From f9d61a2ee735d3e13d699f99334123728fd5e399 Mon Sep 17 00:00:00 2001
From: Simon Pasquier <spasquie@redhat.com>
Date: Mon, 2 Mar 2026 17:16:08 +0100
Subject: [PATCH 1/3] Add Prow config for github.com/rhobs/configuration

github.com/rhobs/configuration is a private repository holding
configuration for the Observatorium resources (which are the underlying
infrastructure for the OpenShift Telemeter server). Private GitHub
repositories can't configure protected branches which is why we look for
Prow to gate the merging of pull requests.

Signed-off-by: Simon Pasquier <spasquie@redhat.com>
---
 .../rhobs/configuration/.config.prowgen       |  2 +
 ci-operator/config/rhobs/configuration/OWNERS | 23 ++++++
 .../rhobs-configuration-main.yaml             | 22 ++++++
 ci-operator/jobs/rhobs/configuration/OWNERS   | 23 ++++++
 .../rhobs-configuration-main-presubmits.yaml  | 72 ++++++++++++++++++
 .../rhobs/configuration/_pluginconfig.yaml    | 76 +++++++++++++++++++
 .../rhobs/configuration/_prowconfig.yaml      | 14 ++++
 7 files changed, 232 insertions(+)
 create mode 100644 ci-operator/config/rhobs/configuration/.config.prowgen
 create mode 100644 ci-operator/config/rhobs/configuration/OWNERS
 create mode 100644 ci-operator/config/rhobs/configuration/rhobs-configuration-main.yaml
 create mode 100644 ci-operator/jobs/rhobs/configuration/OWNERS
 create mode 100644 ci-operator/jobs/rhobs/configuration/rhobs-configuration-main-presubmits.yaml
 create mode 100644 core-services/prow/02_config/rhobs/configuration/_pluginconfig.yaml
 create mode 100644 core-services/prow/02_config/rhobs/configuration/_prowconfig.yaml

diff --git a/ci-operator/config/rhobs/configuration/.config.prowgen b/ci-operator/config/rhobs/configuration/.config.prowgen
new file mode 100644
index 0000000000000..321afc9650c25
--- /dev/null
+++ b/ci-operator/config/rhobs/configuration/.config.prowgen
@@ -0,0 +1,2 @@
+private: true
+expose: true
diff --git a/ci-operator/config/rhobs/configuration/OWNERS b/ci-operator/config/rhobs/configuration/OWNERS
new file mode 100644
index 0000000000000..989e0022e3841
--- /dev/null
+++ b/ci-operator/config/rhobs/configuration/OWNERS
@@ -0,0 +1,23 @@
+# DO NOT EDIT; this file is auto-generated using https://github.com/openshift/ci-tools.
+# Fetched from https://github.com/rhobs/configuration root OWNERS
+# If the repo had OWNERS_ALIASES then the aliases were expanded
+# Logins who are not members of 'openshift' organization were filtered out
+# See the OWNERS docs: https://git.k8s.io/community/contributors/guide/owners.md
+
+approvers:
+- philipgough
+- saswatamcode
+- moadz
+- xperimental
+- JoaoBraveCoding
+- dustman9000
+- simonpasquier
+options: {}
+reviewers:
+- philipgough
+- saswatamcode
+- moadz
+- xperimental
+- JoaoBraveCoding
+- dustman9000
+- simonpasquier
diff --git a/ci-operator/config/rhobs/configuration/rhobs-configuration-main.yaml b/ci-operator/config/rhobs/configuration/rhobs-configuration-main.yaml
new file mode 100644
index 0000000000000..42c8c664f2c1b
--- /dev/null
+++ b/ci-operator/config/rhobs/configuration/rhobs-configuration-main.yaml
@@ -0,0 +1,22 @@
+build_root:
+  image_stream_tag:
+    name: release
+    namespace: openshift
+    tag: rhel-9-release-golang-1.25-openshift-4.22
+resources:
+  '*':
+    limits:
+      memory: 4Gi
+    requests:
+      cpu: 100m
+      memory: 200Mi
+tests:
+- as: build
+  commands: make grafana manifests prometheusrules format lint validate && git diff
+    --exit-code
+  container:
+    from: src
+zz_generated_metadata:
+  branch: main
+  org: rhobs
+  repo: configuration
diff --git a/ci-operator/jobs/rhobs/configuration/OWNERS b/ci-operator/jobs/rhobs/configuration/OWNERS
new file mode 100644
index 0000000000000..989e0022e3841
--- /dev/null
+++ b/ci-operator/jobs/rhobs/configuration/OWNERS
@@ -0,0 +1,23 @@
+# DO NOT EDIT; this file is auto-generated using https://github.com/openshift/ci-tools.
+# Fetched from https://github.com/rhobs/configuration root OWNERS
+# If the repo had OWNERS_ALIASES then the aliases were expanded
+# Logins who are not members of 'openshift' organization were filtered out
+# See the OWNERS docs: https://git.k8s.io/community/contributors/guide/owners.md
+
+approvers:
+- philipgough
+- saswatamcode
+- moadz
+- xperimental
+- JoaoBraveCoding
+- dustman9000
+- simonpasquier
+options: {}
+reviewers:
+- philipgough
+- saswatamcode
+- moadz
+- xperimental
+- JoaoBraveCoding
+- dustman9000
+- simonpasquier
diff --git a/ci-operator/jobs/rhobs/configuration/rhobs-configuration-main-presubmits.yaml b/ci-operator/jobs/rhobs/configuration/rhobs-configuration-main-presubmits.yaml
new file mode 100644
index 0000000000000..c7d05a471390d
--- /dev/null
+++ b/ci-operator/jobs/rhobs/configuration/rhobs-configuration-main-presubmits.yaml
@@ -0,0 +1,72 @@
+presubmits:
+  rhobs/configuration:
+  - agent: kubernetes
+    always_run: true
+    branches:
+    - ^main$
+    - ^main-
+    cluster: build01
+    context: ci/prow/build
+    decorate: true
+    decoration_config:
+      skip_cloning: true
+    labels:
+      ci.openshift.io/generator: prowgen
+      pj-rehearse.openshift.io/can-be-rehearsed: "true"
+    name: pull-ci-rhobs-configuration-main-build
+    rerun_command: /test build
+    spec:
+      containers:
+      - args:
+        - --gcs-upload-secret=/secrets/gcs/service-account.json
+        - --image-import-pull-secret=/etc/pull-secret/.dockerconfigjson
+        - --oauth-token-path=/usr/local/github-credentials/oauth
+        - --report-credentials-file=/etc/report/credentials
+        - --target=build
+        command:
+        - ci-operator
+        env:
+        - name: HTTP_SERVER_IP
+          valueFrom:
+            fieldRef:
+              fieldPath: status.podIP
+        image: quay-proxy.ci.openshift.org/openshift/ci:ci_ci-operator_latest
+        imagePullPolicy: Always
+        name: ""
+        ports:
+        - containerPort: 8080
+          name: http
+        resources:
+          requests:
+            cpu: 10m
+        volumeMounts:
+        - mountPath: /secrets/gcs
+          name: gcs-credentials
+          readOnly: true
+        - mountPath: /usr/local/github-credentials
+          name: github-credentials-openshift-ci-robot-private-git-cloner
+          readOnly: true
+        - mountPath: /secrets/manifest-tool
+          name: manifest-tool-local-pusher
+          readOnly: true
+        - mountPath: /etc/pull-secret
+          name: pull-secret
+          readOnly: true
+        - mountPath: /etc/report
+          name: result-aggregator
+          readOnly: true
+      serviceAccountName: ci-operator
+      volumes:
+      - name: github-credentials-openshift-ci-robot-private-git-cloner
+        secret:
+          secretName: github-credentials-openshift-ci-robot-private-git-cloner
+      - name: manifest-tool-local-pusher
+        secret:
+          secretName: manifest-tool-local-pusher
+      - name: pull-secret
+        secret:
+          secretName: registry-pull-credentials
+      - name: result-aggregator
+        secret:
+          secretName: result-aggregator
+    trigger: (?m)^/test( | .* )build,?($|\s.*)
diff --git a/core-services/prow/02_config/rhobs/configuration/_pluginconfig.yaml b/core-services/prow/02_config/rhobs/configuration/_pluginconfig.yaml
new file mode 100644
index 0000000000000..c9be0ef02bc24
--- /dev/null
+++ b/core-services/prow/02_config/rhobs/configuration/_pluginconfig.yaml
@@ -0,0 +1,76 @@
+approve:
+- commandHelpLink: ""
+  repos:
+  - rhobs/configuration
+  require_self_approval: false
+external_plugins:
+  rhobs/configuration:
+  - endpoint: http://refresh
+    events:
+    - issue_comment
+    name: refresh
+  - endpoint: http://cherrypick
+    events:
+    - issue_comment
+    - pull_request
+    name: cherrypick
+  - endpoint: http://needs-rebase
+    events:
+    - issue_comment
+    - pull_request
+    name: needs-rebase
+  - endpoint: http://backport-verifier
+    events:
+    - issue_comment
+    - pull_request
+    name: backport-verifier
+  - endpoint: http://payload-testing-prow-plugin
+    events:
+    - issue_comment
+    name: payload-testing-prow-plugin
+  - endpoint: http://jira-lifecycle-plugin
+    events:
+    - issue_comment
+    - pull_request
+    name: jira-lifecycle-plugin
+  - endpoint: http://pipeline-controller
+    events:
+    - pull_request
+    - issue_comment
+    name: pipeline-controller
+  - endpoint: http://multi-pr-prow-plugin
+    events:
+    - issue_comment
+    name: multi-pr-prow-plugin
+lgtm:
+- repos:
+  - rhobs/configuration
+  review_acts_as_lgtm: true
+plugins:
+  rhobs/configuration:
+    plugins:
+    - assign
+    - blunderbuss
+    - cat
+    - dog
+    - heart
+    - golint
+    - goose
+    - help
+    - hold
+    - jira
+    - label
+    - lgtm
+    - lifecycle
+    - override
+    - pony
+    - retitle
+    - shrug
+    - sigmention
+    - skip
+    - trigger
+    - verify-owners
+    - owners-label
+    - wip
+    - yuks
+    - approve
diff --git a/core-services/prow/02_config/rhobs/configuration/_prowconfig.yaml b/core-services/prow/02_config/rhobs/configuration/_prowconfig.yaml
new file mode 100644
index 0000000000000..57d6243960f0c
--- /dev/null
+++ b/core-services/prow/02_config/rhobs/configuration/_prowconfig.yaml
@@ -0,0 +1,14 @@
+tide:
+  queries:
+  - labels:
+    - approved
+    - lgtm
+    missingLabels:
+    - backports/unvalidated-commits
+    - do-not-merge/hold
+    - do-not-merge/invalid-owners-file
+    - do-not-merge/work-in-progress
+    - jira/invalid-bug
+    - needs-rebase
+    repos:
+    - rhobs/configuration

