fix(release): quay promotion in Go

[deepsm007]

/hold
/cc @danilo-gemoli

Move [promotion-quay] to a ConfigMap-mounted shell script pod (same mirror/tag logic as today), keep [promotion] unchanged, and skip promoting images that build_if_affected didn't build.

This updates the release promotion step so [promotion-quay] now runs as a Go-based implementation instead of the old bash-based pod, while keeping the same promotion routing and Quay-specific behavior separate from the standard [promotion] flow.

For CI users, the practical effect is that promotion jobs now build the right set of images more intelligently: optional tool images can be skipped when build_if_affected is enabled, but required images still force promotion. The Quay promotion path is also isolated into its own execution and pod/script generation, which simplifies the generic promotion pod and removes the old Quay shell logic from the default path.

The tests and fixtures were updated to cover the new Go Quay promotion pod/script generation, the skipped-image behavior, and the revised promotion pod outputs. Several old Quay promotion YAML fixtures were removed and replaced with new ones matching the Go implementation.

[openshift-merge-bot]

Pipeline controller notification
This repo is configured to use the pipeline controller. Second-stage tests will be triggered either automatically or after lgtm label is added, depending on the repository configuration. The pipeline controller will automatically detect which contexts are required and will utilize /test Prow commands to trigger the second stage.

For optional jobs, comment /test ? to see a list of all defined jobs. To trigger manually all jobs from second stage use /pipeline required command.

This repository is configured in: automatic mode

[coderabbitai]

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

• @coderabbitai resume to resume automatic reviews.
• @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

• ▶️ Resume reviews
• 🔍 Trigger review

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: dcda7ad8-fa8f-48e2-99d9-fa4aa437da38

📥 Commits

Reviewing files that changed from the base of the PR and between cf9d400 and d1b0457.

📒 Files selected for processing (12)

• pkg/defaults/defaults.go
• pkg/steps/release/promote.go
• pkg/steps/release/promote_test.go
• pkg/steps/release/testdata/zz_fixture_TestGetPromotionPod_promotion_quay.yaml
• pkg/steps/release/testdata/zz_fixture_TestGetPromotionPod_promotion_quay_4.12.yaml
• pkg/steps/release/testdata/zz_fixture_TestGetPromotionPod_promotion_quay_multiple_tags.yaml
• pkg/steps/release/testdata/zz_fixture_TestGetPromotionPod_promotion_quay_non_release_namespace.yaml
• pkg/steps/release/testdata/zz_fixture_TestGetQuayPromotionPod.yaml
• pkg/steps/release/testdata/zz_fixture_TestGetQuayPromotionShell_promotion_quay.yaml
• pkg/steps/release/testdata/zz_fixture_TestGetQuayPromotionShell_promotion_quay_4.12.yaml
• pkg/steps/release/testdata/zz_fixture_TestGetQuayPromotionShell_promotion_quay_multiple_tags.yaml
• pkg/steps/release/testdata/zz_fixture_TestGetQuayPromotionShell_promotion_quay_non_release_namespace.yaml

🔗 Linked repositories identified

CodeRabbit considers these linked repositories for cross-repo context during reviews:

• openshift/release (manual)
• openshift/ci-docs (manual)
• openshift/release-controller (manual)
• openshift/ci-chat-bot (manual)

💤 Files with no reviewable changes (4)

• pkg/steps/release/testdata/zz_fixture_TestGetPromotionPod_promotion_quay_non_release_namespace.yaml
• pkg/steps/release/testdata/zz_fixture_TestGetPromotionPod_promotion_quay.yaml
• pkg/steps/release/testdata/zz_fixture_TestGetPromotionPod_promotion_quay_multiple_tags.yaml
• pkg/steps/release/testdata/zz_fixture_TestGetPromotionPod_promotion_quay_4.12.yaml

✅ Files skipped from review due to trivial changes (1)

• pkg/steps/release/testdata/zz_fixture_TestGetQuayPromotionPod.yaml

🚧 Files skipped from review as they are similar to previous changes (6)

• pkg/defaults/defaults.go
• pkg/steps/release/testdata/zz_fixture_TestGetQuayPromotionShell_promotion_quay.yaml
• pkg/steps/release/testdata/zz_fixture_TestGetQuayPromotionShell_promotion_quay_4.12.yaml
• pkg/steps/release/promote.go
• pkg/steps/release/testdata/zz_fixture_TestGetQuayPromotionShell_promotion_quay_non_release_namespace.yaml
• pkg/steps/release/testdata/zz_fixture_TestGetQuayPromotionShell_promotion_quay_multiple_tags.yaml

---

📝 Walkthrough

Walkthrough

Promotion registration now skips the default step for consolidated Quay promotion, adds skipped-image filtering to promoted tag selection, and routes Quay promotion through a dedicated script-backed pod path. Tests and fixtures were updated for the new Quay shell and pod outputs.

Changes

Promotion step gating, skipped-image filtering, and Quay split

Layer / File(s)	Summary
Default step gating and skipped-image contract pkg/defaults/defaults.go, pkg/steps/release/promote.go, pkg/steps/release/promote_test.go	Adds skipped-image plumbing through promotionStep, PromotedTagsOptions, WithSkippedImages, PromotedTagsWithRequiredImages, and PromotionStep; toPromote now excludes skipped tags unless they are required. Default promotion step registration is disabled when consolidated Quay promotion is enabled.
Quay promotion runtime pkg/steps/release/promote.go	Routes Quay promotion to runQuayPromotion, adds Quay script/configmap generation, refactors generic pod construction, and updates heredoc quoting in the tag loop.
Tests and fixtures pkg/steps/release/promote_test.go, pkg/steps/release/testdata/*quay*, pkg/steps/release/testdata/zz_fixture_TestGetPromotionPod_promotion_quay*	Updates promotion tests for skipped images and Quay target naming, removes old Quay pod fixtures, and adds new Quay shell/pod fixtures and coverage.

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~60 minutes

Possibly related PRs

• openshift/ci-tools#4866: Modifies the same Quay promotion wiring and Quay-specific promotion behavior in pkg/defaults/defaults.go and pkg/steps/release/promote.go.

🚥 Pre-merge checks | ✅ 15 | ❌ 2

❌ Failed checks (2 warnings)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 16.07% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.
Test Coverage For New Features	⚠️ Warning	Helper coverage is good, but the new runQuayPromotion orchestration path has no direct unit test.	Add a unit test for promotionStep.run/runQuayPromotion that verifies ConfigMap creation, pod launch, and cleanup for [promotion-quay].

✅ Passed checks (15 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title matches the main change: moving quay promotion logic into Go for the release path.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Go Error Handling	✅ Passed	New paths wrap errors with %w, guard nils before deref, and only log cleanup/delete failures; no panic or bare ignored error found.
Stable And Deterministic Test Names	✅ Passed	New test names are static literals; none include generated, date-based, namespace, node, or other run-varying data.
Test Structure And Quality	✅ Passed	PASS: The changed tests are pure unit/snapshot tests with focused scope; they don’t create cluster resources or use waits, and key assertions include clear failure messages.
Microshift Test Compatibility	✅ Passed	PASS: The added tests are plain Go unit tests (Test...), with no Ginkgo It/Describe/Context/When usage and no MicroShift-unsupported APIs or namespaces.
Single Node Openshift (Sno) Test Compatibility	✅ Passed	No new Ginkgo e2e tests were added; the changed tests are plain testing unit tests and contain no multi-node or SNO-unsafe assumptions.
Topology-Aware Scheduling Compatibility	✅ Passed	PASS: The new promotion pod uses only kubernetes.io/arch selectors and no anti-affinity, spread constraints, PDBs, or control-plane/worker targeting.
Ote Binary Stdout Contract	✅ Passed	Touched code is library/test-only; no init/TestMain/main setup or stdout-printing calls were added in the changed files.
Ipv6 And Disconnected Network Test Compatibility	✅ Passed	PASS: The added tests are plain Go unit tests (testing.T) with no Ginkgo specs or runtime network calls; quay.io strings appear only in fixtures/assertions.
No-Weak-Crypto	✅ Passed	No MD5/SHA1/DES/RC4/3DES/Blowfish/ECB, custom crypto, or secret/token comparisons were introduced; only sha256 digests and non-secret tag/string logic appear.
Container-Privileges	✅ Passed	The new Quay pod/ConfigMap fixtures and pod builder add no privileged, hostPID/Network/IPC, allowPrivilegeEscalation, or SYS_ADMIN settings.
No-Sensitive-Data-In-Logs	✅ Passed	New logs only report promotion attempts and tag names; no passwords, tokens, PII, or other secret values are emitted.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

_{Comment @coderabbitai help to get the list of available commands.}

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (2)

pkg/steps/release/quay_promotion.go (2)

574-586: 💤 Low value

String-based JSON parsing is fragile.

parseImageInfoDigest uses substring matching rather than json.Unmarshal. This works for simple cases but could break if the JSON contains escaped quotes within the digest value (unlikely but possible) or if the output format changes.

Consider using proper JSON unmarshaling for robustness:

Alternative implementation

func parseImageInfoDigest(output string) (string, bool) {
	var info struct {
		Digest string `json:"digest"`
	}
	if err := json.Unmarshal([]byte(output), &info); err != nil || info.Digest == "" {
		return "", false
	}
	return info.Digest, true
}

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@pkg/steps/release/quay_promotion.go` around lines 574 - 586, The
parseImageInfoDigest function uses fragile string-based JSON parsing with
substring matching (looking for the prefix "digest":" and finding the closing
quote) which can break if the JSON contains escaped quotes within the digest
value or if the output format changes. Replace this with proper JSON
unmarshaling by defining a struct with a Digest field tagged with json:"digest",
then use json.Unmarshal to parse the output string into this struct, returning
the Digest field value and a bool indicating success (checking both for
unmarshal errors and empty digest values).

---

485-494: ⚖️ Poor tradeoff

Missing resource limits and security context on container.

Per coding guidelines, Kubernetes containers should have resource limits (cpu, memory) and security hardening (runAsNonRoot, readOnlyRootFilesystem: false since KUBECACHEDIR writes to /tmp, allowPrivilegeEscalation: false). This pod runs in CI namespaces but should still follow best practices.

Suggested addition

Containers: []coreapi.Container{{
    Name:    quayPromotionContainer,
    Image:   cliImage,
    Command: []string{"sleep", fmt.Sprintf("%d", quayPromotionPodSleepSec)},
    Env: []coreapi.EnvVar{
        {Name: "KUBECONFIG", Value: promotionPodKubeconfigPath},
        {Name: "KUBECACHEDIR", Value: "/tmp/.kube/cache"},
    },
    Resources: coreapi.ResourceRequirements{
        Requests: coreapi.ResourceList{
            coreapi.ResourceCPU:    resource.MustParse("100m"),
            coreapi.ResourceMemory: resource.MustParse("256Mi"),
        },
        Limits: coreapi.ResourceList{
            coreapi.ResourceCPU:    resource.MustParse("500m"),
            coreapi.ResourceMemory: resource.MustParse("512Mi"),
        },
    },
    SecurityContext: &coreapi.SecurityContext{
        AllowPrivilegeEscalation: ptr.To(false),
        RunAsNonRoot:             ptr.To(true),
        Capabilities:             &coreapi.Capabilities{Drop: []coreapi.Capability{"ALL"}},
    },
    VolumeMounts: mounts,
}},

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@pkg/steps/release/quay_promotion.go` around lines 485 - 494, Add resource
limits and security hardening to the quayPromotionContainer in the Containers
array. Add a Resources field with cpu and memory requests (100m cpu, 256Mi
memory) and limits (500m cpu, 512Mi memory), and add a SecurityContext field
configured with AllowPrivilegeEscalation set to false, RunAsNonRoot set to true,
and Capabilities with all capabilities dropped. These additions follow
Kubernetes best practices for pod security and resource management.

Source: Coding guidelines

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@pkg/steps/release/quay_promotion.go`:
- Around line 273-276: The resolveAndTag method in quayPromotionRunner has a
potential panic because strings.LastIndex returns -1 when the colon substring is
not found in quayProxyTag, and using -1 as a slice bound causes a bounds panic.
Add a defensive check after the strings.LastIndex call to verify the returned
index is not -1; if it is, return an error indicating that quayProxyTag is
malformed (missing the expected colon separator). This ensures invalid input
cannot cause the function to panic.

---

Nitpick comments:
In `@pkg/steps/release/quay_promotion.go`:
- Around line 574-586: The parseImageInfoDigest function uses fragile
string-based JSON parsing with substring matching (looking for the prefix
"digest":" and finding the closing quote) which can break if the JSON contains
escaped quotes within the digest value or if the output format changes. Replace
this with proper JSON unmarshaling by defining a struct with a Digest field
tagged with json:"digest", then use json.Unmarshal to parse the output string
into this struct, returning the Digest field value and a bool indicating success
(checking both for unmarshal errors and empty digest values).
- Around line 485-494: Add resource limits and security hardening to the
quayPromotionContainer in the Containers array. Add a Resources field with cpu
and memory requests (100m cpu, 256Mi memory) and limits (500m cpu, 512Mi
memory), and add a SecurityContext field configured with
AllowPrivilegeEscalation set to false, RunAsNonRoot set to true, and
Capabilities with all capabilities dropped. These additions follow Kubernetes
best practices for pod security and resource management.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: e6aaa0e5-336f-4f00-bab0-1449d7acd2b8

📥 Commits

Reviewing files that changed from the base of the PR and between 4220cce and 6b84945.

📒 Files selected for processing (10)

• pkg/defaults/defaults.go
• pkg/steps/release/promote.go
• pkg/steps/release/promote_test.go
• pkg/steps/release/quay_promote_test.go
• pkg/steps/release/quay_promotion.go
• pkg/steps/release/testdata/zz_fixture_TestGetPromotionPod_promotion_quay.yaml
• pkg/steps/release/testdata/zz_fixture_TestGetPromotionPod_promotion_quay_4.12.yaml
• pkg/steps/release/testdata/zz_fixture_TestGetPromotionPod_promotion_quay_multiple_tags.yaml
• pkg/steps/release/testdata/zz_fixture_TestGetPromotionPod_promotion_quay_non_release_namespace.yaml
• pkg/steps/release/testdata/zz_fixture_TestQuayPromotionPod.yaml

🔗 Linked repositories identified

CodeRabbit considers these linked repositories for cross-repo context during reviews:

• openshift/release (manual)
• openshift/ci-docs (manual)
• openshift/release-controller (manual)
• openshift/ci-chat-bot (manual)

💤 Files with no reviewable changes (4)

• pkg/steps/release/testdata/zz_fixture_TestGetPromotionPod_promotion_quay_4.12.yaml
• pkg/steps/release/testdata/zz_fixture_TestGetPromotionPod_promotion_quay_non_release_namespace.yaml
• pkg/steps/release/testdata/zz_fixture_TestGetPromotionPod_promotion_quay.yaml
• pkg/steps/release/testdata/zz_fixture_TestGetPromotionPod_promotion_quay_multiple_tags.yaml

[deepsm007]

/test e2e

[deepsm007]

/test all

[deepsm007]

/override ci/prow/e2e

[openshift-ci]

@deepsm007: Overrode contexts on behalf of deepsm007: ci/prow/e2e

Details

In response to this:

/override ci/prow/e2e

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[deepsm007]

/test integration

[openshift-merge-bot]

Tests from second stage were triggered manually. Pipeline can be controlled only manually, until HEAD changes. Use command to trigger second stage.

[deepsm007]

/assign @danilo-gemoli

[coderabbitai]

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@pkg/steps/release/promote.go`:
- Around line 412-415: The deferred ConfigMap cleanup in promote.go reuses the
run context, so if RunPod cancels or times out, s.client.Delete may never
complete and the ConfigMap can leak. Update the deferred cleanup to use a
detached short-lived background context for the Delete call, while keeping the
existing logging with configMap.Name and the error handling in place.
- Around line 467-468: The tag-loop generation in
getTagLoopCommand/tagRetryShell is letting shell expansion alter template
destinations containing ${component}. Update the generated shell content so
those tag strings are emitted literally, either by quoting the heredoc delimiter
in the tag-loop helper or escaping $ in the entries before appending them in
promote.go. Make sure the tags passed through the len(tags) > 0 path remain
unchanged when /bin/sh runs newPromotionPod.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 9fec487f-1441-4738-a279-25629e2f6cbd

📥 Commits

Reviewing files that changed from the base of the PR and between 72c356f and cf9d400.

📒 Files selected for processing (12)

• pkg/defaults/defaults.go
• pkg/steps/release/promote.go
• pkg/steps/release/promote_test.go
• pkg/steps/release/testdata/zz_fixture_TestGetPromotionPod_promotion_quay.yaml
• pkg/steps/release/testdata/zz_fixture_TestGetPromotionPod_promotion_quay_4.12.yaml
• pkg/steps/release/testdata/zz_fixture_TestGetPromotionPod_promotion_quay_multiple_tags.yaml
• pkg/steps/release/testdata/zz_fixture_TestGetPromotionPod_promotion_quay_non_release_namespace.yaml
• pkg/steps/release/testdata/zz_fixture_TestGetQuayPromotionPod.yaml
• pkg/steps/release/testdata/zz_fixture_TestGetQuayPromotionShell_promotion_quay.yaml
• pkg/steps/release/testdata/zz_fixture_TestGetQuayPromotionShell_promotion_quay_4.12.yaml
• pkg/steps/release/testdata/zz_fixture_TestGetQuayPromotionShell_promotion_quay_multiple_tags.yaml
• pkg/steps/release/testdata/zz_fixture_TestGetQuayPromotionShell_promotion_quay_non_release_namespace.yaml

🔗 Linked repositories identified

CodeRabbit considers these linked repositories for cross-repo context during reviews:

• openshift/release (manual)
• openshift/ci-docs (manual)
• openshift/release-controller (manual)
• openshift/ci-chat-bot (manual)

💤 Files with no reviewable changes (4)

• pkg/steps/release/testdata/zz_fixture_TestGetPromotionPod_promotion_quay_non_release_namespace.yaml
• pkg/steps/release/testdata/zz_fixture_TestGetPromotionPod_promotion_quay_multiple_tags.yaml
• pkg/steps/release/testdata/zz_fixture_TestGetPromotionPod_promotion_quay_4.12.yaml
• pkg/steps/release/testdata/zz_fixture_TestGetPromotionPod_promotion_quay.yaml

✅ Files skipped from review due to trivial changes (1)

• pkg/steps/release/testdata/zz_fixture_TestGetQuayPromotionPod.yaml

🚧 Files skipped from review as they are similar to previous changes (1)

• pkg/defaults/defaults.go

[deepsm007]

/test e2e
/override ci/prow/integration

[deepsm007]

/override ci/prow/images

[openshift-ci]

@deepsm007: Overrode contexts on behalf of deepsm007: ci/prow/integration

Details

In response to this:

/test e2e
/override ci/prow/integration

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[openshift-merge-bot]

Tests from second stage were triggered manually. Pipeline can be controlled only manually, until HEAD changes. Use command to trigger second stage.

[openshift-ci]

@deepsm007: Overrode contexts on behalf of deepsm007: ci/prow/images

Details

In response to this:

/override ci/prow/images

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[openshift-merge-bot]

Tests from second stage were triggered manually. Pipeline can be controlled only manually, until HEAD changes. Use command to trigger second stage.

[deepsm007]

/retest

[deepsm007]

/test e2e

[deepsm007]

/unhold

[danilo-gemoli]

/lgtm

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: danilo-gemoli, deepsm007

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS [danilo-gemoli,deepsm007]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[deepsm007]

/override ci/prow/e2e

[openshift-ci]

@deepsm007: Overrode contexts on behalf of deepsm007: ci/prow/e2e

Details

In response to this:

/override ci/prow/e2e

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[openshift-ci]

@deepsm007: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.