
Make security jobs in OVNK/CNO required for 4.23+#80698

Open
jluhrsen wants to merge 1 commit into
openshift:mainfrom
jluhrsen:CORENET-7116

Conversation

@jluhrsen jluhrsen commented Jun 17, 2026

Contributor

Snyk configs have been added to the main/master branches of OVNK and CNO, so the security job should now pass. Make it required now so we don't accidentally let something sneak :) in.

A detailed high-level summary could not be generated for this review. Here is an overview derived from the analyzed file changes:

  • ci-operator/config/openshift/cluster-network-operator/openshift-cluster-network-operator-master.yaml
  • ci-operator/config/openshift/cluster-network-operator/openshift-cluster-network-operator-release-4.23.yaml
  • ci-operator/config/openshift/cluster-network-operator/openshift-cluster-network-operator-release-5.0.yaml
  • ci-operator/config/openshift/ovn-kubernetes/openshift-ovn-kubernetes-main.yaml
  • ci-operator/config/openshift/ovn-kubernetes/openshift-ovn-kubernetes-release-4.23.yaml
  • ci-operator/config/openshift/ovn-kubernetes/openshift-ovn-kubernetes-release-5.0.yaml

Signed-off-by: Jamo Luhrsen <jluhrsen@gmail.com>
@jluhrsen

Contributor Author

/pj-rehearse

@openshift-merge-bot

Contributor

@jluhrsen: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

@coderabbitai

coderabbitai Bot commented Jun 17, 2026

Contributor

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: ba964591-e1c4-49e4-9995-c3b267e48fc7

📥 Commits

Reviewing files that changed from the base of the PR and between 0e0c031 and 02990cc.

⛔ Files ignored due to path filters (6)
  • ci-operator/jobs/openshift/cluster-network-operator/openshift-cluster-network-operator-master-presubmits.yaml is excluded by !ci-operator/jobs/**
  • ci-operator/jobs/openshift/cluster-network-operator/openshift-cluster-network-operator-release-4.23-presubmits.yaml is excluded by !ci-operator/jobs/**
  • ci-operator/jobs/openshift/cluster-network-operator/openshift-cluster-network-operator-release-5.0-presubmits.yaml is excluded by !ci-operator/jobs/**
  • ci-operator/jobs/openshift/ovn-kubernetes/openshift-ovn-kubernetes-main-presubmits.yaml is excluded by !ci-operator/jobs/**
  • ci-operator/jobs/openshift/ovn-kubernetes/openshift-ovn-kubernetes-release-4.23-presubmits.yaml is excluded by !ci-operator/jobs/**
  • ci-operator/jobs/openshift/ovn-kubernetes/openshift-ovn-kubernetes-release-5.0-presubmits.yaml is excluded by !ci-operator/jobs/**
📒 Files selected for processing (6)
  • ci-operator/config/openshift/cluster-network-operator/openshift-cluster-network-operator-master.yaml
  • ci-operator/config/openshift/cluster-network-operator/openshift-cluster-network-operator-release-4.23.yaml
  • ci-operator/config/openshift/cluster-network-operator/openshift-cluster-network-operator-release-5.0.yaml
  • ci-operator/config/openshift/ovn-kubernetes/openshift-ovn-kubernetes-main.yaml
  • ci-operator/config/openshift/ovn-kubernetes/openshift-ovn-kubernetes-release-4.23.yaml
  • ci-operator/config/openshift/ovn-kubernetes/openshift-ovn-kubernetes-release-5.0.yaml
💤 Files with no reviewable changes (6)
  • ci-operator/config/openshift/ovn-kubernetes/openshift-ovn-kubernetes-main.yaml
  • ci-operator/config/openshift/ovn-kubernetes/openshift-ovn-kubernetes-release-5.0.yaml
  • ci-operator/config/openshift/cluster-network-operator/openshift-cluster-network-operator-release-4.23.yaml
  • ci-operator/config/openshift/cluster-network-operator/openshift-cluster-network-operator-master.yaml
  • ci-operator/config/openshift/cluster-network-operator/openshift-cluster-network-operator-release-5.0.yaml
  • ci-operator/config/openshift/ovn-kubernetes/openshift-ovn-kubernetes-release-4.23.yaml

Walkthrough

Removes optional: true from the security test job in six CI config files for cluster-network-operator (master, 4.23, 5.0) and ovn-kubernetes (main, 4.23, 5.0). The master branch config for cluster-network-operator also gains Snyk-specific environment variables and a pre-execution hook.

Changes

Security Job Promotion to Required

Layer: CNO security job: master expansion + optional removal on release branches
File(s): ci-operator/config/openshift/cluster-network-operator/openshift-cluster-network-operator-master.yaml, ci-operator/config/openshift/cluster-network-operator/openshift-cluster-network-operator-release-4.23.yaml, ci-operator/config/openshift/cluster-network-operator/openshift-cluster-network-operator-release-5.0.yaml
Summary: In the master config, adds ALL_PROJECTS, PROJECT_NAME, SNYK_CODE_ADDITIONAL_ARGS, and SNYK_PRE_EXECUTION_HOOK_CMD (rm -rf vendor) env vars to the security job and removes optional: true. In the 4.23 and 5.0 release configs, removes optional: true from the existing security job.

Layer: OVN-K security job: optional removal across all branch configs
File(s): ci-operator/config/openshift/ovn-kubernetes/openshift-ovn-kubernetes-main.yaml, ci-operator/config/openshift/ovn-kubernetes/openshift-ovn-kubernetes-release-4.23.yaml, ci-operator/config/openshift/ovn-kubernetes/openshift-ovn-kubernetes-release-5.0.yaml
Summary: Removes optional: true from the security job in the main, 4.23, and 5.0 configs; the openshift-ci-security workflow and ALL_PROJECTS: "true" env var remain unchanged.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

Possibly related PRs

  • openshift/release#80462: Updates the cluster-network-operator master branch CI security job with the same Snyk pre-execution hook (rm -rf vendor) and related env vars introduced in this PR.

Suggested labels

lgtm, approved, rehearsals-ack

Suggested reviewers

  • taanyas
  • martinkennelly
🚥 Pre-merge checks | ✅ 15
✅ Passed checks (15 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title clearly and specifically describes the main change: making security jobs required (non-optional) for OVNK and CNO in versions 4.23 and later.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names ✅ Passed PR contains only YAML CI configuration changes with no Ginkgo test code or test name modifications; the custom check is not applicable.
Test Structure And Quality ✅ Passed PR contains only CI configuration YAML changes (removing optional: true from security jobs), not Ginkgo test code. The check is not applicable to this PR's scope.
Microshift Test Compatibility ✅ Passed Check not applicable: PR modifies CI configuration only (removing optional: true from security jobs), does not add new Ginkgo e2e tests.
Single Node Openshift (Sno) Test Compatibility ✅ Passed No new Ginkgo e2e tests added. PR only modifies YAML CI configuration files, removing optional flags from security jobs. Check not applicable.
Topology-Aware Scheduling Compatibility ✅ Passed This PR modifies only CI operator configuration files (test pipeline definitions), not deployment manifests, operator code, or controllers. No scheduling constraints or topology assumptions are int...
Ote Binary Stdout Contract ✅ Passed PR contains only YAML CI/CD configuration changes; no test binaries, code modifications, or stdout-writing operations that would violate OTE Binary Stdout Contract.
Ipv6 And Disconnected Network Test Compatibility ✅ Passed This PR does not add any new Ginkgo e2e tests. It only modifies CI configuration files to make existing security jobs required instead of optional. The check is not applicable.
No-Weak-Crypto ✅ Passed PR modifies CI configuration YAML files to remove optional: true from security jobs; contains no weak cryptographic implementations, custom crypto code, or non-constant-time secret comparisons.
Container-Privileges ✅ Passed PR modifies only CI-Operator config files defining test jobs, not K8s/container manifests. No container security specifications (privileged, hostPID, hostNetwork, etc.) are present to flag.
No-Sensitive-Data-In-Logs ✅ Passed PR modifies CI config files to remove 'optional: true' from security jobs. Environment variables set (ALL_PROJECTS, PROJECT_NAME, SNYK config args) contain no passwords, tokens, API keys, PII, or o...


Comment @coderabbitai help to get the list of available commands and usage tips.
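The change the walkthrough above describes is mechanical but easy to miss in a large config tree: a test job stays advisory as long as it carries optional: true, so a Snyk finding in such a job never blocks a merge. As an added example (not code from the openshift/release repository or from this PR), the Python script below scans ci-operator config files for test jobs that still carry the flag and strips it from the jobs you name. The YAML layout it assumes (a top-level tests: list, each job starting with "- as: <name>", job keys indented two columns deeper) and the embedded sample config, including the e2e-aws-ovn job and its workflow name, are constructed for illustration.

```python
"""Audit ci-operator config files for test jobs still marked ``optional: true``.

Added example, not code from openshift/release.  It is a line-oriented
scanner so it runs without PyYAML; it assumes the usual ci-operator layout
(top-level ``tests:`` list, each job starting with ``- as: <name>``).
"""
import re
import sys
from pathlib import Path

TEST_START = re.compile(r"^(\s*)- as: (\S+)\s*$")
OPTIONAL = re.compile(r"^(\s*)optional: true\s*$")

# Constructed sample in the shape of a ci-operator config; the security job
# mirrors the env vars and workflow named in the PR, the e2e job is made up.
SAMPLE = """\
tests:
- as: security
  optional: true
  steps:
    env:
      ALL_PROJECTS: "true"
      SNYK_PRE_EXECUTION_HOOK_CMD: rm -rf vendor
    workflow: openshift-ci-security
- as: e2e-aws-ovn
  steps:
    cluster_profile: aws
    workflow: openshift-e2e-aws
zz_generated_metadata:
  branch: master
  org: openshift
  repo: cluster-network-operator
"""


def _walk(text):
    """Yield (line, job_name, job_indent) for every line of ``text``.

    ``job_name`` is the ``- as:`` job whose block the line belongs to, or
    None outside the tests list.  A non-list key at or above the job's
    column ends the block (e.g. ``zz_generated_metadata:``).
    """
    current = indent = None
    for line in text.splitlines(keepends=True):
        m = TEST_START.match(line)
        if m:
            current, indent = m.group(2), len(m.group(1))
        elif current is not None:
            stripped = line.lstrip()
            col = len(line) - len(stripped)
            if stripped and col <= indent and not stripped.startswith("- "):
                current = indent = None
        yield line, current, indent


def _is_job_level_optional(line, indent):
    """True if ``line`` is ``optional: true`` at the job's own key level."""
    o = OPTIONAL.match(line)
    return bool(o) and len(o.group(1)) == indent + 2


def optional_tests(text, match=None):
    """Return names of jobs whose block contains ``optional: true``.

    ``match`` restricts the result to jobs whose name contains that
    substring, e.g. "security" to audit only the Snyk jobs.
    """
    found = []
    for line, job, indent in _walk(text):
        if job is None or not _is_job_level_optional(line, indent):
            continue
        if match is None or match in job:
            found.append(job)
    return found


def make_required(text, names):
    """Return ``text`` with ``optional: true`` removed from the named jobs."""
    out = []
    for line, job, indent in _walk(text):
        if job in names and _is_job_level_optional(line, indent):
            continue  # drop the flag: the job now gates merging
        out.append(line)
    return "".join(out)


def audit(paths, match="security"):
    """Map each config path to its jobs matching ``match`` that are optional."""
    return {str(p): optional_tests(Path(p).read_text(), match) for p in paths}


if __name__ == "__main__":
    # Usage: python audit_optional.py ci-operator/config/openshift/**/*.yaml
    targets = sys.argv[1:]
    if not targets:
        print("still optional in SAMPLE:", optional_tests(SAMPLE, "security"))
        print("after make_required:", optional_tests(make_required(SAMPLE, ["security"])))
    for path, jobs in audit(targets).items():
        for job in jobs:
            print(f"{path}: job '{job}' is still optional")
```

Running it over a checkout with a glob of the six config files listed in the walkthrough should report nothing once this PR is applied; a non-empty report for any branch means a Snyk failure there would still be ignored by the merge queue. The match argument matters: other jobs (for example long-running e2e variants) may legitimately stay optional, so audit the security jobs specifically rather than flipping every optional flag in a file.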

@openshift-ci

openshift-ci Bot commented Jun 17, 2026

Contributor

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: jluhrsen
Once this PR has been reviewed and has the lgtm label, please assign abhat for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci openshift-ci Bot requested review from kyrtapz and martinkennelly June 17, 2026 21:12
@openshift-merge-bot

Contributor

[REHEARSALNOTIFIER]
@jluhrsen: the pj-rehearse plugin accommodates running rehearsal tests for the changes in this PR. Expand 'Interacting with pj-rehearse' for usage details. The following rehearsable tests have been affected by this change:

Test name Repo Type Reason
pull-ci-openshift-ovn-kubernetes-main-security openshift/ovn-kubernetes presubmit Presubmit changed
pull-ci-openshift-ovn-kubernetes-release-4.23-security openshift/ovn-kubernetes presubmit Presubmit changed
pull-ci-openshift-ovn-kubernetes-release-5.0-security openshift/ovn-kubernetes presubmit Presubmit changed
pull-ci-openshift-cluster-network-operator-master-security openshift/cluster-network-operator presubmit Presubmit changed
pull-ci-openshift-cluster-network-operator-release-4.23-security openshift/cluster-network-operator presubmit Presubmit changed
pull-ci-openshift-cluster-network-operator-release-5.0-security openshift/cluster-network-operator presubmit Presubmit changed

Prior to this PR being merged, you will need to either run and acknowledge or opt to skip these rehearsals.

Interacting with pj-rehearse

Comment: /pj-rehearse to run up to 5 rehearsals
Comment: /pj-rehearse skip to opt-out of rehearsals
Comment: /pj-rehearse {test-name}, with each test separated by a space, to run one or more specific rehearsals
Comment: /pj-rehearse more to run up to 10 rehearsals
Comment: /pj-rehearse max to run up to 25 rehearsals
Comment: /pj-rehearse auto-ack to run up to 5 rehearsals, and add the rehearsals-ack label on success
Comment: /pj-rehearse list to get an up-to-date list of affected jobs
Comment: /pj-rehearse abort to abort all active rehearsals
Comment: /pj-rehearse network-access-allowed to allow rehearsals of tests that have the restrict_network_access field set to false. This must be executed by an openshift org member who is not the PR author

Once you are satisfied with the results of the rehearsals, comment: /pj-rehearse ack to unblock merge. When the rehearsals-ack label is present on your PR, merge will no longer be blocked by rehearsals.
If you would like the rehearsals-ack label removed, comment: /pj-rehearse reject to re-block merging.

@jluhrsen

Contributor Author

/pj-rehearse pull-ci-openshift-ovn-kubernetes-release-5.0-security

@openshift-merge-bot

Contributor

@jluhrsen: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

@openshift-ci

openshift-ci Bot commented Jun 18, 2026

Contributor

@jluhrsen: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

@jluhrsen

Contributor Author

/verified by rehearsals

@openshift-ci-robot openshift-ci-robot added the verified label (Signifies that the PR passed pre-merge verification criteria) Jun 18, 2026
@openshift-ci-robot

Contributor

@jluhrsen: This PR has been marked as verified by rehearsals.

Details

In response to this:

/verified by rehearsals

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@jluhrsen

Contributor Author

@kyrtapz @jcaamano, this is the last piece. Our CNO/OVN security jobs can now be required and expected to pass. If we introduce any issues that trigger this job to fail, it will most likely be in our project code and maybe something real we should address.
