Skip to content

RHOAIENG-58789: trust bots, lgtm, and scope xKS e2e triggers#3767

Open
rinaldodev wants to merge 1 commit into
opendatahub-io:mainfrom
rinaldodev:worktree-RHOAIENG-58789
Open

RHOAIENG-58789: trust bots, lgtm, and scope xKS e2e triggers#3767
rinaldodev wants to merge 1 commit into
opendatahub-io:mainfrom
rinaldodev:worktree-RHOAIENG-58789

Conversation

@rinaldodev

@rinaldodev rinaldodev commented Jul 6, 2026

Copy link
Copy Markdown
Contributor

Description

RHOAIENG-58789

author_association was supposed to auto-trust the right people, but it under-reports CONTRIBUTOR for cases that are actually trusted:

  • opendatahub-io members with private org visibility, including this PR's own author (#3676). Only 70 of 611 members are public, so this is most of the org.
  • Bots: odh-release-bot, jira-autofix, and dependabot (#3768, #3760, #3756).

The membership fix still needs its own investigation into org-level read access. As a stopgap, run-xks-e2e is now accepted whenever present instead of only on labeled, and those three bot logins are trusted directly since a login can't be spoofed.

lgtm is trusted too, but only at the exact labeled event: Prow strips it on every new commit here by default, so a malicious synchronize commit never carries the action lgtm needs, even before Prow removes the stale label.

Since that first gap covers most of the org, running the ODH xKS workflow on every PR relied too much on a signal that fails most of the time:

  • It only tests kserve on a Cloud Manager cluster (make e2e-test-xks sets E2E_TEST_COMPONENT=kserve), so its trigger is now scoped to kserve and cloudmanager paths.
  • Shared reconciler changes that could affect kserve indirectly won't trigger it anymore, a smaller gap than running on every PR.

How Has This Been Tested?

Workflow-only change. Confirmed by reading the updated trigger and authorization logic: a labeled PR keeps running after new commits, a trusted bot login or a fresh lgtm labeling runs automatically, an unlabeled PR from a non-trusted author still fails, and a PR touching unrelated paths doesn't trigger the ODH workflow at all.

Screenshot or short clip

N/A

Merge criteria

  • You have read the contributors guide.
  • Commit messages are meaningful - have a clear and concise summary and detailed explanation of what was changed and why.
  • Pull Request contains a description of the solution, a link to the JIRA issue, and to any dependent or related Pull Request.
  • Testing instructions have been added in the PR body (for PRs involving changes that are not immediately obvious).
  • The developer has manually tested the changes and verified that the changes work
  • The developer has run the integration test pipeline and verified that it passed successfully
  • New RELATED_IMAGE mappings are listed in ODH-Build-Config and RHOAI-Build-Config (CI validates names against build-config repos). Include links to build-config PRs in the description.

E2E test suite update requirement

  • Skip requirement to update E2E test suite for this PR

E2E update requirement opt-out justification

CI workflow configuration only. No operator source code or tests changed.

Summary by CodeRabbit

  • Bug Fixes
    • Improved end-to-end test auto-approval so PR labels are checked directly on the pull request, making runs more reliable.
    • Updated trusted contributor handling to recognize the correct author account for automated approval.
    • Limited one test workflow to relevant file changes, reducing unnecessary runs.

@rinaldodev

Copy link
Copy Markdown
Contributor Author

/hold

@coderabbitai

coderabbitai Bot commented Jul 6, 2026

Copy link
Copy Markdown
Contributor
📝 Walkthrough

Walkthrough

Two GitHub Actions workflows now derive run-xks-e2e authorization from the pull request’s current label set instead of the triggering event payload. One workflow also compares trusted-bot identity against AUTHOR_LOGIN and keeps the lgtm/approved label path. The other adds a paths filter on pull_request_target so it only runs for specified source, manifest, test, script, and workflow changes.

Estimated code review effort: 3 (Moderate) | ~20 minutes

🚥 Pre-merge checks | ✅ 10
✅ Passed checks (10 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title accurately reflects the workflow changes to bot trust, lgtm handling, and xKS e2e trigger scope.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
Contribution Quality And Spam Detection ✅ Passed PASS: Tightly scoped 2-file workflow change with JIRA-linked, repo-specific rationale; no second spam/AI signal is evidenced.
No Hardcoded Secrets ✅ Passed No hardcoded credentials found; the diffs only add runtime secret refs and label/login gating, with no literals matching CWE-798/CWE-259.
No Weak Cryptography ✅ Passed No CWE-327/CWE-208 issues: the PR only adds label/login string checks and pinned action SHAs; no banned primitives or custom crypto found.
No Injection Vectors ✅ Passed PASS: Changed workflows only use quoted bash comparisons on PR labels/logins; no eval/exec, shell=True, yaml.load, SQL, or innerHTML patterns. No CWE-78/89/94/502/79 vector.
No Privileged Containers ✅ Passed Only CI workflow YAMLs changed; no manifests/Dockerfiles or privileged fields (CWE-250/CWE-266 risk) were introduced.
No Sensitive Data In Logs ✅ Passed No new CWE-532/CWE-200 log exposure: added workflow lines only change auth gating, with generic echo messages and no secret/token/PII dumps.

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@rinaldodev rinaldodev changed the title RHOAIENG-58789: avoid re-adding run-xks-e2e label every commit RHOAIENG-58789: scope ODH xKS trigger, keep run-xks-e2e label Jul 6, 2026
@rinaldodev

Copy link
Copy Markdown
Contributor Author

/unhold

types: [opened, labeled, synchronize, reopened]
branches:
- main
paths:

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think was better to keep all paths, since it now only require the label but we ensure to avoid other bugs.
Otherwise, we should also add all changes to all pkg folder (since changes in utilities could change behaviour in reconcilers), config/rhaii which is the manifests deployed to run those tests.

What do you think?

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@davidebianchi Until we can find a way to not need the label for private members, I'd rather not.
It adds value but also fricction, since 80% of org members are private and would require manually adding the label.

WDYT?

If you have a strong opinion I can change it.

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

With the addition of run with the lgtm + approved label, we could run it when those are added?
By the way, ok but I'd add at least the config/rhaii folder

@rinaldodev rinaldodev force-pushed the worktree-RHOAIENG-58789 branch from 3ff6a19 to f48fff1 Compare July 7, 2026 12:45
@rinaldodev rinaldodev changed the title RHOAIENG-58789: scope ODH xKS trigger, keep run-xks-e2e label RHOAIENG-58789: trust bots, lgtm, and scope xKS e2e triggers Jul 7, 2026

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/test-kind-odh-e2e.yaml:
- Around line 48-51: The run-xks-e2e label check is sticky because
get-merge-commit still uses github.event.pull_request.labels.*.name, so
synchronize updates can keep passing under pull_request_target after the label
was added. Update the gating logic in the workflow to verify the label against
the current head SHA or require a fresh approval/relabel for each push, and make
sure the job no longer proceeds into the checkout and make target steps unless
the current commit is explicitly re-approved. Refer to get-merge-commit and the
HAS_LABEL condition when adjusting the gate.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Central YAML (base), Organization UI (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 34085b87-e17f-4d29-a98f-a976b0b4935e

📥 Commits

Reviewing files that changed from the base of the PR and between 3ff6a19 and f48fff1.

📒 Files selected for processing (2)
  • .github/workflows/test-cloudmanager-e2e.yaml
  • .github/workflows/test-kind-odh-e2e.yaml
🚧 Files skipped from review as they are similar to previous changes (1)
  • .github/workflows/test-cloudmanager-e2e.yaml

Comment on lines +48 to +51
AUTHOR_LOGIN: ${{ github.event.pull_request.user.login }}
EVENT_ACTION: ${{ github.event.action }}
LABEL_NAME: ${{ github.event.label.name }}
HAS_LABEL: ${{ contains(github.event.pull_request.labels.*.name, 'run-xks-e2e') }}

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🔒 Security & Privacy | 🔴 Critical | 🏗️ Heavy lift

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
fd -a 'test-kind-odh-e2e.yaml' .github/workflows --exec sed -n '24,40p;92,101p' {}

Repository: opendatahub-io/opendatahub-operator

Length of output: 887


🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "== test-kind-odh-e2e.yaml (lines 40-80) =="
sed -n '40,80p' .github/workflows/test-kind-odh-e2e.yaml | cat -n

echo
echo "== get-merge-commit.yaml (entire file, line-numbered) =="
cat -n .github/workflows/get-merge-commit.yaml

Repository: opendatahub-io/opendatahub-operator

Length of output: 3797


Critical: make the run-xks-e2e gate non-sticky across pushes. .github/workflows/test-kind-odh-e2e.yaml:12,29-37 uses github.event.pull_request.labels.*.name, so once run-xks-e2e is added, later synchronize runs on new commits still pass under pull_request_target (CWE-829, CWE-284). The job then checks out needs.get-merge-commit.outputs.mergedSha and runs PR-controlled make targets with secrets.CCM_PULL_SECRET in scope, which is the prt-scan secret-exfiltration pattern. Revoke the label on push or require fresh approval for the current head SHA.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/test-kind-odh-e2e.yaml around lines 48 - 51, The
run-xks-e2e label check is sticky because get-merge-commit still uses
github.event.pull_request.labels.*.name, so synchronize updates can keep passing
under pull_request_target after the label was added. Update the gating logic in
the workflow to verify the label against the current head SHA or require a fresh
approval/relabel for each push, and make sure the job no longer proceeds into
the checkout and make target steps unless the current commit is explicitly
re-approved. Refer to get-merge-commit and the HAS_LABEL condition when
adjusting the gate.

Sources: Path instructions, Linters/SAST tools

Comment thread .github/workflows/test-cloudmanager-e2e.yaml Outdated
types: [opened, labeled, synchronize, reopened]
branches:
- main
paths:

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

With the addition of run with the lgtm + approved label, we could run it when those are added?
By the way, ok but I'd add at least the config/rhaii folder

author_association misreports opendatahub-io members with private org
visibility, so maintainers were having to re-add run-xks-e2e after every
commit even for people who are actually trusted. Until a reliable org
membership check is in place, accept the label as long as it is present
on the PR instead of only on the labeled event.

Bot-authored PRs (odh-release-bot, jira-autofix, dependabot) hit the same
gap: author_association reports CONTRIBUTOR for them regardless of the
app's actual permissions, confirmed on opendatahub-io#3768, opendatahub-io#3760, and opendatahub-io#3756. Trust
those exact logins the same way trusted human associations are trusted.

lgtm and approved are trusted too, but only at the exact labeled event,
not whenever present. Prow strips lgtm from a PR on every new commit by
default in this repo (no sticky_lgtm_team or store_tree_hash configured),
so a malicious synchronize commit never carries the labeled action either
label needs, even if Prow hasn't removed the stale lgtm yet. approved
isn't auto-revoked on push, but that doesn't matter here since the check
never inspects current label state, only the labeling event itself.

Given that author_association gap, running the ODH xKS workflow on every
PR relied too much on a trust signal that fails for most of the org. This
workflow only exercises the kserve component on a Cloud Manager-
provisioned cluster (make e2e-test-xks sets E2E_TEST_COMPONENT=kserve),
so scope its trigger to kserve, cloudmanager, and config/rhaii paths
(the manifests make deploy-rhaii-local deploys for this test) instead of
running on every PR. The cloudmanager workflow already has its own path
filter and keeps the label-and-authorization gate as its primary check,
since that is where the actual secret risk is.
@rinaldodev rinaldodev force-pushed the worktree-RHOAIENG-58789 branch from f48fff1 to 6ffa565 Compare July 7, 2026 14:44

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/test-kind-odh-e2e.yaml:
- Around line 54-64: Remove dependabot[bot] from the TRUSTED_BOTS allowlist in
the test-kind-odh-e2e workflow so Dependabot-authored pull_request_target runs
do not auto-enter the secret-bearing path. Keep the trusted-bot shortcut limited
to the other bot identities, and ensure dependabot stays on the
external-pr/label-based flow or is blocked from the steps that use
secrets.CCM_PULL_SECRET. If needed, adjust the job’s gating logic around the bot
check and the run-xks-e2e maintainer gate to prevent secret access for
Dependabot PRs.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Central YAML (base), Organization UI (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 17124c4f-0ff3-4844-a862-6c132f19a4c1

📥 Commits

Reviewing files that changed from the base of the PR and between f48fff1 and 6ffa565.

📒 Files selected for processing (2)
  • .github/workflows/test-cloudmanager-e2e.yaml
  • .github/workflows/test-kind-odh-e2e.yaml
🚧 Files skipped from review as they are similar to previous changes (1)
  • .github/workflows/test-cloudmanager-e2e.yaml

Comment on lines +54 to +64
TRUSTED_BOTS=("odh-release-bot[bot]" "jira-autofix[bot]" "dependabot[bot]")
if [[ "$AUTHOR_ASSOCIATION" =~ ^(OWNER|MEMBER|COLLABORATOR)$ ]]; then
echo "Trusted contributor — running automatically"
exit 0
fi
if [[ "$EVENT_ACTION" == "labeled" && "$LABEL_NAME" == "run-xks-e2e" ]]; then
for bot in "${TRUSTED_BOTS[@]}"; do
if [[ "$AUTHOR_LOGIN" == "$bot" ]]; then
echo "Trusted bot — running automatically"
exit 0
fi
done

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🔒 Security & Privacy | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
rg -nP 'dependabot|CCM_PULL_SECRET|pull_request_target' .github/workflows

Repository: opendatahub-io/opendatahub-operator

Length of output: 1068


🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "== outline test-kind workflow =="
ast-grep outline .github/workflows/test-kind-odh-e2e.yaml --view expanded || true

echo
echo "== relevant lines from test-kind workflow =="
sed -n '1,140p' .github/workflows/test-kind-odh-e2e.yaml | cat -n

echo
echo "== outline cloudmanager workflow =="
ast-grep outline .github/workflows/test-cloudmanager-e2e.yaml --view expanded || true

echo
echo "== relevant lines from cloudmanager workflow =="
sed -n '1,130p' .github/workflows/test-cloudmanager-e2e.yaml | cat -n

echo
echo "== search for label gates and trusted bot logic in workflows =="
rg -n 'run-xks-e2e|TRUSTED_BOTS|AUTHOR_ASSOCIATION|dependabot\[bot\]|CCM_PULL_SECRET|pull_request_target|mergedSha' .github/workflows

Repository: opendatahub-io/opendatahub-operator

Length of output: 17343


🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "== test-kind gate and secret-bearing step =="
sed -n '48,110p' .github/workflows/test-kind-odh-e2e.yaml | cat -n

echo
echo "== test-cloudmanager gate and secret-bearing step =="
sed -n '44,104p' .github/workflows/test-cloudmanager-e2e.yaml | cat -n

Repository: opendatahub-io/opendatahub-operator

Length of output: 6277


Remove dependabot[bot] from TRUSTED_BOTS. This pull_request_target job later uses secrets.CCM_PULL_SECRET, so a Dependabot-authored PR can reach the secret-bearing build/e2e path without the run-xks-e2e maintainer gate (CWE-829/CWE-200). Keep Dependabot on the external-pr label path or skip the secret-bearing steps for bot-authored runs.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/test-kind-odh-e2e.yaml around lines 54 - 64, Remove
dependabot[bot] from the TRUSTED_BOTS allowlist in the test-kind-odh-e2e
workflow so Dependabot-authored pull_request_target runs do not auto-enter the
secret-bearing path. Keep the trusted-bot shortcut limited to the other bot
identities, and ensure dependabot stays on the external-pr/label-based flow or
is blocked from the steps that use secrets.CCM_PULL_SECRET. If needed, adjust
the job’s gating logic around the bot check and the run-xks-e2e maintainer gate
to prevent secret access for Dependabot PRs.

Source: Path instructions

@openshift-ci

openshift-ci Bot commented Jul 7, 2026

Copy link
Copy Markdown

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: davidebianchi

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

Status: Todo

Development

Successfully merging this pull request may close these issues.

3 participants