
Bump github.com/openshift-online/ocm-sdk-go from 0.1.456 to 0.1.504 in the ocm-sdk group across 1 directory#55

Open
dependabot[bot] wants to merge 1 commit into main from dependabot/go_modules/ocm-sdk-f6f7f28218

Conversation

@dependabot dependabot Bot commented on behalf of github May 20, 2026

Bumps the ocm-sdk group with 1 update in the / directory: github.com/openshift-online/ocm-sdk-go.

Updates github.com/openshift-online/ocm-sdk-go from 0.1.456 to 0.1.504

Release notes

Sourced from github.com/openshift-online/ocm-sdk-go's releases.

Release 0.1.501

  • Update model to 0.0.456
    • Add access_shared_role_arn field to AWS Disaster Recovery backup config
    • Add node_count field to AutoNode status

Release 0.1.500

  • Update model to 0.0.454
    • Add the ZeroEgress type and include in the AWS as a field.

Release 0.1.499

  • [OCM-22967](https://redhat.atlassian.net/browse/OCM-22967) | fix: removing pgx dependency

Release 0.1.498

  • Update model to 0.0.453
    • Add OidcIssuerUrl field to ARO-HCP Azure type for workload identity federation
    • Add Visibility field and AzureKmsEncryptionVisibility type to AzureKmsEncryption

Release 0.1.497

  • Update model to 0.0.452
    • Add the AvailableChannels method to the Version resource

Release 0.1.496

  • Update model to 0.0.451
    • Add the GcpDnsDomain type and include in the DNSDomain as a field.

Release 0.1.495

  • Update model to 0.0.450
    • Add ImageDigestMirrors field to ClusterRegistryConfig for ARO-HCP.

Release 0.1.494

  • Update model to 0.0.449
    • Add ARO-HCP ControlPlaneUpgradePolicies resource to manage control plane upgrade policies
    • Add ARO-HCP NodePoolUpgradePolicies resource to manage node pool upgrade policies
    • Simplify ARO-HCP upgrade policy types by removing scheduling-related fields (Schedule, ScheduleType, UpgradeType, NextRun, EnableMinorVersionUpgrades)

Release 0.1.493

  • Update model to 0.0.448
    • Add VnetIntegrationSubnetResourceID field to ARO-HCP Azure type for SWIFT networking (Azure Container Networking Interface) support
    • Expose ARO-HCP cluster's provision shard subresource GET endpoint
    • Expose ARO-HCP provision shard global endpoints

Release 0.1.492

  • Update model to 0.0.447
    • Make Topology attribute of ARO-HCP ProvisionShard required and restrict

... (truncated)

Changelog

Sourced from github.com/openshift-online/ocm-sdk-go's changelog.

Changes

This document describes the relevant changes between releases of the OCM API SDK.

0.1.501

  • Update model to 0.0.456
    • Add access_shared_role_arn field to AWS Disaster Recovery backup config
    • Add node_count field to AutoNode status

0.1.500 Apr 01 2026

  • Update model to 0.0.454
    • Add the ZeroEgress type and include in the AWS as a field.

0.1.499 Mar 31 2026

  • [OCM-22967](https://redhat.atlassian.net/browse/OCM-22967) | fix: removing pgx dependency

0.1.498 Mar 11 2026

  • Update model to 0.0.453
    • Add OidcIssuerUrl field to ARO-HCP Azure type for workload identity federation
    • Add Visibility field and AzureKmsEncryptionVisibility type to AzureKmsEncryption

0.1.497 Feb 25 2026

  • Update model to 0.0.452
    • Add the AvailableChannels method to the Version resource

0.1.496 Feb 24 2026

  • Update model to 0.0.451
    • Add the GcpDnsDomain type and include in the DNSDomain as a field.

0.1.495 Feb 23 2026

  • Update model to 0.0.450
    • Add ImageDigestMirrors field to ClusterRegistryConfig for ARO-HCP.

0.1.494 Feb 12 2026

  • Update model to 0.0.449
    • Add ARO-HCP ControlPlaneUpgradePolicies resource to manage control plane upgrade policies
    • Add ARO-HCP NodePoolUpgradePolicies resource to manage node pool upgrade policies
    • Simplify ARO-HCP upgrade policy types by removing scheduling-related fields (Schedule, ScheduleType, UpgradeType, NextRun, EnableMinorVersionUpgrades)

0.1.493 Jan 25 2026

  • Update model to 0.0.448
    • Add VnetIntegrationSubnetResourceID field to ARO-HCP Azure type for SWIFT networking (Azure Container Networking Interface) support
    • Expose ARO-HCP cluster's provision shard subresource GET endpoint

... (truncated)

Commits
  • 142b4cf Merge pull request #1177 from openshift-online/sync-model/v0.0.459
  • 14bc981 chore: bump ocm-api-model to v0.0.459
  • acb82a5 Merge pull request #1175 from openshift-online/sync-model/v0.0.457
  • 1960dc0 chore: bump ocm-api-model to v0.0.457
  • 787223b Merge pull request #1174 from vkareh/automated-release-pipeline
  • e62dcdb ci: add automated release pipeline
  • 739df3e Merge pull request #1173 from openshift-online/ocm-24592-release-prep
  • a459c93 [OCM-24592](https://redhat.atlassian.net/browse/OCM-24592) | chore: release ocm-sdk-go v0.1.501
  • a207e5d [OCM-24592](https://redhat.atlassian.net/browse/OCM-24592) | chore: release preparation for v0.0.456
  • 529cfd7 Merge pull request #1167 from marcolan018/ocm-23443
  • Additional commits viewable in compare view

@dependabot dependabot Bot added the labels area/dependency (Issues or PRs related to dependency changes) and ok-to-test (Indicates a non-member PR verified by an org member that is safe to test) on May 20, 2026
coderabbitai Bot commented May 20, 2026

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

  • @coderabbitai resume to resume automatic reviews.
  • @coderabbitai review to trigger a single review.

Walkthrough

The go.mod file updates the Go directive to 1.24.0, bumps github.com/openshift-online/ocm-sdk-go to v0.1.503, updates github.com/golang-jwt/jwt/v4 to v4.5.2, adds github.com/openshift-online/ocm-api-model/clientapi and .../model at v0.0.457, and upgrades several golang.org/x/* indirect dependencies.

Changes

Dependency version upgrades

Layer | File(s) | Summary
Go toolchain and primary SDK version bump | go.mod | Go directive updated to 1.24.0 and github.com/openshift-online/ocm-sdk-go bumped from v0.1.456 to v0.1.503.
JWT version upgrade | go.mod | github.com/golang-jwt/jwt/v4 updated from v4.4.1 to v4.5.2.
OCM API model modules | go.mod | Adds indirect github.com/openshift-online/ocm-api-model/clientapi and .../model at v0.0.457.
Standard library indirect upgrades | go.mod | Upgrades golang.org/x/net, x/sys, x/term, x/text, and x/tools to newer versions; x/oauth2 and x/time remain unchanged.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes


Important

Pre-merge checks failed

Please resolve all errors before merging. Addressing warnings is optional.

❌ Failed checks (1 error, 1 warning)

Check name | Status | Explanation | Resolution
No-Sensitive-Data-In-Logs | ❌ Error | PR adds .github/workflows/branch-protection-check.yml (line 92: echo of full API response) and .github/workflows/dependabot-auto-merge.yml (lines 196,199: cat of response.json) that log sensitive A... | Remove or filter sensitive data from logged API responses: sanitize $protection_json echo statement and avoid cating response.json containing GraphQL mutation results to stdout.
Title check | ⚠️ Warning | The PR title claims a bump to v0.1.504, but the actual change is to v0.1.503 according to the raw_summary and pr_objectives. | Update the PR title to accurately reflect the actual version bump: 'Bump github.com/openshift-online/ocm-sdk-go from 0.1.456 to 0.1.503'.
✅ Passed checks (9 passed)
Check name | Status | Explanation
Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request.
No-Weak-Crypto | ✅ Passed | No weak crypto algorithms (MD5, SHA1, DES, RC4, 3DES, Blowfish), ECB mode, custom crypto, or unsafe secret comparisons detected in codebase or dependency updates.
Container-Privileges | ✅ Passed | PR only modifies go.mod dependency versions. No container manifests with privilege configurations were added or modified. All existing container/K8s configs contain no privileged settings.
No-Hardcoded-Secrets | ✅ Passed | No hardcoded secrets detected. PR only updates go.mod/go.sum with dependency versions; code properly handles secrets via environment variables with appropriate serialization guards.
No-Injection-Vectors | ✅ Passed | No injection vectors detected. The PR is a Dependabot dependency update (go.mod/go.sum changes) with new test framework code containing no SQL concatenation, shell injection, eval/exec, unsafe yaml...
Ai-Attribution | ✅ Passed | This is a Dependabot dependency update PR (not AI-generated). Commit 639896f authored by dependabot[bot] contains only standard version bump changes with no AI tool involvement or mentions.
Description Check | ✅ Passed | Check skipped - CodeRabbit's high-level summary is enabled.

Comment @coderabbitai help to get the list of available commands.

@openshift-ci openshift-ci Bot requested review from ravitri and tiwillia May 20, 2026 09:03
openshift-ci Bot commented May 20, 2026


Hi @dependabot[bot]. Thanks for your PR.

I'm waiting for a openshift-online member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work.

Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

openshift-ci Bot commented May 20, 2026


[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: dependabot[bot]
Once this PR has been reviewed and has the lgtm label, please assign tiwillia for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

coderabbitai Bot left a comment


Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@go.mod`:
- Line 74: The go.mod currently pins golang.org/x/oauth2 at v0.23.0 which is
vulnerable (CVE-2025-22868); update the dependency to v0.27.0 or later by
changing the module version in go.mod (golang.org/x/oauth2) and then run `go get
golang.org/x/oauth2@v0.27.0` or `go mod tidy` to ensure the new version is
recorded and modules are re-resolved; verify builds and tests (imports
referencing oauth2) succeed after the upgrade.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Enterprise

Run ID: b6e4dbba-fa8f-4c87-8782-4f4dcff3f97c

📥 Commits

Reviewing files that changed from the base of the PR and between 6275161 and 926ea43.

⛔ Files ignored due to path filters (1)
  • go.sum is excluded by !**/*.sum
📒 Files selected for processing (1)
  • go.mod

Comment thread go.mod
github.com/x448/float16 v0.8.4 // indirect
golang.org/x/net v0.33.0 // indirect
golang.org/x/net v0.39.0 // indirect
golang.org/x/oauth2 v0.23.0 // indirect
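
Review bot: `golang.org/x/oauth2 v0.23.0 // indirect` is unchanged context in this hunk, so while `golang.org/x/net` moves from v0.33.0 to v0.39.0, oauth2 stays below the v0.27.0 fix for GO-2025-3488 / CVE-2025-22868 that the inline comment on this line reports. Run `go get golang.org/x/oauth2@v0.27.0` and `go mod tidy` on this branch so the advisory is closed in the same change instead of waiting for a later ocm-sdk-go release to raise the requirement.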

⚠️ Potential issue | 🔴 Critical | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Description: Check for available security patches and usage of oauth2.

# Check which dependency requires oauth2
go mod graph | grep 'golang.org/x/oauth2'

# Search for direct usage of oauth2 in the codebase
rg -n --type=go 'golang.org/x/oauth2|"oauth2"' -C 2

Repository: openshift-online/rosa-e2e

Length of output: 6685


🏁 Script executed:

# Check the actual go.mod file to see the context of line 74
head -n 80 go.mod | tail -n 15

Repository: openshift-online/rosa-e2e

Length of output: 770


🌐 Web query:

GO-2025-3488 golang.org/x/oauth2 vulnerability

💡 Result:

GO-2025-3488 is a security vulnerability identified in the golang.org/x/oauth2 package, specifically within the golang.org/x/oauth2/jws sub-package [1][2][3]. It is also tracked as CVE-2025-22868 and GHSA-6v2p-p543-phr9 [1][4]. The vulnerability involves improper validation of the syntactic correctness of input tokens [5]. An attacker can exploit this by passing a malicious, malformed token to the application, which causes unexpected memory consumption during the parsing process [1][2][3]. This can lead to a denial of service (DoS) condition, where the application consumes excessive resources, potentially delaying or denying service to legitimate users [5]. The issue was addressed in version 0.27.0 of the golang.org/x/oauth2 package [1][2][3]. Users are advised to update to version 0.27.0 or later to mitigate this risk [5]. The vulnerability was publicly disclosed on February 26, 2025 [1][2][4].

🌐 Web query:

GHSA-6v2p-p543-phr9 golang.org/x/oauth2 vulnerability

💡 Result:

GHSA-6v2p-p543-phr9 is a high-severity security vulnerability (CVSS 7.5) affecting the golang.org/x/oauth2 module [1]. It is also tracked as CVE-2025-22868 [1][2]. The vulnerability is described as an "Improper Validation of Syntactic Correctness of Input" [1]. Specifically, an attacker can provide a maliciously malformed token that causes the application to consume unexpected amounts of memory during the parsing process, potentially leading to a denial-of-service condition [1][2]. While the advisory is filed under the golang.org/x/oauth2 module, technical discussions indicate that the underlying issue resides within the golang.org/x/oauth2/jws package [3]. Users are advised to update to version 0.27.0 or later to mitigate this vulnerability [1][2]. It is important to note that some projects may include the main oauth2 module without including the vulnerable jws package; in such cases, those projects would not be susceptible to this specific vulnerability [3].

🏁 Script executed:

# Check if jws or token parsing is actually used in the codebase
rg 'oauth2/jws|ParseToken|ParseJWT' --type=go

Repository: openshift-online/rosa-e2e

Length of output: 51


🏁 Script executed:

# Check if oauth2 is used directly in the code
rg 'oauth2\.' --type=go -m 5

Repository: openshift-online/rosa-e2e

Length of output: 51


Upgrade golang.org/x/oauth2 to address HIGH severity security vulnerability.

The current version v0.23.0 contains CVE-2025-22868 (GO-2025-3488), a vulnerability involving improper validation of token syntax that can cause unexpected memory consumption and lead to denial of service. Upgrade to v0.27.0 or later to resolve this issue.

🧰 Tools
🪛 OSV Scanner (2.3.8)

[HIGH] 74-74: golang.org/x/oauth2 0.23.0: Unexpected memory consumption during token parsing in golang.org/x/oauth2

(GO-2025-3488)


[HIGH] 74-74: golang.org/x/oauth2 0.23.0: golang.org/x/oauth2 Improper Validation of Syntactic Correctness of Input vulnerability

(GHSA-6v2p-p543-phr9)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@go.mod` at line 74, The go.mod currently pins golang.org/x/oauth2 at v0.23.0
which is vulnerable (CVE-2025-22868); update the dependency to v0.27.0 or later
by changing the module version in go.mod (golang.org/x/oauth2) and then run `go
get golang.org/x/oauth2@v0.27.0` or `go mod tidy` to ensure the new version is
recorded and modules are re-resolved; verify builds and tests (imports
referencing oauth2) succeed after the upgrade.
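
The check below is an added example and not code from the review thread, from CodeRabbit, or from the rosa-e2e repository. It does offline what the OSV Scanner output above reports: it parses a go.mod require block, compares the required golang.org/x/oauth2 version with the v0.27.0 fix version of GO-2025-3488, and treats pre-release and pseudo-versions of v0.27.0 as still below the fix. The go.mod text and the advisory record are constructed from the versions visible in this thread; the sample module path and every function name are assumptions of the example. Two caveats for the reviewer: a dependency's go.mod states a minimum for each requirement under Go's minimal version selection, never a maximum, so ocm-sdk-go cannot hold oauth2 at v0.23.0 and the main module can require a newer version directly; and a version comparison says nothing about reachability, since the vulnerable code lives in golang.org/x/oauth2/jws, which is exactly what `govulncheck ./...` resolves with its call-graph analysis.

```go
package main

import (
	"fmt"
	"strings"
)

// sampleGoMod is a constructed excerpt built from the versions quoted in the
// review thread; it is not the rosa-e2e repository's real file.
const sampleGoMod = `module example.com/rosa-e2e-sample

require (
	github.com/openshift-online/ocm-sdk-go v0.1.503
	golang.org/x/net v0.39.0 // indirect
	golang.org/x/oauth2 v0.23.0 // indirect
)
`

// advisory is a minimal stand-in for an OSV record; the values mirror GO-2025-3488 as quoted above.
type advisory struct{ ID, Module, Package, Fixed string }

var advisoryGO20253488 = advisory{ID: "GO-2025-3488", Module: "golang.org/x/oauth2",
	Package: "golang.org/x/oauth2/jws", Fixed: "v0.27.0"}

// requirements collects "path version" pairs from a go.mod require block;
// trailing comments such as "// indirect" are dropped before splitting.
func requirements(gomod string) map[string]string {
	reqs := map[string]string{}
	inBlock := false
	for _, line := range strings.Split(gomod, "\n") {
		if i := strings.Index(line, "//"); i >= 0 {
			line = line[:i]
		}
		f := strings.Fields(line)
		switch {
		case len(f) == 0:
		case inBlock && f[0] == ")":
			inBlock = false
		case inBlock && len(f) == 2:
			reqs[f[0]] = f[1]
		case f[0] == "require" && len(f) == 2 && f[1] == "(":
			inBlock = true
		}
	}
	return reqs
}

// parseSemver turns "v0.27.0" into a sortable key. A "-" suffix (pre-release or
// pseudo-version) sets key[3] to 0 so it sorts below the bare release, which gets 1.
func parseSemver(v string) ([4]int, bool) {
	key := [4]int{3: 1}
	s := strings.TrimPrefix(v, "v")
	if i := strings.IndexAny(s, "-+"); i >= 0 {
		if s[i] == '-' {
			key[3] = 0
		}
		s = s[:i]
	}
	if n, err := fmt.Sscanf(s, "%d.%d.%d", &key[0], &key[1], &key[2]); err != nil || n != 3 {
		return key, false
	}
	return key, true
}

// compareSemver returns -1, 0 or 1; malformed input is an error, never a silent "safe".
func compareSemver(a, b string) (int, error) {
	ka, okA := parseSemver(a)
	kb, okB := parseSemver(b)
	if !okA || !okB {
		return 0, fmt.Errorf("malformed version: %q / %q", a, b)
	}
	for i := range ka {
		if ka[i] < kb[i] {
			return -1, nil
		} else if ka[i] > kb[i] {
			return 1, nil
		}
	}
	return 0, nil
}

// affected is a version check only: it reports that the required module is below
// the fix, not that adv.Package is reachable from the program (govulncheck's job).
func affected(adv advisory, reqs map[string]string) (bool, string, error) {
	have, ok := reqs[adv.Module]
	if !ok {
		return false, "", nil // module not in the build at all
	}
	c, err := compareSemver(have, adv.Fixed)
	return err == nil && c < 0, have, err
}

func main() {
	hit, have, _ := affected(advisoryGO20253488, requirements(sampleGoMod))
	fmt.Println(advisoryGO20253488.ID, advisoryGO20253488.Module, have, "below fix:", hit)
}
```

To close the finding on the PR branch itself: `go get golang.org/x/oauth2@v0.27.0`, then `go mod tidy`, `go build ./... && go test ./...`, and finally `govulncheck ./...` to confirm GO-2025-3488 no longer appears. Because minimal version selection picks the highest minimum across all go.mod files in the build, the raised requirement wins over the lower one ocm-sdk-go carries, and `go mod tidy` keeps it in go.mod (still marked `// indirect` as long as nothing in the repository imports oauth2 directly).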

@github-actions

/retest

@github-actions

/retest

@dependabot dependabot Bot changed the title from "Bump github.com/openshift-online/ocm-sdk-go from 0.1.456 to 0.1.501 in the ocm-sdk group" to "Bump github.com/openshift-online/ocm-sdk-go from 0.1.456 to 0.1.501 in the ocm-sdk group across 1 directory" on May 27, 2026
@dependabot dependabot Bot force-pushed the dependabot/go_modules/ocm-sdk-f6f7f28218 branch from 926ea43 to ea799eb on May 27, 2026 06:14
@github-actions

/retest

@github-actions

/retest

@dependabot dependabot Bot changed the title from "Bump github.com/openshift-online/ocm-sdk-go from 0.1.456 to 0.1.501 in the ocm-sdk group across 1 directory" to "Bump github.com/openshift-online/ocm-sdk-go from 0.1.456 to 0.1.502 in the ocm-sdk group across 1 directory" on Jun 4, 2026
@dependabot dependabot Bot force-pushed the dependabot/go_modules/ocm-sdk-f6f7f28218 branch from ea799eb to 9ce15e8 on June 4, 2026 01:19
github-actions Bot commented Jun 4, 2026

/retest

github-actions Bot commented Jun 4, 2026

/retest

@dependabot dependabot Bot force-pushed the dependabot/go_modules/ocm-sdk-f6f7f28218 branch from 9ce15e8 to a6782e2 on June 10, 2026 04:13

coderabbitai Bot left a comment


♻️ Duplicate comments (1)
go.mod (1)

74-74: ⚠️ Potential issue | 🔴 Critical | ⚡ Quick win

Critical oauth2 vulnerability remains unresolved.

This line is unchanged in the current PR, but golang.org/x/oauth2 v0.23.0 contains CVE-2025-22868 (GO-2025-3488), a HIGH severity vulnerability that can cause denial of service through memory exhaustion. This issue was previously flagged and remains unresolved. Upgrade to v0.27.0 or later to address this vulnerability.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@go.mod` at line 74, The go.mod currently pins golang.org/x/oauth2 to v0.23.0
which contains a HIGH-severity CVE; update the dependency to v0.27.0 or later by
changing the module version in go.mod (golang.org/x/oauth2 -> v0.27.0+) and then
run `go get golang.org/x/oauth2@v0.27.0` (or higher) followed by `go mod tidy`
(and `go test ./...`) to refresh go.sum and verify nothing breaks; ensure any
usages of oauth2 types/functions compile against the updated package and adjust
import code in the codebase if any API changes surface.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Duplicate comments:
In `@go.mod`:
- Line 74: The go.mod currently pins golang.org/x/oauth2 to v0.23.0 which
contains a HIGH-severity CVE; update the dependency to v0.27.0 or later by
changing the module version in go.mod (golang.org/x/oauth2 -> v0.27.0+) and then
run `go get golang.org/x/oauth2@v0.27.0` (or higher) followed by `go mod tidy`
(and `go test ./...`) to refresh go.sum and verify nothing breaks; ensure any
usages of oauth2 types/functions compile against the updated package and adjust
import code in the codebase if any API changes surface.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Enterprise

Run ID: 00e95fbc-eea6-44c4-9d77-c892614523a6

📥 Commits

Reviewing files that changed from the base of the PR and between 9ce15e8 and a6782e2.

⛔ Files ignored due to path filters (1)
  • go.sum is excluded by !**/*.sum
📒 Files selected for processing (1)
  • go.mod

@github-actions

Dependabot Auto-Merge Status

This PR meets the criteria for auto-merge but could not be automatically merged due to repository permissions.

  • Update type: version-update:semver-patch
  • Dependencies: github.com/openshift-online/ocm-sdk-go

Please review and merge manually if appropriate.

@dependabot dependabot Bot changed the title from "Bump github.com/openshift-online/ocm-sdk-go from 0.1.456 to 0.1.502 in the ocm-sdk group across 1 directory" to "Bump github.com/openshift-online/ocm-sdk-go from 0.1.456 to 0.1.503 in the ocm-sdk group across 1 directory" on Jun 17, 2026
@dependabot dependabot Bot force-pushed the dependabot/go_modules/ocm-sdk-f6f7f28218 branch from a6782e2 to 639896f on June 17, 2026 04:14

coderabbitai Bot left a comment


♻️ Duplicate comments (1)
go.mod (1)

74-74: ⚠️ Potential issue | 🔴 Critical | ⚡ Quick win

Unresolved: HIGH severity vulnerability in golang.org/x/oauth2 persists.

The golang.org/x/oauth2 v0.23.0 dependency contains CVE-2025-22868 (GO-2025-3488)—improper token validation allowing DoS via unexpected memory consumption. A previous review flagged this, but it remains unpatched in this PR. Even though most of the dependency tree is being updated (ocm-sdk-go 0.1.456→0.1.503), oauth2 was not bumped to v0.27.0 or later.

Next steps:

  1. Verify whether ocm-sdk-go v0.1.503 permits oauth2 ≥v0.27.0 or mandates v0.23.0
  2. If permitted, upgrade oauth2 immediately before merge
🔍 Verification script
#!/bin/bash
# Check which versions of oauth2 are compatible with ocm-sdk-go v0.1.503

# Fetch go.mod of ocm-sdk-go v0.1.503 to see its oauth2 requirement
curl -s "https://raw.githubusercontent.com/openshift-online/ocm-sdk-go/v0.1.503/go.mod" | grep -A 2 'oauth2'

# Check if oauth2 v0.27.0 is available
go list -m -json golang.org/x/oauth2@v0.27.0 2>&1 | head -20
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@go.mod` at line 74, The golang.org/x/oauth2 dependency at version v0.23.0
contains a HIGH severity vulnerability (CVE-2025-22868) that must be resolved
before merging. First, verify whether ocm-sdk-go v0.1.503 allows oauth2 versions
>= v0.27.0 by checking the go.mod file of ocm-sdk-go v0.1.503 (you can fetch
this from the official repository or use go get commands to test compatibility).
If v0.27.0 or later is permitted, update the golang.org/x/oauth2 dependency in
the go.mod file from v0.23.0 to v0.27.0 or a newer patched version to resolve
the vulnerability. If the newer version is not compatible with ocm-sdk-go
v0.1.503, investigate whether ocm-sdk-go itself needs to be updated to a version
that supports the patched oauth2 release.

Sources: Coding guidelines, Linters/SAST tools

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Duplicate comments:
In `@go.mod`:
- Line 74: The golang.org/x/oauth2 dependency at version v0.23.0 contains a HIGH
severity vulnerability (CVE-2025-22868) that must be resolved before merging.
First, verify whether ocm-sdk-go v0.1.503 allows oauth2 versions >= v0.27.0 by
checking the go.mod file of ocm-sdk-go v0.1.503 (you can fetch this from the
official repository or use go get commands to test compatibility). If v0.27.0 or
later is permitted, update the golang.org/x/oauth2 dependency in the go.mod file
from v0.23.0 to v0.27.0 or a newer patched version to resolve the vulnerability.
If the newer version is not compatible with ocm-sdk-go v0.1.503, investigate
whether ocm-sdk-go itself needs to be updated to a version that supports the
patched oauth2 release.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository: openshift-online/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: b6f2253d-02c0-4370-aed4-1db3082cedcb

📥 Commits

Reviewing files that changed from the base of the PR and between a6782e2 and 639896f.

⛔ Files ignored due to path filters (1)
  • go.sum is excluded by !**/*.sum
📒 Files selected for processing (1)
  • go.mod

@github-actions

/retest

@github-actions

/retest

@github-actions

Dependabot Auto-Merge Status

This PR meets the criteria for auto-merge but could not be automatically merged due to repository permissions.

  • Update type: version-update:semver-patch
  • Dependencies: github.com/openshift-online/ocm-sdk-go

Please review and merge manually if appropriate.

Bumps the ocm-sdk group with 1 update in the / directory: [github.com/openshift-online/ocm-sdk-go](https://github.com/openshift-online/ocm-sdk-go).


Updates `github.com/openshift-online/ocm-sdk-go` from 0.1.456 to 0.1.504
- [Release notes](https://github.com/openshift-online/ocm-sdk-go/releases)
- [Changelog](https://github.com/openshift-online/ocm-sdk-go/blob/main/CHANGES.md)
- [Commits](openshift-online/ocm-sdk-go@v0.1.456...v0.1.504)

---
updated-dependencies:
- dependency-name: github.com/openshift-online/ocm-sdk-go
  dependency-version: 0.1.501
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: ocm-sdk
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot changed the title from "Bump github.com/openshift-online/ocm-sdk-go from 0.1.456 to 0.1.503 in the ocm-sdk group across 1 directory" to "Bump github.com/openshift-online/ocm-sdk-go from 0.1.456 to 0.1.504 in the ocm-sdk group across 1 directory" on Jun 24, 2026
@dependabot dependabot Bot force-pushed the dependabot/go_modules/ocm-sdk-f6f7f28218 branch from 639896f to 17957d8 on June 24, 2026 04:12
@github-actions

Dependabot Auto-Merge Status

This PR meets the criteria for auto-merge but could not be automatically merged due to repository permissions.

  • Update type: version-update:semver-patch
  • Dependencies: github.com/openshift-online/ocm-sdk-go

Please review and merge manually if appropriate.

openshift-ci Bot commented Jun 24, 2026


@dependabot[bot]: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name | Commit | Details | Required | Rerun command
ci/prow/ocm-fvt-rosa-hcp-staging-ocm-fvt-periodic-cs-sanity-jira-staging-main | 17957d8 | link | true | /test ocm-fvt-rosa-hcp-staging-ocm-fvt-periodic-cs-sanity-jira-staging-main

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.
