HYPERFLEET-991 - feat: add PR risk scoring presubmit job

[rafabene]

Summary

• Add new hyperfleet-risk-scorer step-registry ref that computes a deterministic risk score for PRs
• Score based on: diff size (>200/500 lines), sensitive path changes (cmd/, config/, deploy/, migrations/, auth/), and test coverage (_test.go presence)
• Applies risk/low, risk/medium, or risk/high GitHub label automatically
• Posts a score breakdown comment on the PR (updated idempotently on re-push)
• Uses hyperfleet-ci-bot GitHub App (installed on openshift-hyperfleet org) for API access
• Job is optional: true — never blocks merge
• Enabled for: hyperfleet-adapter, hyperfleet-api, hyperfleet-broker, hyperfleet-sentinel

Test plan

• Verify Vault secret hyperfleet-ci-bot is synced to test-credentials namespace
• Open a test PR on one of the 4 repos and trigger /test risk-scorer
• Verify label is applied and comment is posted with score breakdown
• Push a new commit to the PR and verify the comment is updated (not duplicated)
• Verify the job does not block merge (optional check)

Overview

Adds a reusable PR risk-scoring step and wires it into the CI pipelines for HyperFleet’s four component repositories (hyperfleet-adapter, hyperfleet-api, hyperfleet-broker, hyperfleet-sentinel). The job is optional and does not block merges.

What changed (practical impact)

• New step-registry component: ci-operator/step-registry/hyperfleet/risk-scorer

  • Implements deterministic PR risk scoring based on: diff-size thresholds (>200, >500 lines), changes under sensitive paths (default: cmd/, config/, deploy/, migrations/, auth/; overridable via .risk-config.yaml), and a Go test-coverage heuristic (presence of _test.go files vs changed non-test .go files).
  • Authenticates to GitHub using the hyperfleet-ci-bot GitHub App (the step-ref includes defaults/docs for GITHUB_APP_ID, GITHUB_APP_INSTALLATION_ID, and the private key file); it mints an installation token by signing a JWT.
  • Maps a numeric score to one of risk/low, risk/medium, risk/high; ensures exactly one risk/* label on the PR (creates labels if missing, removes prior risk/* labels).
  • Posts a single PR comment containing a markdown score breakdown and updates that same comment idempotently on subsequent pushes (uses a fixed HTML marker to find/update the comment).
  • Step-ref mounts the hyperfleet-ci-bot credential from the test-credentials namespace, requests 100m CPU / 200Mi memory, sets a 1m grace period and 5m timeout, and documents behavior.

• CI pipeline integration

  • Adds an optional risk-scorer test job to the main ci-operator pipeline for each of: hyperfleet-adapter, hyperfleet-api, hyperfleet-broker, hyperfleet-sentinel. Each job runs the hyperfleet-risk-scorer step-ref and is marked optional: true so it never blocks merges.

• Ownership & metadata

  • Added OWNERS and hyperfleet-risk-scorer-ref.metadata.json listing approvers/reviewers for the new step-ref.

Implementation artifacts

• ci-operator/step-registry/hyperfleet/risk-scorer/

  • hyperfleet-risk-scorer-commands.sh — Bash script implementing diff analysis, scoring, GitHub App token generation, label management, and idempotent comment upsert.
  • hyperfleet-risk-scorer-ref.yaml — step definition (credentials mount, env var defaults/docs, resources, timeouts).
  • OWNERS and hyperfleet-risk-scorer-ref.metadata.json — ownership/metadata.

• ci-operator/config/openshift-hyperfleet/

  • Added optional risk-scorer test job entries to the main pipeline configs for hyperfleet-adapter, hyperfleet-api, hyperfleet-broker, and hyperfleet-sentinel.

Security / operational notes

• The step requires the hyperfleet-ci-bot Vault secret to be available (expected to be synced to the test-credentials namespace and mounted into the job). The script uses the GitHub App private key to mint an installation token.
• The job is informational/labeling only (optional: true) and will not block merges.
• The GitHub App used must be installed on the openshift-hyperfleet org and have sufficient permissions to manage labels and comments.

