Update google.golang.org/genproto digest to 87f3d3e #175

Open
red-hat-konflux-kflux-prd-rh02[bot] wants to merge 1 commit into main from konflux/mintmaker/main/google.golang.org-genproto-digest

Conversation

red-hat-konflux-kflux-prd-rh02 Bot commented Jun 15, 2026
Contributor

This PR contains the following updates:

| Package | Type | Update | Change |
| --- | --- | --- | --- |
| google.golang.org/genproto | indirect | digest | 4cfbd41 → 87f3d3e |

Warning

Some dependencies could not be looked up. Check the warning logs for more information.


Configuration

📅 Schedule: Branch creation - "on monday" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

To execute skipped test pipelines write comment /ok-to-test.


Documentation

Find out how to configure dependency updates in MintMaker documentation or see all available configuration options in Renovate documentation.

red-hat-konflux-kflux-prd-rh02 Bot commented Jun 15, 2026
Contributor Author

⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

  • any of the package files in this branch needs updating, or
  • the branch becomes conflicted, or
  • you click the rebase/retry checkbox if found above, or
  • you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: go.sum
Command failed: go get -t ./...
go: downloading github.com/openshift-hyperfleet/hyperfleet-broker v1.1.1
go: downloading github.com/prometheus/client_golang v1.23.2
go: downloading github.com/spf13/cobra v1.8.0
go: downloading github.com/cenkalti/backoff/v5 v5.0.3
go: downloading github.com/spf13/pflag v1.0.10
go: downloading go.opentelemetry.io/otel/sdk v1.43.0
go: downloading gopkg.in/yaml.v3 v3.0.1
go: downloading go.opentelemetry.io/otel v1.43.0
go: downloading go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.65.0
go: downloading github.com/spf13/viper v1.21.0
go: downloading github.com/google/cel-go v0.27.0
go: downloading github.com/cloudevents/sdk-go/v2 v2.16.2
go: downloading github.com/google/uuid v1.6.0
go: downloading go.opentelemetry.io/contrib/propagators/autoprop v0.68.0
go: downloading go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.43.0
go: downloading go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.43.0
go: downloading go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.43.0
go: downloading go.opentelemetry.io/otel/exporters/stdout/stdouttrace v1.43.0
go: downloading go.opentelemetry.io/otel/trace v1.43.0
go: downloading cloud.google.com/go/pubsub/v2 v2.5.1
go: downloading cloud.google.com/go v0.123.0
go: downloading github.com/ThreeDotsLabs/watermill v1.5.1
go: downloading github.com/ThreeDotsLabs/watermill-amqp/v3 v3.0.2
go: downloading github.com/ThreeDotsLabs/watermill-googlecloud/v2 v2.0.0
go: downloading google.golang.org/grpc v1.81.1
go: downloading google.golang.org/protobuf v1.36.11
go: downloading github.com/beorn7/perks v1.0.1
go: downloading github.com/cespare/xxhash/v2 v2.3.0
go: downloading github.com/prometheus/client_model v0.6.2
go: downloading github.com/prometheus/common v0.66.1
go: downloading github.com/prometheus/procfs v0.17.0
go: downloading golang.org/x/sys v0.45.0
go: downloading github.com/inconshreveable/mousetrap v1.1.0
go: downloading github.com/felixge/httpsnoop v1.0.4
go: downloading go.opentelemetry.io/otel/metric v1.43.0
go: downloading github.com/go-logr/logr v1.4.3
go: downloading github.com/fsnotify/fsnotify v1.9.0
go: downloading github.com/go-viper/mapstructure/v2 v2.5.0
go: downloading github.com/sagikazarmark/locafero v0.12.0
go: downloading github.com/spf13/afero v1.15.0
go: downloading github.com/spf13/cast v1.10.0
go: downloading cel.dev/expr v0.25.1
go: downloading google.golang.org/genproto/googleapis/api v0.0.0-20260610212136-7ab31c22f7ad
go: downloading golang.org/x/text v0.37.0
go: downloading google.golang.org/genproto v0.0.0-20260618152121-87f3d3e198d3
go: downloading github.com/kylelemons/godebug v1.1.0
go: downloading go.opentelemetry.io/contrib/propagators/aws v1.43.0
go: downloading go.opentelemetry.io/contrib/propagators/b3 v1.43.0
go: downloading go.opentelemetry.io/contrib/propagators/jaeger v1.43.0
go: downloading go.opentelemetry.io/contrib/propagators/ot v1.43.0
go: downloading go.opentelemetry.io/proto/otlp v1.10.0
go: downloading google.golang.org/genproto/googleapis/rpc v0.0.0-20260610212136-7ab31c22f7ad
go: downloading github.com/googleapis/gax-go/v2 v2.21.0
go: downloading go.opencensus.io v0.24.0
go: downloading golang.org/x/sync v0.20.0
go: downloading google.golang.org/api v0.274.0
go: downloading github.com/hashicorp/go-multierror v1.1.1
go: downloading github.com/cenkalti/backoff/v3 v3.2.2
go: downloading github.com/pkg/errors v0.9.1
go: downloading github.com/rabbitmq/amqp091-go v1.10.0
go: downloading github.com/lithammer/shortuuid/v3 v3.0.7
go: downloading github.com/oklog/ulid v1.3.1
go: downloading github.com/sony/gobreaker v1.0.0
go: downloading github.com/json-iterator/go v1.1.12
go: downloading github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822
go: downloading go.yaml.in/yaml/v2 v2.4.2
go: downloading github.com/go-logr/stdr v1.2.2
go: downloading go.opentelemetry.io/auto/sdk v1.2.1
go: downloading github.com/subosito/gotenv v1.6.0
go: downloading github.com/pelletier/go-toml/v2 v2.2.4
go: downloading go.yaml.in/yaml/v3 v3.0.4
go: downloading github.com/antlr4-go/antlr/v4 v4.13.1
go: downloading go.uber.org/zap v1.27.1
go: downloading go.uber.org/multierr v1.11.0
go: downloading github.com/grpc-ecosystem/grpc-gateway/v2 v2.28.0
go: downloading golang.org/x/net v0.55.0
go: downloading golang.org/x/oauth2 v0.36.0
go: downloading cloud.google.com/go/iam v1.11.0
go: downloading cloud.google.com/go/auth v0.18.2
go: downloading github.com/hashicorp/errwrap v1.1.0
go: downloading github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd
go: downloading github.com/modern-go/reflect2 v1.0.2
go: downloading golang.org/x/exp v0.0.0-20240823005443-9b4947da3948
go: downloading cloud.google.com/go/compute/metadata v0.9.0
go: downloading cloud.google.com/go/auth/oauth2adapt v0.2.8
go: downloading go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.65.0
go: downloading golang.org/x/time v0.15.0
go: downloading github.com/google/s2a-go v0.1.9
go: downloading github.com/googleapis/enterprise-certificate-proxy v0.3.14
go: downloading golang.org/x/crypto v0.51.0
go: github.com/openshift-hyperfleet/hyperfleet-sentinel/internal/client imports
	github.com/openshift-hyperfleet/hyperfleet-sentinel/pkg/api/openapi: cannot find module providing package github.com/openshift-hyperfleet/hyperfleet-sentinel/pkg/api/openapi

@openshift-ci openshift-ci Bot requested review from Mischulee and pnguyen44 June 15, 2026 16:06
openshift-ci Bot commented Jun 15, 2026

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign tirthct for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

openshift-ci Bot commented Jun 15, 2026

Hi @red-hat-konflux-kflux-prd-rh02[bot]. Thanks for your PR.

I'm waiting for an openshift-hyperfleet member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work.

Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

coderabbitai Bot commented Jun 15, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Central YAML (base), Organization UI (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: b4ddbeff-76fd-4c02-935e-62fc424e0af9

📥 Commits

Reviewing files that changed from the base of the PR and between af8acb7 and 7f33fef.

📒 Files selected for processing (1)
  • go.mod
🔗 Linked repositories identified

CodeRabbit considers these linked repositories for cross-repo context during reviews:

  • openshift-hyperfleet/architecture (manual)
  • openshift-hyperfleet/hyperfleet-api (manual)
  • openshift-hyperfleet/hyperfleet-sentinel (manual)
  • openshift-hyperfleet/hyperfleet-adapter (manual)
  • openshift-hyperfleet/hyperfleet-broker (manual)
🚧 Files skipped from review as they are similar to previous changes (1)
  • go.mod

📝 Walkthrough

Summary by CodeRabbit

  • Chores
    • Updated a Go dependency version to maintain compatibility with external libraries and ensure continued stability.

Walkthrough

go.mod updates the indirect dependency google.golang.org/genproto from v0.0.0-20260209200024-4cfbd4190f57 to pseudo-version 87f3d3e198d3. No exported declarations, interfaces, or application logic are modified.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes


Supply chain flag — CWE-1357 (Reliance on Insufficiently Trustworthy Component).

google.golang.org/genproto is an indirect dependency resolved to a pseudo-version (commit hash 87f3d3e198d3), not a tagged release. Pseudo-versions pin a specific upstream commit but bypass semantic versioning guarantees and changelogs.

Verify before merging:

  1. Confirm the commit hash is from the canonical upstream repo. Run go mod download -json google.golang.org/genproto@v0.0.0-...-87f3d3e198d3 and cross-check the hash against https://github.com/googleapis/go-genproto. Verify the commit is public and reachable.
  2. Check go.sum integrity. Ensure go.sum was updated atomically with this go.mod change and the new hash entry is covered by the checksum database (sum.golang.org). Tampered checksums are a direct supply chain vector.
  3. Identify what forced this bump. Indirect dependency changes are transitive. Run go mod why google.golang.org/genproto to trace the dependency path and confirm whether a direct dependency that requires it was intentionally bumped elsewhere in this PR or upstream.
  4. Verify go.sum diff presence. If go.sum was not updated, the build is broken. If it was updated but not visible in this PR diff, that is a review gap — the new checksum line must be independently scrutinized against the Go checksum database.
🚥 Pre-merge checks | ✅ 11
✅ Passed checks (11 passed)
| Check name | Status | Explanation |
| --- | --- | --- |
| Title check | ✅ Passed | The title directly and specifically describes the main change: updating the google.golang.org/genproto digest to version 87f3d3e. |
| Description check | ✅ Passed | The description documents the dependency update with version change details, though it lists digest 7ab31c2 in objectives versus 87f3d3e in title—possible automated tool inconsistency. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Sec-02: Secrets In Log Output | ✅ Passed | No secrets, tokens, passwords, or credentials found in log statements across all in-scope production Go files (14 examined, 0 violations detected). |
| No Hardcoded Secrets | ✅ Passed | No hardcoded secrets detected. Comprehensive scan found no API keys, tokens, passwords, private keys, or embedded credentials in the 102 added/modified files. |
| No Weak Cryptography | ✅ Passed | No weak cryptography primitives found. Scanned 27 Go files across cmd/, internal/, pkg/, test/ - no MD5, DES, RC4, SHA1-security, ECB, custom crypto, or insecure secret comparisons detected. |
| No Injection Vectors | ✅ Passed | PR updates google.golang.org/genproto dependency only; no code changes. Scanned for SQL/command/template/YAML injection patterns—none found in application code. |
| No Privileged Containers | ✅ Passed | PR modifies only go.mod; no Kubernetes manifests, Helm templates, or Dockerfiles were added/modified. Check does not apply to dependency updates. |
| No Pii Or Sensitive Data In Logs | ✅ Passed | No logging statements expose PII, session IDs, raw request/response bodies, or credentials. Debug config logging uses RedactedCopy() for safe copying; config struct contains no auth fields. |

Warning

There were issues while running some tools. Please review the errors and either fix the tool's configuration or disable the tool if it's a critical failure.

🔧 golangci-lint (2.12.2)

level=error msg="Running error: context loading failed: failed to load packages: failed to load packages: failed to load with go/packages: err: exit status 1: stderr: go: updates to go.mod needed, disabled by -mod=readonly; to update it:\n\tgo mod tidy\n"


Comment @coderabbitai help to get the list of available commands and usage tips.

@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@go.mod`:
- Around line 138-140: The google.golang.org/genproto module on line 138 uses a
bare commit hash format (7ab31c22f7ad) which is invalid Go module syntax and
lacks checksum verification. Replace the bare commit hash with a proper
pseudoversion format matching the submodule versions on lines 139-140
(v0.0.0-20260401024825-9d38bb4040a9), or revert to the previous stable version
v0.0.0-20260209200024-4cfbd4190f57 to restore supply chain integrity and ensure
go.sum validation is applied across all dependencies.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Central YAML (base), Organization UI (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 7485b438-a262-4ffe-aaf9-61d5b614b3e7

📥 Commits

Reviewing files that changed from the base of the PR and between 6cb186e and af8acb7.

📒 Files selected for processing (1)
  • go.mod
🔗 Linked repositories identified

CodeRabbit considers these linked repositories for cross-repo context during reviews:

  • openshift-hyperfleet/architecture (manual)
  • openshift-hyperfleet/hyperfleet-api (manual)
  • openshift-hyperfleet/hyperfleet-sentinel (manual)
  • openshift-hyperfleet/hyperfleet-adapter (manual)
  • openshift-hyperfleet/hyperfleet-broker (manual)

Comment thread go.mod Outdated
Comment on lines 138 to 140
google.golang.org/genproto 7ab31c22f7ad // indirect
google.golang.org/genproto/googleapis/api v0.0.0-20260401024825-9d38bb4040a9 // indirect
google.golang.org/genproto/googleapis/rpc v0.0.0-20260401024825-9d38bb4040a9 // indirect

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Verify the go.mod version string format and go.sum consistency

# Check if line 138 is truncated or genuinely malformed
echo "=== Line 138 from go.mod ==="
sed -n '138p' go.mod

# Check go.sum for entries matching the new version
echo "=== go.sum entries for 7ab31c22f7ad ==="
grep -i '7ab31c22f7ad' go.sum || echo "NOT FOUND in go.sum"

# Check go.sum for genproto entries (all)
echo "=== All genproto entries in go.sum ==="
grep 'google.golang.org/genproto' go.sum | head -20

# Attempt to validate module syntax (requires go command)
echo "=== Module integrity check ==="
if command -v go &> /dev/null; then
  go mod verify 2>&1 || echo "Module verification failed"
else
  echo "Go toolchain unavailable; cannot run go mod verify"
fi

Repository: openshift-hyperfleet/hyperfleet-sentinel

Length of output: 1409


🏁 Script executed:

#!/bin/bash
# Check the full go.mod context around lines 138-140
echo "=== Context: lines 135-145 from go.mod ==="
sed -n '135,145p' go.mod

# Check if 7ab31c22f7ad appears elsewhere in go.mod or go.sum
echo "=== All occurrences of 7ab31c22f7ad ==="
grep -r '7ab31c22f7ad' . 2>/dev/null || echo "NOT FOUND anywhere"

# Verify git history: has this hash been used before in dependencies?
echo "=== Check git log for 7ab31c22f7ad ==="
git log --oneline --all | grep -i '7ab31c22f7ad' | head -5 || echo "No matching commits in log"

# Decode pseudoversion: what date does 20260401024825 represent?
echo "=== Timestamp analysis ==="
python3 <<'PY'
import datetime
timestamp_str = "20260401024825"
try:
    dt = datetime.datetime.strptime(timestamp_str, "%Y%m%d%H%M%S")
    print(f"Timestamp {timestamp_str} → {dt.isoformat()}")
except ValueError as e:
    print(f"Invalid timestamp: {e}")
PY

# Check if the parent genproto module MUST match submodule versions
echo "=== Checking go.mod for genproto module dependency tree ==="
grep -A2 -B2 'google.golang.org/genproto' go.mod | head -20

Repository: openshift-hyperfleet/hyperfleet-sentinel

Length of output: 1286


CWE-829: Line 138 uses bare commit hash without checksum verification — supply chain integrity violation.

google.golang.org/genproto 7ab31c22f7ad // indirect is invalid Go module syntax. Valid pseudoversions require v0.0.0-<timestamp>-<hash> format. The bare commit hash 7ab31c22f7ad:

  • Has NO entry in go.sum (checksum validation bypassed for parent module)
  • Mismatches submodule versions pinned at v0.0.0-20260401024825-9d38bb4040a9 (lines 139–140)
  • Cannot be resolved as a valid go.mod reference

This breaks the integrity chain: submodules are cryptographically verified via go.sum; the parent module is unverified. The orphaned reference violates Go module versioning guarantees and creates a supply chain attack surface. Correct line 138 to use the proper pseudoversion matching lines 139–140, or revert to the previous stable version v0.0.0-20260209200024-4cfbd4190f57.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@go.mod` around lines 138 - 140, The google.golang.org/genproto module on line
138 uses a bare commit hash format (7ab31c22f7ad) which is invalid Go module
syntax and lacks checksum verification. Replace the bare commit hash with a
proper pseudoversion format matching the submodule versions on lines 139-140
(v0.0.0-20260401024825-9d38bb4040a9), or revert to the previous stable version
v0.0.0-20260209200024-4cfbd4190f57 to restore supply chain integrity and ensure
go.sum validation is applied across all dependencies.

Source: Coding guidelines
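
A pre-merge lint for the two conditions raised in this review and in the go.sum checks of the earlier review summary: a require line whose version is not a canonical version or pseudo-version, and a required module@version with no go.sum line. This is an added example, not CodeRabbit's or the project's code; `Check` and `Finding` are hypothetical names, the sample go.mod holds the three quoted lines, and the go.sum content with its hash is constructed, with the rpc entry left out on purpose.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Finding is one require line that fails a check.
type Finding struct{ Module, Version, Problem string }

// Canonical version as the go command writes it in go.mod; pseudo-versions also match.
var semverRe = regexp.MustCompile(`^v\d+\.\d+\.\d+(-[0-9A-Za-z.-]+)?(\+incompatible)?$`)

// Check validates every require entry in gomod and looks it up in gosum.
func Check(gomod, gosum string) []Finding {
	seen := map[string]bool{} // "module version" pairs that have any go.sum line
	for _, line := range strings.Split(gosum, "\n") {
		if f := strings.Fields(line); len(f) == 3 {
			seen[f[0]+" "+strings.TrimSuffix(f[1], "/go.mod")] = true
		}
	}
	var out []Finding
	inBlock := false
	for _, line := range strings.Split(gomod, "\n") {
		line, _, _ = strings.Cut(line, "//") // drop "// indirect" and other comments
		f := strings.Fields(line)
		switch {
		case len(f) == 2 && f[0] == "require" && f[1] == "(":
			inBlock = true
			continue
		case len(f) == 1 && f[0] == ")":
			inBlock = false
			continue
		case len(f) == 3 && f[0] == "require": // single-line form
			f = f[1:]
		case !inBlock || len(f) != 2: // anything that is not a require entry
			continue
		}
		if !semverRe.MatchString(f[1]) {
			out = append(out, Finding{f[0], f[1], "not a canonical version or pseudo-version"})
		} else if !seen[f[0]+" "+f[1]] {
			out = append(out, Finding{f[0], f[1], "no go.sum entry"})
		}
	}
	return out
}

// Constructed sample input: go.mod lines as quoted in the review, placeholder go.sum hash.
const sampleMod = `require (
	google.golang.org/genproto 7ab31c22f7ad // indirect
	google.golang.org/genproto/googleapis/api v0.0.0-20260401024825-9d38bb4040a9 // indirect
	google.golang.org/genproto/googleapis/rpc v0.0.0-20260401024825-9d38bb4040a9 // indirect
)`

const sampleSum = "google.golang.org/genproto/googleapis/api v0.0.0-20260401024825-9d38bb4040a9/go.mod h1:CONSTRUCTED=\n"

func main() {
	for _, f := range Check(sampleMod, sampleSum) {
		fmt.Printf("%s %s: %s\n", f.Module, f.Version, f.Problem)
	}
}
```

The lint only confirms that a go.sum line exists for each entry; whether the recorded hash is correct is still decided by the go command against the checksum database.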

Signed-off-by: red-hat-konflux-kflux-prd-rh02 <190377777+red-hat-konflux-kflux-prd-rh02[bot]@users.noreply.github.com>
red-hat-konflux-kflux-prd-rh02 Bot force-pushed the konflux/mintmaker/main/google.golang.org-genproto-digest branch from af8acb7 to 7f33fef June 22, 2026 00:15
red-hat-konflux-kflux-prd-rh02 Bot changed the title from "Update google.golang.org/genproto digest to 7ab31c2" to "Update google.golang.org/genproto digest to 87f3d3e" Jun 22, 2026