USHIFT-7116: add microshift-release-evaluation periodic job #79994

Draft
agullon wants to merge 1 commit into openshift:main from agullon:USHIFT-7116

@agullon agullon commented Jun 2, 2026

Summary

Adds a new Prow periodic job (microshift-release-evaluation) that automates MicroShift release evaluation for upcoming OCP z-stream releases.

  • Runs the microshift-release:pre-check AI skill every Thursday and Friday at 16:00 UTC
  • Posts color-coded results to #team-ocp-edge-notifications via Prow reporter_config
  • Uses the same edge-tooling AI helpers image and credential patterns as microshift-ci-doctor
  • Requires intranet access (restrict_network_access: false) for Brew/advisory checks

New files

  • Step registry: workflow, ref, and commands script under openshift/edge-tooling/microshift-release/evaluation/
  • Job config entry in openshift-eng-edge-tooling-main.yaml

Blocked by

This job depends on the edge-tooling AI helpers image containing the latest pre-check skill changes:

Jira

USHIFT-7116 (parent: USHIFT-6766)

Test plan

  • Prow rehearsal passes for this PR
  • First scheduled periodic run posts correct Slack message
  • Artifact links in Slack message resolve correctly

Summary by CodeRabbit

This PR adds a new periodic Prow CI job to automate MicroShift release evaluation against upcoming OCP z-stream releases. The job is configured to run every Thursday and Friday at 16:00 UTC and will post color-coded evaluation results to the #team-ocp-edge-notifications Slack channel.

What's being added:

The implementation consists of:

  1. A new scheduled test job entry (microshift-release-evaluation) in the OpenShift edge-tooling CI configuration
  2. A complete step-registry workflow under openshift/edge-tooling/microshift-release/evaluation/ that includes:
    • A Bash script that orchestrates the evaluation by invoking a Claude AI skill
    • YAML workflow and step definitions
    • Metadata and ownership files

Technical details:

The job reuses existing patterns from the microshift-ci-doctor job, including the same edge-tooling AI helpers container image and credential management approach. The evaluation script:

  • Loads GitHub and Jira credentials from mounted secrets
  • Dynamically configures Claude MCP servers (Product Pages and optionally Jira)
  • Clones/updates the MicroShift repository
  • Runs the microshift-release:pre-check AI skill with a time-bounded prompt
  • Saves results to artifacts for Slack notification and artifact linking

The job requires intranet access (restrict_network_access: false) to perform Brew and advisory checks needed for the evaluation.

Status and dependencies:

This PR is currently blocked on upstream edge-tooling PRs that need to update the pre-check skill to migrate Jira queries to MCP OAuth and replace the Product Pages MCP integration with ART Jira support.

Adds a new Prow periodic job that runs the microshift-release:pre-check
AI skill every Thursday and Friday at 16:00 UTC. The job evaluates
upcoming OCP z-stream releases for MicroShift participation and posts
results to #team-ocp-edge-notifications via Prow reporter_config.

New step registry files:
- workflow, ref, and commands script under
  openshift/edge-tooling/microshift-release/evaluation/

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

pre-commit.check-secrets: ENABLED

openshift-ci Bot commented Jun 2, 2026

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

@openshift-ci openshift-ci Bot added the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Jun 2, 2026

coderabbitai Bot commented Jun 2, 2026

Walkthrough

This PR introduces a complete scheduled CI workflow for evaluating OpenShift z-stream releases against MicroShift compatibility. A new test job runs Thursdays and Fridays at 16:00 UTC, invoking a Claude-based evaluation workflow that manages credentials, configures AI connectivity via MCP servers, executes a pre-check skill, and reports results to Slack via the Prow reporter.

Changes

MicroShift Release Evaluation Workflow

Layer: Workflow and job registration
Files:
  • ci-operator/config/openshift-eng/edge-tooling/openshift-eng-edge-tooling-main.yaml
  • ci-operator/step-registry/openshift/edge-tooling/microshift-release/evaluation/openshift-edge-tooling-microshift-release-evaluation-workflow.yaml
  • ci-operator/step-registry/openshift/edge-tooling/microshift-release/evaluation/openshift-edge-tooling-microshift-release-evaluation-workflow.metadata.json
Summary: Scheduled test job microshift-release-evaluation added with cron schedule (Thursdays and Fridays, 16:00 UTC), network access enabled, and Slack reporter pointing to #team-ocp-edge-notifications. Workflow YAML wraps the evaluation step ref and documents the pre-check skill execution and result persistence.

Layer: Step reference and ownership
Files:
  • ci-operator/step-registry/openshift/edge-tooling/microshift-release/evaluation/openshift-edge-tooling-microshift-release-evaluation-ref.yaml
  • ci-operator/step-registry/openshift/edge-tooling/microshift-release/evaluation/openshift-edge-tooling-microshift-release-evaluation-ref.metadata.json
  • ci-operator/step-registry/openshift/edge-tooling/microshift-release/evaluation/OWNERS
Summary: Step reference YAML specifies the container source, command entrypoint, mounted secrets for GitHub App and Jira credentials, environment variables for Claude configuration and token defaults, CPU/memory requests, and 30-minute execution timeout. OWNERS file and metadata establish openshift-edge-approvers and openshift-edge-reviewers.

Layer: Evaluation script orchestration
Files:
  • ci-operator/step-registry/openshift/edge-tooling/microshift-release/evaluation/openshift-edge-tooling-microshift-release-evaluation-commands.sh
Summary: Bash script orchestrates the complete evaluation: initialization with verbose logging and exit traps to persist results; load_secrets() acquires GitHub token from App credentials or environment and Jira credentials from mounted files; wait_for_mcp_status() polls for MCP readiness; configure_claude() initializes Claude, ensures Product Pages MCP, and conditionally configures Jira MCP; main flow validates job context, clones/fetches the MicroShift repository, constructs a time-range prompt to invoke the pre-check skill, streams output to logs, and persists deterministic results within a 1200-second timeout.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Suggested labels

rehearsals-ack, jira/valid-reference

Suggested reviewers

  • copejon
  • jeff-roche

Important

Pre-merge checks failed

Please resolve all errors before merging. Addressing warnings is optional.

❌ Failed checks (1 error)

  • Check name: No-Sensitive-Data-In-Logs
  • Status: ❌ Error
  • Explanation: Global set -x tracing enabled (line 3) while loading/exporting sensitive credentials (GITHUB_TOKEN, JIRA_API_TOKEN), risking exposure in CI logs when claude runs with tracing.
  • Resolution: Remove set -x from line 3. Use only set -euo pipefail by default; enable tracing only for active debugging with minimal scope.

✅ Passed checks (14 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names ✅ Passed PR adds CI configuration and shell scripts, not Ginkgo test files. The Ginkgo test naming check is not applicable.
Test Structure And Quality ✅ Passed This PR adds Prow CI job configurations and supporting shell scripts, not Ginkgo test code. The custom check applies only to Ginkgo tests; no .go test files are present in this PR.
Microshift Test Compatibility ✅ Passed PR adds CI/infrastructure files only (Prow job config, step registry workflow/ref definitions, Bash script). No Ginkgo e2e tests are added, so the MicroShift compatibility check does not apply.
Single Node Openshift (Sno) Test Compatibility ✅ Passed No Ginkgo e2e tests (It(), Describe(), Context(), etc.) are added in this PR. The changes are CI configuration files and a bash automation script for MicroShift release evaluation, not test code.
Topology-Aware Scheduling Compatibility ✅ Passed PR adds CI infrastructure (job config, step registry, scripts) with no Kubernetes manifests or scheduling constraints affecting workload topology compatibility.
Ote Binary Stdout Contract ✅ Passed PR adds Prow job YAML/Bash/metadata files only—no Go code or openshift-tests implementations. OTE Binary Stdout Contract applies only to Go binaries implementing openshift-tests.
Ipv6 And Disconnected Network Test Compatibility ✅ Passed PR does not add Ginkgo e2e tests. Changes are CI/CD infrastructure (job config, workflow YAML, bash script). Custom check only applies to Ginkgo tests.
No-Weak-Crypto ✅ Passed PR adds CI workflow configs and bash script. No weak crypto (MD5, SHA1, DES, RC4, etc.), custom crypto, or non-constant-time secret comparisons detected. Token operations delegated to external tools.
Container-Privileges ✅ Passed No privileged container settings found. Job uses standard container execution with appropriate resource limits and no securityContext or privilege escalation configurations.
Title check ✅ Passed The title accurately and specifically describes the primary change: adding a new microshift-release-evaluation periodic job to the CI system.

@agullon agullon changed the title feat: add microshift-release-evaluation periodic job (USHIFT-7116) USHIFT-7116: add microshift-release-evaluation periodic job Jun 2, 2026
@openshift-ci-robot openshift-ci-robot added the jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. label Jun 2, 2026

openshift-ci-robot commented Jun 2, 2026

@agullon: This pull request references USHIFT-7116 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the task to target the "5.0.0" version, but no target version was set.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.


openshift-ci Bot commented Jun 2, 2026

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: agullon

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci openshift-ci Bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Jun 2, 2026
@openshift-merge-bot

[REHEARSALNOTIFIER]
@agullon: no rehearsable tests are affected by this change

Note: If this PR includes changes to step registry files (ci-operator/step-registry/) and you expected jobs to be found, try rebasing your PR onto the base branch. This helps pj-rehearse accurately detect changes when the base branch has moved forward.
The following jobs are not rehearsable without the network-access-rehearsals-ok, and approved labels present on this PR. This is due to the restrict_network_access field being set to false. The network-access-rehearsals-ok label can be added by any openshift org member other than the PR's author by commenting: /pj-rehearse network-access-allowed:

Test name
periodic-ci-openshift-eng-edge-tooling-main-microshift-release-evaluation

@openshift-merge-bot openshift-merge-bot Bot added the rehearsals-ack Signifies that rehearsal jobs have been acknowledged label Jun 2, 2026

@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 2

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 29c69d3e-f50f-40d0-9554-5b0b41f19781

📥 Commits

Reviewing files that changed from the base of the PR and between d5f6a1a and fb806ee.

📒 Files selected for processing (7)
  • ci-operator/config/openshift-eng/edge-tooling/openshift-eng-edge-tooling-main.yaml
  • ci-operator/step-registry/openshift/edge-tooling/microshift-release/evaluation/OWNERS
  • ci-operator/step-registry/openshift/edge-tooling/microshift-release/evaluation/openshift-edge-tooling-microshift-release-evaluation-commands.sh
  • ci-operator/step-registry/openshift/edge-tooling/microshift-release/evaluation/openshift-edge-tooling-microshift-release-evaluation-ref.metadata.json
  • ci-operator/step-registry/openshift/edge-tooling/microshift-release/evaluation/openshift-edge-tooling-microshift-release-evaluation-ref.yaml
  • ci-operator/step-registry/openshift/edge-tooling/microshift-release/evaluation/openshift-edge-tooling-microshift-release-evaluation-workflow.metadata.json
  • ci-operator/step-registry/openshift/edge-tooling/microshift-release/evaluation/openshift-edge-tooling-microshift-release-evaluation-workflow.yaml

Comment on lines +2 to +3
set -euo pipefail
set -x

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Do not enable xtrace by default here.

Line 3 makes tracing opt-out for the whole script. This step loads GitHub and Jira credentials later, so future edits outside the two set +x blocks can easily spill sensitive operations into CI logs. Start without -x and only scope it to temporary debug sections when needed.

Suggested fix
 #!/usr/bin/bash
 set -euo pipefail
-set -x
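
Review bot: Deleting the global `set -x` on line 3 is incomplete if the two existing `set +x` blocks referred to in this comment end by switching tracing back on. Each such closing `set -x` would then enable tracing for the remainder of the script, after the credentials are already exported. Remove those re-enable lines in the same commit, or make them restore the previous state (test `$-` for `x`) instead of enabling unconditionally.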

As per coding guidelines, step registry command scripts should use set -euo pipefail by default (without -x tracing) and only enable -x for active debugging, keeping the scope of disabled tracing minimal.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In
`@ci-operator/step-registry/openshift/edge-tooling/microshift-release/evaluation/openshift-edge-tooling-microshift-release-evaluation-commands.sh`
around lines 2 - 3, The script currently enables bash xtrace globally via the
"set -x" invocation; remove that global "set -x" so the script starts with only
"set -euo pipefail" and never leaves tracing on for the whole step, and if debug
output is needed wrap the minimal sensitive sections with scoped tracing blocks
using "set -x" immediately before the debug lines and "set +x" right after
(refer to the existing "set -euo pipefail" and "set -x" entries to locate and
change this).
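
The leak this comment warns about, as an added example that is not code from the PR or from CodeRabbit: it captures the xtrace output of a small script and reports whether a token appears in it when the token is loaded and when it is later used. The token value, the temp file and the function names (`load_plain`, `load_naive_pair`, `load_guarded`, `use_token_step`) are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not code from the PR. Token and temp file are constructed.
SAMPLE_TOKEN='ghs_CONSTRUCTED0000example'

# Loader with no protection at all (hypothetical name).
load_plain() {
    GITHUB_TOKEN="$(cat "$1")"
    export GITHUB_TOKEN
}

# Unconditional pair: always leaves tracing ON, even if it was off before.
load_naive_pair() {
    set +x
    GITHUB_TOKEN="$(cat "$1")"
    export GITHUB_TOKEN
    set -x
}

# Guarded loader: restores tracing only if the caller had it enabled.
load_guarded() {
    case $- in *x*) _was_traced=1 ;; *) _was_traced=0 ;; esac
    set +x
    GITHUB_TOKEN="$(cat "$1")"
    export GITHUB_TOKEN
    if [ "$_was_traced" -eq 1 ]; then set -x; fi
}

# Stand-in for a later step that places the token on a command line.
use_token_step() { : "Authorization: token ${GITHUB_TOKEN}"; }

# $1 = loader function, $2 = "on" to start with xtrace enabled, $3 = secret file.
# Prints the stderr of the run, which is where xtrace output (the CI log) goes.
capture_trace() {
    (
        if [ "$2" = on ]; then set -x; fi
        "$1" "$3"
        use_token_step
    ) 2>&1
}

# Reports where the token shows up in the trace: load, use, load+use or none.
where_leaked() {
    trace="$(capture_trace "$1" "$2" "$3")"
    found=''
    case "$trace" in *"GITHUB_TOKEN=${SAMPLE_TOKEN}"*) found='load' ;; esac
    case "$trace" in
        *"Authorization: token ${SAMPLE_TOKEN}"*) found="${found:+$found+}use" ;;
    esac
    echo "${found:-none}"
}

# Demonstration run over the four combinations discussed in the review.
secret_file="$(mktemp)"
printf '%s' "$SAMPLE_TOKEN" > "$secret_file"
for case_spec in 'load_plain on' 'load_guarded on' 'load_naive_pair off' 'load_guarded off'; do
    set -- $case_spec
    printf '%-16s xtrace=%-3s -> token in log at: %s\n' \
        "$1" "$2" "$(where_leaked "$1" "$2" "$secret_file")"
done
rm -f "$secret_file"
```

With tracing enabled globally, even the guarded loader only protects the read itself; the later step that passes the token as an argument is still traced, which is why the script-wide `set -x` has to go.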

Comment on lines +37 to +45
# Fallback: extract text from Claude stream-json result event
if [[ -f "${CLAUDE_LOG}" ]]; then
local result_text
result_text="$(grep '"type":"result"' "${CLAUDE_LOG}" | tail -1 | jq -r '.result // empty' 2>/dev/null || true)"
if [[ -n "${result_text}" ]]; then
echo "${result_text}" > "${SHARED_DIR}/precheck-results.txt"
touch "${SHARED_DIR}/precheck-completed"
echo "Pre-check results extracted from Claude log."
return 0
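
Review bot: The `grep '"type":"result"'` filter on the `result_text=` line matches only when the event is serialized with no whitespace after the colon, and the trailing `2>/dev/null || true` hides any jq parse error, so a change in log formatting silently produces an empty result_text and the fallback is skipped without a message. If every line of the log is a JSON event, let jq do the selection, for example `jq -rs 'map(select(.type == "result")) | last | .result // empty' "${CLAUDE_LOG}"`, and print a line when nothing could be extracted.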

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Persist fallback results into ARTIFACT_DIR as well.

When RESULTS_TEXT is missing, this branch reconstructs the output only into ${SHARED_DIR}. The periodic job advertises artifacts/precheck-results.txt in Slack, so the fallback path still leaves users with a broken “View results” link.

Suggested fix
         result_text="$(grep '"type":"result"' "${CLAUDE_LOG}" | tail -1 | jq -r '.result // empty' 2>/dev/null || true)"
         if [[ -n "${result_text}" ]]; then
-            echo "${result_text}" > "${SHARED_DIR}/precheck-results.txt"
+            echo "${result_text}" > "${SHARED_DIR}/precheck-results.txt"
+            echo "${result_text}" > "${ARTIFACT_DIR}/precheck-results.txt"
             touch "${SHARED_DIR}/precheck-completed"
             echo "Pre-check results extracted from Claude log."
             return 0
         fi
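
Review bot: The added `echo "${result_text}" > "${ARTIFACT_DIR}/precheck-results.txt"` line mirrors the results file but not the `precheck-completed` marker, whereas the prompt attached to this comment asks for both in `${ARTIFACT_DIR}`; settle which is intended and make the hunk match. The new write also sits before `touch "${SHARED_DIR}/precheck-completed"`, so a failed artifact write could stop the marker from being created; placing the artifact copy after the `touch` keeps the SHARED_DIR path independent of it.
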
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In
`@ci-operator/step-registry/openshift/edge-tooling/microshift-release/evaluation/openshift-edge-tooling-microshift-release-evaluation-commands.sh`
around lines 37 - 45, The fallback that extracts Claude output writes results
only to ${SHARED_DIR} (variables result_text, CLAUDE_LOG, and files
precheck-results.txt / precheck-completed) but not to the artifact location,
breaking the advertised artifacts link; update the branch that handles
result_text to also persist the same files into ${ARTIFACT_DIR} (write
${ARTIFACT_DIR}/precheck-results.txt and touch
${ARTIFACT_DIR}/precheck-completed) so both SHARED_DIR and ARTIFACT_DIR contain
the fallback outputs.
