• Derive the bundle image repo name from the create-release fbc_dir input.
• Configure Podman registry mirroring to work for any operator bundle, not just rhtas.
• Remove the stale rhtas-operator-bundle-v1-3 mirror entry.

graph TD
  A["create-release workflow"] --> B["Input: fbc_dir"] --> C["Set BUNDLE_REPO"] --> D["Write registries.conf"] --> G["opm render uses mirror"]
  D --> E[("registry.redhat.io")]
  D --> F[("quay.io")]

Loading

The following are alternative approaches to this PR:

1. Add explicit `bundle_repo` workflow input

• ➕ Avoids relying on naming conventions like ${fbc_dir}-bundle
• ➕ More flexible if repo naming diverges in the future
• ➖ Adds another required/optional input to maintain and document
• ➖ Increases operator for workflow users (more parameters to set correctly)

2. Maintain a hardcoded mapping table (fbc_dir → bundle repo)

• ➕ Most robust when names are inconsistent
• ➕ Allows special-casing without changing calling conventions
• ➖ Requires ongoing updates as new operators are added
• ➖ Easy to forget to update, reintroducing the same failure mode

Recommendation: The current approach (derive BUNDLE_REPO from fbc_dir) is the best default given existing conventions: it generalizes the mirror configuration to all operators without introducing new inputs or brittle mapping tables. If naming is expected to diverge, consider adding an explicit bundle_repo input as a future-proof extension.

Bug fix (1) +7 / -7

create-release.yamlDerive bundle repo name and make registry mirror dynamic +7/-7

Derive bundle repo name and make registry mirror dynamic

• Updates the Podman registry mirror configuration to compute 'BUNDLE_REPO' from the 'fbc_dir' workflow input and mirror the corresponding 'registry.redhat.io/rhtas/<bundle>' prefix to 'quay.io/securesign/<bundle>'. Removes the stale '*-v1-3' mirror entry and updates the success message to include the derived repo.

.github/workflows/create-release.yaml

Description

The registry mirror is derived from fbc_dir, but the catalog rendering path uses bundle_image;
if the inputs diverge (including when only fbc_dir is changed from defaults), the mirror can point
at the wrong repo and opm may still try to pull an unmapped registry.redhat.io/... image and
fail.

Code

.github/workflows/create-release.yaml[R73-84]

+        env:
+          FBC_DIR: ${{ github.event.inputs.fbc_dir }}
        run: |
+          BUNDLE_REPO="${FBC_DIR}-bundle"
          mkdir -p ~/.config/containers
          cat <<EOF > ~/.config/containers/registries.conf
          [[registry]]
-          prefix = "registry.redhat.io/rhtas/rhtas-operator-bundle"
-          location = "registry.redhat.io/rhtas/rhtas-operator-bundle"
-
-          [[registry.mirror]]
-          location = "quay.io/securesign/rhtas-operator-bundle"
+          prefix = "registry.redhat.io/rhtas/${BUNDLE_REPO}"
+          location = "registry.redhat.io/rhtas/${BUNDLE_REPO}"

          [[registry.mirror]]
-          location = "quay.io/securesign/rhtas-operator-bundle-v1-3"
+          location = "quay.io/securesign/${BUNDLE_REPO}"

Relevance

⭐⭐⭐ High

Team previously changed create-release mirrors to prevent opm pull failures; this mismatch risks
same failures (PR296/256).

PR-#296
PR-#256

ⓘ Recommendations generated based on similar findings in past PRs

Evidence

registries.conf is built from FBC_DIR (BUNDLE_REPO="${FBC_DIR}-bundle"), but the downstream
rendering uses BUNDLE_IMAGE to update the graph and then runs opm on that graph; nothing
enforces the bundle_image repo matches the mirror target.

