@kasturinarra kasturinarra commented Nov 11, 2025

Resolves #114

Rearrange the workflow so OKD images are pushed after the testing process.

1. Build OKD images, push to OKD staging registry
2. Build MicroShift RPMs (using images from staging)
3. Build MicroShift bootc image (using local images)
4. Test MicroShift (validates the OKD images work)
5. ONLY IF TESTS PASS → Push OKD images to ghcr.io prod repository.

Summary by CodeRabbit

  • Chores
    • Formalized staging and production image workflows: builds run in staging and are promoted to production on success.
    • Explicit mode selection (staging / production / cleanup) controls build, publish, retag, and cleanup flows.
    • Production push is gated on successful staging; staging images are retagged for promotion.
    • Added always-run cleanup to remove staging artifacts with tolerant error handling.
    • RPM and container builds follow the staging→production promotion path and skip non-applicable architectures.


@kasturinarra kasturinarra requested a review from a team as a code owner November 11, 2025 13:52
coderabbitai bot commented Nov 11, 2025

Walkthrough

CI now supports mode-driven OKD image flows: builds images into a derived staging registry for testing, conditionally promotes (retags/pushes) them to a production registry on success, and always runs a best-effort cleanup of staging packages. The build script gained MODE and derived STAGING/PRODUCTION registries.

Changes

| Cohort / File(s) | Change Summary |
| --- | --- |
| Workflow orchestration: /.github/actions/build-okd/action.yaml | Add mode-based steps: mode=staging to build/push staging images, expose staging refs to downstream steps, success-gated mode=production promotion, and an always-run mode=cleanup. Introduce STAGING_REGISTRY / PRODUCTION_REGISTRY derivation and ARM-specific release image env. |
| Build script modes & logic: src/okd/build_images.sh | Replace single-path script with MODE dispatch (`staging |

Sequence Diagram(s)

sequenceDiagram
    autonumber
    participant GH as GitHub Actions
    participant Action as build-okd Action
    participant Script as build_images.sh
    participant Staging as Staging Registry
    participant Tests as MicroShift Build/Test
    participant Prod as Production Registry

    GH->>Action: trigger (mode=staging)
    Action->>Script: run mode=staging (env: STAGING_REGISTRY...)
    Script->>Staging: build & push staging images (manifests, sha)
    GH->>Tests: run MicroShift build/tests using staging refs
    alt tests pass
        GH->>Action: trigger (mode=production)
        Action->>Script: run mode=production (env: PRODUCTION_REGISTRY...)
        Script->>Staging: pull staging tags
        Script->>Prod: retag staging → production, push manifests
        GH->>Action: trigger (mode=cleanup)
        Action->>Script: run mode=cleanup
        Script->>Staging: delete staging packages (best-effort)
    else tests fail
        GH->>Action: trigger (mode=cleanup)
        Action->>Script: run mode=cleanup
        Script->>Staging: delete staging packages (best-effort)
    end

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

Suggested reviewers

  • praveenkumar
  • ggiguash
  • pmtk

Pre-merge checks and finishing touches

✅ Passed checks (5 passed)
| Check name | Status | Explanation |
| --- | --- | --- |
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title accurately reflects the main objective: separating OKD build and push phases into distinct stages with testing in between. |
| Linked Issues check | ✅ Passed | The PR implements all core requirements from #114: staging OKD images, building/testing MicroShift with staged images, and pushing to production only after validation. |
| Out of Scope Changes check | ✅ Passed | All changes are directly scoped to implementing the build-stage-test-push workflow for OKD images; no unrelated modifications detected. |
| Docstring Coverage | ✅ Passed | Docstring coverage is 85.71% which is sufficient. The required threshold is 80.00%. |
📜 Recent review details

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between e6c3708 and 3ce55e0.

📒 Files selected for processing (2)
  • .github/actions/build-okd/action.yaml
  • src/okd/build_images.sh
🚧 Files skipped from review as they are similar to previous changes (1)
  • .github/actions/build-okd/action.yaml
🧰 Additional context used
📓 Path-based instructions (2)
**/*.sh

📄 CodeRabbit inference engine (CLAUDE.md)

**/*.sh: Shell scripts should pass linting with shellcheck as part of the make check validation step
Build scripts must detect architecture automatically via uname -m to determine between x86_64 or aarch64

Files:

  • src/okd/build_images.sh
src/okd/**

📄 CodeRabbit inference engine (CLAUDE.md)

OKD version auto-detection should query latest-amd64 or latest-arm64 tags based on detected architecture

Files:

  • src/okd/build_images.sh
🧠 Learnings (11)
📓 Common learnings
Learnt from: CR
Repo: microshift-io/microshift PR: 0
File: CLAUDE.md:0-0
Timestamp: 2025-12-13T11:22:03.985Z
Learning: Applies to packaging/Containerfile* : SRPM build container must clone MicroShift from upstream repository at `USHIFT_GITREF` and replace component images with OKD references via `src/image/prebuild.sh`
Learnt from: CR
Repo: microshift-io/microshift PR: 0
File: CLAUDE.md:0-0
Timestamp: 2025-12-13T11:22:03.985Z
Learning: Applies to packaging/Containerfile* : Bootc image build requires RPM image from previous stage, is configurable via `WITH_KINDNET`, `WITH_TOPOLVM`, `WITH_OLM`, and `EMBED_CONTAINER_IMAGES`, and is based on `BOOTC_IMAGE_URL:BOOTC_IMAGE_TAG`
Learnt from: CR
Repo: microshift-io/microshift PR: 0
File: CLAUDE.md:0-0
Timestamp: 2025-12-13T11:22:03.985Z
Learning: Applies to src/image/prebuild.sh : Replace component images with OKD references during SRPM build stage
Learnt from: CR
Repo: microshift-io/microshift PR: 0
File: CLAUDE.md:0-0
Timestamp: 2025-12-13T11:22:03.985Z
Learning: Applies to packaging/Containerfile* : RPM build container requires SRPM image from previous stage and outputs to `RPM_OUTDIR`
Learnt from: CR
Repo: microshift-io/microshift PR: 0
File: CLAUDE.md:0-0
Timestamp: 2025-12-13T11:22:03.985Z
Learning: Applies to .github/workflows/*.yaml : CI/CD workflows should validate builds with `builders.yaml`, test quickstart scripts with `installers.yaml`, support manual release workflow via `release.yaml`, and run daily OKD ARM builds via `release-okd.yaml`
Learnt from: ggiguash
Repo: microshift-io/microshift PR: 92
File: .github/workflows/release.yaml:44-50
Timestamp: 2025-10-17T07:44:32.742Z
Learning: When Podman builds an image without a registry prefix (e.g., `podman build -t microshift-okd`), it automatically adds the `localhost/` prefix and `:latest` tag, resulting in `localhost/microshift-okd:latest`. This means the Makefile in microshift-io/microshift building with `-t microshift-okd` produces `localhost/microshift-okd:latest` without explicit retagging.
📚 Learning: 2025-12-13T11:22:03.985Z
Learnt from: CR
Repo: microshift-io/microshift PR: 0
File: CLAUDE.md:0-0
Timestamp: 2025-12-13T11:22:03.985Z
Learning: Applies to src/okd/** : OKD version auto-detection should query latest-amd64 or latest-arm64 tags based on detected architecture

Applied to files:

  • src/okd/build_images.sh
📚 Learning: 2025-12-13T11:22:03.985Z
Learnt from: CR
Repo: microshift-io/microshift PR: 0
File: CLAUDE.md:0-0
Timestamp: 2025-12-13T11:22:03.985Z
Learning: Applies to **/*.sh : Build scripts must detect architecture automatically via `uname -m` to determine between x86_64 or aarch64

Applied to files:

  • src/okd/build_images.sh
📚 Learning: 2025-12-22T06:35:50.684Z
Learnt from: kasturinarra
Repo: microshift-io/microshift PR: 162
File: src/cncf/run_sonobuoy_tests.sh:43-45
Timestamp: 2025-12-22T06:35:50.684Z
Learning: In src/cncf/run_sonobuoy_tests.sh, architecture detection via `uname -m` is not needed because all container images (docker.io/sonobuoy/sonobuoy, docker.io/sonobuoy/systemd-logs, registry.k8s.io/conformance) are multi-arch manifests that automatically pull the correct architecture variant for the host platform.

Applied to files:

  • src/okd/build_images.sh
📚 Learning: 2025-10-17T10:31:57.408Z
Learnt from: ggiguash
Repo: microshift-io/microshift PR: 57
File: src/debian/install.sh:12-0
Timestamp: 2025-10-17T10:31:57.408Z
Learning: In the MicroShift project, the Ubuntu version in src/debian/install.sh is intentionally hardcoded to "xUbuntu_20.04" because CRI-O builds are not available for all the latest Ubuntu versions. This should not be changed to dynamic detection.

Applied to files:

  • src/okd/build_images.sh
🔇 Additional comments (4)
src/okd/build_images.sh (4)

7-11: Registry derivation logic looks good.

The staging registry is correctly derived by replacing the production path with a sibling /okd-staging directory, avoiding nested paths.


17-28: Usage documentation is clear and comprehensive.

Effectively describes both modes and their target registries.


332-406: Functions are well-structured and correctly separated.

The mode-specific workflows are cleanly implemented. Local variables are properly declared, and the retagging logic correctly transforms staging references to production.


471-476: Mode dispatch is clean and straightforward.

The conditional execution based on validated mode is correctly implemented.


@kasturinarra kasturinarra changed the title Separate OKD build and push phases [WIP] - Separate OKD build and push phases Nov 11, 2025
@kasturinarra kasturinarra changed the title [WIP] - Separate OKD build and push phases Separate OKD build and push phases Nov 27, 2025
@kasturinarra kasturinarra changed the title Separate OKD build and push phases [WIP] - Separate OKD build and push phases Nov 27, 2025
@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 2

📜 Review details

📥 Commits

Reviewing files that changed from the base of the PR and between 61e7990 and 846b22d.

📒 Files selected for processing (2)
  • .github/actions/build-okd/action.yaml (2 hunks)
  • src/okd/build_images.sh (4 hunks)
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (9)
  • GitHub Check: ubuntu-rpm2deb
  • GitHub Check: fedora-bootc (ubuntu-24.04-arm)
  • GitHub Check: isolated-network (kindnet, ubuntu-24.04, 0)
  • GitHub Check: fedora-bootc (ubuntu-24.04)
  • GitHub Check: isolated-network (ovnk, ubuntu-24.04, 1)
  • GitHub Check: centos10-bootc
  • GitHub Check: centos9-bootc
  • GitHub Check: quick-start-and-clean (ubuntu-24.04-arm)
  • GitHub Check: quick-start-and-clean (ubuntu-24.04)
🔇 Additional comments (5)
src/okd/build_images.sh (1)

14-19: Usage message now displays registry values after variable definitions.

Once STAGING_REGISTRY and PRODUCTION_REGISTRY are defined (per the first comment), the usage message will correctly display them. No further action needed here after the variable definitions are added.

.github/actions/build-okd/action.yaml (4)

48-59: Mode parameter is correctly positioned as first argument.

The build phase correctly invokes build_images.sh build with mode as the mandatory first parameter, addressing prior review feedback.


61-73: Staging registry reference is consistent with build_images.sh.

Line 72 hardcodes ghcr.io/microshift-io/okd-staging, which aligns with the STAGING_REGISTRY value that should be defined in build_images.sh (per the critical fix in the first file).


102-115: Conditional push to production mirrors test success.

The if: success() guard correctly ensures push only occurs after all prior steps (build, RPM build, bootc build, and tests) complete successfully, enforcing the build→test→push sequencing per PR objectives.


117-125: Cleanup step is informational only.

The "Cleanup staging registry on failure" step logs advisory messages but performs no actual cleanup (no skopeo delete, podman rmi, etc.). This is acceptable for now since staging images will be overwritten on the next build, though true cleanup could be added later if needed.

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 0

🧹 Nitpick comments (1)
.github/actions/build-okd/action.yaml (1)

117-124: Cleanup step does not actually remove staging artifacts.

This step only logs messages; it does not delete or clean up images from the staging registry. If staging images should be retained temporarily (to allow re-runs or inspection) or cleaned up atomically by the next build, consider clarifying the intent in the comment or implementing actual cleanup logic (e.g., using podman rmi or a registry deletion API call).

📜 Review details

📥 Commits

Reviewing files that changed from the base of the PR and between 846b22d and 7030690.

📒 Files selected for processing (2)
  • .github/actions/build-okd/action.yaml (2 hunks)
  • src/okd/build_images.sh (4 hunks)
🚧 Files skipped from review as they are similar to previous changes (1)
  • src/okd/build_images.sh
🔇 Additional comments (4)
.github/actions/build-okd/action.yaml (4)

61-73: Reference to staging registry in OKD_RELEASE_IMAGE is clear.

The RPM build step correctly pulls from the staging registry path, which aligns with the two-stage workflow. The hardcoded staging registry path ghcr.io/microshift-io/okd-staging is appropriate for this intermediate step.


102-115: Push step with if: success() is correct.

The conditional execution ensures OKD images are only promoted to production after all prior steps (build, RPM build, bootc build, and tests) succeed. The mode=push invocation aligns with the expected re-tagging and production registry promotion.


22-24: Unable to verify due to repository access issues.

The repository could not be cloned, preventing verification of whether the target-registry input is still used in workflows or the build step. Without access to the codebase, I cannot confirm if this input is referenced by downstream workflows, consumed in build steps, or truly obsolete.


48-59: Unfortunately, I'm unable to access the microshift-io/microshift repository to examine the build_images.sh script directly—the repository clone is failing consistently. Additionally, general web searches don't reveal the specific implementation details of this script's "build" mode.

Given this constraint, I cannot definitively verify whether the "build" mode in build_images.sh actually performs a staging registry push or if the step name is misleading.

Step name does not match invoked mode: "Build OKD images and push to staging" executes build_images.sh build, not build_images.sh push.

The step name suggests images will be pushed to staging, but the script is invoked with build mode only. Without access to the script, I cannot confirm whether:

  • The build mode internally handles the staging push, making the step name accurate but obscure, or
  • The build mode only builds locally, making the step name incorrect.

Recommendation: Verify the build_images.sh implementation directly. If build mode includes staging push, clarify the step name (e.g., "Build OKD images and stage to registry"). If build mode does not push, either rename the step or restructure to explicitly invoke staging push logic.

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 1

🧹 Nitpick comments (1)
.github/actions/build-okd/action.yaml (1)

120-127: Cleanup step provides visibility but lacks action.

The informational logging documents that staging images may be overwritten on the next build. While helpful for troubleshooting, consider whether explicit cleanup (registry deletion) is needed if images linger unexpectedly. Current approach is reasonable for a staging registry, but evaluate based on retention policies.

Is intentional overwriting of staging images on next build acceptable, or should orphaned staging images be explicitly purged? This may depend on your container registry's retention and quota policies.

📜 Review details

📥 Commits

Reviewing files that changed from the base of the PR and between 7030690 and c32164b.

📒 Files selected for processing (2)
  • .github/actions/build-okd/action.yaml (2 hunks)
  • src/okd/build_images.sh (4 hunks)
🔇 Additional comments (10)
src/okd/build_images.sh (6)

7-11: Registry definitions now properly initialized.

The PRODUCTION_REGISTRY and STAGING_REGISTRY are correctly defined with appropriate defaults and derivation. This resolves the previous undefined-variable issue.


335-348: Parameter parsing and mode validation are correct.

The mandatory 4-parameter contract is enforced, and mode validation properly gates build vs. push execution. Implementation aligns with prior review feedback.


364-374: TARGET_REGISTRY derivation by MODE is sound.

The conditional logic correctly routes to staging for build mode and production for push mode, enabling the staged promotion workflow.


399-413: build_okd_images correctly builds locally without pushing.

The function builds all images and populates images_sha with local image references only, deferring push to push_okd_images. The haproxy-router skip (lines 404–406) correctly handles the arm64-only constraint with clear comments.


416-422: push_okd_images correctly orchestrates push and release creation.

Delegates to push_image_manifests and create_new_okd_release, providing clear output messaging about the published image location.


425-433: build_images correctly chains build→push for staging workflow.

Calls build_okd_images then push_okd_images in sequence, and outputs helpful instructions for the subsequent production push. Workflow intent is clear.

.github/actions/build-okd/action.yaml (4)

48-61: Build step correctly invokes build mode.

The step runs the script with "build" mode and all required arguments. Comments clearly explain that build mode produces staging-tagged images and pushes to the staging registry.


63-76: RPM build correctly references staging OKD release image.

Line 75 derives OKD_RELEASE_IMAGE from the staging registry path (target-registry/okd-staging), ensuring MicroShift RPM build uses the locally-tested staging images. Comments document this intent clearly.


78-102: Tests execute against staging images, enabling validation before production push.

The bootc build and test execution flow now runs against staging artifacts, satisfying the PR objective to validate OKD images before publishing to production.


105-118: Production push step correctly gates on success and invokes push mode.

The step runs only when prior steps succeed (if: success()), invokes the script in "push" mode with correct arguments, and includes instructive comments. This ensures images are promoted to production only after validation.

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 0

♻️ Duplicate comments (1)
src/okd/build_images.sh (1)

436-461: Critical bug in staging image path construction at line 446.

The staging image derivation uses ${images[$key]#*/} which removes only the first path component. For a production image like ghcr.io/microshift-io/okd/cli:4.16-arm64, this yields microshift-io/okd/cli:4.16-arm64, resulting in a doubled path when prepended: ghcr.io/microshift-io/okd-staging/microshift-io/okd/cli:4.16-arm64. The podman image exists check at line 449 will fail because the actual locally-built image is tagged as ghcr.io/microshift-io/okd-staging/cli:4.16-arm64.

Extract only the short name (image:tag) using ##*/ (longest match) instead of #*/ (shortest match).

Apply this diff:

-    staging_image="${STAGING_REGISTRY}/${images[$key]#*/}"
+    staging_image="${STAGING_REGISTRY}/${images[$key]##*/}"
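
Review bot: On the added `##*/` line, the expansion keeps only the last path component, so any entry in `images` that sits more than one level below the registry, or that comes from a different registry altogether, is silently flattened into `${STAGING_REGISTRY}/name:tag`. If every value is a flat `name:tag` directly under the production registry this is fine; otherwise check that `${images[$key]}` starts with the expected registry before deriving `staging_image`, and fail when it does not.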

Alternatively, directly substitute the registry prefix:

-    staging_image="${STAGING_REGISTRY}/${images[$key]#*/}"
+    staging_image="${images[$key]/${PRODUCTION_REGISTRY}/${STAGING_REGISTRY}}"
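
Review bot: In the added substitution, `${PRODUCTION_REGISTRY}` is expanded unquoted in the pattern position, so bash treats its value as a glob and replaces the first match anywhere in the string rather than only a leading prefix; when nothing matches, `staging_image` silently stays equal to the production reference. Anchor and quote the pattern, for example `${images[$key]/#"${PRODUCTION_REGISTRY}"/${STAGING_REGISTRY}}`, and treat a result that is identical to the input as an error.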
🧹 Nitpick comments (1)
.github/actions/build-okd/action.yaml (1)

120-127: Cleanup step is informational only; doesn't remove staging images.

The step logs a message but doesn't actually delete or clean up staging images on failure. This means staging images remain in the registry if a build fails, and will be overwritten on the next successful build. Consider whether this aligns with your cleanup strategy, or if you need to add cleanup logic (e.g., podman rmi or registry API calls) to remove orphaned staging images.

📜 Review details

📥 Commits

Reviewing files that changed from the base of the PR and between c32164b and c592ac4.

📒 Files selected for processing (2)
  • .github/actions/build-okd/action.yaml (2 hunks)
  • src/okd/build_images.sh (4 hunks)
🔇 Additional comments (7)
src/okd/build_images.sh (4)

7-11: Registry configuration is well-structured.

The separation of PRODUCTION_REGISTRY (from input) and derived STAGING_REGISTRY provides flexibility and clarity.


335-348: Mode validation looks good.

Proper argument count check and mode validation logic.


364-371: Conditional TARGET_REGISTRY assignment is correct.

Cleanly branches registry selection based on mode.


399-413: Build function correctly populates images_sha with local image names.

Skips haproxy-router for non-ARM64 as intended.

.github/actions/build-okd/action.yaml (3)

48-61: Build step correctly invokes build mode.

Passes the build mode argument and targets the staging registry via the script's derived STAGING_REGISTRY path.


63-76: RPM build correctly references staging OKD release image.

Line 75 hardcodes the staging path derivation (/okd-staging/okd-release-...), which aligns with how build_images.sh derives STAGING_REGISTRY = PRODUCTION_REGISTRY/okd-staging. This ensures RPM builds consume the locally-staged OKD images.


105-118: Push step conditionally executes only on test success.

The if: success() gate ensures images are promoted to production only after passing the test suite. Correctly invokes build_images.sh in push mode with matching arguments.
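
The staging path bug described in the review above, reproduced with the image reference quoted in that comment, next to the suggested `##*/` form and a stricter prefix check. This is an added example, not code from the PR or from build_images.sh; the function names and the `registry.example` reference are hypothetical, and the two registry values are the ones quoted in the comment.

```shell
#!/bin/sh
# Added illustration; function names are hypothetical, not from build_images.sh.
# Registry values are the ones quoted in the review comment.
PRODUCTION_REGISTRY="ghcr.io/microshift-io/okd"
STAGING_REGISTRY="ghcr.io/microshift-io/okd-staging"

# Flagged form: '#*/' removes the SHORTEST prefix ending in '/', i.e. only
# the registry host, so the organisation and repository path are kept and
# end up duplicated below the staging registry.
staging_ref_shortest() {
    printf '%s/%s\n' "${STAGING_REGISTRY}" "${1#*/}"
}

# Suggested fix: '##*/' removes the LONGEST prefix ending in '/', leaving
# only name:tag. Correct for flat names, but it accepts any input registry
# and flattens nested repository paths.
staging_ref_basename() {
    printf '%s/%s\n' "${STAGING_REGISTRY}" "${1##*/}"
}

# Stricter variant (assumption, not from the PR): swap the registry prefix
# only when the reference really lives under PRODUCTION_REGISTRY, keep any
# path below it, and fail loudly otherwise.
staging_ref_checked() {
    case "$1" in
        "${PRODUCTION_REGISTRY}"/*)
            # Quoting the prefix makes it a literal string, not a glob.
            _rest=${1#"${PRODUCTION_REGISTRY}"/}
            printf '%s/%s\n' "${STAGING_REGISTRY}" "${_rest}"
            ;;
        *)
            echo "refusing to map '$1': not under ${PRODUCTION_REGISTRY}" >&2
            return 1
            ;;
    esac
}

# Constructed sample references: the first is from the review comment,
# the second is a made-up reference outside the production registry.
for ref in \
    "ghcr.io/microshift-io/okd/cli:4.16-arm64" \
    "registry.example/other/cli:4.16-arm64"; do
    echo "input:      ${ref}"
    echo "  #*/    -> $(staging_ref_shortest "${ref}")"
    echo "  ##*/   -> $(staging_ref_basename "${ref}")"
    echo "  prefix -> $(staging_ref_checked "${ref}" 2>&1)"
done
```

The trailing `/` in the `case` pattern matters here: without it, a reference already under `okd-staging` would match the `okd` prefix.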

@kasturinarra kasturinarra changed the title [WIP] - Separate OKD build and push phases Separate OKD build and push phases Nov 28, 2025
@kasturinarra kasturinarra force-pushed the fix_issue_114 branch 2 times, most recently from 7ed71e3 to 9ff24fe Compare November 28, 2025 13:44
@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 1

🧹 Nitpick comments (3)
src/okd/build_images.sh (2)

48-48: Fix step name to clarify sequence.

Current step name "Build OKD images and push to staging" may mislead; the full workflow (build → test → push to production) is orchestrated by the action, not this step alone. Consider naming it "Build OKD images and push to staging registry" to match the action.yaml context, or accept as-is if clarity is not a concern.


404-405: Comment line reference is off by one.

The comment "Skip haproxy-router for non-ARM64 architectures (see TODO at line 93)" refers to line 99 in the router_image() function where haproxy-router handling occurs. Update the reference for accuracy.

.github/actions/build-okd/action.yaml (1)

75-75: Include version tag in OKD_RELEASE_IMAGE for clarity and safety.

The OKD_RELEASE_IMAGE variable is missing the version tag. While the script and build system may handle this (given OKD_VERSION_TAG is passed separately), it's safer and more explicit to include the full image reference with tag to avoid ambiguity.

Apply this diff:

         make rpm \
           USHIFT_GITREF="${{ inputs.ushift-gitref }}" \
           OKD_VERSION_TAG="${{ inputs.okd-version-tag }}" \
-          OKD_RELEASE_IMAGE="${{ inputs.target-registry }}/okd-staging/okd-release-${{ steps.detect-cpu-arch.outputs.go_arch }}" \
+          OKD_RELEASE_IMAGE="${{ inputs.target-registry }}/okd-staging/okd-release-${{ steps.detect-cpu-arch.outputs.go_arch }}:${{ inputs.okd-version-tag }}" \
           RPM_OUTDIR=/mnt/rpms
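
Review bot: The `+` line appends `:${{ inputs.okd-version-tag }}` to `OKD_RELEASE_IMAGE` while `OKD_VERSION_TAG` is still passed to `make rpm` two lines above. If the build joins the two values, the reference ends up with the tag twice. Confirm how `OKD_RELEASE_IMAGE` and `OKD_VERSION_TAG` are combined before applying this, and pass the tag in only one of them.
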
📜 Review details

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between c592ac4 and 9ff24fe.

📒 Files selected for processing (2)
  • .github/actions/build-okd/action.yaml (2 hunks)
  • src/okd/build_images.sh (4 hunks)
🧰 Additional context used
🧠 Learnings (3)
📚 Learning: 2025-10-17T07:44:32.742Z
Learnt from: ggiguash
Repo: microshift-io/microshift PR: 92
File: .github/workflows/release.yaml:44-50
Timestamp: 2025-10-17T07:44:32.742Z
Learning: When Podman builds an image without a registry prefix (e.g., `podman build -t microshift-okd`), it automatically adds the `localhost/` prefix and `:latest` tag, resulting in `localhost/microshift-okd:latest`. This means the Makefile in microshift-io/microshift building with `-t microshift-okd` produces `localhost/microshift-okd:latest` without explicit retagging.

Applied to files:

  • .github/actions/build-okd/action.yaml
  • src/okd/build_images.sh
📚 Learning: 2025-10-17T10:31:57.408Z
Learnt from: ggiguash
Repo: microshift-io/microshift PR: 57
File: src/debian/install.sh:12-0
Timestamp: 2025-10-17T10:31:57.408Z
Learning: In the MicroShift project, the Ubuntu version in src/debian/install.sh is intentionally hardcoded to "xUbuntu_20.04" because CRI-O builds are not available for all the latest Ubuntu versions. This should not be changed to dynamic detection.

Applied to files:

  • .github/actions/build-okd/action.yaml
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (6)
  • GitHub Check: ubuntu-rpm2deb
  • GitHub Check: fedora-bootc (ubuntu-24.04)
  • GitHub Check: centos10-bootc
  • GitHub Check: centos9-bootc
  • GitHub Check: quick-start-and-clean (ubuntu-24.04)
  • GitHub Check: quick-start-and-clean (ubuntu-24.04-arm)
🔇 Additional comments (1)
.github/actions/build-okd/action.yaml (1)

105-118: Verify integration of staging-to-production promotion after tests.

The push step correctly gates on if: success() to ensure tests pass before pushing to production. The re-tagging flow in build_images.sh (push_images function) reconstructs staging image references and promotes them to production. Ensure that podman image storage persists across the build and push steps within the same job (it should, given single container).

Can you confirm that podman image storage is shared across steps in this GitHub Actions job? If steps run in separate containers, the staging images built in the build step will not be available for re-tagging in the push step, and the logic will fail.

@kasturinarra kasturinarra force-pushed the fix_issue_114 branch 2 times, most recently from 81253c9 to 89f64e2 Compare November 28, 2025 14:08
@kasturinarra
Author

@coderabbitai

@coderabbitai

coderabbitai bot commented Nov 28, 2025

Tip

For best results, initiate chat on the files or code changes.

@kasturinarra, hello! How can I assist you with this PR? I can:

  • Review the changes
  • Answer questions about the implementation
  • Analyze specific aspects of the code
  • Run scripts to gather additional information
  • Or help with anything else you need

What would you like me to do?

@kasturinarra
Author

Tip

For best results, initiate chat on the files or code changes.

@kasturinarra, hello! How can I assist you with this PR? I can:

  • Review the changes
  • Answer questions about the implementation
  • Analyze specific aspects of the code
  • Run scripts to gather additional information
  • Or help with anything else you need

What would you like me to do?

Review the changes

@kasturinarra
Author

@coderabbitai review

@coderabbitai

coderabbitai bot commented Nov 28, 2025

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 0

🧹 Nitpick comments (2)
src/okd/build_images.sh (2)

340-341: Verify TODO line reference.

The comment references line 99, but the haproxy28 TODO appears at line 101. If line numbers shifted during edits, update the reference to line 101.


365-367: Consider extracting repeated haproxy-router skip logic.

The comment and skip logic for haproxy-router appears in multiple functions (lines 340-343, 365-369, 413-416). Consider extracting to a helper function like should_skip_haproxy_router() to reduce duplication.

📥 Commits

Reviewing files that changed from the base of the PR and between e878b2b and a38b6e9.

📒 Files selected for processing (2)
  • .github/actions/build-okd/action.yaml
  • src/okd/build_images.sh
🧰 Additional context used
📓 Path-based instructions (2)
**/*.sh

📄 CodeRabbit inference engine (CLAUDE.md)

**/*.sh: Shell scripts should pass linting with shellcheck as part of the make check validation step
Build scripts must detect architecture automatically via uname -m to determine between x86_64 or aarch64

Files:

  • src/okd/build_images.sh
src/okd/**

📄 CodeRabbit inference engine (CLAUDE.md)

OKD version auto-detection should query latest-amd64 or latest-arm64 tags based on detected architecture

Files:

  • src/okd/build_images.sh
🧠 Learnings (14)
📚 Learning: 2025-12-13T11:22:03.985Z
Learnt from: CR
Repo: microshift-io/microshift PR: 0
File: CLAUDE.md:0-0
Timestamp: 2025-12-13T11:22:03.985Z
Learning: Applies to src/image/prebuild.sh : Replace component images with OKD references during SRPM build stage

Applied to files:

  • src/okd/build_images.sh
  • .github/actions/build-okd/action.yaml
📚 Learning: 2025-12-13T11:22:03.985Z
Learnt from: CR
Repo: microshift-io/microshift PR: 0
File: CLAUDE.md:0-0
Timestamp: 2025-12-13T11:22:03.985Z
Learning: Applies to packaging/Containerfile* : SRPM build container must clone MicroShift from upstream repository at `USHIFT_GITREF` and replace component images with OKD references via `src/image/prebuild.sh`

Applied to files:

  • src/okd/build_images.sh
  • .github/actions/build-okd/action.yaml
📚 Learning: 2025-10-17T07:44:32.742Z
Learnt from: ggiguash
Repo: microshift-io/microshift PR: 92
File: .github/workflows/release.yaml:44-50
Timestamp: 2025-10-17T07:44:32.742Z
Learning: When Podman builds an image without a registry prefix (e.g., `podman build -t microshift-okd`), it automatically adds the `localhost/` prefix and `:latest` tag, resulting in `localhost/microshift-okd:latest`. This means the Makefile in microshift-io/microshift building with `-t microshift-okd` produces `localhost/microshift-okd:latest` without explicit retagging.

Applied to files:

  • src/okd/build_images.sh
  • .github/actions/build-okd/action.yaml
📚 Learning: 2025-12-13T11:22:03.985Z
Learnt from: CR
Repo: microshift-io/microshift PR: 0
File: CLAUDE.md:0-0
Timestamp: 2025-12-13T11:22:03.985Z
Learning: Applies to packaging/Containerfile* : Bootc image build requires RPM image from previous stage, is configurable via `WITH_KINDNET`, `WITH_TOPOLVM`, `WITH_OLM`, and `EMBED_CONTAINER_IMAGES`, and is based on `BOOTC_IMAGE_URL:BOOTC_IMAGE_TAG`

Applied to files:

  • src/okd/build_images.sh
  • .github/actions/build-okd/action.yaml
📚 Learning: 2025-12-13T11:22:03.985Z
Learnt from: CR
Repo: microshift-io/microshift PR: 0
File: CLAUDE.md:0-0
Timestamp: 2025-12-13T11:22:03.985Z
Learning: Applies to src/okd/** : OKD version auto-detection should query latest-amd64 or latest-arm64 tags based on detected architecture

Applied to files:

  • src/okd/build_images.sh
  • .github/actions/build-okd/action.yaml
📚 Learning: 2025-12-13T11:22:03.985Z
Learnt from: CR
Repo: microshift-io/microshift PR: 0
File: CLAUDE.md:0-0
Timestamp: 2025-12-13T11:22:03.985Z
Learning: Applies to packaging/Containerfile* : RPM build container requires SRPM image from previous stage and outputs to `RPM_OUTDIR`

Applied to files:

  • src/okd/build_images.sh
  • .github/actions/build-okd/action.yaml
📚 Learning: 2025-12-13T11:22:03.985Z
Learnt from: CR
Repo: microshift-io/microshift PR: 0
File: CLAUDE.md:0-0
Timestamp: 2025-12-13T11:22:03.985Z
Learning: Applies to .github/workflows/*.yaml : CI/CD workflows should validate builds with `builders.yaml`, test quickstart scripts with `installers.yaml`, support manual release workflow via `release.yaml`, and run daily OKD ARM builds via `release-okd.yaml`

Applied to files:

  • .github/actions/build-okd/action.yaml
📚 Learning: 2025-12-13T11:22:03.985Z
Learnt from: CR
Repo: microshift-io/microshift PR: 0
File: CLAUDE.md:0-0
Timestamp: 2025-12-13T11:22:03.985Z
Learning: Always build SRPM before RPM, and RPM before bootc image to maintain dependency chain

Applied to files:

  • .github/actions/build-okd/action.yaml
📚 Learning: 2025-12-13T11:22:03.985Z
Learnt from: CR
Repo: microshift-io/microshift PR: 0
File: CLAUDE.md:0-0
Timestamp: 2025-12-13T11:22:03.985Z
Learning: Applies to Makefile : Build system follows three sequential stages: SRPM Build (`make srpm`), RPM Build (`make rpm`), and Bootc Image (`make image`). Each stage must be completed before the next can be executed.

Applied to files:

  • .github/actions/build-okd/action.yaml
📚 Learning: 2025-10-17T10:31:57.408Z
Learnt from: ggiguash
Repo: microshift-io/microshift PR: 57
File: src/debian/install.sh:12-0
Timestamp: 2025-10-17T10:31:57.408Z
Learning: In the MicroShift project, the Ubuntu version in src/debian/install.sh is intentionally hardcoded to "xUbuntu_20.04" because CRI-O builds are not available for all the latest Ubuntu versions. This should not be changed to dynamic detection.

Applied to files:

  • .github/actions/build-okd/action.yaml
📚 Learning: 2025-12-13T11:22:03.985Z
Learnt from: CR
Repo: microshift-io/microshift PR: 0
File: CLAUDE.md:0-0
Timestamp: 2025-12-13T11:22:03.985Z
Learning: Applies to ansible/** : Ansible roles should support automated builds and deployments for both containerized and host-based MicroShift installations

Applied to files:

  • .github/actions/build-okd/action.yaml
📚 Learning: 2025-12-04T13:35:05.230Z
Learnt from: pmtk
Repo: microshift-io/microshift PR: 151
File: docs/workflows.md:74-76
Timestamp: 2025-12-04T13:35:05.230Z
Learning: The COPR group microshift-io/microshift exists at https://copr.fedorainfracloud.org/coprs/g/microshift-io/microshift/ and is used for publishing MicroShift RPM packages in the microshift-io/microshift repository.

Applied to files:

  • .github/actions/build-okd/action.yaml
📚 Learning: 2025-10-17T10:53:08.461Z
Learnt from: ggiguash
Repo: microshift-io/microshift PR: 57
File: .github/workflows/builders.yaml:75-84
Timestamp: 2025-10-17T10:53:08.461Z
Learning: In the microshift repository, the RPM-to-Debian conversion workflow follows this pattern: `convert.sh` receives an RPM directory as input and outputs .deb files to a `deb/` subdirectory within that directory. The `install.sh` script expects to receive the parent RPM directory (not the deb subdirectory) and uses recursive `find` commands to locate the .deb files in subdirectories.

Applied to files:

  • .github/actions/build-okd/action.yaml
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (9)
  • GitHub Check: quick-rpm-and-clean (ubuntu-24.04)
  • GitHub Check: quick-rpm-and-clean (ubuntu-24.04-arm)
  • GitHub Check: ubuntu-rpm2deb
  • GitHub Check: fedora-bootc (ubuntu-24.04)
  • GitHub Check: fedora-bootc (ubuntu-24.04-arm)
  • GitHub Check: isolated-network (kindnet, ubuntu-24.04, 0)
  • GitHub Check: centos9-bootc
  • GitHub Check: centos10-bootc
  • GitHub Check: isolated-network (ovnk, ubuntu-24.04, 1)
🔇 Additional comments (12)
src/okd/build_images.sh (8)

7-11: LGTM! Registry derivation is clean and flexible.

The staging registry derivation using dirname avoids nested paths and allows TARGET_REGISTRY override. This addresses previous feedback about hardcoding and path nesting.


17-30: LGTM! Clear mode descriptions.

The updated usage clearly documents the three-mode workflow and target registries for each mode.


351-358: LGTM! Push logic cleanly encapsulated.

Function appropriately delegates to existing helpers and provides clear status messages.


360-384: LGTM! Retagging logic is solid.

String substitution correctly derives staging image names from production references. Error handling guides users to run staging mode first if local images are missing.


386-405: LGTM! Mode orchestration implements the intended flow.

These functions correctly implement the staged workflow: staging builds and pushes to staging, production retags and promotes to production. Output messages guide users through the multi-step process.


407-427: LGTM! Cleanup prevents staging registry bloat.

The cleanup mode addresses the concern about accumulating unused staging images. Using || true ensures the cleanup continues even if some images are already deleted.


432-466: LGTM! Mode-based registry selection is correct.

The main flow correctly validates mode and sets TARGET_REGISTRY accordingly, ensuring the images array is populated with the appropriate registry for each mode.


492-499: LGTM! Mode dispatch completes the refactoring.

Clean dispatch to mode-specific functions. The refactoring successfully separates build, push, and cleanup concerns as requested in past reviews.

.github/actions/build-okd/action.yaml (4)

48-61: LGTM! Staging mode invocation is correct.

The step correctly calls the script in staging mode with clear documentation about staging registry derivation. This addresses previous critical issues about mode mismatches.


63-78: LGTM! RPM build correctly consumes staging images.

The step properly computes STAGING_REGISTRY and uses it for OKD_RELEASE_IMAGE, ensuring RPMs are built with staging images for validation before production promotion.


107-120: LGTM! Production push guarded by test success.

The if: success() condition correctly implements the PR objective: OKD images are promoted to production only after successful testing. Clear comments document the validation requirement.


122-136: LGTM! Cleanup prevents staging registry bloat.

The cleanup step correctly runs on always() to prevent accumulating unused staging images, addressing the maintainer's concern. Using continue-on-error: true ensures cleanup issues don't break the workflow.
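
The `dirname`-based staging derivation and the production-to-staging mapping discussed in the review above, as an added example (not code from `build_images.sh`; the function names and `registry.example` values are assumptions). It anchors the match to the registry prefix so a reference outside the production registry fails, where an unmatched `${var/pattern/replacement}` expansion would return the reference unchanged.

```shell
# Added example, not taken from src/okd/build_images.sh. Function names and
# the registry.example references are constructed for illustration.
# Written for POSIX sh; each function body runs in a subshell, so variables
# stay local and "exit 1" only ends that function call.

# Staging registry as the review describes it: $(dirname PRODUCTION)/okd-staging.
# A registry without a namespace component would make dirname return ".",
# so reject it instead of producing "./okd-staging".
derive_staging_registry() (
    production_registry="${1%/}"
    case "${production_registry}" in
        */*) ;;
        *) echo "no namespace in registry: ${production_registry}" >&2; exit 1 ;;
    esac
    printf '%s/okd-staging\n' "$(dirname "${production_registry}")"
)

# Map one production image reference to its staging counterpart.
# The case pattern requires "<production_registry>/" as a literal prefix, so a
# look-alike such as ".../okd-mirror/..." or a different host is refused.
to_staging_ref() (
    production_image="$1"
    production_registry="${2%/}"
    staging_registry="${3%/}"
    case "${production_image}" in
        "${production_registry}"/*) ;;
        *) echo "not under ${production_registry}: ${production_image}" >&2; exit 1 ;;
    esac
    # Quoting the inner expansion makes the prefix literal, not a glob.
    suffix=${production_image#"${production_registry}"}
    printf '%s%s\n' "${staging_registry}" "${suffix}"
)

# Build the retag plan for promotion: one "staging_ref production_ref" line
# per image. Stops at the first image that does not map, so nothing is
# promoted from an unexpected source.
promotion_plan() (
    production_registry="$1"
    shift
    staging_registry="$(derive_staging_registry "${production_registry}")" || exit 1
    for production_image in "$@"; do
        staging_image="$(to_staging_ref "${production_image}" \
            "${production_registry}" "${staging_registry}")" || exit 1
        printf '%s %s\n' "${staging_image}" "${production_image}"
    done
)

# Constructed sample run: prints the source and destination of each retag.
promotion_plan registry.example/acme/okd \
    registry.example/acme/okd/cli-arm64:sample-tag \
    registry.example/acme/okd/okd-release-arm64:sample-tag
```
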

@kasturinarra kasturinarra marked this pull request as draft December 29, 2025 17:59
@kasturinarra kasturinarra force-pushed the fix_issue_114 branch 6 times, most recently from 50c75c2 to 18a3542 Compare December 30, 2025 10:56
@kasturinarra kasturinarra marked this pull request as ready for review December 30, 2025 13:10
@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 1

🧹 Nitpick comments (1)
src/okd/build_images.sh (1)

478-545: Architecture handling: parameter vs auto-detection.

The script accepts TARGET_ARCH as a parameter rather than detecting it via uname -m. This is acceptable for CI/CD workflows that may cross-compile, but consider adding a comment explaining why auto-detection isn't used here.

Based on learnings, this approach is consistent with how the CI workflows orchestrate builds for multiple architectures.

Optional: Add clarifying comment
 MODE="$1"
 OKD_VERSION="$2"
 OCP_BRANCH="$3"
+# TARGET_ARCH is passed as parameter to support CI cross-compilation workflows
+# For local builds, pass $(uname -m | sed 's/x86_64/amd64/;s/aarch64/arm64/')
 TARGET_ARCH="$4"
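
Review bot: `TARGET_ARCH="$4"` is still assigned exactly as passed; the two added comment lines only document how a caller should compute it. The `sed` in the comment produces `amd64` or `arm64`, so validate `TARGET_ARCH` against those two values right after the assignment. That way a raw `x86_64` or `aarch64` from `uname -m` fails early instead of flowing into image names.
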
📥 Commits

Reviewing files that changed from the base of the PR and between 5f2bf9f and cab3541.

📒 Files selected for processing (2)
  • .github/actions/build-okd/action.yaml
  • src/okd/build_images.sh
🧰 Additional context used
🧠 Learnings (14)
📚 Learning: 2025-12-13T11:22:03.985Z
Learnt from: CR
Repo: microshift-io/microshift PR: 0
File: CLAUDE.md:0-0
Timestamp: 2025-12-13T11:22:03.985Z
Learning: Applies to src/image/prebuild.sh : Replace component images with OKD references during SRPM build stage

Applied to files:

  • .github/actions/build-okd/action.yaml
  • src/okd/build_images.sh
📚 Learning: 2025-12-13T11:22:03.985Z
Learnt from: CR
Repo: microshift-io/microshift PR: 0
File: CLAUDE.md:0-0
Timestamp: 2025-12-13T11:22:03.985Z
Learning: Applies to packaging/Containerfile* : SRPM build container must clone MicroShift from upstream repository at `USHIFT_GITREF` and replace component images with OKD references via `src/image/prebuild.sh`

Applied to files:

  • .github/actions/build-okd/action.yaml
  • src/okd/build_images.sh
📚 Learning: 2025-12-13T11:22:03.985Z
Learnt from: CR
Repo: microshift-io/microshift PR: 0
File: CLAUDE.md:0-0
Timestamp: 2025-12-13T11:22:03.985Z
Learning: Applies to .github/workflows/*.yaml : CI/CD workflows should validate builds with `builders.yaml`, test quickstart scripts with `installers.yaml`, support manual release workflow via `release.yaml`, and run daily OKD ARM builds via `release-okd.yaml`

Applied to files:

  • .github/actions/build-okd/action.yaml
📚 Learning: 2025-12-13T11:22:03.985Z
Learnt from: CR
Repo: microshift-io/microshift PR: 0
File: CLAUDE.md:0-0
Timestamp: 2025-12-13T11:22:03.985Z
Learning: Applies to packaging/Containerfile* : Bootc image build requires RPM image from previous stage, is configurable via `WITH_KINDNET`, `WITH_TOPOLVM`, `WITH_OLM`, and `EMBED_CONTAINER_IMAGES`, and is based on `BOOTC_IMAGE_URL:BOOTC_IMAGE_TAG`

Applied to files:

  • .github/actions/build-okd/action.yaml
  • src/okd/build_images.sh
📚 Learning: 2025-12-13T11:22:03.985Z
Learnt from: CR
Repo: microshift-io/microshift PR: 0
File: CLAUDE.md:0-0
Timestamp: 2025-12-13T11:22:03.985Z
Learning: Applies to packaging/Containerfile* : RPM build container requires SRPM image from previous stage and outputs to `RPM_OUTDIR`

Applied to files:

  • .github/actions/build-okd/action.yaml
  • src/okd/build_images.sh
📚 Learning: 2025-10-17T07:44:32.742Z
Learnt from: ggiguash
Repo: microshift-io/microshift PR: 92
File: .github/workflows/release.yaml:44-50
Timestamp: 2025-10-17T07:44:32.742Z
Learning: When Podman builds an image without a registry prefix (e.g., `podman build -t microshift-okd`), it automatically adds the `localhost/` prefix and `:latest` tag, resulting in `localhost/microshift-okd:latest`. This means the Makefile in microshift-io/microshift building with `-t microshift-okd` produces `localhost/microshift-okd:latest` without explicit retagging.

Applied to files:

  • .github/actions/build-okd/action.yaml
  • src/okd/build_images.sh
📚 Learning: 2025-12-13T11:22:03.985Z
Learnt from: CR
Repo: microshift-io/microshift PR: 0
File: CLAUDE.md:0-0
Timestamp: 2025-12-13T11:22:03.985Z
Learning: Applies to Makefile : Build system follows three sequential stages: SRPM Build (`make srpm`), RPM Build (`make rpm`), and Bootc Image (`make image`). Each stage must be completed before the next can be executed.

Applied to files:

  • .github/actions/build-okd/action.yaml
📚 Learning: 2025-12-13T11:22:03.985Z
Learnt from: CR
Repo: microshift-io/microshift PR: 0
File: CLAUDE.md:0-0
Timestamp: 2025-12-13T11:22:03.985Z
Learning: Applies to src/okd/** : OKD version auto-detection should query latest-amd64 or latest-arm64 tags based on detected architecture

Applied to files:

  • .github/actions/build-okd/action.yaml
  • src/okd/build_images.sh
📚 Learning: 2025-12-13T11:22:03.985Z
Learnt from: CR
Repo: microshift-io/microshift PR: 0
File: CLAUDE.md:0-0
Timestamp: 2025-12-13T11:22:03.985Z
Learning: Always build SRPM before RPM, and RPM before bootc image to maintain dependency chain

Applied to files:

  • .github/actions/build-okd/action.yaml
📚 Learning: 2025-10-17T10:31:57.408Z
Learnt from: ggiguash
Repo: microshift-io/microshift PR: 57
File: src/debian/install.sh:12-0
Timestamp: 2025-10-17T10:31:57.408Z
Learning: In the MicroShift project, the Ubuntu version in src/debian/install.sh is intentionally hardcoded to "xUbuntu_20.04" because CRI-O builds are not available for all the latest Ubuntu versions. This should not be changed to dynamic detection.

Applied to files:

  • .github/actions/build-okd/action.yaml
📚 Learning: 2025-12-13T11:22:03.985Z
Learnt from: CR
Repo: microshift-io/microshift PR: 0
File: CLAUDE.md:0-0
Timestamp: 2025-12-13T11:22:03.985Z
Learning: Applies to ansible/** : Ansible roles should support automated builds and deployments for both containerized and host-based MicroShift installations

Applied to files:

  • .github/actions/build-okd/action.yaml
📚 Learning: 2025-12-04T13:35:05.230Z
Learnt from: pmtk
Repo: microshift-io/microshift PR: 151
File: docs/workflows.md:74-76
Timestamp: 2025-12-04T13:35:05.230Z
Learning: The COPR group microshift-io/microshift exists at https://copr.fedorainfracloud.org/coprs/g/microshift-io/microshift/ and is used for publishing MicroShift RPM packages in the microshift-io/microshift repository.

Applied to files:

  • .github/actions/build-okd/action.yaml
📚 Learning: 2025-11-26T06:46:33.353Z
Learnt from: ggiguash
Repo: microshift-io/microshift PR: 137
File: src/quickrpm.sh:83-98
Timestamp: 2025-11-26T06:46:33.353Z
Learning: In the microshift-io/microshift repository, the quickrpm.sh script only supports RHEL 9 or above (and equivalent CentOS/Fedora versions), where util-linux includes the `--nooverlap` flag for losetup.

Applied to files:

  • .github/actions/build-okd/action.yaml
🔇 Additional comments (12)
.github/actions/build-okd/action.yaml (3)

54-61: LGTM - staging mode correctly invoked.

The mode argument and comments accurately reflect the staging workflow. The script will build images locally and push to the derived staging registry.


107-120: LGTM - production push correctly gated by test success.

The conditional execution ensures OKD images are only promoted to production after successful testing, aligning with the PR objectives.


122-138: LGTM - cleanup step appropriately tolerates errors.

The always() condition ensures staging images are cleaned up regardless of test outcome, addressing the concern about accumulating unused images. The continue-on-error: true flag prevents cleanup failures from failing the workflow.

src/okd/build_images.sh (9)

7-11: LGTM - registry derivation is correct and flexible.

The dirname logic correctly derives the staging registry path, and the TARGET_REGISTRY override allows this to work in private forks.


17-30: LGTM - usage documentation is clear.

The updated usage text accurately describes all three modes and their purposes.


334-349: LGTM - build function correctly populates local references.

The function builds images locally and populates images_sha with image names for subsequent operations.


351-358: LGTM - push function correctly orchestrates manifest and release creation.

The function appropriately delegates to existing push logic and provides clear feedback.


360-387: LGTM - retagging logic is correct.

The substitution ${production_image/${PRODUCTION_REGISTRY}/${STAGING_REGISTRY}} correctly transforms production registry paths to staging paths. The existence check and error message provide good safeguards.


389-400: LGTM - staging workflow correctly orchestrated.

The function appropriately checks prerequisites, builds, and pushes to staging, with helpful output guiding the next step.


402-408: LGTM - production workflow correctly orchestrated.

The function appropriately retags staging images and pushes to production with idempotency checks.


410-437: LGTM - package deletion logic is robust.

The parsing, URL encoding, and error handling (treating "Not Found" as success) are all correct. The GH_TOKEN environment variable is properly set in the action.yaml at line 127.


439-473: LGTM - cleanup efficiently deduplicates deletions.

The deduplication logic prevents redundant API calls, and separately handling the release image ensures complete cleanup.

Comment on lines +63 to 78
- name: Build MicroShift RPMs using staging OKD images
shell: bash
run: |
# See https://github.com/microshift-io/microshift/blob/main/docs/build.md
# for more information about the build process.
# Run the RPM build process.
# Run the RPM build process using images from staging registry
# Staging registry is derived as: $(dirname target-registry)/okd-staging
cd ${GITHUB_WORKSPACE}/
PRODUCTION_REGISTRY="${{ inputs.target-registry }}"
STAGING_REGISTRY="$(dirname "${PRODUCTION_REGISTRY}")/okd-staging"
make rpm \
USHIFT_GITREF="${{ inputs.ushift-gitref }}" \
OKD_VERSION_TAG="${{ inputs.okd-version-tag }}" \
OKD_RELEASE_IMAGE="${{ inputs.target-registry }}/okd-release-${{ steps.detect-cpu-arch.outputs.go_arch }}" \
OKD_RELEASE_IMAGE_AARCH64="${STAGING_REGISTRY}/okd-release-arm64" \
RPM_OUTDIR=/mnt/rpms
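
Review bot: in the `run:` block, `${{ inputs.target-registry }}`, `${{ inputs.ushift-gitref }}` and `${{ inputs.okd-version-tag }}` are expanded into the script text before bash parses it, so a value containing quotes or `$(...)` becomes shell syntax rather than data. Map the inputs under `env:` for this step and reference them as quoted shell variables (for example `PRODUCTION_REGISTRY="${TARGET_REGISTRY}"`), and quote `${GITHUB_WORKSPACE}` in the `cd`. Separately, `OKD_RELEASE_IMAGE` is still built from `inputs.target-registry` while only `OKD_RELEASE_IMAGE_AARCH64` uses `${STAGING_REGISTRY}`, so the two variables point at different registries in the same `make rpm` call.
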
@coderabbitai coderabbitai bot Dec 30, 2025

⚠️ Potential issue | 🟡 Minor

🧩 Analysis chain

🏁 Script executed:

# Check Makefile for OKD_RELEASE_IMAGE variable patterns
rg -n "OKD_RELEASE_IMAGE" --type makefile

Repository: microshift-io/microshift

Length of output: 100


🏁 Script executed:

# Check if there's build documentation
find . -name "build.md" -o -name "BUILD.md" | head -5

Repository: microshift-io/microshift

Length of output: 83


🏁 Script executed:

# Check the workflow file to understand context
rg -n "OKD_RELEASE_IMAGE" .github/actions/build-okd/action.yaml -A 3 -B 3

Repository: microshift-io/microshift

Length of output: 384


🏁 Script executed:

# Search for OKD_RELEASE_IMAGE in all files
rg -n "OKD_RELEASE_IMAGE"

Repository: microshift-io/microshift

Length of output: 2116


🏁 Script executed:

# Read the build.md documentation to understand the architecture handling
head -200 ./docs/build.md

Repository: microshift-io/microshift

Length of output: 5340


🏁 Script executed:

# Check the full action.yaml file to see if there's any AMD64 handling elsewhere
cat .github/actions/build-okd/action.yaml

Repository: microshift-io/microshift

Length of output: 5224


Add OKD_RELEASE_IMAGE_X86_64 override for x86_64 builds.

Line 77 sets OKD_RELEASE_IMAGE_AARCH64 to staging registry, but when the workflow runs with target-arch=x86_64, there's no corresponding OKD_RELEASE_IMAGE_X86_64 override. The x86_64 build will use the default production image instead of the staging registry, breaking symmetry with the aarch64 build.

🤖 Prompt for AI Agents
.github/actions/build-okd/action.yaml around lines 63 to 78: the workflow sets
OKD_RELEASE_IMAGE_AARCH64 to the staging registry but does not set
OKD_RELEASE_IMAGE_X86_64, so x86_64 builds will still pull the production image;
add an override by exporting
OKD_RELEASE_IMAGE_X86_64="${STAGING_REGISTRY}/okd-release" alongside the
existing OKD_RELEASE_IMAGE_AARCH64 assignment in the make rpm invocation so both
architectures use the staging images consistently.

Author

Since this flow is specific to ARM, maybe we do not need this?

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Check how the build-okd action is invoked in workflow files
echo "=== Searching for uses of build-okd action ==="
rg -n "uses:.*build-okd" .github/workflows/

echo ""
echo "=== Checking target-arch values passed to build-okd ==="
rg -n -A10 "uses:.*build-okd" .github/workflows/ | grep -E "(uses:|target-arch:)"

echo ""
echo "=== Checking release-okd.yaml for architecture specifics ==="
cat .github/workflows/release-okd.yaml | head -100

Length of output: 2445


@kasturinarra You're absolutely right! Based on the workflow configuration, this action is only used for ARM builds. The release-okd.yaml workflow hardcodes target-arch: arm64 and explicitly names the job "Build OKD release images for ARM". Since the workflow never runs with x86_64, the OKD_RELEASE_IMAGE_X86_64 override is not needed.

The action is designed to be reusable with the target-arch input, but in practice it's ARM-specific, so only the OKD_RELEASE_IMAGE_AARCH64 override is necessary.


🧠 Learnings used
Learnt from: CR
Repo: microshift-io/microshift PR: 0
File: CLAUDE.md:0-0
Timestamp: 2025-12-13T11:22:03.985Z
Learning: Applies to packaging/Containerfile* : SRPM build container must clone MicroShift from upstream repository at `USHIFT_GITREF` and replace component images with OKD references via `src/image/prebuild.sh`

Learnt from: CR
Repo: microshift-io/microshift PR: 0
File: CLAUDE.md:0-0
Timestamp: 2025-12-13T11:22:03.985Z
Learning: Applies to src/image/prebuild.sh : Replace component images with OKD references during SRPM build stage

Learnt from: ggiguash
Repo: microshift-io/microshift PR: 92
File: .github/workflows/release.yaml:44-50
Timestamp: 2025-10-17T07:44:32.742Z
Learning: When Podman builds an image without a registry prefix (e.g., `podman build -t microshift-okd`), it automatically adds the `localhost/` prefix and `:latest` tag, resulting in `localhost/microshift-okd:latest`. This means the Makefile in microshift-io/microshift building with `-t microshift-okd` produces `localhost/microshift-okd:latest` without explicit retagging.

Learnt from: CR
Repo: microshift-io/microshift PR: 0
File: CLAUDE.md:0-0
Timestamp: 2025-12-13T11:22:03.985Z
Learning: Applies to .github/workflows/*.yaml : CI/CD workflows should validate builds with `builders.yaml`, test quickstart scripts with `installers.yaml`, support manual release workflow via `release.yaml`, and run daily OKD ARM builds via `release-okd.yaml`

Learnt from: CR
Repo: microshift-io/microshift PR: 0
File: CLAUDE.md:0-0
Timestamp: 2025-12-13T11:22:03.985Z
Learning: Applies to src/okd/** : OKD version auto-detection should query latest-amd64 or latest-arm64 tags based on detected architecture

Learnt from: CR
Repo: microshift-io/microshift PR: 0
File: CLAUDE.md:0-0
Timestamp: 2025-12-13T11:22:03.985Z
Learning: Applies to packaging/Containerfile* : RPM build container requires SRPM image from previous stage and outputs to `RPM_OUTDIR`

Learnt from: CR
Repo: microshift-io/microshift PR: 0
File: CLAUDE.md:0-0
Timestamp: 2025-12-13T11:22:03.985Z
Learning: Applies to packaging/Containerfile* : Bootc image build requires RPM image from previous stage, is configurable via `WITH_KINDNET`, `WITH_TOPOLVM`, `WITH_OLM`, and `EMBED_CONTAINER_IMAGES`, and is based on `BOOTC_IMAGE_URL:BOOTC_IMAGE_TAG`

Learnt from: CR
Repo: microshift-io/microshift PR: 0
File: CLAUDE.md:0-0
Timestamp: 2025-12-13T11:22:03.985Z
Learning: Applies to Makefile : Build system follows three sequential stages: SRPM Build (`make srpm`), RPM Build (`make rpm`), and Bootc Image (`make image`). Each stage must be completed before the next can be executed.

Learnt from: CR
Repo: microshift-io/microshift PR: 0
File: CLAUDE.md:0-0
Timestamp: 2025-12-13T11:22:03.985Z
Learning: Applies to ansible/** : Ansible roles should support automated builds and deployments for both containerized and host-based MicroShift installations

Learnt from: kasturinarra
Repo: microshift-io/microshift PR: 162
File: src/cncf/run_sonobuoy_tests.sh:43-45
Timestamp: 2025-12-22T06:35:50.684Z
Learning: In src/cncf/run_sonobuoy_tests.sh, architecture detection via `uname -m` is not needed because all container images (docker.io/sonobuoy/sonobuoy, docker.io/sonobuoy/systemd-logs, registry.k8s.io/conformance) are multi-arch manifests that automatically pull the correct architecture variant for the host platform.

Learnt from: CR
Repo: microshift-io/microshift PR: 0
File: CLAUDE.md:0-0
Timestamp: 2025-12-13T11:22:03.985Z
Learning: Applies to **/*.sh : Build scripts must detect architecture automatically via `uname -m` to determine between x86_64 or aarch64

Learnt from: ggiguash
Repo: microshift-io/microshift PR: 57
File: src/debian/install.sh:12-0
Timestamp: 2025-10-17T10:31:57.408Z
Learning: In the MicroShift project, the Ubuntu version in src/debian/install.sh is intentionally hardcoded to "xUbuntu_20.04" because CRI-O builds are not available for all the latest Ubuntu versions. This should not be changed to dynamic detection.

USHIFT_GITREF="${{ inputs.ushift-gitref }}" \
OKD_VERSION_TAG="${{ inputs.okd-version-tag }}" \
OKD_RELEASE_IMAGE="${{ inputs.target-registry }}/okd-release-${{ steps.detect-cpu-arch.outputs.go_arch }}" \
OKD_RELEASE_IMAGE_AARCH64="${STAGING_REGISTRY}/okd-release-arm64" \

Contributor

Why is this change necessary now?

Author

Looking at the logs, without this change it was using --build-arg OKD_RELEASE_IMAGE_AARCH64="ghcr.io/microshift-io/okd/okd-release-arm64"

Contributor

This code must be generic. It's true that we now only build for arm64 platform, but the same code should work on both. Please, remove the hardcoded platform.

}

# Delete entire package from GHCR using GitHub CLI
delete_ghcr_package() {

Contributor

I think we should separate this functionality into a script or into the workflow because this is GitHub-specific.

@kasturinarra kasturinarra force-pushed the fix_issue_114 branch 2 times, most recently from 114d0a5 to 41dd80a December 30, 2025 14:17

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 0

🧹 Nitpick comments (1)
src/okd/build_images.sh (1)

7-11: Consider allowing STAGING_REGISTRY override.

While PRODUCTION_REGISTRY can be overridden via TARGET_REGISTRY, the STAGING_REGISTRY is always derived and cannot be independently overridden. For testing or fork scenarios, allowing STAGING_REGISTRY override would provide flexibility.

🔎 Proposed enhancement
 # Production registry - must be provided via TARGET_REGISTRY environment variable
 # or defaults to the upstream registry if not specified
 PRODUCTION_REGISTRY="${TARGET_REGISTRY:-ghcr.io/microshift-io/okd}"
 # Automatically derive staging registry by appending '/okd-staging' subpath
-STAGING_REGISTRY="$(dirname "${PRODUCTION_REGISTRY}")/okd-staging"
+STAGING_REGISTRY="${STAGING_REGISTRY:-$(dirname "${PRODUCTION_REGISTRY}")/okd-staging}"
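
Review bot: with the `${STAGING_REGISTRY:-...}` default on the last line, any `STAGING_REGISTRY` already exported in the caller's environment is picked up silently, including a value equal to `PRODUCTION_REGISTRY`, in which case the staging push would write untested images to the production path. Add a check right after the assignment that fails when the two registries are equal, and document the new variable in the usage text next to `TARGET_REGISTRY`.
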
📜 Review details

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between cab3541 and 114d0a5.

📒 Files selected for processing (2)
  • .github/actions/build-okd/action.yaml
  • src/okd/build_images.sh
🧰 Additional context used
📓 Path-based instructions (2)
**/*.sh

📄 CodeRabbit inference engine (CLAUDE.md)

**/*.sh: Shell scripts should pass linting with shellcheck as part of the make check validation step
Build scripts must detect architecture automatically via uname -m to determine between x86_64 or aarch64

Files:

  • src/okd/build_images.sh
src/okd/**

📄 CodeRabbit inference engine (CLAUDE.md)

OKD version auto-detection should query latest-amd64 or latest-arm64 tags based on detected architecture

Files:

  • src/okd/build_images.sh
🧠 Learnings (16)
📚 Learning: 2025-12-13T11:22:03.985Z
Learnt from: CR
Repo: microshift-io/microshift PR: 0
File: CLAUDE.md:0-0
Timestamp: 2025-12-13T11:22:03.985Z
Learning: Applies to src/image/prebuild.sh : Replace component images with OKD references during SRPM build stage

Applied to files:

  • .github/actions/build-okd/action.yaml
  • src/okd/build_images.sh
📚 Learning: 2025-12-13T11:22:03.985Z
Learnt from: CR
Repo: microshift-io/microshift PR: 0
File: CLAUDE.md:0-0
Timestamp: 2025-12-13T11:22:03.985Z
Learning: Applies to packaging/Containerfile* : SRPM build container must clone MicroShift from upstream repository at `USHIFT_GITREF` and replace component images with OKD references via `src/image/prebuild.sh`

Applied to files:

  • .github/actions/build-okd/action.yaml
  • src/okd/build_images.sh
📚 Learning: 2025-12-13T11:22:03.985Z
Learnt from: CR
Repo: microshift-io/microshift PR: 0
File: CLAUDE.md:0-0
Timestamp: 2025-12-13T11:22:03.985Z
Learning: Applies to .github/workflows/*.yaml : CI/CD workflows should validate builds with `builders.yaml`, test quickstart scripts with `installers.yaml`, support manual release workflow via `release.yaml`, and run daily OKD ARM builds via `release-okd.yaml`

Applied to files:

  • .github/actions/build-okd/action.yaml
  • src/okd/build_images.sh
📚 Learning: 2025-10-17T07:44:32.742Z
Learnt from: ggiguash
Repo: microshift-io/microshift PR: 92
File: .github/workflows/release.yaml:44-50
Timestamp: 2025-10-17T07:44:32.742Z
Learning: When Podman builds an image without a registry prefix (e.g., `podman build -t microshift-okd`), it automatically adds the `localhost/` prefix and `:latest` tag, resulting in `localhost/microshift-okd:latest`. This means the Makefile in microshift-io/microshift building with `-t microshift-okd` produces `localhost/microshift-okd:latest` without explicit retagging.

Applied to files:

  • .github/actions/build-okd/action.yaml
  • src/okd/build_images.sh
📚 Learning: 2025-12-13T11:22:03.985Z
Learnt from: CR
Repo: microshift-io/microshift PR: 0
File: CLAUDE.md:0-0
Timestamp: 2025-12-13T11:22:03.985Z
Learning: Applies to packaging/Containerfile* : Bootc image build requires RPM image from previous stage, is configurable via `WITH_KINDNET`, `WITH_TOPOLVM`, `WITH_OLM`, and `EMBED_CONTAINER_IMAGES`, and is based on `BOOTC_IMAGE_URL:BOOTC_IMAGE_TAG`

Applied to files:

  • .github/actions/build-okd/action.yaml
  • src/okd/build_images.sh
📚 Learning: 2025-12-13T11:22:03.985Z
Learnt from: CR
Repo: microshift-io/microshift PR: 0
File: CLAUDE.md:0-0
Timestamp: 2025-12-13T11:22:03.985Z
Learning: Applies to packaging/Containerfile* : RPM build container requires SRPM image from previous stage and outputs to `RPM_OUTDIR`

Applied to files:

  • .github/actions/build-okd/action.yaml
  • src/okd/build_images.sh
📚 Learning: 2025-12-13T11:22:03.985Z
Learnt from: CR
Repo: microshift-io/microshift PR: 0
File: CLAUDE.md:0-0
Timestamp: 2025-12-13T11:22:03.985Z
Learning: Applies to src/okd/** : OKD version auto-detection should query latest-amd64 or latest-arm64 tags based on detected architecture

Applied to files:

  • .github/actions/build-okd/action.yaml
  • src/okd/build_images.sh
📚 Learning: 2025-12-13T11:22:03.985Z
Learnt from: CR
Repo: microshift-io/microshift PR: 0
File: CLAUDE.md:0-0
Timestamp: 2025-12-13T11:22:03.985Z
Learning: Applies to Makefile : Build system follows three sequential stages: SRPM Build (`make srpm`), RPM Build (`make rpm`), and Bootc Image (`make image`). Each stage must be completed before the next can be executed.

Applied to files:

  • .github/actions/build-okd/action.yaml
📚 Learning: 2025-12-13T11:22:03.985Z
Learnt from: CR
Repo: microshift-io/microshift PR: 0
File: CLAUDE.md:0-0
Timestamp: 2025-12-13T11:22:03.985Z
Learning: Always build SRPM before RPM, and RPM before bootc image to maintain dependency chain

Applied to files:

  • .github/actions/build-okd/action.yaml
📚 Learning: 2025-10-17T10:31:57.408Z
Learnt from: ggiguash
Repo: microshift-io/microshift PR: 57
File: src/debian/install.sh:12-0
Timestamp: 2025-10-17T10:31:57.408Z
Learning: In the MicroShift project, the Ubuntu version in src/debian/install.sh is intentionally hardcoded to "xUbuntu_20.04" because CRI-O builds are not available for all the latest Ubuntu versions. This should not be changed to dynamic detection.

Applied to files:

  • .github/actions/build-okd/action.yaml
📚 Learning: 2025-12-13T11:22:03.985Z
Learnt from: CR
Repo: microshift-io/microshift PR: 0
File: CLAUDE.md:0-0
Timestamp: 2025-12-13T11:22:03.985Z
Learning: Applies to **/*.sh : Build scripts must detect architecture automatically via `uname -m` to determine between x86_64 or aarch64

Applied to files:

  • .github/actions/build-okd/action.yaml
📚 Learning: 2025-12-22T06:35:50.684Z
Learnt from: kasturinarra
Repo: microshift-io/microshift PR: 162
File: src/cncf/run_sonobuoy_tests.sh:43-45
Timestamp: 2025-12-22T06:35:50.684Z
Learning: In src/cncf/run_sonobuoy_tests.sh, architecture detection via `uname -m` is not needed because all container images (docker.io/sonobuoy/sonobuoy, docker.io/sonobuoy/systemd-logs, registry.k8s.io/conformance) are multi-arch manifests that automatically pull the correct architecture variant for the host platform.

Applied to files:

  • .github/actions/build-okd/action.yaml
📚 Learning: 2025-12-13T11:22:03.985Z
Learnt from: CR
Repo: microshift-io/microshift PR: 0
File: CLAUDE.md:0-0
Timestamp: 2025-12-13T11:22:03.985Z
Learning: Applies to ansible/** : Ansible roles should support automated builds and deployments for both containerized and host-based MicroShift installations

Applied to files:

  • .github/actions/build-okd/action.yaml
📚 Learning: 2025-12-04T13:35:05.230Z
Learnt from: pmtk
Repo: microshift-io/microshift PR: 151
File: docs/workflows.md:74-76
Timestamp: 2025-12-04T13:35:05.230Z
Learning: The COPR group microshift-io/microshift exists at https://copr.fedorainfracloud.org/coprs/g/microshift-io/microshift/ and is used for publishing MicroShift RPM packages in the microshift-io/microshift repository.

Applied to files:

  • .github/actions/build-okd/action.yaml
📚 Learning: 2025-11-26T06:46:33.353Z
Learnt from: ggiguash
Repo: microshift-io/microshift PR: 137
File: src/quickrpm.sh:83-98
Timestamp: 2025-11-26T06:46:33.353Z
Learning: In the microshift-io/microshift repository, the quickrpm.sh script only supports RHEL 9 or above (and equivalent CentOS/Fedora versions), where util-linux includes the `--nooverlap` flag for losetup.

Applied to files:

  • .github/actions/build-okd/action.yaml
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (11)
  • GitHub Check: quick-start-and-clean (ubuntu-24.04-arm)
  • GitHub Check: quick-start-and-clean (ubuntu-24.04)
  • GitHub Check: quick-rpm-and-clean (ubuntu-24.04)
  • GitHub Check: quick-rpm-and-clean (ubuntu-24.04-arm)
  • GitHub Check: isolated-network (ovnk, ubuntu-24.04, 1)
  • GitHub Check: fedora-bootc (ubuntu-24.04)
  • GitHub Check: ubuntu-rpm2deb
  • GitHub Check: isolated-network (kindnet, ubuntu-24.04, 0)
  • GitHub Check: centos9-bootc
  • GitHub Check: centos10-bootc
  • GitHub Check: fedora-bootc (ubuntu-24.04-arm)
🔇 Additional comments (12)
src/okd/build_images.sh (8)

17-28: LGTM!

The usage documentation clearly explains the mode-based operation and shows the registry paths for both staging and production modes.


332-347: LGTM!

The function correctly builds images locally and populates the images_sha array. The haproxy-router exception for non-ARM64 architectures is properly handled with a reference to the TODO comment.


349-356: LGTM!

Clean wrapper function that orchestrates the push workflow.


358-385: LGTM!

The retagging logic correctly substitutes the production registry prefix with the staging registry prefix. The error message provides a helpful command to run if staging images are missing.


387-398: LGTM!

The staging workflow is well-orchestrated with clear prerequisite checks and helpful output messages guiding the user on next steps.


400-406: LGTM!

The production workflow correctly retags staging images to production names before pushing.


411-424: LGTM!

Clear argument parsing with proper mode validation and helpful error messages.


440-447: LGTM!

The registry selection correctly sets TARGET_REGISTRY based on the mode, ensuring OKD_RELEASE_IMAGE is computed with the appropriate registry prefix.

.github/actions/build-okd/action.yaml (4)

48-61: LGTM!

The build step correctly uses staging mode and includes clear comments explaining the staging registry derivation.


63-78: LGTM!

The RPM build correctly uses the staging registry for OKD images, ensuring that the RPMs are built with the staged images before they're promoted to production.


107-120: LGTM!

The production push is correctly conditioned on test success and uses the production mode, implementing the desired build→test→push workflow sequence.


122-167: Verify cleanup success detection logic.

Line 159 checks if the gh api output contains "204" using grep -q "204", but the GitHub CLI may not output the status code in a grep-able format. Consider checking the exit code instead:

-          if gh api --method DELETE "/users/${OWNER}/packages/container/${encoded_package}" \
-             -H "Accept: application/vnd.github+json" 2>&1 | grep -q "204"; then
+          if gh api --method DELETE "/users/${OWNER}/packages/container/${encoded_package}" \
+             -H "Accept: application/vnd.github+json" 2>&1; then
             echo "  ✓ Deleted"
           else
             echo "  ⚠ Failed or already deleted"
           fi
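
Review bot: in the suggested `if gh api ... 2>&1; then` form, the `else` branch still prints one message for two different outcomes, so a permission or authentication error looks the same as a package that was already removed, and with `continue-on-error: true` nothing else will surface it. Capture the command output, treat a "Not Found" response as already deleted, and print any other failure with its message so leftover staging packages are noticed.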

Since the step uses continue-on-error: true, this won't break the workflow, but it would provide more accurate feedback.

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 1

📜 Review details

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 114d0a5 and 41dd80a.

📒 Files selected for processing (2)
  • .github/actions/build-okd/action.yaml
  • src/okd/build_images.sh
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (11)
  • GitHub Check: isolated-network (ovnk, ubuntu-24.04, 1)
  • GitHub Check: isolated-network (kindnet, ubuntu-24.04, 0)
  • GitHub Check: ubuntu-rpm2deb
  • GitHub Check: centos9-bootc
  • GitHub Check: fedora-bootc (ubuntu-24.04-arm)
  • GitHub Check: centos10-bootc
  • GitHub Check: fedora-bootc (ubuntu-24.04)
  • GitHub Check: quick-rpm-and-clean (ubuntu-24.04-arm)
  • GitHub Check: quick-start-and-clean (ubuntu-24.04-arm)
  • GitHub Check: quick-rpm-and-clean (ubuntu-24.04)
  • GitHub Check: quick-start-and-clean (ubuntu-24.04)
🔇 Additional comments (8)
.github/actions/build-okd/action.yaml (3)

48-61: LGTM: Clear staging workflow with helpful comments.

The staging mode invocation and comments accurately describe the build-and-push-to-staging flow.


63-78: LGTM: Staging registry derivation is consistent.

The dirname derivation matches the script's approach and correctly points RPM build to staging images.


107-120: LGTM: Production push correctly gated on test success.

The if: success() condition and production mode invocation implement the required test-before-push sequence.

src/okd/build_images.sh (5)

7-11: LGTM: Registry derivation is clear and consistent.

The dirname approach correctly derives the staging registry path and matches the action.yaml implementation.


17-28: LGTM: Usage clearly documents mode-based operation.

The updated usage helpfully displays the actual registry values and clearly explains staging vs. production modes.


332-406: LGTM: Mode-specific functions are well-structured.

The refactoring into discrete functions improves readability, and the retagging logic correctly substitutes registry paths using parameter expansion.


411-424: LGTM: Argument parsing with proper mode validation.

The validation ensures only valid modes are accepted, with a clear error message for invalid input.


440-476: LGTM: Clean mode-based dispatch.

The registry selection and function dispatch correctly implement the staging/production workflow split.

@kasturinarra kasturinarra force-pushed the fix_issue_114 branch 2 times, most recently from 6a5ab4b to e6c3708 Compare December 30, 2025 15:35
@kasturinarra kasturinarra marked this pull request as draft December 30, 2025 15:35

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 2

📜 Review details

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 6a5ab4b and e6c3708.

📒 Files selected for processing (2)
  • .github/actions/build-okd/action.yaml
  • src/okd/build_images.sh
🧰 Additional context used
📓 Path-based instructions (2)
**/*.sh

📄 CodeRabbit inference engine (CLAUDE.md)

**/*.sh: Shell scripts should pass linting with shellcheck as part of the make check validation step
Build scripts must detect architecture automatically via uname -m to determine between x86_64 or aarch64

Files:

  • src/okd/build_images.sh
src/okd/**

📄 CodeRabbit inference engine (CLAUDE.md)

OKD version auto-detection should query latest-amd64 or latest-arm64 tags based on detected architecture

Files:

  • src/okd/build_images.sh
🧠 Learnings (16)
📚 Learning: 2025-12-13T11:22:03.985Z
Learnt from: CR
Repo: microshift-io/microshift PR: 0
File: CLAUDE.md:0-0
Timestamp: 2025-12-13T11:22:03.985Z
Learning: Applies to src/image/prebuild.sh : Replace component images with OKD references during SRPM build stage

Applied to files:

  • src/okd/build_images.sh
  • .github/actions/build-okd/action.yaml
📚 Learning: 2025-12-13T11:22:03.985Z
Learnt from: CR
Repo: microshift-io/microshift PR: 0
File: CLAUDE.md:0-0
Timestamp: 2025-12-13T11:22:03.985Z
Learning: Applies to packaging/Containerfile* : SRPM build container must clone MicroShift from upstream repository at `USHIFT_GITREF` and replace component images with OKD references via `src/image/prebuild.sh`

Applied to files:

  • src/okd/build_images.sh
  • .github/actions/build-okd/action.yaml
📚 Learning: 2025-12-13T11:22:03.985Z
Learnt from: CR
Repo: microshift-io/microshift PR: 0
File: CLAUDE.md:0-0
Timestamp: 2025-12-13T11:22:03.985Z
Learning: Applies to .github/workflows/*.yaml : CI/CD workflows should validate builds with `builders.yaml`, test quickstart scripts with `installers.yaml`, support manual release workflow via `release.yaml`, and run daily OKD ARM builds via `release-okd.yaml`

Applied to files:

  • src/okd/build_images.sh
  • .github/actions/build-okd/action.yaml
📚 Learning: 2025-12-13T11:22:03.985Z
Learnt from: CR
Repo: microshift-io/microshift PR: 0
File: CLAUDE.md:0-0
Timestamp: 2025-12-13T11:22:03.985Z
Learning: Applies to src/okd/** : OKD version auto-detection should query latest-amd64 or latest-arm64 tags based on detected architecture

Applied to files:

  • src/okd/build_images.sh
  • .github/actions/build-okd/action.yaml
📚 Learning: 2025-10-17T07:44:32.742Z
Learnt from: ggiguash
Repo: microshift-io/microshift PR: 92
File: .github/workflows/release.yaml:44-50
Timestamp: 2025-10-17T07:44:32.742Z
Learning: When Podman builds an image without a registry prefix (e.g., `podman build -t microshift-okd`), it automatically adds the `localhost/` prefix and `:latest` tag, resulting in `localhost/microshift-okd:latest`. This means the Makefile in microshift-io/microshift building with `-t microshift-okd` produces `localhost/microshift-okd:latest` without explicit retagging.

Applied to files:

  • src/okd/build_images.sh
  • .github/actions/build-okd/action.yaml
📚 Learning: 2025-12-13T11:22:03.985Z
Learnt from: CR
Repo: microshift-io/microshift PR: 0
File: CLAUDE.md:0-0
Timestamp: 2025-12-13T11:22:03.985Z
Learning: Applies to packaging/Containerfile* : Bootc image build requires RPM image from previous stage, is configurable via `WITH_KINDNET`, `WITH_TOPOLVM`, `WITH_OLM`, and `EMBED_CONTAINER_IMAGES`, and is based on `BOOTC_IMAGE_URL:BOOTC_IMAGE_TAG`

Applied to files:

  • src/okd/build_images.sh
  • .github/actions/build-okd/action.yaml
📚 Learning: 2025-12-13T11:22:03.985Z
Learnt from: CR
Repo: microshift-io/microshift PR: 0
File: CLAUDE.md:0-0
Timestamp: 2025-12-13T11:22:03.985Z
Learning: Applies to packaging/Containerfile* : RPM build container requires SRPM image from previous stage and outputs to `RPM_OUTDIR`

Applied to files:

  • src/okd/build_images.sh
  • .github/actions/build-okd/action.yaml
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (11)
  • GitHub Check: fedora-bootc (ubuntu-24.04)
  • GitHub Check: centos9-bootc
  • GitHub Check: isolated-network (ovnk, ubuntu-24.04, 1)
  • GitHub Check: isolated-network (kindnet, ubuntu-24.04, 0)
  • GitHub Check: quick-rpm-and-clean (ubuntu-24.04-arm)
  • GitHub Check: centos10-bootc
  • GitHub Check: fedora-bootc (ubuntu-24.04-arm)
  • GitHub Check: ubuntu-rpm2deb
  • GitHub Check: quick-start-and-clean (ubuntu-24.04)
  • GitHub Check: quick-start-and-clean (ubuntu-24.04-arm)
  • GitHub Check: quick-rpm-and-clean (ubuntu-24.04)
🔇 Additional comments (10)
src/okd/build_images.sh (6)

7-12: Registry configuration looks good.

Staging registry is correctly derived using dirname to avoid the /okd/okd-staging nesting issue from prior reviews.


17-28: Usage documentation updated appropriately.

Mode parameter is now mandatory and well-documented with registry destinations shown.


332-347: Build function is well-structured.

Cleanly separates build logic, populates images_sha with tags for downstream use, and correctly skips haproxy-router for non-ARM64.


358-385: Retag function handles staging→production correctly.

  • Uses local declarations (per prior review)
  • String substitution ${production_image/${PRODUCTION_REGISTRY}/${STAGING_REGISTRY}} correctly derives staging reference
  • Clear error message when staging images are missing

387-406: Mode-specific push functions are clean and well-organized.

push_staging handles the full staging flow (login, build, push), while push_production handles retagging and promotion. Good separation of concerns.


471-476: Mode dispatch is straightforward.

Cleanly routes to the appropriate function based on validated mode parameter.

.github/actions/build-okd/action.yaml (4)

48-61: Build step correctly uses staging mode.

Comments clearly document the staging registry derivation and purpose. Mode mismatch from prior review is resolved.


63-78: RPM build correctly references staging images.

Registry derivation logic mirrors the shell script, ensuring consistency. The OKD_RELEASE_IMAGE_AARCH64 override ensures RPMs embed references to the staged (tested) images.


107-120: Production push gated on success.

This ensures broken OKD images don't reach production. Aligns with the PR objective of build→test→push sequence.


122-158: Cleanup step has good resilience patterns.

  • if: always() ensures cleanup runs regardless of prior step outcomes
  • continue-on-error: true prevents cleanup failures from failing the workflow
  • Both user and org API endpoints are tried for flexibility across account types
  • --paginate handles large package lists

Comment on lines +440 to +447
# Set target registry based on mode
if [[ "${MODE}" == "staging" ]]; then
TARGET_REGISTRY="${STAGING_REGISTRY}"
elif [[ "${MODE}" == "production" ]]; then
TARGET_REGISTRY="${PRODUCTION_REGISTRY}"
fi

OKD_RELEASE_IMAGE="${TARGET_REGISTRY}/okd-release-${TARGET_ARCH}:${OKD_VERSION}"
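Review bot: the if/elif on MODE in this hunk has no else branch, so any value other than "staging" or "production" leaves TARGET_REGISTRY unset and the OKD_RELEASE_IMAGE assignment on the last line expands to "/okd-release-${TARGET_ARCH}:${OKD_VERSION}". Add an else that prints an error and exits, or write the assignment with ${TARGET_REGISTRY:?} so the script stops at this point instead of depending on validation elsewhere in the file.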

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# View the relevant sections of build_images.sh
echo "=== Lines 1-20 (initial variable setup) ==="
head -20 src/okd/build_images.sh

echo ""
echo "=== Lines 440-450 (TARGET_REGISTRY reassignment) ==="
sed -n '440,450p' src/okd/build_images.sh

echo ""
echo "=== Full search for registry variable assignments ==="
rg -n "TARGET_REGISTRY|PRODUCTION_REGISTRY|STAGING_REGISTRY" src/okd/build_images.sh

Repository: microshift-io/microshift

Length of output: 3626


🏁 Script executed:

#!/bin/bash
# Check shellcheck compliance and OKD version auto-detection
echo "=== Running shellcheck ==="
shellcheck src/okd/build_images.sh 2>&1 || echo "Shellcheck completed"

echo ""
echo "=== Searching for OKD version/tag auto-detection logic ==="
rg -n "latest-amd64|latest-arm64|uname|TARGET_ARCH" src/okd/build_images.sh | head -20

Repository: microshift-io/microshift

Length of output: 2137


🏁 Script executed:

#!/bin/bash
# Check how TARGET_ARCH is determined and OKD version detection
echo "=== Searching for TARGET_ARCH initialization ==="
rg -n "TARGET_ARCH=" src/okd/build_images.sh

echo ""
echo "=== Searching for OKD_VERSION and version detection logic ==="
rg -n "OKD_VERSION|OKD_RELEASE" src/okd/build_images.sh | head -30

echo ""
echo "=== Check function signatures and script parameters ==="
sed -n '20,35p' src/okd/build_images.sh

Repository: microshift-io/microshift

Length of output: 3023


🏁 Script executed:

#!/bin/bash
# Check how parameters are validated and used
echo "=== Parameter validation and usage ==="
sed -n '410,425p' src/okd/build_images.sh

echo ""
echo "=== Check if architecture auto-detection exists anywhere ==="
rg -n "uname" src/okd/build_images.sh

Repository: microshift-io/microshift

Length of output: 442


Script violates OKD build guidelines by requiring manual parameter input instead of auto-detecting architecture and version.

The TARGET_REGISTRY assignment order is correct, but the script fails to meet coding requirements:

  1. Architecture not auto-detected: Guidelines require uname -m to automatically detect x86_64 or aarch64, but TARGET_ARCH is currently a required parameter (line 418).

  2. OKD version not auto-detected: Guidelines require version auto-detection from latest-amd64 or latest-arm64 tags based on detected architecture, but OKD_VERSION is currently a required parameter (line 416).

Implement automatic detection for both TARGET_ARCH (via uname -m) and OKD_VERSION (via tag queries), with optional manual parameter overrides for testing.
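
The staging registry derivation and the staging→production reference mapping discussed in this review, as an added example (not the PR's `build_images.sh`). The registry value and image tag are constructed placeholders and the function names are hypothetical; it goes slightly beyond the review by rejecting references outside the production prefix and unknown modes, and is written in POSIX sh rather than with the bash-only `${var/old/new}` form.

```shell
#!/bin/sh
# Added example: reference mapping for a test-gated staging -> production flow.
# Constructed placeholder, not the project's real registry.
PRODUCTION_REGISTRY="registry.example/acme/okd"

# Staging is a sibling of production, not nested beneath it:
#   registry.example/acme/okd -> registry.example/acme/okd-staging
derive_staging_registry() {
    printf '%s/okd-staging\n' "$(dirname "$1")"
}

STAGING_REGISTRY="$(derive_staging_registry "${PRODUCTION_REGISTRY}")"

# Map a production image reference to its staging counterpart.
# Only the leading "<production registry>/" prefix is rewritten. A reference
# that does not start with it is rejected; an unanchored ${var/old/new}
# substitution would hand such a reference back unchanged.
staging_ref_for() {
    case "$1" in
        "${PRODUCTION_REGISTRY}"/*)
            rest=${1#"${PRODUCTION_REGISTRY}"/}
            printf '%s/%s\n' "${STAGING_REGISTRY}" "${rest}"
            ;;
        *)
            echo "ERROR: '$1' is not under ${PRODUCTION_REGISTRY}" >&2
            return 1
            ;;
    esac
}

# Resolve the push target for a mode; anything else fails closed.
target_registry_for() {
    case "$1" in
        staging)    printf '%s\n' "${STAGING_REGISTRY}" ;;
        production) printf '%s\n' "${PRODUCTION_REGISTRY}" ;;
        *)
            echo "ERROR: invalid mode '$1' (expected staging|production)" >&2
            return 1
            ;;
    esac
}

# Print "staging-ref production-ref" pairs, i.e. the retag plan a promotion
# step would execute. One unmappable reference aborts the whole plan.
promotion_plan() {
    for prod_ref in "$@"; do
        stage_ref="$(staging_ref_for "${prod_ref}")" || return 1
        printf '%s %s\n' "${stage_ref}" "${prod_ref}"
    done
}

# Demo with a constructed image name and tag.
promotion_plan "${PRODUCTION_REGISTRY}/okd-release-arm64:TAG"
```
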

@kasturinarra kasturinarra force-pushed the fix_issue_114 branch 2 times, most recently from cc3ffa7 to f1f7d7b Compare December 30, 2025 17:06
@kasturinarra kasturinarra marked this pull request as ready for review December 30, 2025 17:56
"okd-staging/scos-${VERSION}"
"okd-staging/service-ca-operator"
"okd-staging/okd-release-arm64"
)
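Review bot: these entries hard-code the okd-staging/ prefix and the arm64 suffix in "okd-staging/okd-release-arm64", so the list has to be kept in step by hand with whatever the build script actually pushes, and a package added or renamed there will not be matched here. Generate the names from the same source as the build, for example a script option that prints them, and have the step report any name it could not match so a stale list is visible.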

We cannot duplicate this "knowledge" in the workflow. Can we add an option to the script to return this list?

Successfully merging this pull request may close these issues.

OKD ARM builds should be tested before they are pushed to the registry
