
LCORE-858: konflux: update tasks versions#895

Merged
tisnik merged 1 commit into lightspeed-core:main from raptorsun:konflux-task-1 on Dec 9, 2025

Conversation


@raptorsun raptorsun commented Dec 9, 2025

Description

This PR resolves the EC issues of trusted_task.trusted and tasks.required_untrusted_task_found.

  ✕ [Violation] tasks.required_untrusted_task_found
    ImageRef: quay.io/redhat-user-workloads/lightspeed-core-tenant/lightspeed-stack@sha256:616cd1e1ecb1a880b6faac279e534c25ffc01c874fa879d24c1a244fa0fc6f89
    Reason: Required task "sast-unicode-check-oci-ta" is required and present but not from a trusted task
    Term: sast-unicode-check-oci-ta
    Title: All required tasks are from trusted tasks
    Description: Ensure that the all required tasks are resolved from trusted tasks. To exclude this rule add
    "tasks.required_untrusted_task_found:sast-unicode-check-oci-ta" to the `exclude` section of the policy configuration.
    Solution: Make sure all required tasks in the build pipeline are resolved from trusted tasks.
  
  ✕ [Violation] trusted_task.trusted
    ImageRef: quay.io/redhat-user-workloads/lightspeed-core-tenant/lightspeed-stack@sha256:616cd1e1ecb1a880b6faac279e534c25ffc01c874fa879d24c1a244fa0fc6f89
    Reason: Untrusted version of PipelineTask "coverity-availability-check" (Task "coverity-availability-check") was included in
    build chain comprised of: coverity-availability-check. Please upgrade the task version to:
    sha256:36400873d3031df128c55aa71ee11d322c3e55fd8f13dc5779098fbc117c0aa3
    Term: coverity-availability-check
    Title: Tasks are trusted
    Description: Check the trust of the Tekton Tasks used in the build Pipeline. There are two modes in which trust is verified. The
    first mode is used if Trusted Artifacts are enabled. In this case, a chain of trust is established for all the Tasks involved in
    creating an artifact. If the chain contains an untrusted Task, then a violation is emitted. The second mode is used as a
    fallback when Trusted Artifacts are not enabled. In this case, **all** Tasks in the build Pipeline must be trusted. To exclude
    this rule add "trusted_task.trusted:coverity-availability-check" to the `exclude` section of the policy configuration.
    Solution: If using Trusted Artifacts, be sure every Task in the build Pipeline responsible for producing a Trusted Artifact is
    trusted. Otherwise, ensure **all** Tasks in the build Pipeline are trusted. Note that trust is eventually revoked from Tasks
    when newer versions are made available.

Type of change

  • Refactor
  • New feature
  • Bug fix
  • CVE fix
  • Optimization
  • Documentation Update
  • Configuration Update
  • Bump-up service version
  • Bump-up dependent library
  • Bump-up library or tool used for development (does not change the final image)
  • CI configuration change
  • Konflux configuration change
  • Unit tests improvement
  • Integration tests improvement
  • End to end tests improvement

Tools used to create PR

Identify any AI code assistants used in this PR (for transparency and review context)

  • Assisted-by: (e.g., Claude, CodeRabbit, Ollama, etc., N/A if not used)
  • Generated by: (e.g., tool name and version; N/A if not used)

Related Tickets & Documents

  • Related Issue #
  • Closes #

Checklist before requesting a review

  • I have performed a self-review of my code.
  • PR has passed all pre-merge test jobs.
  • If it is a core feature, I have added thorough tests.

Testing

  • Please provide detailed steps to perform tests related to this code change.
  • How were the fix/results from this change verified? Please provide relevant screenshots or results.

Summary by CodeRabbit

  • Chores
    • Updated internal CI/CD pipeline infrastructure to maintain build system compatibility and reliability.


Signed-off-by: Haoyu Sun <hasun@redhat.com>

coderabbitai bot commented Dec 9, 2025

Walkthrough

Updated Tekton task bundle image digest references across two pipeline configuration files (.tekton/lightspeed-stack-pull-request.yaml and .tekton/lightspeed-stack-push.yaml) with new SHA256 values. Task names, bundle field structure, and control flow remain unchanged; only image digest values were modified.

Changes

Cohort / File(s) Change Summary
Tekton Pipeline Image Digest Updates
.tekton/lightspeed-stack-pull-request.yaml, .tekton/lightspeed-stack-push.yaml
Updated bundle image SHA256 digests across multiple Tekton task references (pull-request and push pipelines). Task structures, names, and control flow remain intact.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~5 minutes

  • Verify that all image digest updates point to valid, trusted container image repositories
  • Confirm that the new digests correspond to expected Tekton task versions
  • Check that no task names or structure were inadvertently modified

Suggested reviewers

  • tisnik

Pre-merge checks and finishing touches

✅ Passed checks (3 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title accurately reflects the main change—updating Tekton task bundle image digests across Konflux pipeline configurations to resolve enforcement-check violations and ensure tasks use trusted versions.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

📜 Recent review details

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 4269f0b and b82db2f.

📒 Files selected for processing (2)
  • .tekton/lightspeed-stack-pull-request.yaml (7 hunks)
  • .tekton/lightspeed-stack-push.yaml (7 hunks)
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (6)
  • GitHub Check: build-pr
  • GitHub Check: Konflux kflux-prd-rh02 / lightspeed-stack-on-pull-request
  • GitHub Check: E2E: server mode / ci
  • GitHub Check: E2E: library mode / azure
  • GitHub Check: E2E: server mode / azure
  • GitHub Check: E2E: library mode / ci
🔇 Additional comments (4)
.tekton/lightspeed-stack-push.yaml (3)

500-509: ✓ coverity-availability-check digest matches recommended upgrade.

The updated digest for coverity-availability-check on line 506 (sha256:36400873d3031df128c55aa71ee11d322c3e55fd8f13dc5779098fbc117c0aa3) aligns with the EC policy recommendation in the PR objectives to resolve the trusted_task.trusted violation.


320-340: Task bundle digests updated consistently across the pipeline.

All deprecated-base-image-check, sast-snyk-check, sast-coverity-check, sast-shell-check, sast-unicode-check, and rpms-signature-scan task references have been updated with new SHA256 digests. The changes maintain consistency with the pull-request pipeline file and all tasks reference official Konflux registry paths, which is appropriate for trusted task resolution.


541-566: Verify sast-unicode-check-oci-ta digest resolves the trusted task requirement.

The sast-unicode-check-oci-ta task on line 558 was updated to address the tasks.required_untrusted_task_found EC violation. Ensure this new digest (sha256:e5a8d3e8e7be7246a1460385b95c084ea6e8fe7520d40fe4389deb90f1bf5176) is available from the trusted Konflux catalog and that it resolves the enforcement check.

.tekton/lightspeed-stack-pull-request.yaml (1)

501-517: ✓ Pull-request pipeline digest updates are consistent with push pipeline.

The task bundle digests in the pull-request pipeline (lines 336, 416, 488, 509, 535, 561, 623) match the corresponding updates in the push pipeline file. This ensures both pipelines resolve the same EC violations and use the same trusted task versions.


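The two EC rules quoted in the PR description (trusted_task.trusted and tasks.required_untrusted_task_found) and the three review items in CodeRabbit's checklist above reduce to one check over the bundle references in the .tekton/*.yaml files: every bundles-resolver taskRef must be pinned by a sha256 digest, come from the Konflux task catalog, and resolve to a version that is still trusted. The following is an added example written for this page, not code from lightspeed-stack, Konflux or Enterprise Contract. It assumes the catalog path quay.io/konflux-ci/tekton-catalog/, the tags 0.2/0.3/0.4, a constructed trusted-task table (only the two digests quoted in the PR are real), and uses the labels trusted_task.pinned and tasks.missing_required_task for the two outcomes the page does not name. It deliberately matches the YAML with a regex so it runs without PyYAML.

```python
"""Hypothetical checker mirroring the EC rules quoted in this PR: each
bundles-resolver taskRef must be digest-pinned, from the Konflux catalog,
and at a trusted version. Not lightspeed-stack, Konflux or EC code."""
import re
from dataclasses import dataclass

TRUSTED_REGISTRY = "quay.io/konflux-ci/tekton-catalog/"  # assumed catalog path

# Stand-in for EC's trusted-task data: task name -> newest trusted digest.
# The first two digests are the ones quoted in the PR; the third is constructed.
TRUSTED = {
    "coverity-availability-check":
        "sha256:36400873d3031df128c55aa71ee11d322c3e55fd8f13dc5779098fbc117c0aa3",
    "sast-unicode-check-oci-ta":
        "sha256:e5a8d3e8e7be7246a1460385b95c084ea6e8fe7520d40fe4389deb90f1bf5176",
    "sast-snyk-check-oci-ta": "sha256:" + "ab" * 32,
}
REQUIRED = {"sast-unicode-check-oci-ta", "sast-snyk-check-oci-ta"}  # constructed subset

# "name"/"bundle" params of a bundles-resolver taskRef, in the order Konflux
# writes them; a regex instead of a YAML parser so this runs without PyYAML.
TASKREF_RE = re.compile(
    r"- name: name\s+value: (?P<task>\S+)\s+- name: bundle\s+value: (?P<bundle>\S+)")
# repo[:tag][@sha256:<64 hex>]; the lazy repo group tolerates registry ports (host:5000).
BUNDLE_RE = re.compile(
    r"^(?P<repo>[^@\s]+?)(?::(?P<tag>[^@/\s]+))?(?:@(?P<digest>sha256:[0-9a-f]{64}))?$")


@dataclass
class Violation:
    rule: str   # EC rule id where the page names one, otherwise my own label
    task: str
    reason: str


def task_refs(pipeline_yaml):
    """Return (task name, bundle reference) pairs found in the pipeline text."""
    return [(m["task"], m["bundle"]) for m in TASKREF_RE.finditer(pipeline_yaml)]


def check_pipeline(pipeline_yaml):
    """Fallback mode of trusted_task.trusted: *all* tasks in the pipeline must be trusted."""
    violations, seen = [], set()
    for task, bundle in task_refs(pipeline_yaml):
        seen.add(task)
        m = BUNDLE_RE.match(bundle)
        if not m or not m["digest"]:   # tag-only refs are mutable, so never trusted
            violations.append(Violation("trusted_task.pinned", task,
                                        f"bundle {bundle!r} is not pinned by a sha256 digest"))
            continue
        if not m["repo"].startswith(TRUSTED_REGISTRY):
            violations.append(Violation("trusted_task.trusted", task,
                                        f"repository {m['repo']!r} is not a trusted task source"))
            continue
        expected = TRUSTED.get(task)
        if m["digest"] != expected:    # trust is revoked from older digests over time
            rule = ("tasks.required_untrusted_task_found" if task in REQUIRED
                    else "trusted_task.trusted")
            hint = f"; please upgrade the task version to {expected}" if expected else ""
            violations.append(Violation(rule, task, f"untrusted version {m['digest']}{hint}"))
    for task in sorted(REQUIRED - seen):
        violations.append(Violation("tasks.missing_required_task", task,
                                    "required task is not in the pipeline"))
    return violations


OLD_UNICODE_DIGEST = "sha256:" + "0123456789abcdef" * 4   # constructed pre-bump digest

# Constructed PipelineRun fragment in the shape of .tekton/lightspeed-stack-push.yaml:
# one trusted task, one required task at a stale digest, one unpinned task.
SAMPLE_PIPELINE = f"""\
spec:
  pipelineSpec:
    tasks:
    - name: coverity-availability-check
      taskRef:
        params:
        - name: name
          value: coverity-availability-check
        - name: bundle
          value: {TRUSTED_REGISTRY}task-coverity-availability-check:0.2@{TRUSTED['coverity-availability-check']}
    - name: sast-unicode-check
      taskRef:
        params:
        - name: name
          value: sast-unicode-check-oci-ta
        - name: bundle
          value: {TRUSTED_REGISTRY}task-sast-unicode-check-oci-ta:0.3@{OLD_UNICODE_DIGEST}
    - name: sast-snyk-check
      taskRef:
        params:
        - name: name
          value: sast-snyk-check-oci-ta
        - name: bundle
          value: {TRUSTED_REGISTRY}task-sast-snyk-check-oci-ta:0.4
"""

if __name__ == "__main__":
    for v in check_pipeline(SAMPLE_PIPELINE):
        print(f"[Violation] {v.rule}: {v.task}: {v.reason}")
```

Run against the constructed sample it reports the stale sast-unicode-check-oci-ta digest as tasks.required_untrusted_task_found with the upgrade hint, exactly the shape of the message in the PR description, and flags the unpinned snyk reference; after substituting the trusted digests it reports nothing. In a real repo, replace TRUSTED with the digests from the Konflux trusted-task data EC consumes, and run the check over both the pull-request and push pipelines so they cannot drift apart, which is the consistency point CodeRabbit's last comment makes.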

@tisnik tisnik merged commit 69d27b9 into lightspeed-core:main Dec 9, 2025
21 of 25 checks passed