HYPERFLEET-1268 - docs: add Konflux operations and release runbook

[ciaranRoche]

Summary

Adds six engineer-facing operations docs under hyperfleet/docs/release/operations/ to complement the existing design (konflux-release-pipeline-design.md) and process (hyperfleet-release-process.md) docs. These are the docs an engineer reaches for during a release or when something fails.

• release-runbook.md — copy-paste command sequence for RC → GA, fix cycle, and hotfix
• pipeline-anatomy.md — reading a Konflux PipelineRun, the build-vs-release distinction, where to look in the UI, version flow
• debugging.md — failure-mode runbook organised by symptom (no PipelineRun, build red, build green but image not in Quay, wrong version label, RC E2E didn't trigger, EC violation, …)
• configuration-map.md — every release-related config file across the six repos (konflux-release-data, hyperfleet-api, -sentinel, -adapter, hyperfleet-release, openshift/release)
• notifications.md — #hyperfleet-e2e-status, webhook secret rotation, Pyxis, GitHub PR checks, Prow status signals
• support.md — Slack channels, JIRA queues, Konflux UI, escalation

hyperfleet/docs/release/README.md index updated with an Operations section linking the new docs.

Closes HYPERFLEET-1268 (in part — per-repo RELEASING.md stubs follow in separate PRs).

Test plan

• CI: markdownlint, yamllint, linkcheck green
• Render in GitHub: Mermaid diagrams display, tables render, internal anchors resolve
• Operations index shows up cleanly in hyperfleet/docs/release/README.md
• An engineer not involved in the spike walks release-runbook.md against the next planned RC and confirms it works without context-switching to other docs

Notes for reviewers

• Anchored on the actual RPA / Dockerfile / tag-pattern conventions, not the placeholders some spike notes carried (Slack channel is #hyperfleet-e2e-status).
• hyperfleet-chart intentionally not covered — charts ship from per-component .tekton/*-chart-push.yaml pipelines, the chart repo is dev-time reference only.
• Cross-links to existing docs are relative; cross-references between operations docs use anchor links.

Follow-ups (separate PRs, after this merges):

• RELEASING.md stub at root of hyperfleet-api
• RELEASING.md stub at root of hyperfleet-sentinel
• RELEASING.md stub at root of hyperfleet-adapter
• RELEASING.md stub at root of hyperfleet-release

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign ciaranroche for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[coderabbitai]

📝 Walkthrough

Summary by CodeRabbit

• Documentation
  • Added comprehensive release operations documentation suite including: Release Runbook with copy/paste workflows for GA releases, RC fixes, and hotfixes; Pipeline Anatomy describing build and release flows; Debugging playbook for pipeline failures with troubleshooting checklists; Configuration Map documenting GitOps setup and review responsibilities; Notifications guide covering status signals across Slack, UI, and dashboards; and Support phone book with escalation routing and access instructions.

Walkthrough

Six new markdown files are added under hyperfleet/docs/release/operations/ documenting release pipeline operations: a configuration map detailing the six-repository GitOps split, Konflux resource layout, and Dockerfile version label contracts; a pipeline anatomy page covering build-vs-release PipelineRun execution, CEL triggers, version injection, and Quay verification; a release runbook with command sequences for RC→GA cuts, RC fix cycles, and post-GA hotfixes; a symptom-based debugging playbook for build/release/E2E failures; a notifications page documenting Slack webhooks, Pyxis registration, GitHub commit status, and Prow surfaces; and a support reference with escalation routing via Slack channels, JIRA, and access procedures. The README.md last-updated date is bumped and an Operations section table is added.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

🚥 Pre-merge checks | ✅ 11

✅ Passed checks (11 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title directly summarizes the main changeset: adding Konflux operations and release runbook documentation under the specified directory.
Description check	✅ Passed	The description comprehensively details all six new operational documentation files, their purpose, updates to the index, test plan, and follow-up work—all directly related to the changeset.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Sec-02: Secrets In Log Output	✅ Passed	SEC-02 requires checking log statements (slog, log, logr, zap, fmt.Print*) for hardcoded secrets. This PR modifies only .md documentation files—no Go code with log statements. Documentation appropr...
No Hardcoded Secrets	✅ Passed	PR adds 6 engineering-facing operational documentation files. Comprehensive scan for hardcoded secrets (API keys, tokens, passwords, private keys, base64 >32 chars, URLs with embedded credentials)...
No Weak Cryptography	✅ Passed	PR adds only Markdown documentation files with no cryptographic code, weak crypto primitives, custom implementations, or insecure secret comparisons.
No Injection Vectors	✅ Passed	PR adds only markdown documentation files with no executable code, hardcoded bash examples, or code patterns matching CWE-89, CWE-78, CWE-79, or CWE-502 injection vectors.
No Privileged Containers	✅ Passed	PR adds only markdown documentation files; no Kubernetes manifests, Helm templates, or Dockerfiles present. Check not applicable.
No Pii Or Sensitive Data In Logs	✅ Passed	No logging statements containing PII, credentials, or sensitive data found. Code examples reference only public registry metadata, version strings, and secret names (never values).

