Uploaded image for project: 'OpenShift Bugs'
  1. OpenShift Bugs
  2. OCPBUGS-67233

HyperShift Konflux pipeline tasks are outdated and failing enterprise contract validation

XMLWordPrintable

    • None
    • False
    • Hide

      None

      Show
      None
    • None
    • None
    • None
    • None
    • Rejected
    • None
    • None
    • None
    • None
    • None
    • None
    • None
    • None

      Description

      The HyperShift Konflux build pipelines are using outdated Tekton task versions that fail enterprise contract validation. The buildah-remote-oci-ta task (version 0.5) became unsupported as of 2025-12-11, causing enterprise contract violations. Additionally, 9 other tasks have newer versions available.

      Version-Release number of selected component (if applicable)

      Affects Konflux pipelines

      Steps to Reproduce

        1. Trigger an enterprise contract validation for any HyperShift operator build
          2. Observe the validation failures

      Actual results

      Enterprise contract validation fails with:
      _ _VIOLATION*: buildah-remote-oci-ta task version 0.5 is unsupported (expired 2025-12-11)
      _ _WARNINGS*: 9 additional tasks have newer versions available (apply-tags, build-image-index, clair-scan, ecosystem-cert-preflight-checks, git-clone-oci-ta, init, prefetch-dependencies-oci-ta, push-dockerfile-oci-ta, rpms-signature-scan)

      Expected results

      All Tekton tasks should be using supported versions that pass enterprise contract validation.

      Additional info

      Tasks requiring update:

      Task Current Version Latest Version Type
      buildah-remote-oci-ta 0.5 0.7 VERSION BUMP (CRITICAL)
      apply-tags 0.2 (old digest) 0.2 (new digest) digest update
      build-image-index 0.1 (old digest) 0.1 (new digest) digest update
      clair-scan 0.3 (old digest) 0.3 (new digest) digest update
      ecosystem-cert-preflight-checks 0.2 (old digest) 0.2 (new digest) digest update
      git-clone-oci-ta 0.1 (old digest) 0.1 (new digest) digest update
      init 0.2 (old digest) 0.2 (new digest) digest update
      prefetch-dependencies-oci-ta 0.2 (old digest) 0.2 (new digest) digest update
      push-dockerfile-oci-ta 0.1 (old digest) 0.1 (new digest) digest update
      rpms-signature-scan 0.2 (old digest) 0.2 (new digest) digest update

      Migration notes for buildah-remote-oci-ta 0.5 to 0.7:

      • v0.6: Introduces Contextual SBOM feature - no action required
      • v0.7: INHERIT_BASE_IMAGE_LABELS default changed, but v0.7.1 reverted this - no action required

      _Affected file:_

      • .tekton/pipelines/common-operator-build.yaml

              asegurap1@redhat.com Antoni Segura Puimedon
              asegurap1@redhat.com Antoni Segura Puimedon
              None
              None
              Yu Li Yu Li
              None
              Votes:
              0 Vote for this issue
              Watchers:
              3 Start watching this issue

                Created:
                Updated: