OCPBUGS-67673: bump logrus to v1.9.3

[cheesesashimi]

- What I did

Updated our dependency upon https://github.com/sirupsen/logrus.

- How to verify it

There should be no behavior changes within the MCO. Other than that, proving that this is fixed should be fairly straightforward:

1. Clone this PR.
2. Run podman run -it --rm -v "$PWD:/go/src/github.com/openshift/machine-config-operator:z" -w /go/src/github.com/openshift/machine-config-operator registry.ci.openshift.org/ocp/builder:rhel-9-golang-1.19-openshift-4.13 make binaries. This will build the MCO binaries using the Go toolchain for this OCP release.
3. Run for gobin in _output/linux/amd64/*; do echo "$gobin:"; go version -m "$gobin" | grep -i 'logrus'; done in order to view which binaries the MCO was built with. The output should resemble the following:

$ for gobin in _output/linux/amd64/*; do echo "$gobin:"; go version -m "$gobin" | grep -i 'logrus'; done
_output/linux/amd64/apiserver-watcher:
_output/linux/amd64/machine-config-controller:
        dep     github.com/sirupsen/logrus      v1.9.3
_output/linux/amd64/machine-config-daemon:
        dep     github.com/sirupsen/logrus      v1.9.3
_output/linux/amd64/machine-config-operator:
_output/linux/amd64/machine-config-server:

(Note: It is OK for components such as the apiserver-watcher, machine-config-operator, machine-config-server to not return anything. This just means that logrus is not within their dependency chain.)

- Description for the changelog
Update logrus to v1.9.3.

[openshift-ci-robot]

@cheesesashimi: This pull request references Jira Issue OCPBUGS-67673, which is invalid:

• release note text must be set and not match the template OR release note type must be set to "Release Note Not Required". For more information you can reference the OpenShift Bug Process.
• expected Jira Issue OCPBUGS-67673 to depend on a bug targeting a version in 4.14.0, 4.14.z and in one of the following states: VERIFIED, RELEASE PENDING, CLOSED (ERRATA), CLOSED (CURRENT RELEASE), CLOSED (DONE), CLOSED (DONE-ERRATA), but no dependents were found

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

The bug has been updated to refer to the pull request using the external bug tracker.

Details

In response to this:

- What I did

Updated our dependency upon https://github.com/sirupsen/logrus to address CVE-2025-65637.

- How to verify it

There should be no behavior changes within the MCO. Other than that, proving that this is fixed should be fairly straightforward:

1. Clone this PR.
2. Run podman run -it --rm -v "$PWD:/go/src/github.com/openshift/machine-config-operator:z" -w /go/src/github.com/openshift/machine-config-operator registry.ci.openshift.org/ocp/builder:rhel-9-golang-1.19-openshift-4.13 make binaries. This will build the MCO binaries using the Go toolchain for this OCP release.
3. Run for gobin in _output/linux/amd64/*; do echo "$gobin:"; go version -m "$gobin" | grep -i 'logrus'; done in order to view which binaries the MCO was built with. The output should resemble the following:

$ for gobin in _output/linux/amd64/*; do echo "$gobin:"; go version -m "$gobin" | grep -i 'logrus'; done
_output/linux/amd64/apiserver-watcher:
_output/linux/amd64/machine-config-controller:
       dep     github.com/sirupsen/logrus      v1.9.3
_output/linux/amd64/machine-config-daemon:
       dep     github.com/sirupsen/logrus      v1.9.3
_output/linux/amd64/machine-config-operator:
_output/linux/amd64/machine-config-server:

(Note: It is OK for components such as the apiserver-watcher, machine-config-operator, machine-config-server to not return anything. This just means that logrus is not within their dependency chain.)

- Description for the changelog
Update logrus to v1.9.3 to address CVE-2025-65637

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[cheesesashimi]

/jira refresh

[openshift-ci-robot]

@cheesesashimi: This pull request references Jira Issue OCPBUGS-67673, which is invalid:

• expected Jira Issue OCPBUGS-67673 to depend on a bug targeting a version in 4.14.0, 4.14.z and in one of the following states: VERIFIED, RELEASE PENDING, CLOSED (ERRATA), CLOSED (CURRENT RELEASE), CLOSED (DONE), CLOSED (DONE-ERRATA), but no dependents were found

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

Details

In response to this:

/jira refresh

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[yuqi-zhang]

/lgtm

It's a bit annoying to track the backport all the way through, since it'll expect dependant bugs from previous versions. Perhaps we can ask for an override from someone

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: cheesesashimi, yuqi-zhang

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS [cheesesashimi,yuqi-zhang]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[cheesesashimi]

/retest-required

[cheesesashimi]

/jira refresh

[openshift-ci-robot]

@cheesesashimi: This pull request references Jira Issue OCPBUGS-67673, which is invalid:

• expected Jira Issue OCPBUGS-67673 to depend on a bug targeting a version in 4.14.0, 4.14.z and in one of the following states: VERIFIED, RELEASE PENDING, CLOSED (ERRATA), CLOSED (CURRENT RELEASE), CLOSED (DONE), CLOSED (DONE-ERRATA), but no dependents were found

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

Details

In response to this:

/jira refresh

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[openshift-ci]

@cheesesashimi: /override requires failed status contexts, check run or a prowjob name to operate on.
The following unknown contexts/checkruns were given:

• jira/invalid-bug

Only the following failed contexts/checkruns were expected:

• ci/prow/bootstrap-unit
• ci/prow/e2e-aws-ovn
• ci/prow/e2e-aws-ovn-upgrade
• ci/prow/e2e-gcp-op
• ci/prow/images
• ci/prow/okd-scos-e2e-aws-ovn
• ci/prow/okd-scos-e2e-gcp-op
• ci/prow/okd-scos-e2e-gcp-ovn-upgrade
• ci/prow/okd-scos-images
• ci/prow/unit
• ci/prow/verify
• pull-ci-openshift-machine-config-operator-main-bootstrap-unit
• pull-ci-openshift-machine-config-operator-main-e2e-aws-ovn
• pull-ci-openshift-machine-config-operator-main-e2e-aws-ovn-upgrade
• pull-ci-openshift-machine-config-operator-main-e2e-gcp-op
• pull-ci-openshift-machine-config-operator-main-images
• pull-ci-openshift-machine-config-operator-main-okd-scos-e2e-aws-ovn
• pull-ci-openshift-machine-config-operator-main-okd-scos-images
• pull-ci-openshift-machine-config-operator-main-unit
• pull-ci-openshift-machine-config-operator-main-verify
• pull-ci-openshift-machine-config-operator-release-4.12-okd-scos-e2e-gcp-op
• pull-ci-openshift-machine-config-operator-release-4.12-okd-scos-e2e-gcp-ovn-upgrade
• tide

If you are trying to override a checkrun that has a space in it, you must put a double quote on the context.

Details

In response to this:

/override jira/invalid-bug

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[cheesesashimi]

/label jira/valid-bug

[cheesesashimi]

/remove-label jira/invalid-bug

[openshift-ci]

@cheesesashimi: The label(s) /remove-label jira/invalid-bug cannot be applied. These labels are supported: acknowledge-critical-fixes-only, platform/aws, platform/azure, platform/baremetal, platform/google, platform/libvirt, platform/openstack, ga, tide/merge-method-merge, tide/merge-method-rebase, tide/merge-method-squash, px-approved, docs-approved, qe-approved, ux-approved, no-qe, downstream-change-needed, rebase/manual, cluster-config-api-changed, run-integration-tests, approved, backport-risk-assessed, bugzilla/valid-bug, cherry-pick-approved, jira/valid-bug, ok-to-test, stability-fix-approved, staff-eng-approved. Is this label configured under labels -> additional_labels or labels -> restricted_labels in plugin.yaml?

Details

In response to this:

/remove-label jira/invalid-bug

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[openshift-ci]

@cheesesashimi: Can not set label jira/valid-bug: Must be member in one of these teams: [openshift-patch-managers openshift-staff-engineers openshift-release-oversight openshift-sustaining-engineers]

Details

In response to this:

/label jira/valid-bug

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[openshift-ci]

@cheesesashimi: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/okd-scos-e2e-gcp-op	09b1627	link	false	/test okd-scos-e2e-gcp-op
ci/prow/okd-scos-e2e-aws-ovn	09b1627	link	false	/test okd-scos-e2e-aws-ovn
ci/prow/okd-scos-e2e-gcp-ovn-upgrade	09b1627	link	false	/test okd-scos-e2e-gcp-ovn-upgrade
ci/prow/e2e-gcp-op	09b1627	link	true	/test e2e-gcp-op

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.