fix(ci): address code review findings for PR #1884

- Remove push: triggers from reusable workflows (config-checks,
  golang-checks, image-builds, release) to prevent double-execution
  when called from ci.yaml
- Eliminate ~80 lines of duplicated variable calculation logic in
  image-builds.yaml and release.yaml
- Make yq a hard requirement for YAML merging instead of falling back
  to cat concatenation which produces invalid YAML
- Replace echo -e with printf '%b' in env-to-values.sh for portability
- Add use_values_override input to e2e-tests workflow_dispatch
- Fix shebang consistency in get-latest-images.sh (#!/usr/bin/env bash)
- Document 8-char SHA truncation assumption in get-latest-images.sh
- Remove non-deterministic date from generated values file headers
- Remove trailing whitespace in code-scanning.yaml

Author: ArangoGutierrez

.github/scripts/generate-values-overrides.sh

@@ -41,7 +41,6 @@ MIG_MANAGER_IMAGE="$4"
 # Generate values override file
 cat > "${OUTPUT_FILE}" <<EOF
 # Generated by generate-values-overrides.sh
-# Date: $(date -u +"%Y-%m-%d %H:%M:%S UTC")
 #
 # This file overrides default GPU Operator component images with
 # specific versions for forward compatibility testing.

.github/scripts/get-latest-images.sh

@@ -1,4 +1,4 @@
-#!/bin/bash
+#!/usr/bin/env bash
 # Copyright NVIDIA CORPORATION
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
@@ -51,7 +51,9 @@ esac
 
 echo "Fetching latest commit from ${GITHUB_REPO}..." >&2
 
-# Get the latest commit SHA from the main branch using GitHub API
+# Get the latest commit SHA from the main branch using GitHub API.
+# NOTE: We use 8-char truncated SHAs as image tags. This must match the
+# tag convention used by each component's CI pipeline when publishing images.
 GITHUB_API_URL="https://api.github.com/repos/${GITHUB_REPO}/commits/main"
 
 # Use GITHUB_TOKEN if available for authentication (higher rate limits)

.github/workflows/code-scanning.yaml

@@ -45,7 +45,7 @@ jobs:
     - shell: bash
       run: |
         make build
-        
+
     - name: Perform CodeQL Analysis
       uses: github/codeql-action/analyze@v4
       with:

.github/workflows/config-checks.yaml

@@ -15,11 +15,6 @@
 name: Configuration Checks
 
 on:
-  push:
-    branches:
-      - "pull-request/[0-9]+"
-      - main
-      - release-*
   workflow_call:
   workflow_dispatch:
 

.github/workflows/e2e-tests.yaml

@@ -49,6 +49,11 @@ on:
         description: 'Operator version to test (override)'
         required: false
         type: string
+      use_values_override:
+        description: 'Use values-overrides artifact for component image configuration'
+        required: false
+        type: boolean
+        default: false
 
 jobs:
   variables:

.github/workflows/golang-checks.yaml

@@ -15,11 +15,6 @@
 name: Golang Checks
 
 on:
-  push:
-    branches:
-      - "pull-request/[0-9]+"
-      - main
-      - release-*
   workflow_call:
   workflow_dispatch:
 

.github/workflows/image-builds.yaml

@@ -15,11 +15,6 @@
 name: Image Builds
 
 on:
-  push:
-    branches:
-      - "pull-request/[0-9]+"
-      - main
-      - release-*
   workflow_call:
     inputs:
       commit_short_sha:
@@ -34,7 +29,6 @@ on:
       operator_image_base:
         required: true
         type: string
-  workflow_dispatch:
 
 jobs:
   variables:
@@ -48,47 +42,19 @@ jobs:
       operator_image_amd64: ${{ steps.vars.outputs.operator_image_amd64 }}
       operator_image_multiarch: ${{ steps.vars.outputs.operator_image_multiarch }}
     steps:
-      - name: Checkout code
-        if: ${{ github.event_name != 'workflow_call' }}
-        uses: actions/checkout@v6
       - name: Calculate build variables
         id: vars
         run: |
-          # Use inputs from workflow_call if available, otherwise calculate
-          if [[ "${{ github.event_name }}" == "workflow_call" ]]; then
-            COMMIT_SHORT_SHA="${{ inputs.commit_short_sha }}"
-            LABEL_IMAGE_SOURCE="${{ inputs.label_image_source }}"
-            PUSH_ON_BUILD="${{ inputs.push_on_build }}"
-            OPERATOR_IMAGE_BASE="${{ inputs.operator_image_base }}"
-          else
-            # Calculate for standalone runs
-            COMMIT_SHORT_SHA="${GITHUB_SHA:0:8}"
-            
-            REPO_FULL_NAME="${{ github.event.pull_request.head.repo.full_name }}"
-            if [[ -z "${REPO_FULL_NAME}" ]]; then
-              REPO_FULL_NAME="${{ github.repository }}"
-            fi
-            LABEL_IMAGE_SOURCE="https://github.com/${REPO_FULL_NAME}"
-            
-            PUSH_ON_BUILD="false"
-            if [[ "${{ github.actor }}" != "dependabot[bot]" ]]; then
-              if [[ "${{ github.event_name }}" == "pull_request" && "${{ github.event.pull_request.head.repo.full_name }}" == "${{ github.repository }}" ]]; then
-                PUSH_ON_BUILD="true"
-              elif [[ "${{ github.event_name }}" == "push" ]]; then
-                PUSH_ON_BUILD="true"
-              elif [[ "${{ github.event_name }}" == "workflow_dispatch" ]]; then
-                PUSH_ON_BUILD="true"
-              fi
-            fi
-            
-            OPERATOR_IMAGE_BASE="ghcr.io/nvidia/gpu-operator"
-          fi
-          
+          COMMIT_SHORT_SHA="${{ inputs.commit_short_sha }}"
+          LABEL_IMAGE_SOURCE="${{ inputs.label_image_source }}"
+          PUSH_ON_BUILD="${{ inputs.push_on_build }}"
+          OPERATOR_IMAGE_BASE="${{ inputs.operator_image_base }}"
+
           # Calculate derived image names
           OPERATOR_IMAGE_ARM64="${OPERATOR_IMAGE_BASE}:${COMMIT_SHORT_SHA}-arm64"
           OPERATOR_IMAGE_AMD64="${OPERATOR_IMAGE_BASE}:${COMMIT_SHORT_SHA}-amd64"
           OPERATOR_IMAGE_MULTIARCH="${OPERATOR_IMAGE_BASE}:${COMMIT_SHORT_SHA}"
-          
+
           # Output all variables
           echo "commit_short_sha=${COMMIT_SHORT_SHA}" >> $GITHUB_OUTPUT
           echo "label_image_source=${LABEL_IMAGE_SOURCE}" >> $GITHUB_OUTPUT
@@ -97,7 +63,7 @@ jobs:
           echo "operator_image_arm64=${OPERATOR_IMAGE_ARM64}" >> $GITHUB_OUTPUT
           echo "operator_image_amd64=${OPERATOR_IMAGE_AMD64}" >> $GITHUB_OUTPUT
           echo "operator_image_multiarch=${OPERATOR_IMAGE_MULTIARCH}" >> $GITHUB_OUTPUT
-          
+
           # Display for debugging
           echo "::notice::Commit SHA: ${COMMIT_SHORT_SHA}"
           echo "::notice::Push on build: ${PUSH_ON_BUILD}"

.github/workflows/release.yaml

@@ -15,9 +15,6 @@
 name: Release
 
 on:
-  push:
-    branches:
-      - main
   workflow_call:
     inputs:
       commit_short_sha:
@@ -37,34 +34,24 @@ jobs:
       operator_image_latest: ${{ steps.vars.outputs.operator_image_latest }}
       bundle_image: ${{ steps.vars.outputs.bundle_image }}
     steps:
-      - name: Checkout code
-        if: ${{ github.event_name != 'workflow_call' }}
-        uses: actions/checkout@v6
       - name: Calculate release variables
         id: vars
         run: |
-          # Use inputs from workflow_call if available
-          if [[ "${{ github.event_name }}" == "workflow_call" ]]; then
-            COMMIT_SHORT_SHA="${{ inputs.commit_short_sha }}"
-            OPERATOR_IMAGE_BASE="${{ inputs.operator_image_base }}"
-          else
-            # Calculate for standalone runs
-            COMMIT_SHORT_SHA="${GITHUB_SHA:0:8}"
-            OPERATOR_IMAGE_BASE="ghcr.io/nvidia/gpu-operator"
-          fi
-          
+          COMMIT_SHORT_SHA="${{ inputs.commit_short_sha }}"
+          OPERATOR_IMAGE_BASE="${{ inputs.operator_image_base }}"
+
           # Calculate derived values
           OPERATOR_IMAGE_SOURCE="${OPERATOR_IMAGE_BASE}:${COMMIT_SHORT_SHA}"
           OPERATOR_IMAGE_LATEST="${OPERATOR_IMAGE_BASE}:main-latest"
           BUNDLE_IMAGE="ghcr.io/nvidia/gpu-operator/gpu-operator-bundle:main-latest"
-          
+
           # Output all variables
           echo "commit_short_sha=${COMMIT_SHORT_SHA}" >> $GITHUB_OUTPUT
           echo "operator_image_base=${OPERATOR_IMAGE_BASE}" >> $GITHUB_OUTPUT
           echo "operator_image_source=${OPERATOR_IMAGE_SOURCE}" >> $GITHUB_OUTPUT
           echo "operator_image_latest=${OPERATOR_IMAGE_LATEST}" >> $GITHUB_OUTPUT
           echo "bundle_image=${BUNDLE_IMAGE}" >> $GITHUB_OUTPUT
-          
+
           # Display for debugging
           echo "::notice::Releasing: ${OPERATOR_IMAGE_SOURCE} → ${OPERATOR_IMAGE_LATEST}"
 

tests/scripts/env-to-values.sh

@@ -42,7 +42,6 @@ OUTPUT_FILE="$1"
 # Start with header
 cat > "${OUTPUT_FILE}" <<EOF
 # Generated from environment variables by env-to-values.sh
-# Date: $(date -u +"%Y-%m-%d %H:%M:%S UTC")
 #
 # This file contains GPU Operator configuration derived from test
 # environment variables.
@@ -80,13 +79,15 @@ fi
 # Write operator configuration if any
 if [[ -n "${OPERATOR_CONFIG}" ]]; then
     echo "operator:" >> "${OUTPUT_FILE}"
-    echo -e "${OPERATOR_CONFIG}" >> "${OUTPUT_FILE}"
+    printf '%b' "${OPERATOR_CONFIG}" >> "${OUTPUT_FILE}"
+    echo "" >> "${OUTPUT_FILE}"
 fi
 
 # Write validator configuration if any
 if [[ -n "${VALIDATOR_CONFIG}" ]]; then
     echo "validator:" >> "${OUTPUT_FILE}"
-    echo -e "${VALIDATOR_CONFIG}" >> "${OUTPUT_FILE}"
+    printf '%b' "${VALIDATOR_CONFIG}" >> "${OUTPUT_FILE}"
+    echo "" >> "${OUTPUT_FILE}"
 fi
 
 # Container Toolkit configuration

tests/scripts/install-operator.sh

@@ -48,13 +48,13 @@ if [[ "${USE_VALUES_FILE}" == "true" ]]; then
 
 		# Create a combined values file using yq for proper YAML merging
 		COMBINED_VALUES=$(mktemp)
-		if command -v yq >/dev/null 2>&1; then
-			# yq merges YAML properly, with later files taking precedence
-			yq ea '. as $item ireduce ({}; . * $item )' "${VALUES_FILE}" "${TEMP_ENV_VALUES}" > "${COMBINED_VALUES}"
-		else
-			echo "Warning: yq not found, falling back to concatenation (may have issues with duplicate keys)" >&2
-			cat "${VALUES_FILE}" "${TEMP_ENV_VALUES}" > "${COMBINED_VALUES}"
+		if ! command -v yq >/dev/null 2>&1; then
+			echo "Error: yq is required to merge YAML values files but was not found in PATH." >&2
+			echo "Install yq: https://github.com/mikefarah/yq" >&2
+			exit 1
 		fi
+		# yq merges YAML properly, with later files taking precedence
+		yq ea '. as $item ireduce ({}; . * $item )' "${VALUES_FILE}" "${TEMP_ENV_VALUES}" > "${COMBINED_VALUES}"
 		VALUES_FILE="${COMBINED_VALUES}"
 	else
 		VALUES_FILE="${TEMP_ENV_VALUES}"