Update google.golang.org/genproto/googleapis/rpc digest to 87f3d3e

[red-hat-konflux-kflux-prd-rh02]

This PR contains the following updates:

Package	Type	Update	Change
google.golang.org/genproto/googleapis/rpc	indirect	digest	9d38bb4 → 87f3d3e

---

Warning

Some dependencies could not be looked up. Check the warning logs for more information.

---

Configuration

📅 Schedule: Branch creation - "on monday" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

To execute skipped test pipelines write comment /ok-to-test.

---

Documentation

Find out how to configure dependency updates in MintMaker documentation or see all available configuration options in Renovate documentation.

[red-hat-konflux-kflux-prd-rh02]

⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

• any of the package files in this branch needs updating, or
• the branch becomes conflicted, or
• you click the rebase/retry checkbox if found above, or
• you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: go.sum

Command failed: go get -t ./...
go: downloading google.golang.org/genproto/googleapis/api v0.0.0-20260401024825-9d38bb4040a9
go: downloading google.golang.org/genproto/googleapis/rpc v0.0.0-20260618152121-87f3d3e198d3
go: github.com/openshift-hyperfleet/hyperfleet-sentinel/internal/client imports
	github.com/openshift-hyperfleet/hyperfleet-sentinel/pkg/api/openapi: cannot find module providing package github.com/openshift-hyperfleet/hyperfleet-sentinel/pkg/api/openapi

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign ma-hill for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[openshift-ci]

Hi @red-hat-konflux-kflux-prd-rh02[bot]. Thanks for your PR.

I'm waiting for a openshift-hyperfleet member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work.

Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[coderabbitai]

📝 Walkthrough

Summary by CodeRabbit

• Chores
  • Updated an indirect dependency to a newer available version.

Walkthrough

go.mod line 140 updates the indirect dependency google.golang.org/genproto/googleapis/rpc from pseudo-version v0.0.0-20260401024825-9d38bb4040a9 to commit hash pseudo-version 87f3d3e198d3. No other files or dependencies are modified in this diff.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

---

Supply chain flag — CWE-1395 / SLSA L0.

Commit hash pseudo-version 87f3d3e198d3 lacks signed tag or release attestation. Verify:

1. Upstream commit exists: Confirm 87f3d3e198d3 on canonical google.golang.org/genproto repository, not fork or mirror. Validate canonical branch membership.
2. go.sum lockfile: go.sum must be regenerated and committed in this PR. Absence of go.sum changes indicates lockfile drift — reject.
3. Transitive dependency chain: Run go mod graph | grep genproto/googleapis/rpc to identify which direct dependency pulled this in. Confirm that parent dependency was also intentionally updated.
4. Known vulnerabilities: Check NVD and security advisories for google.golang.org/genproto at commit 87f3d3e198d3. gRPC status/error types in this module have historical deserialization issues (CWE-502). Cross-reference google-cloud-go CVE records.
5. Pseudo-version integrity: Pseudo-version format 87f3d3e198d3 must match the actual commit hash length and format from upstream. Typos in commit SHAs bypass version control integrity.

🚥 Pre-merge checks | ✅ 10 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
No Pii Or Sensitive Data In Logs	⚠️ Warning	PR adds logging that exposes PII/sensitive data. The debug_config feature calls log.Infof with cfg.RedactedCopy() but RedactedCopy() doesn't redact BaseURL (may contain internal hostnames/credentia...	Implement proper redaction in RedactedCopy() to mask BaseURL and sanitize MessageData before debug logging, or disable debug config logging for sensitive fields.

✅ Passed checks (10 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title accurately describes the main change: updating the google.golang.org/genproto/googleapis/rpc dependency digest to commit 87f3d3e.
Description check	✅ Passed	The description relates to the changeset, showing the package update with old and new digest values, though it contains a discrepancy with the actual commit hash in the title.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Sec-02: Secrets In Log Output	✅ Passed	PR modifies only go.mod (dependency version bump). No source code changed. Searched all non-test Go files for log statements with secrets/tokens/credentials—none found.
No Hardcoded Secrets	✅ Passed	The PR updates google.golang.org/genproto/googleapis/rpc dependency to commit hash 87f3d3e198d3, a public 12-character hex identifier. No hardcoded secrets, API keys, tokens, passwords, private key...
No Weak Cryptography	✅ Passed	No weak cryptographic primitives detected in PR. Dependency update affects only go.mod; no crypto/md5, crypto/des, crypto/rc4, crypto/sha1 imports, ECB mode, or non-constant-time comparisons present.
No Injection Vectors	✅ Passed	No CWE-89/CWE-78/CWE-79/CWE-502 injection vectors found. TSL query building escapes quotes; config uses viper.UnmarshalExact; no exec.Command, template.HTML, or unsafe sql patterns.
No Privileged Containers	✅ Passed	PR modifies only go.mod; no K8s/Helm/Dockerfile changes. Existing production manifests enforce non-root (UID 65532), read-only root FS, disabled privilege escalation, no privileged mode.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch konflux/mintmaker/main/google.golang.org-genproto-googleapis-rpc-digest

✨ Simplify code

• Create PR with simplified code
• Commit simplified code in branch konflux/mintmaker/main/google.golang.org-genproto-googleapis-rpc-digest

Warning

There were issues while running some tools. Please review the errors and either fix the tool's configuration or disable the tool if it's a critical failure.

🔧 golangci-lint (2.12.2)

level=error msg="Running error: context loading failed: failed to load packages: failed to load packages: failed to load with go/packages: err: exit status 1: stderr: go: updates to go.mod needed, disabled by -mod=readonly; to update it:\n\tgo mod tidy\n"

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@go.mod`:
- Line 140: The dependency entry for google.golang.org/genproto/googleapis/rpc
at line 140 in go.mod uses a malformed pseudo-version format with only a bare
commit hash instead of the required Go pseudo-version syntax. Replace the
current entry with the proper pseudo-version format that includes the version
prefix, timestamp, and commit hash in the format
v0.0.0-YYYYMMDDHHMMSS-commitHash. The corrected version should be
v0.0.0-20260610172136-7ab31c22f7ad to ensure the Go parser accepts the version
and the dependency resolves correctly for the gRPC error handling and pub/sub
functionality that depends on genproto RPC definitions.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Central YAML (base), Organization UI (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 2ffc51cc-d471-485b-9867-2195d822e561

📥 Commits

Reviewing files that changed from the base of the PR and between 6cb186e and ff8f119.

📒 Files selected for processing (1)

• go.mod

🔗 Linked repositories identified

CodeRabbit considers these linked repositories for cross-repo context during reviews:

• openshift-hyperfleet/architecture (manual)
• openshift-hyperfleet/hyperfleet-api (manual)
• openshift-hyperfleet/hyperfleet-sentinel (manual)
• openshift-hyperfleet/hyperfleet-adapter (manual)
• openshift-hyperfleet/hyperfleet-broker (manual)

[coderabbitai]

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Validate go.mod syntax and fetch genproto commit details

# Test 1: Check if go.mod parses (should fail with current syntax)
echo "=== Testing go.mod syntax ==="
cd /tmp && git clone --depth 1 https://github.com/openshift-hyperfleet/hyperfleet-sentinel.git 2>/dev/null || true
if [ -f /tmp/hyperfleet-sentinel/go.mod ]; then
  cd /tmp/hyperfleet-sentinel && go mod tidy -e 2>&1 | head -20
fi

# Test 2: Find the correct pseudo-version format for commit 7ab31c22f7ad
echo "=== Fetching genproto commit metadata ==="
cd /tmp && git clone --depth 1 https://github.com/googleapis/go-genproto.git 2>/dev/null || true
if [ -d /tmp/go-genproto ]; then
  cd /tmp/go-genproto
  git log --oneline --all | grep -i "7ab31c2" || echo "Commit not found in shallow clone"
  # Get full metadata for the commit
  git log --format="%H %aI" | head -1 || echo "Unable to retrieve commit timestamp"
fi

# Test 3: Validate format against other genproto dependencies in the same file
echo "=== Comparing version formats in provided go.mod ==="
rg 'google.golang.org/genproto' 2>/dev/null | head -5

Repository: openshift-hyperfleet/hyperfleet-sentinel

Length of output: 2143

---

🏁 Script executed:

#!/bin/bash
# Verify actual go.mod line 140 and surrounding context
echo "=== go.mod lines 135-145 ==="
sed -n '135,145p' go.mod

echo ""
echo "=== All google.golang.org/genproto entries ==="
grep -n 'google.golang.org/genproto' go.mod

Repository: openshift-hyperfleet/hyperfleet-sentinel

Length of output: 881

---

🏁 Script executed (no clone):

#!/bin/bash
# Check Go module pseudo-version format specification
echo "=== Verify commit hash 7ab31c22f7ad format ==="
# A valid Go pseudo-version is: vX.Y.Z-prerelease.0.<timestamp>-<commit>
# But bare commit hashes are also valid in some contexts. Let's verify.
cat <<'EOF'
Go module versions can be:
1. Semantic version: v1.2.3
2. Pre-release: v1.2.3-beta.1
3. Pseudo-version: v0.0.0-20260610172136-7ab31c22f7ad (format: v0.0.0-<timestamp>-<commit>)
4. Bare commit hash in replace directives (but not in require/require)

The line shown in review (google.golang.org/genproto/googleapis/rpc 7ab31c22f7ad) 
appears to use bare commit hash syntax.

Checking Go 1.11+ module specification for validity...
EOF

Length of output: 506

---

🏁 Script executed:

#!/bin/bash
# Verify hyperfleet-broker's dependency on genproto and RPC status usage
echo "=== Checking broker/googlepubsub.go for gRPC status code usage ==="
grep -n "status\|codes\.NotFound\|codes\.AlreadyExists" broker/googlepubsub.go | head -20

echo ""
echo "=== Checking go.mod for genproto dependency ==="
grep -i 'genproto' go.mod

Repository: openshift-hyperfleet/hyperfleet-broker

Length of output: 729

---

🏁 Script executed:

#!/bin/bash
# Test if the bare commit hash causes actual build failure
echo "=== Attempting go build (should fail or show warnings) ==="
go build ./... 2>&1 | head -50

echo ""
echo "=== Check go mod graph for genproto/rpc version ==="
go mod graph | grep 'genproto/rpc' || echo "No match found"

Repository: openshift-hyperfleet/hyperfleet-sentinel

Length of output: 3019

---

🏁 Script executed:

#!/bin/bash
# Check go.sum for the actual resolved version
echo "=== go.sum entries for genproto/googleapis/rpc ==="
grep 'genproto/googleapis/rpc' go.sum | head -5

echo ""
echo "=== Verify if Go accepts bare commit hash format ==="
# Check if the bare hash was normalized to a pseudo-version
go mod edit -json | jq '.Require[] | select(.Path | contains("genproto/googleapis/rpc"))'

Repository: openshift-hyperfleet/hyperfleet-sentinel

Length of output: 634

---

Malformed pseudo-version at line 140 blocks build and prevents dependency update. [CWE-829]

Line 140 uses bare commit hash 7ab31c22f7ad instead of proper Go pseudo-version format. Go parser rejects this with error: version "7ab31c22f7ad" invalid: must be of the form v1.2.3. The intended update to google.golang.org/genproto/googleapis/rpc is blocked; go.sum still resolves to the old version v0.0.0-20260401024825-9d38bb4040a9.

Use proper pseudo-version format with timestamp: google.golang.org/genproto/googleapis/rpc v0.0.0-20260610172136-7ab31c22f7ad // indirect (based on commit 7ab31c22f7ad from 2026-06-10T17:21:36).

This matters because hyperfleet-broker depends on genproto RPC definitions for gRPC error handling in health checks (NotFound vs connectivity failures at lines 95–110) and pub/sub topic verification (AlreadyExists/NotFound checks at lines 140–170). The dependency version must resolve correctly.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@go.mod` at line 140, The dependency entry for
google.golang.org/genproto/googleapis/rpc at line 140 in go.mod uses a malformed
pseudo-version format with only a bare commit hash instead of the required Go
pseudo-version syntax. Replace the current entry with the proper pseudo-version
format that includes the version prefix, timestamp, and commit hash in the
format v0.0.0-YYYYMMDDHHMMSS-commitHash. The corrected version should be
v0.0.0-20260610172136-7ab31c22f7ad to ensure the Go parser accepts the version
and the dependency resolves correctly for the gRPC error handling and pub/sub
functionality that depends on genproto RPC definitions.

Source: Coding guidelines

[coderabbitai]

♻️ Duplicate comments (1)

go.mod (1)

140-140: ⚠️ Potential issue | 🔴 Critical | ⚡ Quick win

Restore a valid Go pseudo-version.

87f3d3e198d3 is not a legal go.mod version token; this keeps the indirect dependency unresolved and can break module resolution/builds. Use a proper pseudo-version (v0.0.0-YYYYMMDDHHMMSS-<hash>) for google.golang.org/genproto/googleapis/rpc.

🔧 Proposed fix

-	google.golang.org/genproto/googleapis/rpc 87f3d3e198d3 // indirect
+	google.golang.org/genproto/googleapis/rpc v0.0.0-YYYYMMDDHHMMSS-87f3d3e198d3 // indirect

Verification:

#!/bin/bash
set -euo pipefail
go mod edit -json >/tmp/go.mod.json
go list -m -json google.golang.org/genproto/googleapis/rpc

Expected: go mod edit -json succeeds and the module resolves to a valid v0.0.0-... pseudo-version.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@go.mod` at line 140, In the go.mod file, the
google.golang.org/genproto/googleapis/rpc dependency has an invalid
pseudo-version token `87f3d3e198d3` which is not a legal version format. Replace
this invalid token with a proper Go pseudo-version following the format
v0.0.0-YYYYMMDDHHMMSS-<hash>, where the hash is the commit hash (the
12-character hash can be the full commit identifier). This will resolve the
module properly and prevent build and module resolution issues.

Source: Coding guidelines

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Duplicate comments:
In `@go.mod`:
- Line 140: In the go.mod file, the google.golang.org/genproto/googleapis/rpc
dependency has an invalid pseudo-version token `87f3d3e198d3` which is not a
legal version format. Replace this invalid token with a proper Go pseudo-version
following the format v0.0.0-YYYYMMDDHHMMSS-<hash>, where the hash is the commit
hash (the 12-character hash can be the full commit identifier). This will
resolve the module properly and prevent build and module resolution issues.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Central YAML (base), Organization UI (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 20bf5ab3-21da-4bda-b078-50103d1474ef

📥 Commits

Reviewing files that changed from the base of the PR and between ff8f119 and ef467b0.

📒 Files selected for processing (1)

• go.mod

🔗 Linked repositories identified

CodeRabbit considers these linked repositories for cross-repo context during reviews:

• openshift-hyperfleet/architecture (manual)
• openshift-hyperfleet/hyperfleet-api (manual)
• openshift-hyperfleet/hyperfleet-sentinel (manual)
• openshift-hyperfleet/hyperfleet-adapter (manual)
• openshift-hyperfleet/hyperfleet-broker (manual)