
CNTRLPLANE-3020: Adopt coreos/stream-metadata-go upstream library #8673

Draft
sdminonne wants to merge 1 commit into openshift:main from sdminonne:CNTRLPLANE-3020

Conversation

@sdminonne
Contributor

@sdminonne sdminonne commented Jun 4, 2026

What this PR does / why we need it:

Replaces 18 custom CoreOS stream metadata Go types in support/releaseinfo/releaseinfo.go with canonical equivalents from github.com/coreos/stream-metadata-go v0.4.11. This eliminates duplicated type definitions, gains upstream helper methods (e.g. GetAMI(), URN()), and lays the groundwork for the dual-stream RHEL NodePool feature.

Scope: Pure refactor — no behavioral changes.

Key type mappings:

| Old (HyperShift) | New (upstream) |
| --- | --- |
| CoreOSStreamMetadata | stream.Stream |
| CoreOSArchitecture | stream.Arch |
| CoreRHCOSImage | *rhcos.Extensions |
| CoreOSAWSImages | *stream.AwsImage |
| CoreOSGCPImage | *stream.GcpImage |
| CoreOSPowerVSImage | *stream.SingleObject |
| CoreOSKubevirtImages | *stream.ContainerImage |
| HyperVGen1/HyperVGen2 | Gen1/Gen2 |
| SHA256 / URL (PowerVS) | Sha256 / Url |

Which issue(s) this PR fixes:

Fixes CNTRLPLANE-3020

Special notes for your reviewer:

  • All upstream pointer-typed fields have nil checks added at every access point
  • The Formats map changed from map[string]map[string]CoreOSFormat to map[string]stream.ImageFormat — access to disk artifacts changed from artifact["disk"] to artifact.Disk
  • Import ordering was auto-fixed by make lint-fix

Checklist:

  • Subject and description added to both, commit and PR.
  • Relevant issues have been referenced.
  • This change includes docs.
  • This change includes unit tests.

🤖 Generated with Claude Code

Summary by CodeRabbit

  • Bug Fixes

    • Improved error handling for missing or incomplete cloud metadata, providing clearer error messages instead of potential crashes across all platforms
    • Enhanced validation and nil checks for AWS, Azure, GCP, KubeVirt, OpenStack, and PowerVS configurations
  • Refactor

    • Updated internal metadata infrastructure for improved code maintainability and robustness
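The nil-checked access pattern the reviewer notes describe, as an added example that is not the PR's code: it uses local stand-in types for the subset of the stream schema involved (not the upstream stream-metadata-go package, so it runs offline), resolves an AMI through the pointer-typed AWS image and a disk artifact through the typed Formats map, and runs against a constructed stream document. The type names, field shapes and JSON keys are assumptions modelled on the stream schema and the PR's mapping table.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Local stand-in types (NOT the upstream stream-metadata-go types) for the slice of the
// stream schema the PR's nil checks touch; pointer vs value shapes follow the PR's mapping table.
type (
	Artifact struct {
		Location string `json:"location"`
		Sha256   string `json:"sha256"`
	}
	ImageFormat struct {
		Disk *Artifact `json:"disk,omitempty"`
	}
	PlatformArtifacts struct {
		Formats map[string]ImageFormat `json:"formats"`
	}
	AwsRegionImage struct {
		Image string `json:"image"`
	}
	AwsImage struct {
		Regions map[string]AwsRegionImage `json:"regions"`
	}
	Arch struct {
		Artifacts map[string]PlatformArtifacts `json:"artifacts"`
		Images    struct {
			Aws *AwsImage `json:"aws,omitempty"`
		} `json:"images"`
	}
	Stream struct {
		Architectures map[string]Arch `json:"architectures"`
	}
)

// AMIFor resolves the AMI for arch/region. Every map or pointer hop is checked so
// that missing metadata becomes an error instead of a nil-pointer panic in a controller.
func AMIFor(s *Stream, arch, region string) (string, error) {
	a, ok := s.Architectures[arch]
	if !ok {
		return "", fmt.Errorf("architecture %q not present in stream metadata", arch)
	}
	if a.Images.Aws == nil {
		return "", fmt.Errorf("stream metadata has no AWS images for %q", arch)
	}
	r, ok := a.Images.Aws.Regions[region]
	if !ok || r.Image == "" {
		return "", fmt.Errorf("no %s AMI published for region %q", arch, region)
	}
	return r.Image, nil
}

// DiskArtifact is the typed replacement for the old artifact["disk"] lookup; Disk is a
// pointer and must be nil-checked. Indexing the nil Formats map of an absent platform is safe.
func DiskArtifact(s *Stream, arch, platform, format string) (*Artifact, error) {
	a, ok := s.Architectures[arch]
	if !ok {
		return nil, fmt.Errorf("architecture %q not present in stream metadata", arch)
	}
	f, ok := a.Artifacts[platform].Formats[format]
	if !ok || f.Disk == nil {
		return nil, fmt.Errorf("no %s disk artifact for %s/%s", format, platform, arch)
	}
	return f.Disk, nil
}

// Constructed sample (not real release metadata); aarch64 has no AWS images and an empty qcow2 entry.
const sampleStreamJSON = `{"architectures": {
  "x86_64": {
    "artifacts": {"openstack": {"formats": {"qcow2.gz": {"disk": {
      "location": "https://example.invalid/rhcos.x86_64.qcow2.gz", "sha256": "00example"}}}}},
    "images": {"aws": {"regions": {"us-east-1": {"image": "ami-0000example"}}}}},
  "aarch64": {
    "artifacts": {"openstack": {"formats": {"qcow2.gz": {}}}},
    "images": {}}}}`

func LoadSampleStream() (*Stream, error) {
	var s Stream
	if err := json.Unmarshal([]byte(sampleStreamJSON), &s); err != nil {
		return nil, err
	}
	return &s, nil
}

func main() {
	s, err := LoadSampleStream()
	if err != nil {
		panic(err)
	}
	ami, err := AMIFor(s, "aarch64", "us-east-1") // Images.Aws is nil: an error, not a panic
	fmt.Printf("ami=%q err=%v\n", ami, err)
}
```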

@openshift-merge-bot
Contributor

Pipeline controller notification
This repo is configured to use the pipeline controller. Second-stage tests will be triggered either automatically or after lgtm label is added, depending on the repository configuration. The pipeline controller will automatically detect which contexts are required and will utilize /test Prow commands to trigger the second stage.

For optional jobs, comment /test ? to see a list of all defined jobs. To trigger manually all jobs from second stage use /pipeline required command.

This repository is configured in: LGTM mode

@openshift-ci-robot openshift-ci-robot added the jira/valid-reference label (Indicates that this PR references a valid Jira ticket of any type.) on Jun 4, 2026
@openshift-ci-robot

openshift-ci-robot commented Jun 4, 2026

@sdminonne: This pull request references CNTRLPLANE-3020 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "5.0.0" version, but no target version was set.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@openshift-ci openshift-ci Bot added the do-not-merge/work-in-progress label (Indicates that a PR should not merge because it is a work in progress.) on Jun 4, 2026
@openshift-ci
Contributor

openshift-ci Bot commented Jun 4, 2026

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

@coderabbitai
Contributor

coderabbitai Bot commented Jun 4, 2026

📝 Walkthrough

This PR migrates the HyperShift release image metadata schema from a custom internal implementation to the industry-standard github.com/coreos/stream-metadata-go library. The migration adds the external dependency, removes 112 lines of CoreOS-specific type definitions, updates the ReleaseImage.StreamMetadata field type, and rewires all platform-specific image readers (AWS, Azure, GCP, OpenStack, KubeVirt, PowerVS) to extract data from the new schema structure while adding more explicit nil safety checks throughout.

🚥 Pre-merge checks | ✅ 4 | ❌ 7

❌ Failed checks (7 inconclusive)

| Check name | Status | Explanation | Resolution |
| --- | --- | --- | --- |
| Stable And Deterministic Test Names | ❓ Inconclusive | Repository clone failed, so this custom check could not run with code access. | Retry the review run. If this persists, inspect pre-merge custom-check logs for infrastructure or agent runtime failures. |
| Test Structure And Quality | ❓ Inconclusive | Repository clone failed, so this custom check could not run with code access. | Retry the review run. If this persists, inspect pre-merge custom-check logs for infrastructure or agent runtime failures. |
| Topology-Aware Scheduling Compatibility | ❓ Inconclusive | Repository clone failed, so this custom check could not run with code access. | Retry the review run. If this persists, inspect pre-merge custom-check logs for infrastructure or agent runtime failures. |
| Ipv6 And Disconnected Network Test Compatibility | ❓ Inconclusive | Repository clone failed, so this custom check could not run with code access. | Retry the review run. If this persists, inspect pre-merge custom-check logs for infrastructure or agent runtime failures. |
| No-Weak-Crypto | ❓ Inconclusive | Repository clone failed, so this custom check could not run with code access. | Retry the review run. If this persists, inspect pre-merge custom-check logs for infrastructure or agent runtime failures. |
| Container-Privileges | ❓ Inconclusive | Repository clone failed, so this custom check could not run with code access. | Retry the review run. If this persists, inspect pre-merge custom-check logs for infrastructure or agent runtime failures. |
| No-Sensitive-Data-In-Logs | ❓ Inconclusive | Repository clone failed, so this custom check could not run with code access. | Retry the review run. If this persists, inspect pre-merge custom-check logs for infrastructure or agent runtime failures. |

✅ Passed checks (4 passed)

| Check name | Status | Explanation |
| --- | --- | --- |
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title clearly and specifically describes the main change: adopting an upstream coreos/stream-metadata-go library instead of custom types. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |


@openshift-ci openshift-ci Bot added the do-not-merge/needs-area and area/control-plane-operator (Indicates the PR includes changes for the control plane operator - in an OCP release) labels on Jun 4, 2026
@openshift-ci
Contributor

openshift-ci Bot commented Jun 4, 2026

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: sdminonne
Once this PR has been reviewed and has the lgtm label, please assign csrwng for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci openshift-ci Bot added the following labels and removed do-not-merge/needs-area on Jun 4, 2026:
  • area/hypershift-operator: Indicates the PR includes changes for the hypershift operator and API - outside an OCP release
  • area/platform/aws: PR/issue for AWS (AWSPlatform) platform
  • area/platform/azure: PR/issue for Azure (AzurePlatform) platform
  • area/platform/gcp: PR/issue for GCP (GCPPlatform) platform
  • area/platform/kubevirt: PR/issue for KubeVirt (KubevirtPlatform) platform
  • area/platform/openstack: PR/issue for OpenStack (OpenStackPlatform) platform
  • area/platform/powervs: PR/issue for PowerVS (PowerVSPlatform) platform
@hypershift-jira-solve-ci

I now have all the evidence needed. The root cause is clear.

Test Failure Analysis Complete

Test Failure Analysis

Error

1: CT1 Title does not start with one of fix, feat, chore, docs, style, refactor, perf, test, revert, ci, build: "releaseinfo: adopt coreos/stream-metadata-go upstream library"
make: *** [Makefile:614: run-gitlint] Error 1

Summary

The gitlint check failed because the commit message title uses releaseinfo: as its prefix, which is not one of the allowed Conventional Commits type prefixes configured in the repository's .gitlint file. The repo enforces that all commit titles must begin with one of: fix, feat, chore, docs, style, refactor, perf, test, revert, ci, or build. This is a commit message formatting issue, not a code or test bug.

Root Cause

The commit message title is:

releaseinfo: adopt coreos/stream-metadata-go upstream library

The repository's .gitlint configuration at the repo root enforces the contrib-title-conventional-commits rule, which requires commit titles to follow the Conventional Commits specification. The allowed type prefixes are explicitly configured as:

types = fix,feat,chore,docs,style,refactor,perf,test,revert,ci,build

The prefix releaseinfo is a component/package name, not a Conventional Commits type. The gitlint CT1 rule rejects the title because releaseinfo does not match any of the allowed prefixes.

Recommendations

Amend the commit message title to use a valid Conventional Commits prefix. Since this PR is a pure refactoring that replaces custom types with upstream equivalents, the appropriate prefix is refactor. For example:

refactor(releaseinfo): adopt coreos/stream-metadata-go upstream library

Or more simply:

refactor: adopt coreos/stream-metadata-go upstream library

To fix, run:

git commit --amend -m "refactor(releaseinfo): adopt coreos/stream-metadata-go upstream library" --no-edit
git push --force-with-lease

Either format is valid — type(scope): description or type: description — as long as the type prefix is one of the 11 allowed values.

| Evidence | Detail |
| --- | --- |
| Gitlint rule violated | CT1 (contrib-title-conventional-commits) |
| Commit title used | releaseinfo: adopt coreos/stream-metadata-go upstream library |
| Invalid prefix | releaseinfo (not in the allowed types list) |
| Allowed types | fix, feat, chore, docs, style, refactor, perf, test, revert, ci, build |
| Config file | .gitlint in repo root enforces contrib=contrib-title-conventional-commits |
| Workflow | .github/workflows/gitlint-reusable.yaml runs make run-gitlint |
| Exit code | 2 (gitlint validation failure) |

@codecov

codecov Bot commented Jun 4, 2026

Codecov Report

❌ Patch coverage is 52.94118% with 24 lines in your changes missing coverage. Please review.
✅ Project coverage is 41.42%. Comparing base (e25a87a) to head (aeff6d5).
⚠️ Report is 8 commits behind head on main.

| Files with missing lines | Patch % | Lines |
| --- | --- | --- |
| support/releaseinfo/testutils/testutils.go | 0.00% | 10 Missing ⚠️ |
| ...ypershift-operator/controllers/nodepool/powervs.go | 0.00% | 7 Missing ⚠️ |
| ...operator/controllers/nodepool/kubevirt/kubevirt.go | 25.00% | 2 Missing and 1 partial ⚠️ |
| ...erator/controllers/nodepool/nodepool_controller.go | 50.00% | 2 Missing and 1 partial ⚠️ |
| hypershift-operator/controllers/nodepool/azure.go | 94.44% | 0 Missing and 1 partial ⚠️ |
Additional details and impacted files
@@            Coverage Diff             @@
##             main    #8673      +/-   ##
==========================================
- Coverage   41.44%   41.42%   -0.02%     
==========================================
  Files         756      756              
  Lines       93644    93668      +24     
==========================================
- Hits        38807    38805       -2     
- Misses      52114    52137      +23     
- Partials     2723     2726       +3     
| Files with missing lines | Coverage Δ |
| --- | --- |
| hypershift-operator/controllers/nodepool/aws.go | 69.76% <100.00%> (-0.09%) ⬇️ |
| ...erator/controllers/nodepool/openstack/openstack.go | 76.22% <100.00%> (-0.20%) ⬇️ |
| support/releaseinfo/deserialize.go | 40.00% <100.00%> (ø) |
| support/releaseinfo/releaseinfo.go | 45.85% <ø> (ø) |
| hypershift-operator/controllers/nodepool/azure.go | 89.17% <94.44%> (-1.41%) ⬇️ |
| ...operator/controllers/nodepool/kubevirt/kubevirt.go | 68.70% <25.00%> (-0.53%) ⬇️ |
| ...erator/controllers/nodepool/nodepool_controller.go | 42.98% <50.00%> (-0.15%) ⬇️ |
| ...ypershift-operator/controllers/nodepool/powervs.go | 0.00% <0.00%> (ø) |
| support/releaseinfo/testutils/testutils.go | 0.00% <0.00%> (ø) |

... and 3 files with indirect coverage changes

| Flag | Coverage Δ |
| --- | --- |
| cmd-support | 34.87% <16.66%> (ø) |
| cpo-hostedcontrolplane | 43.50% <ø> (ø) |
| cpo-other | 42.74% <ø> (-0.05%) ⬇️ |
| hypershift-operator | 51.53% <64.10%> (-0.03%) ⬇️ |
| other | 31.64% <ø> (ø) |

Flags with carried forward coverage won't be shown. Click here to find out more.


Replace 18 custom CoreOS stream metadata Go types with canonical
equivalents from github.com/coreos/stream-metadata-go v0.4.11.
This eliminates duplicated type definitions and gains upstream
helper methods (e.g. GetAMI(), URN()), laying groundwork for the
dual-stream RHEL NodePool feature.

Key type mappings:
- CoreOSStreamMetadata -> stream.Stream
- CoreOSArchitecture -> stream.Arch
- CoreRHCOSImage -> *rhcos.Extensions (pointer)
- CoreOSAWSImages -> *stream.AwsImage (pointer)
- CoreOSGCPImage -> *stream.GcpImage (pointer)
- CoreOSPowerVSImage -> *stream.SingleObject
- CoreOSKubevirtImages -> *stream.ContainerImage (pointer)
- HyperVGen1/HyperVGen2 -> Gen1/Gen2
- SHA256 -> Sha256, URL -> Url (PowerVS)

Pure refactor with no behavioral changes. All platform controllers
updated with nil checks for pointer-typed upstream fields.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Contributor

@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@go.mod`:
- Line 45: The dependency entry github.com/coreos/stream-metadata-go v0.4.11 in
go.mod has been reviewed for supply-chain and licensing; verify that the Apache
License in the module's LICENSE file complies with your org's approved-license
policy and then either (a) document approval by adding a note to your
dependency/security tracker referencing github.com/coreos/stream-metadata-go
v0.4.11 and the SPDX identifier Apache-2.0, or (b) if it is not approved,
replace or remove the dependency (update go.mod to a compliant alternative or
open an RFC/PR to remove usage in the codebase such as functions/types
referencing the module) and record the decision in your dependency policy
tracker.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 1dff7c90-272c-4f48-b407-ea45ed058fb8

📥 Commits

Reviewing files that changed from the base of the PR and between 63d6ec6 and aeff6d5.

⛔ Files ignored due to path filters (7)
  • go.sum is excluded by !**/*.sum
  • vendor/github.com/coreos/stream-metadata-go/LICENSE is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/coreos/stream-metadata-go/stream/artifact_utils.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/coreos/stream-metadata-go/stream/rhcos/rhcos.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/coreos/stream-metadata-go/stream/stream.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/coreos/stream-metadata-go/stream/stream_utils.go is excluded by !vendor/**, !**/vendor/**
  • vendor/modules.txt is excluded by !vendor/**, !**/vendor/**
📒 Files selected for processing (20)
  • go.mod
  • hypershift-operator/controllers/nodepool/aws.go
  • hypershift-operator/controllers/nodepool/aws_test.go
  • hypershift-operator/controllers/nodepool/azure.go
  • hypershift-operator/controllers/nodepool/azure_test.go
  • hypershift-operator/controllers/nodepool/gcp_test.go
  • hypershift-operator/controllers/nodepool/kubevirt/kubevirt.go
  • hypershift-operator/controllers/nodepool/kubevirt/kubevirt_test.go
  • hypershift-operator/controllers/nodepool/nodepool_controller.go
  • hypershift-operator/controllers/nodepool/openstack/openstack.go
  • hypershift-operator/controllers/nodepool/openstack/openstack_test.go
  • hypershift-operator/controllers/nodepool/powervs.go
  • hypershift-operator/controllers/nodepool/token_test.go
  • support/releaseinfo/deserialize.go
  • support/releaseinfo/deserialize_test.go
  • support/releaseinfo/fake/fake.go
  • support/releaseinfo/registry_image_content_policies_test.go
  • support/releaseinfo/releaseinfo.go
  • support/releaseinfo/releaseinfo_test.go
  • support/releaseinfo/testutils/testutils.go
✅ Files skipped from review due to trivial changes (1)
  • hypershift-operator/controllers/nodepool/nodepool_controller.go
🚧 Files skipped from review as they are similar to previous changes (14)
  • support/releaseinfo/registry_image_content_policies_test.go
  • hypershift-operator/controllers/nodepool/kubevirt/kubevirt.go
  • hypershift-operator/controllers/nodepool/openstack/openstack.go
  • hypershift-operator/controllers/nodepool/kubevirt/kubevirt_test.go
  • support/releaseinfo/deserialize.go
  • support/releaseinfo/testutils/testutils.go
  • support/releaseinfo/fake/fake.go
  • support/releaseinfo/releaseinfo.go
  • hypershift-operator/controllers/nodepool/azure_test.go
  • hypershift-operator/controllers/nodepool/gcp_test.go
  • support/releaseinfo/deserialize_test.go
  • hypershift-operator/controllers/nodepool/azure.go
  • hypershift-operator/controllers/nodepool/powervs.go
  • hypershift-operator/controllers/nodepool/aws_test.go

Comment thread go.mod
github.com/clarketm/json v1.17.1
github.com/coreos/go-systemd v0.0.0-20191104093116-d3cd4ed1dbcf
github.com/coreos/ignition/v2 v2.25.1
github.com/coreos/stream-metadata-go v0.4.11
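Review bot: the new direct requirement github.com/coreos/stream-metadata-go v0.4.11 on line 45 cannot be fully reviewed from these go.mod lines alone, because the files that pin and vendor it (go.sum, vendor/modules.txt and the vendored stream/ and stream/rhcos/ sources) are excluded from this review by the path filters. Before merge, confirm that go.sum carries both the module hash line and the `/go.mod` hash line for v0.4.11, and that vendor/modules.txt lists the module at the same version with exactly the `stream` and `stream/rhcos` packages the code imports, so that `go mod verify` and a `-mod=vendor` build agree with this go.mod entry.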
Contributor


⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Description: Verify stream-metadata-go v0.4.11 for CVEs, license, and stability

echo "=== Checking GitHub Security Advisories ==="
gh api graphql -f query='
{
  securityVulnerabilities(first: 10, ecosystem: GO, package: "github.com/coreos/stream-metadata-go") {
    nodes {
      advisory {
        summary
        severity
        publishedAt
      }
      vulnerableVersionRange
      firstPatchedVersion {
        identifier
      }
    }
  }
}'

echo ""
echo "=== Checking Package Metadata from pkg.go.dev ==="
curl -s "https://pkg.go.dev/github.com/coreos/stream-metadata-go@v0.4.11" | grep -E "(License|Deprecated|Retracted)" || echo "No deprecation/retraction found"

echo ""
echo "=== Checking if v0.4.11 exists on GitHub releases ==="
gh api repos/coreos/stream-metadata-go/releases --jq '.[] | select(.tag_name == "v0.4.11") | {tag_name, prerelease, draft, published_at}'

Repository: openshift/hypershift

Length of output: 491


🏁 Script executed:

#!/bin/bash
set -euo pipefail

MOD="github.com/coreos/stream-metadata-go"
VER="v0.4.11"

echo "=== Checking OSV for known vulnerabilities ==="
# -d @- makes curl read the request body from stdin (the heredoc below); $MOD and $VER
# expand inside the unquoted heredoc, and OSV needs the ecosystem to match a Go module.
curl -s "https://api.osv.dev/v1/query" \
  -H "content-type: application/json" \
  -d @- <<JSON | jq -c '.'
{
  "package": { "name": "$MOD", "ecosystem": "Go" },
  "version": "$VER"
}
JSON

echo ""
echo "=== Extracting license(s) from pkg.go.dev ==="
# Fetch only the relevant part of the licenses tab (best-effort)
curl -s "https://pkg.go.dev/$MOD@$VER?tab=licenses" \
  | rg -o -m 5 'License:\s*</[^>]+>\s*<[^>]+>([^<]+)' || true

# Also output any "License:" lines to avoid missing formatting changes
curl -s "https://pkg.go.dev/$MOD@$VER?tab=licenses" \
  | rg -n "License:" | head -n 20 || true

Repository: openshift/hypershift

Length of output: 291


🏁 Script executed:

#!/bin/bash
set -euo pipefail

MOD="github.com/coreos/stream-metadata-go"
VER="v0.4.11"

echo "=== Checking OSV for known vulnerabilities (package + version) ==="
payload="$(jq -n --arg name "$MOD" --arg version "$VER" '{package: {name: $name}, version: $version}')"
curl -s "https://api.osv.dev/v1/query" \
  -H "content-type: application/json" \
  -d "$payload" | jq -c '.'

echo ""
echo "=== Checking pkg.go.dev license for v0.4.11 ==="
# Fetch HTML and extract license labels (best-effort; pkg.go.dev markup can vary)
curl -s -L -A "Mozilla/5.0" "https://pkg.go.dev/$MOD@$VER?tab=licenses" \
  | rg -n "License:" | head -n 20

curl -s -L -A "Mozilla/5.0" "https://pkg.go.dev/$MOD@$VER?tab=licenses" \
  | rg -o -m 10 "License:\s*[^<]+" || true

Repository: openshift/hypershift

Length of output: 183


🏁 Script executed:

#!/bin/bash
set -euo pipefail

MOD="github.com/coreos/stream-metadata-go"
VER="v0.4.11"

echo "=== OSV raw query response ==="
payload="$(jq -n --arg name "$MOD" --arg version "$VER" '{package: {name: $name}, version: $version}')"
curl -sS -D /tmp/osv_headers.txt -o /tmp/osv_body.json \
  -H "content-type: application/json" \
  --data "$payload" \
  https://api.osv.dev/v1/query || true

echo "--- HTTP ---"
cat /tmp/osv_headers.txt

echo "--- Body (first 500 chars) ---"
python3 - <<'PY'
import json, pathlib
p=pathlib.Path("/tmp/osv_body.json")
b=p.read_text(errors="ignore")
print(b[:500])
# try parse if possible
try:
    j=json.loads(b)
    print("\n--- Parsed keys ---")
    print(list(j.keys()))
    print("vulns_count=", len(j.get("vulns", [])) if isinstance(j.get("vulns"), list) else None)
except Exception:
    pass
PY

echo ""
echo "=== pkg.go.dev license tab (presence check) ==="
# Just check whether the page contains "License:" text to avoid brittle parsing
curl -sS -L -A "Mozilla/5.0" "https://pkg.go.dev/$MOD@$VER?tab=licenses" \
  | rg -n "License:" | head -n 20 || true

echo ""
echo "=== Check if module version is yanked via Go proxy ==="
curl -sS -D /tmp/proxy_headers.txt -o /tmp/proxy_info.json \
  "https://proxy.golang.org/$MOD/@v/$VER.info" || true
cat /tmp/proxy_headers.txt
python3 - <<'PY'
import pathlib, json
p=pathlib.Path("/tmp/proxy_info.json")
b=p.read_text(errors="ignore")
print("\n--- proxy info body (first 300 chars) ---")
print(b[:300])
try:
    j=json.loads(b)
    print("\nParsed:", j)
except Exception:
    pass
PY

echo ""
echo "=== Determine upstream license by scanning LICENSE files in module source ==="
tmpdir="$(mktemp -d)"
zip="/tmp/module_src.zip"
curl -sS -L -o "$zip" "https://proxy.golang.org/$MOD/@v/$VER.zip"

python3 - <<'PY'
import zipfile, re, pathlib, io, os, sys
zip_path="/tmp/module_src.zip"
z=zipfile.ZipFile(zip_path)

candidates=[]
for name in z.namelist():
    low=name.lower()
    if any(k in low for k in ["license", "copying", "licence"]):
        if low.endswith((".txt",".md",".rst",".html")) or "license" in low or "copying" in low:
            candidates.append(name)

# Prefer top-level / typical filenames
preferred=[]
for n in candidates:
    base=os.path.basename(n).lower()
    if base in ["license","license.txt","license.md","copying","copying.txt","licence","licence.txt"]:
        preferred.append(n)

top = (preferred + candidates)[:10]
print("License-like file candidates:", top)

keywords = [
    ("Apache License", re.compile(r"Apache License", re.I)),
    ("MIT License", re.compile(r"\bMIT License\b", re.I)),
    ("BSD 2-Clause", re.compile(r"\bRedistribution and use in source and binary forms\b.*\bBSD\b", re.I|re.S)),
    ("BSD 3-Clause", re.compile(r"\bNeither the name of\b.*\bmay be used to endorse\b", re.I|re.S)),
    ("GPLv2", re.compile(r"\bGNU GENERAL PUBLIC LICENSE\b.*Version 2", re.I|re.S)),
    ("GPLv3", re.compile(r"\bGNU GENERAL PUBLIC LICENSE\b.*Version 3", re.I|re.S)),
    ("MPL 2.0", re.compile(r"\bMozilla Public License\b.*2\.0", re.I|re.S)),
]

def classify(text):
    hits=[]
    for label, rx in keywords:
        if rx.search(text):
            hits.append(label)
    # also capture "SPDX-License-Identifier" if present
    spdx=re.findall(r"SPDX-License-Identifier:\s*([^\s]+)", text)
    return hits, spdx

for name in top:
    try:
        data=z.read(name)
    except Exception:
        continue
    # limit amount
    chunk=data[:200000]
    try:
        text=chunk.decode("utf-8", errors="ignore")
    except Exception:
        text=str(chunk)
    hits, spdx=classify(text)
    if hits or spdx:
        print(f"\n--- {name} ---")
        if spdx:
            print("SPDX:", spdx[:5])
        print("Matches:", hits[:10])
        # show first relevant line
        m=re.search(r"(SPDX-License-Identifier[^\n]*|Apache License[^\n]*|MIT License[^\n]*|Mozilla Public License[^\n]*|GNU GENERAL PUBLIC LICENSE[^\n]*)", text, re.I)
        if m:
            print("Example:", m.group(1).strip())
PY

Repository: openshift/hypershift

Length of output: 2296


🏁 Script executed:

#!/bin/bash
set -euo pipefail

MOD="github.com/coreos/stream-metadata-go"
VER="v0.4.11"

echo "=== License header snippet from module source ==="
zip="/tmp/module_src.zip"
curl -sS -L -o "$zip" "https://proxy.golang.org/$MOD/@v/$VER.zip"

python3 - <<'PY'
import zipfile, re
zip_path="/tmp/module_src.zip"
z=zipfile.ZipFile(zip_path)
# Prefer LICENSE at root
names=[n for n in z.namelist() if n.lower().endswith('/license') or n.lower().endswith('license')]
if not names:
    names=[n for n in z.namelist() if 'license' in n.lower()]
for n in names[:5]:
    data=z.read(n)
    text=data.decode('utf-8', errors='ignore')
    # show a tight snippet around "Apache License"
    m=re.search(r"(Apache License[^\n]{0,200})", text)
    print("\nFILE:", n)
    if m:
        print("SNIPPET:", m.group(1).strip())
    # SPDX line if present
    spdx=re.search(r"SPDX-License-Identifier:\s*([^\n]+)", text)
    if spdx:
        print("SPDX:", spdx.group(1).strip())
    # show first 30 lines (best effort)
    first="\n".join(text.splitlines()[:30])
    print("FIRST_LINES:\n", first)
    break
PY

echo ""
echo "=== Go proxy zip availability (yank check) ==="
curl -sS -I "https://proxy.golang.org/$MOD/@v/$VER.zip" | rg -i "HTTP/|Content-Type|x-goog-stored-content-length" || true

Repository: openshift/hypershift

Length of output: 1962


🏁 Script executed:

#!/bin/bash
set -euo pipefail
MOD="github.com/coreos/stream-metadata-go"
VER="v0.4.11"

payload="$(jq -n --arg name "$MOD" --arg version "$VER" \
  '{package:{name:$name, ecosystem:"Go"}, version:$version}')"

curl -sS -H "content-type: application/json" \
  -d "$payload" https://api.osv.dev/v1/query | jq -c '.vulns'

Repository: openshift/hypershift

Length of output: 1962


Supply-chain checks for github.com/coreos/stream-metadata-go v0.4.11

  • No CVEs reported for v0.4.11 (GitHub Security Advisories / OSV came back empty).
  • License: module root LICENSE indicates the Apache License.
  • Version stability: v0.4.11 is a published non-prerelease GitHub release and https://proxy.golang.org/.../@v/v0.4.11.zip is available (not yanked).

Confirm the Apache license fits your repo/org’s approved-license policy.

