Update Konflux references

[red-hat-konflux-kflux-prd-rh02]

This PR contains the following updates:

Package	Change	Notes
quay.io/konflux-ci/tekton-catalog/task-build-helm-chart-oci-ta (source, changelog)	da89466 → d7c57ad
quay.io/konflux-ci/tekton-catalog/task-build-image-index (source, changelog)	b33bfa8 → 0b4251e
quay.io/konflux-ci/tekton-catalog/task-buildah-oci-ta (source, changelog)	1d63302 → c38fc46
quay.io/konflux-ci/tekton-catalog/task-clair-scan (source, changelog)	8fad4c2 → 312fb4d
quay.io/konflux-ci/tekton-catalog/task-git-clone-oci-ta (source, changelog)	0.1 → 0.2	⚠️migration⚠️
quay.io/konflux-ci/tekton-catalog/task-prefetch-dependencies-oci-ta (source, changelog)	7e84b01 → 92956e7
quay.io/konflux-ci/tekton-catalog/task-push-dockerfile-oci-ta (source, changelog)	7855471 → 581ddbb
quay.io/konflux-ci/tekton-catalog/task-rpms-signature-scan (source, changelog)	c78924d → 65370cc
quay.io/konflux-ci/tekton-catalog/task-sast-shell-check-oci-ta (source, changelog)	e5319fc → fc685d6
quay.io/konflux-ci/tekton-catalog/task-sast-snyk-check-oci-ta (source, changelog)	ba08e3b → 91980bb
quay.io/konflux-ci/tekton-catalog/task-sast-unicode-check-oci-ta (source, changelog)	99cc372 → 5807ffe
quay.io/konflux-ci/tekton-catalog/task-source-build-oci-ta (source, changelog)	8567bb7 → d8115c7

---

Release Notes

konflux-ci/build-definitions (quay.io/konflux-ci/tekton-catalog/task-git-clone-oci-ta)

v0.2

• Use git-clone implementation from konflux-build-cli instead of inline Bash.
• Removed gitInitImage (deprecated since 0.1), verbose (replaced by logLevel), and userHome (handled by konflux-build-cli) parameters.
• Added logLevel parameter.

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • Between 05:00 AM and 11:59 PM, only on Saturday (* 5-23 * * 6)
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

To execute skipped test pipelines write comment /ok-to-test.

---

Documentation

Find out how to configure dependency updates in MintMaker documentation or see all available configuration options in Renovate documentation.

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign ma-hill for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[openshift-ci]

Hi @red-hat-konflux-kflux-prd-rh02[bot]. Thanks for your PR.

I'm waiting for a openshift-hyperfleet member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work.

Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Central YAML (base), Organization UI (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 90c164b9-c788-4f7d-93c0-8b825990be31

📥 Commits

Reviewing files that changed from the base of the PR and between 43c0474 and d710bec.

📒 Files selected for processing (3)

• .tekton/hyperfleet-api-chart-push.yaml
• .tekton/hyperfleet-api-push.yaml
• .tekton/hyperfleet-api-tag.yaml

🔗 Linked repositories identified

CodeRabbit considers these linked repositories for cross-repo context during reviews:

• openshift-hyperfleet/architecture (manual)
• openshift-hyperfleet/hyperfleet-api (manual)
• openshift-hyperfleet/hyperfleet-sentinel (manual) → reviewed against open PR #199 konflux/references/main instead of the default branch
• openshift-hyperfleet/hyperfleet-adapter (manual) → reviewed against open PR #212 konflux/references/main instead of the default branch
• openshift-hyperfleet/hyperfleet-broker (manual)

---

📝 Walkthrough

Summary by CodeRabbit

• Chores
  • Updated several pinned build and security-check components used by the release pipelines.
  • No pipeline steps, parameters, or workflow behavior were changed.
  • These updates help keep the build process aligned with the latest approved component versions.

Walkthrough

Updated pinned Tekton bundle digests in .tekton/hyperfleet-api-chart-push.yaml, .tekton/hyperfleet-api-push.yaml, and .tekton/hyperfleet-api-tag.yaml. Pipeline structure, task order, parameters, and workspaces were unchanged. CWE-829, CWE-345.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

🚥 Pre-merge checks | ✅ 11

✅ Passed checks (11 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title matches the main change: updating Konflux task references in Tekton pipelines.
Description check	✅ Passed	The description directly lists the Konflux task reference updates reflected in the diff.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Sec-02: Secrets In Log Output	✅ Passed	No log statements in the changed Tekton YAMLs; only secret: workspace refs. No CWE-532 secret-in-log finding.
No Hardcoded Secrets	✅ Passed	No hardcoded credentials: these Tekton YAML changes only update OCI bundle digests; no literal apiKey/secret/token/password assignments or embedded creds (CWE-798).
No Weak Cryptography	✅ Passed	PASS: Diff only updates Tekton OCI bundle SHA256 digests in .tekton/*.yaml; no md5/des/rc4/SHA1/ECB or secret comparisons. No CWE-327/CWE-208 issue.
No Injection Vectors	✅ Passed	PASS: Diff vs main only updates Tekton task bundle digests in 3 .tekton YAML files; targeted scans found no exec.Command, SQL fmt.Sprintf, template.HTML, or yaml.Unmarshal sinks (CWE-89/78/79/502).
No Privileged Containers	✅ Passed	PASS: Only task bundle digests changed; no explicit privileged:true, hostPID/Network/IPC, allowPrivilegeEscalation, runAsUser:0, or USER root (CWE-250).
No Pii Or Sensitive Data In Logs	✅ Passed	PASS: No logging statements expose PII; search found only a printf writing a Tekton result, and no slog/logr/zap/fmt.Print* or echo logs in changed files. CWE-532 not triggered.

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch konflux/references/main

✨ Simplify code

• Create PR with simplified code
• Commit simplified code in branch konflux/references/main

---

_{Comment @coderabbitai help to get the list of available commands.}