Skip to content

Update docker image updates to v9#204

Open
red-hat-konflux-kflux-prd-rh02[bot] wants to merge 1 commit into
mainfrom
konflux/mintmaker/main/major-docker-image-updates
Open

Update docker image updates to v9#204
red-hat-konflux-kflux-prd-rh02[bot] wants to merge 1 commit into
mainfrom
konflux/mintmaker/main/major-docker-image-updates

Conversation

@red-hat-konflux-kflux-prd-rh02

@red-hat-konflux-kflux-prd-rh02 red-hat-konflux-kflux-prd-rh02 Bot commented Jun 29, 2026

Copy link
Copy Markdown
Contributor

This PR contains the following updates:

Package Type Update Change
registry.access.redhat.com/ubi9/go-toolset stage major 1.26.3-17817578519.8-1782736563

Warning

Some dependencies could not be looked up. Check the warning logs for more information.


Configuration

📅 Schedule: (UTC)

  • Branch creation
    • "on monday"
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

To execute skipped test pipelines write comment /ok-to-test.


Documentation

Find out how to configure dependency updates in MintMaker documentation or see all available configuration options in Renovate documentation.

@openshift-ci openshift-ci Bot requested review from mliptak0 and rh-amarin June 29, 2026 08:03
@openshift-ci

openshift-ci Bot commented Jun 29, 2026

Copy link
Copy Markdown

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign mliptak0 for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci

openshift-ci Bot commented Jun 29, 2026

Copy link
Copy Markdown

Hi @red-hat-konflux-kflux-prd-rh02[bot]. Thanks for your PR.

I'm waiting for a openshift-hyperfleet member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work.

Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@coderabbitai

coderabbitai Bot commented Jun 29, 2026

Copy link
Copy Markdown

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Central YAML (base), Organization UI (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 6c19c21b-0247-45ec-9417-431d4b94b43d

📥 Commits

Reviewing files that changed from the base of the PR and between 82050fb and 6a849a3.

📒 Files selected for processing (1)
  • Dockerfile
🔗 Linked repositories identified

CodeRabbit considers these linked repositories for cross-repo context during reviews:

  • openshift-hyperfleet/architecture (manual)
  • openshift-hyperfleet/hyperfleet-api (manual) → reviewed against open PR #241 konflux/mintmaker/main/major-docker-image-updates instead of the default branch
  • openshift-hyperfleet/hyperfleet-sentinel (manual)
  • openshift-hyperfleet/hyperfleet-adapter (manual)
  • openshift-hyperfleet/hyperfleet-broker (manual)
🚧 Files skipped from review as they are similar to previous changes (1)
  • Dockerfile

📝 Walkthrough

Summary by CodeRabbit

  • Chores
    • Updated the build environment base image used during container builds.
    • This should help keep the build toolchain current without changing app behavior.

Walkthrough

The Dockerfile builder stage base image tag changes from registry.access.redhat.com/ubi9/go-toolset:1.26.3-1781757851 to registry.access.redhat.com/ubi9/go-toolset:9.8-1782736563. No other Dockerfile instructions change.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

🚥 Pre-merge checks | ✅ 11
✅ Passed checks (11 passed)
Check name Status Explanation
Title check ✅ Passed The title is related to the image bump, though awkwardly phrased and broader than the exact Dockerfile change.
Description check ✅ Passed The description matches the dependency update from ubi9/go-toolset 1.26.3 to 9.8.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
Sec-02: Secrets In Log Output ✅ Passed No non-test/example log call contains token/password/credential/secret fields or interpolated strings; the config dump uses RedactedCopy. CWE-532 absent.
No Hardcoded Secrets ✅ Passed PASS: Dockerfile only changes the builder image tag; no API keys, tokens, passwords, embedded creds, or long base64 literals found (CWE-798/CWE-259).
No Weak Cryptography ✅ Passed Only Dockerfile base-image tag changed; repo scan found no crypto/md5, crypto/des, crypto/rc4, SHA1-for-security, ECB, or non-constant-time secret compares (CWE-327).
No Injection Vectors ✅ Passed Dockerfile-only base image tag bump; no SQL, exec, template.HTML, or yaml.Unmarshal injection pattern added.
No Privileged Containers ✅ Passed No privileged settings found; Dockerfile only uses justified builder-stage USER root and runtime runs as non-root 65532.
No Pii Or Sensitive Data In Logs ✅ Passed PASS: Only the Dockerfile builder base-image tag changed; no logging statements or output paths were added, so no CWE-532 exposure was introduced.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch konflux/mintmaker/main/major-docker-image-updates
✨ Simplify code
  • Create PR with simplified code
  • Commit simplified code in branch konflux/mintmaker/main/major-docker-image-updates

Comment @coderabbitai help to get the list of available commands.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@Dockerfile`:
- Line 3: The builder stage base image in the Dockerfile is still referenced by
a mutable tag, so update the FROM line for the builder stage to use a pinned
digest instead of the tag. Replace the current
registry.access.redhat.com/ubi9/go-toolset:9.8-1782717933 reference with the
same image locked to an `@sha256` digest so the builder image is reproducible and
stable.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Central YAML (base), Organization UI (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 2c3669d2-3924-4918-a8b4-f52015f1cfd6

📥 Commits

Reviewing files that changed from the base of the PR and between 3ffc587 and 82050fb.

📒 Files selected for processing (1)
  • Dockerfile
🔗 Linked repositories identified

CodeRabbit considers these linked repositories for cross-repo context during reviews:

  • openshift-hyperfleet/architecture (manual)
  • openshift-hyperfleet/hyperfleet-api (manual) → reviewed against open PR #241 konflux/mintmaker/main/major-docker-image-updates instead of the default branch
  • openshift-hyperfleet/hyperfleet-sentinel (manual)
  • openshift-hyperfleet/hyperfleet-adapter (manual)
  • openshift-hyperfleet/hyperfleet-broker (manual)

Comment thread Dockerfile Outdated
ARG BASE_IMAGE=registry.access.redhat.com/ubi9-micro:latest

FROM registry.access.redhat.com/ubi9/go-toolset:1.26.3-1781757851 AS builder
FROM registry.access.redhat.com/ubi9/go-toolset:9.8-1782717933 AS builder

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🔒 Security & Privacy | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

printf '\n== Dockerfile ==\n'
cat -n Dockerfile

printf '\n== image references ==\n'
rg -n 'FROM .*ubi9/go-toolset|`@sha256`|go-toolset' Dockerfile . || true

printf '\n== relevant docs ==\n'
rg -n 'pin base images by digest|ubi9/go-toolset|ENV VERSION|Go 1\.25' -g 'AGENTS.md' -g 'README*' -g 'docs/**' -g 'CLAUDE.md' -g 'Makefile' . || true

Repository: openshift-hyperfleet/hyperfleet-sentinel

Length of output: 3124


🏁 Script executed:

#!/bin/bash
set -euo pipefail

printf '\n== container-image-standard excerpts ==\n'
rg -n 'ubi9/go-toolset|digest|VERSION|go-toolset' hyperfleet/standards/container-image-standard.md hyperfleet/standards/makefile-conventions.md || true

Repository: openshift-hyperfleet/architecture

Length of output: 4875


Pin the builder image by digest.
Dockerfile:3 still uses a mutable tag; pin the builder stage to @sha256:<digest> to avoid non-reproducible base bytes and supply-chain drift (CWE-494).

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@Dockerfile` at line 3, The builder stage base image in the Dockerfile is
still referenced by a mutable tag, so update the FROM line for the builder stage
to use a pinned digest instead of the tag. Replace the current
registry.access.redhat.com/ubi9/go-toolset:9.8-1782717933 reference with the
same image locked to an `@sha256` digest so the builder image is reproducible and
stable.

Source: Path instructions

Signed-off-by: red-hat-konflux-kflux-prd-rh02 <190377777+red-hat-konflux-kflux-prd-rh02[bot]@users.noreply.github.com>
@red-hat-konflux-kflux-prd-rh02 red-hat-konflux-kflux-prd-rh02 Bot force-pushed the konflux/mintmaker/main/major-docker-image-updates branch from 82050fb to 6a849a3 Compare June 29, 2026 20:04
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants