Skip to content

Update google.golang.org/genproto/googleapis/api digest to f0a9213#212

Open
red-hat-konflux-kflux-prd-rh02[bot] wants to merge 1 commit into
mainfrom
konflux/mintmaker/main/google.golang.org-genproto-googleapis-api-digest
Open

Update google.golang.org/genproto/googleapis/api digest to f0a9213#212
red-hat-konflux-kflux-prd-rh02[bot] wants to merge 1 commit into
mainfrom
konflux/mintmaker/main/google.golang.org-genproto-googleapis-api-digest

Conversation

@red-hat-konflux-kflux-prd-rh02

@red-hat-konflux-kflux-prd-rh02 red-hat-konflux-kflux-prd-rh02 Bot commented Jul 6, 2026

Copy link
Copy Markdown
Contributor

This PR contains the following updates:

Package Type Update Change
google.golang.org/genproto/googleapis/api indirect digest 9d38bb4f0a9213

Warning

Some dependencies could not be looked up. Check the warning logs for more information.


Configuration

📅 Schedule: (UTC)

  • Branch creation
    • "on monday"
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

To execute skipped test pipelines write comment /ok-to-test.


Documentation

Find out how to configure dependency updates in MintMaker documentation or see all available configuration options in Renovate documentation.

@openshift-ci

openshift-ci Bot commented Jul 6, 2026

Copy link
Copy Markdown

Hi @red-hat-konflux-kflux-prd-rh02[bot]. Thanks for your PR.

I'm waiting for a openshift-hyperfleet member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work.

Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@coderabbitai

coderabbitai Bot commented Jul 6, 2026

Copy link
Copy Markdown
📝 Walkthrough

Walkthrough

go.mod updates indirect versions for golang.org/x/crypto, golang.org/x/net, golang.org/x/sys, golang.org/x/text, google.golang.org/genproto/googleapis/api, and google.golang.org/genproto/googleapis/rpc. Other listed indirect module versions remain unchanged. Supply-chain surface: verify module provenance and matching go.sum entries. CWE-1104.

Estimated code review effort: 1 (Trivial) | ~3 minutes

🚥 Pre-merge checks | ✅ 11
✅ Passed checks (11 passed)
Check name Status Explanation
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
Sec-02: Secrets In Log Output ✅ Passed No non-test/example Go log statements expose token/password/credential/secret fields or interpolations; no CWE-532 exposure found.
No Hardcoded Secrets ✅ Passed Only go.mod/go.sum dependency bumps; no hardcoded creds, embedded user:pass URLs, or apiKey/secret/token/password literals found (CWE-798/321).
No Weak Cryptography ✅ Passed Only go.mod/go.sum changed; no banned primitives, custom crypto, or secret comparisons found. No CWE-327/CWE-328 regression in this diff.
No Injection Vectors ✅ Passed Only go.mod/go.sum version bumps; no SQL, exec.Command, template.HTML, or yaml.Unmarshal changes in the diff (CWE-89/CWE-78/CWE-79/CWE-502).
No Privileged Containers ✅ Passed Only go.mod/go.sum changed; no K8s/OpenShift manifests, Helm templates, or Dockerfiles. No new privileged settings (CWE-269/CWE-732).
No Pii Or Sensitive Data In Logs ✅ Passed No changed logging statements; PR is dependency-only, so no new CWE-532 log-exposure path.
Title check ✅ Passed The title identifies a real dependency digest update, though the PR also changes other indirect modules.
Description check ✅ Passed The description directly describes the dependency digest update reflected in the changeset.
✨ Finishing Touches
📝 Generate docstrings
  • Create stacked PR
  • Commit on current branch
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch konflux/mintmaker/main/google.golang.org-genproto-googleapis-api-digest
✨ Simplify code
  • Create PR with simplified code
  • Commit simplified code in branch konflux/mintmaker/main/google.golang.org-genproto-googleapis-api-digest

Comment @coderabbitai help to get the list of available commands.

@rafabene

rafabene commented Jul 6, 2026

Copy link
Copy Markdown
Member

Closing — waiting for Go 1.26 bump (HYPERFLEET-1311). Renovate will recreate with proper go.sum after the bump.

@rafabene rafabene closed this Jul 6, 2026
@rafabene rafabene reopened this Jul 6, 2026
@rafabene

rafabene commented Jul 6, 2026

Copy link
Copy Markdown
Member

/ok-to-test

@hyperfleet-ci-bot

hyperfleet-ci-bot Bot commented Jul 6, 2026

Copy link
Copy Markdown

Risk Score: 0 — risk/low

Signal Detail Points
PR size 40 lines +0
Sensitive paths none +0

Computed by hyperfleet-risk-scorer

@red-hat-konflux-kflux-prd-rh02 red-hat-konflux-kflux-prd-rh02 Bot force-pushed the konflux/mintmaker/main/google.golang.org-genproto-googleapis-api-digest branch from 68a4dcc to 3a37454 Compare July 6, 2026 20:04
@rafabene

rafabene commented Jul 7, 2026

Copy link
Copy Markdown
Member

/retest

@red-hat-konflux-kflux-prd-rh02 red-hat-konflux-kflux-prd-rh02 Bot force-pushed the konflux/mintmaker/main/google.golang.org-genproto-googleapis-api-digest branch from 3a37454 to ebda401 Compare July 7, 2026 20:03
@red-hat-konflux-kflux-prd-rh02 red-hat-konflux-kflux-prd-rh02 Bot changed the title Update google.golang.org/genproto/googleapis/api digest to 925bb5d Update google.golang.org/genproto/googleapis/api digest to f0a9213 Jul 7, 2026
@red-hat-konflux-kflux-prd-rh02

Copy link
Copy Markdown
Contributor Author

ℹ️ Artifact update notice

File name: go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

  • 5 additional dependencies were updated

Details:

Package Change
golang.org/x/crypto v0.49.0 -> v0.51.0
golang.org/x/net v0.52.0 -> v0.55.0
golang.org/x/sys v0.42.0 -> v0.45.0
golang.org/x/text v0.35.0 -> v0.37.0
google.golang.org/genproto/googleapis/rpc v0.0.0-20260401024825-9d38bb4040a9 -> v0.0.0-20260630182238-925bb5da69e7

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@go.mod`:
- Line 128: Upgrade the indirect golang.org/x/crypto dependency in go.mod from
v0.51.0 to v0.52.0 or later and refresh go.sum so the module graph resolves to
the fixed release; keep the change scoped to the dependency entry and ensure any
related checksum updates are included.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Central YAML (base), Organization UI (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 9aa26284-7dae-4456-aff8-82343a9eac50

📥 Commits

Reviewing files that changed from the base of the PR and between 3a37454 and ebda401.

⛔ Files ignored due to path filters (1)
  • go.sum is excluded by !**/*.sum, !**/go.sum
📒 Files selected for processing (1)
  • go.mod
🔗 Linked repositories identified

CodeRabbit considers these linked repositories for cross-repo context during reviews:

Comment thread go.mod
go.yaml.in/yaml/v3 v3.0.4 // indirect
golang.org/x/crypto v0.49.0 // indirect
golang.org/x/net v0.52.0 // indirect
golang.org/x/crypto v0.51.0 // indirect

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🔒 Security & Privacy | 🔴 Critical | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

printf 'go.mod excerpt:\n'
nl -ba go.mod | sed -n '118,136p'

printf '\nGo crypto references:\n'
rg -n 'golang.org/x/crypto|golang.org/x/term|golang.org/x/sys' go.mod go.sum

Repository: openshift-hyperfleet/hyperfleet-sentinel

Length of output: 234


🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "go.mod excerpt:"
awk 'NR>=118 && NR<=136 { printf "%4d  %s\n", NR, $0 }' go.mod

echo
echo "go.sum references:"
rg -n 'golang.org/x/crypto|golang.org/x/term|golang.org/x/sys' go.sum go.mod || true

echo
echo "module graph entries for golang.org/x/crypto (if go is available):"
if command -v go >/dev/null 2>&1; then
  go list -m all 2>/dev/null | rg '^golang.org/x/crypto(\s|$)' || true
else
  echo "go command not available"
fi

Repository: openshift-hyperfleet/hyperfleet-sentinel

Length of output: 3160


🌐 Web query:

golang.org/x/crypto v0.51.0 vulnerability GO-2026 ssh agent advisories

💡 Result:

The version golang.org/x/crypto v0.51.0 is affected by multiple security vulnerabilities related to the ssh/agent package, which were addressed in version v0.52.0 [1]. Key security advisories affecting v0.51.0 include: 1. Pathological Input Panic: A vulnerability (CVE-2026-46598 / GO-2026-5033) exists where specifically crafted wire bytes can cause a client panic when creating an ed25519.PrivateKey [2][3][4]. 2. Dropped Agent Constraints: A vulnerability (CVE-2026-39832 / GO-2026-5006) occurs where constraint extensions (such as destination restrictions) are silently stripped when forwarding keys to a remote agent, potentially allowing unauthorized use of the key [5][6]. 3. Unenforced Confirmation Constraints: A vulnerability (CVE-2026-39833 / GO-2026-5005) exists where the in-memory keyring accepted but failed to enforce the ConfirmBeforeUse constraint, allowing keys to sign without the expected confirmation prompt [7][8]. These issues were resolved in golang.org/x/crypto v0.52.0, released on May 22, 2026 [9][1]. Users are advised to upgrade to v0.52.0 or later to mitigate these risks [1].

Citations:


Upgrade golang.org/x/crypto to v0.52.0 or later.
v0.51.0 is still in the module graph and is affected by CVE-2026-39833 / GO-2026-5005, CVE-2026-39832 / GO-2026-5006, and CVE-2026-46598 / GO-2026-5033. Refresh go.sum with the fixed release.

🧰 Tools
🪛 OSV Scanner (2.4.0)

[CRITICAL] 128-128: golang.org/x/crypto 0.51.0: Invoking key constraints not enforced in golang.org/x/crypto/ssh/agent

(GO-2026-5005)


[CRITICAL] 128-128: golang.org/x/crypto 0.51.0: Invoking agent constraints dropped when forwarding keys in golang.org/x/crypto/ssh/agent

(GO-2026-5006)


[CRITICAL] 128-128: golang.org/x/crypto 0.51.0: Invoking byte arithmetic causes underflow and panic in golang.org/x/crypto/ssh

(GO-2026-5013)


[CRITICAL] 128-128: golang.org/x/crypto 0.51.0: Invoking bypass of certificate restrictions in golang.org/x/crypto/ssh

(GO-2026-5014)


[CRITICAL] 128-128: golang.org/x/crypto 0.51.0: Invoking server panic during CheckHostKey/Authenticate in golang.org/x/crypto/ssh

(GO-2026-5015)


[CRITICAL] 128-128: golang.org/x/crypto 0.51.0: Invoking memory leak when rejecting channels can lead to DoS in golang.org/x/crypto/ssh

(GO-2026-5016)


[CRITICAL] 128-128: golang.org/x/crypto 0.51.0: Invoking client can cause server deadlock on unexpected responses in golang.org/x/crypto/ssh

(GO-2026-5017)


[CRITICAL] 128-128: golang.org/x/crypto 0.51.0: Invoking pathological RSA/DSA parameters may cause DoS in golang.org/x/crypto/ssh

(GO-2026-5018)


[CRITICAL] 128-128: golang.org/x/crypto 0.51.0: Invoking bypass of FIDO/U2F security keys physical interaction in golang.org/x/crypto/ssh

(GO-2026-5019)


[CRITICAL] 128-128: golang.org/x/crypto 0.51.0: Invoking infinite loop on large channel writes in golang.org/x/crypto/ssh

(GO-2026-5020)


[CRITICAL] 128-128: golang.org/x/crypto 0.51.0: Invoking auth bypass via unenforced @revoked status in golang.org/x/crypto/ssh/knownhosts

(GO-2026-5021)


[CRITICAL] 128-128: golang.org/x/crypto 0.51.0: Invoking VerifiedPublicKeyCallback permissions skip enforcement in golang.org/x/crypto/ssh

(GO-2026-5023)


[CRITICAL] 128-128: golang.org/x/crypto 0.51.0: Invoking pathological inputs can lead to client panic in golang.org/x/crypto/ssh/agent

(GO-2026-5033)


[CRITICAL] 128-128: golang.org/x/crypto 0.51.0: golang.org/x/crypto vulnerable to invoking bypass of certificate restrictions

(GHSA-45gg-vh54-h5m9)


[CRITICAL] 128-128: golang.org/x/crypto 0.51.0: golang.org/x/crypto vulnerable to auth bypass via unenforced @revoked status

(GHSA-5cgq-3rg8-m6cv)


[CRITICAL] 128-128: golang.org/x/crypto 0.51.0: golang.org/x/crypto is vulnerable to invoking server panic during CheckHostKey/Authenticate flow

(GHSA-78mq-xcr3-xm33)


[CRITICAL] 128-128: golang.org/x/crypto 0.51.0: golang.org/x/crypto: FIDO/U2F security key physical presence check can be bypassed

(GHSA-89gr-r52h-f8rx)


[CRITICAL] 128-128: golang.org/x/crypto 0.51.0: golang.org/x/crypto: Invoking pathological inputs can lead to client panic

(GHSA-9m57-25v3-79x9)


[CRITICAL] 128-128: golang.org/x/crypto 0.51.0: golang.org/x/crypto doesn't drop invoking agent constraints when forwarding keys

(GHSA-f5wc-c3c7-36mc)


[CRITICAL] 128-128: golang.org/x/crypto 0.51.0: golang.org/x/crypto doesn't enforce invoking key constraints

(GHSA-jppx-rxg9-jmrx)


[CRITICAL] 128-128: golang.org/x/crypto 0.51.0: golang.org/x/crypto: Invoking byte arithmetic causes underflow and panic

(GHSA-q4h4-gmj2-qvw2)


[CRITICAL] 128-128: golang.org/x/crypto 0.51.0: golang.org/x/crypto: Invoking memory leak when rejecting channels can lead to DoS

(GHSA-qpw4-5x99-6vjp)


[CRITICAL] 128-128: golang.org/x/crypto 0.51.0: golang.org/x/crypto vulnerable to infinite loop on large channel writes

(GHSA-rm3j-f69w-wqmq)


[CRITICAL] 128-128: golang.org/x/crypto 0.51.0: golang.org/x/crypto: Invoking client can cause server deadlock on unexpected responses

(GHSA-vgwf-h737-ff37)


[CRITICAL] 128-128: golang.org/x/crypto 0.51.0: golang.org/x/crypto: Invoking pathological RSA/DSA parameters may cause DoS

(GHSA-w879-237q-wc7r)


[CRITICAL] 128-128: golang.org/x/crypto 0.51.0: golang.org/x/crypto: Invoking VerifiedPublicKeyCallback permissions skip enforcement

(GHSA-x527-x647-q7gg)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@go.mod` at line 128, Upgrade the indirect golang.org/x/crypto dependency in
go.mod from v0.51.0 to v0.52.0 or later and refresh go.sum so the module graph
resolves to the fixed release; keep the change scoped to the dependency entry
and ensure any related checksum updates are included.

Sources: Path instructions, Linters/SAST tools

@rafabene rafabene changed the title Update google.golang.org/genproto/googleapis/api digest to f0a9213 rebase! Update google.golang.org/genproto/googleapis/api digest to f0a9213 Jul 8, 2026
Signed-off-by: red-hat-konflux-kflux-prd-rh02 <190377777+red-hat-konflux-kflux-prd-rh02[bot]@users.noreply.github.com>
@red-hat-konflux-kflux-prd-rh02 red-hat-konflux-kflux-prd-rh02 Bot force-pushed the konflux/mintmaker/main/google.golang.org-genproto-googleapis-api-digest branch from ebda401 to f869f69 Compare July 8, 2026 16:03
@red-hat-konflux-kflux-prd-rh02 red-hat-konflux-kflux-prd-rh02 Bot changed the title rebase! Update google.golang.org/genproto/googleapis/api digest to f0a9213 Update google.golang.org/genproto/googleapis/api digest to f0a9213 Jul 8, 2026

@rafabene rafabene left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@rafabene

rafabene commented Jul 8, 2026

Copy link
Copy Markdown
Member

/lgtm

@openshift-ci

openshift-ci Bot commented Jul 8, 2026

Copy link
Copy Markdown

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: rafabene

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci openshift-ci Bot added the approved label Jul 8, 2026
@openshift-ci

openshift-ci Bot commented Jul 8, 2026

Copy link
Copy Markdown

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: rafabene

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci

openshift-ci Bot commented Jul 9, 2026

Copy link
Copy Markdown

PR needs rebase.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant