Skip to content

Update docker image updates to v9.8-1782980183#224

Merged
openshift-merge-bot[bot] merged 1 commit into
mainfrom
konflux/mintmaker/main/docker-image-updates
Jul 6, 2026
Merged

Update docker image updates to v9.8-1782980183#224
openshift-merge-bot[bot] merged 1 commit into
mainfrom
konflux/mintmaker/main/docker-image-updates

Conversation

@red-hat-konflux-kflux-prd-rh02

@red-hat-konflux-kflux-prd-rh02 red-hat-konflux-kflux-prd-rh02 Bot commented Jul 6, 2026

Copy link
Copy Markdown
Contributor

This PR contains the following updates:

Package Type Update Change
registry.access.redhat.com/ubi9/go-toolset stage patch 9.8-17827365639.8-1782980183

Configuration

📅 Schedule: (UTC)

  • Branch creation
    • "on monday"
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

To execute skipped test pipelines write comment /ok-to-test.


Documentation

Find out how to configure dependency updates in MintMaker documentation or see all available configuration options in Renovate documentation.

Signed-off-by: red-hat-konflux-kflux-prd-rh02 <190377777+red-hat-konflux-kflux-prd-rh02[bot]@users.noreply.github.com>
@openshift-ci openshift-ci Bot requested review from mbrudnoy and mliptak0 July 6, 2026 00:04
@openshift-ci

openshift-ci Bot commented Jul 6, 2026

Copy link
Copy Markdown

Hi @red-hat-konflux-kflux-prd-rh02[bot]. Thanks for your PR.

I'm waiting for a openshift-hyperfleet member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work.

Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@coderabbitai

coderabbitai Bot commented Jul 6, 2026

Copy link
Copy Markdown
📝 Walkthrough

Walkthrough

Dockerfile builder stage base image tag updated from registry.access.redhat.com/ubi9/go-toolset:9.8-1782736563 to registry.access.redhat.com/ubi9/go-toolset:9.8-1782980183. No other build or runtime configuration changed.

Estimated code review effort: 1 (Trivial) | ~3 minutes

Security note: Base image pinned by tag, not digest (SHA256). Tag-based references are mutable and vulnerable to registry-side tag reassignment/poisoning (CWE-829: Inclusion of Functionally Untrusted Code, CWE-494: Download of Code Without Integrity Check). Verify the new tag 9.8-1782980183 against known-good SBOM/provenance before merge. No CVE scan results provided for the updated base image — confirm no unpatched CVEs introduced in ubi9/go-toolset 9.8 layer.

Suggested labels: dependencies, docker, supply-chain

Suggested reviewers: platform-security-team

🚥 Pre-merge checks | ✅ 11
✅ Passed checks (11 passed)
Check name Status Explanation
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
Sec-02: Secrets In Log Output ✅ Passed PR only changes a Dockerfile base-image tag; no slog/logr/zap/fmt.Print* statements or token/password/credential/secret fields were introduced. CWE-532 not present.
No Hardcoded Secrets ✅ Passed No hardcoded credentials or secret literals found; the only change is a Dockerfile base-image tag update, not CWE-798/CWE-259 material.
No Weak Cryptography ✅ Passed PASS: Only a Dockerfile base-image tag changed; no crypto/md5, des, rc4, SHA1-for-security, ECB, or secret comparisons were added (CWE-327/CWE-328).
No Injection Vectors ✅ Passed Only Dockerfile changed; no SQL concat, exec.Command, template.HTML, or yaml.Unmarshal sinks in the diff (CWE-89/78/79/502).
No Privileged Containers ✅ Passed PASS: No privileged=true/hostNetwork/hostIPC/SYS_ADMIN or root runtime. Dockerfile uses USER root only for a documented build step, then drops to USER 1001/65532.
No Pii Or Sensitive Data In Logs ✅ Passed Dockerfile-only change; no slog/logr/zap/fmt.Print* calls or PII-bearing log output. CWE-532 not present.
Title check ✅ Passed The title matches the only change: bumping the Docker base image tag.
Description check ✅ Passed The description correctly describes the stage image version bump and automated update context.
✨ Finishing Touches
📝 Generate docstrings
  • Create stacked PR
  • Commit on current branch
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch konflux/mintmaker/main/docker-image-updates
✨ Simplify code
  • Create PR with simplified code
  • Commit simplified code in branch konflux/mintmaker/main/docker-image-updates

Comment @coderabbitai help to get the list of available commands.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@Dockerfile`:
- Line 3: The builder base image in the Dockerfile is pinned only by a mutable
tag, which leaves the build vulnerable to upstream image changes. Update the
FROM reference for the builder stage to use the same image pinned by immutable
digest (`@sha256`:...) instead of only the registry tag, so the image identity is
fixed and reproducible.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Central YAML (base), Organization UI (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 97cf72dd-a0df-4eec-8f51-5327dc7d1f9e

📥 Commits

Reviewing files that changed from the base of the PR and between 21c0d26 and ecf0caf.

📒 Files selected for processing (1)
  • Dockerfile
🔗 Linked repositories identified

CodeRabbit considers these linked repositories for cross-repo context during reviews:

  • openshift-hyperfleet/architecture (manual)
  • openshift-hyperfleet/hyperfleet-api (manual)
  • openshift-hyperfleet/hyperfleet-sentinel (manual)
  • openshift-hyperfleet/hyperfleet-adapter (manual)
  • openshift-hyperfleet/hyperfleet-broker (manual)

Comment thread Dockerfile
ARG BASE_IMAGE=registry.access.redhat.com/ubi9-micro:latest

FROM registry.access.redhat.com/ubi9/go-toolset:9.8-1782736563 AS builder
FROM registry.access.redhat.com/ubi9/go-toolset:9.8-1782980183 AS builder

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🔒 Security & Privacy | 🟠 Major | ⚡ Quick win

No digest pin — supply chain integrity gap (CWE-1357/CWE-494).

registry.access.redhat.com/ubi9/go-toolset:9.8-1782980183 is a mutable tag. Registry tags can be repointed or replaced without notice — verify provenance and pin by digest instead.

🔒 Pin by digest
-FROM registry.access.redhat.com/ubi9/go-toolset:9.8-1782980183 AS builder
+FROM registry.access.redhat.com/ubi9/go-toolset:9.8-1782980183@sha256:<digest> AS builder

As per path instructions, "Pin base images by digest (@sha256:...) not just tag."

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@Dockerfile` at line 3, The builder base image in the Dockerfile is pinned
only by a mutable tag, which leaves the build vulnerable to upstream image
changes. Update the FROM reference for the builder stage to use the same image
pinned by immutable digest (`@sha256`:...) instead of only the registry tag, so
the image identity is fixed and reproducible.

Source: Path instructions

@rafabene

rafabene commented Jul 6, 2026

Copy link
Copy Markdown
Member

/ok-to-test

@hyperfleet-ci-bot

Copy link
Copy Markdown

Risk Score: 0 — risk/low

Signal Detail Points
PR size 2 lines +0
Sensitive paths none +0

Computed by hyperfleet-risk-scorer

@rafabene

rafabene commented Jul 6, 2026

Copy link
Copy Markdown
Member

/lgtm

@rafabene rafabene left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@rafabene

rafabene commented Jul 6, 2026

Copy link
Copy Markdown
Member

/lgtm

@openshift-ci

openshift-ci Bot commented Jul 6, 2026

Copy link
Copy Markdown

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: rafabene

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

1 similar comment
@openshift-ci

openshift-ci Bot commented Jul 6, 2026

Copy link
Copy Markdown

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: rafabene

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-merge-bot openshift-merge-bot Bot merged commit ad1b679 into main Jul 6, 2026
10 checks passed
@red-hat-konflux-kflux-prd-rh02 red-hat-konflux-kflux-prd-rh02 Bot deleted the konflux/mintmaker/main/docker-image-updates branch July 6, 2026 20:09
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant