
NO-ISSUE: Update github.com/openshift/cluster-api-provider-agent/api digest to 7e9b75f#1015

Open
red-hat-konflux[bot] wants to merge 1 commit into master from konflux/mintmaker/master/github.com-openshift-cluster-api-provider-agent-api-digest

Conversation

@red-hat-konflux

@red-hat-konflux red-hat-konflux Bot commented May 29, 2026


This PR contains the following updates:

| Package | Type | Update | Change |
| --- | --- | --- | --- |
| github.com/openshift/cluster-api-provider-agent/api | require | digest | 3ad4558 → 7e9b75f |

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

To execute skipped test pipelines write comment /ok-to-test.


Documentation

Find out how to configure dependency updates in MintMaker documentation or see all available configuration options in Renovate documentation.

Summary by CodeRabbit

  • Chores
    • Updated a dependency to a newer version to incorporate improvements and maintain compatibility.

@openshift-ci-robot openshift-ci-robot added the jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. label May 29, 2026
@openshift-ci-robot


@red-hat-konflux[bot]: This pull request explicitly references no jira issue.

Details

In response to this:

This PR contains the following updates:

| Package | Type | Update | Change |
| --- | --- | --- | --- |
| github.com/openshift/cluster-api-provider-agent/api | require | digest | 3ad4558 → f46caad |

[!WARNING]
Some dependencies could not be looked up. Check the warning logs for more information.


Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

To execute skipped test pipelines write comment /ok-to-test.


Documentation

Find out how to configure dependency updates in MintMaker documentation or see all available configuration options in Renovate documentation.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@coderabbitai

coderabbitai Bot commented May 29, 2026


Walkthrough

Updated the github.com/openshift/cluster-api-provider-agent/api dependency in go.mod from a pseudo-version dated 2025-12-02 to a newer pseudo-version dated 2026-06-16. All other module requirements and directives remain unchanged.

Changes

Dependency Update

| Layer / File(s) | Summary |
| --- | --- |
| Agent API dependency update (go.mod) | The required version of github.com/openshift/cluster-api-provider-agent/api is bumped to incorporate upstream changes. |

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

🚥 Pre-merge checks | ✅ 13 | ❌ 2

❌ Failed checks (2 warnings)

| Check name | Status | Explanation | Resolution |
| --- | --- | --- | --- |
| Test Structure And Quality | ⚠️ Warning | Tests violate single responsibility (32 assertions in one test), lack meaningful assertion messages (e.g., Expect(err).To(BeNil()) without context), and contain no timeout specifications on async... | Refactor multi-assertion tests into focused tests per behavior; add failure messages to assertions like `Expect(err).NotTo(HaveOccurred(), "failed to...")`; add timeouts to Eventually/Consistently blocks for async operations. |
| Ipv6 And Disconnected Network Test Compatibility | ⚠️ Warning | PR adds Ginkgo tests with hardcoded IPv4 addresses (192.186.126.10, 10.0.36.14, 1.2.3.4, etc.) that will fail in IPv6-only disconnected CI environments without IPv6 support. | Update test helpers in node_provider_id_controller_test.go and agentcluster_controller_test.go to use IPv6-compatible addresses (e.g., ::1 or fd00::1) or dynamically detect cluster IP family and adapt test data accordingly using availabl... |

✅ Passed checks (13 passed)

| Check name | Status | Explanation |
| --- | --- | --- |
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title accurately describes the main change: updating a dependency digest for github.com/openshift/cluster-api-provider-agent/api to a specific commit hash. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Stable And Deterministic Test Names | ✅ Passed | All 47 Ginkgo test names in the added test files are stable and deterministic, containing no dynamic information, generated IDs, timestamps, pod/node names, or namespaces that change between test r... |
| Microshift Test Compatibility | ✅ Passed | New Ginkgo tests added do not use MicroShift-incompatible APIs; they only use Hive, Assisted Service, CAPI, and standard Kubernetes APIs. |
| Single Node Openshift (Sno) Test Compatibility | ✅ Passed | This PR only updates a module dependency digest in go.mod. The controller unit tests present are not new e2e tests that assume multi-node topologies—they use envtest (lightweight test harness) with... |
| Topology-Aware Scheduling Compatibility | ✅ Passed | PR only updates a dependency version in go.mod (+1/-1 change). The custom check applies only when deployment manifests, operator code, or controllers are added or modified. No such changes are pres... |
| Ote Binary Stdout Contract | ✅ Passed | PR is a dependency version bump (go.mod change) with no modifications to process-level code that writes stdout. Check not applicable. |
| No-Weak-Crypto | ✅ Passed | No weak cryptography patterns (MD5, SHA1, DES, RC4, 3DES, Blowfish, ECB) found. PR only updates a go.mod dependency version with no code changes. |
| Container-Privileges | ✅ Passed | PR only modifies go.mod dependency digest; no container/K8s manifest changes. Existing manifests lack flagged privilege settings (privileged:true, hostPID, hostNetwork, hostIPC, SYS_ADMIN, allowPri... |
| No-Sensitive-Data-In-Logs | ✅ Passed | No sensitive data (passwords, tokens, API keys, PII) is exposed in logs. Logging statements reference secret names only, not their values. GitHub Actions correctly uses secret variables. |

✏️ Tip: You can configure your own custom pre-merge checks in the settings.


Comment @coderabbitai help to get the list of available commands and usage tips.

@openshift-ci openshift-ci Bot added the size/XS Denotes a PR that changes 0-9 lines, ignoring generated files. label May 29, 2026
@openshift-ci openshift-ci Bot requested review from avishayt and carbonin May 29, 2026 00:30
@openshift-ci

openshift-ci Bot commented May 29, 2026


[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: red-hat-konflux[bot]
Once this PR has been reviewed and has the lgtm label, please assign rccrdpccl for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci openshift-ci Bot added the needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. label May 29, 2026
@openshift-ci

openshift-ci Bot commented May 29, 2026


Hi @red-hat-konflux[bot]. Thanks for your PR.

I'm waiting for an openshift member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work.

Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@go.mod`:
- Line 16: The go.mod shows a require for
github.com/openshift/cluster-api-provider-agent/api at
v0.0.0-20260528181349-f46caad1d728 but that is shadowed by the replace directive
"replace github.com/openshift/cluster-api-provider-agent/api => ./api"; confirm
intended supply-chain behavior by either (A) removing or gating the local
replace so CI/release builds resolve the upstream version, (B) updating the
dependency inside the ./api module itself so the bumped digest is reflected
where consumed, or (C) documenting and enforcing that the local replace is only
for local dev and that SBOM/provenance/CVE tooling target the resolved upstream
artifact for production; update go.mod (or CI/release config) and add a short
note in repository docs explaining which approach you chose.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 02e71a37-8306-4c79-bcd7-f24c7d95f6c5

📥 Commits

Reviewing files that changed from the base of the PR and between f46caad and b4ee6f5.

⛔ Files ignored due to path filters (1)
  • vendor/modules.txt is excluded by !**/vendor/**, !vendor/**
📒 Files selected for processing (1)
  • go.mod

Comment thread go.mod Outdated
github.com/onsi/ginkgo v1.16.5
github.com/onsi/gomega v1.38.2
github.com/openshift/cluster-api-provider-agent/api v0.0.0-20251202202927-3ad4558809a2
github.com/openshift/cluster-api-provider-agent/api v0.0.0-20260528181349-f46caad1d728
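Review bot: the changed require line for github.com/openshift/cluster-api-provider-agent/api needs a matching entry in vendor/modules.txt, and that file was excluded from this automated review by the path filters listed in the review info. Go's vendoring consistency check compares the require versions in go.mod with vendor/modules.txt, so confirm by hand that the regenerated file carries v0.0.0-20260528181349-f46caad1d728 and still records the => ./api replacement.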


⚠️ Potential issue | 🟠 Major | ⚡ Quick win

go.mod digest bump is likely shadowed by local replace (supply-chain impact uncertain).

In go.mod, the require github.com/openshift/cluster-api-provider-agent/api v0.0.0-20260528181349-f46caad1d728 (line 16) is overridden by replace github.com/openshift/cluster-api-provider-agent/api => ./api (line 137). With a local replace, this upstream version update often won’t change the resolved/downloaded module inputs for this module’s builds—so SBOM/provenance and CVE remediation may not reflect the bumped digest.

Confirm the intended supply-chain outcome for release builds: update the dependency graph where it’s actually consumed (e.g., inside ./api) and ensure SBOM/provenance attestations/CVE checks target the resolved artifacts, or remove/conditionally apply the replace for production and document why the upstream digest bump must still be tracked.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@go.mod` at line 16, The go.mod shows a require for
github.com/openshift/cluster-api-provider-agent/api at
v0.0.0-20260528181349-f46caad1d728 but that is shadowed by the replace directive
"replace github.com/openshift/cluster-api-provider-agent/api => ./api"; confirm
intended supply-chain behavior by either (A) removing or gating the local
replace so CI/release builds resolve the upstream version, (B) updating the
dependency inside the ./api module itself so the bumped digest is reflected
where consumed, or (C) documenting and enforcing that the local replace is only
for local dev and that SBOM/provenance/CVE tooling target the resolved upstream
artifact for production; update go.mod (or CI/release config) and add a short
note in repository docs explaining which approach you chose.

@red-hat-konflux red-hat-konflux Bot force-pushed the konflux/mintmaker/master/github.com-openshift-cluster-api-provider-agent-api-digest branch from b4ee6f5 to bc09ad2 Compare June 4, 2026 16:24
@red-hat-konflux red-hat-konflux Bot changed the title NO-ISSUE: Update github.com/openshift/cluster-api-provider-agent/api digest to f46caad NO-ISSUE: Update github.com/openshift/cluster-api-provider-agent/api digest to 5f08414 Jun 4, 2026
…digest to 7e9b75f

Signed-off-by: red-hat-konflux <126015336+red-hat-konflux[bot]@users.noreply.github.com>
@red-hat-konflux red-hat-konflux Bot force-pushed the konflux/mintmaker/master/github.com-openshift-cluster-api-provider-agent-api-digest branch from bc09ad2 to 04de10c Compare June 20, 2026 00:15
@red-hat-konflux red-hat-konflux Bot changed the title NO-ISSUE: Update github.com/openshift/cluster-api-provider-agent/api digest to 5f08414 NO-ISSUE: Update github.com/openshift/cluster-api-provider-agent/api digest to 7e9b75f Jun 20, 2026

@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@go.mod`:
- Line 18: The dependency digest bump for
github.com/openshift/cluster-api-provider-agent/api at line 18 is being
overridden by the local replace directive (replace
github.com/openshift/cluster-api-provider-agent/api => ./api) which shadows the
updated upstream version and creates a supply-chain integrity issue. Choose one
of the recommended approaches: (A) remove or conditionally gate the replace
directive for production builds, (B) update the dependency version inside the
./api module itself, or (C) document the dev-only nature of the replace and
ensure SBOM/provenance tooling targets the resolved upstream artifact. After
selecting an approach, update the go.mod file accordingly and document the
chosen resolution in the repository to ensure the digest bump is actually
reflected in production builds.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 8fb6eace-3954-49e5-b3af-4a8652511cd7

📥 Commits

Reviewing files that changed from the base of the PR and between b4ee6f5 and 04de10c.

⛔ Files ignored due to path filters (1)
  • vendor/modules.txt is excluded by !**/vendor/**, !vendor/**
📒 Files selected for processing (1)
  • go.mod

Comment thread go.mod
github.com/onsi/ginkgo v1.16.5
github.com/onsi/gomega v1.38.2
github.com/openshift/cluster-api-provider-agent/api v0.0.0-20251202202927-3ad4558809a2
github.com/openshift/cluster-api-provider-agent/api v0.0.0-20260616215033-7e9b75f7e592
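Review bot: the two pseudo-versions on the changed require line are more than six months apart (20251202202927 to 20260616215033), and nothing in the PR says which upstream commits between 3ad4558809a2 and 7e9b75f7e592 are being pulled in. Ask for a compare link or a short changelog in the description before merge, so the approver knows what the new digest actually covers.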


⚠️ Potential issue | 🟠 Major | 🏗️ Heavy lift

⚠️ Digest bump is still shadowed by local replace directive—supply-chain integrity issue remains unresolved.

The bumped digest at line 18 will not be used in production builds because the replace github.com/openshift/cluster-api-provider-agent/api => ./api directive at line 139 overrides it. This means:

  1. SBOM/provenance attestations won't reflect the updated upstream dependency version (violates supply-chain security guideline).
  2. CVE remediation claimed by this digest bump won't be reflected in production artifacts.
  3. The digest update may create a false sense of patched dependencies.

The previous review flagged this as a critical issue. To resolve it, choose one of these approaches:

Option A (recommended): Remove or conditionally gate the local replace directive for production/CI builds.
Option B: Update the dependency inside the ./api module itself so the bumped digest is reflected where consumed.
Option C: Document that the local replace is dev-only, and ensure SBOM/provenance/CVE tooling target the resolved upstream artifact for production.

Then update go.mod and document the chosen approach in the repository.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@go.mod` at line 18, The dependency digest bump for
github.com/openshift/cluster-api-provider-agent/api at line 18 is being
overridden by the local replace directive (replace
github.com/openshift/cluster-api-provider-agent/api => ./api) which shadows the
updated upstream version and creates a supply-chain integrity issue. Choose one
of the recommended approaches: (A) remove or conditionally gate the replace
directive for production builds, (B) update the dependency version inside the
./api module itself, or (C) document the dev-only nature of the replace and
ensure SBOM/provenance tooling targets the resolved upstream artifact. After
selecting an approach, update the go.mod file accordingly and document the
chosen resolution in the repository to ensure the digest bump is actually
reflected in production builds.

Source: Coding guidelines
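
The shadowing described in the review comment above, as an added example that is not part of the PR or of CodeRabbit's output: a small Go check that reads a go.mod and lists every require line whose module a replace directive redirects to a local directory. The go.mod text is constructed from the lines quoted on this page (its module line is a placeholder), and Shadowed, isLocal and FindShadowed are names chosen for this example.

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed go.mod modelled on the lines quoted in the review; the module line is a placeholder.
const sampleGoMod = `module example.test/placeholder

require (
	github.com/onsi/gomega v1.38.2
	github.com/openshift/cluster-api-provider-agent/api v0.0.0-20260616215033-7e9b75f7e592
)

replace github.com/openshift/cluster-api-provider-agent/api => ./api
`

// Shadowed is a require line whose version is never fetched: replace points at a local directory.
type Shadowed struct{ Module, RequiredVersion, LocalPath string }

func isLocal(p string) bool { return strings.HasPrefix(p, "./") || strings.HasPrefix(p, "../") || strings.HasPrefix(p, "/") }

// FindShadowed reports required modules that a replace directive redirects to a filesystem path.
func FindShadowed(goMod string) (out []Shadowed) {
	var required [][]string
	local := map[string][2]string{} // module -> {left-side version or "", path}
	block := ""                     // keyword of the open "( ... )" block, if any
	for _, raw := range strings.Split(goMod, "\n") {
		f := strings.Fields(strings.SplitN(raw, "//", 2)[0])
		if len(f) == 0 {
			continue
		}
		kw, args := block, f // inside a block the keyword is implied
		if block == "" {
			kw, args = f[0], f[1:] // single-line directive
		}
		n := len(args)
		switch {
		case f[0] == ")":
			block = ""
		case n == 1 && args[0] == "(":
			block = kw
		case kw == "require" && n >= 2:
			required = append(required, args[:2])
		case kw == "replace" && n >= 3 && args[n-2] == "=>" && isLocal(args[n-1]):
			// A target followed by a version is another module and never reaches here.
			local[args[0]] = [2]string{strings.Join(args[1:n-2], ""), args[n-1]}
		}
	}
	for _, r := range required {
		if l, hit := local[r[0]]; hit && (l[0] == "" || l[0] == r[1]) {
			out = append(out, Shadowed{r[0], r[1], l[1]})
		}
	}
	return out
}

func main() { fmt.Println(FindShadowed(sampleGoMod)) }
```

On a real checkout, `go list -m -json all` gives the authoritative answer: a replaced module is reported with a `Replace` field.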


Labels

jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. size/XS Denotes a PR that changes 0-9 lines, ignoring generated files.
