Dependency bump #672

Merged: openshift-merge-bot[bot] merged 16 commits into openshift:master from chamalabey:ROSAENG-60414-new on Jul 2, 2026

@chamalabey chamalabey commented Jun 26, 2026

What type of PR is this?

CVE fix

What this PR does / why we need it?

Dependency update for MUO

Which Jira/Github issue(s) this PR fixes?

Fixes #ROSAENG-60414

Special notes for your reviewer:

Pre-checks (if applicable):

  • Tested latest changes against a cluster

Summary by CodeRabbit

  • Chores
    • Updated CI, build, and developer tooling to newer versions, including the Go toolchain, container images, and linting/pre-commit hook versions.
    • Refreshed dependency versions across the project to align with the latest supported releases.
    • Adjusted ownership metadata and team alias lists.

coderabbitai Bot commented Jun 26, 2026

Important

Review skipped

Review was skipped due to path filters

⛔ Files ignored due to path filters (2)
  • build/Dockerfile is excluded by !build/**
  • build/Dockerfile.olm-registry is excluded by !build/**

CodeRabbit blocks several paths by default. You can override this behavior by explicitly including those paths in the path filters. For example, including **/dist/** will override the default block on the dist directory, by removing the pattern from both the lists.

⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: dbd63129-7d3d-40d2-899e-9c5ee489fe7c

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Walkthrough

Updates Go toolchain baseline from 1.26 to 1.25, refreshes direct and indirect go.mod dependencies, bumps golangci-lint from v2.0.2 to v2.7.2 across pre-commit configs, updates CI build image and e2e Dockerfile base image, and removes stale OWNERS_ALIASES entries.

Changes

Dependency and Toolchain Updates

| Layer / File(s) | Summary |
|---|---|
| Go toolchain and dependency refresh: go.mod, test/e2e/Dockerfile | Downgrades Go toolchain from 1.26.x to 1.25.x; refreshes direct dependencies (OpenAPI, ginkgo/gomega, OpenShift/OCM, Prometheus, controller-runtime) and indirect transitive set; updates e2e builder image to rhel_9_1.26. |
| golangci-lint bump to v2.7.2: prek.toml, .pre-commit-config.yaml, hack/prek.ci.toml, .claude/hooks/README.md | Updates pinned golangci-lint revision from v2.0.2 to v2.7.2 across all pre-commit hook configuration files and the hooks README. |
| CI image, OWNERS cleanup, and formatting: .ci-operator.yaml, OWNERS_ALIASES, deploy_pko/Cleanup-OLM-Job.yaml | Bumps CI build root image tag to image-v8.4.1; removes devppratik, dem4gus, and casey-williams-rh from OWNERS aliases; applies whitespace-only fixes in Cleanup-OLM-Job.yaml. |

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

🚥 Pre-merge checks | ✅ 14 | ❌ 1

❌ Failed checks (1 inconclusive)

| Check name | Status | Explanation | Resolution |
|---|---|---|---|
| Title check | ❓ Inconclusive | The title is related to the change but too generic to describe the main dependency and tooling updates. | Use a more specific title, such as "Bump Go and golangci-lint dependencies" or similar. |

✅ Passed checks (14 passed)

| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Stable And Deterministic Test Names | ✅ Passed | The PR changes only config/docs and dependency files; no _test.go files or Ginkgo test titles were modified. |
| Test Structure And Quality | ✅ Passed | No Ginkgo test code changed here; the diff has zero *_test.go files and only config/dependency/fixture updates. |
| Microshift Test Compatibility | ✅ Passed | No new Ginkgo e2e tests were added or modified; the diff only changes dependency/config/fixture files, so MicroShift compatibility isn’t impacted. |
| Single Node Openshift (Sno) Test Compatibility | ✅ Passed | No Go test files or new Ginkgo specs were added; the PR only changes dependency/config files. |
| Topology-Aware Scheduling Compatibility | ✅ Passed | No scheduling logic was added/changed; the only Deployment manifest in the diff is a generated test fixture that matches the unchanged template’s master affinity. |
| Ote Binary Stdout Contract | ✅ Passed | PR only changes go.mod/go.sum and hook/config docs; no Go source or process-level setup code was modified, so no new stdout writes were introduced. |
| Ipv6 And Disconnected Network Test Compatibility | ✅ Passed | No new Ginkgo e2e tests were introduced; the existing test/e2e suite uses cluster clients only and shows no hardcoded IPv4 or public-internet dependencies. |
| No-Weak-Crypto | ✅ Passed | Exact scans found no MD5/SHA1/DES/RC4/3DES/Blowfish/ECB, insecure TLS, custom crypto, or ConstantTimeCompare use in the touched files or repo. |
| Container-Privileges | ✅ Passed | Touched manifests contain no privileged/root-escalation settings; the job uses restricted-v2 and there are no hostPID/hostNetwork/hostIPC/SYS_ADMIN/allowPrivilegeEscalation:true changes. |
| No-Sensitive-Data-In-Logs | ✅ Passed | Diff only updates config/docs and lint hook pins; no added logging or sensitive-data output was present. |

@openshift-ci openshift-ci Bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Jun 26, 2026

codecov-commenter commented Jun 26, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 54.33%. Comparing base (2435d3f) to head (777659c).
⚠️ Report is 6 commits behind head on master.

@@           Coverage Diff           @@
##           master     #672   +/-   ##
=======================================
  Coverage   54.33%   54.33%           
=======================================
  Files         123      123           
  Lines        6212     6212           
=======================================
  Hits         3375     3375           
  Misses       2631     2631           
  Partials      206      206           

@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@go.mod`:
- Line 87: The go.mod file still pins an indirect vulnerable dependency,
github.com/moby/spdystream v0.5.0, so update the direct module that brings it in
(likely k8s.io/client-go or another Kubernetes-related dependency) to a release
that depends on a patched spdystream version, or otherwise override it to a
fixed release if needed. Use the module graph around github.com/moby/spdystream
and the affected dependency entry in go.mod to identify the transitive source,
then refresh the dependency set so the indirect requirement resolves to a
non-vulnerable version.
- Around line 7-41: The dependency set is mismatched:
sigs.k8s.io/controller-runtime is still on v0.21.0 while the k8s.io/api,
k8s.io/apimachinery, and k8s.io/client-go modules are on v0.35.1. Update the
controller-runtime requirement to the matching v0.23.x line, or alternatively
downgrade the Kubernetes modules to the compatible v0.33.x series. Keep the
version alignment consistent across the Kubernetes stack so the go.mod set stays
supported.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 7e2e92ef-5870-4c48-b916-d4ae33e48924

📥 Commits

Reviewing files that changed from the base of the PR and between 10dc3b9 and ad0602b.

⛔ Files ignored due to path filters (23)
  • boilerplate/_data/backing-image-tag is excluded by !boilerplate/**
  • boilerplate/_data/last-boilerplate-commit is excluded by !boilerplate/**
  • boilerplate/_lib/subscriber-propose-update is excluded by !boilerplate/**
  • boilerplate/openshift/golang-osd-e2e/update is excluded by !boilerplate/**
  • boilerplate/openshift/golang-osd-operator/OWNERS_ALIASES is excluded by !boilerplate/**
  • boilerplate/openshift/golang-osd-operator/docs/pre-commit.md is excluded by !boilerplate/**
  • boilerplate/openshift/golang-osd-operator/update is excluded by !boilerplate/**
  • build/Dockerfile is excluded by !build/**
  • build/Dockerfile.olm-registry is excluded by !build/**
  • deploy_pko/.test-fixtures/config-with-proxy/Cleanup-OLM-Job.yaml is excluded by !**/.test-fixtures/**
  • deploy_pko/.test-fixtures/config-with-proxy/ClusterRole-managed-upgrade-operator.yaml is excluded by !**/.test-fixtures/**
  • deploy_pko/.test-fixtures/config-with-proxy/ClusterRoleBinding-managed-upgrade-operator.yaml is excluded by !**/.test-fixtures/**
  • deploy_pko/.test-fixtures/config-with-proxy/ConfigMap-trusted-ca-bundle.yaml is excluded by !**/.test-fixtures/**
  • deploy_pko/.test-fixtures/config-with-proxy/CustomResourceDefinition-upgradeconfigs.upgrade.managed.openshift.io.yaml is excluded by !**/.test-fixtures/**
  • deploy_pko/.test-fixtures/config-with-proxy/Deployment-managed-upgrade-operator.yaml is excluded by !**/.test-fixtures/**
  • deploy_pko/.test-fixtures/config-with-proxy/Role-managed-upgrade-operator-other.yaml is excluded by !**/.test-fixtures/**
  • deploy_pko/.test-fixtures/config-with-proxy/Role-managed-upgrade-operator.yaml is excluded by !**/.test-fixtures/**
  • deploy_pko/.test-fixtures/config-with-proxy/Role-prometheus-k8s.yaml is excluded by !**/.test-fixtures/**
  • deploy_pko/.test-fixtures/config-with-proxy/RoleBinding-managed-upgrade-operator-other.yaml is excluded by !**/.test-fixtures/**
  • deploy_pko/.test-fixtures/config-with-proxy/RoleBinding-managed-upgrade-operator.yaml is excluded by !**/.test-fixtures/**
  • deploy_pko/.test-fixtures/config-with-proxy/RoleBinding-prometheus-k8s.yaml is excluded by !**/.test-fixtures/**
  • deploy_pko/.test-fixtures/config-with-proxy/ServiceAccount-managed-upgrade-operator.yaml is excluded by !**/.test-fixtures/**
  • go.sum is excluded by !**/*.sum
📒 Files selected for processing (5)
  • .ci-operator.yaml
  • .tekton/OWNERS
  • OWNERS_ALIASES
  • go.mod
  • test/e2e/Dockerfile
💤 Files with no reviewable changes (2)
  • .tekton/OWNERS
  • OWNERS_ALIASES

Comment thread go.mod
Comment thread go.mod Outdated
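
The go.mod review comment above asks for the transitive source of an indirect module to be found from the module graph; one way to do that is a breadth-first walk over `go mod graph` output. This is an added example, not code from the PR or from CodeRabbit: the `tracePath` helper, the `example.com/operator` main module and the graph edges are constructed for illustration.

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed `go mod graph` output ("parent child" per line), illustrative only.
const sampleGraph = `example.com/operator k8s.io/client-go@v0.35.1
example.com/operator sigs.k8s.io/controller-runtime@v0.21.0
sigs.k8s.io/controller-runtime@v0.21.0 k8s.io/apimachinery@v0.33.0
k8s.io/client-go@v0.35.1 k8s.io/apimachinery@v0.35.1
k8s.io/apimachinery@v0.35.1 github.com/moby/spdystream@v0.5.0`

// tracePath (hypothetical helper) returns the shortest require chain from the
// main module to any version of target, or nil if target is unreachable.
func tracePath(graph, target string) []string {
	children, root := map[string][]string{}, ""
	for _, line := range strings.Split(graph, "\n") {
		f := strings.Fields(line)
		if len(f) != 2 {
			continue // skip blank or malformed lines
		}
		if root == "" && !strings.Contains(f[0], "@") {
			root = f[0] // the main module is the only node without a version
		}
		children[f[0]] = append(children[f[0]], f[1])
	}
	parent, queue := map[string]string{root: ""}, []string{root}
	for i := 0; i < len(queue); i++ { // breadth-first: first hit is a shortest chain
		n := queue[i]
		if strings.HasPrefix(n, target+"@") { // match any version of target
			var path []string
			for ; n != ""; n = parent[n] {
				path = append([]string{n}, path...)
			}
			return path
		}
		for _, c := range children[n] {
			if _, seen := parent[c]; !seen {
				parent[c], queue = n, append(queue, c)
			}
		}
	}
	return nil
}

func main() {
	fmt.Println(strings.Join(tracePath(sampleGraph, "github.com/moby/spdystream"), " -> "))
}
```

The second element of the returned chain is the direct requirement to bump; on a real checkout the same function can be fed the output of `go mod graph`.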

@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@prek.toml`:
- Line 37: The golangci-lint version update is only applied in prek.toml, but
the enforced CI/local prek configuration still points at the old revision.
Update hack/prek.ci.toml so the prek-ci hook uses the same golangci-lint rev as
prek.toml, and keep .pre-commit-config.yaml aligned if it still defines the same
hook. Verify the sync in the prek-related config entries rather than only
changing the top-level config.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: eb039d86-a6cc-44f4-adc2-296fa6079c14

📥 Commits

Reviewing files that changed from the base of the PR and between e86b630 and d9a018c.

⛔ Files ignored due to path filters (14)
  • deploy_pko/.test-fixtures/config-with-proxy/Cleanup-OLM-Job.yaml is excluded by !**/.test-fixtures/**
  • deploy_pko/.test-fixtures/config-with-proxy/ClusterRole-managed-upgrade-operator.yaml is excluded by !**/.test-fixtures/**
  • deploy_pko/.test-fixtures/config-with-proxy/ClusterRoleBinding-managed-upgrade-operator.yaml is excluded by !**/.test-fixtures/**
  • deploy_pko/.test-fixtures/config-with-proxy/ConfigMap-trusted-ca-bundle.yaml is excluded by !**/.test-fixtures/**
  • deploy_pko/.test-fixtures/config-with-proxy/CustomResourceDefinition-upgradeconfigs.upgrade.managed.openshift.io.yaml is excluded by !**/.test-fixtures/**
  • deploy_pko/.test-fixtures/config-with-proxy/Deployment-managed-upgrade-operator.yaml is excluded by !**/.test-fixtures/**
  • deploy_pko/.test-fixtures/config-with-proxy/Role-managed-upgrade-operator-other.yaml is excluded by !**/.test-fixtures/**
  • deploy_pko/.test-fixtures/config-with-proxy/Role-managed-upgrade-operator.yaml is excluded by !**/.test-fixtures/**
  • deploy_pko/.test-fixtures/config-with-proxy/Role-prometheus-k8s.yaml is excluded by !**/.test-fixtures/**
  • deploy_pko/.test-fixtures/config-with-proxy/RoleBinding-managed-upgrade-operator-other.yaml is excluded by !**/.test-fixtures/**
  • deploy_pko/.test-fixtures/config-with-proxy/RoleBinding-managed-upgrade-operator.yaml is excluded by !**/.test-fixtures/**
  • deploy_pko/.test-fixtures/config-with-proxy/RoleBinding-prometheus-k8s.yaml is excluded by !**/.test-fixtures/**
  • deploy_pko/.test-fixtures/config-with-proxy/ServiceAccount-managed-upgrade-operator.yaml is excluded by !**/.test-fixtures/**
  • go.sum is excluded by !**/*.sum
📒 Files selected for processing (4)
  • deploy/crds/upgrade.managed.openshift.io_upgradeconfigs.yaml
  • deploy_pko/Cleanup-OLM-Job.yaml
  • go.mod
  • prek.toml
✅ Files skipped from review due to trivial changes (2)
  • deploy/crds/upgrade.managed.openshift.io_upgradeconfigs.yaml
  • deploy_pko/Cleanup-OLM-Job.yaml
🚧 Files skipped from review as they are similar to previous changes (1)
  • go.mod

Comment thread prek.toml
@chamalabey

/retest

openshift-ci Bot commented Jun 30, 2026

@chamalabey: all tests passed!

@tkong-redhat

/lgtm

@openshift-ci openshift-ci Bot added the lgtm Indicates that a PR is ready to be merged. label Jun 30, 2026

openshift-ci Bot commented Jun 30, 2026

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: chamalabey, tkong-redhat

Details Needs approval from an approver in each of these files:
  • OWNERS [chamalabey,tkong-redhat]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@chamalabey

/retest

@openshift-merge-bot openshift-merge-bot Bot merged commit 512fbce into openshift:master Jul 2, 2026
15 checks passed