
Konflux task refs and other dependency updates (main)#3357

Merged: simonbaird merged 14 commits into conforma:main from simonbaird:konflux-task-refs-update-main on Jun 26, 2026

Conversation

@simonbaird simonbaird commented Jun 25, 2026

Member

Includes also:

  • stop using the non-standard vanguard tekton bundle repo
  • golang version update
  • containerd golang module updates
  • update go-containerregistry fork dependency related to EC-1866
  • misc additional small fixes

The rpms-signature-scan task is in the main catalog now, so no need
to use the non-standard catalog. Also update the digest.

coderabbitai Bot commented Jun 25, 2026


Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

  • @coderabbitai resume to resume automatic reviews.
  • @coderabbitai review to trigger a single review.


Walkthrough

The PR updates Tekton bundle references and policy images, bumps Go toolchain and base image pins, adjusts a helper script, and refreshes Go module dependencies across the root, tools, and acceptance modules.

Changes

Repository infrastructure refresh

  • Tekton bundles and policies (.tekton/cli-main-pull-request.yaml, .tekton/cli-main-push.yaml, policies/cli/policy.yaml, policies/tekton-task/policy.yaml): PipelineRun task bundle digests and policy image references are updated, including the rpms-signature-scan bundle source change and the removal of one CLI policy data source entry.
  • Toolchain and image pins (.tool-versions, Dockerfile, Dockerfile.dist, acceptance/kubernetes/kind/acceptance.Dockerfile): Go toolchain pins and container base image references are updated in tool versioning files, Dockerfiles, and the acceptance kind Dockerfile.
  • Build helper and CI tooling (hack/ubi-base-image-bump.sh, .github/workflows/checks-codecov.yaml, Makefile): The UBI bump script stops after committing, and CI tool verification moves to the new tools-ci target.
  • Go module dependency refresh (go.mod, tools/go.mod, acceptance/go.mod, tools/kubectl/go.mod): The root, tools, acceptance, and kubectl Go modules update Go directives, replace targets, and multiple direct and indirect dependency versions.

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

Pre-merge checks: 5 passed

  • Title check: Passed. The title is concise and reflects the main changes: Konflux task refs plus dependency and toolchain updates.
  • Docstring Coverage: Passed. No functions found in the changed files to evaluate docstring coverage; check skipped.
  • Linked Issues check: Passed. Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check: Passed. Check skipped because no linked issues were found for this pull request.
  • Description check: Passed. The description matches the changeset by mentioning Tekton bundle repo changes, Go version updates, containerd module bumps, and the go-containerregistry fork update.


fullsend-ai-review Bot commented Jun 25, 2026


🤖 Finished Review · ✅ Success · Started 6:28 PM UTC · Completed 6:39 PM UTC
Commit: 47d3320


fullsend-ai-review Bot commented Jun 25, 2026


Review

Findings

High

  • [protected-path] .github/workflows/checks-codecov.yaml, Dockerfile, Dockerfile.dist, policies/cli/policy.yaml, policies/tekton-task/policy.yaml — This PR modifies files under protected paths (.github/, Dockerfile, policies/) but has no linked issue providing authorization for these changes. Protected paths require human approval regardless of change nature. The changes themselves (CI workflow consolidation to make tools-ci, base image digest updates, policy namespace migration from enterprise-contract to conforma) appear consistent with the stated dependency update intent, but governance files require explicit authorization.
    Remediation: Link an authorizing issue that covers the protected-path changes, or obtain explicit human reviewer approval.

Low

  • [logic-error] hack/ubi-base-image-bump.sh:48 — The PR comments out three branch-creation lines (CURRENT_BRANCH, PR_BRANCH, git checkout -b) rather than deleting them, and removes the --no-push flag handling and push/PR-creation instructions. The commented-out lines are dead code that could confuse future maintainers about whether branch creation is intended to be re-enabled.
Previous run

Review

Findings

High

  • [protected-path] Dockerfile, Dockerfile.dist, .github/workflows/checks-codecov.yaml, policies/cli/policy.yaml, policies/tekton-task/policy.yaml — This PR modifies files under protected paths (.github/, Dockerfile, policies/) but has no linked issue providing authorization for these changes. While the PR description explains the rationale (golang version bump, policy org rename, vanguard deprecation), human approval is always required for protected-path changes.
    Remediation: Link an issue authorizing these infrastructure changes, or obtain explicit human reviewer approval for the protected-path modifications.

Medium

  • [logic-error] acceptance/kubernetes/kind/kind.go:486, acceptance/kubernetes/kind/kubernetes.go:448 — Registry URL changed from registry.image-registry.svc.cluster.local:<port> to 127.0.0.1:<port>. The $REGISTRY variable is expanded into container image references consumed by the ec binary running inside Tekton TaskRun pods, where 127.0.0.1 resolves to the pod's own loopback rather than the Kind node. However, image.go already uses 127.0.0.1:<port> at lines 273 and 374 for analogous in-cluster references, with an explicit comment noting that the DNS name causes name resolution failures in the Tekton Pipeline controller. The PR aligns Registry() with this pre-existing pattern.
    Remediation: Verify that acceptance tests pass with this change in a Kind cluster. If they do not, consider localhost:<port> which go-containerregistry also treats as plaintext HTTP.

Low

  • [edge-case] hack/ubi-base-image-bump.sh:46 — Branch creation code is commented out rather than removed, leaving dead commented code. The --no-push flag handling and push/PR-creation workflow are fully removed. This is a development helper script and the simplification appears intentional.
Previous run (2)

Review

Findings

High

  • [protected-path] .github/workflows/checks-codecov.yaml, Dockerfile, Dockerfile.dist, policies/cli/policy.yaml, policies/tekton-task/policy.yaml — This PR modifies files under protected paths (.github/, Dockerfile, policies/) which require human approval. The PR has no linked issue to justify the changes to governance and infrastructure files. While the changes appear to be routine dependency updates and organizational renames, human review is required for protected-path modifications.
    Remediation: Link a corresponding issue/epic that authorizes these protected-path changes, and obtain human maintainer approval.

Low

  • [logic error] hack/ubi-base-image-bump.sh — The script now comments out branch creation and removes the push/--no-push logic, so it commits directly on whatever branch is checked out. This changes the expected workflow, though no callers in the repo use --no-push and the script is a manual-use utility.

  • [code organization] hack/ubi-base-image-bump.sh:46 — Commented-out code block introduced (CURRENT_BRANCH, PR_BRANCH, git checkout lines). Consider removing these lines entirely rather than leaving disabled code.

  • [version skew] go.mod: k8s.io/apiextensions-apiserver remains at v0.35.4 while k8s.io/api, k8s.io/apimachinery, k8s.io/client-go are updated to v0.36.0. This is a minor version skew in indirect dependencies; Go module resolution handles this gracefully in practice.

  • [style consistency] Makefile:201 — The new tools-ci target uses a Unicode bullet character in echo output, while all other @echo statements in the Makefile use plain ASCII text.

  • [missing-authorization] PR-wide — Non-trivial PR with no linked issue. The changes are coordinated dependency updates, version bumps, and build config changes whose scope is self-evident from the PR description.

Previous run (3)

Review

Findings

High

  • [protected-path] Dockerfile, Dockerfile.dist, .github/workflows/checks-codecov.yaml, policies/cli/policy.yaml, policies/tekton-task/policy.yaml — This PR modifies files under protected paths (.github/, Dockerfile, policies/) without a linked issue providing authorization. Protected paths contain governance and infrastructure files that require human approval. The PR description explains the changes (golang version update, vanguard migration, policy URL update) but lacks a linked issue for traceability.
    Remediation: Link a tracking issue that authorizes these infrastructure changes, or obtain explicit human approval.

Low

  • [removal-staleness] hack/ubi-base-image-bump.sh — The --no-push flag becomes obsolete after this change since the push logic is entirely removed. While the practical impact is negligible (no push occurs regardless), the flag is silently ignored rather than explicitly removed or documented as deprecated.

  • [edge-case] Makefile:200 — The new tools-ci target is not declared as .PHONY, inconsistent with the convention used for all other non-file targets in this Makefile (ci, test, lint, benchmark, etc.).

Previous run (4)

Review

Findings

High

  • [protected-path] .github/workflows/checks-codecov.yaml, Dockerfile, Dockerfile.dist, policies/cli/policy.yaml, policies/tekton-task/policy.yaml — This PR modifies files under protected paths (.github/, Dockerfile, policies/) but has no linked issue providing authorization for these changes. While the PR description explains the rationale (dependency updates, vanguard deprecation, enterprise-contract→conforma rebranding), protected-path changes require a linked issue for traceability. Human approval is required regardless.

Low

  • [missing .PHONY declaration] Makefile:200 — The new tools-ci target lacks a .PHONY declaration. All other non-file targets in this Makefile have one. If a file or directory named tools-ci were ever created in the repo root, make tools-ci would check its timestamp rather than unconditionally executing the recipe.

  • [removed flag silently ignored] hack/ubi-base-image-bump.sh — The --no-push flag handling was removed along with the push/PR-creation logic. If a caller passes --no-push, it will now be silently ignored. The net behavior is unchanged (commit is made, no push happens since push was also removed), but the flag contract changed without error feedback.

Previous run (5)

Review

Findings

High

  • [protected-path] Dockerfile, Dockerfile.dist, policies/cli/policy.yaml, policies/tekton-task/policy.yaml — This PR modifies files under protected paths (Dockerfile, policies/). No linked issue is provided to authorize changes to governance or infrastructure files. Human approval is required for all protected-path changes regardless of context.
    Remediation: Link an authorizing issue to this PR, or obtain explicit human approval for the protected-path changes.

Medium

  • [stale-doc] docs/modules/ROOT/pages/configuration.adoc — Documentation contains multiple examples showing the old policy URL oci::quay.io/enterprise-contract/ec-release-policy:latest instead of the new oci::quay.io/conforma/release-policy:latest. Users following this documentation will reference the old registry path.
    Remediation: Replace all instances of quay.io/enterprise-contract/ec-release-policy with quay.io/conforma/release-policy throughout configuration.adoc.

  • [stale-doc] docs/modules/ROOT/pages/ec_fetch_policy.adoc:55 — Example command shows the old policy URL quay.io/enterprise-contract/ec-release-policy:latest.
    Remediation: Update the example to use quay.io/conforma/release-policy:latest.

  • [stale-doc] docs/modules/ROOT/pages/ec_inspect_policy.adoc:28 — Example commands show the old policy URL quay.io/enterprise-contract/ec-release-policy.
    Remediation: Update both examples to use quay.io/conforma/release-policy.

Low

  • [Policy Source Change] policies/cli/policy.yaml:36 — The policy OCI source is changing from enterprise-contract to conforma organization. The :latest tag was already in use (explicitly intentional per inline comment) and is not introduced by this PR. The rename is consistent with the broader enterprise-contract to conforma rebrand.

  • [Data Source Removal] policies/cli/policy.yaml:31 — The vanguard data source is being removed as documented in the PR body ("stop using the non-standard vanguard tekton bundle repo"). The old comment stated it was expected to be retired.

  • [edge-case] hack/ubi-base-image-bump.sh:46 — After commenting out branch creation, the comment says "Make a branch" but the code is commented out below. The --no-push flag handler is also removed since push logic was removed entirely. No external callers found; no functional regression.

  • [dependency-coherence] go.mod:63 — Forked go-containerregistry dependency updated from v0.20.7 to v0.21.8. The PR body mentions EC-1866 as the reason. The replace directive and comment documenting the fork remain accurate.


Labels: PR updates Go module dependencies, Dockerfiles, and Tekton CI pipeline configurations.

Previous run (6)

Review

Findings

High

  • [protected-path] policies/cli/policy.yaml, policies/tekton-task/policy.yaml — These files are under the policies/ protected path. The PR has no linked issue providing authorization for modifying governance/infrastructure files. Protected-path changes always require human approval regardless of context.
    Remediation: Link to an issue or design document that authorizes the policy source migration, or obtain explicit human maintainer approval.

Low

  • [stale-reference] benchmark/simple/simple.go:88 — Stale reference to quay.io/enterprise-contract/ec-release-policy remains in benchmark code. This reference uses a pinned SHA digest so it will continue to resolve unless the old image is deleted, but it should be updated for consistency with the policy source migration.
  • [stale-reference] benchmark/simple/prepare_data.sh:36 — Same stale SHA-pinned reference to quay.io/enterprise-contract/ec-release-policy in benchmark data preparation script.
  • [stale-reference] hack/demo.sh:53 — Stale reference to quay.io/enterprise-contract/ec-release-policy:latest in demo script. Unlike the benchmark files, this uses a floating :latest tag and is more likely to diverge from the canonical policy source.
  • [stale-reference] cmd/inspect/inspect_policy.go:73 — CLI help text examples reference quay.io/enterprise-contract/ec-release-policy. May confuse users as the project migrates to the conforma namespace.
  • [stale-reference] cmd/fetch/fetch_policy.go:87 — CLI help text example references quay.io/enterprise-contract/ec-release-policy:latest. Same concern as the inspect command help text.
Previous run (7)

Review

Findings

High

  • [protected-path] policies/cli/policy.yaml — This file is under the policies/ protected path. The PR has no linked issue providing justification for modifying governance/infrastructure files. Protected-path changes always require human approval. The changes include removing the konflux-vanguard/data-acceptable-bundles data source and migrating the policy source from enterprise-contract/ec-release-policy to conforma/release-policy.
    Remediation: Link an issue authorizing the policy source migration, or obtain explicit human maintainer approval for the protected-path change.

Medium

  • [stale-reference] policies/tekton-task/policy.yaml:29 — The PR updates policies/cli/policy.yaml to use the new policy image oci::quay.io/conforma/release-policy:latest (replacing oci::quay.io/enterprise-contract/ec-release-policy:latest), but the sibling policy file policies/tekton-task/policy.yaml at line 29 still references the old oci::quay.io/enterprise-contract/ec-release-policy:latest. If the intent is to migrate away from the enterprise-contract registry, this file should also be updated to remain consistent.
    Remediation: Update policies/tekton-task/policy.yaml line 29 to use oci::quay.io/conforma/release-policy:latest, or confirm this file is intentionally left on the old reference for now.

Low

  • [consumer-completeness] policies/cli/policy.yaml:31 — The konflux-vanguard/data-acceptable-bundles data source is being removed while simultaneously the rpms-signature-scan task bundle is moved from the konflux-vanguard registry to tekton-catalog. The remaining tekton-catalog/data-acceptable-bundles data source must include the new task-rpms-signature-scan:0.2 digest for EC validation to pass. This cannot be verified without querying the OCI registry, but if the new digest is not yet listed in the acceptable bundles data, the pipeline will fail the acceptable_bundles policy check.

Labels: PR modifies CI pipeline configurations (.tekton/) and policy configuration (policies/)

@fullsend-ai-review fullsend-ai-review Bot left a comment



See the review comment for full details.

Comment thread policies/cli/policy.yaml

codecov Bot commented Jun 25, 2026


Codecov Report

✅ All modified and coverable lines are covered by tests.

Flag Coverage Δ
acceptance 53.44% <ø> (ø)
generative 16.79% <ø> (ø)
integration 27.66% <ø> (ø)
unit 69.13% <ø> (ø)


Just noticed it needed fixing while creating previous commit.
I used the bash script like this:

    curl -sL https://github.com/simonbaird/konflux-pipeline-patcher/raw/main/pipeline-patcher  | bash -s bump-task-refs

Note that MintMaker has been disabled recently, so I think the usual
automated PRs are not available.
Commit created like this:

  hack/go-mod-upgrade-helper github.com/containerd/containerd  --ignore-tidy-error
@simonbaird

Member Author

I might be wrong, but I don't think "protected path" considerations mentioned by @fullsend-ai-review apply here.

@simonbaird

Member Author

Good catch on the [stale-reference] comment. Fixed in next revision. Also I've added a golang module upgrade that should fix the CVE violation.

@simonbaird simonbaird force-pushed the konflux-task-refs-update-main branch from 8024bc0 to 42cab74 on June 25, 2026 20:13
@github-actions github-actions Bot added size: M and removed size: S labels Jun 25, 2026

fullsend-ai-review Bot commented Jun 25, 2026


🤖 Finished Review · ✅ Success · Started 8:16 PM UTC · Completed 8:27 PM UTC
Commit: 47d3320

@fullsend-ai-review fullsend-ai-review Bot left a comment



See the review comment for full details.

Needed for the next commit.
Commit created like this:

  hack/go-mod-upgrade-helper github.com/containerd/containerd/v2  --ignore-tidy-error
@simonbaird simonbaird changed the title Konflux task refs update (main) Konflux task refs and other dependency updates (main) Jun 25, 2026

fullsend-ai-review Bot commented Jun 25, 2026


🤖 Review · ⚠️ Cancelled · Started 9:44 PM UTC · Ended 9:50 PM UTC
Commit: 47d3320

@coderabbitai coderabbitai Bot left a comment



Actionable comments posted: 3

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@acceptance/go.mod`:
- Line 16: Update acceptance/go.mod to match the newer go-containerregistry fork
used by the root module: the current replace for
github.com/google/go-containerregistry still points acceptance at the older
github.com/conforma/go-containerregistry revision, so change that replace to the
same v0.21.8-based fork/version used elsewhere. Make the same alignment in the
related replace entry referenced by the comment so acceptance builds and go mod
download resolve the intended fork instead of the stale one.

In `@Dockerfile`:
- Line 19: The Go builder stage still uses the mutable golang:1.26.3 tag, so
update the Dockerfile build stage to pin that base image by digest, matching the
existing digest-pinned pattern used in Dockerfile.dist. Keep the change
localized to the FROM instruction for the build stage so the builder image is
reproducible and supply-chain hardened.

In `@tools/kubectl/go.mod`:
- Line 5: The Kubernetes staging dependencies in tools/kubectl/go.mod are on
mixed release lines, with k8s.io/kubernetes and k8s.io/kubectl still on v0.34.2
while the other Kubernetes modules are on v0.36.0. Update the remaining v0.34.2
entries in the go.mod file so all Kubernetes-related dependencies use the same
release version, and verify the module set stays consistent across
k8s.io/kubernetes, k8s.io/kubectl, and the staging packages referenced there.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Enterprise

Run ID: 3243c460-fc70-4a62-af01-bd07696ecaa5

📥 Commits

Reviewing files that changed from the base of the PR and between 42cab74 and 1a25108.

⛔ Files ignored due to path filters (4)
  • acceptance/go.sum is excluded by !**/*.sum
  • go.sum is excluded by !**/*.sum
  • tools/go.sum is excluded by !**/*.sum
  • tools/kubectl/go.sum is excluded by !**/*.sum
📒 Files selected for processing (9)
  • .tool-versions
  • Dockerfile
  • Dockerfile.dist
  • acceptance/go.mod
  • acceptance/kubernetes/kind/acceptance.Dockerfile
  • go.mod
  • hack/ubi-base-image-bump.sh
  • tools/go.mod
  • tools/kubectl/go.mod
✅ Files skipped from review due to trivial changes (1)
  • .tool-versions
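Two findings in this thread come down to the same two checks on an image reference: the fullsend note that the rpms-signature-scan bundle, now pulled from tekton-catalog, will fail the acceptable_bundles policy check unless its new digest is listed in the data-acceptable-bundles source, and CodeRabbit's note that the Dockerfile's golang:1.26.3 tag is mutable and should be pinned by digest. The Go program below is an added example written for this page, not code from the conforma project or the ec CLI. It parses references with the standard library only, treats anything without a digest as unpinned, and then looks the digest up in an allowlist. The registry name registry.example, the 127.0.0.1:5000 registry, the two placeholder digests, and the repository-to-digest map standing in for the acceptable-bundles data are all constructed for the example and do not reflect the real data source schema.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// ImageRef is a parsed OCI image reference, e.g.
// registry.example/tekton-catalog/task-rpms-signature-scan:0.2@sha256:<64 hex>.
type ImageRef struct {
	Repository string // registry[:port]/namespace/name
	Tag        string // empty when no tag is given
	Digest     string // "sha256:<64 hex>" or empty when not pinned
}

var digestRE = regexp.MustCompile(`^sha256:[0-9a-f]{64}$`)

// ParseRef splits a reference into repository, tag and digest. A malformed
// digest is an error rather than being silently treated as part of a tag.
func ParseRef(ref string) (ImageRef, error) {
	var r ImageRef
	rest := ref
	if i := strings.Index(rest, "@"); i >= 0 {
		r.Digest = rest[i+1:]
		rest = rest[:i]
		if !digestRE.MatchString(r.Digest) {
			return ImageRef{}, fmt.Errorf("malformed digest in %q", ref)
		}
	}
	// A colon after the last slash introduces the tag; a colon before it is a
	// registry port (e.g. 127.0.0.1:5000/ec/task), so it must not be split off.
	lastSlash := strings.LastIndex(rest, "/")
	if i := strings.LastIndex(rest, ":"); i > lastSlash {
		r.Tag = rest[i+1:]
		rest = rest[:i]
	}
	if rest == "" {
		return ImageRef{}, fmt.Errorf("empty repository in %q", ref)
	}
	r.Repository = rest
	return r, nil
}

// Pinned reports whether the reference is immutable. Only a digest makes it
// so: a tag such as :latest, or even :0.2, can be moved to different content.
func (r ImageRef) Pinned() bool { return r.Digest != "" }

// AcceptableBundles maps a repository to the digests a policy trusts. This is
// a simplified stand-in for an acceptable-bundles data source, not its real schema.
type AcceptableBundles map[string]map[string]bool

// Finding is one violation for a bundle reference.
type Finding struct {
	Ref    string
	Reason string
}

// CheckBundles applies two rules to each task bundle reference: it must be
// pinned by digest, and that digest must be listed for its repository.
func CheckBundles(refs []string, acceptable AcceptableBundles) []Finding {
	var findings []Finding
	for _, ref := range refs {
		parsed, err := ParseRef(ref)
		switch {
		case err != nil:
			findings = append(findings, Finding{ref, err.Error()})
		case !parsed.Pinned():
			findings = append(findings, Finding{ref, "not pinned by digest"})
		case !acceptable[parsed.Repository][parsed.Digest]:
			findings = append(findings, Finding{ref, "digest not in acceptable bundles for " + parsed.Repository})
		}
	}
	return findings
}

// Constructed sample data: the registry and both digests are placeholders.
const sampleRepo = "registry.example/tekton-catalog/task-rpms-signature-scan"

var (
	DigestOK  = "sha256:" + strings.Repeat("a", 64)
	DigestOld = "sha256:" + strings.Repeat("b", 64)

	SampleAcceptable = AcceptableBundles{sampleRepo: {DigestOK: true}}

	SampleRefs = []string{
		sampleRepo + ":0.2@" + DigestOK,          // pinned and listed: passes
		sampleRepo + ":0.2@" + DigestOld,         // pinned to a digest that was never admitted
		sampleRepo + ":0.2",                      // floating tag: fails even if the content is right
		"127.0.0.1:5000/ec/task:0.1@" + DigestOK, // registry port must not be mistaken for a tag
	}
)

func main() {
	for _, f := range CheckBundles(SampleRefs, SampleAcceptable) {
		fmt.Printf("%s: %s\n", f.Ref, f.Reason)
	}
}
```

The second sample reference is the situation the review describes: the reference is pinned, the content may be exactly what the catalog published, but the policy still rejects it because the allowlist is what the policy trusts, not the registry. The only remedy is to admit the digest to the data source; rewriting the reference does not help. The third reference is the Dockerfile case: a version tag looks precise but is not a pin.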

Comment thread acceptance/go.mod
Comment thread Dockerfile
Comment thread tools/kubectl/go.mod

fullsend-ai-review Bot commented Jun 25, 2026


🤖 Finished Review · ✅ Success · Started 9:53 PM UTC · Completed 10:05 PM UTC
Commit: 47d3320

@fullsend-ai-review fullsend-ai-review Bot left a comment



See the review comment for full details.

Comment thread policies/cli/policy.yaml
Comment thread policies/cli/policy.yaml
Comment thread hack/ubi-base-image-bump.sh
Comment thread go.mod Outdated

fullsend-ai-review Bot commented Jun 26, 2026


🤖 Review · ⚠️ Cancelled · Started 12:39 PM UTC · Ended 12:45 PM UTC
Commit: 47d3320

simonbaird and others added 4 commits June 26, 2026 08:44
It has gone stale lately, but it was rebased/refreshed recently in
EC-1866. Make sure we're using the refreshed version.

The upstream version we're now using is based on v0.27.7.

Ref: https://redhat.atlassian.net/browse/EC-1866

Co-authored-by: Claude Code <noreply@anthropic.com>
I always include the ubi bump commit in a larger chore PR, so making
a fresh branch and pushing it is pretty much never what I want.
Fixes CI build failure where kubectl v0.34.2 expected
k8s.io/api/scheduling/v1alpha1 which was removed in v0.36.0.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@simonbaird simonbaird force-pushed the konflux-task-refs-update-main branch from 76d646d to 701fd83 on June 26, 2026 12:44

fullsend-ai-review Bot commented Jun 26, 2026


🤖 Finished Review · ✅ Success · Started 12:48 PM UTC · Completed 12:58 PM UTC
Commit: 47d3320

@fullsend-ai-review fullsend-ai-review Bot left a comment



See the review comment for full details.

Comment thread Makefile Outdated

fullsend-ai-review Bot commented Jun 26, 2026


🤖 Finished Review · ✅ Success · Started 1:32 PM UTC · Completed 1:43 PM UTC
Commit: 47d3320

@fullsend-ai-review fullsend-ai-review Bot left a comment



See the review comment for full details.

Comment thread hack/ubi-base-image-bump.sh
Comment thread Makefile Outdated
simonbaird and others added 2 commits June 26, 2026 09:44
This helped me test the dependency change fixes in the previous
commit.
This fixes some go mod tidy errors that we've been ignoring for a
while.

Older knative.dev/eventing versions import
knative.dev/pkg/{metrics,tracing/config} which have been removed
upstream. Fix by excluding v0.30.3 in tools and requiring minimum
v0.49.2 in acceptance (the first version that dropped the removed
imports).

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

fullsend-ai-review Bot commented Jun 26, 2026


🤖 Finished Review · ✅ Success · Started 2:14 PM UTC · Completed 2:25 PM UTC
Commit: 47d3320

@fullsend-ai-review fullsend-ai-review Bot left a comment



See the review comment for full details.

Comment thread hack/ubi-base-image-bump.sh
Comment thread hack/ubi-base-image-bump.sh
Comment thread go.mod Outdated
Comment thread Makefile
@simonbaird

simonbaird commented Jun 26, 2026

Member Author

Not sure why the acceptance test is failing, since it passes for me locally.

Update: Was due to conforma/go-containerregistry#7 .

…36.0

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

fullsend-ai-review Bot commented Jun 26, 2026


🤖 Finished Review · ✅ Success · Started 3:17 PM UTC · Completed 3:31 PM UTC
Commit: 47d3320

@fullsend-ai-review fullsend-ai-review Bot left a comment



See the review comment for full details.

Comment thread acceptance/kubernetes/kind/kind.go Outdated
Comment thread acceptance/kubernetes/kind/kubernetes.go Outdated
Comment thread hack/ubi-base-image-bump.sh
My hope is that this gets our acceptance tests, particularly the
task_validate_image feature, passing again.

See conforma/go-containerregistry#7
@simonbaird simonbaird force-pushed the konflux-task-refs-update-main branch from a952f6a to fc77635 on June 26, 2026 18:17

fullsend-ai-review Bot commented Jun 26, 2026


🤖 Finished Review · ✅ Success · Started 6:20 PM UTC · Completed 6:29 PM UTC
Commit: 47d3320

@fullsend-ai-review fullsend-ai-review Bot left a comment



See the review comment for full details.

Comment thread hack/ubi-base-image-bump.sh

@robnester-rh robnester-rh left a comment

Contributor


Nit: typo in pr description ("out")

Otherwise LGTM

@simonbaird simonbaird merged commit 76afa95 into conforma:main Jun 26, 2026
38 checks passed

fullsend-ai-retro Bot commented Jun 26, 2026


🤖 Finished Retro · ✅ Success · Started 8:26 PM UTC · Completed 8:35 PM UTC
Commit: 47d3320

@fullsend-ai-retro


Retro: PR #3357 — Konflux task refs and dependency updates

This was a human-authored PR by simonbaird with 14 commits spanning dependency updates, Konflux task ref changes, Go version bumps, and misc fixes. The review agent (fullsend-ai-review[bot]) ran 8 times, posting 6 CHANGES_REQUESTED and 2 DISMISSED verdicts, plus 17 inline comments. Of those 17 comments, only 2 were acted on (missing .PHONY declaration and k8s version skew) — a 12% actionable rate.

The most notable pattern: the same finding about commented-out code in hack/ubi-base-image-bump.sh was raised in 5+ separate inline comments across multiple review runs, even after the author explicitly replied "Accurate, but I still don't want to change it." The review agent ignored these replies and continued re-flagging.

Existing issues that cover the problems observed

All key improvement opportunities are already tracked in fullsend-ai/fullsend:

  • #1672 — Review agent should honor explicit author dismissals of findings. This is the exact scenario observed here: author replies acknowledging but declining a finding, bot re-raises it on every subsequent run.
  • #2115 — Use COMMENT verdict (not CHANGES_REQUESTED) for human-authored PRs with only medium/low findings. Would have prevented 6 blocking reviews on this PR where all code-quality findings were low-severity.
  • #1500 — Do not re-request changes for unchanged findings. The same findings persisted across 8 runs.
  • #1013 — Deduplicate findings across iterations on the same PR.
  • #1068 — Do not file CHANGES_REQUESTED for governance-only findings (protected-path) that cannot be resolved by code changes.

What went well

  • The .PHONY and k8s version skew catches were genuinely useful.
  • coderabbitai[bot] produced actionable findings (Dockerfile pin-by-digest → follow-up issue Pin Go builder image in Dockerfile by digest #3359, k8s dep alignment).
  • The review agent's sticky comment format with history of previous runs provided good traceability.

No new proposals filed

The problems observed are well-covered by existing open issues, particularly #1672 (author dismissal honoring) and #2115 (COMMENT verdict for human PRs). Implementing these would address the core friction: 8 blocking reviews with a 12% actionable rate on a human-authored dependency update PR.


Labels

ci config dependencies Pull requests that update a dependency file docker Pull requests that update Docker code go Pull requests that update Go code size: XXL


2 participants