Merge https://github.com/kubernetes-sigs/cluster-api-provider-azure:v1.24.0 (f69aa53) into main

[cloud-team-rebase-bot]

Summary by CodeRabbit

• Chores
  • Updated Go toolchain to 1.25 and Kubernetes support to version 1.35.4
  • Bumped Azure Service Operator to v2.16.0 and controller-gen to v0.20.0
  • Enhanced GitHub Actions security with updated dependencies
  • Added Azure CLI availability check for local development workflows
  • Refreshed numerous Go module dependencies for compatibility

[coderabbitai]

Walkthrough

This PR performs a major dependency and version upgrade across the cluster-api-provider-azure codebase. Changes include upgrading Go toolchain and core Kubernetes dependencies (k8s.io, controller-runtime), bumping Azure Service Operator to v2.16.0 and migrating hosted Azure API versions (2024-09-01 → 2025-08-01), modernizing Kubernetes client patterns to server-side apply, updating webhook validator signatures, and refreshing CI/CD workflow action versions. CRDs, RBAC rules, configuration files, and documentation are regenerated to reflect these upgrades.

Changes

CI/CD and GitHub Workflow Updates

Layer / File(s)	Summary
Workflow Action Pinning .github/workflows/codeql.yml, .github/workflows/dependency-review.yml, .github/workflows/scorecards.yml	Security and build action versions bumped: step-security/harden-runner v2.16.0 → v2.19.1, github/codeql-action v4.34.1 → v4.35.3, actions/upload-artifact v7.0.0 → v7.0.1.
Workflow Go Tooling .github/workflows/pr-golangci-lint.yaml, .github/workflows/dependabot-code-gen.yml	actions/setup-go and actions/cache updated to newer pinned commits (v6.4.0 and v5.0.5 respectively).
Release Branch Management .github/workflows/weekly-security-scan.yaml	branch matrix changed from [main, release-1.22, release-1.21] to [main, release-1.23, release-1.22]; actions/setup-go upgraded to v6.4.0.

Go Dependencies and Tooling Version Management

Layer / File(s)	Summary
Go Module and Toolchain go.mod, hack/tools/go.mod	Go toolchain updated to 1.25.9; core Kubernetes dependencies bumped to v0.35.4; sigs.k8s.io/cluster-api to v1.13.1; sigs.k8s.io/controller-runtime and transitive dependencies refreshed across entire ecosystem (Azure SDK, OpenTelemetry, gRPC, protobuf).
Build Tool Versions Makefile	Kubernetes envtest version 1.34.0 → 1.35.0; controller-gen v0.19.0 → v0.20.0; conversion-gen v0.34.0 → v0.35.0; kubectl v1.33.6 → v1.35.4; setup-envtest release-0.22 → release-0.23; kpromo v4.0.5 → latest commit hash; CAAPH deployment image v0.6.1 → v0.6.2.
Local Dev Environment Tiltfile, hack/create-dev-cluster.sh, AGENTS.md, docs/book/src/developers/development.md, docs/book/src/developers/getting-started-with-capi-operator.md, docs/book/src/managed/managedcluster.md	Default Kubernetes version updated from v1.33.6 to v1.35.4 across all deployment examples; CAPI capi_version v1.12.7 → v1.13.1 and caaph_version v0.6.1 → v0.6.2 in Tiltfile; Go version requirement docs updated to 1.25+; Azure CLI (az) availability check added as prerequisite for tilt-up with warning/VERBOSE output options.

Azure Service Operator API Migration

Layer / File(s)	Summary
Storage API Version Bump azure/converters/managedagentpool.go, azure/converters/managedagentpool_test.go, azure/services/agentpools/spec.go, azure/services/managedclusters/managedclusters.go	Hub storage API package updated from v1api20240901/storage to v1api20250801/storage across managed agent pool and managed cluster converters/services; new Azure SDK type fields added to ManagedClusterAgentPoolProfile (GatewayProfile, GpuProfile, MessageOfTheDay, PodIPAllocationMode, VirtualMachineNodesStatus, VirtualMachinesProfile).
Preview API Version Bump azure/services/agentpools/agentpools_test.go, azure/services/agentpools/spec_test.go, azure/services/managedclusters/managedclusters_test.go, azure/services/managedclusters/spec.go, controllers/azuremanagedmachinepool_reconciler.go	Preview API package updated from v1api20231102preview to v1api20240402preview across agent pool and managed cluster services and tests.
Dependent Reconciler Updates azure/services/privateendpoints/spec_test.go	Test fixture fakeASOPrivateEndpointsStatus updated to use fully-typed asonetworkv1.PrivateEndpoint_STATUS value.
ASO Component Version config/aso/kustomization.yaml	Azure Service Operator release manifest bumped from v2.13.0 to v2.16.0; probe configuration patches for controller-manager removed (no longer needed).

Kubernetes Client Pattern Modernization

Layer / File(s)	Summary
Server-Side Apply Pattern controllers/azureasomanagedcontrolplane_controller.go, controllers/resource_reconciler.go	Controllers migrated from Patch-based to Apply-based resource updates using client.ApplyConfigurationFromUnstructured(...); typed secrets converted to unstructured maps; field ownership set to capz-manager with ForceOwnership during reconciliation.
Webhook Validator Modernization exp/api/v1beta1/azuremachinepool_webhook.go, exp/api/v1beta1/azuremachinepoolmachine_webhook.go	Webhook validator method signatures changed from runtime.Object parameters with type assertions to typed *AzureMachinePool / *AzureMachinePoolMachine parameters; webhook registration simplified using ctrl.NewWebhookManagedBy(mgr, &Type{}) and WithValidator(...).Complete(); runtime error handling eliminated in favor of direct typed method calls.
Test Refactoring controllers/azureasomanagedcontrolplane_controller_test.go, controllers/resource_reconciler_test.go, exp/api/v1beta1/azuremachinepool_webhook_test.go	Tests refactored from custom FakeClient with patch/apply hooks to controller-runtime standard fakeclient.ClientBuilder; post-reconciliation assertions replaced by direct re-fetches and field validation; UUID validation test updated to use guuid.Validate(...) instead of parse-based check.

Configuration, RBAC, and Generated Code Updates

Layer / File(s)	Summary
CRD Generator Annotation config/crd/bases/infrastructure.cluster.x-k8s.io_*.yaml (19 files)	All generated CRD manifests updated with controller-gen.kubebuilder.io/version annotation from v0.19.0 to v0.20.0 (reflecting controller-gen version bump); no schema or served/storage behavior changes.
RBAC and Webhook Rules config/rbac/role.yaml, controllers/azuremanagedcontrolplane_controller.go	ClusterRole extended to grant containerservice.azure.com permissions for maintenanceconfigurations and maintenanceconfigurations/status resources; controller RBAC annotations updated accordingly.
ASO Visualization and Configuration config/aso/patches/visualizer_label_in_maintenanceconfigurations.yaml, config/aso/kustomization.yaml	New CRD patch added for maintenanceconfigurations.containerservice.azure.com with visualizer labels; kustomization references new patch file.
Webhook Manifest Reordering config/webhook/manifests.yaml	Mutating and validating webhook entries reordered in MutatingWebhookConfiguration and ValidatingWebhookConfiguration to match updated webhook routing; no functional rule changes, only webhook entry sequence reorganization.
Linter Configuration .golangci.yml, .codespellignore	Added staticcheck exclusion for GetEventRecorderFor deprecation warnings; added ist to code spell ignore list.

Documentation and Changelog

Layer / File(s)	Summary
Release Notes CHANGELOG/v1.22.2.md, CHANGELOG/v1.22.4.md, CHANGELOG/v1.23.1.md, CHANGELOG/v1.24.0.md	Comprehensive changelog entries documenting CAPI version bumps, dependency additions/changes/removals, and new features (Azure CLI availability check); v1.24.0 includes feature documentation for make check-az-cli and VERBOSE output.
Developer Documentation docs/book/src/developers/releasing.md, docs/book/src/topics/aso.md	Release process updated with Google Artifact Registry links (replacing Google Container Registry); ASO upgrade instructions clarified with link to continue CAPZ upgrade after ADDITIONAL_ASO_CRDS export.

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

🚥 Pre-merge checks | ✅ 11 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 28.57% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (11 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately describes the main purpose of the pull request: merging a specific version (v1.24.0) from the upstream repository into the main branch.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names	✅ Passed	All test names are stable and deterministic. No dynamic values found in test titles. Test names are static descriptive strings.
Test Structure And Quality	✅ Passed	Custom check requires reviewing Ginkgo test code. No Ginkgo tests were modified in this PR; all modified test files use traditional Go testing.T. Check not applicable.
Microshift Test Compatibility	✅ Passed	No new Ginkgo e2e tests are being added in this PR. This is a v1.24.0 dependency update with no test/e2e file modifications. The check only applies to new test additions.
Single Node Openshift (Sno) Test Compatibility	✅ Passed	No new Ginkgo e2e tests were added to this PR. The custom check for SNO compatibility only applies to new e2e test additions.
Topology-Aware Scheduling Compatibility	✅ Passed	No topology-unfriendly scheduling constraints introduced. Manager deployment is topology-safe with replicas:1, control-plane tolerations, no required affinity.
Ote Binary Stdout Contract	✅ Passed	PR contains no OTE Binary Stdout Contract violations. klog defaults to stderr output, BeforeSuite/AfterSuite use Ginkgo's output writer, and test fmt.Print calls are inside test blocks (allowed).
Ipv6 And Disconnected Network Test Compatibility	✅ Passed	No Ginkgo e2e tests in this PR. Repository uses only Go unit tests with gomega and GoMock. Custom check for IPv6/disconnected network compatibility is not applicable.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

Tip

💬 Introducing Slack Agent: The best way for teams to turn conversations into code.

Slack Agent is built on CodeRabbit's deep understanding of your code, so your team can collaborate across the entire SDLC without losing context.

• Generate code and open pull requests
• Plan features and break down work
• Investigate incidents and troubleshoot customer tickets together
• Automate recurring tasks and respond to alerts with triggers
• Summarize progress and report instantly

Built for teams:

• Shared memory across your entire org—no repeating context
• Per-thread sandboxes to safely plan and execute work
• Governance built-in—scoped access, auditability, and budget controls

One agent for your entire SDLC. Right inside Slack.

👉 Get started

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[openshift-ci]

Hi @cloud-team-rebase-bot[bot]. Thanks for your PR.

I'm waiting for a openshift member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work.

Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign damdo for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[coderabbitai]

Actionable comments posted: 6

🧹 Nitpick comments (1)

.golangci.yml (1)

343-346: ⚡ Quick win

Narrow this SA1019 exclusion by path to improve clarity.

The text-only exemption is global and broader than comparable nearby exclusions (see lines 336–342). Since all GetEventRecorderFor calls are confined to main.go and test files, adding a path filter would prevent accidental masking of unrelated deprecations. Also escape the dot in the regex pattern.

♻️ Suggested config tightening

      - linters:
          - staticcheck
+       path: '^(main\.go|controllers/.*_test\.go|exp/controllers/.*_test\.go)$'
-       text: 'SA1019: (env|mgr|testEnv).GetEventRecorderFor is deprecated'
+       text: 'SA1019: (env|mgr|testEnv)\.GetEventRecorderFor is deprecated'

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.golangci.yml around lines 343 - 346, The current global SA1019 exemption
entry in .golangci.yml should be narrowed by adding a path filter and escaping
the dot in the regex: update the SA1019 lint exception (the entry that currently
has text: 'SA1019: (env|mgr|testEnv).GetEventRecorderFor is deprecated') to
include a path: that matches only main.go and test files (e.g., a regex matching
^(main\.go|.*_test\.go)$) and escape the literal dot in GetEventRecorderFor
pattern; keep the same text message but add the path restriction so only calls
in main.go and *_test.go are excluded.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/dependabot-code-gen.yml:
- Around line 26-28: The "Get Go version" step (id: vars, using make go-version)
runs before the repository is checked out and writes to an unquoted
$GITHUB_OUTPUT; fix by moving the actions/checkout step to run before the "Get
Go version" step so the Makefile is available, and quote the variable when
appending output (use "$GITHUB_OUTPUT") to eliminate the shellcheck SC2086
warning — update the step that calls make go-version and the surrounding job
ordering accordingly.

In `@controllers/resource_reconciler_test.go`:
- Around line 90-91: The tests in controllers/resource_reconciler_test.go
currently instantiate controller-runtime fake clients via
fakeClientBuilder().Build(); replace those with GoMock-based mocks from the
repo’s generated mock packages (use gomock.NewController and the appropriate
mock client interfaces under /azure/services/*/mock_*/ e.g.,
mock_kubernetes.NewMockClient) and inject the mock where the test currently sets
the Client field; set expectations on methods used by the code under test (List,
Get, Create, Update, Delete, etc.) for each subtest instance, and update all
occurrences referenced (around the Client: fakeClientBuilder().Build() sites and
the other noted occurrences at the given ranges) to use the gomock mocks instead
of the fake client so tests conform to the repository mocking guideline.

In `@controllers/resource_reconciler.go`:
- Around line 106-109: The error message is stale: in the Apply call using
r.Apply(ctx, client.ApplyConfigurationFromUnstructured(spec),
client.FieldOwner("capz-manager")) you should update the returned error text to
reflect an apply operation. Replace the string "failed to patch resource" with
"failed to apply resource" (or equivalent) in the error returned when
client.IgnoreNotFound(err) != nil so it matches the r.Apply code path and the
reconcile messaging elsewhere.

In `@docs/book/src/managed/managedcluster.md`:
- Line 43: Update all stale Kubernetes version strings: replace every "v1.21.2"
occurrence in the spec walkthrough with "v1.35.4" to match the bumped clusterctl
example (the export KUBERNETES_VERSION value) and the Security Profile YAML;
search for the literal "v1.21.2" in the managedcluster.md content (the spec
walkthrough blocks and the Security Profile section) and update them to
"v1.35.4" so all examples are consistent and use a supported version.

In `@docs/book/src/topics/aso.md`:
- Line 71: Replace the vague link text in the sentence containing "continue with
the upgrade of CAPZ as specified
[here](https://cluster-api.sigs.k8s.io/tasks/upgrading-cluster-api-versions.html?highlight=upgrade#when-to-upgrade)"
with a descriptive phrase (for example "as specified in the Cluster API upgrade
documentation") so the link text conveys destination meaning and satisfies
MD059; update the anchor text only, keeping the existing URL unchanged.

In `@Makefile`:
- Line 835: The Makefile currently checks VERBOSE with '-n "$(VERBOSE)"' which
treats VERBOSE=0 as enabled; update the conditional to match the documented
contract by testing explicitly for the value "1" (for example use 'if [
"$(VERBOSE)" = "1" ]; then \') so only VERBOSE=1 enables verbose behavior;
modify the condition where '-n "$(VERBOSE)"' appears and ensure surrounding
branches that reference VERBOSE behavior remain consistent.

---

Nitpick comments:
In @.golangci.yml:
- Around line 343-346: The current global SA1019 exemption entry in
.golangci.yml should be narrowed by adding a path filter and escaping the dot in
the regex: update the SA1019 lint exception (the entry that currently has text:
'SA1019: (env|mgr|testEnv).GetEventRecorderFor is deprecated') to include a
path: that matches only main.go and test files (e.g., a regex matching
^(main\.go|.*_test\.go)$) and escape the literal dot in GetEventRecorderFor
pattern; keep the same text message but add the path restriction so only calls
in main.go and *_test.go are excluded.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: b4fbcf16-611a-43a5-b1cc-62c019d0ce1b

📥 Commits

Reviewing files that changed from the base of the PR and between efa8be1 and 133dcee.

⛔ Files ignored due to path filters (166)

• go.sum is excluded by !**/*.sum
• hack/tools/go.sum is excluded by !**/*.sum
• hack/tools/vendor/github.com/gogo/protobuf/AUTHORS is excluded by !**/vendor/**
• hack/tools/vendor/github.com/gogo/protobuf/CONTRIBUTORS is excluded by !**/vendor/**
• hack/tools/vendor/github.com/gogo/protobuf/LICENSE is excluded by !**/vendor/**
• hack/tools/vendor/github.com/gogo/protobuf/proto/Makefile is excluded by !**/vendor/**
• hack/tools/vendor/github.com/gogo/protobuf/proto/clone.go is excluded by !**/vendor/**
• hack/tools/vendor/github.com/gogo/protobuf/proto/custom_gogo.go is excluded by !**/vendor/**
• hack/tools/vendor/github.com/gogo/protobuf/proto/decode.go is excluded by !**/vendor/**
• hack/tools/vendor/github.com/gogo/protobuf/proto/deprecated.go is excluded by !**/vendor/**
• hack/tools/vendor/github.com/gogo/protobuf/proto/discard.go is excluded by !**/vendor/**
• hack/tools/vendor/github.com/gogo/protobuf/proto/duration.go is excluded by !**/vendor/**
• hack/tools/vendor/github.com/gogo/protobuf/proto/duration_gogo.go is excluded by !**/vendor/**
• hack/tools/vendor/github.com/gogo/protobuf/proto/encode.go is excluded by !**/vendor/**
• hack/tools/vendor/github.com/gogo/protobuf/proto/encode_gogo.go is excluded by !**/vendor/**
• hack/tools/vendor/github.com/gogo/protobuf/proto/equal.go is excluded by !**/vendor/**
• hack/tools/vendor/github.com/gogo/protobuf/proto/extensions.go is excluded by !**/vendor/**
• hack/tools/vendor/github.com/gogo/protobuf/proto/extensions_gogo.go is excluded by !**/vendor/**
• hack/tools/vendor/github.com/gogo/protobuf/proto/lib.go is excluded by !**/vendor/**
• hack/tools/vendor/github.com/gogo/protobuf/proto/lib_gogo.go is excluded by !**/vendor/**
• hack/tools/vendor/github.com/gogo/protobuf/proto/message_set.go is excluded by !**/vendor/**
• hack/tools/vendor/github.com/gogo/protobuf/proto/pointer_reflect.go is excluded by !**/vendor/**
• hack/tools/vendor/github.com/gogo/protobuf/proto/pointer_reflect_gogo.go is excluded by !**/vendor/**
• hack/tools/vendor/github.com/gogo/protobuf/proto/pointer_unsafe.go is excluded by !**/vendor/**
• hack/tools/vendor/github.com/gogo/protobuf/proto/pointer_unsafe_gogo.go is excluded by !**/vendor/**
• hack/tools/vendor/github.com/gogo/protobuf/proto/properties.go is excluded by !**/vendor/**
• hack/tools/vendor/github.com/gogo/protobuf/proto/properties_gogo.go is excluded by !**/vendor/**
• hack/tools/vendor/github.com/gogo/protobuf/proto/skip_gogo.go is excluded by !**/vendor/**
• hack/tools/vendor/github.com/gogo/protobuf/proto/table_marshal.go is excluded by !**/vendor/**
• hack/tools/vendor/github.com/gogo/protobuf/proto/table_marshal_gogo.go is excluded by !**/vendor/**
• hack/tools/vendor/github.com/gogo/protobuf/proto/table_merge.go is excluded by !**/vendor/**
• hack/tools/vendor/github.com/gogo/protobuf/proto/table_unmarshal.go is excluded by !**/vendor/**
• hack/tools/vendor/github.com/gogo/protobuf/proto/table_unmarshal_gogo.go is excluded by !**/vendor/**
• hack/tools/vendor/github.com/gogo/protobuf/proto/text.go is excluded by !**/vendor/**
• hack/tools/vendor/github.com/gogo/protobuf/proto/text_gogo.go is excluded by !**/vendor/**
• hack/tools/vendor/github.com/gogo/protobuf/proto/text_parser.go is excluded by !**/vendor/**
• hack/tools/vendor/github.com/gogo/protobuf/proto/timestamp.go is excluded by !**/vendor/**
• hack/tools/vendor/github.com/gogo/protobuf/proto/timestamp_gogo.go is excluded by !**/vendor/**
• hack/tools/vendor/github.com/gogo/protobuf/proto/wrappers.go is excluded by !**/vendor/**
• hack/tools/vendor/github.com/gogo/protobuf/proto/wrappers_gogo.go is excluded by !**/vendor/**
• hack/tools/vendor/github.com/gogo/protobuf/sortkeys/sortkeys.go is excluded by !**/vendor/**
• hack/tools/vendor/golang.org/x/net/http2/client_priority_go126.go is excluded by !**/vendor/**
• hack/tools/vendor/golang.org/x/net/http2/client_priority_go127.go is excluded by !**/vendor/**
• hack/tools/vendor/golang.org/x/net/http2/frame.go is excluded by !**/vendor/**
• hack/tools/vendor/golang.org/x/net/http2/hpack/tables.go is excluded by !**/vendor/**
• hack/tools/vendor/golang.org/x/net/http2/http2.go is excluded by !**/vendor/**
• hack/tools/vendor/golang.org/x/net/http2/server.go is excluded by !**/vendor/**
• hack/tools/vendor/golang.org/x/net/http2/transport.go is excluded by !**/vendor/**
• hack/tools/vendor/golang.org/x/net/http2/writesched.go is excluded by !**/vendor/**
• hack/tools/vendor/golang.org/x/net/http2/writesched_priority_rfc7540.go is excluded by !**/vendor/**
• hack/tools/vendor/golang.org/x/net/http2/writesched_random.go is excluded by !**/vendor/**
• hack/tools/vendor/golang.org/x/net/internal/httpsfv/httpsfv.go is excluded by !**/vendor/**
• hack/tools/vendor/golang.org/x/text/secure/bidirule/bidirule.go is excluded by !**/vendor/**
• hack/tools/vendor/golang.org/x/text/secure/bidirule/bidirule10.0.0.go is excluded by !**/vendor/**
• hack/tools/vendor/golang.org/x/text/secure/bidirule/bidirule9.0.0.go is excluded by !**/vendor/**
• hack/tools/vendor/golang.org/x/text/unicode/bidi/tables10.0.0.go is excluded by !**/vendor/**
• hack/tools/vendor/golang.org/x/text/unicode/bidi/tables11.0.0.go is excluded by !**/vendor/**
• hack/tools/vendor/golang.org/x/text/unicode/bidi/tables12.0.0.go is excluded by !**/vendor/**
• hack/tools/vendor/golang.org/x/text/unicode/bidi/tables13.0.0.go is excluded by !**/vendor/**
• hack/tools/vendor/golang.org/x/text/unicode/bidi/tables15.0.0.go is excluded by !**/vendor/**
• hack/tools/vendor/golang.org/x/text/unicode/bidi/tables17.0.0.go is excluded by !**/vendor/**
• hack/tools/vendor/golang.org/x/text/unicode/bidi/tables9.0.0.go is excluded by !**/vendor/**
• hack/tools/vendor/golang.org/x/text/unicode/norm/forminfo.go is excluded by !**/vendor/**
• hack/tools/vendor/golang.org/x/text/unicode/norm/tables10.0.0.go is excluded by !**/vendor/**
• hack/tools/vendor/golang.org/x/text/unicode/norm/tables11.0.0.go is excluded by !**/vendor/**
• hack/tools/vendor/golang.org/x/text/unicode/norm/tables12.0.0.go is excluded by !**/vendor/**
• hack/tools/vendor/golang.org/x/text/unicode/norm/tables13.0.0.go is excluded by !**/vendor/**
• hack/tools/vendor/golang.org/x/text/unicode/norm/tables15.0.0.go is excluded by !**/vendor/**
• hack/tools/vendor/golang.org/x/text/unicode/norm/tables17.0.0.go is excluded by !**/vendor/**
• hack/tools/vendor/golang.org/x/text/unicode/norm/tables9.0.0.go is excluded by !**/vendor/**
• hack/tools/vendor/golang.org/x/tools/go/ast/inspector/cursor.go is excluded by !**/vendor/**
• hack/tools/vendor/golang.org/x/tools/go/ast/inspector/inspector.go is excluded by !**/vendor/**
• hack/tools/vendor/golang.org/x/tools/go/ast/inspector/iter.go is excluded by !**/vendor/**
• hack/tools/vendor/golang.org/x/tools/go/packages/golist.go is excluded by !**/vendor/**
• hack/tools/vendor/golang.org/x/tools/go/packages/packages.go is excluded by !**/vendor/**
• hack/tools/vendor/golang.org/x/tools/go/types/objectpath/objectpath.go is excluded by !**/vendor/**
• hack/tools/vendor/golang.org/x/tools/internal/aliases/aliases.go is excluded by !**/vendor/**
• hack/tools/vendor/golang.org/x/tools/internal/aliases/aliases_go122.go is excluded by !**/vendor/**
• hack/tools/vendor/golang.org/x/tools/internal/event/core/event.go is excluded by !**/vendor/**
• hack/tools/vendor/golang.org/x/tools/internal/event/keys/keys.go is excluded by !**/vendor/**
• hack/tools/vendor/golang.org/x/tools/internal/event/label/label.go is excluded by !**/vendor/**
• hack/tools/vendor/golang.org/x/tools/internal/gcimporter/iexport.go is excluded by !**/vendor/**
• hack/tools/vendor/golang.org/x/tools/internal/gcimporter/iimport.go is excluded by !**/vendor/**
• hack/tools/vendor/golang.org/x/tools/internal/gcimporter/ureader_yes.go is excluded by !**/vendor/**
• hack/tools/vendor/golang.org/x/tools/internal/stdlib/deps.go is excluded by !**/vendor/**
• hack/tools/vendor/golang.org/x/tools/internal/stdlib/manifest.go is excluded by !**/vendor/**
• hack/tools/vendor/golang.org/x/tools/internal/typeparams/free.go is excluded by !**/vendor/**
• hack/tools/vendor/golang.org/x/tools/internal/typesinternal/types.go is excluded by !**/vendor/**
• hack/tools/vendor/k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/types.go is excluded by !**/vendor/**
• hack/tools/vendor/k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1/doc.go is excluded by !**/vendor/**
• hack/tools/vendor/k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1/generated.pb.go is excluded by !**/*.pb.go, !**/vendor/**
• hack/tools/vendor/k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1/generated.proto is excluded by !**/vendor/**
• hack/tools/vendor/k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1/generated.protomessage.pb.go is excluded by !**/*.pb.go, !**/vendor/**
• hack/tools/vendor/k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1/types.go is excluded by !**/vendor/**
• hack/tools/vendor/k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1/zz_generated.conversion.go is excluded by !**/vendor/**, !**/zz_generated*
• hack/tools/vendor/k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1/zz_generated.model_name.go is excluded by !**/vendor/**, !**/zz_generated*
• hack/tools/vendor/k8s.io/apimachinery/pkg/api/resource/generated.pb.go is excluded by !**/*.pb.go, !**/vendor/**
• hack/tools/vendor/k8s.io/apimachinery/pkg/api/resource/generated.proto is excluded by !**/vendor/**
• hack/tools/vendor/k8s.io/apimachinery/pkg/api/resource/generated.protomessage.pb.go is excluded by !**/*.pb.go, !**/vendor/**
• hack/tools/vendor/k8s.io/apimachinery/pkg/api/resource/quantity.go is excluded by !**/vendor/**
• hack/tools/vendor/k8s.io/apimachinery/pkg/api/resource/quantity_proto.go is excluded by !**/vendor/**
• hack/tools/vendor/k8s.io/apimachinery/pkg/api/resource/zz_generated.model_name.go is excluded by !**/vendor/**, !**/zz_generated*
• hack/tools/vendor/k8s.io/apimachinery/pkg/api/validate/constraints/constraints.go is excluded by !**/vendor/**
• hack/tools/vendor/k8s.io/apimachinery/pkg/api/validate/content/decimal_int.go is excluded by !**/vendor/**
• hack/tools/vendor/k8s.io/apimachinery/pkg/api/validate/content/dns.go is excluded by !**/vendor/**
• hack/tools/vendor/k8s.io/apimachinery/pkg/api/validate/content/errors.go is excluded by !**/vendor/**
• hack/tools/vendor/k8s.io/apimachinery/pkg/api/validate/content/identifier.go is excluded by !**/vendor/**
• hack/tools/vendor/k8s.io/apimachinery/pkg/api/validate/content/kube.go is excluded by !**/vendor/**
• hack/tools/vendor/k8s.io/apimachinery/pkg/apis/meta/v1/doc.go is excluded by !**/vendor/**
• hack/tools/vendor/k8s.io/apimachinery/pkg/apis/meta/v1/generated.pb.go is excluded by !**/*.pb.go, !**/vendor/**
• hack/tools/vendor/k8s.io/apimachinery/pkg/apis/meta/v1/generated.proto is excluded by !**/vendor/**
• hack/tools/vendor/k8s.io/apimachinery/pkg/apis/meta/v1/generated.protomessage.pb.go is excluded by !**/*.pb.go, !**/vendor/**
• hack/tools/vendor/k8s.io/apimachinery/pkg/apis/meta/v1/types.go is excluded by !**/vendor/**
• hack/tools/vendor/k8s.io/apimachinery/pkg/apis/meta/v1/zz_generated.model_name.go is excluded by !**/vendor/**, !**/zz_generated*
• hack/tools/vendor/k8s.io/apimachinery/pkg/labels/selector.go is excluded by !**/vendor/**
• hack/tools/vendor/k8s.io/apimachinery/pkg/runtime/doc.go is excluded by !**/vendor/**
• hack/tools/vendor/k8s.io/apimachinery/pkg/runtime/generated.pb.go is excluded by !**/*.pb.go, !**/vendor/**
• hack/tools/vendor/k8s.io/apimachinery/pkg/runtime/generated.protomessage.pb.go is excluded by !**/*.pb.go, !**/vendor/**
• hack/tools/vendor/k8s.io/apimachinery/pkg/runtime/schema/generated.pb.go is excluded by !**/*.pb.go, !**/vendor/**
• hack/tools/vendor/k8s.io/apimachinery/pkg/runtime/schema/generated.protomessage.pb.go is excluded by !**/*.pb.go, !**/vendor/**
• hack/tools/vendor/k8s.io/apimachinery/pkg/runtime/scheme.go is excluded by !**/vendor/**
• hack/tools/vendor/k8s.io/apimachinery/pkg/runtime/types_proto.go is excluded by !**/vendor/**
• hack/tools/vendor/k8s.io/apimachinery/pkg/runtime/zz_generated.model_name.go is excluded by !**/vendor/**, !**/zz_generated*
• hack/tools/vendor/k8s.io/apimachinery/pkg/util/intstr/generated.pb.go is excluded by !**/*.pb.go, !**/vendor/**
• hack/tools/vendor/k8s.io/apimachinery/pkg/util/intstr/generated.proto is excluded by !**/vendor/**
• hack/tools/vendor/k8s.io/apimachinery/pkg/util/intstr/generated.protomessage.pb.go is excluded by !**/*.pb.go, !**/vendor/**
• hack/tools/vendor/k8s.io/apimachinery/pkg/util/intstr/intstr.go is excluded by !**/vendor/**
• hack/tools/vendor/k8s.io/apimachinery/pkg/util/intstr/zz_generated.model_name.go is excluded by !**/vendor/**, !**/zz_generated*
• hack/tools/vendor/k8s.io/apimachinery/pkg/util/sets/set.go is excluded by !**/vendor/**
• hack/tools/vendor/k8s.io/apimachinery/pkg/util/validation/field/error_matcher.go is excluded by !**/vendor/**
• hack/tools/vendor/k8s.io/apimachinery/pkg/util/validation/field/errors.go is excluded by !**/vendor/**
• hack/tools/vendor/k8s.io/apimachinery/pkg/util/validation/validation.go is excluded by !**/vendor/**
• hack/tools/vendor/k8s.io/kube-openapi/LICENSE is excluded by !**/vendor/**
• hack/tools/vendor/k8s.io/kube-openapi/pkg/util/trie.go is excluded by !**/vendor/**
• hack/tools/vendor/k8s.io/kube-openapi/pkg/util/util.go is excluded by !**/vendor/**
• hack/tools/vendor/k8s.io/utils/net/multi_listen.go is excluded by !**/vendor/**
• hack/tools/vendor/modules.txt is excluded by !**/vendor/**
• hack/tools/vendor/sigs.k8s.io/controller-tools/pkg/crd/markers/crd.go is excluded by !**/vendor/**
• hack/tools/vendor/sigs.k8s.io/controller-tools/pkg/crd/markers/register.go is excluded by !**/vendor/**
• hack/tools/vendor/sigs.k8s.io/controller-tools/pkg/crd/markers/topology.go is excluded by !**/vendor/**
• hack/tools/vendor/sigs.k8s.io/controller-tools/pkg/crd/markers/validation.go is excluded by !**/vendor/**
• hack/tools/vendor/sigs.k8s.io/controller-tools/pkg/crd/markers/zz_generated.markerhelp.go is excluded by !**/vendor/**, !**/zz_generated*
• hack/tools/vendor/sigs.k8s.io/controller-tools/pkg/markers/collect.go is excluded by !**/vendor/**
• hack/tools/vendor/sigs.k8s.io/controller-tools/pkg/markers/parse.go is excluded by !**/vendor/**
• hack/tools/vendor/sigs.k8s.io/controller-tools/pkg/markers/reg.go is excluded by !**/vendor/**
• hack/tools/vendor/sigs.k8s.io/json/internal/golang/encoding/json/decode.go is excluded by !**/vendor/**
• hack/tools/vendor/sigs.k8s.io/json/internal/golang/encoding/json/encode.go is excluded by !**/vendor/**
• hack/tools/vendor/sigs.k8s.io/json/internal/golang/encoding/json/stream.go is excluded by !**/vendor/**
• hack/tools/vendor/sigs.k8s.io/structured-merge-diff/v6/value/allocator.go is excluded by !**/vendor/**
• hack/tools/vendor/sigs.k8s.io/structured-merge-diff/v6/value/jsontagutil.go is excluded by !**/vendor/**
• openshift/tools/go.sum is excluded by !**/*.sum
• openshift/tools/vendor/github.com/openshift/cluster-capi-operator/manifests-gen/kustomization.yaml is excluded by !**/vendor/**
• openshift/tools/vendor/github.com/openshift/cluster-capi-operator/manifests-gen/webhook-namespace-selector.yaml is excluded by !**/vendor/**
• openshift/tools/vendor/modules.txt is excluded by !**/vendor/**
• vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/CHANGELOG.md is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/internal/exported/response_error.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/internal/shared/constants.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/runtime/policy_http_trace.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/runtime/policy_logging.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/runtime/request.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/Azure/azure-sdk-for-go/sdk/internal/diag/diag.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/Azure/azure-sdk-for-go/sdk/internal/diag/doc.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/Azure/azure-sdk-for-go/sdk/internal/errorinfo/doc.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/Azure/azure-sdk-for-go/sdk/internal/errorinfo/errorinfo.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/Azure/azure-sdk-for-go/sdk/internal/exported/exported.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/Azure/azure-sdk-for-go/sdk/internal/log/doc.go is excluded by !**/vendor/**, !vendor/**

📒 Files selected for processing (134)

• .codespellignore
• .github/workflows/codeql.yml
• .github/workflows/dependabot-code-gen.yml
• .github/workflows/dependency-review.yml
• .github/workflows/pr-golangci-lint.yaml
• .github/workflows/scorecards.yml
• .github/workflows/weekly-security-scan.yaml
• .golangci.yml
• AGENTS.md
• CHANGELOG/v1.22.2.md
• CHANGELOG/v1.22.4.md
• CHANGELOG/v1.23.1.md
• CHANGELOG/v1.24.0.md
• Makefile
• Tiltfile
• azure/converters/managedagentpool.go
• azure/converters/managedagentpool_test.go
• azure/services/agentpools/agentpools.go
• azure/services/agentpools/agentpools_test.go
• azure/services/agentpools/spec.go
• azure/services/agentpools/spec_test.go
• azure/services/managedclusters/managedclusters.go
• azure/services/managedclusters/managedclusters_test.go
• azure/services/managedclusters/spec.go
• azure/services/managedclusters/spec_test.go
• azure/services/privateendpoints/spec_test.go
• config/aso/crds.yaml
• config/aso/kustomization.yaml
• config/aso/patches/visualizer_label_in_maintenanceconfigurations.yaml
• config/crd/bases/infrastructure.cluster.x-k8s.io_azureasomanagedclusters.yaml
• config/crd/bases/infrastructure.cluster.x-k8s.io_azureasomanagedclustertemplates.yaml
• config/crd/bases/infrastructure.cluster.x-k8s.io_azureasomanagedcontrolplanes.yaml
• config/crd/bases/infrastructure.cluster.x-k8s.io_azureasomanagedcontrolplanetemplates.yaml
• config/crd/bases/infrastructure.cluster.x-k8s.io_azureasomanagedmachinepools.yaml
• config/crd/bases/infrastructure.cluster.x-k8s.io_azureasomanagedmachinepooltemplates.yaml
• config/crd/bases/infrastructure.cluster.x-k8s.io_azureclusteridentities.yaml
• config/crd/bases/infrastructure.cluster.x-k8s.io_azureclusters.yaml
• config/crd/bases/infrastructure.cluster.x-k8s.io_azureclustertemplates.yaml
• config/crd/bases/infrastructure.cluster.x-k8s.io_azuremachinepoolmachines.yaml
• config/crd/bases/infrastructure.cluster.x-k8s.io_azuremachinepools.yaml
• config/crd/bases/infrastructure.cluster.x-k8s.io_azuremachines.yaml
• config/crd/bases/infrastructure.cluster.x-k8s.io_azuremachinetemplates.yaml
• config/crd/bases/infrastructure.cluster.x-k8s.io_azuremanagedclusters.yaml
• config/crd/bases/infrastructure.cluster.x-k8s.io_azuremanagedclustertemplates.yaml
• config/crd/bases/infrastructure.cluster.x-k8s.io_azuremanagedcontrolplanes.yaml
• config/crd/bases/infrastructure.cluster.x-k8s.io_azuremanagedcontrolplanetemplates.yaml
• config/crd/bases/infrastructure.cluster.x-k8s.io_azuremanagedmachinepools.yaml
• config/crd/bases/infrastructure.cluster.x-k8s.io_azuremanagedmachinepooltemplates.yaml
• config/rbac/role.yaml
• config/webhook/manifests.yaml
• controllers/azureasomanagedcontrolplane_controller.go
• controllers/azureasomanagedcontrolplane_controller_test.go
• controllers/azuremanagedcontrolplane_controller.go
• controllers/azuremanagedmachinepool_reconciler.go
• controllers/resource_reconciler.go
• controllers/resource_reconciler_test.go
• docs/book/src/developers/development.md
• docs/book/src/developers/getting-started-with-capi-operator.md
• docs/book/src/developers/releasing.md
• docs/book/src/managed/managedcluster.md
• docs/book/src/topics/aso.md
• exp/api/v1beta1/azuremachinepool_webhook.go
• exp/api/v1beta1/azuremachinepool_webhook_test.go
• exp/api/v1beta1/azuremachinepoolmachine_webhook.go
• go.mod
• hack/create-dev-cluster.sh
• hack/tools/go.mod
• hack/version.sh
• internal/api/v1beta1/azuremachine_default_test.go
• internal/webhooks/azureasomanagedcluster_webhook.go
• internal/webhooks/azureasomanagedcontrolplane_webhook.go
• internal/webhooks/azureasomanagedmachinepool_webhook.go
• internal/webhooks/azurecluster_webhook.go
• internal/webhooks/azureclusteridentity_webhook.go
• internal/webhooks/azureclustertemplate_webhook.go
• internal/webhooks/azuremachine_validation.go
• internal/webhooks/azuremachine_validation_test.go
• internal/webhooks/azuremachine_webhook.go
• internal/webhooks/azuremachinetemplate_webhook.go
• internal/webhooks/azuremanagedcluster_webhook.go
• internal/webhooks/azuremanagedclustertemplate_webhook.go
• internal/webhooks/azuremanagedcontrolplane_webhook.go
• internal/webhooks/azuremanagedcontrolplanetemplate_webhook.go
• internal/webhooks/azuremanagedmachinepool_webhook.go
• internal/webhooks/azuremanagedmachinepooltemplate_webhook.go
• main.go
• metadata.yaml
• openshift/capi-operator-manifests/default/manifests.yaml
• openshift/capi-operator-manifests/default/metadata.yaml
• openshift/provider-version.mk
• openshift/tools/go.mod
• pkg/mutators/azureasomanagedcontrolplane.go
• pkg/mutators/azureasomanagedcontrolplane_test.go
• templates/cluster-template-aks-aso-maintenance.yaml
• templates/flavors/README.md
• templates/flavors/aks-aso-maintenance/kustomization.yaml
• templates/test/ci/cluster-template-prow-ci-version-dra.yaml
• templates/test/ci/cluster-template-prow-ci-version-md-and-mp.yaml
• templates/test/ci/cluster-template-prow-dalec-custom-builds.yaml
• templates/test/ci/cluster-template-prow-machine-pool-ci-version-multi-zone.yaml
• templates/test/ci/patches/alpha-beta-feature-gates-kubeadmcontrolplane.yaml
• templates/test/ci/patches/dra-kubeadmconfig.yaml
• templates/test/ci/patches/dra-kubeadmconfigtemplate.yaml
• templates/test/ci/patches/dra-kubeadmcontrolplane.yaml
• templates/test/ci/prow-ci-version-md-and-mp/kustomization.yaml
• templates/test/ci/prow-dalec-custom-builds/patches/azl3-machine-deployment.yaml
• templates/test/ci/prow-dalec-custom-builds/patches/control-plane-custom-builds.yaml
• templates/test/ci/prow-dalec-custom-builds/patches/kubeadm-bootstrap-custom-builds.yaml
• templates/test/ci/prow-machine-pool-ci-version-multi-zone/kustomization.yaml
• templates/test/ci/prow-machine-pool-ci-version-multi-zone/patches/machine-pool-multi-zone.yaml
• templates/test/dev/cluster-template-custom-builds-dra.yaml
• templates/test/dev/cluster-template-custom-builds-load-dra.yaml
• templates/test/dev/cluster-template-custom-builds-load.yaml
• templates/test/dev/cluster-template-custom-builds-machine-pool-load-dra.yaml
• templates/test/dev/cluster-template-custom-builds.yaml
• templates/test/dev/custom-builds/kustomization.yaml
• templates/test/dev/custom-builds/patches/kubeadm-controlplane-bootstrap.yaml
• test/e2e/aks_maintenance_configuration.go
• test/e2e/aks_patches.go
• test/e2e/azure_clusterproxy.go
• test/e2e/azure_kuberay.go
• test/e2e/azure_test.go
• test/e2e/capi_test.go
• test/e2e/config/azure-dev.yaml
• test/e2e/data/infrastructure-azure/v1.22.2/cluster-template-aks.yaml
• test/e2e/data/infrastructure-azure/v1.22.2/cluster-template-prow-machine-and-machine-pool.yaml
• test/e2e/data/infrastructure-azure/v1.22.2/cluster-template-prow.yaml
• test/e2e/data/infrastructure-azure/v1.23.0/cluster-template-aks.yaml
• test/e2e/data/infrastructure-azure/v1.23.0/cluster-template-prow-machine-and-machine-pool.yaml
• test/e2e/data/infrastructure-azure/v1.23.0/cluster-template-prow.yaml
• test/e2e/data/infrastructure-azure/v1beta1/cluster-template-md-taints/kcp-taints.yaml
• test/e2e/data/infrastructure-azure/v1beta1/cluster-template-md-taints/kustomization.yaml
• test/e2e/data/shared/v1beta1/metadata.yaml
• test/e2e/data/shared/v1beta1_provider/metadata.yaml

[coderabbitai]

⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Quote $GITHUB_OUTPUT to fix the shellcheck SC2086 warning, and move checkout before make go-version.

Two issues in this block:

1. SC2086 (line 28): $GITHUB_OUTPUT is unquoted, triggering shellcheck's word-splitting warning.
2. Step ordering (pre-existing): make go-version is invoked on line 28 before actions/checkout on line 34–35. Without the repository checked out, the Makefile is not present and this step will fail. Compare with the correct ordering in pr-golangci-lint.yaml (checkout → get-go-version → setup-go).

🐛 Proposed fix

-    - name: Get Go version
-      id: vars
-      run: echo "go_version=$(make go-version)" >> $GITHUB_OUTPUT
-    - name: Set up Go
-      uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
-      with:
-        go-version: ${{ steps.vars.outputs.go_version }}
-      id: go
-    - name: Check out code into the Go module directory
-      uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+    - name: Check out code into the Go module directory
+      uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+    - name: Get Go version
+      id: vars
+      run: echo "go_version=$(make go-version)" >> "$GITHUB_OUTPUT"
+    - name: Set up Go
+      uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
+      with:
+        go-version: ${{ steps.vars.outputs.go_version }}
+      id: go

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	- name: Get Go version
	id: vars
	run: echo "go_version=$(make go-version)" >> $GITHUB_OUTPUT
	- name: Check out code into the Go module directory
	uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
	- name: Get Go version
	id: vars
	run: echo "go_version=$(make go-version)" >> "$GITHUB_OUTPUT"
	- name: Set up Go
	uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
	with:
	go-version: ${{ steps.vars.outputs.go_version }}
	id: go

🧰 Tools

🪛 actionlint (1.7.12)

[error] 28-28: shellcheck reported issue in this script: SC2086:info:1:41: Double quote to prevent globbing and word splitting

(shellcheck)

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/dependabot-code-gen.yml around lines 26 - 28, The "Get Go
version" step (id: vars, using make go-version) runs before the repository is
checked out and writes to an unquoted $GITHUB_OUTPUT; fix by moving the
actions/checkout step to run before the "Get Go version" step so the Makefile is
available, and quote the variable when appending output (use "$GITHUB_OUTPUT")
to eliminate the shellcheck SC2086 warning — update the step that calls make
go-version and the surrounding job ordering accordingly.

[coderabbitai]

🛠️ Refactor suggestion | 🟠 Major | 🏗️ Heavy lift

Use GoMock-based unit-test doubles instead of fakeclient.ClientBuilder in this test file.

These subtests now use controller-runtime fake clients directly, which conflicts with the repository’s _test.go mocking requirement. Please migrate these unit tests to GoMock-backed mocks from the expected mock directories.

As per coding guidelines **/*_test.go: Unit tests must test individual functions/methods with mocks generated by GoMock in /azure/services/*/mock_*/ directories.

Also applies to: 138-139, 246-248, 360-362, 467-469, 498-499

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@controllers/resource_reconciler_test.go` around lines 90 - 91, The tests in
controllers/resource_reconciler_test.go currently instantiate controller-runtime
fake clients via fakeClientBuilder().Build(); replace those with GoMock-based
mocks from the repo’s generated mock packages (use gomock.NewController and the
appropriate mock client interfaces under /azure/services/*/mock_*/ e.g.,
mock_kubernetes.NewMockClient) and inject the mock where the test currently sets
the Client field; set expectations on methods used by the code under test (List,
Get, Create, Update, Delete, etc.) for each subtest instance, and update all
occurrences referenced (around the Client: fakeClientBuilder().Build() sites and
the other noted occurrences at the given ranges) to use the gomock mocks instead
of the fake client so tests conform to the repository mocking guideline.

[coderabbitai]

⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Stale error message after switching from Patch to Apply.

Line 108 still says "failed to patch resource" but the operation is now r.Apply. This should read "failed to apply resource" to match the reconcile path on line 162.

🔧 Proposed fix

-		if client.IgnoreNotFound(err) != nil {
-			return fmt.Errorf("failed to patch resource: %w", err)
-		}
+		if client.IgnoreNotFound(err) != nil {
+			return fmt.Errorf("failed to apply resource: %w", err)
+		}

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	err := r.Apply(ctx, client.ApplyConfigurationFromUnstructured(spec), client.FieldOwner("capz-manager"))
	if client.IgnoreNotFound(err) != nil {
	return fmt.Errorf("failed to patch resource: %w", err)
	}
	err := r.Apply(ctx, client.ApplyConfigurationFromUnstructured(spec), client.FieldOwner("capz-manager"))
	if client.IgnoreNotFound(err) != nil {
	return fmt.Errorf("failed to apply resource: %w", err)
	}

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@controllers/resource_reconciler.go` around lines 106 - 109, The error message
is stale: in the Apply call using r.Apply(ctx,
client.ApplyConfigurationFromUnstructured(spec),
client.FieldOwner("capz-manager")) you should update the returned error text to
reflect an apply operation. Replace the string "failed to patch resource" with
"failed to apply resource" (or equivalent) in the error returned when
client.IgnoreNotFound(err) != nil so it matches the r.Apply code path and the
reconcile messaging elsewhere.

[coderabbitai]

⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Stale v1.21.2 references in the spec walkthrough create an inconsistency.

The PR bumped the clusterctl example (Line 43) and the Security Profile YAML (Line 360) to v1.35.4, but the specification walkthrough further down still has four v1.21.2 references at Lines 135, 166, 192, and 242. v1.21.2 is end-of-life, and a user copy-pasting that section will apply an unsupported Kubernetes version.

📝 Proposed fix – update spec walkthrough version references

Apply to Lines 135, 166, 192, and 242:

-      version: v1.21.2
+      version: v1.35.4

Also applies to: 360-360

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@docs/book/src/managed/managedcluster.md` at line 43, Update all stale
Kubernetes version strings: replace every "v1.21.2" occurrence in the spec
walkthrough with "v1.35.4" to match the bumped clusterctl example (the export
KUBERNETES_VERSION value) and the Security Profile YAML; search for the literal
"v1.21.2" in the managedcluster.md content (the spec walkthrough blocks and the
Security Profile section) and update them to "v1.35.4" so all examples are
consistent and use a supported version.

[coderabbitai]

⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Use descriptive link text to address the MD059 warning.

The link text "here" is flagged by markdownlint (MD059). Embedding the link in a meaningful phrase fixes this with no behavior change.

📝 Proposed fix

-- continue with the upgrade of CAPZ as specified [here](https://cluster-api.sigs.k8s.io/tasks/upgrading-cluster-api-versions.html?highlight=upgrade#when-to-upgrade)
+- continue with [upgrading CAPZ via the Cluster API upgrade guide](https://cluster-api.sigs.k8s.io/tasks/upgrading-cluster-api-versions.html?highlight=upgrade#when-to-upgrade)

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	- continue with the upgrade of CAPZ as specified [here](https://cluster-api.sigs.k8s.io/tasks/upgrading-cluster-api-versions.html?highlight=upgrade#when-to-upgrade)
	- continue with [upgrading CAPZ via the Cluster API upgrade guide](https://cluster-api.sigs.k8s.io/tasks/upgrading-cluster-api-versions.html?highlight=upgrade#when-to-upgrade)

🧰 Tools

🪛 markdownlint-cli2 (0.22.1)

[warning] 71-71: Link text should be descriptive

(MD059, descriptive-link-text)

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@docs/book/src/topics/aso.md` at line 71, Replace the vague link text in the
sentence containing "continue with the upgrade of CAPZ as specified
[here](https://cluster-api.sigs.k8s.io/tasks/upgrading-cluster-api-versions.html?highlight=upgrade#when-to-upgrade)"
with a descriptive phrase (for example "as specified in the Cluster API upgrade
documentation") so the link text conveys destination meaning and satisfies
MD059; update the anchor text only, keeping the existing URL unchanged.

[coderabbitai]

⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Match the documented VERBOSE=1 contract exactly.

At Line 835, -n "$(VERBOSE)" treats VERBOSE=0 as enabled, which conflicts with the target help text (VERBOSE=1).

Proposed fix

-	elif [ -n "$(VERBOSE)" ]; then \
+	elif [ "$(VERBOSE)" = "1" ]; then \

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	elif [ -n "$(VERBOSE)" ]; then \
	elif [ "$(VERBOSE)" = "1" ]; then \

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@Makefile` at line 835, The Makefile currently checks VERBOSE with '-n
"$(VERBOSE)"' which treats VERBOSE=0 as enabled; update the conditional to match
the documented contract by testing explicitly for the value "1" (for example use
'if [ "$(VERBOSE)" = "1" ]; then \') so only VERBOSE=1 enables verbose behavior;
modify the condition where '-n "$(VERBOSE)"' appears and ensure surrounding
branches that reference VERBOSE behavior remain consistent.

[openshift-ci]

PR needs rebase.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.