[openshift-eng/oape-ai-e2e] Re-use gh-token-minter in workflow job#80233

Merged
openshift-merge-bot[bot] merged 1 commit into openshift:main from swghosh:oape-ai-e2e/prow-workflow on Jun 9, 2026

Conversation

@swghosh swghosh commented Jun 8, 2026

Member

🤖 Generated with Claude Code

Summary by CodeRabbit

This PR updates the OpenShift CI configuration for the openshift-eng/oape-ai-e2e repository to change how the Prow workflow mints GitHub access tokens and to introduce workflow helper images.

What changed (practical impact)

  • CI config affected: ci-operator configuration for the oape-ai-e2e component (ci-operator/config/openshift-eng/oape-ai-e2e/openshift-eng-oape-ai-e2e-main.yaml).
  • New/updated images: workflow-input, gh-token-minter, agent-worker and go-server are declared; workflow-input is intentionally excluded from promotion.
  • Token minting: the run-workflow test’s mint-gh-token step no longer constructs JWTs inline with openssl/curl/python. Instead it runs the gh-token-minter container (from: gh-token-minter) and executes python /app/ghpat_server.py to mint the GitHub token, writing the token to ${SHARED_DIR}/gh-token. The step mounts the GitHub App credentials at /var/run/github-app.
  • Workflow orchestration: the run-workflow job has three sequential steps:
    • extract-params (from: workflow-input) copies workflow params into SHARED_DIR/params.env,
    • mint-gh-token (from: gh-token-minter) produces ${SHARED_DIR}/gh-token,
    • agent-workflow (from: agent-worker) reads params and the minted GH_TOKEN, sets GCP/Anthropic environment variables, and runs the AI agent (python3.11 main.py).
  • Secrets/credentials: GitHub App credentials and GCP ADC are mounted into their respective steps via test credentials.

Notes and dependencies

  • This change depends on gh-token-minter providing CLI/standalone mode (ghpat_server.py emitting the token to stdout); the PR references an upstream change enabling that behavior.

@openshift-ci openshift-ci Bot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Jun 8, 2026
coderabbitai Bot commented Jun 8, 2026

Contributor

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 69f38d07-0640-4ea6-b26c-92569eb45287

📥 Commits

Reviewing files that changed from the base of the PR and between 1e7d1aa and 5806f76.

📒 Files selected for processing (1)
  • ci-operator/config/openshift-eng/oape-ai-e2e/openshift-eng-oape-ai-e2e-main.yaml

Walkthrough

Updates the run-workflow e2e job's mint-gh-token step to delegate GitHub App access token minting to the gh-token-minter image by running /app/ghpat_server.py, exporting GH_APP_ID, setting GH_APP_PEM_FILE_PATH, and writing the minted token to ${SHARED_DIR}/gh-token.

Changes

AI E2E Test Workflow Configuration

Layer / File(s) Summary
Mint step delegates to ghpat_server.py
ci-operator/config/openshift-eng/oape-ai-e2e/openshift-eng-oape-ai-e2e-main.yaml
Replaces the inline JWT/cURL/openssl token creation with running python /app/ghpat_server.py in the gh-token-minter image, exports GH_APP_ID, sets GH_APP_PEM_FILE_PATH, and writes the resulting token to ${SHARED_DIR}/gh-token.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

🚥 Pre-merge checks | ✅ 15
✅ Passed checks (15 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title directly reflects the main change: replacing inline JWT minting with the gh-token-minter image's CLI mode in the workflow job.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names ✅ Passed PR modifies only a CI-operator YAML config file with no Ginkgo test definitions; the check for stable test names does not apply to CI configuration changes.
Test Structure And Quality ✅ Passed No Ginkgo test code present in this PR. Changes are CI/YAML configuration only, not test code.
Microshift Test Compatibility ✅ Passed No Ginkgo e2e tests are added in this PR—only CI/operator YAML configuration is modified for token minting logic. The custom check does not apply.
Single Node Openshift (Sno) Test Compatibility ✅ Passed PR does not add any Ginkgo e2e tests; it only modifies CI/Prow configuration YAML for token minting. SNO compatibility check is not applicable.
Topology-Aware Scheduling Compatibility ✅ Passed PR contains only CI/operator config files (Prow jobs, ci-operator config) with no Kubernetes deployment manifests, operator code, or controllers. No scheduling constraints were introduced.
Ote Binary Stdout Contract ✅ Passed PR modifies only CI/operator YAML and documentation; no OTE binary code changes. Check not applicable.
Ipv6 And Disconnected Network Test Compatibility ✅ Passed No new Ginkgo e2e tests are added in this PR. The changes are to CI/operator YAML configuration only, modifying GitHub token minting logic in a CI step. The custom check is not applicable.
No-Weak-Crypto ✅ Passed PR modifies only CI YAML configuration, delegating JWT minting to external service. No weak crypto or custom implementations introduced in the changed YAML.
Container-Privileges ✅ Passed CI YAML config contains no privileged: true, hostPID/Network/IPC, SYS_ADMIN capabilities, root execution, or allowPrivilegeEscalation settings.
No-Sensitive-Data-In-Logs ✅ Passed No sensitive data logging detected. The code uses 'set +x' to disable debug logging, redirects token output to file, and never echoes credentials or tokens to logs.


@openshift-merge-bot

Contributor

@swghosh, pj-rehearse: unable to determine affected jobs. This could be due to a branch that needs to be rebased. ERROR:

couldn't prepare candidate: couldn't rebase candidate onto e7590ed747edf939c14c54aa1740a7cc79319130 due to conflicts
Interacting with pj-rehearse

Comment: /pj-rehearse to run up to 5 rehearsals
Comment: /pj-rehearse skip to opt-out of rehearsals
Comment: /pj-rehearse {test-name}, with each test separated by a space, to run one or more specific rehearsals
Comment: /pj-rehearse more to run up to 10 rehearsals
Comment: /pj-rehearse max to run up to 25 rehearsals
Comment: /pj-rehearse auto-ack to run up to 5 rehearsals, and add the rehearsals-ack label on success
Comment: /pj-rehearse list to get an up-to-date list of affected jobs
Comment: /pj-rehearse abort to abort all active rehearsals
Comment: /pj-rehearse network-access-allowed to allow rehearsals of tests that have the restrict_network_access field set to false. This must be executed by an openshift org member who is not the PR author

Once you are satisfied with the results of the rehearsals, comment: /pj-rehearse ack to unblock merge. When the rehearsals-ack label is present on your PR, merge will no longer be blocked by rehearsals.
If you would like the rehearsals-ack label removed, comment: /pj-rehearse reject to re-block merging.

@openshift-ci openshift-ci Bot requested review from mytreya-rh and rausingh-rh June 8, 2026 15:42
@openshift-ci openshift-ci Bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Jun 8, 2026

@coderabbitai coderabbitai Bot left a comment

Contributor

🧹 Nitpick comments (1)
ci-operator/config/openshift-eng/oape-ai-e2e/openshift-eng-oape-ai-e2e-main.yaml (1)

38-40: 💤 Low value

Consider removing the cat to avoid potential log exposure.

If params.env ever contains sensitive values (e.g., API endpoints with tokens, internal URLs), they will appear in CI logs. The cp already confirms successful extraction.

Suggested fix
      commands: |
        cp /params.env "${SHARED_DIR}/params.env"
-       cat "${SHARED_DIR}/params.env"

Based on coding guidelines: "Never echo or print passwords, tokens, API keys, cluster URLs, or kubeconfig contents" in step registry scripts.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In
`@ci-operator/config/openshift-eng/oape-ai-e2e/openshift-eng-oape-ai-e2e-main.yaml`
around lines 38 - 40, The commands block currently copies then prints params.env
(the lines with cp /params.env "${SHARED_DIR}/params.env" and cat
"${SHARED_DIR}/params.env"); remove the cat "${SHARED_DIR}/params.env" to avoid
exposing sensitive values in CI logs and keep only the cp step (or, if you need
verification, replace the print with a non-sensitive existence check such as
testing the file presence via [ -s ] or ls) while leaving the cp and SHARED_DIR
usage unchanged.

Source: Coding guidelines


ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 0bb17a25-1085-45a5-9491-26a932fcfc10

📥 Commits

Reviewing files that changed from the base of the PR and between 92a93e9 and 1e7d1aa.

⛔ Files ignored due to path filters (2)
  • ci-operator/jobs/openshift-eng/oape-ai-e2e/openshift-eng-oape-ai-e2e-main-postsubmits.yaml is excluded by !ci-operator/jobs/**
  • ci-operator/jobs/openshift-eng/oape-ai-e2e/openshift-eng-oape-ai-e2e-main-presubmits.yaml is excluded by !ci-operator/jobs/**
📒 Files selected for processing (1)
  • ci-operator/config/openshift-eng/oape-ai-e2e/openshift-eng-oape-ai-e2e-main.yaml
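The following is an added example, not the configuration from this PR and not code from the gh-token-minter project. It shows, in plain shell, the log-safe version of the extract-params step that the nitpick above asks for, plus how a downstream step (the agent-workflow step in the PR description) can read the minted token from ${SHARED_DIR} into GH_TOKEN without it reaching the CI log. The function names, the sample params.env contents and the sample token value are all constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example, not from the PR: a log-safe version of the extract-params step
# and of reading the minted token from ${SHARED_DIR}. Function names and sample
# values below are constructed for illustration.
set -eu

# Print only the variable NAMES in a KEY=VALUE file (comments and blank lines
# are skipped). Safe for logs: values are never emitted.
param_keys() {
  sed -n 's/^[[:space:]]*\([A-Za-z_][A-Za-z0-9_]*\)=.*/\1/p' "$1"
}

# Copy params.env into SHARED_DIR and confirm the copy with a size check instead
# of cat-ing it, so no value in the file is written to the CI log.
extract_params() {
  local src="$1" shared_dir="$2"
  cp "$src" "${shared_dir}/params.env" || return 1
  [ -s "${shared_dir}/params.env" ] || {
    echo "params.env missing or empty after copy" >&2
    return 1
  }
  echo "params.env copied ($(param_keys "${shared_dir}/params.env" | wc -l | tr -d ' ') keys)"
}

# Load the minted token into GH_TOKEN without echoing it. Tracing is switched
# off first so the assignment cannot leak through 'set -x'.
load_token() {
  local token_file="$1"
  [ -s "$token_file" ] || {
    echo "token file missing or empty" >&2
    return 1
  }
  { set +x; } 2>/dev/null
  GH_TOKEN="$(tr -d '\n' < "$token_file")"
  export GH_TOKEN
  echo "GH_TOKEN loaded (${#GH_TOKEN} chars)"
}

# Demo with constructed input standing in for the workflow-input image's
# /params.env and for the gh-token-minter step's ${SHARED_DIR}/gh-token.
demo() {
  local work shared
  work="$(mktemp -d)"
  shared="${work}/shared"
  mkdir "$shared"
  printf 'WORKFLOW_REPO=openshift-eng/oape-ai-e2e\nAPI_URL=https://example.invalid/?key=CONSTRUCTED\n' > "${work}/params.env"
  printf 'ghs_CONSTRUCTED_SAMPLE_TOKEN\n' > "${shared}/gh-token"
  extract_params "${work}/params.env" "$shared"
  param_keys "${shared}/params.env"
  load_token "${shared}/gh-token"
  rm -rf "$work"
}

demo
```

The `[ -s ]` check gives the same "did the copy work" signal as the `cat` the reviewer flagged, and `param_keys` gives a debugging aid (which variables the workflow-input image provided) without exposing a single value; the token is only ever read from its file into an environment variable, never printed.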

@swghosh swghosh marked this pull request as draft June 8, 2026 18:08
@openshift-ci openshift-ci Bot added do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. and removed needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. labels Jun 8, 2026
@openshift-merge-bot

Contributor

@swghosh, pj-rehearse: unable to determine affected jobs. This could be due to a branch that needs to be rebased. ERROR:

couldn't prepare candidate: couldn't rebase candidate onto 0495df244a0d6b561d1970d05e9a8cb27b472763 due to conflicts
Interacting with pj-rehearse

Comment: /pj-rehearse to run up to 5 rehearsals
Comment: /pj-rehearse skip to opt-out of rehearsals
Comment: /pj-rehearse {test-name}, with each test separated by a space, to run one or more specific rehearsals
Comment: /pj-rehearse more to run up to 10 rehearsals
Comment: /pj-rehearse max to run up to 25 rehearsals
Comment: /pj-rehearse auto-ack to run up to 5 rehearsals, and add the rehearsals-ack label on success
Comment: /pj-rehearse list to get an up-to-date list of affected jobs
Comment: /pj-rehearse abort to abort all active rehearsals
Comment: /pj-rehearse network-access-allowed to allow rehearsals of tests that have the restrict_network_access field set to false. This must be executed by an openshift org member who is not the PR author

Once you are satisfied with the results of the rehearsals, comment: /pj-rehearse ack to unblock merge. When the rehearsals-ack label is present on your PR, merge will no longer be blocked by rehearsals.
If you would like the rehearsals-ack label removed, comment: /pj-rehearse reject to re-block merging.

@swghosh swghosh marked this pull request as ready for review June 8, 2026 18:14
@openshift-ci openshift-ci Bot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Jun 8, 2026
@swghosh swghosh changed the title oape-ai-e2e: use gh-token-minter image for Prow workflow token minting [openshift-eng/oape-ai-e2e] Re-use gh-token-minter in workflow job Jun 8, 2026
Replace inline bash/openssl JWT minting with the gh-token-minter
image's CLI mode, which handles the same logic via ghpat_server.py.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Signed-off-by: Swarup Ghosh <swghosh@redhat.com>
@swghosh swghosh force-pushed the oape-ai-e2e/prow-workflow branch from 087b7de to 5806f76 Compare June 9, 2026 07:12
@openshift-merge-bot

Contributor

[REHEARSALNOTIFIER]
@swghosh: the pj-rehearse plugin accommodates running rehearsal tests for the changes in this PR. Expand 'Interacting with pj-rehearse' for usage details. The following rehearsable tests have been affected by this change:

Test name Repo Type Reason
pull-ci-openshift-eng-oape-ai-e2e-main-run-workflow openshift-eng/oape-ai-e2e presubmit Ci-operator config changed
Interacting with pj-rehearse

Comment: /pj-rehearse to run up to 5 rehearsals
Comment: /pj-rehearse skip to opt-out of rehearsals
Comment: /pj-rehearse {test-name}, with each test separated by a space, to run one or more specific rehearsals
Comment: /pj-rehearse more to run up to 10 rehearsals
Comment: /pj-rehearse max to run up to 25 rehearsals
Comment: /pj-rehearse auto-ack to run up to 5 rehearsals, and add the rehearsals-ack label on success
Comment: /pj-rehearse list to get an up-to-date list of affected jobs
Comment: /pj-rehearse abort to abort all active rehearsals
Comment: /pj-rehearse network-access-allowed to allow rehearsals of tests that have the restrict_network_access field set to false. This must be executed by an openshift org member who is not the PR author

Once you are satisfied with the results of the rehearsals, comment: /pj-rehearse ack to unblock merge. When the rehearsals-ack label is present on your PR, merge will no longer be blocked by rehearsals.
If you would like the rehearsals-ack label removed, comment: /pj-rehearse reject to re-block merging.

swghosh commented Jun 9, 2026

Member Author

/pj-rehearse

@openshift-merge-bot

Contributor

@swghosh: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

swghosh commented Jun 9, 2026

Member Author

@openshift-merge-bot

Contributor

@swghosh: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

@openshift-merge-bot openshift-merge-bot Bot added the rehearsals-ack Signifies that rehearsal jobs have been acknowledged label Jun 9, 2026
@shivprakashmuley

Contributor

/lgtm

@openshift-ci openshift-ci Bot added the lgtm Indicates that a PR is ready to be merged. label Jun 9, 2026
openshift-ci Bot commented Jun 9, 2026

Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: shivprakashmuley, swghosh

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

openshift-ci Bot commented Jun 9, 2026

Contributor

@swghosh: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name Commit Details Required Rerun command
ci/prow/config 1e7d1aa link true /test config
ci/prow/prow-config-semantics 1e7d1aa link true /test prow-config-semantics

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

@openshift-merge-bot openshift-merge-bot Bot merged commit eedaeff into openshift:main Jun 9, 2026
15 checks passed