NO-JIRA: Add manifests verify target

[RadekManak]

This PR adds make target that verifies ocp-manfiests does not produce a diff in the transport configmap.

It is taking the PROVIDER_VERSION from the generated file. Due to that, it won't be able to verify whether the version was updated or not.

[openshift-ci-robot]

@RadekManak: This pull request explicitly references no jira issue.

In response to this:

This PR adds make target that verifies ocp-manfiests does not produce a diff in the transport configmap.

It is taking the PROVIDER_VERSION from the generated file. Due to that, it won't be able to verify whether the version was updated or not.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign joelspeed for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[coderabbitai]

Walkthrough

Added two verification targets to openshift/Makefile (verify and verify-ocp-manifests) where verify-ocp-manifests extracts PROVIDER_VERSION from manifests and runs the manifest verification flow, and added openshift/verify-diff.sh to ensure no untracked or unstaged changes.

Changes

Cohort / File(s)	Summary
Makefile verification targets openshift/Makefile	Added verify target now depending on verify-ocp-manifests. Added verify-ocp-manifests which extracts PROVIDER_VERSION from manifests via yq, invokes the ocp-manifests flow with that version, and runs verify-diff.sh.
Verification utility script openshift/verify-diff.sh	New Bash script that collects untracked files with git ls-files -o --exclude-standard, fails if any exist (printing them), otherwise runs git diff --exit-code to ensure no unstaged changes.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Pre-merge checks and finishing touches

✅ Passed checks (3 passed)

Check name	Status	Explanation
Title Check	✅ Passed	The pull request title "NO-JIRA: Add manifests verify target" accurately and concisely describes the main change in the changeset. The summary confirms that new make targets verify and verify-ocp-manifests are being introduced to verify ocp-manifests output. The title is specific about what is being added (a verify target for manifests) and is clear enough for a teammate to understand the primary change when scanning history.
Description Check	✅ Passed	The pull request description is directly related to the changeset. It explains that the PR adds a make target to verify ocp-manifests does not produce a diff in the transport configmap and clarifies the limitation that PROVIDER_VERSION is taken from the generated file, preventing verification of provider version updates. This description aligns with the actual changes summarized in the raw summary, which shows new verification targets and scripts being added.
Docstring Coverage	✅ Passed	No functions found in the changes. Docstring coverage check skipped.

✨ Finishing touches

• 📝 Generate docstrings

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment

---

📜 Recent review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

Cache: Disabled due to data retention organization setting

Knowledge base: Disabled due to Reviews -> Disable Knowledge Base setting

📥 Commits

Reviewing files that changed from the base of the PR and between 686cbdd and 5ccde04.

📒 Files selected for processing (2)

• openshift/Makefile (1 hunks)
• openshift/verify-diff.sh (1 hunks)

🚧 Files skipped from review as they are similar to previous changes (2)

• openshift/Makefile
• openshift/verify-diff.sh

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 2

🧹 Nitpick comments (2)

openshift/verify-diff.sh (1)

1-11: Consider adding defensive script options for robustness.

Adding set -e or set -euo pipefail at the top of the script would catch unexpected failures early and prevent silent continuation on errors. This is a best practice for verification scripts.

Apply this diff to add defensive scripting:

 #!/bin/bash
+set -euo pipefail

 FILE_DIFF=$(git ls-files -o --exclude-standard)

openshift/Makefile (1)

22-22: Verify robustness of yq extraction for version label.

The yq command at line 22 depends on the exact key path .metadata.labels."provider.cluster.x-k8s.io/version" and file path. Consider documenting the expected manifest structure or adding error handling (e.g., check if extraction succeeds) to provide clearer failure messages if the manifest format changes.

If this warrants defensive coding, consider:

 @echo "Extracting provider version from existing manifest..."
-$(eval PROVIDER_VERSION := $(shell yq eval '.metadata.labels."provider.cluster.x-k8s.io/version"' manifests/0000_30_cluster-api_04_cm.infrastructure-aws.yaml))
+$(eval PROVIDER_VERSION := $(shell yq eval '.metadata.labels."provider.cluster.x-k8s.io/version"' manifests/0000_30_cluster-api_04_cm.infrastructure-aws.yaml || echo ""))
+ifndef PROVIDER_VERSION
+	$(error Failed to extract PROVIDER_VERSION from manifest)
+endif

However, this may be overkill if manifest stability is guaranteed.

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

Cache: Disabled due to data retention organization setting

Knowledge base: Disabled due to Reviews -> Disable Knowledge Base setting

📥 Commits

Reviewing files that changed from the base of the PR and between 5393904 and 686cbdd.

📒 Files selected for processing (2)

• openshift/Makefile (1 hunks)
• openshift/verify-diff.sh (1 hunks)

🧰 Additional context used

🪛 checkmake (0.2.2)

openshift/Makefile

[warning] 15-15: Target "verify" should be declared PHONY.

(phonydeclared)

[openshift-ci]

@RadekManak: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/okd-scos-e2e-aws-ovn	5ccde04	link	false	/test okd-scos-e2e-aws-ovn
ci/prow/e2e-aws-ovn	5ccde04	link	true	/test e2e-aws-ovn

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

[chrischdi]

Isn't this a cyclic dependency?

Like if we did not run make manfiest-gen we might use the old version here?

[RadekManak]

Yes. If someone runs this instead of ocp-manfiests it will update the manifests, keep the old version number, print diff, error. Someone could theoretically commit that, and then it would pass in CI.

What about restricting this target to CI using environment variable?