Testing checklist

• Ensure Vault secret hyperfleet-ci-bot is synced to the CI namespace (test-credentials).
• Open a test PR in one of the four repos and trigger /test risk-scorer.
• Verify the correct risk label is applied and a score-breakdown comment is posted.
• Push a new commit and verify the comment is updated (not duplicated).
• Confirm the job remains optional and does not block merges.

[coderabbitai]

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

• @coderabbitai resume to resume automatic reviews.
• @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

• ▶️ Resume reviews
• 🔍 Trigger review

Walkthrough

Adds a new hyperfleet-risk-scorer step (script, step-registry ref, metadata, OWNERS) and wires optional risk-scorer Prow test jobs into four OpenShift Hyperfleet CI configs.

Changes

Risk scorer step and wiring

Layer / File(s)	Summary
Step implementation (script) ci-operator/step-registry/hyperfleet/risk-scorer/hyperfleet-risk-scorer-commands.sh	Bash script that computes a numeric PR risk from diff size, sensitive paths, and Go test coverage; idempotently ensures risk/* labels, removes prior risk/* labels, and upserts a PR comment with a score breakdown.
Step registry ref and metadata ci-operator/step-registry/hyperfleet/risk-scorer/hyperfleet-risk-scorer-ref.yaml, ci-operator/step-registry/hyperfleet/risk-scorer/hyperfleet-risk-scorer-ref.metadata.json	Adds hyperfleet-risk-scorer step-registry entry (command src, resources, credential mount, GitHub App env vars, timeout) and JSON metadata pointing to the ref and declaring owners.
OWNERS for the step ci-operator/step-registry/hyperfleet/risk-scorer/OWNERS	Defines explicit approvers and reviewers lists and sets options: {} for the step-registry path.
Prow job wiring in hyperfleet configs ci-operator/config/openshift-hyperfleet/*/openshift-hyperfleet-*-main.yaml	In four hyperfleet prow config files (adapter, api, broker, sentinel) adds an optional tests job entry as: risk-scorer that references hyperfleet-risk-scorer.

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

Suggested labels

lgtm, rehearsals-ack, jira/valid-reference

🚥 Pre-merge checks | ✅ 11 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (11 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately describes the main change: adding a PR risk scoring presubmit job to the HyperFleet projects, which is the core objective of this changeset.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names	✅ Passed	PR contains no Ginkgo tests. It adds CI configuration and bash tooling. The test job name 'risk-scorer' is stable with no dynamic elements. Check not applicable.
Test Structure And Quality	✅ Passed	Custom check for Ginkgo test structure is not applicable. PR adds CI/operator config and bash script implementation only—no Go test files or Ginkgo code present.
Microshift Test Compatibility	✅ Passed	PR does not add Ginkgo e2e tests or Kubernetes test code. It adds CI infrastructure (YAML configs, shell script, metadata) for PR risk scoring. Custom check is not applicable.
Single Node Openshift (Sno) Test Compatibility	✅ Passed	This PR adds only CI/CD infrastructure (Prow configs, step-registry code) with no Ginkgo e2e tests. SNO compatibility check not applicable.
Topology-Aware Scheduling Compatibility	✅ Passed	PR adds only CI/CD infrastructure (Prow jobs and CI step-registry), not production manifests or operator code. Check is not applicable.
Ote Binary Stdout Contract	✅ Passed	Check is not applicable. PR adds only CI/operator configuration (YAML, JSON, OWNERS) and a Bash workflow script—no Go test code present that could violate the OTE Binary Stdout Contract.
Ipv6 And Disconnected Network Test Compatibility	✅ Passed	This PR does not add any Ginkgo e2e tests. It adds CI configuration and a bash script for PR risk scoring. The custom check is specifically for Ginkgo e2e tests and is not applicable here.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

Tip

💬 Introducing Slack Agent: The best way for teams to turn conversations into code.

Slack Agent is built on CodeRabbit's deep understanding of your code, so your team can collaborate across the entire SDLC without losing context.

• Generate code and open pull requests
• Plan features and break down work
• Investigate incidents and troubleshoot customer tickets together
• Automate recurring tasks and respond to alerts with triggers
• Summarize progress and report instantly

Built for teams:

• Shared memory across your entire org—no repeating context
• Per-thread sandboxes to safely plan and execute work
• Governance built-in—scoped access, auditability, and budget controls

One agent for your entire SDLC. Right inside Slack.

👉 Get started

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: rafabene

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• ci-operator/config/openshift-hyperfleet/hyperfleet-adapter/OWNERS [rafabene]
• ci-operator/config/openshift-hyperfleet/hyperfleet-api/OWNERS [rafabene]
• ci-operator/config/openshift-hyperfleet/hyperfleet-broker/OWNERS [rafabene]
• ci-operator/config/openshift-hyperfleet/hyperfleet-sentinel/OWNERS [rafabene]
• ci-operator/jobs/openshift-hyperfleet/hyperfleet-adapter/OWNERS [rafabene]
• ci-operator/jobs/openshift-hyperfleet/hyperfleet-api/OWNERS [rafabene]
• ci-operator/jobs/openshift-hyperfleet/hyperfleet-broker/OWNERS [rafabene]
• ci-operator/jobs/openshift-hyperfleet/hyperfleet-sentinel/OWNERS [rafabene]
• ci-operator/step-registry/hyperfleet/OWNERS [rafabene]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[rafabene]

/pj-rehearse auto-ack

[openshift-merge-bot]

@rafabene: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (3)

ci-operator/step-registry/hyperfleet/risk-scorer/hyperfleet-risk-scorer-commands.sh (3)

56-56: ⚡ Quick win

YAML parsing with sed is fragile.

The sed command assumes specific YAML formatting and doesn't handle comments, varied indentation, or complex YAML structures. A malformed or unconventional .risk-config.yaml could cause silent failures or incorrect parsing.

Consider using yq for robust YAML parsing:

♻️ Alternative implementation with yq

 if [ -f .risk-config.yaml ]; then
-    CUSTOM=$(sed -n '/^sensitive_paths:/,/^[^ ]/{ /^  - /s/^  - //p }' .risk-config.yaml | tr '\n' ' ')
+    CUSTOM=$(yq eval '.sensitive_paths[]' .risk-config.yaml 2>/dev/null | tr '\n' ' ')
     [ -n "${CUSTOM}" ] && SENSITIVE_PATHS="${CUSTOM}"
 fi

Note: Verify that yq is available in the src container image, or fall back to the current sed approach with a comment acknowledging the limitation.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In
`@ci-operator/step-registry/hyperfleet/risk-scorer/hyperfleet-risk-scorer-commands.sh`
at line 56, The sed-based extraction assigned to CUSTOM (the line setting
CUSTOM=$(sed -n '/^sensitive_paths:/,/^[^ ]/{ /^  - /s/^  - //p }'
.risk-config.yaml | tr '\n' ' ')) is fragile for YAML; replace it with a robust
yq-based parse to read the sensitive_paths array from .risk-config.yaml (e.g.,
using yq to extract .sensitive_paths[] and join with spaces) and fall back to
the original sed command only if yq is not available, adding a comment that
explains the fallback and the limitation; ensure the new logic preserves the
same final format (space-separated values in CUSTOM) and references the CUSTOM
variable and .risk-config.yaml so reviewers can find the change.

---

119-119: 💤 Low value

Consider using parameter expansion instead of sed.

Shellcheck SC2001 suggests a simpler alternative that doesn't require a subprocess.

