Add oape-review-handler Prow presubmit job#81200

Open
neha037 wants to merge 3 commits into
openshift:mainfrom
neha037:oape-review-handler

Conversation

@neha037 neha037 commented Jun 29, 2026


Summary

  • Adds a review-handler-agent image (Node.js 20 + Claude CLI + Go tooling) that clones scripts from main of openshift-eng/oape-ai-e2e
  • Adds a new oape-review-handler presubmit test step triggered by /test oape-review-handler
  • Job is always_run: false, optional: true — manual trigger only
  • When triggered, the bot fetches unresolved PR review threads, invokes Claude Code per thread, pushes code fixes or posts explanation replies

Prerequisite

openshift-eng/oape-ai-e2e#63 must be merged to main before this job can function, since the dockerfile_literal clones scripts from the main branch.

Usage

On any PR in openshift/must-gather-operator:

/test oape-review-handler

For rehearsal from this PR:

/pj-rehearse oape-review-handler

Test plan

  • Verify make jobs regenerates the presubmits YAML correctly
  • Run /pj-rehearse oape-review-handler to validate job definition
  • After prerequisite PR is merged, run /test oape-review-handler on a real PR with review comments

🤖 Generated with Claude Code

Summary by CodeRabbit

This PR updates OpenShift CI configuration for openshift/must-gather-operator by introducing a new optional, manually triggered Prow presubmit test (/test oape-review-handler, job name pull-ci-openshift-must-gather-operator-master-oape-review-handler, with rerun_command: /test oape-review-handler; always_run: false, optional: true).

In practical terms, the job enables an AI-assisted review-reply workflow that, when run, fetches unresolved GitHub PR review threads and uses Claude Code to generate either code fixes (pushed back to the PR) or explanatory replies.

To support this, the PR adds a new review-handler-agent container image built inline from registry.access.redhat.com/ubi9/go-toolset. The image installs required tooling (git, make, jq, gh), enables Node.js 20 and installs @anthropic-ai/claude-code, and includes Go tooling (goimports, golangci-lint). It clones openshift-eng/oape-ai-e2e from main (prerequisite: openshift-eng/oape-ai-e2e#63 must be merged to main) to copy scripts, plugins, and deploy/config. It also applies a Node.js module stream conflict fix by running dnf module reset -y nodejs before enabling nodejs:20. The image is configured to run as user 1001.

The test task also supports rehearsal (/pj-rehearse oape-review-handler), including rehearsal from an openshift/release context by switching to openshift/must-gather-operator and selecting the first open PR number via the GitHub API, setting PULL_NUMBER accordingly.

When executed, the task:

  • Obtains GitHub credentials via a mounted GitHub App token (JWT creation → installation lookup → access token) when /var/run/github-app/app-id and /var/run/github-app/private-key.pem are present, otherwise falls back to GITHUB_TOKEN/GH_TOKEN;
  • Sets Vertex/Anthropic environment variables, computes PR_URL, configures gh auth, and runs /app/scripts/pr-agent/review-handler.sh --pr-url "$PR_URL" using the review-handler-agent image;
  • Mounts the GCP ADC and GitHub App credentials (when available) and runs with a 1h timeout.

Finally, the PR updates release promotion for integration 5.0 to exclude review-handler-agent from promoted images.

Adds a new `/test oape-review-handler` command that triggers an AI-driven
review comment handler. When invoked on a PR, the job:
- Builds a review-handler-agent image with Node.js + Claude CLI
- Fetches unresolved review threads from the PR
- Invokes Claude Code per thread to push fixes or post explanations
- Runs as optional, manual-trigger-only (always_run: false)

Prerequisite: openshift-eng/oape-ai-e2e#63 must be merged to main
before this job can function, as the image clones scripts from main.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
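The credential flow the summary above outlines (GitHub App JWT, installation lookup, access token, with a GITHUB_TOKEN/GH_TOKEN fallback), as an added shell example; it is not the PR's review-handler script nor anything from oape-ai-e2e. The App ID `12345`, the throwaway RSA key the demo generates and the default mount directory are assumptions. `installation_token` uses the documented GitHub endpoints but needs network and a real App, so only the JWT minting, verification and credential selection run offline.

```shell
#!/usr/bin/env bash
# Added example, not the PR's review-handler script: mint and verify a GitHub
# App JWT (RS256 over header.payload, signed with openssl), pick the credential
# source the same way the job does, and exchange the JWT for an installation
# token. App ID 12345 and the demo key are placeholders.
set -u

# base64url-encode stdin: '+/' -> '-_', padding stripped (RFC 7515 style)
b64url() { openssl base64 -A | tr -- '+/' '-_' | tr -d '='; }

# base64url-decode stdin, restoring the '=' padding openssl insists on
b64url_decode() {
  local s pad
  s=$(cat)
  pad=$(( (4 - ${#s} % 4) % 4 ))
  { printf '%s' "$s" | tr -- '-_' '+/'
    case $pad in 1) printf '=';; 2) printf '==';; esac; } | openssl base64 -d -A
}

# github_app_jwt APP_ID PRIVATE_KEY_PEM [NOW_EPOCH]
# iat is backdated 60 s for clock skew; exp stays inside GitHub's 10-minute cap.
github_app_jwt() {
  local app_id=$1 key=$2 now=${3:-$(date +%s)} header payload sig
  header=$(printf '{"alg":"RS256","typ":"JWT"}' | b64url)
  payload=$(printf '{"iat":%d,"exp":%d,"iss":"%s"}' \
    "$((now - 60))" "$((now + 540))" "$app_id" | b64url)
  sig=$(printf '%s.%s' "$header" "$payload" \
    | openssl dgst -sha256 -sign "$key" -binary | b64url)
  printf '%s.%s.%s' "$header" "$payload" "$sig"
}

# jwt_payload JWT -> decoded claims JSON
jwt_payload() {
  local rest=${1#*.}
  printf '%s' "${rest%%.*}" | b64url_decode
}

# verify_jwt JWT PUBLIC_KEY_PEM -> 0 only if the RS256 signature covers header.payload
verify_jwt() {
  local jwt=$1 pub=$2 h rest p s sigfile rc
  h=${jwt%%.*}; rest=${jwt#*.}; p=${rest%%.*}; s=${rest#*.}
  sigfile=$(mktemp)
  printf '%s' "$s" | b64url_decode > "$sigfile"
  printf '%s.%s' "$h" "$p" \
    | openssl dgst -sha256 -verify "$pub" -signature "$sigfile" >/dev/null 2>&1
  rc=$?
  rm -f "$sigfile"
  return "$rc"
}

# github_token_source [MOUNT_DIR]
# The job's selection rule: App credentials if both files are mounted and
# non-empty, otherwise GITHUB_TOKEN/GH_TOKEN, otherwise fail loudly.
github_token_source() {
  local dir=${1:-/var/run/github-app}
  if [ -s "$dir/app-id" ] && [ -s "$dir/private-key.pem" ]; then
    echo app
  elif [ -n "${GITHUB_TOKEN:-}${GH_TOKEN:-}" ]; then
    echo env
  else
    echo "no GitHub credentials found" >&2
    return 1
  fi
}

# installation_token JWT OWNER REPO -> short-lived installation token (needs network)
# GET /repos/{owner}/{repo}/installation, then POST /app/installations/{id}/access_tokens
installation_token() {
  local jwt=$1 owner=$2 repo=$3 inst_id
  inst_id=$(curl -sSf -H "Authorization: Bearer $jwt" \
    -H "Accept: application/vnd.github+json" \
    "https://api.github.com/repos/$owner/$repo/installation" | jq -r .id) || return 1
  curl -sSf -X POST -H "Authorization: Bearer $jwt" \
    -H "Accept: application/vnd.github+json" \
    "https://api.github.com/app/installations/$inst_id/access_tokens" | jq -r .token
}

# Stand-alone demo with a throwaway key (constructed here, not a real App key).
if [ "${1:-}" = demo ]; then
  d=$(mktemp -d)
  openssl genrsa -out "$d/key.pem" 2048 2>/dev/null
  openssl rsa -in "$d/key.pem" -pubout -out "$d/pub.pem" 2>/dev/null
  jwt=$(github_app_jwt 12345 "$d/key.pem")
  echo "claims: $(jwt_payload "$jwt")"
  verify_jwt "$jwt" "$d/pub.pem" && echo "signature OK"
  rm -rf "$d"
fi
```

Run it as `bash app-jwt.sh demo` to see the claims and the signature check; the installation token never appears in logs, which is the property the No-Sensitive-Data-In-Logs check above is looking for.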
coderabbitai Bot commented Jun 29, 2026


No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 9e411288-657b-4f55-80f0-b17da81dca12

📥 Commits

Reviewing files that changed from the base of the PR and between 714ddc9 and 4e5089d.

📒 Files selected for processing (1)
  • ci-operator/config/openshift/must-gather-operator/openshift-must-gather-operator-master.yaml
🚧 Files skipped from review as they are similar to previous changes (1)
  • ci-operator/config/openshift/must-gather-operator/openshift-must-gather-operator-master.yaml

Walkthrough

Replaces the must-gather-operator image build with an inline Dockerfile producing review-handler-agent from UBI9 go-toolset. The image is excluded from release 5.0 promotion. A new optional oape-review-handler CI task is added with GitHub App JWT authentication, Vertex AI environment setup, and execution of a review handler script.

Changes

review-handler-agent image and CI task

Layer | File(s) | Summary
Image build and promotion | ci-operator/config/openshift/must-gather-operator/openshift-must-gather-operator-master.yaml | Replaces the prior image build with an inline Dockerfile for review-handler-agent and excludes that image from release 5.0 promotion.
Optional review task | ci-operator/config/openshift/must-gather-operator/openshift-must-gather-operator-master.yaml | Adds optional PR discovery, GitHub App or token-based authentication, Vertex and Anthropic environment setup, credential mounts, and execution of /app/scripts/pr-agent/review-handler.sh.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

🚥 Pre-merge checks | ✅ 14 | ❌ 1

❌ Failed checks (1 warning)

Check name Status Explanation Resolution
Ipv6 And Disconnected Network Test Compatibility ⚠️ Warning The new oape-review-handler presubmit calls api.github.com, github.com, cli.github.com, raw.githubusercontent.com, and npm, so it needs public internet. Mirror/vendor those dependencies or gate the job to connected clusters only; if external access is unavoidable, mark it [Skipped:Disconnected].
✅ Passed checks (14 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title clearly describes the main change: adding the new oape-review-handler Prow presubmit job.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names ✅ Passed No Ginkgo titles were added or changed; the PR only introduces static ci-operator job labels and shell commands.
Test Structure And Quality ✅ Passed Only ci-operator YAML changed; no Ginkgo It/BeforeEach/Eventually test code was added or modified, so the test-structure check is not applicable.
Microshift Test Compatibility ✅ Passed Patch only adds a DNF nodejs reset in CI YAML; no new It/Describe/Context/When tests or MicroShift-sensitive APIs were added.
Single Node Openshift (Sno) Test Compatibility ✅ Passed PR only adds CI config and a shell-based presubmit; no new Go/Ginkgo e2e tests or SNO-sensitive assertions were introduced.
Topology-Aware Scheduling Compatibility ✅ Passed The PR only changes ci-operator/prow config and an image/test job; it adds no deployment manifests, replicas, affinities, nodeSelectors, or topology-spread settings.
Ote Binary Stdout Contract ✅ Passed Only ci-operator YAML changed; no Go/test-binary code or process-level stdout writes were introduced.
No-Weak-Crypto ✅ Passed No weak crypto found in the new config; the JWT block uses standard RS256 with openssl sha256 signing, and there are no secret comparisons.
Container-Privileges ✅ Passed The new CI job/image config has no privileged, hostPID/Network/IPC, SYS_ADMIN, or allowPrivilegeEscalation fields; it ends with USER 1001.
No-Sensitive-Data-In-Logs ✅ Passed The new job only logs repo/PR context and auth status; it never echoes token, key, or other sensitive values.

openshift-ci Bot commented Jun 29, 2026


[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: neha037
Once this PR has been reviewed and has the lgtm label, please assign smarthall for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 1

🧹 Nitpick comments (1)
ci-operator/config/openshift/must-gather-operator/openshift-must-gather-operator-master.yaml (1)

18-25: 🩺 Stability & Availability | 🔵 Trivial | ⚡ Quick win

Make runtime tool dependencies explicit.

The Dockerfile installs jq, but the test script invokes curl, openssl, and python3. If those are only inherited from the base image, a base refresh can break auth or PR detection. Either install them explicitly or use the already-installed jq for JSON parsing.

Localized robustness tweak
-      RUN dnf install -y git make jq && \
+      RUN dnf install -y git make jq curl openssl python3 && \

Also applies to: 243-275

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In
`@ci-operator/config/openshift/must-gather-operator/openshift-must-gather-operator-master.yaml`
around lines 18 - 25, The Dockerfile setup in the image build block installs jq
but the test flow also relies on curl, openssl, and python3, so make those
runtime dependencies explicit in the same install sequence or remove the extra
dependency by reworking the script to use jq for JSON parsing. Update the image
build steps that configure the runtime environment so the tools used by the test
script are guaranteed available regardless of the base image, keeping the
existing install logic around dnf, gh, and nodejs/claude-code intact.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: e7e046dc-9f0b-4b99-98c0-ed1a0db7d799

📥 Commits

Reviewing files that changed from the base of the PR and between ef6669c and 668b424.

⛔ Files ignored due to path filters (1)
  • ci-operator/jobs/openshift/must-gather-operator/openshift-must-gather-operator-master-presubmits.yaml is excluded by !ci-operator/jobs/**
📒 Files selected for processing (1)
  • ci-operator/config/openshift/must-gather-operator/openshift-must-gather-operator-master.yaml

Comment on lines +23 to +34
RUN dnf module enable -y nodejs:20 && \
dnf install -y nodejs npm && \
npm install -g @anthropic-ai/claude-code && \
dnf clean all
WORKDIR /app
RUN git clone --depth 1 -b main https://github.com/openshift-eng/oape-ai-e2e.git /tmp/oape && \
cp -r /tmp/oape/scripts /app/scripts && \
cp -r /tmp/oape/plugins /plugins && \
mkdir -p /config && cp -r /tmp/oape/deploy/config/* /config/ && \
rm -rf /tmp/oape
RUN go install golang.org/x/tools/cmd/goimports@v0.33.0 && \
curl -sSfL https://raw.githubusercontent.com/golangci/golangci-lint/v2.1.6/install.sh | sh -s -- -b /usr/local/bin v2.1.6
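Review bot: `dnf module enable -y nodejs:20` on the first line of this hunk fails on the ubi9/go-toolset base image, where the nodejs:22 stream is already enabled and DNF refuses to switch streams; a later commit on this PR adds `dnf module reset -y nodejs` before it, and that reset belongs in this RUN step. The rest of the hunk builds the image from three mutable inputs: `npm install -g @anthropic-ai/claude-code` with no version, a `--depth 1 -b main` clone, and an install.sh fetched from raw.githubusercontent.com and piped straight into `sh`. Because this image later runs with GitHub App and GCP credentials mounted, pin `@anthropic-ai/claude-code@<version>`, check out a commit SHA after the clone (`git -C /tmp/oape checkout <sha>`), and download install.sh to a file and compare its sha256 against a known digest before executing it, or install golangci-lint the way goimports is installed on the last line, with `go install` of a pinned module version.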


🔒 Security & Privacy | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

FILE='ci-operator/config/openshift/must-gather-operator/openshift-must-gather-operator-master.yaml'

echo "== file exists =="
git ls-files "$FILE"

echo
echo "== size =="
wc -l "$FILE"

echo
echo "== relevant excerpt =="
sed -n '1,120p' "$FILE"

Repository: openshift/release

Length of output: 3977


Pin the agent image’s external inputs
ci-operator/config/openshift/must-gather-operator/openshift-must-gather-operator-master.yaml:23-34 still pulls executable code from mutable network locations: @anthropic-ai/claude-code without a version, oape-ai-e2e from main, and the golangci-lint installer script via curl. Since this image later runs with GitHub/GCP credentials, lock these to immutable versions/SHAs and avoid piping the installer straight from the network.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In
`@ci-operator/config/openshift/must-gather-operator/openshift-must-gather-operator-master.yaml`
around lines 23 - 34, The image build is still consuming mutable external
inputs, so update the RUN steps that install `@anthropic-ai/claude-code`, clone
oape-ai-e2e, and fetch golangci-lint to use immutable pinned versions or commit
SHAs instead of latest/main. Replace the network-piped golangci-lint installer
flow with a safer, pinned install method, and keep the build reproducible by
locking every remote dependency referenced in the Dockerfile snippet.
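A worked version of the fix asked for above, as an added shell example rather than anything from this PR or oape-ai-e2e: `curl ... | sh` replaced by fetch, compare against a pinned sha256, then run; and a branch clone replaced by a checkout of an exact commit that is confirmed afterwards. The function names and the stand-in `install.sh` the demo writes are assumptions; the real digest for golangci-lint's install.sh must come from a copy you verified out-of-band and is deliberately not given here.

```shell
#!/usr/bin/env bash
# Added example, not the PR's Dockerfile: the shell a pinned RUN step would
# execute. Digests are placeholders to be filled from an out-of-band check.
set -u

# sha256_of FILE -> lowercase hex digest (sha256sum, or openssl where absent)
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    openssl dgst -sha256 -r "$1" | cut -d' ' -f1
  fi
}

# verify_then_run SCRIPT EXPECTED_SHA256 [ARGS...]
# The replacement for `curl ... | sh`: the installer only executes if it is
# byte-for-byte the file whose digest was pinned at review time.
verify_then_run() {
  local script=$1 want=$2 got
  shift 2
  got=$(sha256_of "$script")
  if [ "$got" != "$want" ]; then
    echo "refusing to run $script: sha256 $got != $want" >&2
    return 1
  fi
  sh "$script" "$@"
}

# fetch_verified URL DEST EXPECTED_SHA256
# HTTPS-only download, then verify; the file is deleted on mismatch so no
# later step can pick up an unverified artifact. Needs network.
fetch_verified() {
  local url=$1 dest=$2 want=$3
  curl -sSfL --proto '=https' --tlsv1.2 -o "$dest" "$url" || return 1
  if [ "$(sha256_of "$dest")" != "$want" ]; then
    echo "checksum mismatch for $url" >&2
    rm -f "$dest"
    return 1
  fi
}

# clone_pinned REPO_URL COMMIT_SHA DEST
# Clone, check out the exact commit, and confirm HEAD is that commit, so a
# branch moved or force-pushed after review cannot change what lands in the image.
clone_pinned() {
  local url=$1 sha=$2 dest=$3
  git clone --quiet "$url" "$dest" || return 1
  git -C "$dest" checkout --quiet "$sha" 2>/dev/null || return 1
  [ "$(git -C "$dest" rev-parse HEAD)" = "$sha" ]
}

# Stand-alone demo on a constructed installer (no network, no real digest).
if [ "${1:-}" = demo ]; then
  d=$(mktemp -d)
  printf '#!/bin/sh\necho "installer ran with: $*"\n' > "$d/install.sh"
  pinned=$(sha256_of "$d/install.sh")
  verify_then_run "$d/install.sh" "$pinned" -b /usr/local/bin v2.1.6
  echo 'echo tampered' >> "$d/install.sh"
  verify_then_run "$d/install.sh" "$pinned" || echo "tampered installer rejected"
  rm -rf "$d"
fi
```

In the Dockerfile this becomes `npm install -g @anthropic-ai/claude-code@<version>`, `clone_pinned https://github.com/openshift-eng/oape-ai-e2e.git <commit sha> /tmp/oape` in place of `-b main`, and `fetch_verified` followed by `verify_then_run ... -b /usr/local/bin v2.1.6` in place of the pipe; `--proto '=https'` also stops a redirect from downgrading the fetch to plain HTTP.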

@openshift-merge-bot


@neha037: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

@openshift-merge-bot


@neha037: job(s): oape-review-handler either don't exist or were not found to be affected, and cannot be rehearsed

Switch the review-handler-agent dockerfile_literal to clone from
neha037/oape-ai-e2e branch oape-review-handler instead of
openshift-eng/oape-ai-e2e main, matching the pattern used by
ci-monitor-agent in PR openshift#80727.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
neha037 commented Jun 29, 2026


/pj-rehearse oape-review-handler

@openshift-merge-bot


@neha037: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

@openshift-merge-bot


@neha037: job(s): oape-review-handler either don't exist or were not found to be affected, and cannot be rehearsed

neha037 commented Jun 29, 2026


/pj-rehearse pull-ci-openshift-must-gather-operator-master-oape-review-handler

@openshift-merge-bot


@neha037: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

The ubi9/go-toolset base image has nodejs stream 22 already enabled.
dnf module enable nodejs:20 fails because DNF refuses to switch
streams without an explicit reset. Add dnf module reset -y nodejs
before enabling stream 20.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@openshift-merge-bot


[REHEARSALNOTIFIER]
@neha037: the pj-rehearse plugin accommodates running rehearsal tests for the changes in this PR. Expand 'Interacting with pj-rehearse' for usage details. The following rehearsable tests have been affected by this change:

Test name Repo Type Reason
pull-ci-openshift-must-gather-operator-master-oape-review-handler openshift/must-gather-operator presubmit Presubmit changed
pull-ci-openshift-must-gather-operator-master-ci-bundle-must-gather-operator-bundle openshift/must-gather-operator presubmit Ci-operator config changed
pull-ci-openshift-must-gather-operator-master-coverage openshift/must-gather-operator presubmit Ci-operator config changed
pull-ci-openshift-must-gather-operator-master-e2e-gcp-operator openshift/must-gather-operator presubmit Ci-operator config changed
pull-ci-openshift-must-gather-operator-master-e2e-gcp-operator-rhcos10 openshift/must-gather-operator presubmit Ci-operator config changed
pull-ci-openshift-must-gather-operator-master-e2e-gcp-operator-rhcos10-fips openshift/must-gather-operator presubmit Ci-operator config changed
pull-ci-openshift-must-gather-operator-master-images openshift/must-gather-operator presubmit Ci-operator config changed
pull-ci-openshift-must-gather-operator-master-lint openshift/must-gather-operator presubmit Ci-operator config changed
pull-ci-openshift-must-gather-operator-master-test openshift/must-gather-operator presubmit Ci-operator config changed
pull-ci-openshift-must-gather-operator-master-validate-boilerplate openshift/must-gather-operator presubmit Ci-operator config changed
pull-ci-openshift-must-gather-operator-master-verify-deps openshift/must-gather-operator presubmit Ci-operator config changed
Interacting with pj-rehearse

Comment: /pj-rehearse to run up to 5 rehearsals
Comment: /pj-rehearse skip to opt-out of rehearsals
Comment: /pj-rehearse {test-name}, with each test separated by a space, to run one or more specific rehearsals
Comment: /pj-rehearse more to run up to 10 rehearsals
Comment: /pj-rehearse max to run up to 25 rehearsals
Comment: /pj-rehearse auto-ack to run up to 5 rehearsals, and add the rehearsals-ack label on success
Comment: /pj-rehearse list to get an up-to-date list of affected jobs
Comment: /pj-rehearse abort to abort all active rehearsals
Comment: /pj-rehearse network-access-allowed to allow rehearsals of tests that have the restrict_network_access field set to false. This must be executed by an openshift org member who is not the PR author

Once you are satisfied with the results of the rehearsals, comment: /pj-rehearse ack to unblock merge. When the rehearsals-ack label is present on your PR, merge will no longer be blocked by rehearsals.
If you would like the rehearsals-ack label removed, comment: /pj-rehearse reject to re-block merging.

neha037 commented Jun 29, 2026


/pj-rehearse pull-ci-openshift-must-gather-operator-master-oape-review-handler

@openshift-merge-bot


@neha037: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

neha037 commented Jun 29, 2026


/pj-rehearse pull-ci-openshift-must-gather-operator-master-oape-review-handler

@openshift-merge-bot


@neha037: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

openshift-ci Bot commented Jun 29, 2026


@neha037: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.
