./hack/post-release.sh omit bundle change

[wgahnagl]

This makes it so that the bundle changes get reverted so they don't have to be reverted manually

Summary by CodeRabbit

• Chores
  • Improved build release process tooling with enhanced configuration options for managing file modifications during pre-release workflows.

[openshift-ci]

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

[coderabbitai]

📝 Walkthrough

Walkthrough

The pre-release script now accepts a -k flag to control whether RBAC-related files from make bundle are reverted during release preparation. By default, the script reverts specific RBAC and manifests files back to HEAD after running bundle, preserving only version-related changes. When -k is provided, all bundle changes are retained. The implementation adds flag initialization, updates usage documentation, introduces conditional checkout logic in the GitHub update flow, and wires the flag through option parsing.

🚥 Pre-merge checks | ✅ 18 | ❌ 2

❌ Failed checks (2 warnings)

Check name	Status	Explanation	Resolution
Title check	⚠️ Warning	The title references './hack/post-release.sh' but the changes are actually in 'hack/pre-release.sh', creating a mismatch between the stated file and the actual changeset.	Correct the title to reference './hack/pre-release.sh' instead of './hack/post-release.sh' to accurately reflect which script was modified.
Docstring Coverage	⚠️ Warning	Docstring coverage is 50.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (18 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Go Best Practices & Build Tags	✅ Passed	PR modifies only hack/pre-release.sh (bash script), not Go code. Custom check for Go best practices & build tags is not applicable to shell script modifications.
Security: Secrets, Ssh & Csr	✅ Passed	PR modifies pre-release.sh to add -k flag for RBAC reversion; no credential, SSH, or CSR approval code exists, making the security check not applicable.
Kubernetes Controller Patterns	✅ Passed	Custom check is for Kubernetes controller patterns (reconciliation, finalizers, owner references) but PR modifies hack/pre-release.sh shell script for release automation, not controller code.
Windows Service Management	✅ Passed	Custom check for Windows Service Management not applicable. The PR modifies hack/pre-release.sh for WMCO version management, not Windows service configuration.
Platform-Specific Requirements	✅ Passed	Custom check not applicable: PR modifies hack/pre-release.sh, a build/version automation script without platform-specific infrastructure code.
Stable And Deterministic Test Names	✅ Passed	PR modifies only hack/pre-release.sh shell script; no test files modified. Repository uses Go standard testing framework, not Ginkgo. Check is not applicable.
Test Structure And Quality	✅ Passed	Custom check for Ginkgo test code quality is not applicable; PR only modifies bash shell script hack/pre-release.sh for release automation, not test code.
Microshift Test Compatibility	✅ Passed	No Ginkgo e2e tests added in this PR. Changes are limited to hack/pre-release.sh shell script (build tooling), which is outside the scope of the MicroShift test compatibility check.
Single Node Openshift (Sno) Test Compatibility	✅ Passed	No Ginkgo e2e tests present. This PR modifies only hack/pre-release.sh (shell release automation script). SNO compatibility check does not apply.
Topology-Aware Scheduling Compatibility	✅ Passed	PR modifies only hack/pre-release.sh build script, not deployment manifests, operator code, or controllers. No scheduling constraints are introduced.
Ote Binary Stdout Contract	✅ Passed	Check is not applicable: PR modifies hack/pre-release.sh (release automation script), not OTE binary code. OTE binary is separate at ote/cmd/wmco-tests-ext/main.go and unaffected by these changes.
Ipv6 And Disconnected Network Test Compatibility	✅ Passed	No Ginkgo e2e tests are added in this PR; only hack/pre-release.sh shell script is modified. Check is not applicable.
No-Weak-Crypto	✅ Passed	PR contains no cryptographic code. Changes limited to shell script flag parsing and git checkout logic for RBAC manifest reversion during release automation.
Container-Privileges	✅ Passed	PR only modifies hack/pre-release.sh for RBAC bundle control. No container/K8s manifests with privileged settings were introduced or changed.
No-Sensitive-Data-In-Logs	✅ Passed	No sensitive data logging in the PR. Echo statements only log user messages and file paths; no credentials, tokens, or secrets are exposed.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[jrvaldes]

/approve

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: jrvaldes, wgahnagl

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS [jrvaldes]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[coderabbitai]

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@hack/pre-release.sh`:
- Around line 442-449: The getopts option parsing lacks a fallback for invalid
flags, so update the case block that handles getopts (the "while getopts
\"bcdgk\" opt; do" and its case for "$opt") to add a default branch (*) that
prints a clear error/usage message and exits non‑zero; also handle the ":" case
if you want explicit "missing argument" detection for options that take
arguments. Ensure the new branch references the same variables (opt) and uses
the same script exit style as other failure paths so bad flags cause an
immediate non-zero exit instead of continuing execution.
- Around line 239-243: The script suppresses failures when reverting RBAC bundle
files by appending "2>/dev/null || true" to the git checkout command (the block
conditioned on KEEP_BUNDLE_CHANGES), so revert errors are hidden and the script
can continue with unintended RBAC changes; remove the suppression and ensure
failures are propagated by deleting "2>/dev/null || true" and/or adding explicit
error handling after the git checkout (check the exit status and exit with a
non-zero code or log and exit) for the git checkout of
bundle/manifests/prometheus-k8s_rbac.authorization.k8s.io_v1_role.yaml,
bundle/manifests/system-wicd-nodes_rbac.authorization.k8s.io_v1_clusterrole.yaml
and config/rbac/role.yaml so the script fails when the revert fails.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 5d3d0936-7be6-4265-bf8c-243796526487

📥 Commits

Reviewing files that changed from the base of the PR and between 3eea65e and 5f1ffd1.

📒 Files selected for processing (1)

• hack/pre-release.sh

[coderabbitai]

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Do not suppress RBAC reversion failures.

At Line 243, 2>/dev/null || true hides checkout failures, so the script can continue while still carrying unintended RBAC changes (opposite of the default contract).

Suggested fix

-  if [[ $KEEP_BUNDLE_CHANGES == "false" ]]; then
-    echo "Reverting RBAC changes from make bundle (use -k flag to keep all changes)"
-    git checkout HEAD -- bundle/manifests/prometheus-k8s_rbac.authorization.k8s.io_v1_role.yaml \
-                         bundle/manifests/system-wicd-nodes_rbac.authorization.k8s.io_v1_clusterrole.yaml \
-                         config/rbac/role.yaml 2>/dev/null || true
+  if [[ $KEEP_BUNDLE_CHANGES == "false" ]]; then
+    echo "Reverting RBAC changes from make bundle (use -k flag to keep all changes)"
+    for file in \
+      bundle/manifests/prometheus-k8s_rbac.authorization.k8s.io_v1_role.yaml \
+      bundle/manifests/system-wicd-nodes_rbac.authorization.k8s.io_v1_clusterrole.yaml \
+      config/rbac/role.yaml; do
+      if git ls-files --error-unmatch "$file" >/dev/null 2>&1; then
+        git checkout HEAD -- "$file"
+      fi
+    done
   else

As per coding guidelines, hack/**/* scripts must “Check for proper error handling.”

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@hack/pre-release.sh` around lines 239 - 243, The script suppresses failures
when reverting RBAC bundle files by appending "2>/dev/null || true" to the git
checkout command (the block conditioned on KEEP_BUNDLE_CHANGES), so revert
errors are hidden and the script can continue with unintended RBAC changes;
remove the suppression and ensure failures are propagated by deleting
"2>/dev/null || true" and/or adding explicit error handling after the git
checkout (check the exit status and exit with a non-zero code or log and exit)
for the git checkout of
bundle/manifests/prometheus-k8s_rbac.authorization.k8s.io_v1_role.yaml,
bundle/manifests/system-wicd-nodes_rbac.authorization.k8s.io_v1_clusterrole.yaml
and config/rbac/role.yaml so the script fails when the revert fails.

Source: Coding guidelines

[coderabbitai]

⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Handle unsupported flags explicitly in getopts.

There is no fallback branch for invalid options. At Line 443-449 this matches ShellCheck SC2220 and leads to unclear/partial execution on bad flags.

Suggested fix

 while getopts "bcdgk" opt; do
   case "$opt" in
     c) CVP=true;;
     b) BASEIMAGE=true;;
     d) DISTGIT=true;;
     g) GITLAB=true;;
     k) KEEP_BUNDLE_CHANGES=true;;
+    \?)
+      echo "Invalid option: -$OPTARG"
+      usage
+      exit 2
+      ;;
   esac
 done 

As per coding guidelines, **/*.sh must “Validate shellcheck compliance.”

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	while getopts "bcdgk" opt; do
	case "$opt" in
	c) CVP=true;;
	b) BASEIMAGE=true;;
	d) DISTGIT=true;;
	g) GITLAB=true;;
	esac
	k) KEEP_BUNDLE_CHANGES=true;;
	esac
	while getopts "bcdgk" opt; do
	case "$opt" in
	c) CVP=true;;
	b) BASEIMAGE=true;;
	d) DISTGIT=true;;
	g) GITLAB=true;;
	k) KEEP_BUNDLE_CHANGES=true;;
	\?)
	echo "Invalid option: -$OPTARG"
	usage
	exit 2
	;;
	esac
	done

🧰 Tools

🪛 Shellcheck (0.11.0)

[warning] 443-449: Invalid flags are not handled. Add a *) case.

(SC2220)

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@hack/pre-release.sh` around lines 442 - 449, The getopts option parsing lacks
a fallback for invalid flags, so update the case block that handles getopts (the
"while getopts \"bcdgk\" opt; do" and its case for "$opt") to add a default
branch (*) that prints a clear error/usage message and exits non‑zero; also
handle the ":" case if you want explicit "missing argument" detection for
options that take arguments. Ensure the new branch references the same variables
(opt) and uses the same script exit style as other failure paths so bad flags
cause an immediate non-zero exit instead of continuing execution.

Sources: Coding guidelines, Linters/SAST tools

[openshift-ci]

@wgahnagl: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/vsphere-e2e-operator	5f1ffd1	link	true	/test vsphere-e2e-operator
ci/prow/nutanix-e2e-operator	5f1ffd1	link	true	/test nutanix-e2e-operator
ci/prow/vsphere-proxy-e2e-operator	5f1ffd1	link	true	/test vsphere-proxy-e2e-operator
ci/prow/vsphere-disconnected-e2e-operator	5f1ffd1	link	true	/test vsphere-disconnected-e2e-operator
ci/prow/platform-none-vsphere-e2e-operator	5f1ffd1	link	true	/test platform-none-vsphere-e2e-operator

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.