Skip to content

chore(deps): update konflux references#20671

Merged
jschnath merged 1 commit into
release-4.9from
konflux/references/release-4.9
Jun 11, 2026
Merged

chore(deps): update konflux references#20671
jschnath merged 1 commit into
release-4.9from
konflux/references/release-4.9

Conversation

@red-hat-konflux

@red-hat-konflux red-hat-konflux Bot commented May 19, 2026
edited
Loading

Copy link
Copy Markdown
Contributor

This PR contains the following updates:

Package Change Notes
quay.io/konflux-ci/tekton-catalog/task-build-image-index (source, changelog) 550afdeb33bfa8
quay.io/konflux-ci/tekton-catalog/task-buildah-oci-ta (source, changelog) 0.90.10 ⚠️migration⚠️
quay.io/konflux-ci/tekton-catalog/task-buildah-remote-oci-ta (source, changelog) 0.90.10 ⚠️migration⚠️
quay.io/konflux-ci/tekton-catalog/task-ecosystem-cert-preflight-checks (source, changelog) e2bcf1188f4fd6
quay.io/konflux-ci/tekton-catalog/task-fips-operator-bundle-check-oci-ta (source, changelog) 897035131446fe
quay.io/konflux-ci/tekton-catalog/task-git-clone-oci-ta (source, changelog) 13d49dfd30f13d
quay.io/konflux-ci/tekton-catalog/task-prefetch-dependencies-oci-ta (source, changelog) a2efbcd0e6324e
quay.io/konflux-ci/tekton-catalog/task-rpms-signature-scan (source, changelog) d4e3499237c54b
quay.io/konflux-ci/tekton-catalog/task-sast-shell-check-oci-ta (source, changelog) c4ef47ef960cc9
quay.io/konflux-ci/tekton-catalog/task-sast-snyk-check-oci-ta (source, changelog) 8f3ecbe1d6cdb0
quay.io/konflux-ci/tekton-catalog/task-sast-unicode-check-oci-ta (source, changelog) 90efa58324291c
quay.io/konflux-ci/tekton-catalog/task-source-build-oci-ta (source, changelog) 0917cfc8567bb7

Release Notes

konflux-ci/build-definitions (quay.io/konflux-ci/tekton-catalog/task-buildah-oci-ta)

v0.10

This version introduces konflux-build-cli. The build step replaces most of the Bash with
konflux-build-cli image build. Other steps still use Bash, this will change soon.

We expect version 0.10 to behave the same as version 0.9 for the vast majority
of use cases. All known (minor) differences documented below.

Added
  • The vcs-url label. Previously, the task would inject the following vcs-related labels:
    • org.opencontainers.image.revision and its legacy counterpart,
      vcs-ref
    • org.opencontainers.image.source and nothing else
      • Version 0.10 adds the missing legacy counterpart, vcs-url
Changed
  • The precedence of default annotations (those injected by the task automatically)
    • Before: ANNOTATIONS_FILE < ANNOTATIONS < default annotations
    • Now: default annotations < ANNOTATIONS_FILE < ANNOTATIONS
  • When handling the YUM_REPOS_D_SRC and YUM_REPOS_D_FETCHED directories,
    injects only regular files into /etc/yum.repos.d. Previously, the task would
    inject the directories as a whole. /etc/yum.repos.d is a flat structure, so
    the task now injects only regular files to avoid injecting unexpected content.
  • Prefetch integration:
    • Looks for both prefetch.env and cachi2.env in the prefetch dir (in this order).
      Version 0.3.1 of the prefetch task added prefetch.env and a future version
      will remove cachi2.env.
    • Doesn't rely specifically on cachi2.repo files to enable RPM integration,
      just needs any *.repo file at the expected path.
    • In case the YUM_REPOS_D_SRC or YUM_REPOS_D_FETCHED directories contain
      a repo file with the same name as the repo file from Hermeto, the Hermeto
      repo takes precedence. Previously, YUM_REPOS_* would take precedence.
    • Doesn't copy the prefetch files to /tmp, instead copies them to a directory
      on the same filesystem as the original files. This uses copy-on-write and avoids
      duplicating the underlying data.
  • Red Hat subscription-manager integration:
    • Will mount the RHSM CA certificates into the build in two cases:
      • When using ACTIVATION_KEY and the containerfile doesn't include
        subscription-manager register (same as before)
      • When using ENTITLEMENT_SECRET (not done before and should have been)
    • When mounting RHSM CA certificates, mounts the whole /etc/rhsm/ca directory
      instead of mounting a specific file. This closes #​1621.
Fixed
  • Injecting metadata to /usr/share/buildinfo and /root/buildinfo:
    • Does not write any new files or modify any existing files in the source directory,
      injects the files using a separate build-context.
    • Will log a warning if the TARGET param is set and SKIP_INJECTIONS=false
      (using TARGET disables metadata injection anyway). Metadata injection never
      worked with a non-default target, version 0.10 just adds the warning.
    • Injecting labels.json:
      • Will skip LABEL instructions in stages that don't affect the labels of the final image.
      • Will correctly omit the io.buildah.version label when SOURCE_DATE_EPOCH is non-empty.
        Previously, labels.json would always include io.buildah.version.
  • Pre-pulling base images for hermetic builds and base-arch verification (see 0.9.4):
    • Also pulls images referenced in COPY --from=$image and RUN --mount=from=$image.
      Previously, would only pull images referenced as FROM $image.
    • Does not pull images for unused stages (unless SKIP_UNUSED_STAGES=false).
    • Will skip image references with transports that don't
      represent pullable images. Specifically, will only pull transport-less references
      and docker:// references. Previously, the task would skip oci-archive: references
      but fail on any other kind of non-standard reference.
  • Modifying the containerfile to set prefetch environment variables in RUN instructions:

    • No longer mangles RUN instructions that use the exec form or a bare here-doc.
      Instead skips the instruction and logs a warning.

      RUN ["echo", "skips exec-form commands"]

RUN <<EOF
echo "skips bare heredocs"
EOF

RUN bash -e <<EOF
echo "supports heredocs if they start with something other than the <<marker"
EOF
      • This partially fixes #​1200, in the sense that the containerfile at least
        doesn't become broken. The unsupported instructions don't automatically get
        the variables that may be required to make the hermetic build work though.

    • Fixes dozens of small bugs that most users never would have hit. For example,
      version 0.10:

      • Doesn't mangle heredoc lines that look line RUN instructions
      • Doesn't inject text into the middle of a string with quoted/escaped whitespace
      • Properly handles backtick-escaped containerfiles
konflux-ci/build-definitions (quay.io/konflux-ci/tekton-catalog/task-buildah-remote-oci-ta)

v0.10

This version introduces konflux-build-cli. The build step replaces most of the Bash with
konflux-build-cli image build. Other steps still use Bash, this will change soon.

We expect version 0.10 to behave the same as version 0.9 for the vast majority
of use cases. All known (minor) differences documented below.

Added
  • The vcs-url label. Previously, the task would inject the following vcs-related labels:
    • org.opencontainers.image.revision and its legacy counterpart,
      vcs-ref
    • org.opencontainers.image.source and nothing else
      • Version 0.10 adds the missing legacy counterpart, vcs-url
Changed
  • The precedence of default annotations (those injected by the task automatically)
    • Before: ANNOTATIONS_FILE < ANNOTATIONS < default annotations
    • Now: default annotations < ANNOTATIONS_FILE < ANNOTATIONS
  • When handling the YUM_REPOS_D_SRC and YUM_REPOS_D_FETCHED directories,
    injects only regular files into /etc/yum.repos.d. Previously, the task would
    inject the directories as a whole. /etc/yum.repos.d is a flat structure, so
    the task now injects only regular files to avoid injecting unexpected content.
  • Prefetch integration:
    • Looks for both prefetch.env and cachi2.env in the prefetch dir (in this order).
      Version 0.3.1 of the prefetch task added prefetch.env and a future version
      will remove cachi2.env.
    • Doesn't rely specifically on cachi2.repo files to enable RPM integration,
      just needs any *.repo file at the expected path.
    • In case the YUM_REPOS_D_SRC or YUM_REPOS_D_FETCHED directories contain
      a repo file with the same name as the repo file from Hermeto, the Hermeto
      repo takes precedence. Previously, YUM_REPOS_* would take precedence.
    • Doesn't copy the prefetch files to /tmp, instead copies them to a directory
      on the same filesystem as the original files. This uses copy-on-write and avoids
      duplicating the underlying data.
  • Red Hat subscription-manager integration:
    • Will mount the RHSM CA certificates into the build in two cases:
      • When using ACTIVATION_KEY and the containerfile doesn't include
        subscription-manager register (same as before)
      • When using ENTITLEMENT_SECRET (not done before and should have been)
    • When mounting RHSM CA certificates, mounts the whole /etc/rhsm/ca directory
      instead of mounting a specific file. This closes #​1621.
Fixed
  • Injecting metadata to /usr/share/buildinfo and /root/buildinfo:
    • Does not write any new files or modify any existing files in the source directory,
      injects the files using a separate build-context.
    • Will log a warning if the TARGET param is set and SKIP_INJECTIONS=false
      (using TARGET disables metadata injection anyway). Metadata injection never
      worked with a non-default target, version 0.10 just adds the warning.
    • Injecting labels.json:
      • Will skip LABEL instructions in stages that don't affect the labels of the final image.
      • Will correctly omit the io.buildah.version label when SOURCE_DATE_EPOCH is non-empty.
        Previously, labels.json would always include io.buildah.version.
  • Pre-pulling base images for hermetic builds and base-arch verification (see 0.9.4):
    • Also pulls images referenced in COPY --from=$image and RUN --mount=from=$image.
      Previously, would only pull images referenced as FROM $image.
    • Does not pull images for unused stages (unless SKIP_UNUSED_STAGES=false).
    • Will skip image references with transports that don't
      represent pullable images. Specifically, will only pull transport-less references
      and docker:// references. Previously, the task would skip oci-archive: references
      but fail on any other kind of non-standard reference.
  • Modifying the containerfile to set prefetch environment variables in RUN instructions:

    • No longer mangles RUN instructions that use the exec form or a bare here-doc.
      Instead skips the instruction and logs a warning.

      RUN ["echo", "skips exec-form commands"]

RUN <<EOF
echo "skips bare heredocs"
EOF

RUN bash -e <<EOF
echo "supports heredocs if they start with something other than the <<marker"
EOF
      • This partially fixes #​1200, in the sense that the containerfile at least
        doesn't become broken. The unsupported instructions don't automatically get
        the variables that may be required to make the hermetic build work though.

    • Fixes dozens of small bugs that most users never would have hit. For example,
      version 0.10:

      • Doesn't mangle heredoc lines that look line RUN instructions
      • Doesn't inject text into the middle of a string with quoted/escaped whitespace
      • Properly handles backtick-escaped containerfiles

Configuration

📅 Schedule: Branch creation - "after 3am and before 7am" in timezone Etc/UTC, Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

  • If you want to rebase/retry this PR, check this box

To execute skipped test pipelines write comment /ok-to-test.

Documentation

Find out how to configure dependency updates in MintMaker documentation or see all available configuration options in Renovate documentation.

@red-hat-konflux red-hat-konflux Bot added the mintmaker-auto-merge Automatically approve and merge PRs from MintMaker via the corresponding workflow. label May 19, 2026
@red-hat-konflux red-hat-konflux Bot requested review from a team and rhacs-bot as code owners May 19, 2026 06:09
@github-actions github-actions Bot added backport PR to backport changes from master to release branch konflux-build Run Konflux in PR. Push commit to trigger it. labels May 19, 2026
@rhacs-bot

rhacs-bot commented May 19, 2026
edited
Loading

Copy link
Copy Markdown
Contributor

Images are ready for the commit at 0e0635c.

To use with deploy scripts, first export MAIN_IMAGE_TAG=4.9.7-2-g0e0635c543.

@codecov

codecov Bot commented May 19, 2026
edited
Loading

Copy link
Copy Markdown

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 48.88%. Comparing base (d1c411e) to head (0e0635c).

Additional details and impacted files 
@@             Coverage Diff              @@
##           release-4.9   #20671   +/-   ##
============================================
  Coverage        48.88%   48.88%           
============================================
  Files             2719     2719           
  Lines           202927   202927           
============================================
  Hits             99194    99194           
+ Misses           95970    95969    -1     
- Partials          7763     7764    +1
Flag Coverage Δ
go-unit-tests 48.88% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Harness.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

@red-hat-konflux red-hat-konflux Bot force-pushed the konflux/references/release-4.9 branch 4 times, most recently from 40f294a to a1f5f53 Compare May 27, 2026 06:06
@red-hat-konflux red-hat-konflux Bot force-pushed the konflux/references/release-4.9 branch 2 times, most recently from e4f0ee9 to 0d07b51 Compare June 4, 2026 06:23
@red-hat-konflux
chore(deps): update konflux references
0e0635c 
Signed-off-by: red-hat-konflux <126015336+red-hat-konflux[bot]@users.noreply.github.com>
@red-hat-konflux red-hat-konflux Bot force-pushed the konflux/references/release-4.9 branch from 0d07b51 to 0e0635c Compare June 5, 2026 06:10
@github-actions

github-actions Bot commented Jun 5, 2026

Copy link
Copy Markdown
Contributor

/konflux-retest scanner-v4-on-push

@github-actions

github-actions Bot commented Jun 5, 2026

Copy link
Copy Markdown
Contributor

/konflux-retest operator-on-push

@github-actions

github-actions Bot commented Jun 5, 2026

Copy link
Copy Markdown
Contributor

/konflux-retest scanner-v4-db-on-push

@github-actions

github-actions Bot commented Jun 5, 2026

Copy link
Copy Markdown
Contributor

/konflux-retest roxctl-on-push

@github-actions

github-actions Bot commented Jun 5, 2026

Copy link
Copy Markdown
Contributor

/konflux-retest operator-bundle-on-push

@jschnath jschnath merged commit ee76270 into release-4.9 Jun 11, 2026
103 of 110 checks passed
@jschnath jschnath deleted the konflux/references/release-4.9 branch June 11, 2026 13:16
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@jschnath jschnath jschnath approved these changes

@rhacs-bot rhacs-bot Awaiting requested review from rhacs-bot rhacs-bot is a code owner

Assignees

No one assigned

Labels

backport PR to backport changes from master to release branch konflux-build Run Konflux in PR. Push commit to trigger it. mintmaker-auto-merge Automatically approve and merge PRs from MintMaker via the corresponding workflow.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@rhacs-bot @jschnath