Automated rebase to K8s 1.36.2 #305

Open
dfarrell07 wants to merge 4 commits into openshift:main from dfarrell07:bump1.36

dfarrell07 commented Jun 10, 2026

Generated by the new/WIP k8s-rebase Claude skill.

openshift-eng/ai-helpers@main...dfarrell07:ai-helpers:k8s-rebase-skill

Summary by CodeRabbit

  • Chores
    • Upgraded Go toolchain to 1.26 across CI, release builds, and container images; advanced OpenShift-related build root image tags and Docker base images.
    • Refreshed Go module dependencies (including Kubernetes libraries) for updated compatibility.
  • Bug Fixes / Improvements
    • Improved event/warning message formatting for clearer diagnostics when CSRs are denied and when no network is detected.
  • Tests
    • Disabled AtomicFIFO and WatchListClient feature flags during Go test runs to stabilize behavior.

openshift-ci Bot added the do-not-merge/work-in-progress label (Indicates that a PR should not merge because it is a work in progress.) Jun 10, 2026

openshift-ci Bot commented Jun 10, 2026
Contributor

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

coderabbitai Bot commented Jun 10, 2026
Contributor

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

  • @coderabbitai resume to resume automatic reviews.
  • @coderabbitai review to trigger a single review.

Walkthrough

Repository-wide upgrade from Go 1.25 to 1.26: go.mod toolchain and dependencies updated, CI operator and GitHub Actions workflows shifted to 1.26, all container build-stage images bumped, Kubernetes feature gate environment flags added to test script, and import blocks reordered with Eventf message formatting adjusted.

Changes

Go Version 1.25 to 1.26 Upgrade

| Layer / File(s) | Summary |
|---|---|
| Module toolchain and dependency updates (go.mod) | Go directive updated to 1.26.0; direct requires for pflag, golang.org/x modules, and Kubernetes core dependencies (k8s.io/api, k8s.io/apimachinery, k8s.io/client-go, k8s.io/kubelet) bumped to v0.36.2; indirect requires for OpenAPI tooling, Prometheus libraries, and golang.org modules refreshed; josharian/intern, mailru/easyjson, and yaml.v3 removed. |
| CI operator and build workflows (.ci-operator.yaml, .github/workflows/build.yml, .github/workflows/release.yml, .github/workflows/test.yml) | CI operator build_root_image.tag and GitHub Actions workflow go-version matrix entries updated from 1.25.x to 1.26.x; OpenShift version references in operator config bumped from 4.22 to 5.0. |
| Container build images (Dockerfile.microshift, Dockerfile.openshift, images/Dockerfile, images/Dockerfile.debug, images/Dockerfile.thick) | All build-stage base images and OpenShift builder image tags switched from golang 1.25 to 1.26; final-stage base image references bumped from ocp/4.22 to ocp/5.0. |
| Test environment configuration (hack/test-go.sh) | Exports KUBE_FEATURE_AtomicFIFO=false and KUBE_FEATURE_WatchListClient=false before test execution. |
| Code and import adjustments (cmd/cert-approver/main.go, pkg/k8sclient/k8sclient.go) | Kubernetes-related imports reordered in both files; denyCSR event message format string changed from "denied by: %s" to "denied by %s: %s"; NoNetworkFound Eventf call updated to pass errMsg as format argument instead of format string. |

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

🚥 Pre-merge checks | ✅ 14 | ❌ 1

❌ Failed checks (1 warning)

| Check name | Status | Explanation | Resolution |
|---|---|---|---|
| Docstring Coverage | ⚠️ Warning | Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%. | Write docstrings for the functions missing them to satisfy the coverage threshold. |

✅ Passed checks (14 passed)

| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Stable And Deterministic Test Names | ✅ Passed | PR modifies only configuration, Docker, and source files - no test files (*_test.go) were changed, so no test names exist to evaluate for stability. |
| Test Structure And Quality | ✅ Passed | This PR does not modify any Ginkgo test files (*_test.go). Changes include dependency upgrades (go.mod), CI/build configuration, Dockerfiles, and source code refactoring, but no test code. |
| Microshift Test Compatibility | ✅ Passed | No e2e tests added in this PR. All new test files are unit tests with fake/mock Kubernetes clients, not end-to-end tests that run against a real cluster. |
| Single Node Openshift (Sno) Test Compatibility | ✅ Passed | No new Ginkgo e2e tests added; PR is a K8s/Go dependency upgrade with CI/Dockerfile config changes and vet error fixes. |
| Topology-Aware Scheduling Compatibility | ✅ Passed | This PR rebases to K8s 1.36 with only build/CI updates and dependency version bumps. No deployment manifests, operator code, or scheduling constraints were added or modified. Existing daemonsets us... |
| Ote Binary Stdout Contract | ✅ Passed | This PR targets multus-cni, a CNI plugin project that uses standard Go testing, not the OpenShift OTE framework. The OTE Binary Stdout Contract check is not applicable to this project. |
| Ipv6 And Disconnected Network Test Compatibility | ✅ Passed | No new Ginkgo e2e tests are added in this PR. Changes are limited to Go version updates, Dockerfile configurations, CI workflows, and dependency updates. The IPv6/disconnected network compatibility... |
| No-Weak-Crypto | ✅ Passed | No weak cryptography detected. All crypto usage is appropriate (x509 parsing, SHA256 hashing, TLS); no MD5/SHA1/DES/RC4/3DES/Blowfish/ECB found; no custom crypto implementations; proper dependencie... |
| Container-Privileges | ✅ Passed | PR modifies Go version updates and CI configs, not K8s manifests or container security settings. No privileged, hostPID, hostNetwork, hostIPC, SYS_ADMIN, or allowPrivilegeEscalation settings were i... |
| No-Sensitive-Data-In-Logs | ✅ Passed | All logging statements in the PR contain only technical metadata (CSR names, namespaces, network names) and validation errors. No passwords, tokens, API keys, PII, session IDs, or sensitive data ar... |
| Title check | ✅ Passed | The title 'Automated rebase to K8s 1.36.2' clearly summarizes the main change—upgrading Kubernetes dependencies and related tooling—which is the central focus of this pull request across all modified files. |

✏️ Tip: You can configure your own custom pre-merge checks in the settings.

Comment @coderabbitai help to get the list of available commands.

openshift-ci Bot commented Jun 10, 2026
Contributor

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: dfarrell07
Once this PR has been reviewed and has the lgtm label, please assign bpickard22 for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

coderabbitai Bot left a comment

Contributor

Actionable comments posted: 1

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (7)
.github/workflows/release.yml (1)

10-26: ⚠️ Potential issue | 🟠 Major | 🏗️ Heavy lift

Pin GitHub Actions by full commit SHA and minimize GITHUB_TOKEN permissions.

This release workflow uses mutable action tags (@v4, @v5) instead of immutable commit SHAs (lines 11, 16, 21), creating supply chain risk. As per coding guidelines, pin actions by full SHA.

The workflow uses GITHUB_TOKEN (line 26) but does not declare explicit minimal permissions. Release workflows typically require contents: write to publish releases; declare this explicitly to follow least-privilege principles.

🔒 Recommended fixes

Pin actions by SHA

      - name: Checkout
-       uses: actions/checkout@v4
+       uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v4.2.2
        with:
          fetch-depth: 0

      - name: Set up Go
-       uses: actions/setup-go@v5
+       uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32  # v5.0.2

      - name: Run GoReleaser
-       uses: goreleaser/goreleaser-action@v5
+       uses: goreleaser/goreleaser-action@9ed2f89a662bf1735a48bc8557fd212fa902bebf  # v5.1.0
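
Review bot: the three `+` lines pin 40-character hashes whose only link to a release is the trailing comment (`# v4.2.2`, `# v5.0.2`, `# v5.1.0`), and nothing in the hunk shows those hashes were checked against the upstream tags. Before applying, resolve each tag in the action's own repository and confirm it points at the hash given here; a wrong hash under a trusted version comment is harder to spot later than a floating tag. Once pinned, the hashes also need an update mechanism (for example Dependabot's github-actions ecosystem), otherwise the release workflow stays on these commits indefinitely.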

Add minimal permissions

 name: Release binaries
 on:
   push:
     tags:
       - 'v*'
+
+permissions:
+  contents: write
+
 jobs:
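
Review bot: `permissions: contents: write` is added at workflow level, above `jobs:`, so every job in this workflow, present or added later, runs with a write-capable token. Moving the block under the single job that runs GoReleaser and setting the workflow-level default to `contents: read` keeps write access limited to the job that publishes the release.
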
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/release.yml around lines 10 - 26, Replace mutable action
tags with pinned immutable commit SHAs for the three steps named "Checkout",
"Set up Go", and "Run GoReleaser" (i.e., replace uses: actions/checkout@v4,
actions/setup-go@v5, goreleaser/goreleaser-action@v5 with their respective full
commit SHA refs) and add an explicit minimal permissions block for the workflow
granting only what release needs (e.g., permissions: contents: write) so the
GITHUB_TOKEN is least-privileged while still allowing the GoReleaser step to
publish artifacts.

Source: Coding guidelines

.github/workflows/test.yml (1)

11-46: ⚠️ Potential issue | 🟠 Major | 🏗️ Heavy lift

Pin GitHub Actions by full commit SHA and minimize GITHUB_TOKEN permissions.

This test workflow uses mutable action tags across multiple steps (lines 12, 17, 20, 35, 46) instead of immutable commit SHAs. As per coding guidelines, pin actions by full SHA to prevent supply chain attacks.

The workflow does not declare explicit minimal permissions for GITHUB_TOKEN. Test workflows typically need only contents: read (and possibly checks: write for coverage uploads).

🔒 Recommended fixes

Pin actions by SHA (examples for key actions)

    - name: Install Go
-     uses: actions/setup-go@v5
+     uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32  # v5.0.2

    - name: Checkout code
-     uses: actions/checkout@v4
+     uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v4.2.2

    - name: Send coverage
-     uses: shogo82148/actions-goveralls@v1
+     uses: shogo82148/actions-goveralls@6c05178f6b7d2f4bf2433c0132b0c4c6d87ac607  # v1.9.0
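
Review bot: this hunk replaces three references (`setup-go`, `checkout`, `actions-goveralls`), but the finding flags five lines (12, 17, 20, 35, 46) and the accompanying prompt also names `morphy/revive-action:v2`, which is pulled as a `docker://` image and is not changed here. That step needs an image digest (`@sha256:...`) rather than a commit SHA and should be part of the same change; otherwise the workflow still runs a reference that can be re-pointed.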

Add minimal permissions

 on: [push, pull_request]
 name: Test
+
+permissions:
+  contents: read
+
 jobs:
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/test.yml around lines 11 - 46, The workflow uses mutable
action tags (setup-go@v5, actions/checkout@v4, morphy/revive-action:v2,
shogo82148/actions-goveralls@v1) and missing minimal GITHUB_TOKEN permissions;
update each uses: reference to an immutable full commit SHA (or docker image
digest for the docker:// morphy/revive-action) instead of the floating tags in
the steps named "Install Go", "Checkout code", "Run Revive Action by pulling
pre-built image" and the goveralls steps, and add a top-level permissions block
(e.g., contents: read and checks: write only if needed for coverage upload) so
the jobs like Test and finish run with minimal GITHUB_TOKEN scope.

Source: Coding guidelines

images/Dockerfile.debug (1)

11-22: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Add USER directive or use distroless nonroot variant.

The final stage (lines 11-22) does not specify a USER directive, defaulting to root. As per coding guidelines, containers should never run as root.

Consider using gcr.io/distroless/base-debian12:debug-nonroot to combine debugging capabilities with non-root execution, or add an explicit USER directive.

🔒 Recommended fixes

Option 1: Use distroless debug-nonroot variant (preferred)

-FROM gcr.io/distroless/base-debian12:debug
+FROM gcr.io/distroless/base-debian12:debug-nonroot
 LABEL org.opencontainers.image.source https://github.com/k8snetworkplumbingwg/multus-cni
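
Review bot: the replacement `FROM gcr.io/distroless/base-debian12:debug-nonroot` is still a mutable tag. The same review asks for `golang:1.26` in images/Dockerfile.thick to be pinned by `@sha256:` digest for supply-chain reasons; the final-stage base deserves the same treatment, since it is the image that ships.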

Option 2: Add explicit USER directive

 FROM gcr.io/distroless/base-debian12:debug
 LABEL org.opencontainers.image.source https://github.com/k8snetworkplumbingwg/multus-cni
 COPY --from=build /usr/src/multus-cni/bin /usr/src/multus-cni/bin
 COPY --from=build /usr/src/multus-cni/LICENSE /usr/src/multus-cni/LICENSE
 WORKDIR /

 COPY --from=build /usr/src/multus-cni/bin/install_multus /
 COPY --from=build /usr/src/multus-cni/bin/thin_entrypoint /
 COPY --from=build /usr/src/multus-cni/bin/kubeconfig_generator /
 COPY --from=build /usr/src/multus-cni/bin/cert-approver /

+USER 65532:65532
+
 ENTRYPOINT ["/thin_entrypoint"]
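
Review bot: `USER 65532:65532` is inserted after six `COPY --from=build` lines that carry no `--chown`, so everything under /usr/src/multus-cni/bin and the four binaries copied to / stay owned by root. That is enough to execute them, but the hunk gives no evidence that `/thin_entrypoint` only needs read and execute access at runtime; if it writes anywhere, the container fails on start under UID 65532. List the paths the entrypoint writes to and test the image as this user before merging.
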
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@images/Dockerfile.debug` around lines 11 - 22, The final debug image uses
root by default; update the final stage to run non-root by either switching the
base image FROM gcr.io/distroless/base-debian12:debug to
gcr.io/distroless/base-debian12:debug-nonroot (preferred) or adding an explicit
USER directive in the final stage (after the COPY lines and before ENTRYPOINT
["/thin_entrypoint"]) to a non-root uid/gid consistent with your runtime files;
ensure the chosen user has permission to execute /thin_entrypoint and access the
copied binaries (install_multus, thin_entrypoint, kubeconfig_generator,
cert-approver).

Source: Coding guidelines

Dockerfile.openshift (1)

34-54: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Add USER directive to run container as non-root.

The final stage (lines 34-54) does not specify a USER directive, defaulting to root. As per coding guidelines, containers should never run as root. Declare an explicit non-root user.

🔒 Recommended fix
 LABEL io.k8s.display-name="Multus CNI" \
       io.k8s.description="This is a component of OpenShift Container Platform and provides a meta CNI plugin." \
       io.openshift.tags="openshift" \
       maintainer="Doug Smith <dosmith@redhat.com>"

+USER 65532:65532
+
 ENTRYPOINT ["/entrypoint.sh"]
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@Dockerfile.openshift` around lines 34 - 54, The final image runs as root; add
a non-root runtime user and switch to it with a USER directive after the files
are copied and permissions set: create or ensure a dedicated user/group (e.g.,
multus or a numeric UID/GID) and chown/chmod the runtime assets (/entrypoint.sh
and /usr/src/multus-cni/*) so the non-root user can execute the entrypoint and
read/write as needed, then add USER <user> (or USER <uid>:<gid>) just before the
existing ENTRYPOINT ["/entrypoint.sh"] to ensure the container does not run as
root.

Source: Coding guidelines

images/Dockerfile (1)

11-22: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Add USER directive or use distroless nonroot variant.

The final stage (lines 11-22) does not specify a USER directive, defaulting to root. As per coding guidelines, containers should never run as root.

Since you're using distroless, consider switching to the nonroot variant (gcr.io/distroless/base-debian12:nonroot) which pre-configures a non-root user, or explicitly add a USER directive.

🔒 Recommended fixes

Option 1: Use distroless nonroot variant (preferred)

-FROM gcr.io/distroless/base-debian12:latest
+FROM gcr.io/distroless/base-debian12:nonroot
 LABEL org.opencontainers.image.source https://github.com/k8snetworkplumbingwg/multus-cni

Option 2: Add explicit USER directive

 FROM gcr.io/distroless/base-debian12:latest
 LABEL org.opencontainers.image.source https://github.com/k8snetworkplumbingwg/multus-cni
 COPY --from=build /usr/src/multus-cni/bin /usr/src/multus-cni/bin
 COPY --from=build /usr/src/multus-cni/LICENSE /usr/src/multus-cni/LICENSE
 WORKDIR /

 COPY --from=build /usr/src/multus-cni/bin/install_multus /
 COPY --from=build /usr/src/multus-cni/bin/thin_entrypoint /
 COPY --from=build /usr/src/multus-cni/bin/kubeconfig_generator /
 COPY --from=build /usr/src/multus-cni/bin/cert-approver /

+USER 65532:65532
+
 ENTRYPOINT ["/thin_entrypoint"]
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@images/Dockerfile` around lines 11 - 22, The final Dockerfile stage runs as
root because there is no USER set; update the FROM line to the nonroot
distroless image (e.g., change FROM gcr.io/distroless/base-debian12:latest to
the nonroot variant) or add an explicit USER directive after the COPY lines to a
non-root UID/GID, and ensure the installed artifacts copied by COPY (the
/thin_entrypoint and binaries referenced by ENTRYPOINT) have appropriate
ownership and permissions for that non-root user so the container can execute
ENTRYPOINT without root privileges.

Source: Coding guidelines

.github/workflows/build.yml (1)

13-18: ⚠️ Potential issue | 🟠 Major | 🏗️ Heavy lift

Pin GitHub Actions by full commit SHA, not by tag.

Lines 13 and 18 reference actions by mutable tags (@v5, @v4) instead of immutable commit SHAs. Tags can be moved to point at malicious code, creating a supply chain risk. As per coding guidelines, pin actions by full SHA.

Additionally, this workflow does not declare explicit permissions to minimize GITHUB_TOKEN scope. The CI/CD security guidelines require least-privilege token permissions.

🔒 Recommended fixes

Example: Pin actions by SHA

    - name: Install Go
-     uses: actions/setup-go@v5
+     uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32  # v5.0.2
      with:
        go-version: ${{ matrix.go-version }}

    - name: Checkout code
-     uses: actions/checkout@v4
+     uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v4.2.2

Add minimal permissions block

 on: [push, pull_request]
 name: Build
+
+permissions:
+  contents: read
+
 jobs:
   build:
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/build.yml around lines 13 - 18, Replace the mutable action
tags in the workflow (actions/setup-go@v5 and actions/checkout@v4) with their
corresponding immutable full commit SHAs and update any related matrix entries
so the workflow references those SHAs instead of tags; additionally add an
explicit minimal permissions block to the workflow root to restrict GITHUB_TOKEN
(e.g., only grant the precise read/write scopes your jobs need such as contents:
read and any other narrowly required scopes) so the CI follows least-privilege
principles.

Source: Coding guidelines

Dockerfile.microshift (1)

11-24: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Add USER directive to run container as non-root.

The final stage (lines 11-24) does not specify a USER directive, meaning the container runs as root by default. As per coding guidelines, containers should never run as root. Even if OpenShift enforces non-root via SecurityContextConstraints, the Dockerfile should declare the intent explicitly.

🔒 Recommended fix
 FROM registry.ci.openshift.org/ocp/4.22:base-rhel9
 RUN dnf install -y util-linux && dnf clean all && \
     mkdir -p /usr/src/multus-cni/bin
 COPY --from=rhel9 \
   /usr/src/multus-cni/bin/thin_entrypoint \
   /usr/src/multus-cni/bin/multus \
   /usr/src/multus-cni/bin

 LABEL io.k8s.display-name="Multus CNI for MicroShift" \
       io.k8s.description="This is an optional component of MicroShift and provides a meta CNI plugin." \
       io.openshift.tags="microshift" \
       maintainer="Doug Smith <dosmith@redhat.com>"

+USER 65532:65532
+
 ENTRYPOINT ["/usr/src/multus-cni/bin/thin_entrypoint"]
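
Review bot: the context line `FROM registry.ci.openshift.org/ocp/4.22:base-rhel9` shows ocp/4.22, while the walkthrough for this PR lists Dockerfile.microshift among the files whose final-stage base moves from ocp/4.22 to ocp/5.0; check the suggestion against the PR head before applying it. Separately, the prompt under this hunk asks for a user to be created and /usr/src/multus-cni/bin to be chowned (and mentions UID 1001), while the hunk only adds `USER 65532:65532`; pick one UID and make the diff and the instructions agree.
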
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@Dockerfile.microshift` around lines 11 - 24, The final image runs as root;
add a non-root user and switch to it in the final stage: create a user (e.g.,
group/user "multus" or UID 1001) after installing files and chown
/usr/src/multus-cni/bin so thin_entrypoint and multus remain executable, then
add a USER instruction before the existing ENTRYPOINT
["/usr/src/multus-cni/bin/thin_entrypoint"]; ensure permissions allow execution
by that non-root account so ENTRYPOINT and /usr/src/multus-cni/bin/* work
correctly.

Source: Coding guidelines

🧹 Nitpick comments (1)
hack/test-go.sh (1)

2-7: ⚡ Quick win

Consider adding a comment explaining why these feature flags are disabled.

The feature flags are being explicitly disabled for test isolation, but it's not clear from the code why these specific flags were chosen or what issues they prevent. A brief comment would help future maintainers understand the intent.

📝 Suggested documentation
 #!/usr/bin/env bash
+# Disable K8s 1.36 feature flags that may cause test instability or are not
+# relevant to multus-cni's test scenarios. These ensure consistent test behavior
+# across different K8s versions and environments.
 export KUBE_FEATURE_StaleControllerConsistencyJob=false
 export KUBE_FEATURE_StaleControllerConsistencyReplicaSet=false
 export KUBE_FEATURE_StaleControllerConsistencyStatefulSet=false
 export KUBE_FEATURE_StaleControllerConsistencyDaemonSet=false
 export KUBE_FEATURE_AtomicFIFO=false
 export KUBE_FEATURE_WatchListClient=false
 set -e
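
Review bot: the three added comment lines say the flags "may cause test instability or are not relevant", which records no actual reason, and they label all six exports as "K8s 1.36 feature flags" although the walkthrough says this PR introduces only `KUBE_FEATURE_AtomicFIFO` and `KUBE_FEATURE_WatchListClient`. Replace the comment with the concrete failure each group of flags works around (test name or upstream issue) and the condition for removing the override, so the gates are not left disabled after the cause is fixed.
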
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@hack/test-go.sh` around lines 2 - 7, The script sets several KUBE_FEATURE_*
environment flags to false without context; add a brief inline comment above
these exports explaining why each (or the group) is disabled for tests (e.g., to
avoid flaky behavior, isolate controller reconciliation, or disable experimental
features that interfere with deterministic test outcomes). Reference the exact
symbols in the comment (KUBE_FEATURE_StaleControllerConsistencyJob,
KUBE_FEATURE_StaleControllerConsistencyReplicaSet,
KUBE_FEATURE_StaleControllerConsistencyStatefulSet,
KUBE_FEATURE_StaleControllerConsistencyDaemonSet, KUBE_FEATURE_AtomicFIFO,
KUBE_FEATURE_WatchListClient) and state the rationale and any linked issue/PR or
test name that motivated disabling them.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@images/Dockerfile.thick`:
- Line 2: The FROM line "FROM --platform=$BUILDPLATFORM golang:1.26 as build"
uses a floating tag; replace it with the immutable digest form "FROM
--platform=$BUILDPLATFORM golang:1.26@sha256:<digest> as build" (insert the
correct sha256 for the golang:1.26 image) and update the same pattern in the
other Dockerfiles that use "golang:1.26" so all builder images are pinned to
their digests for supply-chain security.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: ba33db6f-4ff7-4ed6-affc-b6ea2ebb7a54

📥 Commits

Reviewing files that changed from the base of the PR and between b4ec7d8 and 888acd0.

⛔ Files ignored due to path filters (287)
  • vendor/github.com/go-openapi/swag/jsonutils/adapters/ifaces/registry_iface.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/go-openapi/swag/jsonutils/adapters/registry.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/go-openapi/swag/jsonutils/adapters/stdlib/json/adapter.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/go-openapi/swag/jsonutils/adapters/stdlib/json/doc.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/go-openapi/swag/jsonutils/adapters/stdlib/json/lexer.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/go-openapi/swag/jsonutils/adapters/stdlib/json/ordered_map.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/go-openapi/swag/jsonutils/adapters/stdlib/json/pool.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/go-openapi/swag/jsonutils/adapters/stdlib/json/register.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/go-openapi/swag/jsonutils/adapters/stdlib/json/writer.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/go-openapi/swag/jsonutils/concat.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/go-openapi/swag/jsonutils/doc.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/go-openapi/swag/jsonutils/json.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/go-openapi/swag/jsonutils/ordered_map.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/go-openapi/swag/jsonutils_iface.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/go-openapi/swag/loading/LICENSE is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/go-openapi/swag/loading/doc.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/go-openapi/swag/loading/errors.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/go-openapi/swag/loading/json.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/go-openapi/swag/loading/loading.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/go-openapi/swag/loading/options.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/go-openapi/swag/loading/yaml.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/go-openapi/swag/loading_iface.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/go-openapi/swag/mangling/BENCHMARK.md is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/go-openapi/swag/mangling/LICENSE is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/go-openapi/swag/mangling/doc.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/go-openapi/swag/mangling/initialism_index.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/go-openapi/swag/mangling/name_lexem.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/go-openapi/swag/mangling/name_mangler.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/go-openapi/swag/mangling/options.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/go-openapi/swag/mangling/pools.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/go-openapi/swag/mangling/split.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/go-openapi/swag/mangling/string_bytes.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/go-openapi/swag/mangling/util.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/go-openapi/swag/mangling_iface.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/go-openapi/swag/name_lexem.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/go-openapi/swag/net.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/go-openapi/swag/netutils/LICENSE is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/go-openapi/swag/netutils/doc.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/go-openapi/swag/netutils/net.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/go-openapi/swag/netutils_iface.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/go-openapi/swag/split.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/go-openapi/swag/stringutils/LICENSE is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/go-openapi/swag/stringutils/collection_formats.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/go-openapi/swag/stringutils/doc.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/go-openapi/swag/stringutils/strings.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/go-openapi/swag/stringutils_iface.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/go-openapi/swag/typeutils/LICENSE is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/go-openapi/swag/typeutils/doc.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/go-openapi/swag/typeutils/types.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/go-openapi/swag/typeutils_iface.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/go-openapi/swag/util.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/go-openapi/swag/yaml.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/go-openapi/swag/yamlutils/LICENSE is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/go-openapi/swag/yamlutils/doc.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/go-openapi/swag/yamlutils/errors.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/go-openapi/swag/yamlutils/ordered_map.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/go-openapi/swag/yamlutils/yaml.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/go-openapi/swag/yamlutils_iface.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/josharian/intern/README.md is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/josharian/intern/intern.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/josharian/intern/license.md is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/mailru/easyjson/LICENSE is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/mailru/easyjson/buffer/pool.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/mailru/easyjson/jlexer/bytestostr.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/mailru/easyjson/jlexer/bytestostr_nounsafe.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/mailru/easyjson/jlexer/error.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/mailru/easyjson/jlexer/lexer.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/mailru/easyjson/jwriter/writer.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/prometheus/common/expfmt/decode.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/prometheus/common/expfmt/expfmt.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/prometheus/common/expfmt/fuzz.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/prometheus/common/expfmt/openmetrics_create.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/prometheus/common/expfmt/text_create.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/prometheus/common/expfmt/text_parse.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/prometheus/procfs/.golangci.yml is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/prometheus/procfs/Makefile is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/prometheus/procfs/Makefile.common is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/prometheus/procfs/arp.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/prometheus/procfs/buddyinfo.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/prometheus/procfs/cmdline.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/prometheus/procfs/cpuinfo.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/prometheus/procfs/cpuinfo_armx.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/prometheus/procfs/cpuinfo_loong64.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/prometheus/procfs/cpuinfo_mipsx.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/prometheus/procfs/cpuinfo_others.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/prometheus/procfs/cpuinfo_ppcx.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/prometheus/procfs/cpuinfo_riscvx.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/prometheus/procfs/cpuinfo_s390x.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/prometheus/procfs/cpuinfo_x86.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/prometheus/procfs/crypto.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/prometheus/procfs/doc.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/prometheus/procfs/fs.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/prometheus/procfs/fs_statfs_notype.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/prometheus/procfs/fs_statfs_type.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/prometheus/procfs/fscache.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/prometheus/procfs/internal/fs/fs.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/prometheus/procfs/internal/util/parse.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/prometheus/procfs/internal/util/readfile.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/prometheus/procfs/internal/util/sysreadfile.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/prometheus/procfs/internal/util/sysreadfile_compat.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/prometheus/procfs/internal/util/valueparser.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/prometheus/procfs/ipvs.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/prometheus/procfs/kernel_hung.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/prometheus/procfs/kernel_random.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/prometheus/procfs/loadavg.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/prometheus/procfs/mdstat.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/prometheus/procfs/meminfo.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/prometheus/procfs/mountinfo.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/prometheus/procfs/mountstats.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/prometheus/procfs/net_conntrackstat.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/prometheus/procfs/net_dev.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/prometheus/procfs/net_dev_snmp6.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/prometheus/procfs/net_ip_socket.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/prometheus/procfs/net_protocols.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/prometheus/procfs/net_route.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/prometheus/procfs/net_sockstat.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/prometheus/procfs/net_softnet.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/prometheus/procfs/net_tcp.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/prometheus/procfs/net_tls_stat.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/prometheus/procfs/net_udp.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/prometheus/procfs/net_unix.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/prometheus/procfs/net_wireless.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/prometheus/procfs/net_xfrm.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/prometheus/procfs/netstat.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/prometheus/procfs/nfnetlink_queue.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/prometheus/procfs/proc.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/prometheus/procfs/proc_cgroup.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/prometheus/procfs/proc_cgroups.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/prometheus/procfs/proc_environ.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/prometheus/procfs/proc_fdinfo.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/prometheus/procfs/proc_interrupts.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/prometheus/procfs/proc_io.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/prometheus/procfs/proc_limits.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/prometheus/procfs/proc_maps.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/prometheus/procfs/proc_netstat.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/prometheus/procfs/proc_ns.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/prometheus/procfs/proc_psi.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/prometheus/procfs/proc_smaps.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/prometheus/procfs/proc_snmp.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/prometheus/procfs/proc_snmp6.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/prometheus/procfs/proc_stat.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/prometheus/procfs/proc_statm.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/prometheus/procfs/proc_status.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/prometheus/procfs/proc_sys.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/prometheus/procfs/schedstat.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/prometheus/procfs/slab.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/prometheus/procfs/softirqs.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/prometheus/procfs/stat.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/prometheus/procfs/swaps.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/prometheus/procfs/thread.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/prometheus/procfs/vm.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/prometheus/procfs/zoneinfo.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/spf13/pflag/flag.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/net/html/node.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/net/html/nodetype_string.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/net/http2/client_priority_go126.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/net/http2/client_priority_go127.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/net/http2/frame.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/net/http2/http2.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/net/http2/server.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/net/http2/transport.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/net/http2/writesched_priority_rfc7540.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/net/http2/writesched_priority_rfc9218.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/net/internal/httpsfv/httpsfv.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/unix/ioctl_signed.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/unix/ioctl_unsigned.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/unix/syscall_solaris.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/unix/syscall_unix.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/windows/syscall_windows.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/windows/types_windows.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/windows/zsyscall_windows.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/term/terminal.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/text/secure/bidirule/bidirule.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/text/secure/bidirule/bidirule10.0.0.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/text/secure/bidirule/bidirule9.0.0.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/text/unicode/bidi/tables10.0.0.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/text/unicode/bidi/tables11.0.0.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/text/unicode/bidi/tables12.0.0.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/text/unicode/bidi/tables13.0.0.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/text/unicode/bidi/tables15.0.0.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/text/unicode/bidi/tables17.0.0.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/text/unicode/bidi/tables9.0.0.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/text/unicode/norm/forminfo.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/text/unicode/norm/tables10.0.0.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/text/unicode/norm/tables11.0.0.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/text/unicode/norm/tables12.0.0.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/text/unicode/norm/tables15.0.0.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/text/unicode/norm/tables17.0.0.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/text/unicode/norm/tables9.0.0.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/time/rate/rate.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/time/rate/sometimes.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/tools/go/ast/inspector/cursor.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/tools/go/ast/inspector/inspector.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/tools/go/ast/inspector/iter.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/tools/go/packages/packages.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/tools/go/types/objectpath/objectpath.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/tools/go/types/typeutil/callee.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/tools/internal/aliases/aliases.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/tools/internal/aliases/aliases_go122.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/tools/internal/event/core/event.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/tools/internal/event/core/export.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/tools/internal/event/keys/keys.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/tools/internal/event/label/label.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/tools/internal/gcimporter/iexport.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/tools/internal/gcimporter/iimport.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/tools/internal/gcimporter/ureader_yes.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/tools/internal/stdlib/deps.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/tools/internal/stdlib/manifest.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/tools/internal/stdlib/stdlib.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/tools/internal/typeparams/free.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/tools/internal/typesinternal/classify_call.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/tools/internal/typesinternal/types.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/tools/internal/versions/features.go is excluded by !**/vendor/**, !vendor/**
  • vendor/google.golang.org/protobuf/encoding/protodelim/protodelim.go is excluded by !**/vendor/**, !vendor/**
  • vendor/google.golang.org/protobuf/encoding/protojson/decode.go is excluded by !**/vendor/**, !vendor/**
  • vendor/google.golang.org/protobuf/encoding/protojson/well_known_types.go is excluded by !**/vendor/**, !vendor/**
  • vendor/google.golang.org/protobuf/encoding/prototext/decode.go is excluded by !**/vendor/**, !vendor/**
  • vendor/google.golang.org/protobuf/internal/descfmt/stringer.go is excluded by !**/vendor/**, !vendor/**
  • vendor/google.golang.org/protobuf/internal/encoding/tag/tag.go is excluded by !**/vendor/**, !vendor/**
  • vendor/google.golang.org/protobuf/internal/encoding/text/decode.go is excluded by !**/vendor/**, !vendor/**
  • vendor/google.golang.org/protobuf/internal/filedesc/desc.go is excluded by !**/vendor/**, !vendor/**
  • vendor/google.golang.org/protobuf/internal/filedesc/desc_lazy.go is excluded by !**/vendor/**, !vendor/**
  • vendor/google.golang.org/protobuf/internal/genid/descriptor_gen.go is excluded by !**/vendor/**, !vendor/**
  • vendor/google.golang.org/protobuf/internal/impl/codec_map.go is excluded by !**/vendor/**, !vendor/**
  • vendor/google.golang.org/protobuf/internal/impl/decode.go is excluded by !**/vendor/**, !vendor/**
  • vendor/google.golang.org/protobuf/internal/impl/validate.go is excluded by !**/vendor/**, !vendor/**
  • vendor/google.golang.org/protobuf/internal/version/version.go is excluded by !**/vendor/**, !vendor/**
  • vendor/google.golang.org/protobuf/proto/decode.go is excluded by !**/vendor/**, !vendor/**
  • vendor/google.golang.org/protobuf/types/descriptorpb/descriptor.pb.go is excluded by !**/*.pb.go, !**/vendor/**, !vendor/**
  • vendor/google.golang.org/protobuf/types/known/timestamppb/timestamp.pb.go is excluded by !**/*.pb.go, !**/vendor/**, !vendor/**
  • vendor/gopkg.in/yaml.v3/LICENSE is excluded by !**/vendor/**, !vendor/**
  • vendor/gopkg.in/yaml.v3/NOTICE is excluded by !**/vendor/**, !vendor/**
  • vendor/gopkg.in/yaml.v3/README.md is excluded by !**/vendor/**, !vendor/**
  • vendor/gopkg.in/yaml.v3/apic.go is excluded by !**/vendor/**, !vendor/**
  • vendor/gopkg.in/yaml.v3/decode.go is excluded by !**/vendor/**, !vendor/**
  • vendor/gopkg.in/yaml.v3/emitterc.go is excluded by !**/vendor/**, !vendor/**
  • vendor/gopkg.in/yaml.v3/encode.go is excluded by !**/vendor/**, !vendor/**
  • vendor/gopkg.in/yaml.v3/parserc.go is excluded by !**/vendor/**, !vendor/**
  • vendor/gopkg.in/yaml.v3/readerc.go is excluded by !**/vendor/**, !vendor/**
  • vendor/gopkg.in/yaml.v3/resolve.go is excluded by !**/vendor/**, !vendor/**
  • vendor/gopkg.in/yaml.v3/scannerc.go is excluded by !**/vendor/**, !vendor/**
📒 Files selected for processing (13)
  • .ci-operator.yaml
  • .github/workflows/build.yml
  • .github/workflows/release.yml
  • .github/workflows/test.yml
  • Dockerfile.microshift
  • Dockerfile.openshift
  • cmd/cert-approver/main.go
  • go.mod
  • hack/test-go.sh
  • images/Dockerfile
  • images/Dockerfile.debug
  • images/Dockerfile.thick
  • pkg/k8sclient/k8sclient.go

Comment thread images/Dockerfile.thick
@@ -1,5 +1,5 @@
# This Dockerfile is used to build the image available on DockerHub
FROM --platform=$BUILDPLATFORM golang:1.25 as build
FROM --platform=$BUILDPLATFORM golang:1.26 as build
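Review bot: the new FROM line keeps the lowercase "as build" next to an uppercase "FROM"; BuildKit's FromAsCasing build check warns on that mismatch, so change it to "AS build" while the line is being touched anyway. The tag "golang:1.26" is also a moving reference that follows patch releases, so two builds of the same commit can use different toolchains unless the image is pinned by digest.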


⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Description: Fetch the SHA256 digest for golang:1.26 to enable digest pinning

# Get the manifest digest for golang:1.26
docker pull golang:1.26 >/dev/null 2>&1
docker inspect golang:1.26 --format='{{index .RepoDigests 0}}'

Repository: openshift/multus-cni

Length of output: 111


🏁 Script executed:

#!/bin/bash
set -euo pipefail

# Show the exact contents around the relevant Dockerfile line(s)
echo "=== images/Dockerfile.thick (first 80 lines) ==="
nl -ba images/Dockerfile.thick | sed -n '1,120p'

# Find all occurrences of golang:1.26 (and similar patterns)
echo
echo "=== Search for golang:1.26 in Dockerfiles ==="
rg -n --hidden -S "golang:1\.26" --glob '**/*Dockerfile*' --glob '**/*Containerfile*' || true

# Check whether any Dockerfiles already pin images by digest
echo
echo "=== Search for @sha256: usage in Dockerfiles ==="
rg -n --hidden -S "@sha256:" --glob '**/*Dockerfile*' --glob '**/*Containerfile*' || true

# Check for HEALTHCHECK and USER directives across Dockerfiles/Containerfiles
echo
echo "=== Search for HEALTHCHECK in Dockerfiles ==="
rg -n --hidden -S "^\s*HEALTHCHECK" --glob '**/*Dockerfile*' --glob '**/*Containerfile*' || true

echo
echo "=== Search for USER in Dockerfiles ==="
rg -n --hidden -S "^\s*USER\s+" --glob '**/*Dockerfile*' --glob '**/*Containerfile*' || true

Repository: openshift/multus-cni

Length of output: 174


🏁 Script executed:

#!/bin/bash
set -euo pipefail

# Basic tool availability
echo "=== command -v outputs ==="
for c in awk cat rg fd find; do
  command -v "$c" >/dev/null 2>&1 && echo "$c: yes" || echo "$c: no"
done

echo
echo "=== images/Dockerfile.thick (first 120 lines, with line numbers via awk) ==="
if [ -f "images/Dockerfile.thick" ]; then
  awk '{printf "%6d\t%s\n", NR, $0}' images/Dockerfile.thick | head -n 120
else
  echo "Missing file: images/Dockerfile.thick"
fi

echo
echo "=== Search for golang:1.26 in Dockerfiles/Containerfiles ==="
rg -n --hidden -S "golang:1\.26" --glob '**/*Dockerfile*' --glob '**/*Containerfile*' || true

echo
echo "=== Search for @sha256: usage in Dockerfiles/Containerfiles ==="
rg -n --hidden -S "@sha256:" --glob '**/*Dockerfile*' --glob '**/*Containerfile*' || true

echo
echo "=== Search for HEALTHCHECK directives ==="
rg -n --hidden -S "^[[:space:]]*HEALTHCHECK" --glob '**/*Dockerfile*' --glob '**/*Containerfile*' || true

echo
echo "=== Search for USER directives ==="
rg -n --hidden -S "^[[:space:]]*USER[[:space:]]+" --glob '**/*Dockerfile*' --glob '**/*Containerfile*' || true

Repository: openshift/multus-cni

Length of output: 1392


Pin the golang builder image by digest for supply chain security.

images/Dockerfile.thick uses a floating non-Red Hat base tag (FROM --platform=$BUILDPLATFORM golang:1.26 as build). Per the container security guidelines, replace it with FROM --platform=$BUILDPLATFORM golang:1.26@sha256:<digest> as build (using the immutable digest for the intended image). The same floating golang:1.26 pattern exists in images/Dockerfile and images/Dockerfile.debug; pin consistently.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@images/Dockerfile.thick` at line 2, The FROM line "FROM
--platform=$BUILDPLATFORM golang:1.26 as build" uses a floating tag; replace it
with the immutable digest form "FROM --platform=$BUILDPLATFORM
golang:1.26@sha256:<digest> as build" (insert the correct sha256 for the
golang:1.26 image) and update the same pattern in the other Dockerfiles that use
"golang:1.26" so all builder images are pinned to their digests for supply-chain
security.

Source: Coding guidelines
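
A local check for the floating-tag finding above, added here as an example (not CodeRabbit's or the repository's code): it lists every FROM line that pulls an external image without a full sha256 digest, and skips earlier build stages and scratch. The function names and sample Dockerfiles are constructed, and the digest in the sample is a placeholder, not a real image digest.

```shell
#!/bin/sh
# Added example: report FROM lines that pull an external image without an
# immutable @sha256 digest. Output format: file:line: image-reference

find_unpinned_from() {
  awk '
    FNR == 1 { split("", stages) }              # stage aliases are per file
    toupper($1) != "FROM" { next }
    {
      img = ""; alias = ""
      for (i = 2; i <= NF; i++) {
        if ($i ~ /^--/) continue                 # flags such as --platform=...
        if (img == "") { img = $i; continue }
        if (toupper($i) == "AS" && i < NF) { alias = $(i + 1); break }
      }
      if (img == "") next
      # A reference to an earlier stage or to scratch pulls nothing.
      external = (img != "scratch" && !(tolower(img) in stages))
      if (alias != "") stages[tolower(alias)] = 1
      if (!external) next
      # Pinned means: ends in @sha256: followed by exactly 64 lowercase hex digits.
      at = index(img, "@sha256:")
      hex = (at > 0) ? substr(img, at + 8) : ""
      if (length(hex) != 64 || hex ~ /[^0-9a-f]/)
        print FILENAME ":" FNR ": " img
    }
  ' "$@"
}

# Constructed sample input (hypothetical files written into the given directory).
write_samples() {
  cat > "$1/Dockerfile.thick" <<'EOF'
# constructed sample: the builder line quoted on the page, then later stages
FROM --platform=$BUILDPLATFORM golang:1.26 as build
FROM build AS test
FROM scratch
EOF
  cat > "$1/Dockerfile.pinned" <<'EOF'
# constructed sample: placeholder digest, then a truncated one
FROM --platform=$BUILDPLATFORM golang:1.26@sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef AS build
FROM golang:1.26@sha256:deadbeef AS short
EOF
}

demo_dir=$(mktemp -d)
write_samples "$demo_dir"
find_unpinned_from "$demo_dir"/Dockerfile.*
rm -rf "$demo_dir"
```

An image reference built from an ARG (for example FROM ${BASE}) is reported as unpinned, because the digest cannot be confirmed from the Dockerfile text alone.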

@dfarrell07 dfarrell07 force-pushed the bump1.36 branch 2 times, most recently from f80527a to 0b7b9bf Compare June 11, 2026 05:48

@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 1

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (2)
Dockerfile.microshift (2)

11-11: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Missing USER directive violates container security guidelines.

The final stage does not specify a USER directive, so the container will run as root. Per coding guidelines, containers must run as non-root.

🔒 Proposed fix to add non-root user
 FROM registry.ci.openshift.org/ocp/4.22:base-rhel9
+RUN useradd -u 1001 -r -g 0 -s /sbin/nologin multus-user
 RUN dnf install -y util-linux && dnf clean all && \
     mkdir -p /usr/src/multus-cni/bin
 COPY --from=rhel9 \
   /usr/src/multus-cni/bin/thin_entrypoint \
   /usr/src/multus-cni/bin/multus \
   /usr/src/multus-cni/bin
+RUN chown -R 1001:0 /usr/src/multus-cni && \
+    chmod -R g=u /usr/src/multus-cni
+USER 1001
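Review bot: the added "RUN chown -R 1001:0 /usr/src/multus-cni && chmod -R g=u /usr/src/multus-cni" runs as its own layer after the COPY, so the copied binaries are stored a second time; "COPY --chown=1001:0 --from=rhel9 ..." sets ownership in the COPY layer itself, leaving at most the directory to adjust. The "useradd" line is also not required for "USER 1001" to take effect, since USER accepts a numeric UID without a passwd entry, so it can be dropped unless something in the image needs the user name.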

As per coding guidelines: "USER non-root; never run as root" from Container security (prodsec-skills) section.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@Dockerfile.microshift` at line 11, The Dockerfile final stage currently
starts from "FROM registry.ci.openshift.org/ocp/4.22:base-rhel9" but lacks a
USER directive and will run as root; add a non-root user and set USER in the
final stage (create a dedicated user/group, ensure any necessary directories are
chowned to that user, and then add a USER <non-root-user> line) so the container
runs non-root per the container security guidelines.

Source: Coding guidelines


24-25: ⚠️ Potential issue | 🟠 Major | 🏗️ Heavy lift

Missing HEALTHCHECK violates container security guidelines.

The Dockerfile does not define a HEALTHCHECK directive. Container orchestrators rely on health checks to detect and recover from unhealthy containers.

Consider adding a HEALTHCHECK that validates the multus CNI plugin's operational state. The specific health check command will depend on how Multus exposes its health status.

As per coding guidelines: "HEALTHCHECK defined" from Container security (prodsec-skills) section.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@Dockerfile.microshift` around lines 24 - 25, Add a HEALTHCHECK instruction to
the Dockerfile to satisfy the "HEALTHCHECK defined" guideline and let
orchestrators detect unhealthy containers; implement a command that probes
Multus's runtime (for example, a small script or command that verifies the
multus CNI process or API is responding) and return appropriate exit codes, and
place the HEALTHCHECK near the existing ENTRYPOINT
["/usr/src/multus-cni/bin/thin_entrypoint"] so it exercises the running
container; ensure the check uses a short interval/retries and a sensible timeout
to avoid false positives.

Source: Coding guidelines

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@Dockerfile.microshift`:
- Line 2: The Dockerfile.microshift uses CI registry base images
("registry.ci.openshift.org/ocp/builder:rhel-9-golang-1.26-openshift-5.0" and
"registry.ci.openshift.org/ocp/4.22:base-rhel9"); replace both FROM lines to use
the approved Red Hat catalog images (e.g., catalog.redhat.com UBI minimal or an
appropriate distroless image) so they comply with container security guidelines,
updating tags to the matching RHEL/Go versions and verifying the resulting image
works with the existing build steps in Dockerfile.microshift.

---

Outside diff comments:
In `@Dockerfile.microshift`:
- Line 11: The Dockerfile final stage currently starts from "FROM
registry.ci.openshift.org/ocp/4.22:base-rhel9" but lacks a USER directive and
will run as root; add a non-root user and set USER in the final stage (create a
dedicated user/group, ensure any necessary directories are chowned to that user,
and then add a USER <non-root-user> line) so the container runs non-root per the
container security guidelines.
- Around line 24-25: Add a HEALTHCHECK instruction to the Dockerfile to satisfy
the "HEALTHCHECK defined" guideline and let orchestrators detect unhealthy
containers; implement a command that probes Multus's runtime (for example, a
small script or command that verifies the multus CNI process or API is
responding) and return appropriate exit codes, and place the HEALTHCHECK near
the existing ENTRYPOINT ["/usr/src/multus-cni/bin/thin_entrypoint"] so it
exercises the running container; ensure the check uses a short interval/retries
and a sensible timeout to avoid false positives.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: ec8f6478-0f52-40ca-83e2-06be4c828feb

📥 Commits

Reviewing files that changed from the base of the PR and between f80527a and 0b7b9bf.

⛔ Files ignored due to path filters (287)
📒 Files selected for processing (13)
  • .ci-operator.yaml
  • .github/workflows/build.yml
  • .github/workflows/release.yml
  • .github/workflows/test.yml
  • Dockerfile.microshift
  • Dockerfile.openshift
  • cmd/cert-approver/main.go
  • go.mod
  • hack/test-go.sh
  • images/Dockerfile
  • images/Dockerfile.debug
  • images/Dockerfile.thick
  • pkg/k8sclient/k8sclient.go
✅ Files skipped from review due to trivial changes (3)
  • .github/workflows/test.yml
  • images/Dockerfile.thick
  • .ci-operator.yaml
🚧 Files skipped from review as they are similar to previous changes (9)
  • .github/workflows/release.yml
  • images/Dockerfile
  • images/Dockerfile.debug
  • Dockerfile.openshift
  • .github/workflows/build.yml
  • cmd/cert-approver/main.go
  • hack/test-go.sh
  • go.mod
  • pkg/k8sclient/k8sclient.go

Comment thread Dockerfile.microshift
@@ -1,5 +1,5 @@
# This dockerfile is specific to building Multus for MicroShift
FROM registry.ci.openshift.org/ocp/builder:rhel-9-golang-1.25-openshift-4.22 AS rhel9
FROM registry.ci.openshift.org/ocp/builder:rhel-9-golang-1.26-openshift-5.0 AS rhel9
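Review bot: pin the new builder image on the FROM line by digest, or record why a floating tag is acceptable. rhel-9-golang-1.26-openshift-5.0 moves both the Go toolchain (1.25 to 1.26) and the OpenShift stream (4.22 to 5.0) in one step, and a mutable tag lets later rebuilds pick up a different toolchain without any diff. The hunk covers only the builder stage, so also check that the runtime stage's base is bumped in the same commit, or that the commit message says why the two streams differ.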

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Description: Search for other Dockerfiles to check if registry.ci.openshift.org is a standard pattern in this repository

# Check all Dockerfiles for base image registries
echo "=== Checking base image registries in all Dockerfiles ==="
rg -n "^FROM " -g "Dockerfile*" -C 1

Repository: openshift/multus-cni

Length of output: 2548


🏁 Script executed:

#!/bin/bash
set -euo pipefail
# Show FROM lines with context for Dockerfile.microshift
echo "=== Dockerfile.microshift FROM lines ==="
nl -ba Dockerfile.microshift | sed -n '1,160p' | rg -n "^( *[0-9]+\\s+)FROM|^( *[0-9]+\\s+)ARG|^( *[0-9]+\\s+)HEALTHCHECK|^( *[0-9]+\\s+)USER" || true

echo
echo "=== All Dockerfile.* FROM lines (repo-local) ==="
for f in $(fd -t f 'Dockerfile*' .); do
  if rg -q '^FROM ' "$f"; then
    echo "--- $f ---"
    nl -ba "$f" | rg 'FROM ' | head -n 5
  fi
done | head -n 200

Repository: openshift/multus-cni

Length of output: 288


🏁 Script executed:

#!/bin/bash
set -euo pipefail
# Show FROM lines with context for Dockerfile.microshift
echo "=== Dockerfile.microshift FROM lines ==="
nl -ba Dockerfile.microshift | sed -n '1,160p' | rg -n "^( *[0-9]+\\s+)FROM|^( *[0-9]+\\s+)ARG|^( *[0-9]+\\s+)HEALTHCHECK|^( *[0-9]+\\s+)USER" || true

echo
echo "=== All Dockerfile* FROM lines (first few matches) ==="
fd -t f 'Dockerfile*' . | while read -r f; do
  if rg -q '^FROM ' "$f"; then
    echo "--- $f ---"
    nl -ba "$f" | rg 'FROM ' | head -n 8
  fi
done | head -n 250

Repository: openshift/multus-cni

Length of output: 294


🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "=== Dockerfile.microshift (lines 1-80) ==="
cat -n Dockerfile.microshift | sed -n '1,80p' | sed -n '/^\\s*[0-9]\\+\\s\\+FROM/p' || true
echo
echo "=== Dockerfile.microshift: all FROM lines (with numbers) ==="
cat -n Dockerfile.microshift | rg '^[[:space:]]*[0-9]+[[:space:]]+FROM ' || true

echo
echo "=== Base image registries across Dockerfile* (FROM lines only, first 20 matches each) ==="
fd -t f 'Dockerfile*' . | while read -r f; do
  if rg -q '^FROM ' "$f"; then
    echo "--- $f ---"
    rg '^FROM ' "$f" | head -n 20
  fi
done | head -n 250

Repository: openshift/multus-cni

Length of output: 1279


🌐 Web query:

prodsec-skills base image catalog.redhat.com registry.ci.openshift.org exempt OpenShift CI

💡 Result:

The terms in your query relate to distinct components of the Red Hat and OpenShift ecosystems. There is no singular documented "prodsec-skills base image catalog" that ties all these components together. Instead, they function as follows:

  1. prodsec-skills: This refers to a repository by Red Hat Product Security designed for AI coding assistants and agentic systems, focusing on security skills for AI [1]. It is not a base image registry.
  2. catalog.redhat.com: This is the official Red Hat Ecosystem Catalog, which serves as the authoritative source for certified container images, operators, and other software [https://catalog.redhat.com].
  3. registry.ci.openshift.org: This is a CI-specific internal image registry used by the OpenShift CI system (often referred to as 'app.ci'). It hosts images required for CI build and test processes, including "builder" images used for compiling components [2][3]. Images here are typically mirrored from authorized sources and are not intended for general production use by external consumers [3].
  4. Exemption in OpenShift CI: OpenShift CI utilizes configuration files (e.g., in the openshift/release repository) to manage image mirroring and CI operations [4][3]. There is no standard "exemption" mechanism for bypassing security policies in the CI registry itself in the way one might exempt a workload from a runtime policy (like UDS/Kyverno) [5]. If an image is needed in CI that is not currently present, the standard process is to mirror it to the central CI registry (QCI) by submitting a configuration change to the openshift/release repository [4][3].

If you are attempting to secure a build process or integrate AI agent skills, the recommended approach is to use certified base images from catalog.redhat.com and follow the official OpenShift CI documentation for image management, rather than seeking a cross-platform exemption [2][4].

Citations:


Fix base image registry compliance in Dockerfile.microshift.

Container security guidelines require base images to come from catalog.redhat.com (UBI minimal or distroless). Dockerfile.microshift instead uses registry.ci.openshift.org/ocp/builder:rhel-9-golang-1.26-openshift-5.0 (line 2) and registry.ci.openshift.org/ocp/4.22:base-rhel9 (line 11). There’s no documented exemption for using the OpenShift CI registry for this requirement.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@Dockerfile.microshift` at line 2, The Dockerfile.microshift uses CI registry
base images
("registry.ci.openshift.org/ocp/builder:rhel-9-golang-1.26-openshift-5.0" and
"registry.ci.openshift.org/ocp/4.22:base-rhel9"); replace both FROM lines to use
the approved Red Hat catalog images (e.g., catalog.redhat.com UBI minimal or an
appropriate distroless image) so they comply with container security guidelines,
updating tags to the matching RHEL/Go versions and verifying the resulting image
works with the existing build steps in Dockerfile.microshift.

Source: Coding guidelines
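
The registry check discussed in the comment above, as an added example that is not part of the PR or of CodeRabbit's output: a stage-aware audit that reports FROM images outside an allow-listed prefix and goes beyond that to flag ADD use and a final stage with no non-root USER or no HEALTHCHECK. The function names, finding labels, both sample Dockerfiles and the registry.access.redhat.com/ allow-list prefix are assumptions made for the example.

```bash
#!/usr/bin/env bash
# Added example, not code from the PR. Stage-aware Dockerfile audit.
# Usage: audit_dockerfile <Dockerfile> <allowed-image-prefix>...
# Prints one finding per line; returns 0 when clean, 1 when anything is found.
audit_dockerfile() {
  local file=$1
  shift
  awk -v allowed="$*" '
    BEGIN { n = split(allowed, prefix, " "); stage = 0; cont = 0 }
    /^[ \t]*(#|$)/ { next }                       # comments and blank lines
    cont { cont = ($0 ~ /\\[ \t]*$/); next }      # continuation of a previous instruction
    { cont = ($0 ~ /\\[ \t]*$/); instr = toupper($1) }
    instr == "FROM" {
      stage++
      i = 2
      while (i <= NF && $i ~ /^--/) i++           # skip flags such as --platform=
      image = $i
      alias = (toupper($(i + 1)) == "AS") ? $(i + 2) : ""
      user[stage] = ""; health[stage] = 0
      # An image is accepted if it is scratch, an earlier stage, or allow-listed.
      ok = (image == "scratch") || (image in stages)
      for (p = 1; p <= n && !ok; p++)
        if (index(image, prefix[p]) == 1) ok = 1
      if (!ok) printf "BASE_IMAGE line=%d stage=%d image=%s\n", NR, stage, image
      if (alias != "") stages[alias] = 1
      next
    }
    instr == "USER"        { user[stage] = $2 }
    instr == "HEALTHCHECK" { health[stage] = (toupper($2) != "NONE") }
    instr == "ADD"         { printf "ADD_USED line=%d stage=%d\n", NR, stage }
    END {
      if (stage == 0) { print "NO_FROM"; exit }
      # Only the final stage ships, so USER and HEALTHCHECK are judged there.
      u = user[stage]; sub(/:.*/, "", u)
      if (u == "" || u == "root" || u == "0") printf "ROOT_USER stage=%d\n", stage
      if (!health[stage]) printf "NO_HEALTHCHECK stage=%d\n", stage
    }
  ' "$file" | { ! grep . ; }
}

# Writes two constructed Dockerfiles into directory $1.
write_samples() {
  cat > "$1/Dockerfile.before" <<'EOF'
# Constructed sample: the two FROM references are the ones quoted in the review.
FROM registry.ci.openshift.org/ocp/builder:rhel-9-golang-1.26-openshift-5.0 AS rhel9
ADD . /src
RUN cd /src && go build -o /out/app ./cmd/app
FROM registry.ci.openshift.org/ocp/4.22:base-rhel9
COPY --from=rhel9 /out/app /app
ENTRYPOINT ["/app"]
EOF
  cat > "$1/Dockerfile.after" <<'EOF'
# Constructed variant: image names, tags, UID and health flag are assumptions.
FROM registry.access.redhat.com/ubi9/go-toolset:latest AS build
COPY cmd/ /src/cmd/
RUN cd /src && go build -o /out/app ./cmd/app
FROM registry.access.redhat.com/ubi9/ubi-minimal:latest
COPY --from=build /out/app /app
USER 1001
HEALTHCHECK --interval=30s CMD ["/app", "--healthz"]
ENTRYPOINT ["/app"]
EOF
}

# Demo run: audit both samples against the assumed allow-list prefix.
demo_dir=$(mktemp -d)
write_samples "$demo_dir"
echo "== Dockerfile.before =="
audit_dockerfile "$demo_dir/Dockerfile.before" registry.access.redhat.com/ || true
echo "== Dockerfile.after =="
audit_dockerfile "$demo_dir/Dockerfile.after" registry.access.redhat.com/ && echo "clean"
rm -rf "$demo_dir"
```

Passing registry.ci.openshift.org/ as an additional prefix models an exemption for CI builder images: the BASE_IMAGE findings disappear while the ADD, USER and HEALTHCHECK findings remain.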

@dfarrell07 dfarrell07 marked this pull request as ready for review June 11, 2026 16:02
@openshift-ci openshift-ci Bot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Jun 11, 2026
@openshift-ci openshift-ci Bot requested review from dougbtv and s1061123 June 11, 2026 16:03

@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 1

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
images/Dockerfile.thick (1)

11-18: ⚠️ Potential issue | 🟠 Major | 🏗️ Heavy lift

Add USER directive and HEALTHCHECK per security guidelines.

The final image stage is missing:

  1. A USER directive to run as non-root (guideline requires never running as root)
  2. A HEALTHCHECK directive to enable container health monitoring

Per container security guidelines, both are required.

🔒 Proposed fix to add USER and HEALTHCHECK
 FROM debian:stable-slim
 LABEL org.opencontainers.image.source=https://github.com/k8snetworkplumbingwg/multus-cni
+RUN useradd -u 1000 -m multus
 COPY --from=build /usr/src/multus-cni/bin /usr/src/multus-cni/bin
 COPY --from=build /usr/src/multus-cni/LICENSE /usr/src/multus-cni/LICENSE
 COPY --from=build /usr/src/multus-cni/bin/cert-approver /
+USER multus
 WORKDIR /
-
+HEALTHCHECK --interval=30s --timeout=3s --start-period=5s --retries=3 \
+  CMD ["/usr/src/multus-cni/bin/multus-daemon", "--health-check"] || exit 1
 ENTRYPOINT [ "/usr/src/multus-cni/bin/multus-daemon" ]
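Review bot: the HEALTHCHECK added above ENTRYPOINT mixes exec form with a shell operator. CMD ["/usr/src/multus-cni/bin/multus-daemon", "--health-check"] || exit 1 is not a valid JSON array once || exit 1 is appended, so it is not parsed as exec form and the probe will not invoke the binary as written. Use the JSON array on its own, or the shell form CMD /usr/src/multus-cni/bin/multus-daemon --health-check || exit 1. Separately, USER multus follows COPY lines that set no ownership, and nothing in the hunk shows that multus-daemon can do its work as UID 1000; confirm that before adopting the USER line.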

Note: Verify that multus-daemon supports a --health-check flag or adjust the HEALTHCHECK command accordingly.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@images/Dockerfile.thick` around lines 11 - 18, Add a non-root user and a
HEALTHCHECK to the final image: create a dedicated user/group (e.g., multus) and
ensure ownership of the runtime binary(s) under /usr/src/multus-cni/bin
(referencing the multus-daemon binary copied in the final stage), then add a
USER directive to run the container as that non-root user; add a HEALTHCHECK
that invokes an appropriate check against the multus-daemon binary (e.g., run
the binary with its health flag or probe an HTTP/UNIX endpoint if supported) and
ensure the command and interval/retries are reasonable—adjust the HEALTHCHECK
command if multus-daemon uses a different flag or endpoint.

Source: Coding guidelines

🧹 Nitpick comments (1)
images/Dockerfile.thick (1)

5-5: ⚖️ Poor tradeoff

Use COPY with specific files instead of ADD with entire context.

Line 5 copies the entire build context (ADD . /usr/src/multus-cni). Per container security guidelines, COPY specific files rather than the entire context to minimize the attack surface and reduce image size.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@images/Dockerfile.thick` at line 5, The Dockerfile currently uses "ADD .
/usr/src/multus-cni" which copies the entire build context; replace this with
explicit COPY instructions that only copy the required files and directories
(e.g., COPY Dockerfile, COPY go.mod go.sum, COPY cmd/ pkg/ scripts/ etc.) and
ensure a .dockerignore is present to exclude unnecessary files; specifically
remove or replace the "ADD . /usr/src/multus-cni" line with targeted COPY
entries and update .dockerignore to omit secrets, docs, tests, and local config
to minimize image size and attack surface.

Source: Coding guidelines

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@hack/test-go.sh`:
- Around line 2-3: Add an explanatory comment above the KUBE_FEATURE_AtomicFIFO
and KUBE_FEATURE_WatchListClient exports in hack/test-go.sh that documents why
each feature gate is being disabled for tests, whether the change is temporary
or permanent, the observed failure or risk prompting the disable, and clear
steps/conditions required to re-enable them (e.g., linked issue/PR, failing test
names, version constraints). Reference the exact symbols KUBE_FEATURE_AtomicFIFO
and KUBE_FEATURE_WatchListClient in the comment and include a pointer to any
tracking issue or test logs so future maintainers can follow up.

---

Outside diff comments:
In `@images/Dockerfile.thick`:
- Around line 11-18: Add a non-root user and a HEALTHCHECK to the final image:
create a dedicated user/group (e.g., multus) and ensure ownership of the runtime
binary(s) under /usr/src/multus-cni/bin (referencing the multus-daemon binary
copied in the final stage), then add a USER directive to run the container as
that non-root user; add a HEALTHCHECK that invokes an appropriate check against
the multus-daemon binary (e.g., run the binary with its health flag or probe an
HTTP/UNIX endpoint if supported) and ensure the command and interval/retries are
reasonable—adjust the HEALTHCHECK command if multus-daemon uses a different flag
or endpoint.

---

Nitpick comments:
In `@images/Dockerfile.thick`:
- Line 5: The Dockerfile currently uses "ADD . /usr/src/multus-cni" which copies
the entire build context; replace this with explicit COPY instructions that only
copy the required files and directories (e.g., COPY Dockerfile, COPY go.mod
go.sum, COPY cmd/ pkg/ scripts/ etc.) and ensure a .dockerignore is present to
exclude unnecessary files; specifically remove or replace the "ADD .
/usr/src/multus-cni" line with targeted COPY entries and update .dockerignore to
omit secrets, docs, tests, and local config to minimize image size and attack
surface.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 9fd12e8a-e163-4087-b53c-1391a26f0b0b

📥 Commits

Reviewing files that changed from the base of the PR and between 0b7b9bf and c739d61.

⛔ Files ignored due to path filters (287)
  • vendor/golang.org/x/text/secure/bidirule/bidirule9.0.0.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/text/unicode/bidi/tables10.0.0.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/text/unicode/bidi/tables11.0.0.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/text/unicode/bidi/tables12.0.0.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/text/unicode/bidi/tables13.0.0.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/text/unicode/bidi/tables15.0.0.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/text/unicode/bidi/tables17.0.0.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/text/unicode/bidi/tables9.0.0.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/text/unicode/norm/forminfo.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/text/unicode/norm/tables10.0.0.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/text/unicode/norm/tables11.0.0.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/text/unicode/norm/tables12.0.0.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/text/unicode/norm/tables15.0.0.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/text/unicode/norm/tables17.0.0.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/text/unicode/norm/tables9.0.0.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/time/rate/rate.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/time/rate/sometimes.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/tools/go/ast/inspector/cursor.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/tools/go/ast/inspector/inspector.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/tools/go/ast/inspector/iter.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/tools/go/packages/packages.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/tools/go/types/objectpath/objectpath.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/tools/go/types/typeutil/callee.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/tools/internal/aliases/aliases.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/tools/internal/aliases/aliases_go122.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/tools/internal/event/core/event.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/tools/internal/event/core/export.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/tools/internal/event/keys/keys.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/tools/internal/event/label/label.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/tools/internal/gcimporter/iexport.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/tools/internal/gcimporter/iimport.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/tools/internal/gcimporter/ureader_yes.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/tools/internal/stdlib/deps.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/tools/internal/stdlib/manifest.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/tools/internal/stdlib/stdlib.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/tools/internal/typeparams/free.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/tools/internal/typesinternal/classify_call.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/tools/internal/typesinternal/types.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/tools/internal/versions/features.go is excluded by !**/vendor/**, !vendor/**
  • vendor/google.golang.org/protobuf/encoding/protodelim/protodelim.go is excluded by !**/vendor/**, !vendor/**
  • vendor/google.golang.org/protobuf/encoding/protojson/decode.go is excluded by !**/vendor/**, !vendor/**
  • vendor/google.golang.org/protobuf/encoding/protojson/well_known_types.go is excluded by !**/vendor/**, !vendor/**
  • vendor/google.golang.org/protobuf/encoding/prototext/decode.go is excluded by !**/vendor/**, !vendor/**
  • vendor/google.golang.org/protobuf/internal/descfmt/stringer.go is excluded by !**/vendor/**, !vendor/**
  • vendor/google.golang.org/protobuf/internal/encoding/tag/tag.go is excluded by !**/vendor/**, !vendor/**
  • vendor/google.golang.org/protobuf/internal/encoding/text/decode.go is excluded by !**/vendor/**, !vendor/**
  • vendor/google.golang.org/protobuf/internal/filedesc/desc.go is excluded by !**/vendor/**, !vendor/**
  • vendor/google.golang.org/protobuf/internal/filedesc/desc_lazy.go is excluded by !**/vendor/**, !vendor/**
  • vendor/google.golang.org/protobuf/internal/genid/descriptor_gen.go is excluded by !**/vendor/**, !vendor/**
  • vendor/google.golang.org/protobuf/internal/impl/codec_map.go is excluded by !**/vendor/**, !vendor/**
  • vendor/google.golang.org/protobuf/internal/impl/decode.go is excluded by !**/vendor/**, !vendor/**
  • vendor/google.golang.org/protobuf/internal/impl/validate.go is excluded by !**/vendor/**, !vendor/**
  • vendor/google.golang.org/protobuf/internal/version/version.go is excluded by !**/vendor/**, !vendor/**
  • vendor/google.golang.org/protobuf/proto/decode.go is excluded by !**/vendor/**, !vendor/**
  • vendor/google.golang.org/protobuf/types/descriptorpb/descriptor.pb.go is excluded by !**/*.pb.go, !**/vendor/**, !vendor/**
  • vendor/google.golang.org/protobuf/types/known/timestamppb/timestamp.pb.go is excluded by !**/*.pb.go, !**/vendor/**, !vendor/**
  • vendor/gopkg.in/yaml.v3/LICENSE is excluded by !**/vendor/**, !vendor/**
  • vendor/gopkg.in/yaml.v3/NOTICE is excluded by !**/vendor/**, !vendor/**
  • vendor/gopkg.in/yaml.v3/README.md is excluded by !**/vendor/**, !vendor/**
  • vendor/gopkg.in/yaml.v3/apic.go is excluded by !**/vendor/**, !vendor/**
  • vendor/gopkg.in/yaml.v3/decode.go is excluded by !**/vendor/**, !vendor/**
  • vendor/gopkg.in/yaml.v3/emitterc.go is excluded by !**/vendor/**, !vendor/**
  • vendor/gopkg.in/yaml.v3/encode.go is excluded by !**/vendor/**, !vendor/**
  • vendor/gopkg.in/yaml.v3/parserc.go is excluded by !**/vendor/**, !vendor/**
  • vendor/gopkg.in/yaml.v3/readerc.go is excluded by !**/vendor/**, !vendor/**
  • vendor/gopkg.in/yaml.v3/resolve.go is excluded by !**/vendor/**, !vendor/**
  • vendor/gopkg.in/yaml.v3/scannerc.go is excluded by !**/vendor/**, !vendor/**
📒 Files selected for processing (13)
  • .ci-operator.yaml
  • .github/workflows/build.yml
  • .github/workflows/release.yml
  • .github/workflows/test.yml
  • Dockerfile.microshift
  • Dockerfile.openshift
  • cmd/cert-approver/main.go
  • go.mod
  • hack/test-go.sh
  • images/Dockerfile
  • images/Dockerfile.debug
  • images/Dockerfile.thick
  • pkg/k8sclient/k8sclient.go
✅ Files skipped from review due to trivial changes (5)
  • images/Dockerfile.debug
  • .github/workflows/test.yml
  • .ci-operator.yaml
  • .github/workflows/release.yml
  • .github/workflows/build.yml
🚧 Files skipped from review as they are similar to previous changes (6)
  • images/Dockerfile
  • Dockerfile.microshift
  • cmd/cert-approver/main.go
  • Dockerfile.openshift
  • pkg/k8sclient/k8sclient.go
  • go.mod

Comment thread hack/test-go.sh
Comment on lines +2 to +3
export KUBE_FEATURE_AtomicFIFO=false
export KUBE_FEATURE_WatchListClient=false
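Review bot: the two exports on lines 2-3 of hack/test-go.sh turn AtomicFIFO and WatchListClient off for every package in the test run, and nothing says which tests fail with them on. The suite therefore runs with a gate configuration that differs from the client-go defaults, and nobody reading the script can tell. Add a comment naming the failing tests or a tracking issue, and if only some packages need the override, set the variables for those `go test` invocations rather than exporting them at the top of the script.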

⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Search for documentation or issues related to these feature gate changes

echo "=== Searching for AtomicFIFO references ==="
rg -i "atomicfifo" --type md --type go -C 2 || echo "No matches found"

echo ""
echo "=== Searching for WatchListClient references ==="
rg -i "watchlistclient" --type md --type go -C 2 || echo "No matches found"

echo ""
echo "=== Checking for TODO or FIXME comments related to feature gates ==="
rg -i "(todo|fixme).*feature.*(gate|flag)" --type sh --type go -C 2 || echo "No matches found"

Repository: openshift/multus-cni

Length of output: 6449


🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "=== hack/test-go.sh (top lines) ==="
if [ -f hack/test-go.sh ]; then
  nl -ba hack/test-go.sh | sed -n '1,80p'
else
  echo "Missing file: hack/test-go.sh"
fi

echo
echo "=== Searching for env var names in repo (excluding vendor) ==="
rg -n "KUBE_FEATURE_AtomicFIFO" --glob '!vendor/**' || true
rg -n "KUBE_FEATURE_WatchListClient" --glob '!vendor/**' || true

echo
echo "=== Searching for feature gate disable patterns in non-vendor ==="
rg -n "KUBE_FEATURE_.*(AtomicFIFO|WatchListClient).*false" --glob '!vendor/**' || true

Repository: openshift/multus-cni

Length of output: 161


🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "=== hack/test-go.sh existence + top ==="
ls -l hack/test-go.sh || true
sed -n '1,120p' hack/test-go.sh 2>/dev/null || true

echo
echo "=== Searching for env var names in repo (excluding vendor) ==="
rg -n "KUBE_FEATURE_AtomicFIFO" --glob '!vendor/**' || true
rg -n "KUBE_FEATURE_WatchListClient" --glob '!vendor/**' || true

echo
echo "=== Searching for disable patterns in non-vendor ==="
rg -n "KUBE_FEATURE_.*AtomicFIFO.*false|KUBE_FEATURE_.*WatchListClient.*false" --glob '!vendor/**' || true

echo
echo "=== Searching for any mention in hack/ scripts ==="
rg -n "(AtomicFIFO|WatchListClient).*false|(false).*(AtomicFIFO|WatchListClient)" --glob 'hack/**' || true

Repository: openshift/multus-cni

Length of output: 1539


Document why KUBE_FEATURE_AtomicFIFO and KUBE_FEATURE_WatchListClient are disabled in tests

hack/test-go.sh disables KUBE_FEATURE_AtomicFIFO and KUBE_FEATURE_WatchListClient without any explanation of the rationale, whether it’s temporary, or what’s needed to re-enable them. The repo has no other non-vendor references to these gates, so future maintainers have no context.

📝 Proposed fix to add documentation
 #!/usr/bin/env bash
+# Disable AtomicFIFO and WatchListClient features during K8s 1.36 transition
+# TODO: Re-enable once compatibility issues are resolved (track in issue `#XXX`)
 export KUBE_FEATURE_AtomicFIFO=false
 export KUBE_FEATURE_WatchListClient=false
 set -e
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@hack/test-go.sh` around lines 2 - 3, Add an explanatory comment above the
KUBE_FEATURE_AtomicFIFO and KUBE_FEATURE_WatchListClient exports in
hack/test-go.sh that documents why each feature gate is being disabled for
tests, whether the change is temporary or permanent, the observed failure or
risk prompting the disable, and clear steps/conditions required to re-enable
them (e.g., linked issue/PR, failing test names, version constraints). Reference
the exact symbols KUBE_FEATURE_AtomicFIFO and KUBE_FEATURE_WatchListClient in
the comment and include a pointer to any tracking issue or test logs so future
maintainers can follow up.

@dfarrell07 dfarrell07 changed the title Automated rebase to K8s 1.36.0 Automated rebase to K8s 1.36.1 Jun 11, 2026
@dfarrell07 dfarrell07 changed the title Automated rebase to K8s 1.36.1 Automated rebase to K8s 1.36.2 Jun 16, 2026
go get k8s.io/api@v0.36.2
go get k8s.io/apimachinery@v0.36.2
go get k8s.io/client-go@v0.36.2
go get k8s.io/kubelet@v0.36.2
go get k8s.io/klog
go get k8s.io/klog/v2
go get k8s.io/kube-openapi
go get k8s.io/utils
go get sigs.k8s.io/json
go get sigs.k8s.io/randfill
go get sigs.k8s.io/structured-merge-diff/v6
go get sigs.k8s.io/yaml
go mod tidy

Signed-off-by: Daniel Farrell <dfarrell@redhat.com>
Assisted-by: Claude Code <noreply@anthropic.com>

./.ci-operator.yaml
./.github/workflows/build.yml
./.github/workflows/release.yml
./.github/workflows/test.yml
./Dockerfile.microshift
./Dockerfile.openshift
./images/Dockerfile
./images/Dockerfile.debug
./images/Dockerfile.thick
.ci-operator.yaml
Dockerfile.microshift
Dockerfile.openshift

Signed-off-by: Daniel Farrell <dfarrell@redhat.com>
Assisted-by: Claude Code <noreply@anthropic.com>

Fix two go vet errors exposed by k8s 1.36 rebase:
- cert-approver: Eventf format string had 2 verbs but 3 args
- k8sclient: Eventf used non-constant format string

Signed-off-by: Daniel Farrell <dfarrell@redhat.com>
Assisted-by: Claude Code <noreply@anthropic.com>

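The two Eventf defects named in the commit message above, reproduced as an added example (not code from this PR or from multus-cni). It assumes Eventf formats with fmt.Sprintf semantics; the eventCall type, the sample message and the CSR values are constructed for illustration.

```go
package main

import "fmt"

// eventCall models one Eventf call site: the format string and the arguments
// that follow it. Hypothetical type, used only in this example.
type eventCall struct {
	Format string
	Args   []any
}

// render formats a call site with fmt.Sprintf, the semantics assumed here for
// a Printf-style Eventf.
func render(c eventCall) string {
	return fmt.Sprintf(c.Format, c.Args...)
}

// sampleMsg is a constructed message containing a '%' that came from data.
const sampleMsg = `network "blue%d" not found`

// nonConstantFormat uses the message itself as the format string.
func nonConstantFormat() string {
	return render(eventCall{Format: sampleMsg})
}

// constantFormat passes the same message as an argument to a fixed "%s".
func constantFormat() string {
	return render(eventCall{Format: "%s", Args: []any{sampleMsg}})
}

// extraArg has two verbs but three arguments (constructed values).
func extraArg() string {
	return render(eventCall{
		Format: "CSR %s denied: %s",
		Args:   []any{"csr-1", "bad usage", "node-a"},
	})
}

// matchedArgs gives every argument its own verb.
func matchedArgs() string {
	return render(eventCall{
		Format: "CSR %s from %s denied: %s",
		Args:   []any{"csr-1", "node-a", "bad usage"},
	})
}

func main() {
	for _, s := range []string{nonConstantFormat(), constantFormat(), extraArg(), matchedArgs()} {
		fmt.Println(s)
	}
}
```

In both defective cases the event text is corrupted at run time rather than rejected, which is why the vet check is the place to catch it.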
Signed-off-by: Daniel Farrell <dfarrell@redhat.com>
Assisted-by: Claude Code <noreply@anthropic.com>

@openshift-ci

openshift-ci Bot commented Jun 28, 2026

@dfarrell07: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

| Test name | Commit | Details | Required | Rerun command |
| --- | --- | --- | --- | --- |
| ci/prow/e2e-aws-upgrade | 8f9a283 | link | true | /test e2e-aws-upgrade |
| ci/prow/security | 8f9a283 | link | false | /test security |

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.
