bump operator-sdk version to v1.42.2

[jamesmarshall24]

Bump operator-sdk from v1.40.0 to v1.42.2. Updates OPERATOR_SDK_VERSION in Makefile and the base image in Dockerfile.

Summary by CodeRabbit

• Chores
  • Updated the operator-framework base image from v1.40.0 to v1.42.2 for improved stability and compatibility.
  • Bumped the Makefile’s operator SDK version from v1.40.0 to v1.42.2, ensuring build and validation steps download the newer operator-sdk release.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Enterprise

Run ID: b49cffaa-0df6-4403-b4b6-8fc83489dfb8

📥 Commits

Reviewing files that changed from the base of the PR and between 223f42a and d655c28.

📒 Files selected for processing (2)

• Dockerfile
• Makefile

🚧 Files skipped from review as they are similar to previous changes (1)

• Makefile

---

📝 Walkthrough

Walkthrough

The ansible-operator base image in Dockerfile and the OPERATOR_SDK_VERSION variable in Makefile are updated from v1.40.0 to v1.42.2.

Changes

Version Bump to v1.42.2

Layer / File(s)	Summary
Version updates Dockerfile, Makefile	The Dockerfile base image tag and the Makefile OPERATOR_SDK_VERSION are both updated to v1.42.2.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title clearly summarizes the main change: upgrading operator-sdk to v1.42.2.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch operator_sdk_bump

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands.}

[coderabbitai]

Actionable comments posted: 1

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

Dockerfile (1)

1-23: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Set an explicit non-root runtime user in the image.

The Dockerfile does not declare USER; runtime identity is implicitly inherited from the base image and can regress with upstream image changes. Set a fixed non-root user/group explicitly after file copy/install steps.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@Dockerfile` around lines 1 - 23, The Dockerfile lacks an explicit USER
directive, which means the runtime identity is inherited from the base image and
could change with upstream updates. Add a USER directive after all the COPY and
RUN commands (and before the ENTRYPOINT) to explicitly set a fixed non-root user
and group. This ensures the container runs with a consistent, secure identity
regardless of base image changes.

Source: Linters/SAST tools

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@Makefile`:
- Line 51: The Makefile downloads operator binaries at lines 158 and 174 and
executes them with chmod +x without performing any integrity verification,
creating a supply-chain security risk. Add SHA256 checksum validation or cosign
signature verification immediately after downloading the operator binary at each
of these locations (lines 158 and 174) and before executing the chmod +x
command. The verification should validate the downloaded binary against a known
checksum or signature to ensure the binary has not been tampered with before it
is made executable and used.

---

Outside diff comments:
In `@Dockerfile`:
- Around line 1-23: The Dockerfile lacks an explicit USER directive, which means
the runtime identity is inherited from the base image and could change with
upstream updates. Add a USER directive after all the COPY and RUN commands (and
before the ENTRYPOINT) to explicitly set a fixed non-root user and group. This
ensures the container runs with a consistent, secure identity regardless of base
image changes.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Enterprise

Run ID: f709bba4-6f81-4b72-957e-81c0fd0713b6

📥 Commits

Reviewing files that changed from the base of the PR and between e368ffb and 223f42a.

📒 Files selected for processing (2)

• Dockerfile
• Makefile

[coderabbitai]

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

# First, locate and inspect the Makefile
fd -t f "Makefile$" | head -5

Repository: ansible/eda-server-operator

Length of output: 80

---

🏁 Script executed:

# Once we have the Makefile, examine the specific lines mentioned
wc -l Makefile && echo "---" && sed -n '45,55p' Makefile && echo "---" && sed -n '155,165p' Makefile && echo "---" && sed -n '170,180p' Makefile

Repository: ansible/eda-server-operator

Length of output: 1192

---

🏁 Script executed:

# Search for checksum or signature verification patterns in the Makefile
rg -i "(checksum|sha256|signature|cosign|verify|gpg)" Makefile

Repository: ansible/eda-server-operator

Length of output: 53

---

🏁 Script executed:

# Check the full context around the download sections and look for any supporting files
cat -n Makefile | sed -n '145,185p'

Repository: ansible/eda-server-operator

Length of output: 1718

---

🏁 Script executed:

# Check if there are any checksum files or verification scripts in the repo
fd -t f "(sha256|checksum|.*sums.*)" . --exclude ".git" | head -20

Repository: ansible/eda-server-operator

Length of output: 53

---

Add checksum/signature verification for downloaded operator binaries.

Line 51 changes the fetched release version, but the download paths (Lines 158 and 174) execute binaries without integrity verification. This leaves CI/local builds exposed to supply-chain tampering. Add SHA256 checksum validation or cosign signature verification before chmod +x.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@Makefile` at line 51, The Makefile downloads operator binaries at lines 158
and 174 and executes them with chmod +x without performing any integrity
verification, creating a supply-chain security risk. Add SHA256 checksum
validation or cosign signature verification immediately after downloading the
operator binary at each of these locations (lines 158 and 174) and before
executing the chmod +x command. The verification should validate the downloaded
binary against a known checksum or signature to ensure the binary has not been
tampered with before it is made executable and used.

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud