
Bump github.com/cli/go-gh/v2 from 2.4.0 to 2.13.0 #99

Merged: github-actions[bot] merged 1 commit into main from dependabot/go_modules/github.com/cli/go-gh/v2-2.13.0 on Jul 2, 2026

Conversation

dependabot[bot] (Contributor) commented on behalf of github, Jul 2, 2026

Bumps github.com/cli/go-gh/v2 from 2.4.0 to 2.13.0.

Release notes

Sourced from github.com/cli/go-gh/v2's releases.

v2.13.0

What's Changed

✨ Features

🐛 Fixes

📚 Docs & Chores

:dependabot: Dependencies

New Contributors

Full Changelog: cli/go-gh@v2.12.2...v2.13.0

v2.12.2

What's Changed

Full Changelog: cli/go-gh@v2.12.1...v2.12.2

v2.12.1

Security

A security vulnerability has been identified in go-gh where an attacker-controlled GitHub Enterprise Server could result in executing arbitrary commands on a user's machine by replacing HTTP URLs provided by GitHub with local file paths for browsing.

For more information, see GHSA-g9f5-x53j-h563

Full Changelog: cli/go-gh@v2.12.0...v2.12.1

v2.12.0

Introducing experimental support for rendering markdown with customizable, accessible colors

Users with low vision or color blindness rely on the terminal's ability to change how colors appear; however, this requires CLIs to use a limited set of colors:

The markdown rendered for GitHub CLI and extensions defaults to 8-bit colors that users cannot easily customize in this way.

Now, users can force rendered markdown to use customizable, accessible colors by doing one of the following:

... (truncated)

Commits
  • a0a6e89 Merge pull request #201 from cli/kw/bump-go-1.25.0
  • 1585603 Merge pull request #202 from cli/babakks/explain-resp-body-close
  • ec8f5ca docs(pkg/api): explain HandleHTTPError does not close resp body
  • 5a975a9 Update Go version to 1.25.0
  • 41e1e0d Merge pull request #200 from cli/babakks/upgrade-golangci-lint
  • f6d1f60 chore: upgrade to Golangci-lint v2.6
  • b7798dc docs: fix incorrect godoc usages
  • 32287ae refactor: lift break condition into the loop
  • ff8ebd0 chore: disable QF1008 from staticcheck rules
  • c6bd235 chore: remove redundant/deprecated // +build tags
  • Additional commits viewable in compare view


Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Summary by CodeRabbit

  • Chores
    • Updated the Go toolchain version and refreshed several bundled dependencies to newer releases.
    • Improved overall build and runtime compatibility through library upgrades.

Bumps [github.com/cli/go-gh/v2](https://github.com/cli/go-gh) from 2.4.0 to 2.13.0.
- [Release notes](https://github.com/cli/go-gh/releases)
- [Commits](cli/go-gh@v2.4.0...v2.13.0)

---
updated-dependencies:
- dependency-name: github.com/cli/go-gh/v2
  dependency-version: 2.13.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
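The go-gh v2.12.1 advisory quoted in the release notes above describes a server-supplied URL being swapped for a local file path before the CLI hands it to the browser opener. The check below is an added example written for this page; it is not go-gh's own fix and not code from this repository. `ValidateBrowseURL` is a hypothetical helper that only lets absolute http(s) URLs with a host through, which is the property a CLI wants to establish before passing anything it received from a server to an "open in browser" routine.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// ErrUnsafeBrowseURL is returned for anything that is not an absolute
// http(s) URL with a host: bare paths, file:// URLs, Windows drive paths.
var ErrUnsafeBrowseURL = errors.New("refusing to open non-http(s) URL in browser")

// ValidateBrowseURL is a hypothetical helper (added example, not go-gh code).
// A CLI that opens links received from a server should apply a check like
// this before calling any "open in browser" routine, so that a misbehaving
// or attacker-controlled server cannot substitute a local path for a link.
func ValidateBrowseURL(raw string) (string, error) {
	u, err := url.Parse(strings.TrimSpace(raw))
	if err != nil {
		return "", fmt.Errorf("parse browse URL: %w", err)
	}
	switch strings.ToLower(u.Scheme) {
	case "http", "https":
	default:
		return "", ErrUnsafeBrowseURL // empty scheme (plain path), file:, c:, ...
	}
	if u.Host == "" {
		return "", ErrUnsafeBrowseURL // "https:///etc/passwd" parses with no host
	}
	if u.User != nil {
		return "", ErrUnsafeBrowseURL // userinfo has no place in a browse link
	}
	return u.String(), nil
}

func main() {
	// Constructed inputs: one legitimate link and three substitutions a
	// misbehaving server could hand back instead of a web URL.
	for _, in := range []string{
		"https://github.example/org/repo/pull/1",
		"/usr/local/bin/not-a-web-page",
		"file:///etc/passwd",
		"https:///etc/passwd",
	} {
		if safe, err := ValidateBrowseURL(in); err != nil {
			fmt.Printf("reject %q: %v\n", in, err)
		} else {
			fmt.Printf("open   %q\n", safe)
		}
	}
}
```

The scheme allowlist does the real work: rejecting an empty scheme covers plain paths, and rejecting everything but http/https covers `file:` and drive-letter prefixes that `url.Parse` would otherwise report as a scheme. The host check catches the `https:///path` shape, which parses cleanly but has nothing a browser could connect to.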
@dependabot dependabot Bot added area/dependency Issues or PRs related to dependency changes ok-to-test Indicates a non-member PR verified by an org member that is safe to test. labels Jul 2, 2026
@github-actions github-actions Bot enabled auto-merge (squash) July 2, 2026 06:10
coderabbitai[bot] commented Jul 2, 2026

Walkthrough

This PR updates go.mod: the Go toolchain directive changes from 1.25 to 1.25.0, and several indirect and direct dependencies are upgraded, including github.com/google/uuid, golang.org/x/sync, golang.org/x/text, github.com/cli/go-gh/v2, golang.org/x/crypto, golang.org/x/net, and golang.org/x/sys, with github.com/kr/text replaced by github.com/kr/pretty.

Changes

go.mod Dependency Updates

  • Layer / File(s): go.mod (toolchain and dependency version bumps)
  • Summary: Go directive updated to 1.25.0; indirect and direct dependencies upgraded including google/uuid, x/sync, x/text, cli/go-gh/v2, x/crypto, x/net, x/sys; kr/text replaced with kr/pretty.

Estimated code review effort: 1 (Trivial) | ~5 minutes

Related Issues

None mentioned.

Related PRs

None mentioned.

Suggested labels: dependencies, go

Suggested reviewers: N/A

Poem:
A rabbit hopped through go.mod's lines,
Bumped versions, swapped a few designs,
Text became pretty, sync grew keen,
1.25.0 now the toolchain's seen,
Hop hop, the modules align! 🐇

Pre-merge checks: 15 passed

  • Description Check (Passed): Check skipped - CodeRabbit's high-level summary is enabled.
  • Title check (Passed): The title accurately states the main dependency bump made in this PR and matches the primary change described in the summary.
  • Docstring Coverage (Passed): No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
  • Linked Issues check (Passed): Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check (Passed): Check skipped because no linked issues were found for this pull request.
  • Stable And Deterministic Test Names (Passed): The diff only changes go.mod and go.sum; no *_test.go files or Ginkgo titles were added or modified, so no unstable test names are introduced.
  • Test Structure And Quality (Passed): PR only changes go.mod/go.sum; no Ginkgo test code or test structure changes to review, so this check is not applicable.
  • Microshift Test Compatibility (Passed): This PR only bumps dependencies; I found no _test.go files or Ginkgo e2e tests, so no MicroShift-unsafe test changes to flag.
  • Single Node Openshift (SNO) Test Compatibility (Passed): The PR tree only changes go.mod; no test files or new Ginkgo e2e tests were added, so SNO compatibility isn't implicated.
  • Topology-Aware Scheduling Compatibility (Passed): PR only bumps dependencies in a CLI repo; no deployment manifests, controllers, or scheduling/topology constraints were added or modified.
  • OTE Binary Stdout Contract (Passed): The PR only updates go.mod, and main.go/init only register subcommands; no stdout writes or log redirection changes in process-level startup code.
  • IPv6 And Disconnected Network Test Compatibility (Passed): PR only updates go.mod; no Ginkgo/e2e test files or networking assumptions were added.
  • No-Weak-Crypto (Passed): PR only updates go.mod; scans found no new MD5/SHA1/DES/RC4/ECB or secret-compare changes. Existing md5 helper is pre-existing.
  • Container-Privileges (Passed): Only go.mod/go.sum changed; no container/K8s manifests or privileged settings were added.
  • No-Sensitive-Data-In-Logs (Passed): PR diff is limited to go.mod and go.sum; no logging code was added or modified, so no new sensitive data exposure in logs.

Comment @coderabbitai help to get the list of available commands.

openshift-ci[bot] (Contributor) commented Jul 2, 2026

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: dependabot[bot]
Once this PR has been reviewed and has the lgtm label, please assign dustman9000 for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

openshift-ci[bot] (Contributor) commented Jul 2, 2026

Hi @dependabot[bot]. Thanks for your PR.

I'm waiting for an openshift member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work.

Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.


Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

coderabbitai[bot] left a review comment

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@go.mod`:
- Line 46: The go.mod dependency pin for golang.org/x/oauth2 is using a
vulnerable version and should be updated. Bump the exact version entry in go.mod
to a patched release, and verify any related auth usage in
pkg/sources/github/github.go still builds cleanly with the new oauth2 version.
Keep the version pinned exactly as required and ensure the known CVE/OSV issue
is addressed in the dependency graph.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 3ec9be0c-e2e5-4dfe-b2cc-112cb31402ad

📥 Commits

Reviewing files that changed from the base of the PR and between 146ff7d and 590d6dc.

⛔ Files ignored due to path filters (1)
  • go.sum is excluded by !**/*.sum
📒 Files selected for processing (1)
  • go.mod

Comment thread go.mod
golang.org/x/net v0.17.0 // indirect
golang.org/x/crypto v0.36.0 // indirect
golang.org/x/net v0.38.0 // indirect
golang.org/x/oauth2 v0.13.0
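Review bot: the `golang.org/x/oauth2 v0.13.0` pin is left untouched in this hunk while the neighbouring `golang.org/x/net` pin moves from v0.17.0 to v0.38.0 and `golang.org/x/crypto` is at v0.36.0; the OSV Scanner output in this thread flags exactly that oauth2 version (GO-2025-3488 / GHSA-6v2p-p543-phr9), so the bump leaves a known-vulnerable release in the module graph. Raise that line to a patched release and run `go mod tidy` so go.sum follows; since the Dependabot note above says it stops rebasing a PR that is edited by hand, doing this as a separate bump for golang.org/x/oauth2 keeps this PR auto-mergeable.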


🔒 Security & Privacy | 🟠 Major | ⚡ Quick win

Update the vulnerable oauth2 pin.

golang.org/x/oauth2 v0.13.0 is flagged by OSV scanner (GO-2025-3488 / GHSA-6v2p-p543-phr9), and this repo uses go-gh's auth package in pkg/sources/github/github.go. Leaving it here keeps a known-vulnerable release in the graph. As per path instructions, pin exact versions and flag known CVEs in go.mod.

🧰 Tools
🪛 OSV Scanner (2.4.0)

[HIGH] 46-46: golang.org/x/oauth2 0.13.0: Unexpected memory consumption during token parsing in golang.org/x/oauth2

(GO-2025-3488)


[HIGH] 46-46: golang.org/x/oauth2 0.13.0: golang.org/x/oauth2 Improper Validation of Syntactic Correctness of Input vulnerability

(GHSA-6v2p-p543-phr9)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@go.mod` at line 46, The go.mod dependency pin for golang.org/x/oauth2 is
using a vulnerable version and should be updated. Bump the exact version entry
in go.mod to a patched release, and verify any related auth usage in
pkg/sources/github/github.go still builds cleanly with the new oauth2 version.
Keep the version pinned exactly as required and ensure the known CVE/OSV issue
is addressed in the dependency graph.

Sources: Path instructions, Linters/SAST tools
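CodeRabbit's finding above is about a pin left in go.mod at a version a scanner flags. The program below is an added example written for this page, not CodeRabbit's, OSV Scanner's or the repository's code: it parses the `require` entries of a constructed go.mod excerpt with a small hand-written parser (not golang.org/x/mod/modfile) and reports every module pinned below a minimum-version table. The floor of `v0.99.0` for golang.org/x/oauth2 is a placeholder, because the page only says v0.13.0 is flagged, not which release fixes it; in a real gate the floors would come from an advisory feed or from `govulncheck`.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Requirement is one `require` entry from go.mod.
type Requirement struct {
	Path     string
	Version  string
	Indirect bool
}

// ParseRequires extracts module pins from go.mod text. It handles both the
// block form `require ( ... )` and single-line `require path version`, and
// records the `// indirect` marker. Hand-written for this example.
func ParseRequires(gomod string) []Requirement {
	var out []Requirement
	inBlock := false
	for _, line := range strings.Split(gomod, "\n") {
		fields := strings.Fields(line)
		if len(fields) == 0 || strings.HasPrefix(fields[0], "//") {
			continue
		}
		switch {
		case fields[0] == "require" && len(fields) == 2 && fields[1] == "(":
			inBlock = true
			continue
		case fields[0] == ")":
			inBlock = false
			continue
		case fields[0] == "require" && len(fields) >= 3:
			fields = fields[1:] // single-line form
		case !inBlock:
			continue // module, go, replace, exclude, ...
		}
		if len(fields) < 2 {
			continue
		}
		r := Requirement{Path: fields[0], Version: fields[1]}
		for _, f := range fields[2:] {
			if f == "indirect" {
				r.Indirect = true
			}
		}
		out = append(out, r)
	}
	return out
}

// splitVersion turns "v0.13.0" (or a pseudo-version such as
// "v0.0.0-20240101000000-abcdef123456") into numeric major.minor.patch.
func splitVersion(v string) [3]int {
	v = strings.TrimPrefix(v, "v")
	if i := strings.IndexAny(v, "-+"); i >= 0 {
		v = v[:i]
	}
	var n [3]int
	for i, p := range strings.SplitN(v, ".", 3) {
		n[i], _ = strconv.Atoi(p)
	}
	return n
}

// VersionLess reports whether a < b by numeric major.minor.patch.
func VersionLess(a, b string) bool {
	pa, pb := splitVersion(a), splitVersion(b)
	for i := 0; i < 3; i++ {
		if pa[i] != pb[i] {
			return pa[i] < pb[i]
		}
	}
	return false
}

// FindBelowFloor lists every pinned module whose version is below the floor
// recorded for it; modules with no floor are ignored.
func FindBelowFloor(gomod string, floors map[string]string) []string {
	var findings []string
	for _, r := range ParseRequires(gomod) {
		if floor, ok := floors[r.Path]; ok && VersionLess(r.Version, floor) {
			findings = append(findings, fmt.Sprintf("%s %s is below floor %s", r.Path, r.Version, floor))
		}
	}
	return findings
}

// Constructed go.mod excerpt for the example; not the repository's file.
const sampleGoMod = `module example.com/placeholder

go 1.25.0

require (
	github.com/cli/go-gh/v2 v2.13.0
	golang.org/x/oauth2 v0.13.0
	golang.org/x/net v0.38.0 // indirect
)
`

// PlaceholderFloors: the go-gh floor is the release carrying the browse-URL
// fix named on this page; v0.99.0 is a PLACEHOLDER for the real patched
// oauth2 release, which this page does not name.
var PlaceholderFloors = map[string]string{
	"github.com/cli/go-gh/v2": "v2.12.1",
	"golang.org/x/oauth2":     "v0.99.0", // PLACEHOLDER
}

func main() {
	for _, f := range FindBelowFloor(sampleGoMod, PlaceholderFloors) {
		fmt.Println("FAIL:", f)
	}
}
```

Run as a CI step, a non-empty result from `FindBelowFloor` is the signal to fail the job; comparing numerically rather than lexically matters because "v0.9.0" sorts after "v0.13.0" as a string.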

openshift-ci[bot] (Contributor) commented Jul 2, 2026

@dependabot[bot]: all tests passed!

Full PR test history. Your PR dashboard.


Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

@github-actions github-actions Bot merged commit 9195c15 into main Jul 2, 2026
5 of 6 checks passed
@dependabot dependabot Bot deleted the dependabot/go_modules/github.com/cli/go-gh/v2-2.13.0 branch July 2, 2026 06:22
codecov-commenter commented

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 0.00%. Comparing base (146ff7d) to head (590d6dc).
⚠️ Report is 1 commit behind head on main.

Additional details and impacted files
@@          Coverage Diff          @@
##            main     #99   +/-   ##
=====================================
  Coverage   0.00%   0.00%           
=====================================
  Files         34      34           
  Lines       1594    1594           
=====================================
  Misses      1594    1594           

☔ View full report in Codecov by Harness.
📢 Have feedback on the report? Share it here.

