promotion-quay: use QCI digest pullspecs for *-quay oc tag sources

[deepsm007]

promotion-quay tags *-quay ImageStreams using quay-proxy.ci.openshift.org/openshift/ci@sha256:... (same digest as the build). (https://redhat.atlassian.net/browse/DPTP-4340)

/cc @jupierce @openshift/test-platform

[openshift-ci-robot]

Pipeline controller notification
This repo is configured to use the pipeline controller. Second-stage tests will be triggered either automatically or after lgtm label is added, depending on the repository configuration. The pipeline controller will automatically detect which contexts are required and will utilize /test Prow commands to trigger the second stage.

For optional jobs, comment /test ? to see a list of all defined jobs. To trigger manually all jobs from second stage use /pipeline required command.

This repository is configured in: automatic mode

[coderabbitai]

Important

Review skipped

Auto reviews are limited based on label configuration.

🚫 Review skipped — only excluded labels are configured. (1)

• do-not-merge/work-in-progress

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 2a200344-18e8-47f0-8801-d3708a4a1649

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

• 🔍 Trigger review

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

• @coderabbitai resume to resume automatic reviews.
• @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

• ▶️ Resume reviews
• 🔍 Trigger review

Walkthrough

Detects sha256 digests in pipeline image sources and constructs quay-proxy digest-pinned pullspecs. Promotion logic and mirror mapping now prefer those digest-based quay-proxy references; when no digest is present the original tag-based source is used. Tests and promotion fixtures updated accordingly.

Changes

Cohort / File(s)	Summary
Core implementation pkg/api/promotion.go	Added unexported quayProxyDigestPullSpecFromPipelineSource(pipelineSource string) (string, bool) to extract @sha256: digests and build quay-proxy pullspecs. Changed QuayCombinedMirrorFunc to initially map proxy targets to the raw source and only replace with digest-based quay-proxy pullspec when a digest is found.
API tests pkg/api/promotion_test.go	Updated TestQuayCombinedMirrorFunc expectations to use digest-pinned quay-proxy targets for digest-bearing sources and added a tag-only pipeline source case to ensure tag-only inputs remain tag-based.
Promotion logic & CLI generation pkg/steps/release/promote.go	Added quayResolveQciPullspecBash() to produce a shell helper that resolves QCI pullspecs to digest form via oc image info, and getQuayTagCommandWithResolveBody() to generate tag commands that resolve sources before oc tag. Integrated these into the quay promotion flow (all-together and per-tag fallbacks).
Promotion unit tests pkg/steps/release/promote_test.go	Added tests validating the resolve helper body and the generated tag-command bodies (single, multi, empty cases). Updated fixture expectations to use quay-proxy digest-pinned destination references where applicable.
Promotion YAML fixtures pkg/steps/release/testdata/zz_fixture_TestGetPromotionPod_promotion_quay.yaml, pkg/steps/release/testdata/zz_fixture_TestGetPromotionPod_promotion_quay_multiple_tags.yaml	Rewrote inline shell tag logic to add a resolve_qci_pullspec() helper that normalizes inputs to quay-proxy.../openshift/ci@sha256:<digest> (pass-through for digest inputs or resolved via oc image info), and updated oc tag invocations to use resolved digest pullspecs while preserving retry/backoff semantics.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[openshift-ci-robot]

Scheduling tests matching the pipeline_run_if_changed or not excluded by pipeline_skip_if_only_changed parameters:
/test e2e

[openshift-ci-robot]

Tests from second stage were triggered manually. Pipeline can be controlled only manually, until HEAD changes. Use command to trigger second stage.

[openshift-ci-robot]

/retest-required

Remaining retests: 0 against base HEAD 1a82e4a and 2 for PR HEAD b77e499 in total

[coderabbitai]

🧹 Nitpick comments (1)

pkg/steps/release/testdata/zz_fixture_TestGetPromotionPod_promotion_quay_multiple_tags.yaml (1)

29-55: Add one tag-only source fixture for the resolver branch.

Every source passed to resolve_qci_pullspec() here is already digest-pinned, so the branch that has to resolve a raw tag via oc image info is still untested. The new unit case in pkg/api/promotion_test.go covers the map-level fallback, but the promotion-pod path for tag-only sources would benefit from one fixture too.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In
`@pkg/steps/release/testdata/zz_fixture_TestGetPromotionPod_promotion_quay_multiple_tags.yaml`
around lines 29 - 55, The test fixture only uses digest-pinned sources so the
resolver code path that handles tag-only images (which triggers
resolve_qci_pullspec -> oc image info) isn't exercised; update the fixture in
zz_fixture_TestGetPromotionPod_promotion_quay_multiple_tags.yaml to add one
source entry that is a tag (e.g.,
quay-proxy.ci.openshift.org/openshift/ci:some-tag) instead of an `@sha256` digest
so the promotion-pod path and resolve_qci_pullspec behavior for tag resolution
are covered; specifically, modify the block that calls resolve_qci_pullspec (the
occurrences of resolve_qci_pullspec in the fixture) to include at least one
pullspec without a sha256 digest to force the tag-resolution branch to run
during the test.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Nitpick comments:
In
`@pkg/steps/release/testdata/zz_fixture_TestGetPromotionPod_promotion_quay_multiple_tags.yaml`:
- Around line 29-55: The test fixture only uses digest-pinned sources so the
resolver code path that handles tag-only images (which triggers
resolve_qci_pullspec -> oc image info) isn't exercised; update the fixture in
zz_fixture_TestGetPromotionPod_promotion_quay_multiple_tags.yaml to add one
source entry that is a tag (e.g.,
quay-proxy.ci.openshift.org/openshift/ci:some-tag) instead of an `@sha256` digest
so the promotion-pod path and resolve_qci_pullspec behavior for tag resolution
are covered; specifically, modify the block that calls resolve_qci_pullspec (the
occurrences of resolve_qci_pullspec in the fixture) to include at least one
pullspec without a sha256 digest to force the tag-resolution branch to run
during the test.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 55c41d49-e7d6-47ee-ac90-3e32e360880c

📥 Commits

Reviewing files that changed from the base of the PR and between b77e499 and 0a2fc90.

📒 Files selected for processing (6)

• pkg/api/promotion.go
• pkg/api/promotion_test.go
• pkg/steps/release/promote.go
• pkg/steps/release/promote_test.go
• pkg/steps/release/testdata/zz_fixture_TestGetPromotionPod_promotion_quay.yaml
• pkg/steps/release/testdata/zz_fixture_TestGetPromotionPod_promotion_quay_multiple_tags.yaml

✅ Files skipped from review due to trivial changes (1)

• pkg/steps/release/promote.go

🚧 Files skipped from review as they are similar to previous changes (2)

• pkg/steps/release/promote_test.go
• pkg/steps/release/testdata/zz_fixture_TestGetPromotionPod_promotion_quay.yaml

[hector-vido]

/lgtm

[openshift-ci-robot]

Scheduling tests matching the pipeline_run_if_changed or not excluded by pipeline_skip_if_only_changed parameters:
/test e2e

[openshift-ci-robot]

Tests from second stage were triggered manually. Pipeline can be controlled only manually, until HEAD changes. Use command to trigger second stage.

[openshift-ci-robot]

Tests from second stage were triggered manually. Pipeline can be controlled only manually, until HEAD changes. Use command to trigger second stage.

[openshift-ci-robot]

/retest-required

Remaining retests: 0 against base HEAD 7043768 and 2 for PR HEAD 0a2fc90 in total

[openshift-ci-robot]

/retest-required

Remaining retests: 0 against base HEAD ced59e4 and 1 for PR HEAD 0a2fc90 in total

[openshift-ci-robot]

Tests from second stage were triggered manually. Pipeline can be controlled only manually, until HEAD changes. Use command to trigger second stage.

[deepsm007]

/hold

[openshift-ci-robot]

Scheduling tests matching the pipeline_run_if_changed or not excluded by pipeline_skip_if_only_changed parameters:
/test e2e

[openshift-ci-robot]

Tests from second stage were triggered manually. Pipeline can be controlled only manually, until HEAD changes. Use command to trigger second stage.

[openshift-ci-robot]

Tests from second stage were triggered manually. Pipeline can be controlled only manually, until HEAD changes. Use command to trigger second stage.

[openshift-ci-robot]

Tests from second stage were triggered manually. Pipeline can be controlled only manually, until HEAD changes. Use command to trigger second stage.

[deepsm007]

/unhold

[jupierce]

/lgtm

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: deepsm007, hector-vido, jupierce, Prucek

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS [Prucek,deepsm007,hector-vido]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[openshift-ci-robot]

Tests from second stage were triggered manually. Pipeline can be controlled only manually, until HEAD changes. Use command to trigger second stage.

[openshift-ci]

@deepsm007: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/breaking-changes	a652ea6	link	false	/test breaking-changes

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.