CI: Update images from rhel-8-release-golang tag to rhel-9-release-golag #4886
Conversation
…lang By default crc support 2 major release so better to update the images to rhel-9 since rhel-10 is released and available from quite some time.
WalkthroughRHEL base images and Go versions were bumped from rhel-8/golang-1.23 to rhel-9/golang-1.24 across devcontainer, CI workflows, and multiple image build files; the update-go-version.sh script was extended to propagate the new tags and to update an additional build-installer workflow matrix entry. Changes
Sequence Diagram(s)sequenceDiagram
autonumber
actor Dev as Developer
participant Script as update-go-version.sh
participant Files as Repo files
participant CI as GitHub Workflows
Dev->>Script: invoke with new golang_base_version
Script->>Files: scan targets (images/*, .devcontainer, go.mod, Makefile, tools/go.mod)
Note right of Script: compute rhel-9 image tag & go versions
Script->>Files: replace rhel-8-release-golang-* → rhel-9-release-golang-*
Script->>Files: update Makefile GOVERSION, go.mod, tools/go.mod
Script->>CI: update matrix.go entries (including build-installer matrix entry)
Script-->>Dev: write changes / exit
Estimated code review effort🎯 3 (Moderate) | ⏱️ ~25 minutes Poem
Tip 🔌 Remote MCP (Model Context Protocol) integration is now available!Pro plan users can now connect to remote MCP servers from the Integrations page. Connect with popular remote MCPs such as Notion and Linear to add more context to your reviews and chats. ✨ Finishing Touches🧪 Generate unit tests
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. 🪧 TipsChatThere are 3 ways to chat with CodeRabbit:
SupportNeed help? Create a ticket on our support page for assistance with any issues or questions. CodeRabbit Commands (Invoked using PR/Issue comments)Type Other keywords and placeholders
CodeRabbit Configuration File (
|
![coderabbitai[bot]](https://avatars.githubusercontent.com/in/347564?s=60&v=4){kind=small}
There was a problem hiding this comment.
Actionable comments posted: 0
Caution
Some comments are outside the diff and can’t be posted inline due to platform limitations.
⚠️ Outside diff range comments (2)
images/openshift-ci/Dockerfile (1)
18-19: Update Google Cloud SDK repo to target RHEL9
Thegoogle-cloud-sdk.repostill points at the EL8 endpoint and will fail on UBI9. Change itsbaseurlto the EL9 equivalent. The Azure CLI repo has no EL8 markers and is OS-agnostic—no update needed there.• images/openshift-ci/google-cloud-sdk.repo, line 3:
-baseurl=https://packages.cloud.google.com/yum/repos/cloud-sdk-el8-x86_64 +baseurl=https://packages.cloud.google.com/yum/repos/cloud-sdk-el9-x86_64update-go-version.sh (1)
19-26: Prevent yq null-path crashes and ensure Go matrix value is a quoted string.Current checks can error when a workflow lacks the matrix path (null piped to has("go") can fail), and the assignment writes 1.x as a YAML number, making style="single" a no-op. Quote the value and make the path checks null-safe. Also, quote the command substitution in [ ] to avoid word-splitting issues.
Apply the following diff:
-for f in .github/workflows/*.yml; do - if [ $(yq eval '.jobs.build.strategy.matrix | has("go")' "$f") == "true" ]; then - yq eval --inplace ".jobs.build.strategy.matrix.go[0] = ${golang_base_version} | .jobs.build.strategy.matrix.go[0] style=\"single\"" "$f"; - fi - if [ $(yq eval '.jobs.build-installer.strategy.matrix | has("go")' "$f") == "true" ]; then - yq eval --inplace ".jobs.build-installer.strategy.matrix.go[0] = ${golang_base_version} | .jobs.build-installer.strategy.matrix.go[0] style=\"single\"" "$f"; - fi -done +for f in .github/workflows/*.yml; do + if [ "$(yq eval '.jobs.build.strategy.matrix // {} | has("go")' "$f")" = "true" ]; then + yq eval --inplace '.jobs.build.strategy.matrix.go[0] = "'$golang_base_version'" | .jobs.build.strategy.matrix.go[0] style="single"' "$f" + fi + if [ "$(yq eval '.jobs.build-installer.strategy.matrix // {} | has("go")' "$f")" = "true" ]; then + yq eval --inplace '.jobs.build-installer.strategy.matrix.go[0] = "'$golang_base_version'" | .jobs.build-installer.strategy.matrix.go[0] style="single"' "$f" + fi +doneNotes:
- Using // {} ensures has("go") receives a map even when the path is missing.
- Assigning "'$golang_base_version'" writes a YAML string; setting style="single" then reliably yields a single-quoted scalar, avoiding YAML float interpretation.
- Quoting the command substitution protects the [ ] comparison from word-splitting.
🧹 Nitpick comments (5)
images/build/Dockerfile (2)
2-2: Replace deprecated MAINTAINER with an OCI labelMAINTAINER is deprecated (Hadolint DL4000). Prefer an OCI-compliant label to avoid linter failures.
Apply this diff:
-MAINTAINER CRC <[email protected]> +LABEL org.opencontainers.image.authors="CRC <[email protected]>"
8-8: Optional: pin final base image to a digest for reproducible buildsPinning ubi9 to a sha256 digest (and doing the same for the builder image) helps avoid supply-chain drift.
Example:
-FROM registry.access.redhat.com/ubi9/ubi +# e.g., pin to a known-good digest +FROM registry.access.redhat.com/ubi9/ubi@sha256:<digest>If you’d like, I can help resolve and propose specific digests currently used in CI.
images/openshift-ci/Dockerfile (1)
21-30: Optional: prefer dnf on UBI9 and keep cache paths consistentOn UBI9, dnf is the canonical tool. If reproducibility matters, consider dropping the unconditional update. If security freshness matters, keep update but switch to dnf and clean the correct cache path.
Suggested diff:
-RUN yum update -y && \ - yum install --setopt=tsflags=nodocs -y \ +RUN dnf -y update && \ + dnf -y install --setopt=tsflags=nodocs \ google-cloud-sdk \ nss_wrapper \ unzip \ sshpass \ jq \ azure-cli \ openssh-clients && \ - yum clean all && rm -rf /var/cache/yum/* + dnf clean all && rm -rf /var/cache/dnf/*update-go-version.sh (1)
16-18: RHEL-9 sed replacements look correct; consider whitespace-tolerant match and safer glob handling.Your anchoring to the FROM line and the captured suffix is solid. Two optional robustness tweaks:
- Allow leading whitespace before FROM (some Dockerfiles/Containerfiles indent multi-stage lines).
- If a glob (images//Dockerfile or images//Containerfile) has no matches, sed -i will fail and abort due to set -e. Guarding against missing files avoids surprising failures.
You can apply the whitespace-tolerant pattern directly here:
-sed -i "s,^\(FROM registry.ci.openshift.org/openshift/release:rhel-9-release-golang-\)1.[0-9]\+,\1${golang_base_version}," images/*/Dockerfile -sed -i "s,^\(FROM registry.ci.openshift.org/openshift/release:rhel-9-release-golang-\)1.[0-9]\+,\1${golang_base_version}," images/*/Containerfile +sed -i "s,^[[:space:]]*\(FROM registry.ci.openshift.org/openshift/release:rhel-9-release-golang-\)1\.[0-9]\+,\1${golang_base_version}," images/*/Dockerfile +sed -i "s,^[[:space:]]*\(FROM registry.ci.openshift.org/openshift/release:rhel-9-release-golang-\)1\.[0-9]\+,\1${golang_base_version}," images/*/ContainerfileIf you want to avoid failures when no files match, enable nullglob near the top (outside this hunk):
shopt -s nullglob.github/workflows/verify-devcontainer.yml (1)
11-11: RHEL 9 base image switch looks good; consider pinning by digest for reproducibility.The new image tag aligns with the PR goal. For CI determinism and supply-chain hardening, consider pinning the image to a digest to avoid tag drift.
For example:
- image: registry.ci.openshift.org/openshift/release:rhel-9-release-golang-1.23-openshift-4.19 + image: registry.ci.openshift.org/openshift/release@sha256:<digest-for-rhel-9-release-golang-1.23-openshift-4.19>If pinning isn’t desirable, you can keep the tag as-is.
📜 Review details
Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro
💡 Knowledge Base configuration:
- MCP integration is disabled by default for public repositories
- Jira integration is disabled by default for public repositories
- Linear integration is disabled by default for public repositories
You can enable these sources in your CodeRabbit configuration.
📒 Files selected for processing (7)
.devcontainer/devcontainer.json(1 hunks).github/workflows/verify-devcontainer.yml(1 hunks)images/build-e2e/Containerfile(1 hunks)images/build-integration/Containerfile(1 hunks)images/build/Dockerfile(1 hunks)images/openshift-ci/Dockerfile(1 hunks)update-go-version.sh(2 hunks)
🧰 Additional context used
🪛 Hadolint (2.12.0)
images/build/Dockerfile
[error] 2-2: MAINTAINER is deprecated
(DL4000)
🔇 Additional comments (7)
images/build-e2e/Containerfile (1)
2-2: RHEL 9 builder base image update — LGTMAlignment with the two-major-release policy looks good; no functional changes in the stage.
images/build/Dockerfile (2)
1-1: RHEL 9 builder base image update — LGTMConsistent with the rest of the PR; no behavioral change expected in the build stage.
