Update docker image updates to v1.26.4-1782717933

[red-hat-konflux-kflux-prd-rh02]

This PR contains the following updates:

Package	Type	Update	Change
registry.access.redhat.com/ubi9/go-toolset	stage	patch	1.26.3-1781757851 → 1.26.4-1782717933

---

Warning

Some dependencies could not be looked up. Check the warning logs for more information.

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • "on monday"
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

To execute skipped test pipelines write comment /ok-to-test.

---

Documentation

Find out how to configure dependency updates in MintMaker documentation or see all available configuration options in Renovate documentation.

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign mliptak0 for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[openshift-ci]

Hi @red-hat-konflux-kflux-prd-rh02[bot]. Thanks for your PR.

I'm waiting for a openshift-hyperfleet member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work.

Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Central YAML (base), Organization UI (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 9788efac-cec3-4a91-8446-5b303632fafb

📥 Commits

Reviewing files that changed from the base of the PR and between 959295f and db27fba.

📒 Files selected for processing (1)

• Dockerfile

🔗 Linked repositories identified

CodeRabbit considers these linked repositories for cross-repo context during reviews:

• openshift-hyperfleet/architecture (manual)
• openshift-hyperfleet/hyperfleet-api (manual)
• openshift-hyperfleet/hyperfleet-sentinel (manual) → reviewed against open PR #203 konflux/mintmaker/main/docker-image-updates instead of the default branch
• openshift-hyperfleet/hyperfleet-adapter (manual) → reviewed against open PR #217 konflux/mintmaker/main/docker-image-updates instead of the default branch
• openshift-hyperfleet/hyperfleet-broker (manual)

🚧 Files skipped from review as they are similar to previous changes (1)

• Dockerfile

---

📝 Walkthrough

Summary by CodeRabbit

• Chores
  • Updated the build environment to a newer Go toolset base image for the container build process.

Walkthrough

The Dockerfile builder stage base image tag changes from registry.access.redhat.com/ubi9/go-toolset:1.26.3-1781757851 to registry.access.redhat.com/ubi9/go-toolset:1.26.4-1782717933. No other instructions change.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

Supply chain note (CWE-829, CWE-494): This is a mutable tag bump in a CI/CD build surface. Verify the new Red Hat image tag maps to the expected digest in the Red Hat catalog, and prefer @sha256:<digest> pinning to reduce substitution risk.

🚥 Pre-merge checks | ✅ 10 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
No Pii Or Sensitive Data In Logs	⚠️ Warning	CWE-532: pkg/services/{cluster,node_pool}.go logs caller; pkg/auth/context.go defaults identity to email, so audit logs can expose email addresses.	Redact or omit caller identity from logs, or map it to a non-PII opaque ID before logging; keep email only in protected audit storage if required.

✅ Passed checks (10 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title matches the Dockerfile stage image tag bump.
Description check	✅ Passed	The description is directly related to the image dependency update in the PR.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Sec-02: Secrets In Log Output	✅ Passed	Only Dockerfile changed; diff is a base-image tag bump. No log statements with token/password/credential/secret fields or interpolations were introduced.
No Hardcoded Secrets	✅ Passed	Dockerfile only updates the base image; no apiKey/secret/token/password literals, embedded creds, or long base64 blobs were introduced (CWE-798/321).
No Weak Cryptography	✅ Passed	Only the Dockerfile builder image tag changed; no weak-crypto primitives or non-constant-time secret comparisons were added (CWE-327/CWE-326 not implicated).
No Injection Vectors	✅ Passed	Dockerfile-only image bump; no CWE-89/78/79/502 sinks or user-controlled code paths were introduced.
No Privileged Containers	✅ Passed	No privileged flags found in deployable manifests; Dockerfile's USER root is builder-stage only and justified, final runtime runs as 65532:65532 (CWE-250).

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch konflux/mintmaker/main/docker-image-updates

✨ Simplify code

• Create PR with simplified code
• Commit simplified code in branch konflux/mintmaker/main/docker-image-updates

---

_{Comment @coderabbitai help to get the list of available commands.}

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@Dockerfile`:
- Line 3: The builder stage base image is still referenced by a mutable tag, so
update the FROM line in the Dockerfile to use an immutable digest-pinned
reference instead of
registry.access.redhat.com/ubi9/go-toolset:1.26.3-1782377916. Keep the builder
stage name the same, but replace the tag with the corresponding `@sha256`: digest
so the toolchain used by the builder cannot change unexpectedly.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Central YAML (base), Organization UI (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 89083f0b-4898-40e7-a35c-970849f15a2f

📥 Commits

Reviewing files that changed from the base of the PR and between 43c0474 and 959295f.

📒 Files selected for processing (1)

• Dockerfile

🔗 Linked repositories identified

CodeRabbit considers these linked repositories for cross-repo context during reviews:

• openshift-hyperfleet/architecture (manual)
• openshift-hyperfleet/hyperfleet-api (manual)
• openshift-hyperfleet/hyperfleet-sentinel (manual)
• openshift-hyperfleet/hyperfleet-adapter (manual)
• openshift-hyperfleet/hyperfleet-broker (manual)

[coderabbitai]

🔒 Security & Privacy | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "== Dockerfile =="
cat -n Dockerfile

echo
echo "== tekton refs =="
rg -n "Dockerfile|go-toolset|ubi9/go-toolset|buildah|kaniko" .tekton .github . 2>/dev/null | head -n 200

Repository: openshift-hyperfleet/hyperfleet-api

Length of output: 6385

---

Pin the builder base image by digest.
registry.access.redhat.com/ubi9/go-toolset:1.26.3-1782377916 is still mutable, so a tag retarget can change the toolchain used to compile this binary under the same commit (CWE-494). Replace it with an immutable @sha256: reference.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@Dockerfile` at line 3, The builder stage base image is still referenced by a
mutable tag, so update the FROM line in the Dockerfile to use an immutable
digest-pinned reference instead of
registry.access.redhat.com/ubi9/go-toolset:1.26.3-1782377916. Keep the builder
stage name the same, but replace the tag with the corresponding `@sha256`: digest
so the toolchain used by the builder cannot change unexpectedly.

Source: Path instructions