ROSA-745: branch-protection for rbac-permissions-operator (Konflux + mandatory prow)#79945
Conversation
|
@MitaliBhalla: This pull request references ROSA-745 which is a valid jira issue. Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the initiative to target the "5.0.0" version, but no target version was set. DetailsIn response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
|
No actionable comments were generated in the recent review. 🎉 ℹ️ Recent review info⚙️ Run configurationConfiguration used: Repository YAML (base), Central YAML (inherited) Review profile: CHILL Plan: Enterprise Run ID: 📒 Files selected for processing (2)
💤 Files with no reviewable changes (1)
WalkthroughProw configuration adds branch protection for the Changesrbac-permissions-operator branch protection
Estimated code review effort🎯 2 (Simple) | ⏱️ ~10 minutes Possibly related PRs
Suggested labels
Suggested reviewers
🚥 Pre-merge checks | ✅ 15✅ Passed checks (15 passed)
✏️ Tip: You can configure your own custom pre-merge checks in the settings. ✨ Finishing Touches🧪 Generate unit tests (beta)
Comment |
88382d1 to
2f21c59
Compare
|
Thanks @xiaoyu74 — agreed. Updated this PR to:
OWNERS-only / docs-only PRs should no longer wait on prow jobs that are skipped via |
|
Follow-up after Updated approach (commit 56294e1):
Same intent as above — conditional prow jobs gate merge when they run, but do not block OWNERS/docs-only PRs that skip them. |
|
/label tide/merge-method-squash |
Branch protection layout (ROSA-745) — CI greenSupplemental
Dependency PRs must pass prow/Konflux when those jobs run. OWNERS-only PRs are not blocked by checks that never trigger. |
|
/lgtm |
Require primary Konflux on-pull-request and mandatory ci/prow/* presubmits (non-optional only; derived from ci-operator presubmits + DPP-20685 list). Repo settings (auto-merge, merge commits) remain DPP. Repos: rbac-permissions-operator
Only require always-run checks in branch-protection (Konflux + ci/prow/images). Move conditional prow jobs to tide required-if-present-contexts so OWNERS-only and docs-only PRs are not blocked by checks that never run. Co-authored-by: Cursor <cursoragent@cursor.com>
Repo _prowconfig may only set branch-protection and tide.queries; move conditional prow contexts to tide required-if-present-contexts in _config.yaml (per openshift/release checkconfig). Co-authored-by: Cursor <cursoragent@cursor.com>
56294e1 to
e3220fd
Compare
|
[REHEARSALNOTIFIER] Note: If this PR includes changes to step registry files ( Interacting with pj-rehearseComment: Once you are satisfied with the results of the rehearsals, comment: |
|
@MitaliBhalla: all tests passed! Full PR test history. Your PR dashboard. DetailsInstructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here. |
|
/lgtm |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: krishvoor, MitaliBhalla, psalajova, smarthall The full list of commands accepted by this bot can be found here. The pull request process is described here DetailsNeeds approval from an approver in each of these files:
Approvers can indicate their approval by writing |
|
@MitaliBhalla: Updated the following 2 configmaps:
DetailsIn response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
…mandatory prow) (openshift#79945) * ROSA-745: branch-protection for srep (Konflux + mandatory prow) Require primary Konflux on-pull-request and mandatory ci/prow/* presubmits (non-optional only; derived from ci-operator presubmits + DPP-20685 list). Repo settings (auto-merge, merge commits) remain DPP. Repos: rbac-permissions-operator * ROSA-745: fix rbac branch-protection per review Only require always-run checks in branch-protection (Konflux + ci/prow/images). Move conditional prow jobs to tide required-if-present-contexts so OWNERS-only and docs-only PRs are not blocked by checks that never run. Co-authored-by: Cursor <cursoragent@cursor.com> * Fix prow config validation for rbac branch-protection Repo _prowconfig may only set branch-protection and tide.queries; move conditional prow contexts to tide required-if-present-contexts in _config.yaml (per openshift/release checkconfig). Co-authored-by: Cursor <cursoragent@cursor.com> --------- Co-authored-by: Cursor <cursoragent@cursor.com>
…mandatory prow) (openshift#79945) * ROSA-745: branch-protection for srep (Konflux + mandatory prow) Require primary Konflux on-pull-request and mandatory ci/prow/* presubmits (non-optional only; derived from ci-operator presubmits + DPP-20685 list). Repo settings (auto-merge, merge commits) remain DPP. Repos: rbac-permissions-operator * ROSA-745: fix rbac branch-protection per review Only require always-run checks in branch-protection (Konflux + ci/prow/images). Move conditional prow jobs to tide required-if-present-contexts so OWNERS-only and docs-only PRs are not blocked by checks that never run. Co-authored-by: Cursor <cursoragent@cursor.com> * Fix prow config validation for rbac branch-protection Repo _prowconfig may only set branch-protection and tide.queries; move conditional prow contexts to tide required-if-present-contexts in _config.yaml (per openshift/release checkconfig). Co-authored-by: Cursor <cursoragent@cursor.com> --------- Co-authored-by: Cursor <cursoragent@cursor.com>
…mandatory prow) (openshift#79945) * ROSA-745: branch-protection for srep (Konflux + mandatory prow) Require primary Konflux on-pull-request and mandatory ci/prow/* presubmits (non-optional only; derived from ci-operator presubmits + DPP-20685 list). Repo settings (auto-merge, merge commits) remain DPP. Repos: rbac-permissions-operator * ROSA-745: fix rbac branch-protection per review Only require always-run checks in branch-protection (Konflux + ci/prow/images). Move conditional prow jobs to tide required-if-present-contexts so OWNERS-only and docs-only PRs are not blocked by checks that never run. Co-authored-by: Cursor <cursoragent@cursor.com> * Fix prow config validation for rbac branch-protection Repo _prowconfig may only set branch-protection and tide.queries; move conditional prow contexts to tide required-if-present-contexts in _config.yaml (per openshift/release checkconfig). Co-authored-by: Cursor <cursoragent@cursor.com> --------- Co-authored-by: Cursor <cursoragent@cursor.com>
) #79945 only required ci/prow/images alongside Konflux, so GitHub auto-merge could squash with red lint/test/coverage/validate. Add explicit DPP prow contexts to branch-protection required_status_checks. Co-authored-by: Cursor <cursoragent@cursor.com>
…nshift#80705) openshift#79945 only required ci/prow/images alongside Konflux, so GitHub auto-merge could squash with red lint/test/coverage/validate. Add explicit DPP prow contexts to branch-protection required_status_checks. Co-authored-by: Cursor <cursoragent@cursor.com>
Summary
ROSA-745 branch-protection for SREP
rbac-permissions-operator(master).Requires Konflux primary on-pull-request and mandatory
ci/prow/*presubmits (non-optional only, fromci-operatorpresubmits). Fixes MintMaker auto-merge merging with red prow (e.g.validate/lint).Not in this PR:
managed-cluster-validating-webhooks(#79902),backplane-cli(no Konflux).DPP: repo settings only (auto-merge, merge commits, Actions) — check names owned here.
Required contexts (7)
Konflux kflux-prd-rh03 / rbac-permissions-operator-on-pull-requestci/prow/coverage,ci/prow/e2e-binary-build-success,ci/prow/images,ci/prow/lint,ci/prow/test,ci/prow/validateTest plan
ci/prow/validateblocks mergeSummary by CodeRabbit
This PR adds branch-protection for the openshift/rbac-permissions-operator repository (master) in the Prow configuration so GitHub auto-merge (MintMaker) is blocked when the Konflux primary pipeline or mandatory Prow checks fail.
What changed (practical impact)
These prevent MintMaker/GitHub auto-merge when Konflux or the always-run image job is red.
Why
Files updated
Notes / exclusions