Skip to content

test(recipes): enforce sha256 specifically in digest-pin gate (CodeRabbit follow-up to #778)#779

Merged
mchmarny merged 1 commit into
mainfrom
fix/bom-digest-pin-sha256-only
May 6, 2026
Merged

test(recipes): enforce sha256 specifically in digest-pin gate (CodeRabbit follow-up to #778)#779
mchmarny merged 1 commit into
mainfrom
fix/bom-digest-pin-sha256-only

Conversation

@mchmarny

@mchmarny mchmarny commented May 6, 2026

Copy link
Copy Markdown
Member

Summary

Patches a CodeRabbit review comment from PR #778 that didn't make it into the squash-merge — my reply commit landed on the branch but the PR was already merged by then.

The digest-pin gate added in #778 accepts any non-empty digest algorithm; ADR-006 specifically requires sha256. A non-sha256 ref would silently pass CI.

Now: sha256: prefix is the pass condition; any other digest algorithm emits a distinct error message naming the unexpected algorithm so the contributor knows what to fix.

Original CodeRabbit thread: #778 (comment)

Refs #739, #749.

Type of Change

  • Bug fix (non-breaking change that fixes an issue)

Component(s) Affected

  • Tests (recipes/manifest_images_test.go)

Implementation Notes

Three-line change to the loop body in TestComponentManifestImagesAreDigestPinned:

-if ref.Digest != "" {
+if strings.HasPrefix(ref.Digest, "sha256:") {
     continue
 }
+if ref.Digest != "" {
+    t.Errorf("%s: image %q uses non-sha256 digest %q; ADR-006 requires @sha256:<digest>", p, img, ref.Digest)
+    continue
+}

The new branch surfaces a distinct error message for the "wrong-algorithm" case so a contributor seeing the failure knows to fix the algorithm rather than thinking the digest is missing.

Testing

unset GITLAB_TOKEN && make qualify
# Codebase qualification completed

Risk Assessment

  • Low — Tightens an existing test. All current refs use sha256: (verified: 4 in-tree pins all sha256, the 7 CRD-triplet exemptions are bypassed before the digest check). No production behavior change. Easy to revert.

Checklist

  • Tests pass locally (make test with -race)
  • Linter passes (make lint)
  • I did not skip/disable tests to make CI green
  • I added/updated tests for new functionality
  • I updated docs if user-facing behavior changed (n/a — internal test gate)
  • Changes follow existing patterns in the codebase
  • Commits are cryptographically signed (git commit -S)

…bbit follow-up)

Patches a CodeRabbit review comment from PR #778 that didn't make it
into the squash-merge. The digest-pin gate added in #778 accepts any
non-empty digest algorithm; ADR-006 specifically requires sha256.
A non-sha256 ref would silently pass CI.

Now: sha256 prefix is the pass condition; any other digest algorithm
emits a distinct error message naming the unexpected algorithm so the
contributor knows what to fix.

Original CodeRabbit thread:
#778 (comment)
@mchmarny mchmarny requested a review from a team as a code owner May 6, 2026 15:05
@mchmarny mchmarny self-assigned this May 6, 2026
@mchmarny mchmarny enabled auto-merge (squash) May 6, 2026 15:06
@coderabbitai

coderabbitai Bot commented May 6, 2026

Copy link
Copy Markdown

Caution

Review failed

Failed to post review comments

📝 Walkthrough

Walkthrough

The test TestComponentManifestImagesAreDigestPinned in recipes/manifest_images_test.go was updated to enforce SHA-256 digest validation. The modified logic now explicitly skips processing for images that already have SHA-256 digests, raises an error if a non-empty digest is present that is not SHA-256, and continues to exemption checks otherwise. The net change adds 4 lines to implement this stricter validation requirement.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~8 minutes

🚥 Pre-merge checks | ✅ 4
✅ Passed checks (4 passed)
Check name Status Explanation
Title check ✅ Passed The title accurately describes the main change: enforcing SHA-256 digests specifically in the digest-pin test gate, with a clear reference to the follow-up nature of the PR.
Description check ✅ Passed The description is comprehensive and directly related to the changeset, explaining the rationale, implementation details, testing, and risk assessment.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.

✏️ Tip: You can configure your own custom pre-merge checks in the settings.

✨ Finishing Touches
📝 Generate docstrings
  • Create stacked PR
  • Commit on current branch
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch fix/bom-digest-pin-sha256-only

Comment @coderabbitai help to get the list of available commands and usage tips.

@mchmarny mchmarny merged commit a73f027 into main May 6, 2026
54 of 56 checks passed
@mchmarny mchmarny deleted the fix/bom-digest-pin-sha256-only branch May 6, 2026 15:15
@github-actions

github-actions Bot commented May 6, 2026

Copy link
Copy Markdown
Contributor

Coverage Report ✅

Metric Value
Coverage 75.1%
Threshold 70%
Status Pass
Coverage Badge
![Coverage](https://img.shields.io/badge/coverage-75.1%25-green)

No Go source files changed in this PR.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants