ROSA-745: fix branch-protection for three SREP repos

[MitaliBhalla]

Summary

First in a series of ROSA-745 branch-protection updates (docs).

• managed-cluster-validating-webhooks: require primary Konflux PR check (replaces empty/misaligned branch protection).
• managed-cluster-config: require ci/prow/checklinks-pr and ci/prow/pr-check on master (explicit prow gates for dep auto-merge).
• aws-vpce-operator: protect main (default branch; was master) and require Konflux aws-vpce-operator-on-pull-request.

Complements DPP work on repo settings (auto-merge, merge commits). Does not require enterprise-contract, pr-group, e2e, or pko Konflux jobs.

Test plan

• After merge, periodic-branch-protector-openshift-org reconciles branch protection (~6h).
• On each repo, open or use a dependency PR and confirm required checks match the contexts above (+ prow auto-required jobs where applicable).
• Confirm tide can merge dep PRs with lgtm + approved when required checks are green.

Related

• ROSA-745 / SREP-4016 (MCWV), ROSAENG-765 (aws-vpce), ROSAENG-762 (mcc)
• Follow-up PR: Konflux contexts for remaining Phase 1/2 operators

Made with Cursor

Summary by CodeRabbit

This PR updates branch protection configuration for three OpenShift repositories to enforce required CI checks:

aws-vpce-operator: Shifted branch protection from the legacy master branch to the current default main branch, adding a requirement for the Konflux aws-vpce-operator-on-pull-request check to pass on pull requests.

managed-cluster-config: Expanded the required status checks on the master branch to include both ci/prow/checklinks-pr and ci/prow/pr-check, enabling dependency auto-merge workflows (via tide) when all checks pass and the PR is approved.

managed-cluster-validating-webhooks: Replaced a placeholder branch protection configuration with an explicit rule requiring the Konflux managed-cluster-validating-webhooks-on-pull-request check on the master branch.

These changes align branch protection policies with the repositories' current CI pipelines and support automated dependency management for the SREP infrastructure.

[openshift-ci-robot]

@MitaliBhalla: This pull request references ROSA-745 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the initiative to target the "5.0.0" version, but no target version was set.

Details

In response to this:

Summary

First in a series of ROSA-745 branch-protection updates (docs).

• managed-cluster-validating-webhooks: require primary Konflux PR check (replaces empty/misaligned branch protection).
• managed-cluster-config: require ci/prow/checklinks-pr and ci/prow/pr-check on master (explicit prow gates for dep auto-merge).
• aws-vpce-operator: protect main (default branch; was master) and require Konflux aws-vpce-operator-on-pull-request.

Complements DPP work on repo settings (auto-merge, merge commits). Does not require enterprise-contract, pr-group, e2e, or pko Konflux jobs.

Test plan

• After merge, periodic-branch-protector-openshift-org reconciles branch protection (~6h).
• On each repo, open or use a dependency PR and confirm required checks match the contexts above (+ prow auto-required jobs where applicable).
• Confirm tide can merge dep PRs with lgtm + approved when required checks are green.

Related

• ROSA-745 / SREP-4016 (MCWV), ROSAENG-765 (aws-vpce), ROSAENG-762 (mcc)
• Follow-up PR: Konflux contexts for remaining Phase 1/2 operators

Made with Cursor

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[coderabbitai]

Walkthrough

This PR updates Prow branch protection configurations across three OpenShift repositories: migrating aws-vpce-operator to protect the main branch with Konflux checks, adding Konflux protection to managed-cluster-validating-webhooks, and expanding validation contexts in managed-cluster-config to include link checking.

Changes

Branch Protection Configuration Updates

Layer / File(s)	Summary
Konflux status check integration core-services/prow/02_config/openshift/aws-vpce-operator/_prowconfig.yaml, core-services/prow/02_config/openshift/managed-cluster-validating-webhooks/_prowconfig.yaml	aws-vpce-operator switches branch protection target from master to main with Konflux status context, and managed-cluster-validating-webhooks adds explicit master branch protection with Konflux required checks.
Validation context expansion core-services/prow/02_config/openshift/managed-cluster-config/_prowconfig.yaml	managed-cluster-config expands required status checks on the master branch from ci/prow/pr-check alone to include both ci/prow/checklinks-pr and ci/prow/pr-check.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

Suggested labels

lgtm, approved

Suggested reviewers

• tnierman
• Mhodesty

🚥 Pre-merge checks | ✅ 15

✅ Passed checks (15 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title accurately describes the main change: fixing branch-protection configurations for three SREP repositories (aws-vpce-operator, managed-cluster-config, and managed-cluster-validating-webhooks).
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names	✅ Passed	PR modifies only Prow branch protection YAML configuration files. No Ginkgo test files are present, so the test name stability check is not applicable.
Test Structure And Quality	✅ Passed	PR modifies only Prow configuration files (YAML), not Ginkgo test code. The check requires reviewing test structure/quality, which is not applicable to configuration-only changes.
Microshift Test Compatibility	✅ Passed	PR only modifies Prow YAML configuration files; no Ginkgo e2e tests (It(), Describe(), Context(), When()) are added or modified. MicroShift compatibility check does not apply.
Single Node Openshift (Sno) Test Compatibility	✅ Passed	PR only modifies Prow configuration files; no new Ginkgo e2e tests are added. SNO compatibility check does not apply.
Topology-Aware Scheduling Compatibility	✅ Passed	Changes are Prow CI configuration files only. No deployment manifests, operator code, or controllers with scheduling constraints are modified.
Ote Binary Stdout Contract	✅ Passed	PR modifies only Prow branch-protection YAML configs; no OTE binaries, Go code, or stdout writes are present. Check is not applicable.
Ipv6 And Disconnected Network Test Compatibility	✅ Passed	No Ginkgo e2e tests are present in this PR. Changes are Prow configuration files only, not test code. Check does not apply.
No-Weak-Crypto	✅ Passed	PR modifies only YAML configuration files for Prow branch protection settings; no code, cryptographic algorithms, or security-sensitive implementations present.
Container-Privileges	✅ Passed	The PR modifies only Prow configuration files with branch-protection and tide settings. No container specs or security context definitions present; check does not apply.
No-Sensitive-Data-In-Logs	✅ Passed	PR modifies only Prow configuration YAML files with no logging statements, executable code, or sensitive data exposure. Changes define CI job context identifiers and branch protection rules.
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: MitaliBhalla
Once this PR has been reviewed and has the lgtm label, please assign rafael-azevedo for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• core-services/prow/02_config/openshift/aws-vpce-operator/OWNERS
• core-services/prow/02_config/openshift/managed-cluster-config/OWNERS
• core-services/prow/02_config/openshift/managed-cluster-validating-webhooks/OWNERS [MitaliBhalla]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[openshift-merge-bot]

[REHEARSALNOTIFIER]
@MitaliBhalla: no rehearsable tests are affected by this change

Note: If this PR includes changes to step registry files (ci-operator/step-registry/) and you expected jobs to be found, try rebasing your PR onto the base branch. This helps pj-rehearse accurately detect changes when the base branch has moved forward.

[openshift-ci]

@MitaliBhalla: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.