Merge branch 'main' into sast-unicode-check-oci-ta

.github/workflows/go-ci.yaml

@@ -13,12 +13,12 @@ jobs:
           - task-generator/trusted-artifacts
     steps:
       - uses: actions/checkout@cbb722410c2e876e24abbe8de2cc27693e501dcb
-      - uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed
+      - uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a
         with:
           go-version-file: './${{matrix.path}}/go.mod'
           cache-dependency-path: ./${{matrix.path}}/go.sum
       - name: golangci-lint
-        uses: golangci/golangci-lint-action@160a1d779cee256901ff3d68ef8ccc63ac8a04f8
+        uses: golangci/golangci-lint-action@eab1d2f3d76f26c09e2ab8c957fe5bb64bf46b89
         with:
           working-directory: ${{matrix.path}}
           args: "--timeout=10m --build-tags='normal periodic'"
@@ -33,7 +33,7 @@ jobs:
     steps:
       - uses: actions/checkout@cbb722410c2e876e24abbe8de2cc27693e501dcb
       - name: Install Go
-        uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed
+        uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a
         with:
           go-version-file: './${{matrix.path}}/go.mod'
           cache-dependency-path: ./${{matrix.path}}/go.sum
@@ -73,7 +73,7 @@ jobs:
           - task-generator/trusted-artifacts
     steps:
       - uses: actions/checkout@cbb722410c2e876e24abbe8de2cc27693e501dcb
-      - uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed
+      - uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a
         with:
           go-version-file: './${{matrix.path}}/go.mod'
           cache-dependency-path: ./${{matrix.path}}/go.sum

.github/workflows/temp-block-buildah.yaml

@@ -10,23 +10,25 @@ jobs:
     steps:
       - name: Checkout repository
         uses: actions/checkout@v4
-        with:
-          fetch-depth: 0
 
       - name: Check that the size of buildah-remote-oci-ta doesn't increase
-        env:
-          BASE: ${{ github.event.pull_request.base.sha }}
         run: |
           #!/bin/bash
           set -euo pipefail
 
           buildah_remote_oci_ta=task/buildah-remote-oci-ta/0.2/buildah-remote-oci-ta.yaml
-          prev_size=$(git show "$BASE:$buildah_remote_oci_ta" | wc -c)
+          # 34172 is the largest that the file has ever been *and worked*.
+          # 34200 is known to be too large (see b2f800cc603ec0907ad2b3962d46919a535e158e,
+          # which had to be reverted). The actual limit is somewhere in between.
+          safe_size=34172
           current_size=$(wc -c < "$buildah_remote_oci_ta")
 
-          if [[ "$current_size" -gt "$prev_size" ]]; then
+          if [[ "$current_size" -gt "$safe_size" ]]; then
             cat << EOF >&2
-          This PR increases the size of $buildah_remote_oci_ta.
+          This PR increases the size of $buildah_remote_oci_ta beyond the known safe limit.
+
+          safe_size=$safe_size
+          current_size=$current_size
 
           Due to https://github.com/tektoncd/pipeline/issues/8388, this is risky;
           the resulting bundle may not be resolvable by Tekton.

.tekton/tasks/ec-checks.yaml

@@ -23,7 +23,7 @@ spec:
       $(all_tasks_dir all_tasks-ec)
   - name: validate-all-tasks
     workingDir: "$(workspaces.source.path)/source"
-    image: quay.io/enterprise-contract/ec-cli:snapshot@sha256:46fae4d356d678383a926de8a68f79177d7e685d5497675acf41c9d3425aaacc
+    image: quay.io/enterprise-contract/ec-cli:snapshot@sha256:ccbf00aee7d4af1f78ba66aa04b0899b7e770dea44f6df0a1aa0a9a12529e9fe
     script: |
       set -euo pipefail
 
@@ -37,7 +37,7 @@ spec:
       ec validate input --policy "${policy}" --output yaml --strict=true ${args[*]}
   - name: validate-build-tasks
     workingDir: "$(workspaces.source.path)/source"
-    image: quay.io/enterprise-contract/ec-cli:snapshot@sha256:46fae4d356d678383a926de8a68f79177d7e685d5497675acf41c9d3425aaacc
+    image: quay.io/enterprise-contract/ec-cli:snapshot@sha256:ccbf00aee7d4af1f78ba66aa04b0899b7e770dea44f6df0a1aa0a9a12529e9fe
     script: |
       set -euo pipefail
 

pipelines/enterprise-contract.yaml

@@ -114,7 +114,7 @@ spec:
         resolver: bundles
         params:
           - name: bundle
-            value: quay.io/enterprise-contract/ec-task-bundle:snapshot@sha256:4f21e71a63ead03ab856631a43e12e62ed261934bd8a686f0ab75e8ec7a2037f
+            value: quay.io/enterprise-contract/ec-task-bundle:snapshot@sha256:f6fb0800d707b7eb6f3ccfc0026c39bb3a5b944aa1ecacc7d8de6cb2fa1a67a6
           - name: name
             value: verify-enterprise-contract
           - name: kind

stepactions/eaas-get-ephemeral-cluster-credentials/0.1/eaas-get-ephemeral-cluster-credentials.yaml

@@ -78,7 +78,6 @@ spec:
     API_SERVER_URL=$("${OC[@]}" get cti "$CLUSTER_NAME" -o=jsonpath='{.status.apiServerURL}')
     echo "API Server URL: $API_SERVER_URL"
     echo -n "$API_SERVER_URL" > "$(step.results.apiServerURL.path)"
-    export KUBECONFIG=$CLUSTER_KUBECONFIG
-    CONSOLE_URL=https://$(oc get route console -n openshift-console -o go-template --template="{{.spec.host}}")
+    CONSOLE_URL=https://$(oc --kubeconfig "$CLUSTER_KUBECONFIG" get route console -n openshift-console -o go-template --template="{{.spec.host}}")
     echo "Console URL: $CONSOLE_URL"
     echo -n "$CONSOLE_URL" > "$(step.results.consoleURL.path)"

task/build-image-index/0.1/build-image-index.yaml

@@ -163,7 +163,7 @@ spec:
         add:
           - SETFCAP
 
-  - image: quay.io/redhat-appstudio/sbom-utility-scripts-image@sha256:ff25ba051a6d583e5b85e635d39f0e804e2ac65def51ba17b0d487a1c00ce9cd
+  - image: quay.io/redhat-appstudio/sbom-utility-scripts-image@sha256:11851ba63f63dfdcf722e47993f41a1f5f31a7a0dc8aa85b810ce2466daf23af
     name: create-sbom
     computeResources:
       limits:

task/buildah-oci-ta/0.2/buildah-oci-ta.yaml

@@ -590,7 +590,7 @@ spec:
       securityContext:
         runAsUser: 0
     - name: prepare-sboms
-      image: quay.io/redhat-appstudio/sbom-utility-scripts-image@sha256:ff25ba051a6d583e5b85e635d39f0e804e2ac65def51ba17b0d487a1c00ce9cd
+      image: quay.io/redhat-appstudio/sbom-utility-scripts-image@sha256:11851ba63f63dfdcf722e47993f41a1f5f31a7a0dc8aa85b810ce2466daf23af
       workingDir: /var/workdir
       script: |
         echo "Merging contents of sbom-source.json and sbom-image.json into sbom-cyclonedx.json"

task/buildah-remote-oci-ta/0.2/buildah-remote-oci-ta.yaml

@@ -704,7 +704,7 @@ spec:
       requests:
         cpu: 100m
         memory: 256Mi
-    image: quay.io/redhat-appstudio/sbom-utility-scripts-image@sha256:ff25ba051a6d583e5b85e635d39f0e804e2ac65def51ba17b0d487a1c00ce9cd
+    image: quay.io/redhat-appstudio/sbom-utility-scripts-image@sha256:11851ba63f63dfdcf722e47993f41a1f5f31a7a0dc8aa85b810ce2466daf23af
     name: prepare-sboms
     script: |
       #!/bin/bash

task/buildah-remote/0.2/buildah-remote.yaml

@@ -682,7 +682,7 @@ spec:
       requests:
         cpu: 100m
         memory: 256Mi
-    image: quay.io/redhat-appstudio/sbom-utility-scripts-image@sha256:ff25ba051a6d583e5b85e635d39f0e804e2ac65def51ba17b0d487a1c00ce9cd
+    image: quay.io/redhat-appstudio/sbom-utility-scripts-image@sha256:11851ba63f63dfdcf722e47993f41a1f5f31a7a0dc8aa85b810ce2466daf23af
     name: prepare-sboms
     script: |
       #!/bin/bash

task/buildah/0.2/buildah.yaml

@@ -534,7 +534,7 @@ spec:
       runAsUser: 0
 
   - name: prepare-sboms
-    image: quay.io/redhat-appstudio/sbom-utility-scripts-image@sha256:ff25ba051a6d583e5b85e635d39f0e804e2ac65def51ba17b0d487a1c00ce9cd
+    image: quay.io/redhat-appstudio/sbom-utility-scripts-image@sha256:11851ba63f63dfdcf722e47993f41a1f5f31a7a0dc8aa85b810ce2466daf23af
     computeResources:
       limits:
         memory: 512Mi

task/generate-odcs-compose/0.1/generate-odcs-compose.yaml

@@ -21,7 +21,7 @@ spec:
       description: Directory to write the result .repo files.
   steps:
     - name: generate-odcs-compose
-      image: quay.io/redhat-appstudio/tools@sha256:10b96ff065c51dec133d9b23d277fd8260d15f38c39b94ae9735f34fec8429af
+      image: quay.io/redhat-appstudio/tools@sha256:87c71bdc6f1925de3566fe9ff7237ce122063f5972f533722868b84fb5616b61
       env:
         - name: CLIENT_ID
           valueFrom:

task/generate-odcs-compose/0.2/generate-odcs-compose.yaml

@@ -21,7 +21,7 @@ spec:
       description: Directory to write the result .repo files.
   steps:
     - name: generate-odcs-compose
-      image: quay.io/redhat-appstudio/tools@sha256:10b96ff065c51dec133d9b23d277fd8260d15f38c39b94ae9735f34fec8429af
+      image: quay.io/redhat-appstudio/tools@sha256:87c71bdc6f1925de3566fe9ff7237ce122063f5972f533722868b84fb5616b61
       env:
         - name: CLIENT_ID
           valueFrom:

task/rpm-ostree-oci-ta/0.2/rpm-ostree-oci-ta.yaml

@@ -241,7 +241,7 @@ spec:
         requests:
           memory: 6Gi
     - name: merge-cachi2-sbom
-      image: quay.io/redhat-appstudio/sbom-utility-scripts-image@sha256:ff25ba051a6d583e5b85e635d39f0e804e2ac65def51ba17b0d487a1c00ce9cd
+      image: quay.io/redhat-appstudio/sbom-utility-scripts-image@sha256:11851ba63f63dfdcf722e47993f41a1f5f31a7a0dc8aa85b810ce2466daf23af
       workingDir: /var/workdir
       script: |
         cachi2_sbom=./cachi2/output/bom.json

task/rpm-ostree/0.2/rpm-ostree.yaml

@@ -222,7 +222,7 @@ spec:
       - mountPath: /var/lib/containers
         name: varlibcontainers
   - name: merge-cachi2-sbom
-    image: quay.io/redhat-appstudio/sbom-utility-scripts-image@sha256:ff25ba051a6d583e5b85e635d39f0e804e2ac65def51ba17b0d487a1c00ce9cd
+    image: quay.io/redhat-appstudio/sbom-utility-scripts-image@sha256:11851ba63f63dfdcf722e47993f41a1f5f31a7a0dc8aa85b810ce2466daf23af
     script: |
       cachi2_sbom=./cachi2/output/bom.json
       if [ -f "$cachi2_sbom" ]; then

task/rpms-signature-scan/0.1/rpms-signature-scan.yaml

@@ -48,7 +48,7 @@ spec:
         optional: true
   steps:
     - name: rpms-signature-scan
-      image: quay.io/redhat-appstudio/tools@sha256:10b96ff065c51dec133d9b23d277fd8260d15f38c39b94ae9735f34fec8429af
+      image: quay.io/redhat-appstudio/tools@sha256:87c71bdc6f1925de3566fe9ff7237ce122063f5972f533722868b84fb5616b61
       volumeMounts:
         - name: workdir
           mountPath: "$(params.workdir)"

task/rpms-signature-scan/0.2/rpms-signature-scan.yaml

@@ -44,7 +44,7 @@ spec:
         optional: true
   steps:
     - name: rpms-signature-scan
-      image: quay.io/redhat-appstudio/tools@sha256:10b96ff065c51dec133d9b23d277fd8260d15f38c39b94ae9735f34fec8429af
+      image: quay.io/redhat-appstudio/tools@sha256:87c71bdc6f1925de3566fe9ff7237ce122063f5972f533722868b84fb5616b61
       volumeMounts:
         - name: workdir
           mountPath: "$(params.workdir)"

task/source-build-oci-ta/0.1/source-build-oci-ta.yaml

@@ -114,7 +114,7 @@ spec:
             | .name + "@" + $matched.digest
         ' <<<"$sbom" | tee "$BASE_IMAGES_FILE"
     - name: build
-      image: quay.io/konflux-ci/source-container-build:latest@sha256:d564bce07b9d9fee8fcd781cd60f47f29d86d0bd7c6586a2cde2b845493ad881
+      image: quay.io/konflux-ci/source-container-build:latest@sha256:2b945fc0f4ff54b711f4d4d2c99476c7dab073d885f615c9414ea134652557df
       workingDir: /var/workdir
       env:
         - name: SOURCE_DIR

task/source-build/0.1/source-build.yaml

@@ -102,7 +102,7 @@ spec:
         ' <<< "$sbom" | tee "$BASE_IMAGES_FILE"
 
     - name: build
-      image: quay.io/konflux-ci/source-container-build:latest@sha256:d564bce07b9d9fee8fcd781cd60f47f29d86d0bd7c6586a2cde2b845493ad881
+      image: quay.io/konflux-ci/source-container-build:latest@sha256:2b945fc0f4ff54b711f4d4d2c99476c7dab073d885f615c9414ea134652557df
       # per https://kubernetes.io/docs/concepts/containers/images/#imagepullpolicy-defaulting
       # the cluster will set imagePullPolicy to IfNotPresent
       computeResources: