test: rehearse LocalTagReferencePolicy fix for ci-tools images job

[Prucek]

Summary

• Uses a custom ci-operator image (quay.io/prucek/ci-operator:latest) for the pull-ci-openshift-ci-tools-main-images job to rehearse the LocalTagReferencePolicy fix from fix: use LocalTagReferencePolicy for input image tags ci-tools#5139
• The custom image switches input image tag reference policy from Source to Local, so builds pull base images from the internal registry instead of quay-proxy — avoiding "manifest unknown" failures when quay.io garbage-collects digests
• Also includes early-fail detection for "manifest unknown" errors to skip futile retries

This PR is temporary and will be closed after rehearsal validates the fix.

🤖 Generated with Claude Code

Summary by CodeRabbit

• Chores
  • Updated CI pipeline container image reference for presubmit job execution.

[Prucek]

/pj-rehearse pull-ci-openshift-ci-tools-main-images

[openshift-merge-bot]

@Prucek: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

[coderabbitai]

Walkthrough

Updates the container image reference in a CI/CD presubmit job configuration from an internal proxy image to a direct registry image (quay.io/prucek/ci-operator:latest), with no changes to job logic, commands, or execution parameters.

Changes

Cohort / File(s)	Summary
CI Configuration Update ci-operator/jobs/openshift/ci-tools/openshift-ci-tools-main-presubmits.yaml	Modified the ci-operator container image reference used by the ci/prow/images presubmit job from the internal proxy registry to quay.io/prucek/ci-operator:latest.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

🚥 Pre-merge checks | ✅ 11 | ❌ 1

❌ Failed checks (1 inconclusive)

Check name	Status	Explanation	Resolution
Test Structure And Quality	❓ Inconclusive	Cannot access shell commands to examine PR file modifications. Unable to verify custom check requirements.	Provide the actual file diffs or PR contents to assess the custom check implementation.

✅ Passed checks (11 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title clearly describes the main change: using a custom ci-operator image to test a LocalTagReferencePolicy fix for the ci-tools images job.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names	✅ Passed	The custom check for Ginkgo test names is not applicable to this PR. The PR only modifies a Prow CI job configuration YAML file with no Ginkgo test definitions present.
Microshift Test Compatibility	✅ Passed	The custom check for MicroShift test compatibility is not applicable to this PR. This pull request only modifies a Prow CI configuration file to update a container image reference, with no new Ginkgo e2e tests being added.
Single Node Openshift (Sno) Test Compatibility	✅ Passed	The PR modifies only a CI/CD job configuration file, changing a container image reference. No new Ginkgo e2e tests are being added, so the SNO compatibility check is not applicable.
Topology-Aware Scheduling Compatibility	✅ Passed	Pull request modifies Prow CI configuration file updating container image reference for testing; no scheduling constraints or workload scheduling configurations present.
Ote Binary Stdout Contract	✅ Passed	The PR only modifies a CI configuration YAML file with a container image reference update. No Go source code, test code, or executable binaries are changed, so the OTE Binary Stdout Contract check is not applicable.
Ipv6 And Disconnected Network Test Compatibility	✅ Passed	PR modifies only a CI/CD job configuration YAML file, not adding any Ginkgo e2e tests, so the check is not applicable.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: Prucek

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• ci-operator/jobs/openshift/ci-tools/OWNERS [Prucek]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[coderabbitai]

🧹 Nitpick comments (1)

ci-operator/jobs/openshift/ci-tools/openshift-ci-tools-main-presubmits.yaml (1)

414-414: Pin the rehearsal image to an immutable digest.

Line 414 uses a mutable :latest tag with imagePullPolicy: Always, which allows repeated rehearsals to execute different binaries and undermines reproducibility of test results. Pin to an explicit digest for deterministic validation.

Suggested change

-        image: quay.io/prucek/ci-operator:latest
+        image: quay.io/prucek/ci-operator@sha256:fdfa14df985790ead5e3557490229dae044fc29c2d619eed1ae382d9fabaa9d3

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@ci-operator/jobs/openshift/ci-tools/openshift-ci-tools-main-presubmits.yaml`
at line 414, The rehearsal job is using a mutable image tag ("image:
quay.io/prucek/ci-operator:latest") with imagePullPolicy: Always which
undermines reproducibility; update the image field to a pinned digest (e.g.,
"quay.io/prucek/ci-operator@sha256:...") for the rehearsal job and ensure any
related imagePullPolicy remains appropriate, replacing the ":latest" reference
in the job spec where "image: quay.io/prucek/ci-operator:latest" appears so the
job always pulls the exact immutable artifact.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Nitpick comments:
In `@ci-operator/jobs/openshift/ci-tools/openshift-ci-tools-main-presubmits.yaml`:
- Line 414: The rehearsal job is using a mutable image tag ("image:
quay.io/prucek/ci-operator:latest") with imagePullPolicy: Always which
undermines reproducibility; update the image field to a pinned digest (e.g.,
"quay.io/prucek/ci-operator@sha256:...") for the rehearsal job and ensure any
related imagePullPolicy remains appropriate, replacing the ":latest" reference
in the job spec where "image: quay.io/prucek/ci-operator:latest" appears so the
job always pulls the exact immutable artifact.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 9db69fe6-376f-4cc5-9e94-c62759aa14ec

📥 Commits

Reviewing files that changed from the base of the PR and between 7e8bf48 and 18bddc1.

📒 Files selected for processing (1)

• ci-operator/jobs/openshift/ci-tools/openshift-ci-tools-main-presubmits.yaml

[openshift-merge-bot]

[REHEARSALNOTIFIER]
@Prucek: the pj-rehearse plugin accommodates running rehearsal tests for the changes in this PR. Expand 'Interacting with pj-rehearse' for usage details. The following rehearsable tests have been affected by this change:

Test name	Repo	Type	Reason
pull-ci-openshift-ci-tools-main-images	openshift/ci-tools	presubmit	Presubmit changed

Prior to this PR being merged, you will need to either run and acknowledge or opt to skip these rehearsals.

Interacting with pj-rehearse

Comment: /pj-rehearse to run up to 5 rehearsals
Comment: /pj-rehearse skip to opt-out of rehearsals
Comment: /pj-rehearse {test-name}, with each test separated by a space, to run one or more specific rehearsals
Comment: /pj-rehearse more to run up to 10 rehearsals
Comment: /pj-rehearse max to run up to 25 rehearsals
Comment: /pj-rehearse auto-ack to run up to 5 rehearsals, and add the rehearsals-ack label on success
Comment: /pj-rehearse list to get an up-to-date list of affected jobs
Comment: /pj-rehearse abort to abort all active rehearsals
Comment: /pj-rehearse network-access-allowed to allow rehearsals of tests that have the restrict_network_access field set to false. This must be executed by an openshift org member who is not the PR author

Once you are satisfied with the results of the rehearsals, comment: /pj-rehearse ack to unblock merge. When the rehearsals-ack label is present on your PR, merge will no longer be blocked by rehearsals.
If you would like the rehearsals-ack label removed, comment: /pj-rehearse reject to re-block merging.

[Prucek]

1st run: passed after 1h9m46s
2nd run: passed after 1h7m49s.
3rd run: passed after 3h13m52s

[Prucek]

/pj-rehearse pull-ci-openshift-ci-tools-main-images

[openshift-merge-bot]

@Prucek: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

[Prucek]

/pj-rehearse pull-ci-openshift-ci-tools-main-images
for good measure

[openshift-merge-bot]

@Prucek: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

[openshift-ci]

@Prucek: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/generated-config	18bddc1	link	true	/test generated-config

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

[Prucek]

/hold