From e4a621de0e9f7130fabcbbcc4a0bae3b5af82e98 Mon Sep 17 00:00:00 2001
From: Josh Branham
Date: Fri, 26 Jun 2026 15:38:55 -0600
Subject: [PATCH 1/2] chore(deps): update konflux references
Update stale task bundle digests to fix untrusted task violations in the verify pipeline. git-clone-oci-ta was causing 5 violations; buildah-oci-ta was also stale and updated preemptively.
Co-Authored-By: Claude Opus 4.6
---
 .../managed-cluster-validating-webhooks-e2e-pull-request.yaml | 4 ++--
 .tekton/managed-cluster-validating-webhooks-e2e-push.yaml | 4 ++--
 .tekton/managed-cluster-validating-webhooks-pull-request.yaml | 4 ++--
 .tekton/managed-cluster-validating-webhooks-push.yaml | 4 ++--
 4 files changed, 8 insertions(+), 8 deletions(-)
diff --git a/.tekton/managed-cluster-validating-webhooks-e2e-pull-request.yaml b/.tekton/managed-cluster-validating-webhooks-e2e-pull-request.yaml
index 4deac9b3..961570a9 100644
--- a/.tekton/managed-cluster-validating-webhooks-e2e-pull-request.yaml
+++ b/.tekton/managed-cluster-validating-webhooks-e2e-pull-request.yaml
@@ -164,7 +164,7 @@ spec:
 - name: name
 value: git-clone-oci-ta
 - name: bundle
- value: quay.io/konflux-ci/tekton-catalog/task-git-clone-oci-ta:0.2@sha256:89da85c1508b3a2b7ad884c1215b9fd3a7d9e28c2335aca6750948d129707035
+ value: quay.io/konflux-ci/tekton-catalog/task-git-clone-oci-ta:0.2@sha256:3506468c326f83edf529c2af476ae6b0fa81073422d2fb85ab16218c9579b020
 - name: kind
 value: task
 resolver: bundles
@@ -239,7 +239,7 @@ spec:
 - name: name
 value: buildah-oci-ta
 - name: bundle
- value: quay.io/konflux-ci/tekton-catalog/task-buildah-oci-ta:0.10@sha256:21a2f7c0b1b623bb77e6f07f7a1b5e36a72c1e6896adb5977527a9180daa99d7
+ value: quay.io/konflux-ci/tekton-catalog/task-buildah-oci-ta:0.10@sha256:c38fc465f5904540d59cab9edad9a56c996e0ed8c31166f8b3eb3a1702ab6f91
 - name: kind
 value: task
 resolver: bundles
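Review bot: The buildah-oci-ta:0.10 bundle value in the second hunk gets a new digest (`sha256:c38fc465…`) with no record of whether that digest is listed in the trusted-task data, and the second patch of this series shows that a fresh digest alone did not clear the policy for git-clone-oci-ta:0.2. Before merging, the new buildah digest should be checked against the acceptable-bundles data the verify pipeline evaluates, and the commit message should say where each digest was taken from, so a reviewer can repeat the lookup instead of trusting a pasted hash. The same applies to the buildah-oci-ta hunks in the e2e-push, pull-request and push files. The git-clone-oci-ta:0.2 digest set in the first hunk is replaced again by patch 2/2, so squashing the two commits would avoid an intermediate revision that still fails verification.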
diff --git a/.tekton/managed-cluster-validating-webhooks-e2e-push.yaml b/.tekton/managed-cluster-validating-webhooks-e2e-push.yaml
index c775bd7a..4bb6fdc5 100644
--- a/.tekton/managed-cluster-validating-webhooks-e2e-push.yaml
+++ b/.tekton/managed-cluster-validating-webhooks-e2e-push.yaml
@@ -154,7 +154,7 @@ spec:
 - name: name
 value: git-clone-oci-ta
 - name: bundle
- value: quay.io/konflux-ci/tekton-catalog/task-git-clone-oci-ta:0.2@sha256:89da85c1508b3a2b7ad884c1215b9fd3a7d9e28c2335aca6750948d129707035
+ value: quay.io/konflux-ci/tekton-catalog/task-git-clone-oci-ta:0.2@sha256:3506468c326f83edf529c2af476ae6b0fa81073422d2fb85ab16218c9579b020
 - name: kind
 value: task
 resolver: bundles
@@ -225,7 +225,7 @@ spec:
 - name: name
 value: buildah-oci-ta
 - name: bundle
- value: quay.io/konflux-ci/tekton-catalog/task-buildah-oci-ta:0.10@sha256:21a2f7c0b1b623bb77e6f07f7a1b5e36a72c1e6896adb5977527a9180daa99d7
+ value: quay.io/konflux-ci/tekton-catalog/task-buildah-oci-ta:0.10@sha256:c38fc465f5904540d59cab9edad9a56c996e0ed8c31166f8b3eb3a1702ab6f91
 - name: kind
 value: task
 resolver: bundles
diff --git a/.tekton/managed-cluster-validating-webhooks-pull-request.yaml b/.tekton/managed-cluster-validating-webhooks-pull-request.yaml
index 67f577a7..957878c4 100644
--- a/.tekton/managed-cluster-validating-webhooks-pull-request.yaml
+++ b/.tekton/managed-cluster-validating-webhooks-pull-request.yaml
@@ -161,7 +161,7 @@ spec:
 - name: name
 value: git-clone-oci-ta
 - name: bundle
- value: quay.io/konflux-ci/tekton-catalog/task-git-clone-oci-ta:0.2@sha256:89da85c1508b3a2b7ad884c1215b9fd3a7d9e28c2335aca6750948d129707035
+ value: quay.io/konflux-ci/tekton-catalog/task-git-clone-oci-ta:0.2@sha256:3506468c326f83edf529c2af476ae6b0fa81073422d2fb85ab16218c9579b020
 - name: kind
 value: task
 resolver: bundles
@@ -232,7 +232,7 @@ spec:
 - name: name
 value: buildah-oci-ta
 - name: bundle
- value: quay.io/konflux-ci/tekton-catalog/task-buildah-oci-ta:0.10@sha256:21a2f7c0b1b623bb77e6f07f7a1b5e36a72c1e6896adb5977527a9180daa99d7
+ value: quay.io/konflux-ci/tekton-catalog/task-buildah-oci-ta:0.10@sha256:c38fc465f5904540d59cab9edad9a56c996e0ed8c31166f8b3eb3a1702ab6f91
 - name: kind
 value: task
 resolver: bundles
diff --git a/.tekton/managed-cluster-validating-webhooks-push.yaml b/.tekton/managed-cluster-validating-webhooks-push.yaml
index fab6c71c..bcda9740 100644
--- a/.tekton/managed-cluster-validating-webhooks-push.yaml
+++ b/.tekton/managed-cluster-validating-webhooks-push.yaml
@@ -158,7 +158,7 @@ spec:
 - name: name
 value: git-clone-oci-ta
 - name: bundle
- value: quay.io/konflux-ci/tekton-catalog/task-git-clone-oci-ta:0.2@sha256:89da85c1508b3a2b7ad884c1215b9fd3a7d9e28c2335aca6750948d129707035
+ value: quay.io/konflux-ci/tekton-catalog/task-git-clone-oci-ta:0.2@sha256:3506468c326f83edf529c2af476ae6b0fa81073422d2fb85ab16218c9579b020
 - name: kind
 value: task
 resolver: bundles
@@ -229,7 +229,7 @@ spec:
 - name: name
 value: buildah-oci-ta
 - name: bundle
- value: quay.io/konflux-ci/tekton-catalog/task-buildah-oci-ta:0.10@sha256:21a2f7c0b1b623bb77e6f07f7a1b5e36a72c1e6896adb5977527a9180daa99d7
+ value: quay.io/konflux-ci/tekton-catalog/task-buildah-oci-ta:0.10@sha256:c38fc465f5904540d59cab9edad9a56c996e0ed8c31166f8b3eb3a1702ab6f91
 - name: kind
 value: task
 resolver: bundles
From 7dcc905330fe6a688f00c91bbf5cf8935214a88d Mon Sep 17 00:00:00 2001
From: Josh Branham
Date: Fri, 26 Jun 2026 16:00:03 -0600
Subject: [PATCH 2/2] fix: use git-clone-oci-ta 0.1 which is in the trusted tasks list
Version 0.2 is not in the Konflux trusted tasks data bundle (quay.io/konflux-ci/tekton-catalog/data-acceptable-bundles), so it fails Enterprise Contract verification regardless of digest. Switch to 0.1 with the latest permanently-trusted digest.
Co-Authored-By: Claude Opus 4.6
---
 .../managed-cluster-validating-webhooks-e2e-pull-request.yaml | 2 +-
 .tekton/managed-cluster-validating-webhooks-e2e-push.yaml | 2 +-
 .tekton/managed-cluster-validating-webhooks-pull-request.yaml | 2 +-
 .tekton/managed-cluster-validating-webhooks-push.yaml | 2 +-
 4 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/.tekton/managed-cluster-validating-webhooks-e2e-pull-request.yaml b/.tekton/managed-cluster-validating-webhooks-e2e-pull-request.yaml
index 961570a9..550a4507 100644
--- a/.tekton/managed-cluster-validating-webhooks-e2e-pull-request.yaml
+++ b/.tekton/managed-cluster-validating-webhooks-e2e-pull-request.yaml
@@ -164,7 +164,7 @@ spec:
 - name: name
 value: git-clone-oci-ta
 - name: bundle
- value: quay.io/konflux-ci/tekton-catalog/task-git-clone-oci-ta:0.2@sha256:3506468c326f83edf529c2af476ae6b0fa81073422d2fb85ab16218c9579b020
+ value: quay.io/konflux-ci/tekton-catalog/task-git-clone-oci-ta:0.1@sha256:a11dac7d914d0165362cdcc4c50860a30320f59a32ed0778bf895004d3f74591
 - name: kind
 value: task
 resolver: bundles
diff --git a/.tekton/managed-cluster-validating-webhooks-e2e-push.yaml b/.tekton/managed-cluster-validating-webhooks-e2e-push.yaml
index 4bb6fdc5..17bbffe6 100644
--- a/.tekton/managed-cluster-validating-webhooks-e2e-push.yaml
+++ b/.tekton/managed-cluster-validating-webhooks-e2e-push.yaml
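Review bot: The bundle value in managed-cluster-validating-webhooks-e2e-pull-request.yaml moves git-clone-oci-ta from 0.2 back to 0.1, and nothing in the file marks that downgrade as deliberate, so an automated reference update (the first patch carries the usual `update konflux references` title) may later move it back to 0.2 and bring the violation back. A comment above the value would make the pin visible, for example `# pinned to 0.1: 0.2 is not in data-acceptable-bundles; move back once it is listed`. The task entry that holds this taskRef starts and ends outside the hunk, so it is worth confirming that the params and results the pipeline wires to this task still match the 0.1 interface. Trusted-task entries can, as far as I know, receive an expiry once a newer digest is published, so "permanently-trusted" in the description holds only for now. The same change is repeated in the e2e-push, pull-request and push files.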
@@ -154,7 +154,7 @@ spec:
 - name: name
 value: git-clone-oci-ta
 - name: bundle
- value: quay.io/konflux-ci/tekton-catalog/task-git-clone-oci-ta:0.2@sha256:3506468c326f83edf529c2af476ae6b0fa81073422d2fb85ab16218c9579b020
+ value: quay.io/konflux-ci/tekton-catalog/task-git-clone-oci-ta:0.1@sha256:a11dac7d914d0165362cdcc4c50860a30320f59a32ed0778bf895004d3f74591
 - name: kind
 value: task
 resolver: bundles
diff --git a/.tekton/managed-cluster-validating-webhooks-pull-request.yaml b/.tekton/managed-cluster-validating-webhooks-pull-request.yaml
index 957878c4..784afd36 100644
--- a/.tekton/managed-cluster-validating-webhooks-pull-request.yaml
+++ b/.tekton/managed-cluster-validating-webhooks-pull-request.yaml
@@ -161,7 +161,7 @@ spec:
 - name: name
 value: git-clone-oci-ta
 - name: bundle
- value: quay.io/konflux-ci/tekton-catalog/task-git-clone-oci-ta:0.2@sha256:3506468c326f83edf529c2af476ae6b0fa81073422d2fb85ab16218c9579b020
+ value: quay.io/konflux-ci/tekton-catalog/task-git-clone-oci-ta:0.1@sha256:a11dac7d914d0165362cdcc4c50860a30320f59a32ed0778bf895004d3f74591
 - name: kind
 value: task
 resolver: bundles
diff --git a/.tekton/managed-cluster-validating-webhooks-push.yaml b/.tekton/managed-cluster-validating-webhooks-push.yaml
index bcda9740..6afeeb59 100644
--- a/.tekton/managed-cluster-validating-webhooks-push.yaml
+++ b/.tekton/managed-cluster-validating-webhooks-push.yaml
@@ -158,7 +158,7 @@ spec:
 - name: name
 value: git-clone-oci-ta
 - name: bundle
- value: quay.io/konflux-ci/tekton-catalog/task-git-clone-oci-ta:0.2@sha256:3506468c326f83edf529c2af476ae6b0fa81073422d2fb85ab16218c9579b020
+ value: quay.io/konflux-ci/tekton-catalog/task-git-clone-oci-ta:0.1@sha256:a11dac7d914d0165362cdcc4c50860a30320f59a32ed0778bf895004d3f74591
 - name: kind
 value: task
 resolver: bundles