[KONFLUX-13286] Replace appstudio-utils image with task-runner #3316

Open
jsmid1 wants to merge 1 commit into conforma:main from jsmid1:KONFLUX-13286

@jsmid1 jsmid1 commented May 20, 2026

Summary

  • The appstudio-utils image is being decommissioned; task-runner is the replacement.
  • Replaces quay.io/konflux-ci/appstudio-utils:latest with quay.io/konflux-ci/task-runner:v1 in release/cli.yaml
  • Also updates test fixture image references in pkg/schema/examples/hacbs2_valid.json so it won't be flagged by image deprecation scans.

Issue: KONFLUX-13286

@jsmid1 jsmid1 requested a review from simonbaird May 20, 2026 07:28

coderabbitai Bot commented May 20, 2026

Walkthrough

This PR standardizes Tekton runner images: the HACBS example switches to quay.io/konflux-ci/task-runner:1.7.0, and three steps in release/cli.yaml switch to quay.io/konflux-ci/task-runner:v1, preserving commands and arguments.

Changes

Container image reference updates

Layer / File(s): Summary
  • Example schema update (pkg/schema/examples/hacbs2_valid.json): The appstudio-configure-build task's step environment.image is changed to quay.io/konflux-ci/task-runner:1.7.0.
  • Release pipeline task image updates (release/cli.yaml): The expand-snapshot taskSpec expand step and the push taskSpec copy-cli and copy-cli-old-org steps switch their runner images to quay.io/konflux-ci/task-runner:v1, keeping the existing hack/copy-snapshot-image.sh invocations and parameters unchanged.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name: Status. Explanation
  • Title check: ✅ Passed. The title clearly and specifically describes the main change: replacing the appstudio-utils image with task-runner across the codebase.
  • Description check: ✅ Passed. The description is directly related to the changeset, explaining the deprecation of appstudio-utils and its replacement with task-runner in the affected files.
  • Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
  • Linked Issues check: ✅ Passed. Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check: ✅ Passed. Check skipped because no linked issues were found for this pull request.

@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 1

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Enterprise

Run ID: 32ed78f5-978c-4827-b6df-eb6de30eb0d6

📥 Commits

Reviewing files that changed from the base of the PR and between 0d00682 and c6c21d7.

📒 Files selected for processing (2)
  • pkg/schema/examples/hacbs2_valid.json
  • release/cli.yaml

Comment thread release/cli.yaml
- $(results.cli-snapshot-spec.path)
- $(results.bundle-snapshot-spec.path)
image: quay.io/konflux-ci/appstudio-utils:latest
image: quay.io/konflux-ci/task-runner:v1
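
Review bot: The replacement line `image: quay.io/konflux-ci/task-runner:v1` swaps one mutable tag (`:latest`) for another (`:v1`), so the content this release step runs can still change without any edit to release/cli.yaml. Pin the reference as `quay.io/konflux-ci/task-runner@sha256:<digest>`, using a digest taken from the image that was actually reviewed, and apply the same form to every other step that uses this image.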

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Verify whether task-runner references in release pipeline are digest-pinned.
# Expected: task-runner references exist, but none are pinned with `@sha256` in current PR state.

rg -n 'image:\s*quay\.io/konflux-ci/task-runner' release/cli.yaml
rg -n 'image:\s*quay\.io/konflux-ci/task-runner@sha256:' release/cli.yaml

Repository: conforma/cli

Length of output: 320


Pin task-runner references by digest in release steps.

Lines 94, 184, 190, 203, and 210 use the mutable tag :v1, which allows unreviewed image drift in the release pipeline and weakens supply-chain guarantees. Pin each reference to a specific digest instead:

image: quay.io/konflux-ci/task-runner@sha256:<approved-digest>
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@release/cli.yaml` at line 94, Replace every mutable image reference
"quay.io/konflux-ci/task-runner:v1" with the digest-pinned form
"quay.io/konflux-ci/task-runner@sha256:<approved-digest>" so the release steps
are immutable; update all occurrences of that image string in the manifest (the
entries currently using :v1) to use the approved sha256 digest and ensure the
exact approved digest is used consistently across the release steps.
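
The pinning check requested in this review, as an added example (not part of the PR, the conforma project or CodeRabbit's output): a shell audit that classifies every `image:` entry in a manifest and reports those that are not pinned to a full sha256 digest, including placeholder digests and untagged references that the two `rg` patterns above do not separate. The function names, the sample manifest, its digest and the `registry.example` and `localhost:5000` hosts are constructed for illustration.

```bash
# Added example: flag image: entries in a manifest that are not digest-pinned.

# classify_image_ref REF -> pinned | bad-digest | mutable-tag | untagged
classify_image_ref() {
  case "$1" in
    *@sha256:*)
      # A usable pin is exactly 64 lowercase hex characters, not a placeholder.
      if printf '%s\n' "${1##*@sha256:}" | grep -Eq '^[0-9a-f]{64}$'; then
        echo pinned
      else
        echo bad-digest
      fi ;;
    *)
      # A colon before the last "/" is a registry port, not a tag.
      case "${1##*/}" in
        *:*) echo mutable-tag ;;
        *)   echo untagged ;;   # resolves to :latest
      esac ;;
  esac
}

# audit_manifest FILE -> "LINE STATUS REF" per unpinned image: entry; returns 1 if any.
audit_manifest() {
  report=$(grep -nE '^[[:space:]]*(-[[:space:]]*)?image:' "$1" |
    sed -E "s/^([0-9]+):[[:space:]]*(-[[:space:]]*)?image:[[:space:]]*/\1 /; s/[\"']//g" |
    while read -r lineno ref; do
      status=$(classify_image_ref "$ref")
      [ "$status" = pinned ] || echo "$lineno $status $ref"
    done)
  if [ -z "$report" ]; then return 0; fi
  printf '%s\n' "$report"
  return 1
}

# Constructed sample (not the project's release/cli.yaml); digest and hosts are made up.
sample_manifest() {
  cat <<'EOF'
steps:
  - name: expand
    image: quay.io/konflux-ci/task-runner:v1
  - name: pinned-step
    image: registry.example/tools/helper@sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
  - name: placeholder
    image: "quay.io/konflux-ci/task-runner@sha256:<approved-digest>"
  - name: local
    image: localhost:5000/helper
EOF
}

sample_manifest | audit_manifest - || echo "unpinned image references found" >&2
```

Because `audit_manifest` returns a non-zero status when it finds anything, it can gate a CI job directly on a manifest path.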


codecov Bot commented May 20, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.

Flag Coverage Δ
acceptance 55.59% <ø> (-0.01%) ⬇️
generative 17.82% <ø> (ø)
integration 26.56% <ø> (ø)
unit 69.04% <ø> (ø)

The appstudio-utils image is being decommissioned. Replace all
references with the task-runner image.

Signed-off-by: Jan Smid <jsmid@redhat.com>

@coderabbitai coderabbitai Bot left a comment

♻️ Duplicate comments (1)
release/cli.yaml (1)

94-94: ⚠️ Potential issue | 🔴 Critical | 🏗️ Heavy lift

Pin task-runner references by digest in release steps.

Lines 94, 184, 190, 203, and 210 use the mutable tag :v1, which allows unreviewed image drift in the release pipeline and weakens supply-chain guarantees. Pin each reference to a specific digest instead.

Run the following script to retrieve the current digest for task-runner:v1 and verify the image exists:

#!/bin/bash
# Verify task-runner:v1 image exists and get its current digest for pinning

echo "Checking if quay.io/konflux-ci/task-runner:v1 exists and retrieving digest..."
skopeo inspect docker://quay.io/konflux-ci/task-runner:v1 | jq -r '.Digest'

echo ""
echo "To pin by digest, replace 'quay.io/konflux-ci/task-runner:v1' with:"
echo "quay.io/konflux-ci/task-runner@sha256:<digest-from-above>"

echo ""
echo "Checking for any known vulnerabilities..."
gh api graphql -f query='
{
  securityVulnerabilities(first: 5, ecosystem: CONTAINER, package: "konflux-ci/task-runner") {
    nodes {
      advisory {
        summary
        severity
        publishedAt
      }
      vulnerableVersionRange
    }
  }
}'
🔒 Recommended fix to pin by digest

After retrieving the digest from the verification script above, apply this pattern to all five occurrences:

-        image: quay.io/konflux-ci/task-runner:v1
+        image: quay.io/konflux-ci/task-runner@sha256:<digest>
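
Review bot: The `+` line drops the `:v1` tag altogether, so after pinning nothing in release/cli.yaml records which task-runner release the digest corresponds to. Consider keeping the tag in front of the digest, as in `quay.io/konflux-ci/task-runner:v1@sha256:<digest>`, so the pull is still resolved by digest while the version stays readable, and note that `<digest>` is a placeholder that has to be replaced with the value read from the registry before the change is applied.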

Apply to lines: 94, 184, 190, 203, 210

Also applies to: 184-184, 190-190, 203-203, 210-210

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@release/cli.yaml` at line 94, Replace all mutable task-runner image tags
"quay.io/konflux-ci/task-runner:v1" with an immutable digest-pinned form
"quay.io/konflux-ci/task-runner@sha256:<digest>" in release/cli.yaml wherever
that exact tag appears (the five occurrences of the same string), by first
obtaining the current digest (e.g., via skopeo inspect or your registry tooling)
and then performing a find-and-replace of "quay.io/konflux-ci/task-runner:v1" ->
"quay.io/konflux-ci/task-runner@sha256:<digest>" so every image reference (the
string "quay.io/konflux-ci/task-runner:v1") is replaced with the digest-pinned
URI.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Enterprise

Run ID: 4940a0e2-fa62-4f8d-8b83-954459e1aa2d

📥 Commits

Reviewing files that changed from the base of the PR and between c6c21d7 and 5829ec1.

📒 Files selected for processing (2)
  • pkg/schema/examples/hacbs2_valid.json
  • release/cli.yaml
