Update Konflux references

[red-hat-konflux]

This PR contains the following updates:

Package	Change	Notes
quay.io/konflux-ci/tekton-catalog/task-apply-tags (source, changelog)	0.1 → 0.3	⚠️migration⚠️
quay.io/konflux-ci/tekton-catalog/task-build-image-index (source, changelog)	0.1 → 0.3	⚠️migration⚠️
quay.io/konflux-ci/tekton-catalog/task-buildah-oci-ta (source, changelog)	0.4 → 0.9	⚠️migration⚠️
quay.io/konflux-ci/tekton-catalog/task-clair-scan (source, changelog)	0.2 → 0.3	⚠️migration⚠️
quay.io/konflux-ci/tekton-catalog/task-clamav-scan (source, changelog)	0.2 → 0.3	⚠️migration⚠️
quay.io/konflux-ci/tekton-catalog/task-coverity-availability-check (source, changelog)	0b35292 → 8b50144
quay.io/konflux-ci/tekton-catalog/task-deprecated-image-check (source, changelog)	5d63b92 → e78d0d3
quay.io/konflux-ci/tekton-catalog/task-ecosystem-cert-preflight-checks (source, changelog)	0.1 → 0.2	⚠️migration⚠️
quay.io/konflux-ci/tekton-catalog/task-ecosystem-cert-preflight-checks (source, changelog)	302828e → 9c30072
quay.io/konflux-ci/tekton-catalog/task-git-clone-oci-ta (source, changelog)	9709088 → 13d49df
quay.io/konflux-ci/tekton-catalog/task-init (source, changelog)	0.2 → 0.4	⚠️migration⚠️
quay.io/konflux-ci/tekton-catalog/task-prefetch-dependencies-oci-ta (source, changelog)	0.2 → 0.3	⚠️migration⚠️
quay.io/konflux-ci/tekton-catalog/task-push-dockerfile-oci-ta (source, changelog)	0.1 → 0.3	⚠️migration⚠️
quay.io/konflux-ci/tekton-catalog/task-rpms-signature-scan (source, changelog)	c0798ff → d4e3499
quay.io/konflux-ci/tekton-catalog/task-sast-coverity-check-oci-ta (source, changelog)	0.2 → 0.3	⚠️migration⚠️
quay.io/konflux-ci/tekton-catalog/task-sast-coverity-check-oci-ta (source, changelog)	7c845b1 → e92d00e
quay.io/konflux-ci/tekton-catalog/task-sast-shell-check-oci-ta (source, changelog)	a591675 → c4ef47e
quay.io/konflux-ci/tekton-catalog/task-sast-snyk-check-oci-ta (source, changelog)	0.3 → 0.4	⚠️migration⚠️
quay.io/konflux-ci/tekton-catalog/task-sast-snyk-check-oci-ta (source, changelog)	9a6ec55 → 8f3ecbe
quay.io/konflux-ci/tekton-catalog/task-sast-unicode-check-oci-ta (source, changelog)	0.1 → 0.4	⚠️migration⚠️
quay.io/konflux-ci/tekton-catalog/task-sast-unicode-check-oci-ta (source, changelog)	0.2 → 0.4	⚠️migration⚠️
quay.io/konflux-ci/tekton-catalog/task-show-sbom (source, changelog)	04f15cb → a7346ed
quay.io/konflux-ci/tekton-catalog/task-source-build-oci-ta (source, changelog)	0.2 → 0.3	⚠️migration⚠️

---

Release Notes

konflux-ci/build-definitions (quay.io/konflux-ci/tekton-catalog/task-apply-tags)

v0.3

• Switched from bash implementation to Konflux Build CLI.
• Deprecated older 0.1 and 0.2 versions.

konflux-ci/build-definitions (quay.io/konflux-ci/tekton-catalog/task-build-image-index)

v0.3

Changed

• The task now uses konflux-build-cli for the build step instead of an inline bash
  implementation. This provides more robust error handling and simplified maintenance.
• When ALWAYS_BUILD_INDEX is false and multiple images are provided, the task now
  creates an image index instead of failing. The previous behavior (failing with an error)
  was not useful.
• Image reference validation is now stricter and will fail earlier for invalid formats.

Removed

• COMMIT_SHA parameter (was not used by the task implementation)
• IMAGE_EXPIRES_AFTER parameter (was not used by the task implementation)

Added

• Started tracking changes in this file.

konflux-ci/build-definitions (quay.io/konflux-ci/tekton-catalog/task-buildah-oci-ta)

v0.9

Fixed

• Version bump to stay in sync with buildah-remote-oci-ta. The remote variant now has --fail
  flag and error handling on the curl call that retrieves the SSH key from the OTP server.

v0.8

Fixed

• Platform build arguments (BUILDPLATFORM, TARGETPLATFORM) now correctly include CPU variant
  for ARM architectures (e.g., linux/arm/v7 or linux/arm64/v8 instead of just linux/arm
  or linux/arm64).

v0.7

Added

• Started tracking changes in this file.

konflux-ci/konflux-test-tasks (quay.io/konflux-ci/tekton-catalog/task-clair-scan)

v0.3

Changed

• Replaced quay.io/konflux-ci/oras:latest image with quay.io/konflux-ci/task-runner:1.5.0 in the oci-attach-report step.

konflux-ci/build-definitions (quay.io/konflux-ci/tekton-catalog/task-init)

v0.4

• Pipeline upgrade: Remove PipelineRun parameter sast-target-dirs with invalid attributes from PipelineRun .spec.params definition

v0.3

• Remove params image-url, rebuild and skip-checks
• Remove task result build

konflux-ci/build-definitions (quay.io/konflux-ci/tekton-catalog/task-prefetch-dependencies-oci-ta)

v0.3

• Added enable-package-registry-proxy parameter to enable use of the package registry proxy when prefetching dependencies.
• Added SERVICE_CA_TRUST_CONFIG_MAP_NAME and SERVICE_CA_TRUST_CONFIG_MAP_KEY parameters to mount the OpenShift service CA for verifying TLS connections to in-cluster services such as the package registry proxy.

konflux-ci/build-definitions (quay.io/konflux-ci/tekton-catalog/task-push-dockerfile-oci-ta)

v0.3

Fixed

• Use Dockerfile as the file name in the uploaded artifact, regardless of the name of the actual file.

v0.2

Removed

• BREAKING: Support for Dockerfile downloading in Konflux Build Pipeline.

---

Configuration

📅 Schedule: Branch creation - Between 05:00 AM and 11:59 PM, only on Saturday ( * 5-23 * * 6 ) (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

To execute skipped test pipelines write comment /ok-to-test.

---

Documentation

Find out how to configure dependency updates in MintMaker documentation or see all available configuration options in Renovate documentation.

[openshift-ci]

Hi @red-hat-konflux[bot]. Thanks for your PR.

I'm waiting for a openshift member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[hunterkepley]

/ok-to-test

[hunterkepley]

/lgtm

[openshift-ci-robot]

/retest-required

Remaining retests: 0 against base HEAD 65c7416 and 2 for PR HEAD 3244bb3 in total

[openshift-ci-robot]

/retest-required

Remaining retests: 0 against base HEAD c1b11ac and 1 for PR HEAD 3244bb3 in total

[openshift-ci-robot]

/retest-required

Remaining retests: 0 against base HEAD c1b11ac and 2 for PR HEAD 3244bb3 in total

[openshift-ci-robot]

/retest-required

Remaining retests: 0 against base HEAD c1b11ac and 2 for PR HEAD 3244bb3 in total

[openshift-ci-robot]

/retest-required

Remaining retests: 0 against base HEAD c1b11ac and 2 for PR HEAD 3244bb3 in total

[openshift-ci-robot]

/retest-required

Remaining retests: 0 against base HEAD c1b11ac and 2 for PR HEAD 3244bb3 in total

[openshift-ci-robot]

/retest-required

Remaining retests: 0 against base HEAD c1b11ac and 2 for PR HEAD 3244bb3 in total

[openshift-ci-robot]

/retest-required

Remaining retests: 0 against base HEAD c1b11ac and 2 for PR HEAD 3244bb3 in total

[openshift-ci-robot]

/retest-required

Remaining retests: 0 against base HEAD c1b11ac and 2 for PR HEAD 3244bb3 in total

[openshift-ci]

New changes are detected. LGTM label has been removed.

[coderabbitai]

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

• @coderabbitai resume to resume automatic reviews.
• @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

• ▶️ Resume reviews
• 🔍 Trigger review

📝 Walkthrough

Walkthrough

Updated four Tekton PipelineRun YAMLs under .tekton: refreshed many Tekton taskRef bundle image digests/versions, replaced explicit metadata.creationTimestamp: null with an unset/empty value, condensed multi-line parameter description fields to single lines, added pipeline parameters enable-package-registry-proxy (default 'true') and sast-target-dirs (default .) where applicable and wired them into prefetch and SAST tasks, removed COMMIT_SHA and IMAGE_EXPIRES_AFTER from image-index invocations, and rewired downstream steps so build-image-index publishes IMAGE_URL and IMAGE_DIGEST consumed by build-source-image and several SAST/Coverity tasks.

Changes

Cohort / File(s)	Summary
Task bundle & metadata updates .tekton/rosa-cli-e2e-test-pull-request.yaml, .tekton/rosa-cli-e2e-test-push.yaml, .tekton/rosa-pull-request.yaml, .tekton/rosa-push.yaml	Pinned/updated many Tekton taskRef bundle image digests/versions (e.g., task-show-sbom, task-init, task-git-clone-oci-ta, task-prefetch-dependencies-oci-ta, task-buildah-oci-ta, task-build-image-index, task-source-build-oci-ta, scanning/SAST/apply/push tasks). Replaced explicit metadata.creationTimestamp: null with an unset/empty value. Collapsed multi-line parameter description fields to single-line formatting.
Pipeline parameter additions .tekton/*	Added pipeline parameter enable-package-registry-proxy (default: 'true') in multiple PipelineRuns and passed it into prefetch-dependencies/prefetch-dependencies-oci-ta. Added sast-target-dirs (default: '.') in push pipelines and passed it into SAST tasks as TARGET_DIRS.
Build task parameter rewiring .tekton/*-pull-request.yaml, .tekton/*-push.yaml	Removed COMMIT_SHA and IMAGE_EXPIRES_AFTER from build-image-index task invocations. Updated build-source-image to set BINARY_IMAGE from $(tasks.build-image-index.results.IMAGE_URL) and added BINARY_IMAGE_DIGEST from $(tasks.build-image-index.results.IMAGE_DIGEST) instead of using $(params.output-image).
Downstream image-digest wiring .tekton/rosa-pull-request.yaml, .tekton/rosa-push.yaml, related CLI E2E YAMLs	Wired image-digest from $(tasks.build-image-index.results.IMAGE_DIGEST) into Coverity and Unicode SAST tasks and other downstream checks that require image digest.

Sequence Diagram(s)

sequenceDiagram
    participant PR as PipelineRun
    participant BI as build-image-index
    participant BS as build-source-image
    participant SAST as SAST/Coverity tasks
    participant Reg as Image Registry

    PR->>BI: start task
    BI-->>PR: results: IMAGE_URL, IMAGE_DIGEST
    PR->>BS: start with BINARY_IMAGE=IMAGE_URL, BINARY_IMAGE_DIGEST=IMAGE_DIGEST
    BS->>Reg: push source/binary image (uses IMAGE_URL)
    PR->>SAST: start with image-digest=IMAGE_DIGEST
    SAST->>Reg: scan image by digest

Loading

Estimated code review effort

High | ⏱️ ~20–30 minutes

🚥 Pre-merge checks | ✅ 11 | ❌ 1

❌ Failed checks (1 inconclusive)

Check name	Status	Explanation	Resolution
Description check	❓ Inconclusive	PR description provides detailed release notes but lacks structured context per template requirements: no problem statement, business impact, or how the changes were validated.	Add sections explaining the root problem/scope, why these updates are needed, how they were tested, and confirm migration impacts of major version bumps are understood.

✅ Passed checks (11 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title 'Update Konflux references' clearly describes the main change—updating Konflux/tekton-catalog task references and versions—making it specific and relevant to the changeset.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names	✅ Passed	Custom check is not applicable. PR only modifies Tekton pipeline configuration YAML files (.tekton/*.yaml), not Ginkgo test files. No test names present to validate.
Test Structure And Quality	✅ Passed	Check not applicable. PR modifies only .tekton/ YAML pipeline files, not Ginkgo test code. Custom check requires review of Go test quality.
Microshift Test Compatibility	✅ Passed	This PR updates Konflux references and Tekton pipeline configuration files (.tekton/*.yaml). No new Ginkgo e2e tests (It(), Describe(), Context(), When()) are added. The check is not applicable.
Single Node Openshift (Sno) Test Compatibility	✅ Passed	This PR updates Tekton/Konflux pipeline configuration files in .tekton/ directory only. No new Ginkgo e2e tests (It(), Describe(), Context(), When()) are added. The check is not applicable.
Topology-Aware Scheduling Compatibility	✅ Passed	PR updates Tekton pipeline configurations, not deployment manifests. No scheduling constraints found. Check is not applicable to CI/CD pipeline configs.
Ote Binary Stdout Contract	✅ Passed	PR modifies only Tekton pipeline YAML files. OTE stdout contract check applies to Go code. These are declarative pipeline definitions without executable Go code.
Ipv6 And Disconnected Network Test Compatibility	✅ Passed	PR only modifies Tekton pipeline YAML files, not Ginkgo e2e test source code. No new tests are being added, so the IPv6/disconnected compatibility check is not applicable.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch konflux/references/master

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: hunterkepley, red-hat-konflux[bot]
Once this PR has been reviewed and has the lgtm label, please assign gdbranco for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[coderabbitai]

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (2)

.tekton/rosa-cli-e2e-test-push.yaml (1)

26-27: ⚠️ Potential issue | 🟠 Major

Normalize the Dockerfile path for buildah-oci-ta:0.9.

The buildah-oci-ta:0.9 task contract requires the dockerfile parameter to be a path relative to the git repository root. /images/Dockerfile.konflux is an absolute path and will fail at runtime. Change it to images/Dockerfile.konflux.

Suggested fix

  - name: dockerfile
-   value: /images/Dockerfile.konflux
+   value: images/Dockerfile.konflux

Also applies to .tekton/rosa-cli-e2e-test-pull-request.yaml (same parameter at the same lines).

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.tekton/rosa-cli-e2e-test-push.yaml around lines 26 - 27, The dockerfile
parameter for the buildah-oci-ta:0.9 task is set to an absolute path
("/images/Dockerfile.konflux") which violates the task contract; update the
dockerfile parameter value to a repository-relative path
"images/Dockerfile.konflux" wherever the buildah-oci-ta:0.9 task is used (both
occurrences mentioned) so the task receives a git-root-relative path instead of
an absolute path.

.tekton/rosa-cli-e2e-test-pull-request.yaml (1)

29-30: ⚠️ Potential issue | 🟠 Major

Use a repo-relative Dockerfile path before taking buildah-oci-ta:0.9.

The 0.9 migration requires dockerfile to be relative to the git repository root. This pipeline passes /images/Dockerfile.konflux with a leading slash, which violates the documented contract. The correct path should be images/Dockerfile.konflux.

Suggested fix

  - name: dockerfile
-   value: /images/Dockerfile.konflux
+   value: images/Dockerfile.konflux

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.tekton/rosa-cli-e2e-test-pull-request.yaml around lines 29 - 30, Update the
dockerfile value to be repository-relative by removing the leading slash: locate
the dockerfile field in the Tekton step (the key named "dockerfile" in
.tekton/rosa-cli-e2e-test-pull-request.yaml) and change its value from
"/images/Dockerfile.konflux" to "images/Dockerfile.konflux" so it conforms to
the buildah-oci-ta:0.9 contract.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Outside diff comments:
In @.tekton/rosa-cli-e2e-test-pull-request.yaml:
- Around line 29-30: Update the dockerfile value to be repository-relative by
removing the leading slash: locate the dockerfile field in the Tekton step (the
key named "dockerfile" in .tekton/rosa-cli-e2e-test-pull-request.yaml) and
change its value from "/images/Dockerfile.konflux" to
"images/Dockerfile.konflux" so it conforms to the buildah-oci-ta:0.9 contract.

In @.tekton/rosa-cli-e2e-test-push.yaml:
- Around line 26-27: The dockerfile parameter for the buildah-oci-ta:0.9 task is
set to an absolute path ("/images/Dockerfile.konflux") which violates the task
contract; update the dockerfile parameter value to a repository-relative path
"images/Dockerfile.konflux" wherever the buildah-oci-ta:0.9 task is used (both
occurrences mentioned) so the task receives a git-root-relative path instead of
an absolute path.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Pro Plus

Run ID: 0f590e9e-055d-4b30-b665-9b54817a58f1

📥 Commits

Reviewing files that changed from the base of the PR and between 9ab05bc and 00ff6fb.

📒 Files selected for processing (4)

• .tekton/rosa-cli-e2e-test-pull-request.yaml
• .tekton/rosa-cli-e2e-test-push.yaml
• .tekton/rosa-pull-request.yaml
• .tekton/rosa-push.yaml

🚧 Files skipped from review as they are similar to previous changes (1)

• .tekton/rosa-pull-request.yaml

[openshift-ci]

@red-hat-konflux[bot]: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/coverage	8add80d	link	true	/test coverage
ci/prow/commits	f491cb3	link	true	/test commits

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.