[release-1.36] Update Konflux references

[red-hat-konflux-kflux-prd-rh02]

This PR contains the following updates:

Package	Change	Notes
quay.io/konflux-ci/tekton-catalog/task-apply-tags (source, changelog)	0.2 → 0.3	⚠️migration⚠️
quay.io/konflux-ci/tekton-catalog/task-build-image-index (source, changelog)	0.1 → 0.3	⚠️migration⚠️
quay.io/konflux-ci/tekton-catalog/task-buildah-remote-oci-ta (source, changelog)	0.5 → 0.10	⚠️migration⚠️
quay.io/konflux-ci/tekton-catalog/task-deprecated-image-check (source, changelog)	f59175d → e78d0d3
quay.io/konflux-ci/tekton-catalog/task-fbc-fips-check-oci-ta (source, changelog)	286eff4 → 935adb6
quay.io/konflux-ci/tekton-catalog/task-fbc-target-index-pruning-check (source, changelog)	cd86fe9 → a7696d9
quay.io/konflux-ci/tekton-catalog/task-git-clone-oci-ta (source, changelog)	0.1 → 0.2	⚠️migration⚠️
quay.io/konflux-ci/tekton-catalog/task-init (source, changelog)	0.2 → 0.4	⚠️migration⚠️
quay.io/konflux-ci/tekton-catalog/task-prefetch-dependencies-oci-ta (source, changelog)	0.2 → 0.3	⚠️migration⚠️
quay.io/konflux-ci/tekton-catalog/task-show-sbom (source, changelog)	beb0616 → a7346ed
quay.io/konflux-ci/tekton-catalog/task-validate-fbc (source, changelog)	730dd40 → 3031538

---

Release Notes

konflux-ci/build-definitions (quay.io/konflux-ci/tekton-catalog/task-apply-tags)

v0.3

• Switched from bash implementation to Konflux Build CLI.
• Deprecated older 0.1 and 0.2 versions.

konflux-ci/build-definitions (quay.io/konflux-ci/tekton-catalog/task-build-image-index)

v0.3

Changed

• The task now uses konflux-build-cli for the build step instead of an inline bash
  implementation. This provides more robust error handling and simplified maintenance.
• When ALWAYS_BUILD_INDEX is false and multiple images are provided, the task now
  creates an image index instead of failing. The previous behavior (failing with an error)
  was not useful.
• Image reference validation is now stricter and will fail earlier for invalid formats.

Removed

• COMMIT_SHA parameter (was not used by the task implementation)
• IMAGE_EXPIRES_AFTER parameter (was not used by the task implementation)

Added

• Started tracking changes in this file.

konflux-ci/build-definitions (quay.io/konflux-ci/tekton-catalog/task-buildah-remote-oci-ta)

v0.10

This version introduces konflux-build-cli. The build step replaces most of the Bash with
konflux-build-cli image build. Other steps still use Bash, this will change soon.

We expect version 0.10 to behave the same as version 0.9 for the vast majority
of use cases. All known (minor) differences documented below.

Added

• The vcs-url label. Previously, the task would inject the following vcs-related labels:
  • org.opencontainers.image.revision and its legacy counterpart,
    vcs-ref
  • org.opencontainers.image.source and nothing else
    • Version 0.10 adds the missing legacy counterpart, vcs-url

Changed

• The precedence of default annotations (those injected by the task automatically)
  • Before: ANNOTATIONS_FILE < ANNOTATIONS < default annotations
  • Now: default annotations < ANNOTATIONS_FILE < ANNOTATIONS
• When handling the YUM_REPOS_D_SRC and YUM_REPOS_D_FETCHED directories,
  injects only regular files into /etc/yum.repos.d. Previously, the task would
  inject the directories as a whole. /etc/yum.repos.d is a flat structure, so
  the task now injects only regular files to avoid injecting unexpected content.
• Prefetch integration:
  • Looks for both prefetch.env and cachi2.env in the prefetch dir (in this order).
    Version 0.3.1 of the prefetch task added prefetch.env and a future version
    will remove cachi2.env.
  • Doesn't rely specifically on cachi2.repo files to enable RPM integration,
    just needs any *.repo file at the expected path.
  • In case the YUM_REPOS_D_SRC or YUM_REPOS_D_FETCHED directories contain
    a repo file with the same name as the repo file from Hermeto, the Hermeto
    repo takes precedence. Previously, YUM_REPOS_* would take precedence.
  • Doesn't copy the prefetch files to /tmp, instead copies them to a directory
    on the same filesystem as the original files. This uses copy-on-write and avoids
    duplicating the underlying data.
• Red Hat subscription-manager integration:
  • Will mount the RHSM CA certificates into the build in two cases:
    • When using ACTIVATION_KEY and the containerfile doesn't include
      subscription-manager register (same as before)
    • When using ENTITLEMENT_SECRET (not done before and should have been)
  • When mounting RHSM CA certificates, mounts the whole /etc/rhsm/ca directory
    instead of mounting a specific file. This closes #​1621.

Fixed

• Injecting metadata to /usr/share/buildinfo and /root/buildinfo:
  • Does not write any new files or modify any existing files in the source directory,
    injects the files using a separate build-context.
  • Will log a warning if the TARGET param is set and SKIP_INJECTIONS=false
    (using TARGET disables metadata injection anyway). Metadata injection never
    worked with a non-default target, version 0.10 just adds the warning.
  • Injecting labels.json:
    • Will skip LABEL instructions in stages that don't affect the labels of the final image.
    • Will correctly omit the io.buildah.version label when SOURCE_DATE_EPOCH is non-empty.
      Previously, labels.json would always include io.buildah.version.
• Pre-pulling base images for hermetic builds and base-arch verification (see 0.9.4):
  • Also pulls images referenced in COPY --from=$image and RUN --mount=from=$image.
    Previously, would only pull images referenced as FROM $image.
  • Does not pull images for unused stages (unless SKIP_UNUSED_STAGES=false).
  • Will skip image references with transports that don't
    represent pullable images. Specifically, will only pull transport-less references
    and docker:// references. Previously, the task would skip oci-archive: references
    but fail on any other kind of non-standard reference.
• Modifying the containerfile to set prefetch environment variables in RUN instructions:

  • No longer mangles RUN instructions that use the exec form or a bare here-doc.
    Instead skips the instruction and logs a warning.

    RUN ["echo", "skips exec-form commands"]
    
    RUN <<EOF
    echo "skips bare heredocs"
    EOF
    
    RUN bash -e <<EOF
    echo "supports heredocs if they start with something other than the <<marker"
    EOF

    • This partially fixes #​1200, in the sense that the containerfile at least
      doesn't become broken. The unsupported instructions don't automatically get
      the variables that may be required to make the hermetic build work though.

  • Fixes dozens of small bugs that most users never would have hit. For example,
    version 0.10:

    • Doesn't mangle heredoc lines that look line RUN instructions
    • Doesn't inject text into the middle of a string with quoted/escaped whitespace
    • Properly handles backtick-escaped containerfiles

v0.9

Fixed

• Validate base image architecture before build. The task now fails if a base image
  doesn't match the host architecture, preventing silent emulation builds.

v0.8

Fixed

• Platform build arguments (BUILDPLATFORM, TARGETPLATFORM) now correctly include CPU variant
  for ARM architectures (e.g., linux/arm/v7 or linux/arm64/v8 instead of just linux/arm
  or linux/arm64).

v0.7

Added

• Started tracking changes in this file.

konflux-ci/build-definitions (quay.io/konflux-ci/tekton-catalog/task-git-clone-oci-ta)

v0.2

• Use git-clone implementation from konflux-build-cli instead of inline Bash.
• Removed gitInitImage (deprecated since 0.1), verbose (replaced by logLevel), and userHome (handled by konflux-build-cli) parameters.
• Added logLevel parameter.

konflux-ci/build-definitions (quay.io/konflux-ci/tekton-catalog/task-init)

v0.4

• Pipeline upgrade: Remove PipelineRun parameter sast-target-dirs with invalid attributes from PipelineRun .spec.params definition

v0.3

• Remove params image-url, rebuild and skip-checks
• Remove task result build

konflux-ci/build-definitions (quay.io/konflux-ci/tekton-catalog/task-prefetch-dependencies-oci-ta)

v0.3

• Added enable-package-registry-proxy parameter to enable use of the package registry proxy when prefetching dependencies.
• Added SERVICE_CA_TRUST_CONFIG_MAP_NAME and SERVICE_CA_TRUST_CONFIG_MAP_KEY parameters to mount the OpenShift service CA for verifying TLS connections to in-cluster services such as the package registry proxy.

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • Between 05:00 AM and 11:59 PM, only on Saturday (* 5-23 * * 6)
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

To execute skipped test pipelines write comment /ok-to-test.

---

Documentation

Find out how to configure dependency updates in MintMaker documentation or see all available configuration options in Renovate documentation.

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: red-hat-konflux-kflux-prd-rh02[bot]
Once this PR has been reviewed and has the lgtm label, please assign maschmid for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[openshift-ci]

Hi @red-hat-konflux-kflux-prd-rh02[bot]. Thanks for your PR.

I'm waiting for a github.com member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[dsimansk]

/ok-to-test

[Kaustubh-pande]

/retest

[rudyredhat1]

/retest serverless-must-gather-136-on-pull-request

[openshift-ci]

@rudyredhat1: The /retest command does not accept any targets.
The following commands are available to trigger required jobs:

/test 414-images

/test 414-operator-e2e

/test 414-test-upgrade

/test 419-images

/test 419-operator-e2e

/test 419-test-upgrade

/test 420-images

/test 420-operator-e2e

/test 420-test-upgrade

The following commands are available to trigger optional jobs:

/test 414-kitchensink-e2e

/test 414-kitchensink-upgrade

/test 414-mesh-e2e

/test 414-mesh-upgrade

/test 414-test-soak

/test 414-ui-e2e

/test 414-upstream-e2e

/test 414-upstream-e2e-kafka

/test 419-kitchensink-e2e

/test 419-kitchensink-upgrade

/test 419-mesh-e2e

/test 419-mesh-upgrade

/test 419-test-soak

/test 419-ui-e2e

/test 419-upstream-e2e

/test 419-upstream-e2e-kafka

/test 420-kitchensink-e2e

/test 420-kitchensink-upgrade

/test 420-mesh-e2e

/test 420-mesh-upgrade

/test 420-test-soak

/test 420-ui-e2e

/test 420-upstream-e2e

/test 420-upstream-e2e-kafka

Details

In response to this:

/retest serverless-must-gather-136-on-pull-request

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[rudyredhat1]

retest "Validate / Generated files are committed"

[rudyredhat1]

/retest