
CLID-627: Add test to check signature mirroring and deletion #1449

Open

adolfo-ab wants to merge 1 commit into openshift:main from adolfo-ab:CLID-627

Conversation

@adolfo-ab adolfo-ab (Contributor) commented Jun 19, 2026

Description

Adds tests to verify that cosign signatures can be mirrored and deleted. It also adds the necessary scripts to attach the cosign signatures to test images.

Github / Jira issue:

Type of change

Please delete options that are not relevant.

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to not work as expected)
  • Code Improvements (Refactoring, Performance, CI upgrades, etc)
  • Internal repo assets (diagrams / docs on github repo)
  • This change requires a documentation update on openshift docs

How Has This Been Tested?

Please describe the tests that you ran to verify your changes. Provide instructions so we can reproduce. Please also list any relevant details for your test configuration.

Expected Outcome

Please describe the outcome expected from the tests.

Summary by CodeRabbit

  • Tests
    • Added integration coverage for mirroring to disk and back to a registry while preserving signatures, including signature-aware delete validation.
    • Added stricter post-delete tag assertions (only expected .sig tags may remain unconditionally; others must be catalog tags).
    • Improved signature-file discovery used by integration tests and added new ISC/DISC signature test fixtures.
  • Chores
    • Added Cosign key generation script for integration runs and populated encrypted Cosign key fixture.
    • Added Cosign signing targets to integration image-builder Makefiles (operator/release) with a shared COSIGN_KEY default.

@openshift-ci-robot openshift-ci-robot added the jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. label Jun 19, 2026
@openshift-ci openshift-ci Bot added the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Jun 19, 2026
@openshift-ci openshift-ci Bot commented Jun 19, 2026

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

@openshift-ci-robot openshift-ci-robot commented Jun 19, 2026

@adolfo-ab: This pull request references CLID-627 which is a valid jira issue.


@coderabbitai coderabbitai Bot commented Jun 19, 2026

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

  • @coderabbitai resume to resume automatic reviews.
  • @coderabbitai review to trigger a single review.

Walkthrough

Adds Cosign signing support to integration test image builders via new Makefile sign targets and a key-generation helper script. Populates the cosign.key test fixture. Introduces signature-specific ISC and DISC YAML configs, a revised expectOnlySignatureTagsRemain helper, and a new end-to-end integration test covering mirror-to-disk, disk-to-mirror, and delete with signature preservation.

Changes

Signature Preservation Testing Infrastructure

  • Cosign key fixture and generation
    Files: tests/integration/testdata/keys/cosign.key, tests/integration/image-builders/generate-cosign-keys.sh
    Populates the previously empty cosign.key fixture with a full encrypted PEM block and adds a bash script that idempotently generates the Cosign keypair into the test keys directory, exiting early if keys already exist.
  • Image signing in operator and release Makefiles
    Files: tests/integration/image-builders/operator/Makefile, tests/integration/image-builders/release/Makefile, tests/integration/image-builders/release/create-release.sh
    Adds COSIGN_KEY default variables and sign targets to both image builders. Operator Makefile uses pattern rules to sign bundles, related images (with -bundle stripped), and per-catalog images. Release Makefile signs two fixed quay.io images. Both use empty COSIGN_PASSWORD and --tlog-upload=false. Corrects release Makefile build target header and removes test from .PHONY list and all prerequisites.
  • Signature-specific test data configurations
    Files: tests/integration/testdata/imagesetconfigs/signatures/isc-signatures.yaml, tests/integration/testdata/imagesetconfigs/signatures/disc-signatures.yaml
    Introduces ISC and DISC YAML test fixtures defining platform and operator mirroring with signatures disabled, and platform and operator deletion targeting a specific package named foo.
  • Post-delete validation and key-discovery filtering
    Files: tests/integration/helpers_test.go
    Adds expectOnlySignatureTagsRemain to validate post-delete registry state by permitting only .sig tags unconditionally while requiring all other remaining tags to be catalog tags via reg.IsCatalog. Updates setupWorkDir to additionally skip key directory entries whose names start with cosign.
  • End-to-end signature preservation test
    Files: tests/integration/m2d_d2m_test.go
    Introduces a Ginkgo integration test that exercises mirror-to-disk using ISC config, mirrors disk back to local registry with signature retention (--remove-signatures=false), executes two-phase delete using DISC config, and validates that only .sig tags remain post-delete.

Sequence Diagram(s)

sequenceDiagram
    participant Test as Integration Test
    participant Disk as Local Disk Cache
    participant Registry as Local Registry

    rect rgba(70, 130, 180, 0.5)
        Note over Test,Disk: Mirror to Disk
        Test->>Disk: mirrorToDisk (isc-signatures.yaml)
        Test->>Disk: verify cache and tar outputs
    end

    rect rgba(60, 179, 113, 0.5)
        Note over Test,Registry: Disk to Mirror
        Test->>Registry: diskToMirror --remove-signatures=false
        Test->>Registry: verify mirrored images
    end

    rect rgba(205, 92, 92, 0.5)
        Note over Test,Registry: Delete with Signature Validation
        Test->>Registry: DeletePhaseOne (disc-signatures.yaml)
        Test->>Registry: DeletePhaseTwo execution
        Test->>Registry: expectOnlySignatureTagsRemain
    end

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

🚥 Pre-merge checks | ✅ 13 | ❌ 2

❌ Failed checks (2 warnings)

  • Docstring Coverage: ⚠️ Warning. Docstring coverage is 75.00% which is insufficient. The required threshold is 80.00%. Resolution: Write docstrings for the functions missing them to satisfy the coverage threshold.
  • Ipv6 And Disconnected Network Test Compatibility: ⚠️ Warning. The new test references external public registries (quay.io/oc-mirror/*) which require internet connectivity to pull images. This test will fail in IPv6-only disconnected CI environments with no pu... Resolution: Either mock the external registry references, pre-seed test images in a local registry, or add [Skipped:Disconnected] to skip the test in disconnected environments.

✅ Passed checks (13 passed)

  • Linked Issues check: ✅ Passed. Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check: ✅ Passed. Check skipped because no linked issues were found for this pull request.
  • Stable And Deterministic Test Names: ✅ Passed. All Ginkgo test names in the PR are stable and deterministic with no dynamic values, timestamps, UUIDs, or generated identifiers. Test names use clear, static, descriptive strings appropriate for t...
  • Test Structure And Quality: ✅ Passed. The new test follows all quality criteria: single responsibility (tests signature preservation via two-phase mirror and delete), proper setup/cleanup via BeforeEach/AfterEach, appropriate context w...
  • Microshift Test Compatibility: ✅ Passed. The new Ginkgo test "should mirror with signatures preserved and then delete" is a CLI-based integration test that does not use any Kubernetes or OpenShift APIs. It executes oc-mirror commands agai...
  • Single Node Openshift (Sno) Test Compatibility: ✅ Passed. The new Ginkgo test added in tests/integration/m2d_d2m_test.go is an integration test for the oc-mirror CLI tool testing container image mirroring operations, not a Kubernetes e2e test. It has no m...
  • Topology-Aware Scheduling Compatibility: ✅ Passed. This PR contains only test infrastructure, test data, and build scripts. It does not introduce deployment manifests, operator code, controllers, or any Kubernetes scheduling constraints (pod affini...
  • Ote Binary Stdout Contract: ✅ Passed. The PR adds a new test helper expectOnlySignatureTagsRemain (called only from test It() blocks) and a new integration test in m2d_d2m_test.go. All test code is inside Ginkgo test blocks where std...
  • No-Weak-Crypto: ✅ Passed. PR contains no weak crypto (MD5, SHA1, DES, RC4, 3DES, Blowfish, ECB), custom crypto implementations, or non-constant-time secret comparisons. Uses cosign (ECDSA/SHA256) and scrypt+NaCl for strong...
  • Container-Privileges: ✅ Passed. PR adds test infrastructure (Go tests, scripts, Makefiles, test YAML configs) with no container/K8s manifests containing privileged: true, hostPID/Network/IPC, SYS_ADMIN, allowPrivilegeEscalation,...
  • No-Sensitive-Data-In-Logs: ✅ Passed. No sensitive data (passwords, tokens, API keys, or PII) is exposed in logging. The PR uses empty COSIGN_PASSWORD values and references only encrypted test fixtures throughout.
  • Title check: ✅ Passed. The title accurately summarizes the main change: adding an integration test for signature mirroring and deletion.
  • Description Check: ✅ Passed. Check skipped - CodeRabbit's high-level summary is enabled.

@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 6

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@tests/integration/helpers_test.go`:
- Around line 260-263: The `IsCatalog` check on line 260 only examines
`tags[0]`, causing non-deterministic test behavior when tag ordering changes.
Instead of checking only the first tag, iterate through all tags in the `tags`
slice and call `IsCatalog` for each tag. If any tag returns true for
`IsCatalog`, skip the repository with `continue`. Only process the repository if
none of the tags are identified as catalogs. This ensures the test correctly
handles repositories with multiple tags regardless of their order.

In `@tests/integration/image-builders/generate-cosign-keys.sh`:
- Around line 11-20: The early exit condition in the script only checks for the
existence of cosign.key and cosign.pub in the KEYS_DIR, but does not verify that
cosign-signing-config.json also exists. This causes the script to exit
prematurely when the signing config file is deleted while the key files remain,
leaving the repository in a broken state. Modify the conditional statement that
checks for existing keys to also include a check for the existence of
cosign-signing-config.json alongside cosign.key and cosign.pub in KEYS_DIR. Only
exit early if all three files are present; otherwise, allow the script to
continue and regenerate the missing file or files.

In `@tests/integration/image-builders/operator/Makefile`:
- Around line 57-62: In the sign-bundles-cosign target and all other similar
targets mentioned (lines 57-107) that contain for loops running critical
operations like cosign signing, image inspection, and artifact tagging, add
fail-fast semantics by including 'set -e' at the start of the shell command
block. This ensures that if any command in the loop fails, the entire loop and
target will exit immediately with a non-zero status instead of continuing
execution and silently masking failures. Apply this consistently across all
affected targets to prevent cryptographic signing errors and other critical
failures from being masked.
- Around line 84-87: The Python one-liner in the referrer variable assignment
(and similarly in the duplicate lines at 96 and 104) accesses the last element
of the manifests list without first validating that the list is not empty, which
will cause an IndexError if oras discover returns no referrers. Update the
Python code within the oras discover command to check if the manifests list
exists and contains at least one element before attempting to access it with the
index operator, and handle the case appropriately (either by returning an empty
value, exiting with an error, or using a default behavior depending on the
desired behavior). Apply this same fix to all three occurrences of this pattern
in the Makefile.

In `@tests/integration/image-builders/release/Makefile`:
- Around line 33-41: The sign-tag-legacy target contains a multi-step loop that
continues executing even when commands fail (skopeo inspect, JSON parsing, oras
discover, or oras tag), which silently hides failures. Add set -e at the
beginning of the shell command block (after the @ symbol) to enable fail-fast
behavior, ensuring that if any command in the loop returns a non-zero exit code,
the entire loop terminates immediately and the target fails as expected.
- Line 38: The referrer extraction in line 38 uses `manifests[-1]` without
validating that the manifests array is non-empty, which will cause a silent
failure or incorrect behavior if oras discover returns no referrers. Modify the
Python one-liner within the referrer variable assignment to add validation that
checks if the manifests array exists and contains elements before accessing the
last element, and handle the error case appropriately (such as exiting with an
error message or returning an empty value) to make the failure explicit rather
than silent.


📥 Commits

Reviewing files that changed from the base of the PR and between 507b46a and 3e53b33.

⛔ Files ignored due to path filters (1)
  • tests/integration/testdata/keys/cosign.pub is excluded by !**/*.pub
📒 Files selected for processing (10)
  • tests/integration/helpers_test.go
  • tests/integration/image-builders/generate-cosign-keys.sh
  • tests/integration/image-builders/operator/Makefile
  • tests/integration/image-builders/release/Makefile
  • tests/integration/image-builders/release/create-release.sh
  • tests/integration/m2d_d2m_test.go
  • tests/integration/testdata/imagesetconfigs/signatures/disc-signatures.yaml
  • tests/integration/testdata/imagesetconfigs/signatures/isc-signatures.yaml
  • tests/integration/testdata/keys/cosign-signing-config.json
  • tests/integration/testdata/keys/cosign.key
💤 Files with no reviewable changes (1)
  • tests/integration/image-builders/release/create-release.sh
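The post-delete check discussed in the walkthrough and in the first inline comment above, written out as an added Go example (not the project's own `expectOnlySignatureTagsRemain`): a repository counts as a catalog repository when any of its tags, not only `tags[0]`, satisfies the catalog predicate, and every tag left in any other repository must be a cosign legacy signature tag. The registry contents and the `sampleIsCatalog` predicate are constructed stand-ins for the test's local registry and `reg.IsCatalog`.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
	"strings"
)

// sigTagRE matches cosign's legacy signature tag layout, "sha256-<64 hex>.sig".
// Matching the full shape is stricter than a bare ".sig" suffix check, so a
// stray tag such as "latest.sig" is reported rather than accepted.
var sigTagRE = regexp.MustCompile(`^sha256-[0-9a-f]{64}\.sig$`)

// IsSignatureTag reports whether tag is a cosign legacy signature tag.
func IsSignatureTag(tag string) bool { return sigTagRE.MatchString(tag) }

// CatalogPredicate decides whether a repo:tag pair is a catalog image. The
// test suite uses reg.IsCatalog for this; here it is injected.
type CatalogPredicate func(repo, tag string) bool

// CheckOnlySignatureTagsRemain validates the post-delete state of a registry
// given as repository -> remaining tags. Catalog repositories are skipped,
// where "catalog" means ANY tag satisfies isCatalog (checking only tags[0]
// made the outcome depend on the order the registry lists tags in).
// Every tag of every other repository must be a signature tag. Offending
// "repo:tag" references are returned sorted, so a failure is deterministic.
func CheckOnlySignatureTagsRemain(repos map[string][]string, isCatalog CatalogPredicate) []string {
	var unexpected []string
	for repo, tags := range repos {
		if isCatalogRepo(repo, tags, isCatalog) {
			continue
		}
		for _, tag := range tags {
			if !IsSignatureTag(tag) {
				unexpected = append(unexpected, repo+":"+tag)
			}
		}
	}
	sort.Strings(unexpected)
	return unexpected
}

func isCatalogRepo(repo string, tags []string, isCatalog CatalogPredicate) bool {
	for _, tag := range tags {
		if isCatalog(repo, tag) {
			return true
		}
	}
	return false
}

// sampleRegistry is a constructed registry catalog as it might look after the
// two-phase delete. Digests are fake (repeated hex digits).
func sampleRegistry() map[string][]string {
	return map[string][]string{
		// Deleted operator image: only its signature tag is left, as expected.
		"oc-mirror/operator/foo": {"sha256-" + strings.Repeat("a", 64) + ".sig"},
		// Catalog repository listed with the .sig tag first; a tags[0]-only
		// check would wrongly flag "v4.20" as an unexpected leftover.
		"oc-mirror/operator/catalog": {"sha256-" + strings.Repeat("b", 64) + ".sig", "v4.20"},
		// An image tag that survived the delete: this is the real failure.
		"oc-mirror/operator/bar": {"v1.0.0", "sha256-" + strings.Repeat("c", 64) + ".sig"},
	}
}

// sampleIsCatalog stands in for reg.IsCatalog (assumed behaviour: a tag is a
// catalog when it lives in a catalog repository and is not a signature tag).
func sampleIsCatalog(repo, tag string) bool {
	return strings.HasSuffix(repo, "/catalog") && !IsSignatureTag(tag)
}

func main() {
	leftovers := CheckOnlySignatureTagsRemain(sampleRegistry(), sampleIsCatalog)
	if len(leftovers) == 0 {
		fmt.Println("ok: only signature tags remain")
		return
	}
	fmt.Println("unexpected tags after delete:")
	for _, ref := range leftovers {
		fmt.Println("  ", ref)
	}
}
```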


@coderabbitai coderabbitai Bot left a comment

🧹 Nitpick comments (2)
tests/integration/image-builders/release/Makefile (1)

28-41: 💤 Low value

Consider defining a variable for the release images list.

The image references quay.io/oc-mirror/release/test-image:v0.0.1 and quay.io/oc-mirror/release/test-release-index:v0.0.1 are repeated in sign-cosign (lines 29-30) and sign-tag-legacy (line 34). Extracting them to a RELEASE_IMAGES variable would centralize the list and reduce duplication.

RELEASE_IMAGES := quay.io/oc-mirror/release/test-image:v0.0.1 quay.io/oc-mirror/release/test-release-index:v0.0.1
🤖 Prompt for AI Agents

In `@tests/integration/image-builders/release/Makefile` around lines 28 - 41,
Define a RELEASE_IMAGES variable at the top of the Makefile containing the two
image references (quay.io/oc-mirror/release/test-image:v0.0.1 and
quay.io/oc-mirror/release/test-release-index:v0.0.1). Then replace the hardcoded
image references in the sign-cosign target with references to this variable, and
update the sign-tag-legacy target to use the RELEASE_IMAGES variable in the for
loop instead of hardcoding the image list. This eliminates duplication and makes
the images easier to maintain in a single location.
tests/integration/image-builders/operator/Makefile (1)

80-107: 💤 Low value

Consider extracting the repeated legacy-tagging logic into a helper.

The sign-tag-legacy target contains three nearly identical loops (lines 80-89, 90-99, 100-107) that all perform the same sequence: inspect image → compute signature tag → discover referrer → tag referrer. This duplication increases maintenance burden and makes it easy for bugs to diverge across loops.

Consider defining a reusable shell function or a separate target that accepts an image argument, then invoke it from a single loop over all images.

🤖 Prompt for AI Agents

In `@tests/integration/image-builders/operator/Makefile` around lines 80 - 107,
The sign-tag-legacy target contains three nearly identical loops that repeat the
same sequence of operations: using skopeo inspect to get the image digest,
computing a signature tag from the digest, discovering the referrer with oras
discover, and finally tagging the referrer with oras tag. Extract this repeated
logic into a reusable shell function that accepts an image name as a parameter
and performs all these steps (the skopeo inspect, digest computation via sed
substitution, oras discover, and final oras tag operations). Then replace each
of the three separate for loops in sign-tag-legacy with a single loop that calls
this helper function for each image, reducing duplication and maintenance
burden.


📥 Commits

Reviewing files that changed from the base of the PR and between 3e53b33 and 13ad58d.

⛔ Files ignored due to path filters (1)
  • tests/integration/testdata/keys/cosign.pub is excluded by !**/*.pub
📒 Files selected for processing (10)
  • tests/integration/helpers_test.go
  • tests/integration/image-builders/generate-cosign-keys.sh
  • tests/integration/image-builders/operator/Makefile
  • tests/integration/image-builders/release/Makefile
  • tests/integration/image-builders/release/create-release.sh
  • tests/integration/m2d_d2m_test.go
  • tests/integration/testdata/imagesetconfigs/signatures/disc-signatures.yaml
  • tests/integration/testdata/imagesetconfigs/signatures/isc-signatures.yaml
  • tests/integration/testdata/keys/cosign-signing-config.json
  • tests/integration/testdata/keys/cosign.key
💤 Files with no reviewable changes (1)
  • tests/integration/image-builders/release/create-release.sh
✅ Files skipped from review due to trivial changes (1)
  • tests/integration/testdata/keys/cosign-signing-config.json
🚧 Files skipped from review as they are similar to previous changes (5)
  • tests/integration/testdata/imagesetconfigs/signatures/disc-signatures.yaml
  • tests/integration/testdata/imagesetconfigs/signatures/isc-signatures.yaml
  • tests/integration/m2d_d2m_test.go
  • tests/integration/image-builders/generate-cosign-keys.sh
  • tests/integration/helpers_test.go
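The legacy-tagging sequence the nitpick above describes (inspect the digest, compute the `.sig` tag, discover the referrer, tag it) together with the `manifests[-1]` concern raised in the earlier inline comment, as an added Go example that is not the Makefile's own logic: the digest-to-tag step is done in Go rather than with `sed`, and the referrer is selected from `oras discover --format json` output with an explicit error on an empty list instead of indexing the last element. The JSON field names (`manifests`, `digest`, `artifactType`) are assumed from oras output, the cosign artifact type constant is an assumption to verify against the cosign version in use, and the sample output is constructed.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// cosignBundleArtifactType is the artifactType cosign attaches to referrer
// signatures in its bundle format. ASSUMPTION: verify against your cosign
// release before relying on it; pass "" to SelectSignatureReferrer to skip
// the filter.
const cosignBundleArtifactType = "application/vnd.dev.sigstore.bundle.v0.3+json"

// LegacySignatureTag converts an image digest ("sha256:<hex>") into the tag
// cosign's legacy discovery looks for, "sha256-<hex>.sig". It rejects
// anything that is not a well-formed sha256 digest instead of producing a
// tag that a later `oras tag` would quietly push under the wrong name.
func LegacySignatureTag(digest string) (string, error) {
	algo, hex, ok := strings.Cut(digest, ":")
	if !ok || algo != "sha256" || len(hex) != 64 || strings.Trim(hex, "0123456789abcdef") != "" {
		return "", fmt.Errorf("not a sha256 digest: %q", digest)
	}
	return algo + "-" + hex + ".sig", nil
}

// referrer is the subset of an `oras discover --format json` entry used here.
type referrer struct {
	Digest       string `json:"digest"`
	ArtifactType string `json:"artifactType"`
}

type discoverOutput struct {
	Manifests []referrer `json:"manifests"`
}

// SelectSignatureReferrer parses oras discover output and returns the digest
// of the referrer to tag. It fails on an empty list (the image was never
// signed), optionally keeps only entries of wantType, and fails when more
// than one candidate remains rather than picking manifests[-1] arbitrarily.
func SelectSignatureReferrer(raw []byte, wantType string) (string, error) {
	var out discoverOutput
	if err := json.Unmarshal(raw, &out); err != nil {
		return "", fmt.Errorf("parse oras discover output: %w", err)
	}
	if len(out.Manifests) == 0 {
		return "", errors.New("no referrers found: was the image signed?")
	}
	var candidates []string
	for _, m := range out.Manifests {
		if wantType == "" || m.ArtifactType == wantType {
			candidates = append(candidates, m.Digest)
		}
	}
	switch len(candidates) {
	case 0:
		return "", fmt.Errorf("%d referrers, none of type %q", len(out.Manifests), wantType)
	case 1:
		return candidates[0], nil
	default:
		return "", fmt.Errorf("ambiguous: %d referrers of type %q", len(candidates), wantType)
	}
}

// Constructed sample data: a fake image digest and fake oras discover output
// holding an unrelated SBOM referrer next to the signature referrer.
var (
	sampleDigest   = "sha256:" + strings.Repeat("a", 64)
	sigRefDigest   = "sha256:" + strings.Repeat("b", 64)
	sampleDiscover = []byte(`{"manifests":[` +
		`{"digest":"sha256:` + strings.Repeat("c", 64) + `","artifactType":"application/spdx+json"},` +
		`{"digest":"` + sigRefDigest + `","artifactType":"` + cosignBundleArtifactType + `"}]}`)
	emptyDiscover = []byte(`{"manifests":[]}`)
)

func main() {
	tag, err := LegacySignatureTag(sampleDigest)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	ref, err := SelectSignatureReferrer(sampleDiscover, cosignBundleArtifactType)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	// This pair is what the Makefile's final step hands to `oras tag`: the
	// referrer digest becomes reachable under the legacy signature tag.
	fmt.Printf("tag referrer %s as %s\n", ref, tag)
}
```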

@coderabbitai coderabbitai Bot left a comment

♻️ Duplicate comments (1)
tests/integration/image-builders/operator/Makefile (1)

53-68: ⚠️ Potential issue | 🟠 Major | ⚖️ Poor tradeoff

Make signing loops fail-fast to prevent silent command failures.

Lines 54–58 and 62–67 run critical cosign sign operations inside for loops without explicit fail-fast semantics. If any cosign sign command fails mid-loop, subsequent iterations continue and the target reports success despite the failure—masking cryptographic signing errors.

Proposed fix
 sign-bundles:
-	`@for` dir in bundles/*/*-bundle-v*/; do \
+	`@set` -e; \
+	for dir in bundles/*/*-bundle-v*/; do \
 		tag=$$(basename "$$dir"); \
 		echo "Signing bundle $$tag"; \
 		COSIGN_PASSWORD="" cosign sign --key $(COSIGN_KEY) --tlog-upload=false "$(REGISTRY):$$tag"; \
 	done
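Review bot: the `set -e` in this hunk only governs the loop because every recipe line ends in a backslash, so make hands the whole target to a single shell invocation; if a later edit breaks the recipe into separate lines (each of which make runs in its own shell), the flag silently stops applying to the rest of the loop. Making that contract explicit, for example with `.ONESHELL:` and `.SHELLFLAGS := -ec` in GNU make, or a comment on the target noting that the continuation is load-bearing, keeps the fail-fast behaviour from regressing. Moving `@` from `for` to `set -e` is fine: it suppresses echo for the entire continued command as before.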
@@
 sign-related:
-	`@for` dir in bundles/*/*-bundle-v*/; do \
+	`@set` -e; \
+	for dir in bundles/*/*-bundle-v*/; do \
🤖 Prompt for AI Agents

In `@tests/integration/image-builders/operator/Makefile` around lines 53 - 68, The
sign-bundles and sign-related targets run cosign sign commands inside for loops
without fail-fast semantics, meaning if any cosign sign fails, the loop
continues and the target still reports success, masking cryptographic signing
errors. Add `set -e` as the first line inside each for loop (after the `@for dir
in bundles/*/*-bundle-v*/;` part) to ensure that if any cosign sign command
exits with a non-zero status, the entire loop and target will fail immediately
rather than continuing to process remaining iterations.


📥 Commits

Reviewing files that changed from the base of the PR and between 13ad58d and 96b4300.

⛔ Files ignored due to path filters (1)
  • tests/integration/testdata/keys/cosign.pub is excluded by !**/*.pub
📒 Files selected for processing (9)
  • tests/integration/helpers_test.go
  • tests/integration/image-builders/generate-cosign-keys.sh
  • tests/integration/image-builders/operator/Makefile
  • tests/integration/image-builders/release/Makefile
  • tests/integration/image-builders/release/create-release.sh
  • tests/integration/m2d_d2m_test.go
  • tests/integration/testdata/imagesetconfigs/signatures/disc-signatures.yaml
  • tests/integration/testdata/imagesetconfigs/signatures/isc-signatures.yaml
  • tests/integration/testdata/keys/cosign.key
💤 Files with no reviewable changes (1)
  • tests/integration/image-builders/release/create-release.sh
✅ Files skipped from review due to trivial changes (2)
  • tests/integration/testdata/imagesetconfigs/signatures/disc-signatures.yaml
  • tests/integration/testdata/imagesetconfigs/signatures/isc-signatures.yaml
🚧 Files skipped from review as they are similar to previous changes (2)
  • tests/integration/m2d_d2m_test.go
  • tests/integration/helpers_test.go

@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents

Inline comments:
In `@tests/integration/image-builders/release/Makefile`:
- Line 5: The `all` target in the Makefile lists `test` as a dependency, but no
corresponding `test:` target is defined in the file, which will cause make to
fail. You need to either add a new `test:` target that defines the necessary
test commands, or remove `test` from the dependency list of the `all` target if
testing is not required. Choose the appropriate solution based on whether tests
should be part of the build workflow.

In `@tests/integration/testdata/keys/cosign.key`:
- Around line 1-11: The file cosign.key contains an encrypted Sigstore private
key that has been committed to the repository. Remove this private key file from
the commit entirely. If test execution requires a key, either generate it
dynamically during test setup using the make target or CI environment, or
replace it with a public key file if only verification is needed. Ensure the
file is added to .gitignore if it needs to be generated locally but not
committed.


📥 Commits

Reviewing files that changed from the base of the PR and between 96b4300 and 53d1073.

⛔ Files ignored due to path filters (1)
  • tests/integration/testdata/keys/cosign.pub is excluded by !**/*.pub
📒 Files selected for processing (9)
  • tests/integration/helpers_test.go
  • tests/integration/image-builders/generate-cosign-keys.sh
  • tests/integration/image-builders/operator/Makefile
  • tests/integration/image-builders/release/Makefile
  • tests/integration/image-builders/release/create-release.sh
  • tests/integration/m2d_d2m_test.go
  • tests/integration/testdata/imagesetconfigs/signatures/disc-signatures.yaml
  • tests/integration/testdata/imagesetconfigs/signatures/isc-signatures.yaml
  • tests/integration/testdata/keys/cosign.key
💤 Files with no reviewable changes (1)
  • tests/integration/image-builders/release/create-release.sh
✅ Files skipped from review due to trivial changes (2)
  • tests/integration/testdata/imagesetconfigs/signatures/isc-signatures.yaml
  • tests/integration/testdata/imagesetconfigs/signatures/disc-signatures.yaml
🚧 Files skipped from review as they are similar to previous changes (3)
  • tests/integration/image-builders/generate-cosign-keys.sh
  • tests/integration/helpers_test.go
  • tests/integration/m2d_d2m_test.go

@adolfo-ab adolfo-ab changed the title WIP CLID-627: Add test to check signature preservation CLID-627: Add test to check signature preservation Jun 23, 2026
@adolfo-ab adolfo-ab marked this pull request as ready for review June 23, 2026 08:50
@openshift-ci openshift-ci Bot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Jun 23, 2026
@openshift-ci openshift-ci Bot requested review from aguidirh and r4f4 June 23, 2026 08:51

@coderabbitai coderabbitai Bot left a comment

♻️ Duplicate comments (1)
tests/integration/image-builders/operator/Makefile (1)

53-68: 🩺 Stability & Availability | 🟠 Major | ⚡ Quick win

Add fail-fast semantics in signing loops.

sign-bundles and sign-related can continue after a failed cosign sign, which may mask partial-signing failures.

Suggested fix
 sign-bundles:
-	`@for` dir in bundles/*/*-bundle-v*/; do \
+	`@set` -e; \
+	for dir in bundles/*/*-bundle-v*/; do \
 		tag=$$(basename "$$dir"); \
 		echo "Signing bundle $$tag"; \
 		COSIGN_PASSWORD="" cosign sign --key $(COSIGN_KEY) --tlog-upload=false "$(REGISTRY):$$tag"; \
 	done
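Review bot: the `set -e` added to sign-bundles stops the loop at the first failed `cosign sign`, but it does not distinguish a signing failure from an empty `bundles/` tree: when `bundles/*/*-bundle-v*/` matches nothing the glob expands to itself, `tag` becomes the literal pattern and the target dies on a cosign error about a nonexistent reference. Add a directory check at the top of the loop body, for example `[ -d "$$dir" ] || { echo "no bundle directories under bundles/"; exit 1; }`, so the failure names the real cause. Separately, `COSIGN_PASSWORD=""` together with `--tlog-upload=false` is the right combination for the committed test key in tests/integration/testdata/keys/cosign.key: the empty passphrase means that key offers no protection and must never sign anything outside the integration registry, and skipping the transparency log keeps throwaway test signatures out of Rekor.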
@@
 sign-related:
-	`@for` dir in bundles/*/*-bundle-v*/; do \
+	`@set` -e; \
+	for dir in bundles/*/*-bundle-v*/; do \
 		bundle_tag=$$(basename "$$dir"); \
 		tag=$$(echo "$$bundle_tag" | sed 's/-bundle//'); \
 		echo "Signing related image $$tag"; \
 		COSIGN_PASSWORD="" cosign sign --key $(COSIGN_KEY) --tlog-upload=false "$(REGISTRY):$$tag"; \
 	done
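Review bot: sign-related signs `$(REGISTRY):$$tag` by tag; cosign resolves the tag to a manifest digest at signing time, warns that the tag is mutable, and stores the signature under `sha256-<digest>.sig`. If the release or operator builders re-push a different manifest under the same tag after this target runs, the `.sig` tag left behind belongs to the old digest, which an existence-only check on `.sig` tags would not notice. Make signing the last step after every push, or resolve the digest first and sign the `@sha256:` reference. The `sed 's/-bundle//'` derivation also assumes the related image exists under exactly that tag; with `set -e` a typo now aborts the target, which is correct, but the `echo` should print both `$$bundle_tag` and `$$tag` so the failure is attributable.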
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@tests/integration/image-builders/operator/Makefile` around lines 53 - 68, The
sign-bundles and sign-related targets do not have fail-fast semantics, allowing
the loops to continue executing even when cosign sign fails for a bundle. Add
error checking to both targets by including set -e at the beginning of the shell
command block (after the @ symbol) to ensure the entire command fails
immediately if any cosign sign invocation fails, preventing partial-signing
failures from being masked.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 2a3b1f35-020c-43b6-aa86-9a78f4af6559

📥 Commits

Reviewing files that changed from the base of the PR and between 53d1073 and d24d07e.

⛔ Files ignored due to path filters (1)
  • tests/integration/testdata/keys/cosign.pub is excluded by !**/*.pub
📒 Files selected for processing (9)
  • tests/integration/helpers_test.go
  • tests/integration/image-builders/generate-cosign-keys.sh
  • tests/integration/image-builders/operator/Makefile
  • tests/integration/image-builders/release/Makefile
  • tests/integration/image-builders/release/create-release.sh
  • tests/integration/m2d_d2m_test.go
  • tests/integration/testdata/imagesetconfigs/signatures/disc-signatures.yaml
  • tests/integration/testdata/imagesetconfigs/signatures/isc-signatures.yaml
  • tests/integration/testdata/keys/cosign.key
💤 Files with no reviewable changes (1)
  • tests/integration/image-builders/release/create-release.sh
✅ Files skipped from review due to trivial changes (1)
  • tests/integration/testdata/imagesetconfigs/signatures/isc-signatures.yaml
🚧 Files skipped from review as they are similar to previous changes (3)
  • tests/integration/image-builders/generate-cosign-keys.sh
  • tests/integration/m2d_d2m_test.go
  • tests/integration/testdata/imagesetconfigs/signatures/disc-signatures.yaml

@aguidirh aguidirh left a comment

Thanks for this PR Adolfo, approving it.

I'm wondering if in a different PR we should cover the following:

  • Verification that signatures are actually valid after mirroring (currently we are only checking if they exist)

  • Signature verification using the public key

  • Behavior when signatures are corrupted

  • Mixed scenario: some images signed, some not

Comment thread tests/integration/helpers_test.go Outdated
}

// expectEmptyRegistry verifies that no non-catalog repos have tags remaining after a delete operation.
// expectOnlySignatureTagsRemain verifies that no non-catalog repos have tags remaining after a delete operation.

Suggested change
// expectOnlySignatureTagsRemain verifies that no non-catalog repos have tags remaining after a delete operation.
// expectOnlySignatureTagsRemain verifies that after delete, only signature tags (.sig) and catalog tags remain in the registry.
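The follow-up checks listed in the review above (verification against the public key, behaviour with a corrupted signature, and a mix of signed and unsigned images) can be exercised against an in-memory model of a mirrored repository without a registry. The following is an added example written for this page, not code from oc-mirror or from the PR. It assumes cosign's default key-based layout: the signature manifest lives under the tag `sha256-<digest>.sig` in the image's own repository, the signed payload is the simple-signing JSON, and the signature is ECDSA P-256 over SHA-256 of that payload, DER-encoded and base64 in the `dev.cosignproject.cosign/signature` annotation. The key pair, the `app:v1`..`app:v3` tags, their digests and the `registry.example/app` reference are all constructed here; a real test would read `testdata/keys/cosign.pub` into `parseCosignPub` and take the payload and annotation from the mirrored signature manifest.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"encoding/json"
	"encoding/pem"
	"errors"
	"fmt"
	"strings"
)

// simpleSigning is the payload cosign signs; the digest under "critical" binds it to one manifest.
type simpleSigning struct {
	Critical struct {
		Identity struct{ DockerReference string `json:"docker-reference"` }           `json:"identity"`
		Image    struct{ DockerManifestDigest string `json:"docker-manifest-digest"` } `json:"image"`
		Type     string                                                             `json:"type"`
	} `json:"critical"`
}

// sigEntry is what a test needs from a signature manifest: the payload layer and the
// base64 signature from the layer annotation dev.cosignproject.cosign/signature.
type sigEntry struct {
	Payload   []byte
	Signature string
}

// must panics on error; used only while constructing the fixture.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// sigTagForDigest turns "sha256:<hex>" into cosign's signature tag "sha256-<hex>.sig".
func sigTagForDigest(digest string) (string, error) {
	algo, h, ok := strings.Cut(digest, ":")
	if !ok || algo != "sha256" || len(h) != 64 {
		return "", fmt.Errorf("not a sha256 digest: %q", digest)
	}
	return algo + "-" + h + ".sig", nil
}

// parseCosignPub reads the PEM "PUBLIC KEY" block that cosign generate-key-pair writes to cosign.pub.
func parseCosignPub(pemBytes []byte) (*ecdsa.PublicKey, error) {
	block, _ := pem.Decode(pemBytes)
	if block == nil {
		return nil, errors.New("no PEM block in cosign.pub")
	}
	key, err := x509.ParsePKIXPublicKey(block.Bytes)
	if pub, ok := key.(*ecdsa.PublicKey); ok && err == nil {
		return pub, nil
	}
	return nil, fmt.Errorf("cosign.pub is not an ECDSA public key: %v", err)
}

// signPayload mirrors cosign's default key signing: ECDSA P-256 over SHA-256(payload), DER, base64.
func signPayload(priv *ecdsa.PrivateKey, payload []byte) (string, error) {
	sum := sha256.Sum256(payload)
	der, err := ecdsa.SignASN1(rand.Reader, priv, sum[:])
	return base64.StdEncoding.EncodeToString(der), err
}

// verifyEntry checks the signature under pub and that the payload names the image's real
// digest, so a valid signature transplanted from another image is still rejected.
func verifyEntry(pub *ecdsa.PublicKey, e sigEntry, digest string) error {
	der, err := base64.StdEncoding.DecodeString(e.Signature)
	sum := sha256.Sum256(e.Payload)
	if err != nil || !ecdsa.VerifyASN1(pub, sum[:], der) {
		return errors.New("ECDSA signature does not verify")
	}
	var p simpleSigning
	if err := json.Unmarshal(e.Payload, &p); err != nil {
		return err
	}
	if p.Critical.Image.DockerManifestDigest != digest {
		return fmt.Errorf("payload covers %s, not %s", p.Critical.Image.DockerManifestDigest, digest)
	}
	return nil
}

// checkSignatures classifies each image (tag -> digest) in a mirrored repository
// (tag -> signature entry) as "verified", "unsigned" or "invalid".
func checkSignatures(pub *ecdsa.PublicKey, repo map[string]sigEntry, images map[string]string) map[string]string {
	out := make(map[string]string, len(images))
	for tag, digest := range images {
		sigTag, err := sigTagForDigest(digest)
		e, ok := repo[sigTag]
		switch {
		case err != nil, ok && verifyEntry(pub, e, digest) != nil:
			out[tag] = "invalid"
		case !ok:
			out[tag] = "unsigned"
		default:
			out[tag] = "verified"
		}
	}
	return out
}

// buildScenario constructs the mixed fixture: app:v1 signed and intact, app:v2 signed then
// tampered, app:v3 never signed. The key pair stands in for testdata/keys/cosign.{key,pub}
// and the digests are made up, not taken from real manifests.
func buildScenario() (*ecdsa.PublicKey, map[string]sigEntry, map[string]string) {
	priv := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	pubDER := must(x509.MarshalPKIXPublicKey(&priv.PublicKey))
	pub := must(parseCosignPub(pem.EncodeToMemory(&pem.Block{Type: "PUBLIC KEY", Bytes: pubDER})))
	fake := func(n string) string { return "sha256:" + strings.Repeat(n, 64) }
	images := map[string]string{"app:v1": fake("1"), "app:v2": fake("2"), "app:v3": fake("3")}
	repo := map[string]sigEntry{}
	for _, tag := range []string{"app:v1", "app:v2"} {
		var p simpleSigning
		p.Critical.Identity.DockerReference = "registry.example/app" // constructed reference
		p.Critical.Image.DockerManifestDigest = images[tag]
		p.Critical.Type = "cosign container image signature"
		payload := must(json.Marshal(p))
		repo[must(sigTagForDigest(images[tag]))] = sigEntry{Payload: payload, Signature: must(signPayload(priv, payload))}
	}
	// Tamper with v2 after signing: one extra byte changes the hash, the signature does not.
	v2 := must(sigTagForDigest(images["app:v2"]))
	repo[v2] = sigEntry{Payload: append(repo[v2].Payload, ' '), Signature: repo[v2].Signature}
	return pub, repo, images
}

func main() {
	pub, repo, images := buildScenario()
	for tag, status := range checkSignatures(pub, repo, images) {
		fmt.Printf("%s: %s\n", tag, status)
	}
}
```

The digest comparison in verifyEntry is the part an existence-only check misses: a `.sig` tag can be present and carry a perfectly valid signature that was produced for a different manifest, so the payload's `docker-manifest-digest` has to be compared with the digest the mirrored image actually has, not just the signature bytes checked.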

@openshift-ci

openshift-ci Bot commented Jun 23, 2026

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: adolfo-ab, aguidirh

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci openshift-ci Bot added the approved label (indicates a PR has been approved by an approver from all required OWNERS files) Jun 23, 2026
@adolfo-ab adolfo-ab changed the title CLID-627: Add test to check signature preservation CLID-627: Add test to check signature mirroring and deletion Jun 26, 2026
@openshift-ci

openshift-ci Bot commented Jun 26, 2026

@adolfo-ab: all tests passed!

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

Labels

  • approved: Indicates a PR has been approved by an approver from all required OWNERS files.
  • jira/valid-reference: Indicates that this PR references a valid Jira ticket of any type.

3 participants