Skip to content

Syncing latest changes from main for ocs-client-operator#656

Merged
openshift-merge-bot[bot] merged 16 commits into
release-4.23from
sync_ds--main
Jul 7, 2026
Merged

Syncing latest changes from main for ocs-client-operator#656
openshift-merge-bot[bot] merged 16 commits into
release-4.23from
sync_ds--main

Conversation

@df-build-team

Copy link
Copy Markdown

PR containing the latest commits from main branch

leelavg and others added 16 commits June 29, 2026 07:44
Signed-off-by: Leela Venkaiah G <lgangava@ibm.com>
Signed-off-by: Leela Venkaiah G <lgangava@ibm.com>
Signed-off-by: Leela Venkaiah G <lgangava@ibm.com>
- fix critical pull_request_target vulnerability in dependencies workflow
- pin all actions to commit SHAs (prevents tag hijacking)
- upgrade all actions to latest stable versions:
  - actions/checkout v4 -> v7.0.0
  - actions/setup-go v5 -> v6.5.0
  - docker/login-action v3 -> v4.2.0
  - codespell-project/actions-codespell v2 -> v2.2
  - wagoid/commitlint-github-action v5 -> v6.2.1
  - ibiqlik/action-yamllint v3 -> v3.1.1
  - golangci/golangci-lint-action v8 -> v9.2.1
  - z0al/dependent-issues v1 -> v1.5.2
- add explicit permissions blocks to all workflows (least privilege)
- add persist-credentials: false to all checkout actions
- add input validation for workflow_dispatch parameters
- add hack/gh-tag-to-sha.sh script to track action versions
- add GH action version tracking to hack/build.env

Signed-off-by: Leela Venkaiah G <lgangava@ibm.com>
Signed-off-by: Leela Venkaiah G <lgangava@ibm.com>
chore: ci for more predicatbility and sufficient hardenging against GH attacks
- configure self-hosted Renovate as GitHub Action
- group Go dependencies by update type (major vs non-major)
- disable indirect Go dependencies (handled by go mod tidy)
- enable GitHub Actions updates with 7-day stability period
- require manual approval via dependency dashboard
- schedule updates for Tuesday mornings before 5am UTC

Signed-off-by: Leela Venkaiah G <lgangava@ibm.com>
add Renovate bot configuration for automated dependency updates
- remove Renovate configuration (workflow and config)
- add Dependabot configuration for Go modules and GitHub Actions
- configure weekly updates on Tuesday mornings
- group minor/patch updates to reduce PR noise
- support Go workspace (root and api/ directories)

Signed-off-by: Leela Venkaiah G <lgangava@ibm.com>
switch from Renovate to Dependabot for dependency management
Bumps the github-actions group with 1 update: [wagoid/commitlint-github-action](https://github.com/wagoid/commitlint-github-action).


Updates `wagoid/commitlint-github-action` from 6cf16efdf4da5277c791d335142c03a0bdf1766e to b948419dd99f3fd78a6548d48f94e3df7f6bf3ed
- [Changelog](https://github.com/wagoid/commitlint-github-action/blob/master/CHANGELOG.md)
- [Commits](wagoid/commitlint-github-action@6cf16ef...b948419)

---
updated-dependencies:
- dependency-name: wagoid/commitlint-github-action
  dependency-version: b948419dd99f3fd78a6548d48f94e3df7f6bf3ed
  dependency-type: direct:production
  dependency-group: github-actions
...

Signed-off-by: dependabot[bot] <support@github.com>
…s/github-actions-a9509404e1

chore(deps)(deps): bump wagoid/commitlint-github-action from 6cf16efdf4da5277c791d335142c03a0bdf1766e to b948419dd99f3fd78a6548d48f94e3df7f6bf3ed in the github-actions group
Automates deployment of the external-snapshot-metadata gRPC sidecar for
CSI Changed Block Tracking (CBT, KEP-3314) when the RBD driver is enabled.

Resources created:
- Service openshift-storage-rbd-snapshot-metadata (port 6443→50051) with
  serving-cert-secret-name annotation for OpenShift service-ca TLS
- Spec ConfigMap (name = driver name) with address, audience, caCert,
  driverName — source of truth for backup vendors
- tls-key VolumeSpec upserted into the RBD Driver CR, triggering
  ceph-csi-operator to deploy the sidecar container

Design:
- No SMS CR creation — SnapshotMetadataService CR is admin responsibility
  when CRD is installed; ConfigMap is the source of truth
- No external-snapshot-metadata vendor dependency needed
- CA cert read from pre-existing openshift-service-ca.crt ConfigMap;
  ConfigMap watch triggers re-reconcile when CA is injected
- Service and ConfigMap owned by operator ConfigMap (auto-GC on deletion)
- serving-cert annotation string extracted to utils.ServingCertSecretAnnotation

Assisted-by: Claude <noreply@anthropic.com>
Signed-off-by: Rakshith R <rar@redhat.com>
controllers: automate RBD snapshot metadata sidecar setup (KEP-3314/CBT)
Add conditional VolumeAttributesClass
(storage.k8s.io/v1) support to
the StorageClient controller. The API
availability is checked at startup
via REST mapper and dynamically
during reconciliation, ensuring the
operator works on clusters where
the API is not yet available (K8s <1.34).

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Signed-off-by: Madhu Rajanna <madhupr007@gmail.com>
feat: add VolumeAttributesClass reconciliation support
@df-build-team df-build-team requested a review from a team July 7, 2026 10:37
@openshift-ci

openshift-ci Bot commented Jul 7, 2026

Copy link
Copy Markdown

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: df-build-team, leelavg

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci openshift-ci Bot added the approved label Jul 7, 2026
@openshift-merge-bot openshift-merge-bot Bot merged commit 49ac49c into release-4.23 Jul 7, 2026
12 of 13 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

4 participants