OCPBUGS-87287: Updating openshift-enterprise-registry-container image to be consistent with ART for 5.0

[openshift-bot]

Updating openshift-enterprise-registry-container image to be consistent with ART for 5.0
TLDR:
Product builds by ART can be configured for different base and builder images than corresponding CI
builds. This automated PR requests a change to CI configuration to align with ART's configuration;
please take steps to merge it quickly or contact ART to coordinate changes.

The configuration in the following ART component metadata is driving this alignment request:
openshift-enterprise-registry.yml.

Detail:

This repository is out of sync with the downstream product builds for this component. The CI
configuration for at least one image differs from ART's expected product configuration. This should
be addressed to ensure that the component's CI testing accurate reflects what customers will
experience.

Most of these PRs are opened as an ART-driven proposal to migrate base image or builder(s) to a
different version, usually prior to GA. The intent is to effect changes in both configurations
simultaneously without breaking either CI or ART builds, so usually ART builds are configured to
consider CI as canonical and attempt to match CI config until the PR merges to align both. ART may
also configure changes in GA releases with CI remaining canonical for a brief grace period to enable
CI to succeed and the alignment PR to merge. In either case, ART configuration will be made
canonical at some point (typically at branch-cut before GA or release dev-cut after GA), so it is
important to align CI configuration as soon as possible.

PRs are also triggered when CI configuration changes without ART coordination, for instance to
change the number of builder images or to use a different golang version. These changes should be
coordinated with ART; whether ART configuration is canonical or not, preferably it would be updated
first to enable the changes to occur simultaneously in both CI and ART at the same time. This also
gives ART a chance to validate the intended changes first. For instance, ART compiles most
components with the Golang version being used by the control plane for a given OpenShift release.
Exceptions to this convention (i.e. you believe your component must be compiled with a Golang
version independent from the control plane) must be granted by the OpenShift staff engineers and
communicated to the ART team.

Roles & Responsibilities:

• Component owners are responsible for ensuring these alignment PRs merge with passing
  tests OR that necessary metadata changes are reported to the ART team
  in #forum-ocp-art on Slack. If necessary, the changes required by this pull request can be
  introduced with a separate PR opened by the component team. Once the repository is aligned,
  this PR will be closed automatically.
• In particular, it could be that a job like verify-deps is complaining. In that case, please open
  a new PR with the dependency issues addressed (and base images bumped). ART-9595 for reference.
• Patch-manager or those with sufficient privileges within this repository may add
  any required labels to ensure the PR merges once tests are passing. In cases where ART config is
  canonical, downstream builds are already being built with these changes, and merging this PR
  only improves the fidelity of our CI. In cases where ART config is not canonical, this provides
  a grace period for the component team to align their CI with ART's configuration before it becomes
  canonical in product builds.

ART has been configured to reconcile your CI build root image (see https://docs.ci.openshift.org/docs/architecture/ci-operator/#build-root-image).
In order for your upstream .ci-operator.yaml configuration to be honored, you must set the following in your openshift/release ci-operator configuration file:

build_root:
  from_repository: true

Change behavior of future PRs:

• In case you just want to follow the base images that ART suggests, you can configure additional labels to be
  set up automatically. This means that such a PR would merge without human intervention (and awareness!) in the future.
  To do so, open a PR to set the auto_label attribute in the image configuration. Example
• You can set a commit prefix, like UPSTREAM: <carry>: . An example.

If you have any questions about this pull request, please reach out in the #forum-ocp-art Slack channel.

Summary by CodeRabbit

• Chores
  • Updated build environment to use Go 1.26 with RHEL 9 release tag.
  • Updated container base images to OpenShift 5.0 compatible versions.

[openshift-bot]

Created by ART pipeline job run https://art-jenkins.apps.prod-stable-spoke1-dc-iad2.itup.redhat.com/job/aos-cd-builds/job/build%252Fsync-ci-images/201

[coderabbitai]

Walkthrough

This PR updates the build configuration to use newer OpenShift and Go versions. The CI operator configuration and Dockerfile both switch from OpenShift 4.22 with Go 1.25 to OpenShift 5.0 with Go 1.26 across builder and runtime stages.

