OCPBUGS-85084: fix(ci): rewrite dependabot commit messages to pass gitlint#8435

Merged
openshift-merge-bot[bot] merged 1 commit intoopenshift:mainfrom
jparrill:OCPBUGS-85084
May 6, 2026

Conversation

jparrill (Contributor) commented May 6, 2026

Summary

  • Adds a GitHub Actions workflow that triggers via workflow_run after the Gitlint check fails for dependabot PRs
  • Parses the commit body to extract library names and version ranges, then reconstructs a clean message that passes gitlint validation
  • Fixes the systemic issue where all dependabot PRs fail CI due to auto-generated body lines exceeding body-max-line-length=140
  • Follows the repo's caller + reusable @main workflow pattern for consistency and security

Related: OCPBUGS-85084 | dependabot-core#2445

Structure

File | Role
dependabot-commit-fix.yaml | Caller — triggers on workflow_run (Gitlint failure + dependabot actor), delegates to reusable @main
dependabot-commit-fix-reusable.yaml | Reusable — receives head_sha and head_branch as inputs, rewrites the commit body and pushes

Flow

  1. Dependabot opens PR → Gitlint runs → fails (body lines exceed 140 chars)
  2. dependabot-commit-fix.yaml triggers → calls reusable workflow
  3. Reusable checks out the exact commit (head_sha), parses Updates lines, reconstructs clean body
  4. Pushes amended commit → Gitlint re-runs → passes

Example

Current dependabot commit (fails gitlint, 476 chars on one line):

Bumps the azure-github-dependencies group with 4 updates in the / directory: [github.com/Azure/azure-sdk-for-go/sdk/azidentity](https://github.com/Azure/azure-sdk-for-go), ...

After this workflow rewrites it:

build(deps): bump the azure-github-dependencies group

- azidentity: 1.8.2 => 1.9.0
- armstorage: 1.7.0 => 1.8.0
- azkeys: 1.3.0 => 1.4.0
- msi-dataplane: 1.1.0 => 1.2.0

Signed-off-by: dependabot[bot] <support@github.com>

cc @bryan-cox

Test plan

  • Verify gitlint passes on reconstructed single-dep message (tested locally ✅)
  • Verify gitlint passes on reconstructed multi-dep message (tested locally ✅)
  • Verify fallback fold path passes gitlint with no duplicate Signed-off-by (tested locally ✅)
  • YAML validation passes on both workflow files
  • Merge and wait for next dependabot PR to validate end-to-end

🤖 Generated with Claude Code
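The parse-and-reconstruct flow above, together with the fallback fold path from the test plan, written as a stand-alone shell script; this is an added illustration, not the PR's workflow code. It turns each "Updates `lib` from X to Y" line into a bullet, keeps exactly one Signed-off-by trailer, folds any other body at 140 columns, and measures the result the way gitlint's B1 rule does; the sample commit message is constructed to mimic dependabot's format.

```shell
#!/usr/bin/env bash
# Added example (not the PR's workflow code): rewrite a dependabot commit
# message so every body line fits gitlint's body-max-line-length=140.
# Reads the message on stdin and prints the rewritten message on stdout.

MAX_LEN=140

# Constructed sample mimicking a grouped dependabot bump; not a real commit.
SAMPLE_MSG='build(deps): bump the azure-github-dependencies group

Bumps the azure-github-dependencies group with 2 updates in the / directory: [github.com/Azure/azure-sdk-for-go/sdk/azidentity](https://github.com/Azure/azure-sdk-for-go) and [github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/azkeys](https://github.com/Azure/azure-sdk-for-go).

Updates `github.com/Azure/azure-sdk-for-go/sdk/azidentity` from 1.8.2 to 1.9.0
- [Release notes](https://github.com/Azure/azure-sdk-for-go/releases)
- [Commits](https://github.com/Azure/azure-sdk-for-go/compare/sdk/azidentity/v1.8.2...sdk/azidentity/v1.9.0)

Updates `github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/azkeys` from 1.3.0 to 1.4.0

Signed-off-by: dependabot[bot] <support@github.com>'

# Fold one bullet so the first line and every continuation line (indented two
# spaces) stay within MAX_LEN, and strip the trailing blank fold leaves behind.
wrap_bullet() {
  printf '%s\n' "$1" \
    | fold -s -w $((MAX_LEN - 2)) \
    | sed -e 's/[[:space:]]*$//' -e '2,$s/^/  /'
}

# Longest line on stdin, in characters; this is what gitlint's B1 rule measures.
max_line_len() {
  awk '{ if (length($0) > m) m = length($0) } END { print m + 0 }'
}

# Number of Signed-off-by trailers on stdin (the rewrite must keep exactly one).
signoff_count() {
  grep -c '^Signed-off-by:' || true
}

rewrite_message() {
  local msg subject body signoff new_body
  msg=$(cat)
  subject=$(printf '%s\n' "$msg" | sed -n '1p')
  body=$(printf '%s\n' "$msg" | sed '1d')

  # Set the first Signed-off-by aside and drop every trailer from the body, so
  # neither path can end up with the trailer twice.
  signoff=$(printf '%s\n' "$body" | sed -n '/^Signed-off-by:/{p;q;}')
  body=$(printf '%s\n' "$body" | grep -v '^Signed-off-by:' | sed '/./,$!d')

  # Turn each "Updates `lib` from X to Y" line into "- <basename>: X => Y".
  new_body=$(printf '%s\n' "$body" \
    | sed -nE 's/^Updates `([^`]+)` from ([^ ]+) to ([^ ]+).*$/\1|\2|\3/p' \
    | while IFS='|' read -r lib from to; do
        wrap_bullet "- $(basename "$lib"): ${from} => ${to}"
      done)

  # Fallback for messages without Updates lines: fold the prose body at MAX_LEN.
  if [ -z "$new_body" ]; then
    new_body=$(printf '%s\n' "$body" | fold -s -w "$MAX_LEN" | sed 's/[[:space:]]*$//')
  fi

  printf '%s\n\n%s\n' "$subject" "$new_body"
  if [ -n "$signoff" ]; then
    printf '\n%s\n' "$signoff"
  fi
}

# Stand-alone run: rewrite the constructed sample.
printf '%s\n' "$SAMPLE_MSG" | rewrite_message
```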

openshift-merge-bot (Contributor) commented:
Pipeline controller notification
This repo is configured to use the pipeline controller. Second-stage tests will be triggered either automatically or after lgtm label is added, depending on the repository configuration. The pipeline controller will automatically detect which contexts are required and will utilize /test Prow commands to trigger the second stage.

For optional jobs, comment /test ? to see a list of all defined jobs. To trigger manually all jobs from second stage use /pipeline required command.

This repository is configured in: LGTM mode

@openshift-ci-robot openshift-ci-robot added the jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. label May 6, 2026
openshift-ci-robot commented:

@jparrill: This pull request references Jira Issue OCPBUGS-85084, which is invalid:

  • expected the bug to target the "5.0.0" version, but no target version was set

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

The bug has been updated to refer to the pull request using the external bug tracker.


Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@openshift-ci-robot openshift-ci-robot added the jira/invalid-bug Indicates that a referenced Jira bug is invalid for the branch this PR is targeting. label May 6, 2026
coderabbitai Bot commented May 6, 2026

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

  • @coderabbitai resume to resume automatic reviews.
  • @coderabbitai review to trigger a single review.

Walkthrough

A new reusable GitHub Actions workflow ("Fix Dependabot Commit Messages") and a wrapper workflow that triggers it were added. The wrapper listens for completed workflow_run events for Gitlint and invokes the reusable workflow only when the run failed and was initiated by Dependabot. The reusable workflow accepts head_sha and head_branch, checks out the repo, reads and parses the latest commit message (extracting dependency update lines or rewrapping the body), preserves a Signed-off-by line if present, amends the commit message, and force-pushes the amended commit back to the branch.

Sequence Diagram(s)

sequenceDiagram
  participant DependabotWorkflow as Dependabot Workflow
  participant Wrapper as Fix Dependabot Commit Messages (trigger)
  participant Reusable as Fix Dependabot Commit Messages (reusable)
  participant Runner as Actions Runner
  participant GitRepo as Git Repository

  DependabotWorkflow->>Wrapper: workflow_run (completed, failed)
  Wrapper->>Reusable: workflow_call (head_sha, head_branch)
  Reusable->>Runner: start job "fix-commit-message"
  Runner->>GitRepo: actions/checkout (fetch refs)
  Runner->>Runner: read last commit subject and body
  Runner->>Runner: parse dependency-update lines or wrap body
  Runner->>Runner: preserve Signed-off-by if present
  Runner->>GitRepo: git commit --amend (update message)
  Runner->>GitRepo: git push --force-with-lease
Pre-merge checks: 12 passed

Check name | Status | Explanation
Title check | Passed | The title clearly and specifically describes the main change: adding GitHub Actions workflows to rewrite dependabot commit messages to comply with gitlint requirements.
Docstring Coverage | Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check | Passed | Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check | Passed | Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names | Passed | PR adds only GitHub Actions workflow files (.github/workflows/), not Ginkgo test definitions. The check for stable test names does not apply to CI/CD workflow configurations.
Test Structure And Quality | Passed | The check requires reviewing Ginkgo test code, but this PR adds only GitHub Actions workflow YAML files. No Go test code is present, making the check non-applicable.
Microshift Test Compatibility | Passed | This PR adds only GitHub Actions workflow files (.yaml) for CI/CD automation, not Ginkgo e2e tests (.go). The custom check for MicroShift test compatibility is not applicable.
Single Node Openshift (Sno) Test Compatibility | Passed | PR adds GitHub Actions workflow files for CI/CD automation only. SNO compatibility check applies exclusively to new Ginkgo e2e tests, which this PR does not contain.
Topology-Aware Scheduling Compatibility | Passed | PR adds GitHub Actions CI/CD workflows only. No deployment manifests, operator code, controllers, or Kubernetes scheduling constraints are introduced. Check not applicable.
Ote Binary Stdout Contract | Passed | PR only adds GitHub Actions workflow YAML files for CI automation. The OTE Binary Stdout Contract check applies only to Go process-level code. No such code is present in this PR.
Ipv6 And Disconnected Network Test Compatibility | Passed | Check not applicable: PR adds GitHub Actions workflow YAML files, not Ginkgo e2e tests. Custom check targets Ginkgo test constructs only.
Description Check | Passed | Check skipped - CodeRabbit’s high-level summary is enabled.


@openshift-ci openshift-ci Bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label May 6, 2026
@openshift-ci openshift-ci Bot requested review from devguyio and sjenning May 6, 2026 08:54
jparrill (Contributor, Author) commented May 6, 2026

/cc @bryan-cox PTAL :)

coderabbitai Bot left a comment

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/dependabot-commit-fix.yaml:
- Around line 48-50: The current multiline quoted assignment to NEW_BODY inside
the loop (using variables UPDATES, short, source, target) injects an embedded
newline that breaks YAML parsing; change the append to build the string without
splitting a quoted literal across lines — e.g., append a single-line formatted
entry (including a terminating newline) to NEW_BODY using a safe one-line method
such as printf -v or NEW_BODY+= with an explicit "\n" so the loop that reads
UPDATES produces properly escaped single-line YAML content.
- Around line 23-24: Replace the checkout ref that uses
github.event.workflow_run.head_branch with the exact commit SHA
github.event.workflow_run.head_sha in the checkout step (the line currently
showing "ref: ${{ github.event.workflow_run.head_branch }}") so the action
checks out the precise commit that triggered the workflow; also update the push
command used later in the job to explicitly target the branch ref (i.e., include
the branch name/ref in the git push) so the force-push amends the intended ref
rather than pushing to an ambiguous head.
📥 Commits

Reviewing files that changed from the base of the PR and between 7ac2953 and 9cb5707.

📒 Files selected for processing (1)
  • .github/workflows/dependabot-commit-fix.yaml

jparrill (Contributor, Author) commented May 6, 2026

/area ci-tooling

@openshift-ci openshift-ci Bot added area/ci-tooling Indicates the PR includes changes for CI or tooling and removed do-not-merge/needs-area labels May 6, 2026
jparrill (Contributor, Author) commented May 6, 2026

/jira refresh

@openshift-ci-robot openshift-ci-robot added jira/valid-bug Indicates that a referenced Jira bug is valid for the branch this PR is targeting. and removed jira/invalid-bug Indicates that a referenced Jira bug is invalid for the branch this PR is targeting. labels May 6, 2026
openshift-ci-robot commented:

@jparrill: This pull request references Jira Issue OCPBUGS-85084, which is valid. The bug has been moved to the POST state.

3 validation(s) were run on this bug
  • bug is open, matching expected state (open)
  • bug target version (5.0.0) matches configured target version for branch (5.0.0)
  • bug is in the state New, which is one of the valid states (NEW, ASSIGNED, POST)

coderabbitai Bot left a comment

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/dependabot-commit-fix.yaml:
- Around line 38-43: The fallback wrapping path currently folds the full BODY
into WRAPPED and sets NEW_BODY="$WRAPPED", which causes duplicated
"Signed-off-by:" trailers because the later block appends the first
Signed-off-by again; update the logic to detect and extract any trailing
"Signed-off-by:" line(s) from BODY into a separate TRAILER variable (or
FIRST_SIGNED_OFF), remove those lines from BODY before running fold into
WRAPPED, set NEW_BODY="$WRAPPED" and then append the preserved TRAILER exactly
once; reference the existing variables WRAPPED, BODY, NEW_BODY and the block
that appends the first "Signed-off-by:" to implement this change.
- Around line 33-34: The UPDATES extraction pipeline can fail if grep returns
non-zero; replace the two-step grep+sed pipeline used to populate the UPDATES
variable with a single non-failing sed extraction that reads from BODY (e.g.,
use sed -nE with the same regex and print only matches) so that UPDATES is set
to an empty string when there are no "Updates `...`" lines; update the
assignment that sets UPDATES to run only this sed command (refer to the UPDATES
variable and the current grep+sed pipeline) to make the extraction non-fatal.
📥 Commits

Reviewing files that changed from the base of the PR and between 9cb5707 and 7a27ad2.

📒 Files selected for processing (1)
  • .github/workflows/dependabot-commit-fix.yaml

openshift-ci-robot commented:

@jparrill: This pull request references Jira Issue OCPBUGS-85084, which is valid.

3 validation(s) were run on this bug
  • bug is open, matching expected state (open)
  • bug target version (5.0.0) matches configured target version for branch (5.0.0)
  • bug is in the state POST, which is one of the valid states (NEW, ASSIGNED, POST)
In response to this:

Summary by CodeRabbit

  • Chores
  • Added an automated workflow to standardize dependency-update commit messages. It formats update lines or wraps long bodies for readability, preserves subject, author and sign-off lines, and automatically updates the most recent commit when formatting is applied.
  • Improves consistency and clarity of dependency update commits across the repository.


coderabbitai Bot left a comment

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/dependabot-commit-fix.yaml:
- Around line 49-53: The generated bullet lines inside the while loop that
builds NEW_BODY (the "- ${short}: ${source} => ${target}" template) can exceed
140 chars; update the loop that reads UPDATES to wrap each generated bullet to
140 columns before appending to NEW_BODY (e.g., produce the single bullet string
then run it through a line-wrapping command like fold/fmt with -w 140 and -s,
preserving the leading "- " indent on wrapped lines) so that every appended
chunk respects the 140-char gitlint rule.
📥 Commits

Reviewing files that changed from the base of the PR and between 7a27ad2 and 025a583.

📒 Files selected for processing (1)
  • .github/workflows/dependabot-commit-fix.yaml

jparrill (Contributor, Author) commented May 6, 2026

Local testing

Verified parsing + gitlint compliance against real dependabot commit messages.

Test 1: Single dependency (PR #8392) — PASS ✅

Before (dependabot auto-generated):

Bumps the k8s-dependencies group in /hack/tools with 1 update: [sigs.k8s.io/controller-runtime/tools/setup-envtest](https://github.com/kubernetes-sigs/controller-runtime).
Updates `sigs.k8s.io/controller-runtime/tools/setup-envtest` from 0.0.0-20260125163108-a19ec76a3c5d to 0.24.0
- [Release notes](https://github.com/...)
...
Signed-off-by: dependabot[bot] <support@github.com>

gitlint → B1 Line exceeds max length (218>140)

After (workflow rewrite):

- setup-envtest: 0.0.0-20260125163108-a19ec76a3c5d => 0.24.0

Signed-off-by: dependabot[bot] <support@github.com>

gitlint → PASS

Test 2: Multi-dependency (4 Azure SDK deps) — PASS ✅

Before: 476-char line with 4 full GitHub URLs on one line → B1 Line exceeds max length (476>140)

After (workflow rewrite):

- azidentity: 1.8.2 => 1.9.0
- armstorage: 1.7.0 => 1.8.0
- azkeys: 1.3.0 => 1.4.0
- msi-dataplane: 1.1.0 => 1.2.0

Signed-off-by: dependabot[bot] <support@github.com>

gitlint → PASS

Test 3: Fallback path (no Updates lines, fold wrapping) — PASS ✅

Before: 170-char body line → B1 Line exceeds max length (170>140)
After: wrapped at 140 chars, trailing whitespace stripped, Signed-off-by count: 1 (no duplication)
gitlint → PASS

YAML validation: python3 -c "import yaml; yaml.safe_load(open(...))" → OK

coderabbitai Bot left a comment

♻️ Duplicate comments (1)
.github/workflows/dependabot-commit-fix.yaml (1)

49-53: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Wrap generated dependency bullets before composing NEW_BODY.

Line 51 appends raw bullet lines; long source/target values can still exceed 140 chars and keep gitlint failing.

Suggested fix
           else
             NEW_BODY=""
             while IFS='|' read -r lib source target; do
               short=$(basename "$lib")
-              NEW_BODY+="- ${short}: ${source} => ${target}"$'\n'
+              bullet="- ${short}: ${source} => ${target}"
+              wrapped=$(printf '%s\n' "$bullet" | fold -w 140 | sed '2,$s/^/  /')
+              NEW_BODY+="${wrapped}"$'\n'
             done <<< "$UPDATES"
           fi
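Review bot: the continuation indent in the added `wrapped=$(printf '%s\n' "$bullet" | fold -w 140 | sed '2,$s/^/  /')` line is applied after folding at 140 columns, so a continuation line can come out at 142 characters and still trip the 140-character B1 rule this change is meant to satisfy; fold at `$((140 - 2))` so the indented lines fit, and consider `fold -s` so version strings and module paths are split at blanks rather than mid-token.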
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/dependabot-commit-fix.yaml around lines 49 - 53, The loop
that builds NEW_BODY from UPDATES (while IFS='|' read -r lib source target;
short=$(basename "$lib")) currently appends raw bullet lines which can exceed
140 chars; instead wrap each generated bullet to 140 chars before concatenation
(e.g., build the bullet string "- ${short}: ${source} => ${target}", pipe it
through a wrapping utility like fold or fmt with -w 140 -s, and prefix wrapped
continuation lines with spaces to preserve bullet formatting) and then append
the wrapped result to NEW_BODY so long source/target values won't trigger
gitlint failures.

📥 Commits

Reviewing files that changed from the base of the PR and between 025a583 and c8921ff.

📒 Files selected for processing (1)
  • .github/workflows/dependabot-commit-fix.yaml

Dependabot auto-generates commit body lines with URLs that exceed
the body-max-line-length=140 limit in .gitlint. This is not
configurable in dependabot (dependabot-core#2445).

Add a workflow that triggers via workflow_run after Gitlint fails
for dependabot PRs. It parses the commit body, extracts library
names and version ranges, and reconstructs a clean message that
passes gitlint validation.

Closes: OCPBUGS-85084

Commit-Message-Assisted-by: Claude (via Claude Code)
Signed-off-by: Juan Manuel Parrilla Madrid <jparrill@redhat.com>
bryan-cox (Member) left a comment

/lgtm

@openshift-ci openshift-ci Bot added the lgtm Indicates that a PR is ready to be merged. label May 6, 2026
openshift-merge-bot (Contributor) commented:

Pipeline controller notification

No second-stage tests were triggered for this PR.

This can happen when:

  • The changed files don't match any pipeline_run_if_changed patterns
  • All files match pipeline_skip_if_only_changed patterns
  • No pipeline-controlled jobs are defined for the main branch

Use /test ? to see all available tests.

openshift-ci Bot commented May 6, 2026

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: bryan-cox, jparrill


bryan-cox (Member) commented:

/verified later @jparrill

@openshift-ci-robot openshift-ci-robot added verified-later verified Signifies that the PR passed pre-merge verification criteria labels May 6, 2026
openshift-ci-robot commented:

@bryan-cox: This PR has been marked to be verified later by @jparrill.


openshift-ci Bot commented May 6, 2026

@jparrill: all tests passed!



@openshift-merge-bot openshift-merge-bot Bot merged commit 5a83831 into openshift:main May 6, 2026
18 checks passed
openshift-ci-robot commented:

@jparrill: Jira Issue OCPBUGS-85084: All pull requests linked via external trackers have merged:

This pull request has the verified-later tag and will need to be manually moved to VERIFIED after testing. Jira Issue OCPBUGS-85084 has been moved to the MODIFIED state.
