RHAIENG-2846 Prefetch: COMPONENT_DIR from Makefile, local build default, Tekton discovery

[ysok]

RHAIENG-2846 Post-hermetic cleanup

• GHA: Derive COMPONENT_DIR from Makefile; fail clearly if missing.
• Makefile: Always pass LOCAL_BUILD=true for hermetic targets; require cachi2/output when prefetch-input exists; fix empty-variable warning.
• prefetch-all.sh: Add find_tekton_yaml (ODH/RHDS by dockerfile param); remove --tekton-file and package-lock fallback; allow running without variant dir.
• download-npm.sh: Exit 0 when Tekton file has no npm entries.
• Regenerate artifacts.lock.yaml and pylock.cpu.toml; update README.

Summary by CodeRabbit

• Chores
  • Updated build infrastructure with improved component directory derivation and error handling.
  • Updated ripgrep dependencies across multiple architectures with corrected checksums.
  • Enhanced lockfile generation with variant-aware inputs and improved documentation.
  • Improved npm discovery process to gracefully handle missing entries.

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign ysok for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[coderabbitai]

📝 Walkthrough

Walkthrough

This PR refactors component directory derivation and prefetch logic to use Makefile-based extraction instead of simple path conversion. It introduces variant-aware npm discovery with a new helper function, updates lock file headers and artifact checksums, and revises the prefetch workflow documentation to reflect these changes.

Changes

Cohort / File(s)	Summary
Build Orchestration .github/workflows/build-notebooks-TEMPLATE.yaml, Makefile	Refactored COMPONENT_DIR derivation to extract from Makefile output with guard checks. Updated hermetic build logic with LOCAL_BUILD_ARG and conservative mount handling based on prefetch-input presence.
Lock File Updates codeserver/ubi9-python-3.12/prefetch-input/odh/artifacts.lock.yaml, codeserver/ubi9-python-3.12/uv.lock.d/pylock.cpu.toml	Updated ripgrep artifact URLs and checksums for aarch64, powerpc64le, and s390x architectures. Revised uv lock file header with versioned metadata.
Script and Documentation Refactoring scripts/lockfile-generators/README.md, scripts/lockfile-generators/download-npm.sh, scripts/lockfile-generators/prefetch-all.sh	Updated documentation for variant-aware lockfile generation with component-dir inputs. Introduced find_tekton_yaml helper function for npm discovery. Changed npm error handling to gracefully exit when no entries exist rather than fail.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~35 minutes

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 33.33% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title accurately and concisely summarizes the main changes: COMPONENT_DIR derivation from Makefile, local build default, and Tekton discovery improvements.
Description check	✅ Passed	The PR description includes a clear reference to the issue, concise bullet points covering all major changes, and sufficient detail about modifications to GHA workflows, Makefile, shell scripts, and supporting files.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@Makefile`:
- Around line 90-96: The $(error ...) guard (triggered via the conditional that
checks $(wildcard $(BUILD_DIR)prefetch-input) and cachi2/output) is being
evaluated at parse/expansion time (even during make -n) and must be deferred;
replace the top-level $(if ... $(error ...)) with a runtime check inside the
recipe (or skip it when MAKEFLAGS includes -n). Concretely, remove the $(error
...) usage from the global expansion and instead perform the prefetch guard in
shell code within the relevant target's recipe (use the same tests on
$(BUILD_DIR)prefetch-input and cachi2/output), or wrap the existing check with a
guard that detects dry-run via $(filter -n,$(MAKEFLAGS))/$(MAKEFLAGS) so the
error is suppressed during make -n; keep references to LOCAL_BUILD_ARG,
CACHI2_VOLUME and the same messages but ensure the check runs at execution time
not parse time.

---

ℹ️ Review info

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Cache: Disabled due to data retention organization setting

Knowledge base: Disabled due to data retention organization setting

📥 Commits

Reviewing files that changed from the base of the PR and between 3c7287e and f771fe7.

📒 Files selected for processing (7)

• .github/workflows/build-notebooks-TEMPLATE.yaml
• Makefile
• codeserver/ubi9-python-3.12/prefetch-input/odh/artifacts.lock.yaml
• codeserver/ubi9-python-3.12/uv.lock.d/pylock.cpu.toml
• scripts/lockfile-generators/README.md
• scripts/lockfile-generators/download-npm.sh
• scripts/lockfile-generators/prefetch-all.sh

[coderabbitai]

⚠️ Potential issue | 🔴 Critical

$(error) triggers during make -n dry-run, breaking COMPONENT_DIR derivation.

The pipeline failures show this error occurring at line 96. The issue is that the GHA workflow (line 285) runs make -n "${{ inputs.target }}" to derive COMPONENT_DIR before running prefetch-all.sh. However, the $(error ...) on line 96 is evaluated during Makefile parsing/expansion—even during a dry-run—causing the workflow to fail before it can determine whether to run prefetch.

The $(if ...) with $(error ...) is evaluated when the recipe is expanded, which happens during make -n to show what commands would run.

Consider either:

1. Move the guard to shell code within the recipe so it only runs during actual execution, not dry-run
2. Skip the guard during dry-run by checking a variable or using a different pattern

🐛 Proposed fix: Move guard to shell code in the recipe

 	# Fail fast with a clear message if team runs make without prefetching first.
-	$(if $(wildcard $(BUILD_DIR)prefetch-input),$(if $(wildcard cachi2/output),,$(error Prefetch required for hermetic build. Run: scripts/lockfile-generators/prefetch-all.sh --component-dir $(patsubst %/,%,$(BUILD_DIR)) — see scripts/lockfile-generators/README.md)),)
+	$(eval PREFETCH_GUARD := $(if $(wildcard $(BUILD_DIR)prefetch-input),$(if $(wildcard cachi2/output),,FAIL),))

 	$(info # Building $(IMAGE_NAME) using $(DOCKERFILE_NAME) with $(CONF_FILE) and $(BUILD_ARGS)...)

+	$(if $(PREFETCH_GUARD),`@echo` "Error: Prefetch required for hermetic build. Run: scripts/lockfile-generators/prefetch-all.sh --component-dir $(patsubst %/,%,$(BUILD_DIR)) — see scripts/lockfile-generators/README.md" >&2 && exit 1)
 	$(ROOT_DIR)/scripts/sandbox.py --dockerfile '$(2)' --platform '$(BUILD_ARCH)' -- \

Alternatively, use a shell check inside the recipe:

-	$(if $(wildcard $(BUILD_DIR)prefetch-input),$(if $(wildcard cachi2/output),,$(error Prefetch required for hermetic build. Run: scripts/lockfile-generators/prefetch-all.sh --component-dir $(patsubst %/,%,$(BUILD_DIR)) — see scripts/lockfile-generators/README.md)),)

 	$(info # Building $(IMAGE_NAME) using $(DOCKERFILE_NAME) with $(CONF_FILE) and $(BUILD_ARGS)...)

 	$(ROOT_DIR)/scripts/sandbox.py --dockerfile '$(2)' --platform '$(BUILD_ARCH)' -- \
-		$(CONTAINER_ENGINE) build $(CONTAINER_BUILD_CACHE_ARGS) $(LOCAL_BUILD_ARG) $(CACHI2_VOLUME) --platform=$(BUILD_ARCH) --label release=$(RELEASE) --tag $(IMAGE_NAME) --file '$(2)' $(BUILD_ARGS) {}\;
+		sh -c 'if [ -d "$(BUILD_DIR)prefetch-input" ] && [ ! -d "cachi2/output" ]; then echo "Error: Prefetch required for hermetic build. Run: scripts/lockfile-generators/prefetch-all.sh --component-dir $(patsubst %/,%,$(BUILD_DIR)) — see scripts/lockfile-generators/README.md" >&2; exit 1; fi' && \
+		$(CONTAINER_ENGINE) build $(CONTAINER_BUILD_CACHE_ARGS) $(LOCAL_BUILD_ARG) $(CACHI2_VOLUME) --platform=$(BUILD_ARCH) --label release=$(RELEASE) --tag $(IMAGE_NAME) --file '$(2)' $(BUILD_ARGS) {}\;

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@Makefile` around lines 90 - 96, The $(error ...) guard (triggered via the
conditional that checks $(wildcard $(BUILD_DIR)prefetch-input) and
cachi2/output) is being evaluated at parse/expansion time (even during make -n)
and must be deferred; replace the top-level $(if ... $(error ...)) with a
runtime check inside the recipe (or skip it when MAKEFLAGS includes -n).
Concretely, remove the $(error ...) usage from the global expansion and instead
perform the prefetch guard in shell code within the relevant target's recipe
(use the same tests on $(BUILD_DIR)prefetch-input and cachi2/output), or wrap
the existing check with a guard that detects dry-run via $(filter
-n,$(MAKEFLAGS))/$(MAKEFLAGS) so the error is suppressed during make -n; keep
references to LOCAL_BUILD_ARG, CACHI2_VOLUME and the same messages but ensure
the check runs at execution time not parse time.

[openshift-ci]

@ysok: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/codeserver-ubi9-python-3-12-pr-image-mirror	f771fe7	link	true	/test codeserver-ubi9-python-3-12-pr-image-mirror

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.