chore(SREP-4482, SREP-4486, SREP-4800: Boilerplate Update for Agentic SDLC Rollout)

[charlesgong]

What type of PR is this?
boilerplate

What this PR does / why we need it?
This PR moves the changes introduced in boilerplate for Agentic SDLC Rollout into MVP for ocm-agent-operator.
Related BP MRs

• SREP-4482: Update golangci-lint configuration with enhanced linters boilerplate#716
• SREP-4484: Enable Codecov Enforcement boilerplate#720
• [SREP-4485] add pre-commit hooks to golang-osd-operator convention boilerplate#723

Which Jira/Github issue(s) this PR fixes?
Part of Rollout for Agentic SDLC -

• Lint -https://redhat.atlassian.net/browse/SREP-4482
• Pre-Commit Hook - https://redhat.atlassian.net/browse/SREP-4486
• CodeCov - https://redhat.atlassian.net/browse/SREP-4800

Special notes for your reviewer:
Pre-checks (if applicable):

• Tested latest changes against a cluster
• Ran make generate command locally to validate code changes
• Included documentation changes with PR

Summary by CodeRabbit

• Chores

  • Updated base image versions to newer releases for improved stability and security.
  • Configured pre-commit hooks to enforce code quality standards.
  • Updated code coverage thresholds (project: 35%, patch: 50%).
  • Updated CI/CD configuration and build settings.

• Refactor

  • Improved context propagation throughout machine utility functions for better request handling.

[openshift-ci-robot]

@charlesgong: This pull request references SREP-4482 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "5.0.0" version, but no target version was set.

This pull request references SREP-4486 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "5.0.0" version, but no target version was set.

This pull request references SREP-4800 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "5.0.0" version, but no target version was set.

Details

In response to this:

What type of PR is this?
boilerplate

What this PR does / why we need it?
This PR moves the changes introduced in boilerplate for Agentic SDLC Rollout into MVP for ocm-agent-operator.
Related BP MRs

• SREP-4482: Update golangci-lint configuration with enhanced linters boilerplate#716
• SREP-4484: Enable Codecov Enforcement boilerplate#720
• [SREP-4485] add pre-commit hooks to golang-osd-operator convention boilerplate#723

Which Jira/Github issue(s) this PR fixes?
Part of Rollout for Agentic SDLC -

• Lint -https://redhat.atlassian.net/browse/SREP-4482
• Pre-Commit Hook - https://redhat.atlassian.net/browse/SREP-4486
• CodeCov - https://redhat.atlassian.net/browse/SREP-4800

Special notes for your reviewer:
Pre-checks (if applicable):

• Tested latest changes against a cluster
• Ran make generate command locally to validate code changes
• Included documentation changes with PR

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: charlesgong
Once this PR has been reviewed and has the lgtm label, please assign smarthall for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[coderabbitai]

Important

Review skipped

Review was skipped due to path filters

⛔ Files ignored due to path filters (2)

• boilerplate/_data/last-boilerplate-commit is excluded by !boilerplate/**
• boilerplate/openshift/golang-osd-operator/golangci.yml is excluded by !boilerplate/**

CodeRabbit blocks several paths by default. You can override this behavior by explicitly including those paths in the path filters. For example, including **/dist/** will override the default block on the dist directory, by removing the pattern from both the lists.

⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: eb41a9bc-db55-4e0d-86a4-0fb37ab011eb

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

• 🔍 Trigger review

Walkthrough

This PR adds context propagation to Kubernetes client helper functions, updates base image tags across CI/build configuration, establishes pre-commit hook infrastructure with security and linting checks, adjusts coverage thresholds, and removes a user from the owners list.

Changes

Context Propagation Refactor

Layer / File(s)	Summary
API Signature Update pkg/machine/machine.go	GetMachinesForMachineSet and GetNodeForMachine now accept a context.Context parameter as the first argument, enabling proper request cancellation and deadline propagation through Kubernetes client calls.
Controller Integration controllers/machineset_controller.go	ProcessMachineSet is updated to pass ctx to both helper functions; getExpectedLabels signature changed to remove its ctx parameter; error handling refactored from type assertion to errors.As(err, &derr) pattern.
Tests & Implementation controllers/machineset_controller_test.go, pkg/machine/machine_test.go, int/int_test.go, fips.go, pkg/metrics/metrics_test.go	All test call sites updated to pass context.Background() to the refactored helper functions; unused fmt.Printf return values captured; slice preallocation added in int_test.go; concurrent metrics test refactored to use strings.Builder.

Infrastructure & Configuration Updates

Layer / File(s)	Summary
Base Image & CI Configuration .ci-operator.yaml, build/Dockerfile, build/Dockerfile.olm-registry	Boilerplate builder image tag updated from image-v8.3.5 to image-v8.3.6 in CI operator and Dockerfile builder stage; UBI minimal runtime image updated to 9.7-1778072020 in both Dockerfiles.
Pre-commit & Code Quality .pre-commit-config.yaml, .claude/commands/pre-commit.md	New .pre-commit-config.yaml defines Tier 1 hooks (conflict/trailing whitespace/YAML validation), security scanning via gitleaks, linting via golangci-lint, and local hooks for Go compilation check, module drift detection, and RBAC validation; accompanying command documentation specifies execution procedure and golden rules.
Coverage & Source Management .codecov.yml, .gitignore, OWNERS_ALIASES	Codecov configuration changed from disabled enforcement to explicit thresholds: Project 35% default with 1% threshold, Patch 50% default with 1% threshold; .venv/ directory added to .gitignore; abyrne55 user removed from ownership aliases.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

🚥 Pre-merge checks | ✅ 9 | ❌ 3

❌ Failed checks (3 warnings)

Check name	Status	Explanation	Resolution
Description check	⚠️ Warning	The PR description includes PR type, clear explanation of purpose (boilerplate update for Agentic SDLC), related references, and specific Jira issues, but does not follow the template structure with required sections like 'What is being added?', 'Checklist', or 'Steps to Manually Test'.	Add required template sections: describe what is being added, complete the pre-review checklist, and include manual testing steps or note why they are not applicable for this boilerplate change.
Docstring Coverage	⚠️ Warning	Docstring coverage is 16.67% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.
Test Structure And Quality	⚠️ Warning	Test files lack meaningful assertion messages (19 error assertions without diagnostics). Three review comments on test quality remain unaddressed.	Add diagnostic messages to Expect(err) assertions. Fix code block hint in pre-commit.md. Guard NodeRef in machine.go. Make test setup errors call Fail().

✅ Passed checks (9 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title clearly references the main objectives (boilerplate update for Agentic SDLC rollout with specific SREP ticket numbers) and aligns with the commit messages indicating lint fixes, pre-commit hooks, and codecov changes.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names	✅ Passed	All Ginkgo test names are stable and deterministic with no dynamic values, fmt.Sprintf, concatenation, or generated identifiers in test titles.
Microshift Test Compatibility	✅ Passed	No new Ginkgo e2e tests are added in this PR. The changes only modify existing unit/integration tests. The MicroShift compatibility check does not apply.
Single Node Openshift (Sno) Test Compatibility	✅ Passed	No new Ginkgo e2e tests were added in this PR. All test file changes are modifications to existing tests. SNO compatibility check only applies to newly added tests.
Topology-Aware Scheduling Compatibility	✅ Passed	PR introduces no new scheduling constraints. Changes are config updates, lint fixes, and context refactoring. Operator deployment manifests (unmodified) use topology-compatible patterns.
Ote Binary Stdout Contract	✅ Passed	OTE stdout check not applicable. This is a standard Kubernetes operator, not an OTE test extension binary. No OTE infrastructure in codebase.
Ipv6 And Disconnected Network Test Compatibility	✅ Passed	No new Ginkgo e2e tests are added in this PR. All test file changes are refactoring of existing tests (context parameter additions). The check does not apply.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[codecov-commenter]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 58.60%. Comparing base (3b59c4f) to head (cc66876).

Additional details and impacted files

@@           Coverage Diff           @@
##             main     #239   +/-   ##
=======================================
  Coverage   58.60%   58.60%           
=======================================
  Files           5        5           
  Lines         244      244           
=======================================
  Hits          143      143           
  Misses         87       87           
  Partials       14       14           

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[coderabbitai]

Actionable comments posted: 3

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

controllers/machineset_controller.go (1)

142-160: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

getExpectedLabels mutates MachineSet template labels by reference.

At Line 143, result := machineSet.Spec.Template.Spec.Labels aliases the original map, and Line 159 deletes keys from it. This leaks side effects into machineSet and subsequent reconciliation logic.

Proposed fix

 func (r *MachinesetReconciler) getExpectedLabels(machineSet *machinev1beta1.MachineSet, machine *machinev1beta1.Machine, node *corev1.Node) map[string]string {
-	result := machineSet.Spec.Template.Spec.Labels
+	result := make(map[string]string, len(machineSet.Spec.Template.Spec.Labels))
+	for k, v := range machineSet.Spec.Template.Spec.Labels {
+		result[k] = v
+	}

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@controllers/machineset_controller.go` around lines 142 - 160, The function
getExpectedLabels currently aliases machineSet.Spec.Template.Spec.Labels into
result and then deletes keys, mutating the MachineSet's template; instead,
create a new map (e.g., newResult) and copy all entries from
machineSet.Spec.Template.Spec.Labels into it (handle nil by initializing an
empty map) and then perform the delete operations on that new map; return the
new map so the original machineSet.Spec.Template.Spec.Labels is never modified
in-place (refer to symbols: getExpectedLabels, result,
machineSet.Spec.Template.Spec.Labels, delete(result,...)).

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.claude/commands/pre-commit.md:
- Around line 77-85: The fenced code block showing the "PRE-COMMIT SUMMARY" in
.claude/commands/pre-commit.md lacks a language hint which triggers markdownlint
MD040; update the opening fence for that block (the block containing the
"PRE-COMMIT SUMMARY" header and list) to include a language hint (e.g., change
the opening ``` to ```text) so the fenced summary block is annotated and the
lint rule is satisfied.

In `@controllers/machineset_controller_test.go`:
- Around line 45-50: The current test setup swallows errors from
corev1.AddToScheme(s) and machinev1beta1.AddToScheme(s) by only printing
messages; change those branches to fail the test immediately by propagating the
error (e.g., call panic(fmt.Sprintf(..., err)) or use the test harness' fatal
helper such as t.Fatalf("failed adding apis to scheme: %v", err) if a *testing.T
is available). Update the error handling for the AddToScheme calls
(corev1.AddToScheme and machinev1beta1.AddToScheme) to include the actual err
and abort so the suite cannot continue with a bad scheme.

In `@pkg/machine/machine.go`:
- Around line 85-88: GetNodeForMachine currently dereferences
m.Status.NodeRef.Name without checking for nil; add a guard at the top of
GetNodeForMachine that checks if m == nil or m.Status.NodeRef == nil and return
a clear error (or nil, error) when NodeRef is missing instead of proceeding to
c.Get; this prevents panics and keeps the existing client.Get call using
m.Status.NodeRef.Name only after confirming NodeRef is non-nil.

---

Outside diff comments:
In `@controllers/machineset_controller.go`:
- Around line 142-160: The function getExpectedLabels currently aliases
machineSet.Spec.Template.Spec.Labels into result and then deletes keys, mutating
the MachineSet's template; instead, create a new map (e.g., newResult) and copy
all entries from machineSet.Spec.Template.Spec.Labels into it (handle nil by
initializing an empty map) and then perform the delete operations on that new
map; return the new map so the original machineSet.Spec.Template.Spec.Labels is
never modified in-place (refer to symbols: getExpectedLabels, result,
machineSet.Spec.Template.Spec.Labels, delete(result,...)).

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: f43a3d82-52fd-471a-9503-7f20387be318

📥 Commits

Reviewing files that changed from the base of the PR and between 3b59c4f and 2906883.

⛔ Files ignored due to path filters (8)

• boilerplate/_data/backing-image-tag is excluded by !boilerplate/**
• boilerplate/_data/last-boilerplate-commit is excluded by !boilerplate/**
• boilerplate/openshift/golang-osd-operator/.codecov.yml is excluded by !boilerplate/**
• boilerplate/openshift/golang-osd-operator/OWNERS_ALIASES is excluded by !boilerplate/**
• boilerplate/openshift/golang-osd-operator/golangci.yml is excluded by !boilerplate/**
• boilerplate/openshift/golang-osd-operator/pre-commit-config.yaml is excluded by !boilerplate/**
• boilerplate/openshift/golang-osd-operator/standard.mk is excluded by !boilerplate/**
• boilerplate/openshift/golang-osd-operator/update is excluded by !boilerplate/**

📒 Files selected for processing (15)

• .ci-operator.yaml
• .claude/commands/pre-commit.md
• .codecov.yml
• .gitignore
• .pre-commit-config.yaml
• OWNERS_ALIASES
• build/Dockerfile
• build/Dockerfile.olm-registry
• controllers/machineset_controller.go
• controllers/machineset_controller_test.go
• fips.go
• int/int_test.go
• pkg/machine/machine.go
• pkg/machine/machine_test.go
• pkg/metrics/metrics_test.go

💤 Files with no reviewable changes (1)

• OWNERS_ALIASES

[coderabbitai]

⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Add a language hint to the fenced summary block (markdownlint MD040).

Line 77 uses a fenced code block without a language, which triggers lint and can fail docs checks.

Suggested patch

-```
+```text
 PRE-COMMIT SUMMARY
 ==================
 Passed:     <list of hook IDs>
 Auto-fixed: <list of hook IDs> → files staged
 Fixed:      <list of hook IDs> → changes applied
 Failed:     <list of hook IDs> → escalated to human
 Attempts:   <N> of 2 maximum

</details>

<details>
<summary>🧰 Tools</summary>

<details>
<summary>🪛 markdownlint-cli2 (0.22.1)</summary>

[warning] 77-77: Fenced code blocks should have a language specified

(MD040, fenced-code-language)

</details>

</details>

<details>
<summary>🤖 Prompt for AI Agents</summary>

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.claude/commands/pre-commit.md around lines 77 - 85, The fenced code block
showing the "PRE-COMMIT SUMMARY" in .claude/commands/pre-commit.md lacks a
language hint which triggers markdownlint MD040; update the opening fence for
that block (the block containing the "PRE-COMMIT SUMMARY" header and list) to
include a language hint (e.g., change the opening totext) so the fenced
summary block is annotated and the lint rule is satisfied.

</details>

<!-- fingerprinting:phantom:poseidon:hawk -->

<!-- d98c2f50 -->

<!-- This is an auto-generated comment by CodeRabbit -->

[coderabbitai]

⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Fail fast when AddToScheme fails in test setup.

At Line 46 and Line 49, setup errors are only printed. These should fail the suite immediately to avoid false/opaque downstream test failures.

Proposed fix

 if err := corev1.AddToScheme(s); err != nil {
-	_, _ = fmt.Printf("failed adding apis to scheme in machineset controller tests")
+	Fail(fmt.Sprintf("failed adding core APIs to scheme in machineset controller tests: %v", err))
 }
 if err := machinev1beta1.AddToScheme(s); err != nil {
-	_, _ = fmt.Printf("failed adding apis to scheme in machineset controller tests")
+	Fail(fmt.Sprintf("failed adding machine APIs to scheme in machineset controller tests: %v", err))
 }

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	if err := corev1.AddToScheme(s); err != nil {
	fmt.Printf("failed adding apis to scheme in machineset controller tests")
	_, _ = fmt.Printf("failed adding apis to scheme in machineset controller tests")
	}
	if err := machinev1beta1.AddToScheme(s); err != nil {
	fmt.Printf("failed adding apis to scheme in machineset controller tests")
	_, _ = fmt.Printf("failed adding apis to scheme in machineset controller tests")
	}
	if err := corev1.AddToScheme(s); err != nil {
	Fail(fmt.Sprintf("failed adding core APIs to scheme in machineset controller tests: %v", err))
	}
	if err := machinev1beta1.AddToScheme(s); err != nil {
	Fail(fmt.Sprintf("failed adding machine APIs to scheme in machineset controller tests: %v", err))
	}

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@controllers/machineset_controller_test.go` around lines 45 - 50, The current
test setup swallows errors from corev1.AddToScheme(s) and
machinev1beta1.AddToScheme(s) by only printing messages; change those branches
to fail the test immediately by propagating the error (e.g., call
panic(fmt.Sprintf(..., err)) or use the test harness' fatal helper such as
t.Fatalf("failed adding apis to scheme: %v", err) if a *testing.T is available).
Update the error handling for the AddToScheme calls (corev1.AddToScheme and
machinev1beta1.AddToScheme) to include the actual err and abort so the suite
cannot continue with a bad scheme.

[coderabbitai]

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Guard NodeRef before dereferencing to avoid panic.

At Line 87, m.Status.NodeRef.Name is accessed without checking m.Status.NodeRef != nil. This can panic on machines missing NodeRef.

Proposed fix

 func GetNodeForMachine(ctx context.Context, c client.Client, m *machinev1.Machine) (*corev1.Node, error) {
+	if m == nil || m.Status.NodeRef == nil || m.Status.NodeRef.Name == "" {
+		return &corev1.Node{}, fmt.Errorf("machine has no node reference")
+	}
 	node := &corev1.Node{}
 	err := c.Get(ctx, types.NamespacedName{Name: m.Status.NodeRef.Name}, node)
 	if err != nil {
 		return &corev1.Node{}, err
 	}
 	return node, err
 }

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	func GetNodeForMachine(ctx context.Context, c client.Client, m *machinev1.Machine) (*corev1.Node, error) {
	node := &corev1.Node{}
	err := c.Get(context.TODO(), types.NamespacedName{Name: m.Status.NodeRef.Name}, node)
	err := c.Get(ctx, types.NamespacedName{Name: m.Status.NodeRef.Name}, node)
	if err != nil {
	func GetNodeForMachine(ctx context.Context, c client.Client, m *machinev1.Machine) (*corev1.Node, error) {
	if m == nil || m.Status.NodeRef == nil || m.Status.NodeRef.Name == "" {
	return &corev1.Node{}, fmt.Errorf("machine has no node reference")
	}
	node := &corev1.Node{}
	err := c.Get(ctx, types.NamespacedName{Name: m.Status.NodeRef.Name}, node)
	if err != nil {
	return &corev1.Node{}, err
	}
	return node, err
	}

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@pkg/machine/machine.go` around lines 85 - 88, GetNodeForMachine currently
dereferences m.Status.NodeRef.Name without checking for nil; add a guard at the
top of GetNodeForMachine that checks if m == nil or m.Status.NodeRef == nil and
return a clear error (or nil, error) when NodeRef is missing instead of
proceeding to c.Get; this prevents panics and keeps the existing client.Get call
using m.Status.NodeRef.Name only after confirming NodeRef is non-nil.

[openshift-ci]

@charlesgong: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/lint	cc66876	link	true	/test lint

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.