
Bump the kubernetes group across 1 directory with 4 updates #45

Open
dependabot[bot] wants to merge 1 commit into main from dependabot/go_modules/kubernetes-cb17614c17

Conversation

@dependabot dependabot Bot (Contributor) commented on behalf of github May 12, 2026

Bumps the kubernetes group with 2 updates in the / directory: k8s.io/api and k8s.io/client-go.

Updates k8s.io/api from 0.32.1 to 0.36.1

Commits
  • 25001c8 Update dependencies to v0.36.1 tag
  • 879d396 Merge remote-tracking branch 'origin/master' into release-1.36
  • 030d81f Update github.com/moby/spdystream from v0.5.0 to v0.5.1
  • aef6eb6 Add granular authorization for DRA ResourceClaim status updates
  • 91061ea Merge pull request #136589 from tosi3k/preemption-mode
  • e6b81e2 Add Workload-Aware Preemption fields to Workload and PodGroup APIs
  • f8fce2e Merge pull request #136989 from nojnhuh/podgroup-resourceclaim
  • b928f5e Workload API: PodGroup ResourceClaims (KEP-5729)
  • 61bd78e Merge pull request #137190 from everpeace/KEP-5491-alpha
  • 6bf46eb Merge pull request #137028 from nmn3m/feature/dra-resource-pool-status
  • Additional commits viewable in compare view

Updates k8s.io/apimachinery from 0.32.1 to 0.36.1

Commits
  • 7af103a Update dependencies to v0.36.1 tag
  • efb7f26 Merge remote-tracking branch 'origin/master' into release-1.36
  • d966e56 Update github.com/moby/spdystream from v0.5.0 to v0.5.1
  • 79b3632 Merge pull request #137864 from yongruilin/dv-dra-mismatch
  • a8822f7 Add slice and map union member support with tests
  • 7dba2d0 Use IsZero instead of IsNil for union ratcheting check
  • d95710f Fix union validation ratcheting when oldObj is nil
  • 729062d Merge pull request #137849 from bryantbiggs/deps/update-kube-openapi
  • 13b12e6 dependencies: bump kube-openapi to drop ginkgo/gomega indirect deps
  • 27f4670 Merge pull request #136657 from Jefftree/sharding-test
  • Additional commits viewable in compare view

Updates k8s.io/client-go from 0.32.1 to 0.36.1

Commits
  • 55ef15a Update dependencies to v0.36.1 tag
  • f22a53e Merge remote-tracking branch 'origin/master' into release-1.36
  • a948641 Update github.com/moby/spdystream from v0.5.0 to v0.5.1
  • 7e44ffc Add Workload-Aware Preemption fields to Workload and PodGroup APIs
  • df2d882 Merge pull request #136989 from nojnhuh/podgroup-resourceclaim
  • 4eece52 Workload API: PodGroup ResourceClaims (KEP-5729)
  • 3d35c51 Merge pull request #137190 from everpeace/KEP-5491-alpha
  • 0434117 Merge pull request #137028 from nmn3m/feature/dra-resource-pool-status
  • ba785be Drop CSR analogy, mark ObjectMeta +required,reduce limits (maxItems=500, maxL...
  • 4a9c878 Add ResourcePoolStatusRequest API types and generated code
  • Additional commits viewable in compare view

Updates k8s.io/utils from 0.0.0-20241104100929-3ea5e8cea738 to 0.0.0-20260210185600-b8788abfbbc2

Commits

@dependabot dependabot Bot added area/dependency Issues or PRs related to dependency changes ok-to-test Indicates a non-member PR verified by an org member that is safe to test. labels May 12, 2026
@github-actions github-actions Bot enabled auto-merge (squash) May 12, 2026 23:51
@openshift-ci openshift-ci Bot requested review from jfrazierRedHat and tiwillia May 12, 2026 23:51
openshift-ci Bot commented May 12, 2026

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: dependabot[bot]
Once this PR has been reviewed and has the lgtm label, please assign ravitri for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

coderabbitai Bot commented May 12, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Enterprise

Run ID: f409d447-44e7-48af-a066-8d2d296e6230

📥 Commits

Reviewing files that changed from the base of the PR and between a2c3b68 and 2cec764.

⛔ Files ignored due to path filters (1)
  • go.sum is excluded by !**/*.sum
📒 Files selected for processing (1)
  • go.mod

Summary by CodeRabbit

  • Chores
    • Updated Go toolchain and dependencies to enhance stability and ensure compatibility.

Walkthrough

Updates the Go directive from 1.24 to 1.26.0 and refreshes direct Kubernetes modules plus many indirect/transitive dependencies in go.mod.

Changes

Go Toolchain and Dependency Upgrade

Layer | File(s) | Summary
Go directive update | go.mod | Go directive changed to go 1.26.0.
Direct Kubernetes dependency bumps | go.mod | Direct Kubernetes modules (k8s.io/api, k8s.io/apimachinery, k8s.io/client-go, k8s.io/utils) updated to newer versions (e.g., v0.36.1).
Indirect and transitive dependency refresh | go.mod | Multiple indirects and transitive libraries refreshed, including github.com/emicklei/go-restful/v3, github.com/fxamacker/cbor/v2, github.com/go-openapi/*, golang.org/x/*, google.golang.org/protobuf, sigs.k8s.io/structured-merge-diff (v6), and sigs.k8s.io/yaml.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name | Status | Explanation
Title check | ✅ Passed | The title accurately reflects the main change: bumping Kubernetes group dependencies. It mentions the directory count and update count, aligning with the changeset.
Description check | ✅ Passed | The description is directly related to the changeset, providing detailed information about the four Kubernetes module updates with commit histories and version changes.
Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request.


openshift-ci Bot commented May 12, 2026

Hi @dependabot[bot]. Thanks for your PR.

I'm waiting for an openshift-online member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work.

Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@go.mod`:
- Around line 45-46: The go.mod currently pins vulnerable indirect deps; add
explicit require entries for github.com/golang-jwt/jwt/v4 at v4.5.2 and
github.com/golang/glog at v1.2.4 (or update the parent modules that pull them)
so the module graph resolves to the patched versions; update go.sum by running
go get github.com/golang-jwt/jwt/v4@v4.5.2 and go get
github.com/golang/glog@v1.2.4 (or equivalent) and run go mod tidy to ensure the
new versions are recorded.
- Line 3: The repository's go.mod now sets "go 1.26.0" which conflicts with CI
pinning to "tag: golang-1.24" in your CI configs and missing Go setup in GitHub
Actions; update the CI configurations to use Go 1.26.x by changing the
ci-operator tag from "golang-1.24" to a matching golang-1.26 image and add
explicit Go setup steps in any GitHub Actions workflows (use actions/setup-go or
equivalent) so the runner installs Go 1.26 before builds and tests run.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Enterprise

Run ID: 5b8ccdcd-26fa-4195-83a1-1f3a3549df04

📥 Commits

Reviewing files that changed from the base of the PR and between 956a903 and a2c3b68.

⛔ Files ignored due to path filters (1)
  • go.sum is excluded by !**/*.sum
📒 Files selected for processing (1)
  • go.mod

Comment thread go.mod
module github.com/openshift-online/rosa-e2e

go 1.24
go 1.26.0
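Review bot: the `go 1.26.0` directive is a minimum toolchain requirement, and with the default GOTOOLCHAIN=auto a Go 1.24 `go` command will try to download go1.26.0 rather than fail outright, so whether the golang-1.24 ci-operator image actually breaks depends on whether that image sets GOTOOLCHAIN=local or has no egress; either way the build should not rely on a network toolchain fetch, so pin the CI image to a golang-1.26 tag (and consider a `toolchain` directive in go.mod) before this merges.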

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Inspect workflow/tooling files for pinned Go versions.
fd -i 'workflow|workflows|dockerfile|makefile|go-version|tool-versions|readme' . \
  | xargs -r rg -n -C2 'go-version|setup-go|golang:|GO_VERSION|go 1\.[0-9]+'

Repository: openshift-online/rosa-e2e

Length of output: 53


🏁 Script executed:

# First, let's see what workflow and CI-related files exist in the repository
find . -type f \( -name "*.yml" -o -name "*.yaml" -o -name "Dockerfile" -o -name "Makefile" -o -name ".go-version" -o -name ".tool-versions" \) | head -20

Repository: openshift-online/rosa-e2e

Length of output: 403


🏁 Script executed:

# Search for go version references in common locations
rg -i "go.*1\.[0-9]+\.[0-9]+" --max-count=20

Repository: openshift-online/rosa-e2e

Length of output: 3299


🏁 Script executed:

# Check CI/workflow directory structure
ls -la . | grep -E "workflow|github|ci|\.github"
find .github -type f 2>/dev/null | head -20

Repository: openshift-online/rosa-e2e

Length of output: 416


🏁 Script executed:

# Check the GitHub Actions workflows for Go version setup
cat .github/workflows/branch-protection-check.yml
cat .github/workflows/dependabot-auto-merge.yml

Repository: openshift-online/rosa-e2e

Length of output: 11788


🏁 Script executed:

# Check the Makefile for Go version configuration
cat Makefile | head -50

Repository: openshift-online/rosa-e2e

Length of output: 1137


🏁 Script executed:

# Check the ci-operator configuration
cat ./ci-operator/openshift-online-rosa-e2e-main.yaml | grep -i "go\|golang" -A 2 -B 2

Repository: openshift-online/rosa-e2e

Length of output: 142


CI pipeline will break with Go 1.26.0 — ci-operator is pinned to golang-1.24.

The go.mod change to go 1.26.0 conflicts with the ci-operator configuration at ci-operator/openshift-online-rosa-e2e-main.yaml, which specifies tag: golang-1.24. GitHub Actions workflows also lack explicit Go version setup. Update ci-operator and workflows to target Go 1.26.x before merging.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@go.mod` at line 3, The repository's go.mod now sets "go 1.26.0" which
conflicts with CI pinning to "tag: golang-1.24" in your CI configs and missing
Go setup in GitHub Actions; update the CI configurations to use Go 1.26.x by
changing the ci-operator tag from "golang-1.24" to a matching golang-1.26 image
and add explicit Go setup steps in any GitHub Actions workflows (use
actions/setup-go or equivalent) so the runner installs Go 1.26 before builds and
tests run.

Comment thread go.mod
Comment on lines 45 to 46
github.com/golang-jwt/jwt/v4 v4.4.1 // indirect
github.com/golang/glog v1.0.0 // indirect
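Review bot: these two lines are unchanged context, not part of the kubernetes group bump, so `github.com/golang-jwt/jwt/v4 v4.4.1` and `github.com/golang/glog v1.0.0` will still be pinned after merge, and auto-merge (squash) is already enabled on this PR; before widening a bot-generated update with direct requires for indirect modules, run `govulncheck ./...` to see whether GO-2024-3250, GO-2025-3553 and GO-2025-3372 are reachable from this module's code, and in any case gate the merge on a version-floor check for these two modules rather than letting it auto-merge with known-vulnerable pins.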

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🌐 Web query:

`What are the first patched versions for:

  • GO-2024-3250 and GO-2025-3553 in github.com/golang-jwt/jwt/v4
  • GO-2025-3372 in github.com/golang/glog
    Please include official sources (Go vulnerability database or GHSA pages).`

💡 Result:

GO-2024-3250 in github.com/golang-jwt/jwt/v4: v4.5.1 [1][2][3] GO-2025-3553 in github.com/golang-jwt/jwt/v4: v4.5.2 [4][5] GO-2025-3372 in github.com/golang/glog: v1.2.4 [6][7][8][9]

Citations:


🏁 Script executed:

#!/bin/bash
# Verify where these vulnerable modules are currently constrained.
rg -n -C2 'github.com/golang-jwt/jwt/v4|github.com/golang/glog' go.mod go.sum

# Check whether any replace directives already pin safer versions.
rg -n -C2 '^\s*replace\s+' go.mod

Repository: openshift-online/rosa-e2e

Length of output: 1395


Upgrade indirect dependencies to patch known high-severity vulnerabilities.

Lines 45–46 pin vulnerable versions:

  • github.com/golang-jwt/jwt/v4 v4.4.1 is affected by GO-2024-3250 and GO-2025-3553; upgrade to v4.5.2
  • github.com/golang/glog v1.0.0 is affected by GO-2025-3372; upgrade to v1.2.4

Since these are indirect dependencies, either add direct require statements with the patched versions or bump the parent modules that depend on them.

🧰 Tools
🪛 OSV Scanner (2.3.8)

[HIGH] 45-45: github.com/golang-jwt/jwt/v4 4.4.1: Improper error handling in ParseWithClaims and bad documentation may cause dangerous situations in github.com/golang-jwt/jwt

(GO-2024-3250)


[HIGH] 45-45: github.com/golang-jwt/jwt/v4 4.4.1: Excessive memory allocation during header parsing in github.com/golang-jwt/jwt

(GO-2025-3553)


[HIGH] 45-45: github.com/golang-jwt/jwt/v4 4.4.1: Bad documentation of error handling in ParseWithClaims can lead to potentially dangerous situations

(GHSA-29wx-vh33-7x7r)


[HIGH] 45-45: github.com/golang-jwt/jwt/v4 4.4.1: jwt-go allows excessive memory allocation during header parsing

(GHSA-mh63-6h87-95cp)


[HIGH] 46-46: github.com/golang/glog 1.0.0: Vulnerability when creating log files in github.com/golang/glog

(GO-2025-3372)


[HIGH] 46-46: github.com/golang/glog 1.0.0: Insecure Temporary File usage in github.com/golang/glog

(GHSA-6wxm-mpqj-6jpf)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@go.mod` around lines 45 - 46, The go.mod currently pins vulnerable indirect
deps; add explicit require entries for github.com/golang-jwt/jwt/v4 at v4.5.2
and github.com/golang/glog at v1.2.4 (or update the parent modules that pull
them) so the module graph resolves to the patched versions; update go.sum by
running go get github.com/golang-jwt/jwt/v4@v4.5.2 and go get
github.com/golang/glog@v1.2.4 (or equivalent) and run go mod tidy to ensure the
new versions are recorded.
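
As an added example (not code from this PR or from the rosa-e2e project), a small Go gate that scans go.mod text for the two indirect modules flagged above and reports any pin below the first patched release the review names; the minimum versions and the go.mod excerpt are taken from the comment, while the version-comparison rules (pseudo-versions reduced to their base, unparseable versions failing closed) are this example's own assumptions.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// First fixed releases named in the review: GO-2024-3250/GO-2025-3553 (jwt/v4), GO-2025-3372 (glog).
var minPatched = map[string]string{
	"github.com/golang-jwt/jwt/v4": "v4.5.2",
	"github.com/golang/glog":       "v1.2.4",
}

// parseSemver turns "v4.5.2" into [4 5 2]; a pseudo-version such as "v0.0.0-20241104100929-3ea5e8cea738" keeps only its "v0.0.0" base (assumption of this example).
func parseSemver(v string) (out [3]int, ok bool) {
	v = strings.TrimPrefix(v, "v")
	if i := strings.IndexAny(v, "-+"); i >= 0 {
		v = v[:i] // drop pre-release, pseudo-version or build suffix
	}
	n, err := fmt.Sscanf(v, "%d.%d.%d", &out[0], &out[1], &out[2])
	return out, err == nil && n == 3
}

// versionBelow reports have < want by major, minor, patch; an unparseable version counts as below so the gate fails closed.
func versionBelow(have, want string) bool {
	h, ok1 := parseSemver(have)
	w, ok2 := parseSemver(want)
	if !ok1 || !ok2 {
		return true
	}
	return h[0] < w[0] || h[0] == w[0] && (h[1] < w[1] || h[1] == w[1] && h[2] < w[2])
}

// checkGoMod scans go.mod text, direct and "// indirect" lines alike, and returns one finding per tracked module pinned below its patched minimum.
func checkGoMod(gomod string, mins map[string]string) []string {
	var findings []string
	sc := bufio.NewScanner(strings.NewReader(gomod))
	for sc.Scan() {
		f := strings.Fields(strings.TrimPrefix(strings.TrimSpace(sc.Text()), "require "))
		if len(f) < 2 {
			continue // blank lines and the "require (" / ")" wrappers
		}
		if want, tracked := mins[f[0]]; tracked && versionBelow(f[1], want) {
			findings = append(findings, f[0]+" "+f[1]+" is below patched "+want)
		}
	}
	return findings
}

// Constructed go.mod excerpt mirroring lines 45-46 of the PR (not the real file).
const sampleGoMod = `require (
	github.com/golang-jwt/jwt/v4 v4.4.1 // indirect
	github.com/golang/glog v1.0.0 // indirect
)`
```

Wiring `checkGoMod` into a pre-merge job that fails on a non-empty result is what stops a grouped dependabot PR from auto-merging while these pins remain.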

Bumps the kubernetes group with 2 updates in the / directory: [k8s.io/api](https://github.com/kubernetes/api) and [k8s.io/client-go](https://github.com/kubernetes/client-go).


Updates `k8s.io/api` from 0.32.1 to 0.36.1
- [Commits](kubernetes/api@v0.32.1...v0.36.1)

Updates `k8s.io/apimachinery` from 0.32.1 to 0.36.1
- [Commits](kubernetes/apimachinery@v0.32.1...v0.36.1)

Updates `k8s.io/client-go` from 0.32.1 to 0.36.1
- [Changelog](https://github.com/kubernetes/client-go/blob/master/CHANGELOG.md)
- [Commits](kubernetes/client-go@v0.32.1...v0.36.1)

Updates `k8s.io/utils` from 0.0.0-20241104100929-3ea5e8cea738 to 0.0.0-20260210185600-b8788abfbbc2
- [Commits](https://github.com/kubernetes/utils/commits)

---
updated-dependencies:
- dependency-name: k8s.io/api
  dependency-version: 0.36.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: kubernetes
- dependency-name: k8s.io/apimachinery
  dependency-version: 0.36.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: kubernetes
- dependency-name: k8s.io/client-go
  dependency-version: 0.36.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: kubernetes
- dependency-name: k8s.io/utils
  dependency-version: 0.0.0-20260210185600-b8788abfbbc2
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: kubernetes
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot changed the title Bump the kubernetes group with 4 updates Bump the kubernetes group across 1 directory with 4 updates May 20, 2026
@dependabot dependabot Bot force-pushed the dependabot/go_modules/kubernetes-cb17614c17 branch from a2c3b68 to 2cec764 Compare May 20, 2026 09:02
@github-actions github-actions Bot commented:

/retest

1 similar comment

openshift-ci Bot commented May 20, 2026

@dependabot[bot]: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name | Commit | Details | Required | Rerun command
ci/prow/periodics-images | 2cec764 | link | true | /test periodics-images
ci/prow/unit | 2cec764 | link | true | /test unit
ci/prow/lint | 2cec764 | link | true | /test lint
ci/prow/images | 2cec764 | link | true | /test images
ci/prow/e2e-rosa-classic-smoke | 2cec764 | link | true | /test e2e-rosa-classic-smoke
ci/prow/e2e-rosa-hcp-smoke | 2cec764 | link | true | /test e2e-rosa-hcp-smoke

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.
