Merged
53 changes: 26 additions & 27 deletions workflows/cve-fixer/component-repository-mappings.json
Expand Up @@ -23,11 +23,11 @@
"v2.28.0-fixes",
"v2.27.0-fixes"
],
"branch_strategy": "Fix in main \u2192 auto-propagates to stable \u2192 rhoai (every 2 hours). Manual cherry-pick to release branches during code freeze.",
"branch_strategy": "Fix in main auto-propagates to stable rhoai (every 2 hours). Manual cherry-pick to release branches during code freeze.",
"cve_fix_workflow": {
"primary_target": "main",
"backport_targets": "Active vX.X.X-fixes branches for released versions",
"automation": "Auto-sync every 2 hours (main \u2192 stable \u2192 rhoai)",
"automation": "Auto-sync every 2 hours (main stable rhoai)",
"manual_intervention": "Cherry-pick during code freeze or for patch releases"
},
"repository_type": "monorepo",
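Review bot: Dropping the `\u2192` characters from `branch_strategy` and `automation` in this hunk removes the ordering information rather than just the non-ASCII symbol: "Fix in main auto-propagates to stable rhoai (every 2 hours)" and "Auto-sync every 2 hours (main stable rhoai)" no longer say which branch feeds which. If the intent is ASCII-only strings, substitute an ASCII separator instead of deleting the arrow, e.g. `"branch_strategy": "Fix in main -> auto-propagates to stable -> rhoai (every 2 hours). Manual cherry-pick to release branches during code freeze."` and `"automation": "Auto-sync every 2 hours (main -> stable -> rhoai)"`.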
Expand All @@ -49,38 +49,37 @@
"opendatahub-io/models-as-a-service": {
"github_url": "https://github.com/opendatahub-io/models-as-a-service",
"default_branch": "main",
"protected_branches": [],
"active_release_branches": [],
"branch_strategy": "TBD - needs investigation",
"active_release_branches": [
"stable",
"rhoai",
"v0.1.x"
],
"branch_strategy": "Fix in main. stable and rhoai are release snapshots — backport manually as needed. v0.1.x is a separate release branch with independent commits.",
"repo_type": "upstream",
"subcomponent": "maas-api",
Comment on lines +52 to +59
Contributor
⚠️ Potential issue | 🟠 Major

Add protected_branches for these explicit release branches.

The CVE fixer safety rules only know custom protected branches from protected_branches. These entries now add stable, v0.1.x, and rhoai-3.x release branches but omit that field, so automation can treat release lines as writable branches.

🛡️ Proposed fix
         "github_url": "https://github.com/opendatahub-io/models-as-a-service",
         "default_branch": "main",
+        "protected_branches": [
+          "main",
+          "stable",
+          "rhoai",
+          "v0.1.x"
+        ],
         "active_release_branches": [
           "stable",
           "rhoai",
           "v0.1.x"
         ],
@@
         "github_url": "https://github.com/red-hat-data-services/models-as-a-service",
         "default_branch": "main",
+        "protected_branches": [
+          "main",
+          "rhoai-3.3",
+          "rhoai-3.4",
+          "rhoai-3.4-ea.1",
+          "rhoai-3.4-ea.2"
+        ],
         "active_release_branches": [
           "rhoai-3.3",
           "rhoai-3.4",
           "rhoai-3.4-ea.1",

Also applies to: 67-76

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@workflows/cve-fixer/component-repository-mappings.json` around lines 52 - 59,
This mapping block adds release branches via "active_release_branches" but omits
the CVE fixer-safe "protected_branches" field; update the JSON object that
contains "active_release_branches", "branch_strategy", "repo_type", and
"subcomponent" to include a "protected_branches" array listing the explicit
release branches (e.g., "stable", "v0.1.x", "rhoai-3.x") so automation treats
those lines as protected; apply the same change to the other similar mapping
block mentioned (the one around the 67-76 range).

"cve_fix_workflow": {
"primary_target": "main",
"backport_targets": "TBD",
"automation": "Unknown",
"manual_intervention": "Unknown"
"backport_targets": "stable, rhoai, v0.1.x (manual cherry-pick)"
},
"build_location": "maas-api/",
"notes": "Upstream repository. Contains maas-api Go application. Builds using Dockerfile.konflux for Red Hat builds.",
"repo_type": "upstream",
"subcomponent": "maas-api"
"build_location": "maas-api/"
},
"red-hat-data-services/models-as-a-service": {
"github_url": "https://github.com/red-hat-data-services/models-as-a-service",
"default_branch": "rhoai-3.0",
"protected_branches": [],
"default_branch": "main",
"active_release_branches": [
"rhoai-3.0"
"rhoai-3.3",
"rhoai-3.4",
"rhoai-3.4-ea.1",
"rhoai-3.4-ea.2"
],
"branch_strategy": "TBD - needs investigation",
"branch_strategy": "Fork of upstream. RHOAI release branches follow pattern rhoai-X.Y.",
"repo_type": "downstream",
"subcomponent": "maas-api",
"cve_fix_workflow": {
"primary_target": "rhoai-3.0",
"backport_targets": "rhoai-3.0",
"automation": "Manual backport from upstream",
"manual_intervention": "Cherry-pick or re-apply fixes from upstream repo"
"primary_target": "main",
"backport_targets": "rhoai-3.3, rhoai-3.4, rhoai-3.4-ea.1, rhoai-3.4-ea.2"
},
"build_location": "maas-api/",
"notes": "Downstream Red Hat release repository for maas-api. Fixes from upstream should be backported to rhoai-3.0 branch.",
"repo_type": "downstream",
"subcomponent": "maas-api"
"build_location": "maas-api/"
}
}
},
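Review bot: The downstream `red-hat-data-services/models-as-a-service` entry in this hunk drops `automation` and `manual_intervention` from `cve_fix_workflow` while moving `primary_target` to `main` and listing four `rhoai-3.x` branches in `backport_targets`, so the mapping no longer states how a fix on `main` reaches those release branches (the removed lines said `"automation": "Manual backport from upstream"` and `"manual_intervention": "Cherry-pick or re-apply fixes from upstream repo"`). Keep those two fields, or fold the statement into `branch_strategy`, which currently only describes the naming pattern. The same hunk also removes both `notes` fields, including the hint that the upstream repo builds with `Dockerfile.konflux`; if that context still applies, it should survive somewhere in the entry. Both removals compound the missing `protected_branches` already flagged in the comment above.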
Expand Down Expand Up @@ -441,7 +440,7 @@
"rhoai-3.0",
"rhoai-3.2"
],
"branch_strategy": "Fork of upstream (now archived). Downstream only \u2014 upstream code migrated into llm-d-inference-scheduler. No branches beyond rhoai-3.2.",
"branch_strategy": "Fork of upstream (now archived). Downstream only upstream code migrated into llm-d-inference-scheduler. No branches beyond rhoai-3.2.",
"repo_type": "downstream",
"notes": "Upstream llm-d/llm-d-routing-sidecar is archived; code moved to llm-d-inference-scheduler (cmd/pd_sidecar). This downstream repo may be phased out in future releases.",
"cve_fix_workflow": {
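Review bot: Removing `\u2014` from `branch_strategy` in this hunk leaves "Downstream only upstream code migrated into llm-d-inference-scheduler", which reads as a single run-on clause and loses the boundary between the two statements. Use ASCII punctuation in its place, e.g. `"branch_strategy": "Fork of upstream (now archived). Downstream only; upstream code migrated into llm-d-inference-scheduler. No branches beyond rhoai-3.2."`.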
Expand Down Expand Up @@ -878,9 +877,9 @@
"github_url": "https://github.com/IBM/ai4rag",
"default_branch": "main",
"active_release_branches": [],
"branch_strategy": "Python package upstream. CVEs in ai4rag manifest as container CVEs in pipelines-components \u2014 fix by updating ai4rag version there.",
"branch_strategy": "Python package upstream. CVEs in ai4rag manifest as container CVEs in pipelines-components fix by updating ai4rag version there.",
"repo_type": "upstream",
"notes": "No containerization \u2014 distributed as a Python package. No ODH/RHDS forks exist. Excluded from automation; track upstream releases and update dependency version in pipelines-components.",
"notes": "No containerization distributed as a Python package. No ODH/RHDS forks exist. Excluded from automation; track upstream releases and update dependency version in pipelines-components.",
"cve_fix_workflow": {
"primary_target": "main",
"backport_targets": "N/A",
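Review bot: Both edited strings in this hunk lose a clause break along with the `\u2014`: "CVEs in ai4rag manifest as container CVEs in pipelines-components fix by updating ai4rag version there" and "No containerization distributed as a Python package" now parse as one sentence each, and the first reads as if the CVEs themselves "fix" something. Replace the dash with ASCII punctuation rather than deleting it, e.g. `"... manifest as container CVEs in pipelines-components; fix by updating the ai4rag version there."` and `"No containerization; distributed as a Python package. ..."`.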