Dnm hcp runs for 422 by Sandeepyadav93 · Pull Request #79362 · openshift/release

Sandeepyadav93 · 2026-05-16T02:31:06Z

Summary

This PR updates OpenShift CI configuration and step-registry scripts used by the openshift-eng ocp-qe-perfscale CI jobs that run ROSA HCP (Hosted Control Plane) performance and scalability tests.

What changed (practical terms)

CI job definitions (ci-operator configs) for the perfscale test jobs were modified so scheduled ROSA HCP tests target the perf4 cluster sector and include explicit cron schedules.
- For 4.21-nightly: the control-plane-120nodes-onperfsector job now uses CLUSTER_SECTOR=perf4, gains a cron (0 2,14 * * *), and the always_run:false restriction was removed to allow scheduled execution.
- For 4.22-nightly: the control-plane-120nodes-onperfsector job’s CLUSTER_SECTOR changed to perf4, and a new node-density-heavy-24nodes-onperfsector job was added. The new job includes:
  - cron: 0 2,14 * * *
  - workflow: rosa-aws-sts-hcp-mp
  - env.CLUSTER_SECTOR: perf4
  - on-perfsector envs such as CLUSTER_TAGS: TicketId:731, REGION: us-east-2, REPLICAS: "24", OPENSHIFT_VERSION: "4.22"
  - test chain referencing rosa-cluster-credentials-hypershift-mgmt → openshift-qe-hypershift-infra → openshift-qe-node-density-heavy
Several step-registry shell scripts used by openshift-qe tests were changed to alter repository checkout behavior for the e2e-benchmarking repository:
- Files affected: ci-operator/step-registry/openshift-qe/{cluster-density-v2,crd-scale,node-density-cni,node-density}/...-commands.sh
- The previous logic that used the GitHub releases API (curl + jq), respected E2E_VERSION, and optionally performed a shallow clone (--depth 1) has been replaced with a plain git clone $REPO_URL (no tag/branch selection and no shallow-depth). This changes which revision is fetched and will retrieve full git history by default.

Impact

Test scheduling: Resource-intensive ROSA HCP perfscale jobs will run on a regular cron schedule and target the perf4 sector instead of perf2, ensuring consistent execution windows and shifting load to perf4.
New coverage: Adds a 4.22 node-density-heavy (24 replicas) job to the perfscale suite.
Reproducibility/consistency risk: The step-registry changes make the checkout no longer respect a chosen release/tag (E2E_VERSION) and remove shallow cloning. That may cause tests to run against a different revision than before and increase clone time and network/CI resource usage.

Files of interest

ci-operator/config/openshift-eng/ocp-qe-perfscale-ci/openshift-eng-ocp-qe-perfscale-ci-main__rosa_hcp-4.21-nightly-x86.yaml
ci-operator/config/openshift-eng/ocp-qe-perfscale-ci/openshift-eng-ocp-qe-perfscale-ci-main__rosa_hcp-4.22-nightly-x86.yaml
ci-operator/step-registry/openshift-qe/cluster-density-v2/openshift-qe-cluster-density-v2-commands.sh
ci-operator/step-registry/openshift-qe/crd-scale/openshift-qe-crd-scale-commands.sh
ci-operator/step-registry/openshift-qe/node-density-cni/openshift-qe-node-density-cni-commands.sh
ci-operator/step-registry/openshift-qe/node-density/openshift-qe-node-density-commands.sh

coderabbitai · 2026-05-16T02:31:31Z

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

@coderabbitai resume to resume automatic reviews.
@coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

▶️ Resume reviews
🔍 Trigger review

Walkthrough

CI job configs update ROSA HCP perfsector tests to use perf4 (control-plane-120nodes in 4.21 and 4.22), 4.21 gains a cron, and 4.22 adds a new node-density-heavy-24nodes-onperfsector job. Multiple step-registry scripts switch their e2e-benchmarking checkout to a plain git clone $REPO_URL.

Changes

ROSA HCP Performance Testing Configuration

Layer / File(s)	Summary
Control-plane and cron update (4.21) `ci-operator/config/openshift-eng/ocp-qe-perfscale-ci/openshift-eng-ocp-qe-perfscale-ci-main__rosa_hcp-4.21-nightly-x86.yaml`	`control-plane-120nodes-onperfsector`: added `cron: "0 2,14 * * *"`, removed `always_run: false`, and changed `env.CLUSTER_SECTOR` from `perf2` to `perf4`.
New node-density-heavy job and sector update (4.22) `ci-operator/config/openshift-eng/ocp-qe-perfscale-ci/openshift-eng-ocp-qe-perfscale-ci-main__rosa_hcp-4.22-nightly-x86.yaml`	Adds `node-density-heavy-24nodes-onperfsector` with `cron: 0 2,14 * * *`, `workflow: rosa-aws-sts-hcp-mp`, `env.CLUSTER_SECTOR: perf4`, region/replica/version envs, and test chain wiring; also updates `control-plane-120nodes-onperfsector` to `perf4`.

Step-registry: e2e-benchmarking checkout simplification

Layer / File(s)	Summary
Plain git clone in cluster-density-v2 `ci-operator/step-registry/openshift-qe/cluster-density-v2/openshift-qe-cluster-density-v2-commands.sh`	Replaced tag/`LATEST_TAG` selection and `--depth 1` shallow clone with `git clone $REPO_URL`.
Plain git clone in crd-scale `ci-operator/step-registry/openshift-qe/crd-scale/openshift-qe-crd-scale-commands.sh`	Switched from `git clone $TAG_OPTION --depth 1` to `git clone $REPO_URL`.
Plain git clone in node-density-cni `ci-operator/step-registry/openshift-qe/node-density-cni/openshift-qe-node-density-cni-commands.sh`	Removed release/tag selection and shallow clone behavior in favor of `git clone $REPO_URL`.
Plain git clone in node-density `ci-operator/step-registry/openshift-qe/node-density/openshift-qe-node-density-commands.sh`	Replaced E2E_VERSION/tag-aware shallow clone logic with a simple `git clone $REPO_URL`.

🎯 3 (Moderate) | ⏱️ ~20 minutes

Suggested labels

rehearsals-ack

🚥 Pre-merge checks | ✅ 10 | ❌ 2

❌ Failed checks (1 warning, 1 inconclusive)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.
Title check	❓ Inconclusive	The title 'Dnm hcp runs for 422' is vague and uses non-descriptive abbreviations that do not clearly convey the changeset's purpose to a reviewer.	Replace with a clear, descriptive title such as 'Add node-density-heavy test and update cluster sector for HCP 4.22' to better describe the actual changes.

