updated fedramp specific template#678
Conversation
WalkthroughThe PR removes fedramp template parameters and VpcEndpoint objects, updates OWNERS mappings, and adds a Tekton PipelineRun that validates pull-request files and content. ChangesFedramp template cleanup
OWNERS updates
Tekton pull-request validation
Estimated code review effort: 3 (Moderate) | ~25 minutes 🚥 Pre-merge checks | ✅ 15✅ Passed checks (15 passed)
✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
Codecov Report✅ All modified and coverable lines are covered by tests. Additional details and impacted files@@ Coverage Diff @@
## master #678 +/- ##
=======================================
Coverage 54.33% 54.33%
=======================================
Files 123 123
Lines 6212 6212
=======================================
Hits 3375 3375
Misses 2631 2631
Partials 206 206 🚀 New features to boost your workflow:
|
|
/retest-required |
There was a problem hiding this comment.
Actionable comments posted: 1
🧹 Nitpick comments (2)
.tekton/managed-upgrade-operator-agentic-sdlc-check-pull-request.yaml (2)
11-12: 📐 Maintainability & Code Quality | 🔵 Trivial | 💤 Low valueCEL expression relies on implicit YAML plain-scalar folding.
The multi-line plain scalar folds the newline into a space, producing the correct
event == "pull_request" && target_branch == "master". However, this is fragile — a future editor may not realize the line break is significant. Consider putting the expression on a single line or using a quoted string for clarity.♻️ Single-line CEL expression
- pipelinesascode.tekton.dev/on-cel-expression: event == "pull_request" && target_branch - == "master" + pipelinesascode.tekton.dev/on-cel-expression: "event == \"pull_request\" && target_branch == \"master\""🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In @.tekton/managed-upgrade-operator-agentic-sdlc-check-pull-request.yaml around lines 11 - 12, The CEL trigger expression for pipelinesascode.tekton.dev/on-cel-expression is relying on YAML plain-scalar folding across two lines, which is fragile. Update the expression in the Tekton config to use a single line or a quoted string so the full condition remains explicit and easy to maintain, and verify the value still matches the existing pull_request and target_branch checks.
51-51: 📐 Maintainability & Code Quality | 🔵 Trivial | 💤 Low valueConsider a lighter image for file-checking tasks.
Both
check-file-existenceandcheck-content-validationuse thegit-cloneimage. While it works (the image has a shell), it's semantically misleading and pulls a heavier image than needed for simple file/grep operations. A minimal image likealpineorbusyboxwould be clearer and reduce attack surface. This is optional since the image is likely already cached from the clone step.Also applies to: 102-102
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In @.tekton/managed-upgrade-operator-agentic-sdlc-check-pull-request.yaml at line 51, The file-checking tasks are using the git-clone image, which is heavier and semantically misleading for simple existence/content checks. Update the image used by check-file-existence and check-content-validation in the Tekton pipeline to a minimal shell-capable image such as alpine or busybox, keeping the task behavior the same while making the purpose clearer and reducing footprint.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In @.tekton/managed-upgrade-operator-agentic-sdlc-check-pull-request.yaml:
- Line 44: The `clone-repository` task’s `basic-auth` workspace binding does not
match the pipeline workspace name, which will break Tekton resolution. Update
the workspace reference in the `clone-repository` task and the pipeline
workspace declaration so they use the exact same name, specifically aligning the
`workspace` binding with `git-auth` across the affected YAML. Check the
`clone-repository` task definition and the pipeline workspace section together
to ensure the names are identical.
---
Nitpick comments:
In @.tekton/managed-upgrade-operator-agentic-sdlc-check-pull-request.yaml:
- Around line 11-12: The CEL trigger expression for
pipelinesascode.tekton.dev/on-cel-expression is relying on YAML plain-scalar
folding across two lines, which is fragile. Update the expression in the Tekton
config to use a single line or a quoted string so the full condition remains
explicit and easy to maintain, and verify the value still matches the existing
pull_request and target_branch checks.
- Line 51: The file-checking tasks are using the git-clone image, which is
heavier and semantically misleading for simple existence/content checks. Update
the image used by check-file-existence and check-content-validation in the
Tekton pipeline to a minimal shell-capable image such as alpine or busybox,
keeping the task behavior the same while making the purpose clearer and reducing
footprint.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Repository YAML (base), Central YAML (inherited)
Review profile: CHILL
Plan: Enterprise
Run ID: de211f49-8954-4c46-b0e2-196f3810b7b0
⛔ Files ignored due to path filters (3)
boilerplate/_data/last-boilerplate-commitis excluded by!boilerplate/**boilerplate/openshift/golang-osd-e2e/OWNERSis excluded by!boilerplate/**boilerplate/openshift/golang-osd-operator/updateis excluded by!boilerplate/**
📒 Files selected for processing (1)
.tekton/managed-upgrade-operator-agentic-sdlc-check-pull-request.yaml
| - name: output | ||
| workspace: workspace | ||
| - name: basic-auth | ||
| workspace: git-auth |
There was a problem hiding this comment.
🩺 Stability & Availability | 🔴 Critical | ⚡ Quick win
Workspace name mismatch will cause PipelineRun failure.
The clone-repository task binds its basic-auth workspace to pipeline workspace git_auth (underscore) at Line 44, but the pipeline declares the workspace as git-auth (hyphen) at Line 210. Tekton requires exact name matching — this mismatch will cause the PipelineRun to fail validation or at runtime when the workspace cannot be resolved.
🔧 Fix: align workspace name to `git-auth`
- name: basic-auth
- workspace: git_auth
+ workspace: git-authAlso applies to: 210-210
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In @.tekton/managed-upgrade-operator-agentic-sdlc-check-pull-request.yaml at
line 44, The `clone-repository` task’s `basic-auth` workspace binding does not
match the pipeline workspace name, which will break Tekton resolution. Update
the workspace reference in the `clone-repository` task and the pipeline
workspace declaration so they use the exact same name, specifically aligning the
`workspace` binding with `git-auth` across the affected YAML. Check the
`clone-repository` task definition and the pipeline workspace section together
to ensure the names are identical.
|
@fsferraz-rh: all tests passed! Full PR test history. Your PR dashboard. DetailsInstructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here. |
|
/lgtm |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: fsferraz-rh, tkong-redhat The full list of commands accepted by this bot can be found here. The pull request process is described here DetailsNeeds approval from an approver in each of these files:
Approvers can indicate their approval by writing |
|
/retest-required |
What type of PR is this?
feature
What this PR does / why we need it?
updates the fedramp specific pko template
Which Jira/Github issue(s) this PR fixes?
ROSAENG-61397
Summary by CodeRabbit