected jobs
Comment: /pj-rehearse abort to abort all active rehearsals
Comment: /pj-rehearse network-access-allowed to allow rehearsals of tests that have the restrict_network_access field set to false. This must be executed by an openshift org member who is not the PR author

Once you are satisfied with the results of the rehearsals, comment: /pj-rehearse ack to unblock merge. When the rehearsals-ack label is present on your PR, merge will no longer be blocked by rehearsals.
If you would like the rehearsals-ack label removed, comment: /pj-rehearse reject to re-block merging.

[agullon]

/test prow-config-filenames

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: agullon

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• ci-operator/config/openshift-eng/edge-tooling/OWNERS [agullon]
• ci-operator/jobs/openshift-eng/edge-tooling/OWNERS [agullon]
• ci-operator/step-registry/openshift/edge-tooling/OWNERS [agullon]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[agullon]

/pj-rehearse periodic-ci-openshift-eng-edge-tooling-main-microshift-release-evaluation

[openshift-merge-bot]

@agullon: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

[openshift-merge-bot]

@agullon: job(s): periodic-ci-openshift-eng-edge-tooling-main-microshift-release-evaluation either don't exist or were not found to be affected, and cannot be rehearsed

[agullon]

/pj-rehearse periodic-ci-openshift-eng-edge-tooling-main-microshift-release-evaluation

[openshift-merge-bot]

@agullon: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

[openshift-merge-bot]

@agullon: job(s): periodic-ci-openshift-eng-edge-tooling-main-microshift-release-evaluation either don't exist or were not found to be affected, and cannot be rehearsed

[agullon]

/pj-rehearse periodic-ci-openshift-eng-edge-tooling-main-microshift-release-evaluation

[openshift-merge-bot]

@agullon: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

[agullon]

/pj-rehearse periodic-ci-openshift-eng-edge-tooling-main-microshift-release-evaluation

[openshift-merge-bot]

@agullon: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

[openshift-merge-bot]

[REHEARSALNOTIFIER]
@agullon: the pj-rehearse plugin accommodates running rehearsal tests for the changes in this PR. Expand 'Interacting with pj-rehearse' for usage details. The following rehearsable tests have been affected by this change:

Test name	Repo	Type	Reason
periodic-ci-openshift-eng-edge-tooling-main-microshift-release-evaluation	N/A	periodic	Periodic changed

Interacting with pj-rehearse

Comment: /pj-rehearse to run up to 5 rehearsals
Comment: /pj-rehearse skip to opt-out of rehearsals
Comment: /pj-rehearse {test-name}, with each test separated by a space, to run one or more specific rehearsals
Comment: /pj-rehearse more to run up to 10 rehearsals
Comment: /pj-rehearse max to run up to 25 rehearsals
Comment: /pj-rehearse auto-ack to run up to 5 rehearsals, and add the rehearsals-ack label on success
Comment: /pj-rehearse list to get an up-to-date list of affected jobs
Comment: /pj-rehearse abort to abort all active rehearsals
Comment: /pj-rehearse network-access-allowed to allow rehearsals of tests that have the restrict_network_access field set to false. This must be executed by an openshift org member who is not the PR author

Once you are satisfied with the results of the rehearsals, comment: /pj-rehearse ack to unblock merge. When the rehearsals-ack label is present on your PR, merge will no longer be blocked by rehearsals.
If you would like the rehearsals-ack label removed, comment: /pj-rehearse reject to re-block merging.

[agullon]

/pj-rehearse periodic-ci-openshift-eng-edge-tooling-main-microshift-release-evaluation

[openshift-merge-bot]

@agullon: pj-rehearse could not automatically process this event because the request waited in queue for longer than 5 minutes. Use /pj-rehearse to trigger rehearsals manually.

[openshift-merge-bot]

@agullon: your /pj-rehearse request was not processed because the request waited in queue for longer than 5 minutes. Please retry in a few minutes.

[agullon]

/pj-rehearse periodic-ci-openshift-eng-edge-tooling-main-microshift-release-evaluation

[openshift-ci]

@agullon: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

[openshift-merge-bot]

@agullon: your /pj-rehearse request was not processed because the request waited in queue for longer than 5 minutes. Please retry in a few minutes.

[openshift-merge-bot]

@openshift-ci[bot]: your /pj-rehearse request was not processed because the request waited in queue for longer than 5 minutes. Please retry in a few minutes.

[openshift-merge-bot]

@openshift-merge-bot[bot]: your /pj-rehearse request was not processed because the request waited in queue for longer than 5 minutes. Please retry in a few minutes.