
ci: add gopls and pre-commit plugins to address-review workflow#8702

Open
enxebre wants to merge 1 commit into
openshift:mainfrom
enxebre:address-review-plugins

Conversation

@enxebre

@enxebre enxebre commented Jun 9, 2026

Member

Summary

  • Install gopls-lsp plugin for Go code intelligence during review comment resolution
  • Install git@enxebre plugin to auto-setup pre-commit pre-push hooks (gates pushes with make verify)
  • Add tool dependencies (gopls, pre-commit) needed by the plugins

Test plan

  • Trigger /address-review-comments on a test PR and verify plugins load
  • Confirm make verify runs before any push made by Claude

Summary by CodeRabbit

  • Chores
    • Streamlined CI workflow to ensure required tooling is installed and configured, and to manage AI helper plugins via the marketplace for address-review automation.

Note: Internal infrastructure change only; no user-facing functionality was added or modified.

@openshift-merge-bot

Contributor

Pipeline controller notification
This repo is configured to use the pipeline controller. Second-stage tests will be triggered either automatically or after lgtm label is added, depending on the repository configuration. The pipeline controller will automatically detect which contexts are required and will utilize /test Prow commands to trigger the second stage.

For optional jobs, comment /test ? to see a list of all defined jobs. To trigger manually all jobs from second stage use /pipeline required command.

This repository is configured in: LGTM mode

@openshift-ci

openshift-ci Bot commented Jun 9, 2026

Contributor

Please specify an area label

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@openshift-ci openshift-ci Bot requested review from Nirshal and clebs June 9, 2026 14:05
@coderabbitai

coderabbitai Bot commented Jun 9, 2026

Contributor

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 5a3d4ec7-e8bd-4815-9c43-64ba870056cb

📥 Commits

Reviewing files that changed from the base of the PR and between 079205b and 225a731.

📒 Files selected for processing (1)
  • .github/workflows/address-review-comments.yaml
🚧 Files skipped from review as they are similar to previous changes (1)
  • .github/workflows/address-review-comments.yaml

📝 Walkthrough

Walkthrough

The workflow .github/workflows/address-review-comments.yaml now installs local tool dependencies (installs gopls, appends $HOME/go/bin to PATH, and installs pre-commit via pip and appends $HOME/.local/bin). It replaces the previous manual ai-helpers cloning/config with claude CLI plugin commands: it adds openshift-eng/ai-helpers and enxebre/ai-scripts marketplaces, installs utils@ai-helpers, golang@ai-helpers, and git@enxebre, then runs claude address-reviews.

Sequence Diagram(s)

sequenceDiagram
  participant GitHubActions
  participant Runner
  participant GoToolchain
  participant PythonPip
  participant ClaudeCLI
  GitHubActions->>Runner: trigger address-review job
  Runner->>GoToolchain: install gopls
  Runner->>Runner: export PATH += $HOME/go/bin
  Runner->>PythonPip: pip install pre-commit
  Runner->>Runner: export PATH += $HOME/.local/bin
  Runner->>ClaudeCLI: claude plugin add openshift-eng/ai-helpers
  Runner->>ClaudeCLI: claude plugin install utils@ai-helpers, golang@ai-helpers
  Runner->>ClaudeCLI: claude plugin add enxebre/ai-scripts
  Runner->>ClaudeCLI: claude plugin install git@enxebre
  Runner->>ClaudeCLI: claude address-reviews

Important

Pre-merge checks failed

Please resolve all errors before merging. Addressing warnings is optional.

❌ Failed checks (1 error)

  • No-Sensitive-Data-In-Logs (❌ Error): The workflow passes GH_TOKEN (github.token) as an environment variable to the Claude CLI tool which could expose the token if Claude or its plugins log environment variables or process details. Resolution: Avoid passing GH_TOKEN to Claude via environment variables. Instead, use GitHub's built-in masking or restrict token scope and only pass it when strictly necessary through stdin/secure channels.

✅ Passed checks (10 passed)

  • Description Check (✅ Passed): Check skipped - CodeRabbit's high-level summary is enabled.
  • Title check (✅ Passed): The title accurately summarizes the main change: adding gopls and pre-commit plugins to the address-review workflow, which aligns with the file modifications and PR objectives.
  • Linked Issues check (✅ Passed): Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check (✅ Passed): Check skipped because no linked issues were found for this pull request.
  • Stable And Deterministic Test Names (✅ Passed): PR modifies only a GitHub Actions workflow file (.github/workflows/address-review-comments.yaml), not any Ginkgo test files. The custom check for stable test names is not applicable to this PR.
  • Test Structure And Quality (✅ Passed): The custom check for Ginkgo test quality is not applicable to this PR. The PR only modifies a GitHub Actions workflow file with no Ginkgo test code present.
  • Topology-Aware Scheduling Compatibility (✅ Passed): PR modifies only .github/workflows/address-review-comments.yaml (GitHub Actions workflow), not deployment manifests, operator code, or controllers. No Kubernetes scheduling constraints are introduced.
  • Ipv6 And Disconnected Network Test Compatibility (✅ Passed): No Ginkgo e2e tests are added in this PR. Changes are limited to the address-review workflow YAML file, which only configures Claude tooling for automated code review.
  • No-Weak-Crypto (✅ Passed): PR only modifies workflow YAML to install dev tools and Claude plugins. No weak crypto patterns, custom implementations, or unsafe secret comparisons found.
  • Container-Privileges (✅ Passed): The PR modifies only a GitHub Actions workflow with no container privilege settings like privileged, hostPID, hostNetwork, hostIPC, SYS_ADMIN, or allowPrivilegeEscalation.
Comment @coderabbitai help to get the list of available commands and usage tips.

@openshift-ci openshift-ci Bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Jun 9, 2026

@coderabbitai coderabbitai Bot left a comment

Contributor

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/address-review-comments.yaml:
- Line 67: The workflow installs pre-commit (the pip install pre-commit step)
and configures git@enxebre, which allows execution of PR-controlled hooks; split
the job into two: keep this workflow from installing or invoking pre-commit or
any git hooks (remove or guard the "pip install pre-commit" and any git SSH
setup like "git@enxebre"), and create a separate trusted job that runs only
after maintainers approve which performs privileged actions (push/comment, use
GITHUB_TOKEN) and does not execute untrusted repository code; ensure the
untrusted job runs checks in read-only mode (no pre-commit installation, no SSH
git host setup, minimal GITHUB_TOKEN permissions, checkout with
read-only/fetch-depth and actions/checkout=ref) and the trusted job runs any
necessary push/comment steps but never executes PR-provided scripts.
- Around line 65-67: The CI step currently uses floating installers "go install
golang.org/x/tools/gopls@latest" and "pip install pre-commit"; change these to
pinned releases by replacing gopls@latest with a specific go module version
(e.g., gopls@vX.Y.Z) and install pre-commit from a pinned requirements file or
explicit version (e.g., pre-commit==X.Y.Z) instead of bare pip install; also add
or reference a pip lock/constraints file (with hashes or generated via
pip-compile/poetry lock) and update the workflow to install from that file (or
use --require-hashes) so the "go install" and "pip install" lines (the symbols
gopls and pre-commit) become deterministic and reproducible.
ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: be4df48c-f31d-46c9-8072-8a7a142bed15

📥 Commits

Reviewing files that changed from the base of the PR and between a6c3012 and 782663f.

📒 Files selected for processing (1)
  • .github/workflows/address-review-comments.yaml

Comment on lines +65 to +67
go install golang.org/x/tools/gopls@latest
echo "$HOME/go/bin" >> $GITHUB_PATH
pip install pre-commit
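Review bot: `go install golang.org/x/tools/gopls@latest` and `pip install pre-commit` on lines 65-67 resolve to whatever version is current when the job runs, so two runs of this workflow can execute different tool builds; pin both, for example a concrete `gopls@vX.Y.Z` module version and `pre-commit==X.Y.Z`, or a requirements file installed with `--require-hashes`. Also quote the redirect target in `echo "$HOME/go/bin" >> $GITHUB_PATH` (`>> "$GITHUB_PATH"`) so it is not subject to word splitting; the variable is quoted on the left side of the same line but not on the right.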

@coderabbitai coderabbitai Bot Jun 9, 2026

Contributor

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

FILE=".github/workflows/address-review-comments.yaml"
if [ ! -f "$FILE" ]; then
  echo "Missing $FILE"
  exit 1
fi

echo "== File: $FILE =="
# print around the referenced lines
nl -ba "$FILE" | sed -n '45,90p'
echo "== End snippet =="
# search for gopls@ and pip install pre-commit in the file
echo "== rg checks =="
rg -n "gopls@|pip install pre-commit|pre-commit(==|@|$)" "$FILE" || true

# show if any pinned pip installs using -r or requirements
rg -n "pip (install|) -r |requirements|pre-commit" "$FILE" || true

Repository: openshift/hypershift

Length of output: 185


🏁 Script executed:

#!/bin/bash
set -euo pipefail

FILE=".github/workflows/address-review-comments.yaml"
if [ ! -f "$FILE" ]; then
  echo "Missing $FILE"
  exit 1
fi

echo "== File: $FILE =="
nl -ba "$FILE" | sed -n '45,90p'

echo "== rg checks =="
rg -n "gopls@|pip install pre-commit|pre-commit(==|@|$)" "$FILE" || true

echo "== pip/requirements context =="
rg -n "pip (install|) -r |requirements|pre-commit" "$FILE" || true

Repository: openshift/hypershift

Length of output: 185


🏁 Script executed:

#!/bin/bash
set -euo pipefail

FILE=".github/workflows/address-review-comments.yaml"
[ -f "$FILE" ] || { echo "Missing $FILE"; exit 1; }

echo "== Snippet (lines 50-85) =="
awk 'NR>=50 && NR<=85 {printf "%d:%s\n", NR, $0}' "$FILE"

echo "== rg: gopls + pre-commit installs =="
rg -n "gopls@|pip install pre-commit|pre-commit==" "$FILE" || true

echo "== rg: any other pinned versions =="
rg -n "pip install|go install" "$FILE" | head -n 200

Repository: openshift/hypershift

Length of output: 1971


🏁 Script executed:

#!/bin/bash
set -euo pipefail

FILE=".github/workflows/address-review-comments.yaml"
echo "== rg: pre-commit pinning or requirements references =="
rg -n "pre-commit(==|@)|requirements\.txt|setup\.py|pyproject\.toml" "$FILE" || true

echo "== rg: go install pins (non-latest) =="
rg -n "go install .+@" "$FILE" || true

Repository: openshift/hypershift

Length of output: 215


Pin deterministic versions for gopls and pre-commit in CI

  • In .github/workflows/address-review-comments.yaml (lines 65-67), go install golang.org/x/tools/gopls@latest and pip install pre-commit float to whatever versions are current, making runs non-reproducible and increasing supply-chain drift.
  • Pin gopls and pre-commit to specific versions (ideally with hashes via --require-hashes and/or a constraints/lockfile).
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/address-review-comments.yaml around lines 65 - 67, The CI
step currently uses floating installers "go install
golang.org/x/tools/gopls@latest" and "pip install pre-commit"; change these to
pinned releases by replacing gopls@latest with a specific go module version
(e.g., gopls@vX.Y.Z) and install pre-commit from a pinned requirements file or
explicit version (e.g., pre-commit==X.Y.Z) instead of bare pip install; also add
or reference a pip lock/constraints file (with hashes or generated via
pip-compile/poetry lock) and update the workflow to install from that file (or
use --require-hashes) so the "go install" and "pip install" lines (the symbols
gopls and pre-commit) become deterministic and reproducible.

Source: Coding guidelines
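A small checker for the two floating-install patterns CodeRabbit flagged above (`go install ...@latest` and a bare `pip install <pkg>`), as an added example: it is not code from this PR or from the openshift/hypershift repository, and the function names and the constructed sample file are this example's own. It reads a workflow or script line by line, prints one finding per unpinned install, and returns non-zero when anything floats, so it can gate a CI step the same way the bot's finding would.

```shell
#!/bin/sh
# Added example, not code from this PR or the openshift/hypershift repository:
# flag floating dependency installs in a workflow file. Function names and the
# sample file below are constructed for the example.

# pip_unpinned LINE: true (0) when any package spec after "pip install" lacks
# an exact "==" pin. Installs from a requirements file (-r/--requirement) or
# with --require-hashes are accepted here; that file must itself be pinned.
pip_unpinned() {
  rest=${1#*pip install}
  case "$rest" in
    *" -r "*|*--requirement*|*--require-hashes*) return 1 ;;
  esac
  for tok in $rest; do
    case "$tok" in
      -*)    continue ;;        # option flags such as --upgrade
      *==*)  continue ;;        # exact pin, e.g. pre-commit==4.6.0
      *)     return 0 ;;        # bare name or range spec: floating
    esac
  done
  return 1
}

# check_pins FILE: prints one finding per floating install line and returns
# 1 if any were found, 0 when every install is pinned.
check_pins() {
  found=0
  while IFS= read -r line; do
    case "$line" in
      *"go install "*"@latest"*)
        printf 'floating go install: %s\n' "$line"; found=1 ;;
      *"pip install "*)
        if pip_unpinned "$line"; then
          printf 'unpinned pip install: %s\n' "$line"; found=1
        fi ;;
    esac
  done < "$1"
  return "$found"
}

# Constructed sample: the step as the PR first had it (lines 65-67) next to
# the pinned form from the follow-up commit.
demo=$(mktemp)
printf '%s\n' \
  'go install golang.org/x/tools/gopls@latest' \
  'echo "$HOME/go/bin" >> $GITHUB_PATH' \
  'pip install pre-commit' \
  'go install golang.org/x/tools/gopls@v0.22.0' \
  'pip install pre-commit==4.6.0' > "$demo"
check_pins "$demo" || echo "floating installs found; pin them before merging"
rm -f "$demo"
```

Run it against the workflow file in a pre-merge step (`check_pins .github/workflows/address-review-comments.yaml`); the two unpinned lines from the original step are reported and the pinned ones pass silently. The `-r`/`--require-hashes` exemption only moves the question to the requirements file, which is why the bot also asked for a hashed lock or constraints file.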

Done. Pinned gopls@v0.22.0 and pre-commit==4.6.0 to make CI installs deterministic.


AI-assisted response via Claude Code

Contributor

Skipped: comment is from another GitHub bot.

@enxebre enxebre force-pushed the address-review-plugins branch from 782663f to 079205b Compare June 9, 2026 14:17
@enxebre

enxebre commented Jun 10, 2026

Member Author

/address-review-comments

@github-actions


🤖 Addressing review comments: workflow run

@github-actions


Addressed the version pinning feedback from CodeRabbit — pinned gopls@v0.22.0 and pre-commit==4.6.0 for deterministic CI installs.

However, the push failed because the workflow's GITHUB_TOKEN lacks the workflows permission, which GitHub requires for modifying .github/workflows/ files. The commit is ready locally (5da3f8e6d) — a manual push from a token with workflows scope is needed, or the permissions block in the workflow needs to include actions: write (though workflows is a special scope only available on PATs, not GITHUB_TOKEN).

The author will need to push this change manually.


AI-assisted response via Claude Code

Install gopls-lsp plugin for Go code intelligence, the enxebre/ai-scripts
git plugin to gate pushes with make verify via pre-commit, and their
tool dependencies (gopls, pre-commit).

Signed-off-by: Alberto Garcia Lamela <agarcial@redhat.com>
@enxebre enxebre force-pushed the address-review-plugins branch from 079205b to 225a731 Compare June 10, 2026 14:03
@openshift-ci

openshift-ci Bot commented Jun 10, 2026

Contributor

@enxebre: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

@bryan-cox bryan-cox left a comment

Member

/lgtm

@openshift-ci openshift-ci Bot added the lgtm Indicates that a PR is ready to be merged. label Jun 10, 2026
@openshift-merge-bot

Contributor

Pipeline controller notification

No second-stage tests were triggered for this PR.

This can happen when:

  • The changed files don't match any pipeline_run_if_changed patterns
  • All files match pipeline_skip_if_only_changed patterns
  • No pipeline-controlled jobs are defined for the main branch

Use /test ? to see all available tests.

@openshift-ci

openshift-ci Bot commented Jun 10, 2026

Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: bryan-cox, enxebre

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

Labels

approved Indicates a PR has been approved by an approver from all required OWNERS files. do-not-merge/needs-area lgtm Indicates that a PR is ready to be merged.
