
WIP: OCPBUGS-85367: Set UserAgentSuffix for cert-recovery-controller#940

Open
tchap wants to merge 2 commits into
openshift:mainfrom
tchap:user-agent-for-loopback

Conversation

@tchap
Contributor

@tchap tchap commented Jun 3, 2026

This makes it possible to check for this particular controller by UserAgent on the API server.

Blocked by openshift/library-go#2273

Summary by CodeRabbit

  • Chores
    • Updated OpenShift API and client dependencies to newer versions
    • Configured cert-recovery-controller with an updated user-agent identifier

tchap added 2 commits June 3, 2026 14:05
Use the new library-go UserAgentSuffix field to make the cert-recovery
controller's requests distinguishable from the main operator, enabling
the kube-apiserver to selectively filter known loopback clients in its
pre-readiness request logging.
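As an added example (not code from this PR, the operator or library-go), the following models the convention the commit message relies on: the controller's requests carry a distinguishable User-Agent suffix, and the server side uses an exact-suffix allow-list to keep known loopback clients out of its pre-readiness request log. The "/"-joined suffix format, the sample base User-Agent, the log entry shape and the request paths are assumptions of this example.

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed sample of the User-Agent a client-go based operator sends
// (binary/version (os/arch) kubernetes/commit); not a value from the PR.
const baseUserAgent = "cluster-kube-controller-manager-operator/v0.0.0 (linux/amd64) kubernetes/0000000"

// WithSuffix appends a suffix to a base User-Agent. The "/" join mirrors the
// client-go convention for added user-agent components; that format is an
// assumption of this example, not something the PR shows.
func WithSuffix(base, suffix string) string {
	if suffix == "" {
		return base
	}
	return base + "/" + suffix
}

// Suffix extracts the suffix from a User-Agent built by WithSuffix. The
// suffix is whatever follows "kubernetes/<commit>" in the last token; any
// other client (curl, a browser, a plain client-go caller) yields "".
func Suffix(userAgent string) string {
	fields := strings.Fields(userAgent)
	if len(fields) == 0 {
		return ""
	}
	parts := strings.Split(fields[len(fields)-1], "/")
	if len(parts) < 3 || parts[0] != "kubernetes" {
		return ""
	}
	return strings.Join(parts[2:], "/")
}

// knownLoopbackSuffixes is the allow-list of in-process clients whose
// requests are expected before the server is ready. "cert-recovery" is the
// suffix the PR sets; the map itself is a constructed example.
var knownLoopbackSuffixes = map[string]bool{
	"cert-recovery": true,
}

// IsKnownLoopbackClient reports whether a User-Agent identifies a client on
// the allow-list. Matching the exact suffix rather than a substring keeps
// "cert-recovery-test", or "cert-recovery" appearing elsewhere in the
// header, from being treated as the controller.
func IsKnownLoopbackClient(userAgent string) bool {
	return knownLoopbackSuffixes[Suffix(userAgent)]
}

// Entry is one pre-readiness request log record (constructed shape).
type Entry struct {
	Verb, Path, UserAgent string
}

// FilterPreReadinessLog drops entries from known loopback clients so that
// what remains is the unexpected traffic worth looking at.
func FilterPreReadinessLog(entries []Entry) []Entry {
	var kept []Entry
	for _, e := range entries {
		if IsKnownLoopbackClient(e.UserAgent) {
			continue
		}
		kept = append(kept, e)
	}
	return kept
}

// SampleLog returns constructed pre-readiness entries: the main operator,
// the cert-recovery controller (same binary, suffixed agent) and kubectl.
func SampleLog() []Entry {
	certRecovery := WithSuffix(baseUserAgent, "cert-recovery")
	return []Entry{
		{"GET", "/healthz", baseUserAgent},
		{"GET", "/api/v1/namespaces/openshift-kube-controller-manager/secrets", certRecovery},
		{"PATCH", "/api/v1/namespaces/openshift-kube-controller-manager/secrets/csr-signer", certRecovery},
		{"GET", "/api", "kubectl/v0.0.0 (linux/amd64) kubernetes/1111111"},
	}
}

func main() {
	// Only the operator's own probe and the kubectl call survive the filter.
	for _, e := range FilterPreReadinessLog(SampleLog()) {
		fmt.Printf("%-5s %-70s %s\n", e.Verb, e.Path, e.UserAgent)
	}
}
```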
@openshift-ci-robot openshift-ci-robot added jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. jira/invalid-bug Indicates that a referenced Jira bug is invalid for the branch this PR is targeting. labels Jun 3, 2026
@openshift-ci openshift-ci Bot added the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Jun 3, 2026
@openshift-ci-robot

@tchap: This pull request references Jira Issue OCPBUGS-85367, which is invalid:

  • expected the bug to target the "5.0.0" version, but no target version was set

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

The bug has been updated to refer to the pull request using the external bug tracker.


In response to this:

This makes it possible to check for this particular controller by UserAgent on the API server.

Blocked by openshift/library-go#2273

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@coderabbitai

coderabbitai Bot commented Jun 3, 2026

Walkthrough

This PR updates OpenShift dependency versions for API and client-go libraries, adds a module replacement directive to use a fork of library-go, and configures the cert-recovery controller to use "cert-recovery" as its user-agent suffix for outbound client calls.

Changes

Dependency and controller updates

Layer / File(s) | Summary
OpenShift dependency updates and module replacement (go.mod) | github.com/openshift/api and github.com/openshift/client-go versions are bumped to newer commits. A replace directive redirects github.com/openshift/library-go to github.com/tchap/library-go at a specified version.
Recovery controller user-agent configuration (pkg/cmd/recoverycontroller/cmd.go) | The cert-recovery controller command sets UserAgentSuffix to "cert-recovery" for its client calls.

🎯 2 (Simple) | ⏱️ ~8 minutes

🚥 Pre-merge checks | ✅ 14 | ❌ 1

❌ Failed checks (1 warning)

Check name Status Explanation Resolution
Docstring Coverage ⚠️ Warning Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%. Write docstrings for the functions missing them to satisfy the coverage threshold.
✅ Passed checks (14 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title directly reflects the main changes: setting UserAgentSuffix for the cert-recovery-controller, which aligns with the primary objective of enabling API request identification.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names ✅ Passed No Ginkgo tests exist in this repository. The PR modifies go.mod and cmd.go files only, with no test definitions present.
Test Structure And Quality ✅ Passed PR contains no test code changes. Changes are only to go.mod and pkg/cmd/recoverycontroller/cmd.go. Repository uses standard Go testing, not Ginkgo. Check is not applicable.
Microshift Test Compatibility ✅ Passed PR does not add new Ginkgo e2e tests. Changes are only to go.mod dependencies and setting UserAgentSuffix in recovery controller command. Existing test files are not being modified.
Single Node Openshift (Sno) Test Compatibility ✅ Passed No new Ginkgo e2e tests added. PR only updates dependencies and sets UserAgentSuffix for cert-recovery-controller in existing code.
Topology-Aware Scheduling Compatibility ✅ Passed PR introduces no topology-incompatible scheduling constraints. Only adds UserAgentSuffix to cmd.go and updates dependencies. Manifests use tolerations suitable for all topologies.
Ote Binary Stdout Contract ✅ Passed PR sets UserAgentSuffix field on controller config—a simple string assignment that affects HTTP headers, not stdout. No direct stdout writes in process-level code; change is purely config-level.
Ipv6 And Disconnected Network Test Compatibility ✅ Passed No new Ginkgo e2e tests are added. Changes involve go.mod updates and UserAgentSuffix configuration only.
No-Weak-Crypto ✅ Passed PR does not introduce MD5, SHA1, DES, RC4, 3DES, Blowfish, ECB mode usage, custom crypto, or non-constant-time secret comparisons. Changes only add UserAgentSuffix configuration and dependencies.
Container-Privileges ✅ Passed PR introduces no privileged container settings (privileged: true, hostPID, hostIPC, SYS_ADMIN, allowPrivilegeEscalation: true) in new/modified manifests or containers.
No-Sensitive-Data-In-Logs ✅ Passed No sensitive data in logs. UserAgentSuffix set to "cert-recovery"; logging contains only generic status and feature gate info, no credentials or PII.


Warning

There were issues while running some tools. Please review the errors and either fix the tool's configuration or disable the tool if it's a critical failure.

🔧 golangci-lint (2.12.2)

Command failed


Comment @coderabbitai help to get the list of available commands and usage tips.

@tchap
Contributor Author

tchap commented Jun 3, 2026

/jira refresh

@openshift-ci openshift-ci Bot requested review from bertinatto and tjungblu June 3, 2026 12:26
@openshift-ci
Contributor

openshift-ci Bot commented Jun 3, 2026

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign flavianmissi for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci-robot openshift-ci-robot added jira/valid-bug Indicates that a referenced Jira bug is valid for the branch this PR is targeting. and removed jira/invalid-bug Indicates that a referenced Jira bug is invalid for the branch this PR is targeting. labels Jun 3, 2026
@openshift-ci-robot

@tchap: This pull request references Jira Issue OCPBUGS-85367, which is valid. The bug has been moved to the POST state.

3 validation(s) were run on this bug
  • bug is open, matching expected state (open)
  • bug target version (5.0.0) matches configured target version for branch (5.0.0)
  • bug is in the state New, which is one of the valid states (NEW, ASSIGNED, POST)

In response to this:

/jira refresh

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@openshift-ci-robot

@tchap: This pull request references Jira Issue OCPBUGS-85367, which is valid.

3 validation(s) were run on this bug
  • bug is open, matching expected state (open)
  • bug target version (5.0.0) matches configured target version for branch (5.0.0)
  • bug is in the state POST, which is one of the valid states (NEW, ASSIGNED, POST)

In response to this:

This makes it possible to check for this particular controller by UserAgent on the API server.

Blocked by openshift/library-go#2273

Summary by CodeRabbit

  • Chores
    • Updated OpenShift API and client dependencies to newer versions
    • Configured cert-recovery-controller with an updated user-agent identifier

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.


@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@go.mod`:
- Around line 12-14: go.mod was updated with OpenShift module bumps
(github.com/openshift/api@v0.0.0-20260521125114-09730f85d883 and
github.com/openshift/client-go@v0.0.0-20260512113608-deb4dc54551a) but the PR
lacks supply-chain notes: update the PR description (or add a dedicated
CHANGELOG/SECURITY note) to state the license compatibility for each bumped
module and attach any required provenance/SBOM/signing evidence per prodsec
guidelines (e.g., link to upstream license files, verification of
hashes/signatures, SBOM or source provenance) so reviewers can validate
supply-chain compliance for those two dependencies.
- Line 137: The replace directive swapping github.com/openshift/library-go to
github.com/tchap/library-go at a specific pseudo-version is unguarded; update
the replace entry’s surrounding comment and repository governance by adding an
explicit temporary guardrail: state the reason (e.g., critical bug/security
fix), reference the upstream PR/commit that this fork is intended to be replaced
by (include the PR number or commit hash), set a clear removal condition or
timeline (e.g., "remove after upstream PR merged and vendor updated, target date
YYYY-MM-DD or within N weeks"), and add a verification note that the fork was
validated for provenance/license compatibility and that SBOM/Sigstore/cosign
signing will be applied to built artifacts; ensure this metadata is adjacent to
the replace directive in go.mod so future maintainers see the justification and
removal criteria for the library-go replacement.
📥 Commits

Reviewing files that changed from the base of the PR and between 9d636ab and 170c032.

⛔ Files ignored due to path filters (87)
📒 Files selected for processing (2)
  • go.mod
  • pkg/cmd/recoverycontroller/cmd.go

Comment thread go.mod
Comment on lines +12 to +14
github.com/openshift/api v0.0.0-20260521125114-09730f85d883
github.com/openshift/build-machinery-go v0.0.0-20250530140348-dc5b2804eeee
github.com/openshift/client-go v0.0.0-20260330134249-7e1499aaacd7
github.com/openshift/client-go v0.0.0-20260512113608-deb4dc54551a
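Review bot: The rendered lines +12 to +14 show both the old and the new github.com/openshift/client-go pseudo-version (v0.0.0-20260330134249-7e1499aaacd7 and v0.0.0-20260512113608-deb4dc54551a), so the bump is a one-line replacement; the corresponding go.sum and vendor/modules.txt changes are hidden from this review by the !**/*.sum and !**/vendor/** path filters, so a reviewer should confirm they were regenerated with `go mod tidy && go mod vendor` against the new commits rather than edited by hand.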


⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

# Read-only CVE checks against OSV for exact module@version pairs
curl -s https://api.osv.dev/v1/query -H 'Content-Type: application/json' -d '{
  "package": {"name": "github.com/openshift/api", "ecosystem": "Go"},
  "version": "v0.0.0-20260521125114-09730f85d883"
}' | jq .

curl -s https://api.osv.dev/v1/query -H 'Content-Type: application/json' -d '{
  "package": {"name": "github.com/openshift/client-go", "ecosystem": "Go"},
  "version": "v0.0.0-20260512113608-deb4dc54551a"
}' | jq .

Repository: openshift/cluster-kube-controller-manager-operator

Length of output: 100


Update go.mod supply-chain check for OpenShift bumps

OSV lookups for the exact bumped versions in go.mod (github.com/openshift/api@v0.0.0-20260521125114-09730f85d883 and github.com/openshift/client-go@v0.0.0-20260512113608-deb4dc54551a) return no vulnerability entries. License/provenance compatibility isn’t evidenced by go.mod alone—add PR notes with license compatibility (and any required provenance/SBOM/signing evidence per your prodsec guidelines).


Comment thread go.mod
// Upstream ginkgo does not export these symbols (e.g. `Suite`); see https://github.com/openshift/onsi-ginkgo.
replace github.com/onsi/ginkgo/v2 => github.com/openshift/onsi-ginkgo/v2 v2.6.1-0.20251001123353-fd5b1fb35db1

replace github.com/openshift/library-go => github.com/tchap/library-go v0.0.0-20260603115914-0690a6474e6d
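Review bot: The new replace of github.com/openshift/library-go with github.com/tchap/library-go v0.0.0-20260603115914-0690a6474e6d carries no comment, unlike the ginkgo replace immediately above it; add one naming the upstream change it stands in for (openshift/library-go#2273, listed as the blocker in the PR description) and stating that the directive is to be dropped once that PR merges and the upstream module is bumped, since a replace to a personal fork redirects every transitive library-go import in the build, not just the UserAgentSuffix field this PR needs.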


⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Avoid unguarded long-lived fork replacement for library-go in go.mod.

go.mod (line 137) replaces github.com/openshift/library-go with github.com/tchap/library-go v0.0.0-20260603115914-0690a6474e6d (pseudo-version pinned to a specific commit), but this introduces broader supply-chain/behavior risk across all transitive library-go imports. Add an explicit temporary guardrail/expiry (upstream PR/commit target + removal condition/timeline) and include the verification note expected by your guidelines for provenance/license compatibility and your SBOM/provenance + Sigstore/cosign signing expectations for the build artifacts.


@openshift-ci
Contributor

openshift-ci Bot commented Jun 3, 2026

@tchap: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.


Labels

do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. jira/valid-bug Indicates that a referenced Jira bug is valid for the branch this PR is targeting. jira/valid-reference Indicates that this PR references a valid Jira ticket of any type.
