Fix critical CVEs by upgrading Go 1.17 to 1.25 and all dependencies #266
Ramal Abeysekera (ramalabeysekera) merged 3 commits into main from
Pull request overview
Upgrades the project’s Go toolchain and core dependency tree (controller-runtime/Kubernetes libs/cert-manager/Ginkgo/AWS SDK) to remediate critical CVEs identified by Trivy, along with the required controller/runtime API updates, regenerated manifests, and CI/tooling bumps.
Changes:
- Bump Go version and modernize the dependency graph (controller-runtime, k8s.io/*, cert-manager, Ginkgo v2, AWS SDK v2).
- Update controller wiring and tests for upstream API changes (metrics/webhook options, fake client builder, cert-manager import paths, CSR helper).
- Refresh generated assets and tooling/CI configs (CRDs/RBAC, helm-docs output, golangci-lint v2, GitHub Actions).
Reviewed changes
Copilot reviewed 30 out of 36 changed files in this pull request and generated 4 comments.
| File | Description |
|---|---|
| README.md | Markdown table formatting adjustments. |
| pkg/signer/suite_test.go | Migrate test suite to Ginkgo v2 APIs. |
| pkg/signer/kmssigner_test.go | Update Ginkgo imports to v2. |
| pkg/kmsmock/suite_test.go | Migrate test suite to Ginkgo v2 APIs. |
| pkg/kmsmock/kmsmock.go | Update embedded RSA test keys to 2048-bit for newer Go constraints. |
| pkg/kmsmock/kmsmock_test.go | Update Ginkgo imports to v2. |
| pkg/kmsca/suite_test.go | Migrate test suite to Ginkgo v2 APIs. |
| pkg/kmsca/kmsca_test.go | Update Ginkgo imports to v2. |
| Makefile | Update envtest/kustomize/controller-tools versions. |
| main.go | Update controller-runtime manager options for metrics/webhook API changes. |
| hack/boilerplate.go.txt | Boilerplate formatting tweak. |
| go.mod | Upgrade Go directive and dependency versions across the project. |
| Dockerfile | Build image updated to Go 1.25 base. |
| ct.yaml | Formatting-only change. |
| controllers/certmanager/suite_test.go | Update cert-manager imports + Ginkgo v2 suite changes. |
| controllers/certmanager/kmskey_controller_test.go | Update Ginkgo imports to v2. |
| controllers/certmanager/kmsissuer_controller_test.go | Update Ginkgo imports to v2. |
| controllers/certmanager/finalizer_test.go | Update Ginkgo imports to v2. |
| controllers/certmanager/certificaterequest_controller.go | Update cert-manager imports and renamed PKI util call. |
| controllers/certmanager/certificaterequest_controller_test.go | Replace removed cert-manager e2e helper with local CSR helper; fake client builder updates. |
| config/rbac/role.yaml | Regenerated RBAC output (deduped/cleaned rules). |
| config/crd/bases/cert-manager.skyscanner.net_kmskeys.yaml | Regenerated CRD with newer controller-gen output. |
| config/crd/bases/cert-manager.skyscanner.net_kmsissuers.yaml | Regenerated CRD with newer controller-gen output. |
| charts/kms-issuer/README.md.gotmpl | Helm-docs template formatting change. |
| charts/kms-issuer/README.md | Regenerated helm-docs output formatting. |
| charts/kms-issuer/crds/cert-manager.skyscanner.net_kmskeys.yaml | Regenerated chart CRD copy. |
| charts/kms-issuer/crds/cert-manager.skyscanner.net_kmsissuers.yaml | Regenerated chart CRD copy. |
| apis/certmanager/v1alpha1/zz_generated.deepcopy.go | Remove legacy // +build tag (Go 1.17+ build constraints). |
| .pre-commit-config.yaml | Bump golangci-lint hook; exclude charts from YAML checks. |
| .golangci.yml | Migrate to golangci-lint v2 config format and formatter settings. |
| .gitignore | Formatting-only change. |
| .github/workflows/test-build.yml | Bump checkout/setup-go; move CI to Go 1.25. |
| .github/workflows/release.yml | YAML formatting fix. |
| .github/workflows/e2e.yaml | Bump actions/kind/cert-manager; fix deprecated set-output usage. |
| .github/workflows/code-quality.yml | Bump actions; update CodeQL and golangci-lint action versions; move to Go 1.25. |
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: dd50bfb31d
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 7c23a9d2e6
Trivy scan found 6 critical vulnerabilities in the manager binary, all stemming from Go 1.17 and dependencies pinned to 2022. Since the k8s libraries, controller-runtime, and cert-manager all have strict version compatibility chains, fixing any single CVE requires upgrading the entire dependency tree together.
CVEs Fixed
This pull request updates the project to support newer versions of Go, cert-manager, and related tooling, while also cleaning up and modernizing configuration files. The changes ensure compatibility with the latest development environments, improve code quality tooling, and update documentation to reflect these upgrades.
Dependency and Toolchain Upgrades:
- Dockerfile, GitHub Actions workflows, and local development (Makefile). [1] [2] [3] [4]
- cert-manager references and tested version to v1.17.2 in the documentation, e2e workflow, and README. [1] [2] [3]
- Makefile for compatibility with recent Kubernetes releases.

CI/CD and Linting Improvements:
- golangci-lint and its configuration in .golangci.yml and .pre-commit-config.yaml for improved linting and code formatting, including support for new linters and formatter settings. [1] [2]

Documentation and Metadata Updates:

Configuration Cleanup:
- .github/release-drafter.yml, .github/workflows/release-drafter.yml [1] [2]

Minor Code and Metadata Fixes:
These updates collectively modernize the project, improve maintainability, and ensure it remains compatible with current tooling and Kubernetes ecosystem standards.