Update registry.access.redhat.com/ubi9/go-toolset Docker tag to v1.26.3-1781070142

[red-hat-konflux-kflux-prd-rh02]

This PR contains the following updates:

Package	Type	Update	Change
registry.access.redhat.com/ubi9/go-toolset	stage	patch	1.26.2-1779959429 → 1.26.3-1781070142

---

Warning

Some dependencies could not be looked up. Check the warning logs for more information.

---

Configuration

📅 Schedule: Branch creation - "on monday" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

To execute skipped test pipelines write comment /ok-to-test.

---

Documentation

Find out how to configure dependency updates in MintMaker documentation or see all available configuration options in Renovate documentation.

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign rafabene for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[openshift-ci]

Hi @red-hat-konflux-kflux-prd-rh02[bot]. Thanks for your PR.

I'm waiting for a openshift-hyperfleet member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work.

Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[coderabbitai]

📝 Walkthrough

Summary by CodeRabbit

• Chores
  • Updated Go toolset version from 1.26.2 to 1.26.3 in the build environment, incorporating the latest patch improvements and bug fixes.

Walkthrough

The Dockerfile's multi-stage builder FROM image tag is bumped from ubi9/go-toolset:1.26.2 to ubi9/go-toolset:1.26.3. The stage alias builder is retained. No other instructions in any stage are modified.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

---

Supply chain surface — verify before merge.

This is a build-time base image substitution (CWE-829: Inclusion of Functionality from Untrusted Control Sphere). Confirm the following before merging:

1. Digest pinning — Is the new tag pinned to a specific SHA256 digest in the FROM line? A floating tag like :1.26.3 without @sha256:... is a supply chain risk. Verify the image reference in the diff includes the full digest.
2. Image provenance — Confirm ubi9/go-toolset:1.26.3 is pulled from the expected registry (registry.access.redhat.com or registry.redhat.io) and not a mirrored or shadowed source.
3. CVE delta — Run grype or trivy against the new image to confirm the bump does not introduce new CVEs relative to 1.26.2.
4. Go 1.26.3 release notes — Verify this patch release does not include breaking changes affecting the API, Sentinel, Adapter, or Broker build outputs.

🚥 Pre-merge checks | ✅ 11

✅ Passed checks (11 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title accurately describes the single change: updating the go-toolset Docker base image tag from 1.26.2 to 1.26.3 in the Dockerfile.
Description check	✅ Passed	The description documents the Docker image version update with a clear changelog table showing the patch version bump for the base image, matching the file-level changes.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Sec-02: Secrets In Log Output	✅ Passed	PR only updates Dockerfile go-toolset version; no logging code modifications. No secrets, tokens, passwords, or credentials found in log statements of production code.
No Hardcoded Secrets	✅ Passed	Dockerfile contains only a version bump (1.26.2 → 1.26.3). No hardcoded secrets, API keys, tokens, passwords, private keys, long base64 strings, or credential-embedded URLs detected.
No Weak Cryptography	✅ Passed	No weak cryptography (crypto/md5, crypto/des, crypto/rc4, SHA1 for security, ECB) or unsafe constant-time comparisons detected. PR updates go-toolset base image version only.
No Injection Vectors	✅ Passed	No SQL string concatenation (CWE-89), exec.Command injection (CWE-78), template.HTML injection (CWE-79), or unsafe yaml.Unmarshal (CWE-502) patterns found. Application uses GORM with parameterized...
No Privileged Containers	✅ Passed	PR updates only go-toolset base image version; no privileged containers, hostPID, hostNetwork, hostIPC, SYS_ADMIN, allowPrivilegeEscalation, or runAsUser:0 configurations added or modified.
No Pii Or Sensitive Data In Logs	✅ Passed	Dockerfile update contains no logging statements (slog, logr, zap, log, fmt.Print*, echo) that could expose PII, session IDs, credentials, or sensitive customer data. RUN commands only use standard...

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch konflux/mintmaker/main/docker-image-updates

✨ Simplify code

• Create PR with simplified code
• Commit simplified code in branch konflux/mintmaker/main/docker-image-updates

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@Dockerfile`:
- Line 1: The BASE_IMAGE argument uses a floating `:latest` tag instead of being
pinned to a specific digest, which violates container hardening guidelines and
increases supply-chain attack surface. Replace the `:latest` tag in the ARG
BASE_IMAGE definition with a specific digest in the format `@sha256`:... (for
example, registry.access.redhat.com/ubi9-micro@sha256:...). This single change
will automatically apply to all references of ${BASE_IMAGE}, including the FROM
statement that uses it.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Central YAML (base), Organization UI (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 90f2a0eb-ff29-4201-b163-e022f4c1770a

📥 Commits

Reviewing files that changed from the base of the PR and between b4bff38 and 4f36a97.

📒 Files selected for processing (1)

• Dockerfile

🔗 Linked repositories identified

CodeRabbit considers these linked repositories for cross-repo context during reviews:

• openshift-hyperfleet/architecture (manual)
• openshift-hyperfleet/hyperfleet-api (manual)
• openshift-hyperfleet/hyperfleet-sentinel (manual)
• openshift-hyperfleet/hyperfleet-adapter (manual)
• openshift-hyperfleet/hyperfleet-broker (manual)

[coderabbitai]

⚠️ Potential issue | 🔴 Critical | ⚖️ Poor tradeoff

Pre-existing: Runtime base image not digest-pinned (CWE-250).

Line 1 defines ARG BASE_IMAGE=registry.access.redhat.com/ubi9-micro:latest (using :latest tag). Line 39 references it in FROM ${BASE_IMAGE}. Per container hardening guidelines, base images must be pinned by digest (@sha256:...), not floating tags. This violates CWE-250 and increases supply-chain attack surface. Not caused by this PR, but should be addressed before merge.

Also applies to: 39-39

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@Dockerfile` at line 1, The BASE_IMAGE argument uses a floating `:latest` tag
instead of being pinned to a specific digest, which violates container hardening
guidelines and increases supply-chain attack surface. Replace the `:latest` tag
in the ARG BASE_IMAGE definition with a specific digest in the format
`@sha256`:... (for example, registry.access.redhat.com/ubi9-micro@sha256:...).
This single change will automatically apply to all references of ${BASE_IMAGE},
including the FROM statement that uses it.

Source: Coding guidelines