fix(helm): use OCIRegistry consumer identity type for OCI URLs

[fabianburth]

Summary

• Fix consumer identity type for OCI-based Helm repositories to return OCIRegistry instead of HelmChartRepository when the URL uses oci:// scheme
• Add support for accessToken credential mapping for OCI registries (token is mapped to password for basic auth when password is not present)

This resolves credential lookup failures for Helm charts hosted on OCI registries after issue #786 fix removed the OCI fallback for AnyConsumerIdentityType.

Changes

1. Consumer identity type fix (bindings/go/helm/input/method.go, bindings/go/helm/access/access.go):

   • Detect oci:// scheme and return OCIRegistry consumer identity type
   • Non-OCI URLs (http://, https://) continue using HelmChartRepository for backward compatibility

2. Credential mapping (bindings/go/helm/internal/download/download.go):

   • When password is not present but accessToken is, map the token to password for basic auth
   • Enables token-based authentication with OCI registries like GitHub Container Registry

Test plan

• Unit tests added for OCI scheme detection in both input and access methods
• Existing tests updated to expect OCIRegistry type for OCI URLs
• All helm module tests pass
• Linter passes
• compiled the cli with go work and tested it against a private oci helm chart

Closes open-component-model/ocm-project#967

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 5a84d59e-fb39-492f-8558-886c427de136

📥 Commits

Reviewing files that changed from the base of the PR and between db859b0 and 072ca97.

📒 Files selected for processing (3)

• bindings/go/helm/access/access.go
• bindings/go/helm/digest/digest.go
• bindings/go/helm/internal/download/download.go

✅ Files skipped from review due to trivial changes (1)

• bindings/go/helm/internal/download/download.go

🚧 Files skipped from review as they are similar to previous changes (2)

• bindings/go/helm/access/access.go
• bindings/go/helm/digest/digest.go

---

📝 Walkthrough

Walkthrough

GetResourceCredentialConsumerIdentity and related Helm flows now detect OCI-style repository URLs (scheme "oci") and set the credential consumer identity type to the OCI registry type; OCI digest/download paths accept credentials (password falls back to access-token) and use them when creating registry clients. Tests and an indirect go.mod dependency were updated.

Changes

Cohort / File(s)	Summary
Helm Access bindings/go/helm/access/access.go, bindings/go/helm/access/access_test.go	Parse Helm repo URL to identity and set consumer identity type to OCI registry type when parsed identity has scheme == "oci"; tests updated to expect OCIRegistry/oci.
Helm Input Method bindings/go/helm/input/method.go, bindings/go/helm/input/method_test.go	Input method now selects OCI credential consumer type for oci:// URLs; added test covering oci:// and https:// cases.
Helm Digest Processing bindings/go/helm/digest/digest.go, bindings/go/helm/digest/digest_test.go	Removed earlier nil checks, return nil for empty repos with debug log, choose OCI identity type for scheme == "oci", pass credentials into OCI digest resolver; tests adjusted (removed nil-resource test, added OCI case).
Remote Chart Download bindings/go/helm/internal/download/download.go	Credential extraction reads username/password independently, falls back to access-token when password empty; basic auth only added when both username and password are non-empty.
Module deps bindings/go/helm/go.mod	Added indirect dependency ocm.software/open-component-model/bindings/go/ctf v0.3.0.

Sequence Diagram(s)

sequenceDiagram
  participant InputMethod as InputMethod
  participant AccessBinding as AccessBinding
  participant CredentialStore as CredentialStore
  participant DigestResolver as DigestResolver
  participant RegistryClient as RegistryClient

  InputMethod->>AccessBinding: provide helmRepository URL
  AccessBinding->>AccessBinding: parse URL -> identity (scheme, hostname)
  alt identity.scheme == "oci"
    AccessBinding->>CredentialStore: request credentials for OCIRegistry + attrs
  else
    AccessBinding->>CredentialStore: request credentials for HelmChartRepository + attrs
  end
  CredentialStore-->>AccessBinding: return credentials (username, password or token)
  AccessBinding->>DigestResolver: pass resource + credentials
  DigestResolver->>RegistryClient: create client with basic auth (username, password||token) if present
  RegistryClient->>RegistryClient: resolve digest / fetch chart

Loading

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Possibly related PRs

• feat(helm): add digest processor for Helm access type #2064: Modifies Helm digest package and tests, touching credential identity parsing and OCI vs Helm handling.
• fix: Normalize scheme handling and update identity type to OCIRegistry #1964: Adjusts OCI consumer identity handling to use OCIRegistry type and updates related tests.
• fix: register oci type instead of AnyConsumerIdentityType #1890: Switches credential handling toward OCI-specific identity type; related identity-type changes.

Suggested reviewers

• jakobmoellerdev
• matthiasbruns
• Skarlso

"I hop through URLs both near and far,
When 'oci' glows I know what you are,
Tokens or passwords twirl in my paw,
Charts pulled tidy without a flaw,
A rabbit's cheer for registry law!" 🐇✨

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 14.29% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title 'fix(helm): use OCIRegistry consumer identity type for OCI URLs' clearly and concisely summarizes the main change: updating the consumer identity type for OCI-based Helm repositories from HelmChartRepository to OCIRegistry.
Description check	✅ Passed	The description provides a comprehensive summary of changes directly related to the changeset, including consumer identity type fixes and credential mapping enhancements with test validation details.
Linked Issues check	✅ Passed	The PR fully addresses issue #967's requirements: implementing scheme-aware consumer identity detection to return OCIRegistry for OCI URLs while retaining HelmChartRepository for HTTP(S) URLs, with unit tests added and existing tests updated to validate the new behavior.
Out of Scope Changes check	✅ Passed	All changes are directly aligned with issue #967 objectives: OCI scheme detection and identity type selection in method.go/access.go, accessToken credential mapping in download.go, and related test updates—no extraneous modifications detected.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

🧹 Nitpick comments (1)

bindings/go/helm/access/access.go (1)

14-16: Consider extracting shared constants to reduce duplication.

LegacyHelmChartConsumerType is defined identically in both access.go and input/method.go. The conditional type-setting logic (lines 63-67) is also duplicated. A shared helper or constants package could reduce this duplication, though the current approach is acceptable given the separate package responsibilities.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@bindings/go/helm/access/access.go` around lines 14 - 16, Extract the
duplicated constants and conditional type-setting into a shared place and update
both modules to import it: move LegacyHelmChartConsumerType and
HelmRepositoryType plus the conditional logic that maps legacy types to current
types into a common package (e.g., a constants/helper package), then replace the
copies in access.go and input/method.go to reference the shared symbols; ensure
the helper exposes a function (e.g., NormalizeHelmConsumerType or
GetHelmRepositoryType) or exported constants used by the existing code paths so
behavior remains identical.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Nitpick comments:
In `@bindings/go/helm/access/access.go`:
- Around line 14-16: Extract the duplicated constants and conditional
type-setting into a shared place and update both modules to import it: move
LegacyHelmChartConsumerType and HelmRepositoryType plus the conditional logic
that maps legacy types to current types into a common package (e.g., a
constants/helper package), then replace the copies in access.go and
input/method.go to reference the shared symbols; ensure the helper exposes a
function (e.g., NormalizeHelmConsumerType or GetHelmRepositoryType) or exported
constants used by the existing code paths so behavior remains identical.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 04183be3-357e-469a-8f92-716366f6ab14

📥 Commits

Reviewing files that changed from the base of the PR and between 220c7f9 and 23aafe4.

📒 Files selected for processing (6)

• bindings/go/helm/access/access.go
• bindings/go/helm/access/access_test.go
• bindings/go/helm/go.mod
• bindings/go/helm/input/method.go
• bindings/go/helm/input/method_test.go
• bindings/go/helm/internal/download/download.go

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@bindings/go/helm/digest/digest.go`:
- Around line 216-226: The code currently sets regClientOpts =
[]registry.ClientOption{registry.ClientOptBasicAuth(username, password)}
whenever credentials != nil even if username and password are empty; change the
logic in the block handling credentials (the variables username, password, and
token derived from ocicredentials.CredentialKeyUsername/Password/AccessToken) to
only append registry.ClientOptBasicAuth(username, password) to regClientOpts
when at least one of username or password (after token fallback) is non-empty —
i.e., check for non-empty values before calling registry.ClientOptBasicAuth so
public OCI pulls omit basic auth entirely.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 0a424f8d-34e9-472e-833b-097c2a967558

📥 Commits

Reviewing files that changed from the base of the PR and between 23aafe4 and 61dbbd7.

📒 Files selected for processing (5)

• bindings/go/helm/access/access.go
• bindings/go/helm/digest/digest.go
• bindings/go/helm/digest/digest_test.go
• bindings/go/helm/go.mod
• bindings/go/helm/internal/download/download.go

💤 Files with no reviewable changes (1)

• bindings/go/helm/digest/digest_test.go

✅ Files skipped from review due to trivial changes (1)

• bindings/go/helm/go.mod

🚧 Files skipped from review as they are similar to previous changes (2)

• bindings/go/helm/access/access.go
• bindings/go/helm/internal/download/download.go

[frewilhelm]

just two questions. The rest looks good