NO-JIRA: ci(deps): bump google-github-actions/auth from 2.1.13 to 3.0.0

[dependabot]

Bumps google-github-actions/auth from 2.1.13 to 3.0.0.

Release notes

Sourced from google-github-actions/auth's releases.

v3.0.0

What's Changed

• Bump to Node 24 and remove old parameters by @​sethvargo in google-github-actions/auth#508
• Remove hacky script by @​sethvargo in google-github-actions/auth#509
• Release: v3.0.0 by @​google-github-actions-bot in google-github-actions/auth#510

Full Changelog: google-github-actions/auth@v2...v3.0.0

Commits

• 7c6bc77 Release: v3.0.0 (#510)
• 42e4997 Remove hacky script (#509)
• 5ea4dc1 Bump to Node 24 and remove old parameters (#508)
• See full diff in compare view

Summary by CodeRabbit

No user-facing changes in this release.

• Chores
  • Updated internal CI/CD infrastructure configuration.

[openshift-merge-bot]

Pipeline controller notification
This repo is configured to use the pipeline controller. Second-stage tests will be triggered either automatically or after lgtm label is added, depending on the repository configuration. The pipeline controller will automatically detect which contexts are required and will utilize /test Prow commands to trigger the second stage.

For optional jobs, comment /test ? to see a list of all defined jobs. To trigger manually all jobs from second stage use /pipeline required command.

This repository is configured in: LGTM mode

[coderabbitai]

Caution

Review failed

Failed to post review comments

📝 Walkthrough

Walkthrough

The PR updates the google-github-actions/auth action from v2 to v3.0.0 in the address-review-comments GitHub Actions workflow by replacing the pinned commit reference. No other workflow logic or configuration was modified.

Possibly related PRs

• openshift/hypershift#8621: Modifies the same address-review-comments.yaml workflow file's GCP Workload Identity Federation authentication step.
• openshift/hypershift#8588: Adds a GitHub Actions workflow that performs GCP Workload Identity Federation authentication via google-github-actions/auth.

Suggested reviewers

• Nirshal

🚥 Pre-merge checks | ✅ 11

✅ Passed checks (11 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately and concisely describes the main change: bumping the google-github-actions/auth dependency from v2.1.13 to v3.0.0, which aligns with the changeset that updates the workflow to use the newer version.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names	✅ Passed	PR modifies only a GitHub Actions workflow YAML file, not Go test files. Ginkgo test check is not applicable to workflow configuration.
Test Structure And Quality	✅ Passed	This PR updates a GitHub Actions workflow file, not Ginkgo test code. The check for Ginkgo test structure and quality is not applicable as there are no test files modified.
Topology-Aware Scheduling Compatibility	✅ Passed	PR updates a GitHub Actions workflow, not Kubernetes manifests or operator code. No deployment, scheduling constraints, or topology-related changes—only a CI dependency version bump.
Ipv6 And Disconnected Network Test Compatibility	✅ Passed	PR only modifies GitHub Actions workflow for GCP authentication, not test files. Custom check for IPv6/disconnected network compatibility applies only to new Ginkgo e2e tests.
No-Weak-Crypto	✅ Passed	No weak cryptography (MD5, SHA1, DES, RC4, 3DES, Blowfish, ECB), custom crypto implementations, or non-constant-time secret comparisons found in the PR changes or affected files.
Container-Privileges	✅ Passed	The check for container privileges is not applicable. The modified file is a GitHub Actions workflow, not a Kubernetes manifest, and contains no privileged container settings.
No-Sensitive-Data-In-Logs	✅ Passed	The workflow has no logging that exposes tokens, passwords, API keys, or PII. Secrets are used safely in headers and env variables without being echoed.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch dependabot/github_actions/google-github-actions/auth-3.0.0

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[openshift-ci]

Hi @dependabot[bot]. Thanks for your PR.

I'm waiting for a openshift member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work.

Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[openshift-ci]

rebase

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[hypershift-jira-solve-ci]

Now I have the full picture. Let me compile the report.

Test Failure Analysis Complete

Job Information

• Prow Job: pull-ci-openshift-hypershift-main-images
• Build ID: 2060393367254077440
• Target: images (hypershift-tests, hypershift-operator, hypershift-cli, hypershift)
• Failed Step: Build image hypershift-tests from the repository (hypershift-tests-amd64)

Test Failure Analysis

Error

the build hypershift-tests-amd64 failed after 5m40s with reason DockerBuildFailed: Dockerfile build strategy has failed.

Root cause (from PR #8638 analysis):
nothing provides python3.12 needed by azure-cli-2.86.0-1.el9.x86_64 from packages-microsoft-com-prod

Summary

The hypershift-tests-amd64 Docker image build fails during dnf install -y azure-cli in Dockerfile.e2e. This is caused by an upstream infrastructure change (openshift/release#79773, merged May 28) that switched CI RHEL 9 repos from mirror2.openshift.com (GA content) to cdn.redhat.com E4S/EUS endpoints. The latest azure-cli (≥2.73.0) requires python3.12, which is not available in E4S/EUS repos — only python3.9 is. Since Dockerfile.e2e installs azure-cli without a version pin, dnf attempts to install the latest version (2.86.0) and fails on the missing python3.12 dependency. This failure is not caused by PR #8630 (which only changes a GitHub Actions workflow file); it is a pre-existing infrastructure issue affecting all PRs that build the hypershift-tests image. The fix is already available in PR #8638, which pins azure-cli to version 2.72.0 (the last version requiring only python3.9).

Root Cause

The failure chain is:

1. Trigger: openshift/release#79773 (merged 2026-05-28T07:49Z) switched CI RHEL 9 builder image repos from mirror2.openshift.com (GA content with python3.12) to cdn.redhat.com E4S/EUS endpoints (which only have python3.9).

2. Dependency conflict: Dockerfile.e2e runs dnf install -y azure-cli without a version pin. The Microsoft packages-microsoft-prod repo offers azure-cli-2.86.0, which requires python3.12. Since python3.12 is no longer available in the E4S/EUS base repos, dnf cannot resolve the dependency and the install fails.

3. Version boundary: azure-cli <= 2.72.0 depends on python3.9 (available in E4S). azure-cli >= 2.73.0 depends on python3.12 (not available in E4S).

4. Impact: 100% failure rate on all PRs building the hypershift-tests image since the repo change was merged. The other images (hypershift, hypershift-operator, hypershift-cli) are unaffected because they do not install azure-cli.

5. PR NO-JIRA: ci(deps): bump google-github-actions/auth from 2.1.13 to 3.0.0 #8630 innocence: This PR only changes .github/workflows/address-review-comments.yaml (a GitHub Actions workflow file). It has zero effect on Docker image builds. The failure is a coincidence of timing — the infrastructure change broke all hypershift-tests builds.

Recommendations

1. Immediate fix: Merge PR #8638 which pins azure-cli to version 2.72.0 in Dockerfile.e2e, then retest PR NO-JIRA: ci(deps): bump google-github-actions/auth from 2.1.13 to 3.0.0 #8630.

2. Retest PR NO-JIRA: ci(deps): bump google-github-actions/auth from 2.1.13 to 3.0.0 #8630: After PR OCPBUGS-86774: Pin azure-cli to 2.72.0 in e2e Dockerfile #8638 is merged, run /retest on PR NO-JIRA: ci(deps): bump google-github-actions/auth from 2.1.13 to 3.0.0 #8630. The failure is unrelated to the PR's changes.

3. Long-term: Consider adding a version pin comment in Dockerfile.e2e explaining the python3.12 dependency boundary, so future updates are done intentionally rather than accidentally pulling a breaking version.

Evidence

Evidence	Detail
Failed build	hypershift-tests-amd64 — DockerBuildFailed after 5m40s
Failing Dockerfile step	dnf install -y azure-cli in Dockerfile.e2e (unpinned version)
Infrastructure change	openshift/release#79773 merged 2026-05-28T07:49Z — switched RHEL 9 repos to E4S/EUS
Dependency conflict	azure-cli >= 2.73.0 requires python3.12, unavailable in E4S/EUS repos
Fix PR	PR #8638 — pins azure-cli-2.72.0 (last version needing python3.9)
Fix PR images job	SUCCESS — confirms the pin resolves the build failure
PR #8630 change scope	Only modifies .github/workflows/address-review-comments.yaml — no Docker build impact
Other affected PRs	PRs #8640, #8633, #8624 also fail on ci/prow/images with the same root cause
Unaffected images	hypershift-amd64, hypershift-operator-amd64, hypershift-cli-amd64 — all succeeded (no azure-cli dependency)
Build log gap	hypershift-tests-amd64.log was not captured in artifacts — BUILD_LOGLEVEL=0 and build failure prevented log upload

---

[cblecker]

/lgtm
/approve
/verified bypass

[openshift-ci-robot]

@cblecker: The verified label has been added.

Details

In response to this:

/lgtm
/approve
/verified bypass

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[cblecker]

/retitle NO-JIRA: ci(deps): bump google-github-actions/auth from 2.1.13 to 3.0.0

[openshift-ci-robot]

@dependabot[bot]: This pull request explicitly references no jira issue.

Details

In response to this:

Bumps google-github-actions/auth from 2.1.13 to 3.0.0.

Release notes

Sourced from google-github-actions/auth's releases.

v3.0.0

What's Changed

• Bump to Node 24 and remove old parameters by @​sethvargo in google-github-actions/auth#508
• Remove hacky script by @​sethvargo in google-github-actions/auth#509
• Release: v3.0.0 by @​google-github-actions-bot in google-github-actions/auth#510

Full Changelog: google-github-actions/auth@v2...v3.0.0

Commits

• 7c6bc77 Release: v3.0.0 (#510)
• 42e4997 Remove hacky script (#509)
• 5ea4dc1 Bump to Node 24 and remove old parameters (#508)
• See full diff in compare view

Summary by CodeRabbit

No user-facing changes in this release.

• Chores
• Updated internal CI/CD infrastructure configuration.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[openshift-merge-bot]

Pipeline controller notification

No second-stage tests were triggered for this PR.

This can happen when:

• The changed files don't match any pipeline_run_if_changed patterns
• All files match pipeline_skip_if_only_changed patterns
• No pipeline-controlled jobs are defined for the main branch

Use /test ? to see all available tests.

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: cblecker, dependabot[bot]

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS [cblecker]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[openshift-merge-bot]

/retest-required

Remaining retests: 0 against base HEAD 5c01c96 and 2 for PR HEAD 5c07b11 in total

[openshift-ci]

@dependabot: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.