
chore: add operator integration tests workflow #246

Open
kramaranya wants to merge 1 commit into opendatahub-io:master from kramaranya:operator-integration-tests

Conversation

@kramaranya kramaranya commented May 14, 2026


Summary

Adds a caller workflow that triggers the MLflow operator's integration tests

Depends on: opendatahub-io/mlflow-operator#123

RHOAIENG-62014

Upstream / Downstream Impact

  • Downstream-only change for opendatahub-io/mlflow
  • Also affects upstream mlflow/mlflow
  • No upstream impact / not applicable

If relevant, add any upstream issue or follow-up link here:

Testing

  • CI
  • Unit tests
  • Manual testing
  • Not run (explain why)

Summary by CodeRabbit

  • Chores
    • Added integration test workflow for continuous integration
    • Updated policy validation to accommodate reusable workflows
    • Refined action reference filtering in development tooling


openshift-ci Bot commented May 14, 2026


[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign humairak for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci openshift-ci Bot requested review from HumairAK and mprahl May 14, 2026 10:24

coderabbitai Bot commented May 14, 2026

📝 Walkthrough

A new GitHub Actions workflow operator-integration-tests.yml is added, triggering on pull_request, push to master/main/rhoai-*, and workflow_dispatch. Its sole job delegates execution to a reusable workflow in opendatahub-io/mlflow-operator pinned to commit d76a54cb14617d048ed64c3936fc4702efcc4636, forwarding github.repository and github.ref as inputs with contents: read permissions. The OPA policy in .github/policy.rego is updated so reusable-workflow jobs (job.uses) are excluded from the jobs_without_timeout check. The dev/check_actions.py script is updated to also skip uses: references containing /.github/workflows/ during action reference validation.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes


Supply chain surface (CWE-494, CWE-829):

The caller passes ${{ github.ref }} directly to the reusable workflow as mlflow_ref. If the reusable workflow at d76a54cb ever uses that ref to check out code without sanitization, an attacker controlling a branch name could influence execution — though the pinned commit SHA does bound the blast radius to what that specific commit does with mlflow_ref.

Verify that opendatahub-io/mlflow-operator at d76a54cb does not use mlflow_ref in a git checkout or actions/checkout ref: without explicit restriction. The SHA pin is correct practice, but the mlflow_ref input propagation still warrants inspection in the callee.

The policy exclusion (not job.uses) and script exclusion for /.github/workflows/ are logically necessary to support reusable workflows, but together they represent a reduction in enforcement coverage — future reusable workflow jobs will not be checked for timeouts or action pinning. Confirm whether the callee workflow itself enforces timeouts.

🚥 Pre-merge checks | ✅ 4 | ❌ 6

❌ Failed checks (6 inconclusive)

The following six custom checks all returned ❓ Inconclusive with the same explanation and resolution: Contribution Quality And Spam Detection, No Hardcoded Secrets, No Weak Cryptography, No Injection Vectors, No Privileged Containers, No Sensitive Data In Logs.
  • Explanation: Repository clone failed, so this custom check could not run with code access.
  • Resolution: Retry the review run. If this persists, inspect pre-merge custom-check logs for infrastructure or agent runtime failures.

✅ Passed checks (4 passed)
  • Title check ✅ Passed: The title 'chore: add operator integration tests workflow' accurately describes the main change, adding a new GitHub Actions workflow file for operator integration tests.
  • Description check ✅ Passed: The PR description covers required sections with summary, Jira link, and upstream/downstream impact clearly marked. However, the Testing section is incomplete: no testing method is selected or explained.
  • Linked Issues check ✅ Passed: Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check ✅ Passed: Check skipped because no linked issues were found for this pull request.

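As an added example (not code from this PR or from opendatahub-io/mlflow), the two checks that the walkthrough and the supply-chain note above call for, as a small Python linter: (1) every non-local `uses:` target, including a reusable-workflow call of the `owner/repo/.github/workflows/file.yml@ref` form, must be pinned to a 40-hex commit SHA instead of being skipped, and (2) a ref forwarded as an input such as `mlflow_ref` is accepted only if it is a well-formed git ref name that cannot be read as a command-line option or as shell syntax. The regexes, function names and the embedded sample workflow are assumptions constructed for this example; the only line taken from the PR is the pinned `uses:` line.

```python
import re

# Assumed line matcher, modelled on the kind of `uses:` regex dev/check_actions.py
# uses (not copied from it): captures the target and an optional trailing comment.
_USES_RE = re.compile(
    r"^\s*-?\s*uses:\s*(?P<action>[^\s#]+)(?:\s*#\s*(?P<comment>.*?))?\s*$"
)
_SHA_RE = re.compile(r"^[0-9a-f]{40}$")
# Reusable workflow: owner/repo/.github/workflows/<file>.yml@<ref>
_REUSABLE_RE = re.compile(
    r"^(?P<repo>[^/@]+/[^/@]+)/\.github/workflows/[^@]+\.ya?ml@(?P<ref>[^\s]+)$"
)
# Ordinary action: owner/repo[/subpath]@<ref>
_ACTION_RE = re.compile(r"^(?P<repo>[^/@]+/[^/@]+)(?:/[^@]*)?@(?P<ref>[^\s]+)$")


def classify_uses(action: str):
    """Return (kind, ref): kind is 'local', 'reusable', 'action' or 'unknown'."""
    if action.startswith("./"):
        return "local", None
    m = _REUSABLE_RE.match(action)
    if m:
        return "reusable", m.group("ref")
    m = _ACTION_RE.match(action)
    if m:
        return "action", m.group("ref")
    return "unknown", None  # e.g. docker://, which this example does not handle


def check_uses_pinned(workflow_text: str):
    """Return (lineno, message) for every non-local uses: that is not pinned
    to a full commit SHA. Reusable workflows are validated, not skipped."""
    findings = []
    for lineno, line in enumerate(workflow_text.splitlines(), start=1):
        m = _USES_RE.match(line)
        if not m:
            continue
        kind, ref = classify_uses(m.group("action"))
        if kind == "local":
            continue
        if kind == "unknown":
            findings.append((lineno, f"unrecognised uses: target {m.group('action')!r}"))
        elif not _SHA_RE.match(ref):
            findings.append((lineno, f"{kind} reference not pinned to a full SHA: {ref}"))
    return findings


# Characters git refuses in ref names (see git-check-ref-format), plus the
# sequences '..', '@{' and '//'.
_BAD_REF_PART = re.compile(r"(\.\.|@\{|//|[\s~^:?*\[\\\x00-\x1f\x7f])")
_SHELL_META = set("$`;&|<>()'\"")


def is_safe_ref(ref: str) -> bool:
    """True only for a ref name git would accept that also cannot be parsed as
    an option (leading '-') or as shell syntax if someone interpolates it into
    a `run:` step. Full 40-hex SHAs pass, since they are plain hex."""
    if not ref or len(ref) > 255:
        return False
    if ref[0] in "-/" or ref.endswith("/") or ref.endswith(".") or ref.endswith(".lock"):
        return False
    if ref == "@" or _BAD_REF_PART.search(ref):
        return False
    return not (_SHELL_META & set(ref))


# Constructed sample caller workflow; only the reusable `uses:` line is taken
# from the PR. Line 15 is deliberately left unpinned to show a finding.
SAMPLE_WORKFLOW = """\
name: operator-integration-tests
on:
  pull_request:
permissions:
  contents: read
jobs:
  integration-tests:
    uses: opendatahub-io/mlflow-operator/.github/workflows/integration-tests.yml@d76a54cb14617d048ed64c3936fc4702efcc4636
    with:
      mlflow_ref: ${{ github.ref }}
  lint:
    runs-on: ubuntu-latest
    steps:
      - uses: ./.github/actions/setup
      - uses: actions/checkout@v4
"""

if __name__ == "__main__":
    for lineno, msg in check_uses_pinned(SAMPLE_WORKFLOW):
        print(f"sample workflow:{lineno}: {msg}")
    for candidate in ["refs/heads/master", "--upload-pack=id", "main;id"]:
        print(f"{candidate!r}: {'ok' if is_safe_ref(candidate) else 'rejected'}")
```

Run against the sample, the linter reports only line 15 (`actions/checkout@v4`); the reusable-workflow call on line 8 passes because its ref is a full SHA, whereas the same call with `@main` would be reported. `is_safe_ref` is what the callee would apply to `inputs.mlflow_ref` before handing it to `actions/checkout` or a `git` command: `refs/heads/master` and a 40-hex SHA pass, while `--upload-pack=id`, `main;id` and `feature/../../x` are rejected.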

@github-actions github-actions Bot added the size/S Pull request size: S label May 14, 2026

kramaranya commented May 14, 2026


/hold I'll need to update this PR with the new SHA once opendatahub-io/mlflow-operator#123 is merged

@kramaranya kramaranya force-pushed the operator-integration-tests branch from ce213f7 to cb48d29 Compare May 27, 2026 15:21
@kramaranya kramaranya force-pushed the operator-integration-tests branch 2 times, most recently from 28fc92f to 306cf9d Compare June 11, 2026 11:40
Comment thread .github/policy.rego
jobs_without_timeout(jobs) := {job_id |
some job_id, job in jobs
not job["timeout-minutes"]
not job.uses
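Review bot: `not job.uses` drops every reusable-workflow job from `jobs_without_timeout`, so the caller-side policy no longer bounds the runtime of the `integration-tests` job at all. Since `timeout-minutes` cannot be set on a `uses:` job, the bound has to live in the callee; add a comment next to this exclusion saying so, and consider a companion rule that flags a `uses:` job whose pinned callee is not known to declare `timeout-minutes` on its own jobs, so the exclusion does not silently cover future reusable-workflow calls.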

Author


needed this for reusable workflow jobs, since they can't set timeout-minutes

Comment thread dev/check_actions.py
@@ -105,7 +105,7 @@ def _iter_actions(path: Path) -> Iterator[ActionRef]:
for lineno, line in enumerate(f, start=1):
if m := _USES_RE.match(line):
action = m.group("action")
if not action.startswith("./"):
if not action.startswith("./") and "/.github/workflows/" not in action:
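Review bot: the added `and "/.github/workflows/" not in action` condition removes reusable-workflow references from pin validation entirely instead of validating them as their own kind. A `jobs.<id>.uses` target is the same supply-chain edge as a step `uses:`, so it should still be required to carry a 40-character SHA; as written, an unpinned `uses: org/repo/.github/workflows/x.yml@main` added later passes silently. Suggest keeping these lines in `_iter_actions` and teaching the downstream check to resolve `owner/repo/.github/workflows/file.yml@ref` (the repository is the first two path segments) rather than skipping it.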

Author


needed so the pin check doesn't misread our reusable workflow call as a regular action

@kramaranya


/unhold
@mprahl @HumairAK could you take a look please?


push:
branches:
- master



Could you add rhoai-* and main as well so sync to RHDS doesn't require a diff.


jobs:
integration-tests:
uses: opendatahub-io/mlflow-operator/.github/workflows/integration-tests.yml@d76a54cb14617d048ed64c3936fc4702efcc4636
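Review bot: the reference is pinned to a full commit SHA, which is the right practice, but the repository's pin convention (as CodeRabbit's later comment on dev/check_action_pins.py spells out) also expects an inline `# vX.Y.Z` comment recording which tag the SHA corresponds to; add it here so a reader can tell what d76a54cb is and tooling can bump it. Since the job forwards `github.ref` to the callee as `mlflow_ref`, it is also worth stating in the workflow that the callee at this SHA must treat that input as untrusted and not interpolate it into `run:` steps.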



Is there a way to make this dynamic to use the matching release branch?

Author


I don't think we can make uses: dynamic; GitHub requires a static value, as per https://docs.github.com/en/actions/reference/workflows-and-actions/workflow-syntax#jobsjob_iduses
I think reusing this workflow downstream should still be fine, wdyt?



I think this exposes a limitation of reusable workflows since jobs.<job_id>.uses has to be a fully static reference. Ideally, we want to be running the MLflow operator tests from the same GitHub org and same target branch (exception being master vs main in ODH).

We may need to switch to either:

  1. a normal job that triggers mlflow-operator via workflow_dispatch / repository_dispatch, passing the org + branch dynamically, or
  2. a normal job that checks out ${{ github.repository_owner }}/mlflow-operator at the matching branch and runs the integration test entrypoint directly.

Both of those support dynamic org/branch selection at runtime, while uses: does not. What are your thoughts?

@kramaranya kramaranya force-pushed the operator-integration-tests branch from 306cf9d to 83b9729 Compare June 11, 2026 16:33

@coderabbitai coderabbitai Bot left a comment



Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@dev/check_action_pins.py`:
- Line 108: The condition that skips validation for reusable workflow references
(the check using action.startswith("./") and the string "/.github/workflows/" in
the variable action) must be removed so jobs.<id>.uses entries are subject to
the same 40-char SHA pin, inline "# vX.Y.Z" comment, and SHA↔tag consistency
checks; update the logic in the function that iterates over action (in
dev/check_action_pins.py) to treat any non-local "./" reference the same
regardless of "/.github/workflows/" and ensure the existing validators for SHA
pinning and version comment are invoked for those entries, then update the
reusable-workflow uses lines in the repo to include the required "# vX.Y.Z"
comment matching the pinned SHA.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Central YAML (base), Organization UI (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: dc4d3ce8-1e67-4475-9484-958f41ba7a69

📥 Commits

Reviewing files that changed from the base of the PR and between 28fc92f and 83b9729.

📒 Files selected for processing (3)
  • .github/policy.rego
  • .github/workflows/operator-integration-tests.yml
  • dev/check_action_pins.py
🚧 Files skipped from review as they are similar to previous changes (1)
  • .github/workflows/operator-integration-tests.yml

Comment thread dev/check_actions.py
@kramaranya kramaranya requested a review from mprahl June 11, 2026 16:45
Signed-off-by: kramaranya <kramaranya15@gmail.com>
@kramaranya kramaranya force-pushed the operator-integration-tests branch from 83b9729 to 4c2a874 Compare June 23, 2026 14:50

@coderabbitai coderabbitai Bot left a comment



🧹 Nitpick comments (2)
dev/check_actions.py (2)

207-215: 🎯 Functional Correctness | 🔵 Trivial | ⚡ Quick win

Path validation may produce false positives for future files.

_check_paths() requires patterns to match currently tracked files. This breaks for:

  1. Patterns protecting against future file additions (paths-ignore)
  2. Files not yet committed
  3. Patterns for files in .gitignore

Consider whether paths-ignore should be validated differently, or if a warning (not error) is more appropriate.

Example: separate handling for ignore patterns
 def _check_paths() -> Iterator[str]:
     files = _list_tracked_files()
     for path in sorted(_iter_workflow_files()):
         for event, key, pattern in _iter_path_patterns(path):
+            # Skip validation for ignore patterns (they protect against future files)
+            if key == "paths-ignore":
+                continue
             if not _pattern_matches(pattern, files):
                 yield (
                     f"{path}: [on.{event}.{key}] pattern {pattern!r} does not"
                     " match any tracked file"
                 )
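Review bot: skipping `paths-ignore` entirely in `_check_paths()` also silences genuine typos in ignore patterns (a misspelled `docs/**` would then never be caught). Rather than `continue`, yield the same message for these patterns with a distinct warning prefix, or collect them separately, so the check still surfaces the mistake without failing the run for a pattern that is intentionally ahead of the tree.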
🤖 Prompt for AI Agents

In `@dev/check_actions.py` around lines 207 - 215, The _check_paths() function
treats all patterns equally, but paths-ignore patterns are meant to protect
against future files and should not be validated against currently tracked
files. Modify the function to differentiate between regular path patterns and
paths-ignore patterns by checking the key returned from _iter_path_patterns().
For paths-ignore patterns, either skip the validation entirely or emit a warning
instead of an error yield, since these patterns are designed to prevent triggers
on files that may be added in the future or are intentionally ignored in git.

143-173: 📐 Maintainability & Code Quality | 🔵 Trivial

Add support for ? and [] glob metacharacters in path filter conversion.

_LITERAL_CHARS rejects ? and [], which GitHub Actions minimatch explicitly supports. The code will raise ValueError for workflows using these valid patterns. Note: brace expansion ({}) is intentionally unsupported by GitHub Actions, so rejecting it is correct.

🤖 Prompt for AI Agents

In `@dev/check_actions.py` around lines 143 - 173, The _glob_to_regex function
needs to support two additional glob metacharacters that are valid in GitHub
Actions minimatch patterns but are currently unsupported. Add a new condition to
handle the `?` character which should match any single character except forward
slash (convert to `[^/]` in regex), and add another condition to handle bracket
expressions `[]` which should match any character within the brackets by parsing
from the opening bracket to the closing bracket, escaping special regex
characters within, and appending the resulting character class. Insert these new
conditions in the while loop before the _LITERAL_CHARS.match check to give them
proper precedence over literal character matching.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Central YAML (base), Organization UI (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 4a6ae3e5-e609-4015-9b25-6509ef1c33ee

📥 Commits

Reviewing files that changed from the base of the PR and between 83b9729 and 4c2a874.

📒 Files selected for processing (3)
  • .github/policy.rego
  • .github/workflows/operator-integration-tests.yml
  • dev/check_actions.py
🚧 Files skipped from review as they are similar to previous changes (2)
  • .github/workflows/operator-integration-tests.yml
  • .github/policy.rego
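An added example (not part of this PR or of the project's dev/check_actions.py) of the glob conversion the two nitpicks above describe: a converter from GitHub Actions path-filter patterns to an anchored Python regex that handles `*`, `**`, `?` and bracket classes (including `[!...]` / `[^...]` negation) and rejects brace expansion, which GitHub Actions does not support. The function names, and the treatment of a leading or mid-pattern `**/` as zero or more directory levels, are assumptions of this example, not the project's code.

```python
import re


def glob_to_regex(pattern: str) -> str:
    """Translate a GitHub Actions path-filter glob into an anchored regex.

    Rules implemented (assumed from the GitHub filter-pattern syntax):
      *      any run of characters except '/'
      **     any run of characters including '/'; '**/' also matches zero levels
      ?      exactly one character except '/'
      [...]  a character class; a leading '!' or '^' negates it
      {...}  brace expansion is not supported by GitHub, so it is rejected
    """
    out = []
    i, n = 0, len(pattern)
    while i < n:
        c = pattern[i]
        if pattern.startswith("**/", i):
            out.append("(?:.*/)?")  # zero or more directory levels
            i += 3
        elif pattern.startswith("**", i):
            out.append(".*")
            i += 2
        elif c == "*":
            out.append("[^/]*")
            i += 1
        elif c == "?":
            out.append("[^/]")
            i += 1
        elif c == "[":
            # search from i+2 so a ']' or '!' in first position is a member
            end = pattern.find("]", i + 2)
            if end == -1:
                raise ValueError(f"unterminated character class in {pattern!r}")
            body = pattern[i + 1 : end]
            negate = body[:1] in ("!", "^")
            if negate:
                body = body[1:]
            if not body:
                raise ValueError(f"empty character class in {pattern!r}")
            # escape regex-significant characters inside the class; '-' keeps
            # its range meaning, as it does in minimatch
            body = "".join("\\" + ch if ch in "\\^]" else ch for ch in body)
            out.append("[" + ("^" if negate else "") + body + "]")
            i = end + 1
        elif c in "{}":
            raise ValueError(f"brace expansion is not supported: {pattern!r}")
        else:
            out.append(re.escape(c))
            i += 1
    return "^" + "".join(out) + "$"


def path_matches(pattern: str, path: str) -> bool:
    """True if `path` (repo-relative, forward slashes) matches the filter glob."""
    return re.fullmatch(glob_to_regex(pattern), path) is not None


if __name__ == "__main__":
    for pat, p in [("src/**/*.py", "src/a/b/c.py"), ("file?.txt", "file/.txt"),
                   ("[!abc].txt", "d.txt")]:
        print(f"{pat!r} vs {p!r}: {path_matches(pat, p)}")
```

The `?` and `[...]` branches are the two the nitpick asks for; both are placed before the literal fallback so they take precedence over plain escaping. Brace expansion still raises, which matches the nitpick's observation that rejecting `{}` is correct for GitHub Actions.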