✅ Passed checks (10 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names	✅ Passed	No Ginkgo test definitions found in PR. Changes are to CI job configs and benchmark scripts only. Test job names are all static descriptive strings without dynamic content.
Test Structure And Quality	✅ Passed	The custom check for "Test Structure and Quality" applies to Ginkgo test code. This PR contains only YAML config files and bash shell scripts, with no Ginkgo test files. Check is not applicable.
Microshift Test Compatibility	✅ Passed	No Ginkgo e2e tests are added in this PR. Changes are CI/CD configuration (YAML) and step registry scripts (bash) only. Check is not applicable.
Single Node Openshift (Sno) Test Compatibility	✅ Passed	No new Ginkgo e2e tests added. PR modifies CI configuration (YAML) and test orchestration shell scripts only, not test source code. SNO compatibility check not applicable.
Topology-Aware Scheduling Compatibility	✅ Passed	PR modifies CI configuration and test scripts only. Does not add deployment manifests, operator code, or controllers that introduce topology-aware scheduling constraints.
Ote Binary Stdout Contract	✅ Passed	The OTE Binary Stdout Contract check applies only to Go test binaries using Ginkgo. This PR contains only YAML CI config and bash scripts—no Go code or test binaries. Check not applicable.
Ipv6 And Disconnected Network Test Compatibility	✅ Passed	PR modifies only CI infrastructure (job configs and shell scripts). No new Ginkgo e2e tests were added, so this check does not apply.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

Create PR with unit tests

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

Sandeepyadav93 · 2026-05-16T02:31:51Z

/pj-rehearse periodic-ci-openshift-eng-ocp-qe-perfscale-ci-main-rosa_hcp-4.22-nightly-x86-control-plane-120nodes-onperfsector

openshift-merge-bot · 2026-05-16T02:31:53Z

@Sandeepyadav93: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

Sandeepyadav93 · 2026-05-16T02:32:59Z

/uncc @mohit-sheth @rsevilla87

coderabbitai

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In
`@ci-operator/step-registry/openshift-qe/hypershift-infra/openshift-qe-hypershift-infra-commands.sh`:
- Around line 107-121: The current check can set VERIFY_SUCCESS=true when no
prometheus pods were evaluated because ALL_ON_INFRA defaults to true; modify the
for node in $(oc get pods -n openshift-monitoring -o wide | grep -i
"prometheus-k8s-" | grep -i running | awk '{print$7}') loop to track whether any
pods were found (e.g., increment a POD_COUNT or set a FOUND_PROM_POD flag inside
the loop) and after the loop only set VERIFY_SUCCESS=true and break if BOTH
ALL_ON_INFRA is true and the pod count/FOUND_PROM_POD indicates at least one pod
was evaluated; ensure you update the conditional that currently checks [
"$ALL_ON_INFRA" = true ] to require the additional non-zero pod condition.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

Push a commit to this branch (recommended)
Create a new PR with the fixes

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 2ff3fde4-3dc1-47ab-8104-03514ededc9e

📥 Commits

Reviewing files that changed from the base of the PR and between 0dc30c3 and 2316b75.

⛔ Files ignored due to path filters (2)

ci-operator/jobs/openshift-eng/ocp-qe-perfscale-ci/openshift-eng-ocp-qe-perfscale-ci-main-periodics.yaml is excluded by !ci-operator/jobs/**
ci-operator/jobs/openshift-eng/ocp-qe-perfscale-ci/openshift-eng-ocp-qe-perfscale-ci-main-presubmits.yaml is excluded by !ci-operator/jobs/**

📒 Files selected for processing (3)

ci-operator/config/openshift-eng/ocp-qe-perfscale-ci/openshift-eng-ocp-qe-perfscale-ci-main__rosa_hcp-4.21-nightly-x86.yaml
ci-operator/config/openshift-eng/ocp-qe-perfscale-ci/openshift-eng-ocp-qe-perfscale-ci-main__rosa_hcp-4.22-nightly-x86.yaml
ci-operator/step-registry/openshift-qe/hypershift-infra/openshift-qe-hypershift-infra-commands.sh

coderabbitai · 2026-05-16T02:35:00Z

+        while [ $RETRY -lt $MAX_RETRIES ]; do
+            ALL_ON_INFRA=true
+            for node in $(oc get pods -n openshift-monitoring -o wide | grep -i "prometheus-k8s-" | grep -i running | awk '{print$7}'); do
+                if [[ $(oc get nodes --no-headers -l node-role.kubernetes.io/infra | awk '{print$1}' | grep -w "$node") != "" ]]; then
+                    log "$(date) - prometheus pod on $node (infra node) ✓"
+                else
+                    log "$(date) - WARNING: prometheus pod on $node is NOT an infra node"
+                    ALL_ON_INFRA=false
+                fi
+            done
+
+            if [ "$ALL_ON_INFRA" = true ]; then
+                log "$(date) - All prometheus-k8s pods are on infra nodes ✓"
+                VERIFY_SUCCESS=true
+                break


⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Avoid false success when no Prometheus pods are matched.

Line 118 can mark verification successful even when zero pods were evaluated, because ALL_ON_INFRA starts as true and the loop may not run. This can incorrectly pass migration validation.

Proposed fix

while [ $RETRY -lt $MAX_RETRIES ]; do ALL_ON_INFRA=true - for node in $(oc get pods -n openshift-monitoring -o wide | grep -i "prometheus-k8s-" | grep -i running | awk '{print$7}'); do + mapfile -t PROM_NODES < <(oc get pods -n openshift-monitoring -o wide | awk '/prometheus-k8s-/ && tolower($3)=="running" {print $7}') + + if [ "${`#PROM_NODES`[@]}" -eq 0 ]; then + log "$(date) - WARNING: no running prometheus-k8s pods found yet" + ALL_ON_INFRA=false + fi + + for node in "${PROM_NODES[@]}"; do if [[ $(oc get nodes --no-headers -l node-role.kubernetes.io/infra | awk '{print$1}' | grep -w "$node") != "" ]]; then log "$(date) - prometheus pod on $node (infra node) ✓" else log "$(date) - WARNING: prometheus pod on $node is NOT an infra node" ALL_ON_INFRA=false fi done

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

while [ $RETRY -lt $MAX_RETRIES ]; do

ALL_ON_INFRA=true

for node in $(oc get pods -n openshift-monitoring -o wide | grep -i "prometheus-k8s-" | grep -i running | awk '{print$7}'); do

if [[ $(oc get nodes --no-headers -l node-role.kubernetes.io/infra | awk '{print$1}' | grep -w "$node") != "" ]]; then

log "$(date) - prometheus pod on $node (infra node) ✓"

else

log "$(date) - WARNING: prometheus pod on $node is NOT an infra node"

ALL_ON_INFRA=false

fi

done

if [ "$ALL_ON_INFRA" = true ]; then

log "$(date) - All prometheus-k8s pods are on infra nodes ✓"

