release-import optional reference_policy, payload tags, Source digest wait

[deepsm007]

cc @Prucek @openshift/test-platform

[openshift-merge-bot]

Pipeline controller notification
This repo is configured to use the pipeline controller. Second-stage tests will be triggered either automatically or after lgtm label is added, depending on the repository configuration. The pipeline controller will automatically detect which contexts are required and will utilize /test Prow commands to trigger the second stage.

For optional jobs, comment /test ? to see a list of all defined jobs. To trigger manually all jobs from second stage use /pipeline required command.

This repository is configured in: automatic mode

[coderabbitai]

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

• @coderabbitai resume to resume automatic reviews.
• @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

• ▶️ Resume reviews
• 🔍 Trigger review

📝 Walkthrough

Walkthrough

This PR introduces a top-level reference_policy field on unresolved releases, enabling users to specify whether imported payload tags resolve as Local or Source independent of integration-level configuration. The change includes CRD schema updates, struct field additions, policy resolution logic with precedence rules, signature updates to ImportReleaseStep, helpers for spec-tag-based exact pullspec resolution, and comprehensive validation and test coverage.

Changes

Unresolved Release Reference Policy

Layer / File(s)	Summary
Data Shape pkg/api/ephemeralcluster/v1/ci.openshift.io_ephemeralclusters.yaml, pkg/api/types.go	CRD schema description updated for spec.ciOperator.releases[*].integration.reference_policy. UnresolvedRelease struct gains optional ReferencePolicy field of type *imagev1.TagReferencePolicyType with JSON serialization key reference_policy,omitempty.
Validation pkg/validation/release.go, pkg/validation/release_test.go	New validateUnresolvedReleaseReferencePolicy enforces that reference_policy (when set) is Local or Source, and errors when both reference_policy and integration.reference_policy are set. Test coverage added for valid values, invalid values, and mutual-exclusivity conflicts.
Policy Resolution pkg/defaults/defaults.go	Release image import logic derives importReferencePolicy from UnresolvedRelease.ReferencePolicy with fallback to Integration.ReferencePolicy. For "initial/latest" tag-specific releases, per-tag ReferencePolicy is extracted and used with a default of SourceTagReferencePolicy. Cluster-claim imports switch to empty TagReferencePolicyType("").
Import Step Refactoring pkg/steps/release/import_release.go, pkg/steps/release/import_release_policy_test.go	ImportReleaseStep signature updated so referencePolicy parameter becomes a pointer (*imagev1.TagReferencePolicyType). New helpers payloadTagImpliesSource and mergedPayloadReferencePolicy compute effective per-tag reference policies during stable imagestream tag merging. Import timeout expanded to ReleasePayloadImportTimeout. CLI tag reference-policy selection now uses unset-aware logic.
Image Resolution Utilities pkg/steps/utils/image.go, pkg/steps/utils/image_test.go, pkg/util/imagestream.go, pkg/util/imagestream_test.go	ImageDigestFor gains early-resolution path via util.ResolvePullSpec before registry-based digest derivation. New constant ReleasePayloadImportTimeout exported. ResolvePullSpec extended to support spec-tag-driven digest pullspec resolution with helpers (findSpecTagReference, digestOnlyResolutionAllowed, sourceImportNotFailed, tagImportExplicitSuccess, digestPullSpecFromSpecTag) that gate digest resolution on policy type, import condition, and import mode. Test coverage expanded to validate source/local/unset policy behaviors and condition-based resolution gating.
Multi-stage Integration pkg/steps/multi_stage/gen.go, pkg/steps/multi_stage/init_test.go	generatePods now resolves step images via new resolveStepImage helper, which performs OpenShift ImageStream lookup for release streams using controller-runtime client and ResolvePullSpec, falling back to stream:tag when imagestream is absent or exact resolution unavailable. Test scheme registration updated to include imagev1 types.

🎯 4 (Complex) | ⏱️ ~60 minutes

🚥 Pre-merge checks | ✅ 10 | ❌ 4

❌ Failed checks (3 warnings, 1 inconclusive)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 16.13% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.
Go Error Handling	⚠️ Warning	PR fails Go error handling checks. context.TODO() used without deadline in pkg/steps/multi_stage/gen.go line 303 and pkg/steps/utils/image.go line 31, violating context management patterns.	Replace context.TODO() with context.WithTimeout() in both imagestream Get() calls to prevent indefinite blocking on API server stalls.
Test Coverage For New Features	⚠️ Warning	New functionality lacks adequate test coverage: resolveStepImage() has no tests; defaults.go logic changes (15+ lines) are untested; stable tag mutation not tested despite review flags.	Add unit tests for resolveStepImage(); test importReferencePolicy derivation in defaults; add test cases for stable tag merging behavior flagged in review comments.
Test Structure And Quality	❓ Inconclusive	The check targets Ginkgo test code but the PR contains only standard Go tests using testing.T and table-driven patterns with t.Run subtests. No Ginkgo tests (Describe/Context/It) exist in the PR.	Check not applicable. This is designed for Ginkgo test files, but PR contains only standard Go tests. Verify with Ginkgo-specific PRs.

✅ Passed checks (10 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately reflects the main changes: adding optional reference_policy support for unresolved releases, implementing payload tag merging logic, and extending import timeout for Source policy.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names	✅ Passed	All test names in modified/new test files are stable and deterministic with no dynamic information found in test titles. No generated IDs, timestamps, or resource names present.
Microshift Test Compatibility	✅ Passed	No new Ginkgo e2e tests added. PR contains only standard Go unit tests (using testing.T), which are not subject to the MicroShift compatibility check. The check is not applicable.
Single Node Openshift (Sno) Test Compatibility	✅ Passed	No Ginkgo e2e tests added. All new test files use standard Go testing.T package for unit testing. Check not applicable to ci-tools unit test suite.
Topology-Aware Scheduling Compatibility	✅ Passed	PR modifies Go test orchestration code and API types only. No deployment manifests, operator code, scheduling constraints, affinity rules, or topology-based assumptions are introduced.
Ote Binary Stdout Contract	✅ Passed	No OTE Binary Stdout Contract violations found. No fmt.Print/klog writes at process level, clean package initializers, and safe test init() functions.
Ipv6 And Disconnected Network Test Compatibility	✅ Passed	No new Ginkgo e2e tests are added in this PR. All test additions are standard Go unit tests (using testing.T), not Ginkgo framework tests. The custom check is not applicable.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: deepsm007

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS [deepsm007]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[coderabbitai]

Actionable comments posted: 3

🧹 Nitpick comments (1)

pkg/steps/release/import_release.go (1)

546-549: 💤 Low value

Empty TagReference in spec may be ineffective.

Line 548 creates an ImageStream with Tags: []imagev1.TagReference{{ReferencePolicy: ...}} — a TagReference with no Name field. This tag won't match any subsequent tag operations since the actual cli/latest tag is created separately via ImageStreamTag. The empty entry appears unused.

Consider either removing the Tags field from the spec (since the real tag is patched via ImageStreamTag) or providing the full tag definition here.

💡 Suggested simplification

 		overrideIS := &imagev1.ImageStream{
 			ObjectMeta: metav1.ObjectMeta{Name: overrideCLIStreamName, Namespace: s.jobSpec.Namespace()},
-			Spec:       imagev1.ImageStreamSpec{LookupPolicy: imagev1.ImageLookupPolicy{Local: true}, Tags: []imagev1.TagReference{{ReferencePolicy: imagev1.TagReferencePolicy{Type: s.overrideCLIReferencePolicy()}}}},
+			Spec:       imagev1.ImageStreamSpec{LookupPolicy: imagev1.ImageLookupPolicy{Local: true}},
 		}

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@pkg/steps/release/import_release.go` around lines 546 - 549, The ImageStream
constructed as overrideIS includes a TagReference with no Name (Tags:
[]imagev1.TagReference{{ReferencePolicy: ...}}) which is ineffective; either
remove the Tags field from the ImageStream spec entirely (since you create/patch
the tag via ImageStreamTag elsewhere) or populate the TagReference.Name (e.g.
"latest" or the actual cli tag) so it matches the ImageStreamTag operations;
update the overrideIS creation (and references to overrideCLIStreamName and
overrideCLIReferencePolicy()) accordingly.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@pkg/api/types.go`:
- Around line 348-353: The comment for ReferencePolicy on the struct is
inaccurate: ReferencePolicy is a single field of type
imagev1.TagReferencePolicyType serialized as reference_policy with values
"Local" or "Source", not a nested object with referencePolicy.type; update the
comment on ReferencePolicy in pkg/api/types.go to describe the actual shape
(e.g., "ReferencePolicy is serialized as reference_policy and must be either
Local or Source; when unset behavior is ..."), remove any mention of
referencePolicy.type, and ensure the wording clarifies interaction with
integration.reference_policy and inference behavior so generated docs/CRDs
reflect the real config shape.

In `@pkg/defaults/defaults.go`:
- Around line 152-155: The code only forwards
resolveConfig.Integration.ReferencePolicy into AssembleReleaseStep via
importReferencePolicy, which ignores a per-release override at
resolveConfig.ReferencePolicy; change the logic that sets importReferencePolicy
(and the analogous block around lines 166-175) to prefer
resolveConfig.ReferencePolicy when non-nil and fall back to
resolveConfig.Integration.ReferencePolicy otherwise, then pass that resulting
importReferencePolicy into AssembleReleaseStep so
releases.<name>.reference_policy is honored.

In `@pkg/util/imagestream.go`:
- Around line 42-43: The helper sourcePolicyAllowsDigestOnlyStatus currently
treats an empty policy as equivalent to Source, causing ResolvePullSpec(...,
true) to take digest-only success for tags without Source hints; change
sourcePolicyAllowsDigestOnlyStatus to return true only when policy ==
imageapi.SourceTagReferencePolicy (remove the policy == "" branch) and ensure
any logic in ResolvePullSpec that relies on digest-only behavior also verifies
the tag itself carries Source hints (e.g., reference:true or PreserveOriginal)
before accepting digest-only resolution.

---

Nitpick comments:
In `@pkg/steps/release/import_release.go`:
- Around line 546-549: The ImageStream constructed as overrideIS includes a
TagReference with no Name (Tags: []imagev1.TagReference{{ReferencePolicy: ...}})
which is ineffective; either remove the Tags field from the ImageStream spec
entirely (since you create/patch the tag via ImageStreamTag elsewhere) or
populate the TagReference.Name (e.g. "latest" or the actual cli tag) so it
matches the ImageStreamTag operations; update the overrideIS creation (and
references to overrideCLIStreamName and overrideCLIReferencePolicy())
accordingly.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: b3fc7350-5faa-4570-ba20-b9ceef9e4c11

📥 Commits

Reviewing files that changed from the base of the PR and between b1cad87 and b7fbc24.

⛔ Files ignored due to path filters (2)

• pkg/api/zz_generated.deepcopy.go is excluded by !**/zz_generated*
• pkg/webreg/zz_generated.ci_operator_reference.go is excluded by !**/zz_generated*

📒 Files selected for processing (11)

• pkg/api/ephemeralcluster/v1/ci.openshift.io_ephemeralclusters.yaml
• pkg/api/types.go
• pkg/defaults/defaults.go
• pkg/steps/release/import_release.go
• pkg/steps/release/import_release_policy_test.go
• pkg/steps/utils/image.go
• pkg/steps/utils/image_test.go
• pkg/util/imagestream.go
• pkg/util/imagestream_test.go
• pkg/validation/release.go
• pkg/validation/release_test.go

[deepsm007]

/test e2e

[deepsm007]

/unhold

[deepsm007]

/test e2e

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@pkg/util/imagestream.go`:
- Around line 142-149: The code treats any non-empty item.DockerImageReference
as an exact pullSpec; make it defensive by checking that the chosen ref is
digest-based before assigning pullSpec: when evaluating the branch in
requireExact && digestOnlyResolutionAllowed(specTag, specRefPolicy) &&
item.Image == "" && sourceImportNotFailed(tags.Conditions), only accept
item.DockerImageReference if it contains the digest marker (e.g.
strings.Contains(item.DockerImageReference, "@sha256:")); if that check fails,
fall back to dockerDigestPullSpecFromSpecTag(is, tag) as before and only set
pullSpec when the resulting ref is digest-based. Ensure checks reference the
existing symbols item.DockerImageReference, dockerDigestPullSpecFromSpecTag,
pullSpec, requireExact, digestOnlyResolutionAllowed, specTag, specRefPolicy, and
sourceImportNotFailed.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: a864064e-4692-4163-b349-e84ae2b1c6dd

📥 Commits

Reviewing files that changed from the base of the PR and between b7fbc24 and f5ace28.

⛔ Files ignored due to path filters (2)

• pkg/api/zz_generated.deepcopy.go is excluded by !**/zz_generated*
• pkg/webreg/zz_generated.ci_operator_reference.go is excluded by !**/zz_generated*

📒 Files selected for processing (14)

• pkg/api/ephemeralcluster/v1/ci.openshift.io_ephemeralclusters.yaml
• pkg/api/reference_policy.go
• pkg/api/types.go
• pkg/defaults/defaults.go
• pkg/steps/multi_stage/gen.go
• pkg/steps/multi_stage/image_resolution_test.go
• pkg/steps/release/import_release.go
• pkg/steps/release/import_release_policy_test.go
• pkg/steps/utils/image.go
• pkg/steps/utils/image_test.go
• pkg/util/imagestream.go
• pkg/util/imagestream_test.go
• pkg/validation/release.go
• pkg/validation/release_test.go

✅ Files skipped from review due to trivial changes (4)

• pkg/api/reference_policy.go
• pkg/api/types.go
• pkg/api/ephemeralcluster/v1/ci.openshift.io_ephemeralclusters.yaml
• pkg/steps/utils/image_test.go

🚧 Files skipped from review as they are similar to previous changes (4)

• pkg/validation/release_test.go
• pkg/validation/release.go
• pkg/steps/utils/image.go
• pkg/defaults/defaults.go

[coderabbitai]

Actionable comments posted: 3

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@pkg/steps/multi_stage/gen.go`:
- Around line 301-307: The imagestream lookup uses context.TODO() which can
block indefinitely; replace it with a bounded context (e.g., ctx, cancel :=
context.WithTimeout(context.Background(), <reasonableDuration>) and defer
cancel()) when calling s.client.Get for the imagev1.ImageStream, ensure you pass
that ctx to s.client.Get (the same call that uses key and is), and add "time" to
the imports; choose a sensible timeout (e.g., 15-30s) and propagate/cancel the
context to avoid leaks.
- Around line 102-105: The current logic in gen.go lets a transient
s.resolveStepImage(stream, tag) error (resolveErr) skip the entire step by
appending resolveErr to errs and continuing; instead implement a "fail-open"
fallback: when resolveErr is non-nil, log or record the resolution error but set
the step's image to the original stream:tag (use resolvedImage = stream + ":" +
tag or the same variable used downstream) and proceed rather than appending to
errs/continuing. Update the handling around resolvedImage/resolveErr so
downstream code uses the fallback image when resolution fails, and only treat it
as fatal if other validation later indicates a real problem.

In `@pkg/steps/release/import_release.go`:
- Around line 243-250: The loop over stable.Spec.Tags is reapplying
mergedPayloadReferencePolicy and setting ImportModePreserveOriginal to tags that
were not part of the imported payload, mutating unrelated existing tags; fix by
distinguishing tags that come from the imported payload versus existing retained
tags and only apply mergedPayloadReferencePolicy (and set
t.ImportPolicy.ImportMode = imagev1.ImportModePreserveOriginal) for tags known
to be from the imported payload. Concretely, in the loop that iterates
stable.Spec.Tags (and uses existing.Has/Insert and appends to tags), check
membership against the imported-payload tag set (create/use a payloadTags set
built from the payload import) and if the tag is not in payloadTags, append the
original tag unchanged and continue; only call mergedPayloadReferencePolicy and
mutate ImportPolicy for tags present in payloadTags (and that are newly
inserted).

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: a50e2f7a-5d5d-4ee1-95f9-fb8d632da60d

📥 Commits

Reviewing files that changed from the base of the PR and between fb3cbbc and b635685.

⛔ Files ignored due to path filters (2)

• pkg/api/zz_generated.deepcopy.go is excluded by !**/zz_generated*
• pkg/webreg/zz_generated.ci_operator_reference.go is excluded by !**/zz_generated*

📒 Files selected for processing (13)

• pkg/api/ephemeralcluster/v1/ci.openshift.io_ephemeralclusters.yaml
• pkg/api/types.go
• pkg/defaults/defaults.go
• pkg/steps/multi_stage/gen.go
• pkg/steps/multi_stage/init_test.go
• pkg/steps/release/import_release.go
• pkg/steps/release/import_release_policy_test.go
• pkg/steps/utils/image.go
• pkg/steps/utils/image_test.go
• pkg/util/imagestream.go
• pkg/util/imagestream_test.go
• pkg/validation/release.go
• pkg/validation/release_test.go

✅ Files skipped from review due to trivial changes (4)

• pkg/api/ephemeralcluster/v1/ci.openshift.io_ephemeralclusters.yaml
• pkg/api/types.go
• pkg/steps/utils/image.go
• pkg/steps/release/import_release_policy_test.go

🚧 Files skipped from review as they are similar to previous changes (2)

• pkg/util/imagestream_test.go
• pkg/steps/utils/image_test.go

[deepsm007]

/test e2e

[openshift-merge-bot]

Tests from second stage were triggered manually. Pipeline can be controlled only manually, until HEAD changes. Use command to trigger second stage.

[openshift-ci]

@deepsm007: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/breaking-changes	fd18bcc	link	false	/test breaking-changes

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

[openshift-merge-bot]

Tests from second stage were triggered manually. Pipeline can be controlled only manually, until HEAD changes. Use command to trigger second stage.

[deepsm007]

/hold