enterprise contract update

[ec-automation]

No description provided.

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: ec-automation[bot]
Once this PR has been reviewed and has the lgtm label, please assign lcarva for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• components/enterprise-contract/OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[github-actions]

Code Review by Gemini

The changes in components/enterprise-contract/kustomization.yaml primarily involve updating references to newer versions of the Enterprise Contract controller's Custom Resource Definitions (CRDs) and the associated Tekton task bundle and its Git revision.

Observations:

• Dependency Updates: The pull request updates the ref for the enterprise-contract-controller CRDs, the verify_ec_task_bundle image, and the verify_ec_task_git_revision. These are routine dependency updates.
• Consistency: The verify_ec_task_bundle image tag (kf-38f45e69a0205377e5b1b040e53baa3a8fda0d74) correctly reflects the new verify_ec_task_git_revision (38f45e69a0205377e5b1b040e53baa3a8fda0d74). This consistency is good.
• Reproducibility: Using specific commit hashes for Git revisions and SHA256 digests for image bundles ensures reproducibility, which is a good practice.

Bugs/Issues:

No bugs or syntax issues are present in the provided diff. The changes are valid updates to the referenced versions.

Suggested Improvements:

While the code changes themselves are syntactically correct, it is crucial to ensure the compatibility and stability of these updated dependencies.

• Compatibility Testing: Verify that the new version of the Enterprise Contract controller CRDs (05b2ae3928e41bf53104b944069bafc49fbc3f8d) is fully compatible with the updated Tekton task bundle and its associated Git revision. This typically involves running integration and end-to-end tests in a staging environment.

Exact lines of files that need to be changed:

No changes are required to the lines provided in the diff, as they represent valid version updates.

[github-actions]

Code Review by Gemini

The changes in this pull request involve updating version references for the enterprise contract controller CRDs and the associated Tekton task bundle and its git revision.

Review Summary:

The changes appear to be a routine update of dependencies. The new verify_ec_task_bundle image tag (kf-01dc64a7c23ba6564cdf8844bf479aea7756a0c1) consistently matches the verify_ec_task_git_revision (01dc64a7c23ba6564cdf8844bf479aea7756a0c1), which is good practice for ensuring the bundled task corresponds to the specified source code.

No bugs or issues were found in the provided diff. The updates are consistent and follow the pattern of pinning to specific commit hashes and image digests.

Suggested Improvements:

No specific code changes are suggested as the current updates are consistent and correctly formatted for Kustomize. However, for future reference:

• Verification of new versions: Ensure that the new versions of the enterprise-contract-controller CRDs and the Tekton task bundle have been thoroughly tested for compatibility and functionality within the target environment before deployment.

[github-actions]

Code Review by Gemini

The provided diff updates specific versions and hashes for the Enterprise Contract components.

The changes include:

1. Updating the ref for the enterprise-contract-controller CRD.
2. Updating the verify_ec_task_bundle image and its SHA256 digest.
3. Updating the verify_ec_task_git_revision for the Tekton task source.

Review:

• Consistency: The new verify_ec_task_bundle tag (kf-c7c8b3c4d7135f4801bf6aed1e375c9ad0285427) now consistently matches the verify_ec_task_git_revision (c7c8b3c4d7135f4801bf6aed1e375c9ad0285427). This is a good practice, ensuring the image bundle is built from the specified Git revision.
• Immutability: Using specific commit hashes for the CRD ref and Git revision, along with SHA256 digests for container images, promotes immutability and reproducibility, which is a robust approach for managing dependencies.

Bugs and Issues:
No bugs or logical issues are apparent in the provided code changes. The updates are primarily to configuration values (versions/hashes) and are syntactically correct for a kustomization.yaml file.

Suggested Improvements:
Given that the changes are routine version updates and are internally consistent, there are no specific code changes to suggest for improvement within this diff. The current approach of pinning to specific hashes and digests is a good practice.

[github-actions]

Code Review by Gemini

The changes update the versions of the Enterprise Contract Controller CRD, the verify_ec_task_bundle image, and the verify_ec_task_git_revision.

No bugs or issues were found in the provided diff. The changes are syntactically correct Kustomize updates, updating specific commit hashes and image digests. The consistency between the verify_ec_task_bundle tag and verify_ec_task_git_revision is noted.

No improvements are suggested for the exact lines of files that need to be changed, as the current updates are direct version bumps and are correctly formatted.

[github-actions]

Code Review by Gemini

The changes in kustomization.yaml update the references for the enterprise-contract-controller CRD, the verify_ec_task_bundle image, and the verify_ec_task_git_revision. These updates appear to be consistent and syntactically correct.

No bugs or issues were found in the provided diff. The changes are straightforward dependency version updates.

No specific code changes are suggested as the current updates are consistent and valid. It is important to ensure that the new versions referenced (CRD, task bundle, and git revision) have been thoroughly tested and are compatible with the existing environment.

[github-actions]

Code Review by Gemini

The changes involve updating the Git revisions for the enterprise-contract-controller CRD and the conforma/tekton-task bundle, along with its corresponding Git revision and SHA256 digest.

The updates appear to be consistent:

• The verify_ec_task_bundle image tag kf-d0654835c0017d65ea1b8c0b77fce01d0ffca0d8 matches the verify_ec_task_git_revision d0654835c0017d65ea1b8c0b77fce01d0ffca0d8. This indicates that the task bundle is built from the specified Git revision.

No bugs or issues are found in the provided diff. The changes are straightforward version updates.

[konflux-ci-qe-bot]

🤖 Pipeline Failure Analysis

Category: Test

The end-to-end tests failed due to failures in enterprise contract verification and the Konflux demo build's release pipeline.

📋 Technical Details

Immediate Cause

The Prow job failed because two critical end-to-end test suites, enterprise-contract-suite and konflux-demo-suite, reported failures. Specifically, the enterprise contract verification task indicated a "FAILURE" status due to policy violations, and a Konflux demo build's PipelineRun failed unexpectedly.

Contributing Factors

Multiple verify-enterprise-contract TaskRuns failed when the STRICT parameter was enabled, indicating that the build artifacts did not adhere to the defined enterprise contract policies. This suggests potential issues with the build process producing non-compliant artifacts or a misconfiguration of the enterprise contract policies themselves. Additionally, the failure of the managed-8dwt2 PipelineRun in the Konflux demo suite points to a problem within the release pipeline execution or its dependencies. The additional_context reveals that several verify-enterprise-contract TaskRuns failed with TEST_OUTPUT indicating "FAILURE" and policy violations when STRICT was true.

Impact

These test failures directly blocked the successful completion of the Prow job, preventing the validation of the application's infrastructure deployment and its end-to-end functionality. The failures indicate that the system is not meeting its contract compliance standards or that release pipelines are not functioning as expected.

🔍 Evidence

appstudio-e2e-tests/redhat-appstudio-e2e

Category: test
Root Cause: The end-to-end tests failed because the enterprise contract verification process reported a "FAILURE" and a Konflux demo build's release pipeline did not complete successfully. These indicate issues within the application's integration or deployment logic.

Logs:

artifacts/appstudio-e2e-tests/redhat-appstudio-e2e/build-log.txt line 1058

• [FAILED] [29.263 seconds]
[enterprise-contract-suite Conforma E2E tests] test creating and signing an image and task verify-enterprise-contract task Release Policy [It] verifies redhat products pass the redhat policy rule collection before release  [ec, pipeline]
/tmp/tmp.klpR46zewa/tests/enterprise-contract/contract.go:347

artifacts/appstudio-e2e-tests/redhat-appstudio-e2e/build-log.txt line 1076

[FAILED] Expected
      <[]v1.TaskRunResult | len:1, cap:4>: [
          {
              Name: "TEST_OUTPUT",
              Type: "string",
              Value: {
                  Type: "string",
                  StringVal: "{\"timestamp\":\"1769164387\",\"namespace\":\"\",\"successes\":360,\"failures\":6,\"warnings\":18,\"result\":\"FAILURE\"}
",
                  ArrayVal: nil,
                  ObjectVal: nil,
              },
          },
      ]
  not to contain elements
      <[]*tekton.TaskRunResultMatcher | len:1, cap:1>: [
          {
              name: "TEST_OUTPUT",
              jsonPath: "{$.result}",
              value: nil,
              jsonValue: <string>"[\"FAILURE\"]",
              jsonMatcher: <*matchers.MatchJSONMatcher | 0xc001b06db0>{ 
                  JSONToMatch: <string>"[\"FAILURE\"]",
                  firstFailurePath: nil,
              },
          },
      ]
  In [It] at: /tmp/tmp.klpR46zewa/tests/enterprise-contract/contract.go:380 @ 01/23/26 10:33:11.065

artifacts/appstudio-e2e-tests/redhat-appstudio-e2e/build-log.txt line 1080

• [FAILED] [0.059 seconds]
[konflux-demo-suite] Maven project - Default build when Release PipelineRun is triggered [It] should eventually succeed [konflux, upstream-konflux]
/tmp/tmp.klpR46zewa/tests/konflux-demo/konflux-demo.go:388

