
ci: combine kind test and image publish into single workflow #18

Merged: pavelanni merged 3 commits into main from ci/unified-workflow on Jun 18, 2026

Conversation

@cooktheryan (Collaborator) commented Jun 17, 2026

Summary

  • Replaces separate publish-images.yml with unified test-kind.yml that runs kind-based e2e tests on PRs and pushes, then conditionally publishes images
  • Pins all GitHub Actions to commit hashes for supply-chain security
  • Extracted from #15 (feat: add spec.traces and spec.logs for OTel forwarding) to keep workflow changes separate from feature work

Test plan

  • Verify kind e2e test job runs on PR
  • Verify publish job triggers on push to main (when QUAY_PUBLISH_ENABLED is set)
  • Verify workflow_dispatch inputs work correctly

🤖 Generated with Claude Code

Summary by CodeRabbit

  • Chores
    • Unified CI/CD workflows to integrate cluster-based testing, configuration validation, container image building, registry publishing, and scorecard testing into a single cohesive pipeline. Enhancements include comprehensive failure diagnostics, extended debug output collection on test failures, and automated resource cleanup procedures for improved development workflow efficiency.

Replace separate publish-images.yml with unified test-kind.yml that runs
kind-based e2e tests on PRs and pushes, then conditionally publishes
images. Pins all actions to commit hashes.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
coderabbitai (Bot) commented Jun 17, 2026


ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Enterprise

Run ID: 1e720309-7cdc-4c98-8f3a-d4398e65c5f1

📥 Commits

Reviewing files that changed from the base of the PR and between c0b0d10 and d3f7c4d.

📒 Files selected for processing (1)
  • .github/workflows/test-kind.yml
📝 Walkthrough

The standalone .github/workflows/publish-images.yml workflow is deleted and its logic is merged into a new .github/workflows/test-kind.yml file that defines a single ci workflow. The new workflow adds a full kind cluster E2E test job and consolidates the existing image build/push and scorecard steps into a conditional publish job.

Changes

Consolidated CI Workflow

| Layer | File(s) | Summary |
| --- | --- | --- |
| Workflow triggers, permissions, and env defaults | .github/workflows/test-kind.yml | Declares push/pull_request/workflow_dispatch triggers (including publishing inputs), top-level permissions, and shared environment variables for both jobs. |
| Test job: cluster provisioning, operator deployment, and CR setup | .github/workflows/test-kind.yml | Creates a kind cluster, builds and loads operator/proxy images, installs cert-manager and the operator, deploys a mock OpenTelemetry backend, creates the Gemini API key secret, applies a Claw CR, and waits for the Ready condition. |
| Test job: runtime and network policy assertions | .github/workflows/test-kind.yml | Validates sidecar injection, collector config content and exporter naming, operator.json diagnostics keys, gateway OTel env vars, Prometheus port 9464 exposure, in-cluster egress NetworkPolicy, patch-driven split-exporter behavior, and external endpoint egress rules. |
| Test job: failure diagnostics and cleanup | .github/workflows/test-kind.yml | On failure, collects controller-manager logs, Claw CR state, events, gateway pod description/logs, configmap contents, and network policy dumps; always deletes the kind cluster. |
| Publish job: image build/push and scorecard | .github/workflows/test-kind.yml, .github/workflows/publish-images.yml | Replaces the deleted publish-images.yml; resolves SHA and optional latest tags, builds/tags images, logs into Quay.io, pushes operator/proxy images, generates scorecard bundle manifests, runs non-blocking Operator SDK scorecard tests in a separate kind cluster, and cleans up. |

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Possibly related PRs

  • redhat-et/claw-operator#2: This PR originally introduced the .github/workflows/publish-images.yml workflow that the current PR removes and consolidates into test-kind.yml.
🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)

| Check name | Status | Explanation |
| --- | --- | --- |
| Description Check | ✅ Passed | Check skipped - CodeRabbit's high-level summary is enabled. |
| Title check | ✅ Passed | The title accurately summarizes the main change: consolidating two separate workflows (publish-images.yml and test-kind.yml) into a single unified workflow that combines kind testing with image publishing. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |


Strip the e2e test down to a basic smoke test (deploy operator, create
Claw CR, wait for Ready) that works against main without the diagnostics
feature branch. OTel-specific validation belongs in the feature PR.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

coderabbitai (Bot) left a comment

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/test-kind.yml:
- Around line 79-96: The operator readiness check in the "Wait for operator pod"
step currently only verifies the pod phase is "Running" but does not check if
the pod has actually reached a Ready state, and the script does not fail if the
pod never becomes ready within the timeout window. Modify the readiness check to
verify the pod's Ready condition (check the
.status.conditions[?(@.type=="Ready")].status field) in addition to or instead
of just checking the Running phase, and add an explicit failure after the for
loop completes without finding a ready pod by adding a check that exits with a
non-zero status code if the POD variable remains empty after 60 iterations.
- Around line 50-55: The Kind binary downloaded in the Install Kind step lacks
cryptographic verification, creating a supply-chain security gap. After the curl
command that downloads the Kind binary to ./kind, add a second curl command to
fetch the SHA256 checksum from
https://kind.sigs.k8s.io/dl/v0.32.0/kind-linux-amd64.sha256sum and pipe it to
sha256sum -c to verify the downloaded binary's integrity before proceeding with
chmod and installation.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Enterprise

Run ID: 1ae1feb9-eb26-46b9-aab6-b36dc7d87902

📥 Commits

Reviewing files that changed from the base of the PR and between 6235859 and c0b0d10.

📒 Files selected for processing (2)
  • .github/workflows/publish-images.yml
  • .github/workflows/test-kind.yml
💤 Files with no reviewable changes (1)
  • .github/workflows/publish-images.yml

Comment on lines +50 to +55
- name: Install Kind
run: |
curl -Lo ./kind https://kind.sigs.k8s.io/dl/v0.32.0/kind-linux-amd64
chmod +x ./kind
sudo mv ./kind /usr/local/bin/kind
kind version
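Review bot: the download on the `curl -Lo ./kind` line has no `--fail`, so an HTTP error response (for example a 404 for a bad version string) is saved as ./kind, `chmod +x` succeeds, and the step only dies later at `kind version` with an unrelated-looking error; use `curl -fsSLo ./kind ...` so a failed download fails the step at once. The binary is also version-pinned (v0.32.0) but not integrity-checked, which is the gap CodeRabbit raises below; when adding that check, note that `sha256sum -c` matches on the file name recorded in the .sha256sum file, so the binary must be saved under that recorded name, or the digest compared explicitly, otherwise the check reports a missing file instead of verifying ./kind.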


⚠️ Potential issue | 🟠 Major

🧩 Analysis chain: script executed `cat -n .github/workflows/test-kind.yml | head -160` in repository redhat-et/claw-operator.

Verify downloaded artifacts and use digest-pinned images to close supply-chain gaps.

Three external artifacts lack cryptographic verification:

  1. Line 52: Kind binary downloaded without checksum. Add SHA256 verification:

    curl -Lo ./kind https://kind.sigs.k8s.io/dl/v0.32.0/kind-linux-amd64
    curl -L https://kind.sigs.k8s.io/dl/v0.32.0/kind-linux-amd64.sha256sum | sha256sum -c
  2. Line 68: cert-manager manifest applied without verification. Fetch and verify the manifest hash from the release before applying.

  3. Line 139: OTel collector image uses tag-only reference. Replace with digest:

    image: mirror.gcr.io/otel/opentelemetry-collector@sha256:<digest>

This hardens the CI supply chain by ensuring only verified artifacts run in the test environment.


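CodeRabbit's comment above suggests piping the published .sha256sum file into `sha256sum -c`. As an added example that is not part of the PR or of the claw-operator project, the script below instead compares digests explicitly (the function name `verify_sha256` and the sample files are constructed here), so the check also works when the binary is saved as ./kind while the checksum file records the release artifact name:

```shell
#!/usr/bin/env sh
# Added example (not code from the claw-operator repo or from CodeRabbit's
# suggested fix): verify a downloaded binary against a published .sha256sum
# file by comparing digests explicitly. Unlike `curl ... | sha256sum -c`, this
# does not depend on the local file name (./kind) matching the name recorded
# in the checksum file.
set -eu

# verify_sha256 FILE CHECKSUM_FILE -> 0 on match, 1 on mismatch or bad input.
verify_sha256() {
  file="$1"
  checksum_file="$2"
  [ -r "$checksum_file" ] || { echo "verify_sha256: cannot read $checksum_file" >&2; return 1; }
  # GNU sha256sum writes "<64 hex chars>  <name>"; only the digest is used,
  # so the recorded name may differ from the local file name.
  expected="$(awk 'NR == 1 { print tolower($1) }' "$checksum_file")"
  if ! printf '%s' "$expected" | grep -Eq '^[0-9a-f]{64}$'; then
    echo "verify_sha256: no SHA-256 digest found in $checksum_file" >&2
    return 1
  fi
  actual="$(sha256sum "$file" | awk '{ print $1 }')"
  if [ "$expected" != "$actual" ]; then
    echo "verify_sha256: checksum mismatch for $file" >&2
    echo "  expected $expected" >&2
    echo "  actual   $actual" >&2
    return 1
  fi
}

# Demonstration on constructed files. A real CI step would download
# kind-linux-amd64 and kind-linux-amd64.sha256sum from kind.sigs.k8s.io
# (with curl --fail) and call verify_sha256 before chmod and install.
demo_dir="$(mktemp -d)"
trap 'rm -rf "$demo_dir"' EXIT
printf 'constructed stand-in for the kind binary\n' > "$demo_dir/kind"
# Constructed checksum file recording the release name, not the local "kind".
sha256sum "$demo_dir/kind" | awk '{ print $1 "  kind-linux-amd64" }' \
  > "$demo_dir/kind-linux-amd64.sha256sum"

if verify_sha256 "$demo_dir/kind" "$demo_dir/kind-linux-amd64.sha256sum"; then
  echo "pristine download: verified"
fi
printf 'tampered\n' >> "$demo_dir/kind"
if ! verify_sha256 "$demo_dir/kind" "$demo_dir/kind-linux-amd64.sha256sum" 2>/dev/null; then
  echo "tampered download: rejected"
fi
```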
Add checksum verification for the Kind binary download to close a
supply-chain gap. Replace the manual polling loop for the operator
pod with kubectl wait.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@cooktheryan (Collaborator, Author) commented

@pavelanni can I get a review here?

cooktheryan added a commit that referenced this pull request Jun 17, 2026
Merges ci/unified-workflow (PR #18) into this branch: replaces
publish-images.yml with test-kind.yml that combines Kind e2e and
conditional image publishing.

Extends the kind test job with three new steps:
- Build and load the skill OCI image into Kind
- Apply a Claw CR with skills.content, skills.images, and skills.configMaps
- Assert all three delivery mechanisms: ConfigMap keys (_skill_greeting,
  _skill_sales-playbook, _skill_onboarding) and ImageVolume shape
  (reference, mountPath, readOnly)

Depends on PR #18 merging first.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
cooktheryan added a commit that referenced this pull request Jun 18, 2026
Incorporates PR #18 (ci/unified-workflow): replaces publish-images.yml
with test-kind.yml that combines Kind e2e testing with conditional image
publishing. Pins all GitHub Actions to commit hashes for supply chain
security.

Extends the kind test job with skill-specific steps:
- Builds a minimal FROM-scratch OCI skill image and loads it into Kind
  with pullPolicy: IfNotPresent (avoids pull from non-existent registry)
- Applies a Claw CR with all three skill types from the start (content,
  images, configMaps) using a K8s 1.35 node for full ImageVolume support
- Validates all three delivery mechanisms by exec-ing into the running
  gateway pod and checking skill files on disk

Also adds main branch to push/PR triggers on the existing workflows
(Kubebuilder scaffolding defaulted to master only).

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

pavelanni (Collaborator) left a comment

LGTM

@pavelanni pavelanni merged commit 6f1b377 into main Jun 18, 2026
6 checks passed