gcp-hcp-infra: configure Prow for gitops-promoter promotion branches #80775

Merged: openshift-merge-bot[bot] merged 2 commits into openshift:main from patjlm:prow-gitops-promoter on Jun 19, 2026

patjlm commented Jun 19, 2026
Contributor

Summary

  • Protect environment/global-integration and environment/global-stage branches without requiring atlantis status checks
  • Trust gcp-hcp-gitops-promoter GitHub App so promotion PRs skip needs-ok-to-test

Context

We're deploying gitops-promoter for progressive environment promotions (integration → stage) on gcp-hcp-infra. The promoter bot creates PRs targeting environment/global-* active branches. Without this change:

  1. Prow requires atlantis status checks that don't apply to promotion PRs
  2. Promotion PRs get needs-ok-to-test, requiring manual intervention

Related PRs on gcp-hcp-infra:

Jira: GCP-837

🤖 Generated with Claude Code

Summary by CodeRabbit

This PR configures Prow to support automated promotion workflows for the gcp-hcp-infra repository using the gcp-hcp-gitops-promoter GitHub App.

Changes made:

  1. Trusted App Configuration (_pluginconfig.yaml): Added gcp-hcp-gitops-promoter to the trusted_apps list under Prow's trigger configuration. This allows promotion PRs created by the app to skip the needs-ok-to-test requirement, enabling automated testing without manual approval delays.

  2. Branch Protection Rules (_prowconfig.yaml): Added protection to the environment/global-integration and environment/global-stage branches, requiring pull requests for all changes while explicitly excluding atlantis status checks (since these checks don't apply to promotion PRs created by the automation).

These changes enable the gitops-promoter bot to automatically create promotion PRs as part of a progressive deployment workflow, moving validated changes from the integration environment to staging without requiring manual intervention in the CI/CD process.
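
The two settings described above have roughly the following shape in Prow's configuration. This is an added illustration, not the PR's actual diff (which does not appear on this page): the `openshift-online/gcp-hcp-infra` repo key is inferred from the file paths named in the thread, and the `main` entry with its `<atlantis-status-context>` placeholder is an assumption included only to show the contrast.

```yaml
# Added illustration, not the PR's diff.

# _pluginconfig.yaml: trigger plugin trust list
triggers:
- repos:
  - openshift-online/gcp-hcp-infra      # inferred from the config file path
  trusted_apps:
  # GitHub App slug, written without the "[bot]" suffix.
  # PRs opened by this app are treated as trusted, so they do not get
  # needs-ok-to-test and CI runs without a human /ok-to-test.
  - gcp-hcp-gitops-promoter
---
# _prowconfig.yaml: branch protection
branch-protection:
  orgs:
    openshift-online:
      repos:
        gcp-hcp-infra:
          branches:
            environment/global-integration:
              protect: true             # protected; no contexts listed for this branch
            environment/global-stage:
              protect: true
            main:                       # assumed entry, shown for contrast only
              protect: true
              required_status_checks:
                contexts:
                - <atlantis-status-context>   # placeholder; real context name is not on this page
```

Because a branch inherits the policy of its repo and org, the promotion branches only avoid the atlantis contexts if those contexts are declared on a specific branch (as assumed for `main` here) and not at the repo or org level.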

- Protect environment/global-{integration,stage} branches (require PRs,
  no direct push) without requiring atlantis status checks
- Trust gcp-hcp-gitops-promoter GitHub App so promotion PRs skip
  needs-ok-to-test

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@openshift-ci openshift-ci Bot requested review from ckandag and jimdaga June 19, 2026 07:50
@openshift-ci openshift-ci Bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Jun 19, 2026
coderabbitai Bot commented Jun 19, 2026
Contributor

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 1bb0a34a-1d97-4062-957b-adb99dc932e4

📥 Commits

Reviewing files that changed from the base of the PR and between 716f5b4 and 254963c.

📒 Files selected for processing (1)
  • core-services/prow/02_config/openshift-online/gcp-hcp-infra/_prowconfig.yaml
🚧 Files skipped from review as they are similar to previous changes (1)
  • core-services/prow/02_config/openshift-online/gcp-hcp-infra/_prowconfig.yaml

Walkthrough

Two YAML config files for the gcp-hcp-infra Prow configuration are updated: gcp-hcp-gitops-promoter is added to the trusted_apps list in the plugin config, and branch protection is enabled (protect: true) for the environment/global-integration and environment/global-stage branches in the Prow config.

Changes

gcp-hcp-infra Prow Config Updates

Layer: Trusted app and branch protection config
File(s): core-services/prow/02_config/openshift-online/gcp-hcp-infra/_pluginconfig.yaml, core-services/prow/02_config/openshift-online/gcp-hcp-infra/_prowconfig.yaml
Summary: Adds gcp-hcp-gitops-promoter to the trusted_apps list under triggers, and introduces protect: true branch-protection entries for environment/global-integration and environment/global-stage.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

Possibly related PRs

  • openshift/release#80675: Directly analogous change adding a different trusted GitHub App slug to trusted_apps in a _pluginconfig.yaml.
  • openshift/release#80695: Also modifies trusted_apps under triggers in an openshift-online _pluginconfig.yaml, adding dependabot for a similar purpose.

Suggested labels

lgtm

Suggested reviewers

  • theautoroboto
  • kseiter-rh
🚥 Pre-merge checks | ✅ 15
✅ Passed checks (15 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title clearly and specifically summarizes the main change: configuring Prow for gitops-promoter on gcp-hcp-infra, which aligns with the PR objectives of setting up branch protection and GitHub App trust.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names ✅ Passed PR modifies only Prow config YAML files, not Ginkgo tests. The check for stable test names is not applicable here.
Test Structure And Quality ✅ Passed The custom check requires reviewing Ginkgo test code quality, but this PR only modifies YAML Prow configuration files (_pluginconfig.yaml and _prowconfig.yaml). No test code is present, making the...
Microshift Test Compatibility ✅ Passed No Ginkgo e2e tests are added in this PR. Changes are purely Prow configuration (YAML files) for gitops-promoter setup, not test code.
Single Node Openshift (Sno) Test Compatibility ✅ Passed This PR modifies only Prow infrastructure YAML configuration files and adds no Ginkgo e2e tests. The SNO test compatibility check is not applicable.
Topology-Aware Scheduling Compatibility ✅ Passed PR modifies only Prow CI/CD configuration files (branch protection and GitHub app trust settings), not deployment manifests, operator code, or controllers; therefore topology-aware scheduling check...
Ote Binary Stdout Contract ✅ Passed PR modifies only YAML configuration files for Prow (gcp-hcp-infra). The OTE Binary Stdout Contract check applies to Go test extension binaries with stdout writes in process-level code. This PR cont...
Ipv6 And Disconnected Network Test Compatibility ✅ Passed PR modifies only Prow configuration YAML files (no Ginkgo e2e tests added), so the IPv6/disconnected network check for tests does not apply.
No-Weak-Crypto ✅ Passed PR modifies only YAML configuration files for Prow CI/CD settings (branch protection and GitHub App trust). No cryptographic code, weak algorithms, or secret comparisons are present.
Container-Privileges ✅ Passed The PR modifies only Prow CI/CD configuration files (_pluginconfig.yaml, _prowconfig.yaml) which are not container or Kubernetes manifests. No privileged container configurations, security contexts...
No-Sensitive-Data-In-Logs ✅ Passed The PR modifies Prow configuration YAML files to add trusted app and branch protection settings. No logging statements are present, and no sensitive data (passwords, tokens, API keys, PII, session...


@openshift-merge-bot openshift-merge-bot Bot added the rehearsals-ack Signifies that rehearsal jobs have been acknowledged label Jun 19, 2026
Run determinize-prow-config to fix branch-protection entry ordering
(environment/* branches before main, alphabetically).

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@openshift-merge-bot

Contributor

[REHEARSALNOTIFIER]
@patjlm: no rehearsable tests are affected by this change

Note: If this PR includes changes to step registry files (ci-operator/step-registry/) and you expected jobs to be found, try rebasing your PR onto the base branch. This helps pj-rehearse accurately detect changes when the base branch has moved forward.

Interacting with pj-rehearse

Comment: /pj-rehearse to run up to 5 rehearsals
Comment: /pj-rehearse skip to opt-out of rehearsals
Comment: /pj-rehearse {test-name}, with each test separated by a space, to run one or more specific rehearsals
Comment: /pj-rehearse more to run up to 10 rehearsals
Comment: /pj-rehearse max to run up to 25 rehearsals
Comment: /pj-rehearse auto-ack to run up to 5 rehearsals, and add the rehearsals-ack label on success
Comment: /pj-rehearse list to get an up-to-date list of affected jobs
Comment: /pj-rehearse abort to abort all active rehearsals
Comment: /pj-rehearse network-access-allowed to allow rehearsals of tests that have the restrict_network_access field set to false. This must be executed by an openshift org member who is not the PR author

Once you are satisfied with the results of the rehearsals, comment: /pj-rehearse ack to unblock merge. When the rehearsals-ack label is present on your PR, merge will no longer be blocked by rehearsals.
If you would like the rehearsals-ack label removed, comment: /pj-rehearse reject to re-block merging.

patjlm commented Jun 19, 2026
Contributor Author

/retest

openshift-ci Bot commented Jun 19, 2026
Contributor

@patjlm: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

apahim commented Jun 19, 2026
Contributor

/lgtm

@openshift-ci openshift-ci Bot added the lgtm Indicates that a PR is ready to be merged. label Jun 19, 2026
openshift-ci Bot commented Jun 19, 2026
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: apahim, patjlm

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-merge-bot openshift-merge-bot Bot merged commit 49be5bd into openshift:main Jun 19, 2026
12 checks passed
openshift-ci Bot commented Jun 19, 2026
Contributor

@patjlm: Updated the following 2 configmaps:

  • config configmap in namespace ci at cluster core-ci using the following files:
    • key core-services-prow-02_config-openshift-online-gcp-hcp-infra-_prowconfig.yaml using file core-services/prow/02_config/openshift-online/gcp-hcp-infra/_prowconfig.yaml
  • config configmap in namespace ci at cluster app.ci using the following files:
    • key core-services-prow-02_config-openshift-online-gcp-hcp-infra-_prowconfig.yaml using file core-services/prow/02_config/openshift-online/gcp-hcp-infra/_prowconfig.yaml