Utilize clonerefs sparse checkout

[Prucek]

Summary

• Re-implement sparse checkout for prow jobs that only need Dockerfiles (image builds)
• Compute minimal file list from ci-operator config: .ci-operator.yaml + Dockerfile paths
• Fix three bugs that caused the original implementation to be reverted in Revert "prowgen: utilize sparse checkout" #5145:
  • Rehearsal: DecorationConfig.SparseCheckoutFiles leaked to the release repo primary ref, causing "unrelated histories" errors
  • Source build: sparse checkout left repos without source code, breaking binary_build_commands
  • Periodic jobs: SparseCheckoutFiles was not propagated from DecorationConfig to extra_refs[0]

Context

The original sparse checkout feature (353a4a0) was reverted in #5145 due to multiple bugs.
Upstream prow PR kubernetes-sigs/prow#639 added SparseCheckoutFiles support
on Refs, which is consumed by clonerefs to limit the working tree.

How it works

• sparseCheckoutFiles() computes the file list from ReleaseBuildConfiguration:
  • .ci-operator.yaml if from_repository is set
  • All dockerfile_path entries (respecting context_dir, skipping dockerfile_literal and external ref)
• Jobs with images get DecorationConfig.SparseCheckoutFiles instead of skip_cloning: true
• Jobs without images still get skip_cloning: true (no change)
• The src image build (pkg/steps/source.go) always clears sparse checkout to get a full clone
• Rehearsal jobs clear sparse checkout from DecorationConfig when the primary ref differs from the target repo
• Periodic jobs propagate sparse checkout from DecorationConfig to extra_refs[0]

Other job types verified safe

• Multi-PR payload jobs (prpqr_reconciler): ExtraRefs are replaced with fresh refs; PeriodicSpec() doesn't call CompletePrimaryRefs
• Multi-PR presubmits (multi-pr-prow-plugin): ExtraRefs are rebuilt; CompletePrimaryRefs only applies to the primary ref
• Promotion postsubmits: sparse checkout applies to the correct repo; src build fix handles full clone
• Aggregator/ephemeral: ExtraRefs explicitly cleared or handcrafted

Testing

• Handcrafted presubmit prowjob with sparse checkout on addon-operator: pull-ci-openshift-addon-operator-main-images
• Handcrafted periodic prowjob with sparse checkout on hypershift: periodic-ci-openshift-hypershift-main-dependabot-triage
• Rehearsal testing with pj-rehearse-plugin-alpha: Test sparse checkout with alpha pj-rehearse Prucek/release#7
  • rehearse-7-pull-ci-openshift-addon-operator-main-images
  • rehearse-7-pull-ci-openshift-addon-operator-main-lint
  • rehearse-7-pull-ci-openshift-addon-operator-main-precommit-check

🤖 Generated with Claude Code

[openshift-merge-bot]

Pipeline controller notification
This repo is configured to use the pipeline controller. Second-stage tests will be triggered either automatically or after lgtm label is added, depending on the repository configuration. The pipeline controller will automatically detect which contexts are required and will utilize /test Prow commands to trigger the second stage.

For optional jobs, comment /test ? to see a list of all defined jobs. To trigger manually all jobs from second stage use /pipeline required command.

This repository is configured in: automatic mode

[coderabbitai]

📝 Walkthrough

Walkthrough

This PR refactors cloning behavior from a skip-cloning approach to a repository-aware sparse-checkout strategy. Production code now determines which files to sparse-checkout based on repository and image configuration, with updated fixture files reflecting the new YAML output format.

Changes

Sparse Checkout Migration

Layer / File(s)	Summary
Core Logic & Helpers pkg/prowgen/jobbase.go	New fromRepositorySet() and sparseCheckoutFiles() helpers determine sparse checkout requirements. skipCloning() function removed. DecorationConfig initialized as non-nil empty struct. Clone decisions now set SkipCloning or SparseCheckoutFiles conditionally based on computed sparse files. GitHub token provisioning updated to align with new decision flow.
Propagation to Periodic Jobs pkg/prowgen/prowgen.go	GeneratePeriodicForTest() now propagates SparseCheckoutFiles from base job's DecorationConfig into extra refs (ref) attached to periodic jobs.
Rehearsal Job Cleanup pkg/rehearse/jobs.go	makeRehearsalPresubmit() clears SparseCheckoutFiles from DecorationConfig when present, preventing sparse checkout in rehearsal runs.
Source Build Cleanup pkg/steps/source.go	Loop added in CreateBuild() to clear SparseCheckoutFiles from all collected refs before constructing cloneref workflow, removing residual sparse-checkout configuration.
Test Fixtures cmd/ci-operator-prowgen/testdata/*, pkg/prowgen/testdata/*	16 fixture YAML files updated to replace skip_cloning: true with sparse_checkout_files entries containing Dockerfile or .ci-operator.yaml, reflecting expected output of new sparse checkout logic.

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~50 minutes

---

Important

Pre-merge checks failed

Please resolve all errors before merging. Addressing warnings is optional.

❌ Failed checks (2 warnings, 1 inconclusive)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 14.29% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.
Test Coverage For New Features	⚠️ Warning	New functions sparseCheckoutFiles() and fromRepositorySet() lack explicit unit tests. Source.go sparse checkout clearing lacks regression test coverage.	Add unit tests for sparseCheckoutFiles() and fromRepositorySet() with table-driven cases. Add regression test for sparse checkout clearing in source builds. Expand periodic test to verify sparse checkout propagation.
Ote Binary Stdout Contract	❓ Inconclusive	No result was produced after verification. Marking as INCONCLUSIVE.	Re-run the check or adjust instructions to produce a final result.

✅ Passed checks (11 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title 'Utilize clonerefs sparse checkout' clearly and directly summarizes the main technical change: implementing sparse checkout functionality for Prow jobs.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Go Error Handling	✅ Passed	PR follows proper Go error handling: errors wrapped with fmt.Errorf %w, ignored errors have justification, nil checks precede dereferences, panic calls pre-existed. No new violations.
Stable And Deterministic Test Names	✅ Passed	Custom check is not applicable. Repository uses Go testing.T, not Ginkgo. No Ginkgo test code found. PR modifies source and fixture files only.
Test Structure And Quality	✅ Passed	PR contains no Ginkgo tests. All test files use standard Go testing.T with table-driven patterns. The custom check for Ginkgo test structure and quality is not applicable to this codebase.
Microshift Test Compatibility	✅ Passed	This PR does not add any new Ginkgo e2e tests. It modifies job generation source code and updates YAML test fixtures. The MicroShift Test Compatibility check only applies when new e2e tests are added.
Single Node Openshift (Sno) Test Compatibility	✅ Passed	This PR does not add any Ginkgo e2e tests. Changes are limited to CI job generation logic and test fixtures. The SNO compatibility check is not applicable.
Topology-Aware Scheduling Compatibility	✅ Passed	PR modifies Prow job configuration generation tooling, not cluster deployment manifests or operators. No scheduling constraints or topology assumptions are introduced.
Ipv6 And Disconnected Network Test Compatibility	✅ Passed	PR does not add Ginkgo e2e tests. Changes are limited to Prow job generation logic and YAML test fixtures, which are outside the scope of this IPv6/disconnected network compatibility check.
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: Prucek

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS [Prucek]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[Prucek]

/label tide/merge-method-squash

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (1)

pkg/prowgen/jobbase.go (1)

95-104: Verify the openshift/release consumer before merging.

This changes prowgen output from skip_cloning to sparse_checkout_files. The linked openshift/release findings still show validation/generation code paths keyed on skip_cloning, so please run make jobs and the release-side validators there to make sure this schema change does not break the downstream repo.

As per coding guidelines, "pkg/prowgen/**: Changes here require running make jobs in the openshift/release repo to verify no unexpected diffs appear".

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@pkg/prowgen/jobbase.go` around lines 95 - 104, This change replaces setting
DecorationConfig.SkipCloning with DecorationConfig.SparseCheckoutFiles; before
merging, run the downstream verification: pull the openshift/release repo, run
make jobs and the release-side validators to ensure no unexpected diffs or
validation errors; if failures occur, either preserve backward compatibility by
still setting b.base.UtilityConfig.DecorationConfig.SkipCloning when
sparseCheckoutFiles is empty (in the same block that calls sparseCheckoutFiles)
or update the release-side generation/validation to accept SparseCheckoutFiles
instead of SkipCloning (check the places that consume SkipCloning in release
validators and job generation).

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In
`@cmd/ci-operator-prowgen/testdata/zz_fixture_presubmit_TestFromCIOperatorConfigToProwYaml_Input_is_YAML_and_it_is_correctly_processed.yaml`:
- Around line 66-67: The fixture sets image-style sparse checkout for a
non-image unit presubmit: remove or change the sparse_checkout_files entry that
lists "Dockerfile" for the job with "--target=unit" so the unit presubmit is not
limited to image files; specifically locate the YAML block that contains
sparse_checkout_files and the job metadata referencing "--target=unit" and
either delete the sparse_checkout_files key or replace it with a general
checkout (or an appropriate non-image file list) so the fixture matches the
"image-build jobs only" intent.

---

Nitpick comments:
In `@pkg/prowgen/jobbase.go`:
- Around line 95-104: This change replaces setting DecorationConfig.SkipCloning
with DecorationConfig.SparseCheckoutFiles; before merging, run the downstream
verification: pull the openshift/release repo, run make jobs and the
release-side validators to ensure no unexpected diffs or validation errors; if
failures occur, either preserve backward compatibility by still setting
b.base.UtilityConfig.DecorationConfig.SkipCloning when sparseCheckoutFiles is
empty (in the same block that calls sparseCheckoutFiles) or update the
release-side generation/validation to accept SparseCheckoutFiles instead of
SkipCloning (check the places that consume SkipCloning in release validators and
job generation).

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 78c043d6-fdce-416d-a3dc-28ccfbb28c15

📥 Commits

Reviewing files that changed from the base of the PR and between 4bc1753 and 58a15fb.

📒 Files selected for processing (17)

• cmd/ci-operator-prowgen/testdata/zz_fixture_postsubmit_TestFromCIOperatorConfigToProwYaml_Custom_test_timeout.yaml
• cmd/ci-operator-prowgen/testdata/zz_fixture_postsubmit_TestFromCIOperatorConfigToProwYaml_Input_is_YAML_and_it_is_correctly_processed.yaml
• cmd/ci-operator-prowgen/testdata/zz_fixture_postsubmit_TestFromCIOperatorConfigToProwYaml_Using_a_variant_config__one_test_and_images__one_existing_job._Expect_one_presubmit__pre_post_submit_images_jobs._Existing_job_should_not_be_changed..yaml
• cmd/ci-operator-prowgen/testdata/zz_fixture_postsubmit_TestFromCIOperatorConfigToProwYaml_one_test_and_images__no_previous_jobs._Expect_test_presubmit__pre_post_submit_images_jobs.yaml
• cmd/ci-operator-prowgen/testdata/zz_fixture_presubmit_TestFromCIOperatorConfigToProwYaml_Custom_test_timeout.yaml
• cmd/ci-operator-prowgen/testdata/zz_fixture_presubmit_TestFromCIOperatorConfigToProwYaml_Input_is_YAML_and_it_is_correctly_processed.yaml
• cmd/ci-operator-prowgen/testdata/zz_fixture_presubmit_TestFromCIOperatorConfigToProwYaml_Using_a_variant_config__one_test_and_images__one_existing_job._Expect_one_presubmit__pre_post_submit_images_jobs._Existing_job_should_not_be_changed..yaml
• cmd/ci-operator-prowgen/testdata/zz_fixture_presubmit_TestFromCIOperatorConfigToProwYaml_one_test_and_images__no_previous_jobs._Expect_test_presubmit__pre_post_submit_images_jobs.yaml
• pkg/prowgen/jobbase.go
• pkg/prowgen/prowgen.go
• pkg/prowgen/testdata/zz_fixture_TestGenerateJobs_Promotion_configuration_causes_promote_job_with_unique_targets.yaml
• pkg/prowgen/testdata/zz_fixture_TestGenerateJobs_promotion_postsubmit_and_periodic_.yaml
• pkg/prowgen/testdata/zz_fixture_TestNewProwJobBaseBuilderForTest_simple_container_based_test_with_timeout_and_no_decoration.yaml
• pkg/prowgen/testdata/zz_fixture_TestProwJobBaseBuilder_job_with_image_builds_in_of_openshift_release_main__does_not_have_no_builds__label.yaml
• pkg/prowgen/testdata/zz_fixture_TestProwJobBaseBuilder_private_job_with_cloning__including_podspec.yaml
• pkg/rehearse/jobs.go
• pkg/steps/source.go

🚧 Files skipped from review as they are similar to previous changes (3)

• pkg/prowgen/prowgen.go
• pkg/prowgen/testdata/zz_fixture_TestGenerateJobs_Promotion_configuration_causes_promote_job_with_unique_targets.yaml
• cmd/ci-operator-prowgen/testdata/zz_fixture_presubmit_TestFromCIOperatorConfigToProwYaml_Custom_test_timeout.yaml

[coderabbitai]

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Non-image unit presubmit should not be sparse-checked out to only Dockerfile.

At Line 66-Line 67, this fixture sets image-style sparse checkout on a --target=unit job, which conflicts with the PR objective (“image-build jobs only”) and can encode incorrect expected output.

Proposed fixture correction

     decoration_config:
-      sparse_checkout_files:
-      - Dockerfile
+      skip_cloning: true

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	sparse_checkout_files:
	- Dockerfile
	skip_cloning: true

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In
`@cmd/ci-operator-prowgen/testdata/zz_fixture_presubmit_TestFromCIOperatorConfigToProwYaml_Input_is_YAML_and_it_is_correctly_processed.yaml`
around lines 66 - 67, The fixture sets image-style sparse checkout for a
non-image unit presubmit: remove or change the sparse_checkout_files entry that
lists "Dockerfile" for the job with "--target=unit" so the unit presubmit is not
limited to image files; specifically locate the YAML block that contains
sparse_checkout_files and the job metadata referencing "--target=unit" and
either delete the sparse_checkout_files key or replace it with a general
checkout (or an appropriate non-image file list) so the fixture matches the
"image-build jobs only" intent.

[Prucek]

/test e2e
/hold

[openshift-ci]

@Prucek: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/checkconfig	58a15fb	link	true	/test checkconfig
ci/prow/integration	58a15fb	link	true	/test integration
ci/prow/breaking-changes	58a15fb	link	false	/test breaking-changes

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.