Detect duplicate labels in label-sync validation

[petr-muller]

Summary

• The periodic-label-sync job started failing because a repo-specific label (ViaQ/vector: tide/merge-method-squash) duplicated a default label, which label_sync treats as invalid config
• The presubmit check-labels validation (hack/validate-labels.py) only checked description lengths, so the duplicate passed CI
• Add duplicate detection: repo labels vs default, org labels vs default, and repo labels vs their org labels

Test plan

• Verified current config passes validation
• Verified the script catches the exact duplicate that caused the periodic-label-sync failure (ViaQ/vector redefining tide/merge-method-squash from default)

🤖 Generated with Claude Code

Label validation added to prevent periodic label-sync failures

What changed:

• hack/validate-labels.py now performs duplicate-name checks in addition to description-length validation when validating core GitHub labels (core-services/prow/02_config/_labels.yaml).
• It collects default label names and then:
  • Validates default labels' description lengths.
  • For org-level labels: validates description lengths and reports any that duplicate a default label (error message: "orgs//: duplicates default label").
  • For repo-level labels: validates description lengths and reports duplicates against default labels ("repos//: duplicates default label") and against its parent org's labels ("repos//: duplicates org-level label from ").

Why it matters:

• The periodic-label-sync job fails when a repo defines a label name that duplicates a default or org-level label (label_sync treats those as invalid). Previously, CI (check-labels presubmit) only enforced description length, so such conflicts could be merged unnoticed.
• The change ensures repository and org label conflicts are caught during validation, preventing configuration that would break label-sync.

Scope / impact:

• Affects label validation for OpenShift release CI configuration (core-services/prow/_labels.yaml validation).
• Error output is printed as "Label validation errors:" followed by lines for each violation and causes the script to exit with status 1; otherwise it prints "All labels are valid."

Tests:

• The updated script was run against current config (passes).
• The script successfully detected the duplicate that caused the periodic failure (ViaQ/vector redefining tide/merge-method-squash).

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 8460901a-f0bc-4056-8333-1baf3bb6cfc2

📥 Commits

Reviewing files that changed from the base of the PR and between 37d0ebc and 0502c34.

📒 Files selected for processing (1)

• hack/validate-labels.py

🚧 Files skipped from review as they are similar to previous changes (1)

• hack/validate-labels.py

---

Walkthrough

hack/validate-labels.py is expanded to detect duplicate label names across the default, organization, and repository hierarchy levels. A new label_names() helper extracts label names, main() precomputes default label names, and validation logic for org and repo labels now checks for duplicates with hierarchical-level-specific error messages.

Changes

Label duplicate detection validation

Layer / File(s)	Summary
Label name extraction helper and main() initialization hack/validate-labels.py	New label_names() helper function extracts label names from label objects. main() is refactored to precompute default_labels and default_names at startup using the helper, preparing the foundation for duplicate detection.
Default label validation with updated messaging hack/validate-labels.py	Default-label description length is validated, with error messages updated to the concise "default/: …" format.
Org and repo-level duplicate detection hack/validate-labels.py	Org-level labels are validated for duplicates against default label names. Repo-level labels are validated for duplicates against both default and org-level label names, reporting "duplicates default label" or "duplicates org-level label from " respectively.
Error reporting finalization hack/validate-labels.py	Error header text and success message are updated to reflect the expanded validation scope. Exit behavior (status 1 on errors, 0 on success) and final "All labels are valid." output are preserved.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Possibly related PRs

• openshift/release#79266: Resolves a duplicate label detection case by removing a repo-specific tide/merge-method-squash entry that conflicts with a default label.

Suggested labels

lgtm, ok-to-test

Suggested reviewers

• jcantrill

🚥 Pre-merge checks | ✅ 12

✅ Passed checks (12 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title 'Detect duplicate labels in label-sync validation' directly and clearly describes the main change: adding duplicate detection to the label validation script.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names	✅ Passed	PR modifies only hack/validate-labels.py (Python script). Custom check targets Ginkgo (Go testing framework) test naming. No Go test files modified, so check is not applicable.
Test Structure And Quality	✅ Passed	Not applicable. The PR modifies hack/validate-labels.py, a Python configuration validation script, not Ginkgo test code. The custom check is designed for testing quality in Ginkgo test suites.
Microshift Test Compatibility	✅ Passed	This PR only modifies hack/validate-labels.py, a Python validation script. No Ginkgo e2e tests are added or modified. The custom check is inapplicable as it applies only to new Ginkgo e2e tests.
Single Node Openshift (Sno) Test Compatibility	✅ Passed	PR modifies only hack/validate-labels.py, a Python validation script for GitHub labels. This check applies only to Ginkgo e2e tests, which are not present in this PR. Not applicable.
Topology-Aware Scheduling Compatibility	✅ Passed	PR modifies only hack/validate-labels.py, a GitHub label validation script. No deployment manifests, operator code, controllers, or Kubernetes scheduling constraints are present.
Ote Binary Stdout Contract	✅ Passed	Check is not applicable. The OTE Binary Stdout Contract applies to test binaries; this PR modifies only a Python validation script.
Ipv6 And Disconnected Network Test Compatibility	✅ Passed	Custom check is not applicable. PR only modifies hack/validate-labels.py (Python label validation script), which contains no Ginkgo e2e tests. Check applies only to new Ginkgo e2e tests.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@hack/validate-labels.py`:
- Line 55: Remove the redundant f-string prefix from the print statement that
outputs "Label validation errors:"—replace print(f"Label validation errors:")
with a normal string literal print("Label validation errors:") and scan nearby
print statements for any other unnecessary f-prefixes to avoid Ruff F541.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 0d93603a-9949-4599-9b52-594971049f05

📥 Commits

Reviewing files that changed from the base of the PR and between 16e4c03 and 37d0ebc.

📒 Files selected for processing (1)

• hack/validate-labels.py

[openshift-merge-bot]

[REHEARSALNOTIFIER]
@petr-muller: no rehearsable tests are affected by this change

Note: If this PR includes changes to step registry files (ci-operator/step-registry/) and you expected jobs to be found, try rebasing your PR onto the base branch. This helps pj-rehearse accurately detect changes when the base branch has moved forward.

Interacting with pj-rehearse

Comment: /pj-rehearse to run up to 5 rehearsals
Comment: /pj-rehearse skip to opt-out of rehearsals
Comment: /pj-rehearse {test-name}, with each test separated by a space, to run one or more specific rehearsals
Comment: /pj-rehearse more to run up to 10 rehearsals
Comment: /pj-rehearse max to run up to 25 rehearsals
Comment: /pj-rehearse auto-ack to run up to 5 rehearsals, and add the rehearsals-ack label on success
Comment: /pj-rehearse list to get an up-to-date list of affected jobs
Comment: /pj-rehearse abort to abort all active rehearsals
Comment: /pj-rehearse network-access-allowed to allow rehearsals of tests that have the restrict_network_access field set to false. This must be executed by an openshift org member who is not the PR author

Once you are satisfied with the results of the rehearsals, comment: /pj-rehearse ack to unblock merge. When the rehearsals-ack label is present on your PR, merge will no longer be blocked by rehearsals.
If you would like the rehearsals-ack label removed, comment: /pj-rehearse reject to re-block merging.

[openshift-ci]

@petr-muller: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: petr-muller, Prucek

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS [Prucek]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment