[CONTP-1547] Push rc-latest mutable image tags from Operator GitLab pipeline #2903

Merged
tbavelier merged 5 commits into main from tbavelier/contp-1547-mutable-rc
Apr 15, 2026
@tbavelier (Member) commented Apr 15, 2026

What does this PR do?

Updates the GitLab CI pipeline to push rc-latest mutable image tags alongside each vX.Y.Z-rc.W RC release, and prevents RC tags from accidentally updating the latest mutable tag.

Commit breakdown

  • 58be0e6 Directly skip release-latest jobs for RC tags — Adds a when: never guard as the first rule of publish_public_latest (inherited by publish_public_latest_fips via extends) so that RC tags (vX.Y.Z-rc.W) no longer trigger the operator:latest / operator:latest-fips publish jobs. Previously nothing prevented a manually triggered publish_public_latest from promoting an RC to latest.

  • abbc2dc Add public rc-latest tag for RCs — Adds publish_public_rc_latest and publish_public_rc_latest_fips jobs in the release-latest stage. They trigger DataDog/public-images to push operator:rc-latest and operator:rc-latest-fips to DockerHub, activated only on RC tags, as manual jobs consistent with the other release publish jobs.

  • c9ad0d6 Add internal rc-latest tag for RCs — Adds trigger_internal_operator_image_rc_latest and trigger_internal_operator_image_fips_rc_latest jobs in the release-latest stage. They trigger DataDog/images with RELEASE_TAG: rc-latest / rc-latest-fips so the internal registry also receives the mutable RC tag automatically (consistent with trigger_internal_operator_image which also runs automatically on tags). The FIPS variant uses extends following the established pattern.

  • 6315c32 Extends FIPS internal job instead of fully re-defining it — Refactors the pre-existing trigger_internal_operator_image_fips to use extends: trigger_internal_operator_image, overriding only the four FIPS-specific variables (IMAGE_VERSION, TMPL_SRC_IMAGE, RELEASE_TAG, BUILD_TAG). This is consistent with how all other FIPS variants (publish_public_tag_fips, publish_public_latest_fips, etc.) are defined.

  • da6f83a Make internal rc-latest image jobs automatic — Removes the when: manual from trigger_internal_operator_image_rc_latest (inherited by its FIPS variant via extends) to match the behaviour of the existing internal image jobs, which run automatically on tags. Only the public publish jobs are manual.

Motivation

Part of CONTP-1547 — Phase 0 of the Operator Release Transfer to Agent Delivery initiative. Currently, each RC release requires a manual PR to image-vuln-scans to bump the scanned version. By pushing a mutable rc-latest tag, the vulnerability scanning pipeline can always read the latest RC image automatically.

Additional Notes

Steps 3 and 4 of CONTP-1547 (updating image-vuln-scans and verifying the scan pipeline) will be handled separately.

Minimum Agent Versions

N/A — pipeline-only change.

Describe your test plan

Verify on the next RC release (vX.Y.Z-rc.W tag) that:

  • publish_public_rc_latest and publish_public_rc_latest_fips appear as manual jobs in the release-latest stage
  • trigger_internal_operator_image_rc_latest and trigger_internal_operator_image_fips_rc_latest run automatically in the release-latest stage
  • publish_public_latest and publish_public_latest_fips do not appear (skipped by the new when: never rule)

Checklist

  • PR has at least one valid label: bug, enhancement, refactoring, documentation, tooling, and/or dependencies
  • PR has a milestone or the qa/skip-qa label
  • All commits are signed (see: signing commits)
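
The rule ordering described in this PR, modelled as an added example (not part of the PR or the repository's `.gitlab-ci.yml`): GitLab evaluates `rules:` top to bottom and the first match decides, so the `when: never` guard only protects `latest` if it comes first. The tag regexes, the rule tuples, the assumed pre-existing "manual on any version tag" rule, and the sample tag `v1.26.0-rc.1` are assumptions made for illustration.

```python
import re

# Assumed patterns: the PR gives the tag shape vX.Y.Z-rc.W, not a regex.
RC_TAG = re.compile(r"^v\d+\.\d+\.\d+-rc\.\d+$")
ANY_TAG = re.compile(r"^v\d+\.\d+\.\d+")

# Each rule is (pattern, when). Reconstructed from the PR description only.
NEVER_ON_RC = (RC_TAG, "never")
JOBS_AFTER = {
    "publish_public_latest": {"rules": [NEVER_ON_RC, (ANY_TAG, "manual")]},
    "publish_public_latest_fips": {"extends": "publish_public_latest"},
    "publish_public_rc_latest": {"rules": [(RC_TAG, "manual")]},
    "publish_public_rc_latest_fips": {"extends": "publish_public_rc_latest"},
    "trigger_internal_operator_image_rc_latest": {
        "rules": [(RC_TAG, "on_success")]},
    "trigger_internal_operator_image_fips_rc_latest": {
        "extends": "trigger_internal_operator_image_rc_latest"},
}
# Assumed "before" state of the public latest job: no RC guard.
JOBS_BEFORE = {"publish_public_latest": {"rules": [(ANY_TAG, "manual")]}}


def resolve_rules(jobs, name):
    """Follow `extends` until a job that defines its own rules is found."""
    job = jobs[name]
    while "rules" not in job:
        job = jobs[job["extends"]]
    return job["rules"]


def job_state(jobs, name, tag):
    """First matching rule wins; no match or `never` keeps the job out."""
    for pattern, when in resolve_rules(jobs, name):
        if pattern.search(tag):
            return None if when == "never" else when
    return None


def pipeline(jobs, tag):
    """Map of job name -> when, for jobs created for this tag."""
    states = {name: job_state(jobs, name, tag) for name in jobs}
    return {name: when for name, when in states.items() if when}
```

Running `pipeline(JOBS_BEFORE, "v1.26.0-rc.1")` shows the gap the guard closes: without it, the `latest` publish job is offered as a manual job on an RC tag.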

@tbavelier requested a review from a team April 15, 2026 08:30
@tbavelier added this to the v1.26.0 milestone Apr 15, 2026
Consistent with trigger_internal_operator_image and
trigger_internal_operator_image_fips which run automatically on tags.
Only the public publish jobs are manual.
@tbavelier changed the title from "Push rc-latest mutable image tags from Operator GitLab pipeline" to "[CONTP-1547] Push rc-latest mutable image tags from Operator GitLab pipeline" Apr 15, 2026
@codecov-commenter commented Apr 15, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 40.03%. Comparing base (79c0824) to head (da6f83a).

@@           Coverage Diff           @@
##             main    #2903   +/-   ##
=======================================
  Coverage   40.03%   40.03%           
=======================================
  Files         319      319           
  Lines       28066    28066           
=======================================
  Hits        11235    11235           
  Misses      16008    16008           
  Partials      823      823           
Flag Coverage Δ
unittests 40.03% <ø> (ø)

Δ = absolute <relative> (impact), ø = not affected, ? = missing data
@tbavelier merged commit a646370 into main Apr 15, 2026
38 checks passed
@tbavelier deleted the tbavelier/contp-1547-mutable-rc branch April 15, 2026 15:02
dd-octo-sts bot pushed a commit that referenced this pull request Apr 15, 2026
…ipeline (#2903)

* Directly skip release-latest jobs for RCs tags

* Add public rc-latest tag for RCs

* Add internal rc-latest tag for RCs

* Extends FIPS internal job instead of fully re-defining it

* Make internal rc-latest image jobs automatic

Consistent with trigger_internal_operator_image and
trigger_internal_operator_image_fips which run automatically on tags.
Only the public publish jobs are manual.

(cherry picked from commit a646370)