chore(deps): update tools

[renovate]

This PR contains the following updates:

Package	Update	Change	Age	Adoption	Passing	Confidence
Azure/azure-workload-identity	minor	v1.5.1 → v1.6.0
github.com/cli/cli/v2	minor	v2.93.0 → v2.94.0
golang.org/x/tools	minor	v0.45.0 → v0.46.0
protocolbuffers/protobuf	minor	v35.0 → v35.1
redhat-openshift-ecosystem/openshift-preflight	patch	1.19.0 → 1.19.1

---

Release Notes

Azure/azure-workload-identity (Azure/azure-workload-identity)

v1.6.0

Compare Source

v1.6.0 - 2026-06-11

⚠️ Breaking change: projected token path moved (#​1720)

The projected service account token mount path changed:

	Before	After
Mount path	/var/run/secrets/azure/tokens	/var/run/secrets/azure/wi/token
Full token path	/var/run/secrets/azure/tokens/azure-identity-token	/var/run/secrets/azure/wi/token/azure-identity-token

[!IMPORTANT]
Never hardcode the token file path. Always read AZURE_FEDERATED_TOKEN_FILE — the webhook owns this path and it may change again in future releases.

AZURE_FEDERATED_TOKEN_FILE is updated by the webhook to point at the new path. Applications using DefaultAzureCredential / WorkloadIdentityCredential (or reading AZURE_FEDERATED_TOKEN_FILE directly) work without changes:

tokenFilePath := os.Getenv("AZURE_FEDERATED_TOKEN_FILE")

Workaround for apps that hardcode the old path — add an init container that symlinks old → new:

initContainers:
- name: symlink-token
  image: busybox:latest
  command: ["sh", "-c", "mkdir -p /var/run/secrets/azure/tokens && ln -sf /var/run/secrets/azure/wi/token/azure-identity-token /var/run/secrets/azure/tokens/azure-identity-token"]
  volumeMounts:
  - { name: azure-tokens-compat, mountPath: /var/run/secrets/azure/tokens }
containers:
- name: your-app
  image: your-image
  volumeMounts:
  - { name: azure-tokens-compat, mountPath: /var/run/secrets/azure/tokens, readOnly: true }
volumes:
- name: azure-tokens-compat
  emptyDir: {}

Changelog

Bug Fixes 🐞

• 806062f fix: update Go version, remove K8s version table, bump kind versions (#​1722)

Build 🏭

• a7bab3c build: run go builder on $BUILDPLATFORM for cross-arch images (#​1734)

Code Refactoring 💎

• 89ee981 refactor: migrate proxy from MSAL to azidentity SDK with LRU credential cache (#​1721)
• bdb8258 refactor: use sets.Set instead of map[string]struct{} (#​1616)

Continuous Integration 💜

• a444192 ci: migrate az login to workload identity federation (#​1733)
• 23314d0 ci: update macos runner to macos-latest (#​1691)
• 2eaac6d ci: fix copa patch workflow (#​1682)
• 6aafb45 ci: add @​stlaz to CODEOWNERS (#​1647)
• 69b7641 ci: rm dependsOn in nightly pipeline (#​1630)
• fabb122 ci: rm verify deploy yaml nightly job (#​1627)

Documentation 📘

• 360876a docs: Update docs to reflect actual proxy sidecar behavior (#​1643)
• 4716a8d docs: use azure storge static web serving rather than public access (#​1635)

Features 🌈

• 3045cd0 feat: allow extraEnv/extraVolumes/extraVolumeMounts in webhook chart (#​1732)
• d878231 feat: support custom token endpoint injection for workload identity (#​1720)
• 533d7f5 feat: add --version flag for webhook and proxy (#​1629)

Maintenance 🔧

• 981e839 chore: remove dependsOn from upgrade pipeline (#​1724)
• 2a577d5 chore: update to go 1.25.9, grpc v1.79.3 and fix dependabot config (#​1719)
• 1ad3204 chore: update to go 1.25.8, bump otel sdk, and harden workflows (#​1717)
• 10fd199 chore: update to go 1.25.6 and distroless-iptables to v0.8.7 (#​1699)
• c926cd0 chore: bump the k8s group with 3 updates (#​1678)
• 5f5f3a4 chore: update distroless-iptables to v0.8.6 (#​1690)
• fc01ee3 chore: update to go 1.24.10 (#​1683)
• 08df826 chore: bump golang.org/x/crypto from 0.37.0 to 0.45.0 in /test/e2e (#​1681)
• a29b978 chore: bump golang.org/x/crypto from 0.37.0 to 0.45.0 (#​1680)
• dab95df chore: bump the k8s group with 3 updates (#​1666)
• a687ba7 chore: update distroless-iptables to v0.8.2 (#​1672)
• 489fd2b chore: bump the k8s group with 3 updates (#​1631)
• a49f8f9 chore: update controller-gen to v0.14.0 and kustomize to v4.2.0 (#​1657)
• 44deb3d chore: update to go 1.24.6 (#​1645)
• cb2954e chore: bump github.com/spf13/pflag from 1.0.6 to 1.0.7 (#​1641)
• 9e86054 chore: bump golang.org/x/oauth2 from 0.21.0 to 0.27.0 (#​1639)

cli/cli (github.com/cli/cli/v2)

v2.94.0: GitHub CLI 2.94.0

Compare Source

Issue types, sub-issues, and relationships in gh issue

This release brings GitHub's advanced issue features to gh issue create, edit, view, and list. You can set and view an issue's type, organize work with sub-issues, and track blocked-by and blocking relationships without leaving the command line:

# Set an issue's type
gh issue create --type Bug
gh issue edit 123 --type Bug

# Organize work with sub-issues
gh issue create --parent 100
gh issue edit 100 --add-sub-issue 123

# Track blocked-by and blocking relationships
gh issue create --blocked-by 200
gh issue edit 123 --add-blocking 300

Issue types and sub-issues are available on GitHub.com and GHES 3.17+; relationships require GHES 3.19+.

Manage discussions with gh discussion

This release introduces the discussion command set for working with GitHub Discussions in gh:

# List discussions
gh discussion list

# View a discussion, its comments, or replies to a comment
gh discussion view 123 --comments

# Create a discussion
gh discussion create

# Edit a discussion
gh discussion edit 123

# Comment on a discussion
gh discussion comment 123

# Reply to a comment using its URL
gh discussion comment <url>

Run gh discussion --help for more information.

[!NOTE]
The discussion command set is in preview and is subject to change without notice.

Equip your agents with new gh features

Teach your agents how to leverage new GitHub CLI features on release day by installing the gh skill:

# Install
gh skill install cli/cli gh --scope user

# Or update
gh skill update gh

What's Changed

✨ Features

• Add gh discussion command set (list, view, create, edit) as a preview by @​babakks and @​maxbeizer in #​13541
• Add gh discussion comment to comment on and reply to discussions by @​babakks in #​13620
• Add Issues 2.0 support: issue types, sub-issues, and relationships by @​BagToad in #​13057
• Add gh skill list to inventory installed agent skills by @​tommaso-moro in #​13418
• Add --all flag to gh skill install to install every skill in a repository by @​tommaso-moro in #​13471
• Skip skills without metadata when running gh skill update --all by @​tommaso-moro in #​13469
• Alias gh extension uninstall to gh extension remove by @​BagToad in #​13599
• Auto-install official extensions in CI by @​BagToad in #​13581

🐛 Fixes

• fix(skill): support skill discovery in nested directories by @​tommaso-moro in #​13459

📚 Docs & Chores

• Bump Go to 1.26.4 by @​github-actions[bot] in #​13578
• Clean up deferred issue update helper by @​BagToad in #​13584
• Add terminal-mockup canvas extension for marketing screenshots by @​BagToad in #​13612
• Add gh discussion and Issues 2.0 reference to the gh skill, plus a README note by @​BagToad in #​13631

Dependencies

• chore(deps): bump golangci/golangci-lint-action from 9.2.0 to 9.2.1 by @​dependabot in #​13521
• chore(deps): bump github.com/gdamore/tcell/v2 from 2.13.9 to 2.13.10 by @​dependabot in #​13520
• chore(deps): bump github.com/mattn/go-colorable from 0.1.14 to 0.1.15 by @​dependabot in #​13572
• chore(deps): bump charm.land/bubbletea/v2 from 2.0.6 to 2.0.7 by @​dependabot in #​13595
• chore(deps): bump github/codeql-action from 4.36.0 to 4.36.1 by @​dependabot in #​13596
• chore(deps): bump actions/checkout from 6.0.2 to 6.0.3 by @​dependabot in #​13597

Full Changelog: cli/cli@v2.93.0...v2.94.0

protocolbuffers/protobuf (protocolbuffers/protobuf)

v35.1: Protocol Buffers v35.1

Compare Source

Announcements

• Protobuf News may include additional announcements or pre-announcements for upcoming changes.

Bazel

• Bazel 9 tests for csharp, hpb, objc, php, python, rust and upb (#​27598) (4469e38)
• Break protobuf dependency on Bazel's proto fragment. Only respect the Starlark versions of --proto_toolchain_for*. This is a breaking change from 35.0, but matches the behavior in 34.x. (1f99c52)

C++

• Add cord setters to repeated string fields. (6efa174)

UPB (Python/PHP/Ruby C-Extension)

• Avoid UB in upb by switching to the XCT section, which will run our constructors before the compiler-generated initializers. (c35b977)

redhat-openshift-ecosystem/openshift-preflight (redhat-openshift-ecosystem/openshift-preflight)

v1.19.1

Compare Source

What's Changed

• test: redirect stdout/stderr through injectable writers and route log… by @​bcrochet in #​1472
• test: convert remaining standard Go tests to Ginkgo by @​bcrochet in #​1473
• build(deps): bump docker/login-action from 4.1.0 to 4.2.0 by @​dependabot[bot] in #​1475
• build(deps): bump docker/setup-qemu-action from 4.0.0 to 4.1.0 by @​dependabot[bot] in #​1474
• updating go to 1.26.3 by @​acornett21 in #​1476
• build(deps): bump the prod-dependencies group across 1 directory with 7 updates by @​dependabot[bot] in #​1477
• add support for OCP 4.22 GA by @​acornett21 in #​1478

Full Changelog: redhat-openshift-ecosystem/openshift-preflight@1.19.0...1.19.1

---

Configuration

📅 Schedule: (in timezone Europe/London)

• Branch creation
  • At any time (no schedule defined)
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[cert-manager-prow]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign jakexks for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment