Bump k8s.io/client-go from 0.32.1 to 0.36.0 #23

Closed
dependabot[bot] wants to merge 1 commit into main from dependabot/go_modules/k8s.io/client-go-0.36.0

@dependabot dependabot Bot commented on behalf of github Apr 29, 2026

Bumps k8s.io/client-go from 0.32.1 to 0.36.0.

Commits
  • 1d95f02 Update dependencies to v0.36.0 tag
  • f22a53e Merge remote-tracking branch 'origin/master' into release-1.36
  • a948641 Update github.com/moby/spdystream from v0.5.0 to v0.5.1
  • 7e44ffc Add Workload-Aware Preemption fields to Workload and PodGroup APIs
  • df2d882 Merge pull request #136989 from nojnhuh/podgroup-resourceclaim
  • 4eece52 Workload API: PodGroup ResourceClaims (KEP-5729)
  • 3d35c51 Merge pull request #137190 from everpeace/KEP-5491-alpha
  • 0434117 Merge pull request #137028 from nmn3m/feature/dra-resource-pool-status
  • ba785be Drop CSR analogy, mark ObjectMeta +required,reduce limits (maxItems=500, maxL...
  • 4a9c878 Add ResourcePoolStatusRequest API types and generated code
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Bumps [k8s.io/client-go](https://github.com/kubernetes/client-go) from 0.32.1 to 0.36.0.
- [Changelog](https://github.com/kubernetes/client-go/blob/master/CHANGELOG.md)
- [Commits](kubernetes/client-go@v0.32.1...v0.36.0)

---
updated-dependencies:
- dependency-name: k8s.io/client-go
  dependency-version: 0.36.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added the dependencies (Pull requests that update a dependency file) and go (Pull requests that update go code) labels Apr 29, 2026

coderabbitai Bot commented Apr 29, 2026

Summary by CodeRabbit

  • Chores
    • Updated Go toolchain requirement from 1.24 to 1.26.0
    • Upgraded core Kubernetes dependencies to v0.36.0 for improved compatibility and performance
    • Refreshed indirect dependencies to ensure stability and compatibility with the latest ecosystem

Walkthrough

The pull request updates the Go module dependencies, including bumping the Go toolchain requirement from 1.24 to 1.26.0 and upgrading core Kubernetes packages from v0.32.1 to v0.36.0. Multiple indirect dependencies are refreshed, with some removed and new ones introduced to maintain compatibility.

Changes

| Cohort / File(s) | Summary |
|---|---|
| Go Module Dependency Update: go.mod | Bumped Go toolchain from 1.24 to 1.26.0; upgraded Kubernetes API packages (k8s.io/api, k8s.io/apimachinery, k8s.io/client-go, k8s.io/utils) from v0.32.1 to v0.36.0; refreshed indirect dependencies including go-restful, go-logr, gnostic-models, and golang.org/x/* packages; removed packages like github.com/gogo/protobuf, google/gofuzz, github.com/pkg/errors; added go.yaml.in/yaml/v2 and v3; updated k8s.io/klog/v2, k8s.io/kube-openapi, and sigs.k8s.io/* modules. |

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)

| Check name | Status | Explanation |
|---|---|---|
| Title check | ✅ Passed | The title accurately describes the main change: upgrading k8s.io/client-go from version 0.32.1 to 0.36.0, which aligns with the primary change in the changeset. |
| Description check | ✅ Passed | The description is directly related to the changeset, providing details about the k8s.io/client-go upgrade from 0.32.1 to 0.36.0 with relevant commit information. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |

@openshift-ci openshift-ci Bot requested review from bmeng and tiwillia April 29, 2026 04:37

openshift-ci Bot commented Apr 29, 2026

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: dependabot[bot]
Once this PR has been reviewed and has the lgtm label, please assign tiwillia for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci openshift-ci Bot added the needs-ok-to-test label (Indicates a PR that requires an org member to verify it is safe to test.) Apr 29, 2026

openshift-ci Bot commented Apr 29, 2026

Hi @dependabot[bot]. Thanks for your PR.

I'm waiting for an openshift-online member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work.

Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 1

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
go.mod (1)

19-86: ⚠️ Potential issue | 🟠 Major

Upgrade vulnerable transitive dependencies: jwt/v4 to v4.5.2 and glog to v1.2.4.

This go.mod refresh includes indirect dependencies with known Go vulnerabilities:

  • github.com/golang-jwt/jwt/v4 v4.4.1 (Line 45) is vulnerable to GO-2024-3250 and GO-2025-3553; upgrade to v4.5.2
  • github.com/golang/glog v1.0.0 (Line 46) is vulnerable to GO-2025-3372; upgrade to v1.2.4
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@go.mod` around lines 19 - 86, Update the vulnerable indirect modules in
go.mod by bumping github.com/golang-jwt/jwt/v4 from v4.4.1 to v4.5.2 and
github.com/golang/glog from v1.0.0 to v1.2.4; after editing the require entries
for these module paths, run the appropriate Go tooling (e.g., go get
github.com/golang-jwt/jwt/v4@v4.5.2 and go get github.com/golang/glog@v1.2.4,
then go mod tidy) to refresh go.sum and ensure the transitive graph is updated.
ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Enterprise

Run ID: 8e01c0c2-cde4-4685-8d08-a559e1be8a00

📥 Commits

Reviewing files that changed from the base of the PR and between 7ba1335 and 9e0c45a.

⛔ Files ignored due to path filters (1)
  • go.sum is excluded by !**/*.sum
📒 Files selected for processing (1)
  • go.mod

Comment thread go.mod
module github.com/openshift-online/rosa-e2e

go 1.24
go 1.26.0
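
Review bot: the `go` directive moves from `go 1.24` to `go 1.26.0` here, which raises the minimum toolchain for the whole module rather than just updating a dependency; call that out in the PR description and land it together with the matching builder image change. Since Go 1.21 the `go` line is enforced, so an older toolchain will refuse to build the module (or fetch a newer toolchain if GOTOOLCHAIN permits), and a pinned or hermetic build environment will fail instead.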

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🏁 Script executed:

```bash
#!/bin/bash
set -euo pipefail

echo "== go directive =="
rg -n '^\s*go\s+[0-9]+\.[0-9]+(\.[0-9]+)?\s*$' go.mod

echo
echo "== CI/workflow Go version pins =="
rg -n --iglob '*.yml' --iglob '*.yaml' 'setup-go|go-version|GO_VERSION|golang:' .github
```

Repository: openshift-online/rosa-e2e

Length of output: 135


🏁 Script executed:

```bash
#!/bin/bash
set -euo pipefail

echo "=== CI Workflows (all locations) ==="
find . -type f \( -name "*.yml" -o -name "*.yaml" \) | grep -E "(workflow|ci|test|build)" | head -20

echo
echo "=== All files in .github ==="
find .github -type f 2>/dev/null | head -20

echo
echo "=== Docker/Container specs ==="
find . -type f \( -name "Dockerfile*" -o -name "docker-compose*.yml" \) | head -10

echo
echo "=== Toolchain files ==="
find . -type f \( -name ".tool-versions" -o -name "setup.sh" -o -name "Makefile" \) | head -10

echo
echo "=== Go version in any workflow files (broader search) ==="
rg -i "go.version|go-version|golang:" --type yml --type yaml 2>/dev/null | head -20
```

Repository: openshift-online/rosa-e2e

Length of output: 448


🏁 Script executed:

```bash
#!/bin/bash
set -euo pipefail

echo "=== ci-operator/openshift-online-rosa-e2e-main.yaml ==="
cat ./ci-operator/openshift-online-rosa-e2e-main.yaml

echo
echo "=== Makefile (first 100 lines) ==="
head -100 ./Makefile
```

Repository: openshift-online/rosa-e2e

Length of output: 1760


🏁 Script executed:

```bash
#!/bin/bash
set -euo pipefail

echo "=== Containerfile ==="
cat ./Containerfile
```

Repository: openshift-online/rosa-e2e

Length of output: 504


Go 1.26.0 bump requires CI infrastructure updates—builds will fail immediately.

The go.mod change to Go 1.26.0 (line 3) conflicts with pinned Go 1.24 in the CI pipeline:

  • ci-operator/openshift-online-rosa-e2e-main.yaml specifies golang-1.24
  • Containerfile uses rhel-9-golang-1.24-openshift-4.22

Update both files to Go 1.26 before merging, or revert the go.mod version change.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@go.mod` at line 3, The go.mod change to "go 1.26.0" breaks CI because the
pipeline and build image are still pinned to Go 1.24; update the CI and
container build to match or revert the go.mod bump. Specifically, either revert
the go.mod entry "go 1.26.0" back to 1.24, or update the CI pipeline reference
`golang-1.24` and the Containerfile base image
`rhel-9-golang-1.24-openshift-4.22` to the corresponding Go 1.26 variants so the
build environment and go.mod are consistent before merging.
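
The two CodeRabbit findings in this thread (indirect modules below their fixed versions, and builder pins older than the `go` directive) can be enforced as one pre-merge gate. The Go sketch below is an added example, not code from the rosa-e2e repository or from CodeRabbit: the `go.mod` text is constructed, `Audit`, `floors` and `ver` are hypothetical names, the `golang-<major.minor>` pin pattern is assumed from the two pin names quoted above, and the fixed versions are the ones stated in the review.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Constructed go.mod excerpt using the versions quoted in the review (not the repository's file).
const sampleGoMod = `go 1.26.0
require (
	github.com/golang-jwt/jwt/v4 v4.4.1 // indirect
	github.com/golang/glog v1.0.0 // indirect
	k8s.io/client-go v0.36.0
)`

var (
	floors  = map[string]string{"github.com/golang-jwt/jwt/v4": "v4.5.2", "github.com/golang/glog": "v1.2.4"} // fixed versions from the review
	goLine  = regexp.MustCompile(`(?m)^go\s+(\d+(?:\.\d+)*)\s*$`)
	reqLine = regexp.MustCompile(`(?m)^\s*(?:require\s+)?(\S+)\s+(v\d+\.\d+\.\d+)`)
	pinRe   = regexp.MustCompile(`golang-(\d+\.\d+)`) // assumed builder naming, as in "golang-1.24"
)

// ver packs "v4.5.2" or "1.24" into one int; missing parts are 0, suffixes ignored, parts assumed < 1000.
func ver(s string) int {
	var a, b, c int
	fmt.Sscanf(strings.TrimPrefix(s, "v"), "%d.%d.%d", &a, &b, &c) // partial parse is intended
	return a*1_000_000 + b*1_000 + c
}

// Audit reports required modules below their floor and builder pins older than the go directive.
func Audit(gomod string, pins []string) (out []string) {
	for _, m := range reqLine.FindAllStringSubmatch(gomod, -1) {
		if floor, ok := floors[m[1]]; ok && ver(m[2]) < ver(floor) {
			out = append(out, fmt.Sprintf("%s %s is below fixed version %s", m[1], m[2], floor))
		}
	}
	g := goLine.FindStringSubmatch(gomod)
	for _, p := range pins {
		if v := pinRe.FindStringSubmatch(p); g != nil && v != nil && ver(v[1]) < ver(g[1]) {
			out = append(out, fmt.Sprintf("builder %s has Go %s, go.mod needs %s", p, v[1], g[1]))
		}
	}
	return out
}

func main() {
	fmt.Println(strings.Join(Audit(sampleGoMod, []string{"golang-1.24", "rhel-9-golang-1.24-openshift-4.22"}), "\n"))
}
```

A floor table like this only covers the advisories someone has entered; it complements a vulnerability scanner run in CI rather than replacing one.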


dependabot Bot commented on behalf of github May 12, 2026

Superseded by #45.

@dependabot dependabot Bot closed this May 12, 2026
@dependabot dependabot Bot deleted the dependabot/go_modules/k8s.io/client-go-0.36.0 branch May 12, 2026 23:51