Update registry.redhat.io/openshift4/ose-must-gather-rhel9 Docker digest to 7658453 release-1.4 #2076

Merged: openshift-merge-bot[bot] merged 1 commit into release-1.4 from konflux/mintmaker/release-1.4/registry.redhat.io-openshift4-ose-must-gather-rhel9 on Jun 26, 2026

@red-hat-konflux red-hat-konflux Bot commented Jun 23, 2026

This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| registry.redhat.io/openshift4/ose-must-gather-rhel9 | stage | digest | 058e4cf → 7658453 |

Configuration

📅 Schedule: (UTC)

  • Branch creation
    • At any time (no schedule defined)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.


  • If you want to rebase/retry this PR, check this box

To execute skipped test pipelines write comment /ok-to-test.


Documentation

Find out how to configure dependency updates in MintMaker documentation or see all available configuration options in Renovate documentation.

coderabbitai Bot commented Jun 23, 2026

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

  • @coderabbitai resume to resume automatic reviews.
  • @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

  • ▶️ Resume reviews
  • 🔍 Trigger review

Walkthrough

The builder stage base image digest in must-gather/Dockerfile is updated to a new pinned SHA256 digest for registry.redhat.io/openshift4/ose-must-gather-rhel9. No other Dockerfile instructions change.

Changes

Must-gather image pin update

| Layer / File(s) | Summary |
|---|---|
| Builder digest bump: must-gather/Dockerfile | The builder stage FROM line updates the pinned digest for registry.redhat.io/openshift4/ose-must-gather-rhel9; all following Dockerfile instructions remain unchanged. |

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

Possibly related PRs

Suggested labels

lgtm

Suggested reviewers

  • MaysaMacedo

🚥 Pre-merge checks | ✅ 15

✅ Passed checks (15 passed)

| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title clearly matches the change: it describes updating the must-gather image digest on release-1.4. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Stable And Deterministic Test Names | ✅ Passed | PR only updates must-gather/Dockerfile image digest; no Ginkgo tests or test titles were added or modified. |
| Test Structure And Quality | ✅ Passed | PR only updates the must-gather Docker image digest; no Ginkgo test code or test behavior is changed, so the checklist is not applicable. |
| Microshift Test Compatibility | ✅ Passed | Only must-gather/Dockerfile changed; no new Ginkgo e2e tests or MicroShift-unsafe APIs were added. |
| Single Node Openshift (Sno) Test Compatibility | ✅ Passed | Only must-gather/Dockerfile changed; no Ginkgo/e2e tests were added or modified, so the SNO check is not applicable. |
| Topology-Aware Scheduling Compatibility | ✅ Passed | Only the must-gather builder image digest changed; no replicas, affinity, node selectors, tolerations, or topology-aware scheduling code were added. |
| Ote Binary Stdout Contract | ✅ Passed | Only the must-gather Dockerfile digest changed; no process-level code or stdout writes were modified. |
| Ipv6 And Disconnected Network Test Compatibility | ✅ Passed | Only must-gather/Dockerfile digest changed; no Ginkgo e2e tests or network assumptions were added. |
| No-Weak-Crypto | ✅ Passed | Only change is a Dockerfile base-image sha256 digest; no MD5/SHA1/DES/RC4/3DES/Blowfish/ECB, custom crypto, or secret comparisons found. |
| Container-Privileges | ✅ Passed | PR only updates the must-gather base image digest; the Dockerfile adds no privileged, host*, SYS_ADMIN, or privilege-escalation settings. |
| No-Sensitive-Data-In-Logs | ✅ Passed | Only change is a Dockerfile base-image digest update; no logging code or sensitive literals were added in the modified file. |

✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch konflux/mintmaker/release-1.4/registry.redhat.io-openshift4-ose-must-gather-rhel9

Comment @coderabbitai help to get the list of available commands.

@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@must-gather/Dockerfile`:
- Around line 1-2: The Dockerfile lacks a USER directive, which means the
container will run as root by default. Add a USER directive with a non-root user
(such as `nobody`, `1000`, or another dedicated application user) before the
final CMD statement at the end of the Dockerfile to ensure the container runs
with appropriate security constraints and least privilege access.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 123816f1-0350-44b3-bc18-52a593155921

📥 Commits

Reviewing files that changed from the base of the PR and between e4fc8dc and 5c3b3c6.

📒 Files selected for processing (1)
  • must-gather/Dockerfile

Comment thread must-gather/Dockerfile
Comment on lines +1 to 2
FROM registry.redhat.io/openshift4/ose-must-gather-rhel9@sha256:765845321663c5fa696ea049cbbd4a4f1328bae2de268b5273408fd284ca7169 as builder
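
Review bot: on the FROM line, `as builder` is lowercase while `FROM` is uppercase; BuildKit's build checks warn on mismatched keyword casing (FromAsCasing), so write `AS builder`. The reference is also digest-only with no tag, so the release behind the new sha256 value cannot be read from the Dockerfile; putting the tag ahead of the digest (`name:<tag>@sha256:...`) or adding a comment that names the release would let a reviewer see what this bump moves to.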

🔒 Security & Privacy | 🔴 Critical

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Description: Check for USER directive in the Dockerfile

# Check for any USER directives in the file
rg -n '^USER\s+' must-gather/Dockerfile

# Also show the full Dockerfile structure to see all stages
cat -n must-gather/Dockerfile

Repository: openshift/kueue-operator

Length of output: 2015


Add USER directive with non-root user to final stage.

The Dockerfile is missing a USER directive. Containers default to running as root when no USER is specified. As per path instructions, add a USER command with a non-root user (e.g., nobody, 1000, or a dedicated application user) before the final CMD statement at line 21.

🧰 Tools
🪛 Trivy (0.69.3)

[error] 1-1: Image user should not be 'root'

Specify at least 1 USER command in Dockerfile with non-root user as argument

Rule: DS-0002

Learn more

(IaC/Dockerfile)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@must-gather/Dockerfile` around lines 1 - 2, The Dockerfile lacks a USER
directive, which means the container will run as root by default. Add a USER
directive with a non-root user (such as `nobody`, `1000`, or another dedicated
application user) before the final CMD statement at the end of the Dockerfile to
ensure the container runs with appropriate security constraints and least
privilege access.

Sources: Path instructions, Linters/SAST tools
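
The check behind the finding above, as an added example (not CodeRabbit's, Trivy's or the repository's code): what counts is the USER in effect at the end of the final stage, so a grep that matches any USER line can be satisfied by a builder-stage USER that never reaches the shipped image. The sample Dockerfile, registry names and function names are constructed for illustration.

```python
import re

def parse_stages(text):
    """Return one dict per build stage: base image, stage name, last USER."""
    text = re.sub(r"\\[ \t]*\r?\n", " ", text)  # join line continuations
    stages = []
    for raw in text.splitlines():
        parts = raw.split()
        if not parts or parts[0].startswith("#"):
            continue
        instr = parts[0].upper()
        if instr == "FROM":
            args = [p for p in parts[1:] if not p.startswith("--")]  # drop --platform=
            named = len(args) >= 3 and args[1].upper() == "AS"
            stages.append({"base": args[0].lower(), "user": None,
                           "name": args[2].lower() if named else None})
        elif instr == "USER" and stages and len(parts) > 1:
            stages[-1]["user"] = parts[1]  # a later USER in the same stage wins
    return stages

def effective_user(stages, index):
    """USER in effect at the end of stage `index`, following FROM <earlier stage>."""
    stage = stages[index]
    if stage["user"] is not None:
        return stage["user"]
    for i in range(index):
        if stages[i]["name"] == stage["base"]:
            return effective_user(stages, i)
    return None  # set by an external base image; the file alone cannot say

def final_stage_verdict(text):
    """'non-root', 'root', or 'inherited' (no USER reaches the final stage)."""
    stages = parse_stages(text)
    if not stages:
        raise ValueError("no FROM instruction found")
    user = effective_user(stages, len(stages) - 1)
    if user is None:
        return "inherited"
    return "root" if user.split(":", 1)[0] in ("root", "0") else "non-root"

# Constructed sample (not the repository's Dockerfile): USER appears only in the builder.
SAMPLE = """\
FROM registry.example.com/tools/base@sha256:aaaa AS builder
USER 1001
FROM registry.example.com/runtime/minimal:1.0
COPY --from=builder /out/app /usr/bin/app
CMD ["/usr/bin/app"]
"""
```

`final_stage_verdict(SAMPLE)` returns `inherited`: the image runs as whatever user the external runtime base image sets, which has to be checked on the built image rather than in the Dockerfile.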

@kannon92

Contributor

/retest

@kannon92

Contributor

/lgtm
/approve

@openshift-ci openshift-ci Bot added the lgtm Indicates that a PR is ready to be merged. label Jun 24, 2026

openshift-ci Bot commented Jun 24, 2026

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: kannon92, red-hat-konflux[bot]

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci openshift-ci Bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Jun 24, 2026
@openshift-merge-bot

Contributor

/retest-required

Remaining retests: 0 against base HEAD e4fc8dc and 2 for PR HEAD 5c3b3c6 in total

@openshift-merge-bot

Contributor

/retest-required

Remaining retests: 0 against base HEAD 2472e5c and 1 for PR HEAD 5c3b3c6 in total

@red-hat-konflux red-hat-konflux Bot force-pushed the konflux/mintmaker/release-1.4/registry.redhat.io-openshift4-ose-must-gather-rhel9 branch from 5c3b3c6 to 4fe45c0 Compare June 25, 2026 16:45
@openshift-ci openshift-ci Bot removed the lgtm Indicates that a PR is ready to be merged. label Jun 25, 2026
@red-hat-konflux red-hat-konflux Bot force-pushed the konflux/mintmaker/release-1.4/registry.redhat.io-openshift4-ose-must-gather-rhel9 branch from 4fe45c0 to 7d74a51 Compare June 25, 2026 21:28
@kannon92

Contributor

/lgtm

@openshift-ci openshift-ci Bot added the lgtm Indicates that a PR is ready to be merged. label Jun 25, 2026
@red-hat-konflux red-hat-konflux Bot force-pushed the konflux/mintmaker/release-1.4/registry.redhat.io-openshift4-ose-must-gather-rhel9 branch from 7d74a51 to 16d6e5b Compare June 26, 2026 00:33
@openshift-ci openshift-ci Bot removed the lgtm Indicates that a PR is ready to be merged. label Jun 26, 2026
@kannon92

Contributor

/lgtm

@openshift-ci openshift-ci Bot added the lgtm Indicates that a PR is ready to be merged. label Jun 26, 2026
@red-hat-konflux red-hat-konflux Bot force-pushed the konflux/mintmaker/release-1.4/registry.redhat.io-openshift4-ose-must-gather-rhel9 branch from 16d6e5b to e944f0f Compare June 26, 2026 05:27
@openshift-ci openshift-ci Bot removed the lgtm Indicates that a PR is ready to be merged. label Jun 26, 2026
@red-hat-konflux red-hat-konflux Bot force-pushed the konflux/mintmaker/release-1.4/registry.redhat.io-openshift4-ose-must-gather-rhel9 branch 2 times, most recently from 47ead46 to c2c80a7 Compare June 26, 2026 13:20
@kannon92

Contributor

/lgtm

@openshift-ci openshift-ci Bot added the lgtm Indicates that a PR is ready to be merged. label Jun 26, 2026
…est to 7658453 release-1.4

Signed-off-by: red-hat-konflux <126015336+red-hat-konflux[bot]@users.noreply.github.com>
@red-hat-konflux red-hat-konflux Bot force-pushed the konflux/mintmaker/release-1.4/registry.redhat.io-openshift4-ose-must-gather-rhel9 branch from c2c80a7 to fa2e79a Compare June 26, 2026 17:07
@openshift-ci openshift-ci Bot removed the lgtm Indicates that a PR is ready to be merged. label Jun 26, 2026
@kannon92

Contributor

/lgtm

@openshift-ci openshift-ci Bot added the lgtm Indicates that a PR is ready to be merged. label Jun 26, 2026

openshift-ci Bot commented Jun 26, 2026

@red-hat-konflux[bot]: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

| Test name | Commit | Details | Required | Rerun command |
|---|---|---|---|---|
| ci/prow/upgrade-from-4.20-e2e-upgrade-4-20-to-4-21-kueue-1-4 | fa2e79a | link | false | /test upgrade-from-4.20-e2e-upgrade-4-20-to-4-21-kueue-1-4 |
| ci/prow/upgrade-from-4.18-e2e-upgrade-4-18-to-4-19-kueue-1-4 | fa2e79a | link | false | /test upgrade-from-4.18-e2e-upgrade-4-18-to-4-19-kueue-1-4 |
| ci/prow/upgrade-from-4.19-e2e-upgrade-4-19-to-4-20-kueue-1-4 | fa2e79a | link | false | /test upgrade-from-4.19-e2e-upgrade-4-19-to-4-20-kueue-1-4 |

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

@openshift-merge-bot openshift-merge-bot Bot merged commit 4cf6df2 into release-1.4 Jun 26, 2026
20 of 23 checks passed
@red-hat-konflux red-hat-konflux Bot deleted the konflux/mintmaker/release-1.4/registry.redhat.io-openshift4-ose-must-gather-rhel9 branch June 26, 2026 21:23
Labels

approved Indicates a PR has been approved by an approver from all required OWNERS files. lgtm Indicates that a PR is ready to be merged.
