Skip to content

ROSA-745: branch-protection for non-boilerplate repos#80263

Merged
openshift-merge-bot[bot] merged 8 commits into
openshift:mainfrom
MitaliBhalla:rosa-745-non-boilerplate-branch-protection
Jun 29, 2026
Merged

ROSA-745: branch-protection for non-boilerplate repos#80263
openshift-merge-bot[bot] merged 8 commits into
openshift:mainfrom
MitaliBhalla:rosa-745-non-boilerplate-branch-protection

Conversation

@MitaliBhalla

@MitaliBhalla MitaliBhalla commented Jun 9, 2026

Copy link
Copy Markdown
Contributor

Summary

ROSA-745 branch protection for repos that do not inherit dependency automerge from openshift/boilerplate#748.

Boilerplate + Konflux OSD operators are already covered by earlier per-team openshift/release PRs and will pick up MintMaker/Dependabot config from #748 after merge. This PR is the release side for the remaining non-boilerplate repos (bp-cli pilot path: per-repo Dependabot + GHA automerge, once branch protection is live).

What release owns here: required check names in _prowconfig.yaml (+ tide required-if-present-contexts for rosa conditional prow jobs). DPP already enabled repo settings (auto-merge, merge commits, Actions).

Repos in this PR

Repo Branch Required checks
backplane-cli main ci/prow/build, coverage, images, lint, scan-optional, test
backplane-tools main ci/prow/coverage, lint, unit
osdctl master ci/prow/build, format, lint, test, verify-docs
rosa master Konflux rosa-on-pull-request, rh-rosa-cli-enterprise-contract / rosa, plus always-run prow: e2e-presubmits-images, images-images, images-release-images

Out of scope: cluster-api-provider-aws — removed per @damdo (soft-fork; dependency updates handled upstream). Its _prowconfig.yaml is unchanged from main.

Layout

Layer Where What
branch-protection _prowconfig.yaml Always-run mandatory ci/prow/*; Konflux primary on-pull-request (+ EC) for rosa
tide _config.yaml required-if-present-contexts for rosa prow jobs that are not always-run (build, commits, lint, test)

Not required: enterprise-contract / pr-group on OSD operators in this batch; Konflux e2e/pko/on-push; long-running conditional rosa e2e prow.

Review feedback addressed

  • osdctl (@olucasfreitas): added ci/prow/format and ci/prow/verify-docs (all five always-run presubmits).
  • rosa (@olucasfreitas): added always-run image/e2e-presubmits prow contexts; EC report added per @amandahla / @olucasfreitas.
  • backplane-cli: added always-run ci/prow/scan-optional.
  • cluster-api-provider-aws (@damdo, @olucasfreitas): fully restored _prowconfig.yaml to main — no branch-protection or tide edits.

Test plan

  • ci/prow/prow-config green (re-run on latest push)
  • Repo owners confirm required contexts match a recent PR (gh pr checks <n> --required)
  • After merge + branch-protector cycle (~6h), spot-check dependency PR gating on one prow-only repo (e.g. backplane-tools or osdctl)

Summary by CodeRabbit

This PR implements GitHub branch protection rules for four OpenShift repositories that don't inherit dependency automerge settings from the openshift/boilerplate repository. The changes establish which Prow/CI checks must pass before code can be merged to the main development branches.

Changes by repository:

  • backplane-cli (main branch): Requires six Prow checks: ci/prow/build, ci/prow/coverage, ci/prow/images, ci/prow/lint, ci/prow/test, and ci/prow/scan-optional
  • backplane-tools (main branch): Requires three Prow checks: ci/prow/coverage, ci/prow/lint, and ci/prow/unit
  • osdctl (master branch): Requires five checks including ci/prow/build, ci/prow/lint, ci/prow/test, plus format and verify-docs checks
  • rosa (master branch): Requires two Konflux checks (rosa-on-pull-request and rh-rosa-cli-enterprise-contract / rosa) plus three Prow image-related checks

Additionally, the tide configuration in _config.yaml is updated to specify required-if-present-contexts for rosa's Prow jobs (ci/prow/build, ci/prow/commits, ci/prow/lint, ci/prow/test), accounting for jobs that may be skipped on certain PRs.

This ensures that dependency PRs on these repositories will be gated by the same CI checks as direct PRs, preventing automatic merging until all required checks pass.

Require mandatory ci/prow/* presubmits (non-optional, always_run) for repos
that do not inherit dependency automerge config from openshift/boilerplate#748.

rosa: Konflux on-pull-request + mandatory prow (supersedes openshift#79948).

aws-account-shredder: not in openshift/release — DPP-only for required checks.

Repos: backplane-cli, backplane-tools, cluster-api-provider-aws, managed-cluster-config, osdctl, rosa
@openshift-ci-robot openshift-ci-robot added the jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. label Jun 9, 2026
@openshift-ci-robot

openshift-ci-robot commented Jun 9, 2026

Copy link
Copy Markdown
Contributor

@MitaliBhalla: This pull request references ROSA-745 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the initiative to target the "5.0.0" version, but no target version was set.

Details

In response to this:

Summary

Branch protection for ROSA-745 repos that do not inherit dependency automerge from openshift/boilerplate#748 (bp-cli pilot path).

Adds mandatory ci/prow/* (always_run, non-optional) and, for rosa, Konflux *-on-pull-request + tide required-if-present-contexts for conditional prow jobs.

Repo Required checks
backplane-cli build, coverage, images, lint, test
backplane-tools coverage, lint, unit
osdctl build, lint, test
cluster-api-provider-aws images, unit, verify, verify-deps
managed-cluster-config pr-check (normalize _prowconfig layout)
rosa Konflux on-pull-request + tide if-present for build/commits/lint/test

Not in openshift/release: aws-account-shredder — no ci-operator jobs; required checks via DPP only.

Supersedes #79948 (rosa-only).

Test plan

  • make prow-config / checkconfig green
  • After merge + branch-protector cycle, spot-check a dependency PR on backplane-tools or osdctl shows required prow contexts

Made with Cursor

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@coderabbitai

coderabbitai Bot commented Jun 9, 2026

Copy link
Copy Markdown
Contributor

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

  • @coderabbitai resume to resume automatic reviews.
  • @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

  • ▶️ Resume reviews
  • 🔍 Trigger review

Walkthrough

Adds branch-protection blocks to Prow config files for openshift/backplane-cli (main), openshift/backplane-tools (main), openshift/osdctl (master), and openshift/rosa (master), each enabling protection and listing required CI status check contexts. Also adds required-if-present-contexts for openshift/rosa master in the global tide configuration.

Changes

Branch Protection and Tide Context Additions

Layer / File(s) Summary
Per-repo branch-protection blocks
core-services/prow/02_config/openshift/backplane-cli/_prowconfig.yaml, core-services/prow/02_config/openshift/backplane-tools/_prowconfig.yaml, core-services/prow/02_config/openshift/osdctl/_prowconfig.yaml, core-services/prow/02_config/openshift/rosa/_prowconfig.yaml
Adds new top-level branch-protection sections to four repository prowconfig files, each enabling protect: true and listing required status check contexts for their default branches. backplane-cli requires 6 contexts, backplane-tools requires 3, osdctl requires 5, and rosa requires 5 (including two Red Hat Konflux contexts).
Global tide context_options for rosa
core-services/prow/02_config/_config.yaml
Adds required-if-present-contexts for openshift/rosa master (ci/prow/build, ci/prow/commits, ci/prow/lint, ci/prow/test) under the global tide context_options.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~5 minutes

Possibly related PRs

  • openshift/release#80439: Modifies the same core-services/prow/02_config layer to adjust Prow/Tide required merge-blocking contexts, at the same config level as this PR.
  • openshift/release#79945: Updates core-services/prow/02_config/_config.yaml tide context_options to add repo-specific required-if-present Prow contexts, the same mechanism used here for openshift/rosa.

Suggested reviewers

  • samanthajayasinghe
  • feichashao
  • jmguzik
🚥 Pre-merge checks | ✅ 15
✅ Passed checks (15 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title 'ROSA-745: branch-protection for non-boilerplate repos' clearly and concisely summarizes the main change: adding branch-protection configuration for repositories not inheriting from boilerplate, with specific reference to the Jira ticket.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names ✅ Passed This PR contains only YAML configuration changes for Prow CI/CD and branch protection settings, with no Ginkgo test code or test titles present. The check does not apply.
Test Structure And Quality ✅ Passed PR contains only YAML configuration files (Prow branch protection settings), not Ginkgo test code. Custom check for test quality does not apply to this PR.
Microshift Test Compatibility ✅ Passed PR contains only Prow CI/CD YAML configuration changes for branch protection, not Ginkgo e2e tests, so MicroShift compatibility check is not applicable.
Single Node Openshift (Sno) Test Compatibility ✅ Passed This PR contains only Prow CI configuration changes (branch-protection and tide settings) with no Ginkgo e2e test code; the SNO test compatibility check does not apply.
Topology-Aware Scheduling Compatibility ✅ Passed This PR modifies only Prow CI/CD configuration files (_prowconfig.yaml, _config.yaml) for branch protection and tide settings. It does not contain deployment manifests, operator code, controllers,...
Ote Binary Stdout Contract ✅ Passed PR contains only YAML configuration changes to Prow branch-protection policies; no Go code or process-level stdout writes present that would violate OTE Binary Stdout Contract.
Ipv6 And Disconnected Network Test Compatibility ✅ Passed No Ginkgo e2e tests are added in this PR. All changes are YAML configuration for Prow branch protection and tide merge automation. The IPv6/disconnected network compatibility check only applies whe...
No-Weak-Crypto ✅ Passed PR contains only Prow CI/CD YAML configuration files with no cryptographic code, weak algorithms, or security-sensitive implementations present.
Container-Privileges ✅ Passed PR contains only Prow configuration files (branch-protection and tide settings) with no container or Kubernetes manifests, so the container-privileges check is not applicable.
No-Sensitive-Data-In-Logs ✅ Passed PR contains only CI/CD configuration files with check context names, secret name references, and merge settings. No actual credentials, tokens, API keys, PII, or sensitive data exposed.

✏️ Tip: You can configure your own custom pre-merge checks in the settings.

✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Comment @coderabbitai help to get the list of available commands and usage tips.

@openshift-ci openshift-ci Bot requested review from damdo and danilo-gemoli June 9, 2026 05:03
@openshift-merge-bot openshift-merge-bot Bot added the rehearsals-ack Signifies that rehearsal jobs have been acknowledged label Jun 9, 2026
determinize-prow-config requires alphabetical ordering under
tide.context_options.orgs.openshift.repos.
Branch protection for MCC is already live via openshift#77430 (ci/prow/pr-check).
No functional change needed for non-boilerplate ROSA-745 scope.
Comment thread core-services/prow/02_config/openshift/cluster-api-provider-aws/_prowconfig.yaml Outdated
@MitaliBhalla

Copy link
Copy Markdown
Contributor Author

/label tide/merge-method-squash

@openshift-ci openshift-ci Bot added the tide/merge-method-squash Denotes a PR that should be squashed by tide when it merges. label Jun 9, 2026
Comment thread core-services/prow/02_config/openshift/rosa/_prowconfig.yaml
Add Red Hat Konflux / rh-rosa-cli-enterprise-contract / rosa alongside
rosa-on-pull-request per release review; EC reports success on rosa
dependency PRs (not neutral like most OSD operators).

Co-authored-by: Cursor <cursoragent@cursor.com>
@MitaliBhalla

Copy link
Copy Markdown
Contributor Author

Updated openshift/rosa/_prowconfig.yaml to require both:

  • Red Hat Konflux / rosa-on-pull-request
  • Red Hat Konflux / rh-rosa-cli-enterprise-contract / rosa

Sampled MintMaker/Konflux PRs on rosa — EC reports pass/fail (not neutral), so it is a reasonable merge gate here unlike most OSD operator repos in this batch.

Soft-fork kept in sync with kubernetes-sigs/cluster-api-provider-aws;
dependency updates flow via upstream rebase/sync, not downstream
Dependabot/automerge (per maintainer review).

Co-authored-by: Cursor <cursoragent@cursor.com>
@MitaliBhalla

MitaliBhalla commented Jun 11, 2026

Copy link
Copy Markdown
Contributor Author

@damdo Done — removed cluster-api-provider-aws from this PR (restored _prowconfig.yaml to match master). Also closed the draft Dependabot config PR on the provider repo. CAPA stays out of ROSA-745 scope.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
core-services/prow/02_config/openshift/cluster-api-provider-aws/_prowconfig.yaml (1)

1-156: ⚠️ Potential issue | 🔴 Critical | ⚡ Quick win

Critical inconsistency: This file contains tide query modifications despite stated removal from PR scope.

The commit message states "removes cluster-api-provider-aws from this PR's branch-protection changes" and the PR description confirms cluster-api-provider-aws was dropped from scope after @damdo's request. However, this file shows active modifications to the tide configuration, not a revert to the original state:

  1. Lines 3-20: New query block added for main/master branches with acknowledge-critical-fixes-only and keep-main-query-separate labels
  2. Line 53: Added release-4.2 to the included branches list
  3. Lines 67, 86: Changed label requirement from verified to qe-approved,no-qe
  4. Lines 78-79: Modified branch list to only include openshift-4.19 and release-4.19

These are substantive changes to merge requirements and branch filtering for a repo whose maintainer explicitly requested: "leave our provider out of this change" and explained that cluster-api-provider-aws is a soft-fork synced upstream where dependency PRs should not be auto-merged via dependabot.

Action required: Either revert this entire file to match the main branch (no changes), or update the PR description and commit message to accurately reflect that tide configuration changes are being made to cluster-api-provider-aws and obtain maintainer approval for these specific modifications.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In
`@core-services/prow/02_config/openshift/cluster-api-provider-aws/_prowconfig.yaml`
around lines 1 - 156, This PR unexpectedly modifies tide queries in
_prowconfig.yaml for the openshift/cluster-api-provider-aws repo (new
main/master query with acknowledge-critical-fixes-only and
keep-main-query-separate labels, addition of release-4.2 to includedBranches,
replacement of verified with qe-approved,no-qe, and shrinking a query to only
openshift-4.19/release-4.19); either revert the entire tide block back to the
upstream/main state (undo the added query under tide -> queries, remove the
release-4.2 entry from includedBranches, restore the label "verified" where it
was changed, and restore the original branch lists that were shortened) or
update the PR title/description and commit message to explicitly state these
tide changes and obtain explicit maintainer approval from the
cluster-api-provider-aws maintainers before merging.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Outside diff comments:
In
`@core-services/prow/02_config/openshift/cluster-api-provider-aws/_prowconfig.yaml`:
- Around line 1-156: This PR unexpectedly modifies tide queries in
_prowconfig.yaml for the openshift/cluster-api-provider-aws repo (new
main/master query with acknowledge-critical-fixes-only and
keep-main-query-separate labels, addition of release-4.2 to includedBranches,
replacement of verified with qe-approved,no-qe, and shrinking a query to only
openshift-4.19/release-4.19); either revert the entire tide block back to the
upstream/main state (undo the added query under tide -> queries, remove the
release-4.2 entry from includedBranches, restore the label "verified" where it
was changed, and restore the original branch lists that were shortened) or
update the PR title/description and commit message to explicitly state these
tide changes and obtain explicit maintainer approval from the
cluster-api-provider-aws maintainers before merging.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: c990c934-d019-4410-a02b-178792b04947

📥 Commits

Reviewing files that changed from the base of the PR and between 23098a2 and bc0807e.

📒 Files selected for processing (1)
  • core-services/prow/02_config/openshift/cluster-api-provider-aws/_prowconfig.yaml

required_status_checks:
contexts:
- Red Hat Konflux / rosa-on-pull-request
- Red Hat Konflux / rh-rosa-cli-enterprise-contract / rosa

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If _prowconfig.yaml is supposed to capture rosa’s always-run mandatory ci/prow/* jobs, this list is still incomplete. Real MintMaker PRs report ci/prow/e2e-presubmits-images, ci/prow/images-images, and ci/prow/images-release-images, but none of them gate merges here.

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Added the three always-run prow contexts (e2e-presubmits-images, images-images, images-release-images) to branch-protection in e146d48 alongside the Konflux checks. Conditional prow jobs (build, commits, lint, test) remain required-if-present-contexts in _config.yaml since they are not always-run on MintMaker/dep PRs.

Comment thread core-services/prow/02_config/openshift/osdctl/_prowconfig.yaml
MitaliBhalla and others added 2 commits June 16, 2026 14:44
Align branch-protection with always-run presubmits from
openshift-osdctl-master-presubmits.yaml.

Co-authored-by: Cursor <cursoragent@cursor.com>
- osdctl: format + verify-docs (prior commit)
- backplane-cli: add always-run ci/prow/scan-optional
- rosa: add always-run images/e2e-presubmits prow contexts
- cluster-api-provider-aws: fully restore _prowconfig.yaml to main

Co-authored-by: Cursor <cursoragent@cursor.com>
@MitaliBhalla

Copy link
Copy Markdown
Contributor Author

Review feedback addressed in e146d489 / 83f83d7:

  • osdctl: all five always-run presubmits (build, format, lint, test, verify-docs)
  • backplane-cli: added always-run scan-optional
  • rosa: Konflux + EC + always-run image/e2e-presubmits prow contexts; conditional prow stays in _config.yaml required-if-present-contexts
  • cluster-api-provider-aws: out of scope — file restored to main

PR description updated to match. Thanks @olucasfreitas @damdo @amandahla for the reviews.

Comment thread core-services/prow/02_config/openshift/backplane-cli/_prowconfig.yaml Outdated
The presubmit is optional: true in ci-operator; requiring it repo-wide
would gate every PR on an advisory scan job.

Co-authored-by: Cursor <cursoragent@cursor.com>
@openshift-merge-bot

Copy link
Copy Markdown
Contributor

[REHEARSALNOTIFIER]
@MitaliBhalla: no rehearsable tests are affected by this change

Note: If this PR includes changes to step registry files (ci-operator/step-registry/) and you expected jobs to be found, try rebasing your PR onto the base branch. This helps pj-rehearse accurately detect changes when the base branch has moved forward.

Interacting with pj-rehearse

Comment: /pj-rehearse to run up to 5 rehearsals
Comment: /pj-rehearse skip to opt-out of rehearsals
Comment: /pj-rehearse {test-name}, with each test separated by a space, to run one or more specific rehearsals
Comment: /pj-rehearse more to run up to 10 rehearsals
Comment: /pj-rehearse max to run up to 25 rehearsals
Comment: /pj-rehearse auto-ack to run up to 5 rehearsals, and add the rehearsals-ack label on success
Comment: /pj-rehearse list to get an up-to-date list of affected jobs
Comment: /pj-rehearse abort to abort all active rehearsals
Comment: /pj-rehearse network-access-allowed to allow rehearsals of tests that have the restrict_network_access field set to false. This must be executed by an openshift org member who is not the PR author

Once you are satisfied with the results of the rehearsals, comment: /pj-rehearse ack to unblock merge. When the rehearsals-ack label is present on your PR, merge will no longer be blocked by rehearsals.
If you would like the rehearsals-ack label removed, comment: /pj-rehearse reject to re-block merging.

@openshift-ci

openshift-ci Bot commented Jun 22, 2026

Copy link
Copy Markdown
Contributor

@MitaliBhalla: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

@olucasfreitas

Copy link
Copy Markdown
Contributor

@MitaliBhalla lgtm to me, but I don't I have the right access to approve this, I think one of the maintainers of openshift maintainers needs to approve this

@openshift-ci openshift-ci Bot added the lgtm Indicates that a PR is ready to be merged. label Jun 29, 2026
@openshift-ci

openshift-ci Bot commented Jun 29, 2026

Copy link
Copy Markdown
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: MitaliBhalla, Prucek

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci openshift-ci Bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Jun 29, 2026
@openshift-merge-bot openshift-merge-bot Bot merged commit 5b06a40 into openshift:main Jun 29, 2026
12 checks passed
@openshift-ci

openshift-ci Bot commented Jun 29, 2026

Copy link
Copy Markdown
Contributor

@MitaliBhalla: Updated the following 2 configmaps:

  • config configmap in namespace ci at cluster app.ci using the following files:
    • key config.yaml using file core-services/prow/02_config/_config.yaml
    • key core-services-prow-02_config-openshift-backplane-cli-_prowconfig.yaml using file core-services/prow/02_config/openshift/backplane-cli/_prowconfig.yaml
    • key core-services-prow-02_config-openshift-backplane-tools-_prowconfig.yaml using file core-services/prow/02_config/openshift/backplane-tools/_prowconfig.yaml
    • key core-services-prow-02_config-openshift-osdctl-_prowconfig.yaml using file core-services/prow/02_config/openshift/osdctl/_prowconfig.yaml
    • key core-services-prow-02_config-openshift-rosa-_prowconfig.yaml using file core-services/prow/02_config/openshift/rosa/_prowconfig.yaml
  • config configmap in namespace ci at cluster core-ci using the following files:
    • key config.yaml using file core-services/prow/02_config/_config.yaml
    • key core-services-prow-02_config-openshift-backplane-cli-_prowconfig.yaml using file core-services/prow/02_config/openshift/backplane-cli/_prowconfig.yaml
    • key core-services-prow-02_config-openshift-backplane-tools-_prowconfig.yaml using file core-services/prow/02_config/openshift/backplane-tools/_prowconfig.yaml
    • key core-services-prow-02_config-openshift-osdctl-_prowconfig.yaml using file core-services/prow/02_config/openshift/osdctl/_prowconfig.yaml
    • key core-services-prow-02_config-openshift-rosa-_prowconfig.yaml using file core-services/prow/02_config/openshift/rosa/_prowconfig.yaml
Details

In response to this:

Summary

ROSA-745 branch protection for repos that do not inherit dependency automerge from openshift/boilerplate#748.

Boilerplate + Konflux OSD operators are already covered by earlier per-team openshift/release PRs and will pick up MintMaker/Dependabot config from #748 after merge. This PR is the release side for the remaining non-boilerplate repos (bp-cli pilot path: per-repo Dependabot + GHA automerge, once branch protection is live).

What release owns here: required check names in _prowconfig.yaml (+ tide required-if-present-contexts for rosa conditional prow jobs). DPP already enabled repo settings (auto-merge, merge commits, Actions).

Repos in this PR

Repo Branch Required checks
backplane-cli main ci/prow/build, coverage, images, lint, scan-optional, test
backplane-tools main ci/prow/coverage, lint, unit
osdctl master ci/prow/build, format, lint, test, verify-docs
rosa master Konflux rosa-on-pull-request, rh-rosa-cli-enterprise-contract / rosa, plus always-run prow: e2e-presubmits-images, images-images, images-release-images

Out of scope: cluster-api-provider-aws — removed per @damdo (soft-fork; dependency updates handled upstream). Its _prowconfig.yaml is unchanged from main.

Layout

Layer Where What
branch-protection _prowconfig.yaml Always-run mandatory ci/prow/*; Konflux primary on-pull-request (+ EC) for rosa
tide _config.yaml required-if-present-contexts for rosa prow jobs that are not always-run (build, commits, lint, test)

Not required: enterprise-contract / pr-group on OSD operators in this batch; Konflux e2e/pko/on-push; long-running conditional rosa e2e prow.

Review feedback addressed

  • osdctl (@olucasfreitas): added ci/prow/format and ci/prow/verify-docs (all five always-run presubmits).
  • rosa (@olucasfreitas): added always-run image/e2e-presubmits prow contexts; EC report added per @amandahla / @olucasfreitas.
  • backplane-cli: added always-run ci/prow/scan-optional.
  • cluster-api-provider-aws (@damdo, @olucasfreitas): fully restored _prowconfig.yaml to main — no branch-protection or tide edits.

Test plan

  • ci/prow/prow-config green (re-run on latest push)
  • Repo owners confirm required contexts match a recent PR (gh pr checks <n> --required)
  • After merge + branch-protector cycle (~6h), spot-check dependency PR gating on one prow-only repo (e.g. backplane-tools or osdctl)

Summary by CodeRabbit

This PR implements GitHub branch protection rules for four OpenShift repositories that don't inherit dependency automerge settings from the openshift/boilerplate repository. The changes establish which Prow/CI checks must pass before code can be merged to the main development branches.

Changes by repository:

  • backplane-cli (main branch): Requires six Prow checks: ci/prow/build, ci/prow/coverage, ci/prow/images, ci/prow/lint, ci/prow/test, and ci/prow/scan-optional
  • backplane-tools (main branch): Requires three Prow checks: ci/prow/coverage, ci/prow/lint, and ci/prow/unit
  • osdctl (master branch): Requires five checks including ci/prow/build, ci/prow/lint, ci/prow/test, plus format and verify-docs checks
  • rosa (master branch): Requires two Konflux checks (rosa-on-pull-request and rh-rosa-cli-enterprise-contract / rosa) plus three Prow image-related checks

Additionally, the tide configuration in _config.yaml is updated to specify required-if-present-contexts for rosa's Prow jobs (ci/prow/build, ci/prow/commits, ci/prow/lint, ci/prow/test), accounting for jobs that may be skipped on certain PRs.

This ensures that dependency PRs on these repositories will be gated by the same CI checks as direct PRs, preventing automatic merging until all required checks pass.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

approved Indicates a PR has been approved by an approver from all required OWNERS files. jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. lgtm Indicates that a PR is ready to be merged. rehearsals-ack Signifies that rehearsal jobs have been acknowledged tide/merge-method-squash Denotes a PR that should be squashed by tide when it merges.

Projects

None yet

Development

Successfully merging this pull request may close these issues.

6 participants