[hack] Add create-release-tag.py script

[mtnbikenc]

Summary

• Adds hack/create-release-tag.py to create consistent annotated release tags for WMCO
• Resolves the commit SHA from the bundle image in the Red Hat Container Catalog,
  preferring the org.opencontainers.image.revision OCI label (full SHA) and falling
  back to the short-SHA image tag — matching the approach used by hack/verify-release.py
• Sets the tag date to the operator image's push_date so the tag timestamp reflects
  the actual release date rather than when the tag was created
• Prompts for confirmation before creating the tag, showing the resolved commit,
  date, and their sources

Usage

python3 hack/create-release-tag.py <version> [--commit SHA] [--date YYYY-MM-DD]

--commit is required for releases not present in the bundle catalog (e.g. backport-only
releases). --date allows overriding the publish date when needed.

Test plan

• Run python3 hack/create-release-tag.py --help and verify usage output
• Run against an existing version (e.g. 10.21.1) and verify it exits early with "tag already exists"
• Run against a new version and verify the catalog-resolved commit and date match expectations
• Run with --commit and --date overrides and verify the confirmation prompt reflects them
• Verify the created tag is annotated (git cat-file -t vX.Y.Z returns tag) with correct message and date

Summary by CodeRabbit

• New Features
  • Added a command-line tool for creating annotated Git release tags with automated version validation, metadata resolution, and interactive approval workflow before tag creation.

[coderabbitai]

Important

Review skipped

Auto reviews are limited based on label configuration.

🚫 Excluded labels (none allowed) (2)

• do-not-merge/work-in-progress
• do-not-merge/hold

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: Repository YAML (base), Organization UI (inherited)

Review profile: CHILL

Plan: Pro

Run ID: c2cf5985-f5dc-44b1-b6a8-e5f330c8c93e

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

• 🔍 Trigger review

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[openshift-ci]

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: mtnbikenc
Once this PR has been reviewed and has the lgtm label, please assign jrvaldes for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[jrvaldes]

@mtnbikenc thanks for working on this.

there is a presedence to maintain the hack scripts in bash, consider implementing the script in bash to avoid introducing another dependency. i.e. python

also, the script requires special permissions push the tag to the repository, please capture that requirement in the documentation/usage

[mtnbikenc]

@jrvaldes Thanks for the feedback. I started out with a bash script but it became lengthy and cumbersome for the task at hand. I switched from bash to python for improved error handling and reducing the overall length of the script. I understand the desire for consistency for scripts, but I also balance that with the right tool for the job. I'd like feedback from the rest of the team if using python would be too burdensome or undesired.

I'll add a note about the repo permissions required for pushing tags.

[openshift-ci]

@mtnbikenc: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

[coderabbitai]

Actionable comments posted: 4

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@hack/create-release-tag.py`:
- Around line 224-230: The tag_exists function currently calls git("rev-parse",
tag) which resolves any ref (branch or tag); change it to verify the tag ref
explicitly by invoking git with "refs/tags/{tag}" (e.g., git("rev-parse",
f"refs/tags/{tag}") or equivalent) so only actual tags cause a True return, and
keep the existing try/except RuntimeError behavior to return False when the
refs/tags/... lookup fails; update the reference in the tag_exists function
accordingly.
- Around line 297-298: The current check only uses re.fullmatch on args.date and
allows invalid calendar dates (e.g., 2026-02-31); update the validation to
attempt parsing the ISO date string (use datetime.date.fromisoformat or
datetime.strptime) inside a try/except and if parsing raises ValueError call
parser.error(f"--date must be YYYY-MM-DD, got: {args.date!r}") so invalid
calendar dates are rejected at argument parsing; replace or augment the existing
re.fullmatch branch that references args.date and parser.error to perform the
parse-and-catch logic instead.
- Around line 320-346: fetch_bundle_info() and fetch_operator_push_date() call
_fetch_pages() and may raise network/JSON exceptions; wrap both calls in
try/except and surface a clean ERROR + sys.exit(1) like the git-error handling
already used: when calling fetch_bundle_info(version) and
fetch_operator_push_date(version) catch Exception as err, print a descriptive
ERROR to stderr that includes the function name and err (same style as the git
failure prints), then sys.exit(1); keep setting commit_sha/commit_source and
published_date/date_source only on success so behavior matches the manual
--commit/--date branches.
- Around line 214-221: The git() helper currently allows FileNotFoundError from
subprocess.run to leak; modify git() to resolve the git executable first (e.g.,
use shutil.which("git")) and if not found raise a RuntimeError with a clear
message, or wrap the subprocess.run call in a try/except that catches
FileNotFoundError and re-raises a RuntimeError with the original error text;
ensure the change is applied in the git(...) function so all callers continue to
receive RuntimeError instead of an unhandled FileNotFoundError.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 5eca9ed4-d5b5-4540-82fc-b372ad2e25fd

📥 Commits

Reviewing files that changed from the base of the PR and between c676971 and 192dbea.

📒 Files selected for processing (1)

• hack/create-release-tag.py