chore: update manifest commit SHAs#3768
Conversation
634009d to
3fe63d2
Compare
3fe63d2 to
641048c
Compare
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: ugiordan The full list of commands accepted by this bot can be found here. The pull request process is described here DetailsNeeds approval from an approver in each of these files:
Approvers can indicate their approval by writing |
author_association misreports opendatahub-io members with private org visibility, so maintainers were having to re-add run-xks-e2e after every commit even for people who are actually trusted. Until a reliable org membership check is in place, accept the label as long as it is present on the PR instead of only on the labeled event. Bot-authored PRs (odh-release-bot, jira-autofix, dependabot) hit the same gap: author_association reports CONTRIBUTOR for them regardless of the app's actual permissions, confirmed on opendatahub-io#3768, opendatahub-io#3760, and opendatahub-io#3756. Trust those exact logins the same way trusted human associations are trusted. lgtm is trusted too, but only at the exact labeled event, not whenever it's present. Prow strips lgtm from a PR on every new commit by default in this repo (no sticky_lgtm_team or store_tree_hash configured), so a malicious synchronize commit never carries the labeled action lgtm needs, even if Prow hasn't removed the stale label yet. Scoping it that way keeps this signal from reopening the TOCTOU window the label gate exists to close. Given that author_association gap, running the ODH xKS workflow on every PR relies too much on a trust signal that fails for most of the org. This workflow only exercises the kserve component on a Cloud Manager- provisioned cluster (make e2e-test-xks sets E2E_TEST_COMPONENT=kserve), so scope its trigger to kserve and cloudmanager paths instead of running on every PR. The cloudmanager workflow already has its own path filter and keeps the label-and-authorization gate as its primary check, since that is where the actual secret risk is.
|
@odh-release-bot[bot]: The following tests failed, say
Full PR test history. Your PR dashboard. DetailsInstructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here. |
author_association misreports opendatahub-io members with private org visibility, so maintainers were having to re-add run-xks-e2e after every commit even for people who are actually trusted. Until a reliable org membership check is in place, accept the label as long as it is present on the PR instead of only on the labeled event. Bot-authored PRs (odh-release-bot, jira-autofix, dependabot) hit the same gap: author_association reports CONTRIBUTOR for them regardless of the app's actual permissions, confirmed on opendatahub-io#3768, opendatahub-io#3760, and opendatahub-io#3756. Trust those exact logins the same way trusted human associations are trusted. lgtm and approved are trusted too, but only at the exact labeled event, not whenever present. Prow strips lgtm from a PR on every new commit by default in this repo (no sticky_lgtm_team or store_tree_hash configured), so a malicious synchronize commit never carries the labeled action either label needs, even if Prow hasn't removed the stale lgtm yet. approved isn't auto-revoked on push, but that doesn't matter here since the check never inspects current label state, only the labeling event itself. Given that author_association gap, running the ODH xKS workflow on every PR relied too much on a trust signal that fails for most of the org. This workflow only exercises the kserve component on a Cloud Manager- provisioned cluster (make e2e-test-xks sets E2E_TEST_COMPONENT=kserve), so scope its trigger to kserve, cloudmanager, and config/rhaii paths (the manifests make deploy-rhaii-local deploys for this test) instead of running on every PR. The cloudmanager workflow already has its own path filter and keeps the label-and-authorization gate as its primary check, since that is where the actual secret risk is.
This PR updates the manifest commit SHAs to the latest available commits.