Updating openshift-enterprise-cli-container image to be consistent with ART for 4.22#2238
Conversation
openshift-bot
force-pushed
the
art-consistency-openshift-4.22-openshift-enterprise-cli
branch
from
b1856ac to
a9a2ebc
Compare
|
Created by ART pipeline job run https://art-jenkins.apps.prod-stable-spoke1-dc-iad2.itup.redhat.com/job/scheduled-builds/job/sync-ci-images/49694 |
openshift-bot
added
jira/valid-bug
WalkthroughThis pull request updates the Go runtime version from 1.24 to 1.25 across CI/CD configuration files. Two files are modified: the CI operator configuration and a Dockerfile for the CLI image builder stage. Changes
Estimated code review effort🎯 1 (Trivial) | ⏱️ ~2 minutes ✨ Finishing Touches🧪 Generate unit tests (beta)
Comment |
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: openshift-bot The full list of commands accepted by this bot can be found here. DetailsNeeds approval from an approver in each of these files:Approvers can indicate their approval by writing |
![coderabbitai[bot]](https://avatars.githubusercontent.com/in/347564?s=60&v=4){kind=small}
There was a problem hiding this comment.
Actionable comments posted: 1
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In @.ci-operator.yaml:
- Line 4: The CI config was bumped to Go 1.25 (tag in .ci-operator.yaml) but
Dockerfiles still reference go1.24; update the
images/cli-artifacts/Dockerfile.rhel and images/tools/Dockerfile to use the same
Go base (golang-1.25) or pin an exact patched release (e.g., 1.25.x) to match
.ci-operator.yaml, or instead upgrade all three to 1.26 if security policy
requires; also identify and record the exact patch-level you choose (1.25.N or
1.26.N), confirm it addresses the CVEs mentioned, and run CI/build to verify no
regressions.
ℹ️ Review info
⚙️ Run configuration
Configuration used: Repository YAML (base), Organization UI (inherited)
Review profile: CHILL
Plan: Pro
Run ID: 59a5d3df-dbc2-40da-b648-218de9d97b39
📒 Files selected for processing (2)
.ci-operator.yamlimages/cli/Dockerfile.rhel
| name: release | ||
| namespace: openshift | ||
| tag: rhel-9-release-golang-1.24-openshift-4.22 | ||
| tag: rhel-9-release-golang-1.25-openshift-4.22 |
There was a problem hiding this comment.
🧩 Analysis chain
🏁 Script executed:
#!/bin/bash
# Verify Go 1.25 exists and check for security advisories
# Check latest Go versions from official site
echo "=== Checking Go versions ==="
curl -s https://go.dev/dl/?mode=json | jq -r '.[].version' | head -10
# Check for security advisories
echo ""
echo "=== Checking for Go security advisories ==="
gh api graphql -f query='
{
securityVulnerabilities(first: 5, ecosystem: GOLANG) {
nodes {
advisory {
summary
severity
publishedAt
}
package {
name
}
vulnerableVersionRange
firstPatchedVersion {
identifier
}
}
}
}'Repository: openshift/oc
Length of output: 308
🌐 Web query:
Go 1.25 security advisories vulnerabilities
💡 Result:
Latest Go 1.25.x security advisories (and the vulnerabilities they fixed), per upstream announcements/release notes:
- go1.25.8 (released 2026-03-05) — fixes 5 CVEs: CVE-2026-27137 (crypto/x509), CVE-2026-27138 (crypto/x509), CVE-2026-27142 (html/template), CVE-2026-25679 (net/url), CVE-2026-27139 (os). [1][7][9][10][11][12]
- go1.25.7 (released 2026-02-04) — CVE-2025-61732 (cmd/cgo) + update/fix for CVE-2025-68121 (crypto/tls session resumption). [1][6]
- go1.25.6 (released 2026-01-15) — 6 CVEs: CVE-2025-61728 (archive/zip), CVE-2025-61726 (net/http), CVE-2025-68121 (crypto/tls), CVE-2025-61731 (cmd/go), CVE-2025-68119 (cmd/go), CVE-2025-61730 (crypto/tls). [1][5]
- go1.25.5 (released 2025-12-02) — CVE-2025-61729 (crypto/x509) and CVE-2025-61727 (crypto/x509). [1][4]
- go1.25.2 (released 2025-10-07) — 10 CVEs: CVE-2025-61725 (net/mail), CVE-2025-58187 (crypto/x509), CVE-2025-58189 (crypto/tls), CVE-2025-61723 (encoding/pem), CVE-2025-47912 (net/url), CVE-2025-58185 (encoding/asn1), CVE-2025-58186 (net/http), CVE-2025-58188 (crypto/x509), CVE-2025-58183 (archive/tar), CVE-2025-61724 (net/textproto). [1][3]
- go1.25.1 (released 2025-09-03) — CVE-2025-47910 (net/http CrossOriginProtection bypass). [1][2]
Action: if you’re on Go 1.25, upgrade to go1.25.8 (or newer major, e.g. Go 1.26.1). [1][7]
References:
[1] https://go.dev/doc/devel/release
[2] https://groups.google.com/g/golang-announce/c/PtW9VW21NPs
[3] https://groups.google.com/g/golang-announce/c/4Emdl2iQ_bI
[4] https://groups.google.com/g/golang-announce/c/8FJoBkPddm4
[5] https://seclists.org/oss-sec/2026/q1/68
[6] https://seclists.org/oss-sec/2026/q1/147
[7] https://seclists.org/oss-sec/2026/q1/262
[9] https://osv.dev/vulnerability/GO-2026-4599
[10] https://osv.dev/vulnerability/GO-2026-4600
[11] https://osv.dev/vulnerability/GO-2026-4603
[12] https://osv.dev/vulnerability/GO-2026-4601
[13] https://osv.dev/vulnerability/GO-2026-4602
🏁 Script executed:
# Examine the .ci-operator.yaml context and look for Dockerfile references
cat -n .ci-operator.yaml | head -20Repository: openshift/oc
Length of output: 189
🏁 Script executed:
# Find Dockerfile to verify consistency mentioned in the review
find . -name "Dockerfile*" -type f | head -10Repository: openshift/oc
Length of output: 400
🏁 Script executed:
# Check for Go version references in Dockerfile files
for f in ./images/cli-artifacts/Dockerfile.rhel ./images/cli/Dockerfile.rhel ./images/deployer/Dockerfile.rhel ./images/recycler/Dockerfile.rhel ./images/tools/Dockerfile; do
echo "=== $f ==="
grep -i "golang\|go version" "$f" 2>/dev/null || echo "No Go version references found"
doneRepository: openshift/oc
Length of output: 678
🏁 Script executed:
# Also check the git history to see if there was a Go 1.24 -> 1.25 change
git log --oneline -10 -- .ci-operator.yaml 2>/dev/null | head -5Repository: openshift/oc
Length of output: 293
Address inconsistent Go version updates and verify security considerations.
The .ci-operator.yaml change to Go 1.25 is present, but several Dockerfiles remain on Go 1.24:
images/cli/Dockerfile.rheluses golang-1.25 ✓images/cli-artifacts/Dockerfile.rheluses golang-1.24 ✗images/tools/Dockerfileuses golang-1.24 ✗
Additionally, Go 1.25 has multiple known security advisories across patch versions (1.25.1–1.25.8 contain 27+ CVEs). Verify the specific patch version being used and whether it requires a newer version or 1.26.x for security compliance.
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.
In @.ci-operator.yaml at line 4, The CI config was bumped to Go 1.25 (tag in
.ci-operator.yaml) but Dockerfiles still reference go1.24; update the
images/cli-artifacts/Dockerfile.rhel and images/tools/Dockerfile to use the same
Go base (golang-1.25) or pin an exact patched release (e.g., 1.25.x) to match
.ci-operator.yaml, or instead upgrade all three to 1.26 if security policy
requires; also identify and record the exact patch-level you choose (1.25.N or
1.26.N), confirm it addresses the CVEs mentioned, and run CI/build to verify no
regressions.
|
@openshift-bot: The following tests failed, say
Full PR test history. Your PR dashboard. DetailsInstructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here. |
|
/close |
|
@ardaguclu: Closed this PR. DetailsIn response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
2 participants
Updating openshift-enterprise-cli-container image to be consistent with ART for 4.22
TLDR:
Product builds by ART can be configured for different base and builder images than corresponding CI
builds. This automated PR requests a change to CI configuration to align with ART's configuration;
please take steps to merge it quickly or contact ART to coordinate changes.
The configuration in the following ART component metadata is driving this alignment request:
openshift-enterprise-cli.yml.
Detail:
This repository is out of sync with the downstream product builds for this component. The CI
configuration for at least one image differs from ART's expected product configuration. This should
be addressed to ensure that the component's CI testing accurate reflects what customers will
experience.
Most of these PRs are opened as an ART-driven proposal to migrate base image or builder(s) to a
different version, usually prior to GA. The intent is to effect changes in both configurations
simultaneously without breaking either CI or ART builds, so usually ART builds are configured to
consider CI as canonical and attempt to match CI config until the PR merges to align both. ART may
also configure changes in GA releases with CI remaining canonical for a brief grace period to enable
CI to succeed and the alignment PR to merge. In either case, ART configuration will be made
canonical at some point (typically at branch-cut before GA or release dev-cut after GA), so it is
important to align CI configuration as soon as possible.
PRs are also triggered when CI configuration changes without ART coordination, for instance to
change the number of builder images or to use a different golang version. These changes should be
coordinated with ART; whether ART configuration is canonical or not, preferably it would be updated
first to enable the changes to occur simultaneously in both CI and ART at the same time. This also
gives ART a chance to validate the intended changes first. For instance, ART compiles most
components with the Golang version being used by the control plane for a given OpenShift release.
Exceptions to this convention (i.e. you believe your component must be compiled with a Golang
version independent from the control plane) must be granted by the OpenShift staff engineers and
communicated to the ART team.
Roles & Responsibilities:
tests OR that necessary metadata changes are reported to the ART team:
@release-artistsin
#forum-ocp-arton Slack. If necessary, the changes required by this pull request can beintroduced with a separate PR opened by the component team. Once the repository is aligned,
this PR will be closed automatically.
verify-depsis complaining. In that case, please opena new PR with the dependency issues addressed (and base images bumped). ART-9595 for reference.
any required labels to ensure the PR merges once tests are passing. In cases where ART config is
canonical, downstream builds are already being built with these changes, and merging this PR
only improves the fidelity of our CI. In cases where ART config is not canonical, this provides
a grace period for the component team to align their CI with ART's configuration before it becomes
canonical in product builds.
ART has been configured to reconcile your CI build root image (see https://docs.ci.openshift.org/docs/architecture/ci-operator/#build-root-image).
In order for your upstream .ci-operator.yaml configuration to be honored, you must set the following in your openshift/release ci-operator configuration file:
Change behavior of future PRs:
set up automatically. This means that such a PR would merge without human intervention (and awareness!) in the future.
To do so, open a PR to set the
auto_labelattribute in the image configuration. ExampleUPSTREAM: <carry>:. An example.If you have any questions about this pull request, please reach out to
@release-artistsin the#forum-ocp-artcoreos slack channel.