
Conversation

@st3penta
Contributor

@st3penta st3penta commented Dec 12, 2025

User description

Contains major bumps for build-image-index and buildah-remote-oci-ta tasks.


PR Type

Enhancement


Description

  • Update Konflux task references with new SHA digests

  • Bump buildah-remote-oci-ta task to version 0.7

  • Bump build-image-index task to version 0.2

  • Standardize YAML formatting with consistent indentation


Diagram Walkthrough

flowchart LR
  A["Tekton Pipeline Files"] -->|Update task digests| B["buildah-remote-oci-ta v0.7"]
  A -->|Update task digests| C["build-image-index v0.2"]
  A -->|Update task digests| D["Other task references"]
  A -->|Standardize formatting| E["YAML indentation"]

File Walkthrough

Relevant files

Configuration changes

.tekton/cli-main-pull-request.yaml (+541/-541): Update Konflux task references and formatting

  • Updated task bundle references with new SHA digests for multiple Konflux tasks
  • Bumped buildah-remote-oci-ta from 0.5 to 0.7 with new digest
  • Bumped build-image-index from 0.1 to 0.2 with new digest
  • Standardized YAML indentation and formatting throughout the file (converted single quotes to double quotes for consistency)

.tekton/cli-main-push.yaml (+6/-6): Update Konflux task bundle digests

  • Updated task bundle SHA digests for init, git-clone-oci-ta, build-image-index, tkn-bundle-oci-ta, apply-tags, and rpms-signature-scan tasks
  • Bumped build-image-index task digest (0.1 version)
  • Updated rpms-signature-scan task digest

@qodo-code-review
Contributor

qodo-code-review bot commented Dec 12, 2025

PR Compliance Guide 🔍

Below is a summary of compliance checks for this PR:

Security Compliance
🟢
No security concerns identified. No security vulnerabilities detected by AI analysis. Human verification advised for critical code.
Ticket Compliance
🎫 No ticket provided
Codebase Duplication Compliance
Codebase context is not defined

Follow the guide to enable codebase context checks.

Custom Compliance
🟢
Generic: Meaningful Naming and Self-Documenting Code

Objective: Ensure all identifiers clearly express their purpose and intent, making code
self-documenting

Status: Passed

Learn more about managing compliance generic rules or creating your own custom rules

Generic: Secure Logging Practices

Objective: To ensure logs are useful for debugging and auditing without exposing sensitive
information like PII, PHI, or cardholder data.

Status: Passed


Generic: Comprehensive Audit Trails

Objective: To create a detailed and reliable record of critical system actions for security analysis
and compliance.

Status:
Audit Logging: The changes update Tekton pipeline tasks and parameters without introducing or modifying any explicit audit logging of critical actions; if audit logging is required at this layer, it is not evident in the new additions.

Referred Code
pipelineSpec:
  description: |
    This pipeline is ideal for building container images from a Containerfile while maintaining trust after pipeline customization.

    _Uses `buildah` to create a container image leveraging [trusted artifacts](https://konflux-ci.dev/architecture/ADR/0036-trusted-artifacts.html). It also optionally creates a source image and runs some build-time tests. Information is shared between tasks using OCI artifacts instead of PVCs. EC will pass the [`trusted_task.trusted`](https://conforma.dev/docs/policy/packages/release_trusted_task.html#trusted_task__trusted) policy as long as all data used to build the artifact is generated from trusted tasks.
    This pipeline is pushed as a Tekton bundle to [quay.io](https://quay.io/repository/konflux-ci/tekton-catalog/pipeline-docker-build-oci-ta?tab=tags)_
  finally: []
  params:
    - description: Source Repository URL
      name: git-url
      type: string
    - default: ""
      description: Revision of the Source Repository
      name: revision
      type: string
    - description: Fully Qualified Output Image
      name: output-image
      type: string
    - description: >-
        OCI repository of the CLI image to use as a reference in the Tekton bundle. When setting this value, take into account where the CLI image will be available for usage. For certain workflows, e.g. pull request, this should be the repo in which the CLI image is built into because those CLI images are not promoted to another location. For merge workflows that go through a release, for example, this should be the repository for which the CLI image will be released to.
      name: bundle-cli-ref-repo


 ... (clipped 521 lines)


Generic: Robust Error Handling and Edge Case Management

Objective: Ensure comprehensive error handling that provides meaningful context and graceful
degradation

Status:
Error Handling: The PR updates pipeline task references and parameters but does not add explicit error handling or edge-case management in the new YAML, which may be acceptable if handled within referenced tasks, but cannot be verified from the diff alone.

Referred Code
tasks:
  - name: init
    params:
      - name: image-url
        value: $(params.output-image)
      - name: rebuild
        value: $(params.rebuild)
      - name: skip-checks
        value: $(params.skip-checks)
    taskRef:
      params:
        - name: name
          value: init
        - name: bundle
          value: quay.io/konflux-ci/tekton-catalog/task-init:0.2@sha256:75b88ee5e134a22ee35eb974808dfe6a63693115fa445208a9060a7175b448cf
        - name: kind
          value: task
      resolver: bundles
  - name: clone-repository
    params:
      - name: url


 ... (clipped 428 lines)


Generic: Secure Error Handling

Objective: To prevent the leakage of sensitive system information through error messages while
providing sufficient detail for internal debugging.

Status:
User Error Detail: No user-facing error messaging is introduced in the new YAML; security of error details depends on the bundled tasks, which cannot be assessed from this diff.

Referred Code
    params:
      - name: name
        value: buildah-remote-oci-ta
      - name: bundle
        value: quay.io/konflux-ci/tekton-catalog/task-buildah-remote-oci-ta:0.7@sha256:b24359805297760c87cbce7b4c378267bc83aa1b9a3ac8431829f80bc26ed5d7
      - name: kind
        value: task
    resolver: bundles
  when:
    - input: $(tasks.init.results.build)
      operator: in
      values:
        - "true"
- name: build-image-index
  params:
    - name: IMAGE
      value: $(params.output-image)
    - name: COMMIT_SHA
      value: $(tasks.clone-repository.results.commit)
    - name: IMAGE_EXPIRES_AFTER
      value: $(params.image-expires-after)


 ... (clipped 125 lines)


Generic: Security-First Input Validation and Data Handling

Objective: Ensure all data inputs are validated, sanitized, and handled securely to prevent
vulnerabilities

Status:
Input Validation: The pipeline parameters (e.g., 'git-url', 'revision', 'output-image') are passed to external tasks without visible validation in the YAML; validation may occur within tasks, but this is not verifiable from the diff.

Referred Code
- description: Source Repository URL
  name: git-url
  type: string
- default: ""
  description: Revision of the Source Repository
  name: revision
  type: string
- description: Fully Qualified Output Image
  name: output-image
  type: string
- description: >-
    OCI repository of the CLI image to use as a reference in the Tekton bundle. When setting this value, take into account where the CLI image will be available for usage. For certain workflows, e.g. pull request, this should be the repo in which the CLI image is built into because those CLI images are not promoted to another location. For merge workflows that go through a release, for example, this should be the repository for which the CLI image will be released to.
  name: bundle-cli-ref-repo
  type: string
- default: .
  description: Path to the source code of an application's component from where to build image.
  name: path-context
  type: string
- default: Dockerfile
  description: Path to the Dockerfile inside the context specified by parameter path-context
  name: dockerfile


 ... (clipped 47 lines)


Compliance status legend:
  • 🟢 - Fully Compliant
  • 🟡 - Partially Compliant
  • 🔴 - Not Compliant
  • ⚪ - Requires Further Human Verification
  • 🏷️ - Compliance label

@qodo-code-review
Contributor

qodo-code-review bot commented Dec 12, 2025

PR Code Suggestions ✨

Explore these optional code suggestions:

Category: Possible issue

Suggestion: Align task version with other pipelines

Update the build-image-index task in cli-main-push.yaml from version 0.1 to 0.2
to match the version used in cli-main-pull-request.yaml for consistency.

.tekton/cli-main-pull-request.yaml [277-284]

 - name: build-image-index
   params:
   - name: IMAGE
     value: $(params.output-image)
   - name: COMMIT_SHA
     value: $(tasks.clone-repository.results.commit)
   - name: IMAGE_EXPIRES_AFTER
     value: $(params.image-expires-after)
   - name: ALWAYS_BUILD_INDEX
     value: $(params.build-image-index)
   - name: IMAGES
     value:
     - $(tasks.build-container.results.IMAGE_REF[*])
   runAfter:
   - build-container
   taskRef:
     params:
     - name: name
       value: build-image-index
     - name: bundle
-      value: quay.io/konflux-ci/tekton-catalog/task-build-image-index:0.1@sha256:4c83fd5b679fd07269953b6d5ac667a96096ed2c4dc942d5aea28d989655b109
+      value: quay.io/konflux-ci/tekton-catalog/task-build-image-index:0.2@sha256:39561ac43e325159497c10c0284cf61dfddf39e39100ca5e3df6b73c5d96db8b
     - name: kind
       value: task
     resolver: bundles
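Review bot: The hunk is anchored to .tekton/cli-main-pull-request.yaml [277-284], yet the suggestion text says the change belongs in cli-main-push.yaml, and the PR description already reports build-image-index bumped from 0.1 to 0.2 in the pull-request pipeline; as written, the `-` line (`task-build-image-index:0.1@sha256:4c83fd5b...`) must be matched against the push file, whose current 0.1 digest is not shown on this page. Before applying, confirm the `+` digest (`task-build-image-index:0.2@sha256:39561ac4...`) is the same bundle the pull-request pipeline now pins, so that both pipelines resolve the identical, digest-pinned task rather than two different 0.2 builds.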

[To ensure code accuracy, apply this suggestion manually]

Suggestion importance[1-10]: 8


Why: The suggestion correctly identifies a version inconsistency for the build-image-index task between the pull-request and push pipelines, which could lead to different build behaviors. Aligning the versions is a critical fix for pipeline consistency and correctness.

Impact: Medium

Contains major bumps for build-image-index and buildah-remote-oci-ta tasks.
@codecov

codecov bot commented Dec 12, 2025

Codecov Report

✅ All modified and coverable lines are covered by tests.

Flag          Coverage   Δ
acceptance    55.82%     <ø> (ø)
generative    18.99%     <ø> (ø)
integration   27.92%     <ø> (ø)
unit          67.60%     <ø> (ø)

Flags with carried forward coverage won't be shown.


@st3penta st3penta merged commit feaf4f7 into conforma:main Dec 12, 2025
14 of 15 checks passed
@st3penta st3penta deleted the bump-konflux-refs branch December 12, 2025 16:59