
build(deps): bump the k8s-dependencies group across 1 directory with 4 updates #8378

Open
dependabot[bot] wants to merge 1 commit into main from dependabot/go_modules/k8s-dependencies-48cadf8bf4

@dependabot dependabot Bot commented on behalf of github Apr 29, 2026

Bumps the k8s-dependencies group with 2 updates in the / directory: k8s.io/apimachinery and k8s.io/autoscaler/vertical-pod-autoscaler.

Updates k8s.io/apimachinery from 0.35.1 to 0.36.0

Commits
  • debe1eb Update dependencies to v0.36.0 tag
  • efb7f26 Merge remote-tracking branch 'origin/master' into release-1.36
  • d966e56 Update github.com/moby/spdystream from v0.5.0 to v0.5.1
  • 79b3632 Merge pull request #137864 from yongruilin/dv-dra-mismatch
  • a8822f7 Add slice and map union member support with tests
  • 7dba2d0 Use IsZero instead of IsNil for union ratcheting check
  • d95710f Fix union validation ratcheting when oldObj is nil
  • 729062d Merge pull request #137849 from bryantbiggs/deps/update-kube-openapi
  • 13b12e6 dependencies: bump kube-openapi to drop ginkgo/gomega indirect deps
  • 27f4670 Merge pull request #136657 from Jefftree/sharding-test
  • Additional commits viewable in compare view

Updates k8s.io/autoscaler/vertical-pod-autoscaler from 1.3.0 to 1.6.0

Release notes

Sourced from k8s.io/autoscaler/vertical-pod-autoscaler's releases.

vertical-pod-autoscaler-1.6.0

Changes by Kind

API Change

  • Correctly mark the VPA UpdateMode "Auto" as deprecated, that was deprecated in VPA 1.5 (#9073, @​adrianmoisey)

Feature

  • Adds --in-place-skip-disruption-budget flag that skips disruption budget checks for in-place pod updates when all containers have NotRequired resize policy (#8987, @​omerap12)
  • Promote InPlaceOrRecreate feature to GA, defaulted to enabled (#9082, @​adrianmoisey)

Bug or Regression

  • Avoid returning error when annotation patch for InPlaceOrResize fails, that would cause Pods to get unnecessarily evicted after resize (#9115, @​adrianmoisey)
  • Optimize memory usage in VPA components by scoping informers to configured namespaces. (#9122, @​adrianmoisey)
  • Vertical-pod-autoscaler: Fix the version of the k8s.io/client-go module. (#8579, @​ialidzhikov)
  • Vpa-updater and vpa-admission-controller no longer excessively log fail to get pod controller: (...) last error node is not a valid owner (#8611, @​adrianmoisey)
  • VPA: Fix recommender race conditions for vpa Conditions and Recommendations (#8967, @​jkyros)

Other (Cleanup or Flake)

vertical-pod-autoscaler-1.5.1

What's Changed

Full Changelog: kubernetes/autoscaler@vertical-pod-autoscaler-1.5.0...vertical-pod-autoscaler-1.5.1

vertical-pod-autoscaler-1.5.0

What's Changed

... (truncated)

Commits
  • 9196162 Update VPA default version to 1.6.0
  • 9e62173 Merge pull request #9206 from walidghallab/target-size
  • 19477c7 Merge pull request #9210 from adrianmoisey/vpa-deps
  • 4de27b2 Bump VPA deps to 1.35.1
  • bd02f22 Merge pull request #9180 from adrianmoisey/adrian-skip-minreplicas
  • a060930 Update target size calculation for GCE.
  • 81327e3 Merge pull request #9198 from Choraden/ca_e2e_presubmit_conf
  • d525c8f Merge pull request #9204 from Hargeek/fix/no-provider-id-for-huaweicloud
  • d5249cb Return nil for missing provider ID instead of error
  • b474ff4 Merge pull request #9203 from kubernetes/dependabot/docker/vertical-pod-autos...
  • Additional commits viewable in compare view

Updates k8s.io/klog/v2 from 2.130.1 to 2.140.0

Release notes

Sourced from k8s.io/klog/v2's releases.

Prepare klog release for Kubernetes v1.36

What's Changed

New Contributors

Full Changelog: kubernetes/klog@v2.130.1...v2.140.0

Commits
  • ef4b370 Merge pull request #432 from pierluigilenoci/fix/stderr-threshold-issue-212
  • 39c4c76 refactor: address code review feedback from @​pohly
  • 764a9a3 Merge pull request #430 from pohly/textlogger-optional-header
  • 015c613 Update stderr_threshold_test.go
  • 2f517bd Update klog.go
  • 36bc4ff textlogger: optionally turn off header
  • 5f1f303 Merge pull request #433 from pohly/textlogger-hook-result
  • c469d41 Merge pull request #431 from pohly/ktesting-vmodule-fix
  • 8509d6a ktesting: support multi-line result from AnyToStringHook
  • 08e6e8b Fix stderrthreshold not honored when logtostderr is set
  • Additional commits viewable in compare view

Updates k8s.io/utils from 0.0.0-20260108192941-914a6e750570 to 0.0.0-20260210185600-b8788abfbbc2

Commits

Summary by CodeRabbit

  • Chores
    • Updated Go toolchain to version 1.26.0
    • Updated Kubernetes and related dependencies to latest compatible versions
    • Updated internal dependencies for enhanced compatibility and stability

@dependabot dependabot Bot added the area/ci-tooling and ok-to-test labels Apr 29, 2026
@openshift-merge-bot

Pipeline controller notification
This repo is configured to use the pipeline controller. Second-stage tests will be triggered either automatically or after lgtm label is added, depending on the repository configuration. The pipeline controller will automatically detect which contexts are required and will utilize /test Prow commands to trigger the second stage.

For optional jobs, comment /test ? to see a list of all defined jobs. To trigger manually all jobs from second stage use /pipeline required command.

This repository is configured in: LGTM mode


coderabbitai Bot commented Apr 29, 2026

📝 Walkthrough


This pull request updates Go module dependencies and the Go toolchain directive from 1.25.7 to 1.26.0. Direct dependency bumps include k8s.io/apimachinery to v0.36.0, k8s.io/autoscaler/vertical-pod-autoscaler to v1.6.0, k8s.io/klog/v2 to v2.140.0, sigs.k8s.io/structured-merge-diff/v6 to v6.3.2, and k8s.io/utils to a newer pseudo-version. Indirect dependency changes add k8s.io/streaming v0.36.0, remove github.com/mxk/go-flowrate, and update google.golang.org/protobuf and k8s.io/kube-openapi.

🚥 Pre-merge checks | ✅ 12
✅ Passed checks (12 passed)
| Check name | Status | Explanation |
| --- | --- | --- |
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title accurately describes the main change: a Kubernetes dependencies group update across the repository root with specific version bumps to four k8s modules. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Stable And Deterministic Test Names | ✅ Passed | This PR is a pure dependency update modifying only go.mod and go.sum files with no test modifications, making the Ginkgo test check not applicable. |
| Test Structure And Quality | ✅ Passed | The PR contains standard Go tests with Gomega assertions, not Ginkgo tests, making the Ginkgo-specific check criteria inapplicable. |
| Microshift Test Compatibility | ✅ Passed | PR modifies only go.mod file updating Go toolchain and dependencies; no Ginkgo e2e test code added, so MicroShift Test Compatibility check does not apply. |
| Single Node Openshift (Sno) Test Compatibility | ✅ Passed | This PR is a dependency update with no new Ginkgo e2e tests added. The custom check applies only to new test additions, making it not applicable here. |
| Topology-Aware Scheduling Compatibility | ✅ Passed | PR only modifies go.mod for dependency updates; no deployment manifests, operator code, or controllers are changed. |
| Ote Binary Stdout Contract | ✅ Passed | PR contains only dependency version updates with no process-level source code changes, preventing any stdout contract violations. |
| Ipv6 And Disconnected Network Test Compatibility | ✅ Passed | This PR only modifies go.mod and vendored Kubernetes library files with dependency updates. No new Ginkgo e2e tests are introduced. |


@openshift-ci openshift-ci Bot requested review from cblecker and muraee April 29, 2026 22:13

openshift-ci Bot commented Apr 29, 2026

Hi @dependabot[bot]. Thanks for your PR.

I'm waiting for an openshift member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work.

Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.


Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.


openshift-ci Bot commented Apr 29, 2026

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: dependabot[bot]
Once this PR has been reviewed and has the lgtm label, please assign sjenning for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment


@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@go.mod`:
- Around line 104-106: The go.mod contains mixed Kubernetes minor versions:
update the module entries for k8s.io/apimachinery and k8s.io/streaming
(currently pinned at v0.36.0) to v0.35.1 so they match the rest of the
Kubernetes modules (e.g., k8s.io/api, k8s.io/client-go, k8s.io/apiserver), then
run go mod tidy (or go get ./... followed by go mod tidy) to ensure the
dependency graph and go.sum are consistent.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: ea34366d-fa9c-453f-867d-963a32e05baf

📥 Commits

Reviewing files that changed from the base of the PR and between 15b9f13 and 7f56334.

⛔ Files ignored due to path filters (100)
  • go.sum is excluded by !**/*.sum
  • vendor/github.com/moby/spdystream/NOTICE is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/moby/spdystream/connection.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/moby/spdystream/spdy/LICENSE is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/moby/spdystream/spdy/PATENTS is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/moby/spdystream/spdy/dictionary.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/moby/spdystream/spdy/options.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/moby/spdystream/spdy/read.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/moby/spdystream/spdy/types.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/moby/spdystream/spdy/write.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/mxk/go-flowrate/flowrate/flowrate.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/mxk/go-flowrate/flowrate/io.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/mxk/go-flowrate/flowrate/util.go is excluded by !vendor/**, !**/vendor/**
  • vendor/google.golang.org/protobuf/encoding/protodelim/protodelim.go is excluded by !vendor/**, !**/vendor/**
  • vendor/google.golang.org/protobuf/encoding/protojson/decode.go is excluded by !vendor/**, !**/vendor/**
  • vendor/google.golang.org/protobuf/encoding/protojson/well_known_types.go is excluded by !vendor/**, !**/vendor/**
  • vendor/google.golang.org/protobuf/encoding/prototext/decode.go is excluded by !vendor/**, !**/vendor/**
  • vendor/google.golang.org/protobuf/internal/descfmt/stringer.go is excluded by !vendor/**, !**/vendor/**
  • vendor/google.golang.org/protobuf/internal/version/version.go is excluded by !vendor/**, !**/vendor/**
  • vendor/google.golang.org/protobuf/reflect/protodesc/desc_init.go is excluded by !vendor/**, !**/vendor/**
  • vendor/k8s.io/apimachinery/pkg/api/equality/semantic.go is excluded by !vendor/**, !**/vendor/**
  • vendor/k8s.io/apimachinery/pkg/api/resource/generated.protomessage.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**, !**/*.pb.go
  • vendor/k8s.io/apimachinery/pkg/api/validate/content/errors.go is excluded by !vendor/**, !**/vendor/**
  • vendor/k8s.io/apimachinery/pkg/api/validate/content/path.go is excluded by !vendor/**, !**/vendor/**
  • vendor/k8s.io/apimachinery/pkg/api/validate/discriminator.go is excluded by !vendor/**, !**/vendor/**
  • vendor/k8s.io/apimachinery/pkg/api/validate/limits.go is excluded by !vendor/**, !**/vendor/**
  • vendor/k8s.io/apimachinery/pkg/api/validate/strfmt.go is excluded by !vendor/**, !**/vendor/**
  • vendor/k8s.io/apimachinery/pkg/api/validate/union.go is excluded by !vendor/**, !**/vendor/**
  • vendor/k8s.io/apimachinery/pkg/api/validation/path/name.go is excluded by !vendor/**, !**/vendor/**
  • vendor/k8s.io/apimachinery/pkg/apis/meta/internalversion/conversion.go is excluded by !vendor/**, !**/vendor/**
  • vendor/k8s.io/apimachinery/pkg/apis/meta/internalversion/types.go is excluded by !vendor/**, !**/vendor/**
  • vendor/k8s.io/apimachinery/pkg/apis/meta/internalversion/zz_generated.conversion.go is excluded by !vendor/**, !**/vendor/**, !**/zz_generated*.go, !**/zz_generated*
  • vendor/k8s.io/apimachinery/pkg/apis/meta/v1/fieldsv1.go is excluded by !vendor/**, !**/vendor/**
  • vendor/k8s.io/apimachinery/pkg/apis/meta/v1/fieldsv1_byte.go is excluded by !vendor/**, !**/vendor/**
  • vendor/k8s.io/apimachinery/pkg/apis/meta/v1/fieldsv1_string.go is excluded by !vendor/**, !**/vendor/**, !**/*_string.go
  • vendor/k8s.io/apimachinery/pkg/apis/meta/v1/generated.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**, !**/*.pb.go
  • vendor/k8s.io/apimachinery/pkg/apis/meta/v1/generated.proto is excluded by !vendor/**, !**/vendor/**, !**/generated.proto
  • vendor/k8s.io/apimachinery/pkg/apis/meta/v1/generated.protomessage.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**, !**/*.pb.go
  • vendor/k8s.io/apimachinery/pkg/apis/meta/v1/helpers.go is excluded by !vendor/**, !**/vendor/**
  • vendor/k8s.io/apimachinery/pkg/apis/meta/v1/meta.go is excluded by !vendor/**, !**/vendor/**
  • vendor/k8s.io/apimachinery/pkg/apis/meta/v1/micro_time_fuzz.go is excluded by !vendor/**, !**/vendor/**
  • vendor/k8s.io/apimachinery/pkg/apis/meta/v1/time_fuzz.go is excluded by !vendor/**, !**/vendor/**
  • vendor/k8s.io/apimachinery/pkg/apis/meta/v1/types.go is excluded by !vendor/**, !**/vendor/**
  • vendor/k8s.io/apimachinery/pkg/apis/meta/v1/types_swagger_doc_generated.go is excluded by !vendor/**, !**/vendor/**, !**/types_swagger_doc_generated.go
  • vendor/k8s.io/apimachinery/pkg/apis/meta/v1/zz_generated.conversion.go is excluded by !vendor/**, !**/vendor/**, !**/zz_generated*.go, !**/zz_generated*
  • vendor/k8s.io/apimachinery/pkg/apis/meta/v1/zz_generated.deepcopy.go is excluded by !vendor/**, !**/vendor/**, !**/zz_generated*.go, !**/zz_generated*
  • vendor/k8s.io/apimachinery/pkg/apis/meta/v1/zz_generated.model_name.go is excluded by !vendor/**, !**/vendor/**, !**/zz_generated*.go, !**/zz_generated*
  • vendor/k8s.io/apimachinery/pkg/apis/meta/v1beta1/generated.protomessage.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**, !**/*.pb.go
  • vendor/k8s.io/apimachinery/pkg/runtime/serializer/cbor/internal/modes/decode.go is excluded by !vendor/**, !**/vendor/**
  • vendor/k8s.io/apimachinery/pkg/runtime/serializer/cbor/raw.go is excluded by !vendor/**, !**/vendor/**
  • vendor/k8s.io/apimachinery/pkg/util/diff/diff.go is excluded by !vendor/**, !**/vendor/**
  • vendor/k8s.io/apimachinery/pkg/util/diff/legacy_diff.go is excluded by !vendor/**, !**/vendor/**
  • vendor/k8s.io/apimachinery/pkg/util/dump/dump.go is excluded by !vendor/**, !**/vendor/**
  • vendor/k8s.io/apimachinery/pkg/util/httpstream/doc.go is excluded by !vendor/**, !**/vendor/**
  • vendor/k8s.io/apimachinery/pkg/util/httpstream/spdy/doc.go is excluded by !vendor/**, !**/vendor/**
  • vendor/k8s.io/apimachinery/pkg/util/httpstream/spdy/spdy.go is excluded by !vendor/**, !**/vendor/**
  • vendor/k8s.io/apimachinery/pkg/util/httpstream/wsstream/doc.go is excluded by !vendor/**, !**/vendor/**
  • vendor/k8s.io/apimachinery/pkg/util/httpstream/wsstream/wsstream.go is excluded by !vendor/**, !**/vendor/**
  • vendor/k8s.io/apimachinery/pkg/util/intstr/generated.protomessage.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**, !**/*.pb.go
  • vendor/k8s.io/apimachinery/pkg/util/intstr/instr_fuzz.go is excluded by !vendor/**, !**/vendor/**
  • vendor/k8s.io/apimachinery/pkg/util/managedfields/extract.go is excluded by !vendor/**, !**/vendor/**
  • vendor/k8s.io/apimachinery/pkg/util/managedfields/internal/fields.go is excluded by !vendor/**, !**/vendor/**
  • vendor/k8s.io/apimachinery/pkg/util/mergepatch/util.go is excluded by !vendor/**, !**/vendor/**
  • vendor/k8s.io/apimachinery/pkg/util/net/http.go is excluded by !vendor/**, !**/vendor/**
  • vendor/k8s.io/apimachinery/pkg/util/net/interface.go is excluded by !vendor/**, !**/vendor/**
  • vendor/k8s.io/apimachinery/pkg/util/proxy/dial.go is excluded by !vendor/**, !**/vendor/**
  • vendor/k8s.io/apimachinery/pkg/util/proxy/transport.go is excluded by !vendor/**, !**/vendor/**
  • vendor/k8s.io/apimachinery/pkg/util/proxy/upgradeaware.go is excluded by !vendor/**, !**/vendor/**
  • vendor/k8s.io/apimachinery/pkg/util/runtime/runtime.go is excluded by !vendor/**, !**/vendor/**
  • vendor/k8s.io/apimachinery/pkg/util/strategicpatch/patch.go is excluded by !vendor/**, !**/vendor/**
  • vendor/k8s.io/apimachinery/pkg/util/validation/field/error_matcher.go is excluded by !vendor/**, !**/vendor/**
  • vendor/k8s.io/apimachinery/pkg/util/validation/field/errors.go is excluded by !vendor/**, !**/vendor/**
  • vendor/k8s.io/apimachinery/pkg/util/validation/ip.go is excluded by !vendor/**, !**/vendor/**
  • vendor/k8s.io/apimachinery/third_party/forked/golang/netutil/addr.go is excluded by !vendor/**, !**/vendor/**
  • vendor/k8s.io/apimachinery/third_party/forked/golang/reflect/deep_equal.go is excluded by !vendor/**, !**/vendor/**
  • vendor/k8s.io/autoscaler/vertical-pod-autoscaler/pkg/apis/autoscaling.k8s.io/v1/helpers.go is excluded by !vendor/**, !**/vendor/**
  • vendor/k8s.io/autoscaler/vertical-pod-autoscaler/pkg/apis/autoscaling.k8s.io/v1/types.go is excluded by !vendor/**, !**/vendor/**
  • vendor/k8s.io/autoscaler/vertical-pod-autoscaler/pkg/apis/autoscaling.k8s.io/v1/zz_generated.deepcopy.go is excluded by !vendor/**, !**/vendor/**, !**/zz_generated*.go, !**/zz_generated*
  • vendor/k8s.io/klog/v2/README.md is excluded by !vendor/**, !**/vendor/**
  • vendor/k8s.io/klog/v2/internal/serialize/keyvalues.go is excluded by !vendor/**, !**/vendor/**
  • vendor/k8s.io/klog/v2/internal/serialize/keyvalues_no_slog.go is excluded by !vendor/**, !**/vendor/**
  • vendor/k8s.io/klog/v2/internal/serialize/keyvalues_slog.go is excluded by !vendor/**, !**/vendor/**
  • vendor/k8s.io/klog/v2/klog.go is excluded by !vendor/**, !**/vendor/**
  • vendor/k8s.io/klog/v2/klogr.go is excluded by !vendor/**, !**/vendor/**
  • vendor/k8s.io/klog/v2/klogr_slog.go is excluded by !vendor/**, !**/vendor/**
  • vendor/k8s.io/klog/v2/textlogger/options.go is excluded by !vendor/**, !**/vendor/**
  • vendor/k8s.io/klog/v2/textlogger/textlogger.go is excluded by !vendor/**, !**/vendor/**
  • vendor/k8s.io/streaming/LICENSE is excluded by !vendor/**, !**/vendor/**
  • vendor/k8s.io/streaming/pkg/httpstream/doc.go is excluded by !vendor/**, !**/vendor/**
  • vendor/k8s.io/streaming/pkg/httpstream/httpstream.go is excluded by !vendor/**, !**/vendor/**
  • vendor/k8s.io/streaming/pkg/httpstream/spdy/connection.go is excluded by !vendor/**, !**/vendor/**
  • vendor/k8s.io/streaming/pkg/httpstream/spdy/roundtripper.go is excluded by !vendor/**, !**/vendor/**
  • vendor/k8s.io/streaming/pkg/httpstream/spdy/upgrade.go is excluded by !vendor/**, !**/vendor/**
  • vendor/k8s.io/streaming/pkg/httpstream/wsstream/conn.go is excluded by !vendor/**, !**/vendor/**
  • vendor/k8s.io/streaming/pkg/httpstream/wsstream/doc.go is excluded by !vendor/**, !**/vendor/**
  • vendor/k8s.io/streaming/pkg/httpstream/wsstream/stream.go is excluded by !vendor/**, !**/vendor/**
  • vendor/k8s.io/streaming/pkg/runtime/runtime.go is excluded by !vendor/**, !**/vendor/**
  • vendor/k8s.io/utils/dump/dump.go is excluded by !vendor/**, !**/vendor/**
  • vendor/modules.txt is excluded by !vendor/**, !**/vendor/**
  • vendor/sigs.k8s.io/structured-merge-diff/v6/value/reflectcache.go is excluded by !vendor/**, !**/vendor/**
📒 Files selected for processing (1)
  • go.mod

Comment thread go.mod
Comment on lines +104 to +106
k8s.io/apimachinery v0.36.0
k8s.io/apiserver v0.35.1
k8s.io/autoscaler/vertical-pod-autoscaler v1.3.0
k8s.io/autoscaler/vertical-pod-autoscaler v1.6.0
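Review bot: The k8s.io/autoscaler/vertical-pod-autoscaler line jumps from v1.3.0 to v1.6.0 in a single step, and the release notes quoted in this PR list API-facing changes in that range: UpdateMode "Auto" is marked deprecated, and InPlaceOrRecreate is promoted to GA and enabled by default. The vendored autoscaling.k8s.io/v1 helpers.go, types.go and zz_generated.deepcopy.go all change with this bump, so before merging, search the repository's own code for uses of those types and confirm nothing depends on the UpdateMode "Auto" behaviour or on InPlaceOrRecreate being off.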

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

# Print all k8s.io module versions from require blocks
awk '
  $1=="require" && $2=="(" {inreq=1; next}
  inreq && $1==")" {inreq=0; next}
  inreq && $1 ~ /^k8s\.io\// {print NR ": " $1 " " $2}
' go.mod

Repository: openshift/hypershift

Length of output: 849


🏁 Script executed:

sed -n '128,130p' go.mod

Repository: openshift/hypershift

Length of output: 179


Avoid mixed Kubernetes minor versions in this dependency set.

k8s.io/apimachinery at line 104 and k8s.io/streaming at line 305 are pinned to 0.36.0, while most core Kubernetes peers in the same file remain at 0.35.1 (including k8s.io/api, k8s.io/client-go, and k8s.io/apiserver). This minor-version skew is a common source of compile/runtime incompatibilities in Kubernetes stacks. Align these two modules to 0.35.1 to match the rest of the dependency set.

Suggested fix
-	k8s.io/apimachinery v0.36.0
+	k8s.io/apimachinery v0.35.1
...
-	k8s.io/streaming v0.36.0 // indirect
+	k8s.io/streaming v0.35.1 // indirect
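Review bot: The second change, setting k8s.io/streaming to v0.35.1, hand-edits a line marked "// indirect", and the walkthrough on this page says k8s.io/streaming v0.36.0 was newly added by this bump, so nothing visible here shows that a v0.35.1 of that module exists or that the module is still needed once apimachinery returns to v0.35.1. Suggest changing only the direct k8s.io/apimachinery requirement, letting go mod tidy recompute the indirect entries, and regenerating vendor/ (vendor/modules.txt is among the changed files) instead of editing both lines by hand.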
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@go.mod` around lines 104 - 106, The go.mod contains mixed Kubernetes minor
versions: update the module entries for k8s.io/apimachinery and k8s.io/streaming
(currently pinned at v0.36.0) to v0.35.1 so they match the rest of the
Kubernetes modules (e.g., k8s.io/api, k8s.io/client-go, k8s.io/apiserver), then
run go mod tidy (or go get ./... followed by go mod tidy) to ensure the
dependency graph and go.sum are consistent.

@cblecker

/uncc

@openshift-ci openshift-ci Bot removed the request for review from cblecker April 30, 2026 16:06
…4 updates

Bumps the k8s-dependencies group with 2 updates in the / directory: [k8s.io/apimachinery](https://github.com/kubernetes/apimachinery) and [k8s.io/autoscaler/vertical-pod-autoscaler](https://github.com/kubernetes/autoscaler).


Updates `k8s.io/apimachinery` from 0.35.1 to 0.36.0
- [Commits](kubernetes/apimachinery@v0.35.1...v0.36.0)

Updates `k8s.io/autoscaler/vertical-pod-autoscaler` from 1.3.0 to 1.6.0
- [Release notes](https://github.com/kubernetes/autoscaler/releases)
- [Commits](kubernetes/autoscaler@cluster-autoscaler-1.3.0...vertical-pod-autoscaler-1.6.0)

Updates `k8s.io/klog/v2` from 2.130.1 to 2.140.0
- [Release notes](https://github.com/kubernetes/klog/releases)
- [Changelog](https://github.com/kubernetes/klog/blob/main/RELEASE.md)
- [Commits](kubernetes/klog@v2.130.1...2.140.0)

Updates `k8s.io/utils` from 0.0.0-20260108192941-914a6e750570 to 0.0.0-20260210185600-b8788abfbbc2
- [Commits](https://github.com/kubernetes/utils/commits)

---
updated-dependencies:
- dependency-name: k8s.io/apimachinery
  dependency-version: 0.36.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: k8s-dependencies
- dependency-name: k8s.io/autoscaler/vertical-pod-autoscaler
  dependency-version: 1.6.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: k8s-dependencies
- dependency-name: k8s.io/klog/v2
  dependency-version: 2.140.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: k8s-dependencies
- dependency-name: k8s.io/utils
  dependency-version: 0.0.0-20260210185600-b8788abfbbc2
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: k8s-dependencies
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot force-pushed the dependabot/go_modules/k8s-dependencies-48cadf8bf4 branch from 7f56334 to 81e0fae Compare May 1, 2026 01:11

@coderabbitai coderabbitai Bot left a comment


♻️ Duplicate comments (1)
go.mod (1)

104-106: ⚠️ Potential issue | 🔴 Critical

Kubernetes version skew remains unresolved.

The version skew issue previously identified has not been addressed. k8s.io/apimachinery (line 104) and k8s.io/streaming (line 305) are at v0.36.0, while other core Kubernetes modules like k8s.io/api, k8s.io/client-go, and k8s.io/apiserver remain at v0.35.1. This minor-version mismatch can cause compatibility issues in the Kubernetes dependency stack.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@go.mod` around lines 104 - 106, The go.mod contains a Kubernetes
minor-version skew: k8s.io/apimachinery and k8s.io/streaming are at v0.36.0
while k8s.io/api, k8s.io/client-go and k8s.io/apiserver remain at v0.35.1; fix
by aligning all core k8s modules to the same minor version (choose v0.36.0 or
v0.35.1) — update the versions for k8s.io/api, k8s.io/client-go,
k8s.io/apiserver (or downgrade apimachinery/streaming) so all share the same
minor, then refresh modules (tidy) and run build/tests to verify compatibility.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Duplicate comments:
In `@go.mod`:
- Around line 104-106: The go.mod contains a Kubernetes minor-version skew:
k8s.io/apimachinery and k8s.io/streaming are at v0.36.0 while k8s.io/api,
k8s.io/client-go and k8s.io/apiserver remain at v0.35.1; fix by aligning all
core k8s modules to the same minor version (choose v0.36.0 or v0.35.1) — update
the versions for k8s.io/api, k8s.io/client-go, k8s.io/apiserver (or downgrade
apimachinery/streaming) so all share the same minor, then refresh modules (tidy)
and run build/tests to verify compatibility.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 760ba0b1-ffdc-425a-a9c9-1332c0fc5320

📥 Commits

Reviewing files that changed from the base of the PR and between 7f56334 and 81e0fae.

⛔ Files ignored due to path filters (1)
  • go.sum is excluded by !**/*.sum
📒 Files selected for processing (1)
  • go.mod


openshift-ci Bot commented May 1, 2026

@dependabot[bot]: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

| Test name | Commit | Details | Required | Rerun command |
| --- | --- | --- | --- | --- |
| ci/prow/images | 81e0fae | link | true | /test images |
| ci/prow/okd-scos-images | 81e0fae | link | true | /test okd-scos-images |
| ci/prow/verify-deps | 81e0fae | link | true | /test verify-deps |

Full PR test history. Your PR dashboard.


@hypershift-jira-solve-ci

I now have complete information on all failures. Let me compile the final report.

Test Failure Analysis Complete

Job Information

| Job | Platform | Error |
| --- | --- | --- |
| verify-deps | Prow | go.mod requires go >= 1.26.0 (running go 1.25.8) |
| images | Prow | go.mod requires go >= 1.26.0 (running go 1.25.8) |
| okd-scos-images | Prow | go.mod requires go >= 1.26.0 (running go 1.25.8) |
| hypershift-operator-main-on-pull-request | Konflux | Go 1.26 not available in builder |
| hypershift-release-mce-50-on-pull-request | Konflux | Go 1.26 not available in builder |
| hypershift-cli-mce-50-on-pull-request | Konflux | Go 1.26 not available in builder |
| lint / Lint | GitHub Actions | mockgen built with go1.25 cannot load go1.26 packages |
| verify / Verify | GitHub Actions | mockgen built with go1.25 cannot load go1.26 packages |
| gitlint / Gitlint | GitHub Actions | Commit message line exceeds 140 chars (224>140) |

Test Failure Analysis

Error

go: go.mod requires go >= 1.26.0 (running go 1.25.8; GOTOOLCHAIN=local)

Summary

All 9 failures stem from a single root cause: Dependabot bumped k8s.io/apimachinery from v0.35.1 to v0.36.0, which requires Go 1.26 as its minimum version. This forced the project's go.mod directive from go 1.25.7 to go 1.26.0. However, the entire CI infrastructure — Prow builder images (rhel-9-release-golang-1.25-openshift-4.23), Konflux pipelines, and GitHub Actions tooling (mockgen compiled against Go 1.25) — only provides Go 1.25.8. With GOTOOLCHAIN=local set, Go refuses to auto-download a newer toolchain, causing all build, verify, lint, and image jobs to fail. The gitlint failure is a secondary issue caused by Dependabot's auto-generated commit message exceeding the 140-character line length limit.

Root Cause

The root cause is a Go toolchain version incompatibility introduced by the dependency bump.

Dependency chain:

  1. Dependabot PR build(deps): bump the k8s-dependencies group across 1 directory with 4 updates #8378 bumps 4 packages in the k8s-dependencies group
  2. k8s.io/apimachinery v0.36.0 declares go 1.26 in its own go.mod
  3. Go module resolution takes the maximum go directive across all dependencies, forcing go.mod from go 1.25.7 → go 1.26.0
  4. All CI builder images ship Go 1.25.8 with GOTOOLCHAIN=local, which prevents auto-downloading Go 1.26

Three distinct failure modes, one root cause:

| Failure Mode | Affected Jobs | Mechanism |
| --- | --- | --- |
| go build / go mod tidy refuses to run | Prow (verify-deps, images, okd-scos-images), Konflux (all 3) | Go 1.25.8 sees go 1.26.0 in go.mod and exits immediately |
| mockgen source processing fails | GitHub Actions (lint, verify) | mockgen was compiled with Go 1.25 source-processing packages; cannot parse packages declaring go 1.26 |
| Commit message too long | GitHub Actions (gitlint) | Dependabot's auto-generated body line is 224 chars, exceeding the 140-char B1 rule |

This PR cannot merge until the CI infrastructure is updated to Go 1.26+, or the dependency bump is constrained to a version that does not require Go 1.26.

Recommendations
  1. Do not merge this PR as-is. The k8s.io/apimachinery v0.36.0 dependency requires Go 1.26, which is not yet available in any CI builder image (Prow, Konflux, or GitHub Actions tooling).

  2. Option A — Wait for Go 1.26 CI infrastructure: Coordinate with the OpenShift CI/build-cop team to update the builder images (rhel-9-release-golang-1.25-openshift-4.23 → a Go 1.26 variant) before retrying this bump. Update Konflux pipeline builder images and rebuild hack/tools/bin/mockgen against Go 1.26.

  3. Option B — Constrain the bump: Pin k8s.io/apimachinery to v0.35.x (the latest version that still supports Go 1.25) and accept the other 3 dependency updates. This allows the non-breaking bumps to land now while deferring the apimachinery bump until CI is ready.

  4. Fix gitlint separately: If proceeding, amend the commit message to wrap the long Dependabot-generated line to under 140 characters, or configure a gitlint exception for dependabot commits.

  5. Rebuild mockgen: When Go 1.26 builder images are available, rebuild hack/tools/bin/mockgen so it is compiled against Go 1.26's source-processing packages.

Evidence
| Evidence | Detail |
| --- | --- |
| go.mod change | go 1.25.7 → go 1.26.0 |
| Triggering dependency | k8s.io/apimachinery v0.35.1 → v0.36.0 (requires Go 1.26) |
| Prow builder image | rhel-9-release-golang-1.25-openshift-4.23 (Go 1.25.8) |
| GOTOOLCHAIN setting | GOTOOLCHAIN=local (prevents auto-download of newer Go) |
| Prow error (all 3 jobs) | go: go.mod requires go >= 1.26.0 (running go 1.25.8; GOTOOLCHAIN=local) |
| Lint/Verify error | package requires newer Go version go1.26 (application built with go1.25) — mockgen fails |
| mockgen path | hack/tools/bin/mockgen compiled with Go 1.25 source-processing packages |
| Gitlint error | B1 Line exceeds max length (224>140) on Dependabot commit body |
| Other bumped deps | k8s.io/klog/v2 v2.130.1→v2.140.0, k8s.io/utils 20260108→20260210, k8s.io/autoscaler/vertical-pod-autoscaler v1.3.0→v1.6.0 |
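
The two conditions this thread converges on, a go directive newer than the builder's toolchain and a minor-version skew among the k8s.io staging modules, can be checked before CI runs. The following is an added example, not code from this repository or from any bot in the thread; the go.mod excerpt is constructed from the versions quoted above, the module path and function names are hypothetical, and treating `v0.<minor>.<patch>` modules under k8s.io/ as the staging set is an assumption.

```go
package main

import (
	"fmt"
	"sort"
	"strconv"
	"strings"
)

// Constructed go.mod excerpt: placeholder module path, versions as quoted in the thread.
const sampleGoMod = `module example.test/operator
go 1.26.0
require (
	k8s.io/api v0.35.1
	k8s.io/apimachinery v0.36.0
	k8s.io/apiserver v0.35.1
	k8s.io/autoscaler/vertical-pod-autoscaler v1.6.0
	k8s.io/client-go v0.35.1
	k8s.io/klog/v2 v2.140.0
	k8s.io/utils v0.0.0-20260210185600-b8788abfbbc2
)
require k8s.io/streaming v0.36.0 // indirect
`

// parseGoMod returns the go directive and every required module version.
func parseGoMod(text string) (directive string, reqs map[string]string) {
	reqs = map[string]string{}
	inRequire := false
	for _, line := range strings.Split(text, "\n") {
		line, _, _ = strings.Cut(line, "//") // drop comments such as "// indirect"
		f := strings.Fields(line)
		switch {
		case len(f) == 0:
		case inRequire && f[0] == ")":
			inRequire = false
		case inRequire && len(f) >= 2:
			reqs[f[0]] = f[1]
		case f[0] == "go" && len(f) == 2:
			directive = f[1]
		case f[0] == "require" && len(f) == 2 && f[1] == "(":
			inRequire = true
		case f[0] == "require" && len(f) >= 3:
			reqs[f[1]] = f[2]
		}
	}
	return directive, reqs
}

// numeric parses "1.26.0", "v0.36.0" or "go1.25.8"; pseudo-versions and pre-releases fail.
func numeric(v string) (out [3]int, ok bool) {
	parts := strings.Split(strings.TrimPrefix(strings.TrimPrefix(v, "go"), "v"), ".")
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil || i > 2 {
			return out, false
		}
		out[i] = n
	}
	return out, true
}

// toolchainTooOld reports whether the go directive exceeds a builder pinned by GOTOOLCHAIN=local.
func toolchainTooOld(directive, toolchain string) (bool, error) {
	d, okD := numeric(directive)
	t, okT := numeric(toolchain)
	if !okD || !okT {
		return false, fmt.Errorf("unsupported version %q or %q", directive, toolchain)
	}
	for i := range d {
		if d[i] != t[i] {
			return d[i] > t[i], nil
		}
	}
	return false, nil
}

// stagingMinors groups k8s.io modules versioned v0.<minor>.<patch> by minor (assumed to be
// the staging set); VPA, klog and the pseudo-versioned k8s.io/utils are skipped.
func stagingMinors(reqs map[string]string) map[int][]string {
	groups := map[int][]string{}
	for mod, ver := range reqs {
		n, ok := numeric(ver)
		if ok && strings.HasPrefix(mod, "k8s.io/") && n[0] == 0 && n[1] > 0 {
			groups[n[1]] = append(groups[n[1]], mod)
		}
	}
	for _, mods := range groups {
		sort.Strings(mods)
	}
	return groups
}

func main() {
	directive, reqs := parseGoMod(sampleGoMod)
	tooOld, err := toolchainTooOld(directive, "go1.25.8") // builder version from the thread
	fmt.Println("go directive", directive, "refused by go1.25.8 builder:", tooOld, err)
	groups := stagingMinors(reqs)
	fmt.Println("staging modules by minor:", groups, "skew:", len(groups) > 1)
}
```

More than one key in the map returned by `stagingMinors` is the skew CodeRabbit flagged; a `true` from `toolchainTooOld` corresponds to the "go.mod requires go >= 1.26.0" failure reported by the Prow jobs.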
