CI: add unit test, CodeQL, FIPS, stale, and labeler workflows #17

Open

GowthamShanmugam wants to merge 2 commits into opendatahub-io:master from GowthamShanmugam:RHOAIENG-52034

Conversation


@GowthamShanmugam GowthamShanmugam commented Apr 30, 2026

Add GitHub Actions workflows to complement the existing Konflux build pipeline:

  • unit-tests: runs make test-unit on PRs and pushes
  • codeql: Go security scanning on PRs, pushes, and weekly
  • fips-compliance: FIPS check against Dockerfile.redhat on PRs
  • stale: auto-close inactive issues/PRs after 180+14 days
  • labeler: auto-label PRs by files changed (ci, go, tests, etc.)

Issue: https://redhat.atlassian.net/browse/RHOAIENG-52034

Made-with: Cursor

Description

How Has This Been Tested?

Merge criteria:

  • The commits are squashed in a cohesive manner and have meaningful messages.
  • Testing instructions have been added in the PR body (for PRs involving changes that are not immediately obvious).
  • The developer has manually tested the changes and verified that the changes work

Summary by CodeRabbit

  • Chores
    • Added CodeQL security analysis workflow for automated vulnerability scanning
    • Added FIPS compliance verification for container images
    • Added automated PR labeling based on file changes
    • Added stale issue and pull request management automation
    • Added unit test execution workflow


openshift-ci Bot commented Apr 30, 2026

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: GowthamShanmugam

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment


coderabbitai Bot commented Apr 30, 2026

📝 Walkthrough

Walkthrough

This pull request introduces six new GitHub Actions workflow files and one labeler configuration file to the .github/ directory. The additions establish automated CI/CD processes for label management, security scanning (CodeQL), FIPS compliance validation, stale issue/PR cleanup, and unit testing. All changes are configuration-based with no modifications to existing workflows or application code.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

Security findings

.github/workflows/codeql.yml

  • CodeQL job timeout set to 15 minutes may be insufficient for initial analysis on larger codebases; consider increasing to 30+ minutes to prevent premature job cancellation and incomplete security findings.

.github/workflows/fips-compliance.yml

  • Docker image tagged as kube-rbac-proxy:fips-test with VERSION=test build argument could inadvertently be used in non-test environments if image naming conventions are not enforced elsewhere; recommend explicit registry scoping or immutable tagging strategy.
  • check-payload scan results are not validated before artifact upload; if the scan exits with non-zero status, the artifact may contain incomplete or corrupted data. Consider explicit error handling to validate scan success before artifact archival.
  • Build uses BUILDPLATFORM=linux/amd64 hardcoded, limiting FIPS validation to single architecture; if multi-arch support is required, expand platform matrix or document the limitation.

.github/workflows/stale.yml

  • No minimum PR/issue age requirement before stale labeling (defaults to 180 days inactivity); verify this threshold aligns with project SLA expectations and doesn't incorrectly mark legitimately dormant but important issues.

.github/labeler.yml

  • No validation that labels defined in configuration actually exist in repository settings; non-existent labels will silently fail to apply. Recommend automating label creation or documenting required pre-configuration.

🚥 Pre-merge checks | ✅ 4

✅ Passed checks (4 passed)

  • Title check: ✅ Passed. The title accurately summarizes the main change: introduction of five new CI/CD workflows for unit testing, security analysis, compliance checks, issue management, and automated labeling.
  • Linked Issues check: ✅ Passed. Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check: ✅ Passed. Check skipped because no linked issues were found for this pull request.
  • Description Check: ✅ Passed. Check skipped: CodeRabbit’s high-level summary is enabled.



@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 10

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/codeql.yml:
- Line 24: The workflow uses mutable tags like "actions/checkout@v4" and the
various "github/codeql-action/*" step references which are susceptible to
supply-chain attacks; replace each "uses: actions/checkout@vX" and every "uses:
github/codeql-action/..." entry with the corresponding immutable full commit SHA
for that action (i.e., fetch the action's repository commit SHA you want to pin
and update the uses value to "repo@<full-commit-sha>") so that actions/checkout
and all github/codeql-action steps are pinned to specific commits.
- Around line 20-24: Update the workflow job permissions block to include the
missing scopes required by the checkout step and follow least-privilege
guidance: add "contents: read" so actions/checkout@v4 can access repository
files, and add "actions: read" to align with CodeQL starter recommendations;
modify the existing permissions: security-events: write to include these two
read entries in the same permissions mapping.

In @.github/workflows/fips-compliance.yml:
- Around line 53-60: The workflow uploads kube-rbac-proxy-fips.tar on failure
but no step creates that archive; add a short preceding step (e.g., "Package
fips artifacts") that collects the relevant outputs (build logs, binaries, test
artifacts) and creates kube-rbac-proxy-fips.tar (using tar or equivalent) so the
"Upload build artifacts on failure" step actually uploads content; reference the
artifact name kube-rbac-proxy-fips.tar and the upload step name "Upload build
artifacts on failure" when adding the packaging step so it runs before the
upload and only when the files exist.
- Line 18: Replace mutable tag-based action references with immutable commit
SHAs: locate each "uses:" entry (e.g., actions/checkout@v4 and the three other
action references flagged) and change the tag (e.g., `@v4`) to the corresponding
full commit SHA for that action repository (uses:
actions/checkout@<full-commit-sha> etc.), verifying you picked the intended
release commit; update all four occurrences so every workflow action is pinned
to its specific commit SHA.
- Around line 12-15: The fips-compliance job is missing an explicit permissions
block; add a permissions mapping under the fips-compliance job to constrain the
GITHUB_TOKEN to the least-privilege scope required (for example set minimal
rights like contents: read and any specific scopes the job needs), ensuring the
permissions key is present directly under the fips-compliance job definition so
GitHub uses the restricted token for that job.
- Around line 37-40: The workflow clones and builds upstream code without
pinning to an immutable revision; after the git clone of
https://github.com/openshift/check-payload into /tmp/check-payload (or before
running make), add an explicit checkout to a specific commit SHA (e.g., run git
-C /tmp/check-payload checkout <COMMIT_SHA> or cd /tmp/check-payload && git
checkout <COMMIT_SHA>) so the subsequent make operates on a fixed, immutable
commit rather than the branch tip.

In @.github/workflows/labeler.yml:
- Line 14: The workflow uses a mutable tag "actions/labeler@v5" which can be
modified upstream; replace that with the action pinned to its immutable full
commit SHA (the v5 release commit) so the workflow refers to a fixed revision;
locate the step that currently specifies "uses: actions/labeler@v5" and
substitute the tag with the full commit SHA for the v5 release (e.g., "uses:
actions/labeler@<full-commit-sha>") to ensure reproducible behavior.

In @.github/workflows/stale.yml:
- Line 15: Replace the loose tag reference "actions/stale@v9" under the uses:
declaration with a pinned full commit SHA for the actions/stale action; locate
the uses: actions/stale@v9 entry and change it to uses:
actions/stale@<full-commit-sha> (obtain the SHA from the action's GitHub repo
release/commit you want to lock to) so the workflow is pinned to that exact
commit.

In @.github/workflows/unit-tests.yml:
- Around line 19-20: Replace the tag-based GitHub Action references with
immutable commit SHAs to prevent upstream retargeting: locate the usages of
actions/checkout@v4 and actions/setup-go@v5 in the workflow and change each to
the corresponding full commit SHA for that action (e.g.,
actions/checkout@<FULL_SHA> and actions/setup-go@<FULL_SHA>), ensuring you fetch
the verified commit SHAs from the official action repositories and update both
occurrences so the workflow pins to those exact commits.
- Around line 14-17: The unit-tests job currently lacks an explicit permissions
block which grants broader default tokens; update the "unit-tests" job in
.github/workflows/unit-tests.yml to add a job-level permissions entry
restricting the GitHub token to only what checkout needs (e.g., add permissions:
contents: read) so the job uses least-privilege access; place the permissions
block directly under the unit-tests job definition (near
name/runs-on/timeout-minutes) to ensure actions/checkout only gets read access.


📥 Commits

Reviewing files that changed from the base of the PR and between 180858d and ae6704b.

📒 Files selected for processing (6)
  • .github/labeler.yml
  • .github/workflows/codeql.yml
  • .github/workflows/fips-compliance.yml
  • .github/workflows/labeler.yml
  • .github/workflows/stale.yml
  • .github/workflows/unit-tests.yml
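The review comments above return to two fixes across every workflow: pin each `uses:` reference to a full commit SHA instead of a mutable tag, and give each job an explicit least-privilege `permissions:` block. As an added example (not code from this PR or from the repository it targets), the following checker flags both conditions in workflow YAML, run here against a constructed weak job and its hardened form; the 40-hex SHA in the hardened sample is a placeholder, not a real actions/checkout commit.

```python
import re

# Constructed sample, modelled on the review findings: tag-pinned actions and a
# job with no permissions block. This is not the PR's own workflow YAML.
WEAK = """\
jobs:
  unit-tests:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-go@v5
      - run: make test-unit
"""

# Same job with the fixes the review asks for. The SHA below is a placeholder,
# not a real actions/checkout commit; take the real one from the action's releases.
HARDENED = """\
jobs:
  unit-tests:
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567
      - run: make test-unit
"""

FULL_SHA = re.compile(r"^[0-9a-f]{40}$")
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")

def unpinned_actions(workflow_text):
    """Return (line_no, ref) for each `uses:` not pinned to a 40-hex commit SHA; local (./) and docker:// refs are skipped."""
    findings = []
    for no, line in enumerate(workflow_text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m or m.group(1).startswith(("./", "docker://")):
            continue
        _, _, version = m.group(1).partition("@")  # text after '@' is the pinned ref
        if not FULL_SHA.match(version):
            findings.append((no, m.group(1)))
    return findings

def has_permissions_block(workflow_text):
    """True if a `permissions:` key is present at workflow or job level."""
    return any(re.match(r"^\s*permissions:", l) for l in workflow_text.splitlines())

if __name__ == "__main__":
    for label, text in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, unpinned_actions(text), "permissions:", has_permissions_block(text))
```

Running it reports the two tag-pinned actions and the missing permissions block for the weak job, and nothing for the hardened one; the same functions can be pointed at each file under .github/workflows/ in turn.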

@GowthamShanmugam GowthamShanmugam force-pushed the RHOAIENG-52034 branch 2 times, most recently from a7baf0c to 5d2e9b6 on April 30, 2026 11:15

Remove the inherited upstream build.yml (build/publish handled by
Konflux, e2e not needed in GitHub Actions). Replace with focused
workflows:
- unit-tests: license check, code generation, lint, make test-unit
- codeql: Go security scanning on PRs, pushes, and weekly
- fips-compliance: FIPS check against Dockerfile.redhat on PRs
- stale: auto-close inactive issues/PRs after 180+14 days
- labeler: auto-label PRs by files changed (ci, go, tests, etc.)

Made-with: Cursor