chore(SREP-4482, SREP-4486, SREP-4800: Boilerplate Update for Agentic SDLC Rollout)

[charlesgong]

What type of PR is this?
boilerplate

What this PR does / why we need it?
This PR moves the changes introduced in boilerplate for Agentic SDLC Rollout into MVP for ocm-agent-operator.
Related BP MRs

• SREP-4482: Update golangci-lint configuration with enhanced linters boilerplate#716
• SREP-4484: Enable Codecov Enforcement boilerplate#720
• [SREP-4485] add pre-commit hooks to golang-osd-operator convention boilerplate#723

Which Jira/Github issue(s) this PR fixes?
Part of Rollout for Agentic SDLC -

• Lint -https://redhat.atlassian.net/browse/SREP-4482
• Pre-Commit Hook - https://redhat.atlassian.net/browse/SREP-4486
• CodeCov - https://redhat.atlassian.net/browse/SREP-4800

Special notes for your reviewer:
Pre-checks (if applicable):

• Tested latest changes against a cluster
• Ran make generate command locally to validate code changes
• Included documentation changes with PR

Summary by CodeRabbit

• Chores

  • Updated build tooling and base container images across Dockerfiles and CI configurations
  • Established new pre-commit configuration with enhanced security scanning and linting
  • Enabled codecov coverage targets for project and patch validation
  • Updated development TLS certificates and test fixtures
  • Removed team member entries from project aliases

• Bug Fixes

  • Improved webhook operation handling for Delete and Connect actions
  • Enhanced status condition handling for consistency across monitoring and metrics collection

• Tests

  • Refined integration test conditions to prevent interference from additional status fields

[openshift-ci-robot]

@charlesgong: This pull request references SREP-4482 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "5.0.0" version, but no target version was set.

This pull request references SREP-4486 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "5.0.0" version, but no target version was set.

This pull request references SREP-4800 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "5.0.0" version, but no target version was set.

Details

In response to this:

What type of PR is this?
boilerplate

What this PR does / why we need it?
This PR moves the changes introduced in boilerplate for Agentic SDLC Rollout into MVP for ocm-agent-operator.
Related BP MRs

• SREP-4482: Update golangci-lint configuration with enhanced linters boilerplate#716
• SREP-4484: Enable Codecov Enforcement boilerplate#720
• [SREP-4485] add pre-commit hooks to golang-osd-operator convention boilerplate#723

Which Jira/Github issue(s) this PR fixes?
Part of Rollout for Agentic SDLC -

• Lint -https://redhat.atlassian.net/browse/SREP-4482
• Pre-Commit Hook - https://redhat.atlassian.net/browse/SREP-4486
• CodeCov - https://redhat.atlassian.net/browse/SREP-4800

Special notes for your reviewer:
Pre-checks (if applicable):

• Tested latest changes against a cluster
• Ran make generate command locally to validate code changes
• Included documentation changes with PR

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[coderabbitai]

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

• @coderabbitai resume to resume automatic reviews.
• @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

• ▶️ Resume reviews
• 🔍 Trigger review

Walkthrough

This PR updates build container images, reconfigures pre-commit hooks with a tiered golden-rules approach and secret scanning, explicitly handles status conditions and operations in core logic for clarity, rotates development certificates, and cleans up manifests and organizational metadata.

Changes

Infrastructure, Linting, and Code Quality

Layer / File(s)	Summary
Build container image updates .ci-operator.yaml, build/Dockerfile, build/Dockerfile.olm-registry, build/Dockerfile.webhook	Coordinated bumps of CI operator build_root_image tag and all Dockerfile base images: builder stage updated from image-v8.3.4 to image-v8.3.6, and UBI minimal runtime updated from 9.7-1776104705 to 9.8-1779809423.
Pre-commit golden rules configuration and coverage checks .pre-commit-config.yaml, .codecov.yml	Replace pre-commit hooks with a tiered Tier 1 set including merge-conflict, trailing-whitespace, end-of-file fixer, YAML syntax check, gitleaks for secrets (v8.18.0), golangci-lint (v2.0.2), and local hooks for go-build, go-mod-tidy with idempotency enforcement via git diff --exit-code, and rbac-wildcard-check. Enable Codecov project (35% target) and patch (50% target) coverage status checks with 1% thresholds.
Pre-commit agentic procedure documentation .claude/commands/pre-commit.md	Document three invocation modes and a seven-step pre-commit flow: preflight checks, hook execution with stdout/stderr capture, result parsing by hook ID and location, staging and re-running after auto-fixes, retry logic bounded to two attempts for non-security failures, human escalation on security failures or timeouts, and structured reporting. Enumerate constraints: never bypass hooks, modify config to suppress, exceed retries, or auto-fix security failures; always stage before re-running and report all changes.

Core Logic Condition Handling

Layer / File(s)	Summary
Explicit condition and operation handling controllers/addon/monitoring_stack_reconciler.go, controllers/addon/phase_observe_operatorresource.go, internal/metrics/recorder.go, internal/webhooks/addon_webhook.go, integration/monitoring_stack_test.go	Add explicit switch cases for status conditions (Available, Reconciled, ResourceDiscoveryCondition, ConditionUnknown) and admission operations (Delete, Connect) in reconcilers, metrics, webhooks, and tests. Replace implicit defaults with named cases to prevent silent fallthrough and clarify intent for each condition or operation type.

Development Certificates and Manifest Cleanup

Layer / File(s)	Summary
TLS certificate rotation and manifest updates deploy-extras/development/*, deploy/80_addon-sermon-fedaration-token.yaml, deploy_pko/..., hack/hypershift/..., integration/fixtures_test.go, integration/metrics_collection_test.go, fips.go	Rotate metrics server and webhook TLS secrets with new certificate material, update webhook ValidatingWebhookConfiguration caBundle, remove trailing whitespace from manifest fields, clean up YAML comments and blank lines in test fixtures and templates, reformat lint suppression comments in integration tests, and explicitly discard return values in FIPS build initialization.
Organization ownership metadata cleanup OWNERS_ALIASES	Remove abyrne55 from srep-functional-team-aurora and srep-functional-leads aliases, and remove jharrington22 from srep-architects alias.

🎯 3 (Moderate) | ⏱️ ~20 minutes

---

Important

Pre-merge checks failed

Please resolve all errors before merging. Addressing warnings is optional.

❌ Failed checks (1 error, 2 warnings)

Check name	Status	Explanation	Resolution
Ote Binary Stdout Contract	❌ Error	fips.go:15 contains fmt.Println() in init() function (process-level code), which writes to stdout and violates OTE Binary Stdout Contract.	Redirect output to stderr: use fmt.Fprintf(os.Stderr, "***** Starting with FIPS crypto enabled *****\n") or call klog.SetOutput(os.Stderr) and use klog instead.
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.
Ipv6 And Disconnected Network Test Compatibility	⚠️ Warning	New test TestReconcileErrorMetrics uses hardcoded "localhost:8443" in curl commands, which assumes IPv4 and will fail in IPv6-only disconnected environments.	Run /payload-job periodic-ci-openshift-release-master-nightly-4.22-e2e-metal-ipi-ovn-ipv6 to test IPv6 compatibility. Replace hardcoded "localhost" with IPv6-compatible hostname handling.

✅ Passed checks (12 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately reflects the main change: a boilerplate update for the Agentic SDLC rollout, referencing the three related Jira stories (SREP-4482, SREP-4486, SREP-4800) that correspond to changes across multiple files.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names	✅ Passed	Project uses standard Go testing, not Ginkgo. All test names are static without dynamic info (UUIDs, timestamps, etc.). PR doesn't modify test names.
Test Structure And Quality	✅ Passed	Repository uses standard Go testing.T and Testify suite, not Ginkgo. Custom check for Ginkgo is not applicable. Modified tests follow quality patterns correctly.
Microshift Test Compatibility	✅ Passed	No new Ginkgo e2e tests (It/Describe/Context/When) are added in this PR. All test file changes are comment formatting, lint suppression updates, or modifications to existing tests only.
Single Node Openshift (Sno) Test Compatibility	✅ Passed	PR adds test files but none are Ginkgo e2e tests. All use standard Go testing.T (no ginkgo imports). Custom check applies only to new Ginkgo e2e tests, so not applicable here.
Topology-Aware Scheduling Compatibility	✅ Passed	PR introduces no new scheduling constraints. All changes are image/config updates, cert data changes, whitespace cleanup, or minor logic modifications with no topology-aware scheduling impact.
No-Weak-Crypto	✅ Passed	No weak cryptographic algorithms (MD5, SHA1, DES, RC4, 3DES, Blowfish, ECB), custom crypto implementations, or non-constant-time secret comparisons found in PR changes.
Container-Privileges	✅ Passed	No privilege escalation found: no privileged: true, hostPID, hostNetwork, hostIPC, SYS_ADMIN capabilities, root users, or allowPrivilegeEscalation: true.
No-Sensitive-Data-In-Logs	✅ Passed	No logging statements in the PR expose sensitive data like passwords, tokens, API keys, PII, or credentials. All logging is generic operational messages.

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[codecov-commenter]

Codecov Report

❌ Patch coverage is 0% with 2 lines in your changes missing coverage. Please review.
✅ Project coverage is 59.21%. Comparing base (a240827) to head (d580ef4).

Files with missing lines	Patch %	Lines
...ontrollers/addon/phase_observe_operatorresource.go	0.00%	2 Missing ⚠️

❌ Your patch status has failed because the patch coverage (0.00%) is below the target coverage (50.00%). You can increase the patch coverage or adjust the target coverage.

Additional details and impacted files

@@            Coverage Diff             @@
##             main     #724      +/-   ##
==========================================
- Coverage   59.24%   59.21%   -0.03%     
==========================================
  Files          62       62              
  Lines        4125     4127       +2     
==========================================
  Hits         2444     2444              
- Misses       1532     1534       +2     
  Partials      149      149              

Files with missing lines	Coverage Δ
...ontrollers/addon/phase_observe_operatorresource.go	72.28% <0.00%> (-1.79%)	⬇️

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[coderabbitai]

Actionable comments posted: 1

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (2)

controllers/addon/phase_observe_operatorresource.go (1)

97-104: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Missing fallback in CSV phase switch causes false-ready path.

The switch no longer handles empty/unexpected phases, so unresolved CSV states can fall through as success (resultNil) instead of staying unready/retrying.

Proposed fix

 switch phase {
 case operatorsv1alpha1.CSVPhaseSucceeded:
 	// do nothing here
 case operatorsv1alpha1.CSVPhaseFailed:
 	message = "failed"
 case operatorsv1alpha1.CSVPhasePending, operatorsv1alpha1.CSVPhaseInstallReady, operatorsv1alpha1.CSVPhaseInstalling, operatorsv1alpha1.CSVPhaseUnknown, operatorsv1alpha1.CSVPhaseReplacing, operatorsv1alpha1.CSVPhaseDeleting, operatorsv1alpha1.CSVPhaseAny:
 	message = "unknown/pending"
+default:
+	message = "unknown/pending"
 }

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@controllers/addon/phase_observe_operatorresource.go` around lines 97 - 104,
The switch on the CSV state variable phase (using
operatorsv1alpha1.CSVPhaseSucceeded/Failed/Pending/etc.) lacks a
default/fallback, so unexpected or empty phases fall through as success; update
the switch in controllers/addon/phase_observe_operatorresource.go to include a
default case that sets message (the same variable used for status) to an
"unknown/pending" or equivalent non-ready value and ensure the calling code does
not treat that path as resultNil/success (i.e., cause a retry or mark not-ready)
so unresolved CSV states don't incorrectly signal readiness.

deploy-extras/development/01-metrics-server-tls-secret.yaml (1)

1-14: ⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Stale validity comment after cert rotation.

The header comment claims this cert is valid until May 21 12:11:09 3021 GMT, but the rotated cert in ca-bundle.crt/tls.crt decodes to NotAfter: Jan 6 03:42:55 2034 GMT (~10 years from NotBefore: Jan 9 2024). Update the comment so dev users don't assume a far-future expiry.

📝 Proposed fix

 # This Secret is only for testing / dev.
-# This cert is valid till May 21 12:11:09 3021 GMT
+# This cert is valid till Jan  6 03:42:55 2034 GMT
 # When deployed as an OLM Bundle, OLM will handle injecting TLS secrets
 # CN = addon-operator-metrics.addon-operator.svc

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@deploy-extras/development/01-metrics-server-tls-secret.yaml` around lines 1 -
14, The top header comment is stale; update the comment above the Secret
(metadata.name: manager-metrics-tls) to reflect the certificate's actual
NotAfter value (NotAfter: Jan 6 03:42:55 2034 GMT) instead of "May 21 12:11:09
3021 GMT" so devs won't be misled; edit the first few comment lines to state the
correct expiry (and optionally note NotBefore: Jan 9 2024) while leaving the
rest of the Secret (ca-bundle.crt, tls.crt, tls.key) untouched.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.claude/commands/pre-commit.md:
- Around line 77-84: The fenced code block that begins with the triple backticks
around the "PRE-COMMIT SUMMARY" text lacks a language identifier; update the
opening fence in .claude/commands/pre-commit.md so it includes a language token
(for example "text" or "plain") immediately after the ``` to satisfy markdown
linting. Locate the block which contains the "PRE-COMMIT SUMMARY" header and
change the opening ``` to ```text (or another appropriate language) so the
linter recognizes the code fence.

---

Outside diff comments:
In `@controllers/addon/phase_observe_operatorresource.go`:
- Around line 97-104: The switch on the CSV state variable phase (using
operatorsv1alpha1.CSVPhaseSucceeded/Failed/Pending/etc.) lacks a
default/fallback, so unexpected or empty phases fall through as success; update
the switch in controllers/addon/phase_observe_operatorresource.go to include a
default case that sets message (the same variable used for status) to an
"unknown/pending" or equivalent non-ready value and ensure the calling code does
not treat that path as resultNil/success (i.e., cause a retry or mark not-ready)
so unresolved CSV states don't incorrectly signal readiness.

In `@deploy-extras/development/01-metrics-server-tls-secret.yaml`:
- Around line 1-14: The top header comment is stale; update the comment above
the Secret (metadata.name: manager-metrics-tls) to reflect the certificate's
actual NotAfter value (NotAfter: Jan 6 03:42:55 2034 GMT) instead of "May 21
12:11:09 3021 GMT" so devs won't be misled; edit the first few comment lines to
state the correct expiry (and optionally note NotBefore: Jan 9 2024) while
leaving the rest of the Secret (ca-bundle.crt, tls.crt, tls.key) untouched.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: e6ddd226-f5cf-4464-a3f0-79b9780fd956

📥 Commits

Reviewing files that changed from the base of the PR and between ee483fd and 04bb6f9.

⛔ Files ignored due to path filters (14)

• boilerplate/_data/backing-image-tag is excluded by !boilerplate/**
• boilerplate/_data/last-boilerplate-commit is excluded by !boilerplate/**
• boilerplate/openshift/golang-osd-operator/.codecov.yml is excluded by !boilerplate/**
• boilerplate/openshift/golang-osd-operator/OWNERS_ALIASES is excluded by !boilerplate/**
• boilerplate/openshift/golang-osd-operator/README.md is excluded by !boilerplate/**
• boilerplate/openshift/golang-osd-operator/TEST_README.md is excluded by !boilerplate/**
• boilerplate/openshift/golang-osd-operator/app-sre.md is excluded by !boilerplate/**
• boilerplate/openshift/golang-osd-operator/csv-generate/csv-generate.sh is excluded by !boilerplate/**
• boilerplate/openshift/golang-osd-operator/golangci.yml is excluded by !boilerplate/**
• boilerplate/openshift/golang-osd-operator/olm_pko_migration.py is excluded by !boilerplate/**
• boilerplate/openshift/golang-osd-operator/pre-commit-config.yaml is excluded by !boilerplate/**
• boilerplate/openshift/golang-osd-operator/standard.mk is excluded by !boilerplate/**
• boilerplate/openshift/golang-osd-operator/test_olm_pko_migration.py is excluded by !boilerplate/**
• boilerplate/openshift/golang-osd-operator/update is excluded by !boilerplate/**

📒 Files selected for processing (25)

• .ci-operator.yaml
• .claude/commands/pre-commit.md
• .codecov.yml
• .pre-commit-config.yaml
• OWNERS_ALIASES
• build/Dockerfile
• build/Dockerfile.olm-registry
• build/Dockerfile.webhook
• controllers/addon/monitoring_stack_reconciler.go
• controllers/addon/phase_observe_operatorresource.go
• deploy-extras/development/01-metrics-server-tls-secret.yaml
• deploy-extras/development/webhook/00-tls-secret.yaml
• deploy-extras/development/webhook/validatingwebhookconfig.yaml
• deploy/80_addon-sermon-fedaration-token.yaml
• deploy_pko/.test-fixtures/config-with-proxy/Cleanup-OLM-Job.yaml
• deploy_pko/Cleanup-OLM-Job.yaml
• fips.go
• hack/hypershift/package/.test-fixtures/namespace-scope/hcp/addon-operator.yaml
• hack/hypershift/package/hcp/addon-operator.yaml.gotmpl
• hack/hypershift/package/manifest.yaml
• integration/fixtures_test.go
• integration/metrics_collection_test.go
• integration/monitoring_stack_test.go
• internal/metrics/recorder.go
• internal/webhooks/addon_webhook.go

💤 Files with no reviewable changes (2)

• integration/fixtures_test.go
• OWNERS_ALIASES

[coderabbitai]

Actionable comments posted: 3

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.pre-commit-config.yaml:
- Around line 41-52: The hooks list for the pre-commit-hooks repo is missing the
large-file protection; add the check-added-large-files hook to the existing
hooks under repo: https://github.com/pre-commit/pre-commit-hooks rev: v5.0.0 by
inserting an entry with id: check-added-large-files (optionally with args like
--maxkb=<value> to match repo policy) alongside check-merge-conflict,
trailing-whitespace, end-of-file-fixer and check-yaml so large files are
rejected at commit time; update the hooks block that currently contains id:
check-merge-conflict and id: trailing-whitespace to include id:
check-added-large-files.
- Around line 76-99: Add a new pre-commit hook entry alongside the existing
go-build and go-mod-tidy hooks: create a hook with id "go-fmt" (name "go fmt")
that uses the system language and executes the Go formatter over staged Go files
(targeting .go files or using types: [go]); ensure it runs before other checks,
sets appropriate file matching (e.g., .go files), and configures pass_filenames
so formatting applies to staged files, keeping the hook consistent with the
existing go-mod-tidy and go-build entries.

In `@AGENTS.md`:
- Around line 1-3: The document's top-level heading is incorrect: replace the
first-line title "# CLAUDE.md" with "# AGENTS.md" so the file title matches the
filename and conforms to the guideline for AGENTS.md; update only the heading
line at the top of the file.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 35d0e577-e9ed-4322-b055-7f639e4c18a6

📥 Commits

Reviewing files that changed from the base of the PR and between ca9026b and 37cac1d.

⛔ Files ignored due to path filters (14)

• boilerplate/_data/backing-image-tag is excluded by !boilerplate/**
• boilerplate/_data/last-boilerplate-commit is excluded by !boilerplate/**
• boilerplate/openshift/golang-osd-operator/.codecov.yml is excluded by !boilerplate/**
• boilerplate/openshift/golang-osd-operator/OWNERS_ALIASES is excluded by !boilerplate/**
• boilerplate/openshift/golang-osd-operator/README.md is excluded by !boilerplate/**
• boilerplate/openshift/golang-osd-operator/TEST_README.md is excluded by !boilerplate/**
• boilerplate/openshift/golang-osd-operator/app-sre.md is excluded by !boilerplate/**
• boilerplate/openshift/golang-osd-operator/csv-generate/csv-generate.sh is excluded by !boilerplate/**
• boilerplate/openshift/golang-osd-operator/golangci.yml is excluded by !boilerplate/**
• boilerplate/openshift/golang-osd-operator/olm_pko_migration.py is excluded by !boilerplate/**
• boilerplate/openshift/golang-osd-operator/pre-commit-config.yaml is excluded by !boilerplate/**
• boilerplate/openshift/golang-osd-operator/standard.mk is excluded by !boilerplate/**
• boilerplate/openshift/golang-osd-operator/test_olm_pko_migration.py is excluded by !boilerplate/**
• boilerplate/openshift/golang-osd-operator/update is excluded by !boilerplate/**

📒 Files selected for processing (20)

• .ci-operator.yaml
• .claude/commands/pre-commit.md
• .codecov.yml
• .pre-commit-config.yaml
• AGENTS.md
• CLAUDE.md
• OWNERS_ALIASES
• build/Dockerfile
• build/Dockerfile.olm-registry
• build/Dockerfile.webhook
• deploy-extras/development/01-metrics-server-tls-secret.yaml
• deploy-extras/development/webhook/00-tls-secret.yaml
• deploy-extras/development/webhook/validatingwebhookconfig.yaml
• deploy/80_addon-sermon-fedaration-token.yaml
• deploy_pko/.test-fixtures/config-with-proxy/Cleanup-OLM-Job.yaml
• deploy_pko/Cleanup-OLM-Job.yaml
• fips.go
• hack/hypershift/package/.test-fixtures/namespace-scope/hcp/addon-operator.yaml
• hack/hypershift/package/hcp/addon-operator.yaml.gotmpl
• hack/hypershift/package/manifest.yaml

✅ Files skipped from review due to trivial changes (12)

• build/Dockerfile.webhook
• CLAUDE.md
• hack/hypershift/package/manifest.yaml
• .codecov.yml
• fips.go
• deploy_pko/Cleanup-OLM-Job.yaml
• hack/hypershift/package/.test-fixtures/namespace-scope/hcp/addon-operator.yaml
• OWNERS_ALIASES
• hack/hypershift/package/hcp/addon-operator.yaml.gotmpl
• .ci-operator.yaml
• deploy_pko/.test-fixtures/config-with-proxy/Cleanup-OLM-Job.yaml
• deploy/80_addon-sermon-fedaration-token.yaml

🚧 Files skipped from review as they are similar to previous changes (3)

• build/Dockerfile.olm-registry
• build/Dockerfile
• deploy-extras/development/webhook/validatingwebhookconfig.yaml

[coderabbitai]

Actionable comments posted: 1

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

controllers/addon/phase_observe_operatorresource.go (1)

97-104: ⚠️ Potential issue | 🔴 Critical | ⚖️ Poor tradeoff

Missing explicit handling for empty CSV phase.

The getCSVPhase function can return an empty string when csvReference is nil (line 115) or when the CSV has no "Succeeded" condition (line 128). With the removal of the default case, an empty phase will not match any case in this switch, leaving message as an empty string. This causes the check at line 106 to fail, and the function returns resultNil, nil without calling reportUnreadyCSV, effectively treating the addon as ready.

An empty phase likely indicates the CSV was not found in the operator status or is malformed, which should be treated as "not ready" rather than implicitly allowing the addon to appear available.

🔧 Proposed fix to handle empty phase

 var message string
 switch phase {
 case operatorsv1alpha1.CSVPhaseSucceeded:
 	// do nothing here
 case operatorsv1alpha1.CSVPhaseFailed:
 	message = "failed"
 case operatorsv1alpha1.CSVPhasePending, operatorsv1alpha1.CSVPhaseInstallReady, operatorsv1alpha1.CSVPhaseInstalling, operatorsv1alpha1.CSVPhaseUnknown, operatorsv1alpha1.CSVPhaseReplacing, operatorsv1alpha1.CSVPhaseDeleting, operatorsv1alpha1.CSVPhaseAny:
 	message = "unknown/pending"
+case "":
+	message = "missing or unknown"
+default:
+	message = "unexpected phase"
 }

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@controllers/addon/phase_observe_operatorresource.go` around lines 97 - 104,
The switch in getCSVPhase leaves message empty for an empty CSV phase, causing
the function to return early and not call reportUnreadyCSV; update the switch in
getCSVPhase (and/or the caller logic around reportUnreadyCSV) to explicitly
handle an empty phase (e.g., add a case "" or a default branch) and set message
to the same "unknown/pending" (or another "not ready") string so that
reportUnreadyCSV is invoked when csvReference is nil or the CSV lacks a
Succeeded condition.

♻️ Duplicate comments (3)

.pre-commit-config.yaml (2)

59-69: 🛠️ Refactor suggestion | 🟠 Major | ⚡ Quick win

Add required large-file protection hook.

The check-added-large-files hook is missing from the pre-commit-hooks configuration. This allows oversized artifacts to slip into commits.

➕ Add large-file check

       - id: check-yaml
         name: YAML syntax (deploy/)
         files: ^deploy/.*\.ya?ml$
         args: [--allow-multiple-documents]
+      - id: check-added-large-files
+        args: [--maxkb=500]

As per coding guidelines, "Pre-commit hooks configured in .pre-commit-config.yaml should include go-fmt, go-mod-tidy, and large file checks".

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.pre-commit-config.yaml around lines 59 - 69, The pre-commit config is
missing the check-added-large-files hook; add the hook entry (id:
check-added-large-files) under the hooks list for the pre-commit-hooks repo
block so added files exceeding the allowed size are blocked. Include sensible
args (e.g., --maxkb or similar flag) per pre-commit-hooks docs and ensure it
sits alongside existing hooks like check-merge-conflict and trailing-whitespace
so it runs for all commits. Reference the repo block that currently contains
hooks: check-merge-conflict, trailing-whitespace, end-of-file-fixer, check-yaml.

---

102-143: 🛠️ Refactor suggestion | 🟠 Major | ⚡ Quick win

Add required go-fmt hook.

The go-fmt hook is missing from the local hooks configuration. While go-mod-tidy is present, formatting enforcement is required by policy.

➕ Add go-fmt hook

       - id: go-build
         name: go build
         language: system
         entry: bash -c 'T=$(command -v timeout || command -v gtimeout || echo); ${T:+$T 30s} go build ./...'
         types: [go]
         pass_filenames: false
 
+      # -----------------------------------------------------------------------
+      # Go formatting check  |  target < 2s  |  auto-fix
+      # -----------------------------------------------------------------------
+      - id: go-fmt
+        name: go fmt
+        language: system
+        entry: bash -c 'gofmt -w -l .'
+        types: [go]
+        pass_filenames: false
+
       # -----------------------------------------------------------------------
       # 5. DEPENDENCY DRIFT  |  target < 10s  |  error

As per coding guidelines, "Pre-commit hooks configured in .pre-commit-config.yaml should include go-fmt, go-mod-tidy, and large file checks".

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.pre-commit-config.yaml around lines 102 - 143, The local pre-commit hooks
are missing a go-fmt hook; add a new hook with id "go-fmt" (adjacent to the
existing "go-mod-tidy" and "rbac-wildcard-check" entries) that runs the Go
formatter (e.g., using "gofmt -s -w" or equivalent) as a system-language hook,
targets Go files (files: '(\.go$)' or types: [go]), and sets
pass_filenames:false and an appropriate timeout similar to
"go-build"/"go-mod-tidy" so formatting is enforced by the pre-commit pipeline.

.claude/commands/pre-commit.md (1)

47-84: ⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Clarify attempt counting terminology in workflow and report.

The attempt counting logic is internally consistent but the final report template may confuse implementers. Line 47 starts attempt_count at 1, line 64 references "2 fix-and-retry attempts," and line 57 stops when count reaches 3 (1 initial + 2 retries). However, line 84's report template says "Attempts: of 2 maximum" without clarifying whether N counts total attempts (1-3) or retry attempts (0-2).

📝 Recommended clarification

-Attempts:   <N> of 2 maximum
+Retry attempts: <N> of 2 maximum  (total runs: <N+1>)

Or alternatively, use total attempt terminology consistently throughout:

-**Stop retrying when:**
-- All hooks pass → report success
-- `attempt_count` reaches 3 → stop, escalate to human (see Step 6)
+**Stop retrying when:**
+- All hooks pass → report success
+- Total attempts reach 3 (initial + 2 retries) → stop, escalate to human (see Step 6)

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.claude/commands/pre-commit.md around lines 47 - 84, The workflow uses
attempt_count starting at 1 but mixes "retries" and "total attempts"
terminology; update language and the final report to be consistent by choosing
total-attempts wording: revise all references (e.g., the variable attempt_count,
the stop condition "stop when attempt_count reaches 3", and the sentence "2
fix-and-retry attempts") to read "2 retries (3 total attempts)" and change the
final report template line from "Attempts: <N> of 2 maximum" to "Attempts: <N>
of 3 total (including initial)"; ensure any logic/checks that compare
attempt_count use the same convention (stop when attempt_count >= 3 or when
retries >= 2) and reflect that in the human-escalation text and summary output
so implementers unambiguously know whether N counts retries or total attempts.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@build/Dockerfile.webhook`:
- Line 15: The Dockerfile uses a pinned Red Hat UBI base image tag in the FROM
instruction (registry.access.redhat.com/ubi9/ubi-minimal:9.8-1779809423); change
that pinned tag to a floating Red Hat-managed tag (for example use :9.8 or :9)
so the base image receives RH-managed updates and security patches—update the
FROM line in the Dockerfile accordingly and ensure no other lines reference the
specific build identifier.

---

Outside diff comments:
In `@controllers/addon/phase_observe_operatorresource.go`:
- Around line 97-104: The switch in getCSVPhase leaves message empty for an
empty CSV phase, causing the function to return early and not call
reportUnreadyCSV; update the switch in getCSVPhase (and/or the caller logic
around reportUnreadyCSV) to explicitly handle an empty phase (e.g., add a case
"" or a default branch) and set message to the same "unknown/pending" (or
another "not ready") string so that reportUnreadyCSV is invoked when
csvReference is nil or the CSV lacks a Succeeded condition.

---

Duplicate comments:
In @.claude/commands/pre-commit.md:
- Around line 47-84: The workflow uses attempt_count starting at 1 but mixes
"retries" and "total attempts" terminology; update language and the final report
to be consistent by choosing total-attempts wording: revise all references
(e.g., the variable attempt_count, the stop condition "stop when attempt_count
reaches 3", and the sentence "2 fix-and-retry attempts") to read "2 retries (3
total attempts)" and change the final report template line from "Attempts: <N>
of 2 maximum" to "Attempts: <N> of 3 total (including initial)"; ensure any
logic/checks that compare attempt_count use the same convention (stop when
attempt_count >= 3 or when retries >= 2) and reflect that in the
human-escalation text and summary output so implementers unambiguously know
whether N counts retries or total attempts.

