2 changes: 1 addition & 1 deletion .ci-operator.yaml
@@ -1,4 +1,4 @@
build_root_image:
name: release
namespace: openshift
tag: rhel-9-release-golang-1.24-openshift-4.22
tag: rhel-9-release-golang-1.25-openshift-4.22
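
Review bot: On the changed `tag:` line, `rhel-9-release-golang-1.25-openshift-4.22` names only the Go minor line, so nothing in this file records which 1.25.x patch release the build root actually carries. State the resolved Go patch version in the PR description (for example from `go version` in the CI build log) so it can be checked against the Go security releases, and keep this tag on the same minor as the `golang-1.25` builder tag in images/cli/Dockerfile.rhel.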

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Verify Go 1.25 exists and check for security advisories

# Check latest Go versions from official site
echo "=== Checking Go versions ==="
curl -s https://go.dev/dl/?mode=json | jq -r '.[].version' | head -10

# Check for security advisories
echo ""
echo "=== Checking for Go security advisories ==="
gh api graphql -f query='
{
  securityVulnerabilities(first: 5, ecosystem: GOLANG) {
    nodes {
      advisory {
        summary
        severity
        publishedAt
      }
      package {
        name
      }
      vulnerableVersionRange
      firstPatchedVersion {
        identifier
      }
    }
  }
}'

Repository: openshift/oc

Length of output: 308


🌐 Web query:

Go 1.25 security advisories vulnerabilities

💡 Result:

Latest Go 1.25.x security advisories (and the vulnerabilities they fixed), per upstream announcements/release notes:

Action: if you’re on Go 1.25, upgrade to go1.25.8 (or newer major, e.g. Go 1.26.1). [1][7]

References:
[1] https://go.dev/doc/devel/release
[2] https://groups.google.com/g/golang-announce/c/PtW9VW21NPs
[3] https://groups.google.com/g/golang-announce/c/4Emdl2iQ_bI
[4] https://groups.google.com/g/golang-announce/c/8FJoBkPddm4
[5] https://seclists.org/oss-sec/2026/q1/68
[6] https://seclists.org/oss-sec/2026/q1/147
[7] https://seclists.org/oss-sec/2026/q1/262
[9] https://osv.dev/vulnerability/GO-2026-4599
[10] https://osv.dev/vulnerability/GO-2026-4600
[11] https://osv.dev/vulnerability/GO-2026-4603
[12] https://osv.dev/vulnerability/GO-2026-4601
[13] https://osv.dev/vulnerability/GO-2026-4602


🏁 Script executed:

# Examine the .ci-operator.yaml context and look for Dockerfile references
cat -n .ci-operator.yaml | head -20

Repository: openshift/oc

Length of output: 189


🏁 Script executed:

# Find Dockerfile to verify consistency mentioned in the review
find . -name "Dockerfile*" -type f | head -10

Repository: openshift/oc

Length of output: 400


🏁 Script executed:

# Check for Go version references in Dockerfile files
for f in ./images/cli-artifacts/Dockerfile.rhel ./images/cli/Dockerfile.rhel ./images/deployer/Dockerfile.rhel ./images/recycler/Dockerfile.rhel ./images/tools/Dockerfile; do
  echo "=== $f ==="
  grep -i "golang\|go version" "$f" 2>/dev/null || echo "No Go version references found"
done

Repository: openshift/oc

Length of output: 678


🏁 Script executed:

# Also check the git history to see if there was a Go 1.24 -> 1.25 change
git log --oneline -10 -- .ci-operator.yaml 2>/dev/null | head -5

Repository: openshift/oc

Length of output: 293


Address inconsistent Go version updates and verify security considerations.

The .ci-operator.yaml change to Go 1.25 is present, but several Dockerfiles remain on Go 1.24:

  • images/cli/Dockerfile.rhel uses golang-1.25 ✓
  • images/cli-artifacts/Dockerfile.rhel uses golang-1.24 ✗
  • images/tools/Dockerfile uses golang-1.24 ✗

Additionally, Go 1.25 has multiple known security advisories across patch versions (1.25.1–1.25.8 contain 27+ CVEs). Verify the specific patch version being used and whether it requires a newer version or 1.26.x for security compliance.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.ci-operator.yaml at line 4, The CI config was bumped to Go 1.25 (tag in
.ci-operator.yaml) but Dockerfiles still reference go1.24; update the
images/cli-artifacts/Dockerfile.rhel and images/tools/Dockerfile to use the same
Go base (golang-1.25) or pin an exact patched release (e.g., 1.25.x) to match
.ci-operator.yaml, or instead upgrade all three to 1.26 if security policy
requires; also identify and record the exact patch-level you choose (1.25.N or
1.26.N), confirm it addresses the CVEs mentioned, and run CI/build to verify no
regressions.
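
A consistency check of the kind this comment calls for, as an added example that is not part of the pull request, the review comment, or the openshift/oc repository: it compares the `golang-X.Y` tag in `.ci-operator.yaml` with the first Go builder `FROM` tag in each Dockerfile under `images/`. The function names and the sample tree are constructed for illustration; the `images/tools/Dockerfile` line in the sample is an assumption based on the version the comment reports.

```shell
#!/bin/sh
# Added example, not code from openshift/oc: flag Dockerfiles under images/ whose
# "golang-X.Y" builder tag differs from the build root tag in .ci-operator.yaml.

# Print the first golang-X.Y version found on lines matching pattern $1 in file $2.
go_minor() {
  sed -n "/$1/s/.*golang-\([0-9][0-9]*\.[0-9][0-9]*\).*/\1/p" "$2" | head -n 1
}

# check_go_versions <repo-root>: print one line per mismatching Dockerfile.
# Exit status: 0 consistent, 1 mismatch found, 2 no version in .ci-operator.yaml.
check_go_versions() (
  root=$1
  want=$(go_minor 'tag:' "$root/.ci-operator.yaml")
  [ -n "$want" ] || { echo "no golang-X.Y tag in .ci-operator.yaml" >&2; exit 2; }
  report=$(find "$root/images" -type f -name 'Dockerfile*' | sort |
    while IFS= read -r f; do
      got=$(go_minor '^FROM ' "$f")   # empty when the file has no Go builder stage
      if [ -n "$got" ] && [ "$got" != "$want" ]; then
        rel=${f#"$root"/}
        echo "MISMATCH $rel: golang-$got, build root is golang-$want"
      fi
    done)
  if [ -z "$report" ]; then exit 0; fi
  echo "$report"
  exit 1
)

# Constructed sample tree (assumption): tags follow the versions quoted in the review.
make_sample() {
  d=$(mktemp -d)
  mkdir -p "$d/images/cli" "$d/images/tools"
  img='registry.ci.openshift.org/ocp/builder'
  printf 'build_root_image:\n  tag: rhel-9-release-golang-1.25-openshift-4.22\n' > "$d/.ci-operator.yaml"
  printf 'FROM %s:rhel-9-golang-1.25-openshift-4.22 AS builder\n' "$img" > "$d/images/cli/Dockerfile.rhel"
  printf 'FROM %s:rhel-9-golang-1.24-openshift-4.22 AS builder\n' "$img" > "$d/images/tools/Dockerfile"
  echo "$d"
}

sample=$(make_sample)
check_go_versions "$sample" || echo "exit status $?"
rm -rf "$sample"
```

The check compares minor versions only, because the tags carry no patch level; the patch release still has to be read from the resolved image.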

2 changes: 1 addition & 1 deletion images/cli/Dockerfile.rhel
@@ -1,4 +1,4 @@
FROM registry.ci.openshift.org/ocp/builder:rhel-9-golang-1.24-openshift-4.22 AS builder
FROM registry.ci.openshift.org/ocp/builder:rhel-9-golang-1.25-openshift-4.22 AS builder
WORKDIR /go/src/github.com/openshift/oc
COPY . .
RUN make build --warn-undefined-variables \
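
Review bot: The new `FROM` line moves only this image's builder stage to `rhel-9-golang-1.25-openshift-4.22`, and the diff shown here changes no other Dockerfile, so images built from the remaining files under images/ can still compile with a different Go toolchain than the one CI uses. Update the other builder stages in the same change, or say in the PR description why they stay behind.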