
Update Konflux references#186

Open
red-hat-konflux-kflux-prd-rh02[bot] wants to merge 1 commit into
mainfrom
konflux/references/main

@red-hat-konflux-kflux-prd-rh02

Contributor

This PR contains the following updates:

Package | Change | Notes
quay.io/konflux-ci/tekton-catalog/task-build-helm-chart-oci-ta (source, changelog) | d3d7e18 → da89466 |
quay.io/konflux-ci/tekton-catalog/task-buildah-oci-ta (source, changelog) | 0.9 → 0.10 | ⚠️migration⚠️
quay.io/konflux-ci/tekton-catalog/task-ecosystem-cert-preflight-checks (source, changelog) | 88f4fd6 → 3c4f60e |
quay.io/konflux-ci/tekton-catalog/task-prefetch-dependencies-oci-ta (source, changelog) | 3dc78af → 7e84b01 |
quay.io/konflux-ci/tekton-catalog/task-rpms-signature-scan (source, changelog) | 237c54b → c78924d |
quay.io/konflux-ci/tekton-catalog/task-sast-shell-check-oci-ta (source, changelog) | 3cbb353 → e5319fc |
quay.io/konflux-ci/tekton-catalog/task-sast-snyk-check-oci-ta (source, changelog) | 0.4 → 0.5 | ⚠️migration⚠️
quay.io/konflux-ci/tekton-catalog/task-sast-unicode-check-oci-ta (source, changelog) | 2238120 → 99cc372 |

Release Notes

konflux-ci/build-definitions (quay.io/konflux-ci/tekton-catalog/task-buildah-oci-ta)

v0.10

Fixed
  • The injected labels.json file will now better match the actual image labels
    in cases when the containerfile includes quoted LABEL values. This is a result
    of dockerfile-json#16.

Configuration

📅 Schedule: Branch creation - Between 05:00 AM and 11:59 PM, only on Saturday ( * 5-23 * * 6 ) (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.


  • If you want to rebase/retry this PR, check this box

To execute skipped test pipelines write comment /ok-to-test.


Documentation

Find out how to configure dependency updates in MintMaker documentation or see all available configuration options in Renovate documentation.

Signed-off-by: red-hat-konflux-kflux-prd-rh02 <190377777+red-hat-konflux-kflux-prd-rh02[bot]@users.noreply.github.com>
@openshift-ci openshift-ci Bot requested review from rh-amarin and vkareh June 20, 2026 08:24
@openshift-ci

openshift-ci Bot commented Jun 20, 2026


[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign crizzo71 for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci

openshift-ci Bot commented Jun 20, 2026


Hi @red-hat-konflux-kflux-prd-rh02[bot]. Thanks for your PR.

I'm waiting for an openshift-hyperfleet member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work.

Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.


Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@coderabbitai

coderabbitai Bot commented Jun 20, 2026


No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Central YAML (base), Organization UI (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 51f7099d-922d-489f-93fe-6c56966096c5

📥 Commits

Reviewing files that changed from the base of the PR and between 3a764ef and 31152ad.

📒 Files selected for processing (3)
  • .tekton/hyperfleet-sentinel-chart-push.yaml
  • .tekton/hyperfleet-sentinel-push.yaml
  • .tekton/hyperfleet-sentinel-tag.yaml
🔗 Linked repositories identified

CodeRabbit considers these linked repositories for cross-repo context during reviews:

  • openshift-hyperfleet/architecture (manual)
  • openshift-hyperfleet/hyperfleet-api (manual)
  • openshift-hyperfleet/hyperfleet-sentinel (manual)
  • openshift-hyperfleet/hyperfleet-adapter (manual)
  • openshift-hyperfleet/hyperfleet-broker (manual)

📝 Walkthrough

Summary by CodeRabbit

  • Chores
    • Updated CI/CD pipeline task bundle references with new immutable image digests for build and security scanning operations to ensure consistent execution across deployment workflows.

Walkthrough

Eighteen taskRef bundle digest references are rotated across three Tekton PipelineRun files (.tekton/hyperfleet-sentinel-chart-push.yaml, .tekton/hyperfleet-sentinel-push.yaml, .tekton/hyperfleet-sentinel-tag.yaml). Affected tasks span dependency prefetch, container build, Helm chart build, ecosystem cert preflight checks, Snyk SAST, shell check, Unicode check, and RPM signature scan. In the tag PipelineRun, three tasks (buildah-oci-ta, sast-snyk-check-oci-ta, sast-unicode-check-oci-ta) also receive version bumps alongside their digest rotation. No pipeline structure, parameters, workspaces, or execution ordering changed.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~5 minutes


Supply chain surface — CWE-829 (Inclusion of Functionality from Untrusted Control Sphere):

Digest pinning is the correct control here. Verify each new sha256 digest against the upstream Konflux catalog release record before merging. A compromised or mis-attributed digest in a taskRef bundle is a direct CI/CD code execution vector — the task runs with pipeline service account privileges inside the cluster.

Specific check: the tag PipelineRun bumps buildah-oci-ta, sast-snyk-check-oci-ta, and sast-unicode-check-oci-ta to new version numbers, not just new digests. Confirm the version bump in push and chart-push is absent intentionally and not an oversight — version skew across PipelineRuns for the same task is a drift risk (CWE-1395).

🚥 Pre-merge checks | ✅ 11
✅ Passed checks (11 passed)
Check name | Status | Explanation
Title check | ✅ Passed | The title 'Update Konflux references' accurately summarizes the main change: updating references to Konflux CI Tekton catalog tasks across three pipeline files.
Description check | ✅ Passed | The description provides comprehensive detail on the dependency updates with a structured table, commit/version changes, links to source repositories, and migration warnings for breaking changes.
Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request.
Sec-02: Secrets In Log Output | ✅ Passed | PR modifies only YAML Tekton configuration files (.tekton/*.yaml) with bundle digest updates; no Go code or log statements were changed or added.
No Hardcoded Secrets | ✅ Passed | No hardcoded secrets found. All SHA256 hex strings are container image digests. Secret references use template variables. No API keys, passwords, tokens, or embedded credentials detected.
No Weak Cryptography | ✅ Passed | No weak cryptography detected. Code uses no MD5, DES, RC4, SHA1 for security, or ECB mode. PR changes only update Tekton task SHA256 digest references.
No Injection Vectors | ✅ Passed | PR updates Tekton task bundle digests. No injection vectors introduced. Existing CWE-89 pattern in buildSearchString() is not exploitable (additionalFilters unused in production).
No Privileged Containers | ✅ Passed | No privileged container configurations (privileged: true, hostPID, hostNetwork, hostIPC, runAsUser: 0, allowPrivilegeEscalation: true) found. PR only updates Tekton task bundle image digests; no se...
No Pii Or Sensitive Data In Logs | ✅ Passed | PR modifies only Tekton PipelineRun YAML configuration files with task bundle digest updates; no source code files or logging statements added/modified.

✏️ Tip: You can configure your own custom pre-merge checks in the settings.


Comment @coderabbitai help to get the list of available commands and usage tips.
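The two review points above (every taskRef bundle must be digest-pinned, and the same task should not drift to different tag/digest pairs across PipelineRun files) can be turned into a repository-level check that runs before a bundle-update PR is merged. The script below is an added example, not code from this PR, the hyperfleet-sentinel project or Konflux. It extracts `bundle` param values from PipelineRun YAML with a regular expression rather than a YAML library so it runs with the standard library only; the three sample fragments, their digests and the task name task-example-oci-ta are constructed placeholders, not values from the PR.

```python
"""Audit Tekton PipelineRun YAML for taskRef bundle hygiene.

Checks, mirroring the review's two concerns:
  1. Every bundle reference is pinned by an sha256 digest, not a tag alone.
  2. The same task image does not resolve to different tag/digest pairs across
     PipelineRun files in one repository (version skew / drift, CWE-1395).
"""
import re
import sys
from collections import defaultdict

# Matches the `value:` line of a bundle param inside a `resolver: bundles` taskRef.
BUNDLE_LINE = re.compile(r"value:\s*['\"]?(quay\.io/[^\s'\"]+)")
# Bundle reference shape: repo[:tag][@sha256:<64 hex>]
REF_PATTERN = re.compile(
    r"^(?P<repo>[^:@]+)(?::(?P<tag>[^@]+))?(?:@sha256:(?P<digest>[0-9a-f]{64}))?$"
)

# Constructed sample PipelineRun fragments (not the PR's files). The digests are
# placeholders, not real catalog digests; task-example-oci-ta is a hypothetical task.
DIGEST_A = "a" * 64
DIGEST_B = "b" * 64
SAMPLE_FILES = {
    ".tekton/example-push.yaml": f"""
      taskRef:
        params:
          - name: name
            value: buildah-oci-ta
          - name: bundle
            value: quay.io/konflux-ci/tekton-catalog/task-buildah-oci-ta:0.9@sha256:{DIGEST_A}
          - name: kind
            value: task
        resolver: bundles
""",
    ".tekton/example-chart-push.yaml": f"""
      taskRef:
        params:
          - name: bundle
            value: quay.io/konflux-ci/tekton-catalog/task-buildah-oci-ta:0.9@sha256:{DIGEST_A}
        resolver: bundles
""",
    ".tekton/example-tag.yaml": f"""
      taskRef:
        params:
          - name: bundle
            value: quay.io/konflux-ci/tekton-catalog/task-buildah-oci-ta:0.10@sha256:{DIGEST_B}
        resolver: bundles
      taskRef:
        params:
          - name: bundle
            value: quay.io/konflux-ci/tekton-catalog/task-example-oci-ta:0.1
        resolver: bundles
""",
}


def parse_bundle_ref(ref):
    """Split a bundle reference into repo, tag and digest (tag/digest may be None)."""
    m = REF_PATTERN.match(ref)
    if not m:
        raise ValueError(f"unrecognised bundle reference: {ref}")
    return {"repo": m.group("repo"), "tag": m.group("tag"), "digest": m.group("digest")}


def extract_bundle_refs(yaml_text):
    """Return every quay.io bundle reference found in a PipelineRun document."""
    return BUNDLE_LINE.findall(yaml_text)


def audit(files):
    """Return unpinned references and per-task skew across the given files.

    files: mapping of path -> YAML text. Result:
      {"unpinned": [(path, ref), ...],
       "skew": {repo: [(tag, digest), ...]}}  # only repos with >1 distinct pair
    """
    unpinned = []
    seen = defaultdict(set)
    for path, text in files.items():
        for ref in extract_bundle_refs(text):
            parsed = parse_bundle_ref(ref)
            if parsed["digest"] is None:
                unpinned.append((path, ref))
            seen[parsed["repo"]].add((parsed["tag"], parsed["digest"]))
    skew = {repo: sorted(pairs, key=str) for repo, pairs in seen.items() if len(pairs) > 1}
    return {"unpinned": unpinned, "skew": skew}


if __name__ == "__main__":
    result = audit(SAMPLE_FILES)
    for path, ref in result["unpinned"]:
        print(f"UNPINNED {path}: {ref}")
    for repo, pairs in result["skew"].items():
        print(f"SKEW {repo}: {pairs}")
    sys.exit(1 if result["unpinned"] or result["skew"] else 0)
```

Against the constructed input the audit flags the tag-only task-example-oci-ta reference and reports the buildah task as skewed (0.9 in two files, 0.10 in the third), which is exactly the situation the review asks the maintainer to confirm is intentional. In a real repository, replace SAMPLE_FILES with the contents of .tekton/*.yaml and run it as a pre-merge job; a non-zero exit blocks the merge until the references are pinned and consistent.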
