
ROSA-745: branch-protection for rbac-permissions-operator (Konflux + mandatory prow) #79945

Merged: openshift-merge-bot[bot] merged 3 commits into openshift:main from MitaliBhalla:rosa-745-srep-konflux-branch-protection on Jun 3, 2026

Conversation

@MitaliBhalla (Contributor) commented Jun 2, 2026

Summary

ROSA-745 branch-protection for SREP rbac-permissions-operator (master).

Requires Konflux primary on-pull-request and mandatory ci/prow/* presubmits (non-optional only, from ci-operator presubmits). Fixes MintMaker auto-merge merging with red prow (e.g. validate / lint).

Not in this PR: managed-cluster-validating-webhooks (#79902), backplane-cli (no Konflux).

DPP: repo settings only (auto-merge, merge commits, Actions) — check names owned here.

Required contexts (7)

  • Konflux kflux-prd-rh03 / rbac-permissions-operator-on-pull-request
  • ci/prow/coverage, ci/prow/e2e-binary-build-success, ci/prow/images, ci/prow/lint, ci/prow/test, ci/prow/validate

Test plan

  • After merge + branch-protector (~6h), MintMaker PR shows Konflux + prow as required
  • Failed ci/prow/validate blocks merge

Summary by CodeRabbit

This PR adds branch-protection for the openshift/rbac-permissions-operator repository (master) in the Prow configuration so GitHub auto-merge (MintMaker) is blocked when the Konflux primary pipeline or mandatory Prow checks fail.

What changed (practical impact)

  • Branch-protection: master is protected and now requires two always-run status checks to pass before merge:
    • Konflux kflux-prd-rh03 / rbac-permissions-operator-on-pull-request
    • ci/prow/images
      These prevent MintMaker/GitHub auto-merge when Konflux or the always-run image job is red.
  • Tide configuration: conditional prow presubmits that should not block OWNERS-only/docs-only PRs were moved to tide.required-if-present-contexts so they only block when present. The conditional contexts are:
    • ci/prow/coverage
    • ci/prow/e2e-binary-build-success
    • ci/prow/lint
    • ci/prow/test
    • ci/prow/validate
  • DPP/repo settings: only repository settings (auto-merge, merge commits, Actions) were adjusted; no code changes.

Why

  • To enforce SREP policy (ROSA-745) that Konflux serves as the primary gate for this SREP-managed repo while allowing optional Prow presubmits to remain conditional so non-impacting PRs (OWNERS/docs-only) are not blocked.

Files updated

  • core-services/prow/02_config/openshift/rbac-permissions-operator/_prowconfig.yaml — add branch-protection required_status_checks for master.
  • core-services/prow/02_config/_config.yaml — add repo entry under tide context options to place conditional prow jobs into required-if-present contexts.

Notes / exclusions

  • managed-cluster-validating-webhooks and backplane-cli were not included in this change.
  • Test plan (from PR): after merge and branch-protector rollout (~6h) verify MintMaker PR shows Konflux + ci/prow/images as required, and that a failing conditional job (when present) blocks merge as expected.

@openshift-ci-robot openshift-ci-robot added the jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. label Jun 2, 2026
@openshift-ci-robot (Contributor) commented Jun 2, 2026

@MitaliBhalla: This pull request references ROSA-745 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the initiative to target the "5.0.0" version, but no target version was set.


In response to this:

Summary

ROSA-745: require Konflux on-pull-request for SREP pilot repo rbac-permissions-operator (master).

Blocks MintMaker/GitHub auto-merge when ci/prow/* or Konflux primary pipeline is red (see recent merges without required prow gates).

Not in this PR: managed-cluster-validating-webhooks (#79902), backplane-cli (no Konflux).

Test plan

  • After merge, open a MintMaker PR and confirm Konflux kflux-prd-rh03 / rbac-permissions-operator-on-pull-request is required
  • Confirm failed ci/prow/validate blocks merge

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

coderabbitai Bot (Contributor) commented Jun 2, 2026

No actionable comments were generated in the recent review. 🎉

📥 Commits

Reviewing files that changed from the base of the PR and between d56cc2e and 56294e1.

Walkthrough

Prow configuration adds branch protection for the master branch of openshift/rbac-permissions-operator and registers the repo in tide to require specific ci/prow/* contexts when present.

Changes

rbac-permissions-operator branch protection

  • Tide repo entry from branch-protection (core-services/prow/02_config/_config.yaml): adds rbac-permissions-operator under tide.context_options.from-branch-protection.orgs.openshift.repos with a master rule that lists required-if-present-contexts (ci/prow/coverage, ci/prow/e2e-binary-build-success, ci/prow/lint, ci/prow/test, ci/prow/validate).
  • Master branch protection configuration (core-services/prow/02_config/openshift/rbac-permissions-operator/_prowconfig.yaml): adds a branch-protection block protecting master and listing required status-check contexts (Konflux rbac-permissions-operator-on-pull-request and ci/prow/images).

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Pre-merge checks: 15 passed

  • Description Check: Passed. Check skipped - CodeRabbit's high-level summary is enabled.
  • Title check: Passed. The title clearly and specifically identifies the main change: adding branch-protection configuration for rbac-permissions-operator with Konflux and prow requirements, referenced to ticket ROSA-745.
  • Docstring Coverage: Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
  • Linked Issues check: Passed. Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check: Passed. Check skipped because no linked issues were found for this pull request.
  • Stable And Deterministic Test Names: Passed. The PR only modifies Prow configuration YAML files for rbac-permissions-operator branch-protection; no Ginkgo test files are modified, making the test naming check not applicable.
  • Test Structure And Quality: Passed. PR contains only YAML configuration changes for Prow CI/CD, no Ginkgo test code. The custom check for test quality is not applicable.
  • Microshift Test Compatibility: Passed. PR contains only YAML Prow configuration changes, no Ginkgo e2e tests added. Check is not applicable to this pull request.
  • Single Node Openshift (Sno) Test Compatibility: Passed. No Ginkgo e2e tests were added in this PR; only Prow CI configuration YAML files were modified for branch-protection rules. Check is not applicable.
  • Topology-Aware Scheduling Compatibility: Passed. PR modifies only Prow CI/CD configuration files with no deployment manifests, operator code, or scheduling constraints that would affect OpenShift topologies.
  • Ote Binary Stdout Contract: Passed. PR modifies only Prow YAML configuration files (branch-protection and tide settings); contains no Go code, binary code, or OTE binary-related changes that the check is designed to validate.
  • Ipv6 And Disconnected Network Test Compatibility: Passed. Check not applicable: PR contains only Prow CI configuration changes (YAML and Python files), no Ginkgo e2e test code additions.
  • No-Weak-Crypto: Passed. PR contains only YAML CI/CD configuration changes with no cryptographic code, weak crypto algorithms, or custom crypto implementations.
  • Container-Privileges: Passed. The PR modifies only Prow CI/CD configuration files that define branch protection and merge policies. These are not container/K8s manifests and contain no privileged container configurations.
  • No-Sensitive-Data-In-Logs: Passed. PR only modifies YAML configuration files for Prow CI/CD. No logging statements or sensitive data (passwords, tokens, API keys, PII, session IDs, etc.) are present in any changes.


@openshift-ci openshift-ci Bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Jun 2, 2026
@openshift-merge-bot openshift-merge-bot Bot added the rehearsals-ack Signifies that rehearsal jobs have been acknowledged label Jun 2, 2026
@MitaliBhalla force-pushed the rosa-745-srep-konflux-branch-protection branch from 88382d1 to 2f21c59 on June 2, 2026 04:38
@MitaliBhalla changed the title from "ROSA-745: Konflux branch-protection (srep)" to "ROSA-745: branch-protection for rbac-permissions-operator (Konflux + mandatory prow)" on Jun 2, 2026
Review comment thread on core-services/prow/02_config/openshift/rbac-permissions-operator/_prowconfig.yaml (outdated)

@MitaliBhalla (Contributor, Author) commented:

Thanks @xiaoyu74 — agreed.

Updated this PR to:

  • branch-protection required_status_checks: Konflux + ci/prow/images only (always-run prow job)
  • tide required-if-present-contexts: coverage, lint, test, validate, e2e-binary-build-success

OWNERS-only / docs-only PRs should no longer wait on prow jobs that are skipped via skip_if_only_changed / run_if_changed.

@MitaliBhalla (Contributor, Author) commented:

Follow-up after ci/prow/config failed: repo _prowconfig.yaml cannot set tide.context_options (only branch-protection and tide.queries are allowed in supplemental config).

Updated approach (commit 56294e1):

  • rbac-permissions-operator/_prowconfig.yaml: branch-protection requires Konflux + ci/prow/images only
  • core-services/prow/02_config/_config.yaml: tide.context_options for openshift/rbac-permissions-operator (master): required-if-present-contexts for coverage, lint, test, validate, e2e-binary-build-success

Same intent as above — conditional prow jobs gate merge when they run, but do not block OWNERS/docs-only PRs that skip them.

@openshift-ci openshift-ci Bot removed the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Jun 2, 2026
@MitaliBhalla (Contributor, Author) commented:

/label tide/merge-method-squash

@openshift-ci openshift-ci Bot added the tide/merge-method-squash Denotes a PR that should be squashed by tide when it merges. label Jun 2, 2026
@MitaliBhalla (Contributor, Author) commented Jun 2, 2026

Branch protection layout (ROSA-745) — CI green

Supplemental _prowconfig.yaml only allows branch-protection and tide.queries (not tide.context_options).

  • branch-protection (_prowconfig.yaml): Konflux *-on-pull-request + ci/prow/images
  • tide (_config.yaml): required-if-present-contexts for coverage, e2e-binary-build-success, lint, test, validate

Dependency PRs must pass prow/Konflux when those jobs run. OWNERS-only PRs are not blocked by checks that never trigger.
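A small model of the two merge gates this thread settles on, added here as an example (not code from the PR, from openshift/release, or from Prow itself; the PR status snapshots are constructed sample data). It shows why conditional presubmits belong in tide's required-if-present-contexts rather than GitHub's required_status_checks, and also that the tide layer alone does not stop GitHub's native auto-merge when a conditional job is red, which is the gap the later follow-up commit in this thread closes by adding the prow contexts to branch-protection.

```python
# Added example: a model of GitHub branch protection vs. Prow tide's context
# policy for the check names discussed in this PR. Not Prow's real code.

KONFLUX = "Konflux kflux-prd-rh03 / rbac-permissions-operator-on-pull-request"
IMAGES = "ci/prow/images"
CONDITIONAL = (
    "ci/prow/coverage", "ci/prow/e2e-binary-build-success",
    "ci/prow/lint", "ci/prow/test", "ci/prow/validate",
)

# Layout merged by this PR: always-run checks in branch-protection,
# conditional prow presubmits in tide required-if-present-contexts.
BRANCH_PROTECTION = frozenset({KONFLUX, IMAGES})
TIDE_REQUIRED_IF_PRESENT = frozenset(CONDITIONAL)
# Layout of the PR's first commit: all seven contexts in required_status_checks.
ALL_SEVEN = BRANCH_PROTECTION | TIDE_REQUIRED_IF_PRESENT


def github_gate(required, statuses):
    """GitHub branch protection, which is what GitHub auto-merge (MintMaker)
    obeys: every required context must have reported 'success'. A required
    context that never reports blocks the PR indefinitely."""
    blockers = [c for c in sorted(required) if statuses.get(c) != "success"]
    return not blockers, blockers


def tide_gate(required, required_if_present, statuses):
    """Tide context policy: 'required' contexts behave like GitHub's list; a
    'required-if-present' context blocks only when it has reported something
    other than 'success'. (skip-unknown-contexts handling is not modelled.)"""
    blockers = [c for c in sorted(required) if statuses.get(c) != "success"]
    blockers += [c for c in sorted(required_if_present)
                 if c in statuses and statuses[c] != "success"]
    return not blockers, blockers


def evaluate(statuses, branch_protection=BRANCH_PROTECTION,
             required_if_present=TIDE_REQUIRED_IF_PRESENT):
    """Report whether each gate would let this PR merge, and what blocks it."""
    gh_ok, gh_why = github_gate(branch_protection, statuses)
    tide_ok, tide_why = tide_gate(branch_protection, required_if_present, statuses)
    return {"github_auto_merge": gh_ok, "github_blockers": gh_why,
            "tide": tide_ok, "tide_blockers": tide_why}


# Constructed status snapshots (sample data, not real PRs).
OWNERS_ONLY_PR = {KONFLUX: "success", IMAGES: "success"}  # conditional jobs skipped
DEP_BUMP_RED_LINT = {KONFLUX: "success", IMAGES: "success",
                     "ci/prow/lint": "failure", "ci/prow/test": "success",
                     "ci/prow/validate": "success"}
KONFLUX_RED = {KONFLUX: "failure", IMAGES: "success", "ci/prow/test": "success"}

if __name__ == "__main__":
    for name, snap in [("owners-only", OWNERS_ONLY_PR),
                       ("dependency bump, red lint", DEP_BUMP_RED_LINT),
                       ("konflux red", KONFLUX_RED)]:
        print(name, evaluate(snap))
    # First-commit layout: an OWNERS-only PR could never satisfy GitHub,
    # because the five skipped jobs never report at all.
    print("owners-only under all-seven", github_gate(ALL_SEVEN, OWNERS_ONLY_PR))
```

The second snapshot is the one to watch: tide blocks it on ci/prow/lint, but GitHub's own auto-merge sees every required context green.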

@smarthall (Member) commented:

/lgtm

@openshift-ci openshift-ci Bot added the lgtm Indicates that a PR is ready to be merged. label Jun 3, 2026
@openshift-ci openshift-ci Bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Jun 3, 2026
MitaliBhalla and others added 3 commits June 3, 2026 18:29

Require primary Konflux on-pull-request and mandatory ci/prow/* presubmits
(non-optional only; derived from ci-operator presubmits + DPP-20685 list).

Repo settings (auto-merge, merge commits) remain DPP.

Repos: rbac-permissions-operator

Only require always-run checks in branch-protection (Konflux + ci/prow/images).
Move conditional prow jobs to tide required-if-present-contexts so OWNERS-only
and docs-only PRs are not blocked by checks that never run.

Co-authored-by: Cursor <cursoragent@cursor.com>

Repo _prowconfig may only set branch-protection and tide.queries; move
conditional prow contexts to tide required-if-present-contexts in
_config.yaml (per openshift/release checkconfig).

Co-authored-by: Cursor <cursoragent@cursor.com>
@MitaliBhalla force-pushed the rosa-745-srep-konflux-branch-protection branch from 56294e1 to e3220fd on June 3, 2026 13:02
@openshift-ci openshift-ci Bot removed the lgtm Indicates that a PR is ready to be merged. label Jun 3, 2026
@openshift-merge-bot (Contributor) commented:

[REHEARSALNOTIFIER]
@MitaliBhalla: no rehearsable tests are affected by this change

Note: If this PR includes changes to step registry files (ci-operator/step-registry/) and you expected jobs to be found, try rebasing your PR onto the base branch. This helps pj-rehearse accurately detect changes when the base branch has moved forward.

Interacting with pj-rehearse

Comment: /pj-rehearse to run up to 5 rehearsals
Comment: /pj-rehearse skip to opt-out of rehearsals
Comment: /pj-rehearse {test-name}, with each test separated by a space, to run one or more specific rehearsals
Comment: /pj-rehearse more to run up to 10 rehearsals
Comment: /pj-rehearse max to run up to 25 rehearsals
Comment: /pj-rehearse auto-ack to run up to 5 rehearsals, and add the rehearsals-ack label on success
Comment: /pj-rehearse list to get an up-to-date list of affected jobs
Comment: /pj-rehearse abort to abort all active rehearsals
Comment: /pj-rehearse network-access-allowed to allow rehearsals of tests that have the restrict_network_access field set to false. This must be executed by an openshift org member who is not the PR author

Once you are satisfied with the results of the rehearsals, comment: /pj-rehearse ack to unblock merge. When the rehearsals-ack label is present on your PR, merge will no longer be blocked by rehearsals.
If you would like the rehearsals-ack label removed, comment: /pj-rehearse reject to re-block merging.

openshift-ci Bot (Contributor) commented Jun 3, 2026

@MitaliBhalla: all tests passed!

Full PR test history. Your PR dashboard.


Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

@krishvoor (Member) commented:

/lgtm

@openshift-ci openshift-ci Bot added the lgtm Indicates that a PR is ready to be merged. label Jun 3, 2026
openshift-ci Bot (Contributor) commented Jun 3, 2026

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: krishvoor, MitaliBhalla, psalajova, smarthall

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-merge-bot openshift-merge-bot Bot merged commit c5fc279 into openshift:main Jun 3, 2026
12 checks passed
openshift-ci Bot (Contributor) commented Jun 3, 2026

@MitaliBhalla: Updated the following 2 configmaps:

  • config configmap in namespace ci at cluster app.ci using the following files:
    • key config.yaml using file core-services/prow/02_config/_config.yaml
    • key core-services-prow-02_config-openshift-rbac-permissions-operator-_prowconfig.yaml using file core-services/prow/02_config/openshift/rbac-permissions-operator/_prowconfig.yaml
  • config configmap in namespace ci at cluster core-ci using the following files:
    • key config.yaml using file core-services/prow/02_config/_config.yaml
    • key core-services-prow-02_config-openshift-rbac-permissions-operator-_prowconfig.yaml using file core-services/prow/02_config/openshift/rbac-permissions-operator/_prowconfig.yaml
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

IshwarKanse pushed a commit to IshwarKanse/release that referenced this pull request Jun 4, 2026
…mandatory prow) (openshift#79945)

* ROSA-745: branch-protection for srep (Konflux + mandatory prow)

Require primary Konflux on-pull-request and mandatory ci/prow/* presubmits
(non-optional only; derived from ci-operator presubmits + DPP-20685 list).

Repo settings (auto-merge, merge commits) remain DPP.

Repos: rbac-permissions-operator

* ROSA-745: fix rbac branch-protection per review

Only require always-run checks in branch-protection (Konflux + ci/prow/images).
Move conditional prow jobs to tide required-if-present-contexts so OWNERS-only
and docs-only PRs are not blocked by checks that never run.

Co-authored-by: Cursor <cursoragent@cursor.com>

* Fix prow config validation for rbac branch-protection

Repo _prowconfig may only set branch-protection and tide.queries; move
conditional prow contexts to tide required-if-present-contexts in
_config.yaml (per openshift/release checkconfig).

Co-authored-by: Cursor <cursoragent@cursor.com>

---------

Co-authored-by: Cursor <cursoragent@cursor.com>
openshift-merge-bot Bot pushed a commit that referenced this pull request Jun 22, 2026
)

#79945 only required ci/prow/images alongside Konflux, so GitHub
auto-merge could squash with red lint/test/coverage/validate. Add
explicit DPP prow contexts to branch-protection required_status_checks.

Co-authored-by: Cursor <cursoragent@cursor.com>