Update google.golang.org/genproto/googleapis/api digest to 87f3d3e

[red-hat-konflux-kflux-prd-rh02]

This PR contains the following updates:

Package	Type	Update	Change
google.golang.org/genproto/googleapis/api	indirect	digest	9d38bb4 → 87f3d3e

---

Warning

Some dependencies could not be looked up. Check the warning logs for more information.

---

Configuration

📅 Schedule: Branch creation - "on monday" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

To execute skipped test pipelines write comment /ok-to-test.

---

Documentation

Find out how to configure dependency updates in MintMaker documentation or see all available configuration options in Renovate documentation.

[red-hat-konflux-kflux-prd-rh02]

⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

• any of the package files in this branch needs updating, or
• the branch becomes conflicted, or
• you click the rebase/retry checkbox if found above, or
• you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: go.sum

Command failed: go get -t ./...
go: downloading google.golang.org/genproto/googleapis/api v0.0.0-20260618152121-87f3d3e198d3
go: downloading golang.org/x/text v0.35.0
go: downloading google.golang.org/genproto v0.0.0-20260209200024-4cfbd4190f57
go: downloading golang.org/x/sys v0.42.0
go: downloading cloud.google.com/go/pubsub/v2 v2.4.0
go: downloading google.golang.org/grpc v1.80.0
go: downloading github.com/googleapis/gax-go/v2 v2.17.0
go: downloading google.golang.org/api v0.266.0
go: downloading golang.org/x/net v0.52.0
go: downloading golang.org/x/oauth2 v0.35.0
go: downloading cloud.google.com/go/iam v1.5.3
go: downloading cloud.google.com/go/auth v0.18.1
go: downloading golang.org/x/time v0.14.0
go: downloading github.com/googleapis/enterprise-certificate-proxy v0.3.12
go: downloading golang.org/x/crypto v0.49.0
go: github.com/openshift-hyperfleet/hyperfleet-sentinel/internal/client imports
	github.com/openshift-hyperfleet/hyperfleet-sentinel/pkg/api/openapi: cannot find module providing package github.com/openshift-hyperfleet/hyperfleet-sentinel/pkg/api/openapi

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign vkareh for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[openshift-ci]

Hi @red-hat-konflux-kflux-prd-rh02[bot]. Thanks for your PR.

I'm waiting for a openshift-hyperfleet member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work.

Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[coderabbitai]

📝 Walkthrough

Summary by CodeRabbit

• Chores
  • Updated internal dependencies for maintenance and compatibility.

Walkthrough

go.mod updates a single indirect dependency: google.golang.org/genproto/googleapis/api from pseudo-version v0.0.0-20260401024825-9d38bb4040a9 to commit hash 87f3d3e198d3. No other module entries, Go version declarations, or replace/exclude directives are modified.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

---

Supply chain flag (CWE-1357 / CWE-829): 87f3d3e198d3 is a raw commit hash, not a tagged release. Verify this hash exists in the canonical googleapis/go-genproto upstream repository and matches an expected, reviewed commit. Untagged hashes in go.mod expand the attack surface for dependency confusion and commit substitution. Confirm go.sum reflects the corresponding hash digest and that no replace directive silently redirects this module to a fork.

🚥 Pre-merge checks | ✅ 11

✅ Passed checks (11 passed)

Check name	Status	Explanation
Title check	✅ Passed	Title directly reflects the main change: updating a specific dependency digest hash. Clear and specific about which package and what version was updated.
Description check	✅ Passed	Description is related to the changeset, providing dependency update details in table format with package name, type, and digest change. Includes relevant context about the automated workflow.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Sec-02: Secrets In Log Output	✅ Passed	Comprehensive search of all non-test Go files in the PR found no log statements (slog, logr, zap, fmt.Print*, or custom logger) containing passwords, tokens, credentials, or secrets.
No Hardcoded Secrets	✅ Passed	No hardcoded secrets found. The changed value (87f3d3e198d3) is a public Git commit hash used as a dependency version identifier, not an API key, token, password, or credential.
No Weak Cryptography	✅ Passed	No banned cryptographic primitives (MD5, DES, RC4, SHA1 for security, ECB mode) or insecure constant-time comparisons found. Genproto update is a code generator dependency, not cryptographic implem...
No Injection Vectors	✅ Passed	No injection vectors detected: no SQL queries, exec.Command calls, template.HTML misuse, or unsafe yaml.Unmarshal. TSL query building properly escapes user input. Config loading uses strict viper.U...
No Privileged Containers	✅ Passed	PR only modifies go.mod; no Kubernetes/Helm manifests, Dockerfiles, or container configurations changed that could introduce privileged containers.
No Pii Or Sensitive Data In Logs	✅ Passed	No PII or sensitive customer data exposed in production logging. Test code logs AMQP URL with test credentials only, behind //go:build integration tag, excluded from production builds.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch konflux/mintmaker/main/google.golang.org-genproto-googleapis-api-digest

✨ Simplify code

• Create PR with simplified code
• Commit simplified code in branch konflux/mintmaker/main/google.golang.org-genproto-googleapis-api-digest

Warning

There were issues while running some tools. Please review the errors and either fix the tool's configuration or disable the tool if it's a critical failure.

🔧 golangci-lint (2.12.2)

level=error msg="Running error: context loading failed: failed to load packages: failed to load packages: failed to load with go/packages: err: exit status 1: stderr: go: updates to go.mod needed, disabled by -mod=readonly; to update it:\n\tgo mod tidy\n"

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@go.mod`:
- Line 139: The google.golang.org/genproto/googleapis/api dependency on line 139
of go.mod has a malformed version string (7ab31c22f7ad) that lacks the required
v prefix and pseudo-version format (should be v0.0.0-20260401024825-9d38bb4040a9
per go.sum). Fix this by replacing the truncated hash with the complete
pseudo-version string. Additionally, synchronize the genproto version across all
affected modules in the workspace (hyperfleet-api, hyperfleet-adapter, and
hyperfleet-broker) to use a consistent version to prevent protobuf message type
incompatibilities during gRPC interface marshaling, particularly for the Pub/Sub
message types constructed in hyperfleet-broker.
- Line 139: The google.golang.org/genproto/googleapis/api module declaration
uses a bare commit hash instead of the Go module version format. Replace the
bare commit hash with the properly formatted version string that matches the
entry in go.sum, which should follow the v0.0.0-<yyyymmddhhmmss>-<hash> format
to ensure consistency between go.mod and go.sum and allow go mod tidy to work
correctly.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Central YAML (base), Organization UI (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 497f1dc5-fadd-4c19-8dfc-2f8682a29c04

📥 Commits

Reviewing files that changed from the base of the PR and between 6cb186e and 46af341.

📒 Files selected for processing (1)

• go.mod

🔗 Linked repositories identified

CodeRabbit considers these linked repositories for cross-repo context during reviews:

• openshift-hyperfleet/architecture (manual)
• openshift-hyperfleet/hyperfleet-api (manual)
• openshift-hyperfleet/hyperfleet-sentinel (manual)
• openshift-hyperfleet/hyperfleet-adapter (manual)
• openshift-hyperfleet/hyperfleet-broker (manual)

[coderabbitai]

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Verify genproto version alignment across hyperfleet repositories
# Check go.sum files to confirm actual resolved versions

# List all genproto-related entries across workspace
fd -e 'go.sum' --exec grep 'google.golang.org/genproto' {} + | sort -u

# Extract unique versions
fd -e 'go.sum' --exec grep 'google.golang.org/genproto/googleapis/api' {} + | awk '{print $NF}' | sort -u

Repository: openshift-hyperfleet/hyperfleet-sentinel

Length of output: 66

---

🏁 Script executed:

#!/bin/bash
# Check go.mod and go.sum directly for genproto entries
echo "=== hyperfleet-sentinel go.mod ==="
if [ -f go.mod ]; then
  cat -n go.mod | grep -A2 -B2 'genproto' || echo "No genproto found in go.mod"
else
  echo "go.mod not found"
fi

echo -e "\n=== hyperfleet-sentinel go.sum ==="
if [ -f go.sum ]; then
  grep 'google.golang.org/genproto' go.sum | head -20 || echo "No genproto found in go.sum"
else
  echo "go.sum not found"
fi

echo -e "\n=== Full go.mod content (first 150 lines) ==="
if [ -f go.mod ]; then
  head -150 go.mod | cat -n
fi

Repository: openshift-hyperfleet/hyperfleet-sentinel

Length of output: 9655

---

🏁 Script executed:

#!/bin/bash
# Check hyperfleet-api go.mod and go.sum for genproto
echo "=== hyperfleet-api go.mod ==="
if [ -f go.mod ]; then
  grep -n 'genproto' go.mod || echo "No genproto found"
fi

echo -e "\n=== hyperfleet-api go.sum ==="
if [ -f go.sum ]; then
  grep 'google.golang.org/genproto/googleapis/api' go.sum
fi

Repository: openshift-hyperfleet/hyperfleet-api

Length of output: 585

---

🏁 Script executed:

#!/bin/bash
# Check hyperfleet-adapter go.mod and go.sum for genproto
echo "=== hyperfleet-adapter go.mod ==="
if [ -f go.mod ]; then
  grep -n 'genproto' go.mod || echo "No genproto found"
fi

echo -e "\n=== hyperfleet-adapter go.sum ==="
if [ -f go.sum ]; then
  grep 'google.golang.org/genproto/googleapis/api' go.sum
fi

Repository: openshift-hyperfleet/hyperfleet-adapter

Length of output: 676

---

🏁 Script executed:

#!/bin/bash
# Check hyperfleet-broker go.mod and go.sum for genproto
echo "=== hyperfleet-broker go.mod ==="
if [ -f go.mod ]; then
  grep -n 'genproto' go.mod || echo "No genproto found"
fi

echo -e "\n=== hyperfleet-broker go.sum ==="
if [ -f go.sum ]; then
  grep 'google.golang.org/genproto/googleapis/api' go.sum
fi

Repository: openshift-hyperfleet/hyperfleet-broker

Length of output: 673

---

Malformed genproto version string in go.mod — CWE-829 (supply chain integrity).

Line 139 contains a truncated/malformed version: 7ab31c22f7ad lacks the required v prefix and pseudo-version format (go.sum shows the correct version as v0.0.0-20260401024825-9d38bb4040a9). This will fail Go's module validation.

Beyond the syntax error, genproto versions differ across the workspace:

• hyperfleet-sentinel/api: v0.0.0-20260401024825-9d38bb4040a9
• hyperfleet-adapter: v0.0.0-20260526163538-3dc84a4a5aaa
• hyperfleet-broker: v0.0.0-20260209200024-4cfbd4190f57

The pseudo-version dates span February–May 2026. hyperfleet-broker actively constructs Google Cloud Pub/Sub protobuf messages (Topic, Subscription, ExpirationPolicy, RetryPolicy, DeadLetterPolicy). Misaligned genproto versions across the dependency chain (adapter → broker v1.1.0) risk protobuf message type incompatibilities during gRPC interface marshaling.

Fix the malformed version string and synchronize genproto versions across hyperfleet-api, hyperfleet-adapter, and hyperfleet-broker.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@go.mod` at line 139, The google.golang.org/genproto/googleapis/api dependency
on line 139 of go.mod has a malformed version string (7ab31c22f7ad) that lacks
the required v prefix and pseudo-version format (should be
v0.0.0-20260401024825-9d38bb4040a9 per go.sum). Fix this by replacing the
truncated hash with the complete pseudo-version string. Additionally,
synchronize the genproto version across all affected modules in the workspace
(hyperfleet-api, hyperfleet-adapter, and hyperfleet-broker) to use a consistent
version to prevent protobuf message type incompatibilities during gRPC interface
marshaling, particularly for the Pub/Sub message types constructed in
hyperfleet-broker.

Source: Linked repositories

---

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🌐 Web query:

What is the correct Go pseudo-version format for a module versioned by git commit hash?

💡 Result:

The Go pseudo-version format for a module versioned by a git commit hash follows the structure [1][2]: baseVersionPrefix-timestamp-revisionIdentifier This format consists of three parts separated by dashes [1][2]: 1. baseVersionPrefix: A value derived from either the latest semantic version tag preceding the commit (e.g., vX.Y.Z-0 or vX.Y.Z-pre.0) or vX.0.0 if no such tag exists [1][3][2]. 2. timestamp: The UTC time the revision was created, in the format yyyymmddhhmmss (based on the Git commit time, not author time) [1][3][2]. 3. revisionIdentifier: A 12-character prefix of the git commit hash [1][2]. For example, a pseudo-version might appear as v0.0.0-20191109021931-daa7c04131f5 [3][2]. It is considered a best practice to allow Go tools to generate these versions automatically rather than creating them manually [4]. The go command automatically converts revision identifiers into this canonical format when necessary [3].

Citations:

• 1: https://tip.golang.org/doc/modules/version-numbers
• 2: https://go.dev/ref/mod
• 3: https://tip.golang.org/ref/mod
• 4: https://go.dev/doc/modules/version-numbers

---

🏁 Script executed:

#!/bin/bash
# Read the go.mod file around line 139 to verify the claimed syntax error
sed -n '135,145p' go.mod

Repository: openshift-hyperfleet/hyperfleet-sentinel

Length of output: 559

---

🏁 Script executed:

#!/bin/bash
# Check if the go.mod file is syntactically valid by attempting to parse it
# and verify the module line format more broadly
head -20 go.mod && echo "---" && tail -5 go.mod && echo "---" && wc -l go.mod

Repository: openshift-hyperfleet/hyperfleet-sentinel

Length of output: 1134

---

🏁 Script executed:

#!/bin/bash
# Check if go.mod can be parsed and verify the syntax validity
# The file appears valid structurally, but let's check if the version string is acceptable
# by looking at the actual format more carefully and checking go.sum for corresponding entry

echo "=== Line 139 from go.mod ===" && sed -n '139p' go.mod
echo "=== Checking go.sum for this module ===" && grep "google.golang.org/genproto/googleapis/api" go.sum | head -3
echo "=== Module format check ===" && grep -n "google.golang.org/genproto" go.mod

Repository: openshift-hyperfleet/hyperfleet-sentinel

Length of output: 751

---

Malformed version string in go.mod — go.mod/go.sum mismatch violates Go module format (CWE-829).

Line 139 declares google.golang.org/genproto/googleapis/api 7ab31c22f7ad, a bare commit hash without version prefix. Go module syntax requires v0.0.0-<yyyymmddhhmmss>-<hash>.

The go.sum file declares the same module as v0.0.0-20260401024825-9d38bb4040a9 — a different, properly formatted version. This mismatch will cause go mod tidy to fail or auto-correct unpredictably. Fix go.mod line 139 to match go.sum's version:

google.golang.org/genproto/googleapis/api v0.0.0-20260401024825-9d38bb4040a9 // indirect

This is a supply chain integrity issue: mismatched versions between go.mod and go.sum can lead to different dependencies being resolved during builds, creating type incompatibilities with hyperfleet-broker's Pub/Sub protobuf usage (cloud.google.com/go/pubsub transitively depends on genproto API structures).

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@go.mod` at line 139, The google.golang.org/genproto/googleapis/api module
declaration uses a bare commit hash instead of the Go module version format.
Replace the bare commit hash with the properly formatted version string that
matches the entry in go.sum, which should follow the
v0.0.0-<yyyymmddhhmmss>-<hash> format to ensure consistency between go.mod and
go.sum and allow go mod tidy to work correctly.

Source: Coding guidelines

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@go.mod`:
- Line 139: The version string for google.golang.org/genproto/googleapis/api on
line 139 uses a bare 12-character commit hash (87f3d3e198d3) which violates Go
module format requirements. Replace this bare hash with a proper pseudo-version
format following the pattern v0.0.0-<yyyymmddhhmmss>-<hash> (similar to the
v0.0.0-20260401024825-9d38bb4040a9 format already present in go.sum for this
module). Alternatively, run go mod tidy locally to automatically correct the
malformed version string, then verify the corrected version is consistent across
all related hyperfleet repositories (hyperfleet-api, hyperfleet-adapter, and
hyperfleet-broker).

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Central YAML (base), Organization UI (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 895b66e0-900b-48b3-b503-a55e9f5d29f3

📥 Commits

Reviewing files that changed from the base of the PR and between 46af341 and d21f870.

📒 Files selected for processing (1)

• go.mod

🔗 Linked repositories identified

CodeRabbit considers these linked repositories for cross-repo context during reviews:

• openshift-hyperfleet/architecture (manual)
• openshift-hyperfleet/hyperfleet-api (manual)
• openshift-hyperfleet/hyperfleet-sentinel (manual)
• openshift-hyperfleet/hyperfleet-adapter (manual)
• openshift-hyperfleet/hyperfleet-broker (manual)

[coderabbitai]

⚠️ Potential issue | 🔴 Critical | ⚡ Quick win

Malformed version string violates Go module format and supply chain integrity (CWE-829).

Line 139 declares google.golang.org/genproto/googleapis/api 87f3d3e198d3, a bare 12-character commit hash. Go module syntax requires a proper pseudo-version: v0.0.0-<yyyymmddhhmmss>-<hash>. The go.sum file (lines 385–386) already specifies the correct format for the prior version: v0.0.0-20260401024825-9d38bb4040a9. A bare hash will cause go mod tidy to fail or auto-correct unpredictably, defeating the PR intent and violating go.mod/go.sum consistency (RFC at go.dev/ref/mod).

Supply chain risk: Malformed versions obscure dependency resolution and can mask integrity attacks. Misaligned genproto versions across hyperfleet-api, hyperfleet-adapter, and hyperfleet-broker (per linked repos) will trigger protobuf type incompatibilities when hyperfleet-broker's Pub/Sub integration (broker/googlepubsub.go) marshals messages with mismatched ExpirationPolicy, RetryPolicy, and DeadLetterPolicy field layouts.

Fix: Either (a) replace 87f3d3e198d3 with the proper pseudo-version format for that commit (check upstream genproto tags), or (b) run go mod tidy locally to auto-correct, then verify the new version aligns across all three hyperfleet repos.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@go.mod` at line 139, The version string for
google.golang.org/genproto/googleapis/api on line 139 uses a bare 12-character
commit hash (87f3d3e198d3) which violates Go module format requirements. Replace
this bare hash with a proper pseudo-version format following the pattern
v0.0.0-<yyyymmddhhmmss>-<hash> (similar to the
v0.0.0-20260401024825-9d38bb4040a9 format already present in go.sum for this
module). Alternatively, run go mod tidy locally to automatically correct the
malformed version string, then verify the corrected version is consistent across
all related hyperfleet repositories (hyperfleet-api, hyperfleet-adapter, and
hyperfleet-broker).

Source: Coding guidelines