build(deps): to argocd v3.3.9, go-git v5.14.0 and go-billy v5.9.0 #72
Walkthrough: Advances Go directive/toolchain to 1.25.5 (toolchain go1.25.10), bumps direct and many indirect module versions (including k8s.io modules to v0.34.0 and k8s.io/kubernetes v1.34.2), updates replace directives, changes Taskfile lint installer URL, and extends govulncheck silence dates.
Changes: Dependency and tooling update
Estimated code review effort: 🎯 3 (Moderate) | ⏱️ ~20 minutes
Suggested labels: dependencies
🚥 Pre-merge checks: ✅ 4 passed | ❌ 1 failed (1 warning)
Actionable comments posted: 2
🧹 Nitpick comments (1)
go.mod (1)
15-17: ⚡ Quick win: Verify build and test suite passes with all dependency updates.
This PR updates a large number of dependencies simultaneously (primary, indirect, and transitive). While individual updates appear reasonable, the combined effect should be validated through comprehensive testing.
Ensure that:
- The project builds successfully
- All unit and integration tests pass
- No unexpected behavioral changes are introduced
Also applies to: 23-172
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@go.mod` around lines 15 - 17, The dependency updates in go.mod may introduce build or test regressions; run a full verification by executing a clean dependency refresh (go mod tidy && go mod download), then build and test the codebase (go build ./... and go test ./... including integration suites), inspect and fix any compile/test failures caused by changes to packages like github.com/prometheus/client_golang, github.com/spf13/cobra, and github.com/spf13/pflag, update go.sum accordingly, and if behavioral regressions appear, bisect or revert the specific module updates until the test suite and integration checks pass.
ℹ️ Review info
⚙️ Run configuration
Configuration used: Organization UI
Review profile: CHILL
Plan: Enterprise
Run ID: f4c7999d-eaeb-4b26-96a6-c81d0fb6b81d
⛔ Files ignored due to path filters (1)
go.sum is excluded by !**/*.sum
📒 Files selected for processing (2)
go.mod, taskfile.yaml
📜 Review details
🧰 Additional context used
📓 Path-based instructions (1)
`**` (⚙️ CodeRabbit configuration file): Focus on major issues impacting performance, readability, maintainability and security. Avoid nitpicks and avoid verbosity.
Files:
taskfile.yaml, go.mod
🪛 OSV Scanner (2.3.8)
go.mod
[HIGH] 63-63: github.com/go-git/go-billy/v5 5.6.2: go-billy: Lack of depth and cycle detection in symlink resolution may lead to infinite loops and resource exhaustion
[HIGH] 63-63: github.com/go-git/go-billy/v5 5.6.2: go-billy has path traversal vulnerabilities
[HIGH] 64-64: github.com/go-git/go-git/v5 5.14.0: Improper verification of data integrity values for .idx and .pack files in github.com/go-git/go-git
(GO-2026-4473)
[HIGH] 64-64: github.com/go-git/go-git/v5 5.14.0: Missing validation decoding Index v4 files leads to panic in github.com/go-git/go-git
(GO-2026-4909)
[HIGH] 64-64: github.com/go-git/go-git/v5 5.14.0: Maliciously crafted idx file can cause asymmetric memory consumption in github.com/go-git/go-git
(GO-2026-4910)
[HIGH] 64-64: github.com/go-git/go-git/v5 5.14.0: go-git improperly verifies data integrity values for .idx and .pack files
[HIGH] 64-64: github.com/go-git/go-git/v5 5.14.0: go-git's improper parsing of specially crafted objects may lead to inconsistent interpretation compared to upstream Git
[HIGH] 64-64: github.com/go-git/go-git/v5 5.14.0: go-git: Credential leak via cross-host redirect in smart HTTP transport
[HIGH] 64-64: github.com/go-git/go-git/v5 5.14.0: go-git missing validation decoding Index v4 files leads to panic
[HIGH] 64-64: github.com/go-git/go-git/v5 5.14.0: go-git: Maliciously crafted idx file can cause asymmetric memory consumption
🔀 Multi-repo context codeready-toolchain/api, codeready-toolchain/toolchain-common, codeready-toolchain/host-operator, codeready-toolchain/toolchain-e2e
Findings
[::codeready-toolchain/api::]
- Many Kubernetes API usages and go.sum entries reference k8s.io/apimachinery v0.33.4 (e.g. go.sum lines; imports in api/v1alpha1/) — repo currently tied to k8s v0.33.4.
Evidence: api/v1alpha1/ imports k8s.io/apimachinery/pkg/apis/meta/v1 and go.sum entries for v0.33.4.
[::codeready-toolchain/toolchain-common::]
- go.mod pins k8s.io/apimachinery v0.33.4 and k8s.io/client-go v0.33.4; numerous source files import client-go / apimachinery APIs (pkg/, controllers/, etc.).
Evidence: go.mod lines showing v0.33.4 and many files importing k8s.io/* APIs (e.g. pkg/client/ssa_client.go, controllers/*).
[::codeready-toolchain/host-operator::]
- go.mod pins k8s.io/apimachinery v0.33.4 and k8s.io/client-go v0.33.4; many imports of apimachinery/client-go in controllers and pkg.
Evidence: go.mod lines for v0.33.4 and many files (pkg/templates..., controllers/..., cmd/main.go) importing k8s.io/*.
[::codeready-toolchain/toolchain-e2e::]
- go.mod pins k8s.io/apimachinery v0.33.4 and k8s.io/client-go v0.33.4; extensive use of client-go and apimachinery in tests/support.
Evidence: go.mod lines and many tests/imports (testsupport/, test/e2e/).
- Contains deployment manifests that reference Argo CD labels/roles (deploy/nstemplatetiers/...ns_env.yaml and ns_tenant.yaml): argocd.argoproj.io/managed-by: gitops-service-argocd and Role/RoleBinding names like additional-argocd-read. These manifest entries are consumers of Argo CD-managed resources (configuration/labels/roles).
Evidence: deploy/nstemplatetiers/appstudio-env/ns_env.yaml lines with argocd.argoproj.io/managed-by and role names.
Summary assessment
- None of the inspected repos import github.com/argoproj/argo-cd packages directly (no matches for argoproj/argo-cd in search results), so the PR's Argo CD library upgrade is unlikely to cause direct compile-time import-breaks in these repos.
- However, all repos are pinned to Kubernetes client libraries at v0.33.4. The PR (argocd-mcp-server) updates k8s.io/* to v0.34.0 in go.mod — this divergence could surface at integration/build time if modules are combined or if shared libraries are consumed together (potential for module version skew / go.sum differences).
- toolchain-e2e includes Argo CD-related manifests (labels/role names) that may be affected by any runtime/behavioral changes in Argo CD upgrades (not visible in code search; only manifests reference ArgoCD-managed metadata).
Conclusion: cross-repo context relevant (k8s version pinning across repos and runtime manifests referencing Argo CD).
🔇 Additional comments (5)
taskfile.yaml (1)
13-13: The installer URL is the official recommended method. The URL https://golangci-lint.run/install.sh is confirmed as the official installation endpoint for golangci-lint according to the project's documentation (https://golangci-lint.run/docs/welcome/install/local/).
go.mod (4)
175-219: LGTM!
3-3: No action required. Go version 1.25.5 is a valid, stable release and suitable for production use.
19-20: 🏗️ Heavy lift: The Kubernetes version upgrade is acceptable as written.
argocd-mcp-server is a standalone binary service (module github.com/codeready-toolchain/argocd-mcp-server with main.go), not a shared library consumed by other toolchain repositories. A cross-repository search confirms that none of the linked repositories (api, toolchain-common, host-operator, toolchain-e2e) import this module. Since this service manages its own dependencies independently, upgrading to Kubernetes v0.34.0 does not create integration or build-time conflicts with other toolchain components that remain on v0.33.4. Each standalone service can maintain its own k8s version without triggering module resolution issues.
8-9: ⚡ Quick win: v3.3.9 is a security patch release with no breaking changes; update is appropriate.
Argo CD v3.3.9 is a patch release (not a major version jump) that addresses a critical security vulnerability (CVE-2026-43824) in the ServerSideDiff endpoint. Code inspection confirms that the MCP server does not use the affected pattern (IncludeMutationWebhook=true) or rely on vulnerable configurations. If upgrading from v3.2.x or earlier, note that the v3.3.x series requires Server-Side Apply (SSA) with the --force-conflicts flag for upgrade operations and uses a new cluster version format (vMajor.Minor.Patch). However, the code only imports Argo CD's Application API structs—it does not implement operator or upgrade logic—so these migration requirements do not apply to this codebase.
github.com/go-git/go-billy/v5 v5.6.2 // indirect
github.com/go-git/go-git/v5 v5.14.0 // indirect
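Review bot: both pins sit below the patched releases this review names (go-billy v5.9.0, go-git v5.19.0), and because both carry `// indirect` nothing in this module's own imports will pull them up on its own; bump them explicitly with `go get github.com/go-git/go-billy/v5@v5.9.0` and `go get github.com/go-git/go-git/v5@v5.19.0`, run `go mod tidy`, and re-run the OSV/govulncheck scan on the result so the go.sum change is verified rather than assumed.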
🧩 Analysis chain
🏁 Script executed:
#!/bin/bash
# Check for newer patched versions of go-git and go-billy
echo "=== Checking for security advisories and latest versions ==="
# Check go-git advisories
gh api graphql -f query='
{
securityVulnerabilities(first: 20, ecosystem: GO, package: "github.com/go-git/go-git/v5") {
nodes {
advisory {
summary
severity
publishedAt
}
vulnerableVersionRange
firstPatchedVersion {
identifier
}
}
}
}'
echo ""
echo "=== Checking go-billy advisories ==="
# Check go-billy advisories
gh api graphql -f query='
{
securityVulnerabilities(first: 20, ecosystem: GO, package: "github.com/go-git/go-billy/v5") {
nodes {
advisory {
summary
severity
publishedAt
}
vulnerableVersionRange
firstPatchedVersion {
identifier
}
}
}
}'
Repository: codeready-toolchain/argocd-mcp-server
Length of output: 2982
🏁 Script executed:
#!/bin/bash
# Check the go.mod file for go-git and go-billy versions
cat go.mod | grep -A5 -B5 "go-git\|go-billy"
Repository: codeready-toolchain/argocd-mcp-server
Length of output: 2214
Address critical and high-severity vulnerabilities in go-git dependencies.
Go-git v5.14.0 and go-billy v5.6.2 contain multiple critical and high-severity security vulnerabilities:
go-git v5.14.0 (requires upgrade to v5.19.0):
- CRITICAL: Argument injection via URL field (patched in 5.13.0)
- CRITICAL: Path traversal and RCE via maliciously crafted Git server replies (patched in 5.11.0)
- HIGH: Improper parsing of crafted objects, leading to inconsistent interpretation vs upstream Git (patched in 5.19.0)
- HIGH: DoS via maliciously crafted Git server replies (patched in 5.13.0)
- MODERATE: Credential leak via cross-host redirect, improper data integrity verification for .idx/.pack files, and memory exhaustion via maliciously crafted idx files
go-billy v5.6.2 (requires upgrade to v5.9.0):
- HIGH: Path traversal vulnerabilities (patched in 5.9.0)
- MODERATE: Infinite loops and resource exhaustion from symlink resolution without depth/cycle detection (patched in 5.9.0)
These vulnerabilities pose significant security risks including argument injection, path traversal attacks, credential exposure, and denial of service. Upgrade go-git to v5.19.0 and go-billy to v5.9.0 to address all identified issues.
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In `@go.mod` around lines 63 - 64, Update the vulnerable module versions in
go.mod: bump github.com/go-git/go-git/v5 to v5.19.0 and
github.com/go-git/go-billy/v5 to v5.9.0 to pick up the security fixes; run `go
get github.com/go-git/go-git/v5@v5.19.0` and `go get
github.com/go-git/go-billy/v5@v5.9.0`, then run `go mod tidy` to update the
lockfile and verify the new versions are recorded, and finally run your test
suite and a vulnerability scan to confirm the issues are resolved.
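The comment above turns scanner output into two concrete floors (go-git v5.19.0, go-billy v5.9.0), and later in the thread a third appears (Argo CD v3.3.10). As an added example, not code from the PR, from CodeRabbit or from the argocd-mcp-server project, the Go program below makes that a repeatable pre-merge check: it parses the `require` directives of a go.mod file (a constructed excerpt mirroring the pins under discussion is embedded, with an invented module path), compares each tracked module against its floor with a small semver comparison, and reports every pin that falls below. The `Floors` table, the function names and the sample go.mod are this example's own assumptions; a real pipeline would read the repository's go.mod and take the floors from govulncheck or from the advisory query the bot runs.

```go
package main

import (
	"bufio"
	"fmt"
	"strconv"
	"strings"
)

// Floors maps a module path to the lowest release named as patched in the
// review thread. Assumed policy table for this example, not an advisory feed.
var Floors = map[string]string{
	"github.com/go-git/go-git/v5":    "v5.19.0",
	"github.com/go-git/go-billy/v5":  "v5.9.0",
	"github.com/argoproj/argo-cd/v3": "v3.3.10",
}

// Finding records one module whose pin is below its floor.
type Finding struct{ Module, Pinned, Floor string }

// sampleGoMod is a constructed go.mod excerpt mirroring the pins under review.
const sampleGoMod = `module example.com/constructed/argocd-mcp-server
go 1.25.5
require github.com/argoproj/argo-cd/v3 v3.3.9
require (
	github.com/go-git/go-billy/v5 v5.6.2 // indirect
	github.com/go-git/go-git/v5 v5.14.0 // indirect
	k8s.io/apimachinery v0.34.0
)
`

// parseVersion splits "v1.2.3", "v1.2.3-rc1" or "v1.2.3+incompatible" into
// numeric parts and reports whether a pre-release suffix was present.
func parseVersion(v string) (parts [3]int, pre, ok bool) {
	v = strings.TrimPrefix(v, "v")
	if i := strings.IndexByte(v, '+'); i >= 0 { // build metadata never orders
		v = v[:i]
	}
	if i := strings.IndexByte(v, '-'); i >= 0 { // pre-release or pseudo-version
		pre, v = true, v[:i]
	}
	fields := strings.Split(v, ".")
	if len(fields) != 3 {
		return parts, pre, false
	}
	for i, f := range fields {
		n, err := strconv.Atoi(f)
		if err != nil {
			return parts, pre, false
		}
		parts[i] = n
	}
	return parts, pre, true
}

// Below reports whether a sorts strictly before b: numeric per component (so
// v5.10.0 is not below v5.9.0), and a pre-release of b is below b. Unparseable
// input yields false, so the caller gets no false alarm and no assurance either.
func Below(a, b string) bool {
	pa, preA, okA := parseVersion(a)
	pb, preB, okB := parseVersion(b)
	if !okA || !okB {
		return false
	}
	for i := 0; i < 3; i++ {
		if pa[i] != pb[i] {
			return pa[i] < pb[i]
		}
	}
	return preA && !preB
}

// CheckGoMod scans the require directives of go.mod text and returns every
// tracked module pinned below its floor. The `require ( ... )` block and the
// single-line `require m v1` form are both handled; `// indirect` comments are
// stripped first, so indirect pins are checked exactly like direct ones.
func CheckGoMod(gomod string, floors map[string]string) []Finding {
	var out []Finding
	inBlock := false
	sc := bufio.NewScanner(strings.NewReader(gomod))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if i := strings.Index(line, "//"); i >= 0 {
			line = strings.TrimSpace(line[:i])
		}
		switch line {
		case "", "require (", ")": // blanks and block delimiters carry no pin
			inBlock = line == "require (" || (inBlock && line == "")
			continue
		}
		f := strings.Fields(line)
		switch {
		case !inBlock && len(f) == 3 && f[0] == "require":
			f = f[1:] // single-line form: drop the keyword
		case !inBlock || len(f) != 2:
			continue // go/toolchain/module/replace lines are not pins
		}
		mod, ver := f[0], f[1]
		if floor, tracked := floors[mod]; tracked && Below(ver, floor) {
			out = append(out, Finding{Module: mod, Pinned: ver, Floor: floor})
		}
	}
	return out
}

func main() {
	for _, f := range CheckGoMod(sampleGoMod, Floors) {
		fmt.Printf("%s pinned at %s, below patched floor %s\n", f.Module, f.Pinned, f.Floor)
	}
}
```

Run against the embedded sample it reports all three modules; after the `go get ...@version` and `go mod tidy` steps the comment above prescribes, the same check returns nothing, which is the state a merge gate should require. Because the floors are data, the table can be regenerated from the scanner output each run instead of being hand-edited.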
🧩 Analysis chain
🏁 Script executed:
#!/bin/bash
git show 6272680 --stat
echo "---"
git show 6272680 -- go.mod | grep -E "go-git|go-billy"
Repository: codeready-toolchain/argocd-mcp-server
Length of output: 2725
@xcoulon, thanks for the update! Looking at commit 6272680:
- ✅ go-billy/v5 → bumped to v5.9.0 (path traversal and symlink vulnerabilities resolved)
- ❌ go-git/v5 → still at v5.14.0 (needs v5.19.0 to address the remaining HIGH-severity issues)
The following vulnerabilities in go-git v5.14.0 are still open:
| ID | Summary | Patched in |
|---|---|---|
| GHSA-389r-gv7p-r3rp | Improper parsing leading to inconsistent interpretation vs upstream Git | v5.19.0 |
| GHSA-37cx-329c-33x3 / GO-2026-4473 | Improper data integrity verification for .idx/.pack files | v5.19.0 |
| GO-2026-4909 | Missing validation decoding Index v4 files → panic | v5.19.0 |
| GO-2026-4910 / GHSA-jhf3-xxhw-2wpp | Asymmetric memory consumption via crafted .idx file | v5.19.0 |
| GHSA-gm2x-2g9h-ccm8 | Missing index v4 validation leads to panic | v5.19.0 |
| GHSA-3xc5-wrhm-f963 | Credential leak via cross-host redirect | v5.13.0 |
Please run:
go get github.com/go-git/go-git/v5@v5.19.0
go mod tidy

lint:
cmds:
- curl -sSfL https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh | sh -s -- -b $GOPATH/bin
- curl -sSfL https://golangci-lint.run/install.sh | sh -s -- -b $GOPATH/bin
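Review bot: the replacement line still pipes an unpinned `install.sh` straight into `sh`, so each run installs whatever the endpoint serves at that moment and lint results are not reproducible between CI runs or developer machines; append the release tag the installer accepts after `-b $GOPATH/bin` (the thread proposes `v1.62.2`) and keep that token in one place so it is bumped deliberately rather than drifting.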
🛠️ Refactor suggestion | 🟠 Major | ⚡ Quick win
Pin golangci-lint to a specific version for reproducible builds.
Without version pinning, each installation pulls the latest version, which can introduce unexpected linting rule changes and break builds non-deterministically across different environments or time periods.
📌 Proposed fix to pin the version
- - curl -sSfL https://golangci-lint.run/install.sh | sh -s -- -b $GOPATH/bin
+ - curl -sSfL https://golangci-lint.run/install.sh | sh -s -- -b $GOPATH/bin v1.62.2
Adjust v1.62.2 to match your desired golangci-lint version.
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In `@taskfile.yaml` at line 13, Replace the unpinned installer command "curl -sSfL
https://golangci-lint.run/install.sh | sh -s -- -b $GOPATH/bin" with a pinned
install invocation that supplies a specific golangci-lint release (e.g., pass
the desired tag like v1.62.2 to the installer or use the versioned release URL)
so the build always installs that exact version; update the version token
(v1.62.2) to whichever golangci-lint version you require.
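Pinning the installer, as proposed above, removes the non-determinism, but nothing in the Taskfile then verifies that the golangci-lint binary actually on PATH is the pinned one. As an added example that is not part of the PR or of the CodeRabbit review, the POSIX shell below provides two guards: one flags installer lines in Taskfile text that carry no release tag, the other compares the version string golangci-lint reports with the pinned tag. The function names, the constructed Taskfile excerpt and the sample `--version` output line are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the PR or the CodeRabbit review): guards around the
# pinned golangci-lint install. Function names and sample texts are this
# example's own.

# Constructed taskfile excerpt: the first installer line is unpinned, the
# second carries the release tag as the review suggests.
SAMPLE_TASKFILE='lint:
  cmds:
    - curl -sSfL https://golangci-lint.run/install.sh | sh -s -- -b $GOPATH/bin
    - curl -sSfL https://golangci-lint.run/install.sh | sh -s -- -b $GOPATH/bin v1.62.2'

# unpinned_installs TEXT
# Prints every install.sh invocation in TEXT that does not end in a vX.Y.Z tag
# and returns 1 if at least one is found; returns 0 when all are pinned.
unpinned_installs() {
  if printf '%s\n' "$1" | grep 'install\.sh | sh -s --' \
      | grep -vE ' v[0-9]+\.[0-9]+\.[0-9]+$'; then
    return 1
  fi
  return 0
}

# installed_version_matches VERSION_OUTPUT PINNED_TAG
# Extracts the version from a "golangci-lint has version X ..." line
# (constructed sample of the tool's --version output) and compares it with the
# tag the task pins, so a stale binary already on PATH cannot satisfy the task.
installed_version_matches() {
  got=$(printf '%s\n' "$1" | sed -n 's/^golangci-lint has version \([0-9][0-9.]*\) .*/\1/p')
  [ -n "$got" ] && [ "v$got" = "$2" ]
}

# Stand-alone run against the constructed inputs.
if unpinned_installs "$SAMPLE_TASKFILE"; then
  echo "all installer lines pinned"
else
  echo "unpinned installer line(s) listed above"
fi
installed_version_matches "golangci-lint has version 1.62.2 built with go1.23.3 from deadbee on 2024-11-19" v1.62.2 \
  && echo "installed golangci-lint matches pinned v1.62.2"
```

Both functions take their input as arguments, so they can be fed the real `taskfile.yaml` contents or the real `golangci-lint --version` output; running them as a precondition of the lint task keeps an older binary that happens to be installed from masking the pin.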
Also switch golangci-lint install to the official URL (golangci-lint.run/install.sh).
Signed-off-by: Xavier Coulon <xcoulon@redhat.com>
dc91da9 to bfe383e
Signed-off-by: Xavier Coulon <xcoulon@redhat.com>
♻️ Duplicate comments (1)
go.mod (1)
64-64: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win
Upgrade go-git to a patched release.
Line 64 still pins github.com/go-git/go-git/v5 to v5.14.0, which is flagged with multiple HIGH vulnerabilities in the provided scan output. Please bump to at least v5.19.0.
🔧 Proposed minimal fix
- github.com/go-git/go-git/v5 v5.14.0 // indirect
+ github.com/go-git/go-git/v5 v5.19.0 // indirect
#!/bin/bash
# Verify currently published advisories and patched version metadata for go-git.
# Read-only; does not modify repository state.
gh api graphql -f query='
{
  securityVulnerabilities(first: 50, ecosystem: GO, package: "github.com/go-git/go-git/v5") {
    nodes {
      advisory { ghsaId summary severity }
      vulnerableVersionRange
      firstPatchedVersion { identifier }
    }
  }
}'
As per coding guidelines, “Focus on major issues impacting performance, readability, maintainability and security.”
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@go.mod` at line 64, Update the pinned module version for github.com/go-git/go-git/v5 in go.mod from v5.14.0 to at least v5.19.0 to pick up the security fixes; after changing the version string for the module entry, run your Go module update workflow (e.g., module download/resolve and tidy) and re-run build/tests to ensure nothing breaks and the new version is recorded in go.sum.
ℹ️ Review info
⚙️ Run configuration
Configuration used: Organization UI
Review profile: CHILL
Plan: Enterprise
Run ID: 10fc45a6-cb55-4eb0-be61-6c51628c7f6d
⛔ Files ignored due to path filters (1)
go.sum is excluded by !**/*.sum
📒 Files selected for processing (2)
go.mod, taskfile.yaml
✅ Files skipped from review due to trivial changes (1)
- taskfile.yaml
📜 Review details
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)
- GitHub Check: Test
🧰 Additional context used
📓 Path-based instructions (1)
`**` (⚙️ CodeRabbit configuration file): Focus on major issues impacting performance, readability, maintainability and security. Avoid nitpicks and avoid verbosity.
Files:
go.mod
🪛 OSV Scanner (2.3.8)
go.mod
[HIGH] 64-64: github.com/go-git/go-git/v5 5.14.0: Improper verification of data integrity values for .idx and .pack files in github.com/go-git/go-git
(GO-2026-4473)
[HIGH] 64-64: github.com/go-git/go-git/v5 5.14.0: Missing validation decoding Index v4 files leads to panic in github.com/go-git/go-git
(GO-2026-4909)
[HIGH] 64-64: github.com/go-git/go-git/v5 5.14.0: Maliciously crafted idx file can cause asymmetric memory consumption in github.com/go-git/go-git
(GO-2026-4910)
[HIGH] 64-64: github.com/go-git/go-git/v5 5.14.0: go-git improperly verifies data integrity values for .idx and .pack files
[HIGH] 64-64: github.com/go-git/go-git/v5 5.14.0: go-git's improper parsing of specially crafted objects may lead to inconsistent interpretation compared to upstream Git
[HIGH] 64-64: github.com/go-git/go-git/v5 5.14.0: go-git: Credential leak via cross-host redirect in smart HTTP transport
[HIGH] 64-64: github.com/go-git/go-git/v5 5.14.0: go-git missing validation decoding Index v4 files leads to panic
[HIGH] 64-64: github.com/go-git/go-git/v5 5.14.0: go-git: Maliciously crafted idx file can cause asymmetric memory consumption
🔀 Multi-repo context codeready-toolchain/api, codeready-toolchain/toolchain-common, codeready-toolchain/host-operator, codeready-toolchain/toolchain-e2e
Findings
[::codeready-toolchain/api::]
- go.mod pins Kubernetes libs to v0.33.4 (k8s.io/api, k8s.io/apimachinery). Evidence: go.mod lines showing v0.33.4. ([::codeready-toolchain/api::])
[::codeready-toolchain/toolchain-common::]
- go.mod pins Kubernetes libs to v0.33.4 (k8s.io/api, k8s.io/apimachinery, k8s.io/client-go). Evidence: go.mod lines showing v0.33.4. ([::codeready-toolchain/toolchain-common::])
[::codeready-toolchain/host-operator::]
- go.mod pins Kubernetes libs to v0.33.4 (k8s.io/api, k8s.io/apiextensions-apiserver, k8s.io/apimachinery, k8s.io/client-go). Evidence: go.mod lines showing v0.33.4. ([::codeready-toolchain/host-operator::])
[::codeready-toolchain/toolchain-e2e::]
- go.mod pins Kubernetes libs to v0.33.4 (k8s.io/api, k8s.io/apimachinery, k8s.io/client-go). Evidence: go.mod lines showing v0.33.4. ([::codeready-toolchain/toolchain-e2e::])
- Contains Argo CD-related manifest labels and Role/RoleBinding names that reference Argo CD-managed resources:
- deploy/nstemplatetiers/appstudio-env/ns_env.yaml: argocd.argoproj.io/managed-by: gitops-service-argocd (and multiple occurrences of Role name additional-argocd-read).
- deploy/nstemplatetiers/appstudio/ns_tenant.yaml: argocd.argoproj.io/managed-by: gitops-service-argocd.
- testsupport/tiers/checks.go: code waits for label "argocd.argoproj.io/managed-by" and asserts Role/RoleBinding named "additional-argocd-read" (lines shown in search output).
Evidence: search hits listed (files and lines) in the repo. ([::codeready-toolchain/toolchain-e2e::])
Cross-repo implication
- The PR upgrades Argo CD and also moves k8s.io/* deps to v0.34.0 in the argocd-mcp-server repo. None of these repos import argoproj/argo-cd directly, so no direct compile-time import break is evident. However, all inspected repos are pinned to k8s.io v0.33.4 while the PR moves to v0.34.0 — potential for module version skew or integration issues when these modules interact or are built together. Also, toolchain-e2e contains manifests/tests that reference Argo CD-managed labels/roles which could be impacted by behavioral/runtime changes in Argo CD. (All evidence above from the repo searches.)
Signed-off-by: Xavier Coulon <xcoulon@redhat.com>
Actionable comments posted: 1
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@go.mod`:
- Line 8: Update the Argo CD module version pinned in go.mod from
"github.com/argoproj/argo-cd/v3 v3.3.9" to "v3.3.10" to address the GHSA
vulnerabilities; after editing the "github.com/argoproj/argo-cd/v3" line run go
mod tidy and go get github.com/argoproj/argo-cd/v3@v3.3.10 (or your project's
dependency tooling) and re-run your dependency/security checks to confirm the
vulnerabilities are resolved.
ℹ️ Review info
⚙️ Run configuration
Configuration used: Organization UI
Review profile: CHILL
Plan: Enterprise
Run ID: e4793164-1282-4836-b55d-56f979065740
⛔ Files ignored due to path filters (1)
go.sum is excluded by !**/*.sum
📒 Files selected for processing (1)
go.mod
📜 Review details
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (4)
- GitHub Check: Lint
- GitHub Check: Test
- GitHub Check: Build Image
- GitHub Check: govulncheck
🧰 Additional context used
📓 Path-based instructions (1)
`**` (⚙️ CodeRabbit configuration file): Focus on major issues impacting performance, readability, maintainability and security. Avoid nitpicks and avoid verbosity.
Files:
go.mod
🪛 OSV Scanner (2.3.8)
go.mod
[HIGH] 8-8: github.com/argoproj/argo-cd/v3 3.3.9: Argo CD: Stored XSS in application link annotations enables developer-to-admin privilege escalation
[HIGH] 8-8: github.com/argoproj/argo-cd/v3 3.3.9: Argo CD: Kubernetes Secret Extraction via ArgoCD ServerSideDiff via sensitive annotations
[HIGH] 64-64: github.com/go-git/go-git/v5 5.14.0: Improper verification of data integrity values for .idx and .pack files in github.com/go-git/go-git
(GO-2026-4473)
[HIGH] 64-64: github.com/go-git/go-git/v5 5.14.0: Missing validation decoding Index v4 files leads to panic in github.com/go-git/go-git
(GO-2026-4909)
[HIGH] 64-64: github.com/go-git/go-git/v5 5.14.0: Maliciously crafted idx file can cause asymmetric memory consumption in github.com/go-git/go-git
(GO-2026-4910)
[HIGH] 64-64: github.com/go-git/go-git/v5 5.14.0: go-git improperly verifies data integrity values for .idx and .pack files
[HIGH] 64-64: github.com/go-git/go-git/v5 5.14.0: go-git's improper parsing of specially crafted objects may lead to inconsistent interpretation compared to upstream Git
[HIGH] 64-64: github.com/go-git/go-git/v5 5.14.0: go-git: Credential leak via cross-host redirect in smart HTTP transport
[HIGH] 64-64: github.com/go-git/go-git/v5 5.14.0: go-git: Crafted repositories may modify main and submodule .git directories
[HIGH] 64-64: github.com/go-git/go-git/v5 5.14.0: go-git missing validation decoding Index v4 files leads to panic
[HIGH] 64-64: github.com/go-git/go-git/v5 5.14.0: go-git: Maliciously crafted idx file can cause asymmetric memory consumption
[HIGH] 64-64: github.com/go-git/go-git/v5 5.14.0: go-git: Improper single-quote escaping in go-git SSH transport
🔀 Multi-repo context codeready-toolchain/toolchain-e2e, codeready-toolchain/toolchain-common, codeready-toolchain/host-operator
Findings
[::codeready-toolchain/toolchain-e2e::]
- Manifests and tests reference Argo CD managed label and Role/RoleBinding names:
- deploy/nstemplatetiers/appstudio-env/ns_env.yaml: contains label argocd.argoproj.io/managed-by: gitops-service-argocd and multiple Role name additional-argocd-read. (lines shown in search results)
- deploy/nstemplatetiers/appstudio/ns_tenant.yaml: contains label argocd.argoproj.io/managed-by: gitops-service-argocd.
- testsupport/tiers/checks.go: waits for label argocd.argoproj.io/managed-by and asserts Role/RoleBinding named additional-argocd-read. (lines shown in search results)
[::codeready-toolchain/toolchain-common::]
- go.mod/go.sum contain indirect dependency entries for github.com/google/go-github/v52 and github.com/migueleliasweb/go-github-mock (evidence in search output).
[::codeready-toolchain/host-operator::]
- go.mod/go.sum contain indirect entries for github.com/google/go-github/v52, github.com/migueleliasweb/go-github-mock and github.com/monochromegane/go-gitignore (evidence in search output).
Cross-repo implication
- The PR upgrades Argo CD (and moves k8s.io deps to v0.34.0 in argocd-mcp-server). toolchain-e2e contains runtime/tests and manifests that reference Argo CD-managed labels/roles and may be affected by behavioral/runtime changes in Argo CD. Additionally, prior inspection showed other repos are pinned to Kubernetes libs v0.33.4, so the argocd-mcp-server move to v0.34.0 could introduce module version skew or integration/runtime incompatibilities when these components interact. (See earlier repo go.mod version findings in the provided context.)
🔇 Additional comments (1)
go.mod (1)
64-64: go-git v5.14.0 still appears vulnerable and was already flagged in earlier review threads. This remains unresolved from prior comments; please confirm it is moved to a patched version in this PR branch.
As per coding guidelines, "Focus on major issues impacting performance, readability, maintainability and security. Avoid nitpicks and avoid verbosity."
#!/bin/bash
# Re-check current go-git pin and associated advisories.
set -euo pipefail
echo "Pinned go-git version in go.mod:"
rg -n 'github.com/go-git/go-git/v5' go.mod
echo
echo "GitHub advisory lookup (GO ecosystem):"
gh api graphql -f query='
{
  securityVulnerabilities(first: 30, ecosystem: GO, package: "github.com/go-git/go-git/v5") {
    nodes {
      advisory { ghsaId summary severity publishedAt }
      vulnerableVersionRange
      firstPatchedVersion { identifier }
    }
  }
}' | jq -r '.data.securityVulnerabilities.nodes[] | [.advisory.ghsaId, .advisory.severity, .vulnerableVersionRange, (.firstPatchedVersion.identifier // "none")] | @tsv'
Signed-off-by: Xavier Coulon <xcoulon@redhat.com>
Signed-off-by: Xavier Coulon <xcoulon@redhat.com>
♻️ Duplicate comments (1)
go.mod (1)
64-64: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win
Upgrade github.com/go-git/go-git/v5 beyond v5.17.1 before merge.
v5.17.1 is still flagged with HIGH-severity advisories; this leaves known security risk in the dependency graph. Please bump to a patched release line (at least v5.19.0, or newer if available) and re-run vuln scanning.
#!/bin/bash
set -euo pipefail
echo "Current go-git pin in go.mod:"
rg -n 'github.com/go-git/go-git/v5' go.mod
echo
echo "Known advisories for github.com/go-git/go-git/v5:"
gh api graphql -f query='
{
  securityVulnerabilities(first: 30, ecosystem: GO, package: "github.com/go-git/go-git/v5") {
    nodes {
      advisory { ghsaId summary severity publishedAt }
      vulnerableVersionRange
      firstPatchedVersion { identifier }
    }
  }
}' | jq -r '.data.securityVulnerabilities.nodes[] | [.advisory.ghsaId, .advisory.severity, .vulnerableVersionRange, (.firstPatchedVersion.identifier // "none")] | @tsv'
As per coding guidelines, "Focus on major issues impacting performance, readability, maintainability and security. Avoid nitpicks and avoid verbosity."
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@go.mod` at line 64, The go.mod currently pins github.com/go-git/go-git/v5 to v5.17.1 which has known HIGH-severity advisories; update the module entry for github.com/go-git/go-git/v5 to at least v5.19.0 (or a newer patched release) and run the project's vulnerability scan commands (the provided gh/api jq snippet or your existing vuln scanner) to verify the advisories are resolved; ensure the updated version is committed to go.mod and go.sum and confirm builds/tests pass.
🧹 Nitpick comments (1)
go.mod (1)
19-20: Validate cross-repo Kubernetes version skew in integration before merge.
This PR moves this repo to k8s.io/* v0.34.0, while linked toolchain repos are reported at v0.33.4; please confirm no API/behavior mismatch in shared flows by running coordinated integration/e2e checks across repos.
Check release notes and compatibility guidance for Kubernetes client-go/apimachinery v0.34.0 vs v0.33.4, and identify any breaking API/behavior changes that could affect cross-repo integrations.
Also applies to: 153-164, 187-218
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@go.mod` around lines 19 - 20, The PR bumps k8s.io/apimachinery and k8s.io/client-go to v0.34.0 in go.mod; validate cross-repo Kubernetes version skew by running coordinated integration/e2e tests across all related repos that still reference v0.33.4, review the v0.34.0 vs v0.33.4 release notes and client-go/apimachinery compatibility guidance for breaking API/behavior changes, and either align versions across repos or add explicit compatibility shims/compat checks; specifically verify code paths referencing k8s.io/apimachinery and k8s.io/client-go types/clients and update callsites or dependency versions to eliminate any runtime/integration failures.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Duplicate comments:
In `@go.mod`:
- Line 64: The go.mod currently pins github.com/go-git/go-git/v5 to v5.17.1
which has known HIGH-severity advisories; update the module entry for
github.com/go-git/go-git/v5 to at least v5.19.0 (or a newer patched release) and
run the project's vulnerability scan commands (the provided gh/api jq snippet or
your existing vuln scanner) to verify the advisories are resolved; ensure the
updated version is committed to go.mod and go.sum and confirm builds/tests pass.
---
Nitpick comments:
In `@go.mod`:
- Around line 19-20: The PR bumps k8s.io/apimachinery and k8s.io/client-go to
v0.34.0 in go.mod; validate cross-repo Kubernetes version skew by running
coordinated integration/e2e tests across all related repos that still reference
v0.33.4, review the v0.34.0 vs v0.33.4 release notes and client-go/apimachinery
compatibility guidance for breaking API/behavior changes, and either align
versions across repos or add explicit compatibility shims/compat checks;
specifically verify code paths referencing k8s.io/apimachinery and
k8s.io/client-go types/clients and update callsites or dependency versions to
eliminate any runtime/integration failures.
ℹ️ Review info
⚙️ Run configuration
Configuration used: Organization UI
Review profile: CHILL
Plan: Enterprise
Run ID: 252b71aa-224a-48a1-9d93-317726ada098
⛔ Files ignored due to path filters (1)
go.sum is excluded by !**/*.sum
📒 Files selected for processing (2)
- .govulncheck.yaml
- go.mod
✅ Files skipped from review due to trivial changes (1)
- .govulncheck.yaml
📜 Review details
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (3)
- GitHub Check: Test
- GitHub Check: Lint
- GitHub Check: Build Image
🧰 Additional context used
📓 Path-based instructions (1)
**
⚙️ CodeRabbit configuration file
- Focus on major issues impacting performance, readability, maintainability and security. Avoid nitpicks and avoid verbosity.
Files:
go.mod
🪛 OSV Scanner (2.3.8)
go.mod
[HIGH] 64-64: github.com/go-git/go-git/v5 5.17.1: go-git's improper parsing of specially crafted objects may lead to inconsistent interpretation compared to upstream Git
[HIGH] 64-64: github.com/go-git/go-git/v5 5.17.1: go-git: Credential leak via cross-host redirect in smart HTTP transport
[HIGH] 64-64: github.com/go-git/go-git/v5 5.17.1: go-git: Crafted repositories may modify main and submodule .git directories
[HIGH] 64-64: github.com/go-git/go-git/v5 5.17.1: go-git: Improper single-quote escaping in go-git SSH transport
🔀 Multi-repo context codeready-toolchain/toolchain-e2e, codeready-toolchain/api, codeready-toolchain/toolchain-common, codeready-toolchain/host-operator
Findings
High-level
- The PR upgrades Argo CD and advances many Kubernetes modules to v0.34.0 in the argocd-mcp-server repo. Relevant consumers and shared contracts are listed below.
codeready-toolchain/toolchain-e2e
- Tests and manifests assert/expect Argo CD managed label and Role/RoleBinding names:
- testsupport/tiers/checks.go:1493 — waits for label "argocd.argoproj.io/managed-by" == "gitops-service-argocd". [::codeready-toolchain/toolchain-e2e::testsupport/tiers/checks.go:1493]
- deploy/nstemplatetiers/appstudio-env/ns_env.yaml:15 — contains label "argocd.argoproj.io/managed-by: gitops-service-argocd". [::codeready-toolchain/toolchain-e2e::deploy/nstemplatetiers/appstudio-env/ns_env.yaml:15]
- deploy/nstemplatetiers/appstudio/ns_tenant.yaml:15 — contains same label. [::codeready-toolchain/toolchain-e2e::deploy/nstemplatetiers/appstudio/ns_tenant.yaml:15]
- testsupport/tiers/checks.go:1855-1870 — asserts Role/RoleBinding named "additional-argocd-read". [::codeready-toolchain/toolchain-e2e::testsupport/tiers/checks.go:1855-1870]
Implication: behavioral/runtime changes in Argo CD (or label/role naming semantics) could affect these e2e checks and manifests.
codeready-toolchain/api
- Uses Kubernetes libraries (k8s.io/apimachinery) pinned to v0.33.4 in go.mod and many API types import metav1/runtime types (numerous files under api/v1alpha1). [::codeready-toolchain/api::go.mod:12]
- Multiple generated files and CRD-related code rely on k8s types (e.g., api/v1alpha1/zz_generated.openapi.go). [::codeready-toolchain/api::api/v1alpha1/zz_generated.openapi.go]
Implication: advancing k8s modules in one repo while others remain at v0.33.4 may produce module version skew; ensure compatibility of shared CRD/types.
codeready-toolchain/toolchain-common
- go.mod pins k8s.io/apimachinery and k8s.io/client-go to v0.33.4. [::codeready-toolchain/toolchain-common::go.mod:23]
- Many packages import k8s apimachinery/client-go types (extensive file list). [::codeready-toolchain/toolchain-common::pkg/... files]
Implication: toolchain-common remains on k8s v0.33.x; upgrading argocd-mcp-server to k8s v0.34 may require verifying cross-module compatibility.
codeready-toolchain/host-operator
- go.mod shows indirect github dependencies; k8s libraries widely used; go.mod pins k8s.io/* at v0.33.4. [::codeready-toolchain/host-operator::go.mod:26-27]
- Numerous controllers/tests import k8s types (many files). [::codeready-toolchain/host-operator::controllers/... files]
Implication: same module-version mismatch risk.
go-git / go-billy
- The search did not find direct usages of upgraded go-git/go-billy libraries across these repos (no consumer files referencing "go-git" or "go-billy" were found). Evidence: no matches in repo searches. [::codeready-toolchain/api::][::codeready-toolchain/toolchain-common::][::codeready-toolchain/host-operator::][::codeready-toolchain/toolchain-e2e::]
Summary of action items / risks to check
- Verify Argo CD behavioral changes between current and target versions do not break toolchain-e2e manifests/tests that rely on argocd-managed labels and Role/RoleBinding naming. [::codeready-toolchain/toolchain-e2e::testsupport/tiers/checks.go]
- Check module version skew/compatibility where argocd-mcp-server will use k8s.io v0.34.0 while api, toolchain-common, host-operator, and e2e remain on v0.33.4 — especially around CRD types, generated code, and client-go APIs. [::codeready-toolchain/api::go.mod:12][::codeready-toolchain/toolchain-common::go.mod:23][::codeready-toolchain/host-operator::go.mod:26][::codeready-toolchain/toolchain-e2e::go.mod:27]
- If argocd-mcp-server upgrade is merged, plan to run integration/e2e tests (toolchain-e2e) and build/compile with the new deps to detect API or compile-time breaks.
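The go-git finding above boils down to "is the pinned version at least the patched floor?". As an added example that is not code from this PR or from CodeRabbit, the script below reads a module's pin out of go.mod text and fails when it is below a minimum release; the go.mod excerpt is constructed, and the module and versions (go-git v5.17.1 pinned, v5.19.0 as the floor) are the ones the review cites.

```bash
#!/bin/bash
# Added example (not the PR's or CodeRabbit's code): gate a go.mod pin against a
# minimum patched release, using the module and versions cited in the review.
set -euo pipefail

# Constructed go.mod excerpt for offline use; only the go-git pin mirrors the PR.
SAMPLE_GOMOD='module example.com/argocd-mcp-server

go 1.25.5

require (
	github.com/go-git/go-billy/v5 v5.9.0
	github.com/go-git/go-git/v5 v5.17.1
	k8s.io/client-go v0.34.0
)'

# pinned_version MODULE GOMOD_TEXT: print the version pinned for MODULE (empty if absent).
pinned_version() {
  local module="$1" gomod="$2"
  printf '%s\n' "$gomod" | awk -v m="$module" '$1 == m { print $2; exit }'
}

# version_at_least HAVE MIN: succeed when HAVE >= MIN in semver order.
# sort -V orders v5.17.1 before v5.19.0; pre-release suffixes are not handled.
version_at_least() {
  local have="$1" min="$2" lowest
  lowest="$(printf '%s\n%s\n' "$min" "$have" | sort -V | sed -n '1p')"
  [ "$lowest" = "$min" ]
}

# check_pin MODULE MIN GOMOD_TEXT: 0 if the pin meets MIN, 1 if missing or too old.
check_pin() {
  local module="$1" min="$2" gomod="$3" have
  have="$(pinned_version "$module" "$gomod")"
  if [ -z "$have" ]; then
    echo "$module: not pinned in go.mod" >&2
    return 1
  fi
  if version_at_least "$have" "$min"; then
    echo "$module $have: meets patched floor $min"
  else
    echo "$module $have: below patched floor $min, bump before merge" >&2
    return 1
  fi
}

# Reproduces the review finding: the go-git pin is below the floor, so this fails.
check_pin github.com/go-git/go-git/v5 v5.19.0 "$SAMPLE_GOMOD" || true
```

Point `check_pin` at `"$(cat go.mod)"` in CI to turn the review's manual check into a merge gate.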
Also switch golangci-lint install to the
official URL (golangci-lint.run/install.sh).
Summary by CodeRabbit