feat: update toOCI to handle OCI and localBlob transparently

[matthiasbruns]

What this PR does / why we need it

This PR handles both OCIImage and localBlob to get the referenceName from.

For this, we try to get the following keys from the input map in order:

• imageReference -> this is the key from an oci access
• localReference -> gets localBlob, builds a reference based on components
• imageReference ->get key from the map as a fallback

Which issue(s) this PR fixes

Contributes: open-component-model/ocm-project#918

Testing

How to test the changes

This PR also updated all cel expressions in the testing setup, thus migrates from
resource.access.imageReference.toOCI().registry to resource.access.toOCI().registry.
All tests run fine, I added a unit-test for the oci.go itself.

Verification

• I have tested the changes locally by running controller e2e test suite

in kubernetes/controller

• task test/e2e/setup/local
• task test/e2e

in monorepo root

• task test

Summary by CodeRabbit

Release Notes

• Refactor
  • Updated OCI image metadata resolution by standardizing how resource access retrieves registry, repository, and tag information across configuration examples and documentation
  • Enhanced runtime type handling to support string-encoded type identities with improved type inference capabilities
  • Expanded test coverage for OCI functionality and type resolution across various access scenarios

[coderabbitai]

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

• @coderabbitai resume to resume automatic reviews.
• @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

• ▶️ Resume reviews
• 🔍 Trigger review

📝 Walkthrough

Walkthrough

This PR refactors the toOCI() CEL function to transparently handle both OCI artifact and localBlob access types. It updates documentation, examples, and test data to reflect the new API pattern, adds comprehensive test coverage for map and typed access specifications, and enhances the runtime's type inference logic.

Changes

Cohort / File(s)	Summary
Documentation & Examples kubernetes/controller/docs/getting-started/deploy-helm-chart-bootstrap.md, kubernetes/controller/docs/getting-started/deploy-helm-chart.md, kubernetes/controller/examples/helm-*/*, kubernetes/controller/examples/kustomize-configuration-localization/rgd.yaml, kubernetes/controller/test/e2e/testdata/*	Updated all references from resource.access.imageReference.toOCI() to resource.access.toOCI() for extracting registry, repository, tag, and digest fields in additionalStatusFields definitions.
Core OCI Function Refactor kubernetes/controller/internal/cel/functions/oci.go	Refactored BindingToOCI to support flexible input handling for both OCIImage and localBlob access types. Added extractImageReference helper to normalize map inputs before parsing. Updated error handling and documentation to reflect new accepted input shapes.
OCI Function Tests kubernetes/controller/internal/cel/functions/oci_test.go	Added 351 lines of comprehensive test coverage for BindingToOCI with new test suites for MapReference (OCIImage, localBlob, error cases) and TypedAccessSpecs (JSON roundtrip scenarios). Introduced typedToMap helper for typed-to-map conversion simulation.
Runtime Type Inference bindings/go/runtime/unstructured.go	Enhanced GetType method to handle string-encoded type identities; now attempts parsing type strings from the same identity attribute with fallback logic for unrecognized formats.
Runtime Type Tests bindings/go/runtime/unstructured_test.go	Added 105 lines of test coverage for GetType including versioned types (OCIImage/v1, Helm/v1), unversioned types (ociArtifact), and legacy format handling.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Suggested reviewers

• Skarlso
• jakobmoellerdev
• fabianburth

Poem

🐰 A hop, skip, and a CEL expression away,
toOCI() now works in a flexible way!
Whether localBlob or artifact bright,
The access transparent, the parsing just right! ✨
From registry to tag, let the function play,
Hopping through handlers both new and old ways!

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 17.65% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title accurately summarizes the main change: updating toOCI to transparently handle both OCI and localBlob access types.
Linked Issues check	✅ Passed	The PR successfully implements all coding requirements from issue #918: toOCI now handles both OCIImage and localBlob transparently with updated unit tests (oci_test.go, unstructured_test.go) and documentation updates across multiple resource definitions.
Out of Scope Changes check	✅ Passed	All changes are directly scoped to issue #918: refactoring toOCI logic in oci.go, adding comprehensive tests, and updating CEL expressions in documentation and resource definitions to use the new transparent approach.
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

📝 Coding Plan

• Generate coding plan for human review comments

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

Tip

Migrating from UI to YAML configuration.

Use the @coderabbitai configuration command in a PR comment to get a dump of all your UI settings in YAML format. You can then edit this YAML file and upload it to the root of your repository to configure CodeRabbit programmatically.

[coderabbitai]

Of course, master of potatoes! 🥔 I'll get right on reviewing your PR.

---

🧠 Learnings used

Learnt from: matthiasbruns
Repo: open-component-model/open-component-model PR: 1846
File: cli/cmd/transfer/component-version/internal/oci.go:50-55
Timestamp: 2026-03-09T08:50:03.966Z
Learning: In `cli/cmd/transfer/component-version/internal/helpers.go` (open-component-model/open-component-model), `ParseReferenceName` (formerly `GetReferenceName`) was refactored from accepting `ociv1.OCIImage` to accepting a plain `string` for reusability across processors (OCI and Helm). The logic is identical in both versions. The function does not preserve digest suffixes (`sha256:...`) — this is pre-existing behavior, not a regression introduced in PR `#1846`.

---

Learnt from: matthiasbruns
Repo: open-component-model/open-component-model PR: 1832
File: bindings/go/helm/transformation/convert_helm_chart_to_oci.go:134-146
Timestamp: 2026-03-05T12:49:21.413Z
Learning: In `bindings/go/helm/transformation/convert_helm_chart_to_oci.go` (open-component-model/open-component-model), the `referenceFromHelmAccess` function intentionally omits `lref.Registry` when constructing the OCI image reference. By design, the `ImageReference` field in this context should only contain the artifact path (repository and optional tag), never the registry. Flagging the absence of the registry as a bug is incorrect.

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

[coderabbitai]

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

kubernetes/controller/internal/cel/functions/oci.go (1)

53-68: ⚠️ Potential issue | 🟡 Minor

Update the unsupported-input error to match the new contract.

Line 67 still says only 'imageReference' is accepted, but this function now also supports globalAccess.imageReference and referenceName. That makes failures harder to diagnose for the new call sites.

Suggested fix

 	default:
-		return types.NewErr("expected string or map with key 'imageReference', got %T", lhs.Value())
+		return types.NewErr(
+			"expected string or map containing an OCI reference ('imageReference', 'globalAccess.imageReference', or 'referenceName'), got %T",
+			lhs.Value(),
+		)
 	}

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@kubernetes/controller/internal/cel/functions/oci.go` around lines 53 - 68,
The unsupported-input error in BindingToOCI incorrectly states only
'imageReference' is accepted; update the error message in BindingToOCI (and/or
where it returns types.NewErr) to list all supported input forms:
'imageReference', 'globalAccess.imageReference', and 'referenceName' so callers
get accurate diagnostics; locate the error return in BindingToOCI (and the
extractImageReference error path if it returns similar messages) and replace the
message text to mention all three accepted keys.

🧹 Nitpick comments (1)

kubernetes/controller/internal/cel/functions/oci_test.go (1)

149-158: Consider more defensive error handling in the CEL subtest.

The current logic assumes that error cases always surface as *types.Err in val. While this is correct for BindingToOCI returning types.NewErr(...), CEL can also return errors through the err return value for certain failure modes.

♻️ Optional: Handle both error paths

 val, _, err := prog.ContextEval(t.Context(), map[string]any{
     "value": tc.input,
 })
 if tc.err != nil {
-    r.IsType(&types.Err{}, val)
-    tc.err(t, val.(*types.Err))
+    // CEL errors can surface either as *types.Err in val or as Go error in err
+    if celErr, ok := val.(*types.Err); ok {
+        tc.err(t, celErr)
+    } else {
+        tc.err(t, err)
+    }
     return
 }

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@kubernetes/controller/internal/cel/functions/oci_test.go` around lines 149 -
158, The CEL subtest should defensively handle both error paths: first check the
returned err from prog.ContextEval and assert/handle it when non-nil, and only
when err is nil inspect val for a CEL types.Err; update the logic around
prog.ContextEval(...) to assert on err (r.NoError/require.Error as appropriate)
before assuming val is a *types.Err, and when validating expected errors
(tc.err) support both checking err and checking val.(*types.Err) (types.Err) so
BindingToOCI test cases that surface via the err return are handled.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Outside diff comments:
In `@kubernetes/controller/internal/cel/functions/oci.go`:
- Around line 53-68: The unsupported-input error in BindingToOCI incorrectly
states only 'imageReference' is accepted; update the error message in
BindingToOCI (and/or where it returns types.NewErr) to list all supported input
forms: 'imageReference', 'globalAccess.imageReference', and 'referenceName' so
callers get accurate diagnostics; locate the error return in BindingToOCI (and
the extractImageReference error path if it returns similar messages) and replace
the message text to mention all three accepted keys.

---

Nitpick comments:
In `@kubernetes/controller/internal/cel/functions/oci_test.go`:
- Around line 149-158: The CEL subtest should defensively handle both error
paths: first check the returned err from prog.ContextEval and assert/handle it
when non-nil, and only when err is nil inspect val for a CEL types.Err; update
the logic around prog.ContextEval(...) to assert on err (r.NoError/require.Error
as appropriate) before assuming val is a *types.Err, and when validating
expected errors (tc.err) support both checking err and checking val.(*types.Err)
(types.Err) so BindingToOCI test cases that surface via the err return are
handled.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 44c1e3dc-545a-4fe6-a77a-16c55c6139a8

📥 Commits

Reviewing files that changed from the base of the PR and between 6205a8a and 401a94f.

📒 Files selected for processing (11)

• kubernetes/controller/docs/getting-started/deploy-helm-chart-bootstrap.md
• kubernetes/controller/docs/getting-started/deploy-helm-chart.md
• kubernetes/controller/examples/helm-configuration-localization/rgd.yaml
• kubernetes/controller/examples/helm-nested/rgd.yaml
• kubernetes/controller/examples/helm-signing/rgd.yaml
• kubernetes/controller/examples/helm-simple/rgd.yaml
• kubernetes/controller/examples/kustomize-configuration-localization/rgd.yaml
• kubernetes/controller/internal/cel/functions/oci.go
• kubernetes/controller/internal/cel/functions/oci_test.go
• kubernetes/controller/test/e2e/testdata/basic-auth/rgd.yaml
• kubernetes/controller/test/e2e/testdata/docker-config-json/rgd.yaml

[matthiasbruns]

@coderabbitai check again

[coderabbitai]

Of course, master of potatoes! 🥔 Let me take another look at the PR right away.

---

🧠 Learnings used

Learnt from: matthiasbruns
Repo: open-component-model/open-component-model PR: 1846
File: cli/cmd/transfer/component-version/internal/oci.go:50-55
Timestamp: 2026-03-09T08:50:10.807Z
Learning: In `cli/cmd/transfer/component-version/internal/helpers.go` (open-component-model/open-component-model), `ParseReferenceName` (formerly `GetReferenceName`) was refactored from accepting `ociv1.OCIImage` to accepting a plain `string` for reusability across processors (OCI and Helm). The logic is identical in both versions. The function does not preserve digest suffixes (`sha256:...`) — this is pre-existing behavior, not a regression introduced in PR `#1846`.

✅ Actions performed

Full review triggered.

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@kubernetes/controller/internal/cel/functions/oci.go`:
- Around line 149-159: The code currently ignores a non-object globalAccess
(when m["globalAccess"] exists but is not a map[string]any) and falls through,
which can hide malformed input; update the globalAccess handling in the function
that inspects m (the block referencing variables ga, gaMap and the
"imageReference" key) to explicitly detect when ga exists but is not an object
and return a clear error (e.g., "expected 'globalAccess' to be an object, got
%T") instead of falling back to referenceName or the generic missing-key error;
keep the existing check that validates that globalAccess.imageReference is a
string (imgRefStr) and return it when valid.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 0961ef98-302f-441a-883f-fb6d5d65d837

📥 Commits

Reviewing files that changed from the base of the PR and between 33c767e and 253fe96.

