[CI] Merge self-upgrade-main into main #435

Merged
cert-manager-prow[bot] merged 2 commits into main from self-upgrade-main on Mar 28, 2026

@octo-sts octo-sts Bot commented Mar 11, 2026

Contributor
  • Identify golangci-lint upgraded from v2.10.1 to v2.11.3 in this PR
  • Research new violations in v2.11.3 from similar cert-manager PR #8604
  • Discover verify-golangci-lint runs in ALL go.mod directories, including internal/versionchecker/test/testdata/
  • Find G703 (path traversal taint analysis) violations in fetch.go triggered by improved gosec v2.24.x in golangci-lint v2.11.3
  • Fix by adding // #nosec G703 comments to the two affected os.ReadFile/os.WriteFile calls
  • Verified both go module directories pass with 0 issues

@octo-sts octo-sts Bot added kind/cleanup Categorizes issue or PR as related to cleaning up code, process, or technical debt. ok-to-test release-note-none Denotes a PR that doesn't merit a release note. skip-review Indicates a PR is trusted, used by tide for auto-merging PRs. labels Mar 11, 2026
@cert-manager-prow cert-manager-prow Bot added the dco-signoff: yes Indicates that all commits in the pull request have the valid DCO sign-off message. label Mar 11, 2026
@cert-manager-prow

Contributor

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign inteon for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@cert-manager-prow

Contributor

Hi @octo-sts[bot]. Thanks for your PR.

I'm waiting for a cert-manager member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@cert-manager-prow cert-manager-prow Bot added the size/S Denotes a PR that changes 10-29 lines, ignoring generated files. label Mar 11, 2026
@octo-sts octo-sts Bot force-pushed the self-upgrade-main branch from d575d03 to b13617a Compare March 12, 2026 00:26
@cert-manager-prow cert-manager-prow Bot added size/L Denotes a PR that changes 100-499 lines, ignoring generated files. and removed size/S Denotes a PR that changes 10-29 lines, ignoring generated files. labels Mar 12, 2026
@octo-sts octo-sts Bot force-pushed the self-upgrade-main branch 7 times, most recently from 8d38402 to e9547db Compare March 19, 2026 00:33
@octo-sts octo-sts Bot force-pushed the self-upgrade-main branch 7 times, most recently from 040985e to 8905f2f Compare March 26, 2026 00:34
@octo-sts octo-sts Bot force-pushed the self-upgrade-main branch from 8905f2f to 6e360b4 Compare March 27, 2026 00:34
@octo-sts octo-sts Bot force-pushed the self-upgrade-main branch from 6e360b4 to b51354f Compare March 28, 2026 00:32
@erikgb

erikgb commented Mar 28, 2026

Member

@copilot, please suggest fixes to the new golang-ci lint violation causing CI to fail on this PR.

@cert-manager-prow cert-manager-prow Bot added dco-signoff: no Indicates that at least one commit in this pull request is missing the DCO sign-off message. and removed dco-signoff: yes Indicates that all commits in the pull request have the valid DCO sign-off message. labels Mar 28, 2026

Copilot AI commented Mar 28, 2026

Contributor

> @copilot, please suggest fixes to the new golang-ci lint violation causing CI to fail on this PR.

Fixed in commit d137fa7.

The new violation is G703 (path traversal via taint analysis) in internal/versionchecker/test/testdata/fetch.go. The verify-golangci-lint Make target runs golangci-lint in all go.mod directories, including this testdata subdirectory. The improved gosec taint analysis in v2.24.x (bundled in golangci-lint v2.11.3) now flags os.ReadFile and os.WriteFile calls where manifestsPath originates from os.Args[1].

Since this is a developer tool where the path is always developer-controlled, these are false positives. Added // #nosec G703 comments to suppress them.

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

  • dl.google.com
  • golangci-lint.run
  • https://storage.googleapis.com/cert-manager-prow-artifacts/pr-logs/pull/cert-manager_cmctl/435/pull-cert-manager-cmctl-verify/2037689282948239360/artifacts/build-log.txt
  • https://storage.googleapis.com/cert-manager-prow-artifacts/pr-logs/pull/cert-manager_cmctl/435/pull-cert-manager-cmctl-verify/2037689282948239360/build-log.txt
  • prow.infra.cert-manager.io
  • staticcheck.dev

If you need me to access, download, or install something from one of these locations, you can either:

Copilot AI requested a review from erikgb March 28, 2026 12:49
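
As an added illustration (not code from cmctl or from this PR), the sketch below places the `// #nosec G703` suppression described in the comment above beside an alternative that confines a caller-supplied name to a base directory. The function names and the two-argument CLI are assumptions, and no claim is made about what gosec reports for the second form.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
)

// ErrOutsideBase is returned when a requested name would leave the base directory.
var ErrOutsideBase = errors.New("path escapes base directory")

// readSuppressed mirrors the pattern described in the PR: the path comes
// straight from the caller (os.Args[1] in a CLI) and the finding is silenced.
func readSuppressed(path string) ([]byte, error) {
	return os.ReadFile(path) // #nosec G703 -- developer-controlled path
}

// resolveUnder joins name onto baseDir only if name is a local, relative path.
// The check is lexical: it rejects absolute paths and ".." escapes, but does
// not resolve symlinks that already exist inside baseDir.
func resolveUnder(baseDir, name string) (string, error) {
	if !filepath.IsLocal(name) {
		return "", fmt.Errorf("%w: %q", ErrOutsideBase, name)
	}
	return filepath.Join(baseDir, name), nil
}

// readConfined reads name relative to baseDir, refusing anything outside it.
func readConfined(baseDir, name string) ([]byte, error) {
	p, err := resolveUnder(baseDir, name)
	if err != nil {
		return nil, err
	}
	return os.ReadFile(p)
}

func main() {
	if len(os.Args) < 3 {
		fmt.Fprintln(os.Stderr, "usage: fetch <base-dir> <manifest-name>")
		os.Exit(2)
	}
	data, err := readConfined(os.Args[1], os.Args[2])
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	fmt.Printf("read %d bytes\n", len(data))
}
```

A suppression comment records a trust decision at one call site; the confined form enforces the boundary at run time, so it keeps holding if the helper is later called with input that is no longer developer-controlled.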
cert-manager-bot and others added 2 commits March 28, 2026 13:49
Signed-off-by: cert-manager-bot <cert-manager-bot@users.noreply.github.com>
@erikgb erikgb force-pushed the self-upgrade-main branch from d137fa7 to 49ee34c Compare March 28, 2026 12:50
@cert-manager-prow cert-manager-prow Bot added dco-signoff: yes Indicates that all commits in the pull request have the valid DCO sign-off message. and removed dco-signoff: no Indicates that at least one commit in this pull request is missing the DCO sign-off message. labels Mar 28, 2026
@cert-manager-prow cert-manager-prow Bot merged commit cdac2ba into main Mar 28, 2026
5 checks passed
Labels

dco-signoff: yes Indicates that all commits in the pull request have the valid DCO sign-off message. kind/cleanup Categorizes issue or PR as related to cleaning up code, process, or technical debt. ok-to-test release-note-none Denotes a PR that doesn't merit a release note. size/L Denotes a PR that changes 100-499 lines, ignoring generated files. skip-review Indicates a PR is trusted, used by tide for auto-merging PRs.
