feat: onboard Notebooks to CVE fixer workflow #116
Add Notebooks to component-repository-mappings.json with 3 repos:
- opendatahub-io/notebooks (upstream)
- mtchoum1/notebooks (midstream)
- red-hat-data-services/notebooks (downstream, active: rhoai-2.25, rhoai-3.3)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Walkthrough
Added a new top-level "Notebooks" component mapping to workflows/cve-fixer/component-repository-mappings.json (one repository entry with type midstream, default_branch main, active_branches ["rhoai-2.25","rhoai-3.3"]) and updated metadata.last_updated to 2026-04-22.
Changes
Component Repository Configuration
Actionable comments posted: 2
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In `@workflows/cve-fixer/component-repository-mappings.json`:
- Around line 605-610: The midstream entry currently references the personal
fork "https://github.com/mtchoum1/notebooks"; replace that URL with the
organization-owned repo (e.g., "https://github.com/opendatahub-io/notebooks") if
that is the authoritative midstream, or remove this midstream object entirely
from component-repository-mappings.json if Notebooks has no midstream, ensuring
you do not create a duplicate entry pointing to the same URL as the upstream.
- Around line 597-620: Add an optional "notes" field to the "Notebooks"
component mapping to document that omission of "containers" and "subcomponent"
is intentional during onboarding; update the "Notebooks" object (the top-level
key "Notebooks" and its "repos" entries) to include a notes string such as
"Container images not yet registered" so maintainers see the intent without
changing behavior relied on by cve.find.md and cve.fix.md.
ℹ️ Review info
⚙️ Run configuration
Configuration used: Organization UI
Review profile: ASSERTIVE
Plan: Pro Plus
Run ID: e5d9baa7-e255-41af-88ba-3ca01354f631
📒 Files selected for processing (1)
workflows/cve-fixer/component-repository-mappings.json
| "Notebooks": { | ||
| "repos": [ | ||
| { | ||
| "url": "https://github.com/opendatahub-io/notebooks", | ||
| "type": "upstream", | ||
| "default_branch": "main", | ||
| "active_branches": [] | ||
| }, | ||
| { | ||
| "url": "https://github.com/mtchoum1/notebooks", | ||
| "type": "midstream", | ||
| "default_branch": "main", | ||
| "active_branches": [] | ||
| }, | ||
| { | ||
| "url": "https://github.com/red-hat-data-services/notebooks", | ||
| "type": "downstream", | ||
| "default_branch": "main", | ||
| "active_branches": [ | ||
| "rhoai-2.25", | ||
| "rhoai-3.3" | ||
| ] | ||
| } | ||
| ] |
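Review bot: The midstream entry with "url": "https://github.com/mtchoum1/notebooks" is the only repo in this block outside the opendatahub-io and red-hat-data-services namespaces, and an automated CVE fixer that opens PRs against mapped repos should only target repositories the project controls. Confirm who owns that repository before merging, and either point the midstream entry at an organization-owned repo or drop it. It also carries an empty active_branches list, so it is worth stating what the entry is expected to contribute.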
🧹 Nitpick | 🔵 Trivial
🧩 Analysis chain
🏁 Script executed:
```bash
#!/bin/bash
# Confirm how the fixer behaves when containers/subcomponent are absent.
rg -nP -C3 '\.containers\[\]?|subcomponent' workflows/cve-fixer/.claude/commands/
```
Repository: ambient-code/workflows
Length of output: 6468
Missing containers and subcomponent are intentional at onboarding — consider adding a notes field for clarity.
The Notebooks repos are missing containers and subcomponent fields. Per onboard.md, this is an acceptable state: "If no containers discovered, omit the field (can be added later)." When a subcomponent filter is later requested, cve.find.md warns the user ("cve.fix.md safely falls back to processing all component repos.
While the system handles this gracefully, consider adding a notes field (e.g., "notes": "Container images not yet registered") to explicitly signal to future maintainers that this is intentional and documents when to revisit it.
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.
In `@workflows/cve-fixer/component-repository-mappings.json` around lines 597 -
620, Add an optional "notes" field to the "Notebooks" component mapping to
document that omission of "containers" and "subcomponent" is intentional during
onboarding; update the "Notebooks" object (the top-level key "Notebooks" and its
"repos" entries) to include a notes string such as "Container images not yet
registered" so maintainers see the intent without changing behavior relied on by
cve.find.md and cve.fix.md.
Update to reflect user-confirmed repository:
- https://github.com/mtchoum1/notebooks (midstream)
- Active branches: rhoai-2.25, rhoai-3.3

Co-Authored-By: Claude <noreply@anthropic.com>
atheo89 left a comment
I was browsing this repo and I saw your PR. Take a look at my suggestions, and ignore them in case you want to do experiments with your fork.
| "type": "midstream", | ||
| "default_branch": "main", | ||
| "active_branches": [ | ||
| "rhoai-2.25", |
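Review bot: "rhoai-2.25" is listed here under an entry whose "type" is "midstream", and the visible lines do not show which "url" that entry points at. Release branches belong on the repo entry that actually carries them, so confirm these branches exist in the midstream repository or move active_branches to a separate downstream entry.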
We have these branches on RHDS (downstream); maybe these should be in another block.
@mtchoum1 Please review the above when you get a chance. Once we have alignment with the community/component SMEs across teams, we can merge this in and help scale this out. Thanks for contributing!
Co-authored-by: aTheo <atheodorak@outlook.com>
Caution
Some comments are outside the diff and can’t be posted inline due to platform limitations.
⚠️ Outside diff range comments (1)
workflows/cve-fixer/component-repository-mappings.json (1)
597-609: ⚠️ Potential issue | 🔴 Critical
Fix Notebooks component mapping (wrong repo URL + missing upstream/downstream entries).
`workflows/cve-fixer/component-repository-mappings.json` currently maps Notebooks to only:
```json
"Notebooks": {
  "repos": [
    {
      "url": "https://github.com/opendatahub/notebooks",
      "type": "midstream",
      "default_branch": "main",
      "active_branches": [
        "rhoai-2.25",
        "rhoai-3.3"
      ]
    }
  ]
}
```
Major issues:
- `https://github.com/opendatahub/notebooks` does not exist (404), so this mapping can’t be used by the CVE fixer.
- `red-hat-data-services/notebooks` does exist, and branches `rhoai-2.25`/`rhoai-3.3` exist there, but that downstream repo is missing from the mapping.
- `opendatahub-io/notebooks` does exist, but it is also missing from the mapping (so the upstream side is incomplete).

Required actions:
- Replace the invalid `opendatahub/notebooks` entry with the correct upstream/downstream repo entries.
- Move `rhoai-2.25` and `rhoai-3.3` to the `red-hat-data-services/notebooks` (downstream) entry.
- Only keep a midstream entry if it points to a real repository; otherwise remove/replace it with the intended fork URL.
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@workflows/cve-fixer/component-repository-mappings.json` around lines 597 - 609, The "Notebooks" mapping currently points to the non-existent URL "https://github.com/opendatahub/notebooks"; replace that entry by adding three correct repo objects in the "Notebooks" -> "repos" array: an upstream entry for "https://github.com/opendatahub-io/notebooks" (type: "upstream"), a downstream entry for "https://github.com/red-hat-data-services/notebooks" (type: "downstream") which must include the active_branches ["rhoai-2.25","rhoai-3.3"] and the appropriate default_branch, and only include a "midstream" entry if there is a valid midstream fork URL to point at (otherwise remove the invalid midstream object referencing opendatahub/notebooks); ensure each repo object uses the same keys as other mappings ("url","type","default_branch","active_branches") so the CVE fixer can resolve upstream/downstream correctly.
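The structural checks raised in this review can be run offline against a mapping before merge. The following is an added example, not code from the PR or the cve-fixer project; `TRUSTED_OWNERS` and the rule that a component needs both an upstream and a downstream entry are assumptions, and whether a URL actually resolves (the 404 case) needs a network call and is left out.

```python
from urllib.parse import urlparse
# Assumptions (not from the project): owners allowed to receive automated fix
# PRs, and the rule that a component needs an upstream and a downstream entry.
TRUSTED_OWNERS = {"opendatahub-io", "red-hat-data-services"}
REQUIRED_KEYS = {"url", "type", "default_branch", "active_branches"}
VALID_TYPES = {"upstream", "midstream", "downstream"}

def lint_component(name, component):
    """Return human-readable findings for one component mapping (offline checks only)."""
    findings, seen_urls, seen_types = [], set(), set()
    for i, repo in enumerate(component.get("repos", [])):
        where = f"{name}.repos[{i}]"
        missing = REQUIRED_KEYS - repo.keys()
        if missing:
            findings.append(f"{where}: missing keys {sorted(missing)}")
            continue
        url = urlparse(repo["url"])
        parts = url.path.strip("/").split("/")
        if url.scheme != "https" or url.netloc != "github.com" or len(parts) != 2:
            findings.append(f"{where}: expected https://github.com/<owner>/<repo>")
            continue
        if parts[0] not in TRUSTED_OWNERS:
            findings.append(f"{where}: owner '{parts[0]}' is not a trusted organization")
        if repo["type"] not in VALID_TYPES:
            findings.append(f"{where}: unknown type '{repo['type']}'")
        if repo["url"] in seen_urls:
            findings.append(f"{where}: duplicate url {repo['url']}")
        seen_urls.add(repo["url"])
        seen_types.add(repo["type"])
    for needed in ("upstream", "downstream"):
        if needed not in seen_types:
            findings.append(f"{name}: no {needed} entry")
    return findings

def _repo(url, kind, branches=()):
    return {"url": url, "type": kind, "default_branch": "main", "active_branches": list(branches)}

# The two "Notebooks" revisions quoted in the thread, re-typed as sample input.
FIRST_REVISION = {"repos": [
    _repo("https://github.com/opendatahub-io/notebooks", "upstream"),
    _repo("https://github.com/mtchoum1/notebooks", "midstream"),
    _repo("https://github.com/red-hat-data-services/notebooks", "downstream", ["rhoai-2.25", "rhoai-3.3"]),
]}
LATER_REVISION = {"repos": [
    _repo("https://github.com/opendatahub/notebooks", "midstream", ["rhoai-2.25", "rhoai-3.3"]),
]}
if __name__ == "__main__":
    for label, rev in (("first", FIRST_REVISION), ("later", LATER_REVISION)):
        print(label, lint_component("Notebooks", rev))
```

Run as a pre-merge check, a non-empty findings list for any component would fail the job, so an untrusted owner or a missing downstream entry is caught before the fixer ever targets it.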
Component Onboarding: Notebooks
Jira Component
Name: Notebooks (ID: 49589, redhat.atlassian.net)
Repositories Added
Generated Guidance
.cve-fix/examples.md stubs are ready for each repo. Separate PRs will be opened to each component repo. Repos have no CVE PR history yet — run /guidance.update after more CVE fixes are merged to improve guidance quality.
Next Steps for Reviewers
Notebooks)
🤖 Generated by /onboard