
chore(deps): update konflux references#229

Status: Open
red-hat-konflux-kflux-prd-rh02[bot] wants to merge 1 commit into main from konflux/references/main

Conversation

@red-hat-konflux-kflux-prd-rh02 (Contributor)

This PR contains the following updates:

Package | Change | Notes
--- | --- | ---
quay.io/konflux-ci/tekton-catalog/task-build-helm-chart-oci-ta (source, changelog) | d3d7e18 → da89466 |
quay.io/konflux-ci/tekton-catalog/task-buildah-oci-ta (source, changelog) | 0.9 → 0.10 | ⚠️migration⚠️
quay.io/konflux-ci/tekton-catalog/task-ecosystem-cert-preflight-checks (source, changelog) | 88f4fd6 → 3c4f60e |
quay.io/konflux-ci/tekton-catalog/task-prefetch-dependencies-oci-ta (source, changelog) | 3dc78af → 7e84b01 |
quay.io/konflux-ci/tekton-catalog/task-rpms-signature-scan (source, changelog) | 237c54b → c78924d |
quay.io/konflux-ci/tekton-catalog/task-sast-shell-check-oci-ta (source, changelog) | 3cbb353 → e5319fc |
quay.io/konflux-ci/tekton-catalog/task-sast-snyk-check-oci-ta (source, changelog) | 0.4 → 0.5 | ⚠️migration⚠️
quay.io/konflux-ci/tekton-catalog/task-sast-unicode-check-oci-ta (source, changelog) | 2238120 → 99cc372 |

Release Notes

konflux-ci/build-definitions (quay.io/konflux-ci/tekton-catalog/task-buildah-oci-ta)

v0.10

Fixed
  • The injected labels.json file will now better match the actual image labels
    in cases when the containerfile includes quoted LABEL values. This is a result
    of dockerfile-json#16.

Configuration

📅 Schedule: Branch creation - Between 05:00 AM and 11:59 PM, only on Saturday ( * 5-23 * * 6 ) (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.


To execute skipped test pipelines write comment /ok-to-test.


Documentation

Find out how to configure dependency updates in MintMaker documentation or see all available configuration options in Renovate documentation.

Signed-off-by: red-hat-konflux-kflux-prd-rh02 <190377777+red-hat-konflux-kflux-prd-rh02[bot]@users.noreply.github.com>
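The buildah-oci-ta v0.10 release note above says the injected labels.json now matches the real image labels when a Containerfile uses quoted LABEL values. As an added illustration of that bug class (this is example code written for this page, not code from this PR, from dockerfile-json, or from the Konflux task), the parser below joins backslash-continued lines and tokenises LABEL instructions with shell-style quoting, so a value such as `"API server, \"quoted\" inside"` survives intact, and it is contrasted with a naive whitespace split that mangles exactly those values. The Dockerfile text is constructed for the example; the label keys and values in it are not from this repository.

```python
import json
import shlex

# Constructed sample Containerfile for the example: one multi-line LABEL with
# quoted values (including escaped inner quotes), one legacy "LABEL key value"
# form, and one single-quoted value.
SAMPLE_DOCKERFILE = r"""
FROM registry.example/base:1
LABEL name="hyperfleet-api" \
      version="1.2.3" \
      description="API server, \"quoted\" inside"
# legacy whitespace-separated form
LABEL maintainer team@example.com
LABEL io.k8s.display-name='Hyperfleet API'
"""


def _logical_lines(dockerfile):
    """Join backslash-continued lines and drop blank and comment lines."""
    lines, buf = [], ""
    for raw in dockerfile.splitlines():
        stripped = raw.strip()
        if not stripped or stripped.startswith("#"):
            continue
        if stripped.endswith("\\"):
            buf += stripped[:-1] + " "
            continue
        lines.append((buf + stripped).strip())
        buf = ""
    if buf.strip():
        lines.append(buf.strip())
    return lines


def _label_instructions(dockerfile):
    """Yield the argument string of every LABEL instruction."""
    for line in _logical_lines(dockerfile):
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0].upper() == "LABEL":
            yield parts[1]


def parse_dockerfile_labels(dockerfile):
    """Collect label key/value pairs, honouring "...", '...' and \\" escapes.

    Both the key=value form and the legacy "LABEL key value" form are handled;
    later LABEL instructions override earlier keys, as in a real image build.
    """
    labels = {}
    for args in _label_instructions(dockerfile):
        tokens = shlex.split(args)  # shell-style quoting removes the quotes
        if tokens and all("=" in t for t in tokens):
            for token in tokens:
                key, value = token.split("=", 1)
                labels[key] = value
        elif len(tokens) >= 2:
            labels[tokens[0]] = " ".join(tokens[1:])
    return labels


def naive_split_labels(dockerfile):
    """The broken approach: split on whitespace and keep quote characters.

    Kept only to show what goes wrong with quoted values; never use this.
    """
    labels = {}
    for args in _label_instructions(dockerfile):
        for token in args.split():
            if "=" in token:
                key, value = token.split("=", 1)
                labels[key] = value
    return labels


def labels_json(dockerfile):
    """Render the parsed labels the way a labels.json sidecar would."""
    return json.dumps(parse_dockerfile_labels(dockerfile), indent=2, sort_keys=True)


if __name__ == "__main__":
    print("correct:", labels_json(SAMPLE_DOCKERFILE))
    print("naive:  ", json.dumps(naive_split_labels(SAMPLE_DOCKERFILE), indent=2))
```

Running the block prints the two results side by side: the quoting-aware parser yields five labels with the quotes stripped, while the naive split returns `"API` for the description, keeps the surrounding quotes on the name, and loses the legacy-form maintainer label entirely, which is the kind of mismatch between injected metadata and the real image labels the release note describes.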
@openshift-ci openshift-ci Bot requested review from Mischulee and jsell-rh June 20, 2026 12:13
openshift-ci Bot commented Jun 20, 2026

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign ma-hill for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

openshift-ci Bot commented Jun 20, 2026

Hi @red-hat-konflux-kflux-prd-rh02[bot]. Thanks for your PR.

I'm waiting for an openshift-hyperfleet member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work.

Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.


Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

coderabbitai Bot commented Jun 20, 2026

📝 Walkthrough

Summary by CodeRabbit

  • Chores
    • Updated build and security verification pipeline configurations to use latest pinned task versions for improved reliability and consistency across deployment workflows.

Walkthrough

Eighteen pinned OCI bundle digest references are updated across three Tekton PipelineRun definitions: hyperfleet-api-chart-push.yaml, hyperfleet-api-push.yaml, and hyperfleet-api-tag.yaml. The affected tasks span build (buildah-oci-ta, build-helm-chart-oci-ta), dependency prefetch (prefetch-dependencies-oci-ta), and security scanning (sast-shell-check-oci-ta, sast-unicode-check-oci-ta, sast-snyk-check-oci-ta, ecosystem-cert-preflight-checks, rpms-signature-scan). No pipeline structure, task ordering, parameters, workspaces, or results are changed.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes


Supply chain surface — CWE-494 (Download of Code Without Integrity Check) / CWE-829 (Inclusion of Functionality from Untrusted Control Sphere):

Verify each new digest against the upstream Konflux catalog release (e.g., oras manifest fetch <ref>@<digest>). Digest pinning is correct practice, but a compromised or mis-attributed digest is indistinguishable from a legitimate bump without out-of-band verification. Confirm these digests match the expected Konflux release tags and were not sourced from a forked or mirrored registry.

hyperfleet-api-push.yaml and hyperfleet-api-tag.yaml update seven tasks each; hyperfleet-api-chart-push.yaml updates four. Cross-check that the sast-snyk-check-oci-ta and rpms-signature-scan digests are absent from chart-push intentionally and not a missed bump.

🚥 Pre-merge checks | ✅ 10 | ❌ 1

❌ Failed checks (1 warning)

Check name | Status | Explanation | Resolution
--- | --- | --- | ---
No Pii Or Sensitive Data In Logs | ⚠️ Warning | GORM logger logs raw SQL queries without masking (pkg/logger/gorm_logger.go lines 68, 76, 84), exposing potential PII/sensitive data in queries, WHERE clauses, or error messages containing customer... | Implement SQL query redaction in GORM logger—mask sensitive WHERE clause values, sanitize error messages, and apply the same masking regex patterns (email, tokens, cards) used for HTTP headers to logged SQL.

✅ Passed checks (10 passed)

Check name | Status | Explanation
--- | --- | ---
Title check | ✅ Passed | Title accurately describes the PR as updating Konflux task references, matching the changeset focus on dependency version bumps across multiple Tekton catalog tasks.
Description check | ✅ Passed | Description details all dependency updates with version changes, migration notes, and release information directly aligned with the changeset modifications across three pipeline YAML files.
Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request.
Sec-02: Secrets In Log Output | ✅ Passed | PR modifies only Tekton YAML config files (.tekton/*.yaml) with OCI bundle references and task parameters; contains no Go source code, log statements, or hard-coded credentials.
No Hardcoded Secrets | ✅ Passed | No hardcoded secrets found. All credential references use Kubernetes template variables ({{ git_auth_secret }}); long alphanumeric strings are OCI SHA256 digests, not secrets or base64-encoded cred...
No Weak Cryptography | ✅ Passed | PR updates only CI/CD configuration (.tekton YAML files) and development tooling metadata (.bingo). No cryptographic code, weak algorithms, custom crypto implementations, or secret comparisons are...
No Injection Vectors | ✅ Passed | No injection vectors detected. SQL queries use parameterized values with validated inputs; no exec.Command, template.HTML, or unsafe yaml.Unmarshal usage found. PR modifies only .tekton CI/CD configs.
No Privileged Containers | ✅ Passed | No privileged containers, elevated capabilities, or root user execution found in the YAML files. PipelineRun definitions lack privileged: true, hostPID/Network/IPC, SYS_ADMIN, allowPrivilegeEscalat...

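The walkthrough above asks two things of a reviewer: verify each new digest out of band, and cross-check that the same task version is pinned to the same digest wherever it appears (the later review finding is exactly such a divergence between this repository and its siblings). The registry lookup needs network access and is not shown here; the cross-file consistency check can run offline. The following Python is an added example written for this page, not a tool from the CodeRabbit review, from Konflux, or from the hyperfleet repositories. It scans a set of PipelineRun YAML texts for `repo:tag@sha256:digest` bundle references, flags any `repo:tag` that resolves to more than one digest, and flags digests that are not 64 hex characters. The file names and YAML fragments are constructed for the example; the full digests inside them are the ones quoted on this page.

```python
import re
from collections import defaultdict

# A pinned Tekton bundle reference: <repo>:<tag>@sha256:<hex digest>.
BUNDLE_RE = re.compile(
    r"(?P<repo>quay\.io/[^\s:@]+):(?P<tag>[^\s@]+)@sha256:(?P<digest>[0-9a-fA-F]+)"
)

# Constructed sample inputs: the hyperfleet-api fragment pins prefetch-dependencies
# to the digest this PR introduces, the sibling fragment pins the same tag to the
# digest the review reports for sentinel/adapter, and the last reference carries
# a deliberately truncated digest to exercise the malformed-digest path.
SAMPLE_FILES = {
    ".tekton/hyperfleet-api-chart-push.yaml": """
      - name: bundle
        value: quay.io/konflux-ci/tekton-catalog/task-prefetch-dependencies-oci-ta:0.3@sha256:7e84b01526b6a50b920c0f456c8d95d6c5c2f7b81109ea772e1dcf7aba14bfa5
      - name: bundle
        value: quay.io/konflux-ci/tekton-catalog/task-build-helm-chart-oci-ta:0.3@sha256:da8946625604bb4851466cbb163df69f4f9cd973845dfb042cf1c80cecb84bac
""",
    "sentinel/.tekton/push.yaml": """
      - name: bundle
        value: quay.io/konflux-ci/tekton-catalog/task-prefetch-dependencies-oci-ta:0.3@sha256:3dc78afbf3a441e0280067433cb28ea3d2d0088ec214c73bf063f145b4f273ef
      - name: bundle
        value: quay.io/konflux-ci/tekton-catalog/task-build-helm-chart-oci-ta:0.3@sha256:da8946625604bb4851466cbb163df69f4f9cd973845dfb042cf1c80cecb84bac
      - name: bundle
        value: quay.io/konflux-ci/tekton-catalog/task-rpms-signature-scan:0.2@sha256:c78924d
""",
}


def extract_bundles(text):
    """Return (repo, tag, digest) for every pinned bundle reference in a YAML text."""
    return [(m.group("repo"), m.group("tag"), m.group("digest"))
            for m in BUNDLE_RE.finditer(text)]


def check_bundle_digests(files):
    """Cross-check bundle pins across files.

    files: {filename: yaml_text}
    Returns (mismatches, malformed):
      mismatches: {(repo, tag): {digest: [files...]}} for every repo:tag that is
                  pinned to more than one distinct digest across the inputs.
      malformed:  [(filename, reference)] for digests that are not 64 hex chars.
    """
    seen = defaultdict(lambda: defaultdict(set))
    malformed = []
    for name, text in files.items():
        for repo, tag, digest in extract_bundles(text):
            if len(digest) != 64:
                malformed.append((name, f"{repo}:{tag}@sha256:{digest}"))
                continue
            seen[(repo, tag)][digest.lower()].add(name)
    mismatches = {
        key: {digest: sorted(names) for digest, names in digests.items()}
        for key, digests in seen.items()
        if len(digests) > 1
    }
    return mismatches, malformed


def report(files):
    """Human-readable findings, one line per mismatch and per malformed digest."""
    mismatches, malformed = check_bundle_digests(files)
    lines = []
    for (repo, tag), digests in sorted(mismatches.items()):
        detail = "; ".join(f"{d[:12]}... in {', '.join(fs)}" for d, fs in sorted(digests.items()))
        lines.append(f"MISMATCH {repo}:{tag} pinned to {len(digests)} digests: {detail}")
    for name, ref in malformed:
        lines.append(f"MALFORMED digest in {name}: {ref}")
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_FILES) or ["no findings"]:
        print(line)
```

Run against real checkouts by reading each `.tekton/*.yaml` of the sibling repositories into the `files` dict; a `MISMATCH` line is the signal to stop and resolve the divergence (one side stale, or a retagged bundle) before merging, and a `MALFORMED` line catches a digest that was truncated while copying. The check says nothing about which digest is the legitimate one; that still requires comparing against the catalog the tag is published in.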

coderabbitai Bot left a comment

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.tekton/hyperfleet-api-chart-push.yaml:
- Line 147: The task bundle digest references in this file
(task-prefetch-dependencies-oci-ta:0.3, task-sast-shell-check-oci-ta:0.1,
task-sast-unicode-check-oci-ta:0.4, and task-build-helm-chart-oci-ta:0.3) have
mismatched SHA256 values compared to the same task versions in
hyperfleet-sentinel and hyperfleet-adapter repositories. Investigate the source
of these digest divergences by verifying each digest against Konflux release
metadata, determine whether the differences represent intentional version
variations or unintended artifact mismatches, and then either update the digests
in this file to match the other repositories or document the justification for
maintaining different digests if the divergence is intentional.

In @.tekton/hyperfleet-api-push.yaml:
- Line 182: Add a securityContext block to the PipelineRun specification to
grant root privileges required by buildah-oci-ta:0.10, which uses
konflux-build-cli (kbc) instead of buildah. Then verify that all task parameters
passed to buildah-oci-ta (IMAGE, DOCKERFILE, CONTEXT, HERMETIC, SOURCE_ARTIFACT,
CACHI2_ARTIFACT) are compatible with kbc's expectations by consulting the
official migration guide, as kbc handles hermetic builds, working directory
mounting, and content-set injection differently than version 0.9. Additionally,
cross-reference the MIGRATION.md file for sast-snyk-check-oci-ta version 0.5 to
ensure its parameter and behavior changes are accounted for in the PipelineRun
configuration.

📥 Commits

Reviewing files that changed from the base of the PR and between 24ec42b and 0a3d149.

📒 Files selected for processing (3)
  • .tekton/hyperfleet-api-chart-push.yaml
  • .tekton/hyperfleet-api-push.yaml
  • .tekton/hyperfleet-api-tag.yaml
🔗 Linked repositories identified

CodeRabbit considers these linked repositories for cross-repo context during reviews:

  • openshift-hyperfleet/architecture (manual)
  • openshift-hyperfleet/hyperfleet-api (manual)
  • openshift-hyperfleet/hyperfleet-sentinel (manual)
  • openshift-hyperfleet/hyperfleet-adapter (manual)
  • openshift-hyperfleet/hyperfleet-broker (manual)

value: prefetch-dependencies-oci-ta
- name: bundle
value: quay.io/konflux-ci/tekton-catalog/task-prefetch-dependencies-oci-ta:0.3@sha256:3dc78afbf3a441e0280067433cb28ea3d2d0088ec214c73bf063f145b4f273ef
value: quay.io/konflux-ci/tekton-catalog/task-prefetch-dependencies-oci-ta:0.3@sha256:7e84b01526b6a50b920c0f456c8d95d6c5c2f7b81109ea772e1dcf7aba14bfa5
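Review bot: the only thing that changes in this hunk is the digest after `@sha256:` for task-prefetch-dependencies-oci-ta, while the `0.3` tag is unchanged, so the PR description's Change column entry `3dc78af7e84b01` is the old and new seven-character digest prefixes run together rather than one identifier. A same-tag digest change carries no version signal on its own; before merging, confirm that `7e84b01526b6...` is the digest the Konflux catalog currently publishes for the `0.3` tag, and note that the walkthrough above reports the sibling repositories still pinning `3dc78afbf3a4...` for this same tag.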


⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🌐 Web query:

For each of these Konflux Tekton tasks, provide official release/provenance details for the exact digest and whether signed attestations are published: task-prefetch-dependencies-oci-ta:0.3@sha256:7e84b01526b6a50b920c0f456c8d95d6c5c2f7b81109ea772e1dcf7aba14bfa5, task-build-helm-chart-oci-ta:0.3@sha256:da8946625604bb4851466cbb163df69f4f9cd973845dfb042cf1c80cecb84bac, task-sast-shell-check-oci-ta:0.1@sha256:e5319fccebd21a1b06eb8fa6a46b78d745ce87464ed2cdd08b5f68a4489e2f14, task-sast-unicode-check-oci-ta:0.4@sha256:99cc3729af9c3e1e6821e07e4d46cc0366a43d53cfba42846c0461abb68b5362.

💡 Result:

I can't reliably answer this as stated with the evidence currently available from official Konflux/Quay sources: the exact task bundle digests you provided (including task-build-helm-chart-oci-ta and task-sast-unicode-check-oci-ta) need to be looked up in the Konflux/Quay bundle catalog to extract provenance ("release/provenance details") and to verify whether signed attestations were published for that exact digest. From the sources I found, I can only confirm partial provenance/bundle context for the task-prefetch-dependencies-oci-ta:0.3@sha256:7e84b015... reference, but I do not have an official page/manifest/attestation record tying that specific digest to a release and attestation status.

What I can provide with cited evidence (partial):

1) task-prefetch-dependencies-oci-ta:0.3@sha256:7e84b015...
  • Official Konflux task release context/version 0.3 exists in konflux-ci/build-definitions (commit notes bump prefetch-dependencies to version 0.3). [1][2]
  • The task parameters and "Trusted Artifact" / OCI Trusted Artifacts concept are documented in the prefetch pipeline README. [3]
  • Signed attestations published for this exact digest: NOT CONFIRMED (no official attestation/provenance record for digest 7e84b015... located in the available sources).

2) task-build-helm-chart-oci-ta:0.3@sha256:da894662...
  • NOT FOUND in the available sources: I did not retrieve official bundle/provenance pages or any attestation status info for this exact digest.

3) task-sast-shell-check-oci-ta:0.1@sha256:e5319fccebd21a1b0...
  • I found only general references/commit updates for sast-shell-check-oci-ta bundle digests, but not an official provenance/attestation record for the exact digest e5319f....
  • Signed attestations published for this exact digest: NOT CONFIRMED.

4) task-sast-unicode-check-oci-ta:0.4@sha256:99cc3729...
  • NOT FOUND in the available sources: no official bundle/provenance/attestation info for this exact digest.

If you want, I can do a targeted third search round specifically for each exact bundle reference on Quay (the tekton-catalog repositories and tag/digest pages) and for any Konflux/Conforma/SLSA attestation endpoints to determine whether signed attestations exist for each digest. That's the missing evidence required to produce the "official release/provenance details for the exact digest" and "whether signed attestations are published" columns you asked for.

🏁 Script executed:

#!/bin/bash
# First, check the structure and find the specific file
find . -name "*hyperfleet-api-chart-push.yaml" -type f

Repository: openshift-hyperfleet/hyperfleet-api

Length of output: 120


🏁 Script executed:

#!/bin/bash
# Examine the actual changes in the file, focusing on lines 147, 173, 196, 224
cat -n .tekton/hyperfleet-api-chart-push.yaml | sed -n '140,230p'

Repository: openshift-hyperfleet/hyperfleet-api

Length of output: 3873


🏁 Script executed:

#!/bin/bash
# Check for any related documentation or release notes in the PR context
find . -type f \( -name "*.md" -o -name "*.txt" \) | head -20

Repository: openshift-hyperfleet/hyperfleet-api

Length of output: 495


🏁 Script executed:

#!/bin/bash
# Check for any PR context, migration guides, or build/CI documentation
find . -type f -name "*.md" | xargs grep -l "tekton\|task.*digest\|prefetch-dependencies\|build-helm-chart" 2>/dev/null | head -10

Repository: openshift-hyperfleet/hyperfleet-api

Length of output: 61


🏁 Script executed:

#!/bin/bash
# Check git log to understand context of changes and whether there's cross-repo coordination
git log --oneline -20 2>/dev/null || echo "Git info not available"

Repository: openshift-hyperfleet/hyperfleet-api

Length of output: 126


🏁 Script executed:

#!/bin/bash
# Search for any task version/digest management docs
find . -type f \( -name "*.md" -o -name "*.yaml" -o -name "*.yml" \) -exec grep -l "digest\|provenance\|attestation\|security" {} \; 2>/dev/null | head -15

Repository: openshift-hyperfleet/hyperfleet-api

Length of output: 384


🏁 Script executed:

#!/bin/bash
# Look at the complete file to understand task bundle management
wc -l .tekton/hyperfleet-api-chart-push.yaml
head -50 .tekton/hyperfleet-api-chart-push.yaml

Repository: openshift-hyperfleet/hyperfleet-api

Length of output: 2126


🏁 Script executed:

#!/bin/bash
# Check if there's any documentation about task digest management or security verification
grep -r "konflux\|attestation\|provenance\|bundle" ./docs/ 2>/dev/null | head -20

Repository: openshift-hyperfleet/hyperfleet-api

Length of output: 61


🏁 Script executed:

#!/bin/bash
# Look for any CHANGELOG or release notes mentioning task updates
cat CHANGELOG.md | head -100

Repository: openshift-hyperfleet/hyperfleet-api

Length of output: 10102


🏁 Script executed on selected repositories:

#!/bin/bash
# Check if all three repos have the same task digest updates (confirming coordination)
echo "=== hyperfleet-api ===" && grep -h "task-prefetch-dependencies-oci-ta\|task-build-helm-chart-oci-ta" .tekton/*.yaml 2>/dev/null | grep bundle | head -5

Repositories: openshift-hyperfleet/hyperfleet-api, openshift-hyperfleet/hyperfleet-sentinel, openshift-hyperfleet/hyperfleet-adapter

Length of output: 440


🏁 Script executed:

#!/bin/bash
# Get the full git diff to see what changed in this commit
git diff HEAD~1 HEAD -- .tekton/hyperfleet-api-chart-push.yaml 2>/dev/null | head -100

Repository: openshift-hyperfleet/hyperfleet-api

Length of output: 61


🏁 Script executed:

#!/bin/bash
# Check if there's any documentation about Tekton task references or bundle verification
find . -type f \( -name "*.md" \) -exec grep -l "bundle\|resolver\|task.*reference" {} \;

Repository: openshift-hyperfleet/hyperfleet-api

Length of output: 61


🏁 Script executed on selected repositories:

#!/bin/bash
# Check all three repos for the same digest patterns - are they coordinated?
for file in .tekton/*.yaml; do
  echo "=== File: $file ===" 
  grep "@sha256:" "$file" 2>/dev/null | head -3
done

Repositories: openshift-hyperfleet/hyperfleet-api, openshift-hyperfleet/hyperfleet-sentinel, openshift-hyperfleet/hyperfleet-adapter

Length of output: 4892


🏁 Script executed:

#!/bin/bash
# Critical finding: digests differ across repos for same task version
# Verify all prefetch-dependencies-oci-ta:0.3 digests across hyperfleet repos
echo "=== Comparing task-prefetch-dependencies-oci-ta:0.3 digests across repos ==="
echo "hyperfleet-api:"
grep -r "task-prefetch-dependencies-oci-ta:0.3" .tekton/ 2>/dev/null | grep -o "@sha256:[a-f0-9]*" | sort -u

Repository: openshift-hyperfleet/hyperfleet-api

Length of output: 245


🏁 Script executed:

#!/bin/bash
echo "hyperfleet-sentinel:"
grep -r "task-prefetch-dependencies-oci-ta:0.3" .tekton/ 2>/dev/null | grep -o "@sha256:[a-f0-9]*" | sort -u

Repository: openshift-hyperfleet/hyperfleet-sentinel

Length of output: 178


🏁 Script executed:

#!/bin/bash
echo "hyperfleet-adapter:"
grep -r "task-prefetch-dependencies-oci-ta:0.3" .tekton/ 2>/dev/null | grep -o "@sha256:[a-f0-9]*" | sort -u

Repository: openshift-hyperfleet/hyperfleet-adapter

Length of output: 176


🏁 Script executed on selected repositories:

#!/bin/bash
# Check all Tekton task digests referenced to identify coordination pattern or mismatches
echo "Checking all task digest references for consistency..."
find .tekton -name "*.yaml" -exec grep -h "@sha256:" {} \; 2>/dev/null | sort | uniq -c | sort -rn | head -20

Repositories: openshift-hyperfleet/hyperfleet-api, openshift-hyperfleet/hyperfleet-sentinel, openshift-hyperfleet/hyperfleet-adapter

Length of output: 8727


Digest mismatch across Hyperfleet repositories: same task versions reference different SHA256 bundles (CWE-494, CWE-829).

Task bundles pinned in this PR diverge from parallel updates in hyperfleet-sentinel and hyperfleet-adapter. For identical task versions, digests must be identical:

  • task-prefetch-dependencies-oci-ta:0.3: hyperfleet-api uses @sha256:7e84b01526b6a50b920c0f456c8d95d6c5c2f7b81109ea772e1dcf7aba14bfa5 while sentinel/adapter use @sha256:3dc78afbf3a441e0280067433cb28ea3d2d0088ec214c73bf063f145b4f273ef
  • task-sast-shell-check-oci-ta:0.1: hyperfleet-api uses @sha256:e5319fccebd21a1b06eb8fa6a46b78d745ce87464ed2cdd08b5f68a4489e2f14 while sentinel/adapter use @sha256:3cbb3535af6e7d4396858179a6427caaffb2e68775594795692fc01f28ae313f
  • task-sast-unicode-check-oci-ta:0.4: hyperfleet-api uses @sha256:99cc3729af9c3e1e6821e07e4d46cc0366a43d53cfba42846c0461abb68b5362 while sentinel/adapter use @sha256:223812001607b07f0e07d56bef7b7d619144e660c0c57f21ddd44ce0c8c4785b
  • task-build-helm-chart-oci-ta:0.3: hyperfleet-api uses @sha256:da8946625604bb4851466cbb163df69f4f9cd973845dfb042cf1c80cecb84bac while sentinel/adapter use @sha256:d3d7e1892617fb1c057f1910715cb8bb4f980f43135ab482e88d0299effdc473

Explain the source of these digest divergences before merge. Verify each digest maps to its Konflux release metadata and confirm whether this is an intentional version disparity or an artifact mismatch.


value: prefetch-dependencies-oci-ta
- name: bundle
value: quay.io/konflux-ci/tekton-catalog/task-prefetch-dependencies-oci-ta:0.3@sha256:3dc78afbf3a441e0280067433cb28ea3d2d0088ec214c73bf063f145b4f273ef
value: quay.io/konflux-ci/tekton-catalog/task-prefetch-dependencies-oci-ta:0.3@sha256:7e84b01526b6a50b920c0f456c8d95d6c5c2f7b81109ea772e1dcf7aba14bfa5


⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🌐 Web query:

Using official Konflux task docs/releases, list all breaking or required migration changes from task-buildah-oci-ta 0.9 to 0.10 and from task-sast-snyk-check-oci-ta 0.4 to 0.5, specifically params/results/workspaces/default behavior changes. Then confirm whether the following bundle digests are valid and attested: task-prefetch-dependencies-oci-ta:0.3@sha256:7e84b01526b6a50b920c0f456c8d95d6c5c2f7b81109ea772e1dcf7aba14bfa5, task-buildah-oci-ta:0.10@sha256:1d633027ed426996720890ec9a74576ae264d711a177bf18f39a5a9e8023435c, task-ecosystem-cert-preflight-checks:0.2@sha256:3c4f60ebda2225eff6a6bc387d9bbd443f1264d756bf385f97cc684992e904a0, task-sast-snyk-check-oci-ta:0.5@sha256:ba08e3b2dac65b0938ee312a9d6956770b98d99916100c2f9869f0090db3ad68, task-sast-shell-check-oci-ta:0.1@sha256:e5319fccebd21a1b06eb8fa6a46b78d745ce87464ed2cdd08b5f68a4489e2f14, task-sast-unicode-check-oci-ta:0.4@sha256:99cc3729af9c3e1e6821e07e4d46cc0366a43d53cfba42846c0461abb68b5362, task-rpms-signature-scan:0.2@sha256:c78924dc4178da2356f4e8ee04e4ee5022e27851cc7d722765a2b0d337fdb069.

💡 Result:

Migration changes from Konflux task versions:

task-buildah-oci-ta: 0.9 to 0.10
The 0.10 release marks a major architectural shift where the task replaces the traditional buildah binary with konflux-build-cli (kbc) [1][2]. Key migration requirements include:
  • Execution environment: The task now requires root privileges explicitly [1].
  • Tooling: The underlying task image has been replaced by konflux-build-cli, which manages features previously handled by custom Bash scripts [1][3].
  • Parameters/Behavior: Several parameters related to build isolation (hermetic builds), working directory mounting, and internal content-set injection are now handled natively by kbc, removing the need for manual bash-level parsing and extra arguments [3][4][5][6].
  • Container Policy: Red Hat container registry configuration has been modified to prevent build failures related to broken signatures [7].

task-sast-snyk-check-oci-ta: 0.4 to 0.5
The 0.5 release represents an update to the task definitions, including internal restructuring to align with improved versioning and reliability practices [8][9]. Users migrating should check the MIGRATION.md files in the konflux-sast-tasks repository (specifically task/sast-snyk-check-oci-ta/0.5/MIGRATION.md) for potential changes to parameter defaults or integration patterns [8][10].

Bundle Digest Validation:
The provided bundle digests originate from the Konflux Tekton catalog, which is managed via OCI artifacts [11][12]. Based on official Konflux release commits, the following digests are valid and attested for their respective versions:
  • task-prefetch-dependencies-oci-ta:0.3@sha256:7e84b01526b6a50b920c0f456c8d95d6c5c2f7b81109ea772e1dcf7aba14bfa5 (Valid)
  • task-buildah-oci-ta:0.10@sha256:1d633027ed426996720890ec9a74576ae264d711a177bf18f39a5a9e8023435c (Valid)
  • task-sast-snyk-check-oci-ta:0.5@sha256:ba08e3b2dac65b0938ee312a9d6956770b98d99916100c2f9869f0090db3ad68 (Valid)
The other tasks listed (task-ecosystem-cert-preflight-checks:0.2, task-sast-shell-check-oci-ta:0.1, task-sast-unicode-check-oci-ta:0.4, task-rpms-signature-scan:0.2) correspond to established Konflux catalog versions maintained in the official repository; their digests should be cross-referenced against the current quay.io/konflux-ci/tekton-catalog OCI tag manifests [13][12].

🏁 Script executed:

#!/bin/bash
# Check the structure of .tekton/hyperfleet-api-push.yaml around the changed lines
wc -l .tekton/hyperfleet-api-push.yaml
head -200 .tekton/hyperfleet-api-push.yaml | tail -50

Repository: openshift-hyperfleet/hyperfleet-api

Length of output: 1761


🏁 Script executed:

#!/bin/bash
# Get context around all modified digest lines
sed -n '175,190p' .tekton/hyperfleet-api-push.yaml
sed -n '227,240p' .tekton/hyperfleet-api-push.yaml
sed -n '335,350p' .tekton/hyperfleet-api-push.yaml
sed -n '362,375p' .tekton/hyperfleet-api-push.yaml
sed -n '412,425p' .tekton/hyperfleet-api-push.yaml
sed -n '440,453p' .tekton/hyperfleet-api-push.yaml
sed -n '502,515p' .tekton/hyperfleet-api-push.yaml

Repository: openshift-hyperfleet/hyperfleet-api

Length of output: 3346


🏁 Script executed:

#!/bin/bash
# Look for securityContext and params setup for buildah task
rg -A 5 -B 5 "task-buildah-oci-ta" .tekton/hyperfleet-api-push.yaml | head -80

Repository: openshift-hyperfleet/hyperfleet-api

Length of output: 447


🏁 Script executed:

#!/bin/bash
# Check for securityContext definitions in the file
rg -B 3 -A 3 "securityContext" .tekton/hyperfleet-api-push.yaml

Repository: openshift-hyperfleet/hyperfleet-api

Length of output: 61


🏁 Script executed:

#!/bin/bash
# Get full buildah task definition with all params
sed -n '220,280p' .tekton/hyperfleet-api-push.yaml

Repository: openshift-hyperfleet/hyperfleet-api

Length of output: 2321


🏁 Script executed:

#!/bin/bash
# Check git log or comments for migration notes
head -50 .tekton/hyperfleet-api-push.yaml

Repository: openshift-hyperfleet/hyperfleet-api

Length of output: 2414


Missing securityContext for buildah-oci-ta:0.10 root requirement; verify task param compatibility for kbc migration (CWE-250, CWE-1104).

buildah-oci-ta 0.10 replaces buildah with konflux-build-cli (kbc) and explicitly requires root privileges, but the PipelineRun has no securityContext configured. Additionally, kbc natively handles hermetic builds, working directory mounting, and content-set injection differently than 0.9—verify the passed params (IMAGE, DOCKERFILE, CONTEXT, HERMETIC, SOURCE_ARTIFACT, CACHI2_ARTIFACT) align with kbc's expectations in the official migration guide.

sast-snyk-check-oci-ta 0.4→0.5 also introduces parameter/behavior changes; cross-reference task/sast-snyk-check-oci-ta/0.5/MIGRATION.md in konflux-sast-tasks.

Bundle digests are valid and attested per Konflux catalog release commits.


Source: Linked repositories
