OAPE-843: 4.22 chore: Rebase openshift/ocp-release-operator-sdk to upstream operator-framework/operator-sdk v1.42.3#457
Conversation
Signed-off-by: Adam D. Cornett <adc@redhat.com>
Bumps [google.golang.org/grpc](https://github.com/grpc/grpc-go) from 1.78.0 to 1.79.3. - [Release notes](https://github.com/grpc/grpc-go/releases) - [Commits](grpc/grpc-go@v1.78.0...v1.79.3) --- updated-dependencies: - dependency-name: google.golang.org/grpc dependency-version: 1.79.3 dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Adam D. Cornett <adc@redhat.com>
Signed-off-by: Adam D. Cornett <adc@redhat.com>
Signed-off-by: Adam D. Cornett <adc@redhat.com>
Bumps [github.com/go-jose/go-jose/v4](https://github.com/go-jose/go-jose) from 4.1.3 to 4.1.4. - [Release notes](https://github.com/go-jose/go-jose/releases) - [Commits](go-jose/go-jose@v4.1.3...v4.1.4) --- updated-dependencies: - dependency-name: github.com/go-jose/go-jose/v4 dependency-version: 4.1.4 dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [go.opentelemetry.io/otel/sdk](https://github.com/open-telemetry/opentelemetry-go) from 1.40.0 to 1.43.0. - [Release notes](https://github.com/open-telemetry/opentelemetry-go/releases) - [Changelog](https://github.com/open-telemetry/opentelemetry-go/blob/main/CHANGELOG.md) - [Commits](open-telemetry/opentelemetry-go@v1.40.0...v1.43.0) --- updated-dependencies: - dependency-name: go.opentelemetry.io/otel/sdk dependency-version: 1.43.0 dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [github.com/go-git/go-git/v5](https://github.com/go-git/go-git) from 5.16.5 to 5.17.1. - [Release notes](https://github.com/go-git/go-git/releases) - [Commits](go-git/go-git@v5.16.5...v5.17.1) --- updated-dependencies: - dependency-name: github.com/go-git/go-git/v5 dependency-version: 5.17.1 dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [github.com/distribution/distribution/v3](https://github.com/distribution/distribution) from 3.0.0 to 3.1.0. - [Release notes](https://github.com/distribution/distribution/releases) - [Commits](distribution/distribution@v3.0.0...v3.1.0) --- updated-dependencies: - dependency-name: github.com/distribution/distribution/v3 dependency-version: 3.1.0 dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
…(#7082) Bumps [go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp](https://github.com/open-telemetry/opentelemetry-go) from 1.36.0 to 1.43.0. - [Release notes](https://github.com/open-telemetry/opentelemetry-go/releases) - [Changelog](https://github.com/open-telemetry/opentelemetry-go/blob/main/CHANGELOG.md) - [Commits](open-telemetry/opentelemetry-go@v1.36.0...v1.43.0) --- updated-dependencies: - dependency-name: go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp dependency-version: 1.43.0 dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
…p (#7081) Bumps [go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp](https://github.com/open-telemetry/opentelemetry-go) from 1.36.0 to 1.43.0. - [Release notes](https://github.com/open-telemetry/opentelemetry-go/releases) - [Changelog](https://github.com/open-telemetry/opentelemetry-go/blob/main/CHANGELOG.md) - [Commits](open-telemetry/opentelemetry-go@v1.36.0...v1.43.0) --- updated-dependencies: - dependency-name: go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp dependency-version: 1.43.0 dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploghttp](https://github.com/open-telemetry/opentelemetry-go) from 0.12.2 to 0.19.0. - [Release notes](https://github.com/open-telemetry/opentelemetry-go/releases) - [Changelog](https://github.com/open-telemetry/opentelemetry-go/blob/main/CHANGELOG.md) - [Commits](open-telemetry/opentelemetry-go@log/v0.12.2...v0.19.0) --- updated-dependencies: - dependency-name: go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploghttp dependency-version: 0.19.0 dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [github.com/moby/spdystream](https://github.com/moby/spdystream) from 0.5.0 to 0.5.1. - [Release notes](https://github.com/moby/spdystream/releases) - [Commits](moby/spdystream@v0.5.0...v0.5.1) --- updated-dependencies: - dependency-name: github.com/moby/spdystream dependency-version: 0.5.1 dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [github.com/distribution/distribution/v3](https://github.com/distribution/distribution) from 3.1.0 to 3.1.1. - [Release notes](https://github.com/distribution/distribution/releases) - [Commits](distribution/distribution@v3.1.0...v3.1.1) --- updated-dependencies: - dependency-name: github.com/distribution/distribution/v3 dependency-version: 3.1.1 dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [github.com/go-git/go-git/v5](https://github.com/go-git/go-git) from 5.17.1 to 5.19.0. - [Release