ci: add medik8s-polarion-reporter Prow step for Polarion XUnit import

[maximunited]

Summary

• Adds step-registry/medik8s/polarion-reporter/ — a new post-phase step that POSTs *_junit.xml from $SHARED_DIR to Polarion's XUnit importer API using credentials mounted from medik8s-polarion-creds
• Wires the step into e2e-sbr-aws-odf and e2e-sbr-weekly-aws-odf; the weekly job sets POLARION_TESTRUN_ID=RHWA-SBR-4.22-weekly
• No custom image needed — uses ubi base + curl

Related

• RHWA-844: Enable Polarion test result reporting from Prow E2E tests (SBR)
• Companion PR in medik8s/system-tests: ci: route JUnit XML to ARTIFACT_DIR and copy to SHARED_DIR for Polarion import medik8s/system-tests#15

Blocked on

medik8s-polarion-creds secret must be provisioned in the CI test-credentials namespace via vault.ci.openshift.org before the reporter step will function at runtime. The step itself exits gracefully (no error) if no XML files are found in $SHARED_DIR.

Summary by CodeRabbit

This PR adds automated Polarion test result reporting to the OpenShift CI infrastructure for the medik8s/system-tests repository. It implements a new post-phase Prow step that collects JUnit XML test results from the shared test directory and uploads them to Polarion's XUnit importer API for centralized test tracking.

Infrastructure changes:

1. New Prow step registry entry (medik8s-polarion-reporter):

   • Uses the lightweight UBI base image with curl
   • Reads Polarion credentials from the medik8s-polarion-creds secret
   • Uploads any *_junit.xml files from $SHARED_DIR to Polarion via multipart form POST
   • Exits gracefully if no XML files are present (non-blocking)
   • Returns error on failed imports (HTTP non-2xx responses)
   • Configurable via environment variables for project ID, test run ID, and Polarion instance URL

2. Integration into two SBR (System Builder Recipes) jobs in the 4.22 configuration:

   • e2e-sbr-aws-odf: Standard job that reports results using the default project ID (OSE)
   • e2e-sbr-weekly-aws-odf: Weekly job (runs Sunday 6am UTC) configured with POLARION_TESTRUN_ID=RHWA-SBR-4.22-weekly to consolidate weekly test runs

The implementation is non-blocking—jobs will not fail if the reporter step encounters issues—and depends on the medik8s-polarion-creds secret being provisioned in the test-credentials namespace before runtime.

[openshift-ci]

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: maximunited

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• ci-operator/config/medik8s/system-tests/OWNERS [maximunited]
• ci-operator/step-registry/medik8s/OWNERS [maximunited]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 51955af0-936a-45db-a199-be86454bb7c3

📥 Commits

Reviewing files that changed from the base of the PR and between 50dc07a and a730056.

📒 Files selected for processing (3)

• ci-operator/config/medik8s/system-tests/medik8s-system-tests-main__4.22-konflux.yaml
• ci-operator/step-registry/medik8s/polarion-reporter/medik8s-polarion-reporter-commands.sh
• ci-operator/step-registry/medik8s/polarion-reporter/medik8s-polarion-reporter-ref.yaml

💤 Files with no reviewable changes (1)

• ci-operator/config/medik8s/system-tests/medik8s-system-tests-main__4.22-konflux.yaml

🚧 Files skipped from review as they are similar to previous changes (1)

• ci-operator/step-registry/medik8s/polarion-reporter/medik8s-polarion-reporter-commands.sh

---

Walkthrough

Introduces a new medik8s-polarion-reporter CI step registry entry consisting of a ref YAML configuration and a bash command script. The script uploads JUnit XML test results from $SHARED_DIR to the Polarion XUnit importer API. The step is then added as a post section to the weekly SBR test definition, with a POLARION_TESTRUN_ID variable configured.

Changes

Polarion Reporter Step and Integration

Layer / File(s)	Summary
Polarion reporter step definition ci-operator/step-registry/medik8s/polarion-reporter/medik8s-polarion-reporter-ref.yaml	Step registry ref YAML declares step identity, CLI-based command execution, credential mount from test-credentials/medik8s-polarion-creds at /var/run/polarion, resource requests (100m CPU, 100Mi memory), 10-minute timeout, and Polarion environment variables (POLARION_PROJECT_ID, POLARION_TESTRUN_ID, POLARION_URL) with defaults and documentation.
Reporter script implementation ci-operator/step-registry/medik8s/polarion-reporter/medik8s-polarion-reporter-commands.sh	Bash script with strict error handling discovers *_junit.xml files in $SHARED_DIR, reads Polarion credentials from mounted secret files, constructs the XUnit import URL, generates a temporary XML properties file containing project ID and optional test run ID, and uploads each JUnit file via multipart curl POST, exiting non-zero on HTTP errors.
Wire reporter as post-step in test configs ci-operator/config/medik8s/system-tests/medik8s-system-tests-main__4.22-konflux.yaml	Adds POLARION_TESTRUN_ID: "RHWA-SBR-4.22-weekly" environment variable and a post section referencing medik8s-polarion-reporter to the e2e-sbr-weekly-aws-odf test definition.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

---

Important

Pre-merge checks failed

Please resolve all errors before merging. Addressing warnings is optional.

❌ Failed checks (1 error)

Check name	Status	Explanation	Resolution
No-Sensitive-Data-In-Logs	❌ Error	Line 65 logs unfiltered Polarion API responses via cat "${response_file}", which may expose sensitive data from error messages without redaction.	Filter or redact the response before logging, or log only the HTTP status code without the response body that could contain sensitive information.

✅ Passed checks (14 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately and concisely summarizes the main change: adding a new Prow step for Polarion test result reporting via XUnit import.
Docstring Coverage	✅ Passed	Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names	✅ Passed	This PR adds CI infrastructure (YAML configs and bash scripts) for Polarion test reporting, not Ginkgo tests. No test name definitions exist in the changed files to validate.
Test Structure And Quality	✅ Passed	PR contains no Ginkgo test code — only bash scripts and YAML CI configuration files. Ginkgo test quality check is not applicable.
Microshift Test Compatibility	✅ Passed	This PR adds CI/CD infrastructure files (YAML configs and bash script for test result reporting), not Ginkgo e2e tests. The MicroShift compatibility check applies only to new Ginkgo tests, which ar...
Single Node Openshift (Sno) Test Compatibility	✅ Passed	This PR adds no Ginkgo e2e tests—only CI infrastructure (Polarion reporter step). The SNO compatibility check is inapplicable.
Topology-Aware Scheduling Compatibility	✅ Passed	PR adds CI/CD infrastructure files (Prow job configs and test reporter script), not deployment manifests, operators, or controllers. No scheduling constraints or topology assumptions present.
Ote Binary Stdout Contract	✅ Passed	The OTE Binary Stdout Contract check applies only to Go test binaries, but this PR contains only YAML CI configuration and a bash utility script for result reporting—not test binaries.
Ipv6 And Disconnected Network Test Compatibility	✅ Passed	PR adds CI infrastructure (bash utility script and YAML configs) for Polarion test result reporting, not Ginkgo e2e tests. Check applies only to new test code, so not applicable here.
No-Weak-Crypto	✅ Passed	No weak cryptography (MD5, SHA1, DES, RC4, 3DES, Blowfish, ECB), custom crypto implementations, or non-constant-time secret comparisons detected in the PR files.
Container-Privileges	✅ Passed	No privileged container configurations, hostPID/hostNetwork/hostIPC, SYS_ADMIN capabilities, allowPrivilegeEscalation, or root user directives found in any added/modified files.

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In
`@ci-operator/step-registry/medik8s/polarion-reporter/medik8s-polarion-reporter-commands.sh`:
- Around line 34-38: Add explicit timeout and retry parameters to the curl
command in the http_code variable assignment to prevent indefinite blocking when
Polarion is slow or unreachable. Include connection timeout (--connect-timeout),
maximum operation timeout (--max-time), and retry settings (--retry and
--retry-delay) to the curl invocation. Additionally, consider disabling debug
tracing around the credential passing section where POLARION_USER and
POLARION_PASS are used to prevent credential exposure in logs if tracing is
enabled.

In
`@ci-operator/step-registry/medik8s/polarion-reporter/medik8s-polarion-reporter-ref.yaml`:
- Around line 29-32: The documentation in the yaml file states the glob pattern
as junit_*.xml, but the actual command script implementation uses *_junit.xml.
Update the documentation string in the medik8s-polarion-reporter-ref.yaml file
to match the actual glob pattern used in the command script by changing
junit_*.xml to *_junit.xml to ensure consistency and prevent user confusion
about the expected file naming convention.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 7066dc73-7f14-4e38-8d37-56b1d205b955

📥 Commits

Reviewing files that changed from the base of the PR and between 9fcddd9 and 50dc07a.

📒 Files selected for processing (3)

• ci-operator/config/medik8s/system-tests/medik8s-system-tests-main__4.22-konflux.yaml
• ci-operator/step-registry/medik8s/polarion-reporter/medik8s-polarion-reporter-commands.sh
• ci-operator/step-registry/medik8s/polarion-reporter/medik8s-polarion-reporter-ref.yaml

[coderabbitai]

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Verify current curl invocation in the reporter step lacks explicit timeout flags.
rg -n -C2 'http_code=\$\(curl|--connect-timeout|--max-time|--retry' ci-operator/step-registry/medik8s/polarion-reporter/medik8s-polarion-reporter-commands.sh

Repository: openshift/release

Length of output: 374

---

Add explicit curl timeouts and retries to prevent indefinite blocking on Polarion requests.

The current curl invocation lacks per-request timeout bounds. If Polarion is slow or unreachable, this request can block until the step-level timeout expires. Adding explicit timeouts and retries ensures faster failure and deterministic retry behavior.

Suggested patch

-  http_code=$(curl --silent --output /tmp/polarion-response.txt --write-out "%{http_code}" \
+  http_code=$(curl --silent --output /tmp/polarion-response.txt --write-out "%{http_code}" \
+    --connect-timeout 10 \
+    --max-time 120 \
+    --retry 2 \
+    --retry-delay 2 \
+    --retry-connrefused \
     -u "${POLARION_USER}:${POLARION_PASS}" \
     -F "file=@${xml_file}" \
     -F "properties=@${properties_file}" \
     "${IMPORT_URL}")

Note: This script passes credentials via -u "${POLARION_USER}:${POLARION_PASS}". If debug tracing is enabled (set -x), these will be exposed in logs. Consider temporarily disabling tracing around credential operations per the CLAUDE.md security guidelines.

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	http_code=$(curl --silent --output /tmp/polarion-response.txt --write-out "%{http_code}" \
	-u "${POLARION_USER}:${POLARION_PASS}" \
	-F "file=@${xml_file}" \
	-F "properties=@${properties_file}" \
	"${IMPORT_URL}")
	http_code=$(curl --silent --output /tmp/polarion-response.txt --write-out "%{http_code}" \
	--connect-timeout 10 \
	--max-time 120 \
	--retry 2 \
	--retry-delay 2 \
	--retry-connrefused \
	-u "${POLARION_USER}:${POLARION_PASS}" \
	-F "file=@${xml_file}" \
	-F "properties=@${properties_file}" \
	"${IMPORT_URL}")

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In
`@ci-operator/step-registry/medik8s/polarion-reporter/medik8s-polarion-reporter-commands.sh`
around lines 34 - 38, Add explicit timeout and retry parameters to the curl
command in the http_code variable assignment to prevent indefinite blocking when
Polarion is slow or unreachable. Include connection timeout (--connect-timeout),
maximum operation timeout (--max-time), and retry settings (--retry and
--retry-delay) to the curl invocation. Additionally, consider disabling debug
tracing around the credential passing section where POLARION_USER and
POLARION_PASS are used to prevent credential exposure in logs if tracing is
enabled.

[coderabbitai]

⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Align the documented XML glob with the implemented one.

The docs say junit_*.xml, but the command script matches *_junit.xml. Please make these consistent to avoid operator confusion.

Suggested patch

-    Must run after the test step that writes junit_*.xml files to $SHARED_DIR.
+    Must run after the test step that writes *_junit.xml files to $SHARED_DIR.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In
`@ci-operator/step-registry/medik8s/polarion-reporter/medik8s-polarion-reporter-ref.yaml`
around lines 29 - 32, The documentation in the yaml file states the glob pattern
as junit_*.xml, but the actual command script implementation uses *_junit.xml.
Update the documentation string in the medik8s-polarion-reporter-ref.yaml file
to match the actual glob pattern used in the command script by changing
junit_*.xml to *_junit.xml to ensure consistency and prevent user confusion
about the expected file naming convention.

[openshift-merge-bot]

[REHEARSALNOTIFIER]
@maximunited: the pj-rehearse plugin accommodates running rehearsal tests for the changes in this PR. Expand 'Interacting with pj-rehearse' for usage details. The following rehearsable tests have been affected by this change:

Test name	Repo	Type	Reason
periodic-ci-medik8s-system-tests-main-4.22-konflux-e2e-sbr-weekly-aws-odf	N/A	periodic	Ci-operator config changed

Interacting with pj-rehearse

Comment: /pj-rehearse to run up to 5 rehearsals
Comment: /pj-rehearse skip to opt-out of rehearsals
Comment: /pj-rehearse {test-name}, with each test separated by a space, to run one or more specific rehearsals
Comment: /pj-rehearse more to run up to 10 rehearsals
Comment: /pj-rehearse max to run up to 25 rehearsals
Comment: /pj-rehearse auto-ack to run up to 5 rehearsals, and add the rehearsals-ack label on success
Comment: /pj-rehearse list to get an up-to-date list of affected jobs
Comment: /pj-rehearse abort to abort all active rehearsals
Comment: /pj-rehearse network-access-allowed to allow rehearsals of tests that have the restrict_network_access field set to false. This must be executed by an openshift org member who is not the PR author

Once you are satisfied with the results of the rehearsals, comment: /pj-rehearse ack to unblock merge. When the rehearsals-ack label is present on your PR, merge will no longer be blocked by rehearsals.
If you would like the rehearsals-ack label removed, comment: /pj-rehearse reject to re-block merging.

[openshift-ci]

@maximunited: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/ci-operator-config-metadata	a730056	link	true	/test ci-operator-config-metadata
ci/prow/owners	a730056	link	true	/test owners
ci/prow/step-registry-metadata	a730056	link	true	/test step-registry-metadata

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.