chore(deps): update module go.uber.org/zap to v1.28.0 #237

Open
red-hat-konflux[bot] wants to merge 1 commit into dockerfile-test from konflux/mintmaker/dockerfile-test/go.uber.org-zap-1.x

red-hat-konflux Bot commented May 14, 2026

This PR contains the following updates:

| Package | Change | Age | Confidence |
| --- | --- | --- | --- |
| go.uber.org/zap | v1.27.1 → v1.28.0 | age | confidence |

Warning

Some dependencies could not be looked up. Check the warning logs for more information.


Release Notes

uber-go/zap (go.uber.org/zap)

v1.28.0

Compare Source

Enhancements:

  • #1534: Add zapcore.CheckPreWriteHook and CheckedEntry.Before method for transforming entries before they are written to any Cores.

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

To execute skipped test pipelines write comment /ok-to-test.


Documentation

Find out how to configure dependency updates in MintMaker documentation or see all available configuration options in Renovate documentation.

@openshift-ci openshift-ci Bot requested review from aneeshkp and spolti May 14, 2026 02:09
openshift-ci Bot commented May 14, 2026

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: red-hat-konflux[bot]
Once this PR has been reviewed and has the lgtm label, please assign danielezonca for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

openshift-ci Bot commented May 14, 2026

Hi @red-hat-konflux[bot]. Thanks for your PR.

I'm waiting for an opendatahub-io member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work.

Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@github-actions

Cannot approve the pull request: Error: openshift-ci[bot] is not included in the approvers role in the OWNERS file

@mwaykole mwaykole left a comment

Member

PR Review: chore(deps): update module go.uber.org/zap to v1.28.0

Reviewer: @mwaykole | Risk Level: 🟢 LOW | Recommendation: APPROVE with notes


Summary

This is an automated MintMaker (Renovate) dependency bump PR targeting the dockerfile-test branch, upgrading go.uber.org/zap from v1.27.1 → v1.28.0. The change is minimal, safe, and all CI checks pass.


✅ What I Verified

1. Diff Analysis (Files Changed: 2)

| File | Change | Risk |
| --- | --- | --- |
| go.mod | Single line version bump v1.27.1 → v1.28.0 (indirect dep) | 🟢 None |
| go.sum | Hash update for new version | 🟢 None |

The change is purely a version string + checksum update. No source code modifications.

2. Dependency Type

go.uber.org/zap is marked as // indirect in this branch's go.mod. It is pulled in transitively via github.com/go-logr/zapr v1.3.0, which acts as a logr-to-zap bridge adapter. No code in this repo directly imports zap APIs.

3. v1.28.0 Release — No Breaking Changes

From upstream CHANGELOG:

Enhancements only: Adds zapcore.CheckPreWriteHook and CheckedEntry.Before() for transforming log entries before writing to Cores.

This is a purely additive API change. No existing APIs were removed or modified. Fully backwards compatible — go-logr/zapr v1.3.0 will continue to function identically.

4. Security Scan

  • OSV database check for go.uber.org/zap at both v1.27.1 and v1.28.0: 0 known CVEs
  • No hardcoded secrets, tokens, or credentials introduced ✅
  • No RBAC, webhook, or deployment manifest changes

5. go.sum Hash Integrity

Cross-validated the h1: hash against the Go sum transparency log:

go.uber.org/zap v1.28.0 h1:IZzaP1Fv73/T/pBMLk4VutPl36uNC+OSUh3JLG3FIjo=  ✅ VERIFIED

The hash in this PR exactly matches sum.golang.org's record. No supply-chain tampering risk.

6. CI Status — All Green ✅

| Check | Result |
| --- | --- |
| Konflux / llm-d-scheduler-odh-test-on-pull-request | ✅ pass |
| execute | ✅ pass |
| typos | ✅ pass |

⚠️ Observations & Notes (Non-Blocking)

1. Target Branch: dockerfile-test (not main)

This PR targets the dockerfile-test experimental branch, not main. This branch is currently:

  • 755 commits BEHIND main
  • 10 commits AHEAD of main (all MintMaker dep bumps)
  • Status: DIVERGED

This is a long-running experimental branch accumulating dependency bumps independently from main. There is no corresponding zap upgrade PR targeting main, where go.uber.org/zap is a direct dependency at v1.27.1.

Suggestion: Consider whether the dockerfile-test branch should be periodically rebased onto main, or whether a separate MintMaker update for main is planned. The growing divergence (755 commits behind) increases merge complexity over time and risks a version skew where main lags behind the dependency versions in dockerfile-test.

2. Version Divergence Between Branches

| Branch | zap version | dep type |
| --- | --- | --- |
| main | v1.27.1 | direct |
| dockerfile-test (this PR) | v1.28.0 | indirect |

Note the dependency classification differs: main imports zap directly, but dockerfile-test only uses it via go-logr/zapr. This suggests the branches have different module graphs. When this branch is eventually merged or the dependencies reconciled, this difference should be resolved explicitly.

3. Batch of ~20 MintMaker PRs Open Against dockerfile-test

There are approximately 20 other open MintMaker bump PRs against this same branch (e.g., prometheus, ginkgo, opentelemetry, envoyproxy, redis, cobra, etc.). It may be more efficient to batch-approve and merge these together, or to close them and run a single go get -u ./... + go mod tidy sweep on the branch to avoid serial merge conflicts.


Risk Assessment

| Dimension | Rating | Reasoning |
| --- | --- | --- |
| API Breaking Changes | 🟢 None | v1.28.0 is additive-only |
| Security Risk | 🟢 None | 0 CVEs, hash verified against transparency log |
| Upgrade Impact | 🟢 None | Indirect dep, no reconciler/controller changes |
| Cross-repo Impact | 🟢 None | zap is self-contained, no CRD/API surface changes |
| Test Coverage | 🟢 N/A | Dependency bump; existing tests validate behavior |
| CI Signal | 🟢 Green | All 3 checks pass |

Verdict

The change is safe to merge. The go.uber.org/zap bump from v1.27.1 to v1.28.0 introduces no breaking changes, no security risk, and has a clean CI signal. The go.sum hashes are verified against the Go transparency log.

The main process concern (non-blocking) is the growing divergence of the dockerfile-test branch from main — worth tracking at the team level to avoid a painful reconciliation later.

Approved ✅ — pending team's standard merge process for MintMaker bot PRs.
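
Added example, not part of this PR thread or of any project named in it: the go.sum check in the review above depends on what an h1: hash covers. This Go sketch reimplements the h1 derivation and re-checks go.sum entries against a module tree; the module example.com/demo, its file contents, and the helper names hash1, goSumLines and mismatches are constructed for illustration.

```go
package main

import (
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"sort"
)

// hash1 is the go.sum "h1:" scheme: SHA-256 over sorted "<sha256 hex>  <name>\n" lines.
func hash1(files map[string][]byte) string {
	var names []string
	for n := range files {
		names = append(names, n)
	}
	sort.Strings(names)
	h := sha256.New()
	for _, n := range names {
		fmt.Fprintf(h, "%x  %s\n", sha256.Sum256(files[n]), n)
	}
	return "h1:" + base64.StdEncoding.EncodeToString(h.Sum(nil))
}

// goSumLines builds both go.sum entries: the whole zip ("mod@ver/path" names) and go.mod alone.
func goSumLines(mod, ver string, zip map[string][]byte) []string {
	modOnly := map[string][]byte{"go.mod": zip[mod+"@"+ver+"/go.mod"]}
	return []string{mod + " " + ver + " " + hash1(zip), mod + " " + ver + "/go.mod " + hash1(modOnly)}
}

// mismatches returns the recorded go.sum lines that the fetched tree does not reproduce.
func mismatches(goSum []string, mod, ver string, zip map[string][]byte) (bad []string) {
	want := goSumLines(mod, ver, zip)
	for _, l := range goSum {
		if l != want[0] && l != want[1] {
			bad = append(bad, l)
		}
	}
	return bad
}

func main() { // constructed sample tree; these are not zap's real contents
	zip := map[string][]byte{
		"example.com/demo@v1.0.0/go.mod":  []byte("module example.com/demo\n"),
		"example.com/demo@v1.0.0/demo.go": []byte("package demo\n"),
	}
	sum := goSumLines("example.com/demo", "v1.0.0", zip) // what go.sum recorded
	zip["example.com/demo@v1.0.0/demo.go"] = []byte("package demo // tampered\n")
	fmt.Println(mismatches(sum, "example.com/demo", "v1.0.0", zip)) // only the tree line fails
}
```

The sketch only shows that a changed file breaks the tree entry while the /go.mod entry still matches; it does not query the checksum database. The Go toolchain performs the real comparison itself (`go mod verify`, the GOSUMDB lookup).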

Signed-off-by: red-hat-konflux <126015336+red-hat-konflux[bot]@users.noreply.github.com>
red-hat-konflux Bot force-pushed the konflux/mintmaker/dockerfile-test/go.uber.org-zap-1.x branch from cd37d26 to ecd3b86 May 23, 2026 14:14
@github-actions

This PR is marked as stale after 21d of inactivity. After an additional 14d of inactivity (7d to become rotten, then 7d more), it will be closed. To prevent this PR from being closed, add a comment or remove the lifecycle/stale label.
