
ROSA-745: align branch-protection for MCWV and aws-vpce-operator #79902

Merged: openshift-merge-bot[bot] merged 1 commit into openshift:main from MitaliBhalla:rosa-745-branch-protection-fixes on Jun 1, 2026

@MitaliBhalla MitaliBhalla commented Jun 1, 2026

Summary

ROSA-745 branch-protection updates for Konflux-enabled operators.

  • managed-cluster-validating-webhooks: require primary Konflux *-on-pull-request on master
  • aws-vpce-operator: protect main (default branch) and require Konflux *-on-pull-request

managed-cluster-config is unchanged — mandatory ci/prow/pr-check is already enforced via branch-protector from presubmits.

Test plan

  • After merge, periodic-branch-protector-openshift-org reconciles branch protection (~6h)
  • Confirm required checks on a sample PR for MCWV and aws-vpce match expectations

Summary by CodeRabbit

This PR updates Prow branch protection configuration for three OpenShift SREP repositories as part of the ROSA-745 initiative, integrating Konflux CI status checks and Prow gates to enforce required build validations:

aws-vpce-operator: Migrated branch protection from master to main (the new default branch), enabling protection and requiring the Konflux kflux-prd-rh03 / aws-vpce-operator-on-pull-request status check before merge.

managed-cluster-validating-webhooks: Established branch protection for the master branch, requiring the Konflux kflux-prd-rh03 / managed-cluster-validating-webhooks-on-pull-request status check to ensure all pull requests pass Konflux validation.

managed-cluster-config: Added explicit Prow status check requirement (ci/prow/pr-check) to the branch protection configuration, providing structured CI gates for dependency auto-merge workflows.

These changes establish Konflux-based CI enforcement across repositories while complementing concurrent DPP work on auto-merge and merge commit policies. The periodic branch-protector-openshift-org job will reconcile these configuration changes in GitHub repository settings post-merge, and Tide can subsequently merge pull requests once lgtm and approved labels are applied alongside passing required checks.
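
The test-plan step "confirm required checks match expectations" can be automated as a drift check. The sketch below is an added example, not part of the PR or of Prow; it assumes the live state is fetched from GitHub's `GET /repos/{owner}/{repo}/branches/{branch}/protection` endpoint, and the sample responses (including the `ci/prow/lint` context) are constructed for illustration.

```python
import json

# Expected required contexts, taken from the PR description above.
EXPECTED = {
    ("openshift/aws-vpce-operator", "main"):
        {"kflux-prd-rh03 / aws-vpce-operator-on-pull-request"},
    ("openshift/managed-cluster-validating-webhooks", "master"):
        {"kflux-prd-rh03 / managed-cluster-validating-webhooks-on-pull-request"},
}

# Constructed sample responses shaped like GitHub's branch-protection API.
# None stands for a 404, i.e. the branch has no protection rule yet.
SAMPLE_LIVE = {
    ("openshift/aws-vpce-operator", "main"): json.loads(
        '{"required_status_checks": {"strict": false, "contexts": '
        '["kflux-prd-rh03 / aws-vpce-operator-on-pull-request", "ci/prow/lint"]}}'),
    ("openshift/managed-cluster-validating-webhooks", "master"): None,
}


def required_contexts(protection):
    """Return the set of required status contexts, or None if unprotected."""
    if protection is None:
        return None
    checks = protection.get("required_status_checks") or {}
    return set(checks.get("contexts") or [])


def find_drift(expected, live):
    """Map (repo, branch) -> problem for each branch missing an expected gate.

    Extra live contexts are tolerated, because Prow adds its own
    auto-required jobs on top of the configured ones.
    """
    drift = {}
    for key, want in expected.items():
        have = required_contexts(live.get(key))
        if have is None:
            drift[key] = "branch is not protected"
        elif want - have:
            drift[key] = "missing required contexts: " + ", ".join(sorted(want - have))
    return drift


if __name__ == "__main__":
    for (repo, branch), problem in find_drift(EXPECTED, SAMPLE_LIVE).items():
        print(f"{repo}@{branch}: {problem}")
```

Running it during the ~6h reconcile window shows which branches are still ungated, which is the period where a PR could merge without the Konflux check.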

@openshift-ci-robot openshift-ci-robot added the jira/valid-reference label (Indicates that this PR references a valid Jira ticket of any type.) Jun 1, 2026
openshift-ci-robot commented Jun 1, 2026

@MitaliBhalla: This pull request references ROSA-745 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the initiative to target the "5.0.0" version, but no target version was set.

Details

In response to this:

Summary

First in a series of ROSA-745 branch-protection updates (docs).

  • managed-cluster-validating-webhooks: require primary Konflux PR check (replaces empty/misaligned branch protection).
  • managed-cluster-config: require ci/prow/checklinks-pr and ci/prow/pr-check on master (explicit prow gates for dep auto-merge).
  • aws-vpce-operator: protect main (default branch; was master) and require Konflux aws-vpce-operator-on-pull-request.

Complements DPP work on repo settings (auto-merge, merge commits). Does not require enterprise-contract, pr-group, e2e, or pko Konflux jobs.

Test plan

  • After merge, periodic-branch-protector-openshift-org reconciles branch protection (~6h).
  • On each repo, open or use a dependency PR and confirm required checks match the contexts above (+ prow auto-required jobs where applicable).
  • Confirm tide can merge dep PRs with lgtm + approved when required checks are green.

Related

Made with Cursor

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

coderabbitai Bot commented Jun 1, 2026

Walkthrough

Two Prow branch protection configurations are updated to enforce Konflux CI status checks. The aws-vpce-operator repository switches from protecting the master branch to the main branch with a required Konflux status check. The managed-cluster-validating-webhooks repository converts an empty placeholder into an explicit master branch protection rule with an identical Konflux CI requirement.

Changes

Prow Branch Protection Configuration Updates

Layer / File(s): Branch protection and Konflux CI status checks
core-services/prow/02_config/openshift/aws-vpce-operator/_prowconfig.yaml, core-services/prow/02_config/openshift/managed-cluster-validating-webhooks/_prowconfig.yaml
Summary: aws-vpce-operator switches branch protection target from master to main and adds required Konflux kflux-prd-rh03 status checks; managed-cluster-validating-webhooks expands from placeholder to explicit master branch protection with matching Konflux CI requirement.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

🚥 Pre-merge checks | ✅ 15
✅ Passed checks (15 passed)
Check name | Status | Explanation
Title check | ✅ Passed | The title clearly identifies the main change: aligning branch-protection configuration for two specific repos (MCWV and aws-vpce-operator) as part of ROSA-745.
Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names | ✅ Passed | PR modifies only Prow YAML configuration files for branch protection, containing no Ginkgo test code or test titles. Custom check for stable test names is not applicable.
Test Structure And Quality | ✅ Passed | The PR contains only YAML configuration files (Prow branch protection configs), not Ginkgo test code. The custom check for Ginkgo test quality does not apply.
Microshift Test Compatibility | ✅ Passed | PR contains only Prow CI/CD configuration file updates (YAML), not Ginkgo e2e tests. MicroShift compatibility check is not applicable.
Single Node Openshift (Sno) Test Compatibility | ✅ Passed | No Ginkgo e2e tests are added in this PR. Changes are limited to Prow CI configuration YAML files for branch protection rules. The SNO compatibility check only applies to new e2e tests.
Topology-Aware Scheduling Compatibility | ✅ Passed | PR modifies only Prow CI configuration files for branch protection and merge gating, not deployment manifests, operators, or controllers. No topology-dependent scheduling constraints introduced.
Ote Binary Stdout Contract | ✅ Passed | PR modifies only YAML Prow config files. The OTE Binary Stdout Contract check applies to Go binaries and test code, not YAML configuration files.
Ipv6 And Disconnected Network Test Compatibility | ✅ Passed | PR modifies only Prow configuration YAML files, not Ginkgo e2e tests. The custom check applies exclusively to new test code.
No-Weak-Crypto | ✅ Passed | PR modifies only Prow CI/CD configuration YAML files with no cryptographic code, weak crypto algorithms, custom crypto implementations, or secret comparisons.
Container-Privileges | ✅ Passed | PR modifies only Prow CI/CD configuration files (_prowconfig.yaml) with branch protection rules, not container/K8s manifests with privileged settings.
No-Sensitive-Data-In-Logs | ✅ Passed | PR contains only Prow YAML configuration files with branch protection and CI/CD context rules; no logging statements or sensitive data (passwords, tokens, PII, etc.) detected.
Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled.

@openshift-ci openshift-ci Bot requested review from clcollins and joshbranham June 1, 2026 06:55
@openshift-merge-bot openshift-merge-bot Bot added the rehearsals-ack label (Signifies that rehearsal jobs have been acknowledged) Jun 1, 2026
- managed-cluster-validating-webhooks: require Konflux on-pull-request on master
- aws-vpce-operator: protect main and require Konflux on-pull-request

Co-authored-by: Cursor <cursoragent@cursor.com>
@MitaliBhalla MitaliBhalla force-pushed the rosa-745-branch-protection-fixes branch from 980b22a to f272edb on June 1, 2026 14:38
@MitaliBhalla MitaliBhalla changed the title from "ROSA-745: fix branch-protection for three SREP repos" to "ROSA-745: align branch-protection for MCWV and aws-vpce-operator" on Jun 1, 2026
@openshift-merge-bot
[REHEARSALNOTIFIER]
@MitaliBhalla: no rehearsable tests are affected by this change

Note: If this PR includes changes to step registry files (ci-operator/step-registry/) and you expected jobs to be found, try rebasing your PR onto the base branch. This helps pj-rehearse accurately detect changes when the base branch has moved forward.

Interacting with pj-rehearse

Comment: /pj-rehearse to run up to 5 rehearsals
Comment: /pj-rehearse skip to opt-out of rehearsals
Comment: /pj-rehearse {test-name}, with each test separated by a space, to run one or more specific rehearsals
Comment: /pj-rehearse more to run up to 10 rehearsals
Comment: /pj-rehearse max to run up to 25 rehearsals
Comment: /pj-rehearse auto-ack to run up to 5 rehearsals, and add the rehearsals-ack label on success
Comment: /pj-rehearse list to get an up-to-date list of affected jobs
Comment: /pj-rehearse abort to abort all active rehearsals
Comment: /pj-rehearse network-access-allowed to allow rehearsals of tests that have the restrict_network_access field set to false. This must be executed by an openshift org member who is not the PR author

Once you are satisfied with the results of the rehearsals, comment: /pj-rehearse ack to unblock merge. When the rehearsals-ack label is present on your PR, merge will no longer be blocked by rehearsals.
If you would like the rehearsals-ack label removed, comment: /pj-rehearse reject to re-block merging.

@joshbranham
/lgtm
/approve

@openshift-ci openshift-ci Bot added the lgtm label (Indicates that a PR is ready to be merged.) Jun 1, 2026
openshift-ci Bot commented Jun 1, 2026

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: joshbranham, MitaliBhalla

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci openshift-ci Bot added the approved label (Indicates a PR has been approved by an approver from all required OWNERS files.) Jun 1, 2026
openshift-ci Bot commented Jun 1, 2026

@MitaliBhalla: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

@openshift-merge-bot openshift-merge-bot Bot merged commit e75bbda into openshift:main Jun 1, 2026
12 checks passed
openshift-ci Bot commented Jun 1, 2026

@MitaliBhalla: Updated the following 2 configmaps:

  • config configmap in namespace ci at cluster app.ci using the following files:
    • key core-services-prow-02_config-openshift-aws-vpce-operator-_prowconfig.yaml using file core-services/prow/02_config/openshift/aws-vpce-operator/_prowconfig.yaml
    • key core-services-prow-02_config-openshift-managed-cluster-validating-webhooks-_prowconfig.yaml using file core-services/prow/02_config/openshift/managed-cluster-validating-webhooks/_prowconfig.yaml
  • config configmap in namespace ci at cluster core-ci using the following files:
    • key core-services-prow-02_config-openshift-aws-vpce-operator-_prowconfig.yaml using file core-services/prow/02_config/openshift/aws-vpce-operator/_prowconfig.yaml
    • key core-services-prow-02_config-openshift-managed-cluster-validating-webhooks-_prowconfig.yaml using file core-services/prow/02_config/openshift/managed-cluster-validating-webhooks/_prowconfig.yaml
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.
