OCM-24672 | chore: consolidate checks under make pre-push-checks
Unify the module merge gate in Makefile (inline pre-push-checks),
add make tools for pinned CLI installs, extend the CI client image,
add verify-min-terraform workflow, remove test.yml, and align docs.
Co-authored-by: Cursor <cursoragent@cursor.com>
Signed-off-by: Amanda Hager Lopes de Andrade Katz <amanda.katz@redhat.com>
AGENTS.md (12 additions & 1 deletion)
@@ -55,6 +55,17 @@ Useful skills for this codebase:
55
55
- Use **`sensitive`** on variables and outputs where values must not appear in logs or casual `terraform show` output; avoid echoing secrets in `local` values used only for debugging. Passthrough outputs (**`module.*` → root output**) must match submodule sensitivity—see **Security** in [`.cursor/rules/rosa-hcp-terraform.mdc`](.cursor/rules/rosa-hcp-terraform.mdc).
56
56
- Do not add logging, outputs, or comments that expose credentials or session tokens.
57
57
58
+
## CI client Dockerfile (Prow)
59
+
60
+
The root **`Dockerfile`** builds the **OpenShift Prow** client image (`terraform-rhcs-rosa-hcp-clients`). Treat it as a **minimal supply-chain surface**: include **only** what presubmit jobs in [`openshift/release`](https://github.com/openshift/release/tree/master/ci-operator/config/terraform-redhat/terraform-rhcs-rosa-hcp) need today (`make verify`, `make verify-gen`, `make run-example`, and the tools behind `make pre-push-checks`).
61
+
62
+
When changing the Dockerfile:
63
+
64
+
-**Minimize attack surface** — prefer **`ubi-minimal`** with a **pinned** minor tag (not `:latest`); end with a **non-root**`USER` (currently `65532:65532`); do not add OS packages, compilers, or CLIs “for convenience” without a job that uses them.
65
+
-**Pin versions** — base image, ROSA CLI, and Makefile tools; use **`# renovate:`** comments and existing patterns (`hack/install-release-tool.sh` release binaries, not `go install`, unless unavoidable).
66
+
-**Avoid bloat** — the image is tool-heavy (Terraform, AWS CLI, ROSA, lint binaries); do not grow it with extra runtimes, caches, or unrelated utilities. Prefer release tarballs over full language SDKs in the final image.
67
+
-**Security scans** — `make security-check` / `make security-check-image` are separate from `make pre-push-checks`; fix findings or document narrow suppressions per the **Trivy** section below.
68
+
58
69
## Trivy (IaC misconfiguration)
59
70
60
71
Repo config: root **`trivy.yaml`** (severity, scanners, skips; includes **`examples/`**). CodeRabbit may run Trivy when enabled in **`.coderabbit.yaml`**. References: [Trivy config file](https://trivy.dev/latest/docs/references/configuration/config-file/), [filtering / ignores](https://trivy.dev/latest/docs/configuration/filtering/).
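Review bot: the **Pin versions** bullet tells contributors to install release binaries through `hack/install-release-tool.sh` rather than `go install`, but nothing in this section says whether those downloads are checksum- or signature-verified, and a pinned version string alone does not protect against a tampered release asset. If the script verifies checksums, state it in that bullet (it is the one control a reader of "minimal supply-chain surface" will look for); if it does not, say so and track it. Minor: the non-root `USER` value `65532:65532` is qualified with "currently", so pointing at the `USER` line in the Dockerfile instead of repeating the literal would avoid the two drifting apart.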
@@ -93,4 +104,4 @@ Use mocks for AWS and RHCS resources to verify logic without requiring live cred
93
104
94
105
When module behavior branches on a **boolean variable** (e.g. **`count = var.x ? 1 : 0`**), prefer **more than one `run` block** (or clearly separated scenarios) so **both** outcomes are covered—typically **`true` / `count = 1`** and **`false` / `count = 0`**—not only the default or “happy” path. That avoids regressions where the positive case passes but the opt-out path breaks.
95
106
96
-
For exact commands and pass/fail criteria, follow**`CONTRIBUTING.md`**.
107
+
Before opening a PR, `make pre-push-checks` must pass locally; see**`CONTRIBUTING.md`** for commands and pass/fail criteria.
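Review bot: the new sentence makes `make pre-push-checks` a hard requirement ("must pass locally"), but until `openshift/release` adopts it as the Prow presubmit nothing enforces it, so a one-clause pointer to the interim GitHub Actions `make verify` job would keep this accurate. It is also worth noting here that the target first runs `make tools`, which downloads pinned CLI binaries, so a contributor working in a network-restricted environment is not surprised on first run.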
CONTRIBUTING.md (9 additions & 5 deletions)
@@ -17,20 +17,24 @@ This repo is **ROSA HCP** only. The sibling **ROSA Classic** module is [`terrafo
17
17
## Before you open a PR
18
18
19
19
1.**Format** — `terraform fmt -recursive` (or format only dirs you changed).
20
-
2.**Validate** — `make verify` (runs `terraform init` + `validate` in each `examples/*` directory). Fix failures in examples you touch or that your change breaks.
20
+
2.**Validate** — `make verify` (runs `terraform init` + `validate` in each `examples/*` directory; compatible with the minimum Terraform version in root **`versions.tf`**, currently **>= 1.5.7**). Fix failures in examples you touch or that your change breaks.
21
21
3.**Docs** — If you changed variables, outputs, modules, or root wiring: run `make verify-gen` (runs `terraform-docs` via [`scripts/terraform-docs.sh`](scripts/terraform-docs.sh), then [`scripts/verify-gen.sh`](scripts/verify-gen.sh) to ensure README inject blocks are committed).
22
22
4.**Module tests** — If a submodule under `modules/<name>/tests/` has `*.tftest.hcl`, run `terraform init -backend=false && terraform test` from `modules/<name>/`, or run `make unit-tests` for all modules with tests.
23
-
5.**Documentation lint** — `make docs-lint` runs the pinned [Vale](https://docs.vale.sh/) CLI with Red Hat documentation styles (see [`.vale.ini`](.vale.ini)). Building Vale uses `CGO_ENABLED=1` and requires a C compiler toolchain on the first install.
23
+
5.**Documentation lint** — `make docs-lint` runs the pinned [Vale](https://docs.vale.sh/) CLI (release binary from [vale-cli/vale](https://github.com/vale-cli/vale)) with Red Hat documentation styles (see [`.vale.ini`](.vale.ini)).
24
24
6.**Provider** — Treat [`terraform-redhat/rhcs`](https://github.com/terraform-redhat/terraform-provider-rhcs) as the source of truth: mirror its schemas in variables and docs. Add `validation` / `precondition` only to echo the provider’s required fields and allowed values (fail fast); do not duplicate or tighten rules the provider already enforces.
25
25
7.**Module scope (AWS-only)** — If the change adds or expands **AWS-only** configuration (no `rhcs` surface), confirm it matches **`Module scope (AWS-only vs core HCP)`** in [`.cursor/rules/rosa-hcp-terraform.mdc`](.cursor/rules/rosa-hcp-terraform.mdc). In the PR, **link official Red Hat or cited ROSA HCP documentation** that supports shipping it in-repo, or explain why an exception is justified.
26
26
27
-
Run the full local verification flow (same steps planned for CI) with:
27
+
Run the full local verification flow (same steps as the planned single OpenShift Prow presubmit) with:
28
28
29
29
```shell
30
-
make basic-checks
30
+
make pre-push-checks
31
31
```
32
32
33
-
`make basic-checks` runs `verify`, `verify-gen`, `lint`, `unit-tests`, `license-check`, and `docs-lint` in order (fail-fast). Use `make run-checks -- basic --list-steps` or `--dry-run` to inspect the sequence without running it.
33
+
`make pre-push-checks` runs `tools` (installs pinned CLI versions from the Makefile), then `verify`, `verify-gen`, `lint`, `unit-tests`, `license-check`, and `docs-lint` in order (fail-fast). Install tools alone with `make tools`. Run individual check targets when debugging one step. OpenShift Prow will use `make pre-push-checks` as the presubmit merge gate after `openshift/release` is updated. Until then, GitHub Actions runs `make verify` at Terraform 1.5.7 via **`verify-min-terraform.yml`**; run `make pre-push-checks` locally before opening a PR.
34
+
35
+
**Security (separate from the merge gate):**`make security-check` runs [Trivy](https://trivy.dev/) IaC misconfiguration scans using [`trivy.yaml`](trivy.yaml) (HIGH/CRITICAL). `make security-check-image` builds the root [`Dockerfile`](Dockerfile) and scans the image with [`trivy-image.yaml`](trivy-image.yaml) (fails on **CRITICAL** vulnerabilities with a known fix). Install Trivy locally with `make security-check-bin`.
36
+
37
+
Until OpenShift Prow runs the client image scan, GitHub Actions runs `make security-check-image` on pull requests when the client [`Dockerfile`](Dockerfile), [`.dockerignore`](.dockerignore), [`Makefile`](Makefile), [`trivy-image.yaml`](trivy-image.yaml), [`hack/install-release-tool.sh`](hack/install-release-tool.sh), or [`.github/workflows/security-check-image.yaml`](.github/workflows/security-check-image.yaml) change ([setup-trivy](https://github.com/aquasecurity/setup-trivy)). A dedicated Prow presubmit in [`openshift/release`](https://github.com/openshift/release) will be investigated and added later. IaC scans (`make security-check`) remain local/Prow-only for now.
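Review bot: step 2 now states that `make verify` is "compatible with the minimum Terraform version in root `versions.tf`, currently >= 1.5.7", but a local `make verify` runs whatever `terraform` binary is on the contributor's PATH (unless `make tools` also pins Terraform, which this hunk does not say), so a newer local binary can pass while the 1.5.7 job in `verify-min-terraform.yml` fails. Reword to say the examples are expected to validate at 1.5.7 and that the GitHub Actions workflow is what checks this, or have `make tools` install the pinned Terraform as well. Also worth spelling out that the two scan policies differ on purpose: `make security-check` fails on HIGH/CRITICAL, while `make security-check-image` fails only on CRITICAL with a known fix, so HIGH and unfixed CRITICAL image findings will not block a PR.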