Update google.golang.org/genproto/googleapis/api digest to 7ab31c2

[red-hat-konflux-kflux-prd-rh02]

This PR contains the following updates:

Package	Type	Update	Change
google.golang.org/genproto/googleapis/api	indirect	digest	9d38bb4 → 7ab31c2

---

Configuration

📅 Schedule: Branch creation - "on monday" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

To execute skipped test pipelines write comment /ok-to-test.

---

Documentation

Find out how to configure dependency updates in MintMaker documentation or see all available configuration options in Renovate documentation.

[red-hat-konflux-kflux-prd-rh02]

⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

• any of the package files in this branch needs updating, or
• the branch becomes conflicted, or
• you click the rebase/retry checkbox if found above, or
• you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: go.sum

Command failed: go get -t ./...
go: downloading github.com/cenkalti/backoff/v5 v5.0.3
go: downloading go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.65.0
go: downloading go.opentelemetry.io/otel v1.43.0
go: downloading go.opentelemetry.io/otel/sdk v1.43.0
go: downloading github.com/spf13/pflag v1.0.10
go: downloading github.com/spf13/viper v1.21.0
go: downloading github.com/google/cel-go v0.27.0
go: downloading github.com/openshift-hyperfleet/hyperfleet-broker v1.1.1
go: downloading github.com/prometheus/client_golang v1.23.2
go: downloading github.com/spf13/cobra v1.8.0
go: downloading gopkg.in/yaml.v3 v3.0.1
go: downloading github.com/cloudevents/sdk-go/v2 v2.16.2
go: downloading github.com/google/uuid v1.6.0
go: downloading go.opentelemetry.io/contrib/propagators/autoprop v0.68.0
go: downloading go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.43.0
go: downloading go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.43.0
go: downloading go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.43.0
go: downloading go.opentelemetry.io/otel/exporters/stdout/stdouttrace v1.43.0
go: downloading go.opentelemetry.io/otel/trace v1.43.0
go: downloading github.com/felixge/httpsnoop v1.0.4
go: downloading go.opentelemetry.io/otel/metric v1.43.0
go: downloading github.com/go-logr/logr v1.4.3
go: downloading github.com/fsnotify/fsnotify v1.9.0
go: downloading github.com/go-viper/mapstructure/v2 v2.5.0
go: downloading github.com/sagikazarmark/locafero v0.12.0
go: downloading github.com/spf13/afero v1.15.0
go: downloading github.com/spf13/cast v1.10.0
go: downloading cel.dev/expr v0.25.1
go: downloading google.golang.org/genproto/googleapis/api v0.0.0-20260610212136-7ab31c22f7ad
go: downloading google.golang.org/protobuf v1.36.11
go: downloading google.golang.org/genproto v0.0.0-20260209200024-4cfbd4190f57
go: downloading golang.org/x/text v0.35.0
go: downloading cloud.google.com/go/pubsub/v2 v2.4.0
go: downloading cloud.google.com/go v0.123.0
go: downloading github.com/ThreeDotsLabs/watermill v1.5.1
go: downloading github.com/ThreeDotsLabs/watermill-amqp/v3 v3.0.2
go: downloading github.com/ThreeDotsLabs/watermill-googlecloud/v2 v2.0.0
go: downloading google.golang.org/grpc v1.80.0
