fix(image-updater): use short-SHA tag for clusters-service pin (AROSLSRE-954)#5418

Closed. hbhushan3 wants to merge 1 commit into main from fix-imageupdater

@hbhushan3 (Collaborator) commented May 27, 2026

https://issues.redhat.com/browse/AROSLSRE-954

What

Change the clusters-service pin in tooling/image-updater/config.yaml from the full 40-character git SHA to the 7-character short SHA that quay.io/app-sre/aro-hcp-clusters-service actually publishes:

-      tag: "dbb022a3dd3f0533ae1c8eebd4e6929ba1ca1ede" # pinned (AROSLSRE-944, unpin: AROSLSRE-946)
+      tag: "dbb022a" # pinned (AROSLSRE-944, unpin: AROSLSRE-946). Quay publishes 7-char short SHAs; full SHA is dbb022a3dd3f0533ae1c8eebd4e6929ba1ca1ede.
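
Review bot: On the added `tag: "dbb022a"` line, the full commit SHA now survives only in the trailing YAML comment, which no tool reads, so the pin itself no longer states which commit it means. A 7-character tag is mutable and is a prefix that more than one commit can share; if the config format allows it, record the expected digest next to the tag, and otherwise name in the comment the check (the vcs-ref label match, if it is enforced for this entry) that ties the short tag back to dbb022a3dd3f0533ae1c8eebd4e6929ba1ca1ede. The comment is also long enough to be worth moving onto its own line above the key.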

Why

PR #5371 pinned clusters-service to the full git SHA, but the upstream quay.io/app-sre/aro-hcp-clusters-service repository only publishes 7-character short-SHA tags (e.g. dbb022a, b8a87db, e2d2136). The full-SHA tag does not exist in quay, so every periodic image-updater run fails.

Failing prow job

periodic-ci-Azure-ARO-HCP-main-image-updater-image-updater-tooling/2059635834981715968 — 2026-05-27 14:32:49 UTC:

Before (current main)

[14:32:48.870] ERROR: command failed {
  "err": "failed to fetch latest value for clusters-service: failed to fetch image descriptor for tag dbb022a3dd3f0533ae1c8eebd4e6929ba1ca1ede: GET https://quay.io/v2/app-sre/aro-hcp-clusters-service/manifests/dbb022a3dd3f0533ae1c8eebd4e6929ba1ca1ede: MANIFEST_UNKNOWN: manifest unknown; map[]"
}
make[1]: *** [Makefile:25: update] Error 1
make: *** [Makefile:584: image-updater] Error 2

Direct podman pull of the full-SHA tag returns the same manifest unknown. Quay's UI confirms the repo only has the short-tag form dbb022a (9 days old, digest sha256:c7c3d1b499fb…, 149 MiB).

After (this PR)

$ AZURE_TOKEN_CREDENTIALS=dev ./image-updater update \
    --config config.yaml --components clusters-service --verbosity 2 --tags

[17:28:13.736] DEBUG+3: starting image updates { "totalImages": 1 }
[17:28:13.736] DEBUG+2: processing image {
  "name": "clusters-service",
  "source": "quay.io/app-sre/aro-hcp-clusters-service",
  "tag": "dbb022a"
}
[17:28:13.736] DEBUG+2: fetching digest for specific tag {
  "repository": "app-sre/aro-hcp-clusters-service",
  "tag": "dbb022a",
  "useAuth": true,
  "versionLabel": "vcs-ref"
}
[17:28:14.576] DEBUG+2: extracted version from label {
  "label": "vcs-ref",
  "tag": "dbb022a",
  "version": "dbb022a3dd3f0533ae1c8eebd4e6929ba1ca1ede"
}
[17:28:14.643] DEBUG+2: found matching image {
  "arch": "amd64",
  "digest": "sha256:c7c3d1b499fbc29760eda173fa1a8c4eb2cd2b0aa3a872c7fe3aacfc2ff8abe5",
  "repository": "app-sre/aro-hcp-clusters-service",
  "tag": "dbb022a"
}
[17:28:14.644] DEBUG+2: Current digest {
  "currentDigest": "sha256:c7c3d1b499fbc29760eda173fa1a8c4eb2cd2b0aa3a872c7fe3aacfc2ff8abe5",
  "name": "clusters-service"
}
[17:28:14.644] DEBUG+2: No update needed - digests match { "name": "clusters-service" }
[17:28:14.644] DEBUG+3: No updates to report {}

The short tag dbb022a resolves to digest sha256:c7c3d1b499fbc29760eda173fa1a8c4eb2cd2b0aa3a872c7fe3aacfc2ff8abe5 with vcs-ref label dbb022a3dd3f0533ae1c8eebd4e6929ba1ca1ede — the exact commit AROSLSRE-944 intended to pin, and the digest already present in config/config.yaml. No drift.

versionLabel: "vcs-ref" continues to validate the resolved image matches the intended full commit SHA, so the short-tag form is safe against accidental tag reuse.

Testing

  • AZURE_TOKEN_CREDENTIALS=dev ./image-updater update --config config.yaml --components clusters-service --verbosity 2 --tags succeeds and reports "No update needed — digests match".
  • podman pull quay.io/app-sre/aro-hcp-clusters-service:dbb022a resolves to the same digest currently in config/config.yaml.
  • make -C config detect-change passes.

Special notes for your reviewer

  • This is a one-line config fix to restore image-updater functionality. The underlying image and digest do not change.
  • Permanent unpin (tag: "latest") remains tracked in AROSLSRE-946 and is gated on openshift/hypershift#8610 merging and rolling out to int.
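
The check the description relies on (a short tag is only trusted when the image's vcs-ref label and digest match the intended commit), as an added example that is not image-updater's code or part of the original PR. `Pin`, `Resolved` and `check_pin` are hypothetical names; the REUSED and UNLABELED records are constructed, while the tag, commit and digest in PIN are the values quoted above.

```python
import re
from dataclasses import dataclass, field

FULL_SHA = re.compile(r"[0-9a-f]{40}")
DIGEST = re.compile(r"sha256:[0-9a-f]{64}")

@dataclass
class Pin:                      # hypothetical record of what the pin is meant to be
    tag: str                    # short-SHA tag the registry publishes
    commit: str                 # full git SHA the pin stands for
    digest: str                 # digest recorded when the pin was made

@dataclass
class Resolved:                 # hypothetical view of what the registry returned
    tag: str
    digest: str
    labels: dict = field(default_factory=dict)

def check_pin(pin, img, label="vcs-ref"):
    """Return the reasons the resolved image does not match the pin (empty = OK)."""
    problems = []
    if not FULL_SHA.fullmatch(pin.commit) or not pin.commit.startswith(pin.tag):
        problems.append("pin: tag is not a prefix of a full 40-char commit SHA")
    if img.tag != pin.tag:
        problems.append("image: resolved a different tag than the pin")
    if not DIGEST.fullmatch(img.digest):
        problems.append("image: malformed digest")
    ref = img.labels.get(label)
    if ref is None:
        problems.append(f"image: no {label} label, commit cannot be verified")
    elif ref != pin.commit:
        problems.append(f"image: {label} {ref} is not the pinned commit")
    if img.digest != pin.digest:
        problems.append("image: digest differs from the one recorded for the pin")
    return problems

# Tag, commit and digest below are the values quoted in the PR description.
PIN = Pin("dbb022a", "dbb022a3dd3f0533ae1c8eebd4e6929ba1ca1ede",
          "sha256:c7c3d1b499fbc29760eda173fa1a8c4eb2cd2b0aa3a872c7fe3aacfc2ff8abe5")
GOOD = Resolved("dbb022a", PIN.digest, {"vcs-ref": PIN.commit})
# Constructed: the short tag re-pushed for another commit sharing the 7-char prefix.
REUSED = Resolved("dbb022a", "sha256:" + "0" * 64, {"vcs-ref": "dbb022a" + "0" * 33})
# Constructed: right digest, but the image carries no vcs-ref label at all.
UNLABELED = Resolved("dbb022a", PIN.digest, {})

if __name__ == "__main__":
    for name, img in [("good", GOOD), ("reused", REUSED), ("unlabeled", UNLABELED)]:
        print(name, check_pin(PIN, img) or "OK")
```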

Copilot AI review requested due to automatic review settings May 27, 2026 21:21
@openshift-ci openshift-ci Bot requested review from raelga and tony-schndr May 27, 2026 21:22
Copilot AI (Contributor) left a comment

Pull request overview

Restores tooling/image-updater functionality by pinning clusters-service to the short-SHA tag format that the upstream Quay repository actually publishes, preventing periodic runs from failing due to a non-existent full-SHA tag.

Changes:

  • Update the clusters-service pinned tag from a 40-character SHA to the corresponding 7-character short SHA in tooling/image-updater/config.yaml.

@sclarkso (Collaborator) commented

/test e2e-parallel

@sclarkso (Collaborator) commented

/lgtm

@sclarkso (Collaborator) commented

/approve

openshift-ci Bot commented May 28, 2026

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: hbhushan3, sclarkso
Once this PR has been reviewed and has the lgtm label, please assign raelga for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@hbhushan3 hbhushan3 closed this May 28, 2026
@hbhushan3 (Collaborator, Author) commented

Superseded by #5382, which merged ~30 minutes before this PR was opened and unpinned clusters-service to tag: "latest" on main — fully resolving the prow MANIFEST_UNKNOWN failure via the permanent unpin path (the AROSLSRE-946 approach) rather than the short-tag pin proposed here.

Verified on main:

$ AZURE_TOKEN_CREDENTIALS=dev ./image-updater update --config config.yaml --components clusters-service --verbosity 2 --tags
[23:31:35.058] DEBUG+2: Update needed {
  "from": "sha256:449827838d1e8d19a442ca470c86acfc206628345b1a4dea47c57cbd4865b7c9",
  "name": "clusters-service",
  "to":   "sha256:0c972e54d66ec3f79cc69c93226cddfb173b9bed2cfe561261a4889d4f95ffbb"
}

Closing as no longer needed.
