Update registry.access.redhat.com/ubi9/go-toolset Docker tag to v1.25.9-1778675823

[red-hat-konflux]

This PR contains the following updates:

Package	Type	Update	Change
registry.access.redhat.com/ubi9/go-toolset	stage	patch	1.25.8 → 1.25.9-1778675823
registry.access.redhat.com/ubi9/go-toolset	final	patch	1.25.8 → 1.25.9-1778675823

---

Warning

Some dependencies could not be looked up. Check the warning logs for more information.

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.

---

• If you want to rebase/retry this PR, check this box

---

To execute skipped test pipelines write comment /ok-to-test.

---

Documentation

Find out how to configure dependency updates in MintMaker documentation or see all available configuration options in Renovate documentation.

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: red-hat-konflux[bot]
Once this PR has been reviewed and has the lgtm label, please assign robpblake for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[coderabbitai]

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

• @coderabbitai resume to resume automatic reviews.
• @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

• ▶️ Resume reviews
• 🔍 Trigger review

📝 Walkthrough

Walkthrough

Three Dockerfiles—the top-level Dockerfile, images/Dockerfile.e2e, and images/Dockerfile.konflux—had their Go toolset base image tag changed from registry.access.redhat.com/ubi9/go-toolset:1.25.8 to registry.access.redhat.com/ubi9/go-toolset:1.25.8-1776644338. No other build instructions, environment variables, stage wiring, or runtime configurations were modified.

🚥 Pre-merge checks | ✅ 8 | ❌ 2

❌ Failed checks (2 warnings)

Check name	Status	Explanation	Resolution
Title check	⚠️ Warning	The PR title claims version 1.25.9-1778675823, but the actual changes update the tag to 1.25.8-1776644338 according to file summaries.	Update the PR title to accurately reflect the actual Docker tag update: 'Update registry.access.redhat.com/ubi9/go-toolset Docker tag to v1.25.8-1776644338'
Description check	⚠️ Warning	The PR description is largely incomplete against the template, missing critical sections like detailed issue description, related issues/JIRA links, type of change selection, testing steps, and verification checklist.	Add missing sections from the template: JIRA ticket reference, detailed description of why the update is needed, type of change checkbox, testing steps, and complete the developer verification checklist.

✅ Passed checks (8 passed)

Check name	Status	Explanation
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Stable And Deterministic Test Names	✅ Passed	Pull request modifies only Docker image tags in Dockerfile files, not Ginkgo test files or test names.
Test Structure And Quality	✅ Passed	This PR exclusively updates Docker image tags in Dockerfile files without modifying any test code, making custom test quality checks inapplicable.
Microshift Test Compatibility	✅ Passed	PR contains only Docker base image version updates in three Dockerfiles with no new Ginkgo e2e test additions, making this check not applicable.
Single Node Openshift (Sno) Test Compatibility	✅ Passed	PR only updates Docker image tags in Dockerfile files with no changes to test code or Ginkgo e2e tests.
Topology-Aware Scheduling Compatibility	✅ Passed	Pull request only updates Docker base image tags in Dockerfiles with no scheduling-related configuration changes.
Ote Binary Stdout Contract	✅ Passed	PR only updates Docker base image tags in three Dockerfile files with no Go source code modifications, making the OTE Binary Stdout Contract check not applicable.
Ipv6 And Disconnected Network Test Compatibility	✅ Passed	This pull request does not add any new Ginkgo e2e tests; it only updates Docker image tags in three Dockerfile files.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch konflux/mintmaker/master/registry.access.redhat.com-ubi9-go-toolset-1.x

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[openshift-ci]

Hi @red-hat-konflux[bot]. Thanks for your PR.

I'm waiting for a openshift member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work.

Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[coderabbitai]

🧹 Nitpick comments (1)

Dockerfile (1)

8-17: Consider adding a USER directive to the final stage for security hardening.

The final stage inherits the default user (root) from ubi-micro:latest. While not directly related to this PR's change, adding an explicit USER directive with a non-root user would improve the security posture of the container.

🛡️ Proposed security improvement

 FROM registry.access.redhat.com/ubi9/ubi-micro:latest
 LABEL description="ROSA CLI"
 LABEL io.k8s.description="ROSA CLI"
 LABEL com.redhat.component="rh-rosa-cli"
 LABEL distribution-scope="release"
 LABEL name="rh-rosa-cli" release="vX.Y" url="https://github.com/openshift/rosa"
 LABEL vendor="Red Hat, Inc."
 LABEL version="vX.Y"

+USER 1001
+
 COPY --from=builder /opt/app-root/src/releases /releases

As per static analysis hints, Trivy rule DS-0002 recommends specifying at least one USER command with a non-root user.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@Dockerfile` around lines 8 - 17, The Dockerfile's final stage currently runs
as root (inherits FROM registry.access.redhat.com/ubi9/ubi-micro:latest) and
should explicitly switch to a non-root user; add steps to create or use a
non-root user (e.g., add a dedicated user/group, chown the /releases directory
copied by COPY --from=builder /opt/app-root/src/releases /releases), and then
add a USER directive to run the container as that non-root user so the container
no longer defaults to root.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Nitpick comments:
In `@Dockerfile`:
- Around line 8-17: The Dockerfile's final stage currently runs as root
(inherits FROM registry.access.redhat.com/ubi9/ubi-micro:latest) and should
explicitly switch to a non-root user; add steps to create or use a non-root user
(e.g., add a dedicated user/group, chown the /releases directory copied by COPY
--from=builder /opt/app-root/src/releases /releases), and then add a USER
directive to run the container as that non-root user so the container no longer
defaults to root.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Pro Plus

Run ID: c72c0eb0-692a-4413-9d74-6c7a3b4b2eac

📥 Commits

Reviewing files that changed from the base of the PR and between 0bdc50b and a69c569.

📒 Files selected for processing (3)

• Dockerfile
• images/Dockerfile.e2e
• images/Dockerfile.konflux

✅ Files skipped from review due to trivial changes (2)

• images/Dockerfile.e2e
• images/Dockerfile.konflux

[coderabbitai]

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

Dockerfile (1)

8-17: ⚠️ Potential issue | 🟠 Major

Add an explicit non-root USER in the final stage.

The final image has no USER directive, so it defaults to root. Add a non-root user (for example USER 1001) after the COPY statement.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@Dockerfile` around lines 8 - 17, The final image stage currently ends with
the COPY --from=builder /opt/app-root/src/releases /releases and lacks a USER
directive so the container runs as root; add an explicit non-root user by
appending a USER directive (e.g., USER 1001) after the COPY statement to ensure
the image runs with a non-root UID and update any file ownership/permissions if
needed to match that UID.

🧹 Nitpick comments (1)

Dockerfile (1)

1-1: Consider pinning the builder image by digest for reproducibility.

Line 1 uses a mutable tag only. Pinning to @sha256:<digest> makes builds deterministic and improves supply-chain traceability.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@Dockerfile` at line 1, The FROM line uses a mutable tag; update the
Dockerfile's FROM instruction that references
"registry.access.redhat.com/ubi9/go-toolset:1.25.8-1776213685" to pin the image
by its immutable digest (e.g., replace the tag with `@sha256`:<digest>) so builds
are reproducible and supply-chain traceable, fetching and verifying the correct
sha256 digest for that exact image version before committing the change.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Outside diff comments:
In `@Dockerfile`:
- Around line 8-17: The final image stage currently ends with the COPY
--from=builder /opt/app-root/src/releases /releases and lacks a USER directive
so the container runs as root; add an explicit non-root user by appending a USER
directive (e.g., USER 1001) after the COPY statement to ensure the image runs
with a non-root UID and update any file ownership/permissions if needed to match
that UID.

---

Nitpick comments:
In `@Dockerfile`:
- Line 1: The FROM line uses a mutable tag; update the Dockerfile's FROM
instruction that references
"registry.access.redhat.com/ubi9/go-toolset:1.25.8-1776213685" to pin the image
by its immutable digest (e.g., replace the tag with `@sha256`:<digest>) so builds
are reproducible and supply-chain traceable, fetching and verifying the correct
sha256 digest for that exact image version before committing the change.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Pro Plus

Run ID: 72f8371f-bc91-4f2f-bf7c-f510e35ceacf

📥 Commits

Reviewing files that changed from the base of the PR and between a69c569 and c918d22.

📒 Files selected for processing (3)

• Dockerfile
• images/Dockerfile.e2e
• images/Dockerfile.konflux

✅ Files skipped from review due to trivial changes (2)

• images/Dockerfile.konflux
• images/Dockerfile.e2e

[coderabbitai]

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

Dockerfile (1)

8-17: ⚠️ Potential issue | 🟠 Major

Set an explicit non-root runtime user in the final image.

There is no USER instruction in the runtime stage, so the container defaults to root. Please set a non-root user explicitly.

🔐 Proposed fix

 FROM registry.access.redhat.com/ubi9/ubi-micro:latest
 LABEL description="ROSA CLI"
 LABEL io.k8s.description="ROSA CLI"
 LABEL com.redhat.component="rh-rosa-cli"
 LABEL distribution-scope="release"
 LABEL name="rh-rosa-cli" release="vX.Y" url="https://github.com/openshift/rosa"
 LABEL vendor="Red Hat, Inc."
 LABEL version="vX.Y"
 
 COPY --from=builder /opt/app-root/src/releases /releases
+USER 1001

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@Dockerfile` around lines 8 - 17, The final image defaults to root; add an
explicit non-root runtime user by creating or referencing a non-root UID/GID and
switching to it after copying artifacts: add a RUN that creates a user/group
(e.g., groupadd -r rosa && useradd -r -g rosa -d /nonexistent -s /sbin/nologin
rosa), chown the target path copied by COPY --from=builder
/opt/app-root/src/releases /releases to that user, and add USER rosa (or USER
1001) before the image exits so the container runs as non-root.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Outside diff comments:
In `@Dockerfile`:
- Around line 8-17: The final image defaults to root; add an explicit non-root
runtime user by creating or referencing a non-root UID/GID and switching to it
after copying artifacts: add a RUN that creates a user/group (e.g., groupadd -r
rosa && useradd -r -g rosa -d /nonexistent -s /sbin/nologin rosa), chown the
target path copied by COPY --from=builder /opt/app-root/src/releases /releases
to that user, and add USER rosa (or USER 1001) before the image exits so the
container runs as non-root.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Pro Plus

Run ID: ee786bee-70d4-4e48-a25d-1a2e6a128a57

📥 Commits

Reviewing files that changed from the base of the PR and between c918d22 and 130168a.

📒 Files selected for processing (3)

• Dockerfile
• images/Dockerfile.e2e
• images/Dockerfile.konflux

✅ Files skipped from review due to trivial changes (2)

• images/Dockerfile.e2e
• images/Dockerfile.konflux

[coderabbitai]

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

Dockerfile (1)

8-17: ⚠️ Potential issue | 🟠 Major

Set an explicit non-root runtime user in the final image stage.

The final stage has no USER directive, so the container defaults to running as root. Add a non-root USER to satisfy DS-0002 and reduce container breakout impact.

Suggested hardening patch

 FROM registry.access.redhat.com/ubi9/ubi-micro:latest
 LABEL description="ROSA CLI"
 LABEL io.k8s.description="ROSA CLI"
 LABEL com.redhat.component="rh-rosa-cli"
 LABEL distribution-scope="release"
 LABEL name="rh-rosa-cli" release="vX.Y" url="https://github.com/openshift/rosa"
 LABEL vendor="Red Hat, Inc."
 LABEL version="vX.Y"

 COPY --from=builder /opt/app-root/src/releases /releases
+USER 1001

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@Dockerfile` around lines 8 - 17, The final Dockerfile stage currently leaves
the container running as root (no USER set) which violates DS-0002; update the
final image stage (the stage that uses FROM
registry.access.redhat.com/ubi9/ubi-micro:latest and performs COPY
--from=builder /opt/app-root/src/releases /releases) to create or use a non-root
runtime user and set USER to that non-root UID/GID, and ensure /releases (and
any other runtime-owned paths) are chowned/chmod'd appropriately so the non-root
user can access them before switching to USER; reference the final stage and the
COPY step to locate where to add the user creation, ownership fix, and USER
directive.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Outside diff comments:
In `@Dockerfile`:
- Around line 8-17: The final Dockerfile stage currently leaves the container
running as root (no USER set) which violates DS-0002; update the final image
stage (the stage that uses FROM registry.access.redhat.com/ubi9/ubi-micro:latest
and performs COPY --from=builder /opt/app-root/src/releases /releases) to create
or use a non-root runtime user and set USER to that non-root UID/GID, and ensure
/releases (and any other runtime-owned paths) are chowned/chmod'd appropriately
so the non-root user can access them before switching to USER; reference the
final stage and the COPY step to locate where to add the user creation,
ownership fix, and USER directive.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Pro Plus

Run ID: ad0b73c5-25a4-45d1-a51d-e60cb66f39be

📥 Commits

Reviewing files that changed from the base of the PR and between 130168a and 96a09a7.

📒 Files selected for processing (3)

• Dockerfile
• images/Dockerfile.e2e
• images/Dockerfile.konflux

✅ Files skipped from review due to trivial changes (2)

• images/Dockerfile.konflux
• images/Dockerfile.e2e