
Bump the kubernetes group across 1 directory with 3 updates #69

Open
dependabot[bot] wants to merge 1 commit into main from dependabot/go_modules/kubernetes-fe08b70ac6

Conversation

dependabot[bot] (Contributor) commented on behalf of github, Jun 10, 2026

Bumps the kubernetes group with 2 updates in the / directory: k8s.io/apimachinery and k8s.io/client-go.

Updates k8s.io/apimachinery from 0.32.1 to 0.36.2

Commits
  • ae3f98e Update dependencies to v0.36.2 tag
  • 2ec982d Merge pull request #139508 from lalitc375/automated-cherry-pick-of-#139480
  • 6a88102 Fix wrong marking of errors
  • efb7f26 Merge remote-tracking branch 'origin/master' into release-1.36
  • d966e56 Update github.com/moby/spdystream from v0.5.0 to v0.5.1
  • 79b3632 Merge pull request #137864 from yongruilin/dv-dra-mismatch
  • a8822f7 Add slice and map union member support with tests
  • 7dba2d0 Use IsZero instead of IsNil for union ratcheting check
  • d95710f Fix union validation ratcheting when oldObj is nil
  • 729062d Merge pull request #137849 from bryantbiggs/deps/update-kube-openapi
  • Additional commits viewable in compare view

Updates k8s.io/client-go from 0.32.1 to 0.36.2

Commits
  • 877f535 Update dependencies to v0.36.2 tag
  • f22a53e Merge remote-tracking branch 'origin/master' into release-1.36
  • a948641 Update github.com/moby/spdystream from v0.5.0 to v0.5.1
  • 7e44ffc Add Workload-Aware Preemption fields to Workload and PodGroup APIs
  • df2d882 Merge pull request #136989 from nojnhuh/podgroup-resourceclaim
  • 4eece52 Workload API: PodGroup ResourceClaims (KEP-5729)
  • 3d35c51 Merge pull request #137190 from everpeace/KEP-5491-alpha
  • 0434117 Merge pull request #137028 from nmn3m/feature/dra-resource-pool-status
  • ba785be Drop CSR analogy, mark ObjectMeta +required,reduce limits (maxItems=500, maxL...
  • 4a9c878 Add ResourcePoolStatusRequest API types and generated code
  • Additional commits viewable in compare view

Updates k8s.io/utils from 0.0.0-20241104100929-3ea5e8cea738 to 0.0.0-20260210185600-b8788abfbbc2


Summary by CodeRabbit

  • Chores
    • Updated Go toolchain to version 1.26.0.
    • Upgraded dependencies including Kubernetes-related packages to maintain compatibility and improve overall stability.

dependabot[bot] added labels area/dependency (Issues or PRs related to dependency changes) and ok-to-test (Indicates a non-member PR verified by an org member that is safe to test) on Jun 10, 2026
openshift-ci[bot] requested a review from bmeng, June 10, 2026 04:13

coderabbitai[bot] commented Jun 10, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Repository: openshift-online/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 10ac0913-c2db-4f19-a0a7-f77649c62d64

📥 Commits

Reviewing files that changed from the base of the PR and between 80c3a17 and b662898.

⛔ Files ignored due to path filters (1)
  • go.sum is excluded by !**/*.sum
📒 Files selected for processing (1)
  • go.mod
🚧 Files skipped from review as they are similar to previous changes (1)
  • go.mod

Walkthrough

This PR updates the Go module dependencies for the rosa-e2e project. The Go toolchain is bumped from 1.24 to 1.26.0, direct Kubernetes client libraries are upgraded to v0.36.2, and transitive dependencies are coordinated to compatible newer versions with composition changes to the indirect dependency set.

Changes

Go Module Dependencies Update

Layer (File) / Summary:
  • Go toolchain version directive (go.mod): Go version directive is updated from go 1.24 to go 1.26.0.
  • Direct Kubernetes client library upgrades (go.mod): Direct k8s.io module dependencies (k8s.io/api, k8s.io/apimachinery, k8s.io/client-go, k8s.io/utils) are upgraded from v0.32.1 to v0.36.2 release versions.
  • Indirect dependency ecosystem refresh (go.mod): Indirect dependencies across multiple ecosystems (go-restful, go-logr, go-openapi, JWT, protobuf, golang.org/x, k8s.io, sigs.k8s.io) are upgraded to compatible versions; gogo/protobuf and google/gofuzz are removed; structured-merge-diff/v4 is replaced with structured-merge-diff/v6; and related sigs.k8s.io entries are synchronized.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes


Important

Pre-merge checks failed

Please resolve all errors before merging. Addressing warnings is optional.

❌ Failed checks (1 error)

  • No-Sensitive-Data-In-Logs: ❌ Error. Explanation: The PR adds logging of unfiltered HTTP response bodies from OIDC token endpoint (line 74 in rhobs.go), which could expose authentication tokens or sensitive error details in test logs. Resolution: Filter response bodies before logging; only include status codes and generic error messages, not full response content from authentication endpoints.

✅ Passed checks (10 passed)
  • Description Check: ✅ Passed. Check skipped - CodeRabbit's high-level summary is enabled.
  • Title check: ✅ Passed. The title accurately describes the main change: bumping Kubernetes dependencies (k8s.io/api, k8s.io/apimachinery, k8s.io/client-go) across the root directory.
  • Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
  • Linked Issues check: ✅ Passed. Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check: ✅ Passed. Check skipped because no linked issues were found for this pull request.
  • No-Weak-Crypto: ✅ Passed. No weak crypto (MD5, SHA1, DES, RC4, 3DES, Blowfish, ECB), custom crypto implementations, or non-constant-time secret comparisons found. PR only updates Kubernetes dependencies.
  • Container-Privileges: ✅ Passed. The PR only modifies go.mod and go.sum for dependency updates. No K8s manifests or container configs with privilege settings are present or modified.
  • No-Hardcoded-Secrets: ✅ Passed. No hardcoded secrets detected. PR only modifies go.mod and go.sum with dependency version updates and SHA256 checksums; no credentials, API keys, tokens, passwords, or private keys found.
  • No-Injection-Vectors: ✅ Passed. PR contains only dependency version updates in go.mod/go.sum with no new code additions. No injection vectors are introduced; existing yaml usage is safe (uses yaml.v3 Unmarshal, not unsafe Load).
  • Ai-Attribution: ✅ Passed. No AI tools were mentioned in PR or commits; this is a standard Dependabot automated dependency update with no AI involvement.

openshift-ci[bot] requested a review from ravitri, June 10, 2026 04:13

openshift-ci[bot] commented Jun 10, 2026

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: dependabot[bot]
Once this PR has been reviewed and has the lgtm label, please assign dustman9000 for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

coderabbitai[bot] left a review comment

Actionable comments posted: 4

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@go.mod`:
- Line 3: The go.mod module directive was bumped to "go 1.26.0" but CI is still
using the "golang-1.24" image tag; update the CI operator configuration to use a
Go 1.26 image (replace "golang-1.24" with the matching "golang-1.26" or
equivalent image tag) so the CI runtime matches the go 1.26 requirement and
avoids build failures.
- Around line 13-16: go.mod was bumped to k8s.io client libs v0.36.1 which
contains breaking changes; inspect the codebase for uses of removed/changed APIs
(search for imports or symbols like client-go/tools/bootstrap, util/cert/triple,
any cert generation functions that return *rsa.PrivateKey or expect x509 key
pairs, usages of crypto.Signer vs concrete keys, scale client types/methods
(scale.Interface, Scale subresource calls), and watch helpers like
watchtools.Until or watch.Until) and either migrate those callsites to the new
APIs (replace bootstrap usage with the new bootstrap helpers, switch cert key
handling to crypto.Signer-based APIs, adapt scale client calls to the new scale
client interfaces, and migrate watch tool usage to the updated Until semantics)
or pin go.mod back to the previous known-good client-go version; update imports
and call signatures accordingly and run `go build`/`go test` to validate.
- Line 45: The go.mod currently resolves transitive github.com/golang-jwt/jwt/v4
v4.4.1 and github.com/golang/glog v1.0.0 which are vulnerable; update go.mod to
pin safe minimum versions by adding explicit require directives for
github.com/golang-jwt/jwt/v4 at v4.5.2 (or later) and github.com/golang/glog at
v1.2.4 (or later), then run module tidy/resolve (e.g., go get
github.com/golang-jwt/jwt/v4@v4.5.2 && go get github.com/golang/glog@v1.2.4 &&
go mod tidy) so the transitive graph uses the patched versions.
- Line 46: go.mod currently pins the indirect module github.com/golang/glog at
v1.0.0 which is vulnerable; update the dependency chain so
github.com/golang/glog is at least v1.2.4 by either bumping the upstream
module(s) that pull it (e.g., update github.com/openshift-online/ocm-sdk-go and
any rosa-e2e/pkg/framework dependency versions) or directly forcing the version
in your go.mod (add an explicit require for github.com/golang/glog v1.2.4 or
later), then run go get / go mod tidy to refresh go.sum and verify builds/tests
pass; reference modules: github.com/golang/glog,
github.com/openshift-online/ocm-sdk-go, rosa-e2e/pkg/framework.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Enterprise

Run ID: e3b3b994-dccf-4c30-9736-1902329f79b8

📥 Commits

Reviewing files that changed from the base of the PR and between b29775a and 450ff12.

⛔ Files ignored due to path filters (1)
  • go.sum is excluded by !**/*.sum
📒 Files selected for processing (1)
  • go.mod

Comment thread go.mod
module github.com/openshift-online/rosa-e2e

go 1.24
go 1.26.0
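Review bot: the change from `go 1.24` to `go 1.26.0` is not accounted for in the commit message, whose updated-dependencies block lists only the three k8s.io modules, so a reviewer cannot tell whether one of the new k8s.io versions requires Go 1.26 or whether it was raised incidentally; record the reason in the PR description and land the matching CI image change first, since the CI build root is still tagged golang-1.24 and a toolchain that does not satisfy the directive will not build the module.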


⚠️ Potential issue | 🔴 Critical | ⚡ Quick win

CI configuration mismatch will break builds.

The go.mod now requires Go 1.26.0, but the CI operator configuration at ci-operator/openshift-online-rosa-e2e-main.yaml lines 4-9 is still pinned to golang-1.24 image tag. This mismatch will cause build failures when CI attempts to build the project with Go 1.24 while the module requires 1.26.0.

🔧 Required CI config update

Update ci-operator/openshift-online-rosa-e2e-main.yaml:

 build_root:
   image_stream_tag:
     name: release
     namespace: openshift
-    tag: golang-1.24
+    tag: golang-1.26
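Review bot: before switching `tag: golang-1.24` to `tag: golang-1.26`, confirm that an image stream tag with exactly that name is published in the `openshift` namespace named on the `namespace:` line; if the published tag is spelled differently, build_root resolution fails just as the current 1.24/1.26.0 mismatch does, so pair the change with a CI run before merging.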
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@go.mod` at line 3, The go.mod module directive was bumped to "go 1.26.0" but
CI is still using the "golang-1.24" image tag; update the CI operator
configuration to use a Go 1.26 image (replace "golang-1.24" with the matching
"golang-1.26" or equivalent image tag) so the CI runtime matches the go 1.26
requirement and avoids build failures.

Comment thread go.mod
github.com/go-openapi/swag v0.23.0 // indirect
github.com/go-task/slim-sprig/v3 v3.0.0 // indirect
github.com/gogo/protobuf v1.3.2 // indirect
github.com/golang-jwt/jwt/v4 v4.4.1 // indirect
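Review bot: this is an `// indirect` requirement, so the kubernetes-group bump does not control it and this PR will not raise it; the fix needs an explicit `require github.com/golang-jwt/jwt/v4 v4.5.2` (and `github.com/golang/glog v1.2.4`) so minimum version selection picks the patched release, followed by `go mod tidy`, with `go mod why github.com/golang-jwt/jwt/v4` to confirm which direct dependency pulls it in and `go list -m github.com/golang-jwt/jwt/v4` to confirm the selected version is the patched one.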


⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Find which direct dependency brings in golang-jwt/jwt
go mod why github.com/golang-jwt/jwt/v4

# Check for available updates
gh api graphql -f query='
{
  securityVulnerabilities(first: 10, ecosystem: GO, package: "github.com/golang-jwt/jwt/v4") {
    nodes {
      advisory {
        summary
        severity
        publishedAt
      }
      vulnerableVersionRange
      firstPatchedVersion {
        identifier
      }
    }
  }
}'

Repository: openshift-online/rosa-e2e

Length of output: 2164


🏁 Script executed:

#!/bin/bash
set -euo pipefail

# Find which direct dependency brings in glog
go mod why github.com/golang/glog

# Query GitHub advisories for glog
gh api graphql -f query='
{
  securityVulnerabilities(first: 20, ecosystem: GO, package: "github.com/golang/glog") {
    nodes {
      advisory {
        summary
        severity
        publishedAt
      }
      vulnerableVersionRange
      firstPatchedVersion { identifier }
    }
  }
}'

Repository: openshift-online/rosa-e2e

Length of output: 524


🏁 Script executed:

#!/bin/bash
set -euo pipefail

# Show the relevant section of go.mod around the reported lines
nl -ba go.mod | sed -n '35,60p'

Repository: openshift-online/rosa-e2e

Length of output: 112


🏁 Script executed:

#!/bin/bash
set -euo pipefail

# Show relevant section of go.mod around lines 45-55
awk 'NR>=35 && NR<=60 {printf "%d:%s\n", NR, $0}' go.mod

Repository: openshift-online/rosa-e2e

Length of output: 1586


Fix vulnerable jwt-go and glog versions in go.mod

go.mod pins transitive github.com/golang-jwt/jwt/v4 v4.4.1 and github.com/golang/glog v1.0.0 with security advisories:

  • jwt/v4: HIGH — excessive memory allocation during header parsing (< 4.5.2; first patched 4.5.2); LOW — error-handling documentation in ParseWithClaims (< 4.5.1; first patched 4.5.1)
  • glog: MODERATE — insecure temporary file usage (< 1.2.4; first patched 1.2.4)

Update the dependency graph (or add a targeted require override) so transitive resolution uses at least jwt/v4 >= 4.5.2 and glog >= 1.2.4.

🧰 Tools
🪛 OSV Scanner (2.3.8)

[HIGH] 45-45: github.com/golang-jwt/jwt/v4 4.4.1: Improper error handling in ParseWithClaims and bad documentation may cause dangerous situations in github.com/golang-jwt/jwt

(GO-2024-3250)


[HIGH] 45-45: github.com/golang-jwt/jwt/v4 4.4.1: Excessive memory allocation during header parsing in github.com/golang-jwt/jwt

(GO-2025-3553)


[HIGH] 45-45: github.com/golang-jwt/jwt/v4 4.4.1: Bad documentation of error handling in ParseWithClaims can lead to potentially dangerous situations

(GHSA-29wx-vh33-7x7r)


[HIGH] 45-45: github.com/golang-jwt/jwt/v4 4.4.1: jwt-go allows excessive memory allocation during header parsing

(GHSA-mh63-6h87-95cp)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@go.mod` at line 45, The go.mod currently resolves transitive
github.com/golang-jwt/jwt/v4 v4.4.1 and github.com/golang/glog v1.0.0 which are
vulnerable; update go.mod to pin safe minimum versions by adding explicit
require directives for github.com/golang-jwt/jwt/v4 at v4.5.2 (or later) and
github.com/golang/glog at v1.2.4 (or later), then run module tidy/resolve (e.g.,
go get github.com/golang-jwt/jwt/v4@v4.5.2 && go get
github.com/golang/glog@v1.2.4 && go mod tidy) so the transitive graph uses the
patched versions.

Source: Linters/SAST tools

github-actions[bot] commented:

/retest

1 similar comment

github-actions[bot] commented:

/retest

dependabot[bot] force-pushed the dependabot/go_modules/kubernetes-fe08b70ac6 branch from 450ff12 to 80c3a17 on June 17, 2026 04:14

github-actions[bot] commented:

/retest

1 similar comment

github-actions[bot] commented:

/retest

Bumps the kubernetes group with 2 updates in the / directory: [k8s.io/apimachinery](https://github.com/kubernetes/apimachinery) and [k8s.io/client-go](https://github.com/kubernetes/client-go).


Updates `k8s.io/apimachinery` from 0.32.1 to 0.36.2
- [Commits](kubernetes/apimachinery@v0.32.1...v0.36.2)

Updates `k8s.io/client-go` from 0.32.1 to 0.36.2
- [Changelog](https://github.com/kubernetes/client-go/blob/master/CHANGELOG.md)
- [Commits](kubernetes/client-go@v0.32.1...v0.36.2)

Updates `k8s.io/utils` from 0.0.0-20241104100929-3ea5e8cea738 to 0.0.0-20260210185600-b8788abfbbc2
- [Commits](https://github.com/kubernetes/utils/commits)

---
updated-dependencies:
- dependency-name: k8s.io/apimachinery
  dependency-version: 0.36.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: kubernetes
- dependency-name: k8s.io/client-go
  dependency-version: 0.36.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: kubernetes
- dependency-name: k8s.io/utils
  dependency-version: 0.0.0-20260210185600-b8788abfbbc2
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: kubernetes
...

Signed-off-by: dependabot[bot] <support@github.com>
dependabot[bot] force-pushed the dependabot/go_modules/kubernetes-fe08b70ac6 branch from 80c3a17 to b662898 on June 24, 2026 04:11

github-actions[bot] commented:

/retest

1 similar comment

github-actions[bot] commented:

/retest

openshift-ci[bot] commented Jun 24, 2026

@dependabot[bot]: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name (commit, required) / Rerun command:
  • ci/prow/lint (b662898, required: true): /test lint
  • ci/prow/unit (b662898, required: true): /test unit
  • ci/prow/images (b662898, required: true): /test images
  • ci/prow/periodics-images (b662898, required: true): /test periodics-images
  • ci/prow/e2e-rosa-classic-smoke (b662898, required: false): /test e2e-rosa-classic-smoke
  • ci/prow/e2e-rosa-hcp-smoke (b662898, required: false): /test e2e-rosa-hcp-smoke
  • ci/prow/upgrade-images (b662898, required: true): /test upgrade-images
  • ci/prow/ocm-fvt-rosa-hcp-staging-ocm-fvt-periodic-cs-sanity-jira-staging-main (b662898, required: true): /test ocm-fvt-rosa-hcp-staging-ocm-fvt-periodic-cs-sanity-jira-staging-main


Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.