go: downloading github.com/beorn7/perks v1.0.1
go: downloading github.com/cespare/xxhash/v2 v2.3.0
go: downloading github.com/prometheus/client_model v0.6.2
go: downloading github.com/prometheus/common v0.66.1
go: downloading github.com/prometheus/procfs v0.17.0
go: downloading golang.org/x/sys v0.42.0
go: downloading github.com/inconshreveable/mousetrap v1.1.0
go: downloading github.com/kylelemons/godebug v1.1.0
go: downloading go.opentelemetry.io/contrib/propagators/aws v1.43.0
go: downloading go.opentelemetry.io/contrib/propagators/b3 v1.43.0
go: downloading go.opentelemetry.io/contrib/propagators/jaeger v1.43.0
go: downloading go.opentelemetry.io/contrib/propagators/ot v1.43.0
go: downloading go.opentelemetry.io/proto/otlp v1.10.0
go: downloading google.golang.org/genproto/googleapis/rpc v0.0.0-20260526163538-3dc84a4a5aaa
go: downloading go.opentelemetry.io/auto/sdk v1.2.1
go: downloading github.com/go-logr/stdr v1.2.2
go: downloading github.com/subosito/gotenv v1.6.0
go: downloading github.com/pelletier/go-toml/v2 v2.2.4
go: downloading go.yaml.in/yaml/v3 v3.0.4
go: downloading github.com/antlr4-go/antlr/v4 v4.13.1
go: downloading github.com/googleapis/gax-go/v2 v2.17.0
go: downloading go.opencensus.io v0.24.0
go: downloading golang.org/x/sync v0.20.0
go: downloading google.golang.org/api v0.266.0
go: downloading github.com/cenkalti/backoff/v3 v3.2.2
go: downloading github.com/hashicorp/go-multierror v1.1.1
go: downloading github.com/pkg/errors v0.9.1
go: downloading github.com/rabbitmq/amqp091-go v1.10.0
go: downloading github.com/lithammer/shortuuid/v3 v3.0.7
go: downloading github.com/oklog/ulid v1.3.1
go: downloading github.com/sony/gobreaker v1.0.0
go: downloading github.com/json-iterator/go v1.1.12
go: downloading github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822
go: downloading go.yaml.in/yaml/v2 v2.4.2
go: downloading go.uber.org/zap v1.27.1
go: downloading github.com/grpc-ecosystem/grpc-gateway/v2 v2.28.0
go: downloading go.uber.org/multierr v1.11.0
go: downloading golang.org/x/net v0.52.0
go: downloading golang.org/x/oauth2 v0.35.0
go: downloading cloud.google.com/go/iam v1.5.3
go: downloading golang.org/x/exp v0.0.0-20240823005443-9b4947da3948
go: downloading cloud.google.com/go/auth v0.18.1
go: downloading github.com/hashicorp/errwrap v1.1.0
go: downloading github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd
go: downloading github.com/modern-go/reflect2 v1.0.2
go: downloading cloud.google.com/go/compute/metadata v0.9.0
go: downloading cloud.google.com/go/auth/oauth2adapt v0.2.8
go: downloading go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.65.0
go: downloading golang.org/x/time v0.14.0
go: downloading github.com/google/s2a-go v0.1.9
go: downloading github.com/googleapis/enterprise-certificate-proxy v0.3.12
go: downloading golang.org/x/crypto v0.49.0
go: github.com/openshift-hyperfleet/hyperfleet-sentinel/internal/client imports
	github.com/openshift-hyperfleet/hyperfleet-sentinel/pkg/api/openapi: cannot find module providing package github.com/openshift-hyperfleet/hyperfleet-sentinel/pkg/api/openapi