♻️ Use parameter expansion

-        encoded=$(echo "${old}" | sed 's|/|%2F|g')
+        encoded="${old//\//%2F}"

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In
`@ci-operator/step-registry/hyperfleet/risk-scorer/hyperfleet-risk-scorer-commands.sh`
at line 119, Replace the sed subprocess used to percent-encode slashes with
shell parameter expansion: instead of running sed on the variable old, assign
encoded by expanding old with a global replacement of "/" to "%2F" (use the
${old//\//%2F} style) so you avoid spawning an external process; update the
assignment that currently sets encoded from the sed command accordingly.

---

34-36: ⚡ Quick win

Consider validating PULL_BASE_SHA before use.

While PULL_BASE_SHA should be present in PR contexts, adding an explicit check would make the script more defensive against unexpected CI environments.

🛡️ Add validation

+if [ -z "${PULL_BASE_SHA:-}" ]; then
+    echo "ERROR: PULL_BASE_SHA not set."
+    exit 1
+fi
+
 DIFF_FILES=$(git diff --name-only "${PULL_BASE_SHA}..HEAD" || true)

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In
`@ci-operator/step-registry/hyperfleet/risk-scorer/hyperfleet-risk-scorer-commands.sh`
around lines 34 - 36, The script uses PULL_BASE_SHA to compute DIFF_FILES and
LINES_CHANGED but doesn't validate it; add a guard that checks if the
PULL_BASE_SHA variable is unset or empty before running git commands (reference
PULL_BASE_SHA, DIFF_FILES, LINES_CHANGED), and if missing print a clear error
message to stderr and exit with a non-zero status (or set safe defaults and
continue if that behavior is preferred) so the git diff invocations are not run
with an invalid SHA.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In
`@ci-operator/step-registry/hyperfleet/risk-scorer/hyperfleet-risk-scorer-commands.sh`:
- Line 61: The current conditional uses grep "^${path}" which treats ${path} as
a regex and can mis-match paths containing regex metacharacters; update the
check so ${path} is matched literally and still anchored to the start of each
DIFF_FILES line (e.g., use grep -F with an anchored start or iterate lines and
use shell prefix matching). Specifically, change the if that references
DIFF_FILES and path to perform a literal, prefix-only match (examples: pipe
DIFF_FILES through grep -F and then filter for lines starting with the literal
path, or read DIFF_FILES line-by-line and use [[ "$file" == "${path}"* ]] to
detect a prefix) so sensitive paths from .risk-config.yaml are not interpreted
as regexes.

---

Nitpick comments:
In
`@ci-operator/step-registry/hyperfleet/risk-scorer/hyperfleet-risk-scorer-commands.sh`:
- Line 56: The sed-based extraction assigned to CUSTOM (the line setting
CUSTOM=$(sed -n '/^sensitive_paths:/,/^[^ ]/{ /^  - /s/^  - //p }'
.risk-config.yaml | tr '\n' ' ')) is fragile for YAML; replace it with a robust
yq-based parse to read the sensitive_paths array from .risk-config.yaml (e.g.,
using yq to extract .sensitive_paths[] and join with spaces) and fall back to
the original sed command only if yq is not available, adding a comment that
explains the fallback and the limitation; ensure the new logic preserves the
same final format (space-separated values in CUSTOM) and references the CUSTOM
variable and .risk-config.yaml so reviewers can find the change.
- Line 119: Replace the sed subprocess used to percent-encode slashes with shell
parameter expansion: instead of running sed on the variable old, assign encoded
by expanding old with a global replacement of "/" to "%2F" (use the
${old//\//%2F} style) so you avoid spawning an external process; update the
assignment that currently sets encoded from the sed command accordingly.
- Around line 34-36: The script uses PULL_BASE_SHA to compute DIFF_FILES and
LINES_CHANGED but doesn't validate it; add a guard that checks if the
PULL_BASE_SHA variable is unset or empty before running git commands (reference
PULL_BASE_SHA, DIFF_FILES, LINES_CHANGED), and if missing print a clear error
message to stderr and exit with a non-zero status (or set safe defaults and
continue if that behavior is preferred) so the git diff invocations are not run
with an invalid SHA.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: c00a1bc2-5c27-4451-a570-2cd4978ab5d1

📥 Commits

Reviewing files that changed from the base of the PR and between e0d0aa9 and add5b0b.

⛔ Files ignored due to path filters (4)

• ci-operator/jobs/openshift-hyperfleet/hyperfleet-adapter/openshift-hyperfleet-hyperfleet-adapter-main-presubmits.yaml is excluded by !ci-operator/jobs/**
• ci-operator/jobs/openshift-hyperfleet/hyperfleet-api/openshift-hyperfleet-hyperfleet-api-main-presubmits.yaml is excluded by !ci-operator/jobs/**
• ci-operator/jobs/openshift-hyperfleet/hyperfleet-broker/openshift-hyperfleet-hyperfleet-broker-main-presubmits.yaml is excluded by !ci-operator/jobs/**
• ci-operator/jobs/openshift-hyperfleet/hyperfleet-sentinel/openshift-hyperfleet-hyperfleet-sentinel-main-presubmits.yaml is excluded by !ci-operator/jobs/**

📒 Files selected for processing (8)

• ci-operator/config/openshift-hyperfleet/hyperfleet-adapter/openshift-hyperfleet-hyperfleet-adapter-main.yaml
• ci-operator/config/openshift-hyperfleet/hyperfleet-api/openshift-hyperfleet-hyperfleet-api-main.yaml
• ci-operator/config/openshift-hyperfleet/hyperfleet-broker/openshift-hyperfleet-hyperfleet-broker-main.yaml
• ci-operator/config/openshift-hyperfleet/hyperfleet-sentinel/openshift-hyperfleet-hyperfleet-sentinel-main.yaml
• ci-operator/step-registry/hyperfleet/risk-scorer/OWNERS
• ci-operator/step-registry/hyperfleet/risk-scorer/hyperfleet-risk-scorer-commands.sh
• ci-operator/step-registry/hyperfleet/risk-scorer/hyperfleet-risk-scorer-ref.metadata.json
• ci-operator/step-registry/hyperfleet/risk-scorer/hyperfleet-risk-scorer-ref.yaml

[coderabbitai]

Actionable comments posted: 3

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In
`@ci-operator/config/openshift-hyperfleet/hyperfleet-sentinel/openshift-hyperfleet-hyperfleet-sentinel-main.yaml`:
- Around line 40-44: The new tests entry (as: risk-scorer / ref:
hyperfleet-risk-scorer) was added only to ci-operator config and you must run
the generator to produce the corresponding Prow job; run the repository job-gen
step (make update) to regenerate ci-operator/jobs and prow configs, verify the
generated presubmit for the risk-scorer ref appears under ci-operator/jobs and
jobs/... , and commit those generated files alongside your changed
openshift-hyperfleet-hyperfleet-sentinel-main.yaml so the new presubmit is
actually wired up.

In
`@ci-operator/step-registry/hyperfleet/risk-scorer/hyperfleet-risk-scorer-commands.sh`:
- Around line 22-28: The script enables xtrace via "$WAS_TRACING && set -x" that
may run before the authenticated GitHub token is printed; to avoid leaking
GITHUB_TOKEN, ensure tracing is disabled around the token request: before the
curl that builds GITHUB_TOKEN (which uses JWT and GITHUB_APP_INSTALLATION_ID),
save the current tracing state, run the curl with tracing off (or wrap the
authenticated block with set +x), then restore the original tracing state only
after the last authenticated request; specifically modify the section that
defines GITHUB_TOKEN so tracing is disabled during the python/json token
extraction and only restored afterwards.
- Around line 132-133: The lookup for EXISTING_COMMENT_ID only checks the first
page of comments and can miss the marker on busy PRs; change the logic that uses
curl + python3 to page through issue comments (use the API params per_page and
page, or request sorted by updated with sort=updated) until a comment containing
${COMMENT_MARKER} is found or no more pages remain, then set EXISTING_COMMENT_ID
to that comment's id (refer to the existing variables AUTH, API, PULL_NUMBER,
COMMENT_MARKER and the EXISTING_COMMENT_ID assignment). Implement a loop that
increments the page number, breaks when the marker is located, and falls back to
empty string if not found to preserve idempotence.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 94be7e51-e878-4515-b662-b778f43289d0

📥 Commits

Reviewing files that changed from the base of the PR and between add5b0b and 7079a48.

⛔ Files ignored due to path filters (4)

• ci-operator/jobs/openshift-hyperfleet/hyperfleet-adapter/openshift-hyperfleet-hyperfleet-adapter-main-presubmits.yaml is excluded by !ci-operator/jobs/**
• ci-operator/jobs/openshift-hyperfleet/hyperfleet-api/openshift-hyperfleet-hyperfleet-api-main-presubmits.yaml is excluded by !ci-operator/jobs/**
• ci-operator/jobs/openshift-hyperfleet/hyperfleet-broker/openshift-hyperfleet-hyperfleet-broker-main-presubmits.yaml is excluded by !ci-operator/jobs/**
• ci-operator/jobs/openshift-hyperfleet/hyperfleet-sentinel/openshift-hyperfleet-hyperfleet-sentinel-main-presubmits.yaml is excluded by !ci-operator/jobs/**

📒 Files selected for processing (8)

• ci-operator/config/openshift-hyperfleet/hyperfleet-adapter/openshift-hyperfleet-hyperfleet-adapter-main.yaml
• ci-operator/config/openshift-hyperfleet/hyperfleet-api/openshift-hyperfleet-hyperfleet-api-main.yaml
• ci-operator/config/openshift-hyperfleet/hyperfleet-broker/openshift-hyperfleet-hyperfleet-broker-main.yaml
• ci-operator/config/openshift-hyperfleet/hyperfleet-sentinel/openshift-hyperfleet-hyperfleet-sentinel-main.yaml
• ci-operator/step-registry/hyperfleet/risk-scorer/OWNERS
• ci-operator/step-registry/hyperfleet/risk-scorer/hyperfleet-risk-scorer-commands.sh
• ci-operator/step-registry/hyperfleet/risk-scorer/hyperfleet-risk-scorer-ref.metadata.json
• ci-operator/step-registry/hyperfleet/risk-scorer/hyperfleet-risk-scorer-ref.yaml

✅ Files skipped from review due to trivial changes (2)

• ci-operator/step-registry/hyperfleet/risk-scorer/OWNERS
• ci-operator/step-registry/hyperfleet/risk-scorer/hyperfleet-risk-scorer-ref.metadata.json

🚧 Files skipped from review as they are similar to previous changes (4)

• ci-operator/config/openshift-hyperfleet/hyperfleet-adapter/openshift-hyperfleet-hyperfleet-adapter-main.yaml
• ci-operator/config/openshift-hyperfleet/hyperfleet-broker/openshift-hyperfleet-hyperfleet-broker-main.yaml
• ci-operator/config/openshift-hyperfleet/hyperfleet-api/openshift-hyperfleet-hyperfleet-api-main.yaml
• ci-operator/step-registry/hyperfleet/risk-scorer/hyperfleet-risk-scorer-ref.yaml

[coderabbitai]

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Run make update and commit the generated Prow configs.

This tests entry alone does not register a new presubmit in Prow; I don’t see the corresponding generated ci-operator/jobs/... updates in the supplied diff. Without those generated files, the new risk-scorer job won’t actually be wired up.

As per coding guidelines, ci-operator/config/**/*.yaml: "For CI configuration, edit files in ci-operator/config/<org>/<repo>/ and run make update to generate downstream Prow job configs".

