Added github workflow to automatic update noobaa-core image tag #1642

Merged
aayushchouhan09 merged 1 commit into noobaa:master from aayushchouhan09:core-tag
Jul 14, 2025


@aayushchouhan09
Member

@aayushchouhan09 aayushchouhan09 commented Jul 1, 2025

Explain the changes

  1. GitHub workflow to automatically update the noobaa-core ContainerImageTag in 'options.go'.

Issues: Fixed #xxx

  1. Issue: https://issues.redhat.com/browse/MCGI-310

GAPS:

  1. Currently, in this PR we have added a manual workflow that requires container_image_tag as the input; once everything works fine we will automate the image tag as well.
  2. Need to check for the GITHUB_TOKEN with write access for PRs.

Testing Instructions:

  1. Manual test run on repo:

Summary by CodeRabbit

  • Chores
    • Added a new manual workflow to streamline updating the Noobaa-Core container image tag, automatically creating and merging a pull request for the update.

@coderabbitai

coderabbitai bot commented Jul 1, 2025

Walkthrough

A new GitHub Actions workflow is added to automate updating the Noobaa-Core container image tag in the codebase. The workflow creates a pull request with the updated tag, waits for checks to pass, and merges the change automatically. It is manually triggered and requires the new tag as input.

Changes

| File(s) | Change Summary |
| --- | --- |
| .github/workflows/update-noobaa-core-tag.yml | Introduced a workflow to update the container image tag, create a PR, wait for CI checks, and auto-merge upon success. |

Sequence Diagram(s)

sequenceDiagram
    participant User
    participant GitHub Actions
    participant Repo

    User->>GitHub Actions: Trigger workflow with container_image_tag
    GitHub Actions->>Repo: Checkout master branch
    GitHub Actions->>Repo: Update ContainerImageTag in options.go
    GitHub Actions->>Repo: Commit and push new branch
    GitHub Actions->>Repo: Create pull request to master
    GitHub Actions->>GitHub Actions: Wait for PR checks
    GitHub Actions->>Repo: Merge PR and delete branch (if checks succeed)

📜 Recent review details

Configuration used: .coderabbit.yaml
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 92dc987 and b556750.

📒 Files selected for processing (1)
  • .github/workflows/update-noobaa-core-tag.yml (1 hunks)
🚧 Files skipped from review as they are similar to previous changes (1)
  • .github/workflows/update-noobaa-core-tag.yml
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (13)
  • GitHub Check: run-kms-dev-test
  • GitHub Check: run-kms-tls-token-test
  • GitHub Check: golangci-lint
  • GitHub Check: run-kms-kmip-test
  • GitHub Check: run-admission-test
  • GitHub Check: run-core-config-map-tests
  • GitHub Check: run-azure-vault-test
  • GitHub Check: cnpg-deployment-test
  • GitHub Check: run-kms-key-rotate-test
  • GitHub Check: run-operator-tests
  • GitHub Check: run-kms-tls-sa-test
  • GitHub Check: run-hac-test
  • GitHub Check: run-cli-tests

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 1

🧹 Nitpick comments (4)
.github/workflows/update-noobaa-core-tag.yaml (4)

31-39: Handle “no-change” & pre-existing branch scenarios

git checkout -b fails if the branch already exists, and git commit errors when there is nothing to commit (e.g., tag unchanged).
A more robust snippet:

-          git checkout -b update-core-tag-${{ github.event.inputs.container_image_tag }}
+          git checkout -B update-core-tag-${{ github.event.inputs.container_image_tag }}

-          git diff
-          git add pkg/options/options.go
-          git commit -m "chore: update noobaa-core image tag to ${{ github.event.inputs.container_image_tag }}"
+          if ! git diff --quiet; then
+            git add pkg/options/options.go
+            git commit -m "chore: update noobaa-core image tag to ${{ github.event.inputs.container_image_tag }}"
+          else
+            echo "No changes detected – skipping commit."
+            exit 0
+          fi
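
Review bot: the `git checkout -B` and `git commit -m` lines still expand `${{ github.event.inputs.container_image_tag }}` directly into the script text, so the shell parses whatever was typed into the input, quotes and metacharacters included. Pass the input through the step's `env:` (for example as `TAG`, a name chosen here) and reference it as `"$TAG"` in both commands. Note also that `exit 0` in the else branch ends the whole step, so any push or PR command later in the same `run:` block is skipped along with the commit.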

41-49: gh authentication can be skipped – reuse the existing token

actions/checkout already set up the remote with the PAT, and gh automatically picks up GITHUB_TOKEN.
You can drop the interactive login and rely on env-var auth:

-          gh auth login --with-token <<< "${{ secrets.GHACTION_TOKEN_WRITE }}"

If you keep the login step, add set -euo pipefail at the top of the script to fail fast on auth issues.


26-30: Minor formatting issues flagged by yamllint

Trailing spaces and an extra blank line break linting rules.

-26␠
-30␠
-53␠
-

Clean these up to keep the workflow lint-clean.

Also applies to: 53-54


51-51: Automate the “wait for tests & merge” TODO

Consider the peter-evans/wait-for-check and peter-evans/enable-pull-request-automerge actions to automatically merge once CI succeeds.
Happy to draft a follow-up patch if needed.

📜 Review details

Configuration used: .coderabbit.yaml
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 975f7ef and cb96f37.

📒 Files selected for processing (1)
  • .github/workflows/update-noobaa-core-tag.yaml (1 hunks)
🧰 Additional context used
🪛 YAMLlint (1.37.1)
.github/workflows/update-noobaa-core-tag.yaml

[error] 26-26: trailing spaces

(trailing-spaces)


[error] 30-30: trailing spaces

(trailing-spaces)


[error] 53-53: trailing spaces

(trailing-spaces)


[warning] 54-54: too many blank lines

(1 > 0) (empty-lines)

⏰ Context from checks skipped due to timeout of 90000ms (13)
  • GitHub Check: run-azure-vault-test
  • GitHub Check: run-cli-tests
  • GitHub Check: run-operator-tests
  • GitHub Check: run-kms-kmip-test
  • GitHub Check: run-kms-tls-sa-test
  • GitHub Check: run-kms-key-rotate-test
  • GitHub Check: run-hac-test
  • GitHub Check: golangci-lint
  • GitHub Check: cnpg-deployment-test
  • GitHub Check: run-core-config-map-tests
  • GitHub Check: run-kms-tls-token-test
  • GitHub Check: run-kms-dev-test
  • GitHub Check: run-admission-test
🔇 Additional comments (1)
.github/workflows/update-noobaa-core-tag.yaml (1)

22-26: Ignore explicit token for checkout
The workflow’s job-level env already sets GITHUB_TOKEN: ${{ secrets.GHACTION_TOKEN_WRITE }}, and actions/checkout@v4 will default to using process.env.GITHUB_TOKEN. No additional token input is required.

• File: .github/workflows/update-noobaa-core-tag.yaml
– Lines 18–19 define
  env:
    GITHUB_TOKEN: ${{ secrets.GHACTION_TOKEN_WRITE }}
• Checkout step (lines 22–26) will inherit that token automatically.

Likely an incorrect or invalid review comment.

@aayushchouhan09 aayushchouhan09 marked this pull request as draft July 1, 2025 15:53
@aayushchouhan09 aayushchouhan09 marked this pull request as ready for review July 2, 2025 13:12
@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 1

🧹 Nitpick comments (2)
.github/workflows/update-noobaa-core-tag.yaml (2)

26-26: Trim trailing whitespace to satisfy YAMLlint

The workflow currently violates the repository’s YAML lint rules (see static-analysis hints) because of trailing spaces on otherwise blank lines. While harmless to GitHub Actions, letting these accumulate adds noise to future diffs and breaks pre-commit hooks.

-          
+

Also applies to: 32-32, 55-55


56-63: Bound the wait loop to avoid hanging runs

gh pr checks … --watch waits indefinitely; if a check stalls the job will hit the 90-minute job timeout. Pass an explicit timeout/interval (supported since gh 2.50) or poll with a capped loop so the workflow fails fast and surfaces the underlying issue.

📜 Review details

Configuration used: .coderabbit.yaml
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between cb96f37 and 0bd3912.

📒 Files selected for processing (1)
  • .github/workflows/update-noobaa-core-tag.yaml (1 hunks)
🧰 Additional context used
🪛 YAMLlint (1.37.1)
.github/workflows/update-noobaa-core-tag.yaml

[error] 26-26: trailing spaces

(trailing-spaces)


[error] 32-32: trailing spaces

(trailing-spaces)


[error] 55-55: trailing spaces

(trailing-spaces)

⏰ Context from checks skipped due to timeout of 90000ms (12)
  • GitHub Check: run-kms-tls-sa-test
  • GitHub Check: run-hac-test
  • GitHub Check: run-azure-vault-test
  • GitHub Check: run-operator-tests
  • GitHub Check: run-kms-key-rotate-test
  • GitHub Check: run-kms-tls-token-test
  • GitHub Check: run-cli-tests
  • GitHub Check: cnpg-deployment-test
  • GitHub Check: run-kms-dev-test
  • GitHub Check: run-kms-kmip-test
  • GitHub Check: run-admission-test
  • GitHub Check: run-core-config-map-tests
🔇 Additional comments (1)
.github/workflows/update-noobaa-core-tag.yaml (1)

37-41: Sanitise branch names derived from user input

git checkout -b update-core-tag-${{ github.event.inputs.container_image_tag }} assumes the tag is a valid ref. Tags often contain /, :, or uppercase characters, all illegal or awkward in branch names and will cause the step to fail.

Consider:

branch_safe=$(echo "$tag" | tr '/:' '__' | tr '[:upper:]' '[:lower:]')
git checkout -b "update-core-tag-${branch_safe}"
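
Allowlist validation of the tag input before it becomes a branch name, as an added example that is not part of the PR or of CodeRabbit's review: instead of transliterating characters, it rejects anything outside the container tag grammar and the extra ref-name cases git refuses. The function names and the `CONTAINER_IMAGE_TAG` environment variable are assumptions made for the example.

```shell
#!/bin/sh
# Added example: validate a workflow_dispatch input before it reaches git.
# Assumed wiring (not from the PR): the step passes the input through
#   env: CONTAINER_IMAGE_TAG: ${{ github.event.inputs.container_image_tag }}
# and the script reads "$CONTAINER_IMAGE_TAG" instead of an inline ${{ }} expression.
LC_ALL=C; export LC_ALL   # make [A-Z] ranges byte-wise, independent of runner locale

# validate_tag TAG -> 0 if TAG fits the container tag grammar:
# 1-128 characters from [A-Za-z0-9_.-], not starting with '.' or '-'.
validate_tag() {
  vt_tag=$1
  [ "${#vt_tag}" -ge 1 ] && [ "${#vt_tag}" -le 128 ] || return 1
  case $vt_tag in
    [.-]*)             return 1 ;;  # leading '.' or '-' (also blocks option-like values)
    *[!A-Za-z0-9_.-]*) return 1 ;;  # outside the allowlist: '/', ':', space, newline, ...
  esac
  return 0
}

# branch_for_tag TAG -> prints update-core-tag-TAG, or fails if TAG is not a
# valid tag or would form a ref name git rejects ('..', trailing '.', '.lock').
branch_for_tag() {
  validate_tag "$1" || return 1
  case $1 in
    *..*|*.|*.lock) return 1 ;;
  esac
  printf 'update-core-tag-%s\n' "$1"
}

# Constructed sample inputs, not taken from the PR.
for sample in '5.20.0-20250701' 'Master_20250701' 'a/b:c' '-x' '5.20..0' '5.20.0; echo x'; do
  if branch=$(branch_for_tag "$sample"); then
    printf 'accept  %-20s -> %s\n' "$sample" "$branch"
  else
    printf 'reject  %s\n' "$sample"
  fi
done
```

Failing the step on a rejected value keeps the branch name and the tag written to `options.go` identical, which a character-replacing sanitiser does not guarantee.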

runs-on: ubuntu-latest
timeout-minutes: 90
env:
GITHUB_TOKEN: ${{ secrets.GHACTION_TOKEN_WRITE }}
Contributor

Is there a reason to use GHACTION_TOKEN_WRITE over GITHUB_TOKEN?

Member Author

We need to merge the PR in this action, not sure if GHACTION_TOKEN_WRITE has such access.
@tangledbytes Can you pls confirm if it is possible to merge the PR with this token.

Member

Honestly, I am not sure. But from the documentation it seems that GITHUB_TOKEN when given permissions.pull-requests = true does grant access to the /merge endpoint. Let's try just with GITHUB_TOKEN and let's see if that works, if not we can fix it in a subsequent PR, WDYT?

Member Author

Sure, thanks, I will try that.

Member Author

@tangledbytes I have tested it; we need a token with the below permissions:

  1. repo (Full control of private repositories)
  2. workflow (Update GitHub Action workflows)
  3. read:org (Read org and team membership, read org projects)

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 1

🧹 Nitpick comments (4)
.github/workflows/update-noobaa-core-tag.yaml (4)

18-20: Prefer secrets.GITHUB_TOKEN over a custom PAT unless additional scopes are required

Overriding GITHUB_TOKEN with secrets.GHACTION_TOKEN_WRITE adds another secret to manage and audit.
The built-in GITHUB_TOKEN already has contents: write and pull-requests: write scopes (as configured under permissions:) and works with both the gh CLI and most third-party actions.

-    env:
-      GITHUB_TOKEN: ${{ secrets.GHACTION_TOKEN_WRITE }}
+    env:
+      # Use GitHub-provided token; it inherits the permissions block above
+      GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
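
Review bot: on the `+      GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}` line, events created with the built-in token do not start new workflow runs, so a PR opened by this job would not trigger the CI checks the workflow waits on before merging. Separately, keeping either token in the job-level `env:` hands it to every step in the job, third-party actions included; set it only on the steps that push, open the PR and merge.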

39-44: Guard against branch-name collisions on repeated runs

If the same tag is processed twice (or the first run fails after the push), subsequent pushes will error because the branch already exists.

-          git checkout -b update-core-tag-${{ github.event.inputs.container_image_tag }}
+          ts=$(date +%s)
+          git checkout -b update-core-tag-${{ github.event.inputs.container_image_tag }}-$ts
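
Review bot: appending `$ts` on the `git checkout -b` line avoids the collision but gives every retry for the same tag a fresh branch, so a run that failed after pushing leaves its branch behind and a second run can open a duplicate PR for the same change. Prefer a stable branch name and check for an existing open PR from that branch before pushing.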

Alternatively add --force-with-lease on git push.
Without this, the workflow will exit early and the tag won’t be updated.


1-17: Consider adding a concurrency group to prevent simultaneous runs

If two operators trigger the workflow at the same time, concurrent jobs can stomp on each other’s branches and PRs.

concurrency:
  group: noobaa-core-tag-update
  cancel-in-progress: true

24-34: Strip trailing whitespace to appease YAMLlint

The linter flags lines 26, 34 and 57 for trailing spaces. Cleaning them avoids noisy CI failures.

-          ref: master␠
+          ref: master
...
-          regex: true␠
+          regex: true
...
-
+

Also applies to: 55-59

📜 Review details

Configuration used: .coderabbit.yaml
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 0bd3912 and 9ed9341.

📒 Files selected for processing (1)
  • .github/workflows/update-noobaa-core-tag.yaml (1 hunks)
🧰 Additional context used
🪛 YAMLlint (1.37.1)
.github/workflows/update-noobaa-core-tag.yaml

[error] 26-26: trailing spaces

(trailing-spaces)


[error] 34-34: trailing spaces

(trailing-spaces)


[error] 57-57: trailing spaces

(trailing-spaces)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (13)
  • GitHub Check: run-operator-tests
  • GitHub Check: cnpg-deployment-test
  • GitHub Check: run-hac-test
  • GitHub Check: run-kms-kmip-test
  • GitHub Check: run-kms-key-rotate-test
  • GitHub Check: run-kms-dev-test
  • GitHub Check: run-cli-tests
  • GitHub Check: run-core-config-map-tests
  • GitHub Check: golangci-lint
  • GitHub Check: run-admission-test
  • GitHub Check: run-azure-vault-test
  • GitHub Check: run-kms-tls-token-test
  • GitHub Check: run-kms-tls-sa-test

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 1

🧹 Nitpick comments (4)
.github/workflows/update-noobaa-core-tag.yml (4)

24-26: Remove trailing whitespace to pass YAML lint

YAMLlint is currently failing on this line because of a stray space after master.
Clean-up avoids noisy CI failures.

-          ref: master␠
+          ref: master

31-34: Trim trailing whitespace in the with: block

More trailing spaces (after pkg/options/options.go). These will keep triggering YAML-lint.

-          include: 'pkg/options/options.go'␠
+          include: 'pkg/options/options.go'
-          regex: true␠
+          regex: true

54-57: Delete the blank line that contains spaces

Line 56 is an otherwise-empty line that still carries whitespace.
Kill it to stay lint-clean.

-       
+

14-17: Add a concurrency key to prevent overlapping runs

Parallel manual triggers with different tags could race to update the same file/branch.
Using a concurrency group guarantees one tag update at a time.

   update-tag:
+    concurrency:
+      group: core-tag-update
+      cancel-in-progress: false
     runs-on: ubuntu-latest
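
Review bot: with the fixed `group: core-tag-update` and `cancel-in-progress: false`, a second trigger queues behind the running job, but GitHub keeps only one pending run per concurrency group, so a third trigger replaces the queued one and that tag update is dropped without a failure. If only the newest tag matters that is fine; state it in a comment beside the `concurrency:` key so operators know a queued run can be cancelled.
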
📜 Review details

Configuration used: .coderabbit.yaml
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 9ed9341 and 5fb7df0.

📒 Files selected for processing (1)
  • .github/workflows/update-noobaa-core-tag.yml (1 hunks)
🧰 Additional context used
🪛 YAMLlint (1.37.1)
.github/workflows/update-noobaa-core-tag.yml

[error] 26-26: trailing spaces

(trailing-spaces)


[error] 34-34: trailing spaces

(trailing-spaces)


[error] 56-56: trailing spaces

(trailing-spaces)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (12)
  • GitHub Check: run-cli-tests
  • GitHub Check: run-kms-tls-token-test
  • GitHub Check: run-operator-tests
  • GitHub Check: run-core-config-map-tests
  • GitHub Check: run-admission-test
  • GitHub Check: cnpg-deployment-test
  • GitHub Check: run-kms-dev-test
  • GitHub Check: run-azure-vault-test
  • GitHub Check: run-kms-tls-sa-test
  • GitHub Check: run-kms-key-rotate-test
  • GitHub Check: run-hac-test
  • GitHub Check: run-kms-kmip-test

@dannyzaken
Member

@achouhan09, What is the purpose of this PR? I may be missing some context.
IIUC, this PR adds an action that is dispatched manually and updates the core image. Why do we need an action for that?

@aayushchouhan09
Member Author

@dannyzaken yes you are correct.
This PR adds a GitHub Action that automates the process of updating the ContainerImageTag in options.go, which is currently done manually by creating PRs at regular intervals.
We streamline that workflow by automatically creating a PR with the updated tag, waiting for CI checks to pass, and merging it if successful. In this PR it requires manual triggering to update the image tag, but we can plan to make the process completely automated by generating tags dynamically and scheduling periodic updates without manual input in a different PR (once we are sure it is working).

Contributor

@Neon-White Neon-White left a comment

Some suggestions, almost good to go

Signed-off-by: Aayush <aayush@li-2392f9cc-287a-11b2-a85c-9fcc04b05da6.ibm.com>
@aayushchouhan09 aayushchouhan09 merged commit 6365c64 into noobaa:master Jul 14, 2025
16 checks passed
@aayushchouhan09 aayushchouhan09 deleted the core-tag branch July 14, 2025 12:22