
Initial CI automation on test for GitOps operator support for xKS #1188

Open
anandrkskd wants to merge 5 commits into redhat-developer:master from anandrkskd:ci-test-xks

Conversation

@anandrkskd

Contributor

assisted-by: ClaudeCode

What type of PR is this?

/kind enhancement

What does this PR do / why we need it:
This PR adds CI automation to deploy gitops-operator on an xKS (kind) cluster. This CI pipeline

  • builds the controller manager image
  • pushes the image with a TTL of 1 day to quay
  • deploys the image using make deploy on a Kind cluster
  • and expects the manager pod to be up.

Have you updated the necessary documentation?

  • Documentation update is required by this PR.
  • Documentation has been updated.

Which issue(s) this PR fixes:

Fixes 9841
Test acceptance criteria:

  • Unit Test
  • E2E Test

How to test changes / Special notes to the reviewer:

@openshift-ci openshift-ci Bot added the kind/enhancement New feature or request label Jun 23, 2026
@openshift-ci openshift-ci Bot requested review from chetan-rns and svghadi June 23, 2026 11:48
@openshift-ci

openshift-ci Bot commented Jun 23, 2026


[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign jopit for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@coderabbitai

coderabbitai Bot commented Jun 23, 2026


Warning

Review limit reached

@anandrkskd, we couldn't start this review because you've reached your PR review rate limit.

More reviews will be available in 27 minutes and 39 seconds. Learn how PR review limits work.

Your organization has used up its prepaid credits, and credit purchases are no longer available. Enable the review add-on in the billing tab to keep reviews running — you're only billed for reviews past your plan's rate limits ($0.25/file).

⌛ How to resolve this issue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

To avoid repeated limits, reduce automatic review volume by pausing incremental auto-reviews earlier, using label-based review opt-in, excluding WIP or generated PR titles, or requesting reviews manually when the PR is ready. If your team needs uninterrupted high-volume reviews, an organization admin can enable usage-based credits.

🚦 How do rate limits work?

CodeRabbit enforces per-developer PR review limits for each organization. Most developers receive the normal plan review availability.

For paid Pro and Pro+ PR reviews, CodeRabbit uses adaptive limits for sustained high-volume activity. When a developer's recent PR review activity reaches the 95th percentile or higher among CodeRabbit users, additional reviews become available more gradually as earlier reviews age out of the rolling window.

Please see our Fair Usage Limits Policy for further information.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository YAML (base), Organization UI (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: ae982b6f-3a49-434d-bee6-3f935e8beefb

📥 Commits

Reviewing files that changed from the base of the PR and between 68aebc9 and 4bbf4f3.

📒 Files selected for processing (1)
  • .github/workflows/deploy-test.yaml
📝 Walkthrough

A new GitHub Actions workflow is added that triggers on pull requests for all branches. The workflow builds a Docker image locally tagged gitops-operator:test, loads it into a kind cluster, installs CRDs and deploys the operator, then verifies the controller-manager deployment is available.

Changes

Deploy-test CI Workflow

Layer | File(s) | Summary
--- | --- | ---
Workflow trigger and environment configuration | .github/workflows/deploy-test.yaml | Configures the pull_request trigger for all branches and defines the workflow-level IMG environment variable set to gitops-operator:test.
Local build, deployment, and verification job | .github/workflows/deploy-test.yaml | Defines the deploy-test job that checks out code, sets up Go, creates a kind cluster named gitops-test, comments out the Prometheus entry in the kustomization config, builds a Docker image locally, loads it directly into kind, runs make install to install CRDs, deploys the operator via make deploy, waits up to 120 seconds for controller-manager deployment availability, and lists pods in the openshift-gitops-operator namespace.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name | Status | Explanation
--- | --- | ---
Title check | ✅ Passed | The title is specific and describes the added CI automation for testing GitOps operator support on kind.
Description check | ✅ Passed | The description matches the workflow addition by describing kind-based deployment and manager pod verification.
Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request.

✏️ Tip: You can configure your own custom pre-merge checks in the settings.


Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.


Comment @coderabbitai help to get the list of available commands.

@coderabbitai

coderabbitai Bot commented Jun 23, 2026


Caution

Failed to replace (edit) comment. This is likely due to insufficient permissions or the comment being deleted.

Error details
{}

@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 3

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/deploy-test.yaml:
- Line 17: Replace the floating version tags on the GitHub Actions uses
statements at lines 17, 20, 25, and 40 with their corresponding immutable commit
SHAs. Instead of using `@v4`, `@v5`, `@v3`, and `@v1` tags for actions/checkout,
actions/setup-node, and other actions in this workflow, pin each to a specific
commit SHA by looking up the actual commit hash for each version tag and
replacing the tag portion with the full SHA reference (e.g., uses:
actions/checkout@abc123def456... format).
- Around line 54-57: The kubectl wait command in the deploy-test workflow is
targeting the wrong Deployment and namespace. The make deploy command creates a
controller named argocd-operator-controller-manager in the
argocd-operator-system namespace, but the current kubectl wait command is
looking for openshift-gitops-operator-controller-manager in
openshift-gitops-operator namespace. Update the deployment name from
openshift-gitops-operator-controller-manager to
argocd-operator-controller-manager and change the namespace from
openshift-gitops-operator to argocd-operator-system to match what is actually
deployed by make deploy.
- Around line 16-17: The actions/checkout action is using default credential
persistence settings, which stores the GitHub token in the git config for
subsequent steps. Disable credential persistence by adding the
persist-credentials parameter set to false in the actions/checkout@v4 step to
reduce credential exposure risk and remove the unnecessary token storage since
it is not needed for this workflow's subsequent steps.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository YAML (base), Organization UI (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 4dbab3dd-9103-47f8-a5a5-97285e3bd659

📥 Commits

Reviewing files that changed from the base of the PR and between 8fa22b8 and 7a41a6d.

📒 Files selected for processing (1)
  • .github/workflows/deploy-test.yaml
🔗 Linked repositories identified

CodeRabbit considers these linked repositories for cross-repo context during reviews:

  • argoproj-labs/argocd-operator (manual)

Comment on lines +16 to +17
- name: Checkout code
uses: actions/checkout@v4


🔒 Security & Privacy | 🟠 Major | ⚡ Quick win

Disable credential persistence in checkout step

Line 17 uses actions/checkout with default credential persistence. That leaves the GitHub token in local git config for subsequent steps, which is unnecessary for this workflow and expands credential exposure risk.

Suggested fix
       - name: Checkout code
         uses: actions/checkout@v4
+        with:
+          persist-credentials: false
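Review bot: The fix is safe for this workflow because none of the later steps (Go setup, kind cluster creation, local docker build and load, make install, make deploy, kubectl wait) pushes to the repository or fetches private submodules, so nothing depends on the persisted token; if a git push step is added later, pass a token to that step explicitly rather than re-enabling persistence. The two context lines still carry `uses: actions/checkout@v4`, so combine this with the SHA pin from the other finding instead of editing the same step twice.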
🧰 Tools
🪛 zizmor (1.26.1)

[warning] 16-17: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false

(artipacked)


[error] 17-17: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/deploy-test.yaml around lines 16 - 17, The
actions/checkout action is using default credential persistence settings, which
stores the GitHub token in the git config for subsequent steps. Disable
credential persistence by adding the persist-credentials parameter set to false
in the actions/checkout@v4 step to reduce credential exposure risk and remove
the unnecessary token storage since it is not needed for this workflow's
subsequent steps.

Source: Linters/SAST tools

runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@v4


🔒 Security & Privacy | 🟠 Major | ⚡ Quick win

Pin GitHub Actions to immutable commit SHAs

Lines 17, 20, 25, and 40 use floating tags (@v4, @v5, @v3, @v1). Per the reported policy, this is non-compliant and increases supply-chain risk from upstream retags.

Suggested fix pattern
-      - name: Checkout code
-        uses: actions/checkout@v4
+      - name: Checkout code
+        uses: actions/checkout@<full-commit-sha>

-      - name: Setup Go
-        uses: actions/setup-go@v5
+      - name: Setup Go
+        uses: actions/setup-go@<full-commit-sha>

-      - name: Log in to Quay.io
-        uses: docker/login-action@v3
+      - name: Log in to Quay.io
+        uses: docker/login-action@<full-commit-sha>

-      - name: Create kind cluster
-        uses: helm/kind-action@v1
+      - name: Create kind cluster
+        uses: helm/kind-action@<full-commit-sha>
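Review bot: Each `<full-commit-sha>` placeholder has to be replaced by the 40-character SHA of the commit the tag currently resolves to, and appending a `# v4` style comment after the SHA keeps the version readable for humans and lets Dependabot or Renovate keep the pin updated. The "Log in to Quay.io" step (docker/login-action, line 25) shown in this pattern does not appear in the walkthrough, which describes a local build loaded into kind, so confirm that step still exists in the current revision before pinning it.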

Also applies to: 20-20, 25-25, 40-40

🧰 Tools
🪛 zizmor (1.26.1)

[warning] 16-17: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false

(artipacked)


[error] 17-17: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/deploy-test.yaml at line 17, Replace the floating version
tags on the GitHub Actions uses statements at lines 17, 20, 25, and 40 with
their corresponding immutable commit SHAs. Instead of using `@v4`, `@v5`, `@v3`, and
`@v1` tags for actions/checkout, actions/setup-node, and other actions in this
workflow, pin each to a specific commit SHA by looking up the actual commit hash
for each version tag and replacing the tag portion with the full SHA reference
(e.g., uses: actions/checkout@abc123def456... format).

Source: Linters/SAST tools
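The two findings above (disabling checkout credential persistence and pinning every action to a commit SHA) can be enforced as a CI gate rather than left to review. The POSIX shell script below is an added example, not code from this PR or from the gitops-operator project: it lints a workflow file for both properties and exercises itself on two constructed sample workflows. The 40-digit SHAs in the compliant sample are placeholders, not real commits of actions/checkout or actions/setup-go, and the function names (check_pinned, check_checkout_credentials, lint_workflow, make_samples) are assumptions of this example. It runs offline with only grep, awk and mktemp.

```shell
#!/bin/sh
# Added example, not code from the PR or the gitops-operator project.
# A CI-side lint for GitHub Actions workflow files that enforces the two
# review findings:
#   1. every `uses:` reference is pinned to a full 40-hex commit SHA
#      (a trailing "# vX.Y.Z" comment is allowed so Dependabot/Renovate
#      can still track the version);
#   2. every actions/checkout step sets `persist-credentials: false`.
# Local (./path) and docker:// references are out of scope for this demo.

# Print every `uses:` line that is not SHA-pinned; return 1 if any exist.
check_pinned() {
  bad=$(grep -n -E '^[[:space:]]*(-[[:space:]]+)?uses:[[:space:]]' "$1" \
        | grep -v -E '@[0-9a-f]{40}([[:space:]]+#.*)?$' || true)
  if [ -n "$bad" ]; then
    printf 'unpinned action reference:\n%s\n' "$bad"
    return 1
  fi
}

# Walk the steps list; a step starts at "- name:" or "- uses:". For each step
# whose `uses:` is actions/checkout, require persist-credentials: false.
check_checkout_credentials() {
  awk '
    function flush() {
      if (in_checkout && !persist_false) {
        print "step starting at line " start ": actions/checkout without persist-credentials: false"
        bad = 1
      }
      in_checkout = 0; persist_false = 0
    }
    BEGIN { bad = 0 }
    /^[ \t]*-[ \t]+(name|uses):/ { flush(); start = NR }
    /uses:[ \t]*actions\/checkout@/ { in_checkout = 1 }
    /persist-credentials:[ \t]*false/ { persist_false = 1 }
    END { flush(); exit bad }
  ' "$1"
}

# Run both checks on one workflow file; return non-zero if either fails.
lint_workflow() {
  rc=0
  check_pinned "$1" || rc=1
  check_checkout_credentials "$1" || rc=1
  return "$rc"
}

# Write two constructed sample workflows into a temp dir and print its path.
# The SHAs below are placeholders, not real commits of the actions named.
make_samples() {
  dir=$(mktemp -d)
  cat > "$dir/bad.yaml" <<'EOF'
name: deploy-test
on: pull_request
jobs:
  deploy-test:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v4
      - name: Setup Go
        uses: actions/setup-go@v5
EOF
  cat > "$dir/good.yaml" <<'EOF'
name: deploy-test
on: pull_request
jobs:
  deploy-test:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@1111111111111111111111111111111111111111 # v4 (placeholder SHA)
        with:
          persist-credentials: false
      - name: Setup Go
        uses: actions/setup-go@2222222222222222222222222222222222222222 # v5 (placeholder SHA)
EOF
  printf '%s\n' "$dir"
}

# Demo: lint both samples; bad.yaml fails both checks, good.yaml passes.
samples=$(make_samples)
for f in "$samples/bad.yaml" "$samples/good.yaml"; do
  if lint_workflow "$f"; then echo "PASS $f"; else echo "FAIL $f"; fi
done
```

Run `lint_workflow .github/workflows/deploy-test.yaml` as the first step of a job (or in a pre-commit hook); a non-zero exit with the offending lines printed blocks the merge. These two rules are the minimal form of the zizmor `unpinned-uses` and `artipacked` audits quoted in this thread, so on a repository that already runs zizmor the script is redundant; it is useful where adding a tool is not an option.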

Comment thread .github/workflows/deploy-test.yaml Outdated
Comment on lines +54 to +57
kubectl wait --for=condition=available --timeout=120s \
deployment/openshift-gitops-operator-controller-manager \
-n openshift-gitops-operator
kubectl get pods -n openshift-gitops-operator


🎯 Functional Correctness | 🟠 Major | ⚡ Quick win

Controller verification targets the wrong Deployment/namespace

Line 54–57 waits for deployment/openshift-gitops-operator-controller-manager in openshift-gitops-operator, but make deploy applies config/default, which resolves to the controller in argocd-operator-system (argocd-operator-controller-manager). This will make the CI check fail even when deploy succeeds.

Suggested fix
       - name: Verify Controller Manager deployment is available
         run: |
           kubectl wait --for=condition=available --timeout=120s \
-            deployment/openshift-gitops-operator-controller-manager \
-            -n openshift-gitops-operator
-          kubectl get pods -n openshift-gitops-operator
+            deployment/argocd-operator-controller-manager \
+            -n argocd-operator-system
+          kubectl get pods -n argocd-operator-system
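Review bot: The replacement names come from the linked argoproj-labs/argocd-operator repository ("Source: Linked repositories" below), not from this repository's config/default, and the thread is marked Outdated; confirm the namespace and Deployment name against the kustomization that make deploy actually applies in this repo before committing either variant. Whichever names are correct, keep the `kubectl get pods` in the same namespace as the `kubectl wait`, so that a timeout leaves a useful pod listing in the job log.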
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/deploy-test.yaml around lines 54 - 57, The kubectl wait
command in the deploy-test workflow is targeting the wrong Deployment and
namespace. The make deploy command creates a controller named
argocd-operator-controller-manager in the argocd-operator-system namespace, but
the current kubectl wait command is looking for
openshift-gitops-operator-controller-manager in openshift-gitops-operator
namespace. Update the deployment name from
openshift-gitops-operator-controller-manager to
argocd-operator-controller-manager and change the namespace from
openshift-gitops-operator to argocd-operator-system to match what is actually
deployed by make deploy.

Source: Linked repositories

assisted-by: ClaudeCode
Signed-off-by: Anand Kumar Singh <anandrkskd@gmail.com>
assisted-by: ClaudeCode
Signed-off-by: Anand Kumar Singh <anandrkskd@gmail.com>

@coderabbitai coderabbitai Bot left a comment


♻️ Duplicate comments (2)
.github/workflows/deploy-test.yaml (2)

17-17: 🔒 Security & Privacy | 🟠 Major | ⚡ Quick win

Pin all GitHub Actions to immutable SHAs.

Lines 17, 20, and 25 use floating tags (@v4, @v5, @v1), which weakens supply-chain integrity under strict CI policy.

Suggested pattern
-        uses: actions/checkout@v4
+        uses: actions/checkout@<full-commit-sha>

-        uses: actions/setup-go@v5
+        uses: actions/setup-go@<full-commit-sha>

-        uses: helm/kind-action@v1
+        uses: helm/kind-action@<full-commit-sha>
#!/bin/bash
# Verify unpinned GitHub Action refs in workflow files: list every `uses:` (also in the
# `- uses:` form) whose ref is a floating tag such as @v4, @v4.1 or @v4.1.2 rather than a
# commit SHA. Exit status 0 means matches were found, i.e. unpinned references exist.
rg -nP '^\s*(-\s+)?uses:\s*[^@]+@v[0-9]+(\.[0-9]+)*\s*$' .github/workflows

Also applies to: 20-20, 25-25

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/deploy-test.yaml at line 17, The GitHub Actions in the
deploy-test.yaml workflow file are specified with floating version tags (`@v4`,
`@v5`, `@v1`) instead of immutable commit SHAs, which weakens supply-chain security.
For each of the three uses statements on lines 17, 20, and 25, replace the
floating version tag (the `@vX` portion) with the full commit SHA of that specific
action version. This ensures that the exact version of the action is always used
and cannot be changed unexpectedly by upstream maintainers.

Source: Linters/SAST tools


16-17: 🔒 Security & Privacy | 🟠 Major | ⚡ Quick win

Disable checkout credential persistence.

Line 17 uses default token persistence in actions/checkout, which is unnecessary for this workflow and broadens token exposure across subsequent steps.

Suggested patch
       - name: Checkout code
         uses: actions/checkout@v4
+        with:
+          persist-credentials: false
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/deploy-test.yaml around lines 16 - 17, The Checkout code
step uses actions/checkout@v4 with default token persistence enabled, which
unnecessarily exposes the authentication token across subsequent workflow steps.
Add the persist-credentials parameter set to false in the actions/checkout@v4
step configuration to disable credential persistence and reduce the token
exposure surface.

Source: Linters/SAST tools

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Duplicate comments:
In @.github/workflows/deploy-test.yaml:
- Line 17: The GitHub Actions in the deploy-test.yaml workflow file are
specified with floating version tags (`@v4`, `@v5`, `@v1`) instead of immutable commit
SHAs, which weakens supply-chain security. For each of the three uses statements
on lines 17, 20, and 25, replace the floating version tag (the `@vX` portion) with
the full commit SHA of that specific action version. This ensures that the exact
version of the action is always used and cannot be changed unexpectedly by
upstream maintainers.
- Around line 16-17: The Checkout code step uses actions/checkout@v4 with
default token persistence enabled, which unnecessarily exposes the
authentication token across subsequent workflow steps. Add the
persist-credentials parameter set to false in the actions/checkout@v4 step
configuration to disable credential persistence and reduce the token exposure
surface.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Enterprise

Run ID: 8c590d01-a18c-43d1-842a-c520e43b8b13

📥 Commits

Reviewing files that changed from the base of the PR and between 7a41a6d and 67df3df.

📒 Files selected for processing (1)
  • .github/workflows/deploy-test.yaml

Signed-off-by: Anand Kumar Singh <anandrkskd@gmail.com>
Signed-off-by: Anand Kumar Singh <anandrkskd@gmail.com>
Signed-off-by: Anand Kumar Singh <anandrkskd@gmail.com>
@openshift-ci

openshift-ci Bot commented Jun 25, 2026


@anandrkskd: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name | Commit | Details | Required | Rerun command
--- | --- | --- | --- | ---
ci/prow/v4.14-e2e | 4bbf4f3 | link | false | /test v4.14-e2e
ci/prow/v4.14-images | 4bbf4f3 | link | true | /test v4.14-images
ci/prow/v4.14-kuttl-parallel | 4bbf4f3 | link | false | /test v4.14-kuttl-parallel
ci/prow/v4.14-kuttl-sequential | 4bbf4f3 | link | false | /test v4.14-kuttl-sequential

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.
