Skip to content

USHIFT-7406: feat: add crypto scan step to Microshift rebase periodic job for 5.0+#82024

Open
fracappa wants to merge 1 commit into
openshift:mainfrom
fracappa:fca/microshift-cryptoscan-dependencies
Open

USHIFT-7406: feat: add crypto scan step to Microshift rebase periodic job for 5.0+#82024
fracappa wants to merge 1 commit into
openshift:mainfrom
fracappa:fca/microshift-cryptoscan-dependencies

Conversation

@fracappa

@fracappa fracappa commented Jul 16, 2026

Copy link
Copy Markdown
Contributor

Introduce a new step-registry workflow (openshift-microshift-rebase-with-cryptoscan) that chains the existing rebase with a crypto scan step. The scan runs in a nested-podman container with intranet access to pull the rh-crypto-scanner-imagefrom images.paas.redhat.com. Scan logic is delegated to the upstream microshift repo via the CRYPTO_SCAN env var

Summary by CodeRabbit

  • Adds a MicroShift 5.0+ periodic workflow that rebases the repository and runs the Red Hat crypto scanner.
  • Runs the scanner in a nested-Podman container with intranet access and credentials to pull the scanner image.
  • Updates the release-5.0 periodic job to use the new workflow and required capabilities.
  • Adds the crypto-scan step registry definition, source artifact, ownership metadata, and workflow configuration.

@openshift-ci-robot

openshift-ci-robot commented Jul 16, 2026

Copy link
Copy Markdown
Contributor

@fracappa: This pull request references USHIFT-7406 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "5.0.0" version, but no target version was set.

Details

In response to this:

Introduce a new step-registry workflow (openshift-microshift-rebase-with-cryptoscan) that chains the existing rebase with a crypto scan step. The scan runs in a nested-podman container with intranet access to pull the rh-crypto-scanner-imagefrom images.paas.redhat.com. Scan logic is delegated to the upstream microshift repo via the CRYPTO_SCAN env var

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@openshift-ci-robot openshift-ci-robot added the jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. label Jul 16, 2026
@coderabbitai

coderabbitai Bot commented Jul 16, 2026

Copy link
Copy Markdown
Contributor

Walkthrough

MicroShift release configuration now builds a cryptoscan-src artifact with nested Podman, defines a cryptoscan step, composes it with the rebase workflow, and routes the nightly periodic job through the combined workflow.

Changes

MicroShift cryptoscan integration

Layer / File(s) Summary
Cryptoscan step definition
ci-operator/step-registry/openshift/microshift/cryptoscan/*
Defines the cryptoscan step, ownership metadata, command script, resource requests, credential mount, and source artifact input.
Combined rebase workflow
ci-operator/step-registry/openshift/microshift/rebase/with-cryptoscan/*
Adds a workflow that runs the existing MicroShift rebase chain and the cryptoscan chain.
Periodic job and source image wiring
ci-operator/config/openshift/microshift/openshift-microshift-release-5.0__periodics.yaml
Builds cryptoscan-src from the nested-podman image and updates rebase-on-nightlies to use the combined workflow with nested-Podman capabilities and unrestricted network access.

Estimated code review effort: 3 (Moderate) | ~20 minutes

Sequence Diagram(s)

sequenceDiagram
  participant PeriodicJob
  participant CombinedWorkflow
  participant RebaseChain
  participant CryptoscanStep
  participant CryptoscanSource
  PeriodicJob->>CombinedWorkflow: start scheduled rebase-with-cryptoscan workflow
  CombinedWorkflow->>RebaseChain: run MicroShift rebase
  CombinedWorkflow->>CryptoscanStep: run cryptoscan
  CryptoscanStep->>CryptoscanSource: consume cryptoscan-src
  CryptoscanStep->>CryptoscanStep: invoke rebase_job_entrypoint.sh with CRYPTO_SCAN=true
Loading
🚥 Pre-merge checks | ✅ 15
✅ Passed checks (15 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title accurately summarizes the main change: adding a crypto scan step to the MicroShift rebase periodic job for 5.0+.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names ✅ Passed The PR only adds CI config/step-registry YAML and a shell script; no Ginkgo specs or dynamic test titles were introduced.
Test Structure And Quality ✅ Passed No Ginkgo test code was added or modified; the PR only changes ci-operator YAML, step-registry bash, and OWNERS/metadata files.
Microshift Test Compatibility ✅ Passed No Ginkgo tests were added or modified; changes only add CI/workflow config and a cryptoscan step, so no MicroShift-incompatible test APIs are introduced.
Single Node Openshift (Sno) Test Compatibility ✅ Passed No new Ginkgo e2e tests were added; the diff is CI/step-registry config only and no test source files changed.
Topology-Aware Scheduling Compatibility ✅ Passed Only CI step-registry and generated job configs changed; no pod anti-affinity, topology spread, node selectors, tolerations, replicas, or PDB logic were introduced.
Ote Binary Stdout Contract ✅ Passed Only CI config and a wrapper shell script were added; no process-level OTE code or stdout writes were introduced.
Ipv6 And Disconnected Network Test Compatibility ✅ Passed PR only adds CI config/step-registry files; no new Ginkgo e2e tests or IPv4/external-connectivity code was added.
No-Weak-Crypto ✅ Passed The PR only adds CI wiring for a crypto-scanner workflow; no weak-crypto algorithms, custom crypto, or secret comparisons were introduced.
Container-Privileges ✅ Passed No added manifest sets privileged/hostPID/hostNetwork/hostIPC, SYS_ADMIN, allowPrivilegeEscalation, or explicit root; only nested_podman/capabilities were added.
No-Sensitive-Data-In-Logs ✅ Passed The new workflow/script add no logging or echoing of secrets, tokens, PII, or hostnames; only a /secrets mount path and CRYPTO_SCAN env var are introduced.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@openshift-ci
openshift-ci Bot requested review from copejon and ggiguash July 16, 2026 16:34
@openshift-ci

openshift-ci Bot commented Jul 16, 2026

Copy link
Copy Markdown
Contributor

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: fracappa
Once this PR has been reviewed and has the lgtm label, please assign agullon for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-merge-bot

Copy link
Copy Markdown
Contributor

[REHEARSALNOTIFIER]
@fracappa: the pj-rehearse plugin accommodates running rehearsal tests for the changes in this PR. Expand 'Interacting with pj-rehearse' for usage details. The following rehearsable tests have been affected by this change:

Test name Repo Type Reason
pull-ci-openshift-microshift-release-5.0-periodics-images openshift/microshift presubmit Presubmit changed
periodic-ci-openshift-microshift-release-5.0-periodics-e2e-aws-tests-bootc-arm-nightly-el9 N/A periodic Ci-operator config changed
periodic-ci-openshift-microshift-release-5.0-periodics-e2e-aws-tests-bootc-release-arm-periodic-el10 N/A periodic Ci-operator config changed
periodic-ci-openshift-microshift-release-5.0-periodics-e2e-aws-tests-bootc-c2cc-nightly N/A periodic Ci-operator config changed
periodic-ci-openshift-microshift-release-5.0-periodics-e2e-aws-tests-bootc-nightly-el10 N/A periodic Ci-operator config changed
periodic-ci-openshift-microshift-release-5.0-periodics-e2e-aws-tests-bootc-nightly-el9 N/A periodic Ci-operator config changed
periodic-ci-openshift-microshift-release-5.0-periodics-e2e-aws-tests-release-arm-periodic N/A periodic Ci-operator config changed
periodic-ci-openshift-microshift-release-5.0-periodics-update-versions-releases N/A periodic Ci-operator config changed
periodic-ci-openshift-microshift-release-5.0-periodics-e2e-aws-tests-bootc-release-arm-periodic-el9 N/A periodic Ci-operator config changed
periodic-ci-openshift-microshift-release-5.0-periodics-publish-release-notes N/A periodic Ci-operator config changed
periodic-ci-openshift-microshift-release-5.0-periodics-e2e-aws-tests-bootc-release-periodic-el10 N/A periodic Ci-operator config changed
periodic-ci-openshift-microshift-release-5.0-periodics-e2e-aws-tests-bootc-release-periodic-el9 N/A periodic Ci-operator config changed
periodic-ci-openshift-microshift-release-5.0-periodics-e2e-aws-ovn-ocp-conformance-serial N/A periodic Ci-operator config changed
periodic-ci-openshift-microshift-release-5.0-periodics-e2e-aws-tests-release-periodic N/A periodic Ci-operator config changed
periodic-ci-openshift-microshift-release-5.0-periodics-rebase-on-nightlies N/A periodic Ci-operator config changed
periodic-ci-openshift-microshift-release-5.0-periodics-e2e-aws-footprint-and-performance-nightly N/A periodic Ci-operator config changed
periodic-ci-openshift-microshift-release-5.0-periodics-e2e-aws-tests-bootc-arm-nightly-el10 N/A periodic Ci-operator config changed
periodic-ci-openshift-microshift-release-5.0-periodics-e2e-aws-tests-arm-nightly N/A periodic Ci-operator config changed
periodic-ci-openshift-microshift-release-5.0-periodics-e2e-aws-ai-model-serving-nightly N/A periodic Ci-operator config changed
periodic-ci-openshift-microshift-release-5.0-periodics-e2e-aws-ovn-ocp-conformance N/A periodic Ci-operator config changed
periodic-ci-openshift-microshift-release-5.0-periodics-e2e-aws-tests-cache-nightly-arm N/A periodic Ci-operator config changed
periodic-ci-openshift-microshift-release-5.0-periodics-e2e-aws-tests-cache-nightly N/A periodic Ci-operator config changed
periodic-ci-openshift-microshift-release-5.0-periodics-e2e-aws-tests-nightly N/A periodic Ci-operator config changed
periodic-ci-openshift-microshift-release-5.0-periodics-clusterbot-nightly N/A periodic Ci-operator config changed
periodic-ci-openshift-microshift-release-5.0-periodics-e2e-aws-tests-bootc-c2cc-arm-nightly N/A periodic Ci-operator config changed

Prior to this PR being merged, you will need to either run and acknowledge or opt to skip these rehearsals.

Interacting with pj-rehearse

Comment: /pj-rehearse to run up to 5 rehearsals
Comment: /pj-rehearse skip to opt-out of rehearsals
Comment: /pj-rehearse {test-name}, with each test separated by a space, to run one or more specific rehearsals
Comment: /pj-rehearse more to run up to 10 rehearsals
Comment: /pj-rehearse max to run up to 25 rehearsals
Comment: /pj-rehearse auto-ack to run up to 5 rehearsals, and add the rehearsals-ack label on success
Comment: /pj-rehearse list to get an up-to-date list of affected jobs
Comment: /pj-rehearse abort to abort all active rehearsals
Comment: /pj-rehearse network-access-allowed to allow rehearsals of tests that have the restrict_network_access field set to false. This must be executed by an openshift org member who is not the PR author

Once you are satisfied with the results of the rehearsals, comment: /pj-rehearse ack to unblock merge. When the rehearsals-ack label is present on your PR, merge will no longer be blocked by rehearsals.
If you would like the rehearsals-ack label removed, comment: /pj-rehearse reject to re-block merging.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🧹 Nitpick comments (1)
ci-operator/step-registry/openshift/microshift/rebase/with-cryptoscan/openshift-microshift-rebase-with-cryptoscan-workflow.yaml (1)

3-6: 📐 Maintainability & Code Quality | 🔵 Trivial | 💤 Low value

Consider explicitly adding pre and post phases and verify workflow uniqueness.

As per coding guidelines:

  1. New workflows should define pre, test, and post phases. Consider explicitly defining pre and post phases (even if empty) to strictly align with this structure, and ensure the workflow is validated via make validate-step-registry.
  2. Always use /step-finder before creating new step-registry components to avoid duplicating existing steps, workflows, or chains.
💡 Proposed explicit phases
 workflow:
   as: openshift-microshift-rebase-with-cryptoscan
   steps:
+    pre: []
     test:
       - chain: openshift-microshift-rebase
       - ref: openshift-microshift-cryptoscan
+    post: []
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In
`@ci-operator/step-registry/openshift/microshift/rebase/with-cryptoscan/openshift-microshift-rebase-with-cryptoscan-workflow.yaml`
around lines 3 - 6, Update the workflow definition containing the test chain and
ref to explicitly include empty pre and post phases alongside test, preserving
the existing test entries. Before finalizing, use step-finder to verify no
equivalent workflow, chain, or step already exists, then validate the registry
with make validate-step-registry.

Source: Coding guidelines

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Nitpick comments:
In
`@ci-operator/step-registry/openshift/microshift/rebase/with-cryptoscan/openshift-microshift-rebase-with-cryptoscan-workflow.yaml`:
- Around line 3-6: Update the workflow definition containing the test chain and
ref to explicitly include empty pre and post phases alongside test, preserving
the existing test entries. Before finalizing, use step-finder to verify no
equivalent workflow, chain, or step already exists, then validate the registry
with make validate-step-registry.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 025ccc4a-268f-4614-b07a-167dd3b572ed

📥 Commits

Reviewing files that changed from the base of the PR and between 9c87d06 and 1b929c7.

⛔ Files ignored due to path filters (2)
  • ci-operator/jobs/openshift/microshift/openshift-microshift-release-5.0-periodics.yaml is excluded by !ci-operator/jobs/**
  • ci-operator/jobs/openshift/microshift/openshift-microshift-release-5.0-presubmits.yaml is excluded by !ci-operator/jobs/**
📒 Files selected for processing (8)
  • ci-operator/config/openshift/microshift/openshift-microshift-release-5.0__periodics.yaml
  • ci-operator/step-registry/openshift/microshift/cryptoscan/OWNERS
  • ci-operator/step-registry/openshift/microshift/cryptoscan/openshift-microshift-cryptoscan-commands.sh
  • ci-operator/step-registry/openshift/microshift/cryptoscan/openshift-microshift-cryptoscan-ref.metadata.json
  • ci-operator/step-registry/openshift/microshift/cryptoscan/openshift-microshift-cryptoscan-ref.yaml
  • ci-operator/step-registry/openshift/microshift/rebase/with-cryptoscan/OWNERS
  • ci-operator/step-registry/openshift/microshift/rebase/with-cryptoscan/openshift-microshift-rebase-with-cryptoscan-workflow.metadata.json
  • ci-operator/step-registry/openshift/microshift/rebase/with-cryptoscan/openshift-microshift-rebase-with-cryptoscan-workflow.yaml

@openshift-ci

openshift-ci Bot commented Jul 16, 2026

Copy link
Copy Markdown
Contributor

@fracappa: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

jira/valid-reference Indicates that this PR references a valid Jira ticket of any type.

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants