Skip to content

ROX-29003: Add ACS smoke test#423

Open
kurlov wants to merge 12 commits into
masterfrom
akurlov/ROX-29003-smoke-test-on-infra
Open

ROX-29003: Add ACS smoke test#423
kurlov wants to merge 12 commits into
masterfrom
akurlov/ROX-29003-smoke-test-on-infra

Conversation

@kurlov

@kurlov kurlov commented Jul 2, 2026

Copy link
Copy Markdown
Member

Add an automated ACS smoke test running on GHA for PRs which add a new ACS version(s) to the bundles.yaml file (e.g. #427).

GH actions files:

  1. acs-smoke-test.yml - setups infra cluster and triggers smoke test for the provided operator-index image and ACS version.
    This workflow is tested in this PR 🟢
  2. auto-smoke-test - derives ACS version(s) from diff of PR which updates bundles.yaml. Also it waits for the Konflux pipeline success check and once it's green and checks the operator-index image. I intentionally decided to wait for check status instead of waiting for image because it allows fail faster (check failed). Then it builds a test matrix of ACS version(s) and operator-index image (the image is the same no matter how many ACS versions was added to the bundles.yaml file).
    This workflow is NOT tested in this PR ⚠️

Smoke test

Each smoke test runs on the single infra cluster.
The test consists of two scenarios:

  1. Scenario 1: Install oldest supported ACS and then upgrade to the provided version. The oldest supported version parsed from bundles.yaml file.
  2. Reset the cluster for the next scenario
  3. Scenario 2: Install provided ACS operator-index and upgrade to the latest if available

@coderabbitai

coderabbitai Bot commented Jul 2, 2026

Copy link
Copy Markdown

Review Change Stack

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

  • @coderabbitai resume to resume automatic reviews.
  • @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

  • ▶️ Resume reviews
  • 🔍 Trigger review
📝 Walkthrough

Walkthrough

The PR adds ACS smoke-test automation in GitHub Actions and Bash: workflows derive inputs and run cluster-based smoke tests, while shared helpers and a test script handle install, upgrade, polling, reset, cleanup, and reporting.

Changes

ACS smoke test automation

Layer / File(s) Summary
Workflow input derivation and dispatch
.github/workflows/auto-smoke-test.yml, .github/workflows/acs-smoke-test.yml
Defines triggers and inputs, derives acs-version and operator-index-image, and conditionally calls the reusable smoke-test workflow.
Cluster provisioning and smoke test run
.github/workflows/acs-smoke-test.yml
Creates the OpenShift cluster, runs the smoke-test scripts in a container, resets operator state between runs, deletes the cluster, and publishes the step summary.
Smoke test helper library
smoke-test/lib.sh
Adds Bash helpers for logging, version parsing, catalog source handling, subscription management, CSV polling, install and upgrade primitives, CSV logging, and cleanup.
Install and upgrade flows
smoke-test/lib.sh
Adds official and custom catalog install paths, custom and latest-GA upgrade paths, and reset behavior between tests.
Latest GA upgrade test
smoke-test/upgrade-latest-test.sh
Implements the custom-install and conditional latest-GA upgrade test flow using the shared helpers.

Estimated code review effort: 4 (Complex) | ~60 minutes

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
Title check ✅ Passed The title is concise and accurately summarizes the main change: adding an ACS smoke test.
Description check ✅ Passed The description is clearly related to the workflow and smoke-test changes in the pull request.
✨ Finishing Touches
📝 Generate docstrings
  • Create stacked PR
  • Commit on current branch
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch akurlov/ROX-29003-smoke-test-on-infra

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 3

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (3)
.github/workflows/auto-smoke-test.yml (1)

1-115: 🔒 Security & Privacy | 🟠 Major | ⚡ Quick win

Add an explicit permissions: block.

No permissions: is set for this workflow, so derive-inputs runs with default (often broad) GITHUB_TOKEN scope, and the flagged token is what's used for the git diff/checkout in this job.

