Validate main promotion: Prow includedBranches + periodic current-release, require release-X disabled only when repo has main/master

[deepsm007]

CI fails when an image tag (e.g. ocp/4.23) is promoted from more than one branch (e.g. both main and release-4.23). Each promotion target must have exactly one promoting branch: main should be the current development branch (e.g. 4.22) and only release-X should promote to X. This PR adds a validation check so we catch misconfigurations in CI instead of at runtime.

What

• New check: make check-validate-main-promotion (wired into make check) runs hack/validate-main-promotion-guard.py.
• No new config file: The check uses existing sources of truth:
  • Current release (e.g. 4.22, 4.23, 5.0): from periodic-prow-auto-config-brancher in ci-operator/jobs/infra-periodics.yaml (--current-release=), same as config-brancher.
  • Which repos are in scope: Repos whose core-services/prow/02_config/{org}/{repo}/_prowconfig.yaml has openshift-{current} or release-{current} in a tide query’s includedBranches (i.e. they have that release as the development branch).

Rules enforced

1. Main/master configs in those repos must promote only to the current release: ocp/{current} and ocp-private/{current}-priv. They must not be disabled.
2. Release/openshift-{current} configs (*-release-4.22.yaml, *-openshift-4.22.yaml) must have promotion disabled — but only for repos that also have a main or master config. Repos that only have versioned configs (e.g. etcd with only openshift-4.22) are excluded so they can keep promoting from that branch.

Result

• At release branching, only the periodic job’s --current-release (and Prow’s includedBranches) need to be updated; the validator adapts to 4.22, 4.23, 5.0, etc.
• Duplicate promotion from main and release-X is caught by make check before merge.

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: deepsm007

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS [deepsm007]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[openshift-ci-robot]

[REHEARSALNOTIFIER]
@deepsm007: no rehearsable tests are affected by this change

Note: If this PR includes changes to step registry files (ci-operator/step-registry/) and you expected jobs to be found, try rebasing your PR onto the base branch. This helps pj-rehearse accurately detect changes when the base branch has moved forward.

Interacting with pj-rehearse

Comment: /pj-rehearse to run up to 5 rehearsals
Comment: /pj-rehearse skip to opt-out of rehearsals
Comment: /pj-rehearse {test-name}, with each test separated by a space, to run one or more specific rehearsals
Comment: /pj-rehearse more to run up to 10 rehearsals
Comment: /pj-rehearse max to run up to 25 rehearsals
Comment: /pj-rehearse auto-ack to run up to 5 rehearsals, and add the rehearsals-ack label on success
Comment: /pj-rehearse list to get an up-to-date list of affected jobs
Comment: /pj-rehearse abort to abort all active rehearsals
Comment: /pj-rehearse network-access-allowed to allow rehearsals of tests that have the restrict_network_access field set to false. This must be executed by an openshift org member who is not the PR author

Once you are satisfied with the results of the rehearsals, comment: /pj-rehearse ack to unblock merge. When the rehearsals-ack label is present on your PR, merge will no longer be blocked by rehearsals.
If you would like the rehearsals-ack label removed, comment: /pj-rehearse reject to re-block merging.

[openshift-ci]

@deepsm007: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.