Initial CI automation on test for GitOps operator support for xKS #1188

Open: anandrkskd wants to merge 2 commits into redhat-developer:master from anandrkskd:ci-test-xks
@anandrkskd

Contributor

assisted-by: ClaudeCode

What type of PR is this?

/kind enhancement

What does this PR do / why we need it:
This PR adds CI automation to deploy gitops-operator on an xKS (kind) cluster. This CI pipeline:

  • builds the controller manager image
  • pushes the image with a TTL of 1 day to quay
  • deploys the image using make deploy on a Kind cluster
  • expects the manager pod to be up

Have you updated the necessary documentation?

  • Documentation update is required by this PR.
  • Documentation has been updated.

Which issue(s) this PR fixes:

Fixes 9841
Test acceptance criteria:

  • Unit Test
  • E2E Test

How to test changes / Special notes to the reviewer:

@openshift-ci openshift-ci Bot added the kind/enhancement New feature or request label Jun 23, 2026
@openshift-ci openshift-ci Bot requested review from chetan-rns and svghadi June 23, 2026 11:48
@openshift-ci

openshift-ci Bot commented Jun 23, 2026

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign jopit for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@coderabbitai

coderabbitai Bot commented Jun 23, 2026

📝 Walkthrough

Summary by CodeRabbit

  • Chores
    • Streamlined pull request testing workflow by implementing direct local Kubernetes cluster deployment with locally built images, eliminating external registry operations and image management overhead while preserving comprehensive verification of operator installation, deployment status, and service readiness.

Walkthrough

A new GitHub Actions workflow is added that triggers on pull requests for all branches. The workflow builds a Docker image locally tagged gitops-operator:test, loads it into a kind cluster, installs CRDs and deploys the operator, then verifies the controller-manager deployment is available. Registry authentication and image push steps are not included.

Changes

Deploy-test CI Workflow

Layer / File(s) | Summary
Workflow trigger and environment configuration (.github/workflows/deploy-test.yaml) | Configures the pull_request trigger for all branches and defines the workflow-level IMG environment variable set to gitops-operator:test.
Local build, deployment, and verification job (.github/workflows/deploy-test.yaml) | Defines the deploy-test job that checks out code, sets up Go, creates a kind cluster named gitops-test, builds a Docker image locally, loads it directly into kind, runs make install to install CRDs, deploys the operator via make deploy, waits up to 120 seconds for controller-manager deployment availability, and lists pods in the openshift-gitops-operator namespace.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name | Status | Explanation
Title check | ✅ Passed | The title accurately reflects the main change: adding CI automation for GitOps operator deployment on kind clusters for xKS support.
Description check | ✅ Passed | The description is directly related to the changeset, explaining the CI automation goals and the workflow implementation for deploying GitOps operator on kind clusters.
Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request.

@coderabbitai

coderabbitai Bot commented Jun 23, 2026

Caution

Failed to replace (edit) comment. This is likely due to insufficient permissions or the comment being deleted.

Error details
{}

@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 3

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/deploy-test.yaml:
- Line 17: Replace the floating version tags on the GitHub Actions uses
statements at lines 17, 20, 25, and 40 with their corresponding immutable commit
SHAs. Instead of using `@v4`, `@v5`, `@v3`, and `@v1` tags for actions/checkout,
actions/setup-node, and other actions in this workflow, pin each to a specific
commit SHA by looking up the actual commit hash for each version tag and
replacing the tag portion with the full SHA reference (e.g., uses:
actions/checkout@abc123def456... format).
- Around line 54-57: The kubectl wait command in the deploy-test workflow is
targeting the wrong Deployment and namespace. The make deploy command creates a
controller named argocd-operator-controller-manager in the
argocd-operator-system namespace, but the current kubectl wait command is
looking for openshift-gitops-operator-controller-manager in
openshift-gitops-operator namespace. Update the deployment name from
openshift-gitops-operator-controller-manager to
argocd-operator-controller-manager and change the namespace from
openshift-gitops-operator to argocd-operator-system to match what is actually
deployed by make deploy.
- Around line 16-17: The actions/checkout action is using default credential
persistence settings, which stores the GitHub token in the git config for
subsequent steps. Disable credential persistence by adding the
persist-credentials parameter set to false in the actions/checkout@v4 step to
reduce credential exposure risk and remove the unnecessary token storage since
it is not needed for this workflow's subsequent steps.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository YAML (base), Organization UI (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 4dbab3dd-9103-47f8-a5a5-97285e3bd659

📥 Commits

Reviewing files that changed from the base of the PR and between 8fa22b8 and 7a41a6d.

📒 Files selected for processing (1)
  • .github/workflows/deploy-test.yaml
🔗 Linked repositories identified

CodeRabbit considers these linked repositories for cross-repo context during reviews:

  • argoproj-labs/argocd-operator (manual)

Comment on lines +16 to +17
      - name: Checkout code
        uses: actions/checkout@v4

🔒 Security & Privacy | 🟠 Major | ⚡ Quick win

Disable credential persistence in checkout step

Line 17 uses actions/checkout with default credential persistence. That leaves the GitHub token in local git config for subsequent steps, which is unnecessary for this workflow and expands credential exposure risk.

Suggested fix
       - name: Checkout code
         uses: actions/checkout@v4
+        with:
+          persist-credentials: false
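
Review bot: the context line `uses: actions/checkout@v4` keeps the floating tag that the same review flags as unpinned-uses on line 17, so applying this suggestion on its own still leaves the step failing the pin policy. Apply both changes to the step together: add `persist-credentials: false` under `with:` and replace `@v4` with the full commit SHA.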
🧰 Tools
🪛 zizmor (1.26.1)

[warning] 16-17: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false

(artipacked)


[error] 17-17: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)

Source: Linters/SAST tools

    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v4

🔒 Security & Privacy | 🟠 Major | ⚡ Quick win

Pin GitHub Actions to immutable commit SHAs

Lines 17, 20, 25, and 40 use floating tags (@v4, @v5, @v3, @v1). Per the reported policy, this is non-compliant and increases supply-chain risk from upstream retags.

Suggested fix pattern
-      - name: Checkout code
-        uses: actions/checkout@v4
+      - name: Checkout code
+        uses: actions/checkout@<full-commit-sha>

-      - name: Setup Go
-        uses: actions/setup-go@v5
+      - name: Setup Go
+        uses: actions/setup-go@<full-commit-sha>

-      - name: Log in to Quay.io
-        uses: docker/login-action@v3
+      - name: Log in to Quay.io
+        uses: docker/login-action@<full-commit-sha>

-      - name: Create kind cluster
-        uses: helm/kind-action@v1
+      - name: Create kind cluster
+        uses: helm/kind-action@<full-commit-sha>
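
Review bot: each replacement line drops the version entirely (`@v4` becomes a bare `@<full-commit-sha>`), which makes the pin hard to audit and to update later; keep the tag as a trailing comment on every `uses:` line, for example `uses: actions/checkout@<full-commit-sha> # v4`. The agent prompt text for this finding names actions/setup-node, while the hunk and the workflow use actions/setup-go, so the hunk is the one to follow.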

Also applies to: 20-20, 25-25, 40-40

Source: Linters/SAST tools

Comment on lines +54 to +57
          kubectl wait --for=condition=available --timeout=120s \
            deployment/openshift-gitops-operator-controller-manager \
            -n openshift-gitops-operator
          kubectl get pods -n openshift-gitops-operator

🎯 Functional Correctness | 🟠 Major | ⚡ Quick win

Controller verification targets the wrong Deployment/namespace

Line 54–57 waits for deployment/openshift-gitops-operator-controller-manager in openshift-gitops-operator, but make deploy applies config/default, which resolves to the controller in argocd-operator-system (argocd-operator-controller-manager). This will make the CI check fail even when deploy succeeds.

Suggested fix
       - name: Verify Controller Manager deployment is available
         run: |
           kubectl wait --for=condition=available --timeout=120s \
-            deployment/openshift-gitops-operator-controller-manager \
-            -n openshift-gitops-operator
-          kubectl get pods -n openshift-gitops-operator
+            deployment/argocd-operator-controller-manager \
+            -n argocd-operator-system
+          kubectl get pods -n argocd-operator-system
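
Review bot: `kubectl get pods` still sits after `kubectl wait` in the same `run: |` script, and the default bash shell for a run step exits at the first failing command, so when the wait times out the pod listing never runs and the job log has no pod status to debug from. Move the listing into a separate step with `if: always()`, or print pod status before exiting on failure. The namespace is also repeated on three lines; a single step-level env variable would keep the wait and the listing from drifting apart.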

Source: Linked repositories

assisted-by: ClaudeCode
Signed-off-by: Anand Kumar Singh <anandrkskd@gmail.com>
assisted-by: ClaudeCode
Signed-off-by: Anand Kumar Singh <anandrkskd@gmail.com>

@coderabbitai coderabbitai Bot left a comment

♻️ Duplicate comments (2)
.github/workflows/deploy-test.yaml (2)

17-17: 🔒 Security & Privacy | 🟠 Major | ⚡ Quick win

Pin all GitHub Actions to immutable SHAs.

Lines 17, 20, and 25 use floating tags (@v4, @v5, @v1), which weakens supply-chain integrity under strict CI policy.

Suggested pattern
-        uses: actions/checkout@v4
+        uses: actions/checkout@<full-commit-sha>

-        uses: actions/setup-go@v5
+        uses: actions/setup-go@<full-commit-sha>

-        uses: helm/kind-action@v1
+        uses: helm/kind-action@<full-commit-sha>
#!/bin/bash
# Verify unpinned GitHub Action refs in workflow files (expects matches for floating tags)
rg -nP '^\s*uses:\s*[^@]+@v[0-9]+(\.[0-9]+)?\s*$' .github/workflows

Also applies to: 20-20, 25-25

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/deploy-test.yaml at line 17, The GitHub Actions in the
deploy-test.yaml workflow file are specified with floating version tags (`@v4`,
`@v5`, `@v1`) instead of immutable commit SHAs, which weakens supply-chain security.
For each of the three uses statements on lines 17, 20, and 25, replace the
floating version tag (the `@vX` portion) with the full commit SHA of that specific
action version. This ensures that the exact version of the action is always used
and cannot be changed unexpectedly by upstream maintainers.

Source: Linters/SAST tools


16-17: 🔒 Security & Privacy | 🟠 Major | ⚡ Quick win

Disable checkout credential persistence.

Line 17 uses default token persistence in actions/checkout, which is unnecessary for this workflow and broadens token exposure across subsequent steps.

Suggested patch
       - name: Checkout code
         uses: actions/checkout@v4
+        with:
+          persist-credentials: false
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/deploy-test.yaml around lines 16 - 17, The Checkout code
step uses actions/checkout@v4 with default token persistence enabled, which
unnecessarily exposes the authentication token across subsequent workflow steps.
Add the persist-credentials parameter set to false in the actions/checkout@v4
step configuration to disable credential persistence and reduce the token
exposure surface.

Source: Linters/SAST tools

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Enterprise

Run ID: 8c590d01-a18c-43d1-842a-c520e43b8b13

📥 Commits

Reviewing files that changed from the base of the PR and between 7a41a6d and 67df3df.

📒 Files selected for processing (1)
  • .github/workflows/deploy-test.yaml
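
Both findings repeated in this review (action refs not pinned to a full commit SHA, and actions/checkout without persist-credentials: false) can be checked locally before pushing. The following is an added example, not code from the PR, CodeRabbit or zizmor: a line-based Python check whose rule labels reuse the zizmor audit names quoted above. The sample workflow and its 40-hex ref are constructed placeholders, and `audit_workflow` and `check_step` are hypothetical names.

```python
import re

# Constructed sample modelled on the steps quoted in the review; the 40-hex
# ref is an obvious placeholder, not a real commit of actions/checkout.
SAMPLE_WORKFLOW = """\
jobs:
  deploy-test:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v4
      - name: Setup Go
        uses: actions/setup-go@v5
      - name: Create kind cluster
        uses: helm/kind-action@v1
      - name: Pinned checkout
        uses: actions/checkout@0123456789abcdef0123456789abcdef01234567  # v4
        with:
          persist-credentials: false
"""

USES_RE = re.compile(r"^\s*(?:-\s+)?uses:\s*['\"]?([^\s'\"#]+)")
PERSIST_OFF_RE = re.compile(r"^\s*persist-credentials:\s*['\"]?false\b")
FULL_SHA_RE = re.compile(r"[0-9a-f]{40}")
ITEM_RE = re.compile(r"^\s*-\s")


def check_step(step, findings):
    """Apply both checks to one list item given as [(line_no, text), ...]."""
    persist_off = any(PERSIST_OFF_RE.match(text) for _, text in step)
    for line_no, text in step:
        m = USES_RE.match(text)
        if not m or m.group(1).startswith(("./", "docker://")):
            continue  # not an action reference, or a local action / image
        ref = m.group(1)
        name, _, rev = ref.partition("@")
        if not FULL_SHA_RE.fullmatch(rev):
            findings.append((line_no, "unpinned-uses", ref))
        if name.lower() == "actions/checkout" and not persist_off:
            findings.append((line_no, "artipacked", ref))


def audit_workflow(text):
    """Return (line_no, rule, action_ref) findings for one workflow file."""
    findings, step, indent = [], [], None
    for line_no, line in enumerate(text.splitlines(), 1):
        cur = len(line) - len(line.lstrip())
        if ITEM_RE.match(line) and (indent is None or cur <= indent):
            check_step(step, findings)  # a sibling "- " item starts a new step
            step, indent = [], cur
        elif indent is not None and line.strip() and cur <= indent:
            check_step(step, findings)  # dedent: the list has ended
            step, indent = [], None
        if indent is not None:
            step.append((line_no, line))
    check_step(step, findings)
    return findings
```

Run `audit_workflow` over the text of each file in .github/workflows and fail the job when the list is non-empty. The check is indentation-based rather than a YAML parse, so it accepts `persist-credentials: false` anywhere inside the step.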

@openshift-ci

openshift-ci Bot commented Jun 23, 2026

@anandrkskd: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name | Commit | Details | Required | Rerun command
ci/prow/v4.14-kuttl-sequential | 7a41a6d | link | false | /test v4.14-kuttl-sequential
ci/prow/v4.19-kuttl-parallel | 67df3df | link | true | /test v4.19-kuttl-parallel
