Skip to content

chore(deps): update build#3653

Open
renovate[bot] wants to merge 1 commit into
mainfrom
renovate/build
Open

chore(deps): update build#3653
renovate[bot] wants to merge 1 commit into
mainfrom
renovate/build

Conversation

@renovate

@renovate renovate Bot commented Jul 1, 2026

Copy link
Copy Markdown
Contributor

This PR contains the following updates:

Package Type Update Change
quay.io/konflux-ci/build-trusted-artifacts tekton-step-image digest 7c51a35a03e798
quay.io/konflux-ci/konflux-build-cli digest 0415613185c379
quay.io/konflux-ci/konflux-build-cli tekton-step-image digest ae68489185c379
quay.io/konflux-ci/task-runner tekton-step-image minor 2.0.02.1.0
quay.io/konflux-ci/tekton-catalog/task-apply-tags digest 3ab84416387614
quay.io/konflux-ci/tekton-catalog/task-init digest 421003a0680117
quay.io/konflux-ci/tekton-catalog/task-push-dockerfile digest 0b111489992e78
quay.io/konflux-ci/tekton-catalog/task-push-dockerfile-oci-ta digest 5a6cbebe19d134
quay.io/konflux-ci/tekton-catalog/task-source-build digest e1e6252d8e53d9
quay.io/konflux-ci/tekton-catalog/task-source-build-oci-ta digest 7c5575a2dd5b3e
registry.redhat.io/openshift4/ose-cli tekton-step-image digest d87faca3c21766

Warning

Some dependencies could not be looked up. Check the warning logs for more information.


Release Notes

konflux-ci/task-runner (quay.io/konflux-ci/task-runner)

v2.1.0

Compare Source

Date: 2026-07-08

Installed Software
  • git-lfs added (3.7.1-5.el10_2.5)
  • cosign 3.0.5 => 3.1.1
  • huggingface-hub 1.17.0 => 1.22.0
  • oc 4.21.0 => 4.22.0
  • syft 1.44.0 => 1.46.0
  • awscli 1.45.18 => 1.45.40
  • coreutils-single 9.5-7.el10 => 9.5-8.el10_2
  • kubectl 1.36.1 => 1.36.2
  • olot 0.1.17 => 0.1.18
  • openssl 3.5.5-3.el10_2 => 3.5.5-4.el10_2
  • rsync 3.4.1-6.el10_2 => 3.4.4-1.el10_2
  • skopeo 1.22.2-1.el10_2 => 1.22.2-2.el10_2
  • tkn 0.44.1 => 0.44.2
  • yq 4.53.2 => 4.53.3
Added
  • Added git-lfs to support cloning LFS-enabled repositories in the
    git-clone task and its derived production variants.

Configuration

📅 Schedule: (UTC)

  • Branch creation
    • At any time (no schedule defined)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate Bot requested review from a team, Allda and jedinym as code owners July 1, 2026 10:30
@fullsend-ai-review

fullsend-ai-review Bot commented Jul 1, 2026

Copy link
Copy Markdown

🤖 Finished Review · ✅ Success · Started 10:33 AM UTC · Completed 10:37 AM UTC
Commit: ec21706 · View workflow run →

@fullsend-ai-review

fullsend-ai-review Bot commented Jul 1, 2026

Copy link
Copy Markdown

Review — approve

PR: #3653 — chore(deps): update build
Author: renovate[bot]
Verdict: Approve ✅

Summary

Standard automated Renovate dependency update bumping container image digests and tags across 23 Tekton task YAML files. All changes are mechanical 1:1 image reference substitutions — no logic, scripts, parameters, or code were modified.

Images updated:

Image Change
quay.io/konflux-ci/build-trusted-artifacts digest rotation
quay.io/konflux-ci/konflux-build-cli digest rotation
quay.io/konflux-ci/task-runner 2.0.02.1.0 (minor, adds git-lfs + tool version bumps)
quay.io/konflux-ci/tekton-catalog/task-* (6 bundles) digest rotation
registry.redhat.io/openshift4/ose-cli digest rotation

Review dimensions

Dimension Result
Correctness ✅ No issues — image references consistent within Renovate group, sha256 digests valid, task-runner version bump uniform across all 15 applicable files
Security ✅ No issues — all images pinned to sha256 digests, trusted registries only (quay.io/konflux-ci, registry.redhat.io), no RBAC/permission/secrets changes
Intent & coherence ✅ Mechanical change — scope authorization implicit from automated dependency update
Style & conventions ✅ No issues — value-only changes follow existing image:tag@sha256:digest pattern
Documentation ✅ No staleness — no new public symbols, parameters, or behavioral changes introduced
Cross-repo contracts ⏭ Skipped — no exported interfaces, schemas, or APIs modified
Previous run

Review — ✅ Approve

Automated dependency update by Renovate — image reference changes only.

Changes Verified

This PR updates container image references across 23 Tekton task definition files. All changes are mechanical 1:1 replacements of image digests/tags with no logic, API, or behavioral modifications.

Image Update Type Files
quay.io/konflux-ci/task-runner 2.0.02.1.0 (minor) 14
quay.io/konflux-ci/konflux-build-cli digest only 10
quay.io/konflux-ci/build-trusted-artifacts digest only 5
External task bundles (apply-tags, init, push-dockerfile, source-build) digest only 6

Correctness

  • All 47 additions are paired with 47 deletions — pure image reference substitutions.
  • New SHA256 digests are consistent across all files referencing the same image (verified by cross-file grep).
  • The konflux-build-cli update converges two previously-different digests (0415613 and ae68489 in pnc-prebuild-git-clone-oci-ta/0.2) to a single new digest (46d3af8), improving consistency.
  • The task-runner 2.1.0 release notes show additive changes only (git-lfs added, tool version bumps) — no breaking changes.

Security

  • All image references use @sha256: digest pinning, ensuring immutable, tamper-resistant image resolution. ✅
  • All images originate from the project's own registry (quay.io/konflux-ci/). ✅
  • No new privileges, volume mounts, or security context changes. ✅

Intent & Scope

  • PR is authored by renovate[bot] and matches the standard Renovate dependency update pattern.
  • Changes are appropriately scoped to image references only — no task logic or API surface modifications.
  • Per project conventions (.cursor/rules/tekton.mdc), automated image digest bumps do not require task version bumps or changelog entries.

Documentation

  • No documentation updates needed — image digest changes don't affect user-facing docs or task APIs.

No findings.

Previous run (2)

Review — approve

Summary

Automated Renovate dependency update bumping container image digests and one minor version across 23 Tekton task definition files. All 48 changed lines are 1:1 image reference replacements — no logic, API, or behavioral changes.

Changes verified

Image Update type Occurrences
quay.io/konflux-ci/task-runner 2.0.02.1.0 (minor + digest) 20
quay.io/konflux-ci/konflux-build-cli digest only 15
quay.io/konflux-ci/build-trusted-artifacts digest only 6
registry.redhat.io/openshift4/ose-cli digest only 1
External task bundles (apply-tags, init, push-dockerfile, push-dockerfile-oci-ta, source-build, source-build-oci-ta) digest only 6

Analysis

  • Correctness: Every changed line is an image reference replacement. No script logic, task parameters, or resource specifications are modified. Digest consistency verified — each old digest maps to exactly one new digest across all files.
  • Security: All images remain pinned by sha256 digest, maintaining supply chain integrity. No new image sources or registries introduced. All references remain within quay.io/konflux-ci/ and registry.redhat.io/.
  • Intent & coherence: Standard automated dependency update via Renovate, appropriately scoped. The task-runner minor version bump (2.0.02.1.0) adds git-lfs support and updates installed tool versions — backward-compatible per semver.
  • Style/conventions: Per project convention (.cursor/rules/tekton.mdc), automated image digest bumps do not require a task version bump or changelog entry. The task-runner minor bump is a dependency image change, not a task definition API change.
  • Documentation: No documentation changes needed for image digest updates.
  • Cross-repo contracts: No API surface changes. Task interfaces (parameters, results, workspaces) are unchanged.
Previous run (3)

Review — Approve ✅

Automated Renovate dependency update — all changes are mechanical 1:1 image reference replacements across 23 Tekton task YAML files. No logic, parameters, scripts, permissions, or task structure changes.

Images updated

Image Change
quay.io/konflux-ci/build-trusted-artifacts digest 7c51a35a03e798
quay.io/konflux-ci/konflux-build-cli digest 0415613/ae6848946d3af8
quay.io/konflux-ci/task-runner 2.0.02.1.0 (minor; adds git-lfs, updates cosign/syft/oc/others)
quay.io/konflux-ci/tekton-catalog/* (6 bundles) digest-only bumps
registry.redhat.io/openshift4/ose-cli digest d87faca3c21766

Verified

  • Digest consistency: all instances of each old digest within the PR scope are updated to the same new digest — no partial updates.
  • Supply chain: all images remain pinned by sha256 digest to trusted project-owned registries (quay.io/konflux-ci/, registry.redhat.io/).
  • Excluded files are expected: archived-tasks/buildah-min/ retains old konflux-build-cli digest (archived, outside Renovate's includePaths); task/build-vm-image/0.2/ retains task-runner:2.0.0 (separate Renovate group).
  • No security surface changes: no RBAC, secrets, permissions, or auth code touched.
  • No test modifications: no risk of assertion weakening or test integrity issues.
  • No documentation staleness: no in-repo docs reference the specific digest values or version strings being changed in this PR.
Previous run (4)

Review — approve

PR: #3653 — chore(deps): update build
Author: renovate[bot]
Scope: 23 files changed (47 additions, 47 deletions) — all mechanical image reference updates

Summary

This is a Renovate-managed dependency update that bumps container image digests and one minor version across Tekton task definitions. All changes are 1:1 line replacements of image references — no logic, parameter, or structural changes.

Images updated:

Image Change Files
quay.io/konflux-ci/build-trusted-artifacts digest 7c51a35...a03e798... 5
quay.io/konflux-ci/konflux-build-cli digest 0415613.../ae68489...46d3af8... 8
quay.io/konflux-ci/task-runner 2.0.02.1.0 + digest 12
quay.io/konflux-ci/tekton-catalog/task-* digest-only 6 (external-task bundles)

Analysis

Correctness — All changes are purely image reference swaps. No script logic, task parameters, or pipeline structure is modified. The task-runner minor bump (2.0.0 → 2.1.0) adds git-lfs and updates tool versions (cosign, syft, kubectl, etc.) per the v2.1.0 changelog. This is backward-compatible and does not alter task behavior.

Security — All images remain pinned by full sha256 digest, maintaining supply-chain integrity. All images originate from the project's own registry (quay.io/konflux-ci/). No new image sources introduced.

Intent & coherence — The PR matches its declared purpose (automated dependency update). It is appropriately scoped to the build Renovate group. The task/build-vm-image/ references to the old task-runner digest are not included, likely managed by a separate Renovate group — this is expected behavior, not an omission.

Style/conventions — Image references follow the existing format exactly (image:tag@sha256:digest). Per the project's [tekton rules](CLAUDE.md → .cursor/rules/tekton.mdc), automated image digest bumps do not require task version bumps or changelog entries.

Documentation — No documentation changes needed for digest-only updates per project convention.

Cross-repo contracts — No API, schema, or interface changes. Task signatures (parameters, results, workspaces) are unchanged.

Verdict

Approve — Clean, mechanical dependency update. All images properly digest-pinned. No behavioral changes to any Tekton task.

Previous run (5)

Review — approve

Automated dependency digest/version update from Renovate — no logic changes detected.

This PR updates container image references across 23 Tekton task and external-task YAML files. All changes are strictly mechanical: old @sha256: digests are swapped for new ones, with one minor version bump.

Changes verified

Image Update type Files
quay.io/konflux-ci/task-runner 2.0.02.1.0 (minor) 15 task YAMLs
quay.io/konflux-ci/konflux-build-cli digest only 8 task YAMLs
quay.io/konflux-ci/build-trusted-artifacts digest only 6 task YAMLs
quay.io/konflux-ci/tekton-catalog/task-* (6 images) digest only 6 external-task YAMLs
registry.redhat.io/openshift4/ose-cli digest only 1 task YAML

Correctness

  • All image references maintain the image:tag@sha256:digest pinning pattern — supply chain integrity preserved.
  • The task-runner 2.0.0 → 2.1.0 bump is a backward-compatible minor release (adds git-lfs, updates tool versions like cosign, syft, kubectl, oc, skopeo).
  • Digest values are consistent across all files referencing the same image — no mixed-version conflicts.
  • The konflux-build-cli update unifies two previously divergent digests (0415613 and ae68489) to a single new digest (de6acbe), improving consistency.

Security

  • No new privileges, capabilities, or security context changes.
  • No script modifications — only image reference lines changed.
  • All images sourced from trusted registries (quay.io/konflux-ci/, registry.redhat.io/).
  • Pinned digests prevent tag-mutation attacks.

Scope & intent

  • Standard Renovate bot dependency update, appropriately scoped to image references only.
  • No task API changes, no parameter changes, no behavioral modifications.
  • Per project rules (.cursor/rules/tekton.mdc): "Automated image digest bumps do not necessarily require a version bump or changelog entry."

Documentation

  • No documentation updates needed — no API or behavioral changes.

No blocking findings. This is a clean dependency update.

Previous run (6)

Review — ✅ Approve

Summary

Routine Renovate dependency update for the build group. All 37 changed files contain purely mechanical container image digest and version swaps with no logic, script, or configuration changes. The diff is perfectly symmetric (+64/−64).

Images updated

Image Change
quay.io/konflux-ci/build-trusted-artifacts digest 7c51a35...a03e798...
quay.io/konflux-ci/konflux-build-cli digest 0415613... / ae68489...de6acbe...
quay.io/konflux-ci/task-runner 2.0.02.1.0 (adds git-lfs, updates cosign, syft, kubectl, etc.)
tekton-catalog task bundles digest-only updates
registry.redhat.io/openshift4/ose-cli digest d87faca...3c21766...

Review dimensions

  • Correctness: All instances within the "build" Renovate group scope are updated consistently. Files outside this group (build-vm-image, archived-tasks) are managed by separate Renovate groups or intentionally excluded.
  • Security: All images use @sha256: digest pinning — good supply-chain practice.
  • Intent & coherence: Well-scoped automated dependency update. The Renovate config (renovate.json) explicitly groups these files under "groupName": "build".
  • Style/conventions: Follows established image reference patterns.
  • Documentation: Per project rules (tekton.mdc), "Automated image digest bumps do not necessarily require a version bump or changelog entry."
  • Cross-repo contracts: No API, parameter, or behavioral changes — only image references updated.

No findings.

Previous run (7)

Review — ✅ Approve

PR: #3653chore(deps): update build
Author: renovate[bot]
Scope: 37 files · 64 additions / 64 deletions

Summary

Standard automated dependency update from Renovate. All changes are mechanical image reference updates across external-task/ and task/ YAML files — no logic, parameters, scripts, or task interfaces are modified.

Images updated

Image Change
quay.io/konflux-ci/build-trusted-artifacts:latest digest 7c51a35a03e798
quay.io/konflux-ci/konflux-build-cli:latest digest 0415613/ae68489de6acbe
quay.io/konflux-ci/task-runner 2.0.02.1.0 (minor — adds git-lfs, tool version bumps)
quay.io/konflux-ci/tekton-catalog/task-apply-tags:0.3 digest only
quay.io/konflux-ci/tekton-catalog/task-init:0.4.2 digest only
quay.io/konflux-ci/tekton-catalog/task-push-dockerfile:0.3.1 digest only
quay.io/konflux-ci/tekton-catalog/task-p...:0.3.1 digest only
quay.io/konflux-ci/tekton-catalog/task-source-build:0.3 digest only
quay.io/konflux-ci/tekton-catalog/task-source-build-oci-ta:0.3 digest only
registry.redhat.io/openshift4/ose-cli:v4.12 digest only

Review dimensions

Correctness — All image references maintain @sha256: digest pinning. The task-runner version tag is consistently updated from 2.0.02.1.0 across all 20 affected files. The konflux-build-cli consolidates two previously-diverged latest digests into a single current digest. The 1:1 addition/deletion ratio confirms mechanical replacement with no structural changes.

Security — All images remain pinned by sha256 digest. No new privileges, security contexts, environment variables, or secret references are introduced. Images come from trusted first-party registries (quay.io/konflux-ci, registry.redhat.io).

Intent & coherence — Standard Renovate-managed dependency update, appropriately scoped to image reference updates only. Files in archived-tasks/ are correctly excluded. The build-vm-image task is not included, which is expected per Renovate grouping rules. No version bump or changelog entry is required per project conventions for automated digest bumps.

Style/conventions — Image references follow the project's established image:tag@sha256:digest pinning pattern. No formatting or whitespace changes.

Documentation — No documentation changes needed; these are image digest bumps with no user-facing behavior changes.

Cross-repo contracts — No API, schema, or interface changes. Task parameters, results, and workspaces are unchanged.

No findings.

Previous run (8)

Review — ✅ Approve

PR: #3653 — chore(deps): update build
Author: renovate[bot]
Verdict: Approve — no findings

Summary

Automated Renovate dependency update bumping container image references across 37 Tekton task YAML files. All changes are mechanical 1:1 substitutions of image digests/tags:

Image Update
quay.io/konflux-ci/task-runner 2.0.02.1.0 (minor)
quay.io/konflux-ci/konflux-build-cli digest update
quay.io/konflux-ci/build-trusted-artifacts digest update
quay.io/konflux-ci/tekton-catalog/task-* digest updates (6 bundles)
registry.redhat.io/openshift4/ose-cli digest update

Review dimensions

Dimension Result
Correctness ✅ No findings — pure image reference substitutions, no logic changes
Security ✅ No findings — all images digest-pinned, trusted registries, no permission/context changes
Intent & coherence ✅ Mechanical change — authorization implicit from automated nature
Style & conventions ✅ Image reference format consistent with existing patterns
Documentation ✅ No stale documentation references found
Cross-repo contracts ⏭ Skipped — no exported interfaces modified

No findings at any severity level. This is a safe, routine dependency update.

Previous run (9)

Review — approve

Scope: Automated dependency update (Renovate) bumping container image digest pins and one minor version across 37 Tekton task/pipeline YAML files.

Changes verified

All 64 additions replace exactly one image reference each, with a corresponding deletion of the old reference. No task parameters, scripts, resource limits, volume mounts, or structural YAML were modified. The five image groups updated:

Image Update type Files
quay.io/konflux-ci/task-runner 2.0.02.1.0 (minor) 20
quay.io/konflux-ci/konflux-build-cli digest only 14
quay.io/konflux-ci/build-trusted-artifacts digest only 8
quay.io/konflux-ci/tekton-catalog/* (6 bundles) digest only 6
registry.redhat.io/openshift4/ose-cli digest only 1

Correctness

  • All image references retain @sha256: digest pinning — no floating tags were introduced.
  • The task-runner minor bump (2.1.0) adds git-lfs and updates tooling versions (cosign, syft, kubectl, etc.) per the upstream CHANGELOG. This is a non-breaking addition.
  • Two previously-divergent konflux-build-cli digests (ae68489 in git-clone v0.2 tasks, 0415613 elsewhere) now converge to a single digest (fddbb4c). This is a positive alignment.

Security

  • All images are from trusted first-party registries (quay.io/konflux-ci/, registry.redhat.io/).
  • Digest pinning ensures immutable, verifiable image pulls.
  • No new container privileges, volume mounts, or environment variables introduced.

Scope & intent

  • Standard Renovate-managed dependency update, consistent with the project's renovate.json configuration.
  • Per the project's Tekton rules, automated image digest bumps do not require task version bumps or changelog entries.

PR body

  • No injection patterns detected. Content is standard Renovate output with package tables and upstream release notes.

No findings. This is a clean, mechanical dependency update.

Previous run (10)

Review — approve

Summary

Automated Renovate dependency update bumping container image digests and tags across 37 Tekton task YAML files. All changes are mechanical 1:1 image reference replacements.

Images updated:

Image Change
quay.io/konflux-ci/build-trusted-artifacts digest 7c51a35...fd6a900...
quay.io/konflux-ci/konflux-build-cli digest 0415613.../ae68489...fddbb4c...
quay.io/konflux-ci/task-runner 2.0.02.1.0 (minor) + new digest
quay.io/konflux-ci/tekton-catalog/task-* (6 bundles) digest-only updates
registry.redhat.io/openshift4/ose-cli digest d87faca...3c21766...

Checks performed

  • Correctness — All 64 image references maintain @sha256: digest pinning. Tag versions are consistent across all occurrences of each image. The 9 test files in the diff only update image references — no test logic, assertions, or expected values were modified.
  • Security — No secrets, credentials, or tokens introduced. No permission/RBAC changes. No securityContext modifications. All additions are pure image URI replacements with no injection patterns or suspicious content.
  • Intent & coherence — Mechanical Renovate bot change. Authorization inferred from automated dependency management tooling.
  • Style & conventions — All replacements follow the established registry/image:tag@sha256:digest format consistent with surrounding context.
  • Documentation — No in-repo documentation references specific image versions that would be made stale by these changes.
  • Cross-repo contracts — Skipped (no exported interfaces, schemas, or APIs modified).

No findings at or above the configured severity threshold.

Previous run (11)

Review — ✅ Approve

PR: #3653chore(deps): update build
Author: renovate[bot]
Scope: 37 files changed (64 additions, 64 deletions) — container image digest/tag updates only

Change Summary

This is an automated Renovate dependency update that bumps container image references across Tekton task definitions in the build group. All changes are confined to image digest and tag rotations — no logic, script, or configuration changes.

Images updated:

Image Change Files
quay.io/konflux-ci/task-runner 2.0.02.1.0 (minor) 20 task/test files
quay.io/konflux-ci/konflux-build-cli digest rotation 14 task files
quay.io/konflux-ci/build-trusted-artifacts digest rotation 10 task files
registry.redhat.io/openshift4/ose-cli digest rotation 1 task file
quay.io/konflux-ci/tekton-catalog/task-* digest rotations 6 external-task files

Analysis

  • Correctness: All changes are mechanical 1:1 image reference substitutions. Each old digest is consistently replaced with the corresponding new digest across all occurrences. The task-runner v2.1.0 release notes confirm backward compatibility (adds git-lfs, bumps tool versions).
  • Security: All images remain pinned by @sha256: digest, maintaining supply chain integrity. Images are pulled from trusted registries (quay.io/konflux-ci/, registry.redhat.io/). The konflux-build-cli consolidates two prior digests (0415613, ae68489) to a single new digest (fddbb4c), which is expected behavior for Renovate normalizing to the latest.
  • Scope: All 37 modified files fall within the build Renovate group defined in renovate.json and are owned by @konflux-ci/build-maintainers per CODEOWNERS.
  • Documentation: No documentation impact — digest-only changes do not affect docs.
  • Cross-repo contracts: No API or interface changes. External task bundle references update to newer digests of the same version tags.

No findings at or above the low severity threshold.


Labels: Automated Renovate dependency digest/tag update for build-related Tekton tasks

Previous run (12)

Review — approve

PR: #3653 — chore(deps): update build
Author: renovate[bot]
Changes: 37 files, 64 additions, 64 deletions

Summary

Clean automated dependency update by Renovate. All 128 changed lines are 1:1 container image reference substitutions in Tekton task YAML files. No logic, scripts, parameters, permissions, or structural changes.

Images updated:

Image Change Occurrences
quay.io/konflux-ci/task-runner 2.0.02.1.0 (minor bump + digest) 20
quay.io/konflux-ci/konflux-build-cli digest only 14
quay.io/konflux-ci/build-trusted-artifacts digest only 8
External task bundles (6 images) digest only 6
registry.redhat.io/openshift4/ose-cli digest only 1

Review dimensions

Dimension Result
Correctness ✅ No findings. All image references are internally consistent. The task-runner 2.0.0→2.1.0 bump is applied uniformly across all files in the build Renovate group. The konflux-build-cli update correctly consolidates two prior digests into one.
Security ✅ No findings. All images sourced from trusted registries (quay.io/konflux-ci/*, registry.redhat.io). All references use @sha256: digest pinning. No permission, RBAC, or secrets changes.
Intent & coherence ✅ Mechanical dependency update — authorization implicit from automated nature.
Style & conventions ✅ No findings. Value-only changes follow the existing image: registry/path:tag@sha256:digest pattern.
Documentation currency ✅ No findings attributable to this PR.
Cross-repo contracts ⏭ Skipped — no API surface changes.

No blocking findings. This is a routine, well-formed dependency update.

Previous run (13)

Review — ✅ Approve

Automated dependency digest/version bump — all changes are mechanical image reference replacements.

Summary

This Renovate-generated PR bumps container image references across 37 Tekton task definition files. Every change is a 1:1 swap of an old @sha256: digest (or tag+digest) for a new one. No task logic, parameters, scripts, or API surfaces are modified.

Images updated

Image Change type Scope
quay.io/konflux-ci/task-runner 2.0.02.1.0 (minor) 18 files (tasks + tests)
quay.io/konflux-ci/konflux-build-cli digest bump 14 files (buildah, git-clone, build-image-index variants)
quay.io/konflux-ci/build-trusted-artifacts digest bump 9 files (OCI-TA variants)
quay.io/konflux-ci/tekton-catalog/task-* digest bumps 6 external-task refs
registry.redhat.io/openshift4/ose-cli digest bump 1 file (update-infra-deployments)

Analysis

  • Correctness: All digest values are consistent — each image maps to exactly one new digest across all files. The konflux-build-cli update correctly converges two previously-different digests (ae68489... for git-clone variants, 0415613... for buildah variants) to a single new digest (fddbb4c...), which is expected when the upstream image unifies.
  • Security: All image references remain pinned by @sha256: content-addressable digests. No unpinned tags, no new permissions, no security context changes.
  • Scope: Changes are strictly within the expected Renovate update scope — image references only. No task version labels, scripts, parameters, or Tekton resource definitions were modified.
  • Versioning: Per project convention (.cursor/rules/tekton.mdc), automated image digest bumps do not require task version bumps or changelog entries. The task-runner 2.0.0 → 2.1.0 minor bump (adding git-lfs, updating cosign/syft/etc.) is a dependency-level change, not a task API change.
  • Cross-repo contracts: No APIs, schemas, or interfaces are affected — only internal image references.
  • Documentation: No documentation changes needed for digest-only bumps.
Previous run (14)

Review — ✅ Approve

PR: #3653chore(deps): update build
Author: renovate[bot] (automated dependency update)
Scope: 37 files, 63 additions / 63 deletions — all image reference updates

Summary

Standard Renovate dependency update bumping container image digests and one minor version across Tekton task definitions. All changes are mechanical 1:1 replacements of image references.

Images updated:

Image Change
quay.io/konflux-ci/task-runner 2.0.02.1.0 (minor bump; adds git-lfs, updates cosign, syft, oc, kubectl, etc.)
quay.io/konflux-ci/konflux-build-cli digest-only (consolidates two prior digests to one)
quay.io/konflux-ci/build-trusted-artifacts digest-only
tekton-catalog/task-apply-tags:0.3 digest-only
tekton-catalog/task-init:0.4.2 digest-only
tekton-catalog/task-push-dockerfile{,-oci-ta}:0.3.1 digest-only
tekton-catalog/task-source-build{,-oci-ta}:0.3 digest-only

Checks performed

  • Digest pinning — all images use @sha256: immutable references
  • Trusted registry — all images sourced from quay.io/konflux-ci/
  • Internal consistency — each old digest/tag maps to exactly one new digest/tag across all files
  • No logic changes — no scripts, parameters, security contexts, or task structure modified
  • Versioning policy — per project rules, automated image digest bumps do not require task version bumps or changelog entries
  • No injection patterns — PR body contains standard Renovate template content only

No findings above the reporting threshold.

Previous run (15)

Review — ✅ Approve

PR: #3653 — chore(deps): update build
Author: renovate[bot] (automated)
Scope: 37 files, 64 additions, 64 deletions — image digest and version updates only

Summary

This is an automated Renovate dependency update PR that bumps container image references across Tekton task definitions. All changes are 1:1 image reference replacements with no logic, configuration, or behavioral changes.

Images updated:

Image Change
quay.io/konflux-ci/build-trusted-artifacts digest 7c51a351868577
quay.io/konflux-ci/konflux-build-cli digest ae68489/0415613fddbb4c
quay.io/konflux-ci/task-runner minor 2.0.02.1.0 (adds git-lfs, updates cosign, syft, kubectl, etc.)
registry.redhat.io/openshift4/ose-cli digest d87faca3c21766
External task bundles (apply-tags, init, push-dockerfile, source-build) digest-only updates

Review dimensions

Correctness: All changes are mechanical digest/version replacements. Each old digest is consistently replaced by the same new digest across all files — no mismatches. The task-runner minor bump (2.0.0 → 2.1.0) is additive (adds git-lfs, updates tool versions) with no breaking changes per the changelog.

Security: All images use @sha256: digest pinning (supply chain best practice). All images come from trusted registries (quay.io/konflux-ci/, registry.redhat.io/). No new images, no privilege changes, no new capabilities added to task steps.

Intent & coherence: This is a standard automated dependency update that matches the dependencies label and Renovate bot authorship. The scope is appropriate — image references only.

Style/conventions: Consistent with project conventions. Per .cursor/rules/tekton.mdc: "Automated image digest bumps do not necessarily require a version bump or changelog entry."

Documentation currency: No documentation changes needed — image digest updates don't affect docs.

Injection defense: PR body contains standard Renovate formatting with no instruction-like injection patterns detected.

No findings.

Previous run (16)

Review

Verdict: Approve

This is a standard Renovate bot dependency update for the build group. All 37 changed files contain exclusively container image reference updates — no logic, scripts, parameters, or task structure changes.

Changes verified

Image Update type Change
quay.io/konflux-ci/build-trusted-artifacts:latest digest 7c51a35...1868577...
quay.io/konflux-ci/konflux-build-cli:latest digest 0415613... / ae68489...fddbb4c...
quay.io/konflux-ci/task-runner minor + digest 2.0.02.1.0
registry.redhat.io/openshift4/ose-cli:v4.12 digest d87faca...3c21766...
quay.io/konflux-ci/tekton-catalog/task-* digest various

Correctness

  • All changes are 1:1 image reference replacements (old digest → new digest).
  • All images remain properly pinned to immutable sha256 digests.
  • The konflux-build-cli digest consolidation (two old digests converging to one) is consistent — both the image: and value: patterns were updated.
  • The task-runner 2.0.0 → 2.1.0 minor bump adds git-lfs support and routine software version updates (cosign, syft, kubectl, etc.) per the release notes. This is additive and backward-compatible.
  • Remaining task-runner references at older versions (1.4.1, 1.5.0, 1.6.0, 1.8.1) are in archived-tasks/, stepactions/, .tekton/, or other Renovate groups (eaas, modelcar-oci, ko-builder, tekton-ci) — correctly out of scope for the build group.

Security

  • All images use sha256 digest pinning — immutable and tamper-resistant.
  • All registries are trusted (quay.io/konflux-ci/, registry.redhat.io/).
  • No new images, capabilities, volume mounts, security contexts, or secret references added.

Scope & intent

  • All 37 modified files match the build group matchFileNames in renovate.json.
  • No files outside the expected external-task/ and task/ directories were touched.

No findings

No blocking or notable issues identified.

Previous run (17)

Review

Verdict: Approve

Summary

This is an automated Renovate dependency update PR that bumps container image digests and tags across 31 Tekton task definition YAML files. All changes are mechanical image reference updates — no logic, script, parameter, or structural YAML changes.

Changes

Five container images are updated:

Image Change
quay.io/konflux-ci/task-runner 2.0.02.1.0 (minor version bump)
quay.io/konflux-ci/konflux-build-cli digest 0415613fddbb4c
quay.io/konflux-ci/konflux-build-cli digest ae68489fddbb4c
quay.io/konflux-ci/build-trusted-artifacts digest 7c51a351868577
registry.redhat.io/openshift4/ose-cli digest d87faca3c21766

Analysis

  • Correctness: All image references use tag@sha256:digest pinning, which is the supply chain security best practice. The task-runner bump from 2.0.0 to 2.1.0 is a backwards-compatible minor release that adds git-lfs and updates bundled tools (cosign, syft, kubectl, etc.). No task parameters, scripts, or resource configurations are modified.
  • Security: All images are from trusted registries (quay.io/konflux-ci/*, registry.redhat.io/openshift4/*). Digest pinning ensures immutable image references. No security contexts, RBAC, or privilege escalations are changed.
  • Scope: The 31 changed files exactly match the Renovate build group configuration in renovate.json. Files in other Renovate groups (e.g., build-vm-image, archived-tasks) correctly retain their existing digests for separate management.
  • Consistency: Two different old konflux-build-cli digests (0415613 from 0.10 tasks and ae68489 from 0.2 tasks) are consolidated to a single new digest (fddbb4c), which is correct behavior.
  • Documentation: No documentation changes needed — image digest updates don't affect user-facing documentation.

No findings at severity low or above.

Previous run (18)

Review — ✅ Approve

Automated dependency update by Renovate — image digest and tag bumps across 31 Tekton task YAML files.

Changes reviewed

Image Update Files
quay.io/konflux-ci/task-runner 2.0.02.1.0 (minor + digest) 24 files
quay.io/konflux-ci/konflux-build-cli digest-only (0415613..., ae68489...fddbb4c...) 15 files
quay.io/konflux-ci/build-trusted-artifacts digest-only (7c51a35...1868577...) 10 files

Evaluation

  • Correctness: All digest replacements are consistent — every old reference within the "build" Renovate group is updated to the corresponding new digest. The task-runner minor version bump (2.0.0 → 2.1.0) adds git-lfs support and upgrades embedded tools (cosign, syft, kubectl, etc.) per the v2.1.0 changelog. Two different old konflux-build-cli digests converge to one new digest — this is expected as the git-clone tasks were on a slightly older version.
  • Security: All images use @sha256: digest pinning (immutable references). All images are from the trusted quay.io/konflux-ci/ registry. No privilege escalation or security context changes.
  • Scope: The 31 changed files exactly match the "build" group defined in renovate.json. The 8 task/build-vm-image/ files with old task-runner:2.0.0 references are intentionally in a separate "build-vm-image" Renovate group and will be updated independently.
  • Style: Changes follow existing conventions — image references maintain the <registry>/<image>:<tag>@sha256:<digest> format throughout.
  • Documentation: No documentation updates needed for image digest bumps.
  • No injection detected in PR body, commit messages, or release notes.

No findings at or above the low severity threshold.

Previous run (19)

Review

Verdict: approve

Summary

This is an automated Renovate dependency update PR that bumps container image references across 31 Tekton task YAML files. All changes are mechanical digest/tag updates with no logic, parameter, or script modifications.

Images updated:

Image Old New Type
quay.io/konflux-ci/task-runner 2.0.0@sha256:4b01fbf... 2.1.0@sha256:c34c933... Minor version bump
quay.io/konflux-ci/konflux-build-cli latest@sha256:0415613... / latest@sha256:ae68489... latest@sha256:fddbb4c... Digest update (converges two prior digests)
quay.io/konflux-ci/build-trusted-artifacts latest@sha256:7c51a35... latest@sha256:1868577... Digest update
registry.redhat.io/openshift4/ose-cli v4.12@sha256:d87faca... v4.12@sha256:3c21766... Digest update

Correctness

  • All image reference substitutions are consistent — each old digest maps to exactly one new digest across all files.
  • The konflux-build-cli image converges two prior digests (0415613... for build/push steps, ae68489... for clone steps) into one (fddbb4c...). This is expected behavior from Renovate when both references resolve to the same upstream image.
  • No scripts, parameters, volume mounts, or security contexts are modified.
  • The task-runner bump from 2.0.02.1.0 is a minor version change. Per the release notes, it adds git-lfs and updates various bundled tools (cosign, syft, kubectl, etc.) — no breaking changes.

Security

  • All images continue to use sha256 digest pinning — the supply chain integrity model is preserved.
  • Image sources are all from trusted registries (quay.io/konflux-ci/, registry.redhat.io/).
  • No new privileges, capabilities, or security context changes.

Scope & coherence

  • The PR is appropriately scoped as a grouped dependency update from Renovate.
  • The build-vm-image task files still reference the older task-runner:2.0.0 digest but are not included in this PR — this is consistent with Renovate's grouping configuration and does not indicate a problem with this PR.
  • The archived-tasks/ directory correctly retains old references (archived tasks are not actively maintained).

No findings.


Labels: Automated Renovate dependency digest/version bumps for build-related container images

Previous run (20)

Review — approve

PR: #3653 — Update build
Author: renovate[bot]
Scope: Automated dependency digest/tag updates across 31 Tekton task YAML files

Summary

This is a Renovate-managed dependency update PR that bumps container image references for three images used across Tekton task definitions:

Image Change
quay.io/konflux-ci/task-runner 2.0.02.1.0 (minor version bump, new digest)
quay.io/konflux-ci/konflux-build-cli digest-only update (two old digests → single new digest)
quay.io/konflux-ci/build-trusted-artifacts digest-only update

Analysis

Correctness — All 57 line changes are mechanical image reference replacements. Each old digest is consistently replaced with the corresponding new digest across all files in the PR scope. No script logic, task parameters, or configuration values are modified. The task-runner minor version bump (v2.1.0) adds git-lfs and updates bundled tooling — a backward-compatible change per the release notes.

Security — All image references remain pinned by SHA256 digest, preserving supply-chain integrity. No new security contexts, privilege escalations, or RBAC changes. Images continue to come from the same trusted registry (quay.io/konflux-ci/).

Intent & coherence — The PR scope exactly matches the Renovate "build" package rule group defined in renovate.json. Files in other Renovate groups (e.g., build-vm-image) are intentionally excluded and will receive separate PRs. The archived-tasks/ directory is outside the configured includePaths and correctly excluded.

Style/conventions — Image reference format (image:tag@sha256:digest) is consistent with existing patterns. No whitespace or formatting changes.

Documentation — No documentation updates are needed for image digest bumps.

Cross-repo contracts — The task-runner 2.0.0 → 2.1.0 bump is additive (adds git-lfs, updates existing tools). No API or interface changes that would affect downstream consumers.

Verdict

No findings. This is a clean, well-scoped automated dependency update with consistent replacements and proper digest pinning.

Previous run (21)

Review

Verdict: ✅ Approve

This is a well-scoped Renovate bot dependency update for the build package group. All 58 line changes are mechanical 1:1 image reference substitutions across 31 Tekton task YAML files.

Changes reviewed

Image Update type Change
quay.io/konflux-ci/build-trusted-artifacts digest 7c51a35...1868577...
quay.io/konflux-ci/konflux-build-cli digest 0415613... / ae68489...fddbb4c...
quay.io/konflux-ci/task-runner minor + digest 2.0.02.1.0
registry.redhat.io/openshift4/ose-cli digest d87faca...3c21766...

Checks performed

  • Correctness: Every change is a direct image reference substitution — no script logic, parameters, or YAML structural changes. The 58-addition / 58-deletion symmetry confirms no lines were added or removed.
  • Security: All image references remain pinned by @sha256: digest, maintaining supply chain integrity. No new privileges, volume mounts, or security context changes.
  • Scope & coherence: The renovate.json build group definition matches exactly the 31 files changed in this PR. Other tasks (build-vm-image, ecosystem-cert-preflight-checks, package-operator, etc.) belong to separate Renovate groups and are correctly excluded.
  • Consistency: Verified that each old digest is fully replaced across all files in the build group — no stale references remain within the PR's scope.
  • task-runner 2.1.0: The minor version bump adds git-lfs support and updates bundled tool versions (cosign, syft, kubectl, etc.). This is a backward-compatible change per semver.
  • Documentation: No documentation impact — image reference updates do not affect docs.
  • Injection defense: PR body contains only standard Renovate-generated content. No instruction-like patterns detected.
Previous run (22)

Review — approve

Automated dependency update from Renovate bot. All changes are mechanical image reference bumps — no logic, script, or parameter modifications.

Changes reviewed

This PR updates container image references across 31 Tekton task YAML files in the task/ directory, scoped to the Renovate build group:

Image Change
quay.io/konflux-ci/task-runner 2.0.02.1.0 (minor; adds git-lfs, updates cosign/syft/skopeo/etc.)
quay.io/konflux-ci/konflux-build-cli digest-only update (two prior digests converge to a single new digest)
quay.io/konflux-ci/build-trusted-artifacts digest-only update
registry.redhat.io/openshift4/ose-cli digest-only update (tag remains v4.12)

Verification

  • Digest pinning preserved: All image references use @sha256: pinning — no floating tags.
  • Scope matches Renovate config: The 31 changed files correspond exactly to the paths listed in the "build" package group in renovate.json. Files outside this group (e.g., task/build-vm-image/, archived-tasks/) are correctly excluded and handled by their own Renovate groups.
  • No code changes: Every hunk is a single-line image: or value: field replacement. No scripts, parameters, security contexts, or resource limits were modified.
  • Registries are trusted: All images come from quay.io/konflux-ci/ or registry.redhat.io/ — internal/known registries.
  • No injection patterns: PR body contains standard Renovate content with no instruction-like patterns.
Previous run (23)

Review — ✅ Approve

PR: #3653Update build
Author: renovate[bot]
Verdict: Approve — no blocking findings

Summary

This is a standard Renovate dependency update PR that bumps container image digests and versions across 31 Tekton task YAML files. All changes are mechanical 1:1 substitutions of image: field values with no logic, script, or permission modifications.

Images updated:

Image Change
quay.io/konflux-ci/build-trusted-artifacts digest 7c51a35d352c22
quay.io/konflux-ci/konflux-build-cli digest 0415613 / ae68489fddbb4c
quay.io/konflux-ci/task-runner 2.0.02.1.0 (minor) + digest update
registry.redhat.io/openshift4/ose-cli digest d87faca3c21766 (tag v4.12 preserved)

Review dimensions

Dimension Result
Correctness ✅ All image references consistently updated. Two old konflux-build-cli digests correctly consolidated to one new digest. No missed files — task/build-vm-image/ uses a separate Renovate group. Test files contain only image reference changes with no assertion weakening.
Security ✅ All images use @sha256: digest pinning for supply chain integrity. The ose-cli tag v4.12 is preserved (digest-only change). No scripts, permissions, or security-relevant code modified.
Intent & coherence ✅ Mechanical value-only change by Renovate bot. Authorization inferred from automated dependency management nature.
Style & conventions ✅ Image reference format (registry/image:tag@sha256:digest) is consistent with existing patterns.
Documentation ✅ No documentation references specific image digests or the task-runner 2.0.0 version in a user-facing way. No staleness introduced.
Cross-repo contracts ✅ Skipped — no exported interfaces or API schemas modified.

Notes

  • The task-runner 2.0.02.1.0 minor bump adds git-lfs support and updates several bundled tools (cosign, syft, oc, etc.) per the v2.1.0 changelog.
  • Files under task/build-vm-image/ are intentionally excluded — they belong to a separate Renovate update group per renovate.json.
Previous run (24)

Review — Approve ✅

PR #3653 — Update build (Renovate dependency digest/version bumps)

Summary

This is a mechanical Renovate bot dependency update that makes 64 line-for-line image reference replacements across 36 Tekton task YAML files. Three container images are updated:

Image Change
quay.io/konflux-ci/build-trusted-artifacts digest 7c51a35...d352c22...
quay.io/konflux-ci/konflux-build-cli digest 0415613... / ae68489...fddbb4c...
quay.io/konflux-ci/task-runner 2.0.02.1.0 (minor bump + new digest)

Review dimensions

Dimension Result
Correctness ✅ No issues — digest consistency verified across all 36 files; format preservation confirmed (tag+digest vs digest-only patterns maintained); intentional omissions verified (archived-tasks/ excluded by Renovate config, build-vm-image/ in separate Renovate group)
Security ✅ No issues — no secrets, injection patterns, permission changes, or Unicode anomalies; all images remain pinned to SHA256 digests within quay.io/konflux-ci/ namespace
Intent & coherence ✅ Mechanical change — scope authorization implicit from automated dependency update nature
Style & conventions ✅ No issues — all replacements follow established image:tag@sha256:digest patterns
Documentation currency ✅ No issues — no documentation references stale versions or digests
Cross-repo contracts ✅ No issues — no changes to task params, results, workspaces, or other public API surface

Verdict

Clean dependency update with no findings. All images remain pinned to content-addressable digests. The task-runner minor version bump (2.0.02.1.0) adds git-lfs support and updates bundled tool versions — no breaking changes per the release notes.

Previous run (25)

Review — ✅ Approve

Summary

Automated Renovate dependency update bumping container image digests and tags across 36 Tekton task YAML files. All changes are mechanical 1-line image reference substitutions with no behavioral code modifications.

Images updated:

Image Change
quay.io/konflux-ci/konflux-build-cli digest 0415613... / ae68489...fddbb4c...
quay.io/konflux-ci/build-trusted-artifacts digest 7c51a35...d352c22...
quay.io/konflux-ci/task-runner 2.0.02.1.0 (minor bump + new digest)
registry.redhat.io/openshift4/ose-cli digest d87faca...3c21766...

Findings

No blocking findings across all review dimensions:

  • Correctness — All digest updates are internally consistent. Two previously-divergent konflux-build-cli digests correctly converge to the same new digest. No remaining stale references to old digests within scope (out-of-scope files in build-vm-image/ and archived-tasks/ are in separate Renovate groups or excluded paths). Test files only update the runner image — no assertions weakened.
  • Security — Pure value-only substitutions. All images maintain @sha256: digest pinning. No permission, securityContext, or RBAC changes. No injection patterns detected.
  • Intent & coherence — Mechanical Renovate bot update; authorization implicit.
  • Style & conventions — All changes follow existing image reference patterns (image: registry/path:tag@sha256:digest).
  • Documentation currency — No in-scope documentation references the old versions or digests.
  • Cross-repo contracts — No exported interfaces, schemas, or public APIs modified.
Previous run (26)

Review — ✅ Approve

Automated dependency update — image digest and minor version bumps across 36 Tekton task files.

Changes verified

This Renovate PR updates four container images used in Tekton task steps within the build dependency group:

Image Update type Old → New
quay.io/konflux-ci/konflux-build-cli digest 0415613... / ae68489...fddbb4c...
quay.io/konflux-ci/build-trusted-artifacts digest 7c51a35...d352c22...
quay.io/konflux-ci/task-runner minor + digest 2.0.02.1.0 (4b01fbf...c34c933...)
registry.redhat.io/openshift4/ose-cli digest d87faca...3c21766...

Checks performed

  • Digest consistency: All references to each image now point to the same new digest — no mixed versions within the PR.
  • Scope correctness: The 36 modified files match the build group defined in renovate.json. Files under task/build-vm-image/ and archived-tasks/ are correctly excluded (separate Renovate group and out-of-scope, respectively).
  • Supply chain security: Every image reference uses @sha256: digest pinning. No tag-only references.
  • No logic changes: All 65 additions and 65 deletions are 1:1 image reference replacements. No scripts, parameters, or task structure changes.
  • task-runner v2.1.0 changelog: Adds git-lfs and bumps existing tool versions (cosign, syft, skopeo, yq, etc.). Backward-compatible minor release with no breaking changes.
  • PR body: Standard Renovate output. No injection patterns detected.

No findings at or above the reporting threshold.

Previous run (27)

Review of #3653 — Update build

Verdict: ✅ Approve

This is a standard automated Renovate dependency update bumping container image digests and one minor version tag across 36 Tekton task YAML files.

Changes reviewed

Image Update type Old → New
quay.io/konflux-ci/konflux-build-cli digest 0415613 / ae68489fddbb4c
quay.io/konflux-ci/build-trusted-artifacts digest 7c51a35d352c22
quay.io/konflux-ci/task-runner minor + digest 2.0.0@4b01fbf2.1.0@c34c933

Reviewed dimensions

  • Correctness: All 64 changed lines are consistent — each image's new digest is used uniformly across all references. No stale references to old digests remain in the active task directories. The task-runner 2.1.0 digest matches other files in the repo already using that version.
  • Security: All images use @sha256: digest pinning. No secrets, injection patterns, permission changes, or Unicode anomalies detected. Images are sourced from the project's own quay.io/konflux-ci/ registry namespace.
  • Intent & coherence: Mechanical Renovate update — scope authorization is implicit.
  • Style & conventions: Image reference format is consistent with surrounding context. No style deviations.
  • Documentation currency: No documentation references specific image digests or the task-runner:2.0.0 version in a way that becomes stale from this update.
  • Cross-repo contracts: No exported interfaces, schemas, or APIs are modified — not applicable.

No findings at or above the reporting threshold.

Previous run (28)

Review — ✅ Approve

Verdict: Approve — automated dependency digest/tag update with no behavioral changes.

Summary

This is a Renovate-managed PR that updates image references across 36 Tekton task YAML files in the build package group. All changes are pure image digest and/or tag substitutions:

Image Update type Change
quay.io/konflux-ci/konflux-build-cli digest 0415613fddbb4c (and ae68489fddbb4c for v0.2 git-clone tasks)
quay.io/konflux-ci/build-trusted-artifacts digest 7c51a35d352c22
quay.io/konflux-ci/task-runner minor + digest 2.0.02.1.0 (4b01fbfc34c933)
registry.redhat.io/openshift4/ose-cli digest d87faca3c21766

Analysis

Correctness: Every change is a 1:1 line substitution of an image reference — no script logic, task parameters, volume mounts, or resource specs are modified. The task-runner 2.1.0 release notes confirm only additive changes (git-lfs added, tool version bumps) with no breaking changes.

Security: All images use digest-pinned references (@sha256:...), ensuring immutable and tamper-resistant image pulls. Source registries (quay.io/konflux-ci/, registry.redhat.io/) are the project's established trusted registries.

Scope & consistency: The PR correctly covers all files in the build Renovate group as defined in renovate.json. The build-vm-image task files (which also reference task-runner:2.0.0) are intentionally excluded — they belong to a separate Renovate group (build-vm-image) and will be updated in their own PR. Archived tasks under archived-tasks/ are outside the Renovate includePaths scope.

No findings above the severity threshold.

Previous run (29)

Review — ✅ Approve

PR: #3653 — Update build
Author: renovate[bot]
Scope: Automated dependency digest/version updates across 36 Tekton task YAML files

Summary

This is an automated Renovate dependency update that bumps container image references across the build group of Tekton tasks. All changes are mechanical image digest or tag+digest replacements with no logic or behavioral modifications.

Images updated:

Image Change
quay.io/konflux-ci/konflux-build-cli digest 0415613 / ae68489fddbb4c
quay.io/konflux-ci/build-trusted-artifacts digest 7c51a35d352c22
quay.io/konflux-ci/task-runner 2.0.02.1.0 (digest 4b01fbfc34c933)
registry.redhat.io/openshift4/ose-cli digest d87faca3c21766

Analysis

  • Correctness: All image references consistently use the same new digest per image across all 36 changed files. No partial or mixed-version updates detected.
  • Security: All images remain pinned by SHA256 digest, preventing tag-based supply chain attacks. Images are from first-party (quay.io/konflux-ci/) and trusted vendor (registry.redhat.io/) registries. No new privileges or security contexts introduced.
  • Scope: The update is correctly scoped per renovate.json — the build group covers exactly the directories modified. task/build-vm-image/ is intentionally in a separate Renovate group and archived-tasks/ is outside includePaths. Both are expected exclusions.
  • Version bump risk: The task-runner minor bump (2.0.0 → 2.1.0) adds git-lfs and updates bundled tool versions (cosign, syft, oc, kubectl, etc.). This is additive and backward-compatible per semver.
  • Documentation: No documentation changes needed — image digest updates don't affect user-facing docs.
  • Conventions: Changes follow the established pattern of image:tag@sha256:digest pinning used throughout the repository.

No findings.

fullsend-ai-review[bot]

This comment was marked as outdated.

@fullsend-ai-review fullsend-ai-review Bot added the ready-for-merge All reviewers approved — ready to merge label Jul 1, 2026
@renovate renovate Bot changed the title Update quay.io/konflux-ci/konflux-build-cli:latest Docker digest to 0fbe847 Update quay.io/konflux-ci/konflux-build-cli Docker digest to 0fbe847 Jul 1, 2026
@renovate renovate Bot changed the title Update quay.io/konflux-ci/konflux-build-cli Docker digest to 0fbe847 Update quay.io/konflux-ci/konflux-build-cli:latest Docker digest to 0fbe847 Jul 1, 2026
@renovate renovate Bot force-pushed the renovate/build branch from 338475d to e850a4b Compare July 1, 2026 11:57
@fullsend-ai-review

fullsend-ai-review Bot commented Jul 1, 2026

Copy link
Copy Markdown

🤖 Finished Review · ✅ Success · Started 12:00 PM UTC · Completed 12:05 PM UTC
Commit: ec21706 · View workflow run →

fullsend-ai-review[bot]

This comment was marked as outdated.

@fullsend-ai-review fullsend-ai-review Bot added ready-for-merge All reviewers approved — ready to merge dependencies Pull requests that update a dependency file and removed ready-for-merge All reviewers approved — ready to merge labels Jul 1, 2026
@fmudry

fmudry commented Jul 1, 2026

Copy link
Copy Markdown
Contributor

Do NOT merge. We are in the middle of moving some build tasks out of build definitions.

@renovate renovate Bot changed the title Update quay.io/konflux-ci/konflux-build-cli:latest Docker digest to 0fbe847 Update quay.io/konflux-ci/konflux-build-cli Docker digest to 0fbe847 Jul 1, 2026
@renovate renovate Bot force-pushed the renovate/build branch from e850a4b to 3db8bd7 Compare July 1, 2026 15:07
@fullsend-ai-review

fullsend-ai-review Bot commented Jul 1, 2026

Copy link
Copy Markdown

🤖 Finished Review · ✅ Success · Started 3:10 PM UTC · Completed 3:16 PM UTC
Commit: ec21706 · View workflow run →

fullsend-ai-review[bot]

This comment was marked as outdated.

@fullsend-ai-review fullsend-ai-review Bot added ready-for-merge All reviewers approved — ready to merge and removed ready-for-merge All reviewers approved — ready to merge labels Jul 1, 2026
@renovate renovate Bot changed the title Update quay.io/konflux-ci/konflux-build-cli Docker digest to 0fbe847 Update quay.io/konflux-ci/konflux-build-cli:latest Docker digest to ae68489 Jul 1, 2026
@renovate renovate Bot force-pushed the renovate/build branch from 3db8bd7 to 492e64b Compare July 1, 2026 18:55
@fullsend-ai-review

fullsend-ai-review Bot commented Jul 1, 2026

Copy link
Copy Markdown

🤖 Finished Review · ✅ Success · Started 6:58 PM UTC · Completed 7:07 PM UTC
Commit: ec21706 · View workflow run →

fullsend-ai-review[bot]

This comment was marked as outdated.

@fullsend-ai-review fullsend-ai-review Bot added ready-for-merge All reviewers approved — ready to merge and removed ready-for-merge All reviewers approved — ready to merge labels Jul 1, 2026
@renovate renovate Bot changed the title Update quay.io/konflux-ci/konflux-build-cli:latest Docker digest to ae68489 Update quay.io/konflux-ci/konflux-build-cli Docker digest to ae68489 Jul 1, 2026
@renovate renovate Bot changed the title Update quay.io/konflux-ci/konflux-build-cli Docker digest to ae68489 Update quay.io/konflux-ci/konflux-build-cli:latest Docker digest to ae68489 Jul 2, 2026
@fullsend-ai-review

fullsend-ai-review Bot commented Jul 14, 2026

Copy link
Copy Markdown

🤖 Finished Review · ✅ Success · Started 2:00 AM UTC · Completed 2:07 AM UTC
Commit: 14477fe · View workflow run →

fullsend-ai-review[bot]

This comment was marked as outdated.

@fullsend-ai-review

fullsend-ai-review Bot commented Jul 14, 2026

Copy link
Copy Markdown

🤖 Finished Review · ✅ Success · Started 8:27 AM UTC · Completed 8:31 AM UTC
Commit: 14477fe · View workflow run →

fullsend-ai-review[bot]

This comment was marked as outdated.

@fullsend-ai-review

fullsend-ai-review Bot commented Jul 14, 2026

Copy link
Copy Markdown

🤖 Finished Review · ✅ Success · Started 10:13 AM UTC · Completed 10:21 AM UTC
Commit: 14477fe · View workflow run →

fullsend-ai-review[bot]

This comment was marked as outdated.

@fullsend-ai-review

fullsend-ai-review Bot commented Jul 14, 2026

Copy link
Copy Markdown

🤖 Finished Review · ✅ Success · Started 10:24 AM UTC · Completed 10:28 AM UTC
Commit: 14477fe · View workflow run →

fullsend-ai-review[bot]

This comment was marked as outdated.

@fullsend-ai-review

fullsend-ai-review Bot commented Jul 14, 2026

Copy link
Copy Markdown

🤖 Finished Review · ✅ Success · Started 3:51 PM UTC · Completed 3:57 PM UTC
Commit: 14477fe · View workflow run →

fullsend-ai-review[bot]

This comment was marked as outdated.

@fullsend-ai-review

fullsend-ai-review Bot commented Jul 14, 2026

Copy link
Copy Markdown

🤖 Finished Review · ✅ Success · Started 4:15 PM UTC · Completed 4:20 PM UTC
Commit: 14477fe · View workflow run →

fullsend-ai-review[bot]

This comment was marked as outdated.

@konflux-ci-qe-bot

Copy link
Copy Markdown

**Scenario: **
@renovate[bot]: The following test has Failed, say /retest to rerun failed tests.

PipelineRun Name Status Rerun command Build Log Test Log
build-definitions-pull-request-fgm55 Failed /retest View Pipeline Log View Test Logs

Inspecting Test Artifacts

To inspect your test artifacts, follow these steps:

  1. Install ORAS (see the ORAS installation guide).
  2. Download artifacts with the following commands:
mkdir -p oras-artifacts
cd oras-artifacts
oras pull quay.io/konflux-test-storage/konflux-team/build-definitions:8735f02e39c651cf2e024ec681898e6d2d17ae77

Test results analysis

🚨 Error occurred while running the E2E tests, list of failed Spec(s):

➡️ [failed] [It] [build-service-suite Build templates E2E test] HACBS pipelines scenario prefetch-yarn-modern (docker-build) build-definitions ec pipelines runs ec pipeline pipelines/enterprise-contract.yaml [build, build-templates, HACBS, pipeline-service, pipeline, build-templates-e2e]

Click to view logs

Expected
    : 
to equal
    : enterprise-contract

OCI Artifact Browser URL

<not enabled>

@fullsend-ai-review

fullsend-ai-review Bot commented Jul 15, 2026

Copy link
Copy Markdown

🤖 Finished Review · ✅ Success · Started 7:39 AM UTC · Completed 7:44 AM UTC
Commit: 14477fe · View workflow run →

fullsend-ai-review[bot]

This comment was marked as outdated.

@fullsend-ai-review

fullsend-ai-review Bot commented Jul 15, 2026

Copy link
Copy Markdown

🤖 Finished Review · ✅ Success · Started 8:00 AM UTC · Completed 8:05 AM UTC
Commit: 14477fe · View workflow run →

fullsend-ai-review[bot]

This comment was marked as outdated.

@konflux-ci-qe-bot

Copy link
Copy Markdown

**Scenario: **
@renovate[bot]: The following test has Failed, say /retest to rerun failed tests.

PipelineRun Name Status Rerun command Build Log Test Log
build-definitions-pull-request-rv2s9 Failed /retest View Pipeline Log View Test Logs

Inspecting Test Artifacts

To inspect your test artifacts, follow these steps:

  1. Install ORAS (see the ORAS installation guide).
  2. Download artifacts with the following commands:
mkdir -p oras-artifacts
cd oras-artifacts
oras pull quay.io/konflux-test-storage/konflux-team/build-definitions:0fe22392c64d271e27b98a788716b5fb21ae4768

Test results analysis

🚨 Error occurred while running the E2E tests, list of failed Spec(s):

➡️ [failed] [It] [build-service-suite Build templates E2E test] HACBS pipelines scenario sample-python-basic-oci (docker-build-oci-ta) should eventually finish successfully for component with Git source URL https://github.com/konflux-qe-bd/devfile-sample-python-basic and Pipeline docker-build-oci-ta [build, build-templates, HACBS, pipeline-service, pipeline, build-templates-e2e, source-build-e2e]

Click to view logs

Expected success, but got an error:
    <*errors.errorString | 0xc007ee3040>: 
    CouldntGetTask: Pipeline build-templates-e2e/test-comp-wain-on-pull-request-mcmnz can't be Run; it contains Tasks that don't exist: Couldn't retrieve Task "resolver type bundles\nname = buildah-oci-ta\n": error requesting remote resource: error getting "bundleresolver" "build-templates-e2e/bundles-d558e3e18e4bd3070c45b81f31cdd9b7": cannot retrieve the oci image: GET https://quay.io/v2/konflux-ci/pull-request-builds/manifests/sha256:780292f418ba90be4d5104d091e89fe734ce33b888b7bb018b5b3f77bc07f28d: MANIFEST_UNKNOWN: manifest unknown; map[]
    {
        s: "CouldntGetTask: Pipeline build-templates-e2e/test-comp-wain-on-pull-request-mcmnz can't be Run; it contains Tasks that don't exist: Couldn't retrieve Task \"resolver type bundles\\nname = buildah-oci-ta\\n\": error requesting remote resource: error getting \"bundleresolver\" \"build-templates-e2e/bundles-d558e3e18e4bd3070c45b81f31cdd9b7\": cannot retrieve the oci image: GET https://quay.io/v2/konflux-ci/pull-request-builds/manifests/sha256:780292f418ba90be4d5104d091e89fe734ce33b888b7bb018b5b3f77bc07f28d: MANIFEST_UNKNOWN: manifest unknown; map[]",
    }

OCI Artifact Browser URL

<not enabled>

@fullsend-ai-review

fullsend-ai-review Bot commented Jul 15, 2026

Copy link
Copy Markdown

🤖 Finished Review · ✅ Success · Started 4:25 PM UTC · Completed 4:29 PM UTC
Commit: 14477fe · View workflow run →

fullsend-ai-review[bot]

This comment was marked as outdated.

@fullsend-ai-review

fullsend-ai-review Bot commented Jul 15, 2026

Copy link
Copy Markdown

🤖 Finished Review · ✅ Success · Started 4:47 PM UTC · Completed 4:55 PM UTC
Commit: 14477fe · View workflow run →

fullsend-ai-review[bot]

This comment was marked as outdated.

@fullsend-ai-review

fullsend-ai-review Bot commented Jul 16, 2026

Copy link
Copy Markdown

🤖 Finished Review · ✅ Success · Started 9:59 AM UTC · Completed 10:03 AM UTC
Commit: 14477fe · View workflow run →

fullsend-ai-review[bot]

This comment was marked as outdated.

@fullsend-ai-review

fullsend-ai-review Bot commented Jul 16, 2026

Copy link
Copy Markdown

🤖 Review · ❌ Terminated · Started 12:16 PM UTC · Ended 12:20 PM UTC
Commit: 14477fe · View workflow run →

fullsend-ai-review[bot]

This comment was marked as outdated.

@konflux-ci-qe-bot

Copy link
Copy Markdown

**Scenario: **
@renovate[bot]: The following test has Failed, say /retest to rerun failed tests.

PipelineRun Name Status Rerun command Build Log Test Log
build-definitions-pull-request-wjj6v Failed /retest View Pipeline Log View Test Logs

Inspecting Test Artifacts

To inspect your test artifacts, follow these steps:

  1. Install ORAS (see the ORAS installation guide).
  2. Download artifacts with the following commands:
mkdir -p oras-artifacts
cd oras-artifacts
oras pull quay.io/konflux-test-storage/konflux-team/build-definitions:efc20cafd921f59500f855f4ac0b6763ff4276f0

Test results analysis

🚨 Error occurred while running the E2E tests, list of failed Spec(s):

➡️ [failed] [It] [build-service-suite Build templates E2E test] HACBS pipelines scenario from-scratch (docker-build) should eventually finish successfully for component with Git source URL https://github.com/konflux-qe-bd/docker-file-from-scratch and Pipeline docker-build [build, build-templates, HACBS, pipeline-service, pipeline, build-templates-e2e, source-build-e2e]

Click to view logs

Expected success, but got an error:
    <*errors.errorString | 0xc004b14c50>: 
    CouldntGetTask: Pipeline build-templates-e2e/test-comp-arvb-on-pull-request-zkpz4 can't be Run; it contains Tasks that don't exist: Couldn't retrieve Task "resolver type bundles\nname = build-image-index\n": error requesting remote resource: error getting "bundleresolver" "build-templates-e2e/bundles-b178be681a37b78d21387660b57ab443": cannot retrieve the oci image: GET https://quay.io/v2/konflux-ci/pull-request-builds/manifests/sha256:84afb0418eb199ca4320df43779d18cfc7a89609c657c3e74e00672df1088e5b: MANIFEST_UNKNOWN: manifest unknown; map[]
    {
        s: "CouldntGetTask: Pipeline build-templates-e2e/test-comp-arvb-on-pull-request-zkpz4 can't be Run; it contains Tasks that don't exist: Couldn't retrieve Task \"resolver type bundles\\nname = build-image-index\\n\": error requesting remote resource: error getting \"bundleresolver\" \"build-templates-e2e/bundles-b178be681a37b78d21387660b57ab443\": cannot retrieve the oci image: GET https://quay.io/v2/konflux-ci/pull-request-builds/manifests/sha256:84afb0418eb199ca4320df43779d18cfc7a89609c657c3e74e00672df1088e5b: MANIFEST_UNKNOWN: manifest unknown; map[]",
    }

OCI Artifact Browser URL

<not enabled>

@fullsend-ai-review

fullsend-ai-review Bot commented Jul 16, 2026

Copy link
Copy Markdown

🤖 Finished Review · ✅ Success · Started 5:37 PM UTC · Completed 5:45 PM UTC
Commit: 14477fe · View workflow run →

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file ready-for-merge All reviewers approved — ready to merge

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants