Fix CVE-2026-29181: bump OpenTelemetry-Go to v1.41.0

[sheltoncyril]

Summary

• Bumps go.opentelemetry.io/otel, go.opentelemetry.io/otel/metric, and go.opentelemetry.io/otel/trace from v1.39.0 → v1.41.0
• Fixes CVE-2026-29181 (HIGH): multi-value baggage header extraction causes excessive allocations, enabling remote DoS amplification
• Resolves Trivy security scan failure blocking PR Fix: ServiceMonitor conflict and TLS issues #726

Test plan

• go build ./... passes
• CI Trivy scan passes with updated dependency

🤖 Generated with Claude Code

Summary by CodeRabbit

• Chores

  • Updated OpenTelemetry dependencies to v1.41.0.
  • Set GITHUB_TOKEN as an environment variable for a CI workflow step.

• Tests

  • Relaxed two integration test assertions to allow broader error-progress message matching.

[openshift-ci-robot]

@sheltoncyril: No Jira issue with key CVE-2026 exists in the tracker at https://redhat.atlassian.net.
Once a valid jira issue is referenced in the title of this pull request, request a refresh with /jira refresh.

Details

In response to this:

Summary

• Bumps go.opentelemetry.io/otel, go.opentelemetry.io/otel/metric, and go.opentelemetry.io/otel/trace from v1.39.0 → v1.41.0
• Fixes CVE-2026-29181 (HIGH): multi-value baggage header extraction causes excessive allocations, enabling remote DoS amplification
• Resolves Trivy security scan failure blocking PR Fix: ServiceMonitor conflict and TLS issues #726

Test plan

• go build ./... passes
• CI Trivy scan passes with updated dependency

🤖 Generated with Claude Code

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[coderabbitai]

📝 Walkthrough

Walkthrough

Updates: OpenTelemetry Go modules bumped v1.39.0→v1.41.0; GitHub Actions smoke workflow adds step-level GITHUB_TOKEN; two driver tests loosen exact progress-message assertions to check count and prefix.

Changes

Repository small updates

Layer / File(s)	Summary
Dependency Version Bump go.mod	OpenTelemetry Go modules (go.opentelemetry.io/otel, otel/metric, otel/trace) updated from v1.39.0 to v1.41.0.
CI Step Environment .github/workflows/smoke.yaml	Adds env.GITHUB_TOKEN (from secrets.GITHUB_TOKEN) to the “Install kustomize” step.
Tests: driver assertions controllers/lmes/driver/driver_test.go	Two tests (Test_DetectDeviceError, Test_DownloadAssetsS3Error) now assert a single progress message exists and that it contains the expected error-prefix substring rather than matching a full exact message.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Poem

🐰 A tiny hop, a careful tweak,
Versions nudged and tokens peek,
Tests relaxed, the build can prance,
A gentle patch, a joyful dance. 🥕

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title directly and specifically describes the main change: bumping OpenTelemetry-Go to v1.41.0 to fix CVE-2026-29181, which aligns with the primary change in go.mod.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch fix/cve-2026-29181-otel-bump

Tip

💬 Introducing Slack Agent: The best way for teams to turn conversations into code.

Slack Agent is built on CodeRabbit's deep understanding of your code, so your team can collaborate across the entire SDLC without losing context.

• Generate code and open pull requests
• Plan features and break down work
• Investigate incidents and troubleshoot customer tickets together
• Automate recurring tasks and respond to alerts with triggers
• Summarize progress and report instantly

Built for teams:

• Shared memory across your entire org—no repeating context
• Per-thread sandboxes to safely plan and execute work
• Governance built-in—scoped access, auditability, and budget controls

One agent for your entire SDLC. Right inside Slack.

👉 Get started

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[openshift-ci-robot]

@sheltoncyril: No Jira issue with key CVE-2026 exists in the tracker at https://redhat.atlassian.net.
Once a valid jira issue is referenced in the title of this pull request, request a refresh with /jira refresh.

Details

In response to this:

Summary

• Bumps go.opentelemetry.io/otel, go.opentelemetry.io/otel/metric, and go.opentelemetry.io/otel/trace from v1.39.0 → v1.41.0
• Fixes CVE-2026-29181 (HIGH): multi-value baggage header extraction causes excessive allocations, enabling remote DoS amplification
• Resolves Trivy security scan failure blocking PR Fix: ServiceMonitor conflict and TLS issues #726

Test plan

• go build ./... passes
• CI Trivy scan passes with updated dependency

🤖 Generated with Claude Code

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[openshift-ci-robot]

@sheltoncyril: No Jira issue with key CVE-2026 exists in the tracker at https://redhat.atlassian.net.
Once a valid jira issue is referenced in the title of this pull request, request a refresh with /jira refresh.

Details

In response to this:

Summary

• Bumps go.opentelemetry.io/otel, go.opentelemetry.io/otel/metric, and go.opentelemetry.io/otel/trace from v1.39.0 → v1.41.0
• Fixes CVE-2026-29181 (HIGH): multi-value baggage header extraction causes excessive allocations, enabling remote DoS amplification
• Resolves Trivy security scan failure blocking PR Fix: ServiceMonitor conflict and TLS issues #726

Test plan

• go build ./... passes
• CI Trivy scan passes with updated dependency

🤖 Generated with Claude Code

Summary by CodeRabbit

• Chores
• Updated OpenTelemetry dependencies to version 1.41.0.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[openshift-ci-robot]

@sheltoncyril: No Jira issue with key CVE-2026 exists in the tracker at https://redhat.atlassian.net.
Once a valid jira issue is referenced in the title of this pull request, request a refresh with /jira refresh.

Details

In response to this:

Summary

• Bumps go.opentelemetry.io/otel, go.opentelemetry.io/otel/metric, and go.opentelemetry.io/otel/trace from v1.39.0 → v1.41.0
• Fixes CVE-2026-29181 (HIGH): multi-value baggage header extraction causes excessive allocations, enabling remote DoS amplification
• Resolves Trivy security scan failure blocking PR Fix: ServiceMonitor conflict and TLS issues #726

Test plan

• go build ./... passes
• CI Trivy scan passes with updated dependency

🤖 Generated with Claude Code

Summary by CodeRabbit

• Chores

• Updated OpenTelemetry dependencies to v1.41.0.

• Set GITHUB_TOKEN as an environment variable for a CI workflow step.

• Tests

• Relaxed two integration test assertions to allow broader error-progress message matching.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[coderabbitai]

Actionable comments posted: 3

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/smoke.yaml:
- Around line 41-45: The workflow step currently sets env: GITHUB_TOKEN for the
step that executes a remote "curl ... | bash" install (the block with env:
GITHUB_TOKEN and run piping raw.githubusercontent.com into bash), which exposes
the token to an untrusted script; remove GITHUB_TOKEN from that step (delete or
move the env entry) or replace the inline curl|bash install with a safer
approach such as using a pinned GitHub Action (e.g., actions that install
kustomize) or downloading a pinned release artifact and verifying its checksum
before moving it to /usr/local/bin to eliminate the token exposure risk.

In `@controllers/lmes/driver/driver_test.go`:
- Around line 235-236: The test uses testify assertions but must follow the
controller-test rule (Ginkgo v2 + Gomega); replace assert.Len(t, msgs, 1) and
assert.Contains(t, msgs[0], "...") with Gomega expectations (e.g., g :=
NewWithT(t); g.Expect(msgs).To(HaveLen(1)) and
g.Expect(msgs[0]).To(ContainSubstring("failed to detect available
device(s):"))), remove the testify/assert import, and apply the same
replacements for the other occurrences around the second spot (lines referenced
as 262-263).
- Around line 235-236: The test currently uses assert.Len(t, msgs, 1) before
indexing msgs[0], which is non-fatal and can lead to a panic; replace
assert.Len(t, msgs, 1) with require.Len(t, msgs, 1) (and similarly replace the
second assert.Len usage that precedes msgs[0] at the later check) so the test
fails immediately on length mismatch — ensure the require package is imported
(testing/require) if not already and update the assertions that reference msgs
to use require.Len before any indexed access.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: c7dc02ea-b49d-4b80-a5db-1c185183fc8a

📥 Commits

Reviewing files that changed from the base of the PR and between 094101e and 8efa279.

📒 Files selected for processing (2)

• .github/workflows/smoke.yaml
• controllers/lmes/driver/driver_test.go

[coderabbitai]

⚠️ Potential issue | 🟠 Major | 🏗️ Heavy lift

Controller test assertions in changed lines should follow project test framework rules

These updated assertions still use testify/assert, but this path is governed by the controller-test rule requiring Ginkgo v2 + Gomega + envtest.

As per coding guidelines, "Use Ginkgo v2 with Gomega assertions and controller-runtime envtest for all controller tests".

Also applies to: 262-263

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@controllers/lmes/driver/driver_test.go` around lines 235 - 236, The test uses
testify assertions but must follow the controller-test rule (Ginkgo v2 +
Gomega); replace assert.Len(t, msgs, 1) and assert.Contains(t, msgs[0], "...")
with Gomega expectations (e.g., g := NewWithT(t); g.Expect(msgs).To(HaveLen(1))
and g.Expect(msgs[0]).To(ContainSubstring("failed to detect available
device(s):"))), remove the testify/assert import, and apply the same
replacements for the other occurrences around the second spot (lines referenced
as 262-263).

---

⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Verify risky pattern: non-fatal assert.Len followed by indexed access.
rg -nP -C2 'assert\.Len\(t,\s*msgs,\s*1\)\s*\n\s*assert\.Contains\(t,\s*msgs\[0\],' controllers/lmes/driver/driver_test.go

Repository: trustyai-explainability/trustyai-service-operator

Length of output: 75

---

🏁 Script executed:

cat -n controllers/lmes/driver/driver_test.go | sed -n '230,270p'

Repository: trustyai-explainability/trustyai-service-operator

Length of output: 1653

---

🏁 Script executed:

head -20 controllers/lmes/driver/driver_test.go

Repository: trustyai-explainability/trustyai-service-operator

Length of output: 677

---

🏁 Script executed:

sed -n '18,50p' controllers/lmes/driver/driver_test.go

Repository: trustyai-explainability/trustyai-service-operator

Length of output: 678

---

🏁 Script executed:

# Final verification: confirm non-fatal vs fatal assertion behavior in testify
rg -A3 'assert.Len.*msgs.*1' controllers/lmes/driver/driver_test.go | head -20

Repository: trustyai-explainability/trustyai-service-operator

Length of output: 351

---

Replace non-fatal assert.Len with require.Len before indexed access

assert.Len(...) does not halt execution. If the length check fails, indexing msgs[0] on line 236 and line 263 can panic, obscuring the actual failure. Use require.Len(...) instead to fail fast and maintain test clarity.

Suggested fix

import (
	"context"
	"flag"
	"fmt"
	"math/rand"
	"os"
	"path/filepath"
	"testing"
	"time"

	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
	"github.com/trustyai-explainability/trustyai-service-operator/api/lmes/v1alpha1"
	ctrl "sigs.k8s.io/controller-runtime"
	"sigs.k8s.io/controller-runtime/pkg/log"
	"sigs.k8s.io/controller-runtime/pkg/log/zap"
)
@@
-	assert.Len(t, msgs, 1)
+	require.Len(t, msgs, 1)
 	assert.Contains(t, msgs[0], "failed to detect available device(s):")
@@
-	assert.Len(t, msgs, 1)
+	require.Len(t, msgs, 1)
 	assert.Contains(t, msgs[0], "failed to download assets from S3:")

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	assert.Len(t, msgs, 1)
	assert.Contains(t, msgs[0], "failed to detect available device(s):")
	require.Len(t, msgs, 1)
	assert.Contains(t, msgs[0], "failed to detect available device(s):")

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@controllers/lmes/driver/driver_test.go` around lines 235 - 236, The test
currently uses assert.Len(t, msgs, 1) before indexing msgs[0], which is
non-fatal and can lead to a panic; replace assert.Len(t, msgs, 1) with
require.Len(t, msgs, 1) (and similarly replace the second assert.Len usage that
precedes msgs[0] at the later check) so the test fails immediately on length
mismatch — ensure the require package is imported (testing/require) if not
already and update the assertions that reference msgs to use require.Len before
any indexed access.

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: RobGeada

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[openshift-ci]

@sheltoncyril: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/images	b7c66af	link	true	/test images
ci/prow/trustyai-service-operator-e2e	b7c66af	link	true	/test trustyai-service-operator-e2e

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.