fix: update opm build toolchain and fulcio#2034
Conversation
|
Hi @russell-parks. Thanks for your PR. I'm waiting for a operator-framework member to verify that this patch is reasonable to test. If it is, they should reply with Regular contributors should join the org to skip this step. Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. DetailsInstructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: The full list of commands accepted by this bot can be found here. DetailsNeeds approval from an approver in each of these files:Approvers can indicate their approval by writing |
There was a problem hiding this comment.
Pull request overview
This pull request updates the Operator Registry’s build toolchain and Go module dependencies to pick up security fixes (patched Go stdlib and a Fulcio CVE fix), aligning the Docker-based upstream builder path and the module’s Go version used by CI/GoReleaser.
Changes:
- Bumped the module Go version to Go 1.26.5 (CI uses
go-version-file: go.mod, so this propagates to GitHub Actions). - Pinned
upstream-builder.Dockerfileto golang:1.26.5-alpine for the upstream builder path. - Updated
github.com/sigstore/fulcioto v1.8.6 and incorporated the minimalgo mod tidy-driven dependency checksum updates.
Reviewed changes
Copilot reviewed 2 out of 3 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
| upstream-builder.Dockerfile | Pins the upstream builder image to Go 1.26.5 to ensure patched stdlib in that build path. |
| go.mod | Updates the module Go version and bumps Fulcio (plus associated indirect deps) to pick up security fixes. |
| go.sum | Updates dependency checksums consistent with the go.mod bumps / tidy result. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Codecov Report✅ All modified and coverable lines are covered by tests. Additional details and impacted files@@ Coverage Diff @@
## master #2034 +/- ##
=======================================
Coverage 58.81% 58.81%
=======================================
Files 141 141
Lines 13434 13434
=======================================
Hits 7901 7901
Misses 4323 4323
Partials 1210 1210 ☔ View full report in Codecov by Harness. 🚀 New features to boost your workflow:
|
|
The only failing check is The rest of CI is passing. Could a maintainer please add the |
|
/hold |
Summary
Trivy evidence
Before, quay.io/operator-framework/opm:master at sha256:a9f84574354fb46686fd0958b0ab5f6f49d6b2736c5c99f10e05d6d92cca10ea failed Trivy 0.70.0 with HIGH findings in usr/bin/opm:
After, I built a local linux/arm64 release-shaped image using Go 1.26.5, distroless static, /bin/opm, /bin/grpc_health_probe, nsswitch.conf, user 1001, and the opm entrypoint. The image ID was sha256:7a7598e588808493efb14e9b9398939e6d836509983b9cca4cfcc1197dc10a37.
Trivy command run locally, adapted only for the OrbStack Docker socket path:
Result:
Verification
No vulnerability suppressions, ignores, or scan weakening were added.