Update docker image updates to v9 #204
red-hat-konflux-kflux-prd-rh02[bot] wants to merge 1 commit into
[APPROVALNOTIFIER] This PR is NOT APPROVED
This pull-request has been approved by:
The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing

Hi @red-hat-konflux-kflux-prd-rh02[bot]. Thanks for your PR.
I'm waiting for an openshift-hyperfleet member to verify that this patch is reasonable to test. If it is, they should reply with
Regular contributors should join the org to skip this step.
Once the patch is verified, the new status will be reflected by the
I understand the commands that are listed here.
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.
No actionable comments were generated in the recent review. 🎉
ℹ️ Recent review info
⚙️ Run configuration
Configuration used: Central YAML (base), Organization UI (inherited)
Review profile: CHILL
Plan: Enterprise
Run ID:
📒 Files selected for processing (1)
🔗 Linked repositories identified
CodeRabbit considers these linked repositories for cross-repo context during reviews:
🚧 Files skipped from review as they are similar to previous changes (1)
📝 Walkthrough
Summary by CodeRabbit
Walkthrough
The Dockerfile
Estimated code review effort
🎯 1 (Trivial) | ⏱️ ~3 minutes
🚥 Pre-merge checks | ✅ 11
✅ Passed checks (11 passed)
Actionable comments posted: 1
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@Dockerfile`:
- Line 3: The builder stage base image in the Dockerfile is still referenced by
a mutable tag, so update the FROM line for the builder stage to use a pinned
digest instead of the tag. Replace the current
registry.access.redhat.com/ubi9/go-toolset:9.8-1782717933 reference with the
same image locked to an `@sha256` digest so the builder image is reproducible and
stable.
ℹ️ Review info
⚙️ Run configuration
Configuration used: Central YAML (base), Organization UI (inherited)
Review profile: CHILL
Plan: Enterprise
Run ID: 2c3669d2-3924-4918-a8b4-f52015f1cfd6
📒 Files selected for processing (1)
Dockerfile
🔗 Linked repositories identified
CodeRabbit considers these linked repositories for cross-repo context during reviews:
- openshift-hyperfleet/architecture (manual)
- openshift-hyperfleet/hyperfleet-api (manual) → reviewed against open PR #241 konflux/mintmaker/main/major-docker-image-updates instead of the default branch
- openshift-hyperfleet/hyperfleet-sentinel (manual)
- openshift-hyperfleet/hyperfleet-adapter (manual)
- openshift-hyperfleet/hyperfleet-broker (manual)
| ARG BASE_IMAGE=registry.access.redhat.com/ubi9-micro:latest | ||
|
|
||
| FROM registry.access.redhat.com/ubi9/go-toolset:1.26.3-1781757851 AS builder | ||
| FROM registry.access.redhat.com/ubi9/go-toolset:9.8-1782717933 AS builder |
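Review bot: On the changed FROM line the builder tag goes from 1.26.3-1781757851 to 9.8-1782717933, which reads as a switch of tag scheme rather than a step within one scheme, so the Dockerfile no longer shows which Go toolchain the builder carries. Please confirm the Go version inside the 9.8 image against what the module requires before merging, and record it in a comment next to the FROM line. The new reference is also still a tag, as is ubi9-micro:latest in the ARG BASE_IMAGE context line above it; appending @sha256:<digest> to both would fix the build inputs. The PR description lists 9.8-1782736563 while this hunk shows 9.8-1782717933, so check that the rendered diff matches the head commit.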
🔒 Security & Privacy | 🟠 Major | ⚡ Quick win
🧩 Analysis chain
🏁 Script executed:
#!/bin/bash
set -euo pipefail
printf '\n== Dockerfile ==\n'
cat -n Dockerfile
printf '\n== image references ==\n'
rg -n 'FROM .*ubi9/go-toolset|`@sha256`|go-toolset' Dockerfile . || true
printf '\n== relevant docs ==\n'
rg -n 'pin base images by digest|ubi9/go-toolset|ENV VERSION|Go 1\.25' -g 'AGENTS.md' -g 'README*' -g 'docs/**' -g 'CLAUDE.md' -g 'Makefile' . || true
Repository: openshift-hyperfleet/hyperfleet-sentinel
Length of output: 3124
🏁 Script executed:
#!/bin/bash
set -euo pipefail
printf '\n== container-image-standard excerpts ==\n'
rg -n 'ubi9/go-toolset|digest|VERSION|go-toolset' hyperfleet/standards/container-image-standard.md hyperfleet/standards/makefile-conventions.md || true
Repository: openshift-hyperfleet/architecture
Length of output: 4875
Pin the builder image by digest.
Dockerfile:3 still uses a mutable tag; pin the builder stage to @sha256:<digest> to avoid non-reproducible base bytes and supply-chain drift (CWE-494).
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In `@Dockerfile` at line 3, The builder stage base image in the Dockerfile is
still referenced by a mutable tag, so update the FROM line for the builder stage
to use a pinned digest instead of the tag. Replace the current
registry.access.redhat.com/ubi9/go-toolset:9.8-1782717933 reference with the
same image locked to an `@sha256` digest so the builder image is reproducible and
stable.
Source: Path instructions
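The digest-pinning check this review comment asks for can be automated; the following is an added example, not code from the PR, the repository or CodeRabbit. The function name `unpinned_base_images` and the sample Dockerfile (including the `example.test/tools` image and its all-zero digest) are constructed for illustration.

```python
import re

# Constructed sample: the two image references visible in this PR's diff,
# plus one digest-pinned line (placeholder all-zero digest) for contrast.
SAMPLE = """\
ARG BASE_IMAGE=registry.access.redhat.com/ubi9-micro:latest
FROM registry.access.redhat.com/ubi9/go-toolset:9.8-1782717933 AS builder
FROM --platform=linux/amd64 example.test/tools@sha256:<digest> AS tools
FROM ${BASE_IMAGE}
COPY --from=builder /app /app
""".replace("<digest>", "0" * 64)

DIGEST = re.compile(r"@sha256:[0-9a-f]{64}$")
ARG_REF = re.compile(r"\$\{?(\w+)\}?")


def unpinned_base_images(dockerfile_text):
    """Return [(line_no, resolved_image)] for FROM lines not pinned by digest."""
    args, stages, findings, seen_from = {}, set(), [], False
    for no, raw in enumerate(dockerfile_text.splitlines(), 1):
        parts = raw.strip().split()
        if not parts or parts[0].startswith("#"):
            continue
        kw = parts[0].upper()
        if kw == "ARG" and not seen_from and len(parts) > 1 and "=" in parts[1]:
            # Only ARGs declared before the first FROM are visible to FROM lines.
            name, default = parts[1].split("=", 1)
            args[name] = default.strip("\"'")
        elif kw == "FROM":
            seen_from = True
            rest = [p for p in parts[1:] if not p.startswith("--")]  # drop --platform=
            if not rest:
                continue
            # Expand $ARG / ${ARG}; an unresolved variable stays as-is and is flagged.
            image = ARG_REF.sub(lambda m: args.get(m.group(1), m.group(0)), rest[0])
            # "scratch" and earlier stage names are not registry pulls.
            if image != "scratch" and image.lower() not in stages and not DIGEST.search(image):
                findings.append((no, image))
            if len(rest) >= 3 and rest[1].upper() == "AS":
                stages.add(rest[2].lower())
    return findings


if __name__ == "__main__":
    for no, image in unpinned_base_images(SAMPLE):
        print(f"line {no}: {image} is not pinned by digest")
```

Because ARG defaults are resolved, the `:latest` default of `BASE_IMAGE` is reported at the FROM line that consumes it, not only the builder tag.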
Signed-off-by: red-hat-konflux-kflux-prd-rh02 <190377777+red-hat-konflux-kflux-prd-rh02[bot]@users.noreply.github.com>
82050fb to 6a849a3
This PR contains the following updates:
1.26.3-1781757851 → 9.8-1782736563
Warning
Some dependencies could not be looked up. Check the warning logs for more information.
Configuration
📅 Schedule: (UTC)
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
To execute skipped test pipelines write comment /ok-to-test.
Documentation
Find out how to configure dependency updates in MintMaker documentation or see all available configuration options in Renovate documentation.