How to test changes / Special notes to the reviewer
Checklist
For each Chart updated, version bumped in the corresponding Chart.yaml according to Semantic Versioning.
For each Chart updated, variables are documented in the values.yaml and added to the corresponding README.md. The pre-commit utility can be used to generate the necessary content. Use pre-commit run -a to apply changes. The pre-commit Workflow will do this automatically for you if needed.
JSON Schema template updated and re-generated the raw schema via the pre-commit hook.
Tests pass using the Chart Testing tool and the ct lint command.
Here are some key observations to aid the review process:
⏱️ Estimated effort to review: 3 🔵🔵🔵⚪⚪
🔒 Security concerns
Supply chain / remote script execution: The workflow downloads and executes install.sh for OLM via curl and then runs it, and also applies remote Kubernetes manifests from a GitHub release URL. Even with version pinning, executing remote scripts/manifests without checksum/signature verification can be risky. Consider verifying checksums/signatures (or using a pinned commit artifact / trusted action) before execution, and prefer kubectl apply with pinned digests or vendored manifests where feasible.
The helm install invocation for ingress-nginx appears to have arguments in the wrong order (chart reference used where the release name is expected). This may cause the step to fail at runtime; validate the command syntax.
The disk cleanup step sets rm_cmd to rmz, which is likely not a valid command on GitHub runners and could make the workflow fail before tests run. Confirm the intended value or remove the override.
- name: Remove unnecessary files to free up disk space
  if: steps.list-changed.outputs.changed == 'true'
  uses: endersonmenezes/free-disk-space@e6ed9b02e683a3b55ed0252f1ee469ce3b39a885 # v3
  with:
    remove_android: true
    remove_dotnet: true
    remove_haskell: true
    rm_cmd: "rmz"
The composite action hard-codes a minimal set of Helm overrides for KinD (e.g., route.enabled=false) but does not apply the other CI workarounds used elsewhere for KinD (e.g., disabling PVC-backed Postgres persistence and/or disabling the Helm test pod / using a known-good test pod image). This can reintroduce CI instability in KinD where Routes/PVCs are not available or where the default test image/tag is unreliable. Consider aligning the ct install overrides with the existing charts/backstage/ci/*-values.yaml patterns. (Ref 4, Ref 5)
Reference reasoning: The existing CI-specific values files for the Backstage chart explicitly disable Routes and PVC persistence and also provide patterns to disable the test pod or pin a custom test image/tag for CI. The new workflow only mirrors the Route workaround, so reusing or matching those established values would keep CI behavior consistent with the repo’s prior KinD-focused configuration.
To avoid unsafe parsing of Helm arguments, refactor the run step to use string concatenation for EXTRA_ARGS instead of creating a bash array with read -ra.
Why: The suggestion correctly identifies that parsing arguments with read -ra is fragile and proposes a more robust string concatenation approach, which simplifies the code and improves reliability.
Medium
General
Quote dynamic Helm args
Wrap the expression for extra_helm_args in quotes to ensure it always resolves to a string, preventing potential errors with Helm arguments.
Why: The suggestion correctly identifies a potential issue where a boolean false could be passed as an argument, and wrapping the expression in quotes ensures it is always treated as a string, improving the workflow's reliability.
Medium
Use kubectl apply for idempotency
Replace kubectl create -f with kubectl apply -f to make the resource creation step idempotent and prevent failures on workflow re-runs.
Why: The suggestion correctly points out that kubectl apply is idempotent and more suitable for CI/CD, which improves the robustness of the workflow against re-runs.
Low
High-level
Pin external dependencies in CI
To improve security and ensure reproducible builds, pin the OLM installation script dependency. Instead of using a mutable tag, verify the downloaded script against a known checksum.
Why: The suggestion correctly identifies an unpinned dependency (install.sh) in the new composite action, which is a valid security and reproducibility concern, although the proposed fix isn't perfectly applicable to release assets.
rm3l changed the title from "ci: stabilize CI" to "ci: stabilize CI [RHDHBUGS-2513]" on Jan 15, 2026
rm3l changed the title from "ci: stabilize CI [RHDHBUGS-2513]" to "ci: Stabilize CI by pinning to specific RHDH tag on PRs and testing next on a nightly basis [RHDHBUGS-2513]" on Jan 15, 2026
Adjust CI so PR validation remains stable even when next is broken.
Still keep coverage for testing the unstable next tag (e.g., on a schedule/nightly) to detect when it breaks or recovers.
Non-compliant requirements:
Fix CI failures related to the next tag of RHDH failing to start.
Requires further human verification:
Confirm PR workflow now passes reliably on main PRs with the pinned stable/RC image configuration.
Confirm nightly workflow actually runs and reports failures when next is broken (and passes when it recovers).
Confirm repository variables RHDH_IMAGE_REPOSITORY / RHDH_IMAGE_TAG are set as intended (or that defaults are acceptable).
⏱️ Estimated effort to review: 3 🔵🔵🔵⚪⚪
🔒 Security concerns
Supply chain risk: The workflow downloads and executes install.sh for OLM from GitHub releases (curl ... -o install-olm.sh then chmod +x and runs it). Even with a pinned OLM_VERSION, this is still executing remote code without checksum/signature verification. Consider verifying checksums/signatures for the downloaded script/artifacts or using a pinned, trusted action/container image for OLM installation instead.
The composite action sets up Python with python-version: 3.14. If GitHub Actions toolcache or actions/setup-python does not support this version, the workflow may fail during environment setup. Consider using a currently supported Python version (or pinning to a known-good minor) for ct.
- name: Set up Python
  uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 # v6
  with:
    python-version: 3.14
- name: Set up chart-testing
  uses: helm/chart-testing-action@6ec842c01de15ebb84c8627d2744a0c2f2755c9f # v2.8.0
  with:
    version: '3.14.0'
    yamllint_version: '1.37.1'
extra_helm_args is split on spaces (IFS=' ' read -ra ...), which can break flags that require quoting or contain spaces, and may not preserve intended argument boundaries. Consider passing extra args as multiline, JSON array, or using a more robust parsing strategy to avoid subtle CI-only failures.
Why: The suggestion correctly identifies that rmz is not a standard command and would cause the disk space cleanup step to fail, which is a critical bug in the workflow.
High
General
Simplify conditional expression for clarity
Simplify the extra_helm_args expression by removing the redundant || '' and improve readability by using a multiline block scalar.
Why: The suggestion correctly points out that || '' is redundant and improves readability by using a multiline block scalar, which is a good practice for long strings in YAML.
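The extra_helm_args splitting problem raised in both the first and the third review above, as an added example that is not code from this PR or the repository. It contrasts the IFS=' ' read -ra pattern with a newline-delimited form; the --set values are constructed for the demo.

```shell
#!/usr/bin/env bash
# Added example (not from the PR): word-splitting extra_helm_args on spaces
# breaks any value that contains a space; one argument per line keeps the
# boundaries. The --set values below are constructed.

# Show argument boundaries explicitly: each argument wrapped in <>.
render_args() { printf '<%s>' "$@"; echo; }

# The pattern the review flags: split one string on spaces.
parse_space_args() {
  local -a args
  IFS=' ' read -ra args <<< "$1"
  render_args "${args[@]}"
}

# Alternative: one argument per line (what a YAML block scalar "|" yields);
# blank lines are skipped so a trailing newline adds no empty argument.
parse_newline_args() {
  local -a args
  local line
  while IFS= read -r line; do
    if [ -n "$line" ]; then args+=("$line"); fi
  done <<< "$1"
  render_args "${args[@]}"
}

# Constructed inputs: the first --set value contains a space.
SPACED_ARGS='--set app.title=My Backstage --set route.enabled=false'
NEWLINE_ARGS=$'--set\napp.title=My Backstage\n--set\nroute.enabled=false\n'

# Space splitting yields five arguments, cutting the value in two:
#   <--set><app.title=My><Backstage><--set><route.enabled=false>
# Newline splitting yields the intended four:
#   <--set><app.title=My Backstage><--set><route.enabled=false>
# Passing the array to helm as "${args[@]}" (always quoted) then keeps
# exactly those boundaries.
```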
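The checksum verification the reviews ask for on the OLM install.sh download (first and third review above), as an added example that is not code from this PR or the repository. File names, the version argument and the digest are placeholders or constructed; in the workflow the recorded digest would live in the repository and the check would sit between the curl download and the chmod/run step.

```shell
#!/usr/bin/env bash
# Added example (not from the PR): refuse to execute a downloaded installer
# unless its SHA-256 matches a digest recorded when the asset was vetted.
# File names and the version argument are placeholders.

# Print the SHA-256 of a file (sha256sum on Linux, shasum on macOS).
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# Succeed only when FILE's digest equals EXPECTED_HEX.
verify_sha256() {
  [ "$(sha256_of "$1")" = "$2" ]
}

# run_verified FILE EXPECTED_HEX [ARGS...]
# A re-published or tampered asset at the same tag changes the digest, so
# the script is never executed in that case.
run_verified() {
  local file="$1" expected="$2"
  shift 2
  if ! verify_sha256 "$file" "$expected"; then
    echo "sha256 mismatch for $file; refusing to execute" >&2
    return 1
  fi
  bash "$file" "$@"
}

# Constructed stand-in for the downloaded install.sh (no network needed).
demo_dir="$(mktemp -d)"
demo_script="$demo_dir/install-olm.sh"
printf '%s\n' '#!/usr/bin/env bash' 'echo "would install OLM $1"' > "$demo_script"
# The digest an operator records once after vetting the asset.
PINNED_SHA256="$(sha256_of "$demo_script")"

# Unmodified asset: digest matches, script runs, returns 0.
demo_good() { run_verified "$demo_script" "$PINNED_SHA256" v0.0.0-example; }

# Asset changed after vetting: digest differs, script is not run, returns 1.
demo_tampered() {
  printf '%s\n' 'echo "unexpected extra line"' >> "$demo_script"
  run_verified "$demo_script" "$PINNED_SHA256" v0.0.0-example
}
```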
Description of the change
Which issue(s) does this PR fix or relate to
Fixes https://issues.redhat.com/browse/RHDHBUGS-2513