Skip to content

OAPE-843: 4.22 chore: Rebase openshift/ocp-release-operator-sdk to upstream operator-framework/operator-sdk v1.42.3#457

Open
PillaiManish wants to merge 28 commits into
openshift:mainfrom
PillaiManish:v1.42.3-rebase-main
Open

OAPE-843: 4.22 chore: Rebase openshift/ocp-release-operator-sdk to upstream operator-framework/operator-sdk v1.42.3#457
PillaiManish wants to merge 28 commits into
openshift:mainfrom
PillaiManish:v1.42.3-rebase-main

Conversation

@PillaiManish

@PillaiManish PillaiManish commented Jul 8, 2026

Copy link
Copy Markdown
Member

Rebase to upstream v1.42.3

Ran the following script to create the rebase branch:
./UPSTREAM-MERGE.sh v1.42.3

Made with Cursor

Summary by CodeRabbit

  • New Features

    • Updated release references to v1.42.3 across build, test, and documentation artifacts.
  • Bug Fixes

    • Refreshed bundled tooling and test images so scorecard, operator SDK, and helm/operator workflows stay aligned with v1.42.3.
  • Documentation

    • Updated installation and CLI documentation to use v1.42.3 assets (including the default decompression image to UBI9 9.8).
    • Added upgrade notes for v1.42.3 (no migrations).
  • Chores

    • Bumped build environments to Go 1.26 and UBI9 9.8 across supported images and CI.

acornett21 and others added 27 commits March 12, 2026 09:53
Signed-off-by: Adam D. Cornett <adc@redhat.com>
Bumps [google.golang.org/grpc](https://github.com/grpc/grpc-go) from 1.78.0 to 1.79.3.
- [Release notes](https://github.com/grpc/grpc-go/releases)
- [Commits](grpc/grpc-go@v1.78.0...v1.79.3)

---
updated-dependencies:
- dependency-name: google.golang.org/grpc
  dependency-version: 1.79.3
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Adam D. Cornett <adc@redhat.com>
Signed-off-by: Adam D. Cornett <adc@redhat.com>
Signed-off-by: Adam D. Cornett <adc@redhat.com>
Bumps [github.com/go-jose/go-jose/v4](https://github.com/go-jose/go-jose) from 4.1.3 to 4.1.4.
- [Release notes](https://github.com/go-jose/go-jose/releases)
- [Commits](go-jose/go-jose@v4.1.3...v4.1.4)

---
updated-dependencies:
- dependency-name: github.com/go-jose/go-jose/v4
  dependency-version: 4.1.4
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [go.opentelemetry.io/otel/sdk](https://github.com/open-telemetry/opentelemetry-go) from 1.40.0 to 1.43.0.
- [Release notes](https://github.com/open-telemetry/opentelemetry-go/releases)
- [Changelog](https://github.com/open-telemetry/opentelemetry-go/blob/main/CHANGELOG.md)
- [Commits](open-telemetry/opentelemetry-go@v1.40.0...v1.43.0)

---
updated-dependencies:
- dependency-name: go.opentelemetry.io/otel/sdk
  dependency-version: 1.43.0
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [github.com/go-git/go-git/v5](https://github.com/go-git/go-git) from 5.16.5 to 5.17.1.
- [Release notes](https://github.com/go-git/go-git/releases)
- [Commits](go-git/go-git@v5.16.5...v5.17.1)

---
updated-dependencies:
- dependency-name: github.com/go-git/go-git/v5
  dependency-version: 5.17.1
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [github.com/distribution/distribution/v3](https://github.com/distribution/distribution) from 3.0.0 to 3.1.0.
- [Release notes](https://github.com/distribution/distribution/releases)
- [Commits](distribution/distribution@v3.0.0...v3.1.0)

---
updated-dependencies:
- dependency-name: github.com/distribution/distribution/v3
  dependency-version: 3.1.0
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
…(#7082)

Bumps [go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp](https://github.com/open-telemetry/opentelemetry-go) from 1.36.0 to 1.43.0.
- [Release notes](https://github.com/open-telemetry/opentelemetry-go/releases)
- [Changelog](https://github.com/open-telemetry/opentelemetry-go/blob/main/CHANGELOG.md)
- [Commits](open-telemetry/opentelemetry-go@v1.36.0...v1.43.0)

---
updated-dependencies:
- dependency-name: go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp
  dependency-version: 1.43.0
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
…p (#7081)

Bumps [go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp](https://github.com/open-telemetry/opentelemetry-go) from 1.36.0 to 1.43.0.
- [Release notes](https://github.com/open-telemetry/opentelemetry-go/releases)
- [Changelog](https://github.com/open-telemetry/opentelemetry-go/blob/main/CHANGELOG.md)
- [Commits](open-telemetry/opentelemetry-go@v1.36.0...v1.43.0)

---
updated-dependencies:
- dependency-name: go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp
  dependency-version: 1.43.0
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploghttp](https://github.com/open-telemetry/opentelemetry-go) from 0.12.2 to 0.19.0.
- [Release notes](https://github.com/open-telemetry/opentelemetry-go/releases)
- [Changelog](https://github.com/open-telemetry/opentelemetry-go/blob/main/CHANGELOG.md)
- [Commits](open-telemetry/opentelemetry-go@log/v0.12.2...v0.19.0)

---
updated-dependencies:
- dependency-name: go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploghttp
  dependency-version: 0.19.0
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [github.com/moby/spdystream](https://github.com/moby/spdystream) from 0.5.0 to 0.5.1.
- [Release notes](https://github.com/moby/spdystream/releases)
- [Commits](moby/spdystream@v0.5.0...v0.5.1)

---
updated-dependencies:
- dependency-name: github.com/moby/spdystream
  dependency-version: 0.5.1
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [github.com/distribution/distribution/v3](https://github.com/distribution/distribution) from 3.1.0 to 3.1.1.
- [Release notes](https://github.com/distribution/distribution/releases)
- [Commits](distribution/distribution@v3.1.0...v3.1.1)

---
updated-dependencies:
- dependency-name: github.com/distribution/distribution/v3
  dependency-version: 3.1.1
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [github.com/go-git/go-git/v5](https://github.com/go-git/go-git) from 5.17.1 to 5.19.0.
- [Release notes](https://github.com/go-git/go-git/releases)
- [Changelog](https://github.com/go-git/go-git/blob/main/HISTORY.md)
- [Commits](go-git/go-git@v5.17.1...v5.19.0)

---
updated-dependencies:
- dependency-name: github.com/go-git/go-git/v5
  dependency-version: 5.19.0
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [github.com/go-git/go-git/v5](https://github.com/go-git/go-git) from 5.19.0 to 5.19.1.
- [Release notes](https://github.com/go-git/go-git/releases)
- [Changelog](https://github.com/go-git/go-git/blob/main/HISTORY.md)
- [Commits](go-git/go-git@v5.19.0...v5.19.1)

---
updated-dependencies:
- dependency-name: github.com/go-git/go-git/v5
  dependency-version: 5.19.1
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [github.com/containerd/containerd](https://github.com/containerd/containerd) from 1.7.29 to 1.7.32.
- [Release notes](https://github.com/containerd/containerd/releases)
- [Changelog](https://github.com/containerd/containerd/blob/main/RELEASES.md)
- [Commits](containerd/containerd@v1.7.29...v1.7.32)

---
updated-dependencies:
- dependency-name: github.com/containerd/containerd
  dependency-version: 1.7.32
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
…cies (#7106)

Signed-off-by: Adam D. Cornett <adc@redhat.com>
Bumps ubi9/ubi-minimal from 9.7 to 9.8.

---
updated-dependencies:
- dependency-name: ubi9/ubi-minimal
  dependency-version: '9.8'
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps ubi9/ubi-minimal from 9.7 to 9.8.

---
updated-dependencies:
- dependency-name: ubi9/ubi-minimal
  dependency-version: '9.8'
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps ubi9/ubi-minimal from 9.7 to 9.8.

---
updated-dependencies:
- dependency-name: ubi9/ubi-minimal
  dependency-version: '9.8'
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
…ts (#7095)

Bumps ubi9/ubi-minimal from 9.7 to 9.8.

---
updated-dependencies:
- dependency-name: ubi9/ubi-minimal
  dependency-version: '9.8'
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [github.com/containerd/containerd](https://github.com/containerd/containerd) from 1.7.32 to 1.7.33.
- [Release notes](https://github.com/containerd/containerd/releases)
- [Changelog](https://github.com/containerd/containerd/blob/main/RELEASES.md)
- [Commits](containerd/containerd@v1.7.32...v1.7.33)

---
updated-dependencies:
- dependency-name: github.com/containerd/containerd
  dependency-version: 1.7.33
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Adam D. Cornett <adc@redhat.com>
Signed-off-by: Adam D. Cornett <adc@redhat.com>
Operator SDK v1.42.3

Merge executed via ./UPSTREAM-MERGE.sh v1.42.3 upstream main

Overwritten conflicts:
<NONE>
@openshift-ci-robot

openshift-ci-robot commented Jul 8, 2026

Copy link
Copy Markdown
Contributor

@PillaiManish: This pull request references OAPE-843 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target either version "5.0." or "openshift-5.0.", but it targets "openshift-4.22" instead.

Details

In response to this:

Rebase to upstream v1.42.3

Ran the following script to create the rebase branch:
./UPSTREAM-MERGE.sh v1.42.3

Made with Cursor

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@openshift-ci-robot openshift-ci-robot added the jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. label Jul 8, 2026
@openshift-ci openshift-ci Bot requested a review from grokspawn July 8, 2026 11:42
@openshift-ci openshift-ci Bot requested a review from oceanc80 July 8, 2026 11:42
@openshift-ci

openshift-ci Bot commented Jul 8, 2026

Copy link
Copy Markdown
Contributor

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: PillaiManish
Once this PR has been reviewed and has the lgtm label, please assign oceanc80 for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@coderabbitai

coderabbitai Bot commented Jul 8, 2026

Copy link
Copy Markdown

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 41eeb328-bcb8-4254-8222-da1f10b93ff6

📥 Commits

Reviewing files that changed from the base of the PR and between a197f50 and 828a041.

📒 Files selected for processing (2)
  • .ci-operator.yaml
  • release/helm/Dockerfile
✅ Files skipped from review due to trivial changes (1)
  • .ci-operator.yaml
🚧 Files skipped from review as they are similar to previous changes (1)
  • release/helm/Dockerfile

Walkthrough

This PR updates release and version references, refreshes Go toolchain and dependency pins, bumps container base images, updates scorecard/operator-sdk testdata, and adds release documentation for the new versions.

Changes

Release and image refresh

Layer / File(s) Summary
Release versions and toolchain
Makefile, UPSTREAM-VERSION, patches/03-setversion.patch, go.mod, .ci-operator.yaml, release/helm/Dockerfile
Release version constants, version derivation, Go toolchain and dependency versions, and CI/build image references are updated together.
Container base image bumps
images/custom-scorecard-tests/Dockerfile, images/helm-operator/Dockerfile, images/operator-sdk/Dockerfile, images/scorecard-test/Dockerfile, images/scorecard-test-kuttl/Dockerfile, images/scorecard-untar/Dockerfile, internal/olm/fbcutil/util.go
Builder and runtime base images are bumped across the Dockerfiles, and the default init image tag is updated to match.
Testdata version bumps
testdata/go/v4/memcached-operator/..., testdata/go/v4/monitoring/memcached-operator/..., testdata/helm/memcached-operator/...
Operator SDK, helm-operator, and scorecard-test references are updated across Go and Helm testdata.
Documentation updates
website/content/en/docs/cli/operator-sdk_run_bundle.md, website/content/en/docs/installation/_index.md, website/content/en/docs/upgrading-sdk-version/v1.42.2.md, website/content/en/docs/upgrading-sdk-version/v1.42.3.md
CLI, installation, and upgrade-version documentation update version defaults and add release note pages.

Estimated code review effort: 2 (Simple) | ~10 minutes


Important

Pre-merge checks failed

Please resolve all errors before merging. Addressing warnings is optional.

❌ Failed checks (1 error)

Check name Status Explanation Resolution
No-Sensitive-Data-In-Logs ❌ Error htpasswd.authenticateUser now logs WithField("username", username) on auth failures, which can expose user identifiers/PII in logs. Remove the username from log fields or redact/hash it; keep only a generic auth-failure message and non-sensitive context.
✅ Passed checks (14 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title clearly states the main change: rebasing ocp-release-operator-sdk to upstream operator-sdk v1.42.3.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names ✅ Passed No Ginkgo test titles were changed; the PR only touches config/docs/vendor and one non-test Go utility file.
Test Structure And Quality ✅ Passed No _test.go or Ginkgo spec files changed; the diff is version bumps, docs, configs, and vendor updates, so this check is not applicable.
Microshift Test Compatibility ✅ Passed PASS: HEAD^..HEAD only changes .ci-operator.yaml and release/helm/Dockerfile; no Go/e2e test files or new Ginkgo specs were added.
Single Node Openshift (Sno) Test Compatibility ✅ Passed No Ginkgo/e2e tests were added or modified; only CI and Helm Dockerfile base-image tags changed.
Topology-Aware Scheduling Compatibility ✅ Passed PASS: The PR only bumps versions/base images/docs; no deployment manifests/controllers add anti-affinity, node selectors, PDBs, or topology-aware scheduling logic.
Ote Binary Stdout Contract ✅ Passed No repo-owned main/TestMain/suite-setup code changed; diff is version/image bumps and vendored Ginkgo CLI updates, with no new stdout writes in OTE entrypoints.
Ipv6 And Disconnected Network Test Compatibility ✅ Passed No new Ginkgo e2e tests were added; the diff is version bumps/docs/configs, and search found no It()/Describe() or IPv4-only network code in changed Go files.
No-Weak-Crypto ✅ Passed Only exact hits were generated stdlib metadata listing crypto/des, md5, rc4, and sha1; no new weak-crypto code or secret comparisons were introduced.
Container-Privileges ✅ Passed Touched files only retag images/build roots; no privileged, hostPID/Network/IPC, SYS_ADMIN, allowPrivilegeEscalation, or root-run changes were introduced.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Comment @coderabbitai help to get the list of available commands.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@go.mod`:
- Line 93: The build still depends on the vulnerable Docker module, so update
the dependency chain to remove github.com/docker/docker or replace it with a
patched github.com/moby/moby release. Adjust the module requirement in go.mod
and any related imports or transitive constraints so the legacy
github.com/docker/docker path is no longer pulled in.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

Comment thread go.mod
github.com/distribution/reference v0.6.0 // indirect
github.com/docker/cli v29.2.0+incompatible // indirect
github.com/docker/distribution v2.8.3+incompatible // indirect
github.com/docker/docker v28.5.2+incompatible // indirect

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🔒 Security & Privacy | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail
go mod why -m github.com/docker/docker
go list -deps ./... | rg 'github.com/docker/docker'

Repository: openshift/ocp-release-operator-sdk

Length of output: 4979


🌐 Web query:

github.com/docker/docker v28.5.2+incompatible osv advisory CVE

💡 Result:

The version v28.5.2+incompatible of the github.com/docker/docker module is affected by multiple security vulnerabilities [1]. As of July 8, 2026, this module path is considered a legacy path for Docker/Moby, and patches for these vulnerabilities are only available in newer versions (v29.x and later) which have migrated to the github.com/moby/moby module path [1]. Notable CVEs affecting version v28.5.2 and earlier include: - CVE-2026-41567 (GHSA-x86f-5xw2-fm2r): A high-severity vulnerability where the PUT /containers/{id}/archive API can execute a container binary on the host with daemon (root) privileges when handling compressed archives [2][3][1]. - CVE-2026-41568 (GHSA-vp62-88p7-qqf5): A medium-severity race condition during docker cp mount setup that allows a malicious container to create empty files or directories at arbitrary absolute paths on the host filesystem [4][5][1]. - CVE-2026-42306 (GHSA-rg2x-37c3-w2rh): A high-severity issue involving a docker cp race condition that allows bind-mount redirection to a host path [1]. Because the github.com/docker/docker module no longer receives security updates on this path, users are advised to migrate their dependencies to the current github.com/moby/moby module (v29.x or later) to receive these fixes [1]. Users who cannot migrate immediately are advised to follow the mitigation strategies provided in the individual security advisories, such as running only trusted container images and limiting access to sensitive API endpoints [3][4].

Citations:


Remove or upgrade the vulnerable Docker module
github.com/docker/docker v28.5.2+incompatible is still pulled into the build graph and is covered by multiple high-severity OSV advisories. Update the dependency chain or move off the legacy github.com/docker/docker path to a patched github.com/moby/moby release.

🧰 Tools
🪛 OSV Scanner (2.4.0)

[HIGH] 93-93: github.com/docker/docker 28.5.2+incompatible: Moby has an Off-by-one error in its plugin privilege validation in github.com/docker/docker

(GO-2026-4883)


[HIGH] 93-93: github.com/docker/docker 28.5.2+incompatible: Moby has AuthZ plugin bypass when provided oversized request bodies in github.com/docker/docker

(GO-2026-4887)


[HIGH] 93-93: github.com/docker/docker 28.5.2+incompatible: Docker: Race condition in docker cp allows bind mount redirection to host path in github.com/docker/docker

(GO-2026-5617)


[HIGH] 93-93: github.com/docker/docker 28.5.2+incompatible: Docker: Race condition in docker cp allows creation of arbitrary empty files on the host via symlink swap in github.com/docker/docker

(GO-2026-5668)


[HIGH] 93-93: github.com/docker/docker 28.5.2+incompatible: Docker: PUT /containers/{id}/archive executes container binary on the host in github.com/docker/docker

(GO-2026-5746)


[HIGH] 93-93: github.com/docker/docker 28.5.2+incompatible: Moby has an Off-by-one error in its plugin privilege validation

(GHSA-pxq6-2prw-chj9)


[HIGH] 93-93: github.com/docker/docker 28.5.2+incompatible: Docker: Race condition in docker cp allows bind mount redirection to host path

(GHSA-rg2x-37c3-w2rh)


[HIGH] 93-93: github.com/docker/docker 28.5.2+incompatible: Docker: Race condition in docker cp allows creation of arbitrary empty files on the host via symlink swap

(GHSA-vp62-88p7-qqf5)


[HIGH] 93-93: github.com/docker/docker 28.5.2+incompatible: Moby has AuthZ plugin bypass when provided oversized request bodies

(GHSA-x744-4wpc-v9h2)


[HIGH] 93-93: github.com/docker/docker 28.5.2+incompatible: Docker: PUT /containers/{id}/archive executes container binary on the host

(GHSA-x86f-5xw2-fm2r)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@go.mod` at line 93, The build still depends on the vulnerable Docker module,
so update the dependency chain to remove github.com/docker/docker or replace it
with a patched github.com/moby/moby release. Adjust the module requirement in
go.mod and any related imports or transitive constraints so the legacy
github.com/docker/docker path is no longer pulled in.

Sources: Path instructions, Linters/SAST tools

@PillaiManish PillaiManish force-pushed the v1.42.3-rebase-main branch from 65ad53d to a197f50 Compare July 9, 2026 05:08
The upstream v1.42.3 merge updated go.mod to require Go 1.26.3.
The Go 1.26 builder images are available under the openshift-5.0
stream (not 4.22). Update CI and release builder images accordingly.

Co-authored-by: Cursor <cursoragent@cursor.com>
@PillaiManish PillaiManish force-pushed the v1.42.3-rebase-main branch from a197f50 to 828a041 Compare July 9, 2026 05:10
@openshift-ci

openshift-ci Bot commented Jul 9, 2026

Copy link
Copy Markdown
Contributor

@PillaiManish: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

@mytreya-rh

Copy link
Copy Markdown

/lgtm
cc: @chiragkyal

@openshift-ci openshift-ci Bot added the lgtm Indicates that a PR is ready to be merged. label Jul 9, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. lgtm Indicates that a PR is ready to be merged.

Projects

None yet

Development

Successfully merging this pull request may close these issues.

4 participants