artifacts/appstudio-e2e-tests/redhat-appstudio-e2e/build-log.txt line 1082

[FAILED] did not expect PipelineRun konflux-opwl-managed/managed-8dwt2 to fail
  Expected
      <bool>: true
  not to be true
  In [It] at: /tmp/tmp.klpR46zewa/tests/konflux-demo/konflux-demo.go:392 @ 01/23/26 10:37:14.225

artifacts/appstudio-e2e-tests/redhat-appstudio-e2e/build-log.txt line 1106

Error: error when running e2e tests: running "ginkgo --seed=1769163261 --timeout=1h30m0s --grace-period=30s --output-interceptor-mode=none --label-filter=ec,konflux --no-color --json-report=e2e-report.json --junit-report=e2e-report.xml --procs=20 --nodes=20 --p --output-dir=/logs/artifacts ./cmd --" failed with exit code 1
make: *** [Makefile:25: ci/test/e2e] Error 1

---

Analysis powered by prow-failure-analysis | Build: 2014641675783114752

[konflux-ci-qe-bot]

🤖 Pipeline Failure Analysis

Category: Infrastructure

The pipeline failed because it encountered a Docker Hub rate limiting error while pulling a Helm chart for PostgreSQL, preventing the deployment of necessary test infrastructure.

📋 Technical Details

Immediate Cause

The appstudio-e2e-tests/redhat-appstudio-e2e step failed because the CI job exceeded Docker Hub's unauthenticated pull rate limit when attempting to download the PostgreSQL Helm chart (oci://registry-1.docker.io/bitnamichartssecure/postgresql). This resulted in a "429 Too Many Requests" error from the Docker Hub registry.

Contributing Factors

This is an external rate limiting issue by Docker Hub. There are no indications of misconfiguration within the pipeline's code or deployment scripts. The additional_context does not reveal any specific cluster-level issues that would exacerbate or cause this rate limiting.

Impact

The inability to pull the required Helm chart prevented the successful bootstrapping and deployment of the PostgreSQL database, which is a necessary component for the end-to-end tests. This blocked the pipeline execution before any specific tests could be run or evaluated.

🔍 Evidence

appstudio-e2e-tests/redhat-appstudio-e2e

Category: infrastructure
Root Cause: The CI job failed because it exceeded the unauthenticated pull rate limit for Docker Hub while attempting to download a Helm chart for PostgreSQL. This is an external rate limiting issue from Docker Hub, not an issue with the pipeline's configuration or code.

Logs:

artifacts/appstudio-e2e-tests/redhat-appstudio-e2e/build-log.txt line 1180

postgres failed with:
[{"lastTransitionTime":"2026-02-02T15:18:25Z","message":"Failed to load target state: failed to generate manifest for source 1 of 1: rpc error: code = Unknown desc = error pulling OCI chart: failed to pull OCI chart: failed to get command args to log: 'helm pull oci://registry-1.docker.io/bitnamichartssecure/postgresql --version 17.0.2 --destination /tmp/ae1b9c87-4112-41e1-8570-06404a22e209' failed exit status 1: Error: failed to copy: httpReadSeeker: failed open: unexpected status code https://registry-1.docker.io/v2/bitnamichartssecure/postgresql/manifests/sha256:6761aad2d5e01b5462284aa31f1c58e676deee8b8266491f95b22ecfd0f1113d: 429 Too Many Requests - Server message: toomanyrequests: You have reached your unauthenticated pull rate limit. https://www.docker.com/increase-rate-limit","type":"ComparisonError"}]

artifacts/appstudio-e2e-tests/redhat-appstudio-e2e/build-log.txt line 1536

postgres failed with:
[{"lastTransitionTime":"2026-02-02T15:27:41Z","message":"Failed to load target state: failed to generate manifest for source 1 of 1: rpc error: code = Unknown desc = error pulling OCI chart: failed to pull OCI chart: failed to get command args to log: 'helm pull oci://registry-1.docker.io/bitnamichartssecure/postgresql --version 17.0.2 --destination /tmp/3fb8450c-7d27-4799-b12d-79becaeba235' failed exit status 1: Error: failed to copy: httpReadSeeker: failed open: unexpected status code https://registry-1.docker.io/v2/bitnamichartssecure/postgresql/manifests/sha256:6761aad2d5e01b5462284aa31f1c58e676deee8b8266491f95b22ecfd0f1113d: 429 Too Many Requests - Server message: toomanyrequests: You have reached your unauthenticated pull rate limit. https://www.docker.com/increase-rate-limit","type":"ComparisonError"}]

artifacts/appstudio-e2e-tests/redhat-appstudio-e2e/build-log.txt line 1546

Error: error when bootstrapping cluster: reached maximum number of attempts (2). error: exit status 1

---

Analysis powered by prow-failure-analysis | Build: 2018339384100655104

[konflux-ci-qe-bot]

🤖 Pipeline Failure Analysis

Category: Timeout

The AppStudio e2e tests timed out due to underlying Tekton components, specifically the TektonAddon and its related deployments, being in an unready state.

📋 Technical Details

Immediate Cause

The appstudio-e2e-tests/redhat-appstudio-e2e step timed out after 2 hours of execution, and the process failed to terminate gracefully within the subsequent 15-second grace period. This indicates that the test execution environment or the tests themselves were stuck and unresponsive.

Contributing Factors

Analysis of the additional context reveals that the TektonAddon 'addon' is in an error state. Its InstallerSetReady and Ready conditions are False because "openshift console resources" are not ready, with the tkn-cli-serve deployment being specifically non-ready. Similarly, TektonConfig 'config' reports ComponentsReady as False, indicating a need to reconcile the TektonAddon. These underlying issues with Tekton, which is essential for the e2e test execution, likely prevented the tests from starting or completing within the allocated time. The applicationsets.json also shows multiple applications in an 'OutOfSync' and 'Missing' health state, which could indicate broader instability in application deployments that the e2e tests are intended to validate.

Impact

The timeout of the e2e tests prevented the successful completion of the Prow job, blocking the integration and deployment pipeline. This failure means that the new changes in PR #7103 have not been validated by the e2e test suite, potentially allowing regressions or issues to be merged.

🔍 Evidence

appstudio-e2e-tests/redhat-appstudio-e2e

Category: timeout
Root Cause: The end-to-end tests timed out because the underlying processes exceeded the allowed execution time, likely due to the extensive setup and configuration steps involved before the tests could actually start or complete.

Logs:

artifacts/appstudio-e2e-tests/redhat-appstudio-e2e/log.txt line 696

{"component":"entrypoint","file":"sigs.k8s.io/prow/pkg/entrypoint/run.go:169","func":"sigs.k8s.io/prow/pkg/entrypoint.Options.ExecuteProcess","level":"error","msg":"Process did not finish before 2h0m0s timeout","severity":"error","time":"2026-02-02T18:25:20Z"}

artifacts/appstudio-e2e-tests/redhat-appstudio-e2e/log.txt line 698

{"component":"entrypoint","file":"sigs.k8s.io/prow/pkg/entrypoint/run.go:267","func":"sigs.k8s.io/prow/pkg/entrypoint.gracefullyTerminate","level":"error","msg":"Process did not exit before 15s grace period","severity":"error","time":"2026-02-02T18:25:35Z"}

---

Analysis powered by prow-failure-analysis | Build: 2018358888641859584

[konflux-ci-qe-bot]

🤖 Pipeline Failure Analysis

Category: Infrastructure

Pipeline failed due to degraded Argo CD application states preventing end-to-end tests from running.

📋 Technical Details

Immediate Cause

The redhat-appstudio-e2e step failed because critical Argo CD applications (build-service-in-cluster-local and pipeline-service-in-cluster-local) were not synchronizing correctly, exhibiting Degraded and OutOfSync statuses. This prevented the necessary services from being available for the end-to-end tests.

Contributing Factors

The additional_context reveals that multiple Argo CD ApplicationSets were in an OutOfSync or Missing state, and the build-service-in-cluster-local application itself had a Degraded health status. Additionally, the tektonaddons.json indicates that Tekton Addons were not ready, with conditions reporting False due to issues with console resources and the tkn-cli-serve deployment. These underlying issues likely contributed to the Argo CD application synchronization problems. The konflux-ci-unregister-sprayproxy step timing out is a secondary failure, occurring after the primary issue had already blocked test execution.

Impact

The failure of the Argo CD applications to synchronize directly blocked the execution of the redhat-appstudio-e2e tests, causing the overall pipeline to fail. The inability to deploy and maintain the necessary services in a healthy state prevented validation of the AppStudio infrastructure through end-to-end testing.

🔍 Evidence

appstudio-e2e-tests/konflux-ci-unregister-sprayproxy

Category: timeout
Root Cause: The mage -v ci:unregisterSprayproxy command exceeded the 10-minute timeout limit, indicating the unregistration process did not complete within the expected timeframe.

Logs:

artifacts/appstudio-e2e-tests/konflux-ci-unregister-sprayproxy/artifacts/build-log.txt:309

{"component":"entrypoint","file":"sigs.k8s.io/prow/pkg/entrypoint/run.go:169","func":"sigs.k8s.io/prow/pkg/entrypoint.Options.ExecuteProcess","level":"error","msg":"Process did not finish before 10m0s timeout","severity":"error","time":"2026-02-06T12:16:05Z"}

artifacts/appstudio-e2e-tests/konflux-ci-unregister-sprayproxy/artifacts/build-log.txt:310

{"component":"entrypoint","file":"sigs.k8s.io/prow/pkg/entrypoint/run.go:267","func":"sigs.k8s.io/prow/pkg/entrypoint.gracefullyTerminate","level":"error","msg":"Process did not exit before 1m0s grace period","severity":"error","time":"2026-02-06T12:17:06Z"}

appstudio-e2e-tests/redhat-appstudio-e2e

Category: infrastructure
Root Cause: The Argo CD applications failed to synchronize, leading to a degraded state and preventing the end-to-end tests from running. This indicates an issue with the Argo CD operator or its configuration within the cluster.

Logs:

artifacts/appstudio-e2e-tests/redhat-appstudio-e2e/step.txt line 747

build-service-in-cluster-local                      Synced   Degraded

artifacts/appstudio-e2e-tests/redhat-appstudio-e2e/step.txt line 748

Waiting 10 seconds for application sync

artifacts/appstudio-e2e-tests/redhat-appstudio-e2e/step.txt line 750

build-service-in-cluster-local                      Synced   Degraded

artifacts/appstudio-e2e-tests/redhat-appstudio-e2e/step.txt line 751

Waiting 10 seconds for application sync

artifacts/appstudio-e2e-tests/redhat-appstudio-e2e/step.txt line 1191

pipeline-service-in-cluster-local                   OutOfSync   Missing

artifacts/appstudio-e2e-tests/redhat-appstudio-e2e/step.txt line 1194

Waiting 10 seconds for application sync

artifacts/appstudio-e2e-tests/redhat-appstudio-e2e/step.txt line 1203

pipeline-service-in-cluster-local                   OutOfSync   Missing

artifacts/appstudio-e2e-tests/redhat-appstudio-e2e/step.txt line 1206

Waiting 10 seconds for application sync

artifacts/appstudio-e2e-tests/redhat-appstudio-e2e/step.txt line 1656

build-service-in-cluster-local                      Synced   Degraded

artifacts/appstudio-e2e-tests/redhat-appstudio-e2e/step.txt line 1657

Waiting 10 seconds for application sync

artifacts/appstudio-e2e-tests/redhat-appstudio-e2e/step.txt line 1659

build-service-in-cluster-local                      Synced   Degraded

artifacts/appstudio-e2e-tests/redhat-appstudio-e2e/step.txt line 1660

Waiting 10 seconds for application sync

artifacts/appstudio-e2e-tests/redhat-appstudio-e2e/step.txt line 2069

build-service-in-cluster-local                      Synced   Degraded

artifacts/appstudio-e2e-tests/redhat-appstudio-e2e/step.txt line 2070

Waiting 10 seconds for application sync

artifacts/appstudio-e2e-tests/redhat-appstudio-e2e/step.txt line 2072

build-service-in-cluster-local                      Synced   Degraded

artifacts/appstudio-e2e-tests/redhat-appstudio-e2e/step.txt line 2073

Waiting 10 seconds for application sync

artifacts/appstudio-e2e-tests/redhat-appstudio-e2e/step.txt line 2174

make: *** [Makefile:25: ci/test/e2e] Terminated

artifacts/appstudio-e2e-tests/redhat-appstudio-e2e/step.txt line 2175

{"component":"entrypoint","file":"sigs.k8s.io/prow/pkg/entrypoint/run.go:264","func":"sigs.k8s.io/prow/pkg/entrypoint.gracefullyTerminate","level":"error","msg":"Process gracefully exited before 15s grace period","severity":"error","time":"2026-02-06T11:59:03Z"}

---

Analysis powered by prow-failure-analysis | Build: 2019717549226201088

[openshift-ci]

@ec-automation[bot]: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/konflux-e2e-v416-optional	71017e9	link	false	/test konflux-e2e-v416-optional

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.