
Make bump-version.sh hermetic and manually update bundle files#207

Open
AnnaZivkovic wants to merge 2 commits into
openshift:mainfrom
AnnaZivkovic:add-custom-step-to-pipeline

Conversation


@AnnaZivkovic AnnaZivkovic commented May 16, 2026

Summary

This PR implements automated FBC (File-Based Catalog) updates with dynamic version generation for Konflux builds. The operator version is now automatically generated as BASE_VERSION-COMMIT_SHA (e.g., 1.3.0-abc1234), ensuring version synchronization between the operator build and FBC catalog updates.

1. Dynamic Version Generation

  • New run-script task in single-arch-build-pipeline.yaml runs hack/bump-version.sh before building
  • Version format: BASE_VERSION-COMMIT_SHA where:
    • BASE_VERSION comes from Makefile (e.g., 1.3.0)
    • COMMIT_SHA is the git commit hash (first 7 chars)
  • COMMIT_SHA is passed to the script via the SCRIPT parameter as an environment variable
  • Script updates all version references across config files, Dockerfiles, bundle manifests, and Makefile

2. Hermetic Build Compliance

Problem: Enterprise Contract (EC) policies require hermetic builds (network isolation), but the original script downloaded tools (yq, operator-sdk, kustomize, controller-gen). Therefore we cannot use make bundle.

Summary by CodeRabbit

  • New Features

    • Added an automated version-bump step in the build pipeline that produces version metadata consumed by downstream stages.
  • Improvements

    • Added configurable package registry proxy control for dependency prefetch during builds.
    • Enhanced version management to support dynamic version generation with flexible input sources.
    • Updated build pipeline tasks to use newer task versions for improved reliability.
  • Chores

    • Removed obsolete SAST configuration parameters from the build pipeline.
  • CI

    • Increased linting timeout to reduce false timeouts.

Changes:
- Remove all tool installations (yq, operator-sdk, kustomize, controller-gen, gpgme)
- Use sed only for all file updates
- Manually update bundle files instead of running 'make bundle'
- Enable HERMETIC=true in pipeline
- Pin run-script-oci-ta task to trusted digest (sha256:0e13a74c...)

This fixes EC violations:
- hermetic_task.hermetic
- tasks.pinned_task_refs
- trusted_task.trusted

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

coderabbitai Bot commented May 16, 2026

No actionable comments were generated in the recent review. 🎉

📥 Commits

Reviewing files that changed from the base of the PR and between f2582a5 and 280d2cb.

📒 Files selected for processing (1)
  • .golangci.yaml

Walkthrough

The PR integrates a refactored version-bumping script into the Tekton build pipeline. The hack/bump-version.sh script now supports dynamic version generation from Makefile with optional commit-based suffixes, uses sed for manifest edits instead of yq, and directly updates bundle outputs. The Tekton pipeline adds a new run-script task that executes this script and introduces an enable-package-registry-proxy parameter while removing sast-target-dirs. Downstream build and SAST tasks are rewired to consume the script's artifact instead of prefetch artifacts.

Changes

Build pipeline version scripting refactor

| Layer / File(s) | Summary |
|---|---|
| Bump version script refactoring (hack/bump-version.sh) | Version input now follows a fallback chain: CLI argument, OPERATOR_VERSION environment variable, or auto-generation from Makefile with optional commit SHA. yq-based YAML editing is replaced with sed -i across manifest files, Dockerfiles, and bundle outputs. The script directly edits bundle files and no longer invokes make bundle. |
| Pipeline parameter changes and run-script task (.tekton/single-arch-build-pipeline.yaml) | Pipeline parameters are updated: enable-package-registry-proxy is added to control prefetch behavior, and sast-target-dirs is removed. A new hermetic run-script task executes the refactored version script and outputs SCRIPT_ARTIFACT and SCRIPT_RUNNER_IMAGE_REFERENCE for downstream consumers. |
| Dependency prefetch and build task rewiring (.tekton/single-arch-build-pipeline.yaml) | Task bundle references for init and prefetch-dependencies are updated to new digests. Build tasks (build-container, build-source-image, push-dockerfile) now consume SCRIPT_ARTIFACT from run-script instead of SOURCE_ARTIFACT from prefetch-dependencies for source input. |
| Scan task updates and SAST task rewiring (.tekton/single-arch-build-pipeline.yaml) | Task bundle references for scan tasks (deprecated-base-image-check, clair-scan, ecosystem-cert-preflight-checks, rpms-signature-scan) are updated to new digests. SAST check tasks (snyk, coverity, shell, unicode) are rewired to use SCRIPT_ARTIFACT from run-script as source input, and the TARGET_DIRS parameter is removed from all SAST tasks. |
| CI lint timeout (.golangci.yaml) | golangci-lint run.timeout increased from 5m to 10m. |

Sequence Diagram(s)

```mermaid
sequenceDiagram
  participant Pipeline
  participant RunScriptTask
  participant ScriptRunnerImage
  participant BuildContainer
  participant Snyk
  Pipeline->>RunScriptTask: schedule run-script (hermetic)
  RunScriptTask->>ScriptRunnerImage: execute ./hack/bump-version.sh
  RunScriptTask->>Pipeline: publish SCRIPT_ARTIFACT + SCRIPT_RUNNER_IMAGE_REFERENCE
  Pipeline->>BuildContainer: pass SCRIPT_ARTIFACT and ADDITIONAL_BASE_IMAGES
  Pipeline->>Snyk: pass SCRIPT_ARTIFACT as source for scan
```

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Suggested reviewers

  • Prashanth684
  • aleskandro
🚥 Pre-merge checks: ✅ 12 passed

| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit's high-level summary is enabled. |
| Title check | ✅ Passed | The title directly describes the main changes: making bump-version.sh hermetic and manually updating bundle files, which aligns with the PR's primary objectives of removing runtime tool downloads and replacing make bundle with sed-based file edits. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Stable And Deterministic Test Names | ✅ Passed | Check not applicable. PR modifies only non-test files (.golangci.yaml, .tekton YAML, hack/bump-version.sh). No Ginkgo test files are changed. |
| Test Structure And Quality | ✅ Passed | PR does not modify or add any Ginkgo test files. Changes limited to Tekton pipelines, shell scripts, and linter config. |
| Microshift Test Compatibility | ✅ Passed | No new Ginkgo e2e tests found in PR. Changes are limited to pipeline configuration, shell scripts, and linter settings. |
| Single Node Openshift (Sno) Test Compatibility | ✅ Passed | New e2e tests added are SNO-compatible. They test multiarch scheduling logic that works on single-node clusters. No tests assume multiple nodes, HA failover, node distribution, or multi-node scaling. |
| Topology-Aware Scheduling Compatibility | ✅ Passed | PR modifies only Tekton pipeline config, version-bump script, and linter timeout. No deployment manifests, operator code, or scheduling constraints are added or modified. |
| Ote Binary Stdout Contract | ✅ Passed | PR modifies only infrastructure config (Tekton pipeline YAML, linter config) and shell scripts. No Go code changes present, so OTE Binary Stdout Contract check is not applicable. |
| Ipv6 And Disconnected Network Test Compatibility | ✅ Passed | PR does not introduce Ginkgo e2e tests. Modifications are to Tekton pipeline YAML, a bash script, and linter config. IPv6/disconnected network test check is not applicable. |


@openshift-ci openshift-ci Bot requested review from Prashanth684 and aleskandro May 16, 2026 00:21

@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.tekton/single-arch-build-pipeline.yaml:
- Around line 190-191: Replace the mutable tag value for the environment
variable SCRIPT_RUNNER_IMAGE with an immutable image reference pinned by digest:
run podman inspect registry.access.redhat.com/ubi9/go-toolset:1.25 --format
'{{.Digest}}' (or use equivalent registry API) to obtain the image digest, then
update SCRIPT_RUNNER_IMAGE's value to
registry.access.redhat.com/ubi9/go-toolset@sha256:<DIGEST>; ensure the pinned
reference matches what is recorded in ADDITIONAL_BASE_IMAGES so the run-script
task becomes hermetic.

In `@hack/bump-version.sh`:
- Around line 17-19: The script reads and then rewrites the Makefile's VERSION
causing compound suffixes; change the BASE_VERSION extraction (the BASE_VERSION
assignment that uses grep/awk) to strip any existing -<sha> suffix (e.g., remove
anything from the first '-' onward or match only the semver part) so you always
start from the pure base version before appending a new suffix; apply the same
sanitization wherever BASE_VERSION is re-read or used later (refer to the
BASE_VERSION variable and the grep/awk extraction around that block and the
similar logic at the later BASE_VERSION uses on lines referenced 87-88).


📥 Commits

Reviewing files that changed from the base of the PR and between 3b04aff and f2582a5.

📒 Files selected for processing (2)
  • .tekton/single-arch-build-pipeline.yaml
  • hack/bump-version.sh

Comment on lines +190 to +191
```yaml
    - name: SCRIPT_RUNNER_IMAGE
      value: registry.access.redhat.com/ubi9/go-toolset:1.25
```


⚠️ Potential issue | 🟠 Major | ⚡ Quick win


Pin SCRIPT_RUNNER_IMAGE by digest.

The registry.access.redhat.com/ubi9/go-toolset:1.25 tag is mutable and receives rolling updates, so the run-script task can execute different code across builds despite HERMETIC=true. While the resolved reference is recorded in ADDITIONAL_BASE_IMAGES for tracking, this does not prevent the image from being re-pulled with different content. Pinning by digest is required to achieve true hermetic behavior and is consistent with the recent commit's goal of fixing hermetic compliance violations.

Proposed fix
-    - name: SCRIPT_RUNNER_IMAGE
-      value: registry.access.redhat.com/ubi9/go-toolset:1.25
+    - name: SCRIPT_RUNNER_IMAGE
+      value: registry.access.redhat.com/ubi9/go-toolset@sha256:<pinned-digest>
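Review bot: the replacement value still carries the placeholder "sha256:<pinned-digest>", so this hunk is not applicable as written and the pipeline would fail to pull the runner image until a real digest is substituted. When resolving it, note that "podman inspect --format '{{.Digest}}'" on a locally pulled image reports the digest of the manifest that was actually pulled for the local platform, so resolve it on the same architecture the run-script task executes on, or query the registry directly, and confirm the value agrees with what ADDITIONAL_BASE_IMAGES records. It is also worth stating in the PR how the pin gets refreshed: a digest-pinned ubi9/go-toolset no longer follows the rolling tag, so it stops receiving Red Hat patch updates unless a dependency-update bot or a documented manual step bumps it.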

Obtain the digest using: podman inspect registry.access.redhat.com/ubi9/go-toolset:1.25 --format '{{.Digest}}'


Comment thread hack/bump-version.sh
Comment on lines +17 to +19
```bash
# Read base version from Makefile
if [ -f Makefile ]; then
        BASE_VERSION=$(grep -E "^VERSION \?=" Makefile | awk '{print $3}')
```


⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Keep Makefile's base version stable.

Makefile is now both the source of BASE_VERSION and the target for the derived BASE_VERSION-<sha> value. A second run against the same checkout will compound the suffix and produce versions like 1.3.0-abc1234-def5678, which breaks the intended format.

Proposed fix
-        BASE_VERSION=$(grep -E "^VERSION \?=" Makefile | awk '{print $3}')
+        BASE_VERSION=$(grep -E "^VERSION \?=" Makefile | awk '{print $3}' | sed -E 's/-[0-9a-f]{7}$//')
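Review bot: the proposed "sed -E 's/-[0-9a-f]{7}$//'" only strips one trailing 7-hex suffix, so a checkout whose Makefile already reads 1.3.0-abc1234-def5678 (the exact corruption described above) would still be read as 1.3.0-abc1234 and keep compounding; matching only the semver part (something like '^[0-9]+\.[0-9]+\.[0-9]+') and failing loudly when the VERSION line does not match is more robust. Since the same sanitization must be repeated at lines 87-88, compute BASE_VERSION once in a single helper and reuse it rather than duplicating the sed, so that the suffix length used here and the 7-character COMMIT_SHA truncation cannot be changed in one place and not the other.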

Also applies to: 87-88

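The compound-suffix failure mode discussed in this thread, as an added example that is not the PR's hack/bump-version.sh: a small bash script that reads VERSION from a Makefile, strips any previous 7-hex-character commit suffix before composing BASE_VERSION-COMMIT_SHA, rewrites the Makefile with sed only (no tool downloads, so the step stays hermetic), and checks that a second run on the same checkout yields the same version. The Makefile content, the sample SHAs and the function names are constructed for the example.

```shell
#!/usr/bin/env bash
# Added example (not the PR's script): an idempotent, sed-only version bump.
# Repeated runs must not compound the suffix (1.3.0-abc1234-def5678).

# Print the pure base version from a "VERSION ?= x.y.z[-<7 hex>]" line.
# Matching the semver part explicitly means a corrupted line yields nothing
# rather than a wrong base; the caller treats that as an error.
base_version() {
  makefile="$1"
  sed -n -E 's/^VERSION \?= *([0-9]+\.[0-9]+\.[0-9]+)(-[0-9a-f]{7})?[[:space:]]*$/\1/p' "$makefile"
}

# Compose BASE_VERSION-COMMIT_SHA using the first 7 characters of the SHA.
derive_version() {
  makefile="$1"; sha="$2"
  base=$(base_version "$makefile")
  [ -n "$base" ] || { echo "no parsable 'VERSION ?= x.y.z' line in $makefile" >&2; return 1; }
  short=$(printf '%s' "$sha" | cut -c1-7)
  printf '%s-%s\n' "$base" "$short"
}

# Rewrite the Makefile's VERSION line in place and print the new value.
bump_makefile() {
  makefile="$1"; sha="$2"
  new=$(derive_version "$makefile" "$sha") || return 1
  sed -i -E "s/^VERSION \?=.*/VERSION ?= $new/" "$makefile"
  printf '%s\n' "$new"
}

# Bump a constructed Makefile twice with the same SHA and print the final
# VERSION only if both runs agree (exit 1 otherwise).
demo() {
  tmp=$(mktemp)
  # Constructed Makefile fragment standing in for the repository's Makefile.
  printf 'VERSION ?= 1.3.0\nIMG ?= example/operator:$(VERSION)\n' > "$tmp"
  first=$(bump_makefile "$tmp" abc1234deadbeef)
  second=$(bump_makefile "$tmp" abc1234deadbeef)
  rm -f "$tmp"
  if [ "$first" = "$second" ]; then
    printf '%s\n' "$second"
  else
    echo "not idempotent: $first vs $second" >&2
    return 1
  fi
}
```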

The lint job was timing out at 5m0s, just slightly exceeding the 5m timeout.
Increasing to 10m to provide more headroom for slower CI environments.

openshift-ci Bot commented May 16, 2026

@AnnaZivkovic: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

| Test name | Commit | Details | Required | Rerun command |
|---|---|---|---|---|
| ci/prow/ocp416-e2e-gcp | 280d2cb | link | true | /test ocp416-e2e-gcp |

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

@jcpowermac

/lgtm
/approve

@openshift-ci openshift-ci Bot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label May 16, 2026

openshift-ci Bot commented May 16, 2026

PR needs rebase.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@openshift-ci openshift-ci Bot added the lgtm Indicates that a PR is ready to be merged. label May 16, 2026

openshift-ci Bot commented May 16, 2026

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: jcpowermac
Once this PR has been reviewed and has the lgtm label, please assign annazivkovic for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment


Labels

lgtm Indicates that a PR is ready to be merged. needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD.
