Skip to content

[ART-21083] fix(scanner): align okd-scan with build pipeline for arches and base chain#3095

Draft
lgarciaaco wants to merge 1 commit into
openshift-eng:mainfrom
lgarciaaco:ART-21083-okd-scan-parity
Draft

[ART-21083] fix(scanner): align okd-scan with build pipeline for arches and base chain#3095
lgarciaaco wants to merge 1 commit into
openshift-eng:mainfrom
lgarciaaco:ART-21083-okd-scan-parity

Conversation

@lgarciaaco

@lgarciaaco lgarciaaco commented Jun 24, 2026

Copy link
Copy Markdown
Contributor

Summary

Fixes two gaps where okd-scan did not detect changes that the OKD build pipeline acts on:

  1. Arch expansion: okd-scan now passes --arches (from OKD_ARCHES) to doozer, so scan_arch_changes compares against OKD's 2-arch target instead of OCP's 4-arch group config.
  2. Base chain: _is_image_enabled now includes base_only images for OKD variant, matching what artcd okd builds (e.g. openshift-enterprise-base-rhel9).

Changes

  • Import OKD_ARCHES in okd_scan.py from okd.py (single source of truth) and pass --arches to doozer
  • Update _is_image_enabled to include base_only images for OKD variant (for_payload or base_only)
  • Remove redundant for_payload filter in _is_image_enabled_for_scan (now handled by _is_image_enabled)
  • Make OKD_ARCHES a tuple for immutability (now shared across two consumers)
  • Add unit tests covering both gaps (image filtering + arch detection)

Test plan

  • pytest doozer/tests/cli/test_scan_sources_konflux.py::TestOkdImageFiltering — 8 pass
  • pytest doozer/tests/cli/test_scan_sources_konflux.py::TestOkdArchChanges — 3 pass
  • pytest pyartcd/tests/pipelines/test_okd_scan.py — 8 pass
  • Full test_scan_sources_konflux.py suite — 49 pass
  • E2E: artcd okd-scan --image-list=openshift-enterprise-base-rhel9 against fork with controlled scenarios

Resolves: ART-21083

Summary by CodeRabbit

  • New Features

    • OKD source scans now consider both payload and base-only images when determining what to include.
    • OKD scan pipelines now constrain rebuild checks to the OKD architecture set.
  • Bug Fixes

    • Fixed OKD image filtering so missing payload/base-only flags don’t incorrectly exclude images.
    • Removed redundant OKD-specific filtering so inclusion logic is applied consistently.
    • Improved OKD architecture-change detection to avoid false rebuild triggers and looping edge cases.
  • Tests

    • Added unit and pipeline coverage for OKD image selection and architecture handling.

@openshift-ci openshift-ci Bot added the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Jun 24, 2026
@openshift-ci

openshift-ci Bot commented Jun 24, 2026

Copy link
Copy Markdown
Contributor

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

@openshift-ci

openshift-ci Bot commented Jun 24, 2026

Copy link
Copy Markdown
Contributor

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign fgallott for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@coderabbitai

coderabbitai Bot commented Jun 24, 2026

Copy link
Copy Markdown
Contributor

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Repository: openshift-eng/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 4bb2b346-d1ec-41e1-9f50-6e6cef658327

📥 Commits

Reviewing files that changed from the base of the PR and between ff43999 and 5773312.

📒 Files selected for processing (5)
  • doozer/doozerlib/cli/scan_sources_konflux.py
  • doozer/tests/cli/test_scan_sources_konflux.py
  • pyartcd/pyartcd/pipelines/okd.py
  • pyartcd/pyartcd/pipelines/okd_scan.py
  • pyartcd/tests/pipelines/test_okd_scan.py
✅ Files skipped from review due to trivial changes (1)
  • pyartcd/pyartcd/pipelines/okd.py
🚧 Files skipped from review as they are similar to previous changes (4)
  • doozer/doozerlib/cli/scan_sources_konflux.py
  • doozer/tests/cli/test_scan_sources_konflux.py
  • pyartcd/tests/pipelines/test_okd_scan.py
  • pyartcd/pyartcd/pipelines/okd_scan.py

Walkthrough

OKD image filtering now includes base_only images, and OKD scan command construction now passes --arches from OKD_ARCHES. Tests cover the updated image gating, arch-change detection, and pipeline command construction.

Changes

OKD Scan Image Filtering and Arch Scoping

Layer / File(s) Summary
Image filtering
doozer/doozerlib/cli/scan_sources_konflux.py, doozer/tests/cli/test_scan_sources_konflux.py
_is_image_enabled now returns for_payload or base_only for OKD images, defaulting missing fields to False. The extra OKD for_payload exclusion is removed from _is_image_enabled_for_scan. Tests cover OKD payload, base-only, disabled, OCP base-only, and arch-change behavior.
Arch scoping
pyartcd/pyartcd/pipelines/okd.py, pyartcd/pyartcd/pipelines/okd_scan.py, pyartcd/tests/pipelines/test_okd_scan.py
OKD_ARCHES changes from a list to a tuple. The OKD scan pipeline imports it and adds --arches=<comma-joined> to the doozer command. Tests verify the argument value and that only one --arches= entry is present.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Possibly related PRs

Suggested labels

approved, lgtm

Suggested reviewers

  • fgallott
  • vfreex
🚥 Pre-merge checks | ✅ 11
✅ Passed checks (11 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title clearly summarizes the main change: aligning okd-scan with the build pipeline for arches and base image handling.
Docstring Coverage ✅ Passed Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
No-Weak-Crypto ✅ Passed Touched files only change OKD image/arch filtering; no MD5/SHA1/DES/RC4/3DES/Blowfish/ECB, custom crypto, or secret comparisons found.
Container-Privileges ✅ Passed No modified container/K8s manifests or privilege-related settings were found; the PR only changes Python logic/tests around OKD scanning.
No-Sensitive-Data-In-Logs ✅ Passed No new sensitive-data logging was added; changed code only adjusts OKD arch/image filtering and tests, while existing logs are status/image messages.
No-Hardcoded-Secrets ✅ Passed Searched all touched files and added-line diff; found no API keys, tokens, passwords, private keys, embedded-credential URLs, or long base64 literals.
No-Injection-Vectors ✅ Passed No injection sinks were added; OKD commands are executed via argv lists in create_subprocess_exec, and YAML parsing uses safe_load.
Ai-Attribution ✅ Passed No AI-tool mention or Assisted-by/Generated-by/Co-Authored-By trailers were present in the commit or repo text.

✏️ Tip: You can configure your own custom pre-merge checks in the settings.

✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Comment @coderabbitai help to get the list of available commands.

@lgarciaaco lgarciaaco force-pushed the ART-21083-okd-scan-parity branch from 3157b49 to ff43999 Compare June 24, 2026 11:09
@lgarciaaco lgarciaaco changed the title fix(okd-scan): align scan with build pipeline for arches and base chain [ART-21083] fix(scanner): align okd-scan with build pipeline for arches and base chain Jun 24, 2026
…chain

okd-scan was not detecting two categories of changes that the OKD build
pipeline acts on:

1. Arch expansion: adding aarch64 to OKD_ARCHES did not trigger rebuilds
   because okd-scan did not pass --arches to doozer, so scan_arch_changes
   compared against OCP's 4-arch group config instead of OKD's 2-arch target.

2. Base chain: base_only images (like openshift-enterprise-base-rhel9) were
   excluded from the OKD scan set because _is_image_enabled required
   for_payload=true, but the OKD build pipeline includes base_only parents.

Changes:
- Import OKD_ARCHES in okd_scan.py from okd.py (single source of truth)
  and pass --arches to doozer invocation
- Update _is_image_enabled to include base_only images for OKD variant
- Remove redundant for_payload filter in _is_image_enabled_for_scan
- Make OKD_ARCHES a tuple for immutability
- Add comprehensive unit tests for both gaps

Resolves: ART-21083

rh-pre-commit.version: 2.3.2
rh-pre-commit.check-secrets: ENABLED
@lgarciaaco lgarciaaco force-pushed the ART-21083-okd-scan-parity branch from ff43999 to 5773312 Compare June 24, 2026 11:13
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress.

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant