Update google.golang.org/genproto/googleapis/api digest to 7ab31c2

[red-hat-konflux-kflux-prd-rh02]

This PR contains the following updates:

Package	Type	Update	Change
google.golang.org/genproto/googleapis/api	indirect	digest	3dc84a4 → 7ab31c2

---

Configuration

📅 Schedule: Branch creation - "on monday" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

To execute skipped test pipelines write comment /ok-to-test.

---

Documentation

Find out how to configure dependency updates in MintMaker documentation or see all available configuration options in Renovate documentation.

[red-hat-konflux-kflux-prd-rh02]

ℹ️ Artifact update notice

File name: go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

• 1 additional dependency was updated

Details:

Package	Change
google.golang.org/genproto/googleapis/rpc	v0.0.0-20260523011958-0a33c5d7ca68 -> v0.0.0-20260526163538-3dc84a4a5aaa

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign aredenba-rh for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[openshift-ci]

Hi @red-hat-konflux-kflux-prd-rh02[bot]. Thanks for your PR.

I'm waiting for a openshift-hyperfleet member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work.

Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[coderabbitai]

📝 Walkthrough

Summary by CodeRabbit

• Chores
  • Updated Google Protocol Buffer module dependencies to newer versions.

Walkthrough

go.mod updates two indirect dependency pseudo-versions under google.golang.org/genproto: googleapis/api is bumped to a newer pseudo-version, and googleapis/rpc receives the pseudo-version that api previously held. No Go source files are modified.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

---

Supply chain surface — flag for verification:

• CWE-1357 (Reliance on Insufficiently Trustworthy Component): Pseudo-version bumps in go.mod without a corresponding go.sum diff shown are not self-evidently safe. Confirm go.sum entries for both new pseudo-versions are present and unmodified.
• The "swap" pattern (api gets rpc's old version, rpc gets api's old version) is atypical and warrants a deliberate go mod tidy audit rather than a manual edit — manual edits to go.mod are a known supply chain tampering vector.
• Verify both pseudo-versions resolve to commits in the canonical google.golang.org/genproto upstream; pseudo-versions referencing attacker-controlled forks are indistinguishable in go.mod alone.
• No CVE is directly associated with these specific versions, but confirm neither pseudo-version predates a known fix in the genproto module history.

🚥 Pre-merge checks | ✅ 11

✅ Passed checks (11 passed)

Check name	Status	Explanation
Title check	✅ Passed	Title specifically identifies the package and digest being updated, directly matching the go.mod change documented in the PR.
Description check	✅ Passed	Description includes update table showing google.golang.org/genproto/googleapis/api digest change from 3dc84a4 to 7ab31c2, matching the raw_summary.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Sec-02: Secrets In Log Output	✅ Passed	No log statements (slog, log, logr, zap, fmt.Print*) in non-test Go files contain tokens, passwords, credentials, or secrets as fields or interpolated strings.
No Hardcoded Secrets	✅ Passed	No hardcoded secrets detected. go.mod changes only update dependency pseudo-versions (hashes). All base64 strings are go.sum checksums, test fixtures use placeholders (CHANGE_ME, abc123), and Tekto...
No Weak Cryptography	✅ Passed	PR only updates google.golang.org/genproto transitive dependencies; no weak cryptography, custom crypto implementations, or insecure comparisons present in codebase. Legitimate crypto/tls, crypto/x...
No Injection Vectors	✅ Passed	No injection vectors found. exec.Command usage limited to test code with #nosec annotations. yaml.Unmarshal unmarshals trusted sources only (rendered templates, config files, test data). No SQL/tem...
No Privileged Containers	✅ Passed	PR modifies only go.mod dependencies; contains no Kubernetes manifests, Helm templates, or Dockerfiles. Existing security configs show containers run as UID 65532, allowPrivilegeEscalation: false,...
No Pii Or Sensitive Data In Logs	✅ Passed	PR only updates go.mod dependencies (google.golang.org/genproto versions); no logging statements added. Existing structured logging uses WithFields pattern safely without exposing PII, credentials,...

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch konflux/mintmaker/main/google.golang.org-genproto-googleapis-api-digest

✨ Simplify code

• Create PR with simplified code
• Commit simplified code in branch konflux/mintmaker/main/google.golang.org-genproto-googleapis-api-digest

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@go.mod`:
- Around line 177-178: The `google.golang.org/genproto/googleapis/api` and
`google.golang.org/genproto/googleapis/rpc` versions in go.mod diverge from
versions used in other microservices (hyperfleet-api and hyperfleet-sentinel),
which causes transitive-dependency version drift that breaks gRPC wire-format
compatibility and OpenTelemetry trace propagation across the platform. Update
both `google.golang.org/genproto/googleapis/api` and
`google.golang.org/genproto/googleapis/rpc` to the pseudo-version
`20260401024825-9d38bb4040a9` to align with hyperfleet-api and
hyperfleet-sentinel.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Central YAML (base), Organization UI (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: c34fc35a-a54d-4152-8142-c1e7aaa498ec

📥 Commits

Reviewing files that changed from the base of the PR and between 7f49e34 and 4fca53b.

⛔ Files ignored due to path filters (1)

• go.sum is excluded by !**/*.sum, !**/go.sum

📒 Files selected for processing (1)

• go.mod

🔗 Linked repositories identified

CodeRabbit considers these linked repositories for cross-repo context during reviews:

• openshift-hyperfleet/architecture (manual)
• openshift-hyperfleet/hyperfleet-api (manual)
• openshift-hyperfleet/hyperfleet-sentinel (manual)
• openshift-hyperfleet/hyperfleet-adapter (manual)
• openshift-hyperfleet/hyperfleet-broker (manual)

[coderabbitai]

⚠️ Potential issue | 🔴 Critical | ⚡ Quick win

Cross-repository version mismatch: google.golang.org/genproto divergence breaks HyperFleet consistency.

Lines 177–178 update googleapis/api to pseudo-version 20260610 and googleapis/rpc to 20260526. Linked repository findings show:

• hyperfleet-api & hyperfleet-sentinel: 20260401 (‑9 weeks vs. this change)
• hyperfleet-broker: 20260209 (‑16 weeks)
• This PR (hyperfleet-adapter): 20260610 (‑9 weeks ahead of api/sentinel)

These are indirect transitive dependencies pulled by OpenTelemetry gRPC exporters and Google Cloud client libraries—both used in cross-service communication. Version drift among microservices on the same transitive dependency creates:

1. gRPC wire-format incompatibility (proto messages may have divergent encoding/decoding)
2. OpenTelemetry exporter inconsistency (trace context propagation failures, incompatible proto definitions)
3. Google Cloud Pub/Sub client drift (used by broker & sentinel; adapter advancing ahead breaks compatibility guarantees)

Action: Align hyperfleet-adapter to the same pseudo-versions as hyperfleet-api and hyperfleet-sentinel (20260401024825-9d38bb4040a9 for both googleapis/api and googleapis/rpc) to maintain transitive-dependency consistency across the platform.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@go.mod` around lines 177 - 178, The
`google.golang.org/genproto/googleapis/api` and
`google.golang.org/genproto/googleapis/rpc` versions in go.mod diverge from
versions used in other microservices (hyperfleet-api and hyperfleet-sentinel),
which causes transitive-dependency version drift that breaks gRPC wire-format
compatibility and OpenTelemetry trace propagation across the platform. Update
both `google.golang.org/genproto/googleapis/api` and
`google.golang.org/genproto/googleapis/rpc` to the pseudo-version
`20260401024825-9d38bb4040a9` to align with hyperfleet-api and
hyperfleet-sentinel.

Source: Linked repositories