.github/workflows/create-release.yaml[14-30]
.github/workflows/create-release.yaml[72-106]
utils/configure_bundles.sh[8-15]
utils/render_catalog.sh[32-33]

Agent prompt

The issue below was found during a code review. Follow the provided context and guidance below and implement a solution

### Issue description
The workflow configures `registries.conf` based on `${{ github.event.inputs.fbc_dir }}`, but the bundles that `opm` renders are controlled by the independent `${{ github.event.inputs.bundle_image }}` input. If the repo embedded in `bundle_image` doesn’t match the repo derived from `fbc_dir`, the mirror won’t apply and `opm` can fail pulling bundles.

### Issue Context
- `bundle_image` defaults to `registry.redhat.io/rhtas/rhtas-operator-bundle@...`, while `fbc_dir` can be set to other operators.
- `utils/configure_bundles.sh` writes `BUNDLE_IMAGE` into the graph, and `utils/render_catalog.sh` renders the graph via `opm`.

### Fix Focus Areas
- Update mirror configuration to be based on `bundle_image` (parse repo name), OR add an explicit guard that `bundle_image` repo matches `${FBC_DIR}-bundle` and fail fast with a clear error.
- file/path[start_line-end_line]
 - .github/workflows/create-release.yaml[72-106]

ⓘ Copy this prompt and use it to remediate the issue with your preferred AI generation tools

Description

fbc_dir is a free-form workflow input and is interpolated into registries.conf without
validation/escaping; quotes/newlines or other unexpected characters can produce invalid TOML and
break image resolution for opm.

Code

.github/workflows/create-release.yaml[R73-85]

+        env:
+          FBC_DIR: ${{ github.event.inputs.fbc_dir }}
        run: |
+          BUNDLE_REPO="${FBC_DIR}-bundle"
          mkdir -p ~/.config/containers
          cat <<EOF > ~/.config/containers/registries.conf
          [[registry]]
-          prefix = "registry.redhat.io/rhtas/rhtas-operator-bundle"
-          location = "registry.redhat.io/rhtas/rhtas-operator-bundle"
-
-          [[registry.mirror]]
-          location = "quay.io/securesign/rhtas-operator-bundle"
+          prefix = "registry.redhat.io/rhtas/${BUNDLE_REPO}"
+          location = "registry.redhat.io/rhtas/${BUNDLE_REPO}"

          [[registry.mirror]]
-          location = "quay.io/securesign/rhtas-operator-bundle-v1-3"
+          location = "quay.io/securesign/${BUNDLE_REPO}"
          EOF

Relevance

⭐⭐ Medium

No historical evidence of validating/sanitizing workflow_dispatch inputs before writing
registries.conf; unclear if team enforces this.

PR-#256
PR-#296

ⓘ Recommendations generated based on similar findings in past PRs

Evidence

The workflow takes fbc_dir directly from workflow_dispatch inputs and uses it to construct TOML
strings inside a heredoc; there is no sanitization or validation before writing registries.conf.

.github/workflows/create-release.yaml[3-30]
.github/workflows/create-release.yaml[72-88]

Agent prompt

The issue below was found during a code review. Follow the provided context and guidance below and implement a solution

### Issue description
The workflow writes a TOML config file (`registries.conf`) using `${{ github.event.inputs.fbc_dir }}` without validating allowed characters. Malformed input (e.g., containing `"` or a newline) can make the generated TOML invalid, causing tooling using containers/image (like `opm`) to fail when reading registries configuration.

### Issue Context
`fbc_dir` is declared as a required `workflow_dispatch` input, but it is still user-provided and not constrained to a safe character set.

### Fix Focus Areas
- Add a validation step before writing `registries.conf`, e.g. enforce `^[a-z0-9][a-z0-9-]*$` and fail with a clear message.
- Optionally, derive `BUNDLE_REPO` via a whitelist mapping (known operators) to avoid relying on free-form input.
- file/path[start_line-end_line]
 - .github/workflows/create-release.yaml[3-30]
 - .github/workflows/create-release.yaml[72-88]

ⓘ Copy this prompt and use it to remediate the issue with your preferred AI generation tools