Protect finops-tools branches

[theute]

This might be overkill but we'll see...
Primary intent is to protect the 'main' branch for direct commit and have reviewers/approvers

Summary by CodeRabbit

This change adds Prow configuration to protect and enforce review policies for the openshift-online/finops-tools repository.

Practical impact:

• Repository affected: openshift-online/finops-tools (Prow config only; no code changes).
• Enforces branch protection on main:
  • protect: true and enforce_admins: true.
  • Requires 1 approving review and dismisses stale reviews.
  • Team restriction: openshift-bots listed under restrictions.
• Approval and plugin behavior:
  • Disables self-approval (require_self_approval: false) for the approve plugin.
  • Enables lgtm with review_acts_as_lgtm: true so reviews count as LGTM.
  • Enables a broad set of core plugins for PR/workflow automation (assign, blunderbuss, lgtm, trigger, verify-owners, approve, etc.).
  • Configures two external plugins for the repo:
    • refresh (endpoint http://refresh) subscribed to issue_comment.
    • needs-rebase (endpoint http://needs-rebase) subscribed to issue_comment and pull_request.
  • Limits trusted apps for triggers to openshift-merge-bot.
• Tide / merge automation:
  • Merge method: squash for openshift-online/finops-tools.
  • Tide will auto-merge PRs on main only when labels approved and lgtm are present.
  • Blocks merging when specific “missing” or disallowed labels are present (examples: backports/unvalidated-commits, do-not-merge/* variants, jira/invalid-bug, needs-rebase).

Result: The main branch for finops-tools is now protected against direct commits and requires reviewer approval and label-based gating before Tide will merge, enforcing stricter review discipline and automated merge controls.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 4159caa1-5a1c-4a6d-a2db-7874f8a26a38

📥 Commits

Reviewing files that changed from the base of the PR and between 2cf338b and de635d2.

📒 Files selected for processing (1)

• core-services/prow/02_config/openshift-online/finops-tools/_prowconfig.yaml

🚧 Files skipped from review as they are similar to previous changes (1)

• core-services/prow/02_config/openshift-online/finops-tools/_prowconfig.yaml

---

Walkthrough

Adds two Prow configuration files for the openshift-online/finops-tools repository: a plugin configuration enabling external plugins and core Prow features, and a Prow configuration defining main-branch protection with admin enforcement and Tide squash-merge automation based on label criteria.

Changes

Prow automation setup for finops-tools

Layer / File(s)

Summary

Prow plugin and branch protection configuration core-services/prow/02_config/openshift-online/finops-tools/_pluginconfig.yaml, core-services/prow/02_config/openshift-online/finops-tools/_prowconfig.yaml

Plugin configuration disables self-approval, enables lgtm with review_acts_as_lgtm, configures external plugins (refresh, needs-rebase) with event subscriptions, enumerates core plugins and triggers, and limits trusted apps. Branch protection requires 1 approval on main with admin enforcement and stale dismissal. Tide performs squash merges on main when approved and lgtm labels are present and blocks merges when specified disallowed labels are present.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Possibly related PRs

• openshift/release#79772: Documents the _pluginconfig.yaml and _prowconfig.yaml fragment structure and hierarchy that these new configuration files follow.

Suggested reviewers

• danilo-gemoli

Suggested labels

lgtm

🚥 Pre-merge checks | ✅ 15

✅ Passed checks (15 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title 'Protect finops-tools branches' accurately reflects the main purpose of the changes, which add branch protection rules to the finops-tools repository through Prow configuration files.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names	✅ Passed	PR adds only YAML configuration files for Prow (branch protection and plugin settings), not Ginkgo tests; check is not applicable.
Test Structure And Quality	✅ Passed	PR adds only Prow/GitHub branch protection YAML configuration files, not Ginkgo test code. Custom check for test structure is not applicable to configuration files.
Microshift Test Compatibility	✅ Passed	PR adds only YAML configuration files for Prow CI/CD (plugin and branch protection config), not Ginkgo e2e tests. Check is inapplicable.
Single Node Openshift (Sno) Test Compatibility	✅ Passed	PR adds only Prow configuration files (_pluginconfig.yaml and _prowconfig.yaml), not Ginkgo e2e tests. The SNO compatibility check does not apply.
Topology-Aware Scheduling Compatibility	✅ Passed	Files are Prow CI/CD configuration (_pluginconfig.yaml, _prowconfig.yaml), not deployment manifests, operator code, or controllers. No scheduling constraints found.
Ote Binary Stdout Contract	✅ Passed	PR contains only YAML configuration files. OTE Binary Stdout Contract check applies only to Go test binaries, making it inapplicable.
Ipv6 And Disconnected Network Test Compatibility	✅ Passed	PR adds only Prow configuration YAML files (_pluginconfig.yaml and _prowconfig.yaml), not Ginkgo e2e tests. The custom check only applies to new e2e tests with Ginkgo test constructs.
No-Weak-Crypto	✅ Passed	The PR adds only YAML configuration files for Prow CI/CD settings. No code, cryptographic algorithms, or custom implementations are present. No weak crypto patterns detected.
Container-Privileges	✅ Passed	PR contains only Prow CI configuration files (_pluginconfig.yaml, _prowconfig.yaml), not container/K8s manifests; no privileged container settings found.
No-Sensitive-Data-In-Logs	✅ Passed	The PR contains only YAML configuration files with no logging statements or sensitive data exposure. No passwords, tokens, API keys, PII, session IDs, hostnames, or customer data detected.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: theute

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In
`@core-services/prow/02_config/openshift-online/finops-tools/_pluginconfig.yaml`:
- Around line 47-53: The triggers block contains an unsupported field
"org_invite: prominent: {}" which will fail strict Prow config validation;
remove the "org_invite: prominent: {}" entry from the triggers stanza (leave
valid keys like repos and trusted_apps unchanged) or, if this was intended for a
different plugin, move its configuration into the correct plugin's _pluginconfig
(search for usages of "org_invite" to confirm intent). Target the triggers block
surrounding the "triggers", "org_invite: prominent", "repos: -
openshift-online/finops-tools", and "trusted_apps: - openshift-merge-bot"
symbols when making the change.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: ed4a12cc-7ed9-4a4e-add3-f072550ec3ef

📥 Commits

Reviewing files that changed from the base of the PR and between 674c464 and 2cf338b.

📒 Files selected for processing (2)

• core-services/prow/02_config/openshift-online/finops-tools/_pluginconfig.yaml
• core-services/prow/02_config/openshift-online/finops-tools/_prowconfig.yaml

[coderabbitai]

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

org_invite is not a recognized field of the trigger plugin config.

The Prow trigger plugin's Trigger struct only accepts repos, trusted_apps, trusted_org, join_org_url, only_org_members, ignore_ok_to_test, and trigger_github_workflows. org_invite: prominent: {} is not part of this schema, so strict config validation (checkconfig) may reject this entry. trusted_apps/repos here are valid; please confirm whether org_invite is intended/supported, and drop it if not.

🔍 Proposed fix if `org_invite` is not supported

 triggers:
-- org_invite:
-    prominent: {}
-  repos:
+- repos:
   - openshift-online/finops-tools
   trusted_apps:
   - openshift-merge-bot

Check whether org_invite is used by any other Prow plugin config in this repo (broad usage would suggest a recognized/forked field, none would corroborate a typo/misplacement):

#!/bin/bash
# Look for other `org_invite` usages across Prow plugin configs
rg -nP -C3 'org_invite' --iglob '**/_pluginconfig.yaml'

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In
`@core-services/prow/02_config/openshift-online/finops-tools/_pluginconfig.yaml`
around lines 47 - 53, The triggers block contains an unsupported field
"org_invite: prominent: {}" which will fail strict Prow config validation;
remove the "org_invite: prominent: {}" entry from the triggers stanza (leave
valid keys like repos and trusted_apps unchanged) or, if this was intended for a
different plugin, move its configuration into the correct plugin's _pluginconfig
(search for usages of "org_invite" to confirm intent). Target the triggers block
surrounding the "triggers", "org_invite: prominent", "repos: -
openshift-online/finops-tools", and "trusted_apps: - openshift-merge-bot"
symbols when making the change.

[openshift-merge-bot]

[REHEARSALNOTIFIER]
@theute: no rehearsable tests are affected by this change

Note: If this PR includes changes to step registry files (ci-operator/step-registry/) and you expected jobs to be found, try rebasing your PR onto the base branch. This helps pj-rehearse accurately detect changes when the base branch has moved forward.

Interacting with pj-rehearse

Comment: /pj-rehearse to run up to 5 rehearsals
Comment: /pj-rehearse skip to opt-out of rehearsals
Comment: /pj-rehearse {test-name}, with each test separated by a space, to run one or more specific rehearsals
Comment: /pj-rehearse more to run up to 10 rehearsals
Comment: /pj-rehearse max to run up to 25 rehearsals
Comment: /pj-rehearse auto-ack to run up to 5 rehearsals, and add the rehearsals-ack label on success
Comment: /pj-rehearse list to get an up-to-date list of affected jobs
Comment: /pj-rehearse abort to abort all active rehearsals
Comment: /pj-rehearse network-access-allowed to allow rehearsals of tests that have the restrict_network_access field set to false. This must be executed by an openshift org member who is not the PR author

Once you are satisfied with the results of the rehearsals, comment: /pj-rehearse ack to unblock merge. When the rehearsals-ack label is present on your PR, merge will no longer be blocked by rehearsals.
If you would like the rehearsals-ack label removed, comment: /pj-rehearse reject to re-block merging.

[openshift-ci]

@theute: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.