Update dependencies

[erpel]

Just trying to keep dependencies updated to keep CVE scanners quiet.

[openshift-ci]

Hi @erpel. Thanks for your PR.

I'm waiting for a github.com member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[jcantrill]

/ok-to-test

[jcantrill]

This should require a Dockerfile update https://github.com/openshift/eventrouter/blob/master/Dockerfile#L1 and I am uncertain if our product tooling has this image available. cc @xperimental

[erpel]

Pushed with updated builder image, but had to do this blindly as that registry is not browsable for me.
If 1.24 is absolutely not available, I could try to update deps to versions that work with 1.23 but getting it to work with 1.24 seems better for the long term.

[erpel]

@jcantrill I could change the builder image to a plain upstream FROM golang AS builder - it does build without issue in our pipelines.
Would that be an option?

[jcantrill]

This PR will not pass until openshift/release#70571 merges

[xperimental]

I think the question about availability of a Go 1.24 image is solved already, but I had a comment on another part of the PR.

[jcantrill]

registry.access.redhat.com/ubi9/go-toolset:9.6

[xperimental]

IMO we should be using public images in the open-source Dockerfiles, so I think it's fine to switch to the "upstream Go image". We can choose to build with a different image in the CI, but having the public image in the public Dockerfiles makes it much easier for the public to build the software / contribute fixes.

I would pin the image to a specific Go version though, to have an indication of what we expect to build with. In this case this would be the latest 1.24:

Suggested change

	FROM golang AS builder
	FROM docker.io/library/golang:1.24.9 AS builder

[jcantrill]

The image I suggested is publicly available. If we wish to use the "library" version then we will need to make an additional change to the openshift CI to substitute it correctly

[xperimental]

I wasn't sure if that image is available without authentication. But if it is, then that's also a possibilty. I think I would use the Go version as tag though and not the RHEL version.

[jcantrill]

/retest

[jcantrill]

/hold

[jcantrill]

Adding hold pending our 6.4 release to reduce churn

[jcantrill]

/approve
/lgtm

[erpel]

Adding hold pending our 6.4 release to reduce churn

Hi @jcantrill does this refer to OpenShift Logging? Since this was released earlier in November, does this mean this can go forward now?

[1it]

Hey folks,
Any chance this PR is going to be merged?

[openshift-ci]

@erpel: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

[jcantrill]

/approve
/lgtm

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: erpel, jcantrill

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS [jcantrill]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[erpel]

Is there anything else to do before the hold label can be removed?
I'm happy to do another run of updates but don't want to reset everything again.

[xperimental]

@jcantrill Do you want to pull this into 6.5.0 as well?

I have not looked at the build configuration yet ... probably needs a bump for 1.25 as well...

[jcantrill]

@xperimental this can go into 6.5 but given we are in code freeze I believe it can wait for a z-stream