Skip to content

Update google.golang.org/genproto/googleapis/api digest to f0a9213#212

Open
red-hat-konflux-kflux-prd-rh02[bot] wants to merge 1 commit into
mainfrom
konflux/mintmaker/main/google.golang.org-genproto-googleapis-api-digest
Open

Update google.golang.org/genproto/googleapis/api digest to f0a9213#212
red-hat-konflux-kflux-prd-rh02[bot] wants to merge 1 commit into
mainfrom
konflux/mintmaker/main/google.golang.org-genproto-googleapis-api-digest

Conversation

@red-hat-konflux-kflux-prd-rh02

@red-hat-konflux-kflux-prd-rh02 red-hat-konflux-kflux-prd-rh02 Bot commented Jul 6, 2026

Copy link
Copy Markdown
Contributor

This PR contains the following updates:

Package Type Update Change
google.golang.org/genproto/googleapis/api indirect digest 9d38bb4f0a9213

Configuration

📅 Schedule: (UTC)

  • Branch creation
    • "on monday"
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

To execute skipped test pipelines write comment /ok-to-test.


Documentation

Find out how to configure dependency updates in MintMaker documentation or see all available configuration options in Renovate documentation.

@openshift-ci openshift-ci Bot requested review from ciaranRoche and jsell-rh July 6, 2026 04:02
@openshift-ci

openshift-ci Bot commented Jul 6, 2026

Copy link
Copy Markdown

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign rh-amarin for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci

openshift-ci Bot commented Jul 6, 2026

Copy link
Copy Markdown

Hi @red-hat-konflux-kflux-prd-rh02[bot]. Thanks for your PR.

I'm waiting for a openshift-hyperfleet member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work.

Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@coderabbitai

coderabbitai Bot commented Jul 6, 2026

Copy link
Copy Markdown
📝 Walkthrough

Summary by CodeRabbit

  • Chores
    • Updated several bundled dependencies to newer versions.
    • Removed a couple of unused dependencies from the project.
    • Kept other existing version pins unchanged.

Walkthrough

go.mod removes the indirect github.com/oapi-codegen/runtime and github.com/apapsch/go-jsonmerge/v2 requirements and updates indirect golang.org/x/crypto, golang.org/x/net, golang.org/x/sys, golang.org/x/text, google.golang.org/genproto/googleapis/api, and google.golang.org/genproto/googleapis/rpc versions. No exported or public entities changed. Supply-chain surface: verify the new module provenance and matching go.sum entries. CWE-1104.

Estimated code review effort: 1 (Trivial) | ~3 minutes

Suggested labels: dependencies, supply-chain, go.mod

Suggested reviewers: module-maintainers

🚥 Pre-merge checks | ✅ 11
✅ Passed checks (11 passed)
Check name Status Explanation
Title check ✅ Passed The title matches the main dependency digest update in the changeset.
Description check ✅ Passed The description is about the same dependency update and is relevant to the changeset.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
Sec-02: Secrets In Log Output ✅ Passed Only go.mod and go.sum changed; no slog/logr/zap/fmt.Print* code paths were added, so no secret-bearing log fields/interpolations.
No Hardcoded Secrets ✅ Passed Changed files are go.mod/go.sum only; additions are module versions and h1 checksums, with no apiKey/secret/token/password literals or embedded credentials.
No Weak Cryptography ✅ Passed PR only changes go.mod/go.sum; diff and repo scan show no crypto/md5, crypto/des, crypto/rc4, ECB, or unsafe secret comparisons introduced.
No Injection Vectors ✅ Passed PASS: Diff only updates go.mod/go.sum; no SQL/exec/template.HTML/yaml.Unmarshal changes, so no CWE-89/78/79/502 sink introduced.
No Privileged Containers ✅ Passed Only go.mod/go.sum changed; no Kubernetes/OpenShift manifests, Helm templates, or Dockerfiles were touched, and no privileged settings were present in the diff.
No Pii Or Sensitive Data In Logs ✅ Passed PASS: Diff only updates go.mod/go.sum; no logging statements or code paths changed, so no CWE-532 PII/log exposure surface.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch konflux/mintmaker/main/google.golang.org-genproto-googleapis-api-digest
✨ Simplify code
  • Create PR with simplified code
  • Commit simplified code in branch konflux/mintmaker/main/google.golang.org-genproto-googleapis-api-digest

Comment @coderabbitai help to get the list of available commands.

@rafabene

rafabene commented Jul 6, 2026

Copy link
Copy Markdown
Member

Closing — waiting for Go 1.26 bump (HYPERFLEET-1311). Renovate will recreate with proper go.sum after the bump.

@rafabene rafabene closed this Jul 6, 2026
@rafabene rafabene reopened this Jul 6, 2026
@rafabene

rafabene commented Jul 6, 2026

Copy link
Copy Markdown
Member

/ok-to-test

@hyperfleet-ci-bot

hyperfleet-ci-bot Bot commented Jul 6, 2026

Copy link
Copy Markdown

Risk Score: 0 — risk/low

Signal Detail Points
PR size 52 lines +0
Sensitive paths none +0

Computed by hyperfleet-risk-scorer

@red-hat-konflux-kflux-prd-rh02 red-hat-konflux-kflux-prd-rh02 Bot force-pushed the konflux/mintmaker/main/google.golang.org-genproto-googleapis-api-digest branch from 68a4dcc to 3a37454 Compare July 6, 2026 20:04
@rafabene

rafabene commented Jul 7, 2026

Copy link
Copy Markdown
Member

/retest

Signed-off-by: red-hat-konflux-kflux-prd-rh02 <190377777+red-hat-konflux-kflux-prd-rh02[bot]@users.noreply.github.com>
@red-hat-konflux-kflux-prd-rh02 red-hat-konflux-kflux-prd-rh02 Bot force-pushed the konflux/mintmaker/main/google.golang.org-genproto-googleapis-api-digest branch from 3a37454 to ebda401 Compare July 7, 2026 20:03
@red-hat-konflux-kflux-prd-rh02 red-hat-konflux-kflux-prd-rh02 Bot changed the title Update google.golang.org/genproto/googleapis/api digest to 925bb5d Update google.golang.org/genproto/googleapis/api digest to f0a9213 Jul 7, 2026
@red-hat-konflux-kflux-prd-rh02

Copy link
Copy Markdown
Contributor Author

ℹ️ Artifact update notice

File name: go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

  • 5 additional dependencies were updated

Details:

Package Change
golang.org/x/crypto v0.49.0 -> v0.51.0
golang.org/x/net v0.52.0 -> v0.55.0
golang.org/x/sys v0.42.0 -> v0.45.0
golang.org/x/text v0.35.0 -> v0.37.0
google.golang.org/genproto/googleapis/rpc v0.0.0-20260401024825-9d38bb4040a9 -> v0.0.0-20260630182238-925bb5da69e7

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@go.mod`:
- Line 128: Upgrade the indirect golang.org/x/crypto dependency in go.mod from
v0.51.0 to v0.52.0 or later and refresh go.sum so the module graph resolves to
the fixed release; keep the change scoped to the dependency entry and ensure any
related checksum updates are included.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Central YAML (base), Organization UI (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 9aa26284-7dae-4456-aff8-82343a9eac50

📥 Commits

Reviewing files that changed from the base of the PR and between 3a37454 and ebda401.

⛔ Files ignored due to path filters (1)
  • go.sum is excluded by !**/*.sum, !**/go.sum
📒 Files selected for processing (1)
  • go.mod
🔗 Linked repositories identified

CodeRabbit considers these linked repositories for cross-repo context during reviews:

Comment thread go.mod
go.yaml.in/yaml/v3 v3.0.4 // indirect
golang.org/x/crypto v0.49.0 // indirect
golang.org/x/net v0.52.0 // indirect
golang.org/x/crypto v0.51.0 // indirect

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🔒 Security & Privacy | 🔴 Critical | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

printf 'go.mod excerpt:\n'
nl -ba go.mod | sed -n '118,136p'

printf '\nGo crypto references:\n'
rg -n 'golang.org/x/crypto|golang.org/x/term|golang.org/x/sys' go.mod go.sum

Repository: openshift-hyperfleet/hyperfleet-sentinel

Length of output: 234


🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "go.mod excerpt:"
awk 'NR>=118 && NR<=136 { printf "%4d  %s\n", NR, $0 }' go.mod

echo
echo "go.sum references:"
rg -n 'golang.org/x/crypto|golang.org/x/term|golang.org/x/sys' go.sum go.mod || true

echo
echo "module graph entries for golang.org/x/crypto (if go is available):"
if command -v go >/dev/null 2>&1; then
  go list -m all 2>/dev/null | rg '^golang.org/x/crypto(\s|$)' || true
else
  echo "go command not available"
fi

Repository: openshift-hyperfleet/hyperfleet-sentinel

Length of output: 3160


🌐 Web query:

golang.org/x/crypto v0.51.0 vulnerability GO-2026 ssh agent advisories

💡 Result:

The version golang.org/x/crypto v0.51.0 is affected by multiple security vulnerabilities related to the ssh/agent package, which were addressed in version v0.52.0 [1]. Key security advisories affecting v0.51.0 include: 1. Pathological Input Panic: A vulnerability (CVE-2026-46598 / GO-2026-5033) exists where specifically crafted wire bytes can cause a client panic when creating an ed25519.PrivateKey [2][3][4]. 2. Dropped Agent Constraints: A vulnerability (CVE-2026-39832 / GO-2026-5006) occurs where constraint extensions (such as destination restrictions) are silently stripped when forwarding keys to a remote agent, potentially allowing unauthorized use of the key [5][6]. 3. Unenforced Confirmation Constraints: A vulnerability (CVE-2026-39833 / GO-2026-5005) exists where the in-memory keyring accepted but failed to enforce the ConfirmBeforeUse constraint, allowing keys to sign without the expected confirmation prompt [7][8]. These issues were resolved in golang.org/x/crypto v0.52.0, released on May 22, 2026 [9][1]. Users are advised to upgrade to v0.52.0 or later to mitigate these risks [1].

Citations:


Upgrade golang.org/x/crypto to v0.52.0 or later.
v0.51.0 is still in the module graph and is affected by CVE-2026-39833 / GO-2026-5005, CVE-2026-39832 / GO-2026-5006, and CVE-2026-46598 / GO-2026-5033. Refresh go.sum with the fixed release.

🧰 Tools
🪛 OSV Scanner (2.4.0)

[CRITICAL] 128-128: golang.org/x/crypto 0.51.0: Invoking key constraints not enforced in golang.org/x/crypto/ssh/agent

(GO-2026-5005)


[CRITICAL] 128-128: golang.org/x/crypto 0.51.0: Invoking agent constraints dropped when forwarding keys in golang.org/x/crypto/ssh/agent

(GO-2026-5006)


[CRITICAL] 128-128: golang.org/x/crypto 0.51.0: Invoking byte arithmetic causes underflow and panic in golang.org/x/crypto/ssh

(GO-2026-5013)


[CRITICAL] 128-128: golang.org/x/crypto 0.51.0: Invoking bypass of certificate restrictions in golang.org/x/crypto/ssh

(GO-2026-5014)


[CRITICAL] 128-128: golang.org/x/crypto 0.51.0: Invoking server panic during CheckHostKey/Authenticate in golang.org/x/crypto/ssh

(GO-2026-5015)


[CRITICAL] 128-128: golang.org/x/crypto 0.51.0: Invoking memory leak when rejecting channels can lead to DoS in golang.org/x/crypto/ssh

(GO-2026-5016)


[CRITICAL] 128-128: golang.org/x/crypto 0.51.0: Invoking client can cause server deadlock on unexpected responses in golang.org/x/crypto/ssh

(GO-2026-5017)


[CRITICAL] 128-128: golang.org/x/crypto 0.51.0: Invoking pathological RSA/DSA parameters may cause DoS in golang.org/x/crypto/ssh

(GO-2026-5018)


[CRITICAL] 128-128: golang.org/x/crypto 0.51.0: Invoking bypass of FIDO/U2F security keys physical interaction in golang.org/x/crypto/ssh

(GO-2026-5019)


[CRITICAL] 128-128: golang.org/x/crypto 0.51.0: Invoking infinite loop on large channel writes in golang.org/x/crypto/ssh

(GO-2026-5020)


[CRITICAL] 128-128: golang.org/x/crypto 0.51.0: Invoking auth bypass via unenforced @revoked status in golang.org/x/crypto/ssh/knownhosts

(GO-2026-5021)


[CRITICAL] 128-128: golang.org/x/crypto 0.51.0: Invoking VerifiedPublicKeyCallback permissions skip enforcement in golang.org/x/crypto/ssh

(GO-2026-5023)


[CRITICAL] 128-128: golang.org/x/crypto 0.51.0: Invoking pathological inputs can lead to client panic in golang.org/x/crypto/ssh/agent

(GO-2026-5033)


[CRITICAL] 128-128: golang.org/x/crypto 0.51.0: golang.org/x/crypto vulnerable to invoking bypass of certificate restrictions

(GHSA-45gg-vh54-h5m9)


[CRITICAL] 128-128: golang.org/x/crypto 0.51.0: golang.org/x/crypto vulnerable to auth bypass via unenforced @revoked status

(GHSA-5cgq-3rg8-m6cv)


[CRITICAL] 128-128: golang.org/x/crypto 0.51.0: golang.org/x/crypto is vulnerable to invoking server panic during CheckHostKey/Authenticate flow

(GHSA-78mq-xcr3-xm33)


[CRITICAL] 128-128: golang.org/x/crypto 0.51.0: golang.org/x/crypto: FIDO/U2F security key physical presence check can be bypassed

(GHSA-89gr-r52h-f8rx)


[CRITICAL] 128-128: golang.org/x/crypto 0.51.0: golang.org/x/crypto: Invoking pathological inputs can lead to client panic

(GHSA-9m57-25v3-79x9)


[CRITICAL] 128-128: golang.org/x/crypto 0.51.0: golang.org/x/crypto doesn't drop invoking agent constraints when forwarding keys

(GHSA-f5wc-c3c7-36mc)


[CRITICAL] 128-128: golang.org/x/crypto 0.51.0: golang.org/x/crypto doesn't enforce invoking key constraints

(GHSA-jppx-rxg9-jmrx)


[CRITICAL] 128-128: golang.org/x/crypto 0.51.0: golang.org/x/crypto: Invoking byte arithmetic causes underflow and panic

(GHSA-q4h4-gmj2-qvw2)


[CRITICAL] 128-128: golang.org/x/crypto 0.51.0: golang.org/x/crypto: Invoking memory leak when rejecting channels can lead to DoS

(GHSA-qpw4-5x99-6vjp)


[CRITICAL] 128-128: golang.org/x/crypto 0.51.0: golang.org/x/crypto vulnerable to infinite loop on large channel writes

(GHSA-rm3j-f69w-wqmq)


[CRITICAL] 128-128: golang.org/x/crypto 0.51.0: golang.org/x/crypto: Invoking client can cause server deadlock on unexpected responses

(GHSA-vgwf-h737-ff37)


[CRITICAL] 128-128: golang.org/x/crypto 0.51.0: golang.org/x/crypto: Invoking pathological RSA/DSA parameters may cause DoS

(GHSA-w879-237q-wc7r)


[CRITICAL] 128-128: golang.org/x/crypto 0.51.0: golang.org/x/crypto: Invoking VerifiedPublicKeyCallback permissions skip enforcement

(GHSA-x527-x647-q7gg)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@go.mod` at line 128, Upgrade the indirect golang.org/x/crypto dependency in
go.mod from v0.51.0 to v0.52.0 or later and refresh go.sum so the module graph
resolves to the fixed release; keep the change scoped to the dependency entry
and ensure any related checksum updates are included.

Sources: Path instructions, Linters/SAST tools

@openshift-ci

openshift-ci Bot commented Jul 7, 2026

Copy link
Copy Markdown

@red-hat-konflux-kflux-prd-rh02[bot]: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name Commit Details Required Rerun command
ci/prow/presubmits-integration ebda401 link true /test presubmits-integration
ci/prow/unit ebda401 link true /test unit
ci/prow/lint ebda401 link true /test lint

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant