DNM test pipeline #4171
Code Review
This pull request updates the Tekton pipeline bundle reference across multiple environment configurations, including stable, testing, and rawhide streams. The changes replace immutable image digests with mutable tags. Feedback was provided regarding the security and reproducibility risks associated with using mutable tags, recommending the use of immutable digests instead to ensure consistent pipeline behavior.
| # Shared configuration | ||
| config: | ||
| pipeline_bundle: quay.io/bootc-devel/tekton-catalog/pipeline-buildah-build-bootc-multi-platform-oci-ta@sha256:2678dd50429012f562c349ad52bce30f4bba3a0f6832b874c303e418d5b8a4ae | ||
| pipeline_bundle: quay.io/bootc-devel/tekton-catalog-pr:buildah-build-bootc-multi-platform-oci-ta-011e8d8d5823c6986e10be9f1bb91c0d4c1d8b0d |
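Review bot: the `+` line replaces the digest-pinned reference `...pipeline-buildah-build-bootc-multi-platform-oci-ta@sha256:2678dd50...` with the tag reference `quay.io/bootc-devel/tekton-catalog-pr:buildah-build-bootc-multi-platform-oci-ta-011e8d8d...`, so the bundle is no longer content-addressed: the commit hash embedded in the tag name does not make the tag immutable, and whatever is later pushed to that tag is what every PipelineRun will pull. The line also moves the reference from the `tekton-catalog` repository to `tekton-catalog-pr`, which is a separate change worth stating in the PR description (currently "No description provided"). Suggest resolving the tag to its digest and committing `pipeline_bundle: quay.io/bootc-devel/tekton-catalog-pr@sha256:<digest>` (placeholder; the real digest comes from the registry), even for a do-not-merge test.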
Using mutable tags for Tekton bundles is discouraged as it can lead to non-reproducible builds and security risks (e.g., tag overwriting). It is highly recommended to use the immutable image digest (@sha256:...) instead of a tag, even for testing purposes, to ensure the pipeline behavior remains consistent and secure. This applies to all generated PipelineRun files as well.
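A check that enforces the comment above, added here as an example and not code from this PR or the bootc project: it scans a config file for `pipeline_bundle:` values and reports every reference that is not pinned by a `@sha256:` digest, distinguishing an explicit tag, a bare name (an implicit floating tag) and a malformed digest. The sample config, repository names and the `tekton-catalog-pr:...` tag value are constructed for the example and only mirror the layout of the PR; the function names are the author's own.

```python
import re
import sys

# A reference is immutable only when it ends in a full sha256 digest.
# A tag may precede the digest (name:tag@sha256:...); the digest still wins.
PINNED_RE = re.compile(r"^[^@\s]+@sha256:[0-9a-f]{64}$")
BUNDLE_LINE_RE = re.compile(r"^\s*pipeline_bundle:\s*(\S+)\s*$")

# Constructed sample config; the shape follows the PR, the values are made up.
SAMPLE_CONFIG = """\
# Shared configuration (constructed sample)
stable:
  config:
    pipeline_bundle: quay.io/example/tekton-catalog/pipeline-example@sha256:2678dd50429012f562c349ad52bce30f4bba3a0f6832b874c303e418d5b8a4ae
testing:
  config:
    pipeline_bundle: quay.io/example/tekton-catalog-pr:pipeline-example-011e8d8d
rawhide:
  config:
    pipeline_bundle: quay.io/example/tekton-catalog/pipeline-example
"""


def classify_ref(ref: str) -> str:
    """Classify an OCI reference.

    'digest'     name@sha256:<64 hex>   immutable, what we want
    'bad-digest' has '@' but not a well-formed sha256 digest
    'tag'        name:tag               mutable, can be overwritten
    'floating'   bare name              implicit :latest, mutable
    """
    if "@" in ref:
        return "digest" if PINNED_RE.match(ref) else "bad-digest"
    # A colon in the last path segment is a tag; a colon earlier in the
    # reference (e.g. localhost:5000/repo) is a registry port, not a tag.
    last_segment = ref.rsplit("/", 1)[-1]
    return "tag" if ":" in last_segment else "floating"


def find_unpinned(config_text: str) -> list:
    """Return (line_number, reference, kind) for each pipeline_bundle not pinned by digest."""
    problems = []
    for lineno, line in enumerate(config_text.splitlines(), start=1):
        match = BUNDLE_LINE_RE.match(line)
        if not match:
            continue
        ref = match.group(1)
        kind = classify_ref(ref)
        if kind != "digest":
            problems.append((lineno, ref, kind))
    return problems


def main(config_text: str = SAMPLE_CONFIG) -> int:
    """Print findings and return a non-zero exit status when any bundle is unpinned."""
    problems = find_unpinned(config_text)
    for lineno, ref, kind in problems:
        print(f"line {lineno}: {kind}: {ref}")
    if problems:
        print("pipeline_bundle references must use @sha256:<digest>")
        return 1
    print("all pipeline_bundle references are digest-pinned")
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

Running the script on the sample flags the `testing` entry as a tag and the `rawhide` entry as floating and exits 1; wiring `main()` over the generated PipelineRun files as well covers the second half of the comment, since a pin in the shared config is undone if the rendered runs still reference a tag.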
9dc807f to 796f3af
No description provided.