fix: spec-first official ocp input import for 4.11–4.22

[deepsm007]

Official ocp/4.11–4.22 inputs resolve from stable: in the job ns, then spec/status @sha256 on the source IS, with LocalTagReferencePolicy for pipeline tags. Legacy streams (4.23, 5.0) keep quay-proxy + Source policy.

https://prow.ci.openshift.org/view/gs/test-platform-results/logs/openshift-api-2854-openshift-installer-10566-openshift-origin-31211-openshift-machine-config-operator-6076-ci-5.0-e2e-aws-ovn-techpreview-serial-3of3/2060029597415641088#1:build-log.txt%3A150-157

dependent on #5216
/hold

[openshift-merge-bot]

Pipeline controller notification
This repo is configured to use the pipeline controller. Second-stage tests will be triggered either automatically or after lgtm label is added, depending on the repository configuration. The pipeline controller will automatically detect which contexts are required and will utilize /test Prow commands to trigger the second stage.

For optional jobs, comment /test ? to see a list of all defined jobs. To trigger manually all jobs from second stage use /pipeline required command.

This repository is configured in: automatic mode

[coderabbitai]

📝 Walkthrough

Walkthrough

This PR introduces official OCP image resolution utilities and integrates them into the InputImageTagStep, then applies similar optimizations to SnapshotStream. Reference policy (source vs. local tag) is now computed per-case and applied consistently. All three affected steps now support consolidated Quay promotion semantics with stable image precedence.

Changes

Official image resolution and reference policy handling

Layer / File(s)	Summary
Official image resolution utilities pkg/steps/utils/image.go	ImageDigestFor validates spec-tag existence via a new hasSpecTag helper. findSpecTag is exported as FindSpecTag with clarified docs. New OfficialImageTagFrom resolves source references from ImageStream spec/status with Quay fallback. New ResolveOfficialInputFrom checks official-image applicability, resolves stable tags, or loads source ImageStreams.
Official image utilities test coverage pkg/steps/utils/image_test.go	Imports extended for runtime and api packages. TestResolveOfficialInputFrom validates resolution across spec-based Docker, spec-based ImageStreamImage, Quay fallback, and stable-first scenarios. TestImageDigestForSpecTagWithoutFrom and TestImageDigestForMissingTag verify ImageDigestFor error and digest computation.
InputImageTagStep official import integration pkg/steps/input_image_tag.go	Inputs() calls new resolveOfficialImport() helper for non-external, non-cluster-bot cases. run() precomputes from, refPolicy, and sourcePullSpec across external-image, cluster-bot, and official-import branches. ImageStreamTag creation now uses computed policy and from. TagImportEvent records sourcePullSpec instead of objectReferenceName.
InputImageTagStep integration tests pkg/steps/input_image_tag_test.go	TestInputImageTagStepOfficialSpec validates OCP ImageStreamTagReference with digest pull spec creates pipeline ImageStreamTag with LocalTagReferencePolicy. TestInputImageTagStepLegacyStream validates legacy Quay input uses SourceTagReferencePolicy with preserved import. TestInputImageTagStepStableFirst validates stable tag precedence with LocalTagReferencePolicy.
SnapshotStream source ImageStream optimization pkg/steps/release/snapshot.go	snapshotStream resolves source ImageStream once into a shared variable instead of per-tag fetches. For non-cluster-bot operation, source is conditionally fetched outside the loop. For cluster-bot operation, source is lazily fetched inside the loop only when needed and reused across tags.

---

🎯 3 (Moderate) | ⏱️ ~25 minutes

🚥 Pre-merge checks | ✅ 13 | ❌ 4

❌ Failed checks (4 warnings)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 31.58% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.
Go Error Handling	⚠️ Warning	Line 132 of pkg/steps/input_image_tag.go returns a fmt.Errorf without wrapping the captured error with %w, violating error context preservation.	Change line 132 to include : %w, err in the fmt.Errorf call to wrap the underlying error from waitForTagInSpec().
Test Coverage For New Features	⚠️ Warning	snapshot.go's refactored snapshotStream function (lines 85-117) lacks test coverage for control flow changes and official resolution logic despite new branching logic.	Add unit tests for snapshotStream covering: prefetch vs lazy-fetch logic, consolidated official resolution, and error cases per code review feedback.
Test Structure And Quality	⚠️ Warning	PR adds tests for input_image_tag and utils/image functions but lacks test coverage for refactored source-resolution branches in snapshot.go (lines 85-117), as noted in review comments.	Add unit tests for the refactored snapshotStream function to cover the modified control-flow paths (prefetch vs lazy fetch for source ImageStream resolution).

