oadp-1.3: OADP-7568,OADP-7571: Fix CVEs: bump Go to 1.25.8, update dependencies#394

Open
kaovilai wants to merge 3 commits into openshift:oadp-1.3 from kaovilai:oadp-13-cve

Conversation

@kaovilai
Member

Summary

  • Bump Go from 1.23.0 to 1.25.0 with toolchain go1.25.8
  • Update golang.org/x/crypto, golang.org/x/net, google.golang.org/grpc, google.golang.org/api
  • Update konflux Dockerfile to golang 1.25 builder

Test plan

  • go build ./... compiles successfully
  • go vet ./... passes cleanly
  • CI passes

Note

Responses generated with Claude

Generated with [Claude Code](https://claude.ai/code)
via [Happy](https://happy.engineering)

Co-Authored-By: Claude <noreply@anthropic.com>
Co-Authored-By: Happy <yesreply@happy.engineering>
Signed-off-by: Tiger Kaovilai <tkaovila@redhat.com>
Copilot AI review requested due to automatic review settings April 17, 2026 19:25
@openshift-ci-robot openshift-ci-robot added the jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. label Apr 17, 2026
@openshift-ci-robot

openshift-ci-robot commented Apr 17, 2026

@kaovilai: This pull request references OADP-7568 which is a valid jira issue.

This pull request references OADP-7571 which is a valid jira issue.

@coderabbitai

coderabbitai Bot commented Apr 17, 2026

Important

Review skipped

Auto reviews are disabled on base/target branches other than the default branch.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

@openshift-ci

openshift-ci Bot commented Apr 17, 2026

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: kaovilai

@openshift-ci openshift-ci Bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Apr 17, 2026

Copilot AI left a comment

Pull request overview

Updates the OADP 1.3 plugin’s Go toolchain and module dependencies to address reported CVEs, and aligns the Konflux build image with the new Go version.

Changes:

  • Bump go.mod language version to Go 1.25 and set toolchain go1.25.8.
  • Update a wide set of Go module dependencies (notably golang.org/x/*, google.golang.org/*, and related transitive deps).
  • Update konflux.Dockerfile to use the RHEL9 Go 1.25 builder image.

Reviewed changes

Copilot reviewed 2 out of 3 changed files in this pull request and generated 1 comment.

| File | Description |
| --- | --- |
| konflux.Dockerfile | Switches Konflux builder image to Go 1.25. |
| go.mod | Bumps Go version/toolchain and updates required module versions. |
| go.sum | Refreshes dependency checksums consistent with the module updates. |

Comment thread go.mod
Comment on lines +3 to +5
go 1.25.0

toolchain go1.23.6
toolchain go1.25.8
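
Review bot: On the `go 1.25.0` / `toolchain go1.25.8` pair, the patch level that the CVE fixes depend on is carried only by the `toolchain` line, which go.mod treats as a suggested toolchain rather than a minimum version. A builder that already ships some Go 1.25.x and runs with GOTOOLCHAIN=local satisfies `go 1.25.0` and compiles with whatever patch release the image provides. Either raise the directive to `go 1.25.8` so that older 1.25.x compilers are rejected, or state in the PR description which patch release the golang 1.25 builder image delivers.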

Copilot AI Apr 17, 2026

Bumping go.mod to go 1.25.0 + toolchain go1.25.8 will break the default make build flow: the Makefile’s default BUILD_IMAGE is openshift/origin-release:golang-1.14 (Makefile:19), and Go 1.14 cannot parse the toolchain directive (and won’t support Go 1.25 language version). Please update the build container used by make build (or otherwise adjust the build instructions) so local/CI builds don’t fail after this Go bump.

kaovilai and others added 2 commits April 17, 2026 18:18
Cherry-pick of openshift#365 (7e4a7d4) from oadp-dev to fix S3 bucket test
failures in CI. Uses mock instead of real S3 calls.

Conflicts resolved:
- common/types.go: added new constants (SkipBuildConfigConfigMapRestore,
  registry SA annotations)
- serviceaccount/backup.go: kept oadp-1.3 struct layout (no sccCache)
- Removed files not in oadp-1.3 (vmfr_restore_test.go, itemblock.go)

Generated with [Claude Code](https://claude.ai/code)
via [Happy](https://happy.engineering)

Co-Authored-By: Claude <noreply@anthropic.com>
Co-Authored-By: Happy <yesreply@happy.engineering>
Signed-off-by: Tiger Kaovilai <tkaovila@redhat.com>
…tion

Old setup-envtest downloads kubebuilder test binaries from deprecated
GCS bucket which now returns 401. Update to latest version per
kubernetes-sigs/kubebuilder#4082.

Generated with [Claude Code](https://claude.ai/code)
via [Happy](https://happy.engineering)

Co-Authored-By: Claude <noreply@anthropic.com>
Co-Authored-By: Happy <yesreply@happy.engineering>
Signed-off-by: Tiger Kaovilai <tkaovila@redhat.com>
@openshift-ci

openshift-ci Bot commented Apr 17, 2026

@kaovilai: all tests passed!

@kaovilai
Member Author

/hold for velero bump from crd update

@openshift-ci openshift-ci Bot added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Apr 20, 2026
@kaovilai
Member Author

/unhold crd change pretty-no-op seen in openshift/velero#498

@openshift-ci openshift-ci Bot removed the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Apr 20, 2026