
Update google.golang.org/genproto digest to 7ab31c2 #175

Open
red-hat-konflux-kflux-prd-rh02[bot] wants to merge 1 commit into main from konflux/mintmaker/main/google.golang.org-genproto-digest


Conversation

@red-hat-konflux-kflux-prd-rh02 (Contributor)

This PR contains the following updates:

Package | Type | Update | Change
google.golang.org/genproto | indirect | digest | 4cfbd41 → 7ab31c2

Configuration

📅 Schedule: Branch creation - "on monday" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

To execute skipped test pipelines write comment /ok-to-test.


Documentation

Find out how to configure dependency updates in MintMaker documentation or see all available configuration options in Renovate documentation.

Signed-off-by: red-hat-konflux-kflux-prd-rh02 <190377777+red-hat-konflux-kflux-prd-rh02[bot]@users.noreply.github.com>
@red-hat-konflux-kflux-prd-rh02 (Contributor, Author)

⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

  • any of the package files in this branch needs updating, or
  • the branch becomes conflicted, or
  • you click the rebase/retry checkbox if found above, or
  • you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: go.sum
Command failed: go get -t ./...
go: downloading cloud.google.com/go/pubsub/v2 v2.5.1
go: downloading google.golang.org/grpc v1.81.1
go: downloading golang.org/x/sys v0.44.0
go: downloading google.golang.org/genproto/googleapis/api v0.0.0-20260526163538-3dc84a4a5aaa
go: downloading golang.org/x/text v0.37.0
go: downloading google.golang.org/genproto v0.0.0-20260610212136-7ab31c22f7ad
go: downloading google.golang.org/genproto/googleapis/rpc v0.0.0-20260526163538-3dc84a4a5aaa
go: downloading github.com/googleapis/gax-go/v2 v2.21.0
go: downloading golang.org/x/sync v0.20.0
go: downloading google.golang.org/api v0.274.0
go: downloading golang.org/x/net v0.54.0
go: downloading golang.org/x/oauth2 v0.36.0
go: downloading cloud.google.com/go/iam v1.11.0
go: downloading cloud.google.com/go/auth v0.18.2
go: downloading golang.org/x/exp v0.0.0-20240823005443-9b4947da3948
go: downloading golang.org/x/time v0.15.0
go: downloading github.com/googleapis/enterprise-certificate-proxy v0.3.14
go: downloading golang.org/x/crypto v0.51.0
go: github.com/openshift-hyperfleet/hyperfleet-sentinel/internal/client imports
	github.com/openshift-hyperfleet/hyperfleet-sentinel/pkg/api/openapi: cannot find module providing package github.com/openshift-hyperfleet/hyperfleet-sentinel/pkg/api/openapi

@openshift-ci openshift-ci Bot requested review from Mischulee and pnguyen44 June 15, 2026 16:06
openshift-ci Bot commented Jun 15, 2026

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign tirthct for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

openshift-ci Bot commented Jun 15, 2026

Hi @red-hat-konflux-kflux-prd-rh02[bot]. Thanks for your PR.

I'm waiting for a openshift-hyperfleet member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work.

Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

coderabbitai Bot commented Jun 15, 2026

📝 Walkthrough

Summary by CodeRabbit

  • Chores
    • Updated project dependencies to maintain compatibility with external libraries and ensure system stability.

Walkthrough

go.mod updates the indirect dependency google.golang.org/genproto from its previous pseudo-version to v0.0.0-...-7ab31c22f7ad. No exported declarations, interfaces, or application logic are modified.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes


Supply chain flag — CWE-1357 (Reliance on Insufficiently Trustworthy Component).

google.golang.org/genproto is an indirect dependency resolved to a pseudo-version (commit hash 7ab31c22f7ad), not a tagged release. Pseudo-versions pin a specific upstream commit but bypass semantic versioning guarantees and changelogs.

Verify before merging:

  1. Confirm the commit hash is from the canonical upstream repo. go mod download -json google.golang.org/genproto@<version> and cross-check the hash against https://github.com/googleapis/go-genproto.
  2. Check go.sum integrity. Ensure go.sum was updated atomically with this go.mod change and the new hash is covered by the checksum database (sum.golang.org).
  3. Identify what forced this bump. Indirect dependency changes are typically transitive. Run go mod why google.golang.org/genproto to confirm the dependency path and audit whether the direct dependency that requires it was itself intentionally bumped elsewhere.
  4. No go.sum diff is visible in this PR. If go.sum was not updated, the build is broken. If it was updated but not included in the diff, that is a review gap — the new checksum line must be scrutinized (CVE relevance: any tampered go.sum entry is a direct supply chain vector).
🚥 Pre-merge checks | ✅ 11
✅ Passed checks (11 passed)

Check name | Status | Explanation
Title check | Passed | Title accurately summarizes the main change: updating google.golang.org/genproto dependency digest.
Description check | Passed | Description is directly related to the changeset, providing dependency update details via a table format and configuration context.
Docstring Coverage | Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check | Passed | Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check | Passed | Check skipped because no linked issues were found for this pull request.
Sec-02: Secrets In Log Output | Passed | PR contains only go.mod dependency update; no source code changes; no log statements added; no secrets in log output found.
No Hardcoded Secrets | Passed | No hardcoded secrets, API keys, tokens, passwords, private keys, or suspicious credentials found. The bare commit hash on line 138 is a versioning syntax error (CWE-829), not a secret.
No Weak Cryptography | Passed | PR updates google.golang.org/genproto dependency only. No usage of banned cryptographic primitives (crypto/md5, crypto/des, crypto/rc4, SHA1 for security) or ECB mode detected in codebase.
No Injection Vectors | Passed | No injection vectors detected. fmt.Sprintf uses are for logging/filters with proper escaping, not SQL. No exec.Command, template.HTML, or unsafe yaml.Unmarshal patterns found.
No Privileged Containers | Passed | PR only modifies go.mod (dependency update); no Kubernetes manifests, Helm templates, or Dockerfiles were changed. Check not applicable.
No Pii Or Sensitive Data In Logs | Passed | PR only updates google.golang.org/genproto dependency version in go.mod with no source code changes or logging statements added/modified.

✏️ Tip: You can configure your own custom pre-merge checks in the settings.


Warning

There were issues while running some tools. Please review the errors and either fix the tool's configuration or disable the tool if it's a critical failure.

🔧 golangci-lint (2.12.2)

level=error msg="Running error: context loading failed: failed to load packages: failed to load packages: failed to load with go/packages: err: exit status 1: stderr: go: updates to go.mod needed, disabled by -mod=readonly; to update it:\n\tgo mod tidy\n"


Comment @coderabbitai help to get the list of available commands and usage tips.

coderabbitai Bot left a comment

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@go.mod`:
- Around line 138-140: The google.golang.org/genproto module on line 138 uses a
bare commit hash format (7ab31c22f7ad) which is invalid Go module syntax and
lacks checksum verification. Replace the bare commit hash with a proper
pseudoversion format matching the submodule versions on lines 139-140
(v0.0.0-20260401024825-9d38bb4040a9), or revert to the previous stable version
v0.0.0-20260209200024-4cfbd4190f57 to restore supply chain integrity and ensure
go.sum validation is applied across all dependencies.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Central YAML (base), Organization UI (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 7485b438-a262-4ffe-aaf9-61d5b614b3e7

📥 Commits

Reviewing files that changed from the base of the PR and between 6cb186e and af8acb7.

📒 Files selected for processing (1)
  • go.mod
🔗 Linked repositories identified

CodeRabbit considers these linked repositories for cross-repo context during reviews:

  • openshift-hyperfleet/architecture (manual)
  • openshift-hyperfleet/hyperfleet-api (manual)
  • openshift-hyperfleet/hyperfleet-sentinel (manual)
  • openshift-hyperfleet/hyperfleet-adapter (manual)
  • openshift-hyperfleet/hyperfleet-broker (manual)

Comment thread go.mod
Comment on lines +138 to 140
google.golang.org/genproto 7ab31c22f7ad // indirect
google.golang.org/genproto/googleapis/api v0.0.0-20260401024825-9d38bb4040a9 // indirect
google.golang.org/genproto/googleapis/rpc v0.0.0-20260401024825-9d38bb4040a9 // indirect
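Review bot: the version on the first line, 7ab31c22f7ad, is a bare commit prefix rather than a canonical version like the v0.0.0-20260401024825-9d38bb4040a9 pseudo-versions on the two lines below it. The go command only tolerates such a line by resolving it over the network to a pseudo-version and then rewriting go.mod, and under the default -mod=readonly that rewrite is refused with exactly the message the golangci-lint run above reports ("updates to go.mod needed, disabled by -mod=readonly; to update it: go mod tidy"). The Renovate artifact log shows what it resolves to, google.golang.org/genproto v0.0.0-20260610212136-7ab31c22f7ad, but that go get run aborted on the unresolvable github.com/openshift-hyperfleet/hyperfleet-sentinel/pkg/api/openapi import before it could write the canonical version or the matching go.sum lines, so neither is in this PR and the branch does not build as-is. Suggested change: with that package present in the checkout, run go get google.golang.org/genproto@7ab31c22f7ad followed by go mod tidy on the branch, then review the rewritten require line and the two go.sum entries (content hash and /go.mod hash) it adds for that pseudo-version. Note that this moves the parent module to a June 2026 commit while googleapis/api and googleapis/rpc stay at the April 2026 one, so also check go mod why google.golang.org/genproto and let tidy drop the parent module if nothing in the repo still needs it.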


⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Verify the go.mod version string format and go.sum consistency

# Check if line 138 is truncated or genuinely malformed
echo "=== Line 138 from go.mod ==="
sed -n '138p' go.mod

# Check go.sum for entries matching the new version
echo "=== go.sum entries for 7ab31c22f7ad ==="
grep -i '7ab31c22f7ad' go.sum || echo "NOT FOUND in go.sum"

# Check go.sum for genproto entries (all)
echo "=== All genproto entries in go.sum ==="
grep 'google.golang.org/genproto' go.sum | head -20

# Check the module cache against go.sum (requires the go toolchain).
# go mod verify re-hashes every downloaded module against its go.sum line;
# it does not add missing lines, so pair it with the grep above.
echo "=== Module integrity check ==="
if command -v go &> /dev/null; then
  go mod verify 2>&1 || echo "Module verification failed"
else
  echo "Go toolchain unavailable; cannot run go mod verify"
fi

Repository: openshift-hyperfleet/hyperfleet-sentinel

Length of output: 1409


🏁 Script executed:

#!/bin/bash
# Check the full go.mod context around lines 138-140
echo "=== Context: lines 135-145 from go.mod ==="
sed -n '135,145p' go.mod

# Check if 7ab31c22f7ad appears elsewhere in go.mod or go.sum
echo "=== All occurrences of 7ab31c22f7ad ==="
grep -r '7ab31c22f7ad' . 2>/dev/null || echo "NOT FOUND anywhere"

# Verify git history: has this hash been used before in dependencies?
# Test the grep result rather than head's exit status, which is 0 even with no match.
echo "=== Check git log for 7ab31c22f7ad ==="
matches=$(git log --oneline --all | grep -i '7ab31c22f7ad' | head -5)
if [ -n "$matches" ]; then echo "$matches"; else echo "No matching commits in log"; fi

# Decode pseudoversion: what date does 20260401024825 represent?
echo "=== Timestamp analysis ==="
python3 <<'PY'
import datetime
timestamp_str = "20260401024825"
try:
    dt = datetime.datetime.strptime(timestamp_str, "%Y%m%d%H%M%S")
    print(f"Timestamp {timestamp_str} → {dt.isoformat()}")
except ValueError as e:
    print(f"Invalid timestamp: {e}")
PY

# Check if the parent genproto module MUST match submodule versions
echo "=== Checking go.mod for genproto module dependency tree ==="
grep -A2 -B2 'google.golang.org/genproto' go.mod | head -20

Repository: openshift-hyperfleet/hyperfleet-sentinel

Length of output: 1286


CWE-829: Line 138 uses bare commit hash without checksum verification — supply chain integrity violation.

google.golang.org/genproto 7ab31c22f7ad // indirect is invalid Go module syntax. Valid pseudoversions require v0.0.0-<timestamp>-<hash> format. The bare commit hash 7ab31c22f7ad:

  • Has NO entry in go.sum (checksum validation bypassed for parent module)
  • Mismatches submodule versions pinned at v0.0.0-20260401024825-9d38bb4040a9 (lines 139–140)
  • Cannot be resolved as a valid go.mod reference

This breaks the integrity chain: submodules are cryptographically verified via go.sum; the parent module is unverified. The orphaned reference violates Go module versioning guarantees and creates a supply chain attack surface. Correct line 138 to use the proper pseudoversion matching lines 139–140, or revert to the previous stable version v0.0.0-20260209200024-4cfbd4190f57.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@go.mod` around lines 138 - 140, The google.golang.org/genproto module on line
138 uses a bare commit hash format (7ab31c22f7ad) which is invalid Go module
syntax and lacks checksum verification. Replace the bare commit hash with a
proper pseudoversion format matching the submodule versions on lines 139-140
(v0.0.0-20260401024825-9d38bb4040a9), or revert to the previous stable version
v0.0.0-20260209200024-4cfbd4190f57 to restore supply chain integrity and ensure
go.sum validation is applied across all dependencies.

Source: Coding guidelines
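Both the "Verify before merging" list in the walkthrough comment and the finding above reduce to the same mechanical checks: is every require version a tagged release or a pseudo-version, what commit and timestamp does a pseudo-version encode, and does go.sum carry the content and go.mod checksum lines for exactly that version. The following Go program, an added example that is not part of this PR or of the hyperfleet-sentinel code base, runs those checks offline on a constructed go.mod excerpt that mirrors the three lines quoted above and a constructed go.sum whose h1: values are placeholders. The module path example.com/hypothetical/service and the grpc line are invented, and the pseudo-version pattern is copied in shape from golang.org/x/mod/module so that the program needs only the standard library.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
	"time"
)

// Constructed go.mod excerpt: the three genproto lines mirror the ones quoted in
// the review; the module path and the grpc line are hypothetical.
const sampleGoMod = `module example.com/hypothetical/service
require (
	google.golang.org/genproto 7ab31c22f7ad // indirect
	google.golang.org/genproto/googleapis/api v0.0.0-20260401024825-9d38bb4040a9 // indirect
	google.golang.org/genproto/googleapis/rpc v0.0.0-20260401024825-9d38bb4040a9 // indirect
	google.golang.org/grpc v1.81.1
)
`

// Constructed go.sum excerpt with placeholder h1: values; only the (path, version) keys matter here.
const sampleGoSum = `google.golang.org/genproto/googleapis/api v0.0.0-20260401024825-9d38bb4040a9 h1:placeholder1=
google.golang.org/genproto/googleapis/api v0.0.0-20260401024825-9d38bb4040a9/go.mod h1:placeholder2=
google.golang.org/genproto/googleapis/rpc v0.0.0-20260401024825-9d38bb4040a9 h1:placeholder3=
google.golang.org/genproto/googleapis/rpc v0.0.0-20260401024825-9d38bb4040a9/go.mod h1:placeholder4=
google.golang.org/grpc v1.81.1 h1:placeholder5=
google.golang.org/grpc v1.81.1/go.mod h1:placeholder6=
`

// Pseudo-version shape after golang.org/x/mod/module (group 3 = 14-digit UTC timestamp, group 4 = commit prefix), and canonical tagged semver.
var (
	pseudoRE = regexp.MustCompile(`^v[0-9]+\.(0\.0-|\d+\.\d+-([^+]*\.)?0\.)(\d{14})-([A-Za-z0-9]+)(\+[0-9A-Za-z-]+(\.[0-9A-Za-z-]+)*)?$`)
	taggedRE = regexp.MustCompile(`^v[0-9]+\.[0-9]+\.[0-9]+(-[0-9A-Za-z.-]+)?(\+incompatible)?$`)
)

type Finding struct {
	Path, Version string
	Kind          string   // "tagged", "pseudo" or "noncanonical"
	Flags         []string // what a reviewer has to chase before merging
}

// ParsePseudo decodes a pseudo-version into the commit time and prefix it encodes.
func ParsePseudo(v string) (when time.Time, commit string, ok bool) {
	m := pseudoRE.FindStringSubmatch(v)
	if m == nil {
		return time.Time{}, "", false
	}
	t, err := time.Parse("20060102150405", m[3])
	return t, m[4], err == nil
}

// GoSumHas reports whether go.sum carries both lines the go command expects for a
// requirement, the module content hash and the go.mod hash, matched at line start.
func GoSumHas(gosum, path, version string) (content, modfile bool) {
	content = strings.Contains("\n"+gosum, "\n"+path+" "+version+" h1:")
	modfile = strings.Contains("\n"+gosum, "\n"+path+" "+version+"/go.mod h1:")
	return content, modfile
}

// Audit walks the require block of go.mod and classifies every version.
func Audit(gomod, gosum string) []Finding {
	var out []Finding
	inRequire := false
	for _, raw := range strings.Split(gomod, "\n") {
		line := strings.TrimSpace(raw)
		if line == "require (" || line == ")" {
			inRequire = line == "require ("
			continue
		}
		if i := strings.Index(line, "//"); i >= 0 { // drop "// indirect" and similar
			line = strings.TrimSpace(line[:i])
		}
		f := strings.Fields(line)
		if !inRequire || len(f) != 2 {
			continue
		}
		fd := Finding{Path: f[0], Version: f[1]}
		if when, commit, ok := ParsePseudo(fd.Version); ok {
			fd.Kind = "pseudo"
			fd.Flags = append(fd.Flags, "pins commit "+commit+" from "+when.Format(time.RFC3339)+", not a tagged release; confirm the commit in the canonical upstream repo")
		} else if taggedRE.MatchString(fd.Version) {
			fd.Kind = "tagged"
		} else {
			fd.Kind = "noncanonical"
			fd.Flags = append(fd.Flags, "not a canonical version; the go command will rewrite it and refuses to build under -mod=readonly until it has")
		}
		if content, modfile := GoSumHas(gosum, fd.Path, fd.Version); !content || !modfile {
			fd.Flags = append(fd.Flags, "go.sum lacks the checksum lines for this version; run go mod tidy and review the lines it adds")
		}
		out = append(out, fd)
	}
	return out
}

func main() {
	for _, fd := range Audit(sampleGoMod, sampleGoSum) {
		fmt.Printf("%-45s %-40s %-12s %s\n", fd.Path, fd.Version, fd.Kind, strings.Join(fd.Flags, "; "))
	}
}
```

Running it prints one row per requirement: the bare-hash line comes out as noncanonical with no go.sum coverage, the two submodules decode to commit 9d38bb4040a9 at 2026-04-01T02:48:25Z and are covered by go.sum, and grpc is a clean tagged release. On a real checkout, feed it the contents of go.mod and go.sum via os.ReadFile and follow up with go mod verify, which re-hashes the module cache against go.sum; the program deliberately stops short of that and of contacting the upstream repository.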