VERIFY_SUCCESS=true

break

while [ $RETRY -lt $MAX_RETRIES ]; do

ALL_ON_INFRA=true

mapfile -t PROM_NODES < <(oc get pods -n openshift-monitoring -o wide | awk '/prometheus-k8s-/ && tolower($3)=="running" {print $7}')

if [ "${`#PROM_NODES`[@]}" -eq 0 ]; then

log "$(date) - WARNING: no running prometheus-k8s pods found yet"

ALL_ON_INFRA=false

fi

for node in "${PROM_NODES[@]}"; do

if [[ $(oc get nodes --no-headers -l node-role.kubernetes.io/infra | awk '{print$1}' | grep -w "$node") != "" ]]; then

log "$(date) - prometheus pod on $node (infra node) ✓"

else

log "$(date) - WARNING: prometheus pod on $node is NOT an infra node"

ALL_ON_INFRA=false

fi

done

if [ "$ALL_ON_INFRA" = true ]; then

log "$(date) - All prometheus-k8s pods are on infra nodes ✓"

VERIFY_SUCCESS=true

break

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@ci-operator/step-registry/openshift-qe/hypershift-infra/openshift-qe-hypershift-infra-commands.sh` around lines 107 - 121, The current check can set VERIFY_SUCCESS=true when no prometheus pods were evaluated because ALL_ON_INFRA defaults to true; modify the for node in $(oc get pods -n openshift-monitoring -o wide | grep -i "prometheus-k8s-" | grep -i running | awk '{print$7}') loop to track whether any pods were found (e.g., increment a POD_COUNT or set a FOUND_PROM_POD flag inside the loop) and after the loop only set VERIFY_SUCCESS=true and break if BOTH ALL_ON_INFRA is true and the pod count/FOUND_PROM_POD indicates at least one pod was evaluated; ensure you update the conditional that currently checks [ "$ALL_ON_INFRA" = true ] to require the additional non-zero pod condition.

Sandeepyadav93 · 2026-05-16T13:22:44Z

/pj-rehearse periodic-ci-openshift-eng-ocp-qe-perfscale-ci-main-rosa_hcp-4.22-nightly-x86-control-plane-120nodes-onperfsector

openshift-merge-bot · 2026-05-16T13:22:46Z

@Sandeepyadav93: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

Sandeepyadav93 · 2026-05-16T16:23:13Z

/pj-rehearse periodic-ci-openshift-eng-ocp-qe-perfscale-ci-main-rosa_hcp-4.22-nightly-x86-control-plane-120nodes-onperfsector

openshift-merge-bot · 2026-05-16T16:23:16Z

@Sandeepyadav93: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

Sandeepyadav93 · 2026-05-17T01:45:39Z

/pj-rehearse periodic-ci-openshift-eng-ocp-qe-perfscale-ci-main-rosa_hcp-4.22-nightly-x86-control-plane-120nodes-onperfsector

openshift-merge-bot · 2026-05-17T01:45:41Z

@Sandeepyadav93: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

Sandeepyadav93 · 2026-05-17T07:10:08Z

/pj-rehearse periodic-ci-openshift-eng-ocp-qe-perfscale-ci-main-rosa_hcp-4.21-nightly-x86-control-plane-120nodes-onperfsector

openshift-merge-bot · 2026-05-17T07:10:11Z

@Sandeepyadav93: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

Sandeepyadav93 · 2026-05-17T13:42:44Z

/pj-rehearse periodic-ci-openshift-eng-ocp-qe-perfscale-ci-main-rosa_hcp-4.22-nightly-x86-control-plane-120nodes-onperfsector

openshift-merge-bot · 2026-05-17T13:42:47Z

@Sandeepyadav93: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

Sandeepyadav93 · 2026-05-17T18:48:57Z

/pj-rehearse periodic-ci-openshift-eng-ocp-qe-perfscale-ci-main-rosa_hcp-4.22-nightly-x86-control-plane-120nodes-onperfsector

openshift-merge-bot · 2026-05-17T18:48:59Z

@Sandeepyadav93: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

Sandeepyadav93 · 2026-05-18T15:05:54Z

/pj-rehearse periodic-ci-openshift-eng-ocp-qe-perfscale-ci-main-rosa_hcp-4.22-nightly-x86-node-density-heavy-24nodes-onperfsector

openshift-merge-bot · 2026-05-18T15:05:57Z

@Sandeepyadav93: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

Sandeepyadav93 · 2026-05-18T16:09:14Z

/pj-rehearse periodic-ci-openshift-eng-ocp-qe-perfscale-ci-main-rosa_hcp-4.22-nightly-x86-node-density-heavy-24nodes-onperfsector

openshift-merge-bot · 2026-05-18T16:09:17Z

@Sandeepyadav93: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

openshift-merge-bot · 2026-05-18T16:13:15Z

@Sandeepyadav93: job(s): either don't exist or were not found to be affected, and cannot be rehearsed

Sandeepyadav93 · 2026-05-19T01:47:06Z

/pj-rehearse periodic-ci-openshift-eng-ocp-qe-perfscale-ci-main-rosa_hcp-4.22-nightly-x86-control-plane-120nodes-onperfsector

openshift-merge-bot · 2026-05-19T01:47:08Z

@Sandeepyadav93: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

openshift-ci · 2026-05-19T05:57:35Z

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: Sandeepyadav93
Once this PR has been reviewed and has the lgtm label, please assign afcollins for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

ci-operator/config/openshift-eng/ocp-qe-perfscale-ci/OWNERS
ci-operator/jobs/openshift-eng/ocp-qe-perfscale-ci/OWNERS
~~ci-operator/step-registry/openshift-qe/OWNERS~~ [Sandeepyadav93]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

Sandeepyadav93 · 2026-05-19T05:58:26Z

/pj-rehearse periodic-ci-openshift-eng-ocp-qe-perfscale-ci-main-rosa_hcp-4.22-nightly-x86-control-plane-120nodes-onperfsector

openshift-merge-bot · 2026-05-19T05:58:29Z

@Sandeepyadav93: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

coderabbitai

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In
`@ci-operator/config/openshift-eng/ocp-qe-perfscale-ci/openshift-eng-ocp-qe-perfscale-ci-main__rosa_hcp-4.22-nightly-x86.yaml`:
- Line 211: The CLUSTER_SECTOR variable was changed to perf4 for this job
(CLUSTER_SECTOR) while most onperfsector jobs still reference perf2; confirm
whether this is an intentional staged migration or a mistake, then either (A)
make the change consistent by updating all onperfsector job definitions (the
other job entries that still use perf2) to use CLUSTER_SECTOR: perf4, or (B)
revert this single job back to perf2; also add a short comment near
CLUSTER_SECTOR and/or a top-of-file note describing the migration plan and scope
so future reviewers know whether perf2→perf4 is complete or in-progress.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

Push a commit to this branch (recommended)
Create a new PR with the fixes

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 144741ff-f38f-49f7-a45b-90d9aba40466

📥 Commits

Reviewing files that changed from the base of the PR and between 077b269 and 44a7867.

📒 Files selected for processing (2)

ci-operator/config/openshift-eng/ocp-qe-perfscale-ci/openshift-eng-ocp-qe-perfscale-ci-main__rosa_hcp-4.21-nightly-x86.yaml
ci-operator/config/openshift-eng/ocp-qe-perfscale-ci/openshift-eng-ocp-qe-perfscale-ci-main__rosa_hcp-4.22-nightly-x86.yaml

🚧 Files skipped from review as they are similar to previous changes (1)

ci-operator/config/openshift-eng/ocp-qe-perfscale-ci/openshift-eng-ocp-qe-perfscale-ci-main__rosa_hcp-4.21-nightly-x86.yaml

coderabbitai · 2026-05-19T06:01:39Z

    env:
      CHANNEL_GROUP: nightly
-      CLUSTER_SECTOR: perf2
+      CLUSTER_SECTOR: perf4


⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash # Description: Verify sector usage across all onperfsector jobs in 4.21 and 4.22 configs # Check CLUSTER_SECTOR values in related config files echo "=== 4.22 config ===" rg -n 'CLUSTER_SECTOR:' ci-operator/config/openshift-eng/ocp-qe-perfscale-ci/openshift-eng-ocp-qe-perfscale-ci-main__rosa_hcp-4.22-nightly-x86.yaml echo -e "\n=== 4.21 config ===" rg -n 'CLUSTER_SECTOR:' ci-operator/config/openshift-eng/ocp-qe-perfscale-ci/openshift-eng-ocp-qe-perfscale-ci-main__rosa_hcp-4.21-nightly-x86.yaml

Repository: openshift/release

Length of output: 774

Clarify whether the sector migration to perf4 is intentional and complete.

CLUSTER_SECTOR was changed to perf4 for this job at line 211, but the majority of onperfsector jobs in this file still use perf2 (lines 180, 244, 290, 336, 382, 427, 473, 519, 566). Only two jobs in the 4.22 config use perf4 (lines 150 and 211). If this is part of a deliberate sector migration strategy, clarify the plan; if unintended, migrate remaining jobs consistently.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@ci-operator/config/openshift-eng/ocp-qe-perfscale-ci/openshift-eng-ocp-qe-perfscale-ci-main__rosa_hcp-4.22-nightly-x86.yaml` at line 211, The CLUSTER_SECTOR variable was changed to perf4 for this job (CLUSTER_SECTOR) while most onperfsector jobs still reference perf2; confirm whether this is an intentional staged migration or a mistake, then either (A) make the change consistent by updating all onperfsector job definitions (the other job entries that still use perf2) to use CLUSTER_SECTOR: perf4, or (B) revert this single job back to perf2; also add a short comment near CLUSTER_SECTOR and/or a top-of-file note describing the migration plan and scope so future reviewers know whether perf2→perf4 is complete or in-progress.

Sandeepyadav93 · 2026-05-19T11:52:29Z

/pj-rehearse periodic-ci-openshift-eng-ocp-qe-perfscale-ci-main-rosa_hcp-4.21-nightly-x86-control-plane-120nodes-onperfsector

openshift-merge-bot · 2026-05-19T11:52:32Z

@Sandeepyadav93: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

openshift-merge-bot · 2026-05-19T11:53:48Z

[REHEARSALNOTIFIER]
@Sandeepyadav93: the pj-rehearse plugin accommodates running rehearsal tests for the changes in this PR. Expand 'Interacting with pj-rehearse' for usage details. The following rehearsable tests have been affected by this change:

Test name	Repo	Type	Reason
pull-ci-cloud-bulldozer-orion-main-payload-control-plane-6nodes	cloud-bulldozer/orion	presubmit	Registry content changed
pull-ci-redhat-chaos-prow-scripts-main-4.19-nightly-upgrade-chaos-aws-loaded-upgrade-418to419-pod-scenarios	redhat-chaos/prow-scripts	presubmit	Registry content changed
pull-ci-redhat-chaos-prow-scripts-main-4.19-nightly-upgrade-chaos-aws-loaded-upgrade-418to419-node-scenarios	redhat-chaos/prow-scripts	presubmit	Registry content changed
pull-ci-redhat-chaos-prow-scripts-main-4.19-nightly-upgrade-chaos-aws-ipsec-loaded-upgrade-418to419-pod-scenarios	redhat-chaos/prow-scripts	presubmit	Registry content changed
pull-ci-redhat-chaos-prow-scripts-main-4.19-nightly-upgrade-chaos-aws-ipsec-loaded-upgrade-418to419-node-scenarios	redhat-chaos/prow-scripts	presubmit	Registry content changed
pull-ci-redhat-chaos-prow-scripts-main-4.19-nightly-upgrade-chaos-gcp-loaded-upgrade-418to419-node-scenarios	redhat-chaos/prow-scripts	presubmit	Registry content changed
pull-ci-redhat-chaos-prow-scripts-main-4.19-nightly-upgrade-chaos-gcp-loaded-upgrade-418to419-pod-scenarios	redhat-chaos/prow-scripts	presubmit	Registry content changed
pull-ci-redhat-chaos-prow-scripts-main-4.19-nightly-upgrade-chaos-gcp-fipsetcd-loaded-upgrade-418to419-node-scenarios	redhat-chaos/prow-scripts	presubmit	Registry content changed
pull-ci-redhat-chaos-prow-scripts-main-4.16-nightly-upgrade-chaos-aws-loaded-upgrade-415to416	redhat-chaos/prow-scripts	presubmit	Registry content changed
pull-ci-redhat-chaos-prow-scripts-main-4.16-nightly-upgrade-chaos-gcp-loaded-upgrade-415to416	redhat-chaos/prow-scripts	presubmit	Registry content changed
pull-ci-redhat-chaos-prow-scripts-main-4.20-nightly-upgrade-chaos-azure-multi-upgrade-419to420-3nodes-pod-scenarios	redhat-chaos/prow-scripts	presubmit	Registry content changed
pull-ci-redhat-chaos-prow-scripts-main-4.20-nightly-upgrade-chaos-azure-multi-upgrade-419to420-3nodes-node-scenarios	redhat-chaos/prow-scripts	presubmit	Registry content changed
pull-ci-redhat-chaos-prow-scripts-main-rosa-4.20-nightly-krkn-tests-rosa	redhat-chaos/prow-scripts	presubmit	Registry content changed
pull-ci-redhat-chaos-prow-scripts-main-rosa-4.20-nightly-krkn-tests-rosa-hcp	redhat-chaos/prow-scripts	presubmit	Registry content changed
pull-ci-redhat-chaos-prow-scripts-main-rosa-4.20-nightly-krkn-rosa-hcp-node	redhat-chaos/prow-scripts	presubmit	Registry content changed
pull-ci-redhat-chaos-prow-scripts-main-rosa-4.17-nightly-krkn-tests-rosa	redhat-chaos/prow-scripts	presubmit	Registry content changed
pull-ci-redhat-chaos-prow-scripts-main-rosa-4.17-nightly-krkn-tests-rosa-hcp	redhat-chaos/prow-scripts	presubmit	Registry content changed
pull-ci-redhat-chaos-prow-scripts-main-rosa-4.17-nightly-krkn-rosa-hcp-node	redhat-chaos/prow-scripts	presubmit	Registry content changed
pull-ci-redhat-chaos-prow-scripts-main-rosa-4.17-nightly-krkn-tests-rosa-infra	redhat-chaos/prow-scripts	presubmit	Registry content changed
pull-ci-redhat-chaos-prow-scripts-main-4.15-nightly-krkn-hub-tests-aro	redhat-chaos/prow-scripts	presubmit	Registry content changed
pull-ci-redhat-chaos-prow-scripts-main-4.18-nightly-upgrade-chaos-aws-loaded-upgrade-417to418-pod-scenarios	redhat-chaos/prow-scripts	presubmit	Registry content changed
pull-ci-redhat-chaos-prow-scripts-main-4.18-nightly-upgrade-chaos-aws-loaded-upgrade-417to418-node-scenarios	redhat-chaos/prow-scripts	presubmit	Registry content changed
pull-ci-redhat-chaos-prow-scripts-main-4.18-nightly-upgrade-chaos-gcp-loaded-upgrade-417to418-node-scenarios	redhat-chaos/prow-scripts	presubmit	Registry content changed
pull-ci-redhat-chaos-prow-scripts-main-4.18-nightly-x86-cpou-upgrade-4.16-loaded-upgrade-416to418-aws	redhat-chaos/prow-scripts	presubmit	Registry content changed
pull-ci-redhat-chaos-prow-scripts-main-4.18-nightly-x86-cpou-upgrade-4.16-loaded-upgrade-416to418-gcp	redhat-chaos/prow-scripts	presubmit	Registry content changed

A total of 640 jobs have been affected by this change. The above listing is non-exhaustive and limited to 25 jobs.

A full list of affected jobs can be found here

Interacting with pj-rehearse

Comment: /pj-rehearse to run up to 5 rehearsals
Comment: /pj-rehearse skip to opt-out of rehearsals
Comment: /pj-rehearse {test-name}, with each test separated by a space, to run one or more specific rehearsals
Comment: /pj-rehearse more to run up to 10 rehearsals
Comment: /pj-rehearse max to run up to 25 rehearsals
Comment: /pj-rehearse auto-ack to run up to 5 rehearsals, and add the rehearsals-ack label on success
Comment: /pj-rehearse list to get an up-to-date list of affected jobs
Comment: /pj-rehearse abort to abort all active rehearsals
Comment: /pj-rehearse network-access-allowed to allow rehearsals of tests that have the restrict_network_access field set to false. This must be executed by an openshift org member who is not the PR author

Once you are satisfied with the results of the rehearsals, comment: /pj-rehearse ack to unblock merge. When the rehearsals-ack label is present on your PR, merge will no longer be blocked by rehearsals.
If you would like the rehearsals-ack label removed, comment: /pj-rehearse reject to re-block merging.

coderabbitai

Actionable comments posted: 4

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In
`@ci-operator/step-registry/openshift-qe/cluster-density-v2/openshift-qe-cluster-density-v2-commands.sh`:
- Line 52: The git clone step currently clones full history and is unpinned (git
clone $REPO_URL); change it to perform a shallow, ref-pinned clone (e.g., use
--depth 1 and --branch <ref_var> / --single-branch) and introduce an env var
(e.g., REPO_REF or GIT_REF) to pin the commit/branch used for benchmarking. Also
prevent credential leakage by wrapping any reads/exports of Elasticsearch
credentials (ES_PASSWORD, ES_USERNAME) and any other sensitive vars with tracing
disabled (use set +x before reading/exporting and set -x after); ensure both the
locations referenced in the review (the blocks that read/export
ES_USERNAME/ES_PASSWORD and any later usages around line 66) are updated to
disable tracing only for the minimal sensitive operations.

In
`@ci-operator/step-registry/openshift-qe/crd-scale/openshift-qe-crd-scale-commands.sh`:
- Around line 52-54: Remove the unused external GitHub API call and stale
variables by deleting the LATEST_TAG and TAG_OPTION computation (they are never
used) and ensure git clone $REPO_URL is used without calling the GitHub releases
API; additionally, prevent credential leakage by disabling shell tracing around
reading and exporting secrets: wrap the reads of ES_PASSWORD and ES_USERNAME and
the export of ES_SERVER with tracing off (temporarily run "set +x" before
reading/exporting and "set -x" after) so the sensitive values are not printed to
CI logs; references to update: LATEST_TAG, TAG_OPTION, REPO_URL, ES_PASSWORD,
ES_USERNAME, ES_SERVER, and any existing set -x usage in this script.

In
`@ci-operator/step-registry/openshift-qe/node-density-cni/openshift-qe-node-density-cni-commands.sh`:
- Line 54: The git clone line uses an unpinned, full-depth clone (git clone
$REPO_URL); update it to match the node-density-heavy pattern by performing a
shallow, pinned checkout: use the existing REPO_URL but clone with --depth 1 and
--single-branch and pin to a fixed ref/branch variable (e.g., REPO_REF or
NODE_DENSITY_REF) or fetch that ref explicitly and checkout it, ensuring
deterministic, shallow clones instead of full history downloads.

In
`@ci-operator/step-registry/openshift-qe/node-density/openshift-qe-node-density-commands.sh`:
- Line 57: Replace the full clone command (git clone $REPO_URL) with a shallow,
branch-pinned clone to speed and stabilize checkouts (use the repo branch/ref
variable and depth=1) and wrap sensitive operations where tracing is active:
temporarily disable shell tracing (set +x) before the credential-related blocks
(the clone/checkout area and the Elasticsearch URL construction that
interpolates $ES_USERNAME and $ES_PASSWORD) and re-enable tracing (set -x)
immediately after; ensure the exact blocks to change are the git clone
invocation and the block that builds/uses the ES server URL so no credentials
are emitted.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

Push a commit to this branch (recommended)
Create a new PR with the fixes

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: ba3d56ef-f829-499e-a822-aec114a12c82

📥 Commits

Reviewing files that changed from the base of the PR and between 44a7867 and dd9f520.

⛔ Files ignored due to path filters (2)

ci-operator/jobs/openshift-eng/ocp-qe-perfscale-ci/openshift-eng-ocp-qe-perfscale-ci-main-periodics.yaml is excluded by !ci-operator/jobs/**
ci-operator/jobs/openshift-eng/ocp-qe-perfscale-ci/openshift-eng-ocp-qe-perfscale-ci-main-presubmits.yaml is excluded by !ci-operator/jobs/**

📒 Files selected for processing (6)

ci-operator/config/openshift-eng/ocp-qe-perfscale-ci/openshift-eng-ocp-qe-perfscale-ci-main__rosa_hcp-4.21-nightly-x86.yaml
ci-operator/config/openshift-eng/ocp-qe-perfscale-ci/openshift-eng-ocp-qe-perfscale-ci-main__rosa_hcp-4.22-nightly-x86.yaml
ci-operator/step-registry/openshift-qe/cluster-density-v2/openshift-qe-cluster-density-v2-commands.sh
ci-operator/step-registry/openshift-qe/crd-scale/openshift-qe-crd-scale-commands.sh
ci-operator/step-registry/openshift-qe/node-density-cni/openshift-qe-node-density-cni-commands.sh
ci-operator/step-registry/openshift-qe/node-density/openshift-qe-node-density-commands.sh

🚧 Files skipped from review as they are similar to previous changes (1)

ci-operator/config/openshift-eng/ocp-qe-perfscale-ci/openshift-eng-ocp-qe-perfscale-ci-main__rosa_hcp-4.22-nightly-x86.yaml

coderabbitai · 2026-05-19T11:57:31Z

-LATEST_TAG=$(curl -s "https://api.github.com/repos/cloud-bulldozer/e2e-benchmarking/releases/latest" | jq -r '.tag_name');
-TAG_OPTION="--branch $(if [ "$E2E_VERSION" == "default" ]; then echo "$LATEST_TAG"; else echo "$E2E_VERSION"; fi)";
-git clone $REPO_URL $TAG_OPTION --depth 1
+git clone $REPO_URL


⚠️ Potential issue | 🔴 Critical | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

# Find and examine the file fd -t f "openshift-qe-cluster-density-v2-commands.sh"

Repository: openshift/release

Length of output: 163

🏁 Script executed:

# Check the content of the file head -60 ci-operator/step-registry/openshift-qe/cluster-density-v2/openshift-qe-cluster-density-v2-commands.sh

Repository: openshift/release

Length of output: 2671

🏁 Script executed:

# Look for context around line 52 and check tracing/set flags sed -n '1,80p' ci-operator/step-registry/openshift-qe/cluster-density-v2/openshift-qe-cluster-density-v2-commands.sh | cat -n

Repository: openshift/release

Length of output: 3730

Pin checkout to explicit ref with shallow clone AND fix credential leakage in tracing.

Line 52 clones without pinning to a specific ref and pulls full history, which increases clone overhead and can skew benchmark comparability across runs. Additionally, lines 15–16 and 66 read and export Elasticsearch credentials (password and username) while set -x tracing is enabled, causing credential leakage in CI logs. This violates the step registry security guideline requiring set +x around sensitive data.

Suggested changes

-ES_PASSWORD=$(cat "${ES_SECRETS_PATH}/password") -ES_USERNAME=$(cat "${ES_SECRETS_PATH}/username") +set +x +ES_PASSWORD=$(cat "${ES_SECRETS_PATH}/password") +ES_USERNAME=$(cat "${ES_SECRETS_PATH}/username") +set -x

-export ES_SERVER="https://$ES_USERNAME:$ES_PASSWORD@$ES_HOST" +set +x +export ES_SERVER="https://$ES_USERNAME:$ES_PASSWORD@$ES_HOST" +set -x

-git clone $REPO_URL +E2E_REF="${E2E_VERSION:-main}" +git clone --depth 1 --branch "${E2E_REF}" "${REPO_URL}"

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@ci-operator/step-registry/openshift-qe/cluster-density-v2/openshift-qe-cluster-density-v2-commands.sh` at line 52, The git clone step currently clones full history and is unpinned (git clone $REPO_URL); change it to perform a shallow, ref-pinned clone (e.g., use --depth 1 and --branch <ref_var> / --single-branch) and introduce an env var (e.g., REPO_REF or GIT_REF) to pin the commit/branch used for benchmarking. Also prevent credential leakage by wrapping any reads/exports of Elasticsearch credentials (ES_PASSWORD, ES_USERNAME) and any other sensitive vars with tracing disabled (use set +x before reading/exporting and set -x after); ensure both the locations referenced in the review (the blocks that read/export ES_USERNAME/ES_PASSWORD and any later usages around line 66) are updated to disable tracing only for the minimal sensitive operations.

coderabbitai · 2026-05-19T11:57:31Z

 LATEST_TAG=$(curl -s "https://api.github.com/repos/cloud-bulldozer/e2e-benchmarking/releases/latest" | jq -r '.tag_name');
 TAG_OPTION="--branch $(if [ "$E2E_VERSION" == "default" ]; then echo "$LATEST_TAG"; else echo "$E2E_VERSION"; fi)";
-git clone $REPO_URL $TAG_OPTION --depth 1
+git clone $REPO_URL


⚠️ Potential issue | 🔴 Critical | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

cat -n ci-operator/step-registry/openshift-qe/crd-scale/openshift-qe-crd-scale-commands.sh

Repository: openshift/release

Length of output: 3118

Remove stale tag-resolution logic that creates unnecessary external API calls.

Lines 52-53 fetch and compute TAG_OPTION, but Line 54 ignores it entirely. This keeps an external GitHub API dependency on the hot path with no functional effect.

Additionally, this script violates the step registry security guidelines: Lines 17-18 read sensitive credentials (ES_PASSWORD, ES_USERNAME) and Line 58 exports ES_SERVER with embedded credentials while set -x tracing is active. Disable tracing around these sensitive operations to prevent credential leakage in CI logs.

Suggested changes

REPO_URL="https://github.com/cloud-bulldozer/e2e-benchmarking"; -LATEST_TAG=$(curl -s "https://api.github.com/repos/cloud-bulldozer/e2e-benchmarking/releases/latest" | jq -r '.tag_name'); -TAG_OPTION="--branch $(if [ "$E2E_VERSION" == "default" ]; then echo "$LATEST_TAG"; else echo "$E2E_VERSION"; fi)"; git clone $REPO_URL ES_SECRETS_PATH=${ES_SECRETS_PATH:-/secret} ES_HOST=${ES_HOST:-"search-ocp-qe-perf-scale-test-elk-hcm7wtsqpxy7xogbu72bor4uve.us-east-1.es.amazonaws.com"} +set +x ES_PASSWORD=$(cat "${ES_SECRETS_PATH}/password") ES_USERNAME=$(cat "${ES_SECRETS_PATH}/username") +set -x if [ -e "${ES_SECRETS_PATH}/host" ]; then ES_HOST=$(cat "${ES_SECRETS_PATH}/host") fi

And around line 58:

+set +x export ES_SERVER="https://$ES_USERNAME:$ES_PASSWORD@$ES_HOST" +set -x export EXTRA_FLAGS="${KB_FLAGS} ${CRD_SCALE_EXTRA_FLAGS} --gc-metrics=false --profile-type=${PROFILE_TYPE} --iterations=${ITERATIONS}"

🧰 Tools

🪛 Shellcheck (0.11.0)

[warning] 53-53: TAG_OPTION appears unused. Verify use (or export if used externally).

(SC2034)

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@ci-operator/step-registry/openshift-qe/crd-scale/openshift-qe-crd-scale-commands.sh` around lines 52 - 54, Remove the unused external GitHub API call and stale variables by deleting the LATEST_TAG and TAG_OPTION computation (they are never used) and ensure git clone $REPO_URL is used without calling the GitHub releases API; additionally, prevent credential leakage by disabling shell tracing around reading and exporting secrets: wrap the reads of ES_PASSWORD and ES_USERNAME and the export of ES_SERVER with tracing off (temporarily run "set +x" before reading/exporting and "set -x" after) so the sensitive values are not printed to CI logs; references to update: LATEST_TAG, TAG_OPTION, REPO_URL, ES_PASSWORD, ES_USERNAME, ES_SERVER, and any existing set -x usage in this script.

coderabbitai · 2026-05-19T11:57:31Z

-LATEST_TAG=$(curl -s "https://api.github.com/repos/cloud-bulldozer/e2e-benchmarking/releases/latest" | jq -r '.tag_name');
-TAG_OPTION="--branch $(if [ "$E2E_VERSION" == "default" ]; then echo "$LATEST_TAG"; else echo "$E2E_VERSION"; fi)";
-git clone $REPO_URL $TAG_OPTION --depth 1
+git clone $REPO_URL


⚠️ Potential issue | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash # Find the file and read its contents around line 54 fd -t f "openshift-qe-node-density-cni-commands.sh" ci-operator/step-registry/

Repository: openshift/release

Length of output: 159

🏁 Script executed:

#!/bin/bash # Read the file to see the context around line 54 wc -l ci-operator/step-registry/openshift-qe/node-density-cni/openshift-qe-node-density-cni-commands.sh

Repository: openshift/release

Length of output: 162

🏁 Script executed:

#!/bin/bash # Read the full file content with line numbers cat -n ci-operator/step-registry/openshift-qe/node-density-cni/openshift-qe-node-density-cni-commands.sh

Repository: openshift/release

Length of output: 4132

🏁 Script executed:

#!/bin/bash # Search for E2E_VERSION usage in step registry rg "E2E_VERSION" ci-operator/step-registry/ --type sh

Repository: openshift/release

Length of output: 5833

🏁 Script executed:

#!/bin/bash # Search for git clone patterns in step registry scripts rg "git clone" ci-operator/step-registry/ --type sh -A 2 -B 1 | head -100

Repository: openshift/release

Length of output: 12380

🏁 Script executed:

#!/bin/bash # Look for similar benchmark/e2e workload scripts in the step registry fd -t f "*commands.sh" ci-operator/step-registry/ | xargs grep -l "e2e-benchmarking\|kube-burner" | head -10

Repository: openshift/release

Length of output: 353

🏁 Script executed:

#!/bin/bash # Search for other node-density related scripts to compare patterns find ci-operator/step-registry -name "*node-density*-commands.sh" -type f

Repository: openshift/release

Length of output: 761

🏁 Script executed:

#!/bin/bash # Check one of the similar workload scripts to see how they handle git clone cat -n ci-operator/step-registry/openshift-qe/node-density-heavy/openshift-qe-node-density-heavy-commands.sh | head -100

Repository: openshift/release

Length of output: 3174

🏁 Script executed:

#!/bin/bash # Look for cluster-density-v2 to compare find ci-operator/step-registry -name "*cluster-density-v2*-commands.sh" -type f -exec cat -n {} \; | head -150

Repository: openshift/release

Length of output: 6301

🏁 Script executed:

#!/bin/bash # Extract the git clone lines from node-density-heavy to compare patterns sed -n '32,36p' ci-operator/step-registry/openshift-qe/node-density-heavy/openshift-qe-node-density-heavy-commands.sh

Repository: openshift/release

Length of output: 463

Align repository checkout with node-density-heavy using fixed ref and shallow clone.

Line 54 clones without version pinning or shallow depth, causing full history downloads and non-deterministic performance results. The node-density-heavy script demonstrates the established pattern in this codebase for handling this correctly.

Suggested change

+LATEST_TAG=$(curl -s "https://api.github.com/repos/cloud-bulldozer/e2e-benchmarking/releases/latest" | jq -r '.tag_name'); +TAG_OPTION="--branch $(if [ "$E2E_VERSION" == "default" ]; then echo "$LATEST_TAG"; else echo "$E2E_VERSION"; fi)"; -git clone $REPO_URL +git clone $REPO_URL $TAG_OPTION --depth 1

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@ci-operator/step-registry/openshift-qe/node-density-cni/openshift-qe-node-density-cni-commands.sh` at line 54, The git clone line uses an unpinned, full-depth clone (git clone $REPO_URL); update it to match the node-density-heavy pattern by performing a shallow, pinned checkout: use the existing REPO_URL but clone with --depth 1 and --single-branch and pin to a fixed ref/branch variable (e.g., REPO_REF or NODE_DENSITY_REF) or fetch that ref explicitly and checkout it, ensuring deterministic, shallow clones instead of full history downloads.

coderabbitai · 2026-05-19T11:57:31Z

-LATEST_TAG=$(curl -s "https://api.github.com/repos/cloud-bulldozer/e2e-benchmarking/releases/latest" | jq -r '.tag_name');
-TAG_OPTION="--branch $(if [ "$E2E_VERSION" == "default" ]; then echo "$LATEST_TAG"; else echo "$E2E_VERSION"; fi)";
-git clone $REPO_URL $TAG_OPTION --depth 1
+git clone $REPO_URL


⚠️ Potential issue | 🔴 Critical | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

cat -n ci-operator/step-registry/openshift-qe/node-density/openshift-qe-node-density-commands.sh

Repository: openshift/release

Length of output: 4306

Disable tracing around credential operations to prevent leakage in CI logs.

Line 62 exposes $ES_PASSWORD and $ES_USERNAME in the Elasticsearch server URL while set -x is active, which will leak credentials to CI logs. Per coding guidelines, tracing must be temporarily disabled around sensitive URLs and credentials.

Additionally, line 57 should use a shallow clone with a pinned branch for faster, more consistent checkouts.

Suggested changes

REPO_URL="https://github.com/cloud-bulldozer/e2e-benchmarking"; -git clone $REPO_URL +E2E_REF="${E2E_VERSION:-main}" +git clone --depth 1 --branch "${E2E_REF}" "${REPO_URL}" export EXTRA_FLAGS UUID set +o errexit ./run.sh RUN_EXIT_CODE=$? set -o errexit METRICS_FOLDER="collected-metrics-${UUID}" if [[ -f ${METRICS_FOLDER}/jobSummary.json ]]; then cp -r ${METRICS_FOLDER} "${ARTIFACT_DIR}/" if [[ ${JOB_NAME} == *openshift-eng-ocp-qe-perfscale-ci* ]] && [[ ${JOB_TYPE} == "periodic" ]]; then set +e + set +x OCP_PERF_DASH_HOST=$(cat ${ES_SECRETS_PATH}/ocp-perf-dash-address) OCP_PERF_DASH_DIR="/usr/share/ocp-perf-dash/${JOB_NAME}/${WORKLOAD}/${UUID}" METRICS="${METRICS_FOLDER}/*QuantilesMeasurement*.json ${METRICS_FOLDER}/jobSummary.json" SSH_ARGS="-i ${ES_SECRETS_PATH}/ocp-perf-dash-id_rsa -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null" ssh ${SSH_ARGS} ${OCP_PERF_DASH_HOST} "mkdir -p ${OCP_PERF_DASH_DIR}" scp ${SSH_ARGS} ${METRICS} ${OCP_PERF_DASH_HOST}:${OCP_PERF_DASH_DIR}" + set -x set -e

Additionally, lines 25-30 and 62 need tracing disabled around sensitive data operations.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@ci-operator/step-registry/openshift-qe/node-density/openshift-qe-node-density-commands.sh` at line 57, Replace the full clone command (git clone $REPO_URL) with a shallow, branch-pinned clone to speed and stabilize checkouts (use the repo branch/ref variable and depth=1) and wrap sensitive operations where tracing is active: temporarily disable shell tracing (set +x) before the credential-related blocks (the clone/checkout area and the Elasticsearch URL construction that interpolates $ES_USERNAME and $ES_PASSWORD) and re-enable tracing (set -x) immediately after; ensure the exact blocks to change are the git clone invocation and the block that builds/uses the ES server URL so no credentials are emitted.

openshift-ci · 2026-05-19T20:10:50Z

@Sandeepyadav93: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/step-registry-shellcheck	`dd9f520`	link	true	`/test step-registry-shellcheck`
ci/rehearse/periodic-ci-openshift-eng-ocp-qe-perfscale-ci-main-rosa_hcp-4.21-nightly-x86-control-plane-120nodes-onperfsector	`dd9f520`	link	unknown	`/pj-rehearse periodic-ci-openshift-eng-ocp-qe-perfscale-ci-main-rosa_hcp-4.21-nightly-x86-control-plane-120nodes-onperfsector`

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

openshift-ci Bot requested review from mohit-sheth and rsevilla87 May 16, 2026 02:31

openshift-ci Bot removed request for mohit-sheth and rsevilla87 May 16, 2026 02:33

coderabbitai Bot reviewed May 16, 2026

View reviewed changes

Sandeepyadav93 force-pushed the dnm_hcp_runs_for_422 branch from 2316b75 to 085ae44 Compare May 16, 2026 13:20

Sandeepyadav93 force-pushed the dnm_hcp_runs_for_422 branch from 085ae44 to 077b269 Compare May 17, 2026 07:07

Sandeepyadav93 force-pushed the dnm_hcp_runs_for_422 branch 2 times, most recently from fd9292c to c86e396 Compare May 18, 2026 15:05

Sandeepyadav93 force-pushed the dnm_hcp_runs_for_422 branch from c86e396 to 44a7867 Compare May 19, 2026 05:55

coderabbitai Bot reviewed May 19, 2026

View reviewed changes

[dnm] patch to rehearse jobs for 4.22 release readiness

dd9f520

Sandeepyadav93 force-pushed the dnm_hcp_runs_for_422 branch from 44a7867 to dd9f520 Compare May 19, 2026 11:50

coderabbitai Bot reviewed May 19, 2026

View reviewed changes

Conversation

Sandeepyadav93 commented May 16, 2026 • edited by coderabbitai Bot Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Summary

What changed (practical terms)

Impact

Files of interest

Uh oh!

coderabbitai Bot commented May 16, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Reviews paused

Walkthrough

Changes

Suggested labels

❌ Failed checks (1 warning, 1 inconclusive)

Uh oh!

Sandeepyadav93 commented May 16, 2026

Uh oh!

openshift-merge-bot Bot commented May 16, 2026

Uh oh!

Sandeepyadav93 commented May 16, 2026

Uh oh!

coderabbitai Bot left a comment

Choose a reason for hiding this comment

Uh oh!

coderabbitai Bot May 16, 2026

Choose a reason for hiding this comment

Uh oh!

Sandeepyadav93 commented May 16, 2026

Uh oh!

openshift-merge-bot Bot commented May 16, 2026

Uh oh!

Sandeepyadav93 commented May 16, 2026

Uh oh!

openshift-merge-bot Bot commented May 16, 2026

Uh oh!

Sandeepyadav93 commented May 17, 2026

Uh oh!

openshift-merge-bot Bot commented May 17, 2026

Uh oh!

Sandeepyadav93 commented May 17, 2026

Uh oh!

openshift-merge-bot Bot commented May 17, 2026

Uh oh!

Sandeepyadav93 commented May 17, 2026

Uh oh!

openshift-merge-bot Bot commented May 17, 2026

Uh oh!

Sandeepyadav93 commented May 17, 2026

Uh oh!

openshift-merge-bot Bot commented May 17, 2026

Uh oh!

Sandeepyadav93 commented May 18, 2026

Uh oh!

openshift-merge-bot Bot commented May 18, 2026

Uh oh!

Sandeepyadav93 commented May 18, 2026

Uh oh!

openshift-merge-bot Bot commented May 18, 2026

Uh oh!

openshift-merge-bot Bot commented May 18, 2026

Uh oh!

Sandeepyadav93 commented May 19, 2026

Uh oh!

openshift-merge-bot Bot commented May 19, 2026

Uh oh!

openshift-ci Bot commented May 19, 2026

Uh oh!

Sandeepyadav93 commented May 19, 2026

Uh oh!

openshift-merge-bot Bot commented May 19, 2026

Uh oh!

coderabbitai Bot left a comment

Choose a reason for hiding this comment

Uh oh!

coderabbitai Bot May 19, 2026

Choose a reason for hiding this comment

Uh oh!

Sandeepyadav93 commented May 19, 2026

Uh oh!

Sandeepyadav93 commented May 16, 2026 •

edited by coderabbitai Bot

Loading

coderabbitai Bot commented May 16, 2026 •

edited

Loading