Multiple deps updates (main branch)#3243
📝 Walkthrough: This pull request updates Go toolchain versions (1.25.3 → 1.25.8), refreshes many Go module dependency versions across multiple go.mod files, updates Docker base images, updates Tekton task bundle digests, adds a go-mod helper script, adjusts a Tekton download URL, fixes/adds small documentation text and CLI flag docs, and makes small test and lint-suppression changes.
⚠️ Warning: There were issues while running some tools. Please review the errors and either fix the tool's configuration or disable the tool if it's a critical failure. 🔧 golangci-lint (2.11.4): Error: can't load config: unsupported version of the configuration: "". See https://golangci-lint.run/docs/product/migration-guide for migration instructions.
- github.com/evanphx/json-patch@v5.9.11+incompatible - github.com/gkampitakis/go-snaps@v0.5.19 - github.com/go-openapi/strfmt@v0.26.1 - go-openapi/swag submodules to v0.25.5 - github.com/google/go-containerregistry@v0.21.0 Ref: https://redhat.atlassian.net/browse/EC-1766
Also: - k8s.io/apiextensions-apiserver@v0.34.3 - k8s.io packages to v0.35.3 in acceptance Ref: https://redhat.atlassian.net/browse/EC-1766
It was already updated in some mod files. Update the build image and asdf config to match. Ref: https://redhat.atlassian.net/browse/SECURESIGN-3982 Ref: https://redhat.atlassian.net/browse/SECURESIGN-3984 Ref: https://redhat.atlassian.net/browse/EC-1766
IIUC it was moved off googleapis.com some time ago. Ref: https://redhat.atlassian.net/browse/EC-1766
Actionable comments posted: 4
Caution
Some comments are outside the diff and can’t be posted inline due to platform limitations.
⚠️ Outside diff range comments (1)
acceptance/go.mod (1)
278-282: ⚠️ Potential issue | 🟠 Major

Add the moby/go-archive compatibility replace directive to tools/go.mod

The root go.mod and acceptance/go.mod apply a replace directive for moby/go-archive v0.2.0 => v0.1.0 due to Docker 28.5.2 incompatibility. However, tools/go.mod also depends on github.com/docker/docker v28.5.2+incompatible (line 185) without the corresponding replace directive. This inconsistency causes build behavior to diverge; apply the same replace to tools/go.mod at the end:

replace github.com/moby/go-archive v0.2.0 => github.com/moby/go-archive v0.1.0

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In `@acceptance/go.mod` around lines 278 - 282, Add the same replace directive currently present in root/acceptance modules to the tools module by appending the exact line "replace github.com/moby/go-archive v0.2.0 => github.com/moby/go-archive v0.1.0" to tools/go.mod (place it at the end of the file among other replace directives) so that the dependency on github.com/docker/docker v28.5.2+incompatible resolves consistently with the rest of the repository.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In `@acceptance/go.mod`:
- Around line 93-94: Update the dependency string "github.com/docker/docker" to
v29.3.1 (or later) in any go.mod that currently lists v28.5.2+incompatible; run
`go get github.com/docker/docker@v29.3.1` (or the chosen newer version) in each
module, then run `go mod tidy` and re-run tests/CI to ensure builds pass and
transitive deps are updated; ensure the change is applied to every go.mod that
referenced the old version so GHSA-pxq6-2prw-chj9 and GHSA-x744-4wpc-v9h2 are
patched.
In `@docs/modules/ROOT/pages/ec_test.adoc`:
- Line 93: Update the hardcoded parser list in
docs/modules/ROOT/pages/ec_test.adoc so it matches the CLI's dynamic list: use
the source of truth produced by parser.Parsers() (see cmd/test/test.go around
where parser.Parsers() is used) or regenerate the docs from the CLI help output;
remove the wrongly listed "ignore" entry (it's a path-matching flag, not a
parser) so the doc list exactly mirrors parser.Parsers() output.
In `@go.mod`:
- Line 12: The go.mod entry pins github.com/docker/docker to v28.5.2 which has a
known HIGH-severity AuthZ plugin vulnerability; update the dependency to v29.3.1
(or the latest >= v29.3.1) in go.mod, run go get to fetch the new version and go
mod tidy to update the lockfile, then run the test suite/build to confirm
nothing breaks; if immediate upgrade is not possible, add a short comment in
go.mod noting that the project does not use Docker plugins/AuthZ and that the
dependency upgrade is planned to v29.3.1+ to mitigate the CVE.
In `@tools/go.mod`:
- Around line 185-186: The go.mod entry for the dependency
github.com/docker/docker is pinned to v28.5.2+incompatible (the line containing
"github.com/docker/docker v28.5.2+incompatible") which has known
vulnerabilities; update that module requirement to a patched release (pick the
minimal patched tag >= the fix for GHSA-pxq6-2prw-chj9 / GHSA-x744-4wpc-v9h2 /
GO-2026-4883 / GO-2026-4887), then run dependency resolution to update the lock
info (e.g., use the appropriate go command to fetch the target
github.com/docker/docker@<patched-version> and run go mod tidy) so the
go.sum/go.mod reflect the safe version. Ensure no other code imports rely on the
incompatible suffix or breaking changes from the new tag; if they do, adjust
imports or constraints accordingly.
⛔ Files ignored due to path filters (3)
- acceptance/go.sum is excluded by !**/*.sum
- go.sum is excluded by !**/*.sum
- tools/go.sum is excluded by !**/*.sum
📒 Files selected for processing (14)
- .tekton/cli-main-pull-request.yaml
- .tekton/cli-main-push.yaml
- .tool-versions
- Dockerfile
- Dockerfile.dist
- acceptance/go.mod
- docs/modules/ROOT/pages/ec_opa_run.adoc
- docs/modules/ROOT/pages/ec_opa_sign.adoc
- docs/modules/ROOT/pages/ec_opa_test.adoc
- docs/modules/ROOT/pages/ec_test.adoc
- go.mod
- hack/tekton/tekton.sh
- tools/go.mod
- tools/kubectl/go.mod
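The finding above (a compatibility replace present in the root and acceptance modules but missing from tools/go.mod) is the kind of drift that is easy to miss by eye in a multi-module repository. As an added example that is not part of the project's code or of the review bot's output, the following stdlib-only Go program parses the `require` and `replace` directives of several go.mod files and reports every module that is replaced in at least one file but required without that replace in another. The go.mod contents are constructed samples that mirror the versions discussed in this review, not the repository's real files; the parser is deliberately minimal (it handles single-line and parenthesised block forms and ignores the other directives) and is not a substitute for golang.org/x/mod/modfile.

```go
package main

import (
	"bufio"
	"fmt"
	"sort"
	"strings"
)

// GoMod holds the directives this check compares across files, keyed by module path.
type GoMod struct {
	Require map[string]string // path -> version
	Replace map[string]string // path -> replacement ("newpath version" or a local dir)
}

// ParseGoMod is a small stdlib-only parser for require/replace directives in
// single-line and "( ... )" block form. It ignores module, go, toolchain,
// exclude and retract lines and is not a substitute for golang.org/x/mod/modfile.
func ParseGoMod(text string) GoMod {
	m := GoMod{Require: map[string]string{}, Replace: map[string]string{}}
	block := "" // "require" or "replace" while inside a block
	sc := bufio.NewScanner(strings.NewReader(text))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if i := strings.Index(line, "//"); i >= 0 {
			line = strings.TrimSpace(line[:i]) // drop "// indirect" and similar
		}
		kind, rest := block, line
		if block == "" {
			if kind, rest, _ = strings.Cut(line, " "); kind != "require" && kind != "replace" {
				continue
			}
			if rest = strings.TrimSpace(rest); rest == "(" {
				block = kind
				continue
			}
		} else if line == ")" {
			block = ""
			continue
		}
		if kind == "require" {
			if f := strings.Fields(rest); len(f) >= 2 {
				m.Require[f[0]] = f[1]
			}
		} else if old, repl, ok := strings.Cut(rest, "=>"); ok {
			if f := strings.Fields(old); len(f) > 0 {
				m.Replace[f[0]] = strings.TrimSpace(repl)
			}
		}
	}
	return m
}

// ReplaceDrift reports, for every module replaced in at least one go.mod, the
// files that require that module but carry no replace for it.
func ReplaceDrift(mods map[string]GoMod) map[string][]string {
	replaced := map[string]bool{}
	for _, m := range mods {
		for path := range m.Replace {
			replaced[path] = true
		}
	}
	drift := map[string][]string{}
	for path := range replaced {
		for file, m := range mods {
			_, required := m.Require[path]
			_, pinned := m.Replace[path]
			if required && !pinned {
				drift[path] = append(drift[path], file)
			}
		}
		sort.Strings(drift[path])
	}
	return drift
}

// Constructed sample go.mod contents, not the repository's real files; the
// versions mirror the ones discussed in the review.
const rootMod = `module example.com/root
require (
	github.com/docker/docker v28.5.2+incompatible
	github.com/moby/go-archive v0.2.0 // indirect
)
replace github.com/moby/go-archive v0.2.0 => github.com/moby/go-archive v0.1.0
`

const toolsMod = `module example.com/tools
require github.com/docker/docker v28.5.2+incompatible
require github.com/moby/go-archive v0.2.0 // indirect
`

// Mods is the parsed sample set keyed by file path, as the check would key real files.
var Mods = map[string]GoMod{"go.mod": ParseGoMod(rootMod), "tools/go.mod": ParseGoMod(toolsMod)}

func main() {
	for path, files := range ReplaceDrift(Mods) {
		fmt.Printf("replace for %s missing in %v\n", path, files)
	}
}
```

On the samples this prints that the replace for github.com/moby/go-archive is missing in tools/go.mod. Pointing the same check at the real go.mod files (read from disk instead of the constants) makes a cheap CI gate for this class of drift; a module replaced in one file but only transitively pulled into another (not in its require list) is intentionally not reported, since the replace only matters where the module is actually resolved.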
Codecov Report: ✅ All modified and coverable lines are covered by tests. Flags with carried forward coverage won't be shown.
Fixes a problem running the linter related to tablewriter.Table changes.
Avoid a lint gripe about it being missing.
Also fixes a lint error. Not sure why it started appearing now - perhaps the signature of that function changed.
Avoid this lint error:
SA1019: in_toto.ProvenanceStatementSLSA1 is deprecated:
ProvenanceStatementSLSA1 exists for historical compatibility and
should not be used. To generate an ITE-6 v1 Statement with an ITE-9
Provenance v1 predicate, use the Go APIs provided in
https://github.com/in-toto/attestation/tree/main/go. (staticcheck)
e6fa416 to 08f6381
♻️ Duplicate comments (1)
go.mod (1)
12-12: ⚠️ Potential issue | 🟠 Major

Upgrade off github.com/docker/docker v28.5.2+incompatible before release.

Line 12 still pins a version flagged by OSV/GHSA high-severity advisories; the compatibility replace at Lines 426-429 keeps that vulnerable pin in place. Please move to a patched Docker/Moby line (>= 29.3.1) and then re-evaluate whether the moby/go-archive downgrade is still required.

As per coding guidelines (`**`): "Focus on major issues impacting performance, readability, maintainability and security. Avoid nitpicks and avoid verbosity."

Use this read-only verification script to confirm all current pins and OSV status:

```bash
#!/bin/bash
set -euo pipefail

echo "1) Locate all docker/docker version pins in go.mod files"
fd 'go\.mod$' -t f -x rg -n 'github.com/docker/docker\s+v'
echo

echo "2) Query OSV for the root go.mod pinned version"
PINNED_VERSION="$(awk '/github.com\/docker\/docker[[:space:]]+v/{print $2; exit}' go.mod)"
echo "Pinned version in root go.mod: ${PINNED_VERSION}"
curl -sS https://api.osv.dev/v1/query \
  -H 'Content-Type: application/json' \
  -d "{\"package\":{\"ecosystem\":\"Go\",\"name\":\"github.com/docker/docker\"},\"version\":\"${PINNED_VERSION}\"}" \
  | jq '{version:"'"${PINNED_VERSION}"'", vuln_count:(.vulns|length), vuln_ids:[.vulns[].id]}'
```

Also applies to: 426-429
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In `@go.mod` at line 12, Update the vulnerable github.com/docker/docker module pin in go.mod from v28.5.2+incompatible to a patched release (>= v29.3.1) and then re-check whether the explicit replace that downgrades moby/go-archive (the compatibility replace referenced at lines 426-429) is still necessary; modify the module version in the go.mod top-level require entry for github.com/docker/docker and remove or adjust the replace for moby/go-archive as appropriate, then run the provided OSV verification script to confirm no remaining advisories.
⛔ Files ignored due to path filters (3)
- acceptance/go.sum is excluded by !**/*.sum
- go.sum is excluded by !**/*.sum
- tools/go.sum is excluded by !**/*.sum
📒 Files selected for processing (19)
- .gitleaks.toml
- .tekton/cli-main-pull-request.yaml
- .tekton/cli-main-push.yaml
- .tool-versions
- Dockerfile
- Dockerfile.dist
- acceptance/acceptance_test.go
- acceptance/attestation/attestation.go
- acceptance/go.mod
- docs/modules/ROOT/pages/ec_opa_run.adoc
- docs/modules/ROOT/pages/ec_opa_sign.adoc
- docs/modules/ROOT/pages/ec_opa_test.adoc
- docs/modules/ROOT/pages/ec_test.adoc
- go.mod
- hack/go-mod-upgrade-helper.sh
- hack/tekton/tekton.sh
- pkg/schema/slsa_provenance_v0.2_test.go
- tools/go.mod
- tools/kubectl/go.mod
✅ Files skipped from review due to trivial changes (12)
- .tool-versions
- tools/kubectl/go.mod
- docs/modules/ROOT/pages/ec_opa_sign.adoc
- acceptance/attestation/attestation.go
- .gitleaks.toml
- docs/modules/ROOT/pages/ec_opa_test.adoc
- docs/modules/ROOT/pages/ec_test.adoc
- hack/tekton/tekton.sh
- Dockerfile.dist
- Dockerfile
- docs/modules/ROOT/pages/ec_opa_run.adoc
- .tekton/cli-main-pull-request.yaml
🚧 Files skipped from review as they are similar to previous changes (2)
- .tekton/cli-main-push.yaml
- tools/go.mod
Similar to PR #3233 but I threw in a ubi and konflux task ref update. Also similar to #3242 but I didn't do so much squashing this time.
(All this is co-authored by @claude as per usual.)
Ref: https://redhat.atlassian.net/browse/EC-1766