Skip to content

rosa-745: branch protection for openshift-online/ocm-cli#81434

Open
MitaliBhalla wants to merge 1 commit into
openshift:mainfrom
MitaliBhalla:rosa-745-ocm-cli-branch-protection
Open

rosa-745: branch protection for openshift-online/ocm-cli#81434
MitaliBhalla wants to merge 1 commit into
openshift:mainfrom
MitaliBhalla:rosa-745-ocm-cli-branch-protection

Conversation

@MitaliBhalla

@MitaliBhalla MitaliBhalla commented Jul 3, 2026

Copy link
Copy Markdown
Contributor

Summary

ROSA-745 — enable Tide-gated dependency automerge for openshift-online/ocm-cli, following the openshift/release#81412 pattern so no checks are left out.

Branch protection (_prowconfig.yaml) — all non-optional checks on main:

  • Red Hat Konflux / ocm-cli-on-pull-request
  • Red Hat Konflux / ocm-cli-enterprise-contract / ocm-cli
  • ci/prow/images-images (always-run Prow images build)
  • Lint, Test (ubuntu-latest), Test (macos-latest), Test (windows-latest) (GHA)

Pairs with openshift-online/ocm-cli#1122 (MintMaker renovate.json + Dependabot Tide labels).

Test plan

Summary by CodeRabbit

This updates OpenShift CI Prow configuration for openshift-online/ocm-cli by enabling branch protection on main. The main branch is now marked as protected and Tide auto-merge is gated until the required status checks succeed—Konflux (ocm-cli-on-pull-request and ocm-cli-enterprise-contract), Prow images (ci/prow/images-images), lint, and GitHub Actions tests on ubuntu-latest, macos-latest, and windows-latest.

This ensures dependency update PRs referenced by Tide only merge once the full set of CI verification checks is green.

@openshift-ci-robot openshift-ci-robot added the jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. label Jul 3, 2026
@openshift-ci-robot

openshift-ci-robot commented Jul 3, 2026

Copy link
Copy Markdown
Contributor

@MitaliBhalla: This pull request references rosa-745 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the initiative to target the "5.0.0" version, but no target version was set.

Details

In response to this:

Summary

ROSA-745 — enable Tide-gated dependency automerge for openshift-online/ocm-cli.

Adds Prow branch protection on main with required contexts so Tide merges labeled PRs only after:

  • Red Hat Konflux / ocm-cli-on-pull-request
  • Lint
  • Test (ubuntu-latest), Test (macos-latest), Test (windows-latest)

Pairs with openshift-online/ocm-cli#1122 (MintMaker renovate.json + Dependabot Tide labels).

Test plan

  • After merge: main shows required checks from this config
  • Labeled dependency PR with green Konflux + GHA merges via Tide

Made with Cursor

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@coderabbitai

coderabbitai Bot commented Jul 3, 2026

Copy link
Copy Markdown
Contributor

Walkthrough

Adds branch protection for openshift-online/ocm-cli on main and requires Konflux, Prow image, lint, and OS-specific test status checks before merge.

Changes

Branch Protection Configuration

Layer / File(s) Summary
Add required checks for ocm-cli main
core-services/prow/02_config/openshift-online/ocm-cli/_prowconfig.yaml
Adds branch-protection with protect: true for main and sets required status-check contexts for Konflux, Prow images, lint, and Ubuntu, macOS, and Windows tests.

Estimated code review effort: 1 (Trivial) | ~3 minutes

Possibly related PRs

  • openshift/release#81412: Also updates _prowconfig.yaml branch-protection required status checks for a repository.

Suggested labels: lgtm

Suggested reviewers: bear-redhat, Prucek, deepsm007

🚥 Pre-merge checks | ✅ 15
✅ Passed checks (15 passed)
Check name Status Explanation
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names ✅ Passed Only a branch-protection YAML changed; no Ginkgo test definitions or titles were added or modified.
Test Structure And Quality ✅ Passed Only _prowconfig.yaml changed; no Ginkgo test code or test patterns to review for this check.
Microshift Test Compatibility ✅ Passed Only _prowconfig.yaml changed; no Ginkgo test code or APIs were added, so MicroShift compatibility is not applicable.
Single Node Openshift (Sno) Test Compatibility ✅ Passed PR only adds branch-protection YAML; no Ginkgo e2e tests or SNO-sensitive code changed, so the check is not applicable.
Topology-Aware Scheduling Compatibility ✅ Passed Only branch-protection/Tide config changed; no deployment manifests, operators, or controllers were modified, so no topology-aware scheduling risk is introduced.
Ote Binary Stdout Contract ✅ Passed PR only adds branch-protection YAML; no process-level code or stdout-writing entrypoint changes are present.
Ipv6 And Disconnected Network Test Compatibility ✅ Passed Only a prow branch-protection YAML changed; no Ginkgo e2e tests or network-sensitive code were added.
No-Weak-Crypto ✅ Passed The only change is branch-protection YAML; it adds required checks and contains no weak crypto, custom crypto, or secret comparisons.
Container-Privileges ✅ Passed PR only edits prow branch-protection in _prowconfig.yaml; no container/K8s manifests or privilege flags were added.
No-Sensitive-Data-In-Logs ✅ Passed The only changed file is a Prow config; it lists branch-protection/Tide checks and contains no passwords, tokens, PII, hostnames, or other sensitive data.
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title is concise and accurately describes the main change: adding branch protection for openshift-online/ocm-cli.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Comment @coderabbitai help to get the list of available commands.

