Skip to content

chore(deps): update konflux references#582

Closed
joshbranham wants to merge 2 commits into
openshift:masterfrom
joshbranham:update-konflux-task-refs
Closed

chore(deps): update konflux references#582
joshbranham wants to merge 2 commits into
openshift:masterfrom
joshbranham:update-konflux-task-refs

Conversation

@joshbranham

@joshbranham joshbranham commented Jun 26, 2026

Copy link
Copy Markdown
Contributor

Summary

  • Update git-clone-oci-ta:0.2 bundle digest to fix 5 trusted_task.trusted violations in the verify pipeline
  • Update buildah-oci-ta:0.10 bundle digest preemptively (also stale)

Test plan

  • Konflux verify pipeline passes without untrusted task violations

🤖 Generated with Claude Code

Summary by CodeRabbit

  • Chores
    • Updated pinned Tekton task bundle digests/versions in validating webhooks PipelineRun manifests for both pull-request and push workflows.
    • Kept the existing pipeline structure, parameters, and workspace configuration unchanged while refreshing the referenced task bundles.

Update stale task bundle digests to fix untrusted task violations in
the verify pipeline. git-clone-oci-ta was causing 5 violations;
buildah-oci-ta was also stale and updated preemptively.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@coderabbitai

coderabbitai Bot commented Jun 26, 2026

Copy link
Copy Markdown

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: cf2c528c-1b87-4160-94f1-991da74bc7fb

📥 Commits

Reviewing files that changed from the base of the PR and between e4a621d and 7dcc905.

📒 Files selected for processing (4)
  • .tekton/managed-cluster-validating-webhooks-e2e-pull-request.yaml
  • .tekton/managed-cluster-validating-webhooks-e2e-push.yaml
  • .tekton/managed-cluster-validating-webhooks-pull-request.yaml
  • .tekton/managed-cluster-validating-webhooks-push.yaml
✅ Files skipped from review due to trivial changes (1)
  • .tekton/managed-cluster-validating-webhooks-e2e-pull-request.yaml
🚧 Files skipped from review as they are similar to previous changes (2)
  • .tekton/managed-cluster-validating-webhooks-pull-request.yaml
  • .tekton/managed-cluster-validating-webhooks-e2e-push.yaml

Walkthrough

Updated pinned Tekton bundle digests for the clone-repository and build-container tasks across four managed-cluster-validating-webhooks PipelineRun manifests. No task wiring, parameters, workspaces, or conditions changed.

Changes

Tekton bundle digest updates

Layer / File(s) Summary
Clone task digest updates
.tekton/managed-cluster-validating-webhooks-*.yaml
clone-repository now points to updated task-git-clone-oci-ta bundle digests in all four PipelineRun manifests.
Build task digest updates
.tekton/managed-cluster-validating-webhooks-*.yaml
build-container now points to updated task-buildah-oci-ta:0.10 bundle digests in all four PipelineRun manifests.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~4 minutes

🚥 Pre-merge checks | ✅ 15
✅ Passed checks (15 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title accurately summarizes the main change: updating Konflux task bundle references.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names ✅ Passed The PR only updates Tekton PipelineRun YAML bundle digests; no Ginkgo test titles were added or modified.
Test Structure And Quality ✅ Passed PR only changes four Tekton YAML manifests; no Ginkgo test code or test blocks are modified, so the checklist is not applicable.
Microshift Test Compatibility ✅ Passed PR only updates .tekton PipelineRun bundle digests; no Ginkgo e2e test files or test bodies changed, so MicroShift compatibility is not implicated.
Single Node Openshift (Sno) Test Compatibility ✅ Passed PR only updates Tekton task bundle digests in .tekton YAML; no Ginkgo e2e tests were added or modified, so SNO compatibility is not applicable.
Topology-Aware Scheduling Compatibility ✅ Passed The PR only updates Tekton task bundle digests in PipelineRun manifests; no replicas, node selectors, affinity, spread constraints, or topology logic changed.
Ote Binary Stdout Contract ✅ Passed PR only updates Tekton bundle digests in YAML; no Go entrypoints or suite setup code changed, so the stdout contract is unaffected.
Ipv6 And Disconnected Network Test Compatibility ✅ Passed PASS: The PR only updates Tekton task bundle digests in existing PipelineRun YAMLs; no new Ginkgo e2e tests or networking logic were added.
No-Weak-Crypto ✅ Passed Changes only touch Tekton bundle refs using sha256 digests; no MD5/SHA1/DES/RC4/3DES/Blowfish/ECB or custom crypto code was found.
Container-Privileges ✅ Passed PASS: The changed Tekton YAML only updates task bundle digests; no added lines set privileged/hostPID/hostNetwork/hostIPC/SYS_ADMIN/allowPrivilegeEscalation or root-run settings.
No-Sensitive-Data-In-Logs ✅ Passed The PR only updates Tekton task bundle digests in four PipelineRun YAMLs; it adds no log statements or fields that would expose secrets, PII, or tokens.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Comment @coderabbitai help to get the list of available commands.

@openshift-ci openshift-ci Bot requested review from Mhodesty and anispate June 26, 2026 21:40
@openshift-ci openshift-ci Bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Jun 26, 2026
@joshbranham joshbranham self-assigned this Jun 26, 2026
@dustman9000

Copy link
Copy Markdown
Member

/lgtm

@openshift-ci openshift-ci Bot added the lgtm Indicates that a PR is ready to be merged. label Jun 26, 2026
@openshift-ci

openshift-ci Bot commented Jun 26, 2026

Copy link
Copy Markdown
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: dustman9000, joshbranham

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details Needs approval from an approver in each of these files:
  • OWNERS [dustman9000,joshbranham]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

Version 0.2 is not in the Konflux trusted tasks data bundle
(quay.io/konflux-ci/tekton-catalog/data-acceptable-bundles), so it
fails Enterprise Contract verification regardless of digest. Switch
to 0.1 with the latest permanently-trusted digest.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@openshift-ci openshift-ci Bot removed the lgtm Indicates that a PR is ready to be merged. label Jun 26, 2026
@openshift-ci

openshift-ci Bot commented Jun 26, 2026

Copy link
Copy Markdown
Contributor

New changes are detected. LGTM label has been removed.

@openshift-ci

openshift-ci Bot commented Jun 26, 2026

Copy link
Copy Markdown
Contributor

@joshbranham: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

@openshift-ci

openshift-ci Bot commented Jun 29, 2026

Copy link
Copy Markdown
Contributor

PR needs rebase.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@openshift-ci openshift-ci Bot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Jun 29, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

approved Indicates a PR has been approved by an approver from all required OWNERS files. needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD.

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants