test(recipes): enforce sha256 specifically in digest-pin gate (CodeRabbit follow-up to #778)#779
Merged
Merged
Conversation
…bbit follow-up) Patches a CodeRabbit review comment from PR #778 that didn't make it into the squash-merge. The digest-pin gate added in #778 accepts any non-empty digest algorithm; ADR-006 specifically requires sha256. A non-sha256 ref would silently pass CI. Now: sha256 prefix is the pass condition; any other digest algorithm emits a distinct error message naming the unexpected algorithm so the contributor knows what to fix. Original CodeRabbit thread: #778 (comment)
lalitadithya
approved these changes
May 6, 2026
|
Caution Review failedFailed to post review comments 📝 WalkthroughWalkthroughThe test Estimated code review effort🎯 2 (Simple) | ⏱️ ~8 minutes 🚥 Pre-merge checks | ✅ 4✅ Passed checks (4 passed)
✏️ Tip: You can configure your own custom pre-merge checks in the settings. ✨ Finishing Touches📝 Generate docstrings
🧪 Generate unit tests (beta)
Comment |
Contributor
Coverage Report ✅
Coverage BadgeNo Go source files changed in this PR. |
23 tasks
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Patches a CodeRabbit review comment from PR #778 that didn't make it into the squash-merge — my reply commit landed on the branch but the PR was already merged by then.
The digest-pin gate added in #778 accepts any non-empty digest algorithm; ADR-006 specifically requires
sha256. A non-sha256 ref would silently pass CI.Now:
sha256:prefix is the pass condition; any other digest algorithm emits a distinct error message naming the unexpected algorithm so the contributor knows what to fix.Original CodeRabbit thread: #778 (comment)
Refs #739, #749.
Type of Change
Component(s) Affected
recipes/manifest_images_test.go)Implementation Notes
Three-line change to the loop body in
TestComponentManifestImagesAreDigestPinned:The new branch surfaces a distinct error message for the "wrong-algorithm" case so a contributor seeing the failure knows to fix the algorithm rather than thinking the digest is missing.
Testing
Risk Assessment
sha256:(verified: 4 in-tree pins all sha256, the 7 CRD-triplet exemptions are bypassed before the digest check). No production behavior change. Easy to revert.Checklist
make testwith-race)make lint)git commit -S)