chore(deps): Update Konflux task refs by simonbaird · Pull Request #3149 · conforma/cli · GitHub

chore(deps): Update Konflux task refs #3149

Merged
simonbaird merged 1 commit into conforma:main from simonbaird:update-init-and-other-konflux-refs
Mar 2, 2026

@simonbaird simonbaird commented Mar 2, 2026

Member

Done like this:

curl -sL https://github.com/simonbaird/konflux-pipeline-patcher/raw/main/pipeline-patcher | bash -s bump-task-refs

But I manually updated these since the bash script doesn't update the tag versions:

  • init 0.3 -> 0.4
  • buildah-remote-oci-ta 0.8 -> 0.9
  • push-dockerfile-oci-ta 0.1 -> 0.2

No migrations are needed iiuc.

The init task was the motivation for this since the 0.3 versions are now expired. I'm doing the other two to keep ahead of things.

qodo-code-review Bot commented Mar 2, 2026

Contributor

Code Review by Qodo

🐞 Bugs (1) 📘 Rule violations (0) 📎 Requirement gaps (0)



Remediation recommended

1. Digests need allowlist sync 🐞 Bug ⛯ Reliability
Description
These pipelines bump multiple Konflux task bundle digests/versions. If the new digests are not (yet)
included in the Enterprise Contract data-acceptable-bundles allowlist (or if the old ones are
expired), Konflux/EC validation can fail until the allowlist catches up.
Code

.tekton/cli-main-pull-request.yaml[140]

+          value: quay.io/konflux-ci/tekton-catalog/task-init:0.4@sha256:288f3106118edc1d0f0c79a89c960abf5841a4dd8bc3f38feb10527253105b19
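Review bot: This `value:` line pins `task-init` by tag 0.4 together with a sha256 digest, and the PR description says the tag versions were edited by hand because the script does not update them, so nothing visible here confirms that this digest is the one published under the 0.4 tag. Since the digest is what pins the bundle content, a hand-edited tag that does not correspond to it would go unnoticed. Consider stating in the PR how the tag/digest pair was checked, or resolving the 0.4 tag in the registry and comparing the result with this digest before merging.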
Evidence
The repo’s Enterprise Contract configuration explicitly consumes
oci::quay.io/konflux-ci/tekton-catalog/data-acceptable-bundles:latest, which is commonly used to
allow/deny specific Tekton bundle digests. Repo documentation also shows that matchers can expire
(effectiveUntil) and enforce exact digest matching, so changing digests is a potential gate even
when the tag version is reasonable.

.tekton/cli-main-pull-request.yaml[134-143]
policies/tekton-task/policy.yaml[21-29]
policies/cli/policy.yaml[25-37]
cmd/compare/README.md[244-257]

Agent prompt
The issue below was found during a code review. Follow the provided context and guidance below and implement a solution

## Issue description
The PR bumps multiple Tekton task bundle digests. Enterprise Contract policies in this repo consume `data-acceptable-bundles`, which can enforce exact digest matching and time-based expiration. If the new digests are not allowlisted yet (or old ones are expired), EC validation may fail.

## Issue Context
This is primarily a coordination/verification step (not a YAML syntax issue). The repo’s EC policy configuration explicitly pulls acceptable-bundles data from Konflux.

## Fix Focus Areas
- .tekton/cli-main-pull-request.yaml[134-145]
- .tekton/cli-main-push.yaml[136-146]
- .tekton/cli-main-pull-request.yaml[237-245]
- .tekton/cli-main-push.yaml[239-247]
- .tekton/cli-main-pull-request.yaml[526-534]
- .tekton/cli-main-push.yaml[528-536]



codecov Bot commented Mar 2, 2026


Codecov Report

✅ All modified and coverable lines are covered by tests.

Flag Coverage Δ
acceptance 55.59% <ø> (+<0.01%) ⬆️
generative 18.49% <ø> (ø)
integration 27.50% <ø> (ø)
unit 68.44% <ø> (ø)


@simonbaird simonbaird merged commit eca93f9 into conforma:main Mar 2, 2026
13 checks passed
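
The allowlist concern raised in the review above, as an added example that is not part of this PR or of the conforma project: it extracts every `tag@sha256` bundle reference from pipeline text and classifies it against an allowlist using exact digest matching and an expiry time. The allowlist structure, the `effective_until` key, the `quay.io/example` repositories and all digests are constructed for illustration and are not the real data-acceptable-bundles format.

```python
import re
from datetime import datetime, timezone

# Pinned bundle reference: repo:tag@sha256:<64 hex chars>
REF_RE = re.compile(r"(?P<repo>[\w.\-/]+):(?P<tag>[\w.\-]+)@(?P<digest>sha256:[0-9a-f]{64})")

def pinned_refs(pipeline_yaml):
    """Return (repo, tag, digest) for each tag@digest reference in the text."""
    return [(m["repo"], m["tag"], m["digest"]) for m in REF_RE.finditer(pipeline_yaml)]

def check_refs(pipeline_yaml, allowlist, now):
    """Map each pinned ref to "ok", "expired" or "unlisted"."""
    results = {}
    for repo, tag, digest in pinned_refs(pipeline_yaml):
        status = "unlisted"
        for entry in allowlist.get(f"{repo}:{tag}", []):
            if entry["digest"] != digest:
                continue  # exact digest match required
            until = entry["effective_until"]  # ISO 8601 string, or None
            if until is None or datetime.fromisoformat(until) > now:
                status = "ok"
                break
            status = "expired"
        results[f"{repo}:{tag}@{digest}"] = status
    return results

# Constructed sample data (hypothetical repositories and digests).
D_NEW, D_OLD, D_PIPE, D_LIST = ("sha256:" + c * 64 for c in "abcd")
SAMPLE_PIPELINE = f"""
- name: bundle
  value: quay.io/example/task-init:0.4@{D_NEW}
- name: bundle
  value: quay.io/example/task-init:0.3@{D_OLD}
- name: bundle
  value: quay.io/example/task-build:0.9@{D_PIPE}
"""
SAMPLE_ALLOWLIST = {
    "quay.io/example/task-init:0.4": [
        {"digest": D_NEW, "effective_until": None}],
    "quay.io/example/task-init:0.3": [
        {"digest": D_OLD, "effective_until": "2026-01-01T00:00:00+00:00"}],
    "quay.io/example/task-build:0.9": [
        {"digest": D_LIST, "effective_until": None}],
}
NOW = datetime(2026, 3, 2, tzinfo=timezone.utc)

if __name__ == "__main__":
    for ref, status in check_refs(SAMPLE_PIPELINE, SAMPLE_ALLOWLIST, NOW).items():
        print(f"{status:9} {ref}")
```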