
Prevent latest apollo-ci tag on stackrox release branch configs#77736

Open
davdhacs wants to merge 1 commit into openshift:main from stackrox:davdhacs/check-latest-tag

Conversation


@davdhacs davdhacs commented Apr 13, 2026

Summary

  • Add validation to config.py that rejects release branch configs using the latest floating tag for the build root image (apollo-ci)
  • The latest tag is a moving target intended only for validation before promoting to stable
  • This check runs as the existing stackrox-stackrox-check presubmit on openshift/release PRs that modify stackrox configs

🤖 Generated with Claude Code

Summary by CodeRabbit

  • Chores
    • Enhanced build configuration validation for release branches to enforce stricter tag requirements, improving release quality assurance.

Add a check to config.py that rejects release branch configs
using the 'latest' floating tag for the build root image.
The 'latest' tag is a moving target intended only for
validation before promoting to 'stable'.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@openshift-ci openshift-ci bot added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Apr 13, 2026

coderabbitai bot commented Apr 13, 2026

Walkthrough

Adds a validation check in check_configs(data) that emits an error when config files with branches starting with release- have config.build_root_tag containing the substring latest. This validation affects the overall pass/fail result.

Changes

Cohort / File(s): Summary
  • Release Branch Validation (ci-operator/config/stackrox/stackrox/config.py): Introduces a new validation rule that detects and rejects release branch configurations using latest as the build root tag.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

🚥 Pre-merge checks | ✅ 9 | ❌ 1

❌ Failed checks (1 warning)

  • Docstring Coverage: ⚠️ Warning. Docstring coverage is 0.00% which is insufficient; the required threshold is 80.00%. Resolution: write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (9 passed)

  • Title check: ✅ Passed. The title accurately describes the main change: adding validation to prevent the 'latest' apollo-ci tag on stackrox release branch configs.
  • Stable And Deterministic Test Names: ✅ Passed. Custom check for Ginkgo test names is not applicable to this PR, which modifies only a Python configuration validation script without any Go test files.
  • Test Structure And Quality: ✅ Passed. This PR modifies a Python configuration validation script and does not include Ginkgo test files, making the test structure and quality check not applicable.
  • Microshift Test Compatibility: ✅ Passed. The custom check for MicroShift Test Compatibility is not applicable to this pull request. This PR only modifies a Python CI configuration validation script (config.py) to add a check for the latest tag on release branch configs. It does not introduce any new Ginkgo e2e tests or Go test code that would require validation against MicroShift API availability.
  • Single Node Openshift (Sno) Test Compatibility: ✅ Passed. PR modifies only a Python CI/CD configuration file, not Ginkgo e2e tests, making the SNO compatibility check inapplicable.
  • Topology-Aware Scheduling Compatibility: ✅ Passed. PR modifies only a CI validation script that enforces image tag rules; no deployment manifests, operator code, or controllers are changed.
  • Ote Binary Stdout Contract: ✅ Passed. The modified file is a configuration validation utility script, not an OTE binary that communicates with openshift-tests via JSON.
  • Ipv6 And Disconnected Network Test Compatibility: ✅ Passed. This pull request does not add any Ginkgo e2e tests; it only modifies a Python CI configuration validation script.
  • Description Check: ✅ Passed. Check skipped because CodeRabbit’s high-level summary is enabled.



openshift-ci bot commented Apr 13, 2026

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: davdhacs

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci openshift-ci bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Apr 13, 2026
@openshift-merge-bot openshift-merge-bot bot added the rehearsals-ack Signifies that rehearsal jobs have been acknowledged label Apr 13, 2026
@openshift-merge-bot

[REHEARSALNOTIFIER]
@davdhacs: no rehearsable tests are affected by this change

Note: If this PR includes changes to step registry files (ci-operator/step-registry/) and you expected jobs to be found, try rebasing your PR onto the base branch. This helps pj-rehearse accurately detect changes when the base branch has moved forward.

@coderabbitai coderabbitai bot left a review comment

🧹 Nitpick comments (1)
ci-operator/config/stackrox/stackrox/config.py (1)

773-779: Match the floating tag explicitly, not via substring.

The current check rejects any tag containing latest, which can accidentally block non-floating pinned tags. Compare normalized tag value to latest directly.

Proposed fix
         if config.branch.startswith('release-'):
             tag = config.build_root_tag
-            if tag and 'latest' in tag:
+            normalized_tag = tag.strip().lower() if isinstance(tag, str) else None
+            if normalized_tag == 'latest':
                 check_error(f"{config.short_filename}: release branch '{config.branch}' "
                             f"must not use 'latest' build root tag '{tag}'. "
                             f"Pin to a specific version (e.g. stackrox-ui-test-0.5.7).")
                 configs_ok = False
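Review bot: the exact-equality test in this hunk (`normalized_tag == 'latest'`) never matches the suffixed tag form the rest of the PR is about, so applying it would turn the check into a no-op. The error message's own example, `stackrox-ui-test-0.5.7`, shows that apollo-ci build root tags carry an image-name prefix, and the maintainer comment on this PR talks about `-latest`, `-stable` and `-X.Y.Z` suffixes; the floating tag on a release branch therefore looks like `stackrox-ui-test-latest`, which is neither equal to `latest` nor caught once the substring test is removed. Match the suffix instead, e.g. `if normalized_tag == 'latest' or normalized_tag.endswith('-latest'):`, which still avoids the false positive on a pinned tag that merely contains the word, and keep the `isinstance` guard so a missing `build_root_tag` yields `None` rather than raising on `.strip()`.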
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@ci-operator/config/stackrox/stackrox/config.py` around lines 773 - 779, The
check in the release branch branch-block is matching 'latest' by substring in
tag = config.build_root_tag which can falsely reject tags containing the word
'latest' as part of a pinned name; change the condition to normalize the
build_root_tag (e.g., strip() and lower()) and compare equality to 'latest'
(e.g., if tag and tag.strip().lower() == 'latest') before calling check_error
and setting configs_ok = False so only the floating tag is rejected; update the
condition around tag, config.branch.startswith('release-'), check_error and
configs_ok accordingly.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Pro Plus

Run ID: 1fc3d479-563f-4ad4-98c1-ed406849bfe0

📥 Commits

Reviewing files that changed from the base of the PR and between 5257a6f and 6455b18.

📒 Files selected for processing (1)
  • ci-operator/config/stackrox/stackrox/config.py

@davdhacs (Contributor, Author) commented:

/cc @porridge

@openshift-ci openshift-ci bot requested a review from porridge April 13, 2026 19:07

openshift-ci bot commented Apr 13, 2026

@davdhacs: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

@porridge (Contributor) commented:

@davdhacs I think we want:

  • only allow -X.Y.Z tags for release branches
  • only allow -stable or -X.Y.Z for master
  • -latest is OK for in-flight PRs, but the check should still fail, to prevent merging such PR
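The tag policy spelled out in the comment above (pinned `-X.Y.Z` only on `release-*` branches, `-stable` or `-X.Y.Z` on `master`, `-latest` never allowed to merge) is a small piece of validation logic, and the PR description explains the same check for the `release-*` case. The block below is an added example written for this page, not the project's `config.py` nor the code in this PR. It assumes a minimal stand-in for the config objects (`BuildConfig` with `short_filename`, `branch` and `build_root_tag`), assumes apollo-ci tags take the form `<image>-<suffix>` as the thread implies, and treats branches other than `master` and `release-*` as unrestricted; all three are assumptions. It matches the tag suffix rather than a substring, so a pinned tag whose image name happens to contain the word `latest` is not rejected.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Set


# Hypothetical stand-in for the config objects that config.py iterates over;
# only the three attributes the PR's check touches are modelled (assumption).
@dataclass
class BuildConfig:
    short_filename: str
    branch: str
    build_root_tag: Optional[str]


# Pinned tags end in "-X.Y.Z" (or are bare "X.Y.Z"); the PR's error message
# cites stackrox-ui-test-0.5.7 as the pinned form (assumption about the scheme).
PINNED_RE = re.compile(r'(?:^|-)\d+\.\d+\.\d+$')


def classify_tag(tag: Optional[str]) -> str:
    """Return 'latest', 'stable', 'pinned' or 'unknown' for a build root tag."""
    if not isinstance(tag, str):
        return 'unknown'
    t = tag.strip().lower()
    # Suffix match, not substring match: a pinned tag that merely contains the
    # word "latest" somewhere in its image name must not be flagged.
    if t == 'latest' or t.endswith('-latest'):
        return 'latest'
    if t == 'stable' or t.endswith('-stable'):
        return 'stable'
    if PINNED_RE.search(t):
        return 'pinned'
    return 'unknown'


def allowed_tag_kinds(branch: str) -> Optional[Set[str]]:
    """Policy from the maintainer comment: release-* branches may only use pinned
    tags, master may use pinned or stable. Other branches are unrestricted
    (returns None), which is an assumption made for this example."""
    if branch.startswith('release-'):
        return {'pinned'}
    if branch == 'master':
        return {'pinned', 'stable'}
    return None


def check_build_root_tags(configs: List[BuildConfig]) -> List[str]:
    """Return one error string per config whose build root tag violates the
    policy. An empty list means the presubmit check would pass; a '-latest'
    tag on master or a release branch always produces an error, so a PR that
    still carries one cannot merge."""
    errors = []
    for cfg in configs:
        allowed = allowed_tag_kinds(cfg.branch)
        if allowed is None or not cfg.build_root_tag:
            continue
        kind = classify_tag(cfg.build_root_tag)
        if kind not in allowed:
            errors.append(
                f"{cfg.short_filename}: branch '{cfg.branch}' must not use build root tag "
                f"'{cfg.build_root_tag}' ({kind}); allowed kinds: {', '.join(sorted(allowed))}")
    return errors


# Constructed sample configs for the example; not real files from openshift/release.
SAMPLE_CONFIGS = [
    BuildConfig('stackrox-stackrox-release-4.6.yaml', 'release-4.6', 'stackrox-ui-test-0.5.7'),
    BuildConfig('stackrox-stackrox-release-4.7.yaml', 'release-4.7', 'stackrox-ui-test-latest'),
    BuildConfig('stackrox-stackrox-release-4.8.yaml', 'release-4.8', 'stackrox-ui-test-stable'),
    BuildConfig('stackrox-stackrox-master.yaml', 'master', 'stackrox-ui-test-stable'),
    BuildConfig('stackrox-stackrox-master__latest.yaml', 'master', 'stackrox-ui-test-latest'),
    BuildConfig('stackrox-stackrox-feature.yaml', 'feature/x', 'stackrox-ui-test-latest'),
]


if __name__ == '__main__':
    problems = check_build_root_tags(SAMPLE_CONFIGS)
    for err in problems:
        print('ERROR', err)
    raise SystemExit(1 if problems else 0)
```

Run against the constructed configs, the check reports the `-latest` tag on `release-4.7`, the `-stable` tag on `release-4.8` and the `-latest` tag on `master`, and exits non-zero, which is what a presubmit needs in order to block the merge while still letting an in-flight PR use `-latest` for validation.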
