Update Konflux references #199

Open

red-hat-konflux-kflux-prd-rh02[bot] wants to merge 1 commit into main from konflux/references/main

Conversation

@red-hat-konflux-kflux-prd-rh02

Contributor

This PR contains the following updates:

Package | Change | Notes
--- | --- | ---
quay.io/konflux-ci/tekton-catalog/task-build-helm-chart-oci-ta (source, changelog) | d3d7e18 → da89466 |
quay.io/konflux-ci/tekton-catalog/task-buildah-oci-ta (source, changelog) | 0.9 → 0.10 | ⚠️migration⚠️
quay.io/konflux-ci/tekton-catalog/task-ecosystem-cert-preflight-checks (source, changelog) | 88f4fd6 → 3c4f60e |
quay.io/konflux-ci/tekton-catalog/task-prefetch-dependencies-oci-ta (source, changelog) | 3dc78af → 7e84b01 |
quay.io/konflux-ci/tekton-catalog/task-rpms-signature-scan (source, changelog) | 237c54b → c78924d |
quay.io/konflux-ci/tekton-catalog/task-sast-shell-check-oci-ta (source, changelog) | 3cbb353 → e5319fc |
quay.io/konflux-ci/tekton-catalog/task-sast-snyk-check-oci-ta (source, changelog) | 0.4 → 0.5 | ⚠️migration⚠️
quay.io/konflux-ci/tekton-catalog/task-sast-unicode-check-oci-ta (source, changelog) | 2238120 → 99cc372 |

Release Notes

konflux-ci/build-definitions (quay.io/konflux-ci/tekton-catalog/task-buildah-oci-ta)

v0.10

Fixed
  • The injected labels.json file will now better match the actual image labels
    in cases when the containerfile includes quoted LABEL values. This is a result
    of dockerfile-json#16.

Configuration

📅 Schedule: Branch creation - Between 05:00 AM and 11:59 PM, only on Saturday ( * 5-23 * * 6 ) (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.



To execute skipped test pipelines write comment /ok-to-test.


Documentation

Find out how to configure dependency updates in MintMaker documentation or see all available configuration options in Renovate documentation.

Signed-off-by: red-hat-konflux-kflux-prd-rh02 <190377777+red-hat-konflux-kflux-prd-rh02[bot]@users.noreply.github.com>
openshift-ci Bot requested review from mbrudnoy and tirthct, June 20, 2026 12:06
openshift-ci Bot commented Jun 20, 2026

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign kuudori for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details: Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

openshift-ci Bot commented Jun 20, 2026

Hi @red-hat-konflux-kflux-prd-rh02[bot]. Thanks for your PR.

I'm waiting for an openshift-hyperfleet member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work.

Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

coderabbitai Bot commented Jun 20, 2026

📝 Walkthrough

Summary by CodeRabbit

  • Chores
    • Updated build pipeline task dependencies to their latest versions across multiple deployment configurations.
    • Refreshed task bundle references for dependency management, container building, security scanning, and artifact verification tools.
    • Infrastructure maintenance to ensure current tooling versions are available for improved build reliability.

Walkthrough

Three Tekton PipelineRun manifests (.tekton/hyperfleet-adapter-chart-push.yaml, .tekton/hyperfleet-adapter-push.yaml, .tekton/hyperfleet-adapter-tag.yaml) have their pinned taskRef.bundle OCI image digests updated for multiple tasks. Two tasks also receive minor version bumps: buildah-oci-ta moves from 0.9 to 0.10 and sast-snyk-check-oci-ta moves from 0.4 to 0.5. No pipeline logic, task parameters, workspace wiring, ordering, or conditional execution is altered.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~5 minutes


Supply chain surface — verify before merging:

  • CWE-829 (Inclusion of Functionality from Untrusted Control Sphere): Each bundle digest is an absolute trust anchor. Confirm every new sha256: digest resolves to the expected upstream Konflux/Tekton catalog image. A substituted digest here executes arbitrary code in your CI/CD pipeline with cluster credentials.
  • buildah-oci-ta 0.9 → 0.10 and sast-snyk-check-oci-ta 0.4 → 0.5: Minor version bumps introduce new code, not just patch fixes. These warrant explicit changelog review — a compromised minor release is a classic supply chain vector (ref: SolarWinds-style CI poisoning).
  • rpms-signature-scan digest change: RPM signature scanning is a security gate. Verify the new bundle does not weaken scan thresholds or skip checks.
  • No provenance attestation visible in the diff: Confirm the new digests are accompanied by Sigstore/cosign signatures or SLSA provenance in your pipeline before trusting them.
🚥 Pre-merge checks | ✅ 11
✅ Passed checks (11 passed)
Check name | Status | Explanation
--- | --- | ---
Title check | ✅ Passed | The title 'Update Konflux references' accurately summarizes the PR's primary objective—updating Tekton task bundle references across three pipeline YAML files.
Description check | ✅ Passed | The description provides a detailed table of all eight package updates with version/digest changes, migration guidance, and release notes linking to upstream changelogs.
Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request.
Sec-02: Secrets In Log Output | ✅ Passed | PR modifies only YAML config files (.tekton/* PipelineRun definitions), no Go code. Custom check targets logging statements (slog, log, logr, zap, fmt.Print*) which cannot exist in YAML; therefore...
No Hardcoded Secrets | ✅ Passed | No hardcoded secrets found in the three modified .tekton YAML files. All credential references use templated placeholders ({{ git_auth_secret }}); all other values are task bundle digests, URLs, or...
No Weak Cryptography | ✅ Passed | PR modifies only Tekton YAML config files, updating task bundle digests. No weak crypto primitives (MD5, DES, RC4, SHA1 for security, ECB) found. Codebase uses crypto/rand, crypto/tls, crypto/x509...
No Injection Vectors | ✅ Passed | No injection vectors detected. Bundle references use pinned OCI digests; no dynamic SQL, command, template, or YAML deserialization patterns with untrusted input found in modified Tekton YAML files.
No Privileged Containers | ✅ Passed | The three YAML files are PipelineRun definitions that reference external Tekton task bundles by digest/version. They contain no pod specifications, securityContext definitions, privileged container...
No Pii Or Sensitive Data In Logs | ✅ Passed | PR updates only Tekton task bundle digests in YAML configs. No logging frameworks present. Only script is a printf statement outputting a semantic version. No PII, credentials, session IDs, or sens...


@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.tekton/hyperfleet-adapter-push.yaml:
- Line 234: Before committing the task version upgrades for buildah-oci-ta to
0.10 and sast-snyk-check-oci-ta to 0.5 in the hyperfleet-adapter-push.yaml file,
you must complete the breaking change migrations documented in the task
changelogs. For buildah-oci-ta 0.10, update the runner image to
konflux-build-cli, remove workspace bindings from the spec, update all result
references to use IMAGE_URL/IMAGE_DIGEST/IMAGE_REF/SBOM_BLOB_URL, validate the
securityContext configuration, and test the hermetic, prefetch, annotations, and
labels behavior. For sast-snyk-check-oci-ta 0.5, run the automated migration
using the Konflux pmt tool against the MIGRATION.md file and validate all
parameters, results, and workspace configurations. Additionally, update the task
versions in hyperfleet-api and hyperfleet-sentinel configurations from 0.9 and
0.4 respectively to match the new versions (0.10 and 0.5) to eliminate platform
version skew. Document all migration changes with evidence in the repository
before unblocking the merge.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Central YAML (base), Organization UI (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: be0517f4-5ecc-463f-8be1-a2eaeffc9411

📥 Commits

Reviewing files that changed from the base of the PR and between 142860a and 26731f1.

📒 Files selected for processing (3)
  • .tekton/hyperfleet-adapter-chart-push.yaml
  • .tekton/hyperfleet-adapter-push.yaml
  • .tekton/hyperfleet-adapter-tag.yaml
🔗 Linked repositories identified

CodeRabbit considers these linked repositories for cross-repo context during reviews:

  • openshift-hyperfleet/architecture (manual)
  • openshift-hyperfleet/hyperfleet-api (manual)
  • openshift-hyperfleet/hyperfleet-sentinel (manual)
  • openshift-hyperfleet/hyperfleet-adapter (manual)
  • openshift-hyperfleet/hyperfleet-broker (manual)

value: buildah-oci-ta
- name: bundle
value: quay.io/konflux-ci/tekton-catalog/task-buildah-oci-ta:0.9@sha256:75ecb662f343f6f34e553c5b37734d28d9b53ce218c2321a19b96c39bf769357
value: quay.io/konflux-ci/tekton-catalog/task-buildah-oci-ta:0.10@sha256:1d633027ed426996720890ec9a74576ae264d711a177bf18f39a5a9e8023435c
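Review bot: the 0.9 → 0.10 buildah-oci-ta bump in this hunk is the one the PR description flags with a migration warning, yet the change touches only the bundle value. Because the image is resolved by the `@sha256:` digest (the `:0.10` tag is a label only), confirm the new digest is the 0.10 release from the konflux-ci/build-definitions changelog linked in the description, and land the documented 0.10 migration steps together with this reference change rather than after merge.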


⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🌐 Web query:

Konflux tekton-catalog task-buildah-oci-ta 0.10 migration guide from 0.9 (required parameter/result/workspace changes)

💡 Result:

Required parameter/result/workspace changes for task-buildah-oci-ta:0.10 (Konflux tekton-catalog) migrating from 0.9:

  1. Runner image change (impacts how the task runs, not pipeline params/workspaces)
     - In buildah*/0.10, the buildah task image is replaced with konflux-build-cli (kbc-based flow). [1]
     - 0.10 now "sets runAsUser: 0 explicitly" (previously it ran as root implicitly), so if your pipeline/controller policies override securityContext you may need to re-check. [1]
  2. Workspace binding change in the shipped pipelines
     - The docker-build-oci-ta pipeline customization patch for 0.10 removes a workspace binding at /spec/workspaces/0. That indicates pipelines upgrading to 0.10 should drop that workspace binding and rely on the task's OCI-artifact/result-based data flow instead. [2]
  3. Task results you must wire (result key names)
     - buildah-oci-ta:0.10 exposes results including IMAGE_DIGEST, IMAGE_REF, IMAGE_URL, and SBOM_BLOB_URL, and pipeline params can reference them by those result names. If your 0.9 pipeline referenced different result names, update them to the 0.10 keys. [3]
  4. Behavior-affecting internal parameter handling (validate your overrides against the new semantics)
     - 0.10 changes multiple internal behaviors by passing values directly to kbc, including: a) annotations+labels handling via kbc. [4] b) hermetic mode handling via kbc. [5] c) prefetch integration via kbc. [6] d) working directory mount handling via kbc. [7]
     - These may not require parameter schema changes, but they can affect behavior if your 0.9 pipeline depended on previous side-effects.

What to do when migrating your pipeline from 0.9 -> 0.10:

  • Bump the task bundle version to task-buildah-oci-ta:0.10. [1]
  • Remove the pipeline workspace binding corresponding to /spec/workspaces/0 (as per the 0.10 pipeline patch). [2]
  • Update any task result references to use IMAGE_DIGEST / IMAGE_REF / IMAGE_URL / SBOM_BLOB_URL for buildah-oci-ta:0.10. [3]
  • Re-test/verify behavior for hermetic builds, prefetch, and annotations/labels if you set related params, because 0.10 routes these through kbc. [4][5][6]

Note: build-definitions does include a per-task version MIGRATION.md file (task/buildah-oci-ta/0.10/MIGRATION.md), but in the retrieved sources for this run I did not get the MIGRATION.md contents themselves; the migration-impact items above are grounded in the 0.10 change commit notes and the published pipeline patch/README schemas. [1][3][2]

🌐 Web query:

Konflux tekton-catalog task-sast-snyk-check-oci-ta 0.5 migration guide from 0.4 (required parameter/result/workspace changes)

💡 Result:

To migrate the Konflux tekton-catalog task sast-snyk-check-oci-ta from version 0.4 to 0.5, you should rely on the automated migration process provided by Konflux [1]. As of June 2026, version 0.5 of sast-snyk-check-oci-ta has been released in the konflux-sast-tasks repository [2]. Konflux automates task upgrades using the pipeline-migration-tool (pmt), which is integrated into the regular pull request workflow for updating Tekton tasks [1].

If you need to verify or apply these changes manually:

  1. Locate the MIGRATION.md file within the task's directory in the konflux-sast-tasks source repository (specifically task/sast-snyk-check-oci-ta/0.5/MIGRATION.md) [2]. This file contains the authoritative, version-specific instructions regarding any required parameter, result, or workspace changes that may have been introduced in the 0.5 release.
  2. If your automated build update is not triggering or applying correctly, you can use the pmt CLI tool in your component repository to apply the migration. You will need to generate the appropriate upgrade data—which maps the old bundle (0.4) to the new bundle (0.5)—and execute the pmt migrate command [1].

Because task migrations can involve specific breaking changes to inputs (parameters) or outputs (results), checking the MIGRATION.md file in the source repository is the mandatory step to ensure compatibility with your existing pipeline definition [1][2].

🏁 Script executed:

#!/bin/bash
# Check for migration docs or upgrade notes related to the task versions
find . -type f -name "*.md" | xargs grep -l "migration\|upgrade\|0.10\|0.9" 2>/dev/null || echo "No migration docs found"

Repository: openshift-hyperfleet/hyperfleet-adapter

Length of output: 133


🏁 Script executed:

#!/bin/bash
# Check the actual pipeline file for workspace bindings and result usage
cat -n .tekton/hyperfleet-adapter-push.yaml | grep -A 5 -B 5 "workspaces\|results\|buildah-oci-ta"

Repository: openshift-hyperfleet/hyperfleet-adapter

Length of output: 11190


🏁 Script executed:

#!/bin/bash
# Verify current versions in hyperfleet-api
grep -n "buildah-oci-ta\|sast-snyk-check-oci-ta" .tekton/hyperfleet-api-push.yaml | head -20

Repository: openshift-hyperfleet/hyperfleet-api

Length of output: 469


🏁 Script executed:

#!/bin/bash
# Verify current versions in hyperfleet-sentinel
grep -n "buildah-oci-ta\|sast-snyk-check-oci-ta" .tekton/hyperfleet-sentinel-push.yaml | head -20

Repository: openshift-hyperfleet/hyperfleet-sentinel

Length of output: 474


Block merge until task-upgrade breaking changes are evaluated.

This PR upgrades buildah-oci-ta 0.9→0.10 and sast-snyk-check-oci-ta 0.4→0.5, both with documented breaking changes (CWE-829: Improper Initialization, CWE-436: Untrusted Input). No migration evidence exists in-repo:

  1. buildah-oci-ta 0.10 requires: runner image change to konflux-build-cli, workspace binding removal from spec, result references to IMAGE_URL/IMAGE_DIGEST/IMAGE_REF/SBOM_BLOB_URL, securityContext validation (now runs as root explicitly), and re-testing of hermetic/prefetch/annotations/labels behavior via kbc.

  2. sast-snyk-check-oci-ta 0.5 requires: automated migration via Konflux pmt tool against MIGRATION.md from konflux-sast-tasks source, with mandatory parameter/result/workspace validation.

  3. Platform version skew: hyperfleet-api and hyperfleet-sentinel remain pinned to 0.9 and 0.4 respectively. Post-merge, CI behavior diverges across services, creating integration risk.

PR objectives explicitly require migration-guide review. Verify all breaking changes are handled before unblocking.

References:

  • buildah-oci-ta 0.10 changelog: https://github.com/konflux-ci/build-definitions/commit/09d4dc96a727135bed510140067cf40eab2f3819
  • sast-snyk-check-oci-ta 0.5 migration: https://docs.konflux-ci.dev/apply-task-migrations/

Source: Linked repositories
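Two of the points in the review above can be checked mechanically before merging a reference update like this one: every taskRef bundle must carry a sha256 digest (the tag alone does not fix the image that runs), and sibling manifests should pin the same task version. The Python check below is an added illustration, not code from this PR or the hyperfleet-adapter repository; its manifests, file names and digests are constructed placeholders.

```python
import re
from collections import defaultdict

# Matches a Konflux task bundle reference in the form used by the PR diff above:
#   quay.io/konflux-ci/tekton-catalog/task-<name>:<version>@sha256:<64 hex chars>
# The digest part is optional so that tag-only (unpinned) references are also found.
BUNDLE_RE = re.compile(
    r"value:\s*quay\.io/konflux-ci/tekton-catalog/task-(?P<task>[a-z0-9-]+)"
    r":(?P<version>[0-9.]+)(?:@sha256:(?P<digest>[0-9a-f]{64}))?"
)


def extract_bundles(yaml_text):
    """Return [(task, version, digest_or_None)] for every bundle value in one
    manifest. Regex-based on purpose: no YAML library is needed and nothing but
    the bundle values matters for this check."""
    return [(m.group("task"), m.group("version"), m.group("digest"))
            for m in BUNDLE_RE.finditer(yaml_text)]


def unpinned_bundles(manifests):
    """(manifest, task, version) for references with no sha256 digest. A tag can
    be re-pointed upstream, so only the digest fixes the image that runs."""
    return sorted((name, task, version)
                  for name, text in manifests.items()
                  for task, version, digest in extract_bundles(text)
                  if digest is None)


def version_skew(manifests):
    """task -> {version: [manifests]} for tasks pinned to different versions in
    different manifests (the cross-service skew the review describes)."""
    seen = defaultdict(lambda: defaultdict(list))
    for name, text in manifests.items():
        for task, version, _ in extract_bundles(text):
            seen[task][version].append(name)
    return {task: dict(versions) for task, versions in seen.items()
            if len(versions) > 1}


# Constructed sample manifests, not the repository's real files; the digests are
# placeholder hex strings, not real image digests.
D1, D2, D3 = "a" * 64, "b" * 64, "c" * 64
ADAPTER_PUSH = f"""
        - name: bundle
          value: quay.io/konflux-ci/tekton-catalog/task-buildah-oci-ta:0.10@sha256:{D1}
        - name: bundle
          value: quay.io/konflux-ci/tekton-catalog/task-sast-snyk-check-oci-ta:0.5@sha256:{D2}
"""
API_PUSH = f"""
        - name: bundle
          value: quay.io/konflux-ci/tekton-catalog/task-buildah-oci-ta:0.9@sha256:{D3}
        - name: bundle
          value: quay.io/konflux-ci/tekton-catalog/task-sast-snyk-check-oci-ta:0.4
"""
SAMPLE = {"hyperfleet-adapter-push.yaml": ADAPTER_PUSH,
          "hyperfleet-api-push.yaml": API_PUSH}

if __name__ == "__main__":
    for task, versions in version_skew(SAMPLE).items():
        print(f"version skew for {task}: {versions}")
    for ref in unpinned_bundles(SAMPLE):
        print(f"unpinned bundle: {ref}")
```

Running it over the real .tekton files of each service (read from disk instead of the constructed strings) gives the skew list the review asks for, plus any reference that a future update leaves digest-less.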
