Ensure verified is required on main branch

[jupierce]

Summary by CodeRabbit

• Bug Fixes
  • Fixed branch exclusion configuration to ensure main and master branches are always excluded from branch-matching operations, preventing unintended behavior on these protected branches.

[openshift-ci-robot]

Pipeline controller notification
This repo is configured to use the pipeline controller. Second-stage tests will be triggered either automatically or after lgtm label is added, depending on the repository configuration. The pipeline controller will automatically detect which contexts are required and will utilize /test Prow commands to trigger the second stage.

For optional jobs, comment /test ? to see a list of all defined jobs. To trigger manually all jobs from second stage use /pipeline required command.

This repository is configured in: automatic mode

[coderabbitai]

Walkthrough

The tide-config-manager now ensures that main and master branches are always included in the excluded branches set within the generalAvailabilityEvent.overrideExcludedBranches function, preventing these branches from being matched by the complement query.

Changes

Cohort / File(s)	Summary
Branch Exclusion Logic cmd/branchingconfigmanagers/tide-config-manager/main.go	Added mainBranch and masterBranch to the ExcludedBranches set in generalAvailabilityEvent.overrideExcludedBranches to ensure these branches are always excluded from complement query matching.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~8 minutes

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title 'Ensure verified is required on main branch' is specific and clearly describes the main change, which is to enforce the verified requirement on the main branch.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Stable And Deterministic Test Names	✅ Passed	This PR contains no Ginkgo tests, only standard Go testing framework code. The custom check for Ginkgo test name stability is not applicable.
Test Structure And Quality	✅ Passed	This PR modifies production code for Prow tide configuration management, not Ginkgo test code.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment

Tip

Try Coding Plans. Let us write the prompt for your AI agent so you can ship faster (with fewer bugs).
Share your feedback on Discord.

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

cmd/branchingconfigmanagers/tide-config-manager/main.go (1)

345-360: ⚠️ Potential issue | 🔴 Critical

Add bounds check for q.Repos before accessing it on line 358.

The unconditional insert of main/master on line 348 ensures that branches.Len() > 0 is always true, so the block at lines 357–360 now always executes. The code then accesses q.Repos[0] without checking if q.Repos is non-empty. Since TideQuery supports org-scoped queries with empty Repos, this will panic with an index out of range error at runtime. Add a length check before indexing, or log the query identifiers differently for org-scoped queries.

Suggested fix

 	if branches.Len() > 0 {
-		if branches.Intersection(gae.openshiftReleaseBranchesPlus1).Len() == 0 && !gae.excludedAllowList.Has(q.Repos[0]) {
-			fmt.Printf("Suspicious complement query (without %s): %s\n", gae.future, q.Repos)
+		repoScoped := len(q.Repos) > 0
+		if branches.Intersection(gae.openshiftReleaseBranchesPlus1).Len() == 0 &&
+			(!repoScoped || !gae.excludedAllowList.Has(q.Repos[0])) {
+			fmt.Printf("Suspicious complement query (without %s): repos=%v orgs=%v\n", gae.future, q.Repos, q.Orgs)
 		}
 	}

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@cmd/branchingconfigmanagers/tide-config-manager/main.go` around lines 345 -
360, The code unconditionally indexes q.Repos[0] inside the branches.Len() > 0
block which can panic for org-scoped queries with empty q.Repos; update the
condition or the logging so you only access q.Repos[0] when len(q.Repos) > 0
(e.g. change the if to check len(q.Repos) > 0 &&
!gae.excludedAllowList.Has(q.Repos[0]) ), and for the else (org-scoped) path
avoid indexing by logging the org or the full query object instead; reference
q.Repos, gae.excludedAllowList, branches, and the suspicious printf call to
locate where to add the length check and alternate logging.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Outside diff comments:
In `@cmd/branchingconfigmanagers/tide-config-manager/main.go`:
- Around line 345-360: The code unconditionally indexes q.Repos[0] inside the
branches.Len() > 0 block which can panic for org-scoped queries with empty
q.Repos; update the condition or the logging so you only access q.Repos[0] when
len(q.Repos) > 0 (e.g. change the if to check len(q.Repos) > 0 &&
!gae.excludedAllowList.Has(q.Repos[0]) ), and for the else (org-scoped) path
avoid indexing by logging the org or the full query object instead; reference
q.Repos, gae.excludedAllowList, branches, and the suspicious printf call to
locate where to add the length check and alternate logging.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: d86fe034-5799-4d81-a6b9-3c3063f0ec78

📥 Commits

Reviewing files that changed from the base of the PR and between 9e78440 and cd7ca9c.

📒 Files selected for processing (1)

• cmd/branchingconfigmanagers/tide-config-manager/main.go

[openshift-ci]

@jupierce: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/images	cd7ca9c	link	true	/test images
ci/prow/unit	cd7ca9c	link	true	/test unit
ci/prow/breaking-changes	cd7ca9c	link	false	/test breaking-changes

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: jmguzik, jupierce

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS [jmguzik]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[jmguzik]

/hold

[jmguzik]

second thoughts: I am thinking main/master should be added only if other main/master query exists, wdyt @jupierce ?