OCM-24672: chore: consolidate checks under make pre-push-checks#150

Merged: openshift-merge-bot[bot] merged 1 commit into terraform-redhat:main from amandahla:OCM-24672 on Jun 2, 2026

Conversation

amandahla (Member) commented May 20, 2026

PR Summary

Unifies module merge gate checks under make pre-push-checks with pinned CLI tool versions, adds hack/install-release-tool.sh for release binary installs with SHA256 verification, replaces Trivy with Checkov + Gitleaks, hardens the Prow CI Dockerfile (ubi-minimal, GPG-verified AWS CLI, SHA256-verified ROSA), and adds GitHub Actions verify-min-terraform.yml.

Detailed Description of the Issue

Before this change, the module's local verification flow was fragmented across multiple Makefile targets (verify, verify-gen, lint, unit-tests, license-check, docs-lint), and the Prow CI image lacked supply-chain hardening (no signature verification for CLI downloads, used full UBI instead of ubi-minimal). Security scanning relied on Trivy alone. Tool versions (terraform-docs, vale) were either hardcoded in scripts or required manual installs, making reproducible environments difficult.

This consolidation aligns the local developer flow with the planned single Prow presubmit, reduces attack surface in the CI client image, and brings security tooling in line with current best practices (Gitleaks for secrets, Checkov for Terraform static analysis).

Related Issues and PRs

  • Jira: OCM-24672
  • Fixes: N/A
  • Related PR(s): N/A
  • Related design/docs: N/A

Type of Change

  • feat - adds a new module capability or new user-facing behavior.
  • fix - resolves incorrect module behavior or bug.
  • docs - updates documentation only.
  • style - formatting/naming changes with no logic impact.
  • refactor - module code restructuring with no behavior change.
  • test - adds or updates tests only.
  • chore - maintenance work (tooling, housekeeping, non-product code).
  • build - changes build system, packaging, or dependencies for build output.
  • ci - changes CI pipelines, jobs, or automation workflows.
  • perf - improves performance without changing intended behavior.

Previous Behavior

  • Contributors ran make verify, make verify-gen, make lint, make unit-tests, make license-check, and make docs-lint individually or via the shell script hack/run-checks.sh basic (invoked as make basic-checks).
  • CLI tools (terraform-docs, vale) were installed on-demand by scripts that downloaded release tarballs into temporary directories or system paths, with versions pinned in scripts or environment variables.
  • The Prow CI Dockerfile used ubi9/ubi:latest and installed AWS CLI, ROSA CLI, and Terraform without cryptographic verification.
  • Trivy performed IaC misconfiguration scans; secrets detection was not enforced locally.
  • GitHub Actions ran separate workflows for license checks (license-check.yaml) and tests (test.yml).
  • PR template referenced make verify and make verify-gen individually.

Behavior After This Change

  • Contributors run make pre-push-checks once (equivalent to the planned single Prow presubmit); individual targets remain available for debugging.
  • make tools installs pinned CLI versions (addlicense, terraform-docs, tflint, vale, checkov, gitleaks) from GitHub releases into bin/ using hack/install-release-tool.sh, which verifies downloads with SHA256 checksums (or GPG for AWS CLI when building the Dockerfile).
  • The Prow CI Dockerfile uses ubi9/ubi-minimal:9.8 (pinned minor), verifies AWS CLI with GPG against hack/aws-cli-public-key.asc, verifies ROSA CLI with SHA256 from upstream sha256sum.txt, and installs Terraform via YUM repo at pinned TERRAFORM_VERSION.
  • make security-check (separate from merge gate) runs Gitleaks (secret scan) and Checkov (Terraform static analysis); Trivy is removed.
  • GitHub Actions verify-min-terraform.yml validates examples at the minimum Terraform version from root versions.tf; license-check.yaml and test.yml are consolidated into the planned Prow presubmit flow (Prow config pending in openshift/release).
  • PR template references make pre-push-checks with inline breakdown of steps.
  • .coderabbit.yaml disables Trivy (replaced by Checkov).
  • .gitleaks.toml allowlists bin/, .terraform/, and .terraform-docs-cache/; checkov.yaml skips modules/rosa-cluster-hcp/main.tf (lifecycle precondition parse limitation).
  • Renovate custom managers track Makefile tool versions and Dockerfile ARG versions.

How to Test (Step-by-Step)

Preconditions

  • Terraform >= 1.5.7 (root versions.tf minimum)
  • No special credentials required (local-only checks; no live AWS/RHCS)
  • Empty bin/ directory (or delete bin/ to force fresh install)

Test Steps

  1. Run make pre-push-checks from the repo root
  2. Observe tools step installing pinned CLIs into bin/
  3. Observe sequential execution of verify, verify-gen, lint, unit-tests, license-check, docs-lint
  4. (Optional) Run make security-check to test Gitleaks + Checkov
  5. (Optional) Build the Dockerfile: docker build -t test-client .
  6. (Optional) Inspect installed tool versions: bin/terraform-docs version, bin/vale --version, bin/addlicense --version, bin/tflint --version, bin/checkov --version, bin/gitleaks version

Expected Results

  • make pre-push-checks completes with exit 0 (all checks pass)
  • bin/ directory contains addlicense, terraform-docs, tflint, vale at Makefile-pinned versions
  • make security-check runs Gitleaks and Checkov with no CRITICAL or HIGH findings (exit 0)
  • Dockerfile builds successfully; terraform version, aws --version, rosa version output expected pinned versions

Proof of the Fix

  • Screenshots: N/A
  • Videos: N/A
  • Logs/CLI output: Successfully ran make pre-push-checks locally (all steps passed)
  • Other artifacts: N/A

Breaking Changes

  • No breaking changes
  • Yes, this PR introduces a breaking change (describe impact and migration plan below)

Breaking Change Details / Migration Plan

N/A

Developer Verification Checklist

  • AWS-only changes: If this PR is mainly AWS-only (no rhcs resources/variables), I linked official Red Hat or cited ROSA HCP documentation that supports reference alignment, or I explained why the change still belongs in-repo per Module scope (AWS-only vs core HCP) in .cursor/rules/rosa-hcp-terraform.mdc.
  • I checked if this affects terraform-rhcs-rosa-classic and submitted (or already submitted) a companion PR when needed.
  • Commit subject/title follows [JIRA-TICKET] | [TYPE]: <MESSAGE>.
  • PR description clearly explains both what changed and why.
  • Relevant Jira/GitHub issues and related PRs are linked.
  • Tests were added/updated where appropriate.
  • I manually tested the change.
  • make pre-push-checks passes (or each step: verify, verify-gen, lint, unit-tests, license-check, docs-lint).
  • Documentation was added/updated where appropriate (see make terraform-docs).
  • Any risk, limitation, or follow-up work is documented.

Summary by CodeRabbit

  • New Features

    • Added security scanning with secret detection and Terraform static analysis to the merge gate.
    • Introduced unified pre-push validation workflow combining verification, formatting, unit tests, and license checks.
  • Bug Fixes

    • Fixed password output references in example configurations.
  • Documentation

    • Updated contributor testing and local validation guidance for the new unified workflow.
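The PR description above says make tools installs release binaries through hack/install-release-tool.sh with SHA256 verification. The script below is an added example of that download-then-verify-then-install pattern; it is not the repository's script and is not code from this PR. The network step is left out so it runs offline, and the fake tool, its checksum list and every path name are constructed fixtures. The sha256sums.txt format it parses ("<hex>  <name>", optionally "<hex> *<name>") is the one coreutils sha256sum emits and that upstream release checksum files use.

```bash
#!/usr/bin/env bash
# Added example, not the repository's hack/install-release-tool.sh: verify a
# downloaded release asset against the release's checksum list, and only then
# install it with mode 0755. Fixtures used by demo() are constructed here.
set -euo pipefail

# Print the SHA-256 hex digest of a file (coreutils sha256sum, or shasum on macOS).
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{ print $1 }'
  else
    shasum -a 256 "$1" | awk '{ print $1 }'
  fi
}

# verify_sha256 ASSET SUMS
# Returns 0 when the digest of ASSET matches the entry for its basename in SUMS.
# Returns 2 when SUMS has no entry for the asset (an unlisted file is never
# trusted) and 1 on a digest mismatch.
verify_sha256() {
  local asset="$1" sums="$2"
  local name expected actual
  name="$(basename "$asset")"
  # Exact match on the name field (with or without sha256sum's binary-mode "*"),
  # so an entry for "tool-1.0.1" can never satisfy a request for "tool-1.0".
  expected="$(awk -v n="$name" '$2 == n || $2 == ("*" n) { print $1; exit }' "$sums")"
  if [ -z "$expected" ]; then
    echo "verify: no checksum entry for ${name} in ${sums}" >&2
    return 2
  fi
  actual="$(sha256_of "$asset")"
  if [ "$actual" != "$expected" ]; then
    echo "verify: SHA-256 mismatch for ${name}" >&2
    echo "  expected ${expected}" >&2
    echo "  actual   ${actual}" >&2
    return 1
  fi
}

# install_verified ASSET SUMS DEST_DIR
# Copies ASSET into DEST_DIR (created on demand) only after verification passes;
# a failed verification propagates its exit status and installs nothing.
install_verified() {
  local asset="$1" sums="$2" dest_dir="$3"
  verify_sha256 "$asset" "$sums" || return $?
  mkdir -p "$dest_dir"
  install -m 0755 "$asset" "${dest_dir}/$(basename "$asset")"
}

# Offline demonstration: a constructed fake release binary and checksum list,
# one good install, then a tampered asset that must be refused.
demo() {
  local tmp
  tmp="$(mktemp -d)"
  printf '#!/bin/sh\necho fake-tool v1.2.3\n' > "${tmp}/fake-tool"
  printf '%s  fake-tool\n' "$(sha256_of "${tmp}/fake-tool")" > "${tmp}/sha256sums.txt"
  install_verified "${tmp}/fake-tool" "${tmp}/sha256sums.txt" "${tmp}/bin"
  "${tmp}/bin/fake-tool"
  printf 'tampered\n' >> "${tmp}/fake-tool"
  if install_verified "${tmp}/fake-tool" "${tmp}/sha256sums.txt" "${tmp}/bin"; then
    echo "BUG: tampered asset was installed" >&2
    return 1
  fi
  echo "tampered asset refused, as intended"
  rm -rf "$tmp"
}

if [ "${1:-}" = "demo" ]; then
  demo
fi
```

Run it as `bash install-verified-example.sh demo` (file name is arbitrary). The point worth keeping from this shape is that the checksum list must be pinned or fetched from the same release as the asset, and that a missing entry is treated as a failure rather than a pass: a verifier that returns 0 for "nothing to compare against" is easy to bypass by publishing an asset whose name is not in the list.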

Review Change Stack

coderabbitai Bot commented May 20, 2026


Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

  • @coderabbitai resume to resume automatic reviews.
  • @coderabbitai review to trigger a single review.


Walkthrough

This PR consolidates the repository's verification and CI workflows into a unified make pre-push-checks gate while centralizing tool provisioning through Makefile and helper scripts. It updates the Docker image to a hardened minimal base with explicit version pinning and signature verification for critical tools (Terraform, AWS CLI, ROSA). GitHub Actions workflows are revised to leverage Makefile-provided targets and validate against the minimum supported Terraform version (1.5.7). Security scanning is separated from the merge gate with Checkov and Gitleaks configuration. Terraform example outputs are corrected to use proper attribute references. All contributor documentation is realigned to reflect the new workflow structure.

Changes

Tooling consolidation and verification workflow unification

Layer / File(s) and summary:

  • Makefile: pre-push-checks and verification targets
    Files: Makefile
    Summary: Introduces pre-push-checks composite target sequencing multiple checks; centralizes tool versions and local bin/ provisioning; refactors verify, lint, unit-tests with backendless Terraform operations; adds security-check target.
  • Tool installer script
    Files: hack/install-release-tool.sh
    Summary: New cross-platform binary installer supporting addlicense, tflint, terraform-docs, vale, checkov, and gitleaks; validates SHA-256 checksums (upstream or repo-pinned); extracts and installs with correct permissions.
  • Helper script updates
    Files: scripts/add-license-header.sh, scripts/terraform-docs.sh, hack/aws-cli-public-key.asc
    Summary: Scripts now require environment variables for tool paths and validate executability; new PGP public key file for AWS CLI signature verification in Docker.
  • Docker image hardening
    Files: Dockerfile, .dockerignore
    Summary: Switches base to ubi-minimal:9.8; installs Terraform/AWS CLI/ROSA with pinned versions and signature verification; delegates terraform-docs to make tools; sets PATH and HOME; ignores git, bin, terraform cache directories.
  • GitHub Actions workflows
    Files: .github/workflows/verify-min-terraform.yml, generate-terraform-docs.yaml, check-commit-format.yml
    Summary: Adds new workflow pinned to Terraform 1.5.7; updates terraform-docs install to use make terraform-docs-bin; removes Go setup; adds credential persistence protection.
  • Security configuration
    Files: checkov.yaml, hack/checksums/checkov-3.2.529.sha256sums, .gitleaks.toml, .trivyignore, trivy.yaml, .coderabbit.yaml
    Summary: Introduces Checkov config with hard-fail thresholds; adds pinned checkov SHA256 checksums; extends gitleaks allowlist; updates trivy ignore rules; disables Trivy in CodeRabbit.
  • Terraform example outputs
    Files: examples/rosa-hcp-*/outputs.tf
    Summary: Fixes password, client_id, and client_secret outputs to use .result attributes instead of bare resource references.
  • Terraform validation logic
    Files: main.tf, variables.tf
    Summary: Simplifies precondition for additional control-plane security groups; updates validation to allow null or non-empty lists.
  • Contributor documentation
    Files: PR template, AGENTS.md, CONTRIBUTING.md, README.md
    Summary: Consolidates verification into make pre-push-checks gate; documents hardened Dockerfile scope; details Gitleaks/Checkov workflow; clarifies testing discovery and minimum Terraform version.
  • Renovate configuration
    Files: renovate.json
    Summary: Adds regex managers for Makefile and Dockerfile version extraction with automerge disabled and grouping rules.
  • Cleanup
    Files: modules/bastion-host/main.tf, modules/oidc-config-and-provider/main.tf, .gitignore
    Summary: Removes Trivy ignore comments; updates comment documentation for version source.

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~60 minutes

Possibly related PRs

Suggested labels

ok-to-test

Suggested reviewers

  • gdbranco
  • robpblake
  • davidleerh
🚥 Pre-merge checks | ✅ 4 | ❌ 2

❌ Failed checks (1 warning, 1 inconclusive)

  • Docstring Coverage: ⚠️ Warning. Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%. Resolution: write docstrings for the functions missing them to satisfy the coverage threshold.
  • Pr Checklist Claims Vs Evidence (Generic): ❓ Inconclusive. Cannot access actual PR body with checked checklist items to verify claims. The PR template exists but specific checked items are not visible in provided context (only PR summary/objectives given). Resolution: provide the actual PR body/description showing which checklist items were marked [x] to enable verification against the implementation.

✅ Passed checks (4 passed)

  • Description Check: ✅ Passed. Check skipped - CodeRabbit's high-level summary is enabled.
  • Title check: ✅ Passed. The title accurately summarizes the main objective: consolidating multiple checks under a unified make pre-push-checks target, which is the primary structural change across the PR.
  • Linked Issues check: ✅ Passed. Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check: ✅ Passed. Check skipped because no linked issues were found for this pull request.


@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@Dockerfile`:
- Line 21: Replace the unsafe "curl | bash" install of tflint with a pinned
release-install flow: choose a specific tflint release tag (e.g., vX.Y.Z),
download the corresponding release artifact (binary or archive) from the GitHub
releases URL for that tag, fetch the accompanying checksum/signature file for
the same tag, verify the checksum/signature before extracting/installing into
/usr/local/bin, and remove the pipe-to-shell line; reference the current tflint
install invocation (the curl -sL
https://raw.githubusercontent.com/terraform-linters/tflint/master/install_linux.sh
| bash -s -- -b /usr/local/bin line) and replace it with the pinned-download +
checksum verification steps.

In `@Makefile`:
- Around line 37-39: The verify loop in the Makefile (the for d in examples/*;
... loop) can mask failures and break on non-directory entries; change it to
iterate directories only (e.g. examples/*/), run each example inside a subshell
(cd "$d" && rm -rf .terraform .terraform.lock.hcl && terraform init && terraform
validate) and enable strict failure behavior so the first failing example stops
the target (use set -euo pipefail or ensure the subshell returns a non-zero
status to Make). Ensure you do not suppress errors with trailing && cd - that
hides failures—let the subshell propagate its exit code so Make fails fast on
terraform init/validate errors.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 21bcef65-dc0a-4878-bf1d-9ad81dfb9a5a

📥 Commits

Reviewing files that changed from the base of the PR and between 863dcb4 and 120a811.

📒 Files selected for processing (9)
  • .github/pull_request_template.md
  • .github/workflows/generate-terraform-docs.yaml
  • .github/workflows/verify-min-terraform.yml
  • AGENTS.md
  • CONTRIBUTING.md
  • Dockerfile
  • Makefile
  • README.md
  • hack/run-checks.sh
💤 Files with no reviewable changes (1)
  • hack/run-checks.sh
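The Makefile comment in the review above asks for the examples/* loop to iterate directories only, run each example in a subshell, and let that subshell's exit status stop the target instead of being masked by a trailing `&& cd -`. The function below is an added example of that shape; it is not the repository's Makefile recipe and not code from this PR. The command to run per directory is a parameter so the loop can be exercised offline with constructed directories; in the real target it would be `terraform init -backend=false && terraform validate`.

```bash
#!/usr/bin/env bash
# Added example, not the repository's Makefile: a fail-fast loop over example
# directories of the kind the review comment describes. Directory layout and
# the per-directory command are supplied by the caller (constructed in tests).
set -euo pipefail

# for_each_example BASE_DIR COMMAND [ARGS...]
# Runs COMMAND inside every direct subdirectory of BASE_DIR, in a subshell so
# the cd never leaks into the caller, and stops at the first failure with that
# subshell's exit status. Non-directory entries (a README, stray files) are
# skipped, and an empty BASE_DIR is an error rather than a silent pass.
for_each_example() {
  local base="$1"; shift
  local d count=0 rc
  for d in "$base"/*/; do
    [ -d "$d" ] || continue          # unmatched glob or a plain file: skip
    d="${d%/}"
    count=$((count + 1))
    echo "==> ${d}"
    # Capture the subshell's status explicitly. A trailing "&& cd -" would
    # replace a failing status with the (successful) status of cd.
    rc=0
    ( cd "$d" && "$@" ) || rc=$?
    if [ "$rc" -ne 0 ]; then
      echo "FAILED in ${d} (exit ${rc})" >&2
      return "$rc"
    fi
  done
  if [ "$count" -eq 0 ]; then
    echo "no example directories found under ${base}" >&2
    return 1
  fi
  echo "all ${count} examples passed"
}

# Stand-alone use: for_each_example examples terraform init -backend=false
# (pass the validate step as a second invocation, or wrap both in a script).
if [ "${1:-}" != "" ]; then
  for_each_example "$@"
fi
```

When the same loop lives in a Makefile recipe rather than a script, the shell that runs the recipe line must also fail fast: either start the recipe with `set -e;` or set `.SHELLFLAGS := -euo pipefail -c` together with `SHELL := /bin/bash` at the top of the Makefile, otherwise a failing `terraform validate` in the middle of the `for` loop still lets the target finish with status 0.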


@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 3

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@Dockerfile`:
- Around line 12-15: The Dockerfile currently hardcodes the x86_64 AWS CLI ZIP
URL; update the RUN that downloads and installs the AWS CLI so it is
architecture-aware by selecting the proper package based on the build
architecture (e.g., check uname -m or use the Docker build ARG TARGETARCH),
choose the correct AWS CLI archive (linux-x86_64.zip vs linux-aarch64.zip),
download that URL instead of the fixed x86_64 URL, then proceed with unzip
./aws/install and cleanup as before; modify the RUN command in the Dockerfile
that contains the curl to dynamically pick the URL so arm64 builds use the
aarch64 package.

In `@README.md`:
- Around line 55-57: The README contains inconsistent Terraform version
requirements: the "make unit-tests" section says Terraform 1.6+, the
prerequisites paragraph (Terraform 1.4.6+) and the requirements table (>= 1.5.7)
disagree; update README.md so all references to Terraform version (prerequisites
paragraph, requirements table, and the "make unit-tests" line) state a single,
consistent minimum version (pick the intended minimum, e.g., 1.6.0) and ensure
the text for "make unit-tests" and the requirements table/paragraph are changed
accordingly to the chosen version string.

In `@renovate.json`:
- Line 42: The regex in the Dockerfile customManager matchString has a duplicate
named group and a bad version capture; update the pattern so group names are
unique and the version captures non-whitespace. Replace the second
"(?<depName>)" with a different name (e.g., "(?<image>)") and change
"(?<currentValue>\\s)" to "(?<currentValue>\\S+)" so the final string reads
like: "# renovate: datasource=(?<datasource>\\S+) depName=(?<depName>\\S+)(?:
versioning=(?<versioning>\\S+))?\\nFROM (?<image>\\S+):(?<currentValue>\\S+)"
ensuring the matchString in the customManager is updated accordingly.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 41030388-df06-4ba7-be8f-7841ccc5a8cb

📥 Commits

Reviewing files that changed from the base of the PR and between 120a811 and f9d0181.

📒 Files selected for processing (19)
  • .dockerignore
  • .github/pull_request_template.md
  • .github/workflows/generate-terraform-docs.yaml
  • .github/workflows/license-check.yaml
  • .github/workflows/verify-min-terraform.yml
  • .gitignore
  • .trivyignore
  • AGENTS.md
  • CONTRIBUTING.md
  • Dockerfile
  • Makefile
  • README.md
  • hack/install-release-tool.sh
  • hack/run-checks.sh
  • renovate.json
  • scripts/add-license-header.sh
  • scripts/terraform-docs.sh
  • trivy-image.yaml
  • trivy.yaml
💤 Files with no reviewable changes (1)
  • hack/run-checks.sh
✅ Files skipped from review due to trivial changes (6)
  • trivy.yaml
  • .gitignore
  • .dockerignore
  • .trivyignore
  • .github/pull_request_template.md
  • AGENTS.md

amandahla force-pushed the OCM-24672 branch 2 times, most recently from 82b7d1d to d5cfbd1 on May 20, 2026 18:37

@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 3

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/security-check-image.yaml:
- Around line 8-12: The workflow's paths filter currently lists Dockerfile,
Makefile, trivy-image.yaml and hack/install-release-tool.sh but misses files
that can change the built image or the workflow itself; update the paths block
(the 'paths:' entries) to also include .dockerignore and the workflow file
itself and consider using globbed entries like '**/Dockerfile' and
'**/.dockerignore' so changes in subdirectories are caught and the scan cannot
be bypassed by editing image-context files.
- Line 20: Add explicit persist-credentials: false to the checkout step that
uses actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd so the job does
not persist the GITHUB_TOKEN; locate the checkout step (the line with "uses:
actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd") and add the key
persist-credentials: false under that step to follow least-privilege security
best practices.

In `@hack/install-release-tool.sh`:
- Around line 39-153: Windows installs currently set dest_bin without a .exe
suffix (e.g. dest_bin="${dest_dir}/addlicense"), causing mismatches with
Makefile BIN_EXT; update each tool block (addlicense, tflint, terraform-docs,
vale, trivy) to append ".exe" for Windows targets by computing a bin suffix
(e.g. bin_ext="" and if [ "$os" = "windows" ]; then bin_ext=".exe"; fi) and then
set dest_bin="${dest_dir}/<toolname>${bin_ext}" (replace <toolname> with
addlicense, tflint, terraform-docs, vale, trivy) so installed binaries match
Makefile expectations on Windows.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 72349661-c4ad-4929-a474-0a64c23ddcc1

📥 Commits

Reviewing files that changed from the base of the PR and between f9d0181 and 82b7d1d.

📒 Files selected for processing (20)
  • .dockerignore
  • .github/pull_request_template.md
  • .github/workflows/generate-terraform-docs.yaml
  • .github/workflows/license-check.yaml
  • .github/workflows/security-check-image.yaml
  • .github/workflows/verify-min-terraform.yml
  • .gitignore
  • .trivyignore
  • AGENTS.md
  • CONTRIBUTING.md
  • Dockerfile
  • Makefile
  • README.md
  • hack/install-release-tool.sh
  • hack/run-checks.sh
  • renovate.json
  • scripts/add-license-header.sh
  • scripts/terraform-docs.sh
  • trivy-image.yaml
  • trivy.yaml
💤 Files with no reviewable changes (1)
  • hack/run-checks.sh
✅ Files skipped from review due to trivial changes (7)
  • .gitignore
  • .github/pull_request_template.md
  • trivy.yaml
  • .trivyignore
  • AGENTS.md
  • README.md
  • .dockerignore

@amandahla amandahla marked this pull request as ready for review May 20, 2026 18:42
amandahla force-pushed the OCM-24672 branch 2 times, most recently from cce7cdc to 423218d on May 20, 2026 18:59

@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 2

♻️ Duplicate comments (1)
hack/install-release-tool.sh (1)

55-56: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Windows install paths still miss .exe suffix handling.

dest_bin and extracted binary names are still Unix-only (addlicense, tflint, etc.). For Windows assets this can fail install/call paths (*.exe) and diverge from Makefile BIN_EXT usage.

Suggested minimal fix
+bin_ext=""
+if [[ "${os}" == windows* || "${os}" == mingw* || "${os}" == msys* || "${os}" == cygwin* ]]; then
+  bin_ext=".exe"
+fi
...
-    dest_bin="${dest_dir}/addlicense"
+    dest_bin="${dest_dir}/addlicense${bin_ext}"
...
-    install -m 0755 "${tmp}/addlicense" "$dest_bin"
+    install -m 0755 "${tmp}/addlicense${bin_ext}" "$dest_bin"
...
-    dest_bin="${dest_dir}/tflint"
+    dest_bin="${dest_dir}/tflint${bin_ext}"
-    install -m 0755 "${tmp}/tflint" "$dest_bin"
+    install -m 0755 "${tmp}/tflint${bin_ext}" "$dest_bin"
...
-    dest_bin="${dest_dir}/terraform-docs"
+    dest_bin="${dest_dir}/terraform-docs${bin_ext}"
-    install -m 0755 "${tmp}/terraform-docs" "$dest_bin"
+    install -m 0755 "${tmp}/terraform-docs${bin_ext}" "$dest_bin"
...
-    dest_bin="${dest_dir}/vale"
+    dest_bin="${dest_dir}/vale${bin_ext}"
-    install -m 0755 "${tmp}/vale" "$dest_bin"
+    install -m 0755 "${tmp}/vale${bin_ext}" "$dest_bin"
...
-    dest_bin="${dest_dir}/trivy"
+    dest_bin="${dest_dir}/trivy${bin_ext}"
-    install -m 0755 "${tmp}/trivy" "$dest_bin"
+    install -m 0755 "${tmp}/trivy${bin_ext}" "$dest_bin"
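Review bot: the suggested fix appends `${bin_ext}` to the extracted path as well as to `dest_bin` (for example `install -m 0755 "${tmp}/addlicense${bin_ext}" "$dest_bin"`), which only holds if every upstream Windows archive names its binary exactly `<tool>.exe`; that needs checking per tool, because the SHA-256 step verifies the archive, not the file layout inside it. The `bin_ext` guard also mixes the normalised asset name `windows*` with raw `uname -s` spellings (`mingw*`, `msys*`, `cygwin*`); only whichever form the script's `os` variable actually holds can ever match, so the other alternatives are dead code and should be dropped to avoid implying cover that is not there. And since the PR summary says Trivy is removed in favour of Checkov + Gitleaks, the trivy block should be deleted rather than given `.exe` handling.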

Also applies to: 66-67, 73-74, 80-81, 87-88, 94-95, 112-113, 123-124, 141-142, 152-153

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@hack/install-release-tool.sh` around lines 55 - 56, The install script
hardcodes Unix binary names (e.g., dest_bin="${dest_dir}/addlicense") and
doesn't append the Windows extension; update each dest_bin and extracted-binary
assignment (e.g., the occurrences for addlicense, tflint, etc.) to include the
platform-aware extension by appending the existing BIN_EXT variable (or
${BIN_EXT:-} fallback) so Windows installs use *.exe; ensure all occurrences
noted in the comment (lines around the repeated dest_bin assignments) are
changed consistently to use the BIN_EXT-suffixed name.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@Dockerfile`:
- Around line 9-11: The Dockerfile currently installs Terraform unpinned via the
command "microdnf install -y terraform"; update the Dockerfile to pin the
Terraform package to a specific, explicit version (for example by using a build
ARG like TERRAFORM_VERSION and installing "terraform-<version>" from the
HashiCorp repo or otherwise specifying the exact package name/version) so builds
are reproducible; ensure you update the RUN line that contains "microdnf install
-y terraform" to install the pinned package and document the chosen
TERRAFORM_VERSION ARG/default.

In `@renovate.json`:
- Around line 73-91: The Renovate package rule "Terraform CLI (CI)" currently
uses matchManagers: "custom.regex" and matchFileNames: ".github/workflows/**"
but there is no corresponding custom regex manager defined, so the rule never
matches; add a custom regex manager entry under customManagers (a manager key
that matches the "custom.regex" identifier) that targets ".github/workflows/**"
and provides a regex to find/update the terraform_version value (e.g., capture
terraform_version: "1.x.x") so the existing rule (groupName "Terraform CLI
(CI)", matchPackageNames "hashicorp/terraform") can detect and update the
hardcoded version in workflow files.

---

Duplicate comments:
In `@hack/install-release-tool.sh`:
- Around line 55-56: The install script hardcodes Unix binary names (e.g.,
dest_bin="${dest_dir}/addlicense") and doesn't append the Windows extension;
update each dest_bin and extracted-binary assignment (e.g., the occurrences for
addlicense, tflint, etc.) to include the platform-aware extension by appending
the existing BIN_EXT variable (or ${BIN_EXT:-} fallback) so Windows installs use
*.exe; ensure all occurrences noted in the comment (lines around the repeated
dest_bin assignments) are changed consistently to use the BIN_EXT-suffixed name.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 7d915e88-0758-49ec-a29d-4e18d784dd34

📥 Commits

Reviewing files that changed from the base of the PR and between 44c409e and cce7cdc.

📒 Files selected for processing (20)
  • .dockerignore
  • .github/pull_request_template.md
  • .github/workflows/generate-terraform-docs.yaml
  • .github/workflows/license-check.yaml
  • .github/workflows/security-check-image.yaml
  • .github/workflows/verify-min-terraform.yml
  • .gitignore
  • .trivyignore
  • AGENTS.md
  • CONTRIBUTING.md
  • Dockerfile
  • Makefile
  • README.md
  • hack/install-release-tool.sh
  • hack/run-checks.sh
  • renovate.json
  • scripts/add-license-header.sh
  • scripts/terraform-docs.sh
  • trivy-image.yaml
  • trivy.yaml
💤 Files with no reviewable changes (2)
  • hack/run-checks.sh
  • .github/workflows/license-check.yaml
✅ Files skipped from review due to trivial changes (6)
  • .gitignore
  • .trivyignore
  • .github/pull_request_template.md
  • .dockerignore
  • trivy.yaml
  • README.md

amandahla force-pushed the OCM-24672 branch 5 times, most recently from 76a3790 to a2fff9a on May 20, 2026 19:52
amandahla changed the title from "OCM-24672 | chore: consolidate checks under make pre-push-checks" to "OCM-24672: chore: consolidate checks under make pre-push-checks" on May 20, 2026
openshift-ci-robot commented May 20, 2026


@amandahla: This pull request references OCM-24672 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "5.0.0" version, but no target version was set.

Details

In response to this:

PR Summary

Consolidates the module merge gate under make pre-push-checks, adds make tools for pinned CLI installations, hardens the CI client Dockerfile (ubi-minimal, non-root, pinned versions), and aligns documentation with the new workflow.

Detailed Description of the Issue

The repository had fragmented pre-merge verification steps (make verify, make verify-gen, separate lint/test/license/docs-lint targets) without a unified entry point or consistent tool versioning. The CI client Dockerfile used :latest base images without renovate tracking, ran as root, and installed tools via ad-hoc scripts. Contributors needed to manually install multiple CLI tools (terraform-docs, tflint, vale, addlicense) at unknown versions, leading to "works on my machine" inconsistencies. OpenShift Prow jobs and local development diverged in which checks ran and how tools were installed.

This creates maintainability risk (tool version drift), security risk (root containers, unpinned base images), and developer friction (manual tool installation, unclear pre-PR checklist).

Related Issues and PRs

  • Jira: OCM-24672
  • Fixes: N/A
  • Related PR(s): N/A
  • Related design/docs: N/A

Type of Change

  • feat - adds a new module capability or new user-facing behavior.
  • fix - resolves incorrect module behavior or bug.
  • docs - updates documentation only.
  • style - formatting/naming changes with no logic impact.
  • refactor - module code restructuring with no behavior change.
  • test - adds or updates tests only.
  • chore - maintenance work (tooling, housekeeping, non-product code).
  • build - changes build system, packaging, or dependencies for build output.
  • ci - changes CI pipelines, jobs, or automation workflows.
  • perf - improves performance without changing intended behavior.

Previous Behavior

Makefile:

  • No unified pre-merge gate target; contributors ran make verify, make verify-gen, make lint, make unit-tests, make license-check, make docs-lint individually.
  • No tool version management; scripts (terraform-docs.sh, add-license-header.sh) expected tools on PATH or installed them via go install / manual downloads without pinning.
  • make basic-checks wrapper script (hack/run-checks.sh) existed but was not documented as the primary merge gate.
  • Vale installed via go install with CGO_ENABLED=1 (required C compiler).

Dockerfile (CI client image):

  • Based on ubi9/ubi:latest (unpinned minor release).
  • Installed packages via yum (not minimal); ran as root (no USER directive).
  • ROSA CLI downloaded from mirror without version pinning or renovate tracking.
  • terraform-docs version set via ARG but not renovate-tracked in Makefile.
  • No .dockerignore, resulting in .git, bin/, .terraform/ in build context.

CI workflows:

  • test.yml ran make lint and make unit-tests only (incomplete gate).
  • No Terraform minimum-version validation workflow.
  • No container image security scan (Trivy).

Scripts:

  • terraform-docs.sh: installed terraform-docs to /usr/local/bin (required sudo), checked version mismatch, downloaded manually.
  • add-license-header.sh: expected addlicense on PATH without version check.

Documentation:

  • CONTRIBUTING.md mentioned individual make targets but no single "run this before PR" command.
  • AGENTS.md lacked Dockerfile security/supply-chain guidance.

Behavior After This Change

Makefile:

  • New make pre-push-checks target runs the full merge gate: tools → verify → verify-gen → lint → unit-tests → license-check → docs-lint (fail-fast).
  • New make tools target installs pinned CLIs (addlicense, terraform-docs, tflint, vale) to bin/ via hack/install-release-tool.sh with SHA256 verification.
  • Tool versions centralized in Makefile with renovate comments (e.g., # renovate: datasource=github-releases depName=google/addlicense).
  • Individual check targets remain available for debugging; wrapper script hack/run-checks.sh removed.
  • New security targets (not in merge gate): make security-check (Trivy IaC), make security-check-image (Trivy container scan).

Dockerfile (CI client image):

  • Based on ubi9/ubi-minimal:9.8 (pinned minor, renovate-tracked).
  • Installs packages via microdnf (minimal attack surface).
  • ROSA CLI version pinned via ARG ROSA_VERSION with renovate comment; downloads from GitHub releases (architecture-aware).
  • Runs make tools to install Makefile-pinned CLIs into bin/.
  • Ends with USER 65532:65532 (non-root).
  • .dockerignore excludes .git, bin/, .terraform/, .terraform-docs-cache/.

CI workflows:

  • test.yml renamed to verify-min-terraform.yml; validates examples at Terraform 1.5.7 (minimum required version).
  • New security-check-image.yaml workflow runs make security-check-image (Trivy) on Dockerfile/Makefile/trivy-image.yaml changes.
  • generate-terraform-docs.yaml and license-check.yaml now call make terraform-docs-bin / make license-check-bin instead of inline installation.

Scripts:

  • New hack/install-release-tool.sh: generic installer for release binaries (addlicense, tflint, terraform-docs, vale, trivy) with SHA256 verification.
  • terraform-docs.sh: expects TERRAFORM_DOCS_BIN and TERRAFORM_DOCS_VERSION from Makefile; fails if version mismatches.
  • add-license-header.sh: expects ADDLICENSE_BIN from Makefile; no sudo required.

Documentation:

  • CONTRIBUTING.md: updated to say "run make pre-push-checks before opening a PR" (single command); explains it's the planned Prow merge gate.
  • AGENTS.md: new "CI client Dockerfile (Prow)" section with supply-chain, security, and minimalism guidance.
  • PR template: checklist item changed from "make verify + make verify-gen" to "make pre-push-checks (or each step: ...)".

Renovate:

  • New custom regex managers track Makefile # renovate: comments for tool versions and Dockerfile ARG / FROM pinned versions.
  • Groups: "Makefile pre-push tools" and "CI client image".

Trivy:

  • .trivyignore simplified (removed Dockerfile-specific suppressions; now runs as non-root so DS-0002 doesn't fire).
  • New trivy-image.yaml config for container image scans (CRITICAL vulnerabilities, ignore-unfixed).

How to Test (Step-by-Step)

Preconditions

  • Terraform >= 1.5.7 on PATH
  • Docker (for make security-check-image)
  • Optional: Trivy installed locally via make security-check-bin (otherwise GitHub Actions runs it)

Test Steps

  1. Clean any existing tool binaries: rm -rf bin/
  2. Run the unified merge gate: make pre-push-checks
  3. Verify tools installed to bin/: ls -lh bin/
  4. Check tool versions match Makefile:
    bin/addlicense --version
    bin/terraform-docs --version
    bin/tflint --version
    bin/vale --version
  5. Run individual checks to confirm they still work:
    make verify
    make verify-gen
    make lint
    make unit-tests
    make license-check
    make docs-lint
  6. Build and scan the CI client image:
    docker build -t terraform-rhcs-rosa-hcp-clients:ci .
    make security-check-image
  7. Verify the image runs as non-root:
    docker run --rm terraform-rhcs-rosa-hcp-clients:ci id

Expected: uid=65532(nonroot) gid=65532(nonroot) groups=65532(nonroot)

  8. Verify examples validate at minimum Terraform version (simulates verify-min-terraform.yml):
    tfenv use 1.5.7 # or install Terraform 1.5.7 manually
    make verify

Expected Results

  • make pre-push-checks completes without errors (all 6 checks pass).
  • bin/ contains addlicense, terraform-docs, tflint, vale at Makefile-pinned versions.
  • make security-check-image completes with exit code 0 (no CRITICAL vulnerabilities with fixes).
  • CI client image runs as UID 65532 (non-root).
  • Examples validate successfully at Terraform 1.5.7.

Proof of the Fix

  • Screenshots: N/A
  • Videos: N/A
  • Logs/CLI output: Will be provided after local testing
  • Other artifacts: N/A

Breaking Changes

  • No breaking changes
  • Yes, this PR introduces a breaking change (describe impact and migration plan below)

Breaking Change Details / Migration Plan

N/A

Developer Verification Checklist

  • AWS-only changes: If this PR is mainly AWS-only (no rhcs resources/variables), I linked official Red Hat or cited ROSA HCP documentation that supports reference alignment, or I explained why the change still belongs in-repo per Module scope (AWS-only vs core HCP) in
    .cursor/rules/rosa-hcp-terraform.mdc.
  • I checked if this affects terraform-rhcs-rosa-classic and submitted (or already submitted) a companion PR when needed.
  • Commit subject/title follows [JIRA-TICKET] | [TYPE]: .
  • PR description clearly explains both what changed and why.
  • Relevant Jira/GitHub issues and related PRs are linked.
  • Tests were added/updated where appropriate.
  • I manually tested the change.
  • make pre-push-checks passes (or each step: verify, verify-gen, lint, unit-tests, license-check, docs-lint).
  • Documentation was added/updated where appropriate (see make terraform-docs).
  • Any risk, limitation, or follow-up work is documented.

Summary by CodeRabbit

  • New Features

  • Single pre-push-checks target to run verify, generate, lint, tests, license and docs checks.

  • CI image vulnerability scan and image-scan config that fail on critical findings.

  • Documentation

  • Updated contributor/testing guidance to require local pre-push checks and clarified Terraform test locations and tooling expectations.

  • Expanded agent/security guidance for image hardening and preflight checks.

  • Chores

  • Modernized container build and non-root runtime; centralized local tool bootstrapping and versions.

  • CI now validates examples against a minimum Terraform version and added a strict tool installer.

  • Cleaned Docker build context ignores and removed legacy aggregate run-checks helper.

Review Change Stack

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@amandahla amandahla marked this pull request as ready for review May 21, 2026 14:07
@openshift-ci openshift-ci Bot requested review from BraeTroutman and gdbranco May 21, 2026 14:07

@olucasfreitas olucasfreitas left a comment

Contributor


This condition calls length() before the null guard, so the default null value can fail with "argument must not be null". I think we could maybe check for null/private first, or use a ternary before touching length().

in the main.tf file

condition = ((length(var.aws_additional_control_plane_security_group_ids) >= 0 && var.private && tonumber(format("%03d%03d%03d", split(".", var.openshift_version)...)) >= 4017002) == true || var.aws_additional_control_plane_security_group_ids == null || var.private == false) == true

@amandahla amandahla force-pushed the OCM-24672 branch 4 times, most recently from 108ea4d to 0a834c0 Compare May 25, 2026 19:23
@amandahla

Member Author

/test ci/prow/verify-format

@amandahla

Member Author

/test verify-format

@amandahla

Member Author

@coderabbitai review please

@coderabbitai

coderabbitai Bot commented May 26, 2026


@amandahla: Sure! I'll review the changes in this PR now.

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

@coderabbitai coderabbitai Bot left a comment



Actionable comments posted: 1

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
variables.tf (1)

254-260: 🛠️ Refactor suggestion | 🟠 Major | ⚡ Quick win

Document the OpenShift minimum for this feature in the variable docs.

Line 257 should explicitly state this input requires OpenShift 4.17.2+ (for private clusters), and the README should mirror the same minimum requirement.

💡 Suggested update
 variable "aws_additional_control_plane_security_group_ids" {
   type        = list(string)
   default     = null
-  description = "The additional security group IDs to be added to the control plane VPC endpoint."
+  description = "The additional security group IDs to be added to the control plane VPC endpoint. For private clusters, this requires OpenShift version 4.17.2 or later."
   validation {
     condition     = var.aws_additional_control_plane_security_group_ids == null ? true : length(var.aws_additional_control_plane_security_group_ids) > 0
     error_message = "Security group list cannot be empty."
   }
 }
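Review bot: the validation block in this hunk only rejects an empty list, while the new description line promises an OpenShift 4.17.2 minimum; that minimum is enforced elsewhere (the main.tf condition quoted earlier in this thread, which also evaluates length() before its null check), so either state in the description that main.tf checks the version at plan time, or move the version check into this validation so the description and the guard stay in step. The null-first ternary used here, `var.aws_additional_control_plane_security_group_ids == null ? true : length(...) > 0`, is the shape the main.tf condition should adopt as well.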

As per coding guidelines: **/variables.tf: "Document minimum OpenShift version requirements in the variable description and README when a feature needs a specific minimum version."

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@variables.tf` around lines 254 - 260, Update the variable description for
aws_additional_control_plane_security_group_ids to explicitly state the
OpenShift minimum requirement (e.g., "Requires OpenShift 4.17.2+ for private
clusters") and mirror that same minimum-version note in the module README;
ensure the wording appears in the variable's description block and the README's
feature/requirements section so users see the 4.17.2+ requirement clearly.
♻️ Duplicate comments (1)
hack/install-release-tool.sh (1)

17-19: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Windows installs still won't satisfy the Makefile targets.

os="$(uname ...)" never normalizes Git Bash/MSYS/Cygwin to windows, and these branches still install non-.exe paths from ZIP payloads. On Windows, make tools expects bin/<tool>.exe, so addlicense/tflint/terraform-docs/vale/checkov remain broken even though gitleaks already handles this correctly.

Suggested direction
+bin_ext=""
+case "$os" in
+  mingw*|msys*|cygwin*|windows*)
+    os="windows"
+    bin_ext=".exe"
+    ;;
+esac
...
-    dest_bin="${dest_dir}/addlicense"
+    dest_bin="${dest_dir}/addlicense${bin_ext}"
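Review bot: the new case patterns are lower-case (`mingw*|msys*|cygwin*`), but uname -s reports these environments in upper case (MINGW64_NT-..., MSYS_NT-..., CYGWIN_NT-...), so unless the elided `os="$(uname ...)"` assignment already lower-cases its output, none of these branches fires; lower-case first, for example `os="$(uname -s | tr '[:upper:]' '[:lower:]')"`, before the case. The hunk also only changes the addlicense dest_bin, so the `${bin_ext}` suffix still has to reach the other ZIP branches listed at 57-68 onwards for make tools to find bin/<tool>.exe.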

Apply the same bin_ext handling to the other Windows ZIP branches and install the extracted *.exe payloads when archive_ext="zip".

Also applies to: 57-68, 75-82, 89-96, 114-125, 143-154

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@hack/install-release-tool.sh` around lines 17 - 19, The script currently sets
arch and os but doesn't normalize Git Bash/MSYS/Cygwin to "windows" and doesn't
set bin_ext/handle ZIP branches for tools other than gitleaks; update the os
detection so uname variants used by Git Bash/MSYS/Cygwin map to "windows" (so os
becomes "windows"), set archive_ext="zip" and bin_ext=".exe" when os is
"windows", and in each ZIP-handling branch for addlicense, tflint,
terraform-docs, vale, checkov (the blocks that currently extract zip archives)
ensure you install the extracted *.exe payloads into bin/<tool>.exe (using the
bin_ext variable) just like the gitleaks branch does; keep using the existing
variables arch, os, archive_ext, and bin_ext to locate and name the installed
files.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@Makefile`:
- Around line 150-155: The skip case in the Makefile loop doesn't match because
d includes a trailing slash (e.g., modules/rosa-cluster-hcp/), so the pattern
case "$$d" in */rosa-cluster-hcp) never triggers; update the case to match the
trailing slash (e.g., change the pattern to */rosa-cluster-hcp/) or normalize
the value (e.g., use "${d%/}" in the case) so the rosa-cluster-hcp directory is
properly skipped in the for d in modules/*/; do ... CHECKOV invocation.

📥 Commits

Reviewing files that changed from the base of the PR and between 44c409e and 0a834c0.

📒 Files selected for processing (35)
  • .coderabbit.yaml
  • .dockerignore
  • .github/pull_request_template.md
  • .github/workflows/check-commit-format.yml
  • .github/workflows/generate-terraform-docs.yaml
  • .github/workflows/license-check.yaml
  • .github/workflows/test.yml
  • .github/workflows/verify-min-terraform.yml
  • .gitignore
  • .gitleaks.toml
  • .trivyignore
  • AGENTS.md
  • CONTRIBUTING.md
  • Dockerfile
  • Makefile
  • README.md
  • checkov.yaml
  • examples/rosa-hcp-private-shared-vpc/outputs.tf
  • examples/rosa-hcp-private-with-additional-control-plane-security-groups/outputs.tf
  • examples/rosa-hcp-private/outputs.tf
  • examples/rosa-hcp-public-unmanaged-oidc/outputs.tf
  • examples/rosa-hcp-public-with-multiple-machinepools-and-idps/outputs.tf
  • examples/rosa-hcp-public/outputs.tf
  • hack/aws-cli-public-key.asc
  • hack/checksums/checkov-3.2.529.sha256sums
  • hack/install-release-tool.sh
  • hack/run-checks.sh
  • main.tf
  • modules/bastion-host/main.tf
  • modules/oidc-config-and-provider/main.tf
  • renovate.json
  • scripts/add-license-header.sh
  • scripts/terraform-docs.sh
  • trivy.yaml
  • variables.tf
💤 Files with no reviewable changes (7)
  • hack/run-checks.sh
  • trivy.yaml
  • modules/oidc-config-and-provider/main.tf
  • .github/workflows/test.yml
  • .github/workflows/license-check.yaml
  • .trivyignore
  • modules/bastion-host/main.tf
✅ Files skipped from review due to trivial changes (8)
  • .coderabbit.yaml
  • hack/checksums/checkov-3.2.529.sha256sums
  • .github/pull_request_template.md
  • .gitleaks.toml
  • examples/rosa-hcp-private-with-additional-control-plane-security-groups/outputs.tf
  • .dockerignore
  • README.md
  • .gitignore
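The release-binary installer described in the PR body (hack/install-release-tool.sh with SHA256 verification) and the Windows .exe finding above, as one added example that is not the repository's script: it assumes GNU coreutils (sha256sum, install), a sha256sums file in the "<hex>  <asset>" form, and constructed asset, directory and tool names.

```shell
#!/bin/sh
# Added example, not hack/install-release-tool.sh from the repository: the core
# steps such an installer needs, runnable offline against constructed files.
# Assumes GNU coreutils (sha256sum, install) and sha256sums lines of the form
# "<hex>  <asset-name>", as published alongside GitHub release assets.
set -eu

# Map uname output to the os/arch names release assets use. Git Bash, MSYS and
# Cygwin report e.g. MINGW64_NT-10.0, so lower-case before pattern matching.
normalize_platform() {
  os="$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')"
  case "$os" in
    mingw*|msys*|cygwin*|windows*) os="windows" ;;
    linux|darwin) ;;
    *) echo "unsupported os: $1" >&2; return 1 ;;
  esac
  case "$2" in
    x86_64|amd64) arch="amd64" ;;
    aarch64|arm64) arch="arm64" ;;
    *) echo "unsupported arch: $2" >&2; return 1 ;;
  esac
  printf '%s %s\n' "$os" "$arch"
}

# Check one downloaded asset against a sha256sums file before it is installed.
# Fails closed: a missing entry or a digest mismatch returns 1.
verify_sha256() {
  file="$1"; sums="$2"
  name="$(basename "$file")"
  # Entries may read "hash  name" or "hash *name" (binary-mode marker).
  expected="$(awk -v n="$name" '{ f = $2; sub(/^\*/, "", f) } f == n { print $1; exit }' "$sums")"
  if [ -z "$expected" ]; then
    echo "no checksum entry for $name" >&2; return 1
  fi
  actual="$(sha256sum "$file" | awk '{ print $1 }')"
  if [ "$actual" != "$expected" ]; then
    echo "sha256 mismatch for $name" >&2; return 1
  fi
}

# Install into dest_dir only after the digest checks out. On windows the
# Makefile targets expect bin/<tool>.exe, which is the review finding above.
install_release_binary() {
  file="$1"; sums="$2"; dest_dir="$3"; os="$4"; tool="$5"; ext=""
  verify_sha256 "$file" "$sums" || return 1
  case "$os" in windows) ext=".exe" ;; esac
  mkdir -p "$dest_dir"
  install -m 0755 "$file" "$dest_dir/$tool$ext"
  printf '%s\n' "$dest_dir/$tool$ext"
}

# Stand-alone run: a constructed asset, its sums file, and one install.
demo() {
  tmp="$(mktemp -d)"
  printf 'constructed release payload\n' > "$tmp/tflint_linux_amd64"
  (cd "$tmp" && sha256sum tflint_linux_amd64 > sums)
  normalize_platform MINGW64_NT-10.0 x86_64
  install_release_binary "$tmp/tflint_linux_amd64" "$tmp/sums" "$tmp/bin" linux tflint
  rm -rf "$tmp"
}
demo
```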

Unify the module merge gate in Makefile (inline pre-push-checks),
add make tools for pinned CLI installs, extend the CI client image,
add verify-min-terraform workflow, remove test.yml, and align docs.

Co-authored-by: Cursor <cursoragent@cursor.com>
Signed-off-by: Amanda Hager Lopes de Andrade Katz <amanda.katz@redhat.com>
@amandahla

Member Author

@coderabbitai resolve

@coderabbitai

coderabbitai Bot commented May 27, 2026

✅ Actions performed

Comments resolved. Approval is disabled; enable reviews.request_changes_workflow to allow explicit top-level @coderabbitai resolve or @coderabbitai approve commands.

@amandahla amandahla requested a review from olucasfreitas May 27, 2026 14:28
@olucasfreitas

Contributor

/lgtm
/approve

@openshift-ci

openshift-ci Bot commented Jun 1, 2026


[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: amandahla, olucasfreitas

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:
  • OWNERS [amandahla,olucasfreitas]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@amandahla

Member Author

/override ci/prow/rosa-hcp-private
/override ci/prow/rosa-hcp-public

Failures not related to the PR: error while cleaning VPCs

@openshift-ci

openshift-ci Bot commented Jun 2, 2026


@amandahla: Overrode contexts on behalf of amandahla: ci/prow/rosa-hcp-private, ci/prow/rosa-hcp-public

Details

In response to this:

/override ci/prow/rosa-hcp-private
/override ci/prow/rosa-hcp-public

Failures not related to the PR: error while cleaning VPCs

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@openshift-merge-bot openshift-merge-bot Bot merged commit 802ee75 into terraform-redhat:main Jun 2, 2026
11 checks passed