Boilerplate: Update to d93f5056acbf3ed2fb2bb9bdf8f148bd33a3446b

[tnierman]

Update boilerplate via make boilerplate-update boilerplate-commit:

---

Conventions:

• openshift/golang-osd-operator: Update ---
  openshift/boilerplate@b3f3937...d93f505

commit: a903a81cde2b197d153253df9ca148935687dc76
author: Trevor Nierman
Re-enable std-error-handling exclusion for golang-osd-operator lint

The golang-osd-operator golangci config was missing the std-error-handling exclusion preset, causing errcheck to flag unchecked return values from standard library functions like fmt.Printf and fmt.Println. The golang-lint convention already includes this preset. Also removes disable-default-exclusions which was redundant with the explicit preset.

commit: f76b2a3ebed41d057e74e9facbf21235053c161f
author: devppratik
Update lint to run on new changes only

commit: 77970a51152ec0437f6b6845ceeb999bf80581fc
author: jdowni000
Update UBI9 base image to 9.7-1778044007 for Go 1.25.9

Updates both builder and final stage to use UBI9:9.7-1778044007 which includes go-toolset-1.25.9 for fixing critical stdlib CVEs.

This enables downstream projects (like aws-account-operator) to consume the latest Go stdlib security fixes.

Fixes Go 1.25.9 stdlib CVEs including CVE-2026-27143 (Critical) and 11 other High/Medium severity vulnerabilities.

commit: 0643771a04b7ebc8ec1b6d62dd85078ab864041f
author: devppratik
Minor fixes for pre-commit hooks and Lint

commit: 636c91891f92b9d0109d45d768ff07694d3b865c
author: cgong
fix: renumber hooks, make RBAC check warn-only (SREP-4485)

• Renumber hooks 1-6 after merging file hygiene and YAML syntax sections
• Clean up inline golden-rule references from comments
• Make rbac-wildcard-check warn-only (exit 0) to avoid blocking repos with pre-existing wildcard RBAC; will promote to blocking after cleanup
• Add go-build binary note: compile-only, no artifacts written to repo

commit: 213c67c8e0ffd603b7c0935829709ba6496c9efc
author: cgong
fix: address review comments on pre-commit config (SREP-4485)

• Merge duplicate pre-commit-hooks repo entries into one block
• Move RBAC wildcard check logic to make target rbac-wildcard-check in standard.mk for readability and reuse; hook now calls make target
• Clean up inline comments

commit: b854c349cc24ce530842764ad7982c74c8e1368c
author: devppratik
Update threshold values

commit: 99e10d2419e0e4e7caa821eb953085ac9e44acce
author: devppratik
Update threshold values

commit: 3bbe2cec84c927aca0c2ded28ec337e679d239be
author: Anthony Byrne
Remove myself from OWNERS

Removed 'abyrne55' from srep-functional-team-aurora and srep-functional-leads aliases.

commit: 2c24caf9372c0f117f6f4825b09c22007b80edaf
author: cgong
fix: remove Claude command from boilerplate MR (SREP-4485)

Claude Code skill (.claude/commands/pre-commit.md) moved to SREP-4410. This MR now contains only the pre-commit-config.yaml addition.

commit: 298b1a437285a1031d7d6ba67c576cb694cc73ba
author: cgong
add: pre-commit hooks to golang-osd-operator convention (SREP-4485)

Adds .pre-commit-config.yaml deployment to all operators subscribing to the golang-osd-operator boilerplate convention.

Files added to convention:

• pre-commit-config.yaml: Tier 1 common hooks mirroring ci/prow/lint (file hygiene, gitleaks, golangci-lint, go-build, go-mod-tidy, RBAC wildcard check)
• commands/pre-commit.md: /pre-commit Claude Code agent with golden rule compliance (2-retry limit, security escalation, structured output)

update script now deploys both files to operator repos:

• .pre-commit-config.yaml at repo root
• .claude/commands/pre-commit.md for Claude Code agent support

Golden rules: SREP-4450

commit: b945ce088eb8f53557f0128727141ea634127e9e
author: red-hat-konflux[bot]
chore(deps): update registry.access.redhat.com/ubi8/ubi-minimal:latest docker digest to 8244f60

commit: 599533cf8fcc65cf0edc89ec62b323f23ba0d50f
author: red-hat-konflux[bot]
chore(deps): update konflux references

commit: bf40484c3a6951f1da4aba49a1fc723521267af5
author: devppratik
SREP-4484: Enable codecov enforcement for repos

commit: 09b0e58b9a006cc37e74fa5603fa6410a9be9f68
author: Anwardeen A
Bumping ubi image

commit: 7f92f3595ab6f86048fffeaaf2964011e6ff00d9
author: Anwardeen A
Bumping ubi image

commit: d960f6e9051781f162c9834c8c570d7b143e2634
author: red-hat-konflux[bot]
chore(deps): update registry.access.redhat.com/ubi8/ubi-minimal:latest docker digest to 46f0892

commit: 8aa643951691f03c189c88749ef4cea5f5664640
author: red-hat-konflux[bot]
chore(deps): update konflux references

commit: ef5b692fe45d95701ea3f5cc3e3bb4c0cd4c239c
author: Josh Branham
remove jharrington22

commit: d83e5eea8cbd3b0c7fcaf70c612bcd538e943489
author: devppratik
Update golangci-lint configuration with enhanced linters

Enhance the golangci-lint configuration to include a more comprehensive set of linters organized by priority (Critical, High, Medium, Optional) with appropriate settings for error handling, security, and code quality checks.

commit: 584d83057f7c30a136f890276b3b21f35431869f
author: red-hat-konflux[bot]
chore(deps): update registry.access.redhat.com/ubi8/ubi-minimal:latest docker digest to a2b9823

commit: 1e4454023a21310295aa370b6aaa6af12a3194a0
author: red-hat-konflux[bot]
chore(deps): update konflux references

Summary by CodeRabbit

Release Notes

• Chores
  • Updated CI/CD pipeline and Docker build images to newer versions for improved stability and security.
  • Configured code coverage monitoring with new threshold policies for enhanced quality tracking.
  • Enhanced development tooling configuration with pre-commit hooks and updated team records.

[coderabbitai]

Walkthrough

This PR performs independent maintenance updates across build infrastructure, CI configuration, and project ownership: base image versions are incremented, codecov coverage thresholds are enabled, pre-commit hooks are introduced, and a user is removed from two ownership aliases.

Changes

Base Image Version Updates

Layer / File(s)	Summary
CI Operator Config .ci-operator.yaml	Build root image tag updated from image-v8.3.4 to image-v8.3.6.
Docker Build Stages build/Dockerfile, build/Dockerfile.olm-registry	Both builder and runtime base images updated to newer versions: boilerplate image-v8.3.6 and UBI minimal 9.7-1778072020.

Codecov Coverage Status Checks

Layer / File(s)	Summary
Coverage Configuration .codecov.yml	Coverage status checks enabled with project.default targeting 35% coverage (1% threshold) and patch.default targeting 50% coverage (1% threshold), replacing prior disabled state.

Pre-commit Hooks Framework

Layer / File(s)	Summary
Hook Configuration .pre-commit-config.yaml	Complete pre-commit configuration introduced with file hygiene hooks (merge-conflict detection, whitespace/EOF fixes, YAML validation scoped to deploy/), secrets scanning via gitleaks, Go static analysis via golangci-lint (120s timeout), and local system hooks for go build, go mod tidy, and RBAC wildcard validation.

Ownership Alias Cleanup

Layer / File(s)	Summary
Alias Definitions OWNERS_ALIASES	User abyrne55 removed from both srep-functional-team-aurora and srep-functional-leads alias lists.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

🚥 Pre-merge checks | ✅ 11 | ❌ 1

❌ Failed checks (1 inconclusive)

Check name	Status	Explanation	Resolution
Title check	❓ Inconclusive	The title references a specific boilerplate commit hash but does not clearly convey the main changes (base image updates, codecov config, pre-commit hooks, owner changes) to a reviewer scanning history.	Consider a more descriptive title like 'Update boilerplate and dependencies: base image, codecov config, pre-commit hooks, and owners' to better communicate the changeset scope.

✅ Passed checks (11 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names	✅ Passed	No Ginkgo tests exist in this codebase. The PR modifies only standard Go test files using testing.T framework, making the Ginkgo test name stability check not applicable.
Test Structure And Quality	✅ Passed	Custom check not applicable: PR contains standard Go tests using *testing.T, not Ginkgo. No Ginkgo patterns (Describe/It/BeforeEach/AfterEach) or ginkgo imports found in any test file.
Microshift Test Compatibility	✅ Passed	This PR does not add any new Ginkgo e2e tests. All changes are configuration and build files. The check is not applicable.
Single Node Openshift (Sno) Test Compatibility	✅ Passed	This PR does not add new Ginkgo e2e tests. It only modifies boilerplate configuration and Docker build files. The SNO compatibility check is not applicable.
Topology-Aware Scheduling Compatibility	✅ Passed	Boilerplate infrastructure update. No scheduling constraints, affinity rules, nodeSelectors, or topology-dependent logic added to deployments.
Ote Binary Stdout Contract	✅ Passed	Configuration and build infrastructure changes only. No process-level code modifications affecting stdout. Main logger uses zap (stderr).
Ipv6 And Disconnected Network Test Compatibility	✅ Passed	No new Ginkgo e2e tests were added in this PR. All changes are to configuration files and Dockerfiles, making this check not applicable.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (2)

build/Dockerfile (1)

7-13: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Final stage runs as root — add a non-root USER directive.

The final runtime image has no USER instruction, so the operator process runs as root inside the container. build/Dockerfile.olm-registry already sets USER 1001 in its final stage; apply the same pattern here.

🛡️ Proposed fix

 FROM registry.access.redhat.com/ubi9/ubi-minimal:9.7-1778072020
 ENV OPERATOR_BIN=deadmanssnitch-operator
 
 WORKDIR /root/
 COPY --from=builder /go/src/github.com/openshift/deadmanssnitch-operator/build/_output/bin/${OPERATOR_BIN} /usr/local/bin/${OPERATOR_BIN}
+USER 1001
 LABEL io.openshift.managed.name="deadmanssnitch-operator" \
       io.openshift.managed.description="Operator to manage Dead Man Snitches"

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@build/Dockerfile` around lines 7 - 13, The final image in the Dockerfile
currently drops into /root/ and runs as root (see WORKDIR /root/ and COPY ...
${OPERATOR_BIN} /usr/local/bin/${OPERATOR_BIN}), so add a non-root USER
directive to mirror the other Dockerfile; after the final COPY and LABEL lines,
add a USER 1001 (or the same UID used in build/Dockerfile.olm-registry) so the
operator binary (${OPERATOR_BIN}) runs as a non-root user at runtime.

.pre-commit-config.yaml (1)

129-135: ⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Missing EOF newline creates a self-bootstrapping first-run issue

The file ends at Line 135 (pass_filenames: false) without a trailing newline. The end-of-file-fixer hook declared in section 1 will repair this, but only after the hooks are installed and run — i.e., the file that defines the fixer itself initially violates the rule it enforces. While the "FIRST RUN NOTE" at Lines 33–37 acknowledges this class of issue, it's cleaner to add the newline now so the first run produces no spurious diff.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.pre-commit-config.yaml around lines 129 - 135, The file ends without a
trailing newline which causes the end-of-file-fixer hook to be self-violated;
open the configuration and add a single trailing newline after the final line
containing "pass_filenames: false" (the rbac-wildcard-check entry with id:
rbac-wildcard-check) so the file terminates with a newline and the
end-of-file-fixer hook (declared earlier) won't produce a spurious first-run
diff.

🧹 Nitpick comments (1)

.pre-commit-config.yaml (1)

114-120: 💤 Low value

go mod tidy in hook entry mutates the working tree without staging the result

The entry runs go mod tidy (which writes to go.mod/go.sum on disk) and then checks git diff --exit-code go.mod go.sum. If tidy produces changes, the diff check correctly fails — but the updated files are left unstaged in the working tree. The developer must manually git add go.mod go.sum before retrying the commit, which is easy to miss.

Consider documenting this explicitly in the hook name or description, or amend the entry to print a clear remediation hint on failure:

💡 Add an explicit error message

-       entry: bash -c 'T=$(command -v timeout || command -v gtimeout || echo); ${T:+$T 60s} go mod tidy && git diff --exit-code go.mod go.sum'
+       entry: bash -c 'T=$(command -v timeout || command -v gtimeout || echo); ${T:+$T 60s} go mod tidy && git diff --exit-code go.mod go.sum || (echo "go mod tidy changed go.mod/go.sum — stage them with: git add go.mod go.sum" && exit 1)'

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.pre-commit-config.yaml around lines 114 - 120, The go-mod-tidy hook (id:
go-mod-tidy) runs go mod tidy in the working tree but leaves modified
go.mod/go.sum unstaged; update the hook's entry so that after running go mod
tidy it detects any changes to go.mod or go.sum and either auto-stage them (git
add go.mod go.sum) before failing or, if you prefer not to auto-stage, print a
clear remediation hint telling the user to run git add go.mod go.sum and re-run
the commit; modify the entry string under entry to include this
detection+remediation behavior and update the hook name/description to indicate
that tidy may mutate the working tree.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.pre-commit-config.yaml:
- Around line 77-83: Update the golangci-lint pre-commit hook to match CI and
prevent implicit auto-fixing: change the hook's rev from v2.0.2 to v2.7.2 and
add an explicit entry to override the default CLI so --fix is not applied (use
entry: golangci-lint run --new-from-rev HEAD), keeping the existing args (e.g.,
--config and --timeout) under hooks->- id: golangci-lint to ensure the hook runs
with the intended flags and version.

---

Outside diff comments:
In @.pre-commit-config.yaml:
- Around line 129-135: The file ends without a trailing newline which causes the
end-of-file-fixer hook to be self-violated; open the configuration and add a
single trailing newline after the final line containing "pass_filenames: false"
(the rbac-wildcard-check entry with id: rbac-wildcard-check) so the file
terminates with a newline and the end-of-file-fixer hook (declared earlier)
won't produce a spurious first-run diff.

In `@build/Dockerfile`:
- Around line 7-13: The final image in the Dockerfile currently drops into
/root/ and runs as root (see WORKDIR /root/ and COPY ... ${OPERATOR_BIN}
/usr/local/bin/${OPERATOR_BIN}), so add a non-root USER directive to mirror the
other Dockerfile; after the final COPY and LABEL lines, add a USER 1001 (or the
same UID used in build/Dockerfile.olm-registry) so the operator binary
(${OPERATOR_BIN}) runs as a non-root user at runtime.

---

Nitpick comments:
In @.pre-commit-config.yaml:
- Around line 114-120: The go-mod-tidy hook (id: go-mod-tidy) runs go mod tidy
in the working tree but leaves modified go.mod/go.sum unstaged; update the
hook's entry so that after running go mod tidy it detects any changes to go.mod
or go.sum and either auto-stage them (git add go.mod go.sum) before failing or,
if you prefer not to auto-stage, print a clear remediation hint telling the user
to run git add go.mod go.sum and re-run the commit; modify the entry string
under entry to include this detection+remediation behavior and update the hook
name/description to indicate that tidy may mutate the working tree.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: b6b20e0d-6036-4e75-9959-5bb4f7af40d1

📥 Commits

Reviewing files that changed from the base of the PR and between 0a3ca8d and 028120f.

⛔ Files ignored due to path filters (8)

• boilerplate/_data/backing-image-tag is excluded by !boilerplate/**
• boilerplate/_data/last-boilerplate-commit is excluded by !boilerplate/**
• boilerplate/openshift/golang-osd-operator/.codecov.yml is excluded by !boilerplate/**
• boilerplate/openshift/golang-osd-operator/OWNERS_ALIASES is excluded by !boilerplate/**
• boilerplate/openshift/golang-osd-operator/golangci.yml is excluded by !boilerplate/**
• boilerplate/openshift/golang-osd-operator/pre-commit-config.yaml is excluded by !boilerplate/**
• boilerplate/openshift/golang-osd-operator/standard.mk is excluded by !boilerplate/**
• boilerplate/openshift/golang-osd-operator/update is excluded by !boilerplate/**

📒 Files selected for processing (6)

• .ci-operator.yaml
• .codecov.yml
• .pre-commit-config.yaml
• OWNERS_ALIASES
• build/Dockerfile
• build/Dockerfile.olm-registry

💤 Files with no reviewable changes (1)

• OWNERS_ALIASES

[nephomaniac]

/lgtm

[tnierman]

/retest