
chore(deps): update registry.access.redhat.com/ubi9/go-toolset docker tag to v9#241

Open
red-hat-konflux-kflux-prd-rh02[bot] wants to merge 1 commit into
mainfrom
konflux/mintmaker/main/major-docker-image-updates

Conversation

@red-hat-konflux-kflux-prd-rh02

Contributor

This PR contains the following updates:

Package | Type | Update | Change
registry.access.redhat.com/ubi9/go-toolset | stage | major | 1.26.3-1781757851 → 9.8-1781757851

Warning

Some dependencies could not be looked up. Check the warning logs for more information.


Configuration

📅 Schedule: Branch creation - "on monday" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

To execute skipped test pipelines write comment /ok-to-test.


Documentation

Find out how to configure dependency updates in MintMaker documentation or see all available configuration options in Renovate documentation.

… tag to v9

Signed-off-by: red-hat-konflux-kflux-prd-rh02 <190377777+red-hat-konflux-kflux-prd-rh02[bot]@users.noreply.github.com>
@openshift-ci openshift-ci Bot requested review from rafabene and vkareh June 22, 2026 16:07
@openshift-ci

openshift-ci Bot commented Jun 22, 2026


[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign ciaranroche for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci

openshift-ci Bot commented Jun 22, 2026


Hi @red-hat-konflux-kflux-prd-rh02[bot]. Thanks for your PR.

I'm waiting for an openshift-hyperfleet member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work.

Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@coderabbitai

coderabbitai Bot commented Jun 22, 2026

📝 Walkthrough

Summary by CodeRabbit

  • Chores
    • Updated build infrastructure base image to improve compatibility and support.

Walkthrough

The Dockerfile builder stage base image is updated from registry.access.redhat.com/ubi9/go-toolset:1.26.3-... to registry.access.redhat.com/ubi9/go-toolset:9.8-.... No other instructions, build arguments, copy steps, or runtime stage references are modified.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~5 minutes


Supply chain surface — CWE-829 (Inclusion of Functionality from Untrusted Control Sphere).

The tag 9.8-... follows the UBI9 minor-release versioning scheme, while 1.26.3-... appeared to encode a Go toolchain version. Confirm:

  1. Tag resolution is pinned. A floating or mutable tag (9.8 without a full digest suffix) allows the upstream registry to silently swap image content — classic image-tag hijack vector. Verify whether the full tag in the Dockerfile includes an immutable digest (@sha256:...). If not, this is a supply chain risk regardless of registry trust.

  2. Go toolchain version. The previous tag encoded Go 1.26.3. The new tag 9.8 encodes a UBI9 release, not a Go version. Confirm the actual Go version bundled in go-toolset:9.8-... meets the project's minimum Go version requirement. A downgrade in compiler version can reintroduce known CVEs fixed in later Go releases (e.g., CVEs in net/http, crypto/tls).

  3. RHSA coverage. Red Hat ubi9/go-toolset images receive errata. Confirm the specific build tag pulled here has no open critical/important RHSAs before merging.

🚥 Pre-merge checks | ✅ 11
✅ Passed checks (11 passed)
Check name Status Explanation
Title check ✅ Passed Title accurately describes the main change: updating a Docker image tag to a new major version in a Dockerfile.
Description check ✅ Passed Description details the specific dependency update with package name, type, and version change (1.26.3-1781757851 → 9.8-1781757851).
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
Sec-02: Secrets In Log Output ✅ Passed This PR updates only a Docker image tag in Dockerfile (1.26.3→9.8), introducing no new Go code with logging statements. No secrets/tokens/passwords appear in log output.
No Hardcoded Secrets ✅ Passed Dockerfile contains no hardcoded secrets: all ARG values are placeholders/empty strings/image refs; ENV variables are standard build paths; image tag numeric component is documented metadata, not a...
No Weak Cryptography ✅ Passed No weak cryptographic primitives (MD5, DES, RC4, SHA1 for security, ECB) or improper secret comparisons found in codebase. PR only updates Docker image tag; no crypto code changes.
No Injection Vectors ✅ Passed PR changes only Dockerfile base image tag from 1.26.3-1781757851 to 9.8-1781757851. No injection vectors (CWE-78, CWE-89, CWE-79, CWE-502) detected in code.
No Privileged Containers ✅ Passed Dockerfile and Kubernetes manifests contain no privileged container configurations (no privileged: true, hostPID, hostNetwork, hostIPC, SYS_ADMIN, or allowPrivilegeEscalation: true). Builder stage...
No Pii Or Sensitive Data In Logs ✅ Passed PR only updates Dockerfile base image tag (1.26.3→9.8); introduces no new logging statements. Existing codebase uses MaskingMiddleware to redact PII.

✏️ Tip: You can configure your own custom pre-merge checks in the settings.

✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch konflux/mintmaker/main/major-docker-image-updates
✨ Simplify code
  • Create PR with simplified code
  • Commit simplified code in branch konflux/mintmaker/main/major-docker-image-updates

Comment @coderabbitai help to get the list of available commands and usage tips.

@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@Dockerfile`:
- Line 3: Update the FROM statement in the builder stage to comply with
HyperFleet container hardening standards by replacing the tag :9.8-1781757851
with :1.25 (to match the Go 1.25.0 version declared in go.mod) and append a
digest pin using `@sha256`:<digest> format. The corrected image reference should
be registry.access.redhat.com/ubi9/go-toolset:1.25@sha256:<digest> where
<digest> is the actual SHA256 hash of the image. This ensures reproducible
builds and prevents supply chain drift from mutable tags.
- Line 3: The FROM instruction in the builder stage is using an incorrect tag
that violates the HyperFleet architecture standard and creates a Go version
mismatch. The current tag `9.8-1781757851` denotes the RHEL 9.8 release and
provides Go 1.26.2, but go.mod declares `go 1.25.0` and the architecture
standard (container-image-standard.md) mandates `ubi9/go-toolset:1.25`. Replace
the tag in the builder stage FROM statement from `9.8-1781757851` to `1.25` to
align with both the go.mod requirement and the HyperFleet architecture standard.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Central YAML (base), Organization UI (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: dcbc2e14-ac5a-42e3-8b4d-1171a311a9d3

📥 Commits

Reviewing files that changed from the base of the PR and between b429415 and fd61df0.

📒 Files selected for processing (1)
  • Dockerfile
🔗 Linked repositories identified

CodeRabbit considers these linked repositories for cross-repo context during reviews:

  • openshift-hyperfleet/architecture (manual)
  • openshift-hyperfleet/hyperfleet-api (manual)
  • openshift-hyperfleet/hyperfleet-sentinel (manual)
  • openshift-hyperfleet/hyperfleet-adapter (manual)
  • openshift-hyperfleet/hyperfleet-broker (manual)

Comment thread Dockerfile
ARG BASE_IMAGE=registry.access.redhat.com/ubi9-micro:latest

FROM registry.access.redhat.com/ubi9/go-toolset:1.26.3-1781757851 AS builder
FROM registry.access.redhat.com/ubi9/go-toolset:9.8-1781757851 AS builder
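Review bot: the replacement FROM line is still a tag-only reference (:9.8-1781757851) with no @sha256 digest, so the registry can change what that tag resolves to without any change in this repository; suggest pinning the builder image as `registry.access.redhat.com/ubi9/go-toolset:<tag>@sha256:<digest>` with the digest of the image actually tested. The new tag also names a UBI 9.8 release rather than the Go version the old tag (1.26.3-...) encoded, so the Go toolchain the build now gets should be confirmed against the go 1.25.0 directive in go.mod before merging.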


⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Check Dockerfile line 3 and related files
echo "=== Dockerfile content (first 10 lines) ===" 
head -10 Dockerfile

echo -e "\n=== Check go.mod for Go version ===" 
head -5 go.mod | grep -E "^go "

echo -e "\n=== Check if there are digest hashes in git history ===" 
git log --oneline -n 5 -- Dockerfile || echo "Git history unavailable"

Repository: openshift-hyperfleet/hyperfleet-api

Length of output: 626


🏁 Script executed:

#!/bin/bash
# Check container image standard documentation
echo "=== Container image standard (relevant sections) ===" 
if [ -f "hyperfleet/standards/container-image-standard.md" ]; then
  cat -n hyperfleet/standards/container-image-standard.md | grep -A 5 -B 5 "ubi9/go-toolset"
else
  echo "File not found, searching for it..."
  find . -name "*container-image*" -type f 2>/dev/null | head -5
fi

Repository: openshift-hyperfleet/architecture

Length of output: 2527


🏁 Script executed:

#!/bin/bash
# Verify sentinel's Dockerfile tag format
echo "=== Sentinel Dockerfile line 3 ===" 
head -5 Dockerfile | tail -3
echo -e "\n=== Sentinel go.mod Go version ===" 
head -5 go.mod | grep "^go "

Repository: openshift-hyperfleet/hyperfleet-sentinel

Length of output: 263


🏁 Script executed:

#!/bin/bash
# Verify adapter's Dockerfile (since linked context mentions changes there)
echo "=== Adapter Dockerfile line 3 ===" 
head -5 Dockerfile | tail -3
echo -e "\n=== Adapter integration test Dockerfile ===" 
if [ -f "test/Dockerfile.integration" ]; then
  head -10 test/Dockerfile.integration | tail -5
fi
echo -e "\n=== Adapter go.mod Go version ===" 
head -5 go.mod | grep "^go "

Repository: openshift-hyperfleet/hyperfleet-adapter

Length of output: 424


Pin the builder image by digest and use the correct Go toolset version per HyperFleet standards.

Line 3 violates two container hardening requirements:

  1. Digest pinning (CWE-494): Tag-only references allow mutable-tag supply-chain drift. Pin this FROM to @sha256:<digest> to preserve build reproducibility and provenance.

  2. Go toolset version mismatch: The tag :9.8-1781757851 uses a UBI base version number instead of the Go compiler version. HyperFleet container image standards (architecture repo, lines 45–49, 86, 269) mandate ubi9/go-toolset:1.25 for all Go services. Your go.mod declares go 1.25.0, but :9.8 appears to be a UBI base image release that may bundle a different Go compiler version. This tag format violates the documented standard and creates toolchain version uncertainty. Revert to :1.25 with digest pinning: FROM registry.access.redhat.com/ubi9/go-toolset:1.25@sha256:<digest>.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@Dockerfile` at line 3, Update the FROM statement in the builder stage to
comply with HyperFleet container hardening standards by replacing the tag
:9.8-1781757851 with :1.25 (to match the Go 1.25.0 version declared in go.mod)
and append a digest pin using `@sha256`:<digest> format. The corrected image
reference should be
registry.access.redhat.com/ubi9/go-toolset:1.25@sha256:<digest> where <digest>
is the actual SHA256 hash of the image. This ensures reproducible builds and
prevents supply chain drift from mutable tags.

Source: Coding guidelines


⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Read-only verification: compare Go module versions vs go-toolset tags used in Dockerfiles.
# Expected: explicit, consistent Go version contract across go.mod and Dockerfiles.

set -euo pipefail

echo "== go.mod declared Go versions =="
fd -a '^go\.mod$' | xargs -r rg -nP '^\s*go\s+[0-9]+\.[0-9]+(\.[0-9]+)?\s*$'

echo
echo "== Dockerfiles using ubi9/go-toolset tags =="
fd -a -i 'Dockerfile*' | xargs -r rg -nP '^\s*FROM\s+registry\.access\.redhat\.com/ubi9/go-toolset:[^ @]+' -n

echo
echo "== Integration Dockerfiles (if present) =="
fd -a -i 'Dockerfile.integration' | xargs -r rg -nP '^\s*FROM\s+registry\.access\.redhat\.com/ubi9/go-toolset:[^ @]+'

Repository: openshift-hyperfleet/hyperfleet-api

Length of output: 291


🏁 Script executed:

#!/bin/bash
# Verify what the architecture standards say about base images
find . -name "*container*image*standard*" -o -name "*standard*" | head -20

Repository: openshift-hyperfleet/architecture

Length of output: 268


🏁 Script executed:

#!/bin/bash
# Check what hyperfleet-sentinel currently uses
fd -i 'Dockerfile' | xargs -r cat -n

Repository: openshift-hyperfleet/hyperfleet-sentinel

Length of output: 2632


🏁 Script executed:

#!/bin/bash
# Check what hyperfleet-adapter currently uses
fd -i 'Dockerfile' | xargs -r cat -n

Repository: openshift-hyperfleet/hyperfleet-adapter

Length of output: 5008


🌐 Web query:

Red Hat UBI 9 go-toolset 9.8 Go compiler version

💡 Result:

The Red Hat Universal Base Image (UBI) 9 Go Toolset is provided as a rolling Application Stream, meaning it is regularly updated to the latest supported Go version [1][2][3]. As of June 2026, official Red Hat documentation indicates that the current Go Toolset available for RHEL/UBI 9 has been updated to Go 1.26.2 [4]. While you referenced "go-toolset 9.8," this designation refers to the RHEL/UBI minor release (RHEL 9.8) [5] and not the Go compiler version. Red Hat provides the Go Toolset for RHEL 9 as a package simply named go-toolset, which tracks the latest upstream release [1][3]. You can install it on UBI 9 using the following command [4]: dnf install go-toolset Because the Go Toolset is a rolling stream, users are encouraged to check the latest version of their specific container image by running go version within the container after installation [4][1].

Citations:


🏁 Script executed:

#!/bin/bash
cat -n ./hyperfleet/standards/container-image-standard.md | head -150

Repository: openshift-hyperfleet/architecture

Length of output: 6338


Violates HyperFleet architecture standard; Go version mismatch creates build inconsistency.

The 9.8-1781757851 tag violates the architecture standard (line 45-49, container-image-standard.md) which mandates ubi9/go-toolset:1.25. The 9.8 suffix denotes the RHEL 9.8 release, not a Go compiler version; this image provides Go 1.26.2 (rolling stream as of June 2026), but your go.mod declares go 1.25.0. This creates a silent mismatch (CWE-1104): the build uses an incompatible Go version without explicit pinning.

Additionally, your integration test Dockerfile still references 1.25 while the main build now uses 9.8-*, and hyperfleet-sentinel uses 1.26.3-*—three different Go versions across the adapter and sentinel repos, all with go.mod requiring 1.25.0.

Align to the standard: use ubi9/go-toolset:1.25 instead.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@Dockerfile` at line 3, The FROM instruction in the builder stage is using an
incorrect tag that violates the HyperFleet architecture standard and creates a
Go version mismatch. The current tag `9.8-1781757851` denotes the RHEL 9.8
release and provides Go 1.26.2, but go.mod declares `go 1.25.0` and the
architecture standard (container-image-standard.md) mandates
`ubi9/go-toolset:1.25`. Replace the tag in the builder stage FROM statement from
`9.8-1781757851` to `1.25` to align with both the go.mod requirement and the
HyperFleet architecture standard.

Sources: Coding guidelines, Linked repositories
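The two points raised in the review comments above (digest pinning of the builder image, and a go-toolset tag that does not encode the Go version go.mod declares) as a small policy check, added here as an example and not code from the project or from CodeRabbit. It runs over a constructed Dockerfile and go.mod that mirror this PR; the module path and the 64-hex digest in the test are placeholders.

```go
package main

import (
	"regexp"
	"strings"
)

// Constructed sample (not the project's real files): this PR's builder FROM line plus a go.mod go directive.
const sampleDockerfile = `ARG BASE_IMAGE=registry.access.redhat.com/ubi9-micro:latest

FROM registry.access.redhat.com/ubi9/go-toolset:9.8-1781757851 AS builder
FROM ${BASE_IMAGE}
`
const sampleGoMod = "module example.com/hyperfleet-api\n\ngo 1.25.0\n"

// Finding is one policy violation on a Dockerfile FROM line.
type Finding struct{ Line int; Image, Reason string }

var fromRe = regexp.MustCompile(`^\s*FROM\s+(\S+)`)
var goDirRe = regexp.MustCompile(`(?m)^go\s+(\d+\.\d+)`)
var digestRe = regexp.MustCompile(`@sha256:[0-9a-f]{64}$`)

// goMajorMinor extracts "1.25" from a go.mod "go 1.25.0" directive ("" if absent).
func goMajorMinor(gomod string) string {
	if m := goDirRe.FindStringSubmatch(gomod); m != nil {
		return m[1]
	}
	return ""
}

// tagMatchesGo: "1.25" or "1.25-12345" encodes go.mod Go 1.25; a UBI tag like "9.8-..." does not.
func tagMatchesGo(tag, want string) bool {
	rest := strings.TrimPrefix(tag, want)
	return want != "" && rest != tag && (rest == "" || rest[0] == '.' || rest[0] == '-')
}

// checkDockerfile flags each ubi9/go-toolset FROM line lacking an immutable @sha256 digest or whose tag does not encode the go.mod Go version.
func checkDockerfile(dockerfile, gomod string) []Finding {
	want := goMajorMinor(gomod)
	var out []Finding
	for i, line := range strings.Split(dockerfile, "\n") {
		m := fromRe.FindStringSubmatch(line)
		if m == nil || !strings.Contains(m[1], "/ubi9/go-toolset:") {
			continue // not a FROM, or not the builder toolset image
		}
		if !digestRe.MatchString(m[1]) {
			out = append(out, Finding{i + 1, m[1], "no @sha256 digest pin: tag is mutable"})
		}
		name := strings.SplitN(m[1], "@", 2)[0] // drop any digest before reading the tag
		if tag := name[strings.LastIndex(name, ":")+1:]; !tagMatchesGo(tag, want) {
			out = append(out, Finding{i + 1, m[1], "tag " + tag + " does not encode go.mod Go " + want})
		}
	}
	return out
}
```

Run against the sample it reports both problems on line 3, and a reference of the form go-toolset:1.25@sha256:<digest> passes cleanly.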
