Expand Up @@ -10,7 +10,7 @@ import (
"github.com/devfile/library/v2/pkg/util"
tektonutils "github.com/konflux-ci/release-service/tekton/utils"
tektonv1 "github.com/tektoncd/pipeline/pkg/apis/pipeline/v1"
"go.yaml.in/yaml/v2"
"go.yaml.in/yaml/v3"

[low] Dependency Management & API Consistency

The upgrade from go.yaml.in/yaml/v2 to v3 is a major version change. The yaml package is used only once in the codebase (line 237, debug output in a failure handler). While yaml.Marshal has the same function signature in both v2 and v3, this is the sole consumer of the yaml dependency.

Suggested fix: If desired, replace yaml.Marshal with json.Marshal to eliminate the yaml dependency entirely from this test file. However, the current change is functionally safe since yaml.Marshal has an identical signature in v3 and is only used for non-functional debug output.


releaseApi "github.com/konflux-ci/release-service/api/v1alpha1"
"github.com/konflux-ci/release-service/e2e-tests/pkg/constants"
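
Review bot: the swap to go.yaml.in/yaml/v3 in this import block rebinds every yaml. identifier in the file, yet the hunk contains no call site, so nothing in the diff shows that the v3 output was checked. Because v2 and v3 are different major versions, list the affected calls in the PR description or attach the output of a test run that exercises them before merging.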
4 changes: 2 additions & 2 deletions go.mod
Expand Up @@ -14,7 +14,7 @@ require (
github.com/onsi/gomega v1.42.1
github.com/operator-framework/operator-lib v0.19.0
github.com/tektoncd/pipeline v1.13.1
go.yaml.in/yaml/v2 v2.4.4
go.yaml.in/yaml/v3 v3.0.4

[low] missing-authorization

This PR upgrades go.yaml.in/yaml from v2 to v3, a major version change. The PR is authored by red-hat-konflux[bot], an automated dependency management bot. While major version upgrades can introduce behavioral differences, the yaml library is used in exactly one location (e2e test error logging via yaml.Marshal), and the yaml.Marshal API is compatible between v2 and v3 for this use case.

Suggested fix: Verify that the yaml.Marshal call at final_pipeline_finalizer_removed.go:237 produces acceptable output with v3.

k8s.io/api v0.35.6
k8s.io/apimachinery v0.36.2
k8s.io/client-go v11.0.0+incompatible
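
Review bot: on the go.yaml.in/yaml/v3 v3.0.4 line, the direct requirement changes its module path as well as its version, so Go resolves it as a different module rather than an in-place bump of v2.4.4. Confirm that go.sum is updated in the same PR and that running go mod tidy leaves this require block unchanged, so the edit is reproducible from a clean checkout.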
Expand Down Expand Up @@ -101,7 +101,7 @@ require (
go.opentelemetry.io/otel/sdk/metric v1.44.0 // indirect
go.opentelemetry.io/otel/trace v1.44.0 // indirect
go.opentelemetry.io/proto/otlp v1.10.0 // indirect
go.yaml.in/yaml/v3 v3.0.4 // indirect
go.yaml.in/yaml/v2 v2.4.4 // indirect

[low] architectural-alignment

After the upgrade, both yaml/v2 (indirect) and yaml/v3 (direct) will coexist in the dependency tree. This dual-version state suggests a transitive dependency still requires v2. The upgrade path appears intentional: the project is migrating its direct usage to v3 while accommodating dependencies that have not yet migrated from v2.

Suggested fix: Verify via go mod why go.yaml.in/yaml/v2 which dependency requires v2, and track whether that dependency has a v3-compatible version available for future cleanup.

golang.org/x/crypto v0.53.0 // indirect
golang.org/x/exp v0.0.0-20260611194520-c48552f49976 // indirect
golang.org/x/mod v0.37.0 // indirect
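
Review bot: the go.yaml.in/yaml/v2 v2.4.4 // indirect line keeps v2 in the module graph, so this hunk relabels the old version rather than removing it. Both major versions then have to be tracked for security updates; record in the PR description which module still pulls in v2 (go mod why -m go.yaml.in/yaml/v2 reports it) so the indirect entry can be dropped once that dependency moves to v3.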