Log rox-ci-image digest in stackrox prow steps #77727

Open
davdhacs wants to merge 2 commits into openshift:main from stackrox:davdhacs/log-rox-ci-image-digest

@davdhacs davdhacs commented Apr 13, 2026

Summary

  • Log the rox-ci-image (build root) image digest at the start of each prow step (begin, e2e-test, end)
  • Uses kubectl get pod to query the container's imageID, falls back to CRI-O's /run/.containerenv
  • Needed for traceability when using floating tags like stable or latest

🤖 Generated with Claude Code

Summary by CodeRabbit

  • Chores
    • Enhanced CI build startup logging to improve diagnostics.

Add image digest logging to begin, e2e-test, and end steps
so each step's log shows which rox-ci-image build is running.
Uses kubectl to query the pod's imageID, falling back to
CRI-O's /run/.containerenv.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@openshift-ci openshift-ci bot added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Apr 13, 2026

openshift-ci bot commented Apr 13, 2026

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: davdhacs

@openshift-ci openshift-ci bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Apr 13, 2026

coderabbitai bot commented Apr 13, 2026

Walkthrough

The change adds startup logging to a shell script that outputs the container image identifier. It attempts to retrieve the image ID via kubectl, falls back to reading a local environment file if kubectl fails, and defaults to "unknown" if both attempts fail.

Changes

| Cohort / File(s) | Summary |
| --- | --- |
| Startup Logging ci-operator/step-registry/stackrox/stackrox/begin/stackrox-stackrox-begin-commands.sh | Adds startup logging that prints container image identifier with kubectl-based resolution and fallback mechanisms (local file read and "unknown" default). Includes best-effort file access before existing control flow. |

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

🚥 Pre-merge checks | ✅ 10
✅ Passed checks (10 passed)
| Check name | Status | Explanation |
| --- | --- | --- |
| Title check | ✅ Passed | The title 'Log rox-ci-image digest in stackrox prow steps' clearly and specifically describes the main change: adding logging of the rox-ci-image digest in stackrox prow steps. It is concise, directly related to the changeset, and provides meaningful context about what was modified. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
| Stable And Deterministic Test Names | ✅ Passed | The PR modifies a shell script file to add logging for container image digests. The repository contains only one Go file unrelated to Ginkgo tests. Since the custom check targets Ginkgo test names and this PR does not introduce or modify any Ginkgo test definitions, the check is not applicable and passes. |
| Test Structure And Quality | ✅ Passed | The pull request modifies a bash shell script for CI/CD configuration. The custom check assesses Ginkgo test code quality, which is not applicable since no Ginkgo test code is being modified. |
| Microshift Test Compatibility | ✅ Passed | PR contains only shell script changes to CI/CD infrastructure, not new Ginkgo e2e tests. |
| Single Node Openshift (Sno) Test Compatibility | ✅ Passed | PR only modifies a shell script for logging; no Ginkgo e2e tests are added. |
| Topology-Aware Scheduling Compatibility | ✅ Passed | This PR modifies only a bash CI script that adds logging for container image digests, not deployment manifests, operator code, or controllers. |
| Ote Binary Stdout Contract | ✅ Passed | The OTE Binary Stdout Contract check applies only to Go binaries, but the affected file is a bash shell script used for CI workflow configuration, not an OTE binary. |
| Ipv6 And Disconnected Network Test Compatibility | ✅ Passed | This PR modifies only a shell script for CI step registry, not Ginkgo e2e tests. |
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |


@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In
`@ci-operator/step-registry/stackrox/stackrox/begin/stackrox-stackrox-begin-commands.sh`:
- Around line 5-7: The kubectl lookup can return an empty string with exit code
0, so replace the inline fallback chain using "kubectl get pod \"$HOSTNAME\" -o
jsonpath='{.status.containerStatuses[0].imageID}' || grep '^imageid='
/run/.containerenv || echo \"unknown\"" with a robust sequence that captures the
kubectl output into a variable (e.g., image=$(kubectl get pod ... 2>/dev/null ||
true)), if [ -z "$image" ] then try the grep fallback (image=$(grep '^imageid='
/run/.containerenv 2>/dev/null || true)); if still empty set image="unknown";
finally printf that variable. Apply the same change to the other identical
blocks that use the same kubectl jsonpath + grep fallback.

📥 Commits

Reviewing files that changed from the base of the PR and between e97824a and f53d34a.

📒 Files selected for processing (3)
  • ci-operator/step-registry/stackrox/stackrox/begin/stackrox-stackrox-begin-commands.sh
  • ci-operator/step-registry/stackrox/stackrox/e2e-test/stackrox-stackrox-e2e-test-commands.sh
  • ci-operator/step-registry/stackrox/stackrox/end/stackrox-stackrox-end-commands.sh
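
The fallback behaviour raised in the review comment above, as an added example that is not code from this PR: the `||` chain beside a capture-and-test form, plus a check that the logged value actually carries a digest. `KUBECTL`, `CONTAINERENV` and the function names are hypothetical, and the `imageid="<value>"` line format is an assumption.

```shell
#!/bin/sh
# Added example. KUBECTL, CONTAINERENV and the function names are hypothetical;
# only the kubectl jsonpath query and the '^imageid=' lookup come from the PR.
KUBECTL="${KUBECTL:-kubectl}"                      # overridable for offline testing
CONTAINERENV="${CONTAINERENV:-/run/.containerenv}"
JSONPATH='{.status.containerStatuses[0].imageID}'

# Fragile form: `a || b || c` falls through only on a non-zero exit status.
# A lookup that exits 0 but prints nothing leaves the logged value empty.
image_id_chained() {
    "$KUBECTL" get pod "${HOSTNAME:-}" -o jsonpath="$JSONPATH" 2>/dev/null \
        || grep '^imageid=' "$CONTAINERENV" 2>/dev/null \
        || echo "unknown"
}

# Robust form: capture each source and test for emptiness, not exit status.
# The subshell body "( ... )" keeps $image local without relying on `local`.
image_id_checked() (
    image=$("$KUBECTL" get pod "${HOSTNAME:-}" -o jsonpath="$JSONPATH" 2>/dev/null || true)
    if [ -z "$image" ]; then
        # Assumes an imageid="<value>" line; keep the value, drop the quotes.
        image=$(sed -n 's/^imageid=//p' "$CONTAINERENV" 2>/dev/null | tr -d '"' | head -n 1)
    fi
    printf '%s\n' "${image:-unknown}"
)

# Traceability check: a floating tag does not identify the build that ran;
# only a value carrying a full sha256 digest does.
is_digest_pinned() {
    printf '%s' "$1" | grep -Eq 'sha256:[0-9a-f]{64}'
}
```

A step script would log the output of `image_id_checked` once at startup and can warn when `is_digest_pinned` fails on that value.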

Move image digest logging to begin step only (not e2e-test/end).
Add cat of /i-am-rox-ci-image for future metadata/SBOM content.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@openshift-merge-bot

[REHEARSALNOTIFIER]
@davdhacs: the pj-rehearse plugin accommodates running rehearsal tests for the changes in this PR. Expand 'Interacting with pj-rehearse' for usage details. The following rehearsable tests have been affected by this change:

| Test name | Repo | Type | Reason |
| --- | --- | --- | --- |
| pull-ci-stackrox-acs-fleet-manager-main-e2e | stackrox/acs-fleet-manager | presubmit | Registry content changed |
| pull-ci-stackrox-stackrox-master-aks-qa-e2e-tests | stackrox/stackrox | presubmit | Registry content changed |
| pull-ci-stackrox-stackrox-release-4.10-aks-qa-e2e-tests | stackrox/stackrox | presubmit | Registry content changed |
| pull-ci-stackrox-stackrox-release-4.9-aks-qa-e2e-tests | stackrox/stackrox | presubmit | Registry content changed |
| pull-ci-stackrox-stackrox-release-4.8-aks-qa-e2e-tests | stackrox/stackrox | presubmit | Registry content changed |
| pull-ci-stackrox-stackrox-release-x.y-aks-qa-e2e-tests | stackrox/stackrox | presubmit | Registry content changed |
| pull-ci-stackrox-stackrox-master-aro-qa-e2e-tests | stackrox/stackrox | presubmit | Registry content changed |
| pull-ci-stackrox-stackrox-release-4.10-aro-qa-e2e-tests | stackrox/stackrox | presubmit | Registry content changed |
| pull-ci-stackrox-stackrox-release-4.9-aro-qa-e2e-tests | stackrox/stackrox | presubmit | Registry content changed |
| pull-ci-stackrox-stackrox-release-4.8-aro-qa-e2e-tests | stackrox/stackrox | presubmit | Registry content changed |
| pull-ci-stackrox-stackrox-release-x.y-aro-qa-e2e-tests | stackrox/stackrox | presubmit | Registry content changed |
| pull-ci-stackrox-stackrox-master-eks-qa-e2e-tests | stackrox/stackrox | presubmit | Registry content changed |
| pull-ci-stackrox-stackrox-release-4.10-eks-qa-e2e-tests | stackrox/stackrox | presubmit | Registry content changed |
| pull-ci-stackrox-stackrox-release-4.9-eks-qa-e2e-tests | stackrox/stackrox | presubmit | Registry content changed |
| pull-ci-stackrox-stackrox-release-4.8-eks-qa-e2e-tests | stackrox/stackrox | presubmit | Registry content changed |
| pull-ci-stackrox-stackrox-release-x.y-eks-qa-e2e-tests | stackrox/stackrox | presubmit | Registry content changed |
| pull-ci-stackrox-stackrox-master-ibmcloudz-4-14-qa-e2e-tests | stackrox/stackrox | presubmit | Registry content changed |
| pull-ci-stackrox-stackrox-master-ibmcloudz-4-15-qa-e2e-tests | stackrox/stackrox | presubmit | Registry content changed |
| pull-ci-stackrox-stackrox-master-ibmcloudz-4-16-qa-e2e-tests | stackrox/stackrox | presubmit | Registry content changed |
| pull-ci-stackrox-stackrox-master-ibmcloudz-4-17-qa-e2e-tests | stackrox/stackrox | presubmit | Registry content changed |
| pull-ci-stackrox-stackrox-master-ocp-4-21-crun-qa-e2e-tests | stackrox/stackrox | presubmit | Registry content changed |
| pull-ci-stackrox-stackrox-master-ocp-next-candidate-qa-e2e-tests | stackrox/stackrox | presubmit | Registry content changed |
| pull-ci-stackrox-stackrox-master-ocp-next-candidate-scanner-v4-install-tests | stackrox/stackrox | presubmit | Registry content changed |
| pull-ci-stackrox-stackrox-master-ocp-next-candidate-operator-e2e-tests | stackrox/stackrox | presubmit | Registry content changed |
| pull-ci-stackrox-stackrox-master-ocp-next-candidate-sensor-integration-tests | stackrox/stackrox | presubmit | Registry content changed |

A total of 317 jobs have been affected by this change. The above listing is non-exhaustive and limited to 25 jobs.

A full list of affected jobs can be found here

Interacting with pj-rehearse

Comment: /pj-rehearse to run up to 5 rehearsals
Comment: /pj-rehearse skip to opt-out of rehearsals
Comment: /pj-rehearse {test-name}, with each test separated by a space, to run one or more specific rehearsals
Comment: /pj-rehearse more to run up to 10 rehearsals
Comment: /pj-rehearse max to run up to 25 rehearsals
Comment: /pj-rehearse auto-ack to run up to 5 rehearsals, and add the rehearsals-ack label on success
Comment: /pj-rehearse list to get an up-to-date list of affected jobs
Comment: /pj-rehearse abort to abort all active rehearsals
Comment: /pj-rehearse network-access-allowed to allow rehearsals of tests that have the restrict_network_access field set to false. This must be executed by an openshift org member who is not the PR author

Once you are satisfied with the results of the rehearsals, comment: /pj-rehearse ack to unblock merge. When the rehearsals-ack label is present on your PR, merge will no longer be blocked by rehearsals.
If you would like the rehearsals-ack label removed, comment: /pj-rehearse reject to re-block merging.

@davdhacs

/cc @tommartensen

openshift-ci bot commented Apr 13, 2026

@davdhacs: all tests passed!

@tommartensen

Do you have a rehearse job where I can see that kubectl get pod ... works?
