OCM-00000 | ci: Update registry.access.redhat.com/ubi9/go-toolset Docker tag to v9 #3310

Closed
red-hat-konflux[bot] wants to merge 1 commit into master from konflux/mintmaker/master/registry.access.redhat.com-ubi9-go-toolset-9.x

@red-hat-konflux red-hat-konflux Bot commented Jul 1, 2026

Contributor

This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| registry.access.redhat.com/ubi9/go-toolset | stage | major | 1.26.4-1782736563 → 9.8-1782852234 |
| registry.access.redhat.com/ubi9/go-toolset | final | major | 1.26.4-1782736563 → 9.8-1782852234 |

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.


Configuration

📅 Schedule: (UTC)

  • Branch creation
    • At any time (no schedule defined)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.


  • If you want to rebase/retry this PR, check this box

To execute skipped test pipelines write comment /ok-to-test.


Documentation

Find out how to configure dependency updates in MintMaker documentation or see all available configuration options in Renovate documentation.

Summary by CodeRabbit

  • Chores
    • Updated the build environment to use a newer base image across container builds.
    • Kept the application build and runtime steps unchanged while aligning multiple images to the same updated toolset.

…ker tag to v9

Signed-off-by: red-hat-konflux <126015336+red-hat-konflux[bot]@users.noreply.github.com>
@red-hat-konflux red-hat-konflux Bot added the ok-to-test Indicates a non-member PR verified by an org member that is safe to test. label Jul 1, 2026
coderabbitai Bot commented Jul 1, 2026
Walkthrough

This PR bumps the registry.access.redhat.com/ubi9/go-toolset base image tag from 1.26.4-1782736563 to 9.8-1782852234 in Dockerfile, images/Dockerfile.e2e, and images/Dockerfile.konflux. In images/Dockerfile.e2e, the rosa-support stage is also retagged to the new base image and given an explicit WORKDIR, with the final stage's FROM relocated to follow the unchanged ocmcli stage. All other build instructions remain unchanged.

Changes

| Cohort / File(s) | Change Summary |
|---|---|
| Go toolset base image update — Dockerfile, images/Dockerfile.konflux | Bumped go-toolset builder image tag to 9.8-1782852234 |
| Go toolset base image update — images/Dockerfile.e2e | Bumped builder/final stage image tags; retagged and restructured rosa-support stage with explicit WORKDIR |

Sequence Diagram(s)

Not applicable — changes are limited to Dockerfile base image tag updates and stage restructuring, with no observable runtime flow to diagram.

Possibly related PRs

  • openshift/rosa#3292: Modifies the same registry.access.redhat.com/ubi9/go-toolset base image tag across the same Dockerfile, images/Dockerfile.e2e, and images/Dockerfile.konflux files.
🚥 Pre-merge checks | ✅ 4 | ❌ 11

❌ Failed checks (1 warning, 10 inconclusive)

| Check name | Status | Explanation | Resolution |
|---|---|---|---|
| Description check | ⚠️ Warning | The description is a Renovate update notice and omits the required template sections for context, testing, and validation. | Rewrite the description to follow the required template and add PR Summary, issue context, change details, testing steps, proof, and checklist items. |
| Stable And Deterministic Test Names | ❓ Inconclusive | Repository clone failed, so this custom check could not run with code access. | Retry the review run. If this persists, inspect pre-merge custom-check logs for infrastructure or agent runtime failures. |
| Test Structure And Quality | ❓ Inconclusive | Repository clone failed, so this custom check could not run with code access. | Retry the review run. If this persists, inspect pre-merge custom-check logs for infrastructure or agent runtime failures. |
| Microshift Test Compatibility | ❓ Inconclusive | Repository clone failed, so this custom check could not run with code access. | Retry the review run. If this persists, inspect pre-merge custom-check logs for infrastructure or agent runtime failures. |
| Single Node Openshift (Sno) Test Compatibility | ❓ Inconclusive | Repository clone failed, so this custom check could not run with code access. | Retry the review run. If this persists, inspect pre-merge custom-check logs for infrastructure or agent runtime failures. |
| Topology-Aware Scheduling Compatibility | ❓ Inconclusive | Repository clone failed, so this custom check could not run with code access. | Retry the review run. If this persists, inspect pre-merge custom-check logs for infrastructure or agent runtime failures. |
| Ote Binary Stdout Contract | ❓ Inconclusive | Repository clone failed, so this custom check could not run with code access. | Retry the review run. If this persists, inspect pre-merge custom-check logs for infrastructure or agent runtime failures. |
| Ipv6 And Disconnected Network Test Compatibility | ❓ Inconclusive | Repository clone failed, so this custom check could not run with code access. | Retry the review run. If this persists, inspect pre-merge custom-check logs for infrastructure or agent runtime failures. |
| No-Weak-Crypto | ❓ Inconclusive | Repository clone failed, so this custom check could not run with code access. | Retry the review run. If this persists, inspect pre-merge custom-check logs for infrastructure or agent runtime failures. |
| Container-Privileges | ❓ Inconclusive | Repository clone failed, so this custom check could not run with code access. | Retry the review run. If this persists, inspect pre-merge custom-check logs for infrastructure or agent runtime failures. |
| No-Sensitive-Data-In-Logs | ❓ Inconclusive | Repository clone failed, so this custom check could not run with code access. | Retry the review run. If this persists, inspect pre-merge custom-check logs for infrastructure or agent runtime failures. |

✅ Passed checks (4 passed)

| Check name | Status | Explanation |
|---|---|---|
| Title check | ✅ Passed | The title clearly states the go-toolset Docker tag update and matches the main change. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |

Comment @coderabbitai help to get the list of available commands.

@openshift-ci openshift-ci Bot requested review from gdbranco and marcolan018 July 1, 2026 15:09
openshift-ci Bot commented Jul 1, 2026
Contributor

Hi @red-hat-konflux[bot]. Thanks for your PR.

I'm waiting for an openshift member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work.

Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@coderabbitai coderabbitai Bot left a comment


🧹 Nitpick comments (2)
images/Dockerfile.e2e (2)

16-18: 🔒 Security & Privacy | 🔵 Trivial | ⚡ Quick win

Pin rosa-support install to a specific version.

go install github.com/openshift-online/rosa-support@latest is unpinned, so rebuilds of this stage are non-reproducible and can silently pick up breaking upstream changes. Since this segment is retagged/restructured in this diff, consider pinning to a specific tag/commit while you're touching this stage.

As per path instructions, "Flag unpinned downloads, secret-bearing build arguments, or image changes that drift from Tekton/Konflux assumptions without justification."

📌 Suggested fix
-RUN go install github.com/openshift-online/rosa-support@latest
+RUN go install github.com/openshift-online/rosa-support@<pinned-version>
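Review bot: the `+` line leaves `<pinned-version>` as a literal placeholder, so this suggestion cannot be committed as written; it needs the actual released tag or commit of rosa-support that the e2e stage is meant to build. Whatever value is chosen, put it under the same update automation that bumps the go-toolset tag, so the pin is refreshed deliberately instead of being left to go stale.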
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@images/Dockerfile.e2e` around lines 16 - 18, Pin the rosa-support
installation in the rosa-support build stage instead of using `@latest`, since the
current go install github.com/openshift-online/rosa-support@latest is
non-reproducible. Update the RUN step in the rosa-support stage to use a
specific released tag or commit so future builds are stable and do not silently
drift with upstream changes.

Source: Path instructions


22-44: 🔒 Security & Privacy | 🔵 Trivial | ⚖️ Poor tradeoff

Final image still ships the full go-toolset dev environment.

The final stage bumps to the new tag but keeps go-toolset (with yum install in the final layer) as the runtime base rather than a minimal/distroless image. This is a pre-existing pattern unrelated to the tag bump itself, so it's not a blocker for this PR, but worth tracking separately.

As per path instructions, container images should use "UBI minimal or distroless from catalog.redhat.com" as the base and avoid "build tools in final image."

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@images/Dockerfile.e2e` around lines 22 - 44, The final stage in the e2e
Dockerfile still uses the full go-toolset runtime image and installs packages
with yum, so the image includes build tools instead of a minimal/distroless
base. Update the final runtime stage to a UBI minimal or distroless image from
catalog.redhat.com and keep only the runtime artifacts needed by the COPY steps
and the setup around USER appuser, avoiding any package installation or dev-tool
dependencies in the final image.

Source: Path instructions

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: c4f8842a-97ad-4e44-af01-d975ebd670ef

📥 Commits

Reviewing files that changed from the base of the PR and between e6c81eb and 87863ed.

📒 Files selected for processing (3)
  • Dockerfile
  • images/Dockerfile.e2e
  • images/Dockerfile.konflux
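
The two review findings above (the `@latest` install in the rosa-support stage, and a final stage that keeps go-toolset as its base and runs `yum install`) can be checked mechanically before merge. This is an added example, not code from the PR or the rosa project: the sample Dockerfile is constructed, `instructions`, `audit` and the finding names are hypothetical, and treating go-toolset as a build-only base is an assumption taken from the review comment.

```python
import re

# Constructed sample (the page does not show images/Dockerfile.e2e).
SAMPLE = r"""
FROM registry.access.redhat.com/ubi9/go-toolset:9.8-1782852234 AS builder
RUN go build -o /tmp/rosa ./cmd/rosa
FROM registry.access.redhat.com/ubi9/go-toolset:9.8-1782852234 AS rosa-support
RUN go install github.com/openshift-online/rosa-support@latest
FROM registry.access.redhat.com/ubi9/go-toolset:9.8-1782852234
RUN yum install -y jq \
    && yum clean all
COPY --from=builder /tmp/rosa /usr/local/bin/rosa
"""

BUILD_IMAGE = re.compile(r"/go-toolset[:@]")  # assumption: treated as build-only
PKG_INSTALL = re.compile(r"\b(?:yum|dnf|microdnf)\s+(?:-\S+\s+)*install\b")
GO_LATEST = re.compile(r"\bgo\s+install\b[^&;|]*?\s(\S+)@latest\b")

def instructions(text):
    """Yield (line_no, instruction), joining backslash continuations."""
    buf, start = [], 0
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        start = start or no
        buf.append(line.rstrip("\\").strip())
        if not line.endswith("\\"):
            yield start, " ".join(buf)
            buf, start = [], 0

def audit(text):
    """Return sorted (line_no, finding) pairs for one Dockerfile."""
    findings, stages = [], []
    for no, ins in instructions(text):
        op, _, rest = ins.partition(" ")
        if op.upper() == "FROM":
            image = next(t for t in rest.split() if not t.startswith("--"))
            stages.append({"line": no, "image": image, "runs": []})
        elif op.upper() == "RUN" and stages:
            stages[-1]["runs"].append((no, rest))
            findings += [(no, f"unpinned go install: {m.group(1)}")
                         for m in GO_LATEST.finditer(rest)]
    if stages:
        final = stages[-1]  # only the last stage ships in the image
        if BUILD_IMAGE.search(final["image"]):
            findings.append((final["line"], "final stage uses build image"))
        findings += [(no, "package install in final stage")
                     for no, run in final["runs"] if PKG_INSTALL.search(run)]
    return sorted(findings)
```

Line numbers count from the first line of the string passed in, so the constructed sample's leading blank line is line 1.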

@olucasfreitas

Contributor

/override ci/prow/security
/lgtm
/approve

@openshift-ci openshift-ci Bot added the lgtm Indicates that a PR is ready to be merged. label Jul 1, 2026
openshift-ci Bot commented Jul 1, 2026
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: olucasfreitas, red-hat-konflux[bot]

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

openshift-ci Bot commented Jul 1, 2026
Contributor

@olucasfreitas: Overrode contexts on behalf of olucasfreitas: ci/prow/security

In response to this:

/override ci/prow/security
/lgtm
/approve

@openshift-ci openshift-ci Bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Jul 1, 2026
codecov Bot commented Jul 1, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 27.02%. Comparing base (e6c81eb) to head (87863ed).
⚠️ Report is 6 commits behind head on master.

Additional details and impacted files
@@           Coverage Diff           @@
##           master    #3310   +/-   ##
=======================================
  Coverage   27.02%   27.02%           
=======================================
  Files         334      334           
  Lines       36704    36704           
=======================================
  Hits         9920     9920           
  Misses      26029    26029           
  Partials      755      755           


openshift-ci Bot commented Jul 1, 2026
Contributor

@red-hat-konflux: all tests passed!

Full PR test history. Your PR dashboard.


@openshift-ci openshift-ci Bot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Jul 1, 2026
openshift-ci Bot commented Jul 1, 2026
Contributor

PR needs rebase.


@amandahla amandahla closed this Jul 1, 2026
@red-hat-konflux

Contributor Author

Renovate Ignore Notification

Because you closed this PR without merging, Renovate will ignore this update. You will not get PRs for any future 9.x releases. But if you manually upgrade to 9.x then Renovate will re-enable minor and patch updates automatically.

If you accidentally closed this PR, or if you changed your mind: rename this PR to get a fresh replacement PR.

@red-hat-konflux red-hat-konflux Bot deleted the konflux/mintmaker/master/registry.access.redhat.com-ubi9-go-toolset-9.x branch July 1, 2026 17:59