Bump github.com/openshift-online/ocm-sdk-go from 0.1.456 to 0.1.500

[dependabot]

Bumps github.com/openshift-online/ocm-sdk-go from 0.1.456 to 0.1.500.

Release notes

Sourced from github.com/openshift-online/ocm-sdk-go's releases.

Release 0.1.500

• Update model to 0.0.454
  • Add the ZeroEgress type and include in the AWS as a field.

Release 0.1.499

• [OCM-22967](https://redhat.atlassian.net/browse/OCM-22967) | fix: removing pgx dependency

Release 0.1.498

• Update model to 0.0.453
  • Add OidcIssuerUrl field to ARO-HCP Azure type for workload identity federation
  • Add Visibility field and AzureKmsEncryptionVisibility type to AzureKmsEncryption

Release 0.1.497

• Update model to 0.0.452
  • Add the AvailableChannels method to the Version resource

Release 0.1.496

• Update model to 0.0.451
  • Add the GcpDnsDomain type and include in the DNSDomain as a field.

Release 0.1.495

• Update model to 0.0.450
  • Add ImageDigestMirrors field to ClusterRegistryConfig for ARO-HCP.

Release 0.1.494

• Update model to 0.0.449
  • Add ARO-HCP ControlPlaneUpgradePolicies resource to manage control plane upgrade policies
  • Add ARO-HCP NodePoolUpgradePolicies resource to manage node pool upgrade policies
  • Simplify ARO-HCP upgrade policy types by removing scheduling-related fields (Schedule, ScheduleType, UpgradeType, NextRun, EnableMinorVersionUpgrades)

Release 0.1.493

• Update model to 0.0.448
  • Add VnetIntegrationSubnetResourceID field to ARO-HCP Azure type for SWIFT networking (Azure Container Networking Interface) support
  • Expose ARO-HCP cluster's provision shard subresource GET endpoint
  • Expose ARO-HCP provision shard global endpoints

Release 0.1.492

• Update model to 0.0.447
  • Make Topology attribute of ARO-HCP ProvisionShard required and restrict its allowed value to shared
  • Expand EtcdEncryption attribute description for ROSA-HCP Clusters

Release 0.1.491

• Update model to 0.0.446
  • Add AzureShard and ProvisionShardMaestroConfig to ARO-HCP ProvisionShard

... (truncated)

Changelog

Sourced from github.com/openshift-online/ocm-sdk-go's changelog.

0.1.500 Apr 01 2026

• Update model to 0.0.454
  • Add the ZeroEgress type and include in the AWS as a field.

0.1.499 Mar 31 2026

• [OCM-22967](https://redhat.atlassian.net/browse/OCM-22967) | fix: removing pgx dependency

0.1.498 Mar 11 2026

• Update model to 0.0.453
  • Add OidcIssuerUrl field to ARO-HCP Azure type for workload identity federation
  • Add Visibility field and AzureKmsEncryptionVisibility type to AzureKmsEncryption

0.1.497 Feb 25 2026

• Update model to 0.0.452
  • Add the AvailableChannels method to the Version resource

0.1.496 Feb 24 2026

• Update model to 0.0.451
  • Add the GcpDnsDomain type and include in the DNSDomain as a field.

0.1.495 Feb 23 2026

• Update model to 0.0.450
  • Add ImageDigestMirrors field to ClusterRegistryConfig for ARO-HCP.

0.1.494 Feb 12 2026

• Update model to 0.0.449
  • Add ARO-HCP ControlPlaneUpgradePolicies resource to manage control plane upgrade policies
  • Add ARO-HCP NodePoolUpgradePolicies resource to manage node pool upgrade policies
  • Simplify ARO-HCP upgrade policy types by removing scheduling-related fields (Schedule, ScheduleType, UpgradeType, NextRun, EnableMinorVersionUpgrades)

0.1.493 Jan 25 2026

• Update model to 0.0.448
  • Add VnetIntegrationSubnetResourceID field to ARO-HCP Azure type for SWIFT networking (Azure Container Networking Interface) support
  • Expose ARO-HCP cluster's provision shard subresource GET endpoint
  • Expose ARO-HCP provision shard global endpoints

0.1.492

• Update model to 0.0.447
  • Make Topology attribute of ARO-HCP ProvisionShard required and restrict its allowed value to shared
  • Expand EtcdEncryption attribute description for ROSA-HCP Clusters

0.1.491

• Update model to 0.0.446
  • Add AzureShard and ProvisionShardMaestroConfig to ARO-HCP ProvisionShard

... (truncated)

Commits

• 529cfd7 Merge pull request #1167 from marcolan018/ocm-23443
• 4c9e685 chore: bump version to 0.1.500
• 585c1b9 [OCM-23443](https://redhat.atlassian.net/browse/OCM-23443) | feat: add ZeroEgress into AWS
• f19f64f Merge pull request #1153 from gurnben/add-makefile-quick-start
• 25c4d91 Merge pull request #1152 from gurnben/add-dependabot
• ed7e088 Merge pull request #1151 from gurnben/readme-and-docs-improvements
• c43e011 Merge pull request #1150 from gurnben/agent-readiness-improvements
• 697fd8a Add one-command build/setup: README.md (Quick Start section)
• a5482fd Add Dependabot configuration for dependency security scanning
• 08f46d2 Improve README structure: add missing Installation, Usage, and Development se...
• Additional commits viewable in compare view

[coderabbitai]

Summary by CodeRabbit

• Chores
  • Updated project dependencies and runtime version to latest compatible versions for improved stability.

Walkthrough

This PR updates the Go module manifest (go.mod) with multiple dependency version changes: Go directive set to 1.24.0, ocm-sdk-go bumped to v0.1.500, github.com/golang-jwt/jwt/v4 to v4.5.2, adds ocm-api-model/* indirect deps, and updates several golang.org/x/* indirect modules.

Changes

Go module manifest updates

Layer / File(s)	Summary
Go directive go.mod	Change go directive from 1.24 to 1.24.0.
Primary SDK bump go.mod	github.com/openshift-online/ocm-sdk-go upgraded from v0.1.456 to v0.1.500.
JWT library go.mod	github.com/golang-jwt/jwt/v4 (indirect) upgraded from v4.4.1 to v4.5.2.
New ocm-api-model indirects go.mod	Added github.com/openshift-online/ocm-api-model/clientapi and .../model at v0.0.454 (indirect).
golang.org/x/ indirect bumps* go.mod	Updated indirect modules: golang.org/x/net → v0.39.0, golang.org/x/sys → v0.32.0, golang.org/x/term → v0.31.0, golang.org/x/text → v0.24.0, golang.org/x/tools → v0.32.0.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~5 minutes

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title directly and clearly identifies the main change: bumping the ocm-sdk-go dependency from v0.1.456 to v0.1.500, which matches the primary modification in go.mod.
Description check	✅ Passed	The description comprehensively documents the dependency bump with release notes, changelog entries, and commit references that directly relate to the ocm-sdk-go version update in the changeset.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch dependabot/go_modules/github.com/openshift-online/ocm-sdk-go-0.1.500

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: dependabot[bot]
Once this PR has been reviewed and has the lgtm label, please assign dustman9000 for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[openshift-ci]

Hi @dependabot[bot]. Thanks for your PR.

I'm waiting for a openshift-online member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work.

Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@go.mod`:
- Around line 63-64: Update the two ocm-api-model module versions in go.mod from
v0.0.454 to the existing tag v0.0.453: change
github.com/openshift-online/ocm-api-model/clientapi and
github.com/openshift-online/ocm-api-model/model to reference v0.0.453, then run
`go mod tidy` (or equivalent) to refresh the lockfile and verify the build;
ensure no other references still point to v0.0.454.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Enterprise

Run ID: b28170df-de23-4f3b-bc86-86cf66530357

📥 Commits

Reviewing files that changed from the base of the PR and between fd99cf8 and 4733aaf.

⛔ Files ignored due to path filters (1)

• go.sum is excluded by !**/*.sum

📒 Files selected for processing (1)

• go.mod

[coderabbitai]

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Description: Verify ocm-api-model dependencies at v0.0.454 exist

echo "=== Checking ocm-api-model/clientapi v0.0.454 ==="
gh api repos/openshift-online/ocm-api-model/tags --jq '.[] | select(.name == "clientapi/v0.0.454") | .name' 2>/dev/null || echo "clientapi v0.0.454 not found as expected tag"

echo -e "\n=== Checking ocm-api-model/model v0.0.454 ==="
gh api repos/openshift-online/ocm-api-model/tags --jq '.[] | select(.name == "model/v0.0.454") | .name' 2>/dev/null || echo "model v0.0.454 not found as expected tag"

# Alternative: Check if they resolve via go
echo -e "\n=== Attempting to resolve via go list ==="
go list -m -versions github.com/openshift-online/ocm-api-model/clientapi@v0.0.454 2>&1
go list -m -versions github.com/openshift-online/ocm-api-model/model@v0.0.454 2>&1

Repository: openshift-online/rosa-e2e

Length of output: 1875

---

🌐 Web query:

ocm-api-model clientapi v0.0.454 release GitHub

💡 Result:

Result: I could not find a GitHub release for openshift-online/ocm-api-model at version v0.0.454. What I found instead (authoritative sources): - The repository’s latest release is v0.0.453, published 2026-03-11, and the releases page lists only up to that version in the data returned by search. [1][2][3] - The tag page I could locate is for v0.0.453 (not v0.0.454). [2] Because I didn’t find any release/tag named v0.0.454 in the repository’s GitHub releases/tag pages via search, there’s no v0.0.454 release information (release notes / CHANGES.md diff / commit) I can cite. If you meant a different repo (e.g., open-cluster-management-io/api, guidewire-oss/ocm-api, or another fork) or a different version string, tell me the exact GitHub owner/repo and version format you expect, and I’ll re-check.

Citations:

• 1: https://github.com/openshift-online/ocm-api-model/releases
• 2: https://github.com/openshift-online/ocm-api-model/releases/tag/v0.0.453
• 3: https://github.com/openshift-online/ocm-api-model

---

🌐 Web query:

ocm-api-model model v0.0.454 release GitHub

💡 Result:

I couldn’t find any GitHub release/tag for openshift-online/ocm-api-model with version v0.0.454. What I found instead: - The repository’s GitHub Releases page shows the latest release as v0.0.453 (published 2026-03-11). [1][2] - A direct lookup for v0.0.454 on the releases/tag URL didn’t return a matching release page, while v0.0.453 has a release/tag page. [3] If you meant a different repository (for example a fork or a different package name than ocm-api-model), tell me the exact GitHub org/repo (or the correct version string) and I’ll re-run the search.

Citations:

• 1: https://github.com/openshift-online/ocm-api-model/releases
• 2: https://github.com/openshift-online/ocm-api-model
• 3: https://github.com/openshift-online/ocm-api-model/releases/tag/v0.0.453

---

Update ocm-api-model dependencies to v0.0.453.

Version v0.0.454 does not exist in the openshift-online/ocm-api-model repository. The latest available release is v0.0.453 (published 2026-03-11). Both github.com/openshift-online/ocm-api-model/clientapi and github.com/openshift-online/ocm-api-model/model must be updated to v0.0.453.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@go.mod` around lines 63 - 64, Update the two ocm-api-model module versions in
go.mod from v0.0.454 to the existing tag v0.0.453: change
github.com/openshift-online/ocm-api-model/clientapi and
github.com/openshift-online/ocm-api-model/model to reference v0.0.453, then run
`go mod tidy` (or equivalent) to refresh the lockfile and verify the build;
ensure no other references still point to v0.0.454.

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@go.mod`:
- Line 74: The dependency golang.org/x/oauth2 is pinned to v0.23.0 which
contains security advisories; update the module declaration for
golang.org/x/oauth2 in go.mod to at least v0.27.0 (preferably v0.36.0) and then
run go get golang.org/x/oauth2@v0.36.0 (or go get golang.org/x/oauth2@v0.27.0)
followed by go mod tidy to update go.sum; verify by rebuilding and running tests
to ensure no breaking changes in any code referencing golang.org/x/oauth2.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Enterprise

Run ID: c969a063-ae64-4ce5-b052-8071ec03cb09

📥 Commits

Reviewing files that changed from the base of the PR and between 4733aaf and 9acf744.

⛔ Files ignored due to path filters (1)

• go.sum is excluded by !**/*.sum

📒 Files selected for processing (1)

• go.mod

[coderabbitai]

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🌐 Web query:

What is the first patched golang.org/x/oauth2 version for GO-2025-3488 and GHSA-6v2p-p543-phr9, and what upgrade version is currently recommended?

💡 Result:

For GO-2025-3488 and GHSA-6v2p-p543-phr9 in golang.org/x/oauth2, the first patched version is v0.27.0 (both advisories list 0.27.0 as the fixed/patched version; earlier versions are affected) [1][2]. As of 2026-05-13, the currently recommended upgrade version is the latest golang.org/x/oauth2 release, v0.36.0 [3][4].

Citations:

• 1: GHSA-6v2p-p543-phr9
• 2: https://pkg.go.dev/vuln/GO-2025-3488
• 3: https://go.googlesource.com/oauth2/+/refs/tags/v0.34.0
• 4: https://osv.dev/GO-2025-3488

---

Upgrade golang.org/x/oauth2 from v0.23.0 to at least v0.27.0 (or preferably the latest v0.36.0) to fix GO-2025-3488 and GHSA-6v2p-p543-phr9.

v0.23.0 has HIGH severity advisories that are resolved in v0.27.0 and later.

🧰 Tools

🪛 OSV Scanner (2.3.8)

[HIGH] 74-74: golang.org/x/oauth2 0.23.0: Unexpected memory consumption during token parsing in golang.org/x/oauth2

(GO-2025-3488)

---

[HIGH] 74-74: golang.org/x/oauth2 0.23.0: golang.org/x/oauth2 Improper Validation of Syntactic Correctness of Input vulnerability

(GHSA-6v2p-p543-phr9)

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@go.mod` at line 74, The dependency golang.org/x/oauth2 is pinned to v0.23.0
which contains security advisories; update the module declaration for
golang.org/x/oauth2 in go.mod to at least v0.27.0 (preferably v0.36.0) and then
run go get golang.org/x/oauth2@v0.36.0 (or go get golang.org/x/oauth2@v0.27.0)
followed by go mod tidy to update go.sum; verify by rebuilding and running tests
to ensure no breaking changes in any code referencing golang.org/x/oauth2.

[dependabot]

Superseded by #55.