address comments

Author: mantomas

ansible/roles/operator-pipeline/templates/openshift/tasks/merge-pr.yml

@@ -69,6 +69,9 @@ spec:
 
     - name: merge-pull-request
       image: "$(params.pipeline_image)"
+      volumeMounts:
+        - name: merge-guard-git-scratch
+          mountPath: /tmp/merge-guard-git
       env:
         - name: HOME
           value: "$(params.userHome)"
@@ -97,6 +100,8 @@ spec:
         if [[ "$(params.enable_merge_base_lane_guard)" == "true" ]] \
             && [[ "$(workspaces.merge-base-guard.bound)" == "true" ]] \
             && [[ -f "$(workspaces.merge-base-guard.path)/snapshot.json" ]]; then
+            SCRATCH_GIT_DIR="/tmp/merge-guard-git/repo"
+            rm -rf "${SCRATCH_GIT_DIR}"
             mkdir -p "${HOME}"
             if [[ "${WORKSPACE_SSH_DIRECTORY_BOUND}" == "true" ]]; then
               cp -R "${WORKSPACE_SSH_DIRECTORY_PATH}" "${HOME}/.ssh"
@@ -112,10 +117,10 @@ spec:
             # Inject safe.directory without mutating $HOME/.gitconfig.
             export GIT_CONFIG_COUNT=1
             export GIT_CONFIG_KEY_0=safe.directory
-            export GIT_CONFIG_VALUE_0="$(workspaces.source.path)"
+            export GIT_CONFIG_VALUE_0="${SCRATCH_GIT_DIR}"
             VERIFY_RC=0
             merge-base-lane-fingerprint verify \
-              --git-dir "$(workspaces.source.path)" \
+              --git-dir "${SCRATCH_GIT_DIR}" \
               --git-repo-url "$(params.git_repo_url)" \
               --git-base-branch "$(params.git_base_branch)" \
               --snapshot-file "$(workspaces.merge-base-guard.path)/snapshot.json" \
@@ -170,3 +175,6 @@ spec:
               exit 1
             fi
         fi
+  volumes:
+    - name: merge-guard-git-scratch
+      emptyDir: {}

ansible/roles/operator-pipeline/templates/openshift/tasks/record-merge-base-lane-snapshot.yml

@@ -43,7 +43,7 @@ spec:
         Clone of the repo at git_commit_base (detect-changes). Reused for fingerprinting
         when the live remote tip still matches git_commit_base (no second clone).
     - name: output
-      description: Writes snapshot.json and ephemeral tip clone (e.g. results/merge-base-guard).
+      description: Writes snapshot.json for merge-pr guard input.
     - name: ssh-directory
       optional: true
       description: >
@@ -52,6 +52,9 @@ spec:
     - name: record-snapshot
       image: "$(params.pipeline_image)"
       workingDir: $(workspaces.output.path)
+      volumeMounts:
+        - name: merge-guard-git-scratch
+          mountPath: /tmp/merge-guard-git
       env:
         - name: HOME
           value: "$(params.userHome)"
@@ -87,7 +90,7 @@ spec:
         fi
 
         BASE_CLONE="$(workspaces.base.path)"
-        TIP_CLONE="$(workspaces.output.path)/tip-clone"
+        TIP_CLONE="/tmp/merge-guard-git/tip-clone"
 
         REMOTE_URL="$(params.git_repo_url)"
         if [[ "${REMOTE_URL}" == git@* ]] || [[ "${REMOTE_URL}" == ssh://* ]]; then
@@ -129,3 +132,6 @@ spec:
           --operator-path "$(params.operator_path)" \
           --added-or-modified-catalog-operators "$(params.added_or_modified_catalog_operators)" \
           --output "$(workspaces.output.path)/snapshot.json"
+  volumes:
+    - name: merge-guard-git-scratch
+      emptyDir: {}

