ROSAENG-59283 | prow onboarding for ams

[cambelem]

Onboarding account manager service for prow.

Summary by CodeRabbit

This PR onboards the openshift-online/rosa-account-manager-service repository into OpenShift CI (Prow) by adding CI operator configuration, OWNERS, Prow plugin configuration, and Tide merge rules so the repo can use shared OpenShift CI automation.

Practical impact and key changes:

• CI build & tests (ci-operator config):

  • Adds ci-operator config for openshift-online/rosa-account-manager-service (branch: master).
  • Uses Go build root from the release image stream tag golang-1.25.
  • Installs the account-manager binary via go install ./cmd/account-manager.
  • Builds test binaries via go test ./pkg/... ./cmd/... ./test/....
  • Defines four test jobs wired to the bin container: unit-test (make test), integration-test (make test-integration), fedramp-test (make test-fedramp), xcm-test (make test-xcm).
  • Sets resource requests/limits for builds (memory limits 4Gi; requests cpu 100m, memory 200Mi).

• OWNERS:

  • Adds approvers and reviewers for the repo: cambelem, bhushanthakur93, rawsyntax — enabling code review and approvals.

• Prow plugins & external plugins (_pluginconfig.yaml):

  • Enables a broad plugins list for the repo (assign, blunderbuss, lgtm, label, verify-owners, owners-label, approve, trigger, skip, wip, etc.).
  • Configures lgtm with review_acts_as_lgtm: true and approve (require_self_approval: false).
  • Declares multiple external-plugin endpoints for the repo (refresh, cherrypick, needs-rebase, backport-verifier, payload-testing-prow-plugin, jira-lifecycle-plugin, pipeline-controller, multi-pr-prow-plugin, ship-hook) with their triggering events.
  • Adds triggers with trusted app openshift-merge-bot.

• Tide configuration (_prowconfig.yaml):

  • Adds a single-repo Tide query requiring labels approved and lgtm for merges.
  • Blocks merges when any of several missingLabels are present: backports/unvalidated-commits, do-not-merge/hold, do-not-merge/invalid-owners-file, do-not-merge/work-in-progress, jira/invalid-bug, needs-rebase.

Review effort: Low–Medium. OWNERS change is small; ci-operator and Prow/plugin config should be reviewed to validate job commands, resources, and external-plugin endpoints.

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: cambelem

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 8dab836c-ed4e-4e5c-a69f-f22a0acc8fc6

📥 Commits

Reviewing files that changed from the base of the PR and between 8b24105 and 7f35b7a.

⛔ Files ignored due to path filters (2)

• ci-operator/jobs/openshift-online/rosa-account-manager-service/OWNERS is excluded by !ci-operator/jobs/**
• ci-operator/jobs/openshift-online/rosa-account-manager-service/openshift-online-rosa-account-manager-service-master-presubmits.yaml is excluded by !ci-operator/jobs/**

📒 Files selected for processing (4)

• ci-operator/config/openshift-online/rosa-account-manager-service/OWNERS
• ci-operator/config/openshift-online/rosa-account-manager-service/openshift-online-rosa-account-manager-service-master.yaml
• core-services/prow/02_config/openshift-online/rosa-account-manager-service/_pluginconfig.yaml
• core-services/prow/02_config/openshift-online/rosa-account-manager-service/_prowconfig.yaml

✅ Files skipped from review due to trivial changes (1)

• ci-operator/config/openshift-online/rosa-account-manager-service/OWNERS

🚧 Files skipped from review as they are similar to previous changes (2)

• core-services/prow/02_config/openshift-online/rosa-account-manager-service/_pluginconfig.yaml
• ci-operator/config/openshift-online/rosa-account-manager-service/openshift-online-rosa-account-manager-service-master.yaml

---

Walkthrough

Onboards openshift-online/rosa-account-manager-service by adding an OWNERS file, a ci-operator job for building/testing the service, and repository-specific Prow plugin and Tide configuration for PR automation.

Changes

Service Infrastructure Onboarding

Layer / File(s)	Summary
Ownership declaration ci-operator/config/openshift-online/rosa-account-manager-service/OWNERS	Adds approvers and reviewers arrays containing cambelem, bhushanthakur93, and rawsyntax.
CI build and test pipeline ci-operator/config/openshift-online/rosa-account-manager-service/openshift-online-rosa-account-manager-service-master.yaml	Defines a ci-operator job using golang-1.25, builds cmd/account-manager, builds test binaries (go test), wires unit/integration/fedramp/xcm make-based test scenarios to the bin output, and sets CPU/memory requests and limits with generated metadata for master branch.
Prow plugins configuration core-services/prow/02_config/openshift-online/rosa-account-manager-service/_pluginconfig.yaml	Adds repository-scoped Prow _pluginconfig.yaml including external plugin endpoints, approve behavior, lgtm settings, trusted apps, and an allowlist of enabled internal plugins.
Tide configuration core-services/prow/02_config/openshift-online/rosa-account-manager-service/_prowconfig.yaml	Adds a Tide query scoped to the repo requiring approved and lgtm and listing missingLabels that prevent merging.

Sequence Diagram(s)

(omitted — configuration-only changes without a multi-component sequential runtime flow)

Estimated Code Review Effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Possibly Related PRs

• openshift/release#80091: Similar OWNERS updates adding approver/reviewer entries.
• openshift/release#77688: Related OWNERS and repo config updates for another repository under ci-operator/core-services.

Suggested Labels

lgtm, rehearsals-ack

Suggested Reviewers

• bear-redhat
• jmguzik

🚥 Pre-merge checks | ✅ 15

✅ Passed checks (15 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title refers to prow onboarding for the account manager service, which is the primary focus of the PR (4 new prow/CI configuration files added).
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names	✅ Passed	PR contains only CI/Prow configuration files (OWNERS, YAML configs), not Go test code. No Ginkgo test patterns found; check not applicable.
Test Structure And Quality	✅ Passed	This PR contains no Ginkgo test code—only configuration files (OWNERS, CI operator YAML, Prow configs). The test structure check is not applicable.
Microshift Test Compatibility	✅ Passed	This PR only adds CI/Prow configuration files (OWNERS, CI operator config, Prow plugins/tide config). No Ginkgo e2e tests are added, so the MicroShift test compatibility check does not apply.
Single Node Openshift (Sno) Test Compatibility	✅ Passed	PR adds no Ginkgo e2e tests—only CI/Prow configuration files (OWNERS, CI operator config, plugin config). SNO compatibility check is not applicable.
Topology-Aware Scheduling Compatibility	✅ Passed	No deployment manifests, operator code, or controllers are added/modified—only CI/CD infrastructure configuration (OWNERS, CI operator, Prow configs). No scheduling constraints are introduced.
Ote Binary Stdout Contract	✅ Passed	PR contains only configuration files (OWNERS, CI operator YAML, Prow configs) with no Go source code, so OTE Binary Stdout Contract check is not applicable.
Ipv6 And Disconnected Network Test Compatibility	✅ Passed	PR adds only configuration files for rosa-account-manager-service onboarding. No Ginkgo e2e tests are added, so IPv6/disconnected network check does not apply.
No-Weak-Crypto	✅ Passed	PR contains only YAML configuration files for CI/CD onboarding with no source code or cryptographic implementations; weak-crypto check is not applicable to configuration-only changes.
Container-Privileges	✅ Passed	No privileged container settings found; modified files contain only CI/CD and Prow infrastructure configuration without container specs.
No-Sensitive-Data-In-Logs	✅ Passed	No logging statements or sensitive data (passwords, tokens, API keys, PII, credentials, hostnames, customer data) found in any of the four configuration files added in this PR.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[cambelem]

/verify-owners

[coderabbitai]

Actionable comments posted: 2

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

ci-operator/config/openshift-online/rosa-account-manager-service/openshift-online-rosa-account-manager-service-master.yaml (1)

1-36: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Missing generated Prow job files.

According to the repository guidelines, after modifying CI configuration files in ci-operator/config/, you must run make update to regenerate downstream artifacts, including Prow job configurations in ci-operator/jobs/.

This PR should include generated job files at:

• ci-operator/jobs/openshift-online/rosa-account-manager-service/openshift-online-rosa-account-manager-service-master-presubmits.yaml
• ci-operator/jobs/openshift-online/rosa-account-manager-service/openshift-online-rosa-account-manager-service-master-postsubmits.yaml (if applicable)

Please run make update from the repository root and commit the generated files.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In
`@ci-operator/config/openshift-online/rosa-account-manager-service/openshift-online-rosa-account-manager-service-master.yaml`
around lines 1 - 36, The CI config change adds/updates top-level keys like
binary_build_commands, test_binary_build_commands and zz_generated_metadata but
you didn't regenerate the downstream Prow job artifacts; run make update at the
repository root to regenerate ci-operator/jobs for the openshift-online
rosa-account-manager-service (which will create the master-presubmits and
master-postsubmits YAMLs) and commit those generated files alongside this CI
config change.

Source: Coding guidelines

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In
`@ci-operator/config/openshift-online/rosa-account-manager-service/openshift-online-rosa-account-manager-service-master.yaml`:
- Around line 2-6: The build_root image_stream_tag references a non-existent tag
(name: release, namespace: openshift, tag: golang-1.25); update the
build_root.image_stream_tag.tag value to a golang imagestreamtag that actually
exists in the openshift namespace (or adjust the name/namespace to match the
available imagestreamtag), e.g., query available tags with oc get imagestreamtag
release -n openshift and replace golang-1.25 with one of the returned tags so
build_root points to a valid imagestreamtag.

In `@ci-operator/config/openshift-online/rosa-account-manager-service/OWNERS`:
- Around line 1-10: The OWNERS file's approvers/reviewers lists contain GitHub
handles that are either non-existent or not public members of the
openshift-online org; update the approvers and reviewers entries in
ci-operator/config/openshift-online/rosa-account-manager-service/OWNERS by
removing the invalid handles (ecambel, ehimmelr, bhthakur, xamorim) and
replacing them with GitHub usernames that exist and are confirmed public members
of the openshift-online organization; ensure both the approvers and reviewers
blocks list only valid org members and rerun the owners validation to confirm
the file no longer triggers do-not-merge/invalid-owners-file.

---

Outside diff comments:
In
`@ci-operator/config/openshift-online/rosa-account-manager-service/openshift-online-rosa-account-manager-service-master.yaml`:
- Around line 1-36: The CI config change adds/updates top-level keys like
binary_build_commands, test_binary_build_commands and zz_generated_metadata but
you didn't regenerate the downstream Prow job artifacts; run make update at the
repository root to regenerate ci-operator/jobs for the openshift-online
rosa-account-manager-service (which will create the master-presubmits and
master-postsubmits YAMLs) and commit those generated files alongside this CI
config change.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 10faa357-475e-45b5-933f-a1336486265b

📥 Commits

Reviewing files that changed from the base of the PR and between 9989d12 and e321bba.

⛔ Files ignored due to path filters (2)

• ci-operator/jobs/openshift-online/rosa-account-manager-service/OWNERS is excluded by !ci-operator/jobs/**
• ci-operator/jobs/openshift-online/rosa-account-manager-service/openshift-online-rosa-account-manager-service-master-presubmits.yaml is excluded by !ci-operator/jobs/**

📒 Files selected for processing (4)

• ci-operator/config/openshift-online/rosa-account-manager-service/OWNERS
• ci-operator/config/openshift-online/rosa-account-manager-service/openshift-online-rosa-account-manager-service-master.yaml
• core-services/prow/02_config/openshift-online/rosa-account-manager-service/_pluginconfig.yaml
• core-services/prow/02_config/openshift-online/rosa-account-manager-service/_prowconfig.yaml

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Description: Check if golang-1.25 image stream tag exists in openshift namespace

oc get imagestreamtag release:golang-1.25 -n openshift 2>/dev/null && \
  echo "✓ golang-1.25 tag exists" || \
  echo "✗ golang-1.25 tag not found - consider using golang-1.23 or golang-1.22"

# List available golang tags
echo -e "\nAvailable golang tags:"
oc get imagestream release -n openshift -o json 2>/dev/null | \
  jq -r '.spec.tags[]? | select(.name | startswith("golang")) | .name' | sort -V

Repository: openshift/release

Length of output: 157

---

🌐 Web query:

OpenShift CI golang builder image tags available in 2026

💡 Result:

As of June 2026, OpenShift CI uses builder images hosted in the registry.ci.openshift.org/ocp/builder repository [1]. These images typically follow a structured naming convention: registry.ci.openshift.org/ocp/builder:rhel-{VERSION}-golang-{GO_VERSION}-openshift-{OCP_VERSION} As of early 2026, recent technical documentation and source code updates confirm the availability and usage of Go 1.25 builder images, commonly paired with OpenShift 4.22 base images [2][3][4][5][6]. Key naming patterns for these images include: - RHEL Version: Commonly rhel-9 (e.g., rhel-9-golang-1.25-openshift-4.22) [2][5]. RHEL-8 variants also exist and are updated in parallel for specific components (e.g., rhel-8-golang-1.25-openshift-4.22) [5]. - Golang Version: As of March/April 2026, Go 1.25 is the standard for new builds in many core OpenShift repositories [3][4][5][6]. - OpenShift Version: These images are tagged against specific OpenShift release streams, such as 4.22 [2][3][5][6]. Additionally, CI configurations often utilize "release" images for the build root, following a similar pattern: registry.ci.openshift.org/openshift/release:rhel-{VERSION}-release-golang-{GO_VERSION}-openshift-{OCP_VERSION} [1][3][4][5][6]. You can verify the current tags by querying the imagestreams in the OpenShift CI registry or by checking the build manifest configurations (.ci-operator.yaml) of official OpenShift repositories, which are regularly updated to reflect the latest stable builder tags [1][2][6].

Citations:

• 1: https://docs.ci.openshift.org/architecture/images/
• 2: NO-JIRA: Bump to builder:rhel-9-golang-1.25-openshift-4.22 cluster-version-operator#1293
• 3: openshift/cluster-image-registry-operator@1eb03dc
• 4: openshift/api@c63fe74
• 5: openshift/oc@b0c5ec0
• 6: openshift/operator-framework-operator-controller@e7fb1ec

---

Update build_root golang tag to an existing imagestreamtag
The config references release:golang-1.25 in the openshift namespace, but oc get imagestreamtag release:golang-1.25 -n openshift returns not found. Switch to a golang imagestreamtag that exists in that namespace (or align the config with the actual available release tags).

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In
`@ci-operator/config/openshift-online/rosa-account-manager-service/openshift-online-rosa-account-manager-service-master.yaml`
around lines 2 - 6, The build_root image_stream_tag references a non-existent
tag (name: release, namespace: openshift, tag: golang-1.25); update the
build_root.image_stream_tag.tag value to a golang imagestreamtag that actually
exists in the openshift namespace (or adjust the name/namespace to match the
available imagestreamtag), e.g., query available tags with oc get imagestreamtag
release -n openshift and replace golang-1.25 with one of the returned tags so
build_root points to a valid imagestreamtag.

[openshift-merge-bot]

[REHEARSALNOTIFIER]
@cambelem: the pj-rehearse plugin accommodates running rehearsal tests for the changes in this PR. Expand 'Interacting with pj-rehearse' for usage details. The following rehearsable tests have been affected by this change:

Test name	Repo	Type	Reason
pull-ci-openshift-online-rosa-account-manager-service-master-fedramp-test	openshift-online/rosa-account-manager-service	presubmit	Presubmit changed
pull-ci-openshift-online-rosa-account-manager-service-master-integration-test	openshift-online/rosa-account-manager-service	presubmit	Presubmit changed
pull-ci-openshift-online-rosa-account-manager-service-master-unit-test	openshift-online/rosa-account-manager-service	presubmit	Presubmit changed
pull-ci-openshift-online-rosa-account-manager-service-master-xcm-test	openshift-online/rosa-account-manager-service	presubmit	Presubmit changed

Interacting with pj-rehearse

Comment: /pj-rehearse to run up to 5 rehearsals
Comment: /pj-rehearse skip to opt-out of rehearsals
Comment: /pj-rehearse {test-name}, with each test separated by a space, to run one or more specific rehearsals
Comment: /pj-rehearse more to run up to 10 rehearsals
Comment: /pj-rehearse max to run up to 25 rehearsals
Comment: /pj-rehearse auto-ack to run up to 5 rehearsals, and add the rehearsals-ack label on success
Comment: /pj-rehearse list to get an up-to-date list of affected jobs
Comment: /pj-rehearse abort to abort all active rehearsals
Comment: /pj-rehearse network-access-allowed to allow rehearsals of tests that have the restrict_network_access field set to false. This must be executed by an openshift org member who is not the PR author

Once you are satisfied with the results of the rehearsals, comment: /pj-rehearse ack to unblock merge. When the rehearsals-ack label is present on your PR, merge will no longer be blocked by rehearsals.
If you would like the rehearsals-ack label removed, comment: /pj-rehearse reject to re-block merging.

[cambelem]

/retest

[openshift-ci]

@cambelem: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/check-gh-automation	7f35b7a	link	true	/test check-gh-automation
ci/prow/prow-config	7f35b7a	link	true	/test prow-config

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.