ROSA-745: require full prow checks for rbac-permissions-operator #80705

Merged
openshift-merge-bot[bot] merged 1 commit into openshift:main from MitaliBhalla:rosa-745-rbac-branch-protection-fix on Jun 22, 2026

MitaliBhalla commented Jun 18, 2026

Summary

Follow-up to #79945: require all DPP prow presubmits on rbac-permissions-operator master, not only ci/prow/images.

MintMaker PR #367 merged via GitHub auto-merge while ci/prow/lint, ci/prow/test, ci/prow/coverage, and ci/prow/validate were red — GitHub only enforces checks listed in required_status_checks.contexts, not tide required-if-present-contexts.

Required contexts (7)

  • Konflux kflux-prd-rh03 / rbac-permissions-operator-on-pull-request
  • ci/prow/coverage, ci/prow/e2e-binary-build-success, ci/prow/images, ci/prow/lint, ci/prow/test, ci/prow/validate

Test plan

  • After merge + branch-protector (~6h), open MintMaker/Dependabot PR shows Konflux + all prow checks as required
  • Failed ci/prow/validate blocks GitHub auto-merge
  • Tide merge still works with lgtm + approved when all checks green

Made with Cursor

Summary by CodeRabbit

This PR expands the branch protection requirements for the rbac-permissions-operator repository's master branch by adding comprehensive prow check enforcement to the Prow configuration.

What changed: The branch protection rules for rbac-permissions-operator now require six additional prow status checks alongside the existing Konflux check:

  • ci/prow/coverage
  • ci/prow/e2e-binary-build-success
  • ci/prow/lint
  • ci/prow/test
  • ci/prow/validate

Previously, only ci/prow/images was required. This gap allowed a PR to be auto-merged via GitHub despite failing lint, test, coverage, and validation checks.

Why it matters: GitHub's branch protection enforcement only respects checks listed in required_status_checks.contexts. By expanding this list, the configuration ensures that PRs cannot merge unless all required prow checks pass, closing a loophole that allowed previously passing PRs with failing checks to be merged automatically.

Configuration affected: core-services/prow/02_config/openshift/rbac-permissions-operator/_prowconfig.yaml (+5 lines)

openshift#79945 only required ci/prow/images alongside Konflux, so GitHub
auto-merge could squash with red lint/test/coverage/validate. Add
explicit DPP prow contexts to branch-protection required_status_checks.

Co-authored-by: Cursor <cursoragent@cursor.com>
@openshift-ci-robot openshift-ci-robot added the jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. label Jun 18, 2026
openshift-ci-robot commented Jun 18, 2026

@MitaliBhalla: This pull request references ROSA-745 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the initiative to target the "5.0.0" version, but no target version was set.

@openshift-ci openshift-ci Bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Jun 18, 2026
@openshift-merge-bot openshift-merge-bot Bot added the rehearsals-ack Signifies that rehearsal jobs have been acknowledged label Jun 18, 2026
@openshift-merge-bot

[REHEARSALNOTIFIER]
@MitaliBhalla: no rehearsable tests are affected by this change

Note: If this PR includes changes to step registry files (ci-operator/step-registry/) and you expected jobs to be found, try rebasing your PR onto the base branch. This helps pj-rehearse accurately detect changes when the base branch has moved forward.

coderabbitai Bot commented Jun 18, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: f63ccfad-b256-4f77-ae69-ee3d0a552d0c

📥 Commits

Reviewing files that changed from the base of the PR and between 261374d and 4ffaaa9.

📒 Files selected for processing (1)
  • core-services/prow/02_config/openshift/rbac-permissions-operator/_prowconfig.yaml

Walkthrough

Five additional required Prow CI status check contexts (ci/prow/coverage, ci/prow/e2e-binary-build-success, ci/prow/lint, ci/prow/test, ci/prow/validate) are added to the master branch protection configuration for the rbac-permissions-operator repository, alongside the existing ci/prow/images context.

Changes

rbac-permissions-operator Branch Protection

| Layer / File(s) | Summary |
|---|---|
| Add required CI status contexts for master branch: core-services/prow/02_config/openshift/rbac-permissions-operator/_prowconfig.yaml | Extends required_status_checks.contexts on the master branch with five new entries: ci/prow/coverage, ci/prow/e2e-binary-build-success, ci/prow/lint, ci/prow/test, and ci/prow/validate. |

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

Suggested reviewers

  • danilo-gemoli
  • bear-redhat

🚥 Pre-merge checks | ✅ 15

✅ Passed checks (15 passed)

| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title accurately and specifically describes the main change: adding comprehensive prow check requirements to the rbac-permissions-operator configuration. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Stable And Deterministic Test Names | ✅ Passed | PR contains only YAML branch protection configuration changes with no Ginkgo tests, making the "Stable and Deterministic Test Names" check not applicable. |
| Test Structure And Quality | ✅ Passed | This PR modifies only Prow YAML configuration (branch protection rules), not test code. The check for Ginkgo test quality is not applicable to configuration-only changes. |
| Microshift Test Compatibility | ✅ Passed | No new Ginkgo e2e tests were added in this PR. Changes are limited to Prow branch-protection YAML configuration for rbac-permissions-operator. The custom check for MicroShift test compatibility is... |
| Single Node Openshift (Sno) Test Compatibility | ✅ Passed | This PR only modifies Prow branch protection configuration (YAML) for rbac-permissions-operator, not adding any new Ginkgo e2e tests. The custom check is not applicable. |
| Topology-Aware Scheduling Compatibility | ✅ Passed | PR modifies only Prow CI/CD branch protection config, not deployment manifests, operator code, or controllers. No scheduling constraints introduced. |
| Ote Binary Stdout Contract | ✅ Passed | PR modifies only Prow branch protection YAML configuration, not executable code or test code subject to OTE Binary Stdout Contract requirements. |
| Ipv6 And Disconnected Network Test Compatibility | ✅ Passed | No new Ginkgo e2e tests were added. The PR only modifies a YAML Prow configuration file for branch protection rules. |
| No-Weak-Crypto | ✅ Passed | PR modifies only a Prow CI configuration YAML file adding required status checks; no cryptographic code, weak crypto algorithms, or insecure implementations present. |
| Container-Privileges | ✅ Passed | PR modifies only Prow branch protection configuration (YAML), not container/Kubernetes manifests. No privileged container settings present. |
| No-Sensitive-Data-In-Logs | ✅ Passed | The PR modifies only a YAML configuration file that defines branch protection rules and required CI check contexts. It contains no logging statements, code, or any references to sensitive data like... |

Comment on lines +12 to +17
- ci/prow/coverage
- ci/prow/e2e-binary-build-success
- ci/prow/images
- ci/prow/lint
- ci/prow/test
- ci/prow/validate
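
Review bot: the six ci/prow/* entries at +12 to +17 are bare strings with nothing tying them to the jobs that report them, so a job that is renamed or does not run on a given PR leaves a required context that never reports. Suggest a YAML comment above the list stating that each entry must match a presubmit context that reports on every PR, and that the list exists because GitHub auto-merge enforces only required_status_checks.contexts.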

These jobs are not always run. always_run: false.

If we are mandating these tests to pass, for those PRs which skip these tests, they won't be able to merge as those tests won't run. (That's my understanding, please correct me.)

I understand the intention is to let the auto merge work, while preventing it from merging the failed test PRs.

If we need to urgently fix this, possible ideas:

(1) We can set those jobs to always_run: true. It could be a bit of a waste of compute resources but it doesn't hurt to test all PRs.

(2) Let the auto merge add the lgtm/approve label, so it can follow the tide process which needs all required tests to pass before it merges.

Contributor Author

Thanks — you're right that lint, test, coverage, validate, and e2e-binary-build-success are always_run: false in ci-operator today.

The motivation is MintMaker #367: it merged via GitHub auto-merge while those prow jobs were red. GitHub only enforces checks listed in required_status_checks.contexts; Tide required-if-present-contexts does not block platform auto-merge.

#79945 only required Konflux + ci/prow/images, so this follow-up adds the full DPP prow set explicitly so a failed validate/lint/etc. blocks auto-merge when those jobs run.

On the skip edge case: if a PR never triggers a conditional mandatory job, GitHub may show the context as pending/expected. Mitigations if that becomes painful:

  1. Flip the DPP prow presubmits to always_run: true for rbac-permissions-operator in a follow-up release PR (more compute, unambiguous gating).
  2. Keep Tide + lgtm/approved as the merge path for PRs where auto-merge is not appropriate.

Happy to do (1) in this PR or a fast follow-up if you prefer that over the current explicit-context approach.

@MitaliBhalla Thanks for checking!

Let's merge this one first, so you can test and validate. Could you create a follow-up PR or card to flip always_run? I want to keep that on track.
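
The gap and the skip edge case discussed in this review thread can be checked mechanically. The following is an added example, not code from the PR or from openshift/release. The job list is constructed: `always_run: false` for the five conditional jobs comes from the thread, while `always_run: true` for `ci/prow/images` and the helper names `may_skip` and `audit` are assumptions.

```python
# Added example; job data is constructed, not read from openshift/release.
KONFLUX = "Konflux kflux-prd-rh03 / rbac-permissions-operator-on-pull-request"
CONDITIONAL = ["coverage", "e2e-binary-build-success", "lint", "test", "validate"]

# always_run: false for these five is stated in the review thread;
# always_run: true for images is an assumption.
PRESUBMITS = [{"context": "ci/prow/images", "always_run": True}] + [
    {"context": f"ci/prow/{name}", "always_run": False} for name in CONDITIONAL
]

def may_skip(job):
    """True if the job can be skipped on some PRs and so never report.

    Change filters count even with always_run: true, because the follow-up
    commit notes Prowgen ignores always_run while a filter is set.
    """
    return (not job.get("always_run", False)
            or bool(job.get("run_if_changed"))
            or bool(job.get("skip_if_only_changed")))

def audit(required, presubmits, external=(KONFLUX,)):
    """Compare GitHub required contexts with the presubmits that report them."""
    jobs = {job["context"]: job for job in presubmits}
    prow_required = [c for c in required if c not in external]
    return {
        # Job exists and is not optional, but GitHub auto-merge ignores it.
        "unenforced": sorted(c for c, j in jobs.items()
                             if c not in required and not j.get("optional", False)),
        # Required by GitHub, but the job may not run: context stays pending.
        "may_never_report": sorted(c for c in prow_required
                                   if c in jobs and may_skip(jobs[c])),
        # Required by GitHub, but no presubmit reports this context.
        "unknown": sorted(c for c in prow_required if c not in jobs),
    }

before = [KONFLUX, "ci/prow/images"]                          # state after #79945
after = before + [f"ci/prow/{name}" for name in CONDITIONAL]  # this PR
always = [dict(job, always_run=True) for job in PRESUBMITS]   # proposed follow-up

if __name__ == "__main__":
    for label, req, jobs in [("before", before, PRESUBMITS),
                             ("after", after, PRESUBMITS),
                             ("after + always_run", after, always)]:
        print(label, audit(req, jobs))
```

The three runs correspond to the state after #79945 (five jobs unenforced), the state after this PR (nothing unenforced, five contexts that may stay pending), and the follow-up that flips `always_run` (all three lists empty).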

@feichashao

/lgtm

@openshift-ci openshift-ci Bot added the lgtm Indicates that a PR is ready to be merged. label Jun 22, 2026
openshift-ci Bot commented Jun 22, 2026

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: feichashao, MitaliBhalla

openshift-ci Bot commented Jun 22, 2026

@MitaliBhalla: all tests passed!

@openshift-merge-bot openshift-merge-bot Bot merged commit bfbc9c8 into openshift:main Jun 22, 2026
12 checks passed
openshift-ci Bot commented Jun 22, 2026

@MitaliBhalla: Updated the following 2 configmaps:

  • config configmap in namespace ci at cluster app.ci using the following files:
    • key core-services-prow-02_config-openshift-rbac-permissions-operator-_prowconfig.yaml using file core-services/prow/02_config/openshift/rbac-permissions-operator/_prowconfig.yaml
  • config configmap in namespace ci at cluster core-ci using the following files:
    • key core-services-prow-02_config-openshift-rbac-permissions-operator-_prowconfig.yaml using file core-services/prow/02_config/openshift/rbac-permissions-operator/_prowconfig.yaml

MitaliBhalla added a commit to MitaliBhalla/release that referenced this pull request Jun 22, 2026
Prowgen ignores always_run: true while skip_if_only_changed or
run_if_changed is set. Drop those filters so presubmits match generated
config and jobs run on every PR (feichashao openshift#80705 follow-up).

Co-authored-by: Cursor <cursoragent@cursor.com>
krisnababu pushed a commit to krisnababu/release that referenced this pull request Jun 29, 2026
…nshift#80705)

openshift#79945 only required ci/prow/images alongside Konflux, so GitHub
auto-merge could squash with red lint/test/coverage/validate. Add
explicit DPP prow contexts to branch-protection required_status_checks.

Co-authored-by: Cursor <cursoragent@cursor.com>