
build(deps): bump the k8s group across 1 directory with 4 updates#1376

Open
dependabot[bot] wants to merge 1 commit into main from dependabot/go_modules/k8s-4374b97ac0

Conversation


@dependabot dependabot Bot commented on behalf of github Mar 25, 2026

Bumps the k8s group with 3 updates in the / directory: k8s.io/api, k8s.io/client-go and k8s.io/kubectl.

Updates k8s.io/api from 0.33.4 to 0.35.3

Commits
  • 3897036 Update dependencies to v0.35.3 tag
  • bbcbaa8 Merge remote-tracking branch 'origin/master' into release-1.35
  • 5bced61 Bump golang.org/x/crypto to v0.45.0
  • 39e2e26 Merge pull request #135131 from Dev1622/sig-storage/mock-expand-flake-fix
  • c22b4a1 vendor: update vendor and license metadata after replacing BeTrue usage in cs...
  • e3b1f3d Resolve lint restriction on BeTrue by introducing Succeed() with contextual e...
  • 3da327c Update vendored dependencies
  • c764b44 Merge pull request #132919 from ndixita/pod-level-in-place-pod-resize
  • aced136 Generated files from API changes
  • 02d790d Adding Resources and AllocatedResoures fields to the list of expected fields ...
  • Additional commits viewable in compare view

Updates k8s.io/apimachinery from 0.33.4 to 0.35.3

Commits
  • 72d71ea Merge remote-tracking branch 'origin/master' into release-1.35
  • e2a2dbc Bump golang.org/x/crypto to v0.45.0
  • 2e9c228 Merge pull request #135131 from Dev1622/sig-storage/mock-expand-flake-fix
  • f274aac vendor: update vendor and license metadata after replacing BeTrue usage in cs...
  • 9445443 Resolve lint restriction on BeTrue by introducing Succeed() with contextual e...
  • 52154f7 Update vendored dependencies
  • 5a348c5 KEP-5471: Extend tolerations operators (#134665)
  • 6f89492 Merge pull request #133648 from richabanker/merged-discovery
  • c77dde2 util/sort: Add MergePreservingRelativeOrder for topological sorting
  • 729c13d Merge pull request #134624 from yt2985/podcertificates-beta
  • Additional commits viewable in compare view

Updates k8s.io/client-go from 0.33.4 to 0.35.3

Commits
  • 4f1f0a2 Update dependencies to v0.35.3 tag
  • f80003c Merge pull request #136903 from pohly/automated-cherry-pick-of-#136455
  • 8b41556 fake client-go: un-deprecate NewSimpleClientset
  • 2d83546 Merge remote-tracking branch 'origin/master' into release-1.35
  • 56b4af2 Merge pull request #135591 from p0lyn0mial/upstream-watchlist-reflector-log-f...
  • 891f94c Merge remote-tracking branch 'origin/master' into release-1.35
  • 65ffe04 Merge pull request #135580 from serathius/client-go-transformer
  • 2fe4ac2 downgrade reflector watchlist fallback log to V(4)
  • 97256a6 Bump golang.org/x/crypto to v0.45.0
  • 46360b5 Merge pull request #135131 from Dev1622/sig-storage/mock-expand-flake-fix
  • Additional commits viewable in compare view

Updates k8s.io/kubectl from 0.33.4 to 0.35.3

Commits

@dependabot dependabot Bot added the "dependencies" label (Pull requests that update a dependency file) and the "go" label (Pull requests that update Go code) Mar 25, 2026
@openshift-ci openshift-ci Bot requested review from adolfo-ab and aguidirh March 25, 2026 14:12

coderabbitai Bot commented Mar 25, 2026

Walkthrough

Go toolchain upgraded from version 1.24.3 to 1.25.0. Multiple direct and transitive dependencies updated, including golang.org/x/crypto and golang.org/x/term packages, Kubernetes core modules (api, apimachinery, client-go, kubectl), and various transitive dependencies like golang.org/x/net and sigs.k8s.io/kustomize packages. Some transitive requirements removed while others added.

Changes

Cohort / File(s): Go Module Dependency Update (go.mod)
Summary: Go toolchain version upgraded from 1.24.3 to 1.25.0. Direct dependency upgrades: golang.org/x/crypto (v0.41.0 → v0.44.0), golang.org/x/term (v0.34.0 → v0.37.0), Kubernetes modules (v0.33.4 → v0.35.3). Transitive dependency version updates across multiple packages including golang.org/x/net, golang.org/x/text, github.com/fxamacker/cbor/v2, sigs.k8s.io/kustomize, and others. Some transitive requirements removed and modernized.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes


Comment @coderabbitai help to get the list of available commands and usage tips.

@openshift-ci openshift-ci Bot added the "needs-ok-to-test" label (Indicates a PR that requires an org member to verify it is safe to test.) Mar 25, 2026

openshift-ci Bot commented Mar 25, 2026

Hi @dependabot[bot]. Thanks for your PR.

I'm waiting for an openshift member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work.

Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@aguidirh aguidirh (Contributor) commented:

/ok-to-test

@openshift-ci openshift-ci Bot added the "ok-to-test" label (Indicates a non-member PR verified by an org member that is safe to test.) and removed the "needs-ok-to-test" label (Indicates a PR that requires an org member to verify it is safe to test.) Mar 25, 2026
@r4f4 r4f4 changed the title from "build(deps): bump the k8s group with 4 updates" to "no-jira: build(deps): bump the k8s group with 4 updates" Mar 30, 2026
@openshift-ci-robot openshift-ci-robot added the "jira/valid-reference" label (Indicates that this PR references a valid Jira ticket of any type.) Mar 30, 2026
openshift-ci-robot Bot commented:

@dependabot[bot]: This pull request explicitly references no jira issue.

Details

In response to this:

Bumps the k8s group with 4 updates: k8s.io/api, k8s.io/apimachinery, k8s.io/client-go and k8s.io/kubectl.

Updates k8s.io/api from 0.33.4 to 0.35.3

Commits
  • 3897036 Update dependencies to v0.35.3 tag
  • bbcbaa8 Merge remote-tracking branch 'origin/master' into release-1.35
  • 5bced61 Bump golang.org/x/crypto to v0.45.0
  • 39e2e26 Merge pull request #135131 from Dev1622/sig-storage/mock-expand-flake-fix
  • c22b4a1 vendor: update vendor and license metadata after replacing BeTrue usage in cs...
  • e3b1f3d Resolve lint restriction on BeTrue by introducing Succeed() with contextual e...
  • 3da327c Update vendored dependencies
  • c764b44 Merge pull request #132919 from ndixita/pod-level-in-place-pod-resize
  • aced136 Generated files from API changes
  • 02d790d Adding Resources and AllocatedResoures fields to the list of expected fields ...
  • Additional commits viewable in compare view

Updates k8s.io/apimachinery from 0.33.4 to 0.35.3

Commits
  • 72d71ea Merge remote-tracking branch 'origin/master' into release-1.35
  • e2a2dbc Bump golang.org/x/crypto to v0.45.0
  • 2e9c228 Merge pull request #135131 from Dev1622/sig-storage/mock-expand-flake-fix
  • f274aac vendor: update vendor and license metadata after replacing BeTrue usage in cs...
  • 9445443 Resolve lint restriction on BeTrue by introducing Succeed() with contextual e...
  • 52154f7 Update vendored dependencies
  • 5a348c5 KEP-5471: Extend tolerations operators (#134665)
  • 6f89492 Merge pull request #133648 from richabanker/merged-discovery
  • c77dde2 util/sort: Add MergePreservingRelativeOrder for topological sorting
  • 729c13d Merge pull request #134624 from yt2985/podcertificates-beta
  • Additional commits viewable in compare view

Updates k8s.io/client-go from 0.33.4 to 0.35.3

Commits
  • 4f1f0a2 Update dependencies to v0.35.3 tag
  • f80003c Merge pull request #136903pohly/automated-cherry-pick-of-#136455
  • 8b41556 fake client-go: un-deprecate NewSimpleClientset
  • 2d83546 Merge remote-tracking branch 'origin/master' into release-1.35
  • 56b4af2 Merge pull request #135591 from p0lyn0mial/upstream-watchlist-reflector-log-f...
  • 891f94c Merge remote-tracking branch 'origin/master' into release-1.35
  • 65ffe04 Merge pull request #135580 from serathius/client-go-transformer
  • 2fe4ac2 downgrade reflector watchlist fallback log to V(4)
  • 97256a6 Bump golang.org/x/crypto to v0.45.0
  • 46360b5 Merge pull request #135131 from Dev1622/sig-storage/mock-expand-flake-fix
  • Additional commits viewable in compare view

Updates k8s.io/kubectl from 0.33.4 to 0.35.3

Commits

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.


r4f4 commented Mar 30, 2026

/lgtm

@openshift-ci openshift-ci Bot added the "lgtm" label (Indicates that a PR is ready to be merged.) Mar 30, 2026
Bumps the k8s group with 4 updates: [k8s.io/api](https://github.com/kubernetes/api), [k8s.io/apimachinery](https://github.com/kubernetes/apimachinery), [k8s.io/client-go](https://github.com/kubernetes/client-go) and [k8s.io/kubectl](https://github.com/kubernetes/kubectl).


Updates `k8s.io/api` from 0.33.4 to 0.35.3
- [Commits](kubernetes/api@v0.33.4...v0.35.3)

Updates `k8s.io/apimachinery` from 0.33.4 to 0.35.3
- [Commits](kubernetes/apimachinery@v0.33.4...v0.35.3)

Updates `k8s.io/client-go` from 0.33.4 to 0.35.3
- [Changelog](https://github.com/kubernetes/client-go/blob/master/CHANGELOG.md)
- [Commits](kubernetes/client-go@v0.33.4...v0.35.3)

Updates `k8s.io/kubectl` from 0.33.4 to 0.35.3
- [Commits](kubernetes/kubectl@v0.33.4...v0.35.3)

---
updated-dependencies:
- dependency-name: k8s.io/api
  dependency-version: 0.35.3
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: k8s
- dependency-name: k8s.io/apimachinery
  dependency-version: 0.35.3
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: k8s
- dependency-name: k8s.io/client-go
  dependency-version: 0.35.3
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: k8s
- dependency-name: k8s.io/kubectl
  dependency-version: 0.35.3
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: k8s
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot changed the title from "no-jira: build(deps): bump the k8s group with 4 updates" to "build(deps): bump the k8s group across 1 directory with 4 updates" Apr 1, 2026
@dependabot dependabot Bot force-pushed the dependabot/go_modules/k8s-4374b97ac0 branch from 76d4e8b to 004bb41 April 1, 2026 06:06
@openshift-ci openshift-ci Bot removed the "lgtm" label (Indicates that a PR is ready to be merged.) Apr 1, 2026

openshift-ci Bot commented Apr 1, 2026

New changes are detected. LGTM label has been removed.


openshift-ci Bot commented Apr 1, 2026

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: dependabot[bot]
Once this PR has been reviewed and has the lgtm label, please ask for approval from r4f4. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@go.mod`:
  • Around line 199-210: The go.mod pins google.golang.org/grpc to v1.73.0 which contains a known authorization-bypass vulnerability; update the google.golang.org/grpc module reference to a patched release (e.g., the latest v1.73.x+ or v1.74.0+ that contains the fix), run go get google.golang.org/grpc@<patched-version> (or update the version string in go.mod), then run go mod tidy to refresh go.sum and ensure no other indirect dependencies regress; verify builds and tests pass after the upgrade.
  • Line 3: The Dockerfile's GO_VERSION variable is pinned to go1.23.5 and must be updated to match go.mod's "go 1.25.0"; open the project's root Dockerfile, find the GO_VERSION definition (symbol: GO_VERSION) and change its value to go1.25.0 (or an appropriate 1.25.x patch) so the build environment aligns with go.mod's Go version and avoids skew with the other images that already use golang-1.25.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: accade0a-6f99-4c14-92a4-ab2279f9d0ce

📥 Commits

Reviewing files that changed from the base of the PR and between 18c646f and 004bb41.

⛔ Files ignored due to path filters (1)
  • go.sum is excluded by !**/*.sum
📒 Files selected for processing (1)
  • go.mod

Comment thread go.mod
module github.com/openshift/oc-mirror/v2

go 1.24.3
go 1.25.0
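Review bot: the go directive jump from 1.24.3 to 1.25.0 in this hunk raises the minimum toolchain for everyone building this module, while the thread below reports that the root Dockerfile still pins GO_VERSION=go1.23.5 and only the images/cli Dockerfiles already use golang-1.25; suggest updating that root pin in the same PR so the build environment and go.mod agree, rather than relying on the toolchain being fetched at build time.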

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "Go directive in go.mod:"
rg -n '^\s*go\s+[0-9]+\.[0-9]+(\.[0-9]+)?' go.mod

echo
echo "Potential pinned Go versions in repo configs/images:"
rg -n --iglob '*Dockerfile*' --iglob '*.yaml' --iglob '*.yml' --iglob '*.md' \
  'GO_VERSION|golang:|go[ ="]1\.[0-9]+(\.[0-9]+)?'

Repository: openshift/oc-mirror

Length of output: 344


🏁 Script executed:

# Search for GitHub Actions and other CI workflow files with Go version pins
fd -e yaml -e yml . .github 2>/dev/null | head -20

# Also check for any other build-related configs
rg -n 'go[_-]?version|golang' --iglob '*.json' --iglob '*.yaml' --iglob '*.yml' -t yaml -t json

Repository: openshift/oc-mirror

Length of output: 50376


🏁 Script executed:

# Search for GitHub Actions workflows with Go versions
find .github/workflows -type f \( -name "*.yml" -o -name "*.yaml" \) 2>/dev/null | while read file; do
  echo "=== $file ==="
  rg -n 'go-version|go:' "$file" 2>/dev/null || echo "No Go version found"
done

# Also search for any remaining Go 1.23.5 references
echo
echo "=== All references to Go 1.23.5 ==="
rg -r 'go.*1\.23\.5|1\.23\.5' --max-count 20

Repository: openshift/oc-mirror

Length of output: 513


🏁 Script executed:

# Search for all Go version references correctly
echo "=== GitHub Actions workflows with Go versions ==="
find .github/workflows -type f \( -name "*.yml" -o -name "*.yaml" \) 2>/dev/null | head -5

echo
echo "=== References to Go 1.23.5 ==="
rg '1\.23\.5' -n

echo
echo "=== References to Go 1.25 ==="
rg '1\.25' -n

echo
echo "=== Any go-version references in CI/workflows ==="
rg 'go.version|go-version|GO_VERSION' -n --max-count 20

Repository: openshift/oc-mirror

Length of output: 2266


Update Dockerfile to use Go 1.25.0 to match go.mod requirement

The root Dockerfile pins GO_VERSION=go1.23.5 (line 28), which creates environment skew with the go.mod requirement of go 1.25.0. This will cause build failures when the PR is merged. Update the Dockerfile to use go1.25.0 or the appropriate 1.25.x patch version.

Note: The other Dockerfiles in images/cli/ (Dockerfile.ci, Dockerfile.art, Dockerfile.test) already reference golang-1.25 from their base builder images and do not have this issue.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@go.mod` at line 3, The Dockerfile's GO_VERSION variable is pinned to go1.23.5 and must be updated to match go.mod's "go 1.25.0"; open the project's root Dockerfile, find the GO_VERSION definition (symbol: GO_VERSION) and change its value to go1.25.0 (or an appropriate 1.25.x patch) so the build environment aligns with go.mod's Go version and avoids skew with the other images that already use golang-1.25.

Comment thread go.mod
Comment on lines +199 to +210
go.yaml.in/yaml/v2 v2.4.3 // indirect
go.yaml.in/yaml/v3 v3.0.4 // indirect
golang.org/x/net v0.43.0 // indirect
golang.org/x/net v0.47.0 // indirect
golang.org/x/oauth2 v0.33.0 // indirect
golang.org/x/sys v0.38.0 // indirect
golang.org/x/text v0.28.0 // indirect
golang.org/x/text v0.31.0 // indirect
golang.org/x/time v0.12.0 // indirect
google.golang.org/genproto/googleapis/api v0.0.0-20250603155806-513f23925822 // indirect
google.golang.org/genproto/googleapis/rpc v0.0.0-20250603155806-513f23925822 // indirect
google.golang.org/grpc v1.73.0 // indirect
google.golang.org/protobuf v1.36.8 // indirect
gopkg.in/evanphx/json-patch.v4 v4.12.0 // indirect
gopkg.in/evanphx/json-patch.v4 v4.13.0 // indirect
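Review bot: google.golang.org/grpc v1.73.0 // indirect is unchanged context in this hunk while golang.org/x/net, golang.org/x/text and gopkg.in/evanphx/json-patch.v4 move, and the OSV scanner output in this thread flags exactly that grpc version (GO-2026-4762 / GHSA-p77j-4mvh-x3m3). Because it is an indirect requirement outside the k8s group, Dependabot will not bump it here, so a separate `go get google.golang.org/grpc@<patched-version>` followed by `go mod tidy` (regenerating go.sum) is needed before this lands, and the build and tests should be re-run on that result.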

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "1) Confirm pinned grpc version in go.mod"
rg -n '^\s*google\.golang\.org/grpc\s+v' go.mod

echo
echo "2) Query OSV for this exact version"
curl -s https://api.osv.dev/v1/query -H 'Content-Type: application/json' -d '{
  "package": { "ecosystem": "Go", "name": "google.golang.org/grpc" },
  "version": "1.73.0"
}' | jq -r '
  if (.vulns|length)==0 then "No vulns returned by OSV for 1.73.0"
  else .vulns[] | "\(.id): \(.summary // "no summary")"
  end
'

Repository: openshift/oc-mirror

Length of output: 387


Bump google.golang.org/grpc to a patched version—the current pinned v1.73.0 has critical authorization-bypass vulnerabilities (GHSA-p77j-4mvh-x3m3 / GO-2026-4762 via missing leading slash in :path header validation).

🧰 Tools
🪛 OSV Scanner (2.3.5)

[CRITICAL] 208-208: google.golang.org/grpc 1.73.0: Authorization bypass in gRPC-Go via missing leading slash in :path in google.golang.org/grpc

(GO-2026-4762)


[CRITICAL] 208-208: google.golang.org/grpc 1.73.0: gRPC-Go has an authorization bypass via missing leading slash in :path

(GHSA-p77j-4mvh-x3m3)

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@go.mod` around lines 199 - 210, The go.mod pins google.golang.org/grpc to v1.73.0 which contains a known authorization-bypass vulnerability; update the google.golang.org/grpc module reference to a patched release (e.g., the latest v1.73.x+ or v1.74.0+ that contains the fix), run go get google.golang.org/grpc@<patched-version> (or update the version string in go.mod), then run go mod tidy to refresh go.sum and ensure no other indirect dependencies regress; verify builds and tests pass after the upgrade.
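The finding above is about a pin that Dependabot's group update leaves untouched because it is `// indirect`. As an added example, not code from this PR, from CodeRabbit or from the oc-mirror project, the POSIX shell below reads the version pinned for a module in a go.mod (indirect lines included) and compares it against a required minimum with `sort -V`, so a CI job can fail on a known-bad pin regardless of which update group a bot owns. The go.mod content is constructed here to mirror the lines shown in the hunk, the function names are this example's own, and v1.74.0 is only a placeholder minimum taken from the "e.g." in the comment; the real fix version must come from the advisory (GO-2026-4762 / GHSA-p77j-4mvh-x3m3).

```shell
#!/bin/sh
# Added example: flag a go.mod module pinned below a required minimum version.
# Not part of the PR or the project; constructed input, placeholder minimum.

# Constructed go.mod fragment mirroring the require block shown in the review.
SAMPLE_GOMOD='module example.invalid/sample

go 1.25.0

require (
	golang.org/x/net v0.47.0 // indirect
	google.golang.org/grpc v1.73.0 // indirect
	google.golang.org/protobuf v1.36.8 // indirect
)
'

# pinned_version FILE MODULE -> prints the version pinned for MODULE, or nothing.
# Matches both direct and "// indirect" require lines (field 1 = module path).
pinned_version() {
  awk -v mod="$2" '$1 == mod && $2 ~ /^v[0-9]/ { print $2; exit }' "$1"
}

# version_lt A B -> exit 0 if A sorts strictly before B in version order.
version_lt() {
  [ "$1" != "$2" ] && [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n1)" = "$1" ]
}

# check_min FILE MODULE MINVER -> 0 if pinned >= MINVER, 1 if below, 2 if absent.
check_min() {
  cur=$(pinned_version "$1" "$2")
  if [ -z "$cur" ]; then
    echo "$2: not pinned in $1"
    return 2
  fi
  if version_lt "$cur" "$3"; then
    echo "$2: pinned $cur, below required $3"
    return 1
  fi
  echo "$2: pinned $cur, OK (>= $3)"
  return 0
}

# Stand-alone run against the constructed go.mod.
tmp=$(mktemp)
printf '%s' "$SAMPLE_GOMOD" > "$tmp"
# v1.74.0 is a placeholder minimum; use the fix version from the advisory.
check_min "$tmp" google.golang.org/grpc v1.74.0 || true
check_min "$tmp" golang.org/x/net v0.47.0 || true
rm -f "$tmp"
```

Run it with `sh`; `check_min` returning 1 is the signal to fail a pipeline step, which makes this a cheap gate next to the OSV query the bot ran above or a `govulncheck` run. The comparison is by `sort -V`, so it handles patch bumps like v1.73.x correctly but treats pre-release suffixes only as far as that ordering does.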


openshift-ci Bot commented Apr 1, 2026

@dependabot[bot]: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name            Commit   Details  Required  Rerun command
ci/prow/integration  004bb41  link     true      /test integration

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.


aguidirh commented May 8, 2026

/test integration