9-9: COPY from builder — LGTMNo change in semantics; path and destination remain correct.
.devcontainer/devcontainer.json (1)
3-3: Devcontainer image moved to RHEL 9 — LGTMKeeps Go/OpenShift tags consistent with builder images used in CI.
images/build-integration/Containerfile (1)
2-2: RHEL 9 builder base image update — LGTMMatches the e2e and CI Dockerfiles; build flow unchanged.
images/openshift-ci/Dockerfile (1)
4-4: RHEL 9 builder base image update — LGTMConsistent with the other image updates; no changes to the rest of the pipeline.
update-go-version.sh (1)
28-28: LGTM on verify-devcontainer sed target.The pattern targets the image reference in verify-devcontainer.yml correctly to RHEL 9.
Looks like openshift-4.19 doesn't have tag for golang-1.24 but openshift 4.20 have it for both 1.23 and 1.24 `registry.ci.openshift.org/openshift/release:rhel-9-release-golang-1.23-openshift-4.20` since plan is to update the golang version to 1.24 in following commit so switching to 4.20
Since 1.25 is released and now most of the dep modules are switching to use 1.24 in the mod file since 1.23 is EOL https://endoflife.date/go
There was a problem hiding this comment.
Actionable comments posted: 1
Caution
Some comments are outside the diff and can’t be posted inline due to platform limitations.
⚠️ Outside diff range comments (2)
.github/workflows/qe-image.yml (1)
33-33: Shebang typo will break script execution (Exec format error).The generated script starts with
!#/bin/bashinstead of#!/bin/bash. Since it’s executed as./build-qe-images.sh, this will fail at runtime.Apply this fix:
- !#/bin/bash + #!/bin/bashimages/openshift-ci/Dockerfile (1)
18-21: Update google-cloud-sdk.repo to target EL9 repositories
- images/openshift-ci/google-cloud-sdk.repo (line 3) currently uses
baseurl=https://packages.cloud.google.com/yum/repos/cloud-sdk-el8-x86_64
which will fail on UBI9.- images/openshift-ci/azure-cli.repo contains no EL8 references and is EL9-compatible.
Recommendation:
- Change the Google Cloud SDK baseurl to
https://packages.cloud.google.com/yum/repos/cloud-sdk-el9-x86_64
or switch to using$releaseverif supported.
🧹 Nitpick comments (3)
.github/workflows/qe-image.yml (1)
41-43: Optional: invoke the script via bash to reduce reliance on the shebang.Even with the shebang fixed, calling via bash is a bit more robust on CI runners.
- chmod +x build-qe-images.sh - ./build-qe-images.sh + chmod +x build-qe-images.sh + bash ./build-qe-images.shimages/build/Dockerfile (2)
1-1: Base image bump to rhel-9/go1.24 looks correct and aligned with UBI9 runtime.Matches the repo-wide upgrade and should avoid glibc/openssl mismatches. Consider digest-pinning the base image for reproducibility.
2-2: Replace deprecated MAINTAINER with LABEL to satisfy hadolint (DL4000).Modern Dockerfiles should not use MAINTAINER. Replace with LABEL.
-MAINTAINER CRC <[email protected]> +LABEL maintainer="CRC <[email protected]>"
📜 Review details
Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro
💡 Knowledge Base configuration:
- MCP integration is disabled by default for public repositories
- Jira integration is disabled by default for public repositories
- Linear integration is disabled by default for public repositories
You can enable these sources in your CodeRabbit configuration.
📒 Files selected for processing (18)
.devcontainer/devcontainer.json(1 hunks).github/workflows/choco-release.yml(1 hunks).github/workflows/macos-installer.yml(1 hunks).github/workflows/make-check-win.yml(1 hunks).github/workflows/make-check.yml(1 hunks).github/workflows/make-rpm.yml(1 hunks).github/workflows/qe-image.yml(1 hunks).github/workflows/test-okd-bundle.yml(1 hunks).github/workflows/verify-devcontainer.yml(1 hunks).github/workflows/windows-artifacts.yml(1 hunks).github/workflows/windows-chocolatey.yml(1 hunks)Makefile(1 hunks)go.mod(1 hunks)images/build-e2e/Containerfile(1 hunks)images/build-integration/Containerfile(1 hunks)images/build/Dockerfile(1 hunks)images/openshift-ci/Dockerfile(1 hunks)tools/go.mod(1 hunks)
✅ Files skipped from review due to trivial changes (2)
- go.mod
- Makefile
🚧 Files skipped from review as they are similar to previous changes (3)
- .devcontainer/devcontainer.json
- .github/workflows/verify-devcontainer.yml
- images/build-integration/Containerfile
🧰 Additional context used
🪛 Hadolint (2.12.0)
images/build/Dockerfile
[error] 2-2: MAINTAINER is deprecated
(DL4000)
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (17)
- GitHub Check: build (ubuntu-22.04, 1.24)
- GitHub Check: Run OKD bundle with crc (1.24)
- GitHub Check: build (macOS-13, 1.24)
- GitHub Check: build (macOS-14, 1.24)
- GitHub Check: build (ubuntu-latest, 1.24)
- GitHub Check: build (windows-2022, 1.24)
- GitHub Check: build-qe (darwin, amd64)
- GitHub Check: build (windows-2022, 1.24)
- GitHub Check: build-qe (windows, amd64)
- GitHub Check: build-qe (linux, amd64)
- GitHub Check: build-qe (linux, arm64)
- GitHub Check: build (macOS-14, 1.24)
- GitHub Check: build-qe (darwin, arm64)
- GitHub Check: build-installer (windows-2022, 1.24)
- GitHub Check: verify-devcontainer
- GitHub Check: build (ubuntu-latest, 1.24)
- GitHub Check: Konflux kflux-prd-rh02 / crc-binary-on-pull-request
🔇 Additional comments (13)
.github/workflows/make-check-win.yml (1)
16-16: Go matrix bumped to 1.24 — looks goodAligned with the repo-wide upgrade and supported by
actions/setup-go@v5. No issues spotted..github/workflows/windows-artifacts.yml (1)
25-25: Installer job now targets Go 1.24 — OKConsistent with other workflows and images;
actions/setup-go@v5will pull the latest 1.24.x..github/workflows/macos-installer.yml (1)
23-23: Go version updated to 1.24 — OKMacOS installer builds will use Go 1.24 as intended. No action needed.
.github/workflows/make-check.yml (1)
19-19: Go 1.24 in CI matrix — OKMatches the global toolchain bump;
make goversioncheckon Linux should pass with this..github/workflows/test-okd-bundle.yml (1)
14-14: Go 1.24 Upgrade ConfirmedI ran the grep checks and found no remaining references to Go 1.23 or old rhel-8-release-golang tags. The workflow matrix and builder images now consistently use rhel-9/golang-1.24, and setup-go@v5 supports this version. Changes look good—approving the bump.
.github/workflows/qe-image.yml (1)
15-15: Go 1.24 bump is consistent with the rest of the repo.Matrix and setup-go usage are correct. No additional changes needed here.
.github/workflows/make-rpm.yml (1)
16-16: LGTM: Go 1.24 in the matrix.Matches Makefile/go.mod updates and the rhel-9 builder images elsewhere. setup-go@v5 will fetch the correct toolchain.
.github/workflows/choco-release.yml (1)
16-16: Go 1.24 bump approved.Windows-2022 runner with setup-go@v5 will provision Go 1.24 correctly; no further changes needed.
.github/workflows/windows-chocolatey.yml (1)
16-16: Matrix update to Go 1.24 looks correct.Consistent with the repo-wide version bump and tooling.
images/build/Dockerfile (2)
9-9: LGTM on the final COPY.Copying the build outputs from the builder stage to UBI9 remains correct.
1-1: No residual RHEL8 or Go 1.23 references detected
Ran ripgrep across the repository forrhel-8-release-golang,golang-1.23,go 1.23, andGOVERSION 1.23—no matches found. The Dockerfile’s builder image (rhel-9-release-golang-1.24-openshift-4.20) is consistent.images/build-e2e/Containerfile (1)
2-2: Builder base image bump is consistent with the repo-wide upgrade.This keeps the e2e build aligned with Go 1.24. No issues spotted with the stage name or downstream COPYs.
images/openshift-ci/Dockerfile (1)
4-4: Builder base image bump to rhel-9/go1.24 is good and matches the UBI9 runtime stage.Nice alignment; the artifacts copied later (linux/windows binaries and tests) remain unaffected by this change.
|
@praveenkumar: The following tests failed, say
Full PR test history. Your PR dashboard. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here. |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: anjannath The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
By default crc support 2 major release so better to update the images to rhel-9 since rhel-10 is released and available from quite some time.
Summary by CodeRabbit
These changes standardize and modernize the build environment.