fix imagepolicy image config testcase #31185

Open
QiWang19 wants to merge 1 commit into openshift:main from QiWang19:fix-imgpolicy-allowlist

QiWang19 commented May 15, 2026

[sig-imagepolicy][Suite:openshift/disruptive-longrunning][Disruptive][OCPFeatureGate:SigstoreImageVerification][Serial] Should fail clusterimagepolicy signature validation when scope in allowedRegistries list does not skip signature verification
  • improve polling machine config pool by adding condition check spec.name == status.name

Summary by CodeRabbit

  • Tests
    • Updated image policy tests to use a repository-scoped image reference for signature verification checks.
    • Tightened the test polling condition so a pool is only considered updated when the configuration name equals the reported status name.

@openshift-merge-bot

Pipeline controller notification
This repo is configured to use the pipeline controller. Second-stage tests will be triggered either automatically or after lgtm label is added, depending on the repository configuration. The pipeline controller will automatically detect which contexts are required and will utilize /test Prow commands to trigger the second stage.

For optional jobs, comment /test ? to see a list of all defined jobs. To trigger manually all jobs from second stage use /pipeline required command.

This repository is configured in: automatic mode

openshift-ci Bot commented May 15, 2026

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: QiWang19
Once this PR has been reviewed and has the lgtm label, please assign sosiouxme for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

coderabbitai Bot commented May 15, 2026

Walkthrough

Adds a repository-only constant testSignedPolicyScopeRepo and updates the clusterimagepolicy signature validation test to use it in allowedRegistries. Also tightens WaitForMCPConfigSpecChangeAndUpdated so it waits until mcp.Spec.Configuration.Name equals mcp.Status.Configuration.Name.

Changes

Image policy and MCP updates

| Layer / File(s) | Summary |
| --- | --- |
| Repository constant and test update: test/extended/imagepolicy/imagepolicy.go | Introduces testSignedPolicyScopeRepo (repository-only signed policy scope) and replaces the digest-qualified testSignedPolicyScope with testSignedPolicyScopeRepo in the clusterimagepolicy signature validation test's allowedRegistries. |
| MCP polling guard tightened: test/extended/imagepolicy/imagepolicy.go | In WaitForMCPConfigSpecChangeAndUpdated, adds a polling condition requiring mcp.Spec.Configuration.Name == mcp.Status.Configuration.Name before considering the pool updated. |

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Suggested labels

jira/valid-bug

Suggested reviewers

  • sjenning
  • p0lyn0mial

🚥 Pre-merge checks | ✅ 10 | ❌ 2

❌ Failed checks (2 warnings)

| Check name | Status | Explanation | Resolution |
| --- | --- | --- | --- |
| Microshift Test Compatibility | ⚠️ Warning | New tests use config.openshift.io and machineconfiguration APIs unavailable on MicroShift. No [Skipped:MicroShift], [apigroup:...], or exutil.IsMicroShiftCluster() protection present. | Add [apigroup:config.openshift.io] tag to test name, [Skipped:MicroShift] label, or add exutil.IsMicroShiftCluster() check with g.Skip() in test BeforeAll. |
| Ipv6 And Disconnected Network Test Compatibility | ⚠️ Warning | New Ginkgo tests added require external connectivity to public registries (quay.io, registry.redhat.io) which is incompatible with disconnected IPv6 environments. | Add [Skipped:Disconnected] tag to test suite descriptor on line 48: "[sig-imagepolicy][Suite:openshift/disruptive-longrunning][Disruptive][OCPFeatureGate:SigstoreImageVerification][Serial][Skipped:Disconnected]" |

✅ Passed checks (10 passed)

| Check name | Status | Explanation |
| --- | --- | --- |
| Title check | ✅ Passed | The title accurately describes the main change: fixing an imagepolicy image config testcase that was failing in CI. |
| Docstring Coverage | ✅ Passed | Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Stable And Deterministic Test Names | ✅ Passed | All Ginkgo test names use stable, static string literals. No dynamic information appears in test titles. Names are descriptive and deterministic across test runs. |
| Test Structure And Quality | ✅ Passed | Test demonstrates good quality: proper cleanup via DeferCleanup, timeouts on cluster operations, single responsibility focus, and consistency with existing patterns. |
| Single Node Openshift (Sno) Test Compatibility | ✅ Passed | This PR does not add new Ginkgo e2e tests - it only modifies an existing test. The custom check applies only to "new Ginkgo e2e tests." No new tests were added. |
| Topology-Aware Scheduling Compatibility | ✅ Passed | Changes affect test code only. No deployment manifests, operator code, or controllers modified. No scheduling constraints introduced. Check not applicable. |
| Ote Binary Stdout Contract | ✅ Passed | All logging in this test file is inside Ginkgo test blocks (It/DescribeTable), where stdout is intercepted by the framework. No process-level code writes to stdout. |
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |

Comment @coderabbitai help to get the list of available commands and usage tips.
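
An added example, not code from this PR or from openshift/origin: a simplified model of the polling guard described in the walkthrough above. The poolState type, the rendered-worker-* names and the poll with a stale Updated condition are assumptions, constructed to show the window that comparing the spec and status configuration names closes.

```go
package main

import "fmt"

// poolState is a hypothetical, simplified snapshot of a MachineConfigPool.
type poolState struct {
	SpecName   string // stands in for mcp.Spec.Configuration.Name
	StatusName string // stands in for mcp.Status.Configuration.Name
	Updated    bool   // stands in for the pool's Updated condition
}

// looseDone models a wait that only checks "spec changed and pool says Updated".
func looseDone(initial string, p poolState) bool {
	return p.SpecName != initial && p.Updated
}

// strictDone adds the guard from the walkthrough: spec name must equal status name.
func strictDone(initial string, p poolState) bool {
	return looseDone(initial, p) && p.SpecName == p.StatusName
}

// firstDone returns the index of the first poll at which done holds, or -1.
func firstDone(initial string, polls []poolState, done func(string, poolState) bool) int {
	for i, p := range polls {
		if done(initial, p) {
			return i
		}
	}
	return -1
}

// constructedPolls is a constructed sequence of polls, not captured cluster data.
var constructedPolls = []poolState{
	{"rendered-worker-a", "rendered-worker-a", true},  // before the config change
	{"rendered-worker-b", "rendered-worker-a", true},  // spec moved, conditions not refreshed yet (assumed)
	{"rendered-worker-b", "rendered-worker-a", false}, // rollout in progress
	{"rendered-worker-b", "rendered-worker-b", true},  // nodes report the new config
}

func main() {
	fmt.Println("loose check returns at poll", firstDone("rendered-worker-a", constructedPolls, looseDone))
	fmt.Println("strict check returns at poll", firstDone("rendered-worker-a", constructedPolls, strictDone))
}
```

With the loose predicate the wait returns while the status still names the old rendered config, so a signature-verification assertion that follows could run against nodes that have not yet received the policy.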

@QiWang19

/payload-job periodic-ci-openshift-release-main-nightly-5.0-e2e-aws-disruptive-longrunning-techpreview-1of2

openshift-ci Bot commented May 15, 2026

@QiWang19: trigger 1 job(s) for the /payload-(with-prs|job|aggregate|job-with-prs|aggregate-with-prs) command

  • periodic-ci-openshift-release-main-nightly-5.0-e2e-aws-disruptive-longrunning-techpreview-1of2

See details on https://pr-payload-tests.ci.openshift.org/runs/ci/2798c050-50b9-11f1-9b43-b2d255a8d937-0

openshift-ci Bot requested review from p0lyn0mial and sjenning May 15, 2026
openshift-ci Bot added the ready-for-human-review label (Indicates a PR has been reviewed by automated tools and is ready for human review) May 15, 2026

@openshift-merge-bot

Scheduling required tests:
/test e2e-aws-csi
/test e2e-aws-ovn-fips
/test e2e-aws-ovn-microshift
/test e2e-aws-ovn-microshift-serial
/test e2e-aws-ovn-serial-1of2
/test e2e-aws-ovn-serial-2of2
/test e2e-gcp-csi
/test e2e-gcp-ovn
/test e2e-gcp-ovn-upgrade
/test e2e-metal-ipi-ovn-ipv6
/test e2e-vsphere-ovn
/test e2e-vsphere-ovn-upi

openshift-ci Bot commented May 16, 2026

@QiWang19: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

| Test name | Commit | Details | Required | Rerun command |
| --- | --- | --- | --- | --- |
| ci/prow/e2e-gcp-csi | 33920cd | link | true | /test e2e-gcp-csi |
| ci/prow/e2e-vsphere-ovn-upi | 33920cd | link | true | /test e2e-vsphere-ovn-upi |
| ci/prow/e2e-gcp-ovn-upgrade | 33920cd | link | true | /test e2e-gcp-ovn-upgrade |
| ci/prow/e2e-metal-ipi-ovn-ipv6 | 33920cd | link | true | /test e2e-metal-ipi-ovn-ipv6 |
| ci/prow/e2e-gcp-ovn | 33920cd | link | true | /test e2e-gcp-ovn |

fix failure: https://prow.ci.openshift.org/view/gs/test-platform-results/logs/periodic-ci-openshift-release-main-nightly-5.0-e2e-aws-disruptive-longrunning-techpreview-1of2/2054789876368281600
 [sig-imagepolicy][Suite:openshift/disruptive-longrunning][Disruptive][OCPFeatureGate:SigstoreImageVerification][Serial] Should fail clusterimagepolicy signature validation when scope in allowedRegistries list does not skip signature verification

Signed-off-by: Qi Wang <qiwan@redhat.com>

QiWang19 force-pushed the fix-imgpolicy-allowlist branch from 33920cd to 5d5e931 May 16, 2026

@QiWang19

/payload-job periodic-ci-openshift-release-main-nightly-5.0-e2e-aws-disruptive-longrunning-techpreview-1of2

openshift-ci Bot commented May 16, 2026

@QiWang19: trigger 1 job(s) for the /payload-(with-prs|job|aggregate|job-with-prs|aggregate-with-prs) command

  • periodic-ci-openshift-release-main-nightly-5.0-e2e-aws-disruptive-longrunning-techpreview-1of2

See details on https://pr-payload-tests.ci.openshift.org/runs/ci/18657b00-50e6-11f1-8ad0-afdec98d5b5e-0

@openshift-merge-bot

Scheduling required tests:
/test e2e-aws-csi
/test e2e-aws-ovn-fips
/test e2e-aws-ovn-microshift
/test e2e-aws-ovn-microshift-serial
/test e2e-aws-ovn-serial-1of2
/test e2e-aws-ovn-serial-2of2
/test e2e-gcp-csi
/test e2e-gcp-ovn
/test e2e-gcp-ovn-upgrade
/test e2e-metal-ipi-ovn-ipv6
/test e2e-vsphere-ovn
/test e2e-vsphere-ovn-upi

openshift-trt Bot commented May 16, 2026

Job Failure Risk Analysis for sha: 5d5e931

| Job Name | Failure Risk |
| --- | --- |
| pull-ci-openshift-origin-main-e2e-metal-ipi-ovn-ipv6 | IncompleteTests |

Tests for this run (21) are below the historical average (3323): IncompleteTests (not enough tests ran to make a reasonable risk analysis; this could be due to infra, installation, or upgrade problems)
