chore(SREP-4482, SREP-4486, SREP-4800: Boilerplate Update for Agentic SDLC Rollout)

.ci-operator.yaml

@@ -1,4 +1,4 @@
 build_root_image:
   name: boilerplate
   namespace: openshift
-  tag: image-v8.3.4
+  tag: image-v8.3.6

.claude/commands/pre-commit.md

@@ -0,0 +1,94 @@
+Run pre-commit hooks on this repository following the agentic SDLC golden rules (SREP-4450).
+
+## Usage
+- `/pre-commit` — run on staged files (default, fastest)
+- `/pre-commit --all-files` — run on all files (first-time setup, CI equivalent)
+- `/pre-commit <hook-id>` — run a single hook by ID (targeted debugging)
+
+## What you must do
+
+### Step 1 — Preflight checks
+
+1. Confirm `.pre-commit-config.yaml` exists in the repo root. If not, tell the user and stop.
+2. Confirm `pre-commit` is installed: run `which pre-commit`. If not found, run `pip install pre-commit` or `pip3 install pre-commit`.
+3. Confirm hooks are installed: check if `.git/hooks/pre-commit` exists. If not, run `pre-commit install`.
+
+### Step 2 — Run hooks
+
+Determine the run mode from `$ARGUMENTS`:
+- `--all-files` → run `pre-commit run --all-files`
+- `<hook-id>` (a word that is not a flag) → run `pre-commit run <hook-id>`
+- empty or default → run `pre-commit run` (staged files only)
+
+Capture the full stdout and stderr output.
+
+### Step 3 — Parse and categorise results
+
+For each hook in the output, classify it as one of:
+- **Passed** — hook exited 0, no changes
+- **Auto-fixed** — hook exited non-zero but modified files (trailing-whitespace, end-of-file-fixer)
+- **Failed** — hook exited non-zero, no auto-fix
+
+Extract for each failure:
+- Hook ID and name
+- Affected files and line numbers if present
+- The error message
+- Whether it is a security hook (gitleaks, rbac-wildcard-check)
+
+### Step 4 — Handle auto-fixes (idempotency loop, golden rule 9)
+
+If any hooks auto-fixed files:
+1. Stage the modified files: `git add <auto-fixed files>`
+2. Re-run the hooks on staged files
+3. Report what was fixed
+
+### Step 5 — Retry on failure (golden rule 19, max 2 iterations)
+
+Track `attempt_count` starting at 1.
+
+For each non-security failure with an identifiable fix:
+1. Apply the fix (edit the file, run the suggested command)
+2. Stage the changes
+3. Re-run `pre-commit run`
+4. Increment `attempt_count`
+
+**Stop retrying when:**
+- All hooks pass → report success
+- `attempt_count` reaches 3 → stop, escalate to human (see Step 6)
+- A security hook fails → stop immediately, escalate to human (see Step 6)
+
+### Step 6 — Escalate to human when required
+
+Escalate (do not retry further) when:
+- A **security hook** fires (gitleaks, rbac-wildcard-check) — these require human judgment
+- Hooks still fail after **2 fix-and-retry attempts**
+- A hook **timed out** — this indicates a systemic issue, not a fixable code problem
+
+When escalating, report:
+- Which hook is failing
+- The exact error output
+- What was already attempted
+- The recommended next action for the human
+
+### Step 7 — Final report
+
+Always end with a structured summary:
+
+```
+PRE-COMMIT SUMMARY
+==================
+Passed:     <list of hook IDs>
+Auto-fixed: <list of hook IDs> → files staged
+Fixed:      <list of hook IDs> → changes applied
+Failed:     <list of hook IDs> → escalated to human
+Attempts:   <N> of 2 maximum
+```
+
+## Rules you must never break
+
+- **Never run `git commit --no-verify`** — bypassing all hooks is not permitted
+- **Never modify `.pre-commit-config.yaml`** to suppress a failing hook
+- **Never retry more than twice** — escalate on the third failure
+- **Never auto-fix a security hook failure** — always escalate to human
+- **Always stage auto-fixed files** before re-running — do not leave unstaged modifications
+- **Always report what changed** — the human must be able to review every fix you applied

.codecov.yml

@@ -8,8 +8,14 @@ coverage:
   range: "20...100"
 
   status:
-    project: no
-    patch: no
+    project:
+      default:
+        target: 35%
+        threshold: 1%
+    patch:
+      default:
+        target: 50%
+        threshold: 1%
     changes: no
 
 parsers:

OWNERS_ALIASES

@@ -4,8 +4,8 @@
 # =============================================================================
 aliases:
   srep-functional-team-aurora:
-    - abyrne55
     - AlexSmithGH
+    - BATMAN-JD
     - dakotalongRH
     - eth1030
     - joshbranham
@@ -73,7 +73,6 @@ aliases:
     - yiqinzhang
     - varunraokadaparthi
   srep-functional-leads:
-    - abyrne55
     - clcollins
     - bergmannf
     - theautoroboto
@@ -91,5 +90,4 @@ aliases:
     - maorfr
     - rogbas
   srep-architects:
-    - jharrington22
     - cblecker

boilerplate/_data/backing-image-tag

@@ -1 +1 @@
-image-v8.3.4
+image-v8.3.6

boilerplate/_data/last-boilerplate-commit

@@ -1 +1 @@
-28f0d527a87f963961e218687f8e481acf62e47d
+c2342f1bcec55d87fd028e5c1d7f105c745eb32e

boilerplate/openshift/golang-osd-operator/.codecov.yml

@@ -8,8 +8,14 @@ coverage:
   range: "20...100"
 
   status:
-    project: no
-    patch: no
+    project:
+      default:
+        target: 35%
+        threshold: 1%
+    patch:
+      default:
+        target: 50%
+        threshold: 1%
     changes: no
 
 parsers:

boilerplate/openshift/golang-osd-operator/OWNERS_ALIASES

@@ -4,8 +4,8 @@
 # =============================================================================
 aliases:
   srep-functional-team-aurora:
-    - abyrne55
     - AlexSmithGH
+    - BATMAN-JD
     - dakotalongRH
     - eth1030
     - joshbranham
@@ -73,7 +73,6 @@ aliases:
     - yiqinzhang
     - varunraokadaparthi
   srep-functional-leads:
-    - abyrne55
     - clcollins
     - bergmannf
     - theautoroboto
@@ -91,5 +90,4 @@ aliases:
     - maorfr
     - rogbas
   srep-architects:
-    - jharrington22
     - cblecker

boilerplate/openshift/golang-osd-operator/README.md

@@ -157,7 +157,7 @@ With `FIPS_ENABLED=true`, `ensure-fips` is always run before `make go-build`
 - If an additional deployment image has to be built and appended to the CSV as part of the build process, then the consumer needs to:
   - Specify `SupplementaryImage` which is the deployment name in the consuming repository's `config/config.go`.
   - Define the image to be built as `ADDITIONAL_IMAGE_SPECS` in the consuming repository's Makefile, Boilerplate later parses this image as part of the build process; [ref](https://github.com/openshift/boilerplate/blob/master/boilerplate/openshift/golang-osd-operator/standard.mk#L56).
-  
+
   e.g.
 
     ```.mk

boilerplate/openshift/golang-osd-operator/TEST_README.md

@@ -156,10 +156,10 @@ class TestManifestProcessing(unittest.TestCase):
         """Test description."""
         # Arrange
         manifest_str = "..."
-        
+
         # Act
         result = migration.some_function(manifest_str)
-        
+
         # Assert
         self.assertEqual(result, expected_value)
 ```

boilerplate/openshift/golang-osd-operator/app-sre.md

@@ -28,8 +28,8 @@ An example of how to do this for the `staging` branch is below (`production` ste
 ```
 git checkout staging
 git pull upstream staging
-git reset --hard upstream/staging                
-git push origin staging --force                                                                            
+git reset --hard upstream/staging  
+git push origin staging --force  
 ```
 
 ## Set environment variables

boilerplate/openshift/golang-osd-operator/csv-generate/csv-generate.sh

@@ -169,11 +169,11 @@ if [[ -z "$SKIP_SAAS_FILE_CHECKS" ]]; then
 
             if [[ "$delete" == false ]]; then
                 short_hash=$(echo "$version" | cut -d- -f2)
-                
+
                 # before comparing the short_hash to the deployment hash, remove the leading g added in https://issues.redhat.com/browse/OSD-13681
-                # short_hash should be 7 char long without the leading g. 
+                # short_hash should be 7 char long without the leading g.
                 [ ${#short_hash} -gt 7 ] && short_hash=${short_hash:1:7}
-                
+
                 if [[ "$DEPLOYED_HASH" == "${short_hash}"* ]]; then
                     delete=true
                 fi

boilerplate/openshift/golang-osd-operator/golangci.yml

@@ -1,39 +1,76 @@
 version: "2"
-run:
-  concurrency: 10
+
 linters:
-  default: none
   enable:
+    # Error Handling & Security
     - errcheck
-    - gosec
     - govet
-    - ineffassign
-    - misspell
     - staticcheck
+    - gosec
+    - bodyclose
+    - sqlclosecheck
+    - contextcheck
+    - noctx
+
+    # Error Prevention
+    - errorlint
+    - nilerr
+    - nilnil
+    - revive
+
+    # Code Quality
+    - ineffassign
+    - unconvert
+    - unparam
     - unused
+    - misspell
+
+    # Maintainability
+    - prealloc
+    - nolintlint
+    - gocyclo
+    - exhaustive
+    - makezero
+    - containedctx
+
   settings:
+    revive:
+      rules:
+        - name: package-comments
+          disabled: true
+
+    errcheck:
+      check-type-assertions: true
+      check-blank: false
+
+  exclusions:
+    presets:
+      - std-error-handling
+
+    gocyclo:
+      min-complexity: 15
+
+    errorlint:
+      errorf: true
+      asserts: true
+      comparison: true
+
     misspell:
       extra-words:
         - typo: openshit
           correction: OpenShift
-  exclusions:
-    generated: lax
-    presets:
-      - comments
-      - common-false-positives
-      - legacy
-      - std-error-handling
-    paths:
-      - third_party/
-      - builtin/
-      - examples/
+
+run:
+  timeout: 5m
+  # Incremental linting (new-from-rev) is passed via the Makefile's
+  # go-check target. In CI it uses PULL_BASE_SHA (guaranteed to exist
+  # even in shallow clones); locally it falls back to origin/HEAD.
+
+formatters:
+  enable:
+    - gofmt
+    - goimports
+
 issues:
   max-issues-per-linter: 0
   max-same-issues: 0
-formatters:
-  exclusions:
-    generated: lax
-    paths:
-      - third_party/
-      - builtin/
-      - examples/