2 changes: 1 addition & 1 deletion Dockerfile
@@ -1,6 +1,6 @@
ARG BASE_IMAGE=registry.access.redhat.com/ubi9-micro:latest

FROM registry.access.redhat.com/ubi9/go-toolset:1.26.3-1781757851 AS builder
FROM registry.access.redhat.com/ubi9/go-toolset:9.8-1781757851 AS builder

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Check Dockerfile line 3 and related files
echo "=== Dockerfile content (first 10 lines) ===" 
head -10 Dockerfile

echo -e "\n=== Check go.mod for Go version ===" 
head -5 go.mod | grep -E "^go "

echo -e "\n=== Check if there are digest hashes in git history ===" 
git log --oneline -n 5 -- Dockerfile || echo "Git history unavailable"

Repository: openshift-hyperfleet/hyperfleet-api

Length of output: 626


🏁 Script executed:

#!/bin/bash
# Check container image standard documentation
echo "=== Container image standard (relevant sections) ===" 
if [ -f "hyperfleet/standards/container-image-standard.md" ]; then
  cat -n hyperfleet/standards/container-image-standard.md | grep -A 5 -B 5 "ubi9/go-toolset"
else
  echo "File not found, searching for it..."
  find . -name "*container-image*" -type f 2>/dev/null | head -5
fi

Repository: openshift-hyperfleet/architecture

Length of output: 2527


🏁 Script executed:

#!/bin/bash
# Verify sentinel's Dockerfile tag format
echo "=== Sentinel Dockerfile line 3 ===" 
head -5 Dockerfile | tail -3
echo -e "\n=== Sentinel go.mod Go version ===" 
head -5 go.mod | grep "^go "

Repository: openshift-hyperfleet/hyperfleet-sentinel

Length of output: 263


🏁 Script executed:

#!/bin/bash
# Verify adapter's Dockerfile (since linked context mentions changes there)
echo "=== Adapter Dockerfile line 3 ===" 
head -5 Dockerfile | tail -3
echo -e "\n=== Adapter integration test Dockerfile ===" 
if [ -f "test/Dockerfile.integration" ]; then
  head -10 test/Dockerfile.integration | tail -5
fi
echo -e "\n=== Adapter go.mod Go version ===" 
head -5 go.mod | grep "^go "

Repository: openshift-hyperfleet/hyperfleet-adapter

Length of output: 424


Pin the builder image by digest and use the correct Go toolset version per HyperFleet standards.

Line 3 violates two container hardening requirements:

  1. Digest pinning (CWE-494): Tag-only references allow mutable-tag supply-chain drift. Pin this FROM to @sha256:<digest> to preserve build reproducibility and provenance.

  2. Go toolset version mismatch: The tag :9.8-1781757851 uses a UBI base version number instead of the Go compiler version. HyperFleet container image standards (architecture repo, lines 45–49, 86, 269) mandate ubi9/go-toolset:1.25 for all Go services. Your go.mod declares go 1.25.0, but :9.8 appears to be a UBI base image release that may bundle a different Go compiler version. This tag format violates the documented standard and creates toolchain version uncertainty. Revert to :1.25 with digest pinning: FROM registry.access.redhat.com/ubi9/go-toolset:1.25@sha256:<digest>.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@Dockerfile` at line 3, update the FROM statement in the builder stage to
comply with HyperFleet container hardening standards by replacing the tag
:9.8-1781757851 with :1.25 (to match the Go 1.25.0 version declared in go.mod)
and append a digest pin using the `@sha256:<digest>` format. The corrected image
reference should be
registry.access.redhat.com/ubi9/go-toolset:1.25@sha256:<digest> where <digest>
is the actual SHA256 hash of the image. This ensures reproducible builds and
prevents supply chain drift from mutable tags.

Source: Coding guidelines


⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Read-only verification: compare Go module versions vs go-toolset tags used in Dockerfiles.
# Expected: explicit, consistent Go version contract across go.mod and Dockerfiles.

set -euo pipefail

echo "== go.mod declared Go versions =="
fd -a '^go\.mod$' | xargs -r rg -nP '^\s*go\s+[0-9]+\.[0-9]+(\.[0-9]+)?\s*$'

echo
echo "== Dockerfiles using ubi9/go-toolset tags =="
fd -a -i 'Dockerfile*' | xargs -r rg -nP '^\s*FROM\s+registry\.access\.redhat\.com/ubi9/go-toolset:[^ @]+'

echo
echo "== Integration Dockerfiles (if present) =="
fd -a -i 'Dockerfile.integration' | xargs -r rg -nP '^\s*FROM\s+registry\.access\.redhat\.com/ubi9/go-toolset:[^ @]+'

Repository: openshift-hyperfleet/hyperfleet-api

Length of output: 291


🏁 Script executed:

#!/bin/bash
# Verify what the architecture standards say about base images
find . -name "*container*image*standard*" -o -name "*standard*" | head -20

Repository: openshift-hyperfleet/architecture

Length of output: 268


🏁 Script executed:

#!/bin/bash
# Check what hyperfleet-sentinel currently uses
fd -i 'Dockerfile' | xargs -r cat -n

Repository: openshift-hyperfleet/hyperfleet-sentinel

Length of output: 2632


🏁 Script executed:

#!/bin/bash
# Check what hyperfleet-adapter currently uses
fd -i 'Dockerfile' | xargs -r cat -n

Repository: openshift-hyperfleet/hyperfleet-adapter

Length of output: 5008


🌐 Web query:

Red Hat UBI 9 go-toolset 9.8 Go compiler version

💡 Result:

The Red Hat Universal Base Image (UBI) 9 Go Toolset is provided as a rolling Application Stream, meaning it is regularly updated to the latest supported Go version [1][2][3]. As of June 2026, official Red Hat documentation indicates that the current Go Toolset available for RHEL/UBI 9 has been updated to Go 1.26.2 [4]. While you referenced "go-toolset 9.8," this designation refers to the RHEL/UBI minor release (RHEL 9.8) [5] and not the Go compiler version. Red Hat provides the Go Toolset for RHEL 9 as a package simply named go-toolset, which tracks the latest upstream release [1][3]. You can install it on UBI 9 using the following command [4]: dnf install go-toolset Because the Go Toolset is a rolling stream, users are encouraged to check the latest version of their specific container image by running go version within the container after installation [4][1].

Citations:


🏁 Script executed:

#!/bin/bash
cat -n ./hyperfleet/standards/container-image-standard.md | head -150

Repository: openshift-hyperfleet/architecture

Length of output: 6338


Violates HyperFleet architecture standard; Go version mismatch creates build inconsistency.

The 9.8-1781757851 tag violates the architecture standard (lines 45–49, container-image-standard.md) which mandates ubi9/go-toolset:1.25. The 9.8 suffix denotes the RHEL 9.8 release, not a Go compiler version; this image provides Go 1.26.2 (rolling stream as of June 2026), but your go.mod declares go 1.25.0. This creates a silent mismatch (CWE-1104): the build uses an incompatible Go version without explicit pinning.

Additionally, your integration test Dockerfile still references 1.25 while the main build now uses 9.8-*, and hyperfleet-sentinel uses 1.26.3-*—three different Go versions across the adapter and sentinel repos, all with go.mod requiring 1.25.0.

Align to the standard: use ubi9/go-toolset:1.25 instead.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@Dockerfile` at line 3, the FROM instruction in the builder stage is using an
incorrect tag that violates the HyperFleet architecture standard and creates a
Go version mismatch. The current tag `9.8-1781757851` denotes the RHEL 9.8
release and provides Go 1.26.2, but go.mod declares `go 1.25.0` and the
architecture standard (container-image-standard.md) mandates
`ubi9/go-toolset:1.25`. Replace the tag in the builder stage FROM statement from
`9.8-1781757851` to `1.25` to align with both the go.mod requirement and the
HyperFleet architecture standard.

Sources: Coding guidelines, Linked repositories
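An added check that applies both review findings above (digest pinning and the go.mod/go-toolset version contract) to a Dockerfile offline; this is example code, not code from the PR or from the HyperFleet repositories. The function name hyperfleet_lint_go_toolset, the sample go.mod and Dockerfiles, and the all-zero digest are constructed placeholders.

```shell
#!/bin/bash
# Added example, not code from the PR or the HyperFleet repositories.
# Lints the go-toolset builder reference(s) in a Dockerfile against go.mod:
#   UNPINNED          - reference carries no @sha256 digest (mutable tag, CWE-494)
#   VERSION-MISMATCH  - tag prefix (e.g. 9.8 of 9.8-1781757851) is not go.mod's major.minor
# Returns the number of findings (0 = clean). Function name is hypothetical.

hyperfleet_lint_go_toolset() {   # $1 = Dockerfile, $2 = go.mod
  dockerfile=$1 gomod=$2 findings=0
  # major.minor from the go directive, e.g. "go 1.25.0" -> 1.25
  want=$(sed -nE 's/^go[[:space:]]+([0-9]+\.[0-9]+).*/\1/p' "$gomod" | head -n 1)
  # image reference of every go-toolset FROM line, skipping flags such as --platform
  refs=$(awk '/^[[:space:]]*FROM[[:space:]]/ && /ubi9\/go-toolset:/ {
           for (i = 2; i <= NF; i++) if ($i !~ /^--/) { print $i; break } }' "$dockerfile")
  for ref in $refs; do
    tag=${ref#*go-toolset:}
    case $ref in
      *@sha256:*) tag=${tag%%@*} ;;
      *) echo "UNPINNED: $ref has no @sha256 digest"; findings=$((findings + 1)) ;;
    esac
    ver=${tag%%-*}        # drop the build suffix after the first dash
    if [ "$ver" != "$want" ]; then
      echo "VERSION-MISMATCH: tag $tag vs go.mod go $want"
      findings=$((findings + 1))
    fi
  done
  return "$findings"
}

# Constructed sample inputs: the PR's FROM line beside a compliant one with a placeholder digest.
demo_dir=$(mktemp -d)
printf 'module example.com/constructed/service\n\ngo 1.25.0\n' > "$demo_dir/go.mod"
cat > "$demo_dir/Dockerfile.pr" <<'EOF'
ARG BASE_IMAGE=registry.access.redhat.com/ubi9-micro:latest

FROM registry.access.redhat.com/ubi9/go-toolset:9.8-1781757851 AS builder
EOF
# the all-zero digest below is a placeholder, not a real image digest
cat > "$demo_dir/Dockerfile.fixed" <<'EOF'
FROM registry.access.redhat.com/ubi9/go-toolset:1.25@sha256:0000000000000000000000000000000000000000000000000000000000000000 AS builder
EOF

report() { rc=0; hyperfleet_lint_go_toolset "$1" "$2" || rc=$?; echo "findings: $rc"; }
report "$demo_dir/Dockerfile.pr" "$demo_dir/go.mod"      # two findings, then "findings: 2"
report "$demo_dir/Dockerfile.fixed" "$demo_dir/go.mod"   # "findings: 0"
```

In a real pipeline the placeholder digest would come from the registry (for example via skopeo inspect or a pull-by-tag followed by docker inspect) before being written into the FROM line.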


ARG GIT_SHA=unknown
ARG GIT_DIRTY=""
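Review bot: the new builder tag `9.8-1781757851` drops the explicit Go version that `1.26.3-1781757851` carried in favour of a UBI/RHEL release number, so the Dockerfile no longer states which Go compiler builds the service; since both tags share the same build suffix `1781757851` they may well resolve to the same image, which is worth confirming by comparing digests before settling on a version label. Whichever tag is kept, pin the reference by digest (`FROM registry.access.redhat.com/ubi9/go-toolset:<tag>@sha256:<digest> AS builder`) so the toolchain cannot drift under a mutable tag, and consider the same for the `BASE_IMAGE` default in this hunk, which still points at `ubi9-micro:latest`.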