From 1a7f7e69b8ad25efdbc7d27fe1a4325893c03eef Mon Sep 17 00:00:00 2001
From: Simon Pasquier <spasquie@redhat.com>
Date: Tue, 3 Mar 2026 10:14:26 +0100
Subject: [PATCH 2/3] Remove cherrypicker plugin

---
 .../02_config/rhobs/configuration/_pluginconfig.yaml   | 10 ----------
 1 file changed, 10 deletions(-)

diff --git a/core-services/prow/02_config/rhobs/configuration/_pluginconfig.yaml b/core-services/prow/02_config/rhobs/configuration/_pluginconfig.yaml
index c9be0ef02bc24..37e108b2032c9 100644
--- a/core-services/prow/02_config/rhobs/configuration/_pluginconfig.yaml
+++ b/core-services/prow/02_config/rhobs/configuration/_pluginconfig.yaml
@@ -9,21 +9,11 @@ external_plugins:
     events:
     - issue_comment
     name: refresh
-  - endpoint: http://cherrypick
-    events:
-    - issue_comment
-    - pull_request
-    name: cherrypick
   - endpoint: http://needs-rebase
     events:
     - issue_comment
     - pull_request
     name: needs-rebase
-  - endpoint: http://backport-verifier
-    events:
-    - issue_comment
-    - pull_request
-    name: backport-verifier
   - endpoint: http://payload-testing-prow-plugin
     events:
     - issue_comment

From ffa25a3ec94134191b08703ea1a99f1caa88c162 Mon Sep 17 00:00:00 2001
From: Simon Pasquier <spasquie@redhat.com>
Date: Tue, 3 Mar 2026 11:55:37 +0100
Subject: [PATCH 3/3] Disable branch protection for rhobs/configuration

The project is private but on a free plan which doesn't allow to enable
branch protection.

Signed-off-by: Simon Pasquier <spasquie@redhat.com>
---
 .../prow/02_config/rhobs/configuration/_prowconfig.yaml     | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/core-services/prow/02_config/rhobs/configuration/_prowconfig.yaml b/core-services/prow/02_config/rhobs/configuration/_prowconfig.yaml
index 57d6243960f0c..781d4de3315f5 100644
--- a/core-services/prow/02_config/rhobs/configuration/_prowconfig.yaml
+++ b/core-services/prow/02_config/rhobs/configuration/_prowconfig.yaml
@@ -1,3 +1,9 @@
+branch-protection:
+  orgs:
+    rhobs:
+      repos:
+        configuration:
+          unmanaged: true
 tide:
   queries:
   - labels: