Merge upstream 2026-03-09

[MahnoorAsghar]

Summary by CodeRabbit

• New Features

  • Added PCI address support for network interfaces, enabling better hardware identification and management.

• Deprecations

  • FirmwareConfig is now deprecated; use HostFirmwareSettings instead.

• Breaking Changes

  • Removed IRMC BMC driver support; ensure your infrastructure uses alternative drivers (e.g., Redfish).

• Chores

  • Updated Go toolchain and dependencies to latest versions.
  • Enhanced testing infrastructure with upgraded operator versions and improved e2e configurations.

[coderabbitai]

Walkthrough

PR introduces static analysis workflow, updates Go toolchain/dependencies, adds NIC PCIAddress field across APIs and schemas, deprecates firmware fields, removes IRMC BMC driver, updates e2e test overlays to release-0.12, refactors IRSO deployment handling in upgrade tests, renames test API package alias to vbmctlapi, and refactors error handling by discarding unused return values.

Changes

Cohort / File(s)	Summary
CI/Build Infrastructure .github/workflows/zizmor.yml, Dockerfile, Makefile, go.mod, hack/ci-e2e.sh	New GitHub Actions workflow for zizmor static analysis; Go version bumps to 1.25.8; updated gophercloud and indirect dependencies; updated BMO overlay reference from release-0.9 to release-0.12 in CI script.
API Type Definitions apis/metal3.io/v1alpha1/baremetalhost_types.go, apis/metal3.io/v1alpha1/hardwaredata_types.go	Added deprecation documentation to FirmwareConfig; added PCIAddress field to NIC struct.
CRD Configuration config/base/crds/bases/metal3.io_baremetalhosts.yaml, config/base/crds/bases/metal3.io_hardwaredata.yaml, config/render/capm3.yaml	Added pciAddress field to NIC schema across CRDs; updated firmware field description to deprecation notice.
Overlay Configurations config/overlays/e2e-release-0.12/kustomization.yaml, config/overlays/fixture-release-0.12/kustomization.yaml	Updated kustomization references and baremetal-operator image tags from release-0.9 to release-0.12.
IRMC BMC Driver Removal pkg/hardwareutils/bmc/irmc.go, pkg/hardwareutils/bmc/access_test.go	Deleted entire IRMC BMC driver implementation; removed irmc test cases and test coverage.
Hardware Details Implementation pkg/provisioner/ironic/hardwaredetails/hardwaredetails.go, pkg/provisioner/ironic/hardwaredetails/hardwaredetails_test.go	Added PCIAddress field population to NIC entries in IPv4 and IPv6 paths; updated test data to include PCIAddress.
Validation and Test Updates internal/webhooks/metal3.io/v1alpha1/baremetalhost_validation_test.go, pkg/provisioner/ironic/raid_test.go	Updated test cases from IRMC to Redfish address syntax; removed deprecated FirmwareWithSupportBMC test; changed raidInterface references from irmc to redfish.
Error Handling Refactoring cmd/make-bm-worker/main.go, internal/controller/metal3.io/hostfirmwaresettings_controller.go, pkg/provisioner/ironic/factory.go, pkg/provisioner/ironic/testserver/server.go, pkg/provisioner/ironic/testserver/ironic_test.go, pkg/provisioner/ironic/factory_test.go	Refactored error handling by assigning return values to blank identifiers; wrapped deferred Close calls with func() to ignore errors; ignored Setenv/Unsetenv return values in tests.
E2E Configuration and Tests test/e2e/config/fixture.yaml, test/e2e/config/ironic.yaml, test/e2e/e2e_config.go, test/e2e/upgrade_test.go	Updated fixture overlays from release-0.9/0.10/0.11 to 0.12; added IRSO container image entries and kustomization variants; introduced deployIRSO parameter to RunUpgradeTest; added IrsoKustomization field to BMOIronicUpgradeInput.
IRSO Operator Overlays test/e2e/data/ironic-standalone-operator/ironic/overlays/e2e-release-32.0/kustomization.yaml, test/e2e/data/ironic-standalone-operator/ironic/overlays/e2e-release-33.0/kustomization.yaml, test/e2e/data/ironic-standalone-operator/operator/irso-v0.5/kustomization.yaml, test/e2e/data/ironic-standalone-operator/operator/irso-v0.7/kustomization.yaml	New Kustomize overlays for Ironic releases 32.0 and 33.0; updated IRSO v0.5 URL to v0.5.3; added new IRSO v0.7 configuration with IPA_BASEURI environment variable injection.
Test vbmctl Package Refactoring test/vbmctl/pkg/api/types.go, test/vbmctl/pkg/api/types_test.go, test/vbmctl/pkg/config/config.go, test/vbmctl/pkg/config/config_test.go, test/vbmctl/pkg/libvirt/pool.go, test/vbmctl/pkg/libvirt/templates.go, test/vbmctl/pkg/libvirt/vm.go, test/vbmctl/cmd/vbmctl/main.go, test/vbmctl/main.go	Renamed package from api to vbmctlapi; updated all type references, import aliases, method signatures, and test data to use vbmctlapi types across VM, Pool, Volume, and NetworkAttachment definitions.
Misc Test Updates pkg/provisioner/ironic/register_test.go	Added explicit error handling to prov.TryInit calls in two test cases.

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

🚥 Pre-merge checks | ✅ 3 | ❌ 2

❌ Failed checks (2 warnings)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 40.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.
Test Structure And Quality	⚠️ Warning	PR introduces Ginkgo test quality violations including unmanaged IRSO deployment outside lifecycle, missing field validation, absent assertion messages, and nil-pointer risks in cleanup.	Move IRSO deployment into BeforeEach with explicit namespace cleanup; add IrsoKustomization validation; add meaningful messages to all assertions; add nil checks in AfterEach.

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The pull request title 'Merge upstream 2026-03-09' accurately describes the primary purpose of this changeset, which is a merge of upstream changes dated 2026-03-09.
Stable And Deterministic Test Names	✅ Passed	All Ginkgo test names in the modified PR remain stable and deterministic. Test setup uses dynamically-generated values only in test bodies, not in test titles. All It(), Describe(), and DescribeTable() declarations use static, descriptive strings.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment

Tip

Try Coding Plans. Let us write the prompt for your AI agent so you can ship faster (with fewer bugs).
Share your feedback on Discord.

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: MahnoorAsghar
Once this PR has been reviewed and has the lgtm label, please assign zaneb for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[coderabbitai]

Actionable comments posted: 6

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (4)

pkg/provisioner/ironic/register_test.go (2)

1345-1362: ⚠️ Potential issue | 🟠 Major

Missing .WithDrivers() will cause TryInit() to fail.

The test server setup lacks .WithDrivers(), but the newly added TryInit() call internally invokes checkIronicConductor(), which makes an HTTP GET request to /v1/drivers. Without proper endpoint setup, the server returns an empty or malformed response causing parsing errors that TryInit() now returns as a non-nil error—failing the test.

Other tests that explicitly or implicitly use TryInit() (e.g., TestRegisterDeprovisioningNeedsPreprovisioningImage at line 1407) include .WithDrivers() in their server setup.

🐛 Proposed fix to add missing driver configuration

 	// Set up ironic server to return the node
 	ironic := testserver.NewIronic(t).
+		WithDrivers().
 		Node(nodes.Node{
 			UUID: host.Status.Provisioning.ID,
 		}).NodeUpdate(nodes.Node{
 		UUID: host.Status.Provisioning.ID,
 	})

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@pkg/provisioner/ironic/register_test.go` around lines 1345 - 1362, The test
server created by testserver.NewIronic(...) is missing a drivers endpoint,
causing prov.TryInit (which calls checkIronicConductor and issues a GET
/v1/drivers) to fail; fix by updating the NewIronic chain in register_test.go to
include .WithDrivers() on the ironic test server instance (the same place you
call NewIronic(...).Node(...).NodeUpdate(...)) so the drivers endpoint returns a
valid response for TryInit/checkIronicConductor.

---

1375-1392: ⚠️ Potential issue | 🟠 Major

Same issue: missing .WithDrivers() will cause TryInit() to fail.

Same problem as TestRegisterDisablePowerOff—the test server is configured with .WithVersion("1.87") but lacks .WithDrivers(). The TryInit() call will fail when querying /v1/drivers.

🐛 Proposed fix

 	// Set up ironic server to return the node
-	ironic := testserver.NewIronic(t).WithVersion("1.87").
+	ironic := testserver.NewIronic(t).WithVersion("1.87").WithDrivers().
 		Node(nodes.Node{
 			UUID: host.Status.Provisioning.ID,
 		}).NodeUpdate(nodes.Node{
 		UUID: host.Status.Provisioning.ID,
 	})

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@pkg/provisioner/ironic/register_test.go` around lines 1375 - 1392, The test
server is missing a drivers list so prov.TryInit() fails when it queries
/v1/drivers; update the testserver setup chain (the
NewIronic(...).WithVersion("1.87") call before .Node(...) / .NodeUpdate(...)) to
include a .WithDrivers(...) call supplying the drivers that TryInit expects
(e.g., include the BMC/provisioning drivers used elsewhere such as "ipmi" or
whatever drivers your TryInit logic asserts), so the server responds to
/v1/drivers and TryInit succeeds.

pkg/provisioner/ironic/factory.go (1)

371-383: ⚠️ Potential issue | 🟠 Major

Don't swallow Close() errors here.

When writing the CA certificate file, ignoring the Close() error means the final flush to disk can fail silently. The function would still return a path to a potentially incomplete file, causing downstream TLS configuration errors that are disconnected from the actual I/O failure.

💾 Suggested fix

 func writeTempFile(prefix string, data []byte) (string, error) {
 	tmpFile, err := os.CreateTemp("", prefix)
 	if err != nil {
 		return "", err
 	}
-	defer func() { _ = tmpFile.Close() }()
-
-	_, err = tmpFile.Write(data)
-	if err != nil {
+	if _, err = tmpFile.Write(data); err != nil {
+		_ = tmpFile.Close()
+		return "", err
+	}
+	if err = tmpFile.Close(); err != nil {
 		return "", err
 	}
 
 	return tmpFile.Name(), nil
 }

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@pkg/provisioner/ironic/factory.go` around lines 371 - 383, The writeTempFile
function currently defers and ignores tmpFile.Close() which can hide flush/close
errors; modify writeTempFile so Close() error is captured and returned if
non-nil (or combined with any existing write error) instead of being swallowed:
perform the write to tmpFile, then call tmpFile.Close() (capturing its error),
and if either the write or the Close returned an error return that error (or a
wrapped/combined error) and avoid returning a filename on failure; update
references to the tmpFile variable and the writeTempFile function accordingly.

test/vbmctl/pkg/config/config_test.go (1)

8-9: ⚠️ Potential issue | 🔴 Critical

Compilation error: vbmctlapi is undefined.

The import at line 8 brings in the api package with its default alias api, but lines 79, 165, and 198 reference vbmctlapi.VMConfig. This will fail to compile with "undefined: vbmctlapi".

Either alias the import as vbmctlapi or change the code to use api.VMConfig.

🐛 Proposed fix: Add import alias

 import (
 	"os"
 	"path/filepath"
 	"testing"

-	"github.com/metal3-io/baremetal-operator/test/vbmctl/pkg/api"
+	vbmctlapi "github.com/metal3-io/baremetal-operator/test/vbmctl/pkg/api"
 )

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@test/vbmctl/pkg/config/config_test.go` around lines 8 - 9, The tests
reference vbmctlapi.VMConfig but the import brings in the package as api,
causing "undefined: vbmctlapi"; fix by either changing the import to use the
alias vbmctlapi (e.g., import vbmctlapi
"github.com/metal3-io/baremetal-operator/test/vbmctl/pkg/api") or update all
references to use api.VMConfig (and similar references at the locations that
currently use vbmctlapi), ensuring consistency for symbols like VMConfig across
the file.

🧹 Nitpick comments (5)

pkg/provisioner/ironic/testserver/server.go (1)

253-253: Surface response write failures here.

_, _ = fmt.Fprint(...) still swallows the write error, so this shared test helper can hide truncated/failed responses. If the write is worth making, it’s worth failing the test on err; otherwise a bare fmt.Fprint(...) call is clearer than the blank-identifier assignment.

Proposed fix

-	_, _ = fmt.Fprint(w, payload)
+	if _, err := fmt.Fprint(w, payload); err != nil {
+		m.t.Errorf("%s: failed to write response payload: %v", m.name, err)
+	}

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@pkg/provisioner/ironic/testserver/server.go` at line 253, The current helper
swallows errors by using "_, _ = fmt.Fprint(w, payload)"; change it to check the
returned error from fmt.Fprint(w, payload) and surface failures instead of
discarding them — e.g., replace the blank-assignment with an error check and
fail the test or propagate the error (call t.Fatalf/require.Fail or return the
error) when fmt.Fprint returns a non-nil err so truncated/failed writes are not
hidden.

internal/webhooks/metal3.io/v1alpha1/baremetalhost_validation_test.go (1)

107-107: Add one explicit irmc:// rejection case.

Lines 107, 139, 179, 345, and 361 correctly move the supported-path fixtures to Redfish, but that also removes direct regression coverage for the behavior this PR changes: irmc://... should now be rejected. Since validateHost now goes through bmc.NewAccessDetails in internal/webhooks/metal3.io/v1alpha1/baremetalhost_validation.go:40-80, keeping one negative irmc:// test would lock in the driver removal.

Example of the missing regression case

+		{
+			name: "removedIRMCBMCType",
+			newBMH: &metal3api.BareMetalHost{
+				TypeMeta:   tm,
+				ObjectMeta: om,
+				Spec: metal3api.BareMetalHostSpec{
+					BMC: metal3api.BMCDetails{
+						Address:         "irmc://127.0.1.1",
+						CredentialsName: "test1",
+					},
+				}},
+			oldBMH:    nil,
+			wantedErr: "Unknown BMC type 'irmc' for address irmc://127.0.1.1",
+		},

Also applies to: 139-139, 179-179, 345-345, 361-361

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@internal/webhooks/metal3.io/v1alpha1/baremetalhost_validation_test.go` at
line 107, The test suite removed direct coverage for rejecting irmc:// BMC URLs;
add an explicit negative test case in
internal/webhooks/metal3.io/v1alpha1/baremetalhost_validation_test.go that
supplies Address: "irmc://bmc.example.com" and asserts validateHost (which now
calls bmc.NewAccessDetails) rejects it; specifically, add one test entry that
expects an error for an irmc:// access string to lock in the behavior change and
prevent regression of driver removal.

pkg/provisioner/ironic/factory_test.go (1)

31-33: Fail fast on env mutation errors in the test fixture.

Swallowing os.Setenv/os.Unsetenv errors here can leave a subtest running with a partially applied environment and turn a setup failure into a misleading assertion failure later. Since this is test infrastructure, it’s better to surface the error immediately.

Proposed fix

-func (f *EnvFixture) TearDown() {
+func (f *EnvFixture) TearDown(t *testing.T) {
+	t.Helper()
 	for e, v := range f.origEnv {
 		if v == "" {
-			_ = os.Unsetenv(e)
+			require.NoError(t, os.Unsetenv(e))
 		} else {
-			_ = os.Setenv(e, v)
+			require.NoError(t, os.Setenv(e, v))
 		}
 	}
 }
 
-func (f *EnvFixture) replace(env, value string) {
+func (f *EnvFixture) replace(t *testing.T, env, value string) {
+	t.Helper()
 	f.origEnv[env] = os.Getenv(env)
 	if value == "" {
-		_ = os.Unsetenv(env)
+		require.NoError(t, os.Unsetenv(env))
 	} else {
-		_ = os.Setenv(env, value)
+		require.NoError(t, os.Setenv(env, value))
 	}
 }
 
-func (f *EnvFixture) SetUp() {
+func (f *EnvFixture) SetUp(t *testing.T) {
 	f.origEnv = map[string]string{}
-	f.replace("IRONIC_ENDPOINT", f.ironicEndpoint)
-	f.replace("DEPLOY_KERNEL_URL", f.kernelURL)
-	f.replace("DEPLOY_RAMDISK_URL", f.ramdiskURL)
-	f.replace("DEPLOY_ISO_URL", f.isoURL)
-	f.replace("LIVE_ISO_FORCE_PERSISTENT_BOOT_DEVICE", f.liveISOForcePersistentBootDevice)
-	f.replace("DIRECT_DEPLOY_FORCE_PERSISTENT_BOOT_DEVICE", f.directDeployForcePersistentBootDevice)
-	f.replace("IRONIC_CACERT_FILE", f.ironicCACertFile)
-	f.replace("IRONIC_CLIENT_CERT_FILE", f.ironicClientCertFile)
-	f.replace("IRONIC_CLIENT_PRIVATE_KEY_FILE", f.ironicClientPrivateKeyFile)
-	f.replace("IRONIC_INSECURE", f.ironicInsecure)
-	f.replace("IRONIC_SKIP_CLIENT_SAN_VERIFY", f.ironicSkipClientSANVerify)
+	f.replace(t, "IRONIC_ENDPOINT", f.ironicEndpoint)
+	f.replace(t, "DEPLOY_KERNEL_URL", f.kernelURL)
+	f.replace(t, "DEPLOY_RAMDISK_URL", f.ramdiskURL)
+	f.replace(t, "DEPLOY_ISO_URL", f.isoURL)
+	f.replace(t, "LIVE_ISO_FORCE_PERSISTENT_BOOT_DEVICE", f.liveISOForcePersistentBootDevice)
+	f.replace(t, "DIRECT_DEPLOY_FORCE_PERSISTENT_BOOT_DEVICE", f.directDeployForcePersistentBootDevice)
+	f.replace(t, "IRONIC_CACERT_FILE", f.ironicCACertFile)
+	f.replace(t, "IRONIC_CLIENT_CERT_FILE", f.ironicClientCertFile)
+	f.replace(t, "IRONIC_CLIENT_PRIVATE_KEY_FILE", f.ironicClientPrivateKeyFile)
+	f.replace(t, "IRONIC_INSECURE", f.ironicInsecure)
+	f.replace(t, "IRONIC_SKIP_CLIENT_SAN_VERIFY", f.ironicSkipClientSANVerify)
 }

-				defer tc.env.TearDown()
-				tc.env.SetUp()
+				defer tc.env.TearDown(t)
+				tc.env.SetUp(t)

Also applies to: 41-43

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@pkg/provisioner/ironic/factory_test.go` around lines 31 - 33, The test
fixture currently ignores errors from os.Setenv/os.Unsetenv which can leave
subtests with a corrupt environment; update the environment setup in
pkg/provisioner/ironic/factory_test.go to check the return errors and fail the
test immediately (e.g., call t.Fatalf("failed to set env %s=%s: %v", e, v, err)
or use require.NoError(t, err)) inside the loop that calls
os.Setenv/os.Unsetenv, and apply the same change to the second occurrence (the
block around lines 41-43) so any env mutation error surfaces immediately rather
than being swallowed.

pkg/provisioner/ironic/hardwaredetails/hardwaredetails_test.go (1)

220-221: Cover PCIAddress on the IPv6 append path too.

The new expectation only exercises the IPv4 branch. getNICDetails now copies PCIAddress in both append sites, so a regression in the IPv6/dual-stack path would still pass.

🧪 Small test extension

 		{
 			Name:        "eth1",
 			IPV6Address: "2001:db8::1",
 			MACAddress:  "66:77:88:99:aa:bb",
+			PCIAddress:  "0000:00:01.0",
 			SpeedMbps:   1000},

 	if (!reflect.DeepEqual(nics[1], metal3api.NIC{
-		Name:      "eth1",
-		MAC:       "66:77:88:99:aa:bb",
-		IP:        "2001:db8::1",
-		SpeedGbps: 1,
+		Name:       "eth1",
+		MAC:        "66:77:88:99:aa:bb",
+		IP:         "2001:db8::1",
+		PCIAddress: "0000:00:01.0",
+		SpeedGbps:  1,
 	})) {

Also applies to: 242-246

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@pkg/provisioner/ironic/hardwaredetails/hardwaredetails_test.go` around lines
220 - 221, The test currently only asserts that PCIAddress is copied for the
IPv4 append branch; extend the expectations in hardwaredetails_test.go to also
assert PCIAddress for the IPv6/dual-stack append path so both branches of
getNICDetails are covered—locate the test that builds expected NIC entries (the
entries with MACAddress "00:11:22:33:44:55" and the second appended IPv6 entry)
and add PCIAddress: "0000:00:00.0" to the expected struct for the
IPv6/dual-stack entry (and any other appended entry created by getNICDetails) so
the test fails if PCIAddress is not propagated in the IPv6 path.

test/vbmctl/pkg/libvirt/templates.go (1)

141-143: Pick one owner for VM defaulting.

VMManager.Create already normalizes cfg before calling this helper, so this second Defaults() pass creates another place that has to stay behaviorally in sync when defaulting rules change. I'd keep the defaulting in one layer only.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@test/vbmctl/pkg/libvirt/templates.go` around lines 141 - 143,
VMConfigToTemplateData currently calls cfg.Defaults() again, duplicating
defaulting already performed by VMManager.Create; remove the extra cfg =
cfg.Defaults() line from VMConfigToTemplateData so defaulting is only done by
VMManager.Create, and ensure callers rely on VMManager.Create to normalize
VMConfig before invoking VMConfigToTemplateData (keep VMConfigToTemplateData
pure and document that it expects an already-defaulted cfg).

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@cmd/make-bm-worker/main.go`:
- Line 107: The stdout write ignores fmt.Fprint(os.Stdout, result) errors;
change it to check the returned error from that call and propagate failures
instead of discarding them so the command exits non-zero on write errors. Locate
the fmt.Fprint invocation that writes the result variable and, on err != nil,
log the error and exit with a non-zero status (or return the error from main to
be handled consistently with the existing error pattern used earlier in this
file).

In `@go.mod`:
- Line 3: Multiple go.mod files declare different Go versions causing mismatch;
update the four module go.mod files (apis/go.mod, test/go.mod,
pkg/hardwareutils/go.mod, hack/tools/go.mod) to use the same Go version as the
root (change their "go" directive from 1.25.0 to 1.25.7) or, if you prefer the
older version, change the root go.mod "go" directive in the same way so all
modules align; ensure each file's "go" directive is identical across modules and
commit the changes.

In `@test/e2e/config/fixture.yaml`:
- Around line 70-80: The images preload list in test/e2e/config/fixture.yaml
lacks the quay.io/metal3-io/baremetal-operator:release-0.12 entry referenced by
the new initBMOKustomization (fixture-release-0.12); update the images array to
include quay.io/metal3-io/baremetal-operator:release-0.12 so the release-0.12
case uses the cached/tryLoad path instead of pulling from the registry. Ensure
the exact tag string quay.io/metal3-io/baremetal-operator:release-0.12 is added
alongside the existing release-0.11 entry.

In `@test/e2e/e2e_config.go`:
- Around line 66-67: Config.Validate() currently doesn't check the new
IrsoKustomization field, so typos only surface later; update Config.Validate to,
when c.IrsoKustomization is non-empty, call os.Stat on that path and return a
validation error if stat fails (wrap the underlying error and include the field
name "IrsoKustomization" and the given path in the message) so invalid paths are
caught during config load.

In `@test/e2e/upgrade_test.go`:
- Around line 48-63: The IRSO installation is created outside the same
setup/teardown lifecycle causing leftover namespaces and nil cleanup errors;
modify the logic that checks deployIRSO and calls BuildAndApplyKustomization
(the block using deployIRSO, input.IrsoKustomization and
BuildAndApplyKustomization) so that either (A) it runs after namespace/watch
initialization and registers the created resources in the test’s teardown (e.g.,
record the applied kustomization identifier and ensure AfterEach removes
"ironic-standalone-operator-system"), or (B) track the IRSO deployment with a
new variable (e.g., irsoApplied boolean or irsoCleanup func) and invoke that
cleanup from AfterEach alongside existing namespace/cancelWatches cleanup;
ensure AfterEach no longer assumes namespace/cancelWatches are non-nil before
attempting teardown.

In `@test/vbmctl/pkg/api/types.go`:
- Around line 1-3: Update the package documentation comment in types.go so it
names the current package (change "Package api" to "Package vbmctlapi"), and
update the example references in test/vbmctl/pkg/libvirt/doc.go to use the new
package qualifier by replacing occurrences of api.VMConfig, api.VolumeConfig,
and api.PoolConfig with vbmctlapi.VMConfig, vbmctlapi.VolumeConfig, and
vbmctlapi.PoolConfig respectively so the examples match the renamed package.

---

Outside diff comments:
In `@pkg/provisioner/ironic/factory.go`:
- Around line 371-383: The writeTempFile function currently defers and ignores
tmpFile.Close() which can hide flush/close errors; modify writeTempFile so
Close() error is captured and returned if non-nil (or combined with any existing
write error) instead of being swallowed: perform the write to tmpFile, then call
tmpFile.Close() (capturing its error), and if either the write or the Close
returned an error return that error (or a wrapped/combined error) and avoid
returning a filename on failure; update references to the tmpFile variable and
the writeTempFile function accordingly.

In `@pkg/provisioner/ironic/register_test.go`:
- Around line 1345-1362: The test server created by testserver.NewIronic(...) is
missing a drivers endpoint, causing prov.TryInit (which calls
checkIronicConductor and issues a GET /v1/drivers) to fail; fix by updating the
NewIronic chain in register_test.go to include .WithDrivers() on the ironic test
server instance (the same place you call
NewIronic(...).Node(...).NodeUpdate(...)) so the drivers endpoint returns a
valid response for TryInit/checkIronicConductor.
- Around line 1375-1392: The test server is missing a drivers list so
prov.TryInit() fails when it queries /v1/drivers; update the testserver setup
chain (the NewIronic(...).WithVersion("1.87") call before .Node(...) /
.NodeUpdate(...)) to include a .WithDrivers(...) call supplying the drivers that
TryInit expects (e.g., include the BMC/provisioning drivers used elsewhere such
as "ipmi" or whatever drivers your TryInit logic asserts), so the server
responds to /v1/drivers and TryInit succeeds.

In `@test/vbmctl/pkg/config/config_test.go`:
- Around line 8-9: The tests reference vbmctlapi.VMConfig but the import brings
in the package as api, causing "undefined: vbmctlapi"; fix by either changing
the import to use the alias vbmctlapi (e.g., import vbmctlapi
"github.com/metal3-io/baremetal-operator/test/vbmctl/pkg/api") or update all
references to use api.VMConfig (and similar references at the locations that
currently use vbmctlapi), ensuring consistency for symbols like VMConfig across
the file.

---

Nitpick comments:
In `@internal/webhooks/metal3.io/v1alpha1/baremetalhost_validation_test.go`:
- Line 107: The test suite removed direct coverage for rejecting irmc:// BMC
URLs; add an explicit negative test case in
internal/webhooks/metal3.io/v1alpha1/baremetalhost_validation_test.go that
supplies Address: "irmc://bmc.example.com" and asserts validateHost (which now
calls bmc.NewAccessDetails) rejects it; specifically, add one test entry that
expects an error for an irmc:// access string to lock in the behavior change and
prevent regression of driver removal.

In `@pkg/provisioner/ironic/factory_test.go`:
- Around line 31-33: The test fixture currently ignores errors from
os.Setenv/os.Unsetenv which can leave subtests with a corrupt environment;
update the environment setup in pkg/provisioner/ironic/factory_test.go to check
the return errors and fail the test immediately (e.g., call t.Fatalf("failed to
set env %s=%s: %v", e, v, err) or use require.NoError(t, err)) inside the loop
that calls os.Setenv/os.Unsetenv, and apply the same change to the second
occurrence (the block around lines 41-43) so any env mutation error surfaces
immediately rather than being swallowed.

In `@pkg/provisioner/ironic/hardwaredetails/hardwaredetails_test.go`:
- Around line 220-221: The test currently only asserts that PCIAddress is copied
for the IPv4 append branch; extend the expectations in hardwaredetails_test.go
to also assert PCIAddress for the IPv6/dual-stack append path so both branches
of getNICDetails are covered—locate the test that builds expected NIC entries
(the entries with MACAddress "00:11:22:33:44:55" and the second appended IPv6
entry) and add PCIAddress: "0000:00:00.0" to the expected struct for the
IPv6/dual-stack entry (and any other appended entry created by getNICDetails) so
the test fails if PCIAddress is not propagated in the IPv6 path.

In `@pkg/provisioner/ironic/testserver/server.go`:
- Line 253: The current helper swallows errors by using "_, _ = fmt.Fprint(w,
payload)"; change it to check the returned error from fmt.Fprint(w, payload) and
surface failures instead of discarding them — e.g., replace the blank-assignment
with an error check and fail the test or propagate the error (call
t.Fatalf/require.Fail or return the error) when fmt.Fprint returns a non-nil err
so truncated/failed writes are not hidden.

In `@test/vbmctl/pkg/libvirt/templates.go`:
- Around line 141-143: VMConfigToTemplateData currently calls cfg.Defaults()
again, duplicating defaulting already performed by VMManager.Create; remove the
extra cfg = cfg.Defaults() line from VMConfigToTemplateData so defaulting is
only done by VMManager.Create, and ensure callers rely on VMManager.Create to
normalize VMConfig before invoking VMConfigToTemplateData (keep
VMConfigToTemplateData pure and document that it expects an already-defaulted
cfg).

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 62c94aaf-df1b-4bf0-98bd-efc635225dc7

📥 Commits

Reviewing files that changed from the base of the PR and between a382dd3 and 914839e.

⛔ Files ignored due to path filters (31)

• go.sum is excluded by !**/*.sum
• test/vendor/github.com/metal3-io/baremetal-operator/apis/metal3.io/v1alpha1/baremetalhost_types.go is excluded by !**/vendor/**
• test/vendor/github.com/metal3-io/baremetal-operator/apis/metal3.io/v1alpha1/hardwaredata_types.go is excluded by !**/vendor/**
• test/vendor/github.com/metal3-io/baremetal-operator/pkg/hardwareutils/bmc/irmc.go is excluded by !**/vendor/**
• vendor/github.com/gophercloud/gophercloud/v2/.golangci.yaml is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/gophercloud/gophercloud/v2/CHANGELOG.md is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/gophercloud/gophercloud/v2/Makefile is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/gophercloud/gophercloud/v2/openstack/baremetal/httpbasic/requests.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/gophercloud/gophercloud/v2/openstack/baremetal/inventory/plugindata.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/gophercloud/gophercloud/v2/openstack/baremetal/inventory/types.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/gophercloud/gophercloud/v2/openstack/baremetal/v1/drivers/results.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/gophercloud/gophercloud/v2/openstack/baremetal/v1/nodes/requests.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/gophercloud/gophercloud/v2/openstack/baremetal/v1/nodes/results.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/gophercloud/gophercloud/v2/openstack/baremetal/v1/ports/results.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/gophercloud/gophercloud/v2/openstack/baremetalintrospection/v1/introspection/results.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/gophercloud/gophercloud/v2/openstack/utils/choose_version.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/gophercloud/gophercloud/v2/pagination/pager.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/gophercloud/gophercloud/v2/params.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/gophercloud/gophercloud/v2/provider_client.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/gophercloud/gophercloud/v2/results.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/metal3-io/baremetal-operator/apis/metal3.io/v1alpha1/baremetalhost_types.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/metal3-io/baremetal-operator/apis/metal3.io/v1alpha1/hardwaredata_types.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/metal3-io/baremetal-operator/pkg/hardwareutils/bmc/irmc.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/sys/unix/ioctl_signed.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/sys/unix/ioctl_unsigned.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/sys/unix/syscall_solaris.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/sys/unix/syscall_unix.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/sys/windows/syscall_windows.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/sys/windows/types_windows.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/sys/windows/zsyscall_windows.go is excluded by !**/vendor/**, !vendor/**
• vendor/modules.txt is excluded by !**/vendor/**, !vendor/**

📒 Files selected for processing (43)

• .github/workflows/zizmor.yml
• Dockerfile
• Makefile
• apis/metal3.io/v1alpha1/baremetalhost_types.go
• apis/metal3.io/v1alpha1/hardwaredata_types.go
• cmd/make-bm-worker/main.go
• config/base/crds/bases/metal3.io_baremetalhosts.yaml
• config/base/crds/bases/metal3.io_hardwaredata.yaml
• config/overlays/e2e-release-0.12/ironic.env
• config/overlays/e2e-release-0.12/kustomization.yaml
• config/overlays/fixture-release-0.12/kustomization.yaml
• config/render/capm3.yaml
• go.mod
• hack/ci-e2e.sh
• internal/controller/metal3.io/hostfirmwaresettings_controller.go
• internal/webhooks/metal3.io/v1alpha1/baremetalhost_validation_test.go
• pkg/hardwareutils/bmc/access_test.go
• pkg/hardwareutils/bmc/irmc.go
• pkg/provisioner/ironic/factory.go
• pkg/provisioner/ironic/factory_test.go
• pkg/provisioner/ironic/hardwaredetails/hardwaredetails.go
• pkg/provisioner/ironic/hardwaredetails/hardwaredetails_test.go
• pkg/provisioner/ironic/raid_test.go
• pkg/provisioner/ironic/register_test.go
• pkg/provisioner/ironic/testserver/ironic_test.go
• pkg/provisioner/ironic/testserver/server.go
• test/e2e/config/fixture.yaml
• test/e2e/config/ironic.yaml
• test/e2e/data/ironic-standalone-operator/ironic/overlays/e2e-release-32.0/kustomization.yaml
• test/e2e/data/ironic-standalone-operator/ironic/overlays/e2e-release-33.0/kustomization.yaml
• test/e2e/data/ironic-standalone-operator/operator/irso-v0.5/kustomization.yaml
• test/e2e/data/ironic-standalone-operator/operator/irso-v0.7/kustomization.yaml
• test/e2e/e2e_config.go
• test/e2e/upgrade_test.go
• test/vbmctl/cmd/vbmctl/main.go
• test/vbmctl/main.go
• test/vbmctl/pkg/api/types.go
• test/vbmctl/pkg/api/types_test.go
• test/vbmctl/pkg/config/config.go
• test/vbmctl/pkg/config/config_test.go
• test/vbmctl/pkg/libvirt/pool.go
• test/vbmctl/pkg/libvirt/templates.go
• test/vbmctl/pkg/libvirt/vm.go

💤 Files with no reviewable changes (2)

• pkg/hardwareutils/bmc/access_test.go
• pkg/hardwareutils/bmc/irmc.go

[coderabbitai]

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

wc -l cmd/make-bm-worker/main.go

Repository: openshift/baremetal-operator

Length of output: 102

---

🏁 Script executed:

head -120 cmd/make-bm-worker/main.go | tail -30

Repository: openshift/baremetal-operator

Length of output: 1113

---

Handle stdout write failures instead of discarding them.

Line 107 ignores the fmt.Fprint error. If this command is piped and the reader closes early, it silently returns success after emitting only part of the manifest. Propagate the write failure and exit non-zero to match the error handling pattern established above.

Suggested fix

 	result, err := template.Render()
 	if err != nil {
 		fmt.Fprintf(os.Stderr, "ERROR: %s\n", err)
 		os.Exit(1)
 	}
 
-	_, _ = fmt.Fprint(os.Stdout, result)
+	if _, err := fmt.Fprint(os.Stdout, result); err != nil {
+		fmt.Fprintf(os.Stderr, "ERROR: %s\n", err)
+		os.Exit(1)
+	}
 }

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	_, _ = fmt.Fprint(os.Stdout, result)
	result, err := template.Render()
	if err != nil {
	fmt.Fprintf(os.Stderr, "ERROR: %s\n", err)
	os.Exit(1)
	}
	if _, err := fmt.Fprint(os.Stdout, result); err != nil {
	fmt.Fprintf(os.Stderr, "ERROR: %s\n", err)
	os.Exit(1)
	}

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@cmd/make-bm-worker/main.go` at line 107, The stdout write ignores
fmt.Fprint(os.Stdout, result) errors; change it to check the returned error from
that call and propagate failures instead of discarding them so the command exits
non-zero on write errors. Locate the fmt.Fprint invocation that writes the
result variable and, on err != nil, log the error and exit with a non-zero
status (or return the error from main to be handled consistently with the
existing error pattern used earlier in this file).

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Description: Check Go version declarations across all go.mod files in the repo
# Expect: Consistent Go versions or documented reason for divergence

fd -t f -e mod 'go.mod' --exec grep -H '^go ' {}

Repository: openshift/baremetal-operator

Length of output: 205

---

Go version mismatch across modules.

The main go.mod declares go 1.25.7, while four other modules—apis/go.mod, test/go.mod, pkg/hardwareutils/go.mod, and hack/tools/go.mod—still declare go 1.25.0. This divergence in a multi-module workspace may cause build inconsistencies or CI issues when modules are built independently. Align Go versions across all modules or document why the mismatch is necessary.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@go.mod` at line 3, Multiple go.mod files declare different Go versions
causing mismatch; update the four module go.mod files (apis/go.mod, test/go.mod,
pkg/hardwareutils/go.mod, hack/tools/go.mod) to use the same Go version as the
root (change their "go" directive from 1.25.0 to 1.25.7) or, if you prefer the
older version, change the root go.mod "go" directive in the same way so all
modules align; ensure each file's "go" directive is identical across modules and
commit the changes.

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

Add the matching release-0.12 image preload.

These upgrade specs now reference ../../config/overlays/fixture-release-0.12, but the images list in this file still stops at quay.io/metal3-io/baremetal-operator:release-0.11. That makes the new case fall back to a registry pull instead of the cached/tryLoad path, which is slower and more brittle in CI. Please add quay.io/metal3-io/baremetal-operator:release-0.12 to the preload list.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@test/e2e/config/fixture.yaml` around lines 70 - 80, The images preload list
in test/e2e/config/fixture.yaml lacks the
quay.io/metal3-io/baremetal-operator:release-0.12 entry referenced by the new
initBMOKustomization (fixture-release-0.12); update the images array to include
quay.io/metal3-io/baremetal-operator:release-0.12 so the release-0.12 case uses
the cached/tryLoad path instead of pulling from the registry. Ensure the exact
tag string quay.io/metal3-io/baremetal-operator:release-0.12 is added alongside
the existing release-0.11 entry.

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

Validate IrsoKustomization during config load.

This new path is not checked in Config.Validate(), so a typo survives config parsing and only fails later when the upgrade flow tries to apply it. Please stat it when the field is non-empty.

🛠️ Suggested validation

 	if _, err := os.Stat(spec.UpgradeEntityKustomization); err != nil {
 		return fmt.Errorf("UpgradeEntityKustomization file not found: %s. Error %w", spec.UpgradeEntityKustomization, err)
 	}
+	if spec.IrsoKustomization != "" {
+		if _, err := os.Stat(spec.IrsoKustomization); err != nil {
+			return fmt.Errorf("IRSO kustomization file not found: %s. Error %w", spec.IrsoKustomization, err)
+		}
+	}
 }

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@test/e2e/e2e_config.go` around lines 66 - 67, Config.Validate() currently
doesn't check the new IrsoKustomization field, so typos only surface later;
update Config.Validate to, when c.IrsoKustomization is non-empty, call os.Stat
on that path and return a validation error if stat fails (wrap the underlying
error and include the field name "IrsoKustomization" and the given path in the
message) so invalid paths are caught during config load.

[coderabbitai]

⚠️ Potential issue | 🟠 Major

Bring IRSO setup under the same cleanup lifecycle.

This install path now runs before the namespace/watch handles exist, but AfterEach still assumes namespace/cancelWatches are initialized and only tears down baremetal-operator-system. In existing-cluster mode that leaves ironic-standalone-operator-system behind between cases, so the irso-v0.5 and irso-v0.7 entries become order-dependent; if IRSO setup fails early, cleanup can also trip over nil state and mask the real failure. Please move this under the same setup/teardown path or explicitly track and remove the applied IRSO kustomization.

Also applies to: 320-346, 353-359

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@test/e2e/upgrade_test.go` around lines 48 - 63, The IRSO installation is
created outside the same setup/teardown lifecycle causing leftover namespaces
and nil cleanup errors; modify the logic that checks deployIRSO and calls
BuildAndApplyKustomization (the block using deployIRSO, input.IrsoKustomization
and BuildAndApplyKustomization) so that either (A) it runs after namespace/watch
initialization and registers the created resources in the test’s teardown (e.g.,
record the applied kustomization identifier and ensure AfterEach removes
"ironic-standalone-operator-system"), or (B) track the IRSO deployment with a
new variable (e.g., irsoApplied boolean or irsoCleanup func) and invoke that
cleanup from AfterEach alongside existing namespace/cancelWatches cleanup;
ensure AfterEach no longer assumes namespace/cancelWatches are non-nil before
attempting teardown.

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
sed -n '1,3p' test/vbmctl/pkg/api/types.go
sed -n '20,45p' test/vbmctl/pkg/libvirt/doc.go

Repository: openshift/baremetal-operator

Length of output: 851

---

Update package documentation comment to match renamed package.

The package comment at line 1 still refers to Package api while the package is now named vbmctlapi. Additionally, example code in test/vbmctl/pkg/libvirt/doc.go (lines 20–45) references the old api.VMConfig, api.VolumeConfig, and api.PoolConfig fully qualified names, which will be incorrect after this rename.

📝 Minimal fix for types.go

-// Package api defines the core types used by vbmctl for managing virtual
+// Package vbmctlapi defines the core types used by vbmctl for managing virtual
 // bare metal environments.
 package vbmctlapi

Update the example code references in libvirt/doc.go to use vbmctlapi. instead of api..

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	// Package api defines the core types used by vbmctl for managing virtual
	// bare metal environments.
	package api
	package vbmctlapi
	// Package vbmctlapi defines the core types used by vbmctl for managing virtual
	// bare metal environments.
	package vbmctlapi

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@test/vbmctl/pkg/api/types.go` around lines 1 - 3, Update the package
documentation comment in types.go so it names the current package (change
"Package api" to "Package vbmctlapi"), and update the example references in
test/vbmctl/pkg/libvirt/doc.go to use the new package qualifier by replacing
occurrences of api.VMConfig, api.VolumeConfig, and api.PoolConfig with
vbmctlapi.VMConfig, vbmctlapi.VolumeConfig, and vbmctlapi.PoolConfig
respectively so the examples match the renamed package.