From e6beb768ca91157a575f4d992ec37f4fb07007dc Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Christoph=20St=C3=A4bler?=
Date: Thu, 16 Jan 2025 19:20:56 +0100
Subject: [PATCH] Add revision alignment check for images in CSV (#3338)

---
 Makefile | 3 ++
 hack/lib/images.bash | 79 ++++++++++++++++++++++++++++--------
 hack/verify-csv-revisions.sh | 45 ++++++++++++++++++++
 3 files changed, 109 insertions(+), 18 deletions(-)
 create mode 100755 hack/verify-csv-revisions.sh

diff --git a/Makefile b/Makefile
index 8f7a344c02..44096c29bb 100644
--- a/Makefile
+++ b/Makefile
@@ -379,6 +379,9 @@ generated-files-release-next: release-files
 (cd olm-catalog/serverless-operator && USE_RELEASE_NEXT=true ./hack/update-manifests.sh)
 ./hack/update-deps.sh
+verify-csv-revisions: install-tools
+ ./hack/verify-csv-revisions.sh
+
 # Runs the lints Github Actions do too.
 lint: woke
diff --git a/hack/lib/images.bash b/hack/lib/images.bash
index 1a19779729..3a0362e5b4 100755
--- a/hack/lib/images.bash
+++ b/hack/lib/images.bash
@@ -303,24 +303,8 @@ function latest_registry_redhat_io_image_sha() {
 exit 1
 fi
 
- digest="${image##*@}" # Get only sha
-
- image_name=${image_without_tag##*/} # Get image name after last slash
-
- # Add rhel suffix
- if [ "${image_name}" == "serverless-openshift-kn-operator" ]; then
- # serverless-openshift-kn-operator is special, as it has rhel in the middle of the name
- # see https://redhat-internal.slack.com/archives/CKR568L8G/p1729684088850349
- image_name="serverless-openshift-kn-rhel$(get_serverless_operator_rhel_version)-operator"
- elif [ "${image_name}" == "serverless-bundle" ]; then
- # serverless-bundle is special, as it has no rhelXYZ in the name
- image_name="serverless-bundle"
- else
- # for other images simply add it as a suffix
- image_name="${image_name}-rhel$(get_serverless_operator_rhel_version)"
- fi
-
- echo "${registry_redhat_io}/${image_name}@${digest}"
+ rh_registry_image="$(get_rh_registry_image_ref "$image")"
+ echo "$rh_registry_image"
 }
 
 function latest_konflux_image_sha() {
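Review bot: `rh_registry_image="$(get_rh_registry_image_ref "$image")"` discards the helper's non-zero return, and because the helper prints its `Image must be from …` message on stdout, a rejected ref is captured into `rh_registry_image` and echoed as if it were a valid image reference. Append a status check so a bad input stops the function the way the `exit 1` two lines above does: `rh_registry_image="$(get_rh_registry_image_ref "$image")" || exit 1`. Note also that the removed code derived the name from `image_without_tag` while the new call passes `$image`; if `image` can still carry a `:tag` in front of the digest (its assignment is not visible here), the helper's `${image%@*}` keeps that tag inside the name it emits. The rest of latest_registry_redhat_io_image_sha lies outside the hunk.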
@@ -363,3 +347,62 @@ function get_app_version_from_tag() {
 app_version=${app_version/./} # -> 134
 echo "${app_version}"
 }
+
+# returns the quay image for a given rh registry image ref
+function get_quay_image_ref() {
+ local rh_registry_image_ref
+ rh_registry_image_ref="${1}"
+
+ if [[ $rh_registry_image_ref =~ $registry_redhat_io ]]; then
+ image=${rh_registry_image_ref##*/} # Get image name after last slash
+ image_sha=${image##*@} # Get SHA of image
+ image_name=${image%@*} # Remove sha
+
+ if [[ "${image_name}" =~ ^serverless-openshift-kn-rhel[0-9]+-operator$ ]]; then
+ # serverless-openshift-kn-operator is special, as it has rhel in the middle of the name
+ # see https://redhat-internal.slack.com/archives/CKR568L8G/p1729684088850349
+ component="serverless-openshift-kn-operator"
+ elif [[ "${image_name}" == "serverless-operator-bundle" ]]; then
+ # serverless-operator-bundle is special, as it is named only serverless-bundle in quay
+ component="serverless-bundle"
+ else
+ # for other images simply remove the -rhelXYZ suffix
+ component=${image_name%-rhel*}
+ fi
+
+ echo "${registry_quay}/${component}@${image_sha}"
+ else
+ echo "Image must be from ${registry_redhat_io}, got ${rh_registry_image_ref}"
+ return 1
+ fi
+}
+
+# returns the RH registry image for a given quay image ref
+function get_rh_registry_image_ref() {
+ local quay_registry_image_ref
+ quay_registry_image_ref="${1}"
+
+ if [[ $quay_registry_image_ref =~ $registry_quay ]]; then
+ image=${quay_registry_image_ref##*/} # Get image name after last slash
+ image_sha=${image##*@} # Get SHA of image
+ image_name=${image%@*} # Remove sha
+
+ # Add rhel suffix
+ if [ "${image_name}" == "serverless-openshift-kn-operator" ]; then
+ # serverless-openshift-kn-operator is special, as it has rhel in the middle of the name
+ # see https://redhat-internal.slack.com/archives/CKR568L8G/p1729684088850349
+ image_name="serverless-openshift-kn-rhel$(get_serverless_operator_rhel_version)-operator"
+ elif [ "${image_name}" == "serverless-bundle" ]; then
+ # serverless-bundle is special, as it has no rhelXYZ in the name
+ image_name="serverless-bundle"
+ else
+ # for other images simply add it as a suffix
+ image_name="${image_name}-rhel$(get_serverless_operator_rhel_version)"
+ fi
+
+ echo "${registry_redhat_io}/${image_name}@${image_sha}"
+ else
+ echo "Image must be from ${registry_quay}, got ${quay_registry_image_ref}"
+ return 1
+ fi
+}
diff --git a/hack/verify-csv-revisions.sh b/hack/verify-csv-revisions.sh
new file mode 100755
index 0000000000..5479aca33c
--- /dev/null
+++ b/hack/verify-csv-revisions.sh
@@ -0,0 +1,45 @@
+#!/usr/bin/env bash
+
+source "$(dirname "${BASH_SOURCE[0]}")/lib/__sources__.bash"
+
+# verify that the revisions (git commit) for components from the same repo match
+function verify_image_revisions {
+ local root_dir csv_file repo_revision rc
+ root_dir="$(dirname "$(dirname "$(realpath "${BASH_SOURCE[0]}")")")"
+ csv_file="${root_dir}/olm-catalog/serverless-operator/manifests/serverless-operator.clusterserviceversion.yaml"
+ declare -A repo_revision=()
+ rc=0
+
+ while IFS= read -r image_ref; do
+
+ if [[ $image_ref =~ $registry_redhat_io ]]; then
+ quay_image_ref="$(get_quay_image_ref "$image_ref")"
+ parameters="$(cosign download attestation "${quay_image_ref}" | jq -r '.payload' | base64 -d | jq -c '.predicate.invocation.parameters')"
+ repo="$(echo "${parameters}" | jq -r '."git-url"')"
+ revision="$(echo "${parameters}" | jq -r ".revision")"
+ repo=${repo%".git"} # remove optional .git suffix from repo name
+
+ if [[ ! -v repo_revision[$repo] ]]; then
+ # no revision for repo so far --> add it to map
+ repo_revision[$repo]=$revision
+ else
+ if [[ "${repo_revision[$repo]}" != "$revision" ]]; then
+ # revisions don't match
+ image=${image_ref##*/} # Get image name after last slash
+
+ echo "Revision for ${image} didn't match. Expected revision ${repo_revision[$repo]} for repo ${repo}, but got ${revision}"
+ rc=1
+ fi
+ fi
+ fi
+
+ done <<< "$(yq read "${csv_file}" 'spec.relatedImages[*].image' | sort | uniq)"
+
+ if [[ "$rc" == "0" ]]; then
+ echo "All revisions matched correctly"
+ fi
+
+ return $rc
+}
+
+verify_image_revisions
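Review bot: The check passes vacuously when it cannot obtain data: a failed `cosign download attestation` (or a failed get_quay_image_ref, whose status is discarded on the `quay_image_ref=` line and whose stdout error text becomes the ref handed to cosign) leaves `parameters`, `repo` and `revision` empty, the empty-key lookup `repo_revision[]` is a bad array subscript rather than a mismatch, `rc` stays 0, and the script prints `All revisions matched correctly`. Fail closed instead: `set -euo pipefail` after the shebang (unless `lib/__sources__.bash` already sets it — not visible here), `quay_image_ref="$(get_quay_image_ref "$image_ref")" || return 1`, and after the two jq lookups `[[ -n $repo && -n $revision ]] || { echo "no attestation parameters for ${image_ref}" >&2; return 1; }`. `cosign download attestation` fetches the attestation without checking its signature, so the comparison only shows that what the registry currently serves is consistent, not that the revisions are authentic; if that is the intent, `cosign verify-attestation` against the expected signing identity would provide it, and that choice deserves a comment either way. `quay_image_ref`, `parameters`, `repo`, `revision` and `image` also belong in the function's `local` list.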