
Automated cherry pick of #1328 upstream release 1.33 #1390

Closed
yue9944882 wants to merge 3 commits into kubernetes:release-1.33 from yue9944882:automated-cherry-pick-of-#1328-upstream-release-1.33

Conversation

@yue9944882
Member

Cherry pick of #1328 on release-1.34.

#1328: Deregister elb targets before registering targets

For details on the cherry pick process, see the cherry pick requests page.

NONE

DanielCKennedy and others added 3 commits March 17, 2026 15:53
Signed-off-by: Min Jin <minkimzz@amazon.com>
Pin all GitHub Actions to full-length commit SHAs to comply with
Kubernetes organization security policy that requires all actions
must be pinned to prevent supply chain attacks.

This change addresses the CI failures:
  "The actions actions/checkout@v4 and actions/dependency-review-action@v4
   are not allowed in kubernetes/cloud-provider-aws because all actions
   must be pinned to a full-length commit SHA."

Actions pinned with release verification:

- actions/checkout@v4 → @34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
```
Release: https://github.com/actions/checkout/releases/tag/v4.3.1
Commit: actions/checkout@34e1148
```

- actions/dependency-review-action@v4 → @2031cfc080254a8a887f58cffee85186f0e49e48 # v4.9.0
```
Release: https://github.com/actions/dependency-review-action/releases/tag/v4.9.0
Commit: actions/dependency-review-action@2031cfc
```

- golang/govulncheck-action@v1 → @31f7c5463448f83528bd771c2d978d940080c9fd # master (post-v1.0.4)
```
Commit: golang/govulncheck-action@31f7c54
Note: Using master HEAD instead of v1.0.4 because v1.0.4 contains unpinned
      transitive dependencies (actions/checkout@v4.1.1, actions/setup-go@v5.0.0).
      The master branch includes a fix from Feb 2026 that pins these dependencies.
      See: golang/govulncheck-action@31f7c54
```

- helm/chart-releaser-action@v1.7.0 → @a0d2dc62c5e491af8ef6ba64a2e02bcf3fb33aa1 # v1.7.0
```
Release: https://github.com/helm/chart-releaser-action/releases/tag/v1.7.0
Commit: helm/chart-releaser-action@a0d2dc6
```

- actions/github-script@v7 → @f28e40c7f34bde8b3046d885e986cb6290c5673b # v7.1.0
```
Release: https://github.com/actions/github-script/releases/tag/v7.1.0
Commit: actions/github-script@f28e40c
```

Files modified:
- .github/workflows/deps.yml
- .github/workflows/tag.yml
- .github/workflows/helm_chart_release.yaml
- .github/workflows/kpromo-reminder.yaml

Justification:
Pinning actions to commit SHAs instead of mutable tags (v4, v1.7.0, etc.)
prevents potential security vulnerabilities where a tag could be moved to
point to malicious code. This is a required security practice in the
Kubernetes organization to ensure supply chain integrity and is enforced
by GitHub Actions policy for kubernetes/* repositories.

GitHub enforces that not only direct action dependencies must be pinned,
but also transitive dependencies (actions used within composite actions).
This is why govulncheck-action required using the master branch commit
instead of the latest release tag.

Each SHA has been verified against the official release tags to ensure
we're using the intended versions while meeting security requirements.

Reviewed-by: Claude Sonnet 4.5 <noreply@anthropic.com>
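The commit message above describes the policy being satisfied: every `uses:` reference, including those inside composite actions, must point at a full-length commit SHA with a version comment beside it. The following checker is an added example and is not part of the cloud-provider-aws repository or this PR; it scans the `uses:` lines of a workflow or `action.yml` (the constructed sample below reuses the `actions/checkout` SHA and `# v4.3.1` comment from the commit message) and reports references that are still mutable or that lack the version comment a reviewer needs to verify the pin.

```python
import re

# Constructed sample workflow fragment (not a file from the repository).
SAMPLE_WORKFLOW = """\
jobs:
  deps:
    steps:
      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
      - uses: actions/dependency-review-action@v4
      - uses: golang/govulncheck-action@master
      - uses: ./.github/actions/local-helper
      - uses: docker://alpine:3.19
"""

# Matches "- uses: owner/repo@ref  # optional comment" in workflows and action.yml
USES_RE = re.compile(r"^\s*-?\s*uses:\s*(?P<ref>\S+)(?:\s*#\s*(?P<comment>.*))?\s*$")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def classify(ref: str) -> str:
    """Classify one `uses:` reference by how its version is selected."""
    ref = ref.strip("'\"")
    if ref.startswith("./"):
        return "local"        # repo-local action; nothing external to pin
    if ref.startswith("docker://"):
        return "docker"       # container image; digest pinning is a separate check
    _, _, version = ref.partition("@")
    if not version:
        return "unversioned"  # no @ref: resolves to the action's default branch
    if FULL_SHA_RE.match(version):
        return "sha"          # immutable: a full 40-hex commit id
    if re.match(r"^v?\d", version):
        return "tag"          # mutable tag such as v4 or v4.3.1
    return "branch"           # mutable branch such as master or main


def find_unpinned(workflow_text: str) -> list[tuple[str, str]]:
    """Return (ref, reason) for every external action that fails the pinning policy."""
    findings = []
    for line in workflow_text.splitlines():
        m = USES_RE.match(line)
        if not m:
            continue
        ref, comment = m.group("ref").strip("'\""), m.group("comment")
        kind = classify(ref)
        if kind in ("tag", "branch", "unversioned"):
            findings.append((ref, f"{kind} reference is mutable"))
        elif kind == "sha" and not comment:
            # A bare SHA cannot be checked against a release tag by eye
            findings.append((ref, "SHA pin lacks version comment"))
    return findings
```

Because the same `uses:` syntax appears in a composite action's `action.yml`, running `find_unpinned` over the checked-out sources of each pinned action is how the transitive case the commit message mentions (govulncheck-action's own `actions/checkout@v4.1.1`) would surface.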
@k8s-ci-robot k8s-ci-robot added release-note-none Denotes a PR that doesn't merit a release note. needs-kind Indicates a PR lacks a `kind/foo` label and requires one. needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. labels Apr 28, 2026
@k8s-ci-robot
Contributor

This issue is currently awaiting triage.

If cloud-provider-aws contributors determine this is a relevant issue, they will accept it by applying the triage/accepted label and provide further guidance.

The triage/accepted label can be added by org members by writing /triage accepted in a comment.


Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@k8s-ci-robot
Contributor

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign kmala for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot requested review from JoelSpeed and kmala April 28, 2026 22:35
@k8s-ci-robot k8s-ci-robot added the size/XXL Denotes a PR that changes 1000+ lines, ignoring generated files. label Apr 28, 2026
@yue9944882 yue9944882 changed the base branch from master to release-1.33 April 28, 2026 22:35
@k8s-ci-robot k8s-ci-robot added cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. size/L Denotes a PR that changes 100-499 lines, ignoring generated files. and removed needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. size/XXL Denotes a PR that changes 1000+ lines, ignoring generated files. labels Apr 28, 2026
@yue9944882 yue9944882 closed this Apr 28, 2026
@k8s-ci-robot
Contributor

@yue9944882: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

| Test name | Commit | Details | Required | Rerun command |
|---|---|---|---|---|
| pull-cloud-provider-aws-test | 96afc72 | link | true | /test pull-cloud-provider-aws-test |
| pull-cloud-provider-aws-e2e | 96afc72 | link | true | /test pull-cloud-provider-aws-e2e |
| pull-cloud-provider-aws-check | 96afc72 | link | true | /test pull-cloud-provider-aws-check |
| pull-cloud-provider-aws-e2e-kubetest2-quick | 96afc72 | link | false | /test pull-cloud-provider-aws-e2e-kubetest2-quick |
| pull-cloud-provider-aws-e2e-kubetest2 | 96afc72 | link | unknown | /test pull-cloud-provider-aws-e2e-kubetest2 |

Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR.


Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.


Labels

cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. needs-kind Indicates a PR lacks a `kind/foo` label and requires one. needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. release-note-none Denotes a PR that doesn't merit a release note. size/L Denotes a PR that changes 100-499 lines, ignoring generated files.
