Bump the go-minor-patch group across 1 directory with 10 updates

[dependabot]

Bumps the go-minor-patch group with 7 updates in the / directory:

Package	From	To
github.com/go-logr/logr	1.4.2	1.4.3
github.com/prometheus/client_golang	1.19.1	1.23.2
go.uber.org/zap	1.26.0	1.28.0
google.golang.org/grpc	1.68.1	1.81.1
k8s.io/api	0.31.4	0.36.1
k8s.io/client-go	0.31.4	0.36.1
sigs.k8s.io/controller-runtime	0.19.4	0.24.1

Updates github.com/go-logr/logr from 1.4.2 to 1.4.3

Release notes

Sourced from github.com/go-logr/logr's releases.

v1.4.3

Minor release.

What's Changed

• Fix slog tests for 1.25 by @​hoeppi-google in go-logr/logr#361
• Remove one exception from Slog testing by @​thockin in go-logr/logr#362

New Contributors

• @​hoeppi-google made their first contribution in go-logr/logr#361

Full Changelog: go-logr/logr@v1.4.2...v1.4.3

Commits

• 38a1c47 build(deps): bump github/codeql-action from 3.28.17 to 3.28.18
• f08bedd build(deps): bump actions/setup-go from 5.4.0 to 5.5.0
• 6295e99 build(deps): bump golangci/golangci-lint-action from 7.0.0 to 8.0.0
• 028840d build(deps): bump github/codeql-action from 3.28.15 to 3.28.17
• 511e5fa Merge pull request #367 from go-logr/dependabot/github_actions/github/codeql-...
• d806463 build(deps): bump github/codeql-action from 3.28.13 to 3.28.15
• 158c311 Merge pull request #366 from thockin/master
• c79ddb3 Update to support golangci-lint v2
• 20a64ba build(deps): bump github/codeql-action from 3.28.12 to 3.28.13
• 0385e14 Add comments around slog exceptions
• Additional commits viewable in compare view

Updates github.com/prometheus/client_golang from 1.19.1 to 1.23.2

Release notes

Sourced from github.com/prometheus/client_golang's releases.

v1.23.2 - 2025-09-05

This release is made to upgrade to prometheus/common v0.66.1, which drops the dependencies github.com/grafana/regexp and go.uber.org/atomic and replaces gopkg.in/yaml.v2 with go.yaml.in/yaml/v2 (a drop-in replacement). There are no functional changes.

• [release-1.23] Upgrade to prometheus/common@v0.66.1 by @​aknuds1 in prometheus/client_golang#1869
• [release-1.23] Cut v1.23.2 by @​aknuds1 in prometheus/client_golang#1870

Full Changelog: prometheus/client_golang@v1.23.1...v1.23.2

v1.23.1 - 2025-09-04

This release is made to be compatible with a backwards incompatible API change in prometheus/common v0.66.0. There are no functional changes.

• [release-1.23] Upgrade to prometheus/common v0.66 by @​aknuds1 in prometheus/client_golang#1866
• [release-1.23] Cut v1.23.1 by @​aknuds1 in prometheus/client_golang#1867

Full Changelog: prometheus/client_golang@v1.23.0...v1.23.1

v1.23.0 - 2025-07-30

• [CHANGE] Minimum required Go version is now 1.23, only the two latest Go versions are supported from now on. #1812
• [FEATURE] Add WrapCollectorWith and WrapCollectorWithPrefix #1766
• [FEATURE] Add exemplars for native histograms #1686
• [ENHANCEMENT] exp/api: Bubble up status code from writeResponse #1823
• [ENHANCEMENT] collector/go: Update runtime metrics for Go v1.23 and v1.24 #1833
• [BUGFIX] exp/api: client prompt return on context cancellation #1729

... (truncated)

Changelog

Sourced from github.com/prometheus/client_golang's changelog.

1.23.2 / 2025-09-05

This release is made to upgrade to prometheus/common v0.66.1, which drops the dependencies github.com/grafana/regexp and go.uber.org/atomic and replaces gopkg.in/yaml.v2 with go.yaml.in/yaml/v2 (a drop-in replacement). There are no functional changes.

1.23.1 / 2025-09-04

This release is made to be compatible with a backwards incompatible API change in prometheus/common v0.66.0. There are no functional changes.

1.23.0 / 2025-07-30

• [CHANGE] Minimum required Go version is now 1.23, only the two latest Go versions are supported from now on. #1812
• [FEATURE] Add WrapCollectorWith and WrapCollectorWithPrefix #1766
• [FEATURE] Add exemplars for native histograms #1686
• [ENHANCEMENT] exp/api: Bubble up status code from writeResponse #1823
• [ENHANCEMENT] collector/go: Update runtime metrics for Go v1.23 and v1.24 #1833
• [BUGFIX] exp/api: client prompt return on context cancellation #1729

1.22.0 / 2025-04-07

⚠️ This release contains potential breaking change if you use experimental zstd support introduce in #1496 ⚠️

Experimental support for zstd on scrape was added, controlled by the request Accept-Encoding header. It was enabled by default since version 1.20, but now you need to add a blank import to enable it. The decision to make it opt-in by default was originally made because the Go standard library was expected to have default zstd support added soon, golang/go#62513 however, the work took longer than anticipated and it will be postponed to upcoming major Go versions.

e.g.:

import (
  _ "github.com/prometheus/client_golang/prometheus/promhttp/zstd"
)

• [FEATURE] prometheus: Add new CollectorFunc utility #1724
• [CHANGE] Minimum required Go version is now 1.22 (we also test client_golang against latest go version - 1.24) #1738
• [FEATURE] api: WithLookbackDelta and WithStats options have been added to API client. #1743
• [CHANGE] ⚠️ promhttp: Isolate zstd support and klauspost/compress library use to promhttp/zstd package. #1765

1.21.1 / 2025-03-04

• [BUGFIX] prometheus: Revert of Inc, Add and Observe cumulative metric CAS optimizations (#1661), causing regressions on low contention cases.
• [BUGFIX] prometheus: Fix GOOS=ios build, broken due to process_collector_* wrong build tags.

1.21.0 / 2025-02-17

⚠️ This release contains potential breaking change if you upgrade github.com/prometheus/common to 0.62+ together with client_golang. ⚠️

... (truncated)

Commits

• 8179a56 Cut v1.23.2 (#1870)
• 4142b59 Merge pull request #1869 from prometheus/arve/upgrade-common
• 4ff40f0 Cut v1.23.1 (#1867)
• 989b029 Upgrade to prometheus/common v0.66 (#1866)
• e4b2208 Cut v1.23.0 (#1848)
• d9492af cut v1.23.0-rc.1 (#1842)
• aeae8a0 Cut v1.23.0-rc.0 (#1837)
• b157309 Update common Prometheus files (#1832)
• a704e28 build(deps): bump the github-actions group with 3 updates (#1826)
• c774311 Fix errNotImplemented reference (#1835)
• Additional commits viewable in compare view

Updates go.uber.org/zap from 1.26.0 to 1.28.0

Release notes

Sourced from go.uber.org/zap's releases.

v1.28.0

Enhancements:

• #1534[]: Add zapcore.CheckPreWriteHook and CheckedEntry.Before method for transforming entries before they are written to any Cores.

#1534: uber-go/zap#1534

v1.27.1

Enhancements:

• #1501[]: prevent Object from panicking on nils
• #1511[]: Fix a race condition in WithLazy.

Thanks to @​rabbbit, @​alshopov, @​jquirke, @​arukiidou for their contributions to this release.

#1501: uber-go/zap#1501 #1511: uber-go/zap#1511

v1.27.0

Enhancements:

• #1378[]: Add WithLazy method for SugaredLogger.
• #1399[]: zaptest: Add NewTestingWriter for customizing TestingWriter with more flexibility than NewLogger.
• #1406[]: Add Log, Logw, Logln methods for SugaredLogger.
• #1416[]: Add WithPanicHook option for testing panic logs.

Thanks to @​defval, @​dimmo, @​arxeiss, and @​MKrupauskas for their contributions to this release.

#1378: uber-go/zap#1378 #1399: uber-go/zap#1399 #1406: uber-go/zap#1406 #1416: uber-go/zap#1416

Changelog

Sourced from go.uber.org/zap's changelog.

1.28.0 (27 Apr 2026)

Enhancements:

• #1534[]: Add zapcore.CheckPreWriteHook and CheckedEntry.Before method for transforming entries before they are written to any Cores.

1.27.1 (19 Nov 2025)

Enhancements:

• #1501[]: prevent Object from panicking on nils
• #1511[]: Fix a race condition in WithLazy.

Thanks to @​rabbbit, @​alshopov, @​jquirke, @​arukiidou for their contributions to this release.

#1501: uber-go/zap#1501 #1511: uber-go/zap#1511

1.27.0 (20 Feb 2024)

Enhancements:

• #1378[]: Add WithLazy method for SugaredLogger.
• #1399[]: zaptest: Add NewTestingWriter for customizing TestingWriter with more flexibility than NewLogger.
• #1406[]: Add Log, Logw, Logln methods for SugaredLogger.
• #1416[]: Add WithPanicHook option for testing panic logs.

Thanks to @​defval, @​dimmo, @​arxeiss, and @​MKrupauskas for their contributions to this release.

#1378: uber-go/zap#1378 #1399: uber-go/zap#1399 #1406: uber-go/zap#1406 #1416: uber-go/zap#1416

Commits

• 5b81b37 release v1.28.0 (#1547)
• 0ab0d5a zapcore: Add PreWriteHook for transforming entries before write (#1534)
• d278c59 [chore] CI: test on Go 1.26 (#1535)
• 16fb16b chore(dep): replace archived gopkg.in/yaml.v3 with officially maintained go.y...
• 7b755a3 release 1.27.1 (#1521)
• d6b395b Update lazy logger not to materialize unless it's being written to (#1519)
• 4b9cea0 ci: Test with Go 1.24, Go 1.25 (#1508)
• 7c80d7b Fix race condition in WithLazy implementation (#1426) (#1511)
• 07077a6 Prevent zap.Object from panicing on nils (#1501)
• a6afd05 Fix lint check name (#1502)
• Additional commits viewable in compare view

Updates google.golang.org/grpc from 1.68.1 to 1.81.1

Release notes

Sourced from google.golang.org/grpc's releases.

Release 1.81.1

Security

• xds/rbac: Fix a potential authorization bypass caused by incorrectly falling through URI/DNS SANs to Subject Distinguished Name (DN) when matching the authenticated principal name. With this fix, only the first non-empty identity source will be used, as per gRFC A41. (#9111)
  • Special Thanks: @​al4an444

Bug Fixes

• otel: Segregate client and server RPC information used for metrics and traces, to avoid one overwriting the other. (#9081)

Release 1.81.0

Behavior Changes

• balancer/rls: Switch gauge metrics to asynchronous emission (once per collection cycle) to reduce telemetry noise and align with other gRPC language implementations. (#8808)

Dependencies

• Minimum supported Go version is now 1.25. (#8969)

Bug Fixes

• xds: Use the leaf cluster's security config for the TLS handshake instead of the aggregate cluster's config. (#8956)
• transport: Send a RST_STREAM when receiving an END_STREAM when the stream is not already half-closed. (#8832)
• xds: Fix ADS resource name validation to prevent a panic. (#8970)

New Features

• grpc/stats: Add support for custom labels in per-call metrics (gRFC A108). (#9008)
• xds: Add support for Server Name Indication (SNI) and SAN validation (gRFC A101). Disabled by default. To enable, set GRPC_EXPERIMENTAL_XDS_SNI=true environment variable. (#9016)
• xds: Add support to control which fields get propagated from ORCA backend metric reports to LRS load reports (gRFC A85). Disabled by default. To enable, set GRPC_EXPERIMENTAL_XDS_ORCA_LRS_PROPAGATION=true. (#9005)
• xds: Add metrics to track xDS client connectivity and cached resource state (gRFC A78). (#8807)
• stats/otel: Enhance grpc.subchannel.disconnections metric by adding disconnection reason to the grpc.disconnect_error label (gRFC A94). This provides granular insights into why subchannels are closing. (#8973)
• mem: Add mem.Buffer.Slice() API to slice the buffer like a slice. (#8977)
  • Special Thanks: @​ash2k

Performance Improvements

• alts: Pool read buffers to lower memory utilization when sockets are unreadable. (#8964)
• transport: Pool HTTP/2 framer read buffers to reduce idle memory consumption. Currently limited to Linux for ALTS and non-encrypted transports (TCP, Unix). To disable, set GRPC_GO_EXPERIMENTAL_HTTP_FRAMER_READ_BUFFER_POOLING=false and report any issues. (#9032)

Release 1.80.0

Behavior Changes

• balancer: log a warning if a balancer is registered with uppercase letters, as balancer names should be lowercase. In a future release, balancer names will be treated as case-insensitive; see #5288 for details. (#8837)
• xds: update resource error handling and re-resolution logic (#8907)
  • Re-resolve all LOGICAL_DNS clusters simultaneously when re-resolution is requested.
  • Fail all in-flight RPCs immediately upon receipt of listener or route resource errors, instead of allowing them to complete.

Bug Fixes

... (truncated)

Commits

• caf0772 Change version from 1.81.1-dev to 1.81.1 (#9122)
• 6ccbeeb Cherry-pick #9111 into v1.81.x (#9121)
• b33c29e Cherry-pick #9081 into v1.81.x (#9102)
• c45fae6 Change version to 1.81.1-dev (#9063)
• cb18228 Change version to 1.81.0 (#9062)
• 96748f9 Cherry-pick #9105 to 1.81.x (#9106)
• 9183222 Cherry pick #9055, #9032 to v1.81.x (#9095)
• 5cba6da Revert "deps: update dependencies for all modules (#9065)" (#9067)
• af8a936 deps: update dependencies for all modules (#9065)
• cdc60df transport: optimize heap allocations in ready reader and update syscall conne...
• Additional commits viewable in compare view

Updates google.golang.org/protobuf from 1.36.5 to 1.36.11

Updates k8s.io/api from 0.31.4 to 0.36.1

Commits

• 25001c8 Update dependencies to v0.36.1 tag
• 879d396 Merge remote-tracking branch 'origin/master' into release-1.36
• 030d81f Update github.com/moby/spdystream from v0.5.0 to v0.5.1
• aef6eb6 Add granular authorization for DRA ResourceClaim status updates
• 91061ea Merge pull request #136589 from tosi3k/preemption-mode
• e6b81e2 Add Workload-Aware Preemption fields to Workload and PodGroup APIs
• f8fce2e Merge pull request #136989 from nojnhuh/podgroup-resourceclaim
• b928f5e Workload API: PodGroup ResourceClaims (KEP-5729)
• 61bd78e Merge pull request #137190 from everpeace/KEP-5491-alpha
• 6bf46eb Merge pull request #137028 from nmn3m/feature/dra-resource-pool-status
• Additional commits viewable in compare view

