[DPTP-5001] feat(prpqr-reconciler): inject credentials and hide jobs for openshift-priv PRs #5287
smith-xyz wants to merge 7 commits into
[APPROVALNOTIFIER] This PR is NOT APPROVED
This pull-request has been approved by: smith-xyz
Pull request overview
Adds special handling for PRPQR runs targeting openshift-priv repositories so that resulting ProwJobs are hidden in Deck and have GitHub credentials injected for private repo access, plus a config-resolution fallback in the payload-testing prow plugin.
Changes:
- Hide PRPQR-generated ProwJobs (including aggregator jobs) when any PR under test is in `openshift-priv`.
- Inject GitHub OAuth token secret + `--oauth-token-path` into ProwJobs for `openshift-priv` PRs.
- Add a new PRPQR reconciler test case + fixtures for the `openshift-priv` behavior; add `openshift-priv` → `openshift` ci-operator config fallback in the payload-testing plugin.
Reviewed changes
Copilot reviewed 5 out of 5 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| pkg/controller/prpqr_reconciler/prpqr_reconciler.go | Implements openshift-priv detection; sets Hidden and injects GitHub token/decoration config. |
| pkg/controller/prpqr_reconciler/prpqr_reconciler_test.go | Adds a reconciler test case for openshift-priv PR behavior. |
| pkg/controller/prpqr_reconciler/testdata/zz_fixture_prpqr_TestReconcile_openshift_priv_PR_sets_hidden_and_injects_credentials.yaml | Golden fixture for expected PRPQR object state for openshift-priv. |
| pkg/controller/prpqr_reconciler/testdata/zz_fixture_prowjobs_TestReconcile_openshift_priv_PR_sets_hidden_and_injects_credentials.yaml | Golden fixture for expected ProwJob output (hidden + oauth secret + token arg). |
| cmd/payload-testing-prow-plugin/server.go | Adds fallback to resolve ci-operator config from openshift when org is openshift-priv and config lookup fails. |
🧹 Nitpick comments (2)
pkg/controller/prpqr_reconciler/prpqr_reconciler_test.go (1)
259-273: 📐 Maintainability & Code Quality | 🔵 Trivial | ⚡ Quick win
Cover the aggregated private-PR path too.
This case only exercises the non-aggregated `generateProwjob` flow, so the new `aggregatorJob.Spec.Hidden = true` branch in `pkg/controller/prpqr_reconciler/prpqr_reconciler.go` still has no regression coverage. Please add an `AggregatedCount > 0` case and assert that the generated aggregator ProwJob is hidden.
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@pkg/controller/prpqr_reconciler/prpqr_reconciler_test.go` around lines 259 - 273, Add regression coverage for the aggregated private-PR path in the prpqr_reconciler_test case named “openshift-priv PR sets hidden and injects credentials”: this scenario currently only exercises generateProwjob, so it does not validate the aggregator path in prpqr_reconciler.go. Extend the test with an AggregatedCount > 0 setup and assert that the generated aggregator ProwJob has Spec.Hidden set to true, using the existing prpqr reconciler flow and aggregator job creation symbols to locate the right branch.
cmd/payload-testing-prow-plugin/server.go (1)
431-435: 📐 Maintainability & Code Quality | 🔵 Trivial | ⚡ Quick win
Add a regression test for the `openshift-priv` fallback path.
This new branch changes behavior in a CLI entrypoint, but there’s no accompanying `server_test.go` coverage in this PR context. A small table-driven case that makes the first lookup fail and asserts the retry against `openshift` would keep this from regressing silently. As per path instructions, “Prefer table-driven tests.”
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@cmd/payload-testing-prow-plugin/server.go` around lines 431 - 435, Add a regression test in server_test.go for the openshift-priv fallback path: make the initial s.ciOpConfigResolver.Config call fail when Metadata.Org is openshift-priv, then assert the code retries with Org set to openshift and logs the fallback behavior. Use a small table-driven case around the ciOpConfigResolver.Config call and the openshift-priv branch in server.go so this retry path is covered and won’t regress silently.
Source: Path instructions
🧹 Nitpick comments (3)
cmd/payload-testing-prow-plugin/server.go (2)
888-895: 📐 Maintainability & Code Quality | 🔵 Trivial | 💤 Low value
Function takes 5 parameters.
`resolveCIOpConfig(resolver ciOpConfigResolver, org, repo, branch string, logger *logrus.Entry)` exceeds the 3-4 parameter guidance; consider grouping `org, repo, branch` into `api.Metadata` directly (which is what's constructed internally anyway) to shrink the signature.
As per path instructions, "Keep function signatures small — if a function takes more than 3-4 parameters, consider grouping them into an options struct."
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@cmd/payload-testing-prow-plugin/server.go` around lines 888 - 895, The resolveCIOpConfig function has too many parameters; replace the separate org, repo, and branch arguments with a single api.Metadata input so the signature stays small. Update the fallback logic inside resolveCIOpConfig to read from that metadata object when calling resolver.Config, and adjust any callers accordingly so the logger and ciOpConfigResolver usage remain unchanged.
Source: Path instructions
882-895: 🩺 Stability & Availability | 🔵 Trivial | 🏗️ Heavy lift
Fragile 404 detection via error-string substring match.
`isConfigResolverNotFound` matches on `err.Error()` containing `"got unexpected http 404 status code from configresolver"`, a literal string owned by `pkg/registry/server/client.go`. Any wording/format change there (or wrapping that reformats the message) silently breaks the openshift-priv fallback with no compile-time signal — the code will just stop falling back, and no test in a different package would catch it. Idiomatic Go favors a sentinel/typed error exposed by the configresolver client that callers can check with `errors.Is`/`errors.As` instead of string matching.
♻️ Suggested direction
-func isConfigResolverNotFound(err error) bool { - return err != nil && strings.Contains(err.Error(), "got unexpected http 404 status code from configresolver") -} +// isConfigResolverNotFound reports whether err represents a 404 from the +// configresolver client. Prefer errors.Is/As against a sentinel exported by +// pkg/registry/server/client.go if one exists, rather than matching on the +// error message text.Please confirm whether
`pkg/registry/server/client.go` (or another shared package) already exposes a typed/sentinel error for a 404 response that this could use instead of string matching.
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@cmd/payload-testing-prow-plugin/server.go` around lines 882 - 895, The 404 fallback in resolveCIOpConfig is relying on a fragile err.Error() substring match in isConfigResolverNotFound, so switch it to a shared sentinel or typed error from the configresolver client if one already exists. Check pkg/registry/server/client.go (or another common package) for an exported 404 error and update resolveCIOpConfig to use errors.Is or errors.As instead of string matching. If no shared error exists, add one at the client boundary and make the fallback path in isConfigResolverNotFound consume that exported error.
cmd/payload-testing-prow-plugin/server_test.go (1)
1354-1370: 📐 Maintainability & Code Quality | 🔵 Trivial | 💤 Low value
Duplicate test double alongside `fakeCIOpConfigResolver`.
`recordingCIOpConfigResolver.Config` largely repeats `fakeCIOpConfigResolver.Config` (lines 1342-1352) — same "openshift org → promoted config, else empty config" branching — just adding call recording and per-org error injection. Consider extending `fakeCIOpConfigResolver` with these fields instead of maintaining two near-identical fakes.
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@cmd/payload-testing-prow-plugin/server_test.go` around lines 1354 - 1370, The test double in recordingCIOpConfigResolver duplicates the same Config behavior already implemented by fakeCIOpConfigResolver, so refactor the existing fake to support call recording and per-org error injection instead of keeping two near-identical resolvers. Update the Config method on fakeCIOpConfigResolver to preserve its current openshift-vs-empty config behavior while also tracking requested metadata and returning org-specific errors, then remove the redundant recordingCIOpConfigResolver implementation and switch the affected tests to use the enhanced fake.
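Review bot: in the suggested diff for `isConfigResolverNotFound` above (server.go, around lines 882 - 895), the removed lines are the whole function and the added lines are only a doc comment, so applied as shown the call in `resolveCIOpConfig` would no longer compile. Keep the function and change only its body to an `errors.Is`/`errors.As` check against the exported error once one exists, with the new comment placed above it.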
| func resolveCIOpConfig(resolver ciOpConfigResolver, org, repo, branch string, logger *logrus.Entry) (*api.ReleaseBuildConfiguration, error) { | ||
| ciOpConfig, err := resolver.Config(&api.Metadata{Org: org, Repo: repo, Branch: branch}) | ||
| if err != nil && org == openShiftPrivOrg && isConfigResolverNotFound(err) { |
I don't see how the resolution and the fallback are related to what you need to introduce in this PR.
Yeah, looking at this again, I was missing some bigger context where metadata already existed, so all these fallbacks aren't necessary. Reshaped the PR with a cleaner approach, I hope.
| func resolveCIOpConfig(resolver ciOpConfigResolver, org, repo, branch string, logger *logrus.Entry) (*api.ReleaseBuildConfiguration, error) { | ||
| ciOpConfig, err := resolver.Config(&api.Metadata{Org: org, Repo: repo, Branch: branch}) | ||
| if err != nil && org == openShiftPrivOrg && isConfigResolverNotFound(err) { | ||
| logger.WithField("fallback", "openshift").Info("falling back to openshift org config for openshift-priv repo") |
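Review bot: the log call on the last line records only `fallback=openshift` and does not include `err`, so once the branch at `if err != nil && org == openShiftPrivOrg && isConfigResolverNotFound(err)` fires, a run that used the `openshift` config for an `openshift-priv` repo cannot be traced back to the lookup that failed. If the fallback stays, attach the error and the repo and branch to the entry (for example `logger.WithError(err)` plus `repo` and `branch` fields, unless `logger` already carries them), and add a doc comment on `resolveCIOpConfig` stating why substituting the other org's config is acceptable.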
The fallback is wrong. There are dedicated configurations for the openshift private. Consider them as different repos.
I don't think that this is the right approach and it seems like a hack/workaround. The plugin should already know if the repo is private or not, which is not directly related to openshift private. Also, the decoration config, which needs to be different on private repos, is only related to Prow and not ci-operator.
Actionable comments posted: 1
🧹 Nitpick comments (1)
pkg/controller/prpqr_reconciler/prpqr_reconciler_test.go (1)
586-588: 📐 Maintainability & Code Quality | 🔵 Trivial | 💤 Low value
Consider exact org match instead of substring.
`strings.Contains(base.Org, "openshift-priv")` would also match orgs merely containing that substring (e.g. `"not-openshift-priv"`). Since this only fakes resolver behavior for tests, low risk, but an exact equality/prefix check is more precise and matches how `openshift-priv` org detection is generally understood.
♻️ Proposed tweak
- if strings.Contains(base.Org, "openshift-priv") { + if base.Org == "openshift-priv" { cfg.Prowgen = &api.ProwgenOverrides{Private: true} }🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@pkg/controller/prpqr_reconciler/prpqr_reconciler_test.go` around lines 586 - 588, The private-org test setup in prpqr_reconciler_test.go uses a substring check that can match unrelated org names, so tighten the condition in the test helper around base.Org and cfg.Prowgen. Replace the strings.Contains("openshift-priv") check with an exact org match or a stricter prefix/equality check that only marks the intended openshift-priv org as private.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@pkg/controller/prpqr_reconciler/prpqr_reconciler.go`:
- Around line 328-330: The aggregator job hiding logic in PRPQR reconciliation
is missing the same private/expose condition used by prowgen job generation,
causing inconsistent visibility for configs that set both flags. Update the
aggregator job path in the PRPQR reconciler to mirror the `jobbase.go` contract
by checking both `Prowgen.Private` and `Prowgen.Expose` before setting
`aggregatorJob.Spec.Hidden`, using the same `ciopConfig.Prowgen` fields and
related aggregator job setup code.
| } | ||
| continue | ||
| } | ||
| if ciopConfig.Prowgen != nil && ciopConfig.Prowgen.Private && !ciopConfig.Prowgen.Expose { |
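Review bot: the condition `ciopConfig.Prowgen != nil && ciopConfig.Prowgen.Private && !ciopConfig.Prowgen.Expose` fails open: a config with no `prowgen` stanza, or one where `private` was never set, skips this branch, so the private-repo handling depends on an optional field being filled in correctly. For a visibility control, prefer a signal that is always present on the object being reconciled and treat an unknown state as private; if this check stays, add a comment on this line explaining why `Expose` overrides `Private`.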
The prowgen stanza in the ci-operator config is not being used anywhere but only from prowgen. The controller doesn't care about it. If you make the check here, which makes sense, we will just have another dependency of a configuration that is being used by a specific tool only. When the plugin receives the github comment event, it should know if it's private or not. Perhaps it would be better to pass that information through the prpqr resource.
🧹 Nitpick comments (1)
cmd/payload-testing-prow-plugin/server_test.go (1)
674-756: 🔒 Security & Privacy | 🔵 Trivial | ⚡ Quick win
Missing test coverage for additional-PR privacy detection.
Tests cover privacy detection via the primary triggering PR, but the branch that sets `builder.private = true` from an additional PR's repo visibility (server.go lines 557-559) has no test exercising it — e.g., a `/payload-with-prs` / `/payload-aggregate-with-prs` case where the primary repo is public but an additional PR (like the existing `privatePR` at id 456) is private. Since this flag drives credential injection and job hiding downstream, it's worth covering explicitly.
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@cmd/payload-testing-prow-plugin/server_test.go` around lines 674 - 756, Add a test in TestHandle that exercises the additional-PR privacy path in server.Handle: use a public primary PR plus an extra PR entry with a private repo (the existing privatePR in the fakegithub client), then trigger a /payload-with-prs or /payload-aggregate-with-prs request so the code in server.go that sets builder.private from additional PRs is hit. Assert the resulting behavior/flag reflects private=true, ensuring the additional PR visibility branch is covered.
Adds cred injection for prpqr usage in openshift-priv repositories
This update teaches the PR payload qualification flow to recognize private repositories and handle them like CI needs to for OpenShift private repos.
In practice, `payload-testing-prow-plugin` now marks a PRPQR as private when any participating repository is private, and the `prpqr-reconciler` uses that signal to inject GitHub credentials and hide the generated ProwJobs. That applies to both regular and aggregated jobs, so private PR processing can run without exposing those jobs publicly.
The API/CRD was extended with a new `spec.private` flag to carry this state through the PRPQR object, and tests were added to cover private-repo behavior end to end.
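The propagation described above, sketched as an added Go example; it is not code from this PR or from ci-tools. The types, the `VisibilityLookup` function, the secret name and the token path are hypothetical stand-ins, and two choices are assumptions of the example: a failed visibility lookup aborts the run instead of defaulting to public, and the aggregator job is hidden without receiving the token.

```go
package main

import "fmt"

// Simplified stand-ins for this example; not the ci-tools or Prow types.
type PullRequest struct {
	Org, Repo string
	Number    int
}

type RunSpec struct {
	PullRequests    []PullRequest
	AggregatedCount int
	Private         bool // plays the role of the spec.private flag
}

type Job struct {
	Name    string
	Hidden  bool
	Secrets []string
	Args    []string
}

// Placeholder values (assumptions), not names used by the project.
const (
	tokenSecret = "github-token-secret-placeholder"
	tokenPath   = "/placeholder/github/oauth"
)

// VisibilityLookup stands in for the repository visibility query.
type VisibilityLookup func(org, repo string) (private bool, err error)

// BuildRunSpec is the plugin side: one private participant marks the whole
// run private. A failed lookup aborts instead of defaulting to public.
func BuildRunSpec(prs []PullRequest, aggregated int, isPrivate VisibilityLookup) (RunSpec, error) {
	spec := RunSpec{PullRequests: prs, AggregatedCount: aggregated}
	for _, pr := range prs {
		private, err := isPrivate(pr.Org, pr.Repo)
		if err != nil {
			return RunSpec{}, fmt.Errorf("visibility of %s/%s unknown: %w", pr.Org, pr.Repo, err)
		}
		spec.Private = spec.Private || private
	}
	return spec, nil
}

// GenerateJobs is the reconciler side: it reads only spec.Private.
func GenerateJobs(spec RunSpec, tests []string) []Job {
	var jobs []Job
	for _, name := range tests {
		job := Job{Name: name, Hidden: spec.Private}
		if spec.Private {
			job.Secrets = append(job.Secrets, tokenSecret)
			job.Args = append(job.Args, "--oauth-token-path="+tokenPath)
		}
		jobs = append(jobs, job)
		if spec.AggregatedCount > 0 {
			// Assumption: the aggregator is hidden but gets no token.
			jobs = append(jobs, Job{Name: "aggregator-" + name, Hidden: spec.Private})
		}
	}
	return jobs
}

func main() {
	// Constructed sample: a public primary PR plus a private additional PR.
	lookup := func(org, repo string) (bool, error) { return org == "openshift-priv", nil }
	prs := []PullRequest{{"openshift", "example", 1}, {"openshift-priv", "example", 2}}
	spec, err := BuildRunSpec(prs, 2, lookup)
	if err != nil {
		panic(err)
	}
	for _, j := range GenerateJobs(spec, []string{"e2e-example"}) {
		fmt.Printf("%s hidden=%v secrets=%v args=%v\n", j.Name, j.Hidden, j.Secrets, j.Args)
	}
}
```

Because the reconciler side reads a single boolean carried on the run object, the public-primary-plus-private-additional-PR case raised in the review is covered by the same code path as a private primary PR.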