Skip to content

[release-4.16] OCPBUGS-77299: go mod vendor for 4.16#2615

Open
fgallott wants to merge 6 commits intoopenshift:release-4.16from
fgallott:hermetic-4.16
Open

[release-4.16] OCPBUGS-77299: go mod vendor for 4.16#2615
fgallott wants to merge 6 commits intoopenshift:release-4.16from
fgallott:hermetic-4.16

Conversation

@fgallott
Copy link
Copy Markdown

@fgallott fgallott commented Mar 9, 2026
edited
Loading

ART can't build openshift-enterprise-hyperkube hermetically, versions openshift-4.16 backwards

The error is the following:

Error: PackageRejected: The content of the vendor directory is not consistent with go.mod. Please check the logs for more details.
  Please try running `go mod vendor` and committing the changes.
  Note that you may need to `git add --force` ignored files in the vendor/ dir.

successful build with these changes

@openshift-ci-robot openshift-ci-robot added backports/unvalidated-commits Indicates that not all commits come to merged upstream PRs. jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. jira/valid-bug Indicates that a referenced Jira bug is valid for the branch this PR is targeting. labels Mar 9, 2026
@openshift-ci-robot
Copy link
Copy Markdown

openshift-ci-robot commented Mar 9, 2026

@fgallott: This pull request references Jira Issue OCPBUGS-77299, which is valid. The bug has been moved to the POST state.

7 validation(s) were run on this bug
  • bug is open, matching expected state (open)
  • bug target version (4.16.z) matches configured target version for branch (4.16.z)
  • bug is in the state New, which is one of the valid states (NEW, ASSIGNED, POST)
  • release note type set to "Release Note Not Required"
  • dependent bug Jira Issue OCPBUGS-77300 is in the state Closed (Done), which is one of the valid states (VERIFIED, RELEASE PENDING, CLOSED (ERRATA), CLOSED (CURRENT RELEASE), CLOSED (DONE), CLOSED (DONE-ERRATA))
  • dependent Jira Issue OCPBUGS-77300 targets the "4.17.z" version, which is one of the valid target versions: 4.17.0, 4.17.z
  • bug has dependents

Requesting review from QA contact:
/cc @wangke19

The bug has been updated to refer to the pull request using the external bug tracker.

Details

In response to this:

ART can't build openshift-enterprise-hyperkube hermetically, versions openshift-4.16 backwards

The error is the following:

Error: PackageRejected: The content of the vendor directory is not consistent with go.mod. Please check the logs for more details.
 Please try running `go mod vendor` and committing the changes.
 Note that you may need to `git add --force` ignored files in the vendor/ dir.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@openshift-ci-robot
Copy link
Copy Markdown

openshift-ci-robot commented Mar 9, 2026

@fgallott: the contents of this pull request could not be automatically validated.

The following commits could not be validated and must be approved by a top-level approver:

Comment /validate-backports to re-evaluate validity of the upstream PRs, for example when they are merged upstream.

@openshift-ci openshift-ci bot requested a review from wangke19 March 9, 2026 14:00
@fgallott fgallott mentioned this pull request Mar 9, 2026
Open
@openshift-ci openshift-ci bot requested review from deads2k and tkashem March 9, 2026 14:02
@openshift-ci openshift-ci bot added the vendor-update Touching vendor dir or related files label Mar 9, 2026
@fgallott fgallott mentioned this pull request Mar 9, 2026
Open
@coderabbitai
Copy link
Copy Markdown

coderabbitai bot commented Mar 9, 2026
edited
Loading

Important

Review skipped

Auto reviews are disabled on base/target branches other than the default branch.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 3c03785f-33d4-4c01-8ab4-5b16e9f4084c

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

  • 🔍 Trigger review
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands and usage tips.

This was referenced Mar 9, 2026
Open
Open
@openshift-ci-robot
Copy link
Copy Markdown

openshift-ci-robot commented Mar 10, 2026

@fgallott: the contents of this pull request could not be automatically validated.

The following commits could not be validated and must be approved by a top-level approver:

Comment /validate-backports to re-evaluate validity of the upstream PRs, for example when they are merged upstream.

@fgallott
Copy link
Copy Markdown
Author

fgallott commented Mar 10, 2026

@bertinatto may you help me review this one? thank you!

@bertinatto
Copy link
Copy Markdown
Member

bertinatto commented Mar 11, 2026

@bertinatto may you help me review this one? thank you!

@fgallott there are several non-optional jobs failing.

We can't use go mod directly in this repo, we use the hack/update-vendor.sh script instead.

@openshift-ci-robot
Copy link
Copy Markdown

openshift-ci-robot commented Mar 12, 2026

@fgallott: the contents of this pull request could not be automatically validated.

The following commits could not be validated and must be approved by a top-level approver:

Comment /validate-backports to re-evaluate validity of the upstream PRs, for example when they are merged upstream.

@openshift-ci-robot
Copy link
Copy Markdown

openshift-ci-robot commented Mar 12, 2026

@fgallott: the contents of this pull request could not be automatically validated.

The following commits could not be validated and must be approved by a top-level approver:

Comment /validate-backports to re-evaluate validity of the upstream PRs, for example when they are merged upstream.

@fgallott fgallott marked this pull request as draft March 12, 2026 13:21
@openshift-ci openshift-ci bot added the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Mar 12, 2026
@openshift-ci-robot
Copy link
Copy Markdown

openshift-ci-robot commented Mar 12, 2026

@fgallott: the contents of this pull request could not be automatically validated.

The following commits could not be validated and must be approved by a top-level approver:

Comment /validate-backports to re-evaluate validity of the upstream PRs, for example when they are merged upstream.

@fgallott fgallott marked this pull request as ready for review March 12, 2026 13:24
@openshift-ci openshift-ci bot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Mar 12, 2026
@openshift-ci-robot
Copy link
Copy Markdown

openshift-ci-robot commented Mar 12, 2026

@fgallott: This pull request references Jira Issue OCPBUGS-77299, which is valid.

7 validation(s) were run on this bug
  • bug is open, matching expected state (open)
  • bug target version (4.16.z) matches configured target version for branch (4.16.z)
  • bug is in the state POST, which is one of the valid states (NEW, ASSIGNED, POST)
  • release note type set to "Release Note Not Required"
  • dependent bug Jira Issue OCPBUGS-77300 is in the state Closed (Done), which is one of the valid states (VERIFIED, RELEASE PENDING, CLOSED (ERRATA), CLOSED (CURRENT RELEASE), CLOSED (DONE), CLOSED (DONE-ERRATA))
  • dependent Jira Issue OCPBUGS-77300 targets the "4.17.z" version, which is one of the valid target versions: 4.17.0, 4.17.z
  • bug has dependents

Requesting review from QA contact:
/cc @wangke19

Details

In response to this:

ART can't build openshift-enterprise-hyperkube hermetically, versions openshift-4.16 backwards

The error is the following:

Error: PackageRejected: The content of the vendor directory is not consistent with go.mod. Please check the logs for more details.
 Please try running `go mod vendor` and committing the changes.
 Note that you may need to `git add --force` ignored files in the vendor/ dir.

Root Cause

On release-4.16, hack/update-vendor.sh replaces vendored staging modules (under vendor/k8s.io/) with symlinks pointing to ../../staging/src/k8s.io/. Hermetic builds require the vendor directory to be fully self-contained and do not follow symlinks that reference files outside vendor/.

This issue does not affect release-4.17+ because upstream Kubernetes switched from go mod vendor + staging symlinks to go work vendor (Go workspaces), which vendors staging modules as real files.

Fix

Modified hack/update-vendor.sh Phase 8 to copy staging components into vendor/ (cp -r) instead of symlinking them (ln -s). This makes the vendor directory self-contained and compatible with hermetic builds, while preserving identical build behavior since Go treats vendored symlinks and real files the same way.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@openshift-ci openshift-ci bot requested a review from bertinatto March 12, 2026 13:44
@openshift-ci-robot
Copy link
Copy Markdown

openshift-ci-robot commented Mar 27, 2026

@fgallott: the contents of this pull request could not be automatically validated.

The following commits could not be validated and must be approved by a top-level approver:

Comment /validate-backports to re-evaluate validity of the upstream PRs, for example when they are merged upstream.

@openshift-ci-robot
Copy link
Copy Markdown

openshift-ci-robot commented Mar 27, 2026

@fgallott: This pull request references Jira Issue OCPBUGS-77299, which is valid.

