fix(bundler): argocd-helm parent App uses native-OCI source shape

[yuanchen8911]

Summary

Fix the argocd-helm parent Application template to use Argo CD's native-OCI source shape (full artifact path in repoURL, path: ".", no chart: field) instead of the broken repoURL + chart combination that PR #1047 was built on.

Motivation / Context

PRs #1047 and #1048 tried to fix the argocd-helm-oci KWOK matrix failures by adjusting how the wrapper script passes --set repoURL=.... Both PRs landed but the failures persisted — and main is now red on every argocd-helm-oci Tier-1 job. The root cause is in the bundler's parent App template, not the wrapper script.

parentAppTemplate (pkg/bundler/deployer/argocdhelm/argocdhelm.go) rendered:

source:
  repoURL: <Values.repoURL>     # e.g., oci://reg/path
  chart:   <.Chart.Name>        # e.g., my-bundle
  targetRevision: <tag>

The design assumed Argo CD would resolve this as <repoURL>/<chart>:<tag>. But Argo CD's oci:// scheme triggers the native OCI code path, where repoURL is the full artifact reference and source.chart is silently ignored. CI confirms this — every argocd-helm-oci job on main fails with:

HEAD /v2/aicr/manifests/0.0.0-<sha>-argocd-helm-oci

while the artifact actually lives at /v2/aicr/<recipe>/manifests/.... The Argo CD user guide splits the two shapes explicitly:

• Helm OCI charts (no oci://, chart: set): https://argo-cd.readthedocs.io/en/stable/user-guide/helm/
• Native OCI artifacts (oci:// repoURL, path: set): https://argo-cd.readthedocs.io/en/stable/user-guide/oci/

The path-based child Applications already use the native-OCI shape via injectValuesIntoSingleSource (argocdhelm.go:759-786). This PR aligns the parent with that same contract.

Fixes the argocd-helm-oci CI breakage currently failing on main (and on every open PR). Diagnosed via Codex review after #1048 merged.

Fixes: N/A (no dedicated tracking issue)
Related: #1047, #1048, #1019, #1018, #1034

Type of Change

• Bug fix (non-breaking change that fixes an issue)

Component(s) Affected

• Bundlers (pkg/bundler, pkg/component/*)

Implementation Notes

pkg/bundler/deployer/argocdhelm/argocdhelm.go — switch parentAppTemplate to:

source:
  repoURL: '{{ <Values.repoURL trim "/" >/<.Chart.Name> | quote }}'
  targetRevision: <tag>
  path: "."
  helm:
    valuesObject: ...

The printf "%s/%s" … | quote form renders to a single double-quoted YAML scalar, matching Codex's "make the parent repoURL render as a quoted final value" recommendation.

Test updates (argocdhelm_test.go) — the live-render assertions are broader than just goldens:

• TestHelmTemplate_RewrittenSources: parent repoURL now expected as setRepoURL + "/" + chartName; chart empty; path == ".".
• TestGenerate_CustomChartName: switched from asserting source.chart == customName to asserting the chart name flows into source.repoURL (since chart is no longer rendered).
• TestHelmTemplate_AppNameOverride: parent-App detection heuristic switched from source.chart \!= "" to source.path == "." (parent renders at root; path-based children use path: NNN-<name>).
• TestHelmTemplate_PathBasedChildRepoURL: parent repoURL updated to the new shape.

Goldens — testdata/{helm_and_manifest_only,mixed_component}/templates/aicr-stack.yaml regenerated via go test … -args -update.

Doc comments — stale references to source.chart / repoURL/chart:tag updated in:

• DefaultChartName (line 100-106)
• Generator.ChartName (line 136-146)
• parentAppTemplate doc block (line 427+)
• The "OCI publication and the path field" comment block (line 706+)
• The injectValuesIntoSingleSource doc block (line 748+)
• The "User flow" install example (line 484+)

KWOK wrapper script (kwok/scripts/validate-scheduling.sh) — the comment block I introduced in #1047 referenced the now-wrong source.chart contract. Replaced with an accurate description that cites the new parentAppTemplate design. The conditional itself (per-lane assignment from #1048) is unchanged.

Testing

# argocdhelm unit + golden tests
go test ./pkg/bundler/deployer/argocdhelm/...

# regenerate goldens
go test ./pkg/bundler/deployer/argocdhelm/... -run TestBundleGolden -args -update

# wrapper script syntax + lint
bash -n kwok/scripts/validate-scheduling.sh
shellcheck kwok/scripts/validate-scheduling.sh

# full gate
make qualify

All pass — make qualify reports 22 chainsaw tests green, no vulnerabilities, license-headers clean, codebase qualification completed.

Coverage: Touches pkg/bundler/deployer/argocdhelm only; the existing live-render tests already exercise the parent App template and were updated in-PR. No new untested code added.

The real validation is CI itself. After this lands, every argocd-helm-oci Tier-1 matrix job on main and on rebased open PRs should turn green. Local KWOK can't easily reproduce the issue without a published OCI artifact, but the unit tests' live-render path uses helm template with the exact same source-render code path Argo's repo-server would consume.

Risk Assessment

• Medium — Touches the parent App template shape that every published argocd-helm bundle ships. Existing deployed bundles continue to work (they're pre-rendered manifests, unaffected). New bundles produced after this lands ship the native-OCI shape, which is what Argo CD actually supports for oci:// repoURLs.

Rollout notes: Any operator who has an existing argocd-helm install will continue to work; their parent App's source block was already rendered. New installs after this lands produce a parent App with path: "." and no chart field. Argo CD treats this as a native-OCI Helm chart source. If a downstream pipeline somewhere has hardcoded the old shape, it'd need to update — but I'm not aware of any such consumer, and the shape change is the whole point of the fix.

Checklist

• Tests pass locally (make test with -race)
• Linter passes (make lint)
• I did not skip/disable tests to make CI green
• I added/updated tests for new functionality (live-render assertions + goldens regenerated)
• I updated docs if user-facing behavior changed (doc comments + KWOK wrapper inline rationale; the rendered Application shape is internal, not user-facing API)
• Changes follow existing patterns in the codebase
• Commits are cryptographically signed (git commit -S)

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Enterprise

Run ID: 10c8bc2b-b255-4833-90be-0eeaffc2f8f1

📥 Commits

Reviewing files that changed from the base of the PR and between 1d856a7 and 89e4bfa.

📒 Files selected for processing (5)

• kwok/scripts/validate-scheduling.sh
• pkg/bundler/deployer/argocdhelm/argocdhelm.go
• pkg/bundler/deployer/argocdhelm/argocdhelm_test.go
• pkg/bundler/deployer/argocdhelm/testdata/helm_and_manifest_only/templates/aicr-stack.yaml
• pkg/bundler/deployer/argocdhelm/testdata/mixed_component/templates/aicr-stack.yaml

---

📝 Walkthrough

Walkthrough

This PR changes the argocdhelm deployer to dispatch two parent Application render shapes by repoURL scheme: for oci:// inputs the parent App emits spec.source.repoURL as "/<.Chart.Name>", clears spec.source.chart, and sets spec.source.path="."; for non-OCI helm repos it emits repoURL and spec.source.chart. Corresponding docs, testdata, live-render tests, and operator logging were updated to match the new contract.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Possibly related issues

• bug(bundler): argocd-helm Application repoURL contains oci:// scheme; ArgoCD OCI Helm sources reject the scheme and ignore the chart field #1049: Fixes the reported behavior where Argo CD ignores source.chart for oci:// by emitting a full OCI repoURL (appending .Chart.Name) and clearing chart.
• argocd-helm OCI bundle: path-based child Applications miss .Chart.Name; Chart.yaml emits unquoted name #1034: Addresses child/parent template mismatch where path-based children missed .Chart.Name by aligning parent and child templates to the OCI contract.

Possibly related PRs

• NVIDIA/aicr#1038: Modifies parent/child OCI repoURL concatenation and trimming logic similar to this PR.
• NVIDIA/aicr#1035: Related changes around OCI repoURL + .Chart.Name composition in argocdhelm code paths and tests.
• NVIDIA/aicr#1047: Related updates to validate-scheduling.sh and in-cluster OCI repoURL composition/logging.

Suggested labels

size/M

Suggested reviewers

• lockwobr
• mchmarny

🚥 Pre-merge checks | ✅ 4

✅ Passed checks (4 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title clearly and specifically describes the main change: fixing the argocd-helm parent Application template to use Argo CD's native-OCI source shape instead of the broken repoURL+chart combination.
Description check	✅ Passed	The description is comprehensive and directly related to the changeset, explaining the motivation, root cause analysis, implementation details, testing approach, and risk assessment for the native-OCI source shape fix.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}