NO-ISSUE: Update github.com/openshift/hive/apis digest to 1653181 #1016
red-hat-konflux[bot] wants to merge 1 commit into
@red-hat-konflux[bot]: This pull request explicitly references no jira issue.
In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.
Note: Reviews paused
It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the
Walkthrough
go.mod updates the
Changes
Dependency Update
Estimated code review effort: 🎯 2 (Simple) | ⏱️ ~10 minutes
🚥 Pre-merge checks | ✅ 14 | ❌ 1
❌ Failed checks (1 warning)
✅ Passed checks (14 passed)
[APPROVALNOTIFIER] This PR is NOT APPROVED
This pull-request has been approved by: red-hat-konflux[bot]
The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing

Hi @red-hat-konflux[bot]. Thanks for your PR.
I'm waiting for an openshift member to verify that this patch is reasonable to test. If it is, they should reply with Regular contributors should join the org to skip this step.
Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here.
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.
7aca07b to e5ef206
ℹ️ Artifact update notice
File name: go.mod
In order to perform the update(s) described in the table above, Renovate ran the
Details:
Actionable comments posted: 1
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@go.mod`:
- Line 18: The PR is missing SBOM/provenance attestations and Sigstore/cosign
signing evidence for the go.mod dependency bumps (modules
github.com/openshift/hive/apis, golang.org/x/net, golang.org/x/sys); update the
CI pipeline to generate and upload an SBOM (e.g., using syft or cyclonedx),
produce provenance attestation (in-toto/slsa or chef/rekor attestation) and sign
the build artifacts with cosign, then attach the CI/build logs or public
artifact links in the PR description showing the SBOM, attestation, and cosign
signature verification for the release artifacts created with these module
updates and reference those artifacts in the PR comment.
ℹ️ Review info
⚙️ Run configuration
Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml
Review profile: CHILL
Plan: Enterprise
Run ID: 4a015993-de4d-4871-b826-37929e65246d
⛔ Files ignored due to path filters (82)
📒 Files selected for processing (1)
go.mod
| github.com/openshift/cluster-api-provider-agent/api v0.0.0-20251202202927-3ad4558809a2 | ||
| github.com/openshift/custom-resource-status v1.1.3-0.20220503160415-f2fdb4999d87 | ||
| github.com/openshift/hive/apis v0.0.0-20260527211446-a455a02f440e | ||
| github.com/openshift/hive/apis v0.0.0-20260529195552-db81e46ad42b |
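Review bot: The replacement `github.com/openshift/hive/apis` line pins pseudo-version `v0.0.0-20260529195552-db81e46ad42b`, whose commit suffix `db81e46ad42b` does not match the digest `1653181` named in the PR title and in the `a455a02→1653181` update summary. The suffix on the line being replaced, `a455a02f440e`, does match the summary's starting digest, so this diff appears to come from an earlier revision of the branch. Before merging, confirm that the go.mod line at the PR head carries the `1653181` commit, and rerun the OSV and proxy.golang.org lookups against that pseudo-version rather than the one shown here.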
🧩 Analysis chain
🏁 Script executed:
#!/bin/bash
set -euo pipefail
# Verify vulnerability status in OSV for exact versions.
curl -s https://api.osv.dev/v1/querybatch -H 'content-type: application/json' -d '{
"queries": [
{"package":{"ecosystem":"Go","name":"golang.org/x/net"},"version":"v0.55.0"},
{"package":{"ecosystem":"Go","name":"golang.org/x/sys"},"version":"v0.45.0"}
]
}' | jq .
# Verify the openshift/hive/apis pseudo-version resolves to a real module version.
curl -s "https://proxy.golang.org/github.com/openshift/hive/apis/@v/v0.0.0-20260529195552-db81e46ad42b.info" | jq .
# (Optional but recommended) keep as PR evidence:
# - URL/command output proving SBOM + provenance attestation generation in CI
# - Artifact signing proof (Sigstore/cosign) for release artifacts
Repository: openshift/cluster-api-provider-agent
Length of output: 368
🏁 Script executed:
#!/bin/bash
set -euo pipefail
# 1) Show the referenced go.mod lines to confirm exact versions
echo "== go.mod lines 1-140 (to locate 18,110,113) =="
nl -ba go.mod | sed -n '1,140p'
# 2) OSV query with more explicit extraction of each result
echo "== OSV query results =="
OSV_PAYLOAD='{
"queries": [
{"package":{"ecosystem":"Go","name":"golang.org/x/net"},"version":"v0.55.0"},
{"package":{"ecosystem":"Go","name":"golang.org/x/sys"},"version":"v0.45.0"}
]
}'
curl -s https://api.osv.dev/v1/querybatch \
-H 'content-type: application/json' \
-d "$OSV_PAYLOAD" | jq '{results:[.results[]|{raw:.}]}'
# Also print only vulns arrays (if present)
curl -s https://api.osv.dev/v1/querybatch \
-H 'content-type: application/json' \
-d "$OSV_PAYLOAD" | jq '.results[] | {vulns:(.vulns // null), keys:(keys)}'
# 3) Verify the exact versions exist in the Go module proxy (non-yanked check via existence)
echo "== Go proxy @v/v.info lookups =="
for mod in "golang.org/x/net" "golang.org/x/sys" "github.com/openshift/hive/apis"; do
for ver in "v0.55.0" "v0.45.0"; do
:
done
done
curl -s "https://proxy.golang.org/golang.org/x/net/@v/v0.55.0.info" | jq .
curl -s "https://proxy.golang.org/golang.org/x/sys/@v/v0.45.0.info" | jq .
curl -s "https://proxy.golang.org/github.com/openshift/hive/apis/@v/v0.0.0-20260529195552-db81e46ad42b.info" | jq .
Repository: openshift/cluster-api-provider-agent
Length of output: 189
🏁 Script executed:
#!/bin/bash
set -euo pipefail
# 1) Show go.mod with line numbers (nl not available)
echo "== go.mod lines 1-160 =="
awk '{printf "%4d\t%s\n", NR, $0}' go.mod | sed -n '1,160p'
# 2) OSV query with explicit extraction of each result
echo "== OSV query results =="
OSV_PAYLOAD='{
"queries": [
{"package":{"ecosystem":"Go","name":"golang.org/x/net"},"version":"v0.55.0"},
{"package":{"ecosystem":"Go","name":"golang.org/x/sys"},"version":"v0.45.0"}
]
}'
curl -s https://api.osv.dev/v1/querybatch \
-H 'content-type: application/json' \
-d "$OSV_PAYLOAD" | jq '.results'
# Print only vulns presence/length (null-safe)
curl -s https://api.osv.dev/v1/querybatch \
-H 'content-type: application/json' \
-d "$OSV_PAYLOAD" | jq '
.results[]
| {package: (.package // null), vulns_count: ((.vulns // [])|length), vulns: (.vulns // [])}
'
# 3) Verify versions exist in Go module proxy (existence check)
echo "== Go proxy @v/v.info lookups =="
curl -s "https://proxy.golang.org/golang.org/x/net/@v/v0.55.0.info" | jq .
curl -s "https://proxy.golang.org/golang.org/x/sys/@v/v0.45.0.info" | jq .
curl -s "https://proxy.golang.org/github.com/openshift/hive/apis/@v/v0.0.0-20260529195552-db81e46ad42b.info" | jq .
Repository: openshift/cluster-api-provider-agent
Length of output: 8183
🏁 Script executed:
#!/bin/bash
set -euo pipefail
payload='{
"queries": [
{"package":{"ecosystem":"Go","name":"github.com/openshift/hive/apis"},"version":"v0.0.0-20260529195552-db81e46ad42b"},
{"package":{"ecosystem":"Go","name":"golang.org/x/net"},"version":"v0.55.0"},
{"package":{"ecosystem":"Go","name":"golang.org/x/sys"},"version":"v0.45.0"}
]
}'
curl -s https://api.osv.dev/v1/querybatch -H 'content-type: application/json' -d "$payload" \
| jq '.results[] | {package: .package, vulns_count: ((.vulns // [])|length)}'
# Evidence that the exact versions resolve in proxy.golang.org
curl -s "https://proxy.golang.org/github.com/openshift/hive/apis/@v/v0.0.0-20260529195552-db81e46ad42b.info" | jq .
curl -s "https://proxy.golang.org/golang.org/x/net/@v/v0.55.0.info" | jq .
curl -s "https://proxy.golang.org/golang.org/x/sys/@v/v0.45.0.info" | jq .
Repository: openshift/cluster-api-provider-agent
Length of output: 918
Provide SBOM/provenance attestation and Sigstore/cosign signing evidence for the go.mod dependency bumps (go.mod lines 18, 110, 113).
- OSV/CVE check for:
  - github.com/openshift/hive/apis v0.0.0-20260529195552-db81e46ad42b
  - golang.org/x/net v0.55.0
  - golang.org/x/sys v0.45.0

  returns `vulns_count: 0`, and each version resolves via `proxy.golang.org ...@v/v.info`.
- Still required: attach the CI/build output or links proving SBOM + provenance (attestations) are generated, and artifact signing proof (Sigstore/cosign) for the release artifacts produced with these updated modules.
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In `@go.mod` at line 18, The PR is missing SBOM/provenance attestations and
Sigstore/cosign signing evidence for the go.mod dependency bumps (modules
github.com/openshift/hive/apis, golang.org/x/net, golang.org/x/sys); update the
CI pipeline to generate and upload an SBOM (e.g., using syft or cyclonedx),
produce provenance attestation (in-toto/slsa or chef/rekor attestation) and sign
the build artifacts with cosign, then attach the CI/build logs or public
artifact links in the PR description showing the SBOM, attestation, and cosign
signature verification for the release artifacts created with these module
updates and reference those artifacts in the PR comment.
190c0cc to ca9fc9f
ca9fc9f to 4542392
518b476 to 4542392
4542392 to 518b476
518b476 to 58aa1ce
58aa1ce to f04817a
Signed-off-by: red-hat-konflux <126015336+red-hat-konflux[bot]@users.noreply.github.com>
f04817a to 4943e2d
This PR contains the following updates:
a455a02 → 1653181
Warning
Some dependencies could not be looked up. Check the warning logs for more information.
Configuration
📅 Schedule: (in timezone America/New_York)
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
To execute skipped test pipelines write comment `/ok-to-test`.
Documentation
Find out how to configure dependency updates in MintMaker documentation or see all available configuration options in Renovate documentation.