OCM-24478 | ci: add ROSA changelog tag job

[olucasfreitas]

Summary

• add a ROSA ci-operator target that runs the new changelog PR helper from the repository checkout
• add a stable-tag postsubmit job that invokes the target after stable tags are pushed
• mount the GitHub credential secret into the job so the changelog helper can push a review branch and open a PR

Why

ROSA is adding a historical CHANGELOG.md that should be updated after stable tags, but all automation for this flow needs to remain on Prow rather than moving into GitHub Actions.

Testing

• python3 YAML parse for ci-operator/config/openshift/rosa/openshift-rosa-master.yaml
• python3 YAML parse for ci-operator/jobs/openshift/rosa/openshift-rosa-master-postsubmits.yaml
• git diff --check

Notes

• This PR depends on the companion openshift/rosa change at OCM-24478 | chore: add historical changelog automation rosa#3245.
• The tag job uses the existing github-credentials-openshift-ci-robot-private-git-cloner secret. If that token does not have the required write scope for branch push / PR creation, the job wiring will need a follow-up secret update.

Summary by CodeRabbit

This change adds OpenShift CI (ci-operator / Prow) automation so the openshift/rosa repository can maintain a historical CHANGELOG.md from Prow after stable tags.

What changed (practical terms)

• Adds a ci-operator postsubmit target named changelog-history in ci-operator/config/openshift/rosa/openshift-rosa-master.yaml. The target unsets GOFLAGS, exports GITHUB_TOKEN from /tmp/github/oauth, ensures jq is present (attempts dnf install if missing and fails if installation fails), and runs make changelog-pr from the repo checkout. It mounts the secret github-credentials-openshift-ci-robot-private-git-cloner at /tmp/github so the helper can push review branches and open PRs.
• Adds a generated Prow postsubmit job named branch-ci-openshift-rosa-master-changelog-history in ci-operator/jobs/openshift/rosa/openshift-rosa-master-postsubmits.yaml that invokes ci-operator --target=changelog-history (the job pod also mounts the same GitHub credential secret and exposes the oauth key path).
• Job-generation fixes: the changelog target is explicitly declared as a postsubmit (avoiding an unexpected presubmit), the stable-tag postsubmit name was aligned with Prow branch-regex semantics, and the generated master postsubmit is kept in sync with the ci-operator config while preserving the manually wired stable-tag job.

Impact / rationale

• Moves ROSA changelog automation from GitHub Actions to OpenShift CI so CHANGELOG.md updates run in Prow after stable tags are pushed.
• The job will attempt to push a review branch and open a PR using the mounted GitHub token.

Testing performed

• YAML parse checks for ci-operator/config/openshift/rosa/openshift-rosa-master.yaml and ci-operator/jobs/openshift/rosa/openshift-rosa-master-postsubmits.yaml.
• git diff --check.

Notes / follow-ups

• Depends on a companion change in the openshift/rosa repository.
• If the mounted GitHub token lacks write scope for branch pushes / PR creation, a secret update will be required.

[coderabbitai]

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

• @coderabbitai resume to resume automatic reviews.
• @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

• ▶️ Resume reviews
• 🔍 Trigger review

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 584e8100-1fc7-4b96-aa15-3f8d929c88f7

📥 Commits

Reviewing files that changed from the base of the PR and between 116c7c5 and 42cba2c.

⛔ Files ignored due to path filters (1)

• ci-operator/jobs/openshift/rosa/openshift-rosa-master-postsubmits.yaml is excluded by !ci-operator/jobs/**

📒 Files selected for processing (1)

• ci-operator/config/openshift/rosa/openshift-rosa-master.yaml

---

Walkthrough

A postsubmit Prow job changelog-history was added to ROSA master CI config; it runs in the src container, unsets GOFLAGS, sets GITHUB_TOKEN from /tmp/github/oauth, installs jq if missing, and executes make changelog-pr.

