chore(deps): update konflux references

[red-hat-konflux]

This PR contains the following updates:

Package	Change	Notes
quay.io/konflux-ci/tekton-catalog/task-apply-tags	0.2 -> 0.3	⚠️migration⚠️
quay.io/konflux-ci/tekton-catalog/task-build-image-index	985d1ef -> 8fd2bd1
quay.io/konflux-ci/tekton-catalog/task-buildah	0.7 -> 0.8	⚠️migration⚠️
quay.io/konflux-ci/tekton-catalog/task-buildah-oci-ta	0.7 -> 0.8	⚠️migration⚠️
quay.io/konflux-ci/tekton-catalog/task-clair-scan	654b989 -> b01d8e2
quay.io/konflux-ci/tekton-catalog/task-clamav-scan	7a4b05f -> 5b5b31e
quay.io/konflux-ci/tekton-catalog/task-coverity-availability-check	267d5bc -> a24d8f3
quay.io/konflux-ci/tekton-catalog/task-deprecated-image-check	808fe09 -> e3a55cc
quay.io/konflux-ci/tekton-catalog/task-ecosystem-cert-preflight-checks	04f7559 -> 33b7133
quay.io/konflux-ci/tekton-catalog/task-git-clone	d17249e -> 865cdbe
quay.io/konflux-ci/tekton-catalog/task-git-clone-oci-ta	56f65a1 -> 306b69e
quay.io/konflux-ci/tekton-catalog/task-init	0.2 -> 0.3	⚠️migration⚠️
quay.io/konflux-ci/tekton-catalog/task-prefetch-dependencies	ef5c49a -> c320d5c
quay.io/konflux-ci/tekton-catalog/task-prefetch-dependencies-oci-ta	3620777 -> c664a6d
quay.io/konflux-ci/tekton-catalog/task-push-dockerfile-oci-ta	08bba4a -> 6fb61be
quay.io/konflux-ci/tekton-catalog/task-rpms-signature-scan	aa544e5 -> a99d8fd
quay.io/konflux-ci/tekton-catalog/task-sast-coverity-check-oci-ta	9978b61 -> e8c6357
quay.io/konflux-ci/tekton-catalog/task-sast-shell-check-oci-ta	e7a5157 -> f475b4b
quay.io/konflux-ci/tekton-catalog/task-sast-snyk-check	10d6a41 -> d380f0f
quay.io/konflux-ci/tekton-catalog/task-sast-snyk-check-oci-ta	49b7d09 -> 0c2ab8c
quay.io/konflux-ci/tekton-catalog/task-sast-unicode-check-oci-ta	0.3 -> 0.4	⚠️migration⚠️
quay.io/konflux-ci/tekton-catalog/task-show-sbom	beb0616 -> e2c1b4e

---

Configuration

📅 Schedule: Branch creation - Between 05:00 AM and 11:59 PM, only on Saturday ( * 5-23 * * 6 ) in timezone America/New_York, Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

To execute skipped test pipelines write comment /ok-to-test.

---

Documentation

Find out how to configure dependency updates in MintMaker documentation or see all available configuration options in Renovate documentation.

[coderabbitai]

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

• @coderabbitai resume to resume automatic reviews.
• @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

• ▶️ Resume reviews
• 🔍 Trigger review

Walkthrough

Updated four Tekton pipeline YAMLs: numerous taskRef.bundle image tags/digests were bumped; the rebuild pipeline parameter (pull-request pipelines) and many when conditionals and related param wiring were removed, flattening conditional gating across the pipelines.

Changes

Cohort / File(s)	Summary
E2E Pipelines ./.tekton/maestro-e2e-pull-request.yaml, ./.tekton/maestro-e2e-push.yaml	Replaced many taskRef.bundle values with updated tags/digests and removed rebuild pipeline parameter usages plus several when conditionals and related param wiring that previously gated task execution.
Standard Pull-request Pipeline ./.tekton/maestro-pull-request.yaml	Bumped many task bundle references (e.g., init 0.2→0.3, buildah 0.7→0.8, show-sbom, git-clone, prefetch-dependencies, clair-scan, sast-*, clamav-scan) and removed the public rebuild param, removed input wiring for init, and eliminated multiple when blocks that gated downstream tasks.
Standard Push Pipeline ./.tekton/maestro-push.yaml	Updated numerous task bundle digests and versions (e.g., init, buildah, apply-tags, scans), and removed several gating/parameter blocks tied to init/build results; task ordering largely unchanged.

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title 'chore(deps): update konflux references' clearly and concisely describes the main change—updating Konflux task image references and digests across multiple Tekton pipeline files.
Description check	✅ Passed	The description provides a detailed table of all package updates with version changes and includes migration notes for tasks with breaking changes, directly corresponding to the modifications in the PR.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch konflux/references/main

---

No actionable comments were generated in the recent review. 🎉

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 3

🤖 Fix all issues with AI agents

In @.tekton/maestro-pull-request.yaml:
- Line 349: Update the image reference for task-sast-snyk-check to use the
existing Konflux tag 0.1: replace the value string
quay.io/konflux-ci/tekton-catalog/task-sast-snyk-check:0.4@sha256:... with
quay.io/konflux-ci/tekton-catalog/task-sast-snyk-check:0.1 (keeping the same
registry/repo and removing the nonexistent 0.4@sha256 tag) so the pipeline uses
the available task version.
- Line 165: The Tekton bundle reference uses
quay.io/konflux-ci/tekton-catalog/task-init:0.2@sha256:ebf06778... but the
pipeline supplies non-standard params (skip-optional, pipelinerun-name,
pipelinerun-uid, enable-cache-proxy); verify that the referenced digest indeed
points to a task-init:0.2 image that documents and accepts these parameters or
replace it with a compatible bundle/digest. To fix, either (a) update the digest
to the official task-init:0.2 that matches the used params or (b) update the
pipeline to only pass parameters supported by the referenced bundle, or (c)
document/point to the custom fork that adds those params; check the bundle's
task definition for parameter names to ensure exact matches before committing.

In @.tekton/maestro-push.yaml:
- Line 393: The tekton task invocation for task-apply-tags:0.3 uses wrong
parameter names; replace IMAGE_URL with IMAGE and change IMAGE_DIGEST to
ADDITIONAL_TAGS (or remove IMAGE_DIGEST if you don't need extra tags) so the
params match the task's interface; update the params block where task:
task-apply-tags:0.3 is referenced to pass the image URL into IMAGE and supply
any extra tags via ADDITIONAL_TAGS (or omit that param).

[coderabbitai]

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🌐 Web query:

konflux-ci tekton-catalog task-sast-snyk-check 0.4 release notes breaking changes

💡 Result:

I couldn’t find any task-sast-snyk-check “0.4” release notes or 0.4-specific breaking changes in Konflux sources. Instead, references to the Konflux Tekton Catalog image show the task being consumed as quay.io/konflux-ci/tekton-catalog/task-sast-snyk-check:0.1 (not 0.4). [1]

In Konflux, breaking/interface changes for tasks are normally handled by bumping the task version and providing a MIGRATION.md (and potentially migration scripts) in the versioned task directory. [2] So if a 0.4 existed, you’d expect it to come with a corresponding migration doc.

If what you’re actually upgrading is the Snyk task configuration (not a 0.4 task image), the Konflux docs note the required secret convention for the Snyk token: secret name snyk-secret with key snyk_token. [3]

Likely explanation: “0.4” is being confused with another Konflux task that does have a :0.4 tag (for example task-deprecated-image-check:0.4 appears in the same Konflux catalog references), while task-sast-snyk-check appears as :0.1 in the places I could verify. [1]

Sources: [1] [2] [3]

---

🏁 Script executed:

# Search for all task-sast-snyk-check references
rg "task-sast-snyk-check" --type yaml

# Also check git history for this file
git log --oneline -20 -- .tekton/maestro-pull-request.yaml

Repository: openshift-online/maestro

Length of output: 114

---

🏁 Script executed:

# Show details of the recent commit
git show 087370f -- .tekton/maestro-pull-request.yaml | head -100

Repository: openshift-online/maestro

Length of output: 3614

---

🏁 Script executed:

# Get the full diff to see the task-sast-snyk-check line
git show 087370f -- .tekton/maestro-pull-request.yaml | grep -A 5 -B 5 "task-sast-snyk-check"

Repository: openshift-online/maestro

Length of output: 452

---

🏁 Script executed:

# Check if there are other Konflux task references in the repo to understand version patterns
rg "quay.io/konflux-ci/tekton-catalog" --type yaml | head -20

Repository: openshift-online/maestro

Length of output: 50

---

🏁 Script executed:

# Check the current state of the file to understand full context
grep -n "task-sast-snyk-check" .tekton/maestro-pull-request.yaml -A 10 -B 5

Repository: openshift-online/maestro

Length of output: 602

---

Change task-sast-snyk-check version from 0.4 to 0.1.
The version 0.4 does not exist in Konflux sources; task-sast-snyk-check is available as 0.1. Using a non-existent image tag will cause pipeline failures at runtime.

🤖 Prompt for AI Agents

In @.tekton/maestro-pull-request.yaml at line 349, Update the image reference
for task-sast-snyk-check to use the existing Konflux tag 0.1: replace the value
string quay.io/konflux-ci/tekton-catalog/task-sast-snyk-check:0.4@sha256:...
with quay.io/konflux-ci/tekton-catalog/task-sast-snyk-check:0.1 (keeping the
same registry/repo and removing the nonexistent 0.4@sha256 tag) so the pipeline
uses the available task version.

[coderabbitai]

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🌐 Web query:

konflux-ci tekton-catalog task-apply-tags 0.3 release notes

💡 Result:

I couldn’t find any published “release notes” specifically for quay.io/konflux-ci/tekton-catalog/task-apply-tags:0.3 in the Konflux docs or in an indexed GitHub release/changelog entry for that task version.

What Konflux documents instead is:

• Tekton tasks in the konflux-ci/tekton-catalog registry are versioned, and when a task’s interface changes a new version directory is created and a MIGRATION.md is expected to describe required pipeline changes (and may be paired with an automated migration script). (github.com)
• The apply-tags task’s purpose and configuration options (e.g., ADDITIONAL_TAGS, konflux.additional-tags label, dynamic metadata variables) are documented, but not as per-version release notes. (konflux-ci.dev)

Citations:

• 1: https://github.com/konflux-ci/build-definitions
• 2: https://konflux-ci.dev/docs/building/custom-tags/?utm_source=openai

---

🌐 Web query:

task-apply-tags site:github.com konflux-ci MIGRATION.md

💡 Result:

Web search failed: Server error: no LLM provider could handle the message

---

🌐 Web query:

github konflux-ci build-definitions apply-tags task v0.3

💡 Result:

Web search failed: Server error: no LLM provider could handle the message

---

🌐 Web query:

task-apply-tags 0.3 Konflux

💡 Result:

In Konflux, task-apply-tags is the Tekton bundle image that delivers the apply-tags task (used to apply additional/custom tags to the image produced by your build). (konflux-ci.dev)

To use task-apply-tags:0.3, reference it via the bundles resolver in your Pipeline/PipelineRun:

- name: apply-tags
  runAfter: [build-container]
  params:
    - name: IMAGE
      value: $(tasks.build-container.results.IMAGE_URL)
    - name: ADDITIONAL_TAGS
      value: ["tag1", "tag2"]
  taskRef:
    resolver: bundles
    params:
      - name: name
        value: apply-tags
      - name: bundle
        value: quay.io/konflux-ci/tekton-catalog/task-apply-tags:0.3
      - name: kind
        value: task

ADDITIONAL_TAGS can also be sourced from the konflux.additional-tags label in your Containerfile, or built dynamically (e.g., from PR/branch metadata). (konflux-ci.dev)

If you want to pin the exact bundle digest (recommended for reproducibility), you can look up the digest with skopeo inspect ... | jq -r '.Digest' and then use :0.3@sha256:... in the bundle field. (konflux-ci.dev)

Citations:

• 1: https://konflux-ci.dev/docs/building/custom-tags/?utm_source=openai
• 2: https://konflux-ci.dev/docs/building/custom-tags/?utm_source=openai
• 3: https://konflux-ci.dev/docs/troubleshooting/builds/?utm_source=openai

---

🏁 Script executed:

#!/bin/bash
# Search for MIGRATION files in the repository
find . -type f \( -name "MIGRATION*" -o -name "CHANGELOG*" -o -name "CHANGES*" \) | head -20

# Search for references to task-apply-tags in the repository
echo "=== References to task-apply-tags ==="
rg "task-apply-tags" --type yaml -B2 -A2 | head -50

Repository: openshift-online/maestro

Length of output: 105

---

🏁 Script executed:

#!/bin/bash
# Check if the file exists and read around line 393
if [ -f ".tekton/maestro-push.yaml" ]; then
  echo "=== File found, reading context around line 393 ==="
  wc -l ".tekton/maestro-push.yaml"
  sed -n '375,410p' ".tekton/maestro-push.yaml"
else
  echo "File not found at .tekton/maestro-push.yaml"
  find . -name "maestro-push.yaml" 2>/dev/null
fi

Repository: openshift-online/maestro

Length of output: 1120

---

🌐 Web query:

task-apply-tags IMAGE_URL IMAGE_DIGEST parameters tekton

💡 Result:

Web search failed: Server error: no LLM provider could handle the message

---

🏁 Script executed:

#!/bin/bash
# Search for task definitions or apply-tags references
echo "=== Searching for task definitions in repository ==="
find . -type f \( -name "*.yaml" -o -name "*.yml" \) -exec grep -l "apply-tags" {} \; 2>/dev/null | head -10

# Check git history for maestro-push.yaml
echo ""
echo "=== Git history for maestro-push.yaml ==="
git log --oneline -20 -- .tekton/maestro-push.yaml 2>/dev/null || echo "Git log not available"

# Search for any task definition or description of apply-tags params
echo ""
echo "=== Searching for apply-tags in all files ==="
rg "apply-tags" -C3 --max-count 5

Repository: openshift-online/maestro

Length of output: 317

---

🏁 Script executed:

#!/bin/bash
# Get the git diff for the recent commit
git show 087370f --no-patch --format="%ai %s" 2>/dev/null || echo "Could not get commit info"

echo ""
echo "=== Git diff for maestro-push.yaml ==="
git show 087370f -- .tekton/maestro-push.yaml 2>/dev/null | head -100

echo ""
echo "=== Current maestro-e2e-push.yaml apply-tags section ==="
sed -n '/apply-tags/,/resolver:/p' ./.tekton/maestro-e2e-push.yaml

Repository: openshift-online/maestro

Length of output: 4257

---

🌐 Web query:

quay.io konflux-ci task-apply-tags IMAGE_URL IMAGE_DIGEST version

💡 Result:

In Konflux, the apply-tags Tekton task is shipped as an OCI bundle on Quay and is typically referenced like:

• Bundle: quay.io/konflux-ci/tekton-catalog/task-apply-tags:0.1 (optionally pin with @sha256:...) [1]

What params it takes (re: IMAGE_URL, IMAGE_DIGEST)

task-apply-tags does not take IMAGE_URL + IMAGE_DIGEST as separate params. It expects:

• IMAGE → set this to the producing task’s IMAGE_URL result (for example, $(tasks.build-container.results.IMAGE_URL)) [1]

Example:

- name: apply-tags
  params:
  - name: IMAGE
    value: $(tasks.build-container.results.IMAGE_URL)
  - name: ADDITIONAL_TAGS
    value: ["tag1", "tag2"]
  taskRef:
    resolver: bundles
    params:
    - name: name
      value: apply-tags
    - name: bundle
      value: quay.io/konflux-ci/tekton-catalog/task-apply-tags:0.1
    - name: kind
      value: task

[1]

Where IMAGE_DIGEST fits

IMAGE_URL and IMAGE_DIGEST are emitted by Konflux build pipelines as results; if you need a digest-pinned image reference, combine them as:

• IMAGE_URL@IMAGE_DIGEST [2]

(That’s commonly used for signature/attestation verification, not for apply-tags.) [2]

“version” meaning on quay.io/konflux-ci tasks

Konflux task bundles are pushed to Quay as task-<name>:<VERSION> where VERSION is the task version (for apply-tags, that’s shown as 0.1 in the docs example). [3]

---

🌐 Web query:

task-apply-tags 0.3 parameters specification

💡 Result:

Web search failed: Server error: no LLM provider could handle the message

---

🏁 Script executed:

#!/bin/bash
# Search for any documentation or comments about apply-tags
echo "=== Searching for documentation files ==="
find . -type f \( -name "README*" -o -name "*.md" \) -exec grep -l "apply-tags\|task-apply-tags" {} \; 2>/dev/null

echo ""
echo "=== Searching for any comments or documentation about IMAGE_URL in task config ==="
rg "IMAGE_URL|IMAGE_DIGEST" -B5 -A5 --type yaml | head -80

echo ""
echo "=== Checking if there are any other task references for comparison ==="
rg "taskRef:" -A10 .tekton/ --type yaml | grep -A10 "apply-tags" | head -30

Repository: openshift-online/maestro

Length of output: 1755

---

Fix parameter names for task-apply-tags:0.3 compatibility.

The task expects IMAGE and ADDITIONAL_TAGS parameters, but the code is passing IMAGE_URL and IMAGE_DIGEST. This mismatch will cause task execution to fail. Update the parameters to match the task's documented interface:

• Change IMAGE_URL → IMAGE (pass the image URL result)
• Change IMAGE_DIGEST → ADDITIONAL_TAGS or remove if not needed for this use case

🤖 Prompt for AI Agents

In @.tekton/maestro-push.yaml at line 393, The tekton task invocation for
task-apply-tags:0.3 uses wrong parameter names; replace IMAGE_URL with IMAGE and
change IMAGE_DIGEST to ADDITIONAL_TAGS (or remove IMAGE_DIGEST if you don't need
extra tags) so the params match the task's interface; update the params block
where task: task-apply-tags:0.3 is referenced to pass the image URL into IMAGE
and supply any extra tags via ADDITIONAL_TAGS (or omit that param).

[coderabbitai]

Actionable comments posted: 1

🤖 Fix all issues with AI agents

In @.tekton/maestro-e2e-push.yaml:
- Line 546: The task-apply-tags:0.3 invocation uses invalid parameters IMAGE_URL
and IMAGE_DIGEST; change it to the single IMAGE parameter expected by that task
by replacing the IMAGE_URL/IMAGE_DIGEST pair with IMAGE whose value is the
combined image reference from tasks.build-image-index.results (i.e. use
$(tasks.build-image-index.results.IMAGE_URL)@$(tasks.build-image-index.results.IMAGE_DIGEST)),
and remove the standalone IMAGE_DIGEST parameter unless you actually need to
pass ADDITIONAL_TAGS; update the parameter names in the task call to use IMAGE
and drop IMAGE_DIGEST.

[coderabbitai]

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🏁 Script executed:

cat -n .tekton/maestro-e2e-push.yaml | sed -n '530,550p'

Repository: openshift-online/maestro

Length of output: 865

---

🌐 Web query:

task-apply-tags 0.3 parameters IMAGE_URL IMAGE_DIGEST dokumentation

💡 Result:

In der Konflux/Tekton-Catalog Task apply-tags (Bundle quay.io/konflux-ci/tekton-catalog/task-apply-tags:<version>) heißen die relevanten Parameter nicht IMAGE_URL/IMAGE_DIGEST, sondern typischerweise:

• IMAGE: Referenz auf das Image (i.d.R. der Repository/Image-Name, z.B. aus $(tasks.<build>.results.IMAGE_URL)) – so wird die Task in Pipelines aufgerufen. [1]
• ADDITIONAL_TAGS (Array, optional): Liste zusätzlicher Tags, die gesetzt werden sollen. [2]

IMAGE_URL und IMAGE_DIGEST sind in Konflux/Tekton meist Results aus Build-Tasks (z.B. build-container / build-image-index) und werden je nach nachfolgender Task entweder als IMAGE (nur URL/Name) oder als separate Params bei anderen Tasks weitergereicht – der apply-tags-Task-Call nutzt dabei in den Beispielen nur IMAGE. [1]

Quellen: [Konflux “Using custom tags” Doku] [2], [Pipeline-Beispiel mit apply-tags Task-Aufruf] [1].

---

🌐 Web query:

konflux-ci task-apply-tags version 0.3 migration guide

💡 Result:

Web search failed: Server error: no LLM provider could handle the message

---

🏁 Script executed:

# Search for task-apply-tags references or documentation in the repo
rg -i "task-apply-tags" --type yaml --type md -A 5 | head -100

Repository: openshift-online/maestro

Length of output: 50

---

🏁 Script executed:

# Look for any migration notes or documentation files related to task versions
fd -i migration -o -i changelog -o -i "release.*note" | head -20

Repository: openshift-online/maestro

Length of output: 184

---

🌐 Web query:

Konflux tekton-catalog task-apply-tags version 0.3 parameters official documentation

💡 Result:

Official Konflux documentation for the apply-tags Tekton task (used from the quay.io/konflux-ci/tekton-catalog/task-apply-tags:<version> bundle, including 0.3) documents these task parameters:

• IMAGE: the image reference to tag (typically the built image URL/result).
• ADDITIONAL_TAGS (array): extra tags to apply (e.g. ["tag1","tag2"]), including support for dynamically constructed tags. [1]

If you specifically need the exact parameter list as implemented in the task-apply-tags:0.3 bundle, Konflux docs recommend inspecting the bundle contents with Tekton tooling (for example tkn bundle ... / skopeo inspect ...) to see the task spec for that exact version+digest. [2] [3]

Sources: [1] [2] [3]

---

🏁 Script executed:

# Search for any PR notes or comments about this migration in the file or related docs
rg -B 5 -A 5 "apply-tags" .tekton/maestro-e2e-push.yaml

Repository: openshift-online/maestro

Length of output: 781

---

🏁 Script executed:

# Check if there are any references to IMAGE_URL or IMAGE_DIGEST being used elsewhere with apply-tags
rg "IMAGE_URL|IMAGE_DIGEST" .tekton/maestro-e2e-push.yaml | head -20

Repository: openshift-online/maestro

Length of output: 1155

---

Parameters IMAGE_URL and IMAGE_DIGEST are invalid for task-apply-tags:0.3—use IMAGE instead.

The task-apply-tags task in version 0.3 expects IMAGE as the parameter name, not IMAGE_URL. Update lines 535-536 to pass the image reference as a single IMAGE parameter:

- name: IMAGE
  value: $(tasks.build-image-index.results.IMAGE_URL)@$(tasks.build-image-index.results.IMAGE_DIGEST)

Remove the IMAGE_DIGEST parameter (line 537-538) unless ADDITIONAL_TAGS is needed.

🤖 Prompt for AI Agents

In @.tekton/maestro-e2e-push.yaml at line 546, The task-apply-tags:0.3
invocation uses invalid parameters IMAGE_URL and IMAGE_DIGEST; change it to the
single IMAGE parameter expected by that task by replacing the
IMAGE_URL/IMAGE_DIGEST pair with IMAGE whose value is the combined image
reference from tasks.build-image-index.results (i.e. use
$(tasks.build-image-index.results.IMAGE_URL)@$(tasks.build-image-index.results.IMAGE_DIGEST)),
and remove the standalone IMAGE_DIGEST parameter unless you actually need to
pass ADDITIONAL_TAGS; update the parameter names in the task call to use IMAGE
and drop IMAGE_DIGEST.

[coderabbitai]

Actionable comments posted: 0

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

.tekton/maestro-push.yaml (1)

310-325: ⚠️ Potential issue | 🟠 Major

Change task-sast-snyk-check:0.4 to version 0.1.

Version 0.4 does not exist in the Konflux Tekton catalog. The only published version available is 0.1. Bundle resolution will fail at runtime with the current version reference.

[coderabbitai]

Actionable comments posted: 1

🤖 Fix all issues with AI agents

In @.tekton/maestro-pull-request.yaml:
- Line 45: Update the task image tags to published versions: change the
task-sast-snyk-check image reference to use tag 0.1 (replace any occurrence of
task-sast-snyk-check:0.4) and change task-deprecated-image-check to tag 0.4
(replace any task-deprecated-image-check:0.5), and verify task-init:0.3 and
task-buildah:0.8 exist by running skopeo inspect as suggested; if migration docs
exist in konflux-ci/build-definitions apply migrations via pmt migrate or follow
the Konflux migration guide for task-init and task-buildah before finalizing the
changes.

[coderabbitai]

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🏁 Script executed:

# First, let's read the file to see all bundle references
cat -n .tekton/maestro-pull-request.yaml | head -360

Repository: openshift-online/maestro

Length of output: 14018

---

🏁 Script executed:

# Extract the bundle references at the mentioned lines
sed -n '45p;155p;172p;192p;236p;281p;303p;325p;350p' .tekton/maestro-pull-request.yaml

Repository: openshift-online/maestro

Length of output: 1372

---

🏁 Script executed:

# Search for all bundle references in the file to get the full picture
rg 'quay\.io/konflux-ci/tekton-catalog' .tekton/maestro-pull-request.yaml -A 0

Repository: openshift-online/maestro

Length of output: 1657

---

🌐 Web query:

quay.io konflux-ci build-definitions task-init 0.3 migration

💡 Result:

quay.io/konflux-ci/tekton-catalog/task-init:0.3 is a Tekton Task bundle upgrade; if that upgrade requires pipeline changes, Konflux expects them to be delivered as a task migration (so MintMaker/Renovate can apply them automatically, or you can apply them yourself with pmt). The general mechanism is documented here: task migrations live alongside the task version in konflux-ci/build-definitions, and are applied by the pipeline-migration-tool (pmt). [1]

What to do when upgrading task-init to 0.3

1. Update your pipeline’s bundle reference from task-init:0.2... to task-init:0.3... (including digest). Konflux docs show the bundle-ref format and how to refresh a digest with skopeo inspect. [2]
2. If the Renovate/MintMaker PR indicates “migration”, apply it locally using pmt migrate with an “upgrade” JSON that includes:
   • depName: quay.io/konflux-ci/tekton-catalog/task-init
   • currentValue: 0.2 (or whatever you have)
   • newValue: 0.3
   • packageFile: your .tekton/<pipeline>.yaml file
     The Konflux “Applying task migrations” doc shows the exact workflow and command shape. [3]
3. If there is no migration delivered, you must follow the manual instructions (typically a MIGRATION.md for that task/version in build-definitions). This fallback path is explicitly called out in the same migration doc. [3]

Where the task-init 0.3 migration would be (if present)

In konflux-ci/build-definitions, migrations are version-scoped scripts kept under the task’s version directory (a migrations/ folder) and are intended to be executed by pmt to rewrite your Pipeline/PipelineRun YAML in-place. [1]

If you paste the diff from your Renovate PR (or your .tekton/*.yaml snippet showing the task-init bundle update), I can tell you exactly what to put into the pmt migrate -u ... payload for the 0.2 -> 0.3 upgrade.

Sources: [1] https://github.com/konflux-ci/build-definitions (Task Migration section) • [2] https://konflux-ci.dev/docs/troubleshooting/builds/ • [3] https://konflux-ci.dev/docs/building/apply-task-migrations/

---

🌐 Web query:

build-definitions task-buildah 0.8 changelog migration parameter

💡 Result:

In konflux-ci/build-definitions, the Buildah Tekton task exposes build-arg support via two parameters:

• BUILD_ARGS_FILE → passed to Buildah as --build-arg-file (useful when you want args in a repo file).
• BUILD_ARGS → passed to Buildah as repeated --build-arg values (useful when you want args directly in PipelineRun params).
  These are documented as supported parameters of the Konflux Buildah tasks. [1]

Migration (what you typically need to change in your pipeline)

To adopt the build-arg parameters (e.g., when moving to a task bundle like task-buildah:0.8), the Konflux docs describe updating your .tekton/* PipelineRuns/Pipelines roughly like this: [1]

1. Add a pipeline parameter (example names from docs):

• build-args-file (string, default "") and/or
• build-args (array, default [])

2. Wire it into the Buildah task (often the task is named build-container) by adding task params:

• BUILD_ARGS_FILE: "$(params.build-args-file)" and/or
• BUILD_ARGS: "$(params.build-args)"

Where the “changelog” / exact 0.8 delta is recorded

This repo’s convention is that interface changes (params/results/workspaces) are accompanied by versioned task directories and a MIGRATION.md (and optionally scripts under migrations/) explaining exactly what changed and what to edit. [3]

How to apply migrations automatically

Konflux supports applying these task migrations via MintMaker (automatic in Renovate PRs) or manually using pipeline-migration-tool (pmt). [2]

Sources: [1] [2] [3]

---

🌐 Web query:

build-definitions task-sast-snyk-check 0.4 version available

💡 Result:

No—task-sast-snyk-check in the Konflux build-definitions / quay.io/konflux-ci/tekton-catalog catalog is referenced as version 0.1, not 0.4 [1][2]. In the same Konflux task set, 0.4 commonly shows up for a different task (for example, task-deprecated-image-check:0.4) [1][2].

---

🌐 Web query:

task-sast-snyk-check version 0.4 quay.io konflux-ci tekton-catalog

💡 Result:

In quay.io/konflux-ci/tekton-catalog, the Snyk SAST Tekton task is not versioned as 0.4. The catalog references it as:

• quay.io/konflux-ci/tekton-catalog/task-sast-snyk-check:0.1 (the tag seen in downstream release/update notes) [1]
• In some pipelines, the Snyk SAST step is wired via the OCI trusted-artifacts variant: quay.io/konflux-ci/tekton-catalog/task-sast-snyk-check-oci-ta:0.1 [2]

Konflux docs describe this as the sast-snyk-check task that runs Snyk Code SAST and requires a Snyk token secret to be configured (commonly snyk-secret) [3].

Why you may be seeing “0.4”: other Konflux catalog tasks (e.g., task-deprecated-image-check) do use a 0.4 tag, which can be easy to confuse with the Snyk task versioning [2].

Sources:
[1] OpenShift CI release note showing task-sast-snyk-check:0.1 digest updates
[2] Konflux pipeline/task reference snippet showing task-sast-snyk-check-oci-ta:0.1 and task-deprecated-image-check:0.4
[3] Konflux documentation for enabling the Snyk SAST task (sast-snyk-check)

---

🌐 Web query:

quay.io/konflux-ci/tekton-catalog task-init 0.3 version available

💡 Result:

I couldn’t find any public reference showing that quay.io/konflux-ci/tekton-catalog/task-init:0.3 exists. The Konflux documentation examples currently reference task-init:0.2 (including a pinned digest), and suggest using skopeo inspect to check the current digest for a given tag. [1]

To verify whether 0.3 is available, query Quay directly (example from the docs for 0.2):

skopeo inspect --no-tags docker://quay.io/konflux-ci/tekton-catalog/task-init:0.3 | jq -r '.Digest'

If that command returns an error (e.g., tag not found), then 0.3 is not published; if it returns a digest, then 0.3 exists and you can use :0.3@sha256:<digest> in your Tekton bundle reference. [1]

Source:
[1] Konflux docs – “Troubleshooting Builds” (shows task-init:0.2 and the skopeo inspect method) (konflux-ci.dev)

Citations:

• 1: https://konflux-ci.dev/docs/troubleshooting/builds/?utm_source=openai

---

🌐 Web query:

quay.io/konflux-ci/tekton-catalog task-deprecated-image-check 0.5 version available

💡 Result:

I couldn’t find any evidence that quay.io/konflux-ci/tekton-catalog/task-deprecated-image-check:0.5 exists publicly. All the references I can locate point to version 0.4 as the currently used/published tag (including updates that only change the 0.4 digest). [1], [2], [3]

If you want to verify directly against Quay, query the tag API for 0.5 (it will return has_additional:false with an empty tags list if the tag doesn’t exist): [4]

curl -s "https://quay.io/api/v1/repository/konflux-ci/tekton-catalog/task-deprecated-image-check/tag/?onlyActiveTags=true&specificTag=0.5"

Sources:
[1] https://origin-release.apps.ci.l2s4.p1.openshiftapps.com/releasestream/4.17.0-0.okd-scos/release/4.17.0-0.okd-scos-2025-02-23-210454?from=4.16.0-0.okd-scos-2024-11-24-110045
[2] https://newreleases.io/project/github/openshift/source-to-image/release/v1.5.0
[3] https://gist.github.com/brianwcook/1c9aae1c096cce81f16101af1086506c
[4] https://docs.projectquay.io/use_quay.html

---

🌐 Web query:

konflux-ci build-definitions github task-buildah task-init task-deprecated-image-check 0.8 0.3 0.5

💡 Result:

In konflux-ci/build-definitions, Tekton Tasks are versioned under task/<task-name>/<version>/… and are released as OCI bundles to quay.io/konflux-ci/tekton-catalog/task-<task-name>:<version> (the bundle tag is the task VERSION). [1]

So the three items you listed correspond to these expected repo locations + bundle refs:

• task-buildah 0.8

  • GitHub path: task/buildah/0.8/… [1]
  • Bundle image: quay.io/konflux-ci/tekton-catalog/task-buildah:0.8 [1]

• task-init 0.3

  • GitHub path: task/init/0.3/… [1]
  • Bundle image: quay.io/konflux-ci/tekton-catalog/task-init:0.3 [1]

• task-deprecated-image-check 0.5

  • GitHub path: task/deprecated-image-check/0.5/… [1]
  • Bundle image: quay.io/konflux-ci/tekton-catalog/task-deprecated-image-check:0.5 [1]

Source(s)
[1] https://github.com/konflux-ci/build-definitions

---

Fix bundle versions: task-sast-snyk-check and task-deprecated-image-check have incorrect tags.

• Line 325 (task-sast-snyk-check): Version 0.4 does not exist. Public references show only 0.1 is available.
• Line 281 (task-deprecated-image-check): Version 0.5 does not exist. Current published version is 0.4.

For task-init:0.3 (line 155) and task-buildah:0.8 (line 236), verify these versions exist using skopeo inspect before merging:

skopeo inspect --no-tags docker://quay.io/konflux-ci/tekton-catalog/task-init:0.3
skopeo inspect --no-tags docker://quay.io/konflux-ci/tekton-catalog/task-buildah:0.8

If migration documents exist in konflux-ci/build-definitions, apply them via pmt migrate or manually as described in the Konflux task migration guide.

🤖 Prompt for AI Agents

In @.tekton/maestro-pull-request.yaml at line 45, Update the task image tags to
published versions: change the task-sast-snyk-check image reference to use tag
0.1 (replace any occurrence of task-sast-snyk-check:0.4) and change
task-deprecated-image-check to tag 0.4 (replace any
task-deprecated-image-check:0.5), and verify task-init:0.3 and task-buildah:0.8
exist by running skopeo inspect as suggested; if migration docs exist in
konflux-ci/build-definitions apply migrations via pmt migrate or follow the
Konflux migration guide for task-init and task-buildah before finalizing the
changes.

[clyang82]

LGTM