Skip to content

updated fedramp specific template#678

Closed
fsferraz-rh wants to merge 3 commits into
openshift:masterfrom
fsferraz-rh:update-fedramp-specific-template
Closed

updated fedramp specific template#678
fsferraz-rh wants to merge 3 commits into
openshift:masterfrom
fsferraz-rh:update-fedramp-specific-template

Conversation

@fsferraz-rh

@fsferraz-rh fsferraz-rh commented Jul 7, 2026

Copy link
Copy Markdown
Contributor

What type of PR is this?

feature

What this PR does / why we need it?

updates the fedramp specific pko template

Which Jira/Github issue(s) this PR fixes?

ROSAENG-61397

Summary by CodeRabbit

  • Chores
    • Updated the deployment package template to remove FedRAMP-specific private-link/VPC endpoint configuration and associated selector synchronization content.
    • Updated code ownership mappings, including revised approvers and expanded/changed team alias membership.
    • Added a Tekton PipelineRun to validate pull request documentation and quality gates (file presence, required sections, Codecov target threshold, required pre-commit hooks, and minimum content checks).

@coderabbitai

coderabbitai Bot commented Jul 7, 2026

Copy link
Copy Markdown

Walkthrough

The PR removes fedramp template parameters and VpcEndpoint objects, updates OWNERS mappings, and adds a Tekton PipelineRun that validates pull-request files and content.

Changes

Fedramp template cleanup

Layer / File(s) Summary
Template parameters removed
hack/pko/clusterpackage.fedramp.yaml
CHANNEL and the OCM VPC endpoint inputs are removed from the Template parameters list.
Fedramp SelectorSyncSets removed
hack/pko/clusterpackage.fedramp.yaml
The east and west SelectorSyncSet objects for VpcEndpoint resources are deleted from the Template.

OWNERS updates

Layer / File(s) Summary
Approvers updated
OWNERS
The approvers list removes two entries and adds rosa-staff-engineers.
Aliases updated
OWNERS_ALIASES
The alias file adds members to one team alias, removes one alias block, and replaces several alias groups with new groups and member lists.

Tekton pull-request validation

Layer / File(s) Summary
PipelineRun definition and checks
.tekton/managed-upgrade-operator-agentic-sdlc-check-pull-request.yaml
A new PipelineRun defines metadata, task sequencing, workspace bindings, and shell checks for required files, CLAUDE.md, .codecov.yml, pre-commit hooks, and documentation length.

Estimated code review effort: 3 (Moderate) | ~25 minutes

🚥 Pre-merge checks | ✅ 15
✅ Passed checks (15 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title is concise and accurately reflects the main FedRAMP template update in the PR.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names ✅ Passed No Ginkgo tests were added or modified; the PR only changes YAML/OWNERS/boilerplate files and contains no It/Describe/When titles.
Test Structure And Quality ✅ Passed PASS: The PR only changes YAML/boilerplate files; no Ginkgo test code was added or modified, so this check is not applicable.
Microshift Test Compatibility ✅ Passed No Go test files or new Ginkgo defs were added; the diff only changes YAML/OWNERS and shows no MicroShift-unsupported APIs/features.
Single Node Openshift (Sno) Test Compatibility ✅ Passed No new Ginkgo e2e tests were added; the PR only changes a Tekton PipelineRun and metadata files, with no It/Describe/Context/When or SNO-topology assumptions in the diff.
Topology-Aware Scheduling Compatibility ✅ Passed No deployment/operator scheduling changes were introduced; the only new manifest is a Tekton PipelineRun and it has no nodeSelector, affinity, spread, replica, or taint assumptions.
Ote Binary Stdout Contract ✅ Passed PR only changes YAML/OWNERS files; no OTE binary or suite-setup code was added that could write non-JSON stdout.
Ipv6 And Disconnected Network Test Compatibility ✅ Passed The PR adds no new Ginkgo e2e tests; the diff only changes YAML/boilerplate files and contains no It/Describe/Context/When test additions or network/IP assumptions.
No-Weak-Crypto ✅ Passed No MD5/SHA1/DES/RC4/3DES/Blowfish/ECB, custom crypto, or secret/token comparisons appear in the changed files; only SHA256 digests and benign comparisons.
Container-Privileges ✅ Passed No changed manifest adds privileged flags, host networking/PID/IPC, SYS_ADMIN, or allowPrivilegeEscalation; Dockerfiles set USER 1001.
No-Sensitive-Data-In-Logs ✅ Passed The new pipeline and update script only echo repo metadata and status; no passwords, tokens, PII, hostnames, or customer data are logged.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@openshift-ci openshift-ci Bot requested review from Tafhim and rbhilare July 7, 2026 19:49
@codecov-commenter

Copy link
Copy Markdown

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 54.33%. Comparing base (512fbce) to head (a4be63e).

Additional details and impacted files

Impacted file tree graph

@@           Coverage Diff           @@
##           master     #678   +/-   ##
=======================================
  Coverage   54.33%   54.33%           
=======================================
  Files         123      123           
  Lines        6212     6212           
=======================================
  Hits         3375     3375           
  Misses       2631     2631           
  Partials      206      206           
🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

@fsferraz-rh

Copy link
Copy Markdown
Contributor Author

/retest-required

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🧹 Nitpick comments (2)
.tekton/managed-upgrade-operator-agentic-sdlc-check-pull-request.yaml (2)

11-12: 📐 Maintainability & Code Quality | 🔵 Trivial | 💤 Low value

CEL expression relies on implicit YAML plain-scalar folding.

The multi-line plain scalar folds the newline into a space, producing the correct event == "pull_request" && target_branch == "master". However, this is fragile — a future editor may not realize the line break is significant. Consider putting the expression on a single line or using a quoted string for clarity.

♻️ Single-line CEL expression
-    pipelinesascode.tekton.dev/on-cel-expression: event == "pull_request" && target_branch
-      == "master"
+    pipelinesascode.tekton.dev/on-cel-expression: "event == \"pull_request\" && target_branch == \"master\""
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.tekton/managed-upgrade-operator-agentic-sdlc-check-pull-request.yaml around
lines 11 - 12, The CEL trigger expression for
pipelinesascode.tekton.dev/on-cel-expression is relying on YAML plain-scalar
folding across two lines, which is fragile. Update the expression in the Tekton
config to use a single line or a quoted string so the full condition remains
explicit and easy to maintain, and verify the value still matches the existing
pull_request and target_branch checks.

51-51: 📐 Maintainability & Code Quality | 🔵 Trivial | 💤 Low value

Consider a lighter image for file-checking tasks.

Both check-file-existence and check-content-validation use the git-clone image. While it works (the image has a shell), it's semantically misleading and pulls a heavier image than needed for simple file/grep operations. A minimal image like alpine or busybox would be clearer and reduce attack surface. This is optional since the image is likely already cached from the clone step.

Also applies to: 102-102

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.tekton/managed-upgrade-operator-agentic-sdlc-check-pull-request.yaml at
line 51, The file-checking tasks are using the git-clone image, which is heavier
and semantically misleading for simple existence/content checks. Update the
image used by check-file-existence and check-content-validation in the Tekton
pipeline to a minimal shell-capable image such as alpine or busybox, keeping the
task behavior the same while making the purpose clearer and reducing footprint.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.tekton/managed-upgrade-operator-agentic-sdlc-check-pull-request.yaml:
- Line 44: The `clone-repository` task’s `basic-auth` workspace binding does not
match the pipeline workspace name, which will break Tekton resolution. Update
the workspace reference in the `clone-repository` task and the pipeline
workspace declaration so they use the exact same name, specifically aligning the
`workspace` binding with `git-auth` across the affected YAML. Check the
`clone-repository` task definition and the pipeline workspace section together
to ensure the names are identical.

---

Nitpick comments:
In @.tekton/managed-upgrade-operator-agentic-sdlc-check-pull-request.yaml:
- Around line 11-12: The CEL trigger expression for
pipelinesascode.tekton.dev/on-cel-expression is relying on YAML plain-scalar
folding across two lines, which is fragile. Update the expression in the Tekton
config to use a single line or a quoted string so the full condition remains
explicit and easy to maintain, and verify the value still matches the existing
pull_request and target_branch checks.
- Line 51: The file-checking tasks are using the git-clone image, which is
heavier and semantically misleading for simple existence/content checks. Update
the image used by check-file-existence and check-content-validation in the
Tekton pipeline to a minimal shell-capable image such as alpine or busybox,
keeping the task behavior the same while making the purpose clearer and reducing
footprint.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: de211f49-8954-4c46-b0e2-196f3810b7b0

📥 Commits

Reviewing files that changed from the base of the PR and between 6fecc18 and d6b020e.

⛔ Files ignored due to path filters (3)
  • boilerplate/_data/last-boilerplate-commit is excluded by !boilerplate/**
  • boilerplate/openshift/golang-osd-e2e/OWNERS is excluded by !boilerplate/**
  • boilerplate/openshift/golang-osd-operator/update is excluded by !boilerplate/**
📒 Files selected for processing (1)
  • .tekton/managed-upgrade-operator-agentic-sdlc-check-pull-request.yaml

- name: output
workspace: workspace
- name: basic-auth
workspace: git-auth

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🩺 Stability & Availability | 🔴 Critical | ⚡ Quick win

Workspace name mismatch will cause PipelineRun failure.

The clone-repository task binds its basic-auth workspace to pipeline workspace git_auth (underscore) at Line 44, but the pipeline declares the workspace as git-auth (hyphen) at Line 210. Tekton requires exact name matching — this mismatch will cause the PipelineRun to fail validation or at runtime when the workspace cannot be resolved.

🔧 Fix: align workspace name to `git-auth`
           - name: basic-auth
-            workspace: git_auth
+            workspace: git-auth

Also applies to: 210-210

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.tekton/managed-upgrade-operator-agentic-sdlc-check-pull-request.yaml at
line 44, The `clone-repository` task’s `basic-auth` workspace binding does not
match the pipeline workspace name, which will break Tekton resolution. Update
the workspace reference in the `clone-repository` task and the pipeline
workspace declaration so they use the exact same name, specifically aligning the
`workspace` binding with `git-auth` across the affected YAML. Check the
`clone-repository` task definition and the pipeline workspace section together
to ensure the names are identical.

@openshift-ci

openshift-ci Bot commented Jul 8, 2026

Copy link
Copy Markdown
Contributor

@fsferraz-rh: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

@tkong-redhat

Copy link
Copy Markdown
Contributor

/lgtm

@openshift-ci openshift-ci Bot added the lgtm Indicates that a PR is ready to be merged. label Jul 8, 2026
@openshift-ci

openshift-ci Bot commented Jul 8, 2026

Copy link
Copy Markdown
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: fsferraz-rh, tkong-redhat

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci openshift-ci Bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Jul 8, 2026
@fsferraz-rh

Copy link
Copy Markdown
Contributor Author

/retest-required

@fsferraz-rh fsferraz-rh closed this Jul 9, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

approved Indicates a PR has been approved by an approver from all required OWNERS files. lgtm Indicates that a PR is ready to be merged.

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants