Conversation

@bergmannf (Contributor)

This should fix recent CVEs in the libraries & stdlib in use by the CLI.

@openshift-ci openshift-ci bot added the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Dec 16, 2025
@openshift-ci bot commented Dec 16, 2025

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

@openshift-ci bot commented Dec 16, 2025

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: bergmannf
Once this PR has been reviewed and has the lgtm label, please assign rcampos2029 for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@coderabbitai bot commented Dec 16, 2025

Walkthrough

Updated Go module dependencies in go.mod, bumping many direct and indirect packages (cloud.google.com/go, googleapis, Kubernetes clients, AWS SDK v2, OpenTelemetry, gRPC, etc.), adding and replacing numerous transitive modules. No changes to exported/public code or functionality.

Changes

Cohort / File(s): Go module and dependency manifest (go.mod)
Summary: Broad version upgrades and replacements for many direct and indirect modules: cloud.google.com/go (iam, storage), googleapis/, google.golang.org/, k8s.io/, AWS SDK v2 components, OpenTelemetry libs, gRPC/protobuf-related packages, spf13/cobra/pflag, MicahParks/jwkset, hashicorp/go-version, go-uber.org/mock, and numerous golang.org/x/ modules. Adjusted require blocks, added/changed replacements, and reshaped transitive dependency graph.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

  • Verify compatibility for Kubernetes client, gRPC/protobuf, and OpenTelemetry version changes.
  • Confirm no build or go mod tidy resolution conflicts from transitive replacements.
  • Check replacement mappings for correctness (package path/name changes) and potential API surface breakage.

Pre-merge checks and finishing touches

✅ Passed checks (3 passed)
  • Title check (✅ Passed): The title clearly and concisely describes the main change: updating Go version and dependencies, which matches the primary purpose of the changeset.
  • Description check (✅ Passed): The description is directly related to the changeset, explaining the purpose of the dependency updates as a fix for recent CVEs in libraries and stdlib.
  • Docstring Coverage (✅ Passed): No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

📜 Recent review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

Cache: Disabled due to data retention organization setting

Knowledge base: Disabled due to Reviews -> Disable Knowledge Base setting

📥 Commits

Reviewing files that changed from the base of the PR and between ee1e4cb and 4f72045.

⛔ Files ignored due to path filters (1)
  • go.sum is excluded by !**/*.sum
📒 Files selected for processing (1)
  • go.mod (1 hunks)
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (5)
  • GitHub Check: Red Hat Konflux / ocm-cli-on-pull-request
  • GitHub Check: Test (ubuntu-latest)
  • GitHub Check: Test (macos-latest)
  • GitHub Check: Test (windows-latest)
  • GitHub Check: Lint
🔇 Additional comments (1)
go.mod (1)

1-166: The go.mod and go.sum updates are properly synced and committed.

Both files are present and properly committed. go mod tidy completes successfully with no additional changes needed, confirming the module graph is synchronized. The only minor note is one deprecated transitive dependency (github.com/golang/protobuf v1.5.4), which is a known issue but does not block this PR.

Likely an incorrect or invalid review comment.


Comment @coderabbitai help to get the list of available commands and usage tips.

@bergmannf bergmannf force-pushed the update-deps branch 2 times, most recently from fbc19e5 to ee1e4cb Compare December 16, 2025 14:44
@bergmannf bergmannf marked this pull request as ready for review December 16, 2025 14:55
@openshift-ci openshift-ci bot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Dec 16, 2025
@openshift-ci openshift-ci bot requested a review from rcampos2029 December 16, 2025 14:55
@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 1

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

Cache: Disabled due to data retention organization setting

Knowledge base: Disabled due to Reviews -> Disable Knowledge Base setting

📥 Commits

Reviewing files that changed from the base of the PR and between 3c4b5c1 and ee1e4cb.

⛔ Files ignored due to path filters (1)
  • go.sum is excluded by !**/*.sum
📒 Files selected for processing (1)
  • go.mod (1 hunks)
🔇 Additional comments (2)
go.mod (2)

3-3: Go version 1.24.6 is valid and includes security fixes.

Go 1.24.6 includes security fixes to the database/sql and os/exec packages, aligning with the PR objective to fix recent CVEs. This is a reasonable update for addressing security vulnerabilities in the Go standard library.


5-34: Dependency updates are safe to proceed—no deprecated APIs are used in the codebase.

While the flagged dependency versions (cobra v1.10.2, grpc v1.77.0, k8s.io/apimachinery v0.34.3) contain documented breaking changes, verification confirms the codebase does not invoke any of the affected APIs:

  • No grpc.Dial/DialContext calls
  • No ParseErrorsWhitelist usage
  • No problematic JSON int operations
  • All dependencies resolve cleanly

The build succeeds and integration tests can proceed without concern for these specific breaking changes.

This should fix recent CVEs in the used libraries.