Update docker image updates to v9.8-1782980183#224
Conversation
Signed-off-by: red-hat-konflux-kflux-prd-rh02 <190377777+red-hat-konflux-kflux-prd-rh02[bot]@users.noreply.github.com>
|
Hi @red-hat-konflux-kflux-prd-rh02[bot]. Thanks for your PR. I'm waiting for a openshift-hyperfleet member to verify that this patch is reasonable to test. If it is, they should reply with Regular contributors should join the org to skip this step. Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. DetailsInstructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
📝 WalkthroughWalkthroughDockerfile builder stage base image tag updated from registry.access.redhat.com/ubi9/go-toolset:9.8-1782736563 to registry.access.redhat.com/ubi9/go-toolset:9.8-1782980183. No other build or runtime configuration changed. Estimated code review effort: 1 (Trivial) | ~3 minutes Security note: Base image pinned by tag, not digest (SHA256). Tag-based references are mutable and vulnerable to registry-side tag reassignment/poisoning (CWE-829: Inclusion of Functionally Untrusted Code, CWE-494: Download of Code Without Integrity Check). Verify the new tag Suggested labels: dependencies, docker, supply-chain Suggested reviewers: platform-security-team 🚥 Pre-merge checks | ✅ 11✅ Passed checks (11 passed)
✨ Finishing Touches📝 Generate docstrings
🧪 Generate unit tests (beta)
✨ Simplify code
Comment |
There was a problem hiding this comment.
Actionable comments posted: 1
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@Dockerfile`:
- Line 3: The builder base image in the Dockerfile is pinned only by a mutable
tag, which leaves the build vulnerable to upstream image changes. Update the
FROM reference for the builder stage to use the same image pinned by immutable
digest (`@sha256`:...) instead of only the registry tag, so the image identity is
fixed and reproducible.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Central YAML (base), Organization UI (inherited)
Review profile: CHILL
Plan: Enterprise
Run ID: 97cf72dd-a0df-4eec-8f51-5327dc7d1f9e
📒 Files selected for processing (1)
Dockerfile
🔗 Linked repositories identified
CodeRabbit considers these linked repositories for cross-repo context during reviews:
openshift-hyperfleet/architecture(manual)openshift-hyperfleet/hyperfleet-api(manual)openshift-hyperfleet/hyperfleet-sentinel(manual)openshift-hyperfleet/hyperfleet-adapter(manual)openshift-hyperfleet/hyperfleet-broker(manual)
| ARG BASE_IMAGE=registry.access.redhat.com/ubi9-micro:latest | ||
|
|
||
| FROM registry.access.redhat.com/ubi9/go-toolset:9.8-1782736563 AS builder | ||
| FROM registry.access.redhat.com/ubi9/go-toolset:9.8-1782980183 AS builder |
There was a problem hiding this comment.
🔒 Security & Privacy | 🟠 Major | ⚡ Quick win
No digest pin — supply chain integrity gap (CWE-1357/CWE-494).
registry.access.redhat.com/ubi9/go-toolset:9.8-1782980183 is a mutable tag. Registry tags can be repointed or replaced without notice — verify provenance and pin by digest instead.
🔒 Pin by digest
-FROM registry.access.redhat.com/ubi9/go-toolset:9.8-1782980183 AS builder
+FROM registry.access.redhat.com/ubi9/go-toolset:9.8-1782980183@sha256:<digest> AS builderAs per path instructions, "Pin base images by digest (@sha256:...) not just tag."
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In `@Dockerfile` at line 3, The builder base image in the Dockerfile is pinned
only by a mutable tag, which leaves the build vulnerable to upstream image
changes. Update the FROM reference for the builder stage to use the same image
pinned by immutable digest (`@sha256`:...) instead of only the registry tag, so
the image identity is fixed and reproducible.
Source: Path instructions
|
/ok-to-test |
Risk Score: 0 —
|
| Signal | Detail | Points |
|---|---|---|
| PR size | 2 lines | +0 |
| Sensitive paths | none | +0 |
Computed by hyperfleet-risk-scorer
|
/lgtm |
|
/lgtm |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: rafabene The full list of commands accepted by this bot can be found here. The pull request process is described here DetailsNeeds approval from an approver in each of these files:
Approvers can indicate their approval by writing |
1 similar comment
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: rafabene The full list of commands accepted by this bot can be found here. The pull request process is described here DetailsNeeds approval from an approver in each of these files:
Approvers can indicate their approval by writing |
This PR contains the following updates:
9.8-1782736563→9.8-1782980183Configuration
📅 Schedule: (UTC)
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
To execute skipped test pipelines write comment
/ok-to-test.Documentation
Find out how to configure dependency updates in MintMaker documentation or see all available configuration options in Renovate documentation.