From d1fcdb452470243cc15abb2b1d8252c64696f6e9 Mon Sep 17 00:00:00 2001 From: Kirk Bater Date: Tue, 9 Jun 2026 16:57:57 -0400 Subject: [PATCH] Boilerplate: Update to 8fb7c801f68dc7e06e8d2ae138c2a98f0b234b56 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Conventions: - openshift/golang-osd-operator: Update --- https://github.com/openshift/boilerplate/compare/2f25b66747494403fd6c00524e580f97982de853...8fb7c801f68dc7e06e8d2ae138c2a98f0b234b56 commit: 8fb7c801f68dc7e06e8d2ae138c2a98f0b234b56 author: Josh Branham Remove user no longer in the org commit: adf5de77e6238d9697351b1030ec7f4c3e793bac author: Mitali Bhalla ROSA-745: MintMaker gomod batch + automerge via boilerplate renovate (#748) Enable grouped gomod manager in shared renovate.json with Mon-Fri 02:00-04:59 UTC batch window; pre-label lgtm/approved on safe patch/minor/digest updates; major gomod and Tekton updates open for manual review. Add lgtm/approved and Mon 03:00 UTC schedule to Dependabot docker template. Co-authored-by: Cursor commit: fb6795dfd897e2b42b7d3b9646228812b57d98c8 author: Kirk Bater remove iamkirkbater from team leads alias commit: 1d09b759691974be7028624ad761eb25915d344c author: Christopher Collins Fix container-make leaving orphaned containers on interruption Add --rm to the detached container run so it self-removes when stopped. Add an EXIT trap to stop the container on abnormal exit (Ctrl+C, terminal close, SIGTERM). Disarm the trap before normal cleanup so the happy path uses the existing explicit rm -f without a redundant stop. Co-Authored-By: Claude Opus 4.6 (1M context) commit: e63f1e4045c75dec240c472fa10d34c6d17bb85e author: red-hat-konflux[bot] chore(deps): update registry.access.redhat.com/ubi8/ubi-minimal:latest docker digest to 30b786d Signed-off-by: red-hat-konflux <126015336+red-hat-konflux[bot]@users.noreply.github.com> commit: 44a1272cb93ca85457f7179a5eb98b578e3ca6c5 author: red-hat-konflux[bot] chore(deps): update konflux references (#749) Signed-off-by: red-hat-konflux <126015336+red-hat-konflux[bot]@users.noreply.github.com> Co-authored-by: red-hat-konflux[bot] <126015336+red-hat-konflux[bot]@users.noreply.github.com> commit: 3909bdfa084fe68bff714f4d7e764860ada91018 author: MitaliBhalla Revert "Merge pull request #741 from MitaliBhalla/chore/renovate-gomod-automerge" This reverts commit b9feed9077bb86729e82a40dc46e9343da59a915, reversing changes made to 1628663baae4b9c1b7c55ed302a3d9e99376d8c6. commit: e5238f5ec6979b77e1853198f77fed08ba1713fc author: MitaliBhalla Revert "Merge pull request #746 from MitaliBhalla/chore/renovate-gomod-daily-batch" This reverts commit dd0c8513538cbc8e2c9df5ce3c2053740d733f34, reversing changes made to bbab1081503624f1e013b398e1cd2a0806b5d834. commit: 6ccbd825498f0c7c16c9860084c674ded4d2e1e2 author: MitaliBhalla Pilot: narrow gomod schedule to current UTC hour for testing Thu 06:00-06:59 UTC (~11:30 AM-12:30 PM IST) so MintMaker can run soon after merge. Production window 02:00-04:59 Mon-Fri in a follow-up. Co-authored-by: Cursor commit: eff876184ca983751b866c3cad7d7827c72438da author: MitaliBhalla Use short Thursday UTC window for MintMaker pilot test Temporary schedule 06:00-07:59 UTC (Thu) for immediate validation; restore 02:00-04:59 Mon-Fri in a follow-up after pilot sign-off. Co-authored-by: Cursor commit: d621c3a4fc0f200b400683ae744daa6c0296752d author: MitaliBhalla Batch MintMaker gomod updates on a UTC weekday schedule Group patch/minor gomod bumps into one PR per repo and open them only UTC 02:00-04:59 on weekdays. Keep lgtm/approved for tide automerge; merge gating relies on Prow required checks (DPP), not a GitHub Action. Co-authored-by: Cursor commit: a8be62527cc4192704c8f0f61a7f82fe287da4c8 author: Andrew Pantuso feat: add generation logic to propagate CRDs to deploy_pko if present commit: c7cd213a17e83b13b310d112b2aff882cd1d4d93 author: Christopher Collins Revert golangci-lint bump to v2.7.2 The Go 1.26 upgrade is no longer needed — downstream operators are bumping down the kube components version instead. Revert golangci-lint from v2.12.2 back to v2.7.2. The Python 3.9 compatibility fix from PR #743 is intentionally preserved. This reverts the golangci-lint portion of 43f0781. Created with assistance from Claude 🤖 Co-Authored-By: Claude Opus 4.6 (1M context) Signed-off-by: Christopher Collins commit: 43f0781250bdbc42890ac475f032296285c59594 author: Christopher Collins Bump golangci-lint to v2.12.2 for Go 1.26 support (#743) * Bump golangci-lint to v2.12.2 for Go 1.26 support Kubernetes v0.36.1 and controller-runtime v0.24.1 declare go 1.26.0 in their go.mod. The previous golangci-lint v2.7.2 was built with Go 1.25 and refuses to lint code targeting Go 1.26. Bumping to v2.12.2 (built with Go 1.26) unblocks operators upgrading to these dependencies. Co-Authored-By: Claude Opus 4.6 (1M context) * Fix olm_pko_migration.py Python 3.9 compatibility The `str | None` union type syntax requires Python 3.10+. The boilerplate container image ships Python 3.9, causing the 08-pko-migration test to fail with TypeError. Use Optional[str] from typing instead. Created with assistance from Claude 🤖 Co-Authored-By: Claude Opus 4.6 (1M context) Signed-off-by: Christopher Collins --------- Signed-off-by: Christopher Collins Co-authored-by: Claude Opus 4.6 (1M context) commit: 915fe611bee0958cec3c36f94294c533fcb7c740 author: devppratik Update pre-commit-yaml Add docs shorten the docs commit: f939c8d8d64f204a337372534003343078ab2341 author: MitaliBhalla Enable MintMaker automerge for gomod; pre-label Dependabot docker PRs Extend boilerplate renovate.json so gomod updates get the same automerge and lgtm/approved labels as Tekton. Keep Dependabot for /build docker; add lgtm and approved to the golang-osd-operator dependabot.yml template labels (with ok-to-test and area/dependency). Operators inherit renovate via extends; dependabot label changes apply on boilerplate-update. Co-authored-by: Cursor commit: 0fd7c667224a7d6987d3af367801d790d815e495 author: red-hat-konflux[bot] chore(deps): update konflux references Signed-off-by: red-hat-konflux <126015336+red-hat-konflux[bot]@users.noreply.github.com> commit: 5c9b1484a283341e2d9aca8300bf97cfc665ca69 author: red-hat-konflux[bot] chore(deps): update registry.access.redhat.com/ubi8/ubi-minimal:latest docker digest to f0ed531 (#738) Signed-off-by: red-hat-konflux <126015336+red-hat-konflux[bot]@users.noreply.github.com> Co-authored-by: red-hat-konflux[bot] <126015336+red-hat-konflux[bot]@users.noreply.github.com> commit: 203ecbf77405125ef1241944bf08eb1f342c609f author: red-hat-konflux[bot] chore(deps): update konflux references (#737) Signed-off-by: red-hat-konflux <126015336+red-hat-konflux[bot]@users.noreply.github.com> Co-authored-by: red-hat-konflux[bot] <126015336+red-hat-konflux[bot]@users.noreply.github.com> commit: bed16abb324583e2d5196368f26adea310f738bd author: Josh Branham Update OWNERS_ALIASES commit: 6e8c892788d166f584d335354c6a01612e14dfe2 author: jdowni000 Adding Justin Downie to srep-functional-team-aurora commit: 3f9c427aea95d083add203bbffc9417b1c53fcac author: Anthony Byrne Fix incremental linting in CI for enhanced golangci config The enhanced golangci-lint config (d83e5ee) added `new: true` to only lint new code, but this silently falls back to linting everything in CI shallow clones where the required git history is unavailable. This breaks ci/prow/lint across all consumer repos on boilerplate update. Fix by passing --new-from-rev via standard.mk's go-check target: - In CI (Prow), use PULL_BASE_SHA which is guaranteed to exist - Locally, fall back to origin/HEAD via git symbolic-ref Co-Authored-By: Claude Opus 4.6 (1M context) commit: b6e7575196e8c17274c85d2c22178ad51290c237 author: red-hat-konflux[bot] chore(deps): update registry.access.redhat.com/ubi8/ubi-minimal:latest docker digest to 308d6f6 (#733) Signed-off-by: red-hat-konflux <126015336+red-hat-konflux[bot]@users.noreply.github.com> Co-authored-by: red-hat-konflux[bot] <126015336+red-hat-konflux[bot]@users.noreply.github.com> commit: 3c2045c22f3ca116ed23b0f7eec50d3ff4774d1f author: red-hat-konflux[bot] chore(deps): update konflux references (#732) Signed-off-by: red-hat-konflux <126015336+red-hat-konflux[bot]@users.noreply.github.com> Co-authored-by: red-hat-konflux[bot] <126015336+red-hat-konflux[bot]@users.noreply.github.com> commit: a903a81cde2b197d153253df9ca148935687dc76 author: Trevor Nierman Re-enable std-error-handling exclusion for golang-osd-operator lint The golang-osd-operator golangci config was missing the std-error-handling exclusion preset, causing errcheck to flag unchecked return values from standard library functions like fmt.Printf and fmt.Println. The golang-lint convention already includes this preset. Also removes disable-default-exclusions which was redundant with the explicit preset. Co-Authored-By: Claude Opus 4.6 (1M context) commit: dc60b38466460c3b128d21fd569a2a23ca885eef author: George Adams Add geowa4 to OWNERS approvers and srep-functional-team-aurora Co-Authored-By: Claude Opus 4.6 commit: f76b2a3ebed41d057e74e9facbf21235053c161f author: devppratik Update lint to run on new changes only commit: 77970a51152ec0437f6b6845ceeb999bf80581fc author: jdowni000 Update UBI9 base image to 9.7-1778044007 for Go 1.25.9 Updates both builder and final stage to use UBI9:9.7-1778044007 which includes go-toolset-1.25.9 for fixing critical stdlib CVEs. This enables downstream projects (like aws-account-operator) to consume the latest Go stdlib security fixes. Fixes Go 1.25.9 stdlib CVEs including CVE-2026-27143 (Critical) and 11 other High/Medium severity vulnerabilities. Co-Authored-By: Claude Sonnet 4.5 commit: 0643771a04b7ebc8ec1b6d62dd85078ab864041f author: devppratik Minor fixes for pre-commit hooks and Lint commit: 636c91891f92b9d0109d45d768ff07694d3b865c author: cgong fix: renumber hooks, make RBAC check warn-only (SREP-4485) - Renumber hooks 1-6 after merging file hygiene and YAML syntax sections - Clean up inline golden-rule references from comments - Make rbac-wildcard-check warn-only (exit 0) to avoid blocking repos with pre-existing wildcard RBAC; will promote to blocking after cleanup - Add go-build binary note: compile-only, no artifacts written to repo Co-Authored-By: Claude Sonnet 4.6 (1M context) commit: 213c67c8e0ffd603b7c0935829709ba6496c9efc author: cgong fix: address review comments on pre-commit config (SREP-4485) - Merge duplicate pre-commit-hooks repo entries into one block - Move RBAC wildcard check logic to make target rbac-wildcard-check in standard.mk for readability and reuse; hook now calls make target - Clean up inline comments Co-Authored-By: Claude Sonnet 4.6 (1M context) commit: b854c349cc24ce530842764ad7982c74c8e1368c author: devppratik Update threshold values commit: 99e10d2419e0e4e7caa821eb953085ac9e44acce author: devppratik Update threshold values commit: 3bbe2cec84c927aca0c2ded28ec337e679d239be author: Anthony Byrne Remove myself from OWNERS Removed 'abyrne55' from srep-functional-team-aurora and srep-functional-leads aliases. commit: 2c24caf9372c0f117f6f4825b09c22007b80edaf author: cgong fix: remove Claude command from boilerplate MR (SREP-4485) Claude Code skill (.claude/commands/pre-commit.md) moved to SREP-4410. This MR now contains only the pre-commit-config.yaml addition. Co-Authored-By: Claude Sonnet 4.6 (1M context) commit: 298b1a437285a1031d7d6ba67c576cb694cc73ba author: cgong add: pre-commit hooks to golang-osd-operator convention (SREP-4485) Adds .pre-commit-config.yaml deployment to all operators subscribing to the golang-osd-operator boilerplate convention. Files added to convention: - pre-commit-config.yaml: Tier 1 common hooks mirroring ci/prow/lint (file hygiene, gitleaks, golangci-lint, go-build, go-mod-tidy, RBAC wildcard check) - commands/pre-commit.md: /pre-commit Claude Code agent with golden rule compliance (2-retry limit, security escalation, structured output) update script now deploys both files to operator repos: - .pre-commit-config.yaml at repo root - .claude/commands/pre-commit.md for Claude Code agent support Golden rules: SREP-4450 Co-Authored-By: Claude Sonnet 4.6 (1M context) commit: b945ce088eb8f53557f0128727141ea634127e9e author: red-hat-konflux[bot] chore(deps): update registry.access.redhat.com/ubi8/ubi-minimal:latest docker digest to 8244f60 Signed-off-by: red-hat-konflux <126015336+red-hat-konflux[bot]@users.noreply.github.com> commit: 599533cf8fcc65cf0edc89ec62b323f23ba0d50f author: red-hat-konflux[bot] chore(deps): update konflux references Signed-off-by: red-hat-konflux <126015336+red-hat-konflux[bot]@users.noreply.github.com> commit: bf40484c3a6951f1da4aba49a1fc723521267af5 author: devppratik SREP-4484: Enable codecov enforcement for repos commit: 09b0e58b9a006cc37e74fa5603fa6410a9be9f68 author: Anwardeen A Bumping ubi image commit: 7f92f3595ab6f86048fffeaaf2964011e6ff00d9 author: Anwardeen A Bumping ubi image commit: d960f6e9051781f162c9834c8c570d7b143e2634 author: red-hat-konflux[bot] chore(deps): update registry.access.redhat.com/ubi8/ubi-minimal:latest docker digest to 46f0892 Signed-off-by: red-hat-konflux <126015336+red-hat-konflux[bot]@users.noreply.github.com> commit: 8aa643951691f03c189c88749ef4cea5f5664640 author: red-hat-konflux[bot] chore(deps): update konflux references Signed-off-by: red-hat-konflux <126015336+red-hat-konflux[bot]@users.noreply.github.com> commit: ef5b692fe45d95701ea3f5cc3e3bb4c0cd4c239c author: Josh Branham remove jharrington22 commit: d83e5eea8cbd3b0c7fcaf70c612bcd538e943489 author: devppratik Update golangci-lint configuration with enhanced linters Enhance the golangci-lint configuration to include a more comprehensive set of linters organized by priority (Critical, High, Medium, Optional) with appropriate settings for error handling, security, and code quality checks. Co-Authored-By: Claude Sonnet 4.5 commit: 584d83057f7c30a136f890276b3b21f35431869f author: red-hat-konflux[bot] chore(deps): update registry.access.redhat.com/ubi8/ubi-minimal:latest docker digest to a2b9823 Signed-off-by: red-hat-konflux <126015336+red-hat-konflux[bot]@users.noreply.github.com> commit: 1e4454023a21310295aa370b6aaa6af12a3194a0 author: red-hat-konflux[bot] chore(deps): update konflux references Signed-off-by: red-hat-konflux <126015336+red-hat-konflux[bot]@users.noreply.github.com> commit: 02338011c4635e04784d62d8fc8305770f18178d author: red-hat-konflux[bot] chore(deps): update konflux references Signed-off-by: red-hat-konflux <126015336+red-hat-konflux[bot]@users.noreply.github.com> commit: 29cfe5f111d97443b583dbbceea07969c07fd5d5 author: Christopher Collins Auto-install kubectl-package via ensure.sh Add kubectl-package to ensure.sh following the golangci-lint pattern so that validate-pko-fixtures and generate-pko-fixtures auto-install the binary if it is not already on $PATH. This unblocks Prow CI on older boilerplate image tags that do not include kubectl-package. Co-Authored-By: Claude Opus 4.6 (1M context) commit: e3f009d62af7f2238476d8e66285075a2b73aaf2 author: Christopher Collins Add PKO fixture validation targets and kubectl-package to backing image (#709) * Add PKO fixture validation targets and kubectl-package to backing image Add kubectl-package v1.18.6 to the backing container image for PKO (Package Operator) template snapshot validation. Add make targets for repos that deploy via PKO: - validate-pko-fixtures: validates committed fixtures match rendered template output. Wired into `make validate` so it runs automatically in `make container-validate` and CI. Silently skips repos without PKO test fixtures. - generate-pko-fixtures: regenerates fixtures after intentional template changes. - container-generate-pko-fixtures: container-wrapped variant for developers without kubectl-package installed locally. Repos opt in by adding a `test:` section to deploy_pko/manifest.yaml with test contexts. Repos without this section are silently skipped. Created with assistance from Claude 🤖 Co-Authored-By: Claude Opus 4.6 (1M context) Signed-off-by: Christopher Collins * Document bind-mount behavior for container-generate-pko-fixtures Clarify that generated fixtures appear directly in the local checkout via bind mount — no manual copy step needed. Created with assistance from Claude 🤖 Co-Authored-By: Claude Opus 4.6 (1M context) Signed-off-by: Christopher Collins * Add .dockerignore validation and auto-creation for PKO fixtures - validate-pko-fixtures now checks that .dockerignore/.containerignore exists and excludes .test-fixtures when fixtures are present - generate-pko-fixtures auto-creates deploy_pko/.dockerignore - Documents buildah COPY * dotfile behavior in README Co-Authored-By: Claude Opus 4.6 (1M context) Signed-off-by: Christopher Collins * Fix generate-pko-fixtures to abort on validation failure Change `;` to `&&` after kubectl-package validate so that if validation fails after rm -rf deletes existing fixtures, the target stops instead of continuing to print a misleading "Fixtures regenerated" success message. Co-Authored-By: Claude Opus 4.6 (1M context) Signed-off-by: Christopher Collins --------- Signed-off-by: Christopher Collins Co-authored-by: Claude Opus 4.6 (1M context) commit: ef22cf98ee1bbd017ea134894f723e9770841cc5 author: Abhishek Remove a7vicky from srep-functional-team-thor commit: 867304f4e506e7bffba777eb93369961a1cade1e author: red-hat-konflux[bot] chore(deps): update registry.access.redhat.com/ubi8/ubi-minimal:latest docker digest to 815d4b5 Signed-off-by: red-hat-konflux <126015336+red-hat-konflux[bot]@users.noreply.github.com> commit: c0d7b3eb49f031966b7e47f3d4b09f282ff779ab author: red-hat-konflux[bot] chore(deps): update konflux references Signed-off-by: red-hat-konflux <126015336+red-hat-konflux[bot]@users.noreply.github.com> commit: 6a68e14c382e302704222f25e6b845151af63e98 author: red-hat-konflux[bot] chore(deps): update registry.access.redhat.com/ubi8/ubi-minimal:latest docker digest to 69c5a7a Signed-off-by: red-hat-konflux <126015336+red-hat-konflux[bot]@users.noreply.github.com> commit: a791f9ad49f4f6dfdaae910d8a143376d77fe8f3 author: red-hat-konflux[bot] chore(deps): update konflux references Signed-off-by: red-hat-konflux <126015336+red-hat-konflux[bot]@users.noreply.github.com> commit: e9ba67abc6946d2448c47374cb7e2e6fd1bcc20b author: red-hat-konflux[bot] chore(deps): update registry.access.redhat.com/ubi8/ubi-minimal:latest docker digest to 1352e77 Signed-off-by: red-hat-konflux <126015336+red-hat-konflux[bot]@users.noreply.github.com> commit: ef190a636e7de9682be0caedeb69b83f40bcd47c author: red-hat-konflux[bot] chore(deps): update konflux references Signed-off-by: red-hat-konflux <126015336+red-hat-konflux[bot]@users.noreply.github.com> commit: 361f0026d39c31a9df67e89d9e34ed1351fd20f6 author: Chamal Abeywardhana Adding annotation for configmap PKO migration commit: 9af8b58293416a6ee52867a4ab70b97db9f13015 author: red-hat-konflux[bot] chore(deps): update konflux references Signed-off-by: red-hat-konflux <126015336+red-hat-konflux[bot]@users.noreply.github.com> commit: 9103d7b45358eaadcde3742d57552191fea34a5d author: tkong fix the indentation error in the olm_pko_migration script when generate the manifest.yaml commit: 9dffaf77dff114aaa94887d47d24ac4d553d665d author: Anish Patel Update Konflux Tekton task bundle digests to latest trusted versions Update 8 task bundle references in docker-build-oci-ta pipeline to latest trusted versions verified via skopeo on 2026-03-10. Updated tasks: - clamav-scan:0.3 (security scan) - deprecated-image-check:0.5 (compliance check) - clair-scan:0.3 (vulnerability scan) - sast-unicode-check-oci-ta:0.4 (SAST) - sast-shell-check-oci-ta:0.1 (SAST) - sast-snyk-check-oci-ta:0.4 (SAST) - sast-coverity-check-oci-ta:0.3 (SAST) - coverity-availability-check:0.2 (compliance) - push-dockerfile-oci-ta:0.3 (build artifact) These updates resolve Enterprise Contract 'trusted_task.trusted' policy violations caused by outdated task bundle digests. All digests verified using: skopeo inspect --no-tags docker://quay.io/konflux-ci/tekton-catalog/task-{name}:{version} Fixes: Required task not from trusted task errors in Konflux builds --- .ci-operator.yaml | 4 +- .codecov.yml | 10 +- .pre-commit-config.yaml | 143 ++++++++++++++++++ OWNERS_ALIASES | 8 +- boilerplate/_data/backing-image-tag | 2 +- boilerplate/_data/last-boilerplate-commit | 2 +- boilerplate/_lib/container-make | 7 +- .../golang-osd-operator/.codecov.yml | 10 +- .../golang-osd-operator/OWNERS_ALIASES | 8 +- .../openshift/golang-osd-operator/README.md | 12 ++ .../golang-osd-operator/dependabot.yml | 5 + .../golang-osd-operator/docs/pre-commit.md | 123 +++++++++++++++ .../openshift/golang-osd-operator/ensure.sh | 17 +++ .../golang-osd-operator/golangci.yml | 85 ++++++++--- .../golang-osd-operator/olm_pko_migration.py | 8 +- .../pre-commit-config.yaml | 143 ++++++++++++++++++ .../openshift/golang-osd-operator/standard.mk | 118 ++++++++++++++- .../openshift/golang-osd-operator/update | 4 + build/Dockerfile | 4 +- build/Dockerfile.olm-registry | 2 +- 20 files changed, 661 insertions(+), 54 deletions(-) create mode 100644 .pre-commit-config.yaml create mode 100644 boilerplate/openshift/golang-osd-operator/docs/pre-commit.md create mode 100644 boilerplate/openshift/golang-osd-operator/pre-commit-config.yaml diff --git a/.ci-operator.yaml b/.ci-operator.yaml index a3628cf24..188626d79 100644 --- a/.ci-operator.yaml +++ b/.ci-operator.yaml @@ -1,4 +1,4 @@ build_root_image: - name: release + name: boilerplate namespace: openshift - tag: rhel-9-release-golang-1.25-openshift-4.22 + tag: image-v8.3.6 diff --git a/.codecov.yml b/.codecov.yml index ba05647ad..20cbf543c 100644 --- a/.codecov.yml +++ b/.codecov.yml @@ -8,8 +8,14 @@ coverage: range: "20...100" status: - project: no - patch: no + project: + default: + target: 35% + threshold: 1% + patch: + default: + target: 50% + threshold: 1% changes: no parsers: diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml new file mode 100644 index 000000000..94e5b26c8 --- /dev/null +++ b/.pre-commit-config.yaml @@ -0,0 +1,143 @@ +# ============================================================================= +# Tier 1 — Common Pre-Commit Hooks for OSD Operators +# SREP-4485 | Golden rules: SREP-4450 +# ============================================================================= +# +# INSTALL +# For detailed setup instructions including uv (recommended) and pip, +# see: boilerplate/openshift/golang-osd-operator/docs/pre-commit.md +# +# Quick start (uv): +# uv sync && source .venv/bin/activate && pre-commit install +# +# Quick start (pip): +# pip install 'pre-commit==4.6.0' && pre-commit install +# +# USAGE +# pre-commit run # staged files only (developer / agent workflow) +# pre-commit run --all-files # full repo (CI / first-time setup) +# +# BYPASS (golden rule 16) +# Skip one hook: SKIP=hook-id git commit +# Never use: git commit --no-verify +# Agents: never bypass any hook +# Security hooks: never bypassable under any circumstances +# +# CI RELATIONSHIP (golden rule 17) +# These hooks mirror ci/prow/lint. CI remains the authoritative gate. +# Every check here also runs in CI. Pre-commit is developer convenience. +# +# AGENT USAGE (golden rule 1, 7, 19) +# Agents run: pre-commit run +# Output: PRE_COMMIT=1 is set automatically — hooks emit structured output +# Retry: max 2 fix-and-retry iterations before escalating to human +# +# TIMING TARGETS (golden rule 2, 3) +# Total run: <= 10s target / <= 60s hard limit on a 10-file changeset +# Hooks run fastest-first (golden rule 13). Each hook has a timeout guard. +# +# FIRST RUN NOTE +# Auto-fix hooks (trailing-whitespace, end-of-file-fixer) will correct +# pre-existing violations on the first run. Stage and commit those fixes +# separately before day-to-day use. +# +# Fix commits can be excluded from git blame +# https://git-scm.com/docs/git-blame#Documentation/git-blame.txt---ignore-revs-filefile +# +# ============================================================================= + +repos: + + # --------------------------------------------------------------------------- + # 1. FILE HYGIENE + YAML SYNTAX | target < 2s | auto-fix + error + # - check-merge-conflict: detects unresolved merge markers + # - trailing-whitespace: removes trailing spaces (auto-fix) + # - end-of-file-fixer: ensures single EOF newline (auto-fix) + # - check-yaml: validates YAML syntax in deploy/ manifests; + # mirrors ci/prow/lint: olm-deploy-yaml-validate + # --------------------------------------------------------------------------- + - repo: https://github.com/pre-commit/pre-commit-hooks + rev: v5.0.0 # pinned immutable tag + hooks: + - id: check-merge-conflict + - id: trailing-whitespace + args: [--markdown-linebreak-ext=md] + - id: end-of-file-fixer + - id: check-yaml + name: YAML syntax (deploy/) + files: ^deploy/.*\.ya?ml$ + args: [--allow-multiple-documents] + + # --------------------------------------------------------------------------- + # 2. SECRETS DETECTION | target < 5s | always blocking + # Scans all file types (YAML, shell, config) — gosec covers Go only. + # High-confidence findings block; configure .gitleaks.toml for allowlist. + # --------------------------------------------------------------------------- + - repo: https://github.com/gitleaks/gitleaks + rev: v8.18.0 # pinned immutable tag (golden rule 15) + hooks: + - id: gitleaks + + # --------------------------------------------------------------------------- + # 3. STATIC ANALYSIS | target < 15s cached | error + # Mirrors ci/prow/lint: go-check exactly (same version + config as CI). + # Linter config: boilerplate/openshift/golang-osd-operator/golangci.yml + # --------------------------------------------------------------------------- + - repo: https://github.com/golangci/golangci-lint + rev: v2.0.2 # pinned immutable tag — must match CI (golden rule 15) + hooks: + - id: golangci-lint + args: + - --config=boilerplate/openshift/golang-osd-operator/golangci.yml + - --timeout=120s # graceful timeout (golden rule 3) + + # --------------------------------------------------------------------------- + # Local hooks — compile, dependency, security + # + # TIMEOUT NOTE (golden rule 3) + # Uses portable timeout detection: 'timeout' on Linux, 'gtimeout' on macOS. + # macOS: brew install coreutils + # Linux: timeout is available by default (GNU coreutils) + # --------------------------------------------------------------------------- + - repo: local + hooks: + + # ----------------------------------------------------------------------- + # 4. COMPILE CHECK | target < 10s cached | error + # Catches import cycles and type errors before golangci-lint runs. + # Note: go build ./... writes no binary to the repo (compile check only). + # Fix: resolve compilation errors reported by go build. + # ----------------------------------------------------------------------- + - id: go-build + name: go build + language: system + entry: bash -c 'T=$(command -v timeout || command -v gtimeout || echo); ${T:+$T 30s} go build ./...' + types: [go] + pass_filenames: false + + # ----------------------------------------------------------------------- + # 5. DEPENDENCY DRIFT | target < 10s | error + # Detects uncommitted go.mod/go.sum changes after go mod tidy. + # Fix: run 'go mod tidy' and stage go.mod and go.sum. + # ----------------------------------------------------------------------- + - id: go-mod-tidy + name: go mod tidy + language: system + entry: bash -c 'T=$(command -v timeout || command -v gtimeout || echo); ${T:+$T 60s} go mod tidy && git diff --exit-code go.mod go.sum' + files: '(\.go$|go\.(mod|sum)$)' + exclude: '^vendor/' + pass_filenames: false + + # ----------------------------------------------------------------------- + # 6. RBAC WILDCARD CHECK | target < 5s | warn-only (blocking after cleanup) + # Rejects wildcard RBAC in deploy/ manifests (verbs/resources: ["*"] + # or multi-line - '*' format). Logic lives in standard.mk target + # 'rbac-wildcard-check' for readability and reuse. + # Fix: replace wildcards with explicit verbs and resource names. + # ----------------------------------------------------------------------- + - id: rbac-wildcard-check + name: RBAC wildcard permissions + language: system + entry: bash -c 'make rbac-wildcard-check' + files: ^deploy/.*\.ya?ml$ + pass_filenames: false diff --git a/OWNERS_ALIASES b/OWNERS_ALIASES index 3c43bbc8b..12676f650 100644 --- a/OWNERS_ALIASES +++ b/OWNERS_ALIASES @@ -4,12 +4,12 @@ # ============================================================================= aliases: srep-functional-team-aurora: - - abyrne55 - AlexSmithGH + - BATMAN-JD - dakotalongRH - eth1030 + - geowa4 - joshbranham - - luis-falcon - reedcort srep-functional-team-fedramp: - theautoroboto @@ -61,7 +61,6 @@ aliases: - casey-williams-rh - boranx srep-functional-team-thor: - - a7vicky - diakovnec - MitaliBhalla - feichashao @@ -74,7 +73,6 @@ aliases: - yiqinzhang - varunraokadaparthi srep-functional-leads: - - abyrne55 - clcollins - bergmannf - theautoroboto @@ -83,7 +81,6 @@ aliases: - ravitri srep-team-leads: - rafael-azevedo - - iamkirkbater - dustman9000 - bmeng - typeid @@ -92,5 +89,4 @@ aliases: - maorfr - rogbas srep-architects: - - jharrington22 - cblecker diff --git a/boilerplate/_data/backing-image-tag b/boilerplate/_data/backing-image-tag index 77a6bbe44..ca21d244a 100644 --- a/boilerplate/_data/backing-image-tag +++ b/boilerplate/_data/backing-image-tag @@ -1 +1 @@ -image-v8.3.4 +image-v8.3.6 diff --git a/boilerplate/_data/last-boilerplate-commit b/boilerplate/_data/last-boilerplate-commit index 73b13b819..3e14fd497 100644 --- a/boilerplate/_data/last-boilerplate-commit +++ b/boilerplate/_data/last-boilerplate-commit @@ -1 +1 @@ -2f25b66747494403fd6c00524e580f97982de853 +8fb7c801f68dc7e06e8d2ae138c2a98f0b234b56 diff --git a/boilerplate/_lib/container-make b/boilerplate/_lib/container-make index 77834586d..8da20031a 100755 --- a/boilerplate/_lib/container-make +++ b/boilerplate/_lib/container-make @@ -29,12 +29,14 @@ if [[ "${CONTAINER_ENGINE##*/}" == "podman" ]] && [[ $OSTYPE == *"linux"* ]]; th else CE_OPTS="${CE_OPTS} -v $REPO_ROOT:$CONTAINER_MOUNT" fi -container_id=$($CONTAINER_ENGINE run -d ${CE_OPTS} $IMAGE_PULL_PATH sleep infinity) +container_id=$($CONTAINER_ENGINE run --rm -d ${CE_OPTS} $IMAGE_PULL_PATH sleep infinity) if [[ $? -ne 0 ]] || [[ -z "$container_id" ]]; then err "Couldn't start detached container" fi +trap "$CONTAINER_ENGINE stop $container_id >/dev/null 2>&1" EXIT + # Now run our `make` command in it with the right UID and working directory args="exec -it -u $(id -u):0 -w $CONTAINER_MOUNT $container_id" banner "Running: make $@" @@ -52,6 +54,9 @@ if [[ $rc -ne 0 ]]; then fi fi +# Disarm the interrupt trap -- normal cleanup handles it from here +trap - EXIT + # Finally, remove the container banner "Cleaning up the container" $CONTAINER_ENGINE rm -f $container_id >/dev/null diff --git a/boilerplate/openshift/golang-osd-operator/.codecov.yml b/boilerplate/openshift/golang-osd-operator/.codecov.yml index ba05647ad..20cbf543c 100644 --- a/boilerplate/openshift/golang-osd-operator/.codecov.yml +++ b/boilerplate/openshift/golang-osd-operator/.codecov.yml @@ -8,8 +8,14 @@ coverage: range: "20...100" status: - project: no - patch: no + project: + default: + target: 35% + threshold: 1% + patch: + default: + target: 50% + threshold: 1% changes: no parsers: diff --git a/boilerplate/openshift/golang-osd-operator/OWNERS_ALIASES b/boilerplate/openshift/golang-osd-operator/OWNERS_ALIASES index 3c43bbc8b..12676f650 100644 --- a/boilerplate/openshift/golang-osd-operator/OWNERS_ALIASES +++ b/boilerplate/openshift/golang-osd-operator/OWNERS_ALIASES @@ -4,12 +4,12 @@ # ============================================================================= aliases: srep-functional-team-aurora: - - abyrne55 - AlexSmithGH + - BATMAN-JD - dakotalongRH - eth1030 + - geowa4 - joshbranham - - luis-falcon - reedcort srep-functional-team-fedramp: - theautoroboto @@ -61,7 +61,6 @@ aliases: - casey-williams-rh - boranx srep-functional-team-thor: - - a7vicky - diakovnec - MitaliBhalla - feichashao @@ -74,7 +73,6 @@ aliases: - yiqinzhang - varunraokadaparthi srep-functional-leads: - - abyrne55 - clcollins - bergmannf - theautoroboto @@ -83,7 +81,6 @@ aliases: - ravitri srep-team-leads: - rafael-azevedo - - iamkirkbater - dustman9000 - bmeng - typeid @@ -92,5 +89,4 @@ aliases: - maorfr - rogbas srep-architects: - - jharrington22 - cblecker diff --git a/boilerplate/openshift/golang-osd-operator/README.md b/boilerplate/openshift/golang-osd-operator/README.md index 0f415ee09..fea37f6af 100644 --- a/boilerplate/openshift/golang-osd-operator/README.md +++ b/boilerplate/openshift/golang-osd-operator/README.md @@ -119,6 +119,18 @@ Checks consist of: - `go generate`. This is a no-op if you have no `//go:generate` directives in your code. +## PKO (Package Operator) fixture validation + +Operators deployed via [Package Operator](https://package-operator.run/) can define snapshot test fixtures that validate `.gotmpl` template rendering. If `deploy_pko/manifest.yaml` exists and contains a `test:` section, the following targets are available: + +- `make validate-pko-fixtures` validates that committed fixtures in `deploy_pko/.test-fixtures/` match the current template output. This runs automatically as part of `make validate` (and therefore `make container-validate`). Repos without PKO test fixtures are silently skipped. +- `make generate-pko-fixtures` regenerates fixtures after intentional changes to `.gotmpl` files or `manifest.yaml` config. Review the diff and commit the updated fixtures alongside the template changes. +- `make container-generate-pko-fixtures` runs fixture generation inside the boilerplate backing container, which has `kubectl-package` pre-installed. Useful if you don't have `kubectl-package` installed locally. The repository is bind-mounted into the container, so the generated fixtures appear directly in your local `deploy_pko/.test-fixtures/` directory — no manual copy step needed. + +Both targets require `kubectl-package`. If it is not found, the target fails with installation instructions. The backing container image includes `kubectl-package`, so `make container-validate` and `make container-generate-pko-fixtures` always work. + +**Important:** Buildah's `COPY *` includes dotfiles and dotdirs (contrary to standard glob behavior), so `deploy_pko/.test-fixtures/` will be included in the PKO OCI image unless excluded. `make generate-pko-fixtures` automatically creates a `deploy_pko/.dockerignore` with `.test-fixtures` to prevent this. `make validate-pko-fixtures` verifies the exclusion exists. Without it, PKO will see duplicate objects and fail to deploy the ClusterPackage. + ## FIPS (Federal Information Processing Standards) To enable FIPS in your build there is a `make ensure-fips` target. diff --git a/boilerplate/openshift/golang-osd-operator/dependabot.yml b/boilerplate/openshift/golang-osd-operator/dependabot.yml index 45e5fe356..eae3de413 100644 --- a/boilerplate/openshift/golang-osd-operator/dependabot.yml +++ b/boilerplate/openshift/golang-osd-operator/dependabot.yml @@ -5,8 +5,13 @@ updates: labels: - "area/dependency" - "ok-to-test" + - "lgtm" + - "approved" schedule: interval: "weekly" + day: "monday" + time: "03:00" + timezone: "UTC" ignore: - dependency-name: "redhat-services-prod/openshift/boilerplate" # don't upgrade boilerplate via these means diff --git a/boilerplate/openshift/golang-osd-operator/docs/pre-commit.md b/boilerplate/openshift/golang-osd-operator/docs/pre-commit.md new file mode 100644 index 000000000..88ff5bca3 --- /dev/null +++ b/boilerplate/openshift/golang-osd-operator/docs/pre-commit.md @@ -0,0 +1,123 @@ +# Pre-Commit Hooks Setup Guide + +## Installation + +### Recommended: Using uv + +[uv](https://github.com/astral-sh/uv) is recommended for Python dependency management. It provides dependency locking with package hashes (supply-chain protection), virtual environment management, and is 10-100x faster than pip. + +**Install uv:** +```bash +# macOS/Linux +curl -LsSf https://astral.sh/uv/install.sh | sh + +# Windows +powershell -c "irm https://astral.sh/uv/install.ps1 | iex" + +# Via pip +pip install uv +``` + +**First-time setup:** +```bash +uv init --bare # creates pyproject.toml +uv add --dev pre-commit==4.6.0 # adds dependency, generates uv.lock +source .venv/bin/activate # macOS/Linux (.venv\Scripts\activate on Windows) +pre-commit install +``` + +**Subsequent setup** (when `pyproject.toml` and `uv.lock` exist): +```bash +uv sync +source .venv/bin/activate +pre-commit install +``` + +### Alternative: Using pip + +```bash +pip install 'pre-commit==4.6.0' # pinned version (Golden Rule 15) +pre-commit install +``` + +Add to `requirements-dev.txt`: `pre-commit==4.6.0` + +## First-Time Setup + +Run on all files to catch existing issues: +```bash +pre-commit run --all-files +``` + +Auto-fix hooks will modify files on first run. Stage and commit these separately: +```bash +git diff +git add . +git commit -m "Fix: Apply pre-commit auto-fixes" +``` + +**Exclude fix commits from git blame:** +```bash +# Create .git-blame-ignore-revs with commit hashes +git config blame.ignoreRevsFile .git-blame-ignore-revs +``` + +See [git-blame docs](https://git-scm.com/docs/git-blame#Documentation/git-blame.txt---ignore-revs-filefile). + +## Usage + +**Automatic** (runs on `git commit`): +```bash +git add +git commit -m "Message" +``` + +**Manual:** +```bash +pre-commit run # staged files only +pre-commit run --all-files # entire repo +pre-commit run --files path/to/file # specific files +``` + +**Bypass (use sparingly):** +```bash +SKIP=hook-id git commit -m "Message" # skip one hook +git commit --no-verify # NEVER use (Golden Rule 16) +``` + +Rules: Agents never bypass hooks. Security hooks (gitleaks) never bypassable. + +## Troubleshooting + +**macOS timeout issues:** +```bash +brew install coreutils # provides gtimeout +``` + +**Virtual environment not found:** +```bash +source .venv/bin/activate +uv sync +``` + +**Hooks not running:** +```bash +ls -la .git/hooks/pre-commit # verify installation +pre-commit install # reinstall +``` + +**Hook failures:** Read error messages and fix issues: +- `go-build`: Fix compilation errors +- `go-mod-tidy`: Run `go mod tidy` and stage go.mod/go.sum +- `check-yaml`: Fix YAML syntax + +## CI Integration + +Pre-commit mirrors `ci/prow/lint`. CI is authoritative; pre-commit is developer convenience. All hooks run in CI with same config. + +If pre-commit passes but CI fails: `pre-commit autoupdate` + +## Resources + +- [Pre-Commit Documentation](https://pre-commit.com/) +- [uv Documentation](https://github.com/astral-sh/uv) diff --git a/boilerplate/openshift/golang-osd-operator/ensure.sh b/boilerplate/openshift/golang-osd-operator/ensure.sh index fd5982037..4de1116e8 100755 --- a/boilerplate/openshift/golang-osd-operator/ensure.sh +++ b/boilerplate/openshift/golang-osd-operator/ensure.sh @@ -31,6 +31,23 @@ golangci-lint) fi ;; +kubectl-package) + KUBECTL_PACKAGE_VERSION="v1.18.6" + GOPATH=$(go env GOPATH) + if which kubectl-package ; then + exit + else + mkdir -p "${GOPATH}/bin" + if ! echo "${PATH}" | grep -q "${GOPATH}/bin"; then + echo "${GOPATH}/bin not in $PATH" + exit 1 + fi + DOWNLOAD_URL="https://github.com/package-operator/package-operator/releases/download/${KUBECTL_PACKAGE_VERSION}/kubectl-package_${GOOS}_amd64" + curl -sfL "${DOWNLOAD_URL}" -o "${GOPATH}/bin/kubectl-package" + chmod +x "${GOPATH}/bin/kubectl-package" + fi + ;; + opm) mkdir -p .opm/bin cd .opm/bin diff --git a/boilerplate/openshift/golang-osd-operator/golangci.yml b/boilerplate/openshift/golang-osd-operator/golangci.yml index 46fec0352..df1596ffc 100644 --- a/boilerplate/openshift/golang-osd-operator/golangci.yml +++ b/boilerplate/openshift/golang-osd-operator/golangci.yml @@ -1,39 +1,76 @@ version: "2" -run: - concurrency: 10 + linters: - default: none enable: + # Error Handling & Security - errcheck - - gosec - govet - - ineffassign - - misspell - staticcheck + - gosec + - bodyclose + - sqlclosecheck + - contextcheck + - noctx + + # Error Prevention + - errorlint + - nilerr + - nilnil + - revive + + # Code Quality + - ineffassign + - unconvert + - unparam - unused + - misspell + + # Maintainability + - prealloc + - nolintlint + - gocyclo + - exhaustive + - makezero + - containedctx + settings: + revive: + rules: + - name: package-comments + disabled: true + + errcheck: + check-type-assertions: true + check-blank: false + + exclusions: + presets: + - std-error-handling + + gocyclo: + min-complexity: 15 + + errorlint: + errorf: true + asserts: true + comparison: true + misspell: extra-words: - typo: openshit correction: OpenShift - exclusions: - generated: lax - presets: - - comments - - common-false-positives - - legacy - - std-error-handling - paths: - - third_party/ - - builtin/ - - examples/ + +run: + timeout: 5m + # Incremental linting (new-from-rev) is passed via the Makefile's + # go-check target. In CI it uses PULL_BASE_SHA (guaranteed to exist + # even in shallow clones); locally it falls back to origin/HEAD. + +formatters: + enable: + - gofmt + - goimports + issues: max-issues-per-linter: 0 max-same-issues: 0 -formatters: - exclusions: - generated: lax - paths: - - third_party/ - - builtin/ - - examples/ diff --git a/boilerplate/openshift/golang-osd-operator/olm_pko_migration.py b/boilerplate/openshift/golang-osd-operator/olm_pko_migration.py index 6b7b67bf3..e9866b3e5 100644 --- a/boilerplate/openshift/golang-osd-operator/olm_pko_migration.py +++ b/boilerplate/openshift/golang-osd-operator/olm_pko_migration.py @@ -11,7 +11,7 @@ import subprocess import sys from pathlib import Path -from typing import Any +from typing import Any, Optional import yaml @@ -446,8 +446,8 @@ def get_pko_manifest(operator_name: str) -> dict[str, Any]: "type": "string", "default": "None", }, + }, "type": "object", - } } }, }, @@ -563,6 +563,8 @@ def annotate_manifests(manifests: list[str]) -> list[dict[str, Any]]: annotated.append(manifest) elif kind == "ServiceMonitor": annotated.append(annotate(manifest, PHASE_DEPLOY)) + elif kind == "ConfigMap": + annotated.append(annotate(manifest, PHASE_DEPLOY)) else: print(f"Unhandled type: {kind}") annotated.append(manifest) @@ -627,7 +629,7 @@ def write_pko_dockerfile(): ) ) -def extract_deployment_selector() -> str | None: +def extract_deployment_selector() -> Optional[str]: """ Extract the clusterDeploymentSelector from hack/olm-registry/olm-artifacts-template.yaml. diff --git a/boilerplate/openshift/golang-osd-operator/pre-commit-config.yaml b/boilerplate/openshift/golang-osd-operator/pre-commit-config.yaml new file mode 100644 index 000000000..94e5b26c8 --- /dev/null +++ b/boilerplate/openshift/golang-osd-operator/pre-commit-config.yaml @@ -0,0 +1,143 @@ +# ============================================================================= +# Tier 1 — Common Pre-Commit Hooks for OSD Operators +# SREP-4485 | Golden rules: SREP-4450 +# ============================================================================= +# +# INSTALL +# For detailed setup instructions including uv (recommended) and pip, +# see: boilerplate/openshift/golang-osd-operator/docs/pre-commit.md +# +# Quick start (uv): +# uv sync && source .venv/bin/activate && pre-commit install +# +# Quick start (pip): +# pip install 'pre-commit==4.6.0' && pre-commit install +# +# USAGE +# pre-commit run # staged files only (developer / agent workflow) +# pre-commit run --all-files # full repo (CI / first-time setup) +# +# BYPASS (golden rule 16) +# Skip one hook: SKIP=hook-id git commit +# Never use: git commit --no-verify +# Agents: never bypass any hook +# Security hooks: never bypassable under any circumstances +# +# CI RELATIONSHIP (golden rule 17) +# These hooks mirror ci/prow/lint. CI remains the authoritative gate. +# Every check here also runs in CI. Pre-commit is developer convenience. +# +# AGENT USAGE (golden rule 1, 7, 19) +# Agents run: pre-commit run +# Output: PRE_COMMIT=1 is set automatically — hooks emit structured output +# Retry: max 2 fix-and-retry iterations before escalating to human +# +# TIMING TARGETS (golden rule 2, 3) +# Total run: <= 10s target / <= 60s hard limit on a 10-file changeset +# Hooks run fastest-first (golden rule 13). Each hook has a timeout guard. +# +# FIRST RUN NOTE +# Auto-fix hooks (trailing-whitespace, end-of-file-fixer) will correct +# pre-existing violations on the first run. Stage and commit those fixes +# separately before day-to-day use. +# +# Fix commits can be excluded from git blame +# https://git-scm.com/docs/git-blame#Documentation/git-blame.txt---ignore-revs-filefile +# +# ============================================================================= + +repos: + + # --------------------------------------------------------------------------- + # 1. FILE HYGIENE + YAML SYNTAX | target < 2s | auto-fix + error + # - check-merge-conflict: detects unresolved merge markers + # - trailing-whitespace: removes trailing spaces (auto-fix) + # - end-of-file-fixer: ensures single EOF newline (auto-fix) + # - check-yaml: validates YAML syntax in deploy/ manifests; + # mirrors ci/prow/lint: olm-deploy-yaml-validate + # --------------------------------------------------------------------------- + - repo: https://github.com/pre-commit/pre-commit-hooks + rev: v5.0.0 # pinned immutable tag + hooks: + - id: check-merge-conflict + - id: trailing-whitespace + args: [--markdown-linebreak-ext=md] + - id: end-of-file-fixer + - id: check-yaml + name: YAML syntax (deploy/) + files: ^deploy/.*\.ya?ml$ + args: [--allow-multiple-documents] + + # --------------------------------------------------------------------------- + # 2. SECRETS DETECTION | target < 5s | always blocking + # Scans all file types (YAML, shell, config) — gosec covers Go only. + # High-confidence findings block; configure .gitleaks.toml for allowlist. + # --------------------------------------------------------------------------- + - repo: https://github.com/gitleaks/gitleaks + rev: v8.18.0 # pinned immutable tag (golden rule 15) + hooks: + - id: gitleaks + + # --------------------------------------------------------------------------- + # 3. STATIC ANALYSIS | target < 15s cached | error + # Mirrors ci/prow/lint: go-check exactly (same version + config as CI). + # Linter config: boilerplate/openshift/golang-osd-operator/golangci.yml + # --------------------------------------------------------------------------- + - repo: https://github.com/golangci/golangci-lint + rev: v2.0.2 # pinned immutable tag — must match CI (golden rule 15) + hooks: + - id: golangci-lint + args: + - --config=boilerplate/openshift/golang-osd-operator/golangci.yml + - --timeout=120s # graceful timeout (golden rule 3) + + # --------------------------------------------------------------------------- + # Local hooks — compile, dependency, security + # + # TIMEOUT NOTE (golden rule 3) + # Uses portable timeout detection: 'timeout' on Linux, 'gtimeout' on macOS. + # macOS: brew install coreutils + # Linux: timeout is available by default (GNU coreutils) + # --------------------------------------------------------------------------- + - repo: local + hooks: + + # ----------------------------------------------------------------------- + # 4. COMPILE CHECK | target < 10s cached | error + # Catches import cycles and type errors before golangci-lint runs. + # Note: go build ./... writes no binary to the repo (compile check only). + # Fix: resolve compilation errors reported by go build. + # ----------------------------------------------------------------------- + - id: go-build + name: go build + language: system + entry: bash -c 'T=$(command -v timeout || command -v gtimeout || echo); ${T:+$T 30s} go build ./...' + types: [go] + pass_filenames: false + + # ----------------------------------------------------------------------- + # 5. DEPENDENCY DRIFT | target < 10s | error + # Detects uncommitted go.mod/go.sum changes after go mod tidy. + # Fix: run 'go mod tidy' and stage go.mod and go.sum. + # ----------------------------------------------------------------------- + - id: go-mod-tidy + name: go mod tidy + language: system + entry: bash -c 'T=$(command -v timeout || command -v gtimeout || echo); ${T:+$T 60s} go mod tidy && git diff --exit-code go.mod go.sum' + files: '(\.go$|go\.(mod|sum)$)' + exclude: '^vendor/' + pass_filenames: false + + # ----------------------------------------------------------------------- + # 6. RBAC WILDCARD CHECK | target < 5s | warn-only (blocking after cleanup) + # Rejects wildcard RBAC in deploy/ manifests (verbs/resources: ["*"] + # or multi-line - '*' format). Logic lives in standard.mk target + # 'rbac-wildcard-check' for readability and reuse. + # Fix: replace wildcards with explicit verbs and resource names. + # ----------------------------------------------------------------------- + - id: rbac-wildcard-check + name: RBAC wildcard permissions + language: system + entry: bash -c 'make rbac-wildcard-check' + files: ^deploy/.*\.ya?ml$ + pass_filenames: false diff --git a/boilerplate/openshift/golang-osd-operator/standard.mk b/boilerplate/openshift/golang-osd-operator/standard.mk index 9e3249dfd..4f617e93b 100644 --- a/boilerplate/openshift/golang-osd-operator/standard.mk +++ b/boilerplate/openshift/golang-osd-operator/standard.mk @@ -172,10 +172,19 @@ docker-login: mkdir -p ${CONTAINER_ENGINE_CONFIG_DIR} @${CONTAINER_ENGINE} login -u="${REGISTRY_USER}" -p="${REGISTRY_TOKEN}" quay.io +# Only lint new/changed code. In Prow CI, PULL_BASE_SHA points to the +# base commit and is guaranteed to exist in the checkout (even shallow +# clones). Locally, fall back to the default branch ref. +ifdef PULL_BASE_SHA +LINT_NEW_FROM_REV := $(PULL_BASE_SHA) +else +LINT_NEW_FROM_REV := $(shell git symbolic-ref refs/remotes/origin/HEAD 2>/dev/null | sed 's|refs/remotes/||') +endif + .PHONY: go-check go-check: ## Golang linting and other static analysis ${CONVENTION_DIR}/ensure.sh golangci-lint - ${GOENV} GOLANGCI_LINT_CACHE=${GOLANGCI_LINT_CACHE} golangci-lint run -c ${CONVENTION_DIR}/golangci.yml ./... + ${GOENV} GOLANGCI_LINT_CACHE=${GOLANGCI_LINT_CACHE} golangci-lint run -c ${CONVENTION_DIR}/golangci.yml $(if $(LINT_NEW_FROM_REV),--new-from-rev=$(LINT_NEW_FROM_REV)) ./... .PHONY: go-generate go-generate: @@ -234,8 +243,28 @@ else $(info Did not find 'config/default' - skipping kustomize manifest generation) endif +.PHONY: sync-pko-crds +sync-pko-crds: +ifneq (,$(wildcard deploy_pko)) + @if [ -d deploy/crds ]; then \ + yq_yaml_flag=""; \ + if $(YQ) --version 2>&1 | grep -qE "^yq [0-9]"; then \ + yq_yaml_flag="-y"; \ + fi; \ + for crd in deploy/crds/*.yaml; do \ + [ -f "$$crd" ] || continue; \ + name=$$($(YQ) -r '.metadata.name' "$$crd"); \ + $(YQ) $$yq_yaml_flag '.metadata.annotations["package-operator.run/phase"] = "crds" | .metadata.annotations["package-operator.run/collision-protection"] = "IfNoController"' \ + "$$crd" > "deploy_pko/CustomResourceDefinition-$$name.yaml"; \ + echo "Synced CRD $$name to deploy_pko/"; \ + done; \ + fi +else + $(info deploy_pko/ not found - skipping PKO CRD sync) +endif + .PHONY: generate -generate: op-generate go-generate openapi-generate manifests +generate: op-generate go-generate openapi-generate manifests sync-pko-crds ifeq (${FIPS_ENABLED}, true) go-build: ensure-fips @@ -309,15 +338,94 @@ prow-config: # Targets used by prow ###################### +# validate-pko-fixtures: Validate PKO package templates against committed snapshot fixtures. +# Silently skips if deploy_pko/ has no manifest.yaml with a test section. +# Requires kubectl-package; see https://github.com/package-operator/package-operator/releases +.PHONY: validate-pko-fixtures +validate-pko-fixtures: + @if [ -d deploy_pko ] && grep -q '^test:' deploy_pko/manifest.yaml 2>/dev/null; then \ + ${CONVENTION_DIR}/ensure.sh kubectl-package; \ + echo "Validating PKO package fixtures..."; \ + kubectl-package validate deploy_pko/ || \ + (echo "ERROR: PKO fixture validation failed. Rendered templates do not match committed fixtures." >&2; \ + echo "If you intentionally changed a deploy_pko/ .gotmpl or manifest.yaml config, regenerate fixtures:" >&2; \ + echo " make generate-pko-fixtures" >&2; \ + echo " git diff deploy_pko/.test-fixtures/" >&2; \ + echo "Review the diff to confirm only your intended changes are reflected, then commit the updated fixtures." >&2; \ + echo "If you did NOT intend to change template output, your modifications may have introduced an unintended" >&2; \ + echo "regression in the rendered deployment manifests. Review your changes to deploy_pko/ carefully." >&2; \ + exit 1); \ + if [ -d deploy_pko/.test-fixtures ]; then \ + ignore_file=""; \ + if [ -f deploy_pko/.containerignore ]; then \ + ignore_file="deploy_pko/.containerignore"; \ + elif [ -f deploy_pko/.dockerignore ]; then \ + ignore_file="deploy_pko/.dockerignore"; \ + fi; \ + if [ -z "$$ignore_file" ]; then \ + echo "ERROR: deploy_pko/.test-fixtures/ exists but no .dockerignore or .containerignore found in deploy_pko/." >&2; \ + echo "Without it, test fixtures will be included in the PKO OCI image, causing Duplicate Object errors." >&2; \ + echo "Fix: run 'make generate-pko-fixtures' to auto-create deploy_pko/.dockerignore" >&2; \ + exit 1; \ + elif ! grep -q '\.test-fixtures' "$$ignore_file"; then \ + echo "ERROR: $$ignore_file exists but does not exclude .test-fixtures." >&2; \ + echo "Without this exclusion, test fixtures will be included in the PKO OCI image." >&2; \ + echo "Fix: add '.test-fixtures' to $$ignore_file" >&2; \ + exit 1; \ + fi; \ + fi; \ + fi + +# generate-pko-fixtures: Regenerate PKO snapshot fixtures after template changes. +# Requires kubectl-package; see https://github.com/package-operator/package-operator/releases +.PHONY: generate-pko-fixtures +generate-pko-fixtures: + @if [ -d deploy_pko ] && grep -q '^test:' deploy_pko/manifest.yaml 2>/dev/null; then \ + ${CONVENTION_DIR}/ensure.sh kubectl-package; \ + echo "Regenerating PKO test fixtures..."; \ + rm -rf deploy_pko/.test-fixtures; \ + kubectl-package validate deploy_pko/ && \ + if [ ! -f deploy_pko/.dockerignore ] && [ ! -f deploy_pko/.containerignore ]; then \ + echo ".test-fixtures" > deploy_pko/.dockerignore; \ + echo "Created deploy_pko/.dockerignore to exclude .test-fixtures from PKO image."; \ + elif [ -f deploy_pko/.dockerignore ] && ! grep -q '\.test-fixtures' deploy_pko/.dockerignore; then \ + echo ".test-fixtures" >> deploy_pko/.dockerignore; \ + echo "Added .test-fixtures to deploy_pko/.dockerignore."; \ + elif [ -f deploy_pko/.containerignore ] && ! grep -q '\.test-fixtures' deploy_pko/.containerignore; then \ + echo ".test-fixtures" >> deploy_pko/.containerignore; \ + echo "Added .test-fixtures to deploy_pko/.containerignore."; \ + fi; \ + echo "Fixtures regenerated. Review with 'git diff deploy_pko/.test-fixtures/' and commit."; \ + else \ + echo "No PKO test configuration found in deploy_pko/manifest.yaml, nothing to generate."; \ + fi + # validate: Ensure code generation has not been forgotten; and ensure # generated and boilerplate code has not been modified. .PHONY: validate -validate: boilerplate-freeze-check generate-check +validate: boilerplate-freeze-check generate-check validate-pko-fixtures # lint: Perform static analysis. .PHONY: lint lint: olm-deploy-yaml-validate go-check +# rbac-wildcard-check: Detect wildcard RBAC permissions in deploy/ manifests. +# Checks both inline (verbs: ["*"]) and multi-line (- '*' under verbs/resources:) +# formats. Called by the pre-commit rbac-wildcard-check hook. +# Currently warn-only (exits 0) to avoid breaking repos with pre-existing wildcards. +# Will become blocking once existing violations are resolved across the fleet. +.PHONY: rbac-wildcard-check +rbac-wildcard-check: + @python3 -c "\ +import sys,glob;\ +violations=[(f,n,l.rstrip()) for f in glob.glob('deploy/*.yaml')+glob.glob('deploy/*.yml') \ +for lines in [list(enumerate(open(f),1))] \ +for i,(n,l) in enumerate(lines) \ +if l.strip().lstrip('- ').strip(chr(39)+chr(34))=='*' \ +and any(lines[j][1].strip() in ('verbs:','resources:') for j in range(max(0,i-5),i))];\ +[print('WARNING: wildcard RBAC found: '+v[0]+'|'+str(v[1])+'|'+v[2]) for v in violations];\ +sys.exit(0)" + # test: "Local" unit and functional testing. .PHONY: test test: go-test @@ -396,6 +504,10 @@ container-validate: container-coverage: ${BOILERPLATE_CONTAINER_MAKE} coverage +.PHONY: container-generate-pko-fixtures +container-generate-pko-fixtures: + ${BOILERPLATE_CONTAINER_MAKE} generate-pko-fixtures + # Run all container-* validation targets in sequence. # Set NONINTERACTIVE=true to skip debug shells and fail fast for CI/automation. .PHONY: container-all diff --git a/boilerplate/openshift/golang-osd-operator/update b/boilerplate/openshift/golang-osd-operator/update index 7f2c702f2..5fe4a3859 100755 --- a/boilerplate/openshift/golang-osd-operator/update +++ b/boilerplate/openshift/golang-osd-operator/update @@ -110,6 +110,10 @@ echo " name: $IMAGE_NAME" echo " tag: $LATEST_IMAGE_TAG" ${SED?} "s/__NAMESPACE__/$IMAGE_NAMESPACE/; s/__NAME__/$IMAGE_NAME/; s/__TAG__/$LATEST_IMAGE_TAG/" ${HERE}/.ci-operator.yaml >$REPO_ROOT/.ci-operator.yaml +# Add pre-commit hooks configuration (SREP-4485) +echo "Copying pre-commit-config.yaml to .pre-commit-config.yaml" +cp ${HERE}/pre-commit-config.yaml $REPO_ROOT/.pre-commit-config.yaml + # Check for pipeline files in .tekton directory and centralize them TEKTON_DIR="${REPO_ROOT}/.tekton" if [ -d "$TEKTON_DIR" ]; then diff --git a/build/Dockerfile b/build/Dockerfile index 4c20a445c..8e7b556ed 100644 --- a/build/Dockerfile +++ b/build/Dockerfile @@ -1,4 +1,4 @@ -FROM quay.io/redhat-services-prod/openshift/boilerplate:image-v8.3.4 AS builder +FROM quay.io/redhat-services-prod/openshift/boilerplate:image-v8.3.6 AS builder # Copy and download the dependecies so that they are cached locally in the stages. WORKDIR /go/src/github.com/openshift/must-gather-operator @@ -7,7 +7,7 @@ COPY . /go/src/github.com/openshift/must-gather-operator RUN make go-build -FROM registry.access.redhat.com/ubi9/ubi-minimal:9.7-1771346502 +FROM registry.access.redhat.com/ubi9/ubi-minimal:9.8-1780378819 RUN microdnf install -y tar gzip openssh-clients wget shadow-utils procps sshpass nc && \ microdnf clean all diff --git a/build/Dockerfile.olm-registry b/build/Dockerfile.olm-registry index 0b73aec81..408bc99d5 100644 --- a/build/Dockerfile.olm-registry +++ b/build/Dockerfile.olm-registry @@ -4,7 +4,7 @@ COPY ${SAAS_OPERATOR_DIR} manifests RUN initializer --permissive # ubi-micro does not work for clusters with fips enabled unless we make OpenSSL available -FROM registry.access.redhat.com/ubi9/ubi-minimal:9.7-1771346502 +FROM registry.access.redhat.com/ubi9/ubi-minimal:9.8-1780378819 COPY --from=builder /bin/registry-server /bin/registry-server COPY --from=builder /bin/grpc_health_probe /bin/grpc_health_probe