build(deps): bump github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/azkeys from 1.4.0 to 1.5.0 in the azure-github-dependencies group across 1 directory #8629

Open
dependabot[bot] wants to merge 1 commit into main from dependabot/go_modules/azure-github-dependencies-d29946bdc9

@dependabot
Contributor

@dependabot dependabot Bot commented on behalf of github May 29, 2026

Bumps the azure-github-dependencies group with 1 update in the / directory: github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/azkeys.

Updates github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/azkeys from 1.4.0 to 1.5.0

Release notes

Sourced from github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/azkeys's releases.

sdk/storage/azdatalake/v1.5.0

1.5.0 (2026-05-15)

Features Added

  • Includes all features from 1.5.0-beta.1

sdk/security/keyvault/azadmin/v1.5.0

1.5.0 (2026-05-25)

Other Changes

  • Upgraded to API service version 2025-07-01

sdk/security/keyvault/azkeys/v1.5.0

1.5.0 (2026-05-25)

Other Changes

  • Upgraded to API service version 2025-07-01

sdk/security/keyvault/azcertificates/v1.5.0

1.5.0 (2026-05-26)

Features Added

  • Includes all changes from 1.5.0-beta.1.

sdk/security/keyvault/azsecrets/v1.5.0

1.5.0 (2026-05-26)

Features Added

  • Includes all changes from 1.5.0-beta.1.

sdk/data/azcosmos/v1.5.0-beta.7

1.5.0-beta.7 (2026-06-02)

Features Added

  • Added retry policy for transient 500, 502, and 504 server errors on read requests. The request is retried once in the current region and, if applicable, once against the next preferred region. Writes are not retried. This matches the behavior of the .NET, Java, and Python Cosmos SDKs. See PR 26821.

Bugs Fixed

  • Fixed missing OTel tracing spans for internal queries executed by ReadManyItems. Each per-partition query page now creates a query_items span, matching the tracing behavior of NewQueryItemsPager. See PR 26813.
  • 403/WriteForbidden retries refresh the global endpoint manager fire-and-forget (CAS-gated) instead of blocking on a synchronous gem.Update. See PR 26889.
  • Connection-error retry policy now attempts up to 3 retries against the current region before failing over, and performs at most one cross-region failover per call. Cross-region failover for writes only occurs when the error proves the request never reached the service (DNS, dial, TLS handshake, ECONNREFUSED, etc.); writes on ambiguous transport failures (e.g. ECONNRESET, EOF, transport-level timeouts) no longer fail over to another region, avoiding potential duplicate writes. Reads still fail over for any transport error. Caller-set context deadlines or cancellations short-circuit the policy without consuming the caller's budget with retries. See PR 26858 and PR 26915.
  • HTTP 408 Request Timeout responses are now handled by the Cosmos client retry policy: reads are retried exactly once against another region, and writes are returned to the caller immediately to avoid potential duplicates. See PR 26858.
  • Fixed excessive GetDatabaseAccount HTTP calls when using preferred regions, and stopped data-plane retries from trailing into the customer-supplied (default) endpoint once account topology is populated. See PR 26815.
  • Partition key range cache now serves concurrent callers from a single in-flight refresh per container, and the cached routing map remains readable while a refresh is in progress. The refresh runs on a detached background context.Background() so a caller's cancellation no longer aborts the shared fetch for other waiters; each caller continues to honor its own context deadline. See PR 26855.
  • Partition key range cache change-feed pagination is now resilient to mid-drain throttling. 429 responses are retried indefinitely (with capped linear backoff + jitter) since the service is explicitly asking the client to slow down, and the pages already accumulated are preserved instead of restarting the drain from page 1 on the next refresh. See PR 26855.

Other Changes

  • Tightened the default HTTP client: 5s dial timeout (down from azcore's 30s), 65s http.Client.Timeout wall-clock cap per HTTP attempt (was unbounded), larger idle connection pool (1000 total / 100 per host, up from azcore's 100 / 10), and faster HTTP/2 health checks. Caller-supplied Transport and shorter context deadlines are unaffected. See PR 26856.

... (truncated)

Commits

Summary by CodeRabbit

  • Chores
    • Updated an underlying SDK to a newer patch release to improve stability, reliability, and compatibility with external services.

@dependabot dependabot Bot added area/ci-tooling Indicates the PR includes changes for CI or tooling ok-to-test Indicates a non-member PR verified by an org member that is safe to test. labels May 29, 2026
@openshift-merge-bot
Contributor

Pipeline controller notification
This repo is configured to use the pipeline controller. Second-stage tests will be triggered either automatically or after lgtm label is added, depending on the repository configuration. The pipeline controller will automatically detect which contexts are required and will utilize /test Prow commands to trigger the second stage.

For optional jobs, comment /test ? to see a list of all defined jobs. To trigger manually all jobs from second stage use /pipeline required command.

This repository is configured in: LGTM mode

@coderabbitai
Contributor

coderabbitai Bot commented May 29, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 32d99b9a-5f5f-43fb-9e56-a3221695e84e

📥 Commits

Reviewing files that changed from the base of the PR and between 6ad4742 and 5650782.

⛔ Files ignored due to path filters (12)
  • go.sum is excluded by !**/*.sum
  • vendor/github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/azkeys/CHANGELOG.md is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/azkeys/_metadata.json is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/azkeys/assets.json is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/azkeys/build.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/azkeys/client.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/azkeys/models_serde.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/azkeys/test-resources.json is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/azkeys/time_unix.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/azkeys/tsp-location.yaml is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/azkeys/version.go is excluded by !vendor/**, !**/vendor/**
  • vendor/modules.txt is excluded by !vendor/**, !**/vendor/**
📒 Files selected for processing (1)
  • go.mod
🚧 Files skipped from review as they are similar to previous changes (1)
  • go.mod

📝 Walkthrough

This PR updates a direct dependency in the HyperShift project's go.mod file: github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/azkeys is bumped from v1.4.0 to v1.5.0 in the require block.

Suggested reviewers

  • muraee

Important

Pre-merge checks failed

Please resolve all errors before merging. Addressing warnings is optional.

❌ Failed checks (2 errors, 1 warning)

| Check name | Status | Explanation | Resolution |
| --- | --- | --- | --- |
| Container-Privileges | ❌ Error | PR adds 3 new K8s manifests with privileged container settings: hostPID/hostNetwork, privileged:true, and allowPrivilegeEscalation:true in kubelet DaemonSet, CSI DaemonSet, and e2e test pod. | Review privilege escalations in new manifest files and ensure proper justification, SCC binding, and RBAC controls before merging. |
| No-Sensitive-Data-In-Logs | ❌ Error | Logging statement logs Key Vault key name/version and full error objects that may contain internal hostnames or vault configuration details in error messages. | Sanitize error logging: use error codes instead of full error objects, or mask sensitive details like vault names from error messages before logging. |
| Test Structure And Quality | ⚠️ Warning | Some Ginkgo tests lack meaningful assertion messages. backup_restore_test.go has 28 assertions without descriptive failure messages, violating requirement #4. | Add meaningful failure messages to all assertions, e.g., Expect(err).NotTo(HaveOccurred(), "failed to pause agent CAPI resources") instead of just Expect(err).NotTo(HaveOccurred()). |

✅ Passed checks (8 passed)

| Check name | Status | Explanation |
| --- | --- | --- |
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title accurately describes the main change: a dependency version bump from 1.4.0 to 1.5.0 for the Azure Key Vault SDK package. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Stable And Deterministic Test Names | ✅ Passed | PR only updates go.mod dependency version; no test files modified and repository has no Ginkgo tests, making the check not applicable. |
| Topology-Aware Scheduling Compatibility | ✅ Passed | PR is a pure dependency version bump (azkeys v1.4.0→v1.5.0) with no deployment manifests, operator code, or controller changes. Check for topology-aware scheduling constraints is not applicable. |
| Ipv6 And Disconnected Network Test Compatibility | ✅ Passed | PR only updates go.mod dependency version (azkeys v1.4.0→v1.5.0); no new Ginkgo e2e tests are added, making the check not applicable. |
| No-Weak-Crypto | ✅ Passed | PR bumps azkeys v1.4.0→v1.5.0 in go.mod only. Code uses RSA-OAEP-256. No weak crypto, custom implementations, or unsafe comparisons found. |


Comment @coderabbitai help to get the list of available commands and usage tips.

@openshift-ci
Contributor

openshift-ci Bot commented May 29, 2026

Hi @dependabot[bot]. Thanks for your PR.

I'm waiting for an openshift member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work.

Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@openshift-ci
Contributor

openshift-ci Bot commented May 29, 2026

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: dependabot[bot]
Once this PR has been reviewed and has the lgtm label, please assign cblecker for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci openshift-ci Bot requested review from jparrill and muraee May 29, 2026 01:06
@github-actions github-actions Bot force-pushed the dependabot/go_modules/azure-github-dependencies-d29946bdc9 branch from b768ecb to efd05c5 Compare May 29, 2026 01:10
@openshift-ci openshift-ci Bot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Jun 3, 2026
@openshift-ci
Contributor

openshift-ci Bot commented Jun 3, 2026

rebase

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@dependabot dependabot Bot changed the title from "build(deps): bump github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/azkeys from 1.4.0 to 1.5.0 in the azure-github-dependencies group" to "build(deps): bump github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/azkeys from 1.4.0 to 1.5.0 in the azure-github-dependencies group across 1 directory" Jun 3, 2026
@dependabot dependabot Bot force-pushed the dependabot/go_modules/azure-github-dependencies-d29946bdc9 branch from efd05c5 to 6ad4742 Compare June 3, 2026 20:31
@openshift-ci openshift-ci Bot removed the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Jun 3, 2026
…ault/azkeys

- azkeys: 1.4.0 => 1.5.0

Signed-off-by: dependabot[bot] <support@github.com>
@github-actions github-actions Bot force-pushed the dependabot/go_modules/azure-github-dependencies-d29946bdc9 branch from 6ad4742 to 5650782 Compare June 3, 2026 20:32
@hypershift-jira-solve-ci

That confirms it — 184 characters (185 including newline) vs the 140 max. I have full root cause. Here's the report:

Test Failure Analysis Complete

Job Information

Test Failure Analysis

Error

3: B1 Line exceeds max length (184>140): "Bumps the azure-github-dependencies group with 1 update
in the / directory: [github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/azkeys](https://github.com/Azure/azure-sdk-for-go)."
make: *** [Makefile:614: run-gitlint] Error 1

Summary

The gitlint CI check failed because Dependabot's auto-generated commit message body contains a line (line 3) that is 184 characters long, exceeding the repository's configured body-max-line-length of 140 characters in .gitlint. The offending line is the Dependabot boilerplate description: "Bumps the azure-github-dependencies group with 1 update in the / directory: [github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/azkeys](https://github.com/Azure/azure-sdk-for-go)." — which includes both the full Go module path and a Markdown link to the GitHub repo, making it inherently long. This is not a product code issue; it is a tooling mismatch between Dependabot's commit message format and the repo's gitlint rules.

Root Cause

The root cause is a mismatch between Dependabot's auto-generated commit message format and the hypershift repository's gitlint body line-length rule (body-max-line-length = 140).

When Dependabot creates a PR for a dependency group update, it generates a commit body with a summary line in the format:

Bumps the {group-name} group with 1 update in the / directory: [{module-path}]({github-url}).

For this PR, the Go module path github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/azkeys is already 68 characters, and when combined with the Markdown link and boilerplate text, the full line reaches 184 characters — 44 characters over the 140-character limit.

This is a known friction point between Dependabot and gitlint: Dependabot does not respect per-repository commit message formatting rules, and its output for long package names (especially deeply-nested Go modules) will inevitably exceed typical line-length limits. The commit title (line 1) is fine at ~86 characters (under the 120-char title-max-length limit) — only the body description line violates the rule.

Recommendations
  1. Squash-and-reword on merge (quickest fix): A maintainer can merge this PR using "Squash and merge" and manually edit the commit message to wrap or truncate the long body line before merging.

  2. Configure Dependabot commit message template — In .github/dependabot.yml, use the commit-message option with prefix only and keep the body minimal. However, Dependabot does not currently support controlling body line length directly.

  3. Add a gitlint ignore rule for Dependabot — Add an ignore rule to .gitlint that exempts Dependabot commits from the body line-length check:

    [ignore-by-author-name]
    regex=dependabot
    ignore=body-max-line-length

  4. Increase body-max-line-length — Raise the limit from 140 to 200+ in .gitlint, though this loosens the rule for all contributors.

  5. No action needed on the dependency bump itself — The azkeys 1.4.0→1.5.0 update is a semver-minor bump and is unrelated to this CI failure.

Evidence
| Evidence | Detail |
| --- | --- |
| Failing check | gitlint / Gitlint — GitHub Actions job 79389411573 |
| Gitlint rule violated | B1 (body-max-line-length) — configured max: 140, actual: 184 |
| Offending commit | 6ad4742ff8ceb4632368e400b807e46a115d4616 |
| Offending line (line 3 of body) | Bumps the azure-github-dependencies group with 1 update in the / directory: [github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/azkeys](https://github.com/Azure/azure-sdk-for-go). |
| .gitlint config | body-max-line-length = 140 (at repo root) |
| Commit author | dependabot[bot] — auto-generated message, not manually authored |
| Makefile target | run-gitlint (line 614) — exits with error code 1 → process exit code 2 |
| PR title (line 1) length | ~86 chars — within 120-char title-max-length limit ✅ |

@openshift-ci
Contributor

openshift-ci Bot commented Jun 3, 2026

@dependabot[bot]: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

Labels

area/ci-tooling Indicates the PR includes changes for CI or tooling ok-to-test Indicates a non-member PR verified by an org member that is safe to test.
