NO-JIRA: chore(deps): weekly dependabot consolidation

[hypershift-jira-solve-ci]

Summary

Weekly consolidation of dependabot dependency updates.

Consolidated PRs

• build(deps): bump github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/azkeys from 1.4.0 to 1.5.0 in the azure-github-dependencies group across 1 directory #8629: build(deps): bump github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/azkeys from 1.4.0 to 1.5.0 in the azure-github-dependencies group
• fix(deps): bump urllib3 from 2.6.3 to 2.7.0 in /hypershift-ci-python #8482: fix(deps): bump urllib3 from 2.6.3 to 2.7.0 in /hypershift-ci-python

Commits

1. chore(deps): update root module dependencies
2. chore(deps): update vendored dependencies

---

Assisted-by: Claude (via Claude Code)

---

Note: This PR was auto-generated by the dependabot-triage periodic CI job. See the full report for token usage, cost breakdown, and detailed output.

Summary by CodeRabbit

• Chores
  • Bumped Azure Key Vault SDK dependency to v1.5.0.
  • No changes to public APIs or exported interfaces; behavior remains compatible.

[openshift-merge-bot]

Pipeline controller notification
This repo is configured to use the pipeline controller. Second-stage tests will be triggered either automatically or after lgtm label is added, depending on the repository configuration. The pipeline controller will automatically detect which contexts are required and will utilize /test Prow commands to trigger the second stage.

For optional jobs, comment /test ? to see a list of all defined jobs. To trigger manually all jobs from second stage use /pipeline required command.

This repository is configured in: LGTM mode

[openshift-ci-robot]

@hypershift-jira-solve-ci[bot]: This pull request explicitly references no jira issue.

Details

In response to this:

Summary

Weekly consolidation of dependabot dependency updates.

Consolidated PRs

• build(deps): bump github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/azkeys from 1.4.0 to 1.5.0 in the azure-github-dependencies group across 1 directory #8629: build(deps): bump github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/azkeys from 1.4.0 to 1.5.0 in the azure-github-dependencies group
• fix(deps): bump urllib3 from 2.6.3 to 2.7.0 in /hypershift-ci-python #8482: fix(deps): bump urllib3 from 2.6.3 to 2.7.0 in /hypershift-ci-python

Commits

1. chore(deps): update root module dependencies
2. chore(deps): update vendored dependencies

---

Assisted-by: Claude (via Claude Code)

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 250f53c6-5802-469e-adad-bced86098049

📥 Commits

Reviewing files that changed from the base of the PR and between e0b2946 and 230172e.

⛔ Files ignored due to path filters (12)

• go.sum is excluded by !**/*.sum
• vendor/github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/azkeys/CHANGELOG.md is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/azkeys/_metadata.json is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/azkeys/assets.json is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/azkeys/build.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/azkeys/client.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/azkeys/models_serde.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/azkeys/test-resources.json is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/azkeys/time_unix.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/azkeys/tsp-location.yaml is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/azkeys/version.go is excluded by !vendor/**, !**/vendor/**
• vendor/modules.txt is excluded by !vendor/**, !**/vendor/**

📒 Files selected for processing (1)

• go.mod

🚧 Files skipped from review as they are similar to previous changes (1)

• go.mod

---

📝 Walkthrough

Walkthrough

This PR updates the Azure Key Vault SDK dependency in the HyperShift repository from v1.4.0 to v1.5.0. The change modifies a single line in go.mod to reference the newer version of the github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/azkeys package. No other module requirements, replace directives, or code changes are included in this update.

Suggested reviewers

• csrwng
• Nirshal

---

Important

Pre-merge checks failed

Please resolve all errors before merging. Addressing warnings is optional.

❌ Failed checks (1 error)

Check name	Status	Explanation	Resolution
No-Sensitive-Data-In-Logs	❌ Error	cmd/kubeconfig/create.go logs raw kubeconfig data at line 202 containing certificates/credentials, and logs kubeconfig secret references at line 184.	Remove sensitive data logging: avoid outputting raw kubeconfig contents (certificates, tokens) and secret names in error messages.

