From ci
Debug failed Prow CI jobs for OpenShift by parsing job URLs, fetching metadata, classifying job types, and routing to specialized failure references.
How this skill is triggered — by the user, by Claude, or both
Slash command
/ci:prow-job-analysisThe summary Claude sees in its skill listing — used to decide when to auto-load this skill
Analyze failures in OpenShift Prow CI jobs. Identify the job type, inspect artifacts, classify
prow_job_artifact_search.pyreferences/aggregated.mdreferences/artifacts.mdreferences/ci-infrastructure-changes.mdreferences/cloud-provider-errors.mdreferences/disruption.mdreferences/flaky-test-identification.mdreferences/hypershift.mdreferences/install/general.mdreferences/install/metal.mdreferences/networking.mdreferences/operating-system-changes.mdreferences/resource-exhaustion.mdreferences/test-extension-binaries.mdreferences/test-failure.mdreferences/upgrade.mdAnalyze failures in OpenShift Prow CI jobs. Identify the job type, inspect artifacts, classify the failure, and route to the specialized reference for deep analysis.
The user will provide:
Prow job URL (required) — Prow UI or gcsweb URL
https://prow.ci.openshift.org/view/gs/test-platform-results/logs/<job>/<build_id>https://gcsweb-ci.apps.ci.l2s4.p1.openshiftapps.com/gcs/test-platform-results/...Test name (optional) — specific failed test to focus on
Flags (optional):
--backends <list> — focus disruption analysis on specific backendswhich python3which jqwhich gcloud — fastest access to the
public bucket (no auth required). Without it, every artifact operation works over
plain HTTPS: prow_job_artifact_search.py
(stdlib-only list/search/fetch) or curl against
https://storage.googleapis.com/test-platform-results/....test-platform-results/ in the URL and extract the bucket pathbuild_id — pattern (\d{10,}) in the pathgs://test-platform-results/{bucket-path}/Use the fetch-prowjob-json skill to get job metadata. Extract:
.spec.job--target= in ci-operator args.status.state.spec.refsParse the job name to determine the environment and expected failure modes:
| Pattern in Name | Job Type | Key Implications |
|---|---|---|
upgrade | Upgrade job | Installs first, then upgrades — see upgrade reference |
metal, baremetal | Bare metal | Uses dev-scripts + Metal3/Ironic — see metal install reference |
hypershift | HyperShift | Hosted control planes — see hypershift reference |
fips | FIPS-enabled | Watch for crypto/TLS errors |
ipv6, dualstack | IPv6/dualstack | Often disconnected, uses mirror registry |
single-node, sno | Single-node | Resource exhaustion more likely |
aggregated- prefix | Aggregated | Statistical analysis of multiple runs — see aggregated reference |
aws, gcp, azure | Cloud platform | Platform-specific errors — see cloud provider reference |
techpreview | Tech preview | Feature gates enabled, features may be unstable |
rhcos9, rhcos10, rhcos9_10, rt | RHCOS variant / RT kernel | OS variant pinned or heterogeneous; OS-level differences (kernel/systemd/SELinux) — see operating system changes reference |
mkdir -p .work/prow-job-analysis/{build_id}/logs
# Build log (always)
gcloud storage cp gs://test-platform-results/{bucket-path}/build-log.txt \
.work/prow-job-analysis/{build_id}/logs/ --no-user-output-enabled
# JUnit XML (always — identifies failed tests/steps)
gcloud storage ls "gs://test-platform-results/{bucket-path}/artifacts/**/junit*.xml" 2>/dev/null
# Node journals (always, when the job created a cluster) — required input for the
# Step 5 OS-layer check. Gzip-compressed WITHOUT a .gz extension: zcat/zgrep only.
gcloud storage cp -r \
"gs://test-platform-results/{bucket-path}/artifacts/{target}/gather-extra/artifacts/nodes" \
.work/prow-job-analysis/{build_id}/ --no-user-output-enabled 2>/dev/null || true
Examine the build log and JUnit results to classify the failure, then consult the appropriate reference file for detailed analysis procedures.
Operating-system (RHCOS) layer breakage frequently masquerades as an unrelated product failure: a single RHCOS bump swaps the kernel, cri-o, systemd, NetworkManager, and SELinux policy across the whole cluster at once, so the real cause surfaces as a symptom in some other domain. Before selecting a row from the routing table, complete BOTH steps:
1. Compare runtime versions across boots in the node journals (downloaded in
Step 4; gzip-compressed without a .gz extension — plain grep silently matches
nothing, use zcat/zgrep):
# Runtime versions per boot. End-of-run snapshots (oc_cmds/nodes, nodes.json)
# show only the final version; changes within the run are visible only here.
zgrep -hE "Starting CRI-O, version|Container runtime initialized" \
.work/prow-job-analysis/{build_id}/nodes/*/journal | sort | uniq -c
2. Scan the build log, JUnit, oc_cmds (node / clusteroperator status),
MachineConfig data, and the journals for these signals:
NetworkPluginNotReady, or a missing CNI config (/etc/cni/net.d empty / no CNI plugin)ContainerRuntimeVersion change on nodes (cri-o version bump between runs)passwd, files, or unitsNotReady after a rebootCreateContainerError, RunContainerError, or OCI runtime errors (crun / runc)panic, BUG, Oops, or soft lockup in node journals or the serial consoleavc: denied / SELinux denialsIf step 1 shows more than one runtime version on any node, or any step-2 signal is present, the RHCOS layer is implicated: still route via the table below using whichever reference matches the surface symptom, but also read operating-system-changes.md alongside it. Never clear the OS layer from end-of-run snapshots alone.
| Failure Signal | Reference | When to Use |
|---|---|---|
install should succeed fails in JUnit | Install — General | Install failed at config/infra/bootstrap/cluster-creation/operator-stability stage |
| Metal/baremetal job + install failure | Install — Metal | Bare-metal install (dev-scripts, Metal3/Ironic, libvirt) — use alongside Install — General |
| A test failed (start here) | Flaky Test Identification | Triage entry for any failing test: classify infra vs product regression vs flake, then route onward |
| Confirmed regression in a plain e2e test | Test Failure Root-Cause | Root-cause a real product regression in a plain (non-extension/install/upgrade) e2e test — e.g. [sig-network] ... should serve endpoints: test source, cluster state, originating error |
*-tests-ext extension binary error | Test Extension Binaries | OTE extension-binary extraction/discovery/version-skew failures — not core openshift-tests |
| Disruption events in intervals | Disruption | API backends stopped responding; interpret interval/timeline data (cause vs symptom vs noise) |
| Upgrade-phase failure or regression | Upgrade | CVO stuck, operators degraded, MCO drain/reboot stalls, or version skew during upgrade |
| HyperShift / HCP job failure | HyperShift | Hosted control planes — correlate management and hosted clusters |
aggregated- job failure | Aggregated Jobs | Statistical regression analysis across parallel child runs |
| Cloud API errors, quota, throttling | Cloud Provider Errors | AWS/GCP/Azure API/quota/provisioning failures before/during cluster creation |
| Node NotReady, OOM, disk pressure | Resource Exhaustion | CPU/memory/disk/PID/etcd exhaustion, eviction, unschedulable pods |
| DNS, OVN, registry/pull, ingress errors | Networking | OVN-Kubernetes/SDN, DNS, image pull/registry, load balancer/ingress, network policy |
| Container-start (cri-o), kernel panic, NetworkManager, RHCOS variant-isolated failure | Operating System Changes | Node OS (RHCOS) layer — cri-o/crun, kernel, systemd, NetworkManager, SELinux, or an RHCOS bump in the payload |
| Lease/quota, ci-operator, Prow infra | CI Infrastructure | Distinguish "product broke" from "CI config changed"; ci-operator, step registry, leases |
| Need a specific artifact file | Artifacts | Artifact directory structure, paths, and gcloud fetch commands |
These are the most frequently needed artifacts. See artifacts reference for the complete directory structure.
| Path | Description |
|---|---|
build-log.txt | Top-level ci-operator log |
artifacts/{target}/openshift-e2e-test/build-log.txt | E2E test console log |
artifacts/{target}/openshift-e2e-test/artifacts/junit/ | JUnit XML results |
artifacts/{target}/openshift-e2e-test/artifacts/junit/e2e-timelines_spyglass_*.json | Disruption timeline data |
artifacts/{target}/gather-extra/artifacts/oc_cmds/ | Cluster state snapshots |
artifacts/{target}/gather-extra/artifacts/pods/ | Pod logs by namespace |
artifacts/{target}/gather-extra/artifacts/audit_logs/ | API server audit logs |
artifacts/{target}/gather-must-gather/artifacts/must-gather.tar | Must-gather archive |
prowjob.json | Job metadata and timing |
Both formats are accepted and interchangeable:
# Prow UI
https://prow.ci.openshift.org/view/gs/test-platform-results/logs/{job}/{build_id}
# gcsweb (direct GCS browser)
https://gcsweb-ci.apps.ci.l2s4.p1.openshiftapps.com/gcs/test-platform-results/logs/{job}/{build_id}
The GCS bucket is always test-platform-results, publicly accessible, no auth required.
prowjob.json for timing, payload tag, and whether the job timed out.work/prow-job-analysis/{build_id}/ as the working directory for downloadsnpx claudepluginhub openshift-eng/ai-helpers --plugin ci4plugins reuse this skill
First indexed Jul 11, 2026
Fetches and extracts key metadata from a Prow job's prowjob.json artifact given a Prow job URL, including job status, timing, release annotations, and GCS artifact paths.
Diagnoses a failing CI run against an 11-pattern playbook, classifies the failure, cites relevant memory, and proposes the exact fix command without applying it.
Creates structured, bite-sized implementation plans from specs or requirements before writing code. Useful for breaking down multi-step tasks into testable steps with file structure and task boundaries.