Skip to content

Misc deps updates (for release-v0.8 branch)#3397

Open
simonbaird wants to merge 10 commits into
conforma:release-v0.8from
simonbaird:misc-deps-update-v0.8
Open

Misc deps updates (for release-v0.8 branch)#3397
simonbaird wants to merge 10 commits into
conforma:release-v0.8from
simonbaird:misc-deps-update-v0.8

Conversation

@simonbaird

Copy link
Copy Markdown
Member

Similar to #3396, but this branch did get some updates more recently, e.g. the golang upgrade happened already here.

simonbaird and others added 6 commits July 9, 2026 15:00
I'm about to update some modules, and this makes life easier. Bring
the scripts from main branch into release-v0.8 branch.

The ubi script was already here, but bring in some tweaks from main
branch.
Also stop using konflux-ci/konflux-vanguard quay org for the
rpms-signature-scan task.

Done like this:

  curl -sL https://github.com/simonbaird/konflux-pipeline-patcher/raw/main/pipeline-patcher  | bash -s bump-task-refs
This fixes some go mod tidy errors that we've been ignoring for a
while.

Older knative.dev/eventing versions import
knative.dev/pkg/{metrics,tracing/config} which have been removed
upstream. Fix by excluding v0.30.3 in tools and requiring minimum
v0.49.2 in acceptance (the first version that dropped the removed
imports).

Based on commit 4fb63b3 in main branch.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Commit created like this:

  hack/go-mod-upgrade-helper golang.org/x/crypto/ssh
Commit created like this:

  hack/go-mod-upgrade-helper golang.org/x/net
@coderabbitai

coderabbitai Bot commented Jul 9, 2026

Copy link
Copy Markdown

Important

Review skipped

Auto reviews are disabled on base/target branches other than the default branch.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Enterprise

Run ID: d114c7b4-11b5-4be9-b240-1b519dce6b92

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

  • 🔍 Trigger review
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Comment @coderabbitai help to get the list of available commands.

@fullsend-ai-review

fullsend-ai-review Bot commented Jul 9, 2026

Copy link
Copy Markdown

🤖 Finished Review · ❌ Failure · Started 7:21 PM UTC · Completed 7:33 PM UTC
Commit: 87c4a29 · View workflow run →

@fullsend-ai-review

fullsend-ai-review Bot commented Jul 9, 2026

Copy link
Copy Markdown

Review — Approve ✅

Routine dependency update PR targeting the release-v0.8 branch. All changes are consistent and well-scoped. Reviewed across correctness, security, intent/coherence, style, documentation, and cross-repo contract dimensions.

Summary of changes

Area Changes
Tekton pipelines SHA256 digest bumps for 14 task bundles in both cli-v08-pull-request.yaml and cli-v08-push.yaml. rpms-signature-scan also migrated from konflux-vanguardtekton-catalog registry.
Container base image UBI9 minimal digest updated consistently in Dockerfile and Dockerfile.dist.
Go dependencies Updates across all 4 Go modules (root, acceptance/, tools/, tools/kubectl/): k8s.io v0.35→v0.36, go-git v5.19.0→v5.19.1, kustomize v0.20→v0.21, containerd v2.2→v2.3, plus standard golang.org/x and OpenTelemetry bumps.
Dependency cleanup Removed unused transitive deps: blendle/zapdriver, census-instrumentation/opencensus-proto, go-kit/log, gogo/protobuf, golang/protobuf, opencensus.io, gregjones/httpcache, prometheus/statsd_exporter.
knative workaround Added knative.dev/eventing v0.49.2 (require/exclude) to resolve removed package imports in knative.dev/pkg.
New script hack/go-mod-upgrade-helper.sh — convenience script to update a Go package across all modules with auto-commit.
Modified script hack/ubi-base-image-bump.sh — simplified by removing auto-branch-creation and push/PR logic; now only commits.

Findings

Low — Pre-release protobuf on release branch (go.mod, all modules)

google.golang.org/protobuf is pinned to pseudo-version v1.36.12-0.20260120151049-f2248ac996af rather than a stable release tag. This is consistent across all 4 modules and likely required by the k8s.io v0.36.0 dependency chain, but worth tracking for a release branch. Once upstream publishes a stable v1.36.12+, consider updating to the tagged release.

Observations (non-blocking)

  • Tekton task bundle updates: All 14 tasks updated with matching digests between PR and push pipelines — confirmed symmetric.
  • k8s.io version alignment: k8s.io/apiextensions-apiserver and k8s.io/apiserver remain at v0.35.4 while core k8s.io packages move to v0.36.0. This version skew is common in the k8s Go module ecosystem and is compatible.
  • --no-gpg-sign in helper script: Used in hack/go-mod-upgrade-helper.sh for agent/automation convenience. The inline comment explains signing is restored on rebase. Acceptable for a developer helper script.
  • hack/ubi-base-image-bump.sh simplification: Branch creation and push logic are commented out rather than deleted. This is fine for a helper script where the old behavior may be useful as reference.
  • TIDY_ARGS empty array expansion: The script uses "${TIDY_ARGS[@]}" with set -o nounset enabled. This is safe in bash 4.4+ (empty array [@] expands to nothing without triggering unbound variable errors), which is the standard on modern systems.

Protected paths detected — this PR modifies files under one or more
protected paths. The review agent cannot approve PRs that touch these paths.
A human reviewer must approve this PR.

Protected files in this PR:

  • Dockerfile
  • Dockerfile.dist

Labels: PR updates Go dependencies, container base images, and CI pipeline task bundles for the release-v0.8 branch

Previous run

Review — comment

Scope: Dependency updates for the release-v0.8 branch — Tekton task bundle digest bumps, UBI9 base image digest updates, Go module version upgrades (golang.org/x/*, OpenTelemetry, knative, prometheus), and a knative.dev/eventing compatibility fix. Includes a new hack/go-mod-upgrade-helper.sh developer script and simplification of hack/ubi-base-image-bump.sh.

The dependency update payload (12 of 14 files) is mechanical and correct. Digests are properly pinned, version bumps are consistent across all four Go modules, and the rpms-signature-scan registry migration from konflux-vanguard to tekton-catalog aligns with main. No security concerns were identified.

Findings below are limited to the two helper scripts and are non-blocking.


Findings

1. Missing input validation for required argument — hack/go-mod-upgrade-helper.sh:31 (medium · error handling)

With set -o nounset enabled, PKG="${POSITIONAL[0]}" will abort with a cryptic unbound variable error when no positional argument is provided. The script requires a package name to function, but the failure mode gives no indication of correct usage.

Suggested fix:

if [[ ${#POSITIONAL[@]} -eq 0 ]]; then
  echo "Usage: $0 <package> [jira-id] [--ignore-tidy-error]" >&2
  exit 1
fi

2. Unquoted variables in shell commands — hack/ubi-base-image-bump.sh (low · quoting-convention)

Several variables are used unquoted where the repo's other hack/ scripts consistently quote them:

  • Line 29: docker://$UBI_MINIMAL → should be "docker://${UBI_MINIMAL}"
  • Line 36: sed ... -i $d → should be sed ... -i "$d"
  • Line 52: git add ${DOCKER_FILES[@]} → should be git add "${DOCKER_FILES[@]}"

The current values are space-free so this is cosmetic today, but it deviates from the quoting discipline in sibling scripts (e.g., go-mod-upgrade-helper.sh correctly quotes "$PKG", "${JIRA_REF_OPT[@]}").

3. Empty array expansion with nounset — hack/go-mod-upgrade-helper.sh:43 (low · shell portability)

"${TIDY_ARGS[@]}" when TIDY_ARGS is empty could trigger an unbound variable error on bash < 4.4. Since UBI9 ships bash 5.1+ this is safe in practice, but the portable idiom ${TIDY_ARGS[@]+"${TIDY_ARGS[@]}"} would avoid the edge case.


No security, documentation, or cross-repo contract concerns. No CI pipeline permissions or secrets were modified.


Labels: PR is a dependency update with CI pipeline config changes and developer tooling additions

@codecov

codecov Bot commented Jul 9, 2026

Copy link
Copy Markdown

Codecov Report

✅ All modified and coverable lines are covered by tests.

Flag Coverage Δ
acceptance 54.86% <ø> (+<0.01%) ⬆️
generative 18.14% <ø> (ø)
integration 26.99% <ø> (ø)
unit 68.66% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

Commit created like this:

  hack/go-mod-upgrade-helper k8s.io/kubectl@v0.36.0
Commit created like this:

  hack/go-mod-upgrade-helper github.com/containerd/containerd
Commit created like this:

  hack/go-mod-upgrade-helper github.com/containerd/containerd/v2
Also updates github.com/go-git/go-billy/v5

Commit created like this:

  hack/go-mod-upgrade-helper github.com/go-git/go-git/v5
@fullsend-ai-review

fullsend-ai-review Bot commented Jul 9, 2026

Copy link
Copy Markdown

🤖 Finished Review · ✅ Success · Started 8:28 PM UTC · Completed 8:34 PM UTC
Commit: 87c4a29 · View workflow run →

@fullsend-ai-review fullsend-ai-review Bot added requires-manual-review Review requires human judgment dependencies Pull requests that update a dependency file go Pull requests that update Go code ci labels Jul 9, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

ci dependencies Pull requests that update a dependency file go Pull requests that update Go code requires-manual-review Review requires human judgment size: XXL

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants