build(deps): bump github.com/Azure/azure-sdk-for-go/sdk/azcore from 1.21.1 to 1.22.0 in the azure-github-dependencies group across 1 directory

[dependabot]

Bumps the azure-github-dependencies group with 1 update in the / directory: github.com/Azure/azure-sdk-for-go/sdk/azcore.

Updates github.com/Azure/azure-sdk-for-go/sdk/azcore from 1.21.1 to 1.22.0

Release notes

Sourced from github.com/Azure/azure-sdk-for-go/sdk/azcore's releases.

sdk/azcore/v1.22.0

1.22.0 (2026-06-04)

Features Added

• Added type datetime.RFC7231 for date/time values in RFC 1123 format with a fixed GMT timezone.

Other Changes

• Upgraded dependencies.

Commits

• a19f613 Prep azcore@v1.22.0 for release (#26926)
• 5803c0e Increment package version after release of storage/azblob (#26935) (#26943)
• 9a979ff [Automation] Regenerate SDK based on typespec-go branch main 【batch 6】 (#26939)
• 711094d eng/tools/generator: release v0.4.14 (#26934)
• 20bd677 Deprecate Change Analysis SDK (#26913)
• 92a31ec [Automation] Regenerate SDK based on typespec-go branch main 【batch 5】 (#26932)
• 768459d azcertificates: live recording for PlatformManaged + review fixes (follow-up ...
• e845f72 Update codeowners (#26918)
• 118bb35 eng/tools/internal/exports: handle untyped const with selector expr value (#2...
• 2b3767b Configurations: 'specification/containerservice/resource-manager/Microsoft.C...
• Additional commits viewable in compare view

Summary by CodeRabbit

• Chores
  • Updated Go module dependencies to newer versions.
  • These dependency bumps are limited to module metadata only; no changes to exported APIs or application behavior.

[openshift-merge-bot]

Pipeline controller notification
This repo is configured to use the pipeline controller. Second-stage tests will be triggered either automatically or after lgtm label is added, depending on the repository configuration. The pipeline controller will automatically detect which contexts are required and will utilize /test Prow commands to trigger the second stage.

For optional jobs, comment /test ? to see a list of all defined jobs. To trigger manually all jobs from second stage use /pipeline required command.

This repository is configured in: LGTM mode

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 80cb69ce-8f00-480b-80f3-19c59b3abf04

📥 Commits

Reviewing files that changed from the base of the PR and between 91d2cb6 and e055568.

⛔ Files ignored due to path filters (89)

• go.sum is excluded by !**/*.sum
• vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/CHANGELOG.md is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/internal/shared/constants.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/runtime/policy_bearer_token.go is excluded by !vendor/**, !**/vendor/**
• vendor/golang.org/x/net/html/parse.go is excluded by !vendor/**, !**/vendor/**
• vendor/golang.org/x/net/html/render.go is excluded by !vendor/**, !**/vendor/**
• vendor/golang.org/x/net/html/token.go is excluded by !vendor/**, !**/vendor/**
• vendor/golang.org/x/net/http2/server.go is excluded by !vendor/**, !**/vendor/**
• vendor/golang.org/x/net/http2/server_common.go is excluded by !vendor/**, !**/vendor/**
• vendor/golang.org/x/net/http2/server_wrap.go is excluded by !vendor/**, !**/vendor/**
• vendor/golang.org/x/net/http2/transport.go is excluded by !vendor/**, !**/vendor/**
• vendor/golang.org/x/net/http2/transport_common.go is excluded by !vendor/**, !**/vendor/**
• vendor/golang.org/x/net/http2/writesched_common.go is excluded by !vendor/**, !**/vendor/**
• vendor/golang.org/x/net/http2/writesched_priority_rfc7540.go is excluded by !vendor/**, !**/vendor/**
• vendor/golang.org/x/sys/cpu/cpu.go is excluded by !vendor/**, !**/vendor/**
• vendor/golang.org/x/sys/cpu/cpu_linux_riscv64.go is excluded by !vendor/**, !**/vendor/**
• vendor/golang.org/x/sys/cpu/cpu_loong64.go is excluded by !vendor/**, !**/vendor/**
• vendor/golang.org/x/sys/cpu/cpu_riscv64.go is excluded by !vendor/**, !**/vendor/**
• vendor/golang.org/x/sys/unix/mkerrors.sh is excluded by !vendor/**, !**/vendor/**
• vendor/golang.org/x/sys/unix/readv_unix.go is excluded by !vendor/**, !**/vendor/**
• vendor/golang.org/x/sys/unix/syscall_darwin.go is excluded by !vendor/**, !**/vendor/**
• vendor/golang.org/x/sys/unix/syscall_linux.go is excluded by !vendor/**, !**/vendor/**
• vendor/golang.org/x/sys/unix/syscall_openbsd.go is excluded by !vendor/**, !**/vendor/**
• vendor/golang.org/x/sys/unix/zerrors_linux.go is excluded by !vendor/**, !**/vendor/**
• vendor/golang.org/x/sys/unix/zerrors_linux_386.go is excluded by !vendor/**, !**/vendor/**
• vendor/golang.org/x/sys/unix/zerrors_linux_amd64.go is excluded by !vendor/**, !**/vendor/**
• vendor/golang.org/x/sys/unix/zerrors_linux_arm.go is excluded by !vendor/**, !**/vendor/**
• vendor/golang.org/x/sys/unix/zerrors_linux_arm64.go is excluded by !vendor/**, !**/vendor/**
• vendor/golang.org/x/sys/unix/zerrors_linux_loong64.go is excluded by !vendor/**, !**/vendor/**
• vendor/golang.org/x/sys/unix/zerrors_linux_mips.go is excluded by !vendor/**, !**/vendor/**
• vendor/golang.org/x/sys/unix/zerrors_linux_mips64.go is excluded by !vendor/**, !**/vendor/**
• vendor/golang.org/x/sys/unix/zerrors_linux_mips64le.go is excluded by !vendor/**, !**/vendor/**
• vendor/golang.org/x/sys/unix/zerrors_linux_mipsle.go is excluded by !vendor/**, !**/vendor/**
• vendor/golang.org/x/sys/unix/zerrors_linux_ppc.go is excluded by !vendor/**, !**/vendor/**
• vendor/golang.org/x/sys/unix/zerrors_linux_ppc64.go is excluded by !vendor/**, !**/vendor/**
• vendor/golang.org/x/sys/unix/zerrors_linux_ppc64le.go is excluded by !vendor/**, !**/vendor/**
• vendor/golang.org/x/sys/unix/zerrors_linux_riscv64.go is excluded by !vendor/**, !**/vendor/**
• vendor/golang.org/x/sys/unix/zerrors_linux_s390x.go is excluded by !vendor/**, !**/vendor/**
• vendor/golang.org/x/sys/unix/zerrors_linux_sparc64.go is excluded by !vendor/**, !**/vendor/**
• vendor/golang.org/x/sys/unix/zsyscall_linux.go is excluded by !vendor/**, !**/vendor/**
• vendor/golang.org/x/sys/unix/zsyscall_openbsd_386.go is excluded by !vendor/**, !**/vendor/**
• vendor/golang.org/x/sys/unix/zsyscall_openbsd_386.s is excluded by !vendor/**, !**/vendor/**
• vendor/golang.org/x/sys/unix/zsyscall_openbsd_amd64.go is excluded by !vendor/**, !**/vendor/**
• vendor/golang.org/x/sys/unix/zsyscall_openbsd_amd64.s is excluded by !vendor/**, !**/vendor/**
• vendor/golang.org/x/sys/unix/zsyscall_openbsd_arm.go is excluded by !vendor/**, !**/vendor/**
• vendor/golang.org/x/sys/unix/zsyscall_openbsd_arm.s is excluded by !vendor/**, !**/vendor/**
• vendor/golang.org/x/sys/unix/zsyscall_openbsd_arm64.go is excluded by !vendor/**, !**/vendor/**
• vendor/golang.org/x/sys/unix/zsyscall_openbsd_arm64.s is excluded by !vendor/**, !**/vendor/**
• vendor/golang.org/x/sys/unix/zsyscall_openbsd_mips64.go is excluded by !vendor/**, !**/vendor/**
• vendor/golang.org/x/sys/unix/zsyscall_openbsd_mips64.s is excluded by !vendor/**, !**/vendor/**
• vendor/golang.org/x/sys/unix/zsyscall_openbsd_ppc64.go is excluded by !vendor/**, !**/vendor/**
• vendor/golang.org/x/sys/unix/zsyscall_openbsd_ppc64.s is excluded by !vendor/**, !**/vendor/**
• vendor/golang.org/x/sys/unix/zsyscall_openbsd_riscv64.go is excluded by !vendor/**, !**/vendor/**
• vendor/golang.org/x/sys/unix/zsyscall_openbsd_riscv64.s is excluded by !vendor/**, !**/vendor/**
• vendor/golang.org/x/sys/unix/zsysnum_linux_386.go is excluded by !vendor/**, !**/vendor/**
• vendor/golang.org/x/sys/unix/zsysnum_linux_amd64.go is excluded by !vendor/**, !**/vendor/**
• vendor/golang.org/x/sys/unix/zsysnum_linux_arm.go is excluded by !vendor/**, !**/vendor/**
• vendor/golang.org/x/sys/unix/zsysnum_linux_arm64.go is excluded by !vendor/**, !**/vendor/**
• vendor/golang.org/x/sys/unix/zsysnum_linux_loong64.go is excluded by !vendor/**, !**/vendor/**
• vendor/golang.org/x/sys/unix/zsysnum_linux_mips.go is excluded by !vendor/**, !**/vendor/**
• vendor/golang.org/x/sys/unix/zsysnum_linux_mips64.go is excluded by !vendor/**, !**/vendor/**
• vendor/golang.org/x/sys/unix/zsysnum_linux_mips64le.go is excluded by !vendor/**, !**/vendor/**
• vendor/golang.org/x/sys/unix/zsysnum_linux_mipsle.go is excluded by !vendor/**, !**/vendor/**
• vendor/golang.org/x/sys/unix/zsysnum_linux_ppc.go is excluded by !vendor/**, !**/vendor/**
• vendor/golang.org/x/sys/unix/zsysnum_linux_ppc64.go is excluded by !vendor/**, !**/vendor/**
• vendor/golang.org/x/sys/unix/zsysnum_linux_ppc64le.go is excluded by !vendor/**, !**/vendor/**
• vendor/golang.org/x/sys/unix/zsysnum_linux_riscv64.go is excluded by !vendor/**, !**/vendor/**
• vendor/golang.org/x/sys/unix/zsysnum_linux_s390x.go is excluded by !vendor/**, !**/vendor/**
• vendor/golang.org/x/sys/unix/zsysnum_linux_sparc64.go is excluded by !vendor/**, !**/vendor/**
• vendor/golang.org/x/sys/unix/ztypes_linux.go is excluded by !vendor/**, !**/vendor/**
• vendor/golang.org/x/sys/unix/ztypes_linux_386.go is excluded by !vendor/**, !**/vendor/**
• vendor/golang.org/x/sys/unix/ztypes_linux_amd64.go is excluded by !vendor/**, !**/vendor/**
• vendor/golang.org/x/sys/unix/ztypes_linux_arm.go is excluded by !vendor/**, !**/vendor/**
• vendor/golang.org/x/sys/unix/ztypes_linux_arm64.go is excluded by !vendor/**, !**/vendor/**
• vendor/golang.org/x/sys/unix/ztypes_linux_loong64.go is excluded by !vendor/**, !**/vendor/**
• vendor/golang.org/x/sys/unix/ztypes_linux_mips.go is excluded by !vendor/**, !**/vendor/**
• vendor/golang.org/x/sys/unix/ztypes_linux_mips64.go is excluded by !vendor/**, !**/vendor/**
• vendor/golang.org/x/sys/unix/ztypes_linux_mips64le.go is excluded by !vendor/**, !**/vendor/**
• vendor/golang.org/x/sys/unix/ztypes_linux_mipsle.go is excluded by !vendor/**, !**/vendor/**
• vendor/golang.org/x/sys/unix/ztypes_linux_ppc.go is excluded by !vendor/**, !**/vendor/**
• vendor/golang.org/x/sys/unix/ztypes_linux_ppc64.go is excluded by !vendor/**, !**/vendor/**
• vendor/golang.org/x/sys/unix/ztypes_linux_ppc64le.go is excluded by !vendor/**, !**/vendor/**
• vendor/golang.org/x/sys/unix/ztypes_linux_riscv64.go is excluded by !vendor/**, !**/vendor/**
• vendor/golang.org/x/sys/unix/ztypes_linux_s390x.go is excluded by !vendor/**, !**/vendor/**
• vendor/golang.org/x/sys/unix/ztypes_linux_sparc64.go is excluded by !vendor/**, !**/vendor/**
• vendor/golang.org/x/sys/windows/syscall_windows.go is excluded by !vendor/**, !**/vendor/**
• vendor/golang.org/x/sys/windows/types_windows.go is excluded by !vendor/**, !**/vendor/**
• vendor/golang.org/x/sys/windows/zsyscall_windows.go is excluded by !vendor/**, !**/vendor/**
• vendor/modules.txt is excluded by !vendor/**, !**/vendor/**

📒 Files selected for processing (1)

• go.mod

🚧 Files skipped from review as they are similar to previous changes (1)

• go.mod

---

📝 Walkthrough

Walkthrough

This PR updates three Go module dependencies in go.mod: github.com/Azure/azure-sdk-for-go/sdk/azcore from v1.21.1 to v1.22.0, golang.org/x/net from v0.54.0 to v0.55.0, and the indirect golang.org/x/sys from v0.44.0 to v0.45.0. No other module directives, code changes, or exported API modifications are present.

Suggested reviewers

• enxebre
• sjenning
• bryan-cox

---

Important

Pre-merge checks failed

Please resolve all errors before merging. Addressing warnings is optional.

❌ Failed checks (1 error, 1 warning)

Check name	Status	Explanation	Resolution
Container-Privileges	❌ Error	PR adds K8s manifests with privileged containers: kubelet-config-daemonset.yaml (privileged:true, hostPID:true, hostNetwork:true) and daemonset.yaml (privileged:true, allowPrivilegeEscalation:true).	Justify security requirements for privileged containers; restrict capabilities instead of using privileged:true; set allowPrivilegeEscalation:false unless essential.
Ipv6 And Disconnected Network Test Compatibility	⚠️ Warning	PR adds 25+ new Ginkgo e2e tests in test/e2e/v2/tests/ without visible IPv6/disconnected environment guards, risking failures on IPv6-only CI jobs.	Verify IPv6 compatibility using GetIPAddressFamily(), add [Skipped:Disconnected] for tests requiring external connectivity, use correctCIDRFamily() for IP/CIDR handling.

✅ Passed checks (9 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title is partially related to the changeset—it mentions the Azure SDK upgrade but omits the other two dependency updates (golang.org/x/net and golang.org/x/sys) that were also made in the PR.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names	✅ Passed	PR only updates go.mod/go.sum dependency versions with no changes to test code. The Ginkgo test stability check is not applicable to this PR.
Test Structure And Quality	✅ Passed	PR only updates Go module dependencies (go.mod/go.sum). No Ginkgo test code was modified, added, or created, making this check inapplicable to a dependency-only PR.
Topology-Aware Scheduling Compatibility	✅ Passed	PR only updates Go module dependencies in go.mod. No deployment manifests, operator code, or controllers are modified, making the topology-aware check inapplicable.
No-Weak-Crypto	✅ Passed	PR only updates go.mod/go.sum dependencies with no application code changes. No weak cryptography introduced in application source code by this dependency bump.
No-Sensitive-Data-In-Logs	✅ Passed	PR only updates dependencies in go.mod/go.sum with auto-generated code and vendor files. No logging statements introduced that could expose sensitive data.

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch dependabot/go_modules/azure-github-dependencies-4ae746bd53

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[openshift-ci]

Hi @dependabot[bot]. Thanks for your PR.

I'm waiting for a openshift member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work.

Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[hypershift-jira-solve-ci]

I now have all the evidence needed. Here's the complete analysis:

Test Failure Analysis Complete

Job Information

• Prow Job: verify / Verify (GitHub Actions workflow)
• Build ID: 26982691294 (job 79625402532)
• PR: #8676 — bump github.com/Azure/azure-sdk-for-go/sdk/azcore from 1.21.1 to 1.22.0
• Branch: dependabot/go_modules/azure-github-dependencies-4ae746bd53
• Failed Step: Run make generate update → Makefile target hypershift-api

Test Failure Analysis

Error

Error: load packages in root "/home/runner/_work/hypershift/hypershift/api": err: exit status 1:
stderr: go: inconsistent vendoring in /home/runner/_work/hypershift/hypershift/api:
    golang.org/x/net@v0.55.0: is explicitly required in go.mod, but not marked as explicit in vendor/modules.txt
    golang.org/x/net@v0.54.0: is marked as explicit in vendor/modules.txt, but not explicitly required in go.mod

    To ignore the vendor directory, use -mod=readonly or -mod=mod.
    To sync the vendor directory, run:
        go mod vendor

make: *** [Makefile:252: hypershift-api] Error 1

Summary

The Dependabot PR bumped azcore v1.21.1→v1.22.0 in the root module, which pulled in a transitive dependency upgrade of golang.org/x/net from v0.54.0 to v0.55.0. Dependabot correctly updated the root go.mod, go.sum, and vendor/ directory, but it did not update the separate api/ sub-module that also depends on golang.org/x/net. The api/go.mod still requires golang.org/x/net@v0.54.0, and its api/vendor/modules.txt also still pins v0.54.0. When make generate update runs controller-gen against paths="./api/...", controller-gen loads the api/ module and Go detects that go.mod says v0.55.0 (resolved from the root) but vendor/modules.txt says v0.54.0 — an inconsistent vendor state that causes the build to fail.

Root Cause

The HyperShift repository uses a multi-module Go layout: the root go.mod at / and a separate api/go.mod at /api/. Both modules depend on golang.org/x/net.

Dependabot bumped azcore v1.21.1→v1.22.0 in the root module only. The new azcore v1.22.0 requires golang.org/x/net@v0.55.0 (up from v0.54.0), and Dependabot correctly updated:

• Root go.mod: golang.org/x/net v0.54.0 → v0.55.0
• Root go.sum: updated checksums for golang.org/x/net@v0.55.0
• Root vendor/modules.txt: updated to golang.org/x/net v0.55.0
• Root vendor/golang.org/x/net/...: updated vendored source files

However, Dependabot is unaware of the api/ sub-module. The api/ module was left untouched:

• api/go.mod still pins golang.org/x/net@v0.54.0
• api/vendor/modules.txt still references golang.org/x/net@v0.54.0

During make generate update, the Makefile target hypershift-api (line 252) runs:

controller-gen object:headerFile="hack/boilerplate.go.txt" paths="./api/..."

controller-gen loads Go packages from the api/ directory. When Go resolves dependencies for the api/ module, it finds that the vendored golang.org/x/net files have been updated to v0.55.0 (by the root module changes), but api/vendor/modules.txt still declares v0.54.0. This mismatch triggers Go's go: inconsistent vendoring error and the build fails with exit code 1.

This is a known limitation of Dependabot with multi-module Go repositories — it only updates the module where the direct dependency is declared and does not cascade updates to sibling modules sharing transitive dependencies.

Recommendations

1. Manually sync the api/ module: Run the following commands to update api/'s dependencies and vendor directory:

   cd api/
   go get golang.org/x/net@v0.55.0
   go mod tidy
   go mod vendor

   Then commit the changes to api/go.mod, api/go.sum, and api/vendor/ alongside this PR.

2. Add CI validation for multi-module consistency: Consider adding a pre-check in the Verify workflow that runs go mod verify in all sub-modules before make generate update, to catch vendor inconsistencies earlier with a clearer error message.

3. Configure Dependabot for multi-module awareness: Update .github/dependabot.yml to include the api/ directory as a separate package ecosystem entry so Dependabot independently manages its dependencies:

   - package-ecosystem: "gomod"
     directory: "/api"
     schedule:
       interval: "weekly"

4. Consider a post-Dependabot hook or workflow: Add a GitHub Actions workflow that, on Dependabot PRs, automatically runs go mod tidy && go mod vendor in all sub-modules and pushes the fixup commit.

Evidence

Evidence	Detail
Error source	controller-gen loading packages from api/ directory (Makefile line 252: hypershift-api target)
Root go.mod	golang.org/x/net v0.55.0 (updated by Dependabot)
api/go.mod	golang.org/x/net v0.54.0 (NOT updated by Dependabot)
Root vendor/modules.txt	# golang.org/x/net v0.55.0 (updated)
api/vendor/modules.txt	# golang.org/x/net v0.54.0 (stale)
PR changed files	90 files modified — all under root go.mod, go.sum, vendor/; zero files under api/
Trigger	azcore v1.22.0 pulls in golang.org/x/net@v0.55.0 and golang.org/x/sys@v0.45.0 as transitive deps
Failed step	Run make generate update → make: *** [Makefile:252: hypershift-api] Error 1
Job logs	GitHub Actions job 79625402532

---

[openshift-ci]

@dependabot[bot]: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

[muraee]

/approve

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: dependabot[bot], muraee

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS [muraee]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment