RHAIENG-5134: chore(ci) Fix RHOAI 3.3 CI test failures [rhoai-3.3] #2434
mtchoum1 wants to merge 9 commits into
…able composite action (opendatahub-io#3096) Consolidated various `apt-get` commands across GitHub workflows into a single `apt-install` composite action for improved maintainability. Refactored workflows to leverage the new action, reducing duplication and ensuring consistent behavior. Streamlined APT configuration by introducing CI-specific optimizations (e.g., disabling docs/man pages) and breaking steps into smaller, reusable blocks. Added `eatmydata` usage to enhance package installation performance.
…le and Dockerfile.konflux (opendatahub-io#3030)
The provision-k8s CI action fails intermittently when downloading the Kubernetes apt signing key from pkgs.k8s.io due to transient 403 errors from CloudFront WAF blocking GitHub Actions runner IPs. Add a retry_cmd helper with exponential backoff (3 attempts, 5/10/20s delays) and wrap the three failure-prone commands:
- Kubernetes signing key fetch: retries primary URL (pkgs.k8s.io), then falls back to prod-cdn.packages.k8s.io if all primary attempts fail
- CRI-O signing key fetch: retries with backoff
- apt-get update: retries with backoff
…ing (opendatahub-io#3869) Co-authored-by: Jiri Daněk <jdanek@redhat.com> Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Backport the TrustyAI papermill fix from odh/main: test data is already copied into the pod via kubectl cp, so remote raw.githubusercontent.com URLs are unnecessary and fail with 404. Co-authored-by: Cursor <cursoragent@cursor.com>
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: The full list of commands accepted by this bot can be found here. DetailsNeeds approval from an approver in each of these files:Approvers can indicate their approval by writing |
📝 Walkthrough
This PR updates CI and build workflow storage, dependency-install, and test gating flows, while also changing base images, runtime Dockerfiles, PDF dependency handling, RStudio repository usage, TrustyAI runtime setup, and llmcompressor notebook/test support.
Changes
CI and build workflow updates
Estimated code review effort: 4 (Complex) | ~55 minutes
Image and runtime updates
Estimated code review effort: 4 (Complex) | ~50 minutes
🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
70d9268 to 22f676e
/build-konflux
Actionable comments posted: 6
Caution
Some comments are outside the diff and can’t be posted inline due to platform limitations.
⚠️ Outside diff range comments (3)
jupyter/utils/install_pdf_deps.sh (1)
20-24: 🎯 Functional Correctness | 🔴 Critical | ⚡ Quick win
New ppc64le pandoc install path is unreachable dead code.
Lines 20-24 unconditionally `exit 0` for both `s390x` and `ppc64le` before the script ever reaches the newly added `pandoc` installation logic at Lines 92-104. The EPEL-based `ppc64le` branch you just added (Lines 92-99) will never execute, since the script already exited earlier for that architecture. This defeats the purpose of the change (per the PR objectives, adding multi-arch pandoc support for ppc64le).
You likely need to remove `ppc64le` from the early skip condition (keeping the skip for `s390x` only, since the GitHub tarball has no `s390x` build and no alternate install path exists for it), or otherwise restructure the flow so the `ppc64le` EPEL branch is reachable.
🐛 Proposed fix
-# Skip PDF export installation for s390x and ppc64le architectures -if [[ "$(uname -m)" == "s390x" || "$(uname -m)" == "ppc64le" ]]; then - echo "PDF export functionality is not supported on $(uname -m) architecture. Skipping installation." +# Skip PDF export installation for s390x architecture (no pandoc/texlive path available) +if [[ "$(uname -m)" == "s390x" ]]; then + echo "PDF export functionality is not supported on $(uname -m) architecture. Skipping installation." exit 0 fiAlso applies to: 92-104
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@jupyter/utils/install_pdf_deps.sh` around lines 20 - 24, The early architecture skip in install_pdf_deps.sh makes the new ppc64le pandoc install branch unreachable. Update the uname -m guard so only s390x exits early, and allow ppc64le to continue into the existing pandoc installation flow in install_pdf_deps.sh; verify the ppc64le EPEL logic remains reachable while the s390x fallback still skips as intended.
.github/workflows/build-notebooks-TEMPLATE.yaml (1)
78-90: 🔒 Security & Privacy | 🟠 Major | ⚡ Quick win
Multiple GitHub Actions references are pinned to mutable tags, not commit SHAs.
`actions/checkout@v6` (Lines 78, 85), `actions/setup-go@v6` (Lines 141, 481), `docker/login-action@v3` (Line 149), and `astral-sh/setup-uv@v7` (Line 327) are all referenced by tag. Elsewhere in this same PR's files, actions are consistently pinned by commit SHA with a trailing version comment (e.g. `actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5`, `actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2`). Mutable tags can be repointed (supply-chain risk), which is exactly the convention this repo's SHA-pinning flow is meant to prevent.
As per coding guidelines, "When editing GitHub Actions or action metadata, follow the SHA pinning flow described in `.github/AGENTS.md`."
Also applies to: 140-149, 326-329, 475-491
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In @.github/workflows/build-notebooks-TEMPLATE.yaml around lines 78 - 90, The workflow is still using mutable action tags, so update each referenced action in the affected steps to a full commit SHA and keep the trailing version comment consistent with the repo’s pinning convention. Apply this to the checkout logic in the current block, plus the other occurrences of actions/setup-go, docker/login-action, and astral-sh/setup-uv in the workflow. Use the existing SHA-pinning pattern already used elsewhere in the repository and follow the `.github/AGENTS.md` guidance for action metadata edits.
Source: Coding guidelines
ci/cached-builds/make_test.py (1)
80-80: 🎯 Functional Correctness | 🟠 Major | ⚡ Quick win
`wait_for_stability` never receives `target`, so the heavy-target timeout is dead code.
`run_tests` calls `wait_for_stability(pod)` at Line 80 without the `target` argument, so `target` always defaults to `""`, meaning `any(h in target for h in _HEAVY_TARGETS)` never matches and heavy images (`jupyter-datascience`, `jupyter-trustyai`) never get the intended 200s timeout — they'll keep using the 100s timeout that presumably caused flakiness in the first place.
🐛 Proposed fix
check_call(f"make {deploy}-{deploy_target}", shell=True) - wait_for_stability(pod) + wait_for_stability(pod, target)Also applies to: 142-152
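Review bot: The unchanged context line `check_call(f"make {deploy}-{deploy_target}", shell=True)` builds a shell command by string interpolation, so any shell metacharacter in `deploy` or `deploy_target` is interpreted by the shell. While this call site is being touched, consider an argument list without `shell=True`, for example `check_call(["make", f"{deploy}-{deploy_target}"])`. The change shown covers only Line 80; the other call sites the comment refers to (142-152) are not in this hunk and need the same `target` argument.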
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@ci/cached-builds/make_test.py` at line 80, `wait_for_stability` is always called without the `target` value, so its heavy-target timeout branch in `wait_for_stability` never triggers. Update the `run_tests` call sites (including the ones around the other `wait_for_stability` usages) to pass the current `target` through, and make sure the `wait_for_stability(pod, target)` signature is used consistently so `_HEAVY_TARGETS` can correctly select the longer timeout for heavy images.
♻️ Duplicate comments (1)
jupyter/minimal/ubi9-python-3.12/Dockerfile.konflux.cpu (1)
83-88: 🩺 Stability & Availability | 🟠 Major | ⚡ Quick win
Same missing-retry concern as the non-konflux CPU variant.
Same issue as `jupyter/minimal/ubi9-python-3.12/Dockerfile.cpu`: direct `./utils/install_pdf_deps.sh` call bypasses the retry wrapper used elsewhere (`install_with_retry.sh texlive-install`), reintroducing network-flakiness risk during builds.
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@jupyter/minimal/ubi9-python-3.12/Dockerfile.konflux.cpu` around lines 83 - 88, The PDF export dependency install in the Dockerfile.konflux.cpu variant is calling the script directly instead of using the retry wrapper, which reintroduces flaky build failures. Update the `RUN ./utils/install_pdf_deps.sh` step to use the same retry mechanism as other Dockerfiles by invoking `install_with_retry.sh texlive-install`, and keep the surrounding `PDF export` block unchanged.
🧹 Nitpick comments (5)
scripts/test_jupyter_with_papermill.sh (3)
304-320: 📐 Maintainability & Code Quality | 🔵 Trivial | 💤 Low value
Docstring is now stale.
The comment still says "copies the relevant test_notebook.ipynb file," but `_run_test` (via `_run_test_notebooks_only`) now copies the entire test directory (`"${repo_test_directory}/."`), not just the single notebook file.
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@scripts/test_jupyter_with_papermill.sh` around lines 304 - 320, The `_run_test` function’s docstring is stale because it still says the runner copies a single `test_notebook.ipynb`, but the current flow through `_run_test_notebooks_only` copies the whole test directory. Update the comment above `_run_test` to describe the actual behavior, keeping the reference to `_run_test_notebooks_only` and the test directory copy so the documentation matches the implementation.
274-283: 📐 Maintainability & Code Quality | 🔵 Trivial | ⚡ Quick win
Add the same shellcheck suppression used elsewhere for this intentional single-quote pattern.
Static analysis flags SC2016 here, but `$f` is meant to be expanded inside the remote `/bin/sh -c` script, not locally — the same intentional pattern already documented with `# shellcheck disable=SC2016` a few lines above (around `_create_test_versions_source_of_truth`). Adding the same comment here keeps the lint output clean and consistent with the established convention in this file.
🧹 Suggested fix
+ # shellcheck disable=SC2016 "${kbin}" exec "${notebook_workload_name}" -- /bin/sh -c 'f="'"${output_file_prefix}"'_error.txt"; [ -f "$f" ] || : >"$f"'🤖 Prompt for AI Agents
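Review bot: The added `# shellcheck disable=SC2016` quiets the lint, but the line it covers still splices `${output_file_prefix}` into the remote script text through the `'"${output_file_prefix}"'` quoting, so a quote or `$` in that value would be parsed by the pod's `/bin/sh` as code rather than data. Passing the value as a positional parameter keeps it as data and removes the mixed quoting: `/bin/sh -c 'f="${1}_error.txt"; [ -f "$f" ] || : >"$f"' sh "${output_file_prefix}"`.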
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@scripts/test_jupyter_with_papermill.sh` around lines 274 - 283, The remote /bin/sh -c cleanup command in scripts/test_jupyter_with_papermill.sh is using an intentional single-quote expansion pattern that triggers SC2016. Add the same shellcheck suppression convention already used elsewhere in this script (around _create_test_versions_source_of_truth) immediately before the "${kbin}" exec invocation, so the $f expansion remains local to the remote shell script and the lint stays consistent.
Source: Linters/SAST tools
146-149: 🎯 Functional Correctness | 🔵 Trivial | ⚡ Quick win
Hardcoded os/python-flavor string is brittle to future version bumps.
Unlike the neighboring cases which match against variables (`$jupyter_minimal_notebook_id`, `$rocm_target_prefix`), this new case hardcodes the full `ubi9-python-3-12` suffix. If the Python/OS flavor for this image changes later, this exact-match case silently stops matching and falls through to the default branch, silently reverting to the wrong (non-shortened) workload name.
♻️ Suggested fix using dynamic os/python flavor
- jupyter-pytorch-llmcompressor-ubi9-python-3-12) + jupyter-pytorch-llmcompressor-"${os_flavor}-${python_flavor//./-}") # Kustomize uses shortened namePrefix/label (llmc) for this notebook notebook_name="jupyter-pytorch-llmc-ubi9-python-3-12" ;;🤖 Prompt for AI Agents
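Review bot: The case pattern becomes dynamic, but the assignment below it still sets `notebook_name="jupyter-pytorch-llmc-ubi9-python-3-12"` as a literal, so after a flavor bump the pattern would match and then select a stale workload name. Build the assigned value from the same `${os_flavor}` and `${python_flavor//./-}` expansions, and confirm both variables are set before this `case` runs, since neither definition is visible in this hunk.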
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@scripts/test_jupyter_with_papermill.sh` around lines 146 - 149, The case in scripts/test_jupyter_with_papermill.sh is hardcoding the full jupyter-pytorch-llmcompressor-ubi9-python-3-12 image name, which makes the match brittle when the OS/Python flavor changes. Update the matching logic around the notebook_name assignment to use the same dynamic pattern as neighboring cases (for example, derive the suffix from existing flavor variables used in the script) so the shortened jupyter-pytorch-llmc-ubi9-python-3-12 name is selected without depending on an exact version string.
jupyter/utils/install_pdf_deps.sh (1)
100-102: 🔒 Security & Privacy | 🔵 Trivial | 💤 Low value
Predictable `/tmp` path for downloaded tarball.
Static analysis flags `/tmp/pandoc.tar.gz` as a predictable temp path (TOCTOU/symlink risk). In an isolated, single-process container build this risk is minimal, but `mktemp` would be a trivial hardening.
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@jupyter/utils/install_pdf_deps.sh` around lines 100 - 102, The pandoc download step uses a predictable /tmp/pandoc.tar.gz path, which is flagged as a temp-file hardening issue. Update the install_pdf_deps.sh flow to use a unique temp file created with mktemp for the curl download, then pass that generated path into the existing tar extraction step and clean it up afterward; keep the change localized around the pandoc download/extract commands.
Source: Linters/SAST tools
.github/actions/install-podman-action/action.yml (1)
66-74: 📐 Maintainability & Code Quality | 🔵 Trivial | ⚡ Quick win
Storage-prep block duplicated across three files.
This `mkdir /mnt/containers/storage` (+ `tmp`) / `chown -R` sequence is repeated near-identically here, in `software-versions.yaml` ("Configure Podman"/"Prepare build environment"), and in `build-notebooks-TEMPLATE.yaml` ("Prepare build environment"). Any future change to the storage path or permissions model needs to be applied in three places consistently.
Consider factoring this into a small composite action (similar to `free-up-disk-space` or `install-podman-action` itself) that all three call sites can reuse.
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In @.github/actions/install-podman-action/action.yml around lines 66 - 74, The Podman storage-prep sequence is duplicated in this action and in the other two build workflows, so any path or permission change must be made in multiple places. Extract the shared mkdir/chown setup into a small reusable composite action or helper step, then have install-podman-action, the software-versions workflow, and the build-notebooks template invoke that shared logic instead of keeping separate copies.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In @.github/workflows/build-notebooks-TEMPLATE.yaml:
- Around line 356-359: The “Check if we have tests or not” step in the workflow
is still directly interpolating the target expression in the run command, so
update the have-tests step to pass inputs.target through an environment variable
instead of embedding it inline. Apply the same env-var pattern used elsewhere in
this workflow, and keep the change localized to the step with id have-tests /
the has_tests.py invocation.
- Around line 260-267: The workflow still interpolates inputs.target directly
into shell commands, which risks template injection in the Prefetch hermetic
build dependencies step and the later make invocation. Move the GitHub input
into a step-level env variable such as TARGET for the relevant steps in
build-notebooks-TEMPLATE.yaml, then reference that variable inside the run
scripts instead of using ${{ inputs.target }} directly. Update the COMPONENT_DIR
assignment in the prefetch step and the make call in the same job to use the
env-backed TARGET value, keeping the existing sed transformation and command
behavior intact.
- Around line 298-310: The background stats loop in the “Build: make ${{
inputs.target }}” step is started without lifecycle management, so it can
continue after make finishes. Update this step to capture the PID of the `(while
true; do ... sleep 30; done) &` process, run `make ${{ inputs.target }}`, and
then ensure the loop is terminated and waited on before the step exits. Use the
existing shell block in build-notebooks-TEMPLATE.yaml to add cleanup around the
make invocation.
- Around line 260-297: The prefetch step is using an incomplete target-to-path
conversion in the Prefetch hermetic build dependencies script, so targets with
multiple hyphens can’t resolve to the correct component directory. Update the
COMPONENT_DIR derivation in the workflow step to use the same target→path
mapping logic used elsewhere, and verify the check against prefetch-input and
the downstream calls to prefetch-all.sh and post-prefetch.sh all use the
corrected path.
In `@jupyter/minimal/ubi9-python-3.12/Dockerfile.cpu`:
- Around line 94-99: The PDF export dependency setup in the Dockerfile.cpu block
is missing the retry wrapper used by the ROCm variant, so it can fail on
transient network issues. Update the dependency install step to use the same
retry path as Dockerfile.rocm by invoking install_with_retry.sh with the
texlive-install target instead of calling install_pdf_deps.sh directly, while
keeping the PATH export unchanged.
In `@tests/manifests.py`:
- Around line 328-331: The runtime llmcompressor manifest mapping is pointing at
the base notebook imagestream instead of the llmcompressor imagestream. Update
the manifests mapping entry for
runtime-cuda-pytorch-llmcompressor-ubi9-python-3.12 in tests/manifests.py so it
references jupyter-pytorch-llmcompressor-imagestream.yaml, keeping it aligned
with the cuda-jupyter-pytorch-llmcompressor-ubi9-python-3.12 target.
ℹ️ Review info
⚙️ Run configuration
Configuration used: Path: .coderabbit.yaml
Review profile: CHILL
Plan: Enterprise
Run ID: 5bdaca58-914e-4039-9054-11fc54944a2e
⛔ Files ignored due to path filters (1)
- `scripts/check-payload/go.sum` is excluded by `!**/*.sum`
📒 Files selected for processing (47)
- .github/actions/free-up-disk-space/action.yml
- .github/actions/install-podman-action/action.yml
- .github/actions/playwright-test/action.yml
- .github/actions/provision-k8s/action.yml
- .github/workflows/build-notebooks-TEMPLATE.yaml
- .github/workflows/code-quality.yaml
- .github/workflows/notebooks-digest-updater.yaml
- .github/workflows/params-env.yaml
- .github/workflows/pr-merge-image-delete.yml
- .github/workflows/sec-scan.yml
- .github/workflows/software-versions.yaml
- .github/workflows/test-install-podman.yaml
- .github/workflows/test-trivy-scan-action.yaml
- ci/cached-builds/crio.conf
- ci/cached-builds/gha_lvm_overlay.sh
- ci/cached-builds/kubeadm.yaml
- ci/cached-builds/make_test.py
- ci/cached-builds/storage.conf
- jupyter/datascience/ubi9-python-3.12/build-args/cpu.conf
- jupyter/datascience/ubi9-python-3.12/kustomize/base/statefulset.yaml
- jupyter/minimal/ubi9-python-3.12/Dockerfile.cpu
- jupyter/minimal/ubi9-python-3.12/Dockerfile.konflux.cpu
- jupyter/minimal/ubi9-python-3.12/kustomize/base/statefulset.yaml
- jupyter/pytorch+llmcompressor/ubi9-python-3.12/pylock.toml
- jupyter/pytorch+llmcompressor/ubi9-python-3.12/pyproject.toml
- jupyter/pytorch+llmcompressor/ubi9-python-3.12/test/test_notebook.ipynb
- jupyter/trustyai/ubi9-python-3.12/Dockerfile.cpu
- jupyter/trustyai/ubi9-python-3.12/Dockerfile.konflux.cpu
- jupyter/trustyai/ubi9-python-3.12/test/test_notebook.ipynb
- jupyter/utils/install_pandoc.sh
- jupyter/utils/install_pdf_deps.sh
- rstudio/c9s-python-3.12/Dockerfile.cpu
- rstudio/c9s-python-3.12/Dockerfile.cuda
- rstudio/rhel9-python-3.12/Dockerfile.cpu
- rstudio/rhel9-python-3.12/Dockerfile.cuda
- rstudio/rhel9-python-3.12/Dockerfile.konflux.cpu
- rstudio/rhel9-python-3.12/Dockerfile.konflux.cuda
- runtimes/datascience/ubi9-python-3.12/Dockerfile.cpu
- runtimes/datascience/ubi9-python-3.12/Dockerfile.konflux.cpu
- runtimes/datascience/ubi9-python-3.12/build-args/cpu.conf
- runtimes/minimal/ubi9-python-3.12/Dockerfile.cpu
- runtimes/minimal/ubi9-python-3.12/Dockerfile.konflux.cpu
- runtimes/minimal/ubi9-python-3.12/build-args/cpu.conf
- scripts/check-payload/go.mod
- scripts/test_jupyter_with_papermill.sh
- tests/browser/package.json5
- tests/manifests.py
💤 Files with no reviewable changes (2)
- jupyter/utils/install_pandoc.sh
- ci/cached-builds/gha_lvm_overlay.sh
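Two of the workflow findings in the review above, actions referenced by mutable tag and `${{ inputs.target }}` interpolated directly into `run:` scripts, can be checked mechanically. The following is an added example, not code from this PR or from CodeRabbit; `audit_workflow`, the rule names and the sample workflow are constructed for illustration, and the line-based scan assumes conventionally indented workflow YAML.

```python
import re

# Constructed sample workflow (not taken from the PR). It has one SHA-pinned
# action, one tag-pinned action, two run steps that interpolate an input
# inline, and one step that passes the input through env instead.
SAMPLE_WORKFLOW = """\
jobs:
  build:
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      - uses: actions/setup-go@v6
      - name: Build
        run: make ${{ inputs.target }}
      - name: Check tests
        env:
          TARGET: ${{ inputs.target }}
        run: |
          python3 has_tests.py --target "$TARGET"
      - name: Prefetch
        run: |
          COMPONENT_DIR="${{ inputs.target }}"
          ls "$COMPONENT_DIR"
"""

USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*([^\s#]+)")
RUN_RE = re.compile(r"^\s*(?:-\s*)?run:\s*(.*)$")
FULL_SHA_RE = re.compile(r"[0-9a-f]{40}")
# Expression contexts a workflow caller or PR author can influence.
EXPR_RE = re.compile(
    r"\$\{\{\s*((?:inputs|github\.event|github\.head_ref)\b[^}]*?)\s*\}\}"
)


def _inline_expressions(line_no, text):
    """Findings for every caller-controlled expression pasted into a script."""
    return [(line_no, "inline-expression", m.group(1))
            for m in EXPR_RE.finditer(text)]


def audit_workflow(text):
    """Return (line_no, rule, detail) findings for one workflow file."""
    findings = []
    run_col = None  # column of the `run:` key while inside its block scalar
    for line_no, line in enumerate(text.splitlines(), start=1):
        indent = len(line) - len(line.lstrip())
        if run_col is not None:
            if line.strip() and indent <= run_col:
                run_col = None  # dedent: the block scalar has ended
            else:
                findings += _inline_expressions(line_no, line)
                continue
        m = USES_RE.match(line)
        if m:
            ref = m.group(1).strip("'\"")
            # Local actions and container images are out of scope here.
            if not ref.startswith(("./", "docker://")):
                rev = ref.partition("@")[2]
                if not FULL_SHA_RE.fullmatch(rev):
                    findings.append((line_no, "unpinned-action", ref))
            continue
        m = RUN_RE.match(line)
        if m:
            body = m.group(1)
            findings += _inline_expressions(line_no, body)
            if body[:1] in ("|", ">"):
                run_col = line.index("run:")
    return findings


if __name__ == "__main__":
    for line_no, rule, detail in audit_workflow(SAMPLE_WORKFLOW):
        print(f"line {line_no}: {rule}: {detail}")
```

The `Check tests` step is not reported because the expression is evaluated into an environment variable and the script only sees `"$TARGET"` as data.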
fcaa6b1 to 1b0d5b2
@coderabbitai full review
/build-konflux
✅ Action performed
Full review finished.
1b0d5b2 to b3e96a4
/build-konflux
b3e96a4 to 1559073
/build-konflux
2 similar comments
/build-konflux
/build-konflux
7c4a72f to 9a0ba82
9a0ba82 to 1559073
/build-konflux
5786688 to c4438ef
/build-konflux
Description
This PR addresses remaining CI failures on the RHOAI 3.3 branch across GHA build/test workflows, container payload validation, papermill e2e tests, and multi-arch (s390x/ppc64le) image builds.
CI / GHA infrastructure
- .github/workflows/build-notebooks-TEMPLATE.yaml): improved matrix job orchestration, disk/prune tuning, and papermill test integration; removed obsolete `gha_lvm_overlay.sh`.
- `apt-get` usage across workflows via the shared `apt-install` composite action (ISSUE#2668 backport).
- .github/actions/provision-k8s): bumped CRI-O and Kubernetes to 1.36; added retry with exponential backoff and fallback CDN for transient pkgs.k8s.io signing-key download failures (RHOAIENG-67536).
- `tests/browser/package.json5` for codeserver UI validation.
- `free-up-disk-space` and `make_test.py`; fixed s390x FIPS scan via check-payload dependency update.
Container / Dockerfile fixes
- `Dockerfile.cpu` and `Dockerfile.konflux.cpu`; consolidated logic into `install_pdf_deps.sh` and removed redundant `install_pandoc.sh`.
Test / script fixes
- scripts/test_jupyter_with_papermill.sh): improved derived-image version resolution and test orchestration.
How Has This Been Tested?
- `mtchoum1/green-3.3`: https://github.com/red-hat-data-services/notebooks/actions/runs/28614286081
Self checklist (all need to be checked):
- `make test` (`gmake` on macOS) before asking for review
- `Dockerfile.konflux` files should be done in `odh/notebooks` and automatically synced to `rhds/notebooks`. For Konflux-specific changes, modify `Dockerfile.konflux` files directly in `rhds/notebooks` as these require special attention in the downstream repository and flow to the upcoming RHOAI release.
Merge criteria:
Made with Cursor
Summary by CodeRabbit