[DRAFT] fix(ci): resolve pre-existing CI failures on rhoai-3.3 #2184
crackcodecamp wants to merge 5 commits into red-hat-data-services:rhoai-3.3 from
Conversation
All v3-0 Tekton PipelineRun YAMLs that reference Dockerfile.konflux.* were incorrectly pointing to non-konflux build-args files (cpu.conf, cuda.conf, rocm.conf). The test_rhds_pipelines_use_rhds_args test enforces that Dockerfile.konflux.* must use konflux.* build-args. Update all 17 affected v3-0 pipelines to reference the konflux.* prefixed build-args files which already exist in each directory.
All pyproject.toml files now use wheel~=0.46.2 consistently (the ==0.46.2 variant was removed). The ignored_exceptions entry for wheel is stale and causes test_image_pyprojects_version_alignment to fail with "now has single specifier but ignored_exceptions expects multiple".
[APPROVALNOTIFIER] This PR is NOT APPROVED
This pull-request has been approved by:
The full list of commands accepted by this bot can be found here.
Details: Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing
📝 Walkthrough
Adds three new composite GitHub Actions (apt-install, playwright-test, setup-uv); switches many Tekton PipelineRun manifests to Konflux-specific build-args files; tweaks Dockerfiles (Meson build-constraint handling, gettext, PDF deps script); updates uv and Pillow settings in pyproject.toml files; removes
Changes
- GitHub Actions: new composite actions
- Tekton PipelineRun build-args refactoring
- Dockerfile constraint and dependency updates
- Python configuration and dependency overrides
- Tests / tooling / CI wiring
@crackcodecamp — This PR is from a fork. Recommended: Push your branch to the main repo for full CI: Then open a new PR from that branch. No push access? A maintainer will cherry-pick and test your changes. See CONTRIBUTING.md for details. |
Add pillow>=12.2.0 to override-dependencies in both llmcompressor pyproject.toml files to resolve the dependency conflict between llmcompressor's pillow upper bound and the required pillow version. Regenerate all pylock.toml files with latest uv to fix stale lock files that included non-Linux platform wheels. Sync codeserver Dockerfile.cpu with Dockerfile.konflux.cpu to fix the Dockerfile alignment check (meson constraint file naming and missing gettext package). Regenerate Dockerfile fragments via dockerfile_fragments.py.
Force-pushed from 5f21dba to d3b40c1.
Copy apt-install, setup-uv, and playwright-test composite actions from upstream/main. These are referenced by the build TEMPLATE workflow on main, which resolves at runtime. Without them, builds fail at the 'Setup uv and Python' step. Add required-version to root pyproject.toml so the setup-uv action can determine which uv version to install.
Force-pushed from d3b40c1 to a27390d.
Actionable comments posted: 1
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In @.github/actions/apt-install/action.yml:
- Line 56: The run step currently expands inputs.packages directly (run: sudo
apt-get install ${{ inputs.packages }}), allowing shell/option injection; change
the action to treat packages as a validated, tokenized list and pass them as
explicit argv rather than a raw shell expansion: require callers to supply a
static space-separated list (or change the input to a multiline/array format),
add shell safety (set -euo pipefail) in the script, and invoke apt-get with a
safe invocation that uses -- to end options and passes each package as a
separate argument (e.g., populate "$@" from a validated split of inputs.packages
or use the action.yml args array feature) so no untrusted characters are
interpreted by the shell or as apt options.
ℹ️ Review info
⚙️ Run configuration
Configuration used: Path: .coderabbit.yaml
Review profile: CHILL
Plan: Enterprise
Run ID: b40b4aaf-fdb5-414c-9017-85eecbe8cc47
📒 Files selected for processing (43)
- .github/actions/apt-install/action.yml
- .github/actions/playwright-test/action.yml
- .github/actions/setup-uv/action.yml
- .tekton/odh-pipeline-runtime-datascience-cpu-py312-v3-0-push.yaml
- .tekton/odh-pipeline-runtime-minimal-cpu-py312-v3-0-push.yaml
- .tekton/odh-pipeline-runtime-pytorch-cuda-py312-v3-0-push.yaml
- .tekton/odh-pipeline-runtime-pytorch-llmcompressor-cuda-py312-v3-0-push.yaml
- .tekton/odh-pipeline-runtime-pytorch-rocm-py312-v3-0-push.yaml
- .tekton/odh-pipeline-runtime-tensorflow-cuda-py312-v3-0-push.yaml
- .tekton/odh-pipeline-runtime-tensorflow-rocm-py312-v3-0-push.yaml
- .tekton/odh-workbench-jupyter-datascience-cpu-py312-v3-0-push.yaml
- .tekton/odh-workbench-jupyter-minimal-cpu-py312-v3-0-push.yaml
- .tekton/odh-workbench-jupyter-minimal-cuda-py312-v3-0-push.yaml
- .tekton/odh-workbench-jupyter-minimal-rocm-py312-v3-0-push.yaml
- .tekton/odh-workbench-jupyter-pytorch-cuda-py312-v3-0-push.yaml
- .tekton/odh-workbench-jupyter-pytorch-llmcompressor-cuda-py312-v3-0-push.yaml
- .tekton/odh-workbench-jupyter-pytorch-rocm-py312-v3-0-push.yaml
- .tekton/odh-workbench-jupyter-tensorflow-cuda-py312-v3-0-push.yaml
- .tekton/odh-workbench-jupyter-tensorflow-rocm-py312-v3-0-push.yaml
- .tekton/odh-workbench-jupyter-trustyai-cpu-py312-v3-0-push.yaml
- codeserver/ubi9-python-3.12/Dockerfile.cpu
- codeserver/ubi9-python-3.12/pylock.toml
- jupyter/datascience/ubi9-python-3.12/Dockerfile.cpu
- jupyter/datascience/ubi9-python-3.12/Dockerfile.konflux.cpu
- jupyter/datascience/ubi9-python-3.12/pylock.toml
- jupyter/minimal/ubi9-python-3.12/pylock.toml
- jupyter/pytorch+llmcompressor/ubi9-python-3.12/pylock.toml
- jupyter/pytorch+llmcompressor/ubi9-python-3.12/pyproject.toml
- jupyter/pytorch/ubi9-python-3.12/pylock.toml
- jupyter/rocm/pytorch/ubi9-python-3.12/pylock.toml
- jupyter/rocm/tensorflow/ubi9-python-3.12/pylock.toml
- jupyter/tensorflow/ubi9-python-3.12/pylock.toml
- jupyter/trustyai/ubi9-python-3.12/pylock.toml
- pyproject.toml
- runtimes/datascience/ubi9-python-3.12/pylock.toml
- runtimes/minimal/ubi9-python-3.12/pylock.toml
- runtimes/pytorch+llmcompressor/ubi9-python-3.12/pylock.toml
- runtimes/pytorch+llmcompressor/ubi9-python-3.12/pyproject.toml
- runtimes/pytorch/ubi9-python-3.12/pylock.toml
- runtimes/rocm-pytorch/ubi9-python-3.12/pylock.toml
- runtimes/rocm-tensorflow/ubi9-python-3.12/pylock.toml
- runtimes/tensorflow/ubi9-python-3.12/pylock.toml
- tests/test_main.py
💤 Files with no reviewable changes (1)
- tests/test_main.py
```yaml
      - name: Install packages
        shell: bash
        run: sudo apt-get install ${{ inputs.packages }}
```
Harden package input handling to prevent command/option injection.
Line 56 executes inputs.packages directly in the shell. In a reusable action, this can be abused via shell metacharacters or apt flags if any caller passes non-literal input.
🔧 Proposed hardening
- - name: Install packages
- shell: bash
- run: sudo apt-get install ${{ inputs.packages }}
+ - name: Install packages
+ shell: bash
+ env:
+ INPUT_PACKAGES: ${{ inputs.packages }}
+ run: |
+ read -r -a pkgs <<< "${INPUT_PACKAGES}"
+ sudo apt-get install -- "${pkgs[@]}"

Verification script:

```bash
#!/bin/bash
set -euo pipefail
# Verify all callers of this action and inspect how `packages` is provided.
rg -n --glob '.github/workflows/*.y*ml' 'uses:\s*\./\.github/actions/apt-install' -C3
rg -n --glob '.github/workflows/*.y*ml' 'packages:\s*\$\{\{'
```

Expected result: callers should pass static package lists, not values derived from untrusted event payloads.
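Review bot: the `read -r -a pkgs <<< "${INPUT_PACKAGES}"` line in the proposed hunk stops at the first newline, so a caller that writes `packages:` as a multi-line YAML block would silently install only the first line; split on all whitespace (for example `mapfile -t pkgs < <(tr -s ' \t\n' '\n' <<< "$INPUT_PACKAGES")`) or state in the action's input description that the value must be a single line. Moving the value into `env:` and adding `--` does close the template-injection and option-injection paths the comment describes, but the hunk still carries no token validation and no `set -euo pipefail`, although the prompt text above asks for both; a per-token check such as `[[ $p =~ ^[a-z0-9][a-z0-9+.-]+$ ]]` would make `curl;` or `$(...)` fail loudly instead of reaching apt as a package name.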
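The expansion-versus-argv distinction the review comment draws, shown end to end as an added example that is not part of the PR or of the repository's apt-install action. A stub `apt_get` function stands in for `sudo apt-get` and only records its argv (an assumption of the example: nothing here installs anything); `unsafe_install` mimics the text substitution GitHub performs on `${{ inputs.packages }}` before bash runs the step, `review_install` is the hunk as proposed, and `safe_install` adds a whitespace-tolerant split and a per-token check against the Debian package-name grammar. The four inputs are constructed for the demonstration.

```bash
#!/usr/bin/env bash
# Added example, not code from the PR or the repository's apt-install action.
# apt_get is a stub that only records its argv (assumption: nothing is installed).
set -uo pipefail

apt_get() { printf '%s\n' "$@"; }

# The original step as bash actually sees it: GitHub substitutes
# ${{ inputs.packages }} into the script text, so the value becomes code.
unsafe_install() {
  local script="apt_get install $1"   # template expansion happens here
  eval "$script"
}

# The hunk as proposed in the review: the value arrives via the environment,
# is split into words, and `--` ends apt option parsing.
review_install() {
  local -a pkgs
  read -r -a pkgs <<<"$1"             # note: stops at the first newline
  apt_get install -- "${pkgs[@]}"
}

# Same idea, but multi-line input is accepted and every token must look
# like a Debian package name (optionally pinned with =version).
safe_install() {
  local -a pkgs
  local p re='^[a-z0-9][a-z0-9+.-]+(=[A-Za-z0-9.+:~-]+)?$'
  mapfile -t pkgs < <(tr -s ' \t\n' '\n' <<<"$1" | sed '/^$/d')
  [ "${#pkgs[@]}" -gt 0 ] || { echo "no packages given" >&2; return 2; }
  for p in "${pkgs[@]}"; do
    [[ $p =~ $re ]] || { echo "rejected token: $p" >&2; return 2; }
  done
  apt_get install -- "${pkgs[@]}"
}

# Stand-alone demo: the same four constructed inputs through each variant.
for input in 'curl jq' 'curl; echo PWNED' \
             '-o APT::Get::AllowUnauthenticated=true curl' $'curl\njq'; do
  printf -- '--- input: %q\n' "$input"
  echo "[unsafe]"; unsafe_install "$input"
  echo "[review]"; review_install "$input"
  echo "[safe]";   safe_install "$input" || echo "(rejected, rc=$?)"
done
```

Running the demo shows the three behaviours side by side: the unsafe form executes `echo PWNED` and hands `-o APT::Get::AllowUnauthenticated=true` to apt as an option, the review form passes both through as inert package-name arguments but drops `jq` from the two-line input, and the validating form installs the two-line input and rejects the other two with exit status 2.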
PR needs rebase.
Details: Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.
Since Nov 2025, GitHub Actions runs pull_request_target workflows from main against all branches. This causes rhoai-3.3 CI failures because newer workflows reference code/configs the branch doesn't have. - provision-k8s: replace inline `sudo rm` (fails on Ubuntu 24.04 where microsoft-prod.list no longer exists) with the apt-install composite action that uses `rm -f` (idempotent) - pre-commit: switch uv-lock from uv-pre-commit repo (pinned at 0.9.18) to a local hook using system uv, avoiding version mismatch with required-version >= 0.10.9 in pyproject.toml
Actionable comments posted: 1
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In @.pre-commit-config.yaml:
- Around line 11-14: The pre-commit hook definition for entry "uv lock --locked"
currently uses a root-anchored files pattern and pass_filenames: false, so it
only validates the repo root; change the hook so it runs per changed file and
matches nested projects by (1) setting pass_filenames: true and (2) replacing
the files regex that references '^uv\.lock$|^pyproject\.toml$|^uv\.toml$' with a
non-root-anchored pattern that matches nested paths (e.g. allow files ending
with uv.lock, pyproject.toml or uv.toml anywhere in the tree), keeping the entry
"uv lock --locked" unchanged.
ℹ️ Review info
⚙️ Run configuration
Configuration used: Path: .coderabbit.yaml
Review profile: CHILL
Plan: Enterprise
Run ID: 40a6e47e-d459-4bc3-8491-21b1a594c72f
📒 Files selected for processing (2)
- .github/actions/provision-k8s/action.yml
- .pre-commit-config.yaml
```yaml
        entry: uv lock --locked
        language: system
        files: '(^uv\.lock$|^pyproject\.toml$|^uv\.toml$)'
        pass_filenames: false
```
uv-lock hook currently protects only the repo root project
The files pattern is root-anchored, and with pass_filenames: false + uv lock --locked, this validates only the root lock context. Nested runtime pyproject.toml/uv.lock changes can bypass this guard.
Suggested adjustment
- id: uv-lock
name: uv-lock
- entry: uv lock --locked
+ entry: bash -c 'set -euo pipefail; for f in "$@"; do d="$(dirname "$f")"; (cd "$d" && uv lock --locked); done' --
language: system
- files: '(^uv\.lock$|^pyproject\.toml$|^uv\.toml$)'
- pass_filenames: false
+ files: '(^|.*/)(uv\.lock|pyproject\.toml|uv\.toml)$'
+ pass_filenames: true
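Review bot: the `files` regex in the `+` lines matches `uv.lock`, `pyproject.toml` and `uv.toml` only, while the lock files this PR changes are named `pylock.toml` (see the files list above: `codeserver/ubi9-python-3.12/pylock.toml`, `jupyter/*/ubi9-python-3.12/pylock.toml`, `runtimes/*/ubi9-python-3.12/pylock.toml`), so a regenerated `pylock.toml` committed on its own still does not trigger the hook; either add `pylock\.toml` to the pattern or say explicitly that `pyproject.toml` is the intended trigger. Separately, the replacement `entry` runs `uv lock --locked` once per passed filename, so a commit touching both `pyproject.toml` and the lock file in one directory runs the check twice there; deduplicate by `dirname` before the loop. Whether `uv lock --locked`, which asserts that `uv.lock` is current, is the right command for directories that carry only a `pylock.toml` cannot be settled from the hunk and should be confirmed against how those files are generated.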
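A per-directory variant of the hook entry discussed above, as an added example that is neither the PR's hook nor the reviewer's diff. It assumes pre-commit invokes the entry from the repository root with the matched paths as arguments (which is what `pass_filenames: true` gives you), runs the lock check once per distinct directory rather than once per file, and treats `LOCK_CHECK_CMD` as an assumed, overridable command string defaulting to `uv lock --locked` so the script can be exercised without uv installed. A directory without a `pyproject.toml` is reported as a failure because the page does not say which command validates a lone `pylock.toml`.

```bash
#!/usr/bin/env bash
# Added example, not the PR's pre-commit hook or the reviewer's diff.
# Intended as a pre-commit `entry:` with pass_filenames: true; pre-commit runs
# it from the repo root with the matched paths as arguments.
# LOCK_CHECK_CMD is an assumed override (default: uv lock --locked) so the
# script can be exercised without uv installed.
set -uo pipefail

# Print each distinct directory of the given paths once, in first-seen order
# (paths containing spaces are out of scope here; the repo's paths have none).
unique_dirs() {
  local f d
  local -a seen=()
  for f in "$@"; do
    d=$(dirname -- "$f")
    case " ${seen[*]:-} " in
      *" $d "*) ;;                               # already queued
      *) seen+=("$d"); printf '%s\n' "$d" ;;
    esac
  done
}

# Run the lock check once per project directory. A directory without a
# pyproject.toml is reported rather than silently skipped, since a lone lock
# file there has nothing to be validated against. Exit status is the number
# of failing directories.
run_lock_checks() {
  local d failures=0
  while IFS= read -r d; do
    if [ ! -f "$d/pyproject.toml" ]; then
      echo "$d: no pyproject.toml, cannot validate lock file" >&2
      failures=$((failures + 1))
      continue
    fi
    # shellcheck disable=SC2086  # intentional word-splitting of the command string
    if ! (cd "$d" && ${LOCK_CHECK_CMD:-uv lock --locked}); then
      echo "$d: lock file is out of date" >&2
      failures=$((failures + 1))
    fi
  done < <(unique_dirs "$@")
  return "$failures"
}

# Stand-alone usage: this is what the hook entry would call.
if [ "$#" -gt 0 ]; then
  run_lock_checks "$@"
fi
```

Because `dirname pyproject.toml` is `.`, the root project is handled by the same loop as the nested `jupyter/*` and `runtimes/*` directories, and a commit that touches both `pyproject.toml` and the lock file of one image runs the check there only once.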
Summary
Fixes pre-existing CI failures affecting all PRs targeting rhoai-3.3.

Root cause
Since November 2025, GitHub Actions runs pull_request_target workflows from main against every branch. This means CI checks added to main after rhoai-3.3 branched off are now running against it, referencing code, actions, and configs the branch doesn't have.

Fixes
- fc5985c: non-konflux build-args while using Dockerfile.konflux.*; updated all 17 to use konflux.* build-args
- e0c5f5f: wheel exception; wheel~=0.46.2 is now used throughout, so the ignored_exceptions entry is no longer needed
- 6f2ea38: llmcompressor==0.9.0 caps pillow<=12.0.0 but CVE-2026-40192 requires >=12.2.0; added override-dependencies and regenerated lock files
- a27390d: build-notebooks-TEMPLATE.yaml on main references apt-install, setup-uv, playwright-test actions that were missing from rhoai-3.3; backported all three
- 9bf5093 (provision-k8s runner failure, 24 AIPCC builds): sudo rm /etc/apt/sources.list.d/microsoft-prod.list (without -f) fails on Ubuntu 24.04 runners where the file no longer exists. Switched to use the backported apt-install action which uses rm -f
- 9bf5093 (pytest-tests pre-commit failure): uv-pre-commit pinned at rev 0.9.18 conflicts with required-version >= 0.10.9 in pyproject.toml. Switched to a local hook using system uv (installed by setup-uv)

Remaining (not fixable here)

Test plan
- pytest-tests passes (all subtests green, pre-commit uv-lock succeeds)
- check-generated-code passes (llmcompressor lock generation succeeds)
- provision-k8s no longer fails on microsoft-prod.list
- code-static-analysis passes