OCPBUGS-83520: Merge https://github.com/kubernetes-sigs/cloud-provider-azure:master (1fb8674) into main

[cloud-team-rebase-bot]

No description provided.

[coderabbitai]

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

• @coderabbitai resume to resume automatic reviews.
• @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

• ▶️ Resume reviews
• 🔍 Trigger review

Walkthrough

Updated pinned GitHub Action revisions; bumped Go builder images and added GOEXPERIMENT build arg; Makefiles and CI changed to prefer podman with conditional buildx flags; multiple Go module version bumps; added a .agents skills catalog with docs and several Python automation scripts; Helm chart and index updated.

Changes

Cohort / File(s)	Summary
GitHub workflows \.github/workflows/... cleanupcache.yaml, codeql-azclient.yml, dependency-review.yml, go-mod-consistency.yaml, lint-azclient.yaml, release-azclient-trace.yml, release-azclient.yml, release-cache.yml, release-configloader.yml, scorecards.yml, update-trivy-db.yaml, update-vendor-license.yml	Updated pinned uses: commit SHAs for step-security/harden-runner (v2.15.1→v2.16.0) across workflows; several additional action pins updated (actions/setup-go, CodeQL/upload-sarif, cache/save) where noted. No other workflow inputs or control flow changes.
Dockerfiles Dockerfile, cloud-node-manager.Dockerfile, e2e.Dockerfile	Bumped Go base image tags/digests to 1.25.8-bookworm; added ARG GOEXPERIMENT and ENV GOEXPERIMENT=${GOEXPERIMENT} in builder stages where applicable.
Top-level Makefile Makefile	Removed GOTOOLCHAIN default/export and related override; introduced podman-first CONTAINER_CLI/CONTAINER_BUILDX selection and conditional buildx/manifest flags; added --build-arg GOEXPERIMENT="$(GOEXPERIMENT)" to Linux builds; switched image build/push commands to $(CONTAINER_CLI)/$(CONTAINER_BUILDX).
Other Makefiles & build targets health-probe-proxy/Makefile, kubetest2-aks/Makefile, .../Makefile	Made podman-first container CLI detection, adapted buildx-setup, build/push targets, and parameterized buildx/manifest flags; suppressed which() stderr where applied.
Pipelines .pipelines/ccm-image.yml, .pipelines/cnm-image.yml	Replaced hardcoded docker login with $CONTAINER_CLI login ... (podman-first detection); credential usage unchanged.
.agents docs & templates .agents/agents.md, .agents/skills/*, AGENTS.md, CLAUDE.md	Added .agents catalog, authoring guidance, README, templates, and .gitkeep placeholders; updated references from ai/agents.md to .agents/agents.md.
New agent skills (docs) .agents/skills/cherry-pick-pr/SKILL.md, .agents/skills/create-release-note-doc-pr/SKILL.md, .agents/skills/create-release-tags/SKILL.md, .agents/skills/release/SKILL.md, .agents/skills/fix-image-cves/SKILL.md	Added skill documentation describing workflows for cherry-picking PRs, creating release-note doc PRs, creating release tags, release orchestration, and fixing image CVEs.
New agent scripts (automation) .agents/skills/cherry-pick-pr/scripts/cherry_pick_pr.py, .agents/skills/create-release-note-doc-pr/scripts/create_release_note_doc_pr.py, .agents/skills/create-release-tags/scripts/create_release_tags.py, .agents/skills/release/scripts/release.py, .agents/skills/fix-image-cves/scripts/fix_image_cves.py	Added several large executable Python CLI tools implementing the documented workflows; each introduces CLI entrypoints, state file handling, error types (e.g., CommandError/GitError), and substantial new logic.
Go module bumps (various) go.mod, pkg/azclient/.../go.mod, pkg/azclient/cache/go.mod, pkg/azclient/configloader/go.mod, pkg/azclient/trace/go.mod, kubetest2-aks/go.mod, pkg/azclient/go.mod, tests/go.mod	Bumped numerous dependency versions (OpenTelemetry, golang.org/x/, k8s.io/, grpc/genproto, cel.dev/expr, oauth2, and internal azclient versions). Changes limited to go.mod files.
Helm chart & index helm/cloud-provider-azure/Chart.yaml, helm/cloud-provider-azure/templates/..., helm/repo/index.yaml	Bumped chart version to 1.35.1, updated provider-version mappings for new Kubernetes minors, and added a 1.35.1 entry to the repo index with an updated generated timestamp.
Provider code & tests pkg/provider/storage/azure_storageaccount.go, pkg/provider/storage/azure_storageaccount_test.go	Added AccountOptions.AllowCrossTenantReplication *bool, updated matching/creation logic to honor the option, and added unit tests exercising the new comparison behavior.
Misc small changes .github/workflows/update-trivy-db.yaml, .pipelines/..., various Makefile adjustments, AGENTS.md/CLAUDE.md path updates	One cache action pin bumped, Docker build-arg propagation added, podman detection adjusted in pipelines/Makefiles, and small docs/path string updates.

