fix: Cannot deploy MCPRegistry from git in OpenShift

[dmartinol]

Fixes #2250

Root cause

• /tmp is not writable and the clone fails
• Also, even after mounting an emptyDir to the deployment, the clone requires large memory that may exceed the limits causing the controller restart
• Clone was performed twice because the FetchRegistry also called CurrentHash which runs another clone

Proposed solution

- Using sparse checkout to reduce the local repo size:
~ - Note: this also copies the other files and the subfloders from the registry data folder~

• Use in-memory FS (thanks @JAORMX and @jhrozek ) for the suggestion
• Do not clone again the repo to compute the hash
• Added GC options in deployment to expedite the execution of the Go Garbage Collector

Alternatives

• If the memory usage remains too high, we can use a direct HTTP raw fetch of the file with no storage and no git protocol
  • The raw URL depends on the Git provider and requires custom implementation. Some providers or versions may not be supported.
• Connect a PVC with some storage area
  • Caching and reuse of existing local repos would improve performance (git fetch instead of full clone)

[codecov]

Codecov Report

❌ Patch coverage is 73.49398% with 44 lines in your changes missing coverage. Please review.
✅ Project coverage is 54.40%. Comparing base (977eabf) to head (2da6e58).
⚠️ Report is 1 commits behind head on main.

Files with missing lines	Patch %	Lines
cmd/thv-operator/pkg/git/fs.go	53.84%	33 Missing and 9 partials ⚠️
cmd/thv-operator/pkg/sources/git.go	95.00%	1 Missing and 1 partial ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #2263      +/-   ##
==========================================
+ Coverage   54.30%   54.40%   +0.10%     
==========================================
  Files         240      241       +1     
  Lines       23594    23695     +101     
==========================================
+ Hits        12812    12891      +79     
- Misses       9567     9587      +20     
- Partials     1215     1217       +2     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[Copilot]

Pull Request Overview

This PR optimizes Git repository operations by implementing sparse checkout to reduce memory usage and improve performance. The root cause was that /tmp was not writable in Kubernetes deployments and clones required excessive memory, causing controller restarts. Additionally, the repository was being cloned twice unnecessarily.

Key changes:

• Replaced multi-step clone operations with a single FetchFileSparse method using sparse checkout
• Added configurable workspace directory via WORKSPACE_DIR environment variable
• Mounted emptyDir volume at /workspace in Kubernetes deployments

Reviewed Changes

Copilot reviewed 9 out of 9 changed files in this pull request and generated 3 comments.

Show a summary per file

File	Description
deploy/charts/operator/templates/deployment.yaml	Added WORKSPACE_DIR environment variable and mounted workspace volume
cmd/thv-operator/pkg/sources/git.go	Refactored to use sparse checkout and eliminated duplicate cloning
cmd/thv-operator/pkg/sources/git_test.go	Updated tests to use new FetchFileSparse API
cmd/thv-operator/pkg/git/client.go	Implemented sparse checkout with path traversal protection
cmd/thv-operator/pkg/git/integration_test.go	Updated integration tests for new API with improved test coverage
cmd/thv-operator/pkg/git/client_test.go	Added comprehensive unit tests including security tests
cmd/thv-operator/pkg/git/e2e_test.go	Added E2E tests for real repository operations
cmd/thv-operator/pkg/git/doc.go	Updated documentation to reflect sparse checkout implementation
cmd/thv-operator/pkg/git/commit_test.go	Removed obsolete commit-specific tests

---

_{Tip: Customize your code reviews with copilot-instructions.md. Create the file or learn how to get started.}

[JAORMX]

@claude can you review this with a focus on security?

[claude]

Claude encountered an error —— View job

Failed with exit code 128

---

I'll analyze this and get back to you.

[jhrozek]

Much better! A couple of findings inline

[jhrozek]

We went from git.PlainCloneContext to git.Clone (no context), could we use git.CloneContext ?

[jhrozek]

I still don't think nudging the GC is necessary.

[dmartinol]

Testing it

[dmartinol]

Without this call, the Pod still crashes with OOMKilled error.
Looks like it's really needed.
I would postpone this finalization once the logic moves to the thv-registry-api, since the same issue will be there, WDYT?