operatorcert/entrypoints/merge_base_lane_fingerprint.py

@@ -15,6 +15,13 @@
 
 
 def _parser() -> argparse.ArgumentParser:
+    """
+    Create the CLI argument parser.
+
+    Returns:
+        argparse.ArgumentParser: Configured parser with `record` and `verify`
+            subcommands.
+    """
     parser = argparse.ArgumentParser(
         description="Record or verify a fingerprint of operator/catalog paths on the base branch."
     )
@@ -85,7 +92,12 @@ def _parser() -> argparse.ArgumentParser:
 
 
 def main() -> None:
-    """CLI entrypoint for record or verify merge-base lane fingerprint snapshots."""
+    """
+    Run the merge-base lane fingerprint CLI entrypoint.
+
+    Parses arguments, configures logging, and dispatches to either
+    `record_snapshot` or `verify_snapshot`.
+    """
     parser = _parser()
     args = parser.parse_args()
     setup_logger(level="DEBUG" if args.verbose else "INFO")

operatorcert/merge_base_lane.py

@@ -16,12 +16,18 @@
 
 def _git_global_args_for_ssh_remote(remote_url: str) -> list[str]:
     """
-    Extra `git -c ...` options so SSH matches Tekton git-clone (git-init) behavior.
+    Build optional git config args for SSH remotes.
 
-    git-init uses StrictHostKeyChecking=accept-new, so clone works when the
-    ssh-directory secret has a key but no known_hosts. Plain `git ls-remote` /
-    `git fetch` in the pipeline image use OpenSSH defaults and fail with
-    "Host key verification failed" in that setup.
+    Adds `git -c ...` options so SSH behavior matches Tekton git-init. This
+    keeps host key checking compatible with setups where the ssh-directory
+    secret has keys but no `known_hosts` file.
+
+    Args:
+        remote_url (str): Git remote URL.
+
+    Returns:
+        list[str]: Extra arguments for a git command, or an empty list for
+            non-SSH remotes.
     """
     u = remote_url.strip()
     if u.startswith("git@") or u.startswith("ssh://"):
@@ -33,19 +39,36 @@ def _git_global_args_for_ssh_remote(remote_url: str) -> list[str]:
 
 
 def split_csv(value: str) -> list[str]:
-    """Split comma-separated Tekton params into stripped non-empty segments."""
+    """
+    Split a comma-separated value into normalized segments.
+
+    Args:
+        value (str): Comma-separated text.
+
+    Returns:
+        list[str]: Non-empty, whitespace-trimmed segments.
+    """
     if not value or not value.strip():
         return []
     return [p.strip() for p in value.split(",") if p.strip()]
 
 
 def catalog_operator_segment_to_repo_path(segment: str) -> str:
     """
-    Map detect-changes catalog operator segments to repo-root-relative paths.
+    Map a detect-changes catalog segment to a repo-relative path.
 
-    `detect-changed-operators` emits `version/operator` (e.g. `v4.14/foo`)
-    without the `catalogs/` prefix. Entries may also already be under
-    `catalogs/...` in which case they are normalized as-is.
+    `detect-changed-operators` emits `version/operator` values (for example
+    `v4.14/foo`) without a `catalogs/` prefix. Inputs already under
+    `catalogs/...` are normalized and returned as-is.
+
+    Args:
+        segment (str): Catalog operator segment.
+
+    Returns:
+        str: Normalized path under `catalogs/`.
+
+    Raises:
+        ValueError: If the segment is empty, absolute, unsafe, or malformed.
     """
     s = segment.strip()
     if not s:
@@ -71,10 +94,22 @@ def build_lane_paths(
     operator_path: str, added_or_modified_catalog_operators: str
 ) -> list[str]:
     """
-    Union and de-duplicate path prefixes that define the merge guard lane on the base tree.
+    Build sorted unique path prefixes for the merge guard lane.
+
+    Combines `operator_path` (`operators/...`) and
+    `added_or_modified_catalog_operators` from detect-changes
+    (comma-separated `version/operator` or `catalogs/...`).
+
+    Args:
+        operator_path (str): Operator path reported by detect-changes.
+        added_or_modified_catalog_operators (str): Comma-separated catalog
+            operator segments from detect-changes.
 
-    Uses `operator_path` (`operators/...`) and `added_or_modified_catalog_operators`
-    from detect-changes (comma-separated `version/operator` or `catalogs/...`).
+    Returns:
+        list[str]: Sorted, de-duplicated lane paths.
+
+    Raises:
+        ValueError: If any resolved path is unsafe.
     """
     paths: set[str] = set()
 
@@ -102,7 +137,18 @@ def _add_operator_path(raw: str) -> None:
 
 def git_ls_tree_lines(git_dir: Path, tree_ish: str, paths: Sequence[str]) -> list[str]:
     """
-    Return sorted lines from `git ls-tree -r` for the given paths (stable fingerprint input).
+    Return sorted `git ls-tree -r` output lines for selected paths.
+
+    Args:
+        git_dir (Path): Repository directory.
+        tree_ish (str): Commit, ref, or tree expression to inspect.
+        paths (Sequence[str]): Path prefixes to include.
+
+    Returns:
+        list[str]: Sorted non-empty `git ls-tree` lines.
+
+    Raises:
+        RuntimeError: If `git ls-tree` fails.
     """
     if not paths:
         return []
@@ -125,7 +171,15 @@ def git_ls_tree_lines(git_dir: Path, tree_ish: str, paths: Sequence[str]) -> lis
 
 def fingerprint_lane(git_dir: Path, tree_ish: str, paths: Sequence[str]) -> str:
     """
-    SHA256 hex digest of canonical ls-tree output for paths at tree_ish.
+    Compute a SHA256 fingerprint for the lane paths at a tree-ish.
+
+    Args:
+        git_dir (Path): Repository directory.
+        tree_ish (str): Commit, ref, or tree expression to fingerprint.
+        paths (Sequence[str]): Path prefixes that define the lane.
+
+    Returns:
+        str: Hex-encoded SHA256 digest of canonical `git ls-tree` output.
     """
     lines = git_ls_tree_lines(git_dir, tree_ish, paths)
     blob = "\n".join(lines).encode("utf-8")
@@ -134,14 +188,24 @@ def fingerprint_lane(git_dir: Path, tree_ish: str, paths: Sequence[str]) -> str:
 
 def git_ls_remote_tip(remote_url: str, branch: str) -> str:
     """
-    Resolve refs/heads/<branch> OID via `git ls-remote`.
-
-    Uses the current process environment (`HOME`, `SSH_AUTH_SOCK`, etc.).
-    For SSH `remote_url` values, callers must install the same credentials as
-    `git-clone` (for example Tekton `ssh-directory` copied to `$HOME/.ssh`)
-    before invoking the CLI. SSH host-key handling matches Tekton git-init
-    (`StrictHostKeyChecking=accept-new`) so missing `known_hosts` in the secret
-    does not break verify after a successful clone.
+    Resolve the current object ID for a remote branch tip.
+
+    Uses `git ls-remote` against `refs/heads/<branch>` in the current process
+    environment (`HOME`, `SSH_AUTH_SOCK`, and related settings).
+
+    For SSH remotes, callers must provide credentials equivalent to the clone
+    step (for example Tekton `ssh-directory` copied to `$HOME/.ssh`). SSH host
+    key handling mirrors Tekton git-init (`StrictHostKeyChecking=accept-new`).
+
+    Args:
+        remote_url (str): Git remote URL.
+        branch (str): Branch name.
+
+    Returns:
+        str: Object ID for `refs/heads/<branch>`.
+
+    Raises:
+        RuntimeError: If `git ls-remote` fails or the branch ref is missing.
     """
     ref = f"refs/heads/{branch}"
     cmd = [
@@ -173,10 +237,40 @@ def git_fetch_branch_tip(
     git_dir: Path, remote_name: str, remote_url: str, branch: str, local_ref: str
 ) -> None:
     """
-    Shallow-fetch branch tip from `remote_url` into `local_ref`.
+    Shallow-fetch a remote branch tip into a local ref.
+
+    This uses the same SSH/HTTPS credential requirements as
+    `git_ls_remote_tip()`.
+
+    Args:
+        git_dir (Path): Repository directory.
+        remote_name (str): Temporary remote name to create.
+        remote_url (str): Git remote URL.
+        branch (str): Branch name to fetch.
+        local_ref (str): Destination local ref.
 
-    Same SSH/HTTPS credential requirements as :func:`git_ls_remote_tip`.
+    Raises:
+        RuntimeError: If remote add or fetch fails.
     """
+    git_dir.mkdir(parents=True, exist_ok=True)
+    probe = subprocess.run(
+        ["git", "-C", str(git_dir), "rev-parse", "--git-dir"],
+        check=False,
+        capture_output=True,
+        text=True,
+    )
+    if probe.returncode != 0:
+        init = subprocess.run(
+            ["git", "init", str(git_dir)],
+            check=False,
+            capture_output=True,
+            text=True,
+        )
+        if init.returncode != 0:
+            raise RuntimeError(
+                f"git init failed ({init.returncode}): "
+                f"{init.stderr.strip() or init.stdout.strip()}"
+            )
     # remove the local remote if it exists
     subprocess.run(
         ["git", "-C", str(git_dir), "remote", "remove", remote_name],
@@ -221,13 +315,27 @@ def git_fetch_branch_tip(
 
 
 def load_snapshot(path: Path) -> Any:
-    """Load a snapshot from a file."""
+    """
+    Load a snapshot JSON file.
+
+    Args:
+        path (Path): Snapshot file path.
+
+    Returns:
+        Any: Parsed JSON snapshot data.
+    """
     with path.open(encoding="utf-8") as f:
         return json.load(f)
 
 
 def write_snapshot(path: Path, data: dict[str, Any]) -> None:
-    """Write a snapshot to a file."""
+    """
+    Write snapshot data to a JSON file.
+
+    Args:
+        path (Path): Output snapshot path.
+        data (dict[str, Any]): Snapshot payload to serialize.
+    """
     path.parent.mkdir(parents=True, exist_ok=True)
     with path.open("w", encoding="utf-8") as f:
         json.dump(data, f, indent=2, sort_keys=True)
@@ -241,7 +349,17 @@ def record_snapshot(
     added_or_modified_catalog_operators: str,
     output: Path,
 ) -> None:
-    """Record a snapshot of the merge-base lane fingerprint."""
+    """
+    Record a snapshot of the merge-base lane fingerprint.
+
+    Args:
+        git_dir (Path): Repository directory.
+        tree_ish (str): Commit or ref used as the base snapshot point.
+        operator_path (str): Operator path from detect-changes.
+        added_or_modified_catalog_operators (str): Comma-separated catalog
+            operator segments from detect-changes.
+        output (Path): Snapshot JSON output path.
+    """
     paths = build_lane_paths(operator_path, added_or_modified_catalog_operators)
     if not paths:
         write_snapshot(
@@ -275,11 +393,26 @@ def verify_snapshot(
     snapshot_file: Path,
 ) -> int:
     """
-    Returns 0 if merge is allowed, EXIT_LANE_MISMATCH if lane changed on base, 1 on error.
+    Verify snapshot validity against the current base branch lane.
+
+    Returns 0 if merge is allowed, `EXIT_LANE_MISMATCH` if the lane changed on
+    the base branch, and 1 when verification fails.
+
+    If `remote_url` is not reachable from clone-local configuration alone,
+    configure git credentials in the process environment as required by
+    `git_ls_remote_tip()`.
+
+    Args:
+        git_dir (Path): Repository directory.
+        remote_url (str): Upstream repository URL.
+        branch (str): Base branch name.
+        snapshot_file (Path): Snapshot JSON path written during record.
+
+    Returns:
+        int: Verification status code.
 
-    When `remote_url` is not reachable from the local clone alone, `git ls-remote` /
-    `git fetch` run in the process environment; configure git credentials accordingly
-    (see :func:`git_ls_remote_tip`).
+    Raises:
+        ValueError: If snapshot content is structurally invalid.
     """
     try:
         snap = load_snapshot(snapshot_file)