
OSAC-1535: Add OSAC connected CI job #528

Open

eurijon wants to merge 6 commits into main from feature/osac-ci-e2e-reusable


Conversation

eurijon (Contributor) commented Jun 19, 2026

Summary

  • Make e2e-deployment.yml callable as a reusable workflow (workflow_call) with inputs for plugin chain, AAP license file, run mode selection, and cleanup/notification controls
  • Add e2e-osac.yml — thin caller workflow that deploys the OSAC plugin stack (lvms → trust-manager → rhbk → authorino → aap → osac) in connected mode
  • Add explicit deploy-plugin steps for each OSAC addon plugin (trust-manager, rhbk, authorino, aap, cnv, osac) to both connected and disconnected E2E jobs, conditionally run based on enabled-plugins
  • Add AAP license file handling to deploy_plugin.sh for CI environments (copies license to LZ, generates osac.yaml with osacProfilesList: [caas])

The job calls make deploy-plugin separately for each addon because addon plugin installation from bootstrap.sh was temporarily removed in #476.

Depends on #525.

Changes to e2e-deployment.yml

  • workflow_call trigger with inputs mirroring workflow_dispatch plus enabled-plugins and aap-license-file
  • check-e2e-needed resolves run_connected/run_disconnected from caller inputs (needed because the inputs context is unreliable in workflow_call)
  • Job conditions use resolved outputs instead of checking inputs directly
  • ENABLED_PLUGINS and AAP_LICENSE_FILE env vars set from inputs
  • Explicit conditional addon plugin deploy steps (trust-manager, rhbk, authorino, aap, cnv, osac) in both connected and disconnected jobs
  • Cleanup conditions simplified (work for both dispatch and call)

Adding more OSAC CI modes

To add disconnected mode, update e2e-osac.yml:

run-disconnected: true

Or create a separate e2e-osac-disconnected.yml caller for independent triggers.

Test plan

  • Verify yamllint passes on both workflow files
  • Verify shellcheck passes on deploy_plugin.sh
  • Verify existing E2E jobs are unaffected (no behavioral change when enabled-plugins is empty)
  • Manual dispatch of E2E OSAC workflow deploys the full plugin chain

🤖 Generated with Claude Code

Summary by CodeRabbit

Release Notes

  • New Features

    • Made the E2E deployment workflow reusable with selectable connected/disconnected execution modes, configurable plugins, and optional AAP license path support.
    • Added an OSAC-dedicated E2E workflow that runs in connected mode with OSAC-related plugins enabled.
  • Improvements

    • Improved Landing Zone plugin deployment to inject an AAP license file when provided.
    • Enhanced “full” CI artifact collection with additional problem-pod log capture and plugin-focused namespace diagnostics.
  • Chores

    • Simplified E2E cleanup behavior for reusable runs.

coderabbitai Bot commented Jun 19, 2026

Walkthrough

The PR adds reusable OSAC E2E workflow inputs, a new OSAC caller workflow, AAP license propagation in deployment, and extra CI artifact collection for plugin-related namespaces and pods.

Changes

OSAC E2E plugin-chain support

| Layer | File(s) | Summary |
| --- | --- | --- |
| Reusable workflow inputs and mode selection | .github/workflows/e2e-deployment.yml | Adds workflow_call inputs for run mode, plugin selection, and AAP license path; updates decision logic to resolve connected and disconnected execution for reusable callers; emits the run-mode outputs used by downstream jobs. |
| Plugin deployment gating and cleanup | .github/workflows/e2e-deployment.yml | Gates connected and disconnected jobs on the resolved run-mode outputs, passes ENABLED_PLUGINS and AAP_LICENSE_FILE into both jobs, adds conditional deploy steps for trust-manager, rhbk, authorino, aap, cnv, and osac, and updates cleanup and failure-step tracking to match the new step sequence. |
| OSAC caller workflow | .github/workflows/e2e-osac.yml | Adds the e2e-osac.yml workflow with manual and pull request triggers, path filters, concurrency control, minimal permissions, and a single connected-only call into the reusable deployment workflow. |
| AAP license handling in deploy_plugin.sh | scripts/deployment/deploy_plugin.sh | Adds AAP_LICENSE_FILE validation and transfer to the Landing Zone, appends osacAapLicenseFile to extra vars, and creates config/plugins/osac.yaml with the license path and osacProfilesList: [caas] when absent. |
| Plugin diagnostics in CI artifact collection | scripts/verification/collect_ci_artifacts.sh | Expands cluster artifact collection with a second pass for problematic pods, adds plugin-to-namespace diagnostics when ENABLED_PLUGINS is set, and invokes that collection during the full artifact flow. |

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Suggested labels

plugins

Suggested reviewers

  • javipolo
  • rporres

Poem

A license zipped, a plugin chain took flight,
And logs grew sharper in the fading light.
Reusable gates now steer the run,
While cleanup waits for work to be done.
⚠️ Medium risk: workflow routing, deployment inputs, and diagnostics all changed.


Caution

Pre-merge checks failed

Please resolve all errors before merging. Addressing warnings is optional.

❌ Failed checks (1 error, 1 warning)

| Check name | Status | Explanation | Resolution |
| --- | --- | --- | --- |
| No-Sensitive-Data-In-Logs | ❌ Error | New artifact collection logs raw oc logs, oc describe, and oc get ... -o wide output, which can expose env secrets, hostnames, and app data. | Redact sensitive fields before writing artifacts, avoid -o wide/oc describe in CI, and gate raw pod logs behind a sanitized opt-in or private-only debug path. |
| Docstring Coverage | ⚠️ Warning | Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%. | Write docstrings for the functions missing them to satisfy the coverage threshold. |

✅ Passed checks (9 passed)

| Check name | Status | Explanation |
| --- | --- | --- |
| Title check | ✅ Passed | The title is specific and relevant: it highlights the new OSAC connected CI job added by the PR, though it omits other workflow and deployment updates. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| No-Hardcoded-Secrets | ✅ Passed | Low risk: the diff uses secret references and inputs only; no hardcoded API keys, tokens, passwords, private keys, or embedded credentials were added. |
| No-Weak-Crypto | ✅ Passed | No MD5/SHA1/DES/RC4/3DES/Blowfish/ECB, custom crypto, or secret/token comparisons were introduced in the changed workflows or shell scripts. |
| No-Injection-Vectors | ✅ Passed | PASS: No eval/exec/yaml.load/os.system/shell=True/innerHTML patterns found; new inputs are quoted, validated, or mapped to fixed namespaces. |
| Container-Privileges | ✅ Passed | No touched workflow or script introduces privileged/root/escalation settings, and repo scans found no such flags in the PR-changed files. |
| Ai-Attribution | ✅ Passed | Low risk: the Claude Code use is attributed with an Assisted-by trailer, and no AI-related Co-Authored-By misuse appears in recent commit history. |
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |

github-actions Bot added the deployment (Deployment-related changes), ci-cd (CI/CD infrastructure) and plugins labels, Jun 19, 2026
eurijon changed the base branch from integration/osac-plugin to fix/osac-profiles-list, June 19, 2026 10:18
eurijon changed the title from "OSAC-1535: Add OSAC connected CI job" to "[WIP] OSAC-1535: Add OSAC connected CI job", Jun 19, 2026
eurijon force-pushed the feature/osac-ci-e2e-reusable branch from 1b32ef3 to 5f3247e, June 19, 2026 15:12
github-actions Bot removed the plugins label, Jun 19, 2026
eurijon changed the title from "[WIP] OSAC-1535: Add OSAC connected CI job" to "OSAC-1535: Add OSAC connected CI job", Jun 19, 2026
eurijon (Contributor, Author) commented Jun 19, 2026

@coderabbitai review

coderabbitai Bot commented Jun 19, 2026

✅ Action performed

Review finished.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

coderabbitai Bot left a comment

Actionable comments posted: 6

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/e2e-deployment.yml:
- Around line 395-423: The `contains()` checks for plugin gating use substring
matching which can unintentionally match partial strings (e.g., 'osac' would
match 'myosac'). Update all the conditional statements in the deploy steps
(deploy_trust_manager, deploy_rhbk, deploy_authorino, deploy_aap, deploy_cnv,
deploy_osac) to use delimiter-based matching instead. Wrap the ENABLED_PLUGINS
environment variable and each plugin name with delimiters (such as commas) to
ensure only explicitly enabled plugins in the CSV list are matched, preventing
unintended deployments from substring collisions.
- Around line 157-165: The `inputs.storage-plugin` value is being directly
interpolated into shell commands and the GITHUB_OUTPUT without validation,
creating a critical injection vulnerability where malicious input could break
quoting, corrupt JSON output, or execute arbitrary shell code. Add validation to
ensure the storage-plugin input only contains allowed plugin names (whitelist
approach) before it is used in the PLUGIN assignment and the echo statement that
writes to storage_plugins in GITHUB_OUTPUT. Alternatively, properly escape or
quote the value to prevent shell injection when constructing the JSON output.

In @.github/workflows/e2e-osac.yml:
- Line 48: In the e2e-osac workflow file, replace the `secrets: inherit`
statement with explicit secret mapping to follow the principle of least
privilege. Instead of inheriting all repository secrets, explicitly define which
specific secrets are required for the called workflow by replacing `secrets:
inherit` with a `secrets:` block that lists only the necessary secrets with
their individual mappings. This reduces the blast radius and prevents accidental
exposure of sensitive information as the workflow evolves.
- Around line 23-28: The GitHub Actions workflow trigger configuration in the
e2e-osac.yml file is missing an entry for the lvms plugin in the paths filter.
Add `plugins/lvms/**` to the paths list in both the push trigger section (around
line 23-28) and the pull_request trigger section (around line 44) to ensure E2E
OSAC tests run whenever changes are made to the lvms plugin, which is part of
the OSAC plugin chain.

In @scripts/deployment/deploy_plugin.sh:
- Around line 151-156: The osacProfilesList in the heredoc is hardcoded to only
include the 'caas' profile, which overrides the default plugin configuration
that includes both 'caas' and 'vmaas' profiles. Update the osacProfilesList
section in the SSH command that creates the osac.yaml file to include both
'caas' and 'vmaas' profiles instead of just 'caas' to maintain the expected OSAC
capabilities.
- Around line 140-144: After the scp command that copies the AAP license file to
the Landing Zone (the line copying to ${LZ_SSH}:${LZ_AAP_LICENSE}), add a
follow-up ssh command that applies restrictive file permissions (chmod 600 or
similar least-privileged mode) to the copied license file on the remote Landing
Zone to reduce the risk of unauthorized disclosure of this sensitive file.
ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: 09dfb64e-3ad8-4478-a372-ada16c0809a7

📥 Commits

Reviewing files that changed from the base of the PR and between eb25aa2 and 5f3247e.

📒 Files selected for processing (3)
  • .github/workflows/e2e-deployment.yml
  • .github/workflows/e2e-osac.yml
  • scripts/deployment/deploy_plugin.sh

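The first two findings above (substring matching in the plugin gates, and an unvalidated storage-plugin input reaching a shell command and GITHUB_OUTPUT) translate directly into shell. The block below is an added example, not code from this PR or from the project's workflow; it puts the substring check that mirrors GitHub's `contains()` beside a delimiter-based check, and shows an allowlist applied to a caller-supplied input before it is written out. The allowlist contents (`lvms odf`) and the CSV inputs are constructed for the example; the project's real plugin names may differ.

```shell
#!/bin/sh
# Added example, not code from the PR: shell equivalents of the two fixes the
# review asks for in e2e-deployment.yml. The allowlist contents and the CSV
# inputs below are constructed for this example.
set -eu

# Substring match, the behaviour of the expression function contains() on a
# string. 'aap' is found inside 'osac-aap', so this gates the wrong step.
plugin_enabled_substring() {
  case "$1" in
    *"$2"*) return 0 ;;
    *)      return 1 ;;
  esac
}

# Delimiter-based match: wrap both the list and the name in commas so only a
# whole CSV entry matches. Spaces after commas are stripped first.
plugin_enabled() {
  list=$(printf '%s' "$1" | tr -d ' ')
  case ",${list}," in
    *",${2},"*) return 0 ;;
    *)          return 1 ;;
  esac
}

# Allowlist for a caller-supplied input before it reaches a shell command or
# $GITHUB_OUTPUT. The names are assumed for the example; use the project's
# real storage plugin list in CI.
STORAGE_PLUGIN_ALLOWLIST="lvms odf"

validate_storage_plugin() {
  for allowed in $STORAGE_PLUGIN_ALLOWLIST; do
    [ "$1" = "$allowed" ] && return 0
  done
  echo "storage-plugin '$1' is not one of: ${STORAGE_PLUGIN_ALLOWLIST}" >&2
  return 1
}

# Write the validated value as the JSON array a downstream matrix expects.
# $2 is the output file; in a workflow step pass "$GITHUB_OUTPUT".
emit_storage_plugins_output() {
  out="${2:-/dev/null}"
  validate_storage_plugin "$1" || return 1
  printf 'storage_plugins=["%s"]\n' "$1" | tee -a "$out"
}

# Demonstration on constructed inputs.
ENABLED="lvms,trust-manager,rhbk,authorino,aap,osac"
for p in lvms aap cnv osac; do
  if plugin_enabled "$ENABLED" "$p"; then echo "deploy $p"; else echo "skip $p"; fi
done
plugin_enabled_substring "osac-aap" aap && echo "substring check wrongly enables aap"
plugin_enabled "osac-aap" aap || echo "delimited check correctly skips aap"
emit_storage_plugins_output lvms
validate_storage_plugin 'lvms"' || echo "rejected malformed storage-plugin input"
```

The same comma-wrapping idea is what the review asks for in the YAML conditions themselves; doing it in a step script as above has the advantage that the rejected value is logged and never interpolated into a command line.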
eurijon (Contributor, Author) commented Jun 22, 2026

@coderabbitai approve

coderabbitai Bot commented Jun 22, 2026

✅ Action performed

Comments resolved and changes approved.

github-actions Bot added the validation (Validation and testing) label, Jun 22, 2026
Base automatically changed from fix/osac-profiles-list to integration/osac-plugin, June 23, 2026 08:53
Base automatically changed from integration/osac-plugin to main, June 25, 2026 07:23

eurijon added 4 commits June 25, 2026 15:23

Make e2e-deployment.yml callable via workflow_call so other workflows
can run E2E with a custom plugin chain. Add e2e-osac.yml as a thin
caller that deploys the OSAC stack (lvms, trust-manager, rhbk, authorino,
aap, osac) in connected mode.

Also adds AAP license file handling to deploy_plugin.sh for CI
environments where the license is pre-staged on the runner.

Assisted-by: Claude Code <noreply@anthropic.com>

Add explicit deploy-plugin steps for each OSAC addon plugin
(trust-manager, rhbk, authorino, aap, cnv, osac) to both connected
and disconnected E2E jobs. Each step is conditionally run based on
the enabled-plugins input. Replaces the hardcoded example plugin step.

Assisted-by: Claude Code <noreply@anthropic.com>

- Use delimiter-based matching for plugin gating to prevent substring
  collisions (e.g. 'aap' matching 'osac-aap')
- Restrict AAP license file permissions (chmod 600) after scp to LZ
- Add plugins/lvms/** to e2e-osac.yml path filter since lvms is part
  of the OSAC plugin chain
- Include vmaas in default osacProfilesList to match plugin defaults

Assisted-by: Claude Code <noreply@anthropic.com>

…gnostics

The CI artifact collection missed CrashLoopBackOff pods because they are
technically in Running phase. Add a second pass to capture pods with
containers in waiting state or high restart counts, including previous
container logs. Also add plugin namespace diagnostics (deployments, pods,
events) for addon plugin namespaces when ENABLED_PLUGINS is set.

Assisted-by: Claude Code <noreply@anthropic.com>
eurijon force-pushed the feature/osac-ci-e2e-reusable branch from fda5ec1 to bb0a8f8, June 25, 2026 13:24
eurijon force-pushed the feature/osac-ci-e2e-reusable branch from bb0a8f8 to ec9a123, June 25, 2026 15:11

coderabbitai Bot left a comment

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/e2e-osac.yml:
- Around line 31-34: The workflow permissions block grants unnecessary GitHub
Checks access. Update the permissions in the e2e-osac workflow so it keeps only
the required read access for contents and removes the checks: write entry, since
this job only calls a reusable workflow and does not use the Checks API.

In @scripts/verification/collect_ci_artifacts.sh:
- Around line 840-869: The plugin-to-namespace mapping in
collect_ci_artifacts.sh can leave the namespaces array empty for plugins like
lvms, yet the diagnostics loop still creates output directories and logs
attempts. Update the namespace collection flow around the ENABLED_PLUGINS
parsing and the unique_ns handling to return early when no mapped namespaces
exist, before any mkdir or ssh diagnostics work runs. Use the existing
namespaces and unique_ns logic to detect the empty case and skip the rest of the
plugin-diagnostics collection path.
ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: 0f408fc5-2f0c-4fee-b4fe-badd98741006

📥 Commits

Reviewing files that changed from the base of the PR and between 5f3247e and ec9a123.

📒 Files selected for processing (4)
  • .github/workflows/e2e-deployment.yml
  • .github/workflows/e2e-osac.yml
  • scripts/deployment/deploy_plugin.sh
  • scripts/verification/collect_ci_artifacts.sh

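The collect_ci_artifacts.sh finding above (an empty namespace list still triggering mkdir and ssh work) and the diagnostics commit's point that CrashLoopBackOff pods sit in phase Running both come down to small filtering functions. The block below is an added example and not the project's collect_ci_artifacts.sh: it expands ENABLED_PLUGINS into namespaces with an early return when nothing maps, and runs the "second pass" selection over constructed `oc get pods -A --no-headers` style lines instead of a live cluster. The plugin-to-namespace mapping and the sample pod lines are assumptions made for this example; the remote `ssh ... oc get` call is shown only as a comment.

```shell
#!/bin/sh
# Added example, not the project's collect_ci_artifacts.sh: the two behaviours
# the second review round and the diagnostics commit describe, run offline on
# constructed sample data. The plugin-to-namespace mapping is an assumption.
set -eu

# Namespaces to inspect for an addon plugin. Plugins with no addon namespace
# (lvms here) print nothing.
plugin_namespaces() {
  case "$1" in
    trust-manager) echo "cert-manager" ;;
    rhbk)          echo "rhbk-operator rhbk" ;;
    authorino)     echo "authorino-operator" ;;
    aap)           echo "aap" ;;
    cnv)           echo "openshift-cnv" ;;
    osac)          echo "osac" ;;
    *)             ;;
  esac
}

# Expand ENABLED_PLUGINS (CSV) into a de-duplicated, space-separated namespace
# list. Returns 1 and prints nothing when no plugin maps to a namespace, so
# callers can bail out before creating directories or running remote commands.
resolve_plugin_namespaces() {
  unique=""
  for plugin in $(printf '%s' "$1" | tr ',' ' '); do
    for ns in $(plugin_namespaces "$plugin"); do
      case " $unique " in
        *" $ns "*) ;;
        *) unique="${unique:+$unique }$ns" ;;
      esac
    done
  done
  [ -n "$unique" ] || return 1
  echo "$unique"
}

# Second pass over `oc get pods -A --no-headers` style lines:
#   NAMESPACE NAME READY STATUS RESTARTS AGE
# A CrashLoopBackOff or ImagePullBackOff container leaves the pod in phase
# Running, so a phase filter misses it; select on the container state column
# and on the restart count instead. Reads stdin, prints namespace/pod.
find_problem_pods() {
  awk -v max="${1:-3}" '
    NF >= 5 {
      status = $4; restarts = $5 + 0
      if ((status != "Running" && status != "Completed") || restarts >= max)
        print $1 "/" $2
    }'
}

# Plugin-namespace diagnostics with the early return. $2 is the artifact
# directory; it is only created when there is something to collect.
collect_plugin_diagnostics() {
  namespaces=$(resolve_plugin_namespaces "$1") || {
    echo "no addon namespaces mapped for ENABLED_PLUGINS='$1'; skipping" >&2
    return 0
  }
  mkdir -p "$2"
  for ns in $namespaces; do
    # In CI this is where the remote collection would run, for example
    #   ssh "$LZ_SSH" oc get deployments,pods,events -n "$ns" > "$2/$ns.txt"
    # Offline, record which namespace would have been collected.
    echo "diagnostics for namespace $ns" > "$2/$ns.txt"
  done
  echo "$namespaces"
}

# Constructed sample of `oc get pods -A --no-headers` output.
SAMPLE_PODS='osac          osac-api-7c9d            0/1   CrashLoopBackOff   7   12m
osac          osac-db-0                1/1   Running            0   12m
aap           aap-controller-web-0     1/1   Running            4   30m
rhbk          rhbk-0                   0/1   ImagePullBackOff   0   10m
cert-manager  cert-manager-5f8b        1/1   Running            0   1h
osac          osac-migrate-xk2p        0/1   Completed          0   12m'

echo "problem pods (restart threshold 3):"
printf '%s\n' "$SAMPLE_PODS" | find_problem_pods 3
ENABLED_PLUGINS="lvms,trust-manager,rhbk,aap,osac"
echo "namespaces: $(resolve_plugin_namespaces "$ENABLED_PLUGINS")"
# lvms alone maps to nothing, so no directory is created and nothing is run.
collect_plugin_diagnostics "lvms" /tmp/osac-example-diagnostics >/dev/null
```

Selecting on the STATUS column and the restart count, rather than on phase, is what catches pods that the first pass reported as healthy; the threshold is a parameter so a noisy-but-expected restart count can be tuned per pipeline.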
Remove unnecessary checks:write permission from e2e-osac workflow
and add early return for empty plugin namespace list in CI artifact
collection.

Assisted-by: Claude Code <noreply@anthropic.com>
eurijon (Contributor, Author) commented Jun 26, 2026

@coderabbitai approve

coderabbitai Bot commented Jun 26, 2026

✅ Action performed

Comments resolved and changes approved.


Labels: ci-cd (CI/CD infrastructure), deployment (Deployment-related changes), validation (Validation and testing)