Skip to content

Add k8s-rebase plugin for Kubernetes dependency rebases#617

Draft
dfarrell07 wants to merge 1 commit into
openshift-eng:mainfrom
dfarrell07:k8s-rebase-skill
Draft

Add k8s-rebase plugin for Kubernetes dependency rebases#617
dfarrell07 wants to merge 1 commit into
openshift-eng:mainfrom
dfarrell07:k8s-rebase-skill

Conversation

@dfarrell07

@dfarrell07 dfarrell07 commented Jul 13, 2026

Copy link
Copy Markdown

Automates k8s.io/* dependency rebases for Go projects. Handles dep bumps, codegen, version references, compilation fixes, lint migration, feature gate management, and antagonistic review.

The skill improves itself across runs: when a rebase surfaces a new breakage pattern (via gates, local validation, or CI), the agent fixes it and documents the pattern. The next repo or k8s version benefits from that pattern automatically — through autofix functions, gate checks, or patterns doc entries.

Scripts:

  • k8s-rebase.sh: deterministic rebase (deps, codegen, version refs)
  • k8s-rebase-autofix.sh: named fix functions for known breakage patterns (x/exp, reflect.Ptr, klog v1, FieldsV1, Eventf, CRDs, feature gates, KIND, MetalLB, KubeVirt, golangci-lint v1→v2)
  • k8s-rebase-validate.sh: build/vet/lint/test with skip detection
  • k8s-rebase-review.sh: antagonistic review via separate Claude instance

29 gate subagents across 4 verification steps verify the rebase before the agent proceeds. Count gates enforce hard constraints (build errors, version mismatches, test skips). Judge gates review diffs for correctness. Discovery gates read external signals (dep release notes, k8s changelog, CVE databases, go.mod risk classification) to catch issues that build/lint/test cannot detect.

Patterns doc catalogs 30+ breakage patterns with fix recipes and extension guide for future k8s versions.

What this PR does / why we need it:

Which issue(s) this PR fixes:

Fixes

Special notes for your reviewer:

Checklist:

  • Subject and description added to both, commit and PR.
  • Relevant issues have been referenced.
  • This change includes docs.

Summary by CodeRabbit

  • New Features
    • Introduced a new k8s-rebase marketplace plugin (v0.1.0) to automate Kubernetes k8s.io/* dependency rebases for Go repositories, including deterministic steps, code generation updates, repo reference syncing, validation, and fix review.
  • Documentation
    • Added a complete skill guide plus extensive Kubernetes rebase pattern references and step-by-step verification/checklists (build/vet, autofix review, CI readiness, correctness, CVE verification).

@openshift-ci openshift-ci Bot added the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Jul 13, 2026
@openshift-ci

openshift-ci Bot commented Jul 13, 2026

Copy link
Copy Markdown

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: dfarrell07

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci openshift-ci Bot added the needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. label Jul 13, 2026
@openshift-ci

openshift-ci Bot commented Jul 13, 2026

Copy link
Copy Markdown

Hi @dfarrell07. Thanks for your PR.

I'm waiting for a openshift-eng member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work.

Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@openshift-ci openshift-ci Bot added approved Indicates a PR has been approved by an approver from all required OWNERS files. do-not-merge/invalid-owners-file Indicates that a PR should not merge because it has an invalid OWNERS file in it. labels Jul 13, 2026
@coderabbitai

coderabbitai Bot commented Jul 13, 2026

Copy link
Copy Markdown
Contributor

Walkthrough

Adds the k8s-rebase marketplace plugin for automating Kubernetes dependency rebases in Go repositories, including dependency updates, code generation, deterministic autofixes, validation, antagonistic review, and read-only verification gates.

Changes

Kubernetes rebase plugin

Layer / File(s) Summary
Plugin contract and workflow guidance
.claude-plugin/marketplace.json, docs/index.html, plugins/k8s-rebase/{.claude-plugin/*,README.md,OWNERS}, plugins/k8s-rebase/docs/*, plugins/k8s-rebase/skills/*
Registers version 0.1.0 and documents usage, ownership, workflow stages, operational constraints, and Kubernetes rebase patterns.
Mechanical dependency rebase
plugins/k8s-rebase/scripts/k8s-rebase.sh
Adds version-aware dependency rebasing, container fallback, code generation, CRD preservation, repository version updates, optional tool bumps, and structured commits.
Deterministic autofix orchestration
plugins/k8s-rebase/scripts/k8s-rebase-autofix.sh
Adds diagnostic checks and ordered fixes for API migrations, feature gates, CRDs, infrastructure versions, imports, mocks, and vet issues.
Validation and antagonistic review tooling
plugins/k8s-rebase/scripts/k8s-rebase-{validate,review}.sh, plugins/k8s-rebase/scripts/k8s-rebase-review-prompt.md
Adds multi-mode validation, CI-parity checks, privileged tests, failure summaries, and bounded commit reviews.
Verification gate checklists
plugins/k8s-rebase/gates/*
Adds read-only count-based and evidence-based checks for rebase completeness, compilation, autofix correctness, dependency consistency, CI readiness, security, and final review.

Estimated code review effort: 5 (Critical) | ~120 minutes

Sequence Diagram(s)

sequenceDiagram
  participant Developer
  participant RebaseScript
  participant GoModules
  participant Autofix
  participant Validator
  participant ReviewAgent
  Developer->>RebaseScript: provide target Kubernetes version
  RebaseScript->>GoModules: update dependencies and regenerate code
  RebaseScript->>Autofix: run deterministic post-rebase fixes
  Autofix->>Validator: run build, lint, test, and vet validation
  Validator->>ReviewAgent: submit fix commit evidence
  ReviewAgent-->>Developer: return approval or rejection verdict
Loading

Suggested reviewers: bryan-cox

✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 11

🧹 Nitpick comments (4)
plugins/k8s-rebase/scripts/k8s-rebase-autofix.sh (1)

111-114: 🔒 Security & Privacy | 🔵 Trivial | 💤 Low value

Harden the in-container jq download. The binary is fetched over the network and executed without integrity verification, and /tmp/jq is a predictable path (symlink/TOCTOU-prone on shared hosts). Since it's the official jqlang release running in an ephemeral container the risk is limited, but consider pinning and checking a known SHA-256 (and/or mktemp) before chmod +x.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@plugins/k8s-rebase/scripts/k8s-rebase-autofix.sh` around lines 111 - 114,
Harden the jq installation block by downloading to a unique temporary path via
mktemp, verifying the downloaded binary against a pinned known SHA-256 checksum,
and only then making it executable and adding its directory to PATH. Update the
existing command chain guarded by command -v jq; remove the predictable /tmp/jq
path and ensure verification failure prevents execution or PATH export.

Source: Linters/SAST tools

plugins/k8s-rebase/scripts/k8s-rebase-validate.sh (2)

79-88: 🔒 Security & Privacy | 🔵 Trivial | ⚡ Quick win

Scope --privileged to modes that actually need it.

The container is launched with --privileged (and --security-opt label=disable) unconditionally, including --quick (build+vet) and --no-test, which never need elevated capabilities. Only privileged/namespace tests (--full, and the default mode's network tests) require it. Gate --privileged on the mode to reduce the blast radius for the common build/vet path.

♻️ Suggested approach
+      PRIV_FLAG=""
+      case "$MODE" in
+        full|default) PRIV_FLAG="--privileged" ;;
+      esac
       exec $CONTAINER_RT run --rm \
         --security-opt label=disable \
-        --privileged \
+        $PRIV_FLAG \
         $USERNS_FLAG \
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@plugins/k8s-rebase/scripts/k8s-rebase-validate.sh` around lines 79 - 88,
Update the container invocation in the validation script so --privileged and its
associated security-opt label=disable are included only for modes requiring
namespace or network tests: --full and the default mode. Omit both options for
--quick and --no-test while preserving the existing run arguments and behavior.

240-241: 🔒 Security & Privacy | 🔵 Trivial | ⚡ Quick win

Harden env extraction from test-go.sh (avoid eval).

eval "$(grep "^export KUBE_FEATURE_" "$TEST_GO_SH")" re-parses lines from the target repo's hack/test-go.sh as shell code; a crafted export KUBE_FEATURE_X=...; <cmd> line would execute. The same concatenate-into-bash -c pattern recurs at Lines 405 and 588. Since the tool already runs that repo's build/test targets the incremental risk is limited, but prefer parsing KEY=value pairs and exporting them directly rather than executing arbitrary content.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@plugins/k8s-rebase/scripts/k8s-rebase-validate.sh` around lines 240 - 241,
Replace the eval-based environment extraction in the TEST_GO_SH handling and the
corresponding logic at the later occurrences with safe parsing of only
KUBE_FEATURE_ KEY=value assignments, then export each validated key/value
directly. Ensure crafted values or appended commands from test-go.sh are treated
as data and never executed, while preserving the intended feature-variable
imports.
plugins/k8s-rebase/gates/step3-autofix/e2e-infra.md (1)

7-10: 🎯 Functional Correctness | 🔵 Trivial | ⚡ Quick win

Tie the KubeVirt requirement to the target version matrix.

“Latest stable release” is a moving acceptance criterion: it can reject a valid pinned version or force an unrelated dependency upgrade. Require the exact version prescribed by the patterns document or target repository matrix, with “not nightly” as the additional constraint.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@plugins/k8s-rebase/gates/step3-autofix/e2e-infra.md` around lines 7 - 10,
Update the KubeVirt checklist item in the step3-autofix requirements to require
the exact version specified by the patterns document or target repository
version matrix, while retaining the constraint that it must not be a nightly
release; remove the vague “latest stable release” wording.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@plugins/k8s-rebase/gates/step3-autofix/dep-release-notes.md`:
- Around line 6-13: The release-note sources in the step 3 instructions are
incomplete and mutable. Update the KIND and KubeVirt GitHub API retrieval to
paginate through all release pages, pin MetalLB and golangci-lint raw URLs to
the requested version’s tag or commit instead of main, and explicitly report
when a requested version cannot be found.

In `@plugins/k8s-rebase/gates/step3-autofix/feature-gates.md`:
- Around line 1-6: Update the feature-gate verification instructions to filter
GATE_DEPS using the same active-gate logic as k8s-rebase-autofix.sh, considering
only gate symbols present under vendor/k8s.io. Count missing gates only among
those active dependencies while preserving the existing comparisons across
SetFromMap, os.Setenv/t.Setenv, and hack/test-go.sh exports.

In `@plugins/k8s-rebase/gates/step4-verification/build-vet-recheck.md`:
- Line 11: Update the verification command in the build-and-vet step so go vet
./... executes regardless of whether go build ./... fails; replace the &&
chaining between these checks with independent execution while preserving the
existing output handling, directory change, and combined failure reporting.

In `@plugins/k8s-rebase/gates/step4-verification/ci-prediction.md`:
- Around line 18-23: Update the stale codegen guidance in step4 verification to
remove the requirement for a dedicated codegen commit. Prefer running the
repository’s verify-update-codegen or equivalent diff verification when
available, and treat git log history only as supporting evidence while allowing
generated output in squashed or combined commits.

In `@plugins/k8s-rebase/gates/step4-verification/cleanliness.md`:
- Around line 3-4: Update the root-owned entry count command in the cleanliness
verification step to include the find predicate -type f, while preserving the
existing .git and vendor exclusions and user filter.

In `@plugins/k8s-rebase/gates/step4-verification/dep-cve-check.md`:
- Line 6: Update the dependency scan command in the verification step to process
every unique changed module instead of truncating output with head -50. Remove
the cap or implement batching/pagination that still queries the complete module
list.

In `@plugins/k8s-rebase/gates/step4-verification/deprecated-imports.md`:
- Around line 11-12: Replace the broad golang.org/x/exp grep in
plugins/k8s-rebase/gates/step4-verification/deprecated-imports.md:11-12 with
checks derived from the package-level x/exp migration map, flagging only
packages that have explicit replacements. Update
plugins/k8s-rebase/gates/step4-verification/go-version-check.md:20-23 to reuse
that same map while keeping x/slices and x/maps checks conditional on the
detected Go version.

In `@plugins/k8s-rebase/gates/step4-verification/gomod-diff-analysis.md`:
- Around line 17-19: Update the step4-verification reporting instructions to
require output for every classification the prompt asks agents to evaluate,
including pseudo-version pins, dependency additions/removals, and go directive
changes, rather than only counts for third-party minor-version jumps and
pre-release direct dependencies. Preserve the informational review guidance for
each reported category.

In `@plugins/k8s-rebase/gates/step4-verification/k8s-changelog.md`:
- Around line 1-2: Update the changelog retrieval command to use curl’s --fail
and --show-error options, explicitly report and fail when the changelog is
unavailable or empty, and replace the mutable master URL with a stable
Kubernetes release tag or commit while preserving the K8S_MINOR-based changelog
path.

In `@plugins/k8s-rebase/gates/step4-verification/version-completeness.md`:
- Line 3: Update the file-scope statement in version-completeness.md to include
.yaml alongside .yml, ensuring the scan covers both YAML extensions while
preserving the existing exclusions and count-gate behavior.

In `@plugins/k8s-rebase/README.md`:
- Line 45: Update the gate prompt file count in the README table to 29 files,
matching the gate totals documented in SKILL.md and the PR description; leave
the path and description unchanged.

---

Nitpick comments:
In `@plugins/k8s-rebase/gates/step3-autofix/e2e-infra.md`:
- Around line 7-10: Update the KubeVirt checklist item in the step3-autofix
requirements to require the exact version specified by the patterns document or
target repository version matrix, while retaining the constraint that it must
not be a nightly release; remove the vague “latest stable release” wording.

In `@plugins/k8s-rebase/scripts/k8s-rebase-autofix.sh`:
- Around line 111-114: Harden the jq installation block by downloading to a
unique temporary path via mktemp, verifying the downloaded binary against a
pinned known SHA-256 checksum, and only then making it executable and adding its
directory to PATH. Update the existing command chain guarded by command -v jq;
remove the predictable /tmp/jq path and ensure verification failure prevents
execution or PATH export.

In `@plugins/k8s-rebase/scripts/k8s-rebase-validate.sh`:
- Around line 79-88: Update the container invocation in the validation script so
--privileged and its associated security-opt label=disable are included only for
modes requiring namespace or network tests: --full and the default mode. Omit
both options for --quick and --no-test while preserving the existing run
arguments and behavior.
- Around line 240-241: Replace the eval-based environment extraction in the
TEST_GO_SH handling and the corresponding logic at the later occurrences with
safe parsing of only KUBE_FEATURE_ KEY=value assignments, then export each
validated key/value directly. Ensure crafted values or appended commands from
test-go.sh are treated as data and never executed, while preserving the intended
feature-variable imports.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: ec127345-a4c1-4949-b911-15f3f492325c

📥 Commits

Reviewing files that changed from the base of the PR and between 2a83f75 and 0b218ca.

📒 Files selected for processing (41)
  • .claude-plugin/marketplace.json
  • docs/index.html
  • plugins/k8s-rebase/.claude-plugin/plugin.json
  • plugins/k8s-rebase/OWNERS
  • plugins/k8s-rebase/README.md
  • plugins/k8s-rebase/docs/k8s-rebase-patterns.md
  • plugins/k8s-rebase/gates/step1-rebase/rebase-completeness.md
  • plugins/k8s-rebase/gates/step2-compilation/build-vet.md
  • plugins/k8s-rebase/gates/step2-compilation/diff-scope.md
  • plugins/k8s-rebase/gates/step2-compilation/fix-correctness.md
  • plugins/k8s-rebase/gates/step2-compilation/type-conversions.md
  • plugins/k8s-rebase/gates/step2-compilation/version-consistency.md
  • plugins/k8s-rebase/gates/step3-autofix/autofix-diff-review.md
  • plugins/k8s-rebase/gates/step3-autofix/autofix-result.md
  • plugins/k8s-rebase/gates/step3-autofix/crd-validation.md
  • plugins/k8s-rebase/gates/step3-autofix/dep-release-notes.md
  • plugins/k8s-rebase/gates/step3-autofix/deprecated-api-remnants.md
  • plugins/k8s-rebase/gates/step3-autofix/e2e-infra.md
  • plugins/k8s-rebase/gates/step3-autofix/feature-gates.md
  • plugins/k8s-rebase/gates/step3-autofix/logical-completeness.md
  • plugins/k8s-rebase/gates/step3-autofix/patterns-completeness.md
  • plugins/k8s-rebase/gates/step4-verification/build-vet-recheck.md
  • plugins/k8s-rebase/gates/step4-verification/ci-prediction.md
  • plugins/k8s-rebase/gates/step4-verification/ci-readiness.md
  • plugins/k8s-rebase/gates/step4-verification/cleanliness.md
  • plugins/k8s-rebase/gates/step4-verification/commit-messages.md
  • plugins/k8s-rebase/gates/step4-verification/correctness.md
  • plugins/k8s-rebase/gates/step4-verification/dep-cve-check.md
  • plugins/k8s-rebase/gates/step4-verification/deprecated-imports.md
  • plugins/k8s-rebase/gates/step4-verification/go-version-check.md
  • plugins/k8s-rebase/gates/step4-verification/gomod-diff-analysis.md
  • plugins/k8s-rebase/gates/step4-verification/k8s-changelog.md
  • plugins/k8s-rebase/gates/step4-verification/logical-consistency.md
  • plugins/k8s-rebase/gates/step4-verification/maintainer-review.md
  • plugins/k8s-rebase/gates/step4-verification/version-completeness.md
  • plugins/k8s-rebase/scripts/k8s-rebase-autofix.sh
  • plugins/k8s-rebase/scripts/k8s-rebase-review-prompt.md
  • plugins/k8s-rebase/scripts/k8s-rebase-review.sh
  • plugins/k8s-rebase/scripts/k8s-rebase-validate.sh
  • plugins/k8s-rebase/scripts/k8s-rebase.sh
  • plugins/k8s-rebase/skills/k8s-rebase/SKILL.md

Comment on lines +6 to +13
- KIND: gh api repos/kubernetes-sigs/kind/releases (has explicit
"Breaking Changes" headings in .body)
- MetalLB: curl the in-repo release notes at
raw.githubusercontent.com/metallb/metallb/main/website/content/release-notes/_index.md
- KubeVirt: gh api repos/kubevirt/kubevirt/releases (tagged by
SIG — focus on SIG-network, Deprecation, API change)
- golangci-lint: curl CHANGELOG.md from the repo
raw.githubusercontent.com/golangci/golangci-lint/main/CHANGELOG.md

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🎯 Functional Correctness | 🟠 Major | ⚡ Quick win

Make release-note retrieval complete and reproducible.

The GitHub API calls omit pagination, so releases outside the default first page can be missed. The raw URLs also point at mutable main branches, making gate results non-reproducible. Paginate API results, use tag/commit-pinned sources, and report when the requested versions cannot be found.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@plugins/k8s-rebase/gates/step3-autofix/dep-release-notes.md` around lines 6 -
13, The release-note sources in the step 3 instructions are incomplete and
mutable. Update the KIND and KubeVirt GitHub API retrieval to paginate through
all release pages, pin MetalLB and golangci-lint raw URLs to the requested
version’s tag or commit instead of main, and explicitly report when a requested
version cannot be found.

Comment on lines +1 to +6
If test files use feature gates (SetFromMap or KUBE_FEATURE_
env vars): find `k8s-rebase-autofix.sh` and read the GATE_DEPS
map near the top. Count files missing any gate from that map. Verify
gates match between SetFromMap calls, os.Setenv/t.Setenv
calls, and hack/test-go.sh exports. Report count of files
with missing gates.

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🎯 Functional Correctness | 🟠 Major | ⚡ Quick win

Filter GATE_DEPS to gates active in the vendored Kubernetes version.

k8s-rebase-autofix.sh only considers parent/dependent gates whose symbols exist under vendor/k8s.io. This gate currently says to check “any gate from that map,” which can produce false failures for future gates on older targets. Mirror the script’s active-gate filtering before counting missing files.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@plugins/k8s-rebase/gates/step3-autofix/feature-gates.md` around lines 1 - 6,
Update the feature-gate verification instructions to filter GATE_DEPS using the
same active-gate logic as k8s-rebase-autofix.sh, considering only gate symbols
present under vendor/k8s.io. Count missing gates only among those active
dependencies while preserving the existing comparisons across SetFromMap,
os.Setenv/t.Setenv, and hack/test-go.sh exports.

Comment thread plugins/k8s-rebase/gates/step4-verification/build-vet-recheck.md Outdated
Comment on lines +18 to +23
- Stale codegen output? If hack/update-codegen.sh or a
Makefile codegen/generate/manifests target exists, check
that git log shows a codegen commit. If the repo has a
`verify-update-codegen` or `verify` CI job, stale output
will fail `git diff --exit-code`. Look for controller-gen
version annotations in CRD manifests matching the vendored

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🎯 Functional Correctness | 🟡 Minor | ⚡ Quick win

Do not require a dedicated codegen commit.

A valid rebase may include generated output in a squashed or combined commit, so checking git log for a codegen commit can report a false failure. Prefer running the repository’s verify-update-codegen/diff verification when available, using commit history only as supporting evidence.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@plugins/k8s-rebase/gates/step4-verification/ci-prediction.md` around lines 18
- 23, Update the stale codegen guidance in step4 verification to remove the
requirement for a dedicated codegen commit. Prefer running the repository’s
verify-update-codegen or equivalent diff verification when available, and treat
git log history only as supporting evidence while allowing generated output in
squashed or combined commits.

Comment thread plugins/k8s-rebase/gates/step4-verification/cleanliness.md Outdated
Comment on lines +11 to +12
3. "golang.org/x/exp/" — promoted to stdlib
grep -rn '"golang.org/x/exp/' --include='*.go' . | grep -v vendor

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🎯 Functional Correctness | 🟡 Minor | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

printf '--- file map ---\n'
git ls-files 'plugins/k8s-rebase/gates/step4-verification/*'

printf '\n--- outline: deprecated-imports.md ---\n'
wc -l plugins/k8s-rebase/gates/step4-verification/deprecated-imports.md
cat -n plugins/k8s-rebase/gates/step4-verification/deprecated-imports.md | sed -n '1,120p'

printf '\n--- outline: go-version-check.md ---\n'
wc -l plugins/k8s-rebase/gates/step4-verification/go-version-check.md
cat -n plugins/k8s-rebase/gates/step4-verification/go-version-check.md | sed -n '1,140p'

Repository: openshift-eng/ai-helpers

Length of output: 253


🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo '--- file map ---'
git ls-files 'plugins/k8s-rebase/gates/step4-verification/*'

echo
echo '--- deprecated-imports.md ---'
wc -l plugins/k8s-rebase/gates/step4-verification/deprecated-imports.md
cat -n plugins/k8s-rebase/gates/step4-verification/deprecated-imports.md | sed -n '1,120p'

echo
echo '--- go-version-check.md ---'
wc -l plugins/k8s-rebase/gates/step4-verification/go-version-check.md
cat -n plugins/k8s-rebase/gates/step4-verification/go-version-check.md | sed -n '1,140p'

Repository: openshift-eng/ai-helpers

Length of output: 3910


🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo '--- x/exp references ---'
rg -n '"golang.org/x/(exp|slices|maps|constraints)|x/exp|x/slices|x/maps' \
  plugins/k8s-rebase -g '*.md' -g '*.go' -g '*.sh' -g '*.yaml' -g '*.yml' || true

echo
echo '--- potential migration maps / package lists ---'
rg -n 'maps|slices|constraints|cmp|explicit migration map|promoted to stdlib' \
  plugins/k8s-rebase -g '*.md' -g '*.go' || true

Repository: openshift-eng/ai-helpers

Length of output: 5030


Use the package-level x/exp migration map

  • plugins/k8s-rebase/gates/step4-verification/deprecated-imports.md#L11-L12: golang.org/x/exp/ is broader than the stdlib promotions; only flag packages with explicit replacements.
  • plugins/k8s-rebase/gates/step4-verification/go-version-check.md#L20-L23: keep the x/slices/x/maps check tied to the detected Go version and reuse the same package map.
📍 Affects 2 files
  • plugins/k8s-rebase/gates/step4-verification/deprecated-imports.md#L11-L12 (this comment)
  • plugins/k8s-rebase/gates/step4-verification/go-version-check.md#L20-L23
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@plugins/k8s-rebase/gates/step4-verification/deprecated-imports.md` around
lines 11 - 12, Replace the broad golang.org/x/exp grep in
plugins/k8s-rebase/gates/step4-verification/deprecated-imports.md:11-12 with
checks derived from the package-level x/exp migration map, flagging only
packages that have explicit replacements. Update
plugins/k8s-rebase/gates/step4-verification/go-version-check.md:20-23 to reuse
that same map while keeping x/slices and x/maps checks conditional on the
detected Go version.

Comment thread plugins/k8s-rebase/gates/step4-verification/gomod-diff-analysis.md Outdated
Comment on lines +1 to +2
Read the Kubernetes changelog for the target minor version:
curl -sL "https://raw.githubusercontent.com/kubernetes/kubernetes/master/CHANGELOG/CHANGELOG-1.${K8S_MINOR}.md"

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🩺 Stability & Availability | 🟠 Major | ⚡ Quick win

Make changelog retrieval fail closed.

curl -sL does not fail on HTTP 404, so an unavailable changelog can be treated as an empty result and incorrectly pass the gate. Use --fail --show-error, report unavailable data explicitly, and pin the source to a stable Kubernetes tag or commit instead of master.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@plugins/k8s-rebase/gates/step4-verification/k8s-changelog.md` around lines 1
- 2, Update the changelog retrieval command to use curl’s --fail and
--show-error options, explicitly report and fail when the changelog is
unavailable or empty, and replace the mutable master URL with a stable
Kubernetes release tag or commit while preserving the K8S_MINOR-based changelog
path.

Comment thread plugins/k8s-rebase/gates/step4-verification/version-completeness.md Outdated
Comment thread plugins/k8s-rebase/README.md Outdated
| `scripts/k8s-rebase-validate.sh` | Build/lint/vet/test across all modules |
| `scripts/k8s-rebase-review.sh` | Antagonistic review via `claude -p` |
| `scripts/k8s-rebase-review-prompt.md` | Review agent prompt template |
| `gates/step{1,2,3,4}-*/*.md` | Subagent verification prompts (23 files) |

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

📐 Maintainability & Code Quality | 🟡 Minor | ⚡ Quick win

Gate file count is inaccurate. SKILL.md enumerates 29 gate prompts (step1=1, step2=5, step3=9, step4=14), and the PR description also says 29. Update "23 files" to match.

✏️ Proposed fix
-| `gates/step{1,2,3,4}-*/*.md` | Subagent verification prompts (23 files) |
+| `gates/step{1,2,3,4}-*/*.md` | Subagent verification prompts (29 files) |
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
| `gates/step{1,2,3,4}-*/*.md` | Subagent verification prompts (23 files) |
| `gates/step{1,2,3,4}-*/*.md` | Subagent verification prompts (29 files) |
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@plugins/k8s-rebase/README.md` at line 45, Update the gate prompt file count
in the README table to 29 files, matching the gate totals documented in SKILL.md
and the PR description; leave the path and description unchanged.

CONTRIBUTING.md). If the PR already exists, suggest `gh pr edit`.

Always suggest the CI monitoring loop alongside the PR command:
`/loop 5m check CI on the PR, explore any failures max carefully, find root causes`

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

As per our meeting you mentioned that the loop check the CI logs and errors.
However these are my findings from this updated PR which is the same as raised earlier that I don't find a logic for the loop.
From what I see is that the skill doesn't catch e2e-level breakage. It is not even defined in ai-helpers.
I also see there is no gh run, gh pr checks or or CI-log fetching in this plugin.
I even check the gates ci-prediction and ci-readiness and saw that it greps the repo and does not read CI.

I see that the skill only checks build, vet, lint and unit tests and it never runs e2e.
k8s-rebase-validate.sh runs go build (L346), go vet, golangci-lint (L365) and go test on the packages (L310). The test/e2e module is skipped at L339–342 because its vendor dir is gitignored, and nothing in the plugin ever starts a kind cluster or runs ginkgo. right ?

The problem is that the agent decides it's finished when these checks pass. So the rebase can look completely done and green, while still being broken. This is because the things that actually break an ovnk rebase don't show up in a build or a lint.
These issues will only show up when a real cluster is running the e2e suite like the test for RelaxedServiceNameValidation from k8s 1.36 binary, the KubeVirt live-migration lanes, the MetalLB/FRR image mismatch issue, kubeadm settings silently not applying, etc.

However please correct if I am wrong. cc @vinnie1110 @Jaanki

@miheer miheer Jul 13, 2026

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I see that the Step 5 in SKILL.md is where the skill stops and has the following:

"Generate a gh pr create command for the user. Do NOT run it. Read git log to build the title and body, then present the complete command for the user to review, edit, and execute."

then

"Always suggest the CI monitoring loop alongside the PR command:
/loop 5m check CI on the PR, explore any failures max carefully, find root causes"

then rm -rf .rebase-tmp/, and the skill ends.

So the skill prints two strings and exits. It doesn't open the PR, and it doesn't run /loop.
So someone has to manually create a PR using gh pr create and type type /loop 5m ... into the session, which re-prompts the agent every 5 minutes with that sentence.

Then I see agent does things by itself like run gh pr checks to find failing jobs, gh run view --log-failed to pull the logs, gh run download for the ginkgo artifacts, then reads them and decides what broke.

So, the point is this step is not really a part of the skill. Nothing calls it, no subagent runs it, nothing checks what it found. The skill only does build, vet, lint and unit tests locally. It skips e2e test whose failures can break ovn-k rebase.

In short this is manual process done by human who executes this command may be in claude code console which keeps on running by agent.

But I can understand that sometimes running e2e needs real clusters and running it locally isn't realistic.
However I think CI is where the actual validation happens and right now it is outside the skill.
Can we add it in a deterministic stage instead of a suggestion ?

Copy link
Copy Markdown
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

For k8s 1.36, all the breakage patterns you listed are already encoded in the autofix scripts. fix_relaxed_service_name_validation, fix_kubevirt_version, fix_metallb_version, fix_kubeadm_v1beta4 all fire on every rebase (no-op on repos without the relevant files). The ovnk PR is CI green including kv-live-migration, BGP, and conformance. The skill doesn't need to run e2e to catch these, it prevents the failures before CI ever runs.

The harder question is k8s 1.37, where there will be new patterns nobody has seen yet. That's where the gate subagents matter most. The k8s-changelog gate reads the 1.37 release notes filtered by SIG Network and API Machinery and flags breaking changes that have no existing autofix pattern. The dep-release-notes gate reads changelogs for ecosystem deps like KIND, MetalLB, KubeVirt, and golangci-lint and flags incompatibilities between the old and new versions. The dep-cve gate scans whatever dependency versions 1.37 pins against the OSV vulnerability database. None of this content exists until the release, so it can't be scripted in advance.

For 1.36 the skill already prevents several issues that human reviewers had to flag on the manual PRs. The SKILL.md has explicit guidelines against adding config file comments that explain the PR (which danwinship flagged on openshift/cluster-network-operator#3017) and against commit messages that reference issue/PR numbers (which danwinship flagged for spamming GitHub notifications on the same PR). The version-consistency gate (step2) prevents partial module skew like openshift/cloud-network-config-controller#223 where kube-aggregator was left at v0.36.1 while all other k8s.io modules were at v0.36.2.

When something does slip through to CI, a genuinely novel pattern, the user runs /loop 5m check CI on the PR, explore any failures max carefully, find root causes and the agent reads the failure logs and investigates. The fix gets documented in the patterns doc and encoded as an autofix function. The next repo gets it automatically. That's how the 1.36 patterns got built in the first place: by running the skill on ovnk, finding what broke, fixing it, and documenting it. Now all 6 CORENET repos benefit from those patterns without discovering them independently.

Running e2e locally would need clusters and hours of compute. CI is the right place for that. The skill maximizes local coverage (build, vet, lint, unit tests, 30 gate checks) and uses /loop to close the CI feedback loop.

Copy link
Copy Markdown
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Making CI monitoring a deterministic stage inside the skill would mean the skill pushes code to remote repos and triggers CI runs autonomously. The skill avoids this by design: the gh pr create command is generated but the skill does not run it, so the human controls what gets pushed and when. A rebase can produce a correct branch that the human decides not to push yet (waiting for library-go, coordinating with other PRs, etc.). Baking push+monitor into the skill removes that control.

/loop is a Claude Code built-in. The SKILL.md suggests /loop 5m check CI on the PR, explore any failures max carefully, find root causes after the user pushes. The agent runs gh pr checks, reads failure logs, and investigates root causes every 5 minutes until stopped. The user types one command and the agent handles the monitoring cycle.

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Agreed that once a pattern is generated it fires on every rebase, but that's exactly the problem for testing 1.37. These patterns are specific to a handful of ovnk issues (NetworkQoS int64, RelaxedServiceNameValidation, kubeadm v1beta4, MetalLB/FRR). They don't generalise to other repos, and they were seeded from my PR, not discovered by the skill.

You confirmed this yourself:

ovn-kubernetes/ovn-kubernetes#6525 (comment)
ovn-kubernetes/ovn-kubernetes#6525 (comment)

So 1.36 being green just shows those patterns replay. It doesn't test whether the skill can find an ovnk e2e failure on its own because the answers were already in the doc.

The /loop might well fix the 1.37 issues on its own next time that's the thing we actually want to test. So I think we should:

Empty the ovnk e2e patterns that came from my PR, so 1.37 is a real test of whether the skill discovers them rather than replays them.
First ask the human what steps are needed to bump for this repo, and feed that in.
Have the agent look at previous merged commits, not open PRs.

If /loop rediscovers the failures with the patterns emptied, that proves the capability and I'll be the first to say so. If it doesn't, we've learned the skill needs a human e2e pass per new version which is worth knowing before the fleet relies on it.

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Making CI monitoring a deterministic stage inside the skill would mean the skill pushes code to remote repos and triggers CI runs autonomously. The skill avoids this by design: the gh pr create command is generated but the skill does not run it, so the human controls what gets pushed and when. A rebase can produce a correct branch that the human decides not to push yet (waiting for library-go, coordinating with other PRs, etc.). Baking push+monitor into the skill removes that control.

/loop is a Claude Code built-in. The SKILL.md suggests /loop 5m check CI on the PR, explore any failures max carefully, find root causes after the user pushes. The agent runs gh pr checks, reads failure logs, and investigates root causes every 5 minutes until stopped. The user types one command and the agent handles the monitoring cycle.

The problem with /loop is not that it can't check CI. It can. And I'm fine with the human controlling the push.
The problem is /loop sits outside the skill. The fixes it pushes don't go into summary.txt, get no gate, get no review, and nothing records what it did. So if it fixes an e2e test and commits, we don't know what broke or why it picked that fix.
Also the skill deletes its state (rm -rf .rebase-tmp/) at Step 5, before CI even runs. So when CI fails the to-do list is already gone and /loop starts cold.
I think a Step 6 fixes this and keeps your push design:
Step 6 — check CI, after the human pushes the PR

Wait for CI: gh pr checks --watch. It waits till CI finishes and returns. No 5-minute loop, and it keeps the state.
Get the logs: gh run view --log-failed and gh run download for ginkgo (GitHub Actions). For prow, reuse the ci plugin.
Write each failure into summary.txt, same as a build failure. So it's tracked, not a loose suggestion.
Fix it the same way Steps 2–4 do: patterns doc first, one commit per fix, run the gate on it, run the review on it.
Give the fixes to the human to push. Same control as today. Then wait for CI again.
Delete .rebase-tmp/ only after CI is green. Right now it's deleted at Step 5, which is why the track is lost.

Human still controls the push. Nothing pushes on its own. The only change is the CI fixes now go through the same gates and review as everything else, and we have a record of what broke and why.
If you don't want a long-running run, Step 6 can be a separate command (/k8s-rebase:ci-check ) the user runs when CI is done.

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Also regarding clearing patterns to test 1.36 wont work because there might be a change the /loop agent to check exisiting open bump/rebase PRs.
So, as of now to test skills for bump will be testing k8s 1.37 for ovnk.

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

point 6 if implemented can solve the issue of testing 1.36 as it will use the skills which should have, don't look for open PRs, look for only past commits. Also the main re-requisite is the patterns must be clear and the skills must be provided with info on how a human will bump or rebase k8s.

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

right now under /loop it's the Claude agent working the e2e tests, not our skill or a subagent. Nothing in the skill drives it or checks it, so we also have no track of which commits were made for which issue when the loop is involved.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 9

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@plugins/k8s-rebase/gates/step1-rebase/rebase-completeness.md`:
- Around line 6-9: Update the uncommitted-changes counting guidance in
rebase-completeness.md to include relevant untracked (??) generated or vendored
outputs, while filtering only unrelated pre-existing untracked files. Preserve
detection of staged-but-uncommitted go.mod, vendor, and generated files as
commit-step failures.
- Around line 10-16: Update the commit-counting procedure in the “Rebase
commits” section to inspect only commits from the current rebase attempt, using
the recorded rebase range or a run-specific manifest instead of the entire
branch history. Apply this scope consistently to Rebase, Codegen, and Version
refs commit checks.

In `@plugins/k8s-rebase/gates/step3-autofix/crd-validation.md`:
- Around line 3-4: Update the file-counting step in the CRD validation
instructions to inspect parsed YAML schema objects rather than relying on
adjacent lines. Identify objects containing both format: int32 and maximum:
4294967295 regardless of comments, blank lines, key order, or intervening
properties, and count those requiring format: int64.
- Around line 5-8: Update the CRD comparison instructions to derive the actual
merge base or target ref from the repository state instead of hardcoding a
main-then-master fallback. Use that resolved ref with git show when checking the
original CRD definitions, preserving the metadata.name pattern validation
comparison.
- Around line 1-2: Update the CRD discovery instructions in the “If CRD YAMLs
exist in helm/*/crds/” section so a missing helm/*/crds/ directory does not
produce a zero result or skip validation. Discover CRDs across the repository,
or require explicit target paths, and preserve validation for CRDs located
outside Helm directories.

In `@plugins/k8s-rebase/scripts/k8s-rebase-review-prompt.md`:
- Around line 7-23: Update the prompt template around ORIGINAL_ERROR, DIFF,
K8S_CHANGELOG, and PATTERN_HINT to explicitly classify all interpolated content
as untrusted data, never instructions. Add clear, unambiguous delimiters around
each rendered evidence block and instruct Claude to ignore any directives
embedded within them before determining the final verdict.
- Around line 11-15: Update the review prompt around the `${DIFF}` placeholder
to state that the input may contain only selected files or be truncated, and
require the reviewer to fail closed when the diff is incomplete. Ensure the
prompt requests all relevant dependency/build files and later hunks, and defines
an explicit truncation marker that must trigger rejection rather than approval.

In `@plugins/k8s-rebase/scripts/k8s-rebase-validate.sh`:
- Around line 90-99: Update the auto-containerize re-exec command in the
validation script to pass --privileged only when MODE_FLAG selects --full, using
the same conditional gating pattern as USERNS_FLAG. Ensure quick, no-test,
test-only, and default modes omit the privileged option while preserving
full-mode behavior.

In `@plugins/k8s-rebase/scripts/k8s-rebase.sh`:
- Around line 643-649: Restrict the bare-version replacement in the Pass 2 loop
to Kubernetes-specific documentation or lines with Kubernetes context, rather
than all Markdown files under docs/. Update both the file-selection grep and
replacement matching around OLD_SHORT so unrelated values such as percentages or
longer versions like 1.35.0 remain unchanged, while preserving replacements for
standalone Kubernetes prose versions.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 564aa843-28a9-4051-8865-5728bbf2a0bc

📥 Commits

Reviewing files that changed from the base of the PR and between 0b218ca and c30d11d.

📒 Files selected for processing (41)
  • .claude-plugin/marketplace.json
  • docs/index.html
  • plugins/k8s-rebase/.claude-plugin/plugin.json
  • plugins/k8s-rebase/OWNERS
  • plugins/k8s-rebase/README.md
  • plugins/k8s-rebase/docs/k8s-rebase-patterns.md
  • plugins/k8s-rebase/gates/step1-rebase/rebase-completeness.md
  • plugins/k8s-rebase/gates/step2-compilation/build-vet.md
  • plugins/k8s-rebase/gates/step2-compilation/diff-scope.md
  • plugins/k8s-rebase/gates/step2-compilation/fix-correctness.md
  • plugins/k8s-rebase/gates/step2-compilation/type-conversions.md
  • plugins/k8s-rebase/gates/step2-compilation/version-consistency.md
  • plugins/k8s-rebase/gates/step3-autofix/autofix-diff-review.md
  • plugins/k8s-rebase/gates/step3-autofix/autofix-result.md
  • plugins/k8s-rebase/gates/step3-autofix/crd-validation.md
  • plugins/k8s-rebase/gates/step3-autofix/dep-release-notes.md
  • plugins/k8s-rebase/gates/step3-autofix/deprecated-api-remnants.md
  • plugins/k8s-rebase/gates/step3-autofix/e2e-infra.md
  • plugins/k8s-rebase/gates/step3-autofix/feature-gates.md
  • plugins/k8s-rebase/gates/step3-autofix/logical-completeness.md
  • plugins/k8s-rebase/gates/step3-autofix/patterns-completeness.md
  • plugins/k8s-rebase/gates/step4-verification/build-vet-recheck.md
  • plugins/k8s-rebase/gates/step4-verification/ci-prediction.md
  • plugins/k8s-rebase/gates/step4-verification/ci-readiness.md
  • plugins/k8s-rebase/gates/step4-verification/cleanliness.md
  • plugins/k8s-rebase/gates/step4-verification/commit-messages.md
  • plugins/k8s-rebase/gates/step4-verification/correctness.md
  • plugins/k8s-rebase/gates/step4-verification/dep-cve-check.md
  • plugins/k8s-rebase/gates/step4-verification/deprecated-imports.md
  • plugins/k8s-rebase/gates/step4-verification/go-version-check.md
  • plugins/k8s-rebase/gates/step4-verification/gomod-diff-analysis.md
  • plugins/k8s-rebase/gates/step4-verification/k8s-changelog.md
  • plugins/k8s-rebase/gates/step4-verification/logical-consistency.md
  • plugins/k8s-rebase/gates/step4-verification/maintainer-review.md
  • plugins/k8s-rebase/gates/step4-verification/version-completeness.md
  • plugins/k8s-rebase/scripts/k8s-rebase-autofix.sh
  • plugins/k8s-rebase/scripts/k8s-rebase-review-prompt.md
  • plugins/k8s-rebase/scripts/k8s-rebase-review.sh
  • plugins/k8s-rebase/scripts/k8s-rebase-validate.sh
  • plugins/k8s-rebase/scripts/k8s-rebase.sh
  • plugins/k8s-rebase/skills/k8s-rebase/SKILL.md
🚧 Files skipped from review as they are similar to previous changes (22)
  • plugins/k8s-rebase/gates/step4-verification/dep-cve-check.md
  • plugins/k8s-rebase/.claude-plugin/plugin.json
  • plugins/k8s-rebase/gates/step3-autofix/autofix-diff-review.md
  • plugins/k8s-rebase/gates/step4-verification/maintainer-review.md
  • .claude-plugin/marketplace.json
  • plugins/k8s-rebase/gates/step2-compilation/fix-correctness.md
  • plugins/k8s-rebase/gates/step3-autofix/patterns-completeness.md
  • plugins/k8s-rebase/gates/step2-compilation/version-consistency.md
  • plugins/k8s-rebase/gates/step4-verification/commit-messages.md
  • plugins/k8s-rebase/README.md
  • plugins/k8s-rebase/gates/step4-verification/cleanliness.md
  • plugins/k8s-rebase/OWNERS
  • plugins/k8s-rebase/gates/step3-autofix/e2e-infra.md
  • plugins/k8s-rebase/gates/step4-verification/deprecated-imports.md
  • plugins/k8s-rebase/gates/step2-compilation/type-conversions.md
  • plugins/k8s-rebase/gates/step3-autofix/feature-gates.md
  • plugins/k8s-rebase/gates/step4-verification/ci-readiness.md
  • plugins/k8s-rebase/gates/step3-autofix/logical-completeness.md
  • plugins/k8s-rebase/gates/step4-verification/logical-consistency.md
  • plugins/k8s-rebase/gates/step4-verification/k8s-changelog.md
  • docs/index.html
  • plugins/k8s-rebase/gates/step3-autofix/dep-release-notes.md

Comment on lines +6 to +9
2. Uncommitted changes: count from `git status --short`
(exclude untracked files with `?`). Any staged-but-
uncommitted go.mod, vendor, or generated files indicate
the script's commit step failed.

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🗄️ Data Integrity & Integration | 🟠 Major | ⚡ Quick win

Do not ignore relevant untracked outputs.

Excluding every status entry beginning with ? allows newly generated or vendored files to remain uncommitted while producing count 0, contradicting the failure condition described here. Count relevant ?? paths while filtering only unrelated pre-existing files.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@plugins/k8s-rebase/gates/step1-rebase/rebase-completeness.md` around lines 6
- 9, Update the uncommitted-changes counting guidance in rebase-completeness.md
to include relevant untracked (??) generated or vendored outputs, while
filtering only unrelated pre-existing untracked files. Preserve detection of
staged-but-uncommitted go.mod, vendor, and generated files as commit-step
failures.

Comment on lines +10 to +16
3. Rebase commits: check `git log --oneline` on the current
branch. Count MISSING expected commits:
- "Rebase" commits (at least 1 per go.mod with k8s.io deps,
excluding vendor/)
- Codegen commit (expected if hack/update-codegen.sh or
Makefile has generate/manifests/codegen targets)
- Version refs commit

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🎯 Functional Correctness | 🟠 Major | 🏗️ Heavy lift

Scope commit checks to the current rebase attempt.

Searching the entire branch with git log --oneline can satisfy the Rebase, codegen, and version-reference checks using commits from an earlier run. Use the recorded rebase range or a run-specific manifest instead.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@plugins/k8s-rebase/gates/step1-rebase/rebase-completeness.md` around lines 10
- 16, Update the commit-counting procedure in the “Rebase commits” section to
inspect only commits from the current rebase attempt, using the recorded rebase
range or a run-specific manifest instead of the entire branch history. Apply
this scope consistently to Rebase, Codegen, and Version refs commit checks.

Comment thread plugins/k8s-rebase/gates/step3-autofix/crd-validation.md Outdated
Comment on lines +3 to +4
1. Count files where `format: int32` immediately precedes
`maximum: 4294967295` (these need format: int64).

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🎯 Functional Correctness | 🟠 Major | ⚡ Quick win

Match CRD schema semantics, not line adjacency.

This detects only the exact adjacent sequence format: int32 followed by maximum: 4294967295. Comments, blank lines, reordered keys, or other schema properties will produce a false zero count. Parse the YAML or inspect the containing schema object.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@plugins/k8s-rebase/gates/step3-autofix/crd-validation.md` around lines 3 - 4,
Update the file-counting step in the CRD validation instructions to inspect
parsed YAML schema objects rather than relying on adjacent lines. Identify
objects containing both format: int32 and maximum: 4294967295 regardless of
comments, blank lines, key order, or intervening properties, and count those
requiring format: int64.

Comment on lines +7 to +23
## Original Error

${ORIGINAL_ERROR}

## Fix Diff

```diff
${DIFF}
```

## K8s Release Notes (relevant excerpt)

${K8S_CHANGELOG}

## Matching Pattern (if any)

${PATTERN_HINT}

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🔒 Security & Privacy | 🟠 Major | ⚡ Quick win

Treat interpolated sections as untrusted evidence.

Commit messages, diffs, changelogs, and pattern hints can contain instructions such as APPROVE:. Since the rendered prompt is sent directly to Claude, a malicious change can steer the verdict. Explicitly state that these blocks are data, never instructions, and use unambiguous delimiters before evaluating the final verdict.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@plugins/k8s-rebase/scripts/k8s-rebase-review-prompt.md` around lines 7 - 23,
Update the prompt template around ORIGINAL_ERROR, DIFF, K8S_CHANGELOG, and
PATTERN_HINT to explicitly classify all interpolated content as untrusted data,
never instructions. Add clear, unambiguous delimiters around each rendered
evidence block and instruct Claude to ignore any directives embedded within them
before determining the final verdict.

Comment on lines +11 to +15
## Fix Diff

```diff
${DIFF}
```

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🗄️ Data Integrity & Integration | 🟠 Major | ⚡ Quick win

Make the review fail closed on partial diffs.

The downstream plugins/k8s-rebase/scripts/k8s-rebase-review.sh only supplies selected file types and truncates ${DIFF} to 2,000 lines, while this template presents it as the complete fix. Dependency/build changes such as go.mod, go.sum, Makefile, or later diff hunks can therefore be approved without review. Include all relevant files and add an explicit truncation marker or reject incomplete input.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@plugins/k8s-rebase/scripts/k8s-rebase-review-prompt.md` around lines 11 - 15,
Update the review prompt around the `${DIFF}` placeholder to state that the
input may contain only selected files or be truncated, and require the reviewer
to fail closed when the diff is incomplete. Ensure the prompt requests all
relevant dependency/build files and later hunks, and defines an explicit
truncation marker that must trigger rejection rather than approval.

Comment thread plugins/k8s-rebase/scripts/k8s-rebase-validate.sh
Comment on lines +643 to +649
# Pass 2: bare version in doc prose (1.35 without v-prefix)
while IFS= read -r file; do
[[ -z "$file" ]] && continue
sed -i -E "s/\b${OLD_SHORT//./\\.}\b/${NEW_SHORT}/g" "$file"
CHANGED_FILES+="$file"$'\n'
info " Updated (short): $file"
done < <(grep -rln "\b${OLD_SHORT}\b" --include="*.md" docs/ 2>/dev/null | grep -v vendor || true)

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🎯 Functional Correctness | 🟡 Minor | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

# Show the relevant region with line numbers
sed -n '600,690p' plugins/k8s-rebase/scripts/k8s-rebase.sh | cat -n

printf '\n--- SEARCH OLD_SHORT/NEW_SHORT ---\n'
rg -n "OLD_SHORT|NEW_SHORT|OLD_MAJOR|OLD_MINOR|docs/" plugins/k8s-rebase/scripts/k8s-rebase.sh

printf '\n--- DOC FILE PATTERNS IN SCRIPT ---\n'
rg -n "grep -rln|sed -i -E|k8s|kubernetes|docs/" plugins/k8s-rebase/scripts/k8s-rebase.sh

Repository: openshift-eng/ai-helpers

Length of output: 13032


🏁 Script executed:

python3 - <<'PY'
import subprocess, textwrap, os, tempfile, pathlib, json

samples = [
    "Kubernetes 1.35 release notes",
    "tool version 1.35%",
    "version 1.35.0",
    "abc1.35def",
    "1.35",
]
pattern = r"\b1\.35\b"
for s in samples:
    p = subprocess.run(
        ["bash", "-lc", f"printf '%s\n' {s!r} | grep -n '{pattern}'"],
        capture_output=True, text=True
    )
    print("GREP", repr(s), "=>", "MATCH" if p.returncode == 0 else "NO")
    p2 = subprocess.run(
        ["bash", "-lc", f"printf '%s\n' {s!r} | sed -E 's/{pattern}/1.36/g'"],
        capture_output=True, text=True
    )
    print("SED ", repr(s), "=>", repr(p2.stdout.strip()))
PY

Repository: openshift-eng/ai-helpers

Length of output: 539


🏁 Script executed:

python3 - <<'PY'
import subprocess

samples = [
    "Kubernetes 1.35 release notes",
    "tool version 1.35%",
    "version 1.35.0",
    "abc1.35def",
    "1.35",
]
pattern = r"\b1\.35\b"

for s in samples:
    grep = subprocess.run(
        ["bash", "-lc", f"printf '%s\n' {s!r} | grep -n '{pattern}'"],
        capture_output=True, text=True
    )
    sed = subprocess.run(
        ["bash", "-lc", f"printf '%s\n' {s!r} | sed -E 's/{pattern}/1.36/g'"],
        capture_output=True, text=True
    )
    print(repr(s), "GREP=", grep.returncode == 0, "SED=", repr(sed.stdout.strip()))
PY

Repository: openshift-eng/ai-helpers

Length of output: 423


Restrict the bare-version docs replace to Kubernetes-specific prose. docs/**/*.md can still contain unrelated 1.35 tokens, and this pass rewrites them too (for example 1.35% and the leading part of 1.35.0). Narrow the match to k8s-specific docs or surrounding context.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@plugins/k8s-rebase/scripts/k8s-rebase.sh` around lines 643 - 649, Restrict
the bare-version replacement in the Pass 2 loop to Kubernetes-specific
documentation or lines with Kubernetes context, rather than all Markdown files
under docs/. Update both the file-selection grep and replacement matching around
OLD_SHORT so unrelated values such as percentages or longer versions like 1.35.0
remain unchanged, while preserving replacements for standalone Kubernetes prose
versions.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 7

♻️ Duplicate comments (2)
plugins/k8s-rebase/gates/step4-verification/build-vet-recheck.md (1)

11-11: 🎯 Functional Correctness | 🟠 Major | ⚡ Quick win

Run go vet even when go build fails.

Because the commands are chained with &&, a build failure skips go vet, violating the gate’s requirement to run both checks and producing an incomplete error count.

  • plugins/k8s-rebase/gates/step4-verification/build-vet-recheck.md#L11-L11: replace the command chain with a subshell that executes both checks independently.
  • plugins/k8s-rebase/gates/step2-compilation/build-vet.md#L11-L11: apply the identical subshell replacement to ensure go vet is not skipped on build failure.
🛠️ Proposed fix (apply to both files)
-  cd "$mod_dir" && go build ./... 2>&1 && go vet ./... 2>&1; cd -
+  (
+    cd "$mod_dir" || exit 1
+    go build ./... 2>&1
+    go vet ./... 2>&1
+  )
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@plugins/k8s-rebase/gates/step4-verification/build-vet-recheck.md` at line 11,
Update the command at
plugins/k8s-rebase/gates/step4-verification/build-vet-recheck.md:11-11 to run go
build and go vet independently within a subshell, ensuring go vet executes even
if the build fails. Apply the identical replacement at
plugins/k8s-rebase/gates/step2-compilation/build-vet.md:11-11.
plugins/k8s-rebase/gates/step4-verification/ci-prediction.md (1)

19-24: 🎯 Functional Correctness | 🟡 Minor | ⚡ Quick win

Do not require a dedicated codegen commit in git log.

A valid rebase may include generated output in a squashed or combined commit. Checking git log can report a false failure. Update the guidance to prefer diff verification over checking the commit history.

🛠️ Proposed update
-  Makefile codegen/generate/manifests target exists, check
-  that git log shows a codegen commit. If the repo has a
-  `verify-update-codegen` or `verify` CI job, stale output
-  will fail `git diff --exit-code`. Look for controller-gen
-  version annotations in CRD manifests matching the vendored
-  controller-tools version.
+  Makefile codegen/generate/manifests target exists, verify
+  that stale output would not fail `git diff --exit-code` if
+  the repo has a `verify-update-codegen` or `verify` CI job.
+  Prefer running these verification scripts over checking
+  git history, as generated output may be part of squashed or
+  combined commits. Look for controller-gen version annotations
+  in CRD manifests matching the vendored controller-tools version.
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@plugins/k8s-rebase/gates/step4-verification/ci-prediction.md` around lines 19
- 24, Update the guidance in the codegen verification section to remove the
requirement that git log contain a dedicated codegen commit. Instruct reviewers
to prefer verifying generated output through git diff --exit-code or the
repository’s existing verify-update-codegen/verify CI job, while retaining the
controller-gen version annotation check.
🧹 Nitpick comments (4)
plugins/k8s-rebase/gates/step2-compilation/diff-scope.md (1)

5-6: 📐 Maintainability & Code Quality | 🔵 Trivial | 💤 Low value

Fix markdown formatting for directory paths.

The unescaped underscores in _output/ and third_party/ can trigger markdown rendering issues (MD037: spaces inside emphasis markers). Wrap the paths in backticks to treat them as literal code.

🛠️ Proposed fix
-.sh, .j2). Changes in generated/managed directories are also
-expected: vendor/, LICENSES/, _output/, third_party/.
+.sh, .j2). Changes in generated/managed directories are also
+expected: `vendor/`, `LICENSES/`, `_output/`, `third_party/`.
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@plugins/k8s-rebase/gates/step2-compilation/diff-scope.md` around lines 5 - 6,
Update the directory-path list in the compilation diff-scope documentation to
wrap `_output/` and `third_party/` in backticks, preserving the existing wording
and formatting for the other paths.
plugins/k8s-rebase/docs/k8s-rebase-patterns.md (1)

154-154: 📐 Maintainability & Code Quality | 🔵 Trivial | 💤 Low value

Add language specifiers to fenced code blocks.

These code blocks lack a language specifier, which triggers markdownlint (MD040) and degrades syntax highlighting.

  • plugins/k8s-rebase/docs/k8s-rebase-patterns.md#L154-L154: change ``` to ```text
  • plugins/k8s-rebase/docs/k8s-rebase-patterns.md#L266-L266: change ``` to ```text
  • plugins/k8s-rebase/docs/k8s-rebase-patterns.md#L270-L270: change ``` to ```text
  • plugins/k8s-rebase/docs/k8s-rebase-patterns.md#L294-L294: change ``` to ```text
  • plugins/k8s-rebase/docs/k8s-rebase-patterns.md#L329-L329: change ``` to ```text
  • plugins/k8s-rebase/docs/k8s-rebase-patterns.md#L463-L463: change ``` to ```go.mod
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@plugins/k8s-rebase/docs/k8s-rebase-patterns.md` at line 154, Update the
fenced code blocks in plugins/k8s-rebase/docs/k8s-rebase-patterns.md at lines
154, 266, 270, 294, and 329 to use the text language specifier, and use the
go.mod specifier at line 463. No other content changes are needed.
plugins/k8s-rebase/gates/step4-verification/go-version-check.md (1)

20-27: 🎯 Functional Correctness | 🔵 Trivial | ⚡ Quick win

Align this gate's output with the "count" contract other step4 gates use.

SKILL.md lists this as a (count) gate and requires "All count-checks must be 0," but the prompt only asks to "Report any mismatches or migration opportunities" — unlike sibling count gates (version-completeness.md, gomod-diff-analysis.md) which explicitly say "Report count of X." Free-form prose output makes it harder for the main agent to mechanically verify the zero/non-zero gate result.

♻️ Suggested wording
-Report any mismatches or migration opportunities.
+Report the count of mismatches and migration opportunities found above (0 = pass).
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@plugins/k8s-rebase/gates/step4-verification/go-version-check.md` around lines
20 - 27, Update the x/ package opportunity check in the step4 verification
prompt to explicitly require reporting the count of detected mismatches or
migration opportunities, while preserving the existing read-only rule and grep
scope. Ensure the output is a numeric count so SKILL.md can enforce the
zero/non-zero gate contract.
plugins/k8s-rebase/scripts/k8s-rebase.sh (1)

37-59: 📐 Maintainability & Code Quality | 🔵 Trivial | 🏗️ Heavy lift

Containerize re-exec + commit-style helper logic is copy-pasted across all three scripts with no shared source of truth. _detect_commit_style/format_msg (k8s-rebase.sh, k8s-rebase-autofix.sh) and the "check Go version → pick podman/docker → re-exec in container" block (all three scripts) are near-identical, hand-duplicated blocks. This isn't just style: the previously-flagged --privileged scoping fix landed only in k8s-rebase-validate.sh's copy and never propagated, which is exactly the kind of drift this duplication invites.

  • plugins/k8s-rebase/scripts/k8s-rebase.sh#L37-L59: extract _detect_commit_style/format_msg into a small lib/rebase-common.sh sourced by all three scripts.
  • plugins/k8s-rebase/scripts/k8s-rebase-autofix.sh#L42-L61: source the same shared helper instead of redefining it.
  • plugins/k8s-rebase/scripts/k8s-rebase.sh#L225-L263: extract the podman/docker-detection-and-re-exec block into a shared function parameterized by the script path and extra args.
  • plugins/k8s-rebase/scripts/k8s-rebase-autofix.sh#L79-L113: use the shared re-exec function instead of its own copy.
  • plugins/k8s-rebase/scripts/k8s-rebase-validate.sh#L66-L102: use the shared re-exec function (with a mode-aware --privileged/--userns=keep-id parameter) instead of its own copy.
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@plugins/k8s-rebase/scripts/k8s-rebase.sh` around lines 37 - 59, Create
plugins/k8s-rebase/scripts/lib/rebase-common.sh with shared
_detect_commit_style, format_msg, and a parameterized container re-exec
function. In plugins/k8s-rebase/scripts/k8s-rebase.sh#37-59 and
k8s-rebase-autofix.sh#42-61, remove duplicated commit-style helpers and source
the shared library; replace re-exec blocks at k8s-rebase.sh#225-263,
k8s-rebase-autofix.sh#79-113, and k8s-rebase-validate.sh#66-102 with the shared
function, preserving script-specific arguments and mode-aware
--privileged/--userns=keep-id behavior.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@plugins/k8s-rebase/gates/step4-verification/skill-improvement.md`:
- Around line 1-6: Update
plugins/k8s-rebase/gates/step4-verification/skill-improvement.md lines 1-6 to
require inspecting commit history with git log/git show before classifying
commits, using commit bodies to distinguish manual fixes from commits containing
“Applied:”. Update
plugins/k8s-rebase/gates/step4-verification/maintainer-review.md lines 1-10 and
21-25 to use commit history when reporting scope, commit messages, SHAs, and
per-commit file/line findings.
- Around line 1-4: Update the manual-fix commit classification in the
branch-diff verification instructions to avoid treating absence of “Applied:” as
definitive. Use an explicit autofix commit trailer, or require the autofix
workflow—including post-vet fix_uncommitted commits—to add the marker
consistently before relying on it for classification.

In `@plugins/k8s-rebase/scripts/k8s-rebase-autofix.sh`:
- Around line 122-125: Replace the predictable /tmp/jq download location in the
jq-install blocks of plugins/k8s-rebase/scripts/k8s-rebase-autofix.sh (lines
122-125) and plugins/k8s-rebase/scripts/k8s-rebase-validate.sh (lines 123-126)
with a directory created by mktemp -d, download jq there, and prepend that
directory to PATH in both scripts.

In `@plugins/k8s-rebase/scripts/k8s-rebase-review.sh`:
- Around line 30-59: Align the review workflow with the script’s per-commit
design: update the SKILL.md Step 4c invocation to run the review for each fix
commit with the actual error context, rather than once at the final HEAD with
the generic “k8s rebase” argument. Preserve the existing evidence collection in
the script, including PATTERN_HINT, K8S_CHANGELOG, and commit-scoped DIFF
behavior.

In `@plugins/k8s-rebase/scripts/k8s-rebase-validate.sh`:
- Around line 271-289: The root package classification in run_test_only uses an
unanchored regex and can incorrectly skip packages with matching substrings.
Make this check exact-match the same way as the make test sudo-fallback path,
preferably by reusing a shared helper or pattern based on ROOT_PKGS so both
paths cannot drift.
- Around line 248-253: Replace the eval-based loading in the feature-gate export
block with a loop over the matching export lines from TEST_GO_SH, parsing and
applying only literal KUBE_FEATURE_ assignments. Preserve the existing file
discovery and skip behavior when TEST_GO_SH is empty, while avoiding execution
of arbitrary shell code.

In `@plugins/k8s-rebase/skills/k8s-rebase/SKILL.md`:
- Around line 28-35: Choose one consistent container policy and apply it across
the documented and automated flows: either make podman with --userns=keep-id a
hard requirement by removing the docker fallback and making the
container-selection logic in k8s-rebase.sh, k8s-rebase-autofix.sh, and
k8s-rebase-validate.sh fail when podman is unavailable, or retain the fallback
and update SKILL.md plus all three scripts to visibly warn about docker’s
root-owned-file caveat when it is selected. Ensure all four affected files
reflect the same policy.

---

Duplicate comments:
In `@plugins/k8s-rebase/gates/step4-verification/build-vet-recheck.md`:
- Line 11: Update the command at
plugins/k8s-rebase/gates/step4-verification/build-vet-recheck.md:11-11 to run go
build and go vet independently within a subshell, ensuring go vet executes even
if the build fails. Apply the identical replacement at
plugins/k8s-rebase/gates/step2-compilation/build-vet.md:11-11.

In `@plugins/k8s-rebase/gates/step4-verification/ci-prediction.md`:
- Around line 19-24: Update the guidance in the codegen verification section to
remove the requirement that git log contain a dedicated codegen commit. Instruct
reviewers to prefer verifying generated output through git diff --exit-code or
the repository’s existing verify-update-codegen/verify CI job, while retaining
the controller-gen version annotation check.

---

Nitpick comments:
In `@plugins/k8s-rebase/docs/k8s-rebase-patterns.md`:
- Line 154: Update the fenced code blocks in
plugins/k8s-rebase/docs/k8s-rebase-patterns.md at lines 154, 266, 270, 294, and
329 to use the text language specifier, and use the go.mod specifier at line
463. No other content changes are needed.

In `@plugins/k8s-rebase/gates/step2-compilation/diff-scope.md`:
- Around line 5-6: Update the directory-path list in the compilation diff-scope
documentation to wrap `_output/` and `third_party/` in backticks, preserving the
existing wording and formatting for the other paths.

In `@plugins/k8s-rebase/gates/step4-verification/go-version-check.md`:
- Around line 20-27: Update the x/ package opportunity check in the step4
verification prompt to explicitly require reporting the count of detected
mismatches or migration opportunities, while preserving the existing read-only
rule and grep scope. Ensure the output is a numeric count so SKILL.md can
enforce the zero/non-zero gate contract.

In `@plugins/k8s-rebase/scripts/k8s-rebase.sh`:
- Around line 37-59: Create plugins/k8s-rebase/scripts/lib/rebase-common.sh with
shared _detect_commit_style, format_msg, and a parameterized container re-exec
function. In plugins/k8s-rebase/scripts/k8s-rebase.sh#37-59 and
k8s-rebase-autofix.sh#42-61, remove duplicated commit-style helpers and source
the shared library; replace re-exec blocks at k8s-rebase.sh#225-263,
k8s-rebase-autofix.sh#79-113, and k8s-rebase-validate.sh#66-102 with the shared
function, preserving script-specific arguments and mode-aware
--privileged/--userns=keep-id behavior.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 3e3591aa-e874-46c0-a843-96728207649f

📥 Commits

Reviewing files that changed from the base of the PR and between c30d11d and f06d1b9.

📒 Files selected for processing (42)
  • .claude-plugin/marketplace.json
  • docs/index.html
  • plugins/k8s-rebase/.claude-plugin/plugin.json
  • plugins/k8s-rebase/OWNERS
  • plugins/k8s-rebase/README.md
  • plugins/k8s-rebase/docs/k8s-rebase-patterns.md
  • plugins/k8s-rebase/gates/step1-rebase/rebase-completeness.md
  • plugins/k8s-rebase/gates/step2-compilation/build-vet.md
  • plugins/k8s-rebase/gates/step2-compilation/diff-scope.md
  • plugins/k8s-rebase/gates/step2-compilation/fix-correctness.md
  • plugins/k8s-rebase/gates/step2-compilation/type-conversions.md
  • plugins/k8s-rebase/gates/step2-compilation/version-consistency.md
  • plugins/k8s-rebase/gates/step3-autofix/autofix-diff-review.md
  • plugins/k8s-rebase/gates/step3-autofix/autofix-result.md
  • plugins/k8s-rebase/gates/step3-autofix/crd-validation.md
  • plugins/k8s-rebase/gates/step3-autofix/dep-release-notes.md
  • plugins/k8s-rebase/gates/step3-autofix/deprecated-api-remnants.md
  • plugins/k8s-rebase/gates/step3-autofix/e2e-infra.md
  • plugins/k8s-rebase/gates/step3-autofix/feature-gates.md
  • plugins/k8s-rebase/gates/step3-autofix/logical-completeness.md
  • plugins/k8s-rebase/gates/step3-autofix/patterns-completeness.md
  • plugins/k8s-rebase/gates/step4-verification/build-vet-recheck.md
  • plugins/k8s-rebase/gates/step4-verification/ci-prediction.md
  • plugins/k8s-rebase/gates/step4-verification/ci-readiness.md
  • plugins/k8s-rebase/gates/step4-verification/cleanliness.md
  • plugins/k8s-rebase/gates/step4-verification/commit-messages.md
  • plugins/k8s-rebase/gates/step4-verification/correctness.md
  • plugins/k8s-rebase/gates/step4-verification/dep-cve-check.md
  • plugins/k8s-rebase/gates/step4-verification/deprecated-imports.md
  • plugins/k8s-rebase/gates/step4-verification/go-version-check.md
  • plugins/k8s-rebase/gates/step4-verification/gomod-diff-analysis.md
  • plugins/k8s-rebase/gates/step4-verification/k8s-changelog.md
  • plugins/k8s-rebase/gates/step4-verification/logical-consistency.md
  • plugins/k8s-rebase/gates/step4-verification/maintainer-review.md
  • plugins/k8s-rebase/gates/step4-verification/skill-improvement.md
  • plugins/k8s-rebase/gates/step4-verification/version-completeness.md
  • plugins/k8s-rebase/scripts/k8s-rebase-autofix.sh
  • plugins/k8s-rebase/scripts/k8s-rebase-review-prompt.md
  • plugins/k8s-rebase/scripts/k8s-rebase-review.sh
  • plugins/k8s-rebase/scripts/k8s-rebase-validate.sh
  • plugins/k8s-rebase/scripts/k8s-rebase.sh
  • plugins/k8s-rebase/skills/k8s-rebase/SKILL.md
🚧 Files skipped from review as they are similar to previous changes (25)
  • plugins/k8s-rebase/gates/step2-compilation/type-conversions.md
  • plugins/k8s-rebase/scripts/k8s-rebase-review-prompt.md
  • plugins/k8s-rebase/gates/step3-autofix/logical-completeness.md
  • plugins/k8s-rebase/gates/step4-verification/k8s-changelog.md
  • plugins/k8s-rebase/gates/step4-verification/cleanliness.md
  • plugins/k8s-rebase/gates/step4-verification/ci-readiness.md
  • plugins/k8s-rebase/gates/step4-verification/commit-messages.md
  • plugins/k8s-rebase/OWNERS
  • plugins/k8s-rebase/.claude-plugin/plugin.json
  • plugins/k8s-rebase/gates/step2-compilation/version-consistency.md
  • plugins/k8s-rebase/gates/step2-compilation/fix-correctness.md
  • plugins/k8s-rebase/gates/step3-autofix/crd-validation.md
  • plugins/k8s-rebase/gates/step3-autofix/autofix-diff-review.md
  • plugins/k8s-rebase/gates/step3-autofix/dep-release-notes.md
  • plugins/k8s-rebase/gates/step4-verification/logical-consistency.md
  • plugins/k8s-rebase/gates/step1-rebase/rebase-completeness.md
  • plugins/k8s-rebase/gates/step3-autofix/e2e-infra.md
  • plugins/k8s-rebase/gates/step3-autofix/feature-gates.md
  • plugins/k8s-rebase/gates/step4-verification/dep-cve-check.md
  • plugins/k8s-rebase/gates/step3-autofix/deprecated-api-remnants.md
  • plugins/k8s-rebase/gates/step3-autofix/patterns-completeness.md
  • .claude-plugin/marketplace.json
  • plugins/k8s-rebase/gates/step4-verification/deprecated-imports.md
  • docs/index.html
  • plugins/k8s-rebase/README.md

Comment thread plugins/k8s-rebase/gates/step4-verification/skill-improvement.md Outdated
Comment on lines +1 to +6
Read the branch diff (git diff of merge-base..HEAD). Identify
manual fix commits — those that do NOT have "Applied:" in the
commit body. Autofix commits always contain "Applied:" followed
by fix descriptions; commits without it are manual agent work.

For each manual fix commit, classify the change:

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🎯 Functional Correctness | 🟠 Major | ⚡ Quick win

Add an explicit commit-history inspection step.

Both gates require commit-level classification, messages, SHAs, and bodies, but git diff <merge-base>..HEAD only shows an aggregate patch.

  • plugins/k8s-rebase/gates/step4-verification/skill-improvement.md#L1-L6: require git log/git show before classifying manual versus autofix commits.
  • plugins/k8s-rebase/gates/step4-verification/maintainer-review.md#L1-L10,21-L25: use commit history to support scope, message, SHA, and per-commit file/line findings.
📍 Affects 2 files
  • plugins/k8s-rebase/gates/step4-verification/skill-improvement.md#L1-L6 (this comment)
  • plugins/k8s-rebase/gates/step4-verification/maintainer-review.md#L1-L10
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@plugins/k8s-rebase/gates/step4-verification/skill-improvement.md` around
lines 1 - 6, Update
plugins/k8s-rebase/gates/step4-verification/skill-improvement.md lines 1-6 to
require inspecting commit history with git log/git show before classifying
commits, using commit bodies to distinguish manual fixes from commits containing
“Applied:”. Update
plugins/k8s-rebase/gates/step4-verification/maintainer-review.md lines 1-10 and
21-25 to use commit history when reporting scope, commit messages, SHAs, and
per-commit file/line findings.

Comment on lines +122 to +125
# Install jq if missing (needed by verify-third-party-licenses)
if ! command -v jq &>/dev/null; then
curl -sL https://github.com/jqlang/jq/releases/download/jq-1.7.1/jq-linux-amd64 -o /tmp/jq 2>/dev/null && chmod +x /tmp/jq && export PATH="/tmp:$PATH"
fi

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🔒 Security & Privacy | 🟡 Minor | ⚡ Quick win

Same predictable /tmp/jq TOCTOU pattern copy-pasted into two scripts. Both scripts download jq to a hardcoded, predictable /tmp/jq path, chmod +x it, and prepend /tmp to PATH — a local attacker (or leftover file) can pre-place /tmp/jq and have it executed as jq for the rest of the run.

  • plugins/k8s-rebase/scripts/k8s-rebase-autofix.sh#L122-L125: download to a mktemp -d directory and prepend that to PATH instead of /tmp.
  • plugins/k8s-rebase/scripts/k8s-rebase-validate.sh#L123-L126: apply the identical mktemp -d fix here too.
🧰 Tools
🪛 ast-grep (0.44.1)

[warning] 123-123: Writing to or reading from a hardcoded, predictable path under /tmp is vulnerable to symlink and TOCTOU attacks: a local attacker can pre-create the file (or a symlink pointing elsewhere) and hijack or corrupt the contents. Generate a unique, unpredictable temporary file with mktemp instead, e.g. tmpfile="$(mktemp)" (or mktemp -d for directories) and reference "$tmpfile".
Context: /tmp/jq
Note: [CWE-377] Insecure Temporary File.

(predictable-tmp-file-bash)


[warning] 123-123: Writing to or reading from a hardcoded, predictable path under /tmp is vulnerable to symlink and TOCTOU attacks: a local attacker can pre-create the file (or a symlink pointing elsewhere) and hijack or corrupt the contents. Generate a unique, unpredictable temporary file with mktemp instead, e.g. tmpfile="$(mktemp)" (or mktemp -d for directories) and reference "$tmpfile".
Context: /tmp/jq
Note: [CWE-377] Insecure Temporary File.

(predictable-tmp-file-bash)

📍 Affects 2 files
  • plugins/k8s-rebase/scripts/k8s-rebase-autofix.sh#L122-L125 (this comment)
  • plugins/k8s-rebase/scripts/k8s-rebase-validate.sh#L123-L126
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@plugins/k8s-rebase/scripts/k8s-rebase-autofix.sh` around lines 122 - 125,
Replace the predictable /tmp/jq download location in the jq-install blocks of
plugins/k8s-rebase/scripts/k8s-rebase-autofix.sh (lines 122-125) and
plugins/k8s-rebase/scripts/k8s-rebase-validate.sh (lines 123-126) with a
directory created by mktemp -d, download jq there, and prepend that directory to
PATH in both scripts.

Source: Linters/SAST tools

Comment thread plugins/k8s-rebase/scripts/k8s-rebase-review.sh
Comment thread plugins/k8s-rebase/scripts/k8s-rebase-validate.sh
Comment on lines +271 to +289
# Filter out root_pkgs (need CAP_NET_ADMIN, always fail unprivileged)
local test_go_sh
test_go_sh=$(find . -name "test-go.sh" -path "*/hack/*" -not -path "*/vendor/*" 2>/dev/null | head -1)
if [[ -n "$test_go_sh" ]]; then
local root_pkgs_pattern
root_pkgs_pattern=$(sed -n '/root_pkgs=(/,/)/p' "$test_go_sh" | grep -oE 'pkg/[^"]+' | tr '\n' '|' || true)
if [[ -n "$root_pkgs_pattern" ]]; then
local filtered=""
for pkg in $TEST_ONLY_PKGS; do
if echo "$pkg" | grep -qE "(${root_pkgs_pattern%|})"; then
echo ":: Skipping root_pkg $pkg (needs CAP_NET_ADMIN)"
else
filtered="$filtered $pkg"
fi
done
TEST_ONLY_PKGS="${filtered# }"
[[ -z "$TEST_ONLY_PKGS" ]] && { echo "All packages are root_pkgs — nothing to test unprivileged"; exit 0; }
fi
fi

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🎯 Functional Correctness | 🟡 Minor | ⚡ Quick win

root_pkgs filtering is unanchored here, but exact-matched elsewhere in this same file — pick one.

run_test_only() skips a package as privileged via an unanchored substring match:

if echo "$pkg" | grep -qE "(${root_pkgs_pattern%|})"; then

Later in the same file (the make test sudo-fallback path, ~lines 433/443) the equivalent check anchors the match: grep -qE "^(${ROOT_PKGS%|})$". Because the first check has no boundaries, a root_pkgs entry like pkg/ovn will also match an unrelated package such as pkg/ovnwebhook, silently skipping a non-privileged package from --test-only runs with no error — just a "Skipping root_pkg" message that looks correct. Consider extracting one shared helper/pattern for this classification so the two code paths can't drift.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@plugins/k8s-rebase/scripts/k8s-rebase-validate.sh` around lines 271 - 289,
The root package classification in run_test_only uses an unanchored regex and
can incorrectly skip packages with matching substrings. Make this check
exact-match the same way as the make test sudo-fallback path, preferably by
reusing a shared helper or pattern based on ROOT_PKGS so both paths cannot
drift.

Comment on lines +28 to +35
**Container commands:** When running containers, always use
`podman` with `--userns=keep-id`. Never use `docker run` —
it creates root-owned files that break subsequent operations.
`--security-opt label=disable` is required for SELinux hosts
(container writes to bind-mounted repo dirs fail without it).
```
podman run --rm --security-opt label=disable --userns=keep-id -v "$(pwd):$(pwd)" -w "$(pwd)" docker.io/library/golang:VERSION ...
```

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🩺 Stability & Availability | 🟠 Major | ⚡ Quick win

SKILL.md's "Never use docker run" rule is silently contradicted by all three automation scripts. SKILL.md states plainly that docker must never be used because it "creates root-owned files that break subsequent operations," but every script that auto-containerizes falls back to docker automatically whenever podman isn't installed — exactly the failure mode SKILL.md warns about, without the human/agent ever being told it happened.

  • plugins/k8s-rebase/skills/k8s-rebase/SKILL.md#L28-L35: acknowledge the automatic docker fallback in the deterministic scripts (and its root-owned-file caveat), or state that podman is a hard requirement and the scripts should fail instead of silently falling back to docker.
  • plugins/k8s-rebase/scripts/k8s-rebase.sh#L236-L241: either drop the docker fallback (die when only docker is available) to match the documented policy, or emit a visible warning about root-owned files when it engages.
  • plugins/k8s-rebase/scripts/k8s-rebase-autofix.sh#L87-L89: same choice — align with whichever policy is chosen for k8s-rebase.sh.
  • plugins/k8s-rebase/scripts/k8s-rebase-validate.sh#L81-L83: same choice — align with whichever policy is chosen for k8s-rebase.sh.
🧰 Tools
🪛 markdownlint-cli2 (0.23.0)

[warning] 33-33: Fenced code blocks should have a language specified

(MD040, fenced-code-language)

📍 Affects 4 files
  • plugins/k8s-rebase/skills/k8s-rebase/SKILL.md#L28-L35 (this comment)
  • plugins/k8s-rebase/scripts/k8s-rebase.sh#L236-L241
  • plugins/k8s-rebase/scripts/k8s-rebase-autofix.sh#L87-L89
  • plugins/k8s-rebase/scripts/k8s-rebase-validate.sh#L81-L83
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@plugins/k8s-rebase/skills/k8s-rebase/SKILL.md` around lines 28 - 35, Choose
one consistent container policy and apply it across the documented and automated
flows: either make podman with --userns=keep-id a hard requirement by removing
the docker fallback and making the container-selection logic in k8s-rebase.sh,
k8s-rebase-autofix.sh, and k8s-rebase-validate.sh fail when podman is
unavailable, or retain the fallback and update SKILL.md plus all three scripts
to visibly warn about docker’s root-owned-file caveat when it is selected.
Ensure all four affected files reflect the same policy.

Automates k8s.io/* dependency rebases for Go projects. Handles
dep bumps, codegen, version references, compilation fixes, lint
migration, feature gate management, and antagonistic review.

The skill improves itself across runs: when a rebase surfaces a
new breakage pattern (via gates, local validation, or CI), the
agent fixes it and documents the pattern. The next repo or k8s
version benefits from that pattern automatically — through
autofix functions, gate checks, or patterns doc entries.

Scripts:
- k8s-rebase.sh: deterministic rebase (deps, codegen, version refs)
- k8s-rebase-autofix.sh: named fix functions for known breakage
  patterns (x/exp, reflect.Ptr, klog v1, FieldsV1, Eventf, CRDs,
  feature gates, KIND, MetalLB, KubeVirt, golangci-lint v1→v2)
- k8s-rebase-validate.sh: build/vet/lint/test with skip detection
- k8s-rebase-review.sh: antagonistic review via separate Claude instance

29 gate subagents across 4 verification steps verify the rebase
before the agent proceeds. Count gates enforce hard constraints
(build errors, version mismatches, test skips). Judge gates
review diffs for correctness. Discovery gates read external
signals (dep release notes, k8s changelog, CVE databases,
go.mod risk classification) to catch issues that build/lint/test
cannot detect.

Patterns doc catalogs 30+ breakage patterns with fix recipes
and extension guide for future k8s versions.

Signed-off-by: Daniel Farrell <dfarrell@redhat.com>
@openshift-ci

openshift-ci Bot commented Jul 15, 2026

Copy link
Copy Markdown

The OWNERS file contains untrusted users, which makes it INVALID. The following users are mentioned in OWNERS file(s) but are untrusted for the following reasons. One way to make the user trusted is to add them as members of the openshift-eng org. You can then trigger verification by writing /verify-owners in a comment.

  • dfarrell07
    • User is not a member of the org. User is not a collaborator. Satisfy at least one of these conditions to make the user trusted.
    • plugins/k8s-rebase/OWNERS

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 6

♻️ Duplicate comments (5)
plugins/k8s-rebase/scripts/k8s-rebase.sh (1)

686-695: 🎯 Functional Correctness | 🟡 Minor | ⚡ Quick win

Bare-version doc replace still isn't restricted to Kubernetes-specific prose.

The perl lookbehind/lookahead now correctly guards against IP-address and patch-version corruption (the two concrete examples from the earlier review), but the match is still purely numeric — any standalone 1.35-style token in docs/**/*.md unrelated to Kubernetes (e.g. a percentage, section/step number) will still be rewritten, since there's no check that the surrounding text is actually about Kubernetes.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@plugins/k8s-rebase/scripts/k8s-rebase.sh` around lines 686 - 695, Restrict
the bare-version replacement in the Pass 2 loop to Kubernetes-specific
documentation instead of matching every standalone numeric token under docs/.
Update the grep/perl selection around OLD_SHORT and NEW_SHORT to require an
appropriate Kubernetes context, while preserving the existing protections for IP
addresses, compound versions, and patch versions.
plugins/k8s-rebase/gates/step3-autofix/crd-validation.md (1)

6-7: 🎯 Functional Correctness | 🟠 Major | ⚡ Quick win

CRD format: int32/maximum check still relies on line adjacency, not schema semantics.

This only detects the exact adjacent sequence format: int32 followed immediately by maximum: 4294967295. Comments, blank lines, reordered keys, or other intervening schema properties will still produce a false zero count for a read-only gate that's required to report exact counts.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@plugins/k8s-rebase/gates/step3-autofix/crd-validation.md` around lines 6 - 7,
Update the CRD validation instructions in step 3 so the count identifies schema
objects containing both format: int32 and maximum: 4294967295 regardless of key
order, comments, blank lines, or intervening properties; remove the
line-adjacency requirement and preserve exact reporting for the read-only gate.
plugins/k8s-rebase/scripts/k8s-rebase-autofix.sh (1)

122-128: 🔒 Security & Privacy | 🟡 Minor | ⚡ Quick win

Predictable /tmp/jq path is copy-pasted into both scripts — same TOCTOU root cause. Both download jq to a hardcoded, predictable path, chmod +x it, and prepend /tmp to PATH, allowing a local attacker (or leftover file) to hijack the binary.

  • plugins/k8s-rebase/scripts/k8s-rebase-autofix.sh#L122-L128: download jq into a mktemp -d directory and prepend that directory to PATH instead of /tmp.
  • plugins/k8s-rebase/scripts/k8s-rebase-validate.sh#L125-L131: apply the identical mktemp -d fix here too.
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@plugins/k8s-rebase/scripts/k8s-rebase-autofix.sh` around lines 122 - 128, The
jq bootstrap blocks in plugins/k8s-rebase/scripts/k8s-rebase-autofix.sh lines
122-128 and plugins/k8s-rebase/scripts/k8s-rebase-validate.sh lines 125-131 use
a predictable shared /tmp/jq path. In both scripts, create a unique temporary
directory with mktemp -d, download and verify jq within that directory, make
that file executable, and prepend only the temporary directory to PATH.
plugins/k8s-rebase/scripts/k8s-rebase-review.sh (1)

30-59: 🎯 Functional Correctness | 🟠 Major | ⚡ Quick win

Evidence-gathering (PATTERN_HINT, K8S_CHANGELOG, commit-scoped DIFF) is still unreachable in practice.

SKILL.md's Step 4c still calls this script once at final HEAD with the literal string "k8s rebase" as ORIGINAL_ERROR — that string never matches any of the PATTERN_HINT keywords (L53), K8S_CHANGELOG (L48) is just whatever the last commit message says (not a real changelog), and DIFF (L40-42) covers the entire rebase range truncated to 2000 lines rather than one commit's diff. The antagonistic review still runs with much weaker context than the script's own design intends.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@plugins/k8s-rebase/scripts/k8s-rebase-review.sh` around lines 30 - 59, Update
the Step 4c invocation and the evidence preparation around PATTERN_HINT,
K8S_CHANGELOG, and DIFF so the review runs per rebased commit with that commit’s
actual error output, commit message, and scoped diff rather than once at final
HEAD with the literal “k8s rebase” value. Preserve the existing filtering and
fallback behavior while ensuring each invocation receives commit-specific
context before the review runs.
plugins/k8s-rebase/scripts/k8s-rebase-validate.sh (1)

277-295: 🎯 Functional Correctness | 🟡 Minor | ⚡ Quick win

Unanchored root_pkgs regex duplicated between the script and its documentation snippet — same substring-match root cause. Both build a (pkg/a|pkg/b|...) alternation from root_pkgs and match it with only a leading ^\./ anchor, so a shorter root_pkgs entry (e.g. pkg/ovn) substring-matches an unrelated package (pkg/ovnwebhook) and silently drops it from testing. The correct anchored form already exists elsewhere in k8s-rebase-validate.sh (L439, L449: ^(...)$).

  • plugins/k8s-rebase/scripts/k8s-rebase-validate.sh#L277-L295: add the trailing $ anchor to the grep -qE pattern in run_test_only(), matching the anchored form used at L439/L449.
  • plugins/k8s-rebase/skills/k8s-rebase/SKILL.md#L426-L436: add the same trailing $ anchor to the Step 4b package-discovery snippet's grep -qE pattern.
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@plugins/k8s-rebase/scripts/k8s-rebase-validate.sh` around lines 277 - 295,
Anchor the root package regex to the full package name by adding a trailing $ to
the grep -qE pattern in run_test_only() within
plugins/k8s-rebase/scripts/k8s-rebase-validate.sh lines 277-295. Apply the same
trailing anchor to the corresponding Step 4b package-discovery snippet in
plugins/k8s-rebase/skills/k8s-rebase/SKILL.md lines 426-436; both sites must
reject only exact root package paths.
🧹 Nitpick comments (2)
plugins/k8s-rebase/scripts/k8s-rebase.sh (1)

251-263: 🔒 Security & Privacy | 🔵 Trivial | 💤 Low value

Quote/array-ify the container exec args instead of relying on unquoted command substitution.

$([[ "$BUMP_TOOLS" == true ]] && echo "--bump-tools") at Line 263 is unquoted, which both ast-grep (flagged as CWE-78-style pattern) and shellcheck (SC2046) call out. In practice BUMP_TOOLS is fully internal (only ever true/false from the script's own arg parser), so this isn't currently exploitable, but the pattern is fragile and worth hardening to an explicit args array for clarity and defense against future refactors that might route less-trusted input through this path.

🛡️ Proposed fix using an args array
+  EXTRA_ARGS=()
+  [[ "$BUMP_TOOLS" == true ]] && EXTRA_ARGS+=("--bump-tools")
   exec $CONTAINER_RT run --rm \
     --security-opt label=disable \
     $USERNS_FLAG \
     -v "$REPO_ROOT:$REPO_ROOT" \
     -v "$(dirname "$SCRIPT_PATH"):$(dirname "$SCRIPT_PATH"):ro" \
     -w "$REPO_ROOT" \
     -e GIT_AUTHOR_NAME="$(git config user.name)" \
     -e GIT_AUTHOR_EMAIL="$(git config user.email)" \
     -e GIT_COMMITTER_NAME="$(git config user.name)" \
     -e GIT_COMMITTER_EMAIL="$(git config user.email)" \
     -e K8S_REBASE_IN_CONTAINER=1 \
     "$GO_IMAGE" \
-    bash "$SCRIPT_PATH" $([[ "$BUMP_TOOLS" == true ]] && echo "--bump-tools") "$VERSION_INPUT"
+    bash "$SCRIPT_PATH" "${EXTRA_ARGS[@]}" "$VERSION_INPUT"
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@plugins/k8s-rebase/scripts/k8s-rebase.sh` around lines 251 - 263, Replace the
unquoted conditional command substitution in the container execution command
with an explicit argument array, adding --bump-tools only when BUMP_TOOLS is
true and then expanding the array safely. Update the exec invocation in the
container run block while preserving the existing script, image, and version
arguments.
plugins/k8s-rebase/scripts/k8s-rebase-autofix.sh (1)

172-217: 📐 Maintainability & Code Quality | 🔵 Trivial | ⚡ Quick win

Gate-parent/dep computation duplicated 3× (run_checks twice, fix_feature_gates once).

_all_gate_names (L174-183) and _sfm_gates (L204-210) compute the identical set — active GATE_DEPS parents plus their vendor-present deps — twice within run_checks(), and fix_feature_gates() (L1112-1125) recomputes it a third time with arrays instead of strings. Any future change to how gates/deps are filtered risks drifting between the three copies.

♻️ Suggested direction

Extract one helper (e.g. _compute_active_gates) that echoes space-separated gate names, and reuse it for _all_gate_names, _sfm_gates, and fix_feature_gates's all_gates (via read -ra into an array where an array is needed).

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@plugins/k8s-rebase/scripts/k8s-rebase-autofix.sh` around lines 172 - 217,
Extract the duplicated active gate/ dependency discovery into a single helper,
such as _compute_active_gates, that returns the vendor-present parent and
dependency names in a space-separated form. Update run_checks to reuse this
result for both _all_gate_names and _sfm_gates, and update fix_feature_gates to
populate its all_gates array from the helper output via read -ra, removing its
separate computation while preserving existing filtering behavior.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@plugins/k8s-rebase/docs/k8s-rebase-patterns.md`:
- Line 154: Add language identifiers to every fenced code block in
k8s-rebase-patterns.md, including the blocks at the referenced locations. Use
text for diagnostic/output blocks and the appropriate language identifier for
each code or configuration block, eliminating all MD040 violations.
- Around line 459-470: Update the replace directive workaround guidance near the
example to require a trusted, reviewed fork and an immutable pinned version or
commit reference instead of the generic FORK placeholder. Retain the instruction
to remove the replace directive once the official library-go fix is available.

In `@plugins/k8s-rebase/gates/step3-autofix/autofix-result.md`:
- Around line 1-9: Update the autofix verification guidance to treat matching
git-log commit counts only as supporting evidence, not proof of execution.
Require corroborating diff, result, or script-output evidence so no-op and
squashed/combined successful runs are recognized, while preserving the
instruction to ignore stale gitignored vendor directories and avoid escalating
them.

In `@plugins/k8s-rebase/gates/step3-autofix/crd-validation.md`:
- Around line 8-11: Replace the brittle main/master merge-base fallback with
resolved default/target branch detection, mirroring the existing detection in
k8s-rebase.sh before comparing against the base. In
plugins/k8s-rebase/gates/step3-autofix/crd-validation.md lines 8-11, use the
resolved base for git show metadata.name comparisons; in
plugins/k8s-rebase/gates/step4-verification/go-version-check.md lines 4-9, reuse
the same resolved base for both go and toolchain directive git diff checks,
ensuring unresolved bases fail rather than silently producing zero differences.

In `@plugins/k8s-rebase/gates/step4-verification/build-vet-recheck.md`:
- Line 11: Update the subshell command in the build-and-vet verification step to
exit when changing to mod_dir fails, then run go build and go vet while
capturing each command’s status and return a failure if either command fails.
Preserve both commands’ output and ensure the combined status reflects both
checks.

In `@plugins/k8s-rebase/skills/k8s-rebase/SKILL.md`:
- Around line 1-9: Add an overlap-review summary to the k8s-rebase skill
documentation, covering the four-phase comparison against open PRs and existing
skills/commands. Include the required HIGH/MODERATE/LOW classification and
retain the existing front matter and skill instructions unchanged.

---

Duplicate comments:
In `@plugins/k8s-rebase/gates/step3-autofix/crd-validation.md`:
- Around line 6-7: Update the CRD validation instructions in step 3 so the count
identifies schema objects containing both format: int32 and maximum: 4294967295
regardless of key order, comments, blank lines, or intervening properties;
remove the line-adjacency requirement and preserve exact reporting for the
read-only gate.

In `@plugins/k8s-rebase/scripts/k8s-rebase-autofix.sh`:
- Around line 122-128: The jq bootstrap blocks in
plugins/k8s-rebase/scripts/k8s-rebase-autofix.sh lines 122-128 and
plugins/k8s-rebase/scripts/k8s-rebase-validate.sh lines 125-131 use a
predictable shared /tmp/jq path. In both scripts, create a unique temporary
directory with mktemp -d, download and verify jq within that directory, make
that file executable, and prepend only the temporary directory to PATH.

In `@plugins/k8s-rebase/scripts/k8s-rebase-review.sh`:
- Around line 30-59: Update the Step 4c invocation and the evidence preparation
around PATTERN_HINT, K8S_CHANGELOG, and DIFF so the review runs per rebased
commit with that commit’s actual error output, commit message, and scoped diff
rather than once at final HEAD with the literal “k8s rebase” value. Preserve the
existing filtering and fallback behavior while ensuring each invocation receives
commit-specific context before the review runs.

In `@plugins/k8s-rebase/scripts/k8s-rebase-validate.sh`:
- Around line 277-295: Anchor the root package regex to the full package name by
adding a trailing $ to the grep -qE pattern in run_test_only() within
plugins/k8s-rebase/scripts/k8s-rebase-validate.sh lines 277-295. Apply the same
trailing anchor to the corresponding Step 4b package-discovery snippet in
plugins/k8s-rebase/skills/k8s-rebase/SKILL.md lines 426-436; both sites must
reject only exact root package paths.

In `@plugins/k8s-rebase/scripts/k8s-rebase.sh`:
- Around line 686-695: Restrict the bare-version replacement in the Pass 2 loop
to Kubernetes-specific documentation instead of matching every standalone
numeric token under docs/. Update the grep/perl selection around OLD_SHORT and
NEW_SHORT to require an appropriate Kubernetes context, while preserving the
existing protections for IP addresses, compound versions, and patch versions.

---

Nitpick comments:
In `@plugins/k8s-rebase/scripts/k8s-rebase-autofix.sh`:
- Around line 172-217: Extract the duplicated active gate/ dependency discovery
into a single helper, such as _compute_active_gates, that returns the
vendor-present parent and dependency names in a space-separated form. Update
run_checks to reuse this result for both _all_gate_names and _sfm_gates, and
update fix_feature_gates to populate its all_gates array from the helper output
via read -ra, removing its separate computation while preserving existing
filtering behavior.

In `@plugins/k8s-rebase/scripts/k8s-rebase.sh`:
- Around line 251-263: Replace the unquoted conditional command substitution in
the container execution command with an explicit argument array, adding
--bump-tools only when BUMP_TOOLS is true and then expanding the array safely.
Update the exec invocation in the container run block while preserving the
existing script, image, and version arguments.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 8bf0d47c-2dbc-44f3-bbac-534fbd62c92a

📥 Commits

Reviewing files that changed from the base of the PR and between f06d1b9 and c0724a4.

📒 Files selected for processing (42)
  • .claude-plugin/marketplace.json
  • docs/index.html
  • plugins/k8s-rebase/.claude-plugin/plugin.json
  • plugins/k8s-rebase/OWNERS
  • plugins/k8s-rebase/README.md
  • plugins/k8s-rebase/docs/k8s-rebase-patterns.md
  • plugins/k8s-rebase/gates/step1-rebase/rebase-completeness.md
  • plugins/k8s-rebase/gates/step2-compilation/build-vet.md
  • plugins/k8s-rebase/gates/step2-compilation/diff-scope.md
  • plugins/k8s-rebase/gates/step2-compilation/fix-correctness.md
  • plugins/k8s-rebase/gates/step2-compilation/type-conversions.md
  • plugins/k8s-rebase/gates/step2-compilation/version-consistency.md
  • plugins/k8s-rebase/gates/step3-autofix/autofix-diff-review.md
  • plugins/k8s-rebase/gates/step3-autofix/autofix-result.md
  • plugins/k8s-rebase/gates/step3-autofix/crd-validation.md
  • plugins/k8s-rebase/gates/step3-autofix/dep-release-notes.md
  • plugins/k8s-rebase/gates/step3-autofix/deprecated-api-remnants.md
  • plugins/k8s-rebase/gates/step3-autofix/e2e-infra.md
  • plugins/k8s-rebase/gates/step3-autofix/feature-gates.md
  • plugins/k8s-rebase/gates/step3-autofix/logical-completeness.md
  • plugins/k8s-rebase/gates/step3-autofix/patterns-completeness.md
  • plugins/k8s-rebase/gates/step4-verification/build-vet-recheck.md
  • plugins/k8s-rebase/gates/step4-verification/ci-prediction.md
  • plugins/k8s-rebase/gates/step4-verification/ci-readiness.md
  • plugins/k8s-rebase/gates/step4-verification/cleanliness.md
  • plugins/k8s-rebase/gates/step4-verification/commit-messages.md
  • plugins/k8s-rebase/gates/step4-verification/correctness.md
  • plugins/k8s-rebase/gates/step4-verification/dep-cve-check.md
  • plugins/k8s-rebase/gates/step4-verification/deprecated-imports.md
  • plugins/k8s-rebase/gates/step4-verification/go-version-check.md
  • plugins/k8s-rebase/gates/step4-verification/gomod-diff-analysis.md
  • plugins/k8s-rebase/gates/step4-verification/k8s-changelog.md
  • plugins/k8s-rebase/gates/step4-verification/logical-consistency.md
  • plugins/k8s-rebase/gates/step4-verification/maintainer-review.md
  • plugins/k8s-rebase/gates/step4-verification/skill-improvement.md
  • plugins/k8s-rebase/gates/step4-verification/version-completeness.md
  • plugins/k8s-rebase/scripts/k8s-rebase-autofix.sh
  • plugins/k8s-rebase/scripts/k8s-rebase-review-prompt.md
  • plugins/k8s-rebase/scripts/k8s-rebase-review.sh
  • plugins/k8s-rebase/scripts/k8s-rebase-validate.sh
  • plugins/k8s-rebase/scripts/k8s-rebase.sh
  • plugins/k8s-rebase/skills/k8s-rebase/SKILL.md
🚧 Files skipped from review as they are similar to previous changes (26)
  • plugins/k8s-rebase/gates/step2-compilation/fix-correctness.md
  • plugins/k8s-rebase/gates/step4-verification/cleanliness.md
  • plugins/k8s-rebase/gates/step3-autofix/autofix-diff-review.md
  • plugins/k8s-rebase/scripts/k8s-rebase-review-prompt.md
  • plugins/k8s-rebase/gates/step3-autofix/patterns-completeness.md
  • plugins/k8s-rebase/.claude-plugin/plugin.json
  • plugins/k8s-rebase/gates/step1-rebase/rebase-completeness.md
  • plugins/k8s-rebase/gates/step3-autofix/logical-completeness.md
  • plugins/k8s-rebase/gates/step2-compilation/type-conversions.md
  • plugins/k8s-rebase/gates/step3-autofix/deprecated-api-remnants.md
  • plugins/k8s-rebase/gates/step3-autofix/e2e-infra.md
  • .claude-plugin/marketplace.json
  • plugins/k8s-rebase/gates/step3-autofix/feature-gates.md
  • plugins/k8s-rebase/gates/step3-autofix/dep-release-notes.md
  • plugins/k8s-rebase/gates/step4-verification/logical-consistency.md
  • plugins/k8s-rebase/gates/step2-compilation/version-consistency.md
  • plugins/k8s-rebase/gates/step4-verification/maintainer-review.md
  • plugins/k8s-rebase/gates/step4-verification/commit-messages.md
  • plugins/k8s-rebase/gates/step4-verification/dep-cve-check.md
  • plugins/k8s-rebase/README.md
  • plugins/k8s-rebase/gates/step4-verification/skill-improvement.md
  • plugins/k8s-rebase/OWNERS
  • plugins/k8s-rebase/gates/step4-verification/ci-readiness.md
  • plugins/k8s-rebase/gates/step4-verification/k8s-changelog.md
  • plugins/k8s-rebase/gates/step4-verification/deprecated-imports.md
  • docs/index.html

The v0.2.0 conformance suite also expects `ClusterNetworkPolicy`
resources in `v1alpha2` API version. If the project only installs
`v1alpha1` CRDs, conformance tests fail with:
```

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

📐 Maintainability & Code Quality | 🟡 Minor | ⚡ Quick win

Add language identifiers to all fenced blocks.

markdownlint reports six MD040 violations. Mark diagnostic blocks as text and code/configuration blocks with their appropriate language to keep documentation checks green.

Also applies to: 266-266, 270-270, 294-294, 329-329, 463-463

🧰 Tools
🪛 markdownlint-cli2 (0.23.0)

[warning] 154-154: Fenced code blocks should have a language specified

(MD040, fenced-code-language)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@plugins/k8s-rebase/docs/k8s-rebase-patterns.md` at line 154, Add language
identifiers to every fenced code block in k8s-rebase-patterns.md, including the
blocks at the referenced locations. Use text for diagnostic/output blocks and
the appropriate language identifier for each code or configuration block,
eliminating all MD040 violations.

Source: Linters/SAST tools

Comment on lines +459 to +470
**Replace directive workaround:** If library-go hasn't merged
its k8s bump yet, use a `replace` directive in go.mod pointing
to a fork that has the fix:

```
replace github.com/openshift/library-go => github.com/FORK/library-go v0.0.0-DATE-HASH
```

This is the standard approach used by manual rebases (e.g.,
CNO PR #3017 uses `jubittajohn/library-go`). The `replace`
survives `go mod vendor` because it directs the module system
to fetch from the fork. Remove the `replace` when the official

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🔒 Security & Privacy | 🟠 Major | ⚡ Quick win

Require trusted, immutable fork references for the replace workaround.

A generic github.com/FORK/library-go replacement changes dependency provenance. Document that the fork must be trusted, reviewed, pinned to an immutable version, and removed once the upstream fix lands.

🧰 Tools
🪛 markdownlint-cli2 (0.23.0)

[warning] 463-463: Fenced code blocks should have a language specified

(MD040, fenced-code-language)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@plugins/k8s-rebase/docs/k8s-rebase-patterns.md` around lines 459 - 470,
Update the replace directive workaround guidance near the example to require a
trusted, reviewed fork and an immutable pinned version or commit reference
instead of the generic FORK placeholder. Retain the instruction to remove the
replace directive once the official library-go fix is available.

Comment on lines +1 to +9
Check the autofix results by examining git log for the autofix
commits. Look for commits matching patterns like "Migrate x/exp
imports", "Disable new default-true feature gates", "Update KIND
image", "Update version references and lint". Count how many
autofix commits were created. If zero, the autofix may not have
run. Ignore stale vendor in gitignored directories
(`git check-ignore -q <dir>/vendor`) — these are expected and
not maintained by the rebase. Do NOT escalate gitignored vendor
staleness as a blocker.

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🎯 Functional Correctness | 🟠 Major | ⚡ Quick win

Do not infer autofix execution from commit-message patterns alone.

A no-op run or squashed/combined commit can produce zero matching commits even when autofix completed successfully. Require corroborating diff, result, or script-output evidence; treat the git-log count as supporting evidence only.

🧰 Tools
🪛 LanguageTool

[grammar] ~8-~8: Ensure spelling is correct
Context: ...intained by the rebase. Do NOT escalate gitignored vendor staleness as a blocker. Report ...

(QB_NEW_EN_ORTHOGRAPHY_ERROR_IDS_1)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@plugins/k8s-rebase/gates/step3-autofix/autofix-result.md` around lines 1 - 9,
Update the autofix verification guidance to treat matching git-log commit counts
only as supporting evidence, not proof of execution. Require corroborating diff,
result, or script-output evidence so no-op and squashed/combined successful runs
are recognized, while preserving the instruction to ignore stale gitignored
vendor directories and avoid escalating them.

Comment on lines +8 to +11
2. Count CRDs that lost metadata.name pattern validation
compared to the base branch. Detect the base branch with
`git merge-base HEAD main 2>/dev/null || git merge-base HEAD master`,
then use `git show <base>:path` to check the original.

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🎯 Functional Correctness | 🟠 Major | ⚡ Quick win

Same brittle main/master merge-base assumption repeated across gate prompts. Both gates resolve the comparison base with git merge-base HEAD main 2>/dev/null || git merge-base HEAD master; when the default branch is neither, the substitution is empty and git diff $(...)..HEAD degenerates to git diff ..HEAD (interpreted as HEAD..HEAD), silently reporting zero differences instead of erroring — the opposite of what a "read-only, must report exact counts" gate should do on an unresolvable base.

  • plugins/k8s-rebase/gates/step3-autofix/crd-validation.md#L8-L11: derive the actual default/target branch (e.g. via git symbolic-ref refs/remotes/origin/HEAD, mirroring the detection already done in k8s-rebase.sh at Line 300) before using git show <base>:path for the metadata.name comparison.
  • plugins/k8s-rebase/gates/step4-verification/go-version-check.md#L4-L9: apply the same resolved-base-ref approach to both the go directive and toolchain directive git diff invocations instead of hardcoding main/master.
📍 Affects 2 files
  • plugins/k8s-rebase/gates/step3-autofix/crd-validation.md#L8-L11 (this comment)
  • plugins/k8s-rebase/gates/step4-verification/go-version-check.md#L4-L9
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@plugins/k8s-rebase/gates/step3-autofix/crd-validation.md` around lines 8 -
11, Replace the brittle main/master merge-base fallback with resolved
default/target branch detection, mirroring the existing detection in
k8s-rebase.sh before comparing against the base. In
plugins/k8s-rebase/gates/step3-autofix/crd-validation.md lines 8-11, use the
resolved base for git show metadata.name comparisons; in
plugins/k8s-rebase/gates/step4-verification/go-version-check.md lines 4-9, reuse
the same resolved base for both go and toolchain directive git diff checks,
ensuring unresolved bases fail rather than silently producing zero differences.

continue
fi
echo "CHECK $mod_dir"
(cd "$mod_dir" && go build ./... 2>&1; go vet ./... 2>&1)

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🎯 Functional Correctness | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

set -euo pipefail

sed -n '1,120p' plugins/k8s-rebase/gates/step4-verification/build-vet-recheck.md

Repository: openshift-eng/ai-helpers

Length of output: 1100


🏁 Script executed:

sed -n '1,80p' plugins/k8s-rebase/gates/step4-verification/build-vet-recheck.md

Repository: openshift-eng/ai-helpers

Length of output: 1100


Preserve both exit codes in the subshell.

(cd "$mod_dir" && go build ./... 2>&1; go vet ./... 2>&1) still returns only go vet’s status, so a failed build can be reported as success. go vet also runs from the caller’s directory if cd fails. Guard the directory change and combine both exit codes before returning.

Suggested adjustment
-  (cd "$mod_dir" && go build ./... 2>&1; go vet ./... 2>&1)
+  (
+    cd "$mod_dir" || exit 1
+    build_rc=0
+    go build ./... 2>&1 || build_rc=$?
+    vet_rc=0
+    go vet ./... 2>&1 || vet_rc=$?
+    (( build_rc == 0 && vet_rc == 0 ))
+  )
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
(cd "$mod_dir" && go build ./... 2>&1; go vet ./... 2>&1)
(
cd "$mod_dir" || exit 1
build_rc=0
go build ./... 2>&1 || build_rc=$?
vet_rc=0
go vet ./... 2>&1 || vet_rc=$?
(( build_rc == 0 && vet_rc == 0 ))
)
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@plugins/k8s-rebase/gates/step4-verification/build-vet-recheck.md` at line 11,
Update the subshell command in the build-and-vet verification step to exit when
changing to mod_dir fails, then run go build and go vet while capturing each
command’s status and return a failure if either command fails. Preserve both
commands’ output and ensure the combined status reflects both checks.

Comment on lines +1 to +9
---
name: k8s-rebase
description: Rebase a Go project to a new Kubernetes version by bumping all k8s.io/* dependencies, running codegen, updating version references, fixing build breakage with antagonistic review, and presenting a gh pr create command.
argument-hint: "[--bump-tools] <version> (e.g., 1.36.0 or --bump-tools 1.36.0)"
user-invocable: true
allowed-tools: Bash, Read, Agent
---

# Kubernetes Rebase

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

📐 Maintainability & Code Quality | 🟡 Minor | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
gh pr list --repo openshift-eng/ai-helpers --state open --json number,title,files \
  --jq '.[] | select(.files[].path | test("k8s-rebase|SKILL\\.md")) | {number, title}'

Repository: openshift-eng/ai-helpers

Length of output: 6075


🏁 Script executed:

#!/bin/bash
set -euo pipefail

printf '\n== Repo files ==\n'
git ls-files 'plugins/*/skills/*/SKILL.md' 'plugins/*/commands/*.md' | sed -n '1,200p'

printf '\n== Candidate related files ==\n'
git ls-files 'plugins/rebase-library-go/skills/*/SKILL.md' 'plugins/k8s-rebase/skills/*/SKILL.md' | sed -n '1,200p'

printf '\n== Outline k8s-rebase skill ==\n'
ast-grep outline plugins/k8s-rebase/skills/k8s-rebase/SKILL.md --view expanded || true

printf '\n== Outline rebase-library-go skill ==\n'
ast-grep outline plugins/rebase-library-go/skills/rebase-library-go/SKILL.md --view expanded || true

Repository: openshift-eng/ai-helpers

Length of output: 9494


🏁 Script executed:

#!/bin/bash
set -euo pipefail

printf '\n== PR 617 metadata ==\n'
gh pr view 617 --repo openshift-eng/ai-helpers --json number,title,body,files,comments,reviews \
  --jq '{number,title,body,files:[.files[].path],comments:[.comments[].body],reviews:[.reviews[].body]}'

Repository: openshift-eng/ai-helpers

Length of output: 50383


🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "## related files"
git ls-files 'plugins/*/skills/*/SKILL.md' | sed -n '1,120p'

echo "## k8s-rebase skill"
cat -n plugins/k8s-rebase/skills/k8s-rebase/SKILL.md | sed -n '1,120p'

echo "## rebase-library-go skill"
cat -n plugins/rebase-library-go/skills/rebase-library-go/SKILL.md | sed -n '1,220p'

Repository: openshift-eng/ai-helpers

Length of output: 11672


🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "## rebase-related files"
git ls-files 'plugins/*/*rebase*' 'plugins/*/commands/*rebase*.md' 'plugins/*/skills/*rebase*/SKILL.md' | sed -n '1,200p'

echo
echo "## search for k8s rebase references"
rg -n --glob 'plugins/**' -S 'k8s rebase|k8s-rebase|k8s\.io/\*|dependency rebase|rebase a Go project|bump-deps|rebase' plugins | sed -n '1,240p'

Repository: openshift-eng/ai-helpers

Length of output: 29890


🏁 Script executed:

#!/bin/bash
set -euo pipefail

for f in plugins/openshift/commands/rebase.md plugins/openshift/commands/bump-deps.md plugins/openshift/commands/create-cluster.md; do
  if [ -f "$f" ]; then
    echo "## $f"
    cat -n "$f" | sed -n '1,220p'
    echo
  fi
done

Repository: openshift-eng/ai-helpers

Length of output: 25755


🏁 Script executed:

#!/bin/bash
set -euo pipefail

gh pr view 617 --repo openshift-eng/ai-helpers --json files --jq '.files[].path' | sed -n '1,80p'

Repository: openshift-eng/ai-helpers

Length of output: 2500


🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "## rebase-related files"
git ls-files 'plugins/*/*rebase*' 'plugins/*/commands/*rebase*.md' 'plugins/*/skills/*rebase*/SKILL.md' | sed -n '1,200p'

echo
echo "## k8s-rebase PR files"
gh pr view 617 --repo openshift-eng/ai-helpers --json files --jq '.files[].path' | sed -n '1,120p'

echo
echo "## search for overlap-relevant wording"
rg -n -S 'overlap|related PR|possibly related|similar|duplicate|rebase|k8s\.io/\*|dependency rebase|bump-deps' \
  plugins/k8s-rebase plugins/openshift plugins/ci plugins/code-review plugins/golang | sed -n '1,260p'

Repository: openshift-eng/ai-helpers

Length of output: 39182


Add the overlap-review summary for this new skill. PR #617 already notes related PRs, but this file still needs the 4-phase comparison against open PRs and existing skills/commands, plus the HIGH/MODERATE/LOW classification.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@plugins/k8s-rebase/skills/k8s-rebase/SKILL.md` around lines 1 - 9, Add an
overlap-review summary to the k8s-rebase skill documentation, covering the
four-phase comparison against open PRs and existing skills/commands. Include the
required HIGH/MODERATE/LOW classification and retain the existing front matter
and skill instructions unchanged.

Source: Coding guidelines

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

approved Indicates a PR has been approved by an approver from all required OWNERS files. do-not-merge/invalid-owners-file Indicates that a PR should not merge because it has an invalid OWNERS file in it. do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test.

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants