Skip to content

Update Konflux references#209

Merged
openshift-merge-bot[bot] merged 1 commit into
mainfrom
konflux/references/main
Jul 6, 2026
Merged

Update Konflux references#209
openshift-merge-bot[bot] merged 1 commit into
mainfrom
konflux/references/main

Conversation

@red-hat-konflux-kflux-prd-rh02

Copy link
Copy Markdown
Contributor

This PR contains the following updates:

Package Change
quay.io/konflux-ci/tekton-catalog/task-apply-tags (source, changelog) a2910813ab8441
quay.io/konflux-ci/tekton-catalog/task-build-helm-chart-oci-ta (source, changelog) d7c57addcc40cc
quay.io/konflux-ci/tekton-catalog/task-build-image-index (source, changelog) 0b4251e70c52e8
quay.io/konflux-ci/tekton-catalog/task-buildah-oci-ta (source, changelog) c38fc4662de839
quay.io/konflux-ci/tekton-catalog/task-clair-scan (source, changelog) 312fb4d9ff424d
quay.io/konflux-ci/tekton-catalog/task-clamav-scan (source, changelog) 567cb6653a0232
quay.io/konflux-ci/tekton-catalog/task-git-clone-oci-ta (source, changelog) 52827a412cbcf0
quay.io/konflux-ci/tekton-catalog/task-push-dockerfile-oci-ta (source, changelog) 581ddbbf3e97e6
quay.io/konflux-ci/tekton-catalog/task-sast-snyk-check-oci-ta (source, changelog) 91980bbfda2e51
quay.io/konflux-ci/tekton-catalog/task-source-build-oci-ta (source, changelog) d8115c77c5575a

Configuration

📅 Schedule: (UTC)

  • Branch creation
    • Between 05:00 AM and 11:59 PM, only on Saturday (* 5-23 * * 6)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.


  • If you want to rebase/retry this PR, check this box

To execute skipped test pipelines write comment /ok-to-test.


Documentation

Find out how to configure dependency updates in MintMaker documentation or see all available configuration options in Renovate documentation.

Signed-off-by: red-hat-konflux-kflux-prd-rh02 <190377777+red-hat-konflux-kflux-prd-rh02[bot]@users.noreply.github.com>
@openshift-ci openshift-ci Bot requested review from Ruclo and tirthct July 4, 2026 08:02
@openshift-ci

openshift-ci Bot commented Jul 4, 2026

Copy link
Copy Markdown

Hi @red-hat-konflux-kflux-prd-rh02[bot]. Thanks for your PR.

I'm waiting for a openshift-hyperfleet member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work.

Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@coderabbitai

coderabbitai Bot commented Jul 4, 2026

Copy link
Copy Markdown
📝 Walkthrough

Walkthrough

Pinned OCI digests (sha256) for Tekton task bundle references were updated across three PipelineRun manifests: hyperfleet-sentinel-chart-push.yaml (2 references), hyperfleet-sentinel-push.yaml (9 references), and hyperfleet-sentinel-tag.yaml (9 references). Task names, versions, parameters, runAfter ordering, conditions, and workspace declarations remain unchanged.

Estimated code review effort: 2 (Simple) | ~10 minutes

Security Notes

CI/CD pipeline manifest changes constitute supply chain attack surface (CWE-829: Inclusion of Functionality from Untrusted Control Sphere). Digest pins are content-addressed (sha256), which is the correct pattern versus mutable tags — but no provenance/attestation verification is shown in this diff. Verify each new digest resolves to a signed, attested build from the expected upstream source (Konflux/Red Hat task catalog) before merge; a swapped digest here silently changes what code executes in clone, build, scan, and push stages (clair-scan, sast-snyk-check, clamav-scan are security gate tasks themselves — compromising their bundle defeats the scan). No diff evidence of digest provenance validation (e.g., cosign verify, TUF) is present in these files.

Related Issues: None referenced.

Related PRs: None referenced.

Suggested labels: ci/cd, dependencies

Suggested reviewers: platform/pipeline-owners (verify digest provenance before approval)

🚥 Pre-merge checks | ✅ 11
✅ Passed checks (11 passed)
Check name Status Explanation
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
Sec-02: Secrets In Log Output ✅ Passed PASS: No CWE-532 log leak in this PR; HEAD only changes three Tekton YAML bundle digests, and the only 'secret:' hits are workspace secret refs.
No Hardcoded Secrets ✅ Passed No CWE-798/CWE-259 indicators: the diff only swaps OCI bundle SHA-256 digests; no hardcoded keys, tokens, passwords, or embedded-credential URLs were added.
No Weak Cryptography ✅ Passed Only Tekton OCI bundle digest bumps; no md5/des/rc4/sha1-ECB, custom crypto, or non-constant-time secret compares (CWE-327/CWE-208).
No Injection Vectors ✅ Passed Diff only updates Tekton bundle sha256 digests in YAML; no SQL concat, exec.Command, template.HTML, or yaml.Unmarshal changes (CWE-78/79/89/502).
No Privileged Containers ✅ Passed Only bundle digests changed; no privileged:true, hostNetwork/PID/IPC, SYS_ADMIN, allowPrivilegeEscalation, or root in these PipelineRuns (CWE-732 not implicated).
No Pii Or Sensitive Data In Logs ✅ Passed Diff only updates Tekton bundle digests; no slog/logr/zap/fmt.Print* additions. The lone printf writes a Tekton result, not a log (CWE-532/CWE-200 not triggered).
Title check ✅ Passed The title matches the main change: updating Konflux task references in Tekton configs.
Description check ✅ Passed The description is directly related and lists the Konflux task revisions updated by the PR.
✨ Finishing Touches
📝 Generate docstrings
  • Create stacked PR
  • Commit on current branch
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch konflux/references/main
✨ Simplify code
  • Create PR with simplified code
  • Commit simplified code in branch konflux/references/main

Comment @coderabbitai help to get the list of available commands.

@rafabene

rafabene commented Jul 6, 2026

Copy link
Copy Markdown
Member

/ok-to-test

@hyperfleet-ci-bot

Copy link
Copy Markdown

Risk Score: 0 — risk/low

Signal Detail Points
PR size 40 lines +0
Sensitive paths none +0

Computed by hyperfleet-risk-scorer

@rafabene

rafabene commented Jul 6, 2026

Copy link
Copy Markdown
Member

Closing — waiting for Go 1.26 bump (HYPERFLEET-1311). Renovate will recreate with proper go.sum after the bump.

@rafabene rafabene closed this Jul 6, 2026
@rafabene rafabene reopened this Jul 6, 2026
@rafabene

rafabene commented Jul 6, 2026

Copy link
Copy Markdown
Member

/lgtm

@openshift-ci

openshift-ci Bot commented Jul 6, 2026

Copy link
Copy Markdown

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: rafabene

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci openshift-ci Bot added the approved label Jul 6, 2026
@openshift-merge-bot openshift-merge-bot Bot merged commit 79c9941 into main Jul 6, 2026
11 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant