@simonbaird
Member

Also update some Konflux refs.

@qodo-code-review
Contributor

Review Summary by Qodo

Update UBI base image and Konflux task digests

✨ Enhancement

Walkthroughs

Description
• Update UBI-minimal base image digest to latest version
• Bump Konflux task reference digests across pipeline configs
• Apply updates to both pull-request and push pipeline definitions
• Synchronize Dockerfile and Dockerfile.dist base image digests
Diagram

```mermaid
flowchart LR
  A["Base Image Digest"] -->|update| B["Dockerfile"]
  A -->|update| C["Dockerfile.dist"]
  D["Konflux Task Refs"] -->|update| E["cli-v06-pull-request.yaml"]
  D -->|update| F["cli-v06-push.yaml"]
```

File Changes

1. Dockerfile Dependencies +1/-1

Update UBI-minimal base image digest

• Update UBI-minimal base image digest from
 bb08f2300cb8d12a7eb91dddf28ea63692b3ec99e7f0fa71a1b300f2756ea829 to
 759f5f42d9d6ce2a705e290b7fc549e2d2cd39312c4fa345f93c02e4abb8da95

Dockerfile


2. Dockerfile.dist Dependencies +1/-1

Update UBI-minimal base image digest

• Update UBI-minimal base image digest from
 bb08f2300cb8d12a7eb91dddf28ea63692b3ec99e7f0fa71a1b300f2756ea829 to
 759f5f42d9d6ce2a705e290b7fc549e2d2cd39312c4fa345f93c02e4abb8da95

Dockerfile.dist


3. .tekton/cli-v06-pull-request.yaml Dependencies +8/-8

Bump Konflux task reference digests

• Update task-init digest from ebf06778aeacbbeb081f9231eafbdfdb8e380ad04e211d7ed80ae9101e37fd82 to
 a482890d072df3aff9cf5db0ff2b9ec04fa6bb006cfd9da9817805fdd11a73f5
• Update task-buildah-oci-ta digest from
 55528db67cb34b0346896df28280deb510d7fc7122e8f93aa406b1ca5449b3e0 to
 cde309fc09b68c39ca283c4b121ddf99d900e3ff2cf3d5e7951cb707eeeddfae
• Update task-build-image-index digest from
 05d3d8a5ded44c51b074a56a408ddf5d65c56b4c15e110abb1a99e3aff269d49 to
 8c422a5380a3d877257003dee153190322af84fe6f4f25e9eee7d8bf61a62577
• Update 6 additional Konflux task digests for ecosystem-cert-preflight-checks,
 sast-snyk-check-oci-ta, clamav-scan, sast-shell-check-oci-ta, and push-dockerfile-oci-ta

.tekton/cli-v06-pull-request.yaml


4. .tekton/cli-v06-push.yaml Dependencies +8/-8

Bump Konflux task reference digests

• Update task-init digest from ebf06778aeacbbeb081f9231eafbdfdb8e380ad04e211d7ed80ae9101e37fd82 to
 a482890d072df3aff9cf5db0ff2b9ec04fa6bb006cfd9da9817805fdd11a73f5
• Update task-buildah-oci-ta digest from
 55528db67cb34b0346896df28280deb510d7fc7122e8f93aa406b1ca5449b3e0 to
 cde309fc09b68c39ca283c4b121ddf99d900e3ff2cf3d5e7951cb707eeeddfae
• Update task-build-image-index digest from
 05d3d8a5ded44c51b074a56a408ddf5d65c56b4c15e110abb1a99e3aff269d49 to
 8c422a5380a3d877257003dee153190322af84fe6f4f25e9eee7d8bf61a62577
• Update 6 additional Konflux task digests for ecosystem-cert-preflight-checks,
 sast-snyk-check-oci-ta, clamav-scan, sast-shell-check-oci-ta, and push-dockerfile-oci-ta

.tekton/cli-v06-push.yaml


@qodo-code-review
Contributor

Code Review by Qodo

🐞 Bugs (1) 📘 Rule violations (0) 📎 Requirement gaps (0)

Remediation recommended

1. RPM lockfile drift 🐞 Bug ⛯ Reliability
Description
• Dockerfile.dist changes the final-stage UBI base image digest, which can affect the resolved RPM
  repos and package EVRs used for the image.
• The repository maintains rpms.lock.yaml as a generated artifact derived from Dockerfile.dist’s
  base image plus rpms.in.yaml; this PR doesn’t update rpms.lock.yaml, so it may now be stale and no
  longer match what the updated base image would resolve.
Code

Dockerfile.dist[46]

+FROM registry.access.redhat.com/ubi9/ubi-minimal:latest@sha256:759f5f42d9d6ce2a705e290b7fc549e2d2cd39312c4fa345f93c02e4abb8da95
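Review bot: On this `FROM` line the reference carries both the `:latest` tag and an `@sha256:` digest. When a digest is present it alone selects the image, so `latest` says nothing about which UBI 9 release is pinned. Consider a versioned tag next to the digest, or a comment naming the release the digest corresponds to, so a reader can tell what this bump moved to.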
Evidence
The RPM lockfile generation script explicitly parses the mounted Dockerfile (Dockerfile.dist is
mounted as Dockerfile) to determine the base image, extracts repo definitions from that base image,
and generates rpms.lock.yaml from that base image and rpms.in.yaml. Since Dockerfile.dist’s base
image digest changed, rpms.lock.yaml should be regenerated to ensure it still corresponds to the
current base image and installed package set.

Dockerfile.dist[46-65]
hack/update-rpm-lock.sh[59-105]
rpms.in.yaml[17-30]
rpms.lock.yaml[17-23]

Agent prompt
The issue below was found during a code review. Follow the provided context and guidance below and implement a solution

### Issue description
`Dockerfile.dist` bumps the UBI9 minimal base image digest, but `rpms.lock.yaml` (a generated RPM lockfile tied to the base image and `rpms.in.yaml`) is not updated. This can create drift between the intended/published RPM lock data and what would be resolved using the new base image.

### Issue Context
The repo includes `hack/update-rpm-lock.sh` which mounts `Dockerfile.dist` as `Dockerfile`, extracts repo definitions from the base image, and generates `rpms.lock.yaml`.

### Fix Focus Areas
- Dockerfile.dist[46-64]
- hack/update-rpm-lock.sh[59-105]
- rpms.in.yaml[17-30]
- rpms.lock.yaml[1-30]

### Suggested fix steps
1. Run `hack/update-rpm-lock.sh` (or the documented equivalent in your environment) to regenerate `rpms.lock.yaml` using the updated `Dockerfile.dist`.
2. Commit any resulting changes to `rpms.lock.yaml`.
3. If regeneration is intentionally not required for this repo/workflow, add a short comment in the PR description or repo docs clarifying why the lockfile is expected to remain unchanged when the base image digest changes.
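
An added example, not code from this repository or from the review tool: a pre-merge check that every `FROM` in `Dockerfile` and `Dockerfile.dist` is pinned to a sha256 digest and that both files pin the same digest for each repository. The builder image, the `sample()` helper and the placeholder digests are constructed for illustration.

```python
import re

# FROM [--flag=value ...] <ref> [AS <stage>]
FROM_RE = re.compile(r"^\s*FROM\s+(?:--\S+\s+)*(\S+)(?:\s+AS\s+(\S+))?\s*$", re.I)
DIGEST_RE = re.compile(r"sha256:[0-9a-f]{64}")


def base_images(text):
    """Return (repository, digest-or-None) for every FROM that pulls an image."""
    stages, found = set(), []
    for line in text.splitlines():
        m = FROM_RE.match(line)
        if not m:
            continue
        ref, alias = m.groups()
        # References to earlier build stages and to "scratch" pull nothing.
        if ref.lower() not in stages and ref != "scratch":
            name, _, digest = ref.partition("@")
            # Drop the tag; a ":" before the last "/" is a registry port.
            head, _, last = name.rpartition("/")
            repo = (head + "/" if head else "") + last.split(":")[0]
            found.append((repo, digest or None))
        if alias:
            stages.add(alias.lower())
    return found


def check_pins(files):
    """files maps filename -> Dockerfile text; returns a list of problems."""
    problems, seen = [], {}
    for fname, text in files.items():
        for repo, digest in base_images(text):
            if not digest or not DIGEST_RE.fullmatch(digest):
                problems.append(f"{fname}: {repo} is not pinned to a sha256 digest")
                continue
            first_digest, first_file = seen.setdefault(repo, (digest, fname))
            if digest != first_digest:
                problems.append(f"{fname}: {repo} digest differs from {first_file}")
    return problems


# Constructed sample input: placeholder digests and a hypothetical builder image.
OLD, NEW = "sha256:" + "a" * 64, "sha256:" + "b" * 64
UBI = "registry.access.redhat.com/ubi9/ubi-minimal:latest"

def sample(digest):
    return (f"FROM example.test/builder:1@{OLD} AS build\nRUN true\n"
            f"FROM build AS test\nFROM {UBI}@{digest}\n")

if __name__ == "__main__":
    print(check_pins({"Dockerfile": sample(NEW), "Dockerfile.dist": sample(OLD)}))
```
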

@simonbaird
Member Author

The rpm lock file update script did run, but no updates were produced.

Not much to review here. It's green, so let's merge.

@simonbaird merged commit e4be37a into conforma:release-v0.6 on Feb 9, 2026
9 of 10 checks passed
@codecov

codecov bot commented Feb 9, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.

| Flag | Coverage Δ |
|---|---|
| generative | 70.92% <ø> (ø) |
| integration | 70.92% <ø> (ø) |
| unit | 70.92% <ø> (ø) |

Flags with carried forward coverage won't be shown.
