HYPERFLEET-991 - feat: add PR risk scoring presubmit job

[rafabene]

Summary

• Add new hyperfleet-risk-scorer step-registry ref that computes a deterministic risk score for PRs
• Score based on: diff size (>200/500 lines), sensitive path changes (cmd/, config/, deploy/, migrations/, auth/), and test coverage (_test.go presence)
• Applies risk/low, risk/medium, or risk/high GitHub label automatically
• Posts a score breakdown comment on the PR (updated idempotently on re-push)
• Uses hyperfleet-ci-bot GitHub App (installed on openshift-hyperfleet org) for API access
• Job is optional: true — never blocks merge
• Enabled for: hyperfleet-adapter, hyperfleet-api, hyperfleet-broker, hyperfleet-sentinel

Test plan

• Verify Vault secret hyperfleet-ci-bot is synced to test-credentials namespace
• Open a test PR on one of the 4 repos and trigger /test risk-scorer
• Verify label is applied and comment is posted with score breakdown
• Push a new commit to the PR and verify the comment is updated (not duplicated)
• Verify the job does not block merge (optional check)

Overview

Adds a reusable PR risk-scoring step and wires it into the CI pipelines for HyperFleet’s four component repositories (hyperfleet-adapter, hyperfleet-api, hyperfleet-broker, hyperfleet-sentinel). The job is optional and therefore does not block merges.

What changed (practical impact)

• New step-registry component: hyperfleet-risk-scorer

  • Implements deterministic PR risk scoring based on diff size thresholds (>200, >500 lines), changes under sensitive paths (cmd/, config/, deploy/, migrations/, auth/), and simple Go test-coverage heuristics (presence of _test.go files).
  • Authenticates to GitHub using the hyperfleet-ci-bot GitHub App (installation token via JWT).
  • Idempotently ensures exactly one risk label on the PR (risk/low, risk/medium, risk/high) and posts/updates a score-breakdown comment on the PR.
  • Configured to mount credentials (hyperfleet-ci-bot) and includes runtime resource limits and a 5-minute timeout.

• CI pipeline integration

  • Adds an optional risk-scorer test job to the main CI pipeline for each of these repos: hyperfleet-adapter, hyperfleet-api, hyperfleet-broker, hyperfleet-sentinel.
  • Each job runs the hyperfleet-risk-scorer step-ref; marked optional: true so it never blocks merges.

• Ownership & metadata

  • Step-registry OWNERS and a metadata JSON file were added/updated to list approvers and reviewers for the new step.

Implementation artifacts

• ci-operator/step-registry/hyperfleet/risk-scorer/

  • hyperfleet-risk-scorer-commands.sh — main Bash implementation (diff analysis, scoring, GitHub API calls for labels/comments).
  • hyperfleet-risk-scorer-ref.yaml — step definition (credentials mount, env var docs, resource requests, timeout).
  • OWNERS and ref.metadata.json — ownership and metadata for the step-ref.

• ci-operator/config/openshift-hyperfleet/

  • Added risk-scorer optional test job entries in the pipeline config for hyperfleet-adapter, hyperfleet-api, hyperfleet-broker, and hyperfleet-sentinel.

Security / operational notes

• The step requires the hyperfleet-ci-bot credentials to be available (Vault secret expected to be synced to the cluster namespace configured for CI); the job mounts those credentials and uses the GitHub App flow.
• The job is optional and intended for informational/risk-labeling purposes only.

Testing checklist (as provided)

• Ensure Vault secret hyperfleet-ci-bot is synced to CI namespace.
• Open a test PR in one of the four repos and trigger /test risk-scorer.
• Verify label application and score breakdown comment; push another commit and verify the comment is updated (not duplicated).
• Confirm the job is optional and does not block merges.

[coderabbitai]

Walkthrough

Adds an optional risk-scorer Prow test job to the hyperfleet-sentinel CI config that runs the hyperfleet-risk-scorer step reference.

Changes

Prow configuration update

Layer / File(s)	Summary
Add risk-scorer test job ci-operator/config/openshift-hyperfleet/hyperfleet-sentinel/openshift-hyperfleet-hyperfleet-sentinel-main.yaml	Inserted a new tests job block (as: risk-scorer) after validate-commits, set optional: true, and defined steps.test referencing hyperfleet-risk-scorer.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

Suggested labels

lgtm, rehearsals-ack

🚥 Pre-merge checks | ✅ 11 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (11 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title clearly and specifically describes the main change: adding a PR risk scoring presubmit job to the HyperFleet project.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names	✅ Passed	Check not applicable. PR contains no Ginkgo tests - only CI config files, shell scripts, and metadata. No test names to validate.
Test Structure And Quality	✅ Passed	This PR does not contain Ginkgo test code. It adds CI/CD configuration (YAML), a bash script, and metadata files. The custom check requiring Ginkgo test review is not applicable.
Microshift Test Compatibility	✅ Passed	No Ginkgo e2e tests are being added. The check applies only to new Ginkgo test definitions. This PR adds CI configuration and a bash utility script for PR risk scoring.
Single Node Openshift (Sno) Test Compatibility	✅ Passed	PR adds CI automation (Prow configs and bash script) for PR risk scoring, not Ginkgo e2e tests. SNO check only applies to e2e tests, which are not present.
Topology-Aware Scheduling Compatibility	✅ Passed	PR adds CI/presubmit job configuration and risk-scoring bash script. No Kubernetes deployment manifests, operator code, or scheduling constraints present. Topology check not applicable.
Ote Binary Stdout Contract	✅ Passed	PR adds CI/CD configuration and a PR risk-scoring shell script. No OTE test binaries or process-level test code is modified. The check is not applicable.
Ipv6 And Disconnected Network Test Compatibility	✅ Passed	This PR does not add any Ginkgo e2e tests. It adds CI configuration files, OWNERS, and a shell script. The check only applies to Ginkgo e2e tests, which are not present.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: rafabene

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• ci-operator/config/openshift-hyperfleet/hyperfleet-adapter/OWNERS [rafabene]
• ci-operator/config/openshift-hyperfleet/hyperfleet-api/OWNERS [rafabene]
• ci-operator/config/openshift-hyperfleet/hyperfleet-broker/OWNERS [rafabene]
• ci-operator/config/openshift-hyperfleet/hyperfleet-sentinel/OWNERS [rafabene]
• ci-operator/jobs/openshift-hyperfleet/hyperfleet-adapter/OWNERS [rafabene]
• ci-operator/jobs/openshift-hyperfleet/hyperfleet-api/OWNERS [rafabene]
• ci-operator/jobs/openshift-hyperfleet/hyperfleet-broker/OWNERS [rafabene]
• ci-operator/jobs/openshift-hyperfleet/hyperfleet-sentinel/OWNERS [rafabene]
• ci-operator/step-registry/hyperfleet/OWNERS [rafabene]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[rafabene]

/pj-rehearse auto-ack

[openshift-merge-bot]

@rafabene: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (3)

ci-operator/step-registry/hyperfleet/risk-scorer/hyperfleet-risk-scorer-commands.sh (3)

56-56: ⚡ Quick win

YAML parsing with sed is fragile.

The sed command assumes specific YAML formatting and doesn't handle comments, varied indentation, or complex YAML structures. A malformed or unconventional .risk-config.yaml could cause silent failures or incorrect parsing.

Consider using yq for robust YAML parsing:

♻️ Alternative implementation with yq

 if [ -f .risk-config.yaml ]; then
-    CUSTOM=$(sed -n '/^sensitive_paths:/,/^[^ ]/{ /^  - /s/^  - //p }' .risk-config.yaml | tr '\n' ' ')
+    CUSTOM=$(yq eval '.sensitive_paths[]' .risk-config.yaml 2>/dev/null | tr '\n' ' ')
     [ -n "${CUSTOM}" ] && SENSITIVE_PATHS="${CUSTOM}"
 fi

Note: Verify that yq is available in the src container image, or fall back to the current sed approach with a comment acknowledging the limitation.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In
`@ci-operator/step-registry/hyperfleet/risk-scorer/hyperfleet-risk-scorer-commands.sh`
at line 56, The sed-based extraction assigned to CUSTOM (the line setting
CUSTOM=$(sed -n '/^sensitive_paths:/,/^[^ ]/{ /^  - /s/^  - //p }'
.risk-config.yaml | tr '\n' ' ')) is fragile for YAML; replace it with a robust
yq-based parse to read the sensitive_paths array from .risk-config.yaml (e.g.,
using yq to extract .sensitive_paths[] and join with spaces) and fall back to
the original sed command only if yq is not available, adding a comment that
explains the fallback and the limitation; ensure the new logic preserves the
same final format (space-separated values in CUSTOM) and references the CUSTOM
variable and .risk-config.yaml so reviewers can find the change.

---

119-119: 💤 Low value

Consider using parameter expansion instead of sed.

Shellcheck SC2001 suggests a simpler alternative that doesn't require a subprocess.

♻️ Use parameter expansion

-        encoded=$(echo "${old}" | sed 's|/|%2F|g')
+        encoded="${old//\//%2F}"

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In
`@ci-operator/step-registry/hyperfleet/risk-scorer/hyperfleet-risk-scorer-commands.sh`
at line 119, Replace the sed subprocess used to percent-encode slashes with
shell parameter expansion: instead of running sed on the variable old, assign
encoded by expanding old with a global replacement of "/" to "%2F" (use the
${old//\//%2F} style) so you avoid spawning an external process; update the
assignment that currently sets encoded from the sed command accordingly.

---

34-36: ⚡ Quick win

Consider validating PULL_BASE_SHA before use.

While PULL_BASE_SHA should be present in PR contexts, adding an explicit check would make the script more defensive against unexpected CI environments.

🛡️ Add validation

+if [ -z "${PULL_BASE_SHA:-}" ]; then
+    echo "ERROR: PULL_BASE_SHA not set."
+    exit 1
+fi
+
 DIFF_FILES=$(git diff --name-only "${PULL_BASE_SHA}..HEAD" || true)

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In
`@ci-operator/step-registry/hyperfleet/risk-scorer/hyperfleet-risk-scorer-commands.sh`
around lines 34 - 36, The script uses PULL_BASE_SHA to compute DIFF_FILES and
LINES_CHANGED but doesn't validate it; add a guard that checks if the
PULL_BASE_SHA variable is unset or empty before running git commands (reference
PULL_BASE_SHA, DIFF_FILES, LINES_CHANGED), and if missing print a clear error
message to stderr and exit with a non-zero status (or set safe defaults and
continue if that behavior is preferred) so the git diff invocations are not run
with an invalid SHA.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In
`@ci-operator/step-registry/hyperfleet/risk-scorer/hyperfleet-risk-scorer-commands.sh`:
- Line 61: The current conditional uses grep "^${path}" which treats ${path} as
a regex and can mis-match paths containing regex metacharacters; update the
check so ${path} is matched literally and still anchored to the start of each
DIFF_FILES line (e.g., use grep -F with an anchored start or iterate lines and
use shell prefix matching). Specifically, change the if that references
DIFF_FILES and path to perform a literal, prefix-only match (examples: pipe
DIFF_FILES through grep -F and then filter for lines starting with the literal
path, or read DIFF_FILES line-by-line and use [[ "$file" == "${path}"* ]] to
detect a prefix) so sensitive paths from .risk-config.yaml are not interpreted
as regexes.

---

Nitpick comments:
In
`@ci-operator/step-registry/hyperfleet/risk-scorer/hyperfleet-risk-scorer-commands.sh`:
- Line 56: The sed-based extraction assigned to CUSTOM (the line setting
CUSTOM=$(sed -n '/^sensitive_paths:/,/^[^ ]/{ /^  - /s/^  - //p }'
.risk-config.yaml | tr '\n' ' ')) is fragile for YAML; replace it with a robust
yq-based parse to read the sensitive_paths array from .risk-config.yaml (e.g.,
using yq to extract .sensitive_paths[] and join with spaces) and fall back to
the original sed command only if yq is not available, adding a comment that
explains the fallback and the limitation; ensure the new logic preserves the
same final format (space-separated values in CUSTOM) and references the CUSTOM
variable and .risk-config.yaml so reviewers can find the change.
- Line 119: Replace the sed subprocess used to percent-encode slashes with shell
parameter expansion: instead of running sed on the variable old, assign encoded
by expanding old with a global replacement of "/" to "%2F" (use the
${old//\//%2F} style) so you avoid spawning an external process; update the
assignment that currently sets encoded from the sed command accordingly.
- Around line 34-36: The script uses PULL_BASE_SHA to compute DIFF_FILES and
LINES_CHANGED but doesn't validate it; add a guard that checks if the
PULL_BASE_SHA variable is unset or empty before running git commands (reference
PULL_BASE_SHA, DIFF_FILES, LINES_CHANGED), and if missing print a clear error
message to stderr and exit with a non-zero status (or set safe defaults and
continue if that behavior is preferred) so the git diff invocations are not run
with an invalid SHA.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: c00a1bc2-5c27-4451-a570-2cd4978ab5d1

📥 Commits

Reviewing files that changed from the base of the PR and between e0d0aa9 and add5b0b.

⛔ Files ignored due to path filters (4)

• ci-operator/jobs/openshift-hyperfleet/hyperfleet-adapter/openshift-hyperfleet-hyperfleet-adapter-main-presubmits.yaml is excluded by !ci-operator/jobs/**
• ci-operator/jobs/openshift-hyperfleet/hyperfleet-api/openshift-hyperfleet-hyperfleet-api-main-presubmits.yaml is excluded by !ci-operator/jobs/**
• ci-operator/jobs/openshift-hyperfleet/hyperfleet-broker/openshift-hyperfleet-hyperfleet-broker-main-presubmits.yaml is excluded by !ci-operator/jobs/**
• ci-operator/jobs/openshift-hyperfleet/hyperfleet-sentinel/openshift-hyperfleet-hyperfleet-sentinel-main-presubmits.yaml is excluded by !ci-operator/jobs/**

📒 Files selected for processing (8)

• ci-operator/config/openshift-hyperfleet/hyperfleet-adapter/openshift-hyperfleet-hyperfleet-adapter-main.yaml
• ci-operator/config/openshift-hyperfleet/hyperfleet-api/openshift-hyperfleet-hyperfleet-api-main.yaml
• ci-operator/config/openshift-hyperfleet/hyperfleet-broker/openshift-hyperfleet-hyperfleet-broker-main.yaml
• ci-operator/config/openshift-hyperfleet/hyperfleet-sentinel/openshift-hyperfleet-hyperfleet-sentinel-main.yaml
• ci-operator/step-registry/hyperfleet/risk-scorer/OWNERS
• ci-operator/step-registry/hyperfleet/risk-scorer/hyperfleet-risk-scorer-commands.sh
• ci-operator/step-registry/hyperfleet/risk-scorer/hyperfleet-risk-scorer-ref.metadata.json
• ci-operator/step-registry/hyperfleet/risk-scorer/hyperfleet-risk-scorer-ref.yaml

[coderabbitai]

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Use literal matching for file path prefixes.

The grep "^${path}" treats path as a regex pattern. If custom sensitive paths from .risk-config.yaml contain regex metacharacters (e.g., ., [, *), they could match unintended files.

🔒 Use grep -F for literal matching

-    if echo "${DIFF_FILES}" | grep -q "^${path}"; then
+    if echo "${DIFF_FILES}" | grep -qF "${path}"; then
         SENSITIVE_HIT="${SENSITIVE_HIT} ${path}"
     fi

Note: This matches paths containing the literal string rather than anchoring to the start. If prefix-only matching is required, consider:

if echo "${DIFF_FILES}" | grep -F "${path}" | grep -q "^${path}"; then

or process paths line-by-line:

while IFS= read -r file; do
    [[ "$file" == "${path}"* ]] && SENSITIVE_HIT="${SENSITIVE_HIT} ${path}" && break
done <<< "${DIFF_FILES}"

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In
`@ci-operator/step-registry/hyperfleet/risk-scorer/hyperfleet-risk-scorer-commands.sh`
at line 61, The current conditional uses grep "^${path}" which treats ${path} as
a regex and can mis-match paths containing regex metacharacters; update the
check so ${path} is matched literally and still anchored to the start of each
DIFF_FILES line (e.g., use grep -F with an anchored start or iterate lines and
use shell prefix matching). Specifically, change the if that references
DIFF_FILES and path to perform a literal, prefix-only match (examples: pipe
DIFF_FILES through grep -F and then filter for lines starting with the literal
path, or read DIFF_FILES line-by-line and use [[ "$file" == "${path}"* ]] to
detect a prefix) so sensitive paths from .risk-config.yaml are not interpreted
as regexes.

[openshift-merge-bot]

[REHEARSALNOTIFIER]
@rafabene: the pj-rehearse plugin accommodates running rehearsal tests for the changes in this PR. Expand 'Interacting with pj-rehearse' for usage details. The following rehearsable tests have been affected by this change:

Test name	Repo	Type	Reason
pull-ci-openshift-hyperfleet-hyperfleet-api-main-risk-scorer	openshift-hyperfleet/hyperfleet-api	presubmit	Presubmit changed
pull-ci-openshift-hyperfleet-hyperfleet-adapter-main-risk-scorer	openshift-hyperfleet/hyperfleet-adapter	presubmit	Presubmit changed
pull-ci-openshift-hyperfleet-hyperfleet-broker-main-risk-scorer	openshift-hyperfleet/hyperfleet-broker	presubmit	Presubmit changed
pull-ci-openshift-hyperfleet-hyperfleet-sentinel-main-risk-scorer	openshift-hyperfleet/hyperfleet-sentinel	presubmit	Presubmit changed

Interacting with pj-rehearse

Comment: /pj-rehearse to run up to 5 rehearsals
Comment: /pj-rehearse skip to opt-out of rehearsals
Comment: /pj-rehearse {test-name}, with each test separated by a space, to run one or more specific rehearsals
Comment: /pj-rehearse more to run up to 10 rehearsals
Comment: /pj-rehearse max to run up to 25 rehearsals
Comment: /pj-rehearse auto-ack to run up to 5 rehearsals, and add the rehearsals-ack label on success
Comment: /pj-rehearse list to get an up-to-date list of affected jobs
Comment: /pj-rehearse abort to abort all active rehearsals
Comment: /pj-rehearse network-access-allowed to allow rehearsals of tests that have the restrict_network_access field set to false. This must be executed by an openshift org member who is not the PR author

Once you are satisfied with the results of the rehearsals, comment: /pj-rehearse ack to unblock merge. When the rehearsals-ack label is present on your PR, merge will no longer be blocked by rehearsals.
If you would like the rehearsals-ack label removed, comment: /pj-rehearse reject to re-block merging.

[coderabbitai]

Actionable comments posted: 3

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In
`@ci-operator/config/openshift-hyperfleet/hyperfleet-sentinel/openshift-hyperfleet-hyperfleet-sentinel-main.yaml`:
- Around line 40-44: The new tests entry (as: risk-scorer / ref:
hyperfleet-risk-scorer) was added only to ci-operator config and you must run
the generator to produce the corresponding Prow job; run the repository job-gen
step (make update) to regenerate ci-operator/jobs and prow configs, verify the
generated presubmit for the risk-scorer ref appears under ci-operator/jobs and
jobs/... , and commit those generated files alongside your changed
openshift-hyperfleet-hyperfleet-sentinel-main.yaml so the new presubmit is
actually wired up.

In
`@ci-operator/step-registry/hyperfleet/risk-scorer/hyperfleet-risk-scorer-commands.sh`:
- Around line 22-28: The script enables xtrace via "$WAS_TRACING && set -x" that
may run before the authenticated GitHub token is printed; to avoid leaking
GITHUB_TOKEN, ensure tracing is disabled around the token request: before the
curl that builds GITHUB_TOKEN (which uses JWT and GITHUB_APP_INSTALLATION_ID),
save the current tracing state, run the curl with tracing off (or wrap the
authenticated block with set +x), then restore the original tracing state only
after the last authenticated request; specifically modify the section that
defines GITHUB_TOKEN so tracing is disabled during the python/json token
extraction and only restored afterwards.
- Around line 132-133: The lookup for EXISTING_COMMENT_ID only checks the first
page of comments and can miss the marker on busy PRs; change the logic that uses
curl + python3 to page through issue comments (use the API params per_page and
page, or request sorted by updated with sort=updated) until a comment containing
${COMMENT_MARKER} is found or no more pages remain, then set EXISTING_COMMENT_ID
to that comment's id (refer to the existing variables AUTH, API, PULL_NUMBER,
COMMENT_MARKER and the EXISTING_COMMENT_ID assignment). Implement a loop that
increments the page number, breaks when the marker is located, and falls back to
empty string if not found to preserve idempotence.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 94be7e51-e878-4515-b662-b778f43289d0

📥 Commits

Reviewing files that changed from the base of the PR and between add5b0b and 7079a48.

⛔ Files ignored due to path filters (4)

• ci-operator/jobs/openshift-hyperfleet/hyperfleet-adapter/openshift-hyperfleet-hyperfleet-adapter-main-presubmits.yaml is excluded by !ci-operator/jobs/**
• ci-operator/jobs/openshift-hyperfleet/hyperfleet-api/openshift-hyperfleet-hyperfleet-api-main-presubmits.yaml is excluded by !ci-operator/jobs/**
• ci-operator/jobs/openshift-hyperfleet/hyperfleet-broker/openshift-hyperfleet-hyperfleet-broker-main-presubmits.yaml is excluded by !ci-operator/jobs/**
• ci-operator/jobs/openshift-hyperfleet/hyperfleet-sentinel/openshift-hyperfleet-hyperfleet-sentinel-main-presubmits.yaml is excluded by !ci-operator/jobs/**

📒 Files selected for processing (8)

• ci-operator/config/openshift-hyperfleet/hyperfleet-adapter/openshift-hyperfleet-hyperfleet-adapter-main.yaml
• ci-operator/config/openshift-hyperfleet/hyperfleet-api/openshift-hyperfleet-hyperfleet-api-main.yaml
• ci-operator/config/openshift-hyperfleet/hyperfleet-broker/openshift-hyperfleet-hyperfleet-broker-main.yaml
• ci-operator/config/openshift-hyperfleet/hyperfleet-sentinel/openshift-hyperfleet-hyperfleet-sentinel-main.yaml
• ci-operator/step-registry/hyperfleet/risk-scorer/OWNERS
• ci-operator/step-registry/hyperfleet/risk-scorer/hyperfleet-risk-scorer-commands.sh
• ci-operator/step-registry/hyperfleet/risk-scorer/hyperfleet-risk-scorer-ref.metadata.json
• ci-operator/step-registry/hyperfleet/risk-scorer/hyperfleet-risk-scorer-ref.yaml

✅ Files skipped from review due to trivial changes (2)

• ci-operator/step-registry/hyperfleet/risk-scorer/OWNERS
• ci-operator/step-registry/hyperfleet/risk-scorer/hyperfleet-risk-scorer-ref.metadata.json

🚧 Files skipped from review as they are similar to previous changes (4)

• ci-operator/config/openshift-hyperfleet/hyperfleet-adapter/openshift-hyperfleet-hyperfleet-adapter-main.yaml
• ci-operator/config/openshift-hyperfleet/hyperfleet-broker/openshift-hyperfleet-hyperfleet-broker-main.yaml
• ci-operator/config/openshift-hyperfleet/hyperfleet-api/openshift-hyperfleet-hyperfleet-api-main.yaml
• ci-operator/step-registry/hyperfleet/risk-scorer/hyperfleet-risk-scorer-ref.yaml

[coderabbitai]

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Run make update and commit the generated Prow configs.

This tests entry alone does not register a new presubmit in Prow; I don’t see the corresponding generated ci-operator/jobs/... updates in the supplied diff. Without those generated files, the new risk-scorer job won’t actually be wired up.

As per coding guidelines, ci-operator/config/**/*.yaml: "For CI configuration, edit files in ci-operator/config/<org>/<repo>/ and run make update to generate downstream Prow job configs".

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In
`@ci-operator/config/openshift-hyperfleet/hyperfleet-sentinel/openshift-hyperfleet-hyperfleet-sentinel-main.yaml`
around lines 40 - 44, The new tests entry (as: risk-scorer / ref:
hyperfleet-risk-scorer) was added only to ci-operator config and you must run
the generator to produce the corresponding Prow job; run the repository job-gen
step (make update) to regenerate ci-operator/jobs and prow configs, verify the
generated presubmit for the risk-scorer ref appears under ci-operator/jobs and
jobs/... , and commit those generated files alongside your changed
openshift-hyperfleet-hyperfleet-sentinel-main.yaml so the new presubmit is
actually wired up.

[coderabbitai]

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Keep xtrace disabled for the authenticated GitHub calls.

If this step starts with -x, Line 28 turns tracing back on before every later curl that sends Authorization: token ${GITHUB_TOKEN}. That will leak the installation token into CI logs. Keep tracing off until the last authenticated request, or wrap each authenticated block with set +x / restore afterward.

As per coding guidelines, ci-operator/step-registry/**/*-commands.sh: "protect sensitive information (passwords, tokens, API keys, cluster URLs, kubeconfig contents) from leaking into CI logs" and "Disable shell tracing (set +x) temporarily when handling sensitive operations in step registry scripts, then restore it after".

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In
`@ci-operator/step-registry/hyperfleet/risk-scorer/hyperfleet-risk-scorer-commands.sh`
around lines 22 - 28, The script enables xtrace via "$WAS_TRACING && set -x"
that may run before the authenticated GitHub token is printed; to avoid leaking
GITHUB_TOKEN, ensure tracing is disabled around the token request: before the
curl that builds GITHUB_TOKEN (which uses JWT and GITHUB_APP_INSTALLATION_ID),
save the current tracing state, run the curl with tracing off (or wrap the
authenticated block with set +x), then restore the original tracing state only
after the last authenticated request; specifically modify the section that
defines GITHUB_TOKEN so tracing is disabled during the python/json token
extraction and only restored afterwards.

[coderabbitai]

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

The existing-comment lookup is not actually idempotent on busy PRs.

This only inspects the first 100 issue comments. If a PR already has more than 100 comments before the scorer posts its marker comment, the next run will miss it and create a duplicate instead of updating in place. Page through comments until the marker is found, or query the most recently updated comments first.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In
`@ci-operator/step-registry/hyperfleet/risk-scorer/hyperfleet-risk-scorer-commands.sh`
around lines 132 - 133, The lookup for EXISTING_COMMENT_ID only checks the first
page of comments and can miss the marker on busy PRs; change the logic that uses
curl + python3 to page through issue comments (use the API params per_page and
page, or request sorted by updated with sort=updated) until a comment containing
${COMMENT_MARKER} is found or no more pages remain, then set EXISTING_COMMENT_ID
to that comment's id (refer to the existing variables AUTH, API, PULL_NUMBER,
COMMENT_MARKER and the EXISTING_COMMENT_ID assignment). Implement a loop that
increments the page number, breaks when the marker is located, and falls back to
empty string if not found to preserve idempotence.

[rafabene]

/pj-rehearse auto-ack

[openshift-merge-bot]

@rafabene: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

[openshift-ci]

@rafabene: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/rehearse/openshift-hyperfleet/hyperfleet-sentinel/main/risk-scorer	7079a48	link	unknown	/pj-rehearse pull-ci-openshift-hyperfleet-hyperfleet-sentinel-main-risk-scorer
ci/rehearse/openshift-hyperfleet/hyperfleet-api/main/risk-scorer	7079a48	link	unknown	/pj-rehearse pull-ci-openshift-hyperfleet-hyperfleet-api-main-risk-scorer
ci/rehearse/openshift-hyperfleet/hyperfleet-broker/main/risk-scorer	7079a48	link	unknown	/pj-rehearse pull-ci-openshift-hyperfleet-hyperfleet-broker-main-risk-scorer
ci/rehearse/openshift-hyperfleet/hyperfleet-adapter/main/risk-scorer	7079a48	link	unknown	/pj-rehearse pull-ci-openshift-hyperfleet-hyperfleet-adapter-main-risk-scorer

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.