
Update Konflux refs and ubi digest manually (main branch)#3188

Open
simonbaird wants to merge 4 commits into conforma:main from simonbaird:kflux-refs-update-manual

Conversation

@simonbaird
Member

No description provided.

Motivated by an email talking about permission issues affecting the
clair-scan and deprecated-image-check.

Used this method:
  curl -sL https://github.com/simonbaird/konflux-pipeline-patcher/raw/main/pipeline-patcher | bash -s bump-task-refs
@coderabbitai

coderabbitai bot commented Mar 20, 2026

Walkthrough

Updated Tekton task bundle digests in pipeline YAMLs, refreshed UBI9 runtime image digests in both Dockerfiles, and bumped OpenTelemetry and golang.org/x/sys indirect dependency versions in module files.

Changes

Cohort / File(s): Summary

Tekton Task Bundle Digests (.tekton/cli-main-pull-request.yaml, .tekton/cli-main-push.yaml): Replaced OCI bundle digests for multiple Tekton taskRef entries; one task (task-push-dockerfile-oci-ta) also advanced from :0.2 to :0.3. No task wiring or parameters changed.

Docker Base Image References (Dockerfile, Dockerfile.dist): Updated final-stage registry.access.redhat.com/ubi9/ubi-minimal:latest image digest to a new sha256 value; no other Dockerfile instructions changed.

Go module dependency bumps (go.mod, acceptance/go.mod, tools/go.mod): Bumped OpenTelemetry-related indirect modules (to v1.42.0 in main modules / various versions in tools) and upgraded golang.org/x/sys (to v0.41.0) in module files; only go.mod/go.sum metadata changed.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

🚥 Pre-merge checks | ✅ 3
✅ Passed checks (3 passed)
Title check: Passed. The title clearly summarizes the main changes: updating Konflux task references and UBI base image digest, which matches the changeset modifications across Tekton configs, Dockerfiles, and go.mod files.
Description check: Passed. No description was provided by the author. This is a lenient check and passes as long as the description is not completely off-topic; absence of description does not constitute a failure.
Docstring Coverage: Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.


Warning

There were issues while running some tools. Please review the errors and either fix the tool's configuration or disable the tool if it's a critical failure.

🔧 golangci-lint (2.11.3)

Error: can't load config: unsupported version of the configuration: "" See https://golangci-lint.run/docs/product/migration-guide for migration instructions
The command is terminated due to an error: can't load config: unsupported version of the configuration: "" See https://golangci-lint.run/docs/product/migration-guide for migration instructions


@qodo-code-review
Contributor

Review Summary by Qodo

Update Konflux task refs and ubi-minimal base image digests

✨ Enhancement

Walkthroughs

Description
• Update Konflux task bundle references with latest SHA256 digests
• Update ubi-minimal base image digest to latest version
• Address permission issues affecting clair-scan and deprecated-image-check tasks
Diagram
flowchart LR
  A["Tekton Pipeline Files"] -->|Update task bundle SHAs| B["14 Konflux tasks"]
  C["Dockerfile Files"] -->|Update base image digest| D["ubi-minimal:latest"]
  B --> E["Resolved permission issues"]
  D --> E
File Changes

1. .tekton/cli-main-pull-request.yaml Dependencies +13/-13

Update Konflux task bundle SHA256 digests

• Updated 14 Konflux task bundle SHA256 digests to latest versions
• Tasks updated include git-clone-oci-ta, buildah-remote-oci-ta, build-image-index,
 source-build-oci-ta, tkn-bundle-oci-ta, deprecated-image-check, clair-scan,
 ecosystem-cert-preflight-checks, sast-snyk-check-oci-ta, clamav-scan, sast-shell-check-oci-ta,
 sast-unicode-check-oci-ta, and push-dockerfile-oci-ta
• Changes address permission issues in clair-scan and deprecated-image-check tasks

2. .tekton/cli-main-push.yaml Dependencies +13/-13

Update Konflux task bundle SHA256 digests

• Updated 14 Konflux task bundle SHA256 digests to latest versions
• Mirrors changes from cli-main-pull-request.yaml for push pipeline
• Tasks updated include git-clone-oci-ta, buildah-remote-oci-ta, build-image-index,
 source-build-oci-ta, tkn-bundle-oci-ta, deprecated-image-check, clair-scan,
 ecosystem-cert-preflight-checks, sast-snyk-check-oci-ta, clamav-scan, sast-shell-check-oci-ta,
 sast-unicode-check-oci-ta, and push-dockerfile-oci-ta

3. Dockerfile Dependencies +1/-1

Update ubi-minimal base image digest

• Updated ubi-minimal base image digest from
 c7d44146f826037f6873d99da479299b889473492d3c1ab8af86f08af04ec8a0 to
 83006d535923fcf1345067873524a3980316f51794f01d8655be55d6e9387183
• Ensures latest security patches and updates from ubi-minimal:latest

4. Dockerfile.dist Dependencies +1/-1

Update ubi-minimal base image digest

• Updated ubi-minimal base image digest from
 c7d44146f826037f6873d99da479299b889473492d3c1ab8af86f08af04ec8a0 to
 83006d535923fcf1345067873524a3980316f51794f01d8655be55d6e9387183
• Mirrors changes from main Dockerfile for distribution build

@qodo-code-review
Contributor

qodo-code-review bot commented Mar 20, 2026

Code Review by Qodo

🐞 Bugs (1) 📘 Rule violations (0) 📎 Requirement gaps (0) 📐 Spec deviations (0)

Remediation recommended

1. Bundle bump script misses pipelines 🐞 Bug ⚙ Maintainability
Description
The repo's Tekton bundle bump script claims to update pipeline definitions in .tekton, but it only
rewrites files matching .tekton/*-build.yaml, so the PipelineRun definitions updated in this PR
will not be updated by automation and are likely to drift/stale over time.
Code

.tekton/cli-main-pull-request.yaml[165]

+          value: quay.io/konflux-ci/tekton-catalog/task-git-clone-oci-ta:0.1@sha256:2c388d28651457db60bb90287e7d8c3680303197196e4476878d98d81e8b6dc9
Evidence
hack/bump-tekton-bundles.sh only iterates over .tekton/*-build.yaml even though it states it
updates pipeline definitions in .tekton. The updated Tekton definitions in this PR are
PipelineRun resources in .tekton/cli-main-push.yaml and .tekton/cli-main-pull-request.yaml,
which do not match that glob, so running the script will not update the bundle digests in these
files.

hack/bump-tekton-bundles.sh[18-40]
.tekton/cli-main-push.yaml[1-16]
.tekton/cli-main-pull-request.yaml[1-18]

Agent prompt
The issue below was found during a code review. Follow the provided context and guidance below and implement a solution

### Issue description
`hack/bump-tekton-bundles.sh` advertises updating Tekton pipeline definitions in `.tekton`, but it only processes files matching `.tekton/*-build.yaml`. The actual pipeline definitions in this repo are `.tekton/cli-main-push.yaml` and `.tekton/cli-main-pull-request.yaml`, so future bundle digest bumps done via the script will not touch these files, increasing drift and manual work.

### Issue Context
The PR manually updates multiple `taskRef.params[name=bundle].value` digests in `.tekton/cli-main-{push,pull-request}.yaml`. These should ideally be covered by the same automation used for other Tekton bundle updates.

### Fix Focus Areas
- hack/bump-tekton-bundles.sh[18-40]

### Suggested change
- Update the `for f in ...` glob to include the actual `.tekton/*.yaml` PipelineRun files (or explicitly include `cli-main-push.yaml` and `cli-main-pull-request.yaml`).
- Optionally adjust the script comment to match what it actually updates.

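The glob problem above is easy to check for mechanically. The POSIX shell below is an added example, not the repository's own hack/bump-tekton-bundles.sh: it enumerates every taskRef bundle param under a given glob and fails if any value is not pinned to a sha256 digest, which also shows how many refs the `*-build.yaml` glob misses compared with `*.yaml`. The sample YAML files and the function names are constructed for the example.

```shell
#!/bin/sh
# Added example, not the conforma repo's hack/bump-tekton-bundles.sh:
# list every taskRef "bundle" param under a glob and fail on any value
# that is not pinned to a sha256 digest.

# Constructed sample: one *-build.yaml and one PipelineRun file whose
# name the *-build.yaml glob does not match (the drift the review flags).
make_sample_tekton() {
  dir=$(mktemp -d)
  cat > "$dir/cli-main-push.yaml" <<'EOF'
      taskRef:
        params:
        - name: bundle
          value: quay.io/konflux-ci/tekton-catalog/task-git-clone-oci-ta:0.1@sha256:2c388d28651457db60bb90287e7d8c3680303197196e4476878d98d81e8b6dc9
        - name: name
          value: git-clone-oci-ta
EOF
  cat > "$dir/example-build.yaml" <<'EOF'
        - name: bundle
          value: quay.io/konflux-ci/tekton-catalog/task-clair-scan:0.2
EOF
  printf '%s\n' "$dir"
}

# Print "file<TAB>bundle-ref" for each bundle param in files matching $2.
list_bundle_refs() {   # $1 = .tekton dir, $2 = glob such as '*.yaml'
  for f in "$1"/$2; do
    [ -f "$f" ] || continue
    # the line after "- name: bundle" carries the value
    awk -v f="$f" '/- name: bundle[ \t]*$/ { getline
      sub(/^[ \t]*value:[ \t]*/, ""); print f "\t" $0 }' "$f"
  done
}

count_bundle_refs() { list_bundle_refs "$1" "$2" | wc -l | tr -d ' '; }

# Return 1 (and list offenders on stderr) if any ref lacks @sha256:<64 hex>.
check_digest_pinned() {
  unpinned=$(list_bundle_refs "$1" "$2" | grep -Ev '@sha256:[0-9a-f]{64}$') || true
  if [ -n "$unpinned" ]; then
    printf 'UNPINNED bundle refs:\n%s\n' "$unpinned" >&2
    return 1
  fi
}

d=$(make_sample_tekton)
echo "refs seen by *-build.yaml: $(count_bundle_refs "$d" '*-build.yaml')"
echo "refs seen by *.yaml:       $(count_bundle_refs "$d" '*.yaml')"
check_digest_pinned "$d" '*.yaml' || echo "digest pinning check failed"
```

Pointing the glob at `.tekton/*.yaml` and running the pinning check in CI catches both the files the bump script skips and any bundle that was edited back to a floating tag.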

@codecov

codecov bot commented Mar 20, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.

Flag         Coverage   Δ
acceptance   55.16%     <ø> (ø)
generative   17.90%     <ø> (ø)
integration  26.63%     <ø> (ø)
unit         69.01%     <ø> (ø)

@github-actions github-actions bot added size: L and removed size: S labels Mar 20, 2026

@coderabbitai coderabbitai bot left a comment

🧹 Nitpick comments (2)
acceptance/go.mod (1)

232-237: Consider aligning OTLP exporter modules with the OTel 1.42 core bump.

Lines 232-237 move core OTel modules to v1.42.0, while go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp is still v1.38.0 (Line 233). Keeping the family aligned reduces version-skew maintenance risk.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@acceptance/go.mod` around lines 232 - 237, The OTLP HTTP exporter module
version is out of sync: update the module
go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp from v1.38.0 to
v1.42.0 so it matches the core OTel modules (e.g., go.opentelemetry.io/otel,
go.opentelemetry.io/otel/metric, go.opentelemetry.io/otel/sdk,
go.opentelemetry.io/otel/sdk/metric, go.opentelemetry.io/otel/trace) to avoid
version skew.
go.mod (1)

387-394: Please verify OpenTelemetry exporter/core version alignment.

Core OTel modules were bumped to v1.42.0, but exporter modules in this file remain at v1.38.0 (Lines 388-390). If no compatibility constraint exists, aligning versions would reduce long-term dependency skew.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@go.mod` around lines 387 - 394, The go.mod shows OpenTelemetry core modules
at v1.42.0 while exporter modules otlptrace, otlptracegrpc, and otlptracehttp
are pinned to v1.38.0; verify compatibility and either update those exporter
lines (go.opentelemetry.io/otel/exporters/otlp/otlptrace, .../otlptracegrpc,
.../otlptracehttp) to v1.42.0 to align versions or document/lock a specific
reason for keeping them at v1.38.0 (e.g., add a comment or separate override) so
dependency skew is intentional and tracked.
📥 Commits

Reviewing files that changed from the base of the PR and between 3758bf1 and 4fa20e2.

⛔ Files ignored due to path filters (3)
  • acceptance/go.sum is excluded by !**/*.sum
  • go.sum is excluded by !**/*.sum
  • tools/go.sum is excluded by !**/*.sum
📒 Files selected for processing (5)
  • .tekton/cli-main-pull-request.yaml
  • .tekton/cli-main-push.yaml
  • acceptance/go.mod
  • go.mod
  • tools/go.mod
✅ Files skipped from review due to trivial changes (2)
  • tools/go.mod
  • .tekton/cli-main-push.yaml
🚧 Files skipped from review as they are similar to previous changes (1)
  • .tekton/cli-main-pull-request.yaml
