feat: 1047 typed credentials - full migration path by matthiasbruns · Pull Request #2519 · open-component-model/open-component-model

matthiasbruns · 2026-05-15T08:46:21Z

What this PR does / why we need it

This PR basically migrates the whole code-base to the final state of credentials including cli and controllers.

updates all interfaces that used credentials map[string]string
updates plugin boundary auth parsing
updates all consumers and cross references
updates cli & controllers
updates all tests and integration tests
cleans up deprecated consts and helper functions
adds a util to convert runtime.Typed into typed credentials in the bindings where needed
introduces typed credentials in sigstore

Which issue(s) this PR fixes

Contributes:

Binding release order

Dependency graph (changed → changed only):

blob → (none)
signing → (none)
rsa → (none)
sigstore → signing
repository → blob, credentials
oci → blob, credentials, repository
constructor → blob, credentials, oci, repository
plugin → blob, constructor, credentials, repository, signing
input/dir → blob, constructor, credentials, repository
input/file → blob, constructor, credentials, repository
input/utf8 → blob, constructor, credentials, repository
helm → blob, constructor, credentials, oci, plugin, repository
transfer → blob, credentials, helm, oci, repository, signing

PR plan:

Gate	PRs	Modules	Can review in parallel
1	✅ PR 1 (#2580)	blob, signing, rsa	✅ (3 modules)
2	✅ PR 2 (#2586)	repository, sigstore	✅ (2 modules)
3	PR 3 (#2594)	oci	—
4	PR 4	constructor	—
5	PR 5	plugin, input/dir, input/file, input/utf8	✅ (4 modules)
6	PR 6	helm	—
7	PR 7	transfer, controller	✅ (2 modules)
8	PR 8	cli	—

netlify · 2026-05-15T08:46:26Z

❌ Deploy Preview for ocm-website failed. Why did it fail? →

Name	Link
🔨 Latest commit	`cf56f52`
🔍 Latest deploy log	https://app.netlify.com/projects/ocm-website/deploys/6a0ef03cb8d907000984f29e

coderabbitai · 2026-05-15T08:46:28Z

Important

Review skipped

Draft detected.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: a7523671-e069-483a-8788-3ceae6329c42

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

🔍 Trigger review

✨ Finishing Touches

🧪 Generate unit tests (beta)

Create PR with unit tests

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

#### What this PR does / why we need it This PR migrates the following bindings to runtime.Typed credentials - blob - rsa - signing Since we touch central interfaces, this is a breaking change. The migration path can be observed here: #2519 #### Which issue(s) this PR fixes Contributes: - open-component-model/ocm-project#1055 #### Testing Fully tested locally with `go.work` enabled in open-component-model/ocm-project#1047 --------- Signed-off-by: Matthias Bruns <git@matthiasbruns.com>

…ent-model#2580) #### What this PR does / why we need it This PR migrates the following bindings to runtime.Typed credentials - blob - rsa - signing Since we touch central interfaces, this is a breaking change. The migration path can be observed here: open-component-model#2519 #### Which issue(s) this PR fixes Contributes: - open-component-model/ocm-project#1055 #### Testing Fully tested locally with `go.work` enabled in open-component-model/ocm-project#1047 --------- Signed-off-by: Matthias Bruns <git@matthiasbruns.com> c7e5118

On-behalf-of: SAP <matthias.bruns@sap.com> Signed-off-by: Matthias Bruns <git@matthiasbruns.com> # Conflicts: # bindings/go/oci/go.sum # Conflicts: # bindings/go/credentials/doc.go # bindings/go/credentials/graph.go # bindings/go/credentials/graph_test.go # bindings/go/credentials/interface.go # bindings/go/credentials/plugins.go # bindings/go/credentials/resolve_direct.go # bindings/go/credentials/resolve_direct_test.go # bindings/go/credentials/resolve_static.go # bindings/go/credentials/resolve_static_test.go

On-behalf-of: SAP <matthias.bruns@sap.com> Signed-off-by: Matthias Bruns <git@matthiasbruns.com>

On-behalf-of: SAP <matthias.bruns@sap.com> Signed-off-by: Matthias Bruns <git@matthiasbruns.com> # Conflicts: # bindings/go/oci/repository/resource/resource_repository.go

On-behalf-of: SAP <matthias.bruns@sap.com> Signed-off-by: Matthias Bruns <git@matthiasbruns.com>

#### What this PR does / why we need it This PR migrates the following bindings to runtime.Typed credentials - repository - sigstore Since we touch central interfaces, this is a breaking change. For `sigstore`, this PR already introduces typed credentials and identities and updates all code paths where possible. (identity is mostly there for documentation, since we delayed the migration to typed identities) The migration path can be observed here: #2519 #### Which issue(s) this PR fixes Contributes: - open-component-model/ocm-project#1055 #### Testing - breaking change only tested with binding tests - go.work disabled, task test is green --------- Signed-off-by: Matthias Bruns <git@matthiasbruns.com> Signed-off-by: Gerald Morrison (SAP) <gerald.morrison@sap.com> Co-authored-by: Gerald Morrison (SAP) <gerald.morrison@sap.com>

On-behalf-of: SAP <matthias.bruns@sap.com> Signed-off-by: Matthias Bruns <git@matthiasbruns.com>

…nent-model#2586) #### What this PR does / why we need it This PR migrates the following bindings to runtime.Typed credentials - repository - sigstore Since we touch central interfaces, this is a breaking change. For `sigstore`, this PR already introduces typed credentials and identities and updates all code paths where possible. (identity is mostly there for documentation, since we delayed the migration to typed identities) The migration path can be observed here: open-component-model#2519 #### Which issue(s) this PR fixes Contributes: - open-component-model/ocm-project#1055 #### Testing - breaking change only tested with binding tests - go.work disabled, task test is green --------- Signed-off-by: Matthias Bruns <git@matthiasbruns.com> Signed-off-by: Gerald Morrison (SAP) <gerald.morrison@sap.com> Co-authored-by: Gerald Morrison (SAP) <gerald.morrison@sap.com> 6c9693c

#### What this PR does / why we need it This PR migrates the following bindings to runtime.Typed credentials - oci Since we cascade the repository breaking changes, set public consts to private and change the spec, this is a breaking change. The migration path can be observed here: #2519 #### Which issue(s) this PR fixes Contributes: - open-component-model/ocm-project#1055 #### Testing - breaking change only tested with binding tests - go.work disabled, task test is green --------- Signed-off-by: Matthias Bruns <git@matthiasbruns.com>

jakobmoellerdev · 2026-05-21T14:30:41Z

superceded by #2599 as tracker

#### What this PR does / why we need it Migrates the `constructor` binding to use `runtime.Typed` credentials, following the established pattern from: - #2580 (blob, rsa, signing) - #2594 (oci) Updates the following interfaces from `map[string]string` → `runtime.Typed`: - `ResourceInputMethod.ProcessResource` - `SourceInputMethod.ProcessSource` - `ResourceDigestProcessor.ProcessResourceDigest` - `ResourceRepository.DownloadResource` Also migrates `resolveCredentials` to call `ResolveTyped` and bumps the `credentials` dependency from `v0.0.10` → `v0.0.11`. #### Which issue(s) this PR fixes Contributes: - open-component-model/ocm-project#1055 Part of the migration path: #2519 #### Dependencies This PR depends on #2594 (oci) being merged first. #### Testing - All existing constructor binding tests pass (`go test ./...`) - Breaking change — callers must update mock implementations to accept `runtime.Typed` --------- Signed-off-by: Jakob Möller <contact@jakob-moeller.com>

github-actions Bot added kind/feature new feature, enhancement, improvement, extension size/l Large labels May 15, 2026

matthiasbruns mentioned this pull request May 15, 2026

feat!: resolve typed plugins bindings impl #2508

Closed

matthiasbruns force-pushed the feat/1047_typed_credentials_phase_3_consumers branch 3 times, most recently from 2b31d10 to 5f3c60f Compare May 19, 2026 10:45

matthiasbruns changed the title ~~feat: 1047 credentials phase 3 - consumer impl~~ feat: 1047 removal of ResolveTyped - bump credential consumers May 19, 2026

matthiasbruns force-pushed the feat/1047_typed_credentials_phase_3_consumers branch from 178160d to 5dfaeb8 Compare May 19, 2026 11:27

fabianburth reviewed May 19, 2026

View reviewed changes

Comment thread bindings/go/constructor/construct.go Outdated

matthiasbruns mentioned this pull request May 20, 2026

feat(sigstore): typed credentials for sigstore binding (Phase 2) #2453

Closed

4 tasks

matthiasbruns changed the title ~~feat: 1047 removal of ResolveTyped - bump credential consumers~~ feat: 1047 removal of ResolveTyped and map credentials - bump credential consumers May 20, 2026

matthiasbruns mentioned this pull request May 20, 2026

feat!: update rsa, blob and signing to use runtime.Typed #2580

Merged

matthiasbruns mentioned this pull request May 20, 2026

feat!: migrate repository & sigstore to typed credentials #2586

Merged

matthiasbruns added 13 commits May 21, 2026 09:36

chore: bring back helm spec

40bc758

On-behalf-of: SAP <matthias.bruns@sap.com> Signed-off-by: Matthias Bruns <git@matthiasbruns.com>

chore: bump credentials in constructor

bf29901

On-behalf-of: SAP <matthias.bruns@sap.com> Signed-off-by: Matthias Bruns <git@matthiasbruns.com>

chore: revert credentials to main

edeccc7

On-behalf-of: SAP <matthias.bruns@sap.com> Signed-off-by: Matthias Bruns <git@matthiasbruns.com>

chore: reset examples

9186d15

On-behalf-of: SAP <matthias.bruns@sap.com> Signed-off-by: Matthias Bruns <git@matthiasbruns.com>

chore: update helm

6d61404

On-behalf-of: SAP <matthias.bruns@sap.com> Signed-off-by: Matthias Bruns <git@matthiasbruns.com>

chore: update oci to use latest credentials

cc9c0ab

On-behalf-of: SAP <matthias.bruns@sap.com> Signed-off-by: Matthias Bruns <git@matthiasbruns.com>

chore: update signing to run on typed

8207043

On-behalf-of: SAP <matthias.bruns@sap.com> Signed-off-by: Matthias Bruns <git@matthiasbruns.com>

feat: typed digest processor

6dcf262

On-behalf-of: SAP <matthias.bruns@sap.com> Signed-off-by: Matthias Bruns <git@matthiasbruns.com>

chore: working on input plugin

f6a75f0

On-behalf-of: SAP <matthias.bruns@sap.com> Signed-off-by: Matthias Bruns <git@matthiasbruns.com>

feat: update repository interfaces

7cee089

On-behalf-of: SAP <matthias.bruns@sap.com> Signed-off-by: Matthias Bruns <git@matthiasbruns.com>

feat: update more interfaces to runtime.Typed

d5ea05c

On-behalf-of: SAP <matthias.bruns@sap.com> Signed-off-by: Matthias Bruns <git@matthiasbruns.com>

wip

88c2d1a

On-behalf-of: SAP <matthias.bruns@sap.com> Signed-off-by: Matthias Bruns <git@matthiasbruns.com>

matthiasbruns added 17 commits May 21, 2026 09:40

feat: convert helm to runtime.Typed

0c8fa2b

On-behalf-of: SAP <matthias.bruns@sap.com> Signed-off-by: Matthias Bruns <git@matthiasbruns.com> # Conflicts: # bindings/go/oci/repository/resource/resource_repository.go

feat: add FromTyped

b2fe162

On-behalf-of: SAP <matthias.bruns@sap.com> Signed-off-by: Matthias Bruns <git@matthiasbruns.com>

chore: update oci tests

b1f708a

On-behalf-of: SAP <matthias.bruns@sap.com> Signed-off-by: Matthias Bruns <git@matthiasbruns.com>

chore: migrate more apis to runtime.Typed

41523da

On-behalf-of: SAP <matthias.bruns@sap.com> Signed-off-by: Matthias Bruns <git@matthiasbruns.com>

fix: tests

6d39889

On-behalf-of: SAP <matthias.bruns@sap.com> Signed-off-by: Matthias Bruns <git@matthiasbruns.com>

fix: plugin auth boundary

f51876b

On-behalf-of: SAP <matthias.bruns@sap.com> Signed-off-by: Matthias Bruns <git@matthiasbruns.com>

fix: repository tests

e52b34c

On-behalf-of: SAP <matthias.bruns@sap.com> Signed-off-by: Matthias Bruns <git@matthiasbruns.com>

feat: typed sigstore

d017584

On-behalf-of: SAP <matthias.bruns@sap.com> Signed-off-by: Matthias Bruns <git@matthiasbruns.com>

feat: migrate rsa and cli to typed credentials

af9520d

On-behalf-of: SAP <matthias.bruns@sap.com> Signed-off-by: Matthias Bruns <git@matthiasbruns.com>

fix: cli tests

82e5239

On-behalf-of: SAP <matthias.bruns@sap.com> Signed-off-by: Matthias Bruns <git@matthiasbruns.com>

feat: migrate controller

2df4820

On-behalf-of: SAP <matthias.bruns@sap.com> Signed-off-by: Matthias Bruns <git@matthiasbruns.com>

feat: migrate blobtransformer to runtime.Typed

ffeb436

On-behalf-of: SAP <matthias.bruns@sap.com> Signed-off-by: Matthias Bruns <git@matthiasbruns.com>

fix: tests and auth parsing

35db1c5

On-behalf-of: SAP <matthias.bruns@sap.com> Signed-off-by: Matthias Bruns <git@matthiasbruns.com>

chore: clean up

34148e5

On-behalf-of: SAP <matthias.bruns@sap.com> Signed-off-by: Matthias Bruns <git@matthiasbruns.com>

chore: deprecate snake_care consts

f8d3ad4

On-behalf-of: SAP <matthias.bruns@sap.com> Signed-off-by: Matthias Bruns <git@matthiasbruns.com>

chore: roll back not needed credential binding change

baf22f6

On-behalf-of: SAP <matthias.bruns@sap.com> Signed-off-by: Matthias Bruns <git@matthiasbruns.com>

chore: sync rsa

0c05929

On-behalf-of: SAP <matthias.bruns@sap.com> Signed-off-by: Matthias Bruns <git@matthiasbruns.com>

matthiasbruns force-pushed the feat/1047_typed_credentials_phase_3_consumers branch from c8aaf22 to 0c05929 Compare May 21, 2026 07:41

matthiasbruns mentioned this pull request May 21, 2026

feat: migrate oci to typed credentials #2594

Merged

matthiasbruns changed the title ~~feat: 1047 removal of ResolveTyped and map credentials - bump credential consumers~~ feat: 1047 typed credentials - full migration path May 21, 2026

chore: update conversion patterns and rebase main

2327e88

On-behalf-of: SAP <matthias.bruns@sap.com> Signed-off-by: Matthias Bruns <git@matthiasbruns.com>

chore: sync sigstore

cf56f52

On-behalf-of: SAP <matthias.bruns@sap.com> Signed-off-by: Matthias Bruns <git@matthiasbruns.com>

jakobmoellerdev mentioned this pull request May 21, 2026

feat!: migrate constructor binding to runtime.Typed credentials #2598

Merged

jakobmoellerdev closed this May 21, 2026

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

feat: 1047 typed credentials - full migration path#2519

feat: 1047 typed credentials - full migration path#2519
matthiasbruns wants to merge 32 commits into
open-component-model:mainfrom
matthiasbruns:feat/1047_typed_credentials_phase_3_consumers

matthiasbruns commented May 15, 2026 •

edited

Loading

Uh oh!

netlify Bot commented May 15, 2026 •

edited

Loading

Uh oh!

coderabbitai Bot commented May 15, 2026 •

edited

Loading

Review skipped

Uh oh!

Uh oh!

jakobmoellerdev commented May 21, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

3 participants

Conversation

matthiasbruns commented May 15, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

What this PR does / why we need it

Which issue(s) this PR fixes

Binding release order

Uh oh!

netlify Bot commented May 15, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

❌ Deploy Preview for ocm-website failed. Why did it fail? →

Uh oh!

coderabbitai Bot commented May 15, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Review skipped

Uh oh!

Uh oh!

jakobmoellerdev commented May 21, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

3 participants

matthiasbruns commented May 15, 2026 •

edited

Loading

netlify Bot commented May 15, 2026 •

edited

Loading

coderabbitai Bot commented May 15, 2026 •

edited

Loading