Bump ubi9/ubi-minimal from 9.8-1780378819 to 1780379098 in /build

[dependabot]

Bumps ubi9/ubi-minimal from 9.8-1780378819 to 1780379098.

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Summary by CodeRabbit

• Chores
  • Updated base container runtime images to latest stable versions for enhanced security and platform compatibility.

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: dependabot[bot]
Once this PR has been reviewed and has the lgtm label, please assign clcollins for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[openshift-ci]

Hi @dependabot[bot]. Thanks for your PR.

I'm waiting for a openshift member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work.

Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[coderabbitai]

Walkthrough

This PR updates the runtime base image references in two Docker build configurations. The final stage base image ubi9/ubi-minimal is updated to a newer tag in both build/Dockerfile and build/Dockerfile.olm-registry, with no changes to builder stages, artifact copies, or runtime configuration.

Changes

Base image updates

Layer / File(s)	Summary
UBI minimal base image updates build/Dockerfile, build/Dockerfile.olm-registry	Both Dockerfiles updated from prior ubi-minimal tags to newer versions; builder stages and all runtime setup remain unchanged.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

Possibly related PRs

• openshift/managed-upgrade-operator#602: Both PRs bump the ubi9/ubi-minimal base image tag in the same Dockerfiles without changing any other build steps.
• openshift/managed-upgrade-operator#643: Both PRs update the ubi-minimal base image tag used in Docker build stages, so the changes are directly related.

Suggested reviewers

• charlesgong
• tkong-redhat

🚥 Pre-merge checks | ✅ 15

✅ Passed checks (15 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately describes the main change: updating the ubi9/ubi-minimal base image version across multiple Dockerfiles in the /build directory.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names	✅ Passed	This PR only modifies Dockerfile base image tags (build/Dockerfile and build/Dockerfile.olm-registry); no test files or Ginkgo test names are modified, making this custom check not applicable.
Test Structure And Quality	✅ Passed	PR only modifies Dockerfile base images (build/Dockerfile and build/Dockerfile.olm-registry). No Ginkgo test code changes present, so test structure check is not applicable.
Microshift Test Compatibility	✅ Passed	PR contains only Dockerfile base image tag updates; no new Ginkgo e2e tests are added, so MicroShift test compatibility check is not applicable.
Single Node Openshift (Sno) Test Compatibility	✅ Passed	This PR only updates Docker base image tags in build/Dockerfile and build/Dockerfile.olm-registry; no new Ginkgo e2e tests are added, making the SNO test compatibility check not applicable.
Topology-Aware Scheduling Compatibility	✅ Passed	PR only updates Docker base image tags in Dockerfiles, not deployment manifests, operator code, or scheduling constraints, which is outside the scope of the topology-aware scheduling check.
Ote Binary Stdout Contract	✅ Passed	PR only modifies Docker base image tags in Dockerfile files; no Go code changes related to stdout/logging behavior.
Ipv6 And Disconnected Network Test Compatibility	✅ Passed	This PR only updates Docker base image versions in Dockerfile configuration files; no new Ginkgo e2e tests are added. The custom check is not applicable to non-test code changes.
No-Weak-Crypto	✅ Passed	PR only updates Docker base images (ubi9/ubi-minimal tag). No weak crypto patterns (MD5/SHA1/DES/RC4/ECB/custom crypto) found in any codebase files.
Container-Privileges	✅ Passed	PR only updates base image tags; no privileged settings (privileged: true, hostPID/Network/IPC, SYS_ADMIN, allowPrivilegeEscalation: true, runAsUser: 0) introduced in Dockerfiles or K8s manifests.
No-Sensitive-Data-In-Logs	✅ Passed	This PR only updates Docker base image tags and contains no new logging statements that could expose sensitive data like passwords, tokens, keys, PII, or other confidential information.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch dependabot/docker/build/ubi9/ubi-minimal-1780379098

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[openshift-ci]

@dependabot[bot]: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/validate	3b30374	link	true	/test validate

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

[codecov-commenter]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 54.27%. Comparing base (f636f43) to head (3b30374).

Additional details and impacted files

@@           Coverage Diff           @@
##           master     #644   +/-   ##
=======================================
  Coverage   54.27%   54.27%           
=======================================
  Files         123      123           
  Lines        6204     6204           
=======================================
  Hits         3367     3367           
  Misses       2631     2631           
  Partials      206      206           

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[coderabbitai]

Actionable comments posted: 1

♻️ Duplicate comments (1)

build/Dockerfile.olm-registry (1)

7-7: ⚠️ Potential issue | 🟠 Major | 🏗️ Heavy lift

Same UBI minimal tag format issue applies here.

This Dockerfile has the same tag format concern as build/Dockerfile at line 11. The tag 1780379098 appears to be missing the UBI version prefix and should follow the format {{.Labels.version}}-{{.Labels.release}}.

Given the FIPS context noted in the comment at line 6 ("ubi-micro does not work for clusters with fips enabled unless we make OpenSSL available"), selecting the correct UBI version is particularly critical for this OLM registry image to ensure OpenSSL compatibility with FIPS-enabled clusters.

Please verify using the same verification script provided for build/Dockerfile line 11.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@build/Dockerfile.olm-registry` at line 7, The FROM image tag on the OLM
registry Dockerfile uses a raw numeric tag ("1780379098") instead of the
templated UBI version-release format; update the FROM line for
registry.access.redhat.com/ubi9/ubi-minimal to use the same templated tag
pattern ({{.Labels.version}}-{{.Labels.release}}) used in the other Dockerfile
so the UBI version is explicit and compatible with FIPS/OpenSSL requirements,
and re-run the same verification script used for the other Dockerfile to confirm
the tag format and FIPS-related image choice are correct.

Source: Coding guidelines

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@build/Dockerfile`:
- Line 11: The pinned UBI image tag
"registry.access.redhat.com/ubi9/ubi-minimal:1780379098" is release-only and
must be changed to the boilerplate-compatible versioned tag; update the FROM
line so the tag follows the boilerplate pattern (UBI version plus release) e.g.
"registry.access.redhat.com/ubi9/ubi-minimal:<UBI-version>-<release>" so it
matches the boilerplate’s expected "{{.Labels.version}}-{{.Labels.release}}"
format used by the openshift/golang-osd-operator updater; make the same change
in the other Dockerfile that pins the same image.

---

Duplicate comments:
In `@build/Dockerfile.olm-registry`:
- Line 7: The FROM image tag on the OLM registry Dockerfile uses a raw numeric
tag ("1780379098") instead of the templated UBI version-release format; update
the FROM line for registry.access.redhat.com/ubi9/ubi-minimal to use the same
templated tag pattern ({{.Labels.version}}-{{.Labels.release}}) used in the
other Dockerfile so the UBI version is explicit and compatible with FIPS/OpenSSL
requirements, and re-run the same verification script used for the other
Dockerfile to confirm the tag format and FIPS-related image choice are correct.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: dac2df12-d45c-4203-8f90-cb05263ba659

📥 Commits

Reviewing files that changed from the base of the PR and between f636f43 and 3b30374.

📒 Files selected for processing (2)

• build/Dockerfile
• build/Dockerfile.olm-registry

[coderabbitai]

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Description: Verify the UBI minimal tag format and check for valid tags

echo "=== Checking if tag 1780379098 exists and its labels ==="
skopeo inspect --override-os linux --override-arch amd64 docker://registry.access.redhat.com/ubi9/ubi-minimal:1780379098 --format "Tag: {{.Name}}:{{.Tag}}\nVersion: {{.Labels.version}}\nRelease: {{.Labels.release}}\nExpected format: {{.Labels.version}}-{{.Labels.release}}" 2>&1 || echo "Tag may not exist or be accessible"

echo ""
echo "=== Checking what the boilerplate update script would generate ==="
skopeo inspect --override-os linux --override-arch amd64 docker://registry.access.redhat.com/ubi9/ubi-minimal --format "Recommended tag: {{.Name}}:{{.Labels.version}}-{{.Labels.release}}"

echo ""
echo "=== Inspecting boilerplate image to determine expected UBI version ==="
skopeo inspect docker://quay.io/redhat-services-prod/openshift/boilerplate:image-v8.3.6 --format "Boilerplate labels: {{.Labels}}" 2>&1 | grep -i ubi || echo "Could not determine UBI version from boilerplate"

