
OSAC-1535: Add OSAC connected CI job #528

Open

eurijon wants to merge 9 commits into integration/osac-plugin from feature/osac-ci-e2e-reusable

Conversation

@eurijon (Contributor) commented Jun 19, 2026

Summary

  • Make e2e-deployment.yml callable as a reusable workflow (workflow_call) with inputs for plugin chain, AAP license file, run mode selection, and cleanup/notification controls
  • Add e2e-osac.yml — thin caller workflow that deploys the OSAC plugin stack (lvms → trust-manager → rhbk → authorino → aap → osac) in connected mode
  • Add explicit deploy-plugin steps for each OSAC addon plugin (trust-manager, rhbk, authorino, aap, cnv, osac) to both connected and disconnected E2E jobs, conditionally run based on enabled-plugins
  • Add AAP license file handling to deploy_plugin.sh for CI environments (copies license to LZ, generates osac.yaml with osacProfilesList: [caas])

The job calls make deploy-plugin separately for each addon because addon plugin installation from bootstrap.sh was temporarily removed in #476.

Depends on #525.

Changes to e2e-deployment.yml

  • workflow_call trigger with inputs mirroring workflow_dispatch plus enabled-plugins and aap-license-file
  • check-e2e-needed resolves run_connected/run_disconnected from caller inputs (needed because the inputs context is unreliable in workflow_call)
  • Job conditions use resolved outputs instead of checking inputs directly
  • ENABLED_PLUGINS and AAP_LICENSE_FILE env vars set from inputs
  • Explicit conditional addon plugin deploy steps (trust-manager, rhbk, authorino, aap, cnv, osac) in both connected and disconnected jobs
  • Cleanup conditions simplified (work for both dispatch and call)

Adding more OSAC CI modes

To add disconnected mode, update e2e-osac.yml:

run-disconnected: true

Or create a separate e2e-osac-disconnected.yml caller for independent triggers.

Test plan

  • Verify yamllint passes on both workflow files
  • Verify shellcheck passes on deploy_plugin.sh
  • Verify existing E2E jobs are unaffected (no behavioral change when enabled-plugins is empty)
  • Manual dispatch of E2E OSAC workflow deploys the full plugin chain

🤖 Generated with Claude Code

Summary by CodeRabbit

Release Notes

  • New Features

    • E2E deployment workflow now supports configurable inputs for deployment modes, plugin selection, and AAP license file support.
    • New OSAC-specific E2E deployment testing workflow added.
  • Chores

    • Enhanced E2E deployment pipeline infrastructure and improved license file handling in deployments.

eurijon added 2 commits June 19, 2026 10:56
Replace single-value osacProfile (development/vmaas/caas) with
osacProfilesList array so multiple profiles can be enabled
simultaneously. Aligns with the VMaaS/CaaS/BMaaS experience split.

- Add bmaas profile (same controllers as caas)
- Drop development profile, default to [caas]
- Remove HyperConverged CRD pre-validate check
- Update Helm values template to check list membership
- Update docs and config example

Assisted-by: Claude Code <noreply@anthropic.com>

- Add minItems: 1 and uniqueItems: true to schema
- Add vmaas to default profiles list for consistency with
  previous development profile behavior
- Fix VMaaS prerequisites in docs table

Assisted-by: Claude Code <noreply@anthropic.com>
coderabbitai Bot commented Jun 19, 2026

Walkthrough

The e2e-deployment.yml workflow gains workflow_call support with new inputs for plugin chains, AAP license, and run-mode flags. A new e2e-osac.yml workflow invokes it as a caller in connected-only mode with a fixed OSAC plugin chain. deploy_plugin.sh is extended to transfer the AAP license file to the Landing Zone and generate osac.yaml when absent.

Changes

OSAC E2E Plugin Chain Support

Layer / File(s) Summary
workflow_call interface and decision logic
.github/workflows/e2e-deployment.yml
Adds workflow_call trigger with enabled-plugins, aap-license-file, run-connected, and run-disconnected inputs; updates Make decision step to resolve run-mode flags for workflow_call events with empty-input fallback to true; emits run_connected and run_disconnected as job outputs.
Conditional plugin deployment and cleanup gating
.github/workflows/e2e-deployment.yml
Gates connected and disconnected jobs on run_connected/run_disconnected outputs; injects ENABLED_PLUGINS and AAP_LICENSE_FILE env vars in both modes; adds per-plugin conditional deploy steps for trust-manager, rhbk, authorino, aap, cnv, and osac; generalizes cleanup conditions to skip-cleanup only; extends failure-step name maps and ordering for all six new steps in both modes.
New e2e-osac.yml caller workflow
.github/workflows/e2e-osac.yml
Adds a complete OSAC E2E workflow with workflow_dispatch and PR path-filter triggers, concurrency group keyed by PR or run id, minimal permissions, and a single job calling e2e-deployment.yml in connected-only mode with the lvms,trust-manager,rhbk,authorino,aap,osac plugin chain.
AAP license handling in deploy_plugin.sh
scripts/deployment/deploy_plugin.sh
Adds AAP_LICENSE_FILE validation and SCP transfer to the Landing Zone, injects osacAapLicenseFile into EXTRA_VARS_CONTENT, and generates config/plugins/osac.yaml with the license path and a default osacProfilesList: [caas] when the file is not already present on the Landing Zone.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Possibly related PRs

  • rh-ecosystem-edge/enclave#478: Previously removed AAP license validation and secret creation from the plugin deployment flow; this PR reintroduces AAP license file handling in deploy_plugin.sh via osacAapLicenseFile injection and config/plugins/osac.yaml generation.

Suggested labels

plugins

Suggested reviewers

  • javipolo
  • rporres

Poem

⚙️ A license is copied, a YAML conjured anew,
Six plugins march forth — trust, rhbk, authorino too.
workflow_call opens the gate, connected or not,
OSAC stands ready, deployed to the spot.
🔐 Risk noted: that license file travels by SCP — keep it guarded and hot!


Caution

Pre-merge checks failed

Please resolve all errors before merging. Addressing warnings is optional.

  • Ignore

❌ Failed checks (1 error)

  • No-Injection-Vectors: ❌ Error. Multiple injection vectors detected: unconstrained storage-plugin input interpolated into shell/JSON (lines 164-165), substring matching vulnerability in plugin gating (lines 396-421, 842-867), u... Resolution: Validate storage-plugin input, use token-boundary checking for contains() calls (e.g., contains(format(',{0},', env.ENABLED_PLUGINS), ',plugin-name,')), quote variables in YAML output, and validate plugin names against regex pattern.

✅ Passed checks (10 passed)

  • Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
  • Linked Issues check: ✅ Passed. Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check: ✅ Passed. Check skipped because no linked issues were found for this pull request.
  • No-Hardcoded-Secrets: ✅ Passed. No hardcoded secrets found. All sensitive credentials properly reference GitHub Actions context variables (${{ secrets.* }}) and environment variables, not string literals.
  • No-Weak-Crypto: ✅ Passed. No weak crypto algorithms (MD5, SHA1, DES, RC4, 3DES, Blowfish, ECB), custom implementations, or non-constant-time secret comparisons detected in the PR files.
  • Container-Privileges: ✅ Passed. PR modifies GitHub Actions workflows and a shell script, not container/K8s manifests. Custom check for container privileges is not applicable to these file types.
  • No-Sensitive-Data-In-Logs: ✅ Passed. The PR adds logging and environment variables for AAP license file paths and plugin deployment configuration. All logged data are file paths and configuration values, not passwords, tokens, API key...
  • Ai-Attribution: ✅ Passed. AI tool (Claude Code) usage is declared in PR description and commit includes proper Assisted-by trailer. No Co-Authored-By misuse detected.
  • Description Check: ✅ Passed. Check skipped - CodeRabbit's high-level summary is enabled.
  • Title check: ✅ Passed. The title accurately describes the main objective of the PR: adding an OSAC connected CI job via the new e2e-osac.yml workflow. It is specific, concise, and directly relates to the primary changes.

@github-actions github-actions Bot added deployment Deployment-related changes ci-cd CI/CD infrastructure plugins labels Jun 19, 2026
@eurijon eurijon changed the base branch from integration/osac-plugin to fix/osac-profiles-list June 19, 2026 10:18
eurijon added 2 commits June 19, 2026 12:22
The inline comment said default was [caas] but defaults.yaml has
[caas, vmaas]. Updated both osac.example.yaml and OSAC_DEPLOYMENT.md
to show the correct default.

Assisted-by: Claude Code <noreply@anthropic.com>
Assisted-by: Claude Code <noreply@anthropic.com>
@eurijon eurijon changed the title OSAC-1535: Add OSAC connected CI job [WIP] OSAC-1535: Add OSAC connected CI job Jun 19, 2026
eurijon added 2 commits June 19, 2026 17:12
Make e2e-deployment.yml callable via workflow_call so other workflows
can run E2E with a custom plugin chain. Add e2e-osac.yml as a thin
caller that deploys the OSAC stack (lvms, trust-manager, rhbk, authorino,
aap, osac) in connected mode.

Also adds AAP license file handling to deploy_plugin.sh for CI
environments where the license is pre-staged on the runner.

Assisted-by: Claude Code <noreply@anthropic.com>
Add explicit deploy-plugin steps for each OSAC addon plugin
(trust-manager, rhbk, authorino, aap, cnv, osac) to both connected
and disconnected E2E jobs. Each step is conditionally run based on
the enabled-plugins input. Replaces the hardcoded example plugin step.

Assisted-by: Claude Code <noreply@anthropic.com>
@eurijon eurijon force-pushed the feature/osac-ci-e2e-reusable branch from 1b32ef3 to 5f3247e Compare June 19, 2026 15:12
@github-actions github-actions Bot removed the plugins label Jun 19, 2026
@eurijon eurijon changed the title [WIP] OSAC-1535: Add OSAC connected CI job OSAC-1535: Add OSAC connected CI job Jun 19, 2026
@eurijon (Contributor, Author) commented Jun 19, 2026

@coderabbitai review

coderabbitai Bot commented Jun 19, 2026

✅ Action performed

Review finished.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

coderabbitai Bot left a comment

Actionable comments posted: 6

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/e2e-deployment.yml:
- Around line 395-423: The `contains()` checks for plugin gating use substring
matching which can unintentionally match partial strings (e.g., 'osac' would
match 'myosac'). Update all the conditional statements in the deploy steps
(deploy_trust_manager, deploy_rhbk, deploy_authorino, deploy_aap, deploy_cnv,
deploy_osac) to use delimiter-based matching instead. Wrap the ENABLED_PLUGINS
environment variable and each plugin name with delimiters (such as commas) to
ensure only explicitly enabled plugins in the CSV list are matched, preventing
unintended deployments from substring collisions.
- Around line 157-165: The `inputs.storage-plugin` value is being directly
interpolated into shell commands and the GITHUB_OUTPUT without validation,
creating a critical injection vulnerability where malicious input could break
quoting, corrupt JSON output, or execute arbitrary shell code. Add validation to
ensure the storage-plugin input only contains allowed plugin names (whitelist
approach) before it is used in the PLUGIN assignment and the echo statement that
writes to storage_plugins in GITHUB_OUTPUT. Alternatively, properly escape or
quote the value to prevent shell injection when constructing the JSON output.

In @.github/workflows/e2e-osac.yml:
- Line 48: In the e2e-osac workflow file, replace the `secrets: inherit`
statement with explicit secret mapping to follow the principle of least
privilege. Instead of inheriting all repository secrets, explicitly define which
specific secrets are required for the called workflow by replacing `secrets:
inherit` with a `secrets:` block that lists only the necessary secrets with
their individual mappings. This reduces the blast radius and prevents accidental
exposure of sensitive information as the workflow evolves.
- Around line 23-28: The GitHub Actions workflow trigger configuration in the
e2e-osac.yml file is missing an entry for the lvms plugin in the paths filter.
Add `plugins/lvms/**` to the paths list in both the push trigger section (around
line 23-28) and the pull_request trigger section (around line 44) to ensure E2E
OSAC tests run whenever changes are made to the lvms plugin, which is part of
the OSAC plugin chain.

In `@scripts/deployment/deploy_plugin.sh`:
- Around line 151-156: The osacProfilesList in the heredoc is hardcoded to only
include the 'caas' profile, which overrides the default plugin configuration
that includes both 'caas' and 'vmaas' profiles. Update the osacProfilesList
section in the SSH command that creates the osac.yaml file to include both
'caas' and 'vmaas' profiles instead of just 'caas' to maintain the expected OSAC
capabilities.
- Around line 140-144: After the scp command that copies the AAP license file to
the Landing Zone (the line copying to ${LZ_SSH}:${LZ_AAP_LICENSE}), add a
follow-up ssh command that applies restrictive file permissions (chmod 600 or
similar least-privileged mode) to the copied license file on the remote Landing
Zone to reduce the risk of unauthorized disclosure of this sensitive file.
ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: 09dfb64e-3ad8-4478-a372-ada16c0809a7

📥 Commits

Reviewing files that changed from the base of the PR and between eb25aa2 and 5f3247e.

📒 Files selected for processing (3)
  • .github/workflows/e2e-deployment.yml
  • .github/workflows/e2e-osac.yml
  • scripts/deployment/deploy_plugin.sh

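The No-Injection-Vectors pre-merge check and the two inline findings on e2e-deployment.yml (substring `contains()` gating and the unvalidated storage-plugin input) describe the same two defects: a CSV membership test that matches partial tokens, and a plugin name that reaches a shell command and a JSON output without a whitelist. The following POSIX shell is an added example written for this page, not code from the enclave repository or from the reviewer; the function names and the sample plugin lists are assumptions for illustration. It places the naive check next to the delimiter-based one so the collision the review mentions (`aap` matching `osac-aap`) is reproducible, and it builds the JSON list only from names that passed the whitelist, so no escaping is needed.

```shell
#!/bin/sh
# Added example (not code from the enclave repo): token-boundary plugin gating
# and whitelist validation for a CSV plugin list. Function names and sample
# lists are assumptions for illustration.

# Allowed plugin names: lowercase letters, digits and hyphens, no leading
# hyphen, never empty. Anything else is rejected before it can reach a shell
# command, a YAML file or $GITHUB_OUTPUT.
validate_plugin_name() {
  case "$1" in
    ''|-*|*[!a-z0-9-]*) return 1 ;;
  esac
  return 0
}

# Naive check: plain substring match, the pattern the review flagged.
# 'osac' matches 'myosac'; 'aap' matches 'osac-aap'.
naive_enabled() {
  case "$2" in
    *"$1"*) return 0 ;;
  esac
  return 1
}

# Correct check: wrap both the list and the name in the delimiter so only a
# whole CSV token can match. The GitHub Actions expression equivalent is
#   contains(format(',{0},', env.ENABLED_PLUGINS), ',osac,')
plugin_enabled() {
  case ",$2," in
    *",$1,"*) return 0 ;;
  esac
  return 1
}

# Validate every token of a CSV list and emit it as a JSON array suitable for
# a matrix output. The list is split with parameter expansion instead of
# word splitting so a token such as '*' is never subject to pathname
# expansion. An empty list is valid (no addons) and yields []. Because each
# token passed the whitelist, no JSON escaping is required; a bad token
# makes the function fail non-zero instead of emitting partial output.
plugins_to_json() {
  [ -n "$1" ] || { printf '[]\n'; return 0; }
  rest="$1,"
  out=""
  while [ -n "$rest" ]; do
    name="${rest%%,*}"
    rest="${rest#*,}"
    validate_plugin_name "$name" || { echo "rejected plugin name: '$name'" >&2; return 1; }
    out="${out:+$out,}\"$name\""
  done
  printf '[%s]\n' "$out"
}

# Usage with constructed sample data:
#   plugins_to_json 'lvms,trust-manager,rhbk,authorino,aap,osac'
#   plugin_enabled aap 'lvms,osac-aap'   # exit status 1: not enabled
#   naive_enabled  aap 'lvms,osac-aap'   # exit status 0: false positive
```

The whitelist is deliberately stricter than "no shell metacharacters": every name in the chain the PR deploys (lvms, trust-manager, rhbk, authorino, aap, cnv, osac) fits `[a-z0-9-]`, so rejecting everything else costs nothing and removes the need to reason about quoting downstream.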
- Use delimiter-based matching for plugin gating to prevent substring
  collisions (e.g. 'aap' matching 'osac-aap')
- Restrict AAP license file permissions (chmod 600) after scp to LZ
- Add plugins/lvms/** to e2e-osac.yml path filter since lvms is part
  of the OSAC plugin chain
- Include vmaas in default osacProfilesList to match plugin defaults

Assisted-by: Claude Code <noreply@anthropic.com>
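The review asked for two things in deploy_plugin.sh: restrict the copied AAP license file to mode 600, and quote the values written into the generated osac.yaml. The commit above records the chmod being added after the scp. The shell below is an added example written for this page, not the project's deploy_plugin.sh: where the project copies to the Landing Zone with scp and then runs chmod over ssh, this version stages the file into a local directory with `install -m 0600` so the logic runs offline and the copy never exists with a wider mode between the copy and the chmod. The function names, paths and the profile list are assumptions for illustration; the rendered keys (`osacAapLicenseFile`, `osacProfilesList`) are the ones named in the PR.

```shell
#!/bin/sh
# Added example (not the project's deploy_plugin.sh): stage an AAP license
# file with least-privilege permissions and render an osac.yaml whose values
# are quoted YAML scalars. Local copy stands in for the scp+ssh chmod the CI
# script performs against the Landing Zone. Names and paths are assumptions.

# Copy $1 to $2 with mode 0600 in a single step. Fails if the source is not
# readable, so a missing license is caught before any remote work happens.
stage_license() {
  src="$1"; dst="$2"
  [ -r "$src" ] || { echo "AAP license file not readable: $src" >&2; return 1; }
  mkdir -p "$(dirname "$dst")" || return 1
  install -m 0600 "$src" "$dst"
}

# Returns 0 when $1 has exactly mode 0600 (find -perm with an octal mode and
# no leading '-' is an exact match, and -prune keeps find on the file itself).
has_mode_600() {
  [ -n "$(find "$1" -prune -perm 600 2>/dev/null)" ]
}

# Reject values that cannot be placed inside a double-quoted YAML scalar
# without escaping: empty strings, double quotes, backslashes and newlines.
yaml_safe() {
  nl="$(printf '\nx')"; nl="${nl%x}"
  case "$1" in
    ''|*\"*|*\\*|*"$nl"*) return 1 ;;
  esac
  return 0
}

# Render osac.yaml to stdout. $1 = license path as seen on the target,
# $2 = CSV list of profiles. Every value is emitted double-quoted, so a path
# containing ':' or '#' cannot change the document structure, and the
# profiles are written as a block sequence. An empty profiles list is an
# error, matching the minItems: 1 constraint the PR adds to the schema.
render_osac_yaml() {
  license="$1"; profiles="$2"
  yaml_safe "$license" || { echo "unquotable license path" >&2; return 1; }
  printf 'osacAapLicenseFile: "%s"\n' "$license"
  printf 'osacProfilesList:\n'
  rest="$profiles,"
  while [ -n "$rest" ]; do
    p="${rest%%,*}"; rest="${rest#*,}"
    yaml_safe "$p" || { echo "invalid profile name: '$p'" >&2; return 1; }
    printf '  - "%s"\n' "$p"
  done
}

# Write osac.yaml only when it does not already exist, mirroring the CI
# behaviour of generating the file only when absent on the Landing Zone.
# Renders to a temporary file first so a rejected value leaves no partial
# osac.yaml behind.
write_osac_yaml_if_absent() {
  target="$1"; license="$2"; profiles="$3"
  if [ -e "$target" ]; then
    echo "keeping existing $target" >&2
    return 0
  fi
  render_osac_yaml "$license" "$profiles" > "$target.tmp" || { rm -f "$target.tmp"; return 1; }
  mv "$target.tmp" "$target"
}

# Usage with constructed sample data:
#   stage_license ./aap-license.txt /tmp/lz/aap/license.txt && \
#   write_osac_yaml_if_absent /tmp/lz/config/plugins/osac.yaml \
#       /home/lz/aap/license.txt caas
```

Keeping the license-path check and the profile check in one `yaml_safe` helper means a later change that adds another value to the generated file has a single place to route it through; the "render to .tmp, then mv" step is what prevents the "generate when absent" logic from treating a half-written file as an existing one on the next run.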
@eurijon (Contributor, Author) commented Jun 22, 2026

@coderabbitai approve

coderabbitai Bot commented Jun 22, 2026

✅ Action performed

Comments resolved and changes approved.

…gnostics

The CI artifact collection missed CrashLoopBackOff pods because they are
technically in Running phase. Add a second pass to capture pods with
containers in waiting state or high restart counts, including previous
container logs. Also add plugin namespace diagnostics (deployments, pods,
events) for addon plugin namespaces when ENABLED_PLUGINS is set.

Assisted-by: Claude Code <noreply@anthropic.com>
@github-actions github-actions Bot added the validation Validation and testing label Jun 22, 2026
CNV is not installed on the management cluster, so the osac-operator
crashes with "no matches for kind VirtualMachine". Remove vmaas from
the CI-generated osac.yaml profiles list until CNV is available.

Assisted-by: Claude Code <noreply@anthropic.com>
Base automatically changed from fix/osac-profiles-list to integration/osac-plugin June 23, 2026 08:53
Labels

ci-cd CI/CD infrastructure deployment Deployment-related changes validation Validation and testing
