Skip to content

fix: update opm build toolchain and fulcio#2034

Open
russell-parks wants to merge 1 commit into
operator-framework:masterfrom
russell-parks:fix/opm-trivy-toolchain-fulcio
Open

fix: update opm build toolchain and fulcio#2034
russell-parks wants to merge 1 commit into
operator-framework:masterfrom
russell-parks:fix/opm-trivy-toolchain-fulcio

Conversation

@russell-parks

Copy link
Copy Markdown

Summary

  • update the module Go version from 1.26.3 to 1.26.5 so GitHub Actions and GoReleaser build opm with a patched Go stdlib
  • pin upstream-builder.Dockerfile to golang:1.26.5-alpine for the direct upstream builder path
  • bump github.com/sigstore/fulcio from v1.8.5 to v1.8.6 and keep the minimal go mod tidy result required by that bump

Trivy evidence

Before, quay.io/operator-framework/opm:master at sha256:a9f84574354fb46686fd0958b0ab5f6f49d6b2736c5c99f10e05d6d92cca10ea failed Trivy 0.70.0 with HIGH findings in usr/bin/opm:

After, I built a local linux/arm64 release-shaped image using Go 1.26.5, distroless static, /bin/opm, /bin/grpc_health_probe, nsswitch.conf, user 1001, and the opm entrypoint. The image ID was sha256:7a7598e588808493efb14e9b9398939e6d836509983b9cca4cfcc1197dc10a37.

Trivy command run locally, adapted only for the OrbStack Docker socket path:

docker run --rm -v /Users/russell/.orbstack/run/docker.sock:/var/run/docker.sock aquasec/trivy:0.70.0 image --ignore-unfixed --severity CRITICAL,HIGH --exit-code 1 opm-trivy-test:go1.26.5-fulcio1.8.6

Result:

Report Summary

Target                                                Type      Vulnerabilities
opm-trivy-test:go1.26.5-fulcio1.8.6 (debian 13.6)  debian    0
usr/bin/grpc_health_probe                             gobinary  0
usr/bin/opm                                           gobinary  0

Verification

  • GOCACHE=/tmp/opreg-go-build-cache GOMODCACHE=/tmp/opreg-go-mod-cache GOTOOLCHAIN=auto go mod tidy
  • GOCACHE=/tmp/opreg-go-build-cache GOMODCACHE=/tmp/opreg-go-mod-cache GOTOOLCHAIN=auto go mod verify
  • GOCACHE=/tmp/opreg-go-build-cache GOMODCACHE=/tmp/opreg-go-mod-cache GOTOOLCHAIN=auto make bin/opm
  • GOMODCACHE=/tmp/opreg-go-mod-cache GOTOOLCHAIN=auto go version -m bin/opm
    • reported go1.26.5
    • included github.com/sigstore/fulcio v1.8.6
  • GOCACHE=/tmp/opreg-go-build-cache GOMODCACHE=/tmp/opreg-go-mod-cache GOTOOLCHAIN=auto make unit
    • first sandboxed run failed only because localhost binds were denied
    • rerun with local socket permissions passed
  • docker buildx build --platform linux/arm64 -f /private/tmp/opm-release-trivy.Dockerfile -t opm-trivy-test:go1.26.5-fulcio1.8.6 --load .
  • Trivy command above

No vulnerability suppressions, ignores, or scan weakening were added.

Copilot AI review requested due to automatic review settings July 15, 2026 06:05
@openshift-ci openshift-ci Bot requested review from pedjak and rashmigottipati July 15, 2026 06:05
@openshift-ci openshift-ci Bot added the needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. label Jul 15, 2026
@openshift-ci

openshift-ci Bot commented Jul 15, 2026

Copy link
Copy Markdown
Contributor

Hi @russell-parks. Thanks for your PR.

I'm waiting for a operator-framework member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work.

Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@openshift-ci

openshift-ci Bot commented Jul 15, 2026

Copy link
Copy Markdown
Contributor

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign kevinrizza for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This pull request updates the Operator Registry’s build toolchain and Go module dependencies to pick up security fixes (patched Go stdlib and a Fulcio CVE fix), aligning the Docker-based upstream builder path and the module’s Go version used by CI/GoReleaser.

Changes:

  • Bumped the module Go version to Go 1.26.5 (CI uses go-version-file: go.mod, so this propagates to GitHub Actions).
  • Pinned upstream-builder.Dockerfile to golang:1.26.5-alpine for the upstream builder path.
  • Updated github.com/sigstore/fulcio to v1.8.6 and incorporated the minimal go mod tidy-driven dependency checksum updates.

Reviewed changes

Copilot reviewed 2 out of 3 changed files in this pull request and generated no comments.

File Description
upstream-builder.Dockerfile Pins the upstream builder image to Go 1.26.5 to ensure patched stdlib in that build path.
go.mod Updates the module Go version and bumps Fulcio (plus associated indirect deps) to pick up security fixes.
go.sum Updates dependency checksums consistent with the go.mod bumps / tidy result.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

@codecov

codecov Bot commented Jul 15, 2026

Copy link
Copy Markdown

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 58.81%. Comparing base (6a6d882) to head (62c07bd).

Additional details and impacted files
@@           Coverage Diff           @@
##           master    #2034   +/-   ##
=======================================
  Coverage   58.81%   58.81%           
=======================================
  Files         141      141           
  Lines       13434    13434           
=======================================
  Hits         7901     7901           
  Misses       4323     4323           
  Partials     1210     1210           

☔ View full report in Codecov by Harness.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

@russell-parks

Copy link
Copy Markdown
Author

The only failing check is go-verdiff, and it is failing because this PR intentionally updates the root go.mod Go version from 1.26.3 to 1.26.5:

Found golang version: 1.26.5
./go.mod: 1.26.5: Updated ROOT golang version from 1.26.3
No go-verdiff-override label found, failing the job.

The rest of CI is passing. Could a maintainer please add the go-verdiff-override label for this intentional security/toolchain bump?

@tmshort

tmshort commented Jul 15, 2026

Copy link
Copy Markdown
Contributor

/hold
We can't move beyond golang 1.26.3

@openshift-ci openshift-ci Bot added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Jul 15, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test.

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants