ci: add GitHub Actions workflow mirroring Prow CI jobs #275

Open

sebrandon1 wants to merge 1 commit into openshift:main from sebrandon1:ci/github-actions-workflow

ci: add GitHub Actions workflow mirroring Prow CI jobs#275
sebrandon1 wants to merge 1 commit into
openshift:mainfrom
sebrandon1:ci/github-actions-workflow

Conversation

@sebrandon1 (Member) commented May 1, 2026

Summary

Adds a GitHub Actions workflow (.github/workflows/pre-main.yml) that mirrors all 7 existing Prow CI jobs. This provides redundant CI coverage while the OpenShift CI cluster experiences capacity/scheduling issues (e.g., pod scheduling timeouts on ci/prow/verify-deps).

Supersedes #246 — that PR was closed because it bundled too many changes together (golangci-lint config migration to v2 format, source code fixes, golden file updates). This PR takes a minimal approach: only the workflow file is added, no other files are modified.

Jobs

GitHub Actions job | Prow equivalent | What it does
golint | ci/prow/golint | Runs golangci-lint v1.64 (pinned to v1.x for config compatibility)
modtidy | ci/prow/modtidy | Verifies go mod tidy produces no changes
verify-deps | ci/prow/verify-deps | Verifies vendor directory is in sync
unit | ci/prow/unit | Runs make test-all (pkg + addon tools)
security | ci/prow/security | Runs gosec + govulncheck (open-source alternative to Snyk)
images | ci/prow/images | Verifies linux/amd64 build compiles (Dockerfile uses private OpenShift base images)
markdownlint | ci/prow/markdownlint | Runs markdownlint-cli2 with existing config

Key decisions vs #246

  • No .golangci.yml changes — the existing v1 config is used as-is
  • No source code changes — purely CI infrastructure
  • golangci-lint pinned to v1.64 since the config uses v1 format
  • Security scanning uses gosec + govulncheck instead of Snyk (no API tokens needed)
  • Image build verification compiles the Go binary only (OpenShift CI base images are private)

Test plan

  • All 7 GitHub Actions jobs trigger and run on this PR
  • Jobs that should pass do pass; any failures are CI config issues to iterate on
  • Existing Prow checks continue to run alongside the new GHA checks

Summary by CodeRabbit

  • Chores
    • Added an automated CI workflow for main-branch pull requests that runs code-quality linting, dependency hygiene and vendoring checks, unit tests, security scans, documentation linting, and a Linux/amd64 build verification.

coderabbitai Bot commented May 1, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info: reviewing files that changed from the base of the PR and between 6d4a721 and b2c2049; one file selected for processing, .github/workflows/pre-main.yml, skipped from review as similar to previous changes.

Walkthrough

Adds a new GitHub Actions workflow (.github/workflows/pre-main.yml) that runs on pushes and PRs to main and executes golangci-lint, go module tidy checks, vendoring verification, unit tests, security scans (gosec, govulncheck), a linux/amd64 build, and markdown linting.

Changes

Pre-Main CI workflow (all changes are in .github/workflows/pre-main.yml)

Layer | Summary
Workflow entry & triggers | Adds the Pre-Main CI workflow, triggered on pull_request and push to main, with contents: read permissions.
Linting | Introduces a golint job that sets up Go from go.mod and runs golangci-lint v1.64 on ./... with --verbose --print-resources-usage.
Module hygiene | Adds a modtidy job that runs go mod tidy and fails if go.mod/go.sum would change.
Vendoring verification | Adds a verify-deps job that runs go mod tidy + go mod vendor and fails if any repository changes are produced.
Unit tests | Adds a unit job that runs make test-all after setting up Go from go.mod.
Security scanning | Adds a security job that installs and runs gosec (excluding generated code and vendor/) and runs govulncheck on ./....
Build verification | Adds an images job that runs GOOS=linux GOARCH=amd64 make build to verify the build.
Markdown linting | Adds a markdownlint job using markdownlint-cli2-action on **/*.md, excluding vendor/**/*.md.

Sequence Diagram(s)

sequenceDiagram
    participant GitHub as GitHub (PR / Push)
    participant Actions as GitHub Actions Runner
    participant Repo as Repository Workspace
    participant Tools as Linters & Scanners
    GitHub->>Actions: trigger workflow
    Actions->>Repo: checkout code
    Actions->>Tools: setup Go environment
    Actions->>Tools: run golangci-lint
    Tools-->>Actions: lint results
    Actions->>Tools: run go mod tidy (modtidy)
    Tools-->>Actions: modtidy diff result
    Actions->>Tools: run go mod vendor (verify-deps)
    Tools-->>Actions: vendor diff result
    Actions->>Tools: run tests (make test-all)
    Tools-->>Actions: test results
    Actions->>Tools: run gosec & govulncheck
    Tools-->>Actions: security results
    Actions->>Tools: run GOOS build
    Tools-->>Actions: build artifact/status
    Actions->>Tools: run markdownlint
    Tools-->>Actions: markdown lint results
    Actions->>GitHub: post status checks

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~5 minutes

🚥 Pre-merge checks: 12 passed

Check name | Status | Explanation
Description Check | Passed | Check skipped: CodeRabbit's high-level summary is enabled.
Title check | Passed | The title accurately summarizes the main change: adding a GitHub Actions workflow that mirrors existing Prow CI jobs.
Docstring Coverage | Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check | Passed | Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check | Passed | Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names | Passed | Custom check targets Ginkgo test names. PR only adds a CI workflow file, not test code. Repository uses standard Go testing, not Ginkgo. Check not applicable.
Test Structure And Quality | Passed | PR only adds a GitHub Actions workflow. Repository uses the Go testing package, not Ginkgo. No Ginkgo test code present. Check not applicable.
Microshift Test Compatibility | Passed | This PR adds only a GitHub Actions workflow configuration file (.github/workflows/pre-main.yml). It does not add any Ginkgo e2e tests. The custom check is not applicable.
Single Node Openshift (Sno) Test Compatibility | Passed | This PR only adds a GitHub Actions workflow file and does not add any new Ginkgo e2e tests. The SNO compatibility check applies only when new tests are added.
Topology-Aware Scheduling Compatibility | Passed | PR adds only a GitHub Actions CI workflow file. Does not add or modify deployment manifests, operator code, or controllers. No Kubernetes scheduling constraints introduced. Check is not applicable.
Ote Binary Stdout Contract | Passed | PR only adds a CI workflow file with no Go source code modifications. The OTE Binary Stdout Contract check applies to Go test binaries, not CI configuration files.
Ipv6 And Disconnected Network Test Compatibility | Passed | PR adds only a CI workflow file, not Ginkgo e2e tests. The custom check applies only when new test code is added. No test code changes present.


openshift-ci Bot requested review from imiller0 and lack, May 1, 2026 19:40

openshift-ci Bot commented May 1, 2026

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign pixelsoccupied for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

coderabbitai Bot left a comment

Actionable comments posted: 2

🧹 Nitpick comments (2)
.github/workflows/pre-main.yml (2)

3-10: ⚡ Quick win

Consider adding concurrency to cancel superseded runs (optional).

Since this workflow runs on every PR update and every push to main, adding a top-level concurrency block (cancel-in-progress: true) can reduce wasted compute when multiple commits land close together.

🟡 Optional concurrency block
 on:
   pull_request:
     branches:
       - main
   push:
     branches:
       - main
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
+  cancel-in-progress: true
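Review bot: `cancel-in-progress: true` applies to the push-to-main runs as well, because the group key falls back to `github.ref` (`refs/heads/main`) there; two commits landing on main in quick succession would cancel the first commit's run and leave it with no completed status. Limit cancellation to pull requests with `cancel-in-progress: ${{ github.event_name == 'pull_request' }}` so main-branch runs always finish.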
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/pre-main.yml around lines 3 - 10, Add a top-level GitHub
Actions concurrency block to the workflow to cancel superseded runs: under the
top-level (same level as "on:") add a "concurrency" stanza with a descriptive
group key (e.g. using "${{ github.workflow }}-${{ github.ref }}" or similar) and
set "cancel-in-progress: true" so that when multiple commits/PR updates trigger
the workflow only the latest run proceeds; update the workflow metadata near the
existing "on:" block to include this "concurrency" key.

88-109: ⚖️ Poor tradeoff

Pin security scanner tool versions; verify CLI flags & whether vendor/ is scanned.

The security job installs both scanners with @latest:

  • gosec ...@latest (Line 102)
  • govulncheck ...@latest (Line 107)

This can break CI unpredictably when either tool changes behavior/defaults. Also, please verify two things:

  1. The gosec flag -exclude-generated and -exclude-dir=vendor are valid for gosec/v2 as installed.
  2. Whether govulncheck ./... effectively excludes vendor/ in module/package discovery (to avoid slow/duplicate scanning).
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/pre-main.yml around lines 88 - 109, Pin the scanner
installs in the security job by replacing the two `@latest` installs (the `go
install github.com/securego/gosec/v2/cmd/gosec@latest` and `go install
golang.org/x/vuln/cmd/govulncheck@latest` commands) with explicit, tested
version tags (e.g. `@vX.Y.Z`), then validate the gosec CLI flags
`-exclude-generated` and `-exclude-dir=vendor` used in the `gosec
-exclude-generated -exclude-dir=vendor ./...` line against the pinned gosec v2
release and correct them if the flag names differ; finally confirm whether
`govulncheck ./...` will include `vendor/` for the pinned govulncheck release
and if it does, change the invocation to either pass an explicit package list
that excludes vendor (via `go list` filtering) or use the govulncheck
flag/option supported by that pinned release to exclude vendor, so CI behavior
is stable and vendor is not scanned twice.

ℹ️ Review info: reviewing files that changed from the base of the PR and between 0074fee and 6d4a721; one file selected for processing, .github/workflows/pre-main.yml.
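The pinning comment above asks for the two `@latest` installs to be replaced with fixed versions; the same reasoning applies to the workflow's action references such as `actions/checkout@v4`, since a tag can be moved by the action's maintainers while a full commit SHA cannot. The following lint, added here as an editor-supplied example (not the PR's workflow and not a CodeRabbit suggestion), flags both kinds of floating reference. The sample workflow it scans is constructed for the demo; the SHA on its setup-go line is a placeholder, not a real commit, and the govulncheck version tag is illustrative.

```shell
#!/bin/sh
# Added example, not code from the PR: a guardrail that flags floating
# references in a GitHub Actions workflow.  A `go install ...@latest` (or
# @main/@master) resolves to whatever the module proxy serves on the day the
# job runs, and an action pinned to a tag such as @v4 follows the tag if the
# action's maintainers move it; a 40-hex commit SHA is the only immutable
# form.  The regexes are deliberately simple: this is a CI check, not a YAML
# parser.
set -eu

FLOATING_RE='go install [^[:space:]]+@(latest|master|main)([[:space:]]|$)'
USES_RE='^[[:space:]]*(-[[:space:]]+)?uses:[[:space:]]*[^[:space:]]+@'
SHA_RE='@[0-9a-f]{40}([[:space:]]|$)'

# count_unpinned <workflow.yml>: prints the number of floating references.
count_unpinned() {
  n_tools="$(grep -cE "$FLOATING_RE" "$1" || true)"
  # uses: lines, minus docker:// images (those are digest-pinned separately)
  # and minus refs that are already a full commit SHA.
  n_actions="$(grep -E "$USES_RE" "$1" | grep -v 'docker://' \
    | grep -cvE "$SHA_RE" || true)"
  echo $((n_tools + n_actions))
}

# audit_workflow_pins <workflow.yml>: prints each offending line with its
# line number and returns 1 if there is at least one.
audit_workflow_pins() {
  grep -nE "$FLOATING_RE" "$1" | sed 's/^/floating tool version: /' || true
  grep -nE "$USES_RE" "$1" | grep -v 'docker://' | grep -vE "$SHA_RE" \
    | sed 's/^/mutable action ref:    /' || true
  [ "$(count_unpinned "$1")" -eq 0 ]
}

# sample_workflow: constructed input modelled on the PR's security job.
# The SHA on the setup-go line is a placeholder (not a real commit) and the
# govulncheck tag is illustrative.
sample_workflow() {
  cat <<'EOF'
name: Pre-Main CI
on:
  pull_request:
    branches: [main]
permissions:
  contents: read
jobs:
  security:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v4
      - name: Set up Go
        uses: actions/setup-go@aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa # v5 (placeholder SHA)
        with:
          go-version-file: go.mod
      - name: Install scanners
        run: |
          go install github.com/securego/gosec/v2/cmd/gosec@latest
          go install golang.org/x/vuln/cmd/govulncheck@latest
      - name: Install a pinned scanner (the shape the review asks for)
        run: go install golang.org/x/vuln/cmd/govulncheck@v1.1.3
EOF
}

# demo_audit: runs the audit over the sample (findings go to stderr) and
# prints the finding count.  Expected: 3 (checkout@v4, gosec@latest,
# govulncheck@latest); the SHA-pinned action and the tagged install pass.
demo_audit() {
  tmp="$(mktemp)"
  sample_workflow > "$tmp"
  audit_workflow_pins "$tmp" >&2 || true
  count_unpinned "$tmp"
  rm -f "$tmp"
}

if [ "${1:-}" = "--demo" ]; then
  demo_audit
fi
```

Run it as `sh audit.sh --demo`, or call `audit_workflow_pins .github/workflows/pre-main.yml` from a workflow step to fail the job whenever someone reintroduces an `@latest` install or a tag-only action ref. Keep the human-readable version in a trailing comment next to the SHA, as the sample does, so the pin stays reviewable.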

Comment on lines +53 to +72
  verify-deps:
    name: Verify vendor dependencies
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Set up Go
        uses: actions/setup-go@v5
        with:
          go-version-file: go.mod

      - name: Regenerate vendor directory
        run: |
          go mod tidy
          go mod vendor

      - name: Check for changes
        run: git diff --exit-code

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Make verify-deps fail on untracked changes (not just diffs).

verify-deps regenerates vendor and then runs git diff --exit-code (Line 71). git diff won’t fail on newly-created untracked files. If regeneration introduces any untracked outputs (or if vendor/ isn’t fully tracked for some reason), the job can incorrectly pass.

✅ Suggested change (use `git status --porcelain` gate)
       - name: Check for changes
-        run: git diff --exit-code
+        run: |
+          git diff --exit-code
+          status="$(git status --porcelain)"
+          if [ -n "$status" ]; then
+            echo "$status"
+            exit 1
+          fi
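Review bot: the added `git status --porcelain` gate already reports modified tracked files, so the preceding `git diff --exit-code` is redundant as a check; it is still worth keeping first because it prints the actual content change to the log, whereas porcelain prints paths only. Pass `--untracked-files=all` so that a newly created vendor subdirectory is listed file by file instead of as one collapsed `vendor/<module>/` entry. The default `run:` shell on Linux runners is `bash -e`, so a failing `git diff` already stops the step before the status check runs.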
📝 Committable suggestion

Before:

  verify-deps:
    name: Verify vendor dependencies
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v4
      - name: Set up Go
        uses: actions/setup-go@v5
        with:
          go-version-file: go.mod
      - name: Regenerate vendor directory
        run: |
          go mod tidy
          go mod vendor
      - name: Check for changes
        run: git diff --exit-code

After:

  verify-deps:
    name: Verify vendor dependencies
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v4
      - name: Set up Go
        uses: actions/setup-go@v5
        with:
          go-version-file: go.mod
      - name: Regenerate vendor directory
        run: |
          go mod tidy
          go mod vendor
      - name: Check for changes
        run: |
          git diff --exit-code
          status="$(git status --porcelain)"
          if [ -n "$status" ]; then
            echo "$status"
            exit 1
          fi
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/pre-main.yml around lines 53 - 72, The verify-deps job
currently regenerates the vendor dir and then runs git diff --exit-code which
misses untracked files; modify the check step in the verify-deps job (the step
after "Regenerate vendor directory" that currently runs git diff --exit-code) to
also detect untracked files — e.g., run git status --porcelain and fail if any
output exists (or use git ls-files --others --exclude-standard and fail on
output) so untracked vendor changes cause the job to fail.
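The gap the comment above describes can be shown end to end. The script below is an editor-supplied example, not the PR's workflow and not CodeRabbit's suggestion: it packages the clean-tree check as a reusable function and builds a throwaway repository (constructed fixture, with a made-up go.mod and a fake vendored package) in which `git diff --exit-code` passes while untracked vendor files are present. It assumes `git` is on PATH and that the runner's shell is POSIX sh or bash.

```shell
#!/bin/sh
# Added example, not code from the PR: a "clean tree" gate for regeneration
# jobs such as verify-deps.  `git diff --exit-code` inspects tracked files
# only, so a vendor/ subtree that `go mod vendor` creates for a brand-new
# dependency is invisible to it; `git status --porcelain` reports both
# tracked modifications and untracked paths.
set -eu

# assert_clean_tree <repo-dir> <label>
# Returns 0 when the working tree has neither tracked modifications nor
# untracked files; otherwise prints every offending path (with git's
# two-column status code) to stderr and returns 1.
# --untracked-files=all lists files inside a new directory individually
# instead of collapsing them to a single "dir/" entry, so the CI log names
# exactly which vendored files appeared.
assert_clean_tree() {
  repo="$1"
  label="${2:-working tree}"
  status="$(git -C "$repo" status --porcelain --untracked-files=all)"
  if [ -z "$status" ]; then
    return 0
  fi
  echo "::error::$label is not clean after regeneration" >&2
  printf '%s\n' "$status" >&2
  return 1
}

# new_repo: constructed fixture, a throwaway repository with one committed
# file.  Prints its path.
new_repo() {
  dir="$(mktemp -d)"
  git -C "$dir" init -q 2>/dev/null
  printf 'module example.invalid/app\n\ngo 1.22\n' > "$dir/go.mod"
  git -C "$dir" add go.mod
  git -C "$dir" -c user.name=ci -c user.email=ci@example.invalid \
    commit -q -m 'initial commit'
  echo "$dir"
}

# demo_untracked_vendor: the case the review comment is about.  Simulates
# `go mod vendor` adding files git has never seen, then compares the two
# gates.  Returns 0 only if `git diff --exit-code` PASSES (it misses the
# files) while assert_clean_tree FAILS (it catches them).
demo_untracked_vendor() {
  repo="$(new_repo)"
  mkdir -p "$repo/vendor/example.invalid/dep"
  printf 'package dep\n' > "$repo/vendor/example.invalid/dep/dep.go"
  rc_diff=0; git -C "$repo" diff --exit-code >/dev/null || rc_diff=$?
  rc_gate=0; assert_clean_tree "$repo" vendor 2>/dev/null || rc_gate=$?
  rm -rf "$repo"
  echo "untracked vendor file: git diff rc=$rc_diff, gate rc=$rc_gate"
  [ "$rc_diff" -eq 0 ] && [ "$rc_gate" -ne 0 ]
}

# demo_tracked_change: a modified tracked file (the go.mod/go.sum case the
# modtidy job covers).  Both gates must fail here; returns 0 if they do.
demo_tracked_change() {
  repo="$(new_repo)"
  printf '\nrequire example.invalid/dep v0.1.0\n' >> "$repo/go.mod"
  rc_diff=0; git -C "$repo" diff --exit-code >/dev/null || rc_diff=$?
  rc_gate=0; assert_clean_tree "$repo" go.mod 2>/dev/null || rc_gate=$?
  rm -rf "$repo"
  echo "modified go.mod: git diff rc=$rc_diff, gate rc=$rc_gate"
  [ "$rc_diff" -ne 0 ] && [ "$rc_gate" -ne 0 ]
}

# Run both demos when invoked as a script with --demo.
if [ "${1:-}" = "--demo" ]; then
  demo_untracked_vendor
  demo_tracked_change
fi
```

In a workflow the step reduces to `assert_clean_tree . vendor` after `go mod vendor`; the `::error::` line surfaces as a GitHub annotation on the job, and the porcelain listing in the log tells the author which files to commit.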

Comment on lines +110 to +124
  images:
    name: Build verification
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Set up Go
        uses: actions/setup-go@v5
        with:
          go-version-file: go.mod

      - name: Build for linux/amd64
        run: GOOS=linux GOARCH=amd64 make build

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Ensure images checkout fetches git tags/history for make build versioning.

Your images job checks out with default depth, but make build (per the project Makefile) appears to use git describe --tag to derive BUILD_VERSION when OS_GIT_VERSION isn’t set. With a shallow checkout, tags may be missing, which can make build metadata unstable or fail the version extraction.

✅ Suggested change (fetch full history/tags in `images`)
       - name: Checkout code
         uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
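Review bot: `fetch-depth: 0` is the right setting if the Makefile really does derive the version from `git describe`, because describe needs the tagged commit to be reachable from HEAD; `fetch-tags: true` with a shallow depth fetches the tag refs but not the history between the tag and HEAD, so describe would still fail unless HEAD itself is tagged. Confirm the dependency first (for example with `make -n build` in the job log) before paying for a full-history fetch on every run, and note that on pull_request events the checked-out ref is the synthetic merge commit, so the resulting version string describes that commit rather than the PR head.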
📝 Committable suggestion

Before:

  images:
    name: Build verification
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v4
      - name: Set up Go
        uses: actions/setup-go@v5
        with:
          go-version-file: go.mod
      - name: Build for linux/amd64
        run: GOOS=linux GOARCH=amd64 make build

After:

  images:
    name: Build verification
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v4
        with:
          fetch-depth: 0
      - name: Set up Go
        uses: actions/setup-go@v5
        with:
          go-version-file: go.mod
      - name: Build for linux/amd64
        run: GOOS=linux GOARCH=amd64 make build
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/pre-main.yml around lines 110 - 124, The images job's
checkout step uses a shallow fetch which can omit tags/history needed by make
build's git describe --tag versioning; update the actions/checkout@v4 step in
the images job to fetch full history/tags (e.g., set fetch-depth: 0 or otherwise
enable fetching tags) so git describe --tag (used by make build/BUILD_VERSION)
can find tags and produce stable build metadata.

Add a pre-main workflow with 7 independent jobs that mirror the
existing Prow CI checks: golint, modtidy, verify-deps, unit tests,
security scanning, build verification, and markdownlint.

This provides redundant CI coverage via GitHub Actions while the
OpenShift CI cluster experiences capacity issues.
@sebrandon1 sebrandon1 force-pushed the ci/github-actions-workflow branch from 6d4a721 to b2c2049 Compare May 5, 2026 17:22
openshift-ci Bot commented May 5, 2026

@sebrandon1: all tests passed!


Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.