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In
`@ci-operator/config/openshift-hyperfleet/hyperfleet-sentinel/openshift-hyperfleet-hyperfleet-sentinel-main.yaml`
around lines 40 - 44, The new tests entry (as: risk-scorer / ref:
hyperfleet-risk-scorer) was added only to ci-operator config and you must run
the generator to produce the corresponding Prow job; run the repository job-gen
step (make update) to regenerate ci-operator/jobs and prow configs, verify the
generated presubmit for the risk-scorer ref appears under ci-operator/jobs and
jobs/... , and commit those generated files alongside your changed
openshift-hyperfleet-hyperfleet-sentinel-main.yaml so the new presubmit is
actually wired up.

[rafabene]

/pj-rehearse auto-ack

[openshift-merge-bot]

@rafabene: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

[rafabene]

/pj-rehearse auto-ack

[openshift-merge-bot]

@rafabene: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (1)

ci-operator/step-registry/hyperfleet/risk-scorer/hyperfleet-risk-scorer-commands.sh (1)

123-123: 💤 Low value

Use shell parameter expansion instead of sed.

Static analysis suggests using ${variable//search/replace} for this simple substitution.

♻️ Proposed refactor

-        encoded=$(echo "${old}" | sed 's|/|%2F|g')
+        encoded="${old//\//%2F}"

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In
`@ci-operator/step-registry/hyperfleet/risk-scorer/hyperfleet-risk-scorer-commands.sh`
at line 123, Replace the sed-based substitution that sets encoded from old with
shell parameter expansion: perform a global replacement of '/' with '%2F' on the
variable old when assigning encoded (remove the echo|sed pipeline and use
POSIX/bash parameter expansion on variable old instead); update the assignment
that currently references encoded and old accordingly.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In
`@ci-operator/step-registry/hyperfleet/risk-scorer/hyperfleet-risk-scorer-commands.sh`:
- Around line 39-42: The current fetch of PR_FILES only retrieves the first 100
files, causing DIFF_FILES and LINES_CHANGED to be incomplete for large PRs;
update the code that sets PR_FILES to paginate through the GitHub API (use
per_page=100 and iterate page=1..N or follow the Link header) and concatenate
results into a single JSON array before computing DIFF_FILES and LINES_CHANGED
so the python one-liners operate on the full file list; refer to PR_FILES,
DIFF_FILES, LINES_CHANGED, API, AUTH and PULL_NUMBER when implementing the
loop/aggregation and ensure the final PR_FILES variable contains the merged JSON
of all pages.

---

Nitpick comments:
In
`@ci-operator/step-registry/hyperfleet/risk-scorer/hyperfleet-risk-scorer-commands.sh`:
- Line 123: Replace the sed-based substitution that sets encoded from old with
shell parameter expansion: perform a global replacement of '/' with '%2F' on the
variable old when assigning encoded (remove the echo|sed pipeline and use
POSIX/bash parameter expansion on variable old instead); update the assignment
that currently references encoded and old accordingly.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: e9b806e3-d52b-4b4b-a142-1ac27a69f6f7

📥 Commits

Reviewing files that changed from the base of the PR and between 7079a48 and 26f1693.

⛔ Files ignored due to path filters (4)

• ci-operator/jobs/openshift-hyperfleet/hyperfleet-adapter/openshift-hyperfleet-hyperfleet-adapter-main-presubmits.yaml is excluded by !ci-operator/jobs/**
• ci-operator/jobs/openshift-hyperfleet/hyperfleet-api/openshift-hyperfleet-hyperfleet-api-main-presubmits.yaml is excluded by !ci-operator/jobs/**
• ci-operator/jobs/openshift-hyperfleet/hyperfleet-broker/openshift-hyperfleet-hyperfleet-broker-main-presubmits.yaml is excluded by !ci-operator/jobs/**
• ci-operator/jobs/openshift-hyperfleet/hyperfleet-sentinel/openshift-hyperfleet-hyperfleet-sentinel-main-presubmits.yaml is excluded by !ci-operator/jobs/**

📒 Files selected for processing (8)

