OCPBUGS-56685

SigstoreImageVerification tests failing on metal with ErrImagePull

    • Quality / Stability / Reliability
    • Approved
    • OCP Node Sprint 272 (Blue), OCP Node Sprint 273 (blue), OCP Node Sprint 274 (blue), OCP Node Sprint 275 (blue)

      (Feel free to update this bug's summary to be more specific.)
      Component Readiness has found a potential regression in the following test:

      [sig-imagepolicy][OCPFeatureGate:SigstoreImageVerification][Serial] Should fail clusterimagepolicy signature validation root of trust does not match the identity in the signature [Suite:openshift/conformance/serial]

      Test has a 46.67% pass rate, but 95.00% is required.

      Sample (being evaluated) Release: 4.20
      Start Time: 2025-05-19T00:00:00Z
      End Time: 2025-05-26T08:00:00Z
      Success Rate: 46.67%
      Successes: 7
      Failures: 8
      Flakes: 0

      Base (historical) Release: 4.19
      Start Time: 2025-04-26T00:00:00Z
      End Time: 2025-05-26T08:00:00Z
      Success Rate: 0.00%
      Successes: 0
      Failures: 0
      Flakes: 0

      View the test details report for additional context.

      Additional tests:

      [sig-imagepolicy][OCPFeatureGate:SigstoreImageVerification][Serial] Should fail imagepolicy signature validation in different namespaces root of trust does not match the identity in the signature [Suite:openshift/conformance/serial]

      [sig-imagepolicy][OCPFeatureGate:SigstoreImageVerification][Serial] Should fail clusterimagepolicy signature validation when scope in allowedRegistries list does not skip signature verification [Suite:openshift/conformance/serial]

      [sig-imagepolicy][OCPFeatureGate:SigstoreImageVerification][Serial] Should pass imagepolicy signature validation with signed image in namespaces [Suite:openshift/conformance/serial]

      [sig-imagepolicy][OCPFeatureGate:SigstoreImageVerification][Serial] Should fail clusterimagepolicy signature validation root of trust does not match the identity in the signature [Suite:openshift/conformance/serial]

      [sig-imagepolicy][OCPFeatureGate:SigstoreImageVerification][Serial] Should pass clusterimagepolicy signature validation with signed image [Suite:openshift/conformance/serial]

      These are only failing on metal; it feels like some kind of image mirroring issue. They appear to be new to 4.20. These tests have been regressed for 11 days, possibly since they first went in; this may also indicate no one is watching how they're performing.

      Interestingly they pass on dualstack, but fail on ipv6, which again feels like an image mirroring problem.

      Example failures: https://prow.ci.openshift.org/view/gs/test-platform-results/logs/periodic-ci-openshift-release-master-nightly-4.20-e2e-metal-ipi-serial-ovn-ipv6-techpreview-1of2/1926851024853667840

      https://prow.ci.openshift.org/view/gs/test-platform-results/logs/periodic-ci-openshift-release-master-nightly-4.20-e2e-metal-ipi-serial-ovn-ipv6-techpreview-2of2/1925401473147998208

      These tests need to be mapped to a component in https://github.com/openshift-eng/ci-test-mapping, typically handled by including a valid tag in the test name to automatically map, but in this case with the tests already building history it might be best to establish explicit mappings for one of the tags already in the test names in the above repo. Commit history there should have examples.

              qiwan233 Qi Wang
              rhn-engineering-dgoodwin Devan Goodwin
              Alice Nahas Alice Nahas