✅ Passed checks (13 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title accurately describes the main change: fixing official OCP input import behavior for specific Kubernetes versions (4.11–4.22) by implementing spec-first resolution with stable tag precedence.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names	✅ Passed	The PR contains only standard Go testing.T tests, not Ginkgo tests. The custom check for Ginkgo test stability does not apply.
Microshift Test Compatibility	✅ Passed	PR adds only standard Go unit tests, not Ginkgo e2e tests. No Ginkgo imports or patterns (It, Describe, Context, When) found. Custom check not applicable.
Single Node Openshift (Sno) Test Compatibility	✅ Passed	PR adds only unit tests (testing.T), not Ginkgo e2e tests. Custom check applies only to new Ginkgo e2e tests (It, Describe, Context, When); unit tests are outside scope.
Topology-Aware Scheduling Compatibility	✅ Passed	PR modifies CI tool image import logic, not deployment manifests or operator code. No pod scheduling constraints or topology assumptions introduced.
Ote Binary Stdout Contract	✅ Passed	All modified production files are library packages (steps, release, utils) with no process-level code, stdout writes, or unredirected logging that would violate OTE Binary Stdout Contract.
Ipv6 And Disconnected Network Test Compatibility	✅ Passed	No Ginkgo e2e tests were added in this PR. All new tests are standard Go unit tests (testing.T) without Ginkgo syntax or imports. Check does not apply.
No-Weak-Crypto	✅ Passed	No weak crypto (MD5, SHA1, DES, RC4, 3DES, Blowfish, ECB), custom crypto, or insecure secret comparisons found in modified files.
Container-Privileges	✅ Passed	PR contains only Go source code files (input_image_tag.go, snapshot.go, image.go and tests). No Kubernetes/container manifests or privilege escalation configurations found.
No-Sensitive-Data-In-Logs	✅ Passed	All logging statements only expose non-sensitive data: image references, pull specs, namespace/tag names, and status messages. No passwords, tokens, keys, PII, or credentials are logged.
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (2)

pkg/steps/input_image_tag_test.go (1)

255-309: 💤 Low value

Consider adding examineStep to verify Inputs() return value for stable-first scenario.

Unlike TestInputImageTagStepOfficialSpec and TestInputImageTagStepLegacyStream, this test doesn't call examineStep to validate the Inputs() behavior. For stable-first resolution, Inputs() returns "target-namespace/stable:cli" as the input definition—verifying this matches expectations would strengthen coverage.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@pkg/steps/input_image_tag_test.go` around lines 255 - 309,
TestInputImageTagStepStableFirst is missing a call to examineStep to assert the
Inputs() return for the stable-first case; add an examineStep invocation against
the created step (iits) before executeStep that checks iits.Inputs() (or
Inputs()) returns the expected input definition "target-namespace/stable:cli"
(matching jobspec.Namespace() + "/stable:cli") so this test validates the
Inputs() behavior like the other tests (e.g.,
TestInputImageTagStepOfficialSpec).

pkg/steps/input_image_tag.go (1)

86-111: 💤 Low value

Consider caching all resolveOfficialImport results to avoid duplicate API calls.

resolveOfficialImport is called in both Inputs() (line 64) and run() (line 107). Each call invokes ResolveOfficialInputFrom, which performs Get operations against the cluster for stable/source ImageStreams. Since Inputs() only stores pullSpec in s.imageName, run() must call again to get from and refPolicy.

Could cache all four return values in struct fields during the first call.

Also applies to: 157-171

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@pkg/steps/input_image_tag.go` around lines 86 - 111, Cache the results of
resolveOfficialImport to avoid duplicate cluster API calls: add struct fields on
the step (e.g., cachedFrom *coreapi.ObjectReference, cachedRefPolicy
imagev1.TagReferencePolicyType, cachedSourcePullSpec string, cachedResolveErr
error) and change Inputs() and run() to call a small helper (or
resolveOfficialImport wrapper) that returns the cached values if present,
otherwise calls resolveOfficialImport once, stores
from/refPolicy/sourcePullSpec/error into those fields (and sets s.imageName =
sourcePullSpec if needed) and returns them; update both calls
(resolveOfficialImport usage in Inputs() and in run(), and the other occurrence
around the 157-171 region) to use the cached fields so subsequent invocations
reuse the stored from/refPolicy/sourcePullSpec instead of performing additional
Get operations.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@pkg/steps/release/snapshot.go`:
- Around line 85-91: Add unit tests covering the refactored source-resolution
branches around the source imagestream handling: create table-driven tests for
the code path that checks api.IsCreatedForClusterBotJob(sourceNamespace) (test
both true — where no client.Get call should occur and source remains nil — and
false — where client.Get is invoked and you assert success and failure
behaviors), plus tests exercising the prefetch vs lazy-fetch and the
consolidated official-resolution behavior that follow this block; target the
function containing the source variable and client.Get call (the snapshot/stream
resolution code in pkg/steps/release/snapshot.go) and use a fake
ctrlruntimeclient to simulate Get returning the ImageStream or an error so
regression cases fail without the fix.

---

Nitpick comments:
In `@pkg/steps/input_image_tag_test.go`:
- Around line 255-309: TestInputImageTagStepStableFirst is missing a call to
examineStep to assert the Inputs() return for the stable-first case; add an
examineStep invocation against the created step (iits) before executeStep that
checks iits.Inputs() (or Inputs()) returns the expected input definition
"target-namespace/stable:cli" (matching jobspec.Namespace() + "/stable:cli") so
this test validates the Inputs() behavior like the other tests (e.g.,
TestInputImageTagStepOfficialSpec).

In `@pkg/steps/input_image_tag.go`:
- Around line 86-111: Cache the results of resolveOfficialImport to avoid
duplicate cluster API calls: add struct fields on the step (e.g., cachedFrom
*coreapi.ObjectReference, cachedRefPolicy imagev1.TagReferencePolicyType,
cachedSourcePullSpec string, cachedResolveErr error) and change Inputs() and
run() to call a small helper (or resolveOfficialImport wrapper) that returns the
cached values if present, otherwise calls resolveOfficialImport once, stores
from/refPolicy/sourcePullSpec/error into those fields (and sets s.imageName =
sourcePullSpec if needed) and returns them; update both calls
(resolveOfficialImport usage in Inputs() and in run(), and the other occurrence
around the 157-171 region) to use the cached fields so subsequent invocations
reuse the stored from/refPolicy/sourcePullSpec instead of performing additional
Get operations.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 97408c05-2078-4eed-9b7d-c2c29be2a48b

📥 Commits

Reviewing files that changed from the base of the PR and between 7b6e7b8 and dc4401b.

📒 Files selected for processing (5)

• pkg/steps/input_image_tag.go
• pkg/steps/input_image_tag_test.go
• pkg/steps/release/snapshot.go
• pkg/steps/utils/image.go
• pkg/steps/utils/image_test.go

[coderabbitai]

🛠️ Refactor suggestion | 🟠 Major | ⚡ Quick win

Add regression coverage for the refactored source-resolution branches.

The logic at Line 85 through Line 117 changed control flow (prefetch vs lazy fetch + consolidated official resolution), but no corresponding snapshot-stream test changes are present here. Please add/point to tests that cover these branches to prevent silent behavior drift.

As per coding guidelines, "New or modified functionality should include test coverage. New Go functions and methods should have corresponding unit tests. Bug fixes should include a regression test that fails without the fix. Pure functions should always be tested. Prefer table-driven tests."

Also applies to: 98-103, 109-117

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@pkg/steps/release/snapshot.go` around lines 85 - 91, Add unit tests covering
the refactored source-resolution branches around the source imagestream
handling: create table-driven tests for the code path that checks
api.IsCreatedForClusterBotJob(sourceNamespace) (test both true — where no
client.Get call should occur and source remains nil — and false — where
client.Get is invoked and you assert success and failure behaviors), plus tests
exercising the prefetch vs lazy-fetch and the consolidated official-resolution
behavior that follow this block; target the function containing the source
variable and client.Get call (the snapshot/stream resolution code in
pkg/steps/release/snapshot.go) and use a fake ctrlruntimeclient to simulate Get
returning the ImageStream or an error so regression cases fail without the fix.

[deepsm007]

/hold for dependent PR to merge

[danilo-gemoli]

/lgtm

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: danilo-gemoli, deepsm007

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS [danilo-gemoli,deepsm007]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[openshift-merge-bot]

Scheduling tests matching the pipeline_run_if_changed or not excluded by pipeline_skip_if_only_changed parameters:
/test e2e

[openshift-ci]

@deepsm007: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/e2e	dc4401b	link	true	/test e2e

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

[deepsm007]

/test e2e

[deepsm007]

/unhold