fix(oci): allow digest-only and OCM tag+digest references in UploadResourceStream#2723
Merged
jakobmoellerdev merged 4 commits intoJun 3, 2026
Conversation
Signed-off-by: Jakob Möller <contact@jakob-moeller.com> On-behalf-of: @SAP <jakob.moeller@sap.com>
Contributor
|
No actionable comments were generated in the recent review. 🎉 ℹ️ Recent review info⚙️ Run configurationConfiguration used: Organization UI Review profile: CHILL Plan: Pro Run ID: 📒 Files selected for processing (2)
💤 Files with no reviewable changes (1)
🚧 Files skipped from review as they are similar to previous changes (1)
📝 WalkthroughWalkthroughThe PR extends ChangesSupport Digest-Based OCI Image References
Estimated code review effort🎯 3 (Moderate) | ⏱️ ~20 minutes Poem
🚥 Pre-merge checks | ✅ 4 | ❌ 1❌ Failed checks (1 warning)
✅ Passed checks (4 passed)
✏️ Tip: You can configure your own custom pre-merge checks in the settings. ✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
✅ Deploy Preview for ocm-website ready!
To edit notification comments on pull requests, go to your Netlify project configuration. |
Contributor
There was a problem hiding this comment.
Actionable comments posted: 1
🧹 Nitpick comments (1)
bindings/go/oci/repository_test.go (1)
2081-2181: ⚡ Quick winAdd a mismatched pinned-digest case.
The digest-bearing cases all reuse
manifestDesc.Digest, so this table will miss the bug whereUploadResourceStreampreserves a caller-supplied digest that does not matchrs.Root().Digest. A case liketest-repo:v1.0.0@<different-digest>should assert that the upload fails.🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@bindings/go/oci/repository_test.go` around lines 2081 - 2181, Add a test case to TestRepository_UploadResourceStream that simulates a mismatched pinned digest: in the table add an entry (name like "tag+non-matching digest is rejected") which uses refFunc to return "test-repo:v1.0.0@" + <differentDigest> where <differentDigest> is derived from manifestDesc.Digest but altered (e.g. flip one hex char or replace suffix) so it does not equal manifestDesc.Digest.String(); set wantErr=true and wantErrMsg to something indicating a digest mismatch (e.g. "digest" or "mismatch"); this will exercise UploadResourceStream and assert it fails when caller-supplied digest does not match rs.Root().Digest. Ensure the case references manifestDesc and UploadResourceStream so reviewers can find where to locate the behavior.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@bindings/go/oci/repository.go`:
- Around line 990-995: The code currently preserves a caller-supplied digest in
ref.Reference.Reference even when it differs from rs.Root().Digest, producing an
invalid access reference; update the block around ref.Reference.Reference /
rs.Root().Digest so that if ref.Reference.Reference is non-empty and does not
equal rs.Root().Digest.String() you return a clear error (e.g., fmt.Errorf or
wrapped error) instead of proceeding, otherwise if empty set
ref.Reference.Reference = rs.Root().Digest.String(); finally set
access.ImageReference = ref.String(). This validation should be added in
repository.go where ref and rs.Root().Digest are handled to reject mismatched
pinned digests before returning the access reference.
---
Nitpick comments:
In `@bindings/go/oci/repository_test.go`:
- Around line 2081-2181: Add a test case to TestRepository_UploadResourceStream
that simulates a mismatched pinned digest: in the table add an entry (name like
"tag+non-matching digest is rejected") which uses refFunc to return
"test-repo:v1.0.0@" + <differentDigest> where <differentDigest> is derived from
manifestDesc.Digest but altered (e.g. flip one hex char or replace suffix) so it
does not equal manifestDesc.Digest.String(); set wantErr=true and wantErrMsg to
something indicating a digest mismatch (e.g. "digest" or "mismatch"); this will
exercise UploadResourceStream and assert it fails when caller-supplied digest
does not match rs.Root().Digest. Ensure the case references manifestDesc and
UploadResourceStream so reviewers can find where to locate the behavior.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Organization UI
Review profile: CHILL
Plan: Pro
Run ID: 703cb0d0-2cda-47e4-9f0e-ff36627a2fb5
📒 Files selected for processing (2)
bindings/go/oci/repository.gobindings/go/oci/repository_test.go
ec1ae6f to
b65617e
Compare
…CM tag+digest references The previous guard called ValidateReferenceAsTag() which only passes for tag-only references (Form C). This made the digest-pinning code added in the parent commit unreachable, and blocked digest-only (Form A) and OCM tag+digest references from uploading. Replace the guard with a tag-or-digest check: reject only bare repository references that have neither a tag nor a valid digest. Add table-driven tests covering all four reference forms: - tag-only: tag preserved, resource digest applied - digest-only: digest preserved, no tag call - tag+digest (OCM form): both preserved (was previously blocked) - bare repo: rejected with clear error Signed-off-by: Jakob Möller <contact@jakob-moeller.com> On-behalf-of: @SAP <jakob.moeller@sap.com>
b65617e to
42b6b5c
Compare
fabianburth
approved these changes
Jun 2, 2026
frewilhelm
approved these changes
Jun 3, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
UploadResourceStreampreviously rejected all references except tagged ones (Form C:repo:tag) due to aValidateReferenceAsTag()guard — this blocked digest-only (Form A:repo@sha256:...) and OCM tag+digest references (repo:tag@sha256:...) from uploadingref.Reference.Referenceis always the tag string (non-empty), so theif ref.Reference.Reference == ""pin branch was never enteredChanges
bindings/go/oci/repository.go: relax guard fromValidateReferenceAsTag()toref.Tag == "" && ref.ValidateReferenceAsDigest() != nilbindings/go/oci/repository_test.go: addTestRepository_UploadResourceStreamwith 4 table-driven cases covering all reference formsTest plan
go test ./... -count=1passes inbindings/go/oci"can only upload ... if it has a tag or digest"error