Test orion url fix for Prow censoring

[mmnabeel317]

Summary

Temporarily points the Orion CI step to a fix branch (mmnabeel317/orion#fix/prow-url-censoring) to test a fix for broken build URLs in Orion's HTML visualizations.

Problem

When Orion generates --viz HTML artifacts, the buildUrl values (e.g. Prow job links) are embedded directly in the Plotly figure JSON. Prow's secret scanner detects ocp-qe-perfscale as part of a secret and replaces it with XXXXXXXX in the uploaded artifact files. This breaks the click-to-open-build functionality on changepoint markers in the visualization.

Fix being tested

The Orion fix base64-encodes all buildUrl values in the Plotly customdata field. The injected JavaScript click handler decodes them via atob() before calling window.open(). Since the base64 representation does not contain the literal secret string, Prow's scanner skips it and the URLs survive intact.

Orion PR branch: https://github.com/mmnabeel317/orion/tree/fix/prow-url-censoring

Changes in this PR

• ci-operator/step-registry/openshift-qe/orion/openshift-qe-orion-commands.sh: temporarily clones from the fix branch instead of the latest release tag. The original block is commented out for easy restoration.

/cc @mohit-sheth

Summary by CodeRabbit

• Bug Fixes

  • Improved CI test source acquisition to use a fixed repository branch for more reliable and consistent test retrieval.
  • Added an early debug log in cluster-density runs to aid troubleshooting.

• Chores

  • Updated CI orchestration scripts to streamline test initialization and environment setup.

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: mmnabeel317
Once this PR has been reviewed and has the lgtm label, please assign venkataanil for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• ci-operator/step-registry/openshift-qe/OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[openshift-ci]

Hi @mmnabeel317. Thanks for your PR.

I'm waiting for a openshift member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work.

Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 1e733d13-9d82-499f-9aa1-4fe996a5de56

📥 Commits

Reviewing files that changed from the base of the PR and between c1f5ea9 and c8429a3.

📒 Files selected for processing (2)

• ci-operator/step-registry/openshift-qe/cluster-density-v2/openshift-qe-cluster-density-v2-commands.sh
• ci-operator/step-registry/openshift-qe/orion/openshift-qe-orion-commands.sh

✅ Files skipped from review due to trivial changes (1)

• ci-operator/step-registry/openshift-qe/cluster-density-v2/openshift-qe-cluster-density-v2-commands.sh

🚧 Files skipped from review as they are similar to previous changes (1)

• ci-operator/step-registry/openshift-qe/orion/openshift-qe-orion-commands.sh

---

Walkthrough

Orion cloning logic was simplified to always clone a specific GitHub repo branch; a separate CI script received a single debug echo insertion. Other orchestration and execution steps remain unchanged.

Changes

Cohort / File(s)	Summary
Orion clone logic ci-operator/step-registry/openshift-qe/orion/openshift-qe-orion-commands.sh	Removed dynamic tag-selection and GitHub latest-release fallback; now always clones https://github.com/openshift/orion.git on branch fix/prow-url-censoring. Previous tag logic left as commented reference.
Cluster density debug ci-operator/step-registry/openshift-qe/cluster-density-v2/openshift-qe-cluster-density-v2-commands.sh	Inserted a single debug output echo "hi" before OS and oc related commands.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

