Initial CI automation on test for GitOps operator support for xKS #1188

Open
anandrkskd wants to merge 1 commit into redhat-developer:master from anandrkskd:ci-test-xks

@anandrkskd

Contributor

assisted-by: ClaudeCode

What type of PR is this?

/kind enhancement

What does this PR do / why we need it:
This PR adds CI automation to deploy gitops-operator on xKS (kind) cluster. This CI pipeline

  • builds controller manager image
  • push image with TTL of 1 day to quay
  • and deploy the image using make deploy on a Kind cluster
  • And expects for manager pod to be up.

Have you updated the necessary documentation?

  • Documentation update is required by this PR.
  • Documentation has been updated.

Which issue(s) this PR fixes:

Fixes 9841
Test acceptance criteria:

  • Unit Test
  • E2E Test

How to test changes / Special notes to the reviewer:

assisted-by: ClaudeCode
Signed-off-by: Anand Kumar Singh <anandrkskd@gmail.com>
@openshift-ci openshift-ci Bot added the kind/enhancement New feature or request label Jun 23, 2026
@openshift-ci openshift-ci Bot requested review from chetan-rns and svghadi June 23, 2026 11:48
@openshift-ci

openshift-ci Bot commented Jun 23, 2026


[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign jopit for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@coderabbitai

coderabbitai Bot commented Jun 23, 2026


📝 Walkthrough

Summary by CodeRabbit

  • Chores
    • Enhanced automated testing infrastructure with a new continuous integration workflow to validate builds, deployments, and operator functionality on pull requests, improving code quality and release reliability.

Walkthrough

A new GitHub Actions workflow file is added that triggers on every pull request. It builds a Docker image tagged with the PR number and run ID, pushes it to Quay.io with a 1-day TTL label, provisions a kind cluster, installs CRDs, deploys the operator using the pushed image, and verifies controller-manager availability.

Changes

Deploy-test CI Workflow

| Layer / File(s) | Summary |
|---|---|
| Workflow trigger and image tag env (.github/workflows/deploy-test.yaml) | Adds pull_request trigger for all branches and defines the workflow-level IMG env variable using the PR number and run ID for unique image tagging. |
| Build, push, deploy, and verify job (.github/workflows/deploy-test.yaml) | Defines the deploy-test job: checks out code, sets up Go, authenticates to Quay.io, builds and pushes the image with a quay.expires-after=1d TTL label, creates a kind cluster (gitops-test), runs make install and make deploy, then waits for the controller-manager deployment and lists pods in openshift-gitops-operator. |

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
| Check name | Status | Explanation |
|---|---|---|
| Title check | ✅ Passed | The title accurately summarizes the main change: adding CI automation for GitOps operator testing on xKS (kind cluster), which directly matches the workflow file added in the changeset. |
| Description check | ✅ Passed | The description clearly relates to the changeset, explaining the CI pipeline's purpose and steps that correspond to the workflow implementation, including building, pushing, and deploying the image. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |


@coderabbitai

coderabbitai Bot commented Jun 23, 2026


Caution

Failed to replace (edit) comment. This is likely due to insufficient permissions or the comment being deleted.

Error details
{}

@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 3

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/deploy-test.yaml:
- Line 17: Replace the floating version tags on the GitHub Actions uses
statements at lines 17, 20, 25, and 40 with their corresponding immutable commit
SHAs. Instead of using `@v4`, `@v5`, `@v3`, and `@v1` tags for actions/checkout,
actions/setup-node, and other actions in this workflow, pin each to a specific
commit SHA by looking up the actual commit hash for each version tag and
replacing the tag portion with the full SHA reference (e.g., uses:
actions/checkout@abc123def456... format).
- Around line 54-57: The kubectl wait command in the deploy-test workflow is
targeting the wrong Deployment and namespace. The make deploy command creates a
controller named argocd-operator-controller-manager in the
argocd-operator-system namespace, but the current kubectl wait command is
looking for openshift-gitops-operator-controller-manager in
openshift-gitops-operator namespace. Update the deployment name from
openshift-gitops-operator-controller-manager to
argocd-operator-controller-manager and change the namespace from
openshift-gitops-operator to argocd-operator-system to match what is actually
deployed by make deploy.
- Around line 16-17: The actions/checkout action is using default credential
persistence settings, which stores the GitHub token in the git config for
subsequent steps. Disable credential persistence by adding the
persist-credentials parameter set to false in the actions/checkout@v4 step to
reduce credential exposure risk and remove the unnecessary token storage since
it is not needed for this workflow's subsequent steps.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository YAML (base), Organization UI (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 4dbab3dd-9103-47f8-a5a5-97285e3bd659

📥 Commits

Reviewing files that changed from the base of the PR and between 8fa22b8 and 7a41a6d.

📒 Files selected for processing (1)
  • .github/workflows/deploy-test.yaml
🔗 Linked repositories identified

CodeRabbit considers these linked repositories for cross-repo context during reviews:

  • argoproj-labs/argocd-operator (manual)

Comment on lines +16 to +17
- name: Checkout code
uses: actions/checkout@v4


🔒 Security & Privacy | 🟠 Major | ⚡ Quick win

Disable credential persistence in checkout step

Line 17 uses actions/checkout with default credential persistence. That leaves the GitHub token in local git config for subsequent steps, which is unnecessary for this workflow and expands credential exposure risk.

Suggested fix
       - name: Checkout code
         uses: actions/checkout@v4
+        with:
+          persist-credentials: false
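
Review bot: The unchanged `uses: actions/checkout@v4` line in this suggestion still carries the floating tag that the same review flags as unpinned, so applying it alone leaves the step failing the pinning finding. Fold both fixes into one edit of the step: pin `actions/checkout` to a full commit SHA and keep `persist-credentials: false` under `with:`.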
🧰 Tools
🪛 zizmor (1.26.1)

[warning] 16-17: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false

(artipacked)


[error] 17-17: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/deploy-test.yaml around lines 16 - 17, The
actions/checkout action is using default credential persistence settings, which
stores the GitHub token in the git config for subsequent steps. Disable
credential persistence by adding the persist-credentials parameter set to false
in the actions/checkout@v4 step to reduce credential exposure risk and remove
the unnecessary token storage since it is not needed for this workflow's
subsequent steps.

Source: Linters/SAST tools

runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@v4


🔒 Security & Privacy | 🟠 Major | ⚡ Quick win

Pin GitHub Actions to immutable commit SHAs

Lines 17, 20, 25, and 40 use floating tags (@v4, @v5, @v3, @v1). Per the reported policy, this is non-compliant and increases supply-chain risk from upstream retags.

Suggested fix pattern
-      - name: Checkout code
-        uses: actions/checkout@v4
+      - name: Checkout code
+        uses: actions/checkout@<full-commit-sha>

-      - name: Setup Go
-        uses: actions/setup-go@v5
+      - name: Setup Go
+        uses: actions/setup-go@<full-commit-sha>

-      - name: Log in to Quay.io
-        uses: docker/login-action@v3
+      - name: Log in to Quay.io
+        uses: docker/login-action@<full-commit-sha>

-      - name: Create kind cluster
-        uses: helm/kind-action@v1
+      - name: Create kind cluster
+        uses: helm/kind-action@<full-commit-sha>
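
Review bot: Replacing each tag with a bare `<full-commit-sha>` drops the version information that `@v4`, `@v5`, `@v3` and `@v1` currently give a reader, so a later reviewer cannot tell which release a hash corresponds to. Keep the tag as a trailing comment on each `uses:` line, for example `uses: actions/checkout@<full-commit-sha> # v4`, and resolve each SHA from the action's upstream repository rather than from a fork.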

Also applies to: 20-20, 25-25, 40-40

🧰 Tools
🪛 zizmor (1.26.1)

[warning] 16-17: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false

(artipacked)


[error] 17-17: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/deploy-test.yaml at line 17, Replace the floating version
tags on the GitHub Actions uses statements at lines 17, 20, 25, and 40 with
their corresponding immutable commit SHAs. Instead of using `@v4`, `@v5`, `@v3`, and
`@v1` tags for actions/checkout, actions/setup-node, and other actions in this
workflow, pin each to a specific commit SHA by looking up the actual commit hash
for each version tag and replacing the tag portion with the full SHA reference
(e.g., uses: actions/checkout@abc123def456... format).

Source: Linters/SAST tools
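
A small check for the two findings raised in the review comments above (floating action tags and checkout credential persistence), written as an added example that is not part of the PR, CodeRabbit's output or zizmor. The workflow text is a constructed sample based on the steps the review names, the function names are hypothetical, and the line-based parsing assumes a step contains no nested lists.

```python
import re

# Constructed sample that mirrors the steps named in the review; not the PR's file.
SAMPLE_WORKFLOW = """\
steps:
  - name: Checkout code
    uses: actions/checkout@v4
  - name: Setup Go
    uses: actions/setup-go@v5
  - name: Log in to Quay.io
    uses: docker/login-action@v3
  - name: Create kind cluster
    uses: helm/kind-action@v1
"""

USES = re.compile(r"^\s*(?:-\s+)?uses:\s*['\"]?([^\s'\"#]+)")
STEP_START = re.compile(r"^\s*-\s")
PERSIST_OFF = re.compile(r"^\s*persist-credentials:\s*['\"]?false['\"]?\s*(?:#.*)?$")
FULL_SHA = re.compile(r"[0-9a-f]{40}")

def step_lines(lines, i):
    """Lines of the step containing index i (assumes no nested lists in the step)."""
    start = i
    while start > 0 and not STEP_START.match(lines[start]):
        start -= 1
    end = i + 1
    while end < len(lines) and not STEP_START.match(lines[end]):
        end += 1
    return lines[start:end]

def audit_workflow(text):
    """Return (line_number, rule, reference) for each finding, in file order."""
    lines = text.splitlines()
    findings = []
    for i, line in enumerate(lines):
        m = USES.match(line)
        if not m or m.group(1).startswith(("./", "docker://")):
            continue  # local actions and docker:// images are out of scope for this check
        ref = m.group(1)
        action, _, version = ref.partition("@")
        if not FULL_SHA.fullmatch(version):
            findings.append((i + 1, "unpinned-uses", ref))
        persisted = not any(map(PERSIST_OFF.match, step_lines(lines, i)))
        if action.lower() == "actions/checkout" and persisted:
            findings.append((i + 1, "persist-credentials", ref))
    return findings

if __name__ == "__main__":
    print(*audit_workflow(SAMPLE_WORKFLOW), sep="\n")
```
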

Comment on lines +54 to +57
kubectl wait --for=condition=available --timeout=120s \
deployment/openshift-gitops-operator-controller-manager \
-n openshift-gitops-operator
kubectl get pods -n openshift-gitops-operator


🎯 Functional Correctness | 🟠 Major | ⚡ Quick win

Controller verification targets the wrong Deployment/namespace

Line 54–57 waits for deployment/openshift-gitops-operator-controller-manager in openshift-gitops-operator, but make deploy applies config/default, which resolves to the controller in argocd-operator-system (argocd-operator-controller-manager). This will make the CI check fail even when deploy succeeds.

Suggested fix
       - name: Verify Controller Manager deployment is available
         run: |
           kubectl wait --for=condition=available --timeout=120s \
-            deployment/openshift-gitops-operator-controller-manager \
-            -n openshift-gitops-operator
-          kubectl get pods -n openshift-gitops-operator
+            deployment/argocd-operator-controller-manager \
+            -n argocd-operator-system
+          kubectl get pods -n argocd-operator-system
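
Review bot: The new name `argocd-operator-controller-manager` and namespace `argocd-operator-system` are attributed to the linked argoproj-labs/argocd-operator repository, not to this repository's own config/default, so confirm what `make deploy` creates here before changing the wait target. The namespace also appears in both the `kubectl wait` and `kubectl get pods` lines; setting it once in a step-level variable would keep the two from drifting apart.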
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/deploy-test.yaml around lines 54 - 57, The kubectl wait
command in the deploy-test workflow is targeting the wrong Deployment and
namespace. The make deploy command creates a controller named
argocd-operator-controller-manager in the argocd-operator-system namespace, but
the current kubectl wait command is looking for
openshift-gitops-operator-controller-manager in openshift-gitops-operator
namespace. Update the deployment name from
openshift-gitops-operator-controller-manager to
argocd-operator-controller-manager and change the namespace from
openshift-gitops-operator to argocd-operator-system to match what is actually
deployed by make deploy.

Source: Linked repositories

@openshift-ci

openshift-ci Bot commented Jun 23, 2026


@anandrkskd: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

| Test name | Commit | Details | Required | Rerun command |
|---|---|---|---|---|
| ci/prow/v4.14-kuttl-sequential | 7a41a6d | link | false | /test v4.14-kuttl-sequential |
| ci/prow/v4.14-kuttl-parallel | 7a41a6d | link | false | /test v4.14-kuttl-parallel |
| ci/prow/v4.14-images | 7a41a6d | link | true | /test v4.14-images |
| ci/prow/v4.14-e2e | 7a41a6d | link | false | /test v4.14-e2e |

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.
