Skip to content

chore: Update OpenTelemetry dependencies to v1.44.0#230

Merged
rsampaio merged 1 commit into
mainfrom
fix/update-opentelemetry-packages
Jul 9, 2026
Merged

chore: Update OpenTelemetry dependencies to v1.44.0#230
rsampaio merged 1 commit into
mainfrom
fix/update-opentelemetry-packages

Conversation

@rsampaio

@rsampaio rsampaio commented Jul 9, 2026

Copy link
Copy Markdown
Collaborator

Bump indirect OpenTelemetry API/SDK modules in the agent and vendored SDK module to address reported CVEs, including the SDK module's required Go directive update for OTel v1.44.0.

Description

Checklist

  • I am familiar with the Contributing Guidelines.
  • New or existing tests cover these changes.
  • The documentation is up to date with these changes.

Summary by CodeRabbit

  • Chores
    • Bumped the Go toolchain to 1.26.5 across builds, CI, and documentation.
    • Refreshed dependencies, including QUIC-Go and OpenTelemetry modules.
    • Updated golangci-lint installation to use the official installer and pinned v2.12.2 for consistent linting.
  • Security
    • Updated vulnerability scanning to run govulncheck across all Go packages (./...) instead of scanning the built binary only.

@rsampaio rsampaio changed the title cccccdbrdudillibftdillnrjbjvhcgkhdidjcvkknkfUpdate OpenTelemetry dependencies to v1.44.0 Update OpenTelemetry dependencies to v1.44.0 Jul 9, 2026
@coderabbitai

coderabbitai Bot commented Jul 9, 2026

Copy link
Copy Markdown

Review Change Stack

📝 Walkthrough

Walkthrough

Updates Go version references across build, CI, lint, and docs files, switches the CI lint installer to a pinned script, changes the vuln check target to scan packages, and bumps module dependencies in the main and SDK go.mod files.

Changes

Go version, CI, and dependency updates

Layer / File(s) Summary
Go version propagation
Dockerfile, .github/workflows/ci.yml, .github/workflows/release.yml, .golangci.yml, CONTRIBUTING.md, docs/development.md, go.mod
Updates the Go version to 1.26.5 across build, CI, lint, contributor, development, and module configuration files.
Pinned CI lint installer
Dockerfile.citests
Switches the CI lint installation to golangci-lint.run/install.sh and pins golangci-lint to v2.12.2, while also bumping the CI test image Go base image to 1.26.5.
Package-scope vuln scan
Makefile
Changes the vuln target to run govulncheck ./... and removes the fleetint build dependency from that target.
Module dependency bumps
go.mod, third_party/fleet-intelligence-sdk/go.mod
Bumps github.com/quic-go/quic-go, adds indirect OpenTelemetry modules, updates golang.org/x/sys, and raises the SDK module Go directive to 1.25.0.

Estimated code review effort: 2 (Simple) | ~10 minutes

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title matches a real part of the changeset: updating OpenTelemetry dependencies to v1.44.0.
✨ Finishing Touches
📝 Generate docstrings
  • Create stacked PR
  • Commit on current branch
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch fix/update-opentelemetry-packages

Comment @coderabbitai help to get the list of available commands.

@rsampaio
rsampaio requested a review from jingxiang-z July 9, 2026 16:18
@jingxiang-z

Copy link
Copy Markdown
Collaborator

There are some vulnerabilities in the CI govul check, could you update them also.

@jingxiang-z
jingxiang-z self-requested a review July 9, 2026 16:26
Bump indirect OpenTelemetry API/SDK modules in the agent and vendored SDK module to address reported CVEs, including the SDK module's required Go directive update for OTel v1.44.0.

Update golang image to include latest update of the os package

The vuln target scanned bin/fleetint with -mode=binary. The binary is
built with -ldflags '-s', which strips the symbol table, so govulncheck
cannot tell which packages are linked and falls back to module-level
matching. GO-2026-5932 marks the x/crypto openpgp packages as
unmaintained in every version with no fixed release, so the check
failed even though nothing in the agent imports openpgp.

Switch to source mode (govulncheck ./...), which does precise import
and call-graph analysis. It reports GO-2026-5932 as informational only
and still fails the build if code actually reaches a vulnerable symbol.
The fleetint prerequisite is dropped since the binary is no longer
needed for the scan.

Signed-off-by: Rodrigo Sampaio Vaz <rvaz@nvidia.com>
@rsampaio
rsampaio force-pushed the fix/update-opentelemetry-packages branch from 88d3603 to fa18130 Compare July 9, 2026 21:25

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🧹 Nitpick comments (1)
Makefile (1)

155-159: 🔒 Security & Privacy | 🔵 Trivial | ⚡ Quick win

Pin the govulncheck version.

Using @latest makes vulnerability results and tool behavior non-reproducible, while an already-installed version bypasses installation entirely. Define a repository-owned version and install/check that exact version so CI and local runs use the same scanner.

+GOVULNCHECK_VERSION := vX.Y.Z
+
 vuln: ## run vulnerability check
 	`@echo` "Running vulnerability check..."
 	`@if` ! command -v govulncheck >/dev/null 2>&1; then \
 		echo "Installing govulncheck..."; \
-		$(GO) install golang.org/x/vuln/cmd/govulncheck@latest; \
+		$(GO) install golang.org/x/vuln/cmd/govulncheck@$(GOVULNCHECK_VERSION); \
 	fi
 	`@govulncheck` ./...

Also consider validating the installed version rather than only checking whether the binary exists.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@Makefile` around lines 155 - 159, The govulncheck install in the Makefile is
non-reproducible because it uses `@latest` and only checks for the binary’s
presence. Introduce a repository-owned govulncheck version constant in the
Makefile, install that exact version in the existing govulncheck target, and
update the check to verify the installed version matches the pinned one before
skipping installation. Keep the existing govulncheck invocation, but ensure CI
and local runs use the same scanner version.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Nitpick comments:
In `@Makefile`:
- Around line 155-159: The govulncheck install in the Makefile is
non-reproducible because it uses `@latest` and only checks for the binary’s
presence. Introduce a repository-owned govulncheck version constant in the
Makefile, install that exact version in the existing govulncheck target, and
update the check to verify the installed version matches the pinned one before
skipping installation. Keep the existing govulncheck invocation, but ensure CI
and local runs use the same scanner version.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 59673478-d20c-4083-a6c3-d8ed4c1cda77

📥 Commits

Reviewing files that changed from the base of the PR and between 88d3603 and fa18130.

⛔ Files ignored due to path filters (2)
  • go.sum is excluded by !**/*.sum
  • third_party/fleet-intelligence-sdk/go.sum is excluded by !**/*.sum
📒 Files selected for processing (10)
  • .github/workflows/ci.yml
  • .github/workflows/release.yml
  • .golangci.yml
  • CONTRIBUTING.md
  • Dockerfile
  • Dockerfile.citests
  • Makefile
  • docs/development.md
  • go.mod
  • third_party/fleet-intelligence-sdk/go.mod
✅ Files skipped from review due to trivial changes (6)
  • docs/development.md
  • Dockerfile
  • CONTRIBUTING.md
  • .github/workflows/ci.yml
  • .golangci.yml
  • .github/workflows/release.yml
🚧 Files skipped from review as they are similar to previous changes (3)
  • Dockerfile.citests
  • third_party/fleet-intelligence-sdk/go.mod
  • go.mod

@rsampaio rsampaio changed the title Update OpenTelemetry dependencies to v1.44.0 chore: Update OpenTelemetry dependencies to v1.44.0 Jul 9, 2026
@rsampaio
rsampaio merged commit b7e7093 into main Jul 9, 2026
9 checks passed
@rsampaio
rsampaio deleted the fix/update-opentelemetry-packages branch July 9, 2026 22:23
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants