Merge branch 'main' into fix/tempo-null-data-handling

Author: kpunwatk

.coderabbit.yaml

@@ -5,6 +5,16 @@
 inheritance: true
 
 reviews:
+  path_instructions:
+    - path: "**/*.py"
+      instructions: |
+        - This project targets Python 3.14 (requires-python = '==3.14.*').
+        - Per PEP 758 (https://peps.python.org/pep-0758/), bare 'except ExcA, ExcB:' without parentheses is valid syntax in Python 3.14+ and means catching both exceptions. Do not flag this as a Python 2-style except clause or suggest adding parentheses.
+        - Focus on security, test structure and coding style adherence in new code introduced
+        - Code should follow python, pytest best practices
+        - Ensure we use https://github.com/RedHatQE/openshift-python-wrapper/ instead of direct oc calls when possible
+        - Code reuse, test parameterization, proper test dependency should be also encouraged
+        - Check CONSTITUTION and AGENTS files
   review_status: false
   changed_files_summary: true
   suggested_labels: true

.github/CODEOWNERS

@@ -11,8 +11,11 @@
 *       @opendatahub-io/opendatahub-tests-contributors
 
 # Test directory specific rules
-tests/model_explainability/       @sheltoncyril @kpunwatk
-tests/model_registry/             @dbasunag @lugi0 @fege
-tests/model_serving/              @mwaykole @Raghul-M @brettmthompson @threcc @malhajfr
-tests/rag/                        @jgarciao @jiripetrlik
-tests/workbenches                 @jstourac @andyatmiami @jiridanek @harshad16
+tests/model_explainability/                    @sheltoncyril @kpunwatk
+tests/model_registry/                          @dbasunag @lugi0 @fege
+tests/model_serving/                           @mwaykole @Raghul-M @brettmthompson @threcc @rpancham @SB159
+tests/model_serving/model_runtime/             @Raghul-M @brettmthompson @rpancham
+tests/model_serving/model_server/              @threcc @mwaykole
+tests/model_serving/maas_billing/ @SB159
+tests/rag/                                     @jgarciao @jiripetrlik
+tests/workbenches                              @jstourac @andyatmiami @jiridanek @harshad16

.github/ISSUE_TEMPLATE/bug_report.md

@@ -14,10 +14,16 @@ assignees: ''
 
 <!-- Add any steps to reproduce the issue being reported or add any relevant stacktrace -->
 
+## Expected behavior
+
+A clear and concise description of what you expected to happen.
+
 ## Proposed Solution
 
 <!-- If you have a suggestion for how to fix this, describe it here -->
 
 ## Additional Context
 
-<!-- Any other information that might be helpful -->
+### Environment
+
+<!-- Any other information that might be helpful, including environment -->

.github/pull_request_template.md

@@ -10,7 +10,7 @@
 - Fixes: <!-- github issue -->
 - JIRA: <!-- Jira information -->
 
-## How it has been tested
+## Please review and indicate how it has been tested
 
 - [ ] Locally
 - [ ] Jenkins

.github/workflows/scripts/pr_workflow.py

@@ -1,3 +1,4 @@
+import logging
 import os
 import re
 import sys
@@ -23,9 +24,8 @@
 from github.PullRequest import PullRequest
 from github.Repository import Repository
 from github.Team import Team
-from simple_logger.logger import get_logger
 
-LOGGER = get_logger(name="pr_labeler")
+LOGGER = logging.getLogger("pr_labeler")
 
 
 class PrBaseClass:
@@ -109,7 +109,7 @@ def verify_allowed_user(self) -> bool:
             # check if the user is a member of opendatahub-tests-contributors
             membership = team.get_team_membership(member=self.user_login)
             LOGGER.info(f"User {self.user_login} is a member of the test contributor team. {membership}")
-            return True  # noqa: TRY300
+            return True
         except UnknownObjectException:
             LOGGER.error(f"User {self.user_login} is not allowed for this action. Exiting.")
             return False

.gitleaks.toml

@@ -10,6 +10,16 @@
 [allowlist]
   description = "Exclude test fixtures, mock data, sample configs, and CI resources"
   paths = [
+    # Go test files (commonly contain mock credentials)
+    '''.*_test\.go$''',
+
+    # JS/TS test files (.spec.ts, .test.tsx, etc.)
+    '''.*\.spec\.(ts|tsx|js|jsx)$''',
+    '''.*\.test\.(ts|tsx|js|jsx)$''',
+
+    # JS/TS test directories
+    '''__tests__/''',
+
     # Go testdata directories
     '''testdata/''',
 

.pre-commit-config.yaml

@@ -1,8 +1,13 @@
+ci:
+    autofix_prs: true
+    autoupdate_schedule: weekly
+    autoupdate_commit_msg: "chore: update pre-commit hooks"
+
 minimum_pre_commit_version: 3.3.0
 default_install_hook_types: [pre-commit, commit-msg]
 
 default_language_version:
-  python: python3.13
+  python: python3.14
 
 repos:
   - repo: https://github.com/pre-commit/pre-commit-hooks
@@ -36,19 +41,11 @@ repos:
         exclude: .*/__snapshots__/.*|.*-input\.json$|^semgrep\.yaml$
 
   - repo: https://github.com/astral-sh/ruff-pre-commit
-    rev: v0.15.4
+    rev: v0.15.8
     hooks:
       - id: ruff
       - id: ruff-format
 
-  # https://github.com/renovatebot/pre-commit-hooks/issues/2621
-  # This hook goes over the 250MiB limit that pre-commit.ci imposes
-  # Disable unless a solution is found.
-  # - repo: https://github.com/renovatebot/pre-commit-hooks
-  #   rev: 39.45.0
-  #   hooks:
-  #     - id: renovate-config-validator
-
   - repo: https://github.com/gitleaks/gitleaks
     rev: v8.30.0
     hooks:
@@ -62,6 +59,18 @@ repos:
         exclude: ^(docs/|.*test.*\.py$|utilities/manifests/.*|utilities/plugins/tgis_grpc/.*)
 
 
+  - repo: local
+    hooks:
+      - id: check-signoff
+        name: Check Signed-off-by
+        stages: [commit-msg]
+        language: system
+        entry: >
+          bash -c 'grep -q "^Signed-off-by: .* <.*@.*>" "$1" ||
+          { echo "ERROR: Commit message must include a valid Signed-off-by trailer.";
+          echo "  Use: git commit -s";
+          echo "  Or add manually: Signed-off-by: Your Name <your@email.com>"; exit 1; }' --
+
   - repo: https://github.com/espressif/conventional-precommit-linter
     rev: v1.11.0
     hooks:
@@ -81,12 +90,12 @@ repos:
           pass_filenames: false
 
   - repo: https://github.com/rhysd/actionlint
-    rev: v1.7.11
+    rev: v1.7.12
     hooks:
       - id: actionlint
 
   - repo: https://github.com/DavidAnson/markdownlint-cli2
-    rev: v0.21.0
+    rev: v0.22.0
     hooks:
       - id: markdownlint-cli2
         args:

AGENTS.md

@@ -88,6 +88,7 @@ utilities/                # Shared utility functions
 - Moving fixtures to shared locations
 - Adding new markers to `pytest.ini`
 - Modifying session-scoped fixtures
+- Adding new binaries or system-level dependencies (must also update `Dockerfile` and verify with `make build`)
 
 ### 🚫 Never
 

CONSTITUTION.md

@@ -79,8 +79,12 @@ All code MUST consider security implications.
 - Avoid running destructive commands without explicit user confirmation
 - Use detect-secrets and gitleaks pre-commit hooks to prevent secret leakage
 - Test code MUST NOT introduce vulnerabilities into the tested systems
+- Use `utilities.path_utils.resolve_repo_path` to resolve and validate any user-supplied or parameterized file paths, preventing path-traversal and symlink-escape outside the repository root
+- JIRA ticket links are allowed in PRs and commit messages (our Jira is public)
+- Do NOT reference internal-only resources (Jenkins, Confluence, Slack threads) in code, PRs, or commit messages
+- Do NOT link embargoed or security-restricted (RH-employee-only) tickets
 
-**Rationale**: Tests interact with production-like clusters; security lapses can have real consequences.
+**Rationale**: Tests interact with production-like clusters; security lapses can have real consequences. This is a public repository — only reference publicly accessible resources.
 
 ## Test Development Standards
 

Dockerfile

@@ -1,19 +1,19 @@
-FROM fedora:42
+FROM fedora:43
 
 ARG USER=odh
 ARG HOME=/home/$USER
 ARG TESTS_DIR=$HOME/opendatahub-tests/
-ENV UV_PYTHON=python3.13
+ENV UV_PYTHON=python3.14
 ENV UV_COMPILE_BYTECODE=1
 ENV UV_NO_SYNC=1
 ENV UV_NO_CACHE=1
 
 ENV BIN_DIR="$HOME_DIR/.local/bin"
 ENV PATH="$PATH:$BIN_DIR"
 
-# Install Python 3.13 and other dependencies using dnf
+# Install system dependencies using dnf
 RUN dnf update -y \
-    && dnf install -y python3.13 python3.13-pip ssh gnupg curl gpg wget vim httpd-tools rsync openssl openssl-devel\
+    && dnf install -y python3 python3-pip ssh gnupg curl gpg wget vim httpd-tools rsync openssl openssl-devel skopeo\
     && dnf clean all \
     && rm -rf /var/cache/dnf
 
@@ -22,6 +22,9 @@ RUN curl -sSL "https://github.com/fullstorydev/grpcurl/releases/download/v1.9.2/
     && tar xvf /tmp/grpcurl_1.2.tar.gz --no-same-owner \
     && mv grpcurl /usr/bin/grpcurl
 
+# Install cosign
+COPY --from=quay.io/securesign/cli-cosign@sha256:a8289d488491991d454a32784de19476f2c984917eb7a33b4544e55512f2747c /usr/local/bin/cosign /usr/bin/cosign
+
 RUN useradd -ms /bin/bash $USER
 USER $USER
 WORKDIR $HOME_DIR