SPLAT-2167: Added dedicated host support for AWS #374

vr4manta · 2025-10-01T19:02:22Z

Changes

Added dedicated host support for AWS
Created new dedicated host tests
Fixed tests that were breaking due to updates upstream that were pulled in
Added missing permission ec2:DescribeInstanceTypes to cluster api credentials request

Dependencies

Notes

There seems to be a required permission that was missing for dedicated host support. When running these changes, a warning event was observed in the cluster capi operator namespace.

6s          Warning   FailedDescribeInstanceTypes   awscluster/ngirard-dh-5bb5w                           insufficient permissions to describe instance types for instance type "m6i.xlarge", falling back to the default architecture of "x86_64": operation error EC2: DescribeInstanceTypes, https response error StatusCode: 403, RequestID: 387549b4-ab58-48af-b14d-3882b6c7da52, api error UnauthorizedOperation: You are not authorized to perform this operation. User: arn:aws:iam::726924432237:user/ngirard-dh-5bb5w-openshift-cluster-api-aws-72f7q is not authorized to perform: ec2:DescribeInstanceTypes because no identity-based policy allows the ec2:DescribeInstanceTypes action

Summary by CodeRabbit

New Features
- AWS: host-affinity / dedicated-host placement support.
- CEL: YAML-serializable environment configs, regex library, new string.format v2, and math.sqrt; prompt tooling for authoring.
Improvements
- Broad dependency upgrades (Go/Kubernetes/tooling).
- fsnotify: more robust handling of transient filesystem edge cases.
- Cleaner, more consistent error and warning formatting.
Bug Fixes
- Stronger optional-field selection validation.
Tests
- Updated test expectations and added coverage for new scenarios.

openshift-ci-robot · 2025-10-01T19:02:27Z

@vr4manta: This pull request references SPLAT-2167 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.21.0" version, but no target version was set.

In response to this:

SPLAT-2167

Changes

Added dedicated host support for AWS

Dependencies

SPLAT-2206: Added AWS dedicated host support api#2484

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

openshift-ci · 2025-10-01T19:02:28Z

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

coderabbitai · 2025-10-01T19:02:29Z

Note

`.coderabbit.yaml` has unrecognized properties

CodeRabbit is using all valid settings from your configuration. Unrecognized properties (listed below) have been ignored and may indicate typos or deprecated fields that can be removed.

⚠️ Parsing warnings (1)

Validation error: Unrecognized key(s) in object: 'path_filters'

⚙️ Configuration instructions

Please see the configuration documentation for more information.
You can also validate your configuration using the online YAML validator.
If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

Walkthrough

Updates module dependencies and vendored libraries; adds AWS HostAffinity ↔ HostPlacement conversion and tests; refactors fsnotify backends to a shared lifecycle; and applies broad API and behavior changes in vendored fxamacker/cbor and google/cel-go packages.

Changes

Cohort / File(s)	Summary
Go module bumps `e2e/go.mod`, `go.mod`, `hack/tools/go.mod`, `manifests-gen/go.mod`	Bump many dependencies: Kubernetes k8s.io/* → v0.34.1, golang.org/x/* updates, sigs.k8s.io/yaml v1.6.0, fsnotify v1.9.0, fxamacker/cbor v2.9.0, cel-go and related indirects.
AWS HostAffinity conversion `pkg/conversion/capi2mapi/aws.go`, `pkg/conversion/mapi2capi/aws.go`	Add conversion mapping CAPA HostAffinity ("default"/"host") ⇄ MAPI HostPlacement (AnyAvailable/DedicatedHost); validate HostID format; new helpers and error constants; populate HostAffinity/HostID in conversions.
AWS tests & fuzzers `pkg/conversion/capi2mapi/aws_fuzz_test.go`, `pkg/conversion/mapi2capi/aws_fuzz_test.go`, `pkg/conversion/capi2mapi/aws_test.go`, `pkg/conversion/mapi2capi/aws_test.go`	Extend fuzzers and table tests for host placement variants; add fuzz functions and test entries; adjust many expected error/warning string formats to more compact/JSON-like representations.
Other conversion test updates `pkg/conversion/*_test.go` (machine_test.go, openstack_test.go, powervs_test.go, mapi2capi/machine_test.go, mapi2capi/powervs_test.go)	Update expected error/warning message representations (durations, taints, resource refs) to new compact/JSON-like forms; no logic changes.
AWS IAM manifest `manifests/0000_30_cluster-api_01_credentials-request.yaml`	Add `ec2:DescribeInstanceTypes` to AWS provider statement entries.
fsnotify refactor & ergonomics `vendor/github.com/fsnotify/fsnotify/*` (backend_.go, shared.go, internal/, fsnotify.go, CHANGELOG/README/.cirrus.yml/staticcheck.conf)	Replace per-backend done channels with a shared lifecycle (`shared`), centralize event/error sending, improve error wrapping and symlink/not-exist handling, add defaultBufferSize, rename SyscallEACCES/UnixEACCES → ErrSyscallEACCES/ErrUnixEACCES, and update docs/CI/changelog.
fxamacker/cbor v2.9.0 `vendor/github.com/fxamacker/cbor/v2/` (encode.go, decode.go, stream.go, cache.go, bytestring.go, simplevalue.go, structfields.go, tag.go, omitzero_.go, README.md, common.go, etc.)	Major API changes: replace many interface{} usages with any (Marshal/Unmarshal/Decoder/Encoder), add TextMarshaler/TextUnmarshaler modes and Transcoder interface, UnmarshalCBOR well-formedness wrappers, omitzero support, reflect.Pointer updates, cache/isZero plumbing, and Go 1.24 compat files.
CEL-Go vendored upgrades & features `vendor/github.com/google/cel-go/**` (cel/, common/, ext/, interpreter/, checker/, templates/, BUILD.bazel, etc.)	Large vendored changes: config model (common/env) and FromConfig, Activation/PartialActivation aliases and NewActivation, ToConfig/ExtensionOptionFactory, documentation AST and docs APIs, overload docs/examples, string.format v2 and formatting_v2, list cost tracking, new extensions (regex, math.sqrt), ObservableInterpretable, PlannerOption/StatefulObserver/EvalState, and many public helper APIs.
Miscellaneous vendor / build `vendor/cel.dev/expr/MODULE.bazel`, various vendor BUILD files and added sources	Bazel and build updates: add new sources, templates, tests, and deps for newly vendored functionality (templates, prompt, formatting_v2, regex, format.go, etc.).

Sequence Diagram(s)

sequenceDiagram
    participant C as Converter
    participant CAPA as CAPI AWSMachine
    participant MAPI as MAPI ProviderSpec

    Note over C,CAPA: HostAffinity → HostPlacement mapping

    CAPA->>C: AWSMachine spec (HostAffinity, HostID)
    C->>C: validate HostAffinity/HostID (regex for dedicated host ID)
    alt HostAffinity == "host"
        C->>MAPI: HostPlacement = DedicatedHost{ID: HostID}
    else HostAffinity == "default" or nil
        C->>MAPI: HostPlacement = AnyAvailable
    else invalid
        C->>C: append errUnsupportedHostAffinityType / errHostIDRequred
    end
    C->>Caller: return providerSpec or errors

sequenceDiagram
    participant U as User
    participant W as fsnotify.Watcher
    participant S as shared

    Note over W,S: shared lifecycle for backends

    U->>W: newBackend(ev, errs)
    W->>S: shared = newShared(ev, errs)
    W->>W: start readEvents goroutine
    loop filesystem events
        W->>W: handleEvent(raw)
        W->>S: shared.sendEvent(Event{...})
        S->>U: deliver event on Events channel
    end
    U->>W: Close()
    W->>S: shared.close()
    S->>W: signal readEvents to drain/stop

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~60 minutes

Focus areas for review:

CEL-Go interpreter/planner/stateful observer and ObservableInterpretable public API changes (vendor/github.com/google/cel-go/interpreter, interpretable).
fsnotify backend refactor across platforms (fen, inotify, kqueue, windows): shared lifecycle, Close/drain semantics, error wrapping and symlink/not-exist handling.
fxamacker/cbor public API changes (interface{} → any), new Transcoder/TextMarshaler/TextUnmarshaler options, and well-formedness/UnmarshalCBOR helpers.
AWS HostAffinity/HostID conversion logic and associated tests/fuzzers (pkg/conversion/*).
common/env FromConfig, ExtensionOptionFactory, templates and newly added vendored extensions (regex, formatting_v2) for integration and build correctness.

Poem

🐇 I hopped through modules, small and spry,
HostAffinity tucked beneath the sky.
fsnotify found a shared, steady beat,
CBOR and CEL learned new ways to meet.
A rabbit's cheer — merge, test, and fly!

Pre-merge checks and finishing touches

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 68.33% which is insufficient. The required threshold is 80.00%.	You can run `@coderabbitai generate docstrings` to improve docstring coverage.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The PR title clearly summarizes the primary feature: AWS dedicated host support. It's concise, specific, and directly reflects the main change in the changeset.

✨ Finishing touches

📝 Generate docstrings

🧪 Generate unit tests (beta)

Create PR with unit tests
Post copyable unit tests in a comment

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

openshift-ci-robot · 2025-10-01T19:02:32Z

@vr4manta: This pull request references SPLAT-2167 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.21.0" version, but no target version was set.

In response to this:

SPLAT-2167

Changes

Added dedicated host support for AWS

Dependencies

SPLAT-2206: Added AWS dedicated host support api#2484

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

openshift-ci-robot · 2025-11-11T14:12:05Z

@vr4manta: This pull request references SPLAT-2167 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.21.0" version, but no target version was set.

In response to this:

SPLAT-2167

Changes

Added dedicated host support for AWS

Dependencies

SPLAT-2206: Added AWS dedicated host support api#2484

SPLAT-2167: Added dedicated hosts support for AWS machine-api-operator#1419

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

vr4manta · 2025-11-11T17:19:14Z

/test all

vr4manta · 2025-11-11T18:56:24Z

/test all

openshift-ci-robot · 2025-11-13T14:53:44Z

@vr4manta: This pull request references SPLAT-2167 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.21.0" version, but no target version was set.

In response to this:

SPLAT-2167

Changes

Added dedicated host support for AWS

Dependencies

SPLAT-2206: Added AWS dedicated host support api#2484

SPLAT-2167: Added dedicated hosts support for AWS machine-api-operator#1419

SPLAT-2540: Added test support for AWS dedicated hosts cluster-api-actuator-pkg#446

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

mtulio · 2025-11-13T18:23:24Z

manifests/0000_30_cluster-api_01_credentials-request.yaml

      - ec2:DescribeDhcpOptions
      - ec2:DescribeImages
      - ec2:DescribeInstances
+      - ec2:DescribeInstanceTypes


I believe it would be nice to add this change to a new commit referencing the reason of adding it (upstream PR, jira feature, etc).

this would be used to document in the future and/or in managed services to eventually update the managed IAM.

Sure! There is a warning message that is caused by this missing. I am not 100% sure this feature introduced it, but I am happy to put into a separate commit.

mtulio · 2025-11-13T18:44:44Z

pkg/conversion/capi2mapi/aws.go

+			mapaProviderConfig.HostPlacement = &mapiv1beta1.HostPlacement{
+				Affinity: ptr.To(mapiv1beta1.HostAffinityDedicatedHost),
+				DedicatedHost: &mapiv1beta1.DedicatedHost{
+					ID: *m.awsMachine.Spec.HostID,


do we need to check HostID isnt nil to be safe or is there already a previous validation of this scenario?

good question. lots of these CRs have checks in their respective webhooks / CRDs. I can add a check here as well. I was on the fence about it.

openshift-ci-robot · 2025-11-14T13:15:41Z

@vr4manta: This pull request references SPLAT-2167 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.21.0" version, but no target version was set.

In response to this:

SPLAT-2167

Changes

Added dedicated host support for AWS

Created new dedicated host tests

Fixed tests that were breaking due to updates upstream that were pulled in

Added missing permission ec2:DescribeInstanceTypes to cluster api credentials request

Dependencies

SPLAT-2206: Added AWS dedicated host support api#2484

SPLAT-2167: Added dedicated hosts support for AWS machine-api-operator#1419

SPLAT-2540: Added test support for AWS dedicated hosts cluster-api-actuator-pkg#446

Notes

There seems to be a required permission that was missing for dedicated host support. When running these changes, a warning event was observed in the cluster capi operator namespace.
6s          Warning   FailedDescribeInstanceTypes   awscluster/ngirard-dh-5bb5w                           insufficient permissions to describe instance types for instance type "m6i.xlarge", falling back to the default architecture of "x86_64": operation error EC2: DescribeInstanceTypes, https response error StatusCode: 403, RequestID: 387549b4-ab58-48af-b14d-3882b6c7da52, api error UnauthorizedOperation: You are not authorized to perform this operation. User: arn:aws:iam::726924432237:user/ngirard-dh-5bb5w-openshift-cluster-api-aws-72f7q is not authorized to perform: ec2:DescribeInstanceTypes because no identity-based policy allows the ec2:DescribeInstanceTypes action

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

openshift-ci-robot · 2025-11-17T17:55:12Z

@vr4manta: This pull request references SPLAT-2167 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.21.0" version, but no target version was set.

In response to this:

SPLAT-2167

Changes

Added dedicated host support for AWS

Created new dedicated host tests

Fixed tests that were breaking due to updates upstream that were pulled in

Added missing permission ec2:DescribeInstanceTypes to cluster api credentials request

Dependencies

SPLAT-2206: Added AWS dedicated host support api#2484

SPLAT-2167: Added dedicated hosts support for AWS machine-api-operator#1419

SPLAT-2540: Added test support for AWS dedicated hosts cluster-api-actuator-pkg#446

Notes

There seems to be a required permission that was missing for dedicated host support. When running these changes, a warning event was observed in the cluster capi operator namespace.
6s          Warning   FailedDescribeInstanceTypes   awscluster/ngirard-dh-5bb5w                           insufficient permissions to describe instance types for instance type "m6i.xlarge", falling back to the default architecture of "x86_64": operation error EC2: DescribeInstanceTypes, https response error StatusCode: 403, RequestID: 387549b4-ab58-48af-b14d-3882b6c7da52, api error UnauthorizedOperation: You are not authorized to perform this operation. User: arn:aws:iam::726924432237:user/ngirard-dh-5bb5w-openshift-cluster-api-aws-72f7q is not authorized to perform: ec2:DescribeInstanceTypes because no identity-based policy allows the ec2:DescribeInstanceTypes action
Summary by CodeRabbit

New Features

AWS machine conversions now honor host-affinity and dedicated-host placement.

CEL: serializable YAML environment configs, regex functions, enhanced string-formatting, and math.sqrt added.

Improvements

Modernized Go/Kubernetes dependencies and tooling.

Cleaner, more consistent error/warning message formatting.

fsnotify robustness improvements for filesystem edge cases.

Expanded CEL standard library documentation and examples.

Bug Fixes

Optional-field selection validation tightened.

Various test expectation adjustments and increased coverage.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

coderabbitai

Actionable comments posted: 1

📜 Review details

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Cache: Disabled due to data retention organization setting

Knowledge base: Disabled due to data retention organization setting

📥 Commits

Reviewing files that changed from the base of the PR and between 3820d2b and d3fc5c3.

📒 Files selected for processing (12)

manifests/0000_30_cluster-api_01_credentials-request.yaml (1 hunks)
pkg/conversion/capi2mapi/aws.go (2 hunks)
pkg/conversion/capi2mapi/aws_fuzz_test.go (3 hunks)
pkg/conversion/capi2mapi/aws_test.go (6 hunks)
pkg/conversion/capi2mapi/machine_test.go (1 hunks)
pkg/conversion/capi2mapi/openstack_test.go (6 hunks)
pkg/conversion/capi2mapi/powervs_test.go (3 hunks)
pkg/conversion/mapi2capi/aws.go (2 hunks)
pkg/conversion/mapi2capi/aws_fuzz_test.go (3 hunks)
pkg/conversion/mapi2capi/aws_test.go (8 hunks)
pkg/conversion/mapi2capi/machine_test.go (1 hunks)
pkg/conversion/mapi2capi/powervs_test.go (2 hunks)

🚧 Files skipped from review as they are similar to previous changes (7)

pkg/conversion/mapi2capi/powervs_test.go
manifests/0000_30_cluster-api_01_credentials-request.yaml
pkg/conversion/mapi2capi/machine_test.go
pkg/conversion/mapi2capi/aws.go
pkg/conversion/capi2mapi/machine_test.go
pkg/conversion/capi2mapi/openstack_test.go
pkg/conversion/capi2mapi/aws_fuzz_test.go

🔇 Additional comments (8)

pkg/conversion/mapi2capi/aws_fuzz_test.go (2)

167-180: LGTM! Well-structured fuzzing for HostPlacement.

The fuzzing function correctly exercises both valid HostAffinity variants (AnyAvailable and DedicatedHost with a valid host ID pattern), providing good coverage for the new HostPlacement feature.

140-140: Good - clearing CPUOptions for fuzzing.

This aligns with the pattern of clearing unsupported fields in the provider config during fuzzing.

pkg/conversion/capi2mapi/powervs_test.go (1)

100-100: LGTM! Test expectations updated for JSON-like error formatting.

The error message updates reflect a consistent pattern of representing nested objects in JSON-like format rather than Go struct notation, aligning with Kubernetes API conventions.

Also applies to: 125-125, 150-150

pkg/conversion/capi2mapi/aws.go (1)

172-194: HostAffinity conversion logic is sound.

The implementation correctly handles the three cases (host with HostID, default, and unsupported values) and properly validates that HostID is present when needed. The nil check on line 176 addresses the concern from the past review comment.

pkg/conversion/mapi2capi/aws_test.go (2)

96-121: Good test coverage for HostPlacement scenarios.

The test entries appropriately cover both valid HostPlacement configurations (AnyAvailable and DedicatedHost). The test structure integrates well with the existing table-driven test approach.

132-132: LGTM! Error message formatting updated consistently.

The JSON-like representation of nested objects in error messages aligns with Kubernetes API conventions and matches the formatting changes across other test files in this PR.

Also applies to: 211-211, 246-246, 258-258, 348-348, 394-394

pkg/conversion/capi2mapi/aws_test.go (2)

72-98: Comprehensive test coverage for HostAffinity conversion.

The three test entries thoroughly exercise the HostAffinity conversion logic: valid "default" affinity, valid "host" affinity with HostID, and unsupported affinity value with error handling. Good coverage of both positive and negative scenarios.

138-138: LGTM! Consistent error formatting across test expectations.

The JSON-like representation of complex objects in error messages maintains consistency with the broader error formatting improvements throughout this PR.

Also applies to: 147-147, 171-171, 179-179, 190-190, 203-203

pkg/conversion/capi2mapi/aws.go

openshift-ci-robot · 2025-11-17T18:12:13Z

@vr4manta: This pull request references SPLAT-2167 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.21.0" version, but no target version was set.

In response to this:

SPLAT-2167

Changes

Added dedicated host support for AWS

Created new dedicated host tests

Fixed tests that were breaking due to updates upstream that were pulled in

Added missing permission ec2:DescribeInstanceTypes to cluster api credentials request

Dependencies

SPLAT-2206: Added AWS dedicated host support api#2484

SPLAT-2167: Added dedicated hosts support for AWS machine-api-operator#1419

SPLAT-2540: Added test support for AWS dedicated hosts cluster-api-actuator-pkg#446

Notes

There seems to be a required permission that was missing for dedicated host support. When running these changes, a warning event was observed in the cluster capi operator namespace.
6s          Warning   FailedDescribeInstanceTypes   awscluster/ngirard-dh-5bb5w                           insufficient permissions to describe instance types for instance type "m6i.xlarge", falling back to the default architecture of "x86_64": operation error EC2: DescribeInstanceTypes, https response error StatusCode: 403, RequestID: 387549b4-ab58-48af-b14d-3882b6c7da52, api error UnauthorizedOperation: You are not authorized to perform this operation. User: arn:aws:iam::726924432237:user/ngirard-dh-5bb5w-openshift-cluster-api-aws-72f7q is not authorized to perform: ec2:DescribeInstanceTypes because no identity-based policy allows the ec2:DescribeInstanceTypes action
Summary by CodeRabbit

New Features

AWS conversions: host-affinity / dedicated-host placement supported.

CEL: serializable YAML environment configs, regex library, new string-formatting v2, and math.sqrt.

Improvements

Upgraded Go/Kubernetes/tooling dependencies.

Cleaner, more consistent error and warning formatting.

fsnotify: more robust handling of transient filesystem edge cases.

Bug Fixes

Optional-field selection validation tightened.

Updated test expectations and added coverage.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

coderabbitai

Actionable comments posted: 5

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (5)

vendor/github.com/google/cel-go/cel/BUILD.bazel (1)

1-98: Incomplete vendoring of google/cel-go v0.26.0: missing test files and testdata directory will cause build failures.

The BUILD.bazel file references files and directories that do not exist in the vendored google/cel-go:

Line 70: prompt_test.go listed in test srcs — file not found in vendor/github.com/google/cel-go/cel/

Lines 79-81: embedsrcs references //cel/testdata:prompts — testdata/ directory does not exist

The vendored library version v0.26.0 is appropriate (no CVEs), but the vendor is incomplete. These missing files will cause Bazel build failures when the test target attempts to compile.

Re-vendor google/cel-go v0.26.0 to include the missing prompt_test.go file and testdata directory.
vendor/github.com/google/cel-go/ext/formatting.go (1)
313-341: Fix %e precision format string in stringFormatter.Scientific

The Scientific method builds the format string as fmt.Sprintf("%%%de", *precision), which produces "%3e" (field width 3) instead of "%.3e" (precision 3). The Fixed method at line 303 correctly uses fmt.Sprintf("%%.%df", *precision).

Change line 339 to:
- fmtStr := fmt.Sprintf("%%%de", *precision)
+ fmtStr := fmt.Sprintf("%%.%de", *precision)
This ensures the precision parameter is correctly applied to scientific notation output.
vendor/github.com/fsnotify/fsnotify/backend_windows.go (1)
79-89: sendError can steal the Close() handshake and deadlock shutdown

When Close() writes its reply channel into w.done and wakes the IO thread, there may still be pending completion events. For those, the IO thread runs the normal path (where watch != nil) and can call sendError. Because sendError currently does:
select {
case <-w.done:
    return false
case w.Errors <- err:
    return true
}
it may consume the handshake value from w.done before readEvents()’s watch == nil branch sees it. In that case:

The watch == nil branch’s select never receives ch, so the cleanup/close logic at Lines 496–517 is never executed.

Close() stays blocked on <-ch forever.

The IO thread keeps running and resources are leaked.

To preserve the handshake semantics and avoid this deadlock, sendError should mirror sendEvent by re‑queueing the channel and treating its presence as “watcher is closing”, without discarding it:
 func (w *readDirChangesW) sendError(err error) bool {
 	if err == nil {
 		return true
 	}
-	select {
-	case <-w.done:
-		return false
-	case w.Errors <- err:
-		return true
-	}
+	select {
+	case ch := <-w.done:
+		// Preserve the Close() handshake message for readEvents() and
+		// signal to callers that the watcher is closing.
+		w.done <- ch
+		return false
+	case w.Errors <- err:
+		return true
+	}
 }
This keeps the Close handshake intact while still allowing callers of sendError to detect that the watcher is shutting down.

Also applies to: 495-517
vendor/github.com/fsnotify/fsnotify/backend_inotify.go (1)
82-110: Recursive inotify removal can over‑remove watches due to plain HasPrefix

In watches.removePath, the recursive removal case uses:
for p, rwd := range w.path {
    if strings.HasPrefix(p, path) {
        delete(w.path, p)
        delete(w.wd, rwd)
        wds = append(wds, rwd)
    }
}
This treats any path that merely shares a string prefix as being “under” the recursive root. For example, removing /tmp/foo/... will also match /tmp/foobar, so a recursive watch on /tmp/foo can inadvertently tear down watches on /tmp/foobar.

Consider tightening the condition to be path‑separator aware so only true descendants are removed:
-	for p, rwd := range w.path {
-		if strings.HasPrefix(p, path) {
+	for p, rwd := range w.path {
+		if p == path || strings.HasPrefix(p, path+string(os.PathSeparator)) {
 			delete(w.path, p)
 			delete(w.wd, rwd)
 			wds = append(wds, rwd)
 		}
 	}
This preserves the intended recursive behavior without affecting unrelated paths that just happen to share a prefix.
vendor/github.com/fsnotify/fsnotify/backend_kqueue.go (1)
608-638: dirChange stops scanning the directory on benign per‑file errors

In dirChange, when iterating directory entries:
fi, err := f.Info()
if err != nil {
	if errors.Is(err, os.ErrNotExist) {
		return nil
	}
	return fmt.Errorf("fsnotify.dirChange: %w", err)
}
...
err = w.sendCreateIfNew(filepath.Join(dir, fi.Name()), fi)
if err != nil {
	// Don't need to send an error if this file isn't readable.
	if errors.Is(err, unix.EACCES) || errors.Is(err, unix.EPERM) || errors.Is(err, os.ErrNotExist) {
		return nil
	}
	return fmt.Errorf("fsnotify.dirChange: %w", err)
}
For races where a single file disappears between ReadDir and Info(), or where a specific file is unreadable, this code returns nil and stops processing the rest of the directory. That means subsequent files in the same directory will not get Create events in this pass, even though they are perfectly valid.

A more robust pattern is to skip only the problematic entry and continue scanning:
-		fi, err := f.Info()
-		if err != nil {
-			if errors.Is(err, os.ErrNotExist) {
-				return nil
-			}
-			return fmt.Errorf("fsnotify.dirChange: %w", err)
-		}
+		fi, err := f.Info()
+		if err != nil {
+			if errors.Is(err, os.ErrNotExist) {
+				// This entry disappeared; skip it but keep processing others.
+				continue
+			}
+			return fmt.Errorf("fsnotify.dirChange: %w", err)
+		}
@@
-		err = w.sendCreateIfNew(filepath.Join(dir, fi.Name()), fi)
-		if err != nil {
-			// Don't need to send an error if this file isn't readable.
-			if errors.Is(err, unix.EACCES) || errors.Is(err, unix.EPERM) || errors.Is(err, os.ErrNotExist) {
-				return nil
-			}
-			return fmt.Errorf("fsnotify.dirChange: %w", err)
-		}
+		err = w.sendCreateIfNew(filepath.Join(dir, fi.Name()), fi)
+		if err != nil {
+			// Don't need to send an error if this file isn't readable.
+			if errors.Is(err, unix.EACCES) || errors.Is(err, unix.EPERM) || errors.Is(err, os.ErrNotExist) {
+				// Skip this entry but keep walking the directory.
+				continue
+			}
+			return fmt.Errorf("fsnotify.dirChange: %w", err)
+		}
This preserves the intent of ignoring per‑file permission/disappearance issues without dropping events for other files in the same directory.

♻️ Duplicate comments (8)

vendor/github.com/google/cel-go/ext/README.md (1)
359-375: Math.Sqrt documentation contradicts behavior for negative inputs—duplicated concern.

This issue was flagged in a previous review: the description states "Throws error for negative or non-numeric inputs" (line 364), but the example shows math.sqrt(-15) // returns NaN (line 374). Go's math.Sqrt returns NaN when called with a negative number—it does not throw an error. Update the description to align with the example: "Returns NaN for negative numeric inputs; throws error for non-numeric inputs."

Suggested fix:
-Throws error for negative or non-numeric inputs
+Returns NaN for negative numeric inputs; throws error for non-numeric inputs
vendor/github.com/google/cel-go/checker/decls/decls.go (1)

94-103: The unused doc parameter issue persists

This issue was already flagged in a previous review. The NewFunctionWithDoc function accepts a doc parameter but never uses it (line 101 is commented out). Since this is vendored code from github.com/google/cel-go, consider reporting this upstream if not already done, as it creates a misleading API surface.

vendor/github.com/google/cel-go/ext/math.go (1)

328-344: Vendored code update approved; documentation inconsistency is an upstream issue.

The documentation inconsistency flagged in previous reviews (line 334 claims errors for negative inputs, but line 344 example and implementation both show NaN is returned for negatives) remains present. However, this is vendored code from github.com/google/cel-go and cannot be fixed directly in this PR. The actual sqrt implementation is correct—it follows standard Go math.Sqrt behavior (returning NaN for negative numeric inputs per IEEE 754).

If not already done, consider reporting the documentation issue to the upstream CEL-Go project.

Also applies to: 726-738
vendor/github.com/google/cel-go/ext/extension_option_factory.go (1)
24-42: Guard against nil *env.Extension to avoid a potential panic

If configElement is (*env.Extension)(nil), the type assertion succeeds (isExtension == true) but ext is nil. Accessing ext.Name, ext.Version, or calling ext.VersionNumber() will then panic.

A small defensive check keeps this robust against malformed configs:
func ExtensionOptionFactory(configElement any) (cel.EnvOption, bool) {
-	ext, isExtension := configElement.(*env.Extension)
-	if !isExtension {
+	ext, isExtension := configElement.(*env.Extension)
+	if !isExtension || ext == nil {
 		return nil, false
 	}
This preserves current behavior for valid inputs while avoiding a crash if a nil extension is ever passed through.
vendor/github.com/google/cel-go/ext/strings.go (1)

346-354: StringsValidateFormatCalls is now a deprecated no‑op (behavior change)

StringsValidateFormatCalls ignores its boolean and just returns the library unchanged, while validation is now always enabled for version >= 1 via the AST validators. Existing callers lose the ability to disable validation; this is effectively a behavioral change kept only for API compatibility.

If you haven’t already, it’s worth making this explicit in higher‑level docs/release notes so consumers don’t expect the flag to do anything.
vendor/github.com/google/cel-go/cel/env.go (1)
180-215: Handle errors from NewCustomEnv / Lib(lib) in ToConfig to avoid panics

ToConfig currently ignores both errors and may leave libEnv nil before calling libEnv.Functions():
libEnv, _ := NewCustomEnv()
libEnv, _ = Lib(lib)(libEnv)
for fnName, fnDecl := range libEnv.Functions() {
    ...
}
If either call fails, this will panic. Please propagate these errors (or at least bail out) before iterating:
-       libEnv, _ := NewCustomEnv()
-       libEnv, _ = Lib(lib)(libEnv)
+       libEnv, err := NewCustomEnv()
+       if err != nil {
+           return nil, fmt.Errorf("failed to construct library env for %q: %w", libName, err)
+       }
+       libEnv, err = Lib(lib)(libEnv)
+       if err != nil {
+           return nil, fmt.Errorf("failed to apply library %q: %w", libName, err)
+       }
This keeps ToConfig failure modes predictable and avoids nil-dereference crashes if a library setup ever fails.
vendor/github.com/google/cel-go/common/env/env.go (2)
257-267: Nil pointer dereference risk remains unaddressed.

This issue was previously flagged: v.GetType() can return nil (when both v.TypeDesc and v.Type are nil), and calling Validate() on a nil pointer will panic instead of returning a validation error.

Since this is vendored code from google/cel-go, the fix should be applied upstream first.

Please verify whether the upstream google/cel-go repository has addressed this issue in a newer version:
#!/bin/bash
# Check the upstream version being vendored and compare with latest
echo "=== Checking vendored version ==="
grep "github.com/google/cel-go" go.mod

echo -e "\n=== Checking for related upstream issues/PRs ==="
gh search issues --repo google/cel-go "GetType Validate nil" --limit 5

echo -e "\n=== Checking latest releases ==="
gh release list --repo google/cel-go --limit 5
399-421: Nil pointer dereference risks remain despite "addressed" status.

This issue was previously flagged and marked as "✅ Addressed in commits 5cf34cd to c7f7c0d", but the code still contains the problems:

Line 413: arg.Validate() is called without checking if arg is nil

Line 417: od.Return.Validate() is called without checking if od.Return is nil

These can panic when YAML configuration omits arg or return types. Since this is vendored code from google/cel-go, the fix should be applied upstream first.

The previous "addressed" status appears inconsistent with the current code. Please verify:
#!/bin/bash
# Check if the fix exists in commits mentioned
echo "=== Checking commits 5cf34cd to c7f7c0d ==="
git log --oneline --grep="Overload\|Validate\|nil" 5cf34cd..c7f7c0d 2>/dev/null || echo "Commits not found in current branch"

echo -e "\n=== Checking current vendored code for nil checks ==="
rg -n "for.*arg.*range.*Args" vendor/github.com/google/cel-go/common/env/env.go -A 3 -B 1
rg -n "od\.Return\.Validate" vendor/github.com/google/cel-go/common/env/env.go -A 1 -B 1

echo -e "\n=== Checking upstream for fixes ==="
gh search issues --repo google/cel-go "Overload Validate nil args return" --limit 5

🧹 Nitpick comments (14)

vendor/github.com/google/cel-go/ext/README.md (1)
415-415: Replace bold emphasis with proper Markdown headings (MD036).

Multiple sections use bold text instead of heading syntax, violating Markdown conventions. Each should be a level-4 heading (####) or adjusted to match the documentation style. For example:

Line 415: **Introduced in version 2 (cost support in version 3)**

Line 429: **Introduced in version 1 (cost support in version 3)**

Line 448, 461, 474, 487, 504: similar pattern

Apply this pattern to all occurrences:
-**Introduced in version X (cost support in version Y)**
+#### Introduced in version X (cost support in version Y)
Also applies to: 429-429, 448-448, 461-461, 474-474, 487-487, 504-504
vendor/github.com/google/cel-go/cel/io.go (1)

105-109: New ExprToString helper is a straightforward, useful export

The exported ExprToString wrapper around parser.Unparse looks correct and makes expression unparsing reusable from an ast.Expr + SourceInfo. Only tiny nit (optional): the doc comment is split with a blank // line in the middle of a sentence; if you touch this again, consider collapsing it into a single coherent paragraph.

vendor/github.com/google/cel-go/common/stdlib/standard.go (1)

945-1058: Time-zone helpers look correct; optional robustness considerations

The new timestampGet* helpers and inTimeZone correctly:

Reuse a shared inTimeZone path with either IANA locations or (+|-)HH:MM-style offsets.

Implement 0-based month/day-of-year/day-of-month and 1-based date semantics as per the docs.

Derive fixed-offset zones from minute offsets without overflow risk in the documented range.

Two optional hardening ideas if you expect user-supplied tz strings to be noisy:

Add defensive type checks in inTimeZone (e.g., verify ts is types.Timestamp and tz is types.String with safe casts) instead of relying solely on the type system to avoid panics.

Enforce the documented offset format (e.g., simple validation before parsing), so obviously invalid strings fail with a clearer error rather than producing a surprising offset.

Current implementation is functionally sound as-is; these would just improve resilience to bad inputs.

vendor/github.com/fxamacker/cbor/v2/bytestring.go (1)

41-62: ByteString unmarshal flow with explicit well-formedness check looks sound

Splitting ByteString decoding into:

an exported UnmarshalCBOR that validates well‑formedness via decoder.wellformed, and

an internal unmarshalCBOR that assumes well‑formed data, handles null/undefined as empty, and enforces the byte‑string type,

preserves existing semantics while making direct uses of UnmarshalCBOR consistent with package‑level Unmarshal. The duplicate nil‑receiver guard in both methods is safe (just slightly redundant) and not a blocker.

Also applies to: 64-90

vendor/github.com/fxamacker/cbor/v2/simplevalue.go (1)

50-72: SimpleValue unmarshal changes correctly separate validation from decoding

The new pattern where SimpleValue.UnmarshalCBOR:

performs a nil‑receiver check,

validates the CBOR item with wellformed, then

defers to an internal unmarshalCBOR that assumes well‑formed data and enforces the simple‑value type,

is consistent with the ByteString changes and keeps exported behavior backwards compatible while tightening validation. The small duplication between the two methods (nil check and decoder creation) is acceptable here and can be refactored later if desired.

Also applies to: 74-83, 84-98
vendor/github.com/fxamacker/cbor/v2/encode.go (1)
439-447: Minor doc fixes (optional).

“FieldNameToTextString encodes … byte string” comment is mismatched; should reference FieldNameToByteString.

“IEEE 764” -> “IEEE 754”.
- // FieldNameToTextString encodes struct fields to CBOR byte string (major type 2).
+ // FieldNameToByteString encodes struct fields to CBOR byte string (major type 2).
- // the 64-bit floating point value. I.e., the floating point encoding can be IEEE 764:
+ // the 64-bit floating point value. I.e., the floating point encoding can be IEEE 754:
Also applies to: 331-355
pkg/conversion/capi2mapi/aws_fuzz_test.go (1)

31-36: HostPlacement fuzzing looks good; consider clearing HostID and reusing helper for templates

The new HostPlacement fuzzing nicely exercises HostAffinity/HostID combinations and uses a valid-looking host ID.

Two optional improvements to consider:

When HostAffinity is nil or "default", HostID may still hold a random value from c.FillNoCustom(spec). If the conversion logic expects HostID to be nil unless affinity is "host", you might want to explicitly reset spec.HostID = nil in those branches to better represent valid “happy path” states.

For parity, you could reuse fuzzAWSMachineSpecHostPlacement inside awsMachineTemplateFuzzerFuncs (e.g., against &m.Spec.Template.Spec) so MachineSet/Template paths get the same HostPlacement coverage as standalone AWSMachine fuzzing.

Also applies to: 157-174, 211-221

vendor/github.com/google/cel-go/common/types/format.go (1)

1-42: New Format API is coherent; consider a small tweak to the fallback path

The Format / formatTo design is solid: it lets built-ins implement formattable, then gracefully falls back to list/map traits, and finally to generic formatting.

If you ever want to polish edge cases further, you might:

Treat a nil ref.Val specially (e.g., emit "null"/"<nil>"), and/or

Use %v instead of %s in the final fmt.Fprintf to avoid %!s(<nil>)-style diagnostics for non-string values.

Purely optional; current behavior is acceptable for a best-effort human-readable formatter.

pkg/conversion/mapi2capi/aws_test.go (1)

96-121: HostPlacement AnyAvailable/DedicatedHost test entries look good; consider negative cases if not covered elsewhere

Folding the dedicated host scenarios into the main DescribeTable and exercising both HostAffinityAnyAvailable and HostAffinityDedicatedHost with a realistic host ID gives nice coverage of the supported paths and keeps expectations (no errors/warnings) explicit.

If negative HostPlacement cases (e.g., missing/invalid host ID, unsupported affinity) are not already covered in other tests, it could be worth adding a couple of entries here to lock in the failure behavior as well. Otherwise this section looks solid.

Also applies to: 429-430
vendor/github.com/google/cel-go/ext/strings.go (1)
349-350: Use Go’s standard deprecation comment form

The lone // Deprecated marker won’t be picked up by Go tooling. To integrate with go doc and linters, it should start with Deprecated: and ideally explain the behavior.

For example:
-// Deprecated
-func StringsValidateFormatCalls(value bool) StringsOption {
+// Deprecated: StringsValidateFormatCalls is a no-op; validation is always enabled
+// for string.format() when version >= 1. Calls can be safely removed.
+func StringsValidateFormatCalls(value bool) StringsOption {
vendor/github.com/google/cel-go/cel/env.go (1)
589-592: Return a true copy from Validators() to avoid external mutation

Validators() currently returns a slice header pointing at the original backing array:
func (e *Env) Validators() []ASTValidator {
    return e.validators[:]
}
Callers can mutate this slice (append, re-order, replace elements) and affect the environment’s internal state.

For consistency with Functions() and Variables(), consider copying into a new slice:
func (e *Env) Validators() []ASTValidator {
-   return e.validators[:]
+   shallowCopy := make([]ASTValidator, len(e.validators))
+   copy(shallowCopy, e.validators)
+   return shallowCopy
}
This keeps Env’s validator configuration encapsulated.
vendor/github.com/google/cel-go/interpreter/interpreter.go (1)
260-272: Defensively guard against PlannerOption returning nil in NewInterpretable

NewInterpretable applies each PlannerOption in sequence:
p := newPlanner(...)
var err error
for _, o := range opts {
    p, err = o(p)
    if err != nil {
        return nil, err
    }
}
return p.Plan(checked.Expr())
If a PlannerOption accidentally returns nil without error, p.Plan will panic. Since PlannerOption is now part of the public surface, it’s cheap to harden this:
for _, o := range opts {
    p, err = o(p)
    if err != nil {
        return nil, err
    }
+   if p == nil {
+       return nil, errors.New("planner option returned nil planner")
+   }
}
This keeps failures in user-supplied planner options as normal errors instead of panics.
vendor/github.com/google/cel-go/ext/formatting.go (1)
705-713: formatError.Is compares by message; consider including the id for disambiguation

formatError.Is currently treats two errors as equal if their messages match:
func (e formatError) Is(target error) bool {
    return e.msg == target.Error()
}
This ignores the id field, so distinct errors on different expressions that happen to share the same message will be indistinguishable to errors.Is.

If you rely on errors.Is for matching specific format errors, consider also checking id (e.g., assert target is a formatError and compare both fields). If not, this is fine but worth being aware of.
vendor/github.com/fsnotify/fsnotify/CHANGELOG.md (1)

3-4: Markdown heading style inconsistency (vendored file).

Static analysis flagged that lines 3–4 and line 36 use setext-style headings (underlines with dashes) instead of ATX-style (##). However, the entire file consistently uses setext style, so this is not an isolated issue. If the project enforces ATX-style headings, this would require a full file reformat rather than a local change. Since this is a vendored dependency file, verify whether it should be manually edited at all, or if it's typically regenerated/updated from upstream.

Consider whether vendored changelogs are maintained manually or auto-generated from upstream. If manual edits are needed, ensure consistency with the file's existing style or standardize across the entire file.

Also applies to: 36-36

📜 Review details

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Cache: Disabled due to data retention organization setting

Knowledge base: Disabled due to data retention organization setting

📥 Commits

Reviewing files that changed from the base of the PR and between d3fc5c3 and c7f7c0d.

⛔ Files ignored due to path filters (6)

e2e/go.sum is excluded by !**/*.sum
go.sum is excluded by !**/*.sum
go.work.sum is excluded by !**/*.sum
hack/tools/go.sum is excluded by !**/*.sum
manifests-gen/go.sum is excluded by !**/*.sum
vendor/cel.dev/expr/eval.pb.go is excluded by !**/*.pb.go

📒 Files selected for processing (107)

e2e/go.mod (5 hunks)
go.mod (7 hunks)
hack/tools/go.mod (4 hunks)
manifests-gen/go.mod (5 hunks)
manifests/0000_30_cluster-api_01_credentials-request.yaml (1 hunks)
pkg/conversion/capi2mapi/aws.go (3 hunks)
pkg/conversion/capi2mapi/aws_fuzz_test.go (3 hunks)
pkg/conversion/capi2mapi/aws_test.go (6 hunks)
pkg/conversion/capi2mapi/machine_test.go (1 hunks)
pkg/conversion/capi2mapi/openstack_test.go (6 hunks)
pkg/conversion/capi2mapi/powervs_test.go (3 hunks)
pkg/conversion/mapi2capi/aws.go (2 hunks)
pkg/conversion/mapi2capi/aws_fuzz_test.go (3 hunks)
pkg/conversion/mapi2capi/aws_test.go (8 hunks)
pkg/conversion/mapi2capi/machine_test.go (1 hunks)
pkg/conversion/mapi2capi/powervs_test.go (2 hunks)
vendor/cel.dev/expr/MODULE.bazel (4 hunks)
vendor/github.com/fsnotify/fsnotify/.cirrus.yml (1 hunks)
vendor/github.com/fsnotify/fsnotify/CHANGELOG.md (1 hunks)
vendor/github.com/fsnotify/fsnotify/CONTRIBUTING.md (1 hunks)
vendor/github.com/fsnotify/fsnotify/README.md (0 hunks)
vendor/github.com/fsnotify/fsnotify/backend_fen.go (13 hunks)
vendor/github.com/fsnotify/fsnotify/backend_inotify.go (13 hunks)
vendor/github.com/fsnotify/fsnotify/backend_kqueue.go (13 hunks)
vendor/github.com/fsnotify/fsnotify/backend_other.go (1 hunks)
vendor/github.com/fsnotify/fsnotify/backend_windows.go (6 hunks)
vendor/github.com/fsnotify/fsnotify/fsnotify.go (3 hunks)
vendor/github.com/fsnotify/fsnotify/internal/darwin.go (1 hunks)
vendor/github.com/fsnotify/fsnotify/internal/freebsd.go (1 hunks)
vendor/github.com/fsnotify/fsnotify/internal/unix.go (2 hunks)
vendor/github.com/fsnotify/fsnotify/internal/windows.go (1 hunks)
vendor/github.com/fsnotify/fsnotify/shared.go (1 hunks)
vendor/github.com/fsnotify/fsnotify/staticcheck.conf (1 hunks)
vendor/github.com/fxamacker/cbor/v2/README.md (14 hunks)
vendor/github.com/fxamacker/cbor/v2/bytestring.go (1 hunks)
vendor/github.com/fxamacker/cbor/v2/cache.go (7 hunks)
vendor/github.com/fxamacker/cbor/v2/common.go (2 hunks)
vendor/github.com/fxamacker/cbor/v2/decode.go (42 hunks)
vendor/github.com/fxamacker/cbor/v2/doc.go (5 hunks)
vendor/github.com/fxamacker/cbor/v2/encode.go (22 hunks)
vendor/github.com/fxamacker/cbor/v2/encode_map.go (1 hunks)
vendor/github.com/fxamacker/cbor/v2/encode_map_go117.go (0 hunks)
vendor/github.com/fxamacker/cbor/v2/omitzero_go124.go (1 hunks)
vendor/github.com/fxamacker/cbor/v2/omitzero_pre_go124.go (1 hunks)
vendor/github.com/fxamacker/cbor/v2/simplevalue.go (2 hunks)
vendor/github.com/fxamacker/cbor/v2/stream.go (2 hunks)
vendor/github.com/fxamacker/cbor/v2/structfields.go (7 hunks)
vendor/github.com/fxamacker/cbor/v2/tag.go (4 hunks)
vendor/github.com/google/cel-go/cel/BUILD.bazel (5 hunks)
vendor/github.com/google/cel-go/cel/decls.go (4 hunks)
vendor/github.com/google/cel-go/cel/env.go (13 hunks)
vendor/github.com/google/cel-go/cel/folding.go (9 hunks)
vendor/github.com/google/cel-go/cel/io.go (2 hunks)
vendor/github.com/google/cel-go/cel/library.go (15 hunks)
vendor/github.com/google/cel-go/cel/macro.go (1 hunks)
vendor/github.com/google/cel-go/cel/options.go (11 hunks)
vendor/github.com/google/cel-go/cel/program.go (14 hunks)
vendor/github.com/google/cel-go/cel/prompt.go (1 hunks)
vendor/github.com/google/cel-go/cel/templates/authoring.tmpl (1 hunks)
vendor/github.com/google/cel-go/cel/validator.go (6 hunks)
vendor/github.com/google/cel-go/checker/checker.go (1 hunks)
vendor/github.com/google/cel-go/checker/cost.go (1 hunks)
vendor/github.com/google/cel-go/checker/decls/decls.go (3 hunks)
vendor/github.com/google/cel-go/checker/errors.go (1 hunks)
vendor/github.com/google/cel-go/common/BUILD.bazel (2 hunks)
vendor/github.com/google/cel-go/common/ast/ast.go (2 hunks)
vendor/github.com/google/cel-go/common/ast/navigable.go (1 hunks)
vendor/github.com/google/cel-go/common/containers/container.go (4 hunks)
vendor/github.com/google/cel-go/common/decls/BUILD.bazel (1 hunks)
vendor/github.com/google/cel-go/common/decls/decls.go (24 hunks)
vendor/github.com/google/cel-go/common/doc.go (1 hunks)
vendor/github.com/google/cel-go/common/env/BUILD.bazel (1 hunks)
vendor/github.com/google/cel-go/common/env/env.go (1 hunks)
vendor/github.com/google/cel-go/common/stdlib/BUILD.bazel (1 hunks)
vendor/github.com/google/cel-go/common/stdlib/standard.go (10 hunks)
vendor/github.com/google/cel-go/common/types/BUILD.bazel (1 hunks)
vendor/github.com/google/cel-go/common/types/bool.go (2 hunks)
vendor/github.com/google/cel-go/common/types/bytes.go (2 hunks)
vendor/github.com/google/cel-go/common/types/double.go (2 hunks)
vendor/github.com/google/cel-go/common/types/duration.go (2 hunks)
vendor/github.com/google/cel-go/common/types/format.go (1 hunks)
vendor/github.com/google/cel-go/common/types/int.go (2 hunks)
vendor/github.com/google/cel-go/common/types/list.go (1 hunks)
vendor/github.com/google/cel-go/common/types/map.go (2 hunks)
vendor/github.com/google/cel-go/common/types/null.go (2 hunks)
vendor/github.com/google/cel-go/common/types/object.go (2 hunks)
vendor/github.com/google/cel-go/common/types/optional.go (2 hunks)
vendor/github.com/google/cel-go/common/types/string.go (1 hunks)
vendor/github.com/google/cel-go/common/types/timestamp.go (1 hunks)
vendor/github.com/google/cel-go/common/types/types.go (3 hunks)
vendor/github.com/google/cel-go/common/types/uint.go (2 hunks)
vendor/github.com/google/cel-go/ext/BUILD.bazel (4 hunks)
vendor/github.com/google/cel-go/ext/README.md (8 hunks)
vendor/github.com/google/cel-go/ext/bindings.go (4 hunks)
vendor/github.com/google/cel-go/ext/extension_option_factory.go (1 hunks)
vendor/github.com/google/cel-go/ext/formatting.go (18 hunks)
vendor/github.com/google/cel-go/ext/formatting_v2.go (1 hunks)
vendor/github.com/google/cel-go/ext/lists.go (13 hunks)
vendor/github.com/google/cel-go/ext/math.go (4 hunks)
vendor/github.com/google/cel-go/ext/native.go (1 hunks)
vendor/github.com/google/cel-go/ext/regex.go (1 hunks)
vendor/github.com/google/cel-go/ext/sets.go (2 hunks)
vendor/github.com/google/cel-go/ext/strings.go (7 hunks)
vendor/github.com/google/cel-go/interpreter/activation.go (2 hunks)
vendor/github.com/google/cel-go/interpreter/attribute_patterns.go (1 hunks)
vendor/github.com/google/cel-go/interpreter/interpretable.go (13 hunks)
vendor/github.com/google/cel-go/interpreter/interpreter.go (5 hunks)

⛔ Files not processed due to max files limit (40)

vendor/github.com/google/cel-go/interpreter/planner.go
vendor/github.com/google/cel-go/interpreter/runtimecost.go
vendor/github.com/google/cel-go/parser/macro.go
vendor/github.com/google/gnostic-models/compiler/context.go
vendor/github.com/google/gnostic-models/compiler/extensions.go
vendor/github.com/google/gnostic-models/compiler/helpers.go
vendor/github.com/google/gnostic-models/compiler/reader.go
vendor/github.com/google/gnostic-models/jsonschema/models.go
vendor/github.com/google/gnostic-models/jsonschema/reader.go
vendor/github.com/google/gnostic-models/jsonschema/writer.go
vendor/github.com/google/gnostic-models/openapiv2/OpenAPIv2.go
vendor/github.com/google/gnostic-models/openapiv2/document.go
vendor/github.com/google/gnostic-models/openapiv3/OpenAPIv3.go
vendor/github.com/google/gnostic-models/openapiv3/document.go
vendor/github.com/modern-go/reflect2/safe_type.go
vendor/github.com/openshift/api/.ci-operator.yaml
vendor/github.com/openshift/api/.golangci.go-validated.yaml
vendor/github.com/openshift/api/.golangci.yaml
vendor/github.com/openshift/api/AGENTS.md
vendor/github.com/openshift/api/Dockerfile.ocp
vendor/github.com/openshift/api/Makefile
vendor/github.com/openshift/api/OWNERS
vendor/github.com/openshift/api/config/v1/register.go
vendor/github.com/openshift/api/config/v1/types_apiserver.go
vendor/github.com/openshift/api/config/v1/types_authentication.go
vendor/github.com/openshift/api/config/v1/types_cluster_operator.go
vendor/github.com/openshift/api/config/v1/types_cluster_version.go
vendor/github.com/openshift/api/config/v1/types_infrastructure.go
vendor/github.com/openshift/api/config/v1/types_insights.go
vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_00_cluster-version-operator_01_clusteroperators.crd.yaml
vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_00_cluster-version-operator_01_clusterversions-CustomNoUpgrade.crd.yaml
vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_00_cluster-version-operator_01_clusterversions-Default.crd.yaml
vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_00_cluster-version-operator_01_clusterversions-DevPreviewNoUpgrade.crd.yaml
vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_00_cluster-version-operator_01_clusterversions-TechPreviewNoUpgrade.crd.yaml
vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-CustomNoUpgrade.crd.yaml
vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-Default.crd.yaml
vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-DevPreviewNoUpgrade.crd.yaml
vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-TechPreviewNoUpgrade.crd.yaml
vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-Hypershift-CustomNoUpgrade.crd.yaml
vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-Hypershift-Default.crd.yaml

💤 Files with no reviewable changes (2)

vendor/github.com/fsnotify/fsnotify/README.md
vendor/github.com/fxamacker/cbor/v2/encode_map_go117.go

✅ Files skipped from review due to trivial changes (1)

pkg/conversion/mapi2capi/machine_test.go

🚧 Files skipped from review as they are similar to previous changes (28)

vendor/github.com/fsnotify/fsnotify/.cirrus.yml
vendor/github.com/fsnotify/fsnotify/internal/windows.go
vendor/github.com/fsnotify/fsnotify/staticcheck.conf
pkg/conversion/capi2mapi/aws_test.go
pkg/conversion/capi2mapi/powervs_test.go
vendor/github.com/fxamacker/cbor/v2/omitzero_pre_go124.go
vendor/github.com/google/cel-go/common/ast/ast.go
vendor/github.com/google/cel-go/cel/templates/authoring.tmpl
vendor/github.com/google/cel-go/common/types/null.go
vendor/cel.dev/expr/MODULE.bazel
hack/tools/go.mod
pkg/conversion/capi2mapi/openstack_test.go
vendor/github.com/fsnotify/fsnotify/CONTRIBUTING.md
vendor/github.com/google/cel-go/common/decls/BUILD.bazel
vendor/github.com/google/cel-go/ext/formatting_v2.go
vendor/github.com/fsnotify/fsnotify/fsnotify.go
vendor/github.com/google/cel-go/common/BUILD.bazel
vendor/github.com/google/cel-go/common/types/BUILD.bazel
vendor/github.com/google/cel-go/ext/sets.go
manifests/0000_30_cluster-api_01_credentials-request.yaml
vendor/github.com/fxamacker/cbor/v2/omitzero_go124.go
vendor/github.com/google/cel-go/checker/cost.go
vendor/github.com/google/cel-go/common/types/object.go
pkg/conversion/capi2mapi/aws.go
vendor/github.com/fsnotify/fsnotify/internal/darwin.go
vendor/github.com/google/cel-go/ext/bindings.go
vendor/github.com/fsnotify/fsnotify/backend_other.go
vendor/github.com/google/cel-go/common/types/bool.go

🧰 Additional context used

🪛 LanguageTool

vendor/github.com/fxamacker/cbor/v2/README.md

[style] ~7-~7: In American English, abbreviations like “etc.” require a period.
Context: ...Averaison+fxamacker%2Fcbor&type=code), [etc](https://github.com/fxamacker/cbor#who-...

(ETC_PERIOD)

[style] ~726-~726: Some style guides suggest that commas should set off the year in a month-day-year date.
Context: ...5.0) was released on Sunday, August 13, 2023 with new features and important bug fix...

(MISSING_COMMA_AFTER_YEAR)

🪛 markdownlint-cli2 (0.18.1)

vendor/github.com/google/cel-go/ext/README.md

415-415: Emphasis used instead of a heading

(MD036, no-emphasis-as-heading)

429-429: Emphasis used instead of a heading

(MD036, no-emphasis-as-heading)

448-448: Emphasis used instead of a heading

(MD036, no-emphasis-as-heading)

461-461: Emphasis used instead of a heading

(MD036, no-emphasis-as-heading)

474-474: Emphasis used instead of a heading

(MD036, no-emphasis-as-heading)

487-487: Emphasis used instead of a heading

(MD036, no-emphasis-as-heading)

504-504: Emphasis used instead of a heading

(MD036, no-emphasis-as-heading)

vendor/github.com/fxamacker/cbor/v2/README.md

13-13: Images should have alternate text (alt text)

(MD045, no-alt-text)

14-14: Images should have alternate text (alt text)

(MD045, no-alt-text)

16-16: Images should have alternate text (alt text)

(MD045, no-alt-text)

18-18: Images should have alternate text (alt text)

(MD045, no-alt-text)

108-108: Hard tabs
Column: 3

(MD010, no-hard-tabs)

109-109: Hard tabs
Column: 3

(MD010, no-hard-tabs)

110-110: Hard tabs
Column: 3

(MD010, no-hard-tabs)

111-111: Hard tabs
Column: 3

(MD010, no-hard-tabs)

117-117: Hard tabs
Column: 3

(MD010, no-hard-tabs)

118-118: Hard tabs
Column: 3

(MD010, no-hard-tabs)

119-119: Hard tabs
Column: 3

(MD010, no-hard-tabs)

120-120: Hard tabs
Column: 3

(MD010, no-hard-tabs)

121-121: Hard tabs
Column: 3

(MD010, no-hard-tabs)

122-122: Hard tabs
Column: 3

(MD010, no-hard-tabs)

125-125: Hard tabs
Column: 3

(MD010, no-hard-tabs)

126-126: Hard tabs
Column: 3

(MD010, no-hard-tabs)

130-130: Hard tabs
Column: 3

(MD010, no-hard-tabs)

131-131: Hard tabs
Column: 3

(MD010, no-hard-tabs)

133-133: Hard tabs
Column: 3

(MD010, no-hard-tabs)

134-134: Hard tabs
Column: 3

(MD010, no-hard-tabs)

135-135: Hard tabs
Column: 3

(MD010, no-hard-tabs)

159-159: Multiple spaces after blockquote symbol

(MD027, no-multiple-space-blockquote)

165-165: Bare URL used

(MD034, no-bare-urls)

175-175: Hard tabs
Column: 3

(MD010, no-hard-tabs)

176-176: Hard tabs
Column: 3

(MD010, no-hard-tabs)

177-177: Hard tabs
Column: 3

(MD010, no-hard-tabs)

179-179: Hard tabs
Column: 3

(MD010, no-hard-tabs)

183-183: Hard tabs
Column: 3

(MD010, no-hard-tabs)

187-187: Hard tabs
Column: 3

(MD010, no-hard-tabs)

188-188: Hard tabs
Column: 3

(MD010, no-hard-tabs)

192-192: Hard tabs
Column: 3

(MD010, no-hard-tabs)

193-193: Hard tabs
Column: 3

(MD010, no-hard-tabs)

197-197: Hard tabs
Column: 3

(MD010, no-hard-tabs)

198-198: Hard tabs
Column: 3

(MD010, no-hard-tabs)

200-200: Hard tabs
Column: 3

(MD010, no-hard-tabs)

201-201: Hard tabs
Column: 3

(MD010, no-hard-tabs)

205-205: Hard tabs
Column: 3

(MD010, no-hard-tabs)

206-206: Hard tabs
Column: 3

(MD010, no-hard-tabs)

208-208: Hard tabs
Column: 3

(MD010, no-hard-tabs)

209-209: Hard tabs
Column: 3

(MD010, no-hard-tabs)

213-213: Hard tabs
Column: 3

(MD010, no-hard-tabs)

214-214: Hard tabs
Column: 3

(MD010, no-hard-tabs)

215-215: Hard tabs
Column: 3

(MD010, no-hard-tabs)

220-220: Fenced code blocks should have a language specified

(MD040, fenced-code-language)

255-255: Bare URL used

(MD034, no-bare-urls)

256-256: Bare URL used

(MD034, no-bare-urls)

364-364: Bare URL used

(MD034, no-bare-urls)

371-371: Hard tabs
Column: 1

(MD010, no-hard-tabs)

372-372: Hard tabs
Column: 1

(MD010, no-hard-tabs)

374-374: Hard tabs
Column: 1

(MD010, no-hard-tabs)

379-379: Hard tabs
Column: 1

(MD010, no-hard-tabs)

380-380: Hard tabs
Column: 1

(MD010, no-hard-tabs)

381-381: Hard tabs
Column: 1

(MD010, no-hard-tabs)

382-382: Hard tabs
Column: 1

(MD010, no-hard-tabs)

386-386: Hard tabs
Column: 1

(MD010, no-hard-tabs)

387-387: Hard tabs
Column: 1

(MD010, no-hard-tabs)

388-388: Hard tabs
Column: 1

(MD010, no-hard-tabs)

389-389: Hard tabs
Column: 1

(MD010, no-hard-tabs)

390-390: Hard tabs
Column: 1

(MD010, no-hard-tabs)

392-392: Hard tabs
Column: 1

(MD010, no-hard-tabs)

393-393: Hard tabs
Column: 1

(MD010, no-hard-tabs)

394-394: Hard tabs
Column: 1

(MD010, no-hard-tabs)

395-395: Hard tabs
Column: 1

(MD010, no-hard-tabs)

397-397: Hard tabs
Column: 1

(MD010, no-hard-tabs)

398-398: Hard tabs
Column: 1

(MD010, no-hard-tabs)

400-400: Hard tabs
Column: 1

(MD010, no-hard-tabs)

401-401: Hard tabs
Column: 1

(MD010, no-hard-tabs)

403-403: Hard tabs
Column: 1

(MD010, no-hard-tabs)

404-404: Hard tabs
Column: 1

(MD010, no-hard-tabs)

405-405: Hard tabs
Column: 1

(MD010, no-hard-tabs)

406-406: Hard tabs
Column: 1

(MD010, no-hard-tabs)

407-407: Hard tabs
Column: 1

(MD010, no-hard-tabs)

408-408: Hard tabs
Column: 1

(MD010, no-hard-tabs)

483-483: Hard tabs
Column: 1

(MD010, no-hard-tabs)

531-531: Hard tabs
Column: 1

(MD010, no-hard-tabs)

554-554: Hard tabs
Column: 3

(MD010, no-hard-tabs)

555-555: Hard tabs
Column: 3

(MD010, no-hard-tabs)

556-556: Hard tabs
Column: 3

(MD010, no-hard-tabs)

562-562: Hard tabs
Column: 1

(MD010, no-hard-tabs)

563-563: Hard tabs
Column: 1

(MD010, no-hard-tabs)

564-564: Hard tabs
Column: 1

(MD010, no-hard-tabs)

566-566: Hard tabs
Column: 1

(MD010, no-hard-tabs)

576-576: Hard tabs
Column: 1

(MD010, no-hard-tabs)

580-580: Hard tabs
Column: 1

(MD010, no-hard-tabs)

587-587: Hard tabs
Column: 1

(MD010, no-hard-tabs)

588-588: Hard tabs
Column: 1

(MD010, no-hard-tabs)

589-589: Hard tabs
Column: 1

(MD010, no-hard-tabs)

590-590: Hard tabs
Column: 1

(MD010, no-hard-tabs)

591-591: Hard tabs
Column: 1

(MD010, no-hard-tabs)

593-593: Hard tabs
Column: 1

(MD010, no-hard-tabs)

594-594: Hard tabs
Column: 1

(MD010, no-hard-tabs)

595-595: Hard tabs
Column: 1

(MD010, no-hard-tabs)

596-596: Hard tabs
Column: 1

(MD010, no-hard-tabs)

597-597: Hard tabs
Column: 1

(MD010, no-hard-tabs)

599-599: Hard tabs
Column: 1

(MD010, no-hard-tabs)

600-600: Hard tabs
Column: 1

(MD010, no-hard-tabs)

608-608: Hard tabs
Column: 1

(MD010, no-hard-tabs)

609-609: Hard tabs
Column: 1

(MD010, no-hard-tabs)

610-610: Hard tabs
Column: 1

(MD010, no-hard-tabs)

611-611: Hard tabs
Column: 1

(MD010, no-hard-tabs)

612-612: Hard tabs
Column: 1

(MD010, no-hard-tabs)

614-614: Hard tabs
Column: 1

(MD010, no-hard-tabs)

615-615: Hard tabs
Column: 1

(MD010, no-hard-tabs)

616-616: Hard tabs
Column: 1

(MD010, no-hard-tabs)

617-617: Hard tabs
Column: 1

(MD010, no-hard-tabs)

619-619: Hard tabs
Column: 1

(MD010, no-hard-tabs)

620-620: Hard tabs
Column: 1

(MD010, no-hard-tabs)

621-621: Hard tabs
Column: 1

(MD010, no-hard-tabs)

622-622: Hard tabs
Column: 1

(MD010, no-hard-tabs)

623-623: Hard tabs
Column: 1

(MD010, no-hard-tabs)

625-625: Hard tabs
Column: 1

(MD010, no-hard-tabs)

626-626: Hard tabs
Column: 1

(MD010, no-hard-tabs)

631-631: Hard tabs
Column: 1

(MD010, no-hard-tabs)

636-636: Hard tabs
Column: 1

(MD010, no-hard-tabs)

637-637: Hard tabs
Column: 1

(MD010, no-hard-tabs)

638-638: Hard tabs
Column: 1

(MD010, no-hard-tabs)

642-642: Hard tabs
Column: 1

(MD010, no-hard-tabs)

643-643: Hard tabs
Column: 1

(MD010, no-hard-tabs)

644-644: Hard tabs
Column: 1

(MD010, no-hard-tabs)

645-645: Hard tabs
Column: 1

(MD010, no-hard-tabs)

647-647: Hard tabs
Column: 1

(MD010, no-hard-tabs)

648-648: Hard tabs
Column: 1

(MD010, no-hard-tabs)

649-649: Hard tabs
Column: 1

(MD010, no-hard-tabs)

650-650: Hard tabs
Column: 1

(MD010, no-hard-tabs)

652-652: Hard tabs
Column: 1

(MD010, no-hard-tabs)

654-654: Hard tabs
Column: 1

(MD010, no-hard-tabs)

655-655: Hard tabs
Column: 1

(MD010, no-hard-tabs)

656-656: Hard tabs
Column: 1

(MD010, no-hard-tabs)

657-657: Hard tabs
Column: 1

(MD010, no-hard-tabs)

658-658: Hard tabs
Column: 1

(MD010, no-hard-tabs)

660-660: Hard tabs
Column: 1

(MD010, no-hard-tabs)

661-661: Hard tabs
Column: 1

(MD010, no-hard-tabs)

662-662: Hard tabs
Column: 1

(MD010, no-hard-tabs)

663-663: Hard tabs
Column: 1

(MD010, no-hard-tabs)

vendor/github.com/fsnotify/fsnotify/CHANGELOG.md

3-3: Heading style
Expected: atx; Actual: setext

(MD003, heading-style)

36-36: Heading style
Expected: atx; Actual: setext

(MD003, heading-style)

coderabbitai · 2025-11-17T18:20:43Z

vendor/github.com/fsnotify/fsnotify/backend_kqueue.go

 func (w *kqueue) Close() error {
-	w.doneMu.Lock()
-	if w.isClosed() {
-		w.doneMu.Unlock()
+	if w.shared.close() {
 		return nil
 	}
-	close(w.done)
-	w.doneMu.Unlock()

 	pathsToRemove := w.watches.listPaths(false)
 	for _, name := range pathsToRemove {
 		w.Remove(name)
 	}

-	// Send "quit" message to the reader goroutine.
-	unix.Close(w.closepipe[1])
+	unix.Close(w.closepipe[1]) // Send "quit" message to readEvents
 	return nil
 }


⚠️ Potential issue | 🟠 Major

Closing kqueue marks watcher closed before removing watches, leaking fds

Close() currently does:

func (w *kqueue) Close() error { if w.shared.close() { return nil } pathsToRemove := w.watches.listPaths(false) for _, name := range pathsToRemove { w.Remove(name) } unix.Close(w.closepipe[1]) // Send "quit" message to readEvents return nil }

But remove() immediately returns when the watcher is closed:

func (w *kqueue) remove(name string, unwatchFiles bool) error { if w.isClosed() { return nil } // ... unix.Close(info.wd) // ... }

Because shared.close() closes done, subsequent calls to w.Remove/w.remove see w.isClosed() == true and no‑op. That means the per‑path watch descriptors (info.wd) are never unregistered or closed, leaking file descriptors until the process exits.

Reorder Close() so that watches are removed before the shared closed state is set:

func (w *kqueue) Close() error { - if w.shared.close() { - return nil - } - - pathsToRemove := w.watches.listPaths(false) - for _, name := range pathsToRemove { - w.Remove(name) - } - - unix.Close(w.closepipe[1]) // Send "quit" message to readEvents - return nil + if w.isClosed() { + return nil + } + + pathsToRemove := w.watches.listPaths(false) + for _, name := range pathsToRemove { + _ = w.Remove(name) // Ignore ErrNonExistentWatch, consistent with current behavior. + } + + if w.shared.close() { + // Already closed concurrently; nothing left to signal. + return nil + } + + // Send "quit" message to readEvents. + unix.Close(w.closepipe[1]) + return nil }

This ensures all watches are deregistered and their descriptors closed before the watcher is marked closed and the IO loop is signaled to exit, while keeping Close() idempotent.

Also applies to: 286-317

coderabbitai · 2025-11-17T18:20:43Z

vendor/github.com/google/cel-go/cel/prompt.go

+func (p *Prompt) Render(userPrompt string) string {
+	var buffer strings.Builder
+	vars := make([]*common.Doc, len(p.env.Variables()))
+	for i, v := range p.env.Variables() {
+		vars[i] = v.Documentation()
+	}
+	sort.SliceStable(vars, func(i, j int) bool {
+		return vars[i].Name < vars[j].Name
+	})
+	macs := make([]*common.Doc, len(p.env.Macros()))
+	for i, m := range p.env.Macros() {
+		macs[i] = m.(common.Documentor).Documentation()
+	}
+	funcs := make([]*common.Doc, 0, len(p.env.Functions()))
+	for _, f := range p.env.Functions() {
+		if _, hidden := hiddenFunctions[f.Name()]; hidden {
+			continue
+		}
+		funcs = append(funcs, f.Documentation())
+	}
+	sort.SliceStable(funcs, func(i, j int) bool {
+		return funcs[i].Name < funcs[j].Name
+	})
+	inst := &promptInst{
+		Prompt:     p,
+		Variables:  vars,
+		Macros:     macs,
+		Functions:  funcs,
+		UserPrompt: userPrompt}
+	p.tmpl.Execute(&buffer, inst)
+	return buffer.String()
+}


⚠️ Potential issue | 🟡 Minor

Missing error handling in template rendering.

Line 111 calls p.tmpl.Execute(&buffer, inst) but ignores the returned error. If template execution fails, the method returns a potentially incomplete or empty string with no indication of failure.

While this is vendored code from upstream, it's worth noting that callers have no way to detect rendering failures.

🤖 Prompt for AI Agents

In vendor/github.com/google/cel-go/cel/prompt.go around lines 82 to 113, the call to p.tmpl.Execute(&buffer, inst) ignores its returned error; update Render to return (string, error) instead of just string, capture the error from p.tmpl.Execute, and if non-nil return an empty string and the error; update all callers to handle the new (string, error) signature and propagate or log the error as appropriate.

coderabbitai · 2025-11-17T18:20:43Z

vendor/github.com/google/cel-go/common/decls/decls.go

 	if f == nil {
 		return fmt.Errorf("nil function cannot add overload: %s", overload.ID())
 	}
+	if overload == nil {
+		return fmt.Errorf("cannot add nil overload to funciton: %s", f.Name())
+	}


⚠️ Potential issue | 🟡 Minor

🧩 Analysis chain

Fix typo in AddOverload error message

if overload == nil { return fmt.Errorf("cannot add nil overload to funciton: %s", f.Name()) }

Minor nit: "funciton" → "function".

- return fmt.Errorf("cannot add nil overload to funciton: %s", f.Name()) + return fmt.Errorf("cannot add nil overload to function: %s", f.Name())

Purely cosmetic, but easy to fix.

🏁 Script executed:

#!/bin/bash # Verify the typo in the vendor file if [ -f "vendor/github.com/google/cel-go/common/decls/decls.go" ]; then echo "File found. Checking lines 260-265:" sed -n '260,265p' vendor/github.com/google/cel-go/common/decls/decls.go echo "" echo "Searching for 'funciton' typo:" rg "funciton" vendor/github.com/google/cel-go/common/decls/decls.go -n else echo "File not found at expected path. Searching for decls.go files:" find . -name "decls.go" -path "*/cel-go/*" 2>/dev/null | head -20 fi

Length of output: 335

Fix typo in AddOverload error message

Line 264 of vendor/github.com/google/cel-go/common/decls/decls.go contains a typo in the error message: "funciton" should be "function".

- return fmt.Errorf("cannot add nil overload to funciton: %s", f.Name()) + return fmt.Errorf("cannot add nil overload to function: %s", f.Name())

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

if f == nil {

return fmt.Errorf("nil function cannot add overload: %s", overload.ID())

}

if overload == nil {

return fmt.Errorf("cannot add nil overload to funciton: %s", f.Name())

}

if f == nil {

return fmt.Errorf("nil function cannot add overload: %s", overload.ID())

}

if overload == nil {

return fmt.Errorf("cannot add nil overload to function: %s", f.Name())

}

🤖 Prompt for AI Agents

In vendor/github.com/google/cel-go/common/decls/decls.go around lines 260 to 265, fix the typo in the error message by changing "funciton" to "function" so the fmt.Errorf call reads "cannot add nil overload to function: %s" (use f.Name() as before); update only the string literal to correct the spelling.

coderabbitai · 2025-11-17T18:20:43Z

vendor/github.com/google/cel-go/common/stdlib/standard.go

 		// Timestamp / duration functions
 		function(overloads.TimeGetFullYear,
+			decls.FunctionDocs(`get the 0-based full year from a timestamp, UTC unless an IANA timezone is specified.`),
 			decls.MemberOverload(overloads.TimestampToYear,
-				argTypes(types.TimestampType), types.IntType),
+				argTypes(types.TimestampType), types.IntType,
+				decls.OverloadExamples(`timestamp('2023-07-14T10:30:45.123Z').getFullYear() // 2023`),
+				decls.UnaryBinding(func(ts ref.Val) ref.Val {
+					return timestampGetFullYear(ts, utcTZ)
+				})),
 			decls.MemberOverload(overloads.TimestampToYearWithTz,
-				argTypes(types.TimestampType, types.StringType), types.IntType)),
+				argTypes(types.TimestampType, types.StringType), types.IntType,
+				decls.OverloadExamples(`timestamp('2023-01-01T05:30:00Z').getFullYear('-08:00') // 2022`),
+				decls.BinaryBinding(timestampGetFullYear))),

 		function(overloads.TimeGetMonth,
+			decls.FunctionDocs(`get the 0-based month from a timestamp, UTC unless an IANA timezone is specified.`),
 			decls.MemberOverload(overloads.TimestampToMonth,
-				argTypes(types.TimestampType), types.IntType),
+				argTypes(types.TimestampType), types.IntType,
+				decls.OverloadExamples(`timestamp('2023-07-14T10:30:45.123Z').getMonth() // 6`), // July is month 6
+				decls.UnaryBinding(func(ts ref.Val) ref.Val {
+					return timestampGetMonth(ts, utcTZ)
+				})),
 			decls.MemberOverload(overloads.TimestampToMonthWithTz,
-				argTypes(types.TimestampType, types.StringType), types.IntType)),
+				argTypes(types.TimestampType, types.StringType), types.IntType,
+				decls.OverloadExamples(`timestamp('2023-01-01T05:30:00Z').getMonth('America/Los_Angeles') // 11`), // December is month 11
+				decls.BinaryBinding(timestampGetMonth))),

 		function(overloads.TimeGetDayOfYear,
+			decls.FunctionDocs(`get the 0-based day of the year from a timestamp, UTC unless an IANA timezone is specified.`),
 			decls.MemberOverload(overloads.TimestampToDayOfYear,
-				argTypes(types.TimestampType), types.IntType),
+				argTypes(types.TimestampType), types.IntType,
+				decls.OverloadExamples(`timestamp('2023-01-02T00:00:00Z').getDayOfYear() // 1`),
+				decls.UnaryBinding(func(ts ref.Val) ref.Val {
+					return timestampGetDayOfYear(ts, utcTZ)
+				})),
 			decls.MemberOverload(overloads.TimestampToDayOfYearWithTz,
-				argTypes(types.TimestampType, types.StringType), types.IntType)),
+				argTypes(types.TimestampType, types.StringType), types.IntType,
+				decls.OverloadExamples(`timestamp('2023-01-01T05:00:00Z').getDayOfYear('America/Los_Angeles') // 364`),
+				decls.BinaryBinding(timestampGetDayOfYear))),

 		function(overloads.TimeGetDayOfMonth,
+			decls.FunctionDocs(`get the 0-based day of the month from a timestamp, UTC unless an IANA timezone is specified.`),
 			decls.MemberOverload(overloads.TimestampToDayOfMonthZeroBased,
-				argTypes(types.TimestampType), types.IntType),
+				argTypes(types.TimestampType), types.IntType,
+				decls.OverloadExamples(`timestamp('2023-07-14T10:30:45.123Z').getDayOfMonth() // 13`),
+				decls.UnaryBinding(func(ts ref.Val) ref.Val {
+					return timestampGetDayOfMonthZeroBased(ts, utcTZ)
+				})),
 			decls.MemberOverload(overloads.TimestampToDayOfMonthZeroBasedWithTz,
-				argTypes(types.TimestampType, types.StringType), types.IntType)),
+				argTypes(types.TimestampType, types.StringType), types.IntType,
+				decls.OverloadExamples(`timestamp('2023-07-01T05:00:00Z').getDayOfMonth('America/Los_Angeles') // 29`),
+				decls.BinaryBinding(timestampGetDayOfMonthZeroBased))),

 		function(overloads.TimeGetDate,
+			decls.FunctionDocs(`get the 1-based day of the month from a timestamp, UTC unless an IANA timezone is specified.`),
 			decls.MemberOverload(overloads.TimestampToDayOfMonthOneBased,
-				argTypes(types.TimestampType), types.IntType),
+				argTypes(types.TimestampType), types.IntType,
+				decls.OverloadExamples(`timestamp('2023-07-14T10:30:45.123Z').getDate() // 14`),
+				decls.UnaryBinding(func(ts ref.Val) ref.Val {
+					return timestampGetDayOfMonthOneBased(ts, utcTZ)
+				})),
 			decls.MemberOverload(overloads.TimestampToDayOfMonthOneBasedWithTz,
-				argTypes(types.TimestampType, types.StringType), types.IntType)),
+				argTypes(types.TimestampType, types.StringType), types.IntType,
+				decls.OverloadExamples(`timestamp('2023-07-01T05:00:00Z').getDate('America/Los_Angeles') // 30`),
+				decls.BinaryBinding(timestampGetDayOfMonthOneBased))),

 		function(overloads.TimeGetDayOfWeek,
+			decls.FunctionDocs(`get the 0-based day of the week from a timestamp, UTC unless an IANA timezone is specified.`),
 			decls.MemberOverload(overloads.TimestampToDayOfWeek,
-				argTypes(types.TimestampType), types.IntType),
+				argTypes(types.TimestampType), types.IntType,
+				decls.OverloadExamples(`timestamp('2023-07-14T10:30:45.123Z').getDayOfWeek() // 5`), // Friday is day 5
+				decls.UnaryBinding(func(ts ref.Val) ref.Val {
+					return timestampGetDayOfWeek(ts, utcTZ)
+				})),
 			decls.MemberOverload(overloads.TimestampToDayOfWeekWithTz,
-				argTypes(types.TimestampType, types.StringType), types.IntType)),
+				argTypes(types.TimestampType, types.StringType), types.IntType,
+				decls.OverloadExamples(`timestamp('2023-07-16T05:00:00Z').getDayOfWeek('America/Los_Angeles') // 6`), // Saturday is day 6
+				decls.BinaryBinding(timestampGetDayOfWeek))),

 		function(overloads.TimeGetHours,
+			decls.FunctionDocs(`get the hours portion from a timestamp, or convert a duration to hours`),
 			decls.MemberOverload(overloads.TimestampToHours,
-				argTypes(types.TimestampType), types.IntType),
+				argTypes(types.TimestampType), types.IntType,
+				decls.OverloadExamples(`timestamp('2023-07-14T10:30:45.123Z').getHours() // 10`),
+				decls.UnaryBinding(func(ts ref.Val) ref.Val {
+					return timestampGetHours(ts, utcTZ)
+				})),
 			decls.MemberOverload(overloads.TimestampToHoursWithTz,
-				argTypes(types.TimestampType, types.StringType), types.IntType),
+				argTypes(types.TimestampType, types.StringType), types.IntType,
+				decls.OverloadExamples(`timestamp('2023-07-14T10:30:45.123Z').getHours('America/Los_Angeles') // 2`),
+				decls.BinaryBinding(timestampGetHours)),
 			decls.MemberOverload(overloads.DurationToHours,
-				argTypes(types.DurationType), types.IntType)),
+				argTypes(types.DurationType), types.IntType,
+				decls.OverloadExamples(`duration('3723s').getHours() // 1`),
+				decls.UnaryBinding(types.DurationGetHours))),

 		function(overloads.TimeGetMinutes,
+			decls.FunctionDocs(`get the minutes portion from a timestamp, or convert a duration to minutes`),
 			decls.MemberOverload(overloads.TimestampToMinutes,
-				argTypes(types.TimestampType), types.IntType),
+				argTypes(types.TimestampType), types.IntType,
+				decls.OverloadExamples(`timestamp('2023-07-14T10:30:45.123Z').getMinutes() // 30`),
+				decls.UnaryBinding(func(ts ref.Val) ref.Val {
+					return timestampGetMinutes(ts, utcTZ)
+				})),
 			decls.MemberOverload(overloads.TimestampToMinutesWithTz,
-				argTypes(types.TimestampType, types.StringType), types.IntType),
+				argTypes(types.TimestampType, types.StringType), types.IntType,
+				decls.OverloadExamples(`timestamp('2023-07-14T10:30:45.123Z').getMinutes('America/Los_Angeles') // 30`),
+				decls.BinaryBinding(timestampGetMinutes)),
 			decls.MemberOverload(overloads.DurationToMinutes,
-				argTypes(types.DurationType), types.IntType)),
+				argTypes(types.DurationType), types.IntType,
+				decls.OverloadExamples(`duration('3723s').getMinutes() // 62`),
+				decls.UnaryBinding(types.DurationGetMinutes))),

 		function(overloads.TimeGetSeconds,
+			decls.FunctionDocs(`get the seconds portion from a timestamp, or convert a duration to seconds`),
 			decls.MemberOverload(overloads.TimestampToSeconds,
-				argTypes(types.TimestampType), types.IntType),
+				argTypes(types.TimestampType), types.IntType,
+				decls.OverloadExamples(`timestamp('2023-07-14T10:30:45.123Z').getSeconds() // 45`),
+				decls.UnaryBinding(func(ts ref.Val) ref.Val {
+					return timestampGetSeconds(ts, utcTZ)
+				})),
 			decls.MemberOverload(overloads.TimestampToSecondsWithTz,
-				argTypes(types.TimestampType, types.StringType), types.IntType),
+				argTypes(types.TimestampType, types.StringType), types.IntType,
+				decls.OverloadExamples(`timestamp('2023-07-14T10:30:45.123Z').getSeconds('America/Los_Angeles') // 45`),
+				decls.BinaryBinding(timestampGetSeconds)),
 			decls.MemberOverload(overloads.DurationToSeconds,
-				argTypes(types.DurationType), types.IntType)),
+				argTypes(types.DurationType), types.IntType,
+				decls.OverloadExamples(`duration('3723.456s').getSeconds() // 3723`),
+				decls.UnaryBinding(types.DurationGetSeconds))),

 		function(overloads.TimeGetMilliseconds,
+			decls.FunctionDocs(`get the milliseconds portion from a timestamp`),
 			decls.MemberOverload(overloads.TimestampToMilliseconds,
-				argTypes(types.TimestampType), types.IntType),
+				argTypes(types.TimestampType), types.IntType,
+				decls.OverloadExamples(`timestamp('2023-07-14T10:30:45.123Z').getMilliseconds() // 123`),
+				decls.UnaryBinding(func(ts ref.Val) ref.Val {
+					return timestampGetMilliseconds(ts, utcTZ)
+				})),
 			decls.MemberOverload(overloads.TimestampToMillisecondsWithTz,
-				argTypes(types.TimestampType, types.StringType), types.IntType),
+				argTypes(types.TimestampType, types.StringType), types.IntType,
+				decls.OverloadExamples(`timestamp('2023-07-14T10:30:45.123Z').getMilliseconds('America/Los_Angeles') // 123`),
+				decls.BinaryBinding(timestampGetMilliseconds)),
 			decls.MemberOverload(overloads.DurationToMilliseconds,
-				argTypes(types.DurationType), types.IntType)),
+				argTypes(types.DurationType), types.IntType,
+				decls.UnaryBinding(types.DurationGetMilliseconds))),
 	}


⚠️ Potential issue | 🟡 Minor

getFullYear doc wording is misleading (year is not 0‑based)

TimeGetFullYear returns t.Year() (calendar year), but the doc string says “get the 0-based full year…”, which is confusing since years are not 0-based. The other time docs (0-based month/day-of-year/day-of-month vs 1-based date) correctly match their implementations.

Consider updating the doc to drop “0-based”, e.g.:

- decls.FunctionDocs(`get the 0-based full year from a timestamp, UTC unless an IANA timezone is specified.`), + decls.FunctionDocs(`get the full year from a timestamp, UTC unless an IANA timezone is specified.`),

🤖 Prompt for AI Agents

vendor/github.com/google/cel-go/common/stdlib/standard.go around lines 743 to 888: the FunctionDocs for TimeGetFullYear incorrectly says "0-based full year" while the implementation returns the calendar year (t.Year()); update the doc string to remove "0-based" — e.g. change it to "get the full year from a timestamp, UTC unless an IANA timezone is specified." to match the behavior and be consistent with other time docs.

coderabbitai · 2025-11-17T18:20:43Z

vendor/github.com/google/cel-go/interpreter/activation.go

 // partialActivationConverter indicates whether an Activation implementation supports conversion to a PartialActivation
 type partialActivationConverter interface {
-	asPartialActivation() (PartialActivation, bool)
+	// AsPartialActivation converts the current activation to a PartialActivation
+	AsPartialActivation() (PartialActivation, bool)
 }


⚠️ Potential issue | 🟡 Minor

Guard AsPartialActivation against nil Activation to avoid panics

AsPartialActivation(vars Activation) will panic if called with a nil vars value, since vars.Parent() is invoked unconditionally when the type assertion fails. As an exported helper, it’s safer to treat nil as “no partial activation”.

A minimal defensive tweak:

func AsPartialActivation(vars Activation) (PartialActivation, bool) { - // Only internal activation instances may implement this interface - if pv, ok := vars.(partialActivationConverter); ok { + if vars == nil { + return nil, false + } + // Only internal activation instances may implement this interface + if pv, ok := vars.(partialActivationConverter); ok { return pv.AsPartialActivation() } // Since Activations may be hierarchical, test whether a parent converts to a PartialActivation - if vars.Parent() != nil { - return AsPartialActivation(vars.Parent()) - } - return nil, false + if parent := vars.Parent(); parent != nil { + return AsPartialActivation(parent) + } + return nil, false }

Also applies to: 176-179, 181-191

🤖 Prompt for AI Agents

In vendor/github.com/google/cel-go/interpreter/activation.go around lines 159-163 (and similarly for the related code at 176-179 and 181-191), the AsPartialActivation helper assumes the passed-in Activation is non-nil and may call vars.Parent() leading to a panic; update the function to first check if vars == nil and immediately return (nil, false) when it is nil, and apply the same nil guard before any Parent() calls or type assertions in the other referenced blocks so nil Activation is treated as “no partial activation.”

6s Warning FailedDescribeInstanceTypes awscluster/ngirard-dh-5bb5w insufficient permissions to describe instance types for instance type "m6i.xlarge", falling back to the default architecture of "x86_64": operation error EC2: DescribeInstanceTypes, https response error StatusCode: 403, RequestID: 387549b4-ab58-48af-b14d-3882b6c7da52, api error UnauthorizedOperation: You are not authorized to perform this operation. User: arn:aws:iam::726924432237:user/ngirard-dh-5bb5w-openshift-cluster-api-aws-72f7q is not authorized to perform: ec2:DescribeInstanceTypes because no identity-based policy allows the ec2:DescribeInstanceTypes action

openshift-ci-robot · 2025-11-17T18:33:54Z

@vr4manta: This pull request references SPLAT-2167 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.21.0" version, but no target version was set.

In response to this:

SPLAT-2167

Changes

Added dedicated host support for AWS

Created new dedicated host tests

Fixed tests that were breaking due to updates upstream that were pulled in

Added missing permission ec2:DescribeInstanceTypes to cluster api credentials request

Dependencies

SPLAT-2206: Added AWS dedicated host support api#2484

SPLAT-2167: Added dedicated hosts support for AWS machine-api-operator#1419

SPLAT-2540: Added test support for AWS dedicated hosts cluster-api-actuator-pkg#446

Notes

There seems to be a required permission that was missing for dedicated host support. When running these changes, a warning event was observed in the cluster capi operator namespace.
6s          Warning   FailedDescribeInstanceTypes   awscluster/ngirard-dh-5bb5w                           insufficient permissions to describe instance types for instance type "m6i.xlarge", falling back to the default architecture of "x86_64": operation error EC2: DescribeInstanceTypes, https response error StatusCode: 403, RequestID: 387549b4-ab58-48af-b14d-3882b6c7da52, api error UnauthorizedOperation: You are not authorized to perform this operation. User: arn:aws:iam::726924432237:user/ngirard-dh-5bb5w-openshift-cluster-api-aws-72f7q is not authorized to perform: ec2:DescribeInstanceTypes because no identity-based policy allows the ec2:DescribeInstanceTypes action
Summary by CodeRabbit

New Features

AWS: host-affinity / dedicated-host placement support.

CEL: YAML-serializable environment configs, regex library, new string.format v2, and math.sqrt; prompt tooling for authoring.

Improvements

Broad dependency upgrades (Go/Kubernetes/tooling).

fsnotify: more robust handling of transient filesystem edge cases.

Cleaner, more consistent error and warning formatting.

Bug Fixes

Stronger optional-field selection validation.

Tests

Updated test expectations and added coverage for new scenarios.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

coderabbitai

Actionable comments posted: 1

🧹 Nitpick comments (1)

pkg/conversion/capi2mapi/aws_fuzz_test.go (1)
211-221: Consider explicitly clearing HostID for non-host affinity cases.

When HostAffinity is nil or "default", the HostID should be explicitly set to nil to prevent test pollution from the earlier c.FillNoCustom(spec) call at line 158, which may have set random values.

Apply this diff:
 func fuzzAWSMachineSpecHostPlacement(spec *awsv1.AWSMachineSpec, c randfill.Continue) {
 	switch c.Int31n(3) {
 	case 0:
 		spec.HostAffinity = nil
+		spec.HostID = nil
 	case 1:
 		spec.HostAffinity = ptr.To("default")
+		spec.HostID = nil
 	case 2:
 		spec.HostAffinity = ptr.To("host")
 		spec.HostID = ptr.To("h-0123456789abcdef0")
 	}
 }

📜 Review details

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Cache: Disabled due to data retention organization setting

Knowledge base: Disabled due to data retention organization setting

📥 Commits

Reviewing files that changed from the base of the PR and between c7f7c0d and 72c30d3.

📒 Files selected for processing (12)

manifests/0000_30_cluster-api_01_credentials-request.yaml (1 hunks)
pkg/conversion/capi2mapi/aws.go (3 hunks)
pkg/conversion/capi2mapi/aws_fuzz_test.go (3 hunks)
pkg/conversion/capi2mapi/aws_test.go (6 hunks)
pkg/conversion/capi2mapi/machine_test.go (1 hunks)
pkg/conversion/capi2mapi/openstack_test.go (6 hunks)
pkg/conversion/capi2mapi/powervs_test.go (3 hunks)
pkg/conversion/mapi2capi/aws.go (2 hunks)
pkg/conversion/mapi2capi/aws_fuzz_test.go (3 hunks)
pkg/conversion/mapi2capi/aws_test.go (8 hunks)
pkg/conversion/mapi2capi/machine_test.go (1 hunks)
pkg/conversion/mapi2capi/powervs_test.go (2 hunks)

🚧 Files skipped from review as they are similar to previous changes (6)

pkg/conversion/capi2mapi/openstack_test.go
pkg/conversion/mapi2capi/machine_test.go
pkg/conversion/capi2mapi/aws.go
manifests/0000_30_cluster-api_01_credentials-request.yaml
pkg/conversion/capi2mapi/aws_test.go
pkg/conversion/mapi2capi/aws.go

🔇 Additional comments (13)

pkg/conversion/capi2mapi/machine_test.go (1)

75-89: LGTM! Improved error message readability.

The test expectations have been correctly updated to reflect improved duration formatting in error messages. The change from verbose duration representations to the standard Go duration string format "1s" enhances readability while maintaining test correctness.

pkg/conversion/mapi2capi/powervs_test.go (2)

124-124: LGTM! Error message formatting improved.

The error expectation now uses JSON formatting instead of Go struct string representation, improving readability and consistency with standard error message formats.

139-139: LGTM! Consistent error formatting improvement.

The metadata error expectation now uses concise JSON formatting, consistent with the loadBalancers change on Line 124.

pkg/conversion/capi2mapi/powervs_test.go (3)

100-100: LGTM! Correct null representation.

Removing quotes around null is semantically correct—null is not a string literal and should appear unquoted in error messages.

125-125: LGTM! Consistent null formatting.

This change matches the correction on Line 100, ensuring consistent null representation across error expectations.

150-150: LGTM! Simplified empty struct representation.

The error expectation now uses {} instead of a verbose Go struct representation, providing a cleaner and more concise format for the empty struct.

pkg/conversion/capi2mapi/aws_fuzz_test.go (2)

32-32: LGTM! Import needed for fuzzing.

The k8s.io/utils/ptr import is correctly added to support pointer creation in the new fuzzAWSMachineSpecHostPlacement function.

162-162: LGTM! Fuzzing hook properly integrated.

The host placement fuzzing is correctly integrated into the AWSMachineSpec fuzzing flow.

pkg/conversion/mapi2capi/aws_fuzz_test.go (3)

140-140: LGTM! Appropriate field clearing.

Clearing CPUOptions is consistent with other unsupported fields being cleared in this function. This appears to address test failures mentioned in the PR description related to upstream updates.

167-180: LGTM! Host placement fuzzing correctly implemented.

The fuzzer appropriately covers the two valid HostPlacement states: AnyAvailable (with DedicatedHost cleared) and DedicatedHost (with a valid ID). The explicit clearing of DedicatedHost for the AnyAvailable case prevents invalid state combinations.

276-276: LGTM! Fuzzer properly registered.

The fuzzHostPlacement function is correctly added to the fuzzer function list, ensuring HostPlacement fields are appropriately fuzzed during machine set conversion testing.

pkg/conversion/mapi2capi/aws_test.go (2)

132-132: LGTM! Improved error message formatting.

The error messages have been updated to use JSON-like formatting, making them more structured and easier to parse. This improves test readability and better matches the actual error output format.

Also applies to: 211-211, 246-246, 258-258, 348-348, 394-394

429-429: LGTM! Helpful documentation comment.

The comment clearly documents that dedicated host tests were relocated into the DescribeTable above, making the test reorganization transparent to future maintainers.

coderabbitai · 2025-11-17T18:36:15Z

pkg/conversion/mapi2capi/aws_test.go

+		// Dedicated host positive/negative cases
+		Entry("With HostPlacement AnyAvailable", awsMAPI2CAPIConversionInput{
+			machineBuilder: awsMAPIMachineBase.WithProviderSpecBuilder(
+				awsBaseProviderSpec.
+					WithHostPlacement(&mapiv1beta1.HostPlacement{
+						Affinity: ptr.To(mapiv1beta1.HostAffinityAnyAvailable),
+					}),
+			),
+			infra:            infra,
+			expectedErrors:   []string{},
+			expectedWarnings: []string{},
+		}),
+		Entry("With HostPlacement DedicatedHost", awsMAPI2CAPIConversionInput{
+			machineBuilder: awsMAPIMachineBase.WithProviderSpecBuilder(
+				awsBaseProviderSpec.
+					WithHostPlacement(&mapiv1beta1.HostPlacement{
+						Affinity: ptr.To(mapiv1beta1.HostAffinityDedicatedHost),
+						DedicatedHost: &mapiv1beta1.DedicatedHost{
+							ID: "h-0123456789abcdef0",
+						},
+					}),
+			),
+			infra:            infra,
+			expectedErrors:   []string{},
+			expectedWarnings: []string{},
+		}),


⚠️ Potential issue | 🟡 Minor

🧩 Analysis chain

LGTM! Positive test cases well covered.

The two new test entries appropriately cover the valid HostPlacement scenarios: AnyAvailable and DedicatedHost with a valid ID. Both tests correctly expect successful conversion with no errors or warnings.

The comment at line 96 mentions "positive/negative cases," but only positive cases are present. Consider verifying that negative test cases (e.g., invalid HostID format, missing DedicatedHost ID when affinity is DedicatedHost) are covered elsewhere in the test suite or in the conversion validation logic.

🏁 Script executed:

#!/bin/bash # Search for negative test cases or validation logic for HostPlacement rg -n -C3 --type=go 'HostPlacement|HostAffinity|DedicatedHost' -g '*test*.go' -g '!vendor/'

Length of output: 7234

I'll search for the conversion logic to understand if negative test cases should exist for the mapi2capi direction.

🏁 Script executed:

#!/bin/bash # Find the conversion logic for HostPlacement in mapi2capi rg -n 'HostPlacement|HostAffinity' --type=go -g '!*test*.go' -g '!vendor/' pkg/conversion/mapi2capi/

Length of output: 65

🏁 Script executed:

#!/bin/bash # Find conversion logic for HostPlacement fd -e '.go' -path '*/mapi2capi/*' -not -path '*/vendor/*' -not -name '*test*' | head -20

Length of output: 168

🏁 Script executed:

#!/bin/bash # Search for HostPlacement conversion logic across mapi2capi rg -n 'func.*Convert|HostPlacement|HostAffinity' --type=go -g '!*test*' -g '!vendor/' 2>/dev/null | head -50

Length of output: 1781

🏁 Script executed:

#!/bin/bash # Get the full implementation of the mapi2capi conversion functions rg -n -A 15 'func convertAWSHostAffinityToCAPI|func convertAWSHostIDToCAPI' --type=go pkg/conversion/mapi2capi/aws.go

Length of output: 1104

Update comment at line 96 to reflect actual test coverage.

The comment states "Dedicated host positive/negative cases" but the code only contains positive test cases. This is correct by design—the mapi2capi conversion logic silently converts or returns nil for unknown values (no validation errors). Unlike the reverse direction (capi2mapi), which validates and rejects unsupported values, negative test cases don't apply here.

Update line 96 comment from:

// Dedicated host positive/negative cases

to:

// Dedicated host cases

🤖 Prompt for AI Agents

In pkg/conversion/mapi2capi/aws_test.go around lines 96 to 121 the comment "// Dedicated host positive/negative cases" is inaccurate because the tests only cover positive cases; change the comment to "// Dedicated host cases" to reflect actual test coverage; update that single-line comment accordingly without modifying test logic.

vr4manta · 2025-11-18T17:25:29Z

/retest

nrb · 2025-11-20T17:52:40Z

/lgtm
/approve

openshift-ci-robot · 2025-11-20T17:53:38Z

Scheduling tests matching the pipeline_run_if_changed or not excluded by pipeline_skip_if_only_changed parameters:
/test e2e-aws-capi-techpreview
/test e2e-aws-ovn
/test e2e-aws-ovn-serial-1of2
/test e2e-aws-ovn-serial-2of2
/test e2e-aws-ovn-techpreview
/test e2e-aws-ovn-techpreview-upgrade
/test e2e-azure-capi-techpreview
/test e2e-azure-ovn-techpreview
/test e2e-azure-ovn-techpreview-upgrade
/test e2e-gcp-capi-techpreview
/test e2e-gcp-ovn-techpreview
/test e2e-metal3-capi-techpreview
/test e2e-openstack-capi-techpreview
/test e2e-openstack-ovn-techpreview
/test e2e-vsphere-capi-techpreview
/test regression-clusterinfra-aws-ipi-techpreview-capi

openshift-ci · 2025-11-20T17:54:05Z

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: nrb

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

~~OWNERS~~ [nrb]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

damdo · 2025-11-21T09:17:33Z

/retest

vr4manta · 2025-11-24T12:44:10Z

/verified by @vr4manta by manual tests
Installer function is not merged so hard to test for now. I'll also run a /payload-test with installer to fully test

vr4manta · 2025-11-24T12:44:24Z

/retest

openshift-ci-robot · 2025-11-24T12:44:25Z

@vr4manta: This PR has been marked as verified by @vr4manta by manual tests.

In response to this:

/verified by @vr4manta by manual tests
Installer function is not merged so hard to test for now. I'll also run a /payload-test with installer to fully test

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

openshift-ci-robot · 2025-11-24T15:09:59Z

/retest-required

Remaining retests: 0 against base HEAD 509ccfd and 2 for PR HEAD 72c30d3 in total

vr4manta · 2025-11-26T12:28:05Z

/retest

openshift-ci · 2025-11-26T14:32:42Z

@vr4manta: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/okd-scos-e2e-aws-ovn	`3820d2b`	link	false	`/test okd-scos-e2e-aws-ovn`
ci/prow/e2e-openstack-ovn-techpreview	`72c30d3`	link	true	`/test e2e-openstack-ovn-techpreview`
ci/prow/e2e-openstack-capi-techpreview	`72c30d3`	link	true	`/test e2e-openstack-capi-techpreview`

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

vr4manta · 2025-11-26T19:51:11Z

It seems the openstack techpreview have been having issues for a while:

@damdo Is there any known issues with these two jobs? If so, is it possible to override them here so we can get this merged? I am not wanting to keep retrying because TRT may assume that w/ all the failures, this PR may be the cause (which is why I am putting the above links to show other PRs hit same install issue this PR is)

openshift-ci-robot added the jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. label Oct 1, 2025

openshift-ci bot added the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Oct 1, 2025

openshift-merge-robot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Oct 1, 2025

vr4manta force-pushed the SPLAT-2167 branch from 60f648d to 8fb882b Compare October 1, 2025 19:08

openshift-merge-robot removed the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Oct 1, 2025

This was referenced Oct 16, 2025

SPLAT-2171: Added AWS dedicated host scripts and job openshift/release#70274

Merged

SPLAT-2206: Added AWS dedicated host support openshift/api#2484

Merged

vr4manta force-pushed the SPLAT-2167 branch 2 times, most recently from 6355141 to 7ba97c3 Compare November 10, 2025 16:22

vr4manta force-pushed the SPLAT-2167 branch 2 times, most recently from dc53d82 to e5cbce2 Compare November 11, 2025 17:16

vr4manta force-pushed the SPLAT-2167 branch from e5cbce2 to ed501ad Compare November 11, 2025 18:56

vr4manta force-pushed the SPLAT-2167 branch 2 times, most recently from ed41da7 to 320eac0 Compare November 13, 2025 14:40

vr4manta mentioned this pull request Nov 13, 2025

SPLAT-2167: Added dedicated hosts support for AWS openshift/machine-api-operator#1419

Merged

mtulio reviewed Nov 13, 2025

View reviewed changes

vr4manta mentioned this pull request Nov 13, 2025

SPLAT-2172: AWS dedicate host support openshift/installer#10079

Open

mtulio reviewed Nov 13, 2025

View reviewed changes

vr4manta force-pushed the SPLAT-2167 branch from 320eac0 to 3820d2b Compare November 14, 2025 13:12

vr4manta marked this pull request as ready for review November 14, 2025 13:15

openshift-ci bot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Nov 14, 2025

vr4manta force-pushed the SPLAT-2167 branch from 3820d2b to d3fc5c3 Compare November 17, 2025 17:51

coderabbitai bot reviewed Nov 17, 2025

View reviewed changes

pkg/conversion/capi2mapi/aws.go Show resolved Hide resolved

vr4manta added 2 commits November 17, 2025 13:08

go.mod updates

5cf34cd

vendor updates

7a729df

vr4manta force-pushed the SPLAT-2167 branch from d3fc5c3 to c7f7c0d Compare November 17, 2025 18:08

coderabbitai bot reviewed Nov 17, 2025

View reviewed changes

vr4manta added 3 commits November 17, 2025 13:30

Added dedicated host support for AWS

fd32877

Added AWS dedicated host tests

c1557e4

vr4manta force-pushed the SPLAT-2167 branch from c7f7c0d to 72c30d3 Compare November 17, 2025 18:31

coderabbitai bot reviewed Nov 17, 2025

View reviewed changes

openshift-ci bot assigned nrb Nov 20, 2025

openshift-ci bot added the lgtm Indicates that a PR is ready to be merged. label Nov 20, 2025

openshift-ci bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Nov 20, 2025

openshift-ci-robot added the verified Signifies that the PR passed pre-merge verification criteria label Nov 24, 2025

SPLAT-2167: Added dedicated host support for AWS #374

Are you sure you want to change the base?

SPLAT-2167: Added dedicated host support for AWS #374

Uh oh!

Conversation

vr4manta commented Oct 1, 2025 • edited by coderabbitai bot Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Changes

Dependencies

Notes

Summary by CodeRabbit

Uh oh!

openshift-ci-robot commented Oct 1, 2025 • edited by openshift-ci bot Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Changes

Dependencies

Uh oh!

openshift-ci bot commented Oct 1, 2025

Uh oh!

coderabbitai bot commented Oct 1, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

.coderabbit.yaml has unrecognized properties

Walkthrough

Changes

Sequence Diagram(s)

Estimated code review effort

Poem

Pre-merge checks and finishing touches

Uh oh!

openshift-ci-robot commented Oct 1, 2025 • edited by openshift-ci bot Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Changes

Dependencies

Uh oh!

openshift-ci-robot commented Nov 11, 2025 • edited by openshift-ci bot Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Changes

Dependencies

Uh oh!

vr4manta commented Nov 11, 2025

Uh oh!

vr4manta commented Nov 11, 2025

Uh oh!

openshift-ci-robot commented Nov 13, 2025 • edited by openshift-ci bot Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Changes

Dependencies

Uh oh!

mtulio Nov 13, 2025

Choose a reason for hiding this comment

Uh oh!

vr4manta Nov 14, 2025

Choose a reason for hiding this comment

Uh oh!

mtulio Nov 13, 2025

Choose a reason for hiding this comment

Uh oh!

vr4manta Nov 14, 2025

Choose a reason for hiding this comment

Uh oh!

openshift-ci-robot commented Nov 14, 2025 • edited by openshift-ci bot Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Changes

Dependencies

Notes

Uh oh!

openshift-ci-robot commented Nov 17, 2025 • edited by openshift-ci bot Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Changes

Dependencies

Notes

Summary by CodeRabbit

Uh oh!

coderabbitai bot left a comment

Choose a reason for hiding this comment

Uh oh!

Uh oh!

openshift-ci-robot commented Nov 17, 2025 • edited by openshift-ci bot Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Changes

vr4manta commented Oct 1, 2025 •

edited by coderabbitai bot

Loading

openshift-ci-robot commented Oct 1, 2025 •

edited by openshift-ci bot

Loading

coderabbitai bot commented Oct 1, 2025 •

edited

Loading

`.coderabbit.yaml` has unrecognized properties

openshift-ci-robot commented Oct 1, 2025 •

edited by openshift-ci bot

Loading

openshift-ci-robot commented Nov 11, 2025 •

edited by openshift-ci bot

Loading

openshift-ci-robot commented Nov 13, 2025 •

edited by openshift-ci bot

Loading

openshift-ci-robot commented Nov 14, 2025 •

edited by openshift-ci bot

Loading

openshift-ci-robot commented Nov 17, 2025 •

edited by openshift-ci bot

Loading

openshift-ci-robot commented Nov 17, 2025 •

edited by openshift-ci bot

Loading

openshift-ci-robot commented Nov 17, 2025 •

edited by openshift-ci bot

Loading