hardcode kustomize download to bypass github api rate limits#1171
Conversation
|
No actionable comments were generated in the recent review. 🎉 ℹ️ Recent review info⚙️ Run configurationConfiguration used: Repository YAML (base), Organization UI (inherited) Review profile: CHILL Plan: Enterprise Run ID: 📒 Files selected for processing (1)
🔗 Linked repositories identifiedCodeRabbit considers these linked repositories for cross-repo context during reviews:
🚧 Files skipped from review as they are similar to previous changes (1)
📝 WalkthroughSummary by CodeRabbitRelease Notes
WalkthroughThe Dockerfile adds build arguments for the Kustomize version and checksum, then replaces the script-based install with a checksum-verified tarball download and extraction into ChangesKustomize Installation Versioning
Estimated code review effort: 2 (Simple) | ~8 minutes 🚥 Pre-merge checks | ✅ 5✅ Passed checks (5 passed)
Comment |
There was a problem hiding this comment.
Actionable comments posted: 1
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@openshift-ci/build-root/Dockerfile`:
- Line 18: The Dockerfile currently downloads and installs kustomize using the
RUN curl ... | tar -xz pipeline with KUSTOMIZE_VERSION but performs no integrity
check; update the Dockerfile to fetch the corresponding release checksum or
signature for kustomize (using KUSTOMIZE_VERSION), verify the downloaded archive
before extracting (e.g., compare sha256/sha512 against the release checksum or
verify a GPG signature), and only copy the binary to /usr/local/bin if the
verification succeeds; reference the existing KUSTOMIZE_VERSION variable and the
kustomize_${KUSTOMIZE_VERSION}_linux_amd64.tar.gz artifact when implementing the
checksum/sig retrieval and verification step.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Organization UI
Review profile: CHILL
Plan: Enterprise
Run ID: 8d9e56c1-8ad1-4b23-adc2-2ac0b82e005b
📒 Files selected for processing (1)
openshift-ci/build-root/Dockerfile
|
/lgtm |
Signed-off-by: Triona Doyle <tekton@example.com>
Signed-off-by: Triona Doyle <tekton@example.com>
b008a14 to
4d1bbe8
Compare
|
/retest |
1 similar comment
|
/retest |
|
/lgtm |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: svghadi The full list of commands accepted by this bot can be found here. The pull request process is described here DetailsNeeds approval from an approver in each of these files:
Approvers can indicate their approval by writing |
|
@trdoyle81: The following test failed, say
Full PR test history. Your PR dashboard. DetailsInstructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here. |
|
/retest |
79f3ade
into
redhat-developer:master
What type of PR is this?
/kind failing-test
What does this PR do / why we need it:
Fixes flaky OpenShift CI
imagesjob failures.The
install_kustomize.shscript in the CI Dockerfile queries the GitHub API, which frequently gets blocked by rate limits (403 API Rate Limit Exceeded) due to shared CI IPs. This causes a silent download failure and crashes the build during thetarextraction. This PR replaces the script with a directcurl | tardownload of Kustomizev5.8.1. This bypasses the GitHub API completely and makes the CI build deterministic.Have you updated the necessary documentation?
Which issue(s) this PR fixes:
Fixes #
Test acceptance criteria:
How to test changes / Special notes to the reviewer:
podman build -t ci-test .