Merge branch 'master' into CMP-3846

taimurhafeez · taimurhafeez · commit f58895b21f43 · 2026-03-02T14:47:10.000Z
diff --git a/.tekton/compliance-operator-bundle-dev-pull-request.yaml b/.tekton/compliance-operator-bundle-dev-pull-request.yaml
@@ -386,7 +386,7 @@ spec:
       - name: CACHI2_ARTIFACT
         value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT)
       - name: ARGS
-        value: "--project-name=openshift/compliance-operator --report --org=86a5b6bf-8aad-4842-ab41-e5c7358c202e"
+        value: "--project-name=ComplianceAsCode/compliance-operator --report --org=86a5b6bf-8aad-4842-ab41-e5c7358c202e"
       runAfter:
       - build-image-index
       taskRef:
diff --git a/.tekton/compliance-operator-bundle-dev-push.yaml b/.tekton/compliance-operator-bundle-dev-push.yaml
@@ -383,7 +383,7 @@ spec:
       - name: CACHI2_ARTIFACT
         value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT)
       - name: ARGS
-        value: "--project-name=openshift/compliance-operator --report --org=86a5b6bf-8aad-4842-ab41-e5c7358c202e"
+        value: "--project-name=ComplianceAsCode/compliance-operator --report --org=86a5b6bf-8aad-4842-ab41-e5c7358c202e"
       runAfter:
       - build-image-index
       taskRef:
diff --git a/.tekton/compliance-operator-dev-pull-request.yaml b/.tekton/compliance-operator-dev-pull-request.yaml
@@ -8,7 +8,7 @@ metadata:
     build.appstudio.redhat.com/target_branch: '{{target_branch}}'
     pipelinesascode.tekton.dev/cancel-in-progress: "true"
     pipelinesascode.tekton.dev/max-keep-runs: "3"
-    pipelinesascode.tekton.dev/on-cel-expression: event == "pull_request" && target_branch == "master" && ( ".tekton/compliance-operator-dev-*.yaml".pathChanged() || "images/operator/***".pathChanged() || "images/redhat.repo".pathChanged() || "main.go".pathChanged() || "tools.go".pathChanged() || "pkg/**/*.go".pathChanged() || "cmd/**/*.go".pathChanged() || "version/***".pathChanged() || "config/***".pathChanged() || "*Makefile*".pathChanged() || "vendor/***".pathChanged() || "tests/***".pathChanged() || "LICENSE".pathChanged() )
+    pipelinesascode.tekton.dev/on-cel-expression: event == "pull_request" && target_branch == "master" && ( ".tekton/compliance-operator-dev-*.yaml".pathChanged() || "images/operator/***".pathChanged() || "images/redhat.repo".pathChanged() || "main.go".pathChanged() || "tools.go".pathChanged() || "images/operator/Dockerfile".pathChanged() || "build/bin/*".pathChanged() || "pkg/**/*.go".pathChanged() || "cmd/**/*.go".pathChanged() || "version/***".pathChanged() || "config/***".pathChanged() || "*Makefile*".pathChanged() || "vendor/***".pathChanged() || "tests/***".pathChanged() || "LICENSE".pathChanged() )
   creationTimestamp:
   labels:
     appstudio.openshift.io/application: compliance-operator-dev
@@ -409,7 +409,7 @@ spec:
       - name: CACHI2_ARTIFACT
         value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT)
       - name: ARGS
-        value: "--project-name=openshift/compliance-operator --report --org=86a5b6bf-8aad-4842-ab41-e5c7358c202e"
+        value: "--project-name=ComplianceAsCode/compliance-operator --report --org=86a5b6bf-8aad-4842-ab41-e5c7358c202e"
       runAfter:
       - build-image-index
       taskRef:
diff --git a/.tekton/compliance-operator-dev-push.yaml b/.tekton/compliance-operator-dev-push.yaml
@@ -8,7 +8,7 @@ metadata:
     build.appstudio.redhat.com/target_branch: '{{target_branch}}'
     pipelinesascode.tekton.dev/cancel-in-progress: "false"
     pipelinesascode.tekton.dev/max-keep-runs: "3"
-    pipelinesascode.tekton.dev/on-cel-expression: event == "push" && target_branch == "master" && ( ".tekton/compliance-operator-dev-*.yaml".pathChanged() || "images/operator/***".pathChanged() || "images/redhat.repo".pathChanged() || "main.go".pathChanged() || "tools.go".pathChanged() || "pkg/**/*.go".pathChanged() || "cmd/**/*.go".pathChanged() || "version/***".pathChanged() || "config/***".pathChanged() || "*Makefile*".pathChanged() || "vendor/***".pathChanged() || "tests/***".pathChanged() || "LICENSE".pathChanged() )
+    pipelinesascode.tekton.dev/on-cel-expression: event == "push" && target_branch == "master" && ( ".tekton/compliance-operator-dev-*.yaml".pathChanged() || "images/operator/***".pathChanged() || "images/redhat.repo".pathChanged() || "main.go".pathChanged() || "tools.go".pathChanged() || "images/operator/Dockerfile".pathChanged() || "build/bin/*".pathChanged() || "pkg/**/*.go".pathChanged() || "cmd/**/*.go".pathChanged() || "version/***".pathChanged() || "config/***".pathChanged() || "*Makefile*".pathChanged() || "vendor/***".pathChanged() || "tests/***".pathChanged() || "LICENSE".pathChanged() )
   creationTimestamp:
   labels:
     appstudio.openshift.io/application: compliance-operator-dev
@@ -407,7 +407,7 @@ spec:
       - name: CACHI2_ARTIFACT
         value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT)
       - name: ARGS
-        value: "--project-name=openshift/compliance-operator --report --org=86a5b6bf-8aad-4842-ab41-e5c7358c202e"
+        value: "--project-name=ComplianceAsCode/compliance-operator --report --org=86a5b6bf-8aad-4842-ab41-e5c7358c202e"
       runAfter:
       - build-image-index
       taskRef:
diff --git a/.tekton/compliance-operator-must-gather-dev-pull-request.yaml b/.tekton/compliance-operator-must-gather-dev-pull-request.yaml
@@ -409,7 +409,7 @@ spec:
       - name: CACHI2_ARTIFACT
         value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT)
       - name: ARGS
-        value: "--project-name=openshift/compliance-operator --report --org=86a5b6bf-8aad-4842-ab41-e5c7358c202e"
+        value: "--project-name=ComplianceAsCode/compliance-operator --report --org=86a5b6bf-8aad-4842-ab41-e5c7358c202e"
       runAfter:
       - build-image-index
       taskRef:
diff --git a/.tekton/compliance-operator-must-gather-dev-push.yaml b/.tekton/compliance-operator-must-gather-dev-push.yaml
@@ -407,7 +407,7 @@ spec:
       - name: CACHI2_ARTIFACT
         value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT)
       - name: ARGS
-        value: "--project-name=openshift/compliance-operator --report --org=86a5b6bf-8aad-4842-ab41-e5c7358c202e"
+        value: "--project-name=ComplianceAsCode/compliance-operator --report --org=86a5b6bf-8aad-4842-ab41-e5c7358c202e"
       runAfter:
       - build-image-index
       taskRef:
diff --git a/Dockerfile.ci b/Dockerfile.ci
@@ -1,5 +1,5 @@
 # Step one: build compliance-operator
-FROM registry.ci.openshift.org/openshift/release:rhel-9-release-golang-1.23-openshift-4.19 AS builder
+FROM registry.ci.openshift.org/openshift/release:rhel-9-release-golang-1.25-openshift-4.21 AS builder
 
 WORKDIR /go/src/github.com/openshift/compliance-operator
 
@@ -12,16 +12,13 @@ RUN make manager
 # Step two: containerize compliance-operator
 FROM registry.access.redhat.com/ubi9/ubi-micro:latest
 
-ENV OPERATOR=/usr/local/bin/compliance-operator \
-    USER_UID=1001 \
-    USER_NAME=compliance-operator
+ENV OPERATOR=/usr/local/bin/compliance-operator
 
 # install operator binary
 COPY --from=builder /go/src/github.com/openshift/compliance-operator/build/_output/bin/compliance-operator ${OPERATOR}
 
-COPY build/bin /usr/local/bin
-RUN  /usr/local/bin/user_setup
+COPY build/bin/entrypoint /usr/local/bin/entrypoint
 
 ENTRYPOINT ["/usr/local/bin/entrypoint"]
 
-USER ${USER_UID}
+USER 1001
diff --git a/OWNERS b/OWNERS
@@ -5,13 +5,15 @@ approvers:
   - xiaojiey
   - Vincent056
   - rhmdnd
-  - BhargaviGudi
   - yuumasato
+  - taimurhafeez
+  - Anna-Koudelkova
 reviewers:
   - jhrozek
   - mrogers950
   - xiaojiey
   - Vincent056
   - rhmdnd
-  - BhargaviGudi
   - yuumasato
+  - taimurhafeez
+  - Anna-Koudelkova
diff --git a/build/Dockerfile b/build/Dockerfile
@@ -1,5 +1,5 @@
 # Step one: build compliance-operator
-FROM golang:1.23 AS builder
+FROM golang:1.25 AS builder
 
 WORKDIR /go/src/github.com/openshift/compliance-operator
 
@@ -11,16 +11,13 @@ RUN make manager
 # Step two: containerize compliance-operator
 FROM registry.access.redhat.com/ubi9/ubi-micro:latest
 
-ENV OPERATOR=/usr/local/bin/compliance-operator \
-    USER_UID=1001 \
-    USER_NAME=compliance-operator
+ENV OPERATOR=/usr/local/bin/compliance-operator
 
 # install operator binary
 COPY --from=builder /go/src/github.com/openshift/compliance-operator/build/_output/bin/compliance-operator ${OPERATOR}
 
-COPY build/bin /usr/local/bin
-RUN  /usr/local/bin/user_setup
+COPY build/bin/entrypoint /usr/local/bin/entrypoint
 
 ENTRYPOINT ["/usr/local/bin/entrypoint"]
 
-USER ${USER_UID}
+USER 1001
diff --git a/build/bin/entrypoint b/build/bin/entrypoint
@@ -1,12 +1,11 @@
 #!/bin/sh -e
 
 # This is documented here:
-# https://docs.openshift.com/container-platform/3.11/creating_images/guidelines.html#openshift-specific-guidelines
+# https://docs.redhat.com/en/documentation/openshift_container_platform/latest/html/images/creating-images#use-uid_create-images
 
-if ! whoami &>/dev/null; then
-  if [ -w /etc/passwd ]; then
-    echo "${USER_NAME:-compliance-operator}:x:$(id -u):$(id -g):${USER_NAME:-compliance-operator} user:${HOME}:/sbin/nologin" >> /etc/passwd
-  fi
-fi
+# Since version 4.1 OCP supports arbitrary UIDs without requiring /etc/passwd entries
+# https://docs.redhat.com/en/documentation/openshift_container_platform/4.1/html/images/creating_images
+# The container runs with the UID assigned by the platform, with group 0 (root) membership
+# File permissions are managed through group ownership, not username lookups
 
 exec ${OPERATOR} $@
diff --git a/build/bin/user_setup b/build/bin/user_setup
diff --git a/bundle.openshift.Dockerfile b/bundle.openshift.Dockerfile
@@ -1,7 +1,7 @@
 ARG CO_OLD_VERSION="1.7.1"
 ARG CO_NEW_VERSION="1.8.0-dev"
 
-FROM brew.registry.redhat.io/rh-osbs/openshift-golang-builder:v1.23 as builder
+FROM brew.registry.redhat.io/rh-osbs/openshift-golang-builder:v1.25 as builder
 
 COPY . .
 WORKDIR bundle-hack
diff --git a/cmd/manager/aggregator.go b/cmd/manager/aggregator.go
@@ -210,7 +210,7 @@ func parseResultRemediations(client runtimeclient.Client, scheme *runtime.Scheme
 	err := client.Get(context.TODO(), types.NamespacedName{Name: scanName, Namespace: namespace}, scan)
 	if err != nil {
 		errStr := "ErrorGettingTailoredProfileScan." + err.Error() + "\n"
-		return nil, nodeName, fmt.Errorf(errStr)
+		return nil, nodeName, fmt.Errorf("%s", errStr)
 	}
 	// scan has tailored profile CM
 	if scan.Spec.TailoringConfigMap != nil {
diff --git a/go.mod b/go.mod
@@ -1,6 +1,6 @@
 module github.com/ComplianceAsCode/compliance-operator
 
-go 1.23.0
+go 1.25.3
 
 require (
 	github.com/ComplianceAsCode/compliance-sdk v0.0.0-20250925092238-0b432985772e
diff --git a/images/operator/Dockerfile b/images/operator/Dockerfile
@@ -1,4 +1,4 @@
-FROM brew.registry.redhat.io/rh-osbs/openshift-golang-builder:v1.23 as builder
+FROM brew.registry.redhat.io/rh-osbs/openshift-golang-builder:v1.25 as builder
 
 WORKDIR /go/src/github.com/ComplianceAsCode/compliance-operator
 
@@ -31,19 +31,14 @@ LABEL \
 
 WORKDIR /
 
-# Needed by the user_setup and entrypoint scripts
-ENV OPERATOR_BIN=/usr/local/bin/compliance-operator \
-    USER_NAME=compliance-operator \
-    USER_UID=1001
+ENV OPERATOR_BIN=/usr/local/bin/compliance-operator
 
 COPY --from=builder /go/src/github.com/ComplianceAsCode/compliance-operator/LICENSE /licenses/LICENSE
 COPY --from=builder /go/src/github.com/ComplianceAsCode/compliance-operator/build/_output/bin/compliance-operator ${OPERATOR_BIN}
-COPY --from=builder /go/src/github.com/ComplianceAsCode/compliance-operator/build/bin/* /usr/local/bin
+COPY --from=builder /go/src/github.com/ComplianceAsCode/compliance-operator/build/bin/entrypoint /usr/local/bin/entrypoint
 # This is required for the bundle build.
 COPY --from=builder /go/src/github.com/ComplianceAsCode/compliance-operator/bundle /bundle
 
-RUN  /usr/local/bin/user_setup
-
 ENTRYPOINT ["/usr/local/bin/entrypoint"]
 
-USER ${USER_UID}
+USER 1001
diff --git a/pkg/controller/compliancescan/scan.go b/pkg/controller/compliancescan/scan.go
@@ -908,7 +908,7 @@ func checkScanUnknownError(cm *corev1.ConfigMap) error {
 	if exitcode != common.OpenSCAPExitCodeCompliant && exitcode != common.OpenSCAPExitCodeNonCompliant && exitcode != common.PodUnschedulableExitCode {
 		errorMsg, ok := cm.Data["error-msg"]
 		if ok {
-			return fmt.Errorf(errorMsg)
+			return fmt.Errorf("%s", errorMsg)
 		}
 		return fmt.Errorf("the ConfigMap '%s' was missing 'error-msg' despite exitcode %s", cm.Name, exitcode)
 	}
@@ -950,7 +950,7 @@ func getScanResult(cm *corev1.ConfigMap) (compv1alpha1.ComplianceScanStatusResul
 	if !ok {
 		errMsg = fmt.Sprintf("Undefined error in ConfigMap %s", cm.Name)
 	}
-	return compv1alpha1.ResultError, fmt.Errorf(errMsg)
+	return compv1alpha1.ResultError, fmt.Errorf("%s", errMsg)
 }
 
 func getReplicatedTailoringCMName(instanceName string) string {
diff --git a/pkg/profileparser/profileparser.go b/pkg/profileparser/profileparser.go
@@ -46,7 +46,7 @@ type ParserConfig struct {
 
 func LogAndReturnError(errormsg string) error {
 	log.Info(errormsg)
-	return fmt.Errorf(errormsg)
+	return fmt.Errorf("%s", errormsg)
 }
 
 func GetPrefixedName(pbName, objName string) string {
diff --git a/renovate.json b/renovate.json
@@ -2,7 +2,7 @@
   "extends": [
     "config:recommended"
   ],
-  "prConcurrentLimit": 30,
+  "prConcurrentLimit": 15,
   "labels": [
     "ok-to-test",
     "px-approved",
@@ -12,11 +12,13 @@
   "schedule": [
     "every weekend"
   ],
-  "packageRules": [
-    {
-      "matchManagers": ["gomod"],
-      "matchBaseBranches": ["/^release-.*/"],
-      "enabled": false
-    }
-  ]
+  "gomod": {
+    "packageRules": [
+      {
+        "matchManagers": ["gomod"],
+        "matchBaseBranches": ["/^release-.*/"],
+        "enabled": false
+      }
+    ]
+  }
 }
diff --git a/tests/e2e/framework/common.go b/tests/e2e/framework/common.go
diff --git a/tests/e2e/parallel/main_test.go b/tests/e2e/parallel/main_test.go
