Dep bump v0.7

[Elijah-Destigni]

https://redhat.atlassian.net/browse/SECURESIGN-4030
https://redhat.atlassian.net/browse/SECURESIGN-4078
https://redhat.atlassian.net/browse/SECURESIGN-3984
https://redhat.atlassian.net/browse/SECURESIGN-3982

[coderabbitai]

Important

Review skipped

Auto reviews are disabled on base/target branches other than the default branch.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: fa086f14-26ea-4339-93b6-0656dc8d69ea

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

• 🔍 Trigger review

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[qodo-code-review]

Review Summary by Qodo

Dependency bump to v0.7 with build tags and Go version update

✨ Enhancement

Walkthroughs

Description

• Added build tags to benchmark packages for conditional compilation
• Updated Go version from 1.25.3 to 1.25.5 across all modules
• Bumped multiple dependencies to latest versions
• Increased unit test timeout from 1s to 5s in Makefile

Diagram

flowchart LR
  A["Build Tags Added"] --> B["Benchmark Packages"]
  C["Go Version"] --> D["1.25.3 → 1.25.5"]
  E["Dependencies Updated"] --> F["Multiple Packages"]
  G["Test Configuration"] --> H["Timeout: 1s → 5s"]
  B --> I["PR v0.7"]
  D --> I
  F --> I
  H --> I

Loading

File Changes

1. benchmark/internal/suite/closer.go ⚙️ Configuration changes +2/-0

Added benchmark build tag directive

benchmark/internal/suite/closer.go

---

2. benchmark/internal/registry/registry.go ⚙️ Configuration changes +2/-0

Added benchmark build tag directive

benchmark/internal/registry/registry.go

---

3. benchmark/internal/suite/suite.go ⚙️ Configuration changes +2/-0

Added benchmark build tag directive

benchmark/internal/suite/suite.go

---

View more (20)

4. benchmark/internal/untar/untar.go ⚙️ Configuration changes +2/-0

Added benchmark build tag directive

benchmark/internal/untar/untar.go

---

5. benchmark/offliner/offliner_test.go ⚙️ Configuration changes +2/-0

Added benchmark build tag directive

benchmark/offliner/offliner_test.go

---

6. benchmark/offliner/referrers.go ⚙️ Configuration changes +2/-0

Added benchmark build tag directive

benchmark/offliner/referrers.go

---

7. benchmark/offliner/base_images.go ⚙️ Configuration changes +2/-0

Added benchmark build tag directive

benchmark/offliner/base_images.go

---

8. benchmark/offliner/nab.go ⚙️ Configuration changes +2/-0

Added benchmark build tag directive

benchmark/offliner/nab.go

---

9. benchmark/offliner/offliner.go ⚙️ Configuration changes +2/-0

Added benchmark build tag directive

benchmark/offliner/offliner.go

---

10. benchmark/offliner/refs.go ⚙️ Configuration changes +2/-0

Added benchmark build tag directive

benchmark/offliner/refs.go

---

11. benchmark/offliner/related.go ⚙️ Configuration changes +2/-0

Added benchmark build tag directive

benchmark/offliner/related.go

---

12. benchmark/offliner/scans.go ⚙️ Configuration changes +2/-0

Added benchmark build tag directive

benchmark/offliner/scans.go

---

13. benchmark/offliner/subjects.go ⚙️ Configuration changes +2/-0

Added benchmark build tag directive

benchmark/offliner/subjects.go

---

14. benchmark/simple/simple.go ⚙️ Configuration changes +2/-0

Added benchmark build tag directive

benchmark/simple/simple.go

---

15. go.mod Dependencies +150/-115

Updated Go version and bumped dependencies

go.mod

---

16. Dockerfile.dist Dependencies +1/-1

Updated Go toolset version to 1.25.5

Dockerfile.dist

---

17. Makefile ⚙️ Configuration changes +1/-1

Increased unit test timeout to 5 seconds

Makefile

---

18. Dockerfile Dependencies +1/-1

Updated Go base image to 1.25.5

Dockerfile

---

19. tools/go.mod Dependencies +1/-1

Updated Go version to 1.25.5

tools/go.mod

---

20. acceptance/go.mod Dependencies +1/-1

Updated Go version to 1.25.5

acceptance/go.mod

---

21. tools/kubectl/go.mod Dependencies +1/-1

Updated Go version to 1.25.5

tools/kubectl/go.mod

---

22. .tool-versions ⚙️ Configuration changes +1/-1

Updated golang version to 1.25.5

.tool-versions

---

23. go.sum Additional files +388/-1326

...

go.sum

---

[qodo-code-review]

Code Review by Qodo

🐞 Bugs (1)   📘 Rule violations (0)   📎 Requirement gaps (0)   🎨 UX Issues (0)

🐞\ ≡ Correctness (1)

1. Benchmarks won't run 🐞 ≡

Description

All benchmark binaries are now guarded by the benchmark build tag, but the Makefile still executes
benchmarks via go run . without passing -tags=benchmark, so make benchmark_* will fail to
build/run.

Code

benchmark/simple/simple.go[R1-2]

+//go:build benchmark
+

Evidence

benchmark/* entrypoints now require the benchmark build tag, but the Makefile's benchmark target
invokes go run . without any build tags, so there will be no buildable Go files for the go run
invocation.

benchmark/simple/simple.go[1-24]
benchmark/offliner/offliner.go[1-20]
Makefile[169-172]

Agent prompt

The issue below was found during a code review. Follow the provided context and guidance below and implement a solution

## Issue description
Benchmark programs under `benchmark/` are now protected by `//go:build benchmark`, but `make benchmark_*` runs them using `go run .` without `-tags=benchmark`, which will fail because no files match the default build constraints.
### Issue Context
The benchmark directories contain `package main` programs, but they now require the `benchmark` build tag to compile.
### Fix Focus Areas
- Makefile[169-172]

ⓘ Copy this prompt and use it to remediate the issue with your preferred AI generation tools

---

2. Inconsistent Go patch versions ☑ 🐞 ⚙

Description

The root module declares go 1.25.8 while Dockerfiles and .tool-versions pin Go 1.25.5 (and other
repo modules also declare 1.25.5), creating inconsistent toolchain declarations across build inputs.

Code

go.mod[3]

+go 1.25.8

Evidence

The repo pins different Go patch versions in different places: the root go.mod requires 1.25.8,
but dev/build tooling references 1.25.5. This makes it unclear which Go version is expected for
consistent builds.

go.mod[1-4]
.tool-versions[1-1]
Dockerfile[17-34]
Dockerfile.dist[17-34]
acceptance/go.mod[1-4]
tools/go.mod[1-4]
tools/kubectl/go.mod[1-4]

Agent prompt

The issue below was found during a code review. Follow the provided context and guidance below and implement a solution

## Issue description
The repo currently declares multiple Go patch versions across `go.mod`, Dockerfiles, and `.tool-versions`. This inconsistency makes it ambiguous which toolchain version the project intends to support.
### Issue Context
- Root module uses a different patch version than Docker build images and asdf tool version pin.
- Submodules under `acceptance/` and `tools/` declare yet another (currently 1.25.5).
### Fix Focus Areas
- go.mod[1-4]
- .tool-versions[1-1]
- Dockerfile[17-20]
- Dockerfile.dist[17-20]
- acceptance/go.mod[1-4]
- tools/go.mod[1-4]
- tools/kubectl/go.mod[1-4]

ⓘ Copy this prompt and use it to remediate the issue with your preferred AI generation tools

---

ⓘ The new review experience is currently in Beta. Learn more

[qodo-code-review]

1. Benchmarks won't run 🐞 Bug ≡ Correctness

All benchmark binaries are now guarded by the benchmark build tag, but the Makefile still executes
benchmarks via go run . without passing -tags=benchmark, so make benchmark_* will fail to
build/run.

Agent Prompt

### Issue description
Benchmark programs under `benchmark/` are now protected by `//go:build benchmark`, but `make benchmark_*` runs them using `go run .` without `-tags=benchmark`, which will fail because no files match the default build constraints.

### Issue Context
The benchmark directories contain `package main` programs, but they now require the `benchmark` build tag to compile.

### Fix Focus Areas
- Makefile[169-172]

ⓘ Copy this prompt and use it to remediate the issue with your preferred AI generation tools

[tommyd450]

/ok-to-test

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.

Flag	Coverage Δ
generative	74.09% <ø> (+4.54%)	⬆️
integration	74.09% <ø> (+4.54%)	⬆️
unit	74.09% <ø> (+4.54%)	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.
see 12 files with indirect coverage changes

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[simonbaird]

Retriggering the tests just in case the acceptance failure was a flake.

[tommyd450]

It seems a snapshot is expecting a different output. We figured running make generate may help clear up that issue but seemingly not. @simonbaird this pr has sort of grown legs, would we be better off binning this one and opening fresh?

[st3penta]

hi @tommyd450, don't worry about this PR size, most of it is just go.sum noise.

You can run this command to update the snapshot: UPDATE_SNAPS=clean make acceptance

[simonbaird]

I think we have to pay close attention to the snapshot change. Do we know what changed and why?