Skip to content

build(deps): bump sigs.k8s.io/prow to 5aca44b7f08f#5059

Merged
openshift-merge-bot[bot] merged 3 commits into
openshift:mainfrom
Prucek:vendor-prow
Apr 23, 2026
Merged

build(deps): bump sigs.k8s.io/prow to 5aca44b7f08f#5059
openshift-merge-bot[bot] merged 3 commits into
openshift:mainfrom
Prucek:vendor-prow

Conversation

@Prucek

@Prucek Prucek commented Mar 27, 2026

Copy link
Copy Markdown
Member

Summary

  • Bump sigs.k8s.io/prow from feedafda4290 (Mar 25) to 5aca44b7f08f (Apr 16)
  • Updates transitive dependencies

🤖 Generated with Claude Code

Summary by CodeRabbit

  • New Features

    • Added a new release notes plugin configuration with support for customizable guidelines URL.
  • Chores

    • Updated Go toolchain and upgraded multiple core and transitive dependencies for enhanced compatibility and stability.
    • Removed unnecessary empty fields from plugin approval configurations across repository settings.

@openshift-ci-robot

Copy link
Copy Markdown
Contributor

Pipeline controller notification
This repo is configured to use the pipeline controller. Second-stage tests will be triggered either automatically or after lgtm label is added, depending on the repository configuration. The pipeline controller will automatically detect which contexts are required and will utilize /test Prow commands to trigger the second stage.

For optional jobs, comment /test ? to see a list of all defined jobs. To trigger manually all jobs from second stage use /pipeline required command.

This repository is configured in: automatic mode

@openshift-ci openshift-ci Bot requested review from hector-vido and pruan-rht March 27, 2026 15:07
@openshift-ci openshift-ci Bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Mar 27, 2026
@coderabbitai

coderabbitai Bot commented Mar 27, 2026

Copy link
Copy Markdown

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

  • @coderabbitai resume to resume automatic reviews.
  • @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

  • ▶️ Resume reviews
  • 🔍 Trigger review

Walkthrough

Bumps Go toolchain in go.mod (1.25.5 → 1.25.8) and updates ~32 dependency version constraints. Adjusts multiple Prow plugin config YAMLs by removing empty commandHelpLink entries and adds a release_note.guidelines_url. Updates corresponding test expectations.

Changes

Cohort / File(s) Summary
Dependency & Toolchain
go.mod
Updated Go toolchain directive to 1.25.8 and bumped ~32 dependency versions (Prometheus, many golang.org/x/* modules, Tekton, gRPC, OpenTelemetry, testify, prow, etc.).
Unit test expectations
pkg/prowconfigsharding/prowconfigsharding_test.go
Adjusted expected sharded plugin YAML strings to remove commandHelpLink: "" entries in several approve blocks.
Integration inputs (plugin configs)
test/integration/repo-init/input/core-services/prow/02_config/_plugins.yaml, test/integration/repo-init/input/core-services/prow/02_config/openshift/_pluginconfig.yaml, test/integration/repo-init/input/core-services/prow/02_config/org/*/_pluginconfig.yaml
Added release_note.guidelines_url to _plugins.yaml. Removed empty commandHelpLink keys and corrected approve indentation/structure in multiple repo-specific _pluginconfig.yaml inputs.
Integration expected outputs
test/integration/repo-init/expected/core-services/prow/02_config/_plugins.yaml, .../openshift/_pluginconfig.yaml, .../org/*/_pluginconfig.yaml
Updated expected outputs to reflect removal of commandHelpLink and the new release_note.guidelines_url where applicable; YAML structure/indentation adjusted accordingly.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

🚥 Pre-merge checks | ✅ 11 | ❌ 1

❌ Failed checks (1 warning)

Check name Status Explanation Resolution
Docstring Coverage ⚠️ Warning Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%. Write docstrings for the functions missing them to satisfy the coverage threshold.
✅ Passed checks (11 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title accurately reflects the main change: a dependency bump of sigs.k8s.io/prow to a specific commit, which is the primary purpose of the PR.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names ✅ Passed The PR does not introduce Ginkgo test files or dynamic test names. All tests use standard Go testing.T with static, descriptive test names.
Test Structure And Quality ✅ Passed The custom check targets Ginkgo test code quality, but this PR contains only standard Go testing framework changes with no Ginkgo tests present.
Microshift Test Compatibility ✅ Passed The PR does not add any new Ginkgo e2e tests. Changes are limited to Go test fixtures, dependency versions, and integration test data.
Single Node Openshift (Sno) Test Compatibility ✅ Passed This pull request does not add any new Ginkgo e2e tests. Changes consist of Go module dependency updates, unit test fixture string updates, and YAML configuration test fixtures. No Ginkgo test patterns detected.
Topology-Aware Scheduling Compatibility ✅ Passed PR changes only go.mod dependencies and Prow test configuration files; no Kubernetes deployment manifests, operators, or scheduling constraints are introduced.
Ote Binary Stdout Contract ✅ Passed PR modifies only go.mod, test code strings, and test fixture YAML files—no executable process-level code changes that could write to stdout.
Ipv6 And Disconnected Network Test Compatibility ✅ Passed This PR does not add any new Ginkgo e2e tests. Changes are limited to Go module updates, unit test fixture strings, and YAML configuration files, none of which contain Ginkgo test constructs.

✏️ Tip: You can configure your own custom pre-merge checks in the settings.

✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Comment @coderabbitai help to get the list of available commands and usage tips.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@Makefile`:
- Line 84: Update the PR description to document the broader infrastructure
migration introduced by this commit: explicitly state that the Makefile now uses
Podman (referencing the changed invocation "podman run --rm"), that tooling
defaults in hack/lint.sh and hack/build-and-push.sh align with Podman, and list
other changes included in the PR such as the prow dependency bump, Claude AI
plugins, new documentation, and updated build targets; mention any new
contributor requirements (e.g., Podman vs Docker) and note migration steps or
compatibility considerations for downstream users.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 4ce8e6e3-0ac3-42ae-adef-4c8f5ff45471

📥 Commits

Reviewing files that changed from the base of the PR and between f2ff3cb and a363019.

