OSAC-794: add Slack notification step to step registry #79364

Open
omer-vishlitzky wants to merge 1 commit into openshift:main from omer-vishlitzky:osac-slack-notify

@omer-vishlitzky omer-vishlitzky commented May 16, 2026

Summary

  • Adds osac-project-notify step-registry ref that posts job results to Slack via incoming webhook
  • Not wired into any workflow yet — will be added to periodic jobs in a follow-up

Test plan

  • Webhook tested manually and via rehearsal — Slack message received successfully

Summary

This PR adds a new Slack notification capability to OpenShift CI's step registry. The change introduces a new step named osac-project-notify that enables CI jobs to post their completion status to Slack via an incoming webhook.

Changes Made

A complete notification step has been added to the OSAC project's step registry:

Step Configuration (osac-project-notify-ref.yaml): Defines a new CI step that runs as best_effort with a 5-minute timeout. The step executes a bash script to notify Slack, requests 100m CPU and 200Mi memory, and securely retrieves the webhook URL from a Vault-mounted credential (osac-slack-webhook). The step includes documentation explaining it sends the job result and a link to Prow logs.

Notification Logic (osac-project-notify-commands.sh): Implements the Slack notification by reading the webhook URL from Vault, determining the correct Prow logs URL based on the job type (distinguishing between presubmit pull logs and generic job logs), and posting a JSON message containing the job name, build ID, and logs link.

Access Control: Both the OWNERS file and metadata configuration establish osac-cicd as the approvers and reviewers for this new step.

Integration Status

The new step is not yet integrated into any workflows. According to the PR description, integration with periodic jobs will be handled in a follow-up change.

Testing

The webhook has been tested manually and via rehearsal, with successful Slack message delivery confirmed.

Add osac-project-notify step-registry ref that posts job results
to Slack via incoming webhook. Not wired into any workflow yet.
@openshift-ci-robot openshift-ci-robot added the jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. label May 16, 2026

openshift-ci-robot commented May 16, 2026

@omer-vishlitzky: This pull request references OSAC-865 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the task to target the "5.0.0" version, but no target version was set.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@openshift-ci openshift-ci Bot requested review from akshaynadkarni and eranco74 May 16, 2026 09:10

openshift-ci Bot commented May 16, 2026

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: omer-vishlitzky

@openshift-ci openshift-ci Bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label May 16, 2026

coderabbitai Bot commented May 16, 2026

Walkthrough

This PR introduces a new Slack notification step for OSAC CI pipelines. It registers a new step in the CI operator step registry, implements a bash script that reads webhook credentials from Vault and posts job completion notifications to Slack, and establishes ownership for the new step configuration.

Changes

OSAC Project Slack Notification Step

Layer: Step registry definition and metadata
File(s): ci-operator/step-registry/osac-project/notify/osac-project-notify-ref.yaml, ci-operator/step-registry/osac-project/notify/osac-project-notify-ref.metadata.json
Summary: New step registry entry declares osac-project-notify as best-effort with 5-minute timeout, mounts osac-slack-webhook credential from Vault, requests 100m CPU and 200Mi memory, and includes documentation. Metadata JSON assigns osac-cicd as approver and reviewer.

Layer: Slack notification implementation
File(s): ci-operator/step-registry/osac-project/notify/osac-project-notify-commands.sh
Summary: Bash script with strict options reads webhook URL from Vault-provided path, derives Prow job log URL based on job type (presubmit routes to pull logs; others route to generic logs), and sends curl POST with job name, build id, and log link.

Layer: Ownership configuration
File(s): ci-operator/step-registry/osac-project/notify/OWNERS
Summary: OWNERS file designates osac-cicd as both approvers and reviewers for the notify step path.

🎯 1 (Trivial) | ⏱️ ~3 minutes

🚥 Pre-merge checks | ✅ 12
✅ Passed checks (12 passed)
Check name | Status | Explanation
Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled.
Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names | ✅ Passed | No Ginkgo tests present. PR adds CI/CD infrastructure (OWNERS, bash script, JSON metadata, YAML config). Custom check for stable test names not applicable.
Test Structure And Quality | ✅ Passed | Custom check for Ginkgo test code quality is not applicable to this PR. PR adds CI infrastructure files (OWNERS, bash script, YAML config, metadata JSON) only, with no test code.
Microshift Test Compatibility | ✅ Passed | PR adds no Ginkgo e2e tests, only CI/CD infrastructure (step registry configuration and bash script). MicroShift compatibility check is not applicable.
Single Node Openshift (Sno) Test Compatibility | ✅ Passed | This PR does not add any Ginkgo e2e tests. It only adds CI step registry files: a Slack notification script, YAML configuration, metadata, and OWNERS file. The SNO check is not applicable.
Topology-Aware Scheduling Compatibility | ✅ Passed | PR adds CI step-registry entries (pipeline configuration), not production deployment manifests. No scheduling constraints are introduced; check is not applicable to CI infrastructure changes.
Ote Binary Stdout Contract | ✅ Passed | PR adds CI orchestration files (bash script, YAML config, metadata, OWNERS), not OTE binaries. OTE Stdout Contract applies only to test code which is not present.
Ipv6 And Disconnected Network Test Compatibility | ✅ Passed | No Ginkgo e2e tests added in this PR. The check is not applicable - this PR adds CI/CD notification infrastructure (OWNERS, bash script, YAML/JSON configs) rather than e2e tests.
Title check | ✅ Passed | The PR title accurately describes the main change: adding a Slack notification step to the step registry, which is the primary purpose of the changeset.

@openshift-merge-bot openshift-merge-bot Bot added the rehearsals-ack Signifies that rehearsal jobs have been acknowledged label May 16, 2026
@openshift-merge-bot

[REHEARSALNOTIFIER]
@omer-vishlitzky: no rehearsable tests are affected by this change

Note: If this PR includes changes to step registry files (ci-operator/step-registry/) and you expected jobs to be found, try rebasing your PR onto the base branch. This helps pj-rehearse accurately detect changes when the base branch has moved forward.

@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 1

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 2913b073-472d-4ad1-bcd0-4bc8c5ef67c2

📥 Commits

Reviewing files that changed from the base of the PR and between 2c6d49e and e1cc7cf.

📒 Files selected for processing (4)
  • ci-operator/step-registry/osac-project/notify/OWNERS
  • ci-operator/step-registry/osac-project/notify/osac-project-notify-commands.sh
  • ci-operator/step-registry/osac-project/notify/osac-project-notify-ref.metadata.json
  • ci-operator/step-registry/osac-project/notify/osac-project-notify-ref.yaml

Comment on lines +3 to +17
set -o nounset
set -o pipefail

WEBHOOK_URL="$(cat /var/run/vault/osac-slack-webhook/url)"
PROW_URL="https://prow.ci.openshift.org/view/gs/test-platform-results"

if [[ "${JOB_TYPE:-}" == "presubmit" ]]; then
JOB_URL="${PROW_URL}/pr-logs/pull/${REPO_OWNER}_${REPO_NAME}/${PULL_NUMBER}/${JOB_NAME}/${BUILD_ID}"
else
JOB_URL="${PROW_URL}/logs/${JOB_NAME}/${BUILD_ID}"
fi

curl -s -X POST -H 'Content-type: application/json' \
--data "{\"text\":\"Job *${JOB_NAME}* #${BUILD_ID} completed.\n<${JOB_URL}|View logs>\"}" \
"${WEBHOOK_URL}"
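
Review bot: The final line hands "${WEBHOOK_URL}" to curl as a command-line argument, so the secret sits in the process argument list and in any xtrace output of that command; pass it on stdin instead, for example with curl --config - reading a single url = "..." line. On the --data line the JSON body is built by interpolating ${JOB_NAME}, ${BUILD_ID} and ${JOB_URL} unescaped, so a quote or backslash in any of them yields an invalid payload; build the body with a JSON-aware tool or escape the values first.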

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

fd -type f -name "*osac-project-notify-commands.sh"

Repository: openshift/release

Length of output: 232


🏁 Script executed:

fd -t f "osac-project-notify-commands.sh"

Repository: openshift/release

Length of output: 139


🏁 Script executed:

cat -n ci-operator/step-registry/osac-project/notify/osac-project-notify-commands.sh

Repository: openshift/release

Length of output: 742


🏁 Script executed:

find . -type f -name "*.md" | xargs grep -l "step-registry" | head -5

Repository: openshift/release

Length of output: 285


🏁 Script executed:

find . -path "*/step-registry/*commands.sh" -type f | head -10 | xargs head -5

Repository: openshift/release

Length of output: 1687


🏁 Script executed:

# Check how many step-registry scripts use set -euo/set -e instead of individual flags
find . -path "*/step-registry/*commands.sh" -type f | wc -l
echo "---"
find . -path "*/step-registry/*commands.sh" -type f -exec grep -l "set -euo\|set -e " {} \; | wc -l
echo "---"
# Check for set +x/set -x patterns around sensitive operations
find . -path "*/step-registry/*commands.sh" -type f -exec grep -l "set +x\|set -x" {} \; | head -10

Repository: openshift/release

Length of output: 22016


🏁 Script executed:

# Check what pattern is standard in step-registry - look at recent examples
rg "set -euo\|set -e " ci-operator/step-registry/ -A1 -B1 | head -50

Repository: openshift/release

Length of output: 43


🏁 Script executed:

# Check the specific file and check what set options are most common in step-registry
rg "^set -" ci-operator/step-registry/ -c | sort | uniq -c | sort -rn | head -20

Repository: openshift/release

Length of output: 2149


🏁 Script executed:

# Let's look at actual set patterns in step-registry files
rg "^set -" ci-operator/step-registry/ --no-heading | head -50

Repository: openshift/release

Length of output: 6491


🏁 Script executed:

# Look at examples of how other scripts handle sensitive data with set +x
rg -A5 "set \+x" ci-operator/step-registry/ | head -60

Repository: openshift/release

Length of output: 6421


🏁 Script executed:

# Check if there are existing examples in step-registry of saving/restoring xtrace state with proper patterns
rg -B3 -A10 "xtrace_was_on|xtrace_state" ci-operator/step-registry/

Repository: openshift/release

Length of output: 43


🏁 Script executed:

# Look for examples of how scripts handle curl and error checking
rg "curl.*-s" ci-operator/step-registry/ | head -20

Repository: openshift/release

Length of output: 4354


Use set -euo pipefail and disable tracing around sensitive operations.

Lines 3-4 should consolidate to set -euo pipefail. Disable tracing with set +x around the webhook URL read and curl call to prevent credential leakage in CI logs. Additionally, add error checking to curl with --fail to prevent silent failures when the notification cannot be delivered.

Suggested changes
-set -o nounset
-set -o pipefail
+set -euo pipefail
 
+set +x
-WEBHOOK_URL="$(cat /var/run/vault/osac-slack-webhook/url)"
+WEBHOOK_URL="$(< /var/run/vault/osac-slack-webhook/url)"
 PROW_URL="https://prow.ci.openshift.org/view/gs/test-platform-results"
+set -x
 
 if [[ "${JOB_TYPE:-}" == "presubmit" ]]; then
     JOB_URL="${PROW_URL}/pr-logs/pull/${REPO_OWNER}_${REPO_NAME}/${PULL_NUMBER}/${JOB_NAME}/${BUILD_ID}"
 else
     JOB_URL="${PROW_URL}/logs/${JOB_NAME}/${BUILD_ID}"
 fi
 
-curl -s -X POST -H 'Content-type: application/json' \
+set +x
+curl --fail -s -X POST -H 'Content-type: application/json' \
     --data "{\"text\":\"Job *${JOB_NAME}* #${BUILD_ID} completed.\n<${JOB_URL}|View logs>\"}" \
     "${WEBHOOK_URL}"
+set -x
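
Review bot: The two added "set -x" lines (after the PROW_URL assignment and after the curl call) switch xtrace on unconditionally, although nothing in the script enabled it before; with this suggestion applied, the if block and anything later appended to the script is traced, and the webhook stays out of the log only as long as the second "set +x" remains directly ahead of curl. Record whether x is present in $- before each "set +x" and restore it only in that case, or drop both "set -x" lines. The PROW_URL assignment is not sensitive and does not need to sit inside the untraced region.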

Per coding guidelines, step-registry scripts should use set -euo pipefail and protect sensitive operations from being logged.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In
`@ci-operator/step-registry/osac-project/notify/osac-project-notify-commands.sh`
around lines 3 - 17, The script currently uses set -o nounset and set -o
pipefail but should use set -euo pipefail; replace those options accordingly,
and wrap the sensitive operations that read WEBHOOK_URL and call curl (the
WEBHOOK_URL assignment and the curl invocation) with tracing disabled (use set
+x before and restore previous errexit/tracing state after) to avoid leaking the
webhook; also add curl --fail and check its exit status (or let -e cause exit)
so notification failures are not silent—refer to the WEBHOOK_URL variable
assignment and the curl command to locate the changes.
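
The tracing concern raised in the review above, as an added example that is not code from this PR or from openshift/release: it runs the reviewed pattern and a hardened variant under set -x and checks whether the webhook URL reaches the trace. SENDER, notify_leaky, notify_quiet, fake_curl, trace_of and leaks are hypothetical names, and the webhook URL is a constructed placeholder.

```sh
#!/bin/sh
# Added example; all function names and the SENDER variable are hypothetical.

# Pattern from the script under review: the secret is expanded while xtrace
# may be on, and it travels in curl's argument list.
notify_leaky() {   # $1 = file holding the webhook URL, $2 = JSON body
    _url=$(cat "$1")
    "${SENDER:-curl}" --fail -s -X POST -H 'Content-type: application/json' \
        --data "$2" "$_url"
}

# Hardened form: remember whether xtrace was on, switch it off before the
# secret is read, give curl the URL on stdin (--config -), then restore.
# The caller passes the file path, never the URL, so the call line is safe too.
notify_quiet() {   # same arguments as notify_leaky
    case $- in *x*) _had_xtrace=1 ;; *) _had_xtrace=0 ;; esac
    set +x
    _rc=0
    _url=$(cat "$1") || _rc=$?
    if [ "$_rc" -eq 0 ]; then
        printf 'url = "%s"\n' "$_url" |
            "${SENDER:-curl}" --config - --fail -s -X POST \
                -H 'Content-type: application/json' --data "$2" || _rc=$?
    fi
    unset _url
    if [ "$_had_xtrace" -eq 1 ]; then set -x; fi
    return "$_rc"
}

# Offline stand-in for curl: swallows stdin, sends nothing.
fake_curl() { cat >/dev/null; }

# trace_of FUNC: run FUNC under `set -x` against a constructed secret file
# and print the xtrace output it produced.
trace_of() {
    _dir=$(mktemp -d) || return 1
    printf '%s\n' 'https://hooks.example.invalid/services/CONSTRUCTED-SECRET' \
        >"$_dir/url"
    ( SENDER=fake_curl; set -x
      "$1" "$_dir/url" '{"text":"done"}'
      : resumed ) </dev/null 2>&1
    rm -rf "$_dir"
}

# leaks FUNC: succeeds if the constructed secret shows up in FUNC's trace.
leaks() {
    case $(trace_of "$1") in
        *CONSTRUCTED-SECRET*) return 0 ;;
        *) return 1 ;;
    esac
}

for f in notify_leaky notify_quiet; do
    if leaks "$f"; then
        echo "$f: webhook URL appears in xtrace output"
    else
        echo "$f: xtrace output is clean"
    fi
done
```

The ": resumed" marker in trace_of shows that tracing is back on after notify_quiet returns, which is the state-restore behaviour the review asks for.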


openshift-ci Bot commented May 16, 2026

@omer-vishlitzky: all tests passed!

omer-vishlitzky added a commit to omer-vishlitzky/release that referenced this pull request May 17, 2026
…tion

Add a nightly periodic job that installs OSAC with ALL component images
overridden to their latest CI-built versions, runs all vmaas tests, and
sends results to Slack with pass/fail status and component versions.

New step-registry components:
- osac-project-installer-all-latest: installs OSAC with fulfillment-service,
  osac-operator, and osac-aap images all swapped to latest
- osac-project-baremetal-test-all: runs make test-vmaas (all tests)
- osac-project-ofcir-baremetal-nightly: dedicated nightly workflow
- osac-project-notify: Slack webhook notification (from PR openshift#79364)

Removes unused dead code:
- osac-project-installer-component: single-image swap, replaced by all-latest
- osac-project-ofcir-baremetal-component: workflow using installer-component
@omer-vishlitzky omer-vishlitzky changed the title OSAC-865: add Slack notification step to step registry OSAC-794: add Slack notification step to step registry May 17, 2026

openshift-ci-robot commented May 17, 2026

@omer-vishlitzky: This pull request references OSAC-794 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the task to target the "5.0.0" version, but no target version was set.

@omer-vishlitzky

/jira refresh


openshift-ci-robot commented May 17, 2026

@omer-vishlitzky: This pull request references OSAC-794 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the task to target the "5.0.0" version, but no target version was set.