🚥 Pre-merge checks | ✅ 12

✅ Passed checks (12 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title 'Test orion url fix for Prow censoring' accurately reflects the main purpose of the PR: testing a fix for Orion URL handling related to Prow's secret censoring.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names	✅ Passed	PR modifies only shell scripts in CI operator step registry; no Go test files or Ginkgo test code present.
Test Structure And Quality	✅ Passed	This check is not applicable to the pull request. The custom check is designed to assess Ginkgo test code quality, but this PR modifies only bash shell scripts used for CI configuration and test orchestration.
Microshift Test Compatibility	✅ Passed	PR only modifies CI infrastructure shell scripts without adding new Ginkgo e2e tests.
Single Node Openshift (Sno) Test Compatibility	✅ Passed	PR modifies CI operator shell scripts only; no Ginkgo e2e tests are introduced or modified.
Topology-Aware Scheduling Compatibility	✅ Passed	Modified files are CI operator step registry shell scripts for test automation, not Kubernetes deployment manifests, operator code, or controllers with scheduling constraints.
Ote Binary Stdout Contract	✅ Passed	The OTE Binary Stdout Contract check is not applicable to these files. The modified files are shell scripts in the CI step registry that execute benchmarking workloads, not OTE binaries.
Ipv6 And Disconnected Network Test Compatibility	✅ Passed	This pull request does not add any new Ginkgo e2e tests. The changes consist solely of modifications to CI operator step registry shell scripts used for test orchestration and infrastructure setup.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@ci-operator/step-registry/openshift-qe/orion/openshift-qe-orion-commands.sh`:
- Around line 13-21: The script currently hardcodes a personal fork and branch
in the git clone (the git clone --branch fix/prow-url-censoring
https://github.com/mmnabeel317/orion.git --depth 1 line), which ignores the
ORION_REPO and TAG knobs and creates a supply-chain risk; restore the original
logic that honors ORION_REPO and TAG (the conditional that sets LATEST_TAG from
the GitHub API when TAG == "latest" and then runs git clone --branch $LATEST_TAG
$ORION_REPO --depth 1) so callers can override repo/tag, and if you must test a
personal fix temporarily, gate it behind an explicit environment variable (e.g.,
ORION_FORK_OVERRIDE) and pin to a commit SHA (not a mutable branch) before
cloning; apply the same change to sibling scripts that clone Orion.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: cd310061-22cf-4e26-87e2-dcdc02b1628d

📥 Commits

Reviewing files that changed from the base of the PR and between d9e4aff and c1f5ea9.

📒 Files selected for processing (1)

• ci-operator/step-registry/openshift-qe/orion/openshift-qe-orion-commands.sh

[coderabbitai]

⚠️ Potential issue | 🟠 Major

Do not merge: hardcoded clone of a personal fork branch targeting main.

This change pins Orion acquisition to https://github.com/mmnabeel317/orion.git on branch fix/prow-url-censoring. Two blocking concerns if this lands on main:

1. Supply-chain / reliability hazard. A personal fork + branch ref is mutable (force-push, rename, delete, visibility change) and not governed by the cloud-bulldozer/orion release process. Every job routed through openshift-qe-orion-commands.sh would silently execute whatever is at that ref, and would break the instant the branch moves or the fork disappears. A --depth 1 clone of a branch also provides no integrity pinning (no tag, no commit SHA).
2. Documented override surface is silently dropped. openshift-qe-orion-ref.yaml still declares ORION_REPO (default cloud-bulldozer/orion.git) and TAG (default latest) as user-overridable knobs, but this hunk ignores both. Any caller setting TAG=v... or ORION_REPO=... on this step will get unexpected behavior with no warning. Sibling scripts (olmv1, report, rhoso variants) still honor the knobs, so this step diverges from the rest of the family.

Recommended path forward (in order of preference):

• Land the base64 fix upstream in cloud-bulldozer/orion, cut a release, then bump via $TAG — no script change needed.
• If a temporary test is unavoidable, do it via a rehearsal / one-off job override or a gated env var, not by editing the shared step on main.

If you still want to keep the toggle in-script for a short-lived experiment, at minimum guard it behind an env var and pin to a commit SHA rather than a branch, e.g.:

🛠️ Suggested safer toggle (env-gated, SHA-pinned)

-# Temporary: test base64 URL encoding fix for Prow secret censoring
-# Original block should be restored after testing:
-#   if [[ $TAG == "latest" ]]; then
-#       LATEST_TAG=$(curl -s "https://api.github.com/repos/cloud-bulldozer/orion/releases/latest" | jq -r '.tag_name');
-#   else
-#       LATEST_TAG=$TAG
-#   fi
-#   git clone --branch $LATEST_TAG $ORION_REPO --depth 1
-git clone --branch fix/prow-url-censoring https://github.com/mmnabeel317/orion.git --depth 1
+if [[ -n "${ORION_TEST_FORK_URL:-}" && -n "${ORION_TEST_FORK_REF:-}" ]]; then
+    echo "WARNING: using experimental Orion fork ${ORION_TEST_FORK_URL}@${ORION_TEST_FORK_REF}"
+    git clone "${ORION_TEST_FORK_URL}" --depth 1
+    pushd orion
+    git fetch --depth 1 origin "${ORION_TEST_FORK_REF}"
+    git checkout FETCH_HEAD
+    popd
+else
+    if [[ $TAG == "latest" ]]; then
+        LATEST_TAG=$(curl -s "https://api.github.com/repos/cloud-bulldozer/orion/releases/latest" | jq -r '.tag_name')
+    else
+        LATEST_TAG=$TAG
+    fi
+    git clone --branch "$LATEST_TAG" "$ORION_REPO" --depth 1
+fi

Also worth noting: once the upstream fix is released, the sibling scripts (olmv1/openshift-qe-orion-olmv1-commands.sh, report, rhoso) will need the same bump to benefit from the Prow-censoring fix; please track that as part of the rollout.

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	# Temporary: test base64 URL encoding fix for Prow secret censoring
	# Original block should be restored after testing:
	# if [[ $TAG == "latest" ]]; then
	# LATEST_TAG=$(curl -s "https://api.github.com/repos/cloud-bulldozer/orion/releases/latest" | jq -r '.tag_name');
	# else
	# LATEST_TAG=$TAG
	# fi
	# git clone --branch $LATEST_TAG $ORION_REPO --depth 1
	git clone --branch fix/prow-url-censoring https://github.com/mmnabeel317/orion.git --depth 1
	if [[ -n "${ORION_TEST_FORK_URL:-}" && -n "${ORION_TEST_FORK_REF:-}" ]]; then
	echo "WARNING: using experimental Orion fork ${ORION_TEST_FORK_URL}@${ORION_TEST_FORK_REF}"
	git clone "${ORION_TEST_FORK_URL}" --depth 1
	pushd orion
	git fetch --depth 1 origin "${ORION_TEST_FORK_REF}"
	git checkout FETCH_HEAD
	popd
	else
	if [[ $TAG == "latest" ]]; then
	LATEST_TAG=$(curl -s "https://api.github.com/repos/cloud-bulldozer/orion/releases/latest" | jq -r '.tag_name')
	else
	LATEST_TAG=$TAG
	fi
	git clone --branch "$LATEST_TAG" "$ORION_REPO" --depth 1
	fi

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@ci-operator/step-registry/openshift-qe/orion/openshift-qe-orion-commands.sh`
around lines 13 - 21, The script currently hardcodes a personal fork and branch
in the git clone (the git clone --branch fix/prow-url-censoring
https://github.com/mmnabeel317/orion.git --depth 1 line), which ignores the
ORION_REPO and TAG knobs and creates a supply-chain risk; restore the original
logic that honors ORION_REPO and TAG (the conditional that sets LATEST_TAG from
the GitHub API when TAG == "latest" and then runs git clone --branch $LATEST_TAG
$ORION_REPO --depth 1) so callers can override repo/tag, and if you must test a
personal fix temporarily, gate it behind an explicit environment variable (e.g.,
ORION_FORK_OVERRIDE) and pin to a commit SHA (not a mutable branch) before
cloning; apply the same change to sibling scripts that clone Orion.

[mohit-sheth]

/pj-rehearse periodic-ci-openshift-eng-ocp-qe-perfscale-ci-main-aws-4.22-nightly-x86-payload-control-plane-6nodes

[openshift-merge-bot]

@mohit-sheth: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

[openshift-merge-bot]

@mohit-sheth: needs-ok-to-test label found, no rehearsals will be run

[mohit-sheth]

/ok-to-test

[mohit-sheth]

/pj-rehearse periodic-ci-openshift-eng-ocp-qe-perfscale-ci-main-aws-4.22-nightly-x86-payload-control-plane-6nodes

[openshift-merge-bot]

@mohit-sheth: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

[openshift-merge-bot]

@mohit-sheth: job(s): periodic-ci-openshift-eng-ocp-qe-perfscale-ci-main-aws-4.22-nightly-x86-payload-control-plane-6nodes either don't exist or were not found to be affected, and cannot be rehearsed

[openshift-ci]

@mmnabeel317: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

[openshift-merge-bot]

[REHEARSALNOTIFIER]
@mmnabeel317: the pj-rehearse plugin accommodates running rehearsal tests for the changes in this PR. Expand 'Interacting with pj-rehearse' for usage details. The following rehearsable tests have been affected by this change:

Test name	Repo	Type	Reason
pull-ci-stackrox-stackrox-master-perf-scale-24nodes-scale-test	stackrox/stackrox	presubmit	Registry content changed
pull-ci-openshift-eng-ocp-qe-perfscale-ci-main-aws-5.0-nightly-x86-compact-cp-3nodes	openshift-eng/ocp-qe-perfscale-ci	presubmit	Registry content changed
pull-ci-openshift-eng-ocp-qe-perfscale-ci-main-aws-4.22-nightly-x86-compact-cp-3nodes	openshift-eng/ocp-qe-perfscale-ci	presubmit	Registry content changed
pull-ci-openshift-eng-ocp-qe-perfscale-ci-main-aws-4.20-nightly-x86-compact-cp-3nodes	openshift-eng/ocp-qe-perfscale-ci	presubmit	Registry content changed
pull-ci-openshift-eng-ocp-qe-perfscale-ci-main-aws-4.23-nightly-x86-compact-cp-3nodes	openshift-eng/ocp-qe-perfscale-ci	presubmit	Registry content changed
pull-ci-openshift-eng-ocp-qe-perfscale-ci-main-aws-4.21-nightly-x86-compact-cp-3nodes	openshift-eng/ocp-qe-perfscale-ci	presubmit	Registry content changed
pull-ci-openshift-eng-ocp-qe-perfscale-ci-main-rosa_hcp-4.21-nightly-x86-control-plane-24nodes-onperfsector	openshift-eng/ocp-qe-perfscale-ci	presubmit	Registry content changed
pull-ci-openshift-eng-ocp-qe-perfscale-ci-main-rosa_hcp-4.21-nightly-x86-control-plane-120nodes-onperfsector	openshift-eng/ocp-qe-perfscale-ci	presubmit	Registry content changed
pull-ci-openshift-eng-ocp-qe-perfscale-ci-main-rosa_hcp-4.21-nightly-x86-control-plane-249nodes-onperfsector-cdv2	openshift-eng/ocp-qe-perfscale-ci	presubmit	Registry content changed
pull-ci-openshift-eng-ocp-qe-perfscale-ci-main-rosa_hcp-4.21-nightly-x86-control-plane-498nodes-onperfsector-cdv2	openshift-eng/ocp-qe-perfscale-ci	presubmit	Registry content changed
pull-ci-openshift-eng-ocp-qe-perfscale-ci-main-rosa_hcp-4.22-nightly-x86-control-plane-24nodes-onperfsector	openshift-eng/ocp-qe-perfscale-ci	presubmit	Registry content changed
pull-ci-openshift-eng-ocp-qe-perfscale-ci-main-rosa_hcp-4.22-nightly-x86-control-plane-120nodes-onperfsector	openshift-eng/ocp-qe-perfscale-ci	presubmit	Registry content changed
pull-ci-openshift-eng-ocp-qe-perfscale-ci-main-rosa_hcp-4.22-nightly-x86-control-plane-249nodes-onperfsector-cdv2	openshift-eng/ocp-qe-perfscale-ci	presubmit	Registry content changed
pull-ci-openshift-eng-ocp-qe-perfscale-ci-main-rosa_hcp-4.22-nightly-x86-control-plane-498nodes-onperfsector-cdv2	openshift-eng/ocp-qe-perfscale-ci	presubmit	Registry content changed
pull-ci-openshift-eng-ocp-qe-perfscale-ci-main-rosa_hcp-4.23-nightly-x86-control-plane-24nodes-onperfsector	openshift-eng/ocp-qe-perfscale-ci	presubmit	Registry content changed
pull-ci-openshift-eng-ocp-qe-perfscale-ci-main-rosa_hcp-4.23-nightly-x86-control-plane-120nodes-onperfsector	openshift-eng/ocp-qe-perfscale-ci	presubmit	Registry content changed
pull-ci-openshift-eng-ocp-qe-perfscale-ci-main-rosa_hcp-4.23-nightly-x86-control-plane-249nodes-onperfsector-cdv2	openshift-eng/ocp-qe-perfscale-ci	presubmit	Registry content changed
pull-ci-openshift-eng-ocp-qe-perfscale-ci-main-rosa_hcp-4.23-nightly-x86-control-plane-498nodes-onperfsector-cdv2	openshift-eng/ocp-qe-perfscale-ci	presubmit	Registry content changed
pull-ci-openshift-eng-ocp-qe-perfscale-ci-main-aws-5.0-nightly-x86-loaded-upgrade-from-4.22-loaded-upgrade-180nodes	openshift-eng/ocp-qe-perfscale-ci	presubmit	Registry content changed
pull-ci-openshift-eng-ocp-qe-perfscale-ci-main-aws-4.22-nightly-x86-loaded-upgrade-from-4.21-loaded-upgrade-180nodes	openshift-eng/ocp-qe-perfscale-ci	presubmit	Registry content changed
pull-ci-openshift-eng-ocp-qe-perfscale-ci-main-rosa-4.22-candidate-x86-loaded-upgrade-from-4.21-loaded-upgrade-24nodes	openshift-eng/ocp-qe-perfscale-ci	presubmit	Registry content changed
pull-ci-openshift-eng-ocp-qe-perfscale-ci-main-rosa-4.22-candidate-x86-loaded-upgrade-from-4.21-loaded-upgrade-120nodes	openshift-eng/ocp-qe-perfscale-ci	presubmit	Registry content changed
pull-ci-openshift-eng-ocp-qe-perfscale-ci-main-rosa-4.22-candidate-x86-loaded-upgrade-from-4.21-loaded-upgrade-249nodes	openshift-eng/ocp-qe-perfscale-ci	presubmit	Registry content changed
pull-ci-openshift-eng-ocp-qe-perfscale-ci-main-rosa_hcp-4.22-candidate-x86-loaded-upgrade-from-4.21-loaded-upgrade-24nodes	openshift-eng/ocp-qe-perfscale-ci	presubmit	Registry content changed
pull-ci-openshift-eng-ocp-qe-perfscale-ci-main-rosa_hcp-4.22-candidate-x86-loaded-upgrade-from-4.21-loaded-upgrade-120nodes	openshift-eng/ocp-qe-perfscale-ci	presubmit	Registry content changed

A total of 494 jobs have been affected by this change. The above listing is non-exhaustive and limited to 25 jobs.

A full list of affected jobs can be found here

Interacting with pj-rehearse

Comment: /pj-rehearse to run up to 5 rehearsals
Comment: /pj-rehearse skip to opt-out of rehearsals
Comment: /pj-rehearse {test-name}, with each test separated by a space, to run one or more specific rehearsals
Comment: /pj-rehearse more to run up to 10 rehearsals
Comment: /pj-rehearse max to run up to 25 rehearsals
Comment: /pj-rehearse auto-ack to run up to 5 rehearsals, and add the rehearsals-ack label on success
Comment: /pj-rehearse list to get an up-to-date list of affected jobs
Comment: /pj-rehearse abort to abort all active rehearsals
Comment: /pj-rehearse network-access-allowed to allow rehearsals of tests that have the restrict_network_access field set to false. This must be executed by an openshift org member who is not the PR author

Once you are satisfied with the results of the rehearsals, comment: /pj-rehearse ack to unblock merge. When the rehearsals-ack label is present on your PR, merge will no longer be blocked by rehearsals.
If you would like the rehearsals-ack label removed, comment: /pj-rehearse reject to re-block merging.

[mohit-sheth]

/pj-rehearse periodic-ci-openshift-eng-ocp-qe-perfscale-ci-main-aws-4.22-nightly-x86-payload-control-plane-6nodes

[openshift-merge-bot]

@mohit-sheth: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.