Implement the latest tag expansion in the CNCF workflow

[ggiguash]

Fixes #127

In this comment, I wrongly suggested not to implement the code for the latest tag expansion.

P.S. We used latest tags in the beginning, but then stopped. There was a left-over old image that misled me into thinking the expansion is not necessary. I removed that image to avoid similar mistakes in the future.

$ podman pull ghcr.io/microshift-io/microshift:latest
Trying to pull ghcr.io/microshift-io/microshift:latest...
Error: initializing source docker://ghcr.io/microshift-io/microshift:latest: reading manifest latest in ghcr.io/microshift-io/microshift: manifest unknown

Summary by CodeRabbit

• Chores
  • Improved dynamic version detection in the conformance testing workflow.
  • Enhanced error handling for version resolution to ensure reliable test execution.

_{✏️ Tip: You can customize this high-level summary in your review settings.}

[coderabbitai]

📝 Walkthrough

Walkthrough

The CNCF conformance workflow now dynamically resolves the latest MicroShift release tag from GitHub when VERSION is set to "latest", replacing static tag construction. The IMAGE variable is computed from a dynamically-fetched TAG with validation and fallback logic.

Changes

Cohort / File(s)	Summary
Workflow image tag resolution .github/workflows/cncf-conformance.yaml	Updated IMAGE construction to fetch the latest release tag from GitHub releases API when VERSION equals "latest"; adds validation and error handling for remote tag resolution

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Suggested reviewers

• agullon

Pre-merge checks and finishing touches

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately describes the main change: implementing dynamic latest tag expansion in the CNCF workflow, which is the primary focus of the changeset.
Linked Issues check	✅ Passed	The PR implements automated detection of the latest upstream MicroShift release via GitHub API and uses it in the CNCF workflow, directly addressing issue #127's requirement to automate selection of the latest release for scheduled jobs.
Out of Scope Changes check	✅ Passed	All changes are scoped to the CNCF workflow file and implement the latest tag expansion feature directly linked to issue #127; no extraneous modifications detected.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

✨ Finishing touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 0

🧹 Nitpick comments (1)

.github/workflows/cncf-conformance.yaml (1)

53-64: Consider authenticating GitHub API requests for better reliability.

The unauthenticated GitHub API has a 60 requests/hour rate limit. While sufficient for daily scheduled runs, manual triggers or shared runner IPs could hit this limit. Using ${{ github.token }} provides 5,000 requests/hour.

🔎 Suggested enhancement

-          TAG="$(curl -s --max-time 60 "https://api.github.com/repos/microshift-io/microshift/releases/latest" | jq -r .tag_name)"
+          TAG="$(curl -s --max-time 60 -H "Authorization: token ${{ github.token }}" "https://api.github.com/repos/microshift-io/microshift/releases/latest" | jq -r .tag_name)"

📜 Review details

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 14b30cc and 2fa2fc1.

📒 Files selected for processing (1)

• .github/workflows/cncf-conformance.yaml

🧰 Additional context used

📓 Path-based instructions (1)

.github/workflows/*.yaml

📄 CodeRabbit inference engine (CLAUDE.md)

CI/CD workflows should validate builds with builders.yaml, test quickstart scripts with installers.yaml, support manual release workflow via release.yaml, and run daily OKD ARM builds via release-okd.yaml

Files:

• .github/workflows/cncf-conformance.yaml

🧠 Learnings (8)

📓 Common learnings

Learnt from: ggiguash
Repo: microshift-io/microshift PR: 92
File: .github/workflows/release.yaml:44-50
Timestamp: 2025-10-17T07:44:32.742Z
Learning: When Podman builds an image without a registry prefix (e.g., `podman build -t microshift-okd`), it automatically adds the `localhost/` prefix and `:latest` tag, resulting in `localhost/microshift-okd:latest`. This means the Makefile in microshift-io/microshift building with `-t microshift-okd` produces `localhost/microshift-okd:latest` without explicit retagging.

Learnt from: CR
Repo: microshift-io/microshift PR: 0
File: CLAUDE.md:0-0
Timestamp: 2025-12-13T11:22:03.985Z
Learning: Applies to packaging/Containerfile* : SRPM build container must clone MicroShift from upstream repository at `USHIFT_GITREF` and replace component images with OKD references via `src/image/prebuild.sh`

Learnt from: CR
Repo: microshift-io/microshift PR: 0
File: CLAUDE.md:0-0
Timestamp: 2025-12-13T11:22:03.985Z
Learning: Applies to src/okd/** : OKD version auto-detection should query latest-amd64 or latest-arm64 tags based on detected architecture

Learnt from: ggiguash
Repo: microshift-io/microshift PR: 57
File: src/debian/install.sh:12-0
Timestamp: 2025-10-17T10:31:57.408Z
Learning: In the MicroShift project, the Ubuntu version in src/debian/install.sh is intentionally hardcoded to "xUbuntu_20.04" because CRI-O builds are not available for all the latest Ubuntu versions. This should not be changed to dynamic detection.

📚 Learning: 2025-12-13T11:22:03.985Z

Learnt from: CR
Repo: microshift-io/microshift PR: 0
File: CLAUDE.md:0-0
Timestamp: 2025-12-13T11:22:03.985Z
Learning: Applies to packaging/Containerfile* : SRPM build container must clone MicroShift from upstream repository at `USHIFT_GITREF` and replace component images with OKD references via `src/image/prebuild.sh`

Applied to files:

• .github/workflows/cncf-conformance.yaml

📚 Learning: 2025-10-17T07:44:32.742Z

Learnt from: ggiguash
Repo: microshift-io/microshift PR: 92
File: .github/workflows/release.yaml:44-50
Timestamp: 2025-10-17T07:44:32.742Z
Learning: When Podman builds an image without a registry prefix (e.g., `podman build -t microshift-okd`), it automatically adds the `localhost/` prefix and `:latest` tag, resulting in `localhost/microshift-okd:latest`. This means the Makefile in microshift-io/microshift building with `-t microshift-okd` produces `localhost/microshift-okd:latest` without explicit retagging.

Applied to files:

• .github/workflows/cncf-conformance.yaml

📚 Learning: 2025-12-13T11:22:03.985Z

Learnt from: CR
Repo: microshift-io/microshift PR: 0
File: CLAUDE.md:0-0
Timestamp: 2025-12-13T11:22:03.985Z
Learning: Applies to .github/workflows/*.yaml : CI/CD workflows should validate builds with `builders.yaml`, test quickstart scripts with `installers.yaml`, support manual release workflow via `release.yaml`, and run daily OKD ARM builds via `release-okd.yaml`

Applied to files:

• .github/workflows/cncf-conformance.yaml

📚 Learning: 2025-12-13T11:22:03.985Z

Learnt from: CR
Repo: microshift-io/microshift PR: 0
File: CLAUDE.md:0-0
Timestamp: 2025-12-13T11:22:03.985Z
Learning: Applies to src/okd/** : OKD version auto-detection should query latest-amd64 or latest-arm64 tags based on detected architecture

Applied to files:

• .github/workflows/cncf-conformance.yaml

📚 Learning: 2025-12-13T11:22:03.985Z

Learnt from: CR
Repo: microshift-io/microshift PR: 0
File: CLAUDE.md:0-0
Timestamp: 2025-12-13T11:22:03.985Z
Learning: Applies to src/image/prebuild.sh : Replace component images with OKD references during SRPM build stage

Applied to files:

• .github/workflows/cncf-conformance.yaml

📚 Learning: 2025-12-13T11:22:03.985Z

Learnt from: CR
Repo: microshift-io/microshift PR: 0
File: CLAUDE.md:0-0
Timestamp: 2025-12-13T11:22:03.985Z
Learning: Applies to ansible/** : Ansible roles should support automated builds and deployments for both containerized and host-based MicroShift installations

Applied to files:

• .github/workflows/cncf-conformance.yaml

📚 Learning: 2025-12-13T11:22:03.985Z

Learnt from: CR
Repo: microshift-io/microshift PR: 0
File: CLAUDE.md:0-0
Timestamp: 2025-12-13T11:22:03.985Z
Learning: Applies to packaging/Containerfile* : Bootc image build requires RPM image from previous stage, is configurable via `WITH_KINDNET`, `WITH_TOPOLVM`, `WITH_OLM`, and `EMBED_CONTAINER_IMAGES`, and is based on `BOOTC_IMAGE_URL:BOOTC_IMAGE_TAG`

Applied to files:

• .github/workflows/cncf-conformance.yaml

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (11)

• GitHub Check: quick-start-and-clean (ubuntu-24.04-arm)
• GitHub Check: quick-rpm-and-clean (ubuntu-24.04)
• GitHub Check: quick-rpm-and-clean (ubuntu-24.04-arm)
• GitHub Check: quick-start-and-clean (ubuntu-24.04)
• GitHub Check: fedora-bootc (ubuntu-24.04-arm)
• GitHub Check: centos9-bootc
• GitHub Check: centos10-bootc
• GitHub Check: ubuntu-rpm2deb
• GitHub Check: isolated-network (ovnk, ubuntu-24.04, 1)
• GitHub Check: isolated-network (kindnet, ubuntu-24.04, 0)
• GitHub Check: fedora-bootc (ubuntu-24.04)

🔇 Additional comments (1)

.github/workflows/cncf-conformance.yaml (1)

66-66: Correct IMAGE construction with resolved tag.

The IMAGE variable properly combines the registry and dynamically resolved TAG. The syntax correctly mixes GitHub Actions expressions with shell variables.

[ggiguash]

The tag expansion seems to be working.
See https://github.com/ggiguash/microshift-io/actions/runs/20519517270/job/58952521868