Fix gcr-io supplemental image build triggers#79380

Open
petr-muller wants to merge 2 commits into
openshift:mainfrom
petr-muller:pm2602-label-sync-log-versions

Conversation

@petr-muller
Member

@petr-muller petr-muller commented May 17, 2026

Summary

  • Fix broken CronJob build triggers: All 8 CronJobs in gcr-io/ namespace have been failing because the builder SA lacks buildconfigs/instantiate permission (only has system:image-builder which doesn't include it). Introduces a dedicated build-trigger ServiceAccount with a Role granting exactly create on buildconfigs/instantiate, and switches all CronJobs to use it.
  • Retarget commenter BuildConfig: The ci_commenter_latest image tag is now actively managed by the openshift/ci-tools-standalone promotion pipeline. Retargets this BuildConfig's output to ci_test-infra-commenter_latest to avoid dual-provenance conflict.

Context

The CronJob triggers have never worked — the September 2025 builds (the last successful ones) were triggered manually. All trigger pods fail with:

Error from server (Forbidden): buildconfigs.build.openshift.io "label-sync"
is forbidden: User "system:serviceaccount:gcr-io:builder" cannot create
resource "buildconfigs/instantiate" in API group "build.openshift.io"
in the namespace "gcr-io"

This means all 8 images (boskos, checkconfig, cleaner, commenter, gcsweb, git, label-sync, reaper) have been stale for ~8 months.

Test plan

  • Verify the build-trigger SA, Role, and RoleBinding are created in gcr-io namespace after merge
  • Create a manual Job from one of the CronJobs to confirm oc start-build succeeds with the new SA
  • Verify the commenter BuildConfig produces ci_test-infra-commenter_latest (not ci_commenter_latest)

🤖 Generated with Claude Code

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Fix broken supplemental image build triggers in gcr-io namespace

This PR fixes failing CronJob build triggers in the OpenShift CI gcr-io namespace that have been unable to instantiate builds since September 2025. The underlying issue is that the existing builder ServiceAccount lacks the necessary permission to execute the buildconfigs/instantiate action required by the oc start-build commands triggered by the scheduled jobs.

Solution:

  • Introduces a new build-trigger ServiceAccount in the gcr-io namespace with a corresponding Role that explicitly grants the create verb on buildconfigs/instantiate resources
  • Updates eight CronJobs (boskos, checkconfig, cleaner, commenter, gcsweb, git, label-sync, reaper) to use the new ServiceAccount instead of the outdated builder account
  • This restores the ability for the scheduled build triggers to instantiate builds and keep supplemental container images current

Related change:
Retargets the commenter BuildConfig output image tag from ci_commenter_latest to ci_test-infra-commenter_latest to resolve a dual-provenance conflict, as the openshift/ci-tools-standalone promotion pipeline now owns the ci_commenter_latest tag.

petr-muller and others added 2 commits May 17, 2026 23:33
…lone

The ci_commenter_latest image is now actively managed by the
openshift/ci-tools-standalone promotion pipeline. Retarget the gcr-io
BuildConfig to ci_test-infra-commenter_latest so it no longer
overwrites the promoted image.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
The CronJob triggers for all BuildConfigs in the gcr-io namespace have
been failing because the default builder SA lacks the
buildconfigs/instantiate permission. Introduce a dedicated build-trigger
SA with a minimal Role granting only that verb, and switch all CronJobs
to use it.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@openshift-merge-bot openshift-merge-bot Bot added the rehearsals-ack Signifies that rehearsal jobs have been acknowledged label May 17, 2026
@openshift-merge-bot
Contributor

[REHEARSALNOTIFIER]
@petr-muller: no rehearsable tests are affected by this change

Note: If this PR includes changes to step registry files (ci-operator/step-registry/) and you expected jobs to be found, try rebasing your PR onto the base branch. This helps pj-rehearse accurately detect changes when the base branch has moved forward.

@openshift-ci openshift-ci Bot requested review from deepsm007 and droslean May 17, 2026 21:54
@coderabbitai
Contributor

coderabbitai Bot commented May 17, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 3eff852a-f4da-4cce-ab1e-dd300c7a9eba

📥 Commits

Reviewing files that changed from the base of the PR and between 16e4c03 and e4db6f8.

📒 Files selected for processing (10)
  • clusters/app.ci/supplemental-ci-images/gcr-io/README.md
  • clusters/app.ci/supplemental-ci-images/gcr-io/admin_build-trigger_rbac.yaml
  • clusters/app.ci/supplemental-ci-images/gcr-io/boskos.yaml
  • clusters/app.ci/supplemental-ci-images/gcr-io/checkconfig.yaml
  • clusters/app.ci/supplemental-ci-images/gcr-io/cleaner.yaml
  • clusters/app.ci/supplemental-ci-images/gcr-io/commenter.yaml
  • clusters/app.ci/supplemental-ci-images/gcr-io/gcsweb.yaml
  • clusters/app.ci/supplemental-ci-images/gcr-io/git.yaml
  • clusters/app.ci/supplemental-ci-images/gcr-io/label-sync.yaml
  • clusters/app.ci/supplemental-ci-images/gcr-io/reaper.yaml

Walkthrough

This PR establishes a new Kubernetes service account with restricted RBAC permissions and migrates all supplemental CI image build trigger CronJobs to use it instead of the generic builder account, reducing privilege scope. Documentation and image references are updated accordingly.

Changes

Build Trigger Service Account Migration

Layer / File(s): Summary

  • Create build-trigger ServiceAccount and RBAC permissions (clusters/app.ci/supplemental-ci-images/gcr-io/admin_build-trigger_rbac.yaml): Adds ServiceAccount/build-trigger, a Role granting create on buildconfigs/instantiate in build.openshift.io, and a RoleBinding connecting them in the gcr-io namespace.
  • Migrate CronJob definitions to build-trigger service account (clusters/app.ci/supplemental-ci-images/gcr-io/boskos.yaml, checkconfig.yaml, cleaner.yaml, commenter.yaml, gcsweb.yaml, git.yaml, label-sync.yaml, reaper.yaml): Updates serviceAccount from builder to build-trigger in the pod templates of all trigger CronJob definitions.
  • Update documentation and commenter image reference (clusters/app.ci/supplemental-ci-images/gcr-io/README.md, commenter.yaml): README documents the new commenter image target; commenter.yaml BuildConfig output tag changes from ci_commenter_latest to ci_test-infra-commenter_latest.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~8 minutes

Suggested labels

lgtm, approved, rehearsals-ack

Suggested reviewers

  • jgbernalp
🚥 Pre-merge checks: 12 passed

  • Description Check: ✅ Passed. Check skipped; CodeRabbit's high-level summary is enabled.
  • Title check: ✅ Passed. The PR title 'Fix gcr-io supplemental image build triggers' directly summarizes the main change: fixing broken CronJob build triggers in the gcr-io namespace by introducing a dedicated ServiceAccount and updating trigger configurations.
  • Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
  • Linked Issues check: ✅ Passed. Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check: ✅ Passed. Check skipped because no linked issues were found for this pull request.
  • Stable And Deterministic Test Names: ✅ Passed. This PR contains only Kubernetes manifests and documentation (YAML and Markdown files). No Ginkgo tests are present. The custom check is not applicable to this PR.
  • Test Structure And Quality: ✅ Passed. This PR contains only YAML manifests and README documentation changes. It does not include any Ginkgo test code. The custom check for test structure and quality is not applicable to this PR.
  • Microshift Test Compatibility: ✅ Passed. The custom check for MicroShift test compatibility is not applicable to this PR. The PR contains only Kubernetes manifest YAML files and documentation updates; no Ginkgo e2e tests are being added.
  • Single Node Openshift (SNO) Test Compatibility: ✅ Passed. This PR contains no new Ginkgo e2e tests. All changes are to YAML manifests and documentation in the gcr-io supplemental images directory. The SNO compatibility check is not applicable.
  • Topology-Aware Scheduling Compatibility: ✅ Passed. No scheduling constraints introduced. PR modifies only RBAC and CronJob serviceAccount fields, without topology-incompatible constraints.
  • OTE Binary Stdout Contract: ✅ Passed. PR contains only YAML manifests and README documentation. No Go source code is modified. The OTE Binary Stdout Contract check applies only to Go binaries and is not applicable here.
  • IPv6 And Disconnected Network Test Compatibility: ✅ Passed. Check not applicable. This PR contains only Kubernetes manifests (YAML) and README documentation. No Ginkgo e2e tests are added. The custom check applies only when new Ginkgo test code is introduced.


@openshift-ci
Contributor

openshift-ci Bot commented May 17, 2026

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: petr-muller
Once this PR has been reviewed and has the lgtm label, please assign deepsm007 for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci
Contributor

openshift-ci Bot commented May 17, 2026

@petr-muller: all tests passed!

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

Labels

rehearsals-ack Signifies that rehearsal jobs have been acknowledged
