updating pipelines for EC + Dockerfile according to tests

.tekton/operator-1-0-gamma-pull-request.yaml

@@ -196,10 +196,10 @@ spec:
           value: task
         resolver: bundles
       when:
-      - input: $(params.hermetic)
-        operator: in
+      - input: $(params.prefetch-input)
+        operator: notin
         values:
-        - "true"
+        - "{}"
       workspaces:
       - name: source
         workspace: workspace

.tekton/operator-1-0-gamma-push.yaml

@@ -193,10 +193,10 @@ spec:
           value: task
         resolver: bundles
       when:
-      - input: $(params.hermetic)
-        operator: in
+      - input: $(params.prefetch-input)
+        operator: notin
         values:
-        - "true"
+        - "{}"
       workspaces:
       - name: source
         workspace: workspace

.tekton/sigstore-operator-bundle-pull-request.yaml

@@ -30,6 +30,12 @@ spec:
     value: .
   - name: revision
     value: '{{revision}}'
+  - name: prefetch-input
+    value: ''
+  - name: hermetic
+    value: "true"
+  - name: source-build
+    value: "true"
   pipelineSpec:
     finally:
     - name: show-sbom
@@ -190,10 +196,10 @@ spec:
           value: task
         resolver: bundles
       when:
-      - input: $(params.hermetic)
-        operator: in
+      - input: $(params.prefetch-input)
+        operator: notin
         values:
-        - "true"
+        - "{}"
       workspaces:
       - name: source
         workspace: workspace

.tekton/sigstore-operator-bundle-push.yaml

@@ -27,6 +27,12 @@ spec:
     value: .
   - name: revision
     value: '{{revision}}'
+  - name: prefetch-input
+    value: ''
+  - name: source-build
+    value: "true"
+  - name: hermetic
+    value: "true"
   pipelineSpec:
     finally:
     - name: show-sbom
@@ -187,10 +193,10 @@ spec:
           value: task
         resolver: bundles
       when:
-      - input: $(params.hermetic)
-        operator: in
+      - input: $(params.prefetch-input)
+        operator: notin
         values:
-        - "true"
+        - "{}"
       workspaces:
       - name: source
         workspace: workspace

Dockerfile

@@ -1,5 +1,5 @@
 # Build the manager binary
-FROM golang:1.21 as builder
+FROM brew.registry.redhat.io/rh-osbs/openshift-golang-builder:rhel_9_1.21@sha256:98a0ff138c536eee98704d6909699ad5d0725a20573e2c510a60ef462b45cce0 as builder
 ARG TARGETOS
 ARG TARGETARCH
 
@@ -24,9 +24,29 @@ COPY client/ client/
 # by leaving it empty we can ensure that the container and binary shipped on it will have the same platform.
 RUN CGO_ENABLED=0 GOOS=${TARGETOS:-linux} GOARCH=${TARGETARCH} go build -a -o manager main.go
 
-FROM registry.access.redhat.com/ubi9-minimal
+FROM registry.access.redhat.com/ubi9/ubi-minimal@sha256:582e18f13291d7c686ec4e6e92d20b24c62ae0fc72767c46f30a69b1a6198055
 WORKDIR /
 COPY --from=builder /workspace/manager .
 USER 65532:65532
 
+LABEL description="The image for the rhtas-operator."
+LABEL io.k8s.description="The image for the rhtas-operator."
+LABEL io.k8s.display-name="RHTAS operator container image for Red Hat Trusted Artifact Signer."
+LABEL io.openshift.tags="rhtas-operator, Red Hat Trusted Artifact Signer."
+LABEL summary="Operator for the rhtas-operator."
+LABEL com.redhat.component="rhtas-operator"
+
+LABEL features.operators.openshift.io/cni="false"
+LABEL features.operators.openshift.io/disconnected="false"
+LABEL features.operators.openshift.io/disconnected="false"
+LABEL features.operators.openshift.io/fips-compliant="false"
+LABEL features.operators.openshift.io/proxy-aware="false"
+LABEL features.operators.openshift.io/cnf="false"
+LABEL features.operators.openshift.io/cni="false"
+LABEL features.operators.openshift.io/csi="false"
+LABEL features.operators.openshift.io/tls-profiles="false"
+LABEL features.operators.openshift.io/token-auth-aws="false"
+LABEL features.operators.openshift.io/token-auth-azure="false"
+LABEL features.operators.openshift.io/token-auth-gcp="false"
+
 ENTRYPOINT ["/manager"]

bundle.Dockerfile

@@ -1,4 +1,4 @@
-FROM registry.access.redhat.com/ubi9/ubi-micro
+FROM registry.access.redhat.com/ubi9/ubi-micro@sha256:d72202acf3073b61cb407e86395935b7bac5b93b16071d2b40b9fb485db2135d
 
 # Core bundle labels.
 LABEL operators.operatorframework.io.bundle.mediatype.v1=registry+v1
@@ -17,18 +17,18 @@ LABEL io.openshift.tags="rhtas-operator-bundle, rhtas-operator, Red Hat Trusted
 LABEL summary="Operator Bundle for the rhtas-operator."
 LABEL com.redhat.component="sigstore-operator-bundle"
 
-LABEL features.operators.openshift.io/cni=false
-LABEL features.operators.openshift.io/disconnected=false
-LABEL features.operators.openshift.io/disconnected=false
-LABEL features.operators.openshift.io/fips-compliant=false
-LABEL features.operators.openshift.io/proxy-aware=false
-LABEL features.operators.openshift.io/cnf=false
-LABEL features.operators.openshift.io/cni=false
-LABEL features.operators.openshift.io/csi=false
-LABEL features.operators.openshift.io/tls-profiles=false
-LABEL features.operators.openshift.io/token-auth-aws=false
-LABEL features.operators.openshift.io/token-auth-azure=false
-LABEL features.operators.openshift.io/token-auth-gcp=false
+LABEL features.operators.openshift.io/cni="false"
+LABEL features.operators.openshift.io/disconnected="false"
+LABEL features.operators.openshift.io/disconnected="false"
+LABEL features.operators.openshift.io/fips-compliant="false"
+LABEL features.operators.openshift.io/proxy-aware="false"
+LABEL features.operators.openshift.io/cnf="false"
+LABEL features.operators.openshift.io/cni="false"
+LABEL features.operators.openshift.io/csi="false"
+LABEL features.operators.openshift.io/tls-profiles="false"
+LABEL features.operators.openshift.io/token-auth-aws="false"
+LABEL features.operators.openshift.io/token-auth-azure="false"
+LABEL features.operators.openshift.io/token-auth-gcp="false"
 
 
 # Labels for testing.

bundle/manifests/rhtas-operator.clusterserviceversion.yaml

@@ -2,6 +2,16 @@ apiVersion: operators.coreos.com/v1alpha1
 kind: ClusterServiceVersion
 metadata:
   annotations:
+    features.operators.openshift.io/disconnected: "false"
+    features.operators.openshift.io/fips-compliant: "false"
+    features.operators.openshift.io/proxy-aware: "false"
+    features.operators.openshift.io/cnf: "false"
+    features.operators.openshift.io/cni: "false"
+    features.operators.openshift.io/csi: "false"
+    features.operators.openshift.io/tls-profiles: "false"
+    features.operators.openshift.io/token-auth-aws: "false"
+    features.operators.openshift.io/token-auth-azure: "false"
+    features.operators.openshift.io/token-auth-gcp: "false"
     alm-examples: |-
       [
         {

config/default/manager_auth_proxy_patch.yaml

@@ -31,7 +31,7 @@ spec:
           capabilities:
             drop:
               - "ALL"
-        image: gcr.io/kubebuilder/kube-rbac-proxy:v0.13.1
+        image: gcr.io/kubebuilder/kube-rbac-proxy@sha256:d4883d7c622683b3319b5e6b3a7edfbf2594c18060131a8bf64504805f875522
         args:
         - "--secure-listen-address=0.0.0.0:8443"
         - "--upstream=http://127.0.0.1:8080/"

fbc/v4.11/catalog/rhtas-operator/catalog.json

@@ -206,8 +206,8 @@
     ],
     "relatedImages": [
         {
-            "name": "",
-            "image": "gcr.io/kubebuilder/kube-rbac-proxy:v0.13.1"
+            "name": "gcr.io/kubebuilder/kube-rbac-proxy:v0.13.1",
+            "image": "gcr.io/kubebuilder/kube-rbac-proxy@sha256:d4883d7c622683b3319b5e6b3a7edfbf2594c18060131a8bf64504805f875522"
         },
         {
             "name": "",

fbc/v4.12/catalog/rhtas-operator/catalog.json

@@ -206,8 +206,8 @@
     ],
     "relatedImages": [
         {
-            "name": "",
-            "image": "gcr.io/kubebuilder/kube-rbac-proxy:v0.13.1"
+            "name": "gcr.io/kubebuilder/kube-rbac-proxy:v0.13.1",
+            "image": "gcr.io/kubebuilder/kube-rbac-proxy@sha256:d4883d7c622683b3319b5e6b3a7edfbf2594c18060131a8bf64504805f875522"
         },
         {
             "name": "",

fbc/v4.13/catalog/rhtas-operator/catalog.json

@@ -206,8 +206,8 @@
     ],
     "relatedImages": [
         {
-            "name": "",
-            "image": "gcr.io/kubebuilder/kube-rbac-proxy:v0.13.1"
+            "name": "gcr.io/kubebuilder/kube-rbac-proxy:v0.13.1",
+            "image": "gcr.io/kubebuilder/kube-rbac-proxy@sha256:d4883d7c622683b3319b5e6b3a7edfbf2594c18060131a8bf64504805f875522"
         },
         {
             "name": "",

fbc/v4.14/catalog/rhtas-operator/catalog.json

@@ -206,8 +206,8 @@
     ],
     "relatedImages": [
         {
-            "name": "",
-            "image": "gcr.io/kubebuilder/kube-rbac-proxy:v0.13.1"
+            "name": "gcr.io/kubebuilder/kube-rbac-proxy:v0.13.1",
+            "image": "gcr.io/kubebuilder/kube-rbac-proxy@sha256:d4883d7c622683b3319b5e6b3a7edfbf2594c18060131a8bf64504805f875522"
         },
         {
             "name": "",

fbc/v4.15/catalog/rhtas-operator/catalog.json

@@ -206,8 +206,8 @@
     ],
     "relatedImages": [
         {
-            "name": "",
-            "image": "gcr.io/kubebuilder/kube-rbac-proxy:v0.13.1"
+            "name": "gcr.io/kubebuilder/kube-rbac-proxy:v0.13.1",
+            "image": "gcr.io/kubebuilder/kube-rbac-proxy@sha256:d4883d7c622683b3319b5e6b3a7edfbf2594c18060131a8bf64504805f875522"
         },
         {
             "name": "",

fbc/v4.16/catalog/rhtas-operator/catalog.json

@@ -206,8 +206,8 @@
     ],
     "relatedImages": [
         {
-            "name": "",
-            "image": "gcr.io/kubebuilder/kube-rbac-proxy:v0.13.1"
+            "name": "gcr.io/kubebuilder/kube-rbac-proxy:v0.13.1",
+            "image": "gcr.io/kubebuilder/kube-rbac-proxy@sha256:d4883d7c622683b3319b5e6b3a7edfbf2594c18060131a8bf64504805f875522"
         },
         {
             "name": "",