
Devfile registry konflux component task image references are not seeing updates #1667

Open
michael-valdron opened this issue Jan 6, 2025 · 1 comment
Assignees
Labels
area/ci area/registry Devfile registry for stacks and infrastructure kind/bug Something isn't working

Comments

@michael-valdron
Member

/kind bug

Which area is this bug related to?

/area ci
/area registry

Bug Summary

Describe the bug:

The devfile/registry component is missing task image patch PRs that can be seen for devfile/devfile-web (example).

As a result, devfile/registry PR checks are now failing due to violations in the enterprise contract testing.

To Reproduce:

Open a PR from a branch that is up to date with main.

Expected behavior

Konflux should send patch PRs for updating the task images to prevent these failures.

Any logs, error output, screenshots etc? Provide the devfile that sees this bug, if applicable

✕ [Violation] slsa_build_scripted_build.image_built_by_trusted_task
  ImageRef: quay.io/redhat-user-workloads/devfiles-tenant/devfile-registry-main/devfile-registry-main@sha256:8912fff86fec37595e606c2c7322bd9ce07f2e7d72aa2a75875e2dc6c41a7e82
  Reason: Image
  "quay.io/redhat-user-workloads/devfiles-tenant/devfile-registry-main/devfile-registry-main@sha256:8912fff86fec37595e606c2c7322bd9ce07f2e7d72aa2a75875e2dc6c41a7e82"
  not built by a trusted task: Build Task(s) "buildah" are not trusted
  Title: Image built by trusted Task
  Description: Verify the digest of the image being validated is reported by a trusted Task in its IMAGE_DIGEST result. To exclude
  this rule add "slsa_build_scripted_build.image_built_by_trusted_task" to the `exclude` section of the policy configuration.
  Solution: Make sure the build Pipeline definition uses a trusted Task to build images.

✕ [Violation] tasks.required_tasks_found
  ImageRef: quay.io/redhat-user-workloads/devfiles-tenant/devfile-registry-main/devfile-registry-main@sha256:8912fff86fec37595e606c2c7322bd9ce07f2e7d72aa2a75875e2dc6c41a7e82
  Reason: One of "buildah", "buildah-10gb", "buildah-6gb", "buildah-8gb", "buildah-remote", "buildah-oci-ta",
  "buildah-remote-oci-ta" tasks is missing
  Title: All required tasks were included in the pipeline
  Description: Ensure that the set of required tasks are included in the PipelineRun attestation. To exclude this rule add one or
  more of "tasks.required_tasks_found:buildah", "tasks.required_tasks_found:buildah-10gb",
  "tasks.required_tasks_found:buildah-6gb", "tasks.required_tasks_found:buildah-8gb", "tasks.required_tasks_found:buildah-remote",
  "tasks.required_tasks_found:buildah-oci-ta", "tasks.required_tasks_found:buildah-remote-oci-ta" to the `exclude` section of the
  policy configuration.
  Solution: Make sure all required tasks are in the build pipeline. The required task list is contained as
  xref:ec-cli:ROOT:configuration.adoc#_data_sources[data] under the key 'required-tasks'.

✕ [Violation] trusted_task.trusted
  ImageRef: quay.io/redhat-user-workloads/devfiles-tenant/devfile-registry-main/devfile-registry-main@sha256:8912fff86fec37595e606c2c7322bd9ce07f2e7d72aa2a75875e2dc6c41a7e82
  Reason: Pipeline task "build-container" uses an untrusted task reference,
  oci://quay.io/konflux-ci/tekton-catalog/task-buildah:0.2@sha256:aebfe04c80f7fd937628fad760c095c6a0efacb048f2c98e5d5e7f2b0f134cf9
  Title: Tasks are trusted
  Description: Check the trust of the Tekton Tasks used in the build Pipeline. There are two modes in which trust is verified. The
  first mode is used if Trusted Artifacts are enabled. In this case, a chain of trust is established for all the Tasks involved in
  creating an artifact. If the chain contains an untrusted Task, then a violation is emitted. The second mode is used as a
  fallback when Trusted Artifacts are not enabled. In this case, **all** Tasks in the build Pipeline must be trusted. To exclude
  this rule add "trusted_task.trusted:buildah" to the `exclude` section of the policy configuration.
  Solution: If using Trusted Artifacts, be sure every Task in the build Pipeline responsible for producing a Trusted Artifact is
  trusted. Otherwise, ensure **all** Tasks in the build Pipeline are trusted. Note that trust is eventually revoked from Tasks
  when newer versions are made available.

✕ [Violation] trusted_task.trusted
  ImageRef: quay.io/redhat-user-workloads/devfiles-tenant/devfile-registry-main/devfile-registry-main@sha256:8912fff86fec37595e606c2c7322bd9ce07f2e7d72aa2a75875e2dc6c41a7e82
  Reason: Pipeline task "coverity-availability-check" uses an untrusted task reference,
  oci://quay.io/konflux-ci/tekton-catalog/task-coverity-availability-check:0.1@sha256:dfe1150a94c7464c4a1e0b5a2bfdab4c9c97f51a992f8a479a43acc64ffcbf73
  Title: Tasks are trusted
  Description: Check the trust of the Tekton Tasks used in the build Pipeline. There are two modes in which trust is verified. The
  first mode is used if Trusted Artifacts are enabled. In this case, a chain of trust is established for all the Tasks involved in
  creating an artifact. If the chain contains an untrusted Task, then a violation is emitted. The second mode is used as a
  fallback when Trusted Artifacts are not enabled. In this case, **all** Tasks in the build Pipeline must be trusted. To exclude
  this rule add "trusted_task.trusted:coverity-availability-check" to the `exclude` section of the policy configuration.
  Solution: If using Trusted Artifacts, be sure every Task in the build Pipeline responsible for producing a Trusted Artifact is
  trusted. Otherwise, ensure **all** Tasks in the build Pipeline are trusted. Note that trust is eventually revoked from Tasks
  when newer versions are made available.

Additional context

Any workaround?

A manual update to these references would fix the current failures, but further failures will occur when the image refs are outdated again.

Suggestion on how to fix the bug

A configuration change for Konflux patching should be made; a possible change is needed to the renovate configuration.

@openshift-ci openshift-ci bot added kind/bug Something isn't working area/ci area/registry Devfile registry for stacks and infrastructure labels Jan 6, 2025
@michael-valdron michael-valdron moved this to Refinement in Devfile Project Jan 6, 2025
@michael-valdron michael-valdron self-assigned this Jan 7, 2025
@michael-valdron
Member Author

Applying devfile/registry#546 workaround to help unblock PRs until long term solution is completed.

@michael-valdron michael-valdron moved this from Refinement to Backlog in Devfile Project Jan 8, 2025
@michael-valdron michael-valdron moved this from Backlog to In Progress 🚧 in Devfile Project Jan 8, 2025
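The two `trusted_task.trusted` violations above fail because the pipeline pins task bundles by digest, and the Enterprise Contract trusted-task list drops a digest once a newer version of that task ships. The workaround in the issue is to bump those digests by hand. The script below is an added example, not code from devfile/registry, Konflux or ec-cli: it scans a Tekton pipeline for `bundles`-resolver references of the form `repo:tag@sha256:digest`, reports every reference whose digest is absent from a trust list, and rewrites stale ones to the newest trusted digest. The pipeline fragment and the trust list are constructed for the example (the two stale digests are the ones quoted in the issue; the replacement digests and the `task-lint` bundle are placeholders), and the trust data omits the `effective_on` dates that the real EC data carries.

```python
"""Emulate the EC trusted_task.trusted check and the manual digest bump.

Example code, not devfile/registry or Konflux code. Assumed layout (not taken
from the issue): tasks use the Tekton `bundles` resolver and carry a `bundle`
param of the form `<repo>:<tag>@sha256:<digest>`; trust data maps
`<repo>:<tag>` to the digests currently trusted, newest first.
"""
import re

# Matches a digest-pinned task bundle reference wherever it appears in the YAML.
BUNDLE_RE = re.compile(
    r"(?P<repo>quay\.io/[\w./-]+):(?P<tag>[\w.-]+)@sha256:(?P<digest>[0-9a-f]{64})"
)

# Placeholder digests standing in for "the newest trusted build of this task".
NEW_BUILDAH = "0123456789abcdef" * 4
NEW_COVERITY = "fedcba9876543210" * 4
LINT_CURRENT = "89abcdef01234567" * 4

# Constructed pipeline fragment: two refs are the stale digests from the issue,
# the third (a hypothetical task-lint bundle) is already current.
SAMPLE_PIPELINE = f"""\
apiVersion: tekton.dev/v1
kind: Pipeline
metadata:
  name: devfile-registry-main
spec:
  tasks:
    - name: build-container
      taskRef:
        resolver: bundles
        params:
          - name: name
            value: buildah
          - name: bundle
            value: quay.io/konflux-ci/tekton-catalog/task-buildah:0.2@sha256:aebfe04c80f7fd937628fad760c095c6a0efacb048f2c98e5d5e7f2b0f134cf9
          - name: kind
            value: task
    - name: coverity-availability-check
      taskRef:
        resolver: bundles
        params:
          - name: name
            value: coverity-availability-check
          - name: bundle
            value: quay.io/konflux-ci/tekton-catalog/task-coverity-availability-check:0.1@sha256:dfe1150a94c7464c4a1e0b5a2bfdab4c9c97f51a992f8a479a43acc64ffcbf73
          - name: kind
            value: task
    - name: lint
      taskRef:
        resolver: bundles
        params:
          - name: name
            value: lint
          - name: bundle
            value: quay.io/example-org/tekton-catalog/task-lint:0.1@sha256:{LINT_CURRENT}
          - name: kind
            value: task
"""

# Constructed trust list: the issue's two digests are deliberately missing,
# modelling trust being revoked after a newer task version was published.
TRUSTED = {
    "quay.io/konflux-ci/tekton-catalog/task-buildah:0.2": [NEW_BUILDAH],
    "quay.io/konflux-ci/tekton-catalog/task-coverity-availability-check:0.1": [NEW_COVERITY],
    "quay.io/example-org/tekton-catalog/task-lint:0.1": [LINT_CURRENT],
}


def check_refs(pipeline_text, trusted):
    """Return (line_no, '<repo>:<tag>', reason) for each untrusted bundle ref."""
    violations = []
    for line_no, line in enumerate(pipeline_text.splitlines(), 1):
        m = BUNDLE_RE.search(line)
        if not m:
            continue
        key = f"{m['repo']}:{m['tag']}"
        allowed = trusted.get(key)
        if allowed is None:
            violations.append((line_no, key, "bundle not in trusted task list"))
        elif m["digest"] not in allowed:
            violations.append((line_no, key, "digest no longer trusted"))
    return violations


def bump_refs(pipeline_text, trusted):
    """Rewrite stale refs to the newest trusted digest; leave unknown bundles alone.

    This is the mechanical part of the manual workaround (and of a Konflux
    or Renovate patch PR): only the digest after '@sha256:' changes.
    """
    def replace(m):
        key = f"{m['repo']}:{m['tag']}"
        allowed = trusted.get(key)
        if not allowed or m["digest"] in allowed:
            return m.group(0)
        return f"{key}@sha256:{allowed[0]}"
    return BUNDLE_RE.sub(replace, pipeline_text)


if __name__ == "__main__":
    for line_no, key, reason in check_refs(SAMPLE_PIPELINE, TRUSTED):
        print(f"line {line_no}: {key}: {reason}")
    updated = bump_refs(SAMPLE_PIPELINE, TRUSTED)
    print("violations after bump:", check_refs(updated, TRUSTED))
```

Against the sample, `check_refs` flags the buildah and coverity references and nothing else; after `bump_refs` the same check returns no violations. In a real repository the trust list comes from the EC policy data source rather than a hard-coded dict, and a bump that is not accompanied by a refreshed trust list only buys time until the next task release, which is the point the issue makes about a manual update.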