LCORE-2874: Migrate to RHOAI 3.4 + PyPI - main#2023
Walkthrough
This PR adds a Konflux dependency resolution script, refreshes Konflux configuration and requirement inputs, updates RPM and Tekton build data, adjusts the Containerfile and pyproject settings, and introduces an RPM lock generation script.
Changes
Konflux resolution and build infrastructure update
Estimated code review effort: 4 (Complex) | ~75 minutes
/retest
08928c9 to c7171c2
/retest
f0176e3 to ccc3010
Actionable comments posted: 5
Caution
Some comments are outside the diff and can’t be posted inline due to platform limitations.
⚠️ Outside diff range comments (1)
.tekton/lightspeed-stack-0-6-pull-request.yaml (1)
35-63: 🎯 Functional Correctness | 🟠 Major | ⚡ Quick win
Add `maturin` to the prefetch inputs — `binary.packages` includes `maturin`, but it is missing from all of the referenced hash files, so the hermetic prefetch set is incomplete. If it is no longer needed, remove it from `binary.packages` instead.
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In @.tekton/lightspeed-stack-0-6-pull-request.yaml around lines 35 - 63, The prefetch configuration in the lightspeed stack is incomplete because `maturin` is listed in `prefetch-input` under `binary.packages` but is missing from the referenced requirements hash files. Update the `prefetch-input` entry so `maturin` is either added to the appropriate hash/requirements files used by this stack or removed from `binary.packages` if it is no longer needed, keeping the `prefetch-input` list consistent with the hermetic dependency set.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@scripts/generate-rpm-lock.sh`:
- Around line 5-33: The fallback base image in generate-rpm-lock.sh is still
using the old registry.redhat.io/rhai/base-image-cpu-rhel9:3.4 value, so update
the DEFAULT_BASE_IMAGE constant to the migrated Konflux image used by this PR.
Make sure the logic in the build-args fallback path continues to prefer
BUILDER_BASE_IMAGE from .konflux/build-args-konflux.conf, but when it is
missing, BASE_IMAGE should resolve to the new
quay.io/aipcc/base-images/cpu:3.4.2-1782270165 image instead of the legacy one.
- Around line 108-109: The repo disable step in generate-rpm-lock.sh is
hardcoded to x86_64 and will fail on non-x86_64 containers. Update the
repository handling around the subscription-manager repos call to derive the
repo IDs from the container architecture (or check availability before
disabling) instead of unconditionally disabling rhel-9-for-x86_64-* entries.
Keep the existing echo/logging, but make the disable logic architecture-aware so
the script works for aarch64 as well.
In `@scripts/konflux_resolve.py`:
- Around line 447-471: The package resolution flow in the wheel selection logic
only keeps a version when any target arch matches, which can miss incomplete
wheel sets for other configured architectures. Update the resolution path in the
parser/collector and the version selection in find_best() so all configured
target architectures from profiles.toml must be satisfied before accepting a
release, and ensure the stored package data tracks per-arch wheel availability
consistently across the affected code paths.
- Around line 548-591: The marker handling in _eval_single_marker and the
surrounding marker parser is doing string-based comparisons and defaulting
unparsed expressions to True, which can produce incorrect results. Replace this
logic with a real PEP 508 marker evaluator, or at minimum make _MARKER_CMP_OPS
and _eval_single_marker version-aware for fields like python_version and
platform values. Ensure unsupported or malformed markers are not silently
accepted as True, and keep the existing marker evaluation entry point so the fix
is localized.
- Around line 1274-1283: Step 7 is hardcoding the uv executable instead of
reusing the resolved binary path. Update the pybuild-deps compile call in
uv_resolve() to use uv_resolved, which already handles $UV_BINARY and the
repo-local fallback, so requirements-build.txt generation works on all hosts.
Keep the change localized to the subprocess.run invocation in uv_resolve().
⛔ Files ignored due to path filters (1)
- `uv.lock` is excluded by `!**/*.lock`
📒 Files selected for processing (19)
- .konflux/build-args-konflux.conf
- .konflux/profiles.toml
- .konflux/pypi_wheel_only.txt
- .konflux/requirements-build.txt
- .konflux/requirements.hashes.source.txt
- .konflux/requirements.hashes.wheel.pypi.txt
- .konflux/requirements.hashes.wheel.txt
- .konflux/requirements.hermetic.txt
- .konflux/requirements.overrides.txt
- .konflux/rpms.in.yaml
- .konflux/rpms.lock.yaml
- .tekton/lightspeed-stack-0-6-pull-request.yaml
- .tekton/lightspeed-stack-0-6-push.yaml
- .tekton/lightspeed-stack-pull-request.yaml
- .tekton/lightspeed-stack-push.yaml
- deploy/lightspeed-stack/Containerfile
- pyproject.toml
- scripts/generate-rpm-lock.sh
- scripts/konflux_resolve.py
💤 Files with no reviewable changes (1)
- .konflux/requirements.hermetic.txt
📜 Review details
⏰ Context from checks skipped due to timeout. (2)
- GitHub Check: Konflux kflux-prd-rh02 / lightspeed-stack-on-pull-request
- GitHub Check: Konflux kflux-prd-rh02 / lightspeed-stack-0-6-on-pull-request
⚠️ CI failures not shown inline (4)
GitHub Actions: OpenAPI (Spectral) / 0_spectral.txt: Migrate to RHOAI 3.4 + PyPI - main
Conclusion: failure
##[group]Run set -euo pipefail
set -euo pipefail
uv run python scripts/generate_openapi_schema.py /tmp/openapi-generated.json
if ! diff -u docs/openapi.json /tmp/openapi-generated.json; then
 echo "::error::docs/openapi.json is out of date. Regenerate with: uv run scripts/generate_openapi_schema.py docs/openapi.json"
GitHub Actions: Unit tests / 1_unit_tests (3.12).txt: Migrate to RHOAI 3.4 + PyPI - main
Conclusion: failure
##[group]Run uv run pytest tests/unit --cov=src --cov=runner --cov-report term-missing
GitHub Actions: Unit tests / 0_unit_tests (3.13).txt: Migrate to RHOAI 3.4 + PyPI - main
Conclusion: failure
##[group]Run uv run pytest tests/unit --cov=src --cov=runner --cov-report term-missing
GitHub Actions: PR Title Checker / 0_check.txt: Migrate to RHOAI 3.4 + PyPI - main
Conclusion: failure
##[group]Run thehanimo/pr-title-checker@v1.4.3
with:
GITHUB_***REDACTED***
pass_on_octokit_error: false
configuration_path: .github/pr-title-checker-config.json
##[endgroup]
(node:2162) [DEP0040] DeprecationWarning: The `punycode` module is deprecated. Please use a userland alternative instead.
Using config file .github/pr-title-checker-config.json from repo lightspeed-core/lightspeed-stack [ref: 56ae5fdc6bce2da7499bfeffad1c0c30baf32c8e]
(Use `node --trace-deprecation ...` to show where the warning was created)
(node:2162) [DEP0169] DeprecationWarning: `url.parse()` behavior is not standardized and prone to errors that have security implications. Use the WHATWG URL API instead. CVEs are not issued for `url.parse()` vulnerabilities.
Creating label (title needs formatting)...
Label (title needs formatting) already created.
Adding label (title needs formatting) to PR...
HttpError: Resource not accessible by integration
##[error]Failed to add label (title needs formatting) to PR
🧰 Additional context used
🧠 Learnings (2)
📚 Learning: 2026-05-12T15:14:34.788Z
Learnt from: syedriko
Repo: lightspeed-core/lightspeed-stack PR: 1727
File: scripts/konflux_requirements.sh:9-15
Timestamp: 2026-05-12T15:14:34.788Z
Learning: In this repo, the `.konflux/` directory is committed/tracked and is guaranteed to exist in a fresh clone. Therefore, shell scripts that write output under `.konflux/` (e.g., create files like `.konflux/<...>`) should not waste effort by calling `mkdir -p .konflux` first. Only add directory-creation logic if the script may run in an environment/repo state where `.konflux/` might not be present.
Applied to files:
scripts/generate-rpm-lock.sh
📚 Learning: 2026-06-24T13:45:37.249Z
Learnt from: Jdubrick
Repo: lightspeed-core/lightspeed-stack PR: 1971
File: src/utils/markdown_repair.py:31-36
Timestamp: 2026-06-24T13:45:37.249Z
Learning: In the lightspeed-stack repository, docstrings must use the section header name "Parameters:" (not "Args:") for function arguments, even if the project references Google Python docstring conventions. Ensure docstrings follow the project’s established "Parameters:" header format for any documented function parameters.
Applied to files:
scripts/konflux_resolve.py
🪛 ast-grep (0.44.0)
scripts/konflux_resolve.py
[error] 1040-1040: Use of unsanitized data to create processes
Context: subprocess.run(cmd, capture_output=True, text=True, check=True)
Note: [CWE-78] Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection').
(os-system-unsanitized-data)
[warning] 204-204: File path is request-/variable-derived; validate and normalize to prevent path traversal.
Context: open(pyproject_path, "rb")
Note: [CWE-22] Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal').
(open-filename-from-request)
[warning] 914-914: File path is request-/variable-derived; validate and normalize to prevent path traversal.
Context: open(output_path, "w")
Note: [CWE-22] Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal').
(open-filename-from-request)
[warning] 925-925: File path is request-/variable-derived; validate and normalize to prevent path traversal.
Context: open(yaml_path)
Note: [CWE-22] Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal').
(open-filename-from-request)
[warning] 932-932: File path is request-/variable-derived; validate and normalize to prevent path traversal.
Context: open(yaml_path, "w")
Note: [CWE-22] Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal').
(open-filename-from-request)
[warning] 950-950: File path is request-/variable-derived; validate and normalize to prevent path traversal.
Context: open(profiles_path, "rb")
Note: [CWE-22] Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal').
(open-filename-from-request)
[warning] 972-972: File path is request-/variable-derived; validate and normalize to prevent path traversal.
Context: open(path)
Note: [CWE-22] Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal').
(open-filename-from-request)
[warning] 1151-1151: File path is request-/variable-derived; validate and normalize to prevent path traversal.
Context: open(build_file)
Note: [CWE-22] Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal').
(open-filename-from-request)
[warning] 1166-1166: File path is request-/variable-derived; validate and normalize to prevent path traversal.
Context: open(build_file, "w")
Note: [CWE-22] Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal').
(open-filename-from-request)
[warning] 1269-1269: File path is request-/variable-derived; validate and normalize to prevent path traversal.
Context: open(tmp_sdist_file, "w")
Note: [CWE-22] Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal').
(open-filename-from-request)
[warning] 1293-1293: File path is request-/variable-derived; validate and normalize to prevent path traversal.
Context: open(build_output, "w")
Note: [CWE-22] Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal').
(open-filename-from-request)
[warning] 417-417: Request-controlled URL passed to urlopen; validate against an allowlist to prevent SSRF.
Context: urllib.request.urlopen(url, timeout=30)
Note: [CWE-918] Server-Side Request Forgery (SSRF).
(urlopen-unsanitized-data)
[warning] 609-609: Request-controlled URL passed to urlopen; validate against an allowlist to prevent SSRF.
Context: urllib.request.urlopen(url, timeout=30)
Note: [CWE-918] Server-Side Request Forgery (SSRF).
(urlopen-unsanitized-data)
[error] 1040-1040: Command coming from incoming request
Context: subprocess.run(cmd, capture_output=True, text=True, check=True)
Note: [CWE-78] Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection').
(subprocess-from-request)
[error] 1273-1283: Command coming from incoming request
Context: subprocess.run(
[
"uv",
"run",
"pybuild-deps",
"compile",
f"--output-file={build_output}",
tmp_sdist_file,
],
check=True,
)
Note: [CWE-78] Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection').
(subprocess-from-request)
🔇 Additional comments (11)
pyproject.toml (2)
189-189: LGTM!
241-243: 📐 Maintainability & Code Quality
`[tool.black]` is already wired into the workflow
The repo runs Black via `Makefile` and `.github/workflows/black.yaml`, so this config isn’t dead or duplicate tooling.
> Likely an incorrect or invalid review comment.
.konflux/rpms.lock.yaml (1)
49-55: LGTM!
Also applies to: 91-118, 165-171, 207-234
.konflux/rpms.in.yaml (1)
10-15: 🗄️ Data Integrity & Integration
No change needed for `upgradePackages`
`rpm-lockfile-prototype` supports this input key, and it uses the same list schema as `packages`.
> Likely an incorrect or invalid review comment.
.konflux/pypi_wheel_only.txt (1)
1-5: 🩺 Stability & Availability
Leave `.konflux/pypi_wheel_only.txt` empty. The binary-heavy packages are already landing in `.konflux/requirements.hashes.wheel.txt`, not the PyPI wheel bucket.
.konflux/requirements-build.txt (1)
5-48: LGTM!
.konflux/requirements.hashes.source.txt (1)
2-23: LGTM!
.konflux/requirements.hashes.wheel.pypi.txt (1)
1-2: LGTM!
.konflux/requirements.overrides.txt (1)
2-3: LGTM!
.konflux/requirements.hashes.wheel.txt (1)
1-443: 🎯 Functional Correctness
Drop the `maturin` hash-file concern. `maturin` is handled as a bootstrap/extra wheel (`EXTRA_WHEELS` and `bootstrap_packages`), so it does not need an entry in `.konflux/requirements.hashes.wheel.txt`.
> Likely an incorrect or invalid review comment.
.tekton/lightspeed-stack-0-6-push.yaml (1)
36-64: 🎯 Functional Correctness
`binary.packages` is already aligned with the pull-request pipeline; the only open point is whether `.konflux/requirements.hermetic.txt` is an expected generated artifact for this target.
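The marker-handling comment on `scripts/konflux_resolve.py` in the review above (string-based comparisons, unparsed expressions defaulting to True), shown as an added example that is not code from the PR or from the reviewer. `naive_string_eval`, `evaluate_marker`, `MarkerError`, `rejects` and the `ENV` values are hypothetical names and constructed data; the evaluator covers only a subset of PEP 508 (`and`/`or`, parentheses, the six ordering operators) and raises on everything else.

```python
"""Added example: version-aware, fail-closed evaluation of a PEP 508 marker subset."""
import operator
import re

# Constructed target environment (assumption, not read from the PR's profiles.toml).
ENV = {"python_version": "3.12", "python_full_version": "3.12.3",
       "sys_platform": "linux", "platform_machine": "x86_64"}
VERSION_FIELDS = {"python_version", "python_full_version"}
ORDERING = {"==": operator.eq, "!=": operator.ne, "<": operator.lt,
            "<=": operator.le, ">": operator.gt, ">=": operator.ge}
_TOKEN = re.compile(r"\s*(?:(?P<kw>[()]|(?:and|or)\b)|(?P<op>==|!=|<=|>=|<|>)"
                    r"|'(?P<sq>[^']*)'|\"(?P<dq>[^\"]*)\"|(?P<var>[A-Za-z_][\w.]*))")


class MarkerError(ValueError):
    """A marker this evaluator cannot interpret; it is never treated as True."""


def naive_string_eval(marker, env=ENV):
    """The failure mode under review: lexical comparison, True when unparsed."""
    m = re.fullmatch(r"\s*(\w+)\s*(==|!=|<=|>=|<|>)\s*['\"]([^'\"]*)['\"]\s*", marker)
    if not m or m.group(1) not in env:
        return True  # malformed or unsupported markers are silently accepted
    return ORDERING[m.group(2)](env[m.group(1)], m.group(3))  # compares as text


def _tokens(marker):
    pos, out, text = 0, [], marker.strip()
    while pos < len(text):
        m = _TOKEN.match(text, pos)
        if not m:
            raise MarkerError(f"unparseable text at {text[pos:]!r}")
        out.append((m.lastgroup, m.group(m.lastgroup)))
        pos = m.end()
    return out


def _compare(lhs, op, rhs, as_version):
    if as_version:
        if not all(re.fullmatch(r"\d+(\.\d+)*", v) for v in (lhs, rhs)):
            raise MarkerError(f"cannot compare versions: {lhs!r} {op} {rhs!r}")
        a, b = (tuple(map(int, v.split("."))) for v in (lhs, rhs))
        width = max(len(a), len(b))  # zero-pad so "3.12" equals "3.12.0"
        return ORDERING[op](a + (0,) * (width - len(a)), b + (0,) * (width - len(b)))
    if op in ("==", "!="):
        return ORDERING[op](lhs, rhs)
    raise MarkerError(f"operator {op!r} unsupported for string fields")


def evaluate_marker(marker, env=ENV):
    """Evaluate comparisons joined by and/or/parentheses; raise MarkerError otherwise."""
    toks, pos = _tokens(marker), 0

    def peek():
        return toks[pos] if pos < len(toks) else (None, None)

    def take(*kinds):
        nonlocal pos
        kind, value = peek()
        if kind not in kinds:
            raise MarkerError(f"expected {' or '.join(kinds)}, got {value!r}")
        pos += 1
        return kind, value

    def operand():
        kind, value = take("var", "sq", "dq")
        if kind == "var" and value not in env:
            raise MarkerError(f"unknown variable {value!r}")
        return (env[value], value in VERSION_FIELDS) if kind == "var" else (value, False)

    def atom():
        if peek() == ("kw", "("):
            take("kw")
            result = chain("or", lambda: chain("and", atom))
            if take("kw") != ("kw", ")"):
                raise MarkerError("unbalanced parentheses")
            return result
        (lhs, lver), (_, op), (rhs, rver) = operand(), take("op"), operand()
        return _compare(lhs, op, rhs, lver or rver)

    def chain(word, item):
        result = item()
        while peek() == ("kw", word):
            take("kw")
            rhs = item()  # always parse the right side so errors surface
            result = (result and rhs) if word == "and" else (result or rhs)
        return result

    result = chain("or", lambda: chain("and", atom))
    if pos != len(toks):
        raise MarkerError(f"unexpected token {toks[pos][1]!r}")
    return result


def rejects(marker, env=ENV):
    """True when the marker is refused instead of being accepted by default."""
    try:
        evaluate_marker(marker, env)
    except MarkerError:
        return True
    return False
```

In a resolver, a `MarkerError` is a reason to stop and report the requirement, since both including and dropping the dependency silently change what gets prefetched.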
ccc3010 to b1286b5
Actionable comments posted: 4
Caution
Some comments are outside the diff and can’t be posted inline due to platform limitations.
⚠️ Outside diff range comments (1)
.tekton/lightspeed-stack-pull-request.yaml (1)
36-40: 🗄️ Data Integrity & Integration | 🟠 Major | ⚡ Quick win
Keep `uv` and `pip` in `binary.packages`
The resolver still shells out to `uv pip compile`, and `scripts/konflux_requirements.sh` still adds `uv,pip,maturin` to the wheel allowlist. Dropping them here will break the hermetic prefetch path; apply the same fix to the matching Tekton manifests too.
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In @.tekton/lightspeed-stack-pull-request.yaml around lines 36 - 40, Keep uv and pip listed in binary.packages because the resolver still invokes uv pip compile and scripts/konflux_requirements.sh depends on uv,pip,maturin for the wheel allowlist. Restore these packages in the Tekton manifest and make the same update in the matching Tekton manifests so hermetic prefetch continues to work.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@scripts/generate-rpm-lock.sh`:
- Line 9: The CONTAINER_IMAGE value is unpinned and currently resolves to
latest, so update the generate-rpm-lock.sh script to use a specific immutable
tag for the container image instead of registry.access.redhat.com/ubi9/ubi. Keep
the change centered on the CONTAINER_IMAGE assignment so the script runs against
the same UBI base image across executions.
- Around line 122-124: The rpm-lockfile-prototype install in the
generate-rpm-lock.sh flow is pulling a GitHub tarball without integrity
verification; update the installation step to use a pinned, verifiable source in
the script’s pip install command. Add hash/checksum pinning or an equivalent
integrity check around the rpm-lockfile-prototype version reference so the
download is validated before use, keeping the change localized to the install
block that echoes “Installing rpm-lockfile-prototype...”.
- Around line 136-145: The entitlement certificate lookup in
generate-rpm-lock.sh can leave DNF_VAR_SSL_CLIENT_KEY and
DNF_VAR_SSL_CLIENT_CERT empty, so add an explicit check in the bash -c block
before calling rpm-lockfile-prototype. Use the existing find-based lookup and,
if no key file is found, fail fast with a clear error message about missing
entitlement certs instead of proceeding; keep the validation close to the
DNF_VAR_SSL_CLIENT_KEY/DNF_VAR_SSL_CLIENT_CERT setup so the failure is easy to
locate.
In `@scripts/konflux_resolve.py`:
- Around line 1070-1114: The legacy resolver path is now dead code:
reclassify_with_rhoai, Resolver, and parse_direct_deps are no longer referenced
because main() performs classification inline. Remove these unused definitions
and any related wiring from the script, keeping the current inline
classification flow intact and updating any nearby imports or helpers that
become unused.
📜 Review details
⏰ Context from checks skipped due to timeout. (12)
- GitHub Check: build-pr
- GitHub Check: integration_tests (3.13)
- GitHub Check: integration_tests (3.12)
- GitHub Check: E2E Tests for Lightspeed Evaluation job
- GitHub Check: E2E: library mode / ci / group 3
- GitHub Check: E2E: library mode / ci / group 1
- GitHub Check: E2E: server mode / ci / group 3
- GitHub Check: E2E: library mode / ci / group 2
- GitHub Check: E2E: server mode / ci / group 1
- GitHub Check: E2E: server mode / ci / group 2
- GitHub Check: Konflux kflux-prd-rh02 / lightspeed-stack-0-6-on-pull-request
- GitHub Check: Konflux kflux-prd-rh02 / lightspeed-stack-on-pull-request
⚠️ CI failures not shown inline (4)
GitHub Actions: OpenAPI (Spectral) / 0_spectral.txt: LCORE-2874: Migrate to RHOAI 3.4 + PyPI - main
Conclusion: failure
##[group]Run set -euo pipefail
set -euo pipefail
uv run python scripts/generate_openapi_schema.py /tmp/openapi-generated.json
if ! diff -u docs/openapi.json /tmp/openapi-generated.json; then
 echo "::error::docs/openapi.json is out of date. Regenerate with: uv run scripts/generate_openapi_schema.py docs/openapi.json"
GitHub Actions: OpenAPI (Spectral) / spectral: LCORE-2874: Migrate to RHOAI 3.4 + PyPI - main
Conclusion: failure
GitHub Actions: Unit tests / 0_unit_tests (3.12).txt: LCORE-2874: Migrate to RHOAI 3.4 + PyPI - main
Conclusion: failure
##[group]Run uv run pytest tests/unit --cov=src --cov=runner --cov-report term-missing
GitHub Actions: Unit tests / unit_tests (3.12): LCORE-2874: Migrate to RHOAI 3.4 + PyPI - main
Conclusion: failure
##[group]Run uv run pytest tests/unit --cov=src --cov=runner --cov-report term-missing
🧰 Additional context used
🧠 Learnings (2)
📚 Learning: 2026-05-12T15:14:34.788Z
Learnt from: syedriko
Repo: lightspeed-core/lightspeed-stack PR: 1727
File: scripts/konflux_requirements.sh:9-15
Timestamp: 2026-05-12T15:14:34.788Z
Learning: In this repo, the `.konflux/` directory is committed/tracked and is guaranteed to exist in a fresh clone. Therefore, shell scripts that write output under `.konflux/` (e.g., create files like `.konflux/<...>`) should not waste effort by calling `mkdir -p .konflux` first. Only add directory-creation logic if the script may run in an environment/repo state where `.konflux/` might not be present.
Applied to files:
scripts/generate-rpm-lock.sh
📚 Learning: 2026-06-24T13:45:37.249Z
Learnt from: Jdubrick
Repo: lightspeed-core/lightspeed-stack PR: 1971
File: src/utils/markdown_repair.py:31-36
Timestamp: 2026-06-24T13:45:37.249Z
Learning: In the lightspeed-stack repository, docstrings must use the section header name "Parameters:" (not "Args:") for function arguments, even if the project references Google Python docstring conventions. Ensure docstrings follow the project’s established "Parameters:" header format for any documented function parameters.
Applied to files:
scripts/konflux_resolve.py
🪛 ast-grep (0.44.0)
scripts/konflux_resolve.py
[warning] 204-204: File path is request-/variable-derived; validate and normalize to prevent path traversal.
Context: open(pyproject_path, "rb")
Note: [CWE-22] Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal').
(open-filename-from-request)
[warning] 914-914: File path is request-/variable-derived; validate and normalize to prevent path traversal.
Context: open(output_path, "w")
Note: [CWE-22] Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal').
(open-filename-from-request)
[warning] 925-925: File path is request-/variable-derived; validate and normalize to prevent path traversal.
Context: open(yaml_path)
Note: [CWE-22] Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal').
(open-filename-from-request)
[warning] 932-932: File path is request-/variable-derived; validate and normalize to prevent path traversal.
Context: open(yaml_path, "w")
Note: [CWE-22] Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal').
(open-filename-from-request)
[warning] 950-950: File path is request-/variable-derived; validate and normalize to prevent path traversal.
Context: open(profiles_path, "rb")
Note: [CWE-22] Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal').
(open-filename-from-request)
[warning] 972-972: File path is request-/variable-derived; validate and normalize to prevent path traversal.
Context: open(path)
Note: [CWE-22] Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal').
(open-filename-from-request)
[warning] 1151-1151: File path is request-/variable-derived; validate and normalize to prevent path traversal.
Context: open(build_file)
Note: [CWE-22] Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal').
(open-filename-from-request)
[warning] 1166-1166: File path is request-/variable-derived; validate and normalize to prevent path traversal.
Context: open(build_file, "w")
Note: [CWE-22] Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal').
(open-filename-from-request)
[warning] 1269-1269: File path is request-/variable-derived; validate and normalize to prevent path traversal.
Context: open(tmp_sdist_file, "w")
Note: [CWE-22] Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal').
(open-filename-from-request)
[warning] 1293-1293: File path is request-/variable-derived; validate and normalize to prevent path traversal.
Context: open(build_output, "w")
Note: [CWE-22] Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal').
(open-filename-from-request)
[error] 1040-1040: Command coming from incoming request
Context: subprocess.run(cmd, capture_output=True, text=True, check=True)
Note: [CWE-78] Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection').
(subprocess-from-request)
[error] 1273-1283: Command coming from incoming request
Context: subprocess.run(
    [
        "uv",
        "run",
        "pybuild-deps",
        "compile",
        f"--output-file={build_output}",
        tmp_sdist_file,
    ],
    check=True,
)
Note: [CWE-78] Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection').
(subprocess-from-request)
[warning] 417-417: Request-controlled URL passed to urlopen; validate against an allowlist to prevent SSRF.
Context: urllib.request.urlopen(url, timeout=30)
Note: [CWE-918] Server-Side Request Forgery (SSRF).
(urlopen-unsanitized-data)
[warning] 609-609: Request-controlled URL passed to urlopen; validate against an allowlist to prevent SSRF.
Context: urllib.request.urlopen(url, timeout=30)
Note: [CWE-918] Server-Side Request Forgery (SSRF).
(urlopen-unsanitized-data)
[error] 1040-1040: Use of unsanitized data to create processes
Context: subprocess.run(cmd, capture_output=True, text=True, check=True)
Note: [CWE-78] Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection').
(os-system-unsanitized-data)
🔇 Additional comments (21)
.tekton/lightspeed-stack-push.yaml (1)
51-58: Same uv/pip allowlist concern flagged in .tekton/lightspeed-stack-pull-request.yaml (lines 36-40, 55-62) applies here since the package list is identical.
.tekton/lightspeed-stack-0-6-pull-request.yaml (1)
50-57: LGTM!
.tekton/lightspeed-stack-0-6-push.yaml (1)
51-58: LGTM!
scripts/generate-rpm-lock.sh (2)
5-5: 🗄️ Data Integrity & Integration
Fallback base image still stale.
DEFAULT_BASE_IMAGE still points at the old registry.redhat.io/rhai/base-image-cpu-rhel9:3.4, not the migrated quay.io/aipcc/base-images/cpu:3.4.2-1782270165. If .konflux/build-args-konflux.conf is missing/misses BUILDER_BASE_IMAGE, this generates the lockfile against the wrong image. Already flagged in a previous review on an earlier commit; still unresolved.
108-109: 🩺 Stability & Availability
Hardcoded x86_64 repo disable will fail on aarch64.
Under set -e, disabling rhel-9-for-x86_64-* repos unconditionally will error out on an aarch64 host, even though the lockfile now carries aarch64 entries too. Already flagged in a previous review on an earlier commit; still unresolved.
.konflux/rpms.in.yaml (1)
10-15: LGTM!
.konflux/rpms.lock.yaml (1)
49-55: LGTM!
Also applies to: 91-118, 165-171, 207-234
scripts/konflux_resolve.py (3)
534-591: Marker operands are compared as strings and unparsed expressions default to True, so version markers like python_version < "3.9" misfire (lexical compare) and unsupported markers pass silently. This was raised previously.
489-506: find_best/_ensure_loaded accept a RHOAI version when any configured arch has a compatible wheel, while uv pip compile is pinned to x86_64-manylinux_2_28, so aarch64 wheel gaps can slip through. Previously flagged.
1274-1283: Step 7 hardcodes "uv" instead of reusing the resolved binary ($UV_BINARY/repo-local fallback) used in uv_resolve(). Previously flagged.
.konflux/profiles.toml (1)
1-14: LGTM!
.konflux/pypi_wheel_only.txt (1)
1-6: LGTM!
.konflux/requirements.hashes.source.txt (1)
2-23: LGTM!
.konflux/requirements.hashes.wheel.pypi.txt (1)
1-1: LGTM!
.konflux/requirements.overrides.txt (1)
2-3: LGTM!
.konflux/requirements-build.txt (1)
5-48: 🩺 Stability & Availability
No issue: the active Konflux resolver already generates requirements-build.txt from a sorted sdist list, and the _tmp_sdist_list.txt reference is just a stale comment.
> Likely an incorrect or invalid review comment.
.konflux/build-args-konflux.conf (1)
1-4: 🩺 Stability & Availability
Check the new base image tag
quay.io/aipcc/base-images/cpu:3.4.2-1782270165 must be published for both target architectures and include dnf; otherwise the Konflux build can fail before dependency resolution.
.konflux/requirements.hashes.wheel.txt (1)
1-443: 🩺 Stability & Availability
Shared wheel lock already covers both architectures.
requirements.hashes.wheel.txt is generated from the combined x86_64/aarch64 profile and is consumed by both Konflux pipelines, so there isn’t a separate per-arch hash set to regenerate.
> Likely an incorrect or invalid review comment.
deploy/lightspeed-stack/Containerfile (2)
27-28: LGTM!
Also applies to: 103-105, 121-122, 146-146
70-77: 🎯 Functional Correctness
Document the wheel-pruning heuristic or replace it with real wheel parsing. The regex only matches build-tagged/numeric-version wheels here (10 of 1481 wheel filenames in uv.lock), so the common dotted-version wheels are left untouched. If that narrow shape is intentional for cachi2 output, add an inline note with an example; otherwise move this into a small helper and parse filenames with packaging.utils.parse_wheel_filename.
pyproject.toml (1)
189-189: LGTM! Verified 2.10.0 was released 01/21/2026, and Black's --target-version option accepts py312 as a valid choice, consistent with the Python 3.12 base image bump.
Also applies to: 241-243
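The marker finding on scripts/konflux_resolve.py (534-591) in the review above, reproduced as an added example that is not code from this PR or from the review: a string comparison of python_version and a fail-open default, beside a numeric comparison that rejects markers it cannot parse. The function names, the regex and the environment value are assumptions made for illustration.

```python
import operator
import re

# Simplified stand-in for a marker evaluator; not the code in scripts/konflux_resolve.py.
_CLAUSE = re.compile(
    r'^\s*(python_version|python_full_version)\s*(<=|>=|==|!=|<|>)\s*'
    r'["\'](\d+(?:\.\d+)*)["\']\s*$'
)
_OPS = {
    "<": operator.lt, "<=": operator.le, ">": operator.gt,
    ">=": operator.ge, "==": operator.eq, "!=": operator.ne,
}


def _key(version, width=4):
    """Turn '3.12' into (3, 12, 0, 0) so that 3.12 sorts after 3.9."""
    parts = [int(p) for p in version.split(".")]
    return tuple(parts + [0] * (width - len(parts)))


def eval_lexical(marker, env):
    """Behaviour the review describes: string compare, unparsed markers pass."""
    match = _CLAUSE.match(marker)
    if not match:
        return True  # fail open: an unsupported marker silently applies
    name, op, rhs = match.groups()
    return _OPS[op](env[name], rhs)


def eval_numeric(marker, env):
    """Compare release segments as integers and reject what cannot be parsed."""
    match = _CLAUSE.match(marker)
    if not match:
        raise ValueError(f"unsupported marker: {marker!r}")
    name, op, rhs = match.groups()
    return _OPS[op](_key(env[name]), _key(rhs))


ENV = {"python_version": "3.12"}  # constructed target environment

if __name__ == "__main__":
    for marker in ('python_version < "3.9"', 'python_version >= "3.9"'):
        print(marker, eval_lexical(marker, ENV), eval_numeric(marker, ENV))
```

For full PEP 508 markers (and/or, extras, platform fields), packaging.markers.Marker evaluates against an environment dictionary and raises on invalid input.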
Description
Migrate to RHOAI 3.4 + PyPI on the main branch:
Type of change
Tools used to create PR
Identify any AI code assistants used in this PR (for transparency and review context)
Related Tickets & Documents
Checklist before requesting a review
Testing
Summary by CodeRabbit
New Features
Bug Fixes