OCPCLOUD-3614: bump k8s and openshift deps#1520
Conversation
|
Note Reviews pausedIt looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the Use the following commands to manage reviews:
Use the checkboxes below for quick actions:
WalkthroughThe PR refreshes Go, OpenShift, Kubernetes, controller-runtime, and indirect dependencies, expands staging replacements, removes obsolete modules, and updates status events to pass messages as explicit format arguments. ChangesDependency and status event updates
Estimated code review effort: 2 (Simple) | ~15 minutes Suggested reviewers: Important Pre-merge checks failedPlease resolve all errors before merging. Addressing warnings is optional. ❌ Failed checks (1 error)
✅ Passed checks (14 passed)
✨ Finishing Touches🧪 Generate unit tests (beta)
Comment |
There was a problem hiding this comment.
Actionable comments posted: 2
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@go.mod`:
- Around line 10-12: Update the OpenShift Kubernetes replacement versions in
go.mod to match the pins recorded in vendor/modules.txt, or regenerate the
vendor tree from the current go.mod so both references use
20260716191900-78acd4d422b2. Keep the k8s.io/apiserver, k8s.io/kubelet, and
k8s.io/kubernetes replacement entries consistent.
- Around line 53-54: Update the module’s Go version declaration in go.mod from
1.25.0 to 1.26.0, leaving the existing dependency versions unchanged.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml
Review profile: CHILL
Plan: Enterprise
Run ID: d7872606-c9f5-41f8-88c9-6c541e75ef36
📒 Files selected for processing (1)
go.mod
|
Caution Failed to replace (edit) comment. This is likely due to insufficient permissions or the comment being deleted. Error details |
There was a problem hiding this comment.
Actionable comments posted: 1
🧹 Nitpick comments (1)
go.mod (1)
8-17: 🔒 Security & Privacy | 🔵 TrivialComplete the dependency supply-chain verification before merge.
The pins are exact, but verify the companion
go.sumhashes, OSV findings, license compatibility, SBOM/provenance generation, and Sigstore/cosign signing for the new OpenShift/Kubernetes fork revisions and dependency updates. As per path instructions, all of these checks are required for dependency-manifest changes.Also applies to: 27-59
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@go.mod` around lines 8 - 17, Complete supply-chain verification for the dependency updates in go.mod, including matching go.sum hashes, OSV vulnerability checks, license compatibility review, SBOM and provenance generation, and Sigstore/cosign signature verification for the OpenShift Ginkgo and Kubernetes fork revisions. Apply the same checks to all dependency changes covered by the comment’s range and record or preserve the resulting verification artifacts as required by repository instructions.Source: Path instructions
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@go.mod`:
- Line 3: Update the go.mod Go toolchain configuration from go 1.26.0 to
explicitly require Go 1.26.5 for builds, using a toolchain declaration or
equivalent minimum CI/release builder setting. Ensure builds no longer depend on
the ambient toolchain.
---
Nitpick comments:
In `@go.mod`:
- Around line 8-17: Complete supply-chain verification for the dependency
updates in go.mod, including matching go.sum hashes, OSV vulnerability checks,
license compatibility review, SBOM and provenance generation, and
Sigstore/cosign signature verification for the OpenShift Ginkgo and Kubernetes
fork revisions. Apply the same checks to all dependency changes covered by the
comment’s range and record or preserve the resulting verification artifacts as
required by repository instructions.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
| module github.com/openshift/machine-api-operator | ||
|
|
||
| go 1.25.0 | ||
| go 1.26.0 |
There was a problem hiding this comment.
🔒 Security & Privacy | 🟠 Major | ⚡ Quick win
🧩 Analysis chain
🏁 Script executed:
#!/usr/bin/env bash
set -euo pipefail
go version
go env GOTOOLCHAIN
rg -n --hidden -g '!vendor/**' \
'toolchain go|go-version|setup-go|FROM golang|GO_VERSION' .Repository: openshift/machine-api-operator
Length of output: 584
Use Go 1.26.5 for builds
go 1.26.0 leaves builds dependent on the ambient toolchain. Pin toolchain go1.26.5, or make the minimum CI/release builder version explicit.
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In `@go.mod` at line 3, Update the go.mod Go toolchain configuration from go
1.26.0 to explicitly require Go 1.26.5 for builds, using a toolchain declaration
or equivalent minimum CI/release builder setting. Ensure builds no longer depend
on the ambient toolchain.
01ca5db to
09e0915
Compare
Go vet now flags passing a variable as the format argument to Eventf. Use "%s" as the format string and pass the variable as an argument. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
|
Caution Failed to replace (edit) comment. This is likely due to insufficient permissions or the comment being deleted. Error details |
… staging The openshift/kubernetes fork adds APIs (AddAlwaysLocalDelegateForPrefix, AddOverlappingGroupVersion, etc.) in the kube-aggregator staging area that aren't in the upstream released module, causing build failures. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
There was a problem hiding this comment.
Actionable comments posted: 1
🧹 Nitpick comments (1)
go.mod (1)
27-59: 🔒 Security & Privacy | 🔵 TrivialAdd the missing dependency supply-chain checks.
go mod verifyis already in place; add the remaining refresh gates for license review, OSV/govulncheck scanning, SBOM/provenance attestations, and cosign signing of release artifacts.🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@go.mod` around lines 27 - 59, Add the dependency supply-chain refresh gates alongside the existing go mod verify check: include license review, OSV/govulncheck vulnerability scanning, SBOM and provenance attestations, and cosign signing validation for release artifacts. Reuse the repository’s established dependency or release-check configuration and keep go mod verify intact.Source: Path instructions
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@go.mod`:
- Line 333: Update the go.opentelemetry.io/otel/sdk dependency from v1.40.0 to
v1.43.0, preserving its indirect dependency designation and ensuring the module
metadata reflects the upgraded version.
---
Nitpick comments:
In `@go.mod`:
- Around line 27-59: Add the dependency supply-chain refresh gates alongside the
existing go mod verify check: include license review, OSV/govulncheck
vulnerability scanning, SBOM and provenance attestations, and cosign signing
validation for release artifacts. Reuse the repository’s established dependency
or release-check configuration and keep go mod verify intact.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
The staticcheck warnings these suppressed no longer fire after the k8s.io dependency bump. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: The full list of commands accepted by this bot can be found here. DetailsNeeds approval from an approver in each of these files:Approvers can indicate their approval by writing |
|
@hongkailiu: This pull request references OCPCLOUD-3614 which is a valid jira issue. Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the task to target the "5.0.0" version, but no target version was set. DetailsIn response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
|
/retest-required |
1 similar comment
|
/retest-required |
|
@hongkailiu: The following tests failed, say
Full PR test history. Your PR dashboard. DetailsInstructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here. |
After the pull:
Summary by CodeRabbit
Summary
Chores
Bug Fixes