notes](https://github.com/go-git/go-git/releases) - [Changelog](https://github.com/go-git/go-git/blob/main/HISTORY.md) - [Commits](go-git/go-git@v5.17.1...v5.19.0) --- updated-dependencies: - dependency-name: github.com/go-git/go-git/v5 dependency-version: 5.19.0 dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [github.com/go-git/go-git/v5](https://github.com/go-git/go-git) from 5.19.0 to 5.19.1. - [Release notes](https://github.com/go-git/go-git/releases) - [Changelog](https://github.com/go-git/go-git/blob/main/HISTORY.md) - [Commits](go-git/go-git@v5.19.0...v5.19.1) --- updated-dependencies: - dependency-name: github.com/go-git/go-git/v5 dependency-version: 5.19.1 dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [github.com/containerd/containerd](https://github.com/containerd/containerd) from 1.7.29 to 1.7.32. - [Release notes](https://github.com/containerd/containerd/releases) - [Changelog](https://github.com/containerd/containerd/blob/main/RELEASES.md) - [Commits](containerd/containerd@v1.7.29...v1.7.32) --- updated-dependencies: - dependency-name: github.com/containerd/containerd dependency-version: 1.7.32 dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
…cies (#7106) Signed-off-by: Adam D. Cornett <adc@redhat.com>
Bumps ubi9/ubi-minimal from 9.7 to 9.8. --- updated-dependencies: - dependency-name: ubi9/ubi-minimal dependency-version: '9.8' dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps ubi9/ubi-minimal from 9.7 to 9.8. --- updated-dependencies: - dependency-name: ubi9/ubi-minimal dependency-version: '9.8' dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps ubi9/ubi-minimal from 9.7 to 9.8. --- updated-dependencies: - dependency-name: ubi9/ubi-minimal dependency-version: '9.8' dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
…ts (#7095) Bumps ubi9/ubi-minimal from 9.7 to 9.8. --- updated-dependencies: - dependency-name: ubi9/ubi-minimal dependency-version: '9.8' dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [github.com/containerd/containerd](https://github.com/containerd/containerd) from 1.7.32 to 1.7.33. - [Release notes](https://github.com/containerd/containerd/releases) - [Changelog](https://github.com/containerd/containerd/blob/main/RELEASES.md) - [Commits](containerd/containerd@v1.7.32...v1.7.33) --- updated-dependencies: - dependency-name: github.com/containerd/containerd dependency-version: 1.7.33 dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Adam D. Cornett <adc@redhat.com>
Signed-off-by: Adam D. Cornett <adc@redhat.com>
Operator SDK v1.42.3 Merge executed via ./UPSTREAM-MERGE.sh v1.42.3 upstream main Overwritten conflicts: <NONE>
|
@PillaiManish: This pull request references OAPE-843 which is a valid jira issue. Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target either version "5.0." or "openshift-5.0.", but it targets "openshift-4.22" instead. DetailsIn response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: PillaiManish The full list of commands accepted by this bot can be found here. DetailsNeeds approval from an approver in each of these files:Approvers can indicate their approval by writing |
|
No actionable comments were generated in the recent review. 🎉 ℹ️ Recent review info⚙️ Run configurationConfiguration used: Repository: openshift/coderabbit/.coderabbit.yaml Review profile: CHILL Plan: Enterprise Run ID: 📒 Files selected for processing (2)
✅ Files skipped from review due to trivial changes (1)
🚧 Files skipped from review as they are similar to previous changes (1)
WalkthroughThis PR updates release and version references, refreshes Go toolchain and dependency pins, bumps container base images, updates scorecard/operator-sdk testdata, and adds release documentation for the new versions. ChangesRelease and image refresh
Estimated code review effort: 2 (Simple) | ~10 minutes Important Pre-merge checks failedPlease resolve all errors before merging. Addressing warnings is optional. ❌ Failed checks (1 error)
✅ Passed checks (14 passed)
✨ Finishing Touches🧪 Generate unit tests (beta)
Comment |
There was a problem hiding this comment.
Actionable comments posted: 1
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@go.mod`:
- Line 93: The build still depends on the vulnerable Docker module, so update
the dependency chain to remove github.com/docker/docker or replace it with a
patched github.com/moby/moby release. Adjust the module requirement in go.mod
and any related imports or transitive constraints so the legacy
github.com/docker/docker path is no longer pulled in.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
| github.com/distribution/reference v0.6.0 // indirect | ||
| github.com/docker/cli v29.2.0+incompatible // indirect | ||
| github.com/docker/distribution v2.8.3+incompatible // indirect | ||
| github.com/docker/docker v28.5.2+incompatible // indirect |
There was a problem hiding this comment.
🔒 Security & Privacy | 🟠 Major | ⚡ Quick win
🧩 Analysis chain
🏁 Script executed:
#!/bin/bash
set -euo pipefail
go mod why -m github.com/docker/docker
go list -deps ./... | rg 'github.com/docker/docker'Repository: openshift/ocp-release-operator-sdk
Length of output: 4979
🌐 Web query:
github.com/docker/docker v28.5.2+incompatible osv advisory CVE
💡 Result:
The version v28.5.2+incompatible of the github.com/docker/docker module is affected by multiple security vulnerabilities [1]. As of July 8, 2026, this module path is considered a legacy path for Docker/Moby, and patches for these vulnerabilities are only available in newer versions (v29.x and later) which have migrated to the github.com/moby/moby module path [1]. Notable CVEs affecting version v28.5.2 and earlier include: - CVE-2026-41567 (GHSA-x86f-5xw2-fm2r): A high-severity vulnerability where the PUT /containers/{id}/archive API can execute a container binary on the host with daemon (root) privileges when handling compressed archives [2][3][1]. - CVE-2026-41568 (GHSA-vp62-88p7-qqf5): A medium-severity race condition during docker cp mount setup that allows a malicious container to create empty files or directories at arbitrary absolute paths on the host filesystem [4][5][1]. - CVE-2026-42306 (GHSA-rg2x-37c3-w2rh): A high-severity issue involving a docker cp race condition that allows bind-mount redirection to a host path [1]. Because the github.com/docker/docker module no longer receives security updates on this path, users are advised to migrate their dependencies to the current github.com/moby/moby module (v29.x or later) to receive these fixes [1]. Users who cannot migrate immediately are advised to follow the mitigation strategies provided in the individual security advisories, such as running only trusted container images and limiting access to sensitive API endpoints [3][4].
Citations:
- 1: Vulnerable transitive dependency: docker/docker v28.3.3 carries multiple open CVEs (CVE-2026-42306, -41567, -34040, +2 more) projectdiscovery/nuclei#7442
- 2: GHSA-x86f-5xw2-fm2r
- 3: GHSA-x86f-5xw2-fm2r
- 4: GHSA-vp62-88p7-qqf5
- 5: https://nvd.nist.gov/vuln/detail/CVE-2026-41568
Remove or upgrade the vulnerable Docker module
github.com/docker/docker v28.5.2+incompatible is still pulled into the build graph and is covered by multiple high-severity OSV advisories. Update the dependency chain or move off the legacy github.com/docker/docker path to a patched github.com/moby/moby release.
🧰 Tools
🪛 OSV Scanner (2.4.0)
[HIGH] 93-93: github.com/docker/docker 28.5.2+incompatible: Moby has an Off-by-one error in its plugin privilege validation in github.com/docker/docker
(GO-2026-4883)
[HIGH] 93-93: github.com/docker/docker 28.5.2+incompatible: Moby has AuthZ plugin bypass when provided oversized request bodies in github.com/docker/docker
(GO-2026-4887)
[HIGH] 93-93: github.com/docker/docker 28.5.2+incompatible: Docker: Race condition in docker cp allows bind mount redirection to host path in github.com/docker/docker
(GO-2026-5617)
[HIGH] 93-93: github.com/docker/docker 28.5.2+incompatible: Docker: Race condition in docker cp allows creation of arbitrary empty files on the host via symlink swap in github.com/docker/docker
(GO-2026-5668)
[HIGH] 93-93: github.com/docker/docker 28.5.2+incompatible: Docker: PUT /containers/{id}/archive executes container binary on the host in github.com/docker/docker
(GO-2026-5746)
[HIGH] 93-93: github.com/docker/docker 28.5.2+incompatible: Moby has an Off-by-one error in its plugin privilege validation
[HIGH] 93-93: github.com/docker/docker 28.5.2+incompatible: Docker: Race condition in docker cp allows bind mount redirection to host path
[HIGH] 93-93: github.com/docker/docker 28.5.2+incompatible: Docker: Race condition in docker cp allows creation of arbitrary empty files on the host via symlink swap
[HIGH] 93-93: github.com/docker/docker 28.5.2+incompatible: Moby has AuthZ plugin bypass when provided oversized request bodies
[HIGH] 93-93: github.com/docker/docker 28.5.2+incompatible: Docker: PUT /containers/{id}/archive executes container binary on the host
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In `@go.mod` at line 93, The build still depends on the vulnerable Docker module,
so update the dependency chain to remove github.com/docker/docker or replace it
with a patched github.com/moby/moby release. Adjust the module requirement in
go.mod and any related imports or transitive constraints so the legacy
github.com/docker/docker path is no longer pulled in.
Sources: Path instructions, Linters/SAST tools
65ad53d to
a197f50
Compare
The upstream v1.42.3 merge updated go.mod to require Go 1.26.3. The Go 1.26 builder images are available under the openshift-5.0 stream (not 4.22). Update CI and release builder images accordingly. Co-authored-by: Cursor <cursoragent@cursor.com>
a197f50 to
828a041
Compare
|
@PillaiManish: all tests passed! Full PR test history. Your PR dashboard. DetailsInstructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here. |
|
/lgtm |
Rebase to upstream v1.42.3
Ran the following script to create the rebase branch:
./UPSTREAM-MERGE.sh v1.42.3
Made with Cursor
Summary by CodeRabbit
New Features
Bug Fixes
Documentation
Chores