prow: fix tide context policy collisions for 7 repos #81365

Merged: openshift-merge-bot[bot] merged 2 commits into openshift:main from petr-muller:fixup-bp-policy-conflicts on Jul 2, 2026
@petr-muller petr-muller commented Jul 1, 2026

Remove conditionally-triggered job contexts from branch-protection required_status_checks to prevent collisions with tide's required-if-present-contexts. When a context appears in both sets, GetTideContextPolicy validation fails and silently breaks tide for the entire subpool (kubernetes-sigs/prow#777). Follows the fix pattern from #81244.

Repos fixed: certman-operator, managed-node-metadata-operator, managed-upgrade-operator, ocm-agent, ocm-agent-operator, rbac-permissions-operator, dora-metrics/pelorus.

Also adds missing tide required-if-present-contexts entries for rbac-permissions-operator and dora-metrics/pelorus in _config.yaml.

Followup from https://redhat-internal.slack.com/archives/CBUT43E94/p1782948367195589?thread_ts=1782883307.967359&cid=CBUT43E94

There's a presubmit that's supposed to catch this via checkconfig - but checkconfig is broken. kubernetes-sigs/prow#791 should fix it. With fixed checkconfig we get the following output:

/tmp/checkconfig --config-path=core-services/prow/02_config/_config.yaml \
                 --supplemental-prow-config-dir=core-services/prow/02_config \
                 --job-config-path=ci-operator/jobs \
                 --strict \
                 --warnings=tide-context-policy
{"component":"unset","file":"/home/afri/Projects/Worktrees/github.com/kubernetes-sigs/prow/777-triage/cmd/checkconfig/main.go:92","func":"main.reportWarning","level":"warning","msg":"[context policy for main branch in openshift/managed-node-metadata-operator is invalid: contexts ci/prow/coverage, ci/prow/lint, ci/prow/test, ci/prow/validate are defined as required and required if present, context policy for master branch in openshift/managed-upgrade-operator is invalid: contexts ci/prow/coverage, ci/prow/lint, ci/prow/test, ci/prow/validate are defined as required and required if present, context policy for master branch in openshift/ocm-agent is invalid: contexts ci/prow/coverage, ci/prow/lint, ci/prow/test are defined as required and required if present, context policy for master branch in openshift/ocm-agent-operator is invalid: contexts ci/prow/coverage, ci/prow/lint, ci/prow/test, ci/prow/validate are defined as required and required if present, context policy for master branch in openshift/certman-operator is invalid: contexts ci/prow/coverage, ci/prow/lint, ci/prow/test, ci/prow/validate are defined as required and required if present, context policy for master branch in openshift/rbac-permissions-operator is invalid: contexts ci/prow/coverage, ci/prow/e2e-binary-build-success, ci/prow/lint, ci/prow/test, ci/prow/validate are defined as required and required if present, context policy for master branch in dora-metrics/pelorus is invalid: contexts ci/prow/4.13-e2e-openshift are defined as required and required if present]","severity":"warning","time":"2026-07-02T01:23:14+02:00"}

I fed that to a Claude to fix this, which did #81365. When run against that branch, the fixed checkconfig passes:

 /tmp/checkconfig --config-path=core-services/prow/02_config/_config.yaml \
                  --supplemental-prow-config-dir=core-services/prow/02_config \
                  --job-config-path=ci-operator/jobs \
                  --strict \
                  --warnings=tide-context-policy
{"component":"unset","file":"/home/afri/Projects/Worktrees/github.com/kubernetes-sigs/prow/777-triage/cmd/checkconfig/main.go:249","func":"main.main","level":"info","msg":"checkconfig passes without any error!","severity":"info","time":"2026-07-02T01:21:41+02:00"}

🤖 Generated with Claude Code

Summary by CodeRabbit

This PR updates Prow and Tide configuration for several OpenShift component repositories to avoid context policy collisions that can break Tide validation. In practice, it removes overlapping Prow status checks from branch protection where those jobs are already handled by Tide’s required-if-present-contexts, reducing the risk of subpool-wide Tide failures.

It also adds missing Tide context entries for rbac-permissions-operator and dora-metrics/pelorus, and adjusts ocm-agent so its always-run coverage, lint, and test checks remain enforced through branch protection instead of being treated as optional-if-present. As a result, CI requirements are now aligned more cleanly across branch protection and Tide for the affected repositories.
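
The collision described in this PR, and the rule its two commits apply to resolve it, as an added Go example (not code from Prow, checkconfig, or this PR). The `Policy` and `Fix` types and all function names are hypothetical; the sample policies are constructed from contexts quoted on this page, with `RequiredIfPresent` standing for the effective tide set.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Policy is a simplified, hypothetical model of one branch's merge policy.
type Policy struct {
	OrgRepo, Branch   string
	Required          []string        // branch-protection required_status_checks.contexts
	RequiredIfPresent []string        // effective tide required-if-present-contexts
	AlwaysRun         map[string]bool // context -> its job is always_run: true
}
type Fix struct{ Context, DropFrom string } // list a colliding context is removed from

// Collisions returns, sorted, every context that appears in both lists.
func Collisions(p Policy) []string {
	required := make(map[string]bool, len(p.Required))
	for _, c := range p.Required {
		required[c] = true
	}
	var out []string
	for _, c := range p.RequiredIfPresent {
		if required[c] {
			required[c] = false // report each collision once
			out = append(out, c)
		}
	}
	sort.Strings(out)
	return out
}

// PlanFixes: always_run jobs stay in branch protection, conditional jobs stay required-if-present.
func PlanFixes(p Policy) []Fix {
	var fixes []Fix
	for _, c := range Collisions(p) {
		drop := "required_status_checks" // conditional job: tide enforces it when present
		if p.AlwaysRun[c] {
			drop = "required-if-present-contexts"
		}
		fixes = append(fixes, Fix{Context: c, DropFrom: drop})
	}
	return fixes
}

// Describe renders a collision in the wording of the checkconfig warning quoted above.
func Describe(p Policy) string {
	c := Collisions(p)
	if len(c) == 0 {
		return ""
	}
	return fmt.Sprintf("context policy for %s branch in %s is invalid: contexts %s are defined as required and required if present", p.Branch, p.OrgRepo, strings.Join(c, ", "))
}

// SamplePolicies returns constructed pre-fix inputs for two of the seven repos.
func SamplePolicies() []Policy {
	return []Policy{
		{OrgRepo: "openshift/ocm-agent", Branch: "master",
			Required:          []string{"ci/prow/coverage", "ci/prow/images", "ci/prow/lint", "ci/prow/test"},
			RequiredIfPresent: []string{"ci/prow/coverage", "ci/prow/lint", "ci/prow/test", "ci/prow/e2e-binary-build-success"},
			AlwaysRun:         map[string]bool{"ci/prow/coverage": true, "ci/prow/lint": true, "ci/prow/test": true}},
		{OrgRepo: "dora-metrics/pelorus", Branch: "master",
			Required:          []string{"dpulls", "ci/prow/4.13-e2e-openshift"},
			RequiredIfPresent: []string{"ci/prow/4.13-e2e-openshift"}},
	}
}

func main() {
	for _, p := range SamplePolicies() {
		fmt.Println(Describe(p), PlanFixes(p))
	}
}
```
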

Remove conditionally-triggered job contexts from branch-protection
required_status_checks to prevent collisions with tide's
required-if-present-contexts. When a context appears in both sets,
GetTideContextPolicy validation fails and silently breaks tide for the
entire subpool (kubernetes-sigs/prow#777).

Repos fixed: certman-operator, managed-node-metadata-operator,
managed-upgrade-operator, ocm-agent, ocm-agent-operator,
rbac-permissions-operator, dora-metrics/pelorus.

Also adds missing tide required-if-present-contexts entries for
rbac-permissions-operator and dora-metrics/pelorus in _config.yaml.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@coderabbitai

coderabbitai Bot commented Jul 1, 2026

Walkthrough

This PR updates Prow configuration for several repositories: removes several ci/prow/* contexts from required_status_checks.contexts in per-repo branch-protection files, adds a dora-metrics tide.context_options entry for pelorus, and explicitly sets required-if-present-contexts for rbac-permissions-operator in the global _config.yaml.

Changes

Prow branch-protection and tide configuration

Layer / File(s) / Summary

dora-metrics pelorus context relocation
Files: core-services/prow/02_config/dora-metrics/pelorus/_prowconfig.yaml, core-services/prow/02_config/_config.yaml
Summary: ci/prow/4.13-e2e-openshift is removed from pelorus branch-protection required contexts and added as a dora-metrics required-if-present-contexts entry in tide.context_options.

rbac-permissions-operator context relocation
Files: core-services/prow/02_config/openshift/rbac-permissions-operator/_prowconfig.yaml, core-services/prow/02_config/_config.yaml
Summary: Removes ci/prow/coverage, ci/prow/e2e-binary-build-success, ci/prow/lint, ci/prow/test, ci/prow/validate from branch-protection required contexts and explicitly adds them to tide.context_options required-if-present-contexts.

Required status checks trimming across repos
Files: core-services/prow/02_config/openshift/certman-operator/_prowconfig.yaml, core-services/prow/02_config/openshift/managed-node-metadata-operator/_prowconfig.yaml, core-services/prow/02_config/openshift/managed-upgrade-operator/_prowconfig.yaml, core-services/prow/02_config/openshift/ocm-agent-operator/_prowconfig.yaml
Summary: Removes ci/prow/coverage, ci/prow/lint, ci/prow/test, and ci/prow/validate from required_status_checks.contexts, leaving only Konflux and ci/prow/images contexts.

Estimated code review effort: 2 (Simple) | ~10 minutes

Possibly related PRs

  • openshift/release#81341: Both PRs adjust core-services/prow/02_config/_config.yaml tide.context_options for openshift/rbac-permissions-operator, touching the same required-if-present-contexts configuration.

Suggested labels: lgtm, approved

Suggested reviewers: blublinsky, bparees, droslean, psalajova

🚥 Pre-merge checks | ✅ 15
✅ Passed checks (15 passed)
Check name Status Explanation
Title check ✅ Passed The title clearly matches the main change: fixing tide context policy collisions across seven Prow repositories.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names ✅ Passed Only prow YAML configs changed; no Ginkgo test titles or test files were modified.
Test Structure And Quality ✅ Passed PASS: PR only changes Prow YAML configs; touched config subtrees contain no Go/Ginkgo test files, so the test-quality review is not applicable.
Microshift Test Compatibility ✅ Passed PR only changes prow YAML config; no new Ginkgo tests or test code were added, so MicroShift compatibility is not implicated.
Single Node Openshift (Sno) Test Compatibility ✅ Passed PR only changes prow YAML configs; no Go files or new Ginkgo test declarations were added, so SNO test compatibility is not applicable.
Topology-Aware Scheduling Compatibility ✅ Passed PASS: The PR only edits Prow YAML configs under core-services/prow/02_config; no deployment manifests, operator code, or controllers were changed, so this check is not applicable.
Ote Binary Stdout Contract ✅ Passed Only prow YAML config changed; no OTE binary code or process-level stdout writes were touched.
Ipv6 And Disconnected Network Test Compatibility ✅ Passed PR only changes prow YAML branch-protection/tide config; no Ginkgo e2e tests or network-dependent code were added.
No-Weak-Crypto ✅ Passed Only Prow YAML config changed; no MD5/SHA1/DES/RC4/3DES/Blowfish/ECB, custom crypto, or secret comparison code was introduced.
Container-Privileges ✅ Passed The PR only edits prow config YAMLs; no container/K8s manifests were touched, and no privileged/hostPID/hostNetwork/hostIPC/allowPrivilegeEscalation/SYS_ADMIN settings appear.
No-Sensitive-Data-In-Logs ✅ Passed Reviewed the touched prow YAMLs; they only adjust required status-check contexts and contain no added logs, secrets, tokens, PII, or hostnames.
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
@openshift-ci openshift-ci Bot requested review from bmeng and charlesgong July 1, 2026 23:18
Unlike the other repos, ocm-agent's coverage, lint, and test jobs are
always_run: true. The collision for this repo comes from the tide
required-if-present-contexts entry, not from BP. Remove those three
from required-if-present and restore them in BP where they belong.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@openshift-merge-bot

[REHEARSALNOTIFIER]
@petr-muller: no rehearsable tests are affected by this change

Note: If this PR includes changes to step registry files (ci-operator/step-registry/) and you expected jobs to be found, try rebasing your PR onto the base branch. This helps pj-rehearse accurately detect changes when the base branch has moved forward.

@openshift-merge-bot openshift-merge-bot Bot added the rehearsals-ack Signifies that rehearsal jobs have been acknowledged label Jul 1, 2026
@openshift-merge-bot

Interacting with pj-rehearse

Comment: /pj-rehearse to run up to 5 rehearsals
Comment: /pj-rehearse skip to opt-out of rehearsals
Comment: /pj-rehearse {test-name}, with each test separated by a space, to run one or more specific rehearsals
Comment: /pj-rehearse more to run up to 10 rehearsals
Comment: /pj-rehearse max to run up to 25 rehearsals
Comment: /pj-rehearse auto-ack to run up to 5 rehearsals, and add the rehearsals-ack label on success
Comment: /pj-rehearse list to get an up-to-date list of affected jobs
Comment: /pj-rehearse abort to abort all active rehearsals
Comment: /pj-rehearse network-access-allowed to allow rehearsals of tests that have the restrict_network_access field set to false. This must be executed by an openshift org member who is not the PR author

Once you are satisfied with the results of the rehearsals, comment: /pj-rehearse ack to unblock merge. When the rehearsals-ack label is present on your PR, merge will no longer be blocked by rehearsals.
If you would like the rehearsals-ack label removed, comment: /pj-rehearse reject to re-block merging.

required_status_checks:
contexts:
- dpulls
- ci/prow/4.13-e2e-openshift
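
Review bot: once `ci/prow/4.13-e2e-openshift` leaves `required_status_checks.contexts`, GitHub branch protection no longer gates merges on it and enforcement rests on tide's required-if-present-contexts entry, so a merge made outside tide would not be held by this context. Suggest a YAML comment beside `contexts:` pointing at the tide entry in `_config.yaml`, so a later edit does not put the context back in both lists.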


conditional job - move to required-if-present-contexts

- ci/prow/coverage
- ci/prow/lint
- ci/prow/test
- ci/prow/validate


- ci/prow/coverage
- ci/prow/lint
- ci/prow/test
- ci/prow/validate


- ci/prow/images
- ci/prow/lint
- ci/prow/test
- ci/prow/validate


- ci/prow/images
- ci/prow/lint
- ci/prow/test
- ci/prow/validate


All conditional

Added to required-if-present-contexts below

- ci/prow/coverage
- ci/prow/lint
- ci/prow/test
- ci/prow/e2e-binary-build-success
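
Review bot: the first three entries here (`ci/prow/coverage`, `ci/prow/lint`, `ci/prow/test`) match the contexts the checkconfig warning reports as colliding for openshift/ocm-agent, and the follow-up commit says those jobs are `always_run: true`. If this is the required-if-present list, a YAML comment noting that only `ci/prow/e2e-binary-build-success` is conditional would keep the three always-run contexts from being re-added and recreating the collision.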


Only the last one is conditional

run_if_changed: ^(test/e2e/.*|go\.mod|go\.sum)$

Configured as always required in

- ci/prow/coverage
- ci/prow/images
- ci/prow/lint
- ci/prow/test

@openshift-ci openshift-ci Bot added the lgtm Indicates that a PR is ready to be merged. label Jul 2, 2026
@openshift-ci

openshift-ci Bot commented Jul 2, 2026

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: petr-muller, Prucek

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci openshift-ci Bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Jul 2, 2026
@openshift-merge-bot openshift-merge-bot Bot merged commit 1b55d5c into openshift:main Jul 2, 2026
2 of 12 checks passed
@openshift-ci

openshift-ci Bot commented Jul 2, 2026

@petr-muller: Updated the following 2 configmaps:

  • config configmap in namespace ci at cluster app.ci using the following files:
    • key config.yaml using file core-services/prow/02_config/_config.yaml
    • key core-services-prow-02_config-dora-metrics-pelorus-_prowconfig.yaml using file core-services/prow/02_config/dora-metrics/pelorus/_prowconfig.yaml
    • key core-services-prow-02_config-openshift-certman-operator-_prowconfig.yaml using file core-services/prow/02_config/openshift/certman-operator/_prowconfig.yaml
    • key core-services-prow-02_config-openshift-managed-node-metadata-operator-_prowconfig.yaml using file core-services/prow/02_config/openshift/managed-node-metadata-operator/_prowconfig.yaml
    • key core-services-prow-02_config-openshift-managed-upgrade-operator-_prowconfig.yaml using file core-services/prow/02_config/openshift/managed-upgrade-operator/_prowconfig.yaml
    • key core-services-prow-02_config-openshift-ocm-agent-operator-_prowconfig.yaml using file core-services/prow/02_config/openshift/ocm-agent-operator/_prowconfig.yaml
    • key core-services-prow-02_config-openshift-rbac-permissions-operator-_prowconfig.yaml using file core-services/prow/02_config/openshift/rbac-permissions-operator/_prowconfig.yaml
  • config configmap in namespace ci at cluster core-ci using the following files:
    • key config.yaml using file core-services/prow/02_config/_config.yaml
    • key core-services-prow-02_config-dora-metrics-pelorus-_prowconfig.yaml using file core-services/prow/02_config/dora-metrics/pelorus/_prowconfig.yaml
    • key core-services-prow-02_config-openshift-certman-operator-_prowconfig.yaml using file core-services/prow/02_config/openshift/certman-operator/_prowconfig.yaml
    • key core-services-prow-02_config-openshift-managed-node-metadata-operator-_prowconfig.yaml using file core-services/prow/02_config/openshift/managed-node-metadata-operator/_prowconfig.yaml
    • key core-services-prow-02_config-openshift-managed-upgrade-operator-_prowconfig.yaml using file core-services/prow/02_config/openshift/managed-upgrade-operator/_prowconfig.yaml
    • key core-services-prow-02_config-openshift-ocm-agent-operator-_prowconfig.yaml using file core-services/prow/02_config/openshift/ocm-agent-operator/_prowconfig.yaml
    • key core-services-prow-02_config-openshift-rbac-permissions-operator-_prowconfig.yaml using file core-services/prow/02_config/openshift/rbac-permissions-operator/_prowconfig.yaml
@petr-muller petr-muller deleted the fixup-bp-policy-conflicts branch July 2, 2026 08:54
krisnababu pushed a commit to oharan2/release that referenced this pull request Jul 3, 2026
* prow: fix tide context policy collisions for 7 repos

Remove conditionally-triggered job contexts from branch-protection
required_status_checks to prevent collisions with tide's
required-if-present-contexts. When a context appears in both sets,
GetTideContextPolicy validation fails and silently breaks tide for the
entire subpool (kubernetes-sigs/prow#777).

Repos fixed: certman-operator, managed-node-metadata-operator,
managed-upgrade-operator, ocm-agent, ocm-agent-operator,
rbac-permissions-operator, dora-metrics/pelorus.

Also adds missing tide required-if-present-contexts entries for
rbac-permissions-operator and dora-metrics/pelorus in _config.yaml.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* prow: fix ocm-agent — coverage/lint/test are always_run, not conditional

Unlike the other repos, ocm-agent's coverage, lint, and test jobs are
always_run: true. The collision for this repo comes from the tide
required-if-present-contexts entry, not from BP. Remove those three
from required-if-present and restore them in BP where they belong.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>