chore(SREP-4482, SREP-4486, SREP-4800: Boilerplate Update for Agentic SDLC Rollout)

[charlesgong]

What type of PR is this?
boilerplate

What this PR does / why we need it?
This PR moves the changes introduced in boilerplate for Agentic SDLC Rollout into MVP for ocm-agent-operator.
Related BP MRs

• SREP-4482: Update golangci-lint configuration with enhanced linters boilerplate#716
• SREP-4484: Enable Codecov Enforcement boilerplate#720
• [SREP-4485] add pre-commit hooks to golang-osd-operator convention boilerplate#723

Which Jira/Github issue(s) this PR fixes?
Part of Rollout for Agentic SDLC -

• Lint -https://redhat.atlassian.net/browse/SREP-4482
• Pre-Commit Hook - https://redhat.atlassian.net/browse/SREP-4486
• CodeCov - https://redhat.atlassian.net/browse/SREP-4800

Special notes for your reviewer:
Pre-checks (if applicable):

• Tested latest changes against a cluster
• Ran make generate command locally to validate code changes
• Included documentation changes with PR

Summary by CodeRabbit

• Chores
  • Updated builder and runtime base container images to newer versions
  • Added pre-commit hooks configuration for code quality, secrets detection, and static analysis
  • Updated Codecov coverage thresholds for project and patch validation
  • Updated team ownership assignments in configuration

[openshift-ci-robot]

@charlesgong: This pull request references SREP-4482 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "5.0.0" version, but no target version was set.

This pull request references SREP-4486 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "5.0.0" version, but no target version was set.

This pull request references SREP-4800 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "5.0.0" version, but no target version was set.

Details

In response to this:

What type of PR is this?
boilerplate

What this PR does / why we need it?
This PR moves the changes introduced in boilerplate for Agentic SDLC Rollout into MVP for ocm-agent-operator.
Related BP MRs

• SREP-4482: Update golangci-lint configuration with enhanced linters boilerplate#716
• SREP-4484: Enable Codecov Enforcement boilerplate#720
• [SREP-4485] add pre-commit hooks to golang-osd-operator convention boilerplate#723

Which Jira/Github issue(s) this PR fixes?
Part of Rollout for Agentic SDLC -

• Lint -https://redhat.atlassian.net/browse/SREP-4482
• Pre-Commit Hook - https://redhat.atlassian.net/browse/SREP-4486
• CodeCov - https://redhat.atlassian.net/browse/SREP-4800

Special notes for your reviewer:
Pre-checks (if applicable):

• Tested latest changes against a cluster
• Ran make generate command locally to validate code changes
• Included documentation changes with PR

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[coderabbitai]

Warning

Rate limit exceeded

@charlesgong has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 21 minutes and 23 seconds before requesting another review.

You’ve run out of usage credits. Purchase more in the billing tab.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 90fda663-45b4-4022-bc96-749b2f77ad07

📥 Commits

Reviewing files that changed from the base of the PR and between ed7199f and 6589cf0.

⛔ Files ignored due to path filters (2)

• boilerplate/_data/last-boilerplate-commit is excluded by !boilerplate/**
• boilerplate/openshift/golang-osd-operator/OWNERS_ALIASES is excluded by !boilerplate/**

📒 Files selected for processing (16)

• OWNERS_ALIASES
• build/Dockerfile
• build/Dockerfile.olm-registry
• config/config.go
• controllers/projectclaim/projectclaim_controller.go
• controllers/projectclaim/projectclaim_fake.go
• controllers/projectclaim/projectclaimadapter.go
• controllers/projectclaim/projectclaimadapter_test.go
• controllers/projectreference/projectreference_adapter.go
• controllers/projectreference/projectreference_adapter_test.go
• controllers/projectreference/projectreference_controller.go
• pkg/configmap/configmap.go
• pkg/configmap/configmap_test.go
• pkg/gcpclient/client.go
• pkg/util/util.go
• pkg/util/utils_test.go

Walkthrough

This PR updates build infrastructure base images across multiple Dockerfiles and CI configuration, introduces a comprehensive pre-commit hooks configuration for code hygiene and static analysis, adjusts Codecov coverage thresholds with explicit targets, and modifies team ownership aliases by removing and adding specific members to multiple teams.

Changes

Build Infrastructure: Base Image Updates

Layer / File(s)	Summary
CI operator and Dockerfile base images .ci-operator.yaml, build/Dockerfile, build/Dockerfile.olm-registry	Boilerplate builder image updated from image-v8.3.4 to image-v8.3.6 in CI configuration and builder stage. UBI-minimal runtime image updated from 9.7-1776833838 to 9.7-1778562320 across two Dockerfiles.

Developer Tooling and Code Quality Configuration

Layer / File(s)	Summary
Codecov coverage thresholds .codecov.yml	Coverage thresholds transitioned from no (disabled) to explicit configuration with project target of 35% and threshold of 1%, and patch target of 50% and threshold of 1%.
Pre-commit hooks framework .pre-commit-config.yaml	New configuration file defining merge-conflict detection, whitespace/YAML validation, gitleaks secrets scanning, golangci-lint static analysis, and local hooks for go build, go mod tidy enforcement, and RBAC wildcard checks with platform-aware timeouts and file filtering.

Team Governance

Layer / File(s)	Summary
OWNERS_ALIASES team membership OWNERS_ALIASES	Removed abyrne55 from srep-functional-team-aurora and srep-functional-leads, added BATMAN-JD to srep-functional-team-aurora, removed a7vicky from srep-functional-team-thor, and removed jharrington22 from srep-architects.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

🚥 Pre-merge checks | ✅ 12

✅ Passed checks (12 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title directly addresses the main change: a boilerplate update for the Agentic SDLC Rollout, covering image tag updates, codecov configuration, pre-commit hooks, and ownership changes across multiple files.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names	✅ Passed	This PR contains only configuration file changes and does not modify any test files (*_test.go). No Ginkgo tests are introduced or modified, so the stable test names check is not applicable.
Test Structure And Quality	✅ Passed	Tests are unit tests with mocks, not cluster tests. Minor interface updates and variable rename. Proper setup/cleanup. Timeout requirement inapplicable.
Microshift Test Compatibility	✅ Passed	PR contains only configuration and build file changes. No new Ginkgo e2e tests are added, so MicroShift test compatibility check is not applicable.
Single Node Openshift (Sno) Test Compatibility	✅ Passed	PR contains only boilerplate configuration and infrastructure updates. No new Ginkgo e2e tests are added, so the SNO compatibility check does not apply.
Topology-Aware Scheduling Compatibility	✅ Passed	PR modifies only config and build files. No deployment manifests, code, or scheduling constraints changed. Check not applicable to this boilerplate configuration update.
Ote Binary Stdout Contract	✅ Passed	PR modifies only configuration files and Dockerfiles, no Go code. OTE Stdout Contract check applies only to Go process-level code changes, not applicable here.
Ipv6 And Disconnected Network Test Compatibility	✅ Passed	No new Ginkgo e2e tests were added in this PR. Changes are configuration updates only (CI/CD, codecov, pre-commit, OWNERS, Dockerfiles). Check requires test code, which is absent.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[codecov-commenter]

Codecov Report

❌ Patch coverage is 52.50000% with 38 lines in your changes missing coverage. Please review.
✅ Project coverage is 58.24%. Comparing base (9c35f69) to head (6589cf0).

Files with missing lines	Patch %	Lines
pkg/gcpclient/client.go	0.00%	19 Missing ⚠️
...rs/projectreference/projectreference_controller.go	0.00%	8 Missing ⚠️
...llers/projectreference/projectreference_adapter.go	73.07%	6 Missing and 1 partial ⚠️
pkg/util/util.go	77.77%	2 Missing ⚠️
...ontrollers/projectclaim/projectclaim_controller.go	50.00%	1 Missing ⚠️
controllers/projectclaim/projectclaimadapter.go	91.66%	0 Missing and 1 partial ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##           master     #299      +/-   ##
==========================================
- Coverage   58.34%   58.24%   -0.10%     
==========================================
  Files          26       26              
  Lines        1942     1947       +5     
==========================================
+ Hits         1133     1134       +1     
- Misses        731      735       +4     
  Partials       78       78              

Files with missing lines	Coverage Δ
controllers/projectclaim/projectclaim_fake.go	62.85% <100.00%> (ø)
pkg/configmap/configmap.go	76.47% <100.00%> (ø)
...ontrollers/projectclaim/projectclaim_controller.go	64.86% <50.00%> (ø)
controllers/projectclaim/projectclaimadapter.go	75.00% <91.66%> (ø)
pkg/util/util.go	71.92% <77.77%> (-0.64%)	⬇️
...llers/projectreference/projectreference_adapter.go	68.92% <73.07%> (-0.09%)	⬇️
...rs/projectreference/projectreference_controller.go	0.00% <0.00%> (ø)
pkg/gcpclient/client.go	0.00% <0.00%> (ø)

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: charlesgong
Once this PR has been reviewed and has the lgtm label, please assign raphaelbut for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[coderabbitai]

Actionable comments posted: 3

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

build/Dockerfile (1)

9-17: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Run the runtime image as non-root.

The final image still runs as root because no USER is set. Please switch to a non-root UID/GID before ENTRYPOINT to reduce container breakout impact.

Suggested hardening patch

 FROM registry.access.redhat.com/ubi9/ubi-minimal:9.7-1778562320
 ENV OPERATOR_PATH=/gcp-project-operator \
     OPERATOR_BIN=gcp-project-operator
 
-WORKDIR /root/
+WORKDIR /tmp
 COPY --from=builder /gcp-project-operator/build/_output/bin/${OPERATOR_BIN} /usr/local/bin/${OPERATOR_BIN}
 LABEL io.openshift.managed.name="gcp-project-operator" \
     io.openshift.managed.description="This operator will be responsible for managing GCP project and credentials."
+USER 1001
 ENTRYPOINT ["/usr/local/bin/gcp-project-operator"]

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@build/Dockerfile` around lines 9 - 17, The Dockerfile currently leaves the
container running as root (ENTRYPOINT /usr/local/bin/gcp-project-operator);
create and switch to an unprivileged user and group and ensure the operator
binary and any required directories are owned by that UID/GID before ENTRYPOINT.
Specifically, add steps to create a non-root user/group (e.g., gcpop), chown
/usr/local/bin/${OPERATOR_BIN} (and any runtime dirs) to that user, and set USER
to that UID/GID so the container runs non-root when launching ENTRYPOINT.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.codecov.yml:
- Around line 11-14: Replace the static project coverage target in the
.codecov.yml project.default.target (currently "35%") with "auto" so Codecov
uses the base-commit comparison, and keep the threshold
(project.default.threshold) at 1% (or adjust as desired) to allow minor
fluctuations while preventing regressions.
- Around line 15-18: The .codecov.yml currently ignores generated files like
"zz_generated*.go" but doesn't exclude the auto-generated fips boilerplate;
update the ignore list in .codecov.yml (the same section that contains
"zz_generated*.go") to add "fips.go" (or a suitable pattern like "fips*.go") so
the auto-generated file is excluded from coverage checks and won't affect the
patch/threshold metrics.

In @.pre-commit-config.yaml:
- Around line 123-133: The hook labeled id "rbac-wildcard-check" currently runs
entry "bash -c 'make rbac-wildcard-check'" which will block commits on non-zero
exit despite the comment saying "warn-only"; update the hook to match the docs
by wrapping the make invocation with the same timeout guard used by other local
hooks and ensure the hook suppresses non-zero exit codes (so it never fails the
commit) while still emitting diagnostic output (i.e., run the check under a
timeout and always return success), and also update the human-readable
name/comment if you prefer to make it explicit that this is non-blocking; target
the hook definition for changes.

---

Outside diff comments:
In `@build/Dockerfile`:
- Around line 9-17: The Dockerfile currently leaves the container running as
root (ENTRYPOINT /usr/local/bin/gcp-project-operator); create and switch to an
unprivileged user and group and ensure the operator binary and any required
directories are owned by that UID/GID before ENTRYPOINT. Specifically, add steps
to create a non-root user/group (e.g., gcpop), chown
/usr/local/bin/${OPERATOR_BIN} (and any runtime dirs) to that user, and set USER
to that UID/GID so the container runs non-root when launching ENTRYPOINT.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: ff01cf10-3a6d-4de9-b082-8942056f79f8

📥 Commits

Reviewing files that changed from the base of the PR and between cd99422 and ed7199f.

⛔ Files ignored due to path filters (11)

• boilerplate/_data/backing-image-tag is excluded by !boilerplate/**
• boilerplate/_data/last-boilerplate-commit is excluded by !boilerplate/**
• boilerplate/openshift/golang-osd-operator/.codecov.yml is excluded by !boilerplate/**
• boilerplate/openshift/golang-osd-operator/OWNERS_ALIASES is excluded by !boilerplate/**
• boilerplate/openshift/golang-osd-operator/README.md is excluded by !boilerplate/**
• boilerplate/openshift/golang-osd-operator/ensure.sh is excluded by !boilerplate/**
• boilerplate/openshift/golang-osd-operator/golangci.yml is excluded by !boilerplate/**
• boilerplate/openshift/golang-osd-operator/olm_pko_migration.py is excluded by !boilerplate/**
• boilerplate/openshift/golang-osd-operator/pre-commit-config.yaml is excluded by !boilerplate/**
• boilerplate/openshift/golang-osd-operator/standard.mk is excluded by !boilerplate/**
• boilerplate/openshift/golang-osd-operator/update is excluded by !boilerplate/**

📒 Files selected for processing (6)

• .ci-operator.yaml
• .codecov.yml
• .pre-commit-config.yaml
• OWNERS_ALIASES
• build/Dockerfile
• build/Dockerfile.olm-registry

[coderabbitai]

⚠️ Potential issue | 🟠 Major | 🏗️ Heavy lift

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Description: Verify current coverage levels and check if 35% target is appropriate

# Check recent coverage reports in CI logs or codecov history
echo "Current project coverage per codecov bot: 58.34%"
echo "Proposed target: 35%"
echo "Gap: 23.34%"
echo ""
echo "Recommendation: Consider raising target to ~55-58% to maintain current quality level"

Repository: openshift/gcp-project-operator

Length of output: 242

---

🌐 Web query:

What is the recommended best practice for setting Codecov project coverage targets relative to current coverage levels?

💡 Result:

Recommended best practice: set Codecov “project” coverage targets to auto (relative to the base commit / PR target), with a non-zero threshold (leniency) so coverage can improve steadily without blocking due to small fluctuations. Codecov’s status checks support target: auto, which compares the commit’s coverage against the PR base (parent/base commit) coverage rather than requiring an absolute fixed percentage. This is the intended way to enforce that new changes must maintain or increase project coverage over time [1][2]. If you expect legitimate variance (e.g., flaky tests or other normal churn), keep target: auto but set a threshold that allows a small drop while still requiring improvement relative to the base. Codecov explicitly calls out using threshold to “give some leeway” and shows threshold: 10% as an example for relaxing an auto target [2]. Example (project check relative to current levels): coverage: status: project: default: target: auto threshold: 0% # or a small non-zero value to allow minor drops base: auto This config makes the required “success” level track the current base coverage rather than a static number, aligning the target with how your coverage stands today [1][2].

Citations:

• 1: https://docs.codecov.io/docs/commit-status
• 2: https://docs.codecov.com/v4.6/docs/common-recipe-list

---

Use target: auto instead of a static percentage for project coverage.

