
build(deps): to argocd v3.3.9, go-git v5.14.0 and go-billy v5.9.0#72

Merged
xcoulon merged 5 commits into codeready-toolchain:master from xcoulon:upgrade-argocd-3.3.9
May 20, 2026


@xcoulon xcoulon commented May 18, 2026

Collaborator

Also switch golangci-lint install to the
official URL (golangci-lint.run/install.sh).

Summary by CodeRabbit

  • Chores
    • Updated Go baseline to 1.25.5 with toolchain bumped to 1.25.10.
    • Upgraded many direct and transitive dependencies (notably Argo CD, Kubernetes modules to the 0.34.x line, Prometheus, gRPC, YAML tooling, and related libraries).
    • Aligned and simplified dependency replacements to the Argo CD baseline; removed older replacement block.
    • Updated lint installer URL to the newer golangci-lint endpoint.
    • Extended vuln suppression dates for two acknowledged Kubernetes CVEs.

@coderabbitai

coderabbitai Bot commented May 18, 2026


Walkthrough

Advances Go directive/toolchain to 1.25.5 (toolchain go1.25.10), bumps direct and many indirect module versions (including k8s/io modules to v0.34.0 and k8s.io/kubernetes v1.34.2), updates replace directives, changes Taskfile lint installer URL, and extends govulncheck silence dates.

Changes

Dependency and tooling update

| Layer / File(s) | Summary |
|---|---|
| Go toolchain and primary dependencies (go.mod) | Go directive/toolchain moved to 1.25.5 / toolchain go1.25.10; direct requires (Argo CD/gitops-engine, Prometheus client, cobra/pflag, k8s.io/*) bumped. |
| Early indirect dependency refresh (go.mod) | Refreshes indirects such as Azure SDK/auth, semver/doublestar, casbin, and other transitive libraries. |
| Middle indirect and component updates (go.mod) | Updates mid-list indirects (cbor, go-git components, go-openapi/gogo modules, Google library replacements). |
| Minor indirect pin bumps (go.mod) | Pins small indirects: github.com/modern-go/reflect2, github.com/prometheus/common. |
| Later indirects and replace directives (go.mod) | Advances golang.org/x/*, gRPC/protobuf/genproto, k8s.io/* to v0.34.0/v1.34.2, updates replace (pins golang.org/x/tools to v0.35.0, k8s replaces to 0.34.0) and removes older Argo CD–scoped replace block. |
| Build tooling & vuln config (taskfile.yaml, .govulncheck.yaml) | lint task install URL switched to https://golangci-lint.run/install.sh; two govulncheck silence-until dates extended to 2026-06-18. |

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Possibly related PRs

Suggested reviewers

  • alexeykazakov
  • rsoaresd
  • fbm3307

Suggested labels

dependencies

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

| Check name | Status | Explanation | Resolution |
|---|---|---|---|
| Title check | ⚠️ Warning | The PR title mentions specific versions (argocd v3.3.9, go-git v5.14.0, go-billy v5.9.0) but the actual changes show broader dependency updates including Go toolchain to 1.25.5/1.25.10, multiple Kubernetes modules to 0.34.0, and many indirect dependencies, making the title incomplete and partially misleading. | Update the title to accurately reflect the full scope of dependency updates, such as 'build(deps): update Go toolchain and multiple dependencies including Argo CD v3.3.9' or similar. |

✅ Passed checks (4 passed)

| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |

@coderabbitai coderabbitai Bot added the dependencies Pull requests that update a dependency file label May 18, 2026

@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 2

🧹 Nitpick comments (1)
go.mod (1)

15-17: ⚡ Quick win

Verify build and test suite passes with all dependency updates.

This PR updates a large number of dependencies simultaneously (primary, indirect, and transitive). While individual updates appear reasonable, the combined effect should be validated through comprehensive testing.

Ensure that:

  • The project builds successfully
  • All unit and integration tests pass
  • No unexpected behavioral changes are introduced

Also applies to: 23-172

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@go.mod` around lines 15 - 17, The dependency updates in go.mod may introduce
build or test regressions; run a full verification by executing a clean
dependency refresh (go mod tidy && go mod download), then build and test the
codebase (go build ./... and go test ./... including integration suites),
inspect and fix any compile/test failures caused by changes to packages like
github.com/prometheus/client_golang, github.com/spf13/cobra, and
github.com/spf13/pflag, update go.sum accordingly, and if behavioral regressions
appear, bisect or revert the specific module updates until the test suite and
integration checks pass.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@go.mod`:
- Around line 63-64: Update the vulnerable module versions in go.mod: bump
github.com/go-git/go-git/v5 to v5.19.0 and github.com/go-git/go-billy/v5 to
v5.9.0 to pick up the security fixes; run `go get
github.com/go-git/go-git/v5@v5.19.0` and `go get
github.com/go-git/go-billy/v5@v5.9.0`, then run `go mod tidy` to update the
lockfile and verify the new versions are recorded, and finally run your test
suite and a vulnerability scan to confirm the issues are resolved.

In `@taskfile.yaml`:
- Line 13: Replace the unpinned installer command "curl -sSfL
https://golangci-lint.run/install.sh | sh -s -- -b $GOPATH/bin" with a pinned
install invocation that supplies a specific golangci-lint release (e.g., pass
the desired tag like v1.62.2 to the installer or use the versioned release URL)
so the build always installs that exact version; update the version token
(v1.62.2) to whichever golangci-lint version you require.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Enterprise

Run ID: f4c7999d-eaeb-4b26-96a6-c81d0fb6b81d

📥 Commits

Reviewing files that changed from the base of the PR and between 5e64e82 and dc91da9.

⛔ Files ignored due to path filters (1)
  • go.sum is excluded by !**/*.sum
📒 Files selected for processing (2)
  • go.mod
  • taskfile.yaml
📜 Review details
🧰 Additional context used
📓 Path-based instructions (1)
**

⚙️ CodeRabbit configuration file

-Focus on major issues impacting performance, readability, maintainability and security. Avoid nitpicks and avoid verbosity.

Files:

  • taskfile.yaml
  • go.mod
🪛 OSV Scanner (2.3.8)
go.mod

[HIGH] 63-63: github.com/go-git/go-billy/v5 5.6.2: go-billy: Lack of depth and cycle detection in symlink resolution may lead to infinite loops and resource exhaustion

(GHSA-m3xc-h892-ggx6)


[HIGH] 63-63: github.com/go-git/go-billy/v5 5.6.2: go-billy has path traversal vulnerabilities

(GHSA-qw64-3x98-g7q2)


[HIGH] 64-64: github.com/go-git/go-git/v5 5.14.0: Improper verification of data integrity values for .idx and .pack files in github.com/go-git/go-git

(GO-2026-4473)


[HIGH] 64-64: github.com/go-git/go-git/v5 5.14.0: Missing validation decoding Index v4 files leads to panic in github.com/go-git/go-git

(GO-2026-4909)


[HIGH] 64-64: github.com/go-git/go-git/v5 5.14.0: Maliciously crafted idx file can cause asymmetric memory consumption in github.com/go-git/go-git

(GO-2026-4910)


[HIGH] 64-64: github.com/go-git/go-git/v5 5.14.0: go-git improperly verifies data integrity values for .idx and .pack files

(GHSA-37cx-329c-33x3)


[HIGH] 64-64: github.com/go-git/go-git/v5 5.14.0: go-git's improper parsing of specially crafted objects may lead to inconsistent interpretation compared to upstream Git

(GHSA-389r-gv7p-r3rp)


[HIGH] 64-64: github.com/go-git/go-git/v5 5.14.0: go-git: Credential leak via cross-host redirect in smart HTTP transport

(GHSA-3xc5-wrhm-f963)


[HIGH] 64-64: github.com/go-git/go-git/v5 5.14.0: go-git missing validation decoding Index v4 files leads to panic

(GHSA-gm2x-2g9h-ccm8)


[HIGH] 64-64: github.com/go-git/go-git/v5 5.14.0: go-git: Maliciously crafted idx file can cause asymmetric memory consumption

(GHSA-jhf3-xxhw-2wpp)

🔀 Multi-repo context codeready-toolchain/api, codeready-toolchain/toolchain-common, codeready-toolchain/host-operator, codeready-toolchain/toolchain-e2e

Findings

[::codeready-toolchain/api::]

  • Many Kubernetes API usages and go.sum entries reference k8s.io/apimachinery v0.33.4 (e.g. go.sum lines; imports in api/v1alpha1/) — repo currently tied to k8s v0.33.4.
    Evidence: api/v1alpha1/
    imports k8s.io/apimachinery/pkg/apis/meta/v1 and go.sum entries for v0.33.4.

[::codeready-toolchain/toolchain-common::]

  • go.mod pins k8s.io/apimachinery v0.33.4 and k8s.io/client-go v0.33.4; numerous source files import client-go / apimachinery APIs (pkg/, controllers/, etc.).
    Evidence: go.mod lines showing v0.33.4 and many files importing k8s.io/* APIs (e.g. pkg/client/ssa_client.go, controllers/*).

[::codeready-toolchain/host-operator::]

  • go.mod pins k8s.io/apimachinery v0.33.4 and k8s.io/client-go v0.33.4; many imports of apimachinery/client-go in controllers and pkg.
    Evidence: go.mod lines for v0.33.4 and many files (pkg/templates..., controllers/..., cmd/main.go) importing k8s.io/*.

[::codeready-toolchain/toolchain-e2e::]

  • go.mod pins k8s.io/apimachinery v0.33.4 and k8s.io/client-go v0.33.4; extensive use of client-go and apimachinery in tests/support.
    Evidence: go.mod lines and many tests/imports (testsupport/, test/e2e/).
  • Contains deployment manifests that reference Argo CD labels/roles (deploy/nstemplatetiers/...ns_env.yaml and ns_tenant.yaml): argocd.argoproj.io/managed-by: gitops-service-argocd and Role/RoleBinding names like additional-argocd-read. These manifest entries are consumers of Argo CD-managed resources (configuration/labels/roles).
    Evidence: deploy/nstemplatetiers/appstudio-env/ns_env.yaml lines with argocd.argoproj.io/managed-by and role names.

Summary assessment

  • None of the inspected repos import github.com/argoproj/argo-cd packages directly (no matches for argoproj/argo-cd in search results), so the PR's Argo CD library upgrade is unlikely to cause direct compile-time import-breaks in these repos.
  • However, all repos are pinned to Kubernetes client libraries at v0.33.4. The PR (argocd-mcp-server) updates k8s.io/* to v0.34.0 in go.mod — this divergence could surface at integration/build time if modules are combined or if shared libraries are consumed together (potential for module version skew / go.sum differences).
  • toolchain-e2e includes Argo CD-related manifests (labels/role names) that may be affected by any runtime/behavioral changes in Argo CD upgrades (not visible in code search; only manifests reference ArgoCD-managed metadata).

Conclusion: cross-repo context relevant (k8s version pinning across repos and runtime manifests referencing Argo CD).

🔇 Additional comments (5)
taskfile.yaml (1)

13-13: The installer URL is the official recommended method. The URL https://golangci-lint.run/install.sh is confirmed as the official installation endpoint for golangci-lint according to the project's documentation (https://golangci-lint.run/docs/welcome/install/local/).

go.mod (4)

175-219: LGTM!


3-3: No action required. Go version 1.25.5 is a valid, stable release and suitable for production use.


19-20: 🏗️ Heavy lift

The Kubernetes version upgrade is acceptable as written.

argocd-mcp-server is a standalone binary service (module github.com/codeready-toolchain/argocd-mcp-server with main.go), not a shared library consumed by other toolchain repositories. A cross-repository search confirms that none of the linked repositories (api, toolchain-common, host-operator, toolchain-e2e) import this module.

Since this service manages its own dependencies independently, upgrading to Kubernetes v0.34.0 does not create integration or build-time conflicts with other toolchain components that remain on v0.33.4. Each standalone service can maintain its own k8s version without triggering module resolution issues.


8-9: ⚡ Quick win

v3.3.9 is a security patch release with no breaking changes; update is appropriate.

Argo CD v3.3.9 is a patch release (not a major version jump) that addresses a critical security vulnerability (CVE-2026-43824) in the ServerSideDiff endpoint. Code inspection confirms that the MCP server does not use the affected pattern (IncludeMutationWebhook=true) or rely on vulnerable configurations.

If upgrading from v3.2.x or earlier, note that the v3.3.x series requires Server-Side Apply (SSA) with --force-conflicts flag for upgrade operations and uses a new cluster version format (vMajor.Minor.Patch). However, the code only imports Argo CD's Application API structs—it does not implement operator or upgrade logic—so these migration requirements do not apply to this codebase.

Comment thread go.mod Outdated
Comment on lines 63 to 64
github.com/go-git/go-billy/v5 v5.6.2 // indirect
github.com/go-git/go-git/v5 v5.14.0 // indirect

@coderabbitai coderabbitai Bot May 18, 2026

⚠️ Potential issue | 🔴 Critical | 🏗️ Heavy lift

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Check for newer patched versions of go-git and go-billy

echo "=== Checking for security advisories and latest versions ==="

# Check go-git advisories
gh api graphql -f query='
{
  securityVulnerabilities(first: 20, ecosystem: GO, package: "github.com/go-git/go-git/v5") {
    nodes {
      advisory {
        summary
        severity
        publishedAt
      }
      vulnerableVersionRange
      firstPatchedVersion {
        identifier
      }
    }
  }
}'

echo ""
echo "=== Checking go-billy advisories ==="

# Check go-billy advisories
gh api graphql -f query='
{
  securityVulnerabilities(first: 20, ecosystem: GO, package: "github.com/go-git/go-billy/v5") {
    nodes {
      advisory {
        summary
        severity
        publishedAt
      }
      vulnerableVersionRange
      firstPatchedVersion {
        identifier
      }
    }
  }
}'

Repository: codeready-toolchain/argocd-mcp-server

Length of output: 2982


🏁 Script executed:

#!/bin/bash
# Check the go.mod file for go-git and go-billy versions
cat go.mod | grep -A5 -B5 "go-git\|go-billy"

Repository: codeready-toolchain/argocd-mcp-server

Length of output: 2214


Address critical and high-severity vulnerabilities in go-git dependencies.

Go-git v5.14.0 and go-billy v5.6.2 contain multiple critical and high-severity security vulnerabilities:

go-git v5.14.0 (requires upgrade to v5.19.0):

  • CRITICAL: Argument injection via URL field (patched in 5.13.0)
  • CRITICAL: Path traversal and RCE via maliciously crafted Git server replies (patched in 5.11.0)
  • HIGH: Improper parsing of crafted objects, leading to inconsistent interpretation vs upstream Git (patched in 5.19.0)
  • HIGH: DoS via maliciously crafted Git server replies (patched in 5.13.0)
  • MODERATE: Credential leak via cross-host redirect, improper data integrity verification for .idx/.pack files, and memory exhaustion via maliciously crafted idx files

go-billy v5.6.2 (requires upgrade to v5.9.0):

  • HIGH: Path traversal vulnerabilities (patched in 5.9.0)
  • MODERATE: Infinite loops and resource exhaustion from symlink resolution without depth/cycle detection (patched in 5.9.0)

These vulnerabilities pose significant security risks including argument injection, path traversal attacks, credential exposure, and denial of service. Upgrade go-git to v5.19.0 and go-billy to v5.9.0 to address all identified issues.

Collaborator Author

done in 6272680

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
git show 6272680 --stat
echo "---"
git show 6272680 -- go.mod | grep -E "go-git|go-billy"

Repository: codeready-toolchain/argocd-mcp-server
Length of output: 2725


@xcoulon, thanks for the update! Looking at commit 6272680:

  • go-billy/v5 → bumped to v5.9.0 (path traversal and symlink vulnerabilities resolved)
  • go-git/v5 → still at v5.14.0 (needs v5.19.0 to address the remaining HIGH-severity issues)

The following vulnerabilities in go-git v5.14.0 are still open:

| ID | Summary | Patched in |
|---|---|---|
| GHSA-389r-gv7p-r3rp | Improper parsing leading to inconsistent interpretation vs upstream Git | v5.19.0 |
| GHSA-37cx-329c-33x3 / GO-2026-4473 | Improper data integrity verification for .idx/.pack files | v5.19.0 |
| GO-2026-4909 | Missing validation decoding Index v4 files → panic | v5.19.0 |
| GO-2026-4910 / GHSA-jhf3-xxhw-2wpp | Asymmetric memory consumption via crafted .idx file | v5.19.0 |
| GHSA-gm2x-2g9h-ccm8 | Missing index v4 validation leads to panic | v5.19.0 |
| GHSA-3xc5-wrhm-f963 | Credential leak via cross-host redirect | v5.13.0 |

Please run:

go get github.com/go-git/go-git/v5@v5.19.0
go mod tidy
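
A CI gate for the patched versions named in the review above, as an added example that is not part of the PR or the project's code: it reads a go.mod, applies replace directives, and reports any listed module that ends up below its floor. The names `checkFloors`, `floors` and `sampleGoMod`, and the sample go.mod itself, are constructed for illustration.

```go
package main

import (
	"fmt"
	"os"
	"strings"
)

// floors holds the minimum patched versions named in the review above.
var floors = []struct{ Module, Min string }{
	{"github.com/go-git/go-billy/v5", "v5.9.0"},
	{"github.com/go-git/go-git/v5", "v5.19.0"},
}

// sampleGoMod is constructed for this example; it is not the project's go.mod.
const sampleGoMod = `module example.test/app
require (
	github.com/go-git/go-billy/v5 v5.9.0 // indirect
	github.com/go-git/go-git/v5 v5.14.0 // indirect
)
replace github.com/go-git/go-billy/v5 => github.com/go-git/go-billy/v5 v5.6.2
`

type finding struct{ Module, Effective, Floor, Source string }

// below reports whether a sorts before b numerically (v5.9.0 < v5.14.0). A
// -pre or +build suffix is ignored; an unparsable version counts as below.
func below(a, b string) bool {
	var x, y [3]int
	_, errA := fmt.Sscanf(a, "v%d.%d.%d", &x[0], &x[1], &x[2])
	_, errB := fmt.Sscanf(b, "v%d.%d.%d", &y[0], &y[1], &y[2])
	if errA != nil || errB != nil {
		return true // fail closed
	}
	for i := range x {
		if x[i] != y[i] {
			return x[i] < y[i]
		}
	}
	return false
}

// checkFloors lists floored modules whose effective version, after replace
// directives, is below the floor or cannot be determined from go.mod alone.
func checkFloors(gomod string) []finding {
	required, replaced, block := map[string]string{}, map[string]string{}, ""
	for _, raw := range strings.Split(gomod, "\n") {
		line, _, _ := strings.Cut(raw, "//") // drop trailing comments
		f := strings.Fields(line)
		switch {
		case len(f) == 0:
			continue
		case f[0] == ")":
			block = ""
			continue
		case block == "" && len(f) == 2 && f[1] == "(":
			block = f[0]
			continue
		}
		directive := block
		if directive == "" {
			directive, f = f[0], f[1:]
		}
		if n := len(f); directive == "require" && n >= 2 {
			required[f[0]] = f[1]
		} else if directive == "replace" && n >= 3 {
			// old [version] => new [version]; comparable only if new path == old
			replaced[f[0]] = "(fork or local path)"
			if f[n-3] == "=>" && f[n-2] == f[0] {
				replaced[f[0]] = f[n-1]
			}
		}
	}
	var out []finding
	for _, fl := range floors {
		v, ok := required[fl.Module]
		if !ok {
			continue // not in this go.mod's requirement list
		}
		src := "require"
		if r, ok := replaced[fl.Module]; ok {
			v, src = r, "replace"
		}
		if below(v, fl.Min) {
			out = append(out, finding{fl.Module, v, fl.Min, src})
		}
	}
	return out
}

func main() {
	findings := checkFloors(sampleGoMod)
	for _, f := range findings {
		fmt.Printf("%s: %s (via %s) is below %s\n", f.Module, f.Effective, f.Source, f.Floor)
	}
	if len(findings) > 0 {
		os.Exit(1) // non-zero exit fails the CI step
	}
}
```

The sample shows why the replace pass matters: go-billy is required at the patched version but a replace directive pulls it back below the floor, which a check of the require block alone would miss.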

Comment thread taskfile.yaml
lint:
cmds:
- curl -sSfL https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh | sh -s -- -b $GOPATH/bin
- curl -sSfL https://golangci-lint.run/install.sh | sh -s -- -b $GOPATH/bin
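
Review bot: the new `curl ... | sh` line still executes a script fetched at run time and passes nothing after `-b $GOPATH/bin`, so every run installs whatever golangci-lint release is current and trusts whatever the endpoint serves at that moment. Pass an explicit release tag as the last installer argument, and consider saving the script to a file first so a reviewed copy, checked against a recorded hash, is what gets run.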

🛠️ Refactor suggestion | 🟠 Major | ⚡ Quick win

Pin golangci-lint to a specific version for reproducible builds.

Without version pinning, each installation pulls the latest version, which can introduce unexpected linting rule changes and break builds non-deterministically across different environments or time periods.

📌 Proposed fix to pin the version
-      - curl -sSfL https://golangci-lint.run/install.sh | sh -s -- -b $GOPATH/bin
+      - curl -sSfL https://golangci-lint.run/install.sh | sh -s -- -b $GOPATH/bin v1.62.2
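
Review bot: appending `v1.62.2` fixes the linter version, but the install target `-b $GOPATH/bin` expands to `/bin` when `GOPATH` is not exported in the task's environment, and the installer script itself is still fetched unpinned. Use `$(go env GOPATH)/bin` for the target directory and keep the tag in a single Taskfile variable so later bumps are a one-line change.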

Adjust v1.62.2 to match your desired golangci-lint version.

Suggested change
- curl -sSfL https://golangci-lint.run/install.sh | sh -s -- -b $GOPATH/bin
- curl -sSfL https://golangci-lint.run/install.sh | sh -s -- -b $GOPATH/bin v1.62.2

Also switch golangci-lint install to the
official URL (golangci-lint.run/install.sh).

Signed-off-by: Xavier Coulon <xcoulon@redhat.com>
@xcoulon xcoulon force-pushed the upgrade-argocd-3.3.9 branch from dc91da9 to bfe383e May 19, 2026 08:37
@xcoulon xcoulon changed the title from "upgrade argocd 3.3.9" to "build(deps): to argocd v3.3.9, go-git v5.14.0 and go-billy v5.9.0" May 19, 2026
Signed-off-by: Xavier Coulon <xcoulon@redhat.com>

@coderabbitai coderabbitai Bot left a comment

♻️ Duplicate comments (1)
go.mod (1)

64-64: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Upgrade go-git to a patched release.

Line 64 still pins github.com/go-git/go-git/v5 to v5.14.0, which is flagged with multiple HIGH vulnerabilities in the provided scan output. Please bump to at least v5.19.0.

🔧 Proposed minimal fix
-	github.com/go-git/go-git/v5 v5.14.0 // indirect
+	github.com/go-git/go-git/v5 v5.19.0 // indirect
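
Review bot: a hand edit of this `// indirect` line leaves go.sum without entries for v5.19.0, so the build stops on a missing go.sum entry. Apply the bump with `go get github.com/go-git/go-git/v5@v5.19.0` followed by `go mod tidy`, then confirm with `go list -m github.com/go-git/go-git/v5` that no replace directive overrides the selected version.
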
#!/bin/bash
# Verify currently published advisories and patched version metadata for go-git.
# Read-only; does not modify repository state.

gh api graphql -f query='
{
  securityVulnerabilities(first: 50, ecosystem: GO, package: "github.com/go-git/go-git/v5") {
    nodes {
      advisory {
        ghsaId
        summary
        severity
      }
      vulnerableVersionRange
      firstPatchedVersion { identifier }
    }
  }
}'

As per coding guidelines, “Focus on major issues impacting performance, readability, maintainability and security.”

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@go.mod` at line 64, Update the pinned module version for
github.com/go-git/go-git/v5 in go.mod from v5.14.0 to at least v5.19.0 to pick
up the security fixes; after changing the version string for the module entry,
run your Go module update workflow (e.g., module download/resolve and tidy) and
re-run build/tests to ensure nothing breaks and the new version is recorded in
go.sum.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Enterprise

Run ID: 10fc45a6-cb55-4eb0-be61-6c51628c7f6d

📥 Commits

Reviewing files that changed from the base of the PR and between dc91da9 and 6272680.

⛔ Files ignored due to path filters (1)
  • go.sum is excluded by !**/*.sum
📒 Files selected for processing (2)
  • go.mod
  • taskfile.yaml
✅ Files skipped from review due to trivial changes (1)
  • taskfile.yaml
📜 Review details
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)
  • GitHub Check: Test
🧰 Additional context used
📓 Path-based instructions (1)
**

⚙️ CodeRabbit configuration file

-Focus on major issues impacting performance, readability, maintainability and security. Avoid nitpicks and avoid verbosity.

Files:

  • go.mod
🪛 OSV Scanner (2.3.8)
go.mod

[HIGH] 64-64: github.com/go-git/go-git/v5 5.14.0: Improper verification of data integrity values for .idx and .pack files in github.com/go-git/go-git

(GO-2026-4473)


[HIGH] 64-64: github.com/go-git/go-git/v5 5.14.0: Missing validation decoding Index v4 files leads to panic in github.com/go-git/go-git

(GO-2026-4909)


[HIGH] 64-64: github.com/go-git/go-git/v5 5.14.0: Maliciously crafted idx file can cause asymmetric memory consumption in github.com/go-git/go-git

(GO-2026-4910)


[HIGH] 64-64: github.com/go-git/go-git/v5 5.14.0: go-git improperly verifies data integrity values for .idx and .pack files

(GHSA-37cx-329c-33x3)


[HIGH] 64-64: github.com/go-git/go-git/v5 5.14.0: go-git's improper parsing of specially crafted objects may lead to inconsistent interpretation compared to upstream Git

(GHSA-389r-gv7p-r3rp)


[HIGH] 64-64: github.com/go-git/go-git/v5 5.14.0: go-git: Credential leak via cross-host redirect in smart HTTP transport

(GHSA-3xc5-wrhm-f963)


[HIGH] 64-64: github.com/go-git/go-git/v5 5.14.0: go-git missing validation decoding Index v4 files leads to panic

(GHSA-gm2x-2g9h-ccm8)


[HIGH] 64-64: github.com/go-git/go-git/v5 5.14.0: go-git: Maliciously crafted idx file can cause asymmetric memory consumption

(GHSA-jhf3-xxhw-2wpp)

🔀 Multi-repo context codeready-toolchain/api, codeready-toolchain/toolchain-common, codeready-toolchain/host-operator, codeready-toolchain/toolchain-e2e

Findings

[::codeready-toolchain/api::]

  • go.mod pins Kubernetes libs to v0.33.4 (k8s.io/api, k8s.io/apimachinery). Evidence: go.mod lines showing v0.33.4. ([::codeready-toolchain/api::])

[::codeready-toolchain/toolchain-common::]

  • go.mod pins Kubernetes libs to v0.33.4 (k8s.io/api, k8s.io/apimachinery, k8s.io/client-go). Evidence: go.mod lines showing v0.33.4. ([::codeready-toolchain/toolchain-common::])

[::codeready-toolchain/host-operator::]

  • go.mod pins Kubernetes libs to v0.33.4 (k8s.io/api, k8s.io/apiextensions-apiserver, k8s.io/apimachinery, k8s.io/client-go). Evidence: go.mod lines showing v0.33.4. ([::codeready-toolchain/host-operator::])

[::codeready-toolchain/toolchain-e2e::]

  • go.mod pins Kubernetes libs to v0.33.4 (k8s.io/api, k8s.io/apimachinery, k8s.io/client-go). Evidence: go.mod lines showing v0.33.4. ([::codeready-toolchain/toolchain-e2e::])
  • Contains Argo CD-related manifest labels and Role/RoleBinding names that reference Argo CD-managed resources:
    • deploy/nstemplatetiers/appstudio-env/ns_env.yaml: argocd.argoproj.io/managed-by: gitops-service-argocd (and multiple occurrences of Role name additional-argocd-read).
    • deploy/nstemplatetiers/appstudio/ns_tenant.yaml: argocd.argoproj.io/managed-by: gitops-service-argocd.
    • testsupport/tiers/checks.go: code waits for label "argocd.argoproj.io/managed-by" and asserts Role/RoleBinding named "additional-argocd-read" (lines shown in search output).
      Evidence: search hits listed (files and lines) in the repo. ([::codeready-toolchain/toolchain-e2e::])

Cross-repo implication

  • The PR upgrades Argo CD and also moves k8s.io/* deps to v0.34.0 in the argocd-mcp-server repo. None of these repos import argoproj/argo-cd directly, so no direct compile-time import break is evident. However, all inspected repos are pinned to k8s.io v0.33.4 while the PR moves to v0.34.0 — potential for module version skew or integration issues when these modules interact or are built together. Also, toolchain-e2e contains manifests/tests that reference Argo CD-managed labels/roles which could be impacted by behavioral/runtime changes in Argo CD. (All evidence above from the repo searches.)

Signed-off-by: Xavier Coulon <xcoulon@redhat.com>

@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@go.mod`:
- Line 8: Update the Argo CD module version pinned in go.mod from
"github.com/argoproj/argo-cd/v3 v3.3.9" to "v3.3.10" to address the GHSA
vulnerabilities; after editing the "github.com/argoproj/argo-cd/v3" line run go
mod tidy and go get github.com/argoproj/argo-cd/v3@v3.3.10 (or your project's
dependency tooling) and re-run your dependency/security checks to confirm the
vulnerabilities are resolved.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Enterprise

Run ID: e4793164-1282-4836-b55d-56f979065740

📥 Commits

Reviewing files that changed from the base of the PR and between 6272680 and e1aa663.

⛔ Files ignored due to path filters (1)
  • go.sum is excluded by !**/*.sum
📒 Files selected for processing (1)
  • go.mod
📜 Review details
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (4)
  • GitHub Check: Lint
  • GitHub Check: Test
  • GitHub Check: Build Image
  • GitHub Check: govulncheck
🧰 Additional context used
📓 Path-based instructions (1)
**

⚙️ CodeRabbit configuration file

-Focus on major issues impacting performance, readability, maintainability and security. Avoid nitpicks and avoid verbosity.

Files:

  • go.mod
🪛 OSV Scanner (2.3.8)
go.mod

[HIGH] 8-8: github.com/argoproj/argo-cd/v3 3.3.9: Argo CD: Stored XSS in application link annotations enables developer-to-admin privilege escalation

(GHSA-h98r-wv3h-fr38)


[HIGH] 8-8: github.com/argoproj/argo-cd/v3 3.3.9: Argo CD: Kubernetes Secret Extraction via ArgoCD ServerSideDiff via sensitive annotations

(GHSA-rg3g-4rw9-gqrp)


[HIGH] 64-64: github.com/go-git/go-git/v5 5.14.0: Improper verification of data integrity values for .idx and .pack files in github.com/go-git/go-git

(GO-2026-4473)


[HIGH] 64-64: github.com/go-git/go-git/v5 5.14.0: Missing validation decoding Index v4 files leads to panic in github.com/go-git/go-git

(GO-2026-4909)


[HIGH] 64-64: github.com/go-git/go-git/v5 5.14.0: Maliciously crafted idx file can cause asymmetric memory consumption in github.com/go-git/go-git

(GO-2026-4910)


[HIGH] 64-64: github.com/go-git/go-git/v5 5.14.0: go-git improperly verifies data integrity values for .idx and .pack files

(GHSA-37cx-329c-33x3)


[HIGH] 64-64: github.com/go-git/go-git/v5 5.14.0: go-git's improper parsing of specially crafted objects may lead to inconsistent interpretation compared to upstream Git

(GHSA-389r-gv7p-r3rp)


[HIGH] 64-64: github.com/go-git/go-git/v5 5.14.0: go-git: Credential leak via cross-host redirect in smart HTTP transport

(GHSA-3xc5-wrhm-f963)


[HIGH] 64-64: github.com/go-git/go-git/v5 5.14.0: go-git: Crafted repositories may modify main and submodule .git directories

(GHSA-crhj-59gh-8x96)


[HIGH] 64-64: github.com/go-git/go-git/v5 5.14.0: go-git missing validation decoding Index v4 files leads to panic

(GHSA-gm2x-2g9h-ccm8)


[HIGH] 64-64: github.com/go-git/go-git/v5 5.14.0: go-git: Maliciously crafted idx file can cause asymmetric memory consumption

(GHSA-jhf3-xxhw-2wpp)


[HIGH] 64-64: github.com/go-git/go-git/v5 5.14.0: go-git: Improper single-quote escaping in go-git SSH transport

(GHSA-m7cr-m3pv-hgrp)

🔀 Multi-repo context codeready-toolchain/toolchain-e2e, codeready-toolchain/toolchain-common, codeready-toolchain/host-operator

Findings

[::codeready-toolchain/toolchain-e2e::]

  • Manifests and tests reference Argo CD managed label and Role/RoleBinding names:
    • deploy/nstemplatetiers/appstudio-env/ns_env.yaml: contains label argocd.argoproj.io/managed-by: gitops-service-argocd and multiple Role name additional-argocd-read. (lines shown in search results)
    • deploy/nstemplatetiers/appstudio/ns_tenant.yaml: contains label argocd.argoproj.io/managed-by: gitops-service-argocd.
    • testsupport/tiers/checks.go: waits for label argocd.argoproj.io/managed-by and asserts Role/RoleBinding named additional-argocd-read. (lines shown in search results)

[::codeready-toolchain/toolchain-common::]

  • go.mod/go.sum contain indirect dependency entries for github.com/google/go-github/v52 and github.com/migueleliasweb/go-github-mock (evidence in search output).

[::codeready-toolchain/host-operator::]

  • go.mod/go.sum contain indirect entries for github.com/google/go-github/v52, github.com/migueleliasweb/go-github-mock and github.com/monochromegane/go-gitignore (evidence in search output).

Cross-repo implication

  • The PR upgrades Argo CD (and moves k8s.io deps to v0.34.0 in argocd-mcp-server). toolchain-e2e contains runtime/tests and manifests that reference Argo CD-managed labels/roles and may be affected by behavioral/runtime changes in Argo CD. Additionally, prior inspection showed other repos are pinned to Kubernetes libs v0.33.4, so the argocd-mcp-server move to v0.34.0 could introduce module version skew or integration/runtime incompatibilities when these components interact. (See earlier repo go.mod version findings in the provided context.)
🔇 Additional comments (1)
go.mod (1)

64-64: go-git v5.14.0 still appears vulnerable and was already flagged in earlier review threads.

This remains unresolved from prior comments; please confirm it is moved to a patched version in this PR branch.
As per coding guidelines, "Focus on major issues impacting performance, readability, maintainability and security. Avoid nitpicks and avoid verbosity."

```bash
#!/bin/bash
# Re-check current go-git pin and associated advisories.

set -euo pipefail

echo "Pinned go-git version in go.mod:"
rg -n 'github.com/go-git/go-git/v5' go.mod

echo
echo "GitHub advisory lookup (GO ecosystem):"
# One tab-separated row per advisory: GHSA id, severity, vulnerable range, first patched version.
gh api graphql -f query='
{
  securityVulnerabilities(first: 30, ecosystem: GO, package: "github.com/go-git/go-git/v5") {
    nodes {
      advisory { ghsaId summary severity publishedAt }
      vulnerableVersionRange
      firstPatchedVersion { identifier }
    }
  }
}' | jq -r '.data.securityVulnerabilities.nodes[] |
  [.advisory.ghsaId, .advisory.severity, .vulnerableVersionRange, (.firstPatchedVersion.identifier // "none")] | @tsv'
```

Comment thread go.mod Outdated
xcoulon added 2 commits May 19, 2026 17:54
Signed-off-by: Xavier Coulon <xcoulon@redhat.com>
Signed-off-by: Xavier Coulon <xcoulon@redhat.com>

@coderabbitai coderabbitai Bot left a comment

♻️ Duplicate comments (1)
go.mod (1)

64-64: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Upgrade github.com/go-git/go-git/v5 beyond v5.17.1 before merge.

v5.17.1 is still flagged with HIGH-severity advisories; this leaves known security risk in the dependency graph. Please bump to a patched release line (at least v5.19.0, or newer if available) and re-run vuln scanning.

```bash
#!/bin/bash
set -euo pipefail

echo "Current go-git pin in go.mod:"
rg -n 'github.com/go-git/go-git/v5' go.mod

echo
echo "Known advisories for github.com/go-git/go-git/v5:"
# One tab-separated row per advisory: GHSA id, severity, vulnerable range, first patched version.
gh api graphql -f query='
{
  securityVulnerabilities(first: 30, ecosystem: GO, package: "github.com/go-git/go-git/v5") {
    nodes {
      advisory { ghsaId summary severity publishedAt }
      vulnerableVersionRange
      firstPatchedVersion { identifier }
    }
  }
}' | jq -r '.data.securityVulnerabilities.nodes[] |
  [.advisory.ghsaId, .advisory.severity, .vulnerableVersionRange, (.firstPatchedVersion.identifier // "none")] | @tsv'
```

As per coding guidelines, "Focus on major issues impacting performance, readability, maintainability and security. Avoid nitpicks and avoid verbosity."

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@go.mod` at line 64, The go.mod currently pins github.com/go-git/go-git/v5 to
v5.17.1 which has known HIGH-severity advisories; update the module entry for
github.com/go-git/go-git/v5 to at least v5.19.0 (or a newer patched release) and
run the project's vulnerability scan commands (the provided gh/api jq snippet or
your existing vuln scanner) to verify the advisories are resolved; ensure the
updated version is committed to go.mod and go.sum and confirm builds/tests pass.
🧹 Nitpick comments (1)
go.mod (1)

19-20: Validate cross-repo Kubernetes version skew in integration before merge.

This PR moves this repo to k8s.io/* v0.34.0, while linked toolchain repos are reported at v0.33.4; please confirm no API/behavior mismatch in shared flows by running coordinated integration/e2e checks across repos.

Check release notes and compatibility guidance for Kubernetes client-go/apimachinery v0.34.0 vs v0.33.4, and identify any breaking API/behavior changes that could affect cross-repo integrations.

Also applies to: 153-164, 187-218

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@go.mod` around lines 19 - 20, The PR bumps k8s.io/apimachinery and
k8s.io/client-go to v0.34.0 in go.mod; validate cross-repo Kubernetes version
skew by running coordinated integration/e2e tests across all related repos that
still reference v0.33.4, review the v0.34.0 vs v0.33.4 release notes and
client-go/apimachinery compatibility guidance for breaking API/behavior changes,
and either align versions across repos or add explicit compatibility
shims/compat checks; specifically verify code paths referencing
k8s.io/apimachinery and k8s.io/client-go types/clients and update callsites or
dependency versions to eliminate any runtime/integration failures.
ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Enterprise

Run ID: 252b71aa-224a-48a1-9d93-317726ada098

📥 Commits

Reviewing files that changed from the base of the PR and between e1aa663 and 0781214.

⛔ Files ignored due to path filters (1)
  • go.sum is excluded by !**/*.sum
📒 Files selected for processing (2)
  • .govulncheck.yaml
  • go.mod
✅ Files skipped from review due to trivial changes (1)
  • .govulncheck.yaml
📜 Review details
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (3)
  • GitHub Check: Test
  • GitHub Check: Lint
  • GitHub Check: Build Image
🧰 Additional context used
📓 Path-based instructions (1)
**

⚙️ CodeRabbit configuration file

-Focus on major issues impacting performance, readability, maintainability and security. Avoid nitpicks and avoid verbosity.

Files:

  • go.mod
🪛 OSV Scanner (2.3.8)
go.mod

[HIGH] 64-64: github.com/go-git/go-git/v5 5.17.1: go-git's improper parsing of specially crafted objects may lead to inconsistent interpretation compared to upstream Git

(GHSA-389r-gv7p-r3rp)


[HIGH] 64-64: github.com/go-git/go-git/v5 5.17.1: go-git: Credential leak via cross-host redirect in smart HTTP transport

(GHSA-3xc5-wrhm-f963)


[HIGH] 64-64: github.com/go-git/go-git/v5 5.17.1: go-git: Crafted repositories may modify main and submodule .git directories

(GHSA-crhj-59gh-8x96)


[HIGH] 64-64: github.com/go-git/go-git/v5 5.17.1: go-git: Improper single-quote escaping in go-git SSH transport

(GHSA-m7cr-m3pv-hgrp)

🔀 Multi-repo context codeready-toolchain/toolchain-e2e, codeready-toolchain/api, codeready-toolchain/toolchain-common, codeready-toolchain/host-operator

Findings

High-level

  • The PR upgrades Argo CD and advances many Kubernetes modules to v0.34.0 in the argocd-mcp-server repo. Relevant consumers and shared contracts are listed below.

codeready-toolchain/toolchain-e2e

  • Tests and manifests assert/expect Argo CD managed label and Role/RoleBinding names:
    • testsupport/tiers/checks.go:1493 — waits for label "argocd.argoproj.io/managed-by" == "gitops-service-argocd". [::codeready-toolchain/toolchain-e2e::testsupport/tiers/checks.go:1493]
    • deploy/nstemplatetiers/appstudio-env/ns_env.yaml:15 — contains label "argocd.argoproj.io/managed-by: gitops-service-argocd". [::codeready-toolchain/toolchain-e2e::deploy/nstemplatetiers/appstudio-env/ns_env.yaml:15]
    • deploy/nstemplatetiers/appstudio/ns_tenant.yaml:15 — contains same label. [::codeready-toolchain/toolchain-e2e::deploy/nstemplatetiers/appstudio/ns_tenant.yaml:15]
    • testsupport/tiers/checks.go:1855-1870 — asserts Role/RoleBinding named "additional-argocd-read". [::codeready-toolchain/toolchain-e2e::testsupport/tiers/checks.go:1855-1870]

Implication: behavioral/runtime changes in Argo CD (or label/role naming semantics) could affect these e2e checks and manifests.

codeready-toolchain/api

  • Uses Kubernetes libraries (k8s.io/apimachinery) pinned to v0.33.4 in go.mod and many API types import metav1/runtime types (numerous files under api/v1alpha1). [::codeready-toolchain/api::go.mod:12]
  • Multiple generated files and CRD-related code rely on k8s types (e.g., api/v1alpha1/zz_generated.openapi.go). [::codeready-toolchain/api::api/v1alpha1/zz_generated.openapi.go]

Implication: advancing k8s modules in one repo while others remain at v0.33.4 may produce module version skew; ensure compatibility of shared CRD/types.

codeready-toolchain/toolchain-common

  • go.mod pins k8s.io/apimachinery and k8s.io/client-go to v0.33.4. [::codeready-toolchain/toolchain-common::go.mod:23]
  • Many packages import k8s apimachinery/client-go types (extensive file list). [::codeready-toolchain/toolchain-common::pkg/... files]

Implication: toolchain-common remains on k8s v0.33.x; upgrading argocd-mcp-server to k8s v0.34 may require verifying cross-module compatibility.

codeready-toolchain/host-operator

  • go.mod shows indirect github dependencies; k8s libraries widely used; go.mod pins k8s.io/* at v0.33.4. [::codeready-toolchain/host-operator::go.mod:26-27]
  • Numerous controllers/tests import k8s types (many files). [::codeready-toolchain/host-operator::controllers/... files]

Implication: same module-version mismatch risk.

go-git / go-billy

  • The search did not find direct usages of upgraded go-git/go-billy libraries across these repos (no consumer files referencing "go-git" or "go-billy" were found). Evidence: no matches in repo searches. [::codeready-toolchain/api::][::codeready-toolchain/toolchain-common::][::codeready-toolchain/host-operator::][::codeready-toolchain/toolchain-e2e::]

Summary of action items / risks to check

  • Verify Argo CD behavioral changes between current and target versions do not break toolchain-e2e manifests/tests that rely on argocd-managed labels and Role/RoleBinding naming. [::codeready-toolchain/toolchain-e2e::testsupport/tiers/checks.go]
  • Check module version skew/compatibility where argocd-mcp-server will use k8s.io v0.34.0 while api, toolchain-common, host-operator, and e2e remain on v0.33.4 — especially around CRD types, generated code, and client-go APIs. [::codeready-toolchain/api::go.mod:12][::codeready-toolchain/toolchain-common::go.mod:23][::codeready-toolchain/host-operator::go.mod:26][::codeready-toolchain/toolchain-e2e::go.mod:27]
  • If argocd-mcp-server upgrade is merged, plan to run integration/e2e tests (toolchain-e2e) and build/compile with the new deps to detect API or compile-time breaks.
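
The version floors the review asks for (argo-cd v3.3.10, go-git at least v5.19.0) can be checked against go.mod with a numeric comparison, since a plain string compare would rank v3.3.9 above v3.3.10. This is an added example, not part of the PR or of CodeRabbit's output: the go.mod excerpt is constructed from versions quoted in the thread, the function names are hypothetical, and the parser is line-based (it does not apply replace or exclude directives).

```go
package main

import (
	"fmt"
	"slices"
	"strings"
)

// Constructed go.mod excerpt using the versions quoted in the review thread.
const goMod = `require (
	github.com/argoproj/argo-cd/v3 v3.3.9
	k8s.io/client-go v0.34.0
)
require github.com/go-git/go-git/v5 v5.17.1 // indirect`

// Floors named by the reviewer in this thread, not read from an advisory feed.
var floors = map[string]string{
	"github.com/argoproj/argo-cd/v3": "v3.3.10",
	"github.com/go-git/go-git/v5":    "v5.19.0",
}

// parseRequires (hypothetical helper) maps module path to pinned version.
func parseRequires(gomod string) map[string]string {
	pins := map[string]string{}
	for _, line := range strings.Split(gomod, "\n") {
		line, _, _ = strings.Cut(line, "//") // drop "// indirect"
		f := strings.Fields(strings.TrimPrefix(strings.TrimSpace(line), "require "))
		if len(f) == 2 && strings.HasPrefix(f[1], "v") {
			pins[f[0]] = f[1]
		}
	}
	return pins
}

// triple parses vMAJOR.MINOR.PATCH; pre-release/build suffixes are left unread.
func triple(v string) []int {
	t := make([]int, 3)
	fmt.Sscanf(v, "v%d.%d.%d", &t[0], &t[1], &t[2])
	return t
}

// belowFloor lists, sorted, every pinned module older than its floor.
func belowFloor(pins, floors map[string]string) []string {
	var out []string
	for mod, floor := range floors {
		if v, ok := pins[mod]; ok && slices.Compare(triple(v), triple(floor)) < 0 {
			out = append(out, mod+" "+v+" < "+floor)
		}
	}
	slices.Sort(out)
	return out
}

func main() {
	fmt.Println(strings.Join(belowFloor(parseRequires(goMod), floors), "\n"))
}
```

A non-empty result can fail a CI step; modules without a floor, such as k8s.io/client-go here, are ignored.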

@xcoulon xcoulon merged commit 9e576fc into codeready-toolchain:master May 20, 2026
7 checks passed
@xcoulon xcoulon deleted the upgrade-argocd-3.3.9 branch May 20, 2026 06:33
Labels

dependencies Pull requests that update a dependency file
