Skip to content

[ROSAENG-61017] Onboard openshift-online/rosa-trusted-actions to Prow#81734

Draft
bergmannf wants to merge 1 commit into
openshift:mainfrom
bergmannf:add-rosa-trusted-actions
Draft

[ROSAENG-61017] Onboard openshift-online/rosa-trusted-actions to Prow#81734
bergmannf wants to merge 1 commit into
openshift:mainfrom
bergmannf:add-rosa-trusted-actions

Conversation

@bergmannf

@bergmannf bergmannf commented Jul 10, 2026

Copy link
Copy Markdown
Contributor

Enable Prow merge automation (Tide + plugins) and add an OpenAPI spec validation presubmit job for rosa-trusted-actions.

This is a draft as we are still in the process of renaming the repository from rosa-trusted-actions-server to rosa-trusted-actions

Summary by CodeRabbit

  • Onboards openshift-online/rosa-trusted-actions to OpenShift CI and Prow.
  • Adds a validate-spec presubmit job that runs make validate-spec using the repository’s Node.js 22 build environment.
  • Enables Tide squash merging, requiring approved and lgtm labels while blocking configured merge-prevention labels.
  • Configures Prow plugins, triggers, approval policy, and the needs-rebase external plugin.
  • Adds repository-specific approvers and reviewers for CI and Prow configuration.

Enable Prow merge automation (Tide + plugins) and add an OpenAPI
spec validation presubmit job for rosa-trusted-actions.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@openshift-ci openshift-ci Bot added the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Jul 10, 2026
@openshift-ci

openshift-ci Bot commented Jul 10, 2026

Copy link
Copy Markdown
Contributor

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

@coderabbitai

coderabbitai Bot commented Jul 10, 2026

Copy link
Copy Markdown
Contributor

Walkthrough

The change onboards openshift-online/rosa-trusted-actions with generated ownership files, a visible CI validation job, Prow plugin and trigger settings, and Tide requirements for squash merging.

Changes

ROSA Trusted Actions onboarding

Layer / File(s) Summary
Repository CI and ownership
ci-operator/config/openshift-online/rosa-trusted-actions/*, core-services/prow/02_config/openshift-online/rosa-trusted-actions/OWNERS
Defines matching approver and reviewer lists and adds an exposed validate-spec job using UBI9 Node.js 22 with configured resource requests.
Prow plugins and triggers
core-services/prow/02_config/openshift-online/rosa-trusted-actions/_pluginconfig.yaml
Configures approval rules, the external needs-rebase plugin, enabled Prow plugins, and the openshift-merge-bot trusted application.
Tide merge policy
core-services/prow/02_config/openshift-online/rosa-trusted-actions/_prowconfig.yaml
Requires approved and lgtm labels, excludes configured blocking labels, and selects squash merging.

Estimated code review effort: 2 (Simple) | ~10 minutes

🚥 Pre-merge checks | ✅ 15
✅ Passed checks (15 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title clearly matches the main change: onboarding openshift-online/rosa-trusted-actions to Prow.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names ✅ Passed Only Prow/ci-operator YAML changed; no Go tests or Ginkgo titles were added, and searches found no It/Describe/Context/When usage.
Test Structure And Quality ✅ Passed No Ginkgo test code changed; the PR only adds Prow/ci-operator config, so the test-structure checklist is not applicable.
Microshift Test Compatibility ✅ Passed The PR only adds Prow/ci config files and an OpenAPI validation job; it introduces no new Ginkgo e2e tests or MicroShift-unsafe API usage.
Single Node Openshift (Sno) Test Compatibility ✅ Passed The PR only changes Prow/ci-operator YAML and OWNERS files; no new Ginkgo e2e tests or SNO-sensitive test logic were added.
Topology-Aware Scheduling Compatibility ✅ Passed PR only adds CI/Prow config and OWNERS files; no deployment manifests, controllers, replicas, affinity, nodeSelector, or topology-spread settings were changed.
Ote Binary Stdout Contract ✅ Passed Only OWNERS and Prow/ci config YAML changed; no process-level code or stdout writes were introduced.
Ipv6 And Disconnected Network Test Compatibility ✅ Passed No Ginkgo e2e test code was added; the diff only changes Prow/CI config and OWNERS files, so the IPv6/disconnected test check is not applicable.
No-Weak-Crypto ✅ Passed Changed files are Prow/ci config only; scans found no MD5/SHA1/DES/RC4/3DES/Blowfish/ECB, custom crypto, or secret comparisons.
Container-Privileges ✅ Passed Touched YAMLs contain no privileged/host* or allowPrivilegeEscalation settings; the job image explicitly runs as USER 1001.
No-Sensitive-Data-In-Logs ✅ Passed Only Prow/CI config and OWNERS files changed; no logging statements or emitted sensitive data were added.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@openshift-ci

openshift-ci Bot commented Jul 10, 2026

Copy link
Copy Markdown
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: bergmannf

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci openshift-ci Bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Jul 10, 2026
@openshift-merge-bot

Copy link
Copy Markdown
Contributor

[REHEARSALNOTIFIER]
@bergmannf: the pj-rehearse plugin accommodates running rehearsal tests for the changes in this PR. Expand 'Interacting with pj-rehearse' for usage details. The following rehearsable tests have been affected by this change:

Test name Repo Type Reason
pull-ci-openshift-online-rosa-trusted-actions-main-validate-spec openshift-online/rosa-trusted-actions presubmit Presubmit changed

Prior to this PR being merged, you will need to either run and acknowledge or opt to skip these rehearsals.

Interacting with pj-rehearse

Comment: /pj-rehearse to run up to 5 rehearsals
Comment: /pj-rehearse skip to opt-out of rehearsals
Comment: /pj-rehearse {test-name}, with each test separated by a space, to run one or more specific rehearsals
Comment: /pj-rehearse more to run up to 10 rehearsals
Comment: /pj-rehearse max to run up to 25 rehearsals
Comment: /pj-rehearse auto-ack to run up to 5 rehearsals, and add the rehearsals-ack label on success
Comment: /pj-rehearse list to get an up-to-date list of affected jobs
Comment: /pj-rehearse abort to abort all active rehearsals
Comment: /pj-rehearse network-access-allowed to allow rehearsals of tests that have the restrict_network_access field set to false. This must be executed by an openshift org member who is not the PR author

Once you are satisfied with the results of the rehearsals, comment: /pj-rehearse ack to unblock merge. When the rehearsals-ack label is present on your PR, merge will no longer be blocked by rehearsals.
If you would like the rehearsals-ack label removed, comment: /pj-rehearse reject to re-block merging.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🧹 Nitpick comments (1)
ci-operator/config/openshift-online/rosa-trusted-actions/openshift-online-rosa-trusted-actions-main.yaml (1)

4-4: 🔒 Security & Privacy | 🔵 Trivial | ⚡ Quick win

Pin the build-root image instead of using :latest.

Use an immutable digest or explicitly versioned image tag so CI behavior cannot change without a reviewed configuration change.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In
`@ci-operator/config/openshift-online/rosa-trusted-actions/openshift-online-rosa-trusted-actions-main.yaml`
at line 4, Replace the floating :latest tag in the build-root image declaration
with an immutable digest or explicitly versioned Node.js image tag, ensuring
future image updates require a reviewed configuration change.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Nitpick comments:
In
`@ci-operator/config/openshift-online/rosa-trusted-actions/openshift-online-rosa-trusted-actions-main.yaml`:
- Line 4: Replace the floating :latest tag in the build-root image declaration
with an immutable digest or explicitly versioned Node.js image tag, ensuring
future image updates require a reviewed configuration change.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: f4d0de2d-efda-46b4-9b57-1143a0f2c3c4

📥 Commits

Reviewing files that changed from the base of the PR and between 454aaa9 and 359afff.

⛔ Files ignored due to path filters (2)
  • ci-operator/jobs/openshift-online/rosa-trusted-actions/OWNERS is excluded by !ci-operator/jobs/**
  • ci-operator/jobs/openshift-online/rosa-trusted-actions/openshift-online-rosa-trusted-actions-main-presubmits.yaml is excluded by !ci-operator/jobs/**
📒 Files selected for processing (5)
  • ci-operator/config/openshift-online/rosa-trusted-actions/OWNERS
  • ci-operator/config/openshift-online/rosa-trusted-actions/openshift-online-rosa-trusted-actions-main.yaml
  • core-services/prow/02_config/openshift-online/rosa-trusted-actions/OWNERS
  • core-services/prow/02_config/openshift-online/rosa-trusted-actions/_pluginconfig.yaml
  • core-services/prow/02_config/openshift-online/rosa-trusted-actions/_prowconfig.yaml

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

approved Indicates a PR has been approved by an approver from all required OWNERS files. do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress.

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant