
NO-ISSUE: Update github.com/openshift/hive/apis digest to 1653181#1016

Open: red-hat-konflux[bot] wants to merge 1 commit into master from konflux/mintmaker/master/github.com-openshift-hive-apis-digest



@red-hat-konflux red-hat-konflux Bot commented May 29, 2026


This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| github.com/openshift/hive/apis | require | digest | a455a02 -> 1653181 |

Warning

Some dependencies could not be looked up. Check the warning logs for more information.


Configuration

📅 Schedule: (in timezone America/New_York)

  • Branch creation
    • At any time (no schedule defined)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

To execute skipped test pipelines write comment /ok-to-test.


Documentation

Find out how to configure dependency updates in MintMaker documentation or see all available configuration options in Renovate documentation.

@openshift-ci-robot openshift-ci-robot added the jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. label May 29, 2026
@openshift-ci-robot


@red-hat-konflux[bot]: This pull request explicitly references no jira issue.

Details

In response to this:

This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| github.com/openshift/hive/apis | require | digest | a455a02 -> 91d3589 |

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

To execute skipped test pipelines write comment /ok-to-test.


Documentation

Find out how to configure dependency updates in MintMaker documentation or see all available configuration options in Renovate documentation.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.


coderabbitai Bot commented May 29, 2026


Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

  • @coderabbitai resume to resume automatic reviews.
  • @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

  • ▶️ Resume reviews
  • 🔍 Trigger review

Walkthrough

go.mod updates the github.com/openshift/hive/apis pseudo-version and bumps indirect golang.org/x/net and golang.org/x/sys versions; no other require/replace directives or public APIs are changed.

Changes

Dependency Update

| Layer / File(s) | Summary |
|---|---|
| Dependency version updates, go.mod | Updates github.com/openshift/hive/apis pseudo-version in the main require block and bumps indirect golang.org/x/net and golang.org/x/sys versions; golang.org/x/oauth2 and golang.org/x/sync unchanged. |

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Possibly related PRs

Suggested labels

ok-to-test, size/XS

Suggested reviewers

  • danmanor

🚥 Pre-merge checks | ✅ 14 | ❌ 1

❌ Failed checks (1 warning)

| Check name | Status | Explanation | Resolution |
|---|---|---|---|
| Ipv6 And Disconnected Network Test Compatibility | ⚠️ Warning | New Ginkgo e2e tests contain hardcoded IPv4 addresses (1.2.3.4, 2.3.4.5, 3.4.5.6, 10.0.36.14, 192.186.126.10) in IPv4-specific CIDR and address assertions that will fail in IPv6-only disconnected C... | Update tests to dynamically detect cluster IP family using GetIPAddressFamily() or GetIPFamilyForCluster(), adapt IPv4 addresses/CIDRs accordingly, or wrap with InIPv4ClusterContext() to skip on IPv6-only clusters. |

✅ Passed checks (14 passed)

| Check name | Status | Explanation |
|---|---|---|
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Stable And Deterministic Test Names | ✅ Passed | All Ginkgo test names in the PR are static, descriptive, and free of dynamic content (no variables, timestamps, UUIDs, pod names, or generated identifiers). All 56+ test titles use clear, determini... |
| Test Structure And Quality | ✅ Passed | PR is a dependency update (go.mod/go.sum changes only). No test code was modified, making the test quality check not applicable to this PR. |
| Microshift Test Compatibility | ✅ Passed | This PR only updates Go module dependencies (github.com/openshift/hive/apis and indirect deps). No new Ginkgo e2e tests are added; check not applicable. |
| Single Node Openshift (Sno) Test Compatibility | ✅ Passed | This PR only updates go.mod dependencies and adds no new Ginkgo e2e tests, making the SNO Test Compatibility check not applicable. |
| Topology-Aware Scheduling Compatibility | ✅ Passed | PR only updates a dependency version in go.mod (github.com/openshift/hive/apis digest). No deployment manifests, operator code, or controller changes are introduced, so the topology-aware schedulin... |
| Ote Binary Stdout Contract | ✅ Passed | This PR only updates dependencies (go.mod/go.sum); no source code is modified. Main entry point, init(), controllers, and test suite remain unchanged with no stdout violations. Check not applicable... |
| No-Weak-Crypto | ✅ Passed | PR only updates go.mod dependency (hive/apis). No weak crypto patterns (MD5, SHA1, DES, RC4, etc.) found in codebase. No new code or custom crypto implementations. |
| Container-Privileges | ✅ Passed | PR contains no container/K8s manifests with privileged:true, hostPID/hostNetwork/hostIPC, SYS_ADMIN capability, or allowPrivilegeEscalation:true. Kubernetes deployment uses runAsNonRoot, allowPrivi... |
| No-Sensitive-Data-In-Logs | ✅ Passed | No sensitive data exposure in logs; logging only uses metadata (names/error messages), not actual secret values, passwords, or tokens. |
| Title check | ✅ Passed | The title clearly summarizes the main change: updating the github.com/openshift/hive/apis digest. |
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |

✨ Finishing Touches
📝 Generate docstrings
  • Create stacked PR
  • Commit on current branch
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch konflux/mintmaker/master/github.com-openshift-hive-apis-digest

Comment @coderabbitai help to get the list of available commands.

@openshift-ci openshift-ci Bot added the size/XS Denotes a PR that changes 0-9 lines, ignoring generated files. label May 29, 2026
@openshift-ci openshift-ci Bot requested review from avishayt and danmanor May 29, 2026 12:22

openshift-ci Bot commented May 29, 2026


[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: red-hat-konflux[bot]
Once this PR has been reviewed and has the lgtm label, please assign eranco74 for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci openshift-ci Bot added the needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. label May 29, 2026

openshift-ci Bot commented May 29, 2026


Hi @red-hat-konflux[bot]. Thanks for your PR.

I'm waiting for an openshift member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work.

Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@red-hat-konflux red-hat-konflux Bot force-pushed the konflux/mintmaker/master/github.com-openshift-hive-apis-digest branch from 7aca07b to e5ef206 Compare May 30, 2026 00:21
@red-hat-konflux red-hat-konflux Bot changed the title NO-ISSUE: Update github.com/openshift/hive/apis digest to 91d3589 NO-ISSUE: Update github.com/openshift/hive/apis digest to db81e46 May 30, 2026
@red-hat-konflux

Author

ℹ️ Artifact update notice

File name: go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

  • 2 additional dependencies were updated

Details:

| Package | Change |
|---|---|
| golang.org/x/net | v0.54.0 -> v0.55.0 |
| golang.org/x/sys | v0.44.0 -> v0.45.0 |

@openshift-ci openshift-ci Bot added size/XXL Denotes a PR that changes 1000+ lines, ignoring generated files. and removed size/XS Denotes a PR that changes 0-9 lines, ignoring generated files. labels May 30, 2026

@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@go.mod`:
- Line 18: The PR is missing SBOM/provenance attestations and Sigstore/cosign
signing evidence for the go.mod dependency bumps (modules
github.com/openshift/hive/apis, golang.org/x/net, golang.org/x/sys); update the
CI pipeline to generate and upload an SBOM (e.g., using syft or cyclonedx),
produce provenance attestation (in-toto/slsa or chef/rekor attestation) and sign
the build artifacts with cosign, then attach the CI/build logs or public
artifact links in the PR description showing the SBOM, attestation, and cosign
signature verification for the release artifacts created with these module
updates and reference those artifacts in the PR comment.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 4a015993-de4d-4871-b826-37929e65246d

📥 Commits

Reviewing files that changed from the base of the PR and between 7aca07b and e5ef206.

⛔ Files ignored due to path filters (82)
  • go.sum is excluded by !**/*.sum
  • vendor/golang.org/x/net/html/parse.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/net/html/render.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/net/html/token.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/net/http2/server.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/net/http2/server_common.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/net/http2/server_wrap.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/net/http2/transport.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/net/http2/transport_common.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/net/http2/writesched_common.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/net/http2/writesched_priority_rfc7540.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/unix/mkerrors.sh is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/unix/readv_unix.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/unix/syscall_darwin.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/unix/syscall_linux.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/unix/syscall_openbsd.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/unix/zerrors_linux.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/unix/zerrors_linux_386.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/unix/zerrors_linux_amd64.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/unix/zerrors_linux_arm.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/unix/zerrors_linux_arm64.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/unix/zerrors_linux_loong64.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/unix/zerrors_linux_mips.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/unix/zerrors_linux_mips64.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/unix/zerrors_linux_mips64le.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/unix/zerrors_linux_mipsle.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/unix/zerrors_linux_ppc.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/unix/zerrors_linux_ppc64.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/unix/zerrors_linux_ppc64le.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/unix/zerrors_linux_riscv64.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/unix/zerrors_linux_s390x.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/unix/zerrors_linux_sparc64.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/unix/zsyscall_linux.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/unix/zsyscall_openbsd_386.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/unix/zsyscall_openbsd_386.s is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/unix/zsyscall_openbsd_amd64.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/unix/zsyscall_openbsd_amd64.s is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/unix/zsyscall_openbsd_arm.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/unix/zsyscall_openbsd_arm.s is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/unix/zsyscall_openbsd_arm64.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/unix/zsyscall_openbsd_arm64.s is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/unix/zsyscall_openbsd_mips64.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/unix/zsyscall_openbsd_mips64.s is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/unix/zsyscall_openbsd_ppc64.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/unix/zsyscall_openbsd_ppc64.s is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/unix/zsyscall_openbsd_riscv64.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/unix/zsyscall_openbsd_riscv64.s is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/unix/zsysnum_linux_386.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/unix/zsysnum_linux_amd64.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/unix/zsysnum_linux_arm.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/unix/zsysnum_linux_arm64.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/unix/zsysnum_linux_loong64.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/unix/zsysnum_linux_mips.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/unix/zsysnum_linux_mips64.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/unix/zsysnum_linux_mips64le.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/unix/zsysnum_linux_mipsle.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/unix/zsysnum_linux_ppc.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/unix/zsysnum_linux_ppc64.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/unix/zsysnum_linux_ppc64le.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/unix/zsysnum_linux_riscv64.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/unix/zsysnum_linux_s390x.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/unix/zsysnum_linux_sparc64.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/unix/ztypes_linux.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/unix/ztypes_linux_386.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/unix/ztypes_linux_amd64.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/unix/ztypes_linux_arm.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/unix/ztypes_linux_arm64.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/unix/ztypes_linux_loong64.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/unix/ztypes_linux_mips.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/unix/ztypes_linux_mips64.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/unix/ztypes_linux_mips64le.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/unix/ztypes_linux_mipsle.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/unix/ztypes_linux_ppc.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/unix/ztypes_linux_ppc64.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/unix/ztypes_linux_ppc64le.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/unix/ztypes_linux_riscv64.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/unix/ztypes_linux_s390x.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/unix/ztypes_linux_sparc64.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/windows/syscall_windows.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/windows/types_windows.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/windows/zsyscall_windows.go is excluded by !**/vendor/**, !vendor/**
  • vendor/modules.txt is excluded by !**/vendor/**, !vendor/**
📒 Files selected for processing (1)
  • go.mod

Comment thread go.mod Outdated
github.com/openshift/cluster-api-provider-agent/api v0.0.0-20251202202927-3ad4558809a2
github.com/openshift/custom-resource-status v1.1.3-0.20220503160415-f2fdb4999d87
github.com/openshift/hive/apis v0.0.0-20260527211446-a455a02f440e
github.com/openshift/hive/apis v0.0.0-20260529195552-db81e46ad42b
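
Review bot: The added require line pins github.com/openshift/hive/apis to an untagged pseudo-version (v0.0.0-20260529195552-db81e46ad42b), and this thread is marked Outdated while the PR title has since moved on to digest 1653181, so the line shown here is no longer the one that would merge. Before approving, check that the pseudo-version in go.mod, its go.sum entry and vendor/modules.txt all name the same commit, and have a person read the vendored golang.org/x/net and golang.org/x/sys changes that came in with this bump, since go.sum and vendor/** were excluded from the automated review by path filters.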


⚠️ Potential issue | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

# Verify vulnerability status in OSV for exact versions.
curl -s https://api.osv.dev/v1/querybatch -H 'content-type: application/json' -d '{
  "queries": [
    {"package":{"ecosystem":"Go","name":"golang.org/x/net"},"version":"v0.55.0"},
    {"package":{"ecosystem":"Go","name":"golang.org/x/sys"},"version":"v0.45.0"}
  ]
}' | jq .

# Verify the openshift/hive/apis pseudo-version resolves to a real module version.
curl -s "https://proxy.golang.org/github.com/openshift/hive/apis/@v/v0.0.0-20260529195552-db81e46ad42b.info" | jq .

# (Optional but recommended) keep as PR evidence:
# - URL/command output proving SBOM + provenance attestation generation in CI
# - Artifact signing proof (Sigstore/cosign) for release artifacts

Repository: openshift/cluster-api-provider-agent

Length of output: 368


🏁 Script executed:

#!/bin/bash
set -euo pipefail

# 1) Show the referenced go.mod lines to confirm exact versions
echo "== go.mod lines 1-140 (to locate 18,110,113) =="
nl -ba go.mod | sed -n '1,140p'

# 2) OSV query with more explicit extraction of each result
echo "== OSV query results =="
OSV_PAYLOAD='{
  "queries": [
    {"package":{"ecosystem":"Go","name":"golang.org/x/net"},"version":"v0.55.0"},
    {"package":{"ecosystem":"Go","name":"golang.org/x/sys"},"version":"v0.45.0"}
  ]
}'
curl -s https://api.osv.dev/v1/querybatch \
  -H 'content-type: application/json' \
  -d "$OSV_PAYLOAD" | jq '{results:[.results[]|{raw:.}]}'

# Also print only vulns arrays (if present)
curl -s https://api.osv.dev/v1/querybatch \
  -H 'content-type: application/json' \
  -d "$OSV_PAYLOAD" | jq '.results[] | {vulns:(.vulns // null), keys:(keys)}'

# 3) Verify the exact versions exist in the Go module proxy (non-yanked check via existence)
echo '== Go proxy @v/v.info lookups =='
for mod in "golang.org/x/net" "golang.org/x/sys" "github.com/openshift/hive/apis"; do
  for ver in "v0.55.0" "v0.45.0"; do
    :
  done
done

curl -s "https://proxy.golang.org/golang.org/x/net/@v/v0.55.0.info" | jq .
curl -s "https://proxy.golang.org/golang.org/x/sys/@v/v0.45.0.info" | jq .
curl -s "https://proxy.golang.org/github.com/openshift/hive/apis/@v/v0.0.0-20260529195552-db81e46ad42b.info" | jq .

Repository: openshift/cluster-api-provider-agent

Length of output: 189


🏁 Script executed:

#!/bin/bash
set -euo pipefail

# 1) Show go.mod with line numbers (nl not available)
echo "== go.mod lines 1-160 =="
awk '{printf "%4d\t%s\n", NR, $0}' go.mod | sed -n '1,160p'

# 2) OSV query with explicit extraction of each result
echo "== OSV query results =="
OSV_PAYLOAD='{
  "queries": [
    {"package":{"ecosystem":"Go","name":"golang.org/x/net"},"version":"v0.55.0"},
    {"package":{"ecosystem":"Go","name":"golang.org/x/sys"},"version":"v0.45.0"}
  ]
}'
curl -s https://api.osv.dev/v1/querybatch \
  -H 'content-type: application/json' \
  -d "$OSV_PAYLOAD" | jq '.results'

# Print only vulns presence/length (null-safe)
curl -s https://api.osv.dev/v1/querybatch \
  -H 'content-type: application/json' \
  -d "$OSV_PAYLOAD" | jq '
    .results[]
    | {package: (.package // null), vulns_count: ((.vulns // [])|length), vulns: (.vulns // [])}
  '

# 3) Verify versions exist in Go module proxy (existence check)
echo '== Go proxy @v/v.info lookups =='
curl -s "https://proxy.golang.org/golang.org/x/net/@v/v0.55.0.info" | jq .
curl -s "https://proxy.golang.org/golang.org/x/sys/@v/v0.45.0.info" | jq .
curl -s "https://proxy.golang.org/github.com/openshift/hive/apis/@v/v0.0.0-20260529195552-db81e46ad42b.info" | jq .

Repository: openshift/cluster-api-provider-agent

Length of output: 8183


🏁 Script executed:

#!/bin/bash
set -euo pipefail

payload='{
  "queries": [
    {"package":{"ecosystem":"Go","name":"github.com/openshift/hive/apis"},"version":"v0.0.0-20260529195552-db81e46ad42b"},
    {"package":{"ecosystem":"Go","name":"golang.org/x/net"},"version":"v0.55.0"},
    {"package":{"ecosystem":"Go","name":"golang.org/x/sys"},"version":"v0.45.0"}
  ]
}'

curl -s https://api.osv.dev/v1/querybatch -H 'content-type: application/json' -d "$payload" \
  | jq '.results[] | {package: .package, vulns_count: ((.vulns // [])|length)}'

# Evidence that the exact versions resolve in proxy.golang.org
curl -s "https://proxy.golang.org/github.com/openshift/hive/apis/@v/v0.0.0-20260529195552-db81e46ad42b.info" | jq .
curl -s "https://proxy.golang.org/golang.org/x/net/@v/v0.55.0.info" | jq .
curl -s "https://proxy.golang.org/golang.org/x/sys/@v/v0.45.0.info" | jq .

Repository: openshift/cluster-api-provider-agent

Length of output: 918


Provide SBOM/provenance attestation and Sigstore/cosign signing evidence for the go.mod dependency bumps (go.mod lines 18, 110, 113).

  • OSV/CVE check for:
    • github.com/openshift/hive/apis v0.0.0-20260529195552-db81e46ad42b
    • golang.org/x/net v0.55.0
    • golang.org/x/sys v0.45.0
      returns vulns_count: 0, and each version resolves via `proxy.golang.org ... @v/v.info`.
  • Still required: attach the CI/build output or links proving SBOM + provenance (attestations) are generated, and artifact signing proof (Sigstore/cosign) for the release artifacts produced with these updated modules.
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@go.mod` at line 18, The PR is missing SBOM/provenance attestations and
Sigstore/cosign signing evidence for the go.mod dependency bumps (modules
github.com/openshift/hive/apis, golang.org/x/net, golang.org/x/sys); update the
CI pipeline to generate and upload an SBOM (e.g., using syft or cyclonedx),
produce provenance attestation (in-toto/slsa or chef/rekor attestation) and sign
the build artifacts with cosign, then attach the CI/build logs or public
artifact links in the PR description showing the SBOM, attestation, and cosign
signature verification for the release artifacts created with these module
updates and reference those artifacts in the PR comment.

@red-hat-konflux red-hat-konflux Bot changed the title NO-ISSUE: Update github.com/openshift/hive/apis digest to db81e46 NO-ISSUE: Update github.com/openshift/hive/apis digest to db81e46 - autoclosed May 30, 2026
@red-hat-konflux red-hat-konflux Bot closed this May 30, 2026
@red-hat-konflux red-hat-konflux Bot deleted the konflux/mintmaker/master/github.com-openshift-hive-apis-digest branch May 30, 2026 20:27
@red-hat-konflux red-hat-konflux Bot changed the title NO-ISSUE: Update github.com/openshift/hive/apis digest to db81e46 - autoclosed NO-ISSUE: Update github.com/openshift/hive/apis digest to db81e46 May 31, 2026
@red-hat-konflux red-hat-konflux Bot reopened this May 31, 2026
@red-hat-konflux red-hat-konflux Bot force-pushed the konflux/mintmaker/master/github.com-openshift-hive-apis-digest branch 3 times, most recently from 190c0cc to ca9fc9f Compare June 4, 2026 16:25
@red-hat-konflux red-hat-konflux Bot force-pushed the konflux/mintmaker/master/github.com-openshift-hive-apis-digest branch from ca9fc9f to 4542392 Compare June 15, 2026 16:06
@red-hat-konflux red-hat-konflux Bot changed the title NO-ISSUE: Update github.com/openshift/hive/apis digest to db81e46 NO-ISSUE: Update github.com/openshift/hive/apis digest to 188a312 Jun 15, 2026
@red-hat-konflux red-hat-konflux Bot changed the title NO-ISSUE: Update github.com/openshift/hive/apis digest to 188a312 NO-ISSUE: Update github.com/openshift/hive/apis digest to 188a312 - autoclosed Jun 16, 2026
@red-hat-konflux red-hat-konflux Bot closed this Jun 16, 2026
@red-hat-konflux red-hat-konflux Bot changed the title NO-ISSUE: Update github.com/openshift/hive/apis digest to 188a312 - autoclosed NO-ISSUE: Update github.com/openshift/hive/apis digest to 7c2c258 Jun 20, 2026
@red-hat-konflux red-hat-konflux Bot reopened this Jun 20, 2026
@red-hat-konflux red-hat-konflux Bot force-pushed the konflux/mintmaker/master/github.com-openshift-hive-apis-digest branch from 518b476 to 4542392 Compare June 20, 2026 04:15
@red-hat-konflux red-hat-konflux Bot force-pushed the konflux/mintmaker/master/github.com-openshift-hive-apis-digest branch from 4542392 to 518b476 Compare June 20, 2026 04:15
@red-hat-konflux red-hat-konflux Bot changed the title NO-ISSUE: Update github.com/openshift/hive/apis digest to 7c2c258 NO-ISSUE: Update github.com/openshift/hive/apis digest to 7c2c258 - autoclosed Jun 20, 2026
@red-hat-konflux red-hat-konflux Bot closed this Jun 20, 2026
@red-hat-konflux red-hat-konflux Bot changed the title NO-ISSUE: Update github.com/openshift/hive/apis digest to 7c2c258 - autoclosed NO-ISSUE: Update github.com/openshift/hive/apis digest to 7c2c258 Jun 20, 2026
@red-hat-konflux red-hat-konflux Bot reopened this Jun 20, 2026
@red-hat-konflux red-hat-konflux Bot force-pushed the konflux/mintmaker/master/github.com-openshift-hive-apis-digest branch 2 times, most recently from 518b476 to 58aa1ce Compare June 20, 2026 20:21
@red-hat-konflux red-hat-konflux Bot changed the title NO-ISSUE: Update github.com/openshift/hive/apis digest to 7c2c258 NO-ISSUE: Update github.com/openshift/hive/apis digest to 7c2c258 - autoclosed Jun 24, 2026
@red-hat-konflux red-hat-konflux Bot closed this Jun 24, 2026
@red-hat-konflux red-hat-konflux Bot changed the title NO-ISSUE: Update github.com/openshift/hive/apis digest to 7c2c258 - autoclosed NO-ISSUE: Update github.com/openshift/hive/apis digest to 7c2c258 Jun 24, 2026
@red-hat-konflux red-hat-konflux Bot reopened this Jun 24, 2026
@red-hat-konflux red-hat-konflux Bot force-pushed the konflux/mintmaker/master/github.com-openshift-hive-apis-digest branch from 58aa1ce to f04817a Compare June 24, 2026 08:56
Signed-off-by: red-hat-konflux <126015336+red-hat-konflux[bot]@users.noreply.github.com>
@red-hat-konflux red-hat-konflux Bot force-pushed the konflux/mintmaker/master/github.com-openshift-hive-apis-digest branch from f04817a to 4943e2d Compare June 27, 2026 20:14
@red-hat-konflux red-hat-konflux Bot changed the title NO-ISSUE: Update github.com/openshift/hive/apis digest to 7c2c258 NO-ISSUE: Update github.com/openshift/hive/apis digest to 1653181 Jun 27, 2026

Labels

jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. size/XXL Denotes a PR that changes 1000+ lines, ignoring generated files.
