Skip to content

OCPBUGS-65718: Fixes the test-integration when running on ppc64le and arm64#1431

Open
prb112 wants to merge 4 commits into
openshift:mainfrom
prb112:OCPBUGS-65718-multi-arch
Open

OCPBUGS-65718: Fixes the test-integration when running on ppc64le and arm64#1431
prb112 wants to merge 4 commits into
openshift:mainfrom
prb112:OCPBUGS-65718-multi-arch

Conversation

@prb112

@prb112 prb112 commented Jun 5, 2026

Copy link
Copy Markdown
Contributor

Description

Closed OCPBUGS-65718: multi-arch tests were not passing on ppc64le #1325 in favor of this PR.

This fixes the integration tests when running on non-x86 arches:

To test the multi-arch tests:

linux/ppc64le

$ podman build --platform linux/ppc64le -t test -f Dockerfile .
$ podman run --platform linux/ppc64le --rm --entrypoint="" -v ./:/src:Z --workdir /src localhost/test:latest go test -mod=readonly -tags "json1 exclude_graphdriver_devicemapper exclude_graphdriver_btrfs containers_image_openpgp libdm_no_deferred_remove" -count=1 ./internal/pkg/cli -run TestIntegrationRelease -v 2>&1

linux/arm64

$ podman build --platform linux/arm64 -t test -f Dockerfile .
$ podman run --platform linux/arm64 --rm --entrypoint="" -v ./:/src:Z --workdir /src localhost/test:latest go test -mod=readonly -tags "json1 exclude_graphdriver_devicemapper exclude_graphdriver_btrfs containers_image_openpgp libdm_no_deferred_remove" -count=1 ./internal/pkg/cli -run TestIntegrationRelease -v 2>&1

Github / Jira issue: OCPBUGS-65718

Type of change

Please delete options that are not relevant.

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to not work as expected)
  • Code Improvements (Refactoring, Performance, CI upgrades, etc)
  • Internal repo assets (diagrams / docs on github repo)
  • This change requires a documentation update on openshift docs

How Has This Been Tested?

Tested on multiple architectures

Expected Outcome

Expect test-integration to function correctly

Summary by CodeRabbit

  • Tests

    • More precise integration test selection using anchored test patterns to make integration runs more targeted and reliable.
  • Chores

    • Enhanced test utilities to enumerate all manifests of generated images and push per-manifest signature artifacts, improving coverage and validation of signed-image scenarios in integration tests.

prb112 added 2 commits June 5, 2026 15:04
Signed-off-by: Paul Bastide <pbastide@redhat.com>
Signed-off-by: Paul Bastide <pbastide@redhat.com>
@openshift-ci-robot openshift-ci-robot added jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. jira/invalid-bug Indicates that a referenced Jira bug is invalid for the branch this PR is targeting. labels Jun 5, 2026
@openshift-ci-robot

Copy link
Copy Markdown

@prb112: This pull request references Jira Issue OCPBUGS-65718, which is invalid:

  • expected the bug to target either version "5.0." or "openshift-5.0.", but it targets "4.21.z" instead

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

The bug has been updated to refer to the pull request using the external bug tracker.

Details

In response to this:

Description

Closed OCPBUGS-65718: multi-arch tests were not passing on ppc64le #1325 in favor of this PR.

This fixes the integration tests when running on non-x86 arches:

To test the multi-arch tests:

linux/ppc64le

$ podman build --platform linux/ppc64le -t test -f Dockerfile .
$ podman run --platform linux/ppc64le --rm --entrypoint="" -v ./:/src:Z --workdir /src localhost/test:latest go test -mod=readonly -tags "json1 exclude_graphdriver_devicemapper exclude_graphdriver_btrfs containers_image_openpgp libdm_no_deferred_remove" -count=1 ./internal/pkg/cli -run 'TestIntegrationReleaseM2M$' 2>&1
$ podman run --platform linux/ppc64le --rm --entrypoint="" -v ./:/src:Z --workdir /src localhost/test:latest go test -mod=readonly -tags "json1 exclude_graphdriver_devicemapper exclude_graphdriver_btrfs containers_image_openpgp libdm_no_deferred_remove" -count=1 ./internal/pkg/cli -run 'TestIntegrationRelease$' 2>&1

linux/arm64

$ podman build --platform linux/arm64 -t test -f Dockerfile .
$ podman run --platform linux/arm64 --rm --entrypoint="" -v ./:/src:Z --workdir /src localhost/test:latest go test -mod=readonly -tags "json1 exclude_graphdriver_devicemapper exclude_graphdriver_btrfs containers_image_openpgp libdm_no_deferred_remove" -count=1 ./internal/pkg/cli -run 'TestIntegrationReleaseM2M$' 2>&1
$ podman run --platform linux/arm64 --rm --entrypoint="" -v ./:/src:Z --workdir /src localhost/test:latest go test -mod=readonly -tags "json1 exclude_graphdriver_devicemapper exclude_graphdriver_btrfs containers_image_openpgp libdm_no_deferred_remove" -count=1 ./internal/pkg/cli -run 'TestIntegrationRelease$' 2>&1

Github / Jira issue: OCPBUGS-65718

Type of change

Please delete options that are not relevant.

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to not work as expected)
  • Code Improvements (Refactoring, Performance, CI upgrades, etc)
  • Internal repo assets (diagrams / docs on github repo)
  • This change requires a documentation update on openshift docs

How Has This Been Tested?

Tested on multiple architectures

Expected Outcome

Expect test-integration to function correctly

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@coderabbitai

coderabbitai Bot commented Jun 5, 2026

Copy link
Copy Markdown

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

  • @coderabbitai resume to resume automatic reviews.
  • @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

  • ▶️ Resume reviews
  • 🔍 Trigger review

Walkthrough

Adds manifest-digest discovery and per-manifest signature-image creation and pushes; integrates these into the test image generator to produce signatures for every manifest in component and release images; anchors integration test selection patterns in the Makefile.

Changes

Multi-manifest signature generation

Layer / File(s) Summary
Test selection anchoring
Makefile
test-integration target uses end-anchored regex patterns (TestIntegrationAdditional$$, TestIntegrationRelease$$) instead of unanchored patterns.
OCI mutate import
internal/testutils/testutils.go
Add go-containerregistry mutate (and related) imports used for converting images to OCI manifest/config media types.
Manifest digest discovery
internal/testutils/testutils.go
Add GetAllManifestDigests(imgRef string) ([]string, error) to resolve an image descriptor and collect the top-level digest and any index manifest digests.
Signature image generation
internal/testutils/testutils.go
Add PushSignatureImage(imgDigest, registryHost, repository string) error to build a minimal image containing /signature, convert it to OCI types via mutate, tag it as sha256-<digest>.sig, and push with remote.Write.
Integration test generator updates
internal/testutils/testutils.go
Update GenerateReleaseAndComponents to call GetAllManifestDigests for each component and the release image, and call PushSignatureImage per digest, returning wrapped errors that include the failing digest.

Sequence Diagram(s)

sequenceDiagram
  participant Generator as GenerateReleaseAndComponents
  participant Resolver as GetAllManifestDigests
  participant Signer as PushSignatureImage
  participant Registry as remote.Write
  Generator->>Resolver: resolve image ref -> list digests
  Resolver-->>Generator: return digest list
  loop per digest
    Generator->>Signer: build & tag signature sha256-<digest>.sig
    Signer->>Registry: remote.Write(signature image)
  end
Loading

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

Suggested reviewers

  • adolfo-ab
  • aguidirh
🚥 Pre-merge checks | ✅ 14 | ❌ 1

❌ Failed checks (1 warning)

Check name Status Explanation Resolution
Docstring Coverage ⚠️ Warning Docstring coverage is 60.00% which is insufficient. The required threshold is 80.00%. Write docstrings for the functions missing them to satisfy the coverage threshold.
✅ Passed checks (14 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title references fixing integration tests for non-x86 architectures (ppc64le and arm64), which aligns with the PR's primary objective of restoring multi-arch test support. However, the actual code changes involve both fixing test selection via regex patterns (Makefile) and significantly expanding test utilities with signature image generation functions (testutils.go), making the title somewhat incomplete.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names ✅ Passed Repository uses standard Go testing (testing.T), not Ginkgo. No Ginkgo-style test definitions found; existing test names are static, deterministic, and contain no dynamic information.
Test Structure And Quality ✅ Passed PR modifies Makefile and adds utility functions in testutils.go. It does not modify any Ginkgo tests; affected tests use standard Go testing.T, not Ginkgo.
Microshift Test Compatibility ✅ Passed PR does not add any new Ginkgo e2e tests (It/Describe/Context/When blocks); it only modifies test utility functions and Makefile patterns.
Single Node Openshift (Sno) Test Compatibility ✅ Passed PR adds no new Ginkgo e2e tests. Changes are limited to Makefile test patterns and testutils.go infrastructure functions; no new It(), Describe(), Context(), or When() test definitions are added.
Topology-Aware Scheduling Compatibility ✅ Passed PR modifies test infrastructure (Makefile) and test utilities (testutils.go), not deployment manifests, operator code, or controllers. Check is not applicable to test-only changes.
Ote Binary Stdout Contract ✅ Passed No violations found. New functions have no stdout writes; all code is in test utilities, not process-level code like main() or init().
Ipv6 And Disconnected Network Test Compatibility ✅ Passed PR does not add Ginkgo e2e tests; only utility functions and Makefile regex updates. No IPv4 assumptions or external connectivity issues detected.
No-Weak-Crypto ✅ Passed PR contains no weak crypto (MD5, SHA1, DES, RC4, etc.), custom implementations, or unsafe comparisons. Uses standard SHA256 from go-containerregistry.
Container-Privileges ✅ Passed PR modifies test utilities and Makefile targets only; no container privilege configurations (privileged:true, hostPID, hostNetwork, etc.) are introduced or modified.
No-Sensitive-Data-In-Logs ✅ Passed No sensitive data logging found. The PR logs only test image digests, registry mirror locations, and generic test references—no passwords, tokens, API keys, PII, or credentials.

✏️ Tip: You can configure your own custom pre-merge checks in the settings.

✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Comment @coderabbitai help to get the list of available commands and usage tips.

@prb112

prb112 commented Jun 5, 2026

Copy link
Copy Markdown
Contributor Author

/cc @KaushikOP

He is double-checking

@openshift-ci

openshift-ci Bot commented Jun 5, 2026

Copy link
Copy Markdown

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: prb112
Once this PR has been reviewed and has the lgtm label, please assign r4f4 for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@internal/testutils/testutils.go`:
- Around line 184-191: The code currently swallows errors from desc.ImageIndex()
and idx.IndexManifest() by returning digests, nil which masks manifest-list
resolution failures; change both error paths to fail fast by returning nil and
the encountered error (propagate the error) instead of returning the partial
digests slice so callers see the failure (update the branches that handle err
after desc.ImageIndex() and after idx.IndexManifest() to return nil, err).
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 447e6940-d2d4-4a72-9be8-15505f0fcfd2

📥 Commits

Reviewing files that changed from the base of the PR and between cd8e7ec and 7636b29.

📒 Files selected for processing (2)
  • Makefile
  • internal/testutils/testutils.go

Comment thread internal/testutils/testutils.go Outdated
Comment on lines +184 to +191
idx, err := desc.ImageIndex()
if err != nil {
return digests, nil // Return what we have
}

manifest, err := idx.IndexManifest()
if err != nil {
return digests, nil

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Fail fast when index resolution breaks.

Returning digests, nil here masks manifest-list resolution failures and lets callers continue with only a partial signature set. For multi-arch images that means the top-level digest gets a .sig tag while instance digests are silently skipped.

Suggested fix
 	if desc.MediaType.IsIndex() {
 		idx, err := desc.ImageIndex()
 		if err != nil {
-			return digests, nil // Return what we have
+			return nil, fmt.Errorf("resolve image index for %s: %w", imgRef, err)
 		}

 		manifest, err := idx.IndexManifest()
 		if err != nil {
-			return digests, nil
+			return nil, fmt.Errorf("load index manifest for %s: %w", imgRef, err)
 		}
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@internal/testutils/testutils.go` around lines 184 - 191, The code currently
swallows errors from desc.ImageIndex() and idx.IndexManifest() by returning
digests, nil which masks manifest-list resolution failures; change both error
paths to fail fast by returning nil and the encountered error (propagate the
error) instead of returning the partial digests slice so callers see the failure
(update the branches that handle err after desc.ImageIndex() and after
idx.IndexManifest() to return nil, err).

@prb112 prb112 force-pushed the OCPBUGS-65718-multi-arch branch from 7636b29 to 4f3dd32 Compare June 9, 2026 01:49
@openshift-ci openshift-ci Bot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Jun 9, 2026

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🧹 Nitpick comments (2)
internal/pkg/archive/unarchive_test.go (1)

84-119: ⚖️ Poor tradeoff

Consider using the same deterministic approach as TestUnArchiver_CacheDirError.

The current test attempts to create directories under / which may behave differently across environments (containers, rootless podman, etc.). While the flexible error assertions with substring matching help, the test could be more reliable by following the pattern used in TestUnArchiver_CacheDirError (lines 136-145): create a read-only parent directory within the test's temp space instead of relying on system-level permission restrictions.

For example:

  1. Create readOnlyParent := filepath.Join(testFolder, "readonly")
  2. Set permissions to 0555
  3. Try to create working dir inside: filepath.Join(readOnlyParent, "working-dir")
  4. Assert error contains "unable to create working dir"

This would make the test consistently fail in the expected way regardless of the execution environment.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@internal/pkg/archive/unarchive_test.go` around lines 84 - 119, Replace the
brittle root-level path usage in TestUnArchiver_WorkingDirError with the
deterministic pattern used in TestUnArchiver_CacheDirError: create a read-only
parent directory inside the test temp dir (e.g., readOnlyParent :=
filepath.Join(testFolder, "readonly")), chmod it to 0555, then pass
filepath.Join(readOnlyParent, "working-dir") as the workingDir argument to
NewArchiveExtractor (after calling prepareDummyTarWorkingDir as before); call
o.Unarchive() and assert the returned error contains "unable to create working
dir" to make the test reliably fail due to permission errors rather than
environment-dependent root behavior.
internal/pkg/archive/unarchive.go (1)

168-173: 💤 Low value

Minor documentation improvement for clarity.

The comment on line 169 states "unless it's the root directory which already ends with separator on Unix," but the code actually checks whether absDir ends with a path separator regardless of whether it's the root directory. While the behavior is correct (the HasSuffix check handles any directory that already has a trailing separator), the comment could be more accurate.

Consider revising to: "Ensure absDir ends with a path separator for proper prefix checking, unless it already has one."

The path-sanitization logic itself is sound and correctly prevents path traversal attacks via canonicalization and prefix validation.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@internal/pkg/archive/unarchive.go` around lines 168 - 173, Update the comment
above the path-normalization block to more accurately describe behavior: replace
the existing line referencing "unless it's the root directory which already ends
with separator on Unix" with a concise note like "Ensure absDir ends with a path
separator for proper prefix checking, unless it already has one." Keep the code
using strings.HasSuffix(absDir, string(os.PathSeparator)), the subsequent append
of os.PathSeparator, and the prefix check using strings.HasPrefix(absV, absDir)
/ absV == strings.TrimSuffix(absDir, string(os.PathSeparator)) unchanged.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Nitpick comments:
In `@internal/pkg/archive/unarchive_test.go`:
- Around line 84-119: Replace the brittle root-level path usage in
TestUnArchiver_WorkingDirError with the deterministic pattern used in
TestUnArchiver_CacheDirError: create a read-only parent directory inside the
test temp dir (e.g., readOnlyParent := filepath.Join(testFolder, "readonly")),
chmod it to 0555, then pass filepath.Join(readOnlyParent, "working-dir") as the
workingDir argument to NewArchiveExtractor (after calling
prepareDummyTarWorkingDir as before); call o.Unarchive() and assert the returned
error contains "unable to create working dir" to make the test reliably fail due
to permission errors rather than environment-dependent root behavior.

In `@internal/pkg/archive/unarchive.go`:
- Around line 168-173: Update the comment above the path-normalization block to
more accurately describe behavior: replace the existing line referencing "unless
it's the root directory which already ends with separator on Unix" with a
concise note like "Ensure absDir ends with a path separator for proper prefix
checking, unless it already has one." Keep the code using
strings.HasSuffix(absDir, string(os.PathSeparator)), the subsequent append of
os.PathSeparator, and the prefix check using strings.HasPrefix(absV, absDir) /
absV == strings.TrimSuffix(absDir, string(os.PathSeparator)) unchanged.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 86422770-4a5d-4766-bf44-a55bb75bf6aa

📥 Commits

Reviewing files that changed from the base of the PR and between 7636b29 and 4f3dd32.

📒 Files selected for processing (3)
  • Makefile
  • internal/pkg/archive/unarchive.go
  • internal/pkg/archive/unarchive_test.go
🚧 Files skipped from review as they are similar to previous changes (1)
  • Makefile

Signed-off-by: Paul Bastide <pbastide@us.ibm.com>
@prb112 prb112 force-pushed the OCPBUGS-65718-multi-arch branch from 4f3dd32 to 08496b1 Compare June 9, 2026 01:59
@openshift-ci openshift-ci Bot removed the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Jun 9, 2026

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🧹 Nitpick comments (1)
internal/testutils/testutils.go (1)

450-451: Use the shared digest-tag formatting in test signature generation (no hardcoded sha256: prefix).

internal/testutils/testutils.go’s PushSignatureImage builds the signature tag by hardcoding sha256: via strings.TrimPrefix, while production uses internal/pkg/signature.SigstoreAttachmentTag to validate the digest and format tags based on the digest algorithm. Switch the test helper to the shared logic (or digest.Parse + the same formatting) to avoid generating incorrect signature tags for non-sha256/malformed digests.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@internal/testutils/testutils.go` around lines 450 - 451, PushSignatureImage
currently builds signature tags by trimming a hardcoded "sha256:" prefix and
formatting "sha256-%s.sig", which breaks for non-sha256 or malformed digests;
update PushSignatureImage to reuse the shared formatting logic instead: either
call internal/pkg/signature.SigstoreAttachmentTag with the parsed digest or use
digest.Parse to parse imgDigest and then format the tag using the digest
algorithm and hex (same format SigstoreAttachmentTag produces). Replace the
strings.TrimPrefix/fmt.Sprintf lines with that shared/parsed-digest approach so
tests generate tags consistent with production validation.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@internal/testutils/testutils.go`:
- Line 467: The call to crane.Image(sigContent) ignores the returned error
causing potential nil img panics; change img, _ := crane.Image(sigContent) to
capture the error (e.g., img, err := crane.Image(sigContent)) and handle it
appropriately in the surrounding function (return the error, propagate it, or
fail the test using t.Fatalf/t.Errorf), ensuring any failure to create the image
with sigContent is reported rather than swallowed.

---

Nitpick comments:
In `@internal/testutils/testutils.go`:
- Around line 450-451: PushSignatureImage currently builds signature tags by
trimming a hardcoded "sha256:" prefix and formatting "sha256-%s.sig", which
breaks for non-sha256 or malformed digests; update PushSignatureImage to reuse
the shared formatting logic instead: either call
internal/pkg/signature.SigstoreAttachmentTag with the parsed digest or use
digest.Parse to parse imgDigest and then format the tag using the digest
algorithm and hex (same format SigstoreAttachmentTag produces). Replace the
strings.TrimPrefix/fmt.Sprintf lines with that shared/parsed-digest approach so
tests generate tags consistent with production validation.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: ad1237bc-1c9c-44cf-9f7e-08e91ff23c8f

📥 Commits

Reviewing files that changed from the base of the PR and between 4f3dd32 and 08496b1.

📒 Files selected for processing (2)
  • Makefile
  • internal/testutils/testutils.go
🚧 Files skipped from review as they are similar to previous changes (1)
  • Makefile

Comment thread internal/testutils/testutils.go Outdated
@prb112

prb112 commented Jun 10, 2026

Copy link
Copy Markdown
Contributor Author

/jira refresh

@openshift-ci-robot openshift-ci-robot added jira/valid-bug Indicates that a referenced Jira bug is valid for the branch this PR is targeting. and removed jira/invalid-bug Indicates that a referenced Jira bug is invalid for the branch this PR is targeting. labels Jun 10, 2026
@openshift-ci-robot

Copy link
Copy Markdown

@prb112: This pull request references Jira Issue OCPBUGS-65718, which is valid. The bug has been moved to the POST state.

3 validation(s) were run on this bug
  • bug is open, matching expected state (open)
  • bug target version (5.0.0) matches configured target version for branch (5.0.0)
  • bug is in the state New, which is one of the valid states (NEW, ASSIGNED, POST)
Details

In response to this:

/jira refresh

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

Comment thread Makefile
$(GO) test $(GO_MOD_FLAGS) $(GO_BUILD_FLAGS) -coverprofile=tests/results-integration/cover-additional.out -race -count=1 ./internal/pkg/... -run TestIntegrationAdditional
$(GO) test $(GO_MOD_FLAGS) $(GO_BUILD_FLAGS) -coverprofile=tests/results-integration/cover-release.out -race -count=1 ./internal/pkg/... -run TestIntegrationRelease
$(GO) test $(GO_MOD_FLAGS) $(GO_BUILD_FLAGS) -coverprofile=tests/results-integration/cover-additional.out -race -count=1 ./internal/pkg/... -run 'TestIntegrationAdditional$$'
$(GO) test $(GO_MOD_FLAGS) $(GO_BUILD_FLAGS) -coverprofile=tests/results-integration/cover-release.out -race -count=1 ./internal/pkg/... -run 'TestIntegrationRelease$$'

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Avoids running the M2M twice

@openshift-ci-robot

Copy link
Copy Markdown

@prb112: This pull request references Jira Issue OCPBUGS-65718, which is valid.

3 validation(s) were run on this bug
  • bug is open, matching expected state (open)
  • bug target version (5.0.0) matches configured target version for branch (5.0.0)
  • bug is in the state POST, which is one of the valid states (NEW, ASSIGNED, POST)
Details

In response to this:

Description

Closed OCPBUGS-65718: multi-arch tests were not passing on ppc64le #1325 in favor of this PR.

This fixes the integration tests when running on non-x86 arches:

To test the multi-arch tests:

linux/ppc64le

$ podman build --platform linux/ppc64le -t test -f Dockerfile .
$ podman run --platform linux/ppc64le --rm --entrypoint="" -v ./:/src:Z --workdir /src localhost/test:latest go test -mod=readonly -tags "json1 exclude_graphdriver_devicemapper exclude_graphdriver_btrfs containers_image_openpgp libdm_no_deferred_remove" -count=1 ./internal/pkg/cli -run TestIntegrationRelease -v 2>&1

linux/arm64

$ podman build --platform linux/arm64 -t test -f Dockerfile .
$ podman run --platform linux/arm64 --rm --entrypoint="" -v ./:/src:Z --workdir /src localhost/test:latest go test -mod=readonly -tags "json1 exclude_graphdriver_devicemapper exclude_graphdriver_btrfs containers_image_openpgp libdm_no_deferred_remove" -count=1 ./internal/pkg/cli -run TestIntegrationRelease -v 2>&1

Github / Jira issue: OCPBUGS-65718

Type of change

Please delete options that are not relevant.

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to not work as expected)
  • Code Improvements (Refactoring, Performance, CI upgrades, etc)
  • Internal repo assets (diagrams / docs on github repo)
  • This change requires a documentation update on openshift docs

How Has This Been Tested?

Tested on multiple architectures

Expected Outcome

Expect test-integration to function correctly

Summary by CodeRabbit

  • Tests

  • More precise integration test selection and improved handling of multi-manifest test images to make integration runs more targeted and reliable.

  • Chores

  • Enhanced internal test utilities to enumerate image manifests and generate/push corresponding signature artifacts for test images, improving test coverage of signed-image scenarios.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🧹 Nitpick comments (1)
internal/testutils/testutils.go (1)

189-192: 💤 Low value

Inconsistent error suppression: line 191 lacks the nolint directive present on line 186.

Line 186 documents the intentional error-ignoring behavior with //nolint:nilerr,errcheck, but line 191 does the same return digests, nil on IndexManifest() failure without the directive. For consistency and to satisfy linters, either add the same nolint annotation here or propagate the error as originally suggested.

Option A: Add nolint for consistency
 		manifest, err := idx.IndexManifest()
 		if err != nil {
-			return digests, nil
+			return digests, nil //nolint:nilerr,errcheck // Return what we have
 		}
Option B: Fail fast on both paths (as originally suggested)
 	if desc.MediaType.IsIndex() {
 		idx, err := desc.ImageIndex()
 		if err != nil {
-			return digests, nil //nolint:nilerr,errcheck // Return what we have
+			return nil, fmt.Errorf("resolve image index for %s: %w", imgRef, err)
 		}

 		manifest, err := idx.IndexManifest()
 		if err != nil {
-			return digests, nil
+			return nil, fmt.Errorf("load index manifest for %s: %w", imgRef, err)
 		}
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@internal/testutils/testutils.go` around lines 189 - 192, The error return
from idx.IndexManifest() in the block using manifest and digests is suppressing
the error by returning (digests, nil) but lacks the matching nolint directive
present earlier; update the handler for IndexManifest() failure to match the
existing behavior by adding the same comment directive
(//nolint:nilerr,errcheck) on the return path or, alternatively, propagate the
error instead of returning nil—locate the IndexManifest() call and its
surrounding block (variables manifest, err, digests) and apply the same chosen
fix consistently as was used on the earlier similar return.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Nitpick comments:
In `@internal/testutils/testutils.go`:
- Around line 189-192: The error return from idx.IndexManifest() in the block
using manifest and digests is suppressing the error by returning (digests, nil)
but lacks the matching nolint directive present earlier; update the handler for
IndexManifest() failure to match the existing behavior by adding the same
comment directive (//nolint:nilerr,errcheck) on the return path or,
alternatively, propagate the error instead of returning nil—locate the
IndexManifest() call and its surrounding block (variables manifest, err,
digests) and apply the same chosen fix consistently as was used on the earlier
similar return.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 26d1c280-551b-4dd5-8f1a-1ffff05484e8

📥 Commits

Reviewing files that changed from the base of the PR and between 08496b1 and 7be8d67.

📒 Files selected for processing (1)
  • internal/testutils/testutils.go

@prb112 prb112 force-pushed the OCPBUGS-65718-multi-arch branch 3 times, most recently from d606358 to 93a51d5 Compare June 10, 2026 17:32
Signed-off-by: Paul Bastide <pbastide@us.ibm.com>
@prb112 prb112 force-pushed the OCPBUGS-65718-multi-arch branch from 93a51d5 to 2711e05 Compare June 10, 2026 17:42
@prb112

prb112 commented Jun 10, 2026

Copy link
Copy Markdown
Contributor Author

Hey @aguidirh

Finally got to the root cause - signatures for the other arches were missing.

I've fixed the code with the assistance of 'IBM Bob'

Thanks

Paul

@openshift-ci

openshift-ci Bot commented Jun 10, 2026

Copy link
Copy Markdown

@prb112: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

@aguidirh aguidirh left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for the PR @prb112,

I added few comments, could you please have a look? Feel free to ask questions.

if desc.MediaType.IsIndex() {
idx, err := desc.ImageIndex()
if err != nil {
return digests, nil //nolint:nilerr,errcheck // Return what we have

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is there any specific reason why the error is not returned here?

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

will come back and answer tomorrow morning. Thanks Alex


manifest, err := idx.IndexManifest()
if err != nil {
return digests, nil //nolint:nilerr,errcheck

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is there any specific reason why the error is not returned here?

@aguidirh

Copy link
Copy Markdown
Contributor

/assign @prb112

@aguidirh

Copy link
Copy Markdown
Contributor

@prb112 could you please have a look? It is also required to sign the commits, it's a new security requirement.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

jira/valid-bug Indicates that a referenced Jira bug is valid for the branch this PR is targeting. jira/valid-reference Indicates that this PR references a valid Jira ticket of any type.

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants