feat: support running skillctl in OpenShift containers

[pavelanni]

Summary

• Dockerfile: multi-stage build compiles Go binary inside the container; creates OpenShift-compatible home directory (GID 0 writable) so skillctl works with arbitrary UIDs
• --tls-verify flag: added to inspect, push, pull, and promote for registries with self-signed certificates (e.g. OpenShift internal registry)
• Digest reference support: splitRefTag and parseNameFromTag now handle @sha256:... references correctly
• README: documents namespace field, remote naming convention, and OpenShift usage with oc run + mounted auth secrets

Test plan

• go vet ./... passes
• go test ./... passes
• Verified splitRefTag parses digest refs, tag refs, and port-based registry refs correctly
• Built container image via podman build on RHEL x86_64
• Successfully ran skillctl inspect --tls-verify=false against OpenShift internal registry from a pod with mounted auth secret

🤖 Generated with Claude Code

Summary by CodeRabbit

• New Features

  • Added --tls-verify flag to inspect, promote, pull, and push commands to control TLS certificate verification when accessing remote registries.

• Documentation

  • Documented namespace field semantics and registry path conventions.
  • Added OpenShift workflow guide for in-cluster image inspection.

• Chores

  • Improved container image: multi-stage build with non-root user and CA certificate support.

[coderabbitai]

Warning

Rate limit exceeded

@pavelanni has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 50 minutes and 40 seconds before requesting another review.

Your organization is not enrolled in usage-based pricing. Contact your admin to enable usage-based pricing to continue reviews beyond the rate limit, or try again in 50 minutes and 40 seconds.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro Plus

Run ID: c483a658-4ac4-4808-b32a-88004cb85b0b

📥 Commits

Reviewing files that changed from the base of the PR and between 40b9917 and c5eae73.

📒 Files selected for processing (6)

• README.md
• internal/cli/inspect.go
• pkg/oci/client.go
• pkg/oci/inspect.go
• pkg/oci/push.go
• pkg/oci/ref_test.go

📝 Walkthrough

Walkthrough

This pull request introduces TLS certificate verification control across OCI client commands and improves reference parsing to handle digest-style references. The Dockerfile is updated to a multi-stage build with proper binary compilation and home directory setup. Documentation adds guidance on namespace conventions and OpenShift integration workflows.

Changes

Cohort / File(s)	Summary
CLI TLS Verification internal/cli/inspect.go, internal/cli/promote.go, internal/cli/pull.go, internal/cli/push.go	Added --tls-verify boolean flag (defaulting to true) to all commands, wiring the inverted flag into respective run* functions as skipTLSVerify parameter.
OCI Options Structs pkg/oci/client.go	Extended PushOptions, PullOptions, and PromoteOptions structs with SkipTLSVerify boolean field to control TLS verification behavior.
OCI Client Methods pkg/oci/inspect.go, pkg/oci/promote.go, pkg/oci/pull.go, pkg/oci/push.go	Updated method signatures and implementations to accept and forward skipTLSVerify parameter to newRemoteRepository calls; Push additionally configures HTTP transport with InsecureSkipVerify when requested.
Reference Parsing Logic pkg/oci/pack.go, pkg/oci/pull.go	Enhanced reference parsing to support digest-style references (e.g., name@sha256:...) via splitRefTag function and digest truncation with @; updated tag derivation logic in multiple functions.
Reference Parsing Tests pkg/oci/ref_test.go	Added comprehensive unit tests for splitRefTag, parseNameFromTag, and skillNameFromRef helper functions with table-driven test cases covering tag and digest forms.
Build & Documentation Dockerfile, README.md	Dockerfile refactored to multi-stage build with Go compilation stage, base stage for CA certificates and home directory setup; README adds namespace field guidance, registry path conventions, and OpenShift in-cluster inspection workflow with TLS and token handling.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 23.53% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title 'feat: support running skillctl in OpenShift containers' directly and clearly summarizes the main change: enabling skillctl to run in OpenShift container environments with all necessary supporting features (Dockerfile multi-stage build, --tls-verify flag, digest reference support, and documentation).
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch feature/openshift-container-support

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (4)

README.md (1)

183-186: Consider line-breaking the --overrides JSON for readability.

The single-line JSON is hard to read/copy-edit. Either pretty-print it inline (shell accepts multi-line single-quoted strings) or reference a small overrides.json file via --overrides="$(cat overrides.json)".

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@README.md` around lines 183 - 186, The current oc run skillctl command uses a
single-line --overrides JSON which is hard to read; update the invocation to
either pretty-print the JSON inside the single-quoted --overrides string (split
across lines) or move the JSON into a small overrides.json file and change the
invocation to use --overrides="$(cat overrides.json)"; target the oc run
skillctl command and the --overrides argument so the JSON becomes readable and
easy to edit.

pkg/oci/inspect.go (1)

26-32: Breaking signature change on exported method.

InspectRemote gained a required skipTLSVerify parameter. Any external importer of pkg/oci will fail to build. If external consumers are a concern, consider adding an InspectOptions struct (mirroring PullOptions/PushOptions/PromoteOptions) for a non-breaking, forward-compatible API; otherwise call this out in release notes.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@pkg/oci/inspect.go` around lines 26 - 32, The exported InspectRemote gained a
breaking boolean parameter; add a non-breaking InspectOptions struct (similar to
PullOptions/PushOptions/PromoteOptions) and change the implementation to accept
an *InspectOptions (or nil) instead of a raw bool, e.g. InspectRemote(ctx
context.Context, ref string, opts *InspectOptions) and use opts.SkipTLSVerify
when calling newRemoteRepository/inspect; then provide a thin shim
InspectRemote(ctx, ref string) that calls the new signature with nil for
backward compatibility (or vice‑versa: keep current signature and add
InspectRemoteWithOptions) so external callers don’t break. Ensure you reference
InspectOptions.SkipTLSVerify in the newRemoteRepository call and update any
internal calls to use the new API.

pkg/oci/ref_test.go (1)

5-66: Good coverage of the digest/port edge cases.

