Bug
Resolution: Unresolved
Major
4.21.0
Description of problem:
The Konflux tag pipeline for HyperShift fails enterprise contract validation with the following violation:
Pre-Build-Script task runner image "registry.access.redhat.com/ubi10/ubi:10.0-1753787353@sha256:d68f8048fb1ef6eece6dc93173173a1746f5f29014e4ef1c9da39572392a8acf" is not in the SBOM
**Violation Code**: `pre_build_script_task.pre_build_script_task_runner_image_in_sbom`
Version-Release number of selected component (if applicable):
n/a
How reproducible:
100%
Steps to Reproduce:
1. Create a tag in the openshift/hypershift repository (e.g., `v0.1.69`)
2. Konflux automatically triggers the tag pipeline (`.tekton/hypershift-operator-main-tag.yaml`)
3. The pipeline runs the `extract-tag` task which uses `run-script-oci-ta` with a script runner image
Actual results:
4. The enterprise contract validation fails because the script runner image is not included in the SBOM
Expected results:
The enterprise contract validation passes and a release is generated.
Additional info:
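A local pre-check for the condition this violation describes, as an added example that is not part of the original report and not the Enterprise Contract policy's own code: it looks for the runner image's digest among the OCI package URLs of a CycloneDX or SPDX JSON SBOM. The function names and the sample SBOMs are constructed for illustration, and matching by digest is an assumption about what "in the SBOM" means for this rule.

```python
import re
from urllib.parse import unquote

# Image reference copied from the violation message in this report.
RUNNER_IMAGE = ("registry.access.redhat.com/ubi10/ubi:10.0-1753787353"
                "@sha256:d68f8048fb1ef6eece6dc93173173a1746f5f29014e4ef1c9da39572392a8acf")
RUNNER_DIGEST = RUNNER_IMAGE.split("@", 1)[1]

def image_digest(ref):
    """Return the sha256 digest of a digest-pinned image reference, else None."""
    m = re.search(r"@(sha256:[0-9a-f]{64})$", ref)
    return m.group(1) if m else None

def sbom_purls(sbom):
    """Collect package URLs from a CycloneDX or SPDX 2.x JSON document (as a dict)."""
    purls, stack = [], list(sbom.get("components", []))    # CycloneDX components
    while stack:
        comp = stack.pop()
        purls.append(comp.get("purl", ""))
        stack.extend(comp.get("components", []))            # nested components
    for pkg in sbom.get("packages", []):                    # SPDX packages
        purls += [r.get("referenceLocator", "") for r in pkg.get("externalRefs", [])
                  if r.get("referenceType") == "purl"]
    return purls

def image_in_sbom(ref, sbom):
    """True if some OCI purl in the SBOM carries the image's digest."""
    digest = image_digest(ref)
    if digest is None:
        raise ValueError("image reference is not pinned by digest: " + ref)
    # purl versions may percent-encode the colon (sha256%3A...), so decode first.
    return any(p.startswith("pkg:oci/") and "@" + digest in unquote(p)
               for p in sbom_purls(sbom))

# Constructed sample SBOMs (not taken from the failing pipeline run).
OTHER = "sha256:" + "ab" * 32   # constructed digest standing in for the built image
SBOM_WITHOUT_RUNNER = {"bomFormat": "CycloneDX", "components": [
    {"type": "container", "name": "built-image", "purl": "pkg:oci/built-image@" + OTHER}]}
SBOM_WITH_RUNNER = {"bomFormat": "CycloneDX", "components": [
    {"type": "container", "name": "built-image", "purl": "pkg:oci/built-image@" + OTHER,
     "components": [{"type": "container", "name": "ubi", "purl":
         "pkg:oci/ubi@" + RUNNER_DIGEST.replace(":", "%3A")
         + "?repository_url=registry.access.redhat.com/ubi10/ubi"}]}]}
SBOM_SPDX = {"spdxVersion": "SPDX-2.3", "packages": [{"name": "ubi", "externalRefs": [
    {"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
     "referenceLocator": "pkg:oci/ubi@" + RUNNER_DIGEST}]}]}

if __name__ == "__main__":
    print(image_in_sbom(RUNNER_IMAGE, SBOM_WITHOUT_RUNNER))
```

To use it on a real build, load the SBOM attached to the image with `json.load` and pass the resulting dict to `image_in_sbom` in place of the constructed samples.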