Update Konflux references

[red-hat-konflux-kflux-prd-rh02]

This PR contains the following updates:

Package	Change
quay.io/konflux-ci/tekton-catalog/task-clair-scan (source, changelog)	9397d3e → 8fad4c2
quay.io/konflux-ci/tekton-catalog/task-clamav-scan (source, changelog)	9f18b21 → 567cb66
quay.io/konflux-ci/tekton-catalog/task-deprecated-image-check (source, changelog)	3457a4c → e78d0d3
quay.io/konflux-ci/tekton-catalog/task-ecosystem-cert-preflight-checks (source, changelog)	e2bcf11 → 9c30072
quay.io/konflux-ci/tekton-catalog/task-rpms-signature-scan (source, changelog)	cfdb76c → d4e3499

---

Configuration

📅 Schedule: Branch creation - Between 05:00 AM and 11:59 PM, only on Saturday ( * 5-23 * * 6 ) (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

To execute skipped test pipelines write comment /ok-to-test.

---

Documentation

Find out how to configure dependency updates in MintMaker documentation or see all available configuration options in Renovate documentation.

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign mbrudnoy for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[openshift-ci]

Hi @red-hat-konflux-kflux-prd-rh02[bot]. Thanks for your PR.

I'm waiting for a openshift-hyperfleet member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work.

Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[coderabbitai]

📝 Walkthrough

Summary by CodeRabbit

• Chores
  • Updated internal CI/CD pipeline task bundle references for security and compliance scanning, including deprecated image detection, vulnerability scanning, ecosystem certification, malware detection, and signature verification.

Walkthrough

This PR updates Tekton task bundle image digests in two PipelineRun configuration files. Both .tekton/hyperfleet-sentinel-push.yaml and .tekton/hyperfleet-sentinel-tag.yaml have five task references updated with new SHA256 digests: deprecated-image-check, clair-scan, ecosystem-cert-preflight-checks, clamav-scan, and rpms-signature-scan. No task parameters, orchestration, conditions, or other pipeline configuration is altered—only the external bundle image digests are pinned to new versions.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title 'Update Konflux references' accurately reflects the main change—updating container image digests for five Konflux task bundle references across two Tekton pipeline files.
Description check	✅ Passed	The description is directly related to the changeset, detailing the specific Konflux package updates with version/digest changes, source links, and configuration metadata.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch konflux/references/main

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.tekton/hyperfleet-sentinel-push.yaml:
- Line 298: The Konflux task image digest for task-deprecated-image-check is
pinned to
quay.io/konflux-ci/tekton-catalog/task-deprecated-image-check:0.5@sha256:e78d0d3b...
which is out of sync with sibling component pipelines; update this digest to the
canonical/current sha256 across all affected occurrences (the five Konflux tasks
referenced) so openshift-hyperfleet/hyperfleet-api,
openshift-hyperfleet/hyperfleet-adapter and this pipeline use the identical
quay.io/...@sha256 value; search for the same task image names (e.g.,
task-deprecated-image-check:0.5@sha256:..., and the other four Konflux task
image lines) in the component .tekton YAMLs and replace their sha256 values to
the new coordinated digest.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Central YAML (base), Organization UI (inherited)

Review profile: ASSERTIVE

Plan: Enterprise

Run ID: 0cfecd60-4036-4122-8336-731454bcb5f6

📥 Commits

Reviewing files that changed from the base of the PR and between ef11b21 and d1be594.

📒 Files selected for processing (2)

• .tekton/hyperfleet-sentinel-push.yaml
• .tekton/hyperfleet-sentinel-tag.yaml

[coderabbitai]

🧹 Nitpick | 🔵 Trivial

Coordinate bundle digest bumps across sibling component repos.

Linked repo findings show openshift-hyperfleet/hyperfleet-api and openshift-hyperfleet/hyperfleet-adapter still pin the previous digests for these same five Konflux tasks. Keeping these in sync reduces divergence in security/check behavior across component pipelines.

Also applies to: 320-320, 340-340, 390-390, 508-508

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.tekton/hyperfleet-sentinel-push.yaml at line 298, The Konflux task image
digest for task-deprecated-image-check is pinned to
quay.io/konflux-ci/tekton-catalog/task-deprecated-image-check:0.5@sha256:e78d0d3b...
which is out of sync with sibling component pipelines; update this digest to the
canonical/current sha256 across all affected occurrences (the five Konflux tasks
referenced) so openshift-hyperfleet/hyperfleet-api,
openshift-hyperfleet/hyperfleet-adapter and this pipeline use the identical
quay.io/...@sha256 value; search for the same task image names (e.g.,
task-deprecated-image-check:0.5@sha256:..., and the other four Konflux task
image lines) in the component .tekton YAMLs and replace their sha256 values to
the new coordinated digest.