@MitaliBhalla MitaliBhalla force-pushed the rosa-745-ocm-cli-branch-protection branch from a1c563f to 5ab7dc9 Compare July 3, 2026 09:12
@openshift-merge-bot openshift-merge-bot Bot added the rehearsals-ack Signifies that rehearsal jobs have been acknowledged label Jul 3, 2026
@MitaliBhalla MitaliBhalla force-pushed the rosa-745-ocm-cli-branch-protection branch 2 times, most recently from c8c335c to ab55eb1 Compare July 3, 2026 09:19
@openshift-ci

openshift-ci Bot commented Jul 3, 2026

Copy link
Copy Markdown
Contributor

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: MitaliBhalla
Once this PR has been reviewed and has the lgtm label, please assign miguelhbrito for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

Require all non-optional checks on main: both Konflux pipelines
(enterprise-contract and on-pull-request), ci/prow/images-images, and
GHA Test/Lint so Tide merges dependency PRs only after CI is green.

Follows openshift#81412 pattern.

Co-authored-by: Cursor <cursoragent@cursor.com>
@MitaliBhalla MitaliBhalla force-pushed the rosa-745-ocm-cli-branch-protection branch from ab55eb1 to ba76de8 Compare July 3, 2026 09:21
@openshift-merge-bot

Copy link
Copy Markdown
Contributor

[REHEARSALNOTIFIER]
@MitaliBhalla: no rehearsable tests are affected by this change

Note: If this PR includes changes to step registry files (ci-operator/step-registry/) and you expected jobs to be found, try rebasing your PR onto the base branch. This helps pj-rehearse accurately detect changes when the base branch has moved forward.

Interacting with pj-rehearse

Comment: /pj-rehearse to run up to 5 rehearsals
Comment: /pj-rehearse skip to opt-out of rehearsals
Comment: /pj-rehearse {test-name}, with each test separated by a space, to run one or more specific rehearsals
Comment: /pj-rehearse more to run up to 10 rehearsals
Comment: /pj-rehearse max to run up to 25 rehearsals
Comment: /pj-rehearse auto-ack to run up to 5 rehearsals, and add the rehearsals-ack label on success
Comment: /pj-rehearse list to get an up-to-date list of affected jobs
Comment: /pj-rehearse abort to abort all active rehearsals
Comment: /pj-rehearse network-access-allowed to allow rehearsals of tests that have the restrict_network_access field set to false. This must be executed by an openshift org member who is not the PR author

Once you are satisfied with the results of the rehearsals, comment: /pj-rehearse ack to unblock merge. When the rehearsals-ack label is present on your PR, merge will no longer be blocked by rehearsals.
If you would like the rehearsals-ack label removed, comment: /pj-rehearse reject to re-block merging.

1 similar comment
@openshift-merge-bot

Copy link
Copy Markdown
Contributor

[REHEARSALNOTIFIER]
@MitaliBhalla: no rehearsable tests are affected by this change

Note: If this PR includes changes to step registry files (ci-operator/step-registry/) and you expected jobs to be found, try rebasing your PR onto the base branch. This helps pj-rehearse accurately detect changes when the base branch has moved forward.

Interacting with pj-rehearse

Comment: /pj-rehearse to run up to 5 rehearsals
Comment: /pj-rehearse skip to opt-out of rehearsals
Comment: /pj-rehearse {test-name}, with each test separated by a space, to run one or more specific rehearsals
Comment: /pj-rehearse more to run up to 10 rehearsals
Comment: /pj-rehearse max to run up to 25 rehearsals
Comment: /pj-rehearse auto-ack to run up to 5 rehearsals, and add the rehearsals-ack label on success
Comment: /pj-rehearse list to get an up-to-date list of affected jobs
Comment: /pj-rehearse abort to abort all active rehearsals
Comment: /pj-rehearse network-access-allowed to allow rehearsals of tests that have the restrict_network_access field set to false. This must be executed by an openshift org member who is not the PR author

Once you are satisfied with the results of the rehearsals, comment: /pj-rehearse ack to unblock merge. When the rehearsals-ack label is present on your PR, merge will no longer be blocked by rehearsals.
If you would like the rehearsals-ack label removed, comment: /pj-rehearse reject to re-block merging.

@openshift-ci

openshift-ci Bot commented Jul 3, 2026

Copy link
Copy Markdown
Contributor

@MitaliBhalla: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. rehearsals-ack Signifies that rehearsal jobs have been acknowledged

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants