Add Red Hat Hardened Images to mirror#79686

Open
feichashao wants to merge 1 commit into openshift:main from feichashao:add_hi_images

feichashao commented May 26, 2026

What

This PR adds some Red Hat Hardened images to the mirror.

Why

Red Hat Hardened Images provide the latest Go version, which reduces the number of CVEs to near 0.

We have a repo that would like to keep up with the latest Go version; hence, we will need the CI image to have the latest version in order to perform tests.

Hardened Images: https://images.redhat.com/

Doc about adding mirror: https://docs.ci.openshift.org/how-tos/external-images/

Summary by CodeRabbit

  • Chores
    • Updated image mirroring configuration to support additional Go versions including FIPS-enabled builds (1.25 and 1.26) and their latest variants, improving container image availability for CI/CD pipelines.

openshift-ci Bot added the needs-rebase label (Indicates a PR cannot be merged because it has merge conflicts with HEAD.) May 26, 2026
openshift-ci Bot requested review from hector-vido and smg247 May 26, 2026 04:21

openshift-ci Bot commented May 26, 2026

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: feichashao
Once this PR has been reviewed and has the lgtm label, please assign hector-vido for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment


coderabbitai Bot commented May 26, 2026

Walkthrough

Image mirroring configuration adds supplemental CI image mappings for multiple ci/hi-go FIPS and FIPS-builder variants (Go 1.25, 1.26, and latest), each pointing to the corresponding registry.access.redhat.com/hi/go Red Hat-hosted image.

Changes

Supplemental FIPS image mappings

| Layer / File(s) | Summary |
|---|---|
| Supplemental CI image entries for Go FIPS variants (core-services/image-mirroring/_config.yaml) | Configuration adds supplementalCIImages mappings for ci/hi-go:1.25-fips-builder, ci/hi-go:1.26-fips-builder, ci/hi-go:1.25-fips, ci/hi-go:1.26-fips, ci/hi-go:latest-fips, and ci/hi-go:latest-fips-builder, each pointing to the corresponding registry.access.redhat.com/hi/go:* image. |

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

Possibly related PRs

  • openshift/release#79664: Also modifies core-services/image-mirroring/_config.yaml by adding supplemental CI image entries for Go-related toolset images.

Suggested labels

lgtm, approved, rehearsals-ack

Suggested reviewers

  • pruan-rht
  • psalajova
  • jmguzik

Pre-merge checks: ✅ 12 passed

| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit's high-level summary is enabled. |
| Title check | ✅ Passed | The title 'Add Red Hat Hardened Images to mirror' directly corresponds to the changeset, which adds Red Hat Hardened Images (ci/hi-go) entries to the image mirroring configuration. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Stable And Deterministic Test Names | ✅ Passed | PR modifies only YAML image mirror configuration; custom check for Ginkgo test naming is not applicable as no test files are involved. |
| Test Structure And Quality | ✅ Passed | PR contains only YAML configuration changes to image mirroring settings, no Ginkgo test code exists to evaluate against the test quality requirements. |
| Microshift Test Compatibility | ✅ Passed | PR contains only YAML configuration changes to image mirroring (_config.yaml); no Ginkgo e2e tests are added, so MicroShift test compatibility check is not applicable. |
| Single Node Openshift (Sno) Test Compatibility | ✅ Passed | No new Ginkgo e2e tests are added in this PR; only a YAML configuration file for image mirroring is modified. The SNO test compatibility check is not applicable. |
| Topology-Aware Scheduling Compatibility | ✅ Passed | PR modifies only an image mirror configuration file with no deployment manifests, operator code, controllers, or scheduling constraints introduced. |
| Ote Binary Stdout Contract | ✅ Passed | PR only modifies YAML configuration file and repository infrastructure; no OTE binary code or process-level stdout writes present. |
| Ipv6 And Disconnected Network Test Compatibility | ✅ Passed | No Ginkgo e2e tests added. PR only contains YAML configuration changes for image mirroring, not test code. |


@openshift-merge-bot

@feichashao, pj-rehearse: unable to determine affected jobs. This could be due to a branch that needs to be rebased. ERROR:

couldn't prepare candidate: couldn't rebase candidate onto 7becb35c79d86dd2c7b69efdfc148c4e117b6a90 due to conflicts
Interacting with pj-rehearse

Comment: /pj-rehearse to run up to 5 rehearsals
Comment: /pj-rehearse skip to opt-out of rehearsals
Comment: /pj-rehearse {test-name}, with each test separated by a space, to run one or more specific rehearsals
Comment: /pj-rehearse more to run up to 10 rehearsals
Comment: /pj-rehearse max to run up to 25 rehearsals
Comment: /pj-rehearse auto-ack to run up to 5 rehearsals, and add the rehearsals-ack label on success
Comment: /pj-rehearse list to get an up-to-date list of affected jobs
Comment: /pj-rehearse abort to abort all active rehearsals
Comment: /pj-rehearse network-access-allowed to allow rehearsals of tests that have the restrict_network_access field set to false. This must be executed by an openshift org member who is not the PR author

Once you are satisfied with the results of the rehearsals, comment: /pj-rehearse ack to unblock merge. When the rehearsals-ack label is present on your PR, merge will no longer be blocked by rehearsals.
If you would like the rehearsals-ack label removed, comment: /pj-rehearse reject to re-block merging.


@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@core-services/image-mirroring/_config.yaml`:
- Around line 242-253: The current mirror mappings for the ci/hi-go entries
(ci/hi-go:1.25-fips-builder, ci/hi-go:1.26-fips-builder, ci/hi-go:1.25-fips,
ci/hi-go:1.26-fips, ci/hi-go:latest-fips, ci/hi-go:latest-fips-builder) point to
registry.access.redhat.com/hi/go which does not resolve; update each mapping to
the actual Hardened Images Docker Hub repository hardened-images/dhi/golang and
use the catalog tag format 1.<go-version>-<distro>-fips-dev (e.g., replace
registry.access.redhat.com/hi/go:1.26-fips with
hardened-images/dhi/golang:1.26-fips-dev), ensuring the tag names exactly match
those shown in the Hardened Images catalog for the corresponding Go versions and
builder/runtime variants.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: a73ed2a1-a488-4230-90a8-07b09f515f8c

📥 Commits

Reviewing files that changed from the base of the PR and between 7becb35 and 6452770.

📒 Files selected for processing (1)
  • core-services/image-mirroring/_config.yaml

Comment thread core-services/image-mirroring/_config.yaml
openshift-ci Bot removed the needs-rebase label (Indicates a PR cannot be merged because it has merge conflicts with HEAD.) May 26, 2026
openshift-merge-bot Bot added the rehearsals-ack label (Signifies that rehearsal jobs have been acknowledged) May 26, 2026
@openshift-merge-bot

[REHEARSALNOTIFIER]
@feichashao: no rehearsable tests are affected by this change

Note: If this PR includes changes to step registry files (ci-operator/step-registry/) and you expected jobs to be found, try rebasing your PR onto the base branch. This helps pj-rehearse accurately detect changes when the base branch has moved forward.



openshift-ci Bot commented May 26, 2026

@feichashao: all tests passed!

Full PR test history. Your PR dashboard.
