
@simonbaird
Member

@simonbaird simonbaird commented Dec 3, 2025

User description

Also tweak our rpm lockfile maintenance script so it doesn't add the source repos.

Ref: https://issues.redhat.com/browse/EC-1572


PR Type

Enhancement, Other


Description

  • Disable source repos in RPM lock file generation script

  • Update UBI-minimal base image digest to latest version

  • Update all Konflux Tekton task references with new SHA256 digests


Diagram Walkthrough

flowchart LR
  A["RPM Lock Script"] -->|"Disable source repos"| B["rpms.lock.yaml"]
  C["UBI-minimal Image"] -->|"Digest update"| D["Dockerfile & Dockerfile.dist"]
  E["Konflux Catalog"] -->|"SHA256 updates"| F["Tekton Pipelines"]
  B -->|"Remove source entries"| G["Cleaner lock file"]

File Walkthrough

Relevant files

Enhancement
  hack/update-rpm-lock.sh (+5/-4): Disable source repos in RPM lock generation
  • Commented out code that enables source repositories during RPM lock
    file generation
  • Added explanatory comment about following MintMaker's approach of
    leaving source repos disabled
  • Prevents unnecessary churn from source repo entries in automated lock
    file updates

Dependencies
  Dockerfile (+1/-1): Update UBI-minimal base image digest
  • Updated UBI-minimal base image digest from
    53ea1f6d835898acda5becdb3f8b1292038a480384bbcf994fc0bcf1f7e8eaf7 to
    161a4e29ea482bab6048c2b36031b4f302ae81e4ff18b83e61785f40dc576f5d
  • Ensures latest security patches and updates from UBI-minimal image

  Dockerfile.dist (+1/-1): Update UBI-minimal base image digest
  • Updated UBI-minimal base image digest from
    53ea1f6d835898acda5becdb3f8b1292038a480384bbcf994fc0bcf1f7e8eaf7 to
    161a4e29ea482bab6048c2b36031b4f302ae81e4ff18b83e61785f40dc576f5d
  • Maintains consistency with main Dockerfile

  .tekton/cli-main-pull-request.yaml (+11/-11): Update Konflux Tekton task bundle digests
  • Updated 12 Konflux Tekton task bundle references with new SHA256
    digests
  • Tasks updated: task-init, task-git-clone-oci-ta,
    task-prefetch-dependencies-oci-ta, task-build-image-index,
    task-source-build-oci-ta, task-tkn-bundle-oci-ta, task-clair-scan,
    task-ecosystem-cert-preflight-checks, task-apply-tags,
    task-push-dockerfile-oci-ta, task-rpms-signature-scan

  .tekton/cli-main-push.yaml (+11/-11): Update Konflux Tekton task bundle digests
  • Updated 12 Konflux Tekton task bundle references with new SHA256
    digests
  • Tasks updated: task-init, task-git-clone-oci-ta,
    task-prefetch-dependencies-oci-ta, task-build-image-index,
    task-source-build-oci-ta, task-tkn-bundle-oci-ta, task-clair-scan,
    task-ecosystem-cert-preflight-checks, task-apply-tags,
    task-push-dockerfile-oci-ta, task-rpms-signature-scan

Configuration changes
  rpms.lock.yaml (+4/-76): Remove source RPM entries from lock file
  • Removed all source RPM entries for aarch64, ppc64le, s390x, and x86_64
    architectures
  • Changed source: sections from populated lists to empty arrays []
  • Eliminates source repos (oniguruma, gzip, jq source packages) from
    lock file

I've seen MintMaker automated PRs removing these source repos, so
we'll do the same to avoid churn.

Note: I'm generally doing this manually with the
hack/ubi-base-image-bump.sh script rather than merging the MintMaker
PRs, but even so, let's follow the example.
@qodo-code-review
Contributor

PR Compliance Guide 🔍

Below is a summary of compliance checks for this PR:

Security Compliance
🟢
No security concerns identified. No security vulnerabilities detected by AI analysis. Human verification advised for critical code.
Ticket Compliance
🎫 No ticket provided
Codebase Duplication Compliance
Codebase context is not defined

Follow the guide to enable codebase context checks.

Custom Compliance
🟢
Generic: Meaningful Naming and Self-Documenting Code

Objective: Ensure all identifiers clearly express their purpose and intent, making code
self-documenting

Status: Passed

Learn more about managing compliance generic rules or creating your own custom rules

Generic: Secure Error Handling

Objective: To prevent the leakage of sensitive system information through error messages while
providing sufficient detail for internal debugging.

Status: Passed


Generic: Secure Logging Practices

Objective: To ensure logs are useful for debugging and auditing without exposing sensitive
information like PII, PHI, or cardholder data.

Status: Passed


Generic: Comprehensive Audit Trails

Objective: To create a detailed and reliable record of critical system actions for security analysis
and compliance.

Status:
No auditing: The changes adjust repo handling without introducing or referencing any audit logging for
critical actions, but this script and YAML/task updates may not involve auditable events.

Referred Code
# In the past we used to enable the source repos, but now we follow the example
# set by MintMaker's automated lock file update PRs and leave the source repos disabled
#for r in $(dnf repolist --setopt=reposdir="${base_image_repos}" --disabled --quiet|grep -- -source | sed "s/ .*//"); do
#    dnf config-manager --quiet --setopt=reposdir="${base_image_repos}" "${r}" --set-enabled
#done

# convert ubi repo ids to archful format for better sbom data
sed -i 's/^\[ubi-9-/\[ubi-9-for-$basearch-/' "${base_image_repos}"/*.repo


Generic: Robust Error Handling and Edge Case Management

Objective: Ensure comprehensive error handling that provides meaningful context and graceful
degradation

Status:
No error checks: Newly added commented guidance does not change behavior, but surrounding commands (e.g.,
oc image extract, sed) still appear without explicit error handling in this hunk.

Referred Code
# extract all /etc/yum.repos.d/* files from the base image
oc image extract "${base_img}" --path /etc/yum.repos.d/*.repo:"${base_image_repos}"

# In the past we used to enable the source repos, but now we follow the example
# set by MintMaker's automated lock file update PRs and leave the source repos disabled
#for r in $(dnf repolist --setopt=reposdir="${base_image_repos}" --disabled --quiet|grep -- -source | sed "s/ .*//"); do
#    dnf config-manager --quiet --setopt=reposdir="${base_image_repos}" "${r}" --set-enabled
#done

# convert ubi repo ids to archful format for better sbom data
sed -i 's/^\[ubi-9-/\[ubi-9-for-$basearch-/' "${base_image_repos}"/*.repo


Generic: Security-First Input Validation and Data Handling

Objective: Ensure all data inputs are validated, sanitized, and handled securely to prevent
vulnerabilities

Status:
External refs: Updated Tekton task bundle digests reference external images without visible verification
or signature checks within this diff, which may require validation policy elsewhere.

Referred Code
      value: quay.io/konflux-ci/tekton-catalog/task-init:0.2@sha256:a558472b2ff44c4179ae97e90b35098dc2ca1456caf8c16c76f38c6863042c81
    - name: kind
      value: task
    resolver: bundles
- name: clone-repository
  params:
  - name: url
    value: $(params.git-url)
  - name: revision
    value: $(params.revision)
  - name: ociStorage
    value: $(params.output-image).git
  - name: ociArtifactExpiresAfter
    value: $(params.image-expires-after)
  - name: depth
    value: "0"
  - name: fetchTags
    value: "true"
  runAfter:
  - init
  taskRef:


 ... (clipped 6 lines)


Compliance status legend
🟢 - Fully Compliant
🟡 - Partially Compliant
🔴 - Not Compliant
⚪ - Requires Further Human Verification
🏷️ - Compliance label
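The compliance note above points out that the Tekton bundle digests are consumed with no verification visible in the diff. One property the diff does make visible, and that a repository can enforce locally, is digest pinning. The check below is an added example (not code from this PR or from the conforma project): it scans the `bundle` params of bundles-resolver taskRefs and the `FROM` lines of a Dockerfile and reports every image reference that is not pinned to a full sha256 digest. The pipeline fragment and Dockerfile lines are constructed; the task-init and UBI-minimal digests are the ones from this PR, and the `:0.1` floating tag is a made-up failing case.

```python
import re

# Constructed sample of a Konflux Tekton pipeline fragment (not the PR's full
# file). The task-init bundle is pinned by the digest from this PR; the second
# bundle carries only a floating tag, the case a pinning check must reject.
SAMPLE_PIPELINE = """\
- name: init
  taskRef:
    params:
    - name: bundle
      value: quay.io/konflux-ci/tekton-catalog/task-init:0.2@sha256:a558472b2ff44c4179ae97e90b35098dc2ca1456caf8c16c76f38c6863042c81
    resolver: bundles
- name: clone-repository
  taskRef:
    params:
    - name: bundle
      value: quay.io/konflux-ci/tekton-catalog/task-git-clone-oci-ta:0.1
    resolver: bundles
"""

# Constructed Dockerfile: the first FROM uses the UBI-minimal digest from this
# PR, the second is tag-only and therefore not reproducible.
SAMPLE_DOCKERFILE = """\
FROM registry.access.redhat.com/ubi9/ubi-minimal@sha256:161a4e29ea482bab6048c2b36031b4f302ae81e4ff18b83e61785f40dc576f5d
FROM registry.access.redhat.com/ubi9/ubi-minimal:latest AS builder
"""

# A pinned reference ends in @sha256:<64 lowercase hex chars>.
DIGEST_RE = re.compile(r"@sha256:[0-9a-f]{64}$")
# `- name: bundle` followed by its `value:` line inside a taskRef params list.
BUNDLE_RE = re.compile(r"^\s*-\s*name:\s*bundle\s*\n\s*value:\s*(\S+)", re.MULTILINE)
FROM_RE = re.compile(r"^FROM\s+(\S+)", re.MULTILINE)


def unpinned_refs(text: str, pattern: re.Pattern) -> list:
    """Return every reference matched by `pattern` that lacks a full sha256 digest."""
    return [ref for ref in pattern.findall(text) if not DIGEST_RE.search(ref)]


def check_tekton_bundles(yaml_text: str) -> list:
    return unpinned_refs(yaml_text, BUNDLE_RE)


def check_dockerfile(dockerfile: str) -> list:
    return unpinned_refs(dockerfile, FROM_RE)


if __name__ == "__main__":
    for label, bad in (("tekton", check_tekton_bundles(SAMPLE_PIPELINE)),
                       ("dockerfile", check_dockerfile(SAMPLE_DOCKERFILE))):
        print(label, "unpinned:", bad or "none")
```

Run it against the real `.tekton/*.yaml` and `Dockerfile*` files in CI and fail the job when either list is non-empty; a digest pin does not prove the bundle is trusted, only that the reference cannot silently change.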

@qodo-code-review
Contributor

PR Code Suggestions ✨

No code suggestions found for the PR.

@codecov

codecov bot commented Dec 3, 2025

Codecov Report

✅ All modified and coverable lines are covered by tests.

Flag          Coverage   Δ
acceptance    55.54%     <ø> (+<0.01%) ⬆️
generative    19.01%     <ø> (ø)
integration   27.89%     <ø> (ø)
unit          67.57%     <ø> (ø)

Flags with carried forward coverage won't be shown.


@simonbaird
Member Author

It's mostly just digest bumps. Should be safe to merge without review.

@simonbaird simonbaird merged commit f038a9a into conforma:main Dec 3, 2025
11 checks passed