NO-JIRA: Fix Azure private/topology CEL validation rules #8490

Draft
enxebre wants to merge 4 commits into openshift:main from enxebre:enxebre/fix-azure-private-topology-cel

@enxebre enxebre commented May 12, 2026

Description

Fix two CEL validation gaps on Azure AzurePlatformSpec and AzurePrivateSpec:

  1. private was settable without topology: The existing rule !has(self.topology) || (...) short-circuited to true when topology was omitted, allowing private to be set without topology. Fixed to has(self.topology) && (...) ? has(self.private) : !has(self.private) — now correctly forbids private when topology is absent or Public.

  2. privateLink struct not required when type is PrivateLink: Only the negative constraint existed (forbid privateLink when type is not PrivateLink). Added self.type != 'PrivateLink' || has(self.privateLink) to require the struct.

Changes

  • api/hypershift/v1beta1/azure.go: Fix topology/private CEL rule, add privateLink requirement rule
  • Envtest cases: added "private without topology should fail", "private with Public topology should fail", "PrivateLink without privateLink config should fail"; fixed existing tests to include privateLink struct

Test plan

  • make test-envtest-ocp — all 630 specs pass

Summary by CodeRabbit

  • Bug Fixes
    • Azure topology validation tightened: private configuration is now consistently required for Private or PublicAndPrivate topologies and forbidden otherwise, preventing ambiguous or missing private settings.
    • PrivateLink validation strengthened: PrivateLink-specific settings are now required when PrivateLink is selected and disallowed otherwise, reducing misconfiguration risk.


@openshift-ci-robot openshift-ci-robot added the jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. label May 12, 2026
@openshift-ci-robot

@enxebre: This pull request explicitly references no jira issue.


@openshift-ci
Contributor

openshift-ci Bot commented May 12, 2026

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

@openshift-ci openshift-ci Bot added do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. do-not-merge/needs-area labels May 12, 2026
@coderabbitai
Contributor

coderabbitai Bot commented May 12, 2026

No actionable comments were generated in the recent review. 🎉


📥 Commits

Reviewing files that changed from the base of the PR and between 9cafe87 and ca317d6.

⛔ Files ignored due to path filters (34)
📒 Files selected for processing (1)
  • api/hypershift/v1beta1/azure.go
🚧 Files skipped from review as they are similar to previous changes (1)
  • api/hypershift/v1beta1/azure.go

Walkthrough

Kubebuilder XValidation rules were tightened for two Azure API types in api/hypershift/v1beta1/azure.go. AzurePlatformSpec now requires topology to be present before evaluating whether private must be set (Private or PublicAndPrivate requires private; other values forbid it). AzurePrivateSpec now requires privateLink when type == 'PrivateLink' and forbids it otherwise.

🚥 Pre-merge checks | ✅ 12
✅ Passed checks (12 passed)

| Check name | Status | Explanation |
| --- | --- | --- |
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title clearly and concisely describes the main change: fixing CEL validation rules for Azure private/topology fields, which is the primary focus of the changeset. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Stable And Deterministic Test Names | ✅ Passed | All Ginkgo test names in Azure test files are stable and deterministic. The 21 test names contain no dynamic content and clearly describe what each test validates. |
| Test Structure And Quality | ✅ Passed | Three new Azure tests meet all quality criteria: single responsibility, proper setup/cleanup, timeouts, and codebase consistency. Pre-existing framework assertion gaps don't apply to YAML specs. |
| Microshift Test Compatibility | ✅ Passed | New Ginkgo tests are envtest-based CEL validation tests for HyperShift CRDs. No references to OpenShift-specific APIs or MicroShift-incompatible features. |
| Single Node Openshift (Sno) Test Compatibility | ✅ Passed | The PR adds envtest API validation tests (YAML-based, not Ginkgo e2e), not e2e tests. These tests validate CRD schema and CEL rules at the API level without assuming multi-node topology. |
| Topology-Aware Scheduling Compatibility | ✅ Passed | Changes to Azure API type validation rules only. No deployment manifests, pod scheduling constraints, affinity rules, or topology-aware scheduling configurations introduced. |
| Ote Binary Stdout Contract | ✅ Passed | PR modifies only API type definitions and YAML test specs. No process-level code, no stdout writes. Not applicable to OTE Binary Stdout Contract check. |
| Ipv6 And Disconnected Network Test Compatibility | ✅ Passed | PR does not add Ginkgo e2e tests. Changes consist of: (1) CEL validation rule updates in azure.go, and (2) YAML-based envtest validation specs. Ginkgo e2e test check not applicable. |


@openshift-ci openshift-ci Bot added area/api Indicates the PR includes changes for the API area/cli Indicates the PR includes changes for CLI area/platform/azure PR/issue for Azure (AzurePlatform) platform approved Indicates a PR has been approved by an approver from all required OWNERS files. and removed do-not-merge/needs-area labels May 12, 2026
@codecov

codecov Bot commented May 12, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 40.00%. Comparing base (b7c62b0) to head (ca317d6).
⚠️ Report is 95 commits behind head on main.

Additional details and impacted files
@@            Coverage Diff             @@
##             main    #8490      +/-   ##
==========================================
+ Coverage   39.85%   40.00%   +0.14%     
==========================================
  Files         751      751              
  Lines       92556    92838     +282     
==========================================
+ Hits        36888    37137     +249     
- Misses      52994    53014      +20     
- Partials     2674     2687      +13     

see 27 files with indirect coverage changes

Flag Coverage Δ
cmd-support 34.09% <ø> (+0.05%) ⬆️
cpo-hostedcontrolplane 40.56% <ø> (+0.04%) ⬆️
cpo-other 40.14% <ø> (+0.05%) ⬆️
hypershift-operator 50.53% <ø> (+0.15%) ⬆️
other 31.54% <ø> (+0.84%) ⬆️


Member

@bryan-cox bryan-cox left a comment

/lgtm

@openshift-ci openshift-ci Bot added the lgtm Indicates that a PR is ready to be merged. label May 12, 2026
@openshift-merge-bot
Contributor

Scheduling tests matching the pipeline_run_if_changed or not excluded by pipeline_skip_if_only_changed parameters:
/test e2e-aks
/test e2e-aws
/test e2e-aws-upgrade-hypershift-operator
/test e2e-azure-self-managed
/test e2e-kubevirt-aws-ovn-reduced
/test e2e-v2-aws

The existing CEL rule on AzurePlatformSpec allowed setting the
private field even when topology was not set, because
`!has(self.topology)` short-circuited to true. Fix the rule to
correctly forbid private when topology is absent or Public.

Also add a CEL rule on AzurePrivateSpec to require the privateLink
struct when type is PrivateLink — previously only the negative
constraint (forbid privateLink when type is not PrivateLink)
existed.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@enxebre enxebre force-pushed the enxebre/fix-azure-private-topology-cel branch from 59e049c to 9cafe87 Compare May 12, 2026 11:58
@openshift-ci openshift-ci Bot removed the lgtm Indicates that a PR is ready to be merged. label May 12, 2026
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@enxebre enxebre force-pushed the enxebre/fix-azure-private-topology-cel branch from 9cafe87 to 723185b Compare May 12, 2026 12:53
Member

@bryan-cox bryan-cox left a comment

/lgtm

@openshift-ci openshift-ci Bot added the lgtm Indicates that a PR is ready to be merged. label May 12, 2026
@openshift-merge-bot
Contributor

Scheduling tests matching the pipeline_run_if_changed or not excluded by pipeline_skip_if_only_changed parameters:
/test e2e-aks
/test e2e-aws
/test e2e-aws-upgrade-hypershift-operator
/test e2e-azure-self-managed
/test e2e-kubevirt-aws-ovn-reduced
/test e2e-v2-aws

@openshift-ci
Contributor

openshift-ci Bot commented May 12, 2026

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: bryan-cox, enxebre


//
// +kubebuilder:validation:XValidation:rule="self.type != 'PrivateLink' ? !has(self.privateLink) : true",message="privateLink is forbidden when type is not PrivateLink"
// +kubebuilder:validation:XValidation:rule="self.type != 'PrivateLink' || has(self.privateLink)",message="privateLink is required when type is PrivateLink"
// +union
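
Review bot: the two XValidation lines on type/privateLink state one constraint in two notations, a ternary ending in `: true` for the forbid direction and an `||` for the require direction, each with its own message. Together they accept exactly the objects where privateLink is set and type is PrivateLink, or neither holds, so a single rule such as `self.type == 'PrivateLink' ? has(self.privateLink) : !has(self.privateLink)` with one message would say the same thing once. If the rules are merged, keep one envtest case per direction so both halves stay pinned.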
Contributor

can't those 2 rules be combined?

// +kubebuilder:validation:XValidation:rule="(self.type == 'PrivateLink') == has(self.privateLink)",message="privateLink must be set if and only if type is PrivateLink"

Member Author

sgtm, @JoelSpeed is there any preference / convention for this? what's the impact on budget?

Contributor

The one we typically use for this is

// +kubebuilder:validation:XValidation:rule="self.type == 'PrivateLink' ? has(self.privateLink) : !has(self.privateLink)",message="privateLink is required when type is PrivateLink, and forbidden otherwise"
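
The two gaps from the PR description and the rule forms compared in this review thread, modeled as plain Go predicates and checked over every field combination. This is an added example, not code from the PR or from hypershift, and it does not run CEL: the `(...)` elided in the description is assumed to be the Private/PublicAndPrivate require-or-forbid check the walkthrough describes, and `OtherType` is a constructed placeholder for any type other than PrivateLink.

```go
package main

import "fmt"

// Constructed stand-ins for the fields the rules read. Topology == "" models
// has(self.topology) == false; the bools model has(self.private/privateLink).
type platform struct{ Topology string; HasPrivate bool }
type privateSpec struct{ Type string; HasPrivateLink bool }

// Every field combination. OtherType is a constructed placeholder for any
// type value other than PrivateLink.
var platforms = []platform{{"", false}, {"", true}, {"Public", false}, {"Public", true},
	{"Private", false}, {"Private", true}, {"PublicAndPrivate", false}, {"PublicAndPrivate", true}}
var privateSpecs = []privateSpec{{"PrivateLink", false}, {"PrivateLink", true},
	{"OtherType", false}, {"OtherType", true}}

// cond mirrors CEL's c ? a : b for boolean operands.
func cond(c, a, b bool) bool {
	if c {
		return a
	}
	return b
}

func needsPrivate(t string) bool { return t == "Private" || t == "PublicAndPrivate" }

// Old rule: !has(self.topology) || (...)
// ASSUMPTION: the elided (...) is the require-or-forbid check on private.
func oldTopologyRule(p platform) bool {
	return p.Topology == "" || cond(needsPrivate(p.Topology), p.HasPrivate, !p.HasPrivate)
}

// New rule: has(self.topology) && (...) ? has(self.private) : !has(self.private)
// The ternary binds loosest, so the whole && expression is its condition.
func newTopologyRule(p platform) bool {
	return cond(p.Topology != "" && needsPrivate(p.Topology), p.HasPrivate, !p.HasPrivate)
}

// self.type != 'PrivateLink' ? !has(self.privateLink) : true
func forbidRule(s privateSpec) bool { return cond(s.Type != "PrivateLink", !s.HasPrivateLink, true) }

// self.type != 'PrivateLink' || has(self.privateLink)
func requireRule(s privateSpec) bool { return s.Type != "PrivateLink" || s.HasPrivateLink }

// (self.type == 'PrivateLink') == has(self.privateLink)
func iffRule(s privateSpec) bool { return (s.Type == "PrivateLink") == s.HasPrivateLink }

// self.type == 'PrivateLink' ? has(self.privateLink) : !has(self.privateLink)
func ternaryRule(s privateSpec) bool {
	return cond(s.Type == "PrivateLink", s.HasPrivateLink, !s.HasPrivateLink)
}

// topologyDiff: closed = admitted by old, rejected by new; loosened = the reverse.
func topologyDiff() (closed, loosened []platform) {
	for _, p := range platforms {
		switch o, n := oldTopologyRule(p), newTopologyRule(p); {
		case o && !n:
			closed = append(closed, p)
		case n && !o:
			loosened = append(loosened, p)
		}
	}
	return closed, loosened
}

// privateLinkGap lists objects that pass the forbid rule alone but fail the require rule.
func privateLinkGap() (gap []privateSpec) {
	for _, s := range privateSpecs {
		if forbidRule(s) && !requireRule(s) {
			gap = append(gap, s)
		}
	}
	return gap
}

// formsAgree: do forbid+require, the == form and the ternary accept the same objects?
func formsAgree() bool {
	for _, s := range privateSpecs {
		if pair := forbidRule(s) && requireRule(s); pair != iffRule(s) || pair != ternaryRule(s) {
			return false
		}
	}
	return true
}

func main() {
	closed, loosened := topologyDiff()
	fmt.Println(closed, loosened, privateLinkGap(), formsAgree())
}
```

Under the stated assumption, the only object the new topology rule rejects that the old one admitted is private set with topology omitted, and the three privateLink forms are interchangeable in what they accept, differing only in error message and expression shape.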


@hypershift-jira-solve-ci

AI Test Failure Analysis

Job: pull-ci-openshift-hypershift-main-e2e-aws | Build: 2054184559926317056 | Cost: $2.5378969999999996 | Failed step: hypershift-aws-run-e2e-nested


Generated by hypershift-analyze-e2e-failure post-step using Claude claude-opus-4-6

enxebre and others added 2 commits May 13, 2026 10:32
… rule

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@openshift-ci openshift-ci Bot removed the lgtm Indicates that a PR is ready to be merged. label May 13, 2026
@enxebre
Member Author

enxebre commented May 13, 2026

/label tide/merge-method-squash

@openshift-ci openshift-ci Bot added the tide/merge-method-squash Denotes a PR that should be squashed by tide when it merges. label May 13, 2026
@enxebre enxebre removed tide/merge-method-squash Denotes a PR that should be squashed by tide when it merges. do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. labels May 13, 2026
@bryan-cox
Member

/lgtm

@openshift-ci openshift-ci Bot added the lgtm Indicates that a PR is ready to be merged. label May 13, 2026
@openshift-merge-bot
Contributor

Scheduling tests matching the pipeline_run_if_changed or not excluded by pipeline_skip_if_only_changed parameters:
/test e2e-aks
/test e2e-aws
/test e2e-aws-upgrade-hypershift-operator
/test e2e-azure-self-managed
/test e2e-kubevirt-aws-ovn-reduced
/test e2e-v2-aws
/test e2e-v2-gke

@JoelSpeed
Contributor

/lgtm

@enxebre
Member Author

enxebre commented May 18, 2026

/verified by e2e @enxebre

@openshift-ci-robot openshift-ci-robot added the verified Signifies that the PR passed pre-merge verification criteria label May 18, 2026
@openshift-ci-robot

@enxebre: This PR has been marked as verified by e2e @enxebre.


@enxebre
Member Author

enxebre commented May 20, 2026

/retest

@openshift-ci
Contributor

openshift-ci Bot commented May 20, 2026

@enxebre: all tests passed!


@openshift-ci openshift-ci Bot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label May 21, 2026
@openshift-ci
Contributor

openshift-ci Bot commented May 21, 2026

PR needs rebase.


@hypershift-jira-solve-ci

Now I have the complete picture. Here's the analysis:

Test Failure Analysis Complete

Job Information

  • Prow Job: tide (merge controller)
  • Build ID: N/A (tide is a merge controller, not a CI test job)
  • PR: #8490 NO-JIRA: Fix Azure private/topology CEL validation rules
  • Branch: enxebre/fix-azure-private-topology-cel → main
  • Author: enxebre
  • All Prow CI test jobs passed: ✅ e2e-aks, e2e-aws, e2e-aws-upgrade-hypershift-operator, e2e-azure-self-managed, e2e-kubevirt-aws-ovn-reduced, e2e-v2-aws, e2e-v2-gke, images, security, verify-deps

Test Failure Analysis

Error

tide: Not mergeable. PR has a merge conflict.
Label "needs-rebase" added by openshift-ci[bot] at 2026-05-21T08:27:09Z.
PR mergeable_state: "dirty" (CONFLICTING)

Summary

No CI tests actually failed — all Prow e2e and presubmit jobs passed successfully. The tide ERROR state is caused by a merge conflict between this PR's branch and main. The PR was created on 2026-05-12 and modifies api/hypershift/v1beta1/azure.go along with generated CRD manifests. Since then, commit 3f801ea6 ("feat(api): support both managed and self-managed KMS authentication" by Bryan Cox, merged 2026-05-19) modified the same azure.go file on main, creating a conflict. The openshift-ci[bot] detected the conflict and added the needs-rebase label, which causes tide to exclude the PR from its merge pool (the tide query requires -label:needs-rebase). Two Konflux enterprise-contract checks also show as FAILURE, but these are a separate repo-wide issue affecting multiple open PRs and are not blocking the merge.

Root Cause

The root cause is a git merge conflict between the PR branch and the main branch, not a test failure.

Conflict origin: PR #8490 modifies api/hypershift/v1beta1/azure.go (Azure CEL validation rules) and its generated CRD manifests. After the PR was created (2026-05-12), the following commits landed on main that touch overlapping files:

  1. 3f801ea6 (2026-05-19) — "feat(api): support both managed and self-managed KMS authentication" — Modified api/hypershift/v1beta1/azure.go directly, creating a conflict with this PR's changes to the same file.
  2. 9a216101 (2026-05-19) — "chore(api): regenerate CRDs, clients, deepcopy, and vendor" — Regenerated CRD manifests that this PR also modifies.
  3. be263214 (2026-05-18) — "fix(hypershift-operator): reject Azure HostedClusters with shadowing service hostnames" — Also modifies Azure-related CRD manifests.
  4. 1d348802 (2026-05-21) — Merge of PR OCPBUGS-85351: fix(azure): prevent externalDNSDomain from shadowing cluster apps domain #8480 "azure-external-dns-validation" — Further CRD changes.

The openshift-ci[bot] detected the conflict at 2026-05-21T08:27:09Z and added the needs-rebase label. Tide's merge pool query for openshift/hypershift on main includes -label:needs-rebase, so the PR is excluded from the merge pool entirely, resulting in the ERROR state.

Regarding the Konflux enterprise-contract failures: These are a separate, repo-wide issue — the same two checks (hypershift-operator-enterprise-contract and hypershift-operator-main-enterprise-contract) are also failing on other open PRs (e.g., #8556, #8555). They are not caused by this PR's changes and are not required by tide for merging.

Recommendations
  1. Rebase the PR branch onto current main to resolve the merge conflict:

    git fetch origin
    git rebase origin/main
    # Resolve conflicts in api/hypershift/v1beta1/azure.go
    # Regenerate CRDs: make generate
    git push --force-with-lease

  2. Resolve conflict in azure.go carefully — the main conflict is between this PR's CEL validation rule changes and the new KMS authentication fields added by commit 3f801ea6. Both changes need to coexist.

  3. Regenerate CRD manifests after resolving the Go source conflict (make generate or equivalent), since the generated zz_generated.*.yaml files will need to reflect both sets of changes.

  4. No action needed for Konflux EC failures — these are a repo-wide issue unrelated to this PR. They should be tracked separately by the team if they become blocking.

  5. After rebasing, the needs-rebase label will be automatically removed by openshift-ci[bot], and tide will re-evaluate the PR for merging.

Evidence

| Evidence | Detail |
| --- | --- |
| PR mergeable state | CONFLICTING / dirty (GitHub API) |
| Tide error message | Not mergeable. PR has a merge conflict. |
| Blocking label | needs-rebase (added by openshift-ci[bot] at 2026-05-21T08:27:09Z) |
| Conflicting file | api/hypershift/v1beta1/azure.go |
| Conflicting commit | 3f801ea6 — "feat(api): support both managed and self-managed KMS authentication" (Bryan Cox, 2026-05-19) |
| Additional CRD conflicts | 4 commits to generated CRD manifests since PR creation (2026-05-12 to 2026-05-21) |
| Prow CI tests | All 10 Prow jobs PASSED (e2e-aks, e2e-aws, e2e-v2-aws, etc.) |
| Konflux EC failures | Repo-wide issue — same checks fail on PRs #8555, #8556; not PR-specific |
| Tide merge query | Requires -label:needs-rebase; PR has the label, so excluded from merge pool |
