
switching to hardened images to reduce image size and CVE footprint #133

Open
acornett21 wants to merge 1 commit into redhat-openshift-ecosystem:main from acornett21:switch_to_hi_images

Conversation

@acornett21 acornett21 commented Jun 16, 2026

Contributor

Summary by CodeRabbit

  • Chores
    • Updated container base images for improved compatibility and maintenance. The build and runtime environments now use updated Red Hat UBI-based images while preserving all existing functionality and build configurations.

Signed-off-by: Adam D. Cornett <adc@redhat.com>
@openshift-ci openshift-ci Bot requested review from bcrochet and komish June 16, 2026 18:18

coderabbitai Bot commented Jun 16, 2026


Walkthrough

The Dockerfile replaces both stage base images with internal Red Hat registry images: the builder stage moves from docker.io/golang:1.26 to registry.access.redhat.com/hi/go:1.26-builder, and the runtime stage moves from registry.access.redhat.com/ubi10/ubi-micro:latest to registry.access.redhat.com/hi/core-runtime:latest. All other build steps remain unchanged.

Changes

Dockerfile Base Image Update

Layer | File(s) | Summary
Builder and runtime base image replacement | Dockerfile | Builder stage switches from golang:1.26 to registry.access.redhat.com/hi/go:1.26-builder; runtime stage switches from ubi10/ubi-micro:latest to registry.access.redhat.com/hi/core-runtime:latest. All other instructions are unchanged.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

Suggested reviewers

  • bcrochet
  • komish
🚥 Pre-merge checks | ✅ 6 | ❌ 1

❌ Failed checks (1 warning)

Check name | Status | Explanation | Resolution
Test Structure And Quality | ⚠️ Warning | Test assertions lack meaningful failure messages. All Expect() calls are missing context to help diagnose failures when tests fail. | Add descriptive messages to all Expect() assertions (e.g., Expect(err).NotTo(HaveOccurred(), "failed to create test pod"))

✅ Passed checks (6 passed)

Check name | Status | Explanation
Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled.
Title check | ✅ Passed | The title accurately describes the main change: switching Docker base images to hardened Red Hat UBI images with the stated goals of reducing image size and CVE footprint.
Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names | ✅ Passed | All Ginkgo test names in the PR use stable, deterministic strings with no dynamic content (UUIDs, timestamps, pod/namespace names, IPs, etc.). All tests follow best practices.


@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@Dockerfile`:
- Line 6: Verify the builder image specified in the FROM statement
(registry.access.redhat.com/hi/go:1.26-builder) includes the make utility
required by the build command, and if not available, add it via a RUN
instruction. Additionally, replace the `:latest` tag on the runtime image
(registry.access.redhat.com/hi/core-runtime:latest) with a specific version
number to ensure reproducible builds and prevent unintended updates when the
image is rebuilt.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: e5335888-52e5-4466-ac78-6e4b635a8fa4

📥 Commits

Reviewing files that changed from the base of the PR and between e94099c and e337c6e.

📒 Files selected for processing (1)
  • Dockerfile

Comment thread Dockerfile
ARG OS=linux

FROM docker.io/golang:1.26 AS builder
FROM registry.access.redhat.com/hi/go:1.26-builder AS builder
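Review bot: the new builder base on line 6 (`FROM registry.access.redhat.com/hi/go:1.26-builder AS builder`) is still referenced by a mutable tag, so the builder's contents can change underneath later rebuilds even though the PR's purpose is to control image size and CVE footprint; consider pinning it by digest, e.g. `FROM registry.access.redhat.com/hi/go:1.26-builder@sha256:<digest recorded at switch time>`, and state in the PR description that this image supplies `make`, which the later build step depends on.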


⚠️ Potential issue | 🟡 Minor

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Verify the new builder image is accessible and has required tools
# Note: This assumes you have credentials configured for registry.access.redhat.com

# Try to inspect the image (requires authentication)
podman inspect registry.access.redhat.com/hi/go:1.26-builder 2>&1 | head -20

# Try to pull and inspect Go version (if accessible)
podman pull registry.access.redhat.com/hi/go:1.26-builder 2>&1 && \
podman run --rm registry.access.redhat.com/hi/go:1.26-builder go version

# Check if make is available
podman run --rm registry.access.redhat.com/hi/go:1.26-builder which make

Repository: redhat-openshift-ecosystem/preflight-trigger

Length of output: 244

Verify builder image includes make and pin runtime image version for reproducibility.

The switch to Red Hat hardened images from the public registry.access.redhat.com registry is supported—the registry is publicly accessible and requires no authentication. The -builder variant image includes development tools for compilation.

Two minor items to verify:

  1. Confirm the make utility is available in the registry.access.redhat.com/hi/go:1.26-builder image, as the build command on line 15 requires it.
  2. Pin the runtime image on line 18 from registry.access.redhat.com/hi/core-runtime:latest to a specific version tag for reproducible builds and to avoid unexpected updates.
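The second item in the review asks to pin the runtime image away from `:latest`; the same concern applies to any tag-only reference, since a tag can be re-pointed at the registry while a digest cannot. Below is an added example, not code from this PR or from the preflight-trigger project, of a POSIX sh check that audits the FROM lines of a Dockerfile and reports base images that are not digest-pinned. The sample Dockerfile it writes is constructed to mirror the two stages discussed in the review, and the function names (classify_ref, audit_dockerfile, write_sample_dockerfile) are my own.

```shell
#!/bin/sh
# Added example, not code from the PR or the preflight-trigger project:
# a POSIX sh audit of the FROM lines in a Dockerfile that reports base
# images pulled by a mutable reference. Three cases are flagged:
#   no-tag     FROM alpine                      (implicitly :latest)
#   latest     FROM repo/img:latest             (the case raised in the review)
#   no-digest  FROM repo/img:1.26-builder       (tag only, no @sha256 digest)
# Only a reference carrying an @sha256 digest counts as pinned. 'scratch' and
# aliases of earlier build stages (FROM builder) are skipped.

# classify_ref IMAGE_REF  -> prints ok | no-tag | latest | no-digest
classify_ref() {
    case "$1" in
        *@sha256:*) echo ok; return 0 ;;
    esac
    # Look only at the last path component so a registry port such as
    # localhost:5000/app is not mistaken for a tag.
    _last=${1##*/}
    case "$_last" in
        *:latest) echo latest ;;
        *:*)      echo no-digest ;;
        *)        echo no-tag ;;
    esac
}

# audit_dockerfile PATH -> prints "PATH:LINE: REF (verdict)" per finding;
# exit status 0 when every external base image is digest-pinned, 1 otherwise.
audit_dockerfile() {
    _file=$1
    _findings=0
    _stages=" "
    _n=0
    set -f    # no globbing while splitting lines into words
    while IFS= read -r _line || [ -n "$_line" ]; do
        _n=$((_n + 1))
        set -- $_line
        [ "$#" -gt 0 ] || continue
        [ "$(printf '%s' "$1" | tr '[:lower:]' '[:upper:]')" = FROM ] || continue
        shift
        # skip instruction flags such as --platform=linux/amd64
        while [ "$#" -gt 0 ] && [ "${1#--}" != "$1" ]; do shift; done
        [ "$#" -gt 0 ] || continue
        _ref=$1
        # remember 'AS <name>' so later 'FROM <name>' lines are not flagged
        if [ "$#" -ge 3 ] && [ "$(printf '%s' "$2" | tr '[:lower:]' '[:upper:]')" = AS ]; then
            _stages="$_stages$3 "
        fi
        [ "$_ref" != scratch ] || continue
        case "$_stages" in *" $_ref "*) continue ;; esac
        _verdict=$(classify_ref "$_ref")
        if [ "$_verdict" != ok ]; then
            printf '%s:%s: %s (%s)\n' "$_file" "$_n" "$_ref" "$_verdict"
            _findings=$((_findings + 1))
        fi
    done < "$_file"
    set +f
    [ "$_findings" -eq 0 ]
}

# write_sample_dockerfile PATH: a constructed Dockerfile mirroring the two
# stages discussed in the review (not the project's real Dockerfile).
write_sample_dockerfile() {
    cat > "$1" <<'EOF'
ARG OS=linux
FROM --platform=linux/amd64 registry.access.redhat.com/hi/go:1.26-builder AS builder
WORKDIR /src
RUN make build
FROM builder AS tester
RUN make test
FROM registry.access.redhat.com/hi/core-runtime:latest
COPY --from=builder /src/bin/app /app
EOF
}

# Stand-alone demo: audit a Dockerfile given on the command line, or the
# constructed sample when no path is given.
if [ "$#" -gt 0 ]; then
    audit_dockerfile "$1"
else
    _tmp=$(mktemp)
    write_sample_dockerfile "$_tmp"
    audit_dockerfile "$_tmp"
    echo "exit status: $?"
    rm -f "$_tmp"
fi
```

Run it with a Dockerfile path to audit a real file, or with no arguments to see the two findings against the constructed sample (the tag-only builder image and the `:latest` runtime image); the non-zero exit status makes it usable as a CI gate. A version tag such as `1.26-builder` narrows what you get but is still mutable at the registry, so pinning by digest is what actually freezes the image contents.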

@acornett21 acornett21 added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Jun 16, 2026
@acornett21

Contributor Author

It looks like the base id has changed, so we can not write files.
