[main] chore(deps): update konflux references

[red-hat-konflux]

This PR contains the following updates:

Package	Change
quay.io/konflux-ci/tekton-catalog/task-apply-tags	f44be1b -> 4c2b0a2
quay.io/konflux-ci/tekton-catalog/task-build-image-index	d94cad7 -> 3411aee
quay.io/konflux-ci/tekton-catalog/task-buildah-oci-ta	7b4c101 -> 27d5644
quay.io/konflux-ci/tekton-catalog/task-buildah-remote-oci-ta	ac05dab -> c9eb4f1
quay.io/konflux-ci/tekton-catalog/task-clair-scan	a7cc183 -> 8ec7d7b
quay.io/konflux-ci/tekton-catalog/task-clamav-scan	b0bd597 -> f3d2d17
quay.io/konflux-ci/tekton-catalog/task-coverity-availability-check	db2b267 -> 3640087
quay.io/konflux-ci/tekton-catalog/task-deprecated-image-check	f59175d -> 462baed
quay.io/konflux-ci/tekton-catalog/task-git-clone-oci-ta	3a920a8 -> 3dc39ea
quay.io/konflux-ci/tekton-catalog/task-init	bbf313b -> 3ca52e1
quay.io/konflux-ci/tekton-catalog/task-prefetch-dependencies-oci-ta	970285e -> 5691652
quay.io/konflux-ci/tekton-catalog/task-push-dockerfile-oci-ta	14fba04 -> 13633d5
quay.io/konflux-ci/tekton-catalog/task-sast-coverity-check-oci-ta	cdbe1a9 -> 78f5244
quay.io/konflux-ci/tekton-catalog/task-sast-shell-check-oci-ta	f950c3c -> d44336d
quay.io/konflux-ci/tekton-catalog/task-sast-snyk-check-oci-ta	181d63c -> 8ad28b7
quay.io/konflux-ci/tekton-catalog/task-sast-unicode-check-oci-ta	1cf8f6f -> e5a8d3e
quay.io/konflux-ci/tekton-catalog/task-slack-webhook-notification	4e68fe2 -> 69945a3
quay.io/konflux-ci/tekton-catalog/task-source-build-oci-ta	2a290f9 -> 282cb5a

---

Configuration

📅 Schedule: Branch creation - "after 5am on saturday" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

To execute skipped test pipelines write comment /ok-to-test.

---

Documentation

Find out how to configure dependency updates in MintMaker documentation or see all available configuration options in Renovate documentation.

Summary by CodeRabbit

• Chores
  • Updated container images for internal CI/CD pipeline tasks across multiple pipeline configurations.

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign paulovmr for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[openshift-ci]

Hi @red-hat-konflux[bot]. Thanks for your PR.

I'm waiting for a github.com member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[coderabbitai]

Walkthrough

Updated Tekton task bundle image digests across three pipeline configuration files (.tekton/multiarch-pull-request-pipeline.yaml, .tekton/multiarch-push-pipeline.yaml, and .tekton/singlearch-push-pipeline.yaml). All changes replace existing sha256 digests with new values. No structural, control-flow, or behavioral modifications.

Changes

Cohort / File(s)

Summary

Tekton pipeline bundle digest updates .tekton/multiarch-pull-request-pipeline.yaml, .tekton/multiarch-push-pipeline.yaml, .tekton/singlearch-push-pipeline.yaml

Updated sha256 digests for Tekton task bundle references across multiple tasks including Slack notification, init, git-clone-oci-ta, prefetch-dependencies, buildah-remote-oci-ta, build-image-index, source-build-oci-ta, deprecated-image-check, clair-scan, ecosystem-cert-preflight-checks, sast-snyk-check-oci-ta, clamav-scan, sast-coverity-check-oci-ta, coverity-availability-check, sast-shell-check-oci-ta, sast-unicode-check-oci-ta, apply-tags, push-dockerfile-oci-ta, and rpms-signature-scan. No changes to task names, parameters, or control flow.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~5 minutes

• Verify sha256 digests are valid and well-formed
• Confirm digest updates correspond to intended task versions across all three files
• Spot-check for consistency and typos in digest values

Pre-merge checks and finishing touches

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Description check	⚠️ Warning	The PR description provides a detailed table of package updates with before/after digests, but omits required sections from the template: How Has This Been Tested and the self-checklist items.	Add the 'How Has This Been Tested?' section with testing details and complete the self-checklist by checking relevant boxes or explaining why they don't apply.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title clearly and concisely describes the main change: updating Konflux references (task bundle digests) across Tekton pipeline configuration files.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

✨ Finishing touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch konflux/references/main

---

📜 Recent review details

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 603bf2f and 834a7e3.

📒 Files selected for processing (3)

• .tekton/multiarch-pull-request-pipeline.yaml (16 hunks)
• .tekton/multiarch-push-pipeline.yaml (17 hunks)
• .tekton/singlearch-push-pipeline.yaml (17 hunks)

🔇 Additional comments (3)

.tekton/multiarch-pull-request-pipeline.yaml (1)

128-128: Digest-only updates look consistent with PR objectives.

All 16 bundle reference updates reflect the expected Konflux catalog task digest refreshes. The format is correct (sha256 short digest), and references are properly scoped to the task bundle resolver.

Note: Tasks ecosystem-cert-preflight-checks (line 360) and rpms-signature-scan (line 591) were not updated. Verify this is intentional—their digests may be pinned separately or excluded from the refresh cycle.

Also applies to: 149-149, 178-178, 230-230, 261-261, 287-287, 313-313, 340-340, 386-386, 408-408, 453-453, 474-474, 500-500, 526-526, 551-551, 574-574

.tekton/singlearch-push-pipeline.yaml (1)

42-42: Digest updates are consistent and align with PR objectives.

All 17 bundle digest updates are applied consistently. The slack notification and buildah-oci-ta updates are correct for this single-arch variant. Digests match those in the multiarch pipelines where tasks are shared.

Note: Tasks ecosystem-cert-preflight-checks (line 398) and rpms-signature-scan (line 629) remain unchanged. Confirm this is intentional.

Also applies to: 176-176, 199-199, 228-228, 273-273, 304-304, 330-330, 356-356, 378-378, 424-424, 446-446, 491-491, 512-512, 538-538, 564-564, 589-589, 612-612

.tekton/multiarch-push-pipeline.yaml (1)

42-42: Cross-file consistency verified—digest updates are comprehensive and aligned.

All 17 bundle updates in this push pipeline are consistent with corresponding tasks across the pull-request and single-arch variants. Shared tasks carry identical new digests. The buildah-remote-oci-ta and slack notification updates are correct for this multi-arch push context.

Note: Tasks ecosystem-cert-preflight-checks (line 420) and rpms-signature-scan (line 651) remain unchanged across all three files. This appears intentional and consistent.

Also applies to: 186-186, 209-209, 238-238, 290-290, 321-321, 347-347, 373-373, 400-400, 446-446, 468-468, 513-513, 534-534, 560-560, 586-586, 611-611, 634-634

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[jiridanek]

/test-e2e

[jiridanek]

/ok-to-test

[jiridanek]

@coderabbitai review

[coderabbitai]

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

[openshift-ci]

@red-hat-konflux[bot]: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/images	834a7e3	link	true	/test images

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.