do not merge: just for testing

[psturc]

Summary by CodeRabbit

This PR modifies the MAPT cluster cleanup step in the OpenShift CI infrastructure to test a different version of the cleanup script. Specifically, it changes the script source URL in the konflux-ci-mapt-cleanup-commands.sh file from:

https://raw.githubusercontent.com/konflux-ci/tekton-integration-catalog/main/scripts/mapt/delete-mapt-clusters.sh

to:

https://raw.githubusercontent.com/psturc/tekton-integration-catalog/fix-mapt-deletion-script/scripts/mapt/delete-mapt-clusters.sh

This directs the Konflux CI cleanup job to fetch and execute the delete script from a fork (psturc/tekton-integration-catalog) on a feature branch (fix-mapt-deletion-script) rather than the official upstream repository. All other functionality remains unchanged—the script still sets up strict bash error handling, loads AWS credentials, creates a temporary directory, and executes the fetched cleanup script.

As indicated by the draft status and PR title, this is a test PR and is not intended for merging.

[openshift-ci]

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

[psturc]

/pj-rehearse

[openshift-merge-bot]

@psturc: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

[coderabbitai]

Walkthrough

A shell cleanup script is updated to fetch its deletion routine from an alternative GitHub repository branch. The curl command now points to a fork at psturc/tekton-integration-catalog on fix-mapt-deletion-script instead of the upstream konflux-ci/tekton-integration-catalog on main, while all other script behavior remains unchanged.

Changes

MAPT Cleanup Script Source Update

Layer / File(s)	Summary
Script fetch source update ci-operator/step-registry/konflux-ci/mapt-cleanup/konflux-ci-mapt-cleanup-commands.sh	Curl command updated to fetch delete-mapt-clusters.sh from psturc/tekton-integration-catalog on fix-mapt-deletion-script instead of konflux-ci/tekton-integration-catalog on main.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

🚥 Pre-merge checks | ✅ 13 | ❌ 2

❌ Failed checks (2 warnings)

Check name	Status	Explanation	Resolution
Title check	⚠️ Warning	The title 'do not merge: just for testing' is a meta-comment about the PR itself rather than a description of the actual code changes being made (updating the MAPT cleanup script source repository).	Replace the title with a descriptive summary of the actual changes, such as 'Update MAPT cleanup script to use fix-mapt-deletion-script branch from psturc/tekton-integration-catalog' or similar.
Ipv6 And Disconnected Network Test Compatibility	⚠️ Warning	The script downloads and executes delete-mapt-clusters.sh via curl from raw.githubusercontent.com (line 14), requiring public internet in disconnected IPv6-only CI.	Avoid fetching from public internet in disconnected IPv6 jobs—vendor/mirror or pin the script internally (or bundle into the repo) so CI doesn’t need raw.githubusercontent.com; add an IPv6 disconnected CI verification run.

✅ Passed checks (13 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names	✅ Passed	Checked repo: no *_test.go using Ginkgo/onsi/ginkgo and no It/Describe/Context/When test titles found; PR only updates the mapt-cleanup bash script.
Test Structure And Quality	✅ Passed	PR #80473 changes only ci-operator/step-registry/konflux-ci/mapt-cleanup/konflux-ci-mapt-cleanup-commands.sh (a bash script); no Ginkgo test code/It blocks were modified, so the test-quality checks...
Microshift Test Compatibility	✅ Passed	PR #80473 changes only ci-operator/step-registry/konflux-ci/mapt-cleanup/konflux-ci-mapt-cleanup-commands.sh (curl URL swap); no new Ginkgo e2e tests added to evaluate for MicroShift compatibility.
Single Node Openshift (Sno) Test Compatibility	✅ Passed	PR #80473 changes only ci-operator/step-registry/konflux-ci/mapt-cleanup/konflux-ci-mapt-cleanup-commands.sh (no Go/Ginkgo e2e tests added), so SNO compatibility check is not applicable.
Topology-Aware Scheduling Compatibility	✅ Passed	PR only updates a CI bash cleanup script to fetch delete-mapt-clusters.sh from a different upstream ref; no Kubernetes manifests/controllers or scheduling constraints (affinity/topologyKey/spread)...
Ote Binary Stdout Contract	✅ Passed	PR changes only ci-operator/.../konflux-ci-mapt-cleanup-commands.sh (bash). No OTE Go main/init/TestMain suite setup code altered that could corrupt JSON stdout contract.
No-Weak-Crypto	✅ Passed	No weak crypto found: local cleanup script only exports AWS creds and runs a fetched delete-mapt-clusters.sh. Scanned both new/old fetched scripts for MD5/SHA1/DES/RC4/3DES/Blowfish/ECB and secret-...
Container-Privileges	✅ Passed	PR changes only the step-registry bash script/ref; the YAML manifest shown has no privileged/securityContext fields (no hostPID/hostNetwork/hostIPC, SYS_ADMIN, runAsUser, or allowPrivilegeEscalation).
No-Sensitive-Data-In-Logs	✅ Passed	The mapt cleanup wrapper script has no echo/printf/set -x or similar logging that would print AWS secret/token values; curl runs silent (-s) and no sensitive data is written to stdout/stderr.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: psturc

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• ci-operator/step-registry/konflux-ci/mapt-cleanup/OWNERS [psturc]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[openshift-merge-bot]

[REHEARSALNOTIFIER]
@psturc: the pj-rehearse plugin accommodates running rehearsal tests for the changes in this PR. Expand 'Interacting with pj-rehearse' for usage details. The following rehearsable tests have been affected by this change:

Test name	Repo	Type	Reason
periodic-ci-konflux-ci-e2e-tests-main-mapt-clusters-resources-cleanup	N/A	periodic	Registry content changed

Prior to this PR being merged, you will need to either run and acknowledge or opt to skip these rehearsals.

Interacting with pj-rehearse

Comment: /pj-rehearse to run up to 5 rehearsals
Comment: /pj-rehearse skip to opt-out of rehearsals
Comment: /pj-rehearse {test-name}, with each test separated by a space, to run one or more specific rehearsals
Comment: /pj-rehearse more to run up to 10 rehearsals
Comment: /pj-rehearse max to run up to 25 rehearsals
Comment: /pj-rehearse auto-ack to run up to 5 rehearsals, and add the rehearsals-ack label on success
Comment: /pj-rehearse list to get an up-to-date list of affected jobs
Comment: /pj-rehearse abort to abort all active rehearsals
Comment: /pj-rehearse network-access-allowed to allow rehearsals of tests that have the restrict_network_access field set to false. This must be executed by an openshift org member who is not the PR author

Once you are satisfied with the results of the rehearsals, comment: /pj-rehearse ack to unblock merge. When the rehearsals-ack label is present on your PR, merge will no longer be blocked by rehearsals.
If you would like the rehearsals-ack label removed, comment: /pj-rehearse reject to re-block merging.

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In
`@ci-operator/step-registry/konflux-ci/mapt-cleanup/konflux-ci-mapt-cleanup-commands.sh`:
- Line 14: The pipeline currently pipes a mutable personal-fork script directly
into bash via the `curl ... | bash` invocation for `delete-mapt-clusters.sh`,
exposing AWS creds to a supply-chain risk; change this to fetch an immutable
commit/tag URL (or release tarball), save the script to disk (do not pipe),
verify its integrity via checksum or GPG signature, and only then execute it;
additionally run the verified script in a separate least-privileged step or
environment (remove direct execution in the same process where AWS credentials
are exported) to eliminate credential exposure.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 944681ba-0142-4aa7-941e-ba0165566c43

📥 Commits

Reviewing files that changed from the base of the PR and between 57b22aa and 7a92260.

📒 Files selected for processing (1)

• ci-operator/step-registry/konflux-ci/mapt-cleanup/konflux-ci-mapt-cleanup-commands.sh

[coderabbitai]

⚠️ Potential issue | 🔴 Critical | ⚡ Quick win

Pin and verify the fetched script before execution.

Line 14 executes code directly from a mutable personal fork branch (curl ... | bash) while AWS credentials are exported in the same process. This creates a critical supply-chain path for credential exfiltration if that branch changes or is compromised. Use an immutable commit URL, download to disk, verify checksum/signature, then execute.

Suggested hardening

-curl -sSL https://raw.githubusercontent.com/psturc/tekton-integration-catalog/fix-mapt-deletion-script/scripts/mapt/delete-mapt-clusters.sh | bash
+SCRIPT_URL="https://raw.githubusercontent.com/psturc/tekton-integration-catalog/<PINNED_COMMIT_SHA>/scripts/mapt/delete-mapt-clusters.sh"
+SCRIPT_PATH="$(mktemp)"
+SCRIPT_SHA256="<EXPECTED_SHA256>"
+
+curl --fail --silent --show-error --location "${SCRIPT_URL}" -o "${SCRIPT_PATH}"
+echo "${SCRIPT_SHA256}  ${SCRIPT_PATH}" | sha256sum -c -
+bash "${SCRIPT_PATH}"

As per coding guidelines: “Protect sensitive information in step-registry command scripts … never echo passwords, tokens, API keys … to logs.” A mutable unpinned remote script in this credentialed context breaks that guarantee boundary.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In
`@ci-operator/step-registry/konflux-ci/mapt-cleanup/konflux-ci-mapt-cleanup-commands.sh`
at line 14, The pipeline currently pipes a mutable personal-fork script directly
into bash via the `curl ... | bash` invocation for `delete-mapt-clusters.sh`,
exposing AWS creds to a supply-chain risk; change this to fetch an immutable
commit/tag URL (or release tarball), save the script to disk (do not pipe),
verify its integrity via checksum or GPG signature, and only then execute it;
additionally run the verified script in a separate least-privileged step or
environment (remove direct execution in the same process where AWS credentials
are exported) to eliminate credential exposure.

Source: Coding guidelines

[psturc]

/pj-rehearse periodic-ci-konflux-ci-e2e-tests-main-mapt-clusters-resources-cleanup

[openshift-merge-bot]

@psturc: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

[openshift-ci]

@psturc: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.