Skip to content

chore: update manifest commit SHAs#3768

Open
odh-release-bot[bot] wants to merge 1 commit into
mainfrom
sync/upgrade-manifest-shas
Open

chore: update manifest commit SHAs#3768
odh-release-bot[bot] wants to merge 1 commit into
mainfrom
sync/upgrade-manifest-shas

Conversation

@odh-release-bot

Copy link
Copy Markdown
Contributor

This PR updates the manifest commit SHAs to the latest available commits.

@ugiordan ugiordan force-pushed the sync/upgrade-manifest-shas branch from 3fe63d2 to 641048c Compare July 7, 2026 10:56
@openshift-ci openshift-ci Bot removed the lgtm label Jul 7, 2026
@openshift-ci openshift-ci Bot added the lgtm label Jul 7, 2026
@openshift-ci

openshift-ci Bot commented Jul 7, 2026

Copy link
Copy Markdown

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: ugiordan

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

rinaldodev added a commit to rinaldodev/opendatahub-operator that referenced this pull request Jul 7, 2026
author_association misreports opendatahub-io members with private org
visibility, so maintainers were having to re-add run-xks-e2e after every
commit even for people who are actually trusted. Until a reliable org
membership check is in place, accept the label as long as it is present
on the PR instead of only on the labeled event.

Bot-authored PRs (odh-release-bot, jira-autofix, dependabot) hit the same
gap: author_association reports CONTRIBUTOR for them regardless of the
app's actual permissions, confirmed on opendatahub-io#3768, opendatahub-io#3760, and opendatahub-io#3756. Trust
those exact logins the same way trusted human associations are trusted.

lgtm is trusted too, but only at the exact labeled event, not whenever
it's present. Prow strips lgtm from a PR on every new commit by default
in this repo (no sticky_lgtm_team or store_tree_hash configured), so a
malicious synchronize commit never carries the labeled action lgtm needs,
even if Prow hasn't removed the stale label yet. Scoping it that way
keeps this signal from reopening the TOCTOU window the label gate exists
to close.

Given that author_association gap, running the ODH xKS workflow on every
PR relies too much on a trust signal that fails for most of the org. This
workflow only exercises the kserve component on a Cloud Manager-
provisioned cluster (make e2e-test-xks sets E2E_TEST_COMPONENT=kserve),
so scope its trigger to kserve and cloudmanager paths instead of running
on every PR. The cloudmanager workflow already has its own path filter
and keeps the label-and-authorization gate as its primary check, since
that is where the actual secret risk is.
@openshift-ci

openshift-ci Bot commented Jul 7, 2026

Copy link
Copy Markdown

@odh-release-bot[bot]: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name Commit Details Required Rerun command
ci/prow/opendatahub-operator-rhoai-e2e 641048c link true /test opendatahub-operator-rhoai-e2e
ci/prow/opendatahub-operator-e2e 641048c link true /test opendatahub-operator-e2e

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

rinaldodev added a commit to rinaldodev/opendatahub-operator that referenced this pull request Jul 7, 2026
author_association misreports opendatahub-io members with private org
visibility, so maintainers were having to re-add run-xks-e2e after every
commit even for people who are actually trusted. Until a reliable org
membership check is in place, accept the label as long as it is present
on the PR instead of only on the labeled event.

Bot-authored PRs (odh-release-bot, jira-autofix, dependabot) hit the same
gap: author_association reports CONTRIBUTOR for them regardless of the
app's actual permissions, confirmed on opendatahub-io#3768, opendatahub-io#3760, and opendatahub-io#3756. Trust
those exact logins the same way trusted human associations are trusted.

lgtm and approved are trusted too, but only at the exact labeled event,
not whenever present. Prow strips lgtm from a PR on every new commit by
default in this repo (no sticky_lgtm_team or store_tree_hash configured),
so a malicious synchronize commit never carries the labeled action either
label needs, even if Prow hasn't removed the stale lgtm yet. approved
isn't auto-revoked on push, but that doesn't matter here since the check
never inspects current label state, only the labeling event itself.

Given that author_association gap, running the ODH xKS workflow on every
PR relied too much on a trust signal that fails for most of the org. This
workflow only exercises the kserve component on a Cloud Manager-
provisioned cluster (make e2e-test-xks sets E2E_TEST_COMPONENT=kserve),
so scope its trigger to kserve, cloudmanager, and config/rhaii paths
(the manifests make deploy-rhaii-local deploys for this test) instead of
running on every PR. The cloudmanager workflow already has its own path
filter and keeps the label-and-authorization gate as its primary check,
since that is where the actual secret risk is.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

Status: Todo

Development

Successfully merging this pull request may close these issues.

2 participants