Devfile registry konflux component task image references are not seeing updates #1667

@michael-valdron

Description

/kind bug

Which area is this bug related to?

/area ci
/area registry

Bug Summary

Describe the bug:

The devfile/registry component is missing task image patch PRs that can be seen for devfile/devfile-web (example).

As a result, devfile/registry PR checks are now failing due to violations in the enterprise contract testing.

To Reproduce:

Open a PR from a branch that is up to date with main.

Expected behavior

Konflux should send patch PRs for updating the task images to prevent these failures.

Any logs, error output, screenshots etc? Provide the devfile that sees this bug, if applicable

✕ [Violation] slsa_build_scripted_build.image_built_by_trusted_task
  ImageRef: quay.io/redhat-user-workloads/devfiles-tenant/devfile-registry-main/devfile-registry-main@sha256:8912fff86fec37595e606c2c7322bd9ce07f2e7d72aa2a75875e2dc6c41a7e82
  Reason: Image
  "quay.io/redhat-user-workloads/devfiles-tenant/devfile-registry-main/devfile-registry-main@sha256:8912fff86fec37595e606c2c7322bd9ce07f2e7d72aa2a75875e2dc6c41a7e82"
  not built by a trusted task: Build Task(s) "buildah" are not trusted
  Title: Image built by trusted Task
  Description: Verify the digest of the image being validated is reported by a trusted Task in its IMAGE_DIGEST result. To exclude
  this rule add "slsa_build_scripted_build.image_built_by_trusted_task" to the `exclude` section of the policy configuration.
  Solution: Make sure the build Pipeline definition uses a trusted Task to build images.

✕ [Violation] tasks.required_tasks_found
  ImageRef: quay.io/redhat-user-workloads/devfiles-tenant/devfile-registry-main/devfile-registry-main@sha256:8912fff86fec37595e606c2c7322bd9ce07f2e7d72aa2a75875e2dc6c41a7e82
  Reason: One of "buildah", "buildah-10gb", "buildah-6gb", "buildah-8gb", "buildah-remote", "buildah-oci-ta",
  "buildah-remote-oci-ta" tasks is missing
  Title: All required tasks were included in the pipeline
  Description: Ensure that the set of required tasks are included in the PipelineRun attestation. To exclude this rule add one or
  more of "tasks.required_tasks_found:buildah", "tasks.required_tasks_found:buildah-10gb",
  "tasks.required_tasks_found:buildah-6gb", "tasks.required_tasks_found:buildah-8gb", "tasks.required_tasks_found:buildah-remote",
  "tasks.required_tasks_found:buildah-oci-ta", "tasks.required_tasks_found:buildah-remote-oci-ta" to the `exclude` section of the
  policy configuration.
  Solution: Make sure all required tasks are in the build pipeline. The required task list is contained as
  xref:ec-cli:ROOT:configuration.adoc#_data_sources[data] under the key 'required-tasks'.

✕ [Violation] trusted_task.trusted
  ImageRef: quay.io/redhat-user-workloads/devfiles-tenant/devfile-registry-main/devfile-registry-main@sha256:8912fff86fec37595e606c2c7322bd9ce07f2e7d72aa2a75875e2dc6c41a7e82
  Reason: Pipeline task "build-container" uses an untrusted task reference,
  oci://quay.io/konflux-ci/tekton-catalog/task-buildah:0.2@sha256:aebfe04c80f7fd937628fad760c095c6a0efacb048f2c98e5d5e7f2b0f134cf9
  Title: Tasks are trusted
  Description: Check the trust of the Tekton Tasks used in the build Pipeline. There are two modes in which trust is verified. The
  first mode is used if Trusted Artifacts are enabled. In this case, a chain of trust is established for all the Tasks involved in
  creating an artifact. If the chain contains an untrusted Task, then a violation is emitted. The second mode is used as a
  fallback when Trusted Artifacts are not enabled. In this case, **all** Tasks in the build Pipeline must be trusted. To exclude
  this rule add "trusted_task.trusted:buildah" to the `exclude` section of the policy configuration.
  Solution: If using Trusted Artifacts, be sure every Task in the build Pipeline responsible for producing a Trusted Artifact is
  trusted. Otherwise, ensure **all** Tasks in the build Pipeline are trusted. Note that trust is eventually revoked from Tasks
  when newer versions are made available.

✕ [Violation] trusted_task.trusted
  ImageRef: quay.io/redhat-user-workloads/devfiles-tenant/devfile-registry-main/devfile-registry-main@sha256:8912fff86fec37595e606c2c7322bd9ce07f2e7d72aa2a75875e2dc6c41a7e82
  Reason: Pipeline task "coverity-availability-check" uses an untrusted task reference,
  oci://quay.io/konflux-ci/tekton-catalog/task-coverity-availability-check:0.1@sha256:dfe1150a94c7464c4a1e0b5a2bfdab4c9c97f51a992f8a479a43acc64ffcbf73
  Title: Tasks are trusted
  Description: Check the trust of the Tekton Tasks used in the build Pipeline. There are two modes in which trust is verified. The
  first mode is used if Trusted Artifacts are enabled. In this case, a chain of trust is established for all the Tasks involved in
  creating an artifact. If the chain contains an untrusted Task, then a violation is emitted. The second mode is used as a
  fallback when Trusted Artifacts are not enabled. In this case, **all** Tasks in the build Pipeline must be trusted. To exclude
  this rule add "trusted_task.trusted:coverity-availability-check" to the `exclude` section of the policy configuration.
  Solution: If using Trusted Artifacts, be sure every Task in the build Pipeline responsible for producing a Trusted Artifact is
  trusted. Otherwise, ensure **all** Tasks in the build Pipeline are trusted. Note that trust is eventually revoked from Tasks
  when newer versions are made available.

Additional context

Any workaround?

A manual update to these references would fix the current failures, but further failures will occur when the image refs are outdated again.

Suggestion on how to fix the bug

A configuration change for Konflux patching should be made; possibly a change is needed to the renovate configuration.
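As an added pre-merge check (not code from the issue or from the Konflux project), the script below parses pinned Tekton task bundle references like the ones in the EC output above and reports which are trusted, which are stale pins, and which are not in the trust list at all. The trust-list shape and all digests other than the two quoted from the EC output are constructed assumptions.

```python
import re

# Constructed sample input: the bundle references a Konflux pipeline's
# taskRef (resolver: bundles) would carry. The first two digests are the
# ones EC reported above; the third is a made-up placeholder.
PIPELINE_REFS = [
    "quay.io/konflux-ci/tekton-catalog/task-buildah:0.2@sha256:aebfe04c80f7fd937628fad760c095c6a0efacb048f2c98e5d5e7f2b0f134cf9",
    "quay.io/konflux-ci/tekton-catalog/task-coverity-availability-check:0.1@sha256:dfe1150a94c7464c4a1e0b5a2bfdab4c9c97f51a992f8a479a43acc64ffcbf73",
    "quay.io/konflux-ci/tekton-catalog/task-git-clone:0.1@sha256:" + "1" * 64,
]

# Constructed trust list (assumption: loosely shaped like EC's trusted_tasks
# data). Key: bundle without digest; value: digests currently trusted.
# Digests here are placeholders, not real catalog values.
TRUSTED_TASKS = {
    "oci://quay.io/konflux-ci/tekton-catalog/task-buildah:0.2": {"sha256:" + "a" * 64},
    "oci://quay.io/konflux-ci/tekton-catalog/task-git-clone:0.1": {"sha256:" + "1" * 64},
}

BUNDLE_RE = re.compile(
    r"^(?:oci://)?(?P<repo>[^:@\s]+):(?P<tag>[^@\s]+)@(?P<digest>sha256:[0-9a-f]{64})$"
)


def parse_bundle_ref(ref):
    """Split 'repo:tag@sha256:...' into (repo, tag, digest); reject unpinned refs."""
    m = BUNDLE_RE.match(ref.strip())
    if not m:
        raise ValueError(f"not a digest-pinned task bundle reference: {ref!r}")
    return m.group("repo"), m.group("tag"), m.group("digest")


def check_task_refs(refs, trusted):
    """Return {bundle -> verdict} for each pinned task reference.

    'trusted'   : exact digest is listed for that bundle.
    'stale'     : bundle is known but this digest is not listed (typically an
                  outdated pin whose trust was revoked after a newer release).
    'untrusted' : bundle does not appear in the trust list at all.
    """
    verdicts = {}
    for ref in refs:
        repo, tag, digest = parse_bundle_ref(ref)
        key = f"oci://{repo}:{tag}"
        if key not in trusted:
            verdicts[key] = "untrusted"
        elif digest in trusted[key]:
            verdicts[key] = "trusted"
        else:
            verdicts[key] = "stale"
    return verdicts


if __name__ == "__main__":
    for bundle, verdict in check_task_refs(PIPELINE_REFS, TRUSTED_TASKS).items():
        print(f"{verdict:9s} {bundle}")
```

Run against the real `.tekton/*.yaml` task refs and the current EC trusted-task data to catch stale pins before the PR check does.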

Metadata

Labels

area/ci, area/registry (Devfile registry for stacks and infrastructure), kind/bug (Something isn't working)

Status

Done ✅