The project coverage target is set to a static 35%, which is significantly below the current coverage of 58.34%. However, the issue isn't just the gap—it's the approach itself. Per Codecov best practices, project targets should use target: auto to compare against the base commit, not a static percentage. This automatically tracks current coverage levels and prevents regression without requiring manual adjustment. Set target: auto with a threshold value (e.g., 1%) to allow minor fluctuations while still enforcing improvement.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.codecov.yml around lines 11 - 14, Replace the static project coverage
target in the .codecov.yml project.default.target (currently "35%") with "auto"
so Codecov uses the base-commit comparison, and keep the threshold
(project.default.threshold) at 1% (or adjust as desired) to allow minor
fluctuations while preventing regressions.

[coderabbitai]

⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Description: Locate the uncovered line in fips.go mentioned by codecov

# Find fips.go and show recent changes
fd -t f 'fips.go$' --exec echo "File: {}" \; --exec git diff master...HEAD -- {} \;

Repository: openshift/gcp-project-operator

Length of output: 144

---

🏁 Script executed:

# Get file info and content for fips.go
wc -l ./fips.go
head -50 ./fips.go

Repository: openshift/gcp-project-operator

Length of output: 352

---

🏁 Script executed:

# Try alternative git commands to see recent changes
git log --oneline -5 -- ./fips.go
git show HEAD:./fips.go | head -50

Repository: openshift/gcp-project-operator

Length of output: 420

---

🏁 Script executed:

# Check for test files related to fips functionality
fd -t f '.*fips.*test.*' -o '.*test.*fips.*'

Repository: openshift/gcp-project-operator

Length of output: 222

---

🏁 Script executed:

# Check git status for unstaged changes
git status --short ./fips.go

Repository: openshift/gcp-project-operator

Length of output: 56

---

🏁 Script executed:

# Check the actual git state - see what branches exist
git branch -a | head -20

Repository: openshift/gcp-project-operator

Length of output: 178

---

🏁 Script executed:

# Try to see the actual changes in the PR using git diff HEAD~1 or similar
git log --oneline -10

Repository: openshift/gcp-project-operator

Length of output: 155

---

🏁 Script executed:

# Check the .codecov.yml file completely
cat -n .codecov.yml

Repository: openshift/gcp-project-operator

Length of output: 845

---

🏁 Script executed:

# Look for any exclude patterns in codecov config
rg "exclude|ignore" .codecov.yml -A 2 -B 2

Repository: openshift/gcp-project-operator

Length of output: 146

---

Add fips.go to the .codecov.yml ignore list to exclude auto-generated boilerplate from coverage requirements.

The fips.go file is auto-generated boilerplate marked with "BOILERPLATE GENERATED -- DO NOT EDIT" and only executes when the fips_enabled build tag is active. Standard CI tests don't use this tag, so the code is never executed in normal test runs. Rather than forcing test coverage for this auto-generated conditional code, update the ignore section of .codecov.yml to exclude it—similar to how zz_generated*.go files are already excluded.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.codecov.yml around lines 15 - 18, The .codecov.yml currently ignores
generated files like "zz_generated*.go" but doesn't exclude the auto-generated
fips boilerplate; update the ignore list in .codecov.yml (the same section that
contains "zz_generated*.go") to add "fips.go" (or a suitable pattern like
"fips*.go") so the auto-generated file is excluded from coverage checks and
won't affect the patch/threshold metrics.

[coderabbitai]

⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

🧩 Analysis chain

🌐 Web query:

Does pre-commit provide a native warn-only mode for hooks, or do non-zero hook exits always block commits?

💡 Result:

No—pre-commit does not provide a native “warn-only” mode where non-zero hook exits still allow the commit. What happens instead: 1) A hook must effectively “pass” (i.e., pre-commit treats non-zero exit as failure) to avoid blocking the commit. pre-commit docs state that if a commit-msg/prepare-commit-msg hook exits nonzero, “the commit will be aborted.” [1][2] 2) The pre-commit maintainers explicitly discuss that they don’t provide an out-of-the-box warning-only mechanism; the recommended approach is to change the hook command so it exits 0 while emitting warnings (e.g., || true or using the underlying tool’s “exit-zero” option). [3] 3) There is a special-purpose workaround helper pre-commit hazmat ignore-exit-code, introduced in v4.5.0, which can suppress exit-code failures for a hook (with an explicit warning that it’s a “bad idea” to introduce warning noise). [1][2] So in general: non-zero hook exits block commits; “warn-only” is not a normal native mode, but you can achieve it by forcing exit 0 (or by using the hazmat helper). Example patterns from the pre-commit community: - Wrap the hook command so failures don’t propagate: entry: bash -c 'tool ... "$@" || true' -- [3] - For tools that support it, use their --exit-zero/equivalent so the hook exits 0 while still printing issues (example given with flake8). [3] - Or use pre-commit hazmat ignore-exit-code to ignore a hook’s exit code (new in v4.5.0). [1][2]

Citations:

• 1: https://pre-commit.com/
• 2: https://github.com/pre-commit/pre-commit.com/blob/main/sections/advanced.md
• 3: Can I show warning message without blocking the commit? pre-commit/pre-commit#923

---

Fix documentation/implementation mismatch and add timeout guard.

Line 123 claims "warn-only", but pre-commit does not support a native warn-only mode—non-zero hook exits always block commits. The current entry point (make rbac-wildcard-check) has no exit-code suppression and will therefore block, contradicting the documented behavior. Additionally, this hook lacks the timeout wrapper used by other local hooks in the file.

Suggested fix

-      # 6. RBAC WILDCARD CHECK  |  target < 5s  |  warn-only (blocking after cleanup)
+      # 6. RBAC WILDCARD CHECK  |  target < 5s  |  error
@@
-        entry: bash -c 'make rbac-wildcard-check'
+        entry: bash -c 'T=$(command -v timeout || command -v gtimeout || echo); ${T:+$T 30s} make rbac-wildcard-check'

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	# 6. RBAC WILDCARD CHECK | target < 5s | warn-only (blocking after cleanup)
	# Rejects wildcard RBAC in deploy/ manifests (verbs/resources: ["*"]
	# or multi-line - '*' format). Logic lives in standard.mk target
	# 'rbac-wildcard-check' for readability and reuse.
	# Fix: replace wildcards with explicit verbs and resource names.
	# -----------------------------------------------------------------------
	- id: rbac-wildcard-check
	name: RBAC wildcard permissions
	language: system
	entry: bash -c 'make rbac-wildcard-check'
	files: ^deploy/.*\.ya?ml$
	# 6. RBAC WILDCARD CHECK | target < 5s | error
	# Rejects wildcard RBAC in deploy/ manifests (verbs/resources: ["*"]
	# or multi-line - '*' format). Logic lives in standard.mk target
	# 'rbac-wildcard-check' for readability and reuse.
	# Fix: replace wildcards with explicit verbs and resource names.
	# -----------------------------------------------------------------------
	- id: rbac-wildcard-check
	name: RBAC wildcard permissions
	language: system
	entry: bash -c 'T=$(command -v timeout || command -v gtimeout || echo); ${T:+$T 30s} make rbac-wildcard-check'
	files: ^deploy/.*\.ya?ml$

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.pre-commit-config.yaml around lines 123 - 133, The hook labeled id
"rbac-wildcard-check" currently runs entry "bash -c 'make rbac-wildcard-check'"
which will block commits on non-zero exit despite the comment saying
"warn-only"; update the hook to match the docs by wrapping the make invocation
with the same timeout guard used by other local hooks and ensure the hook
suppresses non-zero exit codes (so it never fails the commit) while still
emitting diagnostic output (i.e., run the check under a timeout and always
return success), and also update the human-readable name/comment if you prefer
to make it explicit that this is non-blocking; target the hook definition for
changes.

[openshift-ci]

@charlesgong: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.