chore!: rollback oci typed identity to runtime.Identity

[matthiasbruns]

On-behalf-of: SAP matthias.bruns@sap.com

What this PR does / why we need it

Follow up of #2360 after rolling back identity to runtime.Identity

• Updates internal identity usage to OCIRegistryIdentity where sensible.
• Updates internal credential usage nearly everywhere, if it would not just lead to a map->typed->map conversion chain

Which issue(s) this PR fixes

Contributes: open-component-model/ocm-project#986

Breaking changes

• bindings/go/oci/credentials/docker_config.go CredentialFunc now accepts typed identity and credentials (this shouldn't be exposed in the first place imho)
• reverting ResolveTyped to use runtime.Identity

Testing

How to test the changes

I ran task init/go.work with the updated credentials binding to see if the update breaks ocm - it does not :)

Verification

• I have added/updated tests for my changes (see Test Requirements)
• Tests pass locally (task test and task test/integration if applicable)
• My changes do not decrease test coverage

[netlify]

✅ Deploy Preview for ocm-website canceled.

Name	Link
🔨 Latest commit	04dbf47
🔍 Latest deploy log	https://app.netlify.com/projects/ocm-website/deploys/6a032e589806410008a2b1e0

[coderabbitai]

Warning

Rate limit exceeded

@matthiasbruns has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 51 minutes and 16 seconds before requesting another review.

You’ve run out of usage credits. Purchase more in the billing tab.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 76a704c3-9656-4d2a-9497-19fc27f06db4

📥 Commits

Reviewing files that changed from the base of the PR and between f2364f0 and 04dbf47.

📒 Files selected for processing (1)

• bindings/go/oci/credentials/docker_config.go

📝 Walkthrough

Walkthrough

Untyped map-based credentials and generic runtime.Typed identities were replaced with structured OCIRegistryIdentity and OCICredentials types throughout OCI bindings. Identity spec, conversion helpers, typed credential functions, and all call sites were updated; dependencies were bumped.

Changes

OCI Bindings Typed Credentials & Identity Migration

Layer / File(s)	Summary
Dependency module version update bindings/go/oci/go.mod, bindings/go/oci/integration/go.mod	Credentials binding dependency version updated from v0.0.10 to v0.0.11-0.20260511105124-058d61f5cd54 to support typed credential resolution.
Identity spec, registration, and conversion helpers bindings/go/oci/spec/identity/scheme.go, bindings/go/oci/spec/identity/v1/oci_registry_identity.go, bindings/go/oci/spec/identity/v1/register.go, bindings/go/oci/spec/identity/v1/type.go	New runtime Scheme created and registered with v1 identity types via init(). Added ToIdentity and FromIdentity conversion helpers to map between *OCIRegistryIdentity and runtime.Identity, with automatic type parsing and VersionedType defaulting. Added OCIRegistryIdentityFromOCIRepository helper.
Identity conversion unit tests bindings/go/oci/spec/identity/v1/oci_registry_identity_test.go	Unit tests validate nil handling, full/partial field mapping, type defaulting, and round-trip equivalence for ToIdentity/FromIdentity conversions.
Core resolveCredentialsMap signature and resolver invocation bindings/go/oci/transformer/credentials.go	resolveCredentialsMap parameter type changed from runtime.Typed to *v1.OCIRegistryIdentity; resolver is invoked with v1.ToIdentity(identity) for typed resolution path.
Docker config typed credential conversion and matching bindings/go/oci/credentials/docker_config.go	Added CredentialFromTyped to convert typed *credentialsv1.OCICredentials to auth.Credential; added CredentialFuncTyped for hostname/port matching against typed *identityv1.OCIRegistryIdentity; deprecated map-based CredentialFromMap and CredentialFunc; refactored ResolveV1DockerConfigCredentials to extract identity via FromIdentity and use typed port for secondary hostname:port fallback lookup.
Docker config typed credential tests bindings/go/oci/credentials/docker_config_test.go	Added TestCredentialFuncTyped and TestCredentialFromTyped to validate typed credential conversion, hostname/port matching, and field-by-field equivalence with auth.Credential struct.
Repository provider and resource wiring for typed credentials bindings/go/oci/repository/provider/provider.go, bindings/go/oci/repository/resource/resource_repository.go, bindings/go/oci/repository/resource/resource_repository_test.go	Provider's GetComponentVersionRepository now derives typed credentials via v2.FromDirectCredentials and uses OCIRegistryIdentityFromOCIRepository with CredentialFuncTyped. Resource repository helpers updated to accept and forward *ocicredsv1.OCICredentials instead of map[string]string; static credential creation switched to CredentialFromTyped.
Transformer call sites updated for typed identity bindings/go/oci/transformer/add_component_version.go, bindings/go/oci/transformer/add_local_resource.go, bindings/go/oci/transformer/add_oci_artifact.go, bindings/go/oci/transformer/get_component_version.go, bindings/go/oci/transformer/get_local_resource.go, bindings/go/oci/transformer/get_oci_artifact.go	All transformer call sites updated to convert consumerId via v1.FromIdentity before passing to resolveCredentialsMap.
Test mocks and resolver test call sites bindings/go/oci/transformer/add_oci_artifact_test.go, bindings/go/oci/transformer/credentials_test.go	Updated mockCredentialResolver and stubResolver to accept runtime.Identity in ResolveTyped signature; all credentials test call sites now pass typed *v1.OCIRegistryIdentity instead of untyped map literals; file permission literal modernized to 0o644 notation.

🎯 3 (Moderate) | ⏱️ ~25 minutes

Possibly related PRs

• open-component-model/open-component-model#2343: Updates OCI binding code to use the new typed identity/credential APIs introduced in this PR (ResolveTyped, OCIRegistryIdentity conversions, typed OCICredentials).
• open-component-model/open-component-model#2149: Implements the typed credentials/consumer identity design (ResolveTyped, runtime.Scheme-registered types, DirectCredentials fallback) that this PR builds upon.
• open-component-model/open-component-model#2469: Modifies the same credential/identity resolver signatures and ResolveTyped identity parameter handling as this PR.

Suggested reviewers

• fabianburth
• jakobmoellerdev
• frewilhelm

Poem

🐰 From maps of strings to types so bright,
Identity flows through the OCI night,
Converters dance with hostname and port,
Typed credentials now, of finest sort,
A schema's truth, no more runtime's fog!

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 29.41% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title 'chore!: rollback oci typed identity to runtime.Identity' accurately describes the main change: reverting OCI typed identity back to runtime.Identity while updating credential usage.
Description check	✅ Passed	The PR description is directly related to the changeset. It explains the follow-up nature of the change, identifies specific modules being updated, documents breaking changes, and includes testing verification.
Linked Issues check	✅ Passed	The PR partially addresses issue #986 by introducing typed credential structures (OCIRegistryIdentity conversion helpers, CredentialFromTyped, CredentialFuncTyped) while revising the approach to use runtime.Identity for ResolveTyped as described in the PR description.
Out of Scope Changes check	✅ Passed	All changes align with the stated objectives: updating internal credential handling to use typed structures where appropriate, reverting ResolveTyped to runtime.Identity, and avoiding unnecessary map-to-typed-to-map conversions.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@bindings/go/oci/go.mod`:
- Line 15: The mock in construct_resource_test.go uses the old ResolveTyped
signature; update the mockCredentialProvider's ResolveTyped method to accept
runtime.Identity (not runtime.Typed) as the second parameter and return
(runtime.Typed, error) by calling m.Resolve(ctx, identity) and converting the
result to runtime.Identity; ensure the method signature is changed to
ResolveTyped(ctx context.Context, identity runtime.Identity) and its body
returns runtime.Identity(creds) or the appropriate conversion to satisfy
runtime.Typed, matching the updated credentials interface.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 6b60ce88-501e-4209-ad44-d0785e7b1397

📥 Commits

Reviewing files that changed from the base of the PR and between 058d61f and 055f2ba.

⛔ Files ignored due to path filters (1)

• bindings/go/oci/go.sum is excluded by !**/*.sum

📒 Files selected for processing (4)

• bindings/go/oci/go.mod
• bindings/go/oci/transformer/add_oci_artifact_test.go
• bindings/go/oci/transformer/credentials.go
• bindings/go/oci/transformer/credentials_test.go

[coderabbitai]

Actionable comments posted: 2

🧹 Nitpick comments (2)

bindings/go/oci/spec/identity/v1/type.go (1)

22-37: ⚡ Quick win

The type difference between these helpers is intentional but could benefit from clearer documentation of the migration path.

IdentityFromOCIRepository sets the unversioned Type (marked as "backward compat" on line 16), while OCIRegistryIdentityFromOCIRepository delegates type handling to FromIdentity, which defaults to VersionedType when the type is empty (see oci_registry_identity.go lines 72-74). For the same repository URL, these produce identities with different type values.

Both functions remain actively used in the codebase. Consider either:

• Adding a deprecation notice to IdentityFromOCIRepository with a migration timeline, or
• Documenting the coexistence strategy more explicitly (e.g., when to use each function)

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@bindings/go/oci/spec/identity/v1/type.go` around lines 22 - 37,
IdentityFromOCIRepository and OCIRegistryIdentityFromOCIRepository produce
different type values for the same repository URL because
IdentityFromOCIRepository sets the unversioned Type (Type) while FromIdentity
(used by OCIRegistryIdentityFromOCIRepository) defaults empty types to
VersionedType; add an explicit deprecation and migration note: mark
IdentityFromOCIRepository as deprecated (doc comment and, if supported, a
deprecation annotation) explaining the migration timeline and instruct callers
to switch to OCIRegistryIdentityFromOCIRepository/FromIdentity to get
VersionedType, or alternatively add a clear comment near both
IdentityFromOCIRepository and OCIRegistryIdentityFromOCIRepository explaining
when to use each and that they intentionally co-exist with different type
behavior.

bindings/go/oci/spec/identity/v1/oci_registry_identity.go (1)

68-71: ⚡ Quick win

Clarify intent for malformed vs missing type attributes.

The debug-level log and fallback to VersionedType is intentional and documented (line 56). However, ParseType() returns errors for two distinct scenarios:

1. Missing type attribute → normal case, logging at debug is appropriate
2. Malformed/invalid type string (line 127 in runtime/identity.go) → potential data corruption

The current code treats both identically. If the intent is to silently recover from missing types only, consider checking the error message or wrapping the error to distinguish corruption cases and log them at warning level instead.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@bindings/go/oci/spec/identity/v1/oci_registry_identity.go` around lines 68 -
71, The code calls id.ParseType() and treats all errors the same, but ParseType
can fail for either a missing type attribute (benign) or a malformed type string
(possible corruption); update the error handling in the block that calls
ParseType() to distinguish the two: change ParseType() (or its callers) to
return/export distinct error values (e.g., ErrMissingType vs ErrMalformedType)
or wrap errors so you can errors.Is/As them here, then when err indicates
missing type keep the debug log and fall back to VersionedType, but when err
indicates malformed/invalid type log at warning/error level (including the err
details) and still decide on fallback behavior; reference symbols:
id.ParseType(), VersionedType, and the specific error values or wrapped errors
you add.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@bindings/go/oci/spec/identity/v1/schemas/DockerConfig.schema.json`:
- Line 4: The DockerConfig.schema.json's $id points to the credentials/v1
location but this file lives under identity/v1; either update the "$id" value in
DockerConfig.schema.json to use the identity/v1 namespace (so $id matches the
file's identity/v1 route) or remove this duplicate schema file entirely if the
canonical schema should remain under credentials/v1; modify the $id string in
the file (or delete the file) and ensure any references to
DockerConfig.schema.json point to the chosen canonical $id.

In `@bindings/go/oci/spec/identity/v1/schemas/OCICredentials.schema.json`:
- Line 4: The schema's $id currently points to
"ocm.software/open-component-model/bindings/go/oci/spec/credentials/v1/schemas/OCICredentials.schema.json"
which does not match this file's location under identity/v1; update the $id
string to the correct path replacing "credentials/v1" with "identity/v1" so the
$id equals
"ocm.software/open-component-model/bindings/go/oci/spec/identity/v1/schemas/OCICredentials.schema.json"
to restore proper schema resolution and external references.

---

Nitpick comments:
In `@bindings/go/oci/spec/identity/v1/oci_registry_identity.go`:
- Around line 68-71: The code calls id.ParseType() and treats all errors the
same, but ParseType can fail for either a missing type attribute (benign) or a
malformed type string (possible corruption); update the error handling in the
block that calls ParseType() to distinguish the two: change ParseType() (or its
callers) to return/export distinct error values (e.g., ErrMissingType vs
ErrMalformedType) or wrap errors so you can errors.Is/As them here, then when
err indicates missing type keep the debug log and fall back to VersionedType,
but when err indicates malformed/invalid type log at warning/error level
(including the err details) and still decide on fallback behavior; reference
symbols: id.ParseType(), VersionedType, and the specific error values or wrapped
errors you add.

In `@bindings/go/oci/spec/identity/v1/type.go`:
- Around line 22-37: IdentityFromOCIRepository and
OCIRegistryIdentityFromOCIRepository produce different type values for the same
repository URL because IdentityFromOCIRepository sets the unversioned Type
(Type) while FromIdentity (used by OCIRegistryIdentityFromOCIRepository)
defaults empty types to VersionedType; add an explicit deprecation and migration
note: mark IdentityFromOCIRepository as deprecated (doc comment and, if
supported, a deprecation annotation) explaining the migration timeline and
instruct callers to switch to OCIRegistryIdentityFromOCIRepository/FromIdentity
to get VersionedType, or alternatively add a clear comment near both
IdentityFromOCIRepository and OCIRegistryIdentityFromOCIRepository explaining
when to use each and that they intentionally co-exist with different type
behavior.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: ae291ffb-348d-49f9-845d-1fd543e43669

📥 Commits

Reviewing files that changed from the base of the PR and between cc2c51d and 389024e.

⛔ Files ignored due to path filters (2)

• bindings/go/oci/go.sum is excluded by !**/*.sum
• bindings/go/oci/integration/go.sum is excluded by !**/*.sum

📒 Files selected for processing (22)

• bindings/go/oci/credentials/docker_config.go
• bindings/go/oci/credentials/docker_config_test.go
• bindings/go/oci/go.mod
• bindings/go/oci/integration/go.mod
• bindings/go/oci/repository/provider/provider.go
• bindings/go/oci/repository/resource/resource_repository.go
• bindings/go/oci/repository/resource/resource_repository_test.go
• bindings/go/oci/spec/identity/scheme.go
• bindings/go/oci/spec/identity/v1/oci_registry_identity.go
• bindings/go/oci/spec/identity/v1/oci_registry_identity_test.go
• bindings/go/oci/spec/identity/v1/register.go
• bindings/go/oci/spec/identity/v1/schemas/DockerConfig.schema.json
• bindings/go/oci/spec/identity/v1/schemas/OCICredentials.schema.json
• bindings/go/oci/spec/identity/v1/type.go
• bindings/go/oci/transformer/add_component_version.go
• bindings/go/oci/transformer/add_local_resource.go
• bindings/go/oci/transformer/add_oci_artifact.go
• bindings/go/oci/transformer/credentials.go
• bindings/go/oci/transformer/credentials_test.go
• bindings/go/oci/transformer/get_component_version.go
• bindings/go/oci/transformer/get_local_resource.go
• bindings/go/oci/transformer/get_oci_artifact.go

✅ Files skipped from review due to trivial changes (1)

• bindings/go/oci/go.mod

🚧 Files skipped from review as they are similar to previous changes (1)

• bindings/go/oci/integration/go.mod

[coderabbitai]

Actionable comments posted: 3

🧹 Nitpick comments (2)

bindings/go/oci/credentials/docker_config_test.go (2)

279-332: ⚡ Quick win

Consider adding a test case for nil credentials.

Add a test case to verify the function's behavior when passed nil to ensure safe handling.

📋 Suggested additional test case

{
	name:        "nil credentials",
	credentials: nil,
	expected:    auth.Credential{},
},

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@bindings/go/oci/credentials/docker_config_test.go` around lines 279 - 332,
Add a table-driven test case that passes a nil *credentialsv1.OCICredentials to
CredentialFromTyped and expects an empty auth.Credential; update
TestCredentialFromTyped's tests slice to include a case with name "nil
credentials", credentials: nil, and expected: auth.Credential{} so the suite
verifies CredentialFromTyped handles nil safely.

---

133-241: ⚡ Quick win

Consider adding test cases for nil inputs.

The test suite should include test cases for nil identity and nil credentials to verify safe handling and document expected behavior. This would help catch potential panics discovered in the implementation.

📋 Suggested additional test cases

{
	name:        "nil identity",
	identity:    nil,
	credentials: &credentialsv1.OCICredentials{
		Username: "testuser",
	},
	hostport:  "example.com",
	wantErr:   false,
	wantEmpty: false,
},
{
	name: "nil credentials",
	identity: &identityv1.OCIRegistryIdentity{
		Hostname: "example.com",
	},
	credentials: nil,
	hostport:    "example.com",
	wantErr:     false,
	wantEmpty:   false,
},

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@bindings/go/oci/credentials/docker_config_test.go` around lines 133 - 241,
Add test cases to TestCredentialFuncTyped to cover nil inputs: insert two table
entries named "nil identity" (identity: nil, credentials:
&credentialsv1.OCICredentials{Username:"testuser"}, hostport:"example.com",
wantErr:false, wantEmpty:false) and "nil credentials" (identity:
&identityv1.OCIRegistryIdentity{Hostname:"example.com"}, credentials: nil,
hostport:"example.com", wantErr:false, wantEmpty:false). These should be added
to the tests slice exercised by CredentialFuncTyped so the test verifies no
panic and the credential function returns safely (use the existing
require.NoError / assertions pattern already in TestCredentialFuncTyped).

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@bindings/go/oci/credentials/docker_config.go`:
- Line 133: Update the documentation example to call CredentialFuncTyped instead
of CredentialFunc: locate the docstring/example that currently shows credFunc :=
CredentialFunc(identity, credentials) and change the function name to credFunc
:= CredentialFuncTyped(identity, credentials) so the example matches the
surrounding doc for CredentialFuncTyped.
- Around line 104-112: Add a nil guard at the start of CredentialFromTyped so it
returns an empty auth.Credential when the input *credentialsv1.OCICredentials is
nil instead of dereferencing and panicking; modify the function
(CredentialFromTyped) to check "if credentials == nil { return auth.Credential{}
}" before accessing Username/Password/AccessToken/RefreshToken.
- Around line 114-139: CredentialFuncTyped currently calls
CredentialFromTyped(credentials) without guarding for a nil credentials pointer
which can panic; add a nil check at the top of CredentialFuncTyped: if
credentials is nil, immediately return an auth.CredentialFunc that always
returns empty credentials (and no error) instead of calling CredentialFromTyped;
otherwise proceed to call CredentialFromTyped(credentials) and continue with the
existing host/port matching logic.

---

Nitpick comments:
In `@bindings/go/oci/credentials/docker_config_test.go`:
- Around line 279-332: Add a table-driven test case that passes a nil
*credentialsv1.OCICredentials to CredentialFromTyped and expects an empty
auth.Credential; update TestCredentialFromTyped's tests slice to include a case
with name "nil credentials", credentials: nil, and expected: auth.Credential{}
so the suite verifies CredentialFromTyped handles nil safely.
- Around line 133-241: Add test cases to TestCredentialFuncTyped to cover nil
inputs: insert two table entries named "nil identity" (identity: nil,
credentials: &credentialsv1.OCICredentials{Username:"testuser"},
hostport:"example.com", wantErr:false, wantEmpty:false) and "nil credentials"
(identity: &identityv1.OCIRegistryIdentity{Hostname:"example.com"}, credentials:
nil, hostport:"example.com", wantErr:false, wantEmpty:false). These should be
added to the tests slice exercised by CredentialFuncTyped so the test verifies
no panic and the credential function returns safely (use the existing
require.NoError / assertions pattern already in TestCredentialFuncTyped).

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 40d576cb-68ba-49e8-b544-68c73daee40b

📥 Commits

Reviewing files that changed from the base of the PR and between 389024e and f2364f0.

📒 Files selected for processing (3)

• bindings/go/oci/credentials/docker_config.go
• bindings/go/oci/credentials/docker_config_test.go
• bindings/go/oci/repository/provider/provider.go

🚧 Files skipped from review as they are similar to previous changes (1)

• bindings/go/oci/repository/provider/provider.go