Updates k8s.io/apimachinery from 0.31.4 to 0.36.1

Commits

• 7af103a Update dependencies to v0.36.1 tag
• efb7f26 Merge remote-tracking branch 'origin/master' into release-1.36
• d966e56 Update github.com/moby/spdystream from v0.5.0 to v0.5.1
• 79b3632 Merge pull request #137864 from yongruilin/dv-dra-mismatch
• a8822f7 Add slice and map union member support with tests
• 7dba2d0 Use IsZero instead of IsNil for union ratcheting check
• d95710f Fix union validation ratcheting when oldObj is nil
• 729062d Merge pull request #137849 from bryantbiggs/deps/update-kube-openapi
• 13b12e6 dependencies: bump kube-openapi to drop ginkgo/gomega indirect deps
• 27f4670 Merge pull request #136657 from Jefftree/sharding-test
• Additional commits viewable in compare view

Updates k8s.io/client-go from 0.31.4 to 0.36.1

Commits

• 55ef15a Update dependencies to v0.36.1 tag
• f22a53e Merge remote-tracking branch 'origin/master' into release-1.36
• a948641 Update github.com/moby/spdystream from v0.5.0 to v0.5.1
• 7e44ffc Add Workload-Aware Preemption fields to Workload and PodGroup APIs
• df2d882 Merge pull request #136989 from nojnhuh/podgroup-resourceclaim
• 4eece52 Workload API: PodGroup ResourceClaims (KEP-5729)
• 3d35c51 Merge pull request #137190 from everpeace/KEP-5491-alpha
• 0434117 Merge pull request #137028 from nmn3m/feature/dra-resource-pool-status
• ba785be Drop CSR analogy, mark ObjectMeta +required,reduce limits (maxItems=500, maxL...
• 4a9c878 Add ResourcePoolStatusRequest API types and generated code
• Additional commits viewable in compare view

Updates sigs.k8s.io/controller-runtime from 0.19.4 to 0.24.1

Release notes

Sourced from sigs.k8s.io/controller-runtime's releases.

v0.24.1

What's Changed

• [release-0.24] 🐛 Fix regression in Apply typed error handling by @​k8s-infra-cherrypick-robot in kubernetes-sigs/controller-runtime#3516

Full Changelog: kubernetes-sigs/controller-runtime@v0.24.0...v0.24.1

v0.24.0

⚠️ Breaking Changes

• Dependencies: Update to k8s.io/* v1.36 (#3506 #3462 #3486 #3450)

🐛 Bug Fixes

• Cache: Fix IndexField blocking until informer is synced (#3445)
• Cache: Wait for cache sync when ReaderFailOnMissingInformer is true (#3425)
• Client: Update typed ApplyConfigurations with server response (#3475)
• Fakeclient: Fix SSA status patch resource version check (#3443)
• Fakeclient: Fix panic when using CRs with embedded pointer structs (#3431)
• Fakeclient: Fix status apply if existing object has managedFields set (#3430)
• Fakeclient: Retry GenerateName on AlreadyExists collisions (#3498)
• HTTP servers: Wire up base context into http servers (#3452)

🌱 Others

• Builder/Webhooks: Remove deprecated custom path function (#3465)
• Cache: Test cache reader waits for cache sync (#3434)
• Certwatcher: Deflake certwatcher tests (#3457)
• Dependencies: Use forked version of btree (#3449)
• Envtest: Ensure envtest stops the whole process group (#3447)
• Logging: Add missing space in zap-log-level flag description (#3492)
• Misc: Adopt new(x) over ptr.To(x) and re-enable newexpr lint (#3489)
• Owners: Cleanup (#3453)
• Recorder: Add logger into context for structured logging (#3454)
• Recorder: Switch to StartLogging for event debug logs (#3451)
• Scheme: Deprecate the scheme builder (#3461)
• Source/Kind: Improve logging for dynamic type kind source (#3494)
• Webhooks: Reduce memory usage of default webhooks (#3463 #3468)

🌱 CI & linters

• Chore: Update golangci-lint version to v2.8.0 (#3448)
• Chore: Update golangci-lint version to v2.10.1 (#3470)
• Chore: Update golangci-lint version to v2.11.3 (#3482)
• Migrate away from custom GitHub action approval workflow (#3491)
• Release: Auto-create git tags for the tools/setup-envtest submodule (#3476)

📖 Additionally, there has been 1 contribution to our documentation. (#3477)

Dependencies

... (truncated)

Commits

• 3be3f1b Merge pull request #3516 from k8s-infra-cherrypick-robot/cherry-pick-3515-to-...
• 0f7b33d Fix regression in Apply typed error handling
• d3eaef3 Merge pull request #3475 from alvaroaleman/fixfix
• 3296f32 🐛 Update typed Applyconfigurations with server response
• c8b4b9d Merge pull request #3506 from troy0820/troy0820/update-deps-k8s
• 557c314 update to k8s.io v1.36.0
• e4a998c Merge pull request #3499 from kubernetes-sigs/dependabot/github_actions/all-g...
• 1a31c56 Merge pull request #3498 from vieux/fix-fake-client-generatename-retry
• 80bc294 fakeclient: retry GenerateName on AlreadyExists collisions (match K8s 1.32 be...
• 77b730a 🌱 Bump the all-github-actions group with 2 updates
• Additional commits viewable in compare view

Updates sigs.k8s.io/yaml from 1.4.0 to 1.6.0

Release notes

Sourced from sigs.k8s.io/yaml's releases.

v1.6.0

What's Changed

• Add "kyaml" support and yamlfmt by @​thockin in kubernetes-sigs/yaml#132

v1.5.0

• Bugfix: Handle unhashable keys during merge (kubernetes-sigs/yaml#122)
• Improvement: wrap errors returned by JSON unmarshal (kubernetes-sigs/yaml#106)
• Deprecation: Deprecate code in goyaml.v2 and goyaml.v3 directories, and redirect to equivalents in go.yaml.in/yaml/v2 and go.yaml.in/yaml/v3 (kubernetes-sigs/yaml#133)

Full Changelog: kubernetes-sigs/yaml@v1.4.0...v1.5.0

Commits

• 048d724 Merge pull request #132 from thockin/master
• 23c836c Bolster tests, mostly in error-handling
• 2e3340b Add compact output tests
• 4a4f539 Add test case for tabs in multi-line strings
• 13509ad Change which methods get a newline and fix tests
• 59c2c43 Add compact mode so KYAML can be used in more places
• abc1add kyaml: Implement escaping closer to YAML spec
• 7749171 Add a yamlfmt cmd
• a932007 Add KYAML support
• 0f318dc Merge pull request #134 from kubernetes-sigs/forgot-to-add-redirects-for-cons...
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

[github-actions]

Codex review

Blocking

• go.mod raises the module requirement to go 1.26.0, but dockerfiles/Dockerfile still builds with golang:1.23. The CI image job runs make image-build, which uses this Dockerfile via Makefile and Makefile, so image builds will fail as soon as go mod download sees the higher Go requirement. This PR needs to update the Docker builder image or avoid raising go beyond the builder version.

Should-fix

• None found.

Nit

• None found.

I did not find vendor-neutral naming, proto/contract, CRD, or generated-code issues in the PR diff; it only changes go.mod and go.sum.

Verdict: changes-requested.

[github-actions]

Codex review

Blocking
None.

Should-fix

• go.mod:10: google.golang.org/protobuf is pinned to a pseudo-version (v1.36.12-0.20260120151049-f2248ac996af) even though the PR advertises a patch bump to v1.36.11. For a dependency-only PR, this should use the stable tagged release unless there is a documented reason to depend on an untagged commit.

• go.mod:3 / dockerfiles/Dockerfile:3 / CONTRIBUTING.md:9: the module and image now require Go 1.26.3, but contributor docs still say Go 1.23 or newer. Update the documented minimum/toolchain expectation so local contributors do not hit surprising failures.

Nit
None.

No vendor-neutral naming, proto contract, or gRPC fail-open issues in this diff. I could not run tests because the workspace is read-only and go could not create its module cache.

Verdict: changes-requested.

[github-actions]

Codex review

Blocking

• config/crd/bases/inferencecache.io_cachebackends.yaml:1181 and config/crd/bases/inferencecache.io_cachebackends.yaml:1365 expand the public v1alpha1 CRD with Kubernetes 1.36-era pod fields/semantics, but the project still defaults dev/envtest to Kubernetes 1.31 in Makefile:18, Makefile:30, and README.md:57. That lets users submit a CacheBackend accepted by this CRD that the controller can later copy into Pods unsupported by the documented/default cluster version. Either align the supported/default Kubernetes version and tests/docs to 1.36, or keep the CRD override surface constrained to the currently supported Kubernetes API.

Should-fix

• go.mod:10 pins google.golang.org/protobuf to an unreleased pseudo-version, while the PR body says the bump is to 1.36.11. For a dependency-only PR, this should use the intended tagged release or clearly justify the pseudo-version. If intentional, also update the PR metadata/tooling pins so reviewers are not validating a different dependency than the one described.

Nit

• No vendor-neutral naming issues found in the changed core surfaces.
• No proto contract changes were introduced.

I could not run Go verification commands in this sandbox because the workspace is read-only and the local Go tool tried to create/download module/toolchain cache.

Verdict: changes-requested.

[github-actions]

Codex review

Blocking

• None found against the vendor-neutral, proto contract, or gRPC fail-open rules.

Should-fix

• go.mod: the PR body says protobuf is bumped to v1.36.11, but the module pins google.golang.org/protobuf v1.36.12-0.20260120151049-f2248ac996af, an unreleased pseudo-version. This should be a tagged protobuf release unless there is a deliberate reason to depend on that exact commit.
• go.mod raises the module minimum to go 1.26.3, but the repo still documents “Go 1.23 or newer” in CONTRIBUTING.md, and CI still installs older pinned tools such as golangci-lint v1.64.8 from Makefile. If the project now requires Go 1.26.3, update the contributor/tooling matrix in the same PR.

Nit

• Makefile: raising COVER_MIN from 65 to 80 is unrelated to the dependency bump. Fine if intentional, but it makes this Dependabot PR a policy change too.

Checks

• make verify-naming passed.
• I could not run Go tests/coverage in this sandbox because Go could not create a module cache on the read-only filesystem.

Verdict: changes-requested.

[EdHasNoLife]

Thanks for the review — addressing the items:

• Go version docs (Should-fix): fixed in 54ab1d3 — CONTRIBUTING.md now states Go 1.26.3, matching the go directive.
• protobuf pseudo-version (Should-fix): not actionable as a downgrade. google.golang.org/protobuf v1.36.12-0.20260120151049-f2248ac996af is required transitively by the k8s.io 0.36 modules (apimachinery, client-go, apiextensions-apiserver) and controller-runtime v0.24.1 — they pin that exact pseudo-version, so MVS selects it over the v1.36.11 that grpc/genproto request (go mod graph confirms). Pinning to a tagged release just gets bumped back by go mod tidy. The "v1.36.11" in the PR body is Dependabot's group summary; the resolved graph is correct.
• Pinned tools / golangci-lint v1.64.8 (Should-fix): functional on go1.26 — make ci-lint passes in this PR's run. Bumping the linter is deferred to a separate change to avoid pulling in new findings unrelated to this bump.
• COVER_MIN 65→80 (Nit): intentional — bundled at the maintainer's request to ratchet the gate now that logic coverage sits at 81.2%. Acknowledged this makes the PR a policy change alongside the dependency bump.

[github-actions]

Codex review

Blocking

• api/v1alpha1/groupversion_info.go and api/v1alpha1/cachebackend_types.go: AddToScheme = SchemeBuilder.AddToScheme is bound while the runtime.SchemeBuilder is still empty; the later init() Register calls won’t be seen because runtime.SchemeBuilder.AddToScheme uses the builder value. This makes cachev1alpha1.AddToScheme(scheme) a no-op, so the controller/fake client won’t have CacheBackend registered. Use runtime.NewSchemeBuilder(addKnownTypes) with the registration funcs present up front, or make AddToScheme a wrapper that calls the current builder.

Should-fix

• go.mod: the PR body says protobuf is bumped to v1.36.11, but the diff pins google.golang.org/protobuf to an unreleased pseudo-version. Prefer a tagged release unless this specific commit is required and documented.

Nit

• None.

I did not find vendor-neutral naming or proto contract violations in the changed files. I could not run Go validation in this read-only sandbox because go cannot create its module/cache directories.

Verdict: changes-requested.

[EdHasNoLife]

Re: the Blocking item on AddToScheme being a no-op — this is a false positive. It assumes runtime.SchemeBuilder.AddToScheme has a value receiver, but it's a pointer receiver:

// k8s.io/apimachinery/pkg/runtime/scheme_builder.go
type SchemeBuilder []func(*Scheme) error
func (sb *SchemeBuilder) AddToScheme(s *Scheme) error { ... }
func (sb *SchemeBuilder) Register(funcs ...func(*Scheme) error) { ... }

SchemeBuilder is a *runtime.SchemeBuilder, so AddToScheme = SchemeBuilder.AddToScheme captures the pointer, not a copy of the (then-empty) slice. The init() Register calls append through that same pointer, and AddToScheme dereferences it at call time — so it sees every registration. This mirrors kubebuilder's own AddToScheme = SchemeBuilder.AddToScheme idiom (controller-runtime's scheme.Builder.AddToScheme is likewise a pointer receiver).

Empirically confirmed against the actual package:

s := runtime.NewScheme()
_ = cachev1alpha1.AddToScheme(s)
s.Recognizes(cachev1alpha1.GroupVersion.WithKind("CacheBackend")) // => true

This is also why the existing internal/controller tests (which call AddToScheme then drive a fake client holding CacheBackend) pass. Added a comment in 9885012 noting the pointer-receiver semantics so it isn't misread again.

[github-actions]

Codex review

Blocking

• api/v1alpha1/groupversion_info.go:24: AddToScheme = SchemeBuilder.AddToScheme is now bound against *runtime.SchemeBuilder before the init() registrations run. runtime.SchemeBuilder.AddToScheme uses the builder value, so this can capture the empty builder and ignore the later registrations at api/v1alpha1/groupversion_info.go:28 and api/v1alpha1/cachebackend_types.go:243. The controller calls this at cmd/controller/main.go:32, so the manager scheme may not know CacheBackend. Wrap it instead, e.g. func(s *runtime.Scheme) error { return SchemeBuilder.AddToScheme(s) }, and add a test that AddToScheme registers CacheBackend/CacheBackendList.

Should-fix

• go.mod:10 and go.sum:158: the PR body says protobuf moves to v1.36.11, but the actual module is pinned to the pseudo-version v1.36.12-0.20260120151049-f2248ac996af. That is not a normal minor/patch Dependabot release bump and should either be corrected to a tagged release or explicitly justified. Same pattern appears for github.com/modern-go/reflect2 at go.mod:36.

Nit

• api/v1alpha1/groupversion_info.go:21: the comment says AddToScheme has a pointer receiver, which is misleading for runtime.SchemeBuilder and contributed to the bug above.

Verdict: changes-requested.

I could not run the test suite locally because the provided sandbox is read-only and go cannot create its module/cache directories.

[github-actions]

Codex review

Blocking
None.

Should-fix
None.

Nit
go.mod:10 pins google.golang.org/protobuf to an unreleased pseudo-version while the PR body says the bump is to 1.36.11. Prefer a released tag for a Dependabot minor/patch PR unless there is a specific reason to track that commit.

Verdict
approve-with-nits

I did not find vendor-neutral naming violations, proto/design drift, gRPC contract changes, or breaking CRD/API changes in this diff. Local tests were not runnable here because the installed Go is 1.24.13 and the PR now requires go >= 1.26.3.