Skip to content

ART-20930: add golang-builder-shipment pipeline#3083

Open
lgarciaaco wants to merge 1 commit into
openshift-eng:mainfrom
lgarciaaco:art-20930/golang-builder-shipment
Open

ART-20930: add golang-builder-shipment pipeline#3083
lgarciaaco wants to merge 1 commit into
openshift-eng:mainfrom
lgarciaaco:art-20930/golang-builder-shipment

Conversation

@lgarciaaco

@lgarciaaco lgarciaaco commented Jun 22, 2026

Copy link
Copy Markdown
Contributor

Summary

New artcd golang-builder-shipment pipeline that creates shipment MRs in ocp-shipment-data for golang builder images. This moves golang builder releases from the silent auto-release path to a shipment-gated pipeline requiring ERT approval.

  • Adds GolangBuilderShipmentPipeline class with lifecycle-to-ReleasePlan mapping (prodocp-art-golang-builder-prod-rhel9, ecocp-art-golang-builder-ec-rhel9)
  • Builds ShipmentConfig YAML using elliott snapshot new --builds-file and the elliottlib.shipment_model Pydantic models
  • Creates draft MR in ocp-shipment-data via python-gitlab at shipment/ocp/<golang-group>/art-images-base/<env>/stream.image.<timestamp>.yaml
  • Registers golang-builder-shipment CLI command in __main__.py and pipelines/__init__.py
  • Unit tests for release plan mapping, path conventions, ShipmentConfig construction, and --builds-file command assembly

Test plan

  • Unit tests pass: python -m pytest pyartcd/tests/pipelines/test_golang_builder_shipment.py -v
  • Dry run: artcd --dry-run golang-builder-shipment --ocp-version 4.22 --golang-group rhel-9-golang-1.25 --env prod NVR1
  • End-to-end with Jenkins (ART-20930 t7)

Ref: ART-20930

Summary by CodeRabbit

  • New Features
    • Added a golang-builder-shipment command to generate shipment configuration from provided Go builder NVRs and open draft merge requests targeting main.
    • prod vs ec selection is now determined from lifecycle metadata.
    • Supports dry-run mode to validate without creating merge requests.
  • Tests
    • Added unit tests covering lifecycle resolution, release-plan mapping, shipment config generation, MR creation behavior (including dry-run), and related helper utilities.

@openshift-ci openshift-ci Bot added the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Jun 22, 2026
@openshift-ci

openshift-ci Bot commented Jun 22, 2026

Copy link
Copy Markdown
Contributor

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

@openshift-ci

openshift-ci Bot commented Jun 22, 2026

Copy link
Copy Markdown
Contributor

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign joepvd for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@coderabbitai

coderabbitai Bot commented Jun 22, 2026

Copy link
Copy Markdown
Contributor

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

  • @coderabbitai resume to resume automatic reviews.
  • @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

  • ▶️ Resume reviews
  • 🔍 Trigger review

Walkthrough

A new golang_builder_shipment pipeline module is added to pyartcd. It resolves an environment-to-ReleasePlan mapping by fetching lifecycle metadata from ocp-build-data, builds a ShipmentConfig via elliott snapshot new, creates a draft GitLab MR in ocp-shipment-data, and is wired into the package exports and a Click CLI command. The implementation is accompanied by comprehensive unit tests covering all pipeline methods and edge cases.

Changes

Golang Builder Shipment Pipeline

Layer / File(s) Summary
Module registration and release plan infrastructure
pyartcd/pyartcd/__main__.py, pyartcd/pyartcd/pipelines/__init__.py, pyartcd/pyartcd/pipelines/golang_builder_shipment.py, pyartcd/tests/pipelines/test_golang_builder_shipment.py
Registers golang_builder_shipment in pyartcd.pipelines and __main__ exports. Defines GOLANG_BUILDER_SHIPMENT_RELEASE_PLAN_MAP constant associating prod and ec environments to ReleasePlan names. Establishes test imports and module structure.
Environment lifecycle detection
pyartcd/pyartcd/pipelines/golang_builder_shipment.py, pyartcd/tests/pipelines/test_golang_builder_shipment.py
Implements resolve_lifecycle_env() to fetch software_lifecycle.phase from ocp-build-data group.yml, map lifecycle phases (releaseprod, pre-releaseec) to environment names, default to prod when metadata is absent, and raise RuntimeError on HTTP failures. Tests validate phase mapping, defaults, and error handling via mock HTTP responses.
Pipeline initialization and static helpers
pyartcd/pyartcd/pipelines/golang_builder_shipment.py, pyartcd/tests/pipelines/test_golang_builder_shipment.py
Introduces GolangBuilderShipmentPipeline class constructor storing runtime, OCP version, golang group, NVRs, and derived state (product, env, release_plan). Adds static methods resolve_release_plan() to map prod/ec to plan names and basic_auth_url() to inject OAuth2 tokens into git URLs. Tests validate plan mapping, URL rewriting, and constructor field initialization.
Pipeline execution and repository setup
pyartcd/pyartcd/pipelines/golang_builder_shipment.py, pyartcd/tests/pipelines/test_golang_builder_shipment.py
Implements run() orchestration to create/refresh working directories, lazily resolve environment and release plan, clone ocp-shipment-data via OAuth2-authenticated remote, fetch main branch, and delegate to snapshot/config/MR methods. Tests verify ValueError when GITLAB_TOKEN is absent.
Snapshot creation
pyartcd/pyartcd/pipelines/golang_builder_shipment.py, pyartcd/tests/pipelines/test_golang_builder_shipment.py
Implements _create_snapshot() to write NVRs to temporary builds file, invoke elliott snapshot new with group/assembly/builds-file options, conditionally add --pull-secret when QUAY_AUTH_FILE is set, validate JSON output, parse YAML spec, and return Snapshot object. Tests verify pull-secret injection and command structure.
Shipment configuration assembly
pyartcd/pyartcd/pipelines/golang_builder_shipment.py, pyartcd/tests/pipelines/test_golang_builder_shipment.py
Implements build_shipment_config() to construct ShipmentConfig, Shipment, Environments, and ReleaseNotes objects from snapshot and resolved release plan. Assigns release plan to both stage and prod environment fields, includes product/application/group/assembly metadata, and optionally adds ART Jira reference. Tests validate metadata, environment plan assignment, ReleaseNotes references, and file path convention.
MR creation and CLI entrypoint
pyartcd/pyartcd/pipelines/golang_builder_shipment.py, pyartcd/tests/pipelines/test_golang_builder_shipment.py
Implements create_shipment_mr() to write shipment YAML into ocp-shipment-data under shipment/<product>/<golang_group>/<application>/<env>, commit and push to timestamped branch via OAuth2 token-in-URL, and create draft GitLab MR targeting main; returns placeholder URL when dry_run is enabled. Adds golang-builder-shipment Click command collecting OCP version, golang group, art jira, NVRs, and optional data path; instantiates pipeline and prints resulting MR URL. Tests verify dry-run behavior, MR title/target, and command integration.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Suggested labels

approved, lgtm, tide/merge-method-squash


Important

Pre-merge checks failed

Please resolve all errors before merging. Addressing warnings is optional.

❌ Failed checks (2 errors, 2 warnings)

Check name Status Explanation Resolution
No-Sensitive-Data-In-Logs ❌ Error Line 282 logs raw elliott snapshot new output which may contain sensitive build metadata, container image manifests, or credentials. Additionally, line 274 passes --pull-secret with auth file p... Remove the logging at line 282 that logs raw stdout. If debugging output is needed, log only specific fields like snapshot/build counts, not the full YAML output containing potentially sensitive data.
No-Injection-Vectors ❌ Error Found URL injection vulnerability in basic_auth_url() method: GitLab token is directly interpolated into URL without encoding, allowing special characters in token to break URL format or cause in... Use urllib.parse.quote() to properly URL-encode the token: quote(token, safe='') before interpolating into the URL string.
Docstring Coverage ⚠️ Warning Docstring coverage is 20.00% which is insufficient. The required threshold is 80.00%. Write docstrings for the functions missing them to satisfy the coverage threshold.
Ai-Attribution ⚠️ Warning AI tools were used (evidenced by "AI-generated summary" labels in raw_summary), but commit lacks required Red Hat attribution trailers (Assisted-by or Generated-by). Add Assisted-by or Generated-by trailer to commit message to properly attribute AI tool usage per Red Hat policy.
✅ Passed checks (7 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
No-Weak-Crypto ✅ Passed No weak cryptography (MD5, SHA1, DES, RC4, 3DES, Blowfish, ECB), custom crypto implementations, or non-constant-time secret comparisons found in the PR.
Container-Privileges ✅ Passed PR introduces only Python source and test files with no Kubernetes manifests, container configs, or privileged security settings.
No-Hardcoded-Secrets ✅ Passed No hardcoded secrets found. All credentials (GITLAB_TOKEN, QUAY_AUTH_FILE) correctly retrieved from environment variables at runtime. Test file uses obvious placeholders (mytoken, test-token).
Title check ✅ Passed The title accurately and specifically describes the main change: a new golang-builder-shipment pipeline is being added to the codebase.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Comment @coderabbitai help to get the list of available commands.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 4

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@pyartcd/pyartcd/pipelines/golang_builder_shipment.py`:
- Around line 72-83: Add validation for the golang_group parameter in the
__init__ method before it is assigned to self.golang_group. Implement an
allow-list approach to reject any golang_group values containing path traversal
patterns like forward slashes or double dots (..). This validation at the trust
boundary will prevent malicious payloads from escaping the intended directory
layout when golang_group is subsequently used in branch name construction and
filesystem path operations.
- Around line 126-129: The basic_auth_url function embeds the GITLAB_TOKEN
directly into the Git remote URL, which persists credentials in .git/config and
increases accidental leakage risk. Instead of injecting the token into the URL
via the basic_auth_url function call at lines 161-163, refactor the code to use
git credential helpers or pass authentication via HTTP headers. Remove or
refactor the basic_auth_url function and configure git operations to
authenticate using environment variables (like GIT_CREDENTIALS) or by passing
authentication headers directly in API calls rather than embedding credentials
in the remote URL itself.
- Around line 199-200: Remove the `f` prefix from the static string literals at
lines 199-200 in the golang_builder_shipment.py file. The strings "The golang
builder images are available from " and
"registry.redhat.io/openshift/golang-builder." do not contain any placeholder
expressions (curly braces with variables), so they should be regular strings
without the `f` prefix to comply with Ruff linting rule F541.
- Line 129: The `basic_auth_url` construction uses `parsed.hostname` which
strips the port number from URLs, breaking access to custom GitLab endpoints
with non-default ports. Replace `parsed.hostname` with `parsed.netloc` in the
return statement on line 129 to preserve the full host:port combination from the
parsed URL.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository: openshift-eng/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 4cbbfe7c-d8b0-43e8-a06c-29e23bddb20b

📥 Commits

Reviewing files that changed from the base of the PR and between 78c90e3 and 464760a.

📒 Files selected for processing (4)
  • pyartcd/pyartcd/__main__.py
  • pyartcd/pyartcd/pipelines/__init__.py
  • pyartcd/pyartcd/pipelines/golang_builder_shipment.py
  • pyartcd/tests/pipelines/test_golang_builder_shipment.py

Comment on lines +72 to +83
golang_group: str,
env: str,
nvrs: List[str],
art_jira: str = "",
shipment_data_repo_url: Optional[str] = None,
):
self.runtime = runtime
self.ocp_version = ocp_version
self.golang_group = golang_group
self.env = env
self.nvrs = sorted(nvrs)
self.art_jira = art_jira

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Validate golang_group before using it in branch and filesystem paths.

golang_group from CLI flows into Line 264 branch name and Line 269 path construction without allow-list validation. Payloads containing / or .. can escape expected layout and write outside the intended subtree.

Suggested fix
+import re
@@
 class GolangBuilderShipmentPipeline:
@@
     def __init__(
@@
-        self.golang_group = golang_group
+        if not re.fullmatch(r"[A-Za-z0-9][A-Za-z0-9._-]*", golang_group):
+            raise ValueError(f"Invalid golang_group: {golang_group!r}")
+        self.golang_group = golang_group

As per coding guidelines: “Path traversal: canonicalize paths, reject ../” and “Validate at trust boundaries with allow-lists, not deny-lists”.

Also applies to: 264-270

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@pyartcd/pyartcd/pipelines/golang_builder_shipment.py` around lines 72 - 83,
Add validation for the golang_group parameter in the __init__ method before it
is assigned to self.golang_group. Implement an allow-list approach to reject any
golang_group values containing path traversal patterns like forward slashes or
double dots (..). This validation at the trust boundary will prevent malicious
payloads from escaping the intended directory layout when golang_group is
subsequently used in branch name construction and filesystem path operations.

Source: Coding guidelines

Comment thread pyartcd/pyartcd/pipelines/golang_builder_shipment.py
def basic_auth_url(url: str, token: str) -> str:
"""Inject token into a GitLab URL for push authentication."""
parsed = urlparse(url)
return f"{parsed.scheme}://oauth2:{token}@{parsed.hostname}{parsed.path}"

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Preserve explicit port in basic_auth_url.

Line 129 uses parsed.hostname, which drops non-default ports from input URLs (e.g., :8443) and can break repo access for custom GitLab endpoints.

Suggested fix
     def basic_auth_url(url: str, token: str) -> str:
         """Inject token into a GitLab URL for push authentication."""
         parsed = urlparse(url)
-        return f"{parsed.scheme}://oauth2:{token}@{parsed.hostname}{parsed.path}"
+        host = parsed.hostname if parsed.port is None else f"{parsed.hostname}:{parsed.port}"
+        return f"{parsed.scheme}://oauth2:{token}@{host}{parsed.path}"
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@pyartcd/pyartcd/pipelines/golang_builder_shipment.py` at line 129, The
`basic_auth_url` construction uses `parsed.hostname` which strips the port
number from URLs, breaking access to custom GitLab endpoints with non-default
ports. Replace `parsed.hostname` with `parsed.netloc` in the return statement on
line 129 to preserve the full host:port combination from the parsed URL.

Comment thread pyartcd/pyartcd/pipelines/golang_builder_shipment.py Outdated
@lgarciaaco lgarciaaco force-pushed the art-20930/golang-builder-shipment branch 2 times, most recently from aa4906d to fe664c4 Compare June 22, 2026 12:41

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🧹 Nitpick comments (1)
pyartcd/pyartcd/pipelines/golang_builder_shipment.py (1)

311-311: 🧹 Nitpick | 🔵 Trivial | 💤 Low value

Accessing private _directory attribute of GitRepository.

Line 311 directly accesses self.shipment_data_repo._directory, which is a private attribute (prefixed with _). Consider exposing a public property or method in GitRepository to access the directory path, or use the existing public interface if available.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@pyartcd/pyartcd/pipelines/golang_builder_shipment.py` at line 311, The code
at line 311 in golang_builder_shipment.py directly accesses the private
attribute `_directory` on the `shipment_data_repo` GitRepository object. Replace
this direct access to the private attribute with a call to an existing public
method or property of the GitRepository class that returns the directory path.
If no public interface exists for this, add a public property method to the
GitRepository class (such as `get_directory()` or `directory`) that returns the
path, then use that public interface instead of accessing `_directory` directly.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Nitpick comments:
In `@pyartcd/pyartcd/pipelines/golang_builder_shipment.py`:
- Line 311: The code at line 311 in golang_builder_shipment.py directly accesses
the private attribute `_directory` on the `shipment_data_repo` GitRepository
object. Replace this direct access to the private attribute with a call to an
existing public method or property of the GitRepository class that returns the
directory path. If no public interface exists for this, add a public property
method to the GitRepository class (such as `get_directory()` or `directory`)
that returns the path, then use that public interface instead of accessing
`_directory` directly.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository: openshift-eng/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: c5b05c86-1b25-44ff-82ad-b4f458a3a47e

📥 Commits

Reviewing files that changed from the base of the PR and between 464760a and aa4906d.

📒 Files selected for processing (4)
  • pyartcd/pyartcd/__main__.py
  • pyartcd/pyartcd/pipelines/__init__.py
  • pyartcd/pyartcd/pipelines/golang_builder_shipment.py
  • pyartcd/tests/pipelines/test_golang_builder_shipment.py
✅ Files skipped from review due to trivial changes (1)
  • pyartcd/pyartcd/pipelines/init.py
🚧 Files skipped from review as they are similar to previous changes (1)
  • pyartcd/pyartcd/main.py

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 3

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@pyartcd/pyartcd/pipelines/golang_builder_shipment.py`:
- Line 24: Remove the unused `Dict` type import from the import statement on
line 24 in the typing imports. The `Dict` type hint is imported but never used
anywhere in the file, which causes the Ruff F401 linting rule to fail. Simply
remove `Dict` from the comma-separated list of imports while keeping `List`,
`Optional`, and `Tuple` which are actually used in the file.

In `@pyartcd/tests/pipelines/test_golang_builder_shipment.py`:
- Line 231: The assignment of `_gitlab_token` to the hardcoded string literal
"test-token" violates security guidelines for handling sensitive values. Replace
the hardcoded string literal with a dynamically generated placeholder using
secrets.token_hex() or a similar method to generate a random token string,
ensuring the test maintains functionality while avoiding secret-pattern
violations and adhering to the coding guidelines for variables named token,
secret, api_key, or password.
- Around line 1-4: The import ordering in the test file is not following
alphabetical order as required by Ruff's I001 rule. Reorganize the imports at
the top of the file so that standard library imports are sorted alphabetically
by module name. The pathlib import should come before the unittest imports since
"pathlib" comes before "unittest" alphabetically. Group related imports from the
same module together after sorting.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository: openshift-eng/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 6b83b366-27ae-424c-95d5-0244d840ff43

📥 Commits

Reviewing files that changed from the base of the PR and between aa4906d and fe664c4.

📒 Files selected for processing (4)
  • pyartcd/pyartcd/__main__.py
  • pyartcd/pyartcd/pipelines/__init__.py
  • pyartcd/pyartcd/pipelines/golang_builder_shipment.py
  • pyartcd/tests/pipelines/test_golang_builder_shipment.py
🚧 Files skipped from review as they are similar to previous changes (2)
  • pyartcd/pyartcd/pipelines/init.py
  • pyartcd/pyartcd/main.py

Comment thread pyartcd/pyartcd/pipelines/golang_builder_shipment.py Outdated
Comment on lines +1 to +4
import unittest
from unittest import IsolatedAsyncioTestCase
from unittest.mock import AsyncMock, MagicMock, Mock, patch
from pathlib import Path

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Fix import ordering to unblock Ruff.

Line 1–Line 4 import order is failing ruff (I001) in CI.

Suggested diff
-import unittest
-from unittest import IsolatedAsyncioTestCase
-from unittest.mock import AsyncMock, MagicMock, Mock, patch
 from pathlib import Path
+import unittest
+from unittest import IsolatedAsyncioTestCase
+from unittest.mock import AsyncMock, MagicMock, Mock, patch
🧰 Tools
🪛 GitHub Actions: unit-tests / 0_tests.txt

[error] 1-1: ruff check (I001): Import block is un-sorted or un-formatted

🪛 GitHub Actions: unit-tests / tests

[error] 1-1: ruff check failed (Ruff rule I001): Import block is un-sorted or un-formatted

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@pyartcd/tests/pipelines/test_golang_builder_shipment.py` around lines 1 - 4,
The import ordering in the test file is not following alphabetical order as
required by Ruff's I001 rule. Reorganize the imports at the top of the file so
that standard library imports are sorted alphabetically by module name. The
pathlib import should come before the unittest imports since "pathlib" comes
before "unittest" alphabetically. Group related imports from the same module
together after sorting.

Source: Pipeline failures

)
pipeline.env = "prod"
pipeline.release_plan = "ocp-art-golang-builder-prod-rhel9"
pipeline._gitlab_token = "test-token"

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Avoid hardcoded token literals, even in tests.

Line 231 assigns _gitlab_token to a string literal. Use a generated placeholder (for example via secrets.token_hex) to avoid secret-pattern violations/noise.

As per coding guidelines, "**/*.{js,ts,tsx,jsx,py,go,java,cs,rb,php,conf,config,yml,yaml,json,toml,properties,env,env.*,.env*,xml,gradle,maven}: Flag hardcoded secrets ... and variables named api_key, secret, token, or password assigned to string literals."

🧰 Tools
🪛 Ruff (0.15.17)

[error] 231-231: Possible hardcoded password assigned to: "_gitlab_token"

(S105)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@pyartcd/tests/pipelines/test_golang_builder_shipment.py` at line 231, The
assignment of `_gitlab_token` to the hardcoded string literal "test-token"
violates security guidelines for handling sensitive values. Replace the
hardcoded string literal with a dynamically generated placeholder using
secrets.token_hex() or a similar method to generate a random token string,
ensuring the test maintains functionality while avoiding secret-pattern
violations and adhering to the coding guidelines for variables named token,
secret, api_key, or password.

Sources: Coding guidelines, Linters/SAST tools

@lgarciaaco lgarciaaco changed the title feat(pyartcd): add golang-builder-shipment pipeline ART-20930: add golang-builder-shipment pipeline Jun 23, 2026
@openshift-ci-robot openshift-ci-robot added the jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. label Jun 23, 2026
@openshift-ci-robot

openshift-ci-robot commented Jun 23, 2026

Copy link
Copy Markdown

@lgarciaaco: This pull request references ART-20930 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the task to target the "5.0.0" version, but no target version was set.

Details

In response to this:

Summary

New artcd golang-builder-shipment pipeline that creates shipment MRs in ocp-shipment-data for golang builder images. This moves golang builder releases from the silent auto-release path to a shipment-gated pipeline requiring ERT approval.

  • Adds GolangBuilderShipmentPipeline class with lifecycle-to-ReleasePlan mapping (prodocp-art-golang-builder-prod-rhel9, ecocp-art-golang-builder-ec-rhel9)
  • Builds ShipmentConfig YAML using elliott snapshot new --builds-file and the elliottlib.shipment_model Pydantic models
  • Creates draft MR in ocp-shipment-data via python-gitlab at shipment/ocp/<golang-group>/art-images-base/<env>/stream.image.<timestamp>.yaml
  • Registers golang-builder-shipment CLI command in __main__.py and pipelines/__init__.py
  • Unit tests for release plan mapping, path conventions, ShipmentConfig construction, and --builds-file command assembly

Test plan

  • Unit tests pass: python -m pytest pyartcd/tests/pipelines/test_golang_builder_shipment.py -v
  • Dry run: artcd --dry-run golang-builder-shipment --ocp-version 4.22 --golang-group rhel-9-golang-1.25 --env prod NVR1
  • End-to-end with Jenkins (ART-20930 t7)

Ref: ART-20930

Summary by CodeRabbit

  • New Features
  • Added a golang-builder-shipment command to generate shipment configuration from provided Go builder NVRs and open draft merge requests targeting main.
  • prod vs ec selection is now determined from lifecycle metadata.
  • Supports dry-run mode to validate without creating merge requests.
  • Tests
  • Added unit tests covering lifecycle resolution, release-plan mapping, shipment config generation, MR creation behavior (including dry-run), and related helper utilities.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@lgarciaaco lgarciaaco marked this pull request as ready for review June 24, 2026 13:43
@openshift-ci openshift-ci Bot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Jun 24, 2026
New artcd command to create shipment MRs in ocp-shipment-data for
golang builder images. Auto-resolves Konflux image NVRs from golang
RPM NVRs, detects prod vs ec lifecycle from ocp-build-data, and
opens a draft MR for ERT approval.

rh-pre-commit.version: 2.3.2
rh-pre-commit.check-secrets: ENABLED
@lgarciaaco lgarciaaco force-pushed the art-20930/golang-builder-shipment branch from c863f38 to 4560d5b Compare June 29, 2026 09:28
@openshift-ci

openshift-ci Bot commented Jun 29, 2026

Copy link
Copy Markdown
Contributor

@lgarciaaco: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name Commit Details Required Rerun command
ci/prow/security 4560d5b link false /test security

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

@openshift-ci

openshift-ci Bot commented Jul 4, 2026

Copy link
Copy Markdown
Contributor

PR needs rebase.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@openshift-ci openshift-ci Bot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Jul 4, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD.

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants