ci(claude): add find-konflux-images command to discover PR images

[zhfeng]

Summary

• Adds a new Claude Code slash command /find-konflux-images that discovers and verifies Konflux-built container images for any PR
• Reads .tekton/*-pull-request.yaml pipeline configs from the PR's commit SHA to extract output-image patterns and image-expires-after values
• Verifies image availability on quay.io via OCI registry API and reports results as a markdown table
• Offers to retrigger expired images via /retest if the PR is still open

Usage

/find-konflux-images https://github.com/openshift/hypershift/pull/7887
/find-konflux-images openshift/hypershift 7887

Test plan

• Tested with PR CNTRLPLANE-2914: Add controlPlaneVersion status to HostedCluster and HostedControlPlane #7887 — correctly identified 6 components, 4 triggered builds all AVAILABLE, 2 untriggered as NOT FOUND
• Dynamically extracts image-expires-after from each Tekton config (currently 5d for all components)

Summary by CodeRabbit

• Documentation
  • Added a user guide for a command that locates, verifies, and reports Konflux/Tekton-built container images associated with a PR.
  • Documents accepted input formats, step-by-step workflow, output presentation (markdown table), and error handling scenarios.
  • Describes registry availability checks, image expiration caveats, PR-state handling, and optional retrigger (/retest) behavior.

[openshift-ci-robot]

Pipeline controller notification
This repo is configured to use the pipeline controller. Second-stage tests will be triggered either automatically or after lgtm label is added, depending on the repository configuration. The pipeline controller will automatically detect which contexts are required and will utilize /test Prow commands to trigger the second stage.

For optional jobs, comment /test ? to see a list of all defined jobs. To trigger manually all jobs from second stage use /pipeline required command.

This repository is configured in: LGTM mode

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Organization UI (inherited)

Review profile: CHILL

Plan: Pro

Run ID: e543bc73-152d-4029-ac49-92fb7ffb164d

📥 Commits

Reviewing files that changed from the base of the PR and between b0faf91 and 322abf3.

📒 Files selected for processing (1)

• .claude/commands/find-konflux-images.md

🚧 Files skipped from review as they are similar to previous changes (1)

• .claude/commands/find-konflux-images.md

---

📝 Walkthrough

Walkthrough

A new documentation file is added at .claude/commands/find-konflux-images.md that describes a command for locating and verifying container images built via Konflux/Tekton associated with GitHub pull requests. The documentation outlines the command's workflow including PR resolution, Tekton configuration extraction, pipeline trigger verification, image URL construction, availability checks via quay.io OCI registry API, and result presentation in a markdown table. It includes error handling scenarios, usage examples, requirements, and conditions for offering image retrigger options via /retest.

Sequence Diagram(s)

sequenceDiagram
    participant User
    participant Bot as Find-Konflux-Images
    participant GitHub
    participant Repo as Git Repository
    participant TektonConfig as Tekton Config (in PR commit)
    participant Quay as quay.io (OCI registry)
    User->>Bot: Invoke command on PR (e.g., /find-konflux-images)
    Bot->>GitHub: Resolve PR reference (number/branch/commit)
    GitHub-->>Bot: PR metadata, commit SHA
    Bot->>Repo: Fetch commit contents
    Repo-->>Bot: Tekton config files (pipeline/task refs)
    Bot->>TektonConfig: Parse image build outputs and pipeline triggers
    alt Pipelines referenced and triggers present
        Bot->>Quay: Construct expected image URLs and query OCI manifests
        Quay-->>Bot: Image existence + metadata (tags, digests, timestamps)
        Bot->>GitHub: Post results table comment on PR (images, status)
        alt Some images missing and retrigger allowed
            Bot->>GitHub: Offer `/retest` option in comment
        end
    else No pipelines or config missing
        Bot->>GitHub: Post error/diagnostic comment
    end
    alt User issues /retest
        User->>GitHub: /retest comment
        GitHub->>TektonConfig: Trigger pipelines (via CI)
        TektonConfig-->>Quay: New images pushed (if successful)
        Quay-->>Bot: Confirm new images on subsequent checks
    end

Loading

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

📝 Coding Plan

• Generate coding plan for human review comments

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: zhfeng
Once this PR has been reviewed and has the lgtm label, please assign bryan-cox for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (5)

.claude/commands/find-konflux-images.md (5)

21-21: Update step 2 to mention image-expires-after extraction.

The step description says it extracts output-image patterns, but the implementation (lines 54-56) also extracts image-expires-after values, which are used for reporting expiration periods.

📝 Suggested update

-2. Reads the `.tekton/*-pull-request.yaml` pipeline configs from the PR's commit to extract `output-image` patterns
+2. Reads the `.tekton/*-pull-request.yaml` pipeline configs from the PR's commit to extract `output-image` patterns and `image-expires-after` values

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.claude/commands/find-konflux-images.md at line 21, Update step 2's
description to state that, besides reading `.tekton/*-pull-request.yaml` to
extract `output-image` patterns, it also extracts `image-expires-after` values
used for reporting expiration periods; reference the same
`.tekton/*-pull-request.yaml` files and mention both `output-image` and
`image-expires-after` so the doc matches the implementation (see the extraction
logic around where `output-image` and `image-expires-after` are read).

---

114-114: Consider locale-specific spelling preference.

The static analysis tool noted that "afterwards" is British English, while "afterward" is preferred in American English. If the project has a style guide preference, consider aligning.

🌍 US English variant

-Builds typically take 10-20 minutes; re-run this command to check availability afterwards
+Builds typically take 10-20 minutes; re-run this command to check availability afterward

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.claude/commands/find-konflux-images.md at line 114, The sentence "Builds
typically take 10-20 minutes; re-run this command to check availability
afterwards" uses the British variant "afterwards"; update that string to the
US-preferred "afterward" (or conform to your project's style guide) so it reads
"Builds typically take 10-20 minutes; re-run this command to check availability
afterward." Locate and replace this exact sentence in
.claude/commands/find-konflux-images.md.

---

13-16: Consider using PR #7887 in examples for consistency.

The PR objectives mention testing with PR #7887, but the examples reference PR #7871. While this doesn't affect functionality, aligning the examples with the tested PR would improve traceability.

📝 Suggested alignment

 1. **By PR URL**:
-   `/find-konflux-images https://github.com/openshift/hypershift/pull/7871`
+   `/find-konflux-images https://github.com/openshift/hypershift/pull/7887`
 
 2. **By repo and PR number**:
-   `/find-konflux-images openshift/hypershift 7871`
+   `/find-konflux-images openshift/hypershift 7887`

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.claude/commands/find-konflux-images.md around lines 13 - 16, Update the
example PR references to match the tested PR `#7887`: replace the occurrences of
"/find-konflux-images https://github.com/openshift/hypershift/pull/7871" and
"/find-konflux-images openshift/hypershift 7871" with the corresponding
"/find-konflux-images https://github.com/openshift/hypershift/pull/7887" and
"/find-konflux-images openshift/hypershift 7887" so the examples align with the
documented/tested PR; ensure both example lines in the file are changed
consistently.

---

49-58: Add error handling guidance to the bash example.

The bash snippet lacks error handling for several failure modes:

• gh api calls may fail (network issues, auth problems, file not found)
• base64 -d may fail on malformed content
• grep may find no matches (empty variables)
• sed patterns assume single space after colon

Since this is example code that users may copy, consider adding notes about error handling or using more robust patterns.

♻️ Suggested improvements

Add error handling notes and improve sed patterns:

 ```bash
+# Note: Add error checking after each gh api call
 PR_FILES=$(gh api "repos/${REPO}/contents/.tekton?ref=${COMMIT_SHA}" --jq '.[].name' | grep pull-request)
+if [ -z "$PR_FILES" ]; then
+  echo "ERROR: No pull-request pipeline configs found"
+  exit 1
+fi
 
 for file in $PR_FILES; do
   CONTENT=$(gh api "repos/${REPO}/contents/.tekton/${file}?ref=${COMMIT_SHA}" --jq '.content' | base64 -d)
-  IMAGE_PATTERN=$(echo "$CONTENT" | grep -A1 'name: output-image' | grep 'value:' | head -1 | sed 's/.*value: *//')
-  EXPIRES_AFTER=$(echo "$CONTENT" | grep -A1 'name: image-expires-after' | grep 'value:' | head -1 | sed 's/.*value: *//')
+  # Use [[:space:]]* to handle variable whitespace
+  IMAGE_PATTERN=$(echo "$CONTENT" | grep -A1 'name: output-image' | grep 'value:' | head -1 | sed 's/.*value:[[:space:]]*//')
+  EXPIRES_AFTER=$(echo "$CONTENT" | grep -A1 'name: image-expires-after' | grep 'value:' | head -1 | sed 's/.*value:[[:space:]]*//')
   COMPONENT=$(echo "$file" | sed 's/-pull-request\.yaml$//')
 done

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.claude/commands/find-konflux-images.md around lines 49 - 58, The snippet
lacks error handling and assumes fixed whitespace; add checks after the gh api
call that populates PR_FILES and after each CONTENT fetch (gh api and base64 -d)
to exit with a clear error if they fail or return empty, validate that grep
produced matches before running sed, and update the sed patterns used in
IMAGE_PATTERN and EXPIRES_AFTER to use a robust whitespace matcher (e.g.,
[[:space:]]*) so variable spacing after "value:" is handled; reference the
variables/functions PR_FILES, CONTENT, IMAGE_PATTERN, EXPIRES_AFTER, COMPONENT,
the gh api calls and base64 -d when adding these checks and error messages.

---

135-138: Complete the requirements list.

Several utilities used in the example scripts are not listed in the requirements:

• base64 (used in line 53)
• jq (used in line 50)
• sed (used throughout)
• grep (used throughout)

📝 Suggested additions

 ## Requirements
 
 - `gh` CLI authenticated with access to the target repository
 - `curl` available
 - `python3` available
+- `jq` for JSON parsing
+- Standard Unix utilities: `base64`, `sed`, `grep`

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.claude/commands/find-konflux-images.md around lines 135 - 138, The
requirements list is incomplete: add the missing CLI utilities used by the
examples—include `base64` (used around line 53), `jq` (used around line 50),
`sed`, and `grep` to the same list that currently contains `gh`, `curl`, and
`python3` so readers know these are prerequisites; update the bullet list near
the top of the document to enumerate those four additional tools.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.claude/commands/find-konflux-images.md:
- Around line 76-83: The TOKEN retrieval step may yield an empty or error
string; after the TOKEN assignment (the curl + python3 pipeline that sets TOKEN)
add validation that TOKEN is non-empty and contains a valid token before using
it for the manifests request (the HTTP_STATUS curl). If TOKEN is empty or
invalid, log a clear error and exit non‑zero so the subsequent call using TOKEN
is not attempted; alternatively replace the python3 extraction with a jq
extraction for consistency with the script and validate the jq output the same
way.

---

Nitpick comments:
In @.claude/commands/find-konflux-images.md:
- Line 21: Update step 2's description to state that, besides reading
`.tekton/*-pull-request.yaml` to extract `output-image` patterns, it also
extracts `image-expires-after` values used for reporting expiration periods;
reference the same `.tekton/*-pull-request.yaml` files and mention both
`output-image` and `image-expires-after` so the doc matches the implementation
(see the extraction logic around where `output-image` and `image-expires-after`
are read).
- Line 114: The sentence "Builds typically take 10-20 minutes; re-run this
command to check availability afterwards" uses the British variant "afterwards";
update that string to the US-preferred "afterward" (or conform to your project's
style guide) so it reads "Builds typically take 10-20 minutes; re-run this
command to check availability afterward." Locate and replace this exact sentence
in .claude/commands/find-konflux-images.md.
- Around line 13-16: Update the example PR references to match the tested PR
`#7887`: replace the occurrences of "/find-konflux-images
https://github.com/openshift/hypershift/pull/7871" and "/find-konflux-images
openshift/hypershift 7871" with the corresponding "/find-konflux-images
https://github.com/openshift/hypershift/pull/7887" and "/find-konflux-images
openshift/hypershift 7887" so the examples align with the documented/tested PR;
ensure both example lines in the file are changed consistently.
- Around line 49-58: The snippet lacks error handling and assumes fixed
whitespace; add checks after the gh api call that populates PR_FILES and after
each CONTENT fetch (gh api and base64 -d) to exit with a clear error if they
fail or return empty, validate that grep produced matches before running sed,
and update the sed patterns used in IMAGE_PATTERN and EXPIRES_AFTER to use a
robust whitespace matcher (e.g., [[:space:]]*) so variable spacing after
"value:" is handled; reference the variables/functions PR_FILES, CONTENT,
IMAGE_PATTERN, EXPIRES_AFTER, COMPONENT, the gh api calls and base64 -d when
adding these checks and error messages.
- Around line 135-138: The requirements list is incomplete: add the missing CLI
utilities used by the examples—include `base64` (used around line 53), `jq`
(used around line 50), `sed`, and `grep` to the same list that currently
contains `gh`, `curl`, and `python3` so readers know these are prerequisites;
update the bullet list near the top of the document to enumerate those four
additional tools.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Organization UI (inherited)

Review profile: CHILL

Plan: Pro

Run ID: a2192ba6-e3f7-48a7-bce4-72df8c2fdbcd

📥 Commits

Reviewing files that changed from the base of the PR and between b3974fe and b4270c0.

📒 Files selected for processing (1)

• .claude/commands/find-konflux-images.md

[coderabbitai]

♻️ Duplicate comments (1)

.claude/commands/find-konflux-images.md (1)

79-83: ⚠️ Potential issue | 🟠 Major

Validate auth token before calling the manifests API.

At Line 79-83, TOKEN is used immediately after extraction with no guard. If auth response is empty/invalid, the manifest check becomes a misleading auth failure instead of a clear token error.

Suggested fix

 TOKEN=$(curl -s "https://quay.io/v2/auth?service=quay.io&scope=repository:${REPO_PATH}:pull" \
   | python3 -c "import sys,json; print(json.load(sys.stdin).get('token',''))")
+
+if [ -z "$TOKEN" ]; then
+  echo "ERROR: Failed to retrieve authentication token from quay.io for ${REPO_PATH}"
+  exit 1
+fi
 
 HTTP_STATUS=$(curl -s -H "Authorization: Bearer $TOKEN" \
   -H "Accept: application/vnd.oci.image.index.v1+json,application/vnd.docker.distribution.manifest.v2+json" \
   "https://quay.io/v2/${REPO_PATH}/manifests/${TAG}" \
   -o /dev/null -w "%{http_code}")

Use this read-only check to verify the guard is currently missing and where to apply it:

#!/bin/bash
set -euo pipefail

target=".claude/commands/find-konflux-images.md"

echo "== TOKEN retrieval block =="
rg -n -C3 'TOKEN=\$\(curl -s "https://quay.io/v2/auth' "$target" || true

echo
echo "== TOKEN validation guard occurrences =="
rg -n -C2 'if \[ -z "\$TOKEN" \]' "$target" || true

echo
echo "== Immediate TOKEN usage in Authorization header =="
rg -n -C2 'Authorization: Bearer \$TOKEN' "$target" || true

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.claude/commands/find-konflux-images.md around lines 79 - 83, The TOKEN
extracted by the curl+python pipeline (variable TOKEN) is used immediately in
the Authorization header (Authorization: Bearer $TOKEN) without validation; add
a guard right after the TOKEN assignment that checks if TOKEN is empty (e.g., if
[ -z "$TOKEN" ] ), log a clear error like "Failed to obtain auth token from
quay.io" and exit non‑zero so the subsequent HTTP_STATUS/manifest calls (the
second curl that sets HTTP_STATUS) never run with an empty token.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Duplicate comments:
In @.claude/commands/find-konflux-images.md:
- Around line 79-83: The TOKEN extracted by the curl+python pipeline (variable
TOKEN) is used immediately in the Authorization header (Authorization: Bearer
$TOKEN) without validation; add a guard right after the TOKEN assignment that
checks if TOKEN is empty (e.g., if [ -z "$TOKEN" ] ), log a clear error like
"Failed to obtain auth token from quay.io" and exit non‑zero so the subsequent
HTTP_STATUS/manifest calls (the second curl that sets HTTP_STATUS) never run
with an empty token.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Organization UI (inherited)

Review profile: CHILL

Plan: Pro

Run ID: bfbe3ece-e8af-4782-9487-d5707f7d1ac3

📥 Commits

Reviewing files that changed from the base of the PR and between b4270c0 and 7f99742.

📒 Files selected for processing (1)

• .claude/commands/find-konflux-images.md

[coderabbitai]

Actionable comments posted: 3

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.claude/commands/find-konflux-images.md:
- Around line 136-140: Update the "Requirements" section by either removing the
stale bullet "- `python3`" or adding a justification that current snippets need
it; specifically edit the Requirements header block to delete the python3 entry
if it is unused by any commands in this file (search for any references to
"python3" or scripts called in the file) or, if a script does require Python,
add a brief note explaining which snippet or command (by name) needs Python and
why.
- Line 25: Update wording for consistency in
.claude/commands/find-konflux-images.md: change the lowercase "markdown"
occurrences (referenced near the sentence "Reports results as a markdown table"
and the other instance around line 90) to "Markdown", and change the adverb
"afterwards" (around line 115) to the US English form "afterward"; search for
and replace those specific words in the file so capitalization and US English
usage are consistent.
- Around line 24-25: The doc line claiming images are checked "via the OCI
registry API" is inconsistent with the implementation that calls Quay's
proprietary tag endpoint (/api/v1/repository/<org>/<repo>/tag); either update
the markdown phrase to say "via the Quay tag API (/api/v1/repository/.../tag)"
to match the current implementation, or instead replace the Quay-specific calls
with standard OCI Registry v2 tag/manifest endpoints (implementing the v2
/v2/<name>/tags/list and manifest checks) so the text can remain "OCI registry
API".

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Organization UI (inherited)

Review profile: CHILL

Plan: Pro

Run ID: 8e427040-b9ee-4e9f-9fd6-080968f41eeb

📥 Commits

Reviewing files that changed from the base of the PR and between 7f99742 and b0faf91.

📒 Files selected for processing (1)

• .claude/commands/find-konflux-images.md

[openshift-ci]

@zhfeng: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

[zhfeng]

It could be replaced by

• OCPQE-31942: feat(utils): add find-konflux-images command openshift-eng/ai-helpers#390