SREP-4236: Update pr_check.sh to run without container engine

[reedcort]

Summary

• Adds build/prow_pr_check.sh that runs tests and resource generation directly without a container engine
• Enables the pr-check to run in Prow without needing nested containers (podman-in-podman)
• Leaves existing build/pr_check.sh intact for Jenkins until it is decommissioned

Context

This is part of migrating the pr-check from app-interface Jenkins to Prow (SREP-4236). A corresponding PR to openshift/release will add the Prow presubmit job configuration.

Test plan

• Verify build/prow_pr_check.sh runs successfully in a Go environment without a container engine
• Confirm Prow pr-check job passes after openshift/release PR is merged

🤖 Generated with Claude Code

[openshift-ci-robot]

@reedcort: This pull request references SREP-4236 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the task to target the "4.22.0" version, but no target version was set.

Details

In response to this:

Summary

• Updates build/pr_check.sh to run tests and resource generation directly instead of via podman
• Enables the pr-check to run in Prow without needing nested containers (podman-in-podman)
• Replaces make container-test syncset package build-base with direct make test and go run build/resources.go calls

Context

This is part of migrating the pr-check from app-interface Jenkins to Prow (SREP-4236). A corresponding PR to openshift/release will add the Prow presubmit job configuration.

Test plan

• Verify build/pr_check.sh runs successfully in a Go environment without a container engine
• Confirm Prow pr-check job passes after openshift/release PR is merged

🤖 Generated with Claude Code

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[coderabbitai]

Walkthrough

Introduces a new Bash script hack/prow_pr_check.sh that verifies PR changes by running tests, generating selector syncset and packaged resource artifacts, and validating no working-tree modifications occurred.

Changes

Cohort / File(s)	Summary
New PR Verification Script hack/prow_pr_check.sh	New Bash script implementing PR verification workflow: enables strict error handling, runs test suite, generates selector syncset artifacts with exclusions and packaged resources, and validates clean working tree via git diff.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[openshift-ci-robot]

@reedcort: This pull request references SREP-4236 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the task to target the "4.22.0" version, but no target version was set.

Details

In response to this:

Summary

• Adds build/prow_pr_check.sh that runs tests and resource generation directly without a container engine
• Enables the pr-check to run in Prow without needing nested containers (podman-in-podman)
• Leaves existing build/pr_check.sh intact for Jenkins until it is decommissioned

Context

This is part of migrating the pr-check from app-interface Jenkins to Prow (SREP-4236). A corresponding PR to openshift/release will add the Prow presubmit job configuration.

Test plan

• Verify build/prow_pr_check.sh runs successfully in a Go environment without a container engine
• Confirm Prow pr-check job passes after openshift/release PR is merged

🤖 Generated with Claude Code

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@build/prow_pr_check.sh`:
- Around line 24-26: The current check uses git diff --exit-code which misses
untracked generated files; replace the check around git diff --exit-code with a
two-part verification: run git diff --exit-code and then run git status
--porcelain --untracked-files=all (or git ls-files --others --exclude-standard)
and fail if either reports changes, and update the failure message printed by
the echo that currently starts "FAILURE: unexpected changes after building..."
to instruct the user to regenerate artifacts and commit them (e.g., "Run 'make
syncset package' or 'make generate' to regenerate artifacts, add and commit the
changes.") — locate and modify the git diff --exit-code check and the associated
echo/exit 1 lines in build/prow_pr_check.sh.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 49b811ae-d8ba-49af-aaad-ad5e32b20351

📥 Commits

Reviewing files that changed from the base of the PR and between c02f38d and 2244b0f.

📒 Files selected for processing (1)

• build/prow_pr_check.sh

[coderabbitai]

⚠️ Potential issue | 🟠 Major

git diff --exit-code misses untracked generated files

Line 24 only checks tracked-file diffs, so newly generated untracked files can slip through. That weakens the “generated artifacts are committed” gate. Also, Line 25’s remediation message still points to container-based targets.

Suggested fix

-if ! git diff --exit-code; then
-    echo "FAILURE: unexpected changes after building. Run 'make syncset package' and commit changes."
+if [[ -n "$(git status --porcelain --untracked-files=all)" ]]; then
+    git status --short
+    echo "FAILURE: unexpected changes after building. Regenerate resources and commit all tracked/untracked changes."
     exit 1
 fi

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	if ! git diff --exit-code; then
	echo "FAILURE: unexpected changes after building. Run 'make syncset package' and commit changes."
	exit 1
	if [[ -n "$(git status --porcelain --untracked-files=all)" ]]; then
	git status --short
	echo "FAILURE: unexpected changes after building. Regenerate resources and commit all tracked/untracked changes."
	exit 1

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@build/prow_pr_check.sh` around lines 24 - 26, The current check uses git diff
--exit-code which misses untracked generated files; replace the check around git
diff --exit-code with a two-part verification: run git diff --exit-code and then
run git status --porcelain --untracked-files=all (or git ls-files --others
--exclude-standard) and fail if either reports changes, and update the failure
message printed by the echo that currently starts "FAILURE: unexpected changes
after building..." to instruct the user to regenerate artifacts and commit them
(e.g., "Run 'make syncset package' or 'make generate' to regenerate artifacts,
add and commit the changes.") — locate and modify the git diff --exit-code check
and the associated echo/exit 1 lines in build/prow_pr_check.sh.

[joshbranham]

/lgtm
/approve

[coderabbitai]

♻️ Duplicate comments (1)

hack/prow_pr_check.sh (1)

24-26: ⚠️ Potential issue | 🟠 Major

Harden the dirty-tree check to include untracked generated files.

Line 24 only checks tracked diffs, so newly generated untracked artifacts can pass this gate.

Suggested fix

-if ! git diff --exit-code; then
-    echo "FAILURE: unexpected changes after building. Run 'make syncset package' and commit changes."
+if [[ -n "$(git status --porcelain --untracked-files=all)" ]]; then
+    git status --short
+    echo "FAILURE: generated artifacts are out of date. Regenerate resources and commit all tracked/untracked changes."
     exit 1
 fi

#!/bin/bash
# Compare tracked-only vs full working-tree checks
git diff --exit-code >/dev/null; echo "git diff exit code: $?"
git status --porcelain --untracked-files=all

As per coding guidelines, "Focus on major issues impacting performance, readability, maintainability and security. Avoid nitpicks and avoid verbosity."

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@hack/prow_pr_check.sh` around lines 24 - 26, The current check uses "git diff
--exit-code" which only detects changes to tracked files; update the dirty-tree
gate to detect untracked generated files as well by running a full working-tree
check such as "git status --porcelain --untracked-files=all" (or "git diff
--exit-code" combined with "git ls-files --others --exclude-standard") and fail
when its output is non-empty; modify the script location where "git diff
--exit-code" is invoked to replace or augment that command and ensure the script
echoes the same failure message and exits with code 1 when untracked or modified
files are present.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Duplicate comments:
In `@hack/prow_pr_check.sh`:
- Around line 24-26: The current check uses "git diff --exit-code" which only
detects changes to tracked files; update the dirty-tree gate to detect untracked
generated files as well by running a full working-tree check such as "git status
--porcelain --untracked-files=all" (or "git diff --exit-code" combined with "git
ls-files --others --exclude-standard") and fail when its output is non-empty;
modify the script location where "git diff --exit-code" is invoked to replace or
augment that command and ensure the script echoes the same failure message and
exits with code 1 when untracked or modified files are present.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 55dad67e-ddf1-4bb0-a74f-6523d08c5736

📥 Commits

Reviewing files that changed from the base of the PR and between dcf1392 and 9cadbe5.

📒 Files selected for processing (1)

• hack/prow_pr_check.sh

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: joshbranham, reedcort

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS [joshbranham]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[openshift-ci]

@reedcort: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.