Bump github.com/onsi/ginkgo/v2 from 2.22.2 to 2.29.0

[dependabot]

Bumps github.com/onsi/ginkgo/v2 from 2.22.2 to 2.29.0.

Release notes

Sourced from github.com/onsi/ginkgo/v2's releases.

v2.29.0

2.29.0

GinkgoHelperGo makes it easier to write test helpers that need to run in goroutines. Specifically, it makes managing the failure state and capturing failure panics correctly straightforward.

ginkgo outline now includes entries defined in DescribeTableSubtree

v2.28.3

2.28.3

Maintenance

Bump all dependencies

v2.28.2

2.28.2

• Add ArtifactDir() to support Go 1.26 testing.TB interface [f3a36b6]
• Implement shell completion [94151c8]
• Add asan CLI option mirroring msan implementation [4d21dbb]
• Bump uri from 1.0.3 to 1.0.4 in /docs (#1630) [c102161]
• fix aspect ratio [9619647]
• update logos [5779304]

v2.28.1

2.28.1

Update all dependencies. This auto-updated the required version of Go to 1.24, consistent with the fact that Go 1.23 has been out of support for almost six months.

v2.28.0

2.28.0

Ginkgo's SemVer filter now supports filtering multiple components by SemVer version:

It("should work in a specific version range (1.0.0, 2.0.0) and third-party dependency redis in [8.0.0, ~)", SemVerConstraint(">= 3.2.0"), ComponentSemVerConstraint("redis", ">= 8.0.0") func() {
    // This test will only run when version is between 1.0.0 (exclusive) and 2.0.0 (exclusive) and redis version is >= 8.0.0
})

can be filtered in or out with an invocation like:

ginkgo --sem-ver-filter="2.1.1, redis=8.2.0"

Huge thanks to @​Icarus9913 for working on this!

v2.27.5

2.27.5

... (truncated)

Changelog

Sourced from github.com/onsi/ginkgo/v2's changelog.

2.29.0

GinkgoHelperGo makes it easier to write test helpers that need to run in goroutines. Specifically, it makes managing the failure state and capturing failure panics correctly straightforward.

ginkgo outline now includes entries defined in DescribeTableSubtree

2.28.3

Maintenance

Bump all dependencies

2.28.2

• Add ArtifactDir() to support Go 1.26 testing.TB interface [f3a36b6]
• Implement shell completion [94151c8]
• Add asan CLI option mirroring msan implementation [4d21dbb]
• Bump uri from 1.0.3 to 1.0.4 in /docs (#1630) [c102161]
• fix aspect ratio [9619647]
• update logos [5779304]

2.28.1

Update all dependencies. This auto-updated the required version of Go to 1.24, consistent with the fact that Go 1.23 has been out of support for almost six months.

2.28.0

Ginkgo's SemVer filter now supports filtering multiple components by SemVer version:

It("should work in a specific version range (1.0.0, 2.0.0) and third-party dependency redis in [8.0.0, ~)", SemVerConstraint(">= 3.2.0"), ComponentSemVerConstraint("redis", ">= 8.0.0") func() {
    // This test will only run when version is between 1.0.0 (exclusive) and 2.0.0 (exclusive) and redis version is >= 8.0.0
})

can be filtered in or out with an invocation like:

ginkgo --sem-ver-filter="2.1.1, redis=8.2.0"

Huge thanks to @​Icarus9913 for working on this!

2.27.5

Fixes

Don't make a new formatter for each GinkgoT(); that's just silly and uses precious memory

2.27.4

Fixes

... (truncated)

Commits

• 04b5bcb v2.29.0
• 124232a docs: GinkgoHelperGo
• ad9cee8 feat: GinkgoHelperGo, with integration tests
• 9e56a0a chore: refactor devcontainer for better maintenance
• 3d235a9 chore: ignore internal/tmp_*/ integration suite temporary dirs
• 782666a feat: devcontainer configuration with local pkgsite and GH pages
• 009dd04 Support DescribeTableSubtree in ginkgo outline
• 5de9c15 v2.28.3
• 7e2fa19 bump dependencies
• 1a81912 v2.28.2
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

[coderabbitai]

Summary by CodeRabbit

Chores

• Updated Go toolchain to version 1.25.0
• Updated project dependencies to latest compatible versions for improved stability and compatibility

Walkthrough

This PR updates the project's Go module dependencies and toolchain version. The Go runtime is upgraded to 1.25.0, Ginkgo and Gomega test frameworks are bumped to newer minor versions, and a range of indirect dependencies (Google libraries, stdlib modules, and protocol packages) are updated to their latest compatible versions.

Changes

Dependency Update

Layer / File(s)	Summary
Go toolchain and test framework updates go.mod	Go toolchain upgraded from 1.24 to 1.25.0. Direct test dependencies Ginkgo/v2 and Gomega bumped to v2.29.0 and v1.40.0 respectively.
Indirect dependencies updates go.mod	Masterminds/semver/v3 added as new indirect dependency. Indirect dependencies updated: go-logr/logr (patch bump), google packages (go-cmp, pprof), stdlib extension modules (golang.org/x/net, x/sync, x/sys, x/term, x/text, x/tools, x/mod), go.yaml.in/yaml/v3, and google.golang.org/protobuf.

---

🎯 1 (Trivial) | ⏱️ ~3 minutes

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title accurately summarizes the main change: bumping a specific dependency from one version to another, which is the primary purpose of this PR.
Description check	✅ Passed	The description is related to the changeset, providing release notes, changelog details, and commit information for the ginkgo/v2 dependency bump from 2.22.2 to 2.29.0.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch dependabot/go_modules/github.com/onsi/ginkgo/v2-2.29.0

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: dependabot[bot]
Once this PR has been reviewed and has the lgtm label, please assign dustman9000 for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[openshift-ci]

Hi @dependabot[bot]. Thanks for your PR.

I'm waiting for a openshift-online member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work.

Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[coderabbitai]

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@go.mod`:
- Line 75: go.mod currently pulls golang.org/x/oauth2 v0.23.0 (indirect) which
has HIGH severity vulnerabilities; update the indirect dependency by bumping the
consumer module github.com/openshift-online/ocm-sdk-go to a release that
requires oauth2 v0.27.0 or later (or add an explicit require for
golang.org/x/oauth2 v0.27.0+ in go.mod if an ocm-sdk-go upgrade isn’t available
yet), then run go mod tidy and verify the resolved version (e.g., with go list
-m all) to ensure oauth2 is at v0.27.0 or newer and update go.sum accordingly.
- Around line 9-10: The ginkgo/gomega version bumps can break callback
signatures and dependency resolution: update code that assigns or references
Ginkgo callback functions (e.g., BeforeSuite, AfterSuite and other decorators)
to use the new variadic type args...any instead of args...interface{} and audit
places where callbacks are stored in custom variables or passed as typed
function values to adapt their signatures accordingly; also review go.mod for
ginkgo being pulled as an indirect dependency due to Gomega v1.40.0’s release
strategy and remove or tidy unnecessary indirect entries so the module graph
only contains the intended test deps (ensure ginkgo v2 is explicitly required
where used and run go mod tidy to refresh indirects).

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Enterprise

Run ID: 156fd667-0b37-41f6-8d01-57d9132a6f75

📥 Commits

Reviewing files that changed from the base of the PR and between 6275161 and c7ac62b.

⛔ Files ignored due to path filters (1)

• go.sum is excluded by !**/*.sum

📒 Files selected for processing (1)

• go.mod

[coderabbitai]

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🌐 Web query:

What are the breaking changes in Ginkgo v2.29.0 compared to v2.22.2?

💡 Result:

Breaking changes from Ginkgo v2.22.2 to v2.29.0: 1) BeforeSuite/AfterSuite/SynchronizedBeforeSuite/SynchronizedAfterSuite/ReportAfterSuite callback method signature changed (args...interface{} -> args...any) when those decorators are used. - The changelog notes that the signature of these methods now includes a trailing args...any, and warns that if you were assigning one of these functions to a custom variable (or passing it around), you may need to change your code; for most users using the DSL this is transparent. [1] - This is an API-breaking change for code that directly references/passes these function values with the old interface{}-typed variadic parameter. [1] 2) Version/generator command output formatting change: “summarizes any spec failures at the end of the test run” command-line summary text wrapped onto a new line. - The changelog diff indicates a text formatting change in the Ginkgo summary output (“summarizes any spec failures that occurred at the end of the test run” becomes “summarizes any spec failures that occurred at end of the test run.”). This is typically not a compile-time breaking change, but it can break snapshot tests or consumers parsing exact CLI output strings. [1] What I could not confirm from authoritative sources in the time available: - No other explicit “breaking change” items between v2.22.2 and v2.29.0 are clearly labeled as such in the sources retrieved; most other changes in the interval appear to be new features/fixes/dependency bumps rather than hard API breaks. [2][3][4] If you want, I can also produce a “code migration checklist” specifically for likely affected integration points (custom callback assignments, CLI output parsing, etc.).

Citations:

• 1: onsi/ginkgo@v2.22.0...v2.28.0
• 2: https://github.com/onsi/ginkgo/releases
• 3: https://pkg.go.dev/github.com/onsi/ginkgo/v2
• 4: https://github.com/onsi/ginkgo/blob/master/CHANGELOG.md

---

🌐 Web query:

What are the breaking changes in Gomega v1.40.0 compared to v1.36.2?

💡 Result:

The main breaking change between Gomega v1.36.2 and v1.40.0 is a change in the project’s release/process that affects go module dependencies (and therefore how your go.mod may resolve dependencies). 1) New release strategy that strips Gomega tests and uses a “master-lite” branch - Starting with v1.40.0, Gomega releases are built by stripping out all tests, tidying go.mod, and publishing the stripped-down version to a new master-lite branch; these versions get the vx.y.z git tag and are what the Go toolchain picks up.[1] - Rationale/impact described by Gomega: because of limitations in the go mod toolchain, “test subdependencies of your project’s direct dependencies get pulled in as indirect dependencies.” In the case of Gomega, this previously resulted in all of Ginkgo being pulled into your go.mod even if you only used Gomega (Gomega uses Ginkgo for its own tests).[1] - Gomega explicitly notes you should open an issue if this new release process causes unexpected changes for your projects.[1] 2) Go.mod dependency changes vs what you may have been getting previously - While v1.36.2 itself is characterized as maintenance-only (e.g., dependency bumps) in its changelog section, the key “breaking” behavioral contract change for consumers is the dependency-set change caused by the new stripped/test-less release strategy in v1.40.0.[1] What to check in your project when upgrading to 1.40.0 - Compare your resolved dependencies (e.g., what’s now required in go.mod/go.sum) before and after upgrading; specifically, verify whether Ginkgo is no longer pulled in as an indirect dependency purely due to Gomega’s own tests, per the v1.40.0 release note rationale.[1]

Citations:

• 1: https://github.com/onsi/gomega/releases

---

Review Ginkgo and Gomega breaking changes before updating.

Ginkgo v2.29.0 contains a callback signature change: BeforeSuite, AfterSuite, and related decorators now use args...any instead of args...interface{}. This breaks code that directly references or assigns these callback functions to custom variables. Audit your codebase for such assignments.

Gomega v1.40.0 introduces a new release strategy that strips tests from releases, which changes how dependencies are resolved in go.mod. Verify that Ginkgo is no longer unnecessarily pulled in as an indirect dependency and that your go.mod reflects the expected dependency structure.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@go.mod` around lines 9 - 10, The ginkgo/gomega version bumps can break
callback signatures and dependency resolution: update code that assigns or
references Ginkgo callback functions (e.g., BeforeSuite, AfterSuite and other
decorators) to use the new variadic type args...any instead of
args...interface{} and audit places where callbacks are stored in custom
variables or passed as typed function values to adapt their signatures
accordingly; also review go.mod for ginkgo being pulled as an indirect
dependency due to Gomega v1.40.0’s release strategy and remove or tidy
unnecessary indirect entries so the module graph only contains the intended test
deps (ensure ginkgo v2 is explicitly required where used and run go mod tidy to
refresh indirects).

[coderabbitai]

⚠️ Potential issue | 🟠 Major | 🏗️ Heavy lift

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Description: Check dependency chain and available updates for oauth2

echo "=== Dependency chain for oauth2 ==="
go mod why golang.org/x/oauth2

echo -e "\n=== Check for available updates ==="
go list -m -u golang.org/x/oauth2

Repository: openshift-online/rosa-e2e

Length of output: 1582

---

🌐 Web query:

What is the patched version for golang.org/x/oauth2 vulnerabilities GO-2025-3488 and GHSA-6v2p-p543-phr9?

💡 Result:

Patched version for both vulnerabilities (golang.org/x/oauth2): 0.27.0. GO-2025-3488: affected “before v0.27.0”, so the patched version is v0.27.0 or later [1]. GHSA-6v2p-p543-phr9: “Fixed 0.27.0” and the affected range includes versions fixed starting at 0.27.0, so the patched version is v0.27.0 or later [2].

Citations:

• 1: https://pkg.go.dev/vuln/GO-2025-3488
• 2: https://osv.dev/vulnerability/GHSA-6v2p-p543-phr9

---

Address HIGH severity vulnerabilities in golang.org/x/oauth2 v0.23.0.

Two HIGH severity vulnerabilities affect the current version:

• GO-2025-3488: Unexpected memory consumption during token parsing
• GHSA-6v2p-p543-phr9: Improper validation of syntactic correctness of input

Both are patched in golang.org/x/oauth2 v0.27.0 and later. Since oauth2 is an indirect dependency (pulled via github.com/openshift-online/ocm-sdk-go), upgrade ocm-sdk-go to a version that requires oauth2 v0.27.0 or later. Version v0.36.0 of oauth2 is available as an upgrade path.

🧰 Tools

🪛 OSV Scanner (2.3.8)

[HIGH] 75-75: golang.org/x/oauth2 0.23.0: Unexpected memory consumption during token parsing in golang.org/x/oauth2

(GO-2025-3488)

---

[HIGH] 75-75: golang.org/x/oauth2 0.23.0: golang.org/x/oauth2 Improper Validation of Syntactic Correctness of Input vulnerability

(GHSA-6v2p-p543-phr9)

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@go.mod` at line 75, go.mod currently pulls golang.org/x/oauth2 v0.23.0
(indirect) which has HIGH severity vulnerabilities; update the indirect
dependency by bumping the consumer module github.com/openshift-online/ocm-sdk-go
to a release that requires oauth2 v0.27.0 or later (or add an explicit require
for golang.org/x/oauth2 v0.27.0+ in go.mod if an ocm-sdk-go upgrade isn’t
available yet), then run go mod tidy and verify the resolved version (e.g., with
go list -m all) to ensure oauth2 is at v0.27.0 or newer and update go.sum
accordingly.

[github-actions]

/retest

[github-actions]

/retest

[openshift-ci]

@dependabot[bot]: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/unit	c7ac62b	link	true	/test unit
ci/prow/lint	c7ac62b	link	true	/test lint
ci/prow/images	c7ac62b	link	true	/test images
ci/prow/periodics-images	c7ac62b	link	true	/test periodics-images
ci/prow/e2e-rosa-classic-smoke	c7ac62b	link	true	/test e2e-rosa-classic-smoke
ci/prow/e2e-rosa-hcp-smoke	c7ac62b	link	true	/test e2e-rosa-hcp-smoke

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.