fix: merge Pull Request changes

ci-operator/step-registry/konflux-ci/install-konflux/README.md

@@ -0,0 +1,75 @@
+# konflux-ci-install-konflux
+
+Installs [Konflux](https://github.com/konflux-ci) on an OpenShift cluster using the
+[infra-deployments](https://github.com/redhat-appstudio/infra-deployments) bootstrap scripts
+in **preview mode**.
+
+This step replaces the deprecated `redhat-appstudio-install-konflux` step, which relied on
+magefiles from the [e2e-tests](https://github.com/konflux-ci/e2e-tests) repository.
+
+## What it does
+
+1. **Selects a GitHub account** with the highest remaining API rate limit from a pool of
+   CI bot accounts.
+2. **Logs into the cluster** using `kubeadmin` credentials from the claim.
+3. **Clones `redhat-appstudio/infra-deployments`** at `main`. For presubmit jobs on
+   infra-deployments PRs, the PR changes are merged into the working tree so the bootstrap
+   runs against the proposed code.
+4. **Marks master nodes as schedulable** (needed for small CI clusters).
+5. **Runs `hack/bootstrap-cluster.sh preview`**, which deploys ArgoCD and bootstraps
+   all Konflux components (host + member clusters, pipelines-as-code, build-service,
+   integration-service, etc.).
+6. **Creates the `e2e-secrets/quay-repository` secret** with Quay registry credentials
+   required by build pipelines.
+7. **Registers the PAC route with SprayProxy** so GitHub webhook events are forwarded
+   to the ephemeral CI cluster.
+
+## Credentials
+
+The step mounts the `konflux-ci-secrets-new` secret from the `test-credentials` namespace at
+`/usr/local/konflux-ci-secrets-new/redhat-appstudio-qe/`. Required keys:
+
+| Key | Purpose |
+|-----|---------|
+| `github_accounts` | Comma-separated `user:token` pairs for GitHub API access |
+| `default-quay-org-token` | Quay token for the `redhat-appstudio-qe` org (image-controller) |
+| `quay-token` | Base64-encoded Docker config for Quay registry auth |
+| `pac-github-app-id` | GitHub App ID for Pipelines-as-Code |
+| `pac-github-app-private-key` | GitHub App private key (PEM) for Pipelines-as-Code |
+| `pac-github-app-webhook-secret` | Webhook secret for the PAC GitHub App |
+| `smee-channel` | Smee.io channel URL for webhook proxying |
+| `qe-sprayproxy-host` | SprayProxy server URL |
+| `qe-sprayproxy-token` | Bearer token for SprayProxy registration |
+
+## Usage
+
+Reference this step in a multi-stage test definition:
+
+```yaml
+tests:
+- as: my-konflux-test
+  cluster_claim:
+    architecture: amd64
+    cloud: aws
+    owner: konflux
+    product: ocp
+    timeout: 1h0m0s
+    version: "4.18"
+  steps:
+    test:
+    - ref: konflux-ci-install-konflux
+    - ref: redhat-appstudio-conformance-tests   # or your own test step
+    workflow: redhat-appstudio-claim
+```
+
+## Infra-deployments PR support
+
+When `REPO_NAME=infra-deployments` and `PULL_NUMBER` are set (standard Prow env vars for
+presubmit jobs), the step automatically fetches and merges the PR into the infra-deployments
+working tree before running bootstrap. This means presubmit tests validate the actual PR
+changes without needing any extra configuration.
+
+## Timeout
+
+Default timeout is **1 hour**. The bootstrap process typically takes 15-25 minutes depending
+on cluster size and image pull times.

ci-operator/step-registry/konflux-ci/install-konflux/konflux-ci-install-konflux-commands.sh

@@ -79,6 +79,14 @@ cd "${INFRA_DIR}"
 git remote add origin "https://github.com/redhat-appstudio-qe/infra-deployments.git" || true
 git pull --rebase upstream main
 
+# If this is a PR job for infra-deployments, apply the PR changes
+if [[ "${REPO_NAME:-}" == "infra-deployments" && -n "${PULL_NUMBER:-}" ]]; then
+    echo "[INFO] Fetching infra-deployments PR #${PULL_NUMBER} changes..."
+    git fetch upstream "refs/pull/${PULL_NUMBER}/head"
+    git merge --no-edit FETCH_HEAD
+    echo "[INFO] Merged PR #${PULL_NUMBER} into working tree"
+fi
+
 # Mark master nodes as schedulable (for small clusters)
 oc patch scheduler cluster --type=merge -p '{"spec":{"mastersSchedulable":true}}' 2>&1 || \
     echo "[WARN] Could not modify scheduler (might be HyperShift cluster)"

ci-operator/step-registry/redhat-appstudio/conformance-tests/README.md

@@ -0,0 +1,88 @@
+# redhat-appstudio-conformance-tests
+
+Runs Konflux conformance tests from the
+[konflux-ci/konflux-ci](https://github.com/konflux-ci/konflux-ci) repository against a
+pre-installed Konflux instance.
+
+This step is designed to run **after** `konflux-ci-install-konflux`, which handles the
+full cluster setup.
+
+## What it does
+
+1. **Selects a GitHub account** with the highest remaining API rate limit.
+2. **Clones `konflux-ci/konflux-ci`** at the `main` branch (or a specific ref via
+   Gangway override).
+3. **Deploys test resources** via `deploy-test-resources.sh`, which creates:
+   - Tenant namespaces (`user-ns1`, `user-ns2`)
+   - Kueue `LocalQueue` for pipeline scheduling
+   - `ServiceAccounts` and `RoleBindings` via Kyverno policies
+4. **Verifies the tenant namespace** has a working `LocalQueue`.
+5. **Creates the `konflux-cli` namespace** with the `setup-release` ConfigMap.
+6. **Runs Go conformance tests** using Ginkgo v2 with configurable label filters.
+
+## Environment variables
+
+| Variable | Default | Description |
+|----------|---------|-------------|
+| `GINKGO_LABEL_FILTER` | `upstream-konflux` | Ginkgo label filter for selecting which tests to run |
+| `KONFLUX_REPO` | `konflux-ci/konflux-ci` | GitHub org/repo to clone tests from |
+| `KONFLUX_REF` | `main` | Git ref (branch, tag, or SHA) to checkout |
+| `GINKGO_TEST_TIMEOUT` | `30m` | Timeout for the Go test runner |
+
+## Gangway override
+
+When triggered via Gangway with `MULTISTAGE_PARAM_OVERRIDE_OPERATOR_IMAGE`, the image tag
+is extracted and used as `KONFLUX_REF`. This allows testing specific commits or releases
+without changing the CI config.
+
+## Credentials
+
+Same credential bundle as `konflux-ci-install-konflux` — the `konflux-ci-secrets-new` secret
+mounted at `/usr/local/konflux-ci-secrets-new/redhat-appstudio-qe/`. Only the following keys
+are used by this step:
+
+| Key | Purpose |
+|-----|---------|
+| `github_accounts` | GitHub API access for cloning repos and running tests |
+| `default-quay-org-token` | Quay org token exported for test pipelines |
+| `quay-token` | Docker config for Quay registry auth |
+
+## Usage
+
+Pair with the install step in a multi-stage test:
+
+```yaml
+tests:
+- as: appstudio-e2e-tests
+  cluster_claim:
+    architecture: amd64
+    cloud: aws
+    owner: konflux
+    product: ocp
+    timeout: 1h0m0s
+    version: "4.18"
+  steps:
+    test:
+    - ref: konflux-ci-install-konflux
+    - ref: redhat-appstudio-conformance-tests
+    workflow: redhat-appstudio-claim-failure-analysis
+```
+
+To run a different label filter (e.g. only build tests):
+
+```yaml
+steps:
+  test:
+  - ref: konflux-ci-install-konflux
+  - as: build-conformance
+    from: e2e-test-runner
+    commands: |
+      export GINKGO_LABEL_FILTER="build"
+    ref: redhat-appstudio-conformance-tests
+```
+
+## Timeout
+
+Default timeout is **2 hours**. Most conformance suites complete in 20-40 minutes, but
+the extended timeout accommodates the full upstream-konflux label filter which includes
+longer-running integration and release pipeline tests.