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign vkareh for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[openshift-ci]

Hi @red-hat-konflux-kflux-prd-rh02[bot]. Thanks for your PR.

I'm waiting for a openshift-hyperfleet member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work.

Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[coderabbitai]

📝 Walkthrough

Summary by CodeRabbit

• Chores
  • Updated internal dependencies to maintain compatibility and stability.

Walkthrough

go.mod updates a single indirect dependency: google.golang.org/genproto/googleapis/api moves from pseudo-version v0.0.0-20260401024825-9d38bb4040a9 to commit hash 7ab31c22f7ad. No other module entries, Go version declarations, or replace/exclude directives are touched.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

---

Supply chain flag (CWE-1357 / CWE-829): 7ab31c22f7ad is a raw commit hash, not a tagged release. Verify this hash is present in the canonical googleapis/go-genproto upstream repository and matches an expected, reviewed commit. Untagged hashes in go.mod expand the attack surface for dependency confusion and commit substitution. Confirm go.sum has been updated with the corresponding hash digest and that no replace directive silently redirects this module to a fork.

🚥 Pre-merge checks | ✅ 11

✅ Passed checks (11 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title directly matches the changeset: updating google.golang.org/genproto/googleapis/api to digest 7ab31c2.
Description check	✅ Passed	The description is related to the changeset, documenting the dependency digest update from 9d38bb4 to 7ab31c2.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Sec-02: Secrets In Log Output	✅ Passed	Comprehensive scan of 125 log statements across non-test Go files found no tokens, passwords, credentials, or secrets being logged via slog, log, logr, zap, or fmt.Print* functions.
No Hardcoded Secrets	✅ Passed	No hardcoded secrets (API keys, tokens, passwords, private keys, credentials, embedded URLs, or suspicious base64 strings) detected in PR changes to go.mod; only a dependency version hash update.
No Weak Cryptography	✅ Passed	PR contains only go.mod dependency version update; no weak cryptographic primitives (md5, des, rc4, SHA1 for security, ECB, non-constant-time comparisons) introduced or used in codebase.
No Injection Vectors	✅ Passed	PR contains only go.mod dependency version update (google.golang.org/genproto/googleapis/api). No SQL concatenation (CWE-89), exec.Command (CWE-78), template.HTML (CWE-79), or yaml.Unmarshal (CWE-5...
No Privileged Containers	✅ Passed	PR modifies only go.mod; no Kubernetes manifests, Helm templates, or Dockerfiles changed. Custom check targets container privilege configurations in those file types only.
No Pii Or Sensitive Data In Logs	✅ Passed	PR modifies only go.mod (dependency config). No logging code, statements, or PII/sensitive data exposure in logs—check not applicable.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch konflux/mintmaker/main/google.golang.org-genproto-googleapis-api-digest

✨ Simplify code

• Create PR with simplified code
• Commit simplified code in branch konflux/mintmaker/main/google.golang.org-genproto-googleapis-api-digest

Warning

There were issues while running some tools. Please review the errors and either fix the tool's configuration or disable the tool if it's a critical failure.

🔧 golangci-lint (2.12.2)

level=error msg="Running error: context loading failed: failed to load packages: failed to load packages: failed to load with go/packages: err: exit status 1: stderr: go: updates to go.mod needed, disabled by -mod=readonly; to update it:\n\tgo mod tidy\n"

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@go.mod`:
- Line 139: The google.golang.org/genproto/googleapis/api dependency on line 139
of go.mod has a malformed version string (7ab31c22f7ad) that lacks the required
v prefix and pseudo-version format (should be v0.0.0-20260401024825-9d38bb4040a9
per go.sum). Fix this by replacing the truncated hash with the complete
pseudo-version string. Additionally, synchronize the genproto version across all
affected modules in the workspace (hyperfleet-api, hyperfleet-adapter, and
hyperfleet-broker) to use a consistent version to prevent protobuf message type
incompatibilities during gRPC interface marshaling, particularly for the Pub/Sub
message types constructed in hyperfleet-broker.
- Line 139: The google.golang.org/genproto/googleapis/api module declaration
uses a bare commit hash instead of the Go module version format. Replace the
bare commit hash with the properly formatted version string that matches the
entry in go.sum, which should follow the v0.0.0-<yyyymmddhhmmss>-<hash> format
to ensure consistency between go.mod and go.sum and allow go mod tidy to work
correctly.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Central YAML (base), Organization UI (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 497f1dc5-fadd-4c19-8dfc-2f8682a29c04

📥 Commits

Reviewing files that changed from the base of the PR and between 6cb186e and 46af341.

📒 Files selected for processing (1)

• go.mod

🔗 Linked repositories identified

CodeRabbit considers these linked repositories for cross-repo context during reviews:

• openshift-hyperfleet/architecture (manual)
• openshift-hyperfleet/hyperfleet-api (manual)
• openshift-hyperfleet/hyperfleet-sentinel (manual)
• openshift-hyperfleet/hyperfleet-adapter (manual)
• openshift-hyperfleet/hyperfleet-broker (manual)

[coderabbitai]

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Verify genproto version alignment across hyperfleet repositories
# Check go.sum files to confirm actual resolved versions

# List all genproto-related entries across workspace
fd -e 'go.sum' --exec grep 'google.golang.org/genproto' {} + | sort -u

# Extract unique versions
fd -e 'go.sum' --exec grep 'google.golang.org/genproto/googleapis/api' {} + | awk '{print $NF}' | sort -u

Repository: openshift-hyperfleet/hyperfleet-sentinel

Length of output: 66

---

🏁 Script executed:

#!/bin/bash
# Check go.mod and go.sum directly for genproto entries
echo "=== hyperfleet-sentinel go.mod ==="
if [ -f go.mod ]; then
  cat -n go.mod | grep -A2 -B2 'genproto' || echo "No genproto found in go.mod"
else
  echo "go.mod not found"
fi

echo -e "\n=== hyperfleet-sentinel go.sum ==="
if [ -f go.sum ]; then
  grep 'google.golang.org/genproto' go.sum | head -20 || echo "No genproto found in go.sum"
else
  echo "go.sum not found"
fi

echo -e "\n=== Full go.mod content (first 150 lines) ==="
if [ -f go.mod ]; then
  head -150 go.mod | cat -n
fi

Repository: openshift-hyperfleet/hyperfleet-sentinel

Length of output: 9655

---

🏁 Script executed:

#!/bin/bash
# Check hyperfleet-api go.mod and go.sum for genproto
echo "=== hyperfleet-api go.mod ==="
if [ -f go.mod ]; then
  grep -n 'genproto' go.mod || echo "No genproto found"
fi

echo -e "\n=== hyperfleet-api go.sum ==="
if [ -f go.sum ]; then
  grep 'google.golang.org/genproto/googleapis/api' go.sum
fi

Repository: openshift-hyperfleet/hyperfleet-api

Length of output: 585

---

🏁 Script executed:

#!/bin/bash
# Check hyperfleet-adapter go.mod and go.sum for genproto
echo "=== hyperfleet-adapter go.mod ==="
if [ -f go.mod ]; then
  grep -n 'genproto' go.mod || echo "No genproto found"
fi

echo -e "\n=== hyperfleet-adapter go.sum ==="
if [ -f go.sum ]; then
  grep 'google.golang.org/genproto/googleapis/api' go.sum
fi

Repository: openshift-hyperfleet/hyperfleet-adapter

Length of output: 676

---

🏁 Script executed:

#!/bin/bash
# Check hyperfleet-broker go.mod and go.sum for genproto
echo "=== hyperfleet-broker go.mod ==="
if [ -f go.mod ]; then
  grep -n 'genproto' go.mod || echo "No genproto found"
fi

echo -e "\n=== hyperfleet-broker go.sum ==="
if [ -f go.sum ]; then
  grep 'google.golang.org/genproto/googleapis/api' go.sum
fi

Repository: openshift-hyperfleet/hyperfleet-broker

Length of output: 673

---

Malformed genproto version string in go.mod — CWE-829 (supply chain integrity).

Line 139 contains a truncated/malformed version: 7ab31c22f7ad lacks the required v prefix and pseudo-version format (go.sum shows the correct version as v0.0.0-20260401024825-9d38bb4040a9). This will fail Go's module validation.

Beyond the syntax error, genproto versions differ across the workspace:

• hyperfleet-sentinel/api: v0.0.0-20260401024825-9d38bb4040a9
• hyperfleet-adapter: v0.0.0-20260526163538-3dc84a4a5aaa
• hyperfleet-broker: v0.0.0-20260209200024-4cfbd4190f57

The pseudo-version dates span February–May 2026. hyperfleet-broker actively constructs Google Cloud Pub/Sub protobuf messages (Topic, Subscription, ExpirationPolicy, RetryPolicy, DeadLetterPolicy). Misaligned genproto versions across the dependency chain (adapter → broker v1.1.0) risk protobuf message type incompatibilities during gRPC interface marshaling.

Fix the malformed version string and synchronize genproto versions across hyperfleet-api, hyperfleet-adapter, and hyperfleet-broker.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@go.mod` at line 139, The google.golang.org/genproto/googleapis/api dependency
on line 139 of go.mod has a malformed version string (7ab31c22f7ad) that lacks
the required v prefix and pseudo-version format (should be
v0.0.0-20260401024825-9d38bb4040a9 per go.sum). Fix this by replacing the
truncated hash with the complete pseudo-version string. Additionally,
synchronize the genproto version across all affected modules in the workspace
(hyperfleet-api, hyperfleet-adapter, and hyperfleet-broker) to use a consistent
version to prevent protobuf message type incompatibilities during gRPC interface
marshaling, particularly for the Pub/Sub message types constructed in
hyperfleet-broker.

Source: Linked repositories

---

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🌐 Web query:

What is the correct Go pseudo-version format for a module versioned by git commit hash?

💡 Result:

The Go pseudo-version format for a module versioned by a git commit hash follows the structure [1][2]: baseVersionPrefix-timestamp-revisionIdentifier This format consists of three parts separated by dashes [1][2]: 1. baseVersionPrefix: A value derived from either the latest semantic version tag preceding the commit (e.g., vX.Y.Z-0 or vX.Y.Z-pre.0) or vX.0.0 if no such tag exists [1][3][2]. 2. timestamp: The UTC time the revision was created, in the format yyyymmddhhmmss (based on the Git commit time, not author time) [1][3][2]. 3. revisionIdentifier: A 12-character prefix of the git commit hash [1][2]. For example, a pseudo-version might appear as v0.0.0-20191109021931-daa7c04131f5 [3][2]. It is considered a best practice to allow Go tools to generate these versions automatically rather than creating them manually [4]. The go command automatically converts revision identifiers into this canonical format when necessary [3].

Citations:

• 1: https://tip.golang.org/doc/modules/version-numbers
• 2: https://go.dev/ref/mod
• 3: https://tip.golang.org/ref/mod
• 4: https://go.dev/doc/modules/version-numbers

---

🏁 Script executed:

#!/bin/bash
# Read the go.mod file around line 139 to verify the claimed syntax error
sed -n '135,145p' go.mod

Repository: openshift-hyperfleet/hyperfleet-sentinel

Length of output: 559

---

🏁 Script executed:

#!/bin/bash
# Check if the go.mod file is syntactically valid by attempting to parse it
# and verify the module line format more broadly
head -20 go.mod && echo "---" && tail -5 go.mod && echo "---" && wc -l go.mod

Repository: openshift-hyperfleet/hyperfleet-sentinel

Length of output: 1134

---

🏁 Script executed:

#!/bin/bash
# Check if go.mod can be parsed and verify the syntax validity
# The file appears valid structurally, but let's check if the version string is acceptable
# by looking at the actual format more carefully and checking go.sum for corresponding entry

echo "=== Line 139 from go.mod ===" && sed -n '139p' go.mod
echo "=== Checking go.sum for this module ===" && grep "google.golang.org/genproto/googleapis/api" go.sum | head -3
echo "=== Module format check ===" && grep -n "google.golang.org/genproto" go.mod

Repository: openshift-hyperfleet/hyperfleet-sentinel

Length of output: 751

---

Malformed version string in go.mod — go.mod/go.sum mismatch violates Go module format (CWE-829).

Line 139 declares google.golang.org/genproto/googleapis/api 7ab31c22f7ad, a bare commit hash without version prefix. Go module syntax requires v0.0.0-<yyyymmddhhmmss>-<hash>.

The go.sum file declares the same module as v0.0.0-20260401024825-9d38bb4040a9 — a different, properly formatted version. This mismatch will cause go mod tidy to fail or auto-correct unpredictably. Fix go.mod line 139 to match go.sum's version:

google.golang.org/genproto/googleapis/api v0.0.0-20260401024825-9d38bb4040a9 // indirect

This is a supply chain integrity issue: mismatched versions between go.mod and go.sum can lead to different dependencies being resolved during builds, creating type incompatibilities with hyperfleet-broker's Pub/Sub protobuf usage (cloud.google.com/go/pubsub transitively depends on genproto API structures).

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@go.mod` at line 139, The google.golang.org/genproto/googleapis/api module
declaration uses a bare commit hash instead of the Go module version format.
Replace the bare commit hash with the properly formatted version string that
matches the entry in go.sum, which should follow the
v0.0.0-<yyyymmddhhmmss>-<hash> format to ensure consistency between go.mod and
go.sum and allow go mod tidy to work correctly.

Source: Coding guidelines