bump operator-sdk version to v1.42.2

[jamesmarshall24]

Bump operator-sdk from v1.40.0 to v1.42.2. Updates OPERATOR_SDK_VERSION in Makefile and the base image in Dockerfile.

Summary by CodeRabbit

• Chores
  • Updated operator framework and SDK dependencies from v1.40.0 to v1.42.2 for improved stability and compatibility.

[coderabbitai]

📝 Walkthrough

Walkthrough

The ansible-operator base image in Dockerfile and the OPERATOR_SDK_VERSION variable in Makefile are both updated from v1.40.0 to v1.42.2. No other changes are made.

Changes

Version Bump to v1.42.2

Layer / File(s)	Summary
Bump ansible-operator base image and OPERATOR_SDK_VERSION Dockerfile, Makefile	FROM quay.io/operator-framework/ansible-operator tag updated to v1.42.2 in Dockerfile; OPERATOR_SDK_VERSION updated to v1.42.2 in Makefile.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title clearly and accurately summarizes the main change: bumping the operator-sdk version to v1.42.2, which is reflected in both the Dockerfile and Makefile updates.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch operator_sdk_bump

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

[coderabbitai]

Actionable comments posted: 1

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

Dockerfile (1)

1-23: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Set an explicit non-root runtime user in the image.

The Dockerfile does not declare USER; runtime identity is implicitly inherited from the base image and can regress with upstream image changes. Set a fixed non-root user/group explicitly after file copy/install steps.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@Dockerfile` around lines 1 - 23, The Dockerfile lacks an explicit USER
directive, which means the runtime identity is inherited from the base image and
could change with upstream updates. Add a USER directive after all the COPY and
RUN commands (and before the ENTRYPOINT) to explicitly set a fixed non-root user
and group. This ensures the container runs with a consistent, secure identity
regardless of base image changes.

Source: Linters/SAST tools

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@Makefile`:
- Line 51: The Makefile downloads operator binaries at lines 158 and 174 and
executes them with chmod +x without performing any integrity verification,
creating a supply-chain security risk. Add SHA256 checksum validation or cosign
signature verification immediately after downloading the operator binary at each
of these locations (lines 158 and 174) and before executing the chmod +x
command. The verification should validate the downloaded binary against a known
checksum or signature to ensure the binary has not been tampered with before it
is made executable and used.

---

Outside diff comments:
In `@Dockerfile`:
- Around line 1-23: The Dockerfile lacks an explicit USER directive, which means
the runtime identity is inherited from the base image and could change with
upstream updates. Add a USER directive after all the COPY and RUN commands (and
before the ENTRYPOINT) to explicitly set a fixed non-root user and group. This
ensures the container runs with a consistent, secure identity regardless of base
image changes.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Enterprise

Run ID: f709bba4-6f81-4b72-957e-81c0fd0713b6

📥 Commits

Reviewing files that changed from the base of the PR and between e368ffb and 223f42a.

📒 Files selected for processing (2)

• Dockerfile
• Makefile

[coderabbitai]

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

# First, locate and inspect the Makefile
fd -t f "Makefile$" | head -5

Repository: ansible/eda-server-operator

Length of output: 80

---

🏁 Script executed:

# Once we have the Makefile, examine the specific lines mentioned
wc -l Makefile && echo "---" && sed -n '45,55p' Makefile && echo "---" && sed -n '155,165p' Makefile && echo "---" && sed -n '170,180p' Makefile

Repository: ansible/eda-server-operator

Length of output: 1192

---

🏁 Script executed:

# Search for checksum or signature verification patterns in the Makefile
rg -i "(checksum|sha256|signature|cosign|verify|gpg)" Makefile

Repository: ansible/eda-server-operator

Length of output: 53

---

🏁 Script executed:

# Check the full context around the download sections and look for any supporting files
cat -n Makefile | sed -n '145,185p'

Repository: ansible/eda-server-operator

Length of output: 1718

---

🏁 Script executed:

# Check if there are any checksum files or verification scripts in the repo
fd -t f "(sha256|checksum|.*sums.*)" . --exclude ".git" | head -20

Repository: ansible/eda-server-operator

Length of output: 53

---

Add checksum/signature verification for downloaded operator binaries.

Line 51 changes the fetched release version, but the download paths (Lines 158 and 174) execute binaries without integrity verification. This leaves CI/local builds exposed to supply-chain tampering. Add SHA256 checksum validation or cosign signature verification before chmod +x.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@Makefile` at line 51, The Makefile downloads operator binaries at lines 158
and 174 and executes them with chmod +x without performing any integrity
verification, creating a supply-chain security risk. Add SHA256 checksum
validation or cosign signature verification immediately after downloading the
operator binary at each of these locations (lines 158 and 174) and before
executing the chmod +x command. The verification should validate the downloaded
binary against a known checksum or signature to ensure the binary has not been
tampered with before it is made executable and used.