HYPERFLEET-1101 - chore: add LeakTK secret scanning and update hooks #180

Open: rafabene wants to merge 1 commit into openshift-hyperfleet:main from rafabene:HYPERFLEET-1101-leaktk-migration

@rafabene

Contributor

Summary

Adds LeakTK secret scanning and updates the pre-commit configuration:

  • LeakTK v0.3.3 for secret scanning — open-source, no VPN required
  • hyperfleet-hooks updated from v0.1.0 to v0.1.1
  • pre-commit-hooks v6.0.0 for file hygiene (trailing whitespace, end-of-file-fixer, check-added-large-files)
  • AGENTS.md updated with complete hook list

After merging

Team members should run make install-hooks to install the new hooks. First commit after installation takes 3-5 minutes while LeakTK compiles (one-time).

Ref: https://redhat.atlassian.net/browse/HYPERFLEET-1101

@openshift-ci openshift-ci Bot requested review from Mischulee and ldornele June 16, 2026 16:52
@openshift-ci

openshift-ci Bot commented Jun 16, 2026

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign mbrudnoy for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@coderabbitai

coderabbitai Bot commented Jun 16, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Central YAML (base), Organization UI (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 29c7d19f-b7cc-40f3-8e6d-01c5c5d35bd4

📥 Commits

Reviewing files that changed from the base of the PR and between ec70a87 and 1e6ea05.

📒 Files selected for processing (2)
  • .pre-commit-config.yaml
  • AGENTS.md
🔗 Linked repositories identified

CodeRabbit considers these linked repositories for cross-repo context during reviews:

  • openshift-hyperfleet/architecture (manual)
  • openshift-hyperfleet/hyperfleet-api (manual)
  • openshift-hyperfleet/hyperfleet-sentinel (manual)
  • openshift-hyperfleet/hyperfleet-adapter (manual)
  • openshift-hyperfleet/hyperfleet-broker (manual)
✅ Files skipped from review due to trivial changes (1)
  • AGENTS.md
🚧 Files skipped from review as they are similar to previous changes (1)
  • .pre-commit-config.yaml

📝 Walkthrough

Summary by CodeRabbit

  • Chores

    • Updated the pre-commit hook set by bumping the hook version, adding a new secret-scanning check, and including additional file hygiene validations.
  • Documentation

    • Updated onboarding to include a make install-hooks step.
    • Expanded pre-commit guidance with a dedicated “Pre-commit Hooks” section listing the checks that run (secret scanning, commit message linting, formatting/linting, and whitespace/large-file safeguards).

Walkthrough

.pre-commit-config.yaml adds leaktk/leaktk for secret scanning, bumps hyperfleet-hooks to v0.1.1, and adds pre-commit/pre-commit-hooks with trailing-whitespace, end-of-file-fixer, and check-added-large-files. AGENTS.md inserts make install-hooks into the fresh-clone setup sequence and documents a "Pre-commit Hooks" subsection listing specific hook checks executed.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes


Supply chain surface (CWE-829, CWE-494): Three external hook repositories now execute arbitrary code in developer environments and CI pipelines.

  • leaktk/leaktk — Confirm rev is pinned to a commit SHA, not a floating tag. Tags are mutable; a compromised tag push silently replaces the hook binary without version bump.
  • pre-commit/pre-commit-hooks — Same concern. Verify rev uses a SHA, not HEAD, main, or any branch ref. Unpinned branch refs are direct code-execution injection (CWE-494).
  • hyperfleet-hooks v0.1.1 — Confirm the tag is signed or SHA-pinned. The bump from v0.1.0 introduced new executable code in pre-commit scope. Unsigned tags are forgeable.

Missing rev audit in diff summary: The diff shows hook repos were added but their rev values are not visible in the provided summaries. Ensure final config does not use floating refs or HEAD.

check-added-large-files is not a secrets control. It gates on file size, not entropy or pattern. It does not replace leaktk and should not be cited as a security mechanism.

Hook enumeration in docs (AGENTS.md): Listing active checks in developer documentation provides a discoverable bypass map. Adversaries committing to this repository now know exactly which controls exist and can route payloads around them.

🚥 Pre-merge checks | ✅ 11
✅ Passed checks (11 passed)
| Check name | Status | Explanation |
| --- | --- | --- |
| Title check | ✅ Passed | The title accurately describes the two main changes: adding LeakTK secret scanning and updating pre-commit hooks configuration. |
| Description check | ✅ Passed | The description is directly related to the changeset, detailing LeakTK integration, hook version updates, and documentation changes. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Sec-02: Secrets In Log Output | ✅ Passed | PR modifies only .pre-commit-config.yaml and AGENTS.md (config/docs); no Go source files changed; no log statements present in modified files. |
| No Hardcoded Secrets | ✅ Passed | No hardcoded secrets found. SHA-1 git hashes are legitimate pre-commit version references. Documentation correctly indicates broker credentials stored separately in broker.yaml, not hardcoded. |
| No Weak Cryptography | ✅ Passed | No weak cryptography detected. PR modifies only .pre-commit-config.yaml and AGENTS.md (configuration and documentation), with no Go source code changes or use of banned cryptographic primitives. |
| No Injection Vectors | ✅ Passed | PR adds only config and docs. No code changes introduce CWE-78, CWE-79, CWE-89, or CWE-502 injection vectors. Existing code uses safe patterns: Viper UnmarshalExact (strict YAML), CEL compile-time... |
| No Privileged Containers | ✅ Passed | Production Dockerfile runs as UID 65532 non-root. Helm deployment enforces allowPrivilegeEscalation: false with runAsUser: 65532. No privileged: true, hostPID, hostNetwork, hostIPC, or SYS_ADMIN fo... |
| No Pii Or Sensitive Data In Logs | ✅ Passed | PR modifies only .pre-commit-config.yaml and AGENTS.md—configuration and documentation files. No Go source code or logging statements are added/modified, so no new PII/sensitive data exposure in lo... |


@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.pre-commit-config.yaml:
- Around line 4-8: The LeakTK pre-commit hook in the .pre-commit-config.yaml
file is pinned to a version tag (v0.3.3) instead of a commit SHA, which violates
supply-chain security best practices. Replace the rev field value with the full
commit SHA of the LeakTK repository. Additionally, there is a version mismatch:
the architecture repo documents LeakTK as v0.3.2 but this configuration pins
v0.3.3. Either revert to v0.3.2 to align with documented standards, or add a
comment documenting the reason for the version upgrade.
ℹ️ Review info
⚙️ Run configuration

Configuration used: Central YAML (base), Organization UI (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 74e19d9a-ea1a-4549-adb0-1c92f1ffb45a

📥 Commits

Reviewing files that changed from the base of the PR and between 6cb186e and 1269a84.

📒 Files selected for processing (2)
  • .pre-commit-config.yaml
  • AGENTS.md

Comment thread .pre-commit-config.yaml
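
The SHA-pinning concern raised in the review above can be checked mechanically. The following is an added example, not code from this PR or from any of the bots: it audits a pre-commit config and flags every remote hook repo whose `rev` is not a full commit SHA. The sample config is constructed (the PR's actual file is not shown on this page), the 40-hex SHA and the `example.invalid` URL are placeholders, and the regex parsing assumes the usual one-key-per-line YAML layout.

```python
import re

# Constructed sample, NOT the PR's real config; SHA and example.invalid are placeholders.
SAMPLE_CONFIG = """\
repos:
  - repo: https://github.com/leaktk/leaktk
    rev: v0.3.3
    hooks:
      - id: leaktk.git.pre-commit
  - repo: https://github.com/pre-commit/pre-commit-hooks
    rev: 0123456789abcdef0123456789abcdef01234567  # v6.0.0 (placeholder SHA)
    hooks:
      - id: trailing-whitespace
  - repo: https://example.invalid/hyperfleet-hooks
    rev: "main"
    hooks:
      - id: example-hook
  - repo: local
    hooks:
      - id: example-local-hook
"""

REPO_LINE = re.compile(r"^\s*-\s*repo:\s*(\S+)")
REV_LINE = re.compile(r"^\s*rev:\s*['\"]?([^'\"\s#]+)")
# Full object ids only: 40 hex chars (SHA-1 repos) or 64 (SHA-256 repos).
FULL_SHA = re.compile(r"^(?:[0-9a-f]{40}|[0-9a-f]{64})$")
# pre-commit's built-in pseudo-repos carry no rev and fetch nothing remote.
NO_REV_REPOS = {"local", "meta"}


def parse_repos(config_text):
    """Collect (repo, rev) pairs; rev is None when the key is absent."""
    entries = []
    for line in config_text.splitlines():
        if m := REPO_LINE.match(line):
            entries.append([m.group(1), None])
        elif (m := REV_LINE.match(line)) and entries:
            entries[-1][1] = m.group(1)
    return [tuple(e) for e in entries]


def classify(rev):
    """pinned = full commit id; unpinned = tag, branch or abbreviated id."""
    if rev is None:
        return "missing"
    return "pinned" if FULL_SHA.match(rev.lower()) else "unpinned"


def audit(config_text):
    """Return (repo, rev, verdict) for every remote hook repository."""
    return [(repo, rev, classify(rev))
            for repo, rev in parse_repos(config_text)
            if repo not in NO_REV_REPOS]


if __name__ == "__main__":
    for repo, rev, verdict in audit(SAMPLE_CONFIG):
        print(f"{verdict:10} {rev!s:42} {repo}")
```
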
@rafabene rafabene force-pushed the HYPERFLEET-1101-leaktk-migration branch from 1269a84 to 198c794 Compare June 16, 2026 16:59
@coderabbitai

coderabbitai Bot commented Jun 16, 2026

Caution

Failed to replace (edit) comment. This is likely due to insufficient permissions or the comment being deleted.


@hyperfleet-ci-bot

hyperfleet-ci-bot Bot commented Jun 16, 2026

Risk Score: 0 — risk/low

| Signal | Detail | Points |
| --- | --- | --- |
| PR size | 35 lines | +0 |
| Sensitive paths | none | +0 |

Computed by hyperfleet-risk-scorer

@rafabene rafabene force-pushed the HYPERFLEET-1101-leaktk-migration branch from 198c794 to ec70a87 Compare June 16, 2026 17:06
@rafabene

Contributor Author

/retest

@rafabene

Contributor Author

/retest ci/prow/lint

@openshift-ci

openshift-ci Bot commented Jun 16, 2026

@rafabene: The /retest command does not accept any targets.
The following commands are available to trigger required jobs:

/test helm-test
/test images
/test lint
/test presubmits-images
/test presubmits-integration
/test unit
/test validate-commits

The following commands are available to trigger optional jobs:

/test risk-scorer

Use /test all to run the following jobs that were automatically triggered:

pull-ci-openshift-hyperfleet-hyperfleet-sentinel-main-images
pull-ci-openshift-hyperfleet-hyperfleet-sentinel-main-lint
pull-ci-openshift-hyperfleet-hyperfleet-sentinel-main-presubmits-images
pull-ci-openshift-hyperfleet-hyperfleet-sentinel-main-presubmits-integration
pull-ci-openshift-hyperfleet-hyperfleet-sentinel-main-risk-scorer
pull-ci-openshift-hyperfleet-hyperfleet-sentinel-main-unit
pull-ci-openshift-hyperfleet-hyperfleet-sentinel-main-validate-commits
Details

In response to this:

/retest ci/prow/lint

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

- Add LeakTK v0.3.3 for secret scanning (open-source, no VPN required)
- Update hyperfleet-hooks from v0.1.0 to v0.1.1
- Add pre-commit-hooks v6.0.0 for file hygiene (trailing whitespace, EOF, large files)
- Update AGENTS.md with complete hook list
@rafabene rafabene force-pushed the HYPERFLEET-1101-leaktk-migration branch from ec70a87 to 1e6ea05 Compare June 16, 2026 17:29