OCM-00000 | ci: Update registry.access.redhat.com/ubi9/go-toolset Docker tag to v9 #3310
…ker tag to v9 Signed-off-by: red-hat-konflux <126015336+red-hat-konflux[bot]@users.noreply.github.com>
📝 Walkthrough
This PR bumps the
Changes
Sequence Diagram(s)
Not applicable — changes are limited to Dockerfile base image tag updates and stage restructuring, with no observable runtime flow to diagram.
Possibly related PRs
🚥 Pre-merge checks | ✅ 4 | ❌ 11
❌ Failed checks (1 warning, 10 inconclusive)
✅ Passed checks (4 passed)
|
Hi @red-hat-konflux[bot]. Thanks for your PR. I'm waiting for an openshift member to verify that this patch is reasonable to test. If it is, they should reply with Regular contributors should join the org to skip this step. Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here.
Details
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
🧹 Nitpick comments (2)
images/Dockerfile.e2e (2)
16-18: 🔒 Security & Privacy | 🔵 Trivial | ⚡ Quick win
Pin `rosa-support` install to a specific version.
`go install github.com/openshift-online/rosa-support@latest` is unpinned, so rebuilds of this stage are non-reproducible and can silently pick up breaking upstream changes. Since this segment is retagged/restructured in this diff, consider pinning to a specific tag/commit while you're touching this stage.
As per path instructions, "Flag unpinned downloads, secret-bearing build arguments, or image changes that drift from Tekton/Konflux assumptions without justification."
📌 Suggested fix
-RUN go install github.com/openshift-online/rosa-support@latest +RUN go install github.com/openshift-online/rosa-support@<pinned-version>🤖 Prompt for AI Agents
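Review bot: the `+RUN go install github.com/openshift-online/rosa-support@<pinned-version>` line still carries a placeholder, so the suggestion cannot be committed as written. Replace `<pinned-version>` with a released tag or a commit of rosa-support, and keep that pin under the same automated update tooling that raised this PR so it does not go stale.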
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@images/Dockerfile.e2e` around lines 16 - 18, Pin the rosa-support installation in the rosa-support build stage instead of using `@latest`, since the current go install github.com/openshift-online/rosa-support@latest is non-reproducible. Update the RUN step in the rosa-support stage to use a specific released tag or commit so future builds are stable and do not silently drift with upstream changes.
Source: Path instructions
22-44: 🔒 Security & Privacy | 🔵 Trivial | ⚖️ Poor tradeoff
Final image still ships the full go-toolset dev environment.
The final stage bumps to the new tag but keeps `go-toolset` (with `yum install` in the final layer) as the runtime base rather than a minimal/distroless image. This is a pre-existing pattern unrelated to the tag bump itself, so it's not a blocker for this PR, but worth tracking separately.
As per path instructions, container images should use "UBI minimal or distroless from catalog.redhat.com" as the base and avoid "build tools in final image."
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@images/Dockerfile.e2e` around lines 22 - 44, The final stage in the e2e Dockerfile still uses the full go-toolset runtime image and installs packages with yum, so the image includes build tools instead of a minimal/distroless base. Update the final runtime stage to a UBI minimal or distroless image from catalog.redhat.com and keep only the runtime artifacts needed by the COPY steps and the setup around USER appuser, avoiding any package installation or dev-tool dependencies in the final image.
Source: Path instructions
ℹ️ Review info
⚙️ Run configuration
Configuration used: Repository YAML (base), Central YAML (inherited)
Review profile: CHILL
Plan: Enterprise
Run ID: c4f8842a-97ad-4e44-af01-d975ebd670ef
📒 Files selected for processing (3)
Dockerfile
images/Dockerfile.e2e
images/Dockerfile.konflux
|
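The two findings in the review above (a `go install ...@latest` in a build stage, and a final stage based on go-toolset) can be checked mechanically before merge. The Go program below is an added example, not code from this PR, the repository, or the review bot; `LintDockerfile`, `Finding` and the sample Dockerfile with its `TAG` placeholder are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Finding is one lint result: 1-based line number and a message.
type Finding struct{ Line int; Msg string }

// First non-flag argument of `go install` (valueless flags only).
var goInstall = regexp.MustCompile(`\bgo\s+install\s+(?:-\S+\s+)*(\S+)`)

// LintDockerfile flags remote `go install` targets that carry no version or
// use @latest, and a final stage based on a go-toolset build image.
func LintDockerfile(src string) []Finding {
	var out []Finding
	lastFrom, lastBase := 0, ""
	for i, raw := range strings.Split(src, "\n") {
		line := strings.TrimSpace(raw)
		if strings.HasPrefix(line, "#") {
			continue // Dockerfile comment
		}
		if f := strings.Fields(line); len(f) >= 2 && strings.EqualFold(f[0], "FROM") {
			lastFrom, lastBase = i+1, f[1] // assumes FROM has no --platform flag
		}
		for _, m := range goInstall.FindAllStringSubmatch(line, -1) {
			_, ver, ok := strings.Cut(m[1], "@")
			local := strings.HasPrefix(m[1], ".") || strings.HasPrefix(m[1], "/")
			if !local && (!ok || ver == "latest") {
				out = append(out, Finding{i + 1, "unpinned go install: " + m[1]})
			}
		}
	}
	if strings.Contains(lastBase, "go-toolset") {
		out = append(out, Finding{lastFrom, "final stage ships build toolchain: " + lastBase})
	}
	return out
}

// Constructed sample, not the PR's Dockerfile; TAG is a placeholder.
const sample = `FROM registry.access.redhat.com/ubi9/go-toolset:TAG AS rosa-support
RUN go install github.com/openshift-online/rosa-support@latest
FROM registry.access.redhat.com/ubi9/go-toolset:TAG`

func main() {
	fmt.Println(LintDockerfile(sample))
}
```

A check like this only tells you that a version string is present; it does not verify that the pinned tag or commit is the one that was reviewed.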
/override ci/prow/security |
|
[APPROVALNOTIFIER] This PR is APPROVED
This pull-request has been approved by: olucasfreitas, red-hat-konflux[bot]
The full list of commands accepted by this bot can be found here.
The pull request process is described here
Details
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
|
@olucasfreitas: Overrode contexts on behalf of olucasfreitas: ci/prow/security
Details
In response to this:
|
Codecov Report
✅ All modified and coverable lines are covered by tests.
Additional details and impacted files
@@ Coverage Diff @@
## master #3310 +/- ##
=======================================
Coverage 27.02% 27.02%
=======================================
Files 334 334
Lines 36704 36704
=======================================
Hits 9920 9920
Misses 26029 26029
Partials 755 755
|
|
@red-hat-konflux: all tests passed! Full PR test history. Your PR dashboard. |
|
PR needs rebase. |
Renovate Ignore Notification
Because you closed this PR without merging, Renovate will ignore this update. You will not get PRs for any future If you accidentally closed this PR, or if you changed your mind: rename this PR to get a fresh replacement PR. |
This PR contains the following updates:
1.26.4-1782736563 → 9.8-1782852234
1.26.4-1782736563 → 9.8-1782852234
Warning
Some dependencies could not be looked up. Check the Dependency Dashboard for more information.
Configuration
📅 Schedule: (UTC)
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about these updates again.
To execute skipped test pipelines write comment `/ok-to-test`.
Documentation
Find out how to configure dependency updates in MintMaker documentation or see all available configuration options in Renovate documentation.
Summary by CodeRabbit