chore(deps): update konflux references main

[red-hat-konflux]

This PR contains the following updates:

Package	Change
quay.io/konflux-ci/tekton-catalog/task-clamav-scan (source, changelog)	171eca5 → 567cb66
quay.io/konflux-ci/tekton-catalog/task-deprecated-image-check (source, changelog)	5ff16b7 → 57d1f55
quay.io/konflux-ci/tekton-catalog/task-ecosystem-cert-preflight-checks (source, changelog)	2468c01 → 25dcef1
quay.io/konflux-ci/tekton-catalog/task-rpms-signature-scan (source, changelog)	ce4bace → 1d807f6
quay.io/konflux-ci/tekton-catalog/task-sast-unicode-check-oci-ta (source, changelog)	0854d92 → 90efa58

---

Configuration

📅 Schedule: Branch creation - Between 05:00 AM and 11:59 PM, only on Saturday ( * 5-23 * * 6 ) (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

To execute skipped test pipelines write comment /ok-to-test.

---

Documentation

Find out how to configure dependency updates in MintMaker documentation or see all available configuration options in Renovate documentation.

Summary by CodeRabbit

• Chores
  • Updated security scanning task references in the CI/CD pipeline, including image verification, malware detection, and signature validation tools.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: b07b782f-3570-401b-bcff-3f7c742f73ec

📥 Commits

Reviewing files that changed from the base of the PR and between 8bde303 and 4842410.

📒 Files selected for processing (4)

• .tekton/jobset-operator-bundle-main-pull-request.yaml
• .tekton/jobset-operator-bundle-main-push.yaml
• .tekton/jobset-operator-main-pull-request.yaml
• .tekton/jobset-operator-main-push.yaml

---

Walkthrough

This PR updates Tekton task bundle image digests across four pipeline configuration files for five security scanning tasks: deprecated-base-image-check, ecosystem-cert-preflight-checks, clamav-scan, sast-unicode-check, and rpms-signature-scan. No task logic, parameters, ordering, or conditions were modified.

Changes

Tekton Task Bundle Digest Updates

Layer / File(s)	Summary
Bundle Reference Pinning .tekton/jobset-operator-bundle-main-pull-request.yaml, .tekton/jobset-operator-bundle-main-push.yaml, .tekton/jobset-operator-main-pull-request.yaml, .tekton/jobset-operator-main-push.yaml	SHA256 digests are updated for five task bundle references: task-deprecated-image-check, task-ecosystem-cert-preflight-checks, task-clamav-scan, task-sast-unicode-check-oci-ta, and task-rpms-signature-scan. All other task configuration, parameters, ordering, conditions, and workspace settings remain unchanged.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

---

Important

Pre-merge checks failed

Please resolve all errors before merging. Addressing warnings is optional.

❌ Failed checks (1 error, 1 warning)

Check name	Status	Explanation	Resolution
Ote Binary Stdout Contract	❌ Error	The code in cmd/jobset-operator/main.go contains fmt.Printf() calls on lines 17 and 30 that write non-JSON output to stdout, violating the OTE Binary Stdout Contract.	Replace fmt.Printf() calls with fmt.Fprintf(os.Stderr, ...) to redirect error messages to stderr instead of stdout.
Microshift Test Compatibility	⚠️ Warning	PR adds four Ginkgo e2e tests using operator.openshift.io/v1 API group unavailable on MicroShift without compatibility guards.	Add [apigroup:operator.openshift.io] tags or [Skipped:MicroShift] labels to test names to ensure MicroShift CI skips these tests.

✅ Passed checks (10 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title clearly and directly describes the main change: updating Konflux task bundle references to newer digests across four Tekton pipeline configuration files.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names	✅ Passed	PR does not modify test files or introduce new tests; existing tests use stable deterministic names with no dynamic information.
Test Structure And Quality	✅ Passed	This pull request exclusively modifies Tekton pipeline configuration files to update task bundle SHA256 digests, containing no test code changes.
Single Node Openshift (Sno) Test Compatibility	✅ Passed	The PR modifies only Tekton pipeline YAML configuration files with SHA256 digest updates. No new Ginkgo e2e test code was added.
Topology-Aware Scheduling Compatibility	✅ Passed	This PR updates only Tekton task bundle image digests without introducing any scheduling constraints like pod anti-affinity, topology spread constraints, or node selectors that would affect OpenShift topology compatibility.
Ipv6 And Disconnected Network Test Compatibility	✅ Passed	The custom check for IPv6 and disconnected network test compatibility is not applicable to this PR, which only updates Tekton task bundle SHA256 digests in YAML configuration files without adding new Ginkgo e2e tests.

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch konflux/references/main

---

_{Review rate limit: 9/10 reviews remaining, refill in 6 minutes.}

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

Approval requirements bypassed by manually added approval.

This pull-request has been approved by: red-hat-konflux[bot]

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

Approval requirements bypassed by manually added approval.

This pull-request has been approved by: red-hat-konflux[bot]

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

Approval requirements bypassed by manually added approval.

This pull-request has been approved by: red-hat-konflux[bot]

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[openshift-ci]

@red-hat-konflux[bot]: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.