Update Konflux references

[red-hat-konflux]

This PR contains the following updates:

Package	Change	Notes
quay.io/konflux-ci/tekton-catalog/task-apply-tags (source, changelog)	0.1 → 0.3	⚠️migration⚠️
quay.io/konflux-ci/tekton-catalog/task-build-image-index (source, changelog)	0.1 → 0.3	⚠️migration⚠️
quay.io/konflux-ci/tekton-catalog/task-buildah-oci-ta (source, changelog)	0.4 → 0.9	⚠️migration⚠️
quay.io/konflux-ci/tekton-catalog/task-clair-scan (source, changelog)	0.2 → 0.3	⚠️migration⚠️
quay.io/konflux-ci/tekton-catalog/task-clamav-scan (source, changelog)	0.2 → 0.3	⚠️migration⚠️
quay.io/konflux-ci/tekton-catalog/task-coverity-availability-check (source, changelog)	0b35292 → 8b50144
quay.io/konflux-ci/tekton-catalog/task-deprecated-image-check (source, changelog)	5d63b92 → 5ff16b7
quay.io/konflux-ci/tekton-catalog/task-ecosystem-cert-preflight-checks (source, changelog)	0.1 → 0.2	⚠️migration⚠️
quay.io/konflux-ci/tekton-catalog/task-ecosystem-cert-preflight-checks (source, changelog)	302828e → b4ac586
quay.io/konflux-ci/tekton-catalog/task-git-clone-oci-ta (source, changelog)	9709088 → 2c388d2
quay.io/konflux-ci/tekton-catalog/task-init (source, changelog)	0.2 → 0.4	⚠️migration⚠️
quay.io/konflux-ci/tekton-catalog/task-prefetch-dependencies-oci-ta (source, changelog)	0.2 → 0.3	⚠️migration⚠️
quay.io/konflux-ci/tekton-catalog/task-push-dockerfile-oci-ta (source, changelog)	0.1 → 0.3	⚠️migration⚠️
quay.io/konflux-ci/tekton-catalog/task-rpms-signature-scan (source, changelog)	c0798ff → 50bbe2e
quay.io/konflux-ci/tekton-catalog/task-sast-coverity-check-oci-ta (source, changelog)	0.2 → 0.3	⚠️migration⚠️
quay.io/konflux-ci/tekton-catalog/task-sast-coverity-check-oci-ta (source, changelog)	7c845b1 → e92d00e
quay.io/konflux-ci/tekton-catalog/task-sast-shell-check-oci-ta (source, changelog)	a591675 → c4ef47e
quay.io/konflux-ci/tekton-catalog/task-sast-snyk-check-oci-ta (source, changelog)	0.3 → 0.4	⚠️migration⚠️
quay.io/konflux-ci/tekton-catalog/task-sast-snyk-check-oci-ta (source, changelog)	9a6ec55 → 2ad986f
quay.io/konflux-ci/tekton-catalog/task-sast-unicode-check-oci-ta (source, changelog)	0.1 → 0.4	⚠️migration⚠️
quay.io/konflux-ci/tekton-catalog/task-sast-unicode-check-oci-ta (source, changelog)	0.2 → 0.4	⚠️migration⚠️
quay.io/konflux-ci/tekton-catalog/task-show-sbom (source, changelog)	04f15cb → 04994df
quay.io/konflux-ci/tekton-catalog/task-source-build-oci-ta (source, changelog)	0.2 → 0.3	⚠️migration⚠️

---

Release Notes

konflux-ci/build-definitions (quay.io/konflux-ci/tekton-catalog/task-apply-tags)

v0.3

• Switched from bash implementation to Konflux Build CLI.
• Deprecated older 0.1 and 0.2 versions.

konflux-ci/build-definitions (quay.io/konflux-ci/tekton-catalog/task-build-image-index)

v0.3

Changed

• The task now uses konflux-build-cli for the build step instead of an inline bash
  implementation. This provides more robust error handling and simplified maintenance.
• When ALWAYS_BUILD_INDEX is false and multiple images are provided, the task now
  creates an image index instead of failing. The previous behavior (failing with an error)
  was not useful.
• Image reference validation is now stricter and will fail earlier for invalid formats.

Removed

• COMMIT_SHA parameter (was not used by the task implementation)
• IMAGE_EXPIRES_AFTER parameter (was not used by the task implementation)

Added

• Started tracking changes in this file.

konflux-ci/build-definitions (quay.io/konflux-ci/tekton-catalog/task-buildah-oci-ta)

v0.9

Fixed

• Version bump to stay in sync with buildah-remote-oci-ta. The remote variant now has --fail
  flag and error handling on the curl call that retrieves the SSH key from the OTP server.

v0.8

Fixed

• Platform build arguments (BUILDPLATFORM, TARGETPLATFORM) now correctly include CPU variant
  for ARM architectures (e.g., linux/arm/v7 or linux/arm64/v8 instead of just linux/arm
  or linux/arm64).

v0.7

Added

• Started tracking changes in this file.

konflux-ci/konflux-test-tasks (quay.io/konflux-ci/tekton-catalog/task-clair-scan)

v0.3

Changed

• Replaced quay.io/konflux-ci/oras:latest image with quay.io/konflux-ci/task-runner:1.5.0 in the oci-attach-report step.

konflux-ci/build-definitions (quay.io/konflux-ci/tekton-catalog/task-init)

v0.4

• Task started using konflux build cli instead of bash script.

v0.3

• Remove params image-url, rebuild and skip-checks
• Remove task result build

konflux-ci/build-definitions (quay.io/konflux-ci/tekton-catalog/task-prefetch-dependencies-oci-ta)

v0.3

• Removed deprecated dev-package-managers parameter.
• Switched from bash implementation to Konflux Build CLI.

konflux-ci/build-definitions (quay.io/konflux-ci/tekton-catalog/task-push-dockerfile-oci-ta)

v0.3

Fixed

• Use Dockerfile as the file name in the uploaded artifact, regardless of the name of the actual file.

v0.2

Removed

• BREAKING: Support for Dockerfile downloading in Konflux Build Pipeline.

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

To execute skipped test pipelines write comment /ok-to-test.

---

Documentation

Find out how to configure dependency updates in MintMaker documentation or see all available configuration options in Renovate documentation.

Summary by CodeRabbit

• Chores
  • Updated Tekton CI/CD pipeline task bundle versions and container image digests across all pipeline configurations.
  • Refined parameter passing between build and scanning tasks for improved data consistency.
  • Enhanced image digest propagation to downstream security scanning tasks for better artifact traceability and validation.

[openshift-ci]

Hi @red-hat-konflux[bot]. Thanks for your PR.

I'm waiting for a openshift member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[hunterkepley]

/ok-to-test

[hunterkepley]

/lgtm

[openshift-ci-robot]

/retest-required

Remaining retests: 0 against base HEAD 65c7416 and 2 for PR HEAD 3244bb3 in total

[openshift-ci-robot]

/retest-required

Remaining retests: 0 against base HEAD c1b11ac and 1 for PR HEAD 3244bb3 in total

[openshift-ci-robot]

/retest-required

Remaining retests: 0 against base HEAD c1b11ac and 2 for PR HEAD 3244bb3 in total

[openshift-ci-robot]

/retest-required

Remaining retests: 0 against base HEAD c1b11ac and 2 for PR HEAD 3244bb3 in total

[openshift-ci-robot]

/retest-required

Remaining retests: 0 against base HEAD c1b11ac and 2 for PR HEAD 3244bb3 in total

[openshift-ci-robot]

/retest-required

Remaining retests: 0 against base HEAD c1b11ac and 2 for PR HEAD 3244bb3 in total

[openshift-ci-robot]

/retest-required

Remaining retests: 0 against base HEAD c1b11ac and 2 for PR HEAD 3244bb3 in total

[openshift-ci-robot]

/retest-required

Remaining retests: 0 against base HEAD c1b11ac and 2 for PR HEAD 3244bb3 in total

[openshift-ci-robot]

/retest-required

Remaining retests: 0 against base HEAD c1b11ac and 2 for PR HEAD 3244bb3 in total

[openshift-ci]

New changes are detected. LGTM label has been removed.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Pro Plus

Run ID: eab6ccd1-c84a-4620-a1f5-eb0c38d2fb13

📥 Commits

Reviewing files that changed from the base of the PR and between 18f6a58 and 9ab05bc.

📒 Files selected for processing (4)

• .tekton/rosa-cli-e2e-test-pull-request.yaml
• .tekton/rosa-cli-e2e-test-push.yaml
• .tekton/rosa-pull-request.yaml
• .tekton/rosa-push.yaml

🚧 Files skipped from review as they are similar to previous changes (2)

• .tekton/rosa-cli-e2e-test-pull-request.yaml
• .tekton/rosa-pull-request.yaml

---

Walkthrough

Updated four Tekton PipelineRun YAMLs: bumped many task bundle image digests/versions, rewired parameters so build-image-index publishes IMAGE_URL/IMAGE_DIGEST consumed by build-source-image and some SAST tasks, collapsed multi-line param descriptions, and removed explicit null metadata.creationTimestamp values.

Changes

Cohort / File(s)	Summary
Task bundle & metadata updates .tekton/rosa-cli-e2e-test-pull-request.yaml, .tekton/rosa-cli-e2e-test-push.yaml, .tekton/rosa-pull-request.yaml, .tekton/rosa-push.yaml	Bumped many Tekton taskRef bundle image digests/versions (e.g., task-show-sbom, task-init, task-git-clone-oci-ta, task-buildah-oci-ta, task-build-image-index, task-source-build-oci-ta, scanning/SAST/apply/push tasks). Replaced explicit metadata.creationTimestamp: null with unset/blank. Collapsed several multi-line parameter description strings to single lines.
Build task parameter rewiring .tekton/...-pull-request.yaml, .tekton/...-push.yaml (both CLI and main pipelines)	Removed passing COMMIT_SHA and IMAGE_EXPIRES_AFTER into build-image-index task invocations. Changed build-source-image.BINARY_IMAGE to consume $(tasks.build-image-index.results.IMAGE_URL) instead of $(params.output-image) and added BINARY_IMAGE_DIGEST from $(tasks.build-image-index.results.IMAGE_DIGEST).
Downstream image-digest wiring .tekton/rosa-pull-request.yaml, .tekton/rosa-push.yaml	Added image-digest parameter wired from $(tasks.build-image-index.results.IMAGE_DIGEST) to Coverity/SAST-related tasks (e.g., sast-coverity-check-oci-ta, sast-unicode-check-oci-ta).

Sequence Diagram(s)

mermaid
sequenceDiagram
participant PR as PipelineRun
participant BI as build-image-index
participant BS as build-source-image
participant SAST as SAST/Coverity tasks
participant Reg as Image Registry

PR->>BI: start task
BI-->>PR: results: IMAGE_URL, IMAGE_DIGEST
PR->>BS: start with BINARY_IMAGE=IMAGE_URL, BINARY_IMAGE_DIGEST=IMAGE_DIGEST
BS->>Reg: push source/binary image (uses IMAGE_URL)
PR->>SAST: start with image-digest=IMAGE_DIGEST
SAST->>Reg: scan image by digest

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

🚥 Pre-merge checks | ✅ 9 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Description check	⚠️ Warning	The PR description includes a comprehensive table of package updates with version changes and migration notes, plus detailed release notes. However, it lacks the structured sections required by the template (PR Summary, Detailed Description, Type of Change, etc.) and does not follow the commit format requirement with a Jira ticket prefix.	Restructure the description to match the repository template: add PR Summary, Detailed Description sections, select the appropriate Type of Change checkbox, and ensure commit messages follow [JIRA-TICKET] | [TYPE]: format.

✅ Passed checks (9 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title 'Update Konflux references' directly and clearly summarizes the main change: updating Konflux/tekton-catalog image references and task versions across four YAML files.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Stable And Deterministic Test Names	✅ Passed	This PR exclusively modifies Tekton pipeline YAML configuration files (.tekton/*.yaml) with no Go test files or Ginkgo test definitions present.
Test Structure And Quality	✅ Passed	This custom check is designed to review Ginkgo test code quality, but this PR modifies only Tekton YAML CI/CD pipeline configuration files.
Microshift Test Compatibility	✅ Passed	This PR only updates Tekton CI/CD pipeline configuration files in .tekton/ directory and does not add any new Ginkgo e2e tests.
Single Node Openshift (Sno) Test Compatibility	✅ Passed	PR exclusively modifies .tekton YAML configuration files; no Go test files or Ginkgo e2e tests were added or modified.
Topology-Aware Scheduling Compatibility	✅ Passed	The modified Tekton PipelineRun files contain no Pod/Deployment scheduling constraints (affinity, nodeSelector, tolerations, etc.) that would conflict with alternative OpenShift topologies.
Ote Binary Stdout Contract	✅ Passed	PR modifies only YAML configuration files in .tekton/ directory for Tekton/Konflux pipelines with no Go source code changes, making OTE Binary Stdout Contract check not applicable.
Ipv6 And Disconnected Network Test Compatibility	✅ Passed	PR modifies only Tekton pipeline YAML configuration files with no new Ginkgo e2e tests added. Custom check applies only to newly added Ginkgo test code.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch konflux/references/master

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: hunterkepley, red-hat-konflux[bot]
Once this PR has been reviewed and has the lgtm label, please assign gdbranco for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[openshift-ci]

@red-hat-konflux[bot]: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/coverage	8add80d	link	true	/test coverage
ci/prow/commits	18f6a58	link	true	/test commits

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.