ART-12444- changes in ocp4-konflux

[mbiarnes]

for find-bugs:second-fix
which closes OCPBUGS that are found/determined as not first-fix when running ocp4_konflux jobs - only and when the software-lifecycle phase is pre-release or signed (so before release)

test-job:
https://art-jenkins.apps.prod-stable-spoke1-dc-iad2.itup.redhat.com/job/hack/job/mbiarnes/job/ocp4-konflux/49/console

13:24:01 2025-12-05 12:24:01,001 artcommonlib INFO On commit: 9b492cc4fd8dcf2093ca5997fcc0365255e7a6fd (openshift-4.22)
13:24:01 2025-12-05 12:24:01,119 artcommonlib INFO Using branch from group.yml: rhaos-4.22-rhel-9
13:24:02 2025-12-05 12:24:01,980 art_tools.elliottlib.cli.find_bugs_second_fix_cli INFO Software lifecycle is pre-release. Performing second-fix action ...
13:24:02 2025-12-05 12:24:01,980 art_tools.elliottlib.cli.find_bugs_second_fix_cli INFO Fetching tracker bugs ..
13:24:05 2025-12-05 12:24:05,008 art_tools.elliottlib.cli.find_bugs_second_fix_cli INFO 0 trackers found: []
13:24:05 2025-12-05 12:24:05,008 art_tools.elliottlib.cli.find_bugs_second_fix_cli INFO 0 valid trackers found: []
13:24:05 2025-12-05 12:24:05,008 art_tools.elliottlib.cli.find_bugs_second_fix_cli INFO Computing second-fix tracker ids ..
13:24:05 2025-12-05 12:24:05,014 bugzilla._authfiles INFO Found bugzillarc files: ['/home/jenkins/.config/python-bugzilla/bugzillarc']
13:24:05 2025-12-05 12:24:05,274 bugzilla.base INFO Using RHBugzilla for URL containing .redhat.com
13:24:06 2025-12-05 12:24:06,040 art_tools.elliottlib.cli.find_bugs_second_fix_cli INFO 0 CVE trackers that are second-fix: []

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign rayfordj for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[coderabbitai]

Walkthrough

Added async method sweep_second_fix_bugs() to KonfluxOcp4Pipeline to perform second-fix bug sweep using Elliott with group openshift-{version}. Method supports dry-run mode, reports failures to Slack, and executes for versions in KONFLUX_IMAGESTREAM_OVERRIDE_VERSIONS.

Changes

Cohort / File(s)	Summary
Bug sweep enhancements pyartcd/pyartcd/pipelines/ocp4_konflux.py	Added sweep_second_fix_bugs() async method to perform second-fix bug sweep for overridden versions; integrated into run() flow after sweep_golang_bugs() with dry-run and Slack notification support

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

• Verify dry-run mode handling is consistent with existing sweep_bugs() and sweep_golang_bugs() patterns
• Confirm Slack notification logic follows established error reporting convention
• Check that the conditional branch in run() correctly gates execution for versions in KONFLUX_IMAGESTREAM_OVERRIDE_VERSIONS

✨ Finishing touches

• 📝 Generate docstrings

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 0

🧹 Nitpick comments (1)

pyartcd/pyartcd/pipelines/ocp4_konflux.py (1)

428-448: Verify whether assembly check should be added for consistency.

The new method follows the established pattern well and integrates cleanly with the existing error handling and dry-run logic. However, both sweep_bugs() (lines 376-378) and sweep_golang_bugs() (lines 402-404) include an assembly check that skips execution when self.assembly != 'stream'. This method lacks that check.

If second-fix bug sweeps should run for all assemblies (not just stream), please add a comment explaining why this method differs from the others. Otherwise, consider adding the assembly check for consistency:

 async def sweep_second_fix_bugs(self):
     # find-bugs:second-fix closes CVE trackers that are not first-fix in pre-release branches
     # The command itself checks the software lifecycle phase and only runs for pre-release/signing phases
+    if self.assembly != 'stream':
+        self.runtime.logger.info('Not closing second-fix bugs since assembly is not stream')
+        return
+
     cmd = [
         'elliott',
         f'--group=openshift-{self.version}',
         "find-bugs:second-fix",
         "--close",
     ]

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

Cache: Disabled due to data retention organization setting

Knowledge base: Disabled due to Reviews -> Disable Knowledge Base setting

📥 Commits

Reviewing files that changed from the base of the PR and between a3ab9bc and effa0c9.

📒 Files selected for processing (1)

• pyartcd/pyartcd/pipelines/ocp4_konflux.py (2 hunks)

🧰 Additional context used

🧬 Code graph analysis (1)

pyartcd/pyartcd/pipelines/ocp4_konflux.py (2)

artcommon/artcommonlib/exectools.py (1)

• cmd_assert_async (637-705)

pyartcd/pyartcd/slack.py (2)

• bind_channel (34-50)
• say (60-97)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)

• GitHub Check: tests

🔇 Additional comments (1)

pyartcd/pyartcd/pipelines/ocp4_konflux.py (1)

729-729: LGTM! Integration follows the established sweep sequence.

The method is appropriately placed after the other bug sweep operations and within the version check, ensuring it only runs for versions in KONFLUX_IMAGESTREAM_OVERRIDE_VERSIONS.

[openshift-ci]

@mbiarnes: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/security	effa0c9	link	false	/test security

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

[locriandev]

/lgtm with a nitpick

[locriandev]

Suggested change

	if self.runtime.dry_run:
	return
	self.slack_client.bind_channel(f'openshift-{self.version}')
	await self.slack_client.say(f'Second-fix bug sweep failed for {self.version}. Please investigate')
	message = f'Second-fix bug sweep failed for {self.version}. Please investigate'
	LOGGER.warning(message)
	if not self.runtime.dry_run:
	self.slack_client.bind_channel(f'openshift-{self.version}')
	await self.slack_client.say()