Script to automate the rebase process #103

Open
siddhibhor-56 wants to merge 1 commit into openshift:main from siddhibhor-56:rebase-automate

@siddhibhor-56
Contributor

  • Introduced a CLI automation tool to streamline multi-step rebases with prerequisites checks, version auto-detection, and safety backups.
  • Supports dry-run mode, per-step execution, and optional commit skipping for controlled, repeatable updates.
  • Enhances visibility with colorized logs and clear summaries to guide users through the process.

@coderabbitai

coderabbitai bot commented Jan 29, 2026

Walkthrough

A new Bash automation script is introduced to orchestrate the external-secrets-operator rebase process. The script handles dependency updates, Makefile variables, operand manifests, CSV metadata, and bundle manifest generation through five sequential steps, with support for dry-run mode, version auto-detection, and optional backups.

Changes

Cohort: Rebase Automation Script
File(s): rebase_automation.sh
Summary: New shell script providing orchestrated rebase workflow with environment setup, validation, backup capability, five sequential steps for version bumping and manifest updates, dry-run mode, step-specific execution, and optional commit generation.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

@openshift-ci

openshift-ci bot commented Jan 29, 2026

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: siddhibhor-56
Once this PR has been reviewed and has the lgtm label, please assign bharath-b-rh for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 3

🤖 Fix all issues with AI agents
In `@rebase_automation.sh`:
- Line 14: Default TARGET_BRANCH value and usage text still reference "master"
while the repo uses "main"; update the variable and any help/usage strings to
"main". Edit the TARGET_BRANCH default assignment
(TARGET_BRANCH="${TARGET_BRANCH:-master}") to use "main" and search the script
for other occurrences of "master" in usage/help messages or comments (around the
other mention at lines ~30) and replace them with "main" so defaults and
guidance match the repository's main branch.
- Around line 45-56: The check_prerequisites() function lacks a guard ensuring a
clean git working tree, so uncommitted changes may be accidentally included by
later automated commits (notably where the script runs git add .); update
check_prerequisites() to run a git status --porcelain (or git diff --quiet &&
git diff --staged --quiet) and fail with log_error if output exists, instructing
the user to stash or commit changes, ensuring the script exits non‑zero when the
tree is dirty; reference check_prerequisites() and the places the script uses
git add . / git commit to locate where to add this validation.
- Around line 101-112: After each sed invocation in step2_update_makefile (the
two sed -i lines updating VERSION and EXTERNAL_SECRETS_VERSION) add a
verification check that greps the target file for the new value (e.g., grep -q
"VERSION ?= $NEW_BUNDLE_VERSION" Makefile and grep -q "EXTERNAL_SECRETS_VERSION
?= $NEW_EXTERNAL_SECRETS_VERSION" Makefile); if the grep fails, call log_error
with a clear message and exit non-zero so the script doesn't silently continue.
Apply the same pattern in step4_update_csv for the sed calls that update CSVs
(verify the new bundle/versions exist using grep -q for the exact new tokens you
expect after each sed), and use the existing logging helpers
(log_info/log_error) to report success or abort on failure.

NEW_BUNDLE_VERSION="${NEW_BUNDLE_VERSION:-}"
OLD_BUNDLE_VERSION="${OLD_BUNDLE_VERSION:-}"
OLD_EXTERNAL_SECRETS_VERSION="${OLD_EXTERNAL_SECRETS_VERSION:-}"
TARGET_BRANCH="${TARGET_BRANCH:-master}"

⚠️ Potential issue | 🟡 Minor

Default TARGET_BRANCH should match the repo’s main branch.

The PR targets main, but the default and usage text still say master, which can mislead the next-steps guidance.

🛠️ Suggested fix
-TARGET_BRANCH="${TARGET_BRANCH:-master}"
+TARGET_BRANCH="${TARGET_BRANCH:-main}"

-  TARGET_BRANCH                Target git branch for PR (default: master)
+  TARGET_BRANCH                Target git branch for PR (default: main)
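
Review bot: the default in the assignment and the default quoted in the usage text remain two separate literals after this change, which is how they came to disagree with the repository in the first place; consider having the usage text print the same value the assignment uses so the two cannot drift apart again.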

Also applies to: 30-30

🤖 Prompt for AI Agents
In `@rebase_automation.sh` at line 14, Default TARGET_BRANCH value and usage text
still reference "master" while the repo uses "main"; update the variable and any
help/usage strings to "main". Edit the TARGET_BRANCH default assignment
(TARGET_BRANCH="${TARGET_BRANCH:-master}") to use "main" and search the script
for other occurrences of "master" in usage/help messages or comments (around the
other mention at lines ~30) and replace them with "main" so defaults and
guidance match the repository's main branch.

Comment on lines +45 to +56
check_prerequisites() {
log_info "Checking prerequisites..."
if ! git rev-parse --git-dir > /dev/null 2>&1; then log_error "Not in a git repository"; exit 1; fi
local required_tools=("go" "make" "sed" "grep")
for tool in "${required_tools[@]}"; do
if ! command -v "$tool" &> /dev/null; then log_error "$tool is not installed"; exit 1; fi
done
if [[ -z "$NEW_EXTERNAL_SECRETS_VERSION" ]]; then log_error "NEW_EXTERNAL_SECRETS_VERSION is not set"; log_info "Example: export NEW_EXTERNAL_SECRETS_VERSION=v0.20.1"; exit 1; fi
if [[ -z "$NEW_BUNDLE_VERSION" ]]; then log_error "NEW_BUNDLE_VERSION is not set"; log_info "Example: export NEW_BUNDLE_VERSION=1.1.0"; exit 1; fi
if [[ ! "$NEW_EXTERNAL_SECRETS_VERSION" =~ ^v ]]; then NEW_EXTERNAL_SECRETS_VERSION="v${NEW_EXTERNAL_SECRETS_VERSION}"; log_warning "Added 'v' prefix to external-secrets version: $NEW_EXTERNAL_SECRETS_VERSION"; fi
log_success "Prerequisites check passed"
}
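
Review bot: NEW_EXTERNAL_SECRETS_VERSION and NEW_BUNDLE_VERSION are only tested for being non-empty (the two `-z` checks), and the `=~ ^v` test accepts anything that starts with `v`. Both values are later interpolated into sed expressions in step 2, so validate their shape here, for example against `^v?[0-9]+\.[0-9]+\.[0-9]+$`, and exit through log_error on anything else, so that a value containing `/`, `|` or `&` cannot change what the substitution does.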

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

find . -type f -name "rebase_automation.sh" | head -20

Repository: openshift/external-secrets-operator

Length of output: 101


🏁 Script executed:

cat -n rebase_automation.sh

Repository: openshift/external-secrets-operator

Length of output: 13624


Add a clean working tree guard before making commits.

The script performs multiple automated commits across 5 steps (lines 95, 115, 133, 165, 188). Without a preflight check for uncommitted changes, unrelated local modifications could interfere with git operations or be unexpectedly included in commits—particularly in step 5 where git add . is used. Add this validation to check_prerequisites():

Suggested fix
     log_info "Checking prerequisites..."
     if ! git rev-parse --git-dir > /dev/null 2>&1; then log_error "Not in a git repository"; exit 1; fi
+    if [[ -n "$(git status --porcelain)" ]]; then
+        log_error "Working tree has uncommitted changes. Please commit or stash before running."
+        exit 1
+    fi
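
Review bot: `git status --porcelain` in the added condition also lists untracked files, so the guard fires on a tree that has nothing uncommitted in the usual sense and the message on the following line will not explain why. Untracked files are exactly what a later `git add .` would sweep in, so keep the check as written and reword the message to say "uncommitted or untracked changes".
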
🤖 Prompt for AI Agents
In `@rebase_automation.sh` around lines 45 - 56, The check_prerequisites()
function lacks a guard ensuring a clean git working tree, so uncommitted changes
may be accidentally included by later automated commits (notably where the
script runs git add .); update check_prerequisites() to run a git status
--porcelain (or git diff --quiet && git diff --staged --quiet) and fail with
log_error if output exists, instructing the user to stash or commit changes,
ensuring the script exits non‑zero when the tree is dirty; reference
check_prerequisites() and the places the script uses git add . / git commit to
locate where to add this validation.

Comment on lines +101 to +112
step2_update_makefile() {
log_info "Step 2: Update Makefile: VERSION, EXTERNAL_SECRETS_VERSION"
if [[ "$DRY_RUN" == "true" ]]; then
log_warning "[DRY RUN] Would update Makefile:"
echo " VERSION: $OLD_BUNDLE_VERSION -> $NEW_BUNDLE_VERSION"
echo " EXTERNAL_SECRETS_VERSION: $OLD_EXTERNAL_SECRETS_VERSION -> $NEW_EXTERNAL_SECRETS_VERSION"
return 0
fi
log_info "Updating VERSION: $OLD_BUNDLE_VERSION -> $NEW_BUNDLE_VERSION"
sed -i "s/^VERSION ?= $OLD_BUNDLE_VERSION/VERSION ?= $NEW_BUNDLE_VERSION/" Makefile
log_info "Updating EXTERNAL_SECRETS_VERSION: $OLD_EXTERNAL_SECRETS_VERSION -> $NEW_EXTERNAL_SECRETS_VERSION"
sed -i "s|^EXTERNAL_SECRETS_VERSION ?= $OLD_EXTERNAL_SECRETS_VERSION|EXTERNAL_SECRETS_VERSION ?= $NEW_EXTERNAL_SECRETS_VERSION|" Makefile
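
Review bot: both sed lines interpolate $OLD_BUNDLE_VERSION and $OLD_EXTERNAL_SECRETS_VERSION into the pattern unescaped, so every `.` in a version matches any character, and if either variable is still empty at this point the pattern reduces to the bare `VERSION ?= ` prefix and the new version is written in front of the old one. Check that both OLD values are non-empty before the substitutions, escape the dots, and end the pattern with `$` so only the exact line is rewritten.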

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

find . -name "rebase_automation.sh" -type f

Repository: openshift/external-secrets-operator

Length of output: 101


🏁 Script executed:

wc -l ./rebase_automation.sh

Repository: openshift/external-secrets-operator

Length of output: 105


🏁 Script executed:

cat -n ./rebase_automation.sh

Repository: openshift/external-secrets-operator

Length of output: 13624


Add verification checks after sed operations to catch silent failures in Makefile and CSV updates.

sed -i succeeds with exit code 0 even when the pattern doesn't match, risking silent no-ops if file formats differ from expectations (e.g., due to merge conflicts or whitespace changes). The script will report success while leaving old versions in place. Add grep verification after each sed operation to ensure changes were applied, or use a more defensive approach.

Suggested verification pattern
     log_info "Updating VERSION: $OLD_BUNDLE_VERSION -> $NEW_BUNDLE_VERSION"
     sed -i "s/^VERSION ?= $OLD_BUNDLE_VERSION/VERSION ?= $NEW_BUNDLE_VERSION/" Makefile
+    grep -Fq "VERSION ?= $NEW_BUNDLE_VERSION" Makefile || { log_error "Failed to update VERSION in Makefile"; exit 1; }
     log_info "Updating EXTERNAL_SECRETS_VERSION: $OLD_EXTERNAL_SECRETS_VERSION -> $NEW_EXTERNAL_SECRETS_VERSION"
     sed -i "s|^EXTERNAL_SECRETS_VERSION ?= $OLD_EXTERNAL_SECRETS_VERSION|EXTERNAL_SECRETS_VERSION ?= $NEW_EXTERNAL_SECRETS_VERSION|" Makefile
+    grep -Fq "EXTERNAL_SECRETS_VERSION ?= $NEW_EXTERNAL_SECRETS_VERSION" Makefile || { log_error "Failed to update EXTERNAL_SECRETS_VERSION in Makefile"; exit 1; }
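
Review bot: the two added `grep -Fq` checks are unanchored substring matches, so the VERSION check is also satisfied by a longer value (a line ending in `1.1.01` when the target is `1.1.0`), by a comment containing the text, or by any other variable whose name ends in VERSION. It also passes when sed changed nothing because the string was already in the file. Use a whole-line match (`grep -Fxq`) for the post-check and test for the old line before running sed to catch the no-op case.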

Apply the same pattern to CSV updates in step4_update_csv() (lines 152, 153, 155, 161).

🤖 Prompt for AI Agents
In `@rebase_automation.sh` around lines 101 - 112, After each sed invocation in
step2_update_makefile (the two sed -i lines updating VERSION and
EXTERNAL_SECRETS_VERSION) add a verification check that greps the target file
for the new value (e.g., grep -q "VERSION ?= $NEW_BUNDLE_VERSION" Makefile and
grep -q "EXTERNAL_SECRETS_VERSION ?= $NEW_EXTERNAL_SECRETS_VERSION" Makefile);
if the grep fails, call log_error with a clear message and exit non-zero so the
script doesn't silently continue. Apply the same pattern in step4_update_csv for
the sed calls that update CSVs (verify the new bundle/versions exist using grep
-q for the exact new tokens you expect after each sed), and use the existing
logging helpers (log_info/log_error) to report success or abort on failure.
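
The silent no-op described in the review comment above, as an added example that is not part of the PR or of rebase_automation.sh: `naive_set` mirrors the unchecked substitution and `set_make_var` checks before and after it. The function names, return codes and the two sample Makefile lines are assumptions made for illustration.

```bash
#!/usr/bin/env bash
# Added example, not code from rebase_automation.sh; function names are hypothetical.

# Escape BRE metacharacters so "1.0.0" matches only itself, not "1x0y0".
escape_bre() { printf '%s' "$1" | sed 's|[][\.*^$/]|\\&|g'; }

# Unchecked form, as in the reviewed step: sed exits 0 even when nothing matched,
# and an empty OLD makes the pattern match the bare "VAR ?= " prefix.
naive_set() {  # FILE VAR OLD NEW
    sed "s/^$2 ?= $3/$2 ?= $4/" "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Checked form. Returns 0 on success, 2 for bad arguments,
# 3 when no "VAR ?= OLD" line exists, 4 when the result cannot be confirmed.
set_make_var() {  # FILE VAR OLD NEW
    [ -n "$3" ] || return 2
    # NEW must be a plain version string, so it cannot alter the sed expression.
    case $4 in ''|*[!v0-9.]*) return 2 ;; esac
    printf '%s\n' "$4" | grep -Eqx 'v?[0-9]+\.[0-9]+\.[0-9]+' || return 2
    # Pre-check: fixed-string, whole-line match of the line sed is meant to change.
    grep -Fxq -- "$2 ?= $3" "$1" || return 3
    _tmp=$(mktemp) || return 4
    sed "s/^$2 ?= $(escape_bre "$3")\$/$2 ?= $4/" "$1" > "$_tmp" && cat "$_tmp" > "$1"
    rm -f "$_tmp"
    # Post-check: exactly one whole line now carries the new value.
    [ "$(grep -Fxc -- "$2 ?= $4" "$1")" -eq 1 ] || return 4
}

# Constructed sample standing in for the two Makefile lines the step edits.
make_sample() {
    printf '%s\n' 'VERSION ?= 1.0.0' 'EXTERNAL_SECRETS_VERSION ?= v0.19.0' > "$1"
}
```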

@openshift-ci

openshift-ci bot commented Jan 29, 2026

@siddhibhor-56: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.
