
OCM-00000 | ci: Update Konflux references#3248

Open
red-hat-konflux[bot] wants to merge 1 commit into master from konflux/references/master

Conversation


@red-hat-konflux red-hat-konflux Bot commented May 25, 2026

This PR contains the following updates:

Package Change
quay.io/konflux-ci/tekton-catalog/task-coverity-availability-check (source, changelog) 0b352928b50144
quay.io/konflux-ci/tekton-catalog/task-deprecated-image-check (source, changelog) 5d63b92e78d0d3
quay.io/konflux-ci/tekton-catalog/task-ecosystem-cert-preflight-checks (source, changelog) 302828e88f4fd6
quay.io/konflux-ci/tekton-catalog/task-git-clone-oci-ta (source, changelog) 9709088d30f13d
quay.io/konflux-ci/tekton-catalog/task-rpms-signature-scan (source, changelog) c0798ff237c54b
quay.io/konflux-ci/tekton-catalog/task-sast-coverity-check-oci-ta (source, changelog) 7c845b1e92d00e
quay.io/konflux-ci/tekton-catalog/task-sast-shell-check-oci-ta (source, changelog) a5916753cbb353
quay.io/konflux-ci/tekton-catalog/task-sast-snyk-check-oci-ta (source, changelog) 9a6ec550ebf28a
quay.io/konflux-ci/tekton-catalog/task-show-sbom (source, changelog) 04f15cba7346ed

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.



To execute skipped test pipelines write comment /ok-to-test.


Documentation

Find out how to configure dependency updates in MintMaker documentation or see all available configuration options in Renovate documentation.

@red-hat-konflux red-hat-konflux Bot added the ok-to-test Indicates a non-member PR verified by an org member that is safe to test. label May 25, 2026

coderabbitai Bot commented May 25, 2026

📝 Walkthrough

This PR updates Tekton task bundle digest references across four pipeline configuration files. The pinned task bundle digests for nine tasks in the CLI E2E pipelines and six tasks in the standard pipelines are updated to new sha256 digests. The updated tasks include show-sbom, git-clone-oci-ta, deprecated-image-check, ecosystem-cert-preflight-checks, sast-snyk-check-oci-ta, sast-coverity-check-oci-ta, coverity-availability-check, sast-shell-check-oci-ta, and rpms-signature-scan. No structural changes, parameters, task wiring, or control flow modifications are made.

Suggested reviewers

  • gdbranco
  • jerichokeyne

Possibly related PRs

  • openshift/rosa#3244: Updates Tekton PipelineRun task bundle image sha256 digests in .tekton/*.yaml and adds a renovate rule to automate Tekton bundle updates.
🚥 Pre-merge checks | ✅ 14 | ❌ 1

❌ Failed checks (1 warning)

Description check (⚠️ Warning)
Explanation: The PR description is largely incomplete against the template. While it includes a detailed table of package updates with links and commit hashes, it is missing critical sections: PR Summary, Detailed Description of the Issue, Related Issues and PRs, Type of Change checkbox, Previous/After Behavior, How to Test, Breaking Changes assessment, and the Developer Verification Checklist.
Resolution: Add missing template sections: brief PR summary, root problem/scope description, explicit Jira link confirmation, type of change selection, testing instructions with preconditions and steps, and verification checklist completion.
✅ Passed checks (14 passed)
Check name Status Explanation
Title check ✅ Passed The title 'OCM-00000 | ci: Update Konflux references' clearly summarizes the main change: updating CI pipeline Tekton task bundle references to newer versions.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names ✅ Passed PR contains no Ginkgo test files or test name definitions—only updates to Tekton pipeline YAML configuration files with task bundle digest references.
Test Structure And Quality ✅ Passed PR only modifies .tekton YAML configuration files for Konflux task image references; no Ginkgo test code was changed, so the test structure quality check is not applicable.
Microshift Test Compatibility ✅ Passed ROSA CLI tests for AWS are not applicable to MicroShift. The repository has no MicroShift CI jobs, and ROSA's full OpenShift architecture is incompatible with MicroShift.
Single Node Openshift (Sno) Test Compatibility ✅ Passed PR only updates Tekton task bundle digests in YAML pipeline files; no new Ginkgo e2e tests are added, making the SNO compatibility check not applicable.
Topology-Aware Scheduling Compatibility ✅ Passed PR updates only Tekton task bundle image digests in .tekton/*.yaml files. No scheduling constraints (affinity, nodeSelector, tolerations, PDB, topologySpread) were added or modified.
Ote Binary Stdout Contract ✅ Passed PR only modifies .tekton/ YAML pipeline configurations (Tekton task bundle digests); OTE Stdout Contract applies to Go executable code, not pipeline config YAML.
Ipv6 And Disconnected Network Test Compatibility ✅ Passed PR only updates Tekton task bundle digest references in YAML CI/CD config files; no new Ginkgo e2e tests are added, so check is not applicable.
No-Weak-Crypto ✅ Passed PR updates only container image SHA256 digest references in Tekton YAML files; no weak cryptographic algorithms, custom crypto, or insecure comparisons detected.
Container-Privileges ✅ Passed PR only updates Tekton task bundle digests; no privileged container configurations or security context escalations were introduced.
No-Sensitive-Data-In-Logs ✅ Passed No logging statements exposing sensitive data found. Changes are purely YAML pipeline config updates with bundle digest references, no credentials, tokens, PII, or secrets exposed.



openshift-ci Bot commented May 25, 2026

Hi @red-hat-konflux[bot]. Thanks for your PR.

I'm waiting for an openshift member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work.

Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

olucasfreitas (Contributor) commented:

/ok-to-test
/approve
/lgtm

@openshift-ci openshift-ci Bot added lgtm Indicates that a PR is ready to be merged. approved Indicates a PR has been approved by an approver from all required OWNERS files. labels May 25, 2026
@red-hat-konflux red-hat-konflux Bot force-pushed the konflux/references/master branch from 385afd2 to 70e3dda Compare May 26, 2026 10:11
@openshift-ci openshift-ci Bot removed the lgtm Indicates that a PR is ready to be merged. label May 26, 2026
olucasfreitas (Contributor) commented:

/ok-to-test
/approve
/lgtm

@openshift-ci openshift-ci Bot added the lgtm Indicates that a PR is ready to be merged. label May 26, 2026

openshift-ci Bot commented May 26, 2026

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: olucasfreitas, red-hat-konflux[bot]

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@red-hat-konflux red-hat-konflux Bot force-pushed the konflux/references/master branch from 70e3dda to c75ae5b Compare May 26, 2026 21:17
@openshift-ci openshift-ci Bot removed the lgtm Indicates that a PR is ready to be merged. label May 26, 2026

openshift-ci Bot commented May 26, 2026

New changes are detected. LGTM label has been removed.

@red-hat-konflux red-hat-konflux Bot force-pushed the konflux/references/master branch from c75ae5b to 5e8a872 Compare May 27, 2026 02:05

openshift-ci Bot commented May 27, 2026

@red-hat-konflux[bot]: all tests passed!

Full PR test history. Your PR dashboard.


Signed-off-by: red-hat-konflux <126015336+red-hat-konflux[bot]@users.noreply.github.com>
@red-hat-konflux red-hat-konflux Bot force-pushed the konflux/references/master branch from 5e8a872 to d0441ba Compare May 27, 2026 22:28

@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.tekton/rosa-cli-e2e-test-push.yaml:
- Line 44: The pipeline references Konflux task bundle image digests that are
not resolvable (e.g., the image string
quay.io/konflux-ci/tekton-catalog/task-show-sbom:0.1@sha256:a7346ed61237db4f82ff782e0c9e8b30536e0e67b907ad600341a6d192e80012);
replace each invalid digest occurrence with a known-good digest from
quay.io/konflux-ci/tekton-catalog (or revert to the prior working digests) for
all task bundle image fields in this manifest, then verify each replacement with
skopeo inspect to ensure resolvability and only afterwards run the task
changelog/compatibility checks.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: d7a552d1-54ee-4007-845b-1c283dd6be03

📥 Commits

Reviewing files that changed from the base of the PR and between 70e3dda and d0441ba.

📒 Files selected for processing (4)
  • .tekton/rosa-cli-e2e-test-pull-request.yaml
  • .tekton/rosa-cli-e2e-test-push.yaml
  • .tekton/rosa-pull-request.yaml
  • .tekton/rosa-push.yaml
🚧 Files skipped from review as they are similar to previous changes (3)
  • .tekton/rosa-pull-request.yaml
  • .tekton/rosa-cli-e2e-test-pull-request.yaml
  • .tekton/rosa-push.yaml

value: show-sbom
- name: bundle
value: quay.io/konflux-ci/tekton-catalog/task-show-sbom:0.1@sha256:002f7c8c1d2f9e09904035da414aba1188ae091df0ea9532cd997be05e73d594
value: quay.io/konflux-ci/tekton-catalog/task-show-sbom:0.1@sha256:a7346ed61237db4f82ff782e0c9e8b30536e0e67b907ad600341a6d192e80012
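Review bot: the tag stays at 0.1 on both lines while the digest moves from 002f7c8c… to a7346ed6…; a registry client resolves a `tag@sha256:` reference by the digest and ignores the tag, so the new line only works if that exact digest exists in quay.io/konflux-ci/tekton-catalog. Confirm it with `skopeo inspect --raw docker://quay.io/konflux-ci/tekton-catalog/task-show-sbom:0.1@sha256:a7346ed61237db4f82ff782e0c9e8b30536e0e67b907ad600341a6d192e80012` before merging; if it does not resolve, keep the 002f7c8c… pin rather than merging a reference the pipeline cannot fetch.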

⚠️ Potential issue | 🔴 Critical | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Description: Verify that all updated Konflux task bundle digests are valid and resolvable

bundles=(
  "quay.io/konflux-ci/tekton-catalog/task-show-sbom:0.1@sha256:a7346ed61237db4f82ff782e0c9e8b30536e0e67b907ad600341a6d192e80012"
  "quay.io/konflux-ci/tekton-catalog/task-git-clone-oci-ta:0.1@sha256:d30f13dd15daf89dd6dc645243b3444d35570d13f7840c3fd65e366022515205"
  "quay.io/konflux-ci/tekton-catalog/task-deprecated-image-check:0.5@sha256:e78d0d3baf3c8cfc1a5ad278196b74032d9568b143a87c7a79ab780fedfb296e"
  "quay.io/konflux-ci/tekton-catalog/task-ecosystem-cert-preflight-checks:0.2@sha256:88f4fd6d7812a3c46f120f3035974f5fb8cb06b5e3e927badf6e8370f1516a88"
  "quay.io/konflux-ci/tekton-catalog/task-sast-snyk-check-oci-ta:0.4@sha256:0ebf28a0abd5a167438d4628938a74ade6f00a44a4b7ed1cfa9cfc57a5b24748"
  "quay.io/konflux-ci/tekton-catalog/task-sast-coverity-check-oci-ta:0.3@sha256:e92d00ed858233d0096627861192d3e4fc013cf1559c0d0b0ea0657d3377ce75"
  "quay.io/konflux-ci/tekton-catalog/task-coverity-availability-check:0.2@sha256:8b501440a960aec446db2ebc6625a49d0317a9fc7bf0f7bd9b18cb63052db7de"
  "quay.io/konflux-ci/tekton-catalog/task-sast-shell-check-oci-ta:0.1@sha256:3cbb3535af6e7d4396858179a6427caaffb2e68775594795692fc01f28ae313f"
  "quay.io/konflux-ci/tekton-catalog/task-rpms-signature-scan:0.2@sha256:237c54b069d16c3785d1302f19be309aa6c0ae2313d446e30cb74671e07ca676"
)

echo "Verifying bundle manifests are accessible..."
for bundle in "${bundles[@]}"; do
  echo "Checking: $bundle"
  if ! skopeo inspect --raw "docker://$bundle" > /dev/null 2>&1; then
    echo "  ❌ FAILED to resolve: $bundle"
  else
    echo "  ✅ OK"
  fi
done

Repository: openshift/rosa

Length of output: 2878


Fix unresolved Konflux task bundle digests (pipeline may fail to fetch tasks)
In .tekton/rosa-cli-e2e-test-push.yaml (lines 44, 158, 309, 351, 377, 444, 465, 491, 580), the updated Konflux task bundle digest references can’t be resolved (all 9 digests fail skopeo inspect), so the pipeline will likely fail when trying to pull the task bundles.

  • Update the digests to values that exist in quay.io/konflux-ci/tekton-catalog (or revert to the prior known-good digests), then re-run the resolvability check and only afterward validate compatibility via the task changelogs.
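The review above hard-codes the nine new references and runs skopeo against each. A reviewer of a Renovate/MintMaker digest bump usually wants two further checks that the script does not do: that every `bundle` value in the .tekton files is a well-formed `repo:tag@sha256:<64 hex>` pin (a truncated or hand-edited digest is rejected before any network call), and that the same task is pinned to the same digest across all pipeline files, since a force-pushed bot branch can leave the push and pull-request pipelines out of step. The script below is an added example, not code from the openshift/rosa repository or from the CodeRabbit review; the two pipeline fragments in `SAMPLE_FILES` are constructed for illustration (they reuse digests quoted in this thread plus one deliberately truncated digest), and the only external tool it calls is `skopeo inspect --raw docker://<ref>`, the same invocation the review used, which it skips when skopeo is not installed.

```python
"""Validate and cross-check Tekton task bundle pins found in .tekton/*.yaml files."""
import re
import shutil
import subprocess
from collections import defaultdict

# A Konflux task pin has the form <registry>/<repo>:<tag>@sha256:<64 hex chars>.
# The tag is informational; the digest is what the registry resolves.
BUNDLE_RE = re.compile(
    r"^(?P<repo>[a-z0-9.\-]+(?:/[a-z0-9._\-]+)+):(?P<tag>[\w.\-]+)"
    r"@sha256:(?P<digest>[0-9a-f]{64})$"
)
# Tekton param lines look like "  - name: bundle" followed by "    value: <ref>".
VALUE_RE = re.compile(r"^\s*-?\s*value:\s*(\S+)\s*$")

# Constructed sample fragments (not the repository's real files): show-sbom is
# pinned to different digests in the two files, git-clone-oci-ta agrees, and
# rpms-signature-scan carries a truncated digest that must be rejected.
SAMPLE_FILES = {
    "rosa-push.yaml": """
        - name: bundle
          value: quay.io/konflux-ci/tekton-catalog/task-show-sbom:0.1@sha256:002f7c8c1d2f9e09904035da414aba1188ae091df0ea9532cd997be05e73d594
        - name: bundle
          value: quay.io/konflux-ci/tekton-catalog/task-git-clone-oci-ta:0.1@sha256:d30f13dd15daf89dd6dc645243b3444d35570d13f7840c3fd65e366022515205
""",
    "rosa-cli-e2e-test-push.yaml": """
        - name: bundle
          value: quay.io/konflux-ci/tekton-catalog/task-show-sbom:0.1@sha256:a7346ed61237db4f82ff782e0c9e8b30536e0e67b907ad600341a6d192e80012
        - name: bundle
          value: quay.io/konflux-ci/tekton-catalog/task-git-clone-oci-ta:0.1@sha256:d30f13dd15daf89dd6dc645243b3444d35570d13f7840c3fd65e366022515205
        - name: bundle
          value: quay.io/konflux-ci/tekton-catalog/task-rpms-signature-scan:0.2@sha256:237c54b
""",
}


def extract_bundles(yaml_text):
    """Return every `value:` scalar that carries an @sha256: digest, in file order."""
    refs = []
    for line in yaml_text.splitlines():
        m = VALUE_RE.match(line)
        if m and "@sha256:" in m.group(1):
            refs.append(m.group(1))
    return refs


def parse_bundle(ref):
    """Split a pin into repo/tag/digest, or return None if it is not a full digest pin."""
    m = BUNDLE_RE.match(ref)
    return m.groupdict() if m else None


def check_pins(files):
    """Report malformed pins and tasks pinned to more than one digest across files.

    `files` maps a file name to its YAML text. Returns
    {"invalid": [(file, ref), ...], "drift": {repo: {digest: [files]}}}.
    """
    invalid = []
    by_repo = defaultdict(lambda: defaultdict(list))
    for name, text in files.items():
        for ref in extract_bundles(text):
            parsed = parse_bundle(ref)
            if parsed is None:
                invalid.append((name, ref))
                continue
            by_repo[parsed["repo"]][parsed["digest"]].append(name)
    drift = {repo: dict(d) for repo, d in by_repo.items() if len(d) > 1}
    return {"invalid": invalid, "drift": drift}


def skopeo_inspect_cmd(ref):
    """argv for the manifest fetch used in the review: skopeo inspect --raw docker://<ref>."""
    return ["skopeo", "inspect", "--raw", f"docker://{ref}"]


def resolvable(ref, timeout=30):
    """True/False if skopeo can/cannot fetch the manifest; None if skopeo is not installed."""
    if shutil.which("skopeo") is None:
        return None
    proc = subprocess.run(skopeo_inspect_cmd(ref), capture_output=True, timeout=timeout)
    return proc.returncode == 0


if __name__ == "__main__":
    report = check_pins(SAMPLE_FILES)
    for name, ref in report["invalid"]:
        print(f"MALFORMED {name}: {ref}")
    for repo, digests in report["drift"].items():
        print(f"DRIFT {repo}:")
        for digest, names in digests.items():
            print(f"  {digest[:12]}… in {', '.join(names)}")
    # Only well-formed pins are worth a network round trip.
    for name, text in SAMPLE_FILES.items():
        for ref in extract_bundles(text):
            if parse_bundle(ref) is not None:
                print(f"{name}: {ref.split('@')[0]} resolvable={resolvable(ref)}")
```

Run it over the real pipeline files by replacing `SAMPLE_FILES` with a dict built from `glob(".tekton/*.yaml")`; a non-empty `invalid` list or a non-empty `drift` map is a reason to hold the merge before the changelog/compatibility review.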


Labels

approved Indicates a PR has been approved by an approver from all required OWNERS files. ok-to-test Indicates a non-member PR verified by an org member that is safe to test.
