fix: align logic with FBC script

[knrc]

User description

Making this consistent with securesign/fbc#221

---

PR Type

Enhancement, Bug fix

---

Description

• Refactor bundle removal logic to use bundle names instead of images

• Add support for removing replaces references in channel entries

• Implement empty channel cleanup after bundle removal

• Improve robustness with environment variables and better error handling

---

Diagram Walkthrough

flowchart LR
  A["Bundle Filtering"] --> B["Extract Bundle Names and Images"]
  B --> C["Check Image Availability"]
  C --> D["Remove Unavailable Bundles"]
  D --> E["Clean Channel References"]
  E --> F["Remove Replaces References"]
  F --> G["Delete Empty Channels"]
  G --> H["Render Catalog"]

Loading

File Walkthrough

Relevant files

Enhancement

main.yml Refactor bundle removal and add channel cleanup                    .github/workflows/main.yml Refactored bundle removal logic to iterate by bundle name instead of image Changed from image-based filtering to name-based filtering using pipe-delimited output Added removal of replaces references when bundles are unavailable Implemented cleanup step to remove empty channels after bundle removal Improved robustness by using environment variables with yq and added --no-tags flag to skopeo +26/-8

---

[qodo-code-review]

PR Compliance Guide 🔍

Below is a summary of compliance checks for this PR:

Security Compliance
🟢	No security concerns identified No security vulnerabilities detected by AI analysis. Human verification advised for critical code.
Ticket Compliance
⚪	🎫 No ticket provided Create ticket/issue
Codebase Duplication Compliance
⚪	Codebase context is not defined Follow the guide to enable codebase context checks.
Custom Compliance
🟢	Generic: Comprehensive Audit Trails Objective: To create a detailed and reliable record of critical system actions for security analysis and compliance. Status: Passed Learn more about managing compliance generic rules or creating your own custom rules
	Generic: Meaningful Naming and Self-Documenting Code Objective: Ensure all identifiers clearly express their purpose and intent, making code self-documenting Status: Passed Learn more about managing compliance generic rules or creating your own custom rules
	Generic: Secure Error Handling Objective: To prevent the leakage of sensitive system information through error messages while providing sufficient detail for internal debugging. Status: Passed Learn more about managing compliance generic rules or creating your own custom rules
	Generic: Secure Logging Practices Objective: To ensure logs are useful for debugging and auditing without exposing sensitive information like PII, PHI, or cardholder data. Status: Passed Learn more about managing compliance generic rules or creating your own custom rules
⚪	Generic: Robust Error Handling and Edge Case Management Objective: Ensure comprehensive error handling that provides meaningful context and graceful degradation Status: Missing failure checks: The new workflow logic does not explicitly fail fast or validate prerequisites (e.g., yq output, $GRAPH existence, and yq -i edit success), which may cause silent partial updates or hard-to-debug failures. Referred Code BUNDLES=$(yq e '.entries[] | select(.schema == "olm.bundle") | .name + "|" + .image' "$GRAPH") while IFS='|' read -r BUNDLE IMAGE; do [[ -z "$BUNDLE" || -z "$IMAGE" ]] && continue echo -n "Checking $BUNDLE... " if skopeo inspect --no-tags "docker://${IMAGE}" > /dev/null 2>&1; then echo "EXISTS" else echo "NOT FOUND - removing" export BUNDLE # Remove bundle entry yq -i 'del(.entries[] | select(.schema == "olm.bundle" and .name == env(BUNDLE)))' "$GRAPH" # Remove from channel entries yq -i '(.entries[] | select(.schema == "olm.channel").entries) |= map(select(.name != env(BUNDLE)))' "$GRAPH" # Remove from skips arrays yq -i '(.entries[] | select(.schema == "olm.channel").entries[].skips) |= map(select(. != env(BUNDLE)))' "$GRAPH" # Remove from replaces references yq -i 'del(.entries[] | select(.schema == "olm.channel").entries[] | select(.replaces == env(BUNDLE)).replaces)' "$GRAPH" ... (clipped 6 lines) Learn more about managing compliance generic rules or creating your own custom rules
	Generic: Security-First Input Validation and Data Handling Objective: Ensure all data inputs are validated, sanitized, and handled securely to prevent vulnerabilities Status: Unvalidated external input: The workflow consumes IMAGE values parsed from $GRAPH and passes them directly into skopeo inspect, so additional validation/allowlisting may be needed to ensure only expected registries/URL formats are queried. Referred Code BUNDLES=$(yq e '.entries[] | select(.schema == "olm.bundle") | .name + "|" + .image' "$GRAPH") while IFS='|' read -r BUNDLE IMAGE; do [[ -z "$BUNDLE" || -z "$IMAGE" ]] && continue echo -n "Checking $BUNDLE... " if skopeo inspect --no-tags "docker://${IMAGE}" > /dev/null 2>&1; then echo "EXISTS" else echo "NOT FOUND - removing" export BUNDLE # Remove bundle entry yq -i 'del(.entries[] | select(.schema == "olm.bundle" and .name == env(BUNDLE)))' "$GRAPH" # Remove from channel entries yq -i '(.entries[] | select(.schema == "olm.channel").entries) |= map(select(.name != env(BUNDLE)))' "$GRAPH" # Remove from skips arrays yq -i '(.entries[] | select(.schema == "olm.channel").entries[].skips) |= map(select(. != env(BUNDLE)))' "$GRAPH" # Remove from replaces references yq -i 'del(.entries[] | select(.schema == "olm.channel").entries[] | select(.replaces == env(BUNDLE)).replaces)' "$GRAPH" ... (clipped 2 lines) Learn more about managing compliance generic rules or creating your own custom rules

Compliance status legend

🟢 - Fully Compliant
🟡 - Partial Compliant
🔴 - Not Compliant
⚪ - Requires Further Human Verification
🏷️ - Compliance label

[qodo-code-review]

PR Code Suggestions ✨

Explore these optional code suggestions:

Category	Suggestion	Impact
Possible issue	Enable strict error handling Add set -euo pipefail to the beginning of the script to enable strict error handling and prevent proceeding in a corrupt state. .github/workflows/main.yml [198-199] +set -euo pipefail + # Filter out bundle images that don't exist in the registry echo "Checking bundle image availability..." Apply / Chat Suggestion importance[1-10]: 8 __ Why: Adding set -euo pipefail is a critical improvement for script robustness, ensuring that any command failure causes the workflow to exit immediately, which prevents data corruption.	Medium
General	Consolidate yq deletions atomically Consolidate the four yq -i commands into a single invocation to apply all deletions atomically and reduce file I/O. .github/workflows/main.yml [214-220] -yq -i 'del(.entries[] | select(.schema == "olm.bundle" and .name == env(BUNDLE)))' "$GRAPH" -yq -i '(.entries[] | select(.schema == "olm.channel").entries) |= map(select(.name != env(BUNDLE)))' "$GRAPH" -yq -i '(.entries[] | select(.schema == "olm.channel").entries[].skips) |= map(select(. != env(BUNDLE)))' "$GRAPH" -yq -i 'del(.entries[] | select(.schema == "olm.channel").entries[] | select(.replaces == env(BUNDLE)).replaces)' "$GRAPH" +yq -i ' + del(.entries[] | select(.schema=="olm.bundle" and .name==env(BUNDLE))) | + (.entries[] | select(.schema=="olm.channel").entries) |= map(select(.name!=env(BUNDLE))) | + (.entries[] | select(.schema=="olm.channel").entries[].skips) |= map(select(.!=env(BUNDLE))) | + del(.entries[] | select(.schema=="olm.channel").entries[] | select(.replaces==env(BUNDLE)).replaces) +' "$GRAPH" Apply / Chat Suggestion importance[1-10]: 7 __ Why: This suggestion correctly identifies that combining the four yq commands into one is more efficient and atomic, reducing I/O and improving script performance.	Medium
	Stream bundles via pipeline Stream the yq command output directly into the while loop instead of storing it in a variable first. .github/workflows/main.yml [200-222] -BUNDLES=$(yq e '.entries[] | select(.schema == "olm.bundle") | .name + "|" + .image' "$GRAPH") - +yq e '.entries[] | select(.schema == "olm.bundle") | .name + "|" + .image' "$GRAPH" | \ while IFS='|' read -r BUNDLE IMAGE; do [[ -z "$BUNDLE" || -z "$IMAGE" ]] && continue … -done <<< "$BUNDLES" +done Apply / Chat Suggestion importance[1-10]: 5 __ Why: This is a good shell scripting practice that improves memory efficiency by streaming the output of yq directly into the while loop, avoiding the creation of an intermediate variable.	Low
More