Skip to content

chore(deps): bump ARO-Tools to enforce shellIdentity in pipeline schema (AROSLSRE-1380)#5917

Merged
openshift-merge-bot[bot] merged 1 commit into
Azure:mainfrom
raelga:rael/bump-aro-tools-AROSLSRE-1380
Jul 3, 2026
Merged

chore(deps): bump ARO-Tools to enforce shellIdentity in pipeline schema (AROSLSRE-1380)#5917
openshift-merge-bot[bot] merged 1 commit into
Azure:mainfrom
raelga:rael/bump-aro-tools-AROSLSRE-1380

Conversation

@raelga

@raelga raelga commented Jul 3, 2026

Copy link
Copy Markdown
Collaborator

Refs: https://issues.redhat.com/browse/AROSLSRE-1380

What

Bumps the github.com/Azure/ARO-Tools/* modules across the workspace from 2277df76598b (2026-06-17) to 4612291d5420 (2026-07-03).

The notable change in that range is Azure/ARO-Tools#262, which makes shellIdentity a required field on shellStepBase in the pipeline schema.

Why

shellIdentity is effectively mandatory: sdp-pipelines EV2RA manifest generation validates it unconditionally and aborts if it is unset. But ARO-HCP CI only validates pipelines against the schema (never runs EV2RA generation), so until now a Shell step missing shellIdentity passed every ARO-HCP check and only exploded at bump time in sdp-pipelines.

That is exactly the regression that hit ARO-28045 / #5834 (reverted in #5888, relanded in #5889). Landing this bump makes make validate-config-pipelines fail fast at PR time for any Shell step missing an identity, closing the detection gap tracked in AROSLSRE-1380.

Testing

Special notes for your reviewer

Pure dependency bump — only go.mod/go.sum change (20 files). No source changes. This is the follow-up that makes the ARO-Tools#262 schema enforcement live in ARO-HCP.

Copilot AI review requested due to automatic review settings July 3, 2026 12:11
@openshift-ci openshift-ci Bot requested review from bennerv and deads2k July 3, 2026 12:11
@openshift-ci openshift-ci Bot added the approved label Jul 3, 2026

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR bumps the workspace’s github.com/Azure/ARO-Tools/* module dependencies from 2277df76598b (2026-06-17) to 4612291d5420 (2026-07-03) so ARO-HCP’s pipeline validation picks up the updated pipeline schema (notably making shellIdentity required on Shell steps), closing a validation gap that previously only surfaced during downstream EV2RA manifest generation.

Changes:

  • Bump ARO-Tools pseudo-versions across all affected workspace modules and refresh go.sum accordingly.
  • Pick up related transitive dependency updates (notably armresourcegraph moving to v0.10.0 in several modules).
  • Keep module graphs in sync across tooling and test modules.

Reviewed changes

Copilot reviewed 10 out of 20 changed files in this pull request and generated no comments.

