Add RedHatQE/firewatch-granular CI config and step registry #80862

Open. amp-rh wants to merge 1 commit into openshift:main from amp-rh:firewatch-granular-initial

@amp-rh amp-rh commented Jun 22, 2026

Summary

Adds CI pipeline for RedHatQE/firewatch-granular, a Go tool that parses JUnit XML from CI artifacts and extracts granular metadata (operator names, component names, file:line locations) as Jira labels for the existing firewatch reporting step.

Included in this PR:

  • ci-operator/config/RedHatQE/firewatch-granular/ - Image build, unit tests, lint, and 4 integration tests
  • ci-operator/step-registry/firewatch/granular-analysis/ - Step ref for use in post chains before firewatch-report-issues
  • ci-operator/jobs/RedHatQE/firewatch-granular/ - Presubmit and postsubmit job definitions

How it works:
The firewatch-granular-analysis step runs after tests complete and before firewatch-report-issues. It reads JUnit XML from ${ARTIFACT_DIR}, extracts operator/component/location information from failure messages and stack traces, and appends labels to ${SHARED_DIR}/firewatch-additional-labels. The existing firewatch step already reads this file and applies the labels to Jira tickets.

Labels produced:

  • operator:etcd, operator:kube-apiserver, etc. (capped at 5)
  • component:security-authorization, component:traffic-ingress, etc. (capped at 3)
  • location:tcp_test.go:103, etc. (capped at 3)

Testing:

  • 32 Go unit tests covering JUnit parsing, extraction, and output
  • 4 integration test targets validating end-to-end behavior with pre-baked fixtures
  • No live cluster required for any test

/cc @CSPI-QE

Summary by CodeRabbit

This PR adds OpenShift CI infrastructure configuration for the RedHatQE/firewatch-granular project, enabling it to be built, tested, and integrated into CI pipelines across the OpenShift infrastructure.

What's Being Added

CI Operator Configuration (ci-operator/config/RedHatQE/firewatch-granular/main.yaml)

  • Build pipeline for the firewatch-granular Go tool using RHEL 9 and Go 1.22
  • Container image target: firewatch-granular
  • Four test suites:
    • unit: runs make test (unit tests)
    • lint: runs make lint (code quality checks)
    • integration-fixtures: validates label extraction (operator/component/file location) against test XML fixtures, enforcing label count caps
    • integration-no-failures: ensures no labels file is created for passing tests, but JSON report is still written
    • integration-empty-dir: validates graceful behavior when artifact directory is missing
    • integration-append-mode: confirms pre-existing labels aren't overwritten when new labels are appended
  • Image promotion to the firewatch namespace/tag main for distribution

Step Registry Entry (ci-operator/step-registry/firewatch/granular-analysis/)

  • Reusable CI step (firewatch-granular-analysis) that other jobs can include in their post chains
  • Executes the analyzer against JUnit XML artifacts and generates Jira labels
  • Runs before the existing firewatch-report-issues step so labels can be applied to tickets
  • Configurable artifact subdirectory and labels file name via environment variables
  • Minimal resource footprint: 10m CPU, 100Mi memory, marked as best-effort

Job Definitions (ci-operator/jobs/RedHatQE/firewatch-granular/)

  • Presubmit and postsubmit job configurations for the firewatch-granular repository on the main branch
  • Enables pull request testing and continuous deployment of the tool

Practical Impact

The firewatch-granular tool can now be built and validated as part of the OpenShift CI infrastructure, and other job configurations can use the firewatch-granular-analysis step to automatically extract metadata from test failures and enhance Jira ticket reporting with structured labels (operators, components, file locations).

Adds CI pipeline for firewatch-granular, a Go tool that parses JUnit XML
from CI artifacts and extracts operator/component/location metadata as
Jira labels for the existing firewatch reporting step.

Includes:
- ci-operator config with image build, unit tests, lint, and integration tests
- Step registry entry (firewatch-granular-analysis) for use in post chains
- Presubmit and postsubmit job definitions

The step enriches firewatch Jira tickets with granular labels like
operator:etcd, component:kube-apiserver, location:file.go:42 by
analyzing JUnit failure messages and stack traces.
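
The extraction described under "How it works" and "Labels produced", as an added Go example that is not firewatch-granular's own code: it parses a JUnit `<testsuite>`, mines failure messages and bodies for label candidates, de-duplicates them and applies the per-kind caps. The `clusteroperator/<name>` and `file.go:line` patterns and the sample XML are assumptions constructed for illustration; only the label prefixes and the caps come from the PR description.

```go
package main

import (
	"encoding/xml"
	"fmt"
	"regexp"
)

// suite collects every <failure> under a <testsuite> root; passing cases add nothing.
type suite struct {
	Failures []struct {
		Message string `xml:"message,attr"`
		Body    string `xml:",chardata"`
	} `xml:"testcase>failure"`
}

// rules: label prefix, pattern (assumed), cap (from the PR description). The capture
// groups admit only label-safe characters, so free-form failure text never becomes a label.
var rules = []struct {
	prefix string
	re     *regexp.Regexp
	max    int
}{
	{"operator", regexp.MustCompile(`clusteroperator/([a-z0-9-]+)`), 5},
	{"location", regexp.MustCompile(`([A-Za-z0-9_]+\.go:[0-9]+)`), 3},
}

// ExtractLabels returns de-duplicated labels, capped per kind, in first-seen order.
func ExtractLabels(junit []byte) ([]string, error) {
	var s suite
	if err := xml.Unmarshal(junit, &s); err != nil {
		return nil, err
	}
	labels, seen := []string{}, map[string]bool{}
	for _, r := range rules {
		n := 0
		for _, f := range s.Failures {
			for _, m := range r.re.FindAllStringSubmatch(f.Message+"\n"+f.Body, -1) {
				if l := r.prefix + ":" + m[1]; n < r.max && !seen[l] {
					seen[l] = true
					labels = append(labels, l)
					n++
				}
			}
		}
	}
	return labels, nil
}

// Constructed sample: two failing cases (four distinct locations) and one pass.
const sample = `<testsuite>
<testcase name="a"><failure message="clusteroperator/etcd degraded">tcp_test.go:103 a.go:1 b.go:2 c.go:3</failure></testcase>
<testcase name="b"><failure message="clusteroperator/kube-apiserver, clusteroperator/etcd">tcp_test.go:103</failure></testcase>
<testcase name="c"/>
</testsuite>`

func main() {
	fmt.Println(ExtractLabels([]byte(sample)))
}
```

The fourth location (`c.go:3`) is dropped by the cap of 3, and the repeated `etcd` and `tcp_test.go:103` hits collapse to one label each.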

openshift-ci Bot commented Jun 22, 2026

@amp-rh: GitHub didn't allow me to request PR reviews from the following users: CSPI-QE.

Note that only openshift members and repo collaborators can review this PR, and authors cannot review their own PRs.

coderabbitai Bot commented Jun 22, 2026

Walkthrough

Adds a new OpenShift CI operator configuration for the RedHatQE/firewatch-granular repository, defining image build, unit/lint/integration test jobs, and promotion rules. Also introduces a reusable step registry entry (firewatch-granular-analysis) with a commands script, ref YAML, and OWNERS file for running granular JUnit analysis in CI post chains.

Changes

firewatch-granular CI onboarding

| Layer | File(s) | Summary |
| --- | --- | --- |
| CI operator config: build, test jobs, and promotion | ci-operator/config/RedHatQE/firewatch-granular/RedHatQE-firewatch-granular-main.yaml | Defines the RHEL 9 / Go 1.22 build root, Dockerfile → firewatch-granular image mapping, resource defaults, unit and lint jobs, and four integration scenarios (integration-fixtures, integration-no-failures, integration-empty-dir, integration-append-mode). Adds promotion to the firewatch namespace under tag main and generated metadata. |
| Step registry: firewatch-granular-analysis ref | ci-operator/step-registry/firewatch/granular-analysis/OWNERS, ci-operator/step-registry/firewatch/granular-analysis/firewatch-granular-analysis-commands.sh, ci-operator/step-registry/firewatch/granular-analysis/firewatch-granular-analysis-ref.yaml | Adds OWNERS (CSPI-QE approver/reviewer), a Bash commands script that resolves artifact/output dirs from env vars, runs firewatch-granular analyze, and reports generated outputs. The ref YAML specifies the firewatch/firewatch-granular:main container, 10m/100Mi resource requests, two env vars (FIREWATCH_GRANULAR_ARTIFACT_SUBDIR, FIREWATCH_JIRA_ADDITIONAL_LABELS_FILE), best_effort: true, and documentation for post-chain placement before firewatch-report-issues. |

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Suggested labels

lgtm, approved, rehearsals-ack

🚥 Pre-merge checks | ✅ 15
✅ Passed checks (15 passed)
| Check name | Status | Explanation |
| --- | --- | --- |
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title accurately summarizes the main change: adding CI configuration and step registry for RedHatQE/firewatch-granular. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Stable And Deterministic Test Names | ✅ Passed | This PR contains only CI configuration files (YAML) and shell scripts, not Ginkgo test code. No Ginkgo test definitions (It(), Describe(), Context(), When()) with dynamic or unstable names are pres... |
| Test Structure And Quality | ✅ Passed | This PR adds CI configuration, job definitions, and shell scripts for firewatch-granular—not Ginkgo test code. The check is inapplicable since no Ginkgo tests are in scope. |
| Microshift Test Compatibility | ✅ Passed | This PR adds CI pipeline configuration and step registry for firewatch-granular, not Ginkgo e2e tests. The tests defined are shell-based integration tests of a CLI tool, not e2e tests that would us... |
| Single Node Openshift (Sno) Test Compatibility | ✅ Passed | No Ginkgo e2e tests are added in this PR. The PR adds CI configuration, step registry, and shell-based integration tests for firewatch-granular tool—not e2e tests requiring SNO compatibility checks. |
| Topology-Aware Scheduling Compatibility | ✅ Passed | This PR adds only CI pipeline configuration and step registry entries, not deployment manifests or operator code. No topology-unaware scheduling constraints are introduced. |
| Ote Binary Stdout Contract | ✅ Passed | PR adds CI config for firewatch-granular (a utility tool), not OTE binaries. The OTE Binary Stdout Contract check doesn't apply to non-OTE tools or CI configuration files. |
| Ipv6 And Disconnected Network Test Compatibility | ✅ Passed | No Ginkgo e2e tests are being added. The PR adds CI pipeline configuration (YAML, shell scripts) for the firewatch-granular Go tool, not new e2e tests to OpenShift's test suite. |
| No-Weak-Crypto | ✅ Passed | PR contains only CI/CD configuration files (YAML, bash, OWNERS). No weak cryptographic algorithms (MD5, SHA1, DES, RC4, 3DES, Blowfish, ECB), custom crypto implementations, or insecure secret compa... |
| Container-Privileges | ✅ Passed | No privileged container settings found. CI configs, step registry, and job definitions contain no privileged: true, hostPID/Network/IPC, SYS_ADMIN, allowPrivilegeEscalation: true, or root-user sett... |
| No-Sensitive-Data-In-Logs | ✅ Passed | No sensitive data logging found. Files only log non-sensitive metadata like operator names, component names, file locations used for Jira categorization, and standard status messages. |

@openshift-merge-bot

@amp-rh, pj-rehearse: unable to determine affected jobs. This could be due to a branch that needs to be rebased. ERROR:

could not load configuration from candidate revision of release repo: failed to load ci-operator configuration from release repo: failed to load ci-operator config (error unmarshaling JSON: json: cannot unmarshal array into Go struct field ReleaseBuildConfiguration.images of type api.ImageConfiguration)
Interacting with pj-rehearse

Comment: /pj-rehearse to run up to 5 rehearsals
Comment: /pj-rehearse skip to opt-out of rehearsals
Comment: /pj-rehearse {test-name}, with each test separated by a space, to run one or more specific rehearsals
Comment: /pj-rehearse more to run up to 10 rehearsals
Comment: /pj-rehearse max to run up to 25 rehearsals
Comment: /pj-rehearse auto-ack to run up to 5 rehearsals, and add the rehearsals-ack label on success
Comment: /pj-rehearse list to get an up-to-date list of affected jobs
Comment: /pj-rehearse abort to abort all active rehearsals
Comment: /pj-rehearse network-access-allowed to allow rehearsals of tests that have the restrict_network_access field set to false. This must be executed by an openshift org member who is not the PR author

Once you are satisfied with the results of the rehearsals, comment: /pj-rehearse ack to unblock merge. When the rehearsals-ack label is present on your PR, merge will no longer be blocked by rehearsals.
If you would like the rehearsals-ack label removed, comment: /pj-rehearse reject to re-block merging.

openshift-ci Bot commented Jun 22, 2026

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: amp-rh

openshift-ci Bot added labels Jun 22, 2026: approved (Indicates a PR has been approved by an approver from all required OWNERS files.) and do-not-merge/invalid-owners-file (Indicates that a PR should not merge because it has an invalid OWNERS file in it.)

openshift-ci Bot commented Jun 22, 2026

The OWNERS file contains untrusted users, which makes it INVALID. The following users are mentioned in OWNERS file(s) but are untrusted for the following reasons. One way to make the user trusted is to add them as members of the openshift org. You can then trigger verification by writing /verify-owners in a comment.

  • cspi-qe
    • User is not a member of the org. User is not a collaborator. Satisfy at least one of these conditions to make the user trusted.
    • ci-operator/jobs/RedHatQE/firewatch-granular/OWNERS
  • CSPI-QE
    • User is not a member of the org. User is not a collaborator. Satisfy at least one of these conditions to make the user trusted.
    • ci-operator/step-registry/firewatch/granular-analysis/OWNERS

@coderabbitai coderabbitai Bot left a comment

🧹 Nitpick comments (1)
ci-operator/step-registry/firewatch/granular-analysis/firewatch-granular-analysis-commands.sh (1)

3-5: 🧹 Nitpick | 🔵 Trivial | ⚡ Quick win

Enable default errexit behavior in the step script.

This script should default to set -euo pipefail; currently -e is missing. You can still preserve the explicit analyzer exit-code handling by temporarily disabling -e only around that call.

Proposed patch
-set -o nounset
-set -o pipefail
+set -o errexit
+set -o nounset
+set -o pipefail
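Review bot: The added `set -o errexit` line applies to every command in the script, not only the analyzer call bracketed in the next hunk, and none of the lines in between are visible here. Check the directory-resolution code that precedes `firewatch-granular analyze` for bare tests or commands that can legitimately return non-zero (the step is meant to behave gracefully when the artifact directory is missing) and guard them with `if` or `|| true`, otherwise the step exits before the analyzer runs.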
@@
-firewatch-granular analyze \
+set +e
+firewatch-granular analyze \
     --artifact-dir "${artifact_dir}" \
     --output-dir "${output_dir}"
 
 exit_code=$?
+set -e
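Review bot: The `set +e` / `set -e` bracket around `firewatch-granular analyze` is fragile, because `exit_code=$?` has to stay the first command after the call; any line later inserted between them, even an `echo`, silently overwrites `$?`, and anything that leaves the script inside the window does so with errexit off. Initialising `exit_code=0` before the call and appending `|| exit_code=$?` to the `--output-dir "${output_dir}"` line captures the status without toggling errexit at all.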

As per coding guidelines, step-registry command scripts should use default set -euo pipefail (without -x).

Also applies to: 17-21

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In
`@ci-operator/step-registry/firewatch/granular-analysis/firewatch-granular-analysis-commands.sh`
around lines 3 - 5, Add `set -o errexit` to the set commands at the beginning of
the firewatch-granular-analysis-commands.sh script to comply with coding
guidelines requiring `set -euo pipefail`. Additionally, review the code around
lines 17-21 to identify any explicit analyzer exit-code handling that needs
special treatment; if present, temporarily disable `-e` only around those
specific calls using `set +e` before the call and `set -e` after it to preserve
the intended behavior while maintaining the default errexit behavior for the
rest of the script.

Source: Coding guidelines

📥 Commits

Reviewing files that changed from the base of the PR and between 526a2fe and 26a0b9b.

⛔ Files ignored due to path filters (3)
  • ci-operator/jobs/RedHatQE/firewatch-granular/OWNERS is excluded by !ci-operator/jobs/**
  • ci-operator/jobs/RedHatQE/firewatch-granular/RedHatQE-firewatch-granular-main-postsubmits.yaml is excluded by !ci-operator/jobs/**
  • ci-operator/jobs/RedHatQE/firewatch-granular/RedHatQE-firewatch-granular-main-presubmits.yaml is excluded by !ci-operator/jobs/**
📒 Files selected for processing (4)
  • ci-operator/config/RedHatQE/firewatch-granular/RedHatQE-firewatch-granular-main.yaml
  • ci-operator/step-registry/firewatch/granular-analysis/OWNERS
  • ci-operator/step-registry/firewatch/granular-analysis/firewatch-granular-analysis-commands.sh
  • ci-operator/step-registry/firewatch/granular-analysis/firewatch-granular-analysis-ref.yaml

openshift-ci Bot commented Jun 22, 2026

@amp-rh: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

| Test name | Commit | Details | Required | Rerun command |
| --- | --- | --- | --- | --- |
| ci/prow/check-gh-automation | 26a0b9b | link | true | /test check-gh-automation |
| ci/prow/ci-operator-config-metadata | 26a0b9b | link | true | /test ci-operator-config-metadata |
| ci/prow/ci-operator-config | 26a0b9b | link | true | /test ci-operator-config |
| ci/prow/generated-config | 26a0b9b | link | true | /test generated-config |
| ci/prow/step-registry-metadata | 26a0b9b | link | true | /test step-registry-metadata |
| ci/prow/openshift-image-mirror-mappings | 26a0b9b | link | true | /test openshift-image-mirror-mappings |
| ci/prow/config | 26a0b9b | link | true | /test config |
| ci/prow/owners | 26a0b9b | link | true | /test owners |
| ci/prow/ci-operator-registry | 26a0b9b | link | true | /test ci-operator-registry |
