Skip to content

DFBUGS-8415: [release-4.21] Bump go (stdlib) from 1.24.10 to 1.24.12#4015

Open
df-build-team wants to merge 1 commit into
release-4.21from
fix-release-4.21-8cd106d1
Open

DFBUGS-8415: [release-4.21] Bump go (stdlib) from 1.24.10 to 1.24.12#4015
df-build-team wants to merge 1 commit into
release-4.21from
fix-release-4.21-8cd106d1

Conversation

@df-build-team

Copy link
Copy Markdown

Changes

  • go (stdlib): 1.24.101.24.12 (in metrics/go.mod)
  • go (stdlib): 1.24.101.24.12 (in services/provider/api/go.mod)
  • go (stdlib): 1.24.101.24.12 (in api/go.mod)
  • go (stdlib): 1.24.101.24.12 (in go.mod)

Updated the following modules:
- go (stdlib): 1.24.10 -> 1.24.12 (metrics/go.mod)
- go (stdlib): 1.24.10 -> 1.24.12 (services/provider/api/go.mod)
- go (stdlib): 1.24.10 -> 1.24.12 (api/go.mod)
- go (stdlib): 1.24.10 -> 1.24.12 (go.mod)

Signed-off-by: DF Build Team <df-build-team@redhat.com>
@df-build-team df-build-team added automated Pull requests that are created via an automation dependencies Pull requests that updates a dependency file labels Jul 7, 2026
@df-build-team
df-build-team requested a review from a team July 7, 2026 08:29
@df-build-team df-build-team added dependencies Pull requests that updates a dependency file automated Pull requests that are created via an automation labels Jul 7, 2026
@openshift-ci

openshift-ci Bot commented Jul 7, 2026

Copy link
Copy Markdown
Contributor

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: df-build-team
Once this PR has been reviewed and has the lgtm label, please assign malayparida2000 for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@df-build-team df-build-team changed the title [release-4.21] Bump go (stdlib) from 1.24.10 to 1.24.12 DFBUGS-8415: [release-4.21] Bump go (stdlib) from 1.24.10 to 1.24.12 Jul 9, 2026
@openshift-ci-robot openshift-ci-robot added jira/severity-important jira/valid-reference Indicates that this PR references a valid jira ticket of any type jira/invalid-bug Indicates that the referenced jira bug is invalid for the branch this PR is targeting labels Jul 9, 2026
@openshift-ci-robot

openshift-ci-robot commented Jul 9, 2026

Copy link
Copy Markdown

@df-build-team: This pull request references [Jira Issue DFBUGS-8415](https://redhat.atlassian.net/browse/DFBUGS-8415), which is invalid:

  • expected the vulnerability to target the "odf-4.21.9" version, but no target version was set

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

Details

In response to this:

Changes

  • go (stdlib): 1.24.101.24.12 (in metrics/go.mod)
  • go (stdlib): 1.24.101.24.12 (in services/provider/api/go.mod)
  • go (stdlib): 1.24.101.24.12 (in api/go.mod)
  • go (stdlib): 1.24.101.24.12 (in go.mod)

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@malayparida2000

Copy link
Copy Markdown
Contributor

@nik-redhat Similar to 4.20 here also only toolchain is getting updated, whereas we would want the actual version to be updated

@Nikhil-Ladha

Copy link
Copy Markdown
Member

@nik-redhat Similar to 4.20 here also only toolchain is getting updated, whereas we would want the actual version to be updated

It's expected to have toolchain updated only since the toolchain directive is mentioned.
Why would you want to update the actual version specifically?

@malayparida2000

Copy link
Copy Markdown
Contributor

@nik-redhat Similar to 4.20 here also only toolchain is getting updated, whereas we would want the actual version to be updated

It's expected to have toolchain updated only since the toolchain directive is mentioned. Why would you want to update the actual version specifically?

For clarity/consistency basically. For other relases we are bumping the go versions too. So better to bump the go version on 4.20 & 4.21 as well to latest availble builder versions if there are no harm

@Nikhil-Ladha

Copy link
Copy Markdown
Member

@nik-redhat Similar to 4.20 here also only toolchain is getting updated, whereas we would want the actual version to be updated

It's expected to have toolchain updated only since the toolchain directive is mentioned. Why would you want to update the actual version specifically?

For clarity/consistency basically. For other relases we are bumping the go versions too. So better to bump the go version on 4.20 & 4.21 as well to latest availble builder versions if there are no harm

Toolchain is basically the maximum allowed go version in the code, so if we bump the toolchain version it keeps the code at the toolchain version which includes the fix of any affected CVE.
Also, it is best to use toolchain wherever applicable.
And, if ocs-operator needs to avoid toolchain update then please don't add toolchain directive in the code at the first place, I think the reason toolchain was added to keep the flexibility in go versions and now when the toolchain is updated to align with the flexibility the ask is to update the go version directly which contradicts the initial goal of having toolchain.

@malayparida2000

Copy link
Copy Markdown
Contributor

@nik-redhat Similar to 4.20 here also only toolchain is getting updated, whereas we would want the actual version to be updated

It's expected to have toolchain updated only since the toolchain directive is mentioned. Why would you want to update the actual version specifically?

For clarity/consistency basically. For other relases we are bumping the go versions too. So better to bump the go version on 4.20 & 4.21 as well to latest availble builder versions if there are no harm

Toolchain is basically the maximum allowed go version in the code, so if we bump the toolchain version it keeps the code at the toolchain version which includes the fix of any affected CVE. Also, it is best to use toolchain wherever applicable. And, if ocs-operator needs to avoid toolchain update then please don't add toolchain directive in the code at the first place, I think the reason toolchain was added to keep the flexibility in go versions and now when the toolchain is updated to align with the flexibility the ask is to update the go version directly which contradicts the initial goal of having toolchain.

Ack, let's stick to toolchain updated then if it's better

@Nikhil-Ladha

Copy link
Copy Markdown
Member

/retest

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

automated Pull requests that are created via an automation dependencies Pull requests that updates a dependency file jira/invalid-bug Indicates that the referenced jira bug is invalid for the branch this PR is targeting jira/severity-important jira/valid-reference Indicates that this PR references a valid jira ticket of any type

Projects

None yet

Development

Successfully merging this pull request may close these issues.

4 participants