Skip to content

feat(validate): enforce artifact apiVersion compatibility#1387

Merged
mchmarny merged 1 commit into
mainfrom
feat/artifact-apiversion-gate
Jun 16, 2026
Merged

feat(validate): enforce artifact apiVersion compatibility#1387
mchmarny merged 1 commit into
mainfrom
feat/artifact-apiversion-gate

Conversation

@mchmarny

Copy link
Copy Markdown
Member

Summary

Make the AICR artifact apiVersion a single-sourced, enforced compatibility contract: consolidate the duplicate literals into header.GroupVersion, and gate the recipe and snapshot loaders to reject artifacts stamped with an unsupported apiVersion.

Motivation / Context

The artifact apiVersion (aicr.nvidia.com/v1alpha1) was redefined as ~5 independent string literals (snapshotter, recipe result + criteria, config) and was never enforced on read — snapshot loading ignored it entirely, recipe loading checked only Kind. A mismatched or incompatible artifact loaded silently and could surface later as a confusing validation failure. This is the durable, schema-level follow-up to the advisory binary-version warning in #1386.

Fixes: #1385
Related: #1386

Type of Change

  • New feature (non-breaking change that adds functionality)
  • Documentation update

Component(s) Affected

  • CLI (cmd/aicr, pkg/cli)
  • Recipe engine / data (pkg/recipe)
  • Collectors / snapshotter (pkg/collector, pkg/snapshotter)
  • Core libraries (pkg/errors, pkg/k8s) — pkg/header, pkg/config
  • Docs/examples (docs/, examples/)

Implementation Notes

  • Single source of truth: pkg/header gains APIGroup, APIVersionV1Alpha1, and canonical GroupVersion. snapshotter.FullAPIVersion, recipe.RecipeAPIVersion, recipe.RecipeCriteriaAPIVersion, and config.APIVersion now alias it.
  • Compatibility gate (accept-known / reject-unknown): header.IsSupportedAPIVersion drives enforcement. The recipe loader (LoadFromFileWithProvider, shared by CLI + server via pkg/client/v1) and a new context-aware snapshotter.LoadFromFile{,WithKubeconfig} reject a non-empty unsupported apiVersion with ErrCodeInvalidRequest. validate, query, and diff route snapshot loads through the new loader. Empty apiVersion stays accepted for older artifacts (mirrors the existing empty-Kind tolerance).
  • No bump to v1alpha2: no breaking schema change is made; bumping with no change would orphan existing artifacts. ADR-011 documents the evolution policy and the transition-window approach for a future bump.

Testing

make test   # pass, total coverage 77.2% (>= 70% floor)
golangci-lint run -c .golangci.yaml ./pkg/header/... ./pkg/snapshotter/... ./pkg/recipe/... ./pkg/config/... ./pkg/cli/...   # 0 issues

New table-driven tests: recipe + snapshot loaders (accept known/empty, reject unknown), and header.IsSupportedAPIVersion / GroupVersion.

Risk Assessment

  • Low — No behavior change for current artifacts (all v1alpha1 or empty). Adds a fail-closed gate only for unsupported versions; easy to revert.

Rollout notes: No new flags. An artifact with an unsupported apiVersion now fails at load with an actionable error instead of failing obscurely downstream.

Checklist

  • Tests pass locally (make test with -race)
  • Linter passes (make lint)
  • I did not skip/disable tests to make CI green
  • I added/updated tests for new functionality
  • I updated docs if user-facing behavior changed
  • Changes follow existing patterns in the codebase
  • Commits are cryptographically signed (git commit -S)

@mchmarny mchmarny requested a review from a team as a code owner June 16, 2026 15:00
@mchmarny mchmarny added the theme/validation Constraint evaluation, health checks, and conformance evidence label Jun 16, 2026
@mchmarny mchmarny self-assigned this Jun 16, 2026
@github-actions

Copy link
Copy Markdown
Contributor

@github-actions

github-actions Bot commented Jun 16, 2026

Copy link
Copy Markdown
Contributor

Coverage Report ✅

Metric Value
Coverage 77.1%
Threshold 75%
Status Pass
Coverage Badge
![Coverage](https://img.shields.io/badge/coverage-77.1%25-green)

Merging this branch will increase overall coverage

Impacted Packages Coverage Δ 🤖
github.com/NVIDIA/aicr/pkg/cli 69.02% (ø)
github.com/NVIDIA/aicr/pkg/config 92.92% (ø)
github.com/NVIDIA/aicr/pkg/header 100.00% (ø)
github.com/NVIDIA/aicr/pkg/recipe 86.18% (+0.02%) 👍
github.com/NVIDIA/aicr/pkg/snapshotter 49.84% (+1.16%) 👍

Coverage by file

Changed files (no unit tests)

Changed File Coverage Δ Total Covered Missed 🤖
github.com/NVIDIA/aicr/pkg/cli/diff.go 87.27% (ø) 55 48 7
github.com/NVIDIA/aicr/pkg/cli/query.go 43.59% (ø) 78 34 44
github.com/NVIDIA/aicr/pkg/cli/validate.go 35.23% (ø) 176 62 114
github.com/NVIDIA/aicr/pkg/config/config.go 0.00% (ø) 0 0 0
github.com/NVIDIA/aicr/pkg/header/header.go 100.00% (ø) 12 (+3) 12 (+3) 0
github.com/NVIDIA/aicr/pkg/recipe/criteria.go 70.72% (ø) 345 244 101
github.com/NVIDIA/aicr/pkg/recipe/loader.go 92.31% (+1.00%) 26 (+3) 24 (+3) 2 👍
github.com/NVIDIA/aicr/pkg/recipe/metadata.go 91.51% (ø) 318 291 27
github.com/NVIDIA/aicr/pkg/snapshotter/loader.go 100.00% (+100.00%) 7 (+7) 7 (+7) 0 🌟
github.com/NVIDIA/aicr/pkg/snapshotter/version.go 0.00% (ø) 0 0 0

Please note that the "Total", "Covered", and "Missed" counts above refer to code statements instead of lines of code. The value in brackets refers to the test coverage of that file in the old version of the code.

@coderabbitai

coderabbitai Bot commented Jun 16, 2026

Copy link
Copy Markdown

Review Change Stack

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Enterprise

Run ID: 3ad26623-2a68-4669-a44c-628966b33ffd

📥 Commits

Reviewing files that changed from the base of the PR and between 147db76 and 62fb2b1.

📒 Files selected for processing (15)
  • docs/design/011-artifact-apiversion-policy.md
  • docs/user/cli-reference.md
  • pkg/cli/diff.go
  • pkg/cli/query.go
  • pkg/cli/validate.go
  • pkg/config/config.go
  • pkg/header/header.go
  • pkg/header/header_test.go
  • pkg/recipe/criteria.go
  • pkg/recipe/loader.go
  • pkg/recipe/loader_test.go
  • pkg/recipe/metadata.go
  • pkg/snapshotter/loader.go
  • pkg/snapshotter/loader_test.go
  • pkg/snapshotter/version.go

📝 Walkthrough

Walkthrough

This PR establishes a single source of truth for the AICR artifact apiVersion by introducing canonical constants (APIGroup, APIVersionV1Alpha1, GroupVersion) and a IsSupportedAPIVersion function in pkg/header. All previously hardcoded aicr.nvidia.com/v1alpha1 string literals in pkg/snapshotter, pkg/recipe, and pkg/config are replaced with aliases to header.GroupVersion. New dedicated loader functions (LoadFromFile, LoadFromFileWithKubeconfig) are added to the snapshotter package, and an apiVersion gate is wired into the recipe loader (LoadFromFileWithProvider). CLI commands in diff.go, query.go, and validate.go are updated to use the new snapshot loader. An ADR (docs/design/011-artifact-apiversion-policy.md) and CLI reference update document the enforcement policy, compatibility evolution rule, and rejection behavior.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Suggested labels

area/api, size/M

Suggested reviewers

  • xdu31
🚥 Pre-merge checks | ✅ 4
✅ Passed checks (4 passed)
Check name Status Explanation
Title check ✅ Passed The title accurately and concisely summarizes the main change: enforcing artifact apiVersion compatibility through validation.
Description check ✅ Passed The description is comprehensive and directly related to the changeset, explaining the motivation, implementation, testing, and risk assessment.
Linked Issues check ✅ Passed The PR fully addresses issue #1385 acceptance criteria: single shared apiVersion constant, loader enforcement rejecting unsupported versions, ADR-011 documentation, and comprehensive tests for accept/reject paths.
Out of Scope Changes check ✅ Passed All changes are scoped to issue #1385 objectives: consolidating apiVersion literals, implementing compatibility gates in loaders, updating CLI commands to use new loaders, and documenting the evolution policy.

✏️ Tip: You can configure your own custom pre-merge checks in the settings.

✨ Finishing Touches
📝 Generate docstrings
  • Create stacked PR
  • Commit on current branch
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch feat/artifact-apiversion-gate

Comment @coderabbitai help to get the list of available commands and usage tips.

coderabbitai[bot]

This comment was marked as resolved.

The artifact apiVersion (aicr.nvidia.com/v1alpha1) was redefined as
several independent string literals and was never enforced on read:
snapshot loading ignored it entirely and recipe loading checked only
Kind. A mismatched or incompatible artifact loaded silently and could
surface later as a confusing validation failure.

- Single source of truth: add header.GroupVersion (+ APIGroup,
  APIVersionV1Alpha1) and repoint snapshotter.FullAPIVersion,
  recipe.RecipeAPIVersion, recipe.RecipeCriteriaAPIVersion, and
  config.APIVersion to it.
- Compatibility gate: header.IsSupportedAPIVersion drives accept-known
  / reject-unknown enforcement. The recipe loader and a new
  context-aware snapshotter.LoadFromFile{,WithKubeconfig} (which
  validate, query, and diff route through) reject a non-empty
  unsupported apiVersion with ErrCodeInvalidRequest. Empty is tolerated
  for older artifacts that predate the field.
- ADR-011 documents the single-source rule, additive-only-within-version
  evolution policy, the reject-unknown gate, and the transition-window
  approach for a future bump (no bump to v1alpha2 now).

Closes #1385
@mchmarny mchmarny force-pushed the feat/artifact-apiversion-gate branch from 147db76 to 62fb2b1 Compare June 16, 2026 15:31
@mchmarny mchmarny enabled auto-merge (squash) June 16, 2026 15:33
@mchmarny mchmarny merged commit 9a741e6 into main Jun 16, 2026
32 of 34 checks passed
@mchmarny mchmarny deleted the feat/artifact-apiversion-gate branch June 16, 2026 15:41
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

area/cli area/docs size/L theme/validation Constraint evaluation, health checks, and conformance evidence

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Schema-versioned compatibility gate for validate inputs

2 participants