Update docker image updates to v9.8-1782717933

[red-hat-konflux-kflux-prd-rh02]

This PR contains the following updates:

Package	Type	Update	Change
registry.access.redhat.com/ubi9/go-toolset	stage	patch	9.8-1781757851 → 9.8-1782717933

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • "on monday"
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

To execute skipped test pipelines write comment /ok-to-test.

---

Documentation

Find out how to configure dependency updates in MintMaker documentation or see all available configuration options in Renovate documentation.

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign rh-amarin for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[openshift-ci]

Hi @red-hat-konflux-kflux-prd-rh02[bot]. Thanks for your PR.

I'm waiting for a openshift-hyperfleet member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work.

Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[coderabbitai]

📝 Walkthrough

Walkthrough

The builder stage base image in the Dockerfile is updated from ubi9/go-toolset:9.8-1781757851 to ubi9/go-toolset:9.8-1782717933. No other instructions are modified.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

---

Supply chain note (CWE-829, CWE-494): Tag-pinned images are not digest-pinned. 9.8-1782717933 is a mutable tag — confirm via podman manifest inspect that the resolved digest matches an expected, signed RHEL UBI image before merging. Any build-time image substitution in the registry propagates directly into the compiled adapter binary shipped to the cluster.

🚥 Pre-merge checks | ✅ 11

✅ Passed checks (11 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title is clearly related to the Docker base image version bump in the builder stage.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Sec-02: Secrets In Log Output	✅ Passed	PASS: PR only changes Dockerfile; no non-test/example log statements with token/password/credential/secret were found (CWE-532).
No Hardcoded Secrets	✅ Passed	Dockerfile only updates a base image tag; no API keys, tokens, passwords, embedded creds, or long base64 literals were present. CWE-798 not triggered.
No Weak Cryptography	✅ Passed	Dockerfile-only image-tag bump; no md5/des/rc4, SHA1-for-security, ECB, or secret-comparison code found (CWE-327/CWE-208).
No Injection Vectors	✅ Passed	PR only retags the Docker builder base image; no SQL/exec/template/yaml sinks or user-controlled input paths changed (CWE-89/78/79/502).
No Privileged Containers	✅ Passed	PASS: PR only bumps the builder base-image tag; no new privileged/host* settings, SYS_ADMIN, or root runtime. Existing USER root is build-only and justified; no CWE-250/269 issue.
No Pii Or Sensitive Data In Logs	✅ Passed	PASS: PR only updates the Dockerfile builder image tag; no log statements or sensitive-data logging changes are present. CWE-532 not implicated.
Description check	✅ Passed	The description matches the Dockerfile base image patch update shown in the diff.

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch konflux/mintmaker/main/docker-image-updates

✨ Simplify code

• Create PR with simplified code
• Commit simplified code in branch konflux/mintmaker/main/docker-image-updates

---

_{Comment @coderabbitai help to get the list of available commands.}

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@Dockerfile`:
- Line 3: The builder image reference in the Dockerfile is still tag-based and
should be pinned by digest. Update the FROM instruction for the builder stage to
use a digest-pinned image reference instead of
registry.access.redhat.com/ubi9/go-toolset:9.8-1782717933, so the build uses a
fixed immutable image and remains reproducible.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Central YAML (base), Organization UI (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 3be6476c-e698-494a-892e-c443af7259fd

📥 Commits

Reviewing files that changed from the base of the PR and between 04dbbc3 and e92dabd.

📒 Files selected for processing (1)

• Dockerfile

🔗 Linked repositories identified

CodeRabbit considers these linked repositories for cross-repo context during reviews:

• openshift-hyperfleet/architecture (manual)
• openshift-hyperfleet/hyperfleet-api (manual) → reviewed against open PR #258 konflux/mintmaker/main/docker-image-updates instead of the default branch
• openshift-hyperfleet/hyperfleet-sentinel (manual) → reviewed against open PR #203 konflux/mintmaker/main/docker-image-updates instead of the default branch
• openshift-hyperfleet/hyperfleet-adapter (manual)
• openshift-hyperfleet/hyperfleet-broker (manual)

[coderabbitai]

🔒 Security & Privacy | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

printf '\n== Dockerfile ==\n'
cat -n Dockerfile | sed -n '1,40p'

printf '\n== FROM lines ==\n'
rg -n '^FROM\s' Dockerfile

printf '\n== digest references in repo ==\n'
rg -n '`@sha256`:|go-toolset:' -S . || true

Repository: openshift-hyperfleet/hyperfleet-adapter

Length of output: 2022

---

Dockerfile:3 — Pin the builder image by digest. registry.access.redhat.com/ubi9/go-toolset:9.8-1782717933 is still a mutable tag; use a digest-pinned reference to prevent supply-chain drift and keep the build reproducible (CWE-494, CWE-345).

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@Dockerfile` at line 3, The builder image reference in the Dockerfile is still
tag-based and should be pinned by digest. Update the FROM instruction for the
builder stage to use a digest-pinned image reference instead of
registry.access.redhat.com/ubi9/go-toolset:9.8-1782717933, so the build uses a
fixed immutable image and remains reproducible.

Source: Path instructions