tide: enable github_merge_blocks_policy for repos with recent merge failures

[Prucek]

Summary

• Configures github_merge_blocks_policy: block for 71 repos that have had merge failures in the last 30 days (sourced from tide-history?state=failure)
• Uses the new Tide feature from tide: add configurable GitHub merge blocks enforcement kubernetes-sigs/prow#579 to respect GitHub's mergeStateStatus and prevent Tide from attempting to merge PRs blocked by branch protection rules, rulesets, or required reviews
• Policy set per-repo (not globally) to limit blast radius

/hold

Summary by CodeRabbit

This PR adds merge-blocking policy protection to 71 repositories that have experienced recent merge failures in the OpenShift CI infrastructure. The change adds a new github_merge_blocks_policy section to the Tide configuration in core-services/prow/02_config/_config.yaml, setting the policy to block for each affected repository.

What this does:

• Implements the Tide feature from kubernetes-sigs/prow#579 to honor GitHub's mergeStateStatus
• Prevents Tide from attempting to merge pull requests that are blocked by GitHub branch protection rules, rulesets, or required reviews
• Applies the policy on a per-repository basis rather than globally to limit blast radius

Affected repositories include:

• OpenShift core repos (cluster-monitoring-operator, hypershift, config, cincinnati-graph-data, lightspeed-operator)
• OpenStack K8s operators (multiple, including nova-operator, neutron-operator, mariadb-operator)
• RedHat AppStudio infrastructure repos (infra-deployments, infra-common-deployments)
• Container and migration tool repos (conmon-rs, kopia, kubevirt-datamover-plugin, oadp-cli)
• Operator framework repos (operator-lifecycle-manager, operator-registry, operator-controller)
• Various ecosystem partner repos (OpenDataHub, Red Hat Developer Hub, Stolostron, etc.)

This targeted approach allows repositories with recent merge instability to benefit from the merge-blocking policy protection without affecting all repositories managed by the OpenShift CI infrastructure.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 1832ebe3-f6dd-40de-a7d7-4215414d4663

📥 Commits

Reviewing files that changed from the base of the PR and between dd3b7e2 and 396c6b2.

📒 Files selected for processing (1)

• core-services/prow/02_config/_config.yaml

---

Walkthrough

This PR extends Prow's Tide configuration by adding a new tide.github_merge_blocks_policy section that defines merge-blocking policies for a large set of OpenShift repositories. The update adds 72 lines of configuration entries that assign the block policy value to each listed repository.

Changes

Merge blocks policy configuration

Layer / File(s)	Summary
Tide merge blocks policy setup core-services/prow/02_config/_config.yaml	A new tide.github_merge_blocks_policy mapping is introduced, listing repositories including containers and operator/service repos, with each entry assigned the block merge-blocking policy value.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Suggested labels

lgtm, ok-to-test, rehearsals-ack

Suggested reviewers

• jmguzik
• bear-redhat

🚥 Pre-merge checks | ✅ 15

✅ Passed checks (15 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately summarizes the main change: enabling github_merge_blocks_policy for affected repositories due to merge failures. It is specific, clear, and directly reflects the primary objective of the changeset.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names	✅ Passed	PR modifies only YAML configuration files with no Ginkgo tests present; custom check for test names is not applicable to configuration-only changes.
Test Structure And Quality	✅ Passed	PR only modifies YAML configuration file (_config.yaml) for Prow; no Ginkgo test code is included, making this check not applicable.
Microshift Test Compatibility	✅ Passed	PR contains no new Ginkgo e2e tests. It only modifies Prow CI configuration (YAML), so the MicroShift Test Compatibility check is not applicable.
Single Node Openshift (Sno) Test Compatibility	✅ Passed	This PR only modifies Prow Tide configuration (YAML), not adding any Ginkgo e2e tests. SNO compatibility check is not applicable.
Topology-Aware Scheduling Compatibility	✅ Passed	This PR modifies Prow CI configuration (_config.yaml), not deployment manifests, operator code, or controllers. No scheduling constraints or topology-dependent configuration is introduced.
Ote Binary Stdout Contract	✅ Passed	PR modifies only YAML configuration (_config.yaml for Prow Tide), not OTE binaries or Go test code. OTE stdout contract check is inapplicable to configuration-only changes.
Ipv6 And Disconnected Network Test Compatibility	✅ Passed	This PR does not add any Ginkgo e2e tests. It modifies only Prow configuration files, CI operator configs, and documentation—not test source code. The custom check is not applicable.
No-Weak-Crypto	✅ Passed	PR modifies only a Prow YAML configuration file adding GitHub merge block policies. No weak cryptographic algorithms, custom crypto, or secret comparisons found.
Container-Privileges	✅ Passed	PR only modifies Prow config file. No container/K8s manifests or privileged settings (privileged, hostPID, hostNetwork, hostIPC, SYS_ADMIN, allowPrivilegeEscalation) present.
No-Sensitive-Data-In-Logs	✅ Passed	The PR adds only public GitHub repository names and policy values to Prow configuration. No passwords, tokens, API keys, PII, session IDs, or customer data are exposed.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: Prucek

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• core-services/prow/02_config/OWNERS [Prucek]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[openshift-merge-bot]

[REHEARSALNOTIFIER]
@Prucek: no rehearsable tests are affected by this change

Note: If this PR includes changes to step registry files (ci-operator/step-registry/) and you expected jobs to be found, try rebasing your PR onto the base branch. This helps pj-rehearse accurately detect changes when the base branch has moved forward.

[openshift-ci]

@Prucek: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/prow-config	396c6b2	link	true	/test prow-config

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

[Prucek]

it need's a prow bump in ci-tools 🤦🏼