Skip to content

fix(validator): accept pre-release tags as release versions#919

Merged
mchmarny merged 1 commit into
mainfrom
fix/916-release-version-image-tag
May 15, 2026
Merged

fix(validator): accept pre-release tags as release versions#919
mchmarny merged 1 commit into
mainfrom
fix/916-release-version-image-tag

Conversation

@mchmarny

Copy link
Copy Markdown
Member

Summary

aicr validate failed with ImagePullBackOff on every tagged-release binary because the catalog rewrote :latest to :sha-<commit>, but the release workflow (on-tag.yaml) publishes validator images at :v<version> — including pre-release tags like v0.13.0-rc3. Widens releaseVersionPattern to accept a single pre-release suffix segment and adds an explicit -next$ exclusion so goreleaser snapshot builds keep falling through to :sha-<commit>.

Motivation / Context

Reported in #916. The tag-rewrite logic was written when the only published image stream was on-push.yaml's :sha-<commit> aliases, so releaseVersionPattern was deliberately strict (^v?\d+\.\d+\.\d+$). Once on-tag.yaml started publishing :<github.ref_name> for pre-release tags too (v[0-9]+.[0-9]+.[0-9]+* trigger), every install from a released binary like v0.13.0-rc3 started chasing a :sha-<commit> image that release CI never pushed.

Fixes: #916
Related: N/A

Type of Change

  • Bug fix (non-breaking change that fixes an issue)
  • Documentation update (demo workaround removed)

Component(s) Affected

  • Validator (pkg/validator)
  • Docs/examples (docs/, examples/)

Implementation Notes

  • New regex: ^v?\d+\.\d+\.\d+(-[A-Za-z0-9.]+)?$. The pre-release suffix is a single alphanumeric-plus-dots segment — multi-segment forms like the git-describe snapshot v0.0.0-12-gabc1234 contain an internal dash and are still rejected.

  • New snapshotSuffixPattern = -next$ excludes goreleaser's snapshot template (.goreleaser.yaml: snapshot.version_template: "{{ .Tag }}-next"). This is the critical guard that keeps main-development builds on the :sha-<commit> path (which on-push.yaml publishes). The exclusion is documented in code so a future change does not silently re-break dev flow.

  • Build-path coverage with the new logic:

    Build path Binary version Image expected Match published?
    main push (on-push.yaml snapshot) v0.X.Y-next :sha-<commit> (falls through via -next$)
    Tagged release v0.13.0-rc3 v0.13.0-rc3 :v0.13.0-rc3 ✅ (new)
    Tagged release v0.13.0 (stable) v0.13.0 :v0.13.0 ✅ (unchanged)
    Local make build on main HEAD v0.X.Y-next :sha-<commit> ✅ if HEAD on main; else env-var (unchanged)
    Feature branch / fork v0.X.Y-next :sha-<commit> ❌ — env-var workaround required (unchanged)
  • demos/cuj1-gke-config.md: drops the AICR_VALIDATOR_IMAGE_TAG=edge workaround now that the binary asks for the right tag by default.

Testing

make qualify

New test cases in TestResolveImage:

  • pre-release rc tag rewrites :latest to :vX.Y.Z-rc1 (flipped from prior "is not a release")
  • pre-release beta tag rewrites :latest to :vX.Y.Z-beta
  • pre-release alpha.1 (dotted) tag rewrites :latest
  • snapshot of a pre-release tag falls through (v1.0.0-rc1-next)
  • snapshot of stable release with commit → sha tag (v1.0.0-next + commit)
  • pre-release tag ignores commit (release wins)

Existing cases preserved (regressions covered):

  • -next snapshot version — no tag rewrite — pinned with explanatory comment as the regression guard.
  • git-describe snapshot is not a release — still falls through.

Coverage on pkg/validator/catalog: 97.6%.

Risk Assessment

  • Low — Isolated change, well-tested, easy to revert.

Rollout notes: Backwards-compatible at runtime. The only behavioral change is for binaries whose version string matches the new shape — previously broken with ImagePullBackOff, now resolves correctly. The -next$ exclusion ensures main-development builds keep using :sha-<commit>.

Checklist

  • Tests pass locally (make test with -race)
  • Linter passes (make lint)
  • I did not skip/disable tests to make CI green
  • I added/updated tests for new functionality
  • I updated docs if user-facing behavior changed
  • Changes follow existing patterns in the codebase
  • Commits are cryptographically signed (git commit -S)

`aicr validate` failed with ImagePullBackOff on every tagged-release
binary because the catalog rewrote :latest to :sha-<commit>, but the
release workflow (on-tag.yaml) publishes validator images at
:v<version> — including pre-release tags like v0.13.0-rc3.

Widen `releaseVersionPattern` to accept a single pre-release suffix
segment (vX.Y.Z, vX.Y.Z-rc1, vX.Y.Z-beta, vX.Y.Z-alpha.1), and add an
explicit `-next$` exclusion so goreleaser snapshot strings keep
falling through to :sha-<commit> (the path on-push.yaml publishes
for main-development builds). Git-describe forms like
v0.0.0-12-gabc1234 stay excluded by the single-segment shape.

Demo: drops the AICR_VALIDATOR_IMAGE_TAG=edge workaround.

Fixes #916
@coderabbitai

coderabbitai Bot commented May 15, 2026

Copy link
Copy Markdown

Review Change Stack

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Enterprise

Run ID: 60eecc0d-0981-4ff6-9ad4-b4e650951980

📥 Commits

Reviewing files that changed from the base of the PR and between 30e99c2 and 84aef87.

📒 Files selected for processing (3)
  • demos/cuj1-gke-config.md
  • pkg/validator/catalog/catalog.go
  • pkg/validator/catalog/catalog_test.go

📝 Walkthrough

Walkthrough

This PR fixes validator image pull failures when running released aicr binaries by updating catalog image tag resolution to detect release-style version strings and use semantic version tags (e.g., :v0.13.0-rc3) instead of commit SHA tags. The logic extends the release version pattern to accept pre-release suffixes (rc, beta, alpha) while explicitly excluding goreleaser snapshot builds (-next suffix). Test coverage expands to exercise pre-release classification, snapshot fallthrough, and tag precedence scenarios. Documentation removes the AICR_VALIDATOR_IMAGE_TAG=edge workaround from the demo, reflecting the fix.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Possibly related PRs

  • NVIDIA/aicr#917: Modifies the same demos/cuj1-gke-config.md section around AICR_VALIDATOR_IMAGE_TAG=edge workaround removal.

Suggested labels

area/tests, size/L

Suggested reviewers

  • lalitadithya
🚥 Pre-merge checks | ✅ 4
✅ Passed checks (4 passed)
Check name Status Explanation
Title check ✅ Passed The title accurately summarizes the main change: accepting pre-release tags as release versions in the validator image tag resolution logic.
Description check ✅ Passed The description comprehensively explains the bug (ImagePullBackOff on tagged releases), root cause, solution (widened regex and -next exclusion), and includes testing, risk assessment, and implementation details.
Linked Issues check ✅ Passed The PR directly addresses issue #916 by implementing the proposed binary-side fix: widening releaseVersionPattern to accept pre-release suffixes, adding -next exclusion for snapshots, updating tests with new cases, and removing the workaround from docs.
Out of Scope Changes check ✅ Passed All changes are scoped to the linked issue: validator catalog tag resolution (pkg/validator/catalog/), test updates, and removal of an outdated workaround from docs. No unrelated modifications detected.

✏️ Tip: You can configure your own custom pre-merge checks in the settings.

✨ Finishing Touches
📝 Generate docstrings
  • Create stacked PR
  • Commit on current branch
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch fix/916-release-version-image-tag

Comment @coderabbitai help to get the list of available commands and usage tips.

@mchmarny mchmarny self-assigned this May 15, 2026
@mchmarny mchmarny enabled auto-merge (squash) May 15, 2026 13:49
@github-actions

Copy link
Copy Markdown
Contributor

Coverage Report ✅

Metric Value
Coverage 76.2%
Threshold 75%
Status Pass
Coverage Badge
![Coverage](https://img.shields.io/badge/coverage-76.2%25-green)

Merging this branch will increase overall coverage

Impacted Packages Coverage Δ 🤖
github.com/NVIDIA/aicr/pkg/validator/catalog 97.65% (+0.06%) 👍

Coverage by file

Changed files (no unit tests)

Changed File Coverage Δ Total Covered Missed 🤖
github.com/NVIDIA/aicr/pkg/validator/catalog/catalog.go 97.65% (+0.06%) 85 (+2) 83 (+2) 2 👍

Please note that the "Total", "Covered", and "Missed" counts above refer to code statements instead of lines of code. The value in brackets refers to the test coverage of that file in the old version of the code.

@mchmarny mchmarny merged commit 9776d9f into main May 15, 2026
35 of 36 checks passed
@mchmarny mchmarny deleted the fix/916-release-version-image-tag branch May 15, 2026 13:55
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

[Bug]: validator image pull fails on every tagged-release binary — catalog requests sha-<commit> but release CI publishes v<version>

2 participants