build(deps): bump the k8s-dependencies group across 1 directory with 3 updates

[dependabot]

Bumps the k8s-dependencies group with 1 update in the / directory: k8s.io/apimachinery.

Updates k8s.io/apimachinery from 0.35.1 to 0.36.1

Commits

• 7af103a Update dependencies to v0.36.1 tag
• efb7f26 Merge remote-tracking branch 'origin/master' into release-1.36
• d966e56 Update github.com/moby/spdystream from v0.5.0 to v0.5.1
• 79b3632 Merge pull request #137864 from yongruilin/dv-dra-mismatch
• a8822f7 Add slice and map union member support with tests
• 7dba2d0 Use IsZero instead of IsNil for union ratcheting check
• d95710f Fix union validation ratcheting when oldObj is nil
• 729062d Merge pull request #137849 from bryantbiggs/deps/update-kube-openapi
• 13b12e6 dependencies: bump kube-openapi to drop ginkgo/gomega indirect deps
• 27f4670 Merge pull request #136657 from Jefftree/sharding-test
• Additional commits viewable in compare view

Updates k8s.io/klog/v2 from 2.130.1 to 2.140.0

Release notes

Sourced from k8s.io/klog/v2's releases.

Prepare klog release for Kubernetes v1.36

What's Changed

• Add dependabot by @​lucacome in kubernetes/klog#410
• Use strconv.AppendQuote instead of strconv.Quote for message formatting by @​astef in kubernetes/klog#413
• de-duplication of key/value pairs by @​pohly in kubernetes/klog#415
• Fix: Ensure constant format strings in fmt and printf calls by @​mikelolasagasti in kubernetes/klog#417
• Remove old note on Go version requirements by @​guettli in kubernetes/klog#425
• test with 1.24 and 1.25 by @​pohly in kubernetes/klog#428
• ktesting: fix vmodule support by @​pohly in kubernetes/klog#431
• ktesting: support multi-line result from AnyToStringHook by @​pohly in kubernetes/klog#433
• textlogger: optionally turn off header by @​pohly in kubernetes/klog#430
• feat: fix stderrthreshold not honored when logtostderr is set (#212) + two new flags by @​pierluigilenoci in kubernetes/klog#432

New Contributors

• @​lucacome made their first contribution in kubernetes/klog#410
• @​astef made their first contribution in kubernetes/klog#413
• @​mikelolasagasti made their first contribution in kubernetes/klog#417
• @​guettli made their first contribution in kubernetes/klog#425
• @​pierluigilenoci made their first contribution in kubernetes/klog#432

Full Changelog: kubernetes/klog@v2.130.1...v2.140.0

Commits

• ef4b370 Merge pull request #432 from pierluigilenoci/fix/stderr-threshold-issue-212
• 39c4c76 refactor: address code review feedback from @​pohly
• 764a9a3 Merge pull request #430 from pohly/textlogger-optional-header
• 015c613 Update stderr_threshold_test.go
• 2f517bd Update klog.go
• 36bc4ff textlogger: optionally turn off header
• 5f1f303 Merge pull request #433 from pohly/textlogger-hook-result
• c469d41 Merge pull request #431 from pohly/ktesting-vmodule-fix
• 8509d6a ktesting: support multi-line result from AnyToStringHook
• 08e6e8b Fix stderrthreshold not honored when logtostderr is set
• Additional commits viewable in compare view

Updates k8s.io/utils from 0.0.0-20260108192941-914a6e750570 to 0.0.0-20260210185600-b8788abfbbc2

Commits

• See full diff in compare view

Summary by CodeRabbit

• Chores
  • Updated minimum Go version requirement to 1.26.0
  • Refreshed project dependencies for improved stability and compatibility

[openshift-merge-bot]

Pipeline controller notification
This repo is configured to use the pipeline controller. Second-stage tests will be triggered either automatically or after lgtm label is added, depending on the repository configuration. The pipeline controller will automatically detect which contexts are required and will utilize /test Prow commands to trigger the second stage.

For optional jobs, comment /test ? to see a list of all defined jobs. To trigger manually all jobs from second stage use /pipeline required command.

This repository is configured in: LGTM mode

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 5bcc4e79-7fd5-478f-a373-6686deb71c9e

📥 Commits

Reviewing files that changed from the base of the PR and between 93f03bc and fe3a8aa.

⛔ Files ignored due to path filters (88)

• go.sum is excluded by !**/*.sum
• vendor/github.com/mxk/go-flowrate/LICENSE is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/mxk/go-flowrate/flowrate/flowrate.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/mxk/go-flowrate/flowrate/io.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/mxk/go-flowrate/flowrate/util.go is excluded by !vendor/**, !**/vendor/**
• vendor/google.golang.org/protobuf/encoding/protodelim/protodelim.go is excluded by !vendor/**, !**/vendor/**
• vendor/google.golang.org/protobuf/encoding/protojson/decode.go is excluded by !vendor/**, !**/vendor/**
• vendor/google.golang.org/protobuf/encoding/protojson/well_known_types.go is excluded by !vendor/**, !**/vendor/**
• vendor/google.golang.org/protobuf/encoding/prototext/decode.go is excluded by !vendor/**, !**/vendor/**
• vendor/google.golang.org/protobuf/internal/descfmt/stringer.go is excluded by !vendor/**, !**/vendor/**
• vendor/google.golang.org/protobuf/internal/version/version.go is excluded by !vendor/**, !**/vendor/**
• vendor/google.golang.org/protobuf/reflect/protodesc/desc_init.go is excluded by !vendor/**, !**/vendor/**
• vendor/k8s.io/apimachinery/pkg/api/equality/semantic.go is excluded by !vendor/**, !**/vendor/**
• vendor/k8s.io/apimachinery/pkg/api/resource/generated.protomessage.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**, !**/*.pb.go
• vendor/k8s.io/apimachinery/pkg/api/validate/content/errors.go is excluded by !vendor/**, !**/vendor/**
• vendor/k8s.io/apimachinery/pkg/api/validate/content/path.go is excluded by !vendor/**, !**/vendor/**
• vendor/k8s.io/apimachinery/pkg/api/validate/discriminator.go is excluded by !vendor/**, !**/vendor/**
• vendor/k8s.io/apimachinery/pkg/api/validate/limits.go is excluded by !vendor/**, !**/vendor/**
• vendor/k8s.io/apimachinery/pkg/api/validate/strfmt.go is excluded by !vendor/**, !**/vendor/**
• vendor/k8s.io/apimachinery/pkg/api/validate/union.go is excluded by !vendor/**, !**/vendor/**
• vendor/k8s.io/apimachinery/pkg/api/validation/path/name.go is excluded by !vendor/**, !**/vendor/**
• vendor/k8s.io/apimachinery/pkg/apis/meta/internalversion/conversion.go is excluded by !vendor/**, !**/vendor/**
• vendor/k8s.io/apimachinery/pkg/apis/meta/internalversion/types.go is excluded by !vendor/**, !**/vendor/**
• vendor/k8s.io/apimachinery/pkg/apis/meta/internalversion/zz_generated.conversion.go is excluded by !vendor/**, !**/vendor/**, !**/zz_generated*.go, !**/zz_generated*
• vendor/k8s.io/apimachinery/pkg/apis/meta/v1/fieldsv1.go is excluded by !vendor/**, !**/vendor/**
• vendor/k8s.io/apimachinery/pkg/apis/meta/v1/fieldsv1_byte.go is excluded by !vendor/**, !**/vendor/**
• vendor/k8s.io/apimachinery/pkg/apis/meta/v1/fieldsv1_string.go is excluded by !vendor/**, !**/vendor/**, !**/*_string.go
• vendor/k8s.io/apimachinery/pkg/apis/meta/v1/generated.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**, !**/*.pb.go
• vendor/k8s.io/apimachinery/pkg/apis/meta/v1/generated.proto is excluded by !vendor/**, !**/vendor/**, !**/generated.proto
• vendor/k8s.io/apimachinery/pkg/apis/meta/v1/generated.protomessage.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**, !**/*.pb.go
• vendor/k8s.io/apimachinery/pkg/apis/meta/v1/helpers.go is excluded by !vendor/**, !**/vendor/**
• vendor/k8s.io/apimachinery/pkg/apis/meta/v1/meta.go is excluded by !vendor/**, !**/vendor/**
• vendor/k8s.io/apimachinery/pkg/apis/meta/v1/micro_time_fuzz.go is excluded by !vendor/**, !**/vendor/**
• vendor/k8s.io/apimachinery/pkg/apis/meta/v1/time_fuzz.go is excluded by !vendor/**, !**/vendor/**
• vendor/k8s.io/apimachinery/pkg/apis/meta/v1/types.go is excluded by !vendor/**, !**/vendor/**
• vendor/k8s.io/apimachinery/pkg/apis/meta/v1/types_swagger_doc_generated.go is excluded by !vendor/**, !**/vendor/**, !**/types_swagger_doc_generated.go
• vendor/k8s.io/apimachinery/pkg/apis/meta/v1/zz_generated.conversion.go is excluded by !vendor/**, !**/vendor/**, !**/zz_generated*.go, !**/zz_generated*
• vendor/k8s.io/apimachinery/pkg/apis/meta/v1/zz_generated.deepcopy.go is excluded by !vendor/**, !**/vendor/**, !**/zz_generated*.go, !**/zz_generated*
• vendor/k8s.io/apimachinery/pkg/apis/meta/v1/zz_generated.model_name.go is excluded by !vendor/**, !**/vendor/**, !**/zz_generated*.go, !**/zz_generated*
• vendor/k8s.io/apimachinery/pkg/apis/meta/v1beta1/generated.protomessage.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**, !**/*.pb.go
• vendor/k8s.io/apimachinery/pkg/runtime/serializer/cbor/internal/modes/decode.go is excluded by !vendor/**, !**/vendor/**
• vendor/k8s.io/apimachinery/pkg/runtime/serializer/cbor/raw.go is excluded by !vendor/**, !**/vendor/**
• vendor/k8s.io/apimachinery/pkg/util/diff/diff.go is excluded by !vendor/**, !**/vendor/**
• vendor/k8s.io/apimachinery/pkg/util/diff/legacy_diff.go is excluded by !vendor/**, !**/vendor/**
• vendor/k8s.io/apimachinery/pkg/util/dump/dump.go is excluded by !vendor/**, !**/vendor/**
• vendor/k8s.io/apimachinery/pkg/util/httpstream/doc.go is excluded by !vendor/**, !**/vendor/**
• vendor/k8s.io/apimachinery/pkg/util/httpstream/spdy/doc.go is excluded by !vendor/**, !**/vendor/**
• vendor/k8s.io/apimachinery/pkg/util/httpstream/spdy/spdy.go is excluded by !vendor/**, !**/vendor/**
• vendor/k8s.io/apimachinery/pkg/util/httpstream/wsstream/doc.go is excluded by !vendor/**, !**/vendor/**
• vendor/k8s.io/apimachinery/pkg/util/httpstream/wsstream/wsstream.go is excluded by !vendor/**, !**/vendor/**
• vendor/k8s.io/apimachinery/pkg/util/intstr/generated.protomessage.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**, !**/*.pb.go
• vendor/k8s.io/apimachinery/pkg/util/intstr/instr_fuzz.go is excluded by !vendor/**, !**/vendor/**
• vendor/k8s.io/apimachinery/pkg/util/managedfields/extract.go is excluded by !vendor/**, !**/vendor/**
• vendor/k8s.io/apimachinery/pkg/util/managedfields/internal/fields.go is excluded by !vendor/**, !**/vendor/**
• vendor/k8s.io/apimachinery/pkg/util/mergepatch/util.go is excluded by !vendor/**, !**/vendor/**
• vendor/k8s.io/apimachinery/pkg/util/net/http.go is excluded by !vendor/**, !**/vendor/**
• vendor/k8s.io/apimachinery/pkg/util/net/interface.go is excluded by !vendor/**, !**/vendor/**
• vendor/k8s.io/apimachinery/pkg/util/proxy/dial.go is excluded by !vendor/**, !**/vendor/**
• vendor/k8s.io/apimachinery/pkg/util/proxy/transport.go is excluded by !vendor/**, !**/vendor/**
• vendor/k8s.io/apimachinery/pkg/util/proxy/upgradeaware.go is excluded by !vendor/**, !**/vendor/**
• vendor/k8s.io/apimachinery/pkg/util/runtime/runtime.go is excluded by !vendor/**, !**/vendor/**
• vendor/k8s.io/apimachinery/pkg/util/strategicpatch/patch.go is excluded by !vendor/**, !**/vendor/**
• vendor/k8s.io/apimachinery/pkg/util/validation/field/error_matcher.go is excluded by !vendor/**, !**/vendor/**
• vendor/k8s.io/apimachinery/pkg/util/validation/field/errors.go is excluded by !vendor/**, !**/vendor/**
• vendor/k8s.io/apimachinery/pkg/util/validation/ip.go is excluded by !vendor/**, !**/vendor/**
• vendor/k8s.io/apimachinery/third_party/forked/golang/netutil/addr.go is excluded by !vendor/**, !**/vendor/**
• vendor/k8s.io/apimachinery/third_party/forked/golang/reflect/deep_equal.go is excluded by !vendor/**, !**/vendor/**
• vendor/k8s.io/klog/v2/README.md is excluded by !vendor/**, !**/vendor/**
• vendor/k8s.io/klog/v2/internal/serialize/keyvalues.go is excluded by !vendor/**, !**/vendor/**
• vendor/k8s.io/klog/v2/internal/serialize/keyvalues_no_slog.go is excluded by !vendor/**, !**/vendor/**
• vendor/k8s.io/klog/v2/internal/serialize/keyvalues_slog.go is excluded by !vendor/**, !**/vendor/**
• vendor/k8s.io/klog/v2/klog.go is excluded by !vendor/**, !**/vendor/**
• vendor/k8s.io/klog/v2/klogr.go is excluded by !vendor/**, !**/vendor/**
• vendor/k8s.io/klog/v2/klogr_slog.go is excluded by !vendor/**, !**/vendor/**
• vendor/k8s.io/klog/v2/textlogger/options.go is excluded by !vendor/**, !**/vendor/**
• vendor/k8s.io/klog/v2/textlogger/textlogger.go is excluded by !vendor/**, !**/vendor/**
• vendor/k8s.io/streaming/LICENSE is excluded by !vendor/**, !**/vendor/**
• vendor/k8s.io/streaming/pkg/httpstream/doc.go is excluded by !vendor/**, !**/vendor/**
• vendor/k8s.io/streaming/pkg/httpstream/httpstream.go is excluded by !vendor/**, !**/vendor/**
• vendor/k8s.io/streaming/pkg/httpstream/spdy/connection.go is excluded by !vendor/**, !**/vendor/**
• vendor/k8s.io/streaming/pkg/httpstream/spdy/roundtripper.go is excluded by !vendor/**, !**/vendor/**
• vendor/k8s.io/streaming/pkg/httpstream/spdy/upgrade.go is excluded by !vendor/**, !**/vendor/**
• vendor/k8s.io/streaming/pkg/httpstream/wsstream/conn.go is excluded by !vendor/**, !**/vendor/**
• vendor/k8s.io/streaming/pkg/httpstream/wsstream/doc.go is excluded by !vendor/**, !**/vendor/**
• vendor/k8s.io/streaming/pkg/httpstream/wsstream/stream.go is excluded by !vendor/**, !**/vendor/**
• vendor/k8s.io/streaming/pkg/runtime/runtime.go is excluded by !vendor/**, !**/vendor/**
• vendor/k8s.io/utils/dump/dump.go is excluded by !vendor/**, !**/vendor/**
• vendor/modules.txt is excluded by !vendor/**, !**/vendor/**

📒 Files selected for processing (1)

• go.mod

🚧 Files skipped from review as they are similar to previous changes (1)

• go.mod

---

📝 Walkthrough

Walkthrough

This PR updates the Go module dependencies for the HyperShift project. The Go toolchain requirement is bumped from 1.25.7 to 1.26.0. Kubernetes-related direct dependencies including k8s.io/apimachinery, k8s.io/klog/v2, and k8s.io/utils are refreshed with newer versions. Indirect dependencies are adjusted: the unused github.com/mxk/go-flowrate package is removed, google.golang.org/protobuf is bumped to a newer pseudo-version, and several Kubernetes indirect module versions including k8s.io/kube-openapi and k8s.io/streaming are updated.

Possibly related PRs

• openshift/hypershift#8683: Overlapping go.mod dependency adjustments for the Kubernetes 1.36 rebase, including k8s.io/* module refreshes.

Suggested reviewers

• enxebre
• sjenning
• bryan-cox

---

Important

Pre-merge checks failed

Please resolve all errors before merging. Addressing warnings is optional.

❌ Failed checks (1 error, 2 warnings)

Check name	Status	Explanation	Resolution
Stable And Deterministic Test Names	❌ Error	PR adds test/envtest/generator.go with Ginkgo test using fmt.Sprintf in test name (line 230), violating the stable test names requirement.	Replace fmt.Sprintf test name with static string; move dynamic feature set value to test body instead of test title.
Test Structure And Quality	⚠️ Warning	37 Ginkgo test assertions lack meaningful failure messages across 4 files, with backup_restore_test.go having 34 violations against the custom check requirement.	Add failure messages to all assertions: change Expect(x).NotTo(BeNil()) to Expect(x).NotTo(BeNil(), "descriptive failure message")
Ipv6 And Disconnected Network Test Compatibility	⚠️ Warning	PR adds 64 e2e tests with hardcoded IPv4 subnets (192.168.66.x) and external registry dependencies (quay.io, registry.access.redhat.com) incompatible with IPv6-only disconnected environments.	Run periodic-ci-openshift-release-master-nightly-4.22-e2e-metal-ipi-ovn-ipv6. Use dynamic IP family detection, IPv6 CIDRs (fd01::/48), internal registries, and add [Skipped:Disconnected] tags to externally-dependent tests.

✅ Passed checks (8 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately describes the main change: bumping k8s-related dependencies in go.mod with specific version updates.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Topology-Aware Scheduling Compatibility	✅ Passed	PR is a dependency-only update (go.mod/vendor bump) with no new/modified deployment manifests or controller scheduling logic; the check applies to manifest/operator code changes.
No-Weak-Crypto	✅ Passed	PR only updates go.mod dependencies (k8s.io modules, Go 1.26.0) with no code changes that introduce weak crypto (MD5, SHA1, DES, RC4, etc.) or custom crypto implementations.
Container-Privileges	✅ Passed	PR contains only Go module dependency updates with no K8s manifest files introducing privileged containers, hostPID/Network/IPC, SYS_ADMIN capabilities, or allowPrivilegeEscalation settings.
No-Sensitive-Data-In-Logs	✅ Passed	PR only updates Go module dependencies (versions in go.mod/go.sum) with no new source code additions, logging statements, or application logic changes.

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch dependabot/go_modules/k8s-dependencies-5db5cf7de5

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[openshift-ci]

Hi @dependabot[bot]. Thanks for your PR.

I'm waiting for a openshift member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work.

Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: dependabot[bot]
Once this PR has been reviewed and has the lgtm label, please assign jparrill for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[openshift-ci]

rebase

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[openshift-ci]

@dependabot[bot]: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/images	fe3a8aa	link	true	/test images
ci/prow/okd-scos-images	fe3a8aa	link	true	/test okd-scos-images

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

[hypershift-jira-solve-ci]

I now have all the evidence needed. Every single failure traces back to the same root cause. Here is the report:

Test Failure Analysis Complete

Job Information

• Prow Job: pull-ci-openshift-hypershift-main-images
• Build ID: 2063027153540222976
• Target: images
• PR: build(deps): bump the k8s-dependencies group across 1 directory with 3 updates #8677 — build(deps): bump the k8s-dependencies group across 1 directory with 3 updates
• Additional failing jobs: pull-ci-openshift-hypershift-main-okd-scos-images (2063027156895666176), lint, verify, hypershift-operator-main-on-pull-request, hypershift-release-mce-50-on-pull-request, hypershift-cli-mce-50-on-pull-request

Test Failure Analysis

Error

go: go.mod requires go >= 1.26.0 (running go 1.25.8; GOTOOLCHAIN=local)
make: *** [Makefile:207: control-plane-operator] Error 1

Summary

All 7 failures share a single root cause: the PR bumps k8s.io/apimachinery from v0.35.1 to v0.36.1, which transitively requires Go 1.26.0. This forced the go directive in go.mod from go 1.25.7 to go 1.26.0. However, every CI build environment — Prow builder images (rhel-9-golang-1.25-openshift-4.23), GitHub Actions runners, and Konflux pipelines — only provides Go 1.25.x with GOTOOLCHAIN=local, which prevents automatic toolchain download. The builds therefore refuse to compile and exit immediately.

Root Cause

The dependency bump in this PR introduces an incompatible Go version requirement across the entire build matrix:

1. Dependency chain: k8s.io/apimachinery v0.36.1 requires go 1.26. When Dependabot updated go.mod, it correctly raised the go directive from go 1.25.7 → go 1.26.0 to satisfy this requirement.

2. Builder image mismatch (Prow jobs): Both pull-ci-openshift-hypershift-main-images and pull-ci-openshift-hypershift-main-okd-scos-images use Dockerfiles (Dockerfile and Dockerfile.control-plane) that reference registry.ci.openshift.org/ocp/builder:rhel-9-golang-1.25-openshift-4.23 or registry.ci.openshift.org/openshift/release:rhel-9-release-golang-1.25-openshift-4.23. These builder images ship Go 1.25.8. The GOTOOLCHAIN=local setting in the Makefile prevents the Go toolchain from auto-downloading a newer version, so go build fails immediately with: go: go.mod requires go >= 1.26.0 (running go 1.25.8; GOTOOLCHAIN=local).

3. mockgen tool incompatibility (lint/verify jobs): On GitHub Actions, the runners download Go 1.26.0 for the main module, but hack/tools/go.mod still declares go 1.25.7. The mockgen tool is built from hack/tools with Go 1.25, and when it tries to process source files from the main module (which now requires go 1.26), it fails: package requires newer Go version go1.26 (application built with go1.25). This causes make generate to fail, which is a prerequisite for both make lint and make verify.

4. Konflux pipeline failures: All three Konflux pipelines (hypershift-operator-main, hypershift-release-mce-50, hypershift-cli-mce-50) fail at the build-images task with exit status 2 from make targets, for the same Go version mismatch.

The fundamental issue is that k8s.io/apimachinery v0.36.1 is a major version jump from v0.35.1 — it crosses from the Go 1.25 to the Go 1.26 requirement boundary — while the entire CI infrastructure (builder images, tool modules, and Dockerfiles) is pinned to Go 1.25.x.

Recommendations

1. Do not merge this PR as-is. The Go 1.26 requirement is incompatible with the current CI infrastructure (Go 1.25-based builder images, tool modules, Dockerfiles, and Konflux pipelines).

2. Option A — Downgrade the dependency: Pin k8s.io/apimachinery to the latest v0.35.x release (e.g., v0.35.2 if available) which maintains the Go 1.25 compatibility. This is the lowest-risk fix.

3. Option B — Upgrade the entire toolchain (coordinated effort):

   • Update all Dockerfiles (Dockerfile, Dockerfile.control-plane) to use Go 1.26-based builder images (e.g., rhel-9-golang-1.26-openshift-4.24 when available)
   • Update hack/tools/go.mod to go 1.26.0 so mockgen and other tools are built with Go 1.26
   • Coordinate with the CI infrastructure team to ensure Go 1.26 builder images exist in the OpenShift CI registry
   • Update Konflux pipeline configurations to use Go 1.26-capable builders

4. Update hack/tools/go.mod — Regardless of which option is chosen, the hack/tools module's go directive must match or exceed the main module's go directive to prevent mockgen failures.

5. Consider configuring Dependabot to exclude k8s.io/apimachinery from the k8s-dependencies group until the CI infrastructure supports Go 1.26, to prevent this class of failure from recurring.

Evidence

Evidence	Detail
go.mod change	go 1.25.7 → go 1.26.0 (forced by k8s.io/apimachinery v0.36.1)
k8s.io/apimachinery bump	v0.35.1 → v0.36.1 (requires Go 1.26)
Prow builder image	rhel-9-golang-1.25-openshift-4.23 provides Go 1.25.8
Prow build error	go: go.mod requires go >= 1.26.0 (running go 1.25.8; GOTOOLCHAIN=local)
Dockerfile.control-plane	Uses registry.ci.openshift.org/ocp/builder:rhel-9-golang-1.25-openshift-4.23
Dockerfile	Uses registry.ci.openshift.org/openshift/release:rhel-9-release-golang-1.25-openshift-4.23
hack/tools/go.mod	Still declares go 1.25.7 — tool version mismatch with main module
Lint/Verify error	package requires newer Go version go1.26 (application built with go1.25) — mockgen built with Go 1.25 cannot process Go 1.26 packages
Konflux operator failure	build-images task failed: STEP "RUN make hypershift && make hypershift-no-cgo && ..." exit status 2
Konflux release-mce failure	build-images task failed: same make targets, exit status 2
Konflux cli-mce failure	build-images task failed: STEP "RUN make product-cli-release && ..." exit status 2
GOTOOLCHAIN=local	Makefile sets GOFLAGS=-mod=vendor and env uses GOTOOLCHAIN=local, blocking auto-download

---