From 279ac9b441948d8560e91e7f64e545f267af090f Mon Sep 17 00:00:00 2001
From: Vaishnavi-Modi
Date: Wed, 1 Apr 2026 14:54:15 -0400
Subject: [PATCH 1/5] feat: update Model as a Service with real branch data and add opendatahub-operator
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
- models-as-a-service upstream: add active branches (stable, rhoai, v0.1.x) and real branch strategy (main → stable → rhoai auto-propagation) - models-as-a-service downstream: update active branches to rhoai-3.3 through rhoai-3.4-ea.2 (dropping stale rhoai-3.0, rhoai-3.2) - Add opendatahub-io/opendatahub-operator (upstream, subcomponent: operator) with odh-3.4.0-ea.1/ea.2 active branches - Add red-hat-data-services/opendatahub-operator (downstream, no release branches yet)
Co-Authored-By: Claude Sonnet 4.6 (1M context)
---
 .../component-repository-mappings.json | 71 +++++++++++++------
 1 file changed, 48 insertions(+), 23 deletions(-)
diff --git a/workflows/cve-fixer/component-repository-mappings.json b/workflows/cve-fixer/component-repository-mappings.json
index 2ea8163a..489c512e 100644
--- a/workflows/cve-fixer/component-repository-mappings.json
+++ b/workflows/cve-fixer/component-repository-mappings.json
@@ -49,38 +49,63 @@
 "opendatahub-io/models-as-a-service": {
 "github_url": "https://github.com/opendatahub-io/models-as-a-service",
 "default_branch": "main",
- "protected_branches": [],
- "active_release_branches": [],
- "branch_strategy": "TBD - needs investigation",
+ "active_release_branches": [
+ "stable",
+ "rhoai",
+ "v0.1.x"
+ ],
+ "branch_strategy": "Fix in main \u2192 auto-propagates to stable \u2192 rhoai. Release branches follow pattern v0.X.x.",
+ "repo_type": "upstream",
+ "subcomponent": "maas-api",
 "cve_fix_workflow": {
 "primary_target": "main",
- "backport_targets": "TBD",
- "automation": "Unknown",
- "manual_intervention": "Unknown"
- },
- "build_location": "maas-api/",
- "notes": "Upstream repository. Contains maas-api Go application. Builds using Dockerfile.konflux for Red Hat builds.",
- "repo_type": "upstream",
- "subcomponent": "maas-api"
+ "backport_targets": "stable, rhoai, v0.1.x"
+ }
 },
 "red-hat-data-services/models-as-a-service": {
 "github_url": "https://github.com/red-hat-data-services/models-as-a-service",
- "default_branch": "rhoai-3.0",
- "protected_branches": [],
+ "default_branch": "main",
 "active_release_branches": [
- "rhoai-3.0"
+ "rhoai-3.3",
+ "rhoai-3.4",
+ "rhoai-3.4-ea.1",
+ "rhoai-3.4-ea.2"
 ],
- "branch_strategy": "TBD - needs investigation",
+ "branch_strategy": "Fork of upstream. RHOAI release branches follow pattern rhoai-X.Y.",
+ "repo_type": "downstream",
+ "subcomponent": "maas-api",
 "cve_fix_workflow": {
- "primary_target": "rhoai-3.0",
- "backport_targets": "rhoai-3.0",
- "automation": "Manual backport from upstream",
- "manual_intervention": "Cherry-pick or re-apply fixes from upstream repo"
- },
- "build_location": "maas-api/",
- "notes": "Downstream Red Hat release repository for maas-api. Fixes from upstream should be backported to rhoai-3.0 branch.",
+ "primary_target": "main",
+ "backport_targets": "rhoai-3.3, rhoai-3.4, rhoai-3.4-ea.1, rhoai-3.4-ea.2"
+ }
+ },
+ "opendatahub-io/opendatahub-operator": {
+ "github_url": "https://github.com/opendatahub-io/opendatahub-operator",
+ "default_branch": "main",
+ "active_release_branches": [
+ "odh-3.4.0-ea.1",
+ "odh-3.4.0-ea.2"
+ ],
+ "branch_strategy": "Fix in main. ODH release branches follow pattern odh-X.Y.Z. Also syncs to stable and rhoai branches.",
+ "repo_type": "upstream",
+ "subcomponent": "operator",
+ "notes": "No Dockerfile.konflux RHOAI container label found. Container name TBD.",
+ "cve_fix_workflow": {
+ "primary_target": "main",
+ "backport_targets": "odh-3.4.0-ea.1, odh-3.4.0-ea.2"
+ }
+ },
+ "red-hat-data-services/opendatahub-operator": {
+ "github_url": "https://github.com/red-hat-data-services/opendatahub-operator",
+ "default_branch": "main",
+ "active_release_branches": [],
+ "branch_strategy": "Fork of upstream. No RHOAI release branches yet \u2014 only main/master.",
 "repo_type": "downstream",
- "subcomponent": "maas-api"
+ "subcomponent": "operator",
+ "cve_fix_workflow": {
+ "primary_target": "main",
+ "backport_targets": "None"
+ }
 }
 }
 },
From 31a3bb46ee1331371c8834c8a13eeb12c42c200e Mon Sep 17 00:00:00 2001
From: Vaishnavi-Modi
Date: Wed, 1 Apr 2026 14:54:57 -0400
Subject: [PATCH 2/5] =?UTF-8?q?fix:=20remove=20opendatahub-operator=20from?= =?UTF-8?q?=20MaaS=20=E2=80=94=20it=20is=20a=20platform-wide=20operator,?= =?UTF-8?q?=20not=20MaaS-specific?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Co-Authored-By: Claude Sonnet 4.6 (1M context)
---
 .../component-repository-mappings.json | 28 -------------------
 1 file changed, 28 deletions(-)
diff --git a/workflows/cve-fixer/component-repository-mappings.json b/workflows/cve-fixer/component-repository-mappings.json
index 489c512e..3bd3b0cb 100644
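Review bot: In the [PATCH 1/5] hunk, both models-as-a-service entries lose `automation` and `manual_intervention` from `cve_fix_workflow`, so they no longer have the same shape as entries elsewhere in this file that still carry those keys (the entry with the `v2.28.0-fixes` branch, visible in the [PATCH 4/5] context, does). If the cve-fixer workflow reads those keys to decide whether a backport happens automatically, which is not visible from this patch, a missing key is easy to read as "no manual step needed" and a fix may never reach the release branches. I would keep both keys with explicit values, for example `"automation": "<sync job, or None>"` and `"manual_intervention": "<who cherry-picks, and when>"`, filled in from the branch investigation. The enclosing component object opens above the hunk.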
--- a/workflows/cve-fixer/component-repository-mappings.json
+++ b/workflows/cve-fixer/component-repository-mappings.json
@@ -78,34 +78,6 @@
 "primary_target": "main",
 "backport_targets": "rhoai-3.3, rhoai-3.4, rhoai-3.4-ea.1, rhoai-3.4-ea.2"
 }
- },
- "opendatahub-io/opendatahub-operator": {
- "github_url": "https://github.com/opendatahub-io/opendatahub-operator",
- "default_branch": "main",
- "active_release_branches": [
- "odh-3.4.0-ea.1",
- "odh-3.4.0-ea.2"
- ],
- "branch_strategy": "Fix in main. ODH release branches follow pattern odh-X.Y.Z. Also syncs to stable and rhoai branches.",
- "repo_type": "upstream",
- "subcomponent": "operator",
- "notes": "No Dockerfile.konflux RHOAI container label found. Container name TBD.",
- "cve_fix_workflow": {
- "primary_target": "main",
- "backport_targets": "odh-3.4.0-ea.1, odh-3.4.0-ea.2"
- }
- },
- "red-hat-data-services/opendatahub-operator": {
- "github_url": "https://github.com/red-hat-data-services/opendatahub-operator",
- "default_branch": "main",
- "active_release_branches": [],
- "branch_strategy": "Fork of upstream. No RHOAI release branches yet \u2014 only main/master.",
- "repo_type": "downstream",
- "subcomponent": "operator",
- "cve_fix_workflow": {
- "primary_target": "main",
- "backport_targets": "None"
- }
 }
 }
 },
From 9a32ab52d01df34d5fb0eb558c36f99a3ad6157f Mon Sep 17 00:00:00 2001
From: Vaishnavi-Modi
Date: Wed, 1 Apr 2026 14:57:28 -0400
Subject: [PATCH 3/5] fix: correct branch strategy for models-as-a-service
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
stable and rhoai are 26 commits behind main — they are release snapshots not auto-propagated. v0.1.x has diverged from main. Updated to reflect manual cherry-pick backport approach.
Co-Authored-By: Claude Sonnet 4.6 (1M context)
---
 workflows/cve-fixer/component-repository-mappings.json | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/workflows/cve-fixer/component-repository-mappings.json b/workflows/cve-fixer/component-repository-mappings.json
index 3bd3b0cb..0a18f985 100644
--- a/workflows/cve-fixer/component-repository-mappings.json
+++ b/workflows/cve-fixer/component-repository-mappings.json
@@ -54,12 +54,12 @@
 "rhoai",
 "v0.1.x"
 ],
- "branch_strategy": "Fix in main \u2192 auto-propagates to stable \u2192 rhoai. Release branches follow pattern v0.X.x.",
+ "branch_strategy": "Fix in main. stable and rhoai are release snapshots \u2014 backport manually as needed. v0.1.x is a separate release branch with independent commits.",
 "repo_type": "upstream",
 "subcomponent": "maas-api",
 "cve_fix_workflow": {
 "primary_target": "main",
- "backport_targets": "stable, rhoai, v0.1.x"
+ "backport_targets": "stable, rhoai, v0.1.x (manual cherry-pick)"
 }
 },
 "red-hat-data-services/models-as-a-service": {
From f3bd823a6141e576e400bde4e1b9029bdac50f7a Mon Sep 17 00:00:00 2001
From: Vaishnavi-Modi
Date: Wed, 1 Apr 2026 14:59:15 -0400
Subject: [PATCH 4/5] fix: replace unicode escapes with actual characters in mapping file
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Use ensure_ascii=False so → and — render as readable text instead of \u2192 and \u2014.
Co-Authored-By: Claude Sonnet 4.6 (1M context)
---
 .../cve-fixer/component-repository-mappings.json | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/workflows/cve-fixer/component-repository-mappings.json b/workflows/cve-fixer/component-repository-mappings.json
index 0a18f985..21e8e690 100644
--- a/workflows/cve-fixer/component-repository-mappings.json
+++ b/workflows/cve-fixer/component-repository-mappings.json
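Review bot: In the [PATCH 3/5] hunk, the new value `"backport_targets": "stable, rhoai, v0.1.x (manual cherry-pick)"` mixes the branch list with a free-text annotation, so anything that splits the string on commas gets `v0.1.x (manual cherry-pick)` as a branch name and would skip or fail the v0.1.x backport. Whether a tool parses this field is not visible from the hunk, so this is a robustness point rather than a confirmed defect. I would leave the list as `"backport_targets": "stable, rhoai, v0.1.x"` and record the process in `"manual_intervention": "Cherry-pick from main to each backport target"`, the key that other entries in this file use for it. The entry object opens above the hunk.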
@@ -23,11 +23,11 @@
 "v2.28.0-fixes",
 "v2.27.0-fixes"
 ],
- "branch_strategy": "Fix in main \u2192 auto-propagates to stable \u2192 rhoai (every 2 hours). Manual cherry-pick to release branches during code freeze.",
+ "branch_strategy": "Fix in main → auto-propagates to stable → rhoai (every 2 hours). Manual cherry-pick to release branches during code freeze.",
 "cve_fix_workflow": {
 "primary_target": "main",
 "backport_targets": "Active vX.X.X-fixes branches for released versions",
- "automation": "Auto-sync every 2 hours (main \u2192 stable \u2192 rhoai)",
+ "automation": "Auto-sync every 2 hours (main → stable → rhoai)",
 "manual_intervention": "Cherry-pick during code freeze or for patch releases"
 },
 "repository_type": "monorepo",
@@ -54,7 +54,7 @@
 "rhoai",
 "v0.1.x"
 ],
- "branch_strategy": "Fix in main. stable and rhoai are release snapshots \u2014 backport manually as needed. v0.1.x is a separate release branch with independent commits.",
+ "branch_strategy": "Fix in main. stable and rhoai are release snapshots — backport manually as needed. v0.1.x is a separate release branch with independent commits.",
 "repo_type": "upstream",
 "subcomponent": "maas-api",
 "cve_fix_workflow": {
@@ -438,7 +438,7 @@
 "rhoai-3.0",
 "rhoai-3.2"
 ],
- "branch_strategy": "Fork of upstream (now archived). Downstream only \u2014 upstream code migrated into llm-d-inference-scheduler. No branches beyond rhoai-3.2.",
+ "branch_strategy": "Fork of upstream (now archived). Downstream only — upstream code migrated into llm-d-inference-scheduler. No branches beyond rhoai-3.2.",
 "repo_type": "downstream",
 "notes": "Upstream llm-d/llm-d-routing-sidecar is archived; code moved to llm-d-inference-scheduler (cmd/pd_sidecar). This downstream repo may be phased out in future releases.",
 "cve_fix_workflow": {
@@ -875,9 +875,9 @@
 "github_url": "https://github.com/IBM/ai4rag",
 "default_branch": "main",
 "active_release_branches": [],
- "branch_strategy": "Python package upstream. CVEs in ai4rag manifest as container CVEs in pipelines-components \u2014 fix by updating ai4rag version there.",
+ "branch_strategy": "Python package upstream. CVEs in ai4rag manifest as container CVEs in pipelines-components — fix by updating ai4rag version there.",
 "repo_type": "upstream",
- "notes": "No containerization \u2014 distributed as a Python package. No ODH/RHDS forks exist. Excluded from automation; track upstream releases and update dependency version in pipelines-components.",
+ "notes": "No containerization — distributed as a Python package. No ODH/RHDS forks exist. Excluded from automation; track upstream releases and update dependency version in pipelines-components.",
 "cve_fix_workflow": {
 "primary_target": "main",
 "backport_targets": "N/A",
From 85c164e335d30b3a492443845a18a31856d00046 Mon Sep 17 00:00:00 2001
From: Vaishnavi-Modi
Date: Wed, 1 Apr 2026 14:59:52 -0400
Subject: [PATCH 5/5] fix: add build_location maas-api/ to MaaS repos
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
go.mod is in maas-api/ subdirectory — without this govulncheck and other scanners would fail at the repo root.
Co-Authored-By: Claude Sonnet 4.6 (1M context)
---
 workflows/cve-fixer/component-repository-mappings.json | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/workflows/cve-fixer/component-repository-mappings.json b/workflows/cve-fixer/component-repository-mappings.json
index 21e8e690..2e7fc915 100644
--- a/workflows/cve-fixer/component-repository-mappings.json
+++ b/workflows/cve-fixer/component-repository-mappings.json
@@ -60,7 +60,8 @@
 "cve_fix_workflow": {
 "primary_target": "main",
 "backport_targets": "stable, rhoai, v0.1.x (manual cherry-pick)"
- }
+ },
+ "build_location": "maas-api/"
 },
 "red-hat-data-services/models-as-a-service": {
 "github_url": "https://github.com/red-hat-data-services/models-as-a-service",
@@ -77,7 +78,8 @@
 "cve_fix_workflow": {
 "primary_target": "main",
 "backport_targets": "rhoai-3.3, rhoai-3.4, rhoai-3.4-ea.1, rhoai-3.4-ea.2"
- }
+ },
+ "build_location": "maas-api/"
 }
 }
 },
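Review bot: In the first [PATCH 5/5] hunk, `"build_location": "maas-api/"` is set once per repository, but the upstream entry also targets `v0.1.x`, which its `branch_strategy` describes as a separate release branch with independent commits, so the `maas-api/` layout is not guaranteed on every branch that gets scanned. If the directory is missing on a branch, the scan either fails there as it did at the repo root or, depending on how the workflow handles scanner errors (not visible here), is skipped and read as a clean result. It is worth confirming the path on each listed branch and making the workflow fail loudly when `build_location` does not exist on the checked-out branch. The same applies to the second hunk, for red-hat-data-services/models-as-a-service and its `rhoai-3.x` branches; both entry objects open above their hunks.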