
Update go.opentelemetry.io/otel to v1.43.0 and go version to 1.25.9#1434

Merged
k8s-ci-robot merged 2 commits into
kubernetes:release-1.34from
kmala:release-1.34
May 7, 2026

Conversation

@kmala
Member

@kmala kmala commented May 7, 2026

What type of PR is this?

/kind dependency

What this PR does / why we need it:

Which issue(s) this PR fixes:

Fixes #

Special notes for your reviewer:

Does this PR introduce a user-facing change?:

NONE

kmala and others added 2 commits May 6, 2026 23:38
Pin all GitHub Actions to full-length commit SHAs to comply with
Kubernetes organization security policy that requires all actions
must be pinned to prevent supply chain attacks.

This change addresses the CI failures:
  "The actions actions/checkout@v4 and actions/dependency-review-action@v4
   are not allowed in kubernetes/cloud-provider-aws because all actions
   must be pinned to a full-length commit SHA."

Actions pinned with release verification:

- actions/checkout@v4 → @34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
```
Release: https://github.com/actions/checkout/releases/tag/v4.3.1
Commit: actions/checkout@34e1148
```

- actions/dependency-review-action@v4 → @2031cfc080254a8a887f58cffee85186f0e49e48 # v4.9.0
```
Release: https://github.com/actions/dependency-review-action/releases/tag/v4.9.0
Commit: actions/dependency-review-action@2031cfc
```

- golang/govulncheck-action@v1 → @31f7c5463448f83528bd771c2d978d940080c9fd # master (post-v1.0.4)
```
Commit: golang/govulncheck-action@31f7c54
Note: Using master HEAD instead of v1.0.4 because v1.0.4 contains unpinned
      transitive dependencies (actions/checkout@v4.1.1, actions/setup-go@v5.0.0).
      The master branch includes a fix from Feb 2026 that pins these dependencies.
      See: golang/govulncheck-action@31f7c54
```

- helm/chart-releaser-action@v1.7.0 → @a0d2dc62c5e491af8ef6ba64a2e02bcf3fb33aa1 # v1.7.0
```
Release: https://github.com/helm/chart-releaser-action/releases/tag/v1.7.0
Commit: helm/chart-releaser-action@a0d2dc6
```

- actions/github-script@v7 → @f28e40c7f34bde8b3046d885e986cb6290c5673b # v7.1.0
```
Release: https://github.com/actions/github-script/releases/tag/v7.1.0
Commit: actions/github-script@f28e40c
```

Files modified:
- .github/workflows/deps.yml
- .github/workflows/tag.yml
- .github/workflows/helm_chart_release.yaml
- .github/workflows/kpromo-reminder.yaml

Justification:
Pinning actions to commit SHAs instead of mutable tags (v4, v1.7.0, etc.)
prevents potential security vulnerabilities where a tag could be moved to
point to malicious code. This is a required security practice in the
Kubernetes organization to ensure supply chain integrity and is enforced
by GitHub Actions policy for kubernetes/* repositories.

GitHub enforces that not only direct action dependencies must be pinned,
but also transitive dependencies (actions used within composite actions).
This is why govulncheck-action required using the master branch commit
instead of the latest release tag.

Each SHA has been verified against the official release tags to ensure
we're using the intended versions while meeting security requirements.

Reviewed-by: Claude Sonnet 4.5 <noreply@anthropic.com>
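The policy check the commit message describes, written here as an added example in Go (the project's language); it is not part of this PR or of cloud-provider-aws. It scans `uses:` lines both in a workflow file and in a composite action's action.yml, the transitive case the message calls out, and flags any reference that is not a full-length commit SHA, plus any SHA pin that lacks the `# vX.Y.Z` comment a reviewer needs to map it back to a release. The two YAML inputs are constructed for the example: the workflow reuses the checkout and dependency-review-action SHAs listed above, the composite action is only modelled on the govulncheck-action v1.0.4 situation the message describes, and the type and function names are mine.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// ActionRef is one `uses:` reference found in a workflow file or in a
// composite action's action.yml (the transitive case: a released action
// whose own steps pull other actions by tag).
type ActionRef struct {
	File    string
	Line    int
	Action  string // owner/repo or owner/repo/subdir
	Ref     string // whatever follows the '@'
	Comment string // trailing "# vX.Y.Z" hint, empty if absent
}

var (
	// "- uses: owner/repo@ref   # optional comment", quoted or not.
	usesRe  = regexp.MustCompile(`^\s*-?\s*uses:\s*["']?([^@\s"']+)@([^\s"'#]+)["']?\s*(?:#\s*(.*))?$`)
	fullSHA = regexp.MustCompile(`^[0-9a-f]{40}$`)
)

// IsFullSHA reports whether ref is a 40-hex-digit commit id. A short id or a
// tag/branch name such as "v4", "v4.3.1" or "master" can be moved and fails.
func IsFullSHA(ref string) bool { return fullSHA.MatchString(ref) }

// Scan returns every GitHub-hosted action reference in the YAML text.
// docker:// references are skipped: those are image digests, not action tags.
func Scan(file, text string) []ActionRef {
	var refs []ActionRef
	for i, line := range strings.Split(text, "\n") {
		m := usesRe.FindStringSubmatch(line)
		if m == nil || strings.HasPrefix(m[1], "docker://") {
			continue
		}
		refs = append(refs, ActionRef{
			File: file, Line: i + 1, Action: m[1], Ref: m[2],
			Comment: strings.TrimSpace(m[3]),
		})
	}
	return refs
}

// Violations lists the references a "full-length commit SHA only" policy
// would reject. A SHA with no "# vX.Y.Z" comment is also reported: the
// comment is what a reviewer checks against the release tag and what lets
// an update bot bump the pin later.
func Violations(refs []ActionRef) []string {
	var msgs []string
	for _, r := range refs {
		switch {
		case !IsFullSHA(r.Ref):
			msgs = append(msgs, fmt.Sprintf("%s:%d: %s@%s is not pinned to a full-length commit SHA",
				r.File, r.Line, r.Action, r.Ref))
		case r.Comment == "":
			msgs = append(msgs, fmt.Sprintf("%s:%d: %s@%s has no '# vX.Y.Z' comment naming the verified release",
				r.File, r.Line, r.Action, r.Ref[:12]))
		}
	}
	return msgs
}

// Constructed sample workflow (not the repository's real deps.yml): the first
// step is pinned as the commit message describes, the second is pinned but
// undocumented, the third still floats on a mutable major-version tag.
const SampleWorkflow = `name: deps
on: [pull_request]
jobs:
  review:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
      - uses: actions/dependency-review-action@2031cfc080254a8a887f58cffee85186f0e49e48
      - uses: golang/govulncheck-action@v1
`

// Constructed composite action.yml modelled on what the commit message says
// about govulncheck-action v1.0.4: pinning the release's commit is immutable,
// but the action's own steps reference other actions by tag, so the consumer
// still inherits mutable transitive dependencies.
const SampleCompositeAction = `name: constructed-composite
runs:
  using: composite
  steps:
    - uses: actions/checkout@v4.1.1
    - uses: actions/setup-go@v5.0.0
    - run: go run golang.org/x/vuln/cmd/govulncheck@latest ./...
      shell: bash
`

func main() {
	inputs := []struct{ name, text string }{
		{"deps.yml", SampleWorkflow},
		{"action.yml", SampleCompositeAction},
	}
	for _, in := range inputs {
		for _, v := range Violations(Scan(in.name, in.text)) {
			fmt.Println(v)
		}
	}
}
```

The scanner only checks the shape of the pin. To confirm that a SHA really is the release it claims to be, resolve the tag independently, for example with `git ls-remote --tags https://github.com/actions/checkout v4.3.1`; for an annotated tag the line ending in `^{}` is the commit the tag points to, and that is the value that must match the pin and its `# v4.3.1` comment.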
@k8s-ci-robot k8s-ci-robot added the release-note-none Denotes a PR that doesn't merit a release note. label May 7, 2026
@k8s-ci-robot
Contributor

@kmala: The label(s) kind/dependency cannot be applied, because the repository doesn't have them.


In response to this:

What type of PR is this?

/kind dependency

What this PR does / why we need it:

Which issue(s) this PR fixes:

Fixes #

Special notes for your reviewer:

Does this PR introduce a user-facing change?:

NONE

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@k8s-ci-robot k8s-ci-robot added the needs-kind Indicates a PR lacks a `kind/foo` label and requires one. label May 7, 2026
@k8s-ci-robot
Contributor

This issue is currently awaiting triage.

If cloud-provider-aws contributors determine this is a relevant issue, they will accept it by applying the triage/accepted label and provide further guidance.

The triage/accepted label can be added by org members by writing /triage accepted in a comment.


Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@k8s-ci-robot k8s-ci-robot added needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. size/M Denotes a PR that changes 30-99 lines, ignoring generated files. labels May 7, 2026
Member

@yue9944882 yue9944882 left a comment


/lgtm
/approve

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label May 7, 2026
@k8s-ci-robot
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: yue9944882

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label May 7, 2026
@k8s-ci-robot k8s-ci-robot merged commit 9d0847b into kubernetes:release-1.34 May 7, 2026
7 checks passed


4 participants