chore(deps): update konflux references

[red-hat-konflux]

This PR contains the following updates:

Package	Change	Notes
quay.io/konflux-ci/tekton-catalog/task-build-image-index (source, changelog)	0.2 → 0.3	⚠️migration⚠️
quay.io/konflux-ci/tekton-catalog/task-buildah-oci-ta (source, changelog)	cad04a0 → 1da40a1
quay.io/konflux-ci/tekton-catalog/task-buildah-remote-oci-ta (source, changelog)	351b8f1 → 4b3b768
quay.io/konflux-ci/tekton-catalog/task-clair-scan (source, changelog)	3fa03be → 8992475
quay.io/konflux-ci/tekton-catalog/task-coverity-availability-check (source, changelog)	de35caf → 8b50144
quay.io/konflux-ci/tekton-catalog/task-fbc-fips-check-oci-ta (source, changelog)	0312f05 → 54bcb48
quay.io/konflux-ci/tekton-catalog/task-prefetch-dependencies-oci-ta (source, changelog)	2229dbc → 9917d11
quay.io/konflux-ci/tekton-catalog/task-rpms-signature-scan (source, changelog)	0eb4cfb → 7f2e8ed
quay.io/konflux-ci/tekton-catalog/task-sast-coverity-check-oci-ta (source, changelog)	47f4e2d → e92d00e
quay.io/konflux-ci/tekton-catalog/task-sast-shell-check-oci-ta (source, changelog)	c89a2bc → c4ef47e
quay.io/konflux-ci/tekton-catalog/task-sast-snyk-check-oci-ta (source, changelog)	ba3eff8 → 2ad986f
quay.io/konflux-ci/tekton-catalog/task-sast-unicode-check-oci-ta (source, changelog)	92552dd → 0854d92

---

Release Notes

konflux-ci/build-definitions (quay.io/konflux-ci/tekton-catalog/task-build-image-index)

v0.3

Changed

• The task now uses konflux-build-cli for the build step instead of an inline bash
  implementation. This provides more robust error handling and simplified maintenance.
• When ALWAYS_BUILD_INDEX is false and multiple images are provided, the task now
  creates an image index instead of failing. The previous behavior (failing with an error)
  was not useful.
• Image reference validation is now stricter and will fail earlier for invalid formats.

Removed

• COMMIT_SHA parameter (was not used by the task implementation)
• IMAGE_EXPIRES_AFTER parameter (was not used by the task implementation)

Added

• Started tracking changes in this file.

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

To execute skipped test pipelines write comment /ok-to-test.

---

Documentation

Find out how to configure dependency updates in MintMaker documentation or see all available configuration options in Renovate documentation.

[openshift-ci]

Hi @red-hat-konflux[bot]. Thanks for your PR.

I'm waiting for a app-sre member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work.

Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[coderabbitai]

📝 Walkthrough

Walkthrough

Updated multiple Tekton PipelineRun YAMLs: refreshed pinned task bundle digests (sha256), bumped task-build-image-index from v0.2→v0.3 in affected files, and removed COMMIT_SHA and IMAGE_EXPIRES_AFTER parameters from build-image-index task invocations.

Changes

Cohort / File(s)	Summary
deployment-validation-operator pipelines .tekton/deployment-validation-operator-bundle-pull-request.yaml, .tekton/deployment-validation-operator-bundle-push.yaml, .tekton/deployment-validation-operator-pull-request.yaml, .tekton/deployment-validation-operator-push.yaml	Refreshed pinned task bundle @sha256 digests for multiple tasks (task versions unchanged except task-build-image-index bumped 0.2→0.3). Removed COMMIT_SHA and IMAGE_EXPIRES_AFTER from build-image-index params.
FBC OCP 4.12–4.19 pipelines .tekton/fbc-ocp4-{12..19}-pull-request.yaml, .tekton/fbc-ocp4-{12..19}-push.yaml	Replaced @sha256 digests for several tasks (including task-prefetch-dependencies-oci-ta, task-buildah-remote-oci-ta) and upgraded task-build-image-index 0.2→0.3. Removed COMMIT_SHA and IMAGE_EXPIRES_AFTER parameter wiring for build-image-index.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Suggested reviewers

• opokornyy
• BaiyangZhou

Poem

🐇 I hopped through YAML fields tonight,

Sha256s swapped in gentle light,
Index nudged up, two params set free,
Pipelines pruned — a tidy spree,
A rabbit's wink, all checks go right.

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title 'chore(deps): update konflux references' accurately summarizes the main change—updating multiple konflux-related task bundle references and digests across numerous Tekton pipeline YAML files.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch konflux/references/master

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

.tekton/deployment-validation-operator-pull-request.yaml (1)

248-266: ⚠️ Potential issue | 🟡 Minor

Verify handling of the build-image-index=false behavior change in v0.3.