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

✨ Simplify code

• Create PR with simplified code

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 5

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@hyperfleet/docs/release/operations/configuration-map.md`:
- Line 66: The tag matcher regex pattern `v[0-9]+.[0-9]+.[0-9]+(-rc[0-9]+)?`
contains unescaped dots which act as wildcards matching any character instead of
literal dots. Update this regex pattern to escape the dots with backslashes
(change each `.` to `\.`) so that only valid semver-like tags trigger the
release, preventing malformed tags from matching and firing the release trigger
unintentionally.
- Around line 65-68: The version variable naming is inconsistent between this
configuration map documentation and the konflux-release-pipeline-design.md
document. Update all references to APP_VERSION in the table rows (specifically
in the descriptions of `.tekton/hyperfleet-<svc>-push.yaml`,
`.tekton/hyperfleet-<svc>-tag.yaml`, and the Dockerfile contract row) to use
VERSION instead, and update the Dockerfile contract description to reference ARG
VERSION and LABEL version, to match the documented pipeline behavior in
konflux-release-pipeline-design.md lines 270-296.

In `@hyperfleet/docs/release/operations/notifications.md`:
- Around line 11-23: The introductory sentence states that the HyperFleet
release pipeline emits signals to four places, but the table "Where to watch a
release" lists five surfaces: Slack, Konflux UI, Pyxis, GitHub commit status,
and Prow dashboard. Update the introductory sentence to change "four places" to
"five places" to match the number of entries in the table and resolve the
internal inconsistency.

In `@hyperfleet/docs/release/operations/pipeline-anatomy.md`:
- Around line 143-145: The grep pattern in the tag verification snippet uses
only a start-of-line anchor (^) but is missing an end-of-line anchor, which
causes it to match unintended tags like 0.3.0-rc10 and 0.3.0-rc11 in addition to
0.3.0-rc1. Add a dollar sign ($) at the end of the grep pattern to anchor it to
the end of the line, changing grep '^0.3.0-rc1' to grep '^0.3.0-rc1$' to ensure
an exact match of the intended tag.

In `@hyperfleet/docs/release/operations/release-runbook.md`:
- Around line 152-155: The git push command in the release tag step uses the
--tags flag which pushes all local tags rather than just the specified
release-1.5 tag, potentially leaking unrelated refs to remote. Replace the
single command that uses git push origin release-1.5 --tags with two separate
push commands: one to push the release-1.5 branch explicitly using git push
origin release-1.5, and another to push only the specific release-1.5 tag using
git push origin tag release-1.5 to ensure only the intended tag is uploaded to
remote.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Central YAML (base), Organization UI (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 504a5ff5-8405-493c-8082-b9709d26788f

📥 Commits

Reviewing files that changed from the base of the PR and between 29d5a67 and f7dd2a8.

📒 Files selected for processing (7)

• hyperfleet/docs/release/README.md
• hyperfleet/docs/release/operations/configuration-map.md
• hyperfleet/docs/release/operations/debugging.md
• hyperfleet/docs/release/operations/notifications.md
• hyperfleet/docs/release/operations/pipeline-anatomy.md
• hyperfleet/docs/release/operations/release-runbook.md
• hyperfleet/docs/release/operations/support.md

🔗 Linked repositories identified

CodeRabbit considers these linked repositories for cross-repo context during reviews:

• openshift-hyperfleet/architecture (manual)
• openshift-hyperfleet/hyperfleet-api (manual)
• openshift-hyperfleet/hyperfleet-sentinel (manual)
• openshift-hyperfleet/hyperfleet-adapter (manual)
• openshift-hyperfleet/hyperfleet-broker (manual)

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@hyperfleet/docs/release/operations/release-runbook.md`:
- Around line 153-155: The unqualified refspec in the git push command for
release-1.5 branch is ambiguous and will fail when a tag with the same name
exists. Replace the ambiguous `git push origin release-1.5` command with a fully
qualified branch refspec using `git push origin refs/heads/release-1.5` to
explicitly specify that you are pushing the branch rather than the tag,
eliminating the refspec ambiguity and ensuring deterministic release automation.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Central YAML (base), Organization UI (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: c4b6cfc2-595d-4a41-a8ba-80ef8ccc3e01

📥 Commits

Reviewing files that changed from the base of the PR and between 368cd41 and 080abd8.

📒 Files selected for processing (7)

• hyperfleet/docs/release/README.md
• hyperfleet/docs/release/operations/configuration-map.md
• hyperfleet/docs/release/operations/debugging.md
• hyperfleet/docs/release/operations/notifications.md
• hyperfleet/docs/release/operations/pipeline-anatomy.md
• hyperfleet/docs/release/operations/release-runbook.md
• hyperfleet/docs/release/operations/support.md

🔗 Linked repositories identified

CodeRabbit considers these linked repositories for cross-repo context during reviews:

• openshift-hyperfleet/architecture (manual)
• openshift-hyperfleet/hyperfleet-api (manual)
• openshift-hyperfleet/hyperfleet-sentinel (manual)
• openshift-hyperfleet/hyperfleet-adapter (manual)
• openshift-hyperfleet/hyperfleet-broker (manual)

✅ Files skipped from review due to trivial changes (5)

• hyperfleet/docs/release/operations/debugging.md
• hyperfleet/docs/release/operations/configuration-map.md
• hyperfleet/docs/release/operations/pipeline-anatomy.md
• hyperfleet/docs/release/README.md
• hyperfleet/docs/release/operations/support.md

🚧 Files skipped from review as they are similar to previous changes (1)

• hyperfleet/docs/release/operations/notifications.md

[coderabbitai]

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Check if the file exists and read the context around lines 153-155
if [ -f "hyperfleet/docs/release/operations/release-runbook.md" ]; then
  echo "=== File exists, reading lines 145-165 ==="
  sed -n '145,165p' hyperfleet/docs/release/operations/release-runbook.md
  echo ""
  echo "=== Total file line count ==="
  wc -l hyperfleet/docs/release/operations/release-runbook.md
else
  echo "File not found at hyperfleet/docs/release/operations/release-runbook.md"
  echo "Searching for similar file patterns..."
  find . -name "*release-runbook*" -o -name "*release*operations*"
fi

Repository: openshift-hyperfleet/architecture

Length of output: 767

---

🌐 Web query:

Git ambiguous refspec behavior when tag and branch have same name - git-push documentation

💡 Result:

When a branch and a tag share the same name in a Git repository, Git's command-line tools often encounter ambiguity [1][2]. This is because Git uses unqualified names (shorthand) to resolve references, and if both refs/heads/<name> (branch) and refs/tags/<name> (tag) exist, Git cannot determine which one you intend to use [3][2]. When using git push, this ambiguity frequently results in an error message such as "error: src refspec matches more than one" or "error: dst refspec matches more than one" [4][3][1]. Git refuses to proceed because it cannot safely resolve the ambiguous refspec [1]. To resolve this issue, you must use fully qualified refnames in your git push command [3][5][2]. By explicitly specifying the namespace (e.g., refs/heads/ or refs/tags/), you remove the ambiguity [3][6]. Common commands to resolve the push: To push a branch specifically: git push origin refs/heads/:refs/heads/ [4] To push a tag specifically: git push origin refs/tags/:refs/tags/ [4][6] If the ambiguity is causing problems in other workflows (like checkout or merge), you can also delete the offending tag or branch to resolve the conflict [4][1][2]: To delete a local tag: git tag -d [4][1] To delete a remote tag safely (without accidentally deleting a branch): git push origin:refs/tags/ [6] It is a recommended best practice to avoid using identical names for tags and branches to prevent these ambiguities and potential operational errors [1][5].

Citations:

• 1: https://dev.to/andreasbergstrom/error-src-refspec-refsheadsfoo-matches-more-than-one-4ho0
• 2: https://deverrors.com/errors/git-refname-is-ambiguous
• 3: https://stackoverflow.com/questions/70584317/git-push-error-dst-refspec-refs-heads-main-matches-more-than-one
• 4: https://stackoverflow.com/questions/9378760/git-push-local-branch-with-same-name-as-remote-tag
• 5: https://stackoverflow.com/questions/28192422/git-warning-refname-xxx-is-ambiguous
• 6: https://support.atlassian.com/bitbucket-cloud/kb/removing-a-tag-when-having-a-branch-with-the-same-name/

---

Specify branch and tag refspecs explicitly in push commands.

Line 154 uses unqualified git push origin release-1.5 which is ambiguous when a tag with the same name exists (line 153). Git documents that ambiguous refspecs produce "error: src refspec matches more than one" and fail the push. This breaks release automation determinism. Use fully qualified refs to eliminate ambiguity:

Fix

 git tag release-1.5
-git push origin release-1.5             # push the branch
-git push origin tag release-1.5         # push the tag explicitly (same name as branch)
+git push origin refs/heads/release-1.5  # push the branch explicitly
+git push origin refs/tags/release-1.5   # push the tag explicitly

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@hyperfleet/docs/release/operations/release-runbook.md` around lines 153 -
155, The unqualified refspec in the git push command for release-1.5 branch is
ambiguous and will fail when a tag with the same name exists. Replace the
ambiguous `git push origin release-1.5` command with a fully qualified branch
refspec using `git push origin refs/heads/release-1.5` to explicitly specify
that you are pushing the branch rather than the tag, eliminating the refspec
ambiguity and ensuring deterministic release automation.