⛔ Files ignored due to path filters (233)
  • go.sum is excluded by !**/*.sum
  • vendor/github.com/stretchr/testify/assert/assertion_compare.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/stretchr/testify/assert/assertion_format.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/stretchr/testify/assert/assertion_forward.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/stretchr/testify/assert/assertion_order.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/stretchr/testify/assert/assertions.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/stretchr/testify/assert/doc.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/stretchr/testify/assert/http_assertions.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/stretchr/testify/assert/yaml/yaml_custom.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/stretchr/testify/assert/yaml/yaml_default.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/stretchr/testify/assert/yaml/yaml_fail.go is excluded by !vendor/**, !**/vendor/**
  • vendor/go.opentelemetry.io/auto/sdk/internal/telemetry/id.go is excluded by !vendor/**, !**/vendor/**
  • vendor/go.opentelemetry.io/auto/sdk/internal/telemetry/number.go is excluded by !vendor/**, !**/vendor/**
  • vendor/go.opentelemetry.io/auto/sdk/internal/telemetry/span.go is excluded by !vendor/**, !**/vendor/**
  • vendor/go.opentelemetry.io/auto/sdk/internal/telemetry/status.go is excluded by !vendor/**, !**/vendor/**
  • vendor/go.opentelemetry.io/auto/sdk/internal/telemetry/traces.go is excluded by !vendor/**, !**/vendor/**
  • vendor/go.opentelemetry.io/auto/sdk/internal/telemetry/value.go is excluded by !vendor/**, !**/vendor/**
  • vendor/go.opentelemetry.io/auto/sdk/span.go is excluded by !vendor/**, !**/vendor/**
  • vendor/go.opentelemetry.io/auto/sdk/tracer.go is excluded by !vendor/**, !**/vendor/**
  • vendor/go.opentelemetry.io/otel/.codespellignore is excluded by !vendor/**, !**/vendor/**
  • vendor/go.opentelemetry.io/otel/.golangci.yml is excluded by !vendor/**, !**/vendor/**
  • vendor/go.opentelemetry.io/otel/.lycheeignore is excluded by !vendor/**, !**/vendor/**
  • vendor/go.opentelemetry.io/otel/CHANGELOG.md is excluded by !vendor/**, !**/vendor/**
  • vendor/go.opentelemetry.io/otel/CODEOWNERS is excluded by !vendor/**, !**/vendor/**
  • vendor/go.opentelemetry.io/otel/CONTRIBUTING.md is excluded by !vendor/**, !**/vendor/**
  • vendor/go.opentelemetry.io/otel/LICENSE is excluded by !vendor/**, !**/vendor/**
  • vendor/go.opentelemetry.io/otel/Makefile is excluded by !vendor/**, !**/vendor/**
  • vendor/go.opentelemetry.io/otel/README.md is excluded by !vendor/**, !**/vendor/**
  • vendor/go.opentelemetry.io/otel/RELEASING.md is excluded by !vendor/**, !**/vendor/**
  • vendor/go.opentelemetry.io/otel/SECURITY-INSIGHTS.yml is excluded by !vendor/**, !**/vendor/**
  • vendor/go.opentelemetry.io/otel/VERSIONING.md is excluded by !vendor/**, !**/vendor/**
  • vendor/go.opentelemetry.io/otel/attribute/encoder.go is excluded by !vendor/**, !**/vendor/**
  • vendor/go.opentelemetry.io/otel/attribute/filter.go is excluded by !vendor/**, !**/vendor/**
  • vendor/go.opentelemetry.io/otel/attribute/hash.go is excluded by !vendor/**, !**/vendor/**
  • vendor/go.opentelemetry.io/otel/attribute/internal/attribute.go is excluded by !vendor/**, !**/vendor/**
  • vendor/go.opentelemetry.io/otel/attribute/internal/xxhash/xxhash.go is excluded by !vendor/**, !**/vendor/**
  • vendor/go.opentelemetry.io/otel/attribute/iterator.go is excluded by !vendor/**, !**/vendor/**
  • vendor/go.opentelemetry.io/otel/attribute/key.go is excluded by !vendor/**, !**/vendor/**
  • vendor/go.opentelemetry.io/otel/attribute/kv.go is excluded by !vendor/**, !**/vendor/**
  • vendor/go.opentelemetry.io/otel/attribute/set.go is excluded by !vendor/**, !**/vendor/**
  • vendor/go.opentelemetry.io/otel/attribute/type_string.go is excluded by !vendor/**, !**/vendor/**
  • vendor/go.opentelemetry.io/otel/attribute/value.go is excluded by !vendor/**, !**/vendor/**
  • vendor/go.opentelemetry.io/otel/baggage/baggage.go is excluded by !vendor/**, !**/vendor/**
  • vendor/go.opentelemetry.io/otel/codes/codes.go is excluded by !vendor/**, !**/vendor/**
  • vendor/go.opentelemetry.io/otel/dependencies.Dockerfile is excluded by !vendor/**, !**/vendor/**
  • vendor/go.opentelemetry.io/otel/internal/global/instruments.go is excluded by !vendor/**, !**/vendor/**
  • vendor/go.opentelemetry.io/otel/internal/global/internal_logging.go is excluded by !vendor/**, !**/vendor/**
  • vendor/go.opentelemetry.io/otel/internal/global/meter.go is excluded by !vendor/**, !**/vendor/**
  • vendor/go.opentelemetry.io/otel/internal/global/trace.go is excluded by !vendor/**, !**/vendor/**
  • vendor/go.opentelemetry.io/otel/metric.go is excluded by !vendor/**, !**/vendor/**
  • vendor/go.opentelemetry.io/otel/metric/LICENSE is excluded by !vendor/**, !**/vendor/**
  • vendor/go.opentelemetry.io/otel/metric/asyncfloat64.go is excluded by !vendor/**, !**/vendor/**
  • vendor/go.opentelemetry.io/otel/metric/asyncint64.go is excluded by !vendor/**, !**/vendor/**
  • vendor/go.opentelemetry.io/otel/metric/config.go is excluded by !vendor/**, !**/vendor/**
  • vendor/go.opentelemetry.io/otel/metric/meter.go is excluded by !vendor/**, !**/vendor/**
  • vendor/go.opentelemetry.io/otel/metric/noop/noop.go is excluded by !vendor/**, !**/vendor/**
  • vendor/go.opentelemetry.io/otel/metric/syncfloat64.go is excluded by !vendor/**, !**/vendor/**
  • vendor/go.opentelemetry.io/otel/metric/syncint64.go is excluded by !vendor/**, !**/vendor/**
  • vendor/go.opentelemetry.io/otel/propagation/baggage.go is excluded by !vendor/**, !**/vendor/**
  • vendor/go.opentelemetry.io/otel/propagation/propagation.go is excluded by !vendor/**, !**/vendor/**
  • vendor/go.opentelemetry.io/otel/propagation/trace_context.go is excluded by !vendor/**, !**/vendor/**
  • vendor/go.opentelemetry.io/otel/sdk/LICENSE is excluded by !vendor/**, !**/vendor/**
  • vendor/go.opentelemetry.io/otel/sdk/internal/x/features.go is excluded by !vendor/**, !**/vendor/**
  • vendor/go.opentelemetry.io/otel/sdk/internal/x/x.go is excluded by !vendor/**, !**/vendor/**
  • vendor/go.opentelemetry.io/otel/sdk/metric/LICENSE is excluded by !vendor/**, !**/vendor/**
  • vendor/go.opentelemetry.io/otel/sdk/metric/config.go is excluded by !vendor/**, !**/vendor/**
  • vendor/go.opentelemetry.io/otel/sdk/metric/doc.go is excluded by !vendor/**, !**/vendor/**
  • vendor/go.opentelemetry.io/otel/sdk/metric/exemplar.go is excluded by !vendor/**, !**/vendor/**
  • vendor/go.opentelemetry.io/otel/sdk/metric/exemplar/filter.go is excluded by !vendor/**, !**/vendor/**
  • vendor/go.opentelemetry.io/otel/sdk/metric/exemplar/fixed_size_reservoir.go is excluded by !vendor/**, !**/vendor/**
  • vendor/go.opentelemetry.io/otel/sdk/metric/exemplar/histogram_reservoir.go is excluded by !vendor/**, !**/vendor/**
  • vendor/go.opentelemetry.io/otel/sdk/metric/exemplar/storage.go is excluded by !vendor/**, !**/vendor/**
  • vendor/go.opentelemetry.io/otel/sdk/metric/instrument.go is excluded by !vendor/**, !**/vendor/**
  • vendor/go.opentelemetry.io/otel/sdk/metric/instrumentkind_string.go is excluded by !vendor/**, !**/vendor/**
  • vendor/go.opentelemetry.io/otel/sdk/metric/internal/aggregate/aggregate.go is excluded by !vendor/**, !**/vendor/**
  • vendor/go.opentelemetry.io/otel/sdk/metric/internal/aggregate/atomic.go is excluded by !vendor/**, !**/vendor/**
  • vendor/go.opentelemetry.io/otel/sdk/metric/internal/aggregate/drop.go is excluded by !vendor/**, !**/vendor/**
  • vendor/go.opentelemetry.io/otel/sdk/metric/internal/aggregate/exponential_histogram.go is excluded by !vendor/**, !**/vendor/**
  • vendor/go.opentelemetry.io/otel/sdk/metric/internal/aggregate/filtered_reservoir.go is excluded by !vendor/**, !**/vendor/**
  • vendor/go.opentelemetry.io/otel/sdk/metric/internal/aggregate/histogram.go is excluded by !vendor/**, !**/vendor/**
  • vendor/go.opentelemetry.io/otel/sdk/metric/internal/aggregate/lastvalue.go is excluded by !vendor/**, !**/vendor/**
  • vendor/go.opentelemetry.io/otel/sdk/metric/internal/aggregate/limit.go is excluded by !vendor/**, !**/vendor/**
  • vendor/go.opentelemetry.io/otel/sdk/metric/internal/aggregate/sum.go is excluded by !vendor/**, !**/vendor/**
  • vendor/go.opentelemetry.io/otel/sdk/metric/internal/observ/instrumentation.go is excluded by !vendor/**, !**/vendor/**
  • vendor/go.opentelemetry.io/otel/sdk/metric/internal/reservoir/concurrent_safe.go is excluded by !vendor/**, !**/vendor/**
  • vendor/go.opentelemetry.io/otel/sdk/metric/internal/reservoir/doc.go is excluded by !vendor/**, !**/vendor/**
  • vendor/go.opentelemetry.io/otel/sdk/metric/internal/x/README.md is excluded by !vendor/**, !**/vendor/**
  • vendor/go.opentelemetry.io/otel/sdk/metric/internal/x/x.go is excluded by !vendor/**, !**/vendor/**
  • vendor/go.opentelemetry.io/otel/sdk/metric/manual_reader.go is excluded by !vendor/**, !**/vendor/**
  • vendor/go.opentelemetry.io/otel/sdk/metric/meter.go is excluded by !vendor/**, !**/vendor/**
  • vendor/go.opentelemetry.io/otel/sdk/metric/metricdata/temporality_string.go is excluded by !vendor/**, !**/vendor/**
  • vendor/go.opentelemetry.io/otel/sdk/metric/periodic_reader.go is excluded by !vendor/**, !**/vendor/**
  • vendor/go.opentelemetry.io/otel/sdk/metric/pipeline.go is excluded by !vendor/**, !**/vendor/**
  • vendor/go.opentelemetry.io/otel/sdk/metric/provider.go is excluded by !vendor/**, !**/vendor/**
  • vendor/go.opentelemetry.io/otel/sdk/metric/reader.go is excluded by !vendor/**, !**/vendor/**
  • vendor/go.opentelemetry.io/otel/sdk/metric/version.go is excluded by !vendor/**, !**/vendor/**
  • vendor/go.opentelemetry.io/otel/sdk/resource/builtin.go is excluded by !vendor/**, !**/vendor/**
  • vendor/go.opentelemetry.io/otel/sdk/resource/container.go is excluded by !vendor/**, !**/vendor/**
  • vendor/go.opentelemetry.io/otel/sdk/resource/env.go is excluded by !vendor/**, !**/vendor/**
  • vendor/go.opentelemetry.io/otel/sdk/resource/host_id.go is excluded by !vendor/**, !**/vendor/**
  • vendor/go.opentelemetry.io/otel/sdk/resource/host_id_bsd.go is excluded by !vendor/**, !**/vendor/**
  • vendor/go.opentelemetry.io/otel/sdk/resource/host_id_linux.go is excluded by !vendor/**, !**/vendor/**
  • vendor/go.opentelemetry.io/otel/sdk/resource/host_id_unsupported.go is excluded by !vendor/**, !**/vendor/**
  • vendor/go.opentelemetry.io/otel/sdk/resource/host_id_windows.go is excluded by !vendor/**, !**/vendor/**
  • vendor/go.opentelemetry.io/otel/sdk/resource/os.go is excluded by !vendor/**, !**/vendor/**
  • vendor/go.opentelemetry.io/otel/sdk/resource/os_release_unix.go is excluded by !vendor/**, !**/vendor/**
  • vendor/go.opentelemetry.io/otel/sdk/resource/os_unix.go is excluded by !vendor/**, !**/vendor/**
  • vendor/go.opentelemetry.io/otel/sdk/resource/os_unsupported.go is excluded by !vendor/**, !**/vendor/**
  • vendor/go.opentelemetry.io/otel/sdk/resource/process.go is excluded by !vendor/**, !**/vendor/**
  • vendor/go.opentelemetry.io/otel/sdk/resource/resource.go is excluded by !vendor/**, !**/vendor/**
  • vendor/go.opentelemetry.io/otel/sdk/version.go is excluded by !vendor/**, !**/vendor/**
  • vendor/go.opentelemetry.io/otel/semconv/v1.34.0/MIGRATION.md is excluded by !vendor/**, !**/vendor/**
  • vendor/go.opentelemetry.io/otel/semconv/v1.34.0/README.md is excluded by !vendor/**, !**/vendor/**
  • vendor/go.opentelemetry.io/otel/semconv/v1.37.0/MIGRATION.md is excluded by !vendor/**, !**/vendor/**
  • vendor/go.opentelemetry.io/otel/semconv/v1.37.0/README.md is excluded by !vendor/**, !**/vendor/**
  • vendor/go.opentelemetry.io/otel/semconv/v1.37.0/attribute_group.go is excluded by !vendor/**, !**/vendor/**
  • vendor/go.opentelemetry.io/otel/semconv/v1.37.0/doc.go is excluded by !vendor/**, !**/vendor/**
  • vendor/go.opentelemetry.io/otel/semconv/v1.37.0/error_type.go is excluded by !vendor/**, !**/vendor/**
  • vendor/go.opentelemetry.io/otel/semconv/v1.37.0/exception.go is excluded by !vendor/**, !**/vendor/**
  • vendor/go.opentelemetry.io/otel/semconv/v1.37.0/schema.go is excluded by !vendor/**, !**/vendor/**
  • vendor/go.opentelemetry.io/otel/semconv/v1.39.0/MIGRATION.md is excluded by !vendor/**, !**/vendor/**
  • vendor/go.opentelemetry.io/otel/semconv/v1.39.0/README.md is excluded by !vendor/**, !**/vendor/**
  • vendor/go.opentelemetry.io/otel/semconv/v1.39.0/attribute_group.go is excluded by !vendor/**, !**/vendor/**
  • vendor/go.opentelemetry.io/otel/semconv/v1.39.0/doc.go is excluded by !vendor/**, !**/vendor/**
  • vendor/go.opentelemetry.io/otel/semconv/v1.39.0/error_type.go is excluded by !vendor/**, !**/vendor/**
  • vendor/go.opentelemetry.io/otel/semconv/v1.39.0/exception.go is excluded by !vendor/**, !**/vendor/**
  • vendor/go.opentelemetry.io/otel/semconv/v1.39.0/otelconv/metric.go is excluded by !vendor/**, !**/vendor/**
  • vendor/go.opentelemetry.io/otel/semconv/v1.39.0/schema.go is excluded by !vendor/**, !**/vendor/**
  • vendor/go.opentelemetry.io/otel/trace/LICENSE is excluded by !vendor/**, !**/vendor/**
  • vendor/go.opentelemetry.io/otel/trace/auto.go is excluded by !vendor/**, !**/vendor/**
  • vendor/go.opentelemetry.io/otel/trace/config.go is excluded by !vendor/**, !**/vendor/**
  • vendor/go.opentelemetry.io/otel/trace/hex.go is excluded by !vendor/**, !**/vendor/**
  • vendor/go.opentelemetry.io/otel/trace/internal/telemetry/attr.go is excluded by !vendor/**, !**/vendor/**
  • vendor/go.opentelemetry.io/otel/trace/internal/telemetry/id.go is excluded by !vendor/**, !**/vendor/**
  • vendor/go.opentelemetry.io/otel/trace/internal/telemetry/value.go is excluded by !vendor/**, !**/vendor/**
  • vendor/go.opentelemetry.io/otel/trace/noop.go is excluded by !vendor/**, !**/vendor/**
  • vendor/go.opentelemetry.io/otel/trace/noop/noop.go is excluded by !vendor/**, !**/vendor/**
  • vendor/go.opentelemetry.io/otel/trace/span.go is excluded by !vendor/**, !**/vendor/**
  • vendor/go.opentelemetry.io/otel/trace/trace.go is excluded by !vendor/**, !**/vendor/**
  • vendor/go.opentelemetry.io/otel/trace/tracestate.go is excluded by !vendor/**, !**/vendor/**
  • vendor/go.opentelemetry.io/otel/version.go is excluded by !vendor/**, !**/vendor/**
  • vendor/go.opentelemetry.io/otel/versions.yaml is excluded by !vendor/**, !**/vendor/**
  • vendor/golang.org/x/sys/cpu/cpu.go is excluded by !vendor/**, !**/vendor/**
  • vendor/golang.org/x/sys/cpu/cpu_arm64.go is excluded by !vendor/**, !**/vendor/**
  • vendor/golang.org/x/sys/cpu/cpu_arm64.s is excluded by !vendor/**, !**/vendor/**
  • vendor/golang.org/x/sys/cpu/cpu_gc_arm64.go is excluded by !vendor/**, !**/vendor/**
  • vendor/golang.org/x/sys/cpu/cpu_gccgo_arm64.go is excluded by !vendor/**, !**/vendor/**
  • vendor/golang.org/x/sys/cpu/cpu_netbsd_arm64.go is excluded by !vendor/**, !**/vendor/**
  • vendor/golang.org/x/sys/cpu/cpu_openbsd_arm64.go is excluded by !vendor/**, !**/vendor/**
  • vendor/golang.org/x/sys/cpu/cpu_x86.go is excluded by !vendor/**, !**/vendor/**
  • vendor/golang.org/x/sys/unix/mkerrors.sh is excluded by !vendor/**, !**/vendor/**
  • vendor/golang.org/x/sys/unix/zerrors_linux.go is excluded by !vendor/**, !**/vendor/**
  • vendor/golang.org/x/sys/unix/zerrors_linux_386.go is excluded by !vendor/**, !**/vendor/**
  • vendor/golang.org/x/sys/unix/zerrors_linux_amd64.go is excluded by !vendor/**, !**/vendor/**
  • vendor/golang.org/x/sys/unix/zerrors_linux_arm.go is excluded by !vendor/**, !**/vendor/**
  • vendor/golang.org/x/sys/unix/zerrors_linux_arm64.go is excluded by !vendor/**, !**/vendor/**
  • vendor/golang.org/x/sys/unix/zerrors_linux_loong64.go is excluded by !vendor/**, !**/vendor/**
  • vendor/golang.org/x/sys/unix/zerrors_linux_mips.go is excluded by !vendor/**, !**/vendor/**
  • vendor/golang.org/x/sys/unix/zerrors_linux_mips64.go is excluded by !vendor/**, !**/vendor/**
  • vendor/golang.org/x/sys/unix/zerrors_linux_mips64le.go is excluded by !vendor/**, !**/vendor/**
  • vendor/golang.org/x/sys/unix/zerrors_linux_mipsle.go is excluded by !vendor/**, !**/vendor/**
  • vendor/golang.org/x/sys/unix/zerrors_linux_ppc.go is excluded by !vendor/**, !**/vendor/**
  • vendor/golang.org/x/sys/unix/zerrors_linux_ppc64.go is excluded by !vendor/**, !**/vendor/**
  • vendor/golang.org/x/sys/unix/zerrors_linux_ppc64le.go is excluded by !vendor/**, !**/vendor/**
  • vendor/golang.org/x/sys/unix/zerrors_linux_riscv64.go is excluded by !vendor/**, !**/vendor/**
  • vendor/golang.org/x/sys/unix/zerrors_linux_s390x.go is excluded by !vendor/**, !**/vendor/**
  • vendor/golang.org/x/sys/unix/zerrors_linux_sparc64.go is excluded by !vendor/**, !**/vendor/**
  • vendor/golang.org/x/sys/unix/ztypes_netbsd_arm.go is excluded by !vendor/**, !**/vendor/**
  • vendor/modules.txt is excluded by !vendor/**, !**/vendor/**
  • vendor/sigs.k8s.io/prow/pkg/apis/prowjobs/v1/types.go is excluded by !vendor/**, !**/vendor/**
  • vendor/sigs.k8s.io/prow/pkg/apis/prowjobs/v1/zz_generated.deepcopy.go is excluded by !vendor/**, !**/vendor/**
  • vendor/sigs.k8s.io/prow/pkg/bugzilla/client.go is excluded by !vendor/**, !**/vendor/**
  • vendor/sigs.k8s.io/prow/pkg/cache/cache.go is excluded by !vendor/**, !**/vendor/**
  • vendor/sigs.k8s.io/prow/pkg/config/cache.go is excluded by !vendor/**, !**/vendor/**
  • vendor/sigs.k8s.io/prow/pkg/config/config.go is excluded by !vendor/**, !**/vendor/**
  • vendor/sigs.k8s.io/prow/pkg/config/jobs.go is excluded by !vendor/**, !**/vendor/**
  • vendor/sigs.k8s.io/prow/pkg/config/prow-config-documented.yaml is excluded by !vendor/**, !**/vendor/**
  • vendor/sigs.k8s.io/prow/pkg/config/tide.go is excluded by !vendor/**, !**/vendor/**
  • vendor/sigs.k8s.io/prow/pkg/crier/reporters/gerrit/reporter.go is excluded by !vendor/**, !**/vendor/**
  • vendor/sigs.k8s.io/prow/pkg/deck/jobs/jobs.go is excluded by !vendor/**, !**/vendor/**
  • vendor/sigs.k8s.io/prow/pkg/genyaml/genyaml.go is excluded by !vendor/**, !**/vendor/**
  • vendor/sigs.k8s.io/prow/pkg/genyaml/populate_struct.go is excluded by !vendor/**, !**/vendor/**
  • vendor/sigs.k8s.io/prow/pkg/gerrit/adapter/adapter.go is excluded by !vendor/**, !**/vendor/**
  • vendor/sigs.k8s.io/prow/pkg/gerrit/client/client.go is excluded by !vendor/**, !**/vendor/**
  • vendor/sigs.k8s.io/prow/pkg/hook/server.go is excluded by !vendor/**, !**/vendor/**
  • vendor/sigs.k8s.io/prow/pkg/interrupts/interrupts.go is excluded by !vendor/**, !**/vendor/**
  • vendor/sigs.k8s.io/prow/pkg/io/opener.go is excluded by !vendor/**, !**/vendor/**
  • vendor/sigs.k8s.io/prow/pkg/jira/jira.go is excluded by !vendor/**, !**/vendor/**
  • vendor/sigs.k8s.io/prow/pkg/kube/config.go is excluded by !vendor/**, !**/vendor/**
  • vendor/sigs.k8s.io/prow/pkg/logrusutil/logrusutil.go is excluded by !vendor/**, !**/vendor/**
  • vendor/sigs.k8s.io/prow/pkg/moonraker/moonraker.go is excluded by !vendor/**, !**/vendor/**
  • vendor/sigs.k8s.io/prow/pkg/pjutil/filter.go is excluded by !vendor/**, !**/vendor/**
  • vendor/sigs.k8s.io/prow/pkg/pjutil/pjutil.go is excluded by !vendor/**, !**/vendor/**
  • vendor/sigs.k8s.io/prow/pkg/pjutil/tot.go is excluded by !vendor/**, !**/vendor/**
  • vendor/sigs.k8s.io/prow/pkg/pluginhelp/hook/hook.go is excluded by !vendor/**, !**/vendor/**
  • vendor/sigs.k8s.io/prow/pkg/plugins/approve/approvers/owners.go is excluded by !vendor/**, !**/vendor/**
  • vendor/sigs.k8s.io/prow/pkg/plugins/assign/assign.go is excluded by !vendor/**, !**/vendor/**
  • vendor/sigs.k8s.io/prow/pkg/plugins/blockade/blockade.go is excluded by !vendor/**, !**/vendor/**
  • vendor/sigs.k8s.io/prow/pkg/plugins/blunderbuss/blunderbuss.go is excluded by !vendor/**, !**/vendor/**
  • vendor/sigs.k8s.io/prow/pkg/plugins/bugzilla/bugzilla.go is excluded by !vendor/**, !**/vendor/**
  • vendor/sigs.k8s.io/prow/pkg/plugins/cat/cat.go is excluded by !vendor/**, !**/vendor/**
  • vendor/sigs.k8s.io/prow/pkg/plugins/cla/cla.go is excluded by !vendor/**, !**/vendor/**
  • vendor/sigs.k8s.io/prow/pkg/plugins/config.go is excluded by !vendor/**, !**/vendor/**
  • vendor/sigs.k8s.io/prow/pkg/plugins/dog/dog.go is excluded by !vendor/**, !**/vendor/**
  • vendor/sigs.k8s.io/prow/pkg/plugins/goose/goose.go is excluded by !vendor/**, !**/vendor/**
  • vendor/sigs.k8s.io/prow/pkg/plugins/heart/heart.go is excluded by !vendor/**, !**/vendor/**
  • vendor/sigs.k8s.io/prow/pkg/plugins/issue-management/link-issue.go is excluded by !vendor/**, !**/vendor/**
  • vendor/sigs.k8s.io/prow/pkg/plugins/jira/jira.go is excluded by !vendor/**, !**/vendor/**
  • vendor/sigs.k8s.io/prow/pkg/plugins/plugin-config-documented.yaml is excluded by !vendor/**, !**/vendor/**
  • vendor/sigs.k8s.io/prow/pkg/plugins/plugins.go is excluded by !vendor/**, !**/vendor/**
  • vendor/sigs.k8s.io/prow/pkg/plugins/pony/pony.go is excluded by !vendor/**, !**/vendor/**
  • vendor/sigs.k8s.io/prow/pkg/plugins/releasenote/releasenote.go is excluded by !vendor/**, !**/vendor/**
  • vendor/sigs.k8s.io/prow/pkg/plugins/respond.go is excluded by !vendor/**, !**/vendor/**
  • vendor/sigs.k8s.io/prow/pkg/plugins/slackevents/slackevents.go is excluded by !vendor/**, !**/vendor/**
  • vendor/sigs.k8s.io/prow/pkg/plugins/testfreeze/checker/checker.go is excluded by !vendor/**, !**/vendor/**
  • vendor/sigs.k8s.io/prow/pkg/plugins/transfer-issue/transfer-issue.go is excluded by !vendor/**, !**/vendor/**
  • vendor/sigs.k8s.io/prow/pkg/plugins/trick-or-treat/trick-or-treat.go is excluded by !vendor/**, !**/vendor/**
  • vendor/sigs.k8s.io/prow/pkg/plugins/trigger/generic-comment.go is excluded by !vendor/**, !**/vendor/**
  • vendor/sigs.k8s.io/prow/pkg/plugins/trigger/push.go is excluded by !vendor/**, !**/vendor/**
  • vendor/sigs.k8s.io/prow/pkg/plugins/trigger/trigger.go is excluded by !vendor/**, !**/vendor/**
  • vendor/sigs.k8s.io/prow/pkg/pod-utils/decorate/podspec.go is excluded by !vendor/**, !**/vendor/**
  • vendor/sigs.k8s.io/prow/pkg/pod-utils/downwardapi/jobspec.go is excluded by !vendor/**, !**/vendor/**
  • vendor/sigs.k8s.io/prow/pkg/repoowners/repoowners.go is excluded by !vendor/**, !**/vendor/**
  • vendor/sigs.k8s.io/prow/pkg/sidecar/censor.go is excluded by !vendor/**, !**/vendor/**
  • vendor/sigs.k8s.io/prow/pkg/sidecar/run.go is excluded by !vendor/**, !**/vendor/**
  • vendor/sigs.k8s.io/prow/pkg/slack/client.go is excluded by !vendor/**, !**/vendor/**
  • vendor/sigs.k8s.io/prow/pkg/throttle/throttle.go is excluded by !vendor/**, !**/vendor/**
  • vendor/sigs.k8s.io/prow/pkg/tide/blockers/blockers.go is excluded by !vendor/**, !**/vendor/**
  • vendor/sigs.k8s.io/prow/pkg/tide/gerrit.go is excluded by !vendor/**, !**/vendor/**
  • vendor/sigs.k8s.io/prow/pkg/tide/github.go is excluded by !vendor/**, !**/vendor/**
  • vendor/sigs.k8s.io/prow/pkg/tide/history/history.go is excluded by !vendor/**, !**/vendor/**
  • vendor/sigs.k8s.io/prow/pkg/tide/status.go is excluded by !vendor/**, !**/vendor/**
  • vendor/sigs.k8s.io/prow/pkg/tide/tide.go is excluded by !vendor/**, !**/vendor/**
📒 Files selected for processing (4)
  • Makefile
  • go.mod
  • pkg/api/ephemeralcluster/v1/zz_generated.deepcopy.go
  • pkg/api/zz_generated.deepcopy.go

Comment thread Makefile Outdated
# make update-vendor
update-vendor:
docker run --rm \
podman run --rm \

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟡 Minor

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Description: Check if there are other references to docker/podman in the Makefile or related scripts

echo "=== Checking for docker references in Makefile ==="
rg -n 'docker' Makefile || echo "No docker references found in Makefile"

echo ""
echo "=== Checking for podman references in Makefile ==="
rg -n 'podman' Makefile || echo "No podman references found in Makefile"

echo ""
echo "=== Checking hack/ scripts for container runtime references ==="
rg -n 'docker|podman' hack/ || echo "No references found in hack/"

Repository: openshift/ci-tools

Length of output: 6282


🏁 Script executed:

#!/bin/bash
# Check for documentation about container engine requirements

echo "=== Searching for documentation mentioning docker/podman ==="
find . -name "README*" -o -name "CONTRIBUTING*" -o -name "*.md" | head -20 | xargs grep -l "docker\|podman" 2>/dev/null || echo "No relevant docs found"

echo ""
echo "=== Checking go.mod or similar for any clues ==="
ls -la go.* 2>/dev/null | head -10

echo ""
echo "=== Checking if there's a .github/workflows or CI config ==="
find .github -type f -name "*.yaml" -o -name "*.yml" 2>/dev/null | head -10 | xargs grep -n "docker\|podman" 2>/dev/null | head -20

