Bump ubi9/ubi-minimal from 9.8-1780378819 to 1780379098 in /build

[dependabot]

Bumps ubi9/ubi-minimal from 9.8-1780378819 to 1780379098.

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: dependabot[bot]
Once this PR has been reviewed and has the lgtm label, please assign bmeng for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[openshift-ci]

Hi @dependabot[bot]. Thanks for your PR.

I'm waiting for a openshift member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work.

Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[codecov-commenter]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 54.27%. Comparing base (81fc2f8) to head (218b7d8).

Additional details and impacted files

@@           Coverage Diff           @@
##           master     #642   +/-   ##
=======================================
  Coverage   54.27%   54.27%           
=======================================
  Files         123      123           
  Lines        6204     6204           
=======================================
  Hits         3367     3367           
  Misses       2631     2631           
  Partials      206      206           

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[coderabbitai]

Important

Review skipped

Review was skipped due to path filters

⛔ Files ignored due to path filters (2)

• build/Dockerfile is excluded by !build/**
• build/Dockerfile.olm-registry is excluded by !build/**

CodeRabbit blocks several paths by default. You can override this behavior by explicitly including those paths in the path filters. For example, including **/dist/** will override the default block on the dist directory, by removing the pattern from both the lists.

⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: f14bf2da-db2d-4bc5-bbf1-5416cc9b9c41

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

• 🔍 Trigger review

Walkthrough

This PR updates the UBI minimal base image tag from 9.8-1779809423 to 9.8-1780378819 in both build/Dockerfile and build/Dockerfile.olm-registry runtime stages. No other build steps or configuration changes are made.

Changes

Base Image Version Update

Layer / File(s)	Summary
UBI minimal base image update build/Dockerfile, build/Dockerfile.olm-registry	Runtime base image tag is updated from 9.8-1779809423 to 9.8-1780378819 in both container build configurations.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

Possibly related PRs

• openshift/managed-upgrade-operator#602: Both PRs update the same UBI minimal base image tag in build/Dockerfile and build/Dockerfile.olm-registry (only the version/digest differs).

Suggested labels

lgtm

Suggested reviewers

• charlesgong
• tkong-redhat

---

Important

Pre-merge checks failed

Please resolve all errors before merging. Addressing warnings is optional.

❌ Failed checks (1 error, 1 warning)

Check name	Status	Explanation	Resolution
Ote Binary Stdout Contract	❌ Error	main.go line 138 configures zap logger with zap.WriteTo(os.Stdout) in main(), violating OTE Binary Stdout Contract—stdout must be JSON-only for openshift-tests.	Change zap.WriteTo(os.Stdout) to zap.WriteTo(os.Stderr) at main.go:138 to redirect logging to stderr.
Title check	⚠️ Warning	The PR title contains an inconsistency: it states 'from 9.8-1780378819 to 1780379098' but the actual changes show the update is from '9.8-1779809423 to 9.8-1780378819'. The target version in the title is incomplete (missing the '9.8-' prefix) and incorrect.	Correct the PR title to accurately reflect the actual version bump: 'Bump ubi9/ubi-minimal from 9.8-1779809423 to 9.8-1780378819 in /build'

✅ Passed checks (13 passed)

Check name	Status	Explanation
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names	✅ Passed	PR only modifies Docker files (Dockerfile, Dockerfile.olm-registry), not test files. The Ginkgo test name check is not applicable.
Test Structure And Quality	✅ Passed	PR contains only Dockerfile changes with no test files; custom check for Ginkgo test code quality is not applicable to this PR.
Microshift Test Compatibility	✅ Passed	PR only updates Docker base image tags in Dockerfiles; no new Ginkgo e2e tests were added, making the MicroShift test compatibility check not applicable.
Single Node Openshift (Sno) Test Compatibility	✅ Passed	This PR only updates Docker base image tags in build/Dockerfile files; no Ginkgo e2e tests are added or modified. The SNO compatibility check applies only to new e2e tests and is not applicable here.
Topology-Aware Scheduling Compatibility	✅ Passed	PR updates only Docker base image tags in Dockerfiles, not deployment manifests. No scheduling constraints are introduced.
Ipv6 And Disconnected Network Test Compatibility	✅ Passed	New Ginkgo e2e tests have no IPv4 hardcoded addresses, IPv4-specific parsing, or external internet connectivity. Tests use only cluster-internal k8s API and Prometheus queries.
No-Weak-Crypto	✅ Passed	PR contains only Docker base image tag updates with no weak cryptographic code, custom crypto implementations, or insecure comparisons introduced or modified.
Container-Privileges	✅ Passed	PR updates Docker base image tags only. No privileged settings, host access, SYS_ADMIN capabilities, allowPrivilegeEscalation, or root execution found. Containers run as non-root users (UID 1001).
No-Sensitive-Data-In-Logs	✅ Passed	PR contains only Docker base image version updates with no logging code or sensitive data exposure in Dockerfiles.
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch dependabot/docker/build/ubi9/ubi-minimal-9.8-1780378819

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (2)

build/Dockerfile.olm-registry (1)

1-26: ⚡ Quick win

Missing HEALTHCHECK directive.

The coding guidelines require a HEALTHCHECK to be defined in Dockerfiles. This file does not include a HEALTHCHECK instruction. As per coding guidelines, container security requirements include: "HEALTHCHECK defined".

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@build/Dockerfile.olm-registry` around lines 1 - 26, Dockerfile is missing a
HEALTHCHECK; add a HEALTHCHECK instruction that probes the operator registry
server endpoint (use the existing grpc_health_probe binary or a short curl
against TCP port 50051) to ensure the container reports healthy/unhealthy
states; place the HEALTHCHECK after COPY of grpc_health_probe and before CMD,
referencing the grpc_health_probe executable and the registry-server port
(EXPOSE 50051) so the image will fail fast when registry-server is unhealthy.

build/Dockerfile (1)

1-27: ⚡ Quick win

Missing HEALTHCHECK directive.

The coding guidelines require a HEALTHCHECK to be defined in Dockerfiles. This file does not include a HEALTHCHECK instruction. As per coding guidelines, container security requirements include: "HEALTHCHECK defined".

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@build/Dockerfile` around lines 1 - 27, The Dockerfile is missing a
HEALTHCHECK; add a HEALTHCHECK instruction (e.g., using curl or wget to probe
the operator health endpoint like http://127.0.0.1:8080/healthz) to the
Dockerfile to satisfy the "HEALTHCHECK defined" requirement—place it after the
ENTRYPOINT ["/usr/local/bin/entrypoint"] (and before or after USER ${USER_UID})
and use sensible options (interval, timeout, start-period, retries) so the check
runs periodically and fails appropriately (e.g., HEALTHCHECK --interval=30s
--timeout=5s --start-period=10s --retries=3 CMD curl -f
http://127.0.0.1:8080/healthz || exit 1).

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@build/Dockerfile`:
- Line 11: Replace the incorrect UBI9 base tag string "FROM
registry.access.redhat.com/ubi9/ubi-minimal:9.8-1780378819" with the required
"registry.access.redhat.com/ubi9/ubi-minimal:9.6-1755695350" and add a Docker
HEALTHCHECK directive to build/Dockerfile that periodically probes the service
health endpoint (for example, an HTTP GET to /health) with sensible
interval/timeout/retries so the container reports unhealthy on failure; ensure
the HEALTHCHECK uses a non-zero exit on failure and is placed after the final
CMD/ENTRYPOINT in the Dockerfile.

---

Nitpick comments:
In `@build/Dockerfile`:
- Around line 1-27: The Dockerfile is missing a HEALTHCHECK; add a HEALTHCHECK
instruction (e.g., using curl or wget to probe the operator health endpoint like
http://127.0.0.1:8080/healthz) to the Dockerfile to satisfy the "HEALTHCHECK
defined" requirement—place it after the ENTRYPOINT ["/usr/local/bin/entrypoint"]
(and before or after USER ${USER_UID}) and use sensible options (interval,
timeout, start-period, retries) so the check runs periodically and fails
appropriately (e.g., HEALTHCHECK --interval=30s --timeout=5s --start-period=10s
--retries=3 CMD curl -f http://127.0.0.1:8080/healthz || exit 1).

In `@build/Dockerfile.olm-registry`:
- Around line 1-26: Dockerfile is missing a HEALTHCHECK; add a HEALTHCHECK
instruction that probes the operator registry server endpoint (use the existing
grpc_health_probe binary or a short curl against TCP port 50051) to ensure the
container reports healthy/unhealthy states; place the HEALTHCHECK after COPY of
grpc_health_probe and before CMD, referencing the grpc_health_probe executable
and the registry-server port (EXPOSE 50051) so the image will fail fast when
registry-server is unhealthy.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 94ad69e7-68ab-4180-9ceb-c1d599417d6a

📥 Commits

Reviewing files that changed from the base of the PR and between 35338f3 and be52317.

📒 Files selected for processing (2)

• build/Dockerfile
• build/Dockerfile.olm-registry

[coderabbitai]

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Verify if 9.6 is still the intended base or if the guideline needs updating
echo "Current Dockerfile uses: ubi9/ubi-minimal:9.8"
echo "Guideline specifies: ubi9/ubi-minimal:9.6-1755695350"
echo ""
echo "Checking both Dockerfiles for version consistency:"
rg -n 'ubi9/ubi-minimal:' build/Dockerfile*

Repository: openshift/managed-upgrade-operator

Length of output: 409

---

🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "Searching for HEALTHCHECK directives:"
rg -n '^\s*HEALTHCHECK\b' build/Dockerfile build/Dockerfile* || true

echo ""
echo "Showing end of build/Dockerfile (last ~80 lines) to inspect final-stage directives:"
tail -n 80 build/Dockerfile

Repository: openshift/managed-upgrade-operator

Length of output: 872

---

Fix build/Dockerfile: align UBI9 base tag and add HEALTHCHECK
File: build/Dockerfile
Lines: 11

FROM registry.access.redhat.com/ubi9/ubi-minimal:9.8-1780378819

• Coding guideline requires registry.access.redhat.com/ubi9/ubi-minimal:9.6-1755695350, but this file uses 9.8-1780378819.
• build/Dockerfile has no HEALTHCHECK directive.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@build/Dockerfile` at line 11, Replace the incorrect UBI9 base tag string
"FROM registry.access.redhat.com/ubi9/ubi-minimal:9.8-1780378819" with the
required "registry.access.redhat.com/ubi9/ubi-minimal:9.6-1755695350" and add a
Docker HEALTHCHECK directive to build/Dockerfile that periodically probes the
service health endpoint (for example, an HTTP GET to /health) with sensible
interval/timeout/retries so the container reports unhealthy on failure; ensure
the HEALTHCHECK uses a non-zero exit on failure and is placed after the final
CMD/ENTRYPOINT in the Dockerfile.

[openshift-ci]

@dependabot[bot]: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/test	218b7d8	link	true	/test test
ci/prow/validate	218b7d8	link	true	/test validate

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.