Upgrading task-build-image-index to v0.3 changes how ALWAYS_BUILD_INDEX=false behaves with multiple images: v0.2 would fail when given multiple images with ALWAYS_BUILD_INDEX=false, but v0.3 now creates an index anyway. Since this pipeline passes multiple platform images by default (linux/x86_64 and linux/arm64) and exposes build-image-index as a public parameter, callers setting it to false will experience a silent behavior change. Confirm whether any callers rely on the old semantics, and consider documenting this change.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.tekton/deployment-validation-operator-pull-request.yaml around lines 248 -
266, The pipeline now uses the task "build-image-index" with the param
ALWAYS_BUILD_INDEX (and public pipeline param build-image-index), but version
0.3 of task-build-image-index changes semantics so ALWAYS_BUILD_INDEX=false no
longer prevents index creation when multiple images are passed; update this PR
by auditing callers of the pipeline parameter build-image-index to see who
relies on the old behavior, and either (a) pin the taskRef to the older
task-build-image-index version if backward compatibility is required, or (b) add
explicit documentation and a note in the pipeline parameter description (for
build-image-index / ALWAYS_BUILD_INDEX) explaining the v0.3 behavior change and
its impact when IMAGES contains multiple platform images, and optionally add
logic (e.g., a guard task or conditional) to mimic the old failing behavior if
you must preserve prior semantics.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Outside diff comments:
In @.tekton/deployment-validation-operator-pull-request.yaml:
- Around line 248-266: The pipeline now uses the task "build-image-index" with
the param ALWAYS_BUILD_INDEX (and public pipeline param build-image-index), but
version 0.3 of task-build-image-index changes semantics so
ALWAYS_BUILD_INDEX=false no longer prevents index creation when multiple images
are passed; update this PR by auditing callers of the pipeline parameter
build-image-index to see who relies on the old behavior, and either (a) pin the
taskRef to the older task-build-image-index version if backward compatibility is
required, or (b) add explicit documentation and a note in the pipeline parameter
description (for build-image-index / ALWAYS_BUILD_INDEX) explaining the v0.3
behavior change and its impact when IMAGES contains multiple platform images,
and optionally add logic (e.g., a guard task or conditional) to mimic the old
failing behavior if you must preserve prior semantics.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 14ce1295-b1e6-41fc-be8b-24e9adda9a6a

📥 Commits

Reviewing files that changed from the base of the PR and between 17f036c and 272e2e0.

📒 Files selected for processing (20)

• .tekton/deployment-validation-operator-bundle-pull-request.yaml
• .tekton/deployment-validation-operator-bundle-push.yaml
• .tekton/deployment-validation-operator-pull-request.yaml
• .tekton/deployment-validation-operator-push.yaml
• .tekton/fbc-ocp4-12-pull-request.yaml
• .tekton/fbc-ocp4-12-push.yaml
• .tekton/fbc-ocp4-13-pull-request.yaml
• .tekton/fbc-ocp4-13-push.yaml
• .tekton/fbc-ocp4-14-pull-request.yaml
• .tekton/fbc-ocp4-14-push.yaml
• .tekton/fbc-ocp4-15-pull-request.yaml
• .tekton/fbc-ocp4-15-push.yaml
• .tekton/fbc-ocp4-16-pull-request.yaml
• .tekton/fbc-ocp4-16-push.yaml
• .tekton/fbc-ocp4-17-pull-request.yaml
• .tekton/fbc-ocp4-17-push.yaml
• .tekton/fbc-ocp4-18-pull-request.yaml
• .tekton/fbc-ocp4-18-push.yaml
• .tekton/fbc-ocp4-19-pull-request.yaml
• .tekton/fbc-ocp4-19-push.yaml

[ncaak]

/ok-to-test
/lgtm

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: ncaak, red-hat-konflux[bot]

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS [ncaak]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[codecov-commenter]

⚠️ Please install the to ensure uploads and comments are reliably processed by Codecov.

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 46.16%. Comparing base (a8cddf0) to head (add0b4d).
❗ Your organization needs to install the Codecov GitHub app to enable full functionality.

Additional details and impacted files

@@           Coverage Diff           @@
##           master     #659   +/-   ##
=======================================
  Coverage   46.16%   46.16%           
=======================================
  Files          22       22           
  Lines        1083     1083           
=======================================
  Hits          500      500           
  Misses        553      553           
  Partials       30       30           

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[ncaak]

/lgtm

[ncaak]

/test deployment-validation-operator-e2e-tests

[openshift-ci]

New changes are detected. LGTM label has been removed.

[openshift-ci]

@red-hat-konflux[bot]: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/deployment-validation-operator-e2e-tests	add0b4d	link	true	/test deployment-validation-operator-e2e-tests

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.