
Boilerplate: Update to 98c46c12258c4ce4c9051c4458dcd9b7b9664346#282

Open
tnierman wants to merge 1 commit into openshift:master from tnierman:boilerplate-update-1-98c46c12258c4ce4c9051c4458dcd9b7b9664346

Conversation

@tnierman (Member) commented May 6, 2026

Update boilerplate via make boilerplate-update boilerplate-commit:


Conventions:

commit: 77970a51152ec0437f6b6845ceeb999bf80581fc
author: jdowni000
Update UBI9 base image to 9.7-1778044007 for Go 1.25.9

Updates both builder and final stage to use UBI9:9.7-1778044007 which includes go-toolset-1.25.9 for fixing critical stdlib CVEs.

This enables downstream projects (like aws-account-operator) to consume the latest Go stdlib security fixes.

Fixes Go 1.25.9 stdlib CVEs including CVE-2026-27143 (Critical) and 11 other High/Medium severity vulnerabilities.

commit: 0643771a04b7ebc8ec1b6d62dd85078ab864041f
author: devppratik
Minor fixes for pre-commit hooks and Lint

commit: 636c91891f92b9d0109d45d768ff07694d3b865c
author: cgong
fix: renumber hooks, make RBAC check warn-only (SREP-4485)

  • Renumber hooks 1-6 after merging file hygiene and YAML syntax sections
  • Clean up inline golden-rule references from comments
  • Make rbac-wildcard-check warn-only (exit 0) to avoid blocking repos with pre-existing wildcard RBAC; will promote to blocking after cleanup
  • Add go-build binary note: compile-only, no artifacts written to repo

commit: 213c67c8e0ffd603b7c0935829709ba6496c9efc
author: cgong
fix: address review comments on pre-commit config (SREP-4485)

  • Merge duplicate pre-commit-hooks repo entries into one block
  • Move RBAC wildcard check logic to make target rbac-wildcard-check in standard.mk for readability and reuse; hook now calls make target
  • Clean up inline comments

commit: b854c349cc24ce530842764ad7982c74c8e1368c
author: devppratik
Update threshold values

commit: 99e10d2419e0e4e7caa821eb953085ac9e44acce
author: devppratik
Update threshold values

commit: 3bbe2cec84c927aca0c2ded28ec337e679d239be
author: Anthony Byrne
Remove myself from OWNERS

Removed 'abyrne55' from srep-functional-team-aurora and srep-functional-leads aliases.

commit: 2c24caf9372c0f117f6f4825b09c22007b80edaf
author: cgong
fix: remove Claude command from boilerplate MR (SREP-4485)

Claude Code skill (.claude/commands/pre-commit.md) moved to SREP-4410. This MR now contains only the pre-commit-config.yaml addition.

commit: 298b1a437285a1031d7d6ba67c576cb694cc73ba
author: cgong
add: pre-commit hooks to golang-osd-operator convention (SREP-4485)

Adds .pre-commit-config.yaml deployment to all operators subscribing to the golang-osd-operator boilerplate convention.

Files added to convention:

  • pre-commit-config.yaml: Tier 1 common hooks mirroring ci/prow/lint (file hygiene, gitleaks, golangci-lint, go-build, go-mod-tidy, RBAC wildcard check)
  • commands/pre-commit.md: /pre-commit Claude Code agent with golden rule compliance (2-retry limit, security escalation, structured output)

update script now deploys both files to operator repos:

  • .pre-commit-config.yaml at repo root
  • .claude/commands/pre-commit.md for Claude Code agent support

Golden rules: SREP-4450

commit: b945ce088eb8f53557f0128727141ea634127e9e
author: red-hat-konflux[bot]
chore(deps): update registry.access.redhat.com/ubi8/ubi-minimal:latest docker digest to 8244f60

commit: 599533cf8fcc65cf0edc89ec62b323f23ba0d50f
author: red-hat-konflux[bot]
chore(deps): update konflux references

commit: bf40484c3a6951f1da4aba49a1fc723521267af5
author: devppratik
SREP-4484: Enable codecov enforcement for repos

commit: 09b0e58b9a006cc37e74fa5603fa6410a9be9f68
author: Anwardeen A
Bumping ubi image

commit: 7f92f3595ab6f86048fffeaaf2964011e6ff00d9
author: Anwardeen A
Bumping ubi image

commit: d960f6e9051781f162c9834c8c570d7b143e2634
author: red-hat-konflux[bot]
chore(deps): update registry.access.redhat.com/ubi8/ubi-minimal:latest docker digest to 46f0892

commit: 8aa643951691f03c189c88749ef4cea5f5664640
author: red-hat-konflux[bot]
chore(deps): update konflux references

commit: ef5b692fe45d95701ea3f5cc3e3bb4c0cd4c239c
author: Josh Branham
remove jharrington22

commit: d83e5eea8cbd3b0c7fcaf70c612bcd538e943489
author: devppratik
Update golangci-lint configuration with enhanced linters

Enhance the golangci-lint configuration to include a more comprehensive set of linters organized by priority (Critical, High, Medium, Optional) with appropriate settings for error handling, security, and code quality checks.

commit: 584d83057f7c30a136f890276b3b21f35431869f
author: red-hat-konflux[bot]
chore(deps): update registry.access.redhat.com/ubi8/ubi-minimal:latest docker digest to a2b9823

commit: 1e4454023a21310295aa370b6aaa6af12a3194a0
author: red-hat-konflux[bot]
chore(deps): update konflux references

Summary by CodeRabbit

  • Chores

    • Updated build infrastructure base images to latest versions for improved security and stability.
    • Implemented pre-commit hooks to enhance code quality checks and prevent common mistakes during development.
  • Tests

    • Established code coverage targets (35% project-level, 50% patch-level) with defined thresholds to maintain code quality standards.

Conventions:
- openshift/golang-osd-operator: Update
---
openshift/boilerplate@b3f3937...98c46c1

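An added, stand-alone rendering of the rbac-wildcard-check hook that the boilerplate commits above describe (the pre-commit set is file hygiene, gitleaks, golangci-lint, go-build, go-mod-tidy and an RBAC wildcard check, with the RBAC check made warn-only until repos with pre-existing wildcards are cleaned up). This is not the make target from openshift/boilerplate's standard.mk; it is example code written for this page. It assumes manifests are plain YAML files under the directory passed as the first argument, treats a bare or quoted `*` list item, or an inline `["*"]` under apiGroups/resources/verbs, inside a Role or ClusterRole document as a wildcard, and ships constructed fixture manifests so it runs offline:

```shell
#!/usr/bin/env bash
# Added example: a stand-alone version of the rbac-wildcard-check described in the
# boilerplate commits above. It is NOT the standard.mk target from openshift/boilerplate.
# Assumptions (mine): manifests are plain YAML files under the directory given as $1,
# and a wildcard is a list item that is exactly "*" (bare or quoted) or an inline flow
# list ["*"] under apiGroups/resources/verbs, inside a Role or ClusterRole document.

WILDCARD_RE="^[[:space:]]*-[[:space:]]*[\"']?\\*[\"']?[[:space:]]*\$|^[[:space:]]*(-[[:space:]]*)?(apiGroups|resources|verbs):[[:space:]]*\\[[[:space:]]*[\"']?\\*[\"']?[[:space:]]*]"

# Print every hit as file:line:content and record the total in RBAC_WILDCARD_HITS.
# Files that are not a Role or ClusterRole are skipped, so a "*" in, say, a
# Deployment's args does not count as an RBAC grant.
rbac_wildcard_scan() {
    dir="$1"
    RBAC_WILDCARD_HITS=0
    for f in $(find "$dir" -type f \( -name '*.yaml' -o -name '*.yml' \) | sort); do
        grep -Eq '^kind:[[:space:]]*(Cluster)?Role[[:space:]]*$' "$f" || continue
        matches=$(grep -nE "$WILDCARD_RE" "$f" || true)
        [ -n "$matches" ] || continue
        printf '%s\n' "$matches" | sed "s|^|$f:|"
        n=$(printf '%s\n' "$matches" | wc -l | tr -d ' ')
        RBAC_WILDCARD_HITS=$((RBAC_WILDCARD_HITS + n))
    done
    return 0
}

# Hook entry point. mode=warn reports and exits 0 (the warn-only behaviour the
# commit above adopts while repos with pre-existing wildcards are cleaned up);
# mode=block fails the commit when any wildcard is found.
rbac_wildcard_check() {
    dir="$1"
    mode="${2:-warn}"
    rbac_wildcard_scan "$dir"
    if [ "$RBAC_WILDCARD_HITS" -eq 0 ]; then
        echo "rbac-wildcard-check: no wildcard RBAC rules found"
        return 0
    fi
    echo "rbac-wildcard-check: $RBAC_WILDCARD_HITS wildcard RBAC rule(s) found" >&2
    if [ "$mode" = "warn" ]; then
        echo "rbac-wildcard-check: warn-only mode, not blocking the commit" >&2
        return 0
    fi
    return 1
}

# Constructed fixtures so the script runs offline: one over-broad ClusterRole, one
# least-privilege Role, and a Deployment whose "*" must be ignored.
make_rbac_fixtures() {
    d=$(mktemp -d)
    cat > "$d/clusterrole.yaml" <<'EOF'
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: too-broad
rules:
- apiGroups: ["*"]
  resources:
  - "*"
  verbs: [get, list, watch]
- apiGroups: [""]
  resources: [secrets]
  verbs:
  - '*'
EOF
    cat > "$d/role.yaml" <<'EOF'
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: scoped
rules:
- apiGroups: [""]
  resources: [configmaps]
  verbs: [get, list, watch]
EOF
    cat > "$d/deployment.yaml" <<'EOF'
apiVersion: apps/v1
kind: Deployment
metadata:
  name: not-rbac
spec:
  template:
    spec:
      containers:
      - name: app
        args:
        - "*"
EOF
    echo "$d"
}

# Stand-alone demo: three hits in clusterrole.yaml, reported but not blocking.
if [ "${RBAC_CHECK_DEMO:-1}" = "1" ]; then
    FIXTURES=$(make_rbac_fixtures)
    rbac_wildcard_check "$FIXTURES" warn
    rm -rf "$FIXTURES"
fi
```

Run with bash to see the three findings in the constructed ClusterRole reported without a failing exit; `rbac_wildcard_check manifests/ block` is the shape the hook takes once the check is promoted to blocking. The kind filter is the detail worth keeping when porting this: a `*` in a Deployment's args is not an RBAC grant and must not trip the hook.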
coderabbitai (Bot) commented May 6, 2026

Walkthrough

This PR updates container base images across CI and build configurations, introduces pre-commit hooks for development workflows, configures codecov coverage targets, and removes three users from team ownership groups. Changes span infrastructure versioning, development tooling configuration, and team management.

Changes

Container Image & Boilerplate Updates

Layer | File(s) | Summary
CI Root Image Config | .ci-operator.yaml | Build root image tag updated from image-v8.3.4 to image-v8.3.6.
Dockerfile Builder Stage | build/Dockerfile | Boilerplate builder stage image updated to image-v8.3.6; UBI-minimal base image tag updated from 9.7-1775623882 to 9.7-1778072020.
OLM Registry Dockerfile | build/Dockerfile.olm-registry | UBI-minimal base image tag updated to 9.7-1778072020 to align with main Dockerfile.

Development Tools & Team Configuration

Layer | File(s) | Summary
Code Coverage Configuration | .codecov.yml | Codecov targets added: project coverage 35% with 1% threshold, patch coverage 50% with 1% threshold.
Pre-commit Hooks | .pre-commit-config.yaml | Comprehensive pre-commit configuration added with Tier 1 hooks (merge-conflict, trailing-whitespace, end-of-file-fixer, yaml validation), gitleaks secrets detection, golangci-lint static analysis, and local custom hooks (go-build, go-mod-tidy, rbac-wildcard-check).
Team Ownership | OWNERS_ALIASES | Removed abyrne55 from srep-functional-team-aurora and srep-functional-leads groups; removed jharrington22 from srep-architects group.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

🚥 Pre-merge checks | ✅ 11 | ❌ 1

❌ Failed checks (1 warning)

Check name | Status | Explanation | Resolution
Title check | ⚠️ Warning | The title references a specific commit hash but doesn't convey the meaningful changes being made (boilerplate update, image versions, pre-commit configuration, etc.). | Use a more descriptive title like 'Update boilerplate with pre-commit hooks, codecov config, and image upgrades' to clarify the primary changes.

✅ Passed checks (11 passed)

Check name | Status | Explanation
Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled.
Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names | ✅ Passed | All test names in modified files are stable and deterministic. No dynamic information found in test titles.
Test Structure And Quality | ✅ Passed | PR does not contain Ginkgo test code. Added test files use Go testing framework with testify, gomock, and table-driven tests, not Ginkgo BDD patterns. Custom check not applicable.
Microshift Test Compatibility | ✅ Passed | This PR only updates boilerplate configurations and Dockerfiles. No new Ginkgo e2e tests were added, so the MicroShift test compatibility check is not applicable.
Single Node Openshift (Sno) Test Compatibility | ✅ Passed | This PR does not add any Ginkgo e2e tests. It only updates boilerplate configuration files and container image references. The SNO compatibility check is not applicable to this PR.
Topology-Aware Scheduling Compatibility | ✅ Passed | PR contains only configuration and build file updates (boilerplate upgrade). No deployment manifests, operator code changes, or scheduling constraints were introduced. Check is not applicable.
Ote Binary Stdout Contract | ✅ Passed | PR contains only configuration and build file changes with no modifications to process-level code (main, init, TestMain, suite setup). No stdout writes introduced to main binary execution path.
Ipv6 And Disconnected Network Test Compatibility | ✅ Passed | Custom check does not apply. PR contains only configuration and Dockerfile updates; no new Ginkgo e2e tests were added. Check applies only when new tests are added.

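The walkthrough above tracks two kinds of base-image change: bumps of build/Dockerfile and build/Dockerfile.olm-registry to the same ubi-minimal tag (the second "to align with main Dockerfile"), and Konflux updates that move an image reference to a new digest. As an added example, not the project's or the boilerplate's own tooling, here is a shell check that reads FROM lines out of a set of Dockerfiles, reports every reference that is pinned only by a mutable tag, and confirms that all ubi-minimal references carry one tag. The fixture Dockerfiles, their quay.io/example registry paths and the sha256 digest in them are constructed placeholders, and the script assumes uppercase FROM keywords:

```shell
#!/usr/bin/env bash
# Added example, not the operator's or boilerplate's own tooling: a consistency check
# for the base-image references the walkthrough above tracks across Dockerfiles.
# Assumptions (mine): FROM keywords are uppercase (the Dockerfile convention) and
# the registry paths in the fixtures are placeholders, not the project's real images.

# Print one image reference per FROM line, with any --platform flag and "AS name"
# removed. Stage references (FROM builder) and "scratch" carry no registry path,
# tag or digest, so the final grep drops them.
dockerfile_from_refs() {
    grep -hE '^[[:space:]]*FROM[[:space:]]' "$@" \
      | sed -E 's/^[[:space:]]*FROM[[:space:]]+//; s/^--platform=[^[:space:]]+[[:space:]]+//; s/[[:space:]]+(AS|as)[[:space:]].*$//; s/[[:space:]]+$//' \
      | grep -E '/|:|@' || true
}

# A tag like 9.7-1778072020 can be re-pointed by the registry; a digest cannot.
# Lists every reference that is not digest-pinned, sets UNPINNED_COUNT and
# returns 1 if any were found.
check_digest_pinning() {
    UNPINNED_COUNT=0
    for ref in $(dockerfile_from_refs "$@"); do
        case "$ref" in
            *@sha256:*) ;;
            *) echo "not digest-pinned: $ref"; UNPINNED_COUNT=$((UNPINNED_COUNT + 1)) ;;
        esac
    done
    [ "$UNPINNED_COUNT" -eq 0 ]
}

# Every ubi-minimal reference across the given Dockerfiles should carry the same
# tag, so the operator image and the OLM registry image do not drift apart.
# Sets UBI_TAG_COUNT to the number of distinct tags and returns 0 only if it is 1.
check_ubi_tag_alignment() {
    tags=$(dockerfile_from_refs "$@" \
        | grep -E '/ubi-minimal:' \
        | sed -E 's/@sha256:.*$//; s/^.*\/ubi-minimal://' \
        | sort -u)
    UBI_TAG_COUNT=$(printf '%s\n' "$tags" | grep -c . || true)
    echo "ubi-minimal tags in use: $(printf '%s' "$tags" | tr '\n' ' ')"
    [ "$UBI_TAG_COUNT" -eq 1 ]
}

# Constructed fixtures: a two-stage operator build and an OLM registry Dockerfile
# whose ubi-minimal tag has fallen behind. The digest is a placeholder value.
make_dockerfile_fixtures() {
    d=$(mktemp -d)
    cat > "$d/Dockerfile" <<'EOF'
FROM quay.io/example/boilerplate:image-v8.3.6 AS builder
WORKDIR /go/src/github.com/example/operator
RUN make go-build

FROM registry.access.redhat.com/ubi9/ubi-minimal:9.7-1778072020
COPY --from=builder /go/src/github.com/example/operator/build/_output/bin/operator /usr/local/bin/operator
USER 1001
EOF
    cat > "$d/Dockerfile.olm-registry" <<'EOF'
FROM --platform=linux/amd64 quay.io/example/opm-base@sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef AS opm
FROM registry.access.redhat.com/ubi9/ubi-minimal:9.7-1775623882
COPY --from=opm /bin/opm /bin/opm
EOF
    echo "$d"
}

# Stand-alone demo against the fixtures: three tag-only references and two
# different ubi-minimal tags are reported.
if [ "${DOCKERFILE_CHECK_DEMO:-1}" = "1" ]; then
    FIX=$(make_dockerfile_fixtures)
    check_digest_pinning "$FIX/Dockerfile" "$FIX/Dockerfile.olm-registry" \
        || echo "$UNPINNED_COUNT reference(s) pinned by tag only"
    check_ubi_tag_alignment "$FIX/Dockerfile" "$FIX/Dockerfile.olm-registry" \
        || echo "ubi-minimal tags differ across Dockerfiles"
    rm -rf "$FIX"
fi
```

Either check is a natural local hook next to the go-build and go-mod-tidy ones: the alignment check catches a bump applied to one Dockerfile and not the other, and the pinning report makes it explicit which FROM lines a registry could still re-point underneath a build.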

coderabbitai (Bot) left a comment
Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
build/Dockerfile (1)

7-13: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Set a non-root runtime user in the final image stage.

The final image runs as root today (no USER directive), which weakens container hardening and matches the DS-0002 finding.

Suggested hardening patch
 FROM registry.access.redhat.com/ubi9/ubi-minimal:9.7-1778072020
 ENV OPERATOR_BIN=deadmanssnitch-operator

-WORKDIR /root/
+WORKDIR /tmp
 COPY --from=builder /go/src/github.com/openshift/deadmanssnitch-operator/build/_output/bin/${OPERATOR_BIN} /usr/local/bin/${OPERATOR_BIN}
 LABEL io.openshift.managed.name="deadmanssnitch-operator" \
       io.openshift.managed.description="Operator to manage Dead Man Snitches"
+USER 1001
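Review bot: the WORKDIR change is the weak spot of this hunk. Replacing /root/ is right, since a non-root UID cannot use it, but pointing the working directory at /tmp only works because /tmp is world-writable, and it does not tell a reader which directory the process is meant to own; since the binary lives in /usr/local/bin, either drop WORKDIR entirely or create a directory for the runtime user (e.g. `RUN mkdir /app && chown 1001:0 /app` followed by `WORKDIR /app`, a suggestion, not something taken from the page). Keep `USER 1001` numeric rather than a user name so the runtime's non-root check can verify it from image metadata, and keep the binary root-owned as the hunk does; the agent prompt below suggests chowning it to the new user, which would let a compromised process overwrite its own executable.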
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@build/Dockerfile` around lines 7 - 13, The final image runs as root; update
the Dockerfile to create a non-root user and switch to it at runtime: add a
non-root user/group (e.g., deadmanssnitch), chown the installed binary and
WORKDIR to that user (the binary referenced by OPERATOR_BIN and path
/usr/local/bin/${OPERATOR_BIN}) and add a USER directive before finishing the
final stage so the container runs as the non-root user; ensure permissions are
set so the operator can execute the binary and access /root/ or change WORKDIR
to a directory owned by the new user.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 4c391df4-68ce-417a-846c-86f2206c3b5d

📥 Commits

Reviewing files that changed from the base of the PR and between 0a3ca8d and 594f627.

⛔ Files ignored due to path filters (8)
  • boilerplate/_data/backing-image-tag is excluded by !boilerplate/**
  • boilerplate/_data/last-boilerplate-commit is excluded by !boilerplate/**
  • boilerplate/openshift/golang-osd-operator/.codecov.yml is excluded by !boilerplate/**
  • boilerplate/openshift/golang-osd-operator/OWNERS_ALIASES is excluded by !boilerplate/**
  • boilerplate/openshift/golang-osd-operator/golangci.yml is excluded by !boilerplate/**
  • boilerplate/openshift/golang-osd-operator/pre-commit-config.yaml is excluded by !boilerplate/**
  • boilerplate/openshift/golang-osd-operator/standard.mk is excluded by !boilerplate/**
  • boilerplate/openshift/golang-osd-operator/update is excluded by !boilerplate/**
📒 Files selected for processing (6)
  • .ci-operator.yaml
  • .codecov.yml
  • .pre-commit-config.yaml
  • OWNERS_ALIASES
  • build/Dockerfile
  • build/Dockerfile.olm-registry
💤 Files with no reviewable changes (1)
  • OWNERS_ALIASES

openshift-ci (Bot, Contributor) commented May 6, 2026

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: tnierman

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci openshift-ci Bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label May 6, 2026
tnierman (Member, Author) commented May 6, 2026

/retest

@codecov-commenter

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 43.28%. Comparing base (0a3ca8d) to head (594f627).

Additional details and impacted files


@@           Coverage Diff           @@
##           master     #282   +/-   ##
=======================================
  Coverage   43.28%   43.28%           
=======================================
  Files          11       11           
  Lines         834      834           
=======================================
  Hits          361      361           
  Misses        424      424           
  Partials       49       49           

openshift-ci (Bot, Contributor) commented May 7, 2026

@tnierman: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name | Commit | Details | Required | Rerun command
ci/prow/lint | 594f627 | link | true | /test lint


Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.
