ci: address review feedback on OCI immutability guard

Author: bkenez

scripts/deploy-camunda/cmd/matrix.go

@@ -602,7 +602,7 @@ This command calls deploy.Execute() for each matrix entry.`,
 	f.BoolVar(&ensureDockerHub, "ensure-docker-hub", false, "Ensure Docker Hub registry pull secret is created in each entry's namespace")
 	f.BoolVar(&useLatest, "use-latest", false, "Use values-latest.yaml from each chart root instead of values-digest.yaml")
 	f.BoolVar(&useQA, "use-qa", false, "Force the base-qa layer to be included for all entries, regardless of per-scenario qa config")
-	f.BoolVar(&forceImageOverrides, "force-image-overrides", false, "Bypass OCI immutability guard: allow image version overrides even when --chart-ref is set")
+	f.BoolVar(&forceImageOverrides, "force-image-overrides", false, "Bypass OCI immutability guard: allow Go-layer image overlays (base-image-tags, chart-root overlays) even when --chart-ref is set. Note: env-file IMAGE_TAG keys stripped at the workflow layer are not restored by this flag.")
 	f.BoolVarP(&yes, "yes", "y", false, "Skip confirmation prompts (e.g., e2e threshold warning)")
 	f.StringVar(&logDir, "log-dir", "", "Write logs to this directory and show a live status table (auto-generated when running in a TTY)")
 	f.StringArrayVar(&extraHelmArgs, "extra-helm-arg", nil, "Extra argument appended to every helm command (repeatable, e.g. --extra-helm-arg=--set-file=global.license.secret.inlineSecret=/tmp/license.txt)")

scripts/deploy-camunda/matrix/matrix_test.go

@@ -1193,6 +1193,54 @@ func TestSanitizeEnvFileForOCIImmutability(t *testing.T) {
 
 // --- resolveUseVaultBackedSecrets tests ---
 
+func TestOCIImmutabilityForceOverridesRestoresDigest(t *testing.T) {
+	chartPath := t.TempDir()
+	for _, name := range []string{"values-digest.yaml", "values-enterprise.yaml", "values-latest.yaml"} {
+		if err := os.WriteFile(filepath.Join(chartPath, name), []byte("# test\n"), 0o644); err != nil {
+			t.Fatalf("write %s: %v", name, err)
+		}
+	}
+
+	// ForceImageOverrides: true + ImageTags: false -> digest overlay should be restored
+	entry := Entry{Enterprise: true, ImageTags: false}
+	opts := RunOptions{ChartRef: "oci://registry.camunda.cloud/team-distribution/camunda-platform", ForceImageOverrides: true}
+	got := resolveChartRootOverlaysQuiet(chartPath, entry, opts)
+	expected := "enterprise,digest"
+	if strings.Join(got, ",") != expected {
+		t.Fatalf("resolveChartRootOverlaysQuiet() = %v, want [enterprise, digest] when force-overrides restores non-image-tags path", got)
+	}
+}
+
+func TestSanitizeEnvFileAllImageTags(t *testing.T) {
+	// All keys are IMAGE_TAG -> result should be empty path (no temp file needed)
+	envFile := filepath.Join(t.TempDir(), "values.env")
+	content := "E2E_TESTS_OPTIMIZE_IMAGE_TAG=8.8-SNAPSHOT\nE2E_TESTS_OPERATE_IMAGE_TAG=8.8-SNAPSHOT\n"
+	if err := os.WriteFile(envFile, []byte(content), 0o644); err != nil {
+		t.Fatalf("write env file: %v", err)
+	}
+
+	got, cleanup, err := sanitizeEnvFileForOCIImmutability(envFile, RunOptions{ChartRef: "oci://registry.camunda.cloud/team-distribution/camunda-platform"})
+	if err != nil {
+		t.Fatalf("sanitizeEnvFileForOCIImmutability() error = %v", err)
+	}
+	defer cleanup()
+	if got != "" {
+		t.Fatalf("sanitizeEnvFileForOCIImmutability() = %q, want empty path when all keys are image tags", got)
+	}
+}
+
+func TestSanitizeEnvFileNoEnvFile(t *testing.T) {
+	// OCI mode with no env file -> should short-circuit cleanly
+	got, cleanup, err := sanitizeEnvFileForOCIImmutability("", RunOptions{ChartRef: "oci://registry.camunda.cloud/team-distribution/camunda-platform"})
+	if err != nil {
+		t.Fatalf("sanitizeEnvFileForOCIImmutability() error = %v", err)
+	}
+	defer cleanup()
+	if got != "" {
+		t.Fatalf("sanitizeEnvFileForOCIImmutability() = %q, want empty string for no env file", got)
+	}
+}
+
 func TestResolveUseVaultBackedSecrets(t *testing.T) {
 	tests := []struct {
 		name     string

scripts/deploy-camunda/matrix/runner.go

@@ -232,6 +232,8 @@ func effectiveImageTags(entry Entry, opts RunOptions) bool {
 
 func resolveChartRootOverlays(entry Entry, opts RunOptions) []string {
 	if ociImmutabilityMode(opts) {
+		// OCI artifacts bake all image versions; skip overlays that would
+		// override them (includes enterprise sub-chart image pins).
 		return nil
 	}
 
@@ -600,7 +602,7 @@ func resolveStep1ValuesFromQuiet(entry Entry) string {
 
 // resolveChartRootOverlaysQuiet returns the list of chart-root overlays that exist on disk.
 // This is a dry-run helper — best-effort, silently filters to existing files only.
-// enterprise is composable (changes registry/repo, not tags).
+// enterprise adds registry/repo config and sub-chart image pins (Keycloak, PostgreSQL).
 // digest, latest, and image-tags are mutually exclusive for image version resolution:
 //   - image-tags (SNAPSHOT tags from env) takes priority over digest/latest
 //   - useLatest selects values-latest.yaml instead of values-digest.yaml
@@ -610,6 +612,11 @@ func resolveChartRootOverlaysQuiet(chartPath string, entry Entry, opts RunOption
 	if chartPath == "" {
 		return nil
 	}
+	if ociImmutabilityMode(opts) {
+		logging.Logger.Warn().
+			Str("chartRef", opts.ChartRef).
+			Msg("OCI immutability mode: skipping chart-root image overlays (dry-run)")
+	}
 	overlays := resolveChartRootOverlays(entry, opts)
 	// Filter to only overlays whose files exist on disk.
 	var existing []string
@@ -1578,10 +1585,10 @@ func executeEntry(ctx context.Context, entry Entry, opts RunOptions, entryIndex
 	kubeCtx := resolveKubeContext(opts, platform)
 	envFile := resolveEnvFile(opts, entry.Version)
 	envFile, cleanupEnvFile, err := sanitizeEnvFileForOCIImmutability(envFile, opts)
+	defer cleanupEnvFile() // safe: cleanup is always a valid no-op func even on error
 	if err != nil {
 		return RunResult{Entry: entry, Namespace: namespace, KubeContext: kubeCtx, Error: err}
 	}
-	defer cleanupEnvFile()
 	useVault := resolveUseVaultBackedSecrets(opts, platform)
 
 	// Compute the scenario directory. deploy.Execute uses this to resolve