.github/workflows/check-buildah-remote.yaml

@@ -9,7 +9,7 @@ jobs:
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683   # v4
       - name: Install Go
-        uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed   # v5
+        uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a   # v5
         with:
           go-version-file: './task-generator/remote/go.mod'
       - name: Check buildah remote

.github/workflows/go-ci.yaml

@@ -18,7 +18,7 @@ jobs:
           go-version-file: './${{matrix.path}}/go.mod'
           cache-dependency-path: ./${{matrix.path}}/go.sum
       - name: golangci-lint
-        uses: golangci/golangci-lint-action@0e1fd32b0c0584f0d28eec08848dfd2bf6a909d9
+        uses: golangci/golangci-lint-action@2f13b8027d5e60ac6e32b086a0dc4d2ae4cb3f77
         with:
           working-directory: ${{matrix.path}}
           args: "--timeout=10m --build-tags='normal periodic'"
@@ -84,7 +84,7 @@ jobs:
           # we let the report trigger content trigger a failure using the GitHub Security features.
           args: '-tags normal,periodic -no-fail -fmt sarif -out results.sarif ${{matrix.path}}/...'
       - name: Upload SARIF file
-        uses: github/codeql-action/upload-sarif@6f9e628e6f9a18c785dd746325ba455111df1b67
+        uses: github/codeql-action/upload-sarif@5b6e617dc0241b2d60c2bccea90c56b67eceb797
         with:
           # Path to SARIF file relative to the root of the repository
           sarif_file: results.sarif

.github/workflows/run-task-tests.yaml

@@ -60,7 +60,7 @@ jobs:
         with:
           repository: 'konflux-ci/konflux-ci'
           path: konflux-ci
-          ref: 13c9f7f0f90d615249c8d4d67a18c919b7bb3d95
+          ref: d75f101479361f078a862d21bc8bb82cf6d265d5
 
       - name: Create k8s Kind Cluster
         if: steps.tasks-to-be-tested.outputs.tasklist != ''

.tekton/push.yaml

@@ -148,6 +148,11 @@ spec:
                 value: "$(params.revision)"
               - name: GIT_URL
                 value: "$(params.git-url)"
+              - name: GITHUB_TOKEN
+                valueFrom:
+                  secretKeyRef:
+                    name: "{{ git_auth_secret }}"
+                    key: "git-provider-token"
               script: |
                 #!/bin/bash
                 set -euo pipefail

.tekton/scripts/build-acceptable-bundles.sh

@@ -7,10 +7,14 @@ set -o pipefail
 DATA_BUNDLE_REPO="${DATA_BUNDLE_REPO:-quay.io/konflux-ci/tekton-catalog/data-acceptable-bundles}"
 mapfile -t BUNDLES < <(cat "$@")
 
+pr_number=$(gh search prs --repo konflux-ci/build-definitions --merged "${REVISION}" --json number --jq '.[].number')
+
+# changed files in a PR
+mapfile -t changed_files < <(gh pr view "https://github.com/konflux-ci/build-definitions/pull/${pr_number}" --json files --jq '.files.[].path')
 # store a list of changed task files
 task_records=()
 # loop over all changed files
-for path in $(git log -m -1 --name-only --pretty="format:" "${REVISION}"); do
+for path in "${changed_files[@]}"; do
     # check that the file modified is the task file
     if [[ "${path}" == task/*/*/*.yaml ]]; then
         IFS='/' read -r -a path_array <<< "${path}"
@@ -30,6 +34,11 @@ printf '%s\n' "${task_records[@]}"
 echo "Bundles to be added:"
 printf '%s\n' "${BUNDLES[@]}"
 
+if [[ -z ${task_records[*]} && -z ${BUNDLES[*]} ]]; then
+    echo Nothing to do...
+    exit 0
+fi
+
 # The OPA data bundle is tagged with the current timestamp. This has two main
 # advantages. First, it prevents the image from accidentally not having any tags,
 # and getting garbage collected. Second, it helps us create a timeline of the

.tekton/scripts/create-task-pipeline-bundle-repos.sh

@@ -47,7 +47,7 @@ locate_in_all_namespaces() {
                 --arg description "" \
                 '$ARGS.named'
             )
-            if ! err_msg=$(curl --oauth2-bearer "${QUAY_TOKEN}" "https://quay.io/api/v1/repository" --json "$payload" | jq '.error_message // empty');
+            if ! err_msg=$(curl --oauth2-bearer "${QUAY_TOKEN}" "https://quay.io/api/v1/repository" --data-binary "$payload" -H "Content-Type: application/json" -H "Accept: application/json" | jq '.error_message // empty');
             then
               echo "curl returned an error when creating the repository. See the error above."
               exit 1

.tekton/tasks/e2e-test.yaml

@@ -30,7 +30,7 @@ spec:
       type: string
   steps:
     - name: e2e-test
-      image: quay.io/redhat-user-workloads/konflux-qe-team-tenant/konflux-e2e/konflux-e2e-tests:a666fc1761e539cb9ea4f411edc1346430c774ae
+      image: quay.io/redhat-user-workloads/konflux-qe-team-tenant/konflux-e2e/konflux-e2e-tests:20c1bfce4c79ae2fa14265923df95e120679f6ec
       command: ["/konflux-e2e/konflux-e2e.test"]
       # a la infra-deployment updates, when PRs merge in e2e-tests, PRs will be opened
       # against build-definitions to update this tag

CODEOWNERS

@@ -48,18 +48,24 @@
 /task/tkn-bundle                    @konflux-ci/ec
 /task/tkn-bundle-oci-ta             @konflux-ci/ec
 /task/verify-enterprise-contract    @konflux-ci/ec
+/pipelines/enterprise-contract.yaml @konflux-ci/ec
 /.tekton/tasks/ec-checks.yaml       @konflux-ci/ec
 
 # renovate groupName=integration
-/task/clair-scan                      @konflux-ci/integration-service-maintainers
-/task/clamav-scan                     @konflux-ci/integration-service-maintainers
-/task/deprecated-image-check          @konflux-ci/integration-service-maintainers
-/task/fbc-related-image-check         @konflux-ci/integration-service-maintainers
-/task/fbc-target-index-pruning-check  @konflux-ci/integration-service-maintainers
-/task/fbc-validation                  @konflux-ci/integration-service-maintainers
-/task/inspect-image                   @konflux-ci/integration-service-maintainers
-/task/sbom-json-check                 @konflux-ci/integration-service-maintainers
-/task/validate-fbc                    @konflux-ci/integration-service-maintainers
+/task/clair-scan                                @konflux-ci/integration-service-maintainers
+/task/clamav-scan                               @konflux-ci/integration-service-maintainers
+/task/deprecated-image-check                    @konflux-ci/integration-service-maintainers
+/task/fbc-fips-check                            @konflux-ci/integration-service-maintainers
+/task/fbc-fips-check-oci-ta                     @konflux-ci/integration-service-maintainers
+/task/fbc-related-image-check                   @konflux-ci/integration-service-maintainers
+/task/fbc-target-index-pruning-check            @konflux-ci/integration-service-maintainers
+/task/fbc-validation                            @konflux-ci/integration-service-maintainers
+/task/inspect-image                             @konflux-ci/integration-service-maintainers
+/task/sbom-json-check                           @konflux-ci/integration-service-maintainers
+/task/validate-fbc                              @konflux-ci/integration-service-maintainers
+/task/fips-operator-bundle-check                @konflux-ci/integration-service-maintainers
+/task/fips-operator-bundle-check-oci-ta         @konflux-ci/integration-service-maintainers
+/stepactions/fips-operator-check-step-action    @konflux-ci/integration-service-maintainers
 
 # renovate groupName=integration
 /task/coverity-availability-check           @konflux-ci/integration-service-maintainers @kdudka
@@ -76,10 +82,8 @@
 # renovate groupName=preflight
 /task/ecosystem-cert-preflight-checks   @acornett21 @bcrochet @komish @skattoju
 
-# renovate groupName=eaas
+# maitained in tekton-tools, thus should be ignored by renovate
 /task/provision-env-with-ephemeral-namespace    @amisstea @avi-biton @gbenhaim @omeramsc @yftacherzog
-
-# renovate groupName=rpm-tasks
 /task/generate-odcs-compose @amisstea @avi-biton @gbenhaim @yftacherzog
 /task/rpms-signature-scan   @amisstea @avi-biton @gbenhaim @yftacherzog
 /task/verify-signed-rpms    @amisstea @avi-biton @gbenhaim @yftacherzog
@@ -112,6 +116,9 @@
 /task/oci-copy          @ralphbean
 /task/oci-copy-oci-ta   @ralphbean
 
+# renovate groupName=buildpack
+/task/build-paketo-builder-oci-ta @cmoulliard
+
 # These are auto-generated and often require changes when tasks change.
 # Allow anyone with write access to approve the changes.
 /pipelines/*/README.md

appstudio-utils/Dockerfile

@@ -10,6 +10,10 @@ RUN curl -L https://github.com/open-policy-agent/conftest/releases/download/v0.3
 RUN curl -L https://github.com/enterprise-contract/ec-cli/releases/download/snapshot/ec_linux_amd64 -o /usr/bin/ec && chmod +x /usr/bin/ec && ec version
 RUN curl -L https://github.com/cli/cli/releases/download/v2.60.1/gh_2.60.1_linux_amd64.tar.gz | tar -xz  -C /usr/bin --wildcards "gh_*/bin/gh" --strip-components=2 --no-same-owner
 
+# 1.2.0 is the minimum required version
+RUN curl -L https://github.com/oras-project/oras/releases/download/v1.2.1/oras_1.2.1_linux_amd64.tar.gz | \
+    tar -xz --no-same-owner -C /usr/bin oras
+
 RUN dnf -y --setopt=tsflags=nodocs install \
     git \
     skopeo \