Prow onboarding for osd-fleet-manager #81135

Open
Chee-Lu wants to merge 1 commit into openshift:main from Chee-Lu:prow-onboarding-osd-fleet-manager

Chee-Lu commented Jun 26, 2026

Summary

Onboard openshift-online/osd-fleet-manager to OpenShift CI (Prow):

  • CI operator config (ci-operator/config/openshift-online/osd-fleet-manager/): Defines builds and tests using nested-podman for PostgreSQL-dependent unit and integration tests, with a custom golang-plus image
  • Prow plugin/Tide config (core-services/prow/02_config/openshift-online/osd-fleet-manager/): Standard plugin set, external plugins, Tide merge rules with squash merge
  • OWNERS files: Added to config, jobs, and prow config directories
  • Generated jobs: Presubmit jobs for lint, unit-test, integration-test, and images

Test plan

  • /pj-rehearse to run test rehearsals
  • Verify lint, unit-test, and integration-test jobs pass
  • /pj-rehearse ack after rehearsals pass

Onboard openshift-online/osd-fleet-manager to OpenShift CI (Prow):
- CI operator config with nested-podman for PostgreSQL-dependent tests
- Prow plugin and Tide merge configuration
- OWNERS files for config, jobs, and prow directories

Co-authored-by: Cursor <cursoragent@cursor.com>

openshift-ci Bot commented Jun 26, 2026

Contributor

Hi @Chee-Lu. Thanks for your PR.

I'm waiting for an openshift member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work.

Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

openshift-ci Bot added the needs-ok-to-test label (Indicates a PR that requires an org member to verify it is safe to test.) Jun 26, 2026

coderabbitai Bot commented Jun 26, 2026

Contributor

Walkthrough

Adds generated ownership files, Prow plugin and Tide configuration, and a new ci-operator job definition for openshift-online/osd-fleet-manager.

Changes

osd-fleet-manager onboarding

| Layer / File(s) | Summary |
|---|---|
| Generated OWNERS metadata: ci-operator/config/openshift-online/osd-fleet-manager/OWNERS, core-services/prow/02_config/openshift-online/osd-fleet-manager/OWNERS | Two autogenerated OWNERS files set approvers, reviewers, and empty options for the osd-fleet-manager config paths. |
| Prow plugins and Tide: core-services/prow/02_config/openshift-online/osd-fleet-manager/_pluginconfig.yaml, core-services/prow/02_config/openshift-online/osd-fleet-manager/_prowconfig.yaml | The repo plugin config adds self-approval settings, external plugin endpoints, built-in plugin enablement, and trusted trigger apps; the Tide config adds squash merges and label-based merge requirements. |
| ci-operator job config: ci-operator/config/openshift-online/osd-fleet-manager/openshift-online-osd-fleet-manager-main.yaml | A new ci-operator config defines the builder image, resource settings, and lint/unit/integration job command sequences for osd-fleet-manager. |

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Suggested labels

lgtm, approved, rehearsals-ack

Suggested reviewers

  • hector-vido
  • Prucek
🚥 Pre-merge checks | ✅ 15
✅ Passed checks (15 passed)
| Check name | Status | Explanation |
|---|---|---|
| Title check | ✅ Passed | The title clearly summarizes the main change: onboarding osd-fleet-manager to Prow/OpenShift CI. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Stable And Deterministic Test Names | ✅ Passed | No Ginkgo test files were added; the PR only changes CI/Prow config and OWNERS. The new job names are static (lint/unit-test/integration-test). |
| Test Structure And Quality | ✅ Passed | PR only adds CI/Prow config and OWNERS files; no Ginkgo test code changed, so the test-structure checklist is not applicable. |
| Microshift Test Compatibility | ✅ Passed | No new Ginkgo e2e tests were added; the PR only changes CI/Prow/OWNERS YAML, so nothing MicroShift-specific to flag. |
| Single Node Openshift (Sno) Test Compatibility | ✅ Passed | PASS: The PR only adds CI/Prow YAML and OWNERS files; no new Ginkgo e2e tests or multi-node assumptions were introduced. |
| Topology-Aware Scheduling Compatibility | ✅ Passed | PR only adds CI/prow/OWNERS config; no deployment manifests, controllers, or scheduling constraints like node selectors, anti-affinity, or spread constraints were introduced. |
| Ote Binary Stdout Contract | ✅ Passed | PR only adds YAML/OWNERS config; no Go/Ginkgo binary or suite setup code was introduced, so no process-level stdout writes to flag. |
| Ipv6 And Disconnected Network Test Compatibility | ✅ Passed | No new Ginkgo e2e tests were added; the PR only changes CI/prow config and OWNERS files, so the IPv4/disconnected-network check is not applicable. |
| No-Weak-Crypto | ✅ Passed | Changed files are only OWNERS and CI/Prow YAML configs; no weak-crypto terms or secret comparisons were present. |
| Container-Privileges | ✅ Passed | No added manifest sets privileged/hostPID/hostNetwork/hostIPC/allowPrivilegeEscalation/SYS_ADMIN or runAsUser: 0; only nested-podman labels appear. |
| No-Sensitive-Data-In-Logs | ✅ Passed | Only new log-like output is benign echo "Go Version: $(go version)"; no passwords, tokens, PII, hostnames, or customer data were found. |
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Comment @coderabbitai help to get the list of available commands.

openshift-ci Bot requested review from Prucek and pruan-rht June 26, 2026 10:40

openshift-ci Bot commented Jun 26, 2026

Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: Chee-Lu

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

openshift-ci Bot added the approved (Indicates a PR has been approved by an approver from all required OWNERS files.) and do-not-merge/invalid-owners-file (Indicates that a PR should not merge because it has an invalid OWNERS file in it.) labels Jun 26, 2026
@openshift-merge-bot

Contributor

[REHEARSALNOTIFIER]
@Chee-Lu: the pj-rehearse plugin accommodates running rehearsal tests for the changes in this PR. Expand 'Interacting with pj-rehearse' for usage details. The following rehearsable tests have been affected by this change:

| Test name | Repo | Type | Reason |
|---|---|---|---|
| pull-ci-openshift-online-osd-fleet-manager-main-images | openshift-online/osd-fleet-manager | presubmit | Presubmit changed |
| pull-ci-openshift-online-osd-fleet-manager-main-integration-test | openshift-online/osd-fleet-manager | presubmit | Presubmit changed |
| pull-ci-openshift-online-osd-fleet-manager-main-lint | openshift-online/osd-fleet-manager | presubmit | Presubmit changed |
| pull-ci-openshift-online-osd-fleet-manager-main-unit-test | openshift-online/osd-fleet-manager | presubmit | Presubmit changed |

Prior to this PR being merged, you will need to either run and acknowledge or opt to skip these rehearsals.

Interacting with pj-rehearse

Comment: /pj-rehearse to run up to 5 rehearsals
Comment: /pj-rehearse skip to opt-out of rehearsals
Comment: /pj-rehearse {test-name}, with each test separated by a space, to run one or more specific rehearsals
Comment: /pj-rehearse more to run up to 10 rehearsals
Comment: /pj-rehearse max to run up to 25 rehearsals
Comment: /pj-rehearse auto-ack to run up to 5 rehearsals, and add the rehearsals-ack label on success
Comment: /pj-rehearse list to get an up-to-date list of affected jobs
Comment: /pj-rehearse abort to abort all active rehearsals
Comment: /pj-rehearse network-access-allowed to allow rehearsals of tests that have the restrict_network_access field set to false. This must be executed by an openshift org member who is not the PR author

Once you are satisfied with the results of the rehearsals, comment: /pj-rehearse ack to unblock merge. When the rehearsals-ack label is present on your PR, merge will no longer be blocked by rehearsals.
If you would like the rehearsals-ack label removed, comment: /pj-rehearse reject to re-block merging.

coderabbitai Bot left a comment

Contributor

🧹 Nitpick comments (2)
ci-operator/config/openshift-online/osd-fleet-manager/openshift-online-osd-fleet-manager-main.yaml (2)

54-61: 📐 Maintainability & Code Quality | 🔵 Trivial | 💤 Low value

Optional: pin gotestsum and avoid fixed sleep.

Two small robustness nits in the unit/integration steps:

  • go install gotest.tools/gotestsum@latest is non-reproducible; pinning a version keeps CI deterministic.
  • sleep 5 after make db/setup is a fragile readiness assumption; a readiness poll (or pg_isready loop) is more reliable than a fixed wait.
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In
`@ci-operator/config/openshift-online/osd-fleet-manager/openshift-online-osd-fleet-manager-main.yaml`
around lines 54 - 61, The CI setup step uses an unpinned gotestsum install and a
fixed wait after database setup, both of which make the workflow fragile. Update
the step that runs `go install gotest.tools/gotestsum@latest` to use a pinned
version, and replace the `sleep 5` following `make db/setup` with a readiness
check or poll that waits for the database to be available before running `make
test`.

19-21: 🔒 Security & Privacy | 🔵 Trivial

Add SHA256 verification for the Go tarball. go1.25.7.linux-amd64.tar.gz should be checked before extraction; its SHA256 is 12e6d6a191091ae27dc31f6efc630e3a3b8ba409baf3573d955b196fdf086005.

♻️ Add checksum verification
-      RUN curl -LO https://go.dev/dl/go1.25.7.linux-amd64.tar.gz && \
-          tar -C /usr/local -xzf go1.25.7.linux-amd64.tar.gz && \
-          rm go1.25.7.linux-amd64.tar.gz
+      RUN curl -LO https://go.dev/dl/go1.25.7.linux-amd64.tar.gz && \
+          echo "12e6d6a191091ae27dc31f6efc630e3a3b8ba409baf3573d955b196fdf086005  go1.25.7.linux-amd64.tar.gz" | sha256sum -c - && \
+          tar -C /usr/local -xzf go1.25.7.linux-amd64.tar.gz && \
+          rm go1.25.7.linux-amd64.tar.gz
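Review bot: the digest on the added `sha256sum -c -` line should be confirmed against the checksum published on the go.dev download page before it is committed, because a pinned value only protects the build if it was obtained independently of the tarball it verifies and of this suggestion. The unchanged `curl -LO` call also has no `-f` (`--fail`), so an HTTP error body would be written under the tarball name and show up only as a checksum mismatch; `curl -fsSLO` would make that failure explicit. The file name `go1.25.7.linux-amd64.tar.gz` now appears four times next to a hard-coded digest, so holding the version and digest in variables would keep the URL, the check and the cleanup in step on the next Go bump.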
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In
`@ci-operator/config/openshift-online/osd-fleet-manager/openshift-online-osd-fleet-manager-main.yaml`
around lines 19 - 21, The Go toolchain download step in the Dockerfile snippet
is missing checksum validation before extraction. Update the RUN sequence around
the go1.25.7.linux-amd64.tar.gz download to verify the tarball’s SHA256 against
12e6d6a191091ae27dc31f6efc630e3a3b8ba409baf3573d955b196fdf086005 before calling
tar, and keep the cleanup of the archive after verification.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 2a75d91f-c5fa-4b6b-9096-01d7e766d0c5

📥 Commits

Reviewing files that changed from the base of the PR and between dfc2ca4 and 5c8925e.

⛔ Files ignored due to path filters (2)
  • ci-operator/jobs/openshift-online/osd-fleet-manager/OWNERS is excluded by !ci-operator/jobs/**
  • ci-operator/jobs/openshift-online/osd-fleet-manager/openshift-online-osd-fleet-manager-main-presubmits.yaml is excluded by !ci-operator/jobs/**
📒 Files selected for processing (5)
  • ci-operator/config/openshift-online/osd-fleet-manager/OWNERS
  • ci-operator/config/openshift-online/osd-fleet-manager/openshift-online-osd-fleet-manager-main.yaml
  • core-services/prow/02_config/openshift-online/osd-fleet-manager/OWNERS
  • core-services/prow/02_config/openshift-online/osd-fleet-manager/_pluginconfig.yaml
  • core-services/prow/02_config/openshift-online/osd-fleet-manager/_prowconfig.yaml
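
A bounded readiness poll of the kind the nitpick above suggests in place of `sleep 5`, written as an added example that is not part of the PR or of CodeRabbit's comment. The `PGHOST`/`PGPORT` defaults, the attempt budget, the order of the install step and the `GOTESTSUM_VERSION` variable are assumptions; the page does not show how the job reaches PostgreSQL or which gotestsum release to pin.

```shell
#!/bin/sh
# Added example (not from the PR): bounded readiness poll instead of a fixed sleep.

# wait_until MAX_ATTEMPTS INTERVAL_SECONDS COMMAND [ARGS...]
# Runs COMMAND until it exits 0. Returns 0 on success, 1 once MAX_ATTEMPTS
# probes have failed, so a database that never comes up fails the job
# at this step instead of surfacing later as confusing test errors.
wait_until() {
    max_attempts=$1
    interval_s=$2
    shift 2
    attempt=1
    until "$@" >/dev/null 2>&1; do
        if [ "$attempt" -ge "$max_attempts" ]; then
            return 1
        fi
        attempt=$((attempt + 1))
        sleep "$interval_s"
    done
    return 0
}

# Hypothetical unit-test step built from the commands named in the review.
# Assumptions: PGHOST/PGPORT defaults, 30 attempts, and GOTESTSUM_VERSION
# (a release tag chosen and reviewed by the repo owners) are not from the PR.
unit_test_step() {
    if [ -z "${GOTESTSUM_VERSION:-}" ]; then
        echo "GOTESTSUM_VERSION must name a pinned release tag" >&2
        return 1
    fi
    go install "gotest.tools/gotestsum@${GOTESTSUM_VERSION}" || return 1
    make db/setup || return 1
    if ! wait_until 30 1 pg_isready -h "${PGHOST:-localhost}" -p "${PGPORT:-5432}"; then
        echo "PostgreSQL not accepting connections after 30 probes" >&2
        return 1
    fi
    make test
}

# Constructed probe for exercising wait_until offline: fails twice, then succeeds.
PROBE_CALLS=0
flaky_probe() {
    PROBE_CALLS=$((PROBE_CALLS + 1))
    [ "$PROBE_CALLS" -ge 3 ]
}
```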

Chee-Lu commented Jun 26, 2026

Author

/pj-rehearse

@openshift-merge-bot

Contributor

@Chee-Lu: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

@openshift-merge-bot

Contributor

@Chee-Lu: needs-ok-to-test label found, no rehearsals will be run

Chee-Lu commented Jun 26, 2026

Author

/verify-owners

openshift-ci Bot commented Jun 26, 2026

Contributor

The OWNERS file contains untrusted users, which makes it INVALID. The following users are mentioned in OWNERS file(s) but are untrusted for the following reasons. One way to make the user trusted is to add them as members of the openshift org. You can then trigger verification by writing /verify-owners in a comment.

  • anfranci
    • User is not a member of the org. User is not a collaborator. Satisfy at least one of these conditions to make the user trusted.
    • ci-operator/config/openshift-online/osd-fleet-manager/OWNERS
    • ci-operator/jobs/openshift-online/osd-fleet-manager/OWNERS
    • core-services/prow/02_config/openshift-online/osd-fleet-manager/OWNERS
  • anrocha
    • User is not a member of the org. User is not a collaborator. Satisfy at least one of these conditions to make the user trusted.
    • ci-operator/config/openshift-online/osd-fleet-manager/OWNERS
    • ci-operator/jobs/openshift-online/osd-fleet-manager/OWNERS
    • core-services/prow/02_config/openshift-online/osd-fleet-manager/OWNERS
  • chlu
    • User is not a member of the org. User is not a collaborator. Satisfy at least one of these conditions to make the user trusted.
    • ci-operator/config/openshift-online/osd-fleet-manager/OWNERS
    • ci-operator/jobs/openshift-online/osd-fleet-manager/OWNERS
    • core-services/prow/02_config/openshift-online/osd-fleet-manager/OWNERS
  • chuluo
    • User is not a member of the org. User is not a collaborator. Satisfy at least one of these conditions to make the user trusted.
    • ci-operator/config/openshift-online/osd-fleet-manager/OWNERS
    • ci-operator/jobs/openshift-online/osd-fleet-manager/OWNERS
    • core-services/prow/02_config/openshift-online/osd-fleet-manager/OWNERS

Prucek commented Jun 26, 2026

Member

/ok-to-test

openshift-ci Bot added the ok-to-test label (Indicates a non-member PR verified by an org member that is safe to test.) and removed the needs-ok-to-test label (Indicates a PR that requires an org member to verify it is safe to test.) Jun 26, 2026

Chee-Lu commented Jun 26, 2026

Author

/retest

Chee-Lu commented Jun 26, 2026

Author

/retest-required

openshift-ci Bot commented Jun 26, 2026

Contributor

@Chee-Lu: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

| Test name | Commit | Details | Required | Rerun command |
|---|---|---|---|---|
| ci/prow/check-gh-automation | 5c8925e | link | true | /test check-gh-automation |
| ci/prow/generated-config | 5c8925e | link | true | /test generated-config |

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.
