OCPBUGS-87517: Updating openshift-enterprise-console-operator-container image to be consistent with ART for 5.0

[openshift-bot]

Updating openshift-enterprise-console-operator-container image to be consistent with ART for 5.0
TLDR:
Product builds by ART can be configured for different base and builder images than corresponding CI
builds. This automated PR requests a change to CI configuration to align with ART's configuration;
please take steps to merge it quickly or contact ART to coordinate changes.

The configuration in the following ART component metadata is driving this alignment request:
openshift-enterprise-console-operator.yml.

Detail:

This repository is out of sync with the downstream product builds for this component. The CI
configuration for at least one image differs from ART's expected product configuration. This should
be addressed to ensure that the component's CI testing accurate reflects what customers will
experience.

Most of these PRs are opened as an ART-driven proposal to migrate base image or builder(s) to a
different version, usually prior to GA. The intent is to effect changes in both configurations
simultaneously without breaking either CI or ART builds, so usually ART builds are configured to
consider CI as canonical and attempt to match CI config until the PR merges to align both. ART may
also configure changes in GA releases with CI remaining canonical for a brief grace period to enable
CI to succeed and the alignment PR to merge. In either case, ART configuration will be made
canonical at some point (typically at branch-cut before GA or release dev-cut after GA), so it is
important to align CI configuration as soon as possible.

PRs are also triggered when CI configuration changes without ART coordination, for instance to
change the number of builder images or to use a different golang version. These changes should be
coordinated with ART; whether ART configuration is canonical or not, preferably it would be updated
first to enable the changes to occur simultaneously in both CI and ART at the same time. This also
gives ART a chance to validate the intended changes first. For instance, ART compiles most
components with the Golang version being used by the control plane for a given OpenShift release.
Exceptions to this convention (i.e. you believe your component must be compiled with a Golang
version independent from the control plane) must be granted by the OpenShift staff engineers and
communicated to the ART team.

Roles & Responsibilities:

• Component owners are responsible for ensuring these alignment PRs merge with passing
  tests OR that necessary metadata changes are reported to the ART team
  in #forum-ocp-art on Slack. If necessary, the changes required by this pull request can be
  introduced with a separate PR opened by the component team. Once the repository is aligned,
  this PR will be closed automatically.
• In particular, it could be that a job like verify-deps is complaining. In that case, please open
  a new PR with the dependency issues addressed (and base images bumped). ART-9595 for reference.
• Patch-manager or those with sufficient privileges within this repository may add
  any required labels to ensure the PR merges once tests are passing. In cases where ART config is
  canonical, downstream builds are already being built with these changes, and merging this PR
  only improves the fidelity of our CI. In cases where ART config is not canonical, this provides
  a grace period for the component team to align their CI with ART's configuration before it becomes
  canonical in product builds.

ART has been configured to reconcile your CI build root image (see https://docs.ci.openshift.org/docs/architecture/ci-operator/#build-root-image).
In order for your upstream .ci-operator.yaml configuration to be honored, you must set the following in your openshift/release ci-operator configuration file:

build_root:
  from_repository: true

Change behavior of future PRs:

• In case you just want to follow the base images that ART suggests, you can configure additional labels to be
  set up automatically. This means that such a PR would merge without human intervention (and awareness!) in the future.
  To do so, open a PR to set the auto_label attribute in the image configuration. Example
• You can set a commit prefix, like UPSTREAM: <carry>: . An example.

If you have any questions about this pull request, please reach out in the #forum-ocp-art Slack channel.

[openshift-bot]

Created by ART pipeline job run https://art-jenkins.apps.prod-stable-spoke1-dc-iad2.itup.redhat.com/job/aos-cd-builds/job/build%252Fsync-ci-images/216

[coderabbitai]

Walkthrough

This PR upgrades the build infrastructure by updating the CI operator configuration and Dockerfile to use Go 1.26 with OpenShift 5.0, replacing the previous Go 1.25 with OpenShift 4.22 versions across both the builder stage and runtime base image.

Changes

Build and runtime image upgrade to Go 1.26 and OpenShift 5.0

Layer / File(s)	Summary
Upgrade builder and runtime images to Go 1.26 and OpenShift 5.0 .ci-operator.yaml, Dockerfile.ocp	CI operator build root image tag and Dockerfile builder/runtime base images are updated from golang 1.25/openshift 4.22 to golang 1.26/openshift 5.0.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

Possibly related PRs

• openshift/console-operator#1121: Updates CI build root image and corresponding Dockerfile builder image tags to newer Golang/OpenShift versions via the same image-tagging mechanism.

Suggested labels

verified, jira/valid-reference

Suggested reviewers

• spadgett
• TheRealJon
• yapei

🚥 Pre-merge checks | ✅ 14 | ❌ 1

❌ Failed checks (1 inconclusive)

Check name	Status	Explanation	Resolution
Description check	❓ Inconclusive	The PR description is comprehensive and covers essential information about ART-CI alignment, but does not follow the repository's required template structure.	Reformat the description to include all required template sections: Analysis/Root cause, Solution description, Test setup, Test cases, Browser conformance, Additional info, and Reviewers/assignees.

✅ Passed checks (14 passed)

Check name	Status	Explanation
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names	✅ Passed	This PR contains no Ginkgo tests. The codebase uses only the standard Go testing package with *testing.T. No test names (dynamic or otherwise) to evaluate.
Test Structure And Quality	✅ Passed	PR only modifies CI configuration files (.ci-operator.yaml, Dockerfile.ocp), not test code. Custom check for Ginkgo test quality is not applicable.
Microshift Test Compatibility	✅ Passed	No new Ginkgo e2e tests added. All 39 test files use standard Go testing (testing.T), not Ginkgo syntax. Only .ci-operator.yaml and Dockerfile.ocp were modified.
Single Node Openshift (Sno) Test Compatibility	✅ Passed	No new Ginkgo e2e tests are added in this PR. The changes are configuration-only (container image tags in .ci-operator.yaml and Dockerfile.ocp), so SNO compatibility check does not apply.
Topology-Aware Scheduling Compatibility	✅ Passed	PR modifies only build configuration and container images. No deployment manifests, operator code, or scheduling constraints added or modified.
Ote Binary Stdout Contract	✅ Passed	This PR updates a Kubernetes operator (not an OTE extension). The OTE Binary Stdout Contract applies only to OTE test extensions that communicate with openshift-tests via JSON, not operators.
Ipv6 And Disconnected Network Test Compatibility	✅ Passed	This PR does not add new Ginkgo e2e tests. It updates CI config files (.ci-operator.yaml, Dockerfile.ocp). The existing test files use Go's standard testing package, not Ginkgo.
No-Weak-Crypto	✅ Passed	PR makes only infrastructure changes (image tags); no source code modified. Existing crypto uses secure crypto/rand; no weak algorithms (MD5, SHA1, DES, RC4, 3DES, Blowfish, ECB) found.
Container-Privileges	✅ Passed	No privileged container configurations found. All containers run as non-root with strict security contexts and no dangerous capabilities or host access.
No-Sensitive-Data-In-Logs	✅ Passed	PR contains only configuration and image tag updates with no logging statements or sensitive data exposure. No code logging code added.
Title check	✅ Passed	The title accurately describes the main change: updating container images for OpenShift 5.0 to align with ART configuration, which matches the file modifications shown in the changeset.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: openshift-bot
Once this PR has been reviewed and has the lgtm label, please assign spadgett for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[openshift-ci-robot]

@openshift-bot: This pull request references Jira Issue OCPBUGS-87517, which is valid. The bug has been moved to the POST state.

3 validation(s) were run on this bug

• bug is open, matching expected state (open)
• bug target version (5.0.0) matches configured target version for branch (5.0.0)
• bug is in the state New, which is one of the valid states (NEW, ASSIGNED, POST)

The bug has been updated to refer to the pull request using the external bug tracker.

Details

In response to this:

Updating openshift-enterprise-console-operator-container image to be consistent with ART for 5.0
TLDR:
Product builds by ART can be configured for different base and builder images than corresponding CI
builds. This automated PR requests a change to CI configuration to align with ART's configuration;
please take steps to merge it quickly or contact ART to coordinate changes.

The configuration in the following ART component metadata is driving this alignment request:
openshift-enterprise-console-operator.yml.

Detail:

This repository is out of sync with the downstream product builds for this component. The CI
configuration for at least one image differs from ART's expected product configuration. This should
be addressed to ensure that the component's CI testing accurate reflects what customers will
experience.

Most of these PRs are opened as an ART-driven proposal to migrate base image or builder(s) to a
different version, usually prior to GA. The intent is to effect changes in both configurations
simultaneously without breaking either CI or ART builds, so usually ART builds are configured to
consider CI as canonical and attempt to match CI config until the PR merges to align both. ART may
also configure changes in GA releases with CI remaining canonical for a brief grace period to enable
CI to succeed and the alignment PR to merge. In either case, ART configuration will be made
canonical at some point (typically at branch-cut before GA or release dev-cut after GA), so it is
important to align CI configuration as soon as possible.

PRs are also triggered when CI configuration changes without ART coordination, for instance to
change the number of builder images or to use a different golang version. These changes should be
coordinated with ART; whether ART configuration is canonical or not, preferably it would be updated
first to enable the changes to occur simultaneously in both CI and ART at the same time. This also
gives ART a chance to validate the intended changes first. For instance, ART compiles most
components with the Golang version being used by the control plane for a given OpenShift release.
Exceptions to this convention (i.e. you believe your component must be compiled with a Golang
version independent from the control plane) must be granted by the OpenShift staff engineers and
communicated to the ART team.

Roles & Responsibilities:

• Component owners are responsible for ensuring these alignment PRs merge with passing
  tests OR that necessary metadata changes are reported to the ART team
  in #forum-ocp-art on Slack. If necessary, the changes required by this pull request can be
  introduced with a separate PR opened by the component team. Once the repository is aligned,
  this PR will be closed automatically.
• In particular, it could be that a job like verify-deps is complaining. In that case, please open
  a new PR with the dependency issues addressed (and base images bumped). ART-9595 for reference.
• Patch-manager or those with sufficient privileges within this repository may add
  any required labels to ensure the PR merges once tests are passing. In cases where ART config is
  canonical, downstream builds are already being built with these changes, and merging this PR
  only improves the fidelity of our CI. In cases where ART config is not canonical, this provides
  a grace period for the component team to align their CI with ART's configuration before it becomes
  canonical in product builds.

ART has been configured to reconcile your CI build root image (see https://docs.ci.openshift.org/docs/architecture/ci-operator/#build-root-image).
In order for your upstream .ci-operator.yaml configuration to be honored, you must set the following in your openshift/release ci-operator configuration file:

build_root:
 from_repository: true

Change behavior of future PRs:

• In case you just want to follow the base images that ART suggests, you can configure additional labels to be
  set up automatically. This means that such a PR would merge without human intervention (and awareness!) in the future.
  To do so, open a PR to set the auto_label attribute in the image configuration. Example
• You can set a commit prefix, like UPSTREAM: <carry>: . An example.

If you have any questions about this pull request, please reach out in the #forum-ocp-art Slack channel.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[openshift-ci-robot]

@openshift-bot: This pull request references Jira Issue OCPBUGS-87517, which is valid.

3 validation(s) were run on this bug

• bug is open, matching expected state (open)
• bug target version (5.0.0) matches configured target version for branch (5.0.0)
• bug is in the state POST, which is one of the valid states (NEW, ASSIGNED, POST)

Details

In response to this:

Updating openshift-enterprise-console-operator-container image to be consistent with ART for 5.0
TLDR:
Product builds by ART can be configured for different base and builder images than corresponding CI
builds. This automated PR requests a change to CI configuration to align with ART's configuration;
please take steps to merge it quickly or contact ART to coordinate changes.

The configuration in the following ART component metadata is driving this alignment request:
openshift-enterprise-console-operator.yml.

Detail:

This repository is out of sync with the downstream product builds for this component. The CI
configuration for at least one image differs from ART's expected product configuration. This should
be addressed to ensure that the component's CI testing accurate reflects what customers will
experience.

Most of these PRs are opened as an ART-driven proposal to migrate base image or builder(s) to a
different version, usually prior to GA. The intent is to effect changes in both configurations
simultaneously without breaking either CI or ART builds, so usually ART builds are configured to
consider CI as canonical and attempt to match CI config until the PR merges to align both. ART may
also configure changes in GA releases with CI remaining canonical for a brief grace period to enable
CI to succeed and the alignment PR to merge. In either case, ART configuration will be made
canonical at some point (typically at branch-cut before GA or release dev-cut after GA), so it is
important to align CI configuration as soon as possible.

PRs are also triggered when CI configuration changes without ART coordination, for instance to
change the number of builder images or to use a different golang version. These changes should be
coordinated with ART; whether ART configuration is canonical or not, preferably it would be updated
first to enable the changes to occur simultaneously in both CI and ART at the same time. This also
gives ART a chance to validate the intended changes first. For instance, ART compiles most
components with the Golang version being used by the control plane for a given OpenShift release.
Exceptions to this convention (i.e. you believe your component must be compiled with a Golang
version independent from the control plane) must be granted by the OpenShift staff engineers and
communicated to the ART team.

Roles & Responsibilities:

• Component owners are responsible for ensuring these alignment PRs merge with passing
  tests OR that necessary metadata changes are reported to the ART team
  in #forum-ocp-art on Slack. If necessary, the changes required by this pull request can be
  introduced with a separate PR opened by the component team. Once the repository is aligned,
  this PR will be closed automatically.
• In particular, it could be that a job like verify-deps is complaining. In that case, please open
  a new PR with the dependency issues addressed (and base images bumped). ART-9595 for reference.
• Patch-manager or those with sufficient privileges within this repository may add
  any required labels to ensure the PR merges once tests are passing. In cases where ART config is
  canonical, downstream builds are already being built with these changes, and merging this PR
  only improves the fidelity of our CI. In cases where ART config is not canonical, this provides
  a grace period for the component team to align their CI with ART's configuration before it becomes
  canonical in product builds.

ART has been configured to reconcile your CI build root image (see https://docs.ci.openshift.org/docs/architecture/ci-operator/#build-root-image).
In order for your upstream .ci-operator.yaml configuration to be honored, you must set the following in your openshift/release ci-operator configuration file:

build_root:
 from_repository: true

Change behavior of future PRs:

• In case you just want to follow the base images that ART suggests, you can configure additional labels to be
  set up automatically. This means that such a PR would merge without human intervention (and awareness!) in the future.
  To do so, open a PR to set the auto_label attribute in the image configuration. Example
• You can set a commit prefix, like UPSTREAM: <carry>: . An example.

If you have any questions about this pull request, please reach out in the #forum-ocp-art Slack channel.

Summary by CodeRabbit

• Chores
• Updated build configuration to use Go 1.26 and OpenShift 5.0 base images.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[coderabbitai]

Actionable comments posted: 2

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

Dockerfile.ocp (1)

8-34: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Add a runtime HEALTHCHECK to satisfy container policy.

Final image does not define a health check. Add one appropriate for the operator process (or a lightweight binary probe endpoint check if exposed).
As per coding guidelines, "HEALTHCHECK defined."

Example HEALTHCHECK stub

 FROM registry.ci.openshift.org/ocp/5.0:base-rhel9
 RUN useradd console-operator
 USER console-operator
 COPY --from=builder /go/src/github.com/openshift/console-operator/console /usr/bin/console
+HEALTHCHECK --interval=30s --timeout=5s --start-period=20s --retries=3 \
+  CMD ["/usr/bin/console", "version"]

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@Dockerfile.ocp` around lines 8 - 34, Add a Docker HEALTHCHECK to the image so
the operator runtime is validated: in Dockerfile.ocp add a HEALTHCHECK that
either probes the operator's HTTP health endpoint (if the operator exposes one)
or runs a lightweight process check for the console operator binary (e.g.
verifying /usr/bin/console with the "operator" subcommand is running). Place the
HEALTHCHECK after the final COPY/LABEL blocks and before any CMD, reference the
runtime binary "/usr/bin/console" and the "operator" invocation so the check
targets the correct process or endpoint, and configure sensible
interval/retries/start-period values per container policy.

Source: Coding guidelines

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@Dockerfile.ocp`:
- Line 1: The Dockerfile uses an unapproved base image "FROM
registry.ci.openshift.org/ocp/builder:rhel-9-golang-1.26-openshift-5.0 AS
builder"; update this (and any other FROM lines, e.g., the runtime image) to use
an approved catalog.redhat.com base (UBI minimal or approved distroless) to
comply with container policy. Replace the builder FROM line and the runtime FROM
line(s) with the corresponding catalog.redhat.com UBI minimal or distroless
image tags that match the required runtime (e.g., UBI for Go builds or a
distroless runtime), ensuring the AS builder alias and any subsequent stages
still reference the renamed base.
- Line 4: The Dockerfile currently uses a broad COPY . . in the builder stage
which brings the entire build context (and secrets) into the image; replace that
with explicit COPY commands for only required build inputs (e.g., COPY go.mod
go.sum ./, COPY cmd/ ./cmd/, COPY pkg/ ./pkg/, and any required assets) and
ensure these COPY lines are placed in the same stage referenced by the builder
stage name (the existing COPY . . symbol in the builder stage). This reduces
attack surface and build noise while preserving the same build output.

---

Outside diff comments:
In `@Dockerfile.ocp`:
- Around line 8-34: Add a Docker HEALTHCHECK to the image so the operator
runtime is validated: in Dockerfile.ocp add a HEALTHCHECK that either probes the
operator's HTTP health endpoint (if the operator exposes one) or runs a
lightweight process check for the console operator binary (e.g. verifying
/usr/bin/console with the "operator" subcommand is running). Place the
HEALTHCHECK after the final COPY/LABEL blocks and before any CMD, reference the
runtime binary "/usr/bin/console" and the "operator" invocation so the check
targets the correct process or endpoint, and configure sensible
interval/retries/start-period values per container policy.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 573a8127-20b5-4a2f-a5b9-24e5cdffdbff

📥 Commits

Reviewing files that changed from the base of the PR and between 658550c and 62b8719.

📒 Files selected for processing (2)

• .ci-operator.yaml
• Dockerfile.ocp

📜 Review details

🧰 Additional context used

📓 Path-based instructions (3)

Dockerfile.ocp

📄 CodeRabbit inference engine (TESTING.md)

Build container images using Dockerfile.ocp for OpenShift deployment

Files:

• Dockerfile.ocp

**/{Dockerfile,Containerfile}*

⚙️ CodeRabbit configuration file

**/{Dockerfile,Containerfile}*: Container security (prodsec-skills):

• Base image: UBI minimal or distroless from catalog.redhat.com
• Red Hat images: use floating tags (Red Hat manages updates);
  non-RH images: pin by digest
• Multi-stage builds; no build tools in final image
• USER non-root; never run as root
• COPY specific files, not entire context
• No secrets in ENV, ARG, or COPY
• Read-only rootfs where possible
• No package manager cache in final layer
• HEALTHCHECK defined

Files:

• Dockerfile.ocp

**

⚙️ CodeRabbit configuration file

**: # OpenShift Console Operator - AI Context Hub

This file serves as the central AI documentation hub for the OpenShift Console Operator project. AI assistants (Claude, Cursor, Copilot, CodeRabbit, etc.) use this and the linked documents to understand project context.

Go Version and Dependencies

Go Version and Dependencies

• Go version: 1.24.0 (toolchain: go1.24.4)
• Dependency management: Uses go.mod with vendoring
• Build flags: Use GOFLAGS="-mod=vendor" for builds and tests to ensure vendored dependencies are used
• Key dependencies: openshift/api, openshift/library-go, k8s.io client libraries
• Go version: 1.24.0 (toolchain: go1.24.4)
• Dependency management: Uses go.mod with vendoring
• Build flags: Use GOFLAGS="-mod=vendor" for builds and tests to ensure vendored dependencies are used
• Key dependencies: openshift/api, openshift/library-go, k8s.io client libraries

Quick Reference

This Repository

Document	Purpose
ARCHITECTURE.md	System architecture, components, repository structure
CONVENTIONS.md	Go coding standards, patterns, import organization
TESTING.md	Testing patterns, commands, debugging
README.md	Project README with setup instructions

Console Repository (openshift/console)

For frontend-related guidelines, see the openshift/console repository:

Document	Purpose
STYLEGUIDE.md	Frontend code style guidelines
INTERNATIONALIZATION.md	i18n patterns and translation guidelines
CONTRIBUTING.md	Contribution guidelines for the console project

Project Summary

The **console-operator...

Files:

• Dockerfile.ocp

🔀 Multi-repo context openshift/console

[::openshift/console::] .ci-operator.yaml

• file exists at repo root and contains build_root_image configuration (search hit). This is the CI file the PR updates.

[::openshift/console::] Dockerfile

• FROM registry.ci.openshift.org/ocp/builder:rhel-9-golang-1.25-openshift-4.22 AS gobuilder (line shown by search)
• FROM registry.ci.openshift.org/ocp/builder:rhel-9-base-nodejs-openshift-4.22 AS nodebuilder
• FROM registry.ci.openshift.org/ocp/4.22:base-rhel9

[::openshift/console::] Dockerfile.downloads

• FROM registry.ci.openshift.org/ocp/builder:rhel-9-golang-1.25-openshift-4.22 AS gobuilder

[::openshift/console::] Dockerfile.dev

• FROM registry.ci.openshift.org/ocp/builder:rhel-9-golang-1.25-openshift-4.22 AS gobuilder
• FROM registry.ci.openshift.org/ocp/4.22:base-rhel9

Notes:

• The repository contains multiple Dockerfiles and a .ci-operator.yaml that reference rhel-9-golang-1.25-openshift-4.22 / ocp 4.22 images — these are the locations the PR updates to rhel-9-golang-1.26-openshift-5.0 / ocp 5.0. No other repositories were available to search.

🔇 Additional comments (1)

.ci-operator.yaml (1)

4-4: LGTM!

[coderabbitai]

⚠️ Potential issue | 🟠 Major | 🏗️ Heavy lift

Use approved Red Hat base image source per container policy.

Both updated FROM images are pulled from registry.ci.openshift.org, but this policy requires base images from catalog.redhat.com (UBI minimal or distroless). Please switch both builder/runtime bases to approved catalog sources for production image compliance.
As per coding guidelines, "Base image: UBI minimal or distroless from catalog.redhat.com."

Also applies to: 8-8

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@Dockerfile.ocp` at line 1, The Dockerfile uses an unapproved base image "FROM
registry.ci.openshift.org/ocp/builder:rhel-9-golang-1.26-openshift-5.0 AS
builder"; update this (and any other FROM lines, e.g., the runtime image) to use
an approved catalog.redhat.com base (UBI minimal or approved distroless) to
comply with container policy. Replace the builder FROM line and the runtime FROM
line(s) with the corresponding catalog.redhat.com UBI minimal or distroless
image tags that match the required runtime (e.g., UBI for Go builds or a
distroless runtime), ensuring the AS builder alias and any subsequent stages
still reference the renamed base.

Source: Coding guidelines

[coderabbitai]

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Avoid copying full build context into the builder stage.

COPY . . imports unnecessary files and increases secret/supply-chain exposure risk. Copy only required paths (go.mod, go.sum, cmd/, pkg/, and needed assets).
As per coding guidelines, "COPY specific files, not entire context."

Proposed tightening

-COPY . .
+COPY go.mod go.sum ./
+COPY cmd ./cmd
+COPY pkg ./pkg
+COPY manifests ./manifests
+COPY quickstarts ./quickstarts
+COPY vendor ./vendor

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	COPY . .
	COPY go.mod go.sum ./
	COPY cmd ./cmd
	COPY pkg ./pkg
	COPY manifests ./manifests
	COPY quickstarts ./quickstarts
	COPY vendor ./vendor

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@Dockerfile.ocp` at line 4, The Dockerfile currently uses a broad COPY . . in
the builder stage which brings the entire build context (and secrets) into the
image; replace that with explicit COPY commands for only required build inputs
(e.g., COPY go.mod go.sum ./, COPY cmd/ ./cmd/, COPY pkg/ ./pkg/, and any
required assets) and ensure these COPY lines are placed in the same stage
referenced by the builder stage name (the existing COPY . . symbol in the
builder stage). This reduces attack surface and build noise while preserving the
same build output.

Source: Coding guidelines

[openshift-ci]

@openshift-bot: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

[openshift-bot]

ART wants to connect issue OCPBUGS-87770 to this PR, but found it is currently hooked up to ['OCPBUGS-87517']. Please consult with #forum-ocp-art if it is not clear what there is to do.