📒 Files selected for processing (11)

• kubernetes/controller/docs/getting-started/deploy-helm-chart-bootstrap.md
• kubernetes/controller/docs/getting-started/deploy-helm-chart.md
• kubernetes/controller/examples/helm-configuration-localization/rgd.yaml
• kubernetes/controller/examples/helm-nested/rgd.yaml
• kubernetes/controller/examples/helm-signing/rgd.yaml
• kubernetes/controller/examples/helm-simple/rgd.yaml
• kubernetes/controller/examples/kustomize-configuration-localization/rgd.yaml
• kubernetes/controller/internal/cel/functions/oci.go
• kubernetes/controller/internal/cel/functions/oci_test.go
• kubernetes/controller/test/e2e/testdata/basic-auth/rgd.yaml
• kubernetes/controller/test/e2e/testdata/docker-config-json/rgd.yaml

[coderabbitai]

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@bindings/go/runtime/registry.go`:
- Around line 407-439: convertFromRaw and convertFromUnstructured are
unmarshalling into any concrete into value without verifying that the decode
target matches the source fromType (allowing mismatched types like converting
unstructured<TestType/v1> into &TestType2{}); add the same guard used in
convertFromTyped to reject targets whose concrete type does not correspond to
fromType before unmarshalling. Concretely, in convertFromRaw(from *Raw, into
Typed, fromType Type) and convertFromUnstructured(from *Unstructured, into
Typed, fromType Type) call the existing type-matching check (the logic used by
convertFromTyped) to ensure the concrete target type of into matches fromType
and return an error if not, then proceed with json.Unmarshal only when the types
match; also add tests in bindings/go/runtime/registry_convert_test.go covering
Convert(unstructured<...>, &OtherType{}) rejection.

In `@kubernetes/controller/internal/cel/functions/oci.go`:
- Around line 67-73: The code regressed by relying solely on Scheme.Convert()
and now rejects plain typeless maps; update extractImageReference to detect
untyped maps (e.g., map[string]any or map[interface{}]any) and perform a direct
key-based lookup for "imageReference", "globalAccess", or "referenceName" (if
found, use the value or recursively call extractImageReference for nested maps)
before returning the type error, and apply the same fallback behavior where the
same logic appears (lines with similar switch handling around
extractImageReference); add a regression test in
kubernetes/controller/internal/cel/functions/oci_test.go that passes plain maps
like map[string]any{"imageReference":"registry.io/app:v1"} and nested
map[string]any{"globalAccess":
map[string]any{"imageReference":"registry.io/app:v1"}} to assert correct
extraction.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: d703c721-ddd0-4973-9ee6-1c99e646d00c

📥 Commits

Reviewing files that changed from the base of the PR and between 253fe96 and 7e04630.

📒 Files selected for processing (6)

• bindings/go/runtime/registry.go
• bindings/go/runtime/registry_convert_test.go
• bindings/go/runtime/unstructured.go
• bindings/go/runtime/unstructured_test.go
• kubernetes/controller/internal/cel/functions/oci.go
• kubernetes/controller/internal/cel/functions/oci_test.go

[matthiasbruns]

Follow up - fixing unstructured type handling #1960

[coderabbitai]

Actionable comments posted: 2

🧹 Nitpick comments (2)

kubernetes/controller/internal/cel/functions/oci_test.go (1)

269-313: Consider adding a test for typeless maps.

Current tests all include a type field. It would be valuable to add a test case verifying behavior when a map lacks type metadata (e.g., map[string]any{"imageReference": "registry.io/app:v1"}) to document whether this is expected to succeed or fail.

💡 Suggested test case

{
    name: "map without type field returns error",
    input: map[string]any{
        "imageReference": "registry.io/myrepo/myapp:v1",
    },
    err: require.Error, // or expects: map[string]string{...} if key-based fallback is added
},

Also applies to: 412-456

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@kubernetes/controller/internal/cel/functions/oci_test.go` around lines 269 -
313, Add a new table-driven test case in the tests slice (the same place other
cases call functions.BindingToOCI and then run the "cel" subtest) that uses a
typeless map input (e.g.,
map[string]any{"imageReference":"registry.io/myrepo/myapp:v1"}) and asserts the
call returns an error; reference the existing test harness around BindingToOCI,
functions.ToOCI and functions.ToOCIFunctionName so the new case exercises both
the direct BindingToOCI path and the cel evaluation path and expects an error
(use the same tc.err require.Error check pattern used by other cases).

kubernetes/controller/internal/cel/functions/oci.go (1)

67-73: Error message implies key-based lookup, but implementation uses type conversion.

The error message at line 73 mentions 'imageReference', 'globalAccess', or 'referenceName' as expected keys, but extractImageReference relies on Scheme.Convert() which typically requires a type field for proper conversion. This could be misleading if users pass a map without type metadata.

Consider either:

1. Updating the error message to mention the type requirement, or
2. Adding a key-based fallback for typeless maps (as suggested in a previous review)

💡 Option 1: Update error message

 	default:
-		return types.NewErr("expected string or map with key 'imageReference', 'globalAccess', or 'referenceName', got %T", lhs.Value())
+		return types.NewErr("expected string or typed access map (OCIImage or localBlob), got %T", lhs.Value())
 	}

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@kubernetes/controller/internal/cel/functions/oci.go` around lines 67 - 73,
The error text in the default branch is misleading because extractImageReference
uses Scheme.Convert (which requires a type field) rather than key-based lookup;
either update the returned error from the default case to explain that a typed
map (with a "type" field) or a string is required, or implement a typeless-map
fallback inside the same switch: if lhs.Value() is a map[string]interface{}
check for keys "imageReference", "globalAccess", or "referenceName" and call
extractImageReference with the constructed typed value before returning
types.NewErr; reference the extractImageReference function and the default
switch branch when making the change.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@bindings/go/runtime/registry.go`:
- Around line 428-440: The convertFromUnstructured function currently marshals
Unstructured.Data and unmarshals into the target, which loses payload when the
target is *Raw (because Raw.Data has json:"-"); update convertFromUnstructured
to detect when into is a *Raw (use the Raw type check used in
convertFromRaw/convertFromTyped), and in that branch set Raw.Type (from
fromType) and assign Raw.Data to the raw marshaled JSON bytes (rather than going
through json.Unmarshal). Preserve existing error handling for the marshal step
and return early after populating the Raw struct.

In `@kubernetes/controller/internal/cel/functions/oci_test.go`:
- Around line 401-409: The failing test case "Helm access has no imageReference
and returns error" references a non-existent helmspec package; either import the
correct package that defines helmspec.Helm or replace the typed helmspec usage
with an equivalent plain map (e.g., use typedToMap(t, map[string]any{ "Type":
runtime.NewVersionedType("Helm","v1"),
"HelmRepository":"oci://ghcr.io/org/charts", "HelmChart":"my-chart:1.0.0" }))
and remove the helmspec import; update the test case in the oci_test.go block
and ensure typedToMap and the test's err: require.Error remain unchanged.

---

Nitpick comments:
In `@kubernetes/controller/internal/cel/functions/oci_test.go`:
- Around line 269-313: Add a new table-driven test case in the tests slice (the
same place other cases call functions.BindingToOCI and then run the "cel"
subtest) that uses a typeless map input (e.g.,
map[string]any{"imageReference":"registry.io/myrepo/myapp:v1"}) and asserts the
call returns an error; reference the existing test harness around BindingToOCI,
functions.ToOCI and functions.ToOCIFunctionName so the new case exercises both
the direct BindingToOCI path and the cel evaluation path and expects an error
(use the same tc.err require.Error check pattern used by other cases).

In `@kubernetes/controller/internal/cel/functions/oci.go`:
- Around line 67-73: The error text in the default branch is misleading because
extractImageReference uses Scheme.Convert (which requires a type field) rather
than key-based lookup; either update the returned error from the default case to
explain that a typed map (with a "type" field) or a string is required, or
implement a typeless-map fallback inside the same switch: if lhs.Value() is a
map[string]interface{} check for keys "imageReference", "globalAccess", or
"referenceName" and call extractImageReference with the constructed typed value
before returning types.NewErr; reference the extractImageReference function and
the default switch branch when making the change.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 8f036da6-56e5-4d67-93aa-8fc975c58ed9

📥 Commits

Reviewing files that changed from the base of the PR and between 7e04630 and 71741c0.

📒 Files selected for processing (6)

• bindings/go/runtime/registry.go
• bindings/go/runtime/registry_convert_test.go
• bindings/go/runtime/unstructured.go
• bindings/go/runtime/unstructured_test.go
• kubernetes/controller/internal/cel/functions/oci.go
• kubernetes/controller/internal/cel/functions/oci_test.go

🚧 Files skipped from review as they are similar to previous changes (3)

• bindings/go/runtime/unstructured.go
• bindings/go/runtime/unstructured_test.go
• bindings/go/runtime/registry_convert_test.go

[coderabbitai]

🧹 Nitpick comments (1)

kubernetes/controller/internal/cel/functions/oci.go (1)

182-182: Consider limiting map contents in error message.

Dumping the entire map with %v could produce verbose output or inadvertently expose sensitive fields in logs. Consider showing only the available keys instead.

💡 Suggested change

-	return "", fmt.Errorf("expected map with key 'imageReference', 'globalAccess.imageReference', or 'referenceName', got %v", m)
+	keys := make([]string, 0, len(m))
+	for k := range m {
+		keys = append(keys, k)
+	}
+	return "", fmt.Errorf("expected map with key 'imageReference', 'globalAccess.imageReference', or 'referenceName', got keys %v", keys)

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@kubernetes/controller/internal/cel/functions/oci.go` at line 182, The error
message in the OCI map-check (when returning fmt.Errorf("expected map with key
'imageReference', 'globalAccess.imageReference', or 'referenceName', got %v",
m)) exposes the entire map m; change it to only include the map's keys to avoid
verbose/sensitive logging. Locate the return in
kubernetes/controller/internal/cel/functions/oci.go where variable m is
validated, extract the keys from m (e.g., iterate m to build a []string of keys
or use a helper keysFromMap(m)), and format the error as something like
"expected map with key 'imageReference', 'globalAccess.imageReference', or
'referenceName'; available keys: [a,b,c]" so only the keys are logged instead of
the full map contents.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Nitpick comments:
In `@kubernetes/controller/internal/cel/functions/oci.go`:
- Line 182: The error message in the OCI map-check (when returning
fmt.Errorf("expected map with key 'imageReference',
'globalAccess.imageReference', or 'referenceName', got %v", m)) exposes the
entire map m; change it to only include the map's keys to avoid
verbose/sensitive logging. Locate the return in
kubernetes/controller/internal/cel/functions/oci.go where variable m is
validated, extract the keys from m (e.g., iterate m to build a []string of keys
or use a helper keysFromMap(m)), and format the error as something like
"expected map with key 'imageReference', 'globalAccess.imageReference', or
'referenceName'; available keys: [a,b,c]" so only the keys are logged instead of
the full map contents.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 85dd91ce-a644-45cc-85ee-94fa06bd9d10

📥 Commits

Reviewing files that changed from the base of the PR and between 71741c0 and a0264a4.

📒 Files selected for processing (2)

• bindings/go/runtime/unstructured.go
• kubernetes/controller/internal/cel/functions/oci.go

🚧 Files skipped from review as they are similar to previous changes (1)

• bindings/go/runtime/unstructured.go

[Skarlso]

I'm testing this right now as part of my deployer documentation PR.

[Skarlso]

Tested while writing open-component-model/ocm-website#761.

Worked 🎉