Automated rebase to K8s 1.36.2 by dfarrell07 · Pull Request #305 · openshift/multus-cni

dfarrell07 · 2026-06-10T02:54:36Z

Generated by the new/WIP k8s-rebase Claude skill.

openshift-eng/ai-helpers@main...dfarrell07:ai-helpers:k8s-rebase-skill

Summary by CodeRabbit

Chores
- Upgraded Go toolchain to 1.26 across CI, release builds, and container images; advanced OpenShift-related build root image tags and Docker base images.
- Refreshed Go module dependencies (including Kubernetes libraries) for updated compatibility.
Bug Fixes / Improvements
- Improved event/warning message formatting for clearer diagnostics when CSRs are denied and when no network is detected.
Tests
- Disabled AtomicFIFO and WatchListClient feature flags during Go test runs to stabilize behavior.

openshift-ci · 2026-06-10T02:54:41Z

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

coderabbitai · 2026-06-10T02:54:51Z

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

@coderabbitai resume to resume automatic reviews.
@coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

▶️ Resume reviews
🔍 Trigger review

Walkthrough

Repository-wide upgrade from Go 1.25 to 1.26: go.mod toolchain and dependencies updated, CI operator and GitHub Actions workflows shifted to 1.26, all container build-stage images bumped, Kubernetes feature gate environment flags added to test script, and import blocks reordered with Eventf message formatting adjusted.

Changes

Go Version 1.25 to 1.26 Upgrade

Layer / File(s)	Summary
Module toolchain and dependency updates `go.mod`	Go directive updated to 1.26.0; direct requires for pflag, golang.org/x modules, and Kubernetes core dependencies (k8s.io/api, k8s.io/apimachinery, k8s.io/client-go, k8s.io/kubelet) bumped to v0.36.2; indirect requires for OpenAPI tooling, Prometheus libraries, and golang.org modules refreshed; josharian/intern, mailru/easyjson, and yaml.v3 removed.
CI operator and build workflows `.ci-operator.yaml`, `.github/workflows/build.yml`, `.github/workflows/release.yml`, `.github/workflows/test.yml`	CI operator build_root_image.tag and GitHub Actions workflow go-version matrix entries updated from 1.25.x to 1.26.x; OpenShift version references in operator config bumped from 4.22 to 5.0.
Container build images `Dockerfile.microshift`, `Dockerfile.openshift`, `images/Dockerfile`, `images/Dockerfile.debug`, `images/Dockerfile.thick`	All build-stage base images and OpenShift builder image tags switched from golang 1.25 to 1.26; final-stage base image references bumped from ocp/4.22 to ocp/5.0.
Test environment configuration `hack/test-go.sh`	Exports KUBE_FEATURE_AtomicFIFO=false and KUBE_FEATURE_WatchListClient=false before test execution.
Code and import adjustments `cmd/cert-approver/main.go`, `pkg/k8sclient/k8sclient.go`	Kubernetes-related imports reordered in both files; denyCSR event message format string changed from "denied by: %s" to "denied by %s: %s"; NoNetworkFound Eventf call updated to pass errMsg as format argument instead of format string.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

🚥 Pre-merge checks | ✅ 14 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (14 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names	✅ Passed	PR modifies only configuration, Docker, and source files - no test files (*_test.go) were changed, so no test names exist to evaluate for stability.
Test Structure And Quality	✅ Passed	This PR does not modify any Ginkgo test files (*_test.go). Changes include dependency upgrades (go.mod), CI/build configuration, Dockerfiles, and source code refactoring, but no test code.
Microshift Test Compatibility	✅ Passed	No e2e tests added in this PR. All new test files are unit tests with fake/mock Kubernetes clients, not end-to-end tests that run against a real cluster.
Single Node Openshift (Sno) Test Compatibility	✅ Passed	No new Ginkgo e2e tests added; PR is a K8s/Go dependency upgrade with CI/Dockerfile config changes and vet error fixes.
Topology-Aware Scheduling Compatibility	✅ Passed	This PR rebases to K8s 1.36 with only build/CI updates and dependency version bumps. No deployment manifests, operator code, or scheduling constraints were added or modified. Existing daemonsets us...
Ote Binary Stdout Contract	✅ Passed	This PR targets multus-cni, a CNI plugin project that uses standard Go testing, not the OpenShift OTE framework. The OTE Binary Stdout Contract check is not applicable to this project.
Ipv6 And Disconnected Network Test Compatibility	✅ Passed	No new Ginkgo e2e tests are added in this PR. Changes are limited to Go version updates, Dockerfile configurations, CI workflows, and dependency updates. The IPv6/disconnected network compatibility...
No-Weak-Crypto	✅ Passed	No weak cryptography detected. All crypto usage is appropriate (x509 parsing, SHA256 hashing, TLS); no MD5/SHA1/DES/RC4/3DES/Blowfish/ECB found; no custom crypto implementations; proper dependencie...
Container-Privileges	✅ Passed	PR modifies Go version updates and CI configs, not K8s manifests or container security settings. No privileged, hostPID, hostNetwork, hostIPC, SYS_ADMIN, or allowPrivilegeEscalation settings were i...
No-Sensitive-Data-In-Logs	✅ Passed	All logging statements in the PR contain only technical metadata (CSR names, namespaces, network names) and validation errors. No passwords, tokens, API keys, PII, session IDs, or sensitive data ar...
Title check	✅ Passed	The title 'Automated rebase to K8s 1.36.2' clearly summarizes the main change—upgrading Kubernetes dependencies and related tooling—which is the central focus of this pull request across all modified files.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

Create PR with unit tests

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

_{Comment @coderabbitai help to get the list of available commands.}

openshift-ci · 2026-06-10T02:54:57Z

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: dfarrell07
Once this PR has been reviewed and has the lgtm label, please assign bpickard22 for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

coderabbitai

Actionable comments posted: 1

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (7)

.github/workflows/release.yml (1)

10-26: ⚠️ Potential issue | 🟠 Major | 🏗️ Heavy lift

Pin GitHub Actions by full commit SHA and minimize GITHUB_TOKEN permissions.

This release workflow uses mutable action tags (@v4, @v5) instead of immutable commit SHAs (lines 11, 16, 21), creating supply chain risk. As per coding guidelines, pin actions by full SHA.

The workflow uses GITHUB_TOKEN (line 26) but does not declare explicit minimal permissions. Release workflows typically require contents: write to publish releases; declare this explicitly to follow least-privilege principles.
🔒 Recommended fixes

Pin actions by SHA
      - name: Checkout
-       uses: actions/checkout@v4
+       uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v4.2.2
        with:
          fetch-depth: 0

      - name: Set up Go
-       uses: actions/setup-go@v5
+       uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32  # v5.0.2

      - name: Run GoReleaser
-       uses: goreleaser/goreleaser-action@v5
+       uses: goreleaser/goreleaser-action@9ed2f89a662bf1735a48bc8557fd212fa902bebf  # v5.1.0
Add minimal permissions
 name: Release binaries
 on:
   push:
     tags:
       - 'v*'
+
+permissions:
+  contents: write
+
 jobs:
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/release.yml around lines 10 - 26, Replace mutable action
tags with pinned immutable commit SHAs for the three steps named "Checkout",
"Set up Go", and "Run GoReleaser" (i.e., replace uses: actions/checkout@v4,
actions/setup-go@v5, goreleaser/goreleaser-action@v5 with their respective full
commit SHA refs) and add an explicit minimal permissions block for the workflow
granting only what release needs (e.g., permissions: contents: write) so the
GITHUB_TOKEN is least-privileged while still allowing the GoReleaser step to
publish artifacts.
Source: Coding guidelines

.github/workflows/test.yml (1)

11-46: ⚠️ Potential issue | 🟠 Major | 🏗️ Heavy lift

Pin GitHub Actions by full commit SHA and minimize GITHUB_TOKEN permissions.

This test workflow uses mutable action tags across multiple steps (lines 12, 17, 20, 35, 46) instead of immutable commit SHAs. As per coding guidelines, pin actions by full SHA to prevent supply chain attacks.

The workflow does not declare explicit minimal permissions for GITHUB_TOKEN. Test workflows typically need only contents: read (and possibly checks: write for coverage uploads).
🔒 Recommended fixes

Pin actions by SHA (examples for key actions)
    - name: Install Go
-     uses: actions/setup-go@v5
+     uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32  # v5.0.2

    - name: Checkout code
-     uses: actions/checkout@v4
+     uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v4.2.2

    - name: Send coverage
-     uses: shogo82148/actions-goveralls@v1
+     uses: shogo82148/actions-goveralls@6c05178f6b7d2f4bf2433c0132b0c4c6d87ac607  # v1.9.0
Add minimal permissions
 on: [push, pull_request]
 name: Test
+
+permissions:
+  contents: read
+
 jobs:
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/test.yml around lines 11 - 46, The workflow uses mutable
action tags (setup-go@v5, actions/checkout@v4, morphy/revive-action:v2,
shogo82148/actions-goveralls@v1) and missing minimal GITHUB_TOKEN permissions;
update each uses: reference to an immutable full commit SHA (or docker image
digest for the docker:// morphy/revive-action) instead of the floating tags in
the steps named "Install Go", "Checkout code", "Run Revive Action by pulling
pre-built image" and the goveralls steps, and add a top-level permissions block
(e.g., contents: read and checks: write only if needed for coverage upload) so
the jobs like Test and finish run with minimal GITHUB_TOKEN scope.
Source: Coding guidelines

images/Dockerfile.debug (1)

11-22: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Add USER directive or use distroless nonroot variant.

The final stage (lines 11-22) does not specify a USER directive, defaulting to root. As per coding guidelines, containers should never run as root.

Consider using gcr.io/distroless/base-debian12:debug-nonroot to combine debugging capabilities with non-root execution, or add an explicit USER directive.

🔒 Recommended fixes

Option 1: Use distroless debug-nonroot variant (preferred)

-FROM gcr.io/distroless/base-debian12:debug
+FROM gcr.io/distroless/base-debian12:debug-nonroot
 LABEL org.opencontainers.image.source https://github.com/k8snetworkplumbingwg/multus-cni

Option 2: Add explicit USER directive

 FROM gcr.io/distroless/base-debian12:debug
 LABEL org.opencontainers.image.source https://github.com/k8snetworkplumbingwg/multus-cni
 COPY --from=build /usr/src/multus-cni/bin /usr/src/multus-cni/bin
 COPY --from=build /usr/src/multus-cni/LICENSE /usr/src/multus-cni/LICENSE
 WORKDIR /

 COPY --from=build /usr/src/multus-cni/bin/install_multus /
 COPY --from=build /usr/src/multus-cni/bin/thin_entrypoint /
 COPY --from=build /usr/src/multus-cni/bin/kubeconfig_generator /
 COPY --from=build /usr/src/multus-cni/bin/cert-approver /

+USER 65532:65532
+
 ENTRYPOINT ["/thin_entrypoint"]

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@images/Dockerfile.debug` around lines 11 - 22, The final debug image uses
root by default; update the final stage to run non-root by either switching the
base image FROM gcr.io/distroless/base-debian12:debug to
gcr.io/distroless/base-debian12:debug-nonroot (preferred) or adding an explicit
USER directive in the final stage (after the COPY lines and before ENTRYPOINT
["/thin_entrypoint"]) to a non-root uid/gid consistent with your runtime files;
ensure the chosen user has permission to execute /thin_entrypoint and access the
copied binaries (install_multus, thin_entrypoint, kubeconfig_generator,
cert-approver).

Source: Coding guidelines

Dockerfile.openshift (1)

34-54: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Add USER directive to run container as non-root.

The final stage (lines 34-54) does not specify a USER directive, defaulting to root. As per coding guidelines, containers should never run as root. Declare an explicit non-root user.

🔒 Recommended fix

 LABEL io.k8s.display-name="Multus CNI" \
       io.k8s.description="This is a component of OpenShift Container Platform and provides a meta CNI plugin." \
       io.openshift.tags="openshift" \
       maintainer="Doug Smith <dosmith@redhat.com>"

+USER 65532:65532
+
 ENTRYPOINT ["/entrypoint.sh"]

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@Dockerfile.openshift` around lines 34 - 54, The final image runs as root; add
a non-root runtime user and switch to it with a USER directive after the files
are copied and permissions set: create or ensure a dedicated user/group (e.g.,
multus or a numeric UID/GID) and chown/chmod the runtime assets (/entrypoint.sh
and /usr/src/multus-cni/*) so the non-root user can execute the entrypoint and
read/write as needed, then add USER <user> (or USER <uid>:<gid>) just before the
existing ENTRYPOINT ["/entrypoint.sh"] to ensure the container does not run as
root.

Source: Coding guidelines

images/Dockerfile (1)

11-22: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Add USER directive or use distroless nonroot variant.

The final stage (lines 11-22) does not specify a USER directive, defaulting to root. As per coding guidelines, containers should never run as root.

Since you're using distroless, consider switching to the nonroot variant (gcr.io/distroless/base-debian12:nonroot) which pre-configures a non-root user, or explicitly add a USER directive.

🔒 Recommended fixes

Option 1: Use distroless nonroot variant (preferred)

-FROM gcr.io/distroless/base-debian12:latest
+FROM gcr.io/distroless/base-debian12:nonroot
 LABEL org.opencontainers.image.source https://github.com/k8snetworkplumbingwg/multus-cni

Option 2: Add explicit USER directive

 FROM gcr.io/distroless/base-debian12:latest
 LABEL org.opencontainers.image.source https://github.com/k8snetworkplumbingwg/multus-cni
 COPY --from=build /usr/src/multus-cni/bin /usr/src/multus-cni/bin
 COPY --from=build /usr/src/multus-cni/LICENSE /usr/src/multus-cni/LICENSE
 WORKDIR /

 COPY --from=build /usr/src/multus-cni/bin/install_multus /
 COPY --from=build /usr/src/multus-cni/bin/thin_entrypoint /
 COPY --from=build /usr/src/multus-cni/bin/kubeconfig_generator /
 COPY --from=build /usr/src/multus-cni/bin/cert-approver /

+USER 65532:65532
+
 ENTRYPOINT ["/thin_entrypoint"]

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@images/Dockerfile` around lines 11 - 22, The final Dockerfile stage runs as
root because there is no USER set; update the FROM line to the nonroot
distroless image (e.g., change FROM gcr.io/distroless/base-debian12:latest to
the nonroot variant) or add an explicit USER directive after the COPY lines to a
non-root UID/GID, and ensure the installed artifacts copied by COPY (the
/thin_entrypoint and binaries referenced by ENTRYPOINT) have appropriate
ownership and permissions for that non-root user so the container can execute
ENTRYPOINT without root privileges.

Source: Coding guidelines

.github/workflows/build.yml (1)

13-18: ⚠️ Potential issue | 🟠 Major | 🏗️ Heavy lift

Pin GitHub Actions by full commit SHA, not by tag.

Lines 13 and 18 reference actions by mutable tags (@v5, @v4) instead of immutable commit SHAs. Tags can be moved to point at malicious code, creating a supply chain risk. As per coding guidelines, pin actions by full SHA.

Additionally, this workflow does not declare explicit permissions to minimize GITHUB_TOKEN scope. The CI/CD security guidelines require least-privilege token permissions.
🔒 Recommended fixes

Example: Pin actions by SHA
    - name: Install Go
-     uses: actions/setup-go@v5
+     uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32  # v5.0.2
      with:
        go-version: ${{ matrix.go-version }}

    - name: Checkout code
-     uses: actions/checkout@v4
+     uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v4.2.2
Add minimal permissions block
 on: [push, pull_request]
 name: Build
+
+permissions:
+  contents: read
+
 jobs:
   build:
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/build.yml around lines 13 - 18, Replace the mutable action
tags in the workflow (actions/setup-go@v5 and actions/checkout@v4) with their
corresponding immutable full commit SHAs and update any related matrix entries
so the workflow references those SHAs instead of tags; additionally add an
explicit minimal permissions block to the workflow root to restrict GITHUB_TOKEN
(e.g., only grant the precise read/write scopes your jobs need such as contents:
read and any other narrowly required scopes) so the CI follows least-privilege
principles.
Source: Coding guidelines

Dockerfile.microshift (1)

11-24: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Add USER directive to run container as non-root.

The final stage (lines 11-24) does not specify a USER directive, meaning the container runs as root by default. As per coding guidelines, containers should never run as root. Even if OpenShift enforces non-root via SecurityContextConstraints, the Dockerfile should declare the intent explicitly.

🔒 Recommended fix

 FROM registry.ci.openshift.org/ocp/4.22:base-rhel9
 RUN dnf install -y util-linux && dnf clean all && \
     mkdir -p /usr/src/multus-cni/bin
 COPY --from=rhel9 \
   /usr/src/multus-cni/bin/thin_entrypoint \
   /usr/src/multus-cni/bin/multus \
   /usr/src/multus-cni/bin

 LABEL io.k8s.display-name="Multus CNI for MicroShift" \
       io.k8s.description="This is an optional component of MicroShift and provides a meta CNI plugin." \
       io.openshift.tags="microshift" \
       maintainer="Doug Smith <dosmith@redhat.com>"

+USER 65532:65532
+
 ENTRYPOINT ["/usr/src/multus-cni/bin/thin_entrypoint"]

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@Dockerfile.microshift` around lines 11 - 24, The final image runs as root;
add a non-root user and switch to it in the final stage: create a user (e.g.,
group/user "multus" or UID 1001) after installing files and chown
/usr/src/multus-cni/bin so thin_entrypoint and multus remain executable, then
add a USER instruction before the existing ENTRYPOINT
["/usr/src/multus-cni/bin/thin_entrypoint"]; ensure permissions allow execution
by that non-root account so ENTRYPOINT and /usr/src/multus-cni/bin/* work
correctly.

Source: Coding guidelines

🧹 Nitpick comments (1)

hack/test-go.sh (1)

2-7: ⚡ Quick win

Consider adding a comment explaining why these feature flags are disabled.

The feature flags are being explicitly disabled for test isolation, but it's not clear from the code why these specific flags were chosen or what issues they prevent. A brief comment would help future maintainers understand the intent.

📝 Suggested documentation

 #!/usr/bin/env bash
+# Disable K8s 1.36 feature flags that may cause test instability or are not
+# relevant to multus-cni's test scenarios. These ensure consistent test behavior
+# across different K8s versions and environments.
 export KUBE_FEATURE_StaleControllerConsistencyJob=false
 export KUBE_FEATURE_StaleControllerConsistencyReplicaSet=false
 export KUBE_FEATURE_StaleControllerConsistencyStatefulSet=false
 export KUBE_FEATURE_StaleControllerConsistencyDaemonSet=false
 export KUBE_FEATURE_AtomicFIFO=false
 export KUBE_FEATURE_WatchListClient=false
 set -e

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@hack/test-go.sh` around lines 2 - 7, The script sets several KUBE_FEATURE_*
environment flags to false without context; add a brief inline comment above
these exports explaining why each (or the group) is disabled for tests (e.g., to
avoid flaky behavior, isolate controller reconciliation, or disable experimental
features that interfere with deterministic test outcomes). Reference the exact
symbols in the comment (KUBE_FEATURE_StaleControllerConsistencyJob,
KUBE_FEATURE_StaleControllerConsistencyReplicaSet,
KUBE_FEATURE_StaleControllerConsistencyStatefulSet,
KUBE_FEATURE_StaleControllerConsistencyDaemonSet, KUBE_FEATURE_AtomicFIFO,
KUBE_FEATURE_WatchListClient) and state the rationale and any linked issue/PR or
test name that motivated disabling them.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@images/Dockerfile.thick`:
- Line 2: The FROM line "FROM --platform=$BUILDPLATFORM golang:1.26 as build"
uses a floating tag; replace it with the immutable digest form "FROM
--platform=$BUILDPLATFORM golang:1.26@sha256:<digest> as build" (insert the
correct sha256 for the golang:1.26 image) and update the same pattern in the
other Dockerfiles that use "golang:1.26" so all builder images are pinned to
their digests for supply-chain security.

---

Outside diff comments:
In @.github/workflows/build.yml:
- Around line 13-18: Replace the mutable action tags in the workflow
(actions/setup-go@v5 and actions/checkout@v4) with their corresponding immutable
full commit SHAs and update any related matrix entries so the workflow
references those SHAs instead of tags; additionally add an explicit minimal
permissions block to the workflow root to restrict GITHUB_TOKEN (e.g., only
grant the precise read/write scopes your jobs need such as contents: read and
any other narrowly required scopes) so the CI follows least-privilege
principles.

In @.github/workflows/release.yml:
- Around line 10-26: Replace mutable action tags with pinned immutable commit
SHAs for the three steps named "Checkout", "Set up Go", and "Run GoReleaser"
(i.e., replace uses: actions/checkout@v4, actions/setup-go@v5,
goreleaser/goreleaser-action@v5 with their respective full commit SHA refs) and
add an explicit minimal permissions block for the workflow granting only what
release needs (e.g., permissions: contents: write) so the GITHUB_TOKEN is
least-privileged while still allowing the GoReleaser step to publish artifacts.

In @.github/workflows/test.yml:
- Around line 11-46: The workflow uses mutable action tags (setup-go@v5,
actions/checkout@v4, morphy/revive-action:v2, shogo82148/actions-goveralls@v1)
and missing minimal GITHUB_TOKEN permissions; update each uses: reference to an
immutable full commit SHA (or docker image digest for the docker://
morphy/revive-action) instead of the floating tags in the steps named "Install
Go", "Checkout code", "Run Revive Action by pulling pre-built image" and the
goveralls steps, and add a top-level permissions block (e.g., contents: read and
checks: write only if needed for coverage upload) so the jobs like Test and
finish run with minimal GITHUB_TOKEN scope.

In `@Dockerfile.microshift`:
- Around line 11-24: The final image runs as root; add a non-root user and
switch to it in the final stage: create a user (e.g., group/user "multus" or UID
1001) after installing files and chown /usr/src/multus-cni/bin so
thin_entrypoint and multus remain executable, then add a USER instruction before
the existing ENTRYPOINT ["/usr/src/multus-cni/bin/thin_entrypoint"]; ensure
permissions allow execution by that non-root account so ENTRYPOINT and
/usr/src/multus-cni/bin/* work correctly.

In `@Dockerfile.openshift`:
- Around line 34-54: The final image runs as root; add a non-root runtime user
and switch to it with a USER directive after the files are copied and
permissions set: create or ensure a dedicated user/group (e.g., multus or a
numeric UID/GID) and chown/chmod the runtime assets (/entrypoint.sh and
/usr/src/multus-cni/*) so the non-root user can execute the entrypoint and
read/write as needed, then add USER <user> (or USER <uid>:<gid>) just before the
existing ENTRYPOINT ["/entrypoint.sh"] to ensure the container does not run as
root.

In `@images/Dockerfile`:
- Around line 11-22: The final Dockerfile stage runs as root because there is no
USER set; update the FROM line to the nonroot distroless image (e.g., change
FROM gcr.io/distroless/base-debian12:latest to the nonroot variant) or add an
explicit USER directive after the COPY lines to a non-root UID/GID, and ensure
the installed artifacts copied by COPY (the /thin_entrypoint and binaries
referenced by ENTRYPOINT) have appropriate ownership and permissions for that
non-root user so the container can execute ENTRYPOINT without root privileges.

In `@images/Dockerfile.debug`:
- Around line 11-22: The final debug image uses root by default; update the
final stage to run non-root by either switching the base image FROM
gcr.io/distroless/base-debian12:debug to
gcr.io/distroless/base-debian12:debug-nonroot (preferred) or adding an explicit
USER directive in the final stage (after the COPY lines and before ENTRYPOINT
["/thin_entrypoint"]) to a non-root uid/gid consistent with your runtime files;
ensure the chosen user has permission to execute /thin_entrypoint and access the
copied binaries (install_multus, thin_entrypoint, kubeconfig_generator,
cert-approver).

---

Nitpick comments:
In `@hack/test-go.sh`:
- Around line 2-7: The script sets several KUBE_FEATURE_* environment flags to
false without context; add a brief inline comment above these exports explaining
why each (or the group) is disabled for tests (e.g., to avoid flaky behavior,
isolate controller reconciliation, or disable experimental features that
interfere with deterministic test outcomes). Reference the exact symbols in the
comment (KUBE_FEATURE_StaleControllerConsistencyJob,
KUBE_FEATURE_StaleControllerConsistencyReplicaSet,
KUBE_FEATURE_StaleControllerConsistencyStatefulSet,
KUBE_FEATURE_StaleControllerConsistencyDaemonSet, KUBE_FEATURE_AtomicFIFO,
KUBE_FEATURE_WatchListClient) and state the rationale and any linked issue/PR or
test name that motivated disabling them.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

Push a commit to this branch (recommended)
Create a new PR with the fixes

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: ba33db6f-4ff7-4ed6-affc-b6ea2ebb7a54

📥 Commits

Reviewing files that changed from the base of the PR and between b4ec7d8 and 888acd0.

⛔ Files ignored due to path filters (287)

go.sum is excluded by !**/*.sum
vendor/github.com/emicklei/go-restful/v3/.travis.yml is excluded by !**/vendor/**, !vendor/**
vendor/github.com/emicklei/go-restful/v3/CHANGES.md is excluded by !**/vendor/**, !vendor/**
vendor/github.com/emicklei/go-restful/v3/README.md is excluded by !**/vendor/**, !vendor/**
vendor/github.com/emicklei/go-restful/v3/curly.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/emicklei/go-restful/v3/custom_verb.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/emicklei/go-restful/v3/doc.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/swag/.codecov.yml is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/swag/.golangci.yml is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/swag/.mockery.yml is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/swag/README.md is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/swag/SECURITY.md is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/swag/cmdutils/LICENSE is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/swag/cmdutils/cmd_utils.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/swag/cmdutils/doc.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/swag/cmdutils_iface.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/swag/conv/LICENSE is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/swag/conv/convert.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/swag/conv/convert_types.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/swag/conv/doc.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/swag/conv/format.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/swag/conv/sizeof.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/swag/conv/type_constraints.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/swag/conv_iface.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/swag/convert.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/swag/convert_types.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/swag/doc.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/swag/file.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/swag/fileutils/LICENSE is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/swag/fileutils/doc.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/swag/fileutils/file.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/swag/fileutils/path.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/swag/fileutils_iface.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/swag/go.work is excluded by !**/*.work, !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/swag/go.work.sum is excluded by !**/*.sum, !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/swag/initialism_index.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/swag/json.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/swag/jsonname/LICENSE is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/swag/jsonname/doc.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/swag/jsonname/name_provider.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/swag/jsonname_iface.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/swag/jsonutils/LICENSE is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/swag/jsonutils/README.md is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/swag/jsonutils/adapters/doc.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/swag/jsonutils/adapters/ifaces/doc.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/swag/jsonutils/adapters/ifaces/ifaces.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/swag/jsonutils/adapters/ifaces/registry_iface.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/swag/jsonutils/adapters/registry.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/swag/jsonutils/adapters/stdlib/json/adapter.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/swag/jsonutils/adapters/stdlib/json/doc.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/swag/jsonutils/adapters/stdlib/json/lexer.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/swag/jsonutils/adapters/stdlib/json/ordered_map.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/swag/jsonutils/adapters/stdlib/json/pool.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/swag/jsonutils/adapters/stdlib/json/register.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/swag/jsonutils/adapters/stdlib/json/writer.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/swag/jsonutils/concat.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/swag/jsonutils/doc.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/swag/jsonutils/json.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/swag/jsonutils/ordered_map.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/swag/jsonutils_iface.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/swag/loading/LICENSE is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/swag/loading/doc.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/swag/loading/errors.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/swag/loading/json.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/swag/loading/loading.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/swag/loading/options.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/swag/loading/yaml.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/swag/loading_iface.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/swag/mangling/BENCHMARK.md is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/swag/mangling/LICENSE is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/swag/mangling/doc.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/swag/mangling/initialism_index.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/swag/mangling/name_lexem.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/swag/mangling/name_mangler.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/swag/mangling/options.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/swag/mangling/pools.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/swag/mangling/split.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/swag/mangling/string_bytes.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/swag/mangling/util.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/swag/mangling_iface.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/swag/name_lexem.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/swag/net.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/swag/netutils/LICENSE is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/swag/netutils/doc.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/swag/netutils/net.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/swag/netutils_iface.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/swag/split.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/swag/stringutils/LICENSE is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/swag/stringutils/collection_formats.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/swag/stringutils/doc.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/swag/stringutils/strings.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/swag/stringutils_iface.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/swag/typeutils/LICENSE is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/swag/typeutils/doc.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/swag/typeutils/types.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/swag/typeutils_iface.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/swag/util.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/swag/yaml.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/swag/yamlutils/LICENSE is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/swag/yamlutils/doc.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/swag/yamlutils/errors.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/swag/yamlutils/ordered_map.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/swag/yamlutils/yaml.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/swag/yamlutils_iface.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/josharian/intern/README.md is excluded by !**/vendor/**, !vendor/**
vendor/github.com/josharian/intern/intern.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/josharian/intern/license.md is excluded by !**/vendor/**, !vendor/**
vendor/github.com/mailru/easyjson/LICENSE is excluded by !**/vendor/**, !vendor/**
vendor/github.com/mailru/easyjson/buffer/pool.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/mailru/easyjson/jlexer/bytestostr.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/mailru/easyjson/jlexer/bytestostr_nounsafe.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/mailru/easyjson/jlexer/error.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/mailru/easyjson/jlexer/lexer.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/mailru/easyjson/jwriter/writer.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/prometheus/common/expfmt/decode.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/prometheus/common/expfmt/expfmt.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/prometheus/common/expfmt/fuzz.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/prometheus/common/expfmt/openmetrics_create.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/prometheus/common/expfmt/text_create.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/prometheus/common/expfmt/text_parse.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/prometheus/procfs/.golangci.yml is excluded by !**/vendor/**, !vendor/**
vendor/github.com/prometheus/procfs/Makefile is excluded by !**/vendor/**, !vendor/**
vendor/github.com/prometheus/procfs/Makefile.common is excluded by !**/vendor/**, !vendor/**
vendor/github.com/prometheus/procfs/arp.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/prometheus/procfs/buddyinfo.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/prometheus/procfs/cmdline.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/prometheus/procfs/cpuinfo.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/prometheus/procfs/cpuinfo_armx.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/prometheus/procfs/cpuinfo_loong64.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/prometheus/procfs/cpuinfo_mipsx.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/prometheus/procfs/cpuinfo_others.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/prometheus/procfs/cpuinfo_ppcx.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/prometheus/procfs/cpuinfo_riscvx.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/prometheus/procfs/cpuinfo_s390x.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/prometheus/procfs/cpuinfo_x86.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/prometheus/procfs/crypto.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/prometheus/procfs/doc.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/prometheus/procfs/fs.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/prometheus/procfs/fs_statfs_notype.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/prometheus/procfs/fs_statfs_type.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/prometheus/procfs/fscache.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/prometheus/procfs/internal/fs/fs.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/prometheus/procfs/internal/util/parse.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/prometheus/procfs/internal/util/readfile.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/prometheus/procfs/internal/util/sysreadfile.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/prometheus/procfs/internal/util/sysreadfile_compat.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/prometheus/procfs/internal/util/valueparser.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/prometheus/procfs/ipvs.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/prometheus/procfs/kernel_hung.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/prometheus/procfs/kernel_random.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/prometheus/procfs/loadavg.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/prometheus/procfs/mdstat.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/prometheus/procfs/meminfo.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/prometheus/procfs/mountinfo.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/prometheus/procfs/mountstats.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/prometheus/procfs/net_conntrackstat.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/prometheus/procfs/net_dev.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/prometheus/procfs/net_dev_snmp6.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/prometheus/procfs/net_ip_socket.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/prometheus/procfs/net_protocols.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/prometheus/procfs/net_route.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/prometheus/procfs/net_sockstat.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/prometheus/procfs/net_softnet.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/prometheus/procfs/net_tcp.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/prometheus/procfs/net_tls_stat.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/prometheus/procfs/net_udp.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/prometheus/procfs/net_unix.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/prometheus/procfs/net_wireless.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/prometheus/procfs/net_xfrm.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/prometheus/procfs/netstat.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/prometheus/procfs/nfnetlink_queue.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/prometheus/procfs/proc.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/prometheus/procfs/proc_cgroup.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/prometheus/procfs/proc_cgroups.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/prometheus/procfs/proc_environ.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/prometheus/procfs/proc_fdinfo.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/prometheus/procfs/proc_interrupts.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/prometheus/procfs/proc_io.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/prometheus/procfs/proc_limits.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/prometheus/procfs/proc_maps.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/prometheus/procfs/proc_netstat.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/prometheus/procfs/proc_ns.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/prometheus/procfs/proc_psi.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/prometheus/procfs/proc_smaps.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/prometheus/procfs/proc_snmp.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/prometheus/procfs/proc_snmp6.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/prometheus/procfs/proc_stat.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/prometheus/procfs/proc_statm.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/prometheus/procfs/proc_status.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/prometheus/procfs/proc_sys.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/prometheus/procfs/schedstat.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/prometheus/procfs/slab.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/prometheus/procfs/softirqs.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/prometheus/procfs/stat.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/prometheus/procfs/swaps.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/prometheus/procfs/thread.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/prometheus/procfs/vm.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/prometheus/procfs/zoneinfo.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/spf13/pflag/flag.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/net/html/node.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/net/html/nodetype_string.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/net/http2/client_priority_go126.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/net/http2/client_priority_go127.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/net/http2/frame.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/net/http2/http2.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/net/http2/server.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/net/http2/transport.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/net/http2/writesched_priority_rfc7540.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/net/http2/writesched_priority_rfc9218.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/net/internal/httpsfv/httpsfv.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/sys/unix/ioctl_signed.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/sys/unix/ioctl_unsigned.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/sys/unix/syscall_solaris.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/sys/unix/syscall_unix.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/sys/windows/syscall_windows.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/sys/windows/types_windows.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/sys/windows/zsyscall_windows.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/term/terminal.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/text/secure/bidirule/bidirule.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/text/secure/bidirule/bidirule10.0.0.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/text/secure/bidirule/bidirule9.0.0.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/text/unicode/bidi/tables10.0.0.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/text/unicode/bidi/tables11.0.0.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/text/unicode/bidi/tables12.0.0.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/text/unicode/bidi/tables13.0.0.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/text/unicode/bidi/tables15.0.0.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/text/unicode/bidi/tables17.0.0.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/text/unicode/bidi/tables9.0.0.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/text/unicode/norm/forminfo.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/text/unicode/norm/tables10.0.0.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/text/unicode/norm/tables11.0.0.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/text/unicode/norm/tables12.0.0.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/text/unicode/norm/tables15.0.0.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/text/unicode/norm/tables17.0.0.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/text/unicode/norm/tables9.0.0.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/time/rate/rate.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/time/rate/sometimes.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/tools/go/ast/inspector/cursor.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/tools/go/ast/inspector/inspector.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/tools/go/ast/inspector/iter.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/tools/go/packages/packages.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/tools/go/types/objectpath/objectpath.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/tools/go/types/typeutil/callee.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/tools/internal/aliases/aliases.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/tools/internal/aliases/aliases_go122.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/tools/internal/event/core/event.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/tools/internal/event/core/export.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/tools/internal/event/keys/keys.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/tools/internal/event/label/label.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/tools/internal/gcimporter/iexport.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/tools/internal/gcimporter/iimport.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/tools/internal/gcimporter/ureader_yes.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/tools/internal/stdlib/deps.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/tools/internal/stdlib/manifest.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/tools/internal/stdlib/stdlib.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/tools/internal/typeparams/free.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/tools/internal/typesinternal/classify_call.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/tools/internal/typesinternal/types.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/tools/internal/versions/features.go is excluded by !**/vendor/**, !vendor/**
vendor/google.golang.org/protobuf/encoding/protodelim/protodelim.go is excluded by !**/vendor/**, !vendor/**
vendor/google.golang.org/protobuf/encoding/protojson/decode.go is excluded by !**/vendor/**, !vendor/**
vendor/google.golang.org/protobuf/encoding/protojson/well_known_types.go is excluded by !**/vendor/**, !vendor/**
vendor/google.golang.org/protobuf/encoding/prototext/decode.go is excluded by !**/vendor/**, !vendor/**
vendor/google.golang.org/protobuf/internal/descfmt/stringer.go is excluded by !**/vendor/**, !vendor/**
vendor/google.golang.org/protobuf/internal/encoding/tag/tag.go is excluded by !**/vendor/**, !vendor/**
vendor/google.golang.org/protobuf/internal/encoding/text/decode.go is excluded by !**/vendor/**, !vendor/**
vendor/google.golang.org/protobuf/internal/filedesc/desc.go is excluded by !**/vendor/**, !vendor/**
vendor/google.golang.org/protobuf/internal/filedesc/desc_lazy.go is excluded by !**/vendor/**, !vendor/**
vendor/google.golang.org/protobuf/internal/genid/descriptor_gen.go is excluded by !**/vendor/**, !vendor/**
vendor/google.golang.org/protobuf/internal/impl/codec_map.go is excluded by !**/vendor/**, !vendor/**
vendor/google.golang.org/protobuf/internal/impl/decode.go is excluded by !**/vendor/**, !vendor/**
vendor/google.golang.org/protobuf/internal/impl/validate.go is excluded by !**/vendor/**, !vendor/**
vendor/google.golang.org/protobuf/internal/version/version.go is excluded by !**/vendor/**, !vendor/**
vendor/google.golang.org/protobuf/proto/decode.go is excluded by !**/vendor/**, !vendor/**
vendor/google.golang.org/protobuf/types/descriptorpb/descriptor.pb.go is excluded by !**/*.pb.go, !**/vendor/**, !vendor/**
vendor/google.golang.org/protobuf/types/known/timestamppb/timestamp.pb.go is excluded by !**/*.pb.go, !**/vendor/**, !vendor/**
vendor/gopkg.in/yaml.v3/LICENSE is excluded by !**/vendor/**, !vendor/**
vendor/gopkg.in/yaml.v3/NOTICE is excluded by !**/vendor/**, !vendor/**
vendor/gopkg.in/yaml.v3/README.md is excluded by !**/vendor/**, !vendor/**
vendor/gopkg.in/yaml.v3/apic.go is excluded by !**/vendor/**, !vendor/**
vendor/gopkg.in/yaml.v3/decode.go is excluded by !**/vendor/**, !vendor/**
vendor/gopkg.in/yaml.v3/emitterc.go is excluded by !**/vendor/**, !vendor/**
vendor/gopkg.in/yaml.v3/encode.go is excluded by !**/vendor/**, !vendor/**
vendor/gopkg.in/yaml.v3/parserc.go is excluded by !**/vendor/**, !vendor/**
vendor/gopkg.in/yaml.v3/readerc.go is excluded by !**/vendor/**, !vendor/**
vendor/gopkg.in/yaml.v3/resolve.go is excluded by !**/vendor/**, !vendor/**
vendor/gopkg.in/yaml.v3/scannerc.go is excluded by !**/vendor/**, !vendor/**

📒 Files selected for processing (13)

.ci-operator.yaml
.github/workflows/build.yml
.github/workflows/release.yml
.github/workflows/test.yml
Dockerfile.microshift
Dockerfile.openshift
cmd/cert-approver/main.go
go.mod
hack/test-go.sh
images/Dockerfile
images/Dockerfile.debug
images/Dockerfile.thick
pkg/k8sclient/k8sclient.go

coderabbitai · 2026-06-10T03:05:19Z

@@ -1,5 +1,5 @@
 # This Dockerfile is used to build the image available on DockerHub
-FROM --platform=$BUILDPLATFORM golang:1.25 as build
+FROM --platform=$BUILDPLATFORM golang:1.26 as build


⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash # Description: Fetch the SHA256 digest for golang:1.26 to enable digest pinning # Get the manifest digest for golang:1.26 docker pull golang:1.26 >/dev/null 2>&1 docker inspect golang:1.26 --format='{{index .RepoDigests 0}}'

Repository: openshift/multus-cni

Length of output: 111

🏁 Script executed:

#!/bin/bash set -euo pipefail # Show the exact contents around the relevant Dockerfile line(s) echo "=== images/Dockerfile.thick (first 80 lines) ===" nl -ba images/Dockerfile.thick | sed -n '1,120p' # Find all occurrences of golang:1.26 (and similar patterns) echo echo "=== Search for golang:1.26 in Dockerfiles ===" rg -n --hidden -S "golang:1\.26" --glob '**/*Dockerfile*' --glob '**/*Containerfile*' || true # Check whether any Dockerfiles already pin images by digest echo echo "=== Search for `@sha256`: usage in Dockerfiles ===" rg -n --hidden -S "`@sha256`:" --glob '**/*Dockerfile*' --glob '**/*Containerfile*' || true # Check for HEALTHCHECK and USER directives across Dockerfiles/Containerfiles echo echo "=== Search for HEALTHCHECK in Dockerfiles ===" rg -n --hidden -S "^\s*HEALTHCHECK" --glob '**/*Dockerfile*' --glob '**/*Containerfile*' || true echo echo "=== Search for USER in Dockerfiles ===" rg -n --hidden -S "^\s*USER\s+" --glob '**/*Dockerfile*' --glob '**/*Containerfile*' || true

Repository: openshift/multus-cni

Length of output: 174

🏁 Script executed:

#!/bin/bash set -euo pipefail # Basic tool availability echo "=== command -v outputs ===" for c in awk cat rg fd find; do command -v "$c" >/dev/null 2>&1 && echo "$c: yes" || echo "$c: no" done echo echo "=== images/Dockerfile.thick (first 120 lines, with line numbers via awk) ===" if [ -f "images/Dockerfile.thick" ]; then awk '{printf "%6d\t%s\n", NR, $0}' images/Dockerfile.thick | head -n 120 else echo "Missing file: images/Dockerfile.thick" fi echo echo "=== Search for golang:1.26 in Dockerfiles/Containerfiles ===" rg -n --hidden -S "golang:1\.26" --glob '**/*Dockerfile*' --glob '**/*Containerfile*' || true echo echo "=== Search for `@sha256`: usage in Dockerfiles/Containerfiles ===" rg -n --hidden -S "`@sha256`:" --glob '**/*Dockerfile*' --glob '**/*Containerfile*' || true echo echo "=== Search for HEALTHCHECK directives ===" rg -n --hidden -S "^[[:space:]]*HEALTHCHECK" --glob '**/*Dockerfile*' --glob '**/*Containerfile*' || true echo echo "=== Search for USER directives ===" rg -n --hidden -S "^[[:space:]]*USER[[:space:]]+" --glob '**/*Dockerfile*' --glob '**/*Containerfile*' || true

Repository: openshift/multus-cni

Length of output: 1392

Pin the golang builder image by digest for supply chain security.

images/Dockerfile.thick uses a floating non-Red Hat base tag (FROM --platform=$BUILDPLATFORM golang:1.26 as build). Per the container security guidelines, replace it with FROM --platform=$BUILDPLATFORM golang:1.26@sha256:<digest> as build (using the immutable digest for the intended image). The same floating golang:1.26 pattern exists in images/Dockerfile and images/Dockerfile.debug; pin consistently.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@images/Dockerfile.thick` at line 2, The FROM line "FROM --platform=$BUILDPLATFORM golang:1.26 as build" uses a floating tag; replace it with the immutable digest form "FROM --platform=$BUILDPLATFORM golang:1.26@sha256:<digest> as build" (insert the correct sha256 for the golang:1.26 image) and update the same pattern in the other Dockerfiles that use "golang:1.26" so all builder images are pinned to their digests for supply-chain security.

Source: Coding guidelines

coderabbitai

Actionable comments posted: 1

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (2)

Dockerfile.microshift (2)
11-11: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Missing USER directive violates container security guidelines.

The final stage does not specify a USER directive, so the container will run as root. Per coding guidelines, containers must run as non-root.
🔒 Proposed fix to add non-root user
 FROM registry.ci.openshift.org/ocp/4.22:base-rhel9
+RUN useradd -u 1001 -r -g 0 -s /sbin/nologin multus-user
 RUN dnf install -y util-linux && dnf clean all && \
     mkdir -p /usr/src/multus-cni/bin
 COPY --from=rhel9 \
   /usr/src/multus-cni/bin/thin_entrypoint \
   /usr/src/multus-cni/bin/multus \
   /usr/src/multus-cni/bin
+RUN chown -R 1001:0 /usr/src/multus-cni && \
+    chmod -R g=u /usr/src/multus-cni
+USER 1001
As per coding guidelines: "USER non-root; never run as root" from Container security (prodsec-skills) section.
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@Dockerfile.microshift` at line 11, The Dockerfile final stage currently
starts from "FROM registry.ci.openshift.org/ocp/4.22:base-rhel9" but lacks a
USER directive and will run as root; add a non-root user and set USER in the
final stage (create a dedicated user/group, ensure any necessary directories are
chowned to that user, and then add a USER <non-root-user> line) so the container
runs non-root per the container security guidelines.
Source: Coding guidelines

24-25: ⚠️ Potential issue | 🟠 Major | 🏗️ Heavy lift

Missing HEALTHCHECK violates container security guidelines.

The Dockerfile does not define a HEALTHCHECK directive. Container orchestrators rely on health checks to detect and recover from unhealthy containers.

Consider adding a HEALTHCHECK that validates the multus CNI plugin's operational state. The specific health check command will depend on how Multus exposes its health status.

As per coding guidelines: "HEALTHCHECK defined" from Container security (prodsec-skills) section.
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@Dockerfile.microshift` around lines 24 - 25, Add a HEALTHCHECK instruction to
the Dockerfile to satisfy the "HEALTHCHECK defined" guideline and let
orchestrators detect unhealthy containers; implement a command that probes
Multus's runtime (for example, a small script or command that verifies the
multus CNI process or API is responding) and return appropriate exit codes, and
place the HEALTHCHECK near the existing ENTRYPOINT
["/usr/src/multus-cni/bin/thin_entrypoint"] so it exercises the running
container; ensure the check uses a short interval/retries and a sensible timeout
to avoid false positives.
Source: Coding guidelines

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@Dockerfile.microshift`:
- Line 2: The Dockerfile.microshift uses CI registry base images
("registry.ci.openshift.org/ocp/builder:rhel-9-golang-1.26-openshift-5.0" and
"registry.ci.openshift.org/ocp/4.22:base-rhel9"); replace both FROM lines to use
the approved Red Hat catalog images (e.g., catalog.redhat.com UBI minimal or an
appropriate distroless image) so they comply with container security guidelines,
updating tags to the matching RHEL/Go versions and verifying the resulting image
works with the existing build steps in Dockerfile.microshift.

---

Outside diff comments:
In `@Dockerfile.microshift`:
- Line 11: The Dockerfile final stage currently starts from "FROM
registry.ci.openshift.org/ocp/4.22:base-rhel9" but lacks a USER directive and
will run as root; add a non-root user and set USER in the final stage (create a
dedicated user/group, ensure any necessary directories are chowned to that user,
and then add a USER <non-root-user> line) so the container runs non-root per the
container security guidelines.
- Around line 24-25: Add a HEALTHCHECK instruction to the Dockerfile to satisfy
the "HEALTHCHECK defined" guideline and let orchestrators detect unhealthy
containers; implement a command that probes Multus's runtime (for example, a
small script or command that verifies the multus CNI process or API is
responding) and return appropriate exit codes, and place the HEALTHCHECK near
the existing ENTRYPOINT ["/usr/src/multus-cni/bin/thin_entrypoint"] so it
exercises the running container; ensure the check uses a short interval/retries
and a sensible timeout to avoid false positives.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

Push a commit to this branch (recommended)
Create a new PR with the fixes

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: ec8f6478-0f52-40ca-83e2-06be4c828feb

📥 Commits

Reviewing files that changed from the base of the PR and between f80527a and 0b7b9bf.

⛔ Files ignored due to path filters (287)

go.sum is excluded by !**/*.sum
vendor/github.com/emicklei/go-restful/v3/.travis.yml is excluded by !**/vendor/**, !vendor/**
vendor/github.com/emicklei/go-restful/v3/CHANGES.md is excluded by !**/vendor/**, !vendor/**
vendor/github.com/emicklei/go-restful/v3/README.md is excluded by !**/vendor/**, !vendor/**
vendor/github.com/emicklei/go-restful/v3/curly.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/emicklei/go-restful/v3/custom_verb.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/emicklei/go-restful/v3/doc.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/swag/.codecov.yml is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/swag/.golangci.yml is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/swag/.mockery.yml is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/swag/README.md is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/swag/SECURITY.md is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/swag/cmdutils/LICENSE is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/swag/cmdutils/cmd_utils.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/swag/cmdutils/doc.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/swag/cmdutils_iface.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/swag/conv/LICENSE is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/swag/conv/convert.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/swag/conv/convert_types.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/swag/conv/doc.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/swag/conv/format.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/swag/conv/sizeof.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/swag/conv/type_constraints.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/swag/conv_iface.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/swag/convert.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/swag/convert_types.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/swag/doc.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/swag/file.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/swag/fileutils/LICENSE is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/swag/fileutils/doc.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/swag/fileutils/file.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/swag/fileutils/path.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/swag/fileutils_iface.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/swag/go.work is excluded by !**/*.work, !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/swag/go.work.sum is excluded by !**/*.sum, !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/swag/initialism_index.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/swag/json.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/swag/jsonname/LICENSE is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/swag/jsonname/doc.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/swag/jsonname/name_provider.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/swag/jsonname_iface.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/swag/jsonutils/LICENSE is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/swag/jsonutils/README.md is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/swag/jsonutils/adapters/doc.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/swag/jsonutils/adapters/ifaces/doc.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/swag/jsonutils/adapters/ifaces/ifaces.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/swag/jsonutils/adapters/ifaces/registry_iface.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/swag/jsonutils/adapters/registry.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/swag/jsonutils/adapters/stdlib/json/adapter.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/swag/jsonutils/adapters/stdlib/json/doc.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/swag/jsonutils/adapters/stdlib/json/lexer.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/swag/jsonutils/adapters/stdlib/json/ordered_map.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/swag/jsonutils/adapters/stdlib/json/pool.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/swag/jsonutils/adapters/stdlib/json/register.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/swag/jsonutils/adapters/stdlib/json/writer.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/swag/jsonutils/concat.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/swag/jsonutils/doc.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/swag/jsonutils/json.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/swag/jsonutils/ordered_map.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/swag/jsonutils_iface.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/swag/loading/LICENSE is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/swag/loading/doc.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/swag/loading/errors.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/swag/loading/json.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/swag/loading/loading.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/swag/loading/options.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/swag/loading/yaml.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/swag/loading_iface.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/swag/mangling/BENCHMARK.md is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/swag/mangling/LICENSE is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/swag/mangling/doc.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/swag/mangling/initialism_index.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/swag/mangling/name_lexem.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/swag/mangling/name_mangler.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/swag/mangling/options.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/swag/mangling/pools.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/swag/mangling/split.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/swag/mangling/string_bytes.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/swag/mangling/util.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/swag/mangling_iface.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/swag/name_lexem.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/swag/net.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/swag/netutils/LICENSE is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/swag/netutils/doc.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/swag/netutils/net.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/swag/netutils_iface.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/swag/split.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/swag/stringutils/LICENSE is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/swag/stringutils/collection_formats.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/swag/stringutils/doc.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/swag/stringutils/strings.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/swag/stringutils_iface.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/swag/typeutils/LICENSE is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/swag/typeutils/doc.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/swag/typeutils/types.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/swag/typeutils_iface.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/swag/util.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/swag/yaml.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/swag/yamlutils/LICENSE is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/swag/yamlutils/doc.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/swag/yamlutils/errors.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/swag/yamlutils/ordered_map.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/swag/yamlutils/yaml.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/swag/yamlutils_iface.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/josharian/intern/README.md is excluded by !**/vendor/**, !vendor/**
vendor/github.com/josharian/intern/intern.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/josharian/intern/license.md is excluded by !**/vendor/**, !vendor/**
vendor/github.com/mailru/easyjson/LICENSE is excluded by !**/vendor/**, !vendor/**
vendor/github.com/mailru/easyjson/buffer/pool.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/mailru/easyjson/jlexer/bytestostr.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/mailru/easyjson/jlexer/bytestostr_nounsafe.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/mailru/easyjson/jlexer/error.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/mailru/easyjson/jlexer/lexer.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/mailru/easyjson/jwriter/writer.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/prometheus/common/expfmt/decode.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/prometheus/common/expfmt/expfmt.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/prometheus/common/expfmt/fuzz.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/prometheus/common/expfmt/openmetrics_create.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/prometheus/common/expfmt/text_create.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/prometheus/common/expfmt/text_parse.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/prometheus/procfs/.golangci.yml is excluded by !**/vendor/**, !vendor/**
vendor/github.com/prometheus/procfs/Makefile is excluded by !**/vendor/**, !vendor/**
vendor/github.com/prometheus/procfs/Makefile.common is excluded by !**/vendor/**, !vendor/**
vendor/github.com/prometheus/procfs/arp.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/prometheus/procfs/buddyinfo.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/prometheus/procfs/cmdline.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/prometheus/procfs/cpuinfo.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/prometheus/procfs/cpuinfo_armx.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/prometheus/procfs/cpuinfo_loong64.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/prometheus/procfs/cpuinfo_mipsx.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/prometheus/procfs/cpuinfo_others.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/prometheus/procfs/cpuinfo_ppcx.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/prometheus/procfs/cpuinfo_riscvx.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/prometheus/procfs/cpuinfo_s390x.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/prometheus/procfs/cpuinfo_x86.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/prometheus/procfs/crypto.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/prometheus/procfs/doc.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/prometheus/procfs/fs.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/prometheus/procfs/fs_statfs_notype.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/prometheus/procfs/fs_statfs_type.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/prometheus/procfs/fscache.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/prometheus/procfs/internal/fs/fs.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/prometheus/procfs/internal/util/parse.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/prometheus/procfs/internal/util/readfile.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/prometheus/procfs/internal/util/sysreadfile.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/prometheus/procfs/internal/util/sysreadfile_compat.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/prometheus/procfs/internal/util/valueparser.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/prometheus/procfs/ipvs.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/prometheus/procfs/kernel_hung.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/prometheus/procfs/kernel_random.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/prometheus/procfs/loadavg.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/prometheus/procfs/mdstat.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/prometheus/procfs/meminfo.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/prometheus/procfs/mountinfo.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/prometheus/procfs/mountstats.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/prometheus/procfs/net_conntrackstat.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/prometheus/procfs/net_dev.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/prometheus/procfs/net_dev_snmp6.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/prometheus/procfs/net_ip_socket.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/prometheus/procfs/net_protocols.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/prometheus/procfs/net_route.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/prometheus/procfs/net_sockstat.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/prometheus/procfs/net_softnet.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/prometheus/procfs/net_tcp.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/prometheus/procfs/net_tls_stat.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/prometheus/procfs/net_udp.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/prometheus/procfs/net_unix.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/prometheus/procfs/net_wireless.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/prometheus/procfs/net_xfrm.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/prometheus/procfs/netstat.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/prometheus/procfs/nfnetlink_queue.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/prometheus/procfs/proc.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/prometheus/procfs/proc_cgroup.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/prometheus/procfs/proc_cgroups.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/prometheus/procfs/proc_environ.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/prometheus/procfs/proc_fdinfo.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/prometheus/procfs/proc_interrupts.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/prometheus/procfs/proc_io.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/prometheus/procfs/proc_limits.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/prometheus/procfs/proc_maps.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/prometheus/procfs/proc_netstat.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/prometheus/procfs/proc_ns.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/prometheus/procfs/proc_psi.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/prometheus/procfs/proc_smaps.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/prometheus/procfs/proc_snmp.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/prometheus/procfs/proc_snmp6.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/prometheus/procfs/proc_stat.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/prometheus/procfs/proc_statm.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/prometheus/procfs/proc_status.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/prometheus/procfs/proc_sys.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/prometheus/procfs/schedstat.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/prometheus/procfs/slab.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/prometheus/procfs/softirqs.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/prometheus/procfs/stat.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/prometheus/procfs/swaps.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/prometheus/procfs/thread.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/prometheus/procfs/vm.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/prometheus/procfs/zoneinfo.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/spf13/pflag/flag.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/net/html/node.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/net/html/nodetype_string.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/net/http2/client_priority_go126.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/net/http2/client_priority_go127.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/net/http2/frame.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/net/http2/http2.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/net/http2/server.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/net/http2/transport.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/net/http2/writesched_priority_rfc7540.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/net/http2/writesched_priority_rfc9218.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/net/internal/httpsfv/httpsfv.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/sys/unix/ioctl_signed.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/sys/unix/ioctl_unsigned.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/sys/unix/syscall_solaris.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/sys/unix/syscall_unix.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/sys/windows/syscall_windows.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/sys/windows/types_windows.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/sys/windows/zsyscall_windows.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/term/terminal.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/text/secure/bidirule/bidirule.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/text/secure/bidirule/bidirule10.0.0.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/text/secure/bidirule/bidirule9.0.0.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/text/unicode/bidi/tables10.0.0.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/text/unicode/bidi/tables11.0.0.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/text/unicode/bidi/tables12.0.0.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/text/unicode/bidi/tables13.0.0.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/text/unicode/bidi/tables15.0.0.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/text/unicode/bidi/tables17.0.0.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/text/unicode/bidi/tables9.0.0.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/text/unicode/norm/forminfo.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/text/unicode/norm/tables10.0.0.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/text/unicode/norm/tables11.0.0.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/text/unicode/norm/tables12.0.0.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/text/unicode/norm/tables15.0.0.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/text/unicode/norm/tables17.0.0.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/text/unicode/norm/tables9.0.0.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/time/rate/rate.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/time/rate/sometimes.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/tools/go/ast/inspector/cursor.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/tools/go/ast/inspector/inspector.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/tools/go/ast/inspector/iter.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/tools/go/packages/packages.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/tools/go/types/objectpath/objectpath.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/tools/go/types/typeutil/callee.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/tools/internal/aliases/aliases.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/tools/internal/aliases/aliases_go122.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/tools/internal/event/core/event.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/tools/internal/event/core/export.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/tools/internal/event/keys/keys.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/tools/internal/event/label/label.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/tools/internal/gcimporter/iexport.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/tools/internal/gcimporter/iimport.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/tools/internal/gcimporter/ureader_yes.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/tools/internal/stdlib/deps.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/tools/internal/stdlib/manifest.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/tools/internal/stdlib/stdlib.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/tools/internal/typeparams/free.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/tools/internal/typesinternal/classify_call.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/tools/internal/typesinternal/types.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/tools/internal/versions/features.go is excluded by !**/vendor/**, !vendor/**
vendor/google.golang.org/protobuf/encoding/protodelim/protodelim.go is excluded by !**/vendor/**, !vendor/**
vendor/google.golang.org/protobuf/encoding/protojson/decode.go is excluded by !**/vendor/**, !vendor/**
vendor/google.golang.org/protobuf/encoding/protojson/well_known_types.go is excluded by !**/vendor/**, !vendor/**
vendor/google.golang.org/protobuf/encoding/prototext/decode.go is excluded by !**/vendor/**, !vendor/**
vendor/google.golang.org/protobuf/internal/descfmt/stringer.go is excluded by !**/vendor/**, !vendor/**
vendor/google.golang.org/protobuf/internal/encoding/tag/tag.go is excluded by !**/vendor/**, !vendor/**
vendor/google.golang.org/protobuf/internal/encoding/text/decode.go is excluded by !**/vendor/**, !vendor/**
vendor/google.golang.org/protobuf/internal/filedesc/desc.go is excluded by !**/vendor/**, !vendor/**
vendor/google.golang.org/protobuf/internal/filedesc/desc_lazy.go is excluded by !**/vendor/**, !vendor/**
vendor/google.golang.org/protobuf/internal/genid/descriptor_gen.go is excluded by !**/vendor/**, !vendor/**
vendor/google.golang.org/protobuf/internal/impl/codec_map.go is excluded by !**/vendor/**, !vendor/**
vendor/google.golang.org/protobuf/internal/impl/decode.go is excluded by !**/vendor/**, !vendor/**
vendor/google.golang.org/protobuf/internal/impl/validate.go is excluded by !**/vendor/**, !vendor/**
vendor/google.golang.org/protobuf/internal/version/version.go is excluded by !**/vendor/**, !vendor/**
vendor/google.golang.org/protobuf/proto/decode.go is excluded by !**/vendor/**, !vendor/**
vendor/google.golang.org/protobuf/types/descriptorpb/descriptor.pb.go is excluded by !**/*.pb.go, !**/vendor/**, !vendor/**
vendor/google.golang.org/protobuf/types/known/timestamppb/timestamp.pb.go is excluded by !**/*.pb.go, !**/vendor/**, !vendor/**
vendor/gopkg.in/yaml.v3/LICENSE is excluded by !**/vendor/**, !vendor/**
vendor/gopkg.in/yaml.v3/NOTICE is excluded by !**/vendor/**, !vendor/**
vendor/gopkg.in/yaml.v3/README.md is excluded by !**/vendor/**, !vendor/**
vendor/gopkg.in/yaml.v3/apic.go is excluded by !**/vendor/**, !vendor/**
vendor/gopkg.in/yaml.v3/decode.go is excluded by !**/vendor/**, !vendor/**
vendor/gopkg.in/yaml.v3/emitterc.go is excluded by !**/vendor/**, !vendor/**
vendor/gopkg.in/yaml.v3/encode.go is excluded by !**/vendor/**, !vendor/**
vendor/gopkg.in/yaml.v3/parserc.go is excluded by !**/vendor/**, !vendor/**
vendor/gopkg.in/yaml.v3/readerc.go is excluded by !**/vendor/**, !vendor/**
vendor/gopkg.in/yaml.v3/resolve.go is excluded by !**/vendor/**, !vendor/**
vendor/gopkg.in/yaml.v3/scannerc.go is excluded by !**/vendor/**, !vendor/**

📒 Files selected for processing (13)

.ci-operator.yaml
.github/workflows/build.yml
.github/workflows/release.yml
.github/workflows/test.yml
Dockerfile.microshift
Dockerfile.openshift
cmd/cert-approver/main.go
go.mod
hack/test-go.sh
images/Dockerfile
images/Dockerfile.debug
images/Dockerfile.thick
pkg/k8sclient/k8sclient.go

✅ Files skipped from review due to trivial changes (3)

.github/workflows/test.yml
images/Dockerfile.thick
.ci-operator.yaml

🚧 Files skipped from review as they are similar to previous changes (9)

.github/workflows/release.yml
images/Dockerfile
images/Dockerfile.debug
Dockerfile.openshift
.github/workflows/build.yml
cmd/cert-approver/main.go
hack/test-go.sh
go.mod
pkg/k8sclient/k8sclient.go

coderabbitai · 2026-06-11T05:54:41Z

@@ -1,5 +1,5 @@
 # This dockerfile is specific to building Multus for MicroShift
-FROM registry.ci.openshift.org/ocp/builder:rhel-9-golang-1.25-openshift-4.22 AS rhel9
+FROM registry.ci.openshift.org/ocp/builder:rhel-9-golang-1.26-openshift-5.0 AS rhel9


⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash # Description: Search for other Dockerfiles to check if registry.ci.openshift.org is a standard pattern in this repository # Check all Dockerfiles for base image registries echo "=== Checking base image registries in all Dockerfiles ===" rg -n "^FROM " -g "Dockerfile*" -C 1

Repository: openshift/multus-cni

Length of output: 2548

🏁 Script executed:

#!/bin/bash set -euo pipefail # Show FROM lines with context for Dockerfile.microshift echo "=== Dockerfile.microshift FROM lines ===" nl -ba Dockerfile.microshift | sed -n '1,160p' | rg -n "^( *[0-9]+\\s+)FROM|^( *[0-9]+\\s+)ARG|^( *[0-9]+\\s+)HEALTHCHECK|^( *[0-9]+\\s+)USER" || true echo echo "=== All Dockerfile.* FROM lines (repo-local) ===" for f in $(fd -t f 'Dockerfile*' .); do if rg -q '^FROM ' "$f"; then echo "--- $f ---" nl -ba "$f" | rg 'FROM ' | head -n 5 fi done | head -n 200

Repository: openshift/multus-cni

Length of output: 288

🏁 Script executed:

#!/bin/bash set -euo pipefail # Show FROM lines with context for Dockerfile.microshift echo "=== Dockerfile.microshift FROM lines ===" nl -ba Dockerfile.microshift | sed -n '1,160p' | rg -n "^( *[0-9]+\\s+)FROM|^( *[0-9]+\\s+)ARG|^( *[0-9]+\\s+)HEALTHCHECK|^( *[0-9]+\\s+)USER" || true echo echo "=== All Dockerfile* FROM lines (first few matches) ===" fd -t f 'Dockerfile*' . | while read -r f; do if rg -q '^FROM ' "$f"; then echo "--- $f ---" nl -ba "$f" | rg 'FROM ' | head -n 8 fi done | head -n 250

Repository: openshift/multus-cni

Length of output: 294

🏁 Script executed:

#!/bin/bash set -euo pipefail echo "=== Dockerfile.microshift (lines 1-80) ===" cat -n Dockerfile.microshift | sed -n '1,80p' | sed -n '/^\\s*[0-9]\\+\\s\\+FROM/p' || true echo echo "=== Dockerfile.microshift: all FROM lines (with numbers) ===" cat -n Dockerfile.microshift | rg '^[[:space:]]*[0-9]+[[:space:]]+FROM ' || true echo echo "=== Base image registries across Dockerfile* (FROM lines only, first 20 matches each) ===" fd -t f 'Dockerfile*' . | while read -r f; do if rg -q '^FROM ' "$f"; then echo "--- $f ---" rg '^FROM ' "$f" | head -n 20 fi done | head -n 250

Repository: openshift/multus-cni

Length of output: 1279

🌐 Web query:

prodsec-skills base image catalog.redhat.com registry.ci.openshift.org exempt OpenShift CI

💡 Result:

The terms in your query relate to distinct components of the Red Hat and OpenShift ecosystems. There is no singular documented "prodsec-skills base image catalog" that ties all these components together. Instead, they function as follows: 1. prodsec-skills: This refers to a repository by Red Hat Product Security designed for AI coding assistants and agentic systems, focusing on security skills for AI [1]. It is not a base image registry. 2. catalog.redhat.com: This is the official Red Hat Ecosystem Catalog, which serves as the authoritative source for certified container images, operators, and other software [https://catalog.redhat.com]. 3. registry.ci.openshift.org: This is a CI-specific internal image registry used by the OpenShift CI system (often referred to as 'app.ci'). It hosts images required for CI build and test processes, including "builder" images used for compiling components [2][3]. Images here are typically mirrored from authorized sources and are not intended for general production use by external consumers [3]. 4. Exemption in OpenShift CI: OpenShift CI utilizes configuration files (e.g., in the openshift/release repository) to manage image mirroring and CI operations [4][3]. There is no standard "exemption" mechanism for bypassing security policies in the CI registry itself in the way one might exempt a workload from a runtime policy (like UDS/Kyverno) [5]. If an image is needed in CI that is not currently present, the standard process is to mirror it to the central CI registry (QCI) by submitting a configuration change to the openshift/release repository [4][3]. If you are attempting to secure a build process or integrate AI agent skills, the recommended approach is to use certified base images from catalog.redhat.com and follow the official OpenShift CI documentation for image management, rather than seeking a cross-platform exemption [2][4].

Citations:

1: https://www.awesomeskills.dev/en/skill/redhatproductsecurity-prodsec-skills

2: https://docs.ci.openshift.org/architecture/images/

3: https://docs.ci.openshift.org/how-tos/use-registries-in-build-farm/

4: https://docs.ci.openshift.org/how-tos/external-images/

5: https://docs.defenseunicorns.com/core/v1-4/how-to-guides/policy-and-compliance/create-policy-exemptions/

Fix base image registry compliance in Dockerfile.microshift.

Container security guidelines require base images to come from catalog.redhat.com (UBI minimal or distroless). Dockerfile.microshift instead uses registry.ci.openshift.org/ocp/builder:rhel-9-golang-1.26-openshift-5.0 (line 2) and registry.ci.openshift.org/ocp/4.22:base-rhel9 (line 11). There’s no documented exemption for using the OpenShift CI registry for this requirement.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@Dockerfile.microshift` at line 2, The Dockerfile.microshift uses CI registry base images ("registry.ci.openshift.org/ocp/builder:rhel-9-golang-1.26-openshift-5.0" and "registry.ci.openshift.org/ocp/4.22:base-rhel9"); replace both FROM lines to use the approved Red Hat catalog images (e.g., catalog.redhat.com UBI minimal or an appropriate distroless image) so they comply with container security guidelines, updating tags to the matching RHEL/Go versions and verifying the resulting image works with the existing build steps in Dockerfile.microshift.

Source: Coding guidelines

coderabbitai

Actionable comments posted: 1

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

images/Dockerfile.thick (1)

11-18: ⚠️ Potential issue | 🟠 Major | 🏗️ Heavy lift

Add USER directive and HEALTHCHECK per security guidelines.

The final image stage is missing:

A USER directive to run as non-root (guideline requires never running as root)
A HEALTHCHECK directive to enable container health monitoring

Per container security guidelines, both are required.

🔒 Proposed fix to add USER and HEALTHCHECK

 FROM debian:stable-slim
 LABEL org.opencontainers.image.source=https://github.com/k8snetworkplumbingwg/multus-cni
+RUN useradd -u 1000 -m multus
 COPY --from=build /usr/src/multus-cni/bin /usr/src/multus-cni/bin
 COPY --from=build /usr/src/multus-cni/LICENSE /usr/src/multus-cni/LICENSE
 COPY --from=build /usr/src/multus-cni/bin/cert-approver /
+USER multus
 WORKDIR /
-
+HEALTHCHECK --interval=30s --timeout=3s --start-period=5s --retries=3 \
+  CMD ["/usr/src/multus-cni/bin/multus-daemon", "--health-check"] || exit 1
 ENTRYPOINT [ "/usr/src/multus-cni/bin/multus-daemon" ]

Note: Verify that multus-daemon supports a --health-check flag or adjust the HEALTHCHECK command accordingly.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@images/Dockerfile.thick` around lines 11 - 18, Add a non-root user and a
HEALTHCHECK to the final image: create a dedicated user/group (e.g., multus) and
ensure ownership of the runtime binary(s) under /usr/src/multus-cni/bin
(referencing the multus-daemon binary copied in the final stage), then add a
USER directive to run the container as that non-root user; add a HEALTHCHECK
that invokes an appropriate check against the multus-daemon binary (e.g., run
the binary with its health flag or probe an HTTP/UNIX endpoint if supported) and
ensure the command and interval/retries are reasonable—adjust the HEALTHCHECK
command if multus-daemon uses a different flag or endpoint.

Source: Coding guidelines

🧹 Nitpick comments (1)

images/Dockerfile.thick (1)
5-5: ⚖️ Poor tradeoff

Use COPY with specific files instead of ADD with entire context.

Line 5 copies the entire build context (ADD . /usr/src/multus-cni). Per container security guidelines, COPY specific files rather than the entire context to minimize the attack surface and reduce image size.
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@images/Dockerfile.thick` at line 5, The Dockerfile currently uses "ADD .
/usr/src/multus-cni" which copies the entire build context; replace this with
explicit COPY instructions that only copy the required files and directories
(e.g., COPY Dockerfile, COPY go.mod go.sum, COPY cmd/ pkg/ scripts/ etc.) and
ensure a .dockerignore is present to exclude unnecessary files; specifically
remove or replace the "ADD . /usr/src/multus-cni" line with targeted COPY
entries and update .dockerignore to omit secrets, docs, tests, and local config
to minimize image size and attack surface.
Source: Coding guidelines

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@hack/test-go.sh`:
- Around line 2-3: Add an explanatory comment above the KUBE_FEATURE_AtomicFIFO
and KUBE_FEATURE_WatchListClient exports in hack/test-go.sh that documents why
each feature gate is being disabled for tests, whether the change is temporary
or permanent, the observed failure or risk prompting the disable, and clear
steps/conditions required to re-enable them (e.g., linked issue/PR, failing test
names, version constraints). Reference the exact symbols KUBE_FEATURE_AtomicFIFO
and KUBE_FEATURE_WatchListClient in the comment and include a pointer to any
tracking issue or test logs so future maintainers can follow up.

---

Outside diff comments:
In `@images/Dockerfile.thick`:
- Around line 11-18: Add a non-root user and a HEALTHCHECK to the final image:
create a dedicated user/group (e.g., multus) and ensure ownership of the runtime
binary(s) under /usr/src/multus-cni/bin (referencing the multus-daemon binary
copied in the final stage), then add a USER directive to run the container as
that non-root user; add a HEALTHCHECK that invokes an appropriate check against
the multus-daemon binary (e.g., run the binary with its health flag or probe an
HTTP/UNIX endpoint if supported) and ensure the command and interval/retries are
reasonable—adjust the HEALTHCHECK command if multus-daemon uses a different flag
or endpoint.

---

Nitpick comments:
In `@images/Dockerfile.thick`:
- Line 5: The Dockerfile currently uses "ADD . /usr/src/multus-cni" which copies
the entire build context; replace this with explicit COPY instructions that only
copy the required files and directories (e.g., COPY Dockerfile, COPY go.mod
go.sum, COPY cmd/ pkg/ scripts/ etc.) and ensure a .dockerignore is present to
exclude unnecessary files; specifically remove or replace the "ADD .
/usr/src/multus-cni" line with targeted COPY entries and update .dockerignore to
omit secrets, docs, tests, and local config to minimize image size and attack
surface.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

Push a commit to this branch (recommended)
Create a new PR with the fixes

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 9fd12e8a-e163-4087-b53c-1391a26f0b0b

📥 Commits

Reviewing files that changed from the base of the PR and between 0b7b9bf and c739d61.

⛔ Files ignored due to path filters (287)

go.sum is excluded by !**/*.sum
vendor/github.com/emicklei/go-restful/v3/.travis.yml is excluded by !**/vendor/**, !vendor/**
vendor/github.com/emicklei/go-restful/v3/CHANGES.md is excluded by !**/vendor/**, !vendor/**
vendor/github.com/emicklei/go-restful/v3/README.md is excluded by !**/vendor/**, !vendor/**
vendor/github.com/emicklei/go-restful/v3/curly.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/emicklei/go-restful/v3/custom_verb.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/emicklei/go-restful/v3/doc.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/swag/.codecov.yml is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/swag/.golangci.yml is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/swag/.mockery.yml is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/swag/README.md is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/swag/SECURITY.md is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/swag/cmdutils/LICENSE is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/swag/cmdutils/cmd_utils.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/swag/cmdutils/doc.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/swag/cmdutils_iface.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/swag/conv/LICENSE is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/swag/conv/convert.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/swag/conv/convert_types.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/swag/conv/doc.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/swag/conv/format.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/swag/conv/sizeof.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/swag/conv/type_constraints.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/swag/conv_iface.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/swag/convert.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/swag/convert_types.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/swag/doc.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/swag/file.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/swag/fileutils/LICENSE is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/swag/fileutils/doc.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/swag/fileutils/file.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/swag/fileutils/path.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/swag/fileutils_iface.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/swag/go.work is excluded by !**/*.work, !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/swag/go.work.sum is excluded by !**/*.sum, !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/swag/initialism_index.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/swag/json.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/swag/jsonname/LICENSE is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/swag/jsonname/doc.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/swag/jsonname/name_provider.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/swag/jsonname_iface.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/swag/jsonutils/LICENSE is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/swag/jsonutils/README.md is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/swag/jsonutils/adapters/doc.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/swag/jsonutils/adapters/ifaces/doc.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/swag/jsonutils/adapters/ifaces/ifaces.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/swag/jsonutils/adapters/ifaces/registry_iface.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/swag/jsonutils/adapters/registry.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/swag/jsonutils/adapters/stdlib/json/adapter.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/swag/jsonutils/adapters/stdlib/json/doc.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/swag/jsonutils/adapters/stdlib/json/lexer.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/swag/jsonutils/adapters/stdlib/json/ordered_map.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/swag/jsonutils/adapters/stdlib/json/pool.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/swag/jsonutils/adapters/stdlib/json/register.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/swag/jsonutils/adapters/stdlib/json/writer.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/swag/jsonutils/concat.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/swag/jsonutils/doc.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/swag/jsonutils/json.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/swag/jsonutils/ordered_map.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/swag/jsonutils_iface.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/swag/loading/LICENSE is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/swag/loading/doc.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/swag/loading/errors.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/swag/loading/json.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/swag/loading/loading.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/swag/loading/options.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/swag/loading/yaml.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/swag/loading_iface.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/swag/mangling/BENCHMARK.md is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/swag/mangling/LICENSE is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/swag/mangling/doc.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/swag/mangling/initialism_index.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/swag/mangling/name_lexem.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/swag/mangling/name_mangler.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/swag/mangling/options.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/swag/mangling/pools.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/swag/mangling/split.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/swag/mangling/string_bytes.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/swag/mangling/util.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/swag/mangling_iface.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/swag/name_lexem.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/swag/net.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/swag/netutils/LICENSE is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/swag/netutils/doc.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/swag/netutils/net.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/swag/netutils_iface.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/swag/split.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/swag/stringutils/LICENSE is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/swag/stringutils/collection_formats.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/swag/stringutils/doc.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/swag/stringutils/strings.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/swag/stringutils_iface.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/swag/typeutils/LICENSE is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/swag/typeutils/doc.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/swag/typeutils/types.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/swag/typeutils_iface.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/swag/util.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/swag/yaml.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/swag/yamlutils/LICENSE is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/swag/yamlutils/doc.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/swag/yamlutils/errors.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/swag/yamlutils/ordered_map.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/swag/yamlutils/yaml.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/swag/yamlutils_iface.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/josharian/intern/README.md is excluded by !**/vendor/**, !vendor/**
vendor/github.com/josharian/intern/intern.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/josharian/intern/license.md is excluded by !**/vendor/**, !vendor/**
vendor/github.com/mailru/easyjson/LICENSE is excluded by !**/vendor/**, !vendor/**
vendor/github.com/mailru/easyjson/buffer/pool.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/mailru/easyjson/jlexer/bytestostr.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/mailru/easyjson/jlexer/bytestostr_nounsafe.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/mailru/easyjson/jlexer/error.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/mailru/easyjson/jlexer/lexer.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/mailru/easyjson/jwriter/writer.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/prometheus/common/expfmt/decode.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/prometheus/common/expfmt/expfmt.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/prometheus/common/expfmt/fuzz.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/prometheus/common/expfmt/openmetrics_create.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/prometheus/common/expfmt/text_create.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/prometheus/common/expfmt/text_parse.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/prometheus/procfs/.golangci.yml is excluded by !**/vendor/**, !vendor/**
vendor/github.com/prometheus/procfs/Makefile is excluded by !**/vendor/**, !vendor/**
vendor/github.com/prometheus/procfs/Makefile.common is excluded by !**/vendor/**, !vendor/**
vendor/github.com/prometheus/procfs/arp.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/prometheus/procfs/buddyinfo.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/prometheus/procfs/cmdline.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/prometheus/procfs/cpuinfo.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/prometheus/procfs/cpuinfo_armx.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/prometheus/procfs/cpuinfo_loong64.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/prometheus/procfs/cpuinfo_mipsx.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/prometheus/procfs/cpuinfo_others.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/prometheus/procfs/cpuinfo_ppcx.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/prometheus/procfs/cpuinfo_riscvx.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/prometheus/procfs/cpuinfo_s390x.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/prometheus/procfs/cpuinfo_x86.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/prometheus/procfs/crypto.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/prometheus/procfs/doc.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/prometheus/procfs/fs.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/prometheus/procfs/fs_statfs_notype.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/prometheus/procfs/fs_statfs_type.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/prometheus/procfs/fscache.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/prometheus/procfs/internal/fs/fs.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/prometheus/procfs/internal/util/parse.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/prometheus/procfs/internal/util/readfile.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/prometheus/procfs/internal/util/sysreadfile.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/prometheus/procfs/internal/util/sysreadfile_compat.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/prometheus/procfs/internal/util/valueparser.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/prometheus/procfs/ipvs.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/prometheus/procfs/kernel_hung.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/prometheus/procfs/kernel_random.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/prometheus/procfs/loadavg.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/prometheus/procfs/mdstat.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/prometheus/procfs/meminfo.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/prometheus/procfs/mountinfo.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/prometheus/procfs/mountstats.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/prometheus/procfs/net_conntrackstat.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/prometheus/procfs/net_dev.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/prometheus/procfs/net_dev_snmp6.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/prometheus/procfs/net_ip_socket.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/prometheus/procfs/net_protocols.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/prometheus/procfs/net_route.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/prometheus/procfs/net_sockstat.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/prometheus/procfs/net_softnet.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/prometheus/procfs/net_tcp.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/prometheus/procfs/net_tls_stat.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/prometheus/procfs/net_udp.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/prometheus/procfs/net_unix.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/prometheus/procfs/net_wireless.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/prometheus/procfs/net_xfrm.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/prometheus/procfs/netstat.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/prometheus/procfs/nfnetlink_queue.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/prometheus/procfs/proc.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/prometheus/procfs/proc_cgroup.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/prometheus/procfs/proc_cgroups.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/prometheus/procfs/proc_environ.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/prometheus/procfs/proc_fdinfo.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/prometheus/procfs/proc_interrupts.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/prometheus/procfs/proc_io.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/prometheus/procfs/proc_limits.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/prometheus/procfs/proc_maps.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/prometheus/procfs/proc_netstat.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/prometheus/procfs/proc_ns.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/prometheus/procfs/proc_psi.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/prometheus/procfs/proc_smaps.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/prometheus/procfs/proc_snmp.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/prometheus/procfs/proc_snmp6.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/prometheus/procfs/proc_stat.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/prometheus/procfs/proc_statm.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/prometheus/procfs/proc_status.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/prometheus/procfs/proc_sys.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/prometheus/procfs/schedstat.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/prometheus/procfs/slab.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/prometheus/procfs/softirqs.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/prometheus/procfs/stat.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/prometheus/procfs/swaps.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/prometheus/procfs/thread.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/prometheus/procfs/vm.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/prometheus/procfs/zoneinfo.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/spf13/pflag/flag.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/net/html/node.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/net/html/nodetype_string.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/net/http2/client_priority_go126.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/net/http2/client_priority_go127.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/net/http2/frame.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/net/http2/http2.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/net/http2/server.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/net/http2/transport.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/net/http2/writesched_priority_rfc7540.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/net/http2/writesched_priority_rfc9218.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/net/internal/httpsfv/httpsfv.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/sys/unix/ioctl_signed.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/sys/unix/ioctl_unsigned.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/sys/unix/syscall_solaris.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/sys/unix/syscall_unix.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/sys/windows/syscall_windows.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/sys/windows/types_windows.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/sys/windows/zsyscall_windows.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/term/terminal.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/text/secure/bidirule/bidirule.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/text/secure/bidirule/bidirule10.0.0.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/text/secure/bidirule/bidirule9.0.0.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/text/unicode/bidi/tables10.0.0.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/text/unicode/bidi/tables11.0.0.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/text/unicode/bidi/tables12.0.0.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/text/unicode/bidi/tables13.0.0.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/text/unicode/bidi/tables15.0.0.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/text/unicode/bidi/tables17.0.0.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/text/unicode/bidi/tables9.0.0.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/text/unicode/norm/forminfo.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/text/unicode/norm/tables10.0.0.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/text/unicode/norm/tables11.0.0.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/text/unicode/norm/tables12.0.0.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/text/unicode/norm/tables15.0.0.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/text/unicode/norm/tables17.0.0.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/text/unicode/norm/tables9.0.0.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/time/rate/rate.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/time/rate/sometimes.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/tools/go/ast/inspector/cursor.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/tools/go/ast/inspector/inspector.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/tools/go/ast/inspector/iter.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/tools/go/packages/packages.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/tools/go/types/objectpath/objectpath.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/tools/go/types/typeutil/callee.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/tools/internal/aliases/aliases.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/tools/internal/aliases/aliases_go122.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/tools/internal/event/core/event.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/tools/internal/event/core/export.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/tools/internal/event/keys/keys.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/tools/internal/event/label/label.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/tools/internal/gcimporter/iexport.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/tools/internal/gcimporter/iimport.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/tools/internal/gcimporter/ureader_yes.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/tools/internal/stdlib/deps.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/tools/internal/stdlib/manifest.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/tools/internal/stdlib/stdlib.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/tools/internal/typeparams/free.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/tools/internal/typesinternal/classify_call.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/tools/internal/typesinternal/types.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/tools/internal/versions/features.go is excluded by !**/vendor/**, !vendor/**
vendor/google.golang.org/protobuf/encoding/protodelim/protodelim.go is excluded by !**/vendor/**, !vendor/**
vendor/google.golang.org/protobuf/encoding/protojson/decode.go is excluded by !**/vendor/**, !vendor/**
vendor/google.golang.org/protobuf/encoding/protojson/well_known_types.go is excluded by !**/vendor/**, !vendor/**
vendor/google.golang.org/protobuf/encoding/prototext/decode.go is excluded by !**/vendor/**, !vendor/**
vendor/google.golang.org/protobuf/internal/descfmt/stringer.go is excluded by !**/vendor/**, !vendor/**
vendor/google.golang.org/protobuf/internal/encoding/tag/tag.go is excluded by !**/vendor/**, !vendor/**
vendor/google.golang.org/protobuf/internal/encoding/text/decode.go is excluded by !**/vendor/**, !vendor/**
vendor/google.golang.org/protobuf/internal/filedesc/desc.go is excluded by !**/vendor/**, !vendor/**
vendor/google.golang.org/protobuf/internal/filedesc/desc_lazy.go is excluded by !**/vendor/**, !vendor/**
vendor/google.golang.org/protobuf/internal/genid/descriptor_gen.go is excluded by !**/vendor/**, !vendor/**
vendor/google.golang.org/protobuf/internal/impl/codec_map.go is excluded by !**/vendor/**, !vendor/**
vendor/google.golang.org/protobuf/internal/impl/decode.go is excluded by !**/vendor/**, !vendor/**
vendor/google.golang.org/protobuf/internal/impl/validate.go is excluded by !**/vendor/**, !vendor/**
vendor/google.golang.org/protobuf/internal/version/version.go is excluded by !**/vendor/**, !vendor/**
vendor/google.golang.org/protobuf/proto/decode.go is excluded by !**/vendor/**, !vendor/**
vendor/google.golang.org/protobuf/types/descriptorpb/descriptor.pb.go is excluded by !**/*.pb.go, !**/vendor/**, !vendor/**
vendor/google.golang.org/protobuf/types/known/timestamppb/timestamp.pb.go is excluded by !**/*.pb.go, !**/vendor/**, !vendor/**
vendor/gopkg.in/yaml.v3/LICENSE is excluded by !**/vendor/**, !vendor/**
vendor/gopkg.in/yaml.v3/NOTICE is excluded by !**/vendor/**, !vendor/**
vendor/gopkg.in/yaml.v3/README.md is excluded by !**/vendor/**, !vendor/**
vendor/gopkg.in/yaml.v3/apic.go is excluded by !**/vendor/**, !vendor/**
vendor/gopkg.in/yaml.v3/decode.go is excluded by !**/vendor/**, !vendor/**
vendor/gopkg.in/yaml.v3/emitterc.go is excluded by !**/vendor/**, !vendor/**
vendor/gopkg.in/yaml.v3/encode.go is excluded by !**/vendor/**, !vendor/**
vendor/gopkg.in/yaml.v3/parserc.go is excluded by !**/vendor/**, !vendor/**
vendor/gopkg.in/yaml.v3/readerc.go is excluded by !**/vendor/**, !vendor/**
vendor/gopkg.in/yaml.v3/resolve.go is excluded by !**/vendor/**, !vendor/**
vendor/gopkg.in/yaml.v3/scannerc.go is excluded by !**/vendor/**, !vendor/**

📒 Files selected for processing (13)

.ci-operator.yaml
.github/workflows/build.yml
.github/workflows/release.yml
.github/workflows/test.yml
Dockerfile.microshift
Dockerfile.openshift
cmd/cert-approver/main.go
go.mod
hack/test-go.sh
images/Dockerfile
images/Dockerfile.debug
images/Dockerfile.thick
pkg/k8sclient/k8sclient.go

✅ Files skipped from review due to trivial changes (5)

images/Dockerfile.debug
.github/workflows/test.yml
.ci-operator.yaml
.github/workflows/release.yml
.github/workflows/build.yml

🚧 Files skipped from review as they are similar to previous changes (6)

images/Dockerfile
Dockerfile.microshift
cmd/cert-approver/main.go
Dockerfile.openshift
pkg/k8sclient/k8sclient.go
go.mod

coderabbitai · 2026-06-11T16:13:16Z

+export KUBE_FEATURE_AtomicFIFO=false
+export KUBE_FEATURE_WatchListClient=false


⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash # Search for documentation or issues related to these feature gate changes echo "=== Searching for AtomicFIFO references ===" rg -i "atomicfifo" --type md --type go -C 2 || echo "No matches found" echo "" echo "=== Searching for WatchListClient references ===" rg -i "watchlistclient" --type md --type go -C 2 || echo "No matches found" echo "" echo "=== Checking for TODO or FIXME comments related to feature gates ===" rg -i "(todo|fixme).*feature.*(gate|flag)" --type sh --type go -C 2 || echo "No matches found"

Repository: openshift/multus-cni

Length of output: 6449

🏁 Script executed:

#!/bin/bash set -euo pipefail echo "=== hack/test-go.sh (top lines) ===" if [ -f hack/test-go.sh ]; then nl -ba hack/test-go.sh | sed -n '1,80p' else echo "Missing file: hack/test-go.sh" fi echo echo "=== Searching for env var names in repo (excluding vendor) ===" rg -n "KUBE_FEATURE_AtomicFIFO" --glob '!vendor/**' || true rg -n "KUBE_FEATURE_WatchListClient" --glob '!vendor/**' || true echo echo "=== Searching for feature gate disable patterns in non-vendor ===" rg -n "KUBE_FEATURE_.*(AtomicFIFO|WatchListClient).*false" --glob '!vendor/**' || true

Repository: openshift/multus-cni

Length of output: 161

🏁 Script executed:

#!/bin/bash set -euo pipefail echo "=== hack/test-go.sh existence + top ===" ls -l hack/test-go.sh || true sed -n '1,120p' hack/test-go.sh 2>/dev/null || true echo echo "=== Searching for env var names in repo (excluding vendor) ===" rg -n "KUBE_FEATURE_AtomicFIFO" --glob '!vendor/**' || true rg -n "KUBE_FEATURE_WatchListClient" --glob '!vendor/**' || true echo echo "=== Searching for disable patterns in non-vendor ===" rg -n "KUBE_FEATURE_.*AtomicFIFO.*false|KUBE_FEATURE_.*WatchListClient.*false" --glob '!vendor/**' || true echo echo "=== Searching for any mention in hack/ scripts ===" rg -n "(AtomicFIFO|WatchListClient).*false|(false).*(AtomicFIFO|WatchListClient)" --glob 'hack/**' || true

Repository: openshift/multus-cni

Length of output: 1539

Document why KUBE_FEATURE_AtomicFIFO and KUBE_FEATURE_WatchListClient are disabled in tests

hack/test-go.sh disables KUBE_FEATURE_AtomicFIFO and KUBE_FEATURE_WatchListClient without any explanation of the rationale, whether it’s temporary, or what’s needed to re-enable them. The repo has no other non-vendor references to these gates, so future maintainers have no context.

📝 Proposed fix to add documentation

#!/usr/bin/env bash +# Disable AtomicFIFO and WatchListClient features during K8s 1.36 transition +# TODO: Re-enable once compatibility issues are resolved (track in issue `#XXX`) export KUBE_FEATURE_AtomicFIFO=false export KUBE_FEATURE_WatchListClient=false set -e

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

export KUBE_FEATURE_AtomicFIFO=false

export KUBE_FEATURE_WatchListClient=false

#!/usr/bin/env bash

# Disable AtomicFIFO and WatchListClient features during K8s 1.36 transition

# TODO: Re-enable once compatibility issues are resolved (track in issue `#XXX`)

export KUBE_FEATURE_AtomicFIFO=false

export KUBE_FEATURE_WatchListClient=false

set -e

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@hack/test-go.sh` around lines 2 - 3, Add an explanatory comment above the KUBE_FEATURE_AtomicFIFO and KUBE_FEATURE_WatchListClient exports in hack/test-go.sh that documents why each feature gate is being disabled for tests, whether the change is temporary or permanent, the observed failure or risk prompting the disable, and clear steps/conditions required to re-enable them (e.g., linked issue/PR, failing test names, version constraints). Reference the exact symbols KUBE_FEATURE_AtomicFIFO and KUBE_FEATURE_WatchListClient in the comment and include a pointer to any tracking issue or test logs so future maintainers can follow up.

go get k8s.io/api@v0.36.2 go get k8s.io/apimachinery@v0.36.2 go get k8s.io/client-go@v0.36.2 go get k8s.io/kubelet@v0.36.2 go get k8s.io/klog go get k8s.io/klog/v2 go get k8s.io/kube-openapi go get k8s.io/utils go get sigs.k8s.io/json go get sigs.k8s.io/randfill go get sigs.k8s.io/structured-merge-diff/v6 go get sigs.k8s.io/yaml go mod tidy Signed-off-by: Daniel Farrell <dfarrell@redhat.com> Assisted-by: Claude Code <noreply@anthropic.com>

./.ci-operator.yaml ./.github/workflows/build.yml ./.github/workflows/release.yml ./.github/workflows/test.yml ./Dockerfile.microshift ./Dockerfile.openshift ./images/Dockerfile ./images/Dockerfile.debug ./images/Dockerfile.thick .ci-operator.yaml Dockerfile.microshift Dockerfile.openshift Signed-off-by: Daniel Farrell <dfarrell@redhat.com> Assisted-by: Claude Code <noreply@anthropic.com>

Fix two go vet errors exposed by k8s 1.36 rebase: - cert-approver: Eventf format string had 2 verbs but 3 args - k8sclient: Eventf used non-constant format string Signed-off-by: Daniel Farrell <dfarrell@redhat.com> Assisted-by: Claude Code <noreply@anthropic.com>

Signed-off-by: Daniel Farrell <dfarrell@redhat.com> Assisted-by: Claude Code <noreply@anthropic.com>

openshift-ci · 2026-06-28T19:16:11Z

@dfarrell07: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/e2e-aws-upgrade	`8f9a283`	link	true	`/test e2e-aws-upgrade`
ci/prow/security	`8f9a283`	link	false	`/test security`

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

openshift-ci Bot added the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Jun 10, 2026

coderabbitai Bot reviewed Jun 10, 2026

View reviewed changes

dfarrell07 force-pushed the bump1.36 branch 2 times, most recently from f80527a to 0b7b9bf Compare June 11, 2026 05:48

coderabbitai Bot reviewed Jun 11, 2026

View reviewed changes

dfarrell07 force-pushed the bump1.36 branch from 0b7b9bf to c739d61 Compare June 11, 2026 16:02

dfarrell07 marked this pull request as ready for review June 11, 2026 16:02

openshift-ci Bot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Jun 11, 2026

openshift-ci Bot requested review from dougbtv and s1061123 June 11, 2026 16:03

coderabbitai Bot reviewed Jun 11, 2026

View reviewed changes

dfarrell07 changed the title ~~Automated rebase to K8s 1.36.0~~ Automated rebase to K8s 1.36.1 Jun 11, 2026

dfarrell07 force-pushed the bump1.36 branch from c739d61 to 76572ef Compare June 16, 2026 23:21

dfarrell07 changed the title ~~Automated rebase to K8s 1.36.1~~ Automated rebase to K8s 1.36.2 Jun 16, 2026

dfarrell07 force-pushed the bump1.36 branch from 76572ef to b88f041 Compare June 26, 2026 02:17

dfarrell07 added 4 commits June 28, 2026 05:40

Disable new default-true feature gates for k8s 1.36

8f9a283

Signed-off-by: Daniel Farrell <dfarrell@redhat.com> Assisted-by: Claude Code <noreply@anthropic.com>

dfarrell07 force-pushed the bump1.36 branch from b88f041 to 8f9a283 Compare June 28, 2026 14:25

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Automated rebase to K8s 1.36.2#305

Automated rebase to K8s 1.36.2#305
dfarrell07 wants to merge 4 commits into
openshift:mainfrom
dfarrell07:bump1.36

dfarrell07 commented Jun 10, 2026 •

edited by coderabbitai Bot

Loading

Uh oh!

openshift-ci Bot commented Jun 10, 2026

Uh oh!

coderabbitai Bot commented Jun 10, 2026 •

edited

Loading

Reviews paused

❌ Failed checks (1 warning)

Uh oh!

openshift-ci Bot commented Jun 10, 2026

Uh oh!

coderabbitai Bot left a comment

Uh oh!

coderabbitai Bot Jun 10, 2026

Uh oh!

coderabbitai Bot left a comment

Uh oh!

coderabbitai Bot Jun 11, 2026

Uh oh!

coderabbitai Bot left a comment

Uh oh!

coderabbitai Bot Jun 11, 2026

Uh oh!

openshift-ci Bot commented Jun 28, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

1 participant

		export KUBE_FEATURE_AtomicFIFO=false
		export KUBE_FEATURE_WatchListClient=false

Uh oh!

Conversation

dfarrell07 commented Jun 10, 2026 • edited by coderabbitai Bot Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Summary by CodeRabbit

Uh oh!

openshift-ci Bot commented Jun 10, 2026

Uh oh!

coderabbitai Bot commented Jun 10, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Reviews paused

Walkthrough

Changes

Estimated code review effort

❌ Failed checks (1 warning)

Uh oh!

openshift-ci Bot commented Jun 10, 2026

Uh oh!

coderabbitai Bot left a comment

Choose a reason for hiding this comment

Uh oh!

coderabbitai Bot Jun 10, 2026

Choose a reason for hiding this comment

Uh oh!

coderabbitai Bot left a comment

Choose a reason for hiding this comment

Uh oh!

coderabbitai Bot Jun 11, 2026

Choose a reason for hiding this comment

Uh oh!

coderabbitai Bot left a comment

Choose a reason for hiding this comment

Uh oh!

coderabbitai Bot Jun 11, 2026

Choose a reason for hiding this comment

Uh oh!

openshift-ci Bot commented Jun 28, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

1 participant

dfarrell07 commented Jun 10, 2026 •

edited by coderabbitai Bot

Loading

coderabbitai Bot commented Jun 10, 2026 •

edited

Loading