7 validation(s) were run on this bug
  • bug is open, matching expected state (open)
  • bug target version (4.16.z) matches configured target version for branch (4.16.z)
  • bug is in the state POST, which is one of the valid states (NEW, ASSIGNED, POST)
  • release note type set to "Release Note Not Required"
  • dependent bug Jira Issue OCPBUGS-77300 is in the state Closed (Done), which is one of the valid states (VERIFIED, RELEASE PENDING, CLOSED (ERRATA), CLOSED (CURRENT RELEASE), CLOSED (DONE), CLOSED (DONE-ERRATA))
  • dependent Jira Issue OCPBUGS-77300 targets the "4.17.z" version, which is one of the valid target versions: 4.17.0, 4.17.z
  • bug has dependents

Requesting review from QA contact:
/cc @wangke19

Details

In response to this:

ART can't build openshift-enterprise-hyperkube hermetically, versions openshift-4.16 backwards

The error is the following:

Error: PackageRejected: The content of the vendor directory is not consistent with go.mod. Please check the logs for more details.
 Please try running `go mod vendor` and committing the changes.
 Note that you may need to `git add --force` ignored files in the vendor/ dir.

successful build with these changes

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@fgallott fgallott marked this pull request as ready for review March 27, 2026 14:56
@openshift-ci openshift-ci bot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Mar 27, 2026
@openshift-ci openshift-ci bot requested a review from jerpeter1 March 27, 2026 14:57
@fgallott
UPSTREAM: <carry>: fix staging test discovery after hermetic vendor
d31f989 
rh-pre-commit.version: 2.3.2
rh-pre-commit.check-secrets: ENABLED
@openshift-ci-robot
Copy link
Copy Markdown

openshift-ci-robot commented Mar 27, 2026

@fgallott: the contents of this pull request could not be automatically validated.

The following commits could not be validated and must be approved by a top-level approver:

Comment /validate-backports to re-evaluate validity of the upstream PRs, for example when they are merged upstream.

@openshift-ci-robot
Copy link
Copy Markdown

openshift-ci-robot commented Mar 27, 2026

@fgallott: the contents of this pull request could not be automatically validated.

The following commits could not be validated and must be approved by a top-level approver:

Comment /validate-backports to re-evaluate validity of the upstream PRs, for example when they are merged upstream.

@openshift-ci
Copy link
Copy Markdown

openshift-ci bot commented Mar 27, 2026

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: fgallott
Once this PR has been reviewed and has the lgtm label, please assign bertinatto for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@fgallott
Copy link
Copy Markdown
Author

fgallott commented Mar 28, 2026

/test verify

@fgallott
UPSTREAM: <carry>: fix unit tests
46837a4 
rh-pre-commit.version: 2.3.2
rh-pre-commit.check-secrets: ENABLED
@openshift-ci-robot
Copy link
Copy Markdown

openshift-ci-robot commented Mar 29, 2026

@fgallott: the contents of this pull request could not be automatically validated.

The following commits could not be validated and must be approved by a top-level approver:

Comment /validate-backports to re-evaluate validity of the upstream PRs, for example when they are merged upstream.

@openshift-ci-robot
Copy link
Copy Markdown

openshift-ci-robot commented Mar 29, 2026

@fgallott: the contents of this pull request could not be automatically validated.

The following commits could not be validated and must be approved by a top-level approver:

Comment /validate-backports to re-evaluate validity of the upstream PRs, for example when they are merged upstream.

@openshift-ci-robot
Copy link
Copy Markdown

openshift-ci-robot commented Mar 29, 2026

@fgallott: the contents of this pull request could not be automatically validated.

The following commits could not be validated and must be approved by a top-level approver:

Comment /validate-backports to re-evaluate validity of the upstream PRs, for example when they are merged upstream.

@fgallott
UPSTREAM: <carry>: fix verify after hermetic vendor
a69a693 
rh-pre-commit.version: 2.3.2
rh-pre-commit.check-secrets: ENABLED
@openshift-ci-robot
Copy link
Copy Markdown

openshift-ci-robot commented Mar 30, 2026

@fgallott: the contents of this pull request could not be automatically validated.

The following commits could not be validated and must be approved by a top-level approver:

Comment /validate-backports to re-evaluate validity of the upstream PRs, for example when they are merged upstream.

@openshift-ci-robot
Copy link
Copy Markdown

openshift-ci-robot commented Mar 30, 2026

@fgallott: This pull request references Jira Issue OCPBUGS-77299, which is valid.

7 validation(s) were run on this bug
  • bug is open, matching expected state (open)
  • bug target version (4.16.z) matches configured target version for branch (4.16.z)
  • bug is in the state POST, which is one of the valid states (NEW, ASSIGNED, POST)
  • release note type set to "Release Note Not Required"
  • dependent bug Jira Issue OCPBUGS-77300 is in the state Closed (Done), which is one of the valid states (VERIFIED, RELEASE PENDING, CLOSED (ERRATA), CLOSED (CURRENT RELEASE), CLOSED (DONE), CLOSED (DONE-ERRATA))
  • dependent Jira Issue OCPBUGS-77300 targets the "4.17.z" version, which is one of the valid target versions: 4.17.0, 4.17.z
  • bug has dependents

Requesting review from QA contact:
/cc @wangke19

Details

In response to this:

ART can't build openshift-enterprise-hyperkube hermetically, versions openshift-4.16 backwards

The error is the following:

Error: PackageRejected: The content of the vendor directory is not consistent with go.mod. Please check the logs for more details.
 Please try running `go mod vendor` and committing the changes.
 Note that you may need to `git add --force` ignored files in the vendor/ dir.

successful build with these changes

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@fgallott
Copy link
Copy Markdown
Author

fgallott commented Mar 30, 2026

@bertinatto I fixed the tests, may you have a look now?

bertinatto
bertinatto reviewed Apr 10, 2026
View reviewed changes
Comment thread hack/update-codegen.sh Outdated

function codegen::informers() {
GO111MODULE=on GOPROXY=off go install \
GO111MODULE=on GOFLAGS=-mod=mod go install \
Copy link
Copy Markdown
Member

@bertinatto bertinatto Apr 10, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I believe it's safer to use -mod=readonly instead?

Copy link
Copy Markdown
Author

@fgallott fgallott Apr 13, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

good call, it should be indeed safer! I'll switch all of them to -mod=readonly

Copy link
Copy Markdown
Author

@fgallott fgallott Apr 14, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@bertinatto I've updated all the PRs

Comment thread hack/update-vendor.sh
# staging/src/k8s.io/<repo>. For hermetic builds the vendor directory must be
# exactly what `go mod vendor` produces (no symlinks, no extra files, and
# modules.txt must not be modified). The go mod vendor command already handles
# the staging replace directives in go.mod and vendors the imported packages.
Copy link
Copy Markdown
Member

@bertinatto bertinatto Apr 10, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It's not clear to me how you avoided the problem that the linking fixed. Do you mind explaining that?

Copy link
Copy Markdown
Member

@bertinatto bertinatto Apr 10, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Do I understand correctly that linking was done because go mod vendor doesn't copy files that were not directly imported, like test files?

Copy link
Copy Markdown
Author

@fgallott fgallott Apr 13, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

yes, you're right. the symlinks existed because go mod vendor only copies imported packages, but the codegen tools expect vendor/k8s.io/<repo> to contain the full source tree (including as you said test packages that aren't directly imported).

I'm not actually avoiding the problem, but simply moving the solution. The symlinks are removed from update-vendor.sh so the vendor directory stays clean for hermetic builds (Konflux requires vendor/ to match exactly what go mod vendor produces). And in update-codegen.sh the symlinks are temporarily recreated before codegen runs, then everything is restored via a trap on EXIT. This way the vendor directory is correct for builds, and codegen still has access to the full staging source trees when it needs them.

@openshift-ci-robot
Copy link
Copy Markdown

openshift-ci-robot commented Apr 13, 2026

@fgallott: the contents of this pull request could not be automatically validated.

The following commits could not be validated and must be approved by a top-level approver:

Comment /validate-backports to re-evaluate validity of the upstream PRs, for example when they are merged upstream.

@openshift-ci-robot
Copy link
Copy Markdown

openshift-ci-robot commented Apr 13, 2026

@fgallott: the contents of this pull request could not be automatically validated.

The following commits could not be validated and must be approved by a top-level approver:

Comment /validate-backports to re-evaluate validity of the upstream PRs, for example when they are merged upstream.

@fgallott
UPSTREAM: <carry>: switch to -mod=readonly
ee14eb4 
rh-pre-commit.version: 2.3.2
rh-pre-commit.check-secrets: ENABLED
@openshift-ci-robot
Copy link
Copy Markdown

openshift-ci-robot commented Apr 13, 2026

@fgallott: the contents of this pull request could not be automatically validated.

The following commits could not be validated and must be approved by a top-level approver:

Comment /validate-backports to re-evaluate validity of the upstream PRs, for example when they are merged upstream.

@openshift-ci
Copy link
Copy Markdown

openshift-ci bot commented Apr 13, 2026

@fgallott: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@bertinatto bertinatto bertinatto left review comments

@wangke19 wangke19 Awaiting requested review from wangke19

@deads2k deads2k Awaiting requested review from deads2k

@tkashem tkashem Awaiting requested review from tkashem

@jerpeter1 jerpeter1 Awaiting requested review from jerpeter1

Assignees

No one assigned

Labels

backports/unvalidated-commits Indicates that not all commits come to merged upstream PRs. jira/valid-bug Indicates that a referenced Jira bug is valid for the branch this PR is targeting. jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. vendor-update Touching vendor dir or related files

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@fgallott @openshift-ci-robot @bertinatto