
fix(ci-operator): keep registry.ci builder FROM when final stage is external #5244

Merged
openshift-merge-bot[bot] merged 1 commit into openshift:main from deepsm007:fix/dockerfile-inputs-build-root-wire on Jun 11, 2026

Conversation

@deepsm007 (Contributor) commented Jun 10, 2026

/cc @openshift/test-platform

Dockerfile Input Detection with External Final Stage

Component: ci-operator (Dockerfile parsing for build input detection)

Problem: ci-operator's Dockerfile scanner previously missed some registry.ci.openshift.org references in real-world Dockerfiles. It also incorrectly excluded all registry.ci references when the final stage used an external base image (via from), which broke multi-stage builds that relied on registry.ci builder stages.

What changed:

  • ExtractRegistryReferences (pkg/dockerfile/extract.go) now:
    • Normalizes Dockerfile line continuations (replaces backslash-newline with spaces) so matches can span continued lines.
    • Scans RUN instructions in addition to FROM and COPY, so image references in commands like podman pull are detected.
    • Deduplicates matches with a seen set.
    • Tracks the registry captured from the final FROM line only, and excludes only that registry when a final external from is specified — earlier builder-stage registry.ci references are preserved.

Behavioral impact: Multi-stage Dockerfiles that use registry.ci builder images (e.g., OCP builders) in intermediate stages and an external final base image (e.g., Red Hat UBI) will now have the registry.ci builder references correctly detected and wired as build inputs. Detection is also more robust across line continuations and image pulls inside RUN commands.

Tests: Added table-driven tests (pkg/dockerfile/inputs_test.go) covering:

  • detection of registry.ci references in podman pull (single-line and continued-line forms),
  • a case where a builder-stage FROM uses registry.ci while the final stage is an external UBI image, asserting the builder registry is retained.

Practical benefit: Reduces manual configuration and prevents accidental omission of required builder images from CI build inputs, improving reliability for multi-stage builds that mix internal builder images and external base images.

@openshift-merge-bot (Contributor) commented

Pipeline controller notification
This repo is configured to use the pipeline controller. Second-stage tests will be triggered either automatically or after lgtm label is added, depending on the repository configuration. The pipeline controller will automatically detect which contexts are required and will utilize /test Prow commands to trigger the second stage.

For optional jobs, comment /test ? to see a list of all defined jobs. To manually trigger all jobs from the second stage, use the /pipeline required command.

This repository is configured in: automatic mode

@openshift-ci (Bot) requested a review from a team on June 10, 2026 15:26
@coderabbitai (Bot) commented Jun 10, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: c1a54bff-3510-42fc-92a6-90fb07202344

📥 Commits

Reviewing files that changed from the base of the PR and between a1ce255 and 61b8243.

📒 Files selected for processing (2)
  • pkg/dockerfile/extract.go
  • pkg/dockerfile/inputs_test.go
🔗 Linked repositories identified

CodeRabbit considers these linked repositories for cross-repo context during reviews:

  • openshift/release (manual)
  • openshift/ci-docs (manual)
  • openshift/release-controller (manual)
  • openshift/ci-chat-bot (manual)
🚧 Files skipped from review as they are similar to previous changes (2)
  • pkg/dockerfile/inputs_test.go
  • pkg/dockerfile/extract.go

📝 Walkthrough

Walkthrough

ExtractRegistryReferences now collapses backslash-newline continuations, inspects FROM, COPY, and RUN lines for RegistryRegex, tracks the registry match per-FROM line (resetting on each FROM), deduplicates matches, and excludes only the final matching FROM registry when from is non-empty. Tests cover RUN pulls and mixed-stage FROM behavior.

Changes

Dockerfile Registry Reference Tracking

  • Implementation: normalize continuations & scan RUN/COPY/FROM (pkg/dockerfile/extract.go)
    Collapse Dockerfile backslash-newline continuations; update ExtractRegistryReferences to scan FROM, COPY, and RUN lines, reset per-FROM registry tracking and set it only when that FROM matches RegistryRegex, then deduplicate collected registry refs and apply final-FROM exclusion only for the captured match.
  • Tests: RUN pull and mixed-stage cases (pkg/dockerfile/inputs_test.go)
    Add table cases asserting RUN podman pull image references (single-line and continued-line) are detected and converted to ImageStreamTagReference, and a case where a builder-stage registry.ci.openshift.org FROM is preserved when the final stage uses an external UBI image.

🎯 2 (Simple) | ⏱️ ~10 minutes

🚥 Pre-merge checks | ✅ 16 | ❌ 1

❌ Failed checks (1 warning)

  • Docstring Coverage (⚠️ Warning): Docstring coverage is 50.00%, which is insufficient; the required threshold is 80.00%. Resolution: write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (16 passed)

  • Description Check: Check skipped - CodeRabbit’s high-level summary is enabled.
  • Title check: The title clearly and specifically describes the main change: keeping registry.ci builder FROM references when the final stage uses an external image.
  • Linked Issues check: Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check: Check skipped because no linked issues were found for this pull request.
  • Go Error Handling: All Go error handling patterns are correct: no ignored errors, proper nil checks before dereferencing, no panic calls, and errors include context via fmt.Errorf with clear messages.
  • Test Coverage For New Features: All modified functionality in ExtractRegistryReferences has test coverage: line continuation, RUN instructions, deduplication, and bug fix. Tests are table-driven and include regression scenarios.
  • Stable And Deterministic Test Names: The PR contains no Ginkgo tests. Changes are only to Go testing package using table-driven tests with stable, descriptive static test names that do not contain dynamic information.
  • Test Structure And Quality: Tests use Go standard testing package, not Ginkgo. Custom check for Ginkgo patterns is not applicable to this PR's table-driven unit tests which follow Go best practices.
  • Microshift Test Compatibility: No Ginkgo e2e tests are added in this PR. Changes are limited to standard Go unit tests in pkg/dockerfile package with no e2e test additions to evaluate.
  • Single Node Openshift (Sno) Test Compatibility: PR modifies Dockerfile parsing utilities with standard Go unit tests, not Ginkgo e2e tests. Custom check applies only to Ginkgo e2e tests (It/Describe/Context/When), which are absent.
  • Topology-Aware Scheduling Compatibility: PR modifies only Dockerfile parsing utilities (pkg/dockerfile) for CI tooling; no deployment manifests, operators, controllers, or scheduling constraints present.
  • Ote Binary Stdout Contract: Both files contain no stdout writes in process-level code. Changes are purely algorithmic parsing improvements and test coverage additions with no OTE contract violations.
  • Ipv6 And Disconnected Network Test Compatibility: PR adds only standard Go unit tests (not Ginkgo e2e tests) for Dockerfile parsing with no IPv4 assumptions or external connectivity requirements.
  • No-Weak-Crypto: PR contains no cryptographic code, weak crypto algorithms, custom crypto implementations, or insecure secret comparisons. Changes are limited to Dockerfile parsing and registry reference detection.
  • Container-Privileges: PR modifies only Go source files (extract.go, inputs_test.go) for Dockerfile parsing; contains no container/K8s manifests or privilege escalation indicators. Check not applicable.
  • No-Sensitive-Data-In-Logs: No sensitive data logged. Code logs only Docker image references (e.g., registry.ci.openshift.org/ocp/4.19:base) containing registry names and image tags, not credentials, tokens, PII, or secrets.


@coderabbitai (Bot) left a comment

🧹 Nitpick comments (1)
pkg/dockerfile/extract.go (1)

26-27: 💤 Low value

Consider documenting the from parameter's behavior.

The function comment doesn't explain what the from parameter does (i.e., when non-empty, it excludes the final stage's registry reference). While the inline comment at line 57 is clear, adding a sentence to the function doc would help callers understand the contract without reading the implementation.

📝 Suggested documentation enhancement
-// ExtractRegistryReferences finds all registry.ci.openshift.org and quay-proxy.ci.openshift.org references in the Dockerfile
+// ExtractRegistryReferences finds all registry.ci.openshift.org and quay-proxy.ci.openshift.org references in the Dockerfile.
+// If from is non-empty, the registry reference from the final FROM stage is excluded from the result.
 func ExtractRegistryReferences(dockerfile []byte, from api.PipelineImageStreamTagReference) []string {
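Review bot: the second added sentence overstates the exclusion. By the PR summary and the walkthrough only the reference matched on the final FROM line is dropped, while references on RUN or COPY lines after that FROM are still returned, so "the registry reference from the final FROM stage is excluded" will be read as excluding the whole stage. Suggest: `// If from is non-empty, the reference matched on the final FROM line is excluded; references on other lines of that stage are still returned.`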
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@pkg/dockerfile/extract.go` around lines 26 - 27, Update the
ExtractRegistryReferences function comment to document the behavior of the from
parameter: state that when the from parameter
(api.PipelineImageStreamTagReference) is non-empty, the function will exclude
registry references found in the final stage of the Dockerfile from the returned
slice; if from is empty, all matching registry references (including the final
stage) are returned. Mention this contract alongside the existing description so
callers understand the parameter's effect without reading the implementation.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 24132de9-e2f7-417c-9bc9-3f5cb5a81397

📥 Commits

Reviewing files that changed from the base of the PR and between 3a61181 and 50dbe9b.

📒 Files selected for processing (2)
  • pkg/dockerfile/extract.go
  • pkg/dockerfile/inputs_test.go
🔗 Linked repositories identified

CodeRabbit considers these linked repositories for cross-repo context during reviews:

  • openshift/release (manual)
  • openshift/ci-docs (manual)
  • openshift/release-controller (manual)
  • openshift/ci-chat-bot (manual)

@openshift-ci (Bot) added the approved label (indicates a PR has been approved by an approver from all required OWNERS files) on Jun 10, 2026
@deepsm007 (Contributor, Author) commented

/hold

@openshift-ci (Bot) added the do-not-merge/hold label (indicates that a PR should not merge because someone has issued a /hold command) on Jun 10, 2026
@deepsm007 force-pushed the fix/dockerfile-inputs-build-root-wire branch 2 times, most recently from a1ce255 to bf11200 on June 10, 2026 16:11
@openshift-ci (Bot) removed the do-not-merge/hold label (indicates that a PR should not merge because someone has issued a /hold command) on Jun 10, 2026
…quay-proxy

Collapse Dockerfile backslash line continuations before scanning so
registry.ci references split across RUN lines are detected for
quay-proxy inputs.
@deepsm007 force-pushed the fix/dockerfile-inputs-build-root-wire branch from bf11200 to 61b8243 on June 10, 2026 16:13
@deepsm007 (Contributor, Author) commented

/test e2e

@coderabbitai (Bot) left a comment

🧹 Nitpick comments (2)
pkg/dockerfile/extract.go (2)

39-46: 💤 Low value

Minor: Avoid redundant regex evaluation on FROM lines.

Lines 41-42 call RegistryRegex.Find(line) to populate lastFromLineRegistryRef, then line 46 calls it again on the same FROM line. The match from line 41 could be reused to avoid evaluating the regex twice.

♻️ Proposed optimization
 	if bytes.HasPrefix(upper, []byte("FROM")) {
 		lastFromLineRegistryRef = ""
-		if match := RegistryRegex.Find(line); match != nil {
-			lastFromLineRegistryRef = string(match)
-		}
 	}
 
-	match := RegistryRegex.Find(line)
+	match := RegistryRegex.Find(line)
+	if bytes.HasPrefix(upper, []byte("FROM")) && match != nil {
+		lastFromLineRegistryRef = string(match)
+	}
+
 	if match == nil {
 		continue
 	}
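Review bot: the single Find is behaviour-preserving, but the exclusion applied later keys on the string held in lastFromLineRegistryRef, and matches are deduplicated into one seen set, so when from is set a builder stage that uses the same image as the final FROM (two stages built from the same registry.ci base, or a RUN podman pull of it) loses that reference as well. Worth a table case beside the mixed-stage one to pin down whether dropping it is intended; if it is not, skip the exclusion when the same reference was also seen on a line other than the final FROM.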
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@pkg/dockerfile/extract.go` around lines 39 - 46, The RegistryRegex is being
evaluated twice for the same FROM line; refactor to call
RegistryRegex.Find(line) only once and reuse the result: inside the FROM branch
capture the result into a local variable (e.g., match) and set
lastFromLineRegistryRef when match != nil, then use that same match for the
subsequent logic instead of calling RegistryRegex.Find(line) again; update
references to the variable names lastFromLineRegistryRef and RegistryRegex in
pkg/dockerfile/extract.go accordingly so the regex is only executed once per
line.

35-37: ⚡ Quick win

Inconsistent instruction detection may cause false positives.

Line 35 uses bytes.Contains to check for FROM, COPY, and RUN, which matches these keywords anywhere in the line (including comments or string literals). Line 39 uses bytes.HasPrefix for FROM, which is more precise. This inconsistency means COPY and RUN keywords inside comments (e.g., # Note: COPY --from=...) or strings could trigger processing.

Consider using bytes.HasPrefix consistently for all three instructions, or use a Dockerfile parser library for robust instruction detection.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@pkg/dockerfile/extract.go` around lines 35 - 37, The condition that checks
Dockerfile instructions uses bytes.Contains for COPY and RUN which can match
keywords inside comments or strings; update the check that uses the variable
upper (the upper-cased line) to use bytes.HasPrefix after trimming leading
whitespace so it consistently mirrors the existing FROM detection (replace the
bytes.Contains checks for "COPY" and "RUN" with bytes.HasPrefix on
bytes.TrimLeft(upper, " \t")), and ensure lines beginning with '#' are skipped
before this check to avoid false positives.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 8b4e967e-210c-4611-842a-43a7e136f07b

📥 Commits

Reviewing files that changed from the base of the PR and between 50dbe9b and a1ce255.

📒 Files selected for processing (2)
  • pkg/dockerfile/extract.go
  • pkg/dockerfile/inputs_test.go
🔗 Linked repositories identified

CodeRabbit considers these linked repositories for cross-repo context during reviews:

  • openshift/release (manual)
  • openshift/ci-docs (manual)
  • openshift/release-controller (manual)
  • openshift/ci-chat-bot (manual)
🚧 Files skipped from review as they are similar to previous changes (1)
  • pkg/dockerfile/inputs_test.go
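The scanner described in the PR summary (collapse backslash-newline continuations, scan FROM, COPY and RUN lines, deduplicate, and drop only the final FROM's reference when `from` is set), combined with the review point above about anchoring instruction detection at the start of the line and skipping comments, as a self-contained Go example added here. It is not ci-operator's code: `registryRegex` (its pattern is a guess at what a registry.ci / quay-proxy reference looks like), `extractRegistryReferences`, `hasInstruction`, the boolean `finalFromOverridden` standing in for the `from` parameter, and the sample Dockerfile are all assumptions made for the example. It also goes one step beyond the PR: the final FROM's reference is kept if any other line uses the same image, so a builder stage built from the same base is still wired as an input.

```go
package main

import (
	"bytes"
	"fmt"
	"regexp"
)

// registryRegex stands in for ci-operator's RegistryRegex; the pattern is an
// assumption for this example (registry.ci / quay-proxy host, path, optional tag and digest).
var registryRegex = regexp.MustCompile(
	`(?:registry|quay-proxy)\.ci\.openshift\.org/[A-Za-z0-9._/-]+(?::[A-Za-z0-9._-]+)?(?:@sha256:[a-f0-9]{64})?`)

// hasInstruction reports whether an upper-cased, trimmed line begins with the
// Dockerfile instruction kw followed by whitespace. Anchoring at the line start
// (not bytes.Contains) keeps "# Note: COPY --from=..." in a comment from matching.
func hasInstruction(upper []byte, kw string) bool {
	if !bytes.HasPrefix(upper, []byte(kw)) || len(upper) == len(kw) {
		return false
	}
	return upper[len(kw)] == ' ' || upper[len(kw)] == '\t'
}

// extractRegistryReferences returns the distinct registry.ci / quay-proxy image
// references a Dockerfile consumes, in first-seen order. finalFromOverridden
// models a non-empty `from`: ci-operator replaces the final stage's base, so the
// reference on the final FROM line is not an input unless another line uses it.
func extractRegistryReferences(dockerfile []byte, finalFromOverridden bool) []string {
	// Collapse backslash-newline continuations (CRLF first) so a reference split
	// across a continued RUN line is matched as one line.
	normalized := bytes.ReplaceAll(dockerfile, []byte("\\\r\n"), []byte(" "))
	normalized = bytes.ReplaceAll(normalized, []byte("\\\n"), []byte(" "))
	var ordered []string
	uses := map[string]int{} // occurrences per reference; doubles as the "seen" set
	lastFromRef := ""

	for _, raw := range bytes.Split(normalized, []byte("\n")) {
		line := bytes.TrimSpace(raw)
		if len(line) == 0 || line[0] == '#' {
			continue // blank lines and comments never carry inputs
		}
		upper := bytes.ToUpper(line)
		isFrom := hasInstruction(upper, "FROM")
		if !isFrom && !hasInstruction(upper, "COPY") && !hasInstruction(upper, "RUN") {
			continue
		}
		matches := registryRegex.FindAll(line, -1)
		if isFrom {
			// Reset on every FROM so only the final stage's base is remembered;
			// an external final base (UBI, scratch) leaves it empty.
			lastFromRef = ""
			if len(matches) > 0 {
				lastFromRef = string(matches[0])
			}
		}
		for _, m := range matches {
			ref := string(m)
			if uses[ref] == 0 {
				ordered = append(ordered, ref) // first sighting: keep order, dedupe
			}
			uses[ref]++
		}
	}

	if !finalFromOverridden || lastFromRef == "" || uses[lastFromRef] > 1 {
		return ordered
	}
	// Drop the final FROM's reference only when that line is its sole use.
	out := make([]string, 0, len(ordered))
	for _, ref := range ordered {
		if ref != lastFromRef {
			out = append(out, ref)
		}
	}
	return out
}

// constructedDockerfile is sample input written for this example: a registry.ci
// builder stage, a continued RUN pull, a commented-out COPY, an external UBI final stage.
const constructedDockerfile = `# Builder stage on an OCP builder image
FROM registry.ci.openshift.org/ocp/builder:rhel-9-golang-1.22-openshift-4.19 AS builder
RUN make build
# Pull helper images; the first reference sits on a continued line
RUN podman pull \
    registry.ci.openshift.org/ocp/4.19:base && \
    podman pull quay-proxy.ci.openshift.org/openshift/release:golang-1.22
# COPY --from=registry.ci.openshift.org/ocp/4.19:tools /usr/bin/oc /usr/bin/oc
FROM registry.access.redhat.com/ubi9/ubi-minimal:latest
COPY --from=builder /go/bin/example /usr/bin/example
`

func main() {
	// true mirrors a config that sets `from`; the UBI final FROM does not match,
	// so all three registry.ci/quay-proxy references are reported as inputs.
	for _, ref := range extractRegistryReferences([]byte(constructedDockerfile), true) {
		fmt.Println(ref)
	}
}
```

Running it prints the builder image, the base image pulled on the continued RUN line and the quay-proxy image, in that order; the commented-out COPY contributes nothing. With a Dockerfile whose final FROM is itself a registry.ci image, `finalFromOverridden=true` drops that one reference unless a builder stage or RUN pull also uses it, which is the case the review comment above flags.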

@deepsm007 (Contributor, Author) commented

/override ci/prow/integration

unrelated failures to the PR

@openshift-ci (Bot) commented Jun 10, 2026

@deepsm007: Overrode contexts on behalf of deepsm007: ci/prow/integration


In response to this:

/override ci/prow/integration

unrelated failures to the PR

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@deepsm007 (Contributor, Author) commented

/override ci/prow/images

@openshift-ci (Bot) commented Jun 10, 2026

@deepsm007: Overrode contexts on behalf of deepsm007: ci/prow/images


In response to this:

/override ci/prow/images

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@openshift-merge-bot (Contributor) commented

Tests from the second stage were triggered manually. The pipeline can be controlled only manually until HEAD changes. Use the command to trigger the second stage.

@hector-vido (Contributor) commented

/lgtm

@openshift-ci (Bot) added the lgtm label (indicates that a PR is ready to be merged) on Jun 10, 2026
@openshift-ci (Bot) commented Jun 10, 2026

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: deepsm007, hector-vido

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:
  • OWNERS [deepsm007,hector-vido]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@deepsm007 (Contributor, Author) commented

/retest

@deepsm007 (Contributor, Author) commented

/override ci/prow/unit
/override ci/prow/images

@openshift-ci (Bot) commented Jun 10, 2026

@deepsm007: Overrode contexts on behalf of deepsm007: ci/prow/images, ci/prow/unit


In response to this:

/override ci/prow/unit
/override ci/prow/images

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@openshift-merge-bot (Contributor) commented

/retest-required

Remaining retests: 0 against base HEAD 2c32eac and 2 for PR HEAD 61b8243 in total

@openshift-ci (Bot) commented Jun 11, 2026

@deepsm007: all tests passed!

Full PR test history. Your PR dashboard.


Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

@openshift-merge-bot (Bot) merged commit 3b0a18a into openshift:main on Jun 11, 2026
17 checks passed

Labels

approved Indicates a PR has been approved by an approver from all required OWNERS files. lgtm Indicates that a PR is ready to be merged.
