Skip to content

Add README.md documentation for cmd/ tools #5259

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Draft
Prucek wants to merge 1 commit into
base: main
Choose a base branch
from
Draft

Add README.md documentation for cmd/ tools #5259

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
52 changes: 52 additions & 0 deletions cmd/auto-config-brancher/README.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,5 +1,57 @@
# auto-config-brancher

## What
Orchestrator that runs a sequence of CI configuration tools in order, commits each tool's changes separately, pushes the result, and creates a PR to openshift/release. This is the periodic automation that keeps release branch configs, job definitions, and private org mirrors up to date.

## How it works — tool sequence

Executes these tools in order (each one commits its own changes if any):

| Step | Tool | What it does |
|---|---|---|
| 1 | `config-brancher` | Branch ci-operator configs for future releases (`--skip-periodics`) |
| 2 | `ci-operator-config-mirror` | Mirror configs to openshift-priv (`--to-org openshift-priv --only-org openshift`) |
| 3 | `determinize-ci-operator` | Normalize ci-operator config YAML formatting |
| 4 | `ci-operator-prowgen` | Generate Prow jobs from ci-operator configs |
| 5 | `private-prow-configs-mirror` | Mirror Prow configs to private org |
| 6 | `determinize-prow-config` | Normalize Prow config YAML |
| 7 | `sanitize-prow-jobs` | Validate and format Prow job configs |
| 8 | `clusterimageset-updater` | Update Hive ClusterImageSet resources |
| 9 | `promoted-image-governor` | Validate image promotion configs (dry-run) |

If `--rebalancer-cron` is set and the current time is within +/-1 hour of the cron schedule, `rebalancer` is prepended as step 0.

@coderabbitai coderabbitai Bot Jun 17, 2026

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail
rg -n --hidden --glob '!**/vendor/**' '\b(rebalancer|--rebalancer-cron)\b' cmd/auto-config-brancher cmd/rebalancer

Repository: openshift/ci-tools

Length of output: 867

🏁 Script executed:

#!/bin/bash
# Check main.go for rebalancer-cron flag definition and usage
cat cmd/auto-config-brancher/main.go | head -200

Repository: openshift/ci-tools

Length of output: 6159

🏁 Script executed:

#!/bin/bash
# Search for rebalancer-cron in main.go
rg -n 'rebalancer-cron|rebalancer' cmd/auto-config-brancher/main.go

Repository: openshift/ci-tools

Length of output: 44

🏁 Script executed:

#!/bin/bash
# Find FutureOptions definition
rg -n 'type FutureOptions|--rebalancer-cron' pkg/promotion/

Repository: openshift/ci-tools

Length of output: 120

🏁 Script executed:

#!/bin/bash
# Read FutureOptions struct
sed -n '95,150p' pkg/promotion/promotion.go

Repository: openshift/ci-tools

Length of output: 2034

🏁 Script executed:

#!/bin/bash
# List all files in cmd/auto-config-brancher
find cmd/auto-config-brancher -type f -name "*.go"

Repository: openshift/ci-tools

Length of output: 133

🏁 Script executed:

#!/bin/bash
# Search main_test.go for rebalancer references
rg -n 'rebalancer' cmd/auto-config-brancher/main_test.go

Repository: openshift/ci-tools

Length of output: 44

Remove or implement the --rebalancer-cron flag and step.

The README documents a --rebalancer-cron flag and optional rebalancer step (lines 22, 48), but neither exist in the implementation. The flag is not defined in FutureOptions or anywhere in main.go, and there is no logic to prepend a rebalancer step. Either remove these from the documentation or implement the feature.

🤖 Prompt for AI Agents 
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@cmd/auto-config-brancher/README.md` at line 22, The README documents a
--rebalancer-cron flag and its behavior (lines 22 and 48), but this flag is not
implemented anywhere in the codebase. Either remove all references to the
--rebalancer-cron flag and the optional rebalancer step from the README
documentation, or implement the feature by adding the flag definition to
FutureOptions in main.go and adding the logic to check if the current time is
within +/-1 hour of the cron schedule and prepend rebalancer as step 0 when
appropriate.


### Change detection
1. Records git HEAD SHA before running tools
2. Each tool runs, and if `git diff-index --quiet HEAD` shows changes, stages all and commits with message `"{tool} {args}"`
3. After all tools: compares overall `git diff` from start SHA to current HEAD
4. If no overall diff (changes cancelled out): skips push
5. If changes: pushes to remote branch `auto-config-brancher`

### Authentication
- **Token auth** (`--github-token-path`): pushes via `https://{login}:{token}@github.com/...`
- **GitHub App auth** (no token): uses `GitClientFactory` for authenticated push via app installation

### PR creation
- Title: `"Automate config brancher by auto-config-brancher job at {timestamp}"`
- Labels: `tide/merge-method-merge`, `rehearsals-ack`, `priority/ci-critical`
- If `--self-approve`: adds `approved` and `lgtm` labels
- Body: `/cc @{assign}`
- Updates existing PR if one already exists (matched by title prefix)

## Flags
| Flag | Default | What it controls |
|---|---|---|
| `--target-dir` | — | Root directory of target repository |
| `--github-login` | `openshift-bot` | GitHub username for PR/push |
| `--assign` | `openshift/test-platform` | PR assignee |
| `--rebalancer-cron` | — | Cron expression for rebalancer (+/-1h window) |
| `--self-approve` | false | Auto-add approved+lgtm labels |
| `--current-release` | — | Current OCP release version |
| `--future-release` | — | Target release versions (repeatable) |

## Deployment
Periodic Prow job.
`auto-config-brancher` is a tool that reconciles various parts of CI config
in [openshift/release](https://github.com/openshift/release/) repository.

Expand Down
48 changes: 48 additions & 0 deletions cmd/auto-peribolos-sync/README.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,5 +1,53 @@
# auto-peribolos-sync

## What
Automation wrapper that runs `private-org-peribolos-sync`, detects changes, commits them, and creates or updates a pull request on the `openshift/config` repository. This is the outer orchestration layer; the actual Peribolos config generation is delegated to `private-org-peribolos-sync`.

## How it works -- full flow

1. Initialize GitHub client and secrets
2. Shell out to `/usr/bin/private-org-peribolos-sync` with the provided arguments:
- `--destination-org openshift-priv`
- `--peribolos-config {path}`
- `--release-repo-path {path}`
- `--github-token-path {path}`
- Optionally `--whitelist-file`, `--only-org`, `--flatten-org`
3. After the subprocess completes, check for git changes using `bumper.HasChanges()`
4. If no changes, exit cleanly
5. If changes exist:
- Create a commit with title: `"Automate peribolos configuration sync {RFC1123 timestamp}"`
- Push to the `auto-peribolos-sync` branch on the `openshift/config` repo using HTTPS with token auth
- Create or update a pull request via `bumper.UpdatePullRequestWithLabels()`:
- Target: `openshift/config` default branch
- Source: `{github-login}:auto-peribolos-sync`
- Description: "Updates the repositories of the openshift-priv organization"
- If `--self-approve` is set, add `approved` and `lgtm` labels to the PR

## Flags
| Flag | Default | What it controls |
|---|---|---|
| `--dry-run` | `true` | When true, uses API tokens but does not create the PR |
| `--self-approve` | `false` | Add `approved` and `lgtm` labels to the PR |
| `--github-login` | `openshift-bot` | GitHub username for push and PR creation |
| `--git-name` | `""` | Git commit author name (must pair with `--git-email`) |
| `--git-email` | `""` | Git commit author email (must pair with `--git-name`) |
| `--peribolos-config` | (required) | Path to the Peribolos config file to update |
| `--release-repo-path` | (required) | Path to openshift/release repository directory |
| `--whitelist-file` | `""` | Path to whitelist file, passed through to `private-org-peribolos-sync` |
| `--only-org` | `""` | Only sync repos from this org, passed through |
| `--flatten-org` | (repeatable) | Additional flatten orgs, passed through |
| GitHub flags | | Standard Prow GitHub options |

## Key files
- `cmd/auto-peribolos-sync/main.go` -- all logic in this single file
- `cmd/private-org-peribolos-sync/main.go` -- the actual config generation tool it shells out to

## Deployment
Periodic Prow job. The container image (`ci_auto-peribolos-sync_latest`) bundles both `auto-peribolos-sync` and `private-org-peribolos-sync` binaries. The PR is created against the `openshift/config` repository (not `openshift/release`).

## Related
- `cmd/private-org-peribolos-sync` -- the tool this wrapper executes
- The PR targets `openshift/config` which holds the Peribolos config for all OpenShift GitHub orgs
`auto-peribolos-sync` is a like wrapper over the [private-org-peribolos-sync](../private-org-peribolos-sync) tool.

## What it does
Expand Down
54 changes: 54 additions & 0 deletions cmd/auto-testgrid-generator/README.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,54 @@
# auto-testgrid-generator

## What
Orchestrator that runs `testgrid-config-generator` to produce updated TestGrid dashboard configurations, then creates or updates a pull request against `kubernetes/test-infra` with the changes. This is the automation that keeps TestGrid dashboards in sync with the current set of OpenShift CI periodic jobs.

## How it works -- full flow

1. **Parse flags**: collects paths to the testgrid config directory, release controller config, Prow jobs directory, allow-list file, and git/PR creation options.

2. **Run testgrid-config-generator**: executes `/usr/bin/testgrid-config-generator` as a subprocess with the following arguments:
- `-testgrid-config {dir}` -- where to write TestGrid YAML
- `-release-config {dir}` -- release controller configuration
- `-prow-jobs-dir {dir}` -- Prow periodic job definitions
- `-allow-list {file}` -- job classification overrides

3. **Create or update PR**: uses `prcreation.PRCreationOptions.UpsertPR()` to:
- Check the git working directory for changes
- Create a branch and commit if changes exist
- Push to the fork and create a PR against `kubernetes/test-infra` (configurable with `--github-org`)
- If a PR with matching title already exists, force-push to update it
- PR title format: `Update OpenShift testgrid definitions by auto-testgrid-generator job at {timestamp}`
- Assigns the PR to `--assign` (default: `openshift/test-platform`)

### PR matching
The tool uses title matching (`matchTitle`) to find existing PRs. If a PR with the prefix "Update OpenShift testgrid definitions by auto-testgrid-generator job" already exists, it updates that PR rather than creating a new one.

## Flags
| Flag | Default | What it controls |
|---|---|---|
| `--testgrid-config` | (none) | Directory where TestGrid output YAML is stored |
| `--release-config` | (none) | Directory of release controller config files |
| `--prow-jobs-dir` | (none) | Directory of Prow job config files |
| `--allow-list` | (none) | File with release-type overrides |
| `--working-dir` | `.` | Git working directory |
| `--github-login` | `openshift-bot` | GitHub username for PR creation |
| `--github-org` | `kubernetes` | GitHub org (override for testing) |
| `--upstream-branch` | `master` | Target branch for the PR |
| `--assign` | `openshift/test-platform` | GitHub user or team to assign the PR to |
| `--git-name` | (from GitAuthorOptions) | Git author name for commits |
| `--git-email` | (from GitAuthorOptions) | Git author email for commits |
| (PRCreationOptions flags) | | GitHub token path, etc. |

## Key files
- `cmd/auto-testgrid-generator/main.go` -- entry point, subprocess execution of testgrid-config-generator, PR creation
- `cmd/testgrid-config-generator/main.go` -- the actual TestGrid config generation logic (invoked as a binary)
- `pkg/github/prcreation/` -- PR creation/update library

## Deployment
Periodic Prow job. The container image includes both the `auto-testgrid-generator` and `testgrid-config-generator` binaries (the latter at `/usr/bin/testgrid-config-generator`). The job runs with a GitHub token for PR creation against `kubernetes/test-infra`.

## Related
- `cmd/testgrid-config-generator` -- the actual generation logic, invoked as a subprocess
- Target repo: `kubernetes/test-infra` (TestGrid configuration lives there)
- TestGrid dashboards: `https://testgrid.k8s.io/redhat-openshift-*`
54 changes: 52 additions & 2 deletions cmd/autoowners/README.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,7 +1,57 @@
# Populating `OWNERS` and `OWNERS_ALIASES`
# autoowners

This utility updates the `OWNERS` files from remote OpenShift repositories.
## What
Batch job that syncs OWNERS files from upstream source repositories into the openshift/release repository. For every org/repo that has CI configuration in openshift/release (under `ci-operator/jobs`, `ci-operator/config`, or `ci-operator/templates`), autoowners fetches the root-level `OWNERS` and `OWNERS_ALIASES` files from the upstream repo on GitHub, resolves aliases, filters out users who are not members of the downstream GitHub organization, and writes the resolved OWNERS files into the corresponding directories in openshift/release. It then commits and opens (or updates) a pull request with the changes.

This ensures that the people who own code upstream also control CI job approvals downstream, without manual synchronization.

## How it works -- full flow

1. **Discover repos**: Walk the `ci-operator/{jobs,config,templates}` subdirectories (and any `--extra-config-dir` paths) under `--target-dir` to build a list of org/repo pairs that have CI configuration. Skip the target repo itself (openshift/release) and any repos or orgs on the blocklist (`--ignore-repo`, `--ignore-org`). Each org/repo maps to one or more directories where an OWNERS file should be written.

2. **Fetch upstream OWNERS**: For each discovered org/repo, use the GitHub API (`GetFile`) to fetch the root `OWNERS` file and `OWNERS_ALIASES` file. If no OWNERS file exists upstream, log a warning and skip the repo. Strip `@` prefixes from usernames (common in upstream OWNERS files). Quote purely numeric GitHub usernames with double quotes so YAML parsers treat them as strings instead of integers.

3. **Resolve aliases**: If an `OWNERS_ALIASES` file was found, expand all alias references in the OWNERS file to their constituent usernames. The plugin supports both simple OWNERS format (flat approvers/reviewers lists) and full OWNERS format (filter-based with path patterns).

4. **Filter to org members**: Query the downstream GitHub org (default: `openshift`) for its complete member list via `ListOrgMembers(org, "all")`. Remove any user from the resolved OWNERS who is not a member of the downstream org. All comparisons are case-insensitive.

5. **Set reviewers fallback**: If the resolved OWNERS has approvers but an empty reviewers list, copy the approvers into reviewers. This matches the behavior Prow expects.

6. **Write OWNERS files**: For each directory associated with the org/repo, delete the existing OWNERS file and write the resolved content. Prepend a header comment with five lines: the "DO NOT EDIT" warning, the source URL, a note about alias expansion, a note about org member filtering, and a link to the OWNERS docs.

7. **Detect changes**: Run `git status --porcelain` to find modified OWNERS files. Verify that only OWNERS files were modified (error out if anything else changed). If nothing changed, exit cleanly.

8. **Commit and push**: Use `bumper.GitCommitSignoffAndPush` to commit changes and push to a remote branch (`autoowners`) on the bot's fork. The commit message includes the PR title with a timestamp.

9. **Create or update PR**: Call `bumper.UpdatePullRequestWithLabels` to open or update a pull request against the target repo's base branch. The PR body lists all directories that had OWNERS changes and `/cc`s the assignee. The `rehearsals-ack` label is always added (to skip pj-rehearse). If `--self-approve` is set, `approved` and `lgtm` labels are also added for auto-merge. The PR body is truncated to 65535 characters if it exceeds GitHub's limit.

## Flags
| Flag | Default | What it controls |
|---|---|---|
| `--dry-run` | `true` | When true, do not actually create the PR |
| `--github-login` | `openshift-bot` | GitHub username for push and PR creation |
| `--org` | `openshift` | Downstream GitHub org name (used for member filtering) |
| `--repo` | `release` | Downstream GitHub repository name |
| `--git-name` | (system default) | Git author name for commits |
| `--git-email` | (system default) | Git author email for commits |
| `--git-signoff` | `false` | Whether to add `Signed-off-by` to commits |
| `--assign` | `openshift/test-platform` | GitHub user or team to `/cc` on the PR |
| `--target-dir` | (required) | Path to the local clone of the target repo |
| `--target-subdir` | `ci-operator` | Subdirectory under target-dir where configs live |
| `--config-subdir` | `jobs,config,templates` | Subdirectories to scan for org/repo dirs (repeatable) |
| `--extra-config-dir` | (none) | Additional directories to scan (repeatable) |
| `--ignore-repo` | (none) | Repos to skip, in `org/repo` format (repeatable) |
| `--ignore-org` | (none) | Entire orgs to skip (repeatable) |
| `--debug-mode` | `false` | Enable DEBUG-level logging |
| `--self-approve` | `false` | Add `approved` and `lgtm` labels to the PR |
| `--pr-base-branch` | `master` | Base branch for the PR |
| `--plugin-config` | (none) | Path to Prow plugin config (for custom OWNERS filenames per repo) |

## Key files
- `cmd/autoowners/main.go` -- entire implementation: repo discovery, OWNERS fetching, alias resolution, member filtering, PR creation

## Deployment
Runs as a periodic Prow job (not a long-lived service). Typically scheduled to run on a regular cadence (e.g., daily) against a checkout of openshift/release.
```console
$ autoowners -h
Usage of autoowners:
Expand Down
63 changes: 60 additions & 3 deletions cmd/autopublicizeconfig/README.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,4 +1,61 @@
# Auto publicize config
# autopublicizeconfig

This tool re-generates the publicize plugin configuration file and
submits a pull request against the openshift/release repository.
## What
Automation tool that generates the configuration file for the `publicize` plugin by discovering all repos that need private-to-public mirroring. It scans ci-operator configs and the whitelist to find repos building official images, computes the `openshift-priv/{repo}` to `{org}/{repo}` mapping, writes the config, and creates a PR on `openshift/release`.

This is the config generator for the `publicize` webhook plugin. It keeps the publicize config in sync as repos are added to or removed from the private org.

## How it works -- full flow

1. Initialize GitHub client and secrets
2. Scan ci-operator configs at `{release-repo-path}/ci-operator/config/` for repos that build official images (`api.BuildsAnyOfficialImages` with `WithoutOKD`)
3. Add all repos from the whitelist file
4. For each discovered `{org}/{repo}`:
- Compute the private repo name using `MirroredRepoName()` with the flattened orgs set
- Create the mapping: `openshift-priv/{mirroredName}` -> `{org}/{repo}`
5. Marshal the config as YAML and write to `--publicize-config` path, creating directories as needed
6. Check for git changes using `bumper.HasChanges()`
7. If no changes, exit cleanly
8. If running in dry-run mode, log and exit
9. If changes exist and not dry-run:
- Create a commit with title: `"Automate publicize configuration sync {RFC1123 timestamp}"`
- Push to the `auto-publicize-sync` branch on `openshift/release`
- Create or update a PR via `bumper.UpdatePullRequestWithLabels()`:
- Target: `openshift/release` default branch
- Source: `{github-login}:auto-publicize-sync`
- Description: "Updates the publicize plugin configuration"
- If `--self-approve` is set, add `approved` and `lgtm` labels

## Generated config format
```yaml
repositories:
openshift-priv/installer: openshift/installer
openshift-priv/cluster-version-operator: openshift/cluster-version-operator
openshift-priv/stolostron-multicloud-operators-subscription: stolostron/multicloud-operators-subscription
```

## Flags
| Flag | Default | What it controls |
|---|---|---|
| `--dry-run` | `true` | When true, writes config but does not create PR |
| `--self-approve` | `false` | Add `approved` and `lgtm` labels to the PR |
| `--github-login` | `openshift-bot` | GitHub username for push and PR creation |
| `--git-name` | `""` | Git commit author name (must pair with `--git-email`) |
| `--git-email` | `""` | Git commit author email (must pair with `--git-name`) |
| `--publicize-config` | (required) | Path where the generated publicize config will be written |
| `--release-repo-path` | (required) | Path to openshift/release repository directory |
| `--flatten-org` | (repeatable) | Additional orgs whose repos should not have org prefix |
| `--whitelist-file` | `""` | Path to YAML file listing repos to include |
| GitHub flags | | Standard Prow GitHub options |

## Key files
- `cmd/autopublicizeconfig/main.go` -- all logic in this single file
- `cmd/publicize/` -- the webhook plugin that consumes the generated config
- `pkg/privateorg/flatten.go` -- `MirroredRepoName()` naming logic

## Deployment
Periodic Prow job. Creates PRs against the `openshift/release` repository on branch `auto-publicize-sync`.

## Related
- `cmd/publicize` -- the webhook plugin that uses the generated config
- `cmd/ci-operator-config-mirror` -- uses the same repo discovery logic for a different purpose
Loading