• ci-operator/config/openshift-hyperfleet/hyperfleet-adapter/openshift-hyperfleet-hyperfleet-adapter-main.yaml
• ci-operator/config/openshift-hyperfleet/hyperfleet-api/openshift-hyperfleet-hyperfleet-api-main.yaml
• ci-operator/config/openshift-hyperfleet/hyperfleet-broker/openshift-hyperfleet-hyperfleet-broker-main.yaml
• ci-operator/config/openshift-hyperfleet/hyperfleet-sentinel/openshift-hyperfleet-hyperfleet-sentinel-main.yaml
• ci-operator/step-registry/hyperfleet/risk-scorer/OWNERS
• ci-operator/step-registry/hyperfleet/risk-scorer/hyperfleet-risk-scorer-commands.sh
• ci-operator/step-registry/hyperfleet/risk-scorer/hyperfleet-risk-scorer-ref.metadata.json
• ci-operator/step-registry/hyperfleet/risk-scorer/hyperfleet-risk-scorer-ref.yaml

✅ Files skipped from review due to trivial changes (1)

• ci-operator/step-registry/hyperfleet/risk-scorer/hyperfleet-risk-scorer-ref.metadata.json

🚧 Files skipped from review as they are similar to previous changes (3)

• ci-operator/step-registry/hyperfleet/risk-scorer/hyperfleet-risk-scorer-ref.yaml
• ci-operator/config/openshift-hyperfleet/hyperfleet-broker/openshift-hyperfleet-hyperfleet-broker-main.yaml
• ci-operator/step-registry/hyperfleet/risk-scorer/OWNERS

[rafabene]

/pj-rehearse auto-ack

[openshift-merge-bot]

@rafabene: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

[openshift-merge-bot]

[REHEARSALNOTIFIER]
@rafabene: the pj-rehearse plugin accommodates running rehearsal tests for the changes in this PR. Expand 'Interacting with pj-rehearse' for usage details. The following rehearsable tests have been affected by this change:

Test name	Repo	Type	Reason
pull-ci-openshift-hyperfleet-hyperfleet-broker-main-risk-scorer	openshift-hyperfleet/hyperfleet-broker	presubmit	Presubmit changed
pull-ci-openshift-hyperfleet-hyperfleet-sentinel-main-risk-scorer	openshift-hyperfleet/hyperfleet-sentinel	presubmit	Presubmit changed
pull-ci-openshift-hyperfleet-hyperfleet-api-main-risk-scorer	openshift-hyperfleet/hyperfleet-api	presubmit	Presubmit changed
pull-ci-openshift-hyperfleet-hyperfleet-adapter-main-risk-scorer	openshift-hyperfleet/hyperfleet-adapter	presubmit	Presubmit changed

Interacting with pj-rehearse

Comment: /pj-rehearse to run up to 5 rehearsals
Comment: /pj-rehearse skip to opt-out of rehearsals
Comment: /pj-rehearse {test-name}, with each test separated by a space, to run one or more specific rehearsals
Comment: /pj-rehearse more to run up to 10 rehearsals
Comment: /pj-rehearse max to run up to 25 rehearsals
Comment: /pj-rehearse auto-ack to run up to 5 rehearsals, and add the rehearsals-ack label on success
Comment: /pj-rehearse list to get an up-to-date list of affected jobs
Comment: /pj-rehearse abort to abort all active rehearsals
Comment: /pj-rehearse network-access-allowed to allow rehearsals of tests that have the restrict_network_access field set to false. This must be executed by an openshift org member who is not the PR author

Once you are satisfied with the results of the rehearsals, comment: /pj-rehearse ack to unblock merge. When the rehearsals-ack label is present on your PR, merge will no longer be blocked by rehearsals.
If you would like the rehearsals-ack label removed, comment: /pj-rehearse reject to re-block merging.

[rafabene]

/pj-rehearse auto-ack

[openshift-merge-bot]

@rafabene: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

[openshift-ci]

@rafabene: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.