Skip to content

NO-ISSUE: Bump the docker-dependencies group across 1 directory with 2 updates#671

Open
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/docker/docker-dependencies-89fea4dddc
Open

NO-ISSUE: Bump the docker-dependencies group across 1 directory with 2 updates#671
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/docker/docker-dependencies-89fea4dddc

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Feb 2, 2026

Copy link
Copy Markdown
Contributor

Bumps the docker-dependencies group with 2 updates in the / directory: ubi9/go-toolset and ubi9/ubi-minimal.

Updates ubi9/go-toolset from 1.25 to 9.8

Updates ubi9/ubi-minimal from 6fc28bc to ae09ecc

Summary by CodeRabbit

  • Chores
    • Updated base images for improved compatibility and stability.

@dependabot @github

dependabot Bot commented on behalf of github Feb 2, 2026

Copy link
Copy Markdown
Contributor Author

Labels

The following labels could not be found: dependabot, docker. Please create them before Dependabot can add them to a pull request.

Please fix the above issues or remove invalid values from dependabot.yml.

@openshift-ci-robot

Copy link
Copy Markdown

Pipeline controller notification
This repo is configured to use the pipeline controller. Second-stage tests will be triggered either automatically or after lgtm label is added, depending on the repository configuration. The pipeline controller will automatically detect which contexts are required and will utilize /test Prow commands to trigger the second stage.

For optional jobs, comment /test ? to see a list of all defined jobs. To trigger manually all jobs from second stage use /pipeline required command.

This repository is configured in: LGTM mode

@openshift-ci-robot openshift-ci-robot added the jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. label Feb 2, 2026
@openshift-ci-robot

Copy link
Copy Markdown

@dependabot[bot]: This pull request explicitly references no jira issue.

Details

In response to this:

Bumps the docker-dependencies group with 2 updates in the / directory: ubi9/go-toolset and ubi9/ubi-minimal.

Updates ubi9/go-toolset from 1.25 to 9.7

Updates ubi9/ubi-minimal from 6fc28bc to bb08f23

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@openshift-ci openshift-ci Bot added the size/S Denotes a PR that changes 10-29 lines, ignoring generated files. label Feb 2, 2026
@openshift-ci openshift-ci Bot requested review from gamli75 and rccrdpccl February 2, 2026 13:54
@codecov

codecov Bot commented Feb 2, 2026

Copy link
Copy Markdown

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 62.13%. Comparing base (2b81dd8) to head (bf4d3da).
⚠️ Report is 1 commits behind head on main.

Additional details and impacted files

Impacted file tree graph

@@            Coverage Diff             @@
##             main     #671      +/-   ##
==========================================
+ Coverage   61.74%   62.13%   +0.38%     
==========================================
  Files          27       27              
  Lines        1767     1793      +26     
==========================================
+ Hits         1091     1114      +23     
- Misses        510      512       +2     
- Partials      166      167       +1     
🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

@dependabot dependabot Bot force-pushed the dependabot/docker/docker-dependencies-89fea4dddc branch from c14ab93 to 78d0b62 Compare February 9, 2026 13:54
@dependabot dependabot Bot force-pushed the dependabot/docker/docker-dependencies-89fea4dddc branch 3 times, most recently from ffb0c90 to f69938b Compare March 2, 2026 13:17
@dependabot dependabot Bot force-pushed the dependabot/docker/docker-dependencies-89fea4dddc branch from f69938b to 07c0f34 Compare March 30, 2026 13:15
@openshift-ci

openshift-ci Bot commented Mar 30, 2026

Copy link
Copy Markdown

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: dependabot[bot]
Once this PR has been reviewed and has the lgtm label, please assign carbonin for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@dependabot dependabot Bot force-pushed the dependabot/docker/docker-dependencies-89fea4dddc branch from 07c0f34 to 367a326 Compare April 27, 2026 15:10
@coderabbitai

coderabbitai Bot commented Apr 27, 2026

Copy link
Copy Markdown

Walkthrough

Build-stage Go toolset image tags updated to registry.access.redhat.com/ubi9/go-toolset:9.8; registry.access.redhat.com/ubi9/ubi-minimal runtime and packages stages repinned to new sha256 digests in three Dockerfiles. No other Dockerfile instructions were changed.

Changes

Dockerfile base-image and runtime pinning

Layer / File(s) Summary
Build-stage image upgrade
Dockerfile.image-service, Dockerfile.image-service-build, Dockerfile.image-service-mce
golang/builder stage base image changed from registry.access.redhat.com/ubi9/go-toolset:1.25registry.access.redhat.com/ubi9/go-toolset:9.8.
Packages-stage pinning
Dockerfile.image-service-mce
packages stage registry.access.redhat.com/ubi9/ubi-minimal re-pinned to a new sha256 digest.
Runtime-stage pinning
Dockerfile.image-service, Dockerfile.image-service-mce
Final runtime registry.access.redhat.com/ubi9/ubi-minimal re-pinned to a new sha256 digest.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes


Important

Pre-merge checks failed

Please resolve all errors before merging. Addressing warnings is optional.

❌ Failed checks (1 error, 1 warning)

Check name Status Explanation Resolution
Stable And Deterministic Test Names ❌ Error Found 3 Ginkgo tests with dynamic names using string concatenation: lines 224, 285, 333 in integration_test/images_test.go use tc.name and version dict values, violating stable test name requirement. Replace dynamic test names with static descriptive strings; move variable values from test names to test bodies (e.g., assertions/setup comments).
Description check ⚠️ Warning The PR description lacks critical sections required by the template including 'How was this code tested?', assignees, and links sections. Add missing template sections: explain how the Docker image updates were tested, properly assign reviewers using /assign or /cc syntax, link any related issues, and complete the checklist items.
✅ Passed checks (13 passed)
Check name Status Explanation
Title check ✅ Passed The title accurately describes the main change: bumping docker dependencies (ubi9/go-toolset and ubi9/ubi-minimal) across the root directory.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
Test Structure And Quality ✅ Passed This PR only modifies Dockerfiles (base image updates). It contains no Ginkgo test code, so the test quality check is not applicable.
Microshift Test Compatibility ✅ Passed No Ginkgo e2e tests are added or modified in this PR; it only updates Dockerfile base images. The MicroShift compatibility check is not applicable.
Single Node Openshift (Sno) Test Compatibility ✅ Passed This PR only updates Docker base images in three Dockerfiles (no code/test changes). The SNO test compatibility check applies to new Ginkgo e2e tests, which are not present in this PR.
Topology-Aware Scheduling Compatibility ✅ Passed PR only updates Dockerfile base images (ubi9/go-toolset, ubi9/ubi-minimal), not deployment manifests or controller code. No scheduling constraints introduced; check is not applicable.
Ote Binary Stdout Contract ✅ Passed PR only modifies Dockerfile base image references; no process-level stdout writes or OTE binary configuration exists to violate the contract.
Ipv6 And Disconnected Network Test Compatibility ✅ Passed No Ginkgo e2e tests are added in this PR. The changes are Dockerfile base image updates only (go-toolset and ubi-minimal versions/digests), making this check inapplicable.
No-Weak-Crypto ✅ Passed Pull request only updates Docker base image versions/digests with no weak crypto patterns, custom implementations, or insecure comparisons introduced.
Container-Privileges ✅ Passed No flagged privileged settings found in container/K8s manifests. USER 0 present only in build stage; runtime container runs as non-root UID 1001.
No-Sensitive-Data-In-Logs ✅ Passed PR only updates Docker base image versions in Dockerfiles. No logging statements containing sensitive data (passwords, tokens, API keys, PII) are introduced or modified.
✨ Finishing Touches
📝 Generate docstrings
  • Create stacked PR
  • Commit on current branch
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch dependabot/docker/docker-dependencies-89fea4dddc

Comment @coderabbitai help to get the list of available commands and usage tips.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🧹 Nitpick comments (1)
Dockerfile.image-service-build (1)

1-30: Add a non-root USER directive in the final stage.

This Dockerfile currently runs as root at runtime. The final stage (lines 9–29) lacks an explicit non-root user, which weakens the least-privilege posture. Consider adding a USER directive to run the container with reduced privileges.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@Dockerfile.image-service-build` around lines 1 - 30, The final stage runs as
root; create and switch to a non-root user by adding steps after the existing
RUN chmod lines to (1) create a dedicated user/group (e.g., "appuser"), (2) set
a home directory and ensure ownership of GOROOT and GOPATH (use the ENV names
GOROOT and GOPATH), and (3) add a USER appuser directive so the container runs
with reduced privileges; ensure any files/dirs the image needs at runtime are
chown'd to that user before the USER line.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Nitpick comments:
In `@Dockerfile.image-service-build`:
- Around line 1-30: The final stage runs as root; create and switch to a
non-root user by adding steps after the existing RUN chmod lines to (1) create a
dedicated user/group (e.g., "appuser"), (2) set a home directory and ensure
ownership of GOROOT and GOPATH (use the ENV names GOROOT and GOPATH), and (3)
add a USER appuser directive so the container runs with reduced privileges;
ensure any files/dirs the image needs at runtime are chown'd to that user before
the USER line.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 13c3680d-0ae1-4782-8282-2a61c8cd3273

📥 Commits

Reviewing files that changed from the base of the PR and between e35e6a1 and 367a326.

📒 Files selected for processing (3)
  • Dockerfile.image-service
  • Dockerfile.image-service-build
  • Dockerfile.image-service-mce

@dependabot dependabot Bot force-pushed the dependabot/docker/docker-dependencies-89fea4dddc branch from 367a326 to 17639d2 Compare May 4, 2026 15:55
@coderabbitai

coderabbitai Bot commented May 4, 2026

Copy link
Copy Markdown

Caution

Failed to replace (edit) comment. This is likely due to insufficient permissions or the comment being deleted.

Error details
{"name":"HttpError","status":500,"request":{"method":"PATCH","url":"https://api.github.com/repos/openshift/assisted-image-service/issues/comments/4328129957","headers":{"accept":"application/vnd.github.v3+json","user-agent":"octokit.js/0.0.0-development octokit-core.js/7.0.6 Node.js/24","authorization":"token [REDACTED]","content-type":"application/json; charset=utf-8"},"body":{"body":"<!-- This is an auto-generated comment: summarize by coderabbit.ai -->\n<!-- This is an auto-generated comment: review in progress by coderabbit.ai -->\n\n> [!NOTE]\n> Currently processing new changes in this PR. This may take a few minutes, please wait...\n> \n> <details>\n> <summary>⚙️ Run configuration</summary>\n> \n> **Configuration used**: Repository: openshift/coderabbit/.coderabbit.yaml\n> \n> **Review profile**: CHILL\n> \n> **Plan**: Enterprise\n> \n> **Run ID**: `b9e09f01-e195-4b79-806d-048c6d3c0c56`\n> \n> </details>\n> \n> <details>\n> <summary>📥 Commits</summary>\n> \n> Reviewing files that changed from the base of the PR and between 367a326444d25992100cb92009339917fa63aa97 and 17639d2a8a06d815d744a8b82515eaf050ef919b.\n> \n> </details>\n> \n> <details>\n> <summary>📒 Files selected for processing (3)</summary>\n> \n> * `Dockerfile.image-service`\n> * `Dockerfile.image-service-build`\n> * `Dockerfile.image-service-mce`\n> \n> </details>\n> \n> \n\n<!-- end of auto-generated comment: review in progress by coderabbit.ai -->\n\n<!-- walkthrough_start -->\n\n## Walkthrough\n\nThree Dockerfile base images are updated: Go toolset upgraded from version 1.25 to 9.7 across all files, and ubi-minimal runtime images pinned to new digest hashes. No build logic, commands, or application steps were modified.\n\n## Changes\n\n|Cohort / File(s)|Summary|\n|---|---|\n|**Dockerfile Base Image Updates** <br> `Dockerfile.image-service`, `Dockerfile.image-service-build`, `Dockerfile.image-service-mce`|Go toolset stage image upgraded from `:1.25` to `:9.7`. Runtime ubi-minimal base images updated to new pinned digest hashes.|\n\n## Estimated code review effort\n\n🎯 1 (Trivial) | ⏱️ ~3 minutes\n\n<!-- walkthrough_end -->\n\n<!-- pre_merge_checks_walkthrough_start -->\n\n<details>\n<summary>🚥 Pre-merge checks | ✅ 11 | ❌ 1</summary>\n\n### ❌ Failed checks (1 inconclusive)\n\n|     Check name    | Status         | Explanation                                                                                                | Resolution                                                                                                                                                                                                        |\n| :---------------: | :------------- | :--------------------------------------------------------------------------------------------------------- | :---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |\n| Description check | ❓ Inconclusive | The PR description lacks detailed context about the changes and testing approach required by the template. | Add sections explaining the reasoning for these dependency updates, how the changes were tested, and confirm the checklist items (especially unit tests requirement). Verify if documentation updates are needed. |\n\n<details>\n<summary>✅ Passed checks (11 passed)</summary>\n\n|                    Check name                    | Status   | Explanation                                                                                                                                                              |\n| :----------------------------------------------: | :------- | :----------------------------------------------------------------------------------------------------------------------------------------------------------------------- |\n|                    Title check                   | ✅ Passed | The title accurately describes the main change: bumping docker dependencies (go-toolset and ubi-minimal) across the repository.                                          |\n|                Docstring Coverage                | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.                                                               |\n|                Linked Issues check               | ✅ Passed | Check skipped because no linked issues were found for this pull request.                                                                                                 |\n|            Out of Scope Changes check            | ✅ Passed | Check skipped because no linked issues were found for this pull request.                                                                                                 |\n|        Stable And Deterministic Test Names       | ✅ Passed | This PR updates Docker base images in Dockerfiles without modifying any Ginkgo test names or test titles.                                                                |\n|            Test Structure And Quality            | ✅ Passed | PR contains only Dockerfile dependency updates with no Ginkgo test code changes.                                                                                         |\n|           Microshift Test Compatibility          | ✅ Passed | Pull request only modifies Dockerfile base image references and does not add any Ginkgo e2e tests.                                                                       |\n|  Single Node Openshift (Sno) Test Compatibility  | ✅ Passed | Pull request only modifies Dockerfiles to update container base image versions with no Ginkgo e2e tests added.                                                           |\n|      Topology-Aware Scheduling Compatibility     | ✅ Passed | PR contains only Dockerfile modifications updating base image versions and digests for build purposes with no Kubernetes scheduling constraints or deployment manifests. |\n|            Ote Binary Stdout Contract            | ✅ Passed | PR contains only Dockerfile base image version updates with no source code modifications.                                                                                |\n| Ipv6 And Disconnected Network Test Compatibility | ✅ Passed | This PR only modifies Docker base image versions in three Dockerfile files with no new Ginkgo e2e test code added.                                                       |\n\n</details>\n\n<sub>✏️ Tip: You can configure your own custom pre-merge checks in the settings.</sub>\n\n</details>\n\n<!-- pre_merge_checks_walkthrough_end -->\n\n<!-- finishing_touch_checkbox_start -->\n\n<details>\n<summary>✨ Finishing Touches</summary>\n\n<details>\n<summary>🧪 Generate unit tests (beta)</summary>\n\n- [ ] <!-- {\"checkboxId\": \"f47ac10b-58cc-4372-a567-0e02b2c3d479\", \"radioGroupId\": \"utg-output-choice-group-unknown_comment_id\"} -->   Create PR with unit tests\n- [ ] <!-- {\"checkboxId\": \"6ba7b810-9dad-11d1-80b4-00c04fd430c8\", \"radioGroupId\": \"utg-output-choice-group-unknown_comment_id\"} -->   Commit unit tests in branch `dependabot/docker/docker-dependencies-89fea4dddc`\n\n</details>\n\n</details>\n\n<!-- finishing_touch_checkbox_end -->\n\n<!-- tips_start -->\n\n---\n\n\n<!-- review_rate_limit_status_start -->\n<sub>Review rate limit: 8/10 reviews remaining, refill in 8 minutes and 30 seconds.</sub>\n<!-- review_rate_limit_status_end -->\n\n<sub>Comment `@coderabbitai help` to get the list of available commands and usage tips.</sub>\n\n<!-- tips_end -->\n\n<!-- internal state start -->\n\n\n<!-- DwQgtGAEAqAWCWBnSTIEMB26CuAXA9mAOYCmGJATmriQCaQDG+Ats2bgFyQAOFk+AIwBWJBrngA3EsgEBPRvlqU0AgfFwA6NPEgQAfACgjoCEYDEZyAAUASpETZWaCrKPR1AGxJcAcgHkwAEkAZWCAVQBRLgAhR25IXFgSSFp8BgBrSjAlbjIlDAZ4aUgiCnxseLQGMsRkAEYU+ApRAhdIAHd1WEgAJkgK2mpiyAMfRwFKLgA2AHYGkbCbABkuWFxcbkQOAHptoi7sAQ0mZm38XIxEBAAzXG20WqQaWjB4ZjRSMERKCXgGEm23GwHg821m8wMYW+FC4OTyKnwuAA2gJEQBdSAjYLlCj/SACKgFWCwkgXQaou6pDKUbZUzIUbKkvJkQrSMAADgAnNcSGgACy0QUMTEGaDOUi4fGEhjEyDveBYLG4ajYLb8C4imwkX4kdqUNW46q0bgMBgeAA0JTQzA88BmAFYRUsVCQPGrEPAAF4A4KWoRNNDbCRoW0vZo85oFZIjADCzSG9GoXB6AAYelMwGnMz1oHUAMwce0F+1TABaRgAItJqvBuOJ8BgOAYoLFmJsEkkUml6YyySyishSuV4gqO8lmtx8B7WvIyoiOl0Eu18P1uIMaFsDJioId4Jy9oQCPg3SROJBrmVmJA6hoeo6CJBORoZlvdP01Pvd2BmAq3iGuBeLAKKw6iQFM1wMD07ICMKD4zLQfIkHyDrNjAna2Cgg5kMozz4vIVZkgikqYPQAxDMgTAYMqCqUPiDwAkeJ6Sn+pDIFUTAULQCpEB4sgaOYlgxiwbBUcgDhOC4RhQOcZBXPAtxgIUYBlBSPBTrhaA8LWro0QoVFlCCtEYIi8l/NQ8ANlwiTjqSU7qPgbSqsU1labktrkHpuAGV4FAANz2KIDYvIgyqkAk0i4MgnQgviyRefARCkM0iZ4Cw5kMCGvH8HwaC3LRmCQB4RC4FeHguh4KRMhgXEYEQ/BYJR1wJdgVD1hgGhocklFecePmVTQYjIM0ACO2BNHQnkkAAHpF6DVf03zINsG6SlYZTtMB7zVcgD7xYltEud8lH0CFHwkB1ABiDnqm1IaQEIgiIJaAAGy0RZAAD8z2FU8yBKE15D0A9AiIP5r3cNp7k2aN420N9e1JWxMVHUFXyhckwOIB1WqTtODnyKgjXNclKBYEsADi0AALJyoo52oTJlw3LginwMpgjzsZuGJNQY7WHY03cLahS4Fl4aUCyxTGZAABSgQ2AAgphDjJCRpNmtgSj0C5BHwqpCrXA57y3RVAgeN2kCC2Vv61XzGEOQlCqWi5uDLpVfYFPIZEbpAAAUu77kQh74Me3zEfNAfbF+P4YH+HgAJSWmrPOSrr1VEQuMXNIgx5SHp1zC7N2AYF4tR23YqB0OodAdYExFuiutohRNaDBvAZVm8kafkvOJxbbQO2wLzGVYBMpMSPgmT0L8mkYX37CbtukDPQAAnC6eqc0Aj0c9L1r1VPeSs01S8jQu/L/vhGqWwFCkOfq/r4f9ijQ83Rqzfd974/Gcj/8FUfyQe+l89bzmaIzIB39VJminIAr+B8M5XHwBtYAj8WTyAwNaEgegUBEGMs0PSXE2qIAgfA/WuCHLJBQQfNBkAMFsGwUid4D0KAAB8Y4ORYRoLhaJz5qwfqQ+cxcEp4Moagz2tDMEMOAMIihBD1AWQwHoHh/EoBwC6sJdg+JzYZHVh4TWE13LpDYvNcWkZ/g7RXBDNyulureVolSYx9A1pIM2mrJIHhuBJ3mppLmqtUR4HPO3biytsDFA+NoS4kpGZyQUmQIg2x/RUDALaHkDBZBmhIGAIW2B9hYENnwUaEUFFsX8ZKFyKlESAEwCGQJAh6/AcvxZsYBDAGBMFAPI/Brg4AIMQbCrUJrzyolwXg/BhAtEkMUOQCglBUFUOoLQOh9CtPAKohAyBUAFTQKlXp5B+n0EGWeKgG1xLvDaFMpgMyVBqE0NoXQzSjDLNMAYCs3ZKBNS8BoFimToS/H+E2AARICgwFhIAK0CDsnCE0TnOHkPgLpMpMCsVFJ2F51IKDvOSMZDaTk2K0N1LRLU9AAASvMwjRECJySA5MVyMTDigd4YVfbPSDmAWlp4OBPhmM9eO55rouWZceRF30BBjQ8CddGpNm5oHoHC5eLK2WcBvHeZ6tcsDlOLuINg9h0aWlAt7ZynZnrR1/O8Dwwr6L0rOgkFcPjdRaQwIDRorFcCWgnGVQotsXK8G1BZVUy8rhoDvFMZ6WSFSOrKrIWinREjoEaNcCMmiGznUgD4FciIkh8BFe3cVpInquO2paa6HdXRRQlrTLiTUa4POBZYBWHgaCtWKdavmSgzTOHMg2ZAsrBYOVwtdIEZs/iWyovI6QqFU2WympOCgzxASHGFsO8QuB5CtrKo2ztjAh61Qmr7VF9IMX1SyvqmQoraDbAoBqt4yRt7fEtWFUxktEDx0aUsGiFEt2kFoFwAA1D0bYYAehGAiCFP8uELk2R1BtEg8be1cCplXRwBhAX/Kkk8vdbz27nS+V8H4fxMlZrFQCoFIKwUQr2fYRwpzYXwo/WOtR+JT3VLlYK2q31TphSxQtYoz1mj7BCi4LQpppBY2SkPTQJwo4fgPKykOTEOXPm+gqKVMqunPQ4Eq+058EW1WCS5YuMzeLBOpda0Op5IBSAoB6BsXHtYrgvWqzsSnlSGT4IgGsdY5r0AFZK5zZr80D15XwAVZVapKXcrge+Qc3jTsirw+az1mDdlIBgFVKa03WUzae7VubLRkF+GUDAIlJTBgoPAFQpdC18CYNwWQ2wZSJfoObfYwo9T4Ia6ZKtDySP1pwk23anZV3tqIZ0ydMWJr9vnUO9go7EDjqTX7dD6LMN0VvV8yAD6oybsRckBsvFn1GFfeQd922v2QG/XUf9dQgMgeNgMum62fV2ug/ks88GuKIeQ6hsAlZXlLY+dhn5eHvx/KQ8R2t4LkuQpOpRmFI3tNIvo4tg9nGcWrnXHdqiETaI3uSF8tU/LuBVHSGdYhnnAkYIqvZzVyR2PFEQNGmUy9jWx1NRwMqK1vqASvPNiGDqJpcWdc2zA6bKBeO1oagjMy2MSoqKUaVBrkgCpk6ZiLd7khc/M/qBRy8NPwxXM9TlqWJ0i8y9m/zebxSOAXrljA+WGxFfM84Mrnc83XTQNwIWZk2o8CJx8YJzd2yteSO1yttBGkCVBT19dlxm0uUG9HrtXSe0zvG3wAdC7pviDHVAfwPgIgHbfVt7dp3v15n/Xma7mqEzTIg0UKDMGZ1wYQ8wUHKGmktLacOlT3TCCQ/IwcrgRyKMSXkOcumszrkLLuYYTvfd1AAH14AD3n80SDdB5+nRndP4wKzIB5lmGgPM6Y+Qn9oHeTknIeh1BTCmBgAhL8385HmPMF+6gzGuGgKYeY0BoE5DMbfjyUAc+uAi+y+q+de6+HSSyne3q8+AC8+MoogRiG+yoW+SyBgAA3q+P8kgLYNENolPEJKwOwFYOpHQP8gBCGN8OaNgUgH4BZqVoKGQBQeeFQSQDQZiP8g4vFLVEJBZmdIEFRJQBTsEMqDQCwRgQAL4cGQD/LgY2BXLqAADqZQNAa07gosJALBH+J4Mh/yZUIUMYSQGQWoDg9aiALBSIr4mIWBmIdhshiBGQPgmCLB/yGhXgm6SB/yMh9h/yp0uAqoLBXkoSPhdh/yVsmAHaGArh9GS6Hh7ELUQwWUSgbmpWEwg8weESRepAXAIqbYwSdI9i1CBQA4fs8qsmdKaszOccPKVQNQGRD2uM9kAm3h1hYRDWWhXA/y7QzgsctUrR9hnBx8DYTURALUnRrBuhbRnBDsuSIYRhSBzhbArhcRWhbR0hbRthgxchxh6QSxEx/yqK/GwSfBygpAAx2x/hgRVkF67B0xshERGCbUrhE61wxcYgTahs+mpMfM8OE0GKFilswYeiQwXYDAxxtsTA/BpAHUwQ6QtYvOdU3BpWkJ+A0JXUuxGgFxvh2cx4eACirhKh1cYJEJRAyA+SfMbxBQw2P4jwnqSQV4D4iA5kiA1w8gLkUJZxcUsA2csAx4Ye2J7RdMrhPRFAfRRAgpMxpWcxHgCxThLhXRyJ3EFh6xoRWxvhjhexCpshh2U8kAgQtQoS76XhoRnBVxFhNxIR9x4RU6IWURrhcp6Q9g8JHuE0EwGUTktCjcCoepSAKspa+CXx80FJiQqAQIWcJAhSIUWJppshHRIpvR3EkpshsxCo8xux+xrhhidABp/pCstQwmRWKG9hGx9h6pYRmpmZXRfgASsqwQ1WyQRh22xpGQyZfhYh1xCQtxsZNpQskRzxXRjpzpCJbpogWyt60s2Z9AfpRpHQZaQZ9AIZayPAwIlOkZRpmgbZ8ZXRop4pbZqZFOjpVZKZeAfg1w9ZMkTZ26iA+Zi0iARZqpmx1pjx9pXRcAqAGEx6kAi2K2uODKxQo4SOmGUUXQ5QkoIesgwSmA8g5MPpQc4UIUEibAXafAK0CQng0gMZ1plZ2p/yoh5WyQCs80VYDaMcTwQ60A70+xFhPZ25DxFAZQFAbZ5pQR3Z1pwxGAox4x2hbBPZB56ZixuFDAqoBAzAxZdhpZdh5ZnBL5A5shc8DY1EMeu2+Ev2B6YiaSaO5EC4Ma0ssFGA6Q8FaF4G2RmFbZOFyxb570ohF6Yg4xoK80AAitgCGOoLIFucKTuYmf0T2SxZaXcYMbIRxVxc0DxVMYFf8vxbKRmUJSJSwOJZiJJTYc+baf2QSV0VYKuQ9lGVEiXPICHqUUBR4Tjmrg9gmlGI4l2FLPONKomBgDBXBSuCQD0HFBFFjOZTFZZbIVTH8DUMzDAO9EQYTuIGoLaMuh5UoAmWKUmb5R2RaV2VaRFcFcTBMTodQdaVFUebFSFPFY+WWSlX2U8elfJVlSNBuYevlYoB1sgEVc5CuPqp5FjpmhamthZlZjHtGt0HpY1ZbC1QhbNLVTXB1YJV1XhdxB4amkoJAH4BcDEpKL7MEMZDypRYhUNeZKNW5RNQcbuTNdaX5QtQFdsctWMaFZQeFdsZtZ1QccJTtWJXtVJQdXaXJf8gpZjkphdd+WpctgVRlMNt7MEiVa9VrhumrALm1YFgxmbkCBQLjMUJ9V6ZAAANKHDCGnh06IG0DAjBKUT8YRKzTXQ5DmyyAO5bTyRtVYURUWUHHQDnDHj4BECyBgAKyinJD1lJCa3uR1Ro0jVBLjW0WeWyE40+V41zWsWLVE2BScUrVhXrURWU0g3U1xV00llqmM1pUNiuGs1KVdp5Wc1ooHqC3/ma6Wba5fny3Sw5wtR4gmU81RHtU9lW2uF+A0CQDRBpltCiGpABJCT6RVC4BY2uGUCMXMWh3+U9nE3cVk2x0U3SlpnRUJ2uE02iUJWQBJWQDSUPGpVHUZ1vnLn2y50FXFA/mF1WpvVNqjiJDNBdxc0eEAk6VfUrjkAbT6WGVNV/XGX3aA0CkN1U2uGBDcASBTAOX0AVhICUTkBiATQ+CnjLgUBOko2Sje3wAY1+3Wl0XdHeUSmzUqjzXBGE04mR0hWrW8UbWz2Hm/1dFL27Up1PmW0UOyFVipG1je6akj04Mx34NhGyXHVuHoR2ApHube7upGL9TaBeD7KKXTTESlK/G0aVUrRQUe5lBVDdBnWwx4R8w0Btjs7nRtm4l6LM0KyCgBQfEboRE2x1TlK8g5zikS3WS3oaVexrjkSWh8kbQclyNzn4IrR0Bi75xNCMmdialNzMRaPIC+zSC5CFCZReyxxlLi1qPNBFbPqQAABqlA8kBMXSVIVumO3uX5zgmKJAdAQN/tk1Xl01wdS1hD0dY9pDjs5DC9ip1YpWdYBJ6xr4aIehBhuAtgjDgjPD1wnIfIKY9oPQDAN+fIaAdQUwozAgKYdQdQtAME7IeYAg4znI9oKY7IP+dQaAJA9oJAozfInItAYzMwvI7I1wJYtAMweYJA1+t+qYV+Fx+hDwvTNg7hBxUwAgVzX+KYJAMwT+9odQvz7I9oSg9+aYh+1zn+xTKgPQV+DAYzKYUw+z1wAgfISzAgeY7IMzuLCE9o1wyztAF+rziCwItA+B3YtgHDehXEtANgxc/TrTbUjpYdhNXBS+TLGAXz7LdTnBDLPLqKNlyp/LBNBgkhO+EAPAzQcBlApACBuxiA8+UB9yneWyBA8+hOTkKBQweraB9ymBbzIUVg45dACsuAWoa+tARBP4uAQkGqFBKYUrgBPe2r5rerNAqr80+gQAA=== -->\n\n<!-- internal state end -->"},"request":{"retryCount":3,"signal":{},"retries":3,"retryAfter":16}},"response":{"url":"https://api.github.com/repos/openshift/assisted-image-service/issues/comments/4328129957","status":500,"headers":{"access-control-allow-origin":"*","access-control-expose-headers":"ETag, Link, Location, Retry-After, X-GitHub-OTP, X-RateLimit-Limit, X-RateLimit-Remaining, X-RateLimit-Used, X-RateLimit-Resource, X-RateLimit-Reset, X-OAuth-Scopes, X-Accepted-OAuth-Scopes, X-Poll-Interval, X-GitHub-Media-Type, X-GitHub-SSO, X-GitHub-Request-Id, Deprecation, Sunset","content-length":"0","content-security-policy":"default-src 'none'","content-type":"application/json; charset=utf-8","date":"Mon, 04 May 2026 15:56:23 GMT","referrer-policy":"origin-when-cross-origin, strict-origin-when-cross-origin","server":"github.com","strict-transport-security":"max-age=31536000; includeSubdomains; preload","vary":"Accept-Encoding, Accept, X-Requested-With","x-accepted-github-permissions":"issues=write; pull_requests=write","x-content-type-options":"nosniff","x-frame-options":"deny","x-github-api-version-selected":"2022-11-28","x-github-media-type":"github.v3; format=json","x-github-request-id":"4297:27A2C8:B7CB6D:2D882A5:69F8C1A4","x-ratelimit-limit":"15000","x-ratelimit-remaining":"14634","x-ratelimit-reset":"1777913389","x-ratelimit-resource":"core","x-ratelimit-used":"366","x-xss-protection":"0"},"data":""}}

@dependabot dependabot Bot force-pushed the dependabot/docker/docker-dependencies-89fea4dddc branch from 17639d2 to aa4d7f9 Compare May 4, 2026 15:58

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@Dockerfile.image-service-build`:
- Line 1: The Dockerfile uses registry.access.redhat.com/ubi9/go-toolset:9.7
which provides Go 1.17.7 and conflicts with the module's go version go1.25.5;
update the FROM line in Dockerfile.image-service-build to a tag that includes Go
1.25.x (for example use registry.access.redhat.com/ubi9/go-toolset:1.25 or a
later 1.25.* tag) so the build toolchain matches the go.mod requirement and
avoids incompatible compiler behavior.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: b9e09f01-e195-4b79-806d-048c6d3c0c56

📥 Commits

Reviewing files that changed from the base of the PR and between 367a326 and 17639d2.

📒 Files selected for processing (3)
  • Dockerfile.image-service
  • Dockerfile.image-service-build
  • Dockerfile.image-service-mce
✅ Files skipped from review due to trivial changes (2)
  • Dockerfile.image-service-mce
  • Dockerfile.image-service

Comment thread Dockerfile.image-service-build Outdated
@@ -1,4 +1,4 @@
FROM registry.access.redhat.com/ubi9/go-toolset:1.25 AS golang
FROM registry.access.redhat.com/ubi9/go-toolset:9.7 AS golang

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🌐 Web query:

What Go version is included in Red Hat UBI9 go-toolset 9.7 image?

💡 Result:

The Go version included in the Red Hat UBI9 go-toolset 9.7 image is Go 1.17.7. This is based on official Red Hat documentation for RHEL 9 / UBI9 go-toolset packages, which specify go-toolset-1.17.7 as the package providing Go 1.17. The image tags like 9.7-1776962329 correspond to UBI 9.7 base with the go-toolset module installed, and documentation confirms this version for RHEL9/UBI9. Newer docs for Go 1.22/1.25 toolsets exist but are not tied to the specific 9.7 tag.

Citations:


🌐 Web query:

Red Hat UBI9 go-toolset versioning scheme documentation

💡 Result:

Red Hat UBI9 go-toolset follows a rolling versioning scheme as part of the Red Hat Enterprise Linux (RHEL) Application Streams. Go Toolset is classified as a "Rolling Application Stream," meaning Red Hat releases updates to the latest upstream Go versions through asynchronous errata, typically within 3 months of each upstream Go release (which occurs every 6 months). Only the latest version is supported; previous versions are retired after a short maintenance period. Key aspects of the versioning scheme: - Package name: go-toolset (no major version prefix like gcc-toolset; the Go version is specified in documentation). - Installation in UBI9: Use yum install -y go-toolset on registry.access.redhat.com/ubi9/ubi base image, or pull registry.access.redhat.com/ubi9/go-toolset directly. - Updates track upstream Go releases (e.g., Go 1.19.6, 1.20.10, 1.21.0, 1.25 in various docs; latest noted as Go 1.25.3 available in RHEL 9.7 as of Dec 2025). - Life cycle: Rolling, with support only for the current version per RHEL minor release. See retired streams for past versions (e.g., Go 1.17.x to 1.18.4 retired). - Official tracking: Red Hat Go Toolset Development Status Page and Application Streams Life Cycle document. For the most current version, check the Red Hat Ecosystem Catalog or pull the latest image tag.

Citations:


This base image contains Go 1.17.7, which is incompatible with your go.mod requirement of Go 1.25.5.

The UBI9 go-toolset tag 9.7 contains Go 1.17.7 (per Red Hat official documentation), not the Go 1.25 you need. Your go.mod specifies toolchain go1.25.5, so switching to this image will cause your build to fail with toolchain version errors or silently build with an incompatible Go version that doesn't support 1.25 features.

Use registry.access.redhat.com/ubi9/go-toolset:1.25 or a more recent tag that includes Go 1.25.x.

🧰 Tools
🪛 Trivy (0.69.3)

[error] 1-1: Image user should not be 'root'

Specify at least 1 USER command in Dockerfile with non-root user as argument

Rule: DS-0002

Learn more

(IaC/Dockerfile)

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@Dockerfile.image-service-build` at line 1, The Dockerfile uses
registry.access.redhat.com/ubi9/go-toolset:9.7 which provides Go 1.17.7 and
conflicts with the module's go version go1.25.5; update the FROM line in
Dockerfile.image-service-build to a tag that includes Go 1.25.x (for example use
registry.access.redhat.com/ubi9/go-toolset:1.25 or a later 1.25.* tag) so the
build toolchain matches the go.mod requirement and avoids incompatible compiler
behavior.

…2 updates

Bumps the docker-dependencies group with 2 updates in the / directory: ubi9/go-toolset and ubi9/ubi-minimal.


Updates `ubi9/go-toolset` from 1.25 to 9.8

Updates `ubi9/ubi-minimal` from `6fc28bc` to `ae09ecc`

---
updated-dependencies:
- dependency-name: ubi9/go-toolset
  dependency-version: '9.7'
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: docker-dependencies
- dependency-name: ubi9/ubi-minimal
  dependency-version: latest
  dependency-type: direct:production
  dependency-group: docker-dependencies
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot force-pushed the dependabot/docker/docker-dependencies-89fea4dddc branch from aa4d7f9 to bf4d3da Compare June 8, 2026 12:33

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@Dockerfile.image-service`:
- Line 48: The Dockerfile currently pins the Red Hat base image by digest in the
FROM line (the entry starting with "FROM
registry.access.redhat.com/ubi9/ubi-minimal:latest@sha256:…"); change this to
use a floating tag managed by Red Hat (e.g., replace the digest form with
":latest" or a UBI version tag like ":9.8") so the image receives upstream
updates and complies with the Red Hat images guideline.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 84e3473a-3bb0-4228-a436-6f1deb4ee35a

📥 Commits

Reviewing files that changed from the base of the PR and between aa4d7f9 and bf4d3da.

📒 Files selected for processing (3)
  • Dockerfile.image-service
  • Dockerfile.image-service-build
  • Dockerfile.image-service-mce
🚧 Files skipped from review as they are similar to previous changes (1)
  • Dockerfile.image-service-mce

Comment thread Dockerfile.image-service

## Runtime
FROM registry.access.redhat.com/ubi9/ubi-minimal:latest@sha256:6fc28bcb6776e387d7a35a2056d9d2b985dc4e26031e98a2bd35a7137cd6fd71
FROM registry.access.redhat.com/ubi9/ubi-minimal:latest@sha256:ae09ecc3d754bc1726cbda3e2599cc7839e09fe1cc547ce173cf669b645be3cc

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Red Hat images should use floating tags, not digest pins.

The ubi-minimal image is from Red Hat (registry.access.redhat.com), so per coding guidelines it should use a floating tag like :latest or :9.8 to allow Red Hat to manage updates. Pinning by digest (:latest@sha256:ae09ec...) prevents automatic security updates and violates the guideline: "Red Hat images: use floating tags (Red Hat manages updates)."

🔧 Suggested fix
-FROM registry.access.redhat.com/ubi9/ubi-minimal:latest@sha256:ae09ecc3d754bc1726cbda3e2599cc7839e09fe1cc547ce173cf669b645be3cc
+FROM registry.access.redhat.com/ubi9/ubi-minimal:latest

Or use a specific UBI version tag:

-FROM registry.access.redhat.com/ubi9/ubi-minimal:latest@sha256:ae09ecc3d754bc1726cbda3e2599cc7839e09fe1cc547ce173cf669b645be3cc
+FROM registry.access.redhat.com/ubi9/ubi-minimal:9.8
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
FROM registry.access.redhat.com/ubi9/ubi-minimal:latest@sha256:ae09ecc3d754bc1726cbda3e2599cc7839e09fe1cc547ce173cf669b645be3cc
FROM registry.access.redhat.com/ubi9/ubi-minimal:latest
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@Dockerfile.image-service` at line 48, The Dockerfile currently pins the Red
Hat base image by digest in the FROM line (the entry starting with "FROM
registry.access.redhat.com/ubi9/ubi-minimal:latest@sha256:…"); change this to
use a floating tag managed by Red Hat (e.g., replace the digest form with
":latest" or a UBI version tag like ":9.8") so the image receives upstream
updates and complies with the Red Hat images guideline.

Source: Coding guidelines

@openshift-ci

openshift-ci Bot commented Jun 8, 2026

Copy link
Copy Markdown

@dependabot[bot]: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name Commit Details Required Rerun command
ci/prow/edge-lint bf4d3da link true /test edge-lint

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. size/S Denotes a PR that changes 10-29 lines, ignoring generated files.

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant