Skip to content

Add branch protection for medik8s org#76526

Merged
openshift-merge-bot[bot] merged 2 commits intoopenshift:mainfrom
razo7:medik8s-branch-protection
Mar 19, 2026
Merged

Add branch protection for medik8s org#76526
openshift-merge-bot[bot] merged 2 commits intoopenshift:mainfrom
razo7:medik8s-branch-protection

Conversation

@razo7
Copy link
Member

@razo7 razo7 commented Mar 19, 2026

Why we need this MR:

Branch protection on medik8s repos currently only has required status checks, force push blocked, and deletion blocked (from Prow's protect-tested-repos: true defaults). PR review requirements were never configured, meaning anyone with write access can push directly to protected branches bypassing the PR workflow. Required by Red Hat source code controls audit — Section 6.1.

Changes made:

Add a branch-protection stanza to medik8s _prowconfig.yaml that applies org-wide via the Prow branchprotector:

Which issue(s) this MR fixes:

RHWA-788

@razo7
Add branch protection for medik8s org
6dffdc7 
Required by Red Hat source code controls audit (Section 6.1).

https://redhat.atlassian.net/browse/RHWA-788

Assisted-by: Claude claude-opus-4-6
@openshift-ci-robot openshift-ci-robot added the rehearsals-ack Signifies that rehearsal jobs have been acknowledged label Mar 19, 2026
@openshift-ci openshift-ci bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Mar 19, 2026
@razo7
Run make prow-config to determinize config
5fd061b 
Assisted-by: Claude claude-opus-4-6
@openshift-ci-robot
Copy link
Contributor

openshift-ci-robot commented Mar 19, 2026

[REHEARSALNOTIFIER]
@razo7: no rehearsable tests are affected by this change

Note: If this PR includes changes to step registry files (ci-operator/step-registry/) and you expected jobs to be found, try rebasing your PR onto the base branch. This helps pj-rehearse accurately detect changes when the base branch has moved forward.

Interacting with pj-rehearse

Comment: /pj-rehearse to run up to 5 rehearsals
Comment: /pj-rehearse skip to opt-out of rehearsals
Comment: /pj-rehearse {test-name}, with each test separated by a space, to run one or more specific rehearsals
Comment: /pj-rehearse more to run up to 10 rehearsals
Comment: /pj-rehearse max to run up to 25 rehearsals
Comment: /pj-rehearse auto-ack to run up to 5 rehearsals, and add the rehearsals-ack label on success
Comment: /pj-rehearse list to get an up-to-date list of affected jobs
Comment: /pj-rehearse abort to abort all active rehearsals
Comment: /pj-rehearse network-access-allowed to allow rehearsals of tests that have the restrict_network_access field set to false. This must be executed by an openshift org member who is not the PR author

Once you are satisfied with the results of the rehearsals, comment: /pj-rehearse ack to unblock merge. When the rehearsals-ack label is present on your PR, merge will no longer be blocked by rehearsals.
If you would like the rehearsals-ack label removed, comment: /pj-rehearse reject to re-block merging.

@openshift-ci
Copy link
Contributor

openshift-ci bot commented Mar 19, 2026

@razo7: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

mshitrit
mshitrit reviewed Mar 19, 2026
View reviewed changes
core-services/prow/02_config/medik8s/_prowconfig.yaml
Comment on lines +6 to +8
dismiss_stale_reviews: true
require_code_owner_reviews: true
required_approving_review_count: 1
Copy link
Contributor

@mshitrit mshitrit Mar 19, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

IIUC this part is already enforced.
Is it because it's set on each repo individually , or am I missing something here ?

Copy link
Member Author

@razo7 razo7 Mar 19, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

IIUC this part is already enforced.

Please elaborate on how

Copy link
Contributor

@mshitrit mshitrit Mar 19, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Sure,
For example taking this dismiss_stale_reviews: true
IIUC this means that pushing will prevent a previous confirmation.
ATM when we push new code it'll indeed remove the lgtm label.

mshitrit
mshitrit reviewed Mar 19, 2026
View reviewed changes
core-services/prow/02_config/medik8s/_prowconfig.yaml
branch-protection:
orgs:
medik8s:
enforce_admins: true
Copy link
Contributor

@mshitrit mshitrit Mar 19, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Not sure about that.
Don't we want to allow admins more flexibility ?

@slintes
Copy link
Member

slintes commented Mar 19, 2026

/lgtm

@openshift-ci openshift-ci bot added the lgtm Indicates that a PR is ready to be merged. label Mar 19, 2026
@openshift-ci
Copy link
Contributor

openshift-ci bot commented Mar 19, 2026

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: razo7, slintes

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-merge-bot openshift-merge-bot bot merged commit 10e1a58 into openshift:main Mar 19, 2026
10 checks passed
@openshift-ci
Copy link
Contributor

openshift-ci bot commented Mar 19, 2026

@razo7: Updated the config configmap in namespace ci at cluster app.ci using the following files:

  • key core-services-prow-02_config-medik8s-_prowconfig.yaml using file core-services/prow/02_config/medik8s/_prowconfig.yaml
Details

In response to this:

Why we need this MR:

Branch protection on medik8s repos currently only has required status checks, force push blocked, and deletion blocked (from Prow's protect-tested-repos: true defaults). PR review requirements were never configured, meaning anyone with write access can push directly to protected branches bypassing the PR workflow. Required by Red Hat source code controls audit — Section 6.1.

Changes made:

Add a branch-protection stanza to medik8s _prowconfig.yaml that applies org-wide via the Prow branchprotector:

Which issue(s) this MR fixes:

RHWA-788

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@danilo-gemoli danilo-gemoli Awaiting requested review from danilo-gemoli

@liangxia liangxia Awaiting requested review from liangxia

1 more reviewer

@mshitrit mshitrit mshitrit left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

@slintes slintes

Labels

approved Indicates a PR has been approved by an approver from all required OWNERS files. lgtm Indicates that a PR is ready to be merged. rehearsals-ack Signifies that rehearsal jobs have been acknowledged

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@razo7 @openshift-ci-robot @slintes @mshitrit