OAPE-521: V1.42.1 Rebase openshift/main with upstream v1.42.1

[mytreya-rh]

Description of the change:
Rebase this repo's main branch with upstream https://github.com/operator-framework/ansible-operator-plugins/releases/tag/v1.42.1 tag.

Changes done:

1. Trigger rebase using openshift/hack/rebase_upstream.sh
2. The above script took care of the rebase and updating vendor files.
3. There was no change in ansible collections with openshift/hack/rebase_upstream.sh
4. make -f openshift/Makefile generate-requirements failed initially and below changes had to be made:
5. Update openshift/Dockerfile.requirements to exclude google-auth to prevent pip from pulling in cryptography (and its # Rust/maturin build chain) as a transitive dependency during pip download.
6. As a result the below two dependencies got removed from the generated openshift/requirements-build.txt
   • setuptools-rust==1.12.0, and semantic-version==2.10.0.
   • But dependency chain is cffi==2.0.0 --> setuptools-rust==1.12.0 --> semantic-version==2.10.0 and cffi is installed via the python3.12-cryptography RPM
7. Lastly, golang builder and ci buildroot image was updated

Motivation for the change:
Obtain fix for CVE-2026-21441, CVE-2025-66471, and CVE-2025-66418 from urllib bump upstream
In addition also includes fix for CVE-2026-24049 as the wheel package got bumped to 0.46.3 while regenerating the requirements.

Summary by CodeRabbit

• Chores
  • Bumped application/image version to v1.42.1.
  • Updated Go toolchain and many Go dependencies for stability and security.
  • Upgraded CI workflows and GitHub Action versions (checkout and several build/release actions).
  • Updated base container images across Dockerfiles.
  • Updated Python dependency pins (including urllib3) and OpenShift requirement files.
  • Minor build/release tooling and metadata adjustments.

[openshift-ci-robot]

@mytreya-rh: This pull request references OAPE-521 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.22.0" version, but no target version was set.

Details

In response to this:

Description of the change:
Rebase this repo's main branch with upstream https://github.com/operator-framework/ansible-operator-plugins/releases/tag/v1.42.1 tag.

Motivation for the change:
Obtain fix for CVE-2026-21441, CVE-2025-66471, and CVE-2025-66418 from urllib bump upstream

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: mytreya-rh

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS [mytreya-rh]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[coderabbitai]

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

• @coderabbitai resume to resume automatic reviews.
• @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

• ▶️ Resume reviews
• 🔍 Trigger review

Walkthrough

Bumps CI action versions and base container images, upgrades Go toolchain and many Go modules, updates Python/OpenShift dependency pins and Pipfile entries, and increments image/version strings to v1.42.1. No behavioral or control-flow changes introduced.

Changes

Cohort / File(s)	Summary
GitHub Actions Workflows \.github/workflows/release.yml, \.github/workflows/test-ansible.yml, \.github/workflows/test-sanity.yml, \.github/workflows/unit.yml	Updated action versions (e.g., actions/checkout v5→v6 across workflows). release.yml also updates docker/setup-qemu-action v3→v4, docker/setup-buildx-action v3→v4, docker/build-push-action v6→v7, docker/login-action v3→v4, crazy-max/ghaction-github-runtime v3→v4. No step ordering or control-flow changes.
Version Strings & Makefiles Makefile, internal/version/version.go, testdata/memcached-molecule-operator/Makefile	Bumped image/operator version v1.42.0→v1.42.1; updated embedded ImageVersion and related download URL.
Go Toolchain & Modules go.mod	Go toolchain bumped 1.24.6→1.25.7 and many direct/indirect dependency upgrades (ginkgo/gomega/counterfeiter, logrus, cobra, k8s.io/, golang.org/x/, OpenTelemetry, grpc/protobuf, etc.).
Ansible Operator Images & Pipfile images/ansible-operator/Dockerfile, images/ansible-operator/pipfile.Dockerfile, images/ansible-operator/Pipfile	Base image tags updated ubi-minimal:9.6→ubi-minimal:9.7 in Dockerfiles; urllib3 pin updated ~=2.5.0→~=2.6.3.
OpenShift Requirements & Build Files openshift/requirements-build.txt, openshift/requirements-build1.txt, openshift/requirements-pre-build.txt, openshift/requirements.txt	Multiple Python dependency version bumps (cython, docutils, packaging, pathspec, wheel, setuptools, trove-classifiers, certifi, cryptography, urllib3, ansible-core, ansible-runner, etc.) and minor comment/ordering tweaks.
OpenShift Dockerfiles & Release Images openshift/Dockerfile.requirements, openshift/release/ansible/Dockerfile.collections, openshift/Dockerfile	Base image tag updates (OCP 4.21→4.22) and builder image Go toolchain bump (golang-1.24→golang-1.25). Dockerfile.requirements adds temporary comment/uncomment handling for google-auth during build.
Container image build support images/ansible-operator/..., openshift/...	Several Dockerfiles updated only for base image tag bumps; build steps and runtime configuration remain unchanged.

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title accurately reflects the main objective of the PR: rebasing the openshift/main branch with upstream v1.42.1, which encompasses version bumps and dependency updates across the codebase.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Stable And Deterministic Test Names	✅ Passed	This PR is a version rebase that modifies only configuration files, build artifacts, and CI/CD workflows. No Ginkgo test files (_test.go or _suite_test.go) were modified.
Test Structure And Quality	✅ Passed	This PR does not modify any Ginkgo test files (*_test.go); all 18 changed files are configuration, workflow, or manifest files.
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment

📝 Coding Plan

• Generate coding plan for human review comments

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[openshift-ci-robot]

@mytreya-rh: This pull request references OAPE-521 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.22.0" version, but no target version was set.

Details

In response to this:

Description of the change:
Rebase this repo's main branch with upstream https://github.com/operator-framework/ansible-operator-plugins/releases/tag/v1.42.1 tag.

Motivation for the change:
Obtain fix for CVE-2026-21441, CVE-2025-66471, and CVE-2025-66418 from urllib bump upstream

Summary by CodeRabbit

• Chores
• Bumped application version to v1.42.1.
• Updated Go toolchain and multiple dependencies for stability and security improvements.
• Upgraded base container images and build tools to latest supported versions.
• Updated GitHub Actions workflow configurations to use latest action versions.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (1)

.github/workflows/unit.yml (1)

10-10: Pin GitHub Actions to commit SHAs instead of floating major version tags.

Using @v6 leaves supply-chain exposure to upstream tag movement or deletion. Pin to immutable commit SHAs with a tag comment for reference.

Two instances in this file need updating:

• Line 10: actions/checkout@v6
• Line 13: actions/setup-go@v6

Suggested pattern

-      - uses: actions/checkout@v6
+      - uses: actions/checkout@<full_40_char_commit_sha> # actions/checkout@v6

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.github/workflows/unit.yml at line 10, Replace floating action tags with
immutable commit SHAs: locate the two usages "actions/checkout@v6" and
"actions/setup-go@v6" in the workflow and replace each tag with the
corresponding pinned commit SHA; add a trailing comment that includes the
original tag (e.g., // actions/checkout@v6) for human reference. Ensure the new
strings use the full SHA (not a short ref) so the workflow is pinned to a
specific commit and update both occurrences consistently.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@openshift/requirements.txt`:
- Around line 20-23: The pip-compile header in openshift/requirements.txt
references a missing requirements.in which breaks reproducibility; fix by either
restoring an openshift/requirements.in and re-running pip-compile to regenerate
requirements.txt (so the commented “# via -r requirements.in” annotations and
pinned hashes are accurate) or remove the pip-compile header from
openshift/requirements.txt and replace it with a short comment explaining how
the lockfile is managed (and update/remove the “# via -r requirements.in”
annotations like those next to cffi, cryptography, pycparser to reflect the
chosen approach).

---

Nitpick comments:
In @.github/workflows/unit.yml:
- Line 10: Replace floating action tags with immutable commit SHAs: locate the
two usages "actions/checkout@v6" and "actions/setup-go@v6" in the workflow and
replace each tag with the corresponding pinned commit SHA; add a trailing
comment that includes the original tag (e.g., // actions/checkout@v6) for human
reference. Ensure the new strings use the full SHA (not a short ref) so the
workflow is pinned to a specific commit and update both occurrences
consistently.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: b39280da-e5b7-44e3-97ce-102a441e08b6

📥 Commits

Reviewing files that changed from the base of the PR and between d85e7f6 and 022e0d4.

⛔ Files ignored due to path filters (284)

• go.sum is excluded by !**/*.sum
• images/ansible-operator/Pipfile.lock is excluded by !**/*.lock
• vendor/github.com/google/pprof/profile/profile.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/google/pprof/profile/proto.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/onsi/ginkgo/v2/CHANGELOG.md is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/onsi/ginkgo/v2/README.md is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/onsi/ginkgo/v2/core_dsl.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/onsi/ginkgo/v2/decorator_dsl.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/onsi/ginkgo/v2/ginkgo/command/command.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/onsi/ginkgo/v2/ginkgo/internal/run.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/onsi/ginkgo/v2/ginkgo/run/run_command.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/onsi/ginkgo/v2/internal/focus.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/onsi/ginkgo/v2/internal/group.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/onsi/ginkgo/v2/internal/node.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/onsi/ginkgo/v2/internal/reporters/gojson.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/onsi/ginkgo/v2/internal/suite.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/onsi/ginkgo/v2/internal/testingtproxy/testing_t_proxy.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/onsi/ginkgo/v2/reporters/default_reporter.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/onsi/ginkgo/v2/reporters/junit_report.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/onsi/ginkgo/v2/reporters/teamcity_report.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/onsi/ginkgo/v2/types/errors.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/onsi/ginkgo/v2/types/semver_filter.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/onsi/ginkgo/v2/types/types.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/onsi/ginkgo/v2/types/version.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/onsi/gomega/CHANGELOG.md is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/onsi/gomega/format/format.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/onsi/gomega/gomega_dsl.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/onsi/gomega/matchers.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/onsi/gomega/matchers/have_key_matcher.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/onsi/gomega/matchers/have_key_with_value_matcher.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/onsi/gomega/matchers/match_error_strictly_matcher.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/onsi/gomega/matchers/support/goraph/edge/edge.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/sirupsen/logrus/.golangci.yml is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/sirupsen/logrus/CHANGELOG.md is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/sirupsen/logrus/README.md is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/sirupsen/logrus/appveyor.yml is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/sirupsen/logrus/entry.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/sirupsen/logrus/hooks.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/sirupsen/logrus/logger.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/sirupsen/logrus/logrus.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/sirupsen/logrus/terminal_check_bsd.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/sirupsen/logrus/terminal_check_unix.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/sirupsen/logrus/terminal_check_wasi.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/sirupsen/logrus/terminal_check_wasip1.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/sirupsen/logrus/text_formatter.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/spf13/cobra/.golangci.yml is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/spf13/cobra/command.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/auto/sdk/internal/telemetry/id.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/auto/sdk/internal/telemetry/number.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/auto/sdk/internal/telemetry/span.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/auto/sdk/internal/telemetry/status.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/auto/sdk/internal/telemetry/traces.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/auto/sdk/internal/telemetry/value.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/auto/sdk/span.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/auto/sdk/tracer.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/.codespellignore is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/.golangci.yml is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/.lycheeignore is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/CHANGELOG.md is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/CODEOWNERS is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/CONTRIBUTING.md is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/LICENSE is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/Makefile is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/README.md is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/RELEASING.md is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/SECURITY-INSIGHTS.yml is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/VERSIONING.md is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/attribute/encoder.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/attribute/filter.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/attribute/hash.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/attribute/internal/attribute.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/attribute/internal/xxhash/xxhash.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/attribute/iterator.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/attribute/key.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/attribute/kv.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/attribute/set.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/attribute/type_string.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/attribute/value.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/baggage/baggage.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/codes/codes.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/dependencies.Dockerfile is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/internal/global/instruments.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/internal/global/internal_logging.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/internal/global/meter.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/internal/global/trace.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/metric.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/metric/LICENSE is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/metric/asyncfloat64.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/metric/asyncint64.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/metric/config.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/metric/meter.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/metric/noop/noop.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/metric/syncfloat64.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/metric/syncint64.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/propagation/baggage.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/propagation/propagation.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/propagation/trace_context.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/sdk/LICENSE is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/sdk/internal/x/features.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/sdk/internal/x/x.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/sdk/resource/builtin.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/sdk/resource/container.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/sdk/resource/env.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/sdk/resource/host_id.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/sdk/resource/host_id_bsd.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/sdk/resource/host_id_linux.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/sdk/resource/host_id_unsupported.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/sdk/resource/host_id_windows.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/sdk/resource/os.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/sdk/resource/os_release_unix.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/sdk/resource/os_unix.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/sdk/resource/os_unsupported.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/sdk/resource/process.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/sdk/resource/resource.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/sdk/trace/batch_span_processor.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/sdk/trace/doc.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/sdk/trace/id_generator.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/sdk/trace/internal/env/env.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/sdk/trace/internal/observ/batch_span_processor.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/sdk/trace/internal/observ/doc.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/sdk/trace/internal/observ/simple_span_processor.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/sdk/trace/internal/observ/tracer.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/sdk/trace/provider.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/sdk/trace/sampling.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/sdk/trace/simple_span_processor.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/sdk/trace/snapshot.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/sdk/trace/span.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/sdk/trace/span_limits.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/sdk/trace/tracer.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/sdk/trace/version.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/sdk/version.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/semconv/v1.34.0/MIGRATION.md is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/semconv/v1.34.0/README.md is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/semconv/v1.37.0/MIGRATION.md is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/semconv/v1.37.0/README.md is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/semconv/v1.37.0/attribute_group.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/semconv/v1.37.0/doc.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/semconv/v1.37.0/error_type.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/semconv/v1.37.0/exception.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/semconv/v1.37.0/schema.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/semconv/v1.39.0/MIGRATION.md is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/semconv/v1.39.0/README.md is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/semconv/v1.39.0/attribute_group.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/semconv/v1.39.0/doc.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/semconv/v1.39.0/error_type.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/semconv/v1.39.0/exception.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/semconv/v1.39.0/otelconv/metric.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/semconv/v1.39.0/schema.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/trace/LICENSE is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/trace/auto.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/trace/config.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/trace/hex.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/trace/internal/telemetry/attr.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/trace/internal/telemetry/id.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/trace/internal/telemetry/value.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/trace/noop.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/trace/noop/noop.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/trace/span.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/trace/trace.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/trace/tracestate.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/version.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/versions.yaml is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/mod/module/module.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/mod/semver/semver.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/net/html/escape.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/net/html/parse.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/net/html/render.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/net/http2/config.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/net/http2/config_go125.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/net/http2/config_go126.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/net/http2/frame.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/net/http2/http2.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/net/http2/server.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/net/http2/transport.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/net/http2/writesched.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/net/http2/writesched_priority_rfc7540.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/net/http2/writesched_priority_rfc9218.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/net/http2/writesched_roundrobin.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/net/internal/httpcommon/request.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/net/trace/events.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/net/websocket/hybi.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/sync/errgroup/errgroup.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/sys/unix/affinity_linux.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/sys/unix/fdset.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/sys/unix/ifreq_linux.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/sys/unix/mkall.sh is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/sys/unix/mkerrors.sh is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/sys/unix/syscall_linux.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/sys/unix/syscall_netbsd.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/sys/unix/zerrors_linux.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/sys/unix/zerrors_linux_386.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/sys/unix/zerrors_linux_amd64.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/sys/unix/zerrors_linux_arm.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/sys/unix/zerrors_linux_arm64.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/sys/unix/zerrors_linux_loong64.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/sys/unix/zerrors_linux_mips.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/sys/unix/zerrors_linux_mips64.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/sys/unix/zerrors_linux_mips64le.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/sys/unix/zerrors_linux_mipsle.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/sys/unix/zerrors_linux_ppc.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/sys/unix/zerrors_linux_ppc64.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/sys/unix/zerrors_linux_ppc64le.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/sys/unix/zerrors_linux_riscv64.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/sys/unix/zerrors_linux_s390x.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/sys/unix/zerrors_linux_sparc64.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/sys/unix/zsyscall_linux.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/sys/unix/ztypes_linux.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/sys/unix/ztypes_netbsd_arm.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/sys/windows/syscall_windows.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/sys/windows/types_windows.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/sys/windows/zsyscall_windows.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/term/terminal.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/text/cases/tables10.0.0.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/text/cases/tables11.0.0.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/text/cases/tables12.0.0.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/text/cases/tables15.0.0.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/text/cases/tables17.0.0.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/text/cases/tables9.0.0.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/text/encoding/japanese/eucjp.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/text/encoding/japanese/iso2022jp.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/text/encoding/japanese/shiftjis.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/text/encoding/korean/euckr.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/text/encoding/simplifiedchinese/gbk.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/text/encoding/simplifiedchinese/hzgb2312.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/text/encoding/traditionalchinese/big5.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/text/encoding/unicode/unicode.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/text/message/catalog/catalog.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/text/message/catalog/dict.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/text/message/catalog/go19.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/text/message/catalog/gopre19.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/text/secure/bidirule/bidirule.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/text/secure/bidirule/bidirule10.0.0.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/text/secure/bidirule/bidirule9.0.0.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/text/unicode/bidi/tables10.0.0.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/text/unicode/bidi/tables11.0.0.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/text/unicode/bidi/tables12.0.0.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/text/unicode/bidi/tables13.0.0.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/text/unicode/bidi/tables15.0.0.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/text/unicode/bidi/tables17.0.0.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/text/unicode/bidi/tables9.0.0.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/text/unicode/norm/forminfo.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/text/unicode/norm/tables10.0.0.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/text/unicode/norm/tables11.0.0.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/text/unicode/norm/tables12.0.0.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/text/unicode/norm/tables15.0.0.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/text/unicode/norm/tables17.0.0.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/text/unicode/norm/tables9.0.0.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/tools/go/ast/astutil/imports.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/tools/go/ast/inspector/cursor.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/tools/go/packages/golist.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/tools/go/packages/packages.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/tools/go/packages/visit.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/tools/go/types/objectpath/objectpath.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/tools/go/types/typeutil/callee.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/tools/go/types/typeutil/map.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/tools/imports/forward.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/tools/internal/event/core/event.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/tools/internal/event/core/export.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/tools/internal/event/label/label.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/tools/internal/gcimporter/bimport.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/tools/internal/gcimporter/iexport.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/tools/internal/gcimporter/iimport.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/tools/internal/imports/fix.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/tools/internal/imports/sortimports.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/tools/internal/modindex/index.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/tools/internal/modindex/lookup.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/tools/internal/modindex/symbols.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/tools/internal/stdlib/deps.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/tools/internal/stdlib/import.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/tools/internal/stdlib/manifest.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/tools/internal/stdlib/stdlib.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/tools/internal/typeparams/normalize.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/tools/internal/typesinternal/classify_call.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/tools/internal/typesinternal/element.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/tools/internal/typesinternal/fx.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/tools/internal/typesinternal/isnamed.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/tools/internal/typesinternal/qualifier.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/tools/internal/typesinternal/types.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/tools/internal/typesinternal/varkind.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/tools/internal/typesinternal/varkind_go124.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/tools/internal/typesinternal/zerovalue.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/tools/internal/versions/features.go is excluded by !**/vendor/**, !vendor/**
• vendor/k8s.io/client-go/util/cert/cert.go is excluded by !**/vendor/**, !vendor/**
• vendor/modules.txt is excluded by !**/vendor/**, !vendor/**

📒 Files selected for processing (15)

• .github/workflows/release.yml
• .github/workflows/test-ansible.yml
• .github/workflows/test-sanity.yml
• .github/workflows/unit.yml
• Makefile
• go.mod
• images/ansible-operator/Dockerfile
• images/ansible-operator/Pipfile
• images/ansible-operator/pipfile.Dockerfile
• internal/version/version.go
• openshift/requirements-build.txt
• openshift/requirements-build1.txt
• openshift/requirements-pre-build.txt
• openshift/requirements.txt
• testdata/memcached-molecule-operator/Makefile

[coderabbitai]

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "== Check source input declarations =="
if [ -f openshift/requirements.in ]; then
  rg -n '^\s*(#\s*)?(cffi|cryptography|pycparser)\b' openshift/requirements.in || true
else
  echo "openshift/requirements.in not found"
fi

echo
echo "== Check commented pins in generated requirements files =="
rg -n '^\s*#\s*(cffi|cryptography|pycparser)==|^\s*#(cffi|cryptography|pycparser)==' openshift/requirements*.txt || true

echo
echo "== Check active pins in generated requirements files =="
rg -n '^\s*(cffi|cryptography|pycparser)==' openshift/requirements*.txt || true

Repository: openshift/ansible-operator-plugins

Length of output: 509

---

🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "== Find all .in files in repository =="
find . -name "*.in" -type f | head -20

echo
echo "== Check openshift directory structure =="
ls -la openshift/ 2>/dev/null || echo "openshift directory not found"

echo
echo "== Show context around line 20 in requirements.txt =="
sed -n '15,28p' openshift/requirements.txt

echo
echo "== Show context around line 70 in requirements.txt =="
sed -n '65,78p' openshift/requirements.txt

echo
echo "== Check if requirements.txt has pip-compile header =="
head -20 openshift/requirements.txt

Repository: openshift/ansible-operator-plugins

Length of output: 2518

---

Lockfile references non-existent requirements.in, breaking reproducibility.

The openshift/requirements.txt file declares itself as pip-compile autogenerated output (header: pip-compile --output-file=./requirements.txt --strip-extras ./requirements.in) but references a requirements.in file that does not exist in the repository. The commented pins for cffi (line 12), cryptography (line 20), and pycparser (line 70) all include # via -r requirements.in annotations, indicating they were resolved from a missing source file.

This breaks the reproducibility guarantee of pip-compile. Either restore the openshift/requirements.in file and regenerate the lockfile, or remove the pip-compile header and explicitly document how the lockfile is managed.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@openshift/requirements.txt` around lines 20 - 23, The pip-compile header in
openshift/requirements.txt references a missing requirements.in which breaks
reproducibility; fix by either restoring an openshift/requirements.in and
re-running pip-compile to regenerate requirements.txt (so the commented “# via
-r requirements.in” annotations and pinned hashes are accurate) or remove the
pip-compile header from openshift/requirements.txt and replace it with a short
comment explaining how the lockfile is managed (and update/remove the “# via -r
requirements.in” annotations like those next to cffi, cryptography, pycparser to
reflect the chosen approach).

[openshift-ci-robot]

@mytreya-rh: This pull request references OAPE-521 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.22.0" version, but no target version was set.

Details

In response to this:

Description of the change:
Rebase this repo's main branch with upstream https://github.com/operator-framework/ansible-operator-plugins/releases/tag/v1.42.1 tag.

Motivation for the change:
Obtain fix for CVE-2026-21441, CVE-2025-66471, and CVE-2025-66418 from urllib bump upstream

Summary by CodeRabbit

• Chores
• Bumped application/image version to v1.42.1.
• Updated Go toolchain and numerous dependencies for stability/security.
• Upgraded base container images and Python dependency pins.
• Updated CI workflows to use newer action versions and tooling.
• Adjusted build metadata and release-related configuration.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[openshift-ci-robot]

@mytreya-rh: This pull request references OAPE-521 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.22.0" version, but no target version was set.

Details

In response to this:

Description of the change:
Rebase this repo's main branch with upstream https://github.com/operator-framework/ansible-operator-plugins/releases/tag/v1.42.1 tag.

Motivation for the change:
Obtain fix for CVE-2026-21441, CVE-2025-66471, and CVE-2025-66418 from urllib bump upstream

Summary by CodeRabbit

• Chores
• Bumped application/image version to v1.42.1.
• Updated Go toolchain and many Go dependencies for stability and security.
• Upgraded CI workflows to newer action/tool versions.
• Updated base container images and Python dependency pins across build artifacts.
• Adjusted build/release metadata and related tooling configurations.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[coderabbitai]

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

openshift/Dockerfile.requirements (1)

104-105: ⚠️ Potential issue | 🟠 Major

Run the image as non-root (USER missing).

The container currently defaults to root. Please switch to a non-root user before ENTRYPOINT.

Proposed diff

 VOLUME /tmp/requirements
+RUN mkdir -p /tmp/requirements && chown -R 1001:0 /tmp/requirements && chmod -R g=u /tmp/requirements
+USER 1001
 ENTRYPOINT ["cp", "./requirements.txt", "./requirements-build.txt",  "./requirements-build1.txt", "./requirements-pre-build.txt", "/tmp/requirements/"]

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@openshift/Dockerfile.requirements` around lines 104 - 105, The Dockerfile
currently leaves the container running as root (VOLUME /tmp/requirements and
ENTRYPOINT [...]) — create a non-root user and switch to it before ENTRYPOINT:
add steps to create a user/group (e.g., appuser/appgroup), chown the target
directory (/tmp/requirements) and any copied files to that user, set appropriate
permissions, and add USER appuser (or the chosen name) before the existing
ENTRYPOINT so the container runs non-root while preserving the VOLUME and
ENTRYPOINT behavior.

🧹 Nitpick comments (1)

openshift/Dockerfile.requirements (1)

54-56: Fail fast when toggling google-auth lines.

These sed commands are silent on no-match. If upstream pinning changes, this step can silently drift. Add guards so the build fails when expected lines are missing.

Proposed diff

-  && sed -i '/^google-auth==/s/^/#/g' ./requirements.txt \
+  && grep -q '^google-auth==' ./requirements.txt \
+  && sed -i '/^google-auth==/s/^/#/g' ./requirements.txt \
@@
-  && sed -i '/^#google-auth==/s/^#//g' ./requirements.txt \
+  && grep -q '^#google-auth==' ./requirements.txt \
+  && sed -i '/^#google-auth==/s/^#//g' ./requirements.txt \

Also applies to: 71-71

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@openshift/Dockerfile.requirements` around lines 54 - 56, The sed substitution
that comments out google-auth lines (sed -i '/^google-auth==/s/^/#/g'
./requirements.txt) is silent when there is no match and can drift; change the
Dockerfile.requirements step to first verify the expected lines exist (e.g.,
grep -q '^google-auth==' ./requirements.txt) and fail the build if not found,
then run the sed; apply the same guard for the similar sed command later (the
other sed targeting google-auth lines) so the build errors out when upstream
pinning changes instead of silently doing nothing.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Outside diff comments:
In `@openshift/Dockerfile.requirements`:
- Around line 104-105: The Dockerfile currently leaves the container running as
root (VOLUME /tmp/requirements and ENTRYPOINT [...]) — create a non-root user
and switch to it before ENTRYPOINT: add steps to create a user/group (e.g.,
appuser/appgroup), chown the target directory (/tmp/requirements) and any copied
files to that user, set appropriate permissions, and add USER appuser (or the
chosen name) before the existing ENTRYPOINT so the container runs non-root while
preserving the VOLUME and ENTRYPOINT behavior.

---

Nitpick comments:
In `@openshift/Dockerfile.requirements`:
- Around line 54-56: The sed substitution that comments out google-auth lines
(sed -i '/^google-auth==/s/^/#/g' ./requirements.txt) is silent when there is no
match and can drift; change the Dockerfile.requirements step to first verify the
expected lines exist (e.g., grep -q '^google-auth==' ./requirements.txt) and
fail the build if not found, then run the sed; apply the same guard for the
similar sed command later (the other sed targeting google-auth lines) so the
build errors out when upstream pinning changes instead of silently doing
nothing.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 730ffa34-a3ac-4e54-a7b3-4942a60816dc

📥 Commits

Reviewing files that changed from the base of the PR and between df6d0c4 and 8e3b2b1.

📒 Files selected for processing (1)

• openshift/Dockerfile.requirements

[openshift-ci-robot]

@mytreya-rh: This pull request references OAPE-521 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.22.0" version, but no target version was set.

Details

In response to this:

Description of the change:
Rebase this repo's main branch with upstream https://github.com/operator-framework/ansible-operator-plugins/releases/tag/v1.42.1 tag.

Motivation for the change:
Obtain fix for CVE-2026-21441, CVE-2025-66471, and CVE-2025-66418 from urllib bump upstream

Summary by CodeRabbit

• Chores
• Bumped application/image version to v1.42.1.
• Updated Go toolchain and numerous Go dependencies for stability and security.
• Upgraded CI workflows and action/tool versions.
• Updated base container images and Python dependency pins across build artifacts.
• Adjusted build/release metadata and related tooling configurations.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@openshift/Dockerfile.requirements`:
- Line 1: The Dockerfile currently uses "FROM
registry.ci.openshift.org/ocp/4.22:base-rhel9" and never switches away from
root; add a non-root user and switch USER before ENTRYPOINT to minimize blast
radius: create a dedicated group/user (choose a fixed UID/GID), ensure runtime
dirs (e.g., app, config, log paths used by the image) are owned or writable by
that user (chown/chmod during image build), and add a USER <nonroot> instruction
immediately before ENTRYPOINT so the container runs unprivileged; ensure any
startup steps that require root are done earlier in the Dockerfile.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 1b5f42e0-ac1f-49bf-b4e9-5a083136bcb2

📥 Commits

Reviewing files that changed from the base of the PR and between 8e3b2b1 and 083c99f.

📒 Files selected for processing (2)

• openshift/Dockerfile.requirements
• openshift/requirements-build.txt

🚧 Files skipped from review as they are similar to previous changes (1)

• openshift/requirements-build.txt

[coderabbitai]

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail
echo "Checking for USER directives in openshift/Dockerfile.requirements"
rg -n '^\s*(FROM|USER|ENTRYPOINT|VOLUME)\b' openshift/Dockerfile.requirements
if ! rg -n '^\s*USER\b' openshift/Dockerfile.requirements; then
  echo "RESULT: no USER directive found (container runs as root by default)."
fi

Repository: openshift/ansible-operator-plugins

Length of output: 450

---

Run the final container as non-root.

Line 1 uses a base image that defaults to root, and this file never sets USER. Add a non-root user before ENTRYPOINT to reduce blast radius if the container is compromised.

Suggested hardening patch

 VOLUME /tmp/requirements
+USER 1001
 ENTRYPOINT ["cp", "./requirements.txt", "./requirements-build.txt",  "./requirements-build1.txt", "./requirements-pre-build.txt", "/tmp/requirements/"]

🧰 Tools

🪛 Trivy (0.69.3)

[error] 1-1: Image user should not be 'root'

Specify at least 1 USER command in Dockerfile with non-root user as argument

Rule: DS-0002

Learn more

(IaC/Dockerfile)

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@openshift/Dockerfile.requirements` at line 1, The Dockerfile currently uses
"FROM registry.ci.openshift.org/ocp/4.22:base-rhel9" and never switches away
from root; add a non-root user and switch USER before ENTRYPOINT to minimize
blast radius: create a dedicated group/user (choose a fixed UID/GID), ensure
runtime dirs (e.g., app, config, log paths used by the image) are owned or
writable by that user (chown/chmod during image build), and add a USER <nonroot>
instruction immediately before ENTRYPOINT so the container runs unprivileged;
ensure any startup steps that require root are done earlier in the Dockerfile.

[openshift-ci-robot]

@mytreya-rh: This pull request references OAPE-521 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.22.0" version, but no target version was set.

Details

In response to this:

Description of the change:
Rebase this repo's main branch with upstream https://github.com/operator-framework/ansible-operator-plugins/releases/tag/v1.42.1 tag.

Motivation for the change:
Obtain fix for CVE-2026-21441, CVE-2025-66471, and CVE-2025-66418 from urllib bump upstream

Summary by CodeRabbit

• Chores
• Bumped application/image version to v1.42.1.
• Updated Go toolchain and many Go dependencies for stability and security.
• Upgraded CI workflows and GitHub Action versions (checkout and several build/release actions).
• Updated base container images across Dockerfiles.
• Updated Python dependency pins (including urllib3) and OpenShift requirement files.
• Minor build/release tooling and metadata adjustments.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[openshift-ci]

@mytreya-rh: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

[openshift-ci-robot]

@mytreya-rh: This pull request references OAPE-521 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.22.0" version, but no target version was set.

Details

In response to this:

Description of the change:
Rebase this repo's main branch with upstream https://github.com/operator-framework/ansible-operator-plugins/releases/tag/v1.42.1 tag.

Changes done:

1. Trigger rebase using openshift/hack/rebase_upstream.sh
2. The above script took care of the rebase and updating vendor files.
3. There was no change in ansible collections with openshift/hack/rebase_upstream.sh
4. make -f openshift/Makefile generate-requirements failed initially and below changes had to be made:
5. Update openshift/Dockerfile.requirements to exclude google-auth to prevent pip from pulling in cryptography (and its # Rust/maturin build chain) as a transitive dependency during pip download.
6. As a result the below two dependencies got removed from the generated openshift/requirements-build.txt
   • setuptools-rust==1.12.0, and semantic-version==2.10.0.
   • But dependency chain is cffi==2.0.0 --> setuptools-rust==1.12.0 --> semantic-version==2.10.0 and cffi is installed via the python3.12-cryptography RPM
7. Lastly, golang builder and ci buildroot image was updated

Motivation for the change:
Obtain fix for CVE-2026-21441, CVE-2025-66471, and CVE-2025-66418 from urllib bump upstream
In addition also includes fix for CVE-2026-24049 as the wheel package got bumped to 0.46.3 while regenerating the requirements.

Summary by CodeRabbit

• Chores
• Bumped application/image version to v1.42.1.
• Updated Go toolchain and many Go dependencies for stability and security.
• Upgraded CI workflows and GitHub Action versions (checkout and several build/release actions).
• Updated base container images across Dockerfiles.
• Updated Python dependency pins (including urllib3) and OpenShift requirement files.
• Minor build/release tooling and metadata adjustments.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.