TRT-2689: Add devcontainer, APM config, and agentic CI scaffolding#31371
TRT-2689: Add devcontainer, APM config, and agentic CI scaffolding#31371smg247 wants to merge 4 commits into
Conversation
Add a Fedora 43 devcontainer with Go toolchain, golangci-lint, gh CLI, and Claude Code support via Vertex AI. Includes devcontainer.json, post-create.sh, .env.example, README with setup instructions, and an interactive /origin-dev-setup slash command. Add APM configuration (apm.yml, instructions, prompts) that generates agent context for Claude, Cursor, Gemini, and OpenCode. Instructions document the openshift-tests architecture including e2e tests, monitor tests, disruption tests, and the OTE extension framework. Add .agentic/ config overlays for the TRT agentic CI workflow (jira-solver and review-responder) and hack/agentic_setup.sh. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
|
Pipeline controller notification For optional jobs, comment This repository is configured in: automatic mode |
|
@smg247: This pull request references TRT-2689 which is a valid jira issue. Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "5.0.0" version, but no target version was set. DetailsIn response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: smg247 The full list of commands accepted by this bot can be found here. The pull request process is described here DetailsNeeds approval from an approver in each of these files:
Approvers can indicate their approval by writing |
Auto-collapses agent context files in GitHub PR diffs. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
WalkthroughThis PR adds APM-generated agent-context files and regeneration tooling, MCP settings, a Podman-based devcontainer, and interactive Origin setup prompts and commands. ChangesAPM context, MCP, and devcontainer setup
Estimated code review effort: 3 (Moderate) | ~25 minutes 🚥 Pre-merge checks | ✅ 15✅ Passed checks (15 passed)
✨ Finishing Touches🧪 Generate unit tests (beta)
Comment |
There was a problem hiding this comment.
Actionable comments posted: 8
🧹 Nitpick comments (3)
.devcontainer/devcontainer.json (1)
10-14: 🔒 Security & Privacy | 🔵 Trivial | ⚖️ Poor tradeoffHost credential mounts widen container blast radius.
Mounting
~/.config/gcloud,~/.config/gh, and~/.claudeinto the container means any compromised dependency or malicious code executed inside the devcontainer (e.g. via the unverified installers in the Dockerfile/post-create.sh) gets direct access to GCP credentials, GitHub tokens, and Claude session data. Consider documenting this risk in the README or scoping mounts to only what's strictly necessary.🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In @.devcontainer/devcontainer.json around lines 10 - 14, The devcontainer mounts in devcontainer.json expose host credentials and should be tightened or clearly documented. Review the mounts array that binds ~/.config/gcloud, ~/.config/gh, and ~/.claude into the container, then either scope them down to only the minimum required credentials or add explicit README guidance about the security risk and when to use these mounts..devcontainer/post-create.sh (1)
22-29: 📐 Maintainability & Code Quality | 🔵 Trivial | 💤 Low valueSymlink-based Claude project linking relies on unsanitized path substitution.
sed 's|/|-|g'onHOST_WORKSPACE_FOLDERis a reasonable approach but shellcheck suggests bash parameter expansion instead of spawningsed. Minor style nit, functionally fine as written.♻️ Optional simplification
- host_project_dir=$(echo "$HOST_WORKSPACE_FOLDER" | sed 's|/|-|g') + host_project_dir="${HOST_WORKSPACE_FOLDER//\//-}"🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In @.devcontainer/post-create.sh around lines 22 - 29, The Claude project linking block in post-create.sh uses sed to replace slashes in HOST_WORKSPACE_FOLDER, but this can be simplified with shell parameter expansion. Update the host_project_dir assignment in the symlink setup logic to use bash’s built-in string substitution instead of spawning sed, keeping the existing HOST_WORKSPACE_FOLDER, claude_projects, and -workspace symlink behavior unchanged.Source: Linters/SAST tools
.devcontainer/Dockerfile (1)
32-35: 🔒 Security & Privacy | 🔵 Trivial | 💤 Low valuePasswordless sudo for
vscodeuser.
NOPASSWD:ALLgrants unrestricted root escalation inside the container. Acceptable for a dev-only container, but worth a brief comment explaining the tradeoff since it broadens the attack surface if the container is ever exposed or reused for other purposes.🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In @.devcontainer/Dockerfile around lines 32 - 35, The `vscode` user setup in the Dockerfile grants unrestricted passwordless sudo via the sudoers entry, so add a brief inline comment near the `useradd`/`sudoers.d/vscode` setup explaining that this is intentional for a dev-only container and broadens the attack surface if reused elsewhere. Keep the existing `vscode` provisioning behavior unchanged and document the tradeoff where the `vscode` user and sudoers rule are defined.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In @.agentic/solve-config.md:
- Line 9: The repo guidance in solve-config is out of sync with the vendoring
workflow because it only mentions running go mod vendor after go.mod changes.
Update the instruction text to match the repo standard by including go mod tidy
before go mod vendor, so the dependency metadata and vendor tree stay aligned.
Keep the fix localized to the vendoring guidance in the solve-config document.
In @.apm/instructions/general.instructions.md:
- Line 33: Update the vendoring guidance so it tells contributors to run go mod
tidy before go mod vendor when changing go.mod; this applies to the vendor/
instruction in the general instructions file, and the wording should make it
clear that both go.mod/go.sum and vendor/ must stay in sync.
In @.apm/prompts/origin-dev-setup.prompt.md:
- Around line 60-90: The Linux container startup logic is using a generic
`command -v docker` check, which can succeed for native Docker and incorrectly
skip the `--docker-path podman` fallback. Update the detection in the origin dev
setup prompt to explicitly verify the Podman Docker shim (or package presence)
before selecting the Linux path, and keep the `devcontainer up` command choice
tied to that shim-specific check.
In @.devcontainer/Dockerfile:
- Line 42: The uv installation step is piping a remote installer directly into
sh, so replace it with a safer flow in the Dockerfile’s uv install RUN step.
Download the installer separately, verify it against a pinned known-good
checksum before executing, or switch to a package-managed installation path.
Keep the existing INSTALLER_NO_MODIFY_PATH and UV_INSTALL_DIR behavior, but make
the install sequence explicit and verifiable.
- Around line 24-30: The devcontainer build in the Dockerfile downloads
golangci-lint and gh release artifacts without integrity verification. Update
the existing RUN block that fetches these binaries to validate them with pinned
checksums or signatures before installation, or, if this is intentionally left
unchecked, document that decision clearly in the Dockerfile so the risk is
explicit.
In @.devcontainer/post-create.sh:
- Around line 12-17: The Claude Code install step in post-create.sh currently
pipes the remote installer directly into sh, which should be replaced with a
safer download-and-verify flow. Update the install logic in the main Claude
installation block to fetch the installer first, verify its checksum or
signature before execution, and only then run it; keep the SKIP_CLAUDE_INSTALL
branch unchanged.
In @.devcontainer/README.md:
- Around line 23-26: Remove the redundant bootstrap step from the README
instructions: the manual podman exec invocation that runs
.devcontainer/post-create.sh repeats the work already handled by
postCreateCommand during devcontainer up. Update the instructions near the
numbered setup steps in .devcontainer/README.md so that the “Exec in” example
uses the same origin-dev podman exec command only to open an interactive bash
shell, and no longer references running the post-create script manually.
In `@hack/agentic_setup.sh`:
- Around line 8-11: The wrapper in agentic_setup.sh resolves REPO_ROOT and
invokes post-create.sh but never changes into the repository before running it.
Update this flow so the script enters ${REPO_ROOT} before calling
.devcontainer/post-create.sh, keeping the existing SKIP_CLAUDE_INSTALL=true
environment, so repo-relative commands inside post-create.sh such as go mod
download and make build run from the checkout root.
---
Nitpick comments:
In @.devcontainer/devcontainer.json:
- Around line 10-14: The devcontainer mounts in devcontainer.json expose host
credentials and should be tightened or clearly documented. Review the mounts
array that binds ~/.config/gcloud, ~/.config/gh, and ~/.claude into the
container, then either scope them down to only the minimum required credentials
or add explicit README guidance about the security risk and when to use these
mounts.
In @.devcontainer/Dockerfile:
- Around line 32-35: The `vscode` user setup in the Dockerfile grants
unrestricted passwordless sudo via the sudoers entry, so add a brief inline
comment near the `useradd`/`sudoers.d/vscode` setup explaining that this is
intentional for a dev-only container and broadens the attack surface if reused
elsewhere. Keep the existing `vscode` provisioning behavior unchanged and
document the tradeoff where the `vscode` user and sudoers rule are defined.
In @.devcontainer/post-create.sh:
- Around line 22-29: The Claude project linking block in post-create.sh uses sed
to replace slashes in HOST_WORKSPACE_FOLDER, but this can be simplified with
shell parameter expansion. Update the host_project_dir assignment in the symlink
setup logic to use bash’s built-in string substitution instead of spawning sed,
keeping the existing HOST_WORKSPACE_FOLDER, claude_projects, and -workspace
symlink behavior unchanged.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Repository YAML (base), Central YAML (inherited)
Review profile: CHILL
Plan: Enterprise
Run ID: a2311ea8-6503-43ff-913f-e1763cd419d3
📒 Files selected for processing (34)
.agentic/followup-config.md.agentic/solve-config.md.apm/instructions/general.instructions.md.apm/instructions/testing.instructions.md.apm/prompts/origin-dev-setup.prompt.md.claude/commands/origin-dev-setup.md.claude/rules/general.md.claude/rules/testing.md.cursor/commands/origin-dev-setup.md.cursor/mcp.json.cursor/rules/general.mdc.cursor/rules/testing.mdc.devcontainer/.env.example.devcontainer/Dockerfile.devcontainer/README.md.devcontainer/devcontainer.json.devcontainer/post-create.sh.gemini/commands/origin-dev-setup.toml.gemini/settings.json.gitattributes.github/instructions/general.instructions.md.github/instructions/testing.instructions.md.github/prompts/origin-dev-setup.prompt.md.gitignore.mcp.json.opencode/commands/origin-dev-setup.mdAGENTS.mdCLAUDE.mdGEMINI.mdMakefileapm.lock.yamlapm.ymlhack/agentic_setup.shopencode.json
| Also check for `podman-docker`: | ||
|
|
||
| ```bash | ||
| command -v docker | ||
| ``` | ||
|
|
||
| If missing, suggest installing `podman-docker` (dnf or apt depending on `/etc/os-release`). | ||
|
|
||
| ### 5. Environment file | ||
|
|
||
| Check if `.devcontainer/.env` exists: | ||
|
|
||
| ```bash | ||
| test -f .devcontainer/.env | ||
| ``` | ||
|
|
||
| If missing, copy from the example: | ||
|
|
||
| ```bash | ||
| cp .devcontainer/.env.example .devcontainer/.env | ||
| ``` | ||
|
|
||
| Then read `.devcontainer/.env` and check for empty required values. If any are blank (e.g. `ANTHROPIC_VERTEX_PROJECT_ID`), tell the user which values need to be filled in and ask them to edit `.devcontainer/.env` and let you know when they're done. **Do not** ask for the values directly or write to the file yourself — the user should edit it. Wait for them to confirm before continuing. | ||
|
|
||
| ### 6. Start the container | ||
|
|
||
| Determine the right command based on OS: | ||
|
|
||
| - **macOS**: `devcontainer up --workspace-folder . --docker-path podman` | ||
| - **Linux** (with `podman-docker`): `devcontainer up --workspace-folder .` | ||
| - **Linux** (without `podman-docker`): `devcontainer up --workspace-folder . --docker-path podman` |
There was a problem hiding this comment.
🎯 Functional Correctness | 🟠 Major | ⚡ Quick win
Check for the Podman Docker shim explicitly. command -v docker also matches native Docker, so the Linux branch can incorrectly assume podman-docker is present and skip --docker-path podman when it isn’t. Use a shim-specific check or package verification before choosing that path.
🧰 Tools
🪛 LanguageTool
[style] ~82-~82: Consider using “who” when you are referring to a person instead of an object.
Context: ...OPIC_VERTEX_PROJECT_ID`), tell the user which values need to be filled in and ask the...
(THAT_WHO)
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In @.apm/prompts/origin-dev-setup.prompt.md around lines 60 - 90, The Linux
container startup logic is using a generic `command -v docker` check, which can
succeed for native Docker and incorrectly skip the `--docker-path podman`
fallback. Update the detection in the origin dev setup prompt to explicitly
verify the Podman Docker shim (or package presence) before selecting the Linux
path, and keep the `devcontainer up` command choice tied to that shim-specific
check.
| RUN ARCH=$(uname -m) && \ | ||
| if [ "$ARCH" = "aarch64" ]; then GO_ARCH="arm64"; else GO_ARCH="amd64"; fi && \ | ||
| rpm -i "https://github.com/golangci/golangci-lint/releases/download/v${GOLANGCI_LINT_VERSION}/golangci-lint-${GOLANGCI_LINT_VERSION}-linux-${GO_ARCH}.rpm" && \ | ||
| curl -fsSL "https://github.com/cli/cli/releases/download/v${GH_VERSION}/gh_${GH_VERSION}_linux_${GO_ARCH}.tar.gz" \ | ||
| | tar xz -C /tmp && \ | ||
| mv "/tmp/gh_${GH_VERSION}_linux_${GO_ARCH}/bin/gh" /usr/local/bin/gh && \ | ||
| chmod +x /usr/local/bin/gh |
There was a problem hiding this comment.
🔒 Security & Privacy | 🟡 Minor | ⚡ Quick win
🧩 Analysis chain
🏁 Script executed:
#!/bin/bash
set -euo pipefail
echo "== relevant files =="
git ls-files .devcontainer . | rg '(^|/)(Dockerfile|post-create\.sh|devcontainer.*json|compose\.ya?ml|README\.md)$' || true
echo
echo "== .devcontainer/Dockerfile =="
nl -ba .devcontainer/Dockerfile | sed -n '1,220p'
echo
echo "== search for golangci-lint / gh / checksum / signature / sha256 =="
rg -n 'golangci-lint|gh_|sha256|checksum|gpg|cosign|cosign|verify|devcontainer|post-create' .devcontainer . -g '!**/node_modules/**' -g '!**/dist/**' -g '!**/build/**' || trueRepository: openshift/origin
Length of output: 19790
🏁 Script executed:
#!/bin/bash
set -euo pipefail
echo "== relevant files =="
git ls-files .devcontainer . | rg '(^|/)(Dockerfile|post-create\.sh|devcontainer.*json|compose\.ya?ml|README\.md)$' || true
echo
echo "== .devcontainer/Dockerfile =="
nl -ba .devcontainer/Dockerfile | sed -n '1,220p'
echo
echo "== search for golangci-lint / gh / checksum / signature / sha256 =="
rg -n 'golangci-lint|gh_|sha256|checksum|gpg|cosign|verify|devcontainer|post-create' .devcontainer . -g '!**/node_modules/**' -g '!**/dist/**' -g '!**/build/**' || trueRepository: openshift/origin
Length of output: 19790
🏁 Script executed:
#!/bin/bash
set -euo pipefail
echo "== .devcontainer/Dockerfile =="
cat -n .devcontainer/Dockerfile
echo
echo "== .devcontainer/devcontainer.json =="
cat -n .devcontainer/devcontainer.json
echo
echo "== .devcontainer/post-create.sh =="
cat -n .devcontainer/post-create.sh
echo
echo "== .devcontainer/README.md =="
cat -n .devcontainer/README.md
echo
echo "== search =="
rg -n 'golangci-lint|gh_|sha256|checksum|gpg|cosign|verify|devcontainer|local development|developer|dev-only' .devcontainer README.md . -g '!**/node_modules/**' -g '!**/dist/**' -g '!**/build/**' || trueRepository: openshift/origin
Length of output: 50373
🏁 Script executed:
#!/bin/bash
set -euo pipefail
echo "== .devcontainer/Dockerfile (lines 1-120) =="
awk '{printf "%4d %s\n", NR, $0}' .devcontainer/Dockerfile | sed -n '1,120p'
echo
echo "== .devcontainer/devcontainer.json =="
awk '{printf "%4d %s\n", NR, $0}' .devcontainer/devcontainer.json
echo
echo "== .devcontainer/post-create.sh =="
awk '{printf "%4d %s\n", NR, $0}' .devcontainer/post-create.sh
echo
echo "== .devcontainer/README.md =="
awk '{printf "%4d %s\n", NR, $0}' .devcontainer/README.md
echo
echo "== focused search in .devcontainer =="
rg -n 'golangci-lint|gh_|sha256|checksum|gpg|cosign|verify|local development|developer|dev-only|security|supply chain' .devcontainerRepository: openshift/origin
Length of output: 8295
Pin checksums or signatures for the devcontainer downloads. The devcontainer is for local development, but these release artifacts are still fetched and executed during the image build. Add integrity checks if this image may be shared, or document the risk as intentional.
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In @.devcontainer/Dockerfile around lines 24 - 30, The devcontainer build in the
Dockerfile downloads golangci-lint and gh release artifacts without integrity
verification. Update the existing RUN block that fetches these binaries to
validate them with pinned checksums or signatures before installation, or, if
this is intentionally left unchecked, document that decision clearly in the
Dockerfile so the risk is explicit.
| ENV GOPATH=/home/vscode/go | ||
| ENV PATH="/home/vscode/.local/bin:${GOPATH}/bin:/usr/local/go/bin:${PATH}" | ||
|
|
||
| RUN curl -LsSf https://astral.sh/uv/install.sh | env INSTALLER_NO_MODIFY_PATH=1 UV_INSTALL_DIR=/usr/local/bin sh |
There was a problem hiding this comment.
🔒 Security & Privacy | 🟠 Major | ⚡ Quick win
🧩 Analysis chain
🏁 Script executed:
#!/bin/bash
set -euo pipefail
printf '\n== File context ==\n'
git ls-files .devcontainer/Dockerfile .devcontainer/post-create.sh
printf '\n== Relevant snippets ==\n'
sed -n '1,120p' .devcontainer/Dockerfile
printf '\n--- post-create.sh ---\n'
sed -n '1,200p' .devcontainer/post-create.sh
printf '\n== Search for uv install references ==\n'
rg -n "astral\.sh/uv/install\.sh|uv install|INSTALLER_NO_MODIFY_PATH|UV_INSTALL_DIR" .devcontainer .Repository: openshift/origin
Length of output: 3311
Avoid piping the uv installer into sh. Download the script first and pin a known-good checksum before execution, or use a package-managed install; otherwise a compromised CDN or installer can execute arbitrary code during the image build.
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In @.devcontainer/Dockerfile at line 42, The uv installation step is piping a
remote installer directly into sh, so replace it with a safer flow in the
Dockerfile’s uv install RUN step. Download the installer separately, verify it
against a pinned known-good checksum before executing, or switch to a
package-managed installation path. Keep the existing INSTALLER_NO_MODIFY_PATH
and UV_INSTALL_DIR behavior, but make the install sequence explicit and
verifiable.
| if [[ "${SKIP_CLAUDE_INSTALL:-}" != "true" ]]; then | ||
| echo "==> Installing Claude Code..." | ||
| curl -fsSL https://claude.ai/install.sh | sh | ||
| else | ||
| echo "==> Skipping Claude Code install (SKIP_CLAUDE_INSTALL=true)." | ||
| fi |
There was a problem hiding this comment.
🔒 Security & Privacy | 🟠 Major | ⚡ Quick win
🧩 Analysis chain
🏁 Script executed:
#!/bin/bash
set -euo pipefail
printf '\n## File map\n'
git ls-files '.devcontainer/post-create.sh' 'hack/agentic_setup.sh'
printf '\n## Line-numbered snippets\n'
for f in '.devcontainer/post-create.sh' 'hack/agentic_setup.sh'; do
echo "\n### $f"
wc -l "$f"
cat -n "$f"
done
printf '\n## Search for Claude install references\n'
rg -n 'SKIP_CLAUDE_INSTALL|claude\.ai/install\.sh|Claude Code|install\.sh' .devcontainer hack -SRepository: openshift/origin
Length of output: 2980
Avoid piping the Claude installer directly into sh. Download it first and verify a checksum/signature before execution; otherwise a compromised claude.ai endpoint/CDN or MITM can execute arbitrary code in the devcontainer.
🧰 Tools
🪛 ast-grep (0.44.1)
[error] 13-13: Remote content fetched with curl/wget is piped directly into a shell interpreter, so any server compromise, MITM, or tampered mirror results in arbitrary code execution on this host. Download the script to a file first, verify its integrity (checksum/signature) and inspect it, then run the verified local copy.
Context: curl -fsSL https://claude.ai/install.sh | sh
Note: [CWE-494] Download of Code Without Integrity Check.
(curl-pipe-to-shell-bash)
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In @.devcontainer/post-create.sh around lines 12 - 17, The Claude Code install
step in post-create.sh currently pipes the remote installer directly into sh,
which should be replaced with a safer download-and-verify flow. Update the
install logic in the main Claude installation block to fetch the installer
first, verify its checksum or signature before execution, and only then run it;
keep the SKIP_CLAUDE_INSTALL branch unchanged.
|
Scheduling required tests: |
- Fix vendor guidance: `go mod tidy && go mod vendor` in general instructions - Add `cd` to repo root in hack/agentic_setup.sh before running post-create.sh - Remove redundant post-create exec from README (postCreateCommand handles it) - Add dev-only comment on passwordless sudo in Dockerfile - Use bash parameter expansion instead of sed in post-create.sh Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
|
Scheduling required tests: |
|
@coderabbitai can you summarize the findings that are still present here? |
|
Tip For best results, initiate chat on the files or code changes. 🧩 Analysis chain🏁 Script executed: #!/bin/bash
gh pr view 31371 --repo openshift/origin --json reviews,comments --jq '.reviews[] | {author: .author.login, body: .body, state: .state}' | head -c 3000
echo "---review comments---"
gh api repos/openshift/origin/pulls/31371/comments --paginate --jq '.[] | select(.user.login=="coderabbitai[bot]" or .user.login=="coderabbitai") | {id, path, line, body: .body[0:300], in_reply_to: .in_reply_to_id}'Length of output: 7029 🏁 Script executed: #!/bin/bash
set -euo pipefail
echo "=== Full comment bodies ==="
gh api repos/openshift/origin/pulls/31371/comments --paginate --jq '.[] | select(.user.login=="coderabbitai[bot]" or .user.login=="coderabbitai") | "----\nID: \(.id)\nPATH: \(.path)\nLINE: \(.line)\n\(.body)\n"'Length of output: 20386 🏁 Script executed: #!/bin/bash
set -euo pipefail
echo "=== .agentic/solve-config.md ==="
cat -n .agentic/solve-config.md
echo "=== .apm/instructions/general.instructions.md (vendor line) ==="
grep -n "vendor" .apm/instructions/general.instructions.md
echo "=== .devcontainer/post-create.sh ==="
cat -n .devcontainer/post-create.sh
echo "=== .devcontainer/Dockerfile ==="
cat -n .devcontainer/Dockerfile
echo "=== .apm/prompts/origin-dev-setup.prompt.md podman docker check ==="
grep -n "docker" .apm/prompts/origin-dev-setup.prompt.mdLength of output: 5295
✅ Addressed (in commit 1cb8403)
🟡 Still open
Nitpick, unresolved (informational only)
Items 3-5 are the same class of concern (unverified |
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
|
origin-dev-setup.prompt.md command -v docker — Skip. This is an interactive Claude prompt, not a script. Claude asks the user what they have and adapts. Matches sippy's identical pattern which works in curl|sh supply chain (uv, golangci-lint/gh, Claude installer) — Skip. Dev-only container, all match sippy's pattern, versions are pinned. The installers don't publish stable checksums to verify against (they Mount blast radius docs — Skip. Already documented in README Prerequisites section with all three mounts, what they're for, and how to create them. |
|
Tip For best results, initiate chat on the files or code changes.
That leaves one still-open item from my earlier summary that wasn't addressed:
✏️ Learnings added
|
|
@coderabbitai, I have just addressed that in the latest commit |
|
Tip For best results, initiate chat on the files or code changes. 🧩 Analysis chain🏁 Script executed: #!/bin/bash
set -euo pipefail
cat -n .agentic/solve-config.mdLength of output: 578
|
|
@coderabbitai can you do a fresh review? |
|
✅ Action performedFull review finished. |
|
Scheduling required tests: |
There was a problem hiding this comment.
Actionable comments posted: 2
🧹 Nitpick comments (2)
.devcontainer/post-create.sh (1)
1-2: 🩺 Stability & Availability | 🔵 Trivial | ⚡ Quick winConsider adding
pipefailto guard thecurl | shpipeline.
set -eudoesn't includepipefail, so ifcurl(line 14) fails mid-pipeline, the exit status of the pipeline issh's, notcurl's — a network failure could silently skip the Claude install without trippingset -e.🔧 Proposed fix
#!/bin/bash -set -eu +set -euo pipefail🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In @.devcontainer/post-create.sh around lines 1 - 2, The shell setup in post-create.sh only enables errexit and nounset, so failures in the curl | sh install pipeline can be hidden by the shell at the end of the pipe. Update the script’s safety flags to include pipefail alongside the existing set options, and keep the Claude install flow in the same script so the pipeline exits on curl failures instead of silently continuing..apm/instructions/general.instructions.md (1)
8-10: 📐 Maintainability & Code Quality | 🔵 Trivial | ⚡ Quick winInclude the GitHub mirrors in the regeneration guidance.
The generated surface in
.gitattributesandapm.lock.yamlalso includes.github/instructions/**and.github/prompts/**. Calling those out here would keep the source-of-truth doc aligned with the full deployed set.♻️ Proposed edit
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In @.apm/instructions/general.instructions.md around lines 8 - 10, The regeneration guidance is incomplete because it omits the GitHub mirror outputs that are also generated from .apm sources. Update the instructions in the general guidance so the make apm workflow explicitly includes the .github/instructions/** and .github/prompts/** mirrors alongside the existing AGENTS.md, CLAUDE.md, GEMINI.md, .claude/, .cursor/, .gemini/, and .opencode/ targets, using the same source-of-truth framing as the surrounding .apm docs.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In @.devcontainer/.env.example:
- Around line 2-4: The example env keys are in the wrong order and violate the
lint rule. Reorder the entries in the .env example so
ANTHROPIC_VERTEX_PROJECT_ID appears before CLAUDE_CODE_USE_VERTEX, keeping
CLOUD_ML_REGION in the same block and preserving the existing values.
In @.devcontainer/Dockerfile:
- Line 52: The devcontainer currently installs gotestsum with a floating `@latest`
tag, which makes rebuilds non-reproducible; update the RUN go install
gotest.tools/gotestsum@latest step to use a pinned version so the Dockerfile
always installs the same tool version. Keep the change localized to the
gotestsum install line in the Dockerfile.
---
Nitpick comments:
In @.apm/instructions/general.instructions.md:
- Around line 8-10: The regeneration guidance is incomplete because it omits the
GitHub mirror outputs that are also generated from .apm sources. Update the
instructions in the general guidance so the make apm workflow explicitly
includes the .github/instructions/** and .github/prompts/** mirrors alongside
the existing AGENTS.md, CLAUDE.md, GEMINI.md, .claude/, .cursor/, .gemini/, and
.opencode/ targets, using the same source-of-truth framing as the surrounding
.apm docs.
In @.devcontainer/post-create.sh:
- Around line 1-2: The shell setup in post-create.sh only enables errexit and
nounset, so failures in the curl | sh install pipeline can be hidden by the
shell at the end of the pipe. Update the script’s safety flags to include
pipefail alongside the existing set options, and keep the Claude install flow in
the same script so the pipeline exits on curl failures instead of silently
continuing.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Repository YAML (base), Central YAML (inherited)
Review profile: CHILL
Plan: Enterprise
Run ID: 44eec234-7dc6-40d6-9d4e-b3607c37bffe
📒 Files selected for processing (34)
.agentic/followup-config.md.agentic/solve-config.md.apm/instructions/general.instructions.md.apm/instructions/testing.instructions.md.apm/prompts/origin-dev-setup.prompt.md.claude/commands/origin-dev-setup.md.claude/rules/general.md.claude/rules/testing.md.cursor/commands/origin-dev-setup.md.cursor/mcp.json.cursor/rules/general.mdc.cursor/rules/testing.mdc.devcontainer/.env.example.devcontainer/Dockerfile.devcontainer/README.md.devcontainer/devcontainer.json.devcontainer/post-create.sh.gemini/commands/origin-dev-setup.toml.gemini/settings.json.gitattributes.github/instructions/general.instructions.md.github/instructions/testing.instructions.md.github/prompts/origin-dev-setup.prompt.md.gitignore.mcp.json.opencode/commands/origin-dev-setup.mdAGENTS.mdCLAUDE.mdGEMINI.mdMakefileapm.lock.yamlapm.ymlhack/agentic_setup.shopencode.json
|
|
||
| USER vscode | ||
|
|
||
| RUN go install gotest.tools/gotestsum@latest |
There was a problem hiding this comment.
📐 Maintainability & Code Quality | 🟡 Minor | ⚡ Quick win
🧩 Analysis chain
🏁 Script executed:
#!/bin/bash
set -euo pipefail
# Map the Dockerfile and inspect the relevant section with line numbers.
git ls-files .devcontainer/Dockerfile
wc -l .devcontainer/Dockerfile
cat -n .devcontainer/Dockerfile | sed -n '1,120p'Repository: openshift/origin
Length of output: 2521
🏁 Script executed:
#!/bin/bash
set -euo pipefail
rg -n "gotestsum|gotest\.tools/gotestsum" . -g '!**/.git/**'Repository: openshift/origin
Length of output: 1760
Pin gotestsum instead of @latest. This keeps devcontainer rebuilds reproducible and avoids pulling a different tool version over time.
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In @.devcontainer/Dockerfile at line 52, The devcontainer currently installs
gotestsum with a floating `@latest` tag, which makes rebuilds non-reproducible;
update the RUN go install gotest.tools/gotestsum@latest step to use a pinned
version so the Dockerfile always installs the same tool version. Keep the change
localized to the gotestsum install line in the Dockerfile.
|
@smg247: The following test failed, say
Full PR test history. Your PR dashboard. DetailsInstructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here. |
Add a Fedora 43 devcontainer with Go toolchain, golangci-lint, gh CLI, and Claude Code support via Vertex AI. Includes devcontainer.json, post-create.sh, .env.example, README with setup instructions, and an interactive /origin-dev-setup slash command.
Add APM configuration (apm.yml, instructions, prompts) that generates agent context for Claude, Cursor, Gemini, and OpenCode. Instructions document the openshift-tests architecture including e2e tests, monitor tests, disruption tests, and the OTE extension framework.
Add .agentic/ config overlays for the TRT agentic CI workflow (jira-solver and review-responder) and hack/agentic_setup.sh.
Summary by CodeRabbit