✅ Passed checks (10 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately describes the main change as a weekly dependabot consolidation, which directly corresponds to the PR's purpose of consolidating dependency updates including the Azure SDK and urllib3 bumps.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names	✅ Passed	PR test names are stable/deterministic. One fmt.Sprintf in test/envtest/generator.go uses hardcoded strings only, no dynamic elements like UUIDs, timestamps, pod names, or node names.
Test Structure And Quality	✅ Passed	Ginkgo tests meet all 5 requirements: single responsibility, setup/cleanup blocks, timeouts on waits, meaningful assertions, and consistent patterns.
Topology-Aware Scheduling Compatibility	✅ Passed	PR only updates Azure SDK dependency in go.mod; no deployment manifests, operator code, or controllers are modified or added, so topology-aware scheduling check is not applicable.
Ipv6 And Disconnected Network Test Compatibility	✅ Passed	PR only updates go.mod dependency version (azure-sdk-for-go azkeys v1.4.0→v1.5.0); no new Ginkgo e2e tests are added, so check is not applicable.
No-Weak-Crypto	✅ Passed	PR only updates dependencies (azkeys v1.5.0, urllib3 v2.7.0); no weak crypto, custom implementations, or non-constant-time comparisons detected in code.
Container-Privileges	✅ Passed	PR contains no privileged container settings. The "privileged" keyword found is a Tekton parameter (default: false), not a K8s securityContext setting.

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: hypershift-jira-solve-ci[bot]
Once this PR has been reviewed and has the lgtm label, please assign enxebre for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 40.68%. Comparing base (9b67f7b) to head (230172e).
⚠️ Report is 25 commits behind head on main.

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #8634      +/-   ##
==========================================
- Coverage   45.84%   40.68%   -5.17%     
==========================================
  Files         440      755     +315     
  Lines       52824    93363   +40539     
==========================================
+ Hits        24218    37985   +13767     
- Misses      26816    52645   +25829     
- Partials     1790     2733     +943     

see 315 files with indirect coverage changes

Flag	Coverage Δ
cmd-support	34.70% <ø> (?)
cpo-hostedcontrolplane	41.80% <ø> (ø)
cpo-other	41.39% <ø> (ø)
hypershift-operator	50.82% <ø> (ø)
other	31.61% <ø> (?)

Flags with carried forward coverage won't be shown. Click here to find out more.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[bryan-cox]

/retest
/area hypershift-operator

[bryan-cox]

/cc @bryan-cox

[bryan-cox]

/lgtm

[openshift-merge-bot]

Scheduling tests matching the pipeline_run_if_changed or not excluded by pipeline_skip_if_only_changed parameters:
/test e2e-aks
/test e2e-aws
/test e2e-aws-upgrade-hypershift-operator
/test e2e-azure-self-managed
/test e2e-kubevirt-aws-ovn-reduced
/test e2e-v2-aws
/test e2e-v2-gke

[hypershift-jira-solve-ci]

AI Test Failure Analysis

Job: pull-ci-openshift-hypershift-main-e2e-azure-self-managed | Build: 2060403953098559488 | Cost: $ | Failed step: hypershift-azure-run-e2e-self-managed

View full analysis report

---

_{Generated by hypershift-analyze-e2e-failure post-step using Claude claude-opus-4-6}

[cwbotbot]

Test Results

e2e-aws

• Status: ✅ PASS
• Started: 2026-05-30T00:18:28Z
• View Job
• View Job History

e2e-aks

• Status: ✅ PASS
• Started: 2026-05-29T16:52:43Z
• View Job
• View Job History

[bryan-cox]

/retest

[openshift-ci]

@hypershift-jira-solve-ci[bot]: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

[hypershift-jira-solve-ci]

Now I have the complete picture. Here is the analysis:

Test Failure Analysis Complete

Job Information

• Prow Job: codecov/project (GitHub Check Run, not a Prow CI job)
• Build ID: Check Run ID 78617155331
• PR: NO-JIRA: chore(deps): weekly dependabot consolidation #8634 — NO-JIRA: chore(deps): weekly dependabot consolidation
• Repository: openshift/hypershift
• Base Commit: 9b67f7b (merge of PR CNTRLPLANE-3329: Rebuild runner image on gocacheprog and pipeline changes #8633)
• Head Commit: 230172e

Test Failure Analysis

Error

codecov/project: 40.68% (-5.17%) compared to 9b67f7b
Project coverage dropped from 45.84% to 40.68% — a 5.17 percentage-point decrease.
Files: 440 → 755 (+315), Lines: 52,824 → 93,363 (+40,539)

Summary

This is a false-positive coverage regression. All unit tests pass, and the PR modifies zero coverable files (only go.mod, go.sum, and vendor/ — all in Codecov's ignore list). The coverage "drop" is caused by a stale, incomplete baseline: the Unit Tests workflow on the PR's base commit (9b67f7b) was cancelled mid-run, so only 3 of 5 coverage shards were uploaded to Codecov. When the PR uploads all 5 shards, Codecov compares full coverage (755 files) against partial coverage (440 files), producing a phantom -5.17% drop.

Root Cause

The failure chain is:

1. PR base commit has incomplete coverage data. PR NO-JIRA: chore(deps): weekly dependabot consolidation #8634 branches from commit 9b67f7b on main. The Unit Tests (Reusable) workflow (ID 26623590420) that ran on this commit was cancelled before all shards finished:

   • ✅ cpo-hostedcontrolplane — completed, coverage uploaded
   • ✅ cpo-other — completed, coverage uploaded
   • ✅ hypershift-operator — completed, coverage uploaded
   • ❌ cmd-support — cancelled, no coverage uploaded
   • ❌ other — cancelled, no coverage uploaded

2. Codecov baseline is partial. With only 3/5 shards uploaded, Codecov recorded the base commit as having 45.84% coverage across 440 files. The cmd-support and other shards (covering ./cmd/..., ./support/..., ./karpenter-operator/..., ./pkg/..., and 20+ other package trees) were never measured.

3. PR uploads complete coverage. The PR's workflow run (ID 26638573775) completed all 5 shards successfully, uploading coverage for 755 files (40.68%). Codecov's PR comment confirms the two missing shards show (?) — meaning "no baseline data available for comparison."

4. Apples-to-oranges comparison. Codecov compares 755-file total coverage (40.68%) against 440-file partial coverage (45.84%), yielding a -5.17% phantom drop. The 315 "new" files are simply the cmd-support and other packages that were never measured on the base.

5. Default threshold triggers failure. The project's codecov.yml has no explicit coverage.project threshold, so Codecov uses its default behavior: fail if project coverage decreases from the base. The -5.17% drop exceeds this, causing the codecov/project check to report failure.

6. Branch is stale. The Codecov report warns "Report is 25 commits behind head on main." More recent commits on main (e.g., 988f2be8, 048bebc4) have complete 5-shard coverage uploads. Rebasing the PR would use one of these complete baselines instead.

7. Recent main-branch runs are stuck. The 7 most recent Unit Tests (Reusable) runs on main (from 84e68271 through ab1e63be, spanning May 29 18:36 to May 30 00:43) are all in queued status with conclusion: null — they have never started. This means even the latest main commits may lack fresh coverage data, though earlier successful runs (988f2be8 at 16:42) did upload complete coverage.

Recommendations

1. Rebase PR NO-JIRA: chore(deps): weekly dependabot consolidation #8634 onto latest main — This changes the merge base to a commit with complete 5-shard coverage, eliminating the phantom drop. This is the immediate fix.

2. Investigate queued workflow runs on main — The last 7 Unit Tests (Reusable) push-triggered runs on main are stuck in queued status and never started. This may be a runner availability issue (arc-runner-set). If runs continue to queue without executing, future PRs will also accumulate stale baselines.

3. Add an explicit coverage threshold to codecov.yml — The current config has no coverage.project section. Adding a threshold with appropriate tolerance (e.g., threshold: 1%) would prevent false-positive failures from minor coverage fluctuations or partial uploads:

   coverage:
     project:
       default:
         threshold: 1%

4. Consider after_n_builds setting — Codecov can be configured to wait for all expected uploads before computing coverage. Setting after_n_builds: 5 in codecov.yml would ensure partial shard uploads (from cancelled runs) never form a baseline:

   codecov:
     notify:
       after_n_builds: 5

5. No code changes needed in this PR — The PR modifies only go.mod, go.sum, and vendored files, all of which are in Codecov's ignore list. The Codecov report itself confirms: "All modified and coverable lines are covered by tests."

Evidence

Evidence	Detail
Check Run conclusion	failure — "40.68% (-5.17%) compared to 9b67f7b"
PR modified files	13 files: go.mod, go.sum, 10 vendor/ files, vendor/modules.txt — all in Codecov ignore list
Codecov confirmation	"All modified and coverable lines are covered by tests"
Base commit workflow (ID 26623590420)	Cancelled — cmd-support and other shards never completed
Base coverage	45.84% across 440 files (3/5 shards only)
PR coverage	40.68% across 755 files (5/5 shards)
Missing shards on base	cmd-support: (?), other: (?) — no baseline data
File count delta	+315 files — packages from cmd-support and other shards not measured on base
Stale branch warning	"Report is 25 commits behind head on main"
Unit Tests workflow on PR (ID 26638573775)	All 5 shards succeeded
Recent main runs stuck	7 runs from 84e68271 to ab1e63be are queued / conclusion: null
Next successful main run after base	988f2be8 (ID 26649903933) — all 5 shards completed successfully

---

[bryan-cox]

/override codecov/project

[openshift-ci]

@bryan-cox: Overrode contexts on behalf of bryan-cox: codecov/project

Details

In response to this:

/override codecov/project

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.