In @.pre-commit-config.yaml:
- Around line 59-69: The pre-commit config is missing the
check-added-large-files hook; add the hook entry (id: check-added-large-files)
under the hooks list for the pre-commit-hooks repo block so added files
exceeding the allowed size are blocked. Include sensible args (e.g., --maxkb or
similar flag) per pre-commit-hooks docs and ensure it sits alongside existing
hooks like check-merge-conflict and trailing-whitespace so it runs for all
commits. Reference the repo block that currently contains hooks:
check-merge-conflict, trailing-whitespace, end-of-file-fixer, check-yaml.
- Around line 102-143: The local pre-commit hooks are missing a go-fmt hook; add
a new hook with id "go-fmt" (adjacent to the existing "go-mod-tidy" and
"rbac-wildcard-check" entries) that runs the Go formatter (e.g., using "gofmt -s
-w" or equivalent) as a system-language hook, targets Go files (files: '(\.go$)'
or types: [go]), and sets pass_filenames:false and an appropriate timeout
similar to "go-build"/"go-mod-tidy" so formatting is enforced by the pre-commit
pipeline.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 7b6d43f2-51bf-4474-999d-1c926a1d6686

📥 Commits

Reviewing files that changed from the base of the PR and between 37cac1d and dd55a61.

⛔ Files ignored due to path filters (11)

• boilerplate/_data/backing-image-tag is excluded by !boilerplate/**
• boilerplate/_data/last-boilerplate-commit is excluded by !boilerplate/**
• boilerplate/openshift/golang-osd-operator/.codecov.yml is excluded by !boilerplate/**
• boilerplate/openshift/golang-osd-operator/OWNERS_ALIASES is excluded by !boilerplate/**
• boilerplate/openshift/golang-osd-operator/dependabot.yml is excluded by !boilerplate/**
• boilerplate/openshift/golang-osd-operator/docs/pre-commit.md is excluded by !boilerplate/**
• boilerplate/openshift/golang-osd-operator/golangci.yml is excluded by !boilerplate/**
• boilerplate/openshift/golang-osd-operator/olm_pko_migration.py is excluded by !boilerplate/**
• boilerplate/openshift/golang-osd-operator/pre-commit-config.yaml is excluded by !boilerplate/**
• boilerplate/openshift/golang-osd-operator/standard.mk is excluded by !boilerplate/**
• boilerplate/openshift/golang-osd-operator/update is excluded by !boilerplate/**

📒 Files selected for processing (25)

• .ci-operator.yaml
• .claude/commands/pre-commit.md
• .codecov.yml
• .pre-commit-config.yaml
• OWNERS_ALIASES
• build/Dockerfile
• build/Dockerfile.olm-registry
• build/Dockerfile.webhook
• controllers/addon/monitoring_stack_reconciler.go
• controllers/addon/phase_observe_operatorresource.go
• deploy-extras/development/01-metrics-server-tls-secret.yaml
• deploy-extras/development/webhook/00-tls-secret.yaml
• deploy-extras/development/webhook/validatingwebhookconfig.yaml
• deploy/80_addon-sermon-fedaration-token.yaml
• deploy_pko/.test-fixtures/config-with-proxy/Cleanup-OLM-Job.yaml
• deploy_pko/Cleanup-OLM-Job.yaml
• fips.go
• hack/hypershift/package/.test-fixtures/namespace-scope/hcp/addon-operator.yaml
• hack/hypershift/package/hcp/addon-operator.yaml.gotmpl
• hack/hypershift/package/manifest.yaml
• integration/fixtures_test.go
• integration/metrics_collection_test.go
• integration/monitoring_stack_test.go
• internal/metrics/recorder.go
• internal/webhooks/addon_webhook.go

💤 Files with no reviewable changes (1)

• integration/fixtures_test.go

✅ Files skipped from review due to trivial changes (10)

• hack/hypershift/package/manifest.yaml
• controllers/addon/monitoring_stack_reconciler.go
• deploy/80_addon-sermon-fedaration-token.yaml
• .codecov.yml
• hack/hypershift/package/.test-fixtures/namespace-scope/hcp/addon-operator.yaml
• .ci-operator.yaml
• deploy_pko/.test-fixtures/config-with-proxy/Cleanup-OLM-Job.yaml
• deploy_pko/Cleanup-OLM-Job.yaml
• OWNERS_ALIASES
• integration/metrics_collection_test.go

🚧 Files skipped from review as they are similar to previous changes (5)

• hack/hypershift/package/hcp/addon-operator.yaml.gotmpl
• build/Dockerfile
• deploy-extras/development/webhook/validatingwebhookconfig.yaml
• fips.go
• build/Dockerfile.olm-registry

[devppratik]

/test images

[charlesgong]

/test images

[charlesgong]

/test images

[charlesgong]

/test images

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: charlesgong, erdii

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS [erdii]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[erdii]

/lgtm

[openshift-ci]

@charlesgong: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/precommit-check	c3ec759	link	unknown	/test precommit-check

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.