chore(SREP-4482, SREP-4486, SREP-4800: Boilerplate Update for Agentic SDLC Rollout)

[charlesgong]

What type of PR is this?
boilerplate

What this PR does / why we need it?
This PR moves the changes introduced in boilerplate for Agentic SDLC Rollout into MVP for ocm-agent-operator.
Related BP MRs

• SREP-4482: Update golangci-lint configuration with enhanced linters boilerplate#716
• SREP-4484: Enable Codecov Enforcement boilerplate#720
• [SREP-4485] add pre-commit hooks to golang-osd-operator convention boilerplate#723

Which Jira/Github issue(s) this PR fixes?
Part of Rollout for Agentic SDLC -

• Lint -https://redhat.atlassian.net/browse/SREP-4482
• Pre-Commit Hook - https://redhat.atlassian.net/browse/SREP-4486
• CodeCov - https://redhat.atlassian.net/browse/SREP-4800

Special notes for your reviewer:
Pre-checks (if applicable):

• Tested latest changes against a cluster
• Ran make generate command locally to validate code changes
• Included documentation changes with PR

Summary by CodeRabbit

• Chores

  • Updated CI/build base images and image tags; refreshed TLS/webhook manifests and coverage thresholds
  • Replaced and tightened pre-commit configuration; added an agentic pre-commit procedure document
  • Minor manifest/whitespace cleanups and owner alias adjustments

• Bug Fixes

  • Improved condition/state handling and webhook operation validation
  • Added explicit handling for unknown health conditions

• Tests

  • Hardened tests for condition processing and metric collection

[openshift-ci-robot]

@charlesgong: This pull request references SREP-4482 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "5.0.0" version, but no target version was set.

This pull request references SREP-4486 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "5.0.0" version, but no target version was set.

This pull request references SREP-4800 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "5.0.0" version, but no target version was set.

Details

In response to this:

What type of PR is this?
boilerplate

What this PR does / why we need it?
This PR moves the changes introduced in boilerplate for Agentic SDLC Rollout into MVP for ocm-agent-operator.
Related BP MRs

• SREP-4482: Update golangci-lint configuration with enhanced linters boilerplate#716
• SREP-4484: Enable Codecov Enforcement boilerplate#720
• [SREP-4485] add pre-commit hooks to golang-osd-operator convention boilerplate#723

Which Jira/Github issue(s) this PR fixes?
Part of Rollout for Agentic SDLC -

• Lint -https://redhat.atlassian.net/browse/SREP-4482
• Pre-Commit Hook - https://redhat.atlassian.net/browse/SREP-4486
• CodeCov - https://redhat.atlassian.net/browse/SREP-4800

Special notes for your reviewer:
Pre-checks (if applicable):

• Tested latest changes against a cluster
• Ran make generate command locally to validate code changes
• Included documentation changes with PR

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[coderabbitai]

Warning

Rate limit exceeded

@charlesgong has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 45 minutes and 58 seconds before requesting another review.

You’ve run out of usage credits. Purchase more in the billing tab.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 728d9b81-fbd7-4b08-9c8d-389cb936f555

📥 Commits

Reviewing files that changed from the base of the PR and between fd8998e and 18f9df1.

📒 Files selected for processing (1)

• .pre-commit-config.yaml

Walkthrough

Updates CI and Docker build base images, replaces pre-commit hookset and adds pre-commit procedure docs, rotates dev TLS/CA material, makes explicit condition/operation handling in controllers/webhooks/metrics, removes a few OWNERS entries, and applies minor whitespace/lint adjustments and test lint comments.

Changes

Build infrastructure

Layer / File(s)	Summary
CI operator and builder image tag .ci-operator.yaml	Bumped build_root_image tag from image-v8.3.4 → image-v8.3.6.
Dockerfile builder/runtime base updates build/Dockerfile, build/Dockerfile.olm-registry, build/Dockerfile.webhook	Updated builder image tag and updated runtime ubi-minimal image tag to 9.7-1778562320.
Code coverage gating .codecov.yml	Enabled coverage status checks: project target 35% (threshold 1%), patch target 50% (threshold 1%).

Pre-commit tooling and policy

Layer / File(s)	Summary
New pre-commit hookset .pre-commit-config.yaml	Replaced prior hooks with tiered "golden rule" hooks: global hygiene (merge-conflict, trailing whitespace, EOF fixer, YAML checks scoped to deploy/), pinned gitleaks, pinned golangci-lint, and local hooks go-build, go-mod-tidy (enforced diff check), rbac-wildcard-check.
Agentic pre-commit procedure doc .claude/commands/pre-commit.md	Added documentation specifying invocation modes, seven-step workflow for running hooks, retry/idempotency rules, escalation conditions, and hard constraints prohibiting bypasses and unsafe auto-fixes.

Development TLS and webhook manifests

Layer / File(s)	Summary
Dev TLS secrets and webhook CA deploy-extras/development/01-metrics-server-tls-secret.yaml, deploy-extras/development/webhook/00-tls-secret.yaml, deploy-extras/development/webhook/validatingwebhookconfig.yaml	Replaced base64-encoded TLS materials and rotated the webhook clientConfig.caBundle in development manifests.
PKO cleanup templates (format-only) deploy_pko/Cleanup-OLM-Job.yaml, deploy_pko/.test-fixtures/config-with-proxy/Cleanup-OLM-Job.yaml	Comment/whitespace edits only; no functional changes.

Runtime behavior, controllers, metrics, and webhooks

Layer / File(s)	Summary
Monitoring stack condition handling controllers/addon/monitoring_stack_reconciler.go, integration/monitoring_stack_test.go	Added explicit default branch to ignore unhandled monitoring condition types and updated test to ignore ResourceDiscoveryCondition.
CSV phase observation controllers/addon/phase_observe_operatorresource.go	Enumerated CSV phases (Pending, InstallReady, Installing, Unknown, Replacing, Deleting, Any) instead of a broad default to map to "unknown/pending".
Metrics health recording internal/metrics/recorder.go	Added explicit metav1.ConditionUnknown case mapping to health status value 2.
Admission operations allow-list internal/webhooks/addon_webhook.go	AddonWebhookHandler.Handle now explicitly allows adminv1beta1.Delete and adminv1beta1.Connect by returning admission.Allowed("") for those operations.

OWNERS, tests, lint and whitespace fixes

Layer / File(s)	Summary
OWNERS alias edits OWNERS_ALIASES	Removed abyrne55 from srep-functional-team-aurora and srep-functional-leads; removed jharrington22 from srep-architects.
Test lint comments and fixtures integration/fixtures_test.go, integration/metrics_collection_test.go	Removed repeated // nolint suppressions on image digest constants and added //nolint:contextcheck comments at three test call sites (formatting adjusted).
Whitespace / formatting & minor code tidy hack/hypershift/package/..., deploy/80_addon-sermon-fedaration-token.yaml, fips.go	Removed trailing whitespace in several YAML templates/manifests; in FIPS build init() now discards fmt.Println return values via _, _ = fmt.Println(...).

🎯 3 (Moderate) | ⏱️ ~25 minutes

---

Important

Pre-merge checks failed

Please resolve all errors before merging. Addressing warnings is optional.

❌ Failed checks (1 error, 1 warning, 1 inconclusive)

Check name	Status	Explanation	Resolution
Ote Binary Stdout Contract	❌ Error	fips.go adds fmt.Println() in init() (process-level code), writing non-JSON to stdout and violating OTE Binary Stdout Contract. Discarding return values doesn't prevent output to stdout.	Redirect init() output to stderr via fmt.Fprintf(os.Stderr, ...) or remove the startup log, ensuring only JSON is written to stdout by OTE binary.
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.
Test Structure And Quality	❓ Inconclusive	Custom check requests Ginkgo test review, but repo uses testify/suite with standard Go testing.T, not Ginkgo. Test framework mismatch makes check inapplicable.	Clarify if check should apply to testify/suite tests. If yes, adjust criteria (T().Cleanup vs BeforeEach/AfterEach). PR changes follow existing patterns.

✅ Passed checks (9 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title clearly identifies the main change as a boilerplate update and references three specific Jira issues (SREP-4482, SREP-4486, SREP-4800) related to an Agentic SDLC rollout, which directly corresponds to the changeset's primary objective.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names	✅ Passed	Not applicable. Repository uses testify/suite (83 matches), not Ginkgo (0 matches). No Ginkgo test definitions found. All test names are static strings.
Microshift Test Compatibility	✅ Passed	No new Ginkgo e2e tests (It(), Describe(), Context(), When()) are added in this PR. All test file changes are modifications to existing tests only.
Single Node Openshift (Sno) Test Compatibility	✅ Passed	No new Ginkgo e2e tests were added in this PR. The repository uses testify/suite framework, not Ginkgo. All integration test changes were modifications to existing tests only.
Topology-Aware Scheduling Compatibility	✅ Passed	PR introduces no new scheduling constraints. Changes are boilerplate updates to Docker images, TLS credentials, and linting config. Existing deployment affinity rules remain unmodified.
Ipv6 And Disconnected Network Test Compatibility	✅ Passed	No new Ginkgo e2e tests were added in this PR. The test file changes only include modifications to existing tests (lint comments and condition handling logic). The custom check does not apply.

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: charlesgong
Once this PR has been reviewed and has the lgtm label, please assign robshelly for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[codecov-commenter]

Codecov Report

❌ Patch coverage is 33.33333% with 4 lines in your changes missing coverage. Please review.
✅ Project coverage is 59.17%. Comparing base (ee483fd) to head (5a945e0).

Files with missing lines	Patch %	Lines
internal/webhooks/addon_webhook.go	0.00%	2 Missing ⚠️
controllers/addon/monitoring_stack_reconciler.go	0.00%	1 Missing ⚠️
...ontrollers/addon/phase_observe_operatorresource.go	0.00%	1 Missing ⚠️

❌ Your patch status has failed because the patch coverage (33.33%) is below the target coverage (50.00%). You can increase the patch coverage or adjust the target coverage.

Additional details and impacted files

@@            Coverage Diff             @@
##             main     #724      +/-   ##
==========================================
- Coverage   59.24%   59.17%   -0.08%     
==========================================
  Files          62       62              
  Lines        4125     4130       +5     
==========================================
  Hits         2444     2444              
- Misses       1532     1537       +5     
  Partials      149      149              

Files with missing lines	Coverage Δ
internal/metrics/recorder.go	93.84% <100.00%> (-0.98%)	⬇️
controllers/addon/monitoring_stack_reconciler.go	79.36% <0.00%> (-0.64%)	⬇️
...ontrollers/addon/phase_observe_operatorresource.go	74.07% <0.00%> (ø)
internal/webhooks/addon_webhook.go	0.00% <0.00%> (ø)

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[coderabbitai]

Actionable comments posted: 1

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (2)

controllers/addon/phase_observe_operatorresource.go (1)

97-104: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Missing fallback in CSV phase switch causes false-ready path.

The switch no longer handles empty/unexpected phases, so unresolved CSV states can fall through as success (resultNil) instead of staying unready/retrying.

Proposed fix

 switch phase {
 case operatorsv1alpha1.CSVPhaseSucceeded:
 	// do nothing here
 case operatorsv1alpha1.CSVPhaseFailed:
 	message = "failed"
 case operatorsv1alpha1.CSVPhasePending, operatorsv1alpha1.CSVPhaseInstallReady, operatorsv1alpha1.CSVPhaseInstalling, operatorsv1alpha1.CSVPhaseUnknown, operatorsv1alpha1.CSVPhaseReplacing, operatorsv1alpha1.CSVPhaseDeleting, operatorsv1alpha1.CSVPhaseAny:
 	message = "unknown/pending"
+default:
+	message = "unknown/pending"
 }

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@controllers/addon/phase_observe_operatorresource.go` around lines 97 - 104,
The switch on the CSV state variable phase (using
operatorsv1alpha1.CSVPhaseSucceeded/Failed/Pending/etc.) lacks a
default/fallback, so unexpected or empty phases fall through as success; update
the switch in controllers/addon/phase_observe_operatorresource.go to include a
default case that sets message (the same variable used for status) to an
"unknown/pending" or equivalent non-ready value and ensure the calling code does
not treat that path as resultNil/success (i.e., cause a retry or mark not-ready)
so unresolved CSV states don't incorrectly signal readiness.

deploy-extras/development/01-metrics-server-tls-secret.yaml (1)

1-14: ⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Stale validity comment after cert rotation.

The header comment claims this cert is valid until May 21 12:11:09 3021 GMT, but the rotated cert in ca-bundle.crt/tls.crt decodes to NotAfter: Jan 6 03:42:55 2034 GMT (~10 years from NotBefore: Jan 9 2024). Update the comment so dev users don't assume a far-future expiry.

📝 Proposed fix

 # This Secret is only for testing / dev.
-# This cert is valid till May 21 12:11:09 3021 GMT
+# This cert is valid till Jan  6 03:42:55 2034 GMT
 # When deployed as an OLM Bundle, OLM will handle injecting TLS secrets
 # CN = addon-operator-metrics.addon-operator.svc

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@deploy-extras/development/01-metrics-server-tls-secret.yaml` around lines 1 -
14, The top header comment is stale; update the comment above the Secret
(metadata.name: manager-metrics-tls) to reflect the certificate's actual
NotAfter value (NotAfter: Jan 6 03:42:55 2034 GMT) instead of "May 21 12:11:09
3021 GMT" so devs won't be misled; edit the first few comment lines to state the
correct expiry (and optionally note NotBefore: Jan 9 2024) while leaving the
rest of the Secret (ca-bundle.crt, tls.crt, tls.key) untouched.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.claude/commands/pre-commit.md:
- Around line 77-84: The fenced code block that begins with the triple backticks
around the "PRE-COMMIT SUMMARY" text lacks a language identifier; update the
opening fence in .claude/commands/pre-commit.md so it includes a language token
(for example "text" or "plain") immediately after the ``` to satisfy markdown
linting. Locate the block which contains the "PRE-COMMIT SUMMARY" header and
change the opening ``` to ```text (or another appropriate language) so the
linter recognizes the code fence.

---

Outside diff comments:
In `@controllers/addon/phase_observe_operatorresource.go`:
- Around line 97-104: The switch on the CSV state variable phase (using
operatorsv1alpha1.CSVPhaseSucceeded/Failed/Pending/etc.) lacks a
default/fallback, so unexpected or empty phases fall through as success; update
the switch in controllers/addon/phase_observe_operatorresource.go to include a
default case that sets message (the same variable used for status) to an
"unknown/pending" or equivalent non-ready value and ensure the calling code does
not treat that path as resultNil/success (i.e., cause a retry or mark not-ready)
so unresolved CSV states don't incorrectly signal readiness.

In `@deploy-extras/development/01-metrics-server-tls-secret.yaml`:
- Around line 1-14: The top header comment is stale; update the comment above
the Secret (metadata.name: manager-metrics-tls) to reflect the certificate's
actual NotAfter value (NotAfter: Jan 6 03:42:55 2034 GMT) instead of "May 21
12:11:09 3021 GMT" so devs won't be misled; edit the first few comment lines to
state the correct expiry (and optionally note NotBefore: Jan 9 2024) while
leaving the rest of the Secret (ca-bundle.crt, tls.crt, tls.key) untouched.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: e6ddd226-f5cf-4464-a3f0-79b9780fd956

📥 Commits

Reviewing files that changed from the base of the PR and between ee483fd and 04bb6f9.

⛔ Files ignored due to path filters (14)

• boilerplate/_data/backing-image-tag is excluded by !boilerplate/**
• boilerplate/_data/last-boilerplate-commit is excluded by !boilerplate/**
• boilerplate/openshift/golang-osd-operator/.codecov.yml is excluded by !boilerplate/**
• boilerplate/openshift/golang-osd-operator/OWNERS_ALIASES is excluded by !boilerplate/**
• boilerplate/openshift/golang-osd-operator/README.md is excluded by !boilerplate/**
• boilerplate/openshift/golang-osd-operator/TEST_README.md is excluded by !boilerplate/**
• boilerplate/openshift/golang-osd-operator/app-sre.md is excluded by !boilerplate/**
• boilerplate/openshift/golang-osd-operator/csv-generate/csv-generate.sh is excluded by !boilerplate/**
• boilerplate/openshift/golang-osd-operator/golangci.yml is excluded by !boilerplate/**
• boilerplate/openshift/golang-osd-operator/olm_pko_migration.py is excluded by !boilerplate/**
• boilerplate/openshift/golang-osd-operator/pre-commit-config.yaml is excluded by !boilerplate/**
• boilerplate/openshift/golang-osd-operator/standard.mk is excluded by !boilerplate/**
• boilerplate/openshift/golang-osd-operator/test_olm_pko_migration.py is excluded by !boilerplate/**
• boilerplate/openshift/golang-osd-operator/update is excluded by !boilerplate/**

📒 Files selected for processing (25)

• .ci-operator.yaml
• .claude/commands/pre-commit.md
• .codecov.yml
• .pre-commit-config.yaml
• OWNERS_ALIASES
• build/Dockerfile
• build/Dockerfile.olm-registry
• build/Dockerfile.webhook
• controllers/addon/monitoring_stack_reconciler.go
• controllers/addon/phase_observe_operatorresource.go
• deploy-extras/development/01-metrics-server-tls-secret.yaml
• deploy-extras/development/webhook/00-tls-secret.yaml
• deploy-extras/development/webhook/validatingwebhookconfig.yaml
• deploy/80_addon-sermon-fedaration-token.yaml
• deploy_pko/.test-fixtures/config-with-proxy/Cleanup-OLM-Job.yaml
• deploy_pko/Cleanup-OLM-Job.yaml
• fips.go
• hack/hypershift/package/.test-fixtures/namespace-scope/hcp/addon-operator.yaml
• hack/hypershift/package/hcp/addon-operator.yaml.gotmpl
• hack/hypershift/package/manifest.yaml
• integration/fixtures_test.go
• integration/metrics_collection_test.go
• integration/monitoring_stack_test.go
• internal/metrics/recorder.go
• internal/webhooks/addon_webhook.go

💤 Files with no reviewable changes (2)

• integration/fixtures_test.go
• OWNERS_ALIASES

[coderabbitai]

⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Add language specification to fenced code block.

The fenced code block lacks a language identifier. Add a language specification to satisfy markdown linting rules.

📝 Proposed fix

-```
+```text
 PRE-COMMIT SUMMARY
 ==================
 Passed:     <list of hook IDs>

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	```
	PRE-COMMIT SUMMARY
	==================
	Passed: <list of hook IDs>
	Auto-fixed: <list of hook IDs> → files staged
	Fixed: <list of hook IDs> → changes applied
	Failed: <list of hook IDs> → escalated to human
	Attempts: <N> of 2 maximum

🧰 Tools

🪛 markdownlint-cli2 (0.22.1)

[warning] 77-77: Fenced code blocks should have a language specified

(MD040, fenced-code-language)

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.claude/commands/pre-commit.md around lines 77 - 84, The fenced code block
that begins with the triple backticks around the "PRE-COMMIT SUMMARY" text lacks
a language identifier; update the opening fence in
.claude/commands/pre-commit.md so it includes a language token (for example
"text" or "plain") immediately after the ``` to satisfy markdown linting. Locate
the block which contains the "PRE-COMMIT SUMMARY" header and change the opening
``` to ```text (or another appropriate language) so the linter recognizes the
code fence.

[openshift-ci]

@charlesgong: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.