Build hypershift-cli in ci-operator; remove supplemental BC

[deepsm007]

Problem

ci/hypershift-cli:latest (QCI: quay.io/openshift/ci:ci_hypershift-cli_latest) was produced by a supplemental BuildConfig (clusters/core-ci/supplemental-ci-images/hypershift/hypershift-cli.yaml) that wraps hypershift/hypershift-operator:latest and installs jq. That path is decoupled in time from openshift/hypershift image promotion. Downstream jobs (e.g. openshift/ci-tools image builds) import pipeline:hypershift at job start; when QCI tag moves and older manifests are no longer served, pulls by stale digest fail with manifest unknown on quay-proxy.ci.openshift.org/openshift/ci@sha256:….

Building and promoting hypershift-cli in the same ci-operator promotion run as hypershift-operator aligns the hypershift CLI image with the operator image and uses the normal ci-operator → QCI promotion path (including the intended …_prune_… tag behavior documented around QCI GC — see hack/qci_registry_pruner.py).

What this change does

• Adds a hypershift-cli image to openshift/hypershift maoin ci-operator config: FROM hypershift-operator + yum install -y jq, promoted to ci/hypershift-cli:latest (same QCI monorepo tag as today: ci_hypershift-cli_latest).
• Mirrors the same in openshift-priv/hypershift main.
• Adds --target=hypershift-cli to the images presubmit and postsubmit jobs.
• Deletes the hypershift-cli BuildConfig manifest under clusters/core-ci/supplemental-ci-images/hypershift/ so core-ci no longer maintains a separate rebuild path.

/cc @openshift/test-platform

Summary by CodeRabbit

• New Features

  • Introduced hypershift-cli as a new buildable and promotable image artifact.

• Chores

  • Updated CI pipeline configuration to include hypershift-cli in build and promotion workflows.
  • Simplified deployment process to retag existing images rather than rebuild.
  • Removed legacy build configuration.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Pro Plus

Run ID: 2b4bc10b-cc7d-4748-9f7b-f88ac31826a2

📥 Commits

Reviewing files that changed from the base of the PR and between 552cb25 and d817d97.

📒 Files selected for processing (5)

• Makefile
• ci-operator/config/openshift/hypershift/openshift-hypershift-main.yaml
• ci-operator/jobs/openshift/hypershift/openshift-hypershift-main-postsubmits.yaml
• ci-operator/jobs/openshift/hypershift/openshift-hypershift-main-presubmits.yaml
• clusters/core-ci/supplemental-ci-images/hypershift/hypershift-cli.yaml

💤 Files with no reviewable changes (1)

• clusters/core-ci/supplemental-ci-images/hypershift/hypershift-cli.yaml

🚧 Files skipped from review as they are similar to previous changes (3)

• ci-operator/jobs/openshift/hypershift/openshift-hypershift-main-postsubmits.yaml
• ci-operator/config/openshift/hypershift/openshift-hypershift-main.yaml
• ci-operator/jobs/openshift/hypershift/openshift-hypershift-main-presubmits.yaml

---

Walkthrough

The changes migrate the hypershift-cli build process from a Kubernetes BuildConfig resource to a ci-operator-based approach. A new dockerfile_literal image is defined that builds from hypershift-operator and installs jq. The image is promoted via new ci-operator promotion rules while the old BuildConfig is removed and the Makefile is updated to retag instead of rebuild.

Changes

Cohort / File(s)	Summary
CI Operator Configuration ci-operator/config/openshift/hypershift/openshift-hypershift-main.yaml	Added new hypershift-cli image build using dockerfile_literal based on hypershift-operator, configured promotion rules for ocp stream (excludes hypershift-cli) and new ci stream (promotes only hypershift-cli).
CI Job Configuration ci-operator/jobs/openshift/hypershift/openshift-hypershift-main-postsubmits.yaml, ci-operator/jobs/openshift/hypershift/openshift-hypershift-main-presubmits.yaml	Added --target=hypershift-cli argument to both postsubmit and presubmit job ci-operator container commands.
BuildConfig Removal clusters/core-ci/supplemental-ci-images/hypershift/hypershift-cli.yaml	Deleted the existing BuildConfig resource that previously built and pushed hypershift-cli image to quay.io, including build triggers and history retention configuration.
Build Script Update Makefile	Changed build-hypershift-deployment target to retag existing hypershift-cli:latest image to $(TAG) instead of triggering a new build.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

