
LCORE-2874: Migrate to RHOAI 3.4 + PyPI - main#2023

Open
syedriko wants to merge 1 commit into
lightspeed-core:mainfrom
syedriko:syedriko-rhoai-3.4-main
Open

Conversation

@syedriko

@syedriko syedriko commented Jun 29, 2026

Contributor

Description

Migrate to RHOAI 3.4 + PyPI on the main branch:

Type of change

  • Refactor
  • New feature
  • Bug fix
  • CVE fix
  • Optimization
  • Documentation Update
  • Configuration Update
  • Bump-up service version
  • Bump-up dependent library
  • Bump-up library or tool used for development (does not change the final image)
  • CI configuration change
  • Konflux configuration change
  • Unit tests improvement
  • Integration tests improvement
  • End to end tests improvement
  • Benchmarks improvement

Tools used to create PR

Identify any AI code assistants used in this PR (for transparency and review context)

  • Assisted-by: Cursor
  • Generated by: (e.g., tool name and version; N/A if not used)

Related Tickets & Documents

Checklist before requesting a review

  • I have performed a self-review of my code.
  • PR has passed all pre-merge test jobs.
  • If it is a core feature, I have added thorough tests.

Testing

  • Please provide detailed steps to perform tests related to this code change.
  • How were the fix/results from this change verified? Please provide relevant screenshots or results.

Summary by CodeRabbit

  • New Features

    • Added improved build and dependency generation support for the current Python/container stack.
    • Added updated Konflux/Tekton build settings for wheel, source, and binary package handling.
  • Bug Fixes

    • Updated container images, package indexes, and pinned dependencies to newer releases for more reliable builds.
    • Refreshed runtime and build-time RPMs to include required TLS, XML, and crypto components.

@coderabbitai

coderabbitai Bot commented Jun 29, 2026

Contributor


Walkthrough

This PR adds a Konflux dependency resolution script, refreshes Konflux configuration and requirement inputs, updates RPM and Tekton build data, adjusts the Containerfile and pyproject settings, and introduces an RPM lock generation script.

Changes

Konflux resolution and build infrastructure update

Layer / File(s) Summary
konflux_resolve.py dependency resolution script
scripts/konflux_resolve.py
Adds parsing, index clients, resolver logic, hashed requirements output, Tekton patching, and the end-to-end orchestration flow.
Konflux config and requirements inputs
.konflux/build-args-konflux.conf, .konflux/profiles.toml, .konflux/pypi_wheel_only.txt, .konflux/requirements-build.txt, .konflux/requirements.hashes.*, .konflux/requirements.hermetic.txt, .konflux/requirements.overrides.txt
Updates the base image, adds Konflux profile and wheel-only inputs, and regenerates the requirements and hash constraint files.
RPM lockfiles and upgrade list
.konflux/rpms.in.yaml, .konflux/rpms.lock.yaml
Adds RPM upgrade targets and matching locked package entries for both architectures.
Tekton prefetch package lists
.tekton/lightspeed-stack-0-6-pull-request.yaml, .tekton/lightspeed-stack-0-6-push.yaml, .tekton/lightspeed-stack-pull-request.yaml, .tekton/lightspeed-stack-push.yaml
Adds the wheel PyPI hashes file and replaces the binary.packages allowlists in all four pipeline definitions.
Containerfile and pyproject updates
deploy/lightspeed-stack/Containerfile, pyproject.toml
Changes the build/runtime container steps and updates the torch pin plus Black target version.
generate-rpm-lock.sh script
scripts/generate-rpm-lock.sh
Adds a containerized RPM lockfile generation script with subscription and entitlement handling.

Estimated code review effort: 4 (Complex) | ~75 minutes

Possibly related issues

Possibly related PRs

Suggested reviewers: tisnik, radofuchs

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Docstring Coverage ✅ Passed Docstring coverage is 86.36% which is sufficient. The required threshold is 80.00%.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title clearly summarizes the main change: migrating main to RHOAI 3.4 with PyPI support.

@syedriko

Contributor Author

/retest

@syedriko syedriko force-pushed the syedriko-rhoai-3.4-main branch from 08928c9 to c7171c2 Compare June 29, 2026 16:32
@syedriko

Contributor Author

/retest

@syedriko syedriko force-pushed the syedriko-rhoai-3.4-main branch 2 times, most recently from f0176e3 to ccc3010 Compare June 30, 2026 18:44
@syedriko syedriko marked this pull request as ready for review June 30, 2026 19:55

@coderabbitai coderabbitai Bot left a comment

Contributor


Actionable comments posted: 5

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
.tekton/lightspeed-stack-0-6-pull-request.yaml (1)

35-63: 🎯 Functional Correctness | 🟠 Major | ⚡ Quick win

Add maturin to the prefetch inputs
binary.packages includes maturin, but it is missing from all of the referenced hash files, so the hermetic prefetch set is incomplete. If it is no longer needed, remove it from binary.packages instead.

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@scripts/generate-rpm-lock.sh`:
- Around line 5-33: The fallback base image in generate-rpm-lock.sh is still
using the old registry.redhat.io/rhai/base-image-cpu-rhel9:3.4 value, so update
the DEFAULT_BASE_IMAGE constant to the migrated Konflux image used by this PR.
Make sure the logic in the build-args fallback path continues to prefer
BUILDER_BASE_IMAGE from .konflux/build-args-konflux.conf, but when it is
missing, BASE_IMAGE should resolve to the new
quay.io/aipcc/base-images/cpu:3.4.2-1782270165 image instead of the legacy one.
- Around line 108-109: The repo disable step in generate-rpm-lock.sh is
hardcoded to x86_64 and will fail on non-x86_64 containers. Update the
repository handling around the subscription-manager repos call to derive the
repo IDs from the container architecture (or check availability before
disabling) instead of unconditionally disabling rhel-9-for-x86_64-* entries.
Keep the existing echo/logging, but make the disable logic architecture-aware so
the script works for aarch64 as well.

In `@scripts/konflux_resolve.py`:
- Around line 447-471: The package resolution flow in the wheel selection logic
only keeps a version when any target arch matches, which can miss incomplete
wheel sets for other configured architectures. Update the resolution path in the
parser/collector and the version selection in find_best() so all configured
target architectures from profiles.toml must be satisfied before accepting a
release, and ensure the stored package data tracks per-arch wheel availability
consistently across the affected code paths.
- Around line 548-591: The marker handling in _eval_single_marker and the
surrounding marker parser is doing string-based comparisons and defaulting
unparsed expressions to True, which can produce incorrect results. Replace this
logic with a real PEP 508 marker evaluator, or at minimum make _MARKER_CMP_OPS
and _eval_single_marker version-aware for fields like python_version and
platform values. Ensure unsupported or malformed markers are not silently
accepted as True, and keep the existing marker evaluation entry point so the fix
is localized.
- Around line 1274-1283: Step 7 is hardcoding the uv executable instead of
reusing the resolved binary path. Update the pybuild-deps compile call in
uv_resolve() to use uv_resolved, which already handles $UV_BINARY and the
repo-local fallback, so requirements-build.txt generation works on all hosts.
Keep the change localized to the subprocess.run invocation in uv_resolve().

---

Outside diff comments:
In @.tekton/lightspeed-stack-0-6-pull-request.yaml:
- Around line 35-63: The prefetch configuration in the lightspeed stack is
incomplete because `maturin` is listed in `prefetch-input` under
`binary.packages` but is missing from the referenced requirements hash files.
Update the `prefetch-input` entry so `maturin` is either added to the
appropriate hash/requirements files used by this stack or removed from
`binary.packages` if it is no longer needed, keeping the `prefetch-input` list
consistent with the hermetic dependency set.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: a9272d86-0d7e-4606-8ad7-5a58861debc8

📥 Commits

Reviewing files that changed from the base of the PR and between 56ae5fd and ccc3010.

⛔ Files ignored due to path filters (1)
  • uv.lock is excluded by !**/*.lock
📒 Files selected for processing (19)
  • .konflux/build-args-konflux.conf
  • .konflux/profiles.toml
  • .konflux/pypi_wheel_only.txt
  • .konflux/requirements-build.txt
  • .konflux/requirements.hashes.source.txt
  • .konflux/requirements.hashes.wheel.pypi.txt
  • .konflux/requirements.hashes.wheel.txt
  • .konflux/requirements.hermetic.txt
  • .konflux/requirements.overrides.txt
  • .konflux/rpms.in.yaml
  • .konflux/rpms.lock.yaml
  • .tekton/lightspeed-stack-0-6-pull-request.yaml
  • .tekton/lightspeed-stack-0-6-push.yaml
  • .tekton/lightspeed-stack-pull-request.yaml
  • .tekton/lightspeed-stack-push.yaml
  • deploy/lightspeed-stack/Containerfile
  • pyproject.toml
  • scripts/generate-rpm-lock.sh
  • scripts/konflux_resolve.py
💤 Files with no reviewable changes (1)
  • .konflux/requirements.hermetic.txt
📜 Review details
⏰ Context from checks skipped due to timeout. (2)
  • GitHub Check: Konflux kflux-prd-rh02 / lightspeed-stack-on-pull-request
  • GitHub Check: Konflux kflux-prd-rh02 / lightspeed-stack-0-6-on-pull-request
⚠️ CI failures not shown inline (4)

GitHub Actions: OpenAPI (Spectral) / 0_spectral.txt: Migrate to RHOAI 3.4 + PyPI - main

Conclusion: failure


##[group]Run set -euo pipefail
 set -euo pipefail
 uv run python scripts/generate_openapi_schema.py /tmp/openapi-generated.json
 if ! diff -u docs/openapi.json /tmp/openapi-generated.json; then
   echo "::error::docs/openapi.json is out of date. Regenerate with: uv run scripts/generate_openapi_schema.py docs/openapi.json"

GitHub Actions: Unit tests / 1_unit_tests (3.12).txt: Migrate to RHOAI 3.4 + PyPI - main

Conclusion: failure


##[group]Run uv run pytest tests/unit --cov=src --cov=runner --cov-report term-missing
 uv run pytest tests/unit --cov=src --cov=runner --cov-report term-missing
 shell: /usr/bin/bash -e {0}
 env:
   UV_PYTHON: 3.12
   VIRTUAL_ENV: /home/runner/work/lightspeed-stack/lightspeed-stack/.venv
   UV_CACHE_DIR: /home/runner/work/_temp/setup-uv-cache
 ##[endgroup]
 Uninstalled 1 package in 2ms
 Installed 1 package in 12ms
 ============================= test session starts ==============================
 platform linux -- Python 3.12.3, pytest-9.1.1, pluggy-1.6.0
 benchmark: 5.2.3 (defaults: timer=time.perf_counter disable_gc=False min_rounds=5 min_time=0.000005 max_time=1.0 calibration_precision=10 warmup=False warmup_iterations=100000)
 rootdir: /home/runner/work/lightspeed-stack/lightspeed-stack
 configfile: pyproject.toml
 plugins: asyncio-1.4.0, benchmark-5.2.3, anyio-4.14.1, order-1.5.0, mock-3.15.1, cov-7.1.0, logfire-4.37.0
 asyncio: mode=Mode.AUTO, debug=False, asyncio_default_fixture_loop_scope=None, asyncio_default_test_loop_scope=function
 collected 2928 items
 tests/unit/a2a_storage/test_in_memory_context_store.py ........          [  0%]
 tests/unit/a2a_storage/test_sqlite_context_store.py ..........           [  0%]
 tests/unit/a2a_storage/test_storage_factory.py ...........               [  0%]
 tests/unit/app/endpoints/test_a2a.py ..............................      [  2%]
 tests/unit/app/endpoints/test_authorized.py ...                          [  2%]
 tests/unit/app/endpoints/test_config.py ..                               [  2%]
 tests/unit/app/endpoints/test_conversations.py ......................... [  3%]
 .................                                                        [  3%]
 tests/unit/app/endpoints/test_conversations_v2.py ...................... [  4%]
 ...............                                                          [  4%]
 tests/unit/app/endpoints/test_feedback.py .......................        [  5%]
 tests/unit/ap...

GitHub Actions: Unit tests / 0_unit_tests (3.13).txt: Migrate to RHOAI 3.4 + PyPI - main

Conclusion: failure


##[group]Run uv run pytest tests/unit --cov=src --cov=runner --cov-report term-missing
 uv run pytest tests/unit --cov=src --cov=runner --cov-report term-missing
 shell: /usr/bin/bash -e {0}
 env:
   UV_PYTHON: 3.13
   VIRTUAL_ENV: /home/runner/work/lightspeed-stack/lightspeed-stack/.venv
   UV_CACHE_DIR: /home/runner/work/_temp/setup-uv-cache
 ##[endgroup]
 Uninstalled 1 package in 2ms
 Installed 1 package in 3ms
 ============================= test session starts ==============================
 platform linux -- Python 3.13.14, pytest-9.1.1, pluggy-1.6.0
 benchmark: 5.2.3 (defaults: timer=time.perf_counter disable_gc=False min_rounds=5 min_time=0.000005 max_time=1.0 calibration_precision=10 warmup=False warmup_iterations=100000)
 rootdir: /home/runner/work/lightspeed-stack/lightspeed-stack
 configfile: pyproject.toml
 plugins: asyncio-1.4.0, benchmark-5.2.3, anyio-4.14.1, order-1.5.0, mock-3.15.1, cov-7.1.0, logfire-4.37.0
 asyncio: mode=Mode.AUTO, debug=False, asyncio_default_fixture_loop_scope=None, asyncio_default_test_loop_scope=function
 collected 2928 items
 tests/unit/a2a_storage/test_in_memory_context_store.py ........          [  0%]
 tests/unit/a2a_storage/test_sqlite_context_store.py ..........           [  0%]
 tests/unit/a2a_storage/test_storage_factory.py ...........               [  0%]
 tests/unit/app/endpoints/test_a2a.py ..............................      [  2%]
 tests/unit/app/endpoints/test_authorized.py ...                          [  2%]
 tests/unit/app/endpoints/test_config.py ..                               [  2%]
 tests/unit/app/endpoints/test_conversations.py ......................... [  3%]
 .................                                                        [  3%]
 tests/unit/app/endpoints/test_conversations_v2.py ...................... [  4%]
 ...............                                                          [  4%]
 tests/unit/app/endpoints/test_feedback.py .......................        [  5%]
 tests/unit/ap...

GitHub Actions: PR Title Checker / 0_check.txt: Migrate to RHOAI 3.4 + PyPI - main

Conclusion: failure


##[group]Run thehanimo/pr-title-checker@v1.4.3
 with:
   GITHUB_***REDACTED***
   pass_on_octokit_error: false
   configuration_path: .github/pr-title-checker-config.json
 ##[endgroup]
 (node:2162) [DEP0040] DeprecationWarning: The `punycode` module is deprecated. Please use a userland alternative instead.
 Using config file .github/pr-title-checker-config.json from repo lightspeed-core/lightspeed-stack [ref: 56ae5fdc6bce2da7499bfeffad1c0c30baf32c8e]
 (Use `node --trace-deprecation ...` to show where the warning was created)
 (node:2162) [DEP0169] DeprecationWarning: `url.parse()` behavior is not standardized and prone to errors that have security implications. Use the WHATWG URL API instead. CVEs are not issued for `url.parse()` vulnerabilities.
 Creating label (title needs formatting)...
 Label (title needs formatting) already created.
 Adding label (title needs formatting) to PR...
 HttpError: Resource not accessible by integration
 ##[error]Failed to add label (title needs formatting) to PR
🧰 Additional context used
🧠 Learnings (2)
📚 Learning: 2026-05-12T15:14:34.788Z
Learnt from: syedriko
Repo: lightspeed-core/lightspeed-stack PR: 1727
File: scripts/konflux_requirements.sh:9-15
Timestamp: 2026-05-12T15:14:34.788Z
Learning: In this repo, the `.konflux/` directory is committed/tracked and is guaranteed to exist in a fresh clone. Therefore, shell scripts that write output under `.konflux/` (e.g., create files like `.konflux/<...>`) should not waste effort by calling `mkdir -p .konflux` first. Only add directory-creation logic if the script may run in an environment/repo state where `.konflux/` might not be present.

Applied to files:

  • scripts/generate-rpm-lock.sh
📚 Learning: 2026-06-24T13:45:37.249Z
Learnt from: Jdubrick
Repo: lightspeed-core/lightspeed-stack PR: 1971
File: src/utils/markdown_repair.py:31-36
Timestamp: 2026-06-24T13:45:37.249Z
Learning: In the lightspeed-stack repository, docstrings must use the section header name "Parameters:" (not "Args:") for function arguments, even if the project references Google Python docstring conventions. Ensure docstrings follow the project’s established "Parameters:" header format for any documented function parameters.

Applied to files:

  • scripts/konflux_resolve.py
🪛 ast-grep (0.44.0)
scripts/konflux_resolve.py

[error] 1040-1040: Use of unsanitized data to create processes
Context: subprocess.run(cmd, capture_output=True, text=True, check=True)
Note: [CWE-78] Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection').

(os-system-unsanitized-data)


[warning] 204-204: File path is request-/variable-derived; validate and normalize to prevent path traversal.
Context: open(pyproject_path, "rb")
Note: [CWE-22] Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal').

(open-filename-from-request)


[warning] 914-914: File path is request-/variable-derived; validate and normalize to prevent path traversal.
Context: open(output_path, "w")
Note: [CWE-22] Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal').

(open-filename-from-request)


[warning] 925-925: File path is request-/variable-derived; validate and normalize to prevent path traversal.
Context: open(yaml_path)
Note: [CWE-22] Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal').

(open-filename-from-request)


[warning] 932-932: File path is request-/variable-derived; validate and normalize to prevent path traversal.
Context: open(yaml_path, "w")
Note: [CWE-22] Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal').

(open-filename-from-request)


[warning] 950-950: File path is request-/variable-derived; validate and normalize to prevent path traversal.
Context: open(profiles_path, "rb")
Note: [CWE-22] Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal').

(open-filename-from-request)


[warning] 972-972: File path is request-/variable-derived; validate and normalize to prevent path traversal.
Context: open(path)
Note: [CWE-22] Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal').

(open-filename-from-request)


[warning] 1151-1151: File path is request-/variable-derived; validate and normalize to prevent path traversal.
Context: open(build_file)
Note: [CWE-22] Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal').

(open-filename-from-request)


[warning] 1166-1166: File path is request-/variable-derived; validate and normalize to prevent path traversal.
Context: open(build_file, "w")
Note: [CWE-22] Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal').

(open-filename-from-request)


[warning] 1269-1269: File path is request-/variable-derived; validate and normalize to prevent path traversal.
Context: open(tmp_sdist_file, "w")
Note: [CWE-22] Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal').

(open-filename-from-request)


[warning] 1293-1293: File path is request-/variable-derived; validate and normalize to prevent path traversal.
Context: open(build_output, "w")
Note: [CWE-22] Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal').

(open-filename-from-request)


[warning] 417-417: Request-controlled URL passed to urlopen; validate against an allowlist to prevent SSRF.
Context: urllib.request.urlopen(url, timeout=30)
Note: [CWE-918] Server-Side Request Forgery (SSRF).

(urlopen-unsanitized-data)


[warning] 609-609: Request-controlled URL passed to urlopen; validate against an allowlist to prevent SSRF.
Context: urllib.request.urlopen(url, timeout=30)
Note: [CWE-918] Server-Side Request Forgery (SSRF).

(urlopen-unsanitized-data)


[error] 1040-1040: Command coming from incoming request
Context: subprocess.run(cmd, capture_output=True, text=True, check=True)
Note: [CWE-78] Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection').

(subprocess-from-request)


[error] 1273-1283: Command coming from incoming request
Context: subprocess.run(
[
"uv",
"run",
"pybuild-deps",
"compile",
f"--output-file={build_output}",
tmp_sdist_file,
],
check=True,
)
Note: [CWE-78] Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection').

(subprocess-from-request)

🔇 Additional comments (11)
pyproject.toml (2)

189-189: LGTM!


241-243: 📐 Maintainability & Code Quality

[tool.black] is already wired into the workflow
The repo runs Black via Makefile and .github/workflows/black.yaml, so this config isn’t dead or duplicate tooling.

> Likely an incorrect or invalid review comment.
.konflux/rpms.lock.yaml (1)

49-55: LGTM!

Also applies to: 91-118, 165-171, 207-234

.konflux/rpms.in.yaml (1)

10-15: 🗄️ Data Integrity & Integration

No change needed for upgradePackages
rpm-lockfile-prototype supports this input key, and it uses the same list schema as packages.

> Likely an incorrect or invalid review comment.
.konflux/pypi_wheel_only.txt (1)

1-5: 🩺 Stability & Availability

Leave .konflux/pypi_wheel_only.txt empty. The binary-heavy packages are already landing in .konflux/requirements.hashes.wheel.txt, not the PyPI wheel bucket.

.konflux/requirements-build.txt (1)

5-48: LGTM!

.konflux/requirements.hashes.source.txt (1)

2-23: LGTM!

.konflux/requirements.hashes.wheel.pypi.txt (1)

1-2: LGTM!

.konflux/requirements.overrides.txt (1)

2-3: LGTM!

.konflux/requirements.hashes.wheel.txt (1)

1-443: 🎯 Functional Correctness

Drop the maturin hash-file concern. maturin is handled as a bootstrap/extra wheel (EXTRA_WHEELS and bootstrap_packages), so it does not need an entry in .konflux/requirements.hashes.wheel.txt.

> Likely an incorrect or invalid review comment.
.tekton/lightspeed-stack-0-6-push.yaml (1)

36-64: 🎯 Functional Correctness

binary.packages is already aligned with the pull-request pipeline; the only open point is whether .konflux/requirements.hermetic.txt is an expected generated artifact for this target.

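The review above flags an allowlist/hash-file mismatch (maturin present in binary.packages but pinned in none of the referenced requirements.hashes.* files). The following is an added example of the consistency check a reviewer would want to run before a hermetic build, written for this thread and not taken from the PR or from the lightspeed-stack scripts. It assumes the hash files use plain pip `--hash` syntax and that names should be compared after PEP 503 normalisation; the file contents and the allowlist are constructed samples.

```python
import re
from collections.abc import Iterable

# PEP 503 normalisation: "Maturin", "maturin" and "MATURIN" name the same project,
# so allowlist and hash files must be compared after normalising both sides.
_SEPARATORS = re.compile(r"[-_.]+")


def normalise(name: str) -> str:
    """Normalise a project name the way PyPI and pip do (PEP 503)."""
    return _SEPARATORS.sub("-", name).lower()


def parse_hash_file(text: str) -> dict[str, list[str]]:
    """Parse a pip-style hashed requirements file into {name: [hash, ...]}.

    Backslash continuations, comments and option lines (-r, --index-url) are
    handled. A pinned requirement that carries no --hash raises ValueError: in
    a hermetic build such a line would silently defeat --require-hashes.
    """
    joined = re.sub(r"\\\r?\n", " ", text)  # fold "foo==1.0 \<newline> --hash=..." onto one line
    pins: dict[str, list[str]] = {}
    for raw in joined.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("-"):
            continue
        tokens = line.split()
        match = re.match(r"^([A-Za-z0-9](?:[A-Za-z0-9._-]*[A-Za-z0-9])?)(?:\[[^\]]*\])?==", tokens[0])
        if match is None:
            raise ValueError(f"not an exact '==' pin: {tokens[0]!r}")
        hashes = [t.split("=", 1)[1] for t in tokens[1:] if t.startswith("--hash=")]
        if not hashes:
            raise ValueError(f"pinned requirement without --hash: {tokens[0]!r}")
        pins.setdefault(normalise(match.group(1)), []).extend(hashes)
    return pins


def missing_from_prefetch(binary_packages: Iterable[str], *hash_files: str) -> list[str]:
    """Return allowlisted names that none of the hash files pins, in allowlist order."""
    pinned: set[str] = set()
    for content in hash_files:
        pinned.update(parse_hash_file(content))
    return [name for name in binary_packages if normalise(name) not in pinned]


# Constructed sample inputs; the repository's real .konflux files are much longer.
WHEEL_HASHES = """\
# requirements.hashes.wheel.txt (constructed)
numpy==2.2.0 \\
    --hash=sha256:0000000000000000000000000000000000000000000000000000000000000001
Torch==2.5.1 \\
    --hash=sha256:0000000000000000000000000000000000000000000000000000000000000002 \\
    --hash=sha256:0000000000000000000000000000000000000000000000000000000000000003
"""

SOURCE_HASHES = """\
--index-url https://pypi.example.invalid/simple
uv==0.5.0 --hash=sha256:0000000000000000000000000000000000000000000000000000000000000004
"""

# The Tekton prefetch-input binary.packages allowlist (constructed).
BINARY_PACKAGES = ["numpy", "torch", "uv", "pip", "maturin"]

if __name__ == "__main__":
    gaps = missing_from_prefetch(BINARY_PACKAGES, WHEEL_HASHES, SOURCE_HASHES)
    print("allowlisted but unpinned:", gaps)  # ['pip', 'maturin']
```

Running this against the real `.konflux/requirements.hashes.*` files and the four `.tekton/*.yaml` allowlists as a pre-commit or CI step turns the "maturin is missing" finding into a hard failure instead of a review comment; the ValueError on an unhashed pin matters because `--require-hashes` only protects what is actually hashed.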
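The review also objects to string-based marker comparison that defaults unparsed expressions to True. The block below is an added illustration for this thread, not code from konflux_resolve.py or from the packaging library: a small version-aware evaluator for the `field op "value"` subset of PEP 508 markers that raises on anything it cannot parse, placed beside the naive string version so the failure mode is visible. The environment dictionaries are constructed; a production script should use `packaging.markers.Marker` rather than this subset.

```python
import re

# Environment fields that must be compared as versions, not as strings:
# as strings "3.9" >= "3.10" is True, because "9" sorts after "1".
_VERSION_FIELDS = {"python_version", "python_full_version", "implementation_version"}

_OPS = {
    "==": lambda a, b: a == b,
    "!=": lambda a, b: a != b,
    "<=": lambda a, b: a <= b,
    ">=": lambda a, b: a >= b,
    "<": lambda a, b: a < b,
    ">": lambda a, b: a > b,
}

# One clause of the form   variable  operator  "quoted value".  Anything else
# (===, ~=, in, reversed operands, unquoted literals) is rejected rather than
# silently treated as true.
_CLAUSE = re.compile(
    r"""^\s*([A-Za-z_][A-Za-z0-9_]*)\s*(==|!=|<=|>=|<|>)\s*(?:"([^"]*)"|'([^']*)')\s*$"""
)


def _version_key(text: str) -> tuple[int, ...]:
    """Turn "3.10" into (3, 10); non-numeric segments are a hard error."""
    try:
        return tuple(int(part) for part in text.split("."))
    except ValueError as exc:
        raise ValueError(f"not a plain dotted version: {text!r}") from exc


def _eval_clause(clause: str, env: dict[str, str]) -> bool:
    match = _CLAUSE.match(clause)
    if match is None:
        raise ValueError(f"unsupported or malformed marker clause: {clause!r}")
    field, op, dq, sq = match.groups()
    value = dq if dq is not None else sq
    if field not in env:
        raise ValueError(f"unknown marker variable: {field!r}")
    if field in _VERSION_FIELDS:
        return _OPS[op](_version_key(env[field]), _version_key(value))
    return _OPS[op](env[field], value)


def evaluate_marker(marker: str, env: dict[str, str]) -> bool:
    """Evaluate 'c1 and c2 or c3 ...' against env; 'and' binds tighter than 'or'.

    Parentheses are not supported and raise, so nothing is guessed.
    """
    if "(" in marker or ")" in marker:
        raise ValueError("parenthesised markers are not supported by this evaluator")
    for disjunct in re.split(r"\s+or\s+", marker.strip()):
        if all(_eval_clause(c, env) for c in re.split(r"\s+and\s+", disjunct)):
            return True
    return False


def naive_string_eval(clause: str, env: dict[str, str]) -> bool:
    """The buggy approach: every field compared lexically, unknown syntax accepted."""
    match = _CLAUSE.match(clause)
    if match is None:
        return True  # the 'default unparsed expressions to True' mistake
    field, op, dq, sq = match.groups()
    return _OPS[op](env.get(field, ""), dq if dq is not None else sq)


# Constructed build environments (real values would come from profiles.toml and the builder image).
ENV_PY39_X86 = {"python_version": "3.9", "python_full_version": "3.9.18",
                "sys_platform": "linux", "platform_machine": "x86_64"}
ENV_PY312_ARM = {"python_version": "3.12", "python_full_version": "3.12.3",
                 "sys_platform": "linux", "platform_machine": "aarch64"}
```

For a resolver that decides which wheels go into a hermetic prefetch, the two behaviours matter in opposite directions: the naive evaluator would keep a `python_version >= "3.10"` dependency for a 3.9 builder (bloating the prefetch with something never installed) and would accept a `~=` marker it never parsed, while the strict one fails the resolution so the marker gets looked at.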
@syedriko syedriko changed the title Migrate to RHOAI 3.4 + PyPI - main LCORE-2874: Migrate to RHOAI 3.4 + PyPI - main Jun 30, 2026
@syedriko syedriko force-pushed the syedriko-rhoai-3.4-main branch from ccc3010 to b1286b5 Compare July 4, 2026 14:17

@coderabbitai coderabbitai Bot left a comment

Contributor


Actionable comments posted: 4

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
.tekton/lightspeed-stack-pull-request.yaml (1)

36-40: 🗄️ Data Integrity & Integration | 🟠 Major | ⚡ Quick win

Keep uv and pip in binary.packages
The resolver still shells out to uv pip compile, and scripts/konflux_requirements.sh still adds uv,pip,maturin to the wheel allowlist. Dropping them here will break the hermetic prefetch path; apply the same fix to the matching Tekton manifests too.

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@scripts/generate-rpm-lock.sh`:
- Line 9: The CONTAINER_IMAGE value is unpinned and currently resolves to
latest, so update the generate-rpm-lock.sh script to use a specific immutable
tag for the container image instead of registry.access.redhat.com/ubi9/ubi. Keep
the change centered on the CONTAINER_IMAGE assignment so the script runs against
the same UBI base image across executions.
- Around line 122-124: The rpm-lockfile-prototype install in the
generate-rpm-lock.sh flow is pulling a GitHub tarball without integrity
verification; update the installation step to use a pinned, verifiable source in
the script’s pip install command. Add hash/checksum pinning or an equivalent
integrity check around the rpm-lockfile-prototype version reference so the
download is validated before use, keeping the change localized to the install
block that echoes “Installing rpm-lockfile-prototype...”.
- Around line 136-145: The entitlement certificate lookup in
generate-rpm-lock.sh can leave DNF_VAR_SSL_CLIENT_KEY and
DNF_VAR_SSL_CLIENT_CERT empty, so add an explicit check in the bash -c block
before calling rpm-lockfile-prototype. Use the existing find-based lookup and,
if no key file is found, fail fast with a clear error message about missing
entitlement certs instead of proceeding; keep the validation close to the
DNF_VAR_SSL_CLIENT_KEY/DNF_VAR_SSL_CLIENT_CERT setup so the failure is easy to
locate.

In `@scripts/konflux_resolve.py`:
- Around line 1070-1114: The legacy resolver path is now dead code:
reclassify_with_rhoai, Resolver, and parse_direct_deps are no longer referenced
because main() performs classification inline. Remove these unused definitions
and any related wiring from the script, keeping the current inline
classification flow intact and updating any nearby imports or helpers that
become unused.

---

Outside diff comments:
In @.tekton/lightspeed-stack-pull-request.yaml:
- Around line 36-40: Keep uv and pip listed in binary.packages because the
resolver still invokes uv pip compile and scripts/konflux_requirements.sh
depends on uv,pip,maturin for the wheel allowlist. Restore these packages in the
Tekton manifest and make the same update in the matching Tekton manifests so
hermetic prefetch continues to work.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: 7bf5db6f-a1f0-43be-b47d-d19f4890b2fa

📥 Commits

Reviewing files that changed from the base of the PR and between ccc3010 and b1286b5.

⛔ Files ignored due to path filters (1)
  • uv.lock is excluded by !**/*.lock
📒 Files selected for processing (19)
  • .konflux/build-args-konflux.conf
  • .konflux/profiles.toml
  • .konflux/pypi_wheel_only.txt
  • .konflux/requirements-build.txt
  • .konflux/requirements.hashes.source.txt
  • .konflux/requirements.hashes.wheel.pypi.txt
  • .konflux/requirements.hashes.wheel.txt
  • .konflux/requirements.hermetic.txt
  • .konflux/requirements.overrides.txt
  • .konflux/rpms.in.yaml
  • .konflux/rpms.lock.yaml
  • .tekton/lightspeed-stack-0-6-pull-request.yaml
  • .tekton/lightspeed-stack-0-6-push.yaml
  • .tekton/lightspeed-stack-pull-request.yaml
  • .tekton/lightspeed-stack-push.yaml
  • deploy/lightspeed-stack/Containerfile
  • pyproject.toml
  • scripts/generate-rpm-lock.sh
  • scripts/konflux_resolve.py
💤 Files with no reviewable changes (1)
  • .konflux/requirements.hermetic.txt
📜 Review details
⏰ Context from checks skipped due to timeout. (12)
  • GitHub Check: build-pr
  • GitHub Check: integration_tests (3.13)
  • GitHub Check: integration_tests (3.12)
  • GitHub Check: E2E Tests for Lightspeed Evaluation job
  • GitHub Check: E2E: library mode / ci / group 3
  • GitHub Check: E2E: library mode / ci / group 1
  • GitHub Check: E2E: server mode / ci / group 3
  • GitHub Check: E2E: library mode / ci / group 2
  • GitHub Check: E2E: server mode / ci / group 1
  • GitHub Check: E2E: server mode / ci / group 2
  • GitHub Check: Konflux kflux-prd-rh02 / lightspeed-stack-0-6-on-pull-request
  • GitHub Check: Konflux kflux-prd-rh02 / lightspeed-stack-on-pull-request
⚠️ CI failures not shown inline (4)

GitHub Actions: OpenAPI (Spectral) / 0_spectral.txt: LCORE-2874: Migrate to RHOAI 3.4 + PyPI - main

Conclusion: failure


##[group]Run set -euo pipefail
 set -euo pipefail
 uv run python scripts/generate_openapi_schema.py /tmp/openapi-generated.json
 if ! diff -u docs/openapi.json /tmp/openapi-generated.json; then
   echo "::error::docs/openapi.json is out of date. Regenerate with: uv run scripts/generate_openapi_schema.py docs/openapi.json"

GitHub Actions: OpenAPI (Spectral) / spectral: LCORE-2874: Migrate to RHOAI 3.4 + PyPI - main

Conclusion: failure


##[group]Run set -euo pipefail
 set -euo pipefail
 uv run python scripts/generate_openapi_schema.py /tmp/openapi-generated.json
 if ! diff -u docs/openapi.json /tmp/openapi-generated.json; then
   echo "::error::docs/openapi.json is out of date. Regenerate with: uv run scripts/generate_openapi_schema.py docs/openapi.json"

GitHub Actions: Unit tests / 0_unit_tests (3.12).txt: LCORE-2874: Migrate to RHOAI 3.4 + PyPI - main

Conclusion: failure

View job details

##[group]Run uv run pytest tests/unit --cov=src --cov=runner --cov-report term-missing
 uv run pytest tests/unit --cov=src --cov=runner --cov-report term-missing
 shell: /usr/bin/bash -e {0}
 env:
   UV_PYTHON: 3.12
   VIRTUAL_ENV: /home/runner/work/lightspeed-stack/lightspeed-stack/.venv
   UV_CACHE_DIR: /home/runner/work/_temp/setup-uv-cache
 ##[endgroup]
 Uninstalled 1 package in 4ms
 Installed 1 package in 3ms
 ============================= test session starts ==============================
 platform linux -- Python 3.12.3, pytest-9.1.1, pluggy-1.6.0
 benchmark: 5.2.3 (defaults: timer=time.perf_counter disable_gc=False min_rounds=5 min_time=0.000005 max_time=1.0 calibration_precision=10 warmup=False warmup_iterations=100000)
 rootdir: /home/runner/work/lightspeed-stack/lightspeed-stack
 configfile: pyproject.toml
 plugins: asyncio-1.4.0, benchmark-5.2.3, anyio-4.14.1, order-1.5.0, mock-3.15.1, cov-7.1.0, logfire-4.37.0
 asyncio: mode=Mode.AUTO, debug=False, asyncio_default_fixture_loop_scope=None, asyncio_default_test_loop_scope=function
 collected 2928 items
 tests/unit/a2a_storage/test_in_memory_context_store.py ........          [  0%]
 tests/unit/a2a_storage/test_sqlite_context_store.py ..........           [  0%]
 tests/unit/a2a_storage/test_storage_factory.py ...........               [  0%]
 tests/unit/app/endpoints/test_a2a.py ..............................      [  2%]
 tests/unit/app/endpoints/test_authorized.py ...                          [  2%]
 tests/unit/app/endpoints/test_config.py ..                               [  2%]
 tests/unit/app/endpoints/test_conversations.py ......................... [  3%]
 .................                                                        [  3%]
 tests/unit/app/endpoints/test_conversations_v2.py ...................... [  4%]
 ...............                                                          [  4%]
 tests/unit/app/endpoints/test_feedback.py .......................        [  5%]
 tests/unit/app...

GitHub Actions: Unit tests / unit_tests (3.12): LCORE-2874: Migrate to RHOAI 3.4 + PyPI - main

Conclusion: failure

View job details

🧰 Additional context used
🧠 Learnings (2)
📚 Learning: 2026-05-12T15:14:34.788Z
Learnt from: syedriko
Repo: lightspeed-core/lightspeed-stack PR: 1727
File: scripts/konflux_requirements.sh:9-15
Timestamp: 2026-05-12T15:14:34.788Z
Learning: In this repo, the `.konflux/` directory is committed/tracked and is guaranteed to exist in a fresh clone. Therefore, shell scripts that write output under `.konflux/` (e.g., create files like `.konflux/<...>`) should not waste effort by calling `mkdir -p .konflux` first. Only add directory-creation logic if the script may run in an environment/repo state where `.konflux/` might not be present.

Applied to files:

  • scripts/generate-rpm-lock.sh
📚 Learning: 2026-06-24T13:45:37.249Z
Learnt from: Jdubrick
Repo: lightspeed-core/lightspeed-stack PR: 1971
File: src/utils/markdown_repair.py:31-36
Timestamp: 2026-06-24T13:45:37.249Z
Learning: In the lightspeed-stack repository, docstrings must use the section header name "Parameters:" (not "Args:") for function arguments, even if the project references Google Python docstring conventions. Ensure docstrings follow the project’s established "Parameters:" header format for any documented function parameters.

Applied to files:

  • scripts/konflux_resolve.py
🪛 ast-grep (0.44.0)
scripts/konflux_resolve.py

[warning] 204-204: File path is request-/variable-derived; validate and normalize to prevent path traversal.
Context: open(pyproject_path, "rb")
Note: [CWE-22] Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal').

(open-filename-from-request)


[warning] 914-914: File path is request-/variable-derived; validate and normalize to prevent path traversal.
Context: open(output_path, "w")
Note: [CWE-22] Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal').

(open-filename-from-request)


[warning] 925-925: File path is request-/variable-derived; validate and normalize to prevent path traversal.
Context: open(yaml_path)
Note: [CWE-22] Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal').

(open-filename-from-request)


[warning] 932-932: File path is request-/variable-derived; validate and normalize to prevent path traversal.
Context: open(yaml_path, "w")
Note: [CWE-22] Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal').

(open-filename-from-request)


[warning] 950-950: File path is request-/variable-derived; validate and normalize to prevent path traversal.
Context: open(profiles_path, "rb")
Note: [CWE-22] Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal').

(open-filename-from-request)


[warning] 972-972: File path is request-/variable-derived; validate and normalize to prevent path traversal.
Context: open(path)
Note: [CWE-22] Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal').

(open-filename-from-request)


[warning] 1151-1151: File path is request-/variable-derived; validate and normalize to prevent path traversal.
Context: open(build_file)
Note: [CWE-22] Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal').

(open-filename-from-request)


[warning] 1166-1166: File path is request-/variable-derived; validate and normalize to prevent path traversal.
Context: open(build_file, "w")
Note: [CWE-22] Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal').

(open-filename-from-request)


[warning] 1269-1269: File path is request-/variable-derived; validate and normalize to prevent path traversal.
Context: open(tmp_sdist_file, "w")
Note: [CWE-22] Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal').

(open-filename-from-request)


[warning] 1293-1293: File path is request-/variable-derived; validate and normalize to prevent path traversal.
Context: open(build_output, "w")
Note: [CWE-22] Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal').

(open-filename-from-request)


[error] 1040-1040: Command coming from incoming request
Context: subprocess.run(cmd, capture_output=True, text=True, check=True)
Note: [CWE-78] Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection').

(subprocess-from-request)


[error] 1273-1283: Command coming from incoming request
Context: subprocess.run(
[
"uv",
"run",
"pybuild-deps",
"compile",
f"--output-file={build_output}",
tmp_sdist_file,
],
check=True,
)
Note: [CWE-78] Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection').

(subprocess-from-request)


[warning] 417-417: Request-controlled URL passed to urlopen; validate against an allowlist to prevent SSRF.
Context: urllib.request.urlopen(url, timeout=30)
Note: [CWE-918] Server-Side Request Forgery (SSRF).

(urlopen-unsanitized-data)


[warning] 609-609: Request-controlled URL passed to urlopen; validate against an allowlist to prevent SSRF.
Context: urllib.request.urlopen(url, timeout=30)
Note: [CWE-918] Server-Side Request Forgery (SSRF).

(urlopen-unsanitized-data)


[error] 1040-1040: Use of unsanitized data to create processes
Context: subprocess.run(cmd, capture_output=True, text=True, check=True)
Note: [CWE-78] Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection').

(os-system-unsanitized-data)

🔇 Additional comments (21)
.tekton/lightspeed-stack-push.yaml (1)

51-58: Same uv/pip allowlist concern flagged in .tekton/lightspeed-stack-pull-request.yaml (lines 36-40, 55-62) applies here since the package list is identical.

.tekton/lightspeed-stack-0-6-pull-request.yaml (1)

50-57: LGTM!

.tekton/lightspeed-stack-0-6-push.yaml (1)

51-58: LGTM!

scripts/generate-rpm-lock.sh (2)

5-5: 🗄️ Data Integrity & Integration

Fallback base image still stale.

DEFAULT_BASE_IMAGE still points at the old registry.redhat.io/rhai/base-image-cpu-rhel9:3.4, not the migrated quay.io/aipcc/base-images/cpu:3.4.2-1782270165. If .konflux/build-args-konflux.conf is missing/misses BUILDER_BASE_IMAGE, this generates the lockfile against the wrong image. Already flagged in a previous review on an earlier commit; still unresolved.


108-109: 🩺 Stability & Availability

Hardcoded x86_64 repo disable will fail on aarch64.

Under set -e, disabling rhel-9-for-x86_64-* repos unconditionally will error out on an aarch64 host, even though the lockfile now carries aarch64 entries too. Already flagged in a previous review on an earlier commit; still unresolved.

.konflux/rpms.in.yaml (1)

10-15: LGTM!

.konflux/rpms.lock.yaml (1)

49-55: LGTM!

Also applies to: 91-118, 165-171, 207-234

scripts/konflux_resolve.py (3)

534-591: Marker operands are compared as strings and unparsed expressions default to True, so version markers like python_version < "3.9" misfire (lexical compare) and unsupported markers pass silently. This was raised previously.


489-506: find_best/_ensure_loaded accept a RHOAI version when any configured arch has a compatible wheel, while uv pip compile is pinned to x86_64-manylinux_2_28, so aarch64 wheel gaps can slip through. Previously flagged.


1274-1283: Step 7 hardcodes "uv" instead of reusing the resolved binary ($UV_BINARY/repo-local fallback) used in uv_resolve(). Previously flagged.
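The string-compare problem the marker comment above describes, shown as an added example (my code, not scripts/konflux_resolve.py or anything from the project): a minimal evaluator for single-clause PEP 508 markers. `evaluate_marker`, `parse_version` and the constructed `ENV` dictionary are my names; the `lexical=True` path reproduces the defect (operands compared as plain strings, so `"3.12" < "3.9"` is true), the default path compares version-valued markers as integer tuples, and any clause the parser does not understand raises instead of defaulting to True.

```python
"""Minimal single-clause PEP 508 marker evaluator (added example, not project code).

Shows why comparing marker operands as plain strings misorders versions,
and why an unparsed marker should fail loudly rather than default to True.
"""
import re
from typing import Callable, Union

# name OP "value": exactly one comparison; boolean connectives are not supported
_MARKER_RE = re.compile(
    r'^\s*(?P<name>[A-Za-z_]+)\s*(?P<op><=|>=|==|!=|<|>)\s*["\'](?P<value>[^"\']*)["\']\s*$'
)

# Marker variables whose values are versions and must be compared numerically.
_VERSION_MARKERS = {"python_version", "python_full_version", "implementation_version"}

_OPS: dict[str, Callable[[object, object], bool]] = {
    "<": lambda a, b: a < b,
    "<=": lambda a, b: a <= b,
    ">": lambda a, b: a > b,
    ">=": lambda a, b: a >= b,
    "==": lambda a, b: a == b,
    "!=": lambda a, b: a != b,
}

# Constructed sample environment for a Python 3.12 x86_64 Linux build host.
ENV = {
    "python_version": "3.12",
    "python_full_version": "3.12.3",
    "implementation_version": "3.12.3",
    "sys_platform": "linux",
    "platform_machine": "x86_64",
    "os_name": "posix",
}


def parse_version(version: str) -> tuple[int, ...]:
    """Turn a dotted release version into an integer tuple so that 3.12 > 3.9.

    Only plain numeric release segments are handled; pre/post/dev suffixes raise.
    """
    parts = []
    for segment in version.split("."):
        if not segment.isdigit():
            raise ValueError(f"unsupported version segment {segment!r} in {version!r}")
        parts.append(int(segment))
    return tuple(parts)


def evaluate_marker(marker: str, env: dict[str, str] = ENV, *, lexical: bool = False) -> bool:
    """Evaluate one marker clause against env.

    lexical=True reproduces the string-compare defect; the default compares
    version-valued markers as integer tuples. Anything the parser does not
    understand raises instead of being treated as True.
    """
    match = _MARKER_RE.match(marker)
    if match is None:
        raise ValueError(f"unsupported marker expression: {marker!r}")
    name, op, value = match.group("name", "op", "value")
    if name not in env:
        raise KeyError(f"unknown marker variable {name!r}")
    left: Union[str, tuple[int, ...]] = env[name]
    right: Union[str, tuple[int, ...]] = value
    if name in _VERSION_MARKERS and not lexical:
        left, right = parse_version(env[name]), parse_version(value)
    return _OPS[op](left, right)


if __name__ == "__main__":
    for clause in ('python_version < "3.9"', 'python_version >= "3.10"'):
        print(clause, "lexical:", evaluate_marker(clause, lexical=True),
              "numeric:", evaluate_marker(clause))
```

The point of raising on unsupported input is the second half of the comment: a resolver that silently treats an unparsed marker as True will pull in dependencies the environment never asked for, which is the opposite of the fail-closed behaviour a hermetic build wants.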

.konflux/profiles.toml (1)

1-14: LGTM!

.konflux/pypi_wheel_only.txt (1)

1-6: LGTM!

.konflux/requirements.hashes.source.txt (1)

2-23: LGTM!

.konflux/requirements.hashes.wheel.pypi.txt (1)

1-1: LGTM!

.konflux/requirements.overrides.txt (1)

2-3: LGTM!

.konflux/requirements-build.txt (1)

5-48: 🩺 Stability & Availability

No issue: the active Konflux resolver already generates requirements-build.txt from a sorted sdist list, and the _tmp_sdist_list.txt reference is just a stale comment.

> Likely an incorrect or invalid review comment.
.konflux/build-args-konflux.conf (1)

1-4: 🩺 Stability & Availability

Check the new base image tag
quay.io/aipcc/base-images/cpu:3.4.2-1782270165 must be published for both target architectures and include dnf; otherwise the Konflux build can fail before dependency resolution.

.konflux/requirements.hashes.wheel.txt (1)

1-443: 🩺 Stability & Availability

Shared wheel lock already covers both architectures. requirements.hashes.wheel.txt is generated from the combined x86_64/aarch64 profile and is consumed by both Konflux pipelines, so there isn’t a separate per-arch hash set to regenerate.

> Likely an incorrect or invalid review comment.
deploy/lightspeed-stack/Containerfile (2)

27-28: LGTM!

Also applies to: 103-105, 121-122, 146-146


70-77: 🎯 Functional Correctness

Document the wheel-pruning heuristic or replace it with real wheel parsing. The regex only matches build-tagged/numeric-version wheels here (10 of 1481 wheel filenames in uv.lock), so the common dotted-version wheels are left untouched. If that narrow shape is intentional for cachi2 output, add an inline note with an example; otherwise move this into a small helper and parse filenames with packaging.utils.parse_wheel_filename.

pyproject.toml (1)

189-189: LGTM! Verified 2.10.0 was released 01/21/2026, and Black's --target-version option accepts py312 as a valid choice, consistent with the Python 3.12 base image bump.

Also applies to: 241-243
