fix: merge Pull Request changes

[flacatus]

Konflux CI PR Integration & Documentation (updated)

This PR makes the Konflux CI installation step able to merge and test infra-deployments PRs and adds documentation for the install and conformance test steps.

What changed (practical terms)

• The konflux install script (ci-operator/step-registry/konflux-ci/install-konflux/konflux-ci-install-konflux-commands.sh) now:
  • Chooses a GitHub account with the highest remaining rate limit.
  • Clones redhat-appstudio/infra-deployments (main) and, when running as a presubmit with REPO_NAME=infra-deployments and PULL_NUMBER set, fetches refs/pull/<PULL_NUMBER>/head and merges it into the working tree before bootstrapping.
  • Continues with cluster login, marks masters schedulable, runs hack/bootstrap-cluster.sh preview, creates the e2e-secrets/quay-repository secret, and registers the PAC route with SprayProxy.
• Added README for konflux-ci-install-konflux documenting the step’s behavior, required credentials (mounted secret keys), usage examples, PR-merge behavior, and default timeout (1h).
• Added/updated redhat-appstudio conformance-tests README documenting the post-install conformance step: repo/ref selection (Gangway override), test resource deployment, LocalQueue verification, Ginkgo v2 test execution with label filtering, required env vars/credentials, example usage, and a default timeout (2h).

Practical impact

• Presubmit jobs can validate infra-deployments changes end-to-end by merging PRs into the bootstrap code path during Konflux installation, enabling more accurate testing of infra changes.
• Documentation clarifies how to run and parameterize the install and conformance steps and which secrets and environment variables are required for CI authors and reviewers.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 4e90d7d8-b5b2-4b4a-9537-0de372e68afd

📥 Commits

Reviewing files that changed from the base of the PR and between 424af10 and 9d9f0e7.

📒 Files selected for processing (3)

• ci-operator/step-registry/konflux-ci/install-konflux/README.md
• ci-operator/step-registry/konflux-ci/install-konflux/konflux-ci-install-konflux-commands.sh
• ci-operator/step-registry/redhat-appstudio/conformance-tests/README.md

🚧 Files skipped from review as they are similar to previous changes (1)

• ci-operator/step-registry/konflux-ci/install-konflux/konflux-ci-install-konflux-commands.sh

---

Walkthrough

The Konflux install step script adds conditional logic to merge GitHub PR changes when installing infra-deployments repository. When both REPO_NAME is infra-deployments and PULL_NUMBER is non-empty, the script fetches the PR head ref and merges it; otherwise, installation proceeds unchanged. Two README files for the install and conformance test steps are added.

Changes

Conditional infra-deployments PR merge

Layer / File(s)	Summary
Conditional PR merge for infra-deployments ci-operator/step-registry/konflux-ci/install-konflux/konflux-ci-install-konflux-commands.sh	When REPO_NAME is infra-deployments and PULL_NUMBER is non-empty, the script fetches upstream's PR head ref and merges it into the working tree with logging. Otherwise, the script proceeds unchanged.
Install README ci-operator/step-registry/konflux-ci/install-konflux/README.md	Adds a new README describing the konflux-ci-install-konflux step: flow, required secrets, usage example, PR merge behavior for infra-deployments, and timeouts.
Conformance README ci-operator/step-registry/redhat-appstudio/conformance-tests/README.md	Adds a new README describing the Konflux conformance-tests step: test workflow, env vars, credential keys, usage example, and timeout guidance.

---

🎯 2 (Simple) | ⏱️ ~12 minutes

Suggested labels: lgtm, rehearsals-ack

Suggested reviewers:

• psturc
• gbenhaim

🚥 Pre-merge checks | ✅ 11 | ❌ 1

❌ Failed checks (1 inconclusive)

Check name	Status	Explanation	Resolution
Title check	❓ Inconclusive	The title 'fix: merge Pull Request changes' is vague and does not clearly describe the specific technical change. While it references merging PR changes, it lacks detail about what was actually modified or fixed.	Provide a more specific title that describes the actual change, such as 'feat: add conditional GitHub PR merge support to konflux installation' or similar that conveys the primary modification.

✅ Passed checks (11 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names	✅ Passed	The PR does not introduce any Ginkgo test code. It only adds bash scripts and documentation for CI test orchestration. The actual Ginkgo tests are in external repositories cloned at runtime.
Test Structure And Quality	✅ Passed	PR does not contain Ginkgo test code. Changes are shell scripts and documentation only. Custom check for test quality is not applicable.
Microshift Test Compatibility	✅ Passed	PR does not add any new Ginkgo e2e tests. Changes consist only of test infrastructure setup scripts and documentation files. The check is not applicable to this PR.
Single Node Openshift (Sno) Test Compatibility	✅ Passed	No new Ginkgo e2e tests added. PR adds shell scripts, documentation, metadata, and OWNERS files only. No Go test files with Ginkgo patterns detected.
Topology-Aware Scheduling Compatibility	✅ Passed	PR adds CI step registry files only. No deployment manifests, operators, or controllers. No scheduling constraints found.
Ote Binary Stdout Contract	✅ Passed	Check not applicable. PR modifies only shell scripts and README docs, no Go test files or OTE binaries.
Ipv6 And Disconnected Network Test Compatibility	✅ Passed	PR does not add Ginkgo e2e tests. Changes are only bash scripts and documentation for Konflux installation/setup infrastructure. Check is not applicable.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[flacatus]

/pj-rehearse pull-ci-redhat-appstudio-infra-deployments-main-appstudio-e2e-tests

[openshift-merge-bot]

@flacatus: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

[flacatus]

/pj-rehearse pull-ci-redhat-appstudio-infra-deployments-main-appstudio-e2e-tests

[openshift-merge-bot]

@flacatus: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

[konflux-ci-qe-bot]

🤖 Pipeline Failure Analysis

Category: Infrastructure

The pipeline failed primarily due to widespread network connectivity issues, including DNS resolution failures and I/O timeouts, which prevented access to the OpenShift cluster's API server.

📋 Technical Details

Immediate Cause

The OpenShift cluster's API server was intermittently unreachable. Multiple diagnostic steps failed to connect to the API server due to DNS resolution failures (e.g., "lookup api.konflux-...: no such host") and network connectivity timeouts (e.g., "dial tcp ...: i/o timeout", "Client.Timeout exceeded while awaiting headers").

Contributing Factors

The redhat-appstudio-conformance-tests step also reported a specific configuration error where the GitHub Application's private key did not match its Application ID. This prevented the Pipeline as Code (PaC) component from successfully creating Pull Requests, contributing to the test's overall timeout.

Impact

The inability to reliably communicate with the OpenShift API server prevented the successful execution of the core Red Hat AppStudio conformance tests. Furthermore, it completely blocked the collection of essential audit logs and other diagnostic artifacts from the cluster, hindering further investigation.

🔍 Evidence

appstudio-e2e-tests/gather-audit-logs

Category: infrastructure
Root Cause: The OpenShift cluster's API server was intermittently unreachable due to DNS resolution failures for its hostname and network connectivity timeouts, preventing the must-gather tool from collecting audit logs and cluster state.

Logs:

artifacts/appstudio-e2e-tests/gather-audit-logs/build-log.txt

error getting cluster operators: Get "https://api.konflux-4-18-us-west-2-6j4f2.konflux-qe.devcluster.openshift.com:6443/apis/config.openshift.io/v1/clusteroperators": dial tcp [REDACTED: Public IP (ipv4)]: i/o timeout

artifacts/appstudio-e2e-tests/gather-audit-logs/build-log.txt

Error running must-gather collection:
    creating temp namespace: Post "https://api.konflux-4-18-us-west-2-6j4f2.konflux-qe.devcluster.openshift.com:6443/api/v1/namespaces": dial tcp [REDACTED: Public IP (ipv4)]: i/o timeout

artifacts/appstudio-e2e-tests/gather-audit-logs/build-log.txt

E0518 13:11:14.396980      48 memcache.go:265] "Unhandled Error" err="couldn't get current server API group list: Get \"https://api.konflux-4-18-us-west-2-6j4f2.konflux-qe.devcluster.openshift.com:6443/api?timeout=32s\": dial tcp: lookup api.konflux-4-18-us-west-2-6j4f2.konflux-qe.devcluster.openshift.com on 172.30.0.10:53: no such host"

appstudio-e2e-tests/gather-extra

Category: infrastructure
Root Cause: The step failed to gather artifacts due to a network connectivity issue or unresponsiveness of the target server, resulting in a client timeout while attempting to connect.

Logs:

artifacts/appstudio-e2e-tests/gather-extra/build-log.txt

Unable to connect to the server: net/http: request canceled (Client.Timeout exceeded while awaiting headers)

appstudio-e2e-tests/redhat-appstudio-conformance-tests

Category: configuration
Root Cause: The GitHub Application used by the Pipeline as Code (PaC) component failed to authenticate with GitHub because its private key did not match the application ID. This misconfiguration prevented the creation of Pull Requests, causing the conformance test to time out.

Logs:

artifacts/appstudio-e2e-tests/redhat-appstudio-conformance-tests/build-log.txt

I0518 12:58:31.684025   24741 setup.go:183] diagnostic: Component user-ns1/konflux-ci-upstream-ybet conditions=[] build-status="{\"pac\":{\"state\":\"error\",\"error-id\":72,\"error-message\":\"72: GitHub Application private key does not match Application ID\"},\"message\":\"done\"}"

artifacts/appstudio-e2e-tests/redhat-appstudio-conformance-tests/build-log.txt

I0518 13:03:30.025136   24741 setup.go:183] diagnostic: Component user-ns1/konflux-ci-upstream-ybet conditions=[] build-status="{\"pac\":{\"state\":\"error\",\"error-id\":72,\"error-message\":\"72: GitHub Application private key does not match Application ID\"},\"message\":\"done\"}"

artifacts/appstudio-e2e-tests/redhat-appstudio-conformance-tests/build-log.txt line 640

[FAILED] Timed out after 300.001s.
  timed out waiting for PaC PR
  Expected success, but got an error:
      <*errors.errorString | 0xc001588060>: 
      PaC branch konflux-konflux-ci-upstream-ybet not found among 9 PRs

appstudio-e2e-tests/redhat-appstudio-gather

Category: infrastructure
Root Cause: The step failed due to a networking issue, specifically a DNS lookup failure, which prevented oc commands from resolving the hostname of the OpenShift API server and thus from connecting to the cluster.

Logs:

artifacts/appstudio-e2e-tests/redhat-appstudio-gather/build-log.txt

E0518 13:11:52.758874      34 memcache.go:265] "Unhandled Error" err="couldn't get current server API group list: Get \"https://api.konflux-4-18-us-west-2-6j4f2.konflux-qe.devcluster.openshift.com:6443/api?timeout=5s\": dial tcp: lookup api.konflux-4-18-us-west-2-6j4f2.konflux-qe.devcluster.openshift.com on 172.30.0.10:53: no such host"

artifacts/appstudio-e2e-tests/redhat-appstudio-gather/build-log.txt

Unable to connect to the server: dial tcp: lookup api.konflux-4-18-us-west-2-6j4f2.konflux-qe.devcluster.openshift.com on 172.30.0.10:53: no such host

artifacts/appstudio-e2e-tests/redhat-appstudio-gather/build-log.txt

Error running must-gather collection:
    creating temp namespace: Post "https://api.konflux-4-18-us-west-2-6j4f2.konflux-qe.devcluster.openshift.com:6443/api/v1/namespaces": dial tcp: lookup api.konflux-4-18-us-west-2-6j4f2.konflux-qe.devcluster.openshift.com on 172.30.0.10:53: no such host

artifacts/appstudio-e2e-tests/redhat-appstudio-gather/build-log.txt

error running backup collection: Get "https://api.konflux-4-18-us-west-2-6j4f2.konflux-qe.devcluster.openshift.com:6443/api?timeout=32s": dial tcp: lookup api.konflux-4-18-us-west-2-6j4f2.konflux-qe.devcluster.openshift.com on 172.30.0.10:53: no such host

---

Analysis powered by prow-failure-analysis | Build: 2056345779789893632

[flacatus]

/pj-rehearse pull-ci-redhat-appstudio-infra-deployments-main-appstudio-e2e-tests

[openshift-merge-bot]

@flacatus: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

[openshift-merge-bot]

[REHEARSALNOTIFIER]
@flacatus: the pj-rehearse plugin accommodates running rehearsal tests for the changes in this PR. Expand 'Interacting with pj-rehearse' for usage details. The following rehearsable tests have been affected by this change:

Test name	Repo	Type	Reason
pull-ci-redhat-appstudio-infra-deployments-main-appstudio-e2e-tests	redhat-appstudio/infra-deployments	presubmit	Registry content changed
periodic-ci-redhat-appstudio-infra-deployments-main-appstudio-e2e-tests-periodic	N/A	periodic	Registry content changed

Interacting with pj-rehearse

Comment: /pj-rehearse to run up to 5 rehearsals
Comment: /pj-rehearse skip to opt-out of rehearsals
Comment: /pj-rehearse {test-name}, with each test separated by a space, to run one or more specific rehearsals
Comment: /pj-rehearse more to run up to 10 rehearsals
Comment: /pj-rehearse max to run up to 25 rehearsals
Comment: /pj-rehearse auto-ack to run up to 5 rehearsals, and add the rehearsals-ack label on success
Comment: /pj-rehearse list to get an up-to-date list of affected jobs
Comment: /pj-rehearse abort to abort all active rehearsals
Comment: /pj-rehearse network-access-allowed to allow rehearsals of tests that have the restrict_network_access field set to false. This must be executed by an openshift org member who is not the PR author

Once you are satisfied with the results of the rehearsals, comment: /pj-rehearse ack to unblock merge. When the rehearsals-ack label is present on your PR, merge will no longer be blocked by rehearsals.
If you would like the rehearsals-ack label removed, comment: /pj-rehearse reject to re-block merging.

[flacatus]

/pj-rehearse pull-ci-redhat-appstudio-infra-deployments-main-appstudio-e2e-tests

[openshift-merge-bot]

@flacatus: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

[flacatus]

/pj-rehearse pull-ci-redhat-appstudio-infra-deployments-main-appstudio-e2e-tests

[openshift-merge-bot]

@flacatus: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

[psturc]

/lgtm

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: flacatus, psturc

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• ci-operator/step-registry/konflux-ci/install-konflux/OWNERS [flacatus,psturc]
• ci-operator/step-registry/redhat-appstudio/conformance-tests/OWNERS [flacatus,psturc]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[flacatus]

/pj-rehearse pull-ci-redhat-appstudio-infra-deployments-main-appstudio-e2e-tests

[openshift-merge-bot]

@flacatus: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

[flacatus]

/pj-rehearse pull-ci-redhat-appstudio-infra-deployments-main-appstudio-e2e-tests

[openshift-merge-bot]

@flacatus: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

[openshift-ci]

@flacatus: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/rehearse/redhat-appstudio/infra-deployments/main/appstudio-e2e-tests	9d9f0e7	link	unknown	/pj-rehearse pull-ci-redhat-appstudio-infra-deployments-main-appstudio-e2e-tests

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

[flacatus]

/pj-rehearse pull-ci-redhat-appstudio-infra-deployments-main-appstudio-e2e-tests

[openshift-merge-bot]

@flacatus: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

[flacatus]

/pj-rehearse pull-ci-redhat-appstudio-infra-deployments-main-appstudio-e2e-tests

[openshift-merge-bot]

@flacatus: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

[flacatus]

/pj-rehearse pull-ci-redhat-appstudio-infra-deployments-main-appstudio-e2e-tests

[openshift-merge-bot]

@flacatus: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.