CNTRLPLANE-3674: Add generic jira-agent step registry for cross-team reuse #80927

Open
bryan-cox wants to merge 7 commits into openshift:main from bryan-cox:CNTRLPLANE-3674-generic-jira-agent

@bryan-cox bryan-cox commented Jun 23, 2026

Member

Summary

  • Add a generic, parameterized jira-agent step registry at ci-operator/step-registry/jira-agent/ that any team can reuse by creating a thin wrapper workflow
  • The process script replaces 15+ hardcoded HyperShift values with configurable env vars (JIRA_AGENT_FORK_REPO, JIRA_AGENT_UPSTREAM_REPO, JIRA_AGENT_JQL, JIRA_AGENT_TARGET_STATUS, etc.)
  • Convert the existing hypershift/jira-agent workflow to a thin wrapper that references the generic steps with HyperShift-specific configuration

Details

The generic step registry supports:

  • Setup: Verifies Claude Code CLI availability with Vertex AI auth
  • Process: 4-phase pipeline (solve → review → fix → PR) for each Jira issue
  • Report: HTML report with per-phase token usage and cost breakdown

New env vars for team customization:

| Variable | Description |
| --- | --- |
| JIRA_AGENT_FORK_REPO | Fork repo to clone and push branches |
| JIRA_AGENT_UPSTREAM_REPO | Upstream repo for PR creation |
| JIRA_AGENT_JQL | JQL query for issue discovery |
| JIRA_AGENT_TARGET_STATUS | JSON map of project→status transitions |
| JIRA_AGENT_ASSIGNEE | Auto-assignee display name |
| JIRA_AGENT_EXTRA_PLUGIN_COMMANDS | Additional Claude plugins |
| JIRA_AGENT_TOOL_SETUP_SCRIPT | Project-specific tool installs |
| JIRA_AGENT_REVIEW_LANGUAGE / JIRA_AGENT_REVIEW_PROFILE | Code review config |

The HyperShift wrapper preserves full backward compatibility — the periodic job config (workflow: hypershift-jira-agent) is unchanged.

Test plan

  • Verify make validate-step-registry passes
  • Verify make registry-metadata generates correct metadata
  • Verify the existing periodic-jira-agent job config still references hypershift-jira-agent workflow
  • Verify generic refs have no broken cross-references
  • Manual: trigger a test run of the periodic job to validate end-to-end

🤖 Generated with Claude Code

Summary by CodeRabbit

This PR refactors OpenShift CI’s Jira-powered Claude Code automation into a reusable, parameterized step registry and updates the HyperShift Jira agent workflow to become a thin wrapper around those shared steps—reducing hardcoded HyperShift-specific logic and enabling cross-team adoption.

What changed (practical impact):

  • Introduced a new generic registry at ci-operator/step-registry/jira-agent/ that standardizes how teams:
    • set up Claude Code CLI and Vertex/GCP auth (setup step)
    • run a per-Jira-issue 4-phase pipeline (process step): solve → review → fix → PR creation
    • produce an HTML report including per-phase token usage and cost breakdown (report step)
  • Refactored ci-operator/step-registry/hypershift/jira-agent/hypershift-jira-agent-workflow.yaml to delegate its pre, test, and post phases to the new generic step refs (jira-agent-setup, jira-agent-process, jira-agent-report) while supplying HyperShift-specific configuration via environment variables.
  • Preserved backward compatibility: the periodic job configuration (workflow: hypershift-jira-agent) remains unchanged.

Configurability for wrapper workflows:
The generic steps are designed to be controlled entirely by wrapper-provided environment variables, including (among others):

  • JIRA_AGENT_FORK_REPO, JIRA_AGENT_UPSTREAM_REPO, JIRA_AGENT_JQL
  • JIRA_AGENT_TARGET_STATUS, JIRA_AGENT_ASSIGNEE
  • JIRA_AGENT_EXTRA_PLUGIN_COMMANDS, JIRA_AGENT_TOOL_SETUP_SCRIPT
  • JIRA_AGENT_REVIEW_LANGUAGE, JIRA_AGENT_REVIEW_PROFILE

Additional repo/infrastructure updates included:

  • Added registry documentation (ci-operator/step-registry/jira-agent/README.md) with a quick-start wrapper example and required/optional env var guidance.
  • Added step/ownership metadata and access control (OWNERS, *.metadata.json, and step ref YAMLs) for the setup/process/report sub-steps.

Net result:
Teams can now implement their own Jira-Agent automation by creating a small wrapper workflow that points at the shared registry steps and supplies their team-specific repos, JQL, status/assignee rules, and Claude/tool setup configuration—without reimplementing the underlying multi-phase processing and reporting logic.

@openshift-ci-robot openshift-ci-robot added the jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. label Jun 23, 2026
@openshift-ci-robot

openshift-ci-robot commented Jun 23, 2026

Contributor

@bryan-cox: This pull request references CNTRLPLANE-3674 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the epic to target the "5.0.0" version, but no target version was set.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@coderabbitai

coderabbitai Bot commented Jun 23, 2026

Contributor

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

  • @coderabbitai resume to resume automatic reviews.
  • @coderabbitai review to trigger a single review.

Walkthrough

This PR introduces a reusable, parameterized jira-agent workflow and step registry that automates Jira issue resolution via Claude Code CLI with setup verification, four-phase per-issue processing (solve→review→fix→PR creation), HTML report generation with token cost tracking, and updates the HyperShift workflow to adopt the generic steps with HyperShift-specific configuration.

Changes

Jira agent generalization and HyperShift adoption

Layer / File(s) Summary
Workflow foundation and documentation
ci-operator/step-registry/jira-agent/OWNERS, ci-operator/step-registry/jira-agent/README.md, ci-operator/step-registry/jira-agent/jira-agent-workflow.metadata.json, ci-operator/step-registry/jira-agent/jira-agent-workflow.yaml
Introduces the generic jira-agent workflow metadata and base YAML wiring three phases to setup/process/report steps. Comprehensive README documents the four-phase per-issue pipeline, required/optional environment variables, Vault secret schema with Vertex/GCP/Jira/GitHub credentials, quickstart wrapper pattern showing how teams reference generic steps and set their configuration, and notes that workflow-level env cannot override ref credentials blocks. Establishes OWNERS governance for the registry path.
Setup step: environment verification and preflight checks
ci-operator/step-registry/jira-agent/setup/OWNERS, ci-operator/step-registry/jira-agent/setup/jira-agent-setup-commands.sh, ci-operator/step-registry/jira-agent/setup/jira-agent-setup-ref.metadata.json, ci-operator/step-registry/jira-agent/setup/jira-agent-setup-ref.yaml
Defines the setup step reference YAML with Vertex/GCP authentication environment variables and credential secret mounts to /var/run/claude-code-service-account. Implements preflight validation that checks Claude CLI availability with explicit error output and verifies GOOGLE_APPLICATION_CREDENTIALS is set and readable, failing fast on missing authentication. Establishes OWNERS governance for the setup step.
Process step: environment interface and configuration
ci-operator/step-registry/jira-agent/process/OWNERS, ci-operator/step-registry/jira-agent/process/jira-agent-process-ref.metadata.json, ci-operator/step-registry/jira-agent/process/jira-agent-process-ref.yaml
Defines the comprehensive process step reference YAML with complete environment variable interface: Vertex/GCP auth, Jira agent configuration (fork/upstream repos, JQL, optional issue override, optional post-processing status transitions and assignee updates), GitHub App installation ID Vault key names for fork/upstream, optional Claude plugin and tool setup commands, code-review plugin language/profile settings, Slack emoji, Jira base URL, Kubernetes resource requests (500m CPU, 1Gi memory), and credential secret mount configuration. Embedded documentation describes the four-phase pipeline and lists required env vars with guidance to override the credential secret in wrapper workflows.
Process step: bootstrap, repositories, and credential handling
ci-operator/step-registry/jira-agent/process/jira-agent-process-commands.sh (initialization through credential setup sections)
Implements process step initialization: prints header, applies Gangway overrides for issue key, validates required environment variables (fork/upstream repos, JQL or issue key), derives FORK_ORG, sets environment defaults (install-id key names, review language/profile, Slack emoji, JIRA_BASE_URL), clones openshift-eng/ai-helpers and configured fork repositories, copies jira-solve into fork's .claude/commands. Conditionally evaluates optional tool setup script, installs only openshift-eng/ai-helpers marketplace plugin, optionally runs extra plugin commands, configures git user identity and upstream remote. Generates fork and upstream GitHub App tokens with separate handling and fallback error behavior, loads Jira API credentials with trace toggles to prevent credential leakage.
Process step: Jira operations and state coordination
ci-operator/step-registry/jira-agent/process/jira-agent-process-commands.sh (Jira transitions, assignee, and labeling)
Implements Jira API operations using configurable JIRA_BASE_URL: updates issue status using transitions derived from JIRA_AGENT_TARGET_STATUS with project-key prefix matching and HTTP code validation, performs assignee lookup via case-insensitive displayName regex matching JIRA_AGENT_ASSIGNEE, conditionally adds agent-processed label gated on ISSUE_SUCCESS and credential presence, and manages state with tracing toggles for credential protection.
Process step: issue selection and per-phase orchestration
ci-operator/step-registry/jira-agent/process/jira-agent-process-commands.sh (phases 1–4 pipeline, PR creation, and state recording)
Implements per-issue processing pipeline: searches Jira by JQL or JIRA_AGENT_ISSUE_KEY override, solves issues using fork context with dynamic jira-solve loading, reviews code with dynamically built language/profile commands and security constraints, applies fixes with independent fork token refresh and graceful fallback, creates pull requests to JIRA_AGENT_UPSTREAM_REPO with embedded Jira link in PR body. Manages GitHub token refresh independently before phases 3–4 with continuation on failure. Sends Slack notifications with configurable emoji and fetches reviewer mentions from upstream repo PR review requests. Extracts PR URLs with ISSUE_SUCCESS gating to mark processing success/failure.
Report step: HTML generation with token cost aggregation
ci-operator/step-registry/jira-agent/report/OWNERS, ci-operator/step-registry/jira-agent/report/jira-agent-report-commands.sh, ci-operator/step-registry/jira-agent/report/jira-agent-report-ref.metadata.json, ci-operator/step-registry/jira-agent/report/jira-agent-report-ref.yaml
Defines the report step reference YAML with JIRA_BASE_URL environment variable with default, resource requests (100m CPU, 256Mi memory), and documentation. Generates HTML report by collecting only existing per-phase token JSON files into an array, aggregating token counts and costs by Claude model using jq, computing cost totals with awk -v variable passing. Renders summary tables and collapsible issue cards with Jira issue hyperlinks using configurable ${JIRA_BASE_URL}/browse/${ISSUE_KEY}, and writes styled HTML with token usage and cost breakdown to artifact directory.
HyperShift workflow: delegation and configuration
ci-operator/step-registry/hypershift/jira-agent/hypershift-jira-agent-workflow.yaml
Updates the HyperShift workflow to delegate pre/test/post phases to the generic jira-agent-setup/process/report step references. Adds workflow-level env block configuring the Jira agent with HyperShift-specific values: fork and upstream repositories, Jira JQL, target status transitions (mapped by project key), assignee search pattern, Vault key names for GitHub App installations, Claude plugin setup commands, review language and profile, and Slack emoji. Replaces detailed workflow documentation with brief wrapper description, credential usage notes, and onboarding instructions for other teams to create their own ref YAMLs or request credential configuration updates.

Sequence Diagram(s)

sequenceDiagram
  participant HyperShift as HyperShift Workflow
  participant Setup as jira-agent-setup
  participant Process as jira-agent-process
  participant Claude as Claude Code CLI
  participant GitHub as GitHub API
  participant Jira as Jira Cloud
  participant Report as jira-agent-report
  participant Slack as Slack

  HyperShift->>Setup: pre phase
  Setup->>Setup: verify Claude CLI & Vertex/GCP auth
  Setup-->>HyperShift: setup complete
  HyperShift->>Process: test phase
  Process->>Jira: search issues by JQL or key
  loop for each matched issue
    Process->>Claude: Phase 1: solve with fork context
    Process->>Claude: Phase 2: review code (lang/profile)
    Process->>Claude: Phase 3: fix (refresh fork token)
    Process->>GitHub: push branch
    Process->>Claude: Phase 4: draft PR (refresh tokens)
    Process->>GitHub: create PR to upstream
    Process->>Jira: transition status (project-key derived)
    Process->>Jira: assign user (displayName regex)
    Process->>Jira: add agent-processed label
    Process->>Slack: notify with emoji and reviewers
    Process->>Process: record tokens and outcome
  end
  HyperShift->>Report: post phase
  Report->>Report: aggregate token counts by model
  Report->>Report: render HTML with Jira links
  Report-->>HyperShift: report complete

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~75 minutes

Possibly related PRs

  • openshift/release#80847: Also sets the Jira agent process step timeout to 4 hours, aligning with this PR's generic process step reference configuration.

Suggested labels

rehearsals-ack

Suggested reviewers

  • csrwng
  • enxebre
🚥 Pre-merge checks | ✅ 15
✅ Passed checks (15 passed)
| Check name | Status | Explanation |
| --- | --- | --- |
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The PR title accurately describes the main objective: adding a generic jira-agent step registry for cross-team reuse, which is the primary change across all modified files. |
| Docstring Coverage | ✅ Passed | Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Stable And Deterministic Test Names | ✅ Passed | This PR contains no Ginkgo test files (*_test.go) or test declarations (It, Describe, Context, When); it only includes CI configuration YAML, shell scripts, JSON metadata, and documentation files.... |
| Test Structure And Quality | ✅ Passed | This PR contains no Ginkgo test code. The PR only modifies CI operator step registry configuration files (YAML, shell scripts, metadata JSON, and OWNERS files). The custom check is not applicable t... |
| Microshift Test Compatibility | ✅ Passed | This PR adds CI step registry configurations and shell scripts, not Ginkgo e2e tests. The MicroShift Test Compatibility check applies only when new e2e tests are added. |
| Single Node Openshift (Sno) Test Compatibility | ✅ Passed | This PR does not add any Ginkgo e2e tests. It only adds CI operator step registry YAML files, bash scripts, and documentation. The SNO compatibility check is not applicable. |
| Topology-Aware Scheduling Compatibility | ✅ Passed | This PR adds CI/CD infrastructure files (step-registry configs and automation scripts), not Kubernetes deployment manifests or operators. No scheduling constraints, affinity rules, or topology assu... |
| Ote Binary Stdout Contract | ✅ Passed | PR adds CI step registry shell scripts and YAML config, not Go test binaries. OTE contract checks apply only to Go code with main() functions or Ginkgo suite setup—this PR has neither. |
| Ipv6 And Disconnected Network Test Compatibility | ✅ Passed | This PR does not add any Ginkgo e2e tests; it only adds CI step registry configs, shell scripts, and documentation. The IPv6/disconnected network test compatibility check is not applicable. |
| No-Weak-Crypto | ✅ Passed | No weak crypto algorithms (MD5, SHA1, DES, RC4, 3DES, Blowfish, ECB) found. Only strong algorithms (SHA256 with RSA-256) and proper Base64 encoding are used. While simple string comparisons exist f... |
| Container-Privileges | ✅ Passed | No privileged container configurations, elevated privilege settings, or root execution without justification found in any step registry YAML files or shell scripts. |
| No-Sensitive-Data-In-Logs | ✅ Passed | All sensitive data (GitHub tokens, Jira credentials, Slack webhooks) are properly protected from logging with set +x/set -x bash tracing controls in all three locations where handled. |

✏️ Tip: You can configure your own custom pre-merge checks in the settings.

Comment @coderabbitai help to get the list of available commands.

@openshift-ci openshift-ci Bot requested review from csrwng and stbenjam June 23, 2026 14:14
@openshift-ci

openshift-ci Bot commented Jun 23, 2026

Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: bryan-cox

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci openshift-ci Bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Jun 23, 2026
@openshift-merge-bot

Contributor

@bryan-cox, pj-rehearse: unable to determine affected jobs. This could be due to a branch that needs to be rebased. ERROR:

could not determine changed registry steps: could not load step registry: failed to load registry file /var/tmp/gitrepo2545339757/ci-operator/step-registry/hypershift/jira-agent/hypershift-jira-agent-workflow.yaml: error unmarshaling JSON: while decoding JSON: json: unknown field "env"
Interacting with pj-rehearse

Comment: /pj-rehearse to run up to 5 rehearsals
Comment: /pj-rehearse skip to opt-out of rehearsals
Comment: /pj-rehearse {test-name}, with each test separated by a space, to run one or more specific rehearsals
Comment: /pj-rehearse more to run up to 10 rehearsals
Comment: /pj-rehearse max to run up to 25 rehearsals
Comment: /pj-rehearse auto-ack to run up to 5 rehearsals, and add the rehearsals-ack label on success
Comment: /pj-rehearse list to get an up-to-date list of affected jobs
Comment: /pj-rehearse abort to abort all active rehearsals
Comment: /pj-rehearse network-access-allowed to allow rehearsals of tests that have the restrict_network_access field set to false. This must be executed by an openshift org member who is not the PR author

Once you are satisfied with the results of the rehearsals, comment: /pj-rehearse ack to unblock merge. When the rehearsals-ack label is present on your PR, merge will no longer be blocked by rehearsals.
If you would like the rehearsals-ack label removed, comment: /pj-rehearse reject to re-block merging.

@coderabbitai coderabbitai Bot left a comment

Contributor

Actionable comments posted: 6

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@ci-operator/step-registry/jira-agent/process/jira-agent-process-commands.sh`:
- Around line 723-726: When Phase 4 (PR creation) fails as indicated by the
PR_EXIT_CODE check in the else block, the script currently continues to mark the
Jira issue as processed by adding the agent-processed label and recording a
SUCCESS status. This prevents the issue from being retried in future runs. After
the else block that handles the PR creation failure case (where PR_URL is set to
empty), add logic to skip the Jira issue update step that adds the
agent-processed label and records the SUCCESS status, ensuring that failed PR
creations do not permanently suppress retries. Apply the same fix to all similar
failure handling blocks referenced at lines 763-826 where Phase 4 failures
occur.
- Around line 242-247: The transition_issue function's curl command currently
returns success regardless of the HTTP response status from Jira. Modify the
curl command to capture the HTTP status code using the -w option and store it in
a variable, then add a conditional check to verify the status code is in the 2xx
success range before returning 0; if the status indicates an error (4xx or 5xx),
return a non-zero exit code instead to properly reflect the failure to the
caller.
- Around line 6-18: The validation loop that checks for required environment
variables runs before the override handling block, causing the script to always
require JIRA_AGENT_JQL even when executing in single-issue mode with
JIRA_AGENT_ISSUE_KEY. Move the override handling block (the if statement
checking MULTISTAGE_PARAM_OVERRIDE_JIRA_AGENT_ISSUE_KEY) to execute before the
validation loop, so that JIRA_AGENT_ISSUE_KEY can be properly set via override
before the required variables are checked. This allows single-issue mode to work
when only JIRA_AGENT_ISSUE_KEY is provided through overrides, making
JIRA_AGENT_JQL optional in that scenario.

In `@ci-operator/step-registry/jira-agent/README.md`:
- Around line 66-75: The README documentation lists incorrect Vault secret key
names that do not match the keys actually consumed by the process script. Update
the secret keys listed in the documented Vault secret section to use the correct
key names: replace `jira-token` with `jira-pat`, replace `jira-user` with
`jira-email`, replace `slack-webhook` with `slack-webhook-url`, replace
`github-app-id` with `app-id`, and replace `github-app-private-key` with
`private-key`. This ensures teams setting up Vault secrets according to the
README will use the correct key names expected by the process script.

In `@ci-operator/step-registry/jira-agent/report/jira-agent-report-commands.sh`:
- Around line 58-62: The sum_costs helper is interpolating untrusted values
directly into the awk program, which allows code injection instead of a plain
numeric sum. Update sum_costs to validate or coerce the inputs before use, and
pass the values to awk in a safe way (for example via awk variables or another
numeric-only approach) so only arithmetic is performed. Keep the fix localized
to sum_costs in jira-agent-report-commands.sh and preserve the existing fallback
behavior.

In `@ci-operator/step-registry/jira-agent/setup/jira-agent-setup-commands.sh`:
- Around line 6-9: Add an explicit Vertex AI credentials preflight in
jira-agent-setup-commands.sh instead of only checking Claude Code CLI
availability. In the setup flow around the existing claude --version check,
validate that GOOGLE_APPLICATION_CREDENTIALS is set and points to a readable
credentials file (or otherwise confirm ADC is usable), and fail fast with a
clear error message if it is missing or inaccessible. Keep the existing CLI
verification, but extend the setup script so authentication issues are detected
during setup rather than later.
ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 0ddea49f-bb00-4f8e-86b7-48196c29e9b2

📥 Commits

Reviewing files that changed from the base of the PR and between 06cb91c and 0821a19.

📒 Files selected for processing (17)
  • ci-operator/step-registry/hypershift/jira-agent/hypershift-jira-agent-workflow.yaml
  • ci-operator/step-registry/jira-agent/OWNERS
  • ci-operator/step-registry/jira-agent/README.md
  • ci-operator/step-registry/jira-agent/jira-agent-workflow.metadata.json
  • ci-operator/step-registry/jira-agent/jira-agent-workflow.yaml
  • ci-operator/step-registry/jira-agent/process/OWNERS
  • ci-operator/step-registry/jira-agent/process/jira-agent-process-commands.sh
  • ci-operator/step-registry/jira-agent/process/jira-agent-process-ref.metadata.json
  • ci-operator/step-registry/jira-agent/process/jira-agent-process-ref.yaml
  • ci-operator/step-registry/jira-agent/report/OWNERS
  • ci-operator/step-registry/jira-agent/report/jira-agent-report-commands.sh
  • ci-operator/step-registry/jira-agent/report/jira-agent-report-ref.metadata.json
  • ci-operator/step-registry/jira-agent/report/jira-agent-report-ref.yaml
  • ci-operator/step-registry/jira-agent/setup/OWNERS
  • ci-operator/step-registry/jira-agent/setup/jira-agent-setup-commands.sh
  • ci-operator/step-registry/jira-agent/setup/jira-agent-setup-ref.metadata.json
  • ci-operator/step-registry/jira-agent/setup/jira-agent-setup-ref.yaml

Comment thread ci-operator/step-registry/jira-agent/process/jira-agent-process-commands.sh Outdated
Comment thread ci-operator/step-registry/jira-agent/README.md
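
The `sum_costs` finding in the review above, as an added example (not code from the PR; the function bodies, the treat-invalid-as-zero fallback and the sample values are assumptions). It shows that values spliced into the awk program text are evaluated as awk code, while values validated as plain decimals and passed with `-v` are only ever operands.

```shell
#!/bin/sh
# Added illustration; not the contents of jira-agent-report-commands.sh.

# Pattern the review flags: the arguments become part of the awk program text,
# so anything awk can parse in them is executed, not just added.
sum_costs_unsafe() {
  awk "BEGIN { printf \"%.4f\", $1 + $2 }"
}

# Accept only plain non-negative decimals (12, 0.5, .25); reject the empty
# string, a lone dot, any other character, and values with more than one dot.
is_plain_decimal() {
  case "$1" in
    ''|.|*[!0-9.]*|*.*.*) return 1 ;;
    *) return 0 ;;
  esac
}

# Hardened form: the program text is a fixed single-quoted string and the
# values reach awk as variables. Validation comes first because -v still
# interprets backslash escapes in the value.
# Assumption: an invalid value counts as 0 (the script's real fallback is not
# shown on the page).
sum_costs() (
  total=0.0000
  for value in "$@"; do
    is_plain_decimal "$value" || value=0
    total=$(awk -v a="$total" -v b="$value" 'BEGIN { printf "%.4f", a + b }')
  done
  printf '%s\n' "$total"
)
```

With the constructed input `'1+1' 1`, `sum_costs_unsafe` evaluates the first argument as an expression and returns 3.0000, while `sum_costs` rejects it and returns 1.0000.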

@coderabbitai coderabbitai Bot left a comment

Contributor

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@ci-operator/step-registry/jira-agent/process/jira-agent-process-commands.sh`:
- Line 444: Relying on prompt text to prevent Claude from accessing GitHub
tokens via git credential helpers is ineffective. Instead of trying to restrict
Claude's commands through instructions, remove or unset the credential helper
before invoking Claude (in the FORK_CONTEXT variable and similar messages at
lines 519, 584, 602, 662, and 694), allow Claude to create commits locally only,
then have the wrapper script perform authenticated git push and PR operations
after Claude execution completes using a temporary credential helper. This moves
the security boundary outside Claude's execution context and aligns with coding
guidelines that protect sensitive credentials from being exposed in
step-registry command scripts.
- Around line 578-587: The issue is that GITHUB_TOKEN_FORK is assigned directly
from the generate_github_token function call before validating the result, so if
the function fails or returns null, the previous token value is lost even though
the code claims to be "continuing with previous token". To fix this, create a
temporary variable to capture the output of generate_github_token (for both
GITHUB_TOKEN_FORK and GITHUB_TOKEN_UPSTREAM as mentioned), then only assign the
result to the actual token variable inside the conditional block if the
temporary variable contains a valid value. This ensures the previous token is
preserved when the refresh fails.
ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: d8a23e36-07a9-461a-9292-c1376f4fb60e

📥 Commits

Reviewing files that changed from the base of the PR and between 0821a19 and 686b564.

📒 Files selected for processing (9)
  • ci-operator/step-registry/hypershift/jira-agent/README.md
  • ci-operator/step-registry/hypershift/jira-agent/process/OWNERS
  • ci-operator/step-registry/hypershift/jira-agent/process/hypershift-jira-agent-process-ref.yaml
  • ci-operator/step-registry/hypershift/jira-agent/report/OWNERS
  • ci-operator/step-registry/hypershift/jira-agent/report/hypershift-jira-agent-report-ref.yaml
  • ci-operator/step-registry/hypershift/jira-agent/setup/OWNERS
  • ci-operator/step-registry/jira-agent/README.md
  • ci-operator/step-registry/jira-agent/process/jira-agent-process-commands.sh
  • ci-operator/step-registry/jira-agent/report/jira-agent-report-commands.sh
💤 Files with no reviewable changes (6)
  • ci-operator/step-registry/hypershift/jira-agent/process/hypershift-jira-agent-process-ref.yaml
  • ci-operator/step-registry/hypershift/jira-agent/report/OWNERS
  • ci-operator/step-registry/hypershift/jira-agent/process/OWNERS
  • ci-operator/step-registry/hypershift/jira-agent/README.md
  • ci-operator/step-registry/hypershift/jira-agent/setup/OWNERS
  • ci-operator/step-registry/hypershift/jira-agent/report/hypershift-jira-agent-report-ref.yaml
✅ Files skipped from review due to trivial changes (1)
  • ci-operator/step-registry/jira-agent/README.md
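
The token-refresh finding in the review above (around lines 578-587), as an added example rather than the PR's code. `generate_github_token` here is a hypothetical stub driven by the constructed `MINT_RESULT` variable, and both functions print the token the caller would end up holding.

```shell
#!/bin/sh
# Added illustration; not the contents of jira-agent-process-commands.sh.

# Hypothetical stand-in for the script's generate_github_token.
# MINT_RESULT is constructed input: "fail" means a non-zero exit with no
# output, "null" means the literal string null, anything else is the new token.
generate_github_token() {
  case "$MINT_RESULT" in
    fail) return 1 ;;
    *) printf '%s\n' "$MINT_RESULT" ;;
  esac
}

# Flagged pattern: the result is assigned to the live variable before it is
# checked, so the warning about "continuing with previous token" is untrue.
refresh_overwrite() (
  token=$1
  token=$(generate_github_token) || true   # previous value is lost here
  if [ -z "$token" ] || [ "$token" = "null" ]; then
    echo "WARNING: token refresh failed, continuing with previous token" >&2
  fi
  printf '%s\n' "$token"
)

# Fixed pattern: capture into a temporary, validate, and only then replace.
refresh_keep_previous() (
  token=$1
  candidate=$(generate_github_token) || candidate=""
  case "$candidate" in
    ''|null)
      echo "WARNING: token refresh failed, continuing with previous token" >&2
      ;;
    *)
      token=$candidate
      ;;
  esac
  printf '%s\n' "$token"
)
```

In a real step script the result would be assigned to the token variable with tracing off (`set +x`) rather than printed.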

@bryan-cox

Member Author

/pj-rehearse periodic-ci-openshift-hypershift-main-periodic-jira-agent

@openshift-merge-bot

Contributor

@bryan-cox: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

@bryan-cox

Member Author

/pj-rehearse periodic-ci-openshift-hypershift-main-periodic-jira-agent

@openshift-merge-bot

Contributor

@bryan-cox: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

@openshift-merge-bot

Contributor

@bryan-cox, pj-rehearse: unable prepare a candidate for rehearsal; rehearsals will not be run. This could be due to a branch that needs to be rebased. ERROR:

couldn't checkout base SHA e506179213e607679de5e0702c062ad7d7364fa2: error checking out "e506179213e607679de5e0702c062ad7d7364fa2": exit status 128 fatal: unable to read tree (e506179213e607679de5e0702c062ad7d7364fa2)

@openshift-merge-bot

Contributor

@bryan-cox, pj-rehearse: unable to determine affected jobs. This could be due to a branch that needs to be rebased. ERROR:

couldn't prepare candidate: couldn't checkout base SHA bc588a89d4c6e63a5bbca4d357a1c34b7ed674a4: error checking out "bc588a89d4c6e63a5bbca4d357a1c34b7ed674a4": exit status 128 fatal: unable to read tree (bc588a89d4c6e63a5bbca4d357a1c34b7ed674a4)

Interacting with pj-rehearse

Comment: /pj-rehearse to run up to 5 rehearsals
Comment: /pj-rehearse skip to opt-out of rehearsals
Comment: /pj-rehearse {test-name}, with each test separated by a space, to run one or more specific rehearsals
Comment: /pj-rehearse more to run up to 10 rehearsals
Comment: /pj-rehearse max to run up to 25 rehearsals
Comment: /pj-rehearse auto-ack to run up to 5 rehearsals, and add the rehearsals-ack label on success
Comment: /pj-rehearse list to get an up-to-date list of affected jobs
Comment: /pj-rehearse abort to abort all active rehearsals
Comment: /pj-rehearse network-access-allowed to allow rehearsals of tests that have the restrict_network_access field set to false. This must be executed by an openshift org member who is not the PR author

Once you are satisfied with the results of the rehearsals, comment: /pj-rehearse ack to unblock merge. When the rehearsals-ack label is present on your PR, merge will no longer be blocked by rehearsals.
If you would like the rehearsals-ack label removed, comment: /pj-rehearse reject to re-block merging.

bryan-cox and others added 5 commits June 23, 2026 11:54
…reuse

Extract the HyperShift-specific jira-agent prow job into a generic,
parameterized step registry that any team can reuse by creating a thin
wrapper workflow with their own env vars and credentials.

New generic steps at ci-operator/step-registry/jira-agent/:
- setup: Verifies Claude Code CLI with Vertex AI auth
- process: 4-phase pipeline (solve, review, fix, PR) with 15+ configurable
  env vars replacing all hardcoded HyperShift values
- report: HTML report with token usage and cost breakdown

The existing hypershift/jira-agent workflow is converted to a thin wrapper
that references the generic steps and sets HyperShift-specific configuration.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

…vars

- Move env block inside workflow steps (workflows don't support top-level env)
- Regenerate metadata JSON files with make registry-metadata
- Remove unused UPSTREAM_ORG and UPSTREAM_REPO_NAME variables (shellcheck SC2034)

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

- Fix credential key names in README (jira-pat, jira-email, app-id,
  private-key, slack-webhook-url, gh-to-slack-ids)
- Clarify that credential secret name requires forking ref YAMLs
- Add git config commands to security warnings in all 4 Claude prompts
- Add set +x tracing guards around all credential operations (GitHub
  token gen, Jira auth, token refreshes)
- Change exit 0 to exit 1 on missing credentials with state file
- Delete orphaned hypershift/jira-agent/setup|process|report directories
- Fix unquoted $MODEL_FILES in report script (use bash array)
- Improve token refresh error messages to note stale token fallback
- Add trust boundary comment for eval'd env vars

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

- Move Gangway override before validation so JIRA_AGENT_JQL is optional
  when JIRA_AGENT_ISSUE_KEY is provided (fixes single-issue mode)
- Check Jira transition POST HTTP status before returning success
- Don't mark issues as agent-processed when PR creation fails
- Use temp variable pattern for token refresh to preserve previous token
  on failure instead of overwriting
- Fix awk code injection in sum_costs by using -v variable assignment
- Add Vertex AI credentials preflight check in setup step

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
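The `-v` change to sum_costs listed in the commit message above, shown as an added example. The PR's own sum_costs is not on this page, so both function bodies and the cost values are hypothetical reconstructions, not the project's code.

```shell
#!/usr/bin/env bash
# Added example; function bodies are hypothetical, not the PR's sum_costs.

# Before: each value is pasted into the awk program text, so awk parses
# whatever the variable holds as code.
sum_costs_interpolated() {
  total=0
  for cost in "$@"; do
    total=$(awk "BEGIN { printf \"%.4f\", $total + $cost }")
  done
  printf '%s\n' "$total"
}

# After: the program text is a fixed single-quoted string and values arrive
# through -v, so they are only ever data. A non-numeric value converts to its
# leading numeric prefix (or 0) instead of being executed.
sum_costs_safe() {
  total=0
  for cost in "$@"; do
    total=$(awk -v t="$total" -v c="$cost" 'BEGIN { printf "%.4f", t + c }')
  done
  printf '%s\n' "$total"
}

# Constructed per-phase costs; the last one carries a harmless awk statement
# to show the difference between the two forms.
TAINTED='0.2500; printf "<parsed-as-code>"'
sum_costs_interpolated 0.1250 0.5000 "$TAINTED"
sum_costs_safe 0.1250 0.5000 "$TAINTED"
```

`-v` still expands backslash escapes in the assigned value; passing the value through the environment and reading `ENVIRON["name"]` avoids that as well.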

The CI pod doesn't have GitHub's ED25519 host key in known_hosts,
causing claude plugin install to fail with strict host key checking.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@bryan-cox bryan-cox force-pushed the CNTRLPLANE-3674-generic-jira-agent branch from ff34e85 to 535e538 Compare June 23, 2026 15:54

@bryan-cox

Member Author

/pj-rehearse periodic-ci-openshift-hypershift-main-periodic-jira-agent

@openshift-merge-bot

Contributor

@bryan-cox: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

@coderabbitai coderabbitai Bot left a comment

Contributor

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@ci-operator/step-registry/jira-agent/setup/jira-agent-setup-ref.yaml`:
- Around line 31-34: The documentation comment on Line 34 states that teams can
override the credential secret name in their wrapper workflow, but this
contradicts the hardcoded credentials.name reference on Line 28, which does not
actually allow such overrides. Update the documentation comment to accurately
reflect the current implementation by either removing the misleading statement
about credential secret name overrides, or clarifying the exact limitations and
how teams should actually configure their wrapper workflows when using this ref.

ℹ️ Review info
📥 Commits

Reviewing files that changed from the base of the PR and between ff34e85 and 535e538.

📒 Files selected for processing (23)
  • ci-operator/step-registry/hypershift/jira-agent/README.md
  • ci-operator/step-registry/hypershift/jira-agent/hypershift-jira-agent-workflow.yaml
  • ci-operator/step-registry/hypershift/jira-agent/process/OWNERS
  • ci-operator/step-registry/hypershift/jira-agent/process/hypershift-jira-agent-process-ref.yaml
  • ci-operator/step-registry/hypershift/jira-agent/report/OWNERS
  • ci-operator/step-registry/hypershift/jira-agent/report/hypershift-jira-agent-report-ref.yaml
  • ci-operator/step-registry/hypershift/jira-agent/setup/OWNERS
  • ci-operator/step-registry/jira-agent/OWNERS
  • ci-operator/step-registry/jira-agent/README.md
  • ci-operator/step-registry/jira-agent/jira-agent-workflow.metadata.json
  • ci-operator/step-registry/jira-agent/jira-agent-workflow.yaml
  • ci-operator/step-registry/jira-agent/process/OWNERS
  • ci-operator/step-registry/jira-agent/process/jira-agent-process-commands.sh
  • ci-operator/step-registry/jira-agent/process/jira-agent-process-ref.metadata.json
  • ci-operator/step-registry/jira-agent/process/jira-agent-process-ref.yaml
  • ci-operator/step-registry/jira-agent/report/OWNERS
  • ci-operator/step-registry/jira-agent/report/jira-agent-report-commands.sh
  • ci-operator/step-registry/jira-agent/report/jira-agent-report-ref.metadata.json
  • ci-operator/step-registry/jira-agent/report/jira-agent-report-ref.yaml
  • ci-operator/step-registry/jira-agent/setup/OWNERS
  • ci-operator/step-registry/jira-agent/setup/jira-agent-setup-commands.sh
  • ci-operator/step-registry/jira-agent/setup/jira-agent-setup-ref.metadata.json
  • ci-operator/step-registry/jira-agent/setup/jira-agent-setup-ref.yaml
💤 Files with no reviewable changes (6)
  • ci-operator/step-registry/hypershift/jira-agent/report/hypershift-jira-agent-report-ref.yaml
  • ci-operator/step-registry/hypershift/jira-agent/process/hypershift-jira-agent-process-ref.yaml
  • ci-operator/step-registry/hypershift/jira-agent/README.md
  • ci-operator/step-registry/hypershift/jira-agent/process/OWNERS
  • ci-operator/step-registry/hypershift/jira-agent/setup/OWNERS
  • ci-operator/step-registry/hypershift/jira-agent/report/OWNERS
✅ Files skipped from review due to trivial changes (8)
  • ci-operator/step-registry/jira-agent/setup/jira-agent-setup-ref.metadata.json
  • ci-operator/step-registry/jira-agent/process/OWNERS
  • ci-operator/step-registry/jira-agent/jira-agent-workflow.metadata.json
  • ci-operator/step-registry/jira-agent/process/jira-agent-process-ref.metadata.json
  • ci-operator/step-registry/jira-agent/report/OWNERS
  • ci-operator/step-registry/jira-agent/setup/OWNERS
  • ci-operator/step-registry/jira-agent/README.md
  • ci-operator/step-registry/jira-agent/report/jira-agent-report-ref.metadata.json
🚧 Files skipped from review as they are similar to previous changes (8)
  • ci-operator/step-registry/jira-agent/jira-agent-workflow.yaml
  • ci-operator/step-registry/jira-agent/report/jira-agent-report-ref.yaml
  • ci-operator/step-registry/hypershift/jira-agent/hypershift-jira-agent-workflow.yaml
  • ci-operator/step-registry/jira-agent/OWNERS
  • ci-operator/step-registry/jira-agent/process/jira-agent-process-ref.yaml
  • ci-operator/step-registry/jira-agent/setup/jira-agent-setup-commands.sh
  • ci-operator/step-registry/jira-agent/report/jira-agent-report-commands.sh
  • ci-operator/step-registry/jira-agent/process/jira-agent-process-commands.sh

Comment on lines +31 to +34
Generic setup step for the Jira agent periodic job.
Verifies Claude Code CLI is available.
Uses Vertex AI for Claude authentication via GCP service account.
Teams should override the credential secret name in their wrapper workflow.

Contributor

📐 Maintainability & Code Quality | 🟡 Minor | ⚡ Quick win

Correct the credential override guidance.

Line 34 says wrapper workflows can override the secret name, but this ref hardcodes credentials.name (Line 28), so that instruction is misleading and can cause onboarding failures.

Suggested doc fix
- Teams should override the credential secret name in their wrapper workflow.
+ Teams onboarding this workflow should create team-specific ref YAMLs (or use a shared credential name), because the credential secret name is defined in the ref.
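Review bot: the "+" line still does not say that a wrapper workflow cannot change the secret, or which field to edit; name credentials.name in the ref explicitly so readers know what a team-specific ref has to change. The parenthetical "(or use a shared credential name)" also needs defining: if it means several teams reading one secret, the jira-pat and private-key entries in that secret would be shared across teams, so the text should say whether that is intended.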

claude plugin install clones via SSH as a different user, so
ssh-keyscan for the script user doesn't help. Use git insteadOf
to rewrite git@github.com: URLs to HTTPS globally.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

@bryan-cox

Member Author

/pj-rehearse periodic-ci-openshift-hypershift-main-periodic-jira-agent

@openshift-merge-bot

Contributor

@bryan-cox: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

The YAML | block scalar for JIRA_AGENT_EXTRA_PLUGIN_COMMANDS adds a
trailing newline. The piped while loop ran in a subshell, and when
[ -n "" ] && eval "$cmd" evaluated to exit 1 on the empty trailing
line, pipefail propagated the non-zero status and set -e killed the
script immediately after plugin installation with no output.

Fix:
- Use heredoc (<<<) instead of pipe to avoid subshell
- Use if/fi instead of && so empty lines don't produce exit 1
- Remove redundant ssh-keyscan (insteadOf config alone suffices)

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
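The failure mode described in the commit message above, reproduced as an added example (not the PR's script). SAMPLE_COMMANDS is a constructed stand-in for JIRA_AGENT_EXTRA_PLUGIN_COMMANDS, run_piped and run_fixed are hypothetical names, and each variant runs in a child bash so that `set -e` behaves as it would at the top level of a step script.

```shell
#!/usr/bin/env bash
# Added example: names below are hypothetical, not taken from the PR's script.

# Constructed sample of what a YAML `|` block scalar delivers: one command per
# line plus a trailing newline. The commands are harmless placeholders.
SAMPLE_COMMANDS='echo plugin-a
echo plugin-b
'

# Pattern described as broken: pipe into the loop, `&&` guard on empty lines.
# echo appends a newline after the trailing newline already in the value, so
# the loop sees a final empty line. `[ -n "" ]` returns 1, that becomes the
# status of the loop and of the pipeline, and `set -e` ends the script there.
run_piped() {
  CMDS="$1" bash -c '
    set -eo pipefail
    echo "$CMDS" | while IFS= read -r cmd; do
      [ -n "$cmd" ] && eval "$cmd"
    done
    echo "reached-end"
  '
}

# Pattern described as the fix: the here-string keeps the loop in the current
# shell, and if/fi returns 0 when the guard is false.
run_fixed() {
  CMDS="$1" bash -c '
    set -eo pipefail
    while IFS= read -r cmd; do
      if [ -n "$cmd" ]; then
        eval "$cmd"   # eval: acceptable only for trusted job configuration
      fi
    done <<< "$CMDS"
    echo "reached-end"
  '
}

# Stand-alone demonstration: print the output and exit status of each variant.
for variant in run_piped run_fixed; do
  rc=0
  out=$("$variant" "$SAMPLE_COMMANDS") || rc=$?
  printf '%s: status=%s\n%s\n' "$variant" "$rc" "$out"
done
```

Both plugin commands run in the piped variant before it dies, which matches the symptom in the commit message: the script stops right after plugin installation with no error output.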

@bryan-cox

Member Author

/pj-rehearse

@openshift-merge-bot

Contributor

@bryan-cox: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

@bryan-cox

Member Author

/pj-rehearse periodic-ci-openshift-hypershift-main-periodic-jira-agent

@openshift-merge-bot

Contributor

@bryan-cox: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

@openshift-merge-bot

Contributor

[REHEARSALNOTIFIER]
@bryan-cox: the pj-rehearse plugin accommodates running rehearsal tests for the changes in this PR. Expand 'Interacting with pj-rehearse' for usage details. The following rehearsable tests have been affected by this change:

| Test name | Repo | Type | Reason |
|---|---|---|---|
| periodic-ci-openshift-hypershift-main-periodic-jira-agent | N/A | periodic | Registry content changed |

@bryan-cox

Member Author

/pj-rehearse periodic-ci-openshift-hypershift-main-periodic-jira-agent

@openshift-merge-bot

Contributor

@bryan-cox: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

@openshift-ci

openshift-ci Bot commented Jun 23, 2026

Contributor

@bryan-cox: all tests passed!


Labels

approved: Indicates a PR has been approved by an approver from all required OWNERS files.
jira/valid-reference: Indicates that this PR references a valid Jira ticket of any type.
