Add rebase automation script#445

Open
arun717 wants to merge 2 commits into openshift:master from arun717:rebase_automation-script

arun717 commented Jun 19, 2026

Contributor

Summary

  • Adds rebase_automation.sh, a helper script to automate cert-manager-operator version rebases (dependency bumps, Makefile/CSV updates, and related replacements).
  • Script is driven by environment variables such as NEW_CERT_MANAGER_VERSION, NEW_BUNDLE_VERSION, and OLD_BUNDLE_VERSION.

Test plan

  • Review script usage via ./rebase_automation.sh --help
  • Optionally run with --dry-run against a test branch to confirm expected steps

Made with Cursor

Summary by CodeRabbit

Release Notes

  • New Features
    • Added an automation script that streamlines a multi-step rebase/version bump workflow across dependencies, the build/packaging metadata, and related manifests/configurations.
    • Includes colored CLI logging, prerequisite checks, semver validation, and automatic version detection from the project.
    • Supports dry-run mode, running individual steps, skipping commits when appropriate, and safe repository-wide version replacement.

Co-authored-by: Cursor <cursoragent@cursor.com>
coderabbitai Bot commented Jun 19, 2026


No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 914c7fdf-888f-4baf-b65a-7866786b4fe2

📥 Commits

Reviewing files that changed from the base of the PR and between 282b48d and 5d65a2f.

📒 Files selected for processing (1)
  • rebase_automation.sh

Walkthrough

A new Bash script rebase_automation.sh (685 lines) automates the cert-manager-operator rebase workflow. It provides a 4-step pipeline—Go dependency updates, Makefile version edits, CSV/OLM metadata updates, and broad manual string replacements—with colored logging, semver validation, prerequisite checking, dry-run mode, per-step execution, and optional commit suppression.

Changes

Rebase Automation Script

| Layer / File(s) | Summary |
|---|---|
| Script bootstrap, logging, and CLI usage (rebase_automation.sh) | Defines shebang, strict mode, ANSI color constants, NEW_*/OLD_* env variable defaults, four color-coded logging helpers (info/success/warning/error), comprehensive usage() documentation describing required environment variables, supported flags (--dry-run, --step, --skip-commit, --help), and example invocations. |
| Version detection and prerequisite validation (rebase_automation.sh) | detect_current_versions() reads OLD_* from Makefile via grep and helper functions, auto-fills missing NEW_* values from detected OLD_*, logs before/after summary. check_prerequisites() verifies git repo presence, required external tool availability (git, go, make, sed, cmp), enforces at least one NEW_* version provided, and validates all versions match semver X.Y.Z format. Helper functions extract Makefile variable assignments and resolve single-level $(VAR) indirections. |
| Step 1-4 workflow implementations (rebase_automation.sh) | step1_bump_deps() runs go get, applies go mod edit -replace directives, executes go mod tidy and go mod vendor, optionally commits. step2_update_makefile() detects which components changed, uses sed to update Makefile variables and CHANNELS when bundle version changes, runs make update and make bundle, optionally commits. step3_update_csv() edits CSV YAML fields (version, CSV name, replaces, olm.skipRange), updates channel references in bundle.Dockerfile and bundle/metadata/annotations.yaml, runs make update-bindata, optionally commits. step4_manual_replacements() uses a safe_replace_version() helper that applies context-specific regex-based sed patterns on temporary copies, compares with cmp for actual changes, and applies only when modifications are detected; searches repository files (excluding vendor/, .git/, testbin/, go.sum) for old cert-manager, istio-csr (if provided), and bundle version strings; skips URL-corruption cases; de-duplicates modified file list; runs make manifests bundle; optionally commits when working tree is dirty. |
| Pipeline orchestration and CLI dispatch (rebase_automation.sh) | run_all_steps() executes steps 1–4 in sequence and prints version change summary. main() parses --dry-run, --step 1-4, --skip-commit, --help arguments, exports control flags for step functions, runs prerequisite and version detection, dispatches either a single requested step or the full pipeline via run_all_steps(), and prints final completion status. Script entry point invokes main "$@" with all provided CLI arguments. |

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~60 minutes

🚥 Pre-merge checks | ✅ 14 | ❌ 1

❌ Failed checks (1 warning)

| Check name | Status | Explanation | Resolution |
|---|---|---|---|
| Test Structure And Quality | ⚠️ Warning | Ginkgo tests added lack meaningful assertion failure messages across multiple files (istio_csr_operand_test.go: 0%, overrides_test.go: 3%, trustmanager_test.go: 14%), violating requirement 4 for di... | Add failure messages to all Expect() assertions lacking them. Example: Expect(err).NotTo(HaveOccurred(), "failed to create issuer") instead of Expect(err).NotTo(HaveOccurred()). |
✅ Passed checks (14 passed)
| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title 'Add rebase automation script' directly and clearly describes the main change: introducing a new automation script for the rebase workflow. |
| Docstring Coverage | ✅ Passed | Docstring coverage is 82.35% which is sufficient. The required threshold is 80.00%. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Stable And Deterministic Test Names | ✅ Passed | This PR adds only rebase_automation.sh, a bash automation script. No Go test files or Ginkgo tests were modified or added, so the check for stable test names is not applicable. |
| Microshift Test Compatibility | ✅ Passed | PR adds only rebase_automation.sh, a Bash automation script. No Ginkgo e2e tests (It/Describe/Context/When) are being added, so MicroShift test compatibility check does not apply. |
| Single Node Openshift (Sno) Test Compatibility | ✅ Passed | This PR adds only rebase_automation.sh, a Bash automation script with no Ginkgo e2e tests. The SNO compatibility check applies only to new Ginkgo e2e tests, which are not present in this PR. |
| Topology-Aware Scheduling Compatibility | ✅ Passed | PR adds rebase_automation.sh, a shell automation script with no Kubernetes manifests or scheduling constraints. The check applies to deployment manifests/operator code; this PR is a helper script o... |
| Ote Binary Stdout Contract | ✅ Passed | This PR adds rebase_automation.sh, a Bash helper script for automating cert-manager-operator rebases. The OTE Binary Stdout Contract applies to Go binary process-level code (main, init, TestMain, s... |
| Ipv6 And Disconnected Network Test Compatibility | ✅ Passed | PR adds only rebase_automation.sh, a Bash automation script with no Ginkgo e2e tests. Custom check for IPv6/disconnected network compatibility only applies to new Ginkgo tests, which are not present. |
| No-Weak-Crypto | ✅ Passed | The PR adds rebase_automation.sh, a shell script for automating version bumps and file updates. The script contains no cryptographic implementations, no weak crypto algorithms (MD5, SHA1, DES, RC4,... |
| Container-Privileges | ✅ Passed | The PR introduces only a Bash automation script with no container privilege escalations; no manifests with privileged settings, hostPID/Network/IPC, SYS_ADMIN, or allowPrivilegeEscalation flags are... |
| No-Sensitive-Data-In-Logs | ✅ Passed | Script logs only non-sensitive data: version numbers (e.g., 1.19.0), public repository URLs, file paths, and operational status. No passwords, tokens, API keys, PII, session IDs, or customer data a... |

✏️ Tip: You can configure your own custom pre-merge checks in the settings.

Comment @coderabbitai help to get the list of available commands and usage tips.

openshift-ci Bot requested review from mytreya-rh and swghosh June 19, 2026 09:10

openshift-ci Bot commented Jun 19, 2026

Contributor

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: arun717
Once this PR has been reviewed and has the lgtm label, please assign trilokgeer for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

coderabbitai Bot left a comment

Actionable comments posted: 2

🧹 Nitpick comments (2)
rebase_automation.sh (2)

413-419: ⚡ Quick win

Use mapfile for safer array population from command output.

Shellcheck SC2207 flags this pattern because word splitting on command substitution can break on filenames with spaces. While unlikely in this repo, using mapfile is more robust.

♻️ Suggested improvement
     # Find files that might contain version references (excluding vendor and .git)
-    local files_to_check=(
-        $(find . -type f \( -name "*.go" -o -name "*.yaml" -o -name "*.yml" -o -name "*.json" -o -name "*.md" -o -name "*.Dockerfile" \) \
-          -not -path "./vendor/*" \
-          -not -path "./.git/*" \
-          -not -path "./testbin/*" \
-          | grep -v "go.sum")
-    )
+    local files_to_check=()
+    mapfile -t files_to_check < <(find . -type f \( -name "*.go" -o -name "*.yaml" -o -name "*.yml" -o -name "*.json" -o -name "*.md" -o -name "*.Dockerfile" \) \
+        -not -path "./vendor/*" \
+        -not -path "./.git/*" \
+        -not -path "./testbin/*" \
+        | grep -v "go.sum")
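Review bot: the `grep -v "go.sum"` kept on the last line of the new `mapfile` form is an unanchored regex in which `.` matches any character, so it drops every path containing `go`, one arbitrary character, then `sum`, while `go.sum` itself can never reach it because the `-name` list only admits `*.go`, `*.yaml`, `*.yml`, `*.json`, `*.md` and `*.Dockerfile`. Drop the pipe, or express the exclusion inside `find` with `-not -name go.sum`. Separately, `mapfile` requires Bash 4.0 or later, so the prerequisite check should verify the Bash version, and newline-delimited reading still splits a file name that contains a newline.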
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@rebase_automation.sh` around lines 413 - 419, The `files_to_check` array
population uses command substitution with word splitting, which is unsafe for
filenames containing spaces or special characters. Replace the array assignment
pattern with the `mapfile` builtin command, piping the find command output
directly to `mapfile -t files_to_check` where the `-t` option removes trailing
newlines from each element. This approach safely handles filenames with spaces
and special characters without relying on word splitting.

Source: Linters/SAST tools


268-276: 💤 Low value

Address Shellcheck warnings for robustness.

Shellcheck SC2155 warns about masking return values when declaring and assigning in one statement. SC2086 warns about unquoted variables.

♻️ Suggested improvements
         if [[ "$bundle_changing" == "true" ]]; then
-            echo "  CHANNELS: stable-v1,stable-v$(echo $OLD_BUNDLE_VERSION | cut -d'.' -f1,2) -> stable-v1,stable-v$(echo $NEW_BUNDLE_VERSION | cut -d'.' -f1,2)"
+            echo "  CHANNELS: stable-v1,stable-v$(echo "$OLD_BUNDLE_VERSION" | cut -d'.' -f1,2) -> stable-v1,stable-v$(echo "$NEW_BUNDLE_VERSION" | cut -d'.' -f1,2)"
         fi
...
     # Extract major.minor versions for channels
-    local old_channel_version=$(echo "$OLD_BUNDLE_VERSION" | cut -d'.' -f1,2)
-    local new_channel_version=$(echo "$NEW_BUNDLE_VERSION" | cut -d'.' -f1,2)
+    local old_channel_version
+    old_channel_version=$(echo "$OLD_BUNDLE_VERSION" | cut -d'.' -f1,2)
+    local new_channel_version
+    new_channel_version=$(echo "$NEW_BUNDLE_VERSION" | cut -d'.' -f1,2)
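Review bot: on the `old_channel_version` and `new_channel_version` assignments, separating `local` from the assignment only exposes the pipeline's exit status, and both `echo` and `cut` succeed on any input, so the SC2155 change gains little as written. For a validated X.Y.Z value, parameter expansion such as `${OLD_BUNDLE_VERSION%.*}` yields the same major.minor string without a subshell or pipeline. The `CHANNELS` echo at the top of the hunk repeats the same computation and could print these two variables instead, provided they are assigned before that line runs.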
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@rebase_automation.sh` around lines 268 - 276, The Shellcheck warnings SC2155
and SC2086 need to be addressed in the variable assignments. For SC2155, split
the declaration and assignment for old_channel_version and new_channel_version
into separate statements to avoid masking return values from the command
substitution. For SC2086, ensure all variable references like
$OLD_BUNDLE_VERSION and $NEW_BUNDLE_VERSION are wrapped in double quotes to
prevent word splitting, particularly in the echo statements that reference these
bundle version variables.

Source: Linters/SAST tools

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@rebase_automation.sh`:
- Around line 593-596: The `-s|--step` option handler is missing validation to
ensure a step argument is provided. Before assigning `$2` to SPECIFIC_STEP in
the case block for `-s|--step`, add a check to verify that `$2` exists and is
not empty. If the argument is missing, display a clear error message to the user
and exit with a non-zero status code. This prevents the cryptic "unbound
variable" error and provides better user experience.
- Around line 139-165: The version extraction and replacement patterns have a
mismatch with the actual Makefile format. First, in the
detect_current_versions() function, fix the grep patterns for BUNDLE_VERSION,
CERT_MANAGER_VERSION, and ISTIO_CSR_VERSION to properly handle the actual
unquoted Makefile values and any variable references (like $(DEFAULT_VERSION))
by improving the sed/cut chains to strip unwanted characters and dereference
variables. Second, update the sed replacement patterns (lines 291 and 297) to
match unquoted values instead of searching for quoted patterns with the "v"
prefix—change the patterns to search for the actual format found in Makefile
(without quotes) to ensure the replacements match and execute successfully
rather than failing silently.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: cfc0c7de-8d76-47f8-b981-3b3fefdb9d5d

📥 Commits

Reviewing files that changed from the base of the PR and between a31bc8f and 282b48d.

📒 Files selected for processing (1)
  • rebase_automation.sh
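
The missing-argument case raised in the inline comment on `-s|--step`, as an added sketch that is not code from the PR: a hypothetical `parse_args()` that checks the argument count before reading `$2` under `set -u` and rejects values outside 1-4. `SPECIFIC_STEP` and the flag names come from the review text; `DRY_RUN` and `SKIP_COMMIT` are assumed variable names.

```bash
#!/usr/bin/env bash
# Added example: hypothetical parser, not taken from rebase_automation.sh.
set -u

DRY_RUN=false       # assumed name
SKIP_COMMIT=false   # assumed name
SPECIFIC_STEP=""    # name taken from the review comment

parse_args() {
    DRY_RUN=false; SKIP_COMMIT=false; SPECIFIC_STEP=""
    while [ "$#" -gt 0 ]; do
        case "$1" in
            -s|--step)
                # Under `set -u`, expanding "$2" when it is absent aborts the
                # script with "unbound variable"; check the count first.
                if [ "$#" -lt 2 ]; then
                    echo "error: $1 requires a step number (1-4)" >&2
                    return 2
                fi
                # Also catches `--step --dry-run`, where the next flag would
                # otherwise be swallowed as the step value.
                case "$2" in
                    [1-4]) SPECIFIC_STEP="$2" ;;
                    *) echo "error: invalid step '$2' (expected 1-4)" >&2
                       return 2 ;;
                esac
                shift 2
                ;;
            --dry-run)     DRY_RUN=true; shift ;;
            --skip-commit) SKIP_COMMIT=true; shift ;;
            *) echo "error: unknown option '$1'" >&2
               return 2 ;;
        esac
    done
}
```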

Co-authored-by: Cursor <cursoragent@cursor.com>
openshift-ci Bot commented Jun 19, 2026

Contributor

@arun717: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

| Test name | Commit | Details | Required | Rerun command |
|---|---|---|---|---|
| ci/prow/e2e-operator-tech-preview | 5d65a2f | link | false | /test e2e-operator-tech-preview |

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.
