Skip to content

Update registry.redhat.io/ubi9/ubi-minimal Docker digest to 44bc70e release-1.3#2066

Merged
kannon92 merged 1 commit into
release-1.3from
konflux/mintmaker/release-1.3/registry.redhat.io-ubi9-ubi-minimal
Jun 26, 2026
Merged

Update registry.redhat.io/ubi9/ubi-minimal Docker digest to 44bc70e release-1.3#2066
kannon92 merged 1 commit into
release-1.3from
konflux/mintmaker/release-1.3/registry.redhat.io-ubi9-ubi-minimal

Conversation

@red-hat-konflux

@red-hat-konflux red-hat-konflux Bot commented Jun 23, 2026

Copy link
Copy Markdown
Contributor

This PR contains the following updates:

Package Type Update Change
registry.redhat.io/ubi9/ubi-minimal final digest 1bc3c5c44bc70e

Configuration

📅 Schedule: (UTC)

  • Branch creation
    • At any time (no schedule defined)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.


  • If you want to rebase/retry this PR, check this box

To execute skipped test pipelines write comment /ok-to-test.


Documentation

Find out how to configure dependency updates in MintMaker documentation or see all available configuration options in Renovate documentation.

@red-hat-konflux red-hat-konflux Bot added approved Indicates a PR has been approved by an approver from all required OWNERS files. lgtm Indicates that a PR is ready to be merged. labels Jun 23, 2026
@coderabbitai

coderabbitai Bot commented Jun 23, 2026

Copy link
Copy Markdown

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 91547cca-d524-49ec-9c4b-08bba2341d70

📥 Commits

Reviewing files that changed from the base of the PR and between 45a8d28 and bd77069.

📒 Files selected for processing (3)
  • Dockerfile
  • Dockerfile.kueue
  • must-gather/Dockerfile
✅ Files skipped from review due to trivial changes (1)
  • Dockerfile.kueue

Walkthrough

Three Dockerfiles update their runtime-stage registry.redhat.io/ubi9/ubi-minimal base image to a new pinned SHA256 digest. No other instructions change.

Changes

UBI9 minimal base image digest bump

Layer / File(s) Summary
Runtime base image digests
Dockerfile, Dockerfile.kueue, must-gather/Dockerfile
Each final-stage FROM registry.redhat.io/ubi9/ubi-minimal@sha256:... reference is updated to a new pinned SHA256 digest.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

Possibly related PRs

Suggested reviewers

  • MaysaMacedo
🚥 Pre-merge checks | ✅ 15
✅ Passed checks (15 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title accurately summarizes the digest update for registry.redhat.io/ubi9/ubi-minimal across the Dockerfiles.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names ✅ Passed PR only updates Dockerfile digests; no test files or Ginkgo titles were changed, so no unstable test names are introduced.
Test Structure And Quality ✅ Passed PR only changes three Dockerfiles; no Ginkgo/spec/test files were modified, so the test-quality check is not applicable.
Microshift Test Compatibility ✅ Passed Diff only updates three Dockerfile base-image digests; no Ginkgo e2e tests or MicroShift-relevant APIs were added.
Single Node Openshift (Sno) Test Compatibility ✅ Passed Only Dockerfile digest pins changed; no new or modified Ginkgo tests or SNO-relevant test logic were added.
Topology-Aware Scheduling Compatibility ✅ Passed Only Dockerfile base-image digest pins changed; no manifests, controllers, or scheduling/topology constraints were introduced.
Ote Binary Stdout Contract ✅ Passed PR only updates Dockerfile image digests; no process-level Go/test code was changed, so no new stdout contract violation is introduced.
Ipv6 And Disconnected Network Test Compatibility ✅ Passed PASS: The PR only bumps Dockerfile base-image digests; no new Ginkgo e2e tests or network-dependent test code were added.
No-Weak-Crypto ✅ Passed Only Docker base-image digests changed; no MD5/SHA1/DES/RC4/3DES/Blowfish/ECB, custom crypto, or secret comparisons were introduced.
Container-Privileges ✅ Passed PR only bumps ubi-minimal digests in Dockerfiles; no manifest privilege settings like privileged/hostNetwork/allowPrivilegeEscalation are introduced.
No-Sensitive-Data-In-Logs ✅ Passed Only Dockerfile digest pins changed; no logging code or sensitive strings appeared in the modified files.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch konflux/mintmaker/release-1.3/registry.redhat.io-ubi9-ubi-minimal

Comment @coderabbitai help to get the list of available commands.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🧹 Nitpick comments (4)
Dockerfile (1)

6-29: 📐 Maintainability & Code Quality | 🔵 Trivial | ⚖️ Poor tradeoff

Consider adding a HEALTHCHECK directive.

