Skip to content

RHAIENG-5608: Add patch to fix vsce-sign package for CodeServer on PPC64LE builds#2403

Open
daniellutz wants to merge 1 commit into
red-hat-data-services:rhoai-2.25from
daniellutz:rhoai-2.25-codeserver-ppc64
Open

RHAIENG-5608: Add patch to fix vsce-sign package for CodeServer on PPC64LE builds#2403
daniellutz wants to merge 1 commit into
red-hat-data-services:rhoai-2.25from
daniellutz:rhoai-2.25-codeserver-ppc64

Conversation

@daniellutz

@daniellutz daniellutz commented Jun 22, 2026

Copy link
Copy Markdown

With the CodeServer upgrade introduced in #2340 and #2350, a new failures started to happen regarding vsce-sign packages on ppc64le builds.

More information can be found on https://redhat.atlassian.net/browse/RHAIENG-5608

How Has This Been Tested?

Local builds have been done using Podman with PPC64LE emulation

Building linux/ppc64le images locally

First step is to install qemu on your podman machine VM and then restart it:

$ podman machine ssh -- sudo rpm-ostree install qemu-user-static
$ podman machine stop
$ podman machine start

After the installation and reboot, you can run the following quick test to ensure the emulation is working:

$ podman run --rm --platform linux/ppc64le registry.access.redhat.com/ubi9/ubi uname -m

Building the CodeServer image locally

To build the CodeServer image for PPC64LE, just send the BUILD_ARCH parameter to the make command:

$ make codeserver-ubi9-python-3.12 \
               -e BUILD_ARCH=linux/ppc64le \
               -e IMAGE_REGISTRY=quay.io/dlutz/workbench-images \
               -e RELEASE=2025b \
               -e RELEASE_PYTHON_VERSION="3.12" \
               -e PUSH_IMAGES="yes" \
               -e CONTAINER_BUILD_CACHE_ARGS=""

Self checklist (all need to be checked):

  • Ensure that you have run make test (gmake on macOS) before asking for review
  • Changes to everything except Dockerfile.konflux files should be done in odh/notebooks and automatically synced to rhds/notebooks. For Konflux-specific changes, modify Dockerfile.konflux files directly in rhds/notebooks as these require special attention in the downstream repository and flow to the upcoming RHOAI release.

Merge criteria:

  • The commits are squashed in a cohesive manner and have meaningful messages.
  • Testing instructions have been added in the PR body (for PRs involving changes that are not immediately obvious).
  • The developer has manually tested the changes and verified that the changes work

Summary by CodeRabbit

  • Chores
    • Improved Code Server build process to better support ppc64le architecture systems through enhanced dependency handling.

@openshift-ci

openshift-ci Bot commented Jun 22, 2026

Copy link
Copy Markdown

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

@coderabbitai

coderabbitai Bot commented Jun 22, 2026

Copy link
Copy Markdown

Review Change Stack

📝 Walkthrough

Walkthrough

A ppc64le-specific block is added to get_code_server_rpm.sh. It reads the @vscode/vsce-sign version from package-lock.json, repacks the package into a temp directory with a patched postinstall.js that exits early on ppc64/s390x, then registers the resulting tarball as an override in lib/vscode/build/package.json before the normal install and build steps run.

Changes

ppc64le vsce-sign workaround

Layer / File(s) Summary
ppc64le vsce-sign repack and override injection
codeserver/ubi9-python-3.12/get_code_server_rpm.sh
On ppc64le, reads the @vscode/vsce-sign version from package-lock.json, repacks the dependency with a postinstall.js that exits 0 immediately on ppc64/s390x, and injects the patched tarball as a package.json override before the npm install, build, and packaging steps execute.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Title check ✅ Passed The title clearly summarizes the main change: adding a patch for vsce-sign on PPC64LE CodeServer builds, directly relating to the changeset.
Description check ✅ Passed The description includes all required sections: detailed explanation of the issue, comprehensive testing instructions with environment setup, and all self-checklist and merge criteria items marked complete.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.

✏️ Tip: You can configure your own custom pre-merge checks in the settings.

✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands and usage tips.

@daniellutz daniellutz requested a review from jiridanek June 22, 2026 13:00
@github-actions

Copy link
Copy Markdown

@daniellutz — This PR is from a fork.
The build-rhoai CI job was skipped because subscription
builds (RHEL, AIPCC) need secrets unavailable to forks.
ODH builds and code quality checks still ran.

Recommended: Push your branch to the main repo for full CI:

git remote add upstream https://github.com/red-hat-data-services/notebooks.git
git push upstream HEAD:daniellutz/your-branch-name

Then open a new PR from that branch.

No push access? A maintainer will cherry-pick and test your changes.

See CONTRIBUTING.md for details.

@codecov-commenter

Copy link
Copy Markdown

❌ 3 Tests Failed:

Tests completed Failed Passed Skipped
56 3 53 0
View the top 3 failed test(s) by shortest run time
dockerfile::TestParseAllDockerfiles//home/runner/work/notebooks/notebooks/rstudio/rhel9-python-3.11/Dockerfile.konflux.cpu
Stack Traces | 0s run time
=== RUN   .../notebooks/rstudio/rhel9-python-3.11/Dockerfile.konflux.cpu
2026/06/22 13:01:57 InvalidDefaultArgInFrom%!(EXTRA string=Default value for global ARG results in an empty or invalid base image name, string=https://docs.docker..../dockerfile/rule/invalid-default-arg-in-from/, string=Default value for ARG ${BASE_IMAGE} results in empty or invalid base image name, []parser.Range=[{{14 0} {14 0}}])
2026/06/22 13:01:57 SecretsUsedInArgOrEnv%!(EXTRA string=Sensitive data should not be used in the ARG or ENV commands, string=https://docs.docker..../dockerfile/rule/secrets-used-in-arg-or-env/, string=Do not use ARG or ENV instructions for sensitive data (ARG "SECRET_DIR"), []parser.Range=[{{72 0} {72 0}}])
    buildinputs_test.go:54: dockerfile copies in a whole directory: rstudio/utils
    buildinputs_test.go:50: stat .../notebooks/rstudio/rhel9-python-3.12/nginx/api: no such file or directory
--- FAIL: .../notebooks/rstudio/rhel9-python-3.11/Dockerfile.konflux.cpu (0.00s)
dockerfile::TestParseAllDockerfiles//home/runner/work/notebooks/notebooks/rstudio/rhel9-python-3.11/Dockerfile.konflux.cuda
Stack Traces | 0s run time
=== RUN   .../notebooks/rstudio/rhel9-python-3.11/Dockerfile.konflux.cuda
2026/06/22 13:01:57 InvalidDefaultArgInFrom%!(EXTRA string=Default value for global ARG results in an empty or invalid base image name, string=https://docs.docker..../dockerfile/rule/invalid-default-arg-in-from/, string=Default value for ARG ${BASE_IMAGE} results in empty or invalid base image name, []parser.Range=[{{14 0} {14 0}}])
2026/06/22 13:01:57 SecretsUsedInArgOrEnv%!(EXTRA string=Sensitive data should not be used in the ARG or ENV commands, string=https://docs.docker..../dockerfile/rule/secrets-used-in-arg-or-env/, string=Do not use ARG or ENV instructions for sensitive data (ARG "SECRET_DIR"), []parser.Range=[{{72 0} {72 0}}])
    buildinputs_test.go:50: stat .../notebooks/rstudio/rhel9-python-3.12/httpd/rstudio-cgi.conf: no such file or directory
--- FAIL: .../notebooks/rstudio/rhel9-python-3.11/Dockerfile.konflux.cuda (0.00s)
dockerfile::TestParseAllDockerfiles
Stack Traces | 0.1s run time
=== RUN   TestParseAllDockerfiles
    buildinputs_test.go:34: found 51 Dockerfiles in .../work/notebooks/notebooks
--- FAIL: TestParseAllDockerfiles (0.10s)

To view more test analytics, go to the Test Analytics Dashboard
📋 Got 3 mins? Take this short survey to help us improve Test Analytics.

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@coderabbitai is this the same fix already present on main, or something new?

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Check if the fix exists on main branch
gh api repos/red-hat-data-services/notebooks/contents/codeserver/ubi9-python-3.12/get_code_server_rpm.sh?ref=main \
  --jq '.content' | base64 -d | grep -n "vsce-sign\|ppc64le\|postinstall" || echo "No matches found on main"

Length of output: 394


🏁 Script executed:

#!/bin/bash
# Check what exists in the codeserver directory on main
gh api "repos/red-hat-data-services/notebooks/contents/codeserver?ref=main" --jq '.[].name' 2>/dev/null || echo "codeserver dir not found on main"

# Check if the file exists at a different path on main
gh api "repos/red-hat-data-services/notebooks/git/trees/main?recursive=1" --jq '.tree[].path' 2>/dev/null | grep "get_code_server" || echo "No get_code_server file found on main"

Length of output: 563


🏁 Script executed:

#!/bin/bash
# Check the PR details
gh pr view 2403 --repo red-hat-data-services/notebooks --json title,baseRefName,headRefName,files

# Check what files exist in the codeserver/ubi9-python-3.12 directory on main
gh api "repos/red-hat-data-services/notebooks/contents/codeserver/ubi9-python-3.12?ref=main" --jq '.[].name' 2>/dev/null

# Check what files are changed in this PR
gh pr diff 2403 --repo red-hat-data-services/notebooks --name-only 2>/dev/null | head -30

Length of output: 1048


🏁 Script executed:

#!/bin/bash
# Check the rhoai-2.25 branch (base branch) version of the file
gh api "repos/red-hat-data-services/notebooks/contents/codeserver/ubi9-python-3.12/get_code_server_rpm.sh?ref=rhoai-2.25" \
  --jq '.content' | base64 -d | grep -n "vsce-sign\|postinstall\|ppc64" || echo "No matches on rhoai-2.25"

# Also check if main branch has the fix in any related file
gh api "repos/red-hat-data-services/notebooks/git/trees/main?recursive=1" --jq '.tree[].path' | grep -i "codeserver\|code.server\|vsce" || echo "No codeserver files on main"

# Check if there's a similar fix on main by searching recent PRs
gh pr list --repo red-hat-data-services/notebooks --state merged --search "vsce-sign ppc64" --json number,title,baseRefName 2>/dev/null | head -20

Length of output: 8972



@jiridanek This is a new fix — it does not exist anywhere else in the repository in this form:

  • The PR targets the rhoai-2.25 release branch, and the rhoai-2.25 base version of get_code_server_rpm.sh does not contain this workaround (no matches for vsce-sign or postinstall on the base branch).
  • The main branch does not have get_code_server_rpm.sh at all — it uses a completely different offline/prefetch build approach (prefetch-input/patches/code-server-v4.106.3/) rather than building code-server from source at runtime.

So this fix is being introduced fresh into the rhoai-2.25 branch's online build script. There's no equivalent fix on main to compare against.


🧠 Learnings used
Learnt from: daniellutz
Repo: red-hat-data-services/notebooks PR: 2340
File: codeserver/ubi9-python-3.12/Dockerfile.cpu:24-26
Timestamp: 2026-06-08T15:07:27.675Z
Learning: In red-hat-data-services/notebooks under `codeserver/ubi9-python-3.12/`, treat CODESERVER_VERSION and NODE_VERSION bumps (e.g., in `Dockerfile.cpu`, `Dockerfile.konflux.cpu`, and `get_code_server_rpm.sh`) as following an intentional incremental upgrade strategy. During review, do not flag these changes as requiring an immediate jump to the latest available versions; only verify that the bump is part of the planned controlled stepwise upgrade sequence (e.g., moving to the next agreed version rather than skipping ahead).

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Fetch apply-patch.sh from main to compare
gh api "repos/red-hat-data-services/notebooks/contents/codeserver/ubi9-python-3.12/prefetch-input/patches/apply-patch.sh?ref=main" \
  --jq '.content' | base64 -d

Length of output: 8060



@jiridanek You're right — they solve the exact same problem with the same general concept: prevent @vscode/vsce-sign's postinstall script from running on ppc64le/s390x. The difference is the build context:

main (apply-patch.sh) This PR (get_code_server_rpm.sh)
Build type Hermetic/offline (Cachi2 prefetched tarballs) Online (downloads from npm registry)
Mechanism Patches the cached .tgz directly (removes postinstall from its package.json), sets hasInstallScript=false + strips integrity in lockfile npm packs from registry, wraps postinstall.js to early-exit, repacks, injects via npm overrides

The main branch fix can't npm pack from the internet (hermetic build), so it modifies the pre-fetched tarball in-place. This PR's rhoai-2.25 online build can reach the registry, so it uses the repack+override approach instead.

The main approach is arguably cleaner (removing postinstall entirely vs. wrapping it) — if desired, the PR could adopt the same strategy by patching the packed tarball's package.json to del(.scripts.postinstall) rather than wrapping the script. But both approaches are functionally equivalent for the goal of skipping the unsupported binary download on ppc64le.


🧠 Learnings used
Learnt from: daniellutz
Repo: red-hat-data-services/notebooks PR: 2340
File: codeserver/ubi9-python-3.12/Dockerfile.cpu:24-26
Timestamp: 2026-06-08T15:07:27.675Z
Learning: In red-hat-data-services/notebooks under `codeserver/ubi9-python-3.12/`, treat CODESERVER_VERSION and NODE_VERSION bumps (e.g., in `Dockerfile.cpu`, `Dockerfile.konflux.cpu`, and `get_code_server_rpm.sh`) as following an intentional incremental upgrade strategy. During review, do not flag these changes as requiring an immediate jump to the latest available versions; only verify that the bump is part of the planned controlled stepwise upgrade sequence (e.g., moving to the next agreed version rather than skipping ahead).

@daniellutz daniellutz marked this pull request as ready for review June 22, 2026 13:43
@openshift-ci openshift-ci Bot requested review from dibryant and jiridanek June 22, 2026 13:44

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@codeserver/ubi9-python-3.12/get_code_server_rpm.sh`:
- Around line 71-76: The vsceSignVersion variable extraction using jq can return
null if the package-lock.json structure changes, leading to unclear failures in
the subsequent npm pack and tar commands. Add an explicit validation check
immediately after the jq command extracts the vsceSignVersion to verify it is
not empty or null. If the version is empty or null, exit the script with a clear
error message indicating that the vsce-sign package version lookup failed. This
will provide a faster, more informative failure rather than letting the script
continue and fail later on the npm pack or tar extraction steps.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 1099a4dc-ad64-44e9-97cd-156ca9e6a3c0

📥 Commits

Reviewing files that changed from the base of the PR and between 33b3113 and cff4b69.

📒 Files selected for processing (1)
  • codeserver/ubi9-python-3.12/get_code_server_rpm.sh

Comment on lines +71 to +76
vsceSignVersion=$(jq -r '.packages["node_modules/@vscode/vsce-sign"].version' lib/vscode/build/package-lock.json)
patchdir=$(mktemp -d)
extracted="$patchdir/extracted"
mkdir -p "$extracted"
npm pack "@vscode/vsce-sign@${vsceSignVersion}" --pack-destination="$patchdir"
tar -xzf "$patchdir/vscode-vsce-sign-${vsceSignVersion}.tgz" -C "$extracted" --strip-components=1

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Fail fast when @vscode/vsce-sign version lookup returns empty/null.

At Line 71, jq can return null if lockfile structure shifts, which then causes a later npm pack/tar failure with a less clear error. Add an explicit guard right after extraction.

Suggested patch
 	vsceSignVersion=$(jq -r '.packages["node_modules/@vscode/vsce-sign"].version' lib/vscode/build/package-lock.json)
+	if [[ -z "${vsceSignVersion}" || "${vsceSignVersion}" == "null" ]]; then
+		echo "Failed to resolve `@vscode/vsce-sign` version from lib/vscode/build/package-lock.json" >&2
+		exit 1
+	fi
 	patchdir=$(mktemp -d)
 	extracted="$patchdir/extracted"
 	mkdir -p "$extracted"
 	npm pack "`@vscode/vsce-sign`@${vsceSignVersion}" --pack-destination="$patchdir"
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@codeserver/ubi9-python-3.12/get_code_server_rpm.sh` around lines 71 - 76, The
vsceSignVersion variable extraction using jq can return null if the
package-lock.json structure changes, leading to unclear failures in the
subsequent npm pack and tar commands. Add an explicit validation check
immediately after the jq command extracts the vsceSignVersion to verify it is
not empty or null. If the version is empty or null, exit the script with a clear
error message indicating that the vsce-sign package version lookup failed. This
will provide a faster, more informative failure rather than letting the script
continue and fail later on the npm pack or tar extraction steps.

@daniellutz

Copy link
Copy Markdown
Author

/build-konflux

@jiridanek jiridanek left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

if this is the version from main, then I'm ok with that

@openshift-ci

openshift-ci Bot commented Jun 26, 2026

Copy link
Copy Markdown

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: jiridanek

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants