chore(deps): update konflux references main#377

Open
red-hat-konflux[bot] wants to merge 1 commit into main from konflux/references/main

Conversation

@red-hat-konflux red-hat-konflux Bot commented May 23, 2026

This PR contains the following updates:

Package: Change
quay.io/konflux-ci/tekton-catalog/task-build-image-index (source, changelog): 550afde -> b33bfa8
quay.io/konflux-ci/tekton-catalog/task-buildah-oci-ta (source, changelog): 681d9f6 -> 75ecb66
quay.io/konflux-ci/tekton-catalog/task-buildah-remote-oci-ta (source, changelog): f667d11 -> 7700725
quay.io/konflux-ci/tekton-catalog/task-ecosystem-cert-preflight-checks (source, changelog): 9c30072 -> 88f4fd6
quay.io/konflux-ci/tekton-catalog/task-git-clone-oci-ta (source, changelog): 13d49df -> d30f13d
quay.io/konflux-ci/tekton-catalog/task-prefetch-dependencies-oci-ta (source, changelog): a2efbcd -> 3dc78af
quay.io/konflux-ci/tekton-catalog/task-rpms-signature-scan (source, changelog): d4e3499 -> 237c54b
quay.io/konflux-ci/tekton-catalog/task-sast-shell-check-oci-ta (source, changelog): c4ef47e -> 3cbb353
quay.io/konflux-ci/tekton-catalog/task-sast-snyk-check-oci-ta (source, changelog): 8f3ecbe -> 0ebf28a
quay.io/konflux-ci/tekton-catalog/task-sast-unicode-check-oci-ta (source, changelog): 90efa58 -> 2238120
quay.io/konflux-ci/tekton-catalog/task-source-build-oci-ta (source, changelog): 0917cfc -> 8567bb7

Configuration

📅 Schedule: Branch creation - Between 05:00 AM and 11:59 PM, only on Saturday ( * 5-23 * * 6 ) (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.


  • If you want to rebase/retry this PR, check this box

To execute skipped test pipelines write comment /ok-to-test.


Documentation

Find out how to configure dependency updates in MintMaker documentation or see all available configuration options in Renovate documentation.

@red-hat-konflux red-hat-konflux Bot added labels May 23, 2026:
  • approved (Indicates a PR has been approved by an approver from all required OWNERS files.)
  • jira/valid-reference (Indicates that this PR references a valid Jira ticket of any type.)
  • lgtm (Indicates that a PR is ready to be merged.)


coderabbitai Bot commented May 23, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: ba9cfa41-cfcc-4edb-ab93-d69ac6551bc2

📥 Commits

Reviewing files that changed from the base of the PR and between d9cfe43 and 6a1b222.

📒 Files selected for processing (4)
  • .tekton/jobset-operator-bundle-main-pull-request.yaml
  • .tekton/jobset-operator-bundle-main-push.yaml
  • .tekton/jobset-operator-main-pull-request.yaml
  • .tekton/jobset-operator-main-push.yaml
✅ Files skipped from review due to trivial changes (1)
  • .tekton/jobset-operator-bundle-main-pull-request.yaml

Walkthrough

Four Tekton PipelineRun manifests are updated with refreshed SHA256 digests for multiple bundled tasks (git-clone-oci-ta, prefetch-dependencies-oci-ta, buildah(-remote)-oci-ta, build-image-index, source-build-oci-ta, ecosystem-cert-preflight-checks, sast-* checks, and rpms-signature-scan). Only taskRef.bundle SHAs changed; wiring, params, workspaces, runAfter, and when conditions are unchanged.

Changes

Tekton Task Bundle Digest Updates

Layer / File(s) Summary
Bundle workflow digest updates
.tekton/jobset-operator-bundle-main-pull-request.yaml, .tekton/jobset-operator-bundle-main-push.yaml
Replaced taskRef.bundle SHA256 digests for multiple tasks (git-clone-oci-ta, prefetch-dependencies-oci-ta, buildah-oci-ta, build-image-index, source-build-oci-ta, ecosystem-cert-preflight-checks, sast-snyk-check-oci-ta, sast-shell-check-oci-ta, sast-unicode-check-oci-ta, rpms-signature-scan) in bundle pipeline variants.
Main workflow digest updates
.tekton/jobset-operator-main-pull-request.yaml, .tekton/jobset-operator-main-push.yaml
Replaced taskRef.bundle SHA256 digests for the same set of tasks (git-clone-oci-ta, prefetch-dependencies-oci-ta, buildah-remote-oci-ta, build-image-index, source-build-oci-ta, ecosystem-cert-preflight-checks, sast-snyk-check-oci-ta, sast-shell-check-oci-ta, sast-unicode-check-oci-ta, rpms-signature-scan) in main pipeline variants.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Possibly related PRs

  • openshift/jobset-operator#374: Both PRs update Tekton PipelineRun task bundle SHA256 digests for overlapping tasks (ecosystem-cert-preflight-checks, rpms-signature-scan).
  • openshift/jobset-operator#335: Both PRs update taskRef.bundle SHA256 pins for overlapping tasks (e.g., rpms-signature-scan, buildah*) without changing pipeline wiring.
  • openshift/jobset-operator#358: Both PRs modify bundle digests in .tekton/jobset-operator-*.yaml for overlapping tasks (digest-only changes).

Suggested labels

lgtm

Suggested reviewers

  • ardaguclu
  • rh-roman

Important

Pre-merge checks failed

Please resolve all errors before merging. Addressing warnings is optional.

❌ Failed checks (1 error)

Check name Status Explanation Resolution
Ote Binary Stdout Contract ❌ Error Code contains OTE Binary Stdout Contract violations: fmt.Printf writes to stdout in main() function and command Run callback (lines 17, 30) instead of stderr. Replace fmt.Printf with fmt.Fprintf(os.Stderr, ...) for lines 17 and 30 in cmd/jobset-operator/main.go to redirect output to stderr.
✅ Passed checks (14 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title 'chore(deps): update konflux references main' accurately describes the main change: updating Tekton task bundle digests for konflux-hosted container images across multiple pipeline files.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names ✅ Passed All Ginkgo test names are stable and deterministic with no dynamic information (pod names, timestamps, UUIDs, node names, IPs). Test titles clearly describe tested functionality.
Test Structure And Quality ✅ Passed PR #377 only modified Tekton pipeline configuration files, not test code. The custom check requires reviewing Ginkgo test quality, which is not applicable here.
Microshift Test Compatibility ✅ Passed PR only updates Tekton task bundle digests in YAML files; does not add new Ginkgo e2e tests. Existing tests use only compatible Kubernetes/custom APIs, not flagged unavailable OpenShift APIs.
Single Node Openshift (Sno) Test Compatibility ✅ Passed PR only updates Tekton YAML configuration files with new image digests; no new Ginkgo e2e tests were added, so SNO compatibility check does not apply.
Topology-Aware Scheduling Compatibility ✅ Passed PR only updates Tekton task bundle digests and vendored code. No operator deployment manifests or scheduling constraints were added or modified.
Ipv6 And Disconnected Network Test Compatibility ✅ Passed PR only modifies Tekton CI configuration files (.tekton/*.yaml), not Ginkgo e2e tests. Check is not applicable—no new Ginkgo tests were added.
No-Weak-Crypto ✅ Passed PR updates Tekton bundle digests (SHA256 hashes only). No weak crypto (MD5/SHA1/DES/RC4/3DES/Blowfish/ECB), custom implementations, or non-constant-time comparisons detected in codebase.
Container-Privileges ✅ Passed No privileged configurations found. All containers use restrictive security contexts with runAsNonRoot and allowPrivilegeEscalation: false.
No-Sensitive-Data-In-Logs ✅ Passed PR only updates Tekton bundle digest references in YAML config files. No logging code was added, modified, or removed. No sensitive data exposure found in logging or environment variable definitions.

Comment @coderabbitai help to get the list of available commands and usage tips.

@openshift-ci openshift-ci Bot requested review from bertinatto and tjungblu May 23, 2026 05:52
@tjungblu

/lgtm

Signed-off-by: red-hat-konflux <126015336+red-hat-konflux[bot]@users.noreply.github.com>
@red-hat-konflux red-hat-konflux Bot force-pushed the konflux/references/main branch from d9cfe43 to 6a1b222 Compare May 30, 2026 06:14
@openshift-ci openshift-ci Bot removed the lgtm (Indicates that a PR is ready to be merged.) label May 30, 2026

openshift-ci Bot commented May 30, 2026

New changes are detected. LGTM label has been removed.


openshift-ci Bot commented May 30, 2026

[APPROVALNOTIFIER] This PR is APPROVED

Approval requirements bypassed by manually added approval.

This pull-request has been approved by:

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment


openshift-ci Bot commented May 30, 2026

@red-hat-konflux[bot]: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

Labels

  • approved (Indicates a PR has been approved by an approver from all required OWNERS files.)
  • jira/valid-reference (Indicates that this PR references a valid Jira ticket of any type.)
