diff --git a/.tekton/network-observability-console-plugin-1-7-push.yaml b/.tekton/network-observability-console-plugin-1-7-push.yaml
index dc4694909..b673a86e3 100644
--- a/.tekton/network-observability-console-plugin-1-7-push.yaml
+++ b/.tekton/network-observability-console-plugin-1-7-push.yaml
@@ -6,6 +6,7 @@ metadata:
     build.appstudio.redhat.com/commit_sha: '{{revision}}'
     build.appstudio.redhat.com/target_branch: '{{target_branch}}'
     pipelinesascode.tekton.dev/max-keep-runs: "3"
+    build.appstudio.openshift.io/build-nudge-files: "hack/container_digest.sh"
     pipelinesascode.tekton.dev/on-cel-expression: event == "push" && target_branch
       == "release-1.7"
   creationTimestamp: null
diff --git a/.tekton/pipeline-ref.yaml b/.tekton/pipeline-ref.yaml
index 9fb6b43f4..e1a039068 100644
--- a/.tekton/pipeline-ref.yaml
+++ b/.tekton/pipeline-ref.yaml
@@ -62,7 +62,7 @@ spec:
     description: Image tag expiration time, time values could be something like
       1h, 2d, 3w for hours, days, and weeks, respectively.
     name: image-expires-after
-  - default: "false"
+  - default: "true"
     description: Build a source image.
     name: build-source-image
     type: string
@@ -250,15 +250,12 @@ spec:
       operator: in
       values:
       - "true"
-
   - name: build-source-image
     params:
     - name: BINARY_IMAGE
       value: $(params.output-image)
     - name: SOURCE_ARTIFACT
       value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT)
-    - name: CACHI2_ARTIFACT
-      value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT)
     runAfter:
     - build-image-index
     taskRef:
@@ -279,6 +276,28 @@ spec:
       operator: in
       values:
       - "true"
+  - name: rpms-signature-scan
+    params:
+    - name: image-url
+      value: $(tasks.build-image-index.results.IMAGE_URL)
+    - name: image-digest
+      value: $(tasks.build-image-index.results.IMAGE_DIGEST)
+    runAfter:
+    - build-image-index
+    taskRef:
+      params:
+      - name: name
+        value: rpms-signature-scan
+      - name: bundle
+        value: quay.io/konflux-ci/tekton-catalog/task-rpms-signature-scan:0.2@sha256:7aa4d3c95e2b963e82fdda392f7cb3d61e3dab035416cf4a3a34e43cf3c9c9b8
+      - name: kind
+        value: task
+      resolver: bundles
+    when:
+    - input: $(params.skip-checks)
+      operator: in
+      values:
+      - "false"
   - name: deprecated-base-image-check
     params:
     - name: IMAGE_URL