2 changes: 1 addition & 1 deletion go.mod
Expand Up @@ -55,7 +55,7 @@ require (
github.com/go-openapi/swag/yamlutils v0.26.1 // indirect
github.com/go-task/slim-sprig/v3 v3.0.0 // indirect
github.com/gobwas/glob v0.2.3 // indirect
github.com/golang-jwt/jwt/v4 v4.5.2 // indirect
github.com/golang-jwt/jwt/v5 v5.3.1 // indirect

[high] build integrity

The go.sum file was not updated alongside this go.mod change. go.sum still contains checksums for golang-jwt/jwt/v4 v4.5.2 but has no entries for golang-jwt/jwt/v5 v5.3.1. This means go mod tidy or go mod verify was not run, and any build will fail with a missing checksum error. For a Renovate bot PR, this strongly suggests the bot did not run go mod tidy as a post-update command, producing an inconsistent module state.

Suggested fix: Ensure the Renovate bot configuration includes a postUpdateOptions entry for gomodTidy (or equivalent), and regenerate the PR so both go.mod and go.sum are consistent.

[medium] logic error

The diff replaces jwt/v4 with jwt/v5 in go.mod. In Go, /v4 and /v5 are entirely different module paths. While ghinstallation/v2 v2.18.0 migrated to jwt/v5 at v2.13.0, other transitive dependencies may still depend on jwt/v4. Without go.sum being updated, it is impossible to confirm from the PR alone that all transitive consumers have migrated.

Suggested fix: Run go mod tidy to verify no transitive dependency still requires jwt/v4. If tidy re-adds v4, both v4 and v5 may need to coexist in go.mod.

[info] dependency-security

Indirect dependency golang-jwt/jwt upgraded from v4.5.2 to v5.3.1. This is a positive security change: v5 removes the ParseUnverified footgun, enforces algorithm validation by default, and requires explicit WithLeeway for clock skew. Because this is an indirect dependency, actual exposure depends on whichever direct dependency pulls it in.

[high] dependency-management-consistency

The PR replaces the indirect dependency github.com/golang-jwt/jwt/v4 v4.5.2 with github.com/golang-jwt/jwt/v5 v5.3.1 in go.mod. In Go semantic import versioning, v4 and v5 are entirely different module paths. The go.sum file is not updated in this PR and still contains only v4 checksums, making the module graph inconsistent. Additionally, the transitive dependency github.com/google/go-github/v45 v45.2.0 (go.mod line 62) historically requires jwt/v4, which means jwt/v4 may need to remain in go.mod alongside jwt/v5. Without running go mod tidy and including the resulting go.sum changes, this PR will likely cause build failures.

Suggested fix: Run go mod tidy to reconcile the module graph. If go-github/v45 or other transitive dependencies still require jwt/v4, both v4 and v5 must coexist in go.mod. Include the updated go.sum in the PR and verify the build compiles.

[low] module-path-version-alignment

This is a major version bump from jwt/v4 to jwt/v5 for an indirect dependency. The parent dependency ghinstallation/v2 v2.18.0 needs to support jwt/v5 for this change to be valid.

Suggested fix: Verify that ghinstallation/v2 v2.18.0 supports jwt/v5 by checking its go.mod, or confirm via go mod tidy that the dependency graph resolves cleanly.

[high] api-contract

The go.mod change from jwt/v4 to jwt/v5 is a major version bump of an indirect dependency, but no direct dependency in go.mod appears to have been updated to one that transitively requires jwt/v5. In Go modules, v4 and v5 are separate module paths. The existing transitive consumer (ghinstallation/v2 v2.18.0) depends on jwt/v4. If no transitive dependency actually requires jwt/v5, this entry is orphaned and go mod tidy would either remove it or revert it. Additionally, go.sum contains only v4 checksums and must be regenerated.

Suggested fix: Run 'go mod tidy' to verify whether jwt/v5 is actually required by any transitive dependency. If it is not, the direct dependency that pulls in jwt (e.g., ghinstallation/v2) must be updated first to a version that depends on jwt/v5. Include the regenerated go.sum in the PR.

[critical] api-contract

In Go modules, github.com/golang-jwt/jwt/v4 and github.com/golang-jwt/jwt/v5 are entirely different module paths. This PR replaces v4 with v5 in go.mod but go.sum was not updated -- it still contains checksums for jwt/v4 only (lines 135-136), with no jwt/v5 entries, so any build or test will fail checksum verification. Additionally, if ghinstallation/v2 v2.19.0 still imports jwt/v4 internally, this substitution is semantically invalid -- go mod tidy would restore jwt/v4. The missing go.sum update strongly suggests go mod tidy was not run after this change.

Suggested fix: Run go mod tidy to regenerate go.mod and go.sum from the actual dependency graph. If ghinstallation/v2 v2.19.0 has not migrated to jwt/v5, this change is invalid. If it has, go mod tidy will add the correct jwt/v5 entries to go.sum (and possibly retain jwt/v4 if other transitive deps still need it). Commit both go.mod and go.sum.

[info] dependency-upgrade

Upgrading golang-jwt from v4.5.2 to v5.3.1 is security-positive. jwt/v5 introduces stricter defaults: it requires explicit algorithm validation via parser options, enforces claims validation by default, and removes deprecated/unsafe APIs. Since this is an indirect dependency, the security surface is limited to transitive consumers.

[critical] api-contract

The PR replaces the indirect dependency github.com/golang-jwt/jwt/v4 v4.5.2 with github.com/golang-jwt/jwt/v5 v5.3.1. In Go modules, v4 and v5 are distinct module paths. Both bradleyfalzon/ghinstallation/v2 v2.19.0 and openshift-pipelines/pipelines-as-code v0.46.0 explicitly require jwt/v4 v4.5.2 in their own go.mod files. Replacing the v4 entry with v5 means the v4 module is no longer declared but is still transitively required. Running go mod tidy will re-add v4 and the v5 entry will be removed as unused.

Suggested fix: Close this PR. The upgrade to jwt/v5 must come from upstream consumers (ghinstallation, pipelines-as-code) updating their own imports first. Configure Renovate to skip major version bumps on indirect Go module dependencies where the major version is part of the import path.

[medium] dependency-integrity

go.sum contains entries only for github.com/golang-jwt/jwt/v4 v4.5.2 and has no entries for jwt/v5. The go.sum was not updated alongside the go.mod change. Running go mod tidy will revert the v4-to-v5 swap because transitive dependencies still require v4.

[info] authentication-library-upgrade

The upgrade from golang-jwt/jwt v4 to v5 is security-positive in principle (stricter alg header validation, enforced exp claim checking). However, since no transitive dependency in this project currently imports jwt/v5, the security benefits are unrealizable through this PR.

[critical] logic-error

The PR changes go.mod to require github.com/golang-jwt/jwt/v5 v5.3.1 but does NOT update go.sum. In Go, jwt/v4 and jwt/v5 are entirely different module paths. The go.sum file contains only jwt/v4 checksums and zero entries for jwt/v5. Additionally, the transitive dependency ghinstallation/v2 v2.19.0 may still import jwt/v4 in its code. Simply swapping the line in go.mod without running go mod tidy will produce an inconsistent module state. If ghinstallation still requires jwt/v4, this change will break the build.

Suggested fix: Run go mod tidy to let Go resolve the actual transitive dependency graph. If ghinstallation still requires jwt/v4, the go.mod entry must remain jwt/v4. If a newer version of ghinstallation uses jwt/v5, update ghinstallation first, then run go mod tidy.

[low] scope-authorization

Major version upgrade (v4 to v5) of golang-jwt/jwt via Renovate automation. Since jwt is pulled in indirectly via ghinstallation/v2, compatibility depends on whether the intermediate dependency supports v5.

[info] dependency-upgrade

Indirect dependency golang-jwt/jwt upgraded from v4.5.2 to v5.3.1. This is a major version bump of a security-critical JWT library. The v4-to-v5 migration primarily introduced stricter validation defaults which are security-positive changes.

[critical] logic-error

In Go semantic import versioning, github.com/golang-jwt/jwt/v4 and github.com/golang-jwt/jwt/v5 are distinct module paths. The indirect dependency on jwt/v4 exists because github.com/bradleyfalzon/ghinstallation/v2 v2.19.0 (line 33 of go.mod) transitively requires jwt/v4. Simply rewriting the module path from jwt/v4 to jwt/v5 in go.mod does not update the actual imports in that dependency. Running go mod tidy would either fail or silently re-add jwt/v4, and go build would break. Additionally, go.sum was not updated — it still only contains checksums for jwt/v4 v4.5.2, confirming the change was not validated with go mod tidy.

Suggested fix: Do not merge this PR. The upstream consumer (ghinstallation/v2) must first release a version that imports jwt/v5. Once that upstream release exists, update ghinstallation/v2 to that version, then run go mod tidy to let the dependency graph naturally pick up jwt/v5.

[info] dependency-security

The security motivation for this change is sound: golang-jwt/jwt/v4 has CVE-2024-51744 (CVSS 3.1, low severity — improper validation of the aud claim). However, the approach taken by this PR (rewriting the module path) is invalid due to Go semantic import versioning. The security fix cannot be applied this way until upstream dependencies migrate to jwt/v5.

[high] api-contract

The PR replaces github.com/golang-jwt/jwt/v4 with github.com/golang-jwt/jwt/v5 in go.mod, but go.sum is not included in the PR changeset. Without updated checksums, the build will fail. In Go modules, jwt/v4 and jwt/v5 are entirely different module paths — the module graph must be resolved via go mod tidy.

Suggested fix: Run go mod tidy to reconcile go.mod and go.sum. Commit both files together.

[medium] edge-case

jwt/v5 contains breaking API changes compared to jwt/v4. While this repo has no direct imports, transitive dependencies must be compatible with v5.

Suggested fix: Verify the build compiles successfully after running go mod tidy.

[high] build breakage

go.sum is not updated to match the go.mod change. The current go.sum contains checksums only for golang-jwt/jwt/v4 v4.5.2 and has no entries for golang-jwt/jwt/v5 v5.3.1. If the PR truly only modifies go.mod (as the changed-files list indicates), then go mod verify and builds will fail because the required module jwt/v5 v5.3.1 lacks a checksum in go.sum.

Suggested fix: Run go mod tidy so that go.sum is regenerated with the correct entries for jwt/v5, and include the updated go.sum in the PR.

[info] dependency upgrade

Upgrading golang-jwt from v4 (v4.5.2) to v5 (v5.3.1) is a positive security change. jwt/v5 introduced stricter default validation behavior that reduces the attack surface for JWT-related vulnerabilities. Since this is an indirect dependency, the behavioral changes are governed by the transitive consumer.

[high] api-contract

In Go modules, github.com/golang-jwt/jwt/v4 and github.com/golang-jwt/jwt/v5 are distinct module paths. The indirect dependency github.com/bradleyfalzon/ghinstallation/v2 (v2.19.0) currently resolves against jwt/v4 (confirmed by go.sum containing only v4 entries). Simply swapping jwt/v4 for jwt/v5 in go.mod does not satisfy ghinstallation's transitive requirement for jwt/v4. This change will either fail go mod tidy (re-adding jwt/v4) or cause a build failure.

Suggested fix: Do not manually swap jwt/v4 to jwt/v5 in go.mod. Instead, upgrade the direct or indirect dependency that actually imports jwt (e.g., ghinstallation/v2) to a version that has migrated to jwt/v5, then run go mod tidy to let Go resolve the correct transitive dependency. If no upstream consumer has migrated to jwt/v5, this change should be deferred.

[medium] incomplete-change

go.sum is not updated by this PR. It still contains only entries for golang-jwt/jwt/v4 (v4.5.2) and has no entries for jwt/v5. After the go.mod change, go mod verify or any build will fail because the checksum database has no matching record.

Suggested fix: Run go mod tidy after any go.mod change to regenerate go.sum, then include the updated go.sum in the PR.

[high] incomplete-dependency-update

The PR updates golang-jwt/jwt from v4 to v5 in go.mod but does not include corresponding go.sum changes. The current go.sum contains only v4.5.2 checksums. In Go modules, v4 and v5 are distinct module paths, so the v4 checksums cannot satisfy the v5 requirement. Without updated go.sum, module verification and builds will fail. Additionally, ghinstallation/v2 v2.19.0 is a known transitive consumer of golang-jwt -- if it still imports jwt/v4, then removing v4 from go.mod and only declaring v5 will cause a build failure because the transitive v4 requirement would be unsatisfied.

Suggested fix: Run go mod tidy to regenerate both go.mod and go.sum consistently. If ghinstallation/v2 v2.19.0 still requires jwt/v4, the v4 entry will reappear in go.mod, indicating the upgrade is not yet possible. Include the resulting go.sum changes in the PR and verify with go build ./... before merging.

[low] major-version-upgrade-verification

This is a major version upgrade (v4 to v5) of golang-jwt/jwt, an indirect dependency. While v5 does include breaking API changes, this codebase does not directly import golang-jwt. The risk is limited to transitive compatibility, which would manifest as a build failure caught by CI.

Suggested fix: Verify that ghinstallation/v2 v2.19.0 supports jwt/v5 by checking its go.mod or release notes. If it does not, the go mod tidy step will surface the issue automatically.

[high] build integrity

The PR changes go.mod to replace golang-jwt/jwt/v4 with jwt/v5, but go.sum is not included in the diff. go.sum contains only v4 checksums and zero entries for v5. In Go modules, /v4 and /v5 are distinct module paths requiring separate checksum entries. Without updating go.sum, the build will fail because go mod verify will not find checksums for the v5 module. Additionally, since go mod tidy was not run, there is no proof the dependency graph is consistent.

Suggested fix: Run go mod tidy and include the updated go.sum (and any go.mod adjustments) in the PR.

[info] authentication library version

golang-jwt/jwt is a security-critical JWT parsing library. The bump from v4.5.2 to v5.3.1 is a major version change. This dependency is indirect and no Go source files directly import it. The upgrade is positive from a security standpoint provided the transitive consumer is compatible.

[critical] logic-error

In Go modules, v4 and v5 are distinct major versions with different module paths (github.com/golang-jwt/jwt/v4 vs github.com/golang-jwt/jwt/v5). They are not interchangeable. If any transitive dependency (such as github.com/bradleyfalzon/ghinstallation/v2 v2.19.0) still imports jwt/v4, removing jwt/v4 from go.mod will cause a build failure — go mod tidy would re-add jwt/v4 or error out. The go.sum file confirms only jwt/v4 checksums exist, meaning this change was not validated by go mod tidy.

Suggested fix: Do not manually replace jwt/v4 with jwt/v5 in go.mod. Run go mod tidy to validate whether the dependency graph actually allows this swap. If any transitive dependency still requires jwt/v4, the swap is invalid. To move to jwt/v5, all upstream consumers of jwt/v4 must first migrate.

[high] api-contract

The go.sum file is not updated in this PR. It still contains checksums only for jwt/v4 v4.5.2 and has no entries for jwt/v5 v5.3.1. The build will fail with a missing sum error because go.sum does not contain the expected hashes for jwt/v5.

Suggested fix: Any legitimate go.mod change must be accompanied by a corresponding go.sum update generated by go mod tidy.

[high] api-contract

The PR changes go.mod to require github.com/golang-jwt/jwt/v5 but the changed files list includes only go.mod -- go.sum is not updated. go.sum currently contains checksums only for jwt/v4 v4.5.2. Without the corresponding jwt/v5 v5.3.1 entries in go.sum, any build or go mod verify will fail because the required module checksums are missing.

Suggested fix: Run go mod tidy to regenerate go.sum with the correct checksums for jwt/v5 and include the updated go.sum in the PR.

[medium] api-contract

This is a major version bump of an indirect dependency (jwt/v4 to jwt/v5). The transitive consumer is likely ghinstallation/v2 v2.19.0. If that package still imports jwt/v4, then replacing v4 with v5 in go.mod will fail at go mod tidy (v4 will reappear). The PR should verify that go mod tidy produces this exact go.mod with only v5 and no v4.

Suggested fix: Run go mod tidy and confirm the resulting go.mod matches. If v4 reappears, the upstream direct dependency has not yet migrated to jwt/v5 and this change is premature.

[medium] api-contract

The PR replaces github.com/golang-jwt/jwt/v4 with github.com/golang-jwt/jwt/v5. In Go module semantics these are distinct module paths. However, this is likely a valid change: ghinstallation/v2 v2.19.0 (the transitive consumer) migrated from jwt/v4 to jwt/v5 around v2.12.0. The PR is incomplete because go.sum is not updated (it still references jwt/v4 only), meaning go mod verify will fail until go.sum is regenerated.

Suggested fix: Run go mod tidy to regenerate both go.mod and go.sum consistently and include the updated go.sum in the PR.

[medium] incomplete-dependency-update

The go.sum file is not updated in this PR. It still contains checksums only for jwt/v4 v4.5.2 and has no entries for jwt/v5 v5.3.1. The build and go mod verify will fail until go.sum is regenerated with go mod tidy.

Suggested fix: Run go mod tidy to regenerate go.sum and include it in the PR.

[low] dependency-compatibility-risk

This is a major version bump of an indirect dependency (golang-jwt/jwt v4 to v5). The intermediate consumer, ghinstallation/v2 v2.19.0, does support jwt/v5 (it migrated around v2.12.0). No source files in this repository directly import golang-jwt, so there are no direct API compatibility concerns.

Suggested fix: Run the test suite to confirm no runtime breakage from the transitive dependency change.

[high] build-breakage

go.sum was not updated: it still contains only golang-jwt/jwt/v4 checksums and zero golang-jwt/jwt/v5 entries. With go.mod declaring a requirement on jwt/v5, any build or go mod download will fail because the required checksums are missing from go.sum.

Suggested fix: Run go mod tidy after changing go.mod so that go.sum is regenerated with the correct v5 checksums.

[medium] logic-error

The go.mod edit changes an indirect dependency from jwt/v4 to jwt/v5. In Go modules these are distinct module paths. However, bradleyfalzon/ghinstallation/v2 v2.19.0 (a direct dependency) migrated to jwt/v5 around v2.12.0, so the v5 requirement is likely correct. The stale go.sum is a workflow issue, not evidence of an invalid dependency. Running go mod tidy will confirm.

Suggested fix: Run go mod tidy to confirm the dependency graph resolves correctly. If go mod tidy produces jwt/v5, the change is valid.

[low] module-path-consistency

The import path changed from github.com/golang-jwt/jwt/v4 to github.com/golang-jwt/jwt/v5, which is a major version change in Go semantic import versioning. This dependency is marked indirect. The PR should verify which transitive dependency requires this upgrade.

Suggested fix: Run go mod why github.com/golang-jwt/jwt/v5 and go mod graph | grep golang-jwt to identify the dependency chain.

[medium] logic-error

The PR replaces jwt/v4 with jwt/v5 in go.mod but does not update go.sum. The go.sum file only contains entries for jwt/v4, not jwt/v5, which will cause integrity check failures. While ghinstallation/v2 v2.19.0 (present in this go.mod) likely migrated to jwt/v5 around v2.12.0, making the module path swap plausible, the missing go.sum update is a build-breaking omission.

Suggested fix: Run 'go mod tidy' to update both go.mod and go.sum consistently. Verify the resulting go.mod still lists jwt/v5 (confirming transitive deps have migrated) and that go.sum gains jwt/v5 entries.

[high] api-contract

The diff replaces github.com/golang-jwt/jwt/v4 with github.com/golang-jwt/jwt/v5 in go.mod, but go.sum still only contains entries for jwt/v4. In Go modules, v4 and v5 are distinct module paths. The go.sum file must be updated to include checksums for jwt/v5. Additionally, the transitive dependency that pulls in jwt (likely ghinstallation/v2 v2.19.0) must itself require jwt/v5 for this change to be valid. Without running go mod tidy, the dependency graph may be inconsistent.

Suggested fix: Run 'go mod tidy' and 'go build ./...' to validate the dependency graph. If go mod tidy re-adds jwt/v4 or fails, the upstream dependency (ghinstallation/v2) has not migrated to jwt/v5 yet and this change is premature.

[low] api-contract

The PR replaces golang-jwt/jwt/v4 with jwt/v5. The primary transitive consumer, ghinstallation/v2 v2.19.0, migrated to jwt/v5 starting around v2.12.0, so the upgrade is compatible. The absence of go.sum changes in the diff is expected for a Renovate bot PR where go.sum diffs are often omitted from the review view, not necessarily missing from the commit.

Suggested fix: Verify the CI pipeline passes (go mod tidy, go build ./..., go test ./...) before merging. This is standard practice and the draft status suggests it is still being validated.
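
The go.mod/go.sum consistency check that the review comments above keep returning to, as an added Go example (not part of this PR or the project's code). It lists modules that go.mod requires but that have no `/go.mod` hash line in go.sum, and go.sum paths that differ from a required module only in the `/vN` suffix; the module name `example.test/app`, the function names and the placeholder `h1:` values are constructed for illustration.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Constructed inputs; module name and h1 values are placeholders, not real checksums.
const sampleGoMod = `module example.test/app

require (
	github.com/gobwas/glob v0.2.3 // indirect
	github.com/golang-jwt/jwt/v5 v5.3.1 // indirect
)
`

const sampleGoSum = `github.com/gobwas/glob v0.2.3 h1:PLACEHOLDER-A=
github.com/gobwas/glob v0.2.3/go.mod h1:PLACEHOLDER-B=
github.com/golang-jwt/jwt/v4 v4.5.2 h1:PLACEHOLDER-C=
github.com/golang-jwt/jwt/v4 v4.5.2/go.mod h1:PLACEHOLDER-D=
`

var majorSuffix = regexp.MustCompile(`/v[0-9]+$`)

// requires returns the {path, version} pairs of go.mod require directives.
func requires(gomod string) [][2]string {
	var out [][2]string
	inBlock := false
	for _, line := range strings.Split(gomod, "\n") {
		line, _, _ = strings.Cut(line, "//") // drop "// indirect" comments
		f := strings.Fields(line)
		switch {
		case len(f) == 2 && f[0] == "require" && f[1] == "(":
			inBlock = true
		case len(f) == 1 && f[0] == ")":
			inBlock = false
		case inBlock && len(f) == 2:
			out = append(out, [2]string{f[0], f[1]})
		case len(f) == 3 && f[0] == "require":
			out = append(out, [2]string{f[1], f[2]})
		}
	}
	return out
}

// MissingSums lists required modules with no "<path> <version>/go.mod" line in go.sum.
func MissingSums(gomod, gosum string) []string {
	have := map[string]bool{}
	for _, line := range strings.Split(gosum, "\n") {
		if f := strings.Fields(line); len(f) == 3 && strings.HasSuffix(f[1], "/go.mod") {
			have[f[0]+" "+strings.TrimSuffix(f[1], "/go.mod")] = true
		}
	}
	var missing []string
	for _, r := range requires(gomod) {
		if !have[r[0]+" "+r[1]] {
			missing = append(missing, r[0]+" "+r[1])
		}
	}
	return missing
}

// SiblingMajors lists go.sum paths that differ from a required path only in the /vN suffix.
func SiblingMajors(gomod, gosum string) []string {
	required, bases := map[string]bool{}, map[string]bool{}
	for _, r := range requires(gomod) {
		required[r[0]] = true
		bases[majorSuffix.ReplaceAllString(r[0], "")] = true
	}
	var out []string
	for _, line := range strings.Split(gosum, "\n") {
		f := strings.Fields(line)
		if len(f) == 3 && !required[f[0]] && bases[majorSuffix.ReplaceAllString(f[0], "")] {
			required[f[0]] = true // report each path once
			out = append(out, f[0])
		}
	}
	return out
}

func main() {
	fmt.Println(MissingSums(sampleGoMod, sampleGoSum), SiblingMajors(sampleGoMod, sampleGoSum))
}
```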

github.com/google/btree v1.1.3 // indirect
github.com/google/cel-go v0.28.1 // indirect
github.com/google/gnostic-models v0.7.1 // indirect
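
Review bot: The replaced require line changes the module path, not only the version: `github.com/golang-jwt/jwt/v4 v4.5.2 // indirect` becomes `github.com/golang-jwt/jwt/v5 v5.3.1 // indirect`, and the only file diff shown here is go.mod (1 addition, 1 deletion), so no go.sum change accompanies it. Because the entry is marked `// indirect`, the hunk alone does not show which required module pulls in jwt/v5. Run go mod tidy, commit the resulting go.mod and go.sum together, and attach the output of go mod why -m github.com/golang-jwt/jwt/v5 so a reviewer can see what actually needs the new path.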