ci(deps): bump idna from 3.10 to 3.15 in /hypershift-ci-python #8548

Open
dependabot[bot] wants to merge 1 commit into main from dependabot/pip/hypershift-ci-python/idna-3.15

Conversation


@dependabot dependabot Bot commented on behalf of github May 19, 2026

Bumps idna from 3.10 to 3.15.

Changelog

Sourced from idna's changelog.

3.15 (2026-05-12)

  • Enforce DNS-length cap on individual labels early in check_label, short-circuiting contextual-rule processing for oversized input while staying compatible with UTS 46 usage.
  • Tidy core helpers: hoist bidi category sets to module-level frozensets (avoiding per-codepoint list construction), simplify length checks, and reuse the shared _unicode_dots_re from idna.core in the codec module.
  • Use raise ... from err for proper exception chaining and switch internal string formatting to f-strings.
  • Allow flit_core 4.x in the build backend.
  • Expand the ruff lint set (flake8-bugbear, flake8-simplify, pyupgrade, perflint) and apply the surfaced fixes; pin lint CI to Python 3.14.
  • Add Dependabot configuration for GitHub Actions.
  • Convert README and HISTORY from reStructuredText to Markdown.
  • Reference CVE-2026-45409 for the 3.14 advisory in place of the initial GHSA identifier.

Thanks to Felix Yan, Stan Ulbrych, and metsw24-max for contributions to this release.

3.14 (2026-05-10)

  • Removed opportunity to process long inputs into quadratic time by rejecting oversize inputs up-front. Closes a bypass of the CVE-2024-3651 mitigation. [CVE-2026-45409]

Thanks to Stan Ulbrych for reporting the issue.

3.13 (2026-04-22)

  • Correct classification error for codepoint U+A7F1

3.12 (2026-04-21)

  • Update to Unicode 17.0.0.
  • Issue a deprecation warning for the transitional argument.
  • Added lazy-loading to provide some performance improvements.
  • Removed vestiges of code related to Python 2 support, including segmentation of data structures specific to Jython.

Thanks to Rodrigo Nogueira for contributions to this release.

3.11 (2025-10-12)

  • Update to Unicode 16.0.0, including significant changes to UTS46 processing. As a result of Unicode ending support for it, transitional processing no longer has an effect and returns the same result.

... (truncated)

Commits
  • af30a09 Release 3.15
  • 30314d4 Pre-release 3.15rc0
  • 05d4b21 Merge pull request #237 from kjd/convert-docs-to-markdown
  • 2987fdb Convert README and HISTORY from reStructuredText to Markdown
  • 59fa800 Merge pull request #236 from kjd/dependabot/github_actions/actions-f3e34333ea
  • def6983 Merge branch 'master' into dependabot/github_actions/actions-f3e34333ea
  • bbd8004 Merge pull request #234 from StanFromIreland/patch-1
  • edd07c0 Bump github/codeql-action from 3.35.2 to 4.35.2 in the actions group
  • 5557db0 Merge branch 'master' into patch-1
  • f11746c Merge pull request #235 from StanFromIreland/patch-2
  • Additional commits viewable in compare view

Summary by CodeRabbit

  • Chores
    • Updated the idna dependency to version 3.15.
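The 3.14 and 3.15 entries above describe the same defensive idea: reject oversize input before any per-code-point processing runs, so that long hostnames cannot drive the encoder into quadratic time. The block below is an added example, not code from idna or from this PR. It applies the DNS length caps as a guard in front of any IDNA encoder, which is useful as defence in depth for environments still pinned to an older release. The names `check_dns_lengths`, `within_dns_caps`, `safe_encode` and `OversizeInput` are chosen here, and `safe_encode` assumes the `idna` package is importable.

```python
import re

try:
    import idna  # optional: only safe_encode needs it; the guard is stdlib-only
except ImportError:
    idna = None

MAX_LABEL_CODEPOINTS = 63   # RFC 1035: a label is at most 63 octets
MAX_NAME_CODEPOINTS = 253   # RFC 1035: a full name is at most 253 octets in text form

# Dot variants that UTS 46 maps to U+002E, so a label boundary can be any of them.
_DOTS_RE = re.compile("[.\u3002\uff0e\uff61]")


class OversizeInput(ValueError):
    """Raised when a hostname cannot possibly fit the DNS length caps."""


def check_dns_lengths(name: str) -> None:
    """Reject input that already exceeds the caps before any per-code-point work.

    Punycode never emits fewer characters than the code points it encodes
    (basic code points are copied, each non-basic one yields at least one
    digit), so a label over 63 code points, or a name over 253, cannot encode
    to a valid DNS name. The whole-name check runs first and is O(1), which
    bounds the cost of everything after it. UTS 46 mapping can delete a few
    ignorable code points, so this guard is slightly stricter than the encoder.
    """
    if len(name) > MAX_NAME_CODEPOINTS:
        raise OversizeInput(
            f"name is {len(name)} code points, limit {MAX_NAME_CODEPOINTS}")
    labels = _DOTS_RE.split(name)
    if len(labels) > 1 and labels[-1] == "":
        labels.pop()  # a trailing root dot is allowed
    for i, label in enumerate(labels):
        if len(label) > MAX_LABEL_CODEPOINTS:
            raise OversizeInput(
                f"label {i} is {len(label)} code points, limit {MAX_LABEL_CODEPOINTS}")


def within_dns_caps(name: str) -> bool:
    """Boolean form of check_dns_lengths."""
    try:
        check_dns_lengths(name)
    except OversizeInput:
        return False
    return True


def safe_encode(name: str) -> bytes:
    """Guard first, then delegate to idna.encode (the package is assumed installed)."""
    check_dns_lengths(name)
    if idna is None:
        raise RuntimeError("the idna package is not installed")
    return idna.encode(name)


if __name__ == "__main__":
    # Constructed samples: two ordinary names, an oversized label, and a
    # 100k-code-point input of the kind the changelog's fix short-circuits.
    for sample in ("example.com", "b\u00fccher.example",
                   "a" * 64 + ".example", "\u00e9" * 100_000):
        print(repr(sample[:40]), "->", within_dns_caps(sample))
```

The guard deliberately counts code points rather than encoded octets: counting is O(n) with a tiny constant and needs no normalisation, and because Punycode output is never shorter than its input, anything rejected here would have been rejected by the encoder anyway.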

@dependabot dependabot Bot added dependencies Pull requests that update a dependency file python Pull requests that update python code labels May 19, 2026
@openshift-merge-bot

Pipeline controller notification
This repo is configured to use the pipeline controller. Second-stage tests will be triggered either automatically or after lgtm label is added, depending on the repository configuration. The pipeline controller will automatically detect which contexts are required and will utilize /test Prow commands to trigger the second stage.

For optional jobs, comment /test ? to see a list of all defined jobs. To trigger manually all jobs from second stage use /pipeline required command.

This repository is configured in: LGTM mode


openshift-ci Bot commented May 19, 2026

Please specify an area label

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.


coderabbitai Bot commented May 19, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: ce7de26b-1e16-4118-a527-980a9c55abcf

📥 Commits

Reviewing files that changed from the base of the PR and between 84ebd8b and 274daa5.

📒 Files selected for processing (1)
  • hypershift-ci-python/requirements.txt
✅ Files skipped from review due to trivial changes (1)
  • hypershift-ci-python/requirements.txt

📝 Walkthrough

Walkthrough

This pull request updates the idna Python package dependency pinned in hypershift-ci-python/requirements.txt from version 3.10 to 3.15. All other package versions remain unchanged. This is a straightforward dependency version bump affecting only a single line in the requirements file.

🚥 Pre-merge checks | ✅ 12
✅ Passed checks (12 passed)
Check name | Status | Explanation
Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled.
Title check | ✅ Passed | The title accurately describes the main change: bumping the idna dependency from 3.10 to 3.15 in the hypershift-ci-python directory.
Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names | ✅ Passed | PR only updates Python dependency (idna 3.10→3.15 in requirements.txt); no Ginkgo test files modified, so check is not applicable.
Test Structure And Quality | ✅ Passed | This PR only updates the Python dependency idna from 3.10 to 3.15 in hypershift-ci-python/requirements.txt. It contains no Ginkgo test code changes, making the test structure check inapplicable.
Microshift Test Compatibility | ✅ Passed | This PR only updates a Python dependency version (idna 3.10→3.15) in requirements.txt. No new Ginkgo e2e tests are added, making the MicroShift test compatibility check not applicable.
Single Node Openshift (Sno) Test Compatibility | ✅ Passed | PR only bumps Python dependency (idna 3.10→3.15) in requirements.txt; no new Ginkgo e2e tests added, so SNO compatibility check is not applicable.
Topology-Aware Scheduling Compatibility | ✅ Passed | PR only updates idna Python dependency in requirements.txt; no deployment manifests, operator code, or controllers modified, so topology-aware scheduling check does not apply.
Ote Binary Stdout Contract | ✅ Passed | PR only modifies Python dependency versions in hypershift-ci-python/requirements.txt. The OTE Binary Stdout Contract check applies only to Go binary code, not Python dependencies.
Ipv6 And Disconnected Network Test Compatibility | ✅ Passed | This PR only updates the idna Python dependency version in requirements.txt; it contains no new Ginkgo e2e tests, so the IPv6/disconnected network check is not applicable.



openshift-ci Bot commented May 19, 2026

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: dependabot[bot]
Once this PR has been reviewed and has the lgtm label, please assign devguyio for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci openshift-ci Bot added the needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. label May 19, 2026

openshift-ci Bot commented May 19, 2026

Hi @dependabot[bot]. Thanks for your PR.

I'm waiting for an openshift member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work.

Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@openshift-ci openshift-ci Bot requested review from Nirshal and muraee May 19, 2026 16:21
Bumps [idna](https://github.com/kjd/idna) from 3.10 to 3.15.
- [Release notes](https://github.com/kjd/idna/releases)
- [Changelog](https://github.com/kjd/idna/blob/master/HISTORY.md)
- [Commits](kjd/idna@v3.10...v3.15)

---
updated-dependencies:
- dependency-name: idna
  dependency-version: '3.15'
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
@hypershift-jira-solve-ci

Test Failure Analysis Complete

Job Information

  • Prow Job: Red Hat Konflux / hypershift-operator-main-enterprise-contract / hypershift-operator-main & Red Hat Konflux / hypershift-operator-enterprise-contract / hypershift-operator-main
  • Build ID: Check runs 76961357606 and 76961356211
  • Pipeline Runs: hypershift-operator-main-enterprise-contract-jqwt5 and hypershift-operator-enterprise-contract-2blrb
  • PR: ci(deps): bump idna from 3.10 to 3.15 in /hypershift-ci-python #8548
  • Component: hypershift-operator-main
  • Snapshot: hypershift-operator-20260520-124817-000
  • Started: 2026-05-20T12:48:20Z
  • Completed: 2026-05-20T13:01:24Z

Test Failure Analysis

Error

Enterprise Contract verify task FAILURE:
254 success(es), 24 warning(s), 2 failure(s)

Policy violated: trusted_task.trusted — 2 Tekton task bundles used in the
build pipeline are no longer present in the Konflux trusted task list.

Summary

Both Enterprise Contract (EC) checks failed because PR #8548's build pipeline references outdated Tekton task bundle digests. PR #8548 was created on May 19 and its Konflux build ran on May 20 at 12:48 UTC. Three hours later, PR #8557 ("Update Konflux Tekton task bundles") was merged at 16:05 UTC, updating all 18 task bundle digest references in .tekton/pipelines/common-operator-build.yaml. Since PR #8548 was built from pre-#8557 code, its SLSA provenance attestation records the old task digests. When the EC trusted_task.trusted policy validated the built image, it found 2 task bundles whose old versions had been fully removed from the Konflux trusted task list (producing failures), and 16 more whose old digests were deprecated but still in a transition period (producing warnings). This is completely unrelated to the PR's actual code change (bumping idna in hypershift-ci-python/requirements.txt), and every other recent PR that was built after PR #8557 merged passes EC validation with 0 failures.

Root Cause

Stale Tekton task bundle digests in the build pipeline.

PR #8548's branch was forked from main at commit a7d68da (May 20, 12:45 UTC). The Konflux build pipeline (.tekton/pipelines/common-operator-build.yaml) at that commit references old Tekton task bundle digests. PR #8557, which updated all 18 task bundle references to their current versions, was merged ~3 hours later (May 20, 16:05 UTC).

The Enterprise Contract's trusted_task.trusted policy validates that every Tekton task used in the build pipeline appears in the centrally-managed trusted task list. When task bundles are rotated, old digests are eventually removed from this list. Three tasks had version bumps (not just digest rotations), making their old versions fully untrusted:

Task                | PR #8548 (old)       | Main (current)
build-image-index   | 0.2@sha256:c7b0f7e1… | 0.3@sha256:b33bfa8d…
clamav-scan         | 0.3@sha256:9f18b216… | 0.3.1@sha256:567cb66b…
rpms-signature-scan | 0.2@sha256:35a4ccda… | 0.2.1@sha256:41720da9…

Two of these three version-bumped tasks produced the 2 EC failures (the third may still be in a trusted transition period). The remaining 15 tasks had only digest changes within the same version, producing 16 additional warnings (old digests deprecated but not yet fully removed).

Proof that this is not related to the PR's code change:

Recommendations

  1. Rebase PR #8548 (ci(deps): bump idna from 3.10 to 3.15 in /hypershift-ci-python) onto main — this will pull in the updated task bundle digests from PR #8557 (NO-JIRA: Update Konflux Tekton task bundles) and the EC checks will pass on the next build. Run:

       @dependabot rebase

     or manually:

       git fetch origin main
       git rebase origin/main
       git push --force-with-lease

  2. No code changes needed — the PR's actual change (idna 3.10→3.15) is correct and unaffected. The failure is purely a CI pipeline configuration staleness issue.

  3. Consider automating Dependabot rebases — configure Dependabot to auto-rebase stale PRs when the base branch updates, to avoid this class of failure in the future. Add to .github/dependabot.yml:

       rebase-strategy: "auto"
Evidence

Evidence                     | Detail
PR #8548 build time          | 2026-05-20T12:48:20Z
PR #8557 merge time          | 2026-05-20T16:05:39Z (3+ hours AFTER #8548's build)
PR #8548 EC result           | 254 success, 24 warnings, 2 failures
PR #8563 EC result (passing) | 256 success, 8 warnings, 0 failures
PR #8560 EC result (passing) | neutral/warning, 0 failures
Main branch EC result        | neutral/warning, 0 failures
PR #8548 base commit         | a7d68da (before task bundle update)
Task bundle update           | PR #8557 ("Update Konflux Tekton task bundles")
Tasks with version bumps     | build-image-index 0.2→0.3, clamav-scan 0.3→0.3.1, rpms-signature-scan 0.2→0.2.1
Total task digests changed   | 18 out of 18 (all task bundles updated)
PR #8548 image digest        | sha256:bb1e99e30c43c6c67add85c51063065424d20d4ef5f7779cd2b5717c044cf4b7
Same base image layer        | Both PR #8548 and #8563 share layer sha256:cd8d59cb… (UBI9 minimal)
EC policy violated           | trusted_task.trusted — tasks not in Konflux trusted task list
Pipeline file                | .tekton/pipelines/common-operator-build.yaml
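The analysis above describes how the trusted_task.trusted policy behaves: every task bundle digest recorded in the build's provenance is looked up in the trusted task list, a current digest passes, a digest that is deprecated but still listed produces a warning, and a digest that has been removed produces a failure. The block below is an added, simplified model of that classification written for this page; it is not the Enterprise Contract (Conforma) implementation and does not read the real trusted task list. The registry path `quay.io/konflux-ci/tekton-catalog/task-<name>:<version>@sha256:<hex>` is an assumption modelled on the Konflux catalog layout, and every digest in it is a constructed placeholder, not one of the digests in the table above.

```python
import re
from dataclasses import dataclass

# Bundle references as they appear in a Konflux pipeline's taskRef params
# (layout assumed): <registry>/task-<name>:<version>@sha256:<64 hex chars>
_BUNDLE_RE = re.compile(
    r"^(?P<repo>\S+?/task-(?P<name>[a-z0-9-]+)):(?P<version>[0-9.]+)"
    r"@(?P<digest>sha256:[0-9a-f]{64})$"
)


@dataclass(frozen=True)
class TaskRef:
    name: str
    version: str
    digest: str


def parse_bundle_ref(ref: str) -> TaskRef:
    """Split a bundle reference into task name, version tag and digest."""
    m = _BUNDLE_RE.match(ref)
    if not m:
        raise ValueError(f"unrecognised bundle reference: {ref}")
    return TaskRef(m["name"], m["version"], m["digest"])


def _d(ch: str) -> str:
    """Constructed placeholder digest (NOT a real bundle digest)."""
    return "sha256:" + ch * 64


# Constructed trusted task list. "current" digests pass; "deprecated" digests
# are still listed during a rotation window and only warn; anything else,
# including an old version whose digests were dropped entirely, fails.
TRUSTED = {
    "build-image-index":   {"current": {_d("a")}, "deprecated": set()},
    "clamav-scan":         {"current": {_d("b")}, "deprecated": set()},
    "rpms-signature-scan": {"current": {_d("c")}, "deprecated": {_d("3")}},
    "git-clone":           {"current": {_d("d")}, "deprecated": {_d("4")}},
}


def classify(task: TaskRef, trusted=TRUSTED) -> str:
    """Return 'success', 'warning' or 'failure' for one task reference."""
    entry = trusted.get(task.name)
    if entry and task.digest in entry["current"]:
        return "success"
    if entry and task.digest in entry["deprecated"]:
        return "warning"
    return "failure"


def verify_pipeline(bundle_refs, trusted=TRUSTED) -> dict:
    """Classify every bundle reference and summarise, EC-style, as counts."""
    counts = {"success": 0, "warning": 0, "failure": 0}
    findings = []
    for ref in bundle_refs:
        task = parse_bundle_ref(ref)
        verdict = classify(task, trusted)
        counts[verdict] += 1
        if verdict != "success":
            findings.append(f"{verdict}: {task.name} {task.version}@{task.digest[:15]}...")
    return {"counts": counts, "findings": findings}


REPO = "quay.io/konflux-ci/tekton-catalog"  # assumed layout, see lead-in

# Pipeline as built from the stale base commit: every digest predates the
# bundle update. Two tasks had their old version dropped from the list
# (failure), two are still inside the deprecation window (warning).
STALE_PIPELINE = [
    f"{REPO}/task-build-image-index:0.2@{_d('1')}",
    f"{REPO}/task-clamav-scan:0.3@{_d('2')}",
    f"{REPO}/task-rpms-signature-scan:0.2@{_d('3')}",
    f"{REPO}/task-git-clone:0.1@{_d('4')}",
]

# The same pipeline after rebasing onto the task-bundle update.
REBASED_PIPELINE = [
    f"{REPO}/task-build-image-index:0.3@{_d('a')}",
    f"{REPO}/task-clamav-scan:0.3.1@{_d('b')}",
    f"{REPO}/task-rpms-signature-scan:0.2.1@{_d('c')}",
    f"{REPO}/task-git-clone:0.1@{_d('d')}",
]

if __name__ == "__main__":
    for label, pipeline in (("stale", STALE_PIPELINE), ("rebased", REBASED_PIPELINE)):
        result = verify_pipeline(pipeline)
        print(label, result["counts"], *result["findings"], sep="\n  ")
```

Running it shows the shape of the failure the bot reports: the stale pipeline yields failures for the two tasks whose old versions left the list and warnings for the digests still in their rotation window, while the rebased pipeline is clean. The point for a defender is that a provenance-based policy fails closed on a stale base even when the diff under review is harmless, so the fix is to rebuild from a current base rather than to weaken the policy.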


dependabot Bot commented on behalf of github May 21, 2026

Sorry, only users with push access can use that command.

Labels

dependencies Pull requests that update a dependency file do-not-merge/needs-area needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. python Pull requests that update python code