Repository: openshift/ci-tools

Length of output: 377


🏁 Script executed:

#!/bin/bash
# Check the full context of the update-vendor target in Makefile

echo "=== Reading lines around 84 in Makefile to understand the update-vendor target ==="
sed -n '75,95p' Makefile

Repository: openshift/ci-tools

Length of output: 847


🏁 Script executed:

#!/bin/bash
# Check git history for recent changes to this line or area

echo "=== Git log for Makefile changes (recent) ==="
git log --oneline -20 -- Makefile

Repository: openshift/ci-tools

Length of output: 168


🏁 Script executed:

#!/bin/bash
# Check the specific commit that changed this line

echo "=== Viewing the commit that touched Makefile ==="
git show --stat a363019ec | head -30

echo ""
echo "=== Checking the diff for line 84 ==="
git show a363019ec -- Makefile | grep -A 5 -B 5 "podman\|docker" | head -40

Repository: openshift/ci-tools

Length of output: 3538


🏁 Script executed:

#!/bin/bash
# Let's check if there's any documentation in README files

echo "=== Checking main README ==="
if [ -f README.md ]; then cat README.md | grep -A 3 -B 3 "docker\|podman" || echo "No mention in main README"; fi

echo ""
echo "=== Checking for CONTRIBUTING docs ==="
find . -name "CONTRIBUTING*" -type f 2>/dev/null | xargs cat 2>/dev/null | head -50

Repository: openshift/ci-tools

Length of output: 4064


Document the broader infrastructure changes in the PR description.

This commit is much larger than the PR description indicates—it includes not just the prow dependency bump, but also a comprehensive infrastructure migration including Claude AI plugins, new documentation, and updated build targets. The Makefile switch from Docker to Podman is part of this larger change.

While the Podman default is consistent with existing patterns elsewhere in the codebase (hack/lint.sh and hack/build-and-push.sh already default to Podman), the PR description should explicitly mention that tooling requirements are changing. This ensures contributors and downstream users understand the infrastructure migration and can plan accordingly.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@Makefile` at line 84, Update the PR description to document the broader
infrastructure migration introduced by this commit: explicitly state that the
Makefile now uses Podman (referencing the changed invocation "podman run --rm"),
that tooling defaults in hack/lint.sh and hack/build-and-push.sh align with
Podman, and list other changes included in the PR such as the prow dependency
bump, Claude AI plugins, new documentation, and updated build targets; mention
any new contributor requirements (e.g., Podman vs Docker) and note migration
steps or compatibility considerations for downstream users.

@Prucek Prucek force-pushed the vendor-prow branch 2 times, most recently from fc50f52 to 01fbfb2 Compare March 30, 2026 12:40
@Prucek

Prucek commented Mar 30, 2026

Copy link
Copy Markdown
Member Author

/retest
/test e2e

@petr-muller

Copy link
Copy Markdown
Member

/cc

@openshift-ci openshift-ci Bot requested a review from petr-muller April 4, 2026 00:40
@petr-muller

Copy link
Copy Markdown
Member

When this gets revived, please bump this further to include kubernetes-sigs/prow@5aca44b to resolve a rehearse bug that caused silent spurious retry successes on internal rebase conflicts. I originally had this fix in #5108 but the actual bug was in upstream code and fixed in kubernetes-sigs/prow#684

@openshift-ci openshift-ci Bot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Apr 16, 2026
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@openshift-ci openshift-ci Bot removed the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Apr 23, 2026
@Prucek Prucek changed the title build(deps): bump sigs.k8s.io/prow to feedafda4290 build(deps): bump sigs.k8s.io/prow to 5aca44b7f08f Apr 23, 2026

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 2

🧹 Nitpick comments (1)
go.mod (1)

3-3: Consider upgrading Go toolchain to 1.26.2, the current latest stable version (April 2026). Go 1.25.8 is a valid released version, but 1.26.2 is available if compatibility with your dependencies allows.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@go.mod` at line 3, The go.mod currently pins the Go toolchain to "go 1.25.8";
update that to "go 1.26.2" to use the latest stable toolchain, then run a full
build and test cycle (go mod tidy, go build, go test ./...) to catch any
incompatibilities; locate and edit the go directive in go.mod (the line
containing "go 1.25.8") and replace it with "go 1.26.2", adjust any CI/workflow
matrix entries that reference Go versions to include 1.26.2, and fix any minor
compatibility issues reported by the build/tests.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@go.mod`:
- Line 210: Update the OpenTelemetry SDK module reference from
go.opentelemetry.io/otel/sdk v1.40.0 to at least v1.43.0 to address the
GHSA-hfvc-g4fc-pqhx PATH hijacking vulnerability; change the module version in
go.mod (the entry for go.opentelemetry.io/otel/sdk) and then run the Go tooling
to fetch and tidy dependencies (e.g., go get with the target version and go mod
tidy) so the lockfile and sums are updated accordingly.
- Line 275: Update the indirect dependency github.com/go-jose/go-jose/v4 from
v4.1.3 to v4.1.4 to pull in the security fix for the JWE decryption issue
(GHSA-78h2-9frx-2jm8): change the version string for
github.com/go-jose/go-jose/v4 to v4.1.4 in go.mod, then run the module tooling
(e.g., go get github.com/go-jose/go-jose/v4@v4.1.4 and go mod tidy) to update
go.sum and vendor files as needed.

---

Nitpick comments:
In `@go.mod`:
- Line 3: The go.mod currently pins the Go toolchain to "go 1.25.8"; update that
to "go 1.26.2" to use the latest stable toolchain, then run a full build and
test cycle (go mod tidy, go build, go test ./...) to catch any
incompatibilities; locate and edit the go directive in go.mod (the line
containing "go 1.25.8") and replace it with "go 1.26.2", adjust any CI/workflow
matrix entries that reference Go versions to include 1.26.2, and fix any minor
compatibility issues reported by the build/tests.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Pro Plus

Run ID: 966af1d1-060f-413c-810b-9d55c5c1bf2e

📥 Commits

Reviewing files that changed from the base of the PR and between 01fbfb2 and 66917f3.

⛔ Files ignored due to path filters (1)
  • go.sum is excluded by !**/*.sum
📒 Files selected for processing (1)
  • go.mod

Comment thread go.mod
go.opentelemetry.io/otel/sdk/metric v1.37.0 // indirect
go.opentelemetry.io/auto/sdk v1.2.1 // indirect
go.opentelemetry.io/contrib/detectors/gcp v1.39.0 // indirect
go.opentelemetry.io/otel/sdk v1.40.0 // indirect

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Description: Check for newer versions of otel/sdk with security fixes

# Check Go module proxy for available versions
curl -s 'https://proxy.golang.org/go.opentelemetry.io/otel/sdk/@v/list' | tail -10

# Check for security advisories
gh api graphql -f query='
{
  securityVulnerabilities(first: 5, ecosystem: GO, package: "go.opentelemetry.io/otel/sdk") {
    nodes {
      advisory {
        summary
        severity
        publishedAt
      }
      vulnerableVersionRange
      firstPatchedVersion {
        identifier
      }
    }
  }
}'

Repository: openshift/ci-tools

Length of output: 702


Upgrade OpenTelemetry SDK to patch HIGH severity PATH hijacking vulnerability.

The current version v1.40.0 is vulnerable to GHSA-hfvc-g4fc-pqhx (BSD kenv command not using absolute path enables PATH hijacking). Upgrade to v1.43.0 or later to resolve this vulnerability.

🧰 Tools
🪛 OSV Scanner (2.3.5)

[HIGH] 210-210: go.opentelemetry.io/otel/sdk 1.40.0: opentelemetry-go: BSD kenv command not using absolute path enables PATH hijacking

(GHSA-hfvc-g4fc-pqhx)

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@go.mod` at line 210, Update the OpenTelemetry SDK module reference from
go.opentelemetry.io/otel/sdk v1.40.0 to at least v1.43.0 to address the
GHSA-hfvc-g4fc-pqhx PATH hijacking vulnerability; change the module version in
go.mod (the entry for go.opentelemetry.io/otel/sdk) and then run the Go tooling
to fetch and tidy dependencies (e.g., go get with the target version and go mod
tidy) so the lockfile and sums are updated accordingly.

Comment thread go.mod
github.com/go-git/go-billy/v5 v5.6.2 // indirect
github.com/go-git/go-git/v5 v5.14.0 // indirect
github.com/go-jose/go-jose/v4 v4.1.2 // indirect
github.com/go-jose/go-jose/v4 v4.1.3 // indirect

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Description: Check for newer versions of go-jose with security fixes

# Check for latest releases
gh api repos/go-jose/go-jose/releases --jq '.[0:5] | .[] | {tag_name, published_at, name}'

# Check for security advisories
gh api graphql -f query='
{
  securityVulnerabilities(first: 5, ecosystem: GO, package: "github.com/go-jose/go-jose/v4") {
    nodes {
      advisory {
        summary
        severity
        publishedAt
      }
      vulnerableVersionRange
      firstPatchedVersion {
        identifier
      }
    }
  }
}'

Repository: openshift/ci-tools

Length of output: 1127


Upgrade go-jose to v4.1.4 to address HIGH severity JWE decryption vulnerability.

The current version v4.1.3 is vulnerable to GHSA-78h2-9frx-2jm8 ("Go JOSE Panics in JWE decryption"). Upgrade to v4.1.4 or later, which was released on 2026-04-04 with a fix for this vulnerability.

🧰 Tools
🪛 OSV Scanner (2.3.5)

[HIGH] 275-275: github.com/go-jose/go-jose/v4 4.1.3: Go JOSE Panics in JWE decryption

(GHSA-78h2-9frx-2jm8)

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@go.mod` at line 275, Update the indirect dependency
github.com/go-jose/go-jose/v4 from v4.1.3 to v4.1.4 to pull in the security fix
for the JWE decryption issue (GHSA-78h2-9frx-2jm8): change the version string
for github.com/go-jose/go-jose/v4 to v4.1.4 in go.mod, then run the module
tooling (e.g., go get github.com/go-jose/go-jose/v4@v4.1.4 and go mod tidy) to
update go.sum and vendor files as needed.

Remove commandHelpLink from approve plugin serialization and add
release_note default to match new prow version behavior.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@Prucek

Prucek commented Apr 23, 2026

Copy link
Copy Markdown
Member Author

/label tide/merge-method-squash

@openshift-ci openshift-ci Bot added the tide/merge-method-squash Denotes a PR that should be squashed by tide when it merges. label Apr 23, 2026
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@droslean

Copy link
Copy Markdown
Member

/lgtm

@openshift-ci openshift-ci Bot added the lgtm Indicates that a PR is ready to be merged. label Apr 23, 2026
@openshift-ci

openshift-ci Bot commented Apr 23, 2026

Copy link
Copy Markdown
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: droslean, Prucek

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-merge-bot

Copy link
Copy Markdown
Contributor

/retest-required

Remaining retests: 0 against base HEAD 0dc0fdf and 2 for PR HEAD 5b34ea2 in total

@openshift-merge-bot

Copy link
Copy Markdown
Contributor

Scheduling tests matching the pipeline_run_if_changed or not excluded by pipeline_skip_if_only_changed parameters:
/test e2e

@petr-muller

Copy link
Copy Markdown
Member

/test secret-bootstrapper-validation

@petr-muller

Copy link
Copy Markdown
Member

/test breaking-changes

@openshift-merge-bot

Copy link
Copy Markdown
Contributor

Tests from second stage were triggered manually. Pipeline can be controlled only manually, until HEAD changes. Use command to trigger second stage.

@petr-muller

Copy link
Copy Markdown
Member

/test e2e

@openshift-ci

openshift-ci Bot commented Apr 23, 2026

Copy link
Copy Markdown
Contributor

@Prucek: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name Commit Details Required Rerun command
ci/prow/breaking-changes 5b34ea2 link false /test breaking-changes

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

@openshift-merge-bot openshift-merge-bot Bot merged commit 191feee into openshift:main Apr 23, 2026
16 of 17 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

approved Indicates a PR has been approved by an approver from all required OWNERS files. lgtm Indicates that a PR is ready to be merged. tide/merge-method-squash Denotes a PR that should be squashed by tide when it merges.

Projects

None yet

Development

Successfully merging this pull request may close these issues.

4 participants