feat: Add cosign signature verification for Tekton Bundles by bennyz · Pull Request #279 · centos-automotive-suite/automotive-dev-operator

bennyz · 2026-05-10T16:54:06Z

Summary

Related Issues

Type of Change

Testing

Unit tests pass (make test)
Linter passes (make lint)
Manifests are up to date (make manifests generate)
Tested on OpenShift cluster (if applicable)

Summary by CodeRabbit

New Features
- Added task bundle signature verification for secure builds using cosign public keys.
- Introduced caib image inspect command to display build provenance and reproducibility details.
- Added CLI flags: --reproducible, --task-bundle-ref, and --restore-sources for enhanced build reproducibility.
Chores
- Upgraded Go toolchain to 1.25 and updated dependencies.

Signed-off-by: Benny Zlotnik <bzlotnik@redhat.com> Assisted-by: claude-opus-4.6

coderabbitai · 2026-05-10T16:54:21Z

Warning

Rate limit exceeded

@bennyz has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 30 minutes and 4 seconds before requesting another review.

You’ve run out of usage credits. Purchase more in the billing tab.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: bbb7eb6f-5ab6-40d8-96ed-baa641644ad6

📥 Commits

Reviewing files that changed from the base of the PR and between 7bb2e4a and 1e9f5ff.

⛔ Files ignored due to path filters (1)

go.sum is excluded by !**/*.sum, !**go.sum

📒 Files selected for processing (2)

go.mod
internal/controller/imagebuild/controller.go

📝 Walkthrough

Walkthrough

This PR adds optional cosign-based signature verification for Tekton task bundles during secure builds. It extends the OperatorConfig API schema with verification toggles, implements a bundle verification library, wires verification into the build API and controller, improves registry credential discovery, adds comprehensive tests and documentation, and updates all tooling to Go 1.25.

Changes

Bundle Verification Feature

Layer / File(s)	Summary
API Schema & Types `api/v1alpha1/operatorconfig_types.go`, `api/v1alpha1/zz_generated.deepcopy.go`	Adds `OSBuildsConfig.TaskBundleVerify` (bool) and `TaskBundleCosignKeyRef` (*corev1.ConfigMapKeySelector) with XValidation rule requiring the key reference when verification is enabled; updates DeepCopyInto for safe pointer handling.
Bundle Verification Library `internal/common/bundleverify/verify.go`	New `VerifyBundle(ctx, bundleRef, cosignPubKeyPEM, registryOpts...)` function unmarshals PEM public key, loads cosign verifier, parses OCI bundle reference, configures cosign check options to ignore Tlog/SCT, and calls cosign.VerifyImageSignatures.
Build API Verification Wiring `internal/buildapi/server.go`	`resolveTaskBundleRef` now loads OperatorConfig, enforces digest-pinned refs, and calls new `verifyTaskBundle` helper; `verifyTaskBundle` reads cosign key PEM from referenced ConfigMap and returns HTTP 400/403/500 for config/verification/read failures; removed prior `validateSecureBuild` helper.
Registry Credential Discovery `cmd/caib/registryauth/loader.go`, `cmd/caib/inspectcmd/inspect.go`	Exports `FileCandidates()` returning priority-ordered candidate `auth.json` paths; updates `LoadAuthFileForRegistry` and referrer discovery to probe candidates via `credentials.NewFileStore` when inline DockerAuthConfig is absent.
Controller Bundle Verification `internal/controller/imagebuild/controller.go`	Extends secure build task handling to conditionally verify task bundle signature by fetching cosign key from referenced ConfigMap and calling `bundleverify.VerifyBundle` with digest-pinned ref; verification errors surface as secure build failures.
Build API Tests `internal/buildapi/bundle_verify_test.go`	Ginkgo tests for `verifyTaskBundle` and `resolveTaskBundleRef` including fake client helper, cases for missing config/key, digest-pinning validation, OperatorConfig load errors, and fail-closed behavior with deadline exceeded.
BundleVerify Unit Tests `internal/common/bundleverify/verify_test.go`	Unit tests validating `VerifyBundle` error behavior for invalid PEM key and malformed bundle reference inputs.
CLI Documentation `cmd/caib/README.md`	Updates `caib image build/disk/build-dev` flag docs with `--secure`, `--reproducible`, `--task-bundle-ref`, and `--restore-sources`; adds new `caib image inspect` command section for reading provenance/OCI referrers; documents Secure & Reproducible Builds and end-to-end rebuild workflow.
Go Dependencies `go.mod`	Updates to Go 1.25.0, adds direct dependencies for `github.com/google/go-containerregistry`, `github.com/sigstore/cosign/v2`, and `github.com/sigstore/sigstore`; bumps several `k8s.io/*` modules; refreshes and pins many indirect modules across sigstore, container tooling, and related transitive dependencies.
CI, Docker, and Misc `.github/workflows/build.yml`, `.github/workflows/e2e.yml`, `.github/workflows/lint.yml`, `.github/workflows/test-images.yml`, `Dockerfile`, `.gitignore`	All CI workflows, Dockerfile builder stage, and .gitignore updated for Go 1.25 toolchain (replacing 1.24); Dockerfile builder image bumped from `ubi9/go-toolset:1.24.6` to `1.25.9`; .gitignore bundle pattern anchored to root.

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~60 minutes

Possibly related PRs

centos-automotive-suite/automotive-dev-operator#275: Modifies task-bundle plumbing and reproducible build annotations; related to this PR's task-bundle-ref handling and verification wiring.
centos-automotive-suite/automotive-dev-operator#197: Modifies OperatorConfig and secure Tekton bundle-based build validation; related through shared OSBuildsConfig and secure-build control flow.
centos-automotive-suite/automotive-dev-operator#135: Extends OSBuildsConfig and modifies api/v1alpha1/operatorconfig_types.go; related through shared API schema changes and deepcopy handling.

Suggested reviewers

bkhizgiy

Poem

🐰 A bundle arrives with a signature bold,
Cosign verifies what the cryptography told,
ConfigMaps hold secrets in keys nested deep,
While OperatorConfig watches the build as it leaps,
Secure and reproducible, now all checks are found!

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 36.36% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title 'feat: Add cosign signature verification for Tekton Bundles' accurately summarizes the main feature addition across the changeset: implementing cosign signature verification for Tekton Task Bundles.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

Create PR with unit tests

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

coderabbitai

Actionable comments posted: 3

🧹 Nitpick comments (5)

internal/buildapi/server.go (2)
1239-1242: ⚡ Quick win

Misconfiguration vs transient error are conflated as HTTP 500.

When the cosign key ConfigMap is genuinely absent (admin enabled taskBundleVerify without creating the CM), this returns 500, suggesting a server fault. The CRD requires taskBundleCosignKeyRef when taskBundleVerify=true, but does not enforce that the referenced ConfigMap exists, so a missing CM is a legitimate misconfiguration. Distinguishing IsNotFound and returning 400 would help operators diagnose without searching server logs:
 	cm := &corev1.ConfigMap{}
 	if err := k8sClient.Get(ctx, types.NamespacedName{Name: cosignKeyRef.Name, Namespace: namespace}, cm); err != nil {
+		if k8serrors.IsNotFound(err) {
+			return http.StatusBadRequest, fmt.Errorf("cosign key ConfigMap %q not found in namespace %q", cosignKeyRef.Name, namespace)
+		}
 		return http.StatusInternalServerError, fmt.Errorf("failed to read cosign key ConfigMap %q: %w", cosignKeyRef.Name, err)
 	}
Note: this would require updating the corresponding test in bundle_verify_test.go (which currently expects 500 for the missing-CM case).
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@internal/buildapi/server.go` around lines 1239 - 1242, The current
k8sClient.Get call in the handler conflates a missing cosign key ConfigMap with
server/internal errors; change the error handling around k8sClient.Get(ctx,
types.NamespacedName{Name: cosignKeyRef.Name, Namespace: namespace}, cm) to
detect apierrors.IsNotFound(err) and return http.StatusBadRequest with a clear
message about the missing/misconfigured cosign key reference (including
cosignKeyRef.Name and namespace), while keeping other errors as
http.StatusInternalServerError; also update the expectation in
bundle_verify_test.go for the missing-CM case to expect 400 instead of 500.
1189-1208: 💤 Low value

Defensive nil-check on operatorConfig would harden resolveTaskBundleRef.

loadOperatorConfigFn is a package-level variable that test code already overrides (see bundle_verify_test.go). If a future test or implementation returns (nil, nil) (e.g., to model "no config" without an error), Line 1201 (operatorConfig.Spec.OSBuilds == nil ...) panics with NPE before the not-set 400 branch can run.
 	operatorConfig, err := loadOperatorConfigFn(ctx, k8sClient, namespace)
 	if err != nil {
 		return "", http.StatusInternalServerError, fmt.Errorf("secureBuild requested but OperatorConfig could not be read: %w", err)
 	}
+	if operatorConfig == nil {
+		return "", http.StatusInternalServerError, fmt.Errorf("secureBuild requested but OperatorConfig is nil")
+	}
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@internal/buildapi/server.go` around lines 1189 - 1208, The code calls
loadOperatorConfigFn and then dereferences operatorConfig.Spec which can NPE if
loadOperatorConfigFn returns (nil, nil); update the resolveTaskBundleRef logic
to check if operatorConfig == nil (and return the same 400-style error used when
the config field is missing) before accessing operatorConfig.Spec or
operatorConfig.Spec.OSBuilds; specifically, in the block after
loadOperatorConfigFn (and before using
operatorConfig.Spec.OSBuilds.TaskBundleRef) add a nil-check for operatorConfig
and handle it identically to the "not set" branch so the subsequent
TrimSpace/MatchString checks never dereference a nil pointer.
internal/buildapi/bundle_verify_test.go (1)
127-170: ⚡ Quick win

Consider adding a test for the OperatorConfig fallback path.

The current resolveTaskBundleRef cases cover (a) SecureBuild=false, (b) explicit non-digest-pinned ref, and (c) operator-config load failure, but not the path where req.TaskBundleRef is empty and the resolver falls back to operatorConfig.Spec.OSBuilds.TaskBundleRef. That branch has its own digest-pinning check (Line 1205-1206 of server.go) and the "OSBuilds.TaskBundleRef is not set" 400 (Line 1201-1202). A small case asserting the digest-pinned fallback resolves successfully (with TaskBundleVerify=false so verifyTaskBundle is skipped) would lock in that contract.
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@internal/buildapi/bundle_verify_test.go` around lines 127 - 170, Add a test
covering the fallback where req.TaskBundleRef is empty and resolveTaskBundleRef
reads operatorConfig.Spec.OSBuilds.TaskBundleRef: stub loadOperatorConfigFn to
return an automotivev1alpha1.OperatorConfig whose Spec.OSBuilds.TaskBundleRef is
a digest-pinned ref and set TaskBundleVerify=false in the returned config (so
verifyTaskBundle is skipped), call resolveTaskBundleRef with
BuildRequest{SecureBuild:true, TaskBundleRef:""}, and assert no error, ref
equals the operatorConfig ref, and status==0; also add a separate small test
asserting that when operatorConfig.Spec.OSBuilds.TaskBundleRef is unset the call
returns an HTTP 400 as per the OSS branch.
internal/common/bundleverify/verify.go (1)
35-43: ⚡ Quick win

Support RSA and Ed25519 cosign keys by using signature.LoadDefaultVerifier.

The current code rejects valid cosign keys generated with RSA or Ed25519 (cosign generate-key-pair defaults to ECDSA P-256 but users can supply other keys). Replace the hard ECDSA type assertion with signature.LoadDefaultVerifier(pubKey), which automatically selects the appropriate algorithm and hash for any supported key type. This also eliminates the hashForCurve helper function, simplifying the code.

Before implementing this change, add tests for RSA and Ed25519 key scenarios to verify the updated implementation works correctly with non-ECDSA keys.
Suggested diff
-	ecdsaKey, ok := pubKey.(*ecdsa.PublicKey)
-	if !ok {
-		return fmt.Errorf("cosign public key is %T, expected *ecdsa.PublicKey", pubKey)
-	}
-
-	verifier, err := signature.LoadECDSAVerifier(ecdsaKey, hashForCurve(ecdsaKey.Curve))
+	verifier, err := signature.LoadDefaultVerifier(pubKey)
 	if err != nil {
-		return fmt.Errorf("creating ECDSA verifier: %w", err)
+		return fmt.Errorf("creating verifier: %w", err)
 	}
The hashForCurve helper (lines 17–26) can also be removed as it is no longer needed.
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@internal/common/bundleverify/verify.go` around lines 35 - 43, The code
currently type-asserts pubKey to *ecdsa.PublicKey and calls
signature.LoadECDSAVerifier; replace that block to call
signature.LoadDefaultVerifier(pubKey) so RSA and Ed25519 keys are accepted
(remove the ecdsaKey type assertion and the LoadECDSAVerifier call), and delete
the now-unused hashForCurve helper; after making this change, add unit tests
exercising RSA and Ed25519 cosign keys to verify signature.LoadDefaultVerifier
handles those cases.
cmd/caib/README.md (1)
617-629: ⚡ Quick win

Clarify the relationship between --output-dir and --restore-sources in the rebuild workflow.

The rebuild workflow shows using both inspect -o ./rebuild/ (line 620) and --restore-sources quay.io/org/my-os:v1@sha256:def... (line 627). It's not immediately clear why both are needed, since one downloads artifacts locally while the other references an OCI registry.

Consider adding a brief explanation that:

The local download (-o ./rebuild/) provides the manifest and metadata for inspection

The --restore-sources flag tells the build process to fetch archived sources from the registry at build time

This would help users understand that they use the downloaded manifest but the build fetches sources from the OCI referrer, not from the local download.
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@cmd/caib/README.md` around lines 617 - 629, The README example is ambiguous
about why both `caib image inspect -o ./rebuild/` and `--restore-sources
quay.io/org/my-os:...` are used; update the text near the `caib image inspect`
and `caib image build` example to explicitly state that the `-o ./rebuild/`
download provides the manifest and metadata (e.g., `manifest.aib.yml`) for local
inspection, while the `--restore-sources` flag given to `caib image build`
instructs the build to fetch archived sources from the OCI registry at build
time (the build uses the local manifest but restores sources from the specified
OCI referrer), so users understand both are required for inspection +
reproducible rebuild.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@cmd/caib/README.md`:
- Around line 224-225: The README currently lists --reproducible and
--restore-sources for the image build and image build-dev commands but omits
them from the image disk command; update the image disk section to explicitly
state whether those flags are supported by the image disk command by either
adding the two flags to the image disk flag table (include `--reproducible` and
`--restore-sources` with matching descriptions) if they are supported, or add a
brief note under the image disk command explaining why image disk does not
support `--reproducible` and `--restore-sources` (e.g., because image disk
creates a disk from an existing container rather than performing a build),
referencing the commands `image disk`, `image build`, `image build-dev` and the
flags `--reproducible` and `--restore-sources`.

In `@go.mod`:
- Around line 20-21: Update the cosign dependency and pin fulcio to a fixed
version: change the module version for github.com/sigstore/cosign/v2 from v2.5.0
to v2.6.3 in go.mod and add an explicit replace or require to force
github.com/sigstore/fulcio to v1.8.5 (to address GHSA-59jp-pj84-45mr) so that
cosign pulls the fixed transitive dependency; after making these changes run
your vuln scanner (govulncheck/osv-scanner) and `go mod tidy` to verify the
vulnerabilities are resolved and modules are consistent.

In `@internal/common/bundleverify/verify.go`:
- Around line 30-62: The VerifyBundle function currently doesn't pass registry
auth into cosign, causing private-registry verification to fail; add a way to
inject a keychain/auth into VerifyBundle (e.g. extend signature with a new
parameter or options struct for a remote auth keychain or path to docker
config/serviceaccount token) and thread it into the cosign CheckOpts via
CheckOpts.RegistryClientOpts =
[]ociremote.RegistryClientOption{ociremote.WithRemoteOptions(remote.WithAuthFromKeychain(myKeychain))}
(or equivalent remote.WithAuthFromKeychain call) so cosign uses the provided
credentials when calling cosign.VerifyImageSignatures; also add failing unit
tests first that exercise VerifyBundle against a simulated private registry (or
mock cosign/remote) that fails without auth and succeeds when the injected
keychain is provided, then implement the fix so the tests pass.

---

Nitpick comments:
In `@cmd/caib/README.md`:
- Around line 617-629: The README example is ambiguous about why both `caib
image inspect -o ./rebuild/` and `--restore-sources quay.io/org/my-os:...` are
used; update the text near the `caib image inspect` and `caib image build`
example to explicitly state that the `-o ./rebuild/` download provides the
manifest and metadata (e.g., `manifest.aib.yml`) for local inspection, while the
`--restore-sources` flag given to `caib image build` instructs the build to
fetch archived sources from the OCI registry at build time (the build uses the
local manifest but restores sources from the specified OCI referrer), so users
understand both are required for inspection + reproducible rebuild.

In `@internal/buildapi/bundle_verify_test.go`:
- Around line 127-170: Add a test covering the fallback where req.TaskBundleRef
is empty and resolveTaskBundleRef reads
operatorConfig.Spec.OSBuilds.TaskBundleRef: stub loadOperatorConfigFn to return
an automotivev1alpha1.OperatorConfig whose Spec.OSBuilds.TaskBundleRef is a
digest-pinned ref and set TaskBundleVerify=false in the returned config (so
verifyTaskBundle is skipped), call resolveTaskBundleRef with
BuildRequest{SecureBuild:true, TaskBundleRef:""}, and assert no error, ref
equals the operatorConfig ref, and status==0; also add a separate small test
asserting that when operatorConfig.Spec.OSBuilds.TaskBundleRef is unset the call
returns an HTTP 400 as per the OSS branch.

In `@internal/buildapi/server.go`:
- Around line 1239-1242: The current k8sClient.Get call in the handler conflates
a missing cosign key ConfigMap with server/internal errors; change the error
handling around k8sClient.Get(ctx, types.NamespacedName{Name: cosignKeyRef.Name,
Namespace: namespace}, cm) to detect apierrors.IsNotFound(err) and return
http.StatusBadRequest with a clear message about the missing/misconfigured
cosign key reference (including cosignKeyRef.Name and namespace), while keeping
other errors as http.StatusInternalServerError; also update the expectation in
bundle_verify_test.go for the missing-CM case to expect 400 instead of 500.
- Around line 1189-1208: The code calls loadOperatorConfigFn and then
dereferences operatorConfig.Spec which can NPE if loadOperatorConfigFn returns
(nil, nil); update the resolveTaskBundleRef logic to check if operatorConfig ==
nil (and return the same 400-style error used when the config field is missing)
before accessing operatorConfig.Spec or operatorConfig.Spec.OSBuilds;
specifically, in the block after loadOperatorConfigFn (and before using
operatorConfig.Spec.OSBuilds.TaskBundleRef) add a nil-check for operatorConfig
and handle it identically to the "not set" branch so the subsequent
TrimSpace/MatchString checks never dereference a nil pointer.

In `@internal/common/bundleverify/verify.go`:
- Around line 35-43: The code currently type-asserts pubKey to *ecdsa.PublicKey
and calls signature.LoadECDSAVerifier; replace that block to call
signature.LoadDefaultVerifier(pubKey) so RSA and Ed25519 keys are accepted
(remove the ecdsaKey type assertion and the LoadECDSAVerifier call), and delete
the now-unused hashForCurve helper; after making this change, add unit tests
exercising RSA and Ed25519 cosign keys to verify signature.LoadDefaultVerifier
handles those cases.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

Push a commit to this branch (recommended)
Create a new PR with the fixes

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 185b93f6-5405-4e4e-ac8f-094430ccb916

📥 Commits

Reviewing files that changed from the base of the PR and between 4105ec4 and d58c304.

⛔ Files ignored due to path filters (291)

config/crd/bases/automotive.sdv.cloud.redhat.com_operatorconfigs.yaml is excluded by !config/crd/bases/**
go.sum is excluded by !**/*.sum, !**go.sum
vendor/github.com/asaskevich/govalidator/.gitignore is excluded by !vendor/**
vendor/github.com/asaskevich/govalidator/.travis.yml is excluded by !vendor/**
vendor/github.com/asaskevich/govalidator/CODE_OF_CONDUCT.md is excluded by !vendor/**
vendor/github.com/asaskevich/govalidator/CONTRIBUTING.md is excluded by !vendor/**
vendor/github.com/asaskevich/govalidator/LICENSE is excluded by !vendor/**
vendor/github.com/asaskevich/govalidator/README.md is excluded by !vendor/**
vendor/github.com/asaskevich/govalidator/arrays.go is excluded by !vendor/**
vendor/github.com/asaskevich/govalidator/converter.go is excluded by !vendor/**
vendor/github.com/asaskevich/govalidator/doc.go is excluded by !vendor/**
vendor/github.com/asaskevich/govalidator/error.go is excluded by !vendor/**
vendor/github.com/asaskevich/govalidator/numerics.go is excluded by !vendor/**
vendor/github.com/asaskevich/govalidator/patterns.go is excluded by !vendor/**
vendor/github.com/asaskevich/govalidator/types.go is excluded by !vendor/**
vendor/github.com/asaskevich/govalidator/utils.go is excluded by !vendor/**
vendor/github.com/asaskevich/govalidator/validator.go is excluded by !vendor/**
vendor/github.com/asaskevich/govalidator/wercker.yml is excluded by !vendor/**
vendor/github.com/blang/semver/.travis.yml is excluded by !vendor/**
vendor/github.com/blang/semver/LICENSE is excluded by !vendor/**
vendor/github.com/blang/semver/README.md is excluded by !vendor/**
vendor/github.com/blang/semver/json.go is excluded by !vendor/**
vendor/github.com/blang/semver/package.json is excluded by !vendor/**
vendor/github.com/blang/semver/range.go is excluded by !vendor/**
vendor/github.com/blang/semver/semver.go is excluded by !vendor/**
vendor/github.com/blang/semver/sort.go is excluded by !vendor/**
vendor/github.com/blang/semver/sql.go is excluded by !vendor/**
vendor/github.com/containerd/stargz-snapshotter/estargz/LICENSE is excluded by !vendor/**
vendor/github.com/containerd/stargz-snapshotter/estargz/build.go is excluded by !vendor/**
vendor/github.com/containerd/stargz-snapshotter/estargz/errorutil/errors.go is excluded by !vendor/**
vendor/github.com/containerd/stargz-snapshotter/estargz/estargz.go is excluded by !vendor/**
vendor/github.com/containerd/stargz-snapshotter/estargz/gzip.go is excluded by !vendor/**
vendor/github.com/containerd/stargz-snapshotter/estargz/testutil.go is excluded by !vendor/**
vendor/github.com/containerd/stargz-snapshotter/estargz/types.go is excluded by !vendor/**
vendor/github.com/digitorus/pkcs7/.gitignore is excluded by !vendor/**
vendor/github.com/digitorus/pkcs7/LICENSE is excluded by !vendor/**
vendor/github.com/digitorus/pkcs7/Makefile is excluded by !vendor/**
vendor/github.com/digitorus/pkcs7/README.md is excluded by !vendor/**
vendor/github.com/digitorus/pkcs7/ber.go is excluded by !vendor/**
vendor/github.com/digitorus/pkcs7/decrypt.go is excluded by !vendor/**
vendor/github.com/digitorus/pkcs7/encrypt.go is excluded by !vendor/**
vendor/github.com/digitorus/pkcs7/pkcs7.go is excluded by !vendor/**
vendor/github.com/digitorus/pkcs7/sign.go is excluded by !vendor/**
vendor/github.com/digitorus/pkcs7/verify.go is excluded by !vendor/**
vendor/github.com/digitorus/pkcs7/verify_test_dsa.go is excluded by !vendor/**
vendor/github.com/digitorus/timestamp/LICENSE is excluded by !vendor/**
vendor/github.com/digitorus/timestamp/README.md is excluded by !vendor/**
vendor/github.com/digitorus/timestamp/borrowed.go is excluded by !vendor/**
vendor/github.com/digitorus/timestamp/rfc3161_struct.go is excluded by !vendor/**
vendor/github.com/digitorus/timestamp/signing_cert_v2_struct.go is excluded by !vendor/**
vendor/github.com/digitorus/timestamp/timestamp.go is excluded by !vendor/**
vendor/github.com/docker/cli/AUTHORS is excluded by !vendor/**
vendor/github.com/docker/cli/LICENSE is excluded by !vendor/**
vendor/github.com/docker/cli/NOTICE is excluded by !vendor/**
vendor/github.com/docker/cli/cli/config/config.go is excluded by !vendor/**
vendor/github.com/docker/cli/cli/config/configfile/file.go is excluded by !vendor/**
vendor/github.com/docker/cli/cli/config/configfile/file_unix.go is excluded by !vendor/**
vendor/github.com/docker/cli/cli/config/configfile/file_windows.go is excluded by !vendor/**
vendor/github.com/docker/cli/cli/config/credentials/credentials.go is excluded by !vendor/**
vendor/github.com/docker/cli/cli/config/credentials/default_store.go is excluded by !vendor/**
vendor/github.com/docker/cli/cli/config/credentials/default_store_darwin.go is excluded by !vendor/**
vendor/github.com/docker/cli/cli/config/credentials/default_store_linux.go is excluded by !vendor/**
vendor/github.com/docker/cli/cli/config/credentials/default_store_unsupported.go is excluded by !vendor/**
vendor/github.com/docker/cli/cli/config/credentials/default_store_windows.go is excluded by !vendor/**
vendor/github.com/docker/cli/cli/config/credentials/file_store.go is excluded by !vendor/**
vendor/github.com/docker/cli/cli/config/credentials/native_store.go is excluded by !vendor/**
vendor/github.com/docker/cli/cli/config/memorystore/store.go is excluded by !vendor/**
vendor/github.com/docker/cli/cli/config/types/authconfig.go is excluded by !vendor/**
vendor/github.com/docker/distribution/registry/client/auth/challenge/addr.go is excluded by !vendor/**
vendor/github.com/docker/distribution/registry/client/auth/challenge/authchallenge.go is excluded by !vendor/**
vendor/github.com/dustin/go-humanize/.travis.yml is excluded by !vendor/**
vendor/github.com/dustin/go-humanize/LICENSE is excluded by !vendor/**
vendor/github.com/dustin/go-humanize/README.markdown is excluded by !vendor/**
vendor/github.com/dustin/go-humanize/big.go is excluded by !vendor/**
vendor/github.com/dustin/go-humanize/bigbytes.go is excluded by !vendor/**
vendor/github.com/dustin/go-humanize/bytes.go is excluded by !vendor/**
vendor/github.com/dustin/go-humanize/comma.go is excluded by !vendor/**
vendor/github.com/dustin/go-humanize/commaf.go is excluded by !vendor/**
vendor/github.com/dustin/go-humanize/ftoa.go is excluded by !vendor/**
vendor/github.com/dustin/go-humanize/humanize.go is excluded by !vendor/**
vendor/github.com/dustin/go-humanize/number.go is excluded by !vendor/**
vendor/github.com/dustin/go-humanize/ordinals.go is excluded by !vendor/**
vendor/github.com/dustin/go-humanize/si.go is excluded by !vendor/**
vendor/github.com/dustin/go-humanize/times.go is excluded by !vendor/**
vendor/github.com/go-chi/chi/.gitignore is excluded by !vendor/**
vendor/github.com/go-chi/chi/.travis.yml is excluded by !vendor/**
vendor/github.com/go-chi/chi/CHANGELOG.md is excluded by !vendor/**
vendor/github.com/go-chi/chi/CONTRIBUTING.md is excluded by !vendor/**
vendor/github.com/go-chi/chi/LICENSE is excluded by !vendor/**
vendor/github.com/go-chi/chi/README.md is excluded by !vendor/**
vendor/github.com/go-chi/chi/chain.go is excluded by !vendor/**
vendor/github.com/go-chi/chi/chi.go is excluded by !vendor/**
vendor/github.com/go-chi/chi/context.go is excluded by !vendor/**
vendor/github.com/go-chi/chi/middleware/basic_auth.go is excluded by !vendor/**
vendor/github.com/go-chi/chi/middleware/compress.go is excluded by !vendor/**
vendor/github.com/go-chi/chi/middleware/content_charset.go is excluded by !vendor/**
vendor/github.com/go-chi/chi/middleware/content_encoding.go is excluded by !vendor/**
vendor/github.com/go-chi/chi/middleware/content_type.go is excluded by !vendor/**
vendor/github.com/go-chi/chi/middleware/get_head.go is excluded by !vendor/**
vendor/github.com/go-chi/chi/middleware/heartbeat.go is excluded by !vendor/**
vendor/github.com/go-chi/chi/middleware/logger.go is excluded by !vendor/**
vendor/github.com/go-chi/chi/middleware/middleware.go is excluded by !vendor/**
vendor/github.com/go-chi/chi/middleware/nocache.go is excluded by !vendor/**
vendor/github.com/go-chi/chi/middleware/profiler.go is excluded by !vendor/**
vendor/github.com/go-chi/chi/middleware/realip.go is excluded by !vendor/**
vendor/github.com/go-chi/chi/middleware/recoverer.go is excluded by !vendor/**
vendor/github.com/go-chi/chi/middleware/request_id.go is excluded by !vendor/**
vendor/github.com/go-chi/chi/middleware/route_headers.go is excluded by !vendor/**
vendor/github.com/go-chi/chi/middleware/strip.go is excluded by !vendor/**
vendor/github.com/go-chi/chi/middleware/terminal.go is excluded by !vendor/**
vendor/github.com/go-chi/chi/middleware/throttle.go is excluded by !vendor/**
vendor/github.com/go-chi/chi/middleware/timeout.go is excluded by !vendor/**
vendor/github.com/go-chi/chi/middleware/url_format.go is excluded by !vendor/**
vendor/github.com/go-chi/chi/middleware/value.go is excluded by !vendor/**
vendor/github.com/go-chi/chi/middleware/wrap_writer.go is excluded by !vendor/**
vendor/github.com/go-chi/chi/mux.go is excluded by !vendor/**
vendor/github.com/go-chi/chi/tree.go is excluded by !vendor/**
vendor/github.com/go-openapi/analysis/.codecov.yml is excluded by !vendor/**
vendor/github.com/go-openapi/analysis/.gitattributes is excluded by !vendor/**
vendor/github.com/go-openapi/analysis/.gitignore is excluded by !vendor/**
vendor/github.com/go-openapi/analysis/.golangci.yml is excluded by !vendor/**
vendor/github.com/go-openapi/analysis/CODE_OF_CONDUCT.md is excluded by !vendor/**
vendor/github.com/go-openapi/analysis/LICENSE is excluded by !vendor/**
vendor/github.com/go-openapi/analysis/README.md is excluded by !vendor/**
vendor/github.com/go-openapi/analysis/analyzer.go is excluded by !vendor/**
vendor/github.com/go-openapi/analysis/debug.go is excluded by !vendor/**
vendor/github.com/go-openapi/analysis/doc.go is excluded by !vendor/**
vendor/github.com/go-openapi/analysis/fixer.go is excluded by !vendor/**
vendor/github.com/go-openapi/analysis/flatten.go is excluded by !vendor/**
vendor/github.com/go-openapi/analysis/flatten_name.go is excluded by !vendor/**
vendor/github.com/go-openapi/analysis/flatten_options.go is excluded by !vendor/**
vendor/github.com/go-openapi/analysis/internal/debug/debug.go is excluded by !vendor/**
vendor/github.com/go-openapi/analysis/internal/flatten/normalize/normalize.go is excluded by !vendor/**
vendor/github.com/go-openapi/analysis/internal/flatten/operations/operations.go is excluded by !vendor/**
vendor/github.com/go-openapi/analysis/internal/flatten/replace/replace.go is excluded by !vendor/**
vendor/github.com/go-openapi/analysis/internal/flatten/schutils/flatten_schema.go is excluded by !vendor/**
vendor/github.com/go-openapi/analysis/internal/flatten/sortref/keys.go is excluded by !vendor/**
vendor/github.com/go-openapi/analysis/internal/flatten/sortref/sort_ref.go is excluded by !vendor/**
vendor/github.com/go-openapi/analysis/mixin.go is excluded by !vendor/**
vendor/github.com/go-openapi/analysis/schema.go is excluded by !vendor/**
vendor/github.com/go-openapi/errors/.gitattributes is excluded by !vendor/**
vendor/github.com/go-openapi/errors/.gitignore is excluded by !vendor/**
vendor/github.com/go-openapi/errors/.golangci.yml is excluded by !vendor/**
vendor/github.com/go-openapi/errors/CODE_OF_CONDUCT.md is excluded by !vendor/**
vendor/github.com/go-openapi/errors/LICENSE is excluded by !vendor/**
vendor/github.com/go-openapi/errors/README.md is excluded by !vendor/**
vendor/github.com/go-openapi/errors/api.go is excluded by !vendor/**
vendor/github.com/go-openapi/errors/auth.go is excluded by !vendor/**
vendor/github.com/go-openapi/errors/doc.go is excluded by !vendor/**
vendor/github.com/go-openapi/errors/headers.go is excluded by !vendor/**
vendor/github.com/go-openapi/errors/middleware.go is excluded by !vendor/**
vendor/github.com/go-openapi/errors/parsing.go is excluded by !vendor/**
vendor/github.com/go-openapi/errors/schema.go is excluded by !vendor/**
vendor/github.com/go-openapi/loads/.editorconfig is excluded by !vendor/**
vendor/github.com/go-openapi/loads/.gitignore is excluded by !vendor/**
vendor/github.com/go-openapi/loads/.golangci.yml is excluded by !vendor/**
vendor/github.com/go-openapi/loads/.travis.yml is excluded by !vendor/**
vendor/github.com/go-openapi/loads/CODE_OF_CONDUCT.md is excluded by !vendor/**
vendor/github.com/go-openapi/loads/LICENSE is excluded by !vendor/**
vendor/github.com/go-openapi/loads/README.md is excluded by !vendor/**
vendor/github.com/go-openapi/loads/doc.go is excluded by !vendor/**
vendor/github.com/go-openapi/loads/loaders.go is excluded by !vendor/**
vendor/github.com/go-openapi/loads/options.go is excluded by !vendor/**
vendor/github.com/go-openapi/loads/spec.go is excluded by !vendor/**
vendor/github.com/go-openapi/runtime/.editorconfig is excluded by !vendor/**
vendor/github.com/go-openapi/runtime/.gitattributes is excluded by !vendor/**
vendor/github.com/go-openapi/runtime/.gitignore is excluded by !vendor/**
vendor/github.com/go-openapi/runtime/.golangci.yml is excluded by !vendor/**
vendor/github.com/go-openapi/runtime/CODE_OF_CONDUCT.md is excluded by !vendor/**
vendor/github.com/go-openapi/runtime/LICENSE is excluded by !vendor/**
vendor/github.com/go-openapi/runtime/README.md is excluded by !vendor/**
vendor/github.com/go-openapi/runtime/bytestream.go is excluded by !vendor/**
vendor/github.com/go-openapi/runtime/client/auth_info.go is excluded by !vendor/**
vendor/github.com/go-openapi/runtime/client/keepalive.go is excluded by !vendor/**
vendor/github.com/go-openapi/runtime/client/opentelemetry.go is excluded by !vendor/**
vendor/github.com/go-openapi/runtime/client/opentracing.go is excluded by !vendor/**
vendor/github.com/go-openapi/runtime/client/request.go is excluded by !vendor/**
vendor/github.com/go-openapi/runtime/client/response.go is excluded by !vendor/**
vendor/github.com/go-openapi/runtime/client/runtime.go is excluded by !vendor/**
vendor/github.com/go-openapi/runtime/client_auth_info.go is excluded by !vendor/**
vendor/github.com/go-openapi/runtime/client_operation.go is excluded by !vendor/**
vendor/github.com/go-openapi/runtime/client_request.go is excluded by !vendor/**
vendor/github.com/go-openapi/runtime/client_response.go is excluded by !vendor/**
vendor/github.com/go-openapi/runtime/constants.go is excluded by !vendor/**
vendor/github.com/go-openapi/runtime/csv.go is excluded by !vendor/**
vendor/github.com/go-openapi/runtime/csv_options.go is excluded by !vendor/**
vendor/github.com/go-openapi/runtime/discard.go is excluded by !vendor/**
vendor/github.com/go-openapi/runtime/file.go is excluded by !vendor/**
vendor/github.com/go-openapi/runtime/headers.go is excluded by !vendor/**
vendor/github.com/go-openapi/runtime/interfaces.go is excluded by !vendor/**
vendor/github.com/go-openapi/runtime/json.go is excluded by !vendor/**
vendor/github.com/go-openapi/runtime/logger/logger.go is excluded by !vendor/**
vendor/github.com/go-openapi/runtime/logger/standard.go is excluded by !vendor/**
vendor/github.com/go-openapi/runtime/middleware/context.go is excluded by !vendor/**
vendor/github.com/go-openapi/runtime/middleware/denco/LICENSE is excluded by !vendor/**
vendor/github.com/go-openapi/runtime/middleware/denco/README.md is excluded by !vendor/**
vendor/github.com/go-openapi/runtime/middleware/denco/router.go is excluded by !vendor/**
vendor/github.com/go-openapi/runtime/middleware/denco/server.go is excluded by !vendor/**
vendor/github.com/go-openapi/runtime/middleware/denco/util.go is excluded by !vendor/**
vendor/github.com/go-openapi/runtime/middleware/doc.go is excluded by !vendor/**
vendor/github.com/go-openapi/runtime/middleware/header/header.go is excluded by !vendor/**
vendor/github.com/go-openapi/runtime/middleware/negotiate.go is excluded by !vendor/**
vendor/github.com/go-openapi/runtime/middleware/not_implemented.go is excluded by !vendor/**
vendor/github.com/go-openapi/runtime/middleware/operation.go is excluded by !vendor/**
vendor/github.com/go-openapi/runtime/middleware/parameter.go is excluded by !vendor/**
vendor/github.com/go-openapi/runtime/middleware/rapidoc.go is excluded by !vendor/**
vendor/github.com/go-openapi/runtime/middleware/redoc.go is excluded by !vendor/**
vendor/github.com/go-openapi/runtime/middleware/request.go is excluded by !vendor/**
vendor/github.com/go-openapi/runtime/middleware/router.go is excluded by !vendor/**
vendor/github.com/go-openapi/runtime/middleware/security.go is excluded by !vendor/**
vendor/github.com/go-openapi/runtime/middleware/spec.go is excluded by !vendor/**
vendor/github.com/go-openapi/runtime/middleware/swaggerui.go is excluded by !vendor/**
vendor/github.com/go-openapi/runtime/middleware/swaggerui_oauth2.go is excluded by !vendor/**
vendor/github.com/go-openapi/runtime/middleware/ui_options.go is excluded by !vendor/**
vendor/github.com/go-openapi/runtime/middleware/untyped/api.go is excluded by !vendor/**
vendor/github.com/go-openapi/runtime/middleware/validation.go is excluded by !vendor/**
vendor/github.com/go-openapi/runtime/request.go is excluded by !vendor/**
vendor/github.com/go-openapi/runtime/security/authenticator.go is excluded by !vendor/**
vendor/github.com/go-openapi/runtime/security/authorizer.go is excluded by !vendor/**
vendor/github.com/go-openapi/runtime/statuses.go is excluded by !vendor/**
vendor/github.com/go-openapi/runtime/text.go is excluded by !vendor/**
vendor/github.com/go-openapi/runtime/values.go is excluded by !vendor/**
vendor/github.com/go-openapi/runtime/xml.go is excluded by !vendor/**
vendor/github.com/go-openapi/runtime/yamlpc/yaml.go is excluded by !vendor/**
vendor/github.com/go-openapi/spec/.editorconfig is excluded by !vendor/**
vendor/github.com/go-openapi/spec/.gitignore is excluded by !vendor/**
vendor/github.com/go-openapi/spec/.golangci.yml is excluded by !vendor/**
vendor/github.com/go-openapi/spec/CODE_OF_CONDUCT.md is excluded by !vendor/**
vendor/github.com/go-openapi/spec/LICENSE is excluded by !vendor/**
vendor/github.com/go-openapi/spec/README.md is excluded by !vendor/**
vendor/github.com/go-openapi/spec/cache.go is excluded by !vendor/**
vendor/github.com/go-openapi/spec/contact_info.go is excluded by !vendor/**
vendor/github.com/go-openapi/spec/debug.go is excluded by !vendor/**
vendor/github.com/go-openapi/spec/embed.go is excluded by !vendor/**
vendor/github.com/go-openapi/spec/errors.go is excluded by !vendor/**
vendor/github.com/go-openapi/spec/expander.go is excluded by !vendor/**
vendor/github.com/go-openapi/spec/external_docs.go is excluded by !vendor/**
vendor/github.com/go-openapi/spec/header.go is excluded by !vendor/**
vendor/github.com/go-openapi/spec/info.go is excluded by !vendor/**
vendor/github.com/go-openapi/spec/items.go is excluded by !vendor/**
vendor/github.com/go-openapi/spec/license.go is excluded by !vendor/**
vendor/github.com/go-openapi/spec/normalizer.go is excluded by !vendor/**
vendor/github.com/go-openapi/spec/normalizer_nonwindows.go is excluded by !vendor/**
vendor/github.com/go-openapi/spec/normalizer_windows.go is excluded by !vendor/**
vendor/github.com/go-openapi/spec/operation.go is excluded by !vendor/**
vendor/github.com/go-openapi/spec/parameter.go is excluded by !vendor/**
vendor/github.com/go-openapi/spec/path_item.go is excluded by !vendor/**
vendor/github.com/go-openapi/spec/paths.go is excluded by !vendor/**
vendor/github.com/go-openapi/spec/properties.go is excluded by !vendor/**
vendor/github.com/go-openapi/spec/ref.go is excluded by !vendor/**
vendor/github.com/go-openapi/spec/resolver.go is excluded by !vendor/**
vendor/github.com/go-openapi/spec/response.go is excluded by !vendor/**
vendor/github.com/go-openapi/spec/responses.go is excluded by !vendor/**
vendor/github.com/go-openapi/spec/schema.go is excluded by !vendor/**
vendor/github.com/go-openapi/spec/schema_loader.go is excluded by !vendor/**
vendor/github.com/go-openapi/spec/schemas/jsonschema-draft-04.json is excluded by !vendor/**
vendor/github.com/go-openapi/spec/schemas/v2/schema.json is excluded by !vendor/**
vendor/github.com/go-openapi/spec/security_scheme.go is excluded by !vendor/**
vendor/github.com/go-openapi/spec/spec.go is excluded by !vendor/**
vendor/github.com/go-openapi/spec/swagger.go is excluded by !vendor/**
vendor/github.com/go-openapi/spec/tag.go is excluded by !vendor/**
vendor/github.com/go-openapi/spec/url_go19.go is excluded by !vendor/**
vendor/github.com/go-openapi/spec/validations.go is excluded by !vendor/**
vendor/github.com/go-openapi/spec/xml_object.go is excluded by !vendor/**
vendor/github.com/go-openapi/strfmt/.editorconfig is excluded by !vendor/**
vendor/github.com/go-openapi/strfmt/.gitattributes is excluded by !vendor/**
vendor/github.com/go-openapi/strfmt/.gitignore is excluded by !vendor/**
vendor/github.com/go-openapi/strfmt/.golangci.yml is excluded by !vendor/**
vendor/github.com/go-openapi/strfmt/CODE_OF_CONDUCT.md is excluded by !vendor/**
vendor/github.com/go-openapi/strfmt/LICENSE is excluded by !vendor/**
vendor/github.com/go-openapi/strfmt/README.md is excluded by !vendor/**
vendor/github.com/go-openapi/strfmt/bson.go is excluded by !vendor/**
vendor/github.com/go-openapi/strfmt/date.go is excluded by !vendor/**
vendor/github.com/go-openapi/strfmt/default.go is excluded by !vendor/**
vendor/github.com/go-openapi/strfmt/doc.go is excluded by !vendor/**
vendor/github.com/go-openapi/strfmt/duration.go is excluded by !vendor/**
vendor/github.com/go-openapi/strfmt/format.go is excluded by !vendor/**
vendor/github.com/go-openapi/strfmt/time.go is excluded by !vendor/**
vendor/github.com/go-openapi/strfmt/ulid.go is excluded by !vendor/**
vendor/github.com/go-openapi/validate/.editorconfig is excluded by !vendor/**
vendor/github.com/go-openapi/validate/.gitattributes is excluded by !vendor/**
vendor/github.com/go-openapi/validate/.gitignore is excluded by !vendor/**
vendor/github.com/go-openapi/validate/.golangci.yml is excluded by !vendor/**
vendor/github.com/go-openapi/validate/BENCHMARK.md is excluded by !vendor/**
vendor/github.com/go-openapi/validate/CODE_OF_CONDUCT.md is excluded by !vendor/**
vendor/github.com/go-openapi/validate/LICENSE is excluded by !vendor/**
vendor/github.com/go-openapi/validate/README.md is excluded by !vendor/**
vendor/github.com/go-openapi/validate/context.go is excluded by !vendor/**
vendor/github.com/go-openapi/validate/debug.go is excluded by !vendor/**
vendor/github.com/go-openapi/validate/default_validator.go is excluded by !vendor/**
vendor/github.com/go-openapi/validate/doc.go is excluded by !vendor/**

📒 Files selected for processing (9)

api/v1alpha1/operatorconfig_types.go
api/v1alpha1/zz_generated.deepcopy.go
cmd/caib/README.md
cmd/caib/inspectcmd/inspect.go
cmd/caib/registryauth/loader.go
go.mod
internal/buildapi/bundle_verify_test.go
internal/buildapi/server.go
internal/common/bundleverify/verify.go

bennyz · 2026-05-11T04:54:02Z

@ambient-code please review

bennyz · 2026-05-11T04:54:08Z

@coderabbitai review

coderabbitai · 2026-05-11T04:54:13Z

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

coderabbitai

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@go.mod`:
- Line 203: The go.mod currently pins github.com/tektoncd/pipeline at v1.6.0
which is vulnerable; update the dependency line for github.com/tektoncd/pipeline
to a fixed version (minimum v1.11.1, preferably the current stable v1.12.0),
then run your module update (e.g., go get or the equivalent) and go mod tidy to
refresh the lockfile and vendor data; after updating, run unit/integration tests
and verify any pipeline API changes in call sites that import
github.com/tektoncd/pipeline to fix compilation or behavioral regressions.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

Push a commit to this branch (recommended)
Create a new PR with the fixes

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 6a5a4aeb-6b2b-4d88-8edb-60ddbf0b11e7

📥 Commits

Reviewing files that changed from the base of the PR and between d58c304 and eb8399f.

⛔ Files ignored due to path filters (283)

config/crd/bases/automotive.sdv.cloud.redhat.com_operatorconfigs.yaml is excluded by !config/crd/bases/**
config/crd/bases/automotive.sdv.cloud.redhat.com_workspaces.yaml is excluded by !config/crd/bases/**
go.sum is excluded by !**/*.sum, !**go.sum
vendor/github.com/Azure/go-ansiterm/LICENSE is excluded by !vendor/**
vendor/github.com/Azure/go-ansiterm/README.md is excluded by !vendor/**
vendor/github.com/Azure/go-ansiterm/SECURITY.md is excluded by !vendor/**
vendor/github.com/Azure/go-ansiterm/constants.go is excluded by !vendor/**
vendor/github.com/Azure/go-ansiterm/context.go is excluded by !vendor/**
vendor/github.com/Azure/go-ansiterm/csi_entry_state.go is excluded by !vendor/**
vendor/github.com/Azure/go-ansiterm/csi_param_state.go is excluded by !vendor/**
vendor/github.com/Azure/go-ansiterm/escape_intermediate_state.go is excluded by !vendor/**
vendor/github.com/Azure/go-ansiterm/escape_state.go is excluded by !vendor/**
vendor/github.com/Azure/go-ansiterm/event_handler.go is excluded by !vendor/**
vendor/github.com/Azure/go-ansiterm/ground_state.go is excluded by !vendor/**
vendor/github.com/Azure/go-ansiterm/osc_string_state.go is excluded by !vendor/**
vendor/github.com/Azure/go-ansiterm/parser.go is excluded by !vendor/**
vendor/github.com/Azure/go-ansiterm/parser_action_helpers.go is excluded by !vendor/**
vendor/github.com/Azure/go-ansiterm/parser_actions.go is excluded by !vendor/**
vendor/github.com/Azure/go-ansiterm/states.go is excluded by !vendor/**
vendor/github.com/Azure/go-ansiterm/utilities.go is excluded by !vendor/**
vendor/github.com/Azure/go-ansiterm/winterm/ansi.go is excluded by !vendor/**
vendor/github.com/Azure/go-ansiterm/winterm/api.go is excluded by !vendor/**
vendor/github.com/Azure/go-ansiterm/winterm/attr_translation.go is excluded by !vendor/**
vendor/github.com/Azure/go-ansiterm/winterm/cursor_helpers.go is excluded by !vendor/**
vendor/github.com/Azure/go-ansiterm/winterm/erase_helpers.go is excluded by !vendor/**
vendor/github.com/Azure/go-ansiterm/winterm/scroll_helper.go is excluded by !vendor/**
vendor/github.com/Azure/go-ansiterm/winterm/utilities.go is excluded by !vendor/**
vendor/github.com/Azure/go-ansiterm/winterm/win_event_handler.go is excluded by !vendor/**
vendor/github.com/asaskevich/govalidator/.gitignore is excluded by !vendor/**
vendor/github.com/asaskevich/govalidator/.travis.yml is excluded by !vendor/**
vendor/github.com/asaskevich/govalidator/CODE_OF_CONDUCT.md is excluded by !vendor/**
vendor/github.com/asaskevich/govalidator/CONTRIBUTING.md is excluded by !vendor/**
vendor/github.com/asaskevich/govalidator/LICENSE is excluded by !vendor/**
vendor/github.com/asaskevich/govalidator/README.md is excluded by !vendor/**
vendor/github.com/asaskevich/govalidator/arrays.go is excluded by !vendor/**
vendor/github.com/asaskevich/govalidator/converter.go is excluded by !vendor/**
vendor/github.com/asaskevich/govalidator/doc.go is excluded by !vendor/**
vendor/github.com/asaskevich/govalidator/error.go is excluded by !vendor/**
vendor/github.com/asaskevich/govalidator/numerics.go is excluded by !vendor/**
vendor/github.com/asaskevich/govalidator/patterns.go is excluded by !vendor/**
vendor/github.com/asaskevich/govalidator/types.go is excluded by !vendor/**
vendor/github.com/asaskevich/govalidator/utils.go is excluded by !vendor/**
vendor/github.com/asaskevich/govalidator/validator.go is excluded by !vendor/**
vendor/github.com/asaskevich/govalidator/wercker.yml is excluded by !vendor/**
vendor/github.com/blang/semver/.travis.yml is excluded by !vendor/**
vendor/github.com/blang/semver/LICENSE is excluded by !vendor/**
vendor/github.com/blang/semver/README.md is excluded by !vendor/**
vendor/github.com/blang/semver/json.go is excluded by !vendor/**
vendor/github.com/blang/semver/package.json is excluded by !vendor/**
vendor/github.com/blang/semver/range.go is excluded by !vendor/**
vendor/github.com/blang/semver/semver.go is excluded by !vendor/**
vendor/github.com/blang/semver/sort.go is excluded by !vendor/**
vendor/github.com/blang/semver/sql.go is excluded by !vendor/**
vendor/github.com/containerd/stargz-snapshotter/estargz/LICENSE is excluded by !vendor/**
vendor/github.com/containerd/stargz-snapshotter/estargz/build.go is excluded by !vendor/**
vendor/github.com/containerd/stargz-snapshotter/estargz/errorutil/errors.go is excluded by !vendor/**
vendor/github.com/containerd/stargz-snapshotter/estargz/estargz.go is excluded by !vendor/**
vendor/github.com/containerd/stargz-snapshotter/estargz/gzip.go is excluded by !vendor/**
vendor/github.com/containerd/stargz-snapshotter/estargz/testutil.go is excluded by !vendor/**
vendor/github.com/containerd/stargz-snapshotter/estargz/types.go is excluded by !vendor/**
vendor/github.com/coreos/go-oidc/v3/LICENSE is excluded by !vendor/**
vendor/github.com/coreos/go-oidc/v3/NOTICE is excluded by !vendor/**
vendor/github.com/coreos/go-oidc/v3/oidc/jose.go is excluded by !vendor/**
vendor/github.com/coreos/go-oidc/v3/oidc/jwks.go is excluded by !vendor/**
vendor/github.com/coreos/go-oidc/v3/oidc/oidc.go is excluded by !vendor/**
vendor/github.com/coreos/go-oidc/v3/oidc/verify.go is excluded by !vendor/**
vendor/github.com/digitorus/pkcs7/.gitignore is excluded by !vendor/**
vendor/github.com/digitorus/pkcs7/LICENSE is excluded by !vendor/**
vendor/github.com/digitorus/pkcs7/Makefile is excluded by !vendor/**
vendor/github.com/digitorus/pkcs7/README.md is excluded by !vendor/**
vendor/github.com/digitorus/pkcs7/ber.go is excluded by !vendor/**
vendor/github.com/digitorus/pkcs7/decrypt.go is excluded by !vendor/**
vendor/github.com/digitorus/pkcs7/encrypt.go is excluded by !vendor/**
vendor/github.com/digitorus/pkcs7/pkcs7.go is excluded by !vendor/**
vendor/github.com/digitorus/pkcs7/sign.go is excluded by !vendor/**
vendor/github.com/digitorus/pkcs7/verify.go is excluded by !vendor/**
vendor/github.com/digitorus/pkcs7/verify_test_dsa.go is excluded by !vendor/**
vendor/github.com/digitorus/timestamp/LICENSE is excluded by !vendor/**
vendor/github.com/digitorus/timestamp/README.md is excluded by !vendor/**
vendor/github.com/digitorus/timestamp/borrowed.go is excluded by !vendor/**
vendor/github.com/digitorus/timestamp/rfc3161_struct.go is excluded by !vendor/**
vendor/github.com/digitorus/timestamp/signing_cert_v2_struct.go is excluded by !vendor/**
vendor/github.com/digitorus/timestamp/timestamp.go is excluded by !vendor/**
vendor/github.com/docker/cli/AUTHORS is excluded by !vendor/**
vendor/github.com/docker/cli/LICENSE is excluded by !vendor/**
vendor/github.com/docker/cli/NOTICE is excluded by !vendor/**
vendor/github.com/docker/cli/cli/config/config.go is excluded by !vendor/**
vendor/github.com/docker/cli/cli/config/configfile/file.go is excluded by !vendor/**
vendor/github.com/docker/cli/cli/config/configfile/file_unix.go is excluded by !vendor/**
vendor/github.com/docker/cli/cli/config/configfile/file_windows.go is excluded by !vendor/**
vendor/github.com/docker/cli/cli/config/credentials/credentials.go is excluded by !vendor/**
vendor/github.com/docker/cli/cli/config/credentials/default_store.go is excluded by !vendor/**
vendor/github.com/docker/cli/cli/config/credentials/default_store_darwin.go is excluded by !vendor/**
vendor/github.com/docker/cli/cli/config/credentials/default_store_linux.go is excluded by !vendor/**
vendor/github.com/docker/cli/cli/config/credentials/default_store_unsupported.go is excluded by !vendor/**
vendor/github.com/docker/cli/cli/config/credentials/default_store_windows.go is excluded by !vendor/**
vendor/github.com/docker/cli/cli/config/credentials/file_store.go is excluded by !vendor/**
vendor/github.com/docker/cli/cli/config/credentials/native_store.go is excluded by !vendor/**
vendor/github.com/docker/cli/cli/config/memorystore/store.go is excluded by !vendor/**
vendor/github.com/docker/cli/cli/config/types/authconfig.go is excluded by !vendor/**
vendor/github.com/docker/distribution/registry/client/auth/challenge/addr.go is excluded by !vendor/**
vendor/github.com/docker/distribution/registry/client/auth/challenge/authchallenge.go is excluded by !vendor/**
vendor/github.com/dustin/go-humanize/.travis.yml is excluded by !vendor/**
vendor/github.com/dustin/go-humanize/LICENSE is excluded by !vendor/**
vendor/github.com/dustin/go-humanize/README.markdown is excluded by !vendor/**
vendor/github.com/dustin/go-humanize/big.go is excluded by !vendor/**
vendor/github.com/dustin/go-humanize/bigbytes.go is excluded by !vendor/**
vendor/github.com/dustin/go-humanize/bytes.go is excluded by !vendor/**
vendor/github.com/dustin/go-humanize/comma.go is excluded by !vendor/**
vendor/github.com/dustin/go-humanize/commaf.go is excluded by !vendor/**
vendor/github.com/dustin/go-humanize/ftoa.go is excluded by !vendor/**
vendor/github.com/dustin/go-humanize/humanize.go is excluded by !vendor/**
vendor/github.com/dustin/go-humanize/number.go is excluded by !vendor/**
vendor/github.com/dustin/go-humanize/ordinals.go is excluded by !vendor/**
vendor/github.com/dustin/go-humanize/si.go is excluded by !vendor/**
vendor/github.com/dustin/go-humanize/times.go is excluded by !vendor/**
vendor/github.com/go-chi/chi/v5/.gitignore is excluded by !vendor/**
vendor/github.com/go-chi/chi/v5/CHANGELOG.md is excluded by !vendor/**
vendor/github.com/go-chi/chi/v5/CONTRIBUTING.md is excluded by !vendor/**
vendor/github.com/go-chi/chi/v5/LICENSE is excluded by !vendor/**
vendor/github.com/go-chi/chi/v5/Makefile is excluded by !vendor/**
vendor/github.com/go-chi/chi/v5/README.md is excluded by !vendor/**
vendor/github.com/go-chi/chi/v5/SECURITY.md is excluded by !vendor/**
vendor/github.com/go-chi/chi/v5/chain.go is excluded by !vendor/**
vendor/github.com/go-chi/chi/v5/chi.go is excluded by !vendor/**
vendor/github.com/go-chi/chi/v5/context.go is excluded by !vendor/**
vendor/github.com/go-chi/chi/v5/middleware/basic_auth.go is excluded by !vendor/**
vendor/github.com/go-chi/chi/v5/middleware/clean_path.go is excluded by !vendor/**
vendor/github.com/go-chi/chi/v5/middleware/compress.go is excluded by !vendor/**
vendor/github.com/go-chi/chi/v5/middleware/content_charset.go is excluded by !vendor/**
vendor/github.com/go-chi/chi/v5/middleware/content_encoding.go is excluded by !vendor/**
vendor/github.com/go-chi/chi/v5/middleware/content_type.go is excluded by !vendor/**
vendor/github.com/go-chi/chi/v5/middleware/get_head.go is excluded by !vendor/**
vendor/github.com/go-chi/chi/v5/middleware/heartbeat.go is excluded by !vendor/**
vendor/github.com/go-chi/chi/v5/middleware/logger.go is excluded by !vendor/**
vendor/github.com/go-chi/chi/v5/middleware/maybe.go is excluded by !vendor/**
vendor/github.com/go-chi/chi/v5/middleware/middleware.go is excluded by !vendor/**
vendor/github.com/go-chi/chi/v5/middleware/nocache.go is excluded by !vendor/**
vendor/github.com/go-chi/chi/v5/middleware/page_route.go is excluded by !vendor/**
vendor/github.com/go-chi/chi/v5/middleware/path_rewrite.go is excluded by !vendor/**
vendor/github.com/go-chi/chi/v5/middleware/profiler.go is excluded by !vendor/**
vendor/github.com/go-chi/chi/v5/middleware/realip.go is excluded by !vendor/**
vendor/github.com/go-chi/chi/v5/middleware/recoverer.go is excluded by !vendor/**
vendor/github.com/go-chi/chi/v5/middleware/request_id.go is excluded by !vendor/**
vendor/github.com/go-chi/chi/v5/middleware/request_size.go is excluded by !vendor/**
vendor/github.com/go-chi/chi/v5/middleware/route_headers.go is excluded by !vendor/**
vendor/github.com/go-chi/chi/v5/middleware/strip.go is excluded by !vendor/**
vendor/github.com/go-chi/chi/v5/middleware/sunset.go is excluded by !vendor/**
vendor/github.com/go-chi/chi/v5/middleware/supress_notfound.go is excluded by !vendor/**
vendor/github.com/go-chi/chi/v5/middleware/terminal.go is excluded by !vendor/**
vendor/github.com/go-chi/chi/v5/middleware/throttle.go is excluded by !vendor/**
vendor/github.com/go-chi/chi/v5/middleware/timeout.go is excluded by !vendor/**
vendor/github.com/go-chi/chi/v5/middleware/url_format.go is excluded by !vendor/**
vendor/github.com/go-chi/chi/v5/middleware/value.go is excluded by !vendor/**
vendor/github.com/go-chi/chi/v5/middleware/wrap_writer.go is excluded by !vendor/**
vendor/github.com/go-chi/chi/v5/mux.go is excluded by !vendor/**
vendor/github.com/go-chi/chi/v5/path_value.go is excluded by !vendor/**
vendor/github.com/go-chi/chi/v5/path_value_fallback.go is excluded by !vendor/**
vendor/github.com/go-chi/chi/v5/pattern.go is excluded by !vendor/**
vendor/github.com/go-chi/chi/v5/pattern_fallback.go is excluded by !vendor/**
vendor/github.com/go-chi/chi/v5/tree.go is excluded by !vendor/**
vendor/github.com/go-openapi/analysis/.codecov.yml is excluded by !vendor/**
vendor/github.com/go-openapi/analysis/.gitattributes is excluded by !vendor/**
vendor/github.com/go-openapi/analysis/.gitignore is excluded by !vendor/**
vendor/github.com/go-openapi/analysis/.golangci.yml is excluded by !vendor/**
vendor/github.com/go-openapi/analysis/CODE_OF_CONDUCT.md is excluded by !vendor/**
vendor/github.com/go-openapi/analysis/LICENSE is excluded by !vendor/**
vendor/github.com/go-openapi/analysis/README.md is excluded by !vendor/**
vendor/github.com/go-openapi/analysis/analyzer.go is excluded by !vendor/**
vendor/github.com/go-openapi/analysis/debug.go is excluded by !vendor/**
vendor/github.com/go-openapi/analysis/doc.go is excluded by !vendor/**
vendor/github.com/go-openapi/analysis/errors.go is excluded by !vendor/**
vendor/github.com/go-openapi/analysis/fixer.go is excluded by !vendor/**
vendor/github.com/go-openapi/analysis/flatten.go is excluded by !vendor/**
vendor/github.com/go-openapi/analysis/flatten_name.go is excluded by !vendor/**
vendor/github.com/go-openapi/analysis/flatten_options.go is excluded by !vendor/**
vendor/github.com/go-openapi/analysis/internal/debug/debug.go is excluded by !vendor/**
vendor/github.com/go-openapi/analysis/internal/flatten/normalize/normalize.go is excluded by !vendor/**
vendor/github.com/go-openapi/analysis/internal/flatten/operations/operations.go is excluded by !vendor/**
vendor/github.com/go-openapi/analysis/internal/flatten/replace/errors.go is excluded by !vendor/**
vendor/github.com/go-openapi/analysis/internal/flatten/replace/replace.go is excluded by !vendor/**
vendor/github.com/go-openapi/analysis/internal/flatten/schutils/flatten_schema.go is excluded by !vendor/**
vendor/github.com/go-openapi/analysis/internal/flatten/sortref/keys.go is excluded by !vendor/**
vendor/github.com/go-openapi/analysis/internal/flatten/sortref/sort_ref.go is excluded by !vendor/**
vendor/github.com/go-openapi/analysis/mixin.go is excluded by !vendor/**
vendor/github.com/go-openapi/analysis/schema.go is excluded by !vendor/**
vendor/github.com/go-openapi/errors/.gitattributes is excluded by !vendor/**
vendor/github.com/go-openapi/errors/.gitignore is excluded by !vendor/**
vendor/github.com/go-openapi/errors/.golangci.yml is excluded by !vendor/**
vendor/github.com/go-openapi/errors/CODE_OF_CONDUCT.md is excluded by !vendor/**
vendor/github.com/go-openapi/errors/LICENSE is excluded by !vendor/**
vendor/github.com/go-openapi/errors/README.md is excluded by !vendor/**
vendor/github.com/go-openapi/errors/api.go is excluded by !vendor/**
vendor/github.com/go-openapi/errors/auth.go is excluded by !vendor/**
vendor/github.com/go-openapi/errors/doc.go is excluded by !vendor/**
vendor/github.com/go-openapi/errors/headers.go is excluded by !vendor/**
vendor/github.com/go-openapi/errors/middleware.go is excluded by !vendor/**
vendor/github.com/go-openapi/errors/parsing.go is excluded by !vendor/**
vendor/github.com/go-openapi/errors/schema.go is excluded by !vendor/**
vendor/github.com/go-openapi/jsonpointer/.golangci.yml is excluded by !vendor/**
vendor/github.com/go-openapi/jsonpointer/README.md is excluded by !vendor/**
vendor/github.com/go-openapi/jsonpointer/pointer.go is excluded by !vendor/**
vendor/github.com/go-openapi/jsonreference/.golangci.yml is excluded by !vendor/**
vendor/github.com/go-openapi/jsonreference/NOTICE is excluded by !vendor/**
vendor/github.com/go-openapi/jsonreference/README.md is excluded by !vendor/**
vendor/github.com/go-openapi/jsonreference/internal/normalize_url.go is excluded by !vendor/**
vendor/github.com/go-openapi/jsonreference/reference.go is excluded by !vendor/**
vendor/github.com/go-openapi/loads/.editorconfig is excluded by !vendor/**
vendor/github.com/go-openapi/loads/.gitignore is excluded by !vendor/**
vendor/github.com/go-openapi/loads/.golangci.yml is excluded by !vendor/**
vendor/github.com/go-openapi/loads/.travis.yml is excluded by !vendor/**
vendor/github.com/go-openapi/loads/CODE_OF_CONDUCT.md is excluded by !vendor/**
vendor/github.com/go-openapi/loads/LICENSE is excluded by !vendor/**
vendor/github.com/go-openapi/loads/README.md is excluded by !vendor/**
vendor/github.com/go-openapi/loads/doc.go is excluded by !vendor/**
vendor/github.com/go-openapi/loads/errors.go is excluded by !vendor/**
vendor/github.com/go-openapi/loads/loaders.go is excluded by !vendor/**
vendor/github.com/go-openapi/loads/options.go is excluded by !vendor/**
vendor/github.com/go-openapi/loads/spec.go is excluded by !vendor/**
vendor/github.com/go-openapi/runtime/.editorconfig is excluded by !vendor/**
vendor/github.com/go-openapi/runtime/.gitattributes is excluded by !vendor/**
vendor/github.com/go-openapi/runtime/.gitignore is excluded by !vendor/**
vendor/github.com/go-openapi/runtime/.golangci.yml is excluded by !vendor/**
vendor/github.com/go-openapi/runtime/CODE_OF_CONDUCT.md is excluded by !vendor/**
vendor/github.com/go-openapi/runtime/LICENSE is excluded by !vendor/**
vendor/github.com/go-openapi/runtime/README.md is excluded by !vendor/**
vendor/github.com/go-openapi/runtime/bytestream.go is excluded by !vendor/**
vendor/github.com/go-openapi/runtime/client/auth_info.go is excluded by !vendor/**
vendor/github.com/go-openapi/runtime/client/keepalive.go is excluded by !vendor/**
vendor/github.com/go-openapi/runtime/client/opentelemetry.go is excluded by !vendor/**
vendor/github.com/go-openapi/runtime/client/request.go is excluded by !vendor/**
vendor/github.com/go-openapi/runtime/client/response.go is excluded by !vendor/**
vendor/github.com/go-openapi/runtime/client/runtime.go is excluded by !vendor/**
vendor/github.com/go-openapi/runtime/client_auth_info.go is excluded by !vendor/**
vendor/github.com/go-openapi/runtime/client_operation.go is excluded by !vendor/**
vendor/github.com/go-openapi/runtime/client_request.go is excluded by !vendor/**
vendor/github.com/go-openapi/runtime/client_response.go is excluded by !vendor/**
vendor/github.com/go-openapi/runtime/constants.go is excluded by !vendor/**
vendor/github.com/go-openapi/runtime/csv.go is excluded by !vendor/**
vendor/github.com/go-openapi/runtime/csv_options.go is excluded by !vendor/**
vendor/github.com/go-openapi/runtime/discard.go is excluded by !vendor/**
vendor/github.com/go-openapi/runtime/file.go is excluded by !vendor/**
vendor/github.com/go-openapi/runtime/go.work.sum is excluded by !**/*.sum, !vendor/**
vendor/github.com/go-openapi/runtime/headers.go is excluded by !vendor/**
vendor/github.com/go-openapi/runtime/interfaces.go is excluded by !vendor/**
vendor/github.com/go-openapi/runtime/json.go is excluded by !vendor/**
vendor/github.com/go-openapi/runtime/logger/logger.go is excluded by !vendor/**
vendor/github.com/go-openapi/runtime/logger/standard.go is excluded by !vendor/**
vendor/github.com/go-openapi/runtime/middleware/context.go is excluded by !vendor/**
vendor/github.com/go-openapi/runtime/middleware/denco/LICENSE is excluded by !vendor/**
vendor/github.com/go-openapi/runtime/middleware/denco/README.md is excluded by !vendor/**
vendor/github.com/go-openapi/runtime/middleware/denco/router.go is excluded by !vendor/**
vendor/github.com/go-openapi/runtime/middleware/denco/server.go is excluded by !vendor/**
vendor/github.com/go-openapi/runtime/middleware/denco/util.go is excluded by !vendor/**
vendor/github.com/go-openapi/runtime/middleware/doc.go is excluded by !vendor/**
vendor/github.com/go-openapi/runtime/middleware/header/header.go is excluded by !vendor/**
vendor/github.com/go-openapi/runtime/middleware/negotiate.go is excluded by !vendor/**
vendor/github.com/go-openapi/runtime/middleware/not_implemented.go is excluded by !vendor/**
vendor/github.com/go-openapi/runtime/middleware/operation.go is excluded by !vendor/**
vendor/github.com/go-openapi/runtime/middleware/parameter.go is excluded by !vendor/**
vendor/github.com/go-openapi/runtime/middleware/rapidoc.go is excluded by !vendor/**
vendor/github.com/go-openapi/runtime/middleware/redoc.go is excluded by !vendor/**
vendor/github.com/go-openapi/runtime/middleware/request.go is excluded by !vendor/**
vendor/github.com/go-openapi/runtime/middleware/router.go is excluded by !vendor/**
vendor/github.com/go-openapi/runtime/middleware/security.go is excluded by !vendor/**
vendor/github.com/go-openapi/runtime/middleware/spec.go is excluded by !vendor/**
vendor/github.com/go-openapi/runtime/middleware/swaggerui.go is excluded by !vendor/**
vendor/github.com/go-openapi/runtime/middleware/swaggerui_oauth2.go is excluded by !vendor/**
vendor/github.com/go-openapi/runtime/middleware/ui_options.go is excluded by !vendor/**
vendor/github.com/go-openapi/runtime/middleware/untyped/api.go is excluded by !vendor/**
vendor/github.com/go-openapi/runtime/middleware/validation.go is excluded by !vendor/**
vendor/github.com/go-openapi/runtime/request.go is excluded by !vendor/**
vendor/github.com/go-openapi/runtime/security/authenticator.go is excluded by !vendor/**
vendor/github.com/go-openapi/runtime/security/authorizer.go is excluded by !vendor/**
vendor/github.com/go-openapi/runtime/statuses.go is excluded by !vendor/**
vendor/github.com/go-openapi/runtime/text.go is excluded by !vendor/**
vendor/github.com/go-openapi/runtime/values.go is excluded by !vendor/**
vendor/github.com/go-openapi/runtime/xml.go is excluded by !vendor/**
vendor/github.com/go-openapi/runtime/yamlpc/yaml.go is excluded by !vendor/**
vendor/github.com/go-openapi/spec/.editorconfig is excluded by !vendor/**
vendor/github.com/go-openapi/spec/.gitignore is excluded by !vendor/**
vendor/github.com/go-openapi/spec/.golangci.yml is excluded by !vendor/**
vendor/github.com/go-openapi/spec/CODE_OF_CONDUCT.md is excluded by !vendor/**

📒 Files selected for processing (15)

.github/workflows/build.yml
.github/workflows/e2e.yml
.github/workflows/lint.yml
.github/workflows/test-images.yml
.gitignore
Dockerfile
api/v1alpha1/operatorconfig_types.go
api/v1alpha1/zz_generated.deepcopy.go
cmd/caib/README.md
config/manager/kustomization.yaml
go.mod
internal/buildapi/bundle_verify_test.go
internal/buildapi/server.go
internal/common/bundleverify/verify.go
internal/common/bundleverify/verify_test.go

✅ Files skipped from review due to trivial changes (5)

config/manager/kustomization.yaml
Dockerfile
.gitignore
.github/workflows/build.yml
cmd/caib/README.md

🚧 Files skipped from review as they are similar to previous changes (2)

api/v1alpha1/operatorconfig_types.go
internal/buildapi/server.go

coderabbitai · 2026-05-11T04:59:11Z

GHSA-j5q5-j9gm-2w5c

 	github.com/spf13/cobra v1.10.2
 	github.com/spf13/pflag v1.0.10 // indirect
 	github.com/stoewer/go-strcase v1.3.1 // indirect
 	github.com/tektoncd/pipeline v1.6.0


⚠️ Potential issue | 🔴 Critical | 🏗️ Heavy lift

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash # Check latest Tekton Pipeline release and security advisories echo "=== Latest Tekton Pipeline releases ===" gh api repos/tektoncd/pipeline/releases --jq '.[0:3] | .[] | {tag_name, published_at, name}' echo -e "\n=== Security advisories for tektoncd/pipeline ===" gh api graphql -f query=' { repository(owner: "tektoncd", name: "pipeline") { vulnerabilityAlerts(first: 10) { nodes { securityAdvisory { ghsaId summary severity publishedAt } vulnerableManifestFilename vulnerableRequirements fixedIn } } } }' echo -e "\n=== Known CVEs affecting v1.6.0 ===" for ghsa in GHSA-94jr-7pqp-xhcq GHSA-j5q5-j9gm-2w5c GHSA-m2cx-gpqf-qf74 GHSA-cv4x-93xx-wgfj GHSA-wjxp-xrpv-xpff; do echo "--- $ghsa ---" gh api advisories/$ghsa --jq '{severity, summary, fixed_versions: .vulnerabilities[0].first_patched_version}' done

Repository: centos-automotive-suite/automotive-dev-operator

Length of output: 1935

Upgrade Tekton Pipeline immediately: v1.6.0 is severely outdated and vulnerable.

v1.6.0 contains multiple known vulnerabilities including 1 CRITICAL and 4 HIGH/MEDIUM severity issues. Most critical: GHSA-j5q5-j9gm-2w5c (path traversal in git resolver) allows arbitrary file reads from the resolver pod, and GHSA-94jr-7pqp-xhcq (git argument injection) enables RCE via unsanitized revision parameters. Current stable release is v1.12.0; upgrade path to v1.11.1 or later is recommended.

🧰 Tools

🪛 OSV Scanner (2.3.6)

[CRITICAL] 203-203: github.com/tektoncd/pipeline 1.6.0: Pipelines do not validate child UIDs in github.com/tektoncd/pipeline

(GO-2023-1901)

[CRITICAL] 203-203: github.com/tektoncd/pipeline 1.6.0: Tekton Pipelines controller panic via long resolver name in TaskRun/PipelineRun in github.com/tektoncd/pipeline

(GO-2026-4730)

[CRITICAL] 203-203: github.com/tektoncd/pipeline 1.6.0: Path traversal in Tekton Pipelines git resolver allows reading arbitrary files from the resolver pod in github.com/tektoncd/pipeline

(GO-2026-4761)

[CRITICAL] 203-203: github.com/tektoncd/pipeline 1.6.0: Tekton Pipeline: Git Resolver Unsanitized Revision Parameter Enables git Argument Injection Leading to RCE

(GHSA-94jr-7pqp-xhcq)

[CRITICAL] 203-203: github.com/tektoncd/pipeline 1.6.0: Tekton Pipelines controller panic via long resolver name in TaskRun/PipelineRun

(GHSA-cv4x-93xx-wgfj)

[CRITICAL] 203-203: github.com/tektoncd/pipeline 1.6.0: Path traversal in Tekton Pipelines git resolver allows reading arbitrary files from the resolver pod

(GHSA-j5q5-j9gm-2w5c)

[CRITICAL] 203-203: github.com/tektoncd/pipeline 1.6.0: Tekton Pipelines: HTTP Resolver Unbounded Response Body Read Enables Denial of Service via Memory Exhaustion

(GHSA-m2cx-gpqf-qf74)

[CRITICAL] 203-203: github.com/tektoncd/pipeline 1.6.0: Tekton Pipelines has VerificationPolicy regex pattern bypass via substring matching

(GHSA-rmx9-2pp3-xhcr)

[CRITICAL] 203-203: github.com/tektoncd/pipeline 1.6.0: Tekton Pipelines: VolumeMount path restriction bypass via missing filepath.Clean in /tekton/ check

(GHSA-rx35-6rhx-7858)

[CRITICAL] 203-203: github.com/tektoncd/pipeline 1.6.0: Tekton Pipelines: Git resolver API mode leaks system-configured API token to user-controlled serverURL

(GHSA-wjxp-xrpv-xpff)

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@go.mod` at line 203, The go.mod currently pins github.com/tektoncd/pipeline at v1.6.0 which is vulnerable; update the dependency line for github.com/tektoncd/pipeline to a fixed version (minimum v1.11.1, preferably the current stable v1.12.0), then run your module update (e.g., go get or the equivalent) and go mod tidy to refresh the lockfile and vendor data; after updating, run unit/integration tests and verify any pipeline API changes in call sites that import github.com/tektoncd/pipeline to fix compilation or behavioral regressions.

ambient-code

Thanks for the PR! The cosign verification flow is well-designed — loading OperatorConfig once in resolveTaskBundleRef and passing it through to verifyTaskBundle is clean, and the CEL validation rule on the CRD correctly enforces the taskBundleCosignKeyRef requirement. The fail-closed behavior on OperatorConfig load errors is the right call for a security feature.

The documentation additions (secure builds guide, image inspect) are thorough and well-structured.

A few items to address below — one looks like an accidental commit, one is a dependency consistency issue, and a couple of smaller suggestions.

Bump Go from 1.24 to 1.25 across go.mod, Dockerfile, and CI workflows to enable cosign v2.6.3 with security fixes: - cosign v2.5.0 → v2.6.3 - fulcio v1.6.6 → v1.8.5 (fixes GHSA-59jp-pj84-45mr SSRF, GHSA-f83f-xpx7-ffpw OOM) - timestamp-authority v1.2.5 → v2.0.3 (fixes GHSA-4qg8-fj49-pxjh OOM) - k8s.io/* v0.33 → v0.34 (required by cosign v2.6.3) Also fixes .gitignore: `bundle/` → `/bundle/` to stop ignoring vendor/*/bundle/ directories (was hiding sigstore vendor packages from git, causing CI build failures). Assisted-by: claude-opus-4.6

Add optional cosign public-key verification of Tekton task bundles when secure builds are enabled. OperatorConfig gains taskBundleVerify (bool) and taskBundleCosignKeyRef (ConfigMapKeySelector) fields. Key design choices: - LoadDefaultVerifier instead of ECDSA-only — supports RSA/Ed25519 keys - Registry auth via DefaultKeychain in CheckOpts.RegistryClientOpts — uses pod SA credentials for private registry access - IgnoreTlog/IgnoreSCT: offline verification with explicit public key - ConfigMap not found returns 400 (misconfiguration), not 500 - Nil OperatorConfig guard prevents NPE on (nil, nil) return Assisted-by: claude-opus-4.6

…spect docs Document new secure and reproducible build workflow in caib README: - --secure, --reproducible, --task-bundle-ref, --restore-sources flags - caib image inspect command for build provenance - Rebuilding from prior builds workflow - Note that image disk does not support --reproducible/--restore-sources (creates disk from existing container, not a full build) Assisted-by: claude-opus-4.6

Ensures Tekton Bundle signature is verified when ImageBuild CRs are created directly (bypassing the API server). Uses ConfigMapKeySelector for flexible cosign public key reference. Assisted-by: claude-opus-4.6

coderabbitai

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@go.mod`:
- Around line 21-26: The dependency versions are misaligned: update
sigs.k8s.io/controller-runtime to the v0.22.x line (to match Kubernetes v0.34)
and also bump k8s.io/apiextensions-apiserver to v0.34.1 so all k8s/* modules
(k8s.io/apimachinery, k8s.io/apiserver, k8s.io/client-go,
k8s.io/apiextensions-apiserver) use v0.34.1; alternatively, if you prefer the
older stack, downgrade k8s.io/apimachinery, k8s.io/apiserver, and
k8s.io/client-go back to the v0.33.x line to remain compatible with
sigs.k8s.io/controller-runtime v0.21.0—apply the chosen change in go.mod and run
go mod tidy to update go.sum.

In `@internal/controller/imagebuild/controller.go`:
- Around line 947-961: The error handling in the secure-build block treats all
errors as configuration errors by prefixing them with "secureBuild", which
causes transient VerifyBundle failures to be considered terminal; modify the
block around operatorConfig.Spec.OSBuilds.TaskBundleVerify (including
cosignKeyRef validation, the r.Get(ConfigMap) lookup, and the
bundleverify.VerifyBundle call) so that only genuine configuration issues
(missing cosignKeyRef, missing ConfigMap key, failed r.Get due to
NotFound/misconfig) return errors prefixed with "secureBuild", while runtime
verification errors from bundleverify.VerifyBundle are returned without the
"secureBuild" prefix (or requeued/propagated) so they are treated as transient
and can be retried. Ensure the unique symbols referenced (TaskBundleVerify,
TaskBundleCosignKeyRef, cosignKeyRef, r.Get, corev1.ConfigMap,
bundleverify.VerifyBundle) are the ones updated.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

Push a commit to this branch (recommended)
Create a new PR with the fixes

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 749a5e7e-c5f5-456a-8e10-4d392c5e69bb

📥 Commits

Reviewing files that changed from the base of the PR and between eb8399f and 7bb2e4a.

⛔ Files ignored due to path filters (283)

config/crd/bases/automotive.sdv.cloud.redhat.com_operatorconfigs.yaml is excluded by !config/crd/bases/**
config/crd/bases/automotive.sdv.cloud.redhat.com_workspaces.yaml is excluded by !config/crd/bases/**
go.sum is excluded by !**/*.sum, !**go.sum
vendor/github.com/Azure/go-ansiterm/LICENSE is excluded by !vendor/**
vendor/github.com/Azure/go-ansiterm/README.md is excluded by !vendor/**
vendor/github.com/Azure/go-ansiterm/SECURITY.md is excluded by !vendor/**
vendor/github.com/Azure/go-ansiterm/constants.go is excluded by !vendor/**
vendor/github.com/Azure/go-ansiterm/context.go is excluded by !vendor/**
vendor/github.com/Azure/go-ansiterm/csi_entry_state.go is excluded by !vendor/**
vendor/github.com/Azure/go-ansiterm/csi_param_state.go is excluded by !vendor/**
vendor/github.com/Azure/go-ansiterm/escape_intermediate_state.go is excluded by !vendor/**
vendor/github.com/Azure/go-ansiterm/escape_state.go is excluded by !vendor/**
vendor/github.com/Azure/go-ansiterm/event_handler.go is excluded by !vendor/**
vendor/github.com/Azure/go-ansiterm/ground_state.go is excluded by !vendor/**
vendor/github.com/Azure/go-ansiterm/osc_string_state.go is excluded by !vendor/**
vendor/github.com/Azure/go-ansiterm/parser.go is excluded by !vendor/**
vendor/github.com/Azure/go-ansiterm/parser_action_helpers.go is excluded by !vendor/**
vendor/github.com/Azure/go-ansiterm/parser_actions.go is excluded by !vendor/**
vendor/github.com/Azure/go-ansiterm/states.go is excluded by !vendor/**
vendor/github.com/Azure/go-ansiterm/utilities.go is excluded by !vendor/**
vendor/github.com/Azure/go-ansiterm/winterm/ansi.go is excluded by !vendor/**
vendor/github.com/Azure/go-ansiterm/winterm/api.go is excluded by !vendor/**
vendor/github.com/Azure/go-ansiterm/winterm/attr_translation.go is excluded by !vendor/**
vendor/github.com/Azure/go-ansiterm/winterm/cursor_helpers.go is excluded by !vendor/**
vendor/github.com/Azure/go-ansiterm/winterm/erase_helpers.go is excluded by !vendor/**
vendor/github.com/Azure/go-ansiterm/winterm/scroll_helper.go is excluded by !vendor/**
vendor/github.com/Azure/go-ansiterm/winterm/utilities.go is excluded by !vendor/**
vendor/github.com/Azure/go-ansiterm/winterm/win_event_handler.go is excluded by !vendor/**
vendor/github.com/asaskevich/govalidator/.gitignore is excluded by !vendor/**
vendor/github.com/asaskevich/govalidator/.travis.yml is excluded by !vendor/**
vendor/github.com/asaskevich/govalidator/CODE_OF_CONDUCT.md is excluded by !vendor/**
vendor/github.com/asaskevich/govalidator/CONTRIBUTING.md is excluded by !vendor/**
vendor/github.com/asaskevich/govalidator/LICENSE is excluded by !vendor/**
vendor/github.com/asaskevich/govalidator/README.md is excluded by !vendor/**
vendor/github.com/asaskevich/govalidator/arrays.go is excluded by !vendor/**
vendor/github.com/asaskevich/govalidator/converter.go is excluded by !vendor/**
vendor/github.com/asaskevich/govalidator/doc.go is excluded by !vendor/**
vendor/github.com/asaskevich/govalidator/error.go is excluded by !vendor/**
vendor/github.com/asaskevich/govalidator/numerics.go is excluded by !vendor/**
vendor/github.com/asaskevich/govalidator/patterns.go is excluded by !vendor/**
vendor/github.com/asaskevich/govalidator/types.go is excluded by !vendor/**
vendor/github.com/asaskevich/govalidator/utils.go is excluded by !vendor/**
vendor/github.com/asaskevich/govalidator/validator.go is excluded by !vendor/**
vendor/github.com/asaskevich/govalidator/wercker.yml is excluded by !vendor/**
vendor/github.com/blang/semver/.travis.yml is excluded by !vendor/**
vendor/github.com/blang/semver/LICENSE is excluded by !vendor/**
vendor/github.com/blang/semver/README.md is excluded by !vendor/**
vendor/github.com/blang/semver/json.go is excluded by !vendor/**
vendor/github.com/blang/semver/package.json is excluded by !vendor/**
vendor/github.com/blang/semver/range.go is excluded by !vendor/**
vendor/github.com/blang/semver/semver.go is excluded by !vendor/**
vendor/github.com/blang/semver/sort.go is excluded by !vendor/**
vendor/github.com/blang/semver/sql.go is excluded by !vendor/**
vendor/github.com/containerd/stargz-snapshotter/estargz/LICENSE is excluded by !vendor/**
vendor/github.com/containerd/stargz-snapshotter/estargz/build.go is excluded by !vendor/**
vendor/github.com/containerd/stargz-snapshotter/estargz/errorutil/errors.go is excluded by !vendor/**
vendor/github.com/containerd/stargz-snapshotter/estargz/estargz.go is excluded by !vendor/**
vendor/github.com/containerd/stargz-snapshotter/estargz/gzip.go is excluded by !vendor/**
vendor/github.com/containerd/stargz-snapshotter/estargz/testutil.go is excluded by !vendor/**
vendor/github.com/containerd/stargz-snapshotter/estargz/types.go is excluded by !vendor/**
vendor/github.com/coreos/go-oidc/v3/LICENSE is excluded by !vendor/**
vendor/github.com/coreos/go-oidc/v3/NOTICE is excluded by !vendor/**
vendor/github.com/coreos/go-oidc/v3/oidc/jose.go is excluded by !vendor/**
vendor/github.com/coreos/go-oidc/v3/oidc/jwks.go is excluded by !vendor/**
vendor/github.com/coreos/go-oidc/v3/oidc/oidc.go is excluded by !vendor/**
vendor/github.com/coreos/go-oidc/v3/oidc/verify.go is excluded by !vendor/**
vendor/github.com/digitorus/pkcs7/.gitignore is excluded by !vendor/**
vendor/github.com/digitorus/pkcs7/LICENSE is excluded by !vendor/**
vendor/github.com/digitorus/pkcs7/Makefile is excluded by !vendor/**
vendor/github.com/digitorus/pkcs7/README.md is excluded by !vendor/**
vendor/github.com/digitorus/pkcs7/ber.go is excluded by !vendor/**
vendor/github.com/digitorus/pkcs7/decrypt.go is excluded by !vendor/**
vendor/github.com/digitorus/pkcs7/encrypt.go is excluded by !vendor/**
vendor/github.com/digitorus/pkcs7/pkcs7.go is excluded by !vendor/**
vendor/github.com/digitorus/pkcs7/sign.go is excluded by !vendor/**
vendor/github.com/digitorus/pkcs7/verify.go is excluded by !vendor/**
vendor/github.com/digitorus/pkcs7/verify_test_dsa.go is excluded by !vendor/**
vendor/github.com/digitorus/timestamp/LICENSE is excluded by !vendor/**
vendor/github.com/digitorus/timestamp/README.md is excluded by !vendor/**
vendor/github.com/digitorus/timestamp/borrowed.go is excluded by !vendor/**
vendor/github.com/digitorus/timestamp/rfc3161_struct.go is excluded by !vendor/**
vendor/github.com/digitorus/timestamp/signing_cert_v2_struct.go is excluded by !vendor/**
vendor/github.com/digitorus/timestamp/timestamp.go is excluded by !vendor/**
vendor/github.com/docker/cli/AUTHORS is excluded by !vendor/**
vendor/github.com/docker/cli/LICENSE is excluded by !vendor/**
vendor/github.com/docker/cli/NOTICE is excluded by !vendor/**
vendor/github.com/docker/cli/cli/config/config.go is excluded by !vendor/**
vendor/github.com/docker/cli/cli/config/configfile/file.go is excluded by !vendor/**
vendor/github.com/docker/cli/cli/config/configfile/file_unix.go is excluded by !vendor/**
vendor/github.com/docker/cli/cli/config/configfile/file_windows.go is excluded by !vendor/**
vendor/github.com/docker/cli/cli/config/credentials/credentials.go is excluded by !vendor/**
vendor/github.com/docker/cli/cli/config/credentials/default_store.go is excluded by !vendor/**
vendor/github.com/docker/cli/cli/config/credentials/default_store_darwin.go is excluded by !vendor/**
vendor/github.com/docker/cli/cli/config/credentials/default_store_linux.go is excluded by !vendor/**
vendor/github.com/docker/cli/cli/config/credentials/default_store_unsupported.go is excluded by !vendor/**
vendor/github.com/docker/cli/cli/config/credentials/default_store_windows.go is excluded by !vendor/**
vendor/github.com/docker/cli/cli/config/credentials/file_store.go is excluded by !vendor/**
vendor/github.com/docker/cli/cli/config/credentials/native_store.go is excluded by !vendor/**
vendor/github.com/docker/cli/cli/config/memorystore/store.go is excluded by !vendor/**
vendor/github.com/docker/cli/cli/config/types/authconfig.go is excluded by !vendor/**
vendor/github.com/docker/distribution/registry/client/auth/challenge/addr.go is excluded by !vendor/**
vendor/github.com/docker/distribution/registry/client/auth/challenge/authchallenge.go is excluded by !vendor/**
vendor/github.com/dustin/go-humanize/.travis.yml is excluded by !vendor/**
vendor/github.com/dustin/go-humanize/LICENSE is excluded by !vendor/**
vendor/github.com/dustin/go-humanize/README.markdown is excluded by !vendor/**
vendor/github.com/dustin/go-humanize/big.go is excluded by !vendor/**
vendor/github.com/dustin/go-humanize/bigbytes.go is excluded by !vendor/**
vendor/github.com/dustin/go-humanize/bytes.go is excluded by !vendor/**
vendor/github.com/dustin/go-humanize/comma.go is excluded by !vendor/**
vendor/github.com/dustin/go-humanize/commaf.go is excluded by !vendor/**
vendor/github.com/dustin/go-humanize/ftoa.go is excluded by !vendor/**
vendor/github.com/dustin/go-humanize/humanize.go is excluded by !vendor/**
vendor/github.com/dustin/go-humanize/number.go is excluded by !vendor/**
vendor/github.com/dustin/go-humanize/ordinals.go is excluded by !vendor/**
vendor/github.com/dustin/go-humanize/si.go is excluded by !vendor/**
vendor/github.com/dustin/go-humanize/times.go is excluded by !vendor/**
vendor/github.com/go-chi/chi/v5/.gitignore is excluded by !vendor/**
vendor/github.com/go-chi/chi/v5/CHANGELOG.md is excluded by !vendor/**
vendor/github.com/go-chi/chi/v5/CONTRIBUTING.md is excluded by !vendor/**
vendor/github.com/go-chi/chi/v5/LICENSE is excluded by !vendor/**
vendor/github.com/go-chi/chi/v5/Makefile is excluded by !vendor/**
vendor/github.com/go-chi/chi/v5/README.md is excluded by !vendor/**
vendor/github.com/go-chi/chi/v5/SECURITY.md is excluded by !vendor/**
vendor/github.com/go-chi/chi/v5/chain.go is excluded by !vendor/**
vendor/github.com/go-chi/chi/v5/chi.go is excluded by !vendor/**
vendor/github.com/go-chi/chi/v5/context.go is excluded by !vendor/**
vendor/github.com/go-chi/chi/v5/middleware/basic_auth.go is excluded by !vendor/**
vendor/github.com/go-chi/chi/v5/middleware/clean_path.go is excluded by !vendor/**
vendor/github.com/go-chi/chi/v5/middleware/compress.go is excluded by !vendor/**
vendor/github.com/go-chi/chi/v5/middleware/content_charset.go is excluded by !vendor/**
vendor/github.com/go-chi/chi/v5/middleware/content_encoding.go is excluded by !vendor/**
vendor/github.com/go-chi/chi/v5/middleware/content_type.go is excluded by !vendor/**
vendor/github.com/go-chi/chi/v5/middleware/get_head.go is excluded by !vendor/**
vendor/github.com/go-chi/chi/v5/middleware/heartbeat.go is excluded by !vendor/**
vendor/github.com/go-chi/chi/v5/middleware/logger.go is excluded by !vendor/**
vendor/github.com/go-chi/chi/v5/middleware/maybe.go is excluded by !vendor/**
vendor/github.com/go-chi/chi/v5/middleware/middleware.go is excluded by !vendor/**
vendor/github.com/go-chi/chi/v5/middleware/nocache.go is excluded by !vendor/**
vendor/github.com/go-chi/chi/v5/middleware/page_route.go is excluded by !vendor/**
vendor/github.com/go-chi/chi/v5/middleware/path_rewrite.go is excluded by !vendor/**
vendor/github.com/go-chi/chi/v5/middleware/profiler.go is excluded by !vendor/**
vendor/github.com/go-chi/chi/v5/middleware/realip.go is excluded by !vendor/**
vendor/github.com/go-chi/chi/v5/middleware/recoverer.go is excluded by !vendor/**
vendor/github.com/go-chi/chi/v5/middleware/request_id.go is excluded by !vendor/**
vendor/github.com/go-chi/chi/v5/middleware/request_size.go is excluded by !vendor/**
vendor/github.com/go-chi/chi/v5/middleware/route_headers.go is excluded by !vendor/**
vendor/github.com/go-chi/chi/v5/middleware/strip.go is excluded by !vendor/**
vendor/github.com/go-chi/chi/v5/middleware/sunset.go is excluded by !vendor/**
vendor/github.com/go-chi/chi/v5/middleware/supress_notfound.go is excluded by !vendor/**
vendor/github.com/go-chi/chi/v5/middleware/terminal.go is excluded by !vendor/**
vendor/github.com/go-chi/chi/v5/middleware/throttle.go is excluded by !vendor/**
vendor/github.com/go-chi/chi/v5/middleware/timeout.go is excluded by !vendor/**
vendor/github.com/go-chi/chi/v5/middleware/url_format.go is excluded by !vendor/**
vendor/github.com/go-chi/chi/v5/middleware/value.go is excluded by !vendor/**
vendor/github.com/go-chi/chi/v5/middleware/wrap_writer.go is excluded by !vendor/**
vendor/github.com/go-chi/chi/v5/mux.go is excluded by !vendor/**
vendor/github.com/go-chi/chi/v5/path_value.go is excluded by !vendor/**
vendor/github.com/go-chi/chi/v5/path_value_fallback.go is excluded by !vendor/**
vendor/github.com/go-chi/chi/v5/pattern.go is excluded by !vendor/**
vendor/github.com/go-chi/chi/v5/pattern_fallback.go is excluded by !vendor/**
vendor/github.com/go-chi/chi/v5/tree.go is excluded by !vendor/**
vendor/github.com/go-openapi/analysis/.codecov.yml is excluded by !vendor/**
vendor/github.com/go-openapi/analysis/.gitattributes is excluded by !vendor/**
vendor/github.com/go-openapi/analysis/.gitignore is excluded by !vendor/**
vendor/github.com/go-openapi/analysis/.golangci.yml is excluded by !vendor/**
vendor/github.com/go-openapi/analysis/CODE_OF_CONDUCT.md is excluded by !vendor/**
vendor/github.com/go-openapi/analysis/LICENSE is excluded by !vendor/**
vendor/github.com/go-openapi/analysis/README.md is excluded by !vendor/**
vendor/github.com/go-openapi/analysis/analyzer.go is excluded by !vendor/**
vendor/github.com/go-openapi/analysis/debug.go is excluded by !vendor/**
vendor/github.com/go-openapi/analysis/doc.go is excluded by !vendor/**
vendor/github.com/go-openapi/analysis/errors.go is excluded by !vendor/**
vendor/github.com/go-openapi/analysis/fixer.go is excluded by !vendor/**
vendor/github.com/go-openapi/analysis/flatten.go is excluded by !vendor/**
vendor/github.com/go-openapi/analysis/flatten_name.go is excluded by !vendor/**
vendor/github.com/go-openapi/analysis/flatten_options.go is excluded by !vendor/**
vendor/github.com/go-openapi/analysis/internal/debug/debug.go is excluded by !vendor/**
vendor/github.com/go-openapi/analysis/internal/flatten/normalize/normalize.go is excluded by !vendor/**
vendor/github.com/go-openapi/analysis/internal/flatten/operations/operations.go is excluded by !vendor/**
vendor/github.com/go-openapi/analysis/internal/flatten/replace/errors.go is excluded by !vendor/**
vendor/github.com/go-openapi/analysis/internal/flatten/replace/replace.go is excluded by !vendor/**
vendor/github.com/go-openapi/analysis/internal/flatten/schutils/flatten_schema.go is excluded by !vendor/**
vendor/github.com/go-openapi/analysis/internal/flatten/sortref/keys.go is excluded by !vendor/**
vendor/github.com/go-openapi/analysis/internal/flatten/sortref/sort_ref.go is excluded by !vendor/**
vendor/github.com/go-openapi/analysis/mixin.go is excluded by !vendor/**
vendor/github.com/go-openapi/analysis/schema.go is excluded by !vendor/**
vendor/github.com/go-openapi/errors/.gitattributes is excluded by !vendor/**
vendor/github.com/go-openapi/errors/.gitignore is excluded by !vendor/**
vendor/github.com/go-openapi/errors/.golangci.yml is excluded by !vendor/**
vendor/github.com/go-openapi/errors/CODE_OF_CONDUCT.md is excluded by !vendor/**
vendor/github.com/go-openapi/errors/LICENSE is excluded by !vendor/**
vendor/github.com/go-openapi/errors/README.md is excluded by !vendor/**
vendor/github.com/go-openapi/errors/api.go is excluded by !vendor/**
vendor/github.com/go-openapi/errors/auth.go is excluded by !vendor/**
vendor/github.com/go-openapi/errors/doc.go is excluded by !vendor/**
vendor/github.com/go-openapi/errors/headers.go is excluded by !vendor/**
vendor/github.com/go-openapi/errors/middleware.go is excluded by !vendor/**
vendor/github.com/go-openapi/errors/parsing.go is excluded by !vendor/**
vendor/github.com/go-openapi/errors/schema.go is excluded by !vendor/**
vendor/github.com/go-openapi/jsonpointer/.golangci.yml is excluded by !vendor/**
vendor/github.com/go-openapi/jsonpointer/README.md is excluded by !vendor/**
vendor/github.com/go-openapi/jsonpointer/pointer.go is excluded by !vendor/**
vendor/github.com/go-openapi/jsonreference/.golangci.yml is excluded by !vendor/**
vendor/github.com/go-openapi/jsonreference/NOTICE is excluded by !vendor/**
vendor/github.com/go-openapi/jsonreference/README.md is excluded by !vendor/**
vendor/github.com/go-openapi/jsonreference/internal/normalize_url.go is excluded by !vendor/**
vendor/github.com/go-openapi/jsonreference/reference.go is excluded by !vendor/**
vendor/github.com/go-openapi/loads/.editorconfig is excluded by !vendor/**
vendor/github.com/go-openapi/loads/.gitignore is excluded by !vendor/**
vendor/github.com/go-openapi/loads/.golangci.yml is excluded by !vendor/**
vendor/github.com/go-openapi/loads/.travis.yml is excluded by !vendor/**
vendor/github.com/go-openapi/loads/CODE_OF_CONDUCT.md is excluded by !vendor/**
vendor/github.com/go-openapi/loads/LICENSE is excluded by !vendor/**
vendor/github.com/go-openapi/loads/README.md is excluded by !vendor/**
vendor/github.com/go-openapi/loads/doc.go is excluded by !vendor/**
vendor/github.com/go-openapi/loads/errors.go is excluded by !vendor/**
vendor/github.com/go-openapi/loads/loaders.go is excluded by !vendor/**
vendor/github.com/go-openapi/loads/options.go is excluded by !vendor/**
vendor/github.com/go-openapi/loads/spec.go is excluded by !vendor/**
vendor/github.com/go-openapi/runtime/.editorconfig is excluded by !vendor/**
vendor/github.com/go-openapi/runtime/.gitattributes is excluded by !vendor/**
vendor/github.com/go-openapi/runtime/.gitignore is excluded by !vendor/**
vendor/github.com/go-openapi/runtime/.golangci.yml is excluded by !vendor/**
vendor/github.com/go-openapi/runtime/CODE_OF_CONDUCT.md is excluded by !vendor/**
vendor/github.com/go-openapi/runtime/LICENSE is excluded by !vendor/**
vendor/github.com/go-openapi/runtime/README.md is excluded by !vendor/**
vendor/github.com/go-openapi/runtime/bytestream.go is excluded by !vendor/**
vendor/github.com/go-openapi/runtime/client/auth_info.go is excluded by !vendor/**
vendor/github.com/go-openapi/runtime/client/keepalive.go is excluded by !vendor/**
vendor/github.com/go-openapi/runtime/client/opentelemetry.go is excluded by !vendor/**
vendor/github.com/go-openapi/runtime/client/request.go is excluded by !vendor/**
vendor/github.com/go-openapi/runtime/client/response.go is excluded by !vendor/**
vendor/github.com/go-openapi/runtime/client/runtime.go is excluded by !vendor/**
vendor/github.com/go-openapi/runtime/client_auth_info.go is excluded by !vendor/**
vendor/github.com/go-openapi/runtime/client_operation.go is excluded by !vendor/**
vendor/github.com/go-openapi/runtime/client_request.go is excluded by !vendor/**
vendor/github.com/go-openapi/runtime/client_response.go is excluded by !vendor/**
vendor/github.com/go-openapi/runtime/constants.go is excluded by !vendor/**
vendor/github.com/go-openapi/runtime/csv.go is excluded by !vendor/**
vendor/github.com/go-openapi/runtime/csv_options.go is excluded by !vendor/**
vendor/github.com/go-openapi/runtime/discard.go is excluded by !vendor/**
vendor/github.com/go-openapi/runtime/file.go is excluded by !vendor/**
vendor/github.com/go-openapi/runtime/go.work.sum is excluded by !**/*.sum, !vendor/**
vendor/github.com/go-openapi/runtime/headers.go is excluded by !vendor/**
vendor/github.com/go-openapi/runtime/interfaces.go is excluded by !vendor/**
vendor/github.com/go-openapi/runtime/json.go is excluded by !vendor/**
vendor/github.com/go-openapi/runtime/logger/logger.go is excluded by !vendor/**
vendor/github.com/go-openapi/runtime/logger/standard.go is excluded by !vendor/**
vendor/github.com/go-openapi/runtime/middleware/context.go is excluded by !vendor/**
vendor/github.com/go-openapi/runtime/middleware/denco/LICENSE is excluded by !vendor/**
vendor/github.com/go-openapi/runtime/middleware/denco/README.md is excluded by !vendor/**
vendor/github.com/go-openapi/runtime/middleware/denco/router.go is excluded by !vendor/**
vendor/github.com/go-openapi/runtime/middleware/denco/server.go is excluded by !vendor/**
vendor/github.com/go-openapi/runtime/middleware/denco/util.go is excluded by !vendor/**
vendor/github.com/go-openapi/runtime/middleware/doc.go is excluded by !vendor/**
vendor/github.com/go-openapi/runtime/middleware/header/header.go is excluded by !vendor/**
vendor/github.com/go-openapi/runtime/middleware/negotiate.go is excluded by !vendor/**
vendor/github.com/go-openapi/runtime/middleware/not_implemented.go is excluded by !vendor/**
vendor/github.com/go-openapi/runtime/middleware/operation.go is excluded by !vendor/**
vendor/github.com/go-openapi/runtime/middleware/parameter.go is excluded by !vendor/**
vendor/github.com/go-openapi/runtime/middleware/rapidoc.go is excluded by !vendor/**
vendor/github.com/go-openapi/runtime/middleware/redoc.go is excluded by !vendor/**
vendor/github.com/go-openapi/runtime/middleware/request.go is excluded by !vendor/**
vendor/github.com/go-openapi/runtime/middleware/router.go is excluded by !vendor/**
vendor/github.com/go-openapi/runtime/middleware/security.go is excluded by !vendor/**
vendor/github.com/go-openapi/runtime/middleware/spec.go is excluded by !vendor/**
vendor/github.com/go-openapi/runtime/middleware/swaggerui.go is excluded by !vendor/**
vendor/github.com/go-openapi/runtime/middleware/swaggerui_oauth2.go is excluded by !vendor/**
vendor/github.com/go-openapi/runtime/middleware/ui_options.go is excluded by !vendor/**
vendor/github.com/go-openapi/runtime/middleware/untyped/api.go is excluded by !vendor/**
vendor/github.com/go-openapi/runtime/middleware/validation.go is excluded by !vendor/**
vendor/github.com/go-openapi/runtime/request.go is excluded by !vendor/**
vendor/github.com/go-openapi/runtime/security/authenticator.go is excluded by !vendor/**
vendor/github.com/go-openapi/runtime/security/authorizer.go is excluded by !vendor/**
vendor/github.com/go-openapi/runtime/statuses.go is excluded by !vendor/**
vendor/github.com/go-openapi/runtime/text.go is excluded by !vendor/**
vendor/github.com/go-openapi/runtime/values.go is excluded by !vendor/**
vendor/github.com/go-openapi/runtime/xml.go is excluded by !vendor/**
vendor/github.com/go-openapi/runtime/yamlpc/yaml.go is excluded by !vendor/**
vendor/github.com/go-openapi/spec/.editorconfig is excluded by !vendor/**
vendor/github.com/go-openapi/spec/.gitignore is excluded by !vendor/**
vendor/github.com/go-openapi/spec/.golangci.yml is excluded by !vendor/**
vendor/github.com/go-openapi/spec/CODE_OF_CONDUCT.md is excluded by !vendor/**

📒 Files selected for processing (15)

.github/workflows/build.yml
.github/workflows/e2e.yml
.github/workflows/lint.yml
.github/workflows/test-images.yml
.gitignore
Dockerfile
api/v1alpha1/operatorconfig_types.go
api/v1alpha1/zz_generated.deepcopy.go
cmd/caib/README.md
go.mod
internal/buildapi/bundle_verify_test.go
internal/buildapi/server.go
internal/common/bundleverify/verify.go
internal/common/bundleverify/verify_test.go
internal/controller/imagebuild/controller.go

✅ Files skipped from review due to trivial changes (7)

Dockerfile
.gitignore
.github/workflows/lint.yml
.github/workflows/e2e.yml
.github/workflows/test-images.yml
api/v1alpha1/zz_generated.deepcopy.go
cmd/caib/README.md

🚧 Files skipped from review as they are similar to previous changes (6)

internal/common/bundleverify/verify_test.go
.github/workflows/build.yml
api/v1alpha1/operatorconfig_types.go
internal/common/bundleverify/verify.go
internal/buildapi/server.go
internal/buildapi/bundle_verify_test.go

VerifyBundle errors (registry timeouts, network issues) should requeue for retry, not permanently fail the build. Only config errors (missing key ref, missing ConfigMap) use the "secureBuild" prefix that triggers terminal failure classification. Assisted-by: claude-opus-4.6

controller-runtime v0.21 targets k8s 1.33 (v0.33.x), but k8s modules were already bumped to v0.34. Upgrade controller-runtime to v0.22.5 and all k8s.io modules to v0.34.7 for consistent compatibility. Assisted-by: claude-opus-4.6

fix: auto-discover auth file for ORAS referrers discovery

687856d

Signed-off-by: Benny Zlotnik <bzlotnik@redhat.com> Assisted-by: claude-opus-4.6

coderabbitai Bot reviewed May 10, 2026

View reviewed changes

Comment thread cmd/caib/README.md

Comment thread go.mod Outdated

Comment thread internal/common/bundleverify/verify.go Outdated

bennyz force-pushed the bundle-management branch from d58c304 to eb8399f Compare May 10, 2026 17:41

coderabbitai Bot reviewed May 11, 2026

View reviewed changes

ambient-code Bot reviewed May 11, 2026

View reviewed changes

Comment thread config/manager/kustomization.yaml Outdated

Comment thread go.mod Outdated

Comment thread internal/buildapi/server.go

Comment thread internal/common/bundleverify/verify.go

Comment thread Dockerfile Outdated

bennyz force-pushed the bundle-management branch 2 times, most recently from a86b435 to a54c0da Compare May 11, 2026 05:20

bennyz added 3 commits May 11, 2026 08:26

bennyz force-pushed the bundle-management branch from a54c0da to 190fdc9 Compare May 11, 2026 05:26

feat: add cosign bundle verification in controller reconciler

7bb2e4a

Ensures Tekton Bundle signature is verified when ImageBuild CRs are created directly (bypassing the API server). Uses ConfigMapKeySelector for flexible cosign public key reference. Assisted-by: claude-opus-4.6

coderabbitai Bot reviewed May 11, 2026

View reviewed changes

Comment thread go.mod Outdated

Comment thread internal/controller/imagebuild/controller.go Outdated

bennyz added 2 commits May 11, 2026 09:12

bennyz requested a review from bkhizgiy May 11, 2026 07:34

bkhizgiy approved these changes May 11, 2026

View reviewed changes

bennyz merged commit 5b74656 into centos-automotive-suite:main May 11, 2026
4 checks passed

bennyz deleted the bundle-management branch May 11, 2026 13:28

coderabbitai Bot mentioned this pull request May 12, 2026

feat: add private registry support to workspaces #280

Merged

10 tasks

Conversation

bennyz commented May 10, 2026 • edited by coderabbitai Bot Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Summary

Related Issues

Type of Change

Testing

Summary by CodeRabbit

Uh oh!

coderabbitai Bot commented May 10, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Rate limit exceeded

Walkthrough

Changes

Estimated code review effort

Possibly related PRs

Suggested reviewers

Poem

❌ Failed checks (1 warning)

Uh oh!

coderabbitai Bot left a comment

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Uh oh!

Uh oh!

bennyz commented May 11, 2026

Uh oh!

bennyz commented May 11, 2026

Uh oh!

coderabbitai Bot commented May 11, 2026

Uh oh!

coderabbitai Bot left a comment

Choose a reason for hiding this comment

Uh oh!

coderabbitai Bot May 11, 2026

Choose a reason for hiding this comment

Uh oh!

ambient-code Bot left a comment

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

coderabbitai Bot left a comment

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants

bennyz commented May 10, 2026 •

edited by coderabbitai Bot

Loading

coderabbitai Bot commented May 10, 2026 •

edited

Loading