Require all Prow CI checks in branch protection for SRE operators #81412

Merged: openshift-merge-bot[bot] merged 1 commit into openshift:main from dustman9000:sre-operator-branch-protection, Jul 2, 2026

@dustman9000 dustman9000 commented Jul 2, 2026

Summary

Several SRE operator repos only required ci/prow/images in branch protection, allowing PRs to merge with failing lint, test, coverage, and validate checks. Discovered when Dependabot auto-merge merged cloud-ingress-operator PRs #505-#511 with 3 failing checks.

Three changes per repo:

  1. Remove skip_if_only_changed and run_if_changed from CI configs so all tests become always_run. Trade-off: tests now run on docs-only PRs (sub-2-minute cost).

  2. Add all non-optional Prow checks to required_status_checks in branch protection prowconfigs. Branchprotector syncs these to GitHub every 6 hours.

  3. Replace required-if-present-contexts with skip-unknown-contexts in _config.yaml Tide context options (matching the rbac-permissions-operator pattern). This resolves the checkconfig --strict conflict where contexts can't be both required and required-if-present.

Repos updated (12):

| Repo | Branch Protection Checks Added |
| --- | --- |
| cloud-ingress-operator | coverage, e2e-binary-build-success, lint, test, validate |
| configure-alertmanager-operator | coverage, e2e-binary-build-success, lint, test, validate |
| deadmanssnitch-operator | coverage, lint, test, validate |
| pagerduty-operator | coverage, lint, test, validate |
| aws-account-operator | coverage, lint, prek, test, validate |
| gcp-project-operator | coverage, lint, test, validate |
| managed-velero-operator | lint, test, validate |
| osd-cluster-ready | lint, test |
| managed-cluster-validating-webhooks | e2e-binary-build-success, pr-check |
| custom-domains-operator | new section (all checks) |
| splunk-forwarder-operator | new section (all checks) |
| must-gather-operator | new section (all checks) |

Test plan

  • ci/prow/config validation passes
  • Rehearsal jobs pass (pj-rehearse)
  • Verify branch protection applied after branchprotector sync
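
The mismatch described in the summary above can be checked mechanically. The following is an added example, not code from this PR, openshift/release or Prow: a stdlib-only audit over constructed presubmit and branch-protection data for cloud-ingress-operator. The `audit` and `presubmit` helpers, the skip pattern, which jobs were gated, and the contents of the required-if-present list are assumptions for illustration.

```python
"""Audit Prow presubmits against branch protection and Tide context options.

Added example with constructed data; not part of openshift/release or Prow.
"""

# Presubmit fields that make a job conditional: it may report no status on a PR.
CONDITIONAL_KEYS = ("skip_if_only_changed", "run_if_changed")


def audit(presubmits, required_contexts, required_if_present=()):
    """Return the three kinds of mismatch discussed in the PR.

    presubmits          -- dicts shaped like Prow presubmit entries
    required_contexts   -- branch-protection required_status_checks.contexts
    required_if_present -- Tide required-if-present-contexts for the repo
    """
    required = set(required_contexts)
    by_context = {job["context"]: job for job in presubmits}

    # Non-optional jobs that can fail without blocking the merge.
    unprotected = sorted(
        ctx for ctx, job in by_context.items()
        if not job.get("optional", False) and ctx not in required
    )
    # Required contexts whose job is still conditional, so the status
    # may never be reported on a PR that the filter skips.
    conditional_required = sorted(
        ctx for ctx in required.intersection(by_context)
        if any(by_context[ctx].get(key) for key in CONDITIONAL_KEYS)
    )
    # Contexts declared both required and required-if-present.
    strict_conflict = sorted(required & set(required_if_present))
    return {
        "unprotected": unprotected,
        "conditional_required": conditional_required,
        "strict_conflict": strict_conflict,
    }


# ---- constructed sample data (assumptions, not the repo's real config) ----
REPO = "cloud-ingress-operator"
GATE = r"^docs/|\.md$"  # constructed skip pattern
GATED = ("coverage", "lint", "test", "validate")   # assumed gated before the PR
UNGATED = ("images", "e2e-binary-build-success")   # assumed always_run


def presubmit(check, **fields):
    """Build a minimal presubmit entry using the job naming seen on the page."""
    return {
        "name": f"pull-ci-openshift-{REPO}-master-{check}",
        "context": f"ci/prow/{check}",
        **fields,
    }


JOBS_BEFORE = [presubmit(c, always_run=True) for c in UNGATED] + [
    presubmit(c, skip_if_only_changed=GATE) for c in GATED
]
JOBS_AFTER = [presubmit(c, always_run=True) for c in UNGATED + GATED]
ALL_CONTEXTS = [job["context"] for job in JOBS_AFTER]
IF_PRESENT = [f"ci/prow/{c}" for c in GATED]


def scenarios():
    """Audit the state before the PR, a partial fix, and all three changes."""
    return {
        "before": audit(JOBS_BEFORE, ["ci/prow/images"], IF_PRESENT),
        "contexts_added_only": audit(JOBS_BEFORE, ALL_CONTEXTS, IF_PRESENT),
        "after": audit(JOBS_AFTER, ALL_CONTEXTS),
    }


if __name__ == "__main__":
    for name, findings in scenarios().items():
        print(name)
        for kind, contexts in findings.items():
            print(f"  {kind}: {', '.join(contexts) or '-'}")
```

The `contexts_added_only` scenario models applying only change 2: the contexts are required while the jobs are still gated and still listed as required-if-present, which is the conflict the summary attributes to `checkconfig --strict`.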

@openshift-ci openshift-ci Bot requested review from bmeng and boranx July 2, 2026 16:36

coderabbitai Bot commented Jul 2, 2026

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Walkthrough

This change updates Prow branch-protection requirements for several OpenShift repositories and removes skip_if_only_changed gating from matching CI jobs, with some configs also adding or reworking coverage publishing steps.

Changes

Prow branch protection

| Layer / File(s) | Summary |
| --- | --- |
| Branch protection updates: `core-services/prow/02_config/openshift/*/_prowconfig.yaml` | Multiple repositories add required ci/prow/* contexts to required_status_checks.contexts, and two repos add new branch-protection blocks for master. |

CI job config

| Layer / File(s) | Summary |
| --- | --- |
| CI job gating and coverage jobs: `ci-operator/config/openshift/*/*-master.yaml` | Several CI configs remove skip_if_only_changed filters from test/validate jobs; some also add or adjust publish-coverage jobs that use Codecov token secrets. |

Estimated code review effort: 3 (Moderate) | ~25 minutes

Possibly related PRs

Suggested labels: lgtm, approved

Suggested reviewers: psalajova, droslean, bmeng

🚥 Pre-merge checks | ✅ 15
✅ Passed checks (15 passed)

| Check name | Status | Explanation |
| --- | --- | --- |
| Title check | ✅ Passed | The title matches the main change: expanding branch protection to require additional Prow CI checks for SRE operator repos. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Stable And Deterministic Test Names | ✅ Passed | PR only changes Prow/ci YAML configs; no Ginkgo test files or test titles were added or modified. |
| Test Structure And Quality | ✅ Passed | PR only edits YAML CI/branch-protection configs; no Ginkgo test code was added or modified, so the test-structure checklist isn't applicable. |
| Microshift Test Compatibility | ✅ Passed | PR only changes YAML branch/CI config; no new Ginkgo e2e tests or test code were added, so MicroShift compatibility check is not applicable. |
| Single Node Openshift (Sno) Test Compatibility | ✅ Passed | Diff is config-only; no Go/Ginkgo test files were added, so the SNO compatibility check is not applicable. |
| Topology-Aware Scheduling Compatibility | ✅ Passed | Only prow/ci-operator YAML changed; no deployment manifests, operator code, or scheduling fields (affinity/nodeSelector/topologySpreadConstraints) were added. |
| Ote Binary Stdout Contract | ✅ Passed | PASS: The PR only changes YAML Prow/ci-operator configs; no OTE binary source or process-level stdout writes were added or modified. |
| Ipv6 And Disconnected Network Test Compatibility | ✅ Passed | PR only changes YAML CI/branch-protection configs; no new Ginkgo e2e tests or network-sensitive code were added. |
| No-Weak-Crypto | ✅ Passed | Only YAML branch-protection/CI config changed; no weak-crypto, custom crypto, or secret-comparison code found. |
| Container-Privileges | ✅ Passed | Changed files are prow/ci config only; targeted scans found no privileged, host*, capabilities, or securityContext fields in the touched manifests. |
| No-Sensitive-Data-In-Logs | ✅ Passed | Touched files are CI/branch-protection YAML only; scans found secret references and CI context names, but no raw passwords, tokens, PII, or log output. |
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |

@openshift-merge-bot openshift-merge-bot Bot added the rehearsals-ack Signifies that rehearsal jobs have been acknowledged label Jul 2, 2026
@dustman9000 dustman9000 force-pushed the sre-operator-branch-protection branch from c3dbb3b to 103333a Compare July 2, 2026 16:41

@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In
`@ci-operator/step-registry/rosa/cluster-lease/health/rosa-cluster-lease-health-commands.sh`:
- Around line 126-139: The cluster lease health check currently defaults missing
ocm-env to staging in the CLUSTER_OCM_ENV assignment, which can misclassify
leases from the script’s default OCM environment. Update the handling around
CLUSTER_OCM_ENV and ocm_ensure_env so missing ocm-env falls back to
OCM_LOGIN_ENV (or aborts the health check before any error patch is applied)
instead of staging. Keep the existing OCM_STATUS evaluation and patching logic
in rosa-cluster-lease-health-commands.sh gated on the corrected environment
resolution.
- Around line 45-50: The login flow in the cluster lease health script updates
CURRENT_OCM_ENV even when no ocm login actually happened, which can leave the
previous session active and make later checks use the wrong environment. Move
the CURRENT_OCM_ENV assignment so it only runs inside the successful login
branches in the rosa-cluster-lease-health-commands.sh logic, using the existing
SSO_CLIENT_ID/SSO_CLIENT_SECRET and OCM_TOKEN paths as the only valid places to
set it.

ℹ️ Review info

📥 Commits

Reviewing files that changed from the base of the PR and between c25b193 and c3dbb3b.

📒 Files selected for processing (7)
  • ci-operator/step-registry/rosa/cluster-lease/controller/rosa-cluster-lease-controller-commands.sh
  • ci-operator/step-registry/rosa/cluster-lease/health/rosa-cluster-lease-health-commands.sh
  • core-services/prow/02_config/openshift/cloud-ingress-operator/_prowconfig.yaml
  • core-services/prow/02_config/openshift/configure-alertmanager-operator/_prowconfig.yaml
  • core-services/prow/02_config/openshift/custom-domains-operator/_prowconfig.yaml
  • core-services/prow/02_config/openshift/pagerduty-operator/_prowconfig.yaml
  • core-services/prow/02_config/openshift/splunk-forwarder-operator/_prowconfig.yaml

@dustman9000 dustman9000 force-pushed the sre-operator-branch-protection branch from 103333a to 21fc531 Compare July 2, 2026 16:58
@dustman9000 dustman9000 changed the title Add missing branch protection checks for SRE operators Add branch protection for SRE operators Jul 2, 2026
@openshift-ci openshift-ci Bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Jul 2, 2026
@dustman9000 dustman9000 force-pushed the sre-operator-branch-protection branch from 21fc531 to e1f985e Compare July 2, 2026 17:02
@dustman9000

/hold
testing the strict prowconfig check

@openshift-ci openshift-ci Bot added do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. and removed approved Indicates a PR has been approved by an approver from all required OWNERS files. labels Jul 2, 2026

@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In
`@core-services/prow/02_config/openshift/cloud-ingress-operator/_prowconfig.yaml`:
- Around line 12-17: Remove the hardcoded ci/prow/coverage, ci/prow/lint,
ci/prow/test, and ci/prow/validate entries from the cloud-ingress-operator prow
config so it matches the PR’s intended design. In _prowconfig.yaml, keep only
the truly required always-on checks and rely on the existing
required-if-present-contexts wiring already defined for this repo in the shared
prow config. Use the cloud-ingress-operator required_status_checks section as
the target for cleanup.

ℹ️ Review info

📥 Commits

Reviewing files that changed from the base of the PR and between 21fc531 and e1f985e.

📒 Files selected for processing (1)
  • core-services/prow/02_config/openshift/cloud-ingress-operator/_prowconfig.yaml

@dustman9000 dustman9000 force-pushed the sre-operator-branch-protection branch from e1f985e to 2252b24 Compare July 2, 2026 17:18
@dustman9000 dustman9000 changed the title Add branch protection for SRE operators Require all Prow CI checks in branch protection for SRE operators Jul 2, 2026
@openshift-merge-bot openshift-merge-bot Bot removed the rehearsals-ack Signifies that rehearsal jobs have been acknowledged label Jul 2, 2026

@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 9

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In
`@core-services/prow/02_config/openshift/aws-account-operator/_prowconfig.yaml`:
- Around line 12-17: Remove the duplicated ci/prow/coverage, ci/prow/lint,
ci/prow/prek, ci/prow/test, and ci/prow/validate entries from the
required_status_checks.contexts block in _prowconfig.yaml. These checks are
already configured as required-if-present via the shared Prow config in
_config.yaml, so this local config should not hard-require them; keep only the
genuinely required contexts here to stay consistent with checkconfig --strict.

In
`@core-services/prow/02_config/openshift/configure-alertmanager-operator/_prowconfig.yaml`:
- Around line 12-17: Remove the `skip_if_only_changed`-gated contexts from
`required_status_checks.contexts` in `configure-alertmanager-operator`’s
`_prowconfig.yaml`; the affected entries are the ones added for coverage, lint,
test, and validate. Keep the existing required-if-present handling aligned with
the shared config by ensuring these checks remain under the
`required-if-present-contexts` mechanism instead of being hard-required in the
`required_status_checks` list.

In
`@core-services/prow/02_config/openshift/custom-domains-operator/_prowconfig.yaml`:
- Around line 9-17: The new branch-protection configuration is hard-requiring
Prow checks that are intended to be required-if-present. Update the
custom-domains-operator branch-protection block by removing the
skip_if_only_changed-based contexts from required_status_checks.contexts and
keep only the always-required checks such as the Konflux context,
ci/prow/images, and ci/prow/e2e-binary-build-success. Use the branch-protection
stanza in the _prowconfig.yaml config to ensure Tide can enforce the conditional
checks without conflicting with checkconfig --strict.

In
`@core-services/prow/02_config/openshift/deadmanssnitch-operator/_prowconfig.yaml`:
- Around line 12-16: The required status checks for deadmanssnitch-operator
currently include checks that the PR rationale says are registered as
required-if-present via skip_if_only_changed, which conflicts with checkconfig
--strict. Update the _prowconfig.yaml required_status_checks list to remove
ci/prow/coverage, ci/prow/lint, ci/prow/test, and ci/prow/validate, keeping only
the checks that should be strictly required; use the existing
required_status_checks block to make this adjustment.

In
`@core-services/prow/02_config/openshift/gcp-project-operator/_prowconfig.yaml`:
- Around line 12-16: Remove the newly added ci/prow/coverage, ci/prow/lint,
ci/prow/test, and ci/prow/validate entries from required_status_checks in the
_prowconfig.yaml configuration. Keep the required checks aligned with the PR’s
intended skip_if_only_changed behavior and the existing pattern used by
deadmanssnitch-operator, so only the non-gated checks remain required.

In
`@core-services/prow/02_config/openshift/must-gather-operator/_prowconfig.yaml`:
- Around line 1-16: Add only the branch-protection required_status_checks that
match the PR scope in the must-gather-operator config. In the branch-protection
entry for master, update the contexts list to keep just the intended Prow jobs
and remove the extra ci/prow/coverage, ci/prow/lint, and ci/prow/test
requirements; use the existing branch-protection block and its
required_status_checks contexts to locate the change.

In `@core-services/prow/02_config/openshift/osd-cluster-ready/_prowconfig.yaml`:
- Around line 13-14: Remove the newly added ci/prow/lint and ci/prow/test
entries from the required_status_checks list in the osd-cluster-ready Prow
config, since these jobs are skip_if_only_changed-gated and should not be
treated as required. Update the _prowconfig.yaml section that defines
required_status_checks so it only contains the checks that are meant to be
mandatory, keeping it consistent with the PR’s stated checkconfig --strict
intent.

In `@core-services/prow/02_config/openshift/pagerduty-operator/_prowconfig.yaml`:
- Around line 12-16: The required_status_checks.contexts list in the
pagerduty-operator Prow config is duplicating checks that are already covered by
required-if-present-contexts. Remove the skip_if_only_changed-gated entries from
the required_status_checks block and leave them only in the shared
required-if-present-contexts list, using the existing pagerduty-operator config
sections to locate the duplicate contexts.

In
`@core-services/prow/02_config/openshift/splunk-forwarder-operator/_prowconfig.yaml`:
- Around line 9-17: The new branch-protection entry in the _prowconfig.yaml
config is incorrectly hard-requiring checks that should remain
required-if-present. Update the required_status_checks.contexts for the
splunk-forwarder-operator branch protection block to remove the
skip_if_only_changed checks (ci/prow/coverage, ci/prow/lint, ci/prow/test,
ci/prow/validate) while keeping only the truly required contexts, using the same
pattern as the custom-domains-operator config to avoid checkconfig --strict
conflicts.

ℹ️ Review info

📥 Commits

Reviewing files that changed from the base of the PR and between e1f985e and 2252b24.

⛔ Files ignored due to path filters (10)
  • ci-operator/jobs/openshift/aws-account-operator/openshift-aws-account-operator-master-presubmits.yaml is excluded by !ci-operator/jobs/**
  • ci-operator/jobs/openshift/cloud-ingress-operator/openshift-cloud-ingress-operator-master-presubmits.yaml is excluded by !ci-operator/jobs/**
  • ci-operator/jobs/openshift/configure-alertmanager-operator/openshift-configure-alertmanager-operator-master-presubmits.yaml is excluded by !ci-operator/jobs/**
  • ci-operator/jobs/openshift/custom-domains-operator/openshift-custom-domains-operator-master-presubmits.yaml is excluded by !ci-operator/jobs/**
  • ci-operator/jobs/openshift/deadmanssnitch-operator/openshift-deadmanssnitch-operator-master-presubmits.yaml is excluded by !ci-operator/jobs/**
  • ci-operator/jobs/openshift/gcp-project-operator/openshift-gcp-project-operator-master-presubmits.yaml is excluded by !ci-operator/jobs/**
  • ci-operator/jobs/openshift/managed-velero-operator/openshift-managed-velero-operator-master-presubmits.yaml is excluded by !ci-operator/jobs/**
  • ci-operator/jobs/openshift/must-gather-operator/openshift-must-gather-operator-master-presubmits.yaml is excluded by !ci-operator/jobs/**
  • ci-operator/jobs/openshift/pagerduty-operator/openshift-pagerduty-operator-master-presubmits.yaml is excluded by !ci-operator/jobs/**
  • ci-operator/jobs/openshift/splunk-forwarder-operator/openshift-splunk-forwarder-operator-master-presubmits.yaml is excluded by !ci-operator/jobs/**
📒 Files selected for processing (22)
  • ci-operator/config/openshift/aws-account-operator/openshift-aws-account-operator-master.yaml
  • ci-operator/config/openshift/cloud-ingress-operator/openshift-cloud-ingress-operator-master.yaml
  • ci-operator/config/openshift/configure-alertmanager-operator/openshift-configure-alertmanager-operator-master.yaml
  • ci-operator/config/openshift/custom-domains-operator/openshift-custom-domains-operator-master.yaml
  • ci-operator/config/openshift/deadmanssnitch-operator/openshift-deadmanssnitch-operator-master.yaml
  • ci-operator/config/openshift/gcp-project-operator/openshift-gcp-project-operator-master.yaml
  • ci-operator/config/openshift/managed-velero-operator/openshift-managed-velero-operator-master.yaml
  • ci-operator/config/openshift/must-gather-operator/openshift-must-gather-operator-master.yaml
  • ci-operator/config/openshift/pagerduty-operator/openshift-pagerduty-operator-master.yaml
  • ci-operator/config/openshift/splunk-forwarder-operator/openshift-splunk-forwarder-operator-master.yaml
  • core-services/prow/02_config/openshift/aws-account-operator/_prowconfig.yaml
  • core-services/prow/02_config/openshift/cloud-ingress-operator/_prowconfig.yaml
  • core-services/prow/02_config/openshift/configure-alertmanager-operator/_prowconfig.yaml
  • core-services/prow/02_config/openshift/custom-domains-operator/_prowconfig.yaml
  • core-services/prow/02_config/openshift/deadmanssnitch-operator/_prowconfig.yaml
  • core-services/prow/02_config/openshift/gcp-project-operator/_prowconfig.yaml
  • core-services/prow/02_config/openshift/managed-cluster-validating-webhooks/_prowconfig.yaml
  • core-services/prow/02_config/openshift/managed-velero-operator/_prowconfig.yaml
  • core-services/prow/02_config/openshift/must-gather-operator/_prowconfig.yaml
  • core-services/prow/02_config/openshift/osd-cluster-ready/_prowconfig.yaml
  • core-services/prow/02_config/openshift/pagerduty-operator/_prowconfig.yaml
  • core-services/prow/02_config/openshift/splunk-forwarder-operator/_prowconfig.yaml
💤 Files with no reviewable changes (10)
  • ci-operator/config/openshift/must-gather-operator/openshift-must-gather-operator-master.yaml
  • ci-operator/config/openshift/managed-velero-operator/openshift-managed-velero-operator-master.yaml
  • ci-operator/config/openshift/splunk-forwarder-operator/openshift-splunk-forwarder-operator-master.yaml
  • ci-operator/config/openshift/pagerduty-operator/openshift-pagerduty-operator-master.yaml
  • ci-operator/config/openshift/deadmanssnitch-operator/openshift-deadmanssnitch-operator-master.yaml
  • ci-operator/config/openshift/aws-account-operator/openshift-aws-account-operator-master.yaml
  • ci-operator/config/openshift/cloud-ingress-operator/openshift-cloud-ingress-operator-master.yaml
  • ci-operator/config/openshift/custom-domains-operator/openshift-custom-domains-operator-master.yaml
  • ci-operator/config/openshift/gcp-project-operator/openshift-gcp-project-operator-master.yaml
  • ci-operator/config/openshift/configure-alertmanager-operator/openshift-configure-alertmanager-operator-master.yaml
✅ Files skipped from review due to trivial changes (1)
  • core-services/prow/02_config/openshift/managed-velero-operator/_prowconfig.yaml
🚧 Files skipped from review as they are similar to previous changes (1)
  • core-services/prow/02_config/openshift/cloud-ingress-operator/_prowconfig.yaml

@dustman9000 dustman9000 force-pushed the sre-operator-branch-protection branch 2 times, most recently from 7f1384c to db5860d Compare July 2, 2026 17:40
@dustman9000

/retest config

openshift-ci Bot commented Jul 2, 2026

@dustman9000: The /retest command does not accept any targets.
The following commands are available to trigger required jobs:

/test boskos-config
/test boskos-config-generation
/test check-gh-automation
/test check-gh-automation-tide
/test check-trigger-trusted-apps
/test ci-operator-config
/test ci-operator-config-metadata
/test ci-operator-registry
/test ci-secret-bootstrap-config-validation
/test ci-testgrid-allow-list
/test cluster-manifest-verifier
/test clusterimageset-validate
/test config
/test core-valid
/test generated-config
/test generated-dashboards
/test hyperfleet-risk-scorer-test
/test image-mirroring-config-validation
/test jira-lifecycle-config
/test labels
/test openshift-image-mirror-mappings
/test ordered-prow-config
/test owners
/test pr-reminder-config
/test prow-config
/test prow-config-filenames
/test prow-config-semantics
/test pylint
/test release-config
/test release-controller-config
/test rover-groups-config-validation
/test secret-generator-config-valid
/test services-valid
/test stackrox-stackrox-stackrox-stackrox-check
/test step-registry-metadata
/test step-registry-shellcheck
/test sync-rover-groups
/test verified-config
/test yamllint

The following commands are available to trigger optional jobs:

/test check-cluster-profiles-config

Use /test all to run the following jobs that were automatically triggered:

pull-ci-openshift-release-check-gh-automation
pull-ci-openshift-release-check-gh-automation-tide
pull-ci-openshift-release-check-trigger-trusted-apps
pull-ci-openshift-release-main-boskos-config-generation
pull-ci-openshift-release-main-ci-operator-config
pull-ci-openshift-release-main-ci-operator-config-metadata
pull-ci-openshift-release-main-ci-operator-registry
pull-ci-openshift-release-main-config
pull-ci-openshift-release-main-core-valid
pull-ci-openshift-release-main-generated-config
pull-ci-openshift-release-main-ordered-prow-config
pull-ci-openshift-release-main-owners
pull-ci-openshift-release-main-prow-config
pull-ci-openshift-release-main-prow-config-filenames
pull-ci-openshift-release-main-prow-config-semantics
pull-ci-openshift-release-main-release-controller-config
pull-ci-openshift-release-openshift-image-mirror-mappings
pull-ci-openshift-release-yamllint

Several SRE operator repos only required ci/prow/images in branch
protection, allowing PRs to merge with failing lint, test, coverage,
and validate checks. Discovered when Dependabot auto-merge merged
cloud-ingress-operator PRs openshift#505-openshift#511 with 3 failing checks.

Three changes per repo:
1. Remove skip_if_only_changed/run_if_changed from CI configs so
   all tests become always_run
2. Add all non-optional checks to required_status_checks in
   branch protection prowconfigs
3. Replace required-if-present-contexts in _config.yaml with
   skip-unknown-contexts (matching rbac-permissions-operator
   pattern) to avoid checkconfig conflict

Repos updated (12):
- cloud-ingress-operator
- configure-alertmanager-operator
- custom-domains-operator (new branch-protection)
- deadmanssnitch-operator
- splunk-forwarder-operator (new branch-protection)
- must-gather-operator (new branch-protection)
- aws-account-operator
- gcp-project-operator
- managed-velero-operator
- managed-cluster-validating-webhooks
- osd-cluster-ready
- pagerduty-operator
@dustman9000 dustman9000 force-pushed the sre-operator-branch-protection branch from db5860d to dee7a28 Compare July 2, 2026 17:55
@openshift-merge-bot

[REHEARSALNOTIFIER]
@dustman9000: the pj-rehearse plugin accommodates running rehearsal tests for the changes in this PR. Expand 'Interacting with pj-rehearse' for usage details. The following rehearsable tests have been affected by this change:

| Test name | Repo | Type | Reason |
| --- | --- | --- | --- |
| pull-ci-openshift-splunk-forwarder-operator-master-coverage | openshift/splunk-forwarder-operator | presubmit | Presubmit changed |
| pull-ci-openshift-splunk-forwarder-operator-master-e2e-binary-build-success | openshift/splunk-forwarder-operator | presubmit | Presubmit changed |
| pull-ci-openshift-splunk-forwarder-operator-master-lint | openshift/splunk-forwarder-operator | presubmit | Presubmit changed |
| pull-ci-openshift-splunk-forwarder-operator-master-test | openshift/splunk-forwarder-operator | presubmit | Presubmit changed |
| pull-ci-openshift-splunk-forwarder-operator-master-validate | openshift/splunk-forwarder-operator | presubmit | Presubmit changed |
| pull-ci-openshift-custom-domains-operator-master-coverage | openshift/custom-domains-operator | presubmit | Presubmit changed |
| pull-ci-openshift-custom-domains-operator-master-e2e-binary-build-success | openshift/custom-domains-operator | presubmit | Presubmit changed |
| pull-ci-openshift-custom-domains-operator-master-lint | openshift/custom-domains-operator | presubmit | Presubmit changed |
| pull-ci-openshift-custom-domains-operator-master-test | openshift/custom-domains-operator | presubmit | Presubmit changed |
| pull-ci-openshift-custom-domains-operator-master-validate | openshift/custom-domains-operator | presubmit | Presubmit changed |
| pull-ci-openshift-gcp-project-operator-master-coverage | openshift/gcp-project-operator | presubmit | Presubmit changed |
| pull-ci-openshift-gcp-project-operator-master-lint | openshift/gcp-project-operator | presubmit | Presubmit changed |
| pull-ci-openshift-gcp-project-operator-master-test | openshift/gcp-project-operator | presubmit | Presubmit changed |
| pull-ci-openshift-gcp-project-operator-master-validate | openshift/gcp-project-operator | presubmit | Presubmit changed |
| pull-ci-openshift-must-gather-operator-master-coverage | openshift/must-gather-operator | presubmit | Presubmit changed |
| pull-ci-openshift-must-gather-operator-master-lint | openshift/must-gather-operator | presubmit | Presubmit changed |
| pull-ci-openshift-must-gather-operator-master-test | openshift/must-gather-operator | presubmit | Presubmit changed |
| pull-ci-openshift-must-gather-operator-master-validate-boilerplate | openshift/must-gather-operator | presubmit | Presubmit changed |
| pull-ci-openshift-managed-cluster-validating-webhooks-master-e2e-binary-build-success | openshift/managed-cluster-validating-webhooks | presubmit | Presubmit changed |
| pull-ci-openshift-cloud-ingress-operator-master-coverage | openshift/cloud-ingress-operator | presubmit | Presubmit changed |
| pull-ci-openshift-cloud-ingress-operator-master-e2e-binary-build-success | openshift/cloud-ingress-operator | presubmit | Presubmit changed |
| pull-ci-openshift-cloud-ingress-operator-master-lint | openshift/cloud-ingress-operator | presubmit | Presubmit changed |
| pull-ci-openshift-cloud-ingress-operator-master-test | openshift/cloud-ingress-operator | presubmit | Presubmit changed |
| pull-ci-openshift-cloud-ingress-operator-master-validate | openshift/cloud-ingress-operator | presubmit | Presubmit changed |
| pull-ci-openshift-configure-alertmanager-operator-master-coverage | openshift/configure-alertmanager-operator | presubmit | Presubmit changed |

A total of 49 jobs have been affected by this change. The above listing is non-exhaustive and limited to 25 jobs.

A full list of affected jobs can be found here

Interacting with pj-rehearse

Comment: /pj-rehearse to run up to 5 rehearsals
Comment: /pj-rehearse skip to opt-out of rehearsals
Comment: /pj-rehearse {test-name}, with each test separated by a space, to run one or more specific rehearsals
Comment: /pj-rehearse more to run up to 10 rehearsals
Comment: /pj-rehearse max to run up to 25 rehearsals
Comment: /pj-rehearse auto-ack to run up to 5 rehearsals, and add the rehearsals-ack label on success
Comment: /pj-rehearse list to get an up-to-date list of affected jobs
Comment: /pj-rehearse abort to abort all active rehearsals
Comment: /pj-rehearse network-access-allowed to allow rehearsals of tests that have the restrict_network_access field set to false. This must be executed by an openshift org member who is not the PR author

Once you are satisfied with the results of the rehearsals, comment: /pj-rehearse ack to unblock merge. When the rehearsals-ack label is present on your PR, merge will no longer be blocked by rehearsals.
If you would like the rehearsals-ack label removed, comment: /pj-rehearse reject to re-block merging.

@dustman9000

/hold cancel

@openshift-ci openshift-ci Bot removed the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Jul 2, 2026
@dustman9000

Member Author

/pj-rehearse ack

@openshift-merge-bot

Contributor

@dustman9000: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

@openshift-merge-bot openshift-merge-bot Bot added the rehearsals-ack label (Signifies that rehearsal jobs have been acknowledged) Jul 2, 2026
@joshbranham

Contributor

/lgtm
/approve

@openshift-ci openshift-ci Bot added the lgtm label (Indicates that a PR is ready to be merged.) Jul 2, 2026
@hector-vido

Contributor

/lgtm

@openshift-ci openshift-ci Bot added the approved label (Indicates a PR has been approved by an approver from all required OWNERS files.) Jul 2, 2026
@hector-vido

Contributor

/approve

@openshift-ci

openshift-ci Bot commented Jul 2, 2026

Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: dustman9000, hector-vido, joshbranham

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-merge-bot openshift-merge-bot Bot merged commit 53c2439 into openshift:main Jul 2, 2026
20 checks passed
@openshift-ci

openshift-ci Bot commented Jul 2, 2026

Contributor

@dustman9000: Updated the following 2 configmaps:

  • config configmap in namespace ci at cluster app.ci using the following files:
    • key config.yaml using file core-services/prow/02_config/_config.yaml
    • key core-services-prow-02_config-openshift-aws-account-operator-_prowconfig.yaml using file core-services/prow/02_config/openshift/aws-account-operator/_prowconfig.yaml
    • key core-services-prow-02_config-openshift-cloud-ingress-operator-_prowconfig.yaml using file core-services/prow/02_config/openshift/cloud-ingress-operator/_prowconfig.yaml
    • key core-services-prow-02_config-openshift-configure-alertmanager-operator-_prowconfig.yaml using file core-services/prow/02_config/openshift/configure-alertmanager-operator/_prowconfig.yaml
    • key core-services-prow-02_config-openshift-custom-domains-operator-_prowconfig.yaml using file core-services/prow/02_config/openshift/custom-domains-operator/_prowconfig.yaml
    • key core-services-prow-02_config-openshift-deadmanssnitch-operator-_prowconfig.yaml using file core-services/prow/02_config/openshift/deadmanssnitch-operator/_prowconfig.yaml
    • key core-services-prow-02_config-openshift-gcp-project-operator-_prowconfig.yaml using file core-services/prow/02_config/openshift/gcp-project-operator/_prowconfig.yaml
    • key core-services-prow-02_config-openshift-managed-cluster-validating-webhooks-_prowconfig.yaml using file core-services/prow/02_config/openshift/managed-cluster-validating-webhooks/_prowconfig.yaml
    • key core-services-prow-02_config-openshift-managed-velero-operator-_prowconfig.yaml using file core-services/prow/02_config/openshift/managed-velero-operator/_prowconfig.yaml
    • key core-services-prow-02_config-openshift-must-gather-operator-_prowconfig.yaml using file core-services/prow/02_config/openshift/must-gather-operator/_prowconfig.yaml
    • key core-services-prow-02_config-openshift-osd-cluster-ready-_prowconfig.yaml using file core-services/prow/02_config/openshift/osd-cluster-ready/_prowconfig.yaml
    • key core-services-prow-02_config-openshift-pagerduty-operator-_prowconfig.yaml using file core-services/prow/02_config/openshift/pagerduty-operator/_prowconfig.yaml
    • key core-services-prow-02_config-openshift-splunk-forwarder-operator-_prowconfig.yaml using file core-services/prow/02_config/openshift/splunk-forwarder-operator/_prowconfig.yaml
  • config configmap in namespace ci at cluster core-ci using the following files:
    • key config.yaml using file core-services/prow/02_config/_config.yaml
    • key core-services-prow-02_config-openshift-aws-account-operator-_prowconfig.yaml using file core-services/prow/02_config/openshift/aws-account-operator/_prowconfig.yaml
    • key core-services-prow-02_config-openshift-cloud-ingress-operator-_prowconfig.yaml using file core-services/prow/02_config/openshift/cloud-ingress-operator/_prowconfig.yaml
    • key core-services-prow-02_config-openshift-configure-alertmanager-operator-_prowconfig.yaml using file core-services/prow/02_config/openshift/configure-alertmanager-operator/_prowconfig.yaml
    • key core-services-prow-02_config-openshift-custom-domains-operator-_prowconfig.yaml using file core-services/prow/02_config/openshift/custom-domains-operator/_prowconfig.yaml
    • key core-services-prow-02_config-openshift-deadmanssnitch-operator-_prowconfig.yaml using file core-services/prow/02_config/openshift/deadmanssnitch-operator/_prowconfig.yaml
    • key core-services-prow-02_config-openshift-gcp-project-operator-_prowconfig.yaml using file core-services/prow/02_config/openshift/gcp-project-operator/_prowconfig.yaml
    • key core-services-prow-02_config-openshift-managed-cluster-validating-webhooks-_prowconfig.yaml using file core-services/prow/02_config/openshift/managed-cluster-validating-webhooks/_prowconfig.yaml
    • key core-services-prow-02_config-openshift-managed-velero-operator-_prowconfig.yaml using file core-services/prow/02_config/openshift/managed-velero-operator/_prowconfig.yaml
    • key core-services-prow-02_config-openshift-must-gather-operator-_prowconfig.yaml using file core-services/prow/02_config/openshift/must-gather-operator/_prowconfig.yaml
    • key core-services-prow-02_config-openshift-osd-cluster-ready-_prowconfig.yaml using file core-services/prow/02_config/openshift/osd-cluster-ready/_prowconfig.yaml
    • key core-services-prow-02_config-openshift-pagerduty-operator-_prowconfig.yaml using file core-services/prow/02_config/openshift/pagerduty-operator/_prowconfig.yaml
    • key core-services-prow-02_config-openshift-splunk-forwarder-operator-_prowconfig.yaml using file core-services/prow/02_config/openshift/splunk-forwarder-operator/_prowconfig.yaml

In response to this:

Summary

Several SRE operator repos only required ci/prow/images in branch protection, allowing PRs to merge with failing lint, test, coverage, and validate checks. Discovered when Dependabot auto-merge merged cloud-ingress-operator PRs #505-#511 with 3 failing checks.

Three changes per repo:

  1. Remove skip_if_only_changed and run_if_changed from CI configs so all tests become always_run. Trade-off: tests now run on docs-only PRs (sub-2-minute cost).

  2. Add all non-optional Prow checks to required_status_checks in branch protection prowconfigs. Branchprotector syncs these to GitHub every 6 hours.

  3. Replace required-if-present-contexts with skip-unknown-contexts in _config.yaml Tide context options (matching the rbac-permissions-operator pattern). This resolves the checkconfig --strict conflict where contexts can't be both required and required-if-present.

Repos updated (12):

Repo                                 Branch Protection Checks Added
cloud-ingress-operator               coverage, e2e-binary-build-success, lint, test, validate
configure-alertmanager-operator      coverage, e2e-binary-build-success, lint, test, validate
deadmanssnitch-operator              coverage, lint, test, validate
pagerduty-operator                   coverage, lint, test, validate
aws-account-operator                 coverage, lint, prek, test, validate
gcp-project-operator                 coverage, lint, test, validate
managed-velero-operator              lint, test, validate
osd-cluster-ready                    lint, test
managed-cluster-validating-webhooks  e2e-binary-build-success, pr-check
custom-domains-operator              new section (all checks)
splunk-forwarder-operator            new section (all checks)
must-gather-operator                 new section (all checks)

Test plan

  • ci/prow/config validation passes
  • Rehearsal jobs pass (pj-rehearse)
  • Verify branch protection applied after branchprotector sync

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.
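
The gap this PR closes, as an added example (not code from the PR, Prow, or openshift/release): a small audit that compares a repo's non-optional presubmit contexts with the contexts listed under required_status_checks. The job entries, the skip pattern and the finding labels are constructed assumptions; only the ci/prow/<check> contexts and the check names come from the PR summary.

```python
# Constructed sample data (not copied from openshift/release): the shape follows
# Prow presubmit fields and a branch-protection required_status_checks list.
CHECKS = ["images", "coverage", "e2e-binary-build-success", "lint", "test", "validate"]


def make_presubmits(conditional=()):
    """Build presubmit entries; checks named in `conditional` get skip_if_only_changed."""
    jobs = []
    for check in CHECKS:
        job = {
            "name": f"pull-ci-openshift-cloud-ingress-operator-master-{check}",
            "context": f"ci/prow/{check}",
            "always_run": check not in conditional,
            "optional": False,
        }
        if check in conditional:
            job["skip_if_only_changed"] = r"^docs/|\.md$"  # hypothetical pattern
        jobs.append(job)
    return jobs


def audit(presubmits, required_contexts):
    """Return (context, finding) pairs for gaps between jobs and branch protection."""
    required = set(required_contexts)
    findings = []
    for job in presubmits:
        if job.get("optional"):
            continue  # optional jobs are not meant to gate merges
        conditional = bool(job.get("run_if_changed") or job.get("skip_if_only_changed"))
        if job["context"] not in required:
            # The job runs and reports, but a red result does not stop the merge.
            findings.append((job["context"], "failure-does-not-block-merge"))
        elif conditional:
            # Required, yet the status is not reported on every PR.
            findings.append((job["context"], "required-but-not-always-reported"))
    reported = {job["context"] for job in presubmits}
    findings += [(ctx, "required-but-no-job") for ctx in sorted(required - reported)]
    return findings


# Before: only ci/prow/images is required. After: every non-optional check is
# required and the conditional triggers are gone.
BEFORE = audit(make_presubmits(conditional=("test",)), ["ci/prow/images"])
AFTER = audit(make_presubmits(), [f"ci/prow/{c}" for c in CHECKS])

if __name__ == "__main__":
    for label, result in (("before", BEFORE), ("after", AFTER)):
        print(label, result or "no gaps")
```

Running the same comparison against the live GitHub branch protection settings after a branchprotector sync covers the last item of the test plan.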


Labels

  • approved: Indicates a PR has been approved by an approver from all required OWNERS files.
  • lgtm: Indicates that a PR is ready to be merged.
  • rehearsals-ack: Signifies that rehearsal jobs have been acknowledged

3 participants