Changes

Build Infrastructure Updates

Layer / File(s)	Summary
Base image version updates .ci-operator.yaml, Dockerfile.ocp	CI operator build_root_image.tag and Dockerfile builder/runtime stage base images all updated from OpenShift 4.22 / Go 1.25 to OpenShift 5.0 / Go 1.26 release tags.

🎯 1 (Trivial) | ⏱️ ~3 minutes

🚥 Pre-merge checks | ✅ 15

✅ Passed checks (15 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names	✅ Passed	PR only modifies CI operator config and Dockerfile; no test files or Ginkgo tests are present or changed. Check is not applicable.
Test Structure And Quality	✅ Passed	PR contains no Ginkgo test code changes—only configuration and Dockerfile updates for OpenShift 5.0 compatibility. Custom check for test structure is not applicable.
Microshift Test Compatibility	✅ Passed	No new Ginkgo e2e tests are added in this PR. Changes are limited to CI configuration (.ci-operator.yaml) and Dockerfile updates, which do not contain test code or MicroShift-incompatible APIs.
Single Node Openshift (Sno) Test Compatibility	✅ Passed	PR contains no new Ginkgo e2e tests; changes are limited to CI configuration (.ci-operator.yaml) and Dockerfile updates for OpenShift 5.0 compatibility. Check is not applicable.
Topology-Aware Scheduling Compatibility	✅ Passed	PR only modifies build configuration and Dockerfile images. No deployment manifests, operator code, controllers, or scheduling constraints are present; check is inapplicable.
Ote Binary Stdout Contract	✅ Passed	PR only modifies configuration files (.ci-operator.yaml, Dockerfile.ocp), not Go code. OTE stdout checks require Go source analysis, which is unaffected here.
Ipv6 And Disconnected Network Test Compatibility	✅ Passed	PR contains no new Ginkgo e2e tests or test files. Changes are CI operator and Dockerfile configuration only. Check applicability requires new test code.
No-Weak-Crypto	✅ Passed	PR contains only CI configuration changes (image tag updates); no weak crypto algorithms (MD5, SHA1, DES, RC4, 3DES, Blowfish, ECB) found in source code or modified files.
Container-Privileges	✅ Passed	No privileged container settings found. Container runs as non-root user 1001. PR only updates base image tags for OpenShift 5.0 alignment.
No-Sensitive-Data-In-Logs	✅ Passed	No sensitive data logging found. PR changes are configuration/image updates with no new logging statements that expose passwords, tokens, API keys, PII, or other sensitive information.
Title check	✅ Passed	The title accurately describes the main change: updating container images for OpenShift 5.0 to align with ART configuration, which is reflected in both the .ci-operator.yaml and Dockerfile.ocp changes.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[openshift-ci-robot]

@openshift-bot: This pull request references Jira Issue OCPBUGS-87287, which is valid. The bug has been moved to the POST state.

3 validation(s) were run on this bug

• bug is open, matching expected state (open)
• bug target version (5.0.0) matches configured target version for branch (5.0.0)
• bug is in the state New, which is one of the valid states (NEW, ASSIGNED, POST)

The bug has been updated to refer to the pull request using the external bug tracker.

Details

In response to this:

Updating openshift-enterprise-registry-container image to be consistent with ART for 5.0
TLDR:
Product builds by ART can be configured for different base and builder images than corresponding CI
builds. This automated PR requests a change to CI configuration to align with ART's configuration;
please take steps to merge it quickly or contact ART to coordinate changes.

The configuration in the following ART component metadata is driving this alignment request:
openshift-enterprise-registry.yml.

Detail:

This repository is out of sync with the downstream product builds for this component. The CI
configuration for at least one image differs from ART's expected product configuration. This should
be addressed to ensure that the component's CI testing accurate reflects what customers will
experience.

Most of these PRs are opened as an ART-driven proposal to migrate base image or builder(s) to a
different version, usually prior to GA. The intent is to effect changes in both configurations
simultaneously without breaking either CI or ART builds, so usually ART builds are configured to
consider CI as canonical and attempt to match CI config until the PR merges to align both. ART may
also configure changes in GA releases with CI remaining canonical for a brief grace period to enable
CI to succeed and the alignment PR to merge. In either case, ART configuration will be made
canonical at some point (typically at branch-cut before GA or release dev-cut after GA), so it is
important to align CI configuration as soon as possible.

PRs are also triggered when CI configuration changes without ART coordination, for instance to
change the number of builder images or to use a different golang version. These changes should be
coordinated with ART; whether ART configuration is canonical or not, preferably it would be updated
first to enable the changes to occur simultaneously in both CI and ART at the same time. This also
gives ART a chance to validate the intended changes first. For instance, ART compiles most
components with the Golang version being used by the control plane for a given OpenShift release.
Exceptions to this convention (i.e. you believe your component must be compiled with a Golang
version independent from the control plane) must be granted by the OpenShift staff engineers and
communicated to the ART team.

Roles & Responsibilities:

• Component owners are responsible for ensuring these alignment PRs merge with passing
  tests OR that necessary metadata changes are reported to the ART team
  in #forum-ocp-art on Slack. If necessary, the changes required by this pull request can be
  introduced with a separate PR opened by the component team. Once the repository is aligned,
  this PR will be closed automatically.
• In particular, it could be that a job like verify-deps is complaining. In that case, please open
  a new PR with the dependency issues addressed (and base images bumped). ART-9595 for reference.
• Patch-manager or those with sufficient privileges within this repository may add
  any required labels to ensure the PR merges once tests are passing. In cases where ART config is
  canonical, downstream builds are already being built with these changes, and merging this PR
  only improves the fidelity of our CI. In cases where ART config is not canonical, this provides
  a grace period for the component team to align their CI with ART's configuration before it becomes
  canonical in product builds.

ART has been configured to reconcile your CI build root image (see https://docs.ci.openshift.org/docs/architecture/ci-operator/#build-root-image).
In order for your upstream .ci-operator.yaml configuration to be honored, you must set the following in your openshift/release ci-operator configuration file:

build_root:
 from_repository: true

Change behavior of future PRs:

• In case you just want to follow the base images that ART suggests, you can configure additional labels to be
  set up automatically. This means that such a PR would merge without human intervention (and awareness!) in the future.
  To do so, open a PR to set the auto_label attribute in the image configuration. Example
• You can set a commit prefix, like UPSTREAM: <carry>: . An example.

If you have any questions about this pull request, please reach out in the #forum-ocp-art Slack channel.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: openshift-bot
Once this PR has been reviewed and has the lgtm label, please assign ricardomaraschini for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[openshift-ci-robot]

@openshift-bot: This pull request references Jira Issue OCPBUGS-87287, which is valid.

3 validation(s) were run on this bug

• bug is open, matching expected state (open)
• bug target version (5.0.0) matches configured target version for branch (5.0.0)
• bug is in the state POST, which is one of the valid states (NEW, ASSIGNED, POST)

Details

In response to this:

Updating openshift-enterprise-registry-container image to be consistent with ART for 5.0
TLDR:
Product builds by ART can be configured for different base and builder images than corresponding CI
builds. This automated PR requests a change to CI configuration to align with ART's configuration;
please take steps to merge it quickly or contact ART to coordinate changes.

The configuration in the following ART component metadata is driving this alignment request:
openshift-enterprise-registry.yml.

Detail:

This repository is out of sync with the downstream product builds for this component. The CI
configuration for at least one image differs from ART's expected product configuration. This should
be addressed to ensure that the component's CI testing accurate reflects what customers will
experience.

Most of these PRs are opened as an ART-driven proposal to migrate base image or builder(s) to a
different version, usually prior to GA. The intent is to effect changes in both configurations
simultaneously without breaking either CI or ART builds, so usually ART builds are configured to
consider CI as canonical and attempt to match CI config until the PR merges to align both. ART may
also configure changes in GA releases with CI remaining canonical for a brief grace period to enable
CI to succeed and the alignment PR to merge. In either case, ART configuration will be made
canonical at some point (typically at branch-cut before GA or release dev-cut after GA), so it is
important to align CI configuration as soon as possible.

PRs are also triggered when CI configuration changes without ART coordination, for instance to
change the number of builder images or to use a different golang version. These changes should be
coordinated with ART; whether ART configuration is canonical or not, preferably it would be updated
first to enable the changes to occur simultaneously in both CI and ART at the same time. This also
gives ART a chance to validate the intended changes first. For instance, ART compiles most
components with the Golang version being used by the control plane for a given OpenShift release.
Exceptions to this convention (i.e. you believe your component must be compiled with a Golang
version independent from the control plane) must be granted by the OpenShift staff engineers and
communicated to the ART team.

Roles & Responsibilities:

• Component owners are responsible for ensuring these alignment PRs merge with passing
  tests OR that necessary metadata changes are reported to the ART team
  in #forum-ocp-art on Slack. If necessary, the changes required by this pull request can be
  introduced with a separate PR opened by the component team. Once the repository is aligned,
  this PR will be closed automatically.
• In particular, it could be that a job like verify-deps is complaining. In that case, please open
  a new PR with the dependency issues addressed (and base images bumped). ART-9595 for reference.
• Patch-manager or those with sufficient privileges within this repository may add
  any required labels to ensure the PR merges once tests are passing. In cases where ART config is
  canonical, downstream builds are already being built with these changes, and merging this PR
  only improves the fidelity of our CI. In cases where ART config is not canonical, this provides
  a grace period for the component team to align their CI with ART's configuration before it becomes
  canonical in product builds.

ART has been configured to reconcile your CI build root image (see https://docs.ci.openshift.org/docs/architecture/ci-operator/#build-root-image).
In order for your upstream .ci-operator.yaml configuration to be honored, you must set the following in your openshift/release ci-operator configuration file:

build_root:
 from_repository: true

Change behavior of future PRs:

• In case you just want to follow the base images that ART suggests, you can configure additional labels to be
  set up automatically. This means that such a PR would merge without human intervention (and awareness!) in the future.
  To do so, open a PR to set the auto_label attribute in the image configuration. Example
• You can set a commit prefix, like UPSTREAM: <carry>: . An example.

If you have any questions about this pull request, please reach out in the #forum-ocp-art Slack channel.

Summary by CodeRabbit

• Chores
• Updated build environment to use Go 1.26 with RHEL 9 release tag.
• Updated container base images to OpenShift 5.0 compatible versions.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[coderabbitai]

Actionable comments posted: 2

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

Dockerfile.ocp (1)

26-31: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Add a container HEALTHCHECK in the final image.

The runtime stage has no health check, which violates the Dockerfile policy and weakens runtime failure detection.

Example

+HEALTHCHECK --interval=30s --timeout=5s --start-period=20s --retries=3 \
+  CMD ["/usr/bin/distribution", "--version"] || exit 1

As per coding guidelines, "HEALTHCHECK defined."

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@Dockerfile.ocp` around lines 26 - 31, The final image lacks a Docker
HEALTHCHECK; add a HEALTHCHECK instruction in Dockerfile.ocp near the
ENTRYPOINT/CMD to enable runtime liveness probing. Implement a HEALTHCHECK that
runs a small, fast command appropriate for the registry (for example a HTTP
probe against the registry listen port or a status CLI), and include sensible
options (interval, timeout, retries) so failures are detected but transient
issues are tolerated; ensure the probe exits 0 on healthy and non-zero on
failure, and place the HEALTHCHECK after ENTRYPOINT/CMD so it applies to the
final stage.

Source: Coding guidelines

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@Dockerfile.ocp`:
- Line 1: The Dockerfile uses registry.ci.openshift.org images; update both FROM
lines (including the first stage image referenced as "builder") to use the
approved catalog.redhat.com UBI minimal or distroless base images per policy
(replace registry.ci.openshift.org/... with the appropriate catalog.redhat.com
UBI/distroless equivalents), ensuring both build and final stages reference
catalog.redhat.com images.
- Line 3: Replace the unsafe "COPY . ." in Dockerfile.ocp with explicit COPY
instructions for only the build inputs referenced by hack/build-go.sh: inspect
hack/build-go.sh to determine required files (e.g., go.mod, go.sum, the cmd/
pkg/ internal/ directories, and any scripts/configs it invokes) and add one or
more COPY lines for those paths instead of the entire context; also update
.dockerignore to exclude secrets/unnecessary files and ensure no secrets are
passed via ENV or ARG in the Dockerfile.

---

Outside diff comments:
In `@Dockerfile.ocp`:
- Around line 26-31: The final image lacks a Docker HEALTHCHECK; add a
HEALTHCHECK instruction in Dockerfile.ocp near the ENTRYPOINT/CMD to enable
runtime liveness probing. Implement a HEALTHCHECK that runs a small, fast
command appropriate for the registry (for example a HTTP probe against the
registry listen port or a status CLI), and include sensible options (interval,
timeout, retries) so failures are detected but transient issues are tolerated;
ensure the probe exits 0 on healthy and non-zero on failure, and place the
HEALTHCHECK after ENTRYPOINT/CMD so it applies to the final stage.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: f46b57d0-307a-42ae-a8df-1508ecdc8ef7

📥 Commits

Reviewing files that changed from the base of the PR and between 57039cd and 538ad4d.

📒 Files selected for processing (2)

• .ci-operator.yaml
• Dockerfile.ocp

[coderabbitai]

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Use approved catalog.redhat.com base images for both stages.

Both FROM lines currently use registry.ci.openshift.org, which violates the container base-image policy for Dockerfiles.

As per coding guidelines, "Base image: UBI minimal or distroless from catalog.redhat.com."

Also applies to: 6-6

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@Dockerfile.ocp` at line 1, The Dockerfile uses registry.ci.openshift.org
images; update both FROM lines (including the first stage image referenced as
"builder") to use the approved catalog.redhat.com UBI minimal or distroless base
images per policy (replace registry.ci.openshift.org/... with the appropriate
catalog.redhat.com UBI/distroless equivalents), ensuring both build and final
stages reference catalog.redhat.com images.

Source: Coding guidelines

[coderabbitai]

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Avoid COPY . .; copy only required build inputs.

COPY . . can unintentionally pull secrets and unrelated files into the build context. Restrict this to explicit paths used by hack/build-go.sh.

Suggested tightening

-COPY . .
+COPY go.mod go.sum ./
+COPY cmd/ ./cmd/
+COPY pkg/ ./pkg/
+COPY hack/ ./hack/
+COPY vendor/ ./vendor/

As per coding guidelines, "COPY specific files, not entire context" and "No secrets in ENV, ARG, or COPY."

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	COPY . .
	COPY go.mod go.sum ./
	COPY cmd/ ./cmd/
	COPY pkg/ ./pkg/
	COPY hack/ ./hack/
	COPY vendor/ ./vendor/

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@Dockerfile.ocp` at line 3, Replace the unsafe "COPY . ." in Dockerfile.ocp
with explicit COPY instructions for only the build inputs referenced by
hack/build-go.sh: inspect hack/build-go.sh to determine required files (e.g.,
go.mod, go.sum, the cmd/ pkg/ internal/ directories, and any scripts/configs it
invokes) and add one or more COPY lines for those paths instead of the entire
context; also update .dockerignore to exclude secrets/unnecessary files and
ensure no secrets are passed via ENV or ARG in the Dockerfile.

Source: Coding guidelines

[openshift-ci]

@openshift-bot: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/e2e-aws-upgrade	538ad4d	link	true	/test e2e-aws-upgrade

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.