Table-driven tests exercise the port-in-host + digest combination that motivated the parsing fix. Consider adding a subtest name via t.Run(tt.ref, ...) so failures pinpoint the offending case, and one case for an empty-digest boundary (name@) if that's considered invalid input worth locking down — otherwise this is sufficient.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@pkg/oci/ref_test.go` around lines 5 - 66, Add subtest names to the
table-driven tests so failures show the offending ref: in TestSplitRefTag,
TestParseNameFromTag, and TestSkillNameFromRef wrap the loop body with
t.Run(tt.ref, func(t *testing.T) { ... }) (remember to capture tt := tt inside
the loop). Also consider adding an explicit empty-digest boundary case to
TestSplitRefTag such as the ref "name@" with expected repo "name" and empty tag
to lock down behavior for that input; update assertions inside the subtest
bodies to use the local t.

pkg/oci/push.go (1)

61-71: Optional: pin MinVersion on the TLS config.

Static analysis flags the missing MinVersion. Even with InsecureSkipVerify: true (certificate identity not validated), pinning a minimum protocol version still avoids negotiating weak/legacy TLS when talking to a misconfigured internal registry. Low risk given this is opt-in via --tls-verify=false, so treat as a nice-to-have hardening.

🔒 Proposed hardening

-				TLSClientConfig: &tls.Config{InsecureSkipVerify: true}, //nolint:gosec // user-requested via --tls-verify=false
+				TLSClientConfig: &tls.Config{
+					InsecureSkipVerify: true, //nolint:gosec // user-requested via --tls-verify=false
+					MinVersion:         tls.VersionTLS12,
+				},

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@pkg/oci/push.go` around lines 61 - 71, The TLS config created when
skipTLSVerify is true should also pin a minimum protocol version to avoid
negotiating legacy TLS; update the tls.Config instantiation used for
authClient.Client (the TLSClientConfig in the http.Transport assigned when
skipTLSVerify is true) to set MinVersion to tls.VersionTLS12 (or higher),
keeping the existing InsecureSkipVerify and the nolint comment as appropriate so
repo.Client still uses the authClient with a minimum TLS version enforced.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@README.md`:
- Around line 182-190: Update the oc run invocation and notes: when using oc run
skillctl --rm add the stdin/attach flag (e.g., -i or --attach=true) so the --rm
cleanup runs, or explicitly instruct users to run oc delete pod skillctl after
the pod reaches Completed; also clarify the token expiry by mentioning oc whoami
-t is short-lived and users must recreate the secret when it expires.

---

Nitpick comments:
In `@pkg/oci/inspect.go`:
- Around line 26-32: The exported InspectRemote gained a breaking boolean
parameter; add a non-breaking InspectOptions struct (similar to
PullOptions/PushOptions/PromoteOptions) and change the implementation to accept
an *InspectOptions (or nil) instead of a raw bool, e.g. InspectRemote(ctx
context.Context, ref string, opts *InspectOptions) and use opts.SkipTLSVerify
when calling newRemoteRepository/inspect; then provide a thin shim
InspectRemote(ctx, ref string) that calls the new signature with nil for
backward compatibility (or vice‑versa: keep current signature and add
InspectRemoteWithOptions) so external callers don’t break. Ensure you reference
InspectOptions.SkipTLSVerify in the newRemoteRepository call and update any
internal calls to use the new API.

In `@pkg/oci/push.go`:
- Around line 61-71: The TLS config created when skipTLSVerify is true should
also pin a minimum protocol version to avoid negotiating legacy TLS; update the
tls.Config instantiation used for authClient.Client (the TLSClientConfig in the
http.Transport assigned when skipTLSVerify is true) to set MinVersion to
tls.VersionTLS12 (or higher), keeping the existing InsecureSkipVerify and the
nolint comment as appropriate so repo.Client still uses the authClient with a
minimum TLS version enforced.

In `@pkg/oci/ref_test.go`:
- Around line 5-66: Add subtest names to the table-driven tests so failures show
the offending ref: in TestSplitRefTag, TestParseNameFromTag, and
TestSkillNameFromRef wrap the loop body with t.Run(tt.ref, func(t *testing.T) {
... }) (remember to capture tt := tt inside the loop). Also consider adding an
explicit empty-digest boundary case to TestSplitRefTag such as the ref "name@"
with expected repo "name" and empty tag to lock down behavior for that input;
update assertions inside the subtest bodies to use the local t.

In `@README.md`:
- Around line 183-186: The current oc run skillctl command uses a single-line
--overrides JSON which is hard to read; update the invocation to either
pretty-print the JSON inside the single-quoted --overrides string (split across
lines) or move the JSON into a small overrides.json file and change the
invocation to use --overrides="$(cat overrides.json)"; target the oc run
skillctl command and the --overrides argument so the JSON becomes readable and
easy to edit.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro Plus

Run ID: f5fbd631-e983-4402-b9f2-bea3acff99f2

📥 Commits

Reviewing files that changed from the base of the PR and between e907b9d and 40b9917.

📒 Files selected for processing (13)

• Dockerfile
• README.md
• internal/cli/inspect.go
• internal/cli/promote.go
• internal/cli/pull.go
• internal/cli/push.go
• pkg/oci/client.go
• pkg/oci/inspect.go
• pkg/oci/pack.go
• pkg/oci/promote.go
• pkg/oci/pull.go
• pkg/oci/push.go
• pkg/oci/ref_test.go