Update go modules (main) (patch)

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
github.com/conforma/cli	v0.9.2 → v0.9.50
github.com/conforma/go-containerregistry	v0.20.7-0.20251103083939-3459088e4bae → v0.20.7
github.com/tektoncd/cli	v0.42.1 → v0.42.2
oras.land/oras	v1.3.0 → v1.3.2

---

Release Notes

conforma/cli (github.com/conforma/cli)

v0.9.50

Compare Source

v0.9.49

Compare Source

v0.9.48

Compare Source

v0.9.47

Compare Source

v0.9.46

Compare Source

v0.9.44

Compare Source

v0.9.43

Compare Source

v0.9.42

Compare Source

v0.9.41

Compare Source

v0.9.40

Compare Source

v0.9.39

Compare Source

v0.9.38

Compare Source

v0.9.37

Compare Source

v0.9.36

Compare Source

v0.9.35

Compare Source

v0.9.34

Compare Source

v0.9.33

Compare Source

v0.9.32

Compare Source

v0.9.31

Compare Source

v0.9.30

Compare Source

v0.9.29

Compare Source

v0.9.27

Compare Source

v0.9.26

Compare Source

v0.9.25

Compare Source

v0.9.24

Compare Source

v0.9.23

Compare Source

v0.9.22

Compare Source

v0.9.19

Compare Source

v0.9.17

Compare Source

v0.9.16

Compare Source

v0.9.14

Compare Source

v0.9.13

Compare Source

v0.9.9

Compare Source

conforma/go-containerregistry (github.com/conforma/go-containerregistry)

v0.20.7

Compare Source

tektoncd/cli (github.com/tektoncd/cli)

v0.42.2

Compare Source

v0.42.2 Release 🎉

This patch release addresses the following CVEs: CVE-2026-33186, CVE-2026-33810, CVE-2025-61729 and CVE-2025-61726.

Changelog

• 1e1782f New version v0.42.2

Full Changelog: tektoncd/cli@v0.42.1...v0.42.2

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • Between 12:00 AM and 03:59 AM (* 0-3 * * *)
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[renovate]

ℹ️ Artifact update notice

File name: acceptance/go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

• 112 additional dependencies were updated
• The go directive was updated for compatibility reasons

Details:

Package	Change
go	1.25.3 -> 1.25.8
cloud.google.com/go	v0.121.6 -> v0.123.0
cloud.google.com/go/auth	v0.18.0 -> v0.18.2
cloud.google.com/go/storage	v1.57.1 -> v1.61.3
cuelang.org/go	v0.15.3 -> v0.16.0
github.com/CycloneDX/cyclonedx-go	v0.9.3 -> v0.10.0
github.com/GoogleCloudPlatform/opentelemetry-operations-go/exporter/metric	v0.54.0 -> v0.55.0
github.com/GoogleCloudPlatform/opentelemetry-operations-go/internal/resourcemapping	v0.54.0 -> v0.55.0
github.com/anchore/go-struct-converter	v0.0.0-20230627203149-c72ef8859ca9 -> v0.1.0
github.com/aws/aws-sdk-go-v2	v1.41.0 -> v1.41.4
github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream	v1.7.1 -> v1.7.7
github.com/aws/aws-sdk-go-v2/config	v1.32.5 -> v1.32.12
github.com/aws/aws-sdk-go-v2/credentials	v1.19.5 -> v1.19.12
github.com/aws/aws-sdk-go-v2/feature/ec2/imds	v1.18.16 -> v1.18.20
github.com/aws/aws-sdk-go-v2/internal/configsources	v1.4.16 -> v1.4.20
github.com/aws/aws-sdk-go-v2/internal/endpoints/v2	v2.7.16 -> v2.7.20
github.com/aws/aws-sdk-go-v2/internal/ini	v1.8.4 -> v1.8.6
github.com/aws/aws-sdk-go-v2/internal/v4a	v1.4.9 -> v1.4.21
github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding	v1.13.4 -> v1.13.7
github.com/aws/aws-sdk-go-v2/service/internal/checksum	v1.8.9 -> v1.9.12
github.com/aws/aws-sdk-go-v2/service/internal/presigned-url	v1.13.16 -> v1.13.20
github.com/aws/aws-sdk-go-v2/service/internal/s3shared	v1.19.9 -> v1.19.20
github.com/aws/aws-sdk-go-v2/service/s3	v1.88.3 -> v1.97.1
github.com/aws/aws-sdk-go-v2/service/signin	v1.0.4 -> v1.0.8
github.com/aws/aws-sdk-go-v2/service/sso	v1.30.7 -> v1.30.13
github.com/aws/aws-sdk-go-v2/service/ssooidc	v1.35.12 -> v1.35.17
github.com/aws/aws-sdk-go-v2/service/sts	v1.41.5 -> v1.41.9
github.com/aws/smithy-go	v1.24.0 -> v1.24.2
github.com/cloudflare/circl	v1.6.1 -> v1.6.3
github.com/cncf/xds/go	v0.0.0-20251022180443-0feb69152e9f -> v0.0.0-20251210132809-ee656c7534f5
github.com/conforma/go-gather	v1.0.2 -> v1.1.0
github.com/containerd/containerd/v2	v2.2.0 -> v2.2.2
github.com/containerd/stargz-snapshotter/estargz	v0.18.1 -> v0.18.2
github.com/cyphar/filepath-securejoin	v0.4.1 -> v0.6.0
github.com/dgraph-io/badger/v4	v4.8.0 -> v4.9.1
github.com/docker/cli	v29.2.0+incompatible -> v29.3.1+incompatible
github.com/docker/docker-credential-helpers	v0.9.4 -> v0.9.5
github.com/emicklei/proto	v1.14.2 -> v1.14.3
github.com/envoyproxy/go-control-plane/envoy	v1.35.0 -> v1.36.0
github.com/envoyproxy/protoc-gen-validate	v1.2.1 -> v1.3.0
github.com/evanphx/json-patch/v5	v5.9.0 -> v5.9.11
github.com/go-git/go-billy/v5	v5.6.2 -> v5.8.0
github.com/go-git/go-git/v5	v5.16.5 -> v5.17.1
github.com/go-jose/go-jose/v4	v4.1.3 -> v4.1.4
github.com/go-openapi/analysis	v0.24.1 -> v0.24.3
github.com/go-openapi/errors	v0.22.6 -> v0.22.7
github.com/go-openapi/jsonpointer	v0.22.4 -> v0.22.5
github.com/go-openapi/jsonreference	v0.21.4 -> v0.21.5
github.com/go-openapi/loads	v0.23.2 -> v0.23.3
github.com/go-openapi/spec	v0.22.3 -> v0.22.4
github.com/go-openapi/strfmt	v0.25.0 -> v0.26.1
github.com/go-openapi/swag/conv	v0.25.4 -> v0.25.5
github.com/go-openapi/swag/fileutils	v0.25.4 -> v0.25.5
github.com/go-openapi/swag/jsonname	v0.25.4 -> v0.25.5
github.com/go-openapi/swag/jsonutils	v0.25.4 -> v0.25.5
github.com/go-openapi/swag/loading	v0.25.4 -> v0.25.5
github.com/go-openapi/swag/mangling	v0.25.4 -> v0.25.5
github.com/go-openapi/swag/stringutils	v0.25.4 -> v0.25.5
github.com/go-openapi/swag/typeutils	v0.25.4 -> v0.25.5
github.com/go-openapi/swag/yamlutils	v0.25.4 -> v0.25.5
github.com/go-openapi/validate	v0.25.1 -> v0.25.2
github.com/go-viper/mapstructure/v2	v2.4.0 -> v2.5.0
github.com/google/cel-go	v0.26.1 -> v0.27.0
github.com/google/go-containerregistry	v0.20.7 -> v0.21.0
github.com/google/go-jsonnet	v0.21.0 -> v0.22.0
github.com/googleapis/enterprise-certificate-proxy	v0.3.9 -> v0.3.14
github.com/googleapis/gax-go/v2	v2.16.0 -> v2.17.0
github.com/grpc-ecosystem/grpc-gateway/v2	v2.27.3 -> v2.27.7
github.com/hashicorp/aws-sdk-go-base/v2	v2.0.0-beta.65 -> v2.0.0-beta.72
github.com/hashicorp/go-getter	v1.8.3 -> v1.8.6
github.com/hashicorp/go-version	v1.7.0 -> v1.8.0
github.com/huandu/go-sqlbuilder	v1.38.1 -> v1.39.1
github.com/klauspost/compress	v1.18.2 -> v1.18.5
github.com/lestrrat-go/httprc/v3	v3.0.1 -> v3.0.2
github.com/lestrrat-go/jwx/v3	v3.0.12 -> v3.0.13
github.com/moby/buildkit	v0.26.3 -> v0.29.0
github.com/open-policy-agent/conftest	v0.66.0 -> v0.68.2
github.com/open-policy-agent/opa	v1.12.1 -> v1.15.2
github.com/protocolbuffers/txtpbfmt	v0.0.0-20251016062345-16587c79cd91 -> v0.0.0-20260217160748-a481f6a22f94
github.com/spdx/tools-golang	v0.5.5 -> v0.5.7
github.com/tektoncd/pipeline	v0.70.0 -> v1.9.2
github.com/theupdateframework/go-tuf/v2	v2.3.0 -> v2.4.1
github.com/valyala/fastjson	v1.6.4 -> v1.6.7
github.com/vektah/gqlparser/v2	v2.5.31 -> v2.5.32
go.opentelemetry.io/contrib/detectors/gcp	v1.38.0 -> v1.39.0
go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp	v0.63.0 -> v0.65.0
go.opentelemetry.io/otel	v1.39.0 -> v1.43.0
go.opentelemetry.io/otel/exporters/otlp/otlptrace	v1.38.0 -> v1.40.0
go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc	v1.38.0 -> v1.40.0
go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp	v1.38.0 -> v1.40.0
go.opentelemetry.io/otel/metric	v1.39.0 -> v1.43.0
go.opentelemetry.io/otel/sdk	v1.39.0 -> v1.43.0
go.opentelemetry.io/otel/sdk/metric	v1.39.0 -> v1.43.0
go.opentelemetry.io/otel/trace	v1.39.0 -> v1.43.0
go.opentelemetry.io/proto/otlp	v1.7.1 -> v1.9.0
golang.org/x/crypto	v0.47.0 -> v0.49.0
golang.org/x/mod	v0.31.0 -> v0.33.0
golang.org/x/net	v0.49.0 -> v0.52.0
golang.org/x/oauth2	v0.34.0 -> v0.36.0
golang.org/x/sync	v0.19.0 -> v0.20.0
golang.org/x/sys	v0.40.0 -> v0.42.0
golang.org/x/term	v0.39.0 -> v0.41.0
golang.org/x/text	v0.33.0 -> v0.35.0
golang.org/x/time	v0.14.0 -> v0.15.0
golang.org/x/tools	v0.40.0 -> v0.42.0
gomodules.xyz/jsonpatch/v2	v2.4.0 -> v2.5.0
google.golang.org/api	v0.260.0 -> v0.271.0
google.golang.org/genproto	v0.0.0-20251202230838-ff82c1b0f217 -> v0.0.0-20260128011058-8636f8732409
google.golang.org/genproto/googleapis/api	v0.0.0-20251202230838-ff82c1b0f217 -> v0.0.0-20260203192932-546029d2fa20
google.golang.org/genproto/googleapis/rpc	v0.0.0-20260203192932-546029d2fa20 -> v0.0.0-20260226221140-a57be14db171
google.golang.org/grpc	v1.78.0 -> v1.79.3
k8s.io/apiextensions-apiserver	v0.34.2 -> v0.34.3
knative.dev/pkg	v0.0.0-20250117084104-c43477f0052b -> v0.0.0-20250415155312-ed3e2158b883

File name: go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

• 113 additional dependencies were updated
• The go directive was updated for compatibility reasons

Details:

Package	Change
go	1.25.5 -> 1.26.2
github.com/open-policy-agent/conftest	v0.66.0 -> v0.68.2
cloud.google.com/go	v0.121.6 -> v0.123.0
cloud.google.com/go/auth	v0.18.0 -> v0.18.2
cloud.google.com/go/firestore	v1.20.0 -> v1.21.0
cloud.google.com/go/kms	v1.23.2 -> v1.25.0
cloud.google.com/go/longrunning	v0.7.0 -> v0.8.0
cloud.google.com/go/storage	v1.57.1 -> v1.61.3
cuelang.org/go	v0.15.3 -> v0.16.0
github.com/CycloneDX/cyclonedx-go	v0.9.3 -> v0.10.0
github.com/GoogleCloudPlatform/opentelemetry-operations-go/detectors/gcp	v1.30.0 -> v1.31.0
github.com/GoogleCloudPlatform/opentelemetry-operations-go/exporter/metric	v0.54.0 -> v0.55.0
github.com/GoogleCloudPlatform/opentelemetry-operations-go/internal/resourcemapping	v0.54.0 -> v0.55.0
github.com/anchore/go-struct-converter	v0.0.0-20230627203149-c72ef8859ca9 -> v0.1.0
github.com/aws/aws-sdk-go-v2	v1.41.0 -> v1.41.4
github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream	v1.7.2 -> v1.7.7
github.com/aws/aws-sdk-go-v2/config	v1.32.5 -> v1.32.12
github.com/aws/aws-sdk-go-v2/credentials	v1.19.5 -> v1.19.12
github.com/aws/aws-sdk-go-v2/feature/ec2/imds	v1.18.16 -> v1.18.20
github.com/aws/aws-sdk-go-v2/internal/configsources	v1.4.16 -> v1.4.20
github.com/aws/aws-sdk-go-v2/internal/endpoints/v2	v2.7.16 -> v2.7.20
github.com/aws/aws-sdk-go-v2/internal/ini	v1.8.4 -> v1.8.6
github.com/aws/aws-sdk-go-v2/internal/v4a	v1.4.12 -> v1.4.21
github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding	v1.13.4 -> v1.13.7
github.com/aws/aws-sdk-go-v2/service/internal/checksum	v1.9.3 -> v1.9.12
github.com/aws/aws-sdk-go-v2/service/internal/presigned-url	v1.13.16 -> v1.13.20
github.com/aws/aws-sdk-go-v2/service/internal/s3shared	v1.19.12 -> v1.19.20
github.com/aws/aws-sdk-go-v2/service/s3	v1.89.1 -> v1.97.1
github.com/aws/aws-sdk-go-v2/service/signin	v1.0.4 -> v1.0.8
github.com/aws/aws-sdk-go-v2/service/sso	v1.30.7 -> v1.30.13
github.com/aws/aws-sdk-go-v2/service/ssooidc	v1.35.12 -> v1.35.17
github.com/aws/aws-sdk-go-v2/service/sts	v1.41.5 -> v1.41.9
github.com/aws/smithy-go	v1.24.0 -> v1.24.2
github.com/cloudflare/circl	v1.6.1 -> v1.6.3
github.com/cncf/xds/go	v0.0.0-20251022180443-0feb69152e9f -> v0.0.0-20251210132809-ee656c7534f5
github.com/conforma/go-gather	v1.0.2 -> v1.1.0
github.com/containerd/containerd/v2	v2.2.0 -> v2.2.2
github.com/containerd/stargz-snapshotter/estargz	v0.18.1 -> v0.18.2
github.com/cyphar/filepath-securejoin	v0.5.0 -> v0.6.0
github.com/dgraph-io/badger/v4	v4.8.0 -> v4.9.1
github.com/docker/cli	v29.0.3+incompatible -> v29.3.1+incompatible
github.com/docker/docker-credential-helpers	v0.9.4 -> v0.9.5
github.com/emicklei/proto	v1.14.2 -> v1.14.3
github.com/envoyproxy/go-control-plane/envoy	v1.35.0 -> v1.36.0
github.com/envoyproxy/protoc-gen-validate	v1.2.1 -> v1.3.0
github.com/evanphx/json-patch	v5.9.0+incompatible -> v5.9.11+incompatible
github.com/go-git/go-billy/v5	v5.6.2 -> v5.8.0
github.com/go-git/go-git/v5	v5.16.5 -> v5.17.1
github.com/go-jose/go-jose/v4	v4.1.3 -> v4.1.4
github.com/go-openapi/analysis	v0.24.1 -> v0.24.3
github.com/go-openapi/errors	v0.22.6 -> v0.22.7
github.com/go-openapi/jsonpointer	v0.22.4 -> v0.22.5
github.com/go-openapi/jsonreference	v0.21.4 -> v0.21.5
github.com/go-openapi/loads	v0.23.2 -> v0.23.3
github.com/go-openapi/spec	v0.22.3 -> v0.22.4
github.com/go-openapi/strfmt	v0.25.0 -> v0.26.1
github.com/go-openapi/swag/conv	v0.25.4 -> v0.25.5
github.com/go-openapi/swag/fileutils	v0.25.4 -> v0.25.5
github.com/go-openapi/swag/jsonname	v0.25.4 -> v0.25.5
github.com/go-openapi/swag/jsonutils	v0.25.4 -> v0.25.5
github.com/go-openapi/swag/loading	v0.25.4 -> v0.25.5
github.com/go-openapi/swag/mangling	v0.25.4 -> v0.25.5
github.com/go-openapi/swag/stringutils	v0.25.4 -> v0.25.5
github.com/go-openapi/swag/typeutils	v0.25.4 -> v0.25.5
github.com/go-openapi/swag/yamlutils	v0.25.4 -> v0.25.5
github.com/go-openapi/validate	v0.25.1 -> v0.25.2
github.com/go-viper/mapstructure/v2	v2.4.0 -> v2.5.0
github.com/google/cel-go	v0.26.1 -> v0.27.0
github.com/google/go-containerregistry	v0.20.7 -> v0.21.0
github.com/google/go-jsonnet	v0.21.0 -> v0.22.0
github.com/googleapis/enterprise-certificate-proxy	v0.3.9 -> v0.3.14
github.com/googleapis/gax-go/v2	v2.16.0 -> v2.17.0
github.com/grpc-ecosystem/grpc-gateway/v2	v2.27.3 -> v2.27.7
github.com/hashicorp/aws-sdk-go-base/v2	v2.0.0-beta.65 -> v2.0.0-beta.72
github.com/hashicorp/go-getter	v1.8.3 -> v1.8.6
github.com/hashicorp/go-version	v1.7.0 -> v1.8.0
github.com/huandu/go-sqlbuilder	v1.38.1 -> v1.39.1
github.com/klauspost/compress	v1.18.2 -> v1.18.5
github.com/lestrrat-go/httprc/v3	v3.0.1 -> v3.0.2
github.com/lestrrat-go/jwx/v3	v3.0.12 -> v3.0.13
github.com/moby/buildkit	v0.26.3 -> v0.29.0
github.com/morikuni/aec	v1.0.0 -> v1.1.0
github.com/open-policy-agent/opa	v1.12.1 -> v1.15.2
github.com/protocolbuffers/txtpbfmt	v0.0.0-20251016062345-16587c79cd91 -> v0.0.0-20260217160748-a481f6a22f94
github.com/spdx/tools-golang	v0.5.5 -> v0.5.7
github.com/tektoncd/pipeline	v1.3.1 -> v1.9.2
github.com/valyala/fastjson	v1.6.4 -> v1.6.7
github.com/vektah/gqlparser/v2	v2.5.31 -> v2.5.32
go.opentelemetry.io/contrib/detectors/gcp	v1.38.0 -> v1.39.0
go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp	v0.63.0 -> v0.65.0
go.opentelemetry.io/otel	v1.39.0 -> v1.43.0
go.opentelemetry.io/otel/exporters/otlp/otlptrace	v1.38.0 -> v1.40.0
go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc	v1.38.0 -> v1.40.0
go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp	v1.38.0 -> v1.40.0
go.opentelemetry.io/otel/metric	v1.39.0 -> v1.43.0
go.opentelemetry.io/otel/sdk	v1.39.0 -> v1.43.0
go.opentelemetry.io/otel/sdk/metric	v1.39.0 -> v1.43.0
go.opentelemetry.io/otel/trace	v1.39.0 -> v1.43.0
golang.org/x/crypto	v0.47.0 -> v0.49.0
golang.org/x/mod	v0.31.0 -> v0.33.0
golang.org/x/net	v0.49.0 -> v0.52.0
golang.org/x/oauth2	v0.34.0 -> v0.36.0
golang.org/x/sync	v0.19.0 -> v0.20.0
golang.org/x/sys	v0.40.0 -> v0.42.0
golang.org/x/term	v0.39.0 -> v0.41.0
golang.org/x/text	v0.33.0 -> v0.35.0
golang.org/x/time	v0.14.0 -> v0.15.0
golang.org/x/tools	v0.40.0 -> v0.42.0
google.golang.org/api	v0.260.0 -> v0.271.0
google.golang.org/genproto	v0.0.0-20251202230838-ff82c1b0f217 -> v0.0.0-20260128011058-8636f8732409
google.golang.org/genproto/googleapis/api	v0.0.0-20251202230838-ff82c1b0f217 -> v0.0.0-20260203192932-546029d2fa20
google.golang.org/genproto/googleapis/rpc	v0.0.0-20260203192932-546029d2fa20 -> v0.0.0-20260226221140-a57be14db171
google.golang.org/grpc	v1.78.0 -> v1.80.0
k8s.io/apiextensions-apiserver	v0.34.2 -> v0.34.3

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[fullsend-ai-review]

See the review comment for full details.

[fullsend-ai-review]

[low] version-inconsistency

The acceptance module Go directive changes from go 1.25.3 (with toolchain go1.25.7) to go 1.25.8, while the root module uses go 1.25.5. Verify CI toolchain version is >= 1.25.8.

[fullsend-ai-review]

[low] large-version-jump

conforma/cli jumps from v0.9.2 to v0.9.42 (40 minor versions). While semver v0.x allows breaking changes at any minor bump, the Renovate label classifies this as patch. Any API breakage would surface at build time once go.sum is regenerated.

[fullsend-ai-review]

[info] CVE-remediation

The tektoncd/cli v0.42.2 update addresses CVE-2026-33186, CVE-2026-33810, CVE-2025-61729, and CVE-2025-61726. This is a positive security change.

[fullsend-ai-review]

🤖 Finished Review · ✅ Success · Started 6:15 PM UTC · Completed 6:27 PM UTC
Commit: 47d3320 · View workflow run →

[fullsend-ai-review]

🤖 Finished Review · ✅ Success · Started 9:29 PM UTC · Completed 9:36 PM UTC
Commit: 47d3320 · View workflow run →

[fullsend-ai-review]

[low] api-contract

The conforma/cli dependency jumps from v0.9.2 to v0.9.44. The codebase uses blank imports of github.com/conforma/cli, github.com/conforma/cli/cmd/validate, and github.com/conforma/cli/cmd for side-effect registration. If any of these packages were removed or renamed, the build would fail. However, this is a Renovate-generated PR and build failures would be caught by CI.

Suggested fix: Verify that CI passes (build + acceptance tests) before merging.

[fullsend-ai-review]

[info] edge-case

The acceptance/go.mod changes from go 1.25.3 (toolchain go1.25.7) to go 1.25.8, while the root go.mod uses go 1.25.5. The acceptance module now requires a newer Go version than the root module. This is standard practice for multi-module Go repos.

[fullsend-ai-review]

[info] dependency-update

tektoncd/cli updated from v0.42.1 to v0.42.2, reportedly addressing CVE-2026-33186, CVE-2026-33810, CVE-2025-61729, and CVE-2025-61726. This is a positive security improvement.

[fullsend-ai-review]

🤖 Finished Review · ✅ Success · Started 2:56 PM UTC · Completed 3:02 PM UTC
Commit: 47d3320 · View workflow run →

[fullsend-ai-review]

🤖 Finished Review · ✅ Success · Started 8:14 PM UTC · Completed 8:22 PM UTC
Commit: 47d3320 · View workflow run →

[fullsend-ai-review]

🤖 Finished Review · ✅ Success · Started 2:02 AM UTC · Completed 2:07 AM UTC
Commit: 47d3320 · View workflow run →

[fullsend-ai-review]

🤖 Finished Review · ✅ Success · Started 2:23 PM UTC · Completed 2:31 PM UTC
Commit: 47d3320 · View workflow run →

[fullsend-ai-review]

[low] version-consistency

The acceptance module will declare go 1.25.8 while the root go.mod remains at go 1.25.5. These are separate Go modules and Go 1.21+ automatically downloads the required toolchain version, so this will not cause build failures in practice.

[fullsend-ai-review]

[low] version-skew

Both modules update conforma/cli from v0.9.2 to v0.9.46 (a 44-patch-version jump). The versions are consistent across modules, but the large jump increases the surface area for behavioral changes.

[fullsend-ai-review]

🤖 Finished Review · ✅ Success · Started 5:10 PM UTC · Completed 5:17 PM UTC
Commit: 47d3320 · View workflow run →

[fullsend-ai-review]

🤖 Finished Review · ✅ Success · Started 1:50 AM UTC · Completed 1:57 AM UTC
Commit: 47d3320 · View workflow run →

[fullsend-ai-review]

[low] api-contract

The go directive changes from go 1.25.3 (with toolchain go1.25.7) to go 1.25.8 (no separate toolchain line). This tightens the minimum Go version requirement for the acceptance tests from 1.25.3 to 1.25.8.

[fullsend-ai-review]

🤖 Finished Review · ✅ Success · Started 1:22 PM UTC · Completed 1:31 PM UTC
Commit: 47d3320 · View workflow run →

[fullsend-ai-review]

🤖 Finished Review · ✅ Success · Started 4:02 PM UTC · Completed 4:09 PM UTC
Commit: 47d3320 · View workflow run →

[fullsend-ai-review]

See the review comment for full details.

[fullsend-ai-review]

🤖 Finished Review · ✅ Success · Started 4:36 PM UTC · Completed 4:41 PM UTC
Commit: 47d3320 · View workflow run →

[fullsend-ai-review]

🤖 Finished Review · ✅ Success · Started 2:54 AM UTC · Completed 3:02 AM UTC
Commit: 47d3320 · View workflow run →

[fullsend-ai-review]

🤖 Finished Review · ✅ Success · Started 2:35 PM UTC · Completed 2:44 PM UTC
Commit: 47d3320 · View workflow run →

[fullsend-ai-review]

See the review comment for full details.

[fullsend-ai-review]

[low] dependency version skew

The acceptance module tektoncd/pipeline transitive dependency jumps from v0.70.0 to v1.12.0, while the root module has tektoncd/pipeline at v1.3.1. This version skew between separate Go modules is a normal consequence of independent dependency resolution and poses minimal practical risk.

[fullsend-ai-review]

🤖 Finished Review · ✅ Success · Started 7:20 PM UTC · Completed 7:27 PM UTC
Commit: 47d3320 · View workflow run →

[fullsend-ai-review]

🤖 Finished Review · ✅ Success · Started 1:08 AM UTC · Completed 1:21 AM UTC
Commit: 47d3320 · View workflow run →

[fullsend-ai-review]

See the review comment for full details.

[fullsend-ai-review]

[high] missing artifact

The PR updates direct dependencies in the root go.mod (conforma/cli v0.9.2 -> v0.9.50, tektoncd/cli v0.42.1 -> v0.42.2, oras.land/oras v1.3.0 -> v1.3.2) but does not include the root go.sum file in the changeset. When go.mod dependency versions change, go.sum must be regenerated to include the new checksums. The all-tests-and-checks CI check is currently failing, which corroborates this issue.

Suggested fix: Run go mod tidy in the repository root to regenerate go.sum and include it in the PR.

[fullsend-ai-review]

[medium] version inconsistency

The PR changes acceptance/go.mod Go version from 1.25.3 to 1.26.3 and removes the toolchain directive, while root go.mod remains at 1.25.5. This introduces Go minor version skew between modules and changes toolchain auto-download behavior.

[fullsend-ai-review]

[low] API contract risk

conforma/cli is bumped from v0.9.2 to v0.9.50, a jump of 48 minor versions. v0.9.x semver allows breaking changes (major version 0). Both repos appear maintained by the same organization, reducing risk, but the magnitude warrants verification.