Update boilerplate

[abyrne55]

Sync with latest boilerplate (61dbfdf)

Summary by CodeRabbit

• Chores
  • Implemented pre-commit validation workflows (linting, secrets scanning, manifest checks) to improve code quality
  • Configured code coverage status checks with minimum thresholds to maintain quality standards
  • Updated container base images to newer stable versions for improved security and stability
  • Updated CI/CD configuration referencing a newer build image tag
  • Removed outdated owner alias entries in repository metadata

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: a9d185b3-c010-4e52-b25b-f39c82b15c91

📥 Commits

Reviewing files that changed from the base of the PR and between 1b26f77 and 3752706.

⛔ Files ignored due to path filters (8)

• boilerplate/_data/backing-image-tag is excluded by !boilerplate/**
• boilerplate/_data/last-boilerplate-commit is excluded by !boilerplate/**
• boilerplate/openshift/golang-osd-operator/.codecov.yml is excluded by !boilerplate/**
• boilerplate/openshift/golang-osd-operator/OWNERS_ALIASES is excluded by !boilerplate/**
• boilerplate/openshift/golang-osd-operator/golangci.yml is excluded by !boilerplate/**
• boilerplate/openshift/golang-osd-operator/pre-commit-config.yaml is excluded by !boilerplate/**
• boilerplate/openshift/golang-osd-operator/standard.mk is excluded by !boilerplate/**
• boilerplate/openshift/golang-osd-operator/update is excluded by !boilerplate/**

📒 Files selected for processing (6)

• .ci-operator.yaml
• .codecov.yml
• .pre-commit-config.yaml
• OWNERS_ALIASES
• build/Dockerfile
• build/Dockerfile.olm-registry

💤 Files with no reviewable changes (1)

• OWNERS_ALIASES

✅ Files skipped from review due to trivial changes (3)

• .ci-operator.yaml
• build/Dockerfile.olm-registry
• build/Dockerfile

🚧 Files skipped from review as they are similar to previous changes (2)

• .codecov.yml
• .pre-commit-config.yaml

---

Walkthrough

Updates build and runtime base images, enables codecov status thresholds, adds a repository pre-commit configuration with multiple hooks, and removes a GitHub alias entry from OWNERS_ALIASES.

Changes

Build and CI Configuration

Layer / File(s)	Summary
CI build root image .ci-operator.yaml	build_root_image.tag updated from image-v8.3.5 → image-v8.3.6.
Docker builder & runtime images build/Dockerfile	Builder stage base image updated to quay.io/redhat-services-prod/openshift/boilerplate:image-v8.3.6 and runtime stage UBI tag updated to registry.access.redhat.com/ubi9/ubi-minimal:9.7-1778461551.
OLM runtime base build/Dockerfile.olm-registry	Runtime base image tag updated to registry.access.redhat.com/ubi9/ubi-minimal:9.7-1778461551.
Code coverage policy .codecov.yml	coverage.status changed from disabled to configured: project default target 35% (threshold 1%), patch default target 50% (threshold 1%).

Development Workflow and Team Management

Layer / File(s)	Summary
Pre-commit configuration .pre-commit-config.yaml	Adds tiered pre-commit hooks: upstream hooks (merge-conflict, trailing-whitespace with markdown handling, EOF-fix, YAML lint for deploy/), pinned gitleaks, pinned golangci-lint with repo config and timeout, and local hooks go-build, go-mod-tidy, rbac-wildcard-check (limited to deploy/).
Owners aliases update OWNERS_ALIASES	Removed abyrne55 from aliases.srep-functional-team-aurora and from aliases.srep-functional-leads.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

🚥 Pre-merge checks | ✅ 9 | ❌ 3

❌ Failed checks (2 warnings, 1 inconclusive)

Check name	Status	Explanation	Resolution
Description check	⚠️ Warning	The pull request description is largely incomplete, missing most required template sections including 'What is being added?', testing checklist, manual testing steps, and reference tracking.	Complete the description following the template: add details about what boilerplate changes are being synced, mark the testing checklist items, provide manual testing steps, and include an issue reference.
Test Structure And Quality	⚠️ Warning	Tests lack assertion messages; "should not update the label" asserts multiple unrelated behaviors; timeout pattern in int_test.go has race conditions with uncancelled timers and reference capture.	Add assertion messages to all Expect calls; split multi-assertion tests; fix timeout using context.WithTimeout with proper cleanup.
Title check	❓ Inconclusive	The title 'Update boilerplate' is vague and generic, using a non-descriptive term that doesn't convey specific details about which boilerplate components were updated.	Consider a more descriptive title that specifies what boilerplate components were updated, such as 'Update boilerplate to image-v8.3.6 and configure coverage/linting' or similar.

✅ Passed checks (9 passed)

Check name	Status	Explanation
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names	✅ Passed	No test files modified in this PR. All existing Ginkgo test names use stable, deterministic titles. Check is not applicable to this boilerplate/config update PR.
Microshift Test Compatibility	✅ Passed	No new Ginkgo e2e tests were added. Changes are only to configuration, GitHub metadata, and Docker build files. The check is not applicable.
Single Node Openshift (Sno) Test Compatibility	✅ Passed	Tests added are osde2e (OSD-specific) requiring OCM environment variables. Not part of standard OpenShift CI on SNO; not subject to SNO compatibility checks.
Topology-Aware Scheduling Compatibility	✅ Passed	PR contains only CI config, code coverage, pre-commit hooks, ownership aliases, and Dockerfile updates. No deployment manifests or scheduling constraints are introduced or modified.
Ote Binary Stdout Contract	✅ Passed	PR modifies only configuration and Dockerfile files—no Go source files changed. No process-level code modified. No stdout writes introduced.
Ipv6 And Disconnected Network Test Compatibility	✅ Passed	PR does not add any new Ginkgo e2e tests. All changes are configuration and build file updates. Check is not applicable to this PR.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.pre-commit-config.yaml:
- Around line 123-134: The hook named "rbac-wildcard-check" currently runs the
command specified in entry ("make rbac-wildcard-check") which will cause
pre-commit to fail on non-zero exit, so either update the comment to state that
this hook is blocking (remove "warn-only") or change the hook to be non-blocking
by altering the entry to swallow failures (e.g., keep "entry" referencing the
same make target but ensure it returns success by appending a no-fail wrapper
around "make rbac-wildcard-check"); reference the id "rbac-wildcard-check" and
the entry command "make rbac-wildcard-check" when making the change.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 8f6f365c-1975-43fb-a152-7c6723f9c138

📥 Commits

Reviewing files that changed from the base of the PR and between 3b59c4f and 1b26f77.

⛔ Files ignored due to path filters (8)

• boilerplate/_data/backing-image-tag is excluded by !boilerplate/**
• boilerplate/_data/last-boilerplate-commit is excluded by !boilerplate/**
• boilerplate/openshift/golang-osd-operator/.codecov.yml is excluded by !boilerplate/**
• boilerplate/openshift/golang-osd-operator/OWNERS_ALIASES is excluded by !boilerplate/**
• boilerplate/openshift/golang-osd-operator/golangci.yml is excluded by !boilerplate/**
• boilerplate/openshift/golang-osd-operator/pre-commit-config.yaml is excluded by !boilerplate/**
• boilerplate/openshift/golang-osd-operator/standard.mk is excluded by !boilerplate/**
• boilerplate/openshift/golang-osd-operator/update is excluded by !boilerplate/**

📒 Files selected for processing (6)

• .ci-operator.yaml
• .codecov.yml
• .pre-commit-config.yaml
• OWNERS_ALIASES
• build/Dockerfile
• build/Dockerfile.olm-registry

💤 Files with no reviewable changes (1)

• OWNERS_ALIASES

[coderabbitai]

⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

rbac-wildcard-check is blocking despite “warn-only” label.

The current hook will fail commits on non-zero exit, so it is not warn-only as described. Please align the comment (or the hook behavior) to avoid confusion.

Suggested minimal fix (docs aligned to actual behavior)

-      # 6. RBAC WILDCARD CHECK  |  target < 5s  |  warn-only (blocking after cleanup)
+      # 6. RBAC WILDCARD CHECK  |  target < 5s  |  blocking

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	# 6. RBAC WILDCARD CHECK | target < 5s | warn-only (blocking after cleanup)
	# Rejects wildcard RBAC in deploy/ manifests (verbs/resources: ["*"]
	# or multi-line - '*' format). Logic lives in standard.mk target
	# 'rbac-wildcard-check' for readability and reuse.
	# Fix: replace wildcards with explicit verbs and resource names.
	# -----------------------------------------------------------------------
	- id: rbac-wildcard-check
	name: RBAC wildcard permissions
	language: system
	entry: bash -c 'make rbac-wildcard-check'
	files: ^deploy/.*\.ya?ml$
	pass_filenames: false
	# 6. RBAC WILDCARD CHECK | target < 5s | blocking
	# Rejects wildcard RBAC in deploy/ manifests (verbs/resources: ["*"]
	# or multi-line - '*' format). Logic lives in standard.mk target
	# 'rbac-wildcard-check' for readability and reuse.
	# Fix: replace wildcards with explicit verbs and resource names.
	# -----------------------------------------------------------------------
	- id: rbac-wildcard-check
	name: RBAC wildcard permissions
	language: system
	entry: bash -c 'make rbac-wildcard-check'
	files: ^deploy/.*\.ya?ml$
	pass_filenames: false

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.pre-commit-config.yaml around lines 123 - 134, The hook named
"rbac-wildcard-check" currently runs the command specified in entry ("make
rbac-wildcard-check") which will cause pre-commit to fail on non-zero exit, so
either update the comment to state that this hook is blocking (remove
"warn-only") or change the hook to be non-blocking by altering the entry to
swallow failures (e.g., keep "entry" referencing the same make target but ensure
it returns success by appending a no-fail wrapper around "make
rbac-wildcard-check"); reference the id "rbac-wildcard-check" and the entry
command "make rbac-wildcard-check" when making the change.

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: abyrne55

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS [abyrne55]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[codecov-commenter]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 58.60%. Comparing base (3b59c4f) to head (3752706).

Additional details and impacted files

@@           Coverage Diff           @@
##             main     #240   +/-   ##
=======================================
  Coverage   58.60%   58.60%           
=======================================
  Files           5        5           
  Lines         244      244           
=======================================
  Hits          143      143           
  Misses         87       87           
  Partials       14       14           

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[openshift-ci]

@abyrne55: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.