
fix(tests): use regexes for better exclusions #925

Merged: Molter73 merged 4 commits into main from mauro/fix/exclude-broken-vms on Jun 29, 2026
@Molter73 Molter73 commented Jun 26, 2026

Collaborator

Description

The images we use from RHCOS may change from underneath our feet, so we use regexes to exclude broader patterns that we know won't work with fact.

Checklist

  • Patch has a change log entry OR does not need one.
  • Investigated and inspected CI test results
  • Updated documentation accordingly

Automated testing

  • Added unit tests
  • Added integration tests
  • Added regression tests

If any of these don't apply, please comment below.

Testing Performed

  • Verify all expected RHCOS VMs run the tests
  • Update collector ref to master before merging.

Summary by CodeRabbit

  • Bug Fixes
    • Updated integration test image exclusion rules to reduce false failures caused by changes in RHCOS image naming.
    • Replaced specific excluded image identifiers with broader regex-style patterns to better match both x86_64 and aarch64 RHCOS variants, improving test stability.

@coderabbitai

coderabbitai Bot commented Jun 26, 2026


Review Change Stack

Walkthrough

The integration-test workflow updates generated vars.yml image exclusions from explicit rhcos GCP image strings to regex-style patterns covering x86-64 and aarch64 variants.

Changes

Integration Test Workflow Image Exclusions

Layer / File(s) | Summary
Regex-based image exclusions (.github/workflows/integration-tests.yml) | excluded_images switches from explicit rhcos GCP image strings to regex-style patterns for x86-64 and aarch64 variants.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~5 minutes

Poem

🐰 I hopped through the workflow, light and spry,
Patterns took over where old strings did lie.
rhcos now matches with regex delight,
And the test VM list is tidy tonight.

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name | Status | Explanation
Title check | ✅ Passed | The title accurately summarizes the main change: using regex-based exclusions in tests.
Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request.
Description check | ✅ Passed | The PR description follows the required template and includes a clear summary, checklist, and testing notes, with only minor gaps in optional items.

@codecov-commenter

codecov-commenter commented Jun 26, 2026


Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 32.23%. Comparing base (4a0025e) to head (46ca813).

Additional details and impacted files
@@           Coverage Diff           @@
##             main     #925   +/-   ##
=======================================
  Coverage   32.23%   32.23%           
=======================================
  Files          21       21           
  Lines        2736     2736           
  Branches     2736     2736           
=======================================
  Hits          882      882           
  Misses       1851     1851           
  Partials        3        3           


@Molter73 Molter73 marked this pull request as ready for review June 29, 2026 09:25
@Molter73 Molter73 requested a review from a team as a code owner June 29, 2026 09:25

@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 1

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (2)
.github/workflows/integration-tests.yml (2)

39-43: 🩺 Stability & Availability | 🟠 Major | ⚡ Quick win

Pin the collector checkout. This job depends on the mutable mauro/ansible/exclude-by-regex branch in stackrox/collector, so CI can drift or break if that branch changes or disappears; use a commit SHA or another stable ref.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/integration-tests.yml around lines 39 - 43, The collector
checkout in the workflow is using a mutable branch ref, which can make the
integration job unstable. Update the actions/checkout configuration in the
collector step to use a pinned commit SHA or another immutable ref instead of
the current branch reference, keeping the existing repository and path setup
intact.

39-43: 🔒 Security & Privacy | 🟡 Minor | ⚡ Quick win

Disable credential persistence on the collector checkout. .github/workflows/integration-tests.yml:39-43 Later steps only need the working tree, so set persist-credentials: false to keep the job token out of collector/.git/config.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/integration-tests.yml around lines 39 - 43, The collector
checkout in the integration-tests workflow is still persisting credentials,
which leaves the job token in the cloned repo config. Update the
actions/checkout step for the collector repository to set persist-credentials to
false so later steps only use the working tree; use the existing checkout step
targeting stackrox/collector as the place to make this change.

Source: Linters/SAST tools

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/integration-tests.yml:
- Around line 96-99: The RHCOS exclusion patterns in the integration tests
workflow use inconsistent version cutoffs for x86_64 and arm64, so update the
regexes together in the workflow rules to match the intended boundary. Adjust
the x86_64 and aarch64 entries in the relevant RHCOS matcher block so both stop
excluding the same versions, and verify the conditions around the workflow’s
RHCOS image filters keep 4.15 excluded while allowing 4.16+ as intended.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yml

Review profile: CHILL

Plan: Enterprise

Run ID: 6afcf66a-21ae-4c52-b40d-108e1feaaf00

📥 Commits

Reviewing files that changed from the base of the PR and between 893a061 and 781c781.

📒 Files selected for processing (1)
  • .github/workflows/integration-tests.yml

Comment thread .github/workflows/integration-tests.yml

@coderabbitai coderabbitai Bot left a comment


♻️ Duplicate comments (1)
.github/workflows/integration-tests.yml (1)

96-99: 🎯 Functional Correctness | 🟠 Major | ⚡ Quick win

Line 96 re-allows RHCOS 4.15 on x86_64.

rhcos-41[0-4]-... only excludes 4.10 through 4.14, so 4.15 now slips back in. The repo learning for this workflow says x86_64 should re-include 4.16+, while aarch64 keeps excluding 4.x, so the x86 cutoff still looks one minor version too low.

Suggested change
-        - rhcos-41[0-4]-[-0-9]+-gcp-x86-64
+        - rhcos-41[0-5]-[-0-9]+-gcp-x86-64
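Review bot: the cutoff on the `+` line lives only in the character class `41[0-5]`, with nothing recording that 4.10 through 4.15 are meant to be excluded and 4.16+ re-included, so the next change to the RHCOS image list can shift the boundary again unnoticed; add a YAML comment beside the entry stating the intended range. The pattern also has no `^`/`$` anchors and `[-0-9]+` accepts any run of digits and hyphens, so confirm that the consumer of excluded_images matches the whole image name, or anchor the entry explicitly.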
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/integration-tests.yml around lines 96 - 99, The x86_64
RHCOS exclusion pattern is too narrow and lets 4.15 back into the
integration-tests workflow; update the matching rule in the workflow so the
x86_64 entry only excludes 4.10 through 4.15 and still re-includes 4.16+, while
leaving the aarch64 RHCOS 4.x exclusion unchanged. Use the existing RHCOS
version patterns in the workflow to locate and adjust the x86_64 regex entry
consistently with the intended repository learning.

Source: Learnings

🧹 Nitpick comments (1)
.github/workflows/integration-tests.yml (1)

39-43: 🔒 Security & Privacy | 🔵 Trivial | ⚡ Quick win

Drop persisted checkout credentials for the collector clone.

This job never pushes back to stackrox/collector, but actions/checkout will still leave a token in collector/.git/config by default. Since later steps execute code from that checkout, persist-credentials: false reduces secret exposure without changing the workflow behavior.

Suggested change
     - uses: actions/checkout@v4
       with:
         repository: stackrox/collector
         path: collector
         ref: master
+        persist-credentials: false
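Review bot: `ref: master` in the context lines is still a mutable ref, and `actions/checkout@v4` is a movable tag, so adding `persist-credentials: false` keeps the token out of collector/.git/config but does not fix which code the later steps run from that checkout. Pin `ref` to a full commit SHA of stackrox/collector and pin the action to a commit SHA as well, and bump both deliberately.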
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/integration-tests.yml around lines 39 - 43, The collector
checkout in the workflow currently leaves persisted Git credentials in the
cloned repository, even though the job only reads from it. Update the
actions/checkout step for the collector clone to disable credential persistence
by setting persist-credentials to false, so later steps running code from that
checkout do not retain the token while preserving the existing behavior.

Source: Linters/SAST tools

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yml

Review profile: CHILL

Plan: Enterprise

Run ID: e960e43a-35d9-4290-a84a-f53775d2d7fc

📥 Commits

Reviewing files that changed from the base of the PR and between 781c781 and 573c9eb.

📒 Files selected for processing (1)
  • .github/workflows/integration-tests.yml
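
Added example, not part of the PR or of the bot's review: a check of the two x86-64 patterns quoted above against image names for 4.10 through 4.19, showing where the exclusion boundary falls. The image names are constructed, and because the page does not say how the consumer applies the patterns, both whole-name and substring matching are shown as assumptions.

```python
import re

# Patterns quoted in the review comment above.
REVIEWED = r"rhcos-41[0-4]-[-0-9]+-gcp-x86-64"
SUGGESTED = r"rhcos-41[0-5]-[-0-9]+-gcp-x86-64"


def constructed_image(minor: int, arch: str = "x86-64") -> str:
    """Build a made-up image name in the shape the patterns expect."""
    return f"rhcos-4{minor}-94-202601010000-0-gcp-{arch}"


def is_excluded(pattern: str, image: str, anchored: bool = True) -> bool:
    # Assumption: anchored=True models a consumer that requires the whole
    # name to match; anchored=False models an unanchored substring search.
    matcher = re.fullmatch if anchored else re.search
    return matcher(pattern, image) is not None


def excluded_minors(pattern: str, minors=range(10, 20)) -> list[int]:
    """Return the 4.x minor versions whose constructed image is excluded."""
    return [m for m in minors if is_excluded(pattern, constructed_image(m))]


def boundary_diff(old: str, new: str) -> list[int]:
    """Minor versions excluded by `new` but still tested under `old`."""
    old_set = set(excluded_minors(old))
    return [m for m in excluded_minors(new) if m not in old_set]


if __name__ == "__main__":
    print("reviewed :", excluded_minors(REVIEWED))
    print("suggested:", excluded_minors(SUGGESTED))
    print("differs  :", boundary_diff(REVIEWED, SUGGESTED))
    # A constructed name with a trailing suffix: only a substring search
    # excludes it, so the match mode decides which VMs silently skip tests.
    suffixed = constructed_image(14) + "-debug"
    print("fullmatch:", is_excluded(REVIEWED, suffixed))
    print("search   :", is_excluded(REVIEWED, suffixed, anchored=False))
```
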

Molter73 added 4 commits June 29, 2026 15:17
The images we use from RHCOS may change from underneath our feet, so we
use regexes to exclude broader patterns that we know won't work with fact.
@Molter73 Molter73 force-pushed the mauro/fix/exclude-broken-vms branch from 573c9eb to 46ca813 Compare June 29, 2026 13:17
@Molter73 Molter73 merged commit 7b5eb44 into main Jun 29, 2026
37 of 40 checks passed
@Molter73 Molter73 deleted the mauro/fix/exclude-broken-vms branch June 29, 2026 14:44