Skip to content

OLS-3434 Add CI check for hermetic build hash file sync#2982

Open
vimalk78 wants to merge 1 commit into
openshift:mainfrom
vimalk78:worktree-ols-3434-verify-hermetic-deps
Open

OLS-3434 Add CI check for hermetic build hash file sync#2982
vimalk78 wants to merge 1 commit into
openshift:mainfrom
vimalk78:worktree-ols-3434-verify-hermetic-deps

Conversation

@vimalk78

@vimalk78 vimalk78 commented Jul 2, 2026

Copy link
Copy Markdown
Contributor

Description

Summary

  • Add make verify-hermetic-requirements that verifies all runtime dependencies in uv.lock are present in the Konflux hermetic build hash files
    (requirements.hashes.source.txt / requirements.hashes.wheel.txt)
  • Runs as part of make verify (Prow CI), so PRs that add deps to pyproject.toml without updating hash files will fail
  • Also detects stale entries in the allowlist when packages are removed from uv.lock

Context

OLS-3417 fixed a production crash caused by missing opentelemetry and Bedrock deps in the hermetic build. Two PRs had updated pyproject.toml and uv.lock but
forgot to update the hash files. This check would have caught both before merge.

Test plan

  • make verify-hermetic-requirements passes on current main
  • Removing a package from hash files causes the check to fail
  • Adding a stale entry to the allowlist causes the check to fail
  • Prow verify job passes

Type of change

  • Refactor
  • New feature
  • Bug fix
  • CVE fix
  • Optimization
  • Documentation Update
  • Configuration Update
  • Bump-up dependent library
  • Bump-up library or tool used for development (does not change the final image)
  • CI configuration change
  • Konflux configuration change

Related Tickets & Documents

  • Related Issue #
  • Closes #

Checklist before requesting a review

  • I have performed a self-review of my code.
  • PR has passed all pre-merge test jobs.
  • If it is a core feature, I have added thorough tests.

Testing

  • Please provide detailed steps to perform tests related to this code change.
  • How were the fix/results from this change verified? Please provide relevant screenshots or results.

Summary by CodeRabbit

  • Bug Fixes
    • Added a verification step to catch mismatches between dependency lock data and hermetic build hash files.
    • Improved validation so missing or outdated package entries are reported clearly before release.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Signed-off-by: Vimal Kumar <vimal78@gmail.com>
@coderabbitai

coderabbitai Bot commented Jul 2, 2026

Copy link
Copy Markdown

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 8c2cdc1d-e820-4c2a-a26d-79886143953e

📥 Commits

Reviewing files that changed from the base of the PR and between 9796f97 and 820c566.

📒 Files selected for processing (2)
  • Makefile
  • scripts/verify_hermetic_requirements.sh

📝 Walkthrough

Walkthrough

A new Bash script, verify_hermetic_requirements.sh, is added to check that hermetic build hash files stay in sync with uv.lock runtime dependencies, allowing a hardcoded exclusion list. The Makefile's verify target is updated to invoke this new check.

Changes

Hermetic build dependency verification

Layer / File(s) Summary
Script setup and data extraction
scripts/verify_hermetic_requirements.sh
Defines hash file paths and EXPECTED_MISSING allowlist, sets up temp directory cleanup via trap, adds logging/normalization helpers, and extracts/normalizes runtime deps from uv.lock and package names from hash files.
Stale allowlist and missing package checks
scripts/verify_hermetic_requirements.sh
Detects stale EXPECTED_MISSING entries no longer in uv.lock, computes packages missing from hermetic hash files, and reports errors with fix instructions or logs success.
Makefile wiring
Makefile
Adds verify-hermetic-requirements to .PHONY, makes it a prerequisite of verify, and defines the new target to run the script.

Estimated code review effort: 2 (Simple) | ~15 minutes

Sequence Diagram(s)

sequenceDiagram
  participant Make as Makefile verify
  participant Script as verify_hermetic_requirements.sh
  participant UvLock as uv.lock
  participant HashFiles as hermetic hash files

  Make->>Script: run ./scripts/verify_hermetic_requirements.sh
  Script->>UvLock: uv export runtime deps
  Script->>HashFiles: parse package names from hash files
  Script->>Script: normalize, exclude EXPECTED_MISSING, diff sets
  alt missing packages found
    Script-->>Make: exit failure with package report
  else no missing packages
    Script-->>Make: exit success ("OK")
  end
Loading

Possibly related PRs

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title accurately summarizes the new CI check that verifies hermetic build hash files stay in sync with uv.lock.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Comment @coderabbitai help to get the list of available commands.

@openshift-ci openshift-ci Bot requested review from bparees and xrajesh July 2, 2026 09:47
@JoaoFula

JoaoFula commented Jul 2, 2026

Copy link
Copy Markdown
Contributor

/lgtm

@openshift-ci openshift-ci Bot added the lgtm Indicates that a PR is ready to be merged. label Jul 2, 2026
@raptorsun

Copy link
Copy Markdown
Contributor

/lgtm
/approve

@openshift-ci

openshift-ci Bot commented Jul 2, 2026

Copy link
Copy Markdown

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: raptorsun

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci openshift-ci Bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Jul 2, 2026
@openshift-merge-bot

Copy link
Copy Markdown
Contributor

/retest-required

Remaining retests: 0 against base HEAD e2a260e and 2 for PR HEAD 820c566 in total

@openshift-merge-bot

Copy link
Copy Markdown
Contributor

/retest-required

Remaining retests: 0 against base HEAD 86e7b38 and 1 for PR HEAD 820c566 in total

@openshift-ci

openshift-ci Bot commented Jul 4, 2026

Copy link
Copy Markdown

@vimalk78: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name Commit Details Required Rerun command
ci/prow/verify 820c566 link true /test verify

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

@raptorsun

Copy link
Copy Markdown
Contributor

@vimalk78 we may need to fix the error found in ci/prow/verify before merging

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

approved Indicates a PR has been approved by an approver from all required OWNERS files. lgtm Indicates that a PR is ready to be merged.

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants