feat: cli credentials rollout #2642

Merged
matthiasbruns merged 7 commits into open-component-model:main from matthiasbruns:feat/1047-credentials-cli
May 26, 2026
@matthiasbruns matthiasbruns commented May 26, 2026

Contributor

On-behalf-of: SAP matthias.bruns@sap.com

What this PR does / why we need it

Final PR of the breaking change chain for the credential migration.
This PR updated the CLI.

Which issue(s) this PR fixes

Fixed: open-component-model/ocm-project#1056

| Gate | PRs | Modules | Status |
|------|-----|---------|--------|
| 1 | #2580 | blob, signing, rsa | merged |
| 2 | #2586 | repository, sigstore | merged |
| 3 | #2594 | oci | merged |
| 4 | #2598 | constructor | merged |
| 5 | #2602 | plugin, input/dir, input/file, input/utf8 | merged |
| 6 | #2612 | helm | merged |
| 7 | #2616 | transfer, controller | merged |
| 8 | this PR | cli | 👈 |

Testing

How to test the changes
Verification
  • I have added/updated tests for my changes (see Test Requirements)
  • Tests pass locally (task test and task test/integration if applicable)
  • If touching multiple modules, go work is enabled (see go.work)
  • My changes do not decrease test coverage
  • I have tested the changes locally by running ocm

On-behalf-of: SAP <matthias.bruns@sap.com>
Signed-off-by: Matthias Bruns <git@matthiasbruns.com>
netlify Bot commented May 26, 2026


Deploy Preview for ocm-website canceled.

Name Link
🔨 Latest commit 0932d6a
🔍 Latest deploy log https://app.netlify.com/projects/ocm-website/deploys/6a15bf2500a72a0008cc6665

coderabbitai Bot commented May 26, 2026

Contributor

Warning

Review limit reached

@matthiasbruns, we couldn't start this review because you've reached your PR review rate limit.

More reviews will be available in 10 minutes and 30 seconds. Learn how PR review limits work.

Your organization has run out of usage credits. Purchase more in the billing tab.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 2689bf85-9184-406c-8cec-f9442b9f0a13

📥 Commits

Reviewing files that changed from the base of the PR and between 5471486 and 0932d6a.

⛔ Files ignored due to path filters (3)
  • bindings/go/transfer/integration/go.sum is excluded by !**/*.sum
  • cli/go.sum is excluded by !**/*.sum
  • cli/integration/go.sum is excluded by !**/*.sum
📒 Files selected for processing (4)
  • bindings/go/transfer/integration/go.mod
  • cli/go.mod
  • cli/integration/go.mod
  • cli/integration/transfer_oci_artifact_integration_test.go
📝 Walkthrough

The PR migrates CLI command credential resolution and plugin interfaces from untyped map-based credentials to typed runtime.Typed credentials across module dependencies, plugin contracts, command implementations, and tests.

Changes

Typed Credentials Migration

| Layer / File(s) | Summary |
|-----------------|---------|
| Module Dependencies Update: bindings/go/sigstore/go.mod, bindings/go/transfer/go.mod, bindings/go/transfer/integration/go.mod, cli/go.mod, cli/integration/go.mod | Go module dependencies are bumped across sigstore, transfer, and CLI packages to newer versions supporting the typed credentials architecture. OCM credential bindings are promoted from indirect to direct dependencies where needed. |
| Plugin Interface Contract Updates: cli/internal/plugin/builtin/oidc/oidc_plugin.go, cli/internal/plugin/builtin/credentials/oci/plugin.go, cli/internal/plugin/builtin/oci/component_lister.go | Credential plugins now accept and return runtime.Typed instead of map[string]string. OIDC plugin wraps tokens in v1.DirectCredentials, OCI credentials plugin registers with typed identity, and component lister accepts typed credentials arguments. |
| CLI Command Credential Resolution: cli/cmd/add/component-version/cmd.go, cli/cmd/download/shared/common.go, cli/cmd/sign/component-version/cmd.go, cli/cmd/verify/component-version/cmd.go | Commands resolve credentials via credentialGraph.Resolve(ctx, identity) into runtime.Typed values and pass them to handlers. Credential discovery logging changes from iterating map keys to checking nil and logging credential type. Constructor plugin gains DownloadResource delegation with typed credentials. |
| Integration Tests and Mocks: cli/integration/transfer_oci_artifact_integration_test.go, cli/internal/repository/ocm/compatibility_test.go | Test doubles and OCI artifact transfer tests are updated to construct ocicredsv1.OCICredentials objects and pass them as runtime.Typed, and mock repository provider accepts typed credentials parameter. |

Sequence Diagram(s)

sequenceDiagram
    participant CLI Command
    participant Credential Graph
    participant Plugin Handler
    participant Credential Plugin
    CLI Command->>Credential Graph: Resolve(ctx, consumerIdentity)
    Credential Graph->>Credential Plugin: get credentials
    Credential Plugin-->>Credential Graph: runtime.Typed (e.g., DirectCredentials)
    Credential Graph-->>CLI Command: runtime.Typed
    CLI Command->>Plugin Handler: execute with typed credentials
    Plugin Handler-->>CLI Command: result

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Possibly related PRs

Suggested labels

kind/feature, size/m, !BREAKING-CHANGE!

Suggested reviewers

  • jakobmoellerdev
  • fabianburth
  • piotrjanik

Poem

🐰 From maps to types, the CLI takes flight,
Typed credentials now shine so bright!
Plugins resolve with structured grace,
Untyped chaos—replaced without trace! 🎯

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

| Check name | Status | Explanation | Resolution |
|------------|--------|-------------|------------|
| Docstring Coverage | ⚠️ Warning | Docstring coverage is 28.57% which is insufficient. The required threshold is 80.00%. | Write docstrings for the functions missing them to satisfy the coverage threshold. |

✅ Passed checks (4 passed)

| Check name | Status | Explanation |
|------------|--------|-------------|
| Title check | ✅ Passed | The title 'feat: cli credentials rollout' clearly and concisely identifies the primary change: rolling out credential migration updates to the CLI module. |
| Description check | ✅ Passed | The PR description is directly related to the changeset, explicitly stating this is the final PR of the credential migration breaking change chain that updates the CLI, and references issue #1056. |
| Linked Issues check | ✅ Passed | The code changes comprehensively address the linked issue #1056 objectives by migrating CLI commands from map-based credentials to typed credentials using runtime.Typed throughout. |
| Out of Scope Changes check | ✅ Passed | All changes are directly scoped to the CLI credential migration: dependency updates, command credential resolution refactoring, and test updates for typed credentials. |


On-behalf-of: SAP <matthias.bruns@sap.com>
Signed-off-by: Matthias Bruns <git@matthiasbruns.com>
@matthiasbruns matthiasbruns marked this pull request as ready for review May 26, 2026 12:42
@matthiasbruns matthiasbruns requested a review from a team as a code owner May 26, 2026 12:42
On-behalf-of: SAP <matthias.bruns@sap.com>
Signed-off-by: Matthias Bruns <git@matthiasbruns.com>
@github-actions github-actions Bot added kind/feature new feature, enhancement, improvement, extension size/m Medium labels May 26, 2026
matthiasbruns and others added 4 commits May 26, 2026 17:10
On-behalf-of: SAP <matthias.bruns@sap.com>
Signed-off-by: Matthias Bruns <git@matthiasbruns.com>
On-behalf-of: SAP <matthias.bruns@sap.com>
Signed-off-by: Matthias Bruns <git@matthiasbruns.com>
On-behalf-of: SAP <matthias.bruns@sap.com>
Signed-off-by: Matthias Bruns <git@matthiasbruns.com>
@matthiasbruns matthiasbruns enabled auto-merge (squash) May 26, 2026 15:59
@matthiasbruns matthiasbruns requested a review from Copilot May 26, 2026 16:24
@matthiasbruns matthiasbruns merged commit a990c9c into open-component-model:main May 26, 2026
40 checks passed
@matthiasbruns matthiasbruns requested review from a team and frewilhelm May 26, 2026 16:24
@matthiasbruns matthiasbruns deleted the feat/1047-credentials-cli branch May 26, 2026 16:25
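
An added illustration of the typed-credential pattern the walkthrough describes, not code from this PR or from OCM: `Typed`, `CredentialType`, `DescribeForLog`, `BearerToken` and the `"token"` key value are hypothetical stand-ins, and only the `DirectCredentials{Properties: ...}` shape is taken from the page. It shows a handler that fails closed on an unexpected credential type and a log helper that reports the type, never the values.

```go
package main

import (
	"errors"
	"fmt"
)

// Typed is a hypothetical stand-in for the typed-credential idea: each
// credential value reports its own type. It is not the OCM interface.
type Typed interface{ CredentialType() string }

// DirectCredentials copies the shape visible in the OIDC hunk on this page.
type DirectCredentials struct{ Properties map[string]string }

func (*DirectCredentials) CredentialType() string { return "DirectCredentials/v1" }

// OCICredentials is a constructed second type with named fields.
type OCICredentials struct{ Username, Password string }

func (*OCICredentials) CredentialType() string { return "OCICredentials/v1" }

const tokenKey = "token" // assumed value; the page only shows credentialKeyToken
var ErrUnsupported = errors.New("unsupported credentials")

// DescribeForLog reports presence and type only, never property values.
func DescribeForLog(c Typed) string {
	if c == nil {
		return "no credentials resolved"
	}
	return "resolved credentials of type " + c.CredentialType()
}

// BearerToken fails closed on any type or shape the handler does not expect.
func BearerToken(c Typed) (string, error) {
	d, ok := c.(*DirectCredentials)
	if !ok || d == nil {
		return "", fmt.Errorf("%w: got %T", ErrUnsupported, c)
	}
	if tok := d.Properties[tokenKey]; tok != "" {
		return tok, nil
	}
	return "", fmt.Errorf("%w: no %q property", ErrUnsupported, tokenKey)
}

func main() {
	creds := &DirectCredentials{Properties: map[string]string{tokenKey: "constructed-sample"}}
	fmt.Println(DescribeForLog(creds))
	_, err := BearerToken(&OCICredentials{Username: "u", Password: "p"})
	fmt.Println(err)
}
```

With a plain `map[string]string`, the second call would have silently returned an empty token; with a typed value the mismatch is an error the caller can match with `errors.Is`.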

Copilot AI left a comment

Contributor

Pull request overview

Note

Copilot was unable to run its full agentic suite in this review.

This PR migrates CLI/plugin credential handling from plain map[string]string attributes to typed credential objects (runtime.Typed), aligning the CLI with newer OCM bindings and plugin APIs.

Changes:

  • Update multiple plugin/provider interfaces to accept/return runtime.Typed credentials instead of map[string]string.
  • Adapt CLI commands and integration tests to pass typed credential specs (e.g., OCI credentials).
  • Bump and realign Go module dependencies across cli and bindings modules.

Reviewed changes

Copilot reviewed 13 out of 21 changed files in this pull request and generated 3 comments.

| File | Description |
|------|-------------|
| cli/internal/repository/ocm/compatibility_test.go | Updates mock provider method signature for typed credentials. |
| cli/internal/plugin/builtin/oidc/oidc_plugin.go | Changes OIDC Resolve to return typed credentials. |
| cli/internal/plugin/builtin/oci/component_lister.go | Updates component lister plugin signature to accept typed credentials. |
| cli/internal/plugin/builtin/credentials/oci/plugin.go | Adjusts OCI credential repository plugin registration to updated spec/identity types. |
| cli/integration/transfer_oci_artifact_integration_test.go | Updates integration test to use typed OCI credentials for uploads and typed creds plumbing. |
| cli/integration/go.mod | Bumps integration module dependencies to newer bindings versions. |
| cli/integration/go.sum | Updates checksums for bumped dependencies in the integration module. |
| cli/go.mod | Bumps core CLI dependencies and updates indirect dependency set. |
| cli/go.sum | Updates checksums for bumped dependencies in the CLI module. |
| cli/cmd/verify/component-version/cmd.go | Switches verification credential resolution/plumbing to runtime.Typed. |
| cli/cmd/sign/component-version/cmd.go | Switches signing credential resolution/plumbing to runtime.Typed. |
| cli/cmd/download/shared/common.go | Switches resource download credential resolution to runtime.Typed. |
| cli/cmd/add/component-version/cmd.go | Updates constructor interfaces and target repo creds resolution to runtime.Typed. |
| bindings/go/transfer/integration/go.mod | Bumps transfer integration dependencies to newer descriptor/runtime + transfer versions. |
| bindings/go/transfer/integration/go.sum | Updates checksums for transfer integration dependency bumps. |
| bindings/go/sigstore/go.mod | Adjusts sigstore module dependencies (credentials now a direct requirement). |
| bindings/go/sigstore/go.sum | Rewrites checksums set after dependency graph changes. |
| bindings/go/repository/go.sum | Updates checksums due to bindings dependency bumps. |
| bindings/go/input/utf8/go.sum | Updates checksums due to bindings dependency bumps. |
| bindings/go/input/file/go.sum | Updates checksums due to bindings dependency bumps. |
| bindings/go/input/dir/go.sum | Updates checksums due to bindings dependency bumps. |

return nil, fmt.Errorf("OIDC authentication: %w", err)
}
return map[string]string{credentialKeyToken: token.RawToken}, nil
return &v1.DirectCredentials{Properties: map[string]string{credentialKeyToken: token.RawToken}}, nil
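
Review bot: In the v1.DirectCredentials return, token.RawToken still travels in a string map under credentialKeyToken, so the typed wrapper tells a consumer nothing about what the value is, and any caller that prints the returned value with a struct-dumping format verb would write the raw OIDC token to its output. Suggest a doc comment on this function naming the returned type and the property key consumers should read, and a check that credential logging at the call sites prints only the credential type.
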
Comment thread cli/go.mod
github.com/Masterminds/semver/v3 v3.5.0
github.com/coreos/go-oidc/v3 v3.18.0
github.com/jedib0t/go-pretty/v6 v6.7.10
github.com/jedib0t/go-pretty/v6 v6.7.9
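
Review bot: The two github.com/jedib0t/go-pretty/v6 lines read v6.7.10 followed by v6.7.9; if the second is the added line, as the ordering in this view suggests, the requirement moves one patch version down in a PR whose summary describes dependency bumps. Confirm the lower version is intended (for example, forced by another module's requirement) and state that in the PR description, or keep v6.7.10.
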
Comment thread cli/go.mod
go.opentelemetry.io/proto/otlp v1.10.0 // indirect
go.yaml.in/yaml/v2 v2.4.4 // indirect
go.yaml.in/yaml/v3 v3.0.4 // indirect
go.yaml.in/yaml/v4 v4.0.0-rc.4 // indirect
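
Review bot: The last line lists go.yaml.in/yaml/v4 at v4.0.0-rc.4, a release candidate, as an indirect requirement of cli/go.mod, while the v2 and v3 lines above it are on stable releases. Suggest checking which direct dependency pulls it in (go mod why -m go.yaml.in/yaml/v4) and noting in the PR whether a pre-release YAML module in the CLI's build graph is accepted.
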
Labels

kind/feature new feature, enhancement, improvement, extension size/m Medium

Development

Successfully merging this pull request may close these issues.

Phase 5: Migrate CLI commands and K8s controller to ResolveTyped

4 participants