
WIP: feat(azure): add ARO-HCP Taskfile automation for dev workflows #7415

Draft
devguyio wants to merge 1 commit into openshift:main from devguyio:aro-hcp-dev-taskfile


@devguyio

Contributor

What this PR does / why we need it:

Adds Taskfile-based automation for ARO-HCP development under hack/aro-hcp/. Provides modular tasks for managing Azure infrastructure, AKS clusters, HyperShift operator deployment, and hosted cluster lifecycle.

Key features:

  • Modular task structure with prereq, keyvault, oidc, dataplane, aks, dns, operator, and cluster task files
  • Example configuration files for credentials and environment setup
  • Comprehensive README with prerequisites and workflow documentation

Which issue(s) this PR fixes:

Fixes

Special notes for your reviewer:

Checklist:

  • Subject and description added to both, commit and PR.
  • Relevant issues have been referenced.
  • This change includes docs.
  • This change includes unit tests.

@openshift-ci openshift-ci Bot added the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Dec 19, 2025
@openshift-ci

openshift-ci Bot commented Dec 19, 2025

Contributor

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

@coderabbitai

coderabbitai Bot commented Dec 19, 2025

Contributor

Important

Review skipped

Auto reviews are limited based on label configuration.

🚫 Excluded labels (none allowed) (1)
  • do-not-merge/work-in-progress

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.


Comment @coderabbitai help to get the list of available commands and usage tips.

@openshift-ci openshift-ci Bot added do-not-merge/needs-area area/ci-tooling Indicates the PR includes changes for CI or tooling labels Dec 19, 2025
@openshift-ci

openshift-ci Bot commented Dec 19, 2025

Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: devguyio

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci openshift-ci Bot added approved Indicates a PR has been approved by an approver from all required OWNERS files. and removed do-not-merge/needs-area labels Dec 19, 2025
Adds Taskfile-based automation for ARO-HCP development under hack/aro-hcp/.
Provides modular tasks for managing Azure infrastructure, AKS clusters,
HyperShift operator deployment, and hosted cluster lifecycle.

Key features:
- Modular task structure with prereq, keyvault, oidc, dataplane, aks,
  dns, operator, and cluster task files
- Example configuration files for credentials and environment setup
- Comprehensive README with prerequisites and workflow documentation

Commit-Message-Assisted-by: Claude (via Claude Code)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Signed-off-by: Ahmed Abdalla <aabdelre@redhat.com>
@devguyio devguyio force-pushed the aro-hcp-dev-taskfile branch from 5eb4783 to 9c54600 Compare December 22, 2025 00:06
@openshift-ci

openshift-ci Bot commented May 11, 2026

Contributor

@devguyio: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

@openshift-ci

openshift-ci Bot commented Jun 11, 2026

Contributor

Stale PRs are closed after 21d of inactivity.

If this PR is still relevant, comment to refresh it or remove the stale label.
Mark the PR as fresh by commenting /remove-lifecycle stale.

If this PR is safe to close now please do so with /close.

/lifecycle stale

@openshift-ci openshift-ci Bot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Jun 11, 2026
@hypershift-jira-solve-ci


Now I have all the evidence needed. Let me compile the final report.

Test Failure Analysis Complete

Job Information

  • Prow Job: Red Hat Konflux / hypershift-operator-main-enterprise-contract / hypershift-operator-main
  • Build ID: hypershift-operator-main-enterprise-contract-98kxk
  • Second Job: Red Hat Konflux / hypershift-operator-enterprise-contract / hypershift-operator-main (hypershift-operator-enterprise-contract-cbq58)
  • PR: WIP: feat(azure): add ARO-HCP Taskfile automation for dev workflows #7415
  • PR Created: 2025-12-19 (~6 months ago)
  • PR Branch: aro-hcp-dev-taskfile (head SHA: 9c54600)
  • PR Labels: approved, do-not-merge/work-in-progress, lifecycle/stale, area/ci-tooling
  • Snapshot: hypershift-operator-865qt
  • Result: 222 successes, 26 warnings, 2 failures (identical in both jobs)

Test Failure Analysis

Error

Enterprise Contract verify task: 2 failure(s)

Containerfile.operator is missing required elements that are present on main:
1. Missing LABEL cpe="cpe:/a:redhat:multicluster_engine:5.0::el9"
2. Missing ARG COMMIT_HASH

Summary

Both Konflux Enterprise Contract checks (hypershift-operator-main-enterprise-contract and hypershift-operator-enterprise-contract) fail with exactly 2 policy violations because PR #7415's branch was created on 2025-12-19 and has never been rebased. The branch is missing the mandatory cpe label (added 2026-02-17 in commit 70599ce) and the COMMIT_HASH build argument (added 2026-04-18 in commit 6dc4608) in Containerfile.operator. The branch is also missing updated Tekton task bundles (10 version bumps across 18 tasks), the enable-package-registry-proxy parameter for prefetch-dependencies-oci-ta, and the MCE version bump from 4.21 to 5.0. These are not related to the PR's functional changes (which only add files under hack/aro-hcp/). A rebase onto current main will resolve both failures.

Root Cause

The PR branch (aro-hcp-dev-taskfile) was created on 2025-12-19 — nearly 6 months ago — and has never been rebased onto main. During that time, several mandatory compliance and infrastructure changes were merged to main that the PR branch is missing:

EC Failure #1: Missing CPE Label

  • Commit 70599cebe2a (merged 2026-02-17) added LABEL cpe="cpe:/a:redhat:multicluster_engine:2.12::el9" to Containerfile.operator
  • Later updated to cpe:/a:redhat:multicluster_engine:5.0::el9 in commit b9ed901ec (2026-04-20)
  • The CPE (Common Platform Enumeration) label is required by Red Hat Enterprise Contract policy for vulnerability tracking and compliance reporting
  • The PR branch has no CPE label at all

EC Failure #2: Missing COMMIT_HASH Build Argument

  • Commit 6dc4608ae45 (merged 2026-04-18) added ARG COMMIT_HASH to both Containerfile.operator and Dockerfile
  • This build argument supports git worktree builds where .git is a file pointer rather than a directory
  • The PR branch is missing this ARG from both files

Additional drift (contributing to warnings but not the 2 failures):

  • Tekton task bundles: 10 major version bumps missing (e.g., init 0.2→0.4, buildah-remote-oci-ta 0.5→0.9, build-image-index 0.1→0.3, prefetch-dependencies-oci-ta 0.2→0.3) plus 8 digest-only updates — totaling 36 line differences across .tekton/pipelines/common-operator-build.yaml
  • Missing enable-package-registry-proxy parameter on prefetch-dependencies-oci-ta task (required by EC policy, added in a dedicated fix commit)
  • MCE version: PR branch has version=4.21, main has version=5.0
  • Tekton file structure: PR branch still references mce-211 pipeline files; main has migrated to mce-50

This is the identical failure pattern seen on other stale PRs (#7446, #7749) in this repository. The PR's functional changes (files under hack/aro-hcp/) are entirely unrelated to the EC failures.

Recommendations
  1. Rebase PR WIP: feat(azure): add ARO-HCP Taskfile automation for dev workflows #7415 onto current main — this is the only required action:

    git fetch upstream
    git checkout aro-hcp-dev-taskfile
    git rebase upstream/main
    git push --force-with-lease

    This will pick up the CPE label, COMMIT_HASH ARG, updated Tekton bundles, package-registry-proxy parameter, and all other compliance changes.

  2. Expect EC checks to change to skipping or pass after rebase — recent merged PRs (OCPBUGS-87217: fix: add CPU partitioning workload annotation to control-plane-metrics-forwarder #8686, NO-JIRA: fix address-review-comments workflow for fork PRs #8706) show EC checks either pass or skip (with neutral/skipping conclusion) when the branch is current with main.

  3. Consider whether this WIP PR is still needed — the PR has lifecycle/stale and do-not-merge/work-in-progress labels, was created 6 months ago, and the branch is extremely far behind main. If the feature is still desired, a fresh branch from current main may be cleaner than rebasing across 6 months of changes.

Evidence
| Evidence | Detail |
| --- | --- |
| PR Created | 2025-12-19 (~6 months ago) |
| PR Base SHA | 780f88b8979b (Dec 2025) |
| Current Main SHA | 4755e9c941b5 (Jun 2026) |
| PR Labels | lifecycle/stale, do-not-merge/work-in-progress, needs-rebase |
| EC Failure Count | 2 failures (identical in both check runs) |
| EC Successes | 222 successes, 26 warnings |
| Missing CPE Label | LABEL cpe="cpe:/a:redhat:multicluster_engine:5.0::el9" (added 2026-02-17, commit 70599ce) |
| Missing COMMIT_HASH ARG | ARG COMMIT_HASH in Containerfile.operator and Dockerfile (added 2026-04-18, commit 6dc4608) |
| Missing package-registry-proxy | enable-package-registry-proxy: "true" on prefetch-dependencies-oci-ta task |
| Tekton bundle drift | 10 major version bumps + 8 digest updates = 36 line differences |
| Version label drift | PR: version=4.21 → Main: version=5.0 |
| Pipeline run 1 | hypershift-operator-main-enterprise-contract-98kxk |
| Pipeline run 2 | hypershift-operator-enterprise-contract-cbq58 |
| PR #8686 (recent merge) | EC checks show skipping — confirms main is compliant |
| Prior identical failures | PR #7446 (same 2 failures), PR #7749 (64 failures from older branch) |
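
A local pre-push check for the two Containerfile elements the analysis above reports missing, as an added example that is not part of the PR, the bot's report, or the Enterprise Contract policy itself. The function names are hypothetical and the file contents are constructed samples, not the repository's real Containerfile.operator.

```shell
#!/bin/sh
# Added example, not the Enterprise Contract policy: it only looks for the two
# Containerfile elements named in the report (LABEL cpe, ARG COMMIT_HASH).

# Emit one logical instruction per line: join "\" continuations, skip comments.
logical_lines() {
    awk '
        /^[ \t]*#/ { next }
        {
            line = buf $0
            if (line ~ /\\[ \t]*$/) { sub(/\\[ \t]*$/, " ", line); buf = line; next }
            buf = ""; print line
        }
        END { if (buf != "") print buf }
    ' "$1"
}

# has_label FILE KEY: true if a LABEL instruction sets KEY (plain or quoted key).
# KEY is used inside a regex, so pass only literal names such as "cpe".
has_label() {
    logical_lines "$1" |
        grep -Eq "^[[:space:]]*[Ll][Aa][Bb][Ee][Ll][[:space:]]+(.*[[:space:]])?[\"']?$2[\"']?="
}

# has_arg FILE NAME: true if an ARG instruction declares NAME.
has_arg() {
    logical_lines "$1" |
        grep -Eq "^[[:space:]]*[Aa][Rr][Gg][[:space:]]+$2([[:space:]=]|\$)"
}

# Returns 0 when both elements are present, 1 when any is missing, 2 on I/O error.
check_containerfile() {
    file=$1; missing=0
    [ -r "$file" ] || { echo "cannot read $file" >&2; return 2; }
    has_label "$file" cpe || { echo "$file: missing LABEL cpe"; missing=1; }
    has_arg "$file" COMMIT_HASH || { echo "$file: missing ARG COMMIT_HASH"; missing=1; }
    return "$missing"
}

# Constructed sample inputs (not the repository's real Containerfile.operator).
demo_dir=$(mktemp -d)
printf 'FROM scratch\nLABEL version=4.21\n' > "$demo_dir/stale"
printf 'FROM scratch\nARG COMMIT_HASH\nLABEL version=5.0 \\\n      cpe="cpe:/a:redhat:multicluster_engine:5.0::el9"\n' > "$demo_dir/current"
check_containerfile "$demo_dir/stale" || echo "stale branch: rebase needed"
check_containerfile "$demo_dir/current" && echo "current branch: both elements present"
```

The check only confirms that the instructions exist; it does not validate the CPE value or any of the Tekton bundle drift listed in the report.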
