
feat: onboard Notebooks to CVE fixer workflow#116

Open
mtchoum1 wants to merge 2 commits into ambient-code:main from mtchoum1:onboard/notebooks

Conversation

@mtchoum1

Component Onboarding: Notebooks

Jira Component

Name: Notebooks (ID: 49589, redhat.atlassian.net)

Repositories Added

Generated Guidance

.cve-fix/examples.md stubs are ready for each repo. Separate PRs will be opened
to each component repo. Repos have no CVE PR history yet — run /guidance.update
after more CVE fixes are merged to improve guidance quality.

Next Steps for Reviewers

  • Verify Jira component name matches exactly (Notebooks)
  • Verify repo URLs and active branch names are correct
  • Add container image names if applicable (none provided at onboarding time)

🤖 Generated by /onboard

Add Notebooks to component-repository-mappings.json with 3 repos:
- opendatahub-io/notebooks (upstream)
- mtchoum1/notebooks (midstream)
- red-hat-data-services/notebooks (downstream, active: rhoai-2.25, rhoai-3.3)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@coderabbitai

coderabbitai Bot commented Apr 22, 2026

Warning

Rate limit exceeded

@mtchoum1 has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 33 minutes and 20 seconds before requesting another review.

Your organization is not enrolled in usage-based pricing. Contact your admin to enable usage-based pricing to continue reviews beyond the rate limit, or try again in 33 minutes and 20 seconds.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro Plus

Run ID: 5018a9e7-eda0-42e7-bb71-978cf72091db

📥 Commits

Reviewing files that changed from the base of the PR and between da1179b and af85b41.

📒 Files selected for processing (1)
  • workflows/cve-fixer/component-repository-mappings.json

Walkthrough

A new component mapping for "Notebooks" was added to the repository configuration file with upstream, midstream, and downstream repository URLs, branch information, and active branch tracking. The metadata timestamp was updated to reflect the change.

Changes

Cohort / File(s): Component Repository Configuration
  workflows/cve-fixer/component-repository-mappings.json
Summary: Added new top-level "Notebooks" component with three repository mappings (upstream, midstream, downstream) including URLs, types, default branches, and active branch lists. Updated metadata.last_updated timestamp from 2026-04-16 to 2026-04-22.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Title check ✅ Passed The title accurately and concisely summarizes the main change: onboarding the Notebooks component to the CVE fixer workflow.
Description check ✅ Passed The description provides clear context about the component onboarding, including Jira component details, repository URLs, branches, and next steps for reviewers.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.



@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@workflows/cve-fixer/component-repository-mappings.json`:
- Around line 605-610: The midstream entry currently references the personal
fork "https://github.com/mtchoum1/notebooks"; replace that URL with the
organization-owned repo (e.g., "https://github.com/opendatahub-io/notebooks") if
that is the authoritative midstream, or remove this midstream object entirely
from component-repository-mappings.json if Notebooks has no midstream, ensuring
you do not create a duplicate entry pointing to the same URL as the upstream.
- Around line 597-620: Add an optional "notes" field to the "Notebooks"
component mapping to document that omission of "containers" and "subcomponent"
is intentional during onboarding; update the "Notebooks" object (the top-level
key "Notebooks" and its "repos" entries) to include a notes string such as
"Container images not yet registered" so maintainers see the intent without
changing behavior relied on by cve.find.md and cve.fix.md.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro Plus

Run ID: e5d9baa7-e255-41af-88ba-3ca01354f631

📥 Commits

Reviewing files that changed from the base of the PR and between 65b811e and da1179b.

📒 Files selected for processing (1)
  • workflows/cve-fixer/component-repository-mappings.json

Comment on lines +597 to +620
"Notebooks": {
"repos": [
{
"url": "https://github.com/opendatahub-io/notebooks",
"type": "upstream",
"default_branch": "main",
"active_branches": []
},
{
"url": "https://github.com/mtchoum1/notebooks",
"type": "midstream",
"default_branch": "main",
"active_branches": []
},
{
"url": "https://github.com/red-hat-data-services/notebooks",
"type": "downstream",
"default_branch": "main",
"active_branches": [
"rhoai-2.25",
"rhoai-3.3"
]
}
]

🧹 Nitpick | 🔵 Trivial

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Confirm how the fixer behaves when containers/subcomponent are absent.
rg -nP -C3 '\.containers\[\]?|subcomponent' workflows/cve-fixer/.claude/commands/

Repository: ambient-code/workflows

Length of output: 6468


Missing containers and subcomponent are intentional at onboarding — consider adding a notes field for clarity.

The Notebooks repos are missing containers and subcomponent fields. Per onboard.md, this is an acceptable state: "If no containers discovered, omit the field (can be added later)." When a subcomponent filter is later requested, cve.find.md warns the user ("⚠️ Subcomponent '...' not found in mapping — running without subcomponent filter") rather than failing silently, and cve.fix.md safely falls back to processing all component repos.

While the system handles this gracefully, consider adding a notes field (e.g., "notes": "Container images not yet registered") to explicitly signal to future maintainers that this is intentional and documents when to revisit it.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@workflows/cve-fixer/component-repository-mappings.json` around lines 597 -
620, Add an optional "notes" field to the "Notebooks" component mapping to
document that omission of "containers" and "subcomponent" is intentional during
onboarding; update the "Notebooks" object (the top-level key "Notebooks" and its
"repos" entries) to include a notes string such as "Container images not yet
registered" so maintainers see the intent without changing behavior relied on by
cve.find.md and cve.fix.md.

Comment on lines +605 to +610
{
"url": "https://github.com/mtchoum1/notebooks",
"type": "midstream",
"default_branch": "main",
"active_branches": []
},

⚠️ Potential issue | 🟠 Major

Midstream repo points to a personal fork, not an org-owned repo.

https://github.com/mtchoum1/notebooks is the PR author's personal fork. Every other component in this file uses an opendatahub-io/* (or equivalent org) repo for midstream. Wiring the CVE-fixer automation to a personal fork is risky: the user could rename/delete/transfer the repo, force-push, or leave the project, silently breaking the workflow, and automated CVE PRs would land on a non-authoritative repository rather than the organizational midstream.

Please confirm the correct midstream. If opendatahub-io/notebooks (or another org-owned fork) is the true midstream, use that URL; if Notebooks legitimately has no midstream, drop this entry and let upstream → downstream flow directly (as done elsewhere in this file).

Suggested fix (if opendatahub-io/notebooks is the correct midstream)
         {
-          "url": "https://github.com/mtchoum1/notebooks",
+          "url": "https://github.com/opendatahub-io/notebooks",
           "type": "midstream",
           "default_branch": "main",
           "active_branches": []
         },
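Review bot: applied as-is, this hunk makes the midstream url identical to the upstream entry a few lines above it ("url": "https://github.com/opendatahub-io/notebooks", "type": "upstream"), and the note immediately below warns that two entries with the same URL in one component make the fixer file duplicate PRs. Either drop the midstream object entirely or point it at a repo that is distinct from upstream, and consider rejecting duplicate url values per component in whatever validates this mapping file, so the problem is caught at review time rather than when PRs are opened.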

Note: if both upstream and midstream resolve to opendatahub-io/notebooks, you should instead remove one of the two entries (duplicate URLs in the same component will cause the fixer to file duplicate PRs).

📝 Committable suggestion


Suggested change
{
"url": "https://github.com/mtchoum1/notebooks",
"type": "midstream",
"default_branch": "main",
"active_branches": []
},
{
"url": "https://github.com/opendatahub-io/notebooks",
"type": "midstream",
"default_branch": "main",
"active_branches": []
},
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@workflows/cve-fixer/component-repository-mappings.json` around lines 605 -
610, The midstream entry currently references the personal fork
"https://github.com/mtchoum1/notebooks"; replace that URL with the
organization-owned repo (e.g., "https://github.com/opendatahub-io/notebooks") if
that is the authoritative midstream, or remove this midstream object entirely
from component-repository-mappings.json if Notebooks has no midstream, ensuring
you do not create a duplicate entry pointing to the same URL as the upstream.
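The two concerns raised in this review (a midstream entry pointing at a personal fork, and duplicate URLs within one component causing duplicate PRs) and the subcomponent fallback described in the earlier nitpick can all be turned into a pre-merge check on the mapping file. The script below is an added example, not code from ambient-code/workflows: the entry schema is inferred from the Notebooks block shown in this PR, and the org allowlist, the validate_component/validate_mapping/select_repos names and the per-repo "subcomponent" field name are assumptions.

```python
"""Pre-merge validation for a CVE-fixer component-repository mapping.

Added example, not part of ambient-code/workflows. The schema is inferred
from the Notebooks entry in this PR; ALLOWED_ORGS, the function names and
the per-repo "subcomponent" field are assumptions.
"""
import json
from typing import Optional
from urllib.parse import urlparse

# Orgs whose repos automation may target; any other owner is treated as a
# personal fork. Assumed allowlist, not taken from the project.
ALLOWED_ORGS = {"opendatahub-io", "red-hat-data-services"}
VALID_TYPES = {"upstream", "midstream", "downstream"}
REQUIRED_FIELDS = {"url", "type", "default_branch", "active_branches"}

# Constructed sample mirroring the mapping added in this PR.
SAMPLE_MAPPING = json.loads("""
{
  "Notebooks": {
    "repos": [
      {"url": "https://github.com/opendatahub-io/notebooks", "type": "upstream",
       "default_branch": "main", "active_branches": []},
      {"url": "https://github.com/mtchoum1/notebooks", "type": "midstream",
       "default_branch": "main", "active_branches": []},
      {"url": "https://github.com/red-hat-data-services/notebooks", "type": "downstream",
       "default_branch": "main", "active_branches": ["rhoai-2.25", "rhoai-3.3"]}
    ]
  },
  "metadata": {"last_updated": "2026-04-22"}
}
""")


def repo_owner(url: str) -> str:
    """Return the GitHub owner segment of a repo URL, or '' if it is not an https github.com repo URL."""
    p = urlparse(url)
    if p.scheme != "https" or p.netloc != "github.com":
        return ""
    parts = [s for s in p.path.split("/") if s]
    return parts[0] if len(parts) >= 2 else ""


def validate_component(name: str, component: dict) -> list:
    """Return a list of findings for one component; an empty list means clean."""
    findings = []
    seen_urls = set()
    for i, repo in enumerate(component.get("repos", [])):
        where = f"{name}.repos[{i}]"
        missing = REQUIRED_FIELDS - set(repo)
        if missing:
            findings.append(f"{where}: missing fields {sorted(missing)}")
            continue
        url = repo["url"].rstrip("/")
        if repo["type"] not in VALID_TYPES:
            findings.append(f"{where}: unknown type {repo['type']!r}")
        owner = repo_owner(url)
        if owner not in ALLOWED_ORGS:
            findings.append(f"{where}: {url} is owned by {owner or '?'}, not an allowed org")
        # Same URL twice in one component means the fixer files duplicate PRs.
        if url.lower() in seen_urls:
            findings.append(f"{where}: duplicate URL {url} (would file duplicate PRs)")
        seen_urls.add(url.lower())
        if not isinstance(repo["active_branches"], list):
            findings.append(f"{where}: active_branches must be a list")
    return findings


def validate_mapping(mapping: dict) -> dict:
    """Validate every component; returns {component: findings} for components with findings."""
    result = {}
    for name, comp in mapping.items():
        if name == "metadata":
            continue
        findings = validate_component(name, comp)
        if findings:
            result[name] = findings
    return result


def select_repos(component: dict, subcomponent: Optional[str] = None) -> list:
    """Pick the repos for a fix run. When the requested subcomponent is not in the
    mapping, warn and fall back to all repos (the behaviour the review describes);
    the per-repo "subcomponent" key is an assumed field name."""
    repos = component["repos"]
    if subcomponent is None:
        return repos
    matched = [r for r in repos if r.get("subcomponent") == subcomponent]
    if not matched:
        print(f"warning: subcomponent {subcomponent!r} not found in mapping, running without subcomponent filter")
        return repos
    return matched


if __name__ == "__main__":
    for comp, lines in validate_mapping(SAMPLE_MAPPING).items():
        for line in lines:
            print(f"[{comp}] {line}")
```

Run against the sample, the only finding is the midstream entry owned by mtchoum1; replacing that URL with the upstream one instead trips the duplicate-URL check, which is the trap the suggested fix above walks into. Wiring validate_mapping into CI for component-repository-mappings.json keeps automation from ever being pointed at a repo outside the allowed orgs.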

Update to reflect user-confirmed repository:
- https://github.com/mtchoum1/notebooks (midstream)
- Active branches: rhoai-2.25, rhoai-3.3

Co-Authored-By: Claude <noreply@anthropic.com>
