chore(deps): Update ubi-minimal base image #3326

Open
simonbaird wants to merge 2 commits into conforma:main from simonbaird:main-ubi-bump-260526154411

@simonbaird
Member

No description provided.

@coderabbitai

coderabbitai Bot commented May 26, 2026

📝 Walkthrough

Refresh pinned container base image digests in three Dockerfiles, upgrade the jq RPM lock entries for four architectures, and perform widespread Go dependency version bumps across acceptance/go.mod, go.mod, tools/go.mod, and tools/kubectl/go.mod.

Changes

Dependency & build artifacts

| Layer / File(s) | Summary |
|---|---|
| Base image digest updates: Dockerfile, Dockerfile.dist, acceptance/kubernetes/kind/acceptance.Dockerfile | The ubi-minimal base image digest is updated to a new pinned SHA256 in production, distribution, and acceptance Dockerfiles. |
| jq RPM lock updates: rpms.lock.yaml | The jq package is upgraded from el9_7.0.2 to el9_8.2 across aarch64, ppc64le, s390x, and x86_64, updating RPM URLs, checksums, and EVR/sourcerpm metadata. |
| acceptance/go.mod dependency changes: acceptance/go.mod | Bump direct and indirect dependencies (google/go-containerregistry, sigstore, tekton, k8s libs), remove some indirect OpenCensus/cloud modules, and add/update Prometheus/OpenTelemetry entries. |
| project go.mod updates: go.mod | Bump multiple direct requirements and perform a large indirect refresh across OpenTelemetry, Prometheus, Google/GRPC, AWS, and Kubernetes-related modules. |
| tools/go.mod dependency changes: tools/go.mod | Update many indirect tooling dependencies: cloud SDKs (GCP/Azure/AWS), docker/cli, Prometheus OTLP translator, Sigstore, Tekton, OpenTelemetry, and golang.org/x/* modules. |
| tools/kubectl/go.mod updates: tools/kubectl/go.mod | Bump indirect go-openapi and other tooling dependencies, plus a broad refresh of Prometheus, golang.org/x, and k8s.io indirect modules. |

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
| Check name | Status | Explanation |
|---|---|---|
| Title check | ✅ Passed | The title accurately reflects the main change: updating the ubi-minimal base image digest across multiple Dockerfiles and related dependencies. |
| Description check | ✅ Passed | No description was provided by the author, but this is a very lenient check that passes with any description related to the changeset or no description at all. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |

@codecov

codecov Bot commented May 26, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.

| Flag | Coverage Δ |
|---|---|
| acceptance | 55.61% <ø> (+<0.01%) ⬆️ |
| generative | 17.82% <ø> (ø) |
| integration | 26.56% <ø> (ø) |
| unit | 69.04% <ø> (ø) |

Flags with carried forward coverage won't be shown. Click here to find out more.
see 1 file with indirect coverage changes

@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 1

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (2)
tools/kubectl/go.mod (1)

5-5: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Align Kubernetes dependency minors in tools/kubectl/go.mod

  • k8s.io/kubernetes v1.34.2 (line 5) is mixed with k8s.io/api, k8s.io/apimachinery, and k8s.io/client-go at v0.35.4 (lines 79–82); align these to the same Kubernetes minor to avoid incompatibilities.
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@tools/kubectl/go.mod` at line 5, The go.mod mixes Kubernetes minor versions:
k8s.io/kubernetes is set to v1.34.2 while k8s.io/api, k8s.io/apimachinery and
k8s.io/client-go are at v0.35.4; update these dependencies so all
Kubernetes-related modules share the same minor version (either bump
k8s.io/kubernetes to the 1.35.x series to match v0.35.4 modules or downgrade the
other three to the 0.34.x equivalents), e.g., adjust the version strings for
k8s.io/kubernetes, k8s.io/api, k8s.io/apimachinery, and k8s.io/client-go to the
same Kubernetes minor to avoid incompatibilities.
tools/go.mod (1)

15-15: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Fix Kubernetes module version skew in tools/go.mod.

tools/go.mod pins k8s.io/kubernetes v1.34.2 (line 15) while k8s.io/api, k8s.io/apimachinery, k8s.io/apiserver, k8s.io/client-go, and k8s.io/component-base are pinned to v0.35.4 (lines 604–610). This cross-minor mismatch (core 1.34 vs libs ~1.35) is high risk for dependency/tooling/build compatibility; align all k8s.io/* pins to the same minor series.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@tools/go.mod` at line 15, Update the Kubernetes core module pin so all
k8s.io/* modules use the same minor series: change the k8s.io/kubernetes
requirement (currently v1.34.2) to the matching 1.35 series used by the other
modules (e.g., v1.35.4) so it aligns with k8s.io/api, k8s.io/apimachinery,
k8s.io/apiserver, k8s.io/client-go, and k8s.io/component-base (v0.35.4) and then
run go mod tidy to verify dependency resolution.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Enterprise

Run ID: 0c147247-c36a-4567-981d-63e69fa18dcd

📥 Commits

Reviewing files that changed from the base of the PR and between 01a3a1f and 5576633.

⛔ Files ignored due to path filters (4)
  • acceptance/go.sum is excluded by !**/*.sum
  • go.sum is excluded by !**/*.sum
  • tools/go.sum is excluded by !**/*.sum
  • tools/kubectl/go.sum is excluded by !**/*.sum
📒 Files selected for processing (4)
  • acceptance/go.mod
  • go.mod
  • tools/go.mod
  • tools/kubectl/go.mod

Comment thread acceptance/go.mod
github.com/go-git/go-git/v5 v5.17.1
github.com/go-openapi/strfmt v0.26.1
github.com/google/go-containerregistry v0.21.0
github.com/google/go-containerregistry v0.21.5
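Review bot: Nothing in the PR says why github.com/google/go-containerregistry moves from v0.21.0 to v0.21.5 (the last two lines of this hunk) in a change titled "Update ubi-minimal base image" with no description. Add a description that explains why Go module versions change together with the base image digest, or split the go.mod bumps into their own PR so the image update and the module updates can be reviewed and reverted separately.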

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

```bash
#!/bin/bash
# Verify whether replace overrides the intended upgraded version and where else this pattern exists.
set -euo pipefail

echo "== acceptance/go.mod relevant lines =="
sed -n '1,90p' acceptance/go.mod | nl -ba | sed -n '1,90p'

echo
echo "== All go-containerregistry require/replace entries across repo =="
rg -n --type=gomod 'github.com/google/go-containerregistry|replace\s+github.com/google/go-containerregistry'
```

Repository: conforma/cli

Length of output: 156


🏁 Script executed:

```bash
#!/bin/bash
set -euo pipefail

FILE="acceptance/go.mod"
echo "== File exists? =="
test -f "$FILE" && echo "Found $FILE" || (echo "Missing $FILE" && exit 1)

echo
echo "== acceptance/go.mod (lines 1-120, numbered) =="
awk '{printf "%4d\t%s\n", NR, $0}' "$FILE" | sed -n '1,120p'

echo
echo "== Search for go-containerregistry require/replace across repo =="
rg -n --type=gomod 'github.com/google/go-containerregistry' -S . || true

echo
echo "== Specifically: replace go-containerregistry across repo =="
rg -n --type=gomod 'replace\s+github.com/google/go-containerregistry' -S . || true
```

Repository: conforma/cli

Length of output: 6513


🏁 Script executed:

```bash
#!/bin/bash
set -euo pipefail

echo "== All go-containerregistry replace directives (any go.mod) =="
rg -n --glob '*/go.mod' --hidden --follow 'replace\s+github\.com/google/go-containerregistry\s*=>' .

echo
echo "== All go-containerregistry require entries (any go.mod) =="
rg -n --glob '*/go.mod' --hidden --follow 'require\s*\(?.*github\.com/google/go-containerregistry\s+v' . || true

echo
echo "== All occurrences of go-containerregistry in any go.mod =="
rg -n --glob '*/go.mod' --hidden --follow 'github\.com/google/go-containerregistry' .
```

Repository: conforma/cli

Length of output: 947


go-containerregistry v0.21.5 bump is effectively overridden in acceptance by replace

  • acceptance/go.mod requires github.com/google/go-containerregistry v0.21.5 (line 16) but replaces it with github.com/conforma/go-containerregistry v0.20.7-0.20250703195040-6f40a3734728 (line 51), so the acceptance build won’t use the upstream v0.21.5 code directly.
  • Repo search shows this replace exists only in acceptance/go.mod, so the shadowing is scoped to the acceptance module.
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@acceptance/go.mod` at line 16, The acceptance module lists
github.com/google/go-containerregistry v0.21.5 in require but a replace
directive pointing to github.com/conforma/go-containerregistry v0.20.7-...
overrides it, so the acceptance build won’t use upstream v0.21.5; to fix, update
the acceptance go.mod to either remove the replace directive that targets
github.com/conforma/go-containerregistry (so the required
github.com/google/go-containerregistry v0.21.5 is used) or change the require to
match the replaced version and author (or update the replace to point at a
v0.21.x mirror if intentional); locate the require entry for
github.com/google/go-containerregistry and the replace directive for
github.com/conforma/go-containerregistry and make them consistent (remove or
adjust the replace) so the module resolution uses the intended version.
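
The require/replace shadowing reported in the review above can be checked mechanically before a dependency bump is merged. The following is an added example, not code from conforma/cli or from the review bot: a standard-library parser that lists every require entry overridden by a replace directive. The `Shadowed` function name and the module path example.test/acceptance are assumptions, and the check compares against the version required in the same file, not the version that minimal version selection finally picks.

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed sample built from the module versions quoted in the review above.
const sampleGoMod = `module example.test/acceptance
require (
	github.com/go-openapi/strfmt v0.26.1
	github.com/google/go-containerregistry v0.21.5 // bumped by the PR
)
replace github.com/google/go-containerregistry => github.com/conforma/go-containerregistry v0.20.7-0.20250703195040-6f40a3734728
`

// Shadowed lists each require entry that a replace directive overrides.
func Shadowed(gomod string) []string {
	required, block := map[string]string{}, "" // path -> version; open "( ... )" block
	var replaces, out []string
	for _, line := range strings.Split(gomod, "\n") {
		f, kind := strings.Fields(strings.SplitN(line, "//", 2)[0]), block
		if block == "" && len(f) > 0 {
			kind, f = f[0], f[1:] // top level: the first field names the directive
		}
		switch {
		case len(f) == 1 && f[0] == "(":
			block = kind
		case len(f) == 1 && f[0] == ")":
			block = ""
		case kind == "require" && len(f) >= 2:
			required[f[0]] = f[1]
		case kind == "replace" && len(f) >= 3:
			replaces = append(replaces, strings.Join(f, " "))
		}
	}
	for _, r := range replaces { // r is "old [version] => new [version]"
		left, right, _ := strings.Cut(r, " => ")
		old := strings.Fields(left) // a version here pins the replace to that version
		if want, ok := required[old[0]]; ok && right != "" && (len(old) == 1 || old[1] == want) {
			out = append(out, old[0]+" "+want+" => "+right)
		}
	}
	return out
}

func main() {
	fmt.Println(strings.Join(Shadowed(sampleGoMod), "\n"))
}
```

Run as a CI step over each go.mod in the repository, a non-empty result flags a version bump that never reaches the build.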
