27 changes: 26 additions & 1 deletion workflows/cve-fixer/component-repository-mappings.json
@@ -593,11 +593,36 @@
]
}
]
},
"Notebooks": {
"repos": [
{
"url": "https://github.com/opendatahub-io/notebooks",
"type": "upstream",
"default_branch": "main",
"active_branches": []
},
{
"url": "https://github.com/mtchoum1/notebooks",
Suggested change
"url": "https://github.com/mtchoum1/notebooks",
"url": "https://github.com/opendatahub/notebooks",

"type": "midstream",
"default_branch": "main",
"active_branches": []
},
Contributor
⚠️ Potential issue | 🟠 Major

Midstream repo points to a personal fork, not an org-owned repo.

https://github.com/mtchoum1/notebooks is the PR author's personal fork. Every other component in this file uses an opendatahub-io/* (or equivalent org) repo for midstream. Wiring the CVE-fixer automation to a personal fork is risky: the user could rename/delete/transfer the repo, force-push, or leave the project, silently breaking the workflow, and automated CVE PRs would land on a non-authoritative repository rather than the organizational midstream.

Please confirm the correct midstream. If opendatahub-io/notebooks (or another org-owned fork) is the true midstream, use that URL; if Notebooks legitimately has no midstream, drop this entry and let upstream → downstream flow directly (as done elsewhere in this file).

Suggested fix (if opendatahub-io/notebooks is the correct midstream)
         {
-          "url": "https://github.com/mtchoum1/notebooks",
+          "url": "https://github.com/opendatahub-io/notebooks",
           "type": "midstream",
           "default_branch": "main",
           "active_branches": []
         },

Note: if both upstream and midstream resolve to opendatahub-io/notebooks, you should instead remove one of the two entries (duplicate URLs in the same component will cause the fixer to file duplicate PRs).

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
{
"url": "https://github.com/mtchoum1/notebooks",
"type": "midstream",
"default_branch": "main",
"active_branches": []
},
{
"url": "https://github.com/opendatahub-io/notebooks",
"type": "midstream",
"default_branch": "main",
"active_branches": []
},
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@workflows/cve-fixer/component-repository-mappings.json` around lines 605 -
610, the midstream entry currently references the personal fork
"https://github.com/mtchoum1/notebooks"; replace that URL with the
organization-owned repo (e.g., "https://github.com/opendatahub-io/notebooks") if
that is the authoritative midstream, or remove this midstream object entirely
from component-repository-mappings.json if Notebooks has no midstream, ensuring
you do not create a duplicate entry pointing to the same URL as the upstream.

{
"url": "https://github.com/red-hat-data-services/notebooks",
"type": "downstream",
"default_branch": "main",
"active_branches": [
"rhoai-2.25",
We have these branches on RHDS (downstream); maybe these should be in another block.

"rhoai-3.3"
]
}
]
Comment on lines +597 to +608
Contributor
🧹 Nitpick | 🔵 Trivial

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Confirm how the fixer behaves when containers/subcomponent are absent.
rg -nP -C3 '\.containers\[\]?|subcomponent' workflows/cve-fixer/.claude/commands/

Repository: ambient-code/workflows

Length of output: 6468


Missing containers and subcomponent are intentional at onboarding — consider adding a notes field for clarity.

The Notebooks repos are missing containers and subcomponent fields. Per onboard.md, this is an acceptable state: "If no containers discovered, omit the field (can be added later)." When a subcomponent filter is later requested, cve.find.md warns the user ("⚠️ Subcomponent '...' not found in mapping — running without subcomponent filter") rather than failing silently, and cve.fix.md safely falls back to processing all component repos.

While the system handles this gracefully, consider adding a notes field (e.g., "notes": "Container images not yet registered") to explicitly signal to future maintainers that this is intentional and documents when to revisit it.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@workflows/cve-fixer/component-repository-mappings.json` around lines 597 -
620, add an optional "notes" field to the "Notebooks" component mapping to
document that omission of "containers" and "subcomponent" is intentional during
onboarding; update the "Notebooks" object (the top-level key "Notebooks" and its
"repos" entries) to include a notes string such as "Container images not yet
registered" so maintainers see the intent without changing behavior relied on by
cve.find.md and cve.fix.md.

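A lint pass a maintainer could run over component-repository-mappings.json before merging, covering the two review points above (a midstream URL outside the organisation's namespaces, and repos that omit containers without a notes field recording the decision) plus the duplicate-URL case the first comment warns about. This is an added example, not code from the ambient-code/workflows project; the TRUSTED_OWNERS allowlist, the placement of the notes field, and the sample mapping are assumptions.

```python
import json
from urllib.parse import urlparse

# Constructed sample that mirrors the "Notebooks" component added in the PR
# (not the project's real file); only the fields shown in the diff are used.
SAMPLE_MAPPING = json.loads("""{
  "Notebooks": {"repos": [
    {"url": "https://github.com/opendatahub-io/notebooks", "type": "upstream",
     "default_branch": "main", "active_branches": []},
    {"url": "https://github.com/mtchoum1/notebooks", "type": "midstream",
     "default_branch": "main", "active_branches": []},
    {"url": "https://github.com/red-hat-data-services/notebooks", "type": "downstream",
     "default_branch": "main", "active_branches": ["rhoai-2.25", "rhoai-3.3"]}
  ]},
  "metadata": {"description": "constructed sample", "last_updated": "2026-04-22"}
}""")

# Assumed allowlist of GitHub namespaces the organisation controls (reviewed like code).
TRUSTED_OWNERS = {"opendatahub-io", "red-hat-data-services"}
VALID_TYPES = {"upstream", "midstream", "downstream"}


def repo_owner(url: str) -> str:
    """Return the GitHub namespace (org or user) part of a repository URL."""
    parts = urlparse(url).path.strip("/").split("/")
    return parts[0] if parts else ""


def lint_mappings(mapping: dict) -> list[str]:
    """Return findings for a mapping document; an empty list means it passed."""
    findings = []
    for component, spec in mapping.items():
        if component == "metadata":
            continue
        seen_urls = set()
        for repo in spec.get("repos", []):
            url, kind = repo.get("url", ""), repo.get("type", "")
            if kind not in VALID_TYPES:
                findings.append(f"{component}: unknown type {kind!r} for {url}")
            if url in seen_urls:  # same URL twice -> fixer files duplicate PRs
                findings.append(f"{component}: duplicate URL {url}")
            seen_urls.add(url)
            if repo_owner(url) not in TRUSTED_OWNERS:
                findings.append(f"{component}: {kind} {url} is not org-owned")
            # Omitting containers is allowed at onboarding, but only when a
            # notes field (assumed here on the repo or component) records why.
            if "containers" not in repo and not (repo.get("notes") or spec.get("notes")):
                findings.append(f"{component}: {url} has no containers and no notes")
    return findings
```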
}
},
"metadata": {
"description": "Component to repository and branch mappings for CVE fix workflow automation",
"purpose": "Maps Jira components to GitHub repositories and their branch strategies for automated CVE patching",
"last_updated": "2026-04-16"
"last_updated": "2026-04-22"
}
}
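Review bot: the midstream entry in this hunk targets the personal namespace `mtchoum1`, while the upstream and downstream entries use organisation namespaces (`opendatahub-io`, `red-hat-data-services`); because this file decides where automated CVE-fix PRs are filed, the midstream should be a repository covered by the organisation's branch protection and review rules, so either point it at the org-owned midstream or drop the entry. The two suggested replacements on this page disagree (`opendatahub/notebooks` versus `opendatahub-io/notebooks`); the upstream line in the same hunk uses `opendatahub-io`, so the one without `-io` looks like a typo and should not be committed as-is. If the corrected midstream equals the upstream URL, remove one of the two entries rather than keeping both, since a duplicate URL inside one component would make the fixer file duplicate PRs. The `last_updated` bump to `2026-04-22` in `metadata` is consistent with the edit.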