Show a summary per file
File Description
tooling/yamlwrap/go.mod Bump ARO-Tools/tools/yamlwrap and indirect testutil to the new ARO-Tools pseudo-version.
tooling/yamlwrap/go.sum Refresh sums for updated ARO-Tools dependencies.
tooling/templatize/go.mod Bump ARO-Tools deps (config, pipelines, multiple tools/*) to the new pseudo-version; refresh indirects.
tooling/templatize/go.sum Refresh sums for updated ARO-Tools deps and related transitive updates (incl. armresourcegraph v0.10.0).
tooling/secret-sync/go.mod Bump ARO-Tools/tools/secret-sync and related indirect ARO-Tools modules to the new pseudo-version.
tooling/secret-sync/go.sum Refresh sums for updated ARO-Tools deps.
tooling/pipeline-documentation/go.mod Bump ARO-Tools/pipelines to the new pseudo-version.
tooling/pipeline-documentation/go.sum Refresh sums for updated ARO-Tools/pipelines.
tooling/helmtest/go.mod Bump ARO-Tools config, pipelines, testutil, and indirect tooling modules to the new pseudo-version.
tooling/helmtest/go.sum Refresh sums for updated ARO-Tools deps.
tooling/hcpctl/go.mod Bump ARO-Tools/tools/cmdutils and update armresourcegraph to v0.10.0.
tooling/hcpctl/go.sum Refresh sums for updated deps (but currently missing the armresourcegraph v0.10.0/go.mod checksum line).
tooling/grafanactl/go.mod Bump ARO-Tools/tools/grafanactl and indirect cmdutils; add armresourcegraph v0.10.0 indirect.
tooling/grafanactl/go.sum Refresh sums for updated deps (includes armresourcegraph v0.10.0 + /go.mod checksum).
tooling/aro-hcp-exporter/go.mod Update armresourcegraph to v0.10.0.
tooling/aro-hcp-exporter/go.sum Refresh sums for updated deps (but currently missing the armresourcegraph v0.10.0/go.mod checksum line).
test/go.mod Bump ARO-Tools/config and ARO-Tools/tools/prow-job-executor plus indirect ARO-Tools modules to the new pseudo-version.
test/go.sum Refresh sums for updated ARO-Tools deps and transitive updates (incl. armresourcegraph v0.10.0 + /go.mod).
mgmt-agent/go.mod Bump ARO-Tools/testutil to the new pseudo-version.
mgmt-agent/go.sum Refresh sums for updated ARO-Tools/testutil.

@mmazur

mmazur commented Jul 3, 2026

Copy link
Copy Markdown
Collaborator

/lgtm

…SLSRE-1380)

Bumps the github.com/Azure/ARO-Tools modules from 2277df76598b (2026-06-17)
to 4612291d5420 (2026-07-03), which makes shellIdentity a required field on
shellStepBase in the pipeline schema (Azure/ARO-Tools#262).

This lands the enforcement so that a Shell step missing shellIdentity now
fails ARO-HCP 'make validate-config-pipelines' at PR time, instead of only
breaking the sdp-pipelines EV2 bump after merge (the regression that hit
ARO-28045 / Azure#5834).

All in-repo pipelines validate cleanly against the stricter schema; the known
offenders were already fixed in Azure#5889 and Azure#5890.
@raelga raelga force-pushed the rael/bump-aro-tools-AROSLSRE-1380 branch from c3665e6 to c380ad1 Compare July 3, 2026 13:19
@openshift-ci openshift-ci Bot removed the lgtm label Jul 3, 2026
@raelga

raelga commented Jul 3, 2026

Copy link
Copy Markdown
Collaborator Author

@copilot Thanks for the review. Good catch — the two go.sum files you flagged (tooling/hcpctl/go.sum and tooling/aro-hcp-exporter/go.sum) were indeed missing the armresourcegraph v0.10.0/go.mod checksum line. Those are transitive ARO-Tools consumers, so make bump-aro-tools (which only go gets direct requirers) didn't touch them; the missing /go.mod hash only surfaces under a full make tidy.

Fixed in c380ad1 by running make tidy, which added the missing line to both files. Verified both modules now build with go build -mod=readonly ./..., and this resolves the ci/prow/verify (verify-deepcopy) and ci/prow/images (aro-hcp-exporter Docker build) failures from the prior push.

No further action or commit needed from you — this is resolved.

@roivaz

roivaz commented Jul 3, 2026

Copy link
Copy Markdown
Collaborator

/lgtm

@openshift-ci

openshift-ci Bot commented Jul 3, 2026

Copy link
Copy Markdown

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: mmazur, raelga, roivaz

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details Needs approval from an approver in each of these files:
  • OWNERS [mmazur,raelga,roivaz]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@raelga

raelga commented Jul 3, 2026

Copy link
Copy Markdown
Collaborator Author

/test e2e-parallel

@openshift-merge-bot openshift-merge-bot Bot merged commit c49ba45 into Azure:main Jul 3, 2026
17 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

4 participants