
update vendor with https://github.com/openshift/library-go/pull/2001#941

Open

lance5890 wants to merge 1 commit into openshift:main from lance5890:test_rm_autosatoken

Conversation

@lance5890 (Contributor) commented Jun 5, 2026

replace #899

related to openshift/library-go#2001

Summary by CodeRabbit

  • Chores
    • Updated OpenShift module dependencies to newer versions and configured a module redirect for enhanced compatibility.

@coderabbitai Bot commented Jun 5, 2026

Walkthrough

The pull request updates the Go module dependencies in go.mod. OpenShift API and client-go modules are bumped to newer versions, and a new replace directive redirects the library-go module to a forked version at github.com/lance5890/library-go.

Changes

Dependency versions and replacements

go.mod (Go module dependency updates): Updated require entries for github.com/openshift/api and github.com/openshift/client-go to newer versions, and added a replace directive for github.com/openshift/library-go pointing to github.com/lance5890/library-go.

🎯 1 (Trivial) | ⏱️ ~3 minutes

🚥 Pre-merge checks | ✅ 15
✅ Passed checks (15 passed)
Check name Status Explanation
Title check ✅ Passed The title directly describes the main change: updating vendor dependencies with changes from a specific OpenShift library-go pull request, which matches the go.mod modifications shown in the changeset.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names ✅ Passed All Ginkgo test names in the PR are stable and deterministic. Direct test titles use static literal strings; parameterized tests use static struct field names without dynamic generation.
Test Structure And Quality ✅ Passed This PR updates go.mod/go.sum for dependency versioning changes. No Ginkgo test code is being modified, making the test structure quality check inapplicable to this PR.
Microshift Test Compatibility ✅ Passed No new Ginkgo e2e tests are added in this PR; it only updates go.mod dependencies. The MicroShift test compatibility check does not apply.
Single Node Openshift (Sno) Test Compatibility ✅ Passed The PR adds Ginkgo tests that test operator components, NetworkPolicies, and service account token signer without making multi-node assumptions; all tests are SNO-compatible.
Topology-Aware Scheduling Compatibility ✅ Passed This PR is a dependency update (go.mod/go.sum changes and vendor updates). No deployment manifests, operator code, or controllers that would introduce new scheduling constraints were modified.
Ote Binary Stdout Contract ✅ Passed No stdout violations found. Codebase uses klog v2 which writes to stderr by default. No fmt.Print calls in process-level code. Cobra routes command output correctly.
Ipv6 And Disconnected Network Test Compatibility ✅ Passed No Ginkgo e2e tests were added in this PR. The PR only updates dependencies (go.mod, go.sum) and vendored libraries, containing no *_test.go files. The check does not apply.
No-Weak-Crypto ✅ Passed PR contains only dependency version updates in go.mod/go.sum with no weak crypto (MD5, SHA1, DES, RC4, 3DES, Blowfish, ECB), custom crypto, or non-constant-time secret comparisons introduced.
Container-Privileges ✅ Passed PR only modifies go.mod (dependency versions); no K8s manifests or container configs are present or changed. No privileged container settings found.
No-Sensitive-Data-In-Logs ✅ Passed The PR contains no logging statements that expose sensitive data like passwords, tokens, API keys, or PII. Test logging only references secret resource names, not their contents.
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.


@openshift-ci Bot added the needs-ok-to-test label (indicates a PR that requires an org member to verify it is safe to test) on Jun 5, 2026
@openshift-ci Bot (Contributor) commented Jun 5, 2026

Hi @lance5890. Thanks for your PR.

I'm waiting for an openshift member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work.

Tip

We noticed you've done this a few times! Consider joining the org to skip this step and gain /lgtm and other bot rights. We recommend asking approvers on your previous PRs to sponsor you.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.


Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@openshift-ci Bot (Contributor) commented Jun 5, 2026

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign ardaguclu for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@lance5890 (Contributor, Author) commented:

@tchap

@coderabbitai Bot left a comment

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@go.mod`:
- Line 137: The PR replaces module github.com/openshift/library-go with the fork
github.com/lance5890/library-go (v0.0.0-20260605001424-f7fd773c8ec4) in go.mod
but lacks supply-chain evidence; update the PR with a brief fork justification
(why upstream wasn’t used), the fork maintainer identity, license compatibility
check against the original module, and links to provenance artifacts (SBOM,
build/release provenance or attestation) for the forked release; also include
any Sigstore/cosign signing details or verification steps for published
artifacts and call out the exact replace statement in go.mod and the required
version github.com/openshift/library-go v0.0.0-20260409165127-c57da2bf5720 so
reviewers can verify the changes.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: fcf29fde-d777-4a6a-b326-eae39885764a

📥 Commits

Reviewing files that changed from the base of the PR and between 9d636ab and 234e58c.

⛔ Files ignored due to path filters (88)
  • go.sum is excluded by !**/*.sum
  • vendor/github.com/openshift/api/config/v1/types_apiserver.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/api/config/v1/types_authentication.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/api/config/v1/types_cluster_operator.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/api/config/v1/types_image.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/api/config/v1/types_infrastructure.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/api/config/v1/types_kmsencryption.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/api/config/v1/types_network.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/api/config/v1/zz_generated.deepcopy.go is excluded by !**/vendor/**, !vendor/**, !**/zz_generated*
  • vendor/github.com/openshift/api/config/v1/zz_generated.featuregated-crd-manifests.yaml is excluded by !**/vendor/**, !vendor/**, !**/zz_generated*
  • vendor/github.com/openshift/api/config/v1/zz_generated.swagger_doc_generated.go is excluded by !**/vendor/**, !vendor/**, !**/zz_generated*
  • vendor/github.com/openshift/api/config/v1alpha1/types_cluster_monitoring.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/api/config/v1alpha1/zz_generated.deepcopy.go is excluded by !**/vendor/**, !vendor/**, !**/zz_generated*
  • vendor/github.com/openshift/api/config/v1alpha1/zz_generated.swagger_doc_generated.go is excluded by !**/vendor/**, !vendor/**, !**/zz_generated*
  • vendor/github.com/openshift/api/console/v1/types_console_plugin.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/api/console/v1/zz_generated.featuregated-crd-manifests.yaml is excluded by !**/vendor/**, !vendor/**, !**/zz_generated*
  • vendor/github.com/openshift/api/features.md is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/api/features/features.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/api/features/legacyfeaturegates.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/api/install.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/api/machine/v1beta1/types_machineset.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/api/machine/v1beta1/zz_generated.swagger_doc_generated.go is excluded by !**/vendor/**, !vendor/**, !**/zz_generated*
  • vendor/github.com/openshift/api/operator/v1alpha1/types_clusterapi.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/api/operator/v1alpha1/zz_generated.deepcopy.go is excluded by !**/vendor/**, !vendor/**, !**/zz_generated*
  • vendor/github.com/openshift/api/operator/v1alpha1/zz_generated.swagger_doc_generated.go is excluded by !**/vendor/**, !vendor/**, !**/zz_generated*
  • vendor/github.com/openshift/api/route/v1/generated.proto is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/api/route/v1/types.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/api/route/v1/zz_generated.featuregated-crd-manifests.yaml is excluded by !**/vendor/**, !vendor/**, !**/zz_generated*
  • vendor/github.com/openshift/api/security/v1/generated.proto is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/api/security/v1/types.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/api/security/v1/zz_generated.featuregated-crd-manifests.yaml is excluded by !**/vendor/**, !vendor/**, !**/zz_generated*
  • vendor/github.com/openshift/api/security/v1/zz_generated.swagger_doc_generated.go is excluded by !**/vendor/**, !vendor/**, !**/zz_generated*
  • vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/apiserverencryption.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/awsdnsspec.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/awskmsconfig.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/kmsconfig.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/kmspluginconfig.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/registrysources.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/vaultapproleauthentication.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/vaultauthentication.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/vaultconfigmapreference.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/vaultkmspluginconfig.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/vaultsecretreference.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/vaulttlsconfig.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/vsphereplatformspec.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/alertmanagercustomconfig.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/clustermonitoringspec.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/containerresource.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/metricsserverconfig.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/monitoringpluginconfig.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/nodeexportercollectorbuddyinfoconfig.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/nodeexportercollectorconfig.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/nodeexportercollectorcpufreqconfig.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/nodeexportercollectorethtoolconfig.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/nodeexportercollectorksmdconfig.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/nodeexportercollectormountstatsconfig.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/nodeexportercollectornetclasscollectconfig.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/nodeexportercollectornetclassconfig.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/nodeexportercollectornetdevconfig.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/nodeexportercollectorprocessesconfig.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/nodeexportercollectorsoftirqsconfig.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/nodeexportercollectorsystemdcollectconfig.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/nodeexportercollectorsystemdconfig.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/nodeexportercollectortcpstatconfig.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/nodeexporterconfig.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/openshiftstatemetricsconfig.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/prometheusconfig.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/prometheusoperatoradmissionwebhookconfig.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/prometheusoperatorconfig.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/telemeterclientconfig.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/thanosquerierconfig.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/client-go/config/applyconfigurations/internal/internal.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/client-go/operator/applyconfigurations/internal/internal.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/client-go/operator/applyconfigurations/operator/v1/awscsidriverconfigspec.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/client-go/operator/applyconfigurations/operator/v1/ingresscontrollertuningoptions.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/library-go/pkg/config/serving/server.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/library-go/pkg/controller/controllercmd/builder.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/library-go/pkg/controller/controllercmd/cmd.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/library-go/pkg/operator/certrotation/target.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/library-go/pkg/operator/encryption/state/types.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/library-go/pkg/operator/events/recorder_in_memory.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/library-go/pkg/operator/management/management_state.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/library-go/pkg/operator/staticpod/controller/installer/manifests/installer-pod.yaml is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/library-go/pkg/operator/staticpod/controller/prune/manifests/pruner-pod.yaml is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/library-go/pkg/operator/staticpod/installerpod/cmd.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/library-go/pkg/operator/staticpod/internal/atomicdir/sync.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/library-go/pkg/operator/staticpod/internal/fsutil/fsutil.go is excluded by !**/vendor/**, !vendor/**
  • vendor/modules.txt is excluded by !**/vendor/**, !vendor/**
📒 Files selected for processing (1)
  • go.mod

Comment thread on go.mod:
// Upstream ginkgo does not export these symbols (e.g. `Suite`); see https://github.com/openshift/onsi-ginkgo.
replace github.com/onsi/ginkgo/v2 => github.com/openshift/onsi-ginkgo/v2 v2.6.1-0.20251001123353-fd5b1fb35db1

replace github.com/openshift/library-go => github.com/lance5890/library-go v0.0.0-20260605001424-f7fd773c8ec4
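Review bot: the library-go replace on the last line redirects github.com/openshift/library-go to a personal fork pinned at a pseudo-version and carries no comment saying why, while the ginkgo replace two lines above documents its reason. Since the PR description ties this change to openshift/library-go#2001 and the branch is named test_rm_autosatoken, add a comment such as `// TEMPORARY: testing openshift/library-go#2001 ahead of its merge; remove before merging this PR` directly above the directive, and before this PR can be considered for merge drop the replace and bump the github.com/openshift/library-go require to the merged upstream commit instead; a vendored tree built from an account outside the openshift org should not ship.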

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "1) Show the replacement in go.mod"
rg -n '^replace github.com/openshift/library-go' go.mod

echo
echo "2) Inspect the replaced module checksums in go.sum (hash pinning evidence)"
rg -n 'github.com/lance5890/library-go|github.com/openshift/library-go' go.sum

echo
echo "3) Query OSV for known vulns on both module names"
curl -s https://api.osv.dev/v1/query -d '{"package":{"ecosystem":"Go","name":"github.com/openshift/library-go"}}' | jq .
curl -s https://api.osv.dev/v1/query -d '{"package":{"ecosystem":"Go","name":"github.com/lance5890/library-go"}}' | jq .

echo
echo "4) Capture fork module metadata (license/provenance pointers) from GitHub API"
curl -s https://api.github.com/repos/lance5890/library-go | jq '{full_name,private,fork,default_branch,license,parent,html_url,created_at,updated_at,pushed_at}'

echo
echo "5) Check for Sigstore/cosign-related release artifacts or attestations (if any)"
curl -s https://api.github.com/repos/lance5890/library-go/releases | jq '.[0:5] | map({tag_name,created_at,published_at,assets: [.assets[]?.name]})'

Repository: openshift/cluster-kube-controller-manager-operator

Length of output: 1063


🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "== GitHub API repo metadata (first 1k chars) =="
resp_repo="$(curl -sS https://api.github.com/repos/lance5890/library-go)"
echo "$resp_repo" | head -c 1000
echo
echo "== Parsed keys present =="
echo "$resp_repo" | jq 'keys'
echo
echo

echo "== GitHub API releases endpoint (first 1k chars) =="
resp_releases="$(curl -sS https://api.github.com/repos/lance5890/library-go/releases)"
echo "$resp_releases" | head -c 1000
echo
echo "== Parsed top-level type =="
echo "$resp_releases" | jq 'type'
echo
echo

echo "== OSV query raw (openshift path) =="
curl -sS https://api.osv.dev/v1/query \
  -d '{"package":{"ecosystem":"Go","name":"github.com/openshift/library-go"}}' | head -c 500
echo
echo "== OSV parsed (openshift path) =="
curl -sS https://api.osv.dev/v1/query \
  -d '{"package":{"ecosystem":"Go","name":"github.com/openshift/library-go"}}' | jq .
echo

echo
echo "== OSV query raw (lance fork path) =="
curl -sS https://api.osv.dev/v1/query \
  -d '{"package":{"ecosystem":"Go","name":"github.com/lance5890/library-go"}}' | head -c 500
echo
echo "== OSV parsed (lance fork path) =="
curl -sS https://api.osv.dev/v1/query \
  -d '{"package":{"ecosystem":"Go","name":"github.com/lance5890/library-go"}}' | jq .

Repository: openshift/cluster-kube-controller-manager-operator

Length of output: 1022


🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "== go.mod around line 137 =="
sed -n '120,155p' go.mod | cat -n

echo
echo "== go.sum entries for the forked module =="
rg -n 'github.com/(openshift/library-go|lance5890/library-go)\s+v0\.0\.0-20260605001424-f7fd773c8ec4' go.sum || true

echo
echo "== Count of replace directives touching openshift/library-go =="
rg -n '^replace .*openshift/library-go' go.mod || true

Repository: openshift/cluster-kube-controller-manager-operator

Length of output: 1779


🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "1) Replacement in go.mod"
rg -n '^replace github.com/openshift/library-go' go.mod

echo
echo "2) Hash pins in go.sum"
rg -n 'github.com/(lance5890/library-go|openshift/library-go)\s+v0\.0\.0-20260605001424-f7fd773c8ec4' go.sum

echo
echo "3) OSV query (by module name)"
curl -sS https://api.osv.dev/v1/query \
  -d '{"package":{"ecosystem":"Go","name":"github.com/openshift/library-go"}}' | jq .
curl -sS https://api.osv.dev/v1/query \
  -d '{"package":{"ecosystem":"Go","name":"github.com/lance5890/library-go"}}' | jq .

echo
echo "4) Fork metadata + license/provenance pointers (use token to avoid rate limits if needed)"
AUTH=""
if [ -n "${GITHUB_TOKEN:-}" ]; then
  AUTH="Authorization: Bearer ${GITHUB_TOKEN}"
fi
curl -sS ${AUTH:+-H "$AUTH"} https://api.github.com/repos/lance5890/library-go | jq '{full_name,private,fork,default_branch,license,parent,html_url,created_at,updated_at,pushed_at}'

echo
echo "5) Releases/artifacts (check for signing/attestations if any)"
releases="$(curl -sS ${AUTH:+-H "$AUTH"} https://api.github.com/repos/lance5890/library-go/releases)"
echo "$releases" | jq 'if type=="array" then .[0:5] | map({tag_name,created_at,published_at,assets:[.assets[]?.name]}) else . end'

Repository: openshift/cluster-kube-controller-manager-operator

Length of output: 706


🏁 Script executed:

#!/bin/bash
set -euo pipefail
rg -n 'library-go|lance5890' go.mod

Repository: openshift/cluster-kube-controller-manager-operator

Length of output: 279


🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "Replacement (go.mod):"
rg -n '^replace github.com/openshift/library-go' go.mod

echo
echo "Hashes for replacement version (go.sum):"
rg -n 'github.com/(openshift/library-go|lance5890/library-go)\s+v0\.0\.0-20260605001424-f7fd773c8ec4' go.sum

echo
echo "OSV (openshift):"
curl -sS https://api.osv.dev/v1/query -d '{"package":{"ecosystem":"Go","name":"github.com/openshift/library-go"}}' | jq .

echo
echo "OSV (lance):"
curl -sS https://api.osv.dev/v1/query -d '{"package":{"ecosystem":"Go","name":"github.com/lance5890/library-go"}}' | jq .

Repository: openshift/cluster-kube-controller-manager-operator

Length of output: 555


Add supply-chain evidence for the github.com/openshift/library-go fork replacement (go.mod line 137)

  • go.mod replaces github.com/openshift/library-go with github.com/lance5890/library-go v0.0.0-20260605001424-f7fd773c8ec4, changing the upstream source of a widely used dependency.
  • The module is also explicitly required at github.com/openshift/library-go v0.0.0-20260409165127-c57da2bf5720, so the trust anchor is altered by this replace.
  • go.sum includes hash pins for the replaced fork version, and OSV lookups for both module names returned no vulnerability records ({}), but the PR still lacks required supply-chain evidence: fork justification, license compatibility, provenance/SBOM/provenance-attestation info, and any Sigstore/cosign signing details for produced artifacts.
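The finding above asks reviewers to confirm the exact replace statement and the go.sum pins by hand. As an added example that is not part of this PR, of CodeRabbit's scripts, or of library-go, the following stand-alone Go program turns that into a repeatable check: it parses go.mod for replace directives (single-line and block form), flags any whose target lives under a hosting account that is neither the source module's nor on a trusted list, records whether a // comment explains the directive, and confirms go.sum carries both the zip hash and the /go.mod hash for the replacement version. The go.mod and go.sum excerpts embedded in it are constructed from the directives quoted in this thread with placeholder digests, and the go.sum excerpt deliberately omits the ginkgo entries so one replace shows up as unpinned; the trusted-owner list, the Documented heuristic and every function name are this example's own assumptions, not anything from the repository.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// Finding describes one replace directive. Documented: a // comment sits on the line directly above it.
// CrossOwner: the target's hosting account is neither the source's nor trusted. Pinned: go.sum has both hashes.
type Finding struct {
	Line                             int
	Old, OldVersion, New, NewVersion string
	Documented, CrossOwner, Pinned   bool
}

// fields splits "path [version]" and pads the result so a bare path yields an empty version.
func fields(s string) []string { return append(strings.Fields(s), "", "") }

// owner is the hosting account of a module path ("github.com/openshift" for github.com/openshift/library-go).
func owner(path string) string {
	if p := strings.SplitN(path, "/", 3); len(p) >= 2 && !strings.HasPrefix(path, ".") && !strings.HasPrefix(path, "/") {
		return p[0] + "/" + p[1]
	}
	return "" // filesystem target (./x, ../x, /x) or a bare name: no hosting account
}

// ParseReplaces handles both `replace a => b v1` and the `replace ( ... )` block form.
func ParseReplaces(gomod string) []Finding {
	var out []Finding
	inBlock, prevWasComment := false, false
	sc := bufio.NewScanner(strings.NewReader(gomod))
	for n := 1; sc.Scan(); n++ {
		raw := strings.TrimSpace(sc.Text())
		line := raw
		if i := strings.Index(line, "//"); i >= 0 { // strip a trailing comment
			line = strings.TrimSpace(line[:i])
		}
		if line == "" { // a blank line resets the flag, a comment-only line sets it
			prevWasComment = strings.HasPrefix(raw, "//")
			continue
		}
		stmt := ""
		switch {
		case inBlock && line == ")":
			inBlock = false
		case inBlock:
			stmt = line
		case line == "replace (":
			inBlock = true
		case strings.HasPrefix(line, "replace "):
			stmt = strings.TrimPrefix(line, "replace ")
		}
		if lhs, rhs, ok := strings.Cut(stmt, "=>"); ok {
			l, r := fields(lhs), fields(rhs)
			out = append(out, Finding{Line: n, Documented: prevWasComment, Old: l[0], OldVersion: l[1], New: r[0], NewVersion: r[1]})
		}
		prevWasComment = false
	}
	return out
}

// SumPins returns every "path version" and "path version/go.mod" key that go.sum carries an h1: hash for.
func SumPins(gosum string) map[string]bool {
	pins := map[string]bool{}
	for _, l := range strings.Split(gosum, "\n") {
		if f := strings.Fields(l); len(f) == 3 && strings.HasPrefix(f[2], "h1:") {
			pins[f[0]+" "+f[1]] = true
		}
	}
	return pins
}

// Audit fills in CrossOwner and Pinned for every replace directive in gomod.
func Audit(gomod, gosum string, trusted map[string]bool) []Finding {
	pins, out := SumPins(gosum), ParseReplaces(gomod)
	for i, f := range out {
		key, to := f.New+" "+f.NewVersion, owner(f.New)
		out[i].CrossOwner = to != owner(f.Old) && !trusted[to]
		out[i].Pinned = pins[key] && pins[key+"/go.mod"] // zip hash and go.mod hash both present
	}
	return out
}

// Constructed excerpts modelled on the directives quoted in the thread. The h1: digests are placeholders,
// and the ginkgo lines are left out of the go.sum excerpt on purpose so that one replace shows as unpinned.
const sampleGoMod = `// Upstream ginkgo does not export these symbols (e.g. Suite); see https://github.com/openshift/onsi-ginkgo.
replace github.com/onsi/ginkgo/v2 => github.com/openshift/onsi-ginkgo/v2 v2.6.1-0.20251001123353-fd5b1fb35db1

replace github.com/openshift/library-go => github.com/lance5890/library-go v0.0.0-20260605001424-f7fd773c8ec4`
const sampleGoSum = `github.com/lance5890/library-go v0.0.0-20260605001424-f7fd773c8ec4 h1:PLACEHOLDERzip00000000000000000000000000000=
github.com/lance5890/library-go v0.0.0-20260605001424-f7fd773c8ec4/go.mod h1:PLACEHOLDERgomod0000000000000000000000000=`

func main() {
	for _, f := range Audit(sampleGoMod, sampleGoSum, map[string]bool{"github.com/openshift": true}) {
		fmt.Printf("go.mod:%d %s => %s %s crossOwner=%t documented=%t pinned=%t\n", f.Line, f.Old, f.New, f.NewVersion, f.CrossOwner, f.Documented, f.Pinned)
	}
}
```

Pointed at a real checkout (os.ReadFile in place of the two constants), it prints one line per replace; for the directives quoted here the library-go entry comes out as crossOwner=true, documented=false, pinned=true, which is the same picture the bot's go.sum grep gave. One caveat specific to this repository, which vendors its dependencies (vendor/modules.txt is in the change set): a matching go.sum entry only tells you what the module cache would download, not what sits under vendor/, so pair this with `go mod vendor` on a clean checkout and check that it produces no diff, and with `go mod verify` to confirm the cached module still matches go.sum.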

@tchap (Contributor) commented Jun 5, 2026

There was IMO no need to replace the previous testing PR, but doesn't matter.

/ok-to-test

@openshift-ci Bot added the ok-to-test label (indicates a non-member PR verified by an org member that is safe to test) and removed the needs-ok-to-test label on Jun 5, 2026
@openshift-ci Bot (Contributor) commented Jun 5, 2026

@lance5890: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name Commit Details Required Rerun command
ci/prow/e2e-aws-ovn 234e58c link true /test e2e-aws-ovn


Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.


Labels

ok-to-test Indicates a non-member PR verified by an org member that is safe to test.
