fix: hex-encode OCI layout image name to avoid validation errors #1954

Open
joelanford wants to merge 2 commits into operator-framework:master from joelanford:fix/hex-encode-oci-layout-ref-name

@joelanford

Description of the change:

Hex-encode the image reference string when using it as the OCI layout ref.name annotation in the containers/image registry cache. Docker tags allow characters (e.g. __) that are not valid in OCI layout ref.name annotations, causing opm render to fail with Invalid image errors for images with such tags.

The layoutKey() function hex-encodes the reference string, producing a value that is always valid per the OCI ref.name regex while remaining reversible for debugging.

Motivation for the change:

Running opm render on images with double underscores in their tags (e.g. quay.io/redhat-user-workloads/ocp-art-tenant/art-fbc:oadp-1.6__v4.22__oadp-rhel9-operator) fails because the containersimageregistry Pull method passes the raw docker reference as the OCI layout image name, and the OCI ref.name annotation format is stricter than docker tag rules.

Reviewer Checklist

  • Implementation matches the proposed design, or proposal is updated to match implementation
  • Sufficient unit test coverage
  • Sufficient end-to-end test coverage
  • Docs updated or added to /docs
  • Commit messages sensible and descriptive

Generated with Claude Code
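
The mismatch described in the pull request description above, as an added example that is not part of the pull request or of operator-registry. The regular expression is this example's own transcription of the ref.name grammar from the OCI image spec (an assumption, not the check containers/image performs), and `validRefName`, `hexKey` and `decodeKey` are hypothetical names; the second sample reference is constructed.

```go
package main

import (
	"encoding/hex"
	"fmt"
	"regexp"
)

// Grammar transcribed from the OCI image spec annotation rules (assumption):
//   ref       ::= component ("/" component)*
//   component ::= alphanum (separator alphanum)*
//   alphanum  ::= [A-Za-z0-9]+
//   separator ::= [-._:@+] | "--"
const component = `[A-Za-z0-9]+(?:(?:[-._:@+]|--)[A-Za-z0-9]+)*`

var refNameRE = regexp.MustCompile(`^` + component + `(?:/` + component + `)*$`)

// validRefName reports whether s matches the ref.name grammar above.
func validRefName(s string) bool { return refNameRE.MatchString(s) }

// hexKey mirrors the approach the PR describes: hex-encode the reference.
// The output uses only [0-9a-f], so it is a single alphanum component.
func hexKey(ref string) string { return hex.EncodeToString([]byte(ref)) }

// decodeKey recovers the original reference, e.g. when inspecting a cache.
func decodeKey(key string) (string, error) {
	b, err := hex.DecodeString(key)
	if err != nil {
		return "", fmt.Errorf("not a hex-encoded layout key: %w", err)
	}
	return string(b), nil
}

func main() {
	refs := []string{
		// Reference quoted in the PR description: "__" is two separators in a row.
		"quay.io/redhat-user-workloads/ocp-art-tenant/art-fbc:oadp-1.6__v4.22__oadp-rhel9-operator",
		// Constructed reference: a single "_" between alphanum runs is allowed.
		"example.test/ns/img:v1_2",
	}
	for _, ref := range refs {
		key := hexKey(ref)
		back, err := decodeKey(key)
		fmt.Printf("raw valid=%v key valid=%v round trip=%v\n",
			validRefName(ref), validRefName(key), err == nil && back == ref)
	}
}
```

Because the encoding is reversible, two different reference strings can never map to the same key.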

Copilot AI review requested due to automatic review settings April 8, 2026 18:33
@openshift-ci

openshift-ci bot commented Apr 8, 2026

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign kevinrizza for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

Copilot AI left a comment

Pull request overview

This PR updates the containersimageregistry OCI-layout cache keying to avoid OCI ref.name validation failures when Docker image tags contain characters that OCI layout does not permit (e.g. __). It does this by hex-encoding the full image reference string before passing it to layout.NewReference.

Changes:

  • Add layoutKey(ref string) which hex-encodes the reference into an OCI-ref-name-safe string.
  • Use layoutKey(ref.String()) when creating OCI layout references in Pull, Unpack, and Labels.

Comment on lines +119 to +125
// layoutKey returns a deterministic, OCI-ref-name-safe key for the given
// image reference. Docker tags allow characters (e.g. "__") that are not
// valid in OCI layout ref.name annotations, so we hex-encode the reference
// instead of using it directly.
func layoutKey(ref string) string {
return hex.EncodeToString([]byte(ref))
}
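
Review bot: the doc comment above layoutKey does not say that the returned key is the lowercase hex of the reference bytes and can be turned back into the reference with hex.DecodeString, so anyone inspecting a cache directory will see only opaque ref.name values. Suggest adding one sentence on how to decode a key. The comment also calls the key deterministic, which holds per input string only: two spellings of the same image encode to different keys, so it is worth stating that callers must pass one canonical string form.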

Copilot AI Apr 8, 2026

Changing the OCI layout key from the raw ref string to a hex-encoded value will effectively invalidate any existing on-disk cache entries when OLM_CACHE_DIR is set (preserve=true), forcing images to be re-pulled and making older cache entries unreachable by Unpack/Labels. If persistent cache reuse across runs is expected, consider a backward-compatible fallback (try the legacy raw ref.name when the new key is missing) and/or a one-time migration/cleanup strategy, or clearly document this cache-key change as a breaking cache behavior.

@joelanford joelanford Apr 8, 2026

Image re-pulling is already optimized by containers/image internals and is not related to the use of the org.opencontainers.image.ref.name annotation.

That annotation is written by Pull and then read by Unpack and Labels. If someone pulls using the new Pull method, but then unpacks/gets labels with the old Unpack and Labels methods, that would be a problem. But it is not intended for different versions of the library to be used for different image interactions.

@codecov

codecov bot commented Apr 8, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 57.71%. Comparing base (93adf40) to head (becb80f).

Additional details and impacted files
@@           Coverage Diff           @@
##           master    #1954   +/-   ##
=======================================
  Coverage   57.70%   57.71%           
=======================================
  Files         139      139           
  Lines       13371    13373    +2     
=======================================
+ Hits         7716     7718    +2     
  Misses       4468     4468           
  Partials     1187     1187           

@joelanford joelanford force-pushed the fix/hex-encode-oci-layout-ref-name branch from eebc916 to 7332146 April 8, 2026 20:34
joelanford and others added 2 commits April 8, 2026 16:45
Docker tags allow characters (e.g. "__") that are not valid in OCI
layout ref.name annotations. Instead of passing the raw image
reference as the OCI layout image name, hex-encode it to produce
a string that always satisfies the OCI ref.name regex.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@joelanford joelanford force-pushed the fix/hex-encode-oci-layout-ref-name branch from 7332146 to becb80f April 8, 2026 20:45