Changes

Changelog History Job

Layer / File(s)	Summary
changelog-history job definition ci-operator/config/openshift/rosa/openshift-rosa-master.yaml	Adds a postsubmit Prow job changelog-history that runs make changelog-pr in the src container, unsets GOFLAGS, sets GITHUB_TOKEN from /tmp/github/oauth, conditionally installs jq via dnf, and mounts the github-credentials-openshift-ci-robot-private-git-cloner secret at /tmp/github.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Suggested labels

lgtm, jira/valid-reference

🚥 Pre-merge checks | ✅ 12

✅ Passed checks (12 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title 'OCM-24478 | ci: add ROSA changelog tag job' clearly indicates the main change: adding a new CI job for ROSA changelog tagging.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names	✅ Passed	This PR modifies only CI/CD configuration files (YAML) for the openshift/release repository, not Ginkgo test files. The check for stable test names is not applicable.
Test Structure And Quality	✅ Passed	PR contains no Ginkgo test code - only CI/CD configuration files (YAML, scripts). Check for test structure and quality is not applicable.
Microshift Test Compatibility	✅ Passed	This PR adds a Prow CI job configuration, not Ginkgo e2e tests. The custom check for MicroShift test compatibility only applies when new Ginkgo tests are added, which is not the case here.
Single Node Openshift (Sno) Test Compatibility	✅ Passed	This PR only modifies Prow CI configuration files and does not add any Ginkgo e2e tests. The changelog-history job is a build/changelog automation task, not a test.
Topology-Aware Scheduling Compatibility	✅ Passed	PR adds only a ci-operator job configuration with no deployment manifests, operator code, or scheduling constraints. The check is not applicable to CI/CD configuration files.
Ote Binary Stdout Contract	✅ Passed	This PR modifies only Prow CI configuration in YAML files. The OTE Binary Stdout Contract check applies to Go test binaries, not CI configuration. No code violations present.
Ipv6 And Disconnected Network Test Compatibility	✅ Passed	PR adds only CI job configuration (YAML files), not Ginkgo e2e tests. No test code with IPv4 assumptions or external connectivity issues found.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: olucasfreitas

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• ci-operator/config/openshift/rosa/OWNERS [olucasfreitas]
• ci-operator/jobs/openshift/rosa/OWNERS [olucasfreitas]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[coderabbitai]

🧹 Nitpick comments (1)

ci-operator/config/openshift/rosa/openshift-rosa-master.yaml (1)

66-68: ⚖️ Poor tradeoff

Consider ensuring jq is available in the base image rather than installing at runtime.

Installing packages at runtime via dnf adds latency to every job execution and creates an external dependency on package repositories. Best practice for CI jobs is to ensure required tools are present in the base container image.

Consider one of these approaches:

• Request that jq be added to the rhel-9-golang-1.25-openshift-4.22 builder image
• Use a different base image that includes jq
• Accept this pattern if the base image is outside your control and resilience to image changes is preferred

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@ci-operator/config/openshift/rosa/openshift-rosa-master.yaml` around lines 66
- 68, The current runtime-install snippet (the if block checking `command -v jq`
and running `dnf install -y jq`) should be removed and replaced by ensuring jq
is present in the base image; either request `jq` be added to the
`rhel-9-golang-1.25-openshift-4.22` builder image, change the job's base image
to one that already includes `jq`, or explicitly bake `jq` into your project
image/Dockerfile used by this CI job so the `if ! command -v jq` / `dnf install
-y jq` fallback is not required at runtime.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Nitpick comments:
In `@ci-operator/config/openshift/rosa/openshift-rosa-master.yaml`:
- Around line 66-68: The current runtime-install snippet (the if block checking
`command -v jq` and running `dnf install -y jq`) should be removed and replaced
by ensuring jq is present in the base image; either request `jq` be added to the
`rhel-9-golang-1.25-openshift-4.22` builder image, change the job's base image
to one that already includes `jq`, or explicitly bake `jq` into your project
image/Dockerfile used by this CI job so the `if ! command -v jq` / `dnf install
-y jq` fallback is not required at runtime.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 07c364e4-4de0-4e7a-a2ce-43167c754a21

📥 Commits

Reviewing files that changed from the base of the PR and between 847c9fb and e08a914.

⛔ Files ignored due to path filters (1)

• ci-operator/jobs/openshift/rosa/openshift-rosa-master-postsubmits.yaml is excluded by !ci-operator/jobs/**

📒 Files selected for processing (1)

• ci-operator/config/openshift/rosa/openshift-rosa-master.yaml

[olucasfreitas]

/retest-required

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@ci-operator/config/openshift/rosa/openshift-rosa-master.yaml`:
- Around line 66-68: The script currently attempts to install jq with "dnf
install -y jq" but doesn’t check the install exit code, so if installation fails
the script proceeds to run "make changelog-pr" and fails later; update the block
that uses "command -v jq" and "dnf install -y jq" to test the dnf command’s exit
status and immediately print a clear error and exit non‑zero on failure (or set
errexit/pipefail at the top), e.g., ensure the failure path for "dnf install -y
jq" stops execution with a descriptive message about jq installation failure;
alternatively, document or switch to a base image that already includes jq to
avoid runtime installation.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 19591f64-2f4e-4606-9402-8c1a16793c54

📥 Commits

Reviewing files that changed from the base of the PR and between 874424d and 116c7c5.

⛔ Files ignored due to path filters (1)

• ci-operator/jobs/openshift/rosa/openshift-rosa-master-postsubmits.yaml is excluded by !ci-operator/jobs/**

📒 Files selected for processing (1)

• ci-operator/config/openshift/rosa/openshift-rosa-master.yaml

[olucasfreitas]

@amandahla please review this when you can, low priority

[olucasfreitas]

@coderabbitai resolve

[openshift-merge-bot]

[REHEARSALNOTIFIER]
@olucasfreitas: no rehearsable tests are affected by this change

Note: If this PR includes changes to step registry files (ci-operator/step-registry/) and you expected jobs to be found, try rebasing your PR onto the base branch. This helps pj-rehearse accurately detect changes when the base branch has moved forward.

Interacting with pj-rehearse

Comment: /pj-rehearse to run up to 5 rehearsals
Comment: /pj-rehearse skip to opt-out of rehearsals
Comment: /pj-rehearse {test-name}, with each test separated by a space, to run one or more specific rehearsals
Comment: /pj-rehearse more to run up to 10 rehearsals
Comment: /pj-rehearse max to run up to 25 rehearsals
Comment: /pj-rehearse auto-ack to run up to 5 rehearsals, and add the rehearsals-ack label on success
Comment: /pj-rehearse list to get an up-to-date list of affected jobs
Comment: /pj-rehearse abort to abort all active rehearsals
Comment: /pj-rehearse network-access-allowed to allow rehearsals of tests that have the restrict_network_access field set to false. This must be executed by an openshift org member who is not the PR author

Once you are satisfied with the results of the rehearsals, comment: /pj-rehearse ack to unblock merge. When the rehearsals-ack label is present on your PR, merge will no longer be blocked by rehearsals.
If you would like the rehearsals-ack label removed, comment: /pj-rehearse reject to re-block merging.

[coderabbitai]

✅ Actions performed

Comments resolved. Approval is disabled; enable reviews.request_changes_workflow to allow explicit top-level @coderabbitai resolve or @coderabbitai approve commands.

[openshift-ci]

@olucasfreitas: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

[olucasfreitas]

Closing this PR. The changelog automation has been moved to a GitHub Actions workflow in the openshift/rosa repository instead of Prow, following reviewer feedback. The companion ROSA PR (openshift/rosa#3245) now includes .github/workflows/update-changelog.yml directly.