"NO-JIRA: chore: sync with upstream 2026-07-09 - 23 new commits"#379
Conversation
…date description (containers#1184) Signed-off-by: Yuedong Wu <dwcn22@outlook.com>
…1242) Bumps the golang-x group with 1 update: [golang.org/x/mod](https://github.com/golang/mod). Updates `golang.org/x/mod` from 0.36.0 to 0.37.0 - [Commits](golang/mod@v0.36.0...v0.37.0) --- updated-dependencies: - dependency-name: golang.org/x/mod dependency-version: 0.37.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: golang-x ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
…1241) Signed-off-by: grokspawn <jordan@nimblewidget.com>
Signed-off-by: Calum Murray <cmurray@redhat.com>
…ers#1247) * ci(mcpchecker): reference workflow event inputs via env vars Pass GitHub event context (event name, repository, comment body, issue/PR number, workflow run id, ...) through each job's `env:` block and reference it as shell variables instead of interpolating `${{ ... }}` expressions directly inside `run:` scripts. This follows the GitHub Actions recommendation for handling event inputs, keeps shell quoting consistent, and improves readability. The check-trigger permission check now returns early when the commenter is not a collaborator with admin/write access. Behavior is unchanged for scheduled runs, workflow_dispatch, and authorized /run-mcpchecker comments. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> Signed-off-by: Marc Nuri <marc@marcnuri.com> * ci(mcpchecker): route remaining run-step values through env vars Address review feedback: env-route the eval-context values written in the Save evaluation context step (matching the existing DIFF_OUTPUT handling), reference the exported $KIND_CLUSTER_NAME in the kind make targets, and quote $GITHUB_OUTPUT in the suite case block. No ${{ }} expressions remain inside any run: script. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> Signed-off-by: Marc Nuri <marc@marcnuri.com> --------- Signed-off-by: Marc Nuri <marc@marcnuri.com> Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Add a root-level SECURITY.md so the GitHub Security tab surfaces a private vulnerability reporting path for the project. Reports are routed through GitHub's built-in private vulnerability reporting. The policy documents supported versions (latest release), best-effort triage by the repo maintainers (downstream-affecting issues handled via Red Hat product security), and disclosure through GitHub Security Advisories and release notes. CONTRIBUTING.md now points at the new policy instead of the bare advisories listing. Closes containers#1132 Signed-off-by: Marc Nuri <marc@marcnuri.com> Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
…s#1243) Follow-up to containers#1240. The kubevirt resource discovery helpers logged listing failures through the global slog default logger, which is never wired to klog. That bypassed the project's log sink (verbosity, file output, secret redaction, OTEL), and since slog's default minimum level is Info the Debug lines were silently dropped at runtime anyway. Route all six through klog.FromContext(ctx) at V(4) with the klogutil helpers, matching the convention used across the rest of the codebase. Also switch the MCP SDK logger fallback in NewServer from klog.Background() to klog.FromContext(ctx) so it honors the contextual logger when no SDKLogger is supplied. Signed-off-by: Marc Nuri <marc@marcnuri.com> Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
…containers#1250) The MCPB bundle and MCP Registry publish workflows run on workflow_run completions of the Release workflow. Scope their job conditions so they only act on this repository's own tag-push releases (or an explicit manual dispatch), instead of on any Release workflow completion. This keeps publishing deterministic and avoids spurious publish runs. Signed-off-by: Marc Nuri <marc@marcnuri.com> Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
…s#1237) * chore(evals): fix stale docs and drifted Makefile defaults The local mcpchecker eval docs and Makefile defaults drifted after the ACP migration (containers#839) and the kubernetes -> core suite rename (containers#1081), making a local run hard to reproduce from the docs alone. - add a `make claude-agent-acp` target so the claude-code agent works out of the box (supersedes containers#947) - add SUITE/AGENT/MODEL knobs to `make run-evals` for a no-OpenAI-key single-suite run, plus a documented quickstart - fix the default label selector (suite=kubernetes selected zero tasks -> suite=core) and the readiness probe (/health 404 -> /healthz, -f) - rewrite evals/README.md for the ACP agent and document ANTHROPIC_MODEL - refresh the per-suite kubevirt configs and document top-level vs per-suite eval configs Closes containers#1234 Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> Signed-off-by: Marc Nuri <marc@marcnuri.com> * chore(evals): bump core-eval-testing to kubernetes-extension v0.0.4 Finishes aligning the drifted eval configs with the rest of the tree. - bump the 15 evals/core-eval-testing/** configs from kubernetes-extension@v0.0.3 to @v0.0.4, matching the claude-code, openai-agent, and kubevirt configs - clarify evals/tasks/README.md that a few subdirectories (kiali/scripts, kubevirt/helpers, tekton/helpers) hold shared helpers rather than task scenarios Refs containers#1234 Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> Signed-off-by: Marc Nuri <marc@marcnuri.com> * feat(evals): judge with claude-code for keyless local eval runs Route the LLM judge through claude-code for the claude-code agent, so the whole flow (agent + judge) runs on the Claude subscription with no OpenAI key. The legacy `verify: contains:` short form is judge-evaluated (semantic), so this is what makes those tasks runnable keyless. Verified locally: list-images-for-pods and ahoy pass keyless with real judge verdicts. - set llmJudge.ref.type: builtin.claude-code in evals/claude-code/eval.yaml (was openai:gpt-5) and the kubevirt/claude-code per-suite config (was no judge / noop). CI is unaffected: it runs evals/openai-agent/eval.yaml, which keeps the independent openai:gpt-5 judge. - pin the adapter with CLAUDE_AGENT_ACP_VERSION (next to MCPCHECKER_VERSION) and mirror the mcpchecker recipe style (set -e + success echo) - document the keyless claude-code judge, the version knob, and that `verify: contains:` is semantic judging rather than a literal match Refs containers#1234, containers#947, containers#995 Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> Signed-off-by: Marc Nuri <marc@marcnuri.com> --------- Signed-off-by: Marc Nuri <marc@marcnuri.com> Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
…RS (containers#1248) Make .github/CODEOWNERS the single source of truth for toolset ownership and toolset labels. Core maintainers (@manusa, @Cali0707) own everything by default; kiali, kubevirt, tekton and kcp are owned by their contributing maintainers, derived from git history. Add .github/workflows/toolset-triage.yaml, a pull_request_target workflow that parses CODEOWNERS and, per PR: - applies/removes the `toolset/<name>` label from the current changed files (replacing actions/labeler, whose default behaviour left stale labels behind), and - @-mentions a block's owners, since GitHub only auto-requests review from code owners that have write access and most toolset owners are external contributors who cannot be granted it. Retire .github/labeler.yaml and the labeler workflow. The new config also covers the eval-task and docs paths and the kcp toolset, which the old labeler config missed. The workflow never checks out or runs PR code. Signed-off-by: Marc Nuri <marc@marcnuri.com> Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
…ontainers#1252) Bumps the github-actions group with 1 update: [actions/github-script](https://github.com/actions/github-script). Updates `actions/github-script` from 8 to 9 - [Release notes](https://github.com/actions/github-script/releases) - [Commits](actions/github-script@v8...v9) --- updated-dependencies: - dependency-name: actions/github-script dependency-version: '9' dependency-type: direct:production update-type: version-update:semver-major dependency-group: github-actions ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
* test(e2e): add initial e2e test Signed-off-by: Calum Murray <cmurray@redhat.com> * test(e2e): add make targets Signed-off-by: Calum Murray <cmurray@redhat.com> * test(e2e): add kind e2e action Signed-off-by: Calum Murray <cmurray@redhat.com> * chore: address review comments Signed-off-by: Calum Murray <cmurray@redhat.com> --------- Signed-off-by: Calum Murray <cmurray@redhat.com>
The mcpchecker evaluation depends on model and judge API secrets that forks don't have access to, so the pipeline would only ever fail there. Gate the check-trigger job (which gates the whole pipeline) on the upstream repository, matching the fork guard already used by the release workflows. Signed-off-by: Marc Nuri <marc@marcnuri.com>
…iners#1269) Bumps the github-actions group with 1 update: [actions/checkout](https://github.com/actions/checkout). Updates `actions/checkout` from 6.0.3 to 7.0.0 - [Release notes](https://github.com/actions/checkout/releases) - [Commits](actions/checkout@v6.0.3...v7) --- updated-dependencies: - dependency-name: actions/checkout dependency-version: 7.0.0 dependency-type: direct:production update-type: version-update:semver-major dependency-group: github-actions ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Calum Murray <cmurray@redhat.com>
* chore(e2e): cleanup e2e framework Signed-off-by: Calum Murray <cmurray@redhat.com> * chore(e2e): harden port-forward stdout handling Send kubectl port-forward stdout to a temp file instead of an undrained PIPE and poll it with a bounded deadline for the "Forwarding from" line. kubectl writes "Handling connection for <port>" to stdout on every forwarded connection, so the single readline() left the pipe undrained for the life of the process; once the ~64 KB OS buffer fills kubectl blocks on write and the forward stalls -- the exact deadlock the stderr-to-file handling already avoids. The readline() was also an unbounded blocking read that could hang the suite if kubectl wedged during setup. A temp file never blocks the writer and the 30s deadline bounds the wait. Scanning the whole output also makes port parsing order- independent on dual-stack hosts, and both stream files are closed on teardown. Also wait() after every kill() so terminated port-forward processes are reaped and returncode is populated in error messages. Signed-off-by: Marc Nuri <marc@marcnuri.com> --------- Signed-off-by: Calum Murray <cmurray@redhat.com> Signed-off-by: Marc Nuri <marc@marcnuri.com> Co-authored-by: Marc Nuri <marc@marcnuri.com>
* Target-specific tool filtering
- A new config option, `enable_target_compatibility_tool_filters`,
causes init to run potentially-expensive per-target queries to decide
whether particular tools should be exposed. By default, this is off:
we will expose all tools not otherwise filtered.
- The `Openshift` interface is no more. It was being used at several
levels of execution which called for different behaviors/semantics. It
is replaced by `HasGVKs()` and `AnyTargetHasGVKs()` -- see below.
- `HasGVKs()` is a new low-level utility function that operates at the
scope of a single discovery client (talking to a single cluster). It
treats `404` errors appropriately ("does not have the requested GVKs")
but bubbles other errors up to the caller. It directly replaces the
`IsOpenshift()` (note: lowercase `shift`, not the same as
`IsOpenShift()`) utility in the `ClusterState` watcher, and also
serves as the workhorse within...
- `AnyTargetHasGVKs()` is a higher-level method on a new
`FilteringProvider` interface.
- `FilteringProvider` takes the place of the `Openshift` interface as
composed into the various `Provider` implementations. It is
named/positioned to be extensible to more toolset filters in the
future.
- `ProviderGVKFilter` is the equivalent of an "abstract class": it
satisfies `FilteringProvider` by providing a concrete implementation
of `AnyTargetHasGVKs()` that iterates over targets retrieved from a
`ManagerProvider`, asking `HasGVKs()` of each of them. Importantly, it
contains logic for how to handle edge cases (e.g. errors from
`HasGVKs()`). Specific `Provider` implementations take advantage of
this by embedding `ProviderGVKFilter` and supplying their specific
implementation of `ManagerProvider`.
- The erstwhile `Provider` interface is split up. Currently all
`Provider`s are "kubernetes Providers"; this division anticipates
higher level Providers like ACM. Methods applicable to kubernetes
environments remain in `kubernetes.Provider`, while higher-level
methods are moved to a new `apis.TargetProvider` interface.
- `ManagerProvider` is a new, thin interface that provides the glue
between a `kubernetes.Provider` and the existing implementation of
`FilteringProvider`. Its implementors must supply the
`GetTargetManagers()` function that allows `ProviderGVKFilter()` to
iterate over targets.
- `ServerTool` grows a new field, `TargetCompatibilityFilters`, a slice
of (closure, so they can use a `FilteringProvider` without accepting
it as a param) functions each returning a `bool`. When
`enable_target_compatibility_tool_filters` is on, the high-level
`isToolApplicable()` filter invokes those funcs to decide whether to
expose the tool. This abstraction is extensible for arbitrary future
target-specific filters; but for now we register a specific use of
`AnyTargetHasGVKs()` that looks for the Route Kind to determine
whether to filter the `projects_list` tool. This replaces the previous
special-case `IsOpenShift()` conditional.
- On the testing side, the switch from `IsOpenShift()` to `HasGVKs()`
rendered the existing `MockServer` insufficient for certain suites. It
is replaced by `envtest` for these cases. The existing `envtest`
helpers are refactored so they can be shared by these new suites and
the existing consumers.
Behaviorally:
- Whereas previously we would *always* query *one* target for
`IsOpenShift()` and filter according to that one target's response, we
now properly query all targets for the `Provider`.
- We are permissive by default. We behave as if the target *is*
OpenShift if:
- `enable_target_compatibility_tool_filters` is `false`
- ^ is `true` and *any* target reports that it has the Route Kind.
- ^ is `true` and we experience any errors attempting to query the
targets.
I.e. we will only *hide* a tool if all of the following are true:
- `enable_target_compatibility_tool_filters` is `true`
- All targets were queried successfully
- All targets reported `HasGVKs(Route): false`
Signed-off-by: Eric Fried <efried@redhat.com>
Co-Authored-By: claude
* fix(api): detect memcache ErrCacheNotFound in HasGVKs instead of a string match
HasGVKs mapped a missing GroupVersion to (false, nil) via IsNotFound OR a literal
`err.Error() == "not found"` match. In production the discovery client is a
memory.NewMemCacheClient, whose ServerResourcesForGroupVersion returns
memory.ErrCacheNotFound (for which IsNotFound is false) for an absent
GroupVersion, so the string comparison is the load-bearing path, not a fallback.
A client-go change to that message would turn missing-GV into (false, err), which
AnyTargetHasGVKs treats as fail-open, silently re-exposing filtered tools.
Use errors.Is(err, memory.ErrCacheNotFound), and add a memcache-backed test that
exercises this branch (the existing cases use a raw discovery client and only hit
the IsNotFound path).
Signed-off-by: Marc Nuri <marc@marcnuri.com>
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
* chore: document target-compatibility flag and fix misleading test comments
- docs: document enable_target_compatibility_tool_filters in the Access Control
section of configuration.md (it was previously undocumented).
- test: drop the dead fakeDerivedProvider.HasGVKs method, left over after the
provider interface dropped HasGVKs.
- test: reword the envtest StopEnvTest comment (it cannot re-arm sync.Once in the
same process) and the mcp TestMain comment (each test package runs as its own
process and initializes its own envtest instance, contradicting the old
"shared across packages" note).
Signed-off-by: Marc Nuri <marc@marcnuri.com>
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
* OCPMCP-326: Remove TargetCompatibilityToolFilteringEnabled config option
We decided that target compatibility tool filtering should always be
enabled for now. If it turns out to be too expensive in some scenarios,
we'll revisit adding a config option for it.
Co-Authored-By: claude
Signed-off-by: Eric Fried <efried@redhat.com>
* test(kubernetes): use MockServer for provider suites to avoid a second envtest control plane
The provider suites were switched to envtest, which stands up a second
kube-apiserver+etcd control plane in the kubernetes package on top of the
one already run by the mcp package. `go test ./...` runs package binaries in
parallel, so both control planes come up at once; on the memory-constrained
macos-15-intel runner kube-apiserver is OOM-killed ("signal: killed") and the
run fails, while macos-latest (arm64) and Linux have enough headroom to pass.
These suites only exercise discovery and provider plumbing, which MockServer
already serves (see the pkg/api HasGVKs tests, including the memcache path).
Revert them to MockServer so only the mcp package needs envtest, removing the
concurrent control planes and letting the kubernetes package run without any
envtest download.
Also fold in two review nits:
- Serve route.openshift.io/v1 from NewInOpenShiftHandler so the OpenShift
toolset golden reflects a real OpenShift cluster (routes present) and guards
the Route hint in the resources_* descriptions.
- Replace the stale commonApiVersion TODO in initResources with a doc comment.
Signed-off-by: Marc Nuri <marc@marcnuri.com>
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
---------
Signed-off-by: Eric Fried <efried@redhat.com>
Signed-off-by: Marc Nuri <marc@marcnuri.com>
Co-authored-by: Marc Nuri <marc@marcnuri.com>
Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Signed-off-by: josunect <jcordoba@redhat.com>
Several `core` mcpchecker tasks failed for every agent because of bugs in the task definitions, not agent capability (reported in containers#1238). - multi-container-pod-communication: verify curled nginx-unprivileged on :80, but that image only listens on :8080 (it cannot bind :80 as a non-root user), so curl exited 7. setup/cleanup also used namespace `multi-container-test` while the prompt and verify use `multi-container-logging`. Probe :8080 and align the namespace. - filter-events-by-type / filter-namespace-by-name: verify grep'd the agent's prose for an exact wording and word order, rejecting correct answers phrased differently (confirmed against six weekly gpt-5 runs, two of which never write "Warning" or "bad-pod"). Anchor on the event content and on namespace name presence/absence instead. - resize-pvc: kind's default local-path StorageClass cannot expand volumes, so the resize never took effect. Add a trimmed hostPath CSI driver (make csi-hostpath-install) with a resize-capable StorageClass, install it in CI for the core suite, and point the PVC at it. Refs containers#1238 Signed-off-by: Marc Nuri <marc@marcnuri.com> Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Bumps the golang-x group with 2 updates: [golang.org/x/mod](https://github.com/golang/mod) and [golang.org/x/sync](https://github.com/golang/sync). Updates `golang.org/x/mod` from 0.37.0 to 0.38.0 - [Commits](golang/mod@v0.37.0...v0.38.0) Updates `golang.org/x/sync` from 0.21.0 to 0.22.0 - [Commits](golang/sync@v0.21.0...v0.22.0) --- updated-dependencies: - dependency-name: golang.org/x/mod dependency-version: 0.38.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: golang-x - dependency-name: golang.org/x/sync dependency-version: 0.22.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: golang-x ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
…ontainers#1235) Signed-off-by: Yuedong Wu <dwcn22@outlook.com>
…ontainers#1274) Bumps [github.com/coreos/go-oidc/v3](https://github.com/coreos/go-oidc) from 3.19.0 to 3.20.0. - [Release notes](https://github.com/coreos/go-oidc/releases) - [Commits](coreos/go-oidc@v3.19.0...v3.20.0) --- updated-dependencies: - dependency-name: github.com/coreos/go-oidc/v3 dependency-version: 3.20.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
|
Important Review skippedToo many files! This PR contains 557 files, which is 407 over the limit of 150. To get a review, narrow the scope: Upgrade to a paid plan to raise the limit. ⚙️ Run configurationConfiguration used: Path: .coderabbit.yaml Review profile: CHILL Plan: Enterprise Run ID: ⛔ Files ignored due to path filters (7)
📒 Files selected for processing (557)
You can disable this status message by setting the Use the checkbox below for a quick retry:
✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
) Bumps [helm.sh/helm/v3](https://github.com/helm/helm) from 3.21.2 to 3.21.3. - [Release notes](https://github.com/helm/helm/releases) - [Commits](helm/helm@v3.21.2...v3.21.3) --- updated-dependencies: - dependency-name: helm.sh/helm/v3 dependency-version: 3.21.3 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
* feat(otel): logs are exported with otel now Signed-off-by: Calum Murray <cmurray@redhat.com> * feat(otel): correlate logs with otel traces Signed-off-by: Calum Murray <cmurray@redhat.com> * chore(otel): switch to klogutil.FromContext Signed-off-by: Calum Murray <cmurray@redhat.com> * chore(logs): fix review comments Signed-off-by: Calum Murray <cmurray@redhat.com> --------- Signed-off-by: Calum Murray <cmurray@redhat.com>
…text (containers#1278) pkg/kubernetes/provider_gvk_filter.go was added in containers#1196 (target-specific tool filtering), which merged after the OTel logging work in containers#1260, so it kept calling klog.FromContext directly and is now the only production file that does. Switch it to klogutil.FromContext so AnyTargetHasGVKs warning logs carry the active trace span for log-trace correlation, and to restore the "no klog.FromContext in production code" invariant documented in AGENTS.md. Drops the now-unused k8s.io/klog/v2 import. Signed-off-by: Marc Nuri <marc@marcnuri.com> Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
aa726d4 to
6306405
Compare
Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
containers#1287) The vm_clone and vm_create tool descriptions used "a %s VirtualMachine", which reads fine for "a KubeVirt" but breaks for downstream product name overrides starting with a vowel sound (e.g. "an OpenShift Virtualization VirtualMachine"). Rephrase to avoid the leading article before the templated product name. Signed-off-by: Karel Simon <ksimon@redhat.com> Co-authored-by: Claude Sonnet 5 <noreply@anthropic.com>
* Add netobserv toolset Signed-off-by: Julien Pinsonneau <jpinsonn@redhat.com> * handle alerts for openshift case Signed-off-by: Julien Pinsonneau <jpinsonn@redhat.com> * helm + doc Signed-off-by: Julien Pinsonneau <jpinsonn@redhat.com> * default http timeout Signed-off-by: Julien Pinsonneau <jpinsonn@redhat.com> * add evals Signed-off-by: Julien Pinsonneau <jpinsonn@redhat.com> * refactor tests Signed-off-by: Julien Pinsonneau <jpinsonn@redhat.com> * remove alerts, namespaces and names tools Signed-off-by: Julien Pinsonneau <jpinsonn@redhat.com> * address feedback Signed-off-by: Julien Pinsonneau <jpinsonn@redhat.com> * align netobserv with toolset design skill Signed-off-by: Julien Pinsonneau <jpinsonn@redhat.com> * Update generated netobserv tool descriptions in README Signed-off-by: Julien Pinsonneau <jpinsonn@redhat.com> Co-authored-by: Cursor <cursoragent@cursor.com> * address feedback Signed-off-by: Julien Pinsonneau <jpinsonn@redhat.com> Co-authored-by: Cursor <cursoragent@cursor.com> * fix timerange tests Signed-off-by: Julien Pinsonneau <jpinsonn@redhat.com> Co-authored-by: Cursor <cursoragent@cursor.com> * fix evals Signed-off-by: Julien Pinsonneau <jpinsonn@redhat.com> Co-authored-by: Cursor <cursoragent@cursor.com> --------- Signed-off-by: Julien Pinsonneau <jpinsonn@redhat.com> Co-authored-by: Cursor <cursoragent@cursor.com>
6306405 to
ae49b09
Compare
…1285) * fix(kubernetes): bound discovery requests during startup Use a discovery-only HTTP client copy so unreachable contexts return through the existing permissive GVK fallback without imposing a timeout on watches or exec sessions. Constraint: Preserve long-running Kubernetes operations while bounding synchronous tool-registration discovery. Rejected: Setting rest.Config.Timeout globally | would terminate watches and streaming operations. Confidence: high Scope-risk: narrow Directive: Keep startup discovery timeouts isolated from shared Kubernetes clients. Tested: go test ./pkg/kubernetes -count=1; go test ./pkg/api ./pkg/toolsets/core -count=1; go vet ./pkg/kubernetes; golangci-lint ./pkg/kubernetes/... Signed-off-by: ychampion <ychampion@users.noreply.github.com> * fix(test): synchronize access control round tripper Signed-off-by: Calum Murray <cmurray@redhat.com> Co-authored-by: Eric Fried <efried@redhat.com> --------- Signed-off-by: ychampion <ychampion@users.noreply.github.com> Signed-off-by: Calum Murray <cmurray@redhat.com> Co-authored-by: ychampion <ychampion@users.noreply.github.com> Co-authored-by: Calum Murray <cmurray@redhat.com> Co-authored-by: Eric Fried <efried@redhat.com>
A recent change (containers#1196) introduced the framework for prefiltering toolsets based on the compatibility of the configured target(s). The initial implementation included a filter to expose the `projects_list` tool based on whether any target is OpenShift or not. This functionality was always on, which was problematic in certain setups. This change gates this functionality behind a config option: ``` experimental_enable_target_compatibility_tool_filters = true ``` As implied by the name, we consider the feature experimental, and will rename/redesign/remove the config option in the future. Co-Authored-By: claude Signed-off-by: Eric Fried <efried@redhat.com>
…tainers#1295) Bumps the github-actions group with 1 update: [actions/setup-node](https://github.com/actions/setup-node). Updates `actions/setup-node` from 6 to 7 - [Release notes](https://github.com/actions/setup-node/releases) - [Commits](actions/setup-node@v6...v7) --- updated-dependencies: - dependency-name: actions/setup-node dependency-version: '7' dependency-type: direct:production update-type: version-update:semver-major dependency-group: github-actions ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
ae49b09 to
80738a7
Compare
Signed-off-by: Calum Murray <cmurray@redhat.com>
Signed-off-by: Calum Murray <cmurray@redhat.com>
|
Caution Failed to replace (edit) comment. This is likely due to insufficient permissions or the comment being deleted. Error details |
|
@openshift-ci-robot: all tests passed! Full PR test history. Your PR dashboard. DetailsInstructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here. |
|
/lgtm |
|
/retitle "NO-JIRA: chore: sync with upstream 2026-07-09 - 23 new commits" |
|
/approve |
| func (p *acmHubClusterProvider) IsOpenShift(ctx context.Context) bool { | ||
| return p.hubManager.IsOpenShift(ctx) | ||
| func (p *acmHubClusterProvider) AnyTargetHasGVKs(_ context.Context, _ []schema.GroupVersionKind) bool { | ||
| return true // TODO: implement this properly |
There was a problem hiding this comment.
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: Cali0707, openshift-ci-robot The full list of commands accepted by this bot can be found here. The pull request process is described here DetailsNeeds approval from an approver in each of these files:
Approvers can indicate their approval by writing |
🔄 Upstream Sync
Update: Wed Jul 15 08:02:47 UTC 2026
New changes detected from upstream: