feat: adding operator gen check to CI

[tmonty12]

Overview:

This PR adds a check to the Operator CI that checks that the output of generated code, manifests, docs match what is expected on a given commit. It will fail the workflow if it does not match.

Example of properly catching a missing license header here

Details:

Where should the reviewer start?

Related Issues: (use one of the action keywords Closes / Fixes / Resolves / Relates to)

• closes GitHub issue: #xxx

Summary by CodeRabbit

• Chores

  • Added validation checks to the build process to ensure consistency of container images, manifests, and deployment configurations before release.

• Documentation

  • Refined Kubernetes API reference documentation with enhanced formatting for field validation hints, data type information, and example configurations for improved usability and clarity.

[coderabbitai]

Walkthrough

This pull request introduces validation checkpoints for the operator build pipeline. A new GitHub Actions workflow step validates uncommitted changes, the Makefile defines a check target for pre-commit validation and adds NVIDIA header insertion to RBAC files, header comments are removed from role.yaml, and API documentation formatting is updated.

Changes

Cohort / File(s)	Summary
CI/CD Workflow .github/workflows/container-validation-backends.yml	Added validation step in operator job that executes make check after Docker build, with ECR_HOSTNAME from secrets
Build System deploy/cloud/operator/Makefile	Added new check phony target with dependency chain (generate, manifests, generate-api-docs) that validates git working tree is clean; enhanced manifests target to prepend NVIDIA SPDX header to RBAC YAML files if not already present
RBAC Configuration deploy/cloud/operator/config/rbac/role.yaml	Removed SPDX header comments (copyright and license) from top of file; ClusterRole definition remains unchanged
Documentation docs/kubernetes/api_reference.md	Updated field validation annotations and references, converting literal braces {} to escaped form \{\} in multiple table entries for consistency

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

• Makefile logic: Verify the bash scripting for header insertion (nested conditionals) and git status check does not have edge cases
• Workflow step placement: Confirm timing and error handling between the new validation step and subsequent Docker Tag and Push operations
• Header removal consistency: Ensure role.yaml header removal aligns with the Makefile logic that adds headers to RBAC files

Poem

🐰 A hop, skip, and check we go,
Building clean pipelines, as validations flow,
Headers dressed in NVIDIA's pride,
With git trees clean, bugs won't hide!
Documentation shines, braces escaped just right,
The operator now validates with might! 🐇✨

Pre-merge checks

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Description check	⚠️ Warning	The PR description is incomplete. While the Overview section describes the PR purpose, the Details and Where should the reviewer start sections are entirely empty, and the Related Issues section is unfilled.	Complete the Details section with a comprehensive description of changes, specify files for review focus in the Where should the reviewer start section, and provide a valid GitHub issue reference or explanation if no issue exists.

✅ Passed checks (1 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title 'feat: adding operator gen check to CI' clearly describes the main change: adding a generator check for the operator to the CI pipeline.

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 0

♻️ Duplicate comments (1)

deploy/cloud/operator/Makefile (1)

116-138: Verify role.yaml header consistency with Makefile logic.

The Makefile adds NVIDIA headers to all RBAC files (lines 116–138), but the AI summary indicates that deploy/cloud/operator/config/rbac/role.yaml has had its SPDX header comments removed. Confirm whether:

1. The header removal was intentional and should be respected (and the Makefile logic adjusted), or
2. The header should be restored and will be re-added by the Makefile on next generation.

This matters for CI stability—if the header is re-added by the Makefile, the make check validation could fail if the file is not committed with the new header.

🧹 Nitpick comments (1)

deploy/cloud/operator/Makefile (1)

116-138: Refactor duplicated header insertion logic.

Lines 116–138 duplicate the NVIDIA header insertion pattern from lines 84–106 (CRD files). Both blocks check for the header, prepare a temporary file, and atomically replace the original. Consider extracting this into a reusable helper function or separate script to follow the DRY principle. Note: The RBAC section includes a file-existence check ([ -f "$$file" ]) that the CRD section lacks—ensure consistency if refactored.

📜 Review details

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 1a9aeab and 8d98d6b.

📒 Files selected for processing (4)

• .github/workflows/container-validation-backends.yml (1 hunks)
• deploy/cloud/operator/Makefile (2 hunks)
• deploy/cloud/operator/config/rbac/role.yaml (0 hunks)
• docs/kubernetes/api_reference.md (9 hunks)

💤 Files with no reviewable changes (1)

• deploy/cloud/operator/config/rbac/role.yaml

🧰 Additional context used

🧠 Learnings (2)

📚 Learning: 2025-11-05T20:23:29.509Z

Learnt from: nv-hwoo
Repo: ai-dynamo/dynamo PR: 4112
File: examples/backends/sglang/deploy/agg.yaml:76-78
Timestamp: 2025-11-05T20:23:29.509Z
Learning: In DynamoGraphDeployment (DGD) YAML manifests, the volumeMounts field uses `mountPoint` (not the standard Kubernetes `mountPath`) to specify where to mount volumes. This is defined in the DGD custom resource definition API.

Applied to files:

• docs/kubernetes/api_reference.md

📚 Learning: 2025-07-18T16:04:31.771Z

Learnt from: julienmancuso
Repo: ai-dynamo/dynamo PR: 2012
File: deploy/cloud/helm/crds/templates/nvidia.com_dynamocomponentdeployments.yaml:92-98
Timestamp: 2025-07-18T16:04:31.771Z
Learning: CRD schemas in files like deploy/cloud/helm/crds/templates/*.yaml are auto-generated from Kubernetes library upgrades and should not be manually modified as changes would be overwritten during regeneration.

Applied to files:

• deploy/cloud/operator/Makefile

🪛 checkmake (0.2.2)

deploy/cloud/operator/Makefile

[warning] 48-48: Target body for "check" exceeds allowed length of 5 (9).

(maxbodylength)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (3)

• GitHub Check: operator (amd64)
• GitHub Check: trtllm (amd64)
• GitHub Check: operator (arm64)

🔇 Additional comments (3)

.github/workflows/container-validation-backends.yml (1)

91-97: Good integration of pre-push validation step.

The new "Check for uncommitted changes" step correctly validates that code generation steps (generate, manifests, generate-api-docs) produce consistent output before pushing the operator image. Placement after the build and before the tag/push is appropriate.

docs/kubernetes/api_reference.md (1)

80-80: Documentation formatting for proper Markdown rendering.

The changes consistently escape empty braces ({} → \{\}) in validation hint columns to prevent Markdown interpretation. This ensures the documentation renders correctly without unintended formatting. No behavioral changes to the API or documentation content—purely display formatting.

Also applies to: 98-102, 279-285, 302-307, 323-325, 419-421, 440-442, 477-477

deploy/cloud/operator/Makefile (1)

47-57: Validate logic is sound, but target body exceeds style guidelines.

The check target correctly validates that code generation steps leave the Git tree clean—a useful validation for CI. However, static analysis (checkmake) flags that the target body (9 lines) exceeds the default threshold of 5 lines. Consider either:

1. Accepting the style deviation for this validation step, or
2. Refactoring into a helper shell script to reduce target size.

This is noted by the static analysis tool but is acceptable for a validation target. Confirm whether your team's conventions permit this exception.