chore: update dependencies #2080

Open
Despire wants to merge 23 commits into master from chore/update-dependabot-dependencies

@Despire Despire commented Apr 29, 2026

Updates from dependabot PRs.

Summary by CodeRabbit

  • Chores
    • Upgraded CI workflows, build tooling, Go version, many dependency pins, and base container images; updated packaged component image tags.
  • Bug Fixes / Reliability
    • Improved event reporting to include richer, formatted failure details for provisioning flows.
  • Refactor
    • Simplified webhook/validation wiring to use typed validators and clearer event recorder integration.

coderabbitai Bot commented Apr 29, 2026

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

  • @coderabbitai resume to resume automatic reviews.
  • @coderabbitai review to trigger a single review.

Walkthrough

Bumps CI action major versions, upgrades Go toolchain to 1.26.x and many Go/Python deps, updates Alpine/base images in Dockerfiles, switches GCP credential construction to explicit service-account type, and adjusts Kubernetes event/validator APIs and image tags.

Changes

| Cohort / File(s) | Summary |
|---|---|
| **GitHub Actions Workflows**: .github/workflows/CI-pipeline.yml, .github/workflows/automatic-docs-update.yml, .github/workflows/release-docs.yml, .github/workflows/release.yml | Bumped action major versions (e.g., actions/checkout v4→v6, setup-go/setup-python v5→v6, Docker actions v3→v4, imranismail/setup-kustomize v2→v3). Minor whitespace/format fixes. |
| **Go module manifest**: go.mod | Raised Go version to 1.26 and updated many direct/indirect dependency versions; adjusted Kubernetes replace pins and structured-merge-diff path. |
| **Python deps**: requirements.txt | Updated pinned versions for multiple Python/doc tooling packages. |
| **Service Dockerfiles**: services/ansibler/Dockerfile, services/*/Dockerfile (e.g., services/autoscaler-adapter/Dockerfile, services/claudie-operator/Dockerfile, services/kube-eleven/Dockerfile, services/kuber/Dockerfile, services/manager/Dockerfile, services/terraformer/Dockerfile, services/testing-framework/Dockerfile) | Updated Go build images to golang:1.26.2 (from 1.25.5) and runtime images to alpine:3.23 (from 3.22) where applicable; updated OCI base label in ansibler. |
| **GCP credential construction**: internal/nodes/arch_resolver.go, services/autoscaler-adapter/node_manager/cache.go | Switched from google.CredentialsFromJSON to google.CredentialsFromJSONWithType(..., google.ServiceAccount) when creating GCP credentials. |
| **Kubernetes event recording API**: services/claudie-operator/main.go, services/claudie-operator/pkg/controller/controller.go, services/claudie-operator/pkg/controller/controller_types.go | Replaced GetEventRecorderFor with GetEventRecorder; changed reconciler Recorder type from record.EventRecorder → events.EventRecorder; several Recorder.Event calls converted to Recorder.Eventf with formatted details. Review places where event-type and formatting changed. |
| **Webhook validator typing**: services/claudie-operator/pkg/controller/validator.go | Switched to typed webhook registration admission.WithValidator[*v1beta.InputManifest](...); validator methods now accept *v1beta.InputManifest instead of runtime.Object, removing runtime assertions—update callers/signatures accordingly. |
| **Kustomize image tags**: manifests/claudie/kustomization.yaml, manifests/testing-framework/kustomization.yaml | Bumped image newTag values for multiple ghcr.io/berops/claudie/* components to the new commit tag. |

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

| Check name | Status | Explanation | Resolution |
|---|---|---|---|
| Docstring Coverage | ⚠️ Warning | Docstring coverage is 40.00% which is insufficient. The required threshold is 80.00%. | Write docstrings for the functions missing them to satisfy the coverage threshold. |

✅ Passed checks (4 passed)

| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title 'chore: update dependencies' accurately summarizes the main change—the PR comprehensively updates GitHub Actions, Go toolchain, base images, direct and indirect dependencies, and manifests across the entire codebase. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |


@coderabbitai coderabbitai Bot left a comment

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
services/testing-framework/Dockerfile (1)

27-43: ⚠️ Potential issue | 🟠 Major

Run the final image as a non-root user.

The runtime stage still defaults to root, which is unnecessary risk for an image that executes tests and talks to the cluster. Please add a dedicated USER and ensure the copied binaries remain executable under that account.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@services/testing-framework/Dockerfile` around lines 27 - 43, The image
currently runs as root; create a non-root user and switch to it at runtime: add
steps after copying the binaries to create a dedicated user/group (e.g.,
claudie), ensure ownership of the copied binaries (/usr/local/bin/kubectl and
/go/services/testing-framework/testing-framework.test) and any working
directories is changed to that user, keep the executable bit (the existing
chmod on /usr/local/bin/kubectl should remain or be applied before chown), and
set USER to that account before ENTRYPOINT so the testing-framework binary and
kubectl run as the non-root user; update any WORKDIR ownership as needed so the
process can write to it.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Outside diff comments:
In `@services/testing-framework/Dockerfile`:
- Around line 27-43: The image currently runs as root; create a non-root user
and switch to it at runtime: add steps after copying the binaries to create a
dedicated user/group (e.g., claudie), ensure ownership of the copied binaries
(/usr/local/bin/kubectl and
/go/services/testing-framework/testing-framework.test) and any working
directories is changed to that user, keep the executable bit (the existing
chmod on /usr/local/bin/kubectl should remain or be applied before chown), and
set USER to that account before ENTRYPOINT so the testing-framework binary and
kubectl run as the non-root user; update any WORKDIR ownership as needed so the
process can write to it.

📥 Commits

Reviewing files that changed from the base of the PR and between 7f4ad94 and 570ce2a.

⛔ Files ignored due to path filters (1)
  • go.sum is excluded by !**/*.sum
📒 Files selected for processing (14)
  • .github/workflows/CI-pipeline.yml
  • .github/workflows/automatic-docs-update.yml
  • .github/workflows/release-docs.yml
  • .github/workflows/release.yml
  • go.mod
  • requirements.txt
  • services/ansibler/Dockerfile
  • services/autoscaler-adapter/Dockerfile
  • services/claudie-operator/Dockerfile
  • services/kube-eleven/Dockerfile
  • services/kuber/Dockerfile
  • services/manager/Dockerfile
  • services/terraformer/Dockerfile
  • services/testing-framework/Dockerfile

@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@services/claudie-operator/pkg/controller/controller.go`:
- Line 68: The Eventf call is passing dynamic text directly (e.g.,
r.Recorder.Eventf(inputManifest, nil, corev1.EventTypeWarning, "SecretNotFound",
"FetchingSecrets", msg)), which treats the last argument as a format string and
can break on % characters; update each Eventf call in this file (including the
shown call and the other sites referenced around buildProvisioningError,
err.Error, and similar uses) to pass dynamic values via format specifiers (e.g.,
use "%s" or "%v" before the dynamic argument) so the message is treated as a
value rather than a format string; search for r.Recorder.Eventf and replace
occurrences like msg, err.Error(), or buildProvisioningError(...).Error() with
"%s", msg or "%v", err accordingly.

In `@services/claudie-operator/pkg/controller/validator.go`:
- Around line 38-41: The generic parameter to admission.WithValidator should be
the concrete Kubernetes type so replace
admission.WithValidator[runtime.Object](...) with
admission.WithValidator[*v1beta.InputManifest](...) to restore type-safe
decoding; update the call site that constructs validator :=
admission.WithValidator[...](...) and ensure InputManifestValidator is still
passed (InputManifestValidator{log, kc}) and that the v1beta package is imported
where needed.

📥 Commits

Reviewing files that changed from the base of the PR and between 570ce2a and dd48eb7.

📒 Files selected for processing (6)
  • internal/nodes/arch_resolver.go
  • services/autoscaler-adapter/node_manager/cache.go
  • services/claudie-operator/main.go
  • services/claudie-operator/pkg/controller/controller.go
  • services/claudie-operator/pkg/controller/controller_types.go
  • services/claudie-operator/pkg/controller/validator.go

Comment thread services/claudie-operator/pkg/controller/controller.go Outdated
Comment thread services/claudie-operator/pkg/controller/validator.go Outdated
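
The format-string point raised in the review of controller.go above, as an added example that is not part of the PR or the project's code. `recorder` and `event` are hypothetical stand-ins that keep the argument order of the quoted Eventf call and, as an assumption, render the note with fmt.Sprintf; the error text is constructed.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// event and recorder are hypothetical stand-ins, not client-go types.
// Assumption: the note is rendered as fmt.Sprintf(note, args...).
type event struct {
	reason, action, note string
	args                 []any
}

func (e event) Message() string { return fmt.Sprintf(e.note, e.args...) }

type recorder struct{ events []event }

// Eventf keeps the argument order of the call quoted in the review.
func (r *recorder) Eventf(regarding, related any, eventType, reason, action, note string, args ...any) {
	r.events = append(r.events, event{reason, action, note, args})
}

func (r *recorder) last() string { return r.events[len(r.events)-1].Message() }

// emitUnsafe passes dynamic text in the format-string position.
func emitUnsafe(r *recorder, err error) string {
	r.Eventf(nil, nil, "Warning", "SecretNotFound", "FetchingSecrets", err.Error())
	return r.last()
}

// emitSafe passes the same text as a value behind a constant format.
func emitSafe(r *recorder, err error) string {
	r.Eventf(nil, nil, "Warning", "SecretNotFound", "FetchingSecrets", "%v", err)
	return r.last()
}

// mangled reports fmt's error markers such as %!F(MISSING) or %!(NOVERB).
func mangled(msg string) bool { return strings.Contains(msg, "%!") }

func main() {
	// Constructed error text containing percent signs.
	err := errors.New("secret gcp%2Fprod not found, quota at 100%")
	r := &recorder{}
	fmt.Printf("unsafe: %q mangled=%v\n", emitUnsafe(r, err), mangled(emitUnsafe(r, err)))
	fmt.Printf("safe:   %q mangled=%v\n", emitSafe(r, err), mangled(emitSafe(r, err)))
}
```
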
Despire added the test-set-autoscaling (Will select test-sets related to autoscaling in the e2e tests) and test-set-ordinary (Will select ordinary test-sets that tests the general functionally of building/modifying clusters) labels Apr 29, 2026