NO-ISSUE: On-board osac bare-metal-fulfillment-operator #80425

Open: adriengentil wants to merge 6 commits into openshift:main from adriengentil:onboard-bmf

@adriengentil adriengentil commented Jun 11, 2026

Contributor

Summary by CodeRabbit

This PR onboards the osac-project/bare-metal-fulfillment-operator into OpenShift CI by adding ci-operator config, Prow configuration, and OWNERS metadata so the operator can be built, validated, and participate in automated workflows.

Practical effects:

  • Adds ci-operator config for osac-project/bare-metal-fulfillment-operator: defines a RHEL9 + Go 1.24 + OpenShift 4.21 build root, a single image built from the repository Containerfile named bare-metal-fulfillment-operator, and repository metadata (org: osac-project, repo: bare-metal-fulfillment-operator, branch: main). Promotion is present but left as an empty object (no promotion rules set). Default resource requests/limits are set (memory limit 4Gi, memory request 200Mi, cpu request 100m). A nightly OCP release candidate (product: ocp, stream: nightly, version: 4.20) is declared.
  • Adds Prow plugin config (_pluginconfig.yaml): configures self-approval rules, registers multiple external plugin endpoints and event triggers, enables LGTM behavior with trusted apps, and enables repository plugins so automated checks and bots (e.g., openshift-merge-bot, dependabot) can operate.
  • Adds Tide/Prow merge rules (_prowconfig.yaml): creates a Tide query scoped to the repository requiring the approved and lgtm labels and blocking merges when various do-not-merge, backport, or Jira/rebase-related labels are present.
  • Adds OWNERS files (ci-operator/config and core-services/prow/02_config): populates approvers and reviewers (adriengentil, larsks, carbonin) to establish who can review/approve PRs for this repository.

Net result: the repository is integrated into OpenShift’s CI/Prow systems for automated build, testing, and merge workflows, with ownership and plugin behavior configured.

@openshift-ci-robot added the jira/valid-reference label ("Indicates that this PR references a valid Jira ticket of any type.") on Jun 11, 2026
@openshift-ci-robot

Contributor

@adriengentil: This pull request explicitly references no jira issue.

@openshift-ci (bot) added the approved label ("Indicates a PR has been approved by an approver from all required OWNERS files.") on Jun 11, 2026
@coderabbitai

coderabbitai Bot commented Jun 11, 2026

Contributor

Important

Review skipped

Review was skipped due to path filters

⛔ Files ignored due to path filters (1)
  • ci-operator/jobs/osac-project/bare-metal-fulfillment-operator/OWNERS is excluded by !ci-operator/jobs/**

CodeRabbit blocks several paths by default. You can override this behavior by explicitly including those paths in the path filters. For example, including **/dist/** will override the default block on the dist directory, by removing the pattern from both the lists.

⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 8fdb6f5a-4bb4-4bf3-942c-a260626dfcd9

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Walkthrough

Adds CI and automation configuration for the bare-metal-fulfillment-operator OSAC project: a ci-operator build/release config, Prow plugin and Tide configs for merge automation, and OWNERS files for approvers/reviewers.

Changes

OSAC bare-metal-fulfillment-operator project onboarding

| Layer / File(s) | Summary |
| --- | --- |
| CI operator build and release configuration: ci-operator/config/osac-project/bare-metal-fulfillment-operator/osac-project-bare-metal-fulfillment-operator-main.yaml | Defines build root image stream tag, a Containerfile-based image build for bare-metal-fulfillment-operator, promotion settings, latest release candidate targeting OCP nightly 4.20, wildcard default memory/cpu requests and limits, and generated repo metadata. |
| Prow plugin and merge automation configuration: core-services/prow/02_config/osac-project/bare-metal-fulfillment-operator/_pluginconfig.yaml, core-services/prow/02_config/osac-project/bare-metal-fulfillment-operator/_prowconfig.yaml | Adds repo-specific Prow _pluginconfig.yaml (external plugin endpoints, event bindings, LGTM/triggers/trusted apps) and a Tide query in _prowconfig.yaml requiring approved and lgtm and excluding do-not-merge/misc labels. |
| OWNERS metadata: ci-operator/config/osac-project/bare-metal-fulfillment-operator/OWNERS, core-services/prow/02_config/osac-project/bare-metal-fulfillment-operator/OWNERS | Adds OWNERS files populating approvers and reviewers with the same three GitHub usernames (adriengentil, larsks, carbonin). |

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Possibly related PRs

Suggested labels

lgtm, rehearsals-ack

Suggested reviewers

  • bear-redhat
🚥 Pre-merge checks | ✅ 15
✅ Passed checks (15 passed)
| Check name | Status | Explanation |
| --- | --- | --- |
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title clearly and specifically describes the main change: on-boarding the osac bare-metal-fulfillment-operator, which aligns directly with the pull request's core objective of setting up configuration files for this new operator. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Stable And Deterministic Test Names | ✅ Passed | PR adds only OSAC/prow YAML + OWNERS; in those paths there are no *_test.go or *.go files and the YAML contains no Ginkgo It/Describe titles, so nothing to flag. |
| Test Structure And Quality | ✅ Passed | PR #80425 changes only YAML/OWNERS CI/Prow config; no Ginkgo test code (no *_test.go / Describe / It) present in the diff, so the test-structure quality check is not applicable. |
| Microshift Test Compatibility | ✅ Passed | PR 80425 changes only 5 ci-operator/prow YAML/OWNERS files (no .go sources); no new Ginkgo e2e tests were added, so the MicroShift compatibility check is not applicable. |
| Single Node Openshift (Sno) Test Compatibility | ✅ Passed | PR only adds ci-operator/osac-project and core-services/prow YAML/OWNERS for bare-metal-fulfillment-operator; no Ginkgo e2e test (Describe/It) code changes detected, so no SNO assumptions to validate. |
| Topology-Aware Scheduling Compatibility | ✅ Passed | PR adds only CI/CD configuration files (ci-operator config, Prow plugin/tide configs, OWNERS files) with no deployment manifests, operator code, or scheduling constraints that could assume HA topol... |
| Ote Binary Stdout Contract | ✅ Passed | PR #80425 changes only ci-operator/core-services YAML/OWNERS/job configs (no .go files present), so there’s no OTE binary stdout/main/init-level code to violate the JSON-on-stdout contract. |
| Ipv6 And Disconnected Network Test Compatibility | ✅ Passed | PR #80425 only adds CI/Prow/OWNERS YAML (no .go files); searches for Ginkgo/It() in the PR files view found no matches, so no new e2e tests to flag. |
| No-Weak-Crypto | ✅ Passed | Searched PR #80425 “files changed” content for MD5/SHA1/DES/RC4/3DES/Blowfish/ECB/constant-time/crypto and found no matches. |
| Container-Privileges | ✅ Passed | In PR #80425’s added/changed YAML (ci-operator job specs, prow configs, OSAC release config, OWNERS), no matches for privileged/hostPID/hostNetwork/hostIPC/SYS_ADMIN/allowPrivilegeEscalation/runAsU... |
| No-Sensitive-Data-In-Logs | ✅ Passed | PR adds only CI/prow YAML and OWNERS for bare-metal-fulfillment-operator; scanned these files for token/password/secret/Authorization/log keys—none found. |


@adriengentil

Contributor Author

/pj-rehearse

@openshift-merge-bot

Contributor

@adriengentil: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

@adriengentil

Contributor Author

/pj-rehearse

@coderabbitai coderabbitai Bot left a comment

Contributor

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In
`@ci-operator/config/osac-project/bare-metal-fulfillment-operator/osac-project-bare-metal-fulfillment-operator-main.yaml`:
- Around line 1-32: This config lacks a top-level tests: block so add presubmit,
postsubmit and periodic CI workflows that wire existing step-registry templates
for KUTTL/e2e and scorecard tests: create a tests: section referencing the built
image name bare-metal-fulfillment-operator and use the step-registry entries
under ci-operator/step-registry/openstack-k8s-operators/kuttl/ for KUTTL jobs
and the optional-operators/*/scorecard/ templates for scorecard runs; ensure
entries include job type (presubmit/postsubmit/periodic), appropriate from:
imageStreamTag or from: inputImage referencing the image stream tag defined
under images -> to: bare-metal-fulfillment-operator, and reuse resource/timeout
conventions from other operator configs so the jobs run on merge and on a
nightly periodic.
- Around line 12-13: The promotion is incorrectly excluding the image that
images.items[].to targets (bare-metal-fulfillment-operator), so the built image
will never be promoted; update promotion.to[].excluded_images to remove
"bare-metal-fulfillment-operator" (only exclude PR-only images or the dummy
component-image as in other OSAC configs) so the built image is eligible for
promotion and keep any PR-only or component-image entries instead.
ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 59fa2ec7-71ef-4565-9dcf-f65864f3d363

📥 Commits

Reviewing files that changed from the base of the PR and between 30aae60 and 2fea190.

⛔ Files ignored due to path filters (2)
  • ci-operator/jobs/osac-project/bare-metal-fulfillment-operator/osac-project-bare-metal-fulfillment-operator-main-postsubmits.yaml is excluded by !ci-operator/jobs/**
  • ci-operator/jobs/osac-project/bare-metal-fulfillment-operator/osac-project-bare-metal-fulfillment-operator-main-presubmits.yaml is excluded by !ci-operator/jobs/**
📒 Files selected for processing (3)
  • ci-operator/config/osac-project/bare-metal-fulfillment-operator/osac-project-bare-metal-fulfillment-operator-main.yaml
  • core-services/prow/02_config/osac-project/bare-metal-fulfillment-operator/_pluginconfig.yaml
  • core-services/prow/02_config/osac-project/bare-metal-fulfillment-operator/_prowconfig.yaml

@adriengentil

Contributor Author

/pj-rehearse

@openshift-merge-bot

Contributor

@adriengentil: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

@adriengentil

Contributor Author

/pj-rehearse

@openshift-merge-bot

Contributor

@adriengentil: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

@openshift-ci (bot) added the do-not-merge/invalid-owners-file label ("Indicates that a PR should not merge because it has an invalid OWNERS file in it.") on Jun 11, 2026
@adriengentil

Contributor Author

/pj-rehearse

@adriengentil

Contributor Author

/retest

@openshift-merge-bot

Contributor

@adriengentil: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

@coderabbitai coderabbitai Bot left a comment

Contributor

Actionable comments posted: 1

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
ci-operator/config/osac-project/bare-metal-fulfillment-operator/osac-project-bare-metal-fulfillment-operator-main.yaml (1)

1-27: 🛠️ Refactor suggestion | 🟠 Major | ⚡ Quick win

Add CI tests for operator validation.

This config builds the operator image but defines no tests: section, so there are no presubmit, postsubmit, or periodic CI validations. For operator onboarding, you should wire existing step-registry test workflows.

Consider adding:

  • Unit/KUTTL tests (see ci-operator/step-registry/openstack-k8s-operators/kuttl/)
  • Scorecard tests (see ci-operator/step-registry/optional-operators/*/scorecard/)
  • E2E workflows

Example structure:

tests:
- as: unit
  commands: make test
  container:
    from: src
- as: e2e-operator
  steps:
    cluster_profile: aws
    test:
    - as: test
      cli: latest
      commands: make test-e2e
      from: src
      resources:
        requests:
          cpu: 100m
          memory: 200Mi
    workflow: ipi-aws

Would you like me to help identify specific test workflows from the step-registry that would be appropriate for this operator?

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In
`@ci-operator/config/osac-project/bare-metal-fulfillment-operator/osac-project-bare-metal-fulfillment-operator-main.yaml`
around lines 1 - 27, The manifest is missing a tests: section so no CI
validations run; add a top-level tests: array that wires appropriate
step-registry workflows for this operator (e.g., add a unit entry that runs
"make test" in the src container, a KUTTL/functional entry referencing the kuttl
step-registry tests, a scorecard entry using the operator scorecard steps, and
an e2e/operator entry that selects a cluster_profile (aws or ipi-aws) and runs
the operator e2e make target), ensuring each test item uses the keys shown in
the example (as:, container/from, commands, steps/cluster_profile, workflow) and
refers to the src image named in images->items->to
(bare-metal-fulfillment-operator) so CI will pick up the correct image.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In
`@ci-operator/config/osac-project/bare-metal-fulfillment-operator/osac-project-bare-metal-fulfillment-operator-main.yaml`:
- Line 10: The promotion block is currently an empty mapping ("promotion: {}")
which disables image promotion; change the promotion configuration to match
other osac-project main configs by setting a proper to: list (e.g., include an
entry with name: latest and namespace: osac-project) so images are promoted to
the osac-project namespace; update the promotion key in the manifest (replace
promotion: {} with a promotion block that defines to: - name: latest namespace:
osac-project) and ensure the YAML structure matches other configs (use the same
fields and indentation as the other osac-project/*-main.yaml files).

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: eba4ba55-1288-4bbd-9385-de2bf9f48f87

📥 Commits

Reviewing files that changed from the base of the PR and between 14859a8 and 28bf30b.

📒 Files selected for processing (3)
  • ci-operator/config/osac-project/bare-metal-fulfillment-operator/OWNERS
  • ci-operator/config/osac-project/bare-metal-fulfillment-operator/osac-project-bare-metal-fulfillment-operator-main.yaml
  • core-services/prow/02_config/osac-project/bare-metal-fulfillment-operator/OWNERS
✅ Files skipped from review due to trivial changes (2)
  • core-services/prow/02_config/osac-project/bare-metal-fulfillment-operator/OWNERS
  • ci-operator/config/osac-project/bare-metal-fulfillment-operator/OWNERS

@adriengentil

Contributor Author

/pj-rehearse

@openshift-ci (bot) removed the do-not-merge/invalid-owners-file label ("Indicates that a PR should not merge because it has an invalid OWNERS file in it.") on Jun 12, 2026
@openshift-merge-bot

Contributor

@adriengentil: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

@adriengentil

Contributor Author

/pj-rehearse

@openshift-merge-bot

Contributor

@adriengentil: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

@adriengentil

Contributor Author

/pj-rehease

@openshift-merge-bot

Contributor

[REHEARSALNOTIFIER]
@adriengentil: the pj-rehearse plugin accommodates running rehearsal tests for the changes in this PR. Expand 'Interacting with pj-rehearse' for usage details. The following rehearsable tests have been affected by this change:

| Test name | Repo | Type | Reason |
| --- | --- | --- | --- |
| pull-ci-osac-project-bare-metal-fulfillment-operator-main-images | osac-project/bare-metal-fulfillment-operator | presubmit | Presubmit changed |

Interacting with pj-rehearse

Comment: /pj-rehearse to run up to 5 rehearsals
Comment: /pj-rehearse skip to opt-out of rehearsals
Comment: /pj-rehearse {test-name}, with each test separated by a space, to run one or more specific rehearsals
Comment: /pj-rehearse more to run up to 10 rehearsals
Comment: /pj-rehearse max to run up to 25 rehearsals
Comment: /pj-rehearse auto-ack to run up to 5 rehearsals, and add the rehearsals-ack label on success
Comment: /pj-rehearse list to get an up-to-date list of affected jobs
Comment: /pj-rehearse abort to abort all active rehearsals
Comment: /pj-rehearse network-access-allowed to allow rehearsals of tests that have the restrict_network_access field set to false. This must be executed by an openshift org member who is not the PR author

Once you are satisfied with the results of the rehearsals, comment: /pj-rehearse ack to unblock merge. When the rehearsals-ack label is present on your PR, merge will no longer be blocked by rehearsals.
If you would like the rehearsals-ack label removed, comment: /pj-rehearse reject to re-block merging.

@adriengentil

Contributor Author

/pj-rehearse pull-ci-osac-project-bare-metal-fulfillment-operator-main-images

@openshift-merge-bot

Contributor

@adriengentil: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

@adriengentil

Contributor Author

/test check-gh-automation

@adriengentil

Contributor Author

/pj-rehearse pull-ci-osac-project-bare-metal-fulfillment-operator-main-images

@openshift-merge-bot

Contributor

@adriengentil: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

@openshift-ci

openshift-ci Bot commented Jun 12, 2026

Contributor

@adriengentil: all tests passed!

@danilo-gemoli

Contributor

/lgtm

@openshift-ci (bot) added the lgtm label ("Indicates that a PR is ready to be merged.") on Jun 12, 2026
@openshift-ci

openshift-ci Bot commented Jun 12, 2026

Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: adriengentil, danilo-gemoli
