Set commit sha in bundle/catalog

[adam-cattermole]

Updated the default flow to set the commit sha in the bundle manifests and in the catalog. This makes it so that the relatedImages and the bundle in the catalog are pointing to the commit sha variant of the images. As the workflow pushes duplicate images for both the latest and commit sha, this means that the latest images will also be pointing to specific commit sha tagged images.

Due to the pipeline modifying the manifests to set the image to the commit sha variant, the verify-manifests and verify-bundle make targets will fail. These checks are verifying that there are no uncommitted changes in the local git repo which does not make sense given the changes, and so the check was removed for the main flow.

Verified this on our own branch here. Example output from the render:

opm render quay.io/acatterm/authorino-operator-catalog:d350f6a0f8f4e705a3fc9ac5b048967479a6503a --output=yaml

---
image: quay.io/acatterm/authorino-operator-bundle:d350f6a0f8f4e705a3fc9ac5b048967479a6503a
name: authorino-operator.v0.0.0
package: authorino-operator
...

relatedImages:
- image: quay.io/acatterm/authorino-operator:d350f6a0f8f4e705a3fc9ac5b048967479a6503a
  name: ""
schema: olm.bundle

Looking for thoughts on this approach.

Resolves #121

[codecov-commenter]

Codecov Report

Merging #132 (8e26662) into main (b03fcf4) will not change coverage.
The diff coverage is n/a.

@@           Coverage Diff           @@
##             main     #132   +/-   ##
=======================================
  Coverage   63.11%   63.11%           
=======================================
  Files           1        1           
  Lines         732      732           
=======================================
  Hits          462      462           
  Misses        220      220           
  Partials       50       50           

Flag	Coverage Δ
unit	63.11% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

📣 We’re building smart automated test selection to slash your CI/CD build times. Learn more

[didierofrivia]

If with the IMAGE_TAG change is enough for the catalog generation, it's great... in the future we could update the catalog generation to file based instead of sqlite, to align with the others.. or just have one workflow to rule them all. Anyways, the fork kind of breaks the implementation, because it can't push to quay, then the scheduled job will always be pulling a stale version...

[didierofrivia]

We will need to change the way of generating this in the end, more information can be found in this issue

[adam-cattermole]

After discussion we have added the check to make verify-manifests verify-bundle back into the workflow and ignored the lines that specify the images with the commit sha. Also added an additional commit where we add the make verify-bundle to the test workflow run on PR's.

[guicassolato]

LGTM

I see this is as the minimal change to get the issue of the floating latest image tag fixed. This has been causing problems to @Kuadrant/qe who need to lock the environment to a particular set of SHAs in order to debug stuff and relate the issues they found to specific versions of the code.

Maybe future enhancements could include:

• A. Somehow avoid that the image tag that is injected in the bundle/catalog files by the workflow (based on the commit SHA) mismatches what's read in the code by one who checks out the main branch (i.e. :latest).¹
• B. Standardise how the Authorino Operator generates the bundle manifests and catalog image compared to other operators (kuadrant/kuadrant-operator, kuadrant/limitador-operator) – e.g., see local catalog raw file based format limitador-operator#62

Footnotes

1. I few different ways to try to achieve that (mentioned in an off-line call we had about this change): (i) some kind of post-commit hook that sets the SHA when the bundle manifests are generated locally, before pushing them to remote; (ii) replacing the commit SHA with another system to lock the manifests to a fixed version of the code (e.g. timestamp-based); (iii) start git-ignoring the bundle manifests altogether and start generating them on-the-fly whenever we need to build and push the image/cut a release only; (iv) get back to using the floating tag latest and create a special workflow for QE that follows the same steps as when we build for a release, i.e. introduce automated pre-releases from the main branch only for QE (after very merge, daily, weekly, etc). ↩

[adam-cattermole]

Just added one final commit that uses yq to verify the status of the ignored lines in the git diff to ensure the containers are set to the ones we expect

[adam-cattermole]

@didierofrivia If you have time do you mind reviewing the latest changes here to make some progress on this?

[didierofrivia]

🎖️