Update Konflux references#209
Conversation
Signed-off-by: red-hat-konflux-kflux-prd-rh02 <190377777+red-hat-konflux-kflux-prd-rh02[bot]@users.noreply.github.com>
|
Hi @red-hat-konflux-kflux-prd-rh02[bot]. Thanks for your PR. I'm waiting for a openshift-hyperfleet member to verify that this patch is reasonable to test. If it is, they should reply with Regular contributors should join the org to skip this step. Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. DetailsInstructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
📝 WalkthroughWalkthroughPinned OCI digests (sha256) for Tekton task bundle references were updated across three PipelineRun manifests: hyperfleet-sentinel-chart-push.yaml (2 references), hyperfleet-sentinel-push.yaml (9 references), and hyperfleet-sentinel-tag.yaml (9 references). Task names, versions, parameters, runAfter ordering, conditions, and workspace declarations remain unchanged. Estimated code review effort: 2 (Simple) | ~10 minutes Security NotesCI/CD pipeline manifest changes constitute supply chain attack surface (CWE-829: Inclusion of Functionality from Untrusted Control Sphere). Digest pins are content-addressed (sha256), which is the correct pattern versus mutable tags — but no provenance/attestation verification is shown in this diff. Verify each new digest resolves to a signed, attested build from the expected upstream source (Konflux/Red Hat task catalog) before merge; a swapped digest here silently changes what code executes in clone, build, scan, and push stages (clair-scan, sast-snyk-check, clamav-scan are security gate tasks themselves — compromising their bundle defeats the scan). No diff evidence of digest provenance validation (e.g., cosign verify, TUF) is present in these files. Related Issues: None referenced. Related PRs: None referenced. Suggested labels: ci/cd, dependencies Suggested reviewers: platform/pipeline-owners (verify digest provenance before approval) 🚥 Pre-merge checks | ✅ 11✅ Passed checks (11 passed)
✨ Finishing Touches📝 Generate docstrings
🧪 Generate unit tests (beta)
✨ Simplify code
Comment |
|
/ok-to-test |
Risk Score: 0 —
|
| Signal | Detail | Points |
|---|---|---|
| PR size | 40 lines | +0 |
| Sensitive paths | none | +0 |
Computed by hyperfleet-risk-scorer
|
Closing — waiting for Go 1.26 bump (HYPERFLEET-1311). Renovate will recreate with proper go.sum after the bump. |
|
/lgtm |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: rafabene The full list of commands accepted by this bot can be found here. The pull request process is described here DetailsNeeds approval from an approver in each of these files:
Approvers can indicate their approval by writing |
This PR contains the following updates:
a291081→3ab8441d7c57ad→dcc40cc0b4251e→70c52e8c38fc46→62de839312fb4d→9ff424d567cb66→53a023252827a4→12cbcf0581ddbb→f3e97e691980bb→fda2e51d8115c7→7c5575aConfiguration
📅 Schedule: (UTC)
* 5-23 * * 6)🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.
To execute skipped test pipelines write comment
/ok-to-test.Documentation
Find out how to configure dependency updates in MintMaker documentation or see all available configuration options in Renovate documentation.