From d3e63e99b42ccfa682a594dc84348c74ec015b23 Mon Sep 17 00:00:00 2001
From: Gloria Ciavarrini
Date: Mon, 22 Jun 2026 11:34:13 +0200
Subject: [PATCH 1/2] Fix subsystem CI workflow env context in reusable calls
GitHub Actions rejects env in with inputs for workflow_call. Inline pre-pull image lists in each subsystem job.
Assisted-By: Claude (Anthropic)
Signed-off-by: Gloria Ciavarrini
---
 .github/workflows/subsystem.yaml | 25 +++++++++++++++----------
 1 file changed, 15 insertions(+), 10 deletions(-)
diff --git a/.github/workflows/subsystem.yaml b/.github/workflows/subsystem.yaml
index 41765a1..4992900 100644
--- a/.github/workflows/subsystem.yaml
+++ b/.github/workflows/subsystem.yaml
@@ -6,13 +6,6 @@ on:
 pull_request:
 branches: [main, 'release/v*']
-# All jobs build control-plane via Containerfile (UBI builder + runtime).
-# Pre-pull with retries avoids flaky CDN EOFs during podman-compose build.
-env:
- CONTROL_PLANE_BUILD_IMAGES: >-
- registry.access.redhat.com/ubi9/go-toolset:1.25.5
- registry.access.redhat.com/ubi9/ubi-minimal:latest
-
 jobs:
 policy-subsystem:
 uses: dcm-project/shared-workflows/.github/workflows/black-box.yaml@main
@@ -20,7 +13,10 @@ jobs:
 up-target: policy-subsystem-test-up
 test-target: policy-subsystem-test
 down-target: policy-subsystem-test-down
- images: "${{ env.CONTROL_PLANE_BUILD_IMAGES }} quay.io/sclorg/postgresql-16-c9s:latest"
+ images: >-
+ registry.access.redhat.com/ubi9/go-toolset:1.25.5
+ registry.access.redhat.com/ubi9/ubi-minimal:latest
+ quay.io/sclorg/postgresql-16-c9s:latest
 catalog-subsystem:
 uses: dcm-project/shared-workflows/.github/workflows/black-box.yaml@main
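Review bot: The inlined `images:` list for policy-subsystem pre-pulls by mutable tag (`ubi-minimal:latest`, `postgresql-16-c9s:latest`), so the content CI builds and tests against can change without any commit to this repository. Pinning each entry by digest, e.g. `registry.access.redhat.com/ubi9/ubi-minimal@sha256:<digest>` (placeholder), here and wherever the build references the same images, would make the pre-pull reproducible and auditable. The same applies to the catalog-subsystem and sp-subsystem lists in the following hunks. Since the list is now repeated in three jobs, a short comment above each `images:` key naming the other two copies would help keep them from drifting. The `with:` block starts outside the hunk.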
@@ -28,7 +24,11 @@ jobs:
 up-target: catalog-subsystem-test-up
 test-target: catalog-subsystem-test
 down-target: catalog-subsystem-test-down
- images: "${{ env.CONTROL_PLANE_BUILD_IMAGES }} quay.io/sclorg/postgresql-16-c9s:latest wiremock/wiremock:3x"
+ images: >-
+ registry.access.redhat.com/ubi9/go-toolset:1.25.5
+ registry.access.redhat.com/ubi9/ubi-minimal:latest
+ quay.io/sclorg/postgresql-16-c9s:latest
+ wiremock/wiremock:3x
 sp-subsystem:
 uses: dcm-project/shared-workflows/.github/workflows/black-box.yaml@main
@@ -36,4 +36,9 @@ jobs:
 up-target: sp-subsystem-test-up
 test-target: sp-subsystem-test
 down-target: sp-subsystem-test-down
- images: "${{ env.CONTROL_PLANE_BUILD_IMAGES }} quay.io/sclorg/postgresql-16-c9s:latest wiremock/wiremock:3x docker.io/library/nats:2-alpine"
+ images: >-
+ registry.access.redhat.com/ubi9/go-toolset:1.25.5
+ registry.access.redhat.com/ubi9/ubi-minimal:latest
+ quay.io/sclorg/postgresql-16-c9s:latest
+ wiremock/wiremock:3x
+ docker.io/library/nats:2-alpine
From 0b9a1650c6e4be2ed8ec1d396831493d2cf072dd Mon Sep 17 00:00:00 2001
From: Gloria Ciavarrini
Date: Mon, 22 Jun 2026 12:19:00 +0200
Subject: [PATCH 2/2] fix(app): allow merge-patch bodies through OpenAPI validation
kin-openapi rewrites request bodies after applying schema defaults but only encodes application/json. PATCH policies use merge-patch+json, so validation returned 400 before the handler ran.
Assisted-by: Claude (Anthropic)
Signed-off-by: Gloria Ciavarrini
---
 internal/app/openapi.go | 4 ++++
 internal/app/openapi_validation_test.go | 16 ++++++++++++++++
 2 files changed, 20 insertions(+)
diff --git a/internal/app/openapi.go b/internal/app/openapi.go
index de31a69..2aa333d 100644
--- a/internal/app/openapi.go
+++ b/internal/app/openapi.go
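Review bot: In `.github/workflows/subsystem.yaml`, `wiremock/wiremock:3x` in the catalog-subsystem `images:` list (and again in the sp-subsystem list) is the only entry without a registry host. If the shared workflow pulls with podman, as the removed comment about podman-compose suggests, an unqualified name is resolved through the runner's short-name and search-registry configuration rather than a fixed registry. Writing it fully qualified, `docker.io/wiremock/wiremock:3x`, matches the neighbouring `docker.io/library/nats:2-alpine` entry and removes that ambiguity.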
@@ -56,6 +56,10 @@ func oapiRequestValidator(spec *openapi3.T) func(http.Handler) http.Handler {
 return nethttpmiddleware.OapiRequestValidatorWithOptions(spec, &nethttpmiddleware.Options{
 Options: openapi3filter.Options{
 AuthenticationFunc: openapi3filter.NoopAuthenticationFunc,
+ // kin-openapi rewrites validated bodies when schema defaults are applied,
+ // but only registers encoders for application/json. PATCH merge bodies
+ // use application/merge-patch+json and must stay partial (RFC 7396).
+ SkipSettingDefaults: true,
 },
 SilenceServersWarning: true,
 })
diff --git a/internal/app/openapi_validation_test.go b/internal/app/openapi_validation_test.go
index c2f4534..126c665 100644
--- a/internal/app/openapi_validation_test.go
+++ b/internal/app/openapi_validation_test.go
@@ -37,6 +37,22 @@ var _ = Describe("OpenAPI request validation", func() {
 It("rejects malformed JSON on POST /policies", func() {
 expectInvalidJSONRejected(validators, "/api/v1alpha1/policies")
 })
+
+ It("allows valid partial PATCH on /policies/{policyId}", func() {
+ router := chi.NewRouter()
+ router.Use(validators.middleware())
+ router.Patch("/api/v1alpha1/policies/{policyId}", func(w http.ResponseWriter, _ *http.Request) {
+ w.WriteHeader(http.StatusOK)
+ })
+
+ body := `{"display_name":"Updated Name","priority":600}`
+ req := httptest.NewRequest(http.MethodPatch, "/api/v1alpha1/policies/test-policy-id", strings.NewReader(body))
+ req.Header.Set("Content-Type", "application/merge-patch+json")
+ rec := httptest.NewRecorder()
+ router.ServeHTTP(rec, req)
+
+ Expect(rec.Code).To(Equal(http.StatusOK), rec.Body.String())
+ })
 })
 Describe("catalog routes", func() {
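Review bot: `SkipSettingDefaults: true` sits on the validator's shared `openapi3filter.Options` in `internal/app/openapi.go`, so it turns off default injection for every route and content type behind this middleware, not only the merge-patch PATCH that motivated it. Any handler that relied on kin-openapi filling schema defaults into `application/json` bodies, for example on POST, would now see those fields absent. That cannot be confirmed from this hunk, so it is worth checking the handlers or covering it with a test. The added comment should state the scope, e.g. `// Applies to all routes: handlers must apply schema defaults themselves.` The body of `oapiRequestValidator` starts and ends outside the hunk.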
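Review bot: The new spec in `internal/app/openapi_validation_test.go` only proves that a well-formed merge-patch body gets through; nothing in it shows that `application/merge-patch+json` bodies are still validated against the schema. A companion case that sends a schema-invalid patch and expects 400 would guard against the validator silently skipping this content type. The stub handler could also read the request body and compare it with what was sent, to pin the "must stay partial" claim. The sample below assumes the spec types `priority` as an integer, which is inferred from the value 600 and should be checked against the spec. The enclosing `Describe` starts and ends outside the hunk.

```go
It("rejects a schema-invalid PATCH on /policies/{policyId}", func() {
	// … unchanged: router setup as in the partial-PATCH spec …

	// Constructed sample; assumes the spec types priority as an integer.
	body := `{"priority":"not-a-number"}`
	req := httptest.NewRequest(http.MethodPatch, "/api/v1alpha1/policies/test-policy-id", strings.NewReader(body))
	req.Header.Set("Content-Type", "application/merge-patch+json")
	rec := httptest.NewRecorder()
	router.ServeHTTP(rec, req)

	Expect(rec.Code).To(Equal(http.StatusBadRequest), rec.Body.String())
})
```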