Update golang.org/x/exp digest to c48552f

[red-hat-konflux-kflux-prd-rh02]

This PR contains the following updates:

Package	Type	Update	Change
golang.org/x/exp	indirect	digest	9b4947d → c48552f

---

Configuration

📅 Schedule: Branch creation - "on monday" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

To execute skipped test pipelines write comment /ok-to-test.

---

Documentation

Find out how to configure dependency updates in MintMaker documentation or see all available configuration options in Renovate documentation.

[red-hat-konflux-kflux-prd-rh02]

⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

• any of the package files in this branch needs updating, or
• the branch becomes conflicted, or
• you click the rebase/retry checkbox if found above, or
• you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: go.sum

Command failed: go get -t ./...
go: downloading github.com/openshift-hyperfleet/hyperfleet-broker v1.1.1
go: downloading github.com/prometheus/client_golang v1.23.2
go: downloading github.com/spf13/cobra v1.8.0
go: downloading github.com/spf13/pflag v1.0.10
go: downloading go.opentelemetry.io/otel/sdk v1.43.0
go: downloading gopkg.in/yaml.v3 v3.0.1
go: downloading go.opentelemetry.io/otel v1.43.0
go: downloading github.com/spf13/viper v1.21.0
go: downloading github.com/cenkalti/backoff/v5 v5.0.3
go: downloading github.com/google/cel-go v0.27.0
go: downloading go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.65.0
go: downloading github.com/cloudevents/sdk-go/v2 v2.16.2
go: downloading github.com/google/uuid v1.6.0
go: downloading go.opentelemetry.io/contrib/propagators/autoprop v0.68.0
go: downloading go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.43.0
go: downloading go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.43.0
go: downloading go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.43.0
go: downloading go.opentelemetry.io/otel/exporters/stdout/stdouttrace v1.43.0
go: downloading go.opentelemetry.io/otel/trace v1.43.0
go: downloading cloud.google.com/go/pubsub/v2 v2.4.0
go: downloading cloud.google.com/go v0.123.0
go: downloading github.com/ThreeDotsLabs/watermill v1.5.1
go: downloading github.com/ThreeDotsLabs/watermill-amqp/v3 v3.0.2
go: downloading github.com/ThreeDotsLabs/watermill-googlecloud/v2 v2.0.0
go: downloading google.golang.org/grpc v1.80.0
go: downloading google.golang.org/protobuf v1.36.11
go: downloading github.com/beorn7/perks v1.0.1
go: downloading github.com/cespare/xxhash/v2 v2.3.0
go: downloading github.com/prometheus/client_model v0.6.2
go: downloading github.com/prometheus/common v0.66.1
go: downloading github.com/prometheus/procfs v0.17.0
go: downloading golang.org/x/sys v0.42.0
go: downloading github.com/inconshreveable/mousetrap v1.1.0
go: downloading github.com/fsnotify/fsnotify v1.9.0
go: downloading github.com/go-viper/mapstructure/v2 v2.5.0
go: downloading github.com/sagikazarmark/locafero v0.12.0
go: downloading github.com/spf13/afero v1.15.0
go: downloading github.com/spf13/cast v1.10.0
go: downloading cel.dev/expr v0.25.1
go: downloading google.golang.org/genproto/googleapis/api v0.0.0-20260401024825-9d38bb4040a9
go: downloading github.com/felixge/httpsnoop v1.0.4
go: downloading go.opentelemetry.io/otel/metric v1.43.0
go: downloading google.golang.org/genproto v0.0.0-20260209200024-4cfbd4190f57
go: downloading golang.org/x/text v0.35.0
go: downloading github.com/go-logr/logr v1.4.3
go: downloading github.com/kylelemons/godebug v1.1.0
go: downloading go.opentelemetry.io/contrib/propagators/aws v1.43.0
go: downloading go.opentelemetry.io/contrib/propagators/b3 v1.43.0
go: downloading go.opentelemetry.io/contrib/propagators/jaeger v1.43.0
go: downloading go.opentelemetry.io/contrib/propagators/ot v1.43.0
go: downloading go.opentelemetry.io/proto/otlp v1.10.0
go: downloading google.golang.org/genproto/googleapis/rpc v0.0.0-20260401024825-9d38bb4040a9
go: downloading github.com/googleapis/gax-go/v2 v2.17.0
go: downloading go.opencensus.io v0.24.0
go: downloading golang.org/x/sync v0.21.0
go: downloading google.golang.org/api v0.266.0
go: downloading github.com/hashicorp/go-multierror v1.1.1
go: downloading github.com/cenkalti/backoff/v3 v3.2.2
go: downloading github.com/pkg/errors v0.9.1
go: downloading github.com/rabbitmq/amqp091-go v1.10.0
go: downloading github.com/lithammer/shortuuid/v3 v3.0.7
go: downloading github.com/oklog/ulid v1.3.1
go: downloading github.com/sony/gobreaker v1.0.0
go: downloading github.com/json-iterator/go v1.1.12
go: downloading github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822
go: downloading go.yaml.in/yaml/v2 v2.4.2
go: downloading github.com/subosito/gotenv v1.6.0
go: downloading github.com/pelletier/go-toml/v2 v2.2.4
go: downloading go.yaml.in/yaml/v3 v3.0.4
go: downloading github.com/antlr4-go/antlr/v4 v4.13.1
go: downloading github.com/go-logr/stdr v1.2.2
go: downloading go.opentelemetry.io/auto/sdk v1.2.1
go: downloading go.uber.org/multierr v1.11.0
go: downloading go.uber.org/zap v1.27.1
go: downloading github.com/grpc-ecosystem/grpc-gateway/v2 v2.28.0
go: downloading golang.org/x/net v0.52.0
go: downloading golang.org/x/oauth2 v0.35.0
go: downloading cloud.google.com/go/iam v1.5.3
go: downloading cloud.google.com/go/auth v0.18.1
go: downloading github.com/hashicorp/errwrap v1.1.0
go: downloading github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd
go: downloading github.com/modern-go/reflect2 v1.0.2
go: downloading golang.org/x/exp v0.0.0-20260611194520-c48552f49976
go: downloading cloud.google.com/go/compute/metadata v0.9.0
go: downloading cloud.google.com/go/auth/oauth2adapt v0.2.8
go: downloading go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.65.0
go: downloading golang.org/x/time v0.14.0
go: downloading github.com/google/s2a-go v0.1.9
go: downloading github.com/googleapis/enterprise-certificate-proxy v0.3.12
go: downloading golang.org/x/crypto v0.49.0
go: github.com/openshift-hyperfleet/hyperfleet-sentinel/internal/client imports
	github.com/openshift-hyperfleet/hyperfleet-sentinel/pkg/api/openapi: cannot find module providing package github.com/openshift-hyperfleet/hyperfleet-sentinel/pkg/api/openapi

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign crizzo71 for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[openshift-ci]

Hi @red-hat-konflux-kflux-prd-rh02[bot]. Thanks for your PR.

I'm waiting for a openshift-hyperfleet member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work.

Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[coderabbitai]

📝 Walkthrough

Summary by CodeRabbit

• Chores
  • Updated project dependencies to latest available versions for improved stability and security.

Walkthrough

go.mod replaces the golang.org/x/exp indirect dependency pseudo-version v0.0.0-20240823005443-9b4947da3948 with a raw commit hash c48552f49976. No other dependencies, directives, or module declarations are modified.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

---

Supply chain flags (CWE-1395, CWE-829):

• c48552f49976 is a raw commit hash, not a tagged semver release. Raw commit references bypass go mod verify reproducibility guarantees and make CVE triage against a version string impossible.
• Confirm this hash appears verbatim in go.sum with a valid module hash. Missing or mismatched go.sum entries are a direct injection vector.
• golang.org/x/exp is indirect — identify which direct dependency pulled this in and whether that transitive path is audited.
• No CVE is currently associated with the prior pseudo-version, but the upgrade rationale must be documented. Undocumented dependency bumps on a K8s Sentinel platform match the pattern of CWE-1357 (reliance on insufficiently trustworthy component).

🚥 Pre-merge checks | ✅ 11

✅ Passed checks (11 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title accurately reflects the changeset, which updates golang.org/x/exp to a specific commit digest.
Description check	✅ Passed	The description is related to the changeset, containing the dependency update details and configuration information.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Sec-02: Secrets In Log Output	✅ Passed	Comprehensive search of all non-test .go files found no log statements (slog, log, logr, zap, fmt.Print*) containing passwords, tokens, credentials, or secrets as fields or interpolated strings. PR...
No Hardcoded Secrets	✅ Passed	PR updates golang.org/x/exp dependency digest; contains only Go module version identifiers (hex commit hash and semantic pseudo-version), no API keys, tokens, passwords, base64 strings >32 chars, e...
No Weak Cryptography	✅ Passed	No banned cryptographic primitives (MD5, DES, RC4, SHA1 for security, ECB mode) or weak crypto patterns detected in PR changes or codebase.
No Injection Vectors	✅ Passed	PR is a dependency version update to go.mod only. Codebase contains no SQL injection (fmt.Sprintf in queries), command injection (exec.Command), template injection (template.HTML), or YAML deserial...
No Privileged Containers	✅ Passed	Custom check not applicable: PR only modifies go.mod dependency version; no Kubernetes manifests, Helm templates, or Dockerfiles were changed.
No Pii Or Sensitive Data In Logs	✅ Passed	PR changes only go.mod dependency version; introduces zero logging statements or code that could expose PII/sensitive data.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch konflux/mintmaker/main/golang.org-x-exp-digest

✨ Simplify code

• Create PR with simplified code
• Commit simplified code in branch konflux/mintmaker/main/golang.org-x-exp-digest

Warning

There were issues while running some tools. Please review the errors and either fix the tool's configuration or disable the tool if it's a critical failure.

🔧 golangci-lint (2.12.2)

level=error msg="Running error: context loading failed: failed to load packages: failed to load packages: failed to load with go/packages: err: exit status 1: stderr: go: updates to go.mod needed, disabled by -mod=readonly; to update it:\n\tgo mod tidy\n"

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@go.mod`:
- Line 35: The golang.org/x/exp dependency in go.mod at line 35 is using a bare
commit hash instead of a valid pseudo-version, which violates Go module syntax
requirements. Replace the bare commit hash `c48552f49976` with the proper
pseudo-version format `v0.0.0-20240823005443-c48552f49976` for the
golang.org/x/exp entry. After fixing go.mod, run `go mod tidy` to synchronize
go.sum and ensure the dependency lock state is valid.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Central YAML (base), Organization UI (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: da724fe1-2d2a-4d25-bf45-cb2804bbef6c

📥 Commits

Reviewing files that changed from the base of the PR and between 6cb186e and c7930c1.

📒 Files selected for processing (1)

• go.mod

🔗 Linked repositories identified

CodeRabbit considers these linked repositories for cross-repo context during reviews:

• openshift-hyperfleet/architecture (manual)
• openshift-hyperfleet/hyperfleet-api (manual)
• openshift-hyperfleet/hyperfleet-sentinel (manual)
• openshift-hyperfleet/hyperfleet-adapter (manual)
• openshift-hyperfleet/hyperfleet-broker (manual)

[coderabbitai]

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🌐 Web query:

What is the correct pseudo-version format for golang.org/x/exp commit hash c48552f49976?

💡 Result:

Correct pseudo-version format for golang.org/x/exp commit hash c48552f49976 (using the required 12-hex revision prefix) is: v0.0.0-YYYYMMDDHHMMSS-c48552f49976 Explanation (based on Go’s pseudo-version rules): a pseudo-version has the form baseVersionPrefix-timestamp-revisionIdentifier [1], where baseVersionPrefix is vX.0.0 (or vX.Y.Z-0 if applicable) derived from tags; if there is no known tagged base version, v0.0.0 is used [1][2]. The timestamp is the UTC time the commit was created, formatted as yyyymmddhhmmss [1][2]. The revisionIdentifier is a 12-character prefix of the commit hash [1][2]. Note: Go’s docs recommend letting Go tools generate the exact pseudo-version (including the precise timestamp) rather than manually composing it [1].

Citations:

• 1: https://go.dev/doc/modules/version-numbers
• 2: https://go.dev/ref/mod

---

🏁 Script executed:

#!/bin/bash
# Check the actual go.mod file, specifically around line 35
echo "=== go.mod content around line 35 ==="
sed -n '30,40p' go.mod

echo ""
echo "=== Full golang.org/x/exp entry in go.mod ==="
rg "golang.org/x/exp" go.mod

echo ""
echo "=== Check go.sum for golang.org/x/exp entries ==="
rg "golang.org/x/exp" go.sum || echo "No entries found"

Repository: openshift-hyperfleet/hyperfleet-sentinel

Length of output: 1030

---

Invalid go.mod syntax: golang.org/x/exp entry is a bare commit hash, not a valid pseudo-version.

Line 35 lists golang.org/x/exp c48552f49976 // indirect without the required version prefix. Go modules must use semantic versions (v1.2.3) or pseudo-versions (v0.0.0-YYYYMMDDHHMMSS-<12-char-hash>). A bare commit hash violates the go.mod specification and will cause go mod tidy and builds to fail.

The entry should be:

golang.org/x/exp v0.0.0-20240823005443-c48552f49976 // indirect

CWE-829 supply chain integrity: go.mod and go.sum are now desynchronized. The go.mod file has an unresolvable entry while go.sum still references the prior version (v0.0.0-20240823005443-9b4947da3948). This breaks dependency lock state and propagates build failures across all HyperFleet projects consuming this package.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@go.mod` at line 35, The golang.org/x/exp dependency in go.mod at line 35 is
using a bare commit hash instead of a valid pseudo-version, which violates Go
module syntax requirements. Replace the bare commit hash `c48552f49976` with the
proper pseudo-version format `v0.0.0-20240823005443-c48552f49976` for the
golang.org/x/exp entry. After fixing go.mod, run `go mod tidy` to synchronize
go.sum and ensure the dependency lock state is valid.