Bump ubi9/ubi-minimal from 9.7-1776833838 to 1780379098 in /build

[dependabot]

Bumps ubi9/ubi-minimal from 9.7-1776833838 to 1780379098.

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Summary by CodeRabbit

• Chores
  • Updated the runtime base image to improve stability and security.

[coderabbitai]

Walkthrough

The Dockerfile's final runtime stage base image is updated from the previous pinned tag to a new pinned tag for registry.access.redhat.com/ubi9/ubi-minimal. All other build stages and configuration remain unchanged.

Changes

Base Image Update

Layer / File(s)	Summary
Runtime base image tag update build/Dockerfile	The registry.access.redhat.com/ubi9/ubi-minimal base image tag is pinned to a new version identifier.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

Possibly related PRs

• openshift/ocm-agent#236: Both PRs only bump the registry.access.redhat.com/ubi9/ubi-minimal base-image tag in build/Dockerfile.

Suggested labels

lgtm

Suggested reviewers

• vaidehi411
• xiaoyu74

🚥 Pre-merge checks | ✅ 14 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Ipv6 And Disconnected Network Test Compatibility	⚠️ Warning	New Ginkgo e2e tests in test/e2e/ocm_agent_tests.go build URLs using fmt.Sprintf("%s/path", host) without IPv6 brackets, violating IPv6 compatibility requirements for disconnected environments.	Replace fmt.Sprintf URL construction with net.JoinHostPort() or add IPv6 bracket-wrapping logic. For example: use fmt.Sprintf("http://%s/path", net.JoinHostPort(host, port)) or detect IPv6 and add brackets accordingly.

✅ Passed checks (14 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately describes the main change: updating the Docker base image tag from one version to another in the /build directory.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names	✅ Passed	PR only modifies build/Dockerfile (Docker base image tag update); no test files are changed, making this check not applicable to the PR.
Test Structure And Quality	✅ Passed	This PR only modifies build/Dockerfile (base image tag update). No test files are modified, so the Ginkgo test code quality check is not applicable.
Microshift Test Compatibility	✅ Passed	PR only modifies build/Dockerfile base image tag; no new Ginkgo e2e tests are added, so MicroShift test compatibility check does not apply.
Single Node Openshift (Sno) Test Compatibility	✅ Passed	This PR only updates a Docker base image tag in build/Dockerfile; no new Ginkgo e2e tests are added, making the SNO compatibility check not applicable.
Topology-Aware Scheduling Compatibility	✅ Passed	This PR only updates a Docker base image tag in build/Dockerfile. It does not add/modify deployment manifests, operator code, or controllers, so the topology-aware scheduling check is not applicable.
Ote Binary Stdout Contract	✅ Passed	Check is not applicable: OTE Binary Stdout Contract audits Go process-level code, but this PR only modifies build/Dockerfile, a non-executable configuration file.
No-Weak-Crypto	✅ Passed	PR only updates a Docker base image tag and introduces no weak cryptographic algorithms, custom crypto implementations, or non-constant-time secret comparisons.
Container-Privileges	✅ Passed	PR modifies only Dockerfile base image tag. No privilege escalation detected in code: no privileged mode, host access, SYS_ADMIN capability, or allowPrivilegeEscalation. Container runs as non-root.
No-Sensitive-Data-In-Logs	✅ Passed	PR only updates Docker base image tag; no logging statements or code changes that could expose sensitive data (passwords, tokens, API keys, PII, etc.) are present.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch dependabot/docker/build/ubi9/ubi-minimal-1780379098

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: dependabot[bot]
Once this PR has been reviewed and has the lgtm label, please assign smarthall for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[coderabbitai]

Actionable comments posted: 1

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

build/Dockerfile (1)

10-26: ⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Missing HEALTHCHECK directive.

The Dockerfile does not include a HEALTHCHECK directive, which is required by the coding guidelines. A HEALTHCHECK helps container orchestrators determine if the container is functioning correctly.

As per coding guidelines: "HEALTHCHECK defined"

🏥 Proposed fix to add HEALTHCHECK

FROM registry.access.redhat.com/ubi9/ubi-minimal:1780379098

LABEL io.openshift.managed.name="ocm-agent" \
  io.openshift.managed.description="Agent to interact with OCM on managed clusters"

COPY --from=builder /workdir/build/_output/ocm-agent /usr/local/bin/

ADD build/bin/* /usr/local/bin/

ENV USER_UID=1000 \
  USER_NAME=ocm-agent
RUN /usr/local/bin/user_setup

USER ${USER_UID}

HEALTHCHECK --interval=30s --timeout=3s --start-period=5s --retries=3 \
  CMD ["/usr/local/bin/ocm-agent", "healthcheck"] || exit 1

ENTRYPOINT [ "/usr/local/bin/entrypoint" ]

Note: Adjust the healthcheck command based on the actual health check mechanism supported by ocm-agent.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@build/Dockerfile` around lines 10 - 26, Add a Docker HEALTHCHECK directive
before ENTRYPOINT to satisfy the "HEALTHCHECK defined" guideline: add a
HEALTHCHECK line (for example with --interval, --timeout, --start-period,
--retries) that runs the agent's health probe binary (e.g.
/usr/local/bin/ocm-agent healthcheck or the appropriate subcommand) and returns
non-zero on failure; place it after the USER ${USER_UID} and before ENTRYPOINT [
"/usr/local/bin/entrypoint" ] so the container runtime can detect unhealthy
containers.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@build/Dockerfile`:
- Line 10: Replace the pinned Red Hat base image tag in the Dockerfile's FROM
instruction (currently using
registry.access.redhat.com/ubi9/ubi-minimal:1780379098) with a floating tag such
as :9 or :latest so Red Hat can manage updates automatically; update the FROM
line to reference registry.access.redhat.com/ubi9/ubi-minimal:<floating-tag> and
commit the change.

---

Outside diff comments:
In `@build/Dockerfile`:
- Around line 10-26: Add a Docker HEALTHCHECK directive before ENTRYPOINT to
satisfy the "HEALTHCHECK defined" guideline: add a HEALTHCHECK line (for example
with --interval, --timeout, --start-period, --retries) that runs the agent's
health probe binary (e.g. /usr/local/bin/ocm-agent healthcheck or the
appropriate subcommand) and returns non-zero on failure; place it after the USER
${USER_UID} and before ENTRYPOINT [ "/usr/local/bin/entrypoint" ] so the
container runtime can detect unhealthy containers.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 8d25cd69-fbf0-4c52-965d-34086a4630ae

📥 Commits

Reviewing files that changed from the base of the PR and between b7992c3 and 065d619.

📒 Files selected for processing (1)

• build/Dockerfile

[coderabbitai]

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Red Hat images should use floating tags, not pinned tags.

The coding guidelines specify that Red Hat images should use floating tags so that Red Hat can manage updates automatically. However, this Dockerfile uses a pinned tag (1780379098). Consider using a floating tag like :9 or :latest instead to align with the guideline and allow Red Hat to manage security updates.

As per coding guidelines: "Red Hat images: use floating tags (Red Hat manages updates); non-RH images: pin by digest"

🔄 Proposed fix to use floating tag

-FROM registry.access.redhat.com/ubi9/ubi-minimal:1780379098
+FROM registry.access.redhat.com/ubi9/ubi-minimal:9

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	FROM registry.access.redhat.com/ubi9/ubi-minimal:1780379098
	FROM registry.access.redhat.com/ubi9/ubi-minimal:9

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@build/Dockerfile` at line 10, Replace the pinned Red Hat base image tag in
the Dockerfile's FROM instruction (currently using
registry.access.redhat.com/ubi9/ubi-minimal:1780379098) with a floating tag such
as :9 or :latest so Red Hat can manage updates automatically; update the FROM
line to reference registry.access.redhat.com/ubi9/ubi-minimal:<floating-tag> and
commit the change.

[openshift-ci]

@dependabot[bot]: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

[codecov-commenter]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 55.67%. Comparing base (b7992c3) to head (065d619).

Additional details and impacted files

@@           Coverage Diff           @@
##           master     #239   +/-   ##
=======================================
  Coverage   55.67%   55.67%           
=======================================
  Files          23       23           
  Lines        1895     1895           
=======================================
  Hits         1055     1055           
  Misses        785      785           
  Partials       55       55           

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.