As per path instructions for Dockerfiles, a HEALTHCHECK should be defined to enable container runtime health monitoring. This is a pre-existing gap but would improve production reliability.

HEALTHCHECK --interval=30s --timeout=3s --start-period=5s --retries=3 \
  CMD ["/usr/bin/health-check-command"]
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@Dockerfile` around lines 6 - 29, The Dockerfile is missing a HEALTHCHECK
directive which is required for container runtime health monitoring. Add a
HEALTHCHECK instruction after the USER directive (which sets the user to 1001)
that defines the health check interval, timeout, start period, and retry count.
The healthcheck command should reference an appropriate health check executable
or script path that can validate the operator is running correctly within the
container.

Source: Path instructions

must-gather/Dockerfile (2)

3-21: 🔒 Security & Privacy | 🔵 Trivial | ⚡ Quick win

Add a USER directive to avoid running as root.

As per path instructions, containers should run as non-root. This Dockerfile lacks a USER directive, meaning the container runs as root (UID 0). This is a pre-existing security gap that should be addressed.

🔒 Proposed fix to run as non-root user
 COPY must-gather/collection-scripts/gather /usr/bin/gather
 COPY must-gather/collection-scripts/gather-kueue /usr/bin/gather-kueue

 # RUN chmod +x /gather /gather-kueue.sh
 RUN chmod +x /usr/bin/gather /usr/bin/gather-kueue

+USER 65532:65532
+
 # ENTRYPOINT /usr/bin/gather
 # ENTRYPOINT ["/gather"]
 CMD ["/bin/bash", "/usr/bin/gather"]
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@must-gather/Dockerfile` around lines 3 - 21, The Dockerfile is missing a USER
directive, which means the container will run as root (UID 0) by default,
creating a security vulnerability. Add a USER directive before the CMD
instruction at the end of the Dockerfile to specify a non-root user to run the
container. The USER directive should reference a valid non-root user that exists
in the UBI9 minimal base image (such as a numeric UID or a standard unprivileged
user available in the base image).

Source: Path instructions


3-39: 📐 Maintainability & Code Quality | 🔵 Trivial | ⚖️ Poor tradeoff

Consider adding a HEALTHCHECK directive.

As per path instructions for Dockerfiles, a HEALTHCHECK should be defined. While must-gather is typically a short-lived diagnostic container, adding a health check would align with the container security standards. This is a pre-existing gap.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@must-gather/Dockerfile` around lines 3 - 39, Add a HEALTHCHECK directive to
the Dockerfile to align with container security standards. Insert the
HEALTHCHECK instruction after the CMD directive that sets up the container entry
point. The health check should verify the availability of the must-gather
container, for example by checking if the gather binary is accessible or
responding to basic diagnostic commands. This will ensure the container adheres
to recommended Dockerfile best practices even though must-gather is typically
short-lived.

Source: Path instructions

Dockerfile.kueue (1)

12-45: 📐 Maintainability & Code Quality | 🔵 Trivial | ⚖️ Poor tradeoff

Consider adding a HEALTHCHECK directive.

As per path instructions for Dockerfiles, a HEALTHCHECK should be defined. For the Kueue manager, a health check could probe readiness/liveness endpoints if available. This is a pre-existing gap.

HEALTHCHECK --interval=30s --timeout=3s --start-period=10s --retries=3 \
  CMD ["/manager", "health-check"] || exit 1
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@Dockerfile.kueue` around lines 12 - 45, The Dockerfile lacks a HEALTHCHECK
directive which is recommended for container health monitoring. Add a
HEALTHCHECK directive after the ENTRYPOINT definition that specifies appropriate
interval, timeout, start-period, and retries parameters. The health check
command should probe the manager service's health status by calling an
appropriate health-check endpoint or command that validates the /manager process
is running and healthy.

Source: Path instructions

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Nitpick comments:
In `@Dockerfile`:
- Around line 6-29: The Dockerfile is missing a HEALTHCHECK directive which is
required for container runtime health monitoring. Add a HEALTHCHECK instruction
after the USER directive (which sets the user to 1001) that defines the health
check interval, timeout, start period, and retry count. The healthcheck command
should reference an appropriate health check executable or script path that can
validate the operator is running correctly within the container.

In `@Dockerfile.kueue`:
- Around line 12-45: The Dockerfile lacks a HEALTHCHECK directive which is
recommended for container health monitoring. Add a HEALTHCHECK directive after
the ENTRYPOINT definition that specifies appropriate interval, timeout,
start-period, and retries parameters. The health check command should probe the
manager service's health status by calling an appropriate health-check endpoint
or command that validates the /manager process is running and healthy.

In `@must-gather/Dockerfile`:
- Around line 3-21: The Dockerfile is missing a USER directive, which means the
container will run as root (UID 0) by default, creating a security
vulnerability. Add a USER directive before the CMD instruction at the end of the
Dockerfile to specify a non-root user to run the container. The USER directive
should reference a valid non-root user that exists in the UBI9 minimal base
image (such as a numeric UID or a standard unprivileged user available in the
base image).
- Around line 3-39: Add a HEALTHCHECK directive to the Dockerfile to align with
container security standards. Insert the HEALTHCHECK instruction after the CMD
directive that sets up the container entry point. The health check should verify
the availability of the must-gather container, for example by checking if the
gather binary is accessible or responding to basic diagnostic commands. This
will ensure the container adheres to recommended Dockerfile best practices even
though must-gather is typically short-lived.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: b11f6551-3f2a-4649-938f-696aef413b38

📥 Commits

Reviewing files that changed from the base of the PR and between 02c1b5b and 1acada9.

📒 Files selected for processing (3)
  • Dockerfile
  • Dockerfile.kueue
  • must-gather/Dockerfile

@red-hat-konflux red-hat-konflux Bot force-pushed the konflux/mintmaker/release-1.3/registry.redhat.io-ubi9-ubi-minimal branch from 1acada9 to 45a8d28 Compare June 24, 2026 15:47
@openshift-ci openshift-ci Bot removed the lgtm Indicates that a PR is ready to be merged. label Jun 24, 2026
@red-hat-konflux red-hat-konflux Bot force-pushed the konflux/mintmaker/release-1.3/registry.redhat.io-ubi9-ubi-minimal branch from 45a8d28 to 563c996 Compare June 25, 2026 14:28
@red-hat-konflux red-hat-konflux Bot changed the title chore(deps): update registry.redhat.io/ubi9/ubi-minimal docker digest to 8501432 release-1.3 chore(deps): update registry.redhat.io/ubi9/ubi-minimal docker digest to 44bc70e release-1.3 Jun 25, 2026
@coderabbitai

coderabbitai Bot commented Jun 25, 2026

Copy link
Copy Markdown

Caution

Failed to replace (edit) comment. This is likely due to insufficient permissions or the comment being deleted.

Error details
{}

@kannon92

Copy link
Copy Markdown
Contributor

/lgtm

@openshift-ci openshift-ci Bot added the lgtm Indicates that a PR is ready to be merged. label Jun 25, 2026
@kannon92

Copy link
Copy Markdown
Contributor

/retest

…elease-1.3

Signed-off-by: red-hat-konflux <126015336+red-hat-konflux[bot]@users.noreply.github.com>
@red-hat-konflux red-hat-konflux Bot force-pushed the konflux/mintmaker/release-1.3/registry.redhat.io-ubi9-ubi-minimal branch from 563c996 to bd77069 Compare June 25, 2026 21:29
@red-hat-konflux red-hat-konflux Bot changed the title chore(deps): update registry.redhat.io/ubi9/ubi-minimal docker digest to 44bc70e release-1.3 Update registry.redhat.io/ubi9/ubi-minimal Docker digest to 44bc70e release-1.3 Jun 25, 2026
@openshift-ci openshift-ci Bot removed the lgtm Indicates that a PR is ready to be merged. label Jun 25, 2026
@openshift-ci

openshift-ci Bot commented Jun 25, 2026

Copy link
Copy Markdown

[APPROVALNOTIFIER] This PR is APPROVED

Approval requirements bypassed by manually added approval.

This pull-request has been approved by: red-hat-konflux[bot]

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@kannon92

Copy link
Copy Markdown
Contributor

/lgtm

@openshift-ci openshift-ci Bot added the lgtm Indicates that a PR is ready to be merged. label Jun 26, 2026
@openshift-merge-bot

Copy link
Copy Markdown
Contributor

/retest-required

Remaining retests: 0 against base HEAD 76eb76a and 2 for PR HEAD bd77069 in total

@openshift-ci

openshift-ci Bot commented Jun 26, 2026

Copy link
Copy Markdown

@red-hat-konflux[bot]: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name Commit Details Required Rerun command
ci/prow/upgrade-from-4.18-e2e-upgrade-4-18-to-4-19-kueue-1-3 bd77069 link false /test upgrade-from-4.18-e2e-upgrade-4-18-to-4-19-kueue-1-3

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

@kannon92 kannon92 merged commit ff871c1 into release-1.3 Jun 26, 2026
24 of 25 checks passed
@red-hat-konflux red-hat-konflux Bot deleted the konflux/mintmaker/release-1.3/registry.redhat.io-ubi9-ubi-minimal branch June 26, 2026 21:21
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

approved Indicates a PR has been approved by an approver from all required OWNERS files. lgtm Indicates that a PR is ready to be merged.

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant