From 6455b1856cbd6c5ca5f72c7863b012e3900613ab Mon Sep 17 00:00:00 2001
From: davdhacs <105243888+davdhacs@users.noreply.github.com>
Date: Mon, 13 Apr 2026 13:02:58 -0600
Subject: [PATCH] Prevent latest apollo-ci tag on release branch configs Add a check to config.py that rejects release branch configs using the 'latest' floating tag for the build root image. The 'latest' tag is a moving target intended only for validation before promoting to 'stable'.
Co-Authored-By: Claude Opus 4.6 (1M context)
---
 ci-operator/config/stackrox/stackrox/config.py | 11 +++++++++++
 1 file changed, 11 insertions(+)
diff --git a/ci-operator/config/stackrox/stackrox/config.py b/ci-operator/config/stackrox/stackrox/config.py
index a0ca2b71a18ed..2ab862e2937c3 100755
--- a/ci-operator/config/stackrox/stackrox/config.py
+++ b/ci-operator/config/stackrox/stackrox/config.py
@@ -767,6 +767,17 @@ def check_configs(data):
 if not check_config(config, data):
 configs_ok = False
+ # Check that release branch configs do not use the "latest" floating
+ # tag for the rox-ci-image (apollo-ci). The "latest" tag is a moving
+ # target and should only be used for validation, not for release jobs.
+ if config.branch.startswith('release-'):
+ tag = config.build_root_tag
+ if tag and 'latest' in tag:
+ check_error(f"{config.short_filename}: release branch '{config.branch}' "
+ f"must not use 'latest' build root tag '{tag}'. "
+ f"Pin to a specific version (e.g. stackrox-ui-test-0.5.7).")
+ configs_ok = False
+ return configs_ok
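Review bot: The new release-branch guard is a deny-list on a single tag name: `if tag and 'latest' in tag:` rejects only tags containing the substring `latest`, so any other moving tag still passes even though the error text asks for a pinned version. The commit message describes `stable` as a promotion target, which suggests it also moves. If release jobs are meant to build from an immutable build root, an allow-list is the safer shape, for example `if tag and not re.search(r'-\d+\.\d+\.\d+$', tag):`; this assumes `re` is available in config.py and that versioned tags look like the `stackrox-ui-test-0.5.7` example, neither of which is visible here. An empty or missing `build_root_tag` on a release branch is also skipped silently by `if tag and ...`, and it is worth deciding whether that case should be reported as an error. The block reads `config` from the loop in `check_configs`, whose header is outside the hunk; indentation is lost on this page, so confirm the check sits inside that loop rather than after it, where it would only inspect the last config.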