NO-ISSUE: Add LVMS branching automation script #2404

Open: pacevedom wants to merge 1 commit into main from release-branch-script


@pacevedom pacevedom commented May 25, 2026

Automates the 7-step release branching procedure for lvm-operator, covering GitHub branching, prodsec updates, Konflux release data, tekton config updates, and Konflux SA push secret verification.

All steps are idempotent and can be re-run safely.

Summary by CodeRabbit

New Features

  • Added release branching automation tool with dry-run support, step-by-step execution control, and interactive checkpoints.
  • Automates release branch management and configuration updates.

Automates the 7-step release branching procedure for lvm-operator,
covering GitHub branching, prodsec updates, Konflux release data,
tekton config updates, and Konflux SA push secret verification.

All steps are idempotent and can be re-run safely.
@openshift-ci-robot openshift-ci-robot added the jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. label May 25, 2026
@openshift-ci-robot

@pacevedom: This pull request explicitly references no jira issue.



coderabbitai Bot commented May 25, 2026

Walkthrough

Adds hack/branch-release.sh, a comprehensive bash script automating the full release branching workflow for lvm-operator across seven ordered steps: creating/pushing release branches, updating prodsec registries, editing Konflux manifests, retargeting Tekton pipelines, regenerating catalogs, and verifying Konflux secret configuration. Includes validation, dry-run support, and interactive step control.

Changes

Release Branch Automation Script

| Layer / File(s) | Summary |
|---|---|
| Script foundation and scaffolding (hack/branch-release.sh) | Argument parsing, colored logging, version derivation, tool/repo validation, repository syncing, interactive prompts, dry-run wrapper, and safe sed-based text replacement. |
| Re-runnability and validation helpers (hack/branch-release.sh) | Branch hygiene utilities for local deletion and remote existence checks; validation that expected old-version references and required files exist. |
| GitHub branching and prodsec update (hack/branch-release.sh) | Step 1: Create and push release-X.Y branch. Step 2: Update prodsec ps_update_streams.json with new operator entry via jq and create feature branch for MR. |
| Konflux manifest and version updates (hack/branch-release.sh) | Step 3: Create Konflux feature branch, duplicate and edit operator/catalog version YAMLs (updating revisions and kustomization entries), run tenant config generation, update ReleasePlanAdmission YAMLs. |
| Release branch Tekton pipeline retargeting (hack/branch-release.sh) | Step 4: Edit .tekton/* YAMLs on release branch to retarget main-branch triggers to release branch and preserve older pipeline files. |
| Main branch component and version updates (hack/branch-release.sh) | Step 5: Edit .tekton/* YAMLs to replace old version identifiers with new version, update CATALOG_VERSION and image tags, update release/container-build.args and release/konflux.make. |
| Catalog template regeneration (hack/branch-release.sh) | Step 6: Prompt for PR-merge confirmation, reset main to origin, run make catalog-template, and display next actions. |
| Konflux secret verification and linking (hack/branch-release.sh) | Step 7: Verify oc access and namespace, ensure image-push secrets marked as common, link service accounts to image-push and registry secrets, validate results. |
| Main execution flow and orchestration (hack/branch-release.sh) | Entry point: parse arguments, validate prerequisites, support single-step execution via --step, orchestrate Steps 1–5 with interactive prompts, remind user of manual Steps 6–7. |

🎯 3 (Moderate) | ⏱️ ~20 minutes


Caution

Pre-merge checks failed

Please resolve all errors before merging. Addressing warnings is optional.


❌ Failed checks (1 error, 1 warning)

| Check name | Status | Explanation | Resolution |
|---|---|---|---|
| Stable And Deterministic Test Names | ❌ Error | Test names in test/e2e/lvm_pvc_test.go use fmt.Sprintf() with loop variables (pvMode, pvcType), violating the requirement for static, deterministic test names that don't change between runs. | Replace dynamic Context(fmt.Sprintf(...)) patterns with static test names describing what's being tested, moving the variable values into test setup/assertions. |
| Docstring Coverage | ⚠️ Warning | Docstring coverage is 35.71% which is insufficient. The required threshold is 80.00%. | Write docstrings for the functions missing them to satisfy the coverage threshold. |

✅ Passed checks (10 passed)

| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title clearly summarizes the main change: adding an automation script for LVMS release branching. It is concise and directly reflects the primary purpose of the changeset. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Test Structure And Quality | ✅ Passed | The PR adds only a bash script (hack/branch-release.sh), not Ginkgo test code. The custom check is for Ginkgo test quality and is not applicable. |
| Microshift Test Compatibility | ✅ Passed | PR adds only a bash automation script (hack/branch-release.sh), not Ginkgo e2e tests. MicroShift test compatibility check is inapplicable. |
| Single Node Openshift (Sno) Test Compatibility | ✅ Passed | PR adds only a bash automation script (hack/branch-release.sh) with no Ginkgo e2e tests. The SNO test compatibility check applies only when Ginkgo tests are added, so it is not applicable here. |
| Topology-Aware Scheduling Compatibility | ✅ Passed | The PR adds hack/branch-release.sh, a bash automation script for release branching, not deployment manifests, operator code, or controllers. No Kubernetes scheduling constraints detected. |
| Ote Binary Stdout Contract | ✅ Passed | OTE Binary Stdout Contract check is for Go test binaries using OTE framework. PR adds only a bash automation script with no Go code, test code, or OTE test infrastructure. |
| Ipv6 And Disconnected Network Test Compatibility | ✅ Passed | PR adds a bash release automation script (hack/branch-release.sh) with no Ginkgo e2e tests. The IPv6/disconnected network check applies only to e2e tests. |

@openshift-ci openshift-ci Bot added the size/XXL Denotes a PR that changes 1000+ lines, ignoring generated files. label May 25, 2026
@openshift-ci openshift-ci Bot requested review from qJkee and suleymanakbas91 May 25, 2026 08:40

openshift-ci Bot commented May 25, 2026

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: pacevedom


@openshift-ci openshift-ci Bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label May 25, 2026
@pacevedom

/cc @mmakwana30 @jeff-roche @qJkee

@openshift-ci openshift-ci Bot requested review from jeff-roche and mmakwana30 May 25, 2026 08:40

@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 3


ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 919b7197-ba61-4aec-a386-984f65e5d1f9

📥 Commits

Reviewing files that changed from the base of the PR and between 370c239 and 3360e7a.

📒 Files selected for processing (1)
  • hack/branch-release.sh

Comment thread hack/branch-release.sh
--konflux-dir PATH Path to konflux-release-data repo
--prodsec-dir PATH Path to product-definitions repo
--dry-run Show what would be done without making changes
--step STEP Run only a specific step (1-6)

⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Update help text to include step 7.

The help text states "Run only a specific step (1-6)" but step 7 (Konflux SA secrets verification) exists and is documented below at line 112.

📝 Proposed fix
-  --step STEP              Run only a specific step (1-6)
+  --step STEP              Run only a specific step (1-7)
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@hack/branch-release.sh` at line 84, Update the help text string that
currently reads "--step STEP              Run only a specific step (1-6)" to
include step 7 (e.g. "1-7") so the usage matches the documented Konflux SA
secrets verification step; locate the help/usage output in
hack/branch-release.sh (the line containing the "--step STEP" description) and
change the range from 1-6 to 1-7.

Comment thread hack/branch-release.sh
Comment on lines +506 to +517
# Perform sed replacement with backup for safety
sed_replace() {
local pattern="${1}"
local replacement="${2}"
local file="${3}"

if [[ "${DRY_RUN}" == "true" ]]; then
log_dry_run "sed -i 's/${pattern}/${replacement}/g' ${file}"
else
sed -i "s/${pattern}/${replacement}/g" "${file}"
fi
}
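Review bot: the header comment on `sed_replace` promises a replacement "with backup for safety", but the executed line `sed -i "s/${pattern}/${replacement}/g" "${file}"` passes no backup suffix, so no backup is ever written. Either drop "with backup" from the comment or keep a copy of `${file}` before the edit and remove it once the step succeeds. The dry-run branch also logs the program in single quotes with `${file}` unquoted, which is not the command that runs in the `else` branch; log the same quoting that is executed.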

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

sed -i portability issue: fails on macOS.

The sed -i command at line 515 is not portable between Linux (GNU sed) and macOS (BSD sed). BSD sed requires an extension argument: sed -i '' ... or sed -i.bak ....

🔧 Proposed fix
 sed_replace() {
     local pattern="${1}"
     local replacement="${2}"
     local file="${3}"
 
     if [[ "${DRY_RUN}" == "true" ]]; then
         log_dry_run "sed -i 's/${pattern}/${replacement}/g' ${file}"
     else
-        sed -i "s/${pattern}/${replacement}/g" "${file}"
+        # Use a temporary file for portability across GNU and BSD sed
+        sed "s/${pattern}/${replacement}/g" "${file}" > "${file}.tmp" && mv "${file}.tmp" "${file}"
     fi
 }
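Review bot: on the `+` lines, `> "${file}.tmp" && mv "${file}.tmp" "${file}"` uses a fixed temporary name and replaces the target with a newly created file, so an existing `${file}.tmp` is overwritten, the target's mode and ownership are not carried over, and a failed `sed` leaves the partial `${file}.tmp` behind. Create the temporary file with `mktemp` in the same directory and remove it on failure. The unchanged dry-run line still logs `sed -i ...`, which after this change is no longer the command that runs.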
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@hack/branch-release.sh` around lines 506 - 517, The sed_replace function is
using non-portable sed -i which fails on macOS; update sed_replace to detect
platform or sed flavor (e.g., check uname or sed --version) and use a portable
approach: for GNU sed keep sed -i "s/.../.../g", for BSD/macOS use sed -i ''
"s/.../.../g" or perform the edit via a safe tempfile (mktemp) and mv to replace
the original; ensure the DRY_RUN branch prints the actual command that will be
executed for the chosen method and that any temporary backup file behavior is
handled/removed so file contents are identical after replacement.

Comment thread hack/branch-release.sh
Comment on lines +507 to +515
sed_replace() {
local pattern="${1}"
local replacement="${2}"
local file="${3}"

if [[ "${DRY_RUN}" == "true" ]]; then
log_dry_run "sed -i 's/${pattern}/${replacement}/g' ${file}"
else
sed -i "s/${pattern}/${replacement}/g" "${file}"

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

sed_replace does not escape regex special characters.

The pattern and replacement parameters are passed directly to sed without escaping. If these contain regex metacharacters (e.g., ., *, [, ], /), the substitution may fail or produce unexpected results. Version strings contain . which matches any character in regex.

Consider escaping special characters or using a delimiter other than / that won't appear in the patterns. For example, use | as the delimiter: sed "s|${pattern}|${replacement}|g" which reduces conflicts, though full escaping would be more robust.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@hack/branch-release.sh` around lines 507 - 515, The sed_replace function
currently injects unescaped pattern and replacement into sed which breaks when
pattern/replacement contain regex metacharacters (e.g., '.' in version strings);
update sed_replace to either escape regex/shell-special characters for both
${pattern} and ${replacement} before calling sed, or switch to a safer delimiter
(e.g., use | or a control character) in the sed substitution to avoid conflicts;
ensure both the DRY_RUN branch (log_dry_run message) and the actual sed
invocation in sed_replace use the same escaped/delimited form so the logged
command matches the executed command.
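A hardened form of `sed_replace` that covers both review comments above (literal matching of version strings, and no dependency on `sed -i`), as an added example that is not the PR's code. The helper names `escape_sed_pattern` and `escape_sed_replacement` are hypothetical, `printf` stands in for the script's `log_dry_run`, and single-line inputs are assumed.

```bash
#!/usr/bin/env bash
# Added example; not the code in hack/branch-release.sh.
# Assumption: pattern and replacement are single-line strings.

# Make a string match literally as a sed BRE when "/" is the s-command delimiter.
escape_sed_pattern() {
    printf '%s' "${1}" | sed -e 's|[][\\/.*^$]|\\&|g'
}

# In the replacement, only "\", "&" and the delimiter are special.
escape_sed_replacement() {
    printf '%s' "${1}" | sed -e 's|[\\/&]|\\&|g'
}

# Replace every literal occurrence of $1 with $2 in file $3.
sed_replace() {
    local pattern replacement file tmp rc=0
    # An empty pattern would make sed reuse the "previous" regex; reject it.
    [ -n "${1}" ] || { echo "sed_replace: empty pattern" >&2; return 2; }
    pattern="$(escape_sed_pattern "${1}")"
    replacement="$(escape_sed_replacement "${2}")"
    file="${3}"

    if [ "${DRY_RUN:-false}" = "true" ]; then
        # printf stands in for log_dry_run; it logs the escaped program that would run.
        printf '[dry-run] sed "s/%s/%s/g" "%s"\n' "${pattern}" "${replacement}" "${file}"
        return 0
    fi

    # Avoid "sed -i" (GNU and BSD sed take different arguments). Stage the output
    # in a mktemp file next to the target, then copy it back so the target keeps
    # its inode, mode and ownership. The copy-back is not atomic.
    tmp="$(mktemp "${file}.XXXXXX")" || return 1
    if sed "s/${pattern}/${replacement}/g" "${file}" > "${tmp}"; then
        cat "${tmp}" > "${file}" || rc=1
    else
        rc=1
    fi
    rm -f "${tmp}"
    return "${rc}"
}
```

With the unescaped original, the pattern `4.19` would also rewrite a string such as `4x19`, because `.` matches any character.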


openshift-ci Bot commented May 25, 2026

@pacevedom: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

| Test name | Commit | Details | Required | Rerun command |
|---|---|---|---|---|
| ci/prow/e2e-aws-hypershift | 3360e7a | link | true | /test e2e-aws-hypershift |
| ci/prow/snyk-deps | 3360e7a | link | false | /test snyk-deps |
| ci/prow/precommit-check | 3360e7a | link | true | /test precommit-check |
| ci/prow/e2e-aws | 3360e7a | link | true | /test e2e-aws |
| ci/prow/e2e-aws-single-node | 3360e7a | link | true | /test e2e-aws-single-node |
| ci/prow/unit-test | 3360e7a | link | true | /test unit-test |
