Skip to content

Update go.opentelemetry.io/otel to v1.43.0 and go version to 1.25.9#1431

Merged
k8s-ci-robot merged 2 commits into
kubernetes:release-1.35from
kmala:release-1.35
May 7, 2026
Merged

Update go.opentelemetry.io/otel to v1.43.0 and go version to 1.25.9#1431
k8s-ci-robot merged 2 commits into
kubernetes:release-1.35from
kmala:release-1.35

Conversation

@kmala
Copy link
Copy Markdown
Member

@kmala kmala commented May 7, 2026
edited
Loading

What type of PR is this?

/kind dependency

What this PR does / why we need it:

Which issue(s) this PR fixes:

Fixes #

Special notes for your reviewer:

Does this PR introduce a user-facing change?:

NONE

@k8s-ci-robot k8s-ci-robot added the release-note-none Denotes a PR that doesn't merit a release note. label May 7, 2026
@k8s-ci-robot
Copy link
Copy Markdown
Contributor

k8s-ci-robot commented May 7, 2026

@kmala: The label(s) kind/dependency cannot be applied, because the repository doesn't have them.

Details

In response to this:

What type of PR is this?

/kind dependency

What this PR does / why we need it:

Update go.opentelemetry.io/otel to v1.43.0 to fix CVE's and go version to 1.25.9

Which issue(s) this PR fixes:

Fixes #

Special notes for your reviewer:

Does this PR introduce a user-facing change?:

NONE

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@k8s-ci-robot k8s-ci-robot added the needs-kind Indicates a PR lacks a `kind/foo` label and requires one. label May 7, 2026
@k8s-ci-robot k8s-ci-robot added the needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. label May 7, 2026
@k8s-ci-robot
Copy link
Copy Markdown
Contributor

k8s-ci-robot commented May 7, 2026

This issue is currently awaiting triage.

If cloud-provider-aws contributors determine this is a relevant issue, they will accept it by applying the triage/accepted label and provide further guidance.

The triage/accepted label can be added by org members by writing /triage accepted in a comment.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@k8s-ci-robot k8s-ci-robot added size/M Denotes a PR that changes 30-99 lines, ignoring generated files. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. labels May 7, 2026
@mtulio @kmala
fix(ci): pin GitHub Actions to full-length commit SHAs
158aa4f 
Pin all GitHub Actions to full-length commit SHAs to comply with
Kubernetes organization security policy that requires all actions
must be pinned to prevent supply chain attacks.

This change addresses the CI failures:
  "The actions actions/checkout@v4 and actions/dependency-review-action@v4
   are not allowed in kubernetes/cloud-provider-aws because all actions
   must be pinned to a full-length commit SHA."

Actions pinned with release verification:

- actions/checkout@v4 → @34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
```
Release: https://github.com/actions/checkout/releases/tag/v4.3.1
Commit: actions/checkout@34e1148
```

- actions/dependency-review-action@v4 → @2031cfc080254a8a887f58cffee85186f0e49e48 # v4.9.0
```
Release: https://github.com/actions/dependency-review-action/releases/tag/v4.9.0
Commit: actions/dependency-review-action@2031cfc
```

- golang/govulncheck-action@v1 → @31f7c5463448f83528bd771c2d978d940080c9fd # master (post-v1.0.4)
```
Commit: golang/govulncheck-action@31f7c54
Note: Using master HEAD instead of v1.0.4 because v1.0.4 contains unpinned
      transitive dependencies (actions/checkout@v4.1.1, actions/setup-go@v5.0.0).
      The master branch includes a fix from Feb 2026 that pins these dependencies.
      See: golang/govulncheck-action@31f7c54
```

- helm/chart-releaser-action@v1.7.0 → @a0d2dc62c5e491af8ef6ba64a2e02bcf3fb33aa1 # v1.7.0
```
Release: https://github.com/helm/chart-releaser-action/releases/tag/v1.7.0
Commit: helm/chart-releaser-action@a0d2dc6
```

- actions/github-script@v7 → @f28e40c7f34bde8b3046d885e986cb6290c5673b # v7.1.0
```
Release: https://github.com/actions/github-script/releases/tag/v7.1.0
Commit: actions/github-script@f28e40c
```

Files modified:
- .github/workflows/deps.yml
- .github/workflows/tag.yml
- .github/workflows/helm_chart_release.yaml
- .github/workflows/kpromo-reminder.yaml

Justification:
Pinning actions to commit SHAs instead of mutable tags (v4, v1.7.0, etc.)
prevents potential security vulnerabilities where a tag could be moved to
point to malicious code. This is a required security practice in the
Kubernetes organization to ensure supply chain integrity and is enforced
by GitHub Actions policy for kubernetes/* repositories.

GitHub enforces that not only direct action dependencies must be pinned,
but also transitive dependencies (actions used within composite actions).
This is why govulncheck-action required using the master branch commit
instead of the latest release tag.

Each SHA has been verified against the official release tags to ensure
we're using the intended versions while meeting security requirements.

Reviewed-by: Claude Sonnet 4.5 <noreply@anthropic.com>
yue9944882
yue9944882 reviewed May 7, 2026
View reviewed changes
Copy link
Copy Markdown
Member

@yue9944882 yue9944882 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/lgtm
/approve

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label May 7, 2026
@k8s-ci-robot
Copy link
Copy Markdown
Contributor

k8s-ci-robot commented May 7, 2026

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: yue9944882

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label May 7, 2026
@k8s-ci-robot k8s-ci-robot merged commit e88ebc2 into kubernetes:release-1.35 May 7, 2026
8 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@bridgetkromhout bridgetkromhout Awaiting requested review from bridgetkromhout

1 more reviewer

@yue9944882 yue9944882 yue9944882 left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

@yue9944882 yue9944882

Labels

approved Indicates a PR has been approved by an approver from all required OWNERS files. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. lgtm "Looks good to me", indicates that a PR is ready to be merged. needs-kind Indicates a PR lacks a `kind/foo` label and requires one. needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. release-note-none Denotes a PR that doesn't merit a release note. size/M Denotes a PR that changes 30-99 lines, ignoring generated files.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@kmala @k8s-ci-robot @yue9944882 @mtulio