⚠️ Potential issue | 🟠 Major | ⚡ Quick win

go.mod digest bump is likely shadowed by local replace (supply-chain impact uncertain).

In go.mod, the require github.com/openshift/cluster-api-provider-agent/api v0.0.0-20260528181349-f46caad1d728 (line 16) is overridden by replace github.com/openshift/cluster-api-provider-agent/api => ./api (line 137). With a local replace, this upstream version update often won’t change the resolved/downloaded module inputs for this module’s builds—so SBOM/provenance and CVE remediation may not reflect the bumped digest.

Confirm the intended supply-chain outcome for release builds: update the dependency graph where it’s actually consumed (e.g., inside ./api) and ensure SBOM/provenance attestations/CVE checks target the resolved artifacts, or remove/conditionally apply the replace for production and document why the upstream digest bump must still be tracked.

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@go.mod` at line 16, The go.mod shows a require for
github.com/openshift/cluster-api-provider-agent/api at
v0.0.0-20260528181349-f46caad1d728 but that is shadowed by the replace directive
"replace github.com/openshift/cluster-api-provider-agent/api => ./api"; confirm
intended supply-chain behavior by either (A) removing or gating the local
replace so CI/release builds resolve the upstream version, (B) updating the
dependency inside the ./api module itself so the bumped digest is reflected
where consumed, or (C) documenting and enforcing that the local replace is only
for local dev and that SBOM/provenance/CVE tooling target the resolved upstream
artifact for production; update go.mod (or CI/release config) and add a short
note in repository docs explaining which approach you chose.

⚠️ Potential issue | 🟠 Major | 🏗️ Heavy lift

⚠️ Digest bump is still shadowed by local replace directive—supply-chain integrity issue remains unresolved.

The bumped digest at line 18 will not be used in production builds because the replace github.com/openshift/cluster-api-provider-agent/api => ./api directive at line 139 overrides it. This means:

1. SBOM/provenance attestations won't reflect the updated upstream dependency version (violates supply-chain security guideline).
2. CVE remediation claimed by this digest bump won't be reflected in production artifacts.
3. The digest update may create a false sense of patched dependencies.

The previous review flagged this as a critical issue. To resolve it, choose one of these approaches:

Option A (recommended): Remove or conditionally gate the local replace directive for production/CI builds.
Option B: Update the dependency inside the ./api module itself so the bumped digest is reflected where consumed.
Option C: Document that the local replace is dev-only, and ensure SBOM/provenance/CVE tooling target the resolved upstream artifact for production.

Then update go.mod and document the chosen approach in the repository.

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@go.mod` at line 18, The dependency digest bump for
github.com/openshift/cluster-api-provider-agent/api at line 18 is being
overridden by the local replace directive (replace
github.com/openshift/cluster-api-provider-agent/api => ./api) which shadows the
updated upstream version and creates a supply-chain integrity issue. Choose one
of the recommended approaches: (A) remove or conditionally gate the replace
directive for production builds, (B) update the dependency version inside the
./api module itself, or (C) document the dev-only nature of the replace and
ensure SBOM/provenance tooling targets the resolved upstream artifact. After
selecting an approach, update the go.mod file accordingly and document the
chosen resolution in the repository to ensure the digest bump is actually
reflected in production builds.

Source: Coding guidelines