From 5dfe2e38b78eb5c924d42017a392154a5f5fd079 Mon Sep 17 00:00:00 2001
From: Juan Manuel Parrilla Madrid
Date: Tue, 16 Jun 2026 11:40:37 +0200
Subject: [PATCH] CNTRLPLANE-3509: Deep-verify release component digests before accepting

The CI registry can garbage-collect individual component image digests while the release tag itself remains accessible. This caused NodePool tests to fail with "manifest unknown" when the ignition server tried to pull component images (e.g. machine-config-operator) by digest. The existing verify_image_pullable only checked the release tag via `oc image info`, which passed even for stale releases. Add a second check that extracts the MCO digest from the release metadata and verifies it is actually pullable in the registry. If the digest has been GC'd, the fallback to the nightly stream is triggered as intended.
Co-Authored-By: Claude Opus 4.6 (1M context)
Signed-off-by: Juan Manuel Parrilla Madrid
---
 ...hift-resolve-nodepool-releases-commands.sh | 19 ++++++++++++++++---
 1 file changed, 16 insertions(+), 3 deletions(-)

diff --git a/ci-operator/step-registry/hypershift/resolve-nodepool-releases/hypershift-resolve-nodepool-releases-commands.sh b/ci-operator/step-registry/hypershift/resolve-nodepool-releases/hypershift-resolve-nodepool-releases-commands.sh
index a5450dc86a1ec..b96c78133fdbe 100755
--- a/ci-operator/step-registry/hypershift/resolve-nodepool-releases/hypershift-resolve-nodepool-releases-commands.sh
+++ b/ci-operator/step-registry/hypershift/resolve-nodepool-releases/hypershift-resolve-nodepool-releases-commands.sh
@@ -35,11 +35,24 @@ resolve_from_stream() {
 
 verify_image_pullable() {
   local pullspec=$1
+  local auth_args=""
   if [[ -f "${REGISTRY_AUTH}" ]]; then
-    oc image info --filter-by-os linux/amd64 -a "${REGISTRY_AUTH}" "${pullspec}" &>/dev/null
-  else
-    oc image info --filter-by-os linux/amd64 "${pullspec}" &>/dev/null
+    auth_args="-a ${REGISTRY_AUTH}"
   fi
+
+  # Check 1: release tag manifest exists and is the right architecture
+  # shellcheck disable=SC2086
+  oc image info --filter-by-os linux/amd64 ${auth_args} "${pullspec}" &>/dev/null || return 1
+
+  # Check 2: internal component digests are still alive in the registry.
+  # The release tag can outlive its component digests when the CI registry
+  # garbage-collects old images. Extract the MCO digest from the release
+  # metadata and verify it is actually pullable.
+  local mco_digest
+  # shellcheck disable=SC2086
+  mco_digest=$(oc adm release info ${auth_args} "${pullspec}" --image-for=machine-config-operator 2>/dev/null) || return 1
+  # shellcheck disable=SC2086
+  oc image info --filter-by-os linux/amd64 ${auth_args} "${mco_digest}" &>/dev/null || return 1
 }
 
 resolve_release_image() {
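Review bot: `auth_args="-a ${REGISTRY_AUTH}"` depends on unquoted word-splitting at the three `${auth_args}` call sites (hence the SC2086 suppressions), so a `REGISTRY_AUTH` path containing spaces or glob characters is split or expanded before `oc` sees it, whereas the removed lines passed `-a "${REGISTRY_AUTH}"` quoted and did not have this problem. Since the function already uses bash-only syntax (`[[`, `&>`), a bash array keeps the argument intact and lets the suppressions go: `local -a auth_args=()`, `auth_args=(-a "${REGISTRY_AUTH}")`, and `"${auth_args[@]}"` at each call; if the script runs under `set -u` on bash older than 4.4, spell the empty-array expansion `${auth_args[@]+"${auth_args[@]}"}`. Two smaller points: `mco_digest` holds the full pullspec printed by `--image-for`, not a bare digest, so `mco_pullspec` would be a less misleading name; and both checks discard stderr, so the nightly fallback fires with no record of whether the release tag or the MCO image was the missing manifest — a short message to stderr before each `return 1` would make the rejection reason visible in the job log.

```shell
verify_image_pullable() {
  local pullspec=$1
  local -a auth_args=()
  if [[ -f "${REGISTRY_AUTH}" ]]; then
    auth_args=(-a "${REGISTRY_AUTH}")
  fi
  # … unchanged: Check 1 comment …
  oc image info --filter-by-os linux/amd64 "${auth_args[@]}" "${pullspec}" &>/dev/null \
    || { printf 'release tag not pullable: %s\n' "${pullspec}" >&2; return 1; }
  # … unchanged: Check 2 comment …
  local mco_pullspec
  mco_pullspec=$(oc adm release info "${auth_args[@]}" "${pullspec}" --image-for=machine-config-operator 2>/dev/null) \
    || { printf 'cannot resolve machine-config-operator in %s\n' "${pullspec}" >&2; return 1; }
  oc image info --filter-by-os linux/amd64 "${auth_args[@]}" "${mco_pullspec}" &>/dev/null \
    || { printf 'component image not pullable: %s\n' "${mco_pullspec}" >&2; return 1; }
```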