Skip to content

feat: create separate PRs per branch for downstream repos in cve.fix #101

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
vmrh21 wants to merge 1 commit into
base: main
Choose a base branch
from
Open

feat: create separate PRs per branch for downstream repos in cve.fix #101

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
67 changes: 50 additions & 17 deletions workflows/cve-fixer/.claude/commands/cve.fix.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -140,33 +140,66 @@ Summary:
- The CVE scan in Step 5 acts as the safety net — it will skip repos where the CVE doesn't exist
- Log a warning: "⚠️ Could not extract container from summary — processing all component repos"

**3.3: For each target repo, gather:**
- Repository name (e.g., "opendatahub-io/odh-dashboard")
- Default branch (e.g., "main")
- Active release branches (e.g., ["v2.29.0-fixes", "v2.28.0-fixes", "rhoai-3.0"])
- Primary target branch for CVE fixes (from `cve_fix_workflow.primary_target`)
- Backport targets from `cve_fix_workflow`
- Repository type (monorepo vs single package)
- Repo type: upstream or downstream (from `repo_type` field, defaults to upstream if absent)

**Multi-repo strategy**: When a container chain has upstream, midstream, and downstream repos:
- Fix upstream first, then apply the same fix to midstream and downstream
- Each repo gets its own clone, branch, PR, and verification cycle
- Steps 4 through 11 are repeated for EACH repository in the list
**3.3: For each target repo, determine target branches:**

The branches to fix depend on `repo_type`:

- **`upstream` or `midstream`**: target `default_branch` only (e.g., `main`)
- Fixes flow forward from there — no backports needed at this level
- **`downstream`**: target `default_branch` AND every branch in `active_release_branches`
- Each branch gets its own separate PR — never combine multiple branches in one PR
- If `active_release_branches` is empty, target `default_branch` only

```bash
# Determine target branches per repo
if [ "$REPO_TYPE" = "downstream" ]; then
TARGET_BRANCHES=("$DEFAULT_BRANCH" "${ACTIVE_RELEASE_BRANCHES[@]}")
else
TARGET_BRANCHES=("$DEFAULT_BRANCH")
fi
Comment on lines +155 to +159
Copy link
Copy Markdown

@coderabbitai coderabbitai bot Apr 2, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟠 Major

TARGET_BRANCHES needs deduplication to avoid duplicate PR attempts.

If ACTIVE_RELEASE_BRANCHES contains DEFAULT_BRANCH, this creates duplicate targets and can trigger redundant PR creation/push conflicts.

Suggested doc fix 
-  if [ "$REPO_TYPE" = "downstream" ]; then
-    TARGET_BRANCHES=("$DEFAULT_BRANCH" "${ACTIVE_RELEASE_BRANCHES[@]}")
-  else
-    TARGET_BRANCHES=("$DEFAULT_BRANCH")
-  fi
+  if [ "$REPO_TYPE" = "downstream" ]; then
+    TARGET_BRANCHES=("$DEFAULT_BRANCH" "${ACTIVE_RELEASE_BRANCHES[@]}")
+  else
+    TARGET_BRANCHES=("$DEFAULT_BRANCH")
+  fi
+
+  # Deduplicate while preserving order
+  UNIQUE_TARGET_BRANCHES=()
+  for b in "${TARGET_BRANCHES[@]}"; do
+    [[ -z "$b" ]] && continue
+    [[ " ${UNIQUE_TARGET_BRANCHES[*]} " == *" $b "* ]] || UNIQUE_TARGET_BRANCHES+=("$b")
+  done
+  TARGET_BRANCHES=("${UNIQUE_TARGET_BRANCHES[@]}")
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
if [ "$REPO_TYPE" = "downstream" ]; then
TARGET_BRANCHES=("$DEFAULT_BRANCH" "${ACTIVE_RELEASE_BRANCHES[@]}")
else
TARGET_BRANCHES=("$DEFAULT_BRANCH")
fi
if [ "$REPO_TYPE" = "downstream" ]; then
TARGET_BRANCHES=("$DEFAULT_BRANCH" "${ACTIVE_RELEASE_BRANCHES[@]}")
else
TARGET_BRANCHES=("$DEFAULT_BRANCH")
fi
# Deduplicate while preserving order
UNIQUE_TARGET_BRANCHES=()
for b in "${TARGET_BRANCHES[@]}"; do
[[ -z "$b" ]] && continue
[[ " ${UNIQUE_TARGET_BRANCHES[*]} " == *" $b "* ]] || UNIQUE_TARGET_BRANCHES+=("$b")
done
TARGET_BRANCHES=("${UNIQUE_TARGET_BRANCHES[@]}")
🤖 Prompt for AI Agents 
Verify each finding against the current code and only fix it if needed.

In `@workflows/cve-fixer/.claude/commands/cve.fix.md` around lines 155 - 159, The
TARGET_BRANCHES array construction can include duplicates if
ACTIVE_RELEASE_BRANCHES contains DEFAULT_BRANCH; change the logic that sets
TARGET_BRANCHES (the branch assembly around TARGET_BRANCHES, DEFAULT_BRANCH and
ACTIVE_RELEASE_BRANCHES) to deduplicate entries before use — for example, build
TARGET_BRANCHES by iterating DEFAULT_BRANCH and each element of
ACTIVE_RELEASE_BRANCHES and only appending branches not already present (or use
a temporary associative set) so TARGET_BRANCHES contains unique branch names and
avoids duplicate PR attempts.

```

**Example for llm-d inference-scheduler:**
```
upstream llm-d/llm-d-inference-scheduler → PR against: main
midstream opendatahub-io/llm-d-inference-scheduler → PR against: main
downstream red-hat-data-services/llm-d-inference-scheduler → PRs against:
- main
- rhoai-3.3
- rhoai-3.4
- rhoai-3.4-ea.1
- rhoai-3.4-ea.2
```
Comment on lines +163 to +172
Copy link
Copy Markdown

@coderabbitai coderabbitai bot Apr 2, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟡 Minor

Fix fenced code-block markdownlint violations.

The changed examples use fenced blocks without language identifiers and missing blank-line framing per MD040/MD031.

Suggested doc fix 
-   ```
+   
+   ```text
    upstream  llm-d/llm-d-inference-scheduler          → PR against: main
    midstream opendatahub-io/llm-d-inference-scheduler  → PR against: main
    downstream red-hat-data-services/llm-d-inference-scheduler → PRs against:
      - main
      - rhoai-3.3
      - rhoai-3.4
      - rhoai-3.4-ea.1
      - rhoai-3.4-ea.2
    ```
+
...
-    ```bash
+    
+    ```bash
     # Clone once:
     # /tmp/red-hat-data-services/llm-d-inference-scheduler
     #
     # Then loop over branches — each gets its own PR:
     # PR 1 → base: main
     # PR 2 → base: rhoai-3.3
     # PR 3 → base: rhoai-3.4
     # PR 4 → base: rhoai-3.4-ea.1
     # PR 5 → base: rhoai-3.4-ea.2
     ```
+

Also applies to: 193-203

🧰 Tools
🪛 markdownlint-cli2 (0.22.0)

[warning] 163-163: Fenced code blocks should be surrounded by blank lines

(MD031, blanks-around-fences)

[warning] 163-163: Fenced code blocks should have a language specified

(MD040, fenced-code-language)

🤖 Prompt for AI Agents 
Verify each finding against the current code and only fix it if needed.

In `@workflows/cve-fixer/.claude/commands/cve.fix.md` around lines 163 - 172,
Update the fenced code blocks in workflows/cve-fixer/.claude/commands/cve.fix.md
to satisfy MD031/MD040 by adding explicit language identifiers (e.g., ```text
for the plain table and ```bash for the shell block) and ensuring there is a
blank line before and after each fenced block; locate the blocks using the
existing fence markers (``` and ```bash) and the shown content ("upstream 
llm-d/..." table and the "# Clone once:" shell example) and insert the missing
blank lines and the language tag on the opening fence for each block.


**Multi-repo + multi-branch strategy**:
- Fix upstream repos first, then midstream, then downstream
- For downstream: Steps 4 through 11 repeat for EACH branch independently
- Each branch produces its own PR with its own fix branch (e.g., `fix/cve-YYYY-XXXXX-<package>-rhoai-3.4-attempt-1`)
- Never combine fixes for multiple branches into a single PR

Comment on lines +174 to 179
Copy link
Copy Markdown

@coderabbitai coderabbitai bot Apr 2, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟠 Major

Branch naming rule is still inconsistent and can collide across target branches.

This section says branch names include the target branch, but the canonical naming rule later still omits it (fix/cve-...-<package>-attempt-1). That can overwrite/reuse the same fix branch name for multiple base branches.

Suggested doc fix 
-  - Use consistent naming: `fix/cve-YYYY-XXXXX-<package-name>-attempt-1`
+  - Use consistent naming: `fix/cve-YYYY-XXXXX-<package-name>-<target-branch>-attempt-1`
🤖 Prompt for AI Agents 
Verify each finding against the current code and only fix it if needed.

In `@workflows/cve-fixer/.claude/commands/cve.fix.md` around lines 174 - 179, The
branch naming guidance is inconsistent: the multi-branch example uses a
target-branch token (e.g., fix/cve-YYYY-XXXXX-<package>-rhoai-3.4-attempt-1) but
the canonical rule later omits it (fix/cve-...-<package>-attempt-1), risking
collisions across base branches; update the canonical naming rule to include a
target-branch placeholder (e.g., <target-branch> or the actual base branch name)
and make both the example and the canonical pattern consistent so every fix
branch (symbols: fix/cve-YYYY-XXXXX-<package>-<target-branch>-attempt-N)
uniquely identifies the base branch and prevents reuse/overwrite when repeating
steps 4–11 for each branch.

4. **Clone or Use Existing Repository**
- Always use `/tmp` for repository operations with unique dirs per repo
- For each repo, extract `REPO_ORG` and `REPO_NAME` from `github_url`, set `REPO_DIR="/tmp/${REPO_ORG}/${REPO_NAME}"`
- If `$REPO_DIR` exists, `cd` into it; otherwise `mkdir -p "/tmp/${REPO_ORG}"`, `git clone` the URL, `cd` in, and `git checkout` the target branch
- Clone the repo once: `git clone` into `REPO_DIR`, then `git fetch --all`
- **Configure git credentials** immediately after clone (needed for push):
1. `gh auth setup-git` (if `gh` is authenticated)
2. Else set `credential.helper` using `$GITHUB_TOKEN` or `$GH_TOKEN`
3. Else switch remote to SSH if `~/.ssh/id_rsa` or `id_ed25519` exists
4. Else warn: no credentials configured, push will fail
- **Multi-repo example**:
- Steps 5–11 then run in a loop over `TARGET_BRANCHES` — for each branch:
- `git checkout <branch>` and `git pull` to ensure it is up to date
- Apply fix and create PR targeting that branch
Comment on lines +183 to +191
Copy link
Copy Markdown

@coderabbitai coderabbitai bot Apr 2, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟠 Major

Branch isolation strategy conflicts with the PR objective and can leak state across targets.

Line 183-Line 191 says to clone once and loop branches in one checkout. That contradicts the stated independent per-target cycle and risks cross-branch contamination (uncommitted files, tool artifacts, lockfile drift) between iterations.

Suggested doc fix 
-   - Clone the repo once: `git clone` into `REPO_DIR`, then `git fetch --all`
+   - For each `TARGET_BRANCH`, create an independent working directory (fresh clone) to isolate fix/test/PR execution
+   - Recommended: `REPO_DIR="/tmp/${REPO_ORG}/${REPO_NAME}-${TARGET_BRANCH}"`
+   - In each branch-specific clone: checkout target branch, apply fix, run tests, create PR, then continue
...
-   - Steps 5–11 then run in a loop over `TARGET_BRANCHES` — for each branch:
-     - `git checkout <branch>` and `git pull` to ensure it is up to date
-     - Apply fix and create PR targeting that branch
+   - Steps 5–11 run independently per `TARGET_BRANCH` in its own clone:
+     - `git checkout <branch>` in the branch-specific clone
+     - Apply fix, test, and create PR targeting that branch
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
- Clone the repo once: `git clone` into `REPO_DIR`, then `git fetch --all`
- **Configure git credentials** immediately after clone (needed for push):
1. `gh auth setup-git` (if `gh` is authenticated)
2. Else set `credential.helper` using `$GITHUB_TOKEN` or `$GH_TOKEN`
3. Else switch remote to SSH if `~/.ssh/id_rsa` or `id_ed25519` exists
4. Else warn: no credentials configured, push will fail
- **Multi-repo example**:
- Steps 5–11 then run in a loop over `TARGET_BRANCHES` — for each branch:
- `git checkout <branch>` and `git pull` to ensure it is up to date
- Apply fix and create PR targeting that branch
- For each `TARGET_BRANCH`, create an independent working directory (fresh clone) to isolate fix/test/PR execution
- Recommended: `REPO_DIR="/tmp/${REPO_ORG}/${REPO_NAME}-${TARGET_BRANCH}"`
- In each branch-specific clone: checkout target branch, apply fix, run tests, create PR, then continue
- **Configure git credentials** immediately after clone (needed for push):
1. `gh auth setup-git` (if `gh` is authenticated)
2. Else set `credential.helper` using `$GITHUB_TOKEN` or `$GH_TOKEN`
3. Else switch remote to SSH if `~/.ssh/id_rsa` or `id_ed25519` exists
4. Else warn: no credentials configured, push will fail
- Steps 5–11 run independently per `TARGET_BRANCH` in its own clone:
- `git checkout <branch>` in the branch-specific clone
- Apply fix, test, and create PR targeting that branch
🤖 Prompt for AI Agents 
Verify each finding against the current code and only fix it if needed.

In `@workflows/cve-fixer/.claude/commands/cve.fix.md` around lines 183 - 191, The
current flow that "Clone the repo once" then loops over TARGET_BRANCHES (steps
5–11) can leak state between branch iterations; update the procedure so each
target branch runs in an isolated workspace: for each branch in TARGET_BRANCHES
either (a) create a fresh clone (git clone into a new REPO_DIR per branch) or
(b) perform a strict reset (git fetch --all; git checkout <branch>; git reset
--hard origin/<branch>; git clean -fdx) before applying fixes, and ensure git
credentials configuration (gh auth setup-git / credential.helper / SSH fallback)
is applied for each cloned workspace so pushes/PRs cannot be affected by
artifacts, uncommitted changes, or lockfile drift from previous iterations.

- **Example for downstream with 4 active branches:**
```bash
# Upstream: /tmp/opendatahub-io/models-as-a-service (branch: main)
# Downstream: /tmp/red-hat-data-services/models-as-a-service (branch: rhoai-3.0)
# Clone once:
# /tmp/red-hat-data-services/llm-d-inference-scheduler
#
# Then loop over branches — each gets its own PR:
# PR 1 → base: main
# PR 2 → base: rhoai-3.3
# PR 3 → base: rhoai-3.4
# PR 4 → base: rhoai-3.4-ea.1
# PR 5 → base: rhoai-3.4-ea.2
```

4.5. **Load Global Fix Guidance from `.cve-fix/` Folder**
Expand Down
Loading