Update registry.access.redhat.com/ubi9/go-toolset Docker tag to v1.26.3-1781070142

[red-hat-konflux-kflux-prd-rh02]

This PR contains the following updates:

Package	Type	Update	Change
registry.access.redhat.com/ubi9/go-toolset	stage	patch	1.26.2-1779959429 → 1.26.3-1781070142

---

Configuration

📅 Schedule: Branch creation - "on monday" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

To execute skipped test pipelines write comment /ok-to-test.

---

Documentation

Find out how to configure dependency updates in MintMaker documentation or see all available configuration options in Renovate documentation.

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign mbrudnoy for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[openshift-ci]

Hi @red-hat-konflux-kflux-prd-rh02[bot]. Thanks for your PR.

I'm waiting for a openshift-hyperfleet member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work.

Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[coderabbitai]

📝 Walkthrough

Summary by CodeRabbit

• Chores
  • Updated build environment base image to a newer version.

Walkthrough

The builder stage FROM directive in the Dockerfile is updated to reference registry.access.redhat.com/ubi9/go-toolset:1.26.3-1781070142, replacing 1.26.2-1779959429. No other Dockerfile instructions, runtime stage references, build arguments, or environment variables are modified.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

---

Supply chain note — CWE-1357 (Reliance on Insufficiently Trustworthy Component), CWE-829 (Inclusion of Functionality from Untrusted Control Sphere):

Verify the new image digest is pinned or matches the expected SHA256 from Red Hat's registry. Floating tags on builder images are a direct supply chain attack vector in CI/CD pipelines (relevant to broader SLSA L2/L3 posture). Confirm 1.26.3-1781070142 corresponds to an officially published Red Hat UBI9 go-toolset build and that the image pull is authenticated in your pipeline — unauthenticated pulls from registry.access.redhat.com can be rate-limited or, under a compromised mirror, substituted (CVE-adjacent to mirror-poisoning vectors). Pinning by digest (@sha256:...) eliminates this class of risk.

---

Important

Pre-merge checks failed

Please resolve all errors before merging. Addressing warnings is optional.

❌ Failed checks (1 error, 1 warning)

Check name	Status	Explanation	Resolution
Sec-02: Secrets In Log Output	❌ Error	Line 53 of test/integration/testcontainer.go logs amqpURL containing embedded credentials as a log field via log.Extra("amqp_url", amqpURL).	Remove amqpURL from log field or redact credentials before logging per CWE-532 (Insertion of Sensitive Information into Log File).
No Pii Or Sensitive Data In Logs	⚠️ Warning	Line 53 of test/integration/testcontainer.go logs AMQP URL with embedded credentials via log.Extra("amqp_url", amqpURL), exposing connection secrets to logs.	Remove amqp_url from Extra() call or redact credentials from the URL before logging to prevent credential exposure.

✅ Passed checks (9 passed)

Check name	Status	Explanation
Title check	✅ Passed	Title directly describes the main change: updating the Docker base image tag to v1.26.3-1781070142.
Description check	✅ Passed	Description documents the Docker image tag update from 1.26.2 to 1.26.3, though it's auto-generated by MintMaker/Renovate.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
No Hardcoded Secrets	✅ Passed	PR updates Docker base image tag only. No hardcoded secrets: API keys, tokens, passwords, private keys, embedded credentials, or suspicious base64 strings detected.
No Weak Cryptography	✅ Passed	PR updates Go toolset Docker tag 1.26.2→1.26.3; codebase contains no weak crypto primitives (MD5, DES, RC4, SHA1 for security), no custom crypto, no non-constant-time comparisons, no ECB mode.
No Injection Vectors	✅ Passed	Dockerfile change only updates base image tag (1.26.2→1.26.3). No SQL concatenation, unsafe exec.Command, template.HTML, or yaml.Unmarshal patterns present. All RUN commands use hardcoded values; b...
No Privileged Containers	✅ Passed	PR only updates Go toolset base image version (1.26.2→1.26.3). No privileged container configurations (privileged: true, hostPID, hostNetwork, hostIPC, SYS_ADMIN, allowPrivilegeEscalation, runAsUse...

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch konflux/mintmaker/main/docker-image-updates

✨ Simplify code

• Create PR with simplified code
• Commit simplified code in branch konflux/mintmaker/main/docker-image-updates

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

Dockerfile (1)

36-36: ⚠️ Potential issue | 🟠 Major

Missing HEALTHCHECK for container liveness.

The runtime stage (line 36 onwards) has no HEALTHCHECK instruction. Kubernetes or other orchestration systems cannot reliably probe container health without an explicit check. Add a HEALTHCHECK that probes the Sentinel service (listening on 8080 per EXPOSE line 47).

Example HEALTHCHECK for Sentinel

 EXPOSE 8080

+HEALTHCHECK --interval=30s --timeout=5s --start-period=10s --retries=3 \
+  CMD curl -f http://localhost:8080/health || exit 1

Also applies to: 49-49

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@Dockerfile` at line 36, The runtime stage in the Dockerfile is missing a
HEALTHCHECK instruction, which prevents orchestration systems from reliably
monitoring container liveness. Add a HEALTHCHECK instruction in the runtime
stage (after the FROM ${BASE_IMAGE} line) that probes the Sentinel service on
port 8080 (as indicated by the EXPOSE instruction). Configure the HEALTHCHECK
with appropriate interval, timeout, and retry settings to enable proper health
monitoring by Kubernetes and other orchestration platforms.

Source: Coding guidelines

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Outside diff comments:
In `@Dockerfile`:
- Line 36: The runtime stage in the Dockerfile is missing a HEALTHCHECK
instruction, which prevents orchestration systems from reliably monitoring
container liveness. Add a HEALTHCHECK instruction in the runtime stage (after
the FROM ${BASE_IMAGE} line) that probes the Sentinel service on port 8080 (as
indicated by the EXPOSE instruction). Configure the HEALTHCHECK with appropriate
interval, timeout, and retry settings to enable proper health monitoring by
Kubernetes and other orchestration platforms.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Central YAML (base), Organization UI (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: ebfd23f4-ef4b-4c56-a868-506af785725f

📥 Commits

Reviewing files that changed from the base of the PR and between 6cb186e and 5685e48.

📒 Files selected for processing (1)

• Dockerfile

🔗 Linked repositories identified

CodeRabbit considers these linked repositories for cross-repo context during reviews:

• openshift-hyperfleet/architecture (manual)
• openshift-hyperfleet/hyperfleet-api (manual)
• openshift-hyperfleet/hyperfleet-sentinel (manual)
• openshift-hyperfleet/hyperfleet-adapter (manual)
• openshift-hyperfleet/hyperfleet-broker (manual)