Repository: openshift/managed-upgrade-operator

Length of output: 467

---

🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "=== Find Dockerfiles using ubi-minimal tags ==="
fd -a "Dockerfile*" . | cat
echo
rg -n --hidden --no-ignore -S "ubi9/ubi-minimal:" . || true

echo
echo "=== Inspect build/Dockerfile ==="
ls -la build/Dockerfile || true
sed -n '1,80p' build/Dockerfile || true

echo
echo "=== Search for boilerplate guidance / tag construction contract ==="
rg -n --hidden --no-ignore -S "Labels\.version|Labels\.release|ubi version|ubi-minimal|version\-\{\{\.Labels\.version\}\}" . || true
rg -n --hidden --no-ignore -S "update:95-103|golang-osd-operator/update" . || true

echo
echo "=== Locate the specific boilerplate update script snippet mentioned ==="
# Try to find files matching the hinted path fragments
fd -a "update" boilerplate . --type f || true
fd -a "*golang-osd-operator*" boilerplate . --type f || true
fd -a "update" . --type f -S || true

Repository: openshift/managed-upgrade-operator

Length of output: 4069

---

🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "=== Show boilerplate/openshift/golang-osd-operator/update around 85-115 ==="
sed -n '80,130p' boilerplate/openshift/golang-osd-operator/update | cat -n

echo
echo "=== Search for ubi-minimal tags with only :<digits> (no 9.x- prefix) ==="
rg -n --hidden --no-ignore -S "ubi9/ubi-minimal:[0-9]{6,}" . || true

echo
echo "=== Search for ubi-minimal tags with version-release format (e.g., 9.*-*) ==="
rg -n --hidden --no-ignore -S "ubi9/ubi-minimal:9\\.[0-9]+-" . || true

echo
echo "=== Inspect build/Dockerfile.olm-registry too ==="
sed -n '1,60p' build/Dockerfile.olm-registry | cat -n

echo
echo "=== Inspect CLAUDE.md line with container base ==="
sed -n '1,40p' CLAUDE.md | cat -n

Repository: openshift/managed-upgrade-operator

Length of output: 6770

---

🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "=== Search for ubi9/ubi-minimal tags across repo ==="
rg -n --hidden --no-ignore -S "ubi9/ubi-minimal:" . || true

echo
echo "=== Search for the specific tag 1780379098 ==="
rg -n --hidden --no-ignore -S "1780379098" . || true

echo
echo "=== Inspect boilerplate/openshift/golang-osd-operator/update.cfg (if present) ==="
ls -ლა boilerplate/openshift/golang-osd-operator/update.cfg 2>/dev/null || true
sed -n '1,200p' boilerplate/openshift/golang-osd-operator/update.cfg 2>/dev/null || true

echo
echo "=== Inspect boilerplate/openshift/golang-osd-operator/Dockerfile template (if present) ==="
fd -a "Dockerfile*.template*" boilerplate/openshift/golang-osd-operator . || true
fd -a "Dockerfile*" boilerplate/openshift/golang-osd-operator . || true
for f in $(fd -a "Dockerfile*" boilerplate/openshift/golang-osd-operator .); do
  echo "--- $f"
  sed -n '1,120p' "$f" | cat -n
done 2>/dev/null || true

Repository: openshift/managed-upgrade-operator

Length of output: 6616

---

Fix UBI minimal tag pinning to match boilerplate’s expected {{.Labels.version}}-{{.Labels.release}} format

boilerplate/openshift/golang-osd-operator/update replaces UBI tags using {{.Name}}:{{.Labels.version}}-{{.Labels.release}}, but build/Dockerfile and build/Dockerfile.olm-registry pin registry.access.redhat.com/ubi9/ubi-minimal:1780379098 (release-only, missing the UBI version component). Update these Dockerfiles to the versioned 9.x-<release> tag produced by the boilerplate update logic so the UBI version matches the boilerplate base image.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@build/Dockerfile` at line 11, The pinned UBI image tag
"registry.access.redhat.com/ubi9/ubi-minimal:1780379098" is release-only and
must be changed to the boilerplate-compatible versioned tag; update the FROM
line so the tag follows the boilerplate pattern (UBI version plus release) e.g.
"registry.access.redhat.com/ubi9/ubi-minimal:<UBI-version>-<release>" so it
matches the boilerplate’s expected "{{.Labels.version}}-{{.Labels.release}}"
format used by the openshift/golang-osd-operator updater; make the same change
in the other Dockerfile that pins the same image.

Source: Coding guidelines

[dependabot]

Superseded by #652.