Skip to content

feat: Add konflux-kargo-bot bot to trusted applications for infra deployments#81377

Open
flacatus wants to merge 1 commit into
openshift:mainfrom
flacatus:trust_bot
Open

feat: Add konflux-kargo-bot bot to trusted applications for infra deployments#81377
flacatus wants to merge 1 commit into
openshift:mainfrom
flacatus:trust_bot

Conversation

@flacatus

@flacatus flacatus commented Jul 2, 2026

Copy link
Copy Markdown
Contributor

Summary by CodeRabbit

This change updates the trusted app configuration for the redhat-appstudio/infra-deployments repository in OpenShift CI so konflux-kargo-bot can be used for infrastructure deployment automation. It expands the set of approved applications that can interact with this repo’s trusted trigger flow, while keeping the existing trusted bots in place.

…loyments

Signed-off-by: flacatus <flacatus@redhat.com>
@openshift-ci openshift-ci Bot requested review from arewm and oswcab July 2, 2026 09:36
@openshift-ci

openshift-ci Bot commented Jul 2, 2026

Copy link
Copy Markdown
Contributor

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: flacatus
Once this PR has been reviewed and has the lgtm label, please assign mshaposhnik for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@coderabbitai

coderabbitai Bot commented Jul 2, 2026

Copy link
Copy Markdown
Contributor

Walkthrough

This PR updates the Prow trigger plugin configuration for the redhat-appstudio/infra-deployments repository, adding an org_invite rule and extending the trusted_apps list with an additional bot entry.

Changes

Trigger Configuration Update

Layer / File(s) Summary
Trigger org_invite and trusted_apps update
core-services/prow/02_config/redhat-appstudio/infra-deployments/_pluginconfig.yaml
Adds an org_invite section with prominent: {} and extends the trusted_apps list for redhat-appstudio/infra-deployments to include konflux-kargo-bot, preserving existing entries.

Estimated code review effort: 1 (Trivial) | ~3 minutes

🚥 Pre-merge checks | ✅ 15
✅ Passed checks (15 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title clearly summarizes the main change by adding konflux-kargo-bot to trusted applications for infra deployments.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names ✅ Passed PR only changes a prow plugin YAML; no Ginkgo test titles or test files were added or edited.
Test Structure And Quality ✅ Passed PR only changes a prow pluginconfig YAML; no Ginkgo tests or cluster-interaction test code were modified, so the checklist is not applicable.
Microshift Test Compatibility ✅ Passed PASS: The PR only updates a prow plugin YAML to trust konflux-kargo-bot; no Ginkgo/e2e tests were added or modified, so MicroShift compatibility is not applicable.
Single Node Openshift (Sno) Test Compatibility ✅ Passed PR only changes prow plugin config; no Ginkgo e2e tests or SNO-sensitive logic were added, so this check is not applicable.
Topology-Aware Scheduling Compatibility ✅ Passed Only Prow plugin config changed; no manifests/controllers or scheduling fields are present, so topology-aware scheduling constraints are not implicated.
Ote Binary Stdout Contract ✅ Passed Only a YAML pluginconfig change; no main/init/suite code or stdout writes were added, so the OTE stdout contract isn’t impacted.
Ipv6 And Disconnected Network Test Compatibility ✅ Passed Only a Prow YAML trigger config changed; no new Ginkgo e2e tests or network code were added, so IPv4/disconnected checks are not applicable.
No-Weak-Crypto ✅ Passed Touched YAML only updates trusted app triggers; no weak-crypto, custom crypto, or secret-comparison code is present.
Container-Privileges ✅ Passed Scanned 741 changed manifest-like files; no privileged, hostNetwork/PID/IPC, SYS_ADMIN, or allowPrivilegeEscalation=true fields were added.
No-Sensitive-Data-In-Logs ✅ Passed The PR only updates a YAML plugin config; no log statements or sensitive-data-bearing code were added, and the touched file has no such terms.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@openshift-merge-bot

Copy link
Copy Markdown
Contributor

[REHEARSALNOTIFIER]
@flacatus: no rehearsable tests are affected by this change

Note: If this PR includes changes to step registry files (ci-operator/step-registry/) and you expected jobs to be found, try rebasing your PR onto the base branch. This helps pj-rehearse accurately detect changes when the base branch has moved forward.

@openshift-merge-bot openshift-merge-bot Bot added the rehearsals-ack Signifies that rehearsal jobs have been acknowledged label Jul 2, 2026

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In
`@core-services/prow/02_config/redhat-appstudio/infra-deployments/_pluginconfig.yaml`:
- Around line 69-70: Remove the unsupported nested prominent field from the
org_invite trigger config so only the valid org_invite entry remains. Update the
_pluginconfig.yaml org_invite block to match the accepted trigger configuration
shape and ensure no extra keys are present under org_invite, since strict
validation will reject them.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: fe7ce14b-b695-4c8b-9fa1-39e94568dcd9

📥 Commits

Reviewing files that changed from the base of the PR and between d4f6fb2 and 9547960.

📒 Files selected for processing (1)
  • core-services/prow/02_config/redhat-appstudio/infra-deployments/_pluginconfig.yaml

Comment on lines +69 to +70
- org_invite:
prominent: {}

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🎯 Functional Correctness | 🟡 Minor | ⚡ Quick win

🧩 Analysis chain

🌐 Web query:

Does the Prow trigger plugin config support an "org_invite" field with a "prominent" option?

💡 Result:

The Prow trigger plugin configuration does not support an "org_invite" field with a "prominent" option [1][2]. While the "trigger" plugin configuration does contain an "org_invite" field (as seen in the plugins.OrgInviteConfig Go struct used in Prow's configuration package [1]), there is no "prominent" option associated with it [1][2]. The "org_invite" configuration generally relates to managing organization invitations [1], and existing documentation and source code definitions for Trigger and related structures do not define or reference a "prominent" setting [2].

Citations:


🏁 Script executed:

#!/bin/bash
set -euo pipefail

# Inspect the local usage and surrounding context for org_invite/prominent.
git ls-files 'core-services/prow/02_config/redhat-appstudio/infra-deployments/_pluginconfig.yaml' \
  'core-services/prow/**/_pluginconfig.yaml' \
  'core-services/prow/**/plugin*.yaml' \
  'core-services/prow/**/plugins*.yaml' | sed -n '1,200p'

echo
echo "=== org_invite occurrences ==="
rg -n --hidden --glob '!**/.git/**' 'org_invite|prominent' core-services prow ci-operator services cluster projects 2>/dev/null || true

echo
echo "=== surrounding lines from target file ==="
sed -n '55,90p' core-services/prow/02_config/redhat-appstudio/infra-deployments/_pluginconfig.yaml

Repository: openshift/release

Length of output: 15364


🌐 Web query:

Prow trigger plugin org_invite prominent config.go prominent option

💡 Result:

There is no known prominent option or configuration parameter named prominent within the Prow trigger plugin or its configuration files (e.g., config.go) [1][2][3]. Regarding the org_invite functionality, it is a feature within Prow that prompts contributors to join an organization after they have met a specific threshold of merged pull requests [4]. As of April 2026, this feature has been a subject of discussion regarding making it configurable [4]. Suggested configuration patterns for this functionality have been proposed to include fields such as [4]: disabled: (bool) To enable or disable the invitation. merged_pr_threshold: (int) To specify how many PRs a contributor must have merged before receiving the invite. org_join_guidelines: (string) A URL pointing to contribution guidelines. message: (string) A custom template for the invitation message. These configurations are intended to be implemented within a substruct (e.g., org_invite) inside the trigger plugin configuration to avoid mixing these settings with existing test trigger configurations [4]. As of the current date, you should refer to the latest documentation in pkg/plugins/config.go or the official Prow plugin configuration guides to verify if these specific fields have been merged into the main codebase [1][5].

Citations:


Drop the nested prominent key from org_invite. org_invite is valid here, but prominent: {} is not a supported trigger config field and will fail strict config validation. core-services/prow/02_config/redhat-appstudio/infra-deployments/_pluginconfig.yaml:69-70

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In
`@core-services/prow/02_config/redhat-appstudio/infra-deployments/_pluginconfig.yaml`
around lines 69 - 70, Remove the unsupported nested prominent field from the
org_invite trigger config so only the valid org_invite entry remains. Update the
_pluginconfig.yaml org_invite block to match the accepted trigger configuration
shape and ensure no extra keys are present under org_invite, since strict
validation will reject them.

@openshift-ci

openshift-ci Bot commented Jul 2, 2026

Copy link
Copy Markdown
Contributor

@flacatus: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name Commit Details Required Rerun command
ci/prow/prow-config 9547960 link true /test prow-config

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

rehearsals-ack Signifies that rehearsal jobs have been acknowledged

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant