feat: add private registry support to workspaces #280

Merged
bennyz merged 2 commits into centos-automotive-suite:main from bennyz:private-registry-workspace
May 14, 2026

@bennyz bennyz commented May 12, 2026

Contributor
  • and cosign verification
  • and allowlist

Summary

Related Issues

Type of Change

  • Bug fix
  • New feature
  • Breaking change
  • Documentation update
  • CI/CD improvement
  • Refactoring

Testing

  • Unit tests pass (make test)
  • Linter passes (make lint)
  • Manifests are up to date (make manifests generate)
  • Tested on OpenShift cluster (if applicable)

Summary by CodeRabbit

  • New Features

    • Workspace image allowlist with exact and prefix-wildcard entries; toolchain image implicitly allowed
    • Optional operator-side image signature verification (supports modern and legacy sig formats)
    • Per-workspace imagePullSecrets with operator-level defaults; used for pulls and signature verification
  • Validation

    • Verification key is required when image verification is enabled
  • Docs

    • New workspace image security guide with signing and pull-secret examples
  • Tests

    • Added tests covering allowlist, pull-secrets, key fetching, and verification flows

@bennyz bennyz force-pushed the private-registry-workspace branch from b36878d to 9cf422a Compare May 12, 2026 06:48

coderabbitai Bot commented May 12, 2026

Important

Review skipped

This PR was authored by the user configured for CodeRabbit reviews. CodeRabbit does not review PRs authored by this user. It's recommended to use a dedicated user account to post CodeRabbit review feedback.

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: d9d87969-fd9c-4000-aea9-6a5324be6f06

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Walkthrough

Adds operator and per-workspace imagePullSecrets, AllowedImages allowlist, optional ImageVerify with ImageCosignKeyRef; adds FetchCosignPublicKey and KeychainFromPullSecrets, prefers cosign v3 OCI bundle verification with legacy fallback, enforces allowed-images at API/controller layers, updates deepcopy/docs, and adds tests.

Changes

Workspace Image Access Control and Verification

| Layer | File(s) | Summary |
|---|---|---|
| Workspace image access control configuration | api/v1alpha1/operatorconfig_types.go, api/v1alpha1/operatorconfig_types_test.go | WorkspacesConfig adds ImagePullSecrets, AllowedImages, ImageVerify, and ImageCosignKeyRef with XValidation. Adds GetImagePullSecrets() and IsImageAllowed(image) and TestIsImageAllowed covering nil/empty config, exact and prefix-glob matches, and toolchain-image allowance. |
| Workspace API and deepcopy support for image pull secrets | api/v1alpha1/workspace_types.go, api/v1alpha1/zz_generated.deepcopy.go | Adds optional WorkspaceSpec.ImagePullSecrets and updates autogenerated deepcopy logic to deep-copy new slice and struct fields. |
| Documentation and examples | docs/workspace-image-security.md | New guide describing allowedImages, cosign signing/verification, pull-secret configuration, and a full example. |
| Dependency updates | go.mod | Bumps Go directive and many direct/indirect dependencies, notably switching github.com/sigstore/cosign to v3 and updating Kubernetes client libraries and other transitive modules. |
| Cosign v3 verification core & key fetch helper | internal/common/bundleverify/verify.go | Adds FetchCosignPublicKey(ctx, client.Reader, *ConfigMapKeySelector, namespace) to read PEM from a ConfigMap and upgrades VerifyBundle to try cosign v3 OCI bundles first, falling back to legacy tag-based verification. |
| Keychain from image pull secrets | internal/common/bundleverify/keychain.go | Implements KeychainFromPullSecrets to build a go-containerregistry authn.Keychain from referenced Kubernetes pull-secret(s) and configFileKeychain.Resolve to map Docker config entries to authn authenticators. |
| Keychain unit tests | internal/common/bundleverify/keychain_test.go | Adds tests for defaulting, missing secret errors, non-Docker secrets ignored, Docker config JSON parsing and resolution, and unknown-registry fallback behavior. |
| Bundle verification and key fetch tests | internal/common/bundleverify/verify_test.go, internal/buildapi/bundle_verify_test.go | Adds unit tests and fake-client helpers for FetchCosignPublicKey; updates build API bundle tests and adds verifyWorkspaceImage cases for skip/disabled/key-missing and ConfigMap/key-missing scenarios. |
| Build API image verification and allowed-images enforcement | internal/buildapi/server.go, internal/buildapi/workspace.go | Handlers fetch cosign public key via FetchCosignPublicKey and map missing key to 400, verification failure to 403. Workspace creation enforces IsImageAllowed and returns 403 for disallowed images before verification. |
| Image build controller cosign refactor | internal/controller/imagebuild/controller.go | Replaces inline ConfigMap reads with FetchCosignPublicKey for secure task bundle verification and surfaces key-unavailable vs verification-failed errors. |
| Workspace controller image handling and pod creation | internal/controller/workspace/controller.go, internal/controller/workspace/controller_test.go | ensurePod computes effective image (spec → operator → default), enforces AllowedImages, optionally fetches cosign key and verifies the image using auth derived from WorkspaceSpec.ImagePullSecrets (or operator fallback), and buildPod wires PodSpec.ImagePullSecrets. Tests added for disallow and skip-verify cases. |

Sequence Diagram

sequenceDiagram
  participant Client
  participant BuildAPI
  participant WorkspacesConfig
  participant Keychain
  participant BundleVerify
  Client->>BuildAPI: createWorkspace(image, spec)
  BuildAPI->>WorkspacesConfig: IsImageAllowed(image), GetImagePullSecrets()
  alt image disallowed
    WorkspacesConfig-->>BuildAPI: deny (403)
  else image allowed
    WorkspacesConfig->>Keychain: imagePullSecrets
    Keychain->>BundleVerify: authn.Keychain
    BundleVerify->>BuildAPI: verification result (200/403)
    BuildAPI->>Client: create pod / error
  end

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

Possibly related PRs

Suggested reviewers

  • bkhizgiy

Poem

🐰 I nibble keys from ConfigMaps deep,
I guard the images before they leap,
Pull secrets flow from operator to pod,
Cosign hums and checks the bundle's nod,
Hooray — the workspace hops on safe and neat!

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

| Check name | Status | Explanation | Resolution |
|---|---|---|---|
| Docstring Coverage | ⚠️ Warning | Docstring coverage is 17.24% which is insufficient. The required threshold is 80.00%. | Write docstrings for the functions missing them to satisfy the coverage threshold. |

✅ Passed checks (4 passed)

| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title 'feat: add private registry support to workspaces' accurately describes the main feature addition in this changeset. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |

✏️ Tip: You can configure your own custom pre-merge checks in the settings.


Comment @coderabbitai help to get the list of available commands and usage tips.
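
An added example, not code from this PR or the project: one way the allowlist summarized in the walkthrough (exact entries, trailing-`*` prefix entries, toolchain image implicitly allowed, nil-safe receiver) can be implemented, together with a lint for wildcard entries that match more than they appear to. The `WorkspacesConfig` shape, the treatment of an unset allowlist as unrestricted, the `LintAllowedImages` helper and the `registry.example.com` names are assumptions.

```go
package main

import (
	"fmt"
	"strings"
)

// WorkspacesConfig is a hypothetical stand-in for the operator type named on
// this page; only the two fields the allowlist needs are modelled.
type WorkspacesConfig struct {
	ToolchainImage string
	AllowedImages  []string
}

// IsImageAllowed reports whether image may be used for a workspace.
// Assumptions (the page does not state them): a nil config or an empty
// allowlist means "no restriction", and a wildcard is one trailing "*".
// The pointer receiver is nil-safe, so callers cannot panic on a missing config.
func (c *WorkspacesConfig) IsImageAllowed(image string) bool {
	if c == nil || len(c.AllowedImages) == 0 {
		return true
	}
	if image == "" {
		return false
	}
	// The toolchain image is always allowed once an allowlist is active.
	if c.ToolchainImage != "" && image == c.ToolchainImage {
		return true
	}
	for _, entry := range c.AllowedImages {
		if prefix, ok := strings.CutSuffix(entry, "*"); ok {
			// A bare "*" has an empty prefix and is deliberately not honoured.
			if prefix != "" && strings.HasPrefix(image, prefix) {
				return true
			}
			continue
		}
		if image == entry {
			return true
		}
	}
	return false
}

// LintAllowedImages returns one warning per entry whose wildcard is broader
// than it looks: a prefix that does not end at "/", ":" or "@" also matches
// sibling organisations or repositories that merely share the leading text.
func LintAllowedImages(entries []string) []string {
	var warnings []string
	for _, entry := range entries {
		prefix, wildcard := strings.CutSuffix(entry, "*")
		switch {
		case strings.Contains(prefix, "*"):
			warnings = append(warnings, fmt.Sprintf("%q: only a trailing * is treated as a wildcard", entry))
		case !wildcard:
			continue // exact entry, nothing to check
		case prefix == "":
			warnings = append(warnings, fmt.Sprintf("%q: bare wildcard never matches", entry))
		case !strings.HasSuffix(prefix, "/") && !strings.HasSuffix(prefix, ":") && !strings.HasSuffix(prefix, "@"):
			warnings = append(warnings, fmt.Sprintf("%q: prefix does not end at a path, tag or digest boundary", entry))
		}
	}
	return warnings
}

func main() {
	// Constructed sample configuration and image references.
	cfg := &WorkspacesConfig{
		ToolchainImage: "registry.example.com/tools/toolchain:1.0",
		AllowedImages: []string{
			"registry.example.com/team/dev:stable",
			"registry.example.com/team/base:*",
		},
	}
	for _, image := range []string{
		"registry.example.com/team/dev:stable",
		"registry.example.com/team/dev:latest",
		"registry.example.com/team/base:9",
		"registry.example.com/team/base-other:9",
		"registry.example.com/tools/toolchain:1.0",
	} {
		fmt.Printf("%-45s allowed=%v\n", image, cfg.IsImageAllowed(image))
	}
	for _, w := range LintAllowedImages([]string{"registry.example.com/team*", "*"}) {
		fmt.Println("lint:", w)
	}
}
```
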

@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 8

🧹 Nitpick comments (3)
internal/common/bundleverify/verify.go (1)

27-31: ⚡ Quick win

Consider validating that the PEM key is not empty.

The function returns an empty byte slice if cm.Data[keyRef.Key] contains an empty string. While VerifyBundle will catch this downstream during PEM parsing, validating here would provide a clearer error message to users.

🛡️ Proposed validation
 	pubKeyPEM, ok := cm.Data[keyRef.Key]
 	if !ok {
 		return nil, fmt.Errorf("ConfigMap %q does not contain key %q", keyRef.Name, keyRef.Key)
 	}
+	if strings.TrimSpace(pubKeyPEM) == "" {
+		return nil, fmt.Errorf("ConfigMap %q key %q is empty", keyRef.Name, keyRef.Key)
+	}
 	return []byte(pubKeyPEM), nil
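
Review bot: the added `strings.TrimSpace(pubKeyPEM) == ""` check rejects only a blank value, so a non-empty value that is not PEM still reaches `return []byte(pubKeyPEM), nil` and fails later with a less specific error. Consider decoding the PEM block at this point and returning an error that names the ConfigMap and key when decoding fails. Also confirm that `strings` is imported in this file, since the hunk does not show the import block.
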
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@internal/common/bundleverify/verify.go` around lines 27 - 31, The code
currently returns an empty byte slice when cm.Data[keyRef.Key] exists but is an
empty string (pubKeyPEM), which should be validated earlier; modify the function
that reads pubKeyPEM from the ConfigMap (the block using cm.Data[keyRef.Key] and
variables keyRef.Name/keyRef.Key) to check that pubKeyPEM != "" and return a
clear error (e.g. "ConfigMap %q key %q contains empty PEM") instead of returning
an empty slice so callers like VerifyBundle get a clearer, earlier error.
api/v1alpha1/zz_generated.deepcopy.go (1)

1393-1397: ⚡ Quick win

Exclude autogenerated deepcopy artifacts from the PR.

The deepcopy updates look correct, but this file is generated and should be omitted from source review/commit payload to keep PRs focused on handwritten changes.

Based on learnings: "Generated files that are not committed should be ignored in PRs. Specifically, do not include api/v1alpha1/zz_generated.deepcopy.go ... and ignore all config/crd/bases/*.yaml CRD manifests."

Also applies to: 1473-1487

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@api/v1alpha1/zz_generated.deepcopy.go` around lines 1393 - 1397,
Revert/remove the autogenerated deepcopy file from the PR
(api/v1alpha1/zz_generated.deepcopy.go and the other generated block around
lines 1473-1487) and exclude it from future commits by adding its path to ignore
rules; specifically, undo the committed changes to zz_generated.deepcopy.go
(restore the handwritten state or remove the file from the commit), add the
pattern api/v1alpha1/zz_generated.deepcopy.go to .gitignore (and add
config/crd/bases/*.yaml to .gitignore as well) so generated CRD manifests are
not committed, and update the PR so only handwritten source changes remain.
internal/controller/workspace/controller_test.go (1)

406-457: ⚡ Quick win

Test setup is incomplete for verification skip scenario.

The OperatorConfig only sets ImageVerify=false but doesn't configure:

  • AllowedImages — so the image allow-list check behavior is unclear
  • ToolchainImage — so the default image fallback at controller.go line 232 may not work as expected

To properly validate that verification is skipped, set up a complete configuration including the allowed images list and toolchain image.

🧪 Suggested improvement to add complete configuration
 	// OperatorConfig with imageVerify=false — signature check should be skipped
 	oc := &automotivev1alpha1.OperatorConfig{
 		ObjectMeta: metav1.ObjectMeta{
 			Name:      "config",
 			Namespace: "default",
 		},
 		Spec: automotivev1alpha1.OperatorConfigSpec{
 			Workspaces: &automotivev1alpha1.WorkspacesConfig{
-				ImageVerify: false,
+				ImageVerify:    false,
+				ToolchainImage: "quay.io/centos-automotive/toolchain:latest",
+				AllowedImages:  []string{"quay.io/centos-automotive/toolchain:*"},
 			},
 		},
 	}
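
Review bot: with `ToolchainImage` and the only `AllowedImages` entry both pointing at `quay.io/centos-automotive/toolchain`, this fixture cannot tell whether the image passed because of the allowlist entry or because it is the toolchain image, which the summary says is implicitly allowed. Use an allowlist entry for a repository other than the toolchain image so the skip-verification path is the only behaviour under test. The `:latest` tag is also mutable; a fixed tag keeps the fixture stable.
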
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@internal/controller/workspace/controller_test.go` around lines 406 - 457, The
test TestEnsurePod_SkipsVerifyWhenDisabled leaves OperatorConfig incomplete so
controller fallback logic may still depend on missing fields; update the test's
oc.Spec.Workspaces to include a non-empty AllowedImages list and a
ToolchainImage value (i.e. populate WorkspacesConfig.AllowedImages and
WorkspacesConfig.ToolchainImage) so ensurePod runs with a fully-specified
OperatorConfig and correctly exercises skipping verification when ImageVerify is
false.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@internal/buildapi/server.go`:
- Around line 1254-1269: Add unit tests for the verifyWorkspaceImage function
before modifying its implementation: create tests exercising
verifyWorkspaceImage covering (1) when ImageVerify is disabled (ensure it
returns success/no-op), (2) cosign key unavailable scenario by mocking the HTTP
client to return 400 and asserting the function returns the corresponding error,
(3) signature verification failure by mocking the HTTP client to return 403 and
asserting the appropriate error is returned, and (4) successful verification by
mocking a 200 response and asserting success; use the same test helpers/mocks
used elsewhere in the package to stub HTTP responses and reference
verifyWorkspaceImage and any config struct/field names (e.g., ImageVerify) to
locate the code under test.
- Line 1264: The verification currently runs in createWorkspace using only the
global WorkspacesConfig so per-workspace ImagePullSecrets are ignored; update
verifyWorkspaceImage to accept workspace-specific pull secrets (e.g., add an
imagePullSecrets parameter or include them on the request struct passed at line
where verifyWorkspaceImage is called) and change createWorkspace to pass the
Workspace spec's ImagePullSecrets (or delay verification until after the CR is
created and spec is available) so authn.DefaultKeychain can use those
credentials instead of the operator SA; also add failing tests in
workspace_test.go that exercise verifyWorkspaceImage with workspace-specific
ImagePullSecrets (assert that authn uses provided secret and signature
verification path differs from using only WorkspacesConfig) before implementing
the fix.

In `@internal/buildapi/workspace.go`:
- Around line 162-165: Add failing tests that exercise the image allowlist
validation before keeping the implementation: in
internal/buildapi/workspace_test.go add unit and HTTP tests that call
IsImageAllowed (or the handler that invokes it) with disallowed and allowed
image names, assert the function returns false for disallowed images and true
for allowed ones, verify that requests using disallowed images receive an HTTP
403 response and that the response body/error message matches the expected
rejection format; ensure tests run against the same handler functions (e.g., the
workspace image validation handler) used in production so the test fails until
the implementation is present.

In `@internal/common/bundleverify/verify.go`:
- Around line 17-32: Add unit tests in verify_test.go that exercise
FetchCosignPublicKey: create a test for a successful read where you build a fake
K8s client (controller-runtime fake client) with a ConfigMap containing the
expected key and PEM value and assert returned bytes match the PEM; add a test
that passes a nil ConfigMapKeySelector and asserts an error message about
configuration; add a test where the fake client has no ConfigMap (simulate
NotFound) and assert the error from FetchCosignPublicKey indicates failure to
read the ConfigMap; add a test where the ConfigMap exists but lacks the
requested key and assert the ConfigMap key-missing error; and add a test where
the ConfigMap key exists but the PEM value is empty and assert the function
returns an empty byte slice (or the expected error if you prefer) — reference
FetchCosignPublicKey, client.Reader, and verify_test.go when locating where to
add these cases.

In `@internal/controller/workspace/controller_test.go`:
- Around line 364-404: The test panics because OperatorConfig is missing so
wsConfig is nil and wsConfig.IsImageAllowed(image) is called; fix it by creating
and injecting an OperatorConfig with an AllowedImages entry into the test setup
before calling r.ensurePod (e.g., construct an OperatorConfig with the allowed
image list that does NOT include "quay.io/evil/rogue:latest" and add it to the
reconciler's fake client or test environment), ensuring ensurePod can load
wsConfig and perform the IsImageAllowed check instead of panicking.

In `@internal/controller/workspace/controller.go`:
- Around line 278-281: The code calls wsConfig.GetImagePullSecrets() without
ensuring wsConfig is non-nil, which can panic; update the imagePullSecrets
fallback logic to check wsConfig != nil before invoking GetImagePullSecrets
(e.g., when imagePullSecrets is empty, only call wsConfig.GetImagePullSecrets()
if wsConfig != nil) and otherwise leave imagePullSecrets empty or use a safe
default; refer to the variables imagePullSecrets, ws.Spec.ImagePullSecrets and
the method wsConfig.GetImagePullSecrets() to locate the change.
- Around line 226-236: The code dereferences wsConfig without nil checks; update
the workspace image logic in the function that uses wsConfig and ws (references:
wsConfig, operatorConfig, ws.Spec.Image, GetToolchainImage, IsImageAllowed) to
first handle a nil wsConfig (and nil operatorConfig.Spec.Workspaces) by either
using a safe default image or returning a clear error before calling
GetToolchainImage/IsImageAllowed; add explicit nil checks around wsConfig, use
ws.Spec.Image if present, otherwise only call wsConfig.GetToolchainImage when
wsConfig != nil, and guard the IsImageAllowed call similarly so no method is
invoked on a nil pointer.
- Around line 237-246: The verification uses authn.DefaultKeychain which ignores
workspace ImagePullSecrets; update the registry auth to use a keychain built
from the workspace ImagePullSecrets and pass that into
ociremote.WithRemoteOptions before calling bundleverify.VerifyBundle.
Specifically, replace the use of authn.DefaultKeychain in the registryOpts
assignment (currently
ociremote.WithRemoteOptions(remote.WithAuthFromKeychain(authn.DefaultKeychain)))
with a keychain constructed from the workspace image pull secrets (the same
ImagePullSecrets used for the pod), and ensure bundleverify.VerifyBundle(ctx,
image, pubKeyPEM, registryOpts) receives the new registryOpts so
private-registry images authenticated by the workspace secrets are verifiable.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 2a5f2cb0-5cfb-4225-8831-cedcb00e9083

📥 Commits

Reviewing files that changed from the base of the PR and between 5b74656 and 9cf422a.

⛔ Files ignored due to path filters (2)
  • config/crd/bases/automotive.sdv.cloud.redhat.com_operatorconfigs.yaml is excluded by !config/crd/bases/**
  • config/crd/bases/automotive.sdv.cloud.redhat.com_workspaces.yaml is excluded by !config/crd/bases/**
📒 Files selected for processing (10)
  • api/v1alpha1/operatorconfig_types.go
  • api/v1alpha1/operatorconfig_types_test.go
  • api/v1alpha1/workspace_types.go
  • api/v1alpha1/zz_generated.deepcopy.go
  • internal/buildapi/server.go
  • internal/buildapi/workspace.go
  • internal/common/bundleverify/verify.go
  • internal/controller/imagebuild/controller.go
  • internal/controller/workspace/controller.go
  • internal/controller/workspace/controller_test.go

Comment thread internal/buildapi/server.go Outdated
Comment thread internal/buildapi/server.go Outdated
Comment thread internal/buildapi/workspace.go Outdated
Comment thread internal/common/bundleverify/verify.go
Comment thread internal/controller/workspace/controller_test.go
Comment thread internal/controller/workspace/controller.go
Comment thread internal/controller/workspace/controller.go
Comment thread internal/controller/workspace/controller.go Outdated
@bennyz bennyz force-pushed the private-registry-workspace branch 2 times, most recently from ed4be81 to 06123c0 Compare May 12, 2026 09:47

@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 3

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@go.mod`:
- Around line 21-23: The go.mod lists mixed Kubernetes minor versions; update
the modules so they share the same minor release to avoid API skew—either bump
k8s.io/apiserver, k8s.io/apiextensions-apiserver, and k8s.io/component-base to
v0.35.3 to match k8s.io/api, k8s.io/apimachinery, k8s.io/client-go, or revert
the latter three to v0.34.7 consistently; change the versions for the module
entries named "k8s.io/apiserver", "k8s.io/apiextensions-apiserver", and
"k8s.io/component-base" accordingly and run go mod tidy to ensure dependency
graph updates.

In `@internal/common/bundleverify/verify.go`:
- Around line 57-61: The new verification branching in verify.go (functions
verifyV3Bundles and verifyLegacy) lacks deterministic unit tests for the three
critical cases: v3 succeeds and short-circuits, v3 fails but legacy succeeds,
and both v3 and legacy fail; add focused failing-first tests under the package
(matching **/*.go test files) that mock or stub the verifier/registryOpts to
force each scenario and assert the expected return behavior for Verify (i.e.,
immediate nil on v3 success, fallback to legacy on v3 miss, and error when both
fail). Ensure tests reference the verifyV3Bundles and verifyLegacy paths (via
the public function that drives them) and use deterministic injected behavior
rather than network calls so they fail first and then guide implementation
changes.
- Around line 67-69: The current check in verify.go uses a single return
fmt.Errorf("no v3 bundles found: %w", err) when either err != nil or
len(bundles) == 0, which can wrap a nil error; split the branches so you return
a wrapped error only when err is non-nil (e.g., return fmt.Errorf("failed
listing bundles: %w", err) in the err != nil branch) and return a plain error
when bundles are empty (e.g., return errors.New("no v3 bundles found") for the
len(bundles) == 0 branch), updating the code around the err and bundles checks
in the same function in verify.go.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 7f7cb118-cdd6-4935-8c47-ce222f94ca9f

📥 Commits

Reviewing files that changed from the base of the PR and between 9cf422a and 06123c0.

⛔ Files ignored due to path filters (287)
  • config/crd/bases/automotive.sdv.cloud.redhat.com_operatorconfigs.yaml is excluded by !config/crd/bases/**
  • config/crd/bases/automotive.sdv.cloud.redhat.com_workspaces.yaml is excluded by !config/crd/bases/**
  • go.sum is excluded by !**/*.sum, !**go.sum
  • vendor/github.com/go-openapi/jsonreference/internal/normalize_url.go is excluded by !vendor/**
  • vendor/github.com/go-openapi/jsonreference/reference.go is excluded by !vendor/**
  • vendor/github.com/go-openapi/loads/.gitignore is excluded by !vendor/**
  • vendor/github.com/go-openapi/loads/.golangci.yml is excluded by !vendor/**
  • vendor/github.com/go-openapi/loads/.travis.yml is excluded by !vendor/**
  • vendor/github.com/go-openapi/loads/CODE_OF_CONDUCT.md is excluded by !vendor/**
  • vendor/github.com/go-openapi/loads/CONTRIBUTORS.md is excluded by !vendor/**
  • vendor/github.com/go-openapi/loads/README.md is excluded by !vendor/**
  • vendor/github.com/go-openapi/loads/SECURITY.md is excluded by !vendor/**
  • vendor/github.com/go-openapi/loads/doc.go is excluded by !vendor/**
  • vendor/github.com/go-openapi/loads/errors.go is excluded by !vendor/**
  • vendor/github.com/go-openapi/loads/loaders.go is excluded by !vendor/**
  • vendor/github.com/go-openapi/loads/options.go is excluded by !vendor/**
  • vendor/github.com/go-openapi/loads/spec.go is excluded by !vendor/**
  • vendor/github.com/go-openapi/runtime/.gitignore is excluded by !vendor/**
  • vendor/github.com/go-openapi/runtime/CODE_OF_CONDUCT.md is excluded by !vendor/**
  • vendor/github.com/go-openapi/runtime/NOTICE is excluded by !vendor/**
  • vendor/github.com/go-openapi/runtime/README.md is excluded by !vendor/**
  • vendor/github.com/go-openapi/runtime/SECURITY.md is excluded by !vendor/**
  • vendor/github.com/go-openapi/runtime/bytestream.go is excluded by !vendor/**
  • vendor/github.com/go-openapi/runtime/client/auth_info.go is excluded by !vendor/**
  • vendor/github.com/go-openapi/runtime/client/keepalive.go is excluded by !vendor/**
  • vendor/github.com/go-openapi/runtime/client/opentelemetry.go is excluded by !vendor/**
  • vendor/github.com/go-openapi/runtime/client/request.go is excluded by !vendor/**
  • vendor/github.com/go-openapi/runtime/client/runtime.go is excluded by !vendor/**
  • vendor/github.com/go-openapi/runtime/client_auth_info.go is excluded by !vendor/**
  • vendor/github.com/go-openapi/runtime/client_operation.go is excluded by !vendor/**
  • vendor/github.com/go-openapi/runtime/client_request.go is excluded by !vendor/**
  • vendor/github.com/go-openapi/runtime/client_response.go is excluded by !vendor/**
  • vendor/github.com/go-openapi/runtime/constants.go is excluded by !vendor/**
  • vendor/github.com/go-openapi/runtime/csv.go is excluded by !vendor/**
  • vendor/github.com/go-openapi/runtime/csv_options.go is excluded by !vendor/**
  • vendor/github.com/go-openapi/runtime/doc.go is excluded by !vendor/**
  • vendor/github.com/go-openapi/runtime/go.work.sum is excluded by !**/*.sum, !vendor/**
  • vendor/github.com/go-openapi/runtime/headers.go is excluded by !vendor/**
  • vendor/github.com/go-openapi/runtime/interfaces.go is excluded by !vendor/**
  • vendor/github.com/go-openapi/runtime/json.go is excluded by !vendor/**
  • vendor/github.com/go-openapi/runtime/middleware/context.go is excluded by !vendor/**
  • vendor/github.com/go-openapi/runtime/middleware/denco/README.md is excluded by !vendor/**
  • vendor/github.com/go-openapi/runtime/middleware/denco/router.go is excluded by !vendor/**
  • vendor/github.com/go-openapi/runtime/middleware/denco/server.go is excluded by !vendor/**
  • vendor/github.com/go-openapi/runtime/middleware/denco/util.go is excluded by !vendor/**
  • vendor/github.com/go-openapi/runtime/middleware/doc.go is excluded by !vendor/**
  • vendor/github.com/go-openapi/runtime/middleware/not_implemented.go is excluded by !vendor/**
  • vendor/github.com/go-openapi/runtime/middleware/operation.go is excluded by !vendor/**
  • vendor/github.com/go-openapi/runtime/middleware/parameter.go is excluded by !vendor/**
  • vendor/github.com/go-openapi/runtime/middleware/rapidoc.go is excluded by !vendor/**
  • vendor/github.com/go-openapi/runtime/middleware/redoc.go is excluded by !vendor/**
  • vendor/github.com/go-openapi/runtime/middleware/request.go is excluded by !vendor/**
  • vendor/github.com/go-openapi/runtime/middleware/router.go is excluded by !vendor/**
  • vendor/github.com/go-openapi/runtime/middleware/spec.go is excluded by !vendor/**
  • vendor/github.com/go-openapi/runtime/middleware/swaggerui.go is excluded by !vendor/**
  • vendor/github.com/go-openapi/runtime/middleware/ui_options.go is excluded by !vendor/**
  • vendor/github.com/go-openapi/runtime/middleware/untyped/api.go is excluded by !vendor/**
  • vendor/github.com/go-openapi/runtime/middleware/validation.go is excluded by !vendor/**
  • vendor/github.com/go-openapi/runtime/request.go is excluded by !vendor/**
  • vendor/github.com/go-openapi/runtime/security/authenticator.go is excluded by !vendor/**
  • vendor/github.com/go-openapi/runtime/security/authorizer.go is excluded by !vendor/**
  • vendor/github.com/go-openapi/runtime/statuses.go is excluded by !vendor/**
  • vendor/github.com/go-openapi/runtime/text.go is excluded by !vendor/**
  • vendor/github.com/go-openapi/runtime/values.go is excluded by !vendor/**
  • vendor/github.com/go-openapi/runtime/xml.go is excluded by !vendor/**
  • vendor/github.com/go-openapi/runtime/yamlpc/yaml.go is excluded by !vendor/**
  • vendor/github.com/go-openapi/spec/.gitignore is excluded by !vendor/**
  • vendor/github.com/go-openapi/spec/.golangci.yml is excluded by !vendor/**
  • vendor/github.com/go-openapi/spec/CODE_OF_CONDUCT.md is excluded by !vendor/**
  • vendor/github.com/go-openapi/spec/CONTRIBUTORS.md is excluded by !vendor/**
  • vendor/github.com/go-openapi/spec/README.md is excluded by !vendor/**
  • vendor/github.com/go-openapi/spec/SECURITY.md is excluded by !vendor/**
  • vendor/github.com/go-openapi/spec/cache.go is excluded by !vendor/**
  • vendor/github.com/go-openapi/spec/contact_info.go is excluded by !vendor/**
  • vendor/github.com/go-openapi/spec/debug.go is excluded by !vendor/**
  • vendor/github.com/go-openapi/spec/doc.go is excluded by !vendor/**
  • vendor/github.com/go-openapi/spec/errors.go is excluded by !vendor/**
  • vendor/github.com/go-openapi/spec/expander.go is excluded by !vendor/**
  • vendor/github.com/go-openapi/spec/header.go is excluded by !vendor/**
  • vendor/github.com/go-openapi/spec/info.go is excluded by !vendor/**
  • vendor/github.com/go-openapi/spec/items.go is excluded by !vendor/**
  • vendor/github.com/go-openapi/spec/license.go is excluded by !vendor/**
  • vendor/github.com/go-openapi/spec/normalizer.go is excluded by !vendor/**
  • vendor/github.com/go-openapi/spec/operation.go is excluded by !vendor/**
  • vendor/github.com/go-openapi/spec/parameter.go is excluded by !vendor/**
  • vendor/github.com/go-openapi/spec/path_item.go is excluded by !vendor/**
  • vendor/github.com/go-openapi/spec/paths.go is excluded by !vendor/**
  • vendor/github.com/go-openapi/spec/properties.go is excluded by !vendor/**
  • vendor/github.com/go-openapi/spec/ref.go is excluded by !vendor/**
  • vendor/github.com/go-openapi/spec/resolver.go is excluded by !vendor/**
  • vendor/github.com/go-openapi/spec/response.go is excluded by !vendor/**
  • vendor/github.com/go-openapi/spec/responses.go is excluded by !vendor/**
  • vendor/github.com/go-openapi/spec/schema.go is excluded by !vendor/**
  • vendor/github.com/go-openapi/spec/schema_loader.go is excluded by !vendor/**
  • vendor/github.com/go-openapi/spec/security_scheme.go is excluded by !vendor/**
  • vendor/github.com/go-openapi/spec/spec.go is excluded by !vendor/**
  • vendor/github.com/go-openapi/spec/swagger.go is excluded by !vendor/**
  • vendor/github.com/go-openapi/spec/tag.go is excluded by !vendor/**
  • vendor/github.com/go-openapi/spec/validations.go is excluded by !vendor/**
  • vendor/github.com/go-openapi/spec/xml_object.go is excluded by !vendor/**
  • vendor/github.com/go-openapi/strfmt/.cliff.toml is excluded by !vendor/**
  • vendor/github.com/go-openapi/strfmt/.gitignore is excluded by !vendor/**
  • vendor/github.com/go-openapi/strfmt/.golangci.yml is excluded by !vendor/**
  • vendor/github.com/go-openapi/strfmt/CODE_OF_CONDUCT.md is excluded by !vendor/**
  • vendor/github.com/go-openapi/strfmt/CONTRIBUTORS.md is excluded by !vendor/**
  • vendor/github.com/go-openapi/strfmt/README.md is excluded by !vendor/**
  • vendor/github.com/go-openapi/strfmt/SECURITY.md is excluded by !vendor/**
  • vendor/github.com/go-openapi/strfmt/bson.go is excluded by !vendor/**
  • vendor/github.com/go-openapi/strfmt/date.go is excluded by !vendor/**
  • vendor/github.com/go-openapi/strfmt/default.go is excluded by !vendor/**
  • vendor/github.com/go-openapi/strfmt/doc.go is excluded by !vendor/**
  • vendor/github.com/go-openapi/strfmt/duration.go is excluded by !vendor/**
  • vendor/github.com/go-openapi/strfmt/errors.go is excluded by !vendor/**
  • vendor/github.com/go-openapi/strfmt/format.go is excluded by !vendor/**
  • vendor/github.com/go-openapi/strfmt/go.work.sum is excluded by !**/*.sum, !vendor/**
  • vendor/github.com/go-openapi/strfmt/ifaces.go is excluded by !vendor/**
  • vendor/github.com/go-openapi/strfmt/internal/bsonlite/codec.go is excluded by !vendor/**
  • vendor/github.com/go-openapi/strfmt/internal/bsonlite/lite.go is excluded by !vendor/**
  • vendor/github.com/go-openapi/strfmt/mongo.go is excluded by !vendor/**
  • vendor/github.com/go-openapi/strfmt/time.go is excluded by !vendor/**
  • vendor/github.com/go-openapi/strfmt/ulid.go is excluded by !vendor/**
  • vendor/github.com/go-openapi/swag/.gitignore is excluded by !vendor/**
  • vendor/github.com/go-openapi/swag/CODE_OF_CONDUCT.md is excluded by !vendor/**
  • vendor/github.com/go-openapi/swag/CONTRIBUTORS.md is excluded by !vendor/**
  • vendor/github.com/go-openapi/swag/README.md is excluded by !vendor/**
  • vendor/github.com/go-openapi/swag/jsonutils/README.md is excluded by !vendor/**
  • vendor/github.com/go-openapi/swag/mangling/BENCHMARK.md is excluded by !vendor/**
  • vendor/github.com/go-openapi/validate/.gitignore is excluded by !vendor/**
  • vendor/github.com/go-openapi/validate/.golangci.yml is excluded by !vendor/**
  • vendor/github.com/go-openapi/validate/BENCHMARK.md is excluded by !vendor/**
  • vendor/github.com/go-openapi/validate/CODE_OF_CONDUCT.md is excluded by !vendor/**
  • vendor/github.com/go-openapi/validate/CONTRIBUTORS.md is excluded by !vendor/**
  • vendor/github.com/go-openapi/validate/README.md is excluded by !vendor/**
  • vendor/github.com/go-openapi/validate/SECURITY.md is excluded by !vendor/**
  • vendor/github.com/go-openapi/validate/context.go is excluded by !vendor/**
  • vendor/github.com/go-openapi/validate/debug.go is excluded by !vendor/**
  • vendor/github.com/go-openapi/validate/default_validator.go is excluded by !vendor/**
  • vendor/github.com/go-openapi/validate/doc.go is excluded by !vendor/**
  • vendor/github.com/go-openapi/validate/example_validator.go is excluded by !vendor/**
  • vendor/github.com/go-openapi/validate/formats.go is excluded by !vendor/**
  • vendor/github.com/go-openapi/validate/helpers.go is excluded by !vendor/**
  • vendor/github.com/go-openapi/validate/object_validator.go is excluded by !vendor/**
  • vendor/github.com/go-openapi/validate/options.go is excluded by !vendor/**
  • vendor/github.com/go-openapi/validate/pools.go is excluded by !vendor/**
  • vendor/github.com/go-openapi/validate/result.go is excluded by !vendor/**
  • vendor/github.com/go-openapi/validate/rexp.go is excluded by !vendor/**
  • vendor/github.com/go-openapi/validate/schema.go is excluded by !vendor/**
  • vendor/github.com/go-openapi/validate/schema_messages.go is excluded by !vendor/**
  • vendor/github.com/go-openapi/validate/schema_option.go is excluded by !vendor/**
  • vendor/github.com/go-openapi/validate/schema_props.go is excluded by !vendor/**
  • vendor/github.com/go-openapi/validate/slice_validator.go is excluded by !vendor/**
  • vendor/github.com/go-openapi/validate/spec.go is excluded by !vendor/**
  • vendor/github.com/go-openapi/validate/spec_messages.go is excluded by !vendor/**
  • vendor/github.com/go-openapi/validate/type.go is excluded by !vendor/**
  • vendor/github.com/go-openapi/validate/update-fixtures.sh is excluded by !vendor/**
  • vendor/github.com/go-openapi/validate/validator.go is excluded by !vendor/**
  • vendor/github.com/go-openapi/validate/values.go is excluded by !vendor/**
  • vendor/github.com/go-playground/validator/v10/.golangci.yaml is excluded by !vendor/**
  • vendor/github.com/go-playground/validator/v10/README.md is excluded by !vendor/**
  • vendor/github.com/go-playground/validator/v10/baked_in.go is excluded by !vendor/**
  • vendor/github.com/go-playground/validator/v10/cache.go is excluded by !vendor/**
  • vendor/github.com/go-playground/validator/v10/country_codes.go is excluded by !vendor/**
  • vendor/github.com/go-playground/validator/v10/currency_codes.go is excluded by !vendor/**
  • vendor/github.com/go-playground/validator/v10/doc.go is excluded by !vendor/**
  • vendor/github.com/go-playground/validator/v10/regexes.go is excluded by !vendor/**
  • vendor/github.com/go-playground/validator/v10/util.go is excluded by !vendor/**
  • vendor/github.com/go-viper/mapstructure/v2/.editorconfig is excluded by !vendor/**
  • vendor/github.com/go-viper/mapstructure/v2/.envrc is excluded by !vendor/**
  • vendor/github.com/go-viper/mapstructure/v2/.gitignore is excluded by !vendor/**
  • vendor/github.com/go-viper/mapstructure/v2/devenv.lock is excluded by !**/*.lock, !vendor/**
  • vendor/github.com/go-viper/mapstructure/v2/devenv.nix is excluded by !vendor/**
  • vendor/github.com/go-viper/mapstructure/v2/devenv.yaml is excluded by !vendor/**
  • vendor/github.com/go-viper/mapstructure/v2/flake.lock is excluded by !**/*.lock, !vendor/**
  • vendor/github.com/go-viper/mapstructure/v2/flake.nix is excluded by !vendor/**
  • vendor/github.com/go-viper/mapstructure/v2/mapstructure.go is excluded by !vendor/**
  • vendor/github.com/google/certificate-transparency-go/CHANGELOG.md is excluded by !vendor/**
  • vendor/github.com/google/certificate-transparency-go/README.md is excluded by !vendor/**
  • vendor/github.com/google/certificate-transparency-go/client/configpb/multilog.pb.go is excluded by !**/*.pb.go, !vendor/**
  • vendor/github.com/google/certificate-transparency-go/loglist3/logfilter.go is excluded by !vendor/**
  • vendor/github.com/google/certificate-transparency-go/loglist3/loglist3.go is excluded by !vendor/**
  • vendor/github.com/google/certificate-transparency-go/loglist3/logstatus_string.go is excluded by !vendor/**
  • vendor/github.com/google/certificate-transparency-go/types.go is excluded by !vendor/**
  • vendor/github.com/google/go-containerregistry/pkg/authn/keychain.go is excluded by !vendor/**
  • vendor/github.com/google/go-containerregistry/pkg/v1/hash.go is excluded by !vendor/**
  • vendor/github.com/google/go-containerregistry/pkg/v1/layout/layoutpath.go is excluded by !vendor/**
  • vendor/github.com/google/go-containerregistry/pkg/v1/mutate/mutate.go is excluded by !vendor/**
📒 Files selected for processing (13)
  • api/v1alpha1/operatorconfig_types.go
  • api/v1alpha1/operatorconfig_types_test.go
  • api/v1alpha1/workspace_types.go
  • api/v1alpha1/zz_generated.deepcopy.go
  • go.mod
  • internal/buildapi/bundle_verify_test.go
  • internal/buildapi/server.go
  • internal/buildapi/workspace.go
  • internal/common/bundleverify/verify.go
  • internal/common/bundleverify/verify_test.go
  • internal/controller/imagebuild/controller.go
  • internal/controller/workspace/controller.go
  • internal/controller/workspace/controller_test.go
✅ Files skipped from review due to trivial changes (2)
  • api/v1alpha1/operatorconfig_types_test.go
  • api/v1alpha1/zz_generated.deepcopy.go
🚧 Files skipped from review as they are similar to previous changes (7)
  • internal/buildapi/workspace.go
  • api/v1alpha1/workspace_types.go
  • internal/buildapi/server.go
  • internal/controller/workspace/controller_test.go
  • api/v1alpha1/operatorconfig_types.go
  • internal/controller/imagebuild/controller.go
  • internal/controller/workspace/controller.go

Comment thread go.mod
Comment thread internal/common/bundleverify/verify.go Outdated
Comment thread internal/common/bundleverify/verify.go Outdated
@bennyz bennyz force-pushed the private-registry-workspace branch 2 times, most recently from ff0af43 to 60f6cec Compare May 12, 2026 10:57

@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 2

♻️ Duplicate comments (1)
go.mod (1)

21-23: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Align all Kubernetes modules to the same minor version.

k8s.io/* is still split across v0.35.x and v0.34.x, which risks API/runtime skew. This was already flagged earlier and appears unresolved.

#!/bin/bash
# Verify current Kubernetes module minor alignment in go.mod
rg -n '^\s*k8s\.io/(api|apimachinery|client-go|apiserver|apiextensions-apiserver|component-base)\s+v' go.mod

Also applies to: 232-234

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@go.mod` around lines 21 - 23, The go.mod lists Kubernetes modules with mixed
minor versions (k8s.io/apimachinery v0.35.3, k8s.io/apiserver v0.34.7,
k8s.io/client-go v0.35.3); update the mismatched module(s) so all k8s.io/*
entries use the same minor version (e.g., bump k8s.io/apiserver to v0.35.3) to
avoid API/runtime skew—ensure you adjust any other k8s.io/* modules
(apiextensions-apiserver, component-base, api, client-go, apimachinery,
apiserver) to the identical v0.35.x version and run `go mod tidy` to reconcile
dependencies.
🧹 Nitpick comments (2)
internal/common/bundleverify/keychain_test.go (1)

48-118: ⚡ Quick win

Add a test for the legacy .dockercfg secret path (corev1.DockerConfigKey).

The new implementation supports both Docker config keys, but current tests only exercise corev1.DockerConfigJsonKey. A focused test for corev1.DockerConfigKey would close the branch gap.

As per coding guidelines "**/*.go: Add failing tests before starting implementation".

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@internal/common/bundleverify/keychain_test.go` around lines 48 - 118, Add a
new unit test that mirrors TestKeychainFromPullSecrets_ResolvesDockerConfigJSON
but verifies the legacy .dockercfg path: create a secret with Type
corev1.SecretTypeDockercfg and Data keyed by corev1.DockerConfigKey containing a
dockercfg-formatted JSON (with registry.example.com username/password), call
KeychainFromPullSecrets with newFakeReader, resolve a
name.NewRegistry("registry.example.com") against the returned keychain and
assert the Authorization() returns the expected username/password; this ensures
the KeychainFromPullSecrets handling of corev1.DockerConfigKey is exercised.
internal/common/bundleverify/keychain.go (1)

33-38: ⚡ Quick win

Fail fast when an explicitly referenced pull secret is not a Docker auth secret.

Silently skipping referenced secrets without .dockerconfigjson/.dockercfg can hide config mistakes and lead to confusing downstream auth failures. Returning an error here gives immediate feedback.

Proposed change
 		data, ok := secret.Data[corev1.DockerConfigJsonKey]
 		if !ok {
 			data, ok = secret.Data[corev1.DockerConfigKey]
 			if !ok {
-				continue
+				return nil, fmt.Errorf("pull secret %q does not contain %q or %q", ref.Name, corev1.DockerConfigJsonKey, corev1.DockerConfigKey)
 			}
 		}
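Review bot: the new `return nil, fmt.Errorf(...)` line identifies the secret only by `ref.Name`, so the error does not say which namespace was searched; include the namespace in the message so a misconfigured reference can be located directly. The surrounding `ok` checks test only that the key exists, so a secret whose `corev1.DockerConfigJsonKey` or `corev1.DockerConfigKey` entry is present but empty still gets past this fail-fast branch and fails later; consider rejecting `len(data) == 0` at the same point. The hunk also assumes that `fmt` is already imported and that the enclosing function returns an error as its second value, neither of which is visible in these lines.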
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@internal/common/bundleverify/keychain.go` around lines 33 - 38, The loop
currently silently continues when a secret's Data lacks
corev1.DockerConfigJsonKey or corev1.DockerConfigKey; change this to fail fast
by returning an error (e.g., fmt.Errorf) indicating the secret name/namespace is
not a Docker auth secret so callers get immediate feedback. Locate the block
accessing secret.Data[corev1.DockerConfigJsonKey] / corev1.DockerConfigKey in
keychain.go (the variable secret in the loop) and replace the inner continue
with a returned error that includes secret.Name and secret.Namespace; ensure the
function signature and callers propagate the error.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@go.mod`:
- Line 59: The go.mod currently pins github.com/docker/docker to v28.5.2 which
contains security fixes; update the dependency declaration for
github.com/docker/docker to v29.3.1 (or later) in go.mod, then run `go get
github.com/docker/docker@v29.3.1` (or the equivalent tool/command in your
workflow) and `go mod tidy`/`go mod download` to refresh go.sum and vendor
files, rebuild and run tests to ensure compatibility; reference the module name
"github.com/docker/docker" when locating the version entry to change.
- Line 202: The go.mod currently pins github.com/tektoncd/pipeline at v1.6.0
which is vulnerable; update the module requirement for
github.com/tektoncd/pipeline to a patched release (minimum v1.6.1, preferably
v1.11.1) in go.mod, then run go get github.com/tektoncd/pipeline@v1.11.1 (or
`@v1.6.1` if constrained), followed by go mod tidy (and go mod vendor if you
vendor) and run the test suite to ensure no regressions; search for any code
referencing github.com/tektoncd/pipeline types or imports to confirm
compatibility and adjust imports/usages if the newer API requires changes.

---

Duplicate comments:
In `@go.mod`:
- Around line 21-23: The go.mod lists Kubernetes modules with mixed minor
versions (k8s.io/apimachinery v0.35.3, k8s.io/apiserver v0.34.7,
k8s.io/client-go v0.35.3); update the mismatched module(s) so all k8s.io/*
entries use the same minor version (e.g., bump k8s.io/apiserver to v0.35.3) to
avoid API/runtime skew—ensure you adjust any other k8s.io/* modules
(apiextensions-apiserver, component-base, api, client-go, apimachinery,
apiserver) to the identical v0.35.x version and run `go mod tidy` to reconcile
dependencies.

---

Nitpick comments:
In `@internal/common/bundleverify/keychain_test.go`:
- Around line 48-118: Add a new unit test that mirrors
TestKeychainFromPullSecrets_ResolvesDockerConfigJSON but verifies the legacy
.dockercfg path: create a secret with Type corev1.SecretTypeDockercfg and Data
keyed by corev1.DockerConfigKey containing a dockercfg-formatted JSON (with
registry.example.com username/password), call KeychainFromPullSecrets with
newFakeReader, resolve a name.NewRegistry("registry.example.com") against the
returned keychain and assert the Authorization() returns the expected
username/password; this ensures the KeychainFromPullSecrets handling of
corev1.DockerConfigKey is exercised.

In `@internal/common/bundleverify/keychain.go`:
- Around line 33-38: The loop currently silently continues when a secret's Data
lacks corev1.DockerConfigJsonKey or corev1.DockerConfigKey; change this to fail
fast by returning an error (e.g., fmt.Errorf) indicating the secret
name/namespace is not a Docker auth secret so callers get immediate feedback.
Locate the block accessing secret.Data[corev1.DockerConfigJsonKey] /
corev1.DockerConfigKey in keychain.go (the variable secret in the loop) and
replace the inner continue with a returned error that includes secret.Name and
secret.Namespace; ensure the function signature and callers propagate the error.
ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: c032cd2f-d037-4a41-b1a6-d53d0c4e2390

📥 Commits

Reviewing files that changed from the base of the PR and between 06123c0 and 60f6cec.

⛔ Files ignored due to path filters (285)
  • config/crd/bases/automotive.sdv.cloud.redhat.com_operatorconfigs.yaml is excluded by !config/crd/bases/**
  • config/crd/bases/automotive.sdv.cloud.redhat.com_workspaces.yaml is excluded by !config/crd/bases/**
  • go.sum is excluded by !**/*.sum, !**go.sum
  • vendor/github.com/go-openapi/jsonpointer/CODE_OF_CONDUCT.md is excluded by !vendor/**
  • vendor/github.com/go-openapi/jsonpointer/CONTRIBUTORS.md is excluded by !vendor/**
  • vendor/github.com/go-openapi/jsonpointer/LICENSE is excluded by !vendor/**
  • vendor/github.com/go-openapi/jsonpointer/NOTICE is excluded by !vendor/**
  • vendor/github.com/go-openapi/jsonpointer/README.md is excluded by !vendor/**
  • vendor/github.com/go-openapi/jsonpointer/SECURITY.md is excluded by !vendor/**
  • vendor/github.com/go-openapi/jsonpointer/errors.go is excluded by !vendor/**
  • vendor/github.com/go-openapi/jsonpointer/pointer.go is excluded by !vendor/**
  • vendor/github.com/go-openapi/jsonreference/.editorconfig is excluded by !vendor/**
  • vendor/github.com/go-openapi/jsonreference/.gitignore is excluded by !vendor/**
  • vendor/github.com/go-openapi/jsonreference/.golangci.yml is excluded by !vendor/**
  • vendor/github.com/go-openapi/jsonreference/CODE_OF_CONDUCT.md is excluded by !vendor/**
  • vendor/github.com/go-openapi/jsonreference/CONTRIBUTORS.md is excluded by !vendor/**
  • vendor/github.com/go-openapi/jsonreference/NOTICE is excluded by !vendor/**
  • vendor/github.com/go-openapi/jsonreference/README.md is excluded by !vendor/**
  • vendor/github.com/go-openapi/jsonreference/SECURITY.md is excluded by !vendor/**
  • vendor/github.com/go-openapi/jsonreference/internal/normalize_url.go is excluded by !vendor/**
  • vendor/github.com/go-openapi/jsonreference/reference.go is excluded by !vendor/**
  • vendor/github.com/go-openapi/loads/.gitignore is excluded by !vendor/**
  • vendor/github.com/go-openapi/loads/.golangci.yml is excluded by !vendor/**
  • vendor/github.com/go-openapi/loads/.travis.yml is excluded by !vendor/**
  • vendor/github.com/go-openapi/loads/CODE_OF_CONDUCT.md is excluded by !vendor/**
  • vendor/github.com/go-openapi/loads/CONTRIBUTORS.md is excluded by !vendor/**
  • vendor/github.com/go-openapi/loads/README.md is excluded by !vendor/**
  • vendor/github.com/go-openapi/loads/SECURITY.md is excluded by !vendor/**
  • vendor/github.com/go-openapi/loads/doc.go is excluded by !vendor/**
  • vendor/github.com/go-openapi/loads/errors.go is excluded by !vendor/**
  • vendor/github.com/go-openapi/loads/loaders.go is excluded by !vendor/**
  • vendor/github.com/go-openapi/loads/options.go is excluded by !vendor/**
  • vendor/github.com/go-openapi/loads/spec.go is excluded by !vendor/**
  • vendor/github.com/go-openapi/runtime/.gitignore is excluded by !vendor/**
  • vendor/github.com/go-openapi/runtime/CODE_OF_CONDUCT.md is excluded by !vendor/**
  • vendor/github.com/go-openapi/runtime/NOTICE is excluded by !vendor/**
  • vendor/github.com/go-openapi/runtime/README.md is excluded by !vendor/**
  • vendor/github.com/go-openapi/runtime/SECURITY.md is excluded by !vendor/**
  • vendor/github.com/go-openapi/runtime/bytestream.go is excluded by !vendor/**
  • vendor/github.com/go-openapi/runtime/client/auth_info.go is excluded by !vendor/**
  • vendor/github.com/go-openapi/runtime/client/keepalive.go is excluded by !vendor/**
  • vendor/github.com/go-openapi/runtime/client/opentelemetry.go is excluded by !vendor/**
  • vendor/github.com/go-openapi/runtime/client/request.go is excluded by !vendor/**
  • vendor/github.com/go-openapi/runtime/client/runtime.go is excluded by !vendor/**
  • vendor/github.com/go-openapi/runtime/client_auth_info.go is excluded by !vendor/**
  • vendor/github.com/go-openapi/runtime/client_operation.go is excluded by !vendor/**
  • vendor/github.com/go-openapi/runtime/client_request.go is excluded by !vendor/**
  • vendor/github.com/go-openapi/runtime/client_response.go is excluded by !vendor/**
  • vendor/github.com/go-openapi/runtime/constants.go is excluded by !vendor/**
  • vendor/github.com/go-openapi/runtime/csv.go is excluded by !vendor/**
  • vendor/github.com/go-openapi/runtime/csv_options.go is excluded by !vendor/**
  • vendor/github.com/go-openapi/runtime/doc.go is excluded by !vendor/**
  • vendor/github.com/go-openapi/runtime/go.work.sum is excluded by !**/*.sum, !vendor/**
  • vendor/github.com/go-openapi/runtime/headers.go is excluded by !vendor/**
  • vendor/github.com/go-openapi/runtime/interfaces.go is excluded by !vendor/**
  • vendor/github.com/go-openapi/runtime/json.go is excluded by !vendor/**
  • vendor/github.com/go-openapi/runtime/middleware/context.go is excluded by !vendor/**
  • vendor/github.com/go-openapi/runtime/middleware/denco/README.md is excluded by !vendor/**
  • vendor/github.com/go-openapi/runtime/middleware/denco/router.go is excluded by !vendor/**
  • vendor/github.com/go-openapi/runtime/middleware/denco/server.go is excluded by !vendor/**
  • vendor/github.com/go-openapi/runtime/middleware/denco/util.go is excluded by !vendor/**
  • vendor/github.com/go-openapi/runtime/middleware/doc.go is excluded by !vendor/**
  • vendor/github.com/go-openapi/runtime/middleware/not_implemented.go is excluded by !vendor/**
  • vendor/github.com/go-openapi/runtime/middleware/operation.go is excluded by !vendor/**
  • vendor/github.com/go-openapi/runtime/middleware/parameter.go is excluded by !vendor/**
  • vendor/github.com/go-openapi/runtime/middleware/rapidoc.go is excluded by !vendor/**
  • vendor/github.com/go-openapi/runtime/middleware/redoc.go is excluded by !vendor/**
  • vendor/github.com/go-openapi/runtime/middleware/request.go is excluded by !vendor/**
  • vendor/github.com/go-openapi/runtime/middleware/router.go is excluded by !vendor/**
  • vendor/github.com/go-openapi/runtime/middleware/spec.go is excluded by !vendor/**
  • vendor/github.com/go-openapi/runtime/middleware/swaggerui.go is excluded by !vendor/**
  • vendor/github.com/go-openapi/runtime/middleware/ui_options.go is excluded by !vendor/**
  • vendor/github.com/go-openapi/runtime/middleware/untyped/api.go is excluded by !vendor/**
  • vendor/github.com/go-openapi/runtime/middleware/validation.go is excluded by !vendor/**
  • vendor/github.com/go-openapi/runtime/request.go is excluded by !vendor/**
  • vendor/github.com/go-openapi/runtime/security/authenticator.go is excluded by !vendor/**
  • vendor/github.com/go-openapi/runtime/security/authorizer.go is excluded by !vendor/**
  • vendor/github.com/go-openapi/runtime/statuses.go is excluded by !vendor/**
  • vendor/github.com/go-openapi/runtime/text.go is excluded by !vendor/**
  • vendor/github.com/go-openapi/runtime/values.go is excluded by !vendor/**
  • vendor/github.com/go-openapi/runtime/xml.go is excluded by !vendor/**
  • vendor/github.com/go-openapi/runtime/yamlpc/yaml.go is excluded by !vendor/**
  • vendor/github.com/go-openapi/spec/.gitignore is excluded by !vendor/**
  • vendor/github.com/go-openapi/spec/.golangci.yml is excluded by !vendor/**
  • vendor/github.com/go-openapi/spec/CODE_OF_CONDUCT.md is excluded by !vendor/**
  • vendor/github.com/go-openapi/spec/CONTRIBUTORS.md is excluded by !vendor/**
  • vendor/github.com/go-openapi/spec/README.md is excluded by !vendor/**
  • vendor/github.com/go-openapi/spec/SECURITY.md is excluded by !vendor/**
  • vendor/github.com/go-openapi/spec/cache.go is excluded by !vendor/**
  • vendor/github.com/go-openapi/spec/contact_info.go is excluded by !vendor/**
  • vendor/github.com/go-openapi/spec/debug.go is excluded by !vendor/**
  • vendor/github.com/go-openapi/spec/doc.go is excluded by !vendor/**
  • vendor/github.com/go-openapi/spec/errors.go is excluded by !vendor/**
  • vendor/github.com/go-openapi/spec/expander.go is excluded by !vendor/**
  • vendor/github.com/go-openapi/spec/header.go is excluded by !vendor/**
  • vendor/github.com/go-openapi/spec/info.go is excluded by !vendor/**
  • vendor/github.com/go-openapi/spec/items.go is excluded by !vendor/**
  • vendor/github.com/go-openapi/spec/license.go is excluded by !vendor/**
  • vendor/github.com/go-openapi/spec/normalizer.go is excluded by !vendor/**
  • vendor/github.com/go-openapi/spec/operation.go is excluded by !vendor/**
  • vendor/github.com/go-openapi/spec/parameter.go is excluded by !vendor/**
  • vendor/github.com/go-openapi/spec/path_item.go is excluded by !vendor/**
  • vendor/github.com/go-openapi/spec/paths.go is excluded by !vendor/**
  • vendor/github.com/go-openapi/spec/properties.go is excluded by !vendor/**
  • vendor/github.com/go-openapi/spec/ref.go is excluded by !vendor/**
  • vendor/github.com/go-openapi/spec/resolver.go is excluded by !vendor/**
  • vendor/github.com/go-openapi/spec/response.go is excluded by !vendor/**
  • vendor/github.com/go-openapi/spec/responses.go is excluded by !vendor/**
  • vendor/github.com/go-openapi/spec/schema.go is excluded by !vendor/**
  • vendor/github.com/go-openapi/spec/schema_loader.go is excluded by !vendor/**
  • vendor/github.com/go-openapi/spec/security_scheme.go is excluded by !vendor/**
  • vendor/github.com/go-openapi/spec/spec.go is excluded by !vendor/**
  • vendor/github.com/go-openapi/spec/swagger.go is excluded by !vendor/**
  • vendor/github.com/go-openapi/spec/tag.go is excluded by !vendor/**
  • vendor/github.com/go-openapi/spec/validations.go is excluded by !vendor/**
  • vendor/github.com/go-openapi/spec/xml_object.go is excluded by !vendor/**
  • vendor/github.com/go-openapi/strfmt/.cliff.toml is excluded by !vendor/**
  • vendor/github.com/go-openapi/strfmt/.gitignore is excluded by !vendor/**
  • vendor/github.com/go-openapi/strfmt/.golangci.yml is excluded by !vendor/**
  • vendor/github.com/go-openapi/strfmt/CODE_OF_CONDUCT.md is excluded by !vendor/**
  • vendor/github.com/go-openapi/strfmt/CONTRIBUTORS.md is excluded by !vendor/**
  • vendor/github.com/go-openapi/strfmt/README.md is excluded by !vendor/**
  • vendor/github.com/go-openapi/strfmt/SECURITY.md is excluded by !vendor/**
  • vendor/github.com/go-openapi/strfmt/bson.go is excluded by !vendor/**
  • vendor/github.com/go-openapi/strfmt/date.go is excluded by !vendor/**
  • vendor/github.com/go-openapi/strfmt/default.go is excluded by !vendor/**
  • vendor/github.com/go-openapi/strfmt/doc.go is excluded by !vendor/**
  • vendor/github.com/go-openapi/strfmt/duration.go is excluded by !vendor/**
  • vendor/github.com/go-openapi/strfmt/errors.go is excluded by !vendor/**
  • vendor/github.com/go-openapi/strfmt/format.go is excluded by !vendor/**
  • vendor/github.com/go-openapi/strfmt/go.work.sum is excluded by !**/*.sum, !vendor/**
  • vendor/github.com/go-openapi/strfmt/ifaces.go is excluded by !vendor/**
  • vendor/github.com/go-openapi/strfmt/internal/bsonlite/codec.go is excluded by !vendor/**
  • vendor/github.com/go-openapi/strfmt/internal/bsonlite/lite.go is excluded by !vendor/**
  • vendor/github.com/go-openapi/strfmt/mongo.go is excluded by !vendor/**
  • vendor/github.com/go-openapi/strfmt/time.go is excluded by !vendor/**
  • vendor/github.com/go-openapi/strfmt/ulid.go is excluded by !vendor/**
  • vendor/github.com/go-openapi/swag/.gitignore is excluded by !vendor/**
  • vendor/github.com/go-openapi/swag/CODE_OF_CONDUCT.md is excluded by !vendor/**
  • vendor/github.com/go-openapi/swag/CONTRIBUTORS.md is excluded by !vendor/**
  • vendor/github.com/go-openapi/swag/README.md is excluded by !vendor/**
  • vendor/github.com/go-openapi/swag/jsonutils/README.md is excluded by !vendor/**
  • vendor/github.com/go-openapi/swag/mangling/BENCHMARK.md is excluded by !vendor/**
  • vendor/github.com/go-openapi/validate/.gitignore is excluded by !vendor/**
  • vendor/github.com/go-openapi/validate/.golangci.yml is excluded by !vendor/**
  • vendor/github.com/go-openapi/validate/BENCHMARK.md is excluded by !vendor/**
  • vendor/github.com/go-openapi/validate/CODE_OF_CONDUCT.md is excluded by !vendor/**
  • vendor/github.com/go-openapi/validate/CONTRIBUTORS.md is excluded by !vendor/**
  • vendor/github.com/go-openapi/validate/README.md is excluded by !vendor/**
  • vendor/github.com/go-openapi/validate/SECURITY.md is excluded by !vendor/**
  • vendor/github.com/go-openapi/validate/context.go is excluded by !vendor/**
  • vendor/github.com/go-openapi/validate/debug.go is excluded by !vendor/**
  • vendor/github.com/go-openapi/validate/default_validator.go is excluded by !vendor/**
  • vendor/github.com/go-openapi/validate/doc.go is excluded by !vendor/**
  • vendor/github.com/go-openapi/validate/example_validator.go is excluded by !vendor/**
  • vendor/github.com/go-openapi/validate/formats.go is excluded by !vendor/**
  • vendor/github.com/go-openapi/validate/helpers.go is excluded by !vendor/**
  • vendor/github.com/go-openapi/validate/object_validator.go is excluded by !vendor/**
  • vendor/github.com/go-openapi/validate/options.go is excluded by !vendor/**
  • vendor/github.com/go-openapi/validate/pools.go is excluded by !vendor/**
  • vendor/github.com/go-openapi/validate/result.go is excluded by !vendor/**
  • vendor/github.com/go-openapi/validate/rexp.go is excluded by !vendor/**
  • vendor/github.com/go-openapi/validate/schema.go is excluded by !vendor/**
  • vendor/github.com/go-openapi/validate/schema_messages.go is excluded by !vendor/**
  • vendor/github.com/go-openapi/validate/schema_option.go is excluded by !vendor/**
  • vendor/github.com/go-openapi/validate/schema_props.go is excluded by !vendor/**
  • vendor/github.com/go-openapi/validate/slice_validator.go is excluded by !vendor/**
  • vendor/github.com/go-openapi/validate/spec.go is excluded by !vendor/**
  • vendor/github.com/go-openapi/validate/spec_messages.go is excluded by !vendor/**
  • vendor/github.com/go-openapi/validate/type.go is excluded by !vendor/**
  • vendor/github.com/go-openapi/validate/update-fixtures.sh is excluded by !vendor/**
  • vendor/github.com/go-openapi/validate/validator.go is excluded by !vendor/**
  • vendor/github.com/go-openapi/validate/values.go is excluded by !vendor/**
  • vendor/github.com/go-playground/validator/v10/.golangci.yaml is excluded by !vendor/**
  • vendor/github.com/go-playground/validator/v10/README.md is excluded by !vendor/**
  • vendor/github.com/go-playground/validator/v10/baked_in.go is excluded by !vendor/**
  • vendor/github.com/go-playground/validator/v10/cache.go is excluded by !vendor/**
  • vendor/github.com/go-playground/validator/v10/country_codes.go is excluded by !vendor/**
  • vendor/github.com/go-playground/validator/v10/currency_codes.go is excluded by !vendor/**
  • vendor/github.com/go-playground/validator/v10/doc.go is excluded by !vendor/**
  • vendor/github.com/go-playground/validator/v10/regexes.go is excluded by !vendor/**
  • vendor/github.com/go-playground/validator/v10/util.go is excluded by !vendor/**
  • vendor/github.com/go-viper/mapstructure/v2/.editorconfig is excluded by !vendor/**
  • vendor/github.com/go-viper/mapstructure/v2/.envrc is excluded by !vendor/**
  • vendor/github.com/go-viper/mapstructure/v2/.gitignore is excluded by !vendor/**
  • vendor/github.com/go-viper/mapstructure/v2/devenv.lock is excluded by !**/*.lock, !vendor/**
  • vendor/github.com/go-viper/mapstructure/v2/devenv.nix is excluded by !vendor/**
  • vendor/github.com/go-viper/mapstructure/v2/devenv.yaml is excluded by !vendor/**
  • vendor/github.com/go-viper/mapstructure/v2/flake.lock is excluded by !**/*.lock, !vendor/**
  • vendor/github.com/go-viper/mapstructure/v2/flake.nix is excluded by !vendor/**
  • vendor/github.com/go-viper/mapstructure/v2/mapstructure.go is excluded by !vendor/**
  • vendor/github.com/google/certificate-transparency-go/CHANGELOG.md is excluded by !vendor/**
  • vendor/github.com/google/certificate-transparency-go/README.md is excluded by !vendor/**
  • vendor/github.com/google/certificate-transparency-go/client/configpb/multilog.pb.go is excluded by !**/*.pb.go, !vendor/**
  • vendor/github.com/google/certificate-transparency-go/loglist3/logfilter.go is excluded by !vendor/**
  • vendor/github.com/google/certificate-transparency-go/loglist3/loglist3.go is excluded by !vendor/**
  • vendor/github.com/google/certificate-transparency-go/loglist3/logstatus_string.go is excluded by !vendor/**
  • vendor/github.com/google/certificate-transparency-go/types.go is excluded by !vendor/**
  • vendor/github.com/google/go-containerregistry/pkg/authn/keychain.go is excluded by !vendor/**
  • vendor/github.com/google/go-containerregistry/pkg/v1/hash.go is excluded by !vendor/**
📒 Files selected for processing (15)
  • api/v1alpha1/operatorconfig_types.go
  • api/v1alpha1/operatorconfig_types_test.go
  • api/v1alpha1/workspace_types.go
  • api/v1alpha1/zz_generated.deepcopy.go
  • go.mod
  • internal/buildapi/bundle_verify_test.go
  • internal/buildapi/server.go
  • internal/buildapi/workspace.go
  • internal/common/bundleverify/keychain.go
  • internal/common/bundleverify/keychain_test.go
  • internal/common/bundleverify/verify.go
  • internal/common/bundleverify/verify_test.go
  • internal/controller/imagebuild/controller.go
  • internal/controller/workspace/controller.go
  • internal/controller/workspace/controller_test.go
✅ Files skipped from review due to trivial changes (1)
  • api/v1alpha1/zz_generated.deepcopy.go
🚧 Files skipped from review as they are similar to previous changes (11)
  • internal/controller/workspace/controller_test.go
  • internal/buildapi/workspace.go
  • internal/buildapi/bundle_verify_test.go
  • api/v1alpha1/workspace_types.go
  • api/v1alpha1/operatorconfig_types_test.go
  • internal/controller/workspace/controller.go
  • internal/common/bundleverify/verify_test.go
  • internal/buildapi/server.go
  • api/v1alpha1/operatorconfig_types.go
  • internal/controller/imagebuild/controller.go
  • internal/common/bundleverify/verify.go

Comment thread go.mod
github.com/docker/cli v29.0.3+incompatible // indirect
github.com/docker/cli v29.3.0+incompatible // indirect
github.com/docker/distribution v2.8.3+incompatible // indirect
github.com/docker/docker v28.5.2+incompatible // indirect
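Review bot: the github.com/docker/cli line moves the indirect requirement from v29.0.3+incompatible to v29.3.0+incompatible, but nothing here records which direct dependency forces that bump, and github.com/docker/docker on the last line stays at v28.5.2+incompatible. Please name the direct requirement that pulls in the newer docker/cli in the commit message (the output of go mod why -m github.com/docker/cli is enough) and confirm the version was resolved by go mod tidy rather than edited by hand, since the matching vendor/ changes are excluded from this review by the path filters.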

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Query OSV for vulnerabilities on current Docker module version
curl -s https://api.osv.dev/v1/query \
  -H 'Content-Type: application/json' \
  -d '{"package":{"ecosystem":"Go","name":"github.com/docker/docker"},"version":"28.5.2+incompatible"}' | jq

Repository: centos-automotive-suite/automotive-dev-operator

Length of output: 16566


Bump github.com/docker/docker to v29.3.1 or later to patch HIGH and MODERATE severity vulnerabilities.

The current version (v28.5.2) is affected by two advisories:

Both are fixed in v29.3.1. Even if used indirectly, upgrading reduces supply-chain risk.

🧰 Tools
🪛 OSV Scanner (2.3.8)

[HIGH] 59-59: github.com/docker/docker 28.5.2+incompatible: Moby has an Off-by-one error in its plugin privilege validation in github.com/docker/docker

(GO-2026-4883)


[HIGH] 59-59: github.com/docker/docker 28.5.2+incompatible: Moby has AuthZ plugin bypass when provided oversized request bodies in github.com/docker/docker

(GO-2026-4887)


[HIGH] 59-59: github.com/docker/docker 28.5.2+incompatible: Moby has an Off-by-one error in its plugin privilege validation

(GHSA-pxq6-2prw-chj9)


[HIGH] 59-59: github.com/docker/docker 28.5.2+incompatible: Moby has AuthZ plugin bypass when provided oversized request bodies

(GHSA-x744-4wpc-v9h2)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@go.mod` at line 59, The go.mod currently pins github.com/docker/docker to
v28.5.2 which contains security fixes; update the dependency declaration for
github.com/docker/docker to v29.3.1 (or later) in go.mod, then run `go get
github.com/docker/docker@v29.3.1` (or the equivalent tool/command in your
workflow) and `go mod tidy`/`go mod download` to refresh go.sum and vendor
files, rebuild and run tests to ensure compatibility; reference the module name
"github.com/docker/docker" when locating the version entry to change.

Comment thread go.mod Outdated
- and cosign verification
- and allowlist

Signed-off-by: Benny Zlotnik <bzlotnik@redhat.com>
Assisted-by: claude-opus-4.6
@bennyz bennyz force-pushed the private-registry-workspace branch from 60f6cec to 9522816 Compare May 12, 2026 11:20
@bennyz

bennyz commented May 12, 2026

Contributor Author

@ambient-code please review

@bennyz

bennyz commented May 12, 2026

Contributor Author

@coderabbitai review

@coderabbitai

coderabbitai Bot commented May 12, 2026

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@go.mod`:
- Line 208: Update the vulnerable dependency entry in go.mod from
go.opentelemetry.io/otel/sdk v1.42.0 to v1.43.0 and then run go get
go.opentelemetry.io/otel/sdk@v1.43.0 followed by go mod tidy to remove any
transitive references to the old version; additionally inspect host_id.go where
the kenv invocation is used and change the bare "kenv" call to an absolute path
or a safe lookup (ensure the symbol/name host_id.go and any function calling
kenv are updated) so PATH hijacking is avoided before re-running go mod tidy and
tests.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: ffdbfe51-5ef6-4c36-9193-720e079c1d24

📥 Commits

Reviewing files that changed from the base of the PR and between 60f6cec and 9522816.

⛔ Files ignored due to path filters (284)
  • config/crd/bases/automotive.sdv.cloud.redhat.com_operatorconfigs.yaml is excluded by !config/crd/bases/**
  • config/crd/bases/automotive.sdv.cloud.redhat.com_workspaces.yaml is excluded by !config/crd/bases/**
  • go.sum is excluded by !**/*.sum, !**go.sum
  • vendor/github.com/go-openapi/analysis/internal/debug/debug.go is excluded by !vendor/**
  • vendor/github.com/go-openapi/analysis/internal/flatten/normalize/normalize.go is excluded by !vendor/**
  • vendor/github.com/go-openapi/analysis/internal/flatten/operations/operations.go is excluded by !vendor/**
  • vendor/github.com/go-openapi/analysis/internal/flatten/replace/errors.go is excluded by !vendor/**
  • vendor/github.com/go-openapi/analysis/internal/flatten/replace/replace.go is excluded by !vendor/**
  • vendor/github.com/go-openapi/analysis/internal/flatten/schutils/flatten_schema.go is excluded by !vendor/**
  • vendor/github.com/go-openapi/analysis/internal/flatten/sortref/keys.go is excluded by !vendor/**
  • vendor/github.com/go-openapi/analysis/internal/flatten/sortref/sort_ref.go is excluded by !vendor/**
  • vendor/github.com/go-openapi/analysis/mixin.go is excluded by !vendor/**
  • vendor/github.com/go-openapi/analysis/schema.go is excluded by !vendor/**
  • vendor/github.com/go-openapi/errors/.editorconfig is excluded by !vendor/**
  • vendor/github.com/go-openapi/errors/.gitignore is excluded by !vendor/**
  • vendor/github.com/go-openapi/errors/.golangci.yml is excluded by !vendor/**
  • vendor/github.com/go-openapi/errors/CODE_OF_CONDUCT.md is excluded by !vendor/**
  • vendor/github.com/go-openapi/errors/CONTRIBUTORS.md is excluded by !vendor/**
  • vendor/github.com/go-openapi/errors/README.md is excluded by !vendor/**
  • vendor/github.com/go-openapi/errors/SECURITY.md is excluded by !vendor/**
  • vendor/github.com/go-openapi/errors/api.go is excluded by !vendor/**
  • vendor/github.com/go-openapi/errors/auth.go is excluded by !vendor/**
  • vendor/github.com/go-openapi/errors/doc.go is excluded by !vendor/**
  • vendor/github.com/go-openapi/errors/headers.go is excluded by !vendor/**
  • vendor/github.com/go-openapi/errors/middleware.go is excluded by !vendor/**
  • vendor/github.com/go-openapi/errors/parsing.go is excluded by !vendor/**
  • vendor/github.com/go-openapi/errors/schema.go is excluded by !vendor/**
  • vendor/github.com/go-openapi/jsonpointer/.cliff.toml is excluded by !vendor/**
  • vendor/github.com/go-openapi/jsonpointer/.gitignore is excluded by !vendor/**
  • vendor/github.com/go-openapi/jsonpointer/.golangci.yml is excluded by !vendor/**
  • vendor/github.com/go-openapi/jsonpointer/CODE_OF_CONDUCT.md is excluded by !vendor/**
  • vendor/github.com/go-openapi/jsonpointer/CONTRIBUTORS.md is excluded by !vendor/**
  • vendor/github.com/go-openapi/jsonpointer/LICENSE is excluded by !vendor/**
  • vendor/github.com/go-openapi/jsonpointer/NOTICE is excluded by !vendor/**
  • vendor/github.com/go-openapi/jsonpointer/README.md is excluded by !vendor/**
  • vendor/github.com/go-openapi/jsonpointer/SECURITY.md is excluded by !vendor/**
  • vendor/github.com/go-openapi/jsonpointer/errors.go is excluded by !vendor/**
  • vendor/github.com/go-openapi/jsonpointer/pointer.go is excluded by !vendor/**
  • vendor/github.com/go-openapi/jsonreference/.editorconfig is excluded by !vendor/**
  • vendor/github.com/go-openapi/jsonreference/.gitignore is excluded by !vendor/**
  • vendor/github.com/go-openapi/jsonreference/.golangci.yml is excluded by !vendor/**
  • vendor/github.com/go-openapi/jsonreference/CODE_OF_CONDUCT.md is excluded by !vendor/**
  • vendor/github.com/go-openapi/jsonreference/CONTRIBUTORS.md is excluded by !vendor/**
  • vendor/github.com/go-openapi/jsonreference/NOTICE is excluded by !vendor/**
  • vendor/github.com/go-openapi/jsonreference/README.md is excluded by !vendor/**
  • vendor/github.com/go-openapi/jsonreference/SECURITY.md is excluded by !vendor/**
  • vendor/github.com/go-openapi/jsonreference/internal/normalize_url.go is excluded by !vendor/**
  • vendor/github.com/go-openapi/jsonreference/reference.go is excluded by !vendor/**
  • vendor/github.com/go-openapi/loads/.gitignore is excluded by !vendor/**
  • vendor/github.com/go-openapi/loads/.golangci.yml is excluded by !vendor/**
  • vendor/github.com/go-openapi/loads/.travis.yml is excluded by !vendor/**
  • vendor/github.com/go-openapi/loads/CODE_OF_CONDUCT.md is excluded by !vendor/**
  • vendor/github.com/go-openapi/loads/CONTRIBUTORS.md is excluded by !vendor/**
  • vendor/github.com/go-openapi/loads/README.md is excluded by !vendor/**
  • vendor/github.com/go-openapi/loads/SECURITY.md is excluded by !vendor/**
  • vendor/github.com/go-openapi/loads/doc.go is excluded by !vendor/**
  • vendor/github.com/go-openapi/loads/errors.go is excluded by !vendor/**
  • vendor/github.com/go-openapi/loads/loaders.go is excluded by !vendor/**
  • vendor/github.com/go-openapi/loads/options.go is excluded by !vendor/**
  • vendor/github.com/go-openapi/loads/spec.go is excluded by !vendor/**
  • vendor/github.com/go-openapi/runtime/.gitignore is excluded by !vendor/**
  • vendor/github.com/go-openapi/runtime/CODE_OF_CONDUCT.md is excluded by !vendor/**
  • vendor/github.com/go-openapi/runtime/NOTICE is excluded by !vendor/**
  • vendor/github.com/go-openapi/runtime/README.md is excluded by !vendor/**
  • vendor/github.com/go-openapi/runtime/SECURITY.md is excluded by !vendor/**
  • vendor/github.com/go-openapi/runtime/bytestream.go is excluded by !vendor/**
  • vendor/github.com/go-openapi/runtime/client/auth_info.go is excluded by !vendor/**
  • vendor/github.com/go-openapi/runtime/client/keepalive.go is excluded by !vendor/**
  • vendor/github.com/go-openapi/runtime/client/opentelemetry.go is excluded by !vendor/**
  • vendor/github.com/go-openapi/runtime/client/request.go is excluded by !vendor/**
  • vendor/github.com/go-openapi/runtime/client/runtime.go is excluded by !vendor/**
  • vendor/github.com/go-openapi/runtime/client_auth_info.go is excluded by !vendor/**
  • vendor/github.com/go-openapi/runtime/client_operation.go is excluded by !vendor/**
  • vendor/github.com/go-openapi/runtime/client_request.go is excluded by !vendor/**
  • vendor/github.com/go-openapi/runtime/client_response.go is excluded by !vendor/**
  • vendor/github.com/go-openapi/runtime/constants.go is excluded by !vendor/**
  • vendor/github.com/go-openapi/runtime/csv.go is excluded by !vendor/**
  • vendor/github.com/go-openapi/runtime/csv_options.go is excluded by !vendor/**
  • vendor/github.com/go-openapi/runtime/doc.go is excluded by !vendor/**
  • vendor/github.com/go-openapi/runtime/go.work.sum is excluded by !**/*.sum, !vendor/**
  • vendor/github.com/go-openapi/runtime/headers.go is excluded by !vendor/**
  • vendor/github.com/go-openapi/runtime/interfaces.go is excluded by !vendor/**
  • vendor/github.com/go-openapi/runtime/json.go is excluded by !vendor/**
  • vendor/github.com/go-openapi/runtime/middleware/context.go is excluded by !vendor/**
  • vendor/github.com/go-openapi/runtime/middleware/denco/README.md is excluded by !vendor/**
  • vendor/github.com/go-openapi/runtime/middleware/denco/router.go is excluded by !vendor/**
  • vendor/github.com/go-openapi/runtime/middleware/denco/server.go is excluded by !vendor/**
  • vendor/github.com/go-openapi/runtime/middleware/denco/util.go is excluded by !vendor/**
  • vendor/github.com/go-openapi/runtime/middleware/doc.go is excluded by !vendor/**
  • vendor/github.com/go-openapi/runtime/middleware/not_implemented.go is excluded by !vendor/**
  • vendor/github.com/go-openapi/runtime/middleware/operation.go is excluded by !vendor/**
  • vendor/github.com/go-openapi/runtime/middleware/parameter.go is excluded by !vendor/**
  • vendor/github.com/go-openapi/runtime/middleware/rapidoc.go is excluded by !vendor/**
  • vendor/github.com/go-openapi/runtime/middleware/redoc.go is excluded by !vendor/**
  • vendor/github.com/go-openapi/runtime/middleware/request.go is excluded by !vendor/**
  • vendor/github.com/go-openapi/runtime/middleware/router.go is excluded by !vendor/**
  • vendor/github.com/go-openapi/runtime/middleware/spec.go is excluded by !vendor/**
  • vendor/github.com/go-openapi/runtime/middleware/swaggerui.go is excluded by !vendor/**
  • vendor/github.com/go-openapi/runtime/middleware/ui_options.go is excluded by !vendor/**
  • vendor/github.com/go-openapi/runtime/middleware/untyped/api.go is excluded by !vendor/**
  • vendor/github.com/go-openapi/runtime/middleware/validation.go is excluded by !vendor/**
  • vendor/github.com/go-openapi/runtime/request.go is excluded by !vendor/**
  • vendor/github.com/go-openapi/runtime/security/authenticator.go is excluded by !vendor/**
  • vendor/github.com/go-openapi/runtime/security/authorizer.go is excluded by !vendor/**
  • vendor/github.com/go-openapi/runtime/statuses.go is excluded by !vendor/**
  • vendor/github.com/go-openapi/runtime/text.go is excluded by !vendor/**
  • vendor/github.com/go-openapi/runtime/values.go is excluded by !vendor/**
  • vendor/github.com/go-openapi/runtime/xml.go is excluded by !vendor/**
  • vendor/github.com/go-openapi/runtime/yamlpc/yaml.go is excluded by !vendor/**
  • vendor/github.com/go-openapi/spec/.gitignore is excluded by !vendor/**
  • vendor/github.com/go-openapi/spec/.golangci.yml is excluded by !vendor/**
  • vendor/github.com/go-openapi/spec/CODE_OF_CONDUCT.md is excluded by !vendor/**
  • vendor/github.com/go-openapi/spec/CONTRIBUTORS.md is excluded by !vendor/**
  • vendor/github.com/go-openapi/spec/README.md is excluded by !vendor/**
  • vendor/github.com/go-openapi/spec/SECURITY.md is excluded by !vendor/**
  • vendor/github.com/go-openapi/spec/cache.go is excluded by !vendor/**
  • vendor/github.com/go-openapi/spec/contact_info.go is excluded by !vendor/**
  • vendor/github.com/go-openapi/spec/debug.go is excluded by !vendor/**
  • vendor/github.com/go-openapi/spec/doc.go is excluded by !vendor/**
  • vendor/github.com/go-openapi/spec/errors.go is excluded by !vendor/**
  • vendor/github.com/go-openapi/spec/expander.go is excluded by !vendor/**
  • vendor/github.com/go-openapi/spec/header.go is excluded by !vendor/**
  • vendor/github.com/go-openapi/spec/info.go is excluded by !vendor/**
  • vendor/github.com/go-openapi/spec/items.go is excluded by !vendor/**
  • vendor/github.com/go-openapi/spec/license.go is excluded by !vendor/**
  • vendor/github.com/go-openapi/spec/normalizer.go is excluded by !vendor/**
  • vendor/github.com/go-openapi/spec/operation.go is excluded by !vendor/**
  • vendor/github.com/go-openapi/spec/parameter.go is excluded by !vendor/**
  • vendor/github.com/go-openapi/spec/path_item.go is excluded by !vendor/**
  • vendor/github.com/go-openapi/spec/paths.go is excluded by !vendor/**
  • vendor/github.com/go-openapi/spec/properties.go is excluded by !vendor/**
  • vendor/github.com/go-openapi/spec/ref.go is excluded by !vendor/**
  • vendor/github.com/go-openapi/spec/resolver.go is excluded by !vendor/**
  • vendor/github.com/go-openapi/spec/response.go is excluded by !vendor/**
  • vendor/github.com/go-openapi/spec/responses.go is excluded by !vendor/**
  • vendor/github.com/go-openapi/spec/schema.go is excluded by !vendor/**
  • vendor/github.com/go-openapi/spec/schema_loader.go is excluded by !vendor/**
  • vendor/github.com/go-openapi/spec/security_scheme.go is excluded by !vendor/**
  • vendor/github.com/go-openapi/spec/spec.go is excluded by !vendor/**
  • vendor/github.com/go-openapi/spec/swagger.go is excluded by !vendor/**
  • vendor/github.com/go-openapi/spec/tag.go is excluded by !vendor/**
  • vendor/github.com/go-openapi/spec/validations.go is excluded by !vendor/**
  • vendor/github.com/go-openapi/spec/xml_object.go is excluded by !vendor/**
  • vendor/github.com/go-openapi/strfmt/.cliff.toml is excluded by !vendor/**
  • vendor/github.com/go-openapi/strfmt/.gitignore is excluded by !vendor/**
  • vendor/github.com/go-openapi/strfmt/.golangci.yml is excluded by !vendor/