🔒 Proposed fix
 name: "Auto Smoke Test"
+
+permissions:
+  contents: read
 
 on:
As per static analysis hints (zizmor `excessive-permissions`, lines 1-115, 26-104).
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/auto-smoke-test.yml around lines 1 - 115, Add an explicit
permissions block for this workflow so the default GITHUB_TOKEN is not
over-scoped. Update the workflow near the top of the file and ensure the
derive-inputs job only has the minimum access needed for actions/checkout and
the git diff logic, rather than relying on the broad default token permissions.
Use the workflow-level permissions setting to lock this down.

Source: Linters/SAST tools

.github/workflows/acs-smoke-test.yml (1)

1-43: 🔒 Security & Privacy | 🟠 Major | ⚡ Quick win

Add an explicit permissions: block.

No permissions: is declared, so the workflow runs with the (often broad) default GITHUB_TOKEN scope for every job, including run-smoke-tests which also holds GH_TOKEN: ${{ github.token }} in env. Scope this down to least privilege (e.g. contents: read), overriding per-job if a step genuinely needs more.

🔒 Proposed fix
 name: "ACS Smoke Test"
+
+permissions:
+  contents: read
 
 on:
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/acs-smoke-test.yml around lines 1 - 43, Add an explicit
permissions block to the ACS Smoke Test workflow so the default GITHUB_TOKEN
scope is restricted to least privilege instead of inheriting broad access.
Update the workflow-level configuration near the on/workflow_call and env
sections, and keep any job-specific elevation only where a step truly needs it;
the run-smoke-tests job should continue using GH_TOKEN from github.token but
with the workflow permissions narrowed, such as contents: read.
smoke-test/upgrade-latest-test.sh (1)

32-42: 🎯 Functional Correctness | 🔴 Critical | ⚡ Quick win

Graceful-skip claim doesn't hold — wait_for_catalog hard-exits the whole script.

The comment says a catalog timeout should degrade gracefully, but wait_for_catalog is invoked directly in the if condition (not in a subshell). Since wait_for_catalog calls fail(), which does exit 1 (lib.sh line 11), a timeout kills the entire script instead of just falling through to the else branch. The && short-circuit never gets a chance to evaluate to false because the process exits first.

Wrap the call in a subshell so its internal exit only terminates the subshell, letting the if/else logic work as intended:

🐛 Proposed fix
-if wait_for_catalog "redhat-operators" "openshift-marketplace" 180 &&
+if ( wait_for_catalog "redhat-operators" "openshift-marketplace" 180 ) &&
    latest=$(get_latest_official_minor "$ACS_MAJOR") && [[ -n "$latest" ]]; then
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@smoke-test/upgrade-latest-test.sh` around lines 32 - 42, The graceful-skip
path in `upgrade-latest-test.sh` does not work because `wait_for_catalog` can
call `fail()` and exit the whole script before the `if` can fall through. Update
the `if` condition around `wait_for_catalog`, `get_latest_official_minor`, and
the `LATEST_MINOR` assignment so the catalog check runs in a subshell and only
affects the condition result. Keep the existing `info`/`warn` branches, but
ensure a timeout or catalog failure does not terminate the script and instead
reaches the upgrade-skip `else` path.
🧹 Nitpick comments (3)
.github/workflows/auto-smoke-test.yml (2)

34-37: 🔒 Security & Privacy | 🔵 Trivial | ⚡ Quick win

Set persist-credentials: false on checkout.

fetch-depth: 0 checkout persists the GITHUB_TOKEN credential by default; this job doesn't push anything, so disable persistence for defense-in-depth.

🔒 Proposed fix
       - name: Check out code
         uses: actions/checkout@v7
         with:
           fetch-depth: 0
+          persist-credentials: false
As per static analysis hints (zizmor `artipacked`, lines 34-37).
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/auto-smoke-test.yml around lines 34 - 37, The checkout
step in the workflow currently leaves the default GitHub token credentials
persisted, which is unnecessary for this read-only job. Update the
actions/checkout usage in the “Check out code” step to disable credential
persistence by setting persist-credentials to false alongside the existing
fetch-depth setting. This is the only change needed in the checkout
configuration.

Source: Linters/SAST tools


106-114: 🔒 Security & Privacy | 🔵 Trivial | ⚡ Quick win

Consider scoping secrets: inherit to only what's needed.

secrets: inherit passes every repo/org secret to the called workflow, which only needs GCP_RELEASE_AUTOMATION_SA. Passing it explicitly via secrets: would narrow the blast radius if this workflow is ever triggered from less-trusted contexts.
As per static analysis hints (zizmor secrets-inherit, line 110).

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/auto-smoke-test.yml around lines 106 - 114, The reusable
workflow invocation in smoke-test currently uses secrets: inherit, which exposes
all available secrets to the called workflow. Replace it with an explicit
secrets mapping that passes only the secret actually needed by
acs-smoke-test.yml, using the smoke-test job’s uses block and secrets
configuration to narrow access.

Source: Linters/SAST tools

.github/workflows/acs-smoke-test.yml (1)

71-72: 🔒 Security & Privacy | 🔵 Trivial | ⚡ Quick win

Consider persist-credentials: false on checkout.

The container job checks out the repo but never pushes; persisting the token on disk is unnecessary residual exposure, especially combined with the missing permissions: block above.

🔒 Proposed fix
       - name: Check out code
         uses: actions/checkout@v7
+        with:
+          persist-credentials: false
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/acs-smoke-test.yml around lines 71 - 72, The checkout step
in the ACS smoke test workflow leaves Git credentials on disk even though the
container job does not push; update the `actions/checkout` usage to disable
credential persistence, and make sure the workflow’s job-level `permissions` are
explicitly scoped as tightly as possible. Use the `Check out code` step in
`acs-smoke-test.yml` and the surrounding job definition to apply the security
hardening consistently.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/auto-smoke-test.yml:
- Around line 72-105: The Determine operator-index image step is interpolating
inputs.operator-index-image-override directly inside the shell script, which
should be avoided. Move the override value into an env entry for this step and
read it from the environment in the run block instead of embedding the input in
the script. Keep the existing logic in the image step and update the
operator-index-image-override check to use the env-backed value so the rest of
the loop and GITHUB_OUTPUT handling stays unchanged.
- Around line 54-58: Update the NEW_VERSIONS extraction in the auto-smoke-test
workflow so it only matches indented bundle version entries, not any added key
containing version:. The current grep in the bundle diff parsing can
accidentally pick up oldest_supported_version lines; tighten the pattern in the
version-filtering pipeline (the shell snippet that uses git diff, grep, sed, and
sort) to match only lines with leading indentation before version so
support-policy updates are ignored.
- Around line 39-70: The Determine ACS version step is interpolating user/input
and GitHub context directly into the shell script, so move the acs-version
override and base ref values into env variables instead of embedding `${{
inputs.acs-version-override }}` and `${{ github.base_ref }}` in the run block.
Update the workflow step to read those values inside the script as
`$ACS_VERSION_OVERRIDE` and `$BASE_REF`, and keep the existing logic in the
version-determination flow unchanged.

---

Outside diff comments:
In @.github/workflows/acs-smoke-test.yml:
- Around line 1-43: Add an explicit permissions block to the ACS Smoke Test
workflow so the default GITHUB_TOKEN scope is restricted to least privilege
instead of inheriting broad access. Update the workflow-level configuration near
the on/workflow_call and env sections, and keep any job-specific elevation only
where a step truly needs it; the run-smoke-tests job should continue using
GH_TOKEN from github.token but with the workflow permissions narrowed, such as
contents: read.

In @.github/workflows/auto-smoke-test.yml:
- Around line 1-115: Add an explicit permissions block for this workflow so the
default GITHUB_TOKEN is not over-scoped. Update the workflow near the top of the
file and ensure the derive-inputs job only has the minimum access needed for
actions/checkout and the git diff logic, rather than relying on the broad
default token permissions. Use the workflow-level permissions setting to lock
this down.

In `@smoke-test/upgrade-latest-test.sh`:
- Around line 32-42: The graceful-skip path in `upgrade-latest-test.sh` does not
work because `wait_for_catalog` can call `fail()` and exit the whole script
before the `if` can fall through. Update the `if` condition around
`wait_for_catalog`, `get_latest_official_minor`, and the `LATEST_MINOR`
assignment so the catalog check runs in a subshell and only affects the
condition result. Keep the existing `info`/`warn` branches, but ensure a timeout
or catalog failure does not terminate the script and instead reaches the
upgrade-skip `else` path.

---

Nitpick comments:
In @.github/workflows/acs-smoke-test.yml:
- Around line 71-72: The checkout step in the ACS smoke test workflow leaves Git
credentials on disk even though the container job does not push; update the
`actions/checkout` usage to disable credential persistence, and make sure the
workflow’s job-level `permissions` are explicitly scoped as tightly as possible.
Use the `Check out code` step in `acs-smoke-test.yml` and the surrounding job
definition to apply the security hardening consistently.

In @.github/workflows/auto-smoke-test.yml:
- Around line 34-37: The checkout step in the workflow currently leaves the
default GitHub token credentials persisted, which is unnecessary for this
read-only job. Update the actions/checkout usage in the “Check out code” step to
disable credential persistence by setting persist-credentials to false alongside
the existing fetch-depth setting. This is the only change needed in the checkout
configuration.
- Around line 106-114: The reusable workflow invocation in smoke-test currently
uses secrets: inherit, which exposes all available secrets to the called
workflow. Replace it with an explicit secrets mapping that passes only the
secret actually needed by acs-smoke-test.yml, using the smoke-test job’s uses
block and secrets configuration to narrow access.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Central YAML (base), Organization UI (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: e72ae90a-9989-401c-a338-0777f2c3706a

📥 Commits

Reviewing files that changed from the base of the PR and between ec13353 and 7641694.

📒 Files selected for processing (4)
  • .github/workflows/acs-smoke-test.yml
  • .github/workflows/auto-smoke-test.yml
  • smoke-test/lib.sh
  • smoke-test/upgrade-latest-test.sh

Comment thread .github/workflows/auto-smoke-test.yml
Comment thread .github/workflows/auto-smoke-test.yml Outdated
Comment thread .github/workflows/auto-smoke-test.yml

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

♻️ Duplicate comments (1)
.github/workflows/auto-smoke-test.yml (1)

57-58: 🔒 Security & Privacy | 🟠 Major | ⚡ Quick win

github.base_ref still interpolated directly into shell.

The acs-version-override and operator-index-image-override interpolations were correctly moved into env:, but github.base_ref at Line 58 is still expanded directly inside the run: script — the exact concern raised previously and still flagged by static analysis.

🔒 Proposed fix
       - name: Determine ACS version
         id: version
         env:
           ACS_VERSION_OVERRIDE: ${{ inputs.acs-version-override }}
           OPERATOR_INDEX_IMAGE_OVERRIDE: ${{ inputs.operator-index-image-override }}
+          BASE_REF: ${{ github.base_ref }}
         run: |
           ...
           if [ "${{ github.event_name }}" = "pull_request" ]; then
-            DIFF_BASE="origin/${{ github.base_ref }}"
+            DIFF_BASE="origin/$BASE_REF"
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/auto-smoke-test.yml around lines 57 - 58, The pull_request
branch logic in the auto-smoke-test workflow still interpolates github.base_ref
directly inside the run script, so move that value into env like the other
overrides and reference the environment variable from the shell instead. Update
the DIFF_BASE assignment in the workflow job that contains the pull_request
check so the shell only reads a safe env var rather than expanding
github.base_ref inline.

Source: Linters/SAST tools

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Duplicate comments:
In @.github/workflows/auto-smoke-test.yml:
- Around line 57-58: The pull_request branch logic in the auto-smoke-test
workflow still interpolates github.base_ref directly inside the run script, so
move that value into env like the other overrides and reference the environment
variable from the shell instead. Update the DIFF_BASE assignment in the workflow
job that contains the pull_request check so the shell only reads a safe env var
rather than expanding github.base_ref inline.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Central YAML (base), Organization UI (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 92759a7c-bf3e-4980-a585-8e3df4768a04

📥 Commits

Reviewing files that changed from the base of the PR and between 7641694 and d58a4d8.

📒 Files selected for processing (1)
  • .github/workflows/auto-smoke-test.yml

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant