Conversation
…ipeline (#2903) * Directly skip release-latest jobs for RCs tags * Add public rc-latest tag for RCs * Add internal rc-latest tag for RCs * Extends FIPS internal job instead of fully re-defining it * Make internal rc-latest image jobs automatic Consistent with trigger_internal_operator_image and trigger_internal_operator_image_fips which run automatically on tags. Only the public publish jobs are manual. (cherry picked from commit a646370)
dd-octo-sts
bot
added
backport
Codecov Report✅ All modified and coverable lines are covered by tests. Additional details and impacted files@@ Coverage Diff @@
## v1.26 #2907 +/- ##
=======================================
Coverage 40.05% 40.05%
=======================================
Files 319 319
Lines 28052 28052
=======================================
Hits 11237 11237
Misses 15993 15993
Partials 822 822
Flags with carried forward coverage won't be shown. Click here to find out more. Continue to review full report in Codecov by Sentry.
🚀 New features to boost your workflow:
|
khewonc
approved these changes
Apr 15, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Backport a646370 from #2903.
What does this PR do?
Updates the GitLab CI pipeline to push
rc-latestmutable image tags alongside eachvX.Y.Z-rc.WRC release, and prevents RC tags from accidentally updating thelatestmutable tag.Commit breakdown
58be0e6 Directly skip release-latest jobs for RC tags — Adds a
when: neverguard as the first rule ofpublish_public_latest(inherited bypublish_public_latest_fipsviaextends) so that RC tags (vX.Y.Z-rc.W) no longer trigger theoperator:latest/operator:latest-fipspublish jobs. Previously nothing prevented a manually triggeredpublish_public_latestfrom promoting an RC tolatest.abbc2dc Add public rc-latest tag for RCs — Adds
publish_public_rc_latestandpublish_public_rc_latest_fipsjobs in therelease-lateststage. They triggerDataDog/public-imagesto pushoperator:rc-latestandoperator:rc-latest-fipsto DockerHub, activated only on RC tags, as manual jobs consistent with the other release publish jobs.c9ad0d6 Add internal rc-latest tag for RCs — Adds
trigger_internal_operator_image_rc_latestandtrigger_internal_operator_image_fips_rc_latestjobs in therelease-lateststage. They triggerDataDog/imageswithRELEASE_TAG: rc-latest/rc-latest-fipsso the internal registry also receives the mutable RC tag automatically (consistent withtrigger_internal_operator_imagewhich also runs automatically on tags). The FIPS variant usesextendsfollowing the established pattern.6315c32 Extends FIPS internal job instead of fully re-defining it — Refactors the pre-existing
trigger_internal_operator_image_fipsto useextends: trigger_internal_operator_image, overriding only the four FIPS-specific variables (IMAGE_VERSION,TMPL_SRC_IMAGE,RELEASE_TAG,BUILD_TAG). This is consistent with how all other FIPS variants (publish_public_tag_fips,publish_public_latest_fips, etc.) are defined.da6f83a Make internal rc-latest image jobs automatic — Removes the
when: manualfromtrigger_internal_operator_image_rc_latest(inherited by its FIPS variant viaextends) to match the behaviour of the existing internal image jobs, which run automatically on tags. Only the public publish jobs are manual.Motivation
Part of CONTP-1547 — Phase 0 of the Operator Release Transfer to Agent Delivery initiative. Currently, each RC release requires a manual PR to
image-vuln-scansto bump the scanned version. By pushing a mutablerc-latesttag, the vulnerability scanning pipeline can always read the latest RC image automatically.Additional Notes
Steps 3 and 4 of CONTP-1547 (updating
image-vuln-scansand verifying the scan pipeline) will be handled separately.Minimum Agent Versions
N/A — pipeline-only change.
Describe your test plan
Verify on the next RC release (
vX.Y.Z-rc.Wtag) that:publish_public_rc_latestandpublish_public_rc_latest_fipsappear as manual jobs in therelease-lateststagetrigger_internal_operator_image_rc_latestandtrigger_internal_operator_image_fips_rc_latestrun automatically in therelease-lateststagepublish_public_latestandpublish_public_latest_fipsdo not appear (skipped by the newwhen: neverrule)Checklist
bug,enhancement,refactoring,documentation,tooling, and/ordependenciesqa/skip-qalabel