ROSA-745: branch-protection for non-boilerplate repos #80263
Require mandatory ci/prow/* presubmits (non-optional, always_run) for repos that do not inherit dependency automerge config from openshift/boilerplate#748. rosa: Konflux on-pull-request + mandatory prow (supersedes openshift#79948). aws-account-shredder: not in openshift/release — DPP-only for required checks. Repos: backplane-cli, backplane-tools, cluster-api-provider-aws, managed-cluster-config, osdctl, rosa
|
@MitaliBhalla: This pull request references ROSA-745 which is a valid jira issue. Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the initiative to target the "5.0.0" version, but no target version was set.
|
determinize-prow-config requires alphabetical ordering under tide.context_options.orgs.openshift.repos.
Branch protection for MCC is already live via openshift#77430 (ci/prow/pr-check). No functional change needed for non-boilerplate ROSA-745 scope.
|
/label tide/merge-method-squash |
Add Red Hat Konflux / rh-rosa-cli-enterprise-contract / rosa alongside rosa-on-pull-request per release review; EC reports success on rosa dependency PRs (not neutral like most OSD operators). Co-authored-by: Cursor <cursoragent@cursor.com>
|
Updated
Sampled MintMaker/Konflux PRs on rosa — EC reports pass/fail (not neutral), so it is a reasonable merge gate here unlike most OSD operator repos in this batch. |
Soft-fork kept in sync with kubernetes-sigs/cluster-api-provider-aws; dependency updates flow via upstream rebase/sync, not downstream Dependabot/automerge (per maintainer review). Co-authored-by: Cursor <cursoragent@cursor.com>
Caution
Some comments are outside the diff and can’t be posted inline due to platform limitations.
⚠️ Outside diff range comments (1)
core-services/prow/02_config/openshift/cluster-api-provider-aws/_prowconfig.yaml (1)
1-156: ⚠️ Potential issue | 🔴 Critical | ⚡ Quick win
Critical inconsistency: This file contains tide query modifications despite stated removal from PR scope.
The commit message states "removes cluster-api-provider-aws from this PR's branch-protection changes" and the PR description confirms cluster-api-provider-aws was dropped from scope after @damdo's request. However, this file shows active modifications to the tide configuration, not a revert to the original state:
- Lines 3-20: New query block added for `main`/`master` branches with `acknowledge-critical-fixes-only` and `keep-main-query-separate` labels
- Line 53: Added `release-4.2` to the included branches list
- Lines 67, 86: Changed label requirement from `verified` to `qe-approved,no-qe`
- Lines 78-79: Modified branch list to only include `openshift-4.19` and `release-4.19`

These are substantive changes to merge requirements and branch filtering for a repo whose maintainer explicitly requested: "leave our provider out of this change" and explained that cluster-api-provider-aws is a soft-fork synced upstream where dependency PRs should not be auto-merged via dependabot.
Action required: Either revert this entire file to match the main branch (no changes), or update the PR description and commit message to accurately reflect that tide configuration changes are being made to cluster-api-provider-aws and obtain maintainer approval for these specific modifications.
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@core-services/prow/02_config/openshift/cluster-api-provider-aws/_prowconfig.yaml` around lines 1 - 156, This PR unexpectedly modifies tide queries in _prowconfig.yaml for the openshift/cluster-api-provider-aws repo (new main/master query with acknowledge-critical-fixes-only and keep-main-query-separate labels, addition of release-4.2 to includedBranches, replacement of verified with qe-approved,no-qe, and shrinking a query to only openshift-4.19/release-4.19); either revert the entire tide block back to the upstream/main state (undo the added query under tide -> queries, remove the release-4.2 entry from includedBranches, restore the label "verified" where it was changed, and restore the original branch lists that were shortened) or update the PR title/description and commit message to explicitly state these tide changes and obtain explicit maintainer approval from the cluster-api-provider-aws maintainers before merging.
| required_status_checks: | ||
| contexts: | ||
| - Red Hat Konflux / rosa-on-pull-request | ||
| - Red Hat Konflux / rh-rosa-cli-enterprise-contract / rosa |
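Review bot: Both entries under `contexts:` are multi-segment Konflux check names, and branch protection matches a required context by exact string, so any difference in spacing or casing around the ` / ` separators leaves that check waiting forever and blocks every merge on the branch. Suggest confirming both names character for character against the checks reported on a recent rosa pull request, and adding a short comment above the list that says which pipeline emits each name.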
If _prowconfig.yaml is supposed to capture rosa’s always-run mandatory ci/prow/* jobs, this list is still incomplete. Real MintMaker PRs report ci/prow/e2e-presubmits-images, ci/prow/images-images, and ci/prow/images-release-images, but none of them gate merges here.
Added the three always-run prow contexts (e2e-presubmits-images, images-images, images-release-images) to branch-protection in e146d48 alongside the Konflux checks. Conditional prow jobs (build, commits, lint, test) remain required-if-present-contexts in _config.yaml since they are not always-run on MintMaker/dep PRs.
Align branch-protection with always-run presubmits from openshift-osdctl-master-presubmits.yaml. Co-authored-by: Cursor <cursoragent@cursor.com>
- osdctl: format + verify-docs (prior commit)
- backplane-cli: add always-run ci/prow/scan-optional
- rosa: add always-run images/e2e-presubmits prow contexts
- cluster-api-provider-aws: fully restore _prowconfig.yaml to main
Co-authored-by: Cursor <cursoragent@cursor.com>
|
Review feedback addressed in
PR description updated to match. Thanks @olucasfreitas @damdo @amandahla for the reviews. |
The presubmit is optional: true in ci-operator; requiring it repo-wide would gate every PR on an advisory scan job. Co-authored-by: Cursor <cursoragent@cursor.com>
|
|
@MitaliBhalla: all tests passed! |
|
@MitaliBhalla lgtm to me, but I don't have the right access to approve this, I think one of the openshift maintainers needs to approve this |
|
[APPROVALNOTIFIER] This PR is APPROVED
This pull-request has been approved by: MitaliBhalla, Prucek
|
@MitaliBhalla: Updated the following 2 configmaps:
Summary
ROSA-745 branch protection for repos that do not inherit dependency automerge from openshift/boilerplate#748.
Boilerplate + Konflux OSD operators are already covered by earlier per-team `openshift/release` PRs and will pick up MintMaker/Dependabot config from #748 after merge. This PR is the release side for the remaining non-boilerplate repos (bp-cli pilot path: per-repo Dependabot + GHA automerge, once branch protection is live).

What release owns here: required check names in `_prowconfig.yaml` (+ tide `required-if-present-contexts` for `rosa` conditional prow jobs). DPP already enabled repo settings (auto-merge, merge commits, Actions).

Repos in this PR

| Repo | Branch | Required checks |
| --- | --- | --- |
| `backplane-cli` | `main` | `ci/prow/build`, `coverage`, `images`, `lint`, `scan-optional`, `test` |
| `backplane-tools` | `main` | `ci/prow/coverage`, `lint`, `unit` |
| `osdctl` | `master` | `ci/prow/build`, `format`, `lint`, `test`, `verify-docs` |
| `rosa` | `master` | `rosa-on-pull-request`, `rh-rosa-cli-enterprise-contract / rosa`, plus always-run prow: `e2e-presubmits-images`, `images-images`, `images-release-images` |

Out of scope: `cluster-api-provider-aws` — removed per @damdo (soft-fork; dependency updates handled upstream). Its `_prowconfig.yaml` is unchanged from `main`.

Layout

| File | Contents |
| --- | --- |
| `_prowconfig.yaml` | `ci/prow/*`; Konflux primary on-pull-request (+ EC) for `rosa` |
| `_config.yaml` | `required-if-present-contexts` for `rosa` prow jobs that are not always-run (`build`, `commits`, `lint`, `test`) |

Not required: enterprise-contract / pr-group on OSD operators in this batch; Konflux e2e/pko/on-push; long-running conditional `rosa` e2e prow.

Review feedback addressed
- `ci/prow/format` and `ci/prow/verify-docs` (all five always-run presubmits).
- `ci/prow/scan-optional`.
- `_prowconfig.yaml` to `main` — no branch-protection or tide edits.

Test plan
- `ci/prow/prow-config` green (re-run on latest push)
- `gh pr checks <n> --required`)
- `backplane-tools` or `osdctl`)

Summary by CodeRabbit
This PR implements GitHub branch protection rules for four OpenShift repositories that don't inherit dependency automerge settings from the openshift/boilerplate repository. The changes establish which Prow/CI checks must pass before code can be merged to the main development branches.
Changes by repository:
- `ci/prow/build`, `ci/prow/coverage`, `ci/prow/images`, `ci/prow/lint`, `ci/prow/test`, and `ci/prow/scan-optional`
- `ci/prow/coverage`, `ci/prow/lint`, and `ci/prow/unit`
- `ci/prow/build`, `ci/prow/lint`, `ci/prow/test`, plus `format` and `verify-docs` checks
- `rosa-on-pull-request` and `rh-rosa-cli-enterprise-contract / rosa`) plus three Prow image-related checks

Additionally, the tide configuration in `_config.yaml` is updated to specify `required-if-present-contexts` for rosa's Prow jobs (`ci/prow/build`, `ci/prow/commits`, `ci/prow/lint`, `ci/prow/test`), accounting for jobs that may be skipped on certain PRs.

This ensures that dependency PRs on these repositories will be gated by the same CI checks as direct PRs, preventing automatic merging until all required checks pass.
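The rule this review converged on can be checked mechanically: only always-run, non-optional presubmits belong in `required_status_checks.contexts`, conditional jobs belong under tide `required-if-present-contexts`, and optional jobs gate nothing. The following is an added example, not code from the PR or from openshift/release; the job list, the `ci/prow/e2e` context and the `audit` helper are constructed for illustration.

```python
# Added example: audit merge-gate contexts against presubmit definitions.
# Job data is constructed; field names mirror Prow presubmit config
# (context, always_run, optional).
PRESUBMITS = [
    {"context": "ci/prow/build", "always_run": True, "optional": False},
    {"context": "ci/prow/lint", "always_run": True, "optional": False},
    {"context": "ci/prow/test", "always_run": False, "optional": False},
    {"context": "ci/prow/scan-optional", "always_run": True, "optional": True},
    {"context": "ci/prow/verify-docs", "always_run": True, "optional": False},
]
# Constructed "before" list with each kind of mistake raised in review.
REQUIRED = ["ci/prow/build", "ci/prow/lint", "ci/prow/test",
            "ci/prow/scan-optional", "ci/prow/e2e"]


def audit(presubmits, required, required_if_present=()):
    """Return sorted (context, finding) pairs for one repo's merge gates."""
    jobs = {j["context"]: j for j in presubmits}
    findings = []
    for ctx in required:
        job = jobs.get(ctx)
        if job is None:
            # Nothing ever reports this status, so every PR waits on it forever.
            findings.append((ctx, "required but no job reports it"))
        elif job["optional"]:
            # An advisory job would become a hard merge gate.
            findings.append((ctx, "required but job is optional"))
        elif not job["always_run"]:
            # Skipped on some PRs; those PRs could never merge.
            findings.append((ctx, "required but conditional"))
    gated = set(required) | set(required_if_present)
    for ctx, job in jobs.items():
        if job["always_run"] and not job["optional"] and ctx not in gated:
            # Mandatory job whose failure would not block a merge.
            findings.append((ctx, "always-run job does not gate merges"))
    return sorted(findings)


if __name__ == "__main__":
    for ctx, finding in audit(PRESUBMITS, REQUIRED):
        print(f"{ctx}: {finding}")
```
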