🚥 Pre-merge checks | ✅ 10

✅ Passed checks (10 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title 'Build hypershift-cli in ci-operator; remove supplemental BC' directly and clearly summarizes the main changes: moving hypershift-cli build from a supplemental BuildConfig into ci-operator and deleting the old build configuration.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Stable And Deterministic Test Names	✅ Passed	The custom check for stable and deterministic Ginkgo test names is not applicable to this pull request. The PR exclusively modifies CI/CD infrastructure configuration files (YAML files for ci-operator image definitions and job configurations, a BuildConfig manifest, and a Makefile build target). None of the changed files contain Ginkgo test definitions, test code, or test titles that could include dynamic information.
Test Structure And Quality	✅ Passed	This PR contains no Ginkgo test files; it only modifies YAML configuration and Makefile, which are outside the scope of test code quality review.
Microshift Test Compatibility	✅ Passed	No new Ginkgo e2e tests added; only CI/CD infrastructure configuration files modified.
Single Node Openshift (Sno) Test Compatibility	✅ Passed	PR modifies only CI/build infrastructure configuration without adding or modifying Ginkgo e2e tests.
Topology-Aware Scheduling Compatibility	✅ Passed	PR modifies only CI/build infrastructure files (ci-operator configs, Prow jobs, Makefile) without introducing any topology-aware scheduling constraints.
Ote Binary Stdout Contract	✅ Passed	PR modifies only infrastructure and configuration files (YAML, Makefile); no Go source code changes to OTE binaries or process-level code affected by OTE Binary Stdout Contract.
Ipv6 And Disconnected Network Test Compatibility	✅ Passed	PR modifies CI operator and job configuration files only; no new Ginkgo e2e tests are added, so IPv4/external connectivity assumptions are not applicable.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[deepsm007]

/pj-rehearse pull-ci-openshift-hypershift-main-images

[openshift-merge-bot]

@deepsm007: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

[danilo-gemoli]

/lgtm

[coderabbitai]

🧹 Nitpick comments (1)

Makefile (1)

531-533: Add a preflight check before retagging hypershift-cli:latest.

This makes failures clearer when the postsubmit image has not been promoted yet.

Suggested patch

 build-hypershift-deployment: TAG ?= $(shell date +%Y%m%d)
 build-hypershift-deployment:
 	echo "Tagging ci/hypershift-cli snapshot as $(TAG) (built by branch-ci-openshift-hypershift-main-images)."
+	oc --context app.ci -n ci get istag hypershift-cli:latest >/dev/null
 	oc --context app.ci -n ci --as system:admin tag hypershift-cli:latest hypershift-cli:$(TAG)

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@Makefile` around lines 531 - 533, Add a preflight check in the
build-hypershift-deployment Makefile target to verify the postsubmit image
exists before running the retag; use the same oc context/namespace (oc --context
app.ci -n ci) to query the imagestreamtag (e.g., check imagestreamtag
hypershift-cli:latest with oc get imagestreamtag or istag) and if the resource
is missing emit a clear error and exit non‑zero, otherwise proceed to run the
existing oc --context app.ci -n ci --as system:admin tag hypershift-cli:latest
hypershift-cli:$(TAG).

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Nitpick comments:
In `@Makefile`:
- Around line 531-533: Add a preflight check in the build-hypershift-deployment
Makefile target to verify the postsubmit image exists before running the retag;
use the same oc context/namespace (oc --context app.ci -n ci) to query the
imagestreamtag (e.g., check imagestreamtag hypershift-cli:latest with oc get
imagestreamtag or istag) and if the resource is missing emit a clear error and
exit non‑zero, otherwise proceed to run the existing oc --context app.ci -n ci
--as system:admin tag hypershift-cli:latest hypershift-cli:$(TAG).

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Pro Plus

Run ID: 7b6ee83f-5c49-4fc2-92be-0180d0f2fafc

📥 Commits

Reviewing files that changed from the base of the PR and between ada7080 and 552cb25.

📒 Files selected for processing (7)

• Makefile
• ci-operator/config/openshift/hypershift/openshift-hypershift-main.yaml
• ci-operator/jobs/openshift-priv/hypershift/openshift-priv-hypershift-main-postsubmits.yaml
• ci-operator/jobs/openshift-priv/hypershift/openshift-priv-hypershift-main-presubmits.yaml
• ci-operator/jobs/openshift/hypershift/openshift-hypershift-main-postsubmits.yaml
• ci-operator/jobs/openshift/hypershift/openshift-hypershift-main-presubmits.yaml
• clusters/core-ci/supplemental-ci-images/hypershift/hypershift-cli.yaml

💤 Files with no reviewable changes (5)

• ci-operator/jobs/openshift-priv/hypershift/openshift-priv-hypershift-main-presubmits.yaml
• ci-operator/jobs/openshift/hypershift/openshift-hypershift-main-postsubmits.yaml
• ci-operator/jobs/openshift-priv/hypershift/openshift-priv-hypershift-main-postsubmits.yaml
• ci-operator/jobs/openshift/hypershift/openshift-hypershift-main-presubmits.yaml
• clusters/core-ci/supplemental-ci-images/hypershift/hypershift-cli.yaml

[danilo-gemoli]

/lgtm

[openshift-merge-bot]

[REHEARSALNOTIFIER]
@deepsm007: the pj-rehearse plugin accommodates running rehearsal tests for the changes in this PR. Expand 'Interacting with pj-rehearse' for usage details. The following rehearsable tests have been affected by this change:

Test name	Repo	Type	Reason
pull-ci-openshift-hypershift-main-images	openshift/hypershift	presubmit	Presubmit changed
pull-ci-openshift-hypershift-main-address-review-comments	openshift/hypershift	presubmit	Ci-operator config changed
pull-ci-openshift-hypershift-main-agentic-qe-aws	openshift/hypershift	presubmit	Ci-operator config changed
pull-ci-openshift-hypershift-main-e2e-aks	openshift/hypershift	presubmit	Ci-operator config changed
pull-ci-openshift-hypershift-main-e2e-aks-4-22	openshift/hypershift	presubmit	Ci-operator config changed
pull-ci-openshift-hypershift-main-e2e-aks-override	openshift/hypershift	presubmit	Ci-operator config changed
pull-ci-openshift-hypershift-main-e2e-aws	openshift/hypershift	presubmit	Ci-operator config changed
pull-ci-openshift-hypershift-main-e2e-aws-4-22	openshift/hypershift	presubmit	Ci-operator config changed
pull-ci-openshift-hypershift-main-e2e-aws-autonode	openshift/hypershift	presubmit	Ci-operator config changed
pull-ci-openshift-hypershift-main-e2e-aws-metrics	openshift/hypershift	presubmit	Ci-operator config changed
pull-ci-openshift-hypershift-main-e2e-aws-minimal	openshift/hypershift	presubmit	Ci-operator config changed
pull-ci-openshift-hypershift-main-e2e-aws-override	openshift/hypershift	presubmit	Ci-operator config changed
pull-ci-openshift-hypershift-main-e2e-aws-techpreview	openshift/hypershift	presubmit	Ci-operator config changed
pull-ci-openshift-hypershift-main-e2e-aws-upgrade-hypershift-operator	openshift/hypershift	presubmit	Ci-operator config changed
pull-ci-openshift-hypershift-main-e2e-azure-aks-ovn-conformance	openshift/hypershift	presubmit	Ci-operator config changed
pull-ci-openshift-hypershift-main-e2e-azure-kubevirt-ovn	openshift/hypershift	presubmit	Ci-operator config changed
pull-ci-openshift-hypershift-main-e2e-azure-self-managed	openshift/hypershift	presubmit	Ci-operator config changed
pull-ci-openshift-hypershift-main-e2e-conformance	openshift/hypershift	presubmit	Ci-operator config changed
pull-ci-openshift-hypershift-main-e2e-gke	openshift/hypershift	presubmit	Ci-operator config changed
pull-ci-openshift-hypershift-main-e2e-kubevirt-aws-ovn	openshift/hypershift	presubmit	Ci-operator config changed
pull-ci-openshift-hypershift-main-e2e-kubevirt-aws-ovn-reduced	openshift/hypershift	presubmit	Ci-operator config changed
pull-ci-openshift-hypershift-main-e2e-kubevirt-azure-ovn	openshift/hypershift	presubmit	Ci-operator config changed
pull-ci-openshift-hypershift-main-e2e-openstack-aws	openshift/hypershift	presubmit	Ci-operator config changed
pull-ci-openshift-hypershift-main-e2e-openstack-aws-conformance	openshift/hypershift	presubmit	Ci-operator config changed
pull-ci-openshift-hypershift-main-e2e-openstack-aws-csi-cinder	openshift/hypershift	presubmit	Ci-operator config changed

A total of 40 jobs have been affected by this change. The above listing is non-exhaustive and limited to 25 jobs.

A full list of affected jobs can be found here

Interacting with pj-rehearse

Comment: /pj-rehearse to run up to 5 rehearsals
Comment: /pj-rehearse skip to opt-out of rehearsals
Comment: /pj-rehearse {test-name}, with each test separated by a space, to run one or more specific rehearsals
Comment: /pj-rehearse more to run up to 10 rehearsals
Comment: /pj-rehearse max to run up to 25 rehearsals
Comment: /pj-rehearse auto-ack to run up to 5 rehearsals, and add the rehearsals-ack label on success
Comment: /pj-rehearse list to get an up-to-date list of affected jobs
Comment: /pj-rehearse abort to abort all active rehearsals
Comment: /pj-rehearse network-access-allowed to allow rehearsals of tests that have the restrict_network_access field set to false. This must be executed by an openshift org member who is not the PR author

Once you are satisfied with the results of the rehearsals, comment: /pj-rehearse ack to unblock merge. When the rehearsals-ack label is present on your PR, merge will no longer be blocked by rehearsals.
If you would like the rehearsals-ack label removed, comment: /pj-rehearse reject to re-block merging.

[deepsm007]

/pj-rehearse ack

[openshift-merge-bot]

@deepsm007: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: danilo-gemoli, deepsm007, Prucek

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS [Prucek,danilo-gemoli,deepsm007]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[deepsm007]

/label priority/ci-critical

[deepsm007]

/test app-ci-config-dry

[deepsm007]

/override ci/build-farm/app-ci-config-dry

[openshift-ci]

@deepsm007: Overrode contexts on behalf of deepsm007: ci/build-farm/app-ci-config-dry

Details

In response to this:

/override ci/build-farm/app-ci-config-dry

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.