Add integration test with real Google Artifact Registry image

rdimitrov · rdimitrov · commit 5458edf9d69d · 2025-10-24T12:58:33.000+03:00
Signed-off-by: Radoslav Dimitrov &lt;radoslav@stacklok.com&gt;
diff --git a/internal/validators/registries/oci_test.go b/internal/validators/registries/oci_test.go
@@ -18,42 +18,38 @@ func TestValidateOCI_RegistryAllowlist(t *testing.T) {
 		expectError bool
 		errorMsg    string
 	}{
-		// Allowed registries - these should NOT fail with "unsupported registry"
+		// Allowed registries - use real public images that exist
+		// These should fail with "missing required annotation" (no MCP label)
+		// NOT with "unsupported registry", "does not exist", or "is private" errors
 		{
-			name:       "Docker Hub should be allowed",
-			identifier: "docker.io/test/image:latest",
-			// Will fail on image not found, but registry should be accepted
+			name:        "Docker Hub should be allowed",
+			identifier:  "docker.io/library/alpine:latest",
 			expectError: true,
+			errorMsg:    "missing required annotation",
 		},
 		{
-			name:       "Docker Hub without explicit registry should default and be allowed",
-			identifier: "test/image:latest",
-			// Will fail on image not found, but registry should be accepted
+			name:        "Docker Hub without explicit registry should default and be allowed",
+			identifier:  "library/hello-world:latest",
 			expectError: true,
+			errorMsg:    "missing required annotation",
 		},
 		{
-			name:       "GHCR should be allowed",
-			identifier: "ghcr.io/test/image:latest",
-			// Will fail on image fetch, but registry should be accepted
+			name:        "GHCR should be allowed",
+			identifier:  "ghcr.io/containerbase/base:latest",
 			expectError: true,
+			errorMsg:    "missing required annotation",
 		},
 		{
-			name:       "Artifact Registry us-central1 should be allowed",
-			identifier: "us-central1-docker.pkg.dev/project/repo/image:latest",
-			// Will fail on image fetch, but registry should be accepted
+			name:        "Artifact Registry regional should be allowed",
+			identifier:  "us-central1-docker.pkg.dev/database-toolbox/toolbox/toolbox:latest",
 			expectError: true,
+			errorMsg:    "missing required annotation",
 		},
 		{
-			name:       "Artifact Registry europe-west1 should be allowed",
-			identifier: "europe-west1-docker.pkg.dev/project/repo/image:latest",
-			// Will fail on image fetch, but registry should be accepted
-			expectError: true,
-		},
-		{
-			name:       "Artifact Registry multi-region us should be allowed",
-			identifier: "us-docker.pkg.dev/project/repo/image:latest",
-			// Will fail on image fetch, but registry should be accepted
+			name:        "Artifact Registry multi-region should be allowed",
+			identifier:  "us-docker.pkg.dev/berglas/berglas/berglas:latest",
 			expectError: true,
+			errorMsg:    "missing required annotation",
 		},
 
 		// Disallowed registries
@@ -106,13 +102,8 @@ func TestValidateOCI_RegistryAllowlist(t *testing.T) {
 
 			if tt.expectError {
 				assert.Error(t, err)
-				if tt.errorMsg != "" {
-					// Should contain the specific error message
-					assert.Contains(t, err.Error(), tt.errorMsg)
-				} else {
-					// For allowed registries, should NOT be "unsupported registry" error
-					assert.NotContains(t, err.Error(), "unsupported OCI registry")
-				}
+				// Should contain the specific error message
+				assert.Contains(t, err.Error(), tt.errorMsg)
 			} else {
 				assert.NoError(t, err)
 			}