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[openshift-ci]

Hi @cloud-team-rebase-bot[bot]. Thanks for your PR.

I'm waiting for a openshift member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work.

Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign damdo for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@pkg/azclient/trace/go.mod`:
- Line 9: The go.mod bump to sigs.k8s.io/cloud-provider-azure/pkg/azclient
v0.15.2 pulls in Azure SDK major changes (v6→v9) and VNet API version updates;
audit and adapt any code that imports or calls Azure SDK interfaces (search for
uses of types/functions from sigs.k8s.io/cloud-provider-azure/pkg/azclient and
Azure VNet clients), update affected import paths/signatures to match v9, run
`go list -m all`/`go mod tidy` and full unit/integration tests to surface
breaking changes, and update call sites (methods in your azclient wrappers) to
the new method names/parameter types or add compatibility adapters if necessary.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: db31cca9-ca89-49b3-a644-18c674b428a6

📥 Commits

Reviewing files that changed from the base of the PR and between 4c7a764 and 83ec174.

⛔ Files ignored due to path filters (36)

• pkg/azclient/go.sum is excluded by !**/*.sum
• pkg/azclient/trace/go.sum is excluded by !**/*.sum
• pkg/azclient/trace/vendor/modules.txt is excluded by !**/vendor/**
• pkg/azclient/vendor/golang.org/x/net/http2/http2.go is excluded by !**/vendor/**
• pkg/azclient/vendor/golang.org/x/net/http2/server.go is excluded by !**/vendor/**
• pkg/azclient/vendor/golang.org/x/net/http2/transport.go is excluded by !**/vendor/**
• pkg/azclient/vendor/golang.org/x/net/http2/writesched.go is excluded by !**/vendor/**
• pkg/azclient/vendor/golang.org/x/net/http2/writesched_priority_rfc7540.go is excluded by !**/vendor/**
• pkg/azclient/vendor/golang.org/x/net/http2/writesched_random.go is excluded by !**/vendor/**
• pkg/azclient/vendor/golang.org/x/sys/cpu/asm_darwin_arm64_gc.s is excluded by !**/vendor/**
• pkg/azclient/vendor/golang.org/x/sys/cpu/cpu_arm64.go is excluded by !**/vendor/**
• pkg/azclient/vendor/golang.org/x/sys/cpu/cpu_darwin_arm64.go is excluded by !**/vendor/**
• pkg/azclient/vendor/golang.org/x/sys/cpu/cpu_darwin_arm64_other.go is excluded by !**/vendor/**
• pkg/azclient/vendor/golang.org/x/sys/cpu/cpu_gccgo_arm64.go is excluded by !**/vendor/**
• pkg/azclient/vendor/golang.org/x/sys/cpu/cpu_other_arm64.go is excluded by !**/vendor/**
• pkg/azclient/vendor/golang.org/x/sys/cpu/syscall_darwin_arm64_gc.go is excluded by !**/vendor/**
• pkg/azclient/vendor/golang.org/x/sys/unix/ztypes_linux.go is excluded by !**/vendor/**
• pkg/azclient/vendor/golang.org/x/sys/windows/aliases.go is excluded by !**/vendor/**
• pkg/azclient/vendor/golang.org/x/sys/windows/syscall_windows.go is excluded by !**/vendor/**
• pkg/azclient/vendor/golang.org/x/tools/go/ast/inspector/cursor.go is excluded by !**/vendor/**
• pkg/azclient/vendor/golang.org/x/tools/go/ast/inspector/inspector.go is excluded by !**/vendor/**
• pkg/azclient/vendor/golang.org/x/tools/go/ast/inspector/iter.go is excluded by !**/vendor/**
• pkg/azclient/vendor/golang.org/x/tools/go/packages/packages.go is excluded by !**/vendor/**
• pkg/azclient/vendor/golang.org/x/tools/go/types/objectpath/objectpath.go is excluded by !**/vendor/**
• pkg/azclient/vendor/golang.org/x/tools/internal/aliases/aliases.go is excluded by !**/vendor/**
• pkg/azclient/vendor/golang.org/x/tools/internal/aliases/aliases_go122.go is excluded by !**/vendor/**
• pkg/azclient/vendor/golang.org/x/tools/internal/event/core/event.go is excluded by !**/vendor/**
• pkg/azclient/vendor/golang.org/x/tools/internal/event/keys/keys.go is excluded by !**/vendor/**
• pkg/azclient/vendor/golang.org/x/tools/internal/event/label/label.go is excluded by !**/vendor/**
• pkg/azclient/vendor/golang.org/x/tools/internal/gcimporter/iexport.go is excluded by !**/vendor/**
• pkg/azclient/vendor/golang.org/x/tools/internal/gcimporter/iimport.go is excluded by !**/vendor/**
• pkg/azclient/vendor/golang.org/x/tools/internal/gcimporter/ureader_yes.go is excluded by !**/vendor/**
• pkg/azclient/vendor/golang.org/x/tools/internal/stdlib/deps.go is excluded by !**/vendor/**
• pkg/azclient/vendor/golang.org/x/tools/internal/typeparams/free.go is excluded by !**/vendor/**
• pkg/azclient/vendor/golang.org/x/tools/internal/typesinternal/types.go is excluded by !**/vendor/**
• pkg/azclient/vendor/modules.txt is excluded by !**/vendor/**

📒 Files selected for processing (18)

• .github/workflows/cleanupcache.yaml
• .github/workflows/codeql-azclient.yml
• .github/workflows/dependency-review.yml
• .github/workflows/go-mod-consistency.yaml
• .github/workflows/lint-azclient.yaml
• .github/workflows/release-azclient-trace.yml
• .github/workflows/release-azclient.yml
• .github/workflows/release-cache.yml
• .github/workflows/release-configloader.yml
• .github/workflows/scorecards.yml
• .github/workflows/update-trivy-db.yaml
• .github/workflows/update-vendor-license.yml
• Dockerfile
• Makefile
• cloud-node-manager.Dockerfile
• e2e.Dockerfile
• pkg/azclient/go.mod
• pkg/azclient/trace/go.mod

💤 Files with no reviewable changes (1)

• Makefile

[openshift-ci-robot]

@cloud-team-rebase-bot[bot]: This pull request references Jira Issue OCPBUGS-83520, which is valid.

3 validation(s) were run on this bug

• bug is open, matching expected state (open)
• bug target version (5.0.0) matches configured target version for branch (5.0.0)
• bug is in the state POST, which is one of the valid states (NEW, ASSIGNED, POST)

No GitHub users were found matching the public email listed for the QA contact in Jira (ocp-sustaining-admins@redhat.com), skipping review request.

The bug has been updated to refer to the pull request using the external bug tracker.

Details

In response to this:

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[rissh]

/retest

[damdo]

@rissh this now points to the latest upstream main which already has go 1.26 (as they are developing release-1.36/release-1.37 upstream already). We need to manually open a PR to temporarily carry the fix until our builder switch to go 1.26 and we can start syncing back again.

cc. @theobarberbany

[openshift-ci]

@cloud-team-rebase-bot[bot]: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/e2e-azure-ovn	c046e17	link	true	/test e2e-azure-ovn
ci/prow/e2e-azurestack-ipi	c046e17	link	true	/test e2e-azurestack-ipi
ci/prow/verify	c046e17	link	true	/test verify
ci/prow/images	c046e17	link	true	/test images
ci/prow/unit	c046e17	link	true	/test unit
ci/prow/verify-deps	c046e17	link	true	/test verify-deps
ci/prow/regression-clusterinfra-azure-ipi-ccm	c046e17	link	false	/test regression-clusterinfra-azure-ipi-ccm
ci/prow/e2e-azure-ovn-upgrade	c046e17	link	true	/test e2e-azure-ovn-upgrade
ci/prow/okd-scos-images	c046e17	link	true	/test okd-scos-images

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

[rissh]

@damdo Thanks for the context. I’m seeing a similar situation across a few other components and repositories as well. As discussed, we’ve already started updating the PRs on the 4.21 release branch, and we’ll be continuing with the remaining ones too.

If you have time, feel free to review them as well—no rush of course, since our first priority is to get this fixed correctly.

[damdo]

Thanks @rissh we have #184 up for main. Let's get that in that way for now