Merge branch 'main' into ecosystem-bundle-validation

.github/workflows/check-buildah-remote.yaml

@@ -7,7 +7,7 @@ jobs:
     name: Check Buildah Remote
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332  # v4
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
       - name: Install Go
         uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5
         with:

.github/workflows/checkton.yaml

@@ -16,7 +16,7 @@ jobs:
 
       - name: Run Checkton
         id: checkton
-        uses: chmeliik/checkton@v0.2.2
+        uses: chmeliik/checkton@v0.3.0
         with:
           # Set to false when re-enabling SARIF uploads
           fail-on-findings: true

.github/workflows/go-ci.yaml

@@ -12,13 +12,13 @@ jobs:
           - task-generator/remote
           - task-generator/trusted-artifacts
     steps:
-      - uses: actions/checkout@6d193bf28034eafb982f37bd894289fe649468fc
+      - uses: actions/checkout@cbb722410c2e876e24abbe8de2cc27693e501dcb
       - uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed
         with:
           go-version-file: './${{matrix.path}}/go.mod'
           cache-dependency-path: ./${{matrix.path}}/go.sum
       - name: golangci-lint
-        uses: golangci/golangci-lint-action@ea0c88120e8fe1b09b2134dc97e879870b61b7ce
+        uses: golangci/golangci-lint-action@160a1d779cee256901ff3d68ef8ccc63ac8a04f8
         with:
           working-directory: ${{matrix.path}}
           args: "--timeout=10m --build-tags='normal periodic'"
@@ -31,7 +31,7 @@ jobs:
           - task-generator/remote
           - task-generator/trusted-artifacts
     steps:
-      - uses: actions/checkout@6d193bf28034eafb982f37bd894289fe649468fc
+      - uses: actions/checkout@cbb722410c2e876e24abbe8de2cc27693e501dcb
       - name: Install Go
         uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed
         with:
@@ -72,7 +72,7 @@ jobs:
           - task-generator/remote
           - task-generator/trusted-artifacts
     steps:
-      - uses: actions/checkout@6d193bf28034eafb982f37bd894289fe649468fc
+      - uses: actions/checkout@cbb722410c2e876e24abbe8de2cc27693e501dcb
       - uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed
         with:
           go-version-file: './${{matrix.path}}/go.mod'
@@ -84,7 +84,7 @@ jobs:
           # we let the report trigger content trigger a failure using the GitHub Security features.
           args: '-tags normal,periodic -no-fail -fmt sarif -out results.sarif ${{matrix.path}}/...'
       - name: Upload SARIF file
-        uses: github/codeql-action/upload-sarif@6e3a010dfe7e41114c548b680d885bbd55b2834e
+        uses: github/codeql-action/upload-sarif@a6c8729a5d7573eb8d440e52a9645ce4db61d97c
         with:
           # Path to SARIF file relative to the root of the repository
           sarif_file: results.sarif

.tekton/pull-request.yaml

@@ -312,6 +312,8 @@ spec:
                 oc delete --ignore-not-found deployment --all -n $(params.e2e_test_namespace)
                 oc delete --ignore-not-found eventlisteners --all -n $(params.e2e_test_namespace)
   # Added a timeout due to https://issues.redhat.com/browse/STONEBLD-2265
+  # If this timeout increases, the age of stale resources should be increased too.
+  # https://github.com/redhat-appstudio/infra-deployments/blob/main/components/tekton-ci/production/cleanup-cronjob.yaml
   timeouts:
     pipeline: "2h"
   workspaces:

.tekton/tasks/ec-checks.yaml

@@ -13,7 +13,7 @@ spec:
     This task can be used to run enterprise contract checks
   steps:
   - name: gather-tasks
-    image: quay.io/konflux-ci/appstudio-utils:ab6b0b8e40e440158e7288c73aff1cf83a2cc8a9@sha256:24179f0efd06c65d16868c2d7eb82573cce8e43533de6cea14fec3b7446e0b14
+    image: quay.io/konflux-ci/appstudio-utils:48c311af02858e2422d6229600e9959e496ddef1@sha256:91ddd999271f65d8ec8487b10f3dd378f81aa894e11b9af4d10639fd52bba7e8
     # per https://kubernetes.io/docs/concepts/containers/images/#imagepullpolicy-defaulting
     # the cluster will set imagePullPolicy to IfNotPresent
     workingDir: $(workspaces.source.path)/source

.tekton/tasks/task-lint.yaml

@@ -23,7 +23,7 @@ spec:
       default: ["--help"]
   steps:
     - name: ensure-params-not-in-script
-      image: quay.io/konflux-ci/appstudio-utils:ab6b0b8e40e440158e7288c73aff1cf83a2cc8a9@sha256:24179f0efd06c65d16868c2d7eb82573cce8e43533de6cea14fec3b7446e0b14
+      image: quay.io/konflux-ci/appstudio-utils:48c311af02858e2422d6229600e9959e496ddef1@sha256:91ddd999271f65d8ec8487b10f3dd378f81aa894e11b9af4d10639fd52bba7e8
       # per https://kubernetes.io/docs/concepts/containers/images/#imagepullpolicy-defaulting
       # the cluster will set imagePullPolicy to IfNotPresent
       script: |

appstudio-utils/Dockerfile

@@ -2,7 +2,7 @@ FROM registry.access.redhat.com/ubi9/ubi
 
 RUN curl -L https://github.com/jqlang/jq/releases/download/jq-1.7.1/jq-linux-amd64 -o /usr/bin/jq && chmod +x /usr/bin/jq
 RUN curl -L https://github.com/mikefarah/yq/releases/download/v4.25.1/yq_linux_amd64 -o /usr/bin/yq && chmod +x /usr/bin/yq
-RUN curl -L https://mirror.openshift.com/pub/openshift-v4/x86_64/clients/ocp/latest-4.9/openshift-client-linux.tar.gz | tar -xz -C /usr/bin/
+RUN curl -L https://mirror.openshift.com/pub/openshift-v4/x86_64/clients/ocp/latest-4.10/openshift-client-linux.tar.gz | tar -xz -C /usr/bin/
 RUN curl -L https://github.com/sigstore/cosign/releases/download/v2.4.1/cosign-linux-amd64 -o /usr/bin/cosign && chmod +x /usr/bin/cosign
 RUN curl -L https://github.com/tektoncd/cli/releases/download/v0.32.2/tkn_0.32.2_Linux_x86_64.tar.gz | tar -xz --no-same-owner -C /usr/bin/ tkn
 RUN curl -L https://github.com/sigstore/rekor/releases/download/v0.5.0/rekor-cli-linux-amd64 -o /usr/bin/rekor-cli && chmod +x /usr/bin/rekor-cli

policies/all-tasks.yaml

@@ -28,8 +28,3 @@ sources:
         - results
         - step_image_registries
         - trusted_artifacts
-      exclude:
-        # https://issues.redhat.com/browse/KFLUXBUGS-1111
-        - step_image_registries.step_images_permitted:generate-odcs-compose/noversion
-        # https://issues.redhat.com/browse/KFLUXBUGS-1110
-        - step_image_registries.step_images_permitted:verify-signed-rpms/noversion

renovate.json

@@ -67,6 +67,11 @@
       "schedule": ["on monday and wednesday"],
       "groupName": "shared"
     },
+    {
+      "groupName": "github-actions",
+      "matchManagers": ["github-actions"],
+      "schedule": ["on monday"]
+    },
     {
       "matchPackageNames": [
         "quay.io/konflux-ci/clamav-db"

stepactions/eaas-create-ephemeral-cluster-hypershift-aws/0.1/README.md

@@ -10,6 +10,7 @@ This StepAction provisions an ephemeral cluster using Hypershift with 3 worker n
 |instanceType|AWS EC2 instance type for worker nodes. Supported values: `m5.large`, `m5.xlarge`, `m5.2xlarge`, `m6g.large`, `m6g.xlarge`, `m6g.2xlarge`|m6g.large|false|
 |insecureSkipTLSVerify|Skip TLS verification when accessing the EaaS hub cluster. This should not be set to "true" in a production environment.|false|false|
 |timeout|How long to wait for cluster provisioning to complete.|30m|false|
+|imageContentSources|Alternate registry information containing a list of sources and their mirrors in yaml format. See: https://hypershift-docs.netlify.app/how-to/disconnected/image-content-sources|""|false|
 
 ## Results
 |name|description|

stepactions/eaas-create-ephemeral-cluster-hypershift-aws/0.1/eaas-create-ephemeral-cluster-hypershift-aws.yaml

@@ -6,7 +6,7 @@ spec:
   description: >-
     This StepAction provisions an ephemeral cluster using Hypershift with 3 worker nodes in AWS.
     It does so by creating a ClusterTemplateInstance in a space on an EaaS cluster.
-  image: registry.redhat.io/openshift4/ose-cli@sha256:15da03b04318bcc842060b71e9dd6d6c2595edb4e8fdd11b0c6781eeb03ca182
+  image: quay.io/konflux-ci/appstudio-utils:5d8df82bdad43c3a71c9eb1a525a25e946777dc4@sha256:0901c58b85d6a05f75782bd8dd64b849a5b7d44f9f36c78a6ee33161278c96a4
   params:
     - name: eaasSpaceSecretRef
       type: string
@@ -32,6 +32,12 @@ spec:
       type: string
       default: 30m
       description: How long to wait for cluster provisioning to complete.
+    - name: imageContentSources
+      type: string
+      default: ""
+      description: >-
+        Alternate registry information containing a list of sources and their mirrors in yaml format.
+        See: https://hypershift-docs.netlify.app/how-to/disconnected/image-content-sources
   results:
     - name: clusterName
       description: The name of the generated ClusterTemplateInstance resource.
@@ -51,40 +57,45 @@ spec:
       value: "$(params.insecureSkipTLSVerify)"
     - name: TIMEOUT
       value: "$(params.timeout)"
+    - name: IMAGE_CONTENT_SOURCES
+      value: "$(params.imageContentSources)"
   script: |
     #!/bin/bash
     set -eo pipefail
 
     cat <<EOF > cti.yaml
+    ---
     apiVersion: clustertemplate.openshift.io/v1alpha1
     kind: ClusterTemplateInstance
     metadata:
       generateName: cluster-
     spec:
       clusterTemplateRef: hypershift-aws-cluster
-      parameters:
-        - name: instanceType
-          value: $INSTANCE_TYPE
-        - name: version
-          value: $VERSION
-        - name: timeout
-          value: $TIMEOUT
+      parameters: []
     EOF
 
+    yq -i '.spec.parameters += {"name": "instanceType", "value": strenv(INSTANCE_TYPE)}' cti.yaml
+    yq -i '.spec.parameters += {"name": "version", "value": strenv(VERSION)}' cti.yaml
+    yq -i '.spec.parameters += {"name": "timeout", "value": strenv(TIMEOUT)}' cti.yaml
+    yq -i '.spec.parameters += {"name": "imageContentSources", "value": strenv(IMAGE_CONTENT_SOURCES)}' cti.yaml
+
+    echo "Creating the following resource:"
+    cat cti.yaml
+
     trap 'rm -f "$KUBECONFIG"' EXIT
     echo "$KUBECONFIG_VALUE" > $KUBECONFIG
 
-    OC=(oc --insecure-skip-tls-verify="$INSECURE_SKIP_TLS_VERIFY")
-    CTI_NAME=$("${OC[@]}" create -f cti.yaml -o=jsonpath='{.metadata.name}')
+    KUBECTL=(kubectl --insecure-skip-tls-verify="$INSECURE_SKIP_TLS_VERIFY")
+    CTI_NAME=$("${KUBECTL[@]}" create -f cti.yaml -o=jsonpath='{.metadata.name}')
     echo "Created ClusterTemplateInstance $CTI_NAME"
     echo -n $CTI_NAME > $(step.results.clusterName.path)
 
     echo "Waiting for ClusterTemplateInstance to be ready ($TIMEOUT timeout)"
-    if "${OC[@]}" wait cti "$CTI_NAME" --for=jsonpath='{.status.phase}'=Ready --timeout="$TIMEOUT"; then
+    if "${KUBECTL[@]}" wait cti "$CTI_NAME" --for=jsonpath='{.status.phase}'=Ready --timeout="$TIMEOUT"; then
       echo "Successfully provisioned $CTI_NAME"
       exit 0
     else
-      "${OC[@]}" get cti "$CTI_NAME" -o yaml
+      "${KUBECTL[@]}" get cti "$CTI_NAME" -o yaml
       echo "Failed to provision $CTI_NAME"
       exit 1
     fi

task-generator/remote/go.mod

@@ -5,7 +5,7 @@ go 1.22.0
 toolchain go1.23.2
 
 require (
-	github.com/tektoncd/pipeline v0.65.0
+	github.com/tektoncd/pipeline v0.65.2
 	k8s.io/api v0.31.0
 	k8s.io/apimachinery v0.31.0
 	k8s.io/cli-runtime v0.30.3

task-generator/remote/go.sum

@@ -320,8 +320,8 @@ github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o
 github.com/stretchr/testify v1.9.0 h1:HtqpIVDClZ4nwg75+f6Lvsy/wHu+3BoSGCbBAcpTsTg=
 github.com/stretchr/testify v1.9.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
 github.com/stvp/go-udp-testing v0.0.0-20201019212854-469649b16807/go.mod h1:7jxmlfBCDBXRzr0eAQJ48XC1hBu1np4CS5+cHEYfwpc=
-github.com/tektoncd/pipeline v0.65.0 h1:MIXXt/OeV/SLQ0KYXXBzPHBwXe2iIhgZcJBHkkgzaYY=
-github.com/tektoncd/pipeline v0.65.0/go.mod h1:V3cyfxxc7b3GLT2a13GX2mWA86qmxWhh4mOp4gfFQwQ=
+github.com/tektoncd/pipeline v0.65.2 h1:N63Xb9uiunewPVDTz4nGamJOtVg+Q38Cy4LRpvr+2e4=
+github.com/tektoncd/pipeline v0.65.2/go.mod h1:V3cyfxxc7b3GLT2a13GX2mWA86qmxWhh4mOp4gfFQwQ=
 github.com/x448/float16 v0.8.4 h1:qLwI1I70+NjRFUR3zs1JPUCgaCXSh3SW62uAKT1mSBM=
 github.com/x448/float16 v0.8.4/go.mod h1:14CWIYCyZA/cWjXOioeEpHeN/83MdbZDRQHoFcYsOfg=
 github.com/yuin/goldmark v1.1.25/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=

task-generator/trusted-artifacts/go.mod

@@ -5,7 +5,7 @@ go 1.22.7
 require (
 	github.com/google/go-cmp v0.6.0
 	github.com/google/go-containerregistry v0.20.2
-	github.com/tektoncd/pipeline v0.65.0
+	github.com/tektoncd/pipeline v0.65.2
 	github.com/zregvart/tkn-fmt v0.0.0-20240614122620-a2995427266c
 	k8s.io/api v0.30.1
 	mvdan.cc/sh/v3 v3.10.0

task-generator/trusted-artifacts/go.sum

@@ -347,8 +347,8 @@ github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o
 github.com/stretchr/testify v1.9.0 h1:HtqpIVDClZ4nwg75+f6Lvsy/wHu+3BoSGCbBAcpTsTg=
 github.com/stretchr/testify v1.9.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
 github.com/stvp/go-udp-testing v0.0.0-20201019212854-469649b16807/go.mod h1:7jxmlfBCDBXRzr0eAQJ48XC1hBu1np4CS5+cHEYfwpc=
-github.com/tektoncd/pipeline v0.65.0 h1:MIXXt/OeV/SLQ0KYXXBzPHBwXe2iIhgZcJBHkkgzaYY=
-github.com/tektoncd/pipeline v0.65.0/go.mod h1:V3cyfxxc7b3GLT2a13GX2mWA86qmxWhh4mOp4gfFQwQ=
+github.com/tektoncd/pipeline v0.65.2 h1:N63Xb9uiunewPVDTz4nGamJOtVg+Q38Cy4LRpvr+2e4=
+github.com/tektoncd/pipeline v0.65.2/go.mod h1:V3cyfxxc7b3GLT2a13GX2mWA86qmxWhh4mOp4gfFQwQ=
 github.com/urfave/cli v1.22.12/go.mod h1:sSBEIC79qR6OvcmsD4U3KABeOTxDqQtdDnaFuUN30b8=
 github.com/vbatts/tar-split v0.11.3 h1:hLFqsOLQ1SsppQNTMpkpPXClLDfC2A3Zgy9OUU+RVck=
 github.com/vbatts/tar-split v0.11.3/go.mod h1:9QlHN18E+fEH7RdG+QAJJcuya3rqT7eXSTY7wGrAokY=

task-generator/trusted-artifacts/golden/source-build/base.yaml

@@ -46,7 +46,7 @@ spec:
         mountPath: /var/source-build
   steps:
     - name: get-base-images
-      image: quay.io/konflux-ci/appstudio-utils:ab6b0b8e40e440158e7288c73aff1cf83a2cc8a9@sha256:24179f0efd06c65d16868c2d7eb82573cce8e43533de6cea14fec3b7446e0b14
+      image: quay.io/konflux-ci/appstudio-utils:48c311af02858e2422d6229600e9959e496ddef1@sha256:91ddd999271f65d8ec8487b10f3dd378f81aa894e11b9af4d10639fd52bba7e8
       env:
         - name: BASE_IMAGES
           value: "$(params.BASE_IMAGES)"

task-generator/trusted-artifacts/golden/source-build/ta.yaml

@@ -59,7 +59,7 @@ spec:
         - $(params.SOURCE_ARTIFACT)=/var/workdir/source
         - $(params.CACHI2_ARTIFACT)=/var/workdir/cachi2
     - name: get-base-images
-      image: quay.io/konflux-ci/appstudio-utils:ab6b0b8e40e440158e7288c73aff1cf83a2cc8a9@sha256:24179f0efd06c65d16868c2d7eb82573cce8e43533de6cea14fec3b7446e0b14
+      image: quay.io/konflux-ci/appstudio-utils:48c311af02858e2422d6229600e9959e496ddef1@sha256:91ddd999271f65d8ec8487b10f3dd378f81aa894e11b9af4d10639fd52bba7e8
       env:
         - name: BASE_IMAGES
           value: $(params.BASE_IMAGES)

task/acs-deploy-check/0.1/acs-deploy-check.yaml

@@ -57,7 +57,7 @@ spec:
         oc annotate taskrun $(context.taskRun.name) task.output.location=logs
 
     - name: rox-deploy-check
-      image: quay.io/konflux-ci/appstudio-utils:ab6b0b8e40e440158e7288c73aff1cf83a2cc8a9@sha256:24179f0efd06c65d16868c2d7eb82573cce8e43533de6cea14fec3b7446e0b14
+      image: quay.io/konflux-ci/appstudio-utils:48c311af02858e2422d6229600e9959e496ddef1@sha256:91ddd999271f65d8ec8487b10f3dd378f81aa894e11b9af4d10639fd52bba7e8
       volumeMounts:
         - name: repository
           mountPath: /workspace/repository

task/build-image-index/0.1/build-image-index.yaml

@@ -72,7 +72,7 @@ spec:
       - name: shared-dir
         mountPath: /index-build-data
   steps:
-  - image: quay.io/konflux-ci/buildah-task:latest@sha256:5cbd487022fb7ac476cbfdea25513b810f7e343ec48f89dc6a4e8c3c39fa37a2
+  - image: quay.io/konflux-ci/buildah-task:latest@sha256:b2d6c32d1e05e91920cd4475b2761d58bb7ee11ad5dff3ecb59831c7572b4d0c
     # per https://kubernetes.io/docs/concepts/containers/images/#imagepullpolicy-defaulting
     # the cluster will set imagePullPolicy to IfNotPresent
     name: build
@@ -163,7 +163,7 @@ spec:
         add:
           - SETFCAP
 
-  - image: quay.io/redhat-appstudio/sbom-utility-scripts-image@sha256:1a7db0fe9fd10addcd77d9fda9a490bd8a686e1f8fe92ca124b9891121edb9d6
+  - image: quay.io/redhat-appstudio/sbom-utility-scripts-image@sha256:ff25ba051a6d583e5b85e635d39f0e804e2ac65def51ba17b0d487a1c00ce9cd
     name: create-sbom
     computeResources:
       limits:
@@ -192,7 +192,7 @@ spec:
         --output-path /index-build-data/sbom-results.json
 
   - name: upload-sbom
-    image: quay.io/konflux-ci/appstudio-utils:ab6b0b8e40e440158e7288c73aff1cf83a2cc8a9@sha256:24179f0efd06c65d16868c2d7eb82573cce8e43533de6cea14fec3b7446e0b14
+    image: quay.io/konflux-ci/appstudio-utils:48c311af02858e2422d6229600e9959e496ddef1@sha256:91ddd999271f65d8ec8487b10f3dd378f81aa894e11b9af4d10639fd52bba7e8
     script: |
       #!/bin/bash
       set -e

task/build-vm-image/0.1/build-vm-image.yaml

@@ -65,7 +65,7 @@ spec:
         name: varlibcontainers
   steps:
     - name: use-trusted-artifact
-      image: quay.io/redhat-appstudio/build-trusted-artifacts:latest@sha256:e0e457b6af10e44ff6b90208a9e69adc863a865e1c062c4cb84bf3846037d74d
+      image: quay.io/redhat-appstudio/build-trusted-artifacts:latest@sha256:81c4864dae6bb11595f657be887e205262e70086a05ed16ada827fd6391926ac
       args:
         - use
         - $(params.SOURCE_ARTIFACT)=/var/workdir/source

task/buildah-oci-ta/0.1/buildah-oci-ta.yaml

@@ -215,13 +215,13 @@ spec:
         name: workdir
   steps:
     - name: use-trusted-artifact
-      image: quay.io/redhat-appstudio/build-trusted-artifacts:latest@sha256:e0e457b6af10e44ff6b90208a9e69adc863a865e1c062c4cb84bf3846037d74d
+      image: quay.io/redhat-appstudio/build-trusted-artifacts:latest@sha256:81c4864dae6bb11595f657be887e205262e70086a05ed16ada827fd6391926ac
       args:
         - use
         - $(params.SOURCE_ARTIFACT)=/var/workdir/source
         - $(params.CACHI2_ARTIFACT)=/var/workdir/cachi2
     - name: build
-      image: quay.io/konflux-ci/buildah-task:latest@sha256:5cbd487022fb7ac476cbfdea25513b810f7e343ec48f89dc6a4e8c3c39fa37a2
+      image: quay.io/konflux-ci/buildah-task:latest@sha256:b2d6c32d1e05e91920cd4475b2761d58bb7ee11ad5dff3ecb59831c7572b4d0c
       args:
         - $(params.BUILD_ARGS[*])
       workingDir: /var/workdir
@@ -456,7 +456,7 @@ spec:
       securityContext:
         runAsUser: 0
     - name: merge-syft-sboms
-      image: registry.access.redhat.com/ubi9/python-39:1-197.1729767844@sha256:e7f5b60728d8e71588272e28b88c2e8fe9e63609347fb379b8c1625df886e189
+      image: registry.access.redhat.com/ubi9/python-39:9.5-1731645406@sha256:84c028923cd3c8554c9b5c1423a553a4cb8f3ee88c17a3d87756c9b08f5e8fe7
       workingDir: /var/workdir
       script: |
         #!/bin/python3
@@ -490,7 +490,7 @@ spec:
       securityContext:
         runAsUser: 0
     - name: merge-cachi2-sbom
-      image: quay.io/redhat-appstudio/cachi2:0.13.0@sha256:eb34cfe3fea20997eebd8164dc93eedb2fd7a60dc1fb4afcc1b1ff43df9d6667
+      image: quay.io/redhat-appstudio/cachi2:0.14.0@sha256:3088e307f41894c0654b69bb199a4648ba31721d6173099cf6ca8ff259c0e457
       workingDir: /var/workdir
       script: |
         if [ -f "sbom-cachi2.json" ]; then
@@ -503,7 +503,7 @@ spec:
       securityContext:
         runAsUser: 0
     - name: create-purl-sbom
-      image: registry.access.redhat.com/ubi9/python-39:1-197.1729767844@sha256:e7f5b60728d8e71588272e28b88c2e8fe9e63609347fb379b8c1625df886e189
+      image: registry.access.redhat.com/ubi9/python-39:9.5-1731645406@sha256:84c028923cd3c8554c9b5c1423a553a4cb8f3ee88c17a3d87756c9b08f5e8fe7
       workingDir: /var/workdir
       script: |
         #!/bin/python3
@@ -530,7 +530,7 @@ spec:
       securityContext:
         runAsUser: 0
     - name: inject-sbom-and-push
-      image: quay.io/konflux-ci/buildah-task:latest@sha256:5cbd487022fb7ac476cbfdea25513b810f7e343ec48f89dc6a4e8c3c39fa37a2
+      image: quay.io/konflux-ci/buildah-task:latest@sha256:b2d6c32d1e05e91920cd4475b2761d58bb7ee11ad5dff3ecb59831c7572b4d0c
       workingDir: /var/workdir
       volumeMounts:
         - mountPath: /var/lib/containers