CNTRLPLANE-3050: feat(ci): use Konflux-built image for GitHub Actions runners #8092

Merged
celebdor merged 1 commit into openshift:main from celebdor:CNTRLPLANE-3050-use-konflux-runner-image
Apr 8, 2026

Conversation

@celebdor
Collaborator

@celebdor celebdor commented Mar 27, 2026

What this PR does / why we need it:

Switches the ARC runner image from the manually-built personal registry
image (quay.io/rh_ee_brcox/arc-runner) to the Konflux-built image
(quay.io/redhat-user-workloads/crt-redhat-acm-tenant/hypershift-gh-actions-runner:latest).

The image is now automatically built on every push to main that modifies
Dockerfile.github-actions-runner, producing multi-arch images (amd64 +
arm64) with pre-built golangci-lint and kube-api-linter plugin.

Updates the README to reflect the new automated build workflow and removes
the manual podman build instructions.

Which issue(s) this PR fixes:

Fixes CNTRLPLANE-3050

Special notes for your reviewer:

The Helm upgrade has already been applied to the live ARC runner set. This
PR updates the checked-in values file and documentation to match.

Checklist:

  • Subject and description added to both, commit and PR.
  • Relevant issues have been referenced.
  • This change includes docs.
  • This change includes unit tests.

🤖 Generated with Claude Code

Summary by CodeRabbit

  • Documentation

    • Updated GitHub Actions runner documentation to reflect automated image builds via Konflux/Tekton
    • Added multi-architecture image support details (amd64, arm64)
    • Updated image verification and Helm upgrade procedures
  • Chores

    • Updated runner image configuration to use latest tag from new repository

CNTRLPLANE-3050

Switch the ARC runner image from the manually-built personal registry
image (quay.io/rh_ee_brcox/arc-runner) to the Konflux-built image
(quay.io/redhat-user-workloads/crt-redhat-acm-tenant/hypershift-gh-actions-runner).

The image is now automatically built on every push to main that modifies
Dockerfile.github-actions-runner, producing multi-arch images (amd64 +
arm64) with pre-built golangci-lint and kube-api-linter plugin.

Update the README to reflect the new automated build workflow and
remove manual podman build instructions.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@openshift-ci-robot

Pipeline controller notification
This repo is configured to use the pipeline controller. Second-stage tests will be triggered either automatically or after lgtm label is added, depending on the repository configuration. The pipeline controller will automatically detect which contexts are required and will utilize /test Prow commands to trigger the second stage.

For optional jobs, comment /test ? to see a list of all defined jobs. To trigger manually all jobs from second stage use /pipeline required command.

This repository is configured in: LGTM mode

@openshift-ci openshift-ci Bot added the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Mar 27, 2026
@openshift-ci-robot openshift-ci-robot added the jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. label Mar 27, 2026
@openshift-ci
Contributor

openshift-ci Bot commented Mar 27, 2026

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

@openshift-ci-robot

openshift-ci-robot commented Mar 27, 2026

@celebdor: This pull request references CNTRLPLANE-3050 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the task to target the "4.22.0" version, but no target version was set.


Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@openshift-ci openshift-ci Bot added do-not-merge/needs-area area/ci-tooling Indicates the PR includes changes for CI or tooling and removed do-not-merge/needs-area labels Mar 27, 2026
@coderabbitai
Contributor

coderabbitai Bot commented Mar 27, 2026

Walkthrough

Updated the GitHub Actions runner configuration to reflect automated image builds and publishing via Konflux/Tekton instead of manual podman build and podman push operations. The runner container image reference was changed from a digest-pinned image to a :latest tag pointing to a new repository at quay.io/redhat-user-workloads/crt-redhat-acm-tenant/hypershift-gh-actions-runner. Documentation was updated to describe the new workflow, including multi-architecture image support (amd64 and arm64), image verification procedures using skopeo, and Helm-based rollout mechanisms. Added references to additional tooling including golangci-lint and a kube-api-linter plugin.

Member

@bryan-cox bryan-cox left a comment

/lgtm

@openshift-ci openshift-ci Bot added the lgtm Indicates that a PR is ready to be merged. label Mar 27, 2026
@openshift-ci-robot

Scheduling tests matching the pipeline_run_if_changed or not excluded by pipeline_skip_if_only_changed parameters:
/test e2e-aks
/test e2e-aws
/test e2e-aws-upgrade-hypershift-operator
/test e2e-kubevirt-aws-ovn-reduced
/test e2e-v2-aws

@openshift-ci
Contributor

openshift-ci Bot commented Mar 27, 2026

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: bryan-cox, celebdor

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci openshift-ci Bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Mar 27, 2026
@cwbotbot

cwbotbot commented Mar 27, 2026

Test Results

e2e-aws

e2e-aks

@celebdor celebdor marked this pull request as ready for review March 27, 2026 15:34
@openshift-ci openshift-ci Bot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Mar 27, 2026
@openshift-ci openshift-ci Bot requested review from csrwng and muraee March 27, 2026 15:35
@openshift-ci-robot

openshift-ci-robot commented Mar 27, 2026

@celebdor: This pull request references CNTRLPLANE-3050 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the task to target the "4.22.0" version, but no target version was set.


@celebdor
Collaborator Author

/override "ci/prow/e2e-aks"
/override "ci/prow/e2e-kubevirt-aws-ovn-reduced"
/override "ci/prow/e2e-aws"
/override "ci/prow/e2e-azure-self-managed"

@openshift-ci
Contributor

openshift-ci Bot commented Mar 27, 2026

@celebdor: Overrode contexts on behalf of celebdor: ci/prow/e2e-aks, ci/prow/e2e-aws, ci/prow/e2e-azure-self-managed, ci/prow/e2e-kubevirt-aws-ovn-reduced

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

Contributor

@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@hack/github-actions-runner/values.yaml`:
- Line 11: The image reference in the Helm values (key "image" in values.yaml)
uses the mutable tag ":latest"; replace it with an immutable reference by
pinning to a specific tag or preferably an image digest (e.g. use
quay.io/...@sha256:...) so deployments are deterministic and supply-chain
secure; update the "image" value in values.yaml (and any related image/tag
fields if present) to the chosen tag or digest and document the release/tag used
for future roll-forward via Helm.
ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository YAML (base), Organization UI (inherited)

Review profile: CHILL

Plan: Pro

Run ID: 02a44da2-a651-4779-86fb-5dd948418893

📥 Commits

Reviewing files that changed from the base of the PR and between c503233 and 830e51d.

📒 Files selected for processing (2)
  • hack/github-actions-runner/README.md
  • hack/github-actions-runner/values.yaml

containers:
- name: runner
image: quay.io/rh_ee_brcox/arc-runner@sha256:897c2265433960b2011a1fac3a39d0ce82e8e6ead8bd317b56715896ef16c368
image: quay.io/redhat-user-workloads/crt-redhat-acm-tenant/hypershift-gh-actions-runner:latest
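Review bot: the replacement `image:` line for the `runner` container drops the `@sha256:` digest that the removed line carried and points at `:latest`, so the checked-in values no longer identify which image the runners execute, and a later push to that tag changes it without any change to this file. Pin the Konflux image as `hypershift-gh-actions-runner@sha256:<digest>` and bump the digest in a commit for each roll-forward.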
Contributor

⚠️ Potential issue | 🟠 Major

Use an immutable image reference instead of :latest.

Line 11 uses a mutable tag, which makes runner behavior non-deterministic and weakens supply-chain control for CI infrastructure. Prefer pinning to a Konflux commit tag (or digest) and rolling forward intentionally via Helm.

Proposed change
-        image: quay.io/redhat-user-workloads/crt-redhat-acm-tenant/hypershift-gh-actions-runner:latest
+        image: quay.io/redhat-user-workloads/crt-redhat-acm-tenant/hypershift-gh-actions-runner:<commit-sha>
+# or:
+#       image: quay.io/redhat-user-workloads/crt-redhat-acm-tenant/hypershift-gh-actions-runner@sha256:<digest>
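Review bot: the `+` line pins to a `:<commit-sha>` tag, which is still a tag and can be re-pointed unless the registry enforces tag immutability; only the commented `@sha256:<digest>` form is content-addressed. If deterministic runners are the goal, make the digest form the primary suggestion and keep the commit tag as the fallback.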
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@hack/github-actions-runner/values.yaml` at line 11, The image reference in
the Helm values (key "image" in values.yaml) uses the mutable tag ":latest";
replace it with an immutable reference by pinning to a specific tag or
preferably an image digest (e.g. use quay.io/...@sha256:...) so deployments are
deterministic and supply-chain secure; update the "image" value in values.yaml
(and any related image/tag fields if present) to the chosen tag or digest and
document the release/tag used for future roll-forward via Helm.
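
A lint for the point raised in the review comment above, as an added example that is not part of the PR or the repository: it scans Helm values text for `image:` entries and reports every reference that is not pinned by digest. The sample values, the `quay.io/example/runner` names and the digest are constructed for illustration; only the first image reference appears in the PR.

```python
import re

DIGEST_RE = re.compile(r"@sha256:[0-9a-f]{64}$")
# Matches "image: ref" and "- image: ref"; commented-out lines do not match.
IMAGE_LINE_RE = re.compile(r"^\s*(?:-\s*)?image:\s*[\"']?([^\s\"'#]+)")

# Constructed sample; only the first image reference appears in the PR.
CONSTRUCTED_DIGEST = "sha256:" + "ab" * 32
SAMPLE_VALUES = f"""\
template:
  spec:
    containers:
    - name: runner
      image: quay.io/redhat-user-workloads/crt-redhat-acm-tenant/hypershift-gh-actions-runner:latest
    - name: pinned
      image: quay.io/example/runner@{CONSTRUCTED_DIGEST}
    - name: tagged
      image: "quay.io/example/runner:v1.2.3"
    - name: implicit
      image: localhost:5000/runner
"""


def classify(ref):
    """Return 'digest', 'bad-digest', 'latest' or 'tag' for an image reference."""
    if DIGEST_RE.search(ref):
        return "digest"
    if "@" in ref:
        return "bad-digest"  # digest present but not a full sha256 value
    # A tag colon can only follow the last '/', so a registry port is ignored.
    last = ref.rsplit("/", 1)[-1]
    tag = last.split(":", 1)[1] if ":" in last else ""
    return "latest" if tag in ("", "latest") else "tag"


def audit(values_text):
    """Return (line_number, reference, kind) for each image not pinned by digest."""
    findings = []
    for lineno, line in enumerate(values_text.splitlines(), start=1):
        match = IMAGE_LINE_RE.match(line)
        if match and classify(match.group(1)) != "digest":
            findings.append((lineno, match.group(1), classify(match.group(1))))
    return findings


if __name__ == "__main__":
    for lineno, ref, kind in audit(SAMPLE_VALUES):
        print(f"line {lineno}: {kind}: {ref}")
```

Run as a pre-merge check, a non-empty result from `audit()` would fail the job for any values file that reintroduces a tag-only reference.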

@codecov

codecov Bot commented Mar 27, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
⚠️ Please upload report for BASE (main@c74c40d). Learn more about missing BASE report.

Additional details and impacted files
@@           Coverage Diff           @@
##             main    #8092   +/-   ##
=======================================
  Coverage        ?   26.56%           
=======================================
  Files           ?     1087           
  Lines           ?   105041           
  Branches        ?        0           
=======================================
  Hits            ?    27901           
  Misses          ?    74731           
  Partials        ?     2409           

@bryan-cox
Member

/override ci/prow/e2e-azure-self-managed

@openshift-ci
Contributor

openshift-ci Bot commented Mar 30, 2026

@celebdor: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

@celebdor celebdor merged commit 2371dc8 into openshift:main Apr 8, 2026
25 of 27 checks passed