Introduce executionEngine in CRD

[avasilevskii]

• Introduce executionEngine field in CRD
• Remove hardcoded forge resolver and use Tekton Pipeline Annotations to supply the forge image
• Adjust RBAC

Closes #62.

Summary by CodeRabbit

• New Features

  • Introduced a generic, pluggable execution engine model via spec.executionEngine with engine-specific config passthrough and a distinct Resolve/Execution Engine step.

• Documentation

  • Updated docs and examples to reflect execution-engine workflow, resolve-related settings, and updated examples/diagrams.

• Refactor

  • Nested engine configs under executionEngine and renamed resolve-image configuration to emphasize registry usage.

• Chores

  • Pipeline annotations and RBAC updated to supply and allow reading resolve-image metadata.

• Tests

  • Test payloads and descriptions updated to use executionEngine-based specs and generic resolution wording.

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign ashishkamra for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 0f839b04-e2bb-486f-8364-7be32f88586e

📥 Commits

Reviewing files that changed from the base of the PR and between a12a70a and 4b7abd0.

📒 Files selected for processing (5)

• config/forge/workflows/pipeline-full.yaml
• config/forge/workflows/pipeline-test-only.yaml
• config/fournos-validation/workflows/pipeline-validate-only.yaml
• fournos/handlers/lifecycle.py
• tests/forge/deploy/orchestration/deploy.py

✅ Files skipped from review due to trivial changes (4)

• fournos/handlers/lifecycle.py
• config/fournos-validation/workflows/pipeline-validate-only.yaml
• config/forge/workflows/pipeline-full.yaml
• config/forge/workflows/pipeline-test-only.yaml

---

📝 Walkthrough

Walkthrough

The PR generalizes the Forge-specific resolve flow into a pluggable executionEngine model: CRD/specs and sample YAMLs use spec.executionEngine, resolve images come from a Tekton Pipeline fournos.dev/resolve-image annotation, ResolveClient.create_job accepts an explicit image, Tekton client gained pipeline fetch, RBAC updated, and tests/docs adjusted.

Changes

Execution Engine / Resolve flow

Layer / File(s)	Summary
Data Shape / API Surface manifests/crd.yaml, config/.../samples/*, dev/*.yaml, tests/*	Top-level spec.forge → spec.executionEngine (engine-name keyed opaque config). Sample and test job manifests updated to nest forge under executionEngine. CRD now requires executionEngine and preserves unknown fields.
Core Implementation fournos/settings.py, fournos/core/resolve.py, fournos/core/tekton.py	Settings.resolve_image → Settings.resolve_image_registry. ResolveClient.create_job gains image: str and uses it for Job container image. TektonClient adds get_pipeline and constants TEKTON_PIPELINE_PLURAL / ANNOTATION_RESOLVE_IMAGE.
Wiring / Handler Logic fournos/handlers/resolving.py, config/forge/resolve_job.yaml, config/forge/workflows/tasks.yaml, config/.../workflows/pipeline-*.yaml, dev/mock-pipelines/*, Makefile	resolving.py fetches the Tekton Pipeline (from spec.pipeline), reads fournos.dev/resolve-image annotation, fails the patch if missing or on API error, and passes the resolved image to ctx.resolve.create_job(..., image=...). Resolve Job YAML and pipeline manifests updated; Makefile uses FOURNOS_RESOLVE_IMAGE_REGISTRY.
RBAC manifests/rbac/role_fournos.yaml, manifests/ocpci-sa/*	Added get permission for Tekton pipelines and expanded rules to include fournosjobs/status subresource.
Tests / Documentation tests/*, Fournos_Design_Document.md, README.md	All affected tests updated to use executionEngine.forge payloads and wording changed from “Forge” to generic “execution engine”/“resolution”. Design doc and README updated to describe resolve-image annotation, registry setting, and handler changes.

Sequence Diagram(s)

sequenceDiagram
  participant Operator
  participant TektonAPI as Tekton Pipeline API
  participant ResolveJob as K8s Job (Resolve)
  participant API as Fournos API / CRD

  Operator->>API: receives FournosJob (spec.pipeline, spec.executionEngine)
  Operator->>TektonAPI: get_pipeline(name from spec.pipeline)
  TektonAPI-->>Operator: Pipeline object (includes annotation)
  Operator->>Operator: read annotation `fournos.dev/resolve-image`
  Operator->>ResolveJob: create Job with container.image = annotation value
  ResolveJob-->>Operator: patches FournosJob (hardware, secretRefs)
  Operator->>API: update FournosJob status -> Resolved / proceed to scheduling

Loading

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Possibly related PRs

• Replace individual FORGE params with FJOB_NAME + FOURNOS_NAMESPACE #72 — overlaps on resolve-job creation and ResolveClient.create_job signature changes.
• Add Resolving Phase #55 — earlier work on resolving-phase implementation and resolve-job handling.
• Relocate the manifests and introduce FORGE job configuration #9 — prior changes to Forge pipeline and sample manifests touched by this PR.

Suggested labels

lgtm

Poem

🐰 Hop, hop — a spec freshly spun,
Forge unshackled, engines run.
Pipelines whisper the image name,
Resolve Jobs patch and stake their claim.
A rabbit cheers: modular is fun!

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately describes the main change: introducing an executionEngine field in the CRD to replace hardcoded FORGE configuration with a pluggable execution engine model.
Linked Issues check	✅ Passed	The PR successfully removes hardcoded FORGE resolver configuration by replacing the resolve_image field with resolve_image_registry, introducing executionEngine in the CRD, and sourcing the resolve image from Tekton Pipeline annotations instead of code.
Out of Scope Changes check	✅ Passed	All changes are directly related to the core objective of removing hardcoded FORGE resolver and introducing a pluggable executionEngine. RBAC updates support the new pipeline annotation mechanism, and all file updates consistently implement the execution engine abstraction.
Docstring Coverage	✅ Passed	Docstring coverage is 90.00% which is sufficient. The required threshold is 80.00%.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

Tip

💬 Introducing Slack Agent: The best way for teams to turn conversations into code.

Slack Agent is built on CodeRabbit's deep understanding of your code, so your team can collaborate across the entire SDLC without losing context.

• Generate code and open pull requests
• Plan features and break down work
• Investigate incidents and troubleshoot customer tickets together
• Automate recurring tasks and respond to alerts with triggers
• Summarize progress and report instantly

Built for teams:

• Shared memory across your entire org—no repeating context
• Per-thread sandboxes to safely plan and execute work
• Governance built-in—scoped access, auditability, and budget controls

One agent for your entire SDLC. Right inside Slack.

👉 Get started

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Review rate limit: 0/1 reviews remaining, refill in 60 minutes.}

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (3)

README.md (1)

79-81: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Documentation references outdated field paths.

The spec fields table still references spec.forge.project, spec.forge.args, and spec.forge.configOverrides, but the CRD now uses spec.executionEngineSpec.project, spec.executionEngineSpec.args, and spec.executionEngineSpec.configOverrides.

📝 Proposed fix

 | Field | Required | Description |
 |---|---|---|
-| `spec.forge.project` | yes | FORGE project path |
-| `spec.forge.args` | yes | List of arguments passed to FORGE |
-| `spec.forge.configOverrides` | no | Arbitrary YAML overrides passed to the test framework |
+| `spec.executionEngine` | yes | Execution engine to use (e.g. "forge") |
+| `spec.executionEngineSpec.resolveImage` | yes | Short image name for the resolve Job (e.g. "forge-core:main") |
+| `spec.executionEngineSpec.project` | yes | FORGE project path |
+| `spec.executionEngineSpec.args` | yes | List of arguments passed to FORGE |
+| `spec.executionEngineSpec.configOverrides` | no | Arbitrary YAML overrides passed to the test framework |

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@README.md` around lines 79 - 81, Update the README table to use the current
CRD field paths: replace references to spec.forge.project, spec.forge.args, and
spec.forge.configOverrides with spec.executionEngineSpec.project,
spec.executionEngineSpec.args, and spec.executionEngineSpec.configOverrides
respectively (ensure descriptions remain the same and YAML/markdown formatting
stays valid).

Fournos_Design_Document.md (1)

47-49: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Documentation references outdated field paths.

Similar to README.md, the spec table still references spec.forge.project, spec.forge.args, and spec.forge.configOverrides. These should be updated to reflect the new spec.executionEngineSpec.* paths.

📝 Proposed fix

 | Field                        | Required     | Description                                                                                      |
 | ---------------------------- | ------------ | ------------------------------------------------------------------------------------------------ |
-| `spec.forge.project`         | yes          | FORGE project path                                                                               |
-| `spec.forge.args`            | yes          | List of arguments passed to FORGE                                                                |
-| `spec.forge.configOverrides` | no           | Arbitrary YAML overrides passed to the test framework                                            |
+| `spec.executionEngine`       | yes          | Execution engine to use (e.g. "forge")                                                           |
+| `spec.executionEngineSpec.resolveImage` | yes | Short image name for the resolve Job (e.g. "forge-core:main")                                   |
+| `spec.executionEngineSpec.project` | yes     | FORGE project path                                                                               |
+| `spec.executionEngineSpec.args` | yes        | List of arguments passed to FORGE                                                                |
+| `spec.executionEngineSpec.configOverrides` | no | Arbitrary YAML overrides passed to the test framework                                          |

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@Fournos_Design_Document.md` around lines 47 - 49, Update the documentation
table entries that reference deprecated fields `spec.forge.project`,
`spec.forge.args`, and `spec.forge.configOverrides` to use the new
`spec.executionEngineSpec.*` paths (e.g., `spec.executionEngineSpec.project`,
`spec.executionEngineSpec.args`, `spec.executionEngineSpec.configOverrides`) and
adjust their descriptions if needed to match the new naming; ensure any other
mentions of `spec.forge.*` in Fournos_Design_Document.md are replaced with the
corresponding `spec.executionEngineSpec.*` identifiers so the doc and README are
consistent.

fournos/handlers/resolving.py (1)

95-95: ⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Multiple stale "Forge" strings in user-facing messages contradict the PR objective.

The PR goal is explicitly to remove hardcoded Forge references, but the following strings still embed them:

Line	Current string
3–4 (docstring)	"launching a Forge resolve Job"
95	"Resolving job requirements via Forge"
119	"Forge resolution failed: …"
135 (docstring)	"Forge populates spec.hardware when absent"
162	"spec.hardware not populated after Forge resolution"
170	"(Forge may not have populated spec.hardware)"
278	"Forge resolution complete"

✏️ Suggested replacements

-Covers the Resolving phase: launching a Forge resolve Job that patches
+Covers the Resolving phase: launching a resolve Job that patches

-    patch.status["message"] = "Resolving job requirements via Forge"
+    patch.status["message"] = "Resolving job requirements via execution engine"

-            f"Forge resolution failed: {message}",
+            f"Resolution failed: {message}",

-    Forge populates ``spec.hardware`` when absent.  The GPU type is
+    The execution engine populates ``spec.hardware`` when absent.  The GPU type is

-                "No hardware requirements: spec.hardware not populated "
-                "after Forge resolution",
+                "No hardware requirements: spec.hardware not populated "
+                "after resolution",

-            "Workload will only request cluster-slot resources "
-            "(Forge may not have populated spec.hardware)",
+            "Workload will only request cluster-slot resources "
+            "(execution engine may not have populated spec.hardware)",

-        "Forge resolution complete",
+        "Resolution complete",

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@fournos/handlers/resolving.py` at line 95, Several user-facing strings and
docstrings still hardcode "Forge" contrary to the PR goal; replace those
occurrences with a neutral term (e.g., "resolver", "resolution service", or
"resolution") so messages are generic. Specifically update the docstrings that
mention "launching a Forge resolve Job" and "Forge populates spec.hardware when
absent", change patch.status["message"] value ("Resolving job requirements via
Forge"), the error text thrown/logged ("Forge resolution failed: …" and
"spec.hardware not populated after Forge resolution" and "(Forge may not have
populated spec.hardware)"), and the completion message ("Forge resolution
complete") to use the neutral wording; ensure any tests or references that rely
on the old phrases are updated accordingly.

🧹 Nitpick comments (3)

manifests/ocpci-sa/role.yaml (1)

7-9: ⚡ Quick win

Split fournosjobs/status into its own rule with only applicable verbs.

fournosjobs/status is bundled with the parent resource, inheriting verbs (create, delete, list, watch) that the Kubernetes API server never honors on a /status subresource. This is an over-broad RBAC grant that violates least-privilege — auditing tools and policy scanners will flag it, even though the extra verbs are inert at runtime.

The operator's own role (manifests/rbac/role_fournos.yaml) avoids this pattern, using only get, list, watch, patch, update without mixing subresources and parent resources. Apply the same discipline here — determine whether the SA only reads status (get) or also writes it (patch/update), then split accordingly:

🔒 Proposed fix — separate the status subresource rule

-  - apiGroups: ["fournos.dev"]
-    resources: ["fournosjobs", "fournosjobs/status"]
-    verbs: ["create", "get", "list", "watch", "delete", "patch"]
+  - apiGroups: ["fournos.dev"]
+    resources: ["fournosjobs"]
+    verbs: ["create", "get", "list", "watch", "delete", "patch"]
+  - apiGroups: ["fournos.dev"]
+    resources: ["fournosjobs/status"]
+    verbs: ["get", "patch"]   # add "update" if PUT-based status writes are needed

The same fix should be applied to manifests/ocpci-sa/rbac-wip-ns.yaml Line 8.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@manifests/ocpci-sa/role.yaml` around lines 7 - 9, The RBAC rule currently
bundles "fournosjobs" and the subresource "fournosjobs/status" together granting
verbs like create/delete that don't apply to the /status subresource; split this
into two separate rules: one rule for the parent resource "fournosjobs" with
only the verbs the SA actually needs on the main resource (e.g.,
"create","get","list","watch","delete" if it needs them) and a separate rule for
"fournosjobs/status" that grants only applicable status verbs (e.g., "get" and,
if the SA must update status, "patch" and/or "update" — mirror the operator
pattern of "get","list","watch","patch","update" for status if writes are
needed). Apply the identical split/fixes to the other RBAC file that contains
the same combined entry for "fournosjobs/status".

manifests/crd.yaml (1)

86-89: 💤 Low value

Consider adding validation for executionEngine values.

The executionEngine field accepts any string, but currently only "forge" is a supported value. Consider adding an enum constraint to catch typos early and provide better UX.

This is optional since the execution engine validation could happen at runtime in the controller.

💡 Proposed schema constraint

 executionEngine:
   type: string
+  enum:
+    - forge
   description: >-
     Execution engine to use for this job (e.g. "forge").

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@manifests/crd.yaml` around lines 86 - 89, The CRD's executionEngine schema
currently allows any string; restrict it by adding an enum constraint on the
executionEngine property (the executionEngine field in the CRD schema) so only
supported values (e.g., "forge") are accepted, and update the description to
mention the allowed values; this will catch typos early and improve UX while the
controller can still perform runtime validation for additional engines.

fournos/core/resolve.py (1)

1-1: 💤 Low value

Stale module docstring.

"Resolve client — manages Forge resolve K8s Jobs." still references Forge specifically.

✏️ Suggested fix

-"""Resolve client — manages Forge resolve K8s Jobs."""
+"""Resolve client — manages execution-engine resolve K8s Jobs."""

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@fournos/core/resolve.py` at line 1, The module-level docstring in resolve.py
is stale (mentions "Forge"); update the top-of-file docstring to a generic,
accurate description such as "Resolve client — manages resolve Kubernetes Jobs"
or "Resolve client — manages K8s Jobs for content resolution", removing any
Forge-specific wording so the docstring accurately describes the Resolve client
module.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@fournos/handlers/resolving.py`:
- Around line 62-66: The code is calling .format() on the user-supplied
resolveImageRegistry and concatenating it directly with
engine_spec["resolveImage"], which causes KeyError on stray braces and malformed
image paths when the registry lacks a trailing slash. Replace the
.format(namespace=...) call with a targeted replace: substitute the literal
"{namespace}" token with settings.namespace (i.e. registry =
engine_spec.get("resolveImageRegistry",
settings.resolve_image_registry).replace("{namespace}", settings.namespace)).
Then normalize the separator before building resolve_image: ensure registry ends
with a single '/' (or that resolveImage does not start with '/'), adding a '/'
only when needed, and then set resolve_image = registry +
engine_spec["resolveImage"] so the final image path is well-formed.

---

Outside diff comments:
In `@Fournos_Design_Document.md`:
- Around line 47-49: Update the documentation table entries that reference
deprecated fields `spec.forge.project`, `spec.forge.args`, and
`spec.forge.configOverrides` to use the new `spec.executionEngineSpec.*` paths
(e.g., `spec.executionEngineSpec.project`, `spec.executionEngineSpec.args`,
`spec.executionEngineSpec.configOverrides`) and adjust their descriptions if
needed to match the new naming; ensure any other mentions of `spec.forge.*` in
Fournos_Design_Document.md are replaced with the corresponding
`spec.executionEngineSpec.*` identifiers so the doc and README are consistent.

In `@fournos/handlers/resolving.py`:
- Line 95: Several user-facing strings and docstrings still hardcode "Forge"
contrary to the PR goal; replace those occurrences with a neutral term (e.g.,
"resolver", "resolution service", or "resolution") so messages are generic.
Specifically update the docstrings that mention "launching a Forge resolve Job"
and "Forge populates spec.hardware when absent", change patch.status["message"]
value ("Resolving job requirements via Forge"), the error text thrown/logged
("Forge resolution failed: …" and "spec.hardware not populated after Forge
resolution" and "(Forge may not have populated spec.hardware)"), and the
completion message ("Forge resolution complete") to use the neutral wording;
ensure any tests or references that rely on the old phrases are updated
accordingly.

In `@README.md`:
- Around line 79-81: Update the README table to use the current CRD field paths:
replace references to spec.forge.project, spec.forge.args, and
spec.forge.configOverrides with spec.executionEngineSpec.project,
spec.executionEngineSpec.args, and spec.executionEngineSpec.configOverrides
respectively (ensure descriptions remain the same and YAML/markdown formatting
stays valid).

---

Nitpick comments:
In `@fournos/core/resolve.py`:
- Line 1: The module-level docstring in resolve.py is stale (mentions "Forge");
update the top-of-file docstring to a generic, accurate description such as
"Resolve client — manages resolve Kubernetes Jobs" or "Resolve client — manages
K8s Jobs for content resolution", removing any Forge-specific wording so the
docstring accurately describes the Resolve client module.

In `@manifests/crd.yaml`:
- Around line 86-89: The CRD's executionEngine schema currently allows any
string; restrict it by adding an enum constraint on the executionEngine property
(the executionEngine field in the CRD schema) so only supported values (e.g.,
"forge") are accepted, and update the description to mention the allowed values;
this will catch typos early and improve UX while the controller can still
perform runtime validation for additional engines.

In `@manifests/ocpci-sa/role.yaml`:
- Around line 7-9: The RBAC rule currently bundles "fournosjobs" and the
subresource "fournosjobs/status" together granting verbs like create/delete that
don't apply to the /status subresource; split this into two separate rules: one
rule for the parent resource "fournosjobs" with only the verbs the SA actually
needs on the main resource (e.g., "create","get","list","watch","delete" if it
needs them) and a separate rule for "fournosjobs/status" that grants only
applicable status verbs (e.g., "get" and, if the SA must update status, "patch"
and/or "update" — mirror the operator pattern of
"get","list","watch","patch","update" for status if writes are needed). Apply
the identical split/fixes to the other RBAC file that contains the same combined
entry for "fournosjobs/status".

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 252baf6c-26c9-46ea-85d9-95081813d4b2

📥 Commits

Reviewing files that changed from the base of the PR and between 3fb0fac and 1542041.

📒 Files selected for processing (23)

• Fournos_Design_Document.md
• Makefile
• README.md
• config/forge/resolve_job.yaml
• config/forge/samples/job-full.yaml
• config/forge/samples/job-test-only.yaml
• config/forge/workflows/tasks.yaml
• config/fournos-validation/samples/test-connectivity-job.yaml
• dev/job-secret-demo.yaml
• dev/sample-job.yaml
• fournos/core/resolve.py
• fournos/handlers/resolving.py
• fournos/settings.py
• manifests/crd.yaml
• manifests/ocpci-sa/rbac-wip-ns.yaml
• manifests/ocpci-sa/role.yaml
• tests/test_exclusive.py
• tests/test_lifecycle.py
• tests/test_resolving.py
• tests/test_scheduling.py
• tests/test_secret_refs.py
• tests/test_shutdown.py
• tests/test_validation.py

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@manifests/crd.yaml`:
- Around line 85-91: The CRD currently allows any or multiple engines under
spec.executionEngine which causes runtime failures when the resolver expects a
single "forge" engine; update the executionEngine schema to require exactly the
forge key and validate its contents by replacing
x-kubernetes-preserve-unknown-fields: true with explicit properties: add a
required property "forge" of type object, define inside it the required field
"project" (and its type, e.g. string), and set additionalProperties: false on
spec.executionEngine so no other engine keys are permitted—this enforces
single-engine cardinality and ensures .spec.executionEngine.forge.project is
present.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 8224d6b3-2205-4050-93d7-575ba5bdf443

📥 Commits

Reviewing files that changed from the base of the PR and between 1542041 and a12a70a.

📒 Files selected for processing (28)

• Fournos_Design_Document.md
• Makefile
• README.md
• config/forge/resolve_job.yaml
• config/forge/samples/job-full.yaml
• config/forge/samples/job-test-only.yaml
• config/forge/workflows/pipeline-full.yaml
• config/forge/workflows/pipeline-test-only.yaml
• config/forge/workflows/tasks.yaml
• config/fournos-validation/samples/test-connectivity-job.yaml
• config/fournos-validation/workflows/pipeline-validate-only.yaml
• dev/job-secret-demo.yaml
• dev/mock-pipelines/pipeline-full.yaml
• dev/mock-pipelines/pipeline-run-only.yaml
• dev/mock-pipelines/tasks.yaml
• dev/sample-job.yaml
• fournos/core/tekton.py
• fournos/handlers/resolving.py
• fournos/settings.py
• manifests/crd.yaml
• manifests/rbac/role_fournos.yaml
• tests/test_exclusive.py
• tests/test_lifecycle.py
• tests/test_resolving.py
• tests/test_scheduling.py
• tests/test_secret_refs.py
• tests/test_shutdown.py
• tests/test_validation.py

💤 Files with no reviewable changes (2)

• Makefile
• fournos/settings.py

✅ Files skipped from review due to trivial changes (3)

• config/forge/workflows/pipeline-test-only.yaml
• config/forge/workflows/pipeline-full.yaml
• dev/mock-pipelines/pipeline-full.yaml

🚧 Files skipped from review as they are similar to previous changes (5)

• config/forge/resolve_job.yaml
• config/forge/workflows/tasks.yaml
• tests/test_scheduling.py
• tests/test_shutdown.py
• tests/test_lifecycle.py

[kpouget]

/test ?

[kpouget]

/test deploy-fournos-wip

[kpouget]

/test deploy-fournos-wip

[kpouget]

/test deploy-fournos-wip

[kpouget]

/test deploy-fournos-wip

[psap-forge-bot]

🔴 Test of 'fournos_deploy --project-source' failed after 00 hours 00 minutes 00 seconds 🔴

• Link to the test results.

• No reports index generated...

Test configuration:

/test deploy-fournos-wip

• Failure indicator:

## /logs/artifacts/FAILURE 
--- 📍TypeError STACKTRACE ---
--- 📍init() got an unexpected keyword argument 'strict'

   Traceback (most recent call last):
     File "/app/forge/projects/core/library/ci.py", line 121, in wrapper
       return command_func(*args, **kwargs)
              ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
     File "/app/forge/projects/fournos_deploy/orchestration/ci.py", line 28, in main
       fournos_deploy.init()
     File "/app/forge/projects/fournos_deploy/orchestration/deploy.py", line 255, in init
       _setup_kubeconfig_from_vault()
     File "/app/forge/projects/fournos_deploy/orchestration/deploy.py", line 223, in _setup_kubeconfig_from_vault
       vault.init(vaults, strict=False)
   TypeError: init() got an unexpected keyword argument 'strict'

[...]

• Execution logs

[kpouget]

/test deploy-fournos-wip

[psap-forge-bot]

🔴 Test of 'fournos_deploy --project-source' failed after 00 hours 00 minutes 00 seconds 🔴

• Link to the test results.

• No reports index generated...

Test configuration:

/test deploy-fournos-wip

• Failure indicator:

## /logs/artifacts/FAILURE 
--- 📍RuntimeError STACKTRACE ---
--- 📍One or more vaults failed validation

   Traceback (most recent call last):
     File "/app/forge/projects/core/library/ci.py", line 121, in wrapper
       return command_func(*args, **kwargs)
              ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
     File "/app/forge/projects/fournos_deploy/orchestration/ci.py", line 28, in main
       fournos_deploy.init()
     File "/app/forge/projects/fournos_deploy/orchestration/deploy.py", line 255, in init
       _setup_kubeconfig_from_vault()
     File "/app/forge/projects/fournos_deploy/orchestration/deploy.py", line 223, in _setup_kubeconfig_from_vault
       vault.init(vaults)
     File "/app/forge/projects/core/library/vault.py", line 411, in init
       _filter_and_validate_vaults(_vault_manager, vaults)
     File "/app/forge/projects/core/library/vault.py", line 364, in _filter_and_validate_vaults
       raise RuntimeError(msg)
   RuntimeError: One or more vaults failed validation

[...]

• Execution logs

[kpouget]

/test deploy-fournos-wip

[psap-forge-bot]

🟢 Test of 'fournos_deploy --project-source' succeeded after 00 hours 13 minutes 07 seconds 🟢

• Link to the test results.

• No reports index generated...

Test configuration:

/test deploy-fournos-wip

• Execution logs

[kpouget]

tested in openshift-psap/forge#51 (comment)

thanks @avasilevskii ,
/lgtm