fix: address CodeRabbit review comments and add AI Evaluations repos

- Fix cve.find mapping file path: replace unreliable dirname "$0" with
  cwd-relative path and repo-root fallback
- Add cve_fix_workflow field to all new llm-d and AI Evaluations repos
- Add full AI Evaluations component repos (trustyai-service-operator,
  lm-evaluation-harness, llama-stack-provider-trustyai-garak, eval-hub
  upstream/midstream/downstream with real branch data)
- Add container_to_repo_mapping for odh-ta-lmes-driver and odh-ta-lmes-job
- Remove hardcoded RHOAIENG reference from README onboarding step 3

Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com>

Author: vmrh21

workflows/cve-fixer/.claude/commands/cve.find.md

@@ -100,8 +100,15 @@ Report: artifacts/cve-fixer/find/cve-issues-20260226-145018.md
    b. Construct JQL query and execute API call:
    ```bash
    # Normalize component name with case-insensitive lookup against mapping file
-   MAPPING_FILE="$(dirname "$0")/../component-repository-mappings.json"
-   if [ -f "$MAPPING_FILE" ]; then
+   # Try relative to cwd (workflow root), then repo-relative fallback
+   if [ -f "component-repository-mappings.json" ]; then
+     MAPPING_FILE="component-repository-mappings.json"
+   elif [ -f "workflows/cve-fixer/component-repository-mappings.json" ]; then
+     MAPPING_FILE="workflows/cve-fixer/component-repository-mappings.json"
+   else
+     MAPPING_FILE=""
+   fi
+   if [ -n "$MAPPING_FILE" ] && [ -f "$MAPPING_FILE" ]; then
      CANONICAL_NAME=$(jq -r --arg name "${COMPONENT_NAME}" \
        '.components | keys[] | select(ascii_downcase == ($name | ascii_downcase))' \
        "$MAPPING_FILE" | head -1)

workflows/cve-fixer/README.md

@@ -110,7 +110,7 @@ Each team member using the workflow needs:
    - You'll be notified when ready
 
 3. **Coordinate with ProdSec**
-   - Ensure your Jira component exists in RHOAIENG
+   - Ensure your Jira component exists in your Jira project
    - Verify CVE issues are being filed against your component
    - Test with a sample CVE issue
 

workflows/cve-fixer/component-repository-mappings.json

@@ -23,11 +23,11 @@
             "v2.28.0-fixes",
             "v2.27.0-fixes"
           ],
-          "branch_strategy": "Fix in main → auto-propagates to stable → rhoai (every 2 hours). Manual cherry-pick to release branches during code freeze.",
+          "branch_strategy": "Fix in main \u2192 auto-propagates to stable \u2192 rhoai (every 2 hours). Manual cherry-pick to release branches during code freeze.",
           "cve_fix_workflow": {
             "primary_target": "main",
             "backport_targets": "Active vX.X.X-fixes branches for released versions",
-            "automation": "Auto-sync every 2 hours (main → stable → rhoai)",
+            "automation": "Auto-sync every 2 hours (main \u2192 stable \u2192 rhoai)",
             "manual_intervention": "Cherry-pick during code freeze or for patch releases"
           },
           "repository_type": "monorepo",
@@ -390,7 +390,11 @@
             "release-0.6"
           ],
           "branch_strategy": "Fix in main. Release branches follow pattern release-X.Y.",
-          "repo_type": "upstream"
+          "repo_type": "upstream",
+          "cve_fix_workflow": {
+            "primary_target": "main",
+            "backport_targets": "release-0.5, release-0.6"
+          }
         },
         "opendatahub-io/llm-d-inference-scheduler": {
           "github_url": "https://github.com/opendatahub-io/llm-d-inference-scheduler",
@@ -402,7 +406,11 @@
             "stable-2.x"
           ],
           "branch_strategy": "Fork of upstream llm-d/llm-d-inference-scheduler. Synced via sync branches. ODH release branches via Konflux replicator.",
-          "repo_type": "midstream"
+          "repo_type": "midstream",
+          "cve_fix_workflow": {
+            "primary_target": "main",
+            "backport_targets": "release-0.2, release-0.3.1, release-v0.4, stable-2.x"
+          }
         },
         "red-hat-data-services/llm-d-inference-scheduler": {
           "github_url": "https://github.com/red-hat-data-services/llm-d-inference-scheduler",
@@ -414,7 +422,11 @@
             "rhoai-3.4-ea.2"
           ],
           "branch_strategy": "Fork of midstream. RHOAI release branches follow pattern rhoai-X.Y.",
-          "repo_type": "downstream"
+          "repo_type": "downstream",
+          "cve_fix_workflow": {
+            "primary_target": "main",
+            "backport_targets": "rhoai-3.3, rhoai-3.4, rhoai-3.4-ea.1, rhoai-3.4-ea.2"
+          }
         },
         "red-hat-data-services/llm-d-routing-sidecar": {
           "github_url": "https://github.com/red-hat-data-services/llm-d-routing-sidecar",
@@ -424,16 +436,24 @@
             "rhoai-3.0",
             "rhoai-3.2"
           ],
-          "branch_strategy": "Fork of upstream (now archived). Downstream only — upstream code migrated into llm-d-inference-scheduler. No branches beyond rhoai-3.2.",
+          "branch_strategy": "Fork of upstream (now archived). Downstream only \u2014 upstream code migrated into llm-d-inference-scheduler. No branches beyond rhoai-3.2.",
           "repo_type": "downstream",
-          "notes": "Upstream llm-d/llm-d-routing-sidecar is archived; code moved to llm-d-inference-scheduler (cmd/pd_sidecar). This downstream repo may be phased out in future releases."
+          "notes": "Upstream llm-d/llm-d-routing-sidecar is archived; code moved to llm-d-inference-scheduler (cmd/pd_sidecar). This downstream repo may be phased out in future releases.",
+          "cve_fix_workflow": {
+            "primary_target": "main",
+            "backport_targets": "rhoai-2.25, rhoai-3.0, rhoai-3.2"
+          }
         },
         "llm-d-incubation/batch-gateway": {
           "github_url": "https://github.com/llm-d-incubation/batch-gateway",
           "default_branch": "main",
           "active_release_branches": [],
           "branch_strategy": "Fix in main. No formal release branching documented.",
-          "repo_type": "upstream"
+          "repo_type": "upstream",
+          "cve_fix_workflow": {
+            "primary_target": "main",
+            "backport_targets": "None"
+          }
         },
         "opendatahub-io/batch-gateway": {
           "github_url": "https://github.com/opendatahub-io/batch-gateway",
@@ -442,7 +462,11 @@
             "release-v0.5"
           ],
           "branch_strategy": "Fork of upstream llm-d-incubation/batch-gateway.",
-          "repo_type": "midstream"
+          "repo_type": "midstream",
+          "cve_fix_workflow": {
+            "primary_target": "main",
+            "backport_targets": "release-v0.5"
+          }
         },
         "red-hat-data-services/batch-gateway": {
           "github_url": "https://github.com/red-hat-data-services/batch-gateway",
@@ -453,7 +477,11 @@
             "rhoai-3.4-ea.2"
           ],
           "branch_strategy": "Fork of midstream. RHOAI release branches follow pattern rhoai-X.Y.",
-          "repo_type": "downstream"
+          "repo_type": "downstream",
+          "cve_fix_workflow": {
+            "primary_target": "main",
+            "backport_targets": "rhoai-3.4, rhoai-3.4-ea.1, rhoai-3.4-ea.2"
+          }
         },
         "llm-d/llm-d-workload-variant-autoscaler": {
           "github_url": "https://github.com/llm-d/llm-d-workload-variant-autoscaler",
@@ -462,7 +490,11 @@
             "release-0.4.2"
           ],
           "branch_strategy": "Fix in main. Release branches follow pattern release-X.Y.Z.",
-          "repo_type": "upstream"
+          "repo_type": "upstream",
+          "cve_fix_workflow": {
+            "primary_target": "main",
+            "backport_targets": "release-0.4.2"
+          }
         },
         "opendatahub-io/workload-variant-autoscaler": {
           "github_url": "https://github.com/opendatahub-io/workload-variant-autoscaler",
@@ -471,7 +503,11 @@
             "release-v0.5"
           ],
           "branch_strategy": "Fork of upstream llm-d/llm-d-workload-variant-autoscaler. Note: repo name differs from upstream (no llm-d- prefix).",
-          "repo_type": "midstream"
+          "repo_type": "midstream",
+          "cve_fix_workflow": {
+            "primary_target": "main",
+            "backport_targets": "release-v0.5"
+          }
         },
         "red-hat-data-services/workload-variant-autoscaler": {
           "github_url": "https://github.com/red-hat-data-services/workload-variant-autoscaler",
@@ -482,19 +518,79 @@
             "rhoai-3.4-ea.2"
           ],
           "branch_strategy": "Fork of midstream. RHOAI release branches follow pattern rhoai-X.Y.",
-          "repo_type": "downstream"
+          "repo_type": "downstream",
+          "cve_fix_workflow": {
+            "primary_target": "main",
+            "backport_targets": "rhoai-3.4, rhoai-3.4-ea.1, rhoai-3.4-ea.2"
+          }
         }
       }
     },
     "AI Evaluations": {
-      "container_to_repo_mapping": {},
+      "container_to_repo_mapping": {
+        "rhoai/odh-ta-lmes-driver-rhel9": "opendatahub-io/trustyai-service-operator",
+        "rhoai/odh-ta-lmes-job-rhel9": "opendatahub-io/lm-evaluation-harness"
+      },
       "repositories": {
         "eval-hub/eval-hub": {
           "github_url": "https://github.com/eval-hub/eval-hub",
           "default_branch": "main",
           "active_release_branches": [],
           "branch_strategy": "Fix in main. Feature branches follow pattern feature/name or fix/issue.",
-          "repo_type": "upstream"
+          "repo_type": "upstream",
+          "cve_fix_workflow": {
+            "primary_target": "main",
+            "backport_targets": "None"
+          }
+        },
+        "eval-hub/eval-hub-sdk": {
+          "github_url": "https://github.com/eval-hub/eval-hub-sdk",
+          "default_branch": "main",
+          "active_release_branches": [],
+          "branch_strategy": "Fix in main.",
+          "repo_type": "upstream",
+          "notes": "No midstream/downstream forks exist yet.",
+          "cve_fix_workflow": {
+            "primary_target": "main",
+            "backport_targets": "None"
+          }
+        },
+        "eval-hub/eval-hub-contrib": {
+          "github_url": "https://github.com/eval-hub/eval-hub-contrib",
+          "default_branch": "main",
+          "active_release_branches": [],
+          "branch_strategy": "Fix in main.",
+          "repo_type": "upstream",
+          "notes": "No midstream/downstream forks exist yet.",
+          "cve_fix_workflow": {
+            "primary_target": "main",
+            "backport_targets": "None"
+          }
+        },
+        "trustyai-explainability/llama-stack-provider-trustyai-garak": {
+          "github_url": "https://github.com/trustyai-explainability/llama-stack-provider-trustyai-garak",
+          "default_branch": "main",
+          "active_release_branches": [],
+          "branch_strategy": "Fix in main.",
+          "repo_type": "upstream",
+          "cve_fix_workflow": {
+            "primary_target": "main",
+            "backport_targets": "None"
+          }
+        },
+        "trustyai-explainability/trustyai-service-operator": {
+          "github_url": "https://github.com/trustyai-explainability/trustyai-service-operator",
+          "default_branch": "main",
+          "active_release_branches": [
+            "release/1.37.0",
+            "release/1.38.0"
+          ],
+          "branch_strategy": "Fix in main. Release branches follow pattern release/X.Y.Z.",
+          "repo_type": "upstream",
+          "cve_fix_workflow": {
+            "primary_target": "main",
+            "backport_targets": "release/1.37.0, release/1.38.0"
+          }
         },
         "opendatahub-io/eval-hub": {
           "github_url": "https://github.com/opendatahub-io/eval-hub",
@@ -504,7 +600,56 @@
             "stable"
           ],
           "branch_strategy": "Fork of upstream eval-hub/eval-hub.",
-          "repo_type": "midstream"
+          "repo_type": "midstream",
+          "cve_fix_workflow": {
+            "primary_target": "main",
+            "backport_targets": "release/odh-3.4, stable"
+          }
+        },
+        "opendatahub-io/lm-evaluation-harness": {
+          "github_url": "https://github.com/opendatahub-io/lm-evaluation-harness",
+          "default_branch": "main",
+          "active_release_branches": [
+            "release/odh-3.3",
+            "release/odh-3.4",
+            "release/odh-3.4-ea2",
+            "release/odh-3.5"
+          ],
+          "branch_strategy": "ODH fork. Release branches follow pattern release/odh-X.Y.",
+          "repo_type": "midstream",
+          "cve_fix_workflow": {
+            "primary_target": "main",
+            "backport_targets": "release/odh-3.3, release/odh-3.4, release/odh-3.4-ea2, release/odh-3.5"
+          }
+        },
+        "opendatahub-io/llama-stack-provider-trustyai-garak": {
+          "github_url": "https://github.com/opendatahub-io/llama-stack-provider-trustyai-garak",
+          "default_branch": "main",
+          "active_release_branches": [
+            "release/odh-3.4",
+            "stable"
+          ],
+          "branch_strategy": "Fork of upstream trustyai-explainability/llama-stack-provider-trustyai-garak.",
+          "repo_type": "midstream",
+          "cve_fix_workflow": {
+            "primary_target": "main",
+            "backport_targets": "release/odh-3.4, stable"
+          }
+        },
+        "opendatahub-io/trustyai-service-operator": {
+          "github_url": "https://github.com/opendatahub-io/trustyai-service-operator",
+          "default_branch": "main",
+          "active_release_branches": [
+            "release/odh-3.3",
+            "release/odh-3.4",
+            "release/odh-3.4-ea2"
+          ],
+          "branch_strategy": "Fork of upstream trustyai-explainability/trustyai-service-operator. Release branches follow pattern release/odh-X.Y.",
+          "repo_type": "midstream",
+          "cve_fix_workflow": {
+            "primary_target": "main",
+            "backport_targets": "release/odh-3.3, release/odh-3.4, release/odh-3.4-ea2"
+          }
         },
         "red-hat-data-services/eval-hub": {
           "github_url": "https://github.com/red-hat-data-services/eval-hub",
@@ -515,7 +660,59 @@
             "rhoai-3.4-ea.2"
           ],
           "branch_strategy": "Fork of midstream. RHOAI release branches follow pattern rhoai-X.Y.",
-          "repo_type": "downstream"
+          "repo_type": "downstream",
+          "cve_fix_workflow": {
+            "primary_target": "main",
+            "backport_targets": "rhoai-3.4, rhoai-3.4-ea.1, rhoai-3.4-ea.2"
+          }
+        },
+        "red-hat-data-services/lm-evaluation-harness": {
+          "github_url": "https://github.com/red-hat-data-services/lm-evaluation-harness",
+          "default_branch": "main",
+          "active_release_branches": [
+            "rhoai-3.3",
+            "rhoai-3.4",
+            "rhoai-3.4-ea.1",
+            "rhoai-3.4-ea.2"
+          ],
+          "branch_strategy": "Fork of midstream. RHOAI release branches follow pattern rhoai-X.Y.",
+          "repo_type": "downstream",
+          "cve_fix_workflow": {
+            "primary_target": "main",
+            "backport_targets": "rhoai-3.3, rhoai-3.4, rhoai-3.4-ea.1, rhoai-3.4-ea.2"
+          }
+        },
+        "red-hat-data-services/llama-stack-provider-trustyai-garak": {
+          "github_url": "https://github.com/red-hat-data-services/llama-stack-provider-trustyai-garak",
+          "default_branch": "main",
+          "active_release_branches": [
+            "rhoai-3.3",
+            "rhoai-3.4",
+            "rhoai-3.4-ea.1",
+            "rhoai-3.4-ea.2"
+          ],
+          "branch_strategy": "Fork of midstream. RHOAI release branches follow pattern rhoai-X.Y.",
+          "repo_type": "downstream",
+          "cve_fix_workflow": {
+            "primary_target": "main",
+            "backport_targets": "rhoai-3.3, rhoai-3.4, rhoai-3.4-ea.1, rhoai-3.4-ea.2"
+          }
+        },
+        "red-hat-data-services/trustyai-service-operator": {
+          "github_url": "https://github.com/red-hat-data-services/trustyai-service-operator",
+          "default_branch": "main",
+          "active_release_branches": [
+            "rhoai-3.3",
+            "rhoai-3.4",
+            "rhoai-3.4-ea.1",
+            "rhoai-3.4-ea.2"
+          ],
+          "branch_strategy": "Fork of midstream. RHOAI release branches follow pattern rhoai-X.Y.",
+          "repo_type": "downstream",
+          "cve_fix_workflow": {
+            "primary_target": "main",
+            "backport_targets": "rhoai-3.3, rhoai-3.4, rhoai-3.4-ea.1, rhoai-3.4-ea.2"
+          }
         }
       }
     }