chore: enable pre-releases for subscriptions

[Roming22]

This script should be useful to developers and QE. It might be useful to the occasional customer that would want to validate an upcoming fix in an ephemeral environment.

Summary by CodeRabbit

• New Features
  • Introduced a script to automate the setup of pre-release subscriptions for multiple products in OpenShift, including Red Hat Developer Hub, GitOps, Pipelines, and Trusted Artifact Signer.
  • Added support for command-line options to select products, enable debug mode, and display help.
  • Enhanced error handling and progress messaging during the configuration process.

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: Roming22

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [Roming22]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[Roming22]

/retest

[xinredhat]

/retest

[Roming22]

/retest

[dperaza4dustbit]

One question

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

[lcarva]

Is this still relevant?

[Roming22]

@lcarva While the specific versions might not be, I believe the process is.

[jkopriva]

/lgtm

[coderabbitai]

Walkthrough

A new Bash script, hack/pre-release.sh, has been introduced to automate pre-release subscription setup for various OpenShift products. The script supports multiple products, parses command-line arguments, manages temporary resources, applies product-specific configurations, and updates a Helm values YAML file accordingly.

Changes

Cohort / File(s)	Change Summary
New Pre-release Automation Script hack/pre-release.sh	Added a Bash script to automate pre-release subscription configuration for multiple OpenShift products, including argument parsing, product-specific setup, and Helm values file updates.

Sequence Diagram(s)

sequenceDiagram
    participant User
    participant pre-release.sh
    participant OpenShift Cluster
    participant Helm Values File

    User->>pre-release.sh: Run script with product options
    pre-release.sh->>pre-release.sh: Parse arguments
    pre-release.sh->>pre-release.sh: Init temp directory
    loop For each product
        pre-release.sh->>OpenShift Cluster: Apply product-specific configuration
        pre-release.sh->>Helm Values File: Update subscription values
    end
    pre-release.sh->>User: Output progress and completion message

Loading

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~8 minutes

Suggested reviewers

• jkopriva
• xinredhat

Poem

A script now hops into the fold,
With Bashy paws both brave and bold.
It sets up subs for every need,
And updates YAML with lightning speed.
Debug or help, it’s all in hand—
Pre-release magic, just as planned!
🐇✨

Note

⚡️ Unit Test Generation is now available in beta!

Learn more here, or try it out under "Finishing Touches" below.

✨ Finishing Touches

• 📝 Generate Docstrings

🧪 Generate unit tests

• Create PR with unit tests
• Post copyable unit tests in a comment

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

• Review comments: Directly reply to a review comment made by CodeRabbit. Example:
  • I pushed a fix in commit <commit_id>, please review it.
  • Explain this complex logic.
  • Open a follow-up GitHub issue for this discussion.
• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query. Examples:
  • @coderabbitai explain this code block.
  • @coderabbitai modularize this function.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
  • @coderabbitai read src/utils.ts and explain its main purpose.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.
  • @coderabbitai help me debug CodeRabbit configuration file.

Support

Need help? Create a ticket on our support page for assistance with any issues or questions.

Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments.

CodeRabbit Commands (Invoked using PR comments)

• @coderabbitai pause to pause the reviews on a PR.
• @coderabbitai resume to resume the paused reviews.
• @coderabbitai review to trigger an incremental review. This is useful when automatic reviews are disabled for the repository.
• @coderabbitai full review to do a full review from scratch and review all the files again.
• @coderabbitai summary to regenerate the summary of the PR.
• @coderabbitai generate docstrings to generate docstrings for this PR.
• @coderabbitai generate sequence diagram to generate a sequence diagram of the changes in this PR.
• @coderabbitai generate unit tests to generate unit tests for this PR.
• @coderabbitai resolve resolve all the CodeRabbit review comments.
• @coderabbitai configuration to show the current CodeRabbit configuration for the repository.
• @coderabbitai help to get help.

Other keywords and placeholders

• Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
• Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
• Add @coderabbitai anywhere in the PR title to generate the title automatically.

CodeRabbit Configuration File (.coderabbit.yaml)

• You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
• Please see the configuration documentation for more information.
• If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

Documentation and Community

• Visit our Documentation for detailed information on how to use CodeRabbit.
• Join our Discord Community to get help, request features, and share feedback.
• Follow us on X/Twitter for updates and announcements.

[coderabbitai]

Actionable comments posted: 4

🧹 Nitpick comments (1)

hack/pre-release.sh (1)

64-68: DEBUG variable is set but never used
parse_args exports $DEBUG, yet no other code reads it. Either hook it into verbose tooling or drop the dead code.

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 522d0d1 and 77c2911.

📒 Files selected for processing (1)

• hack/pre-release.sh (1 hunks)

🧰 Additional context used

🧠 Learnings (1)

📓 Common learnings

Learnt from: Roming22
PR: redhat-appstudio/rhtap-cli#1000
File: installer/charts/tssc-gitops/Chart.yaml:6-7
Timestamp: 2025-07-07T15:41:17.668Z
Learning: For the rhtap-cli repository, chart version bumps in Helm charts are handled at release time, not when appVersion is updated during development. The team follows a workflow where appVersion can be updated in PRs but the chart version field is only incremented during the release process.

🪛 Gitleaks (8.27.2)

hack/pre-release.sh

174-174: Detected a Generic API Key, potentially exposing access to various services and sensitive operations.

(generic-api-key)

[coderabbitai]

🛠️ Refactor suggestion

Possible rm -rf of current $PWD
cleanup runs while the process is still inside $SHARED_DIR; removing the directory you are cd-ed into can fail or leave you in a deleted cwd. cd / (or back to $PROJECT_DIR) before deletion, or use trap 'cd …; cleanup'.

🤖 Prompt for AI Agents

In hack/pre-release.sh around lines 83 to 92, the cleanup function removes the
directory stored in $SHARED_DIR while the current working directory is still
inside it, which can cause errors or leave the shell in a deleted directory. To
fix this, modify the trap to first change directory to a safe location like / or
$PROJECT_DIR before calling cleanup, or update the cleanup function to cd out of
$SHARED_DIR before running rm -rf on it.

[coderabbitai]

🛠️ Refactor suggestion

Blind execution of remote script – add integrity / safety checks
curl … | bash-style patterns are dangerous. At minimum, verify the SHA256 of the downloaded script or pin to a commit hash so supply-chain attacks don’t silently own the cluster.

🤖 Prompt for AI Agents

In hack/pre-release.sh around lines 119 to 125, the script blindly downloads and
executes a remote install script without verifying its integrity, which is a
security risk. To fix this, modify the script to download the install script
first, then verify its SHA256 checksum against a known good value before making
it executable and running it. Alternatively, pin the URL to a specific commit
hash to ensure the script content is fixed and trusted. This prevents
supply-chain attacks by ensuring only verified code is executed.

[coderabbitai]

⚠️ Potential issue

Hard-coded registry credentials leak – remove immediately
The base64 string injected into .auth is a real credential (Gitleaks flagged it). Committing secrets makes the token irretrievable and opens the registry to anyone who reads the repo. Parameterise or source the value from a secure location (env-var, oc registry login, or a vault) and make the script fail fast if it is missing.

-        | jq -c '.auths."registry.stage.redhat.io" = {
-            "auth": "MTEwMDkxMDN8cmhhZHM6ZXlKaGJHY2l...",
-            "email": ""
-        }'
+        | jq -c --arg auth "${RHTAS_REGISTRY_AUTH:?Unset RHTAS_REGISTRY_AUTH}" \
+              '.auths."registry.stage.redhat.io" = {auth:$auth, email:""}'

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	DOCKERCONFIGJSON=$(
	oc get secrets \
	-n openshift-config pull-secret \
	-o jsonpath='{.data.\.dockerconfigjson}' \
	| base64 -d
	)
	DOCKERCONFIGJSON=$(
	echo "$DOCKERCONFIGJSON" \
	| jq -c '.auths."registry.stage.redhat.io" = {
	"auth": "MTEwMDkxMDN8cmhhZHM6ZXlKaGJHY2lPaUpTVXpVeE1pSjkuZXlKemRXSWlPaUk0T0RsaE1XWTJPR0ZsWVdVMFptTTNZVE13WWpBNVlXUmpOR1JsWVRneVlpSjkuSXZrVDZqQ001ZU9wUnJQeDVzOVk4NFlaY1NfcWpDX0RpZ0s1bmwtd3NCQ0Y4cGFVdG13b25RbE5GTm9sYXBQTGZUeFFUaWxUUDluYllIRGV4TGxGWnZUWGNRWmg4YllqMmFGOUhZaHR2bFpCbmxpS0tyakNVN24tUE5rb09DY296QmdfN21fZFU4Z1lIUGt4Q3pISC1obG53Y2dneklwMG5jV0xQTDhFTkM4R0lJV2pQZ0t4bm1vTDQ2TUNUUDl6amhNNG5LYUlnT1RuNzdCZGVqRHY4WGRoZVNKRHFJUEEyTjA0TnUwMWhaSE95U3NpX3NCdjR2OThZYllOdFhNLUtHSXdtYWtMcWNZTzFONFUwa0RJaUc5OWdMZ2V0ZGVYT1ZPWkl3ajVpRGFkZXd2cnoxdFlucGZvZ1JhT2pWU3pDcnVBTDkyM1IzdEV2M3FvMjNPWXdXS1hGZlBTMU9YbzBwNFE3YldKRUFmMnEtM1gxM0lOQ19UTmJ3MGZCRHdMS05XN1k2TEVoQmJZVFNZd1BET20tTTJSVXpMQzdKYjV1c2pOZjYxM01XZWt5RmVRVVlJSTNUc0xLeUExQ0s1cE9SdXNFS256MERjZ1lya0V0ZE9ENkVtYjBmdUdNbElhN0JiX1UwZjVxUmszdFFXbWdTejRkQ1VDMXhlM0NDT25kVGU4bDA2RUVzSGVVU2I5NUd0bWtudUVkME03eERZaURjUURRVXlQblhmRFl5WF9xcF9BZ2l1M19meExLcl9LOGplYzJlcHlIUFBFN3FhR2hHeEViVVlUc0dsZ1B0Z0ExUFRlS3h1dklyM0d6ajg4SF85bGVYU1lwR0d5Ujl6dXh1TXVNaFZFS19Jc25OYTl3bHBaTG1RdW0xM1lRelN5ajMtMFVWUEVma3M=",
	"email": ""
	}'
	DOCKERCONFIGJSON=$(
	oc get secrets \
	-n openshift-config pull-secret \
	-o jsonpath='{.data.\.dockerconfigjson}' \
	| base64 -d
	)
	DOCKERCONFIGJSON=$(
	echo "$DOCKERCONFIGJSON" \
	| jq -c --arg auth "${RHTAS_REGISTRY_AUTH:?Unset RHTAS_REGISTRY_AUTH}" \
	'.auths."registry.stage.redhat.io" = {auth:$auth, email:""}'
	)

🧰 Tools

🪛 Gitleaks (8.27.2)

174-174: Detected a Generic API Key, potentially exposing access to various services and sensitive operations.

(generic-api-key)

🤖 Prompt for AI Agents

In hack/pre-release.sh around lines 164 to 176, the script contains a hard-coded
base64-encoded registry credential string inside the jq command, which leaks
sensitive information. Remove this hard-coded credential and instead modify the
script to source the registry authentication token securely from an environment
variable, an external secret manager, or by running a secure login command like
`oc registry login`. Add error handling to make the script fail immediately if
the credential is not available to prevent unauthorized access.

[coderabbitai]

🛠️ Refactor suggestion

No product selected results in silent no-op
If the user forgets --product, the script exits successfully without doing anything. Fail fast to avoid false confidence:

main() {
   parse_args "$@"
+  if [[ ${#PRODUCT_LIST[@]} -eq 0 ]]; then
+      echo "[ERROR] No product specified." >&2
+      usage
+      exit 1
+  fi
   init

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	main() {
	parse_args "$@"
	init
	for PRODUCT in $(echo "${PRODUCT_LIST[@]}" | tr " " "\n" | sort); do
	h1 "Configuring $PRODUCT"
	"configure_$PRODUCT"
	configure_subscription
	echo
	done
	echo "Done"
	main() {
	parse_args "$@"
	if [[ ${#PRODUCT_LIST[@]} -eq 0 ]]; then
	echo "[ERROR] No product specified." >&2
	usage
	exit 1
	fi
	init
	for PRODUCT in $(echo "${PRODUCT_LIST[@]}" | tr " " "\n" | sort); do
	h1 "Configuring $PRODUCT"
	"configure_$PRODUCT"
	configure_subscription
	echo
	done
	echo "Done"
	}

🤖 Prompt for AI Agents

In hack/pre-release.sh around lines 207 to 216, the script silently does nothing
and exits successfully if no product is selected via --product. Add a check
after parsing arguments to verify that PRODUCT_LIST is not empty; if it is,
print an error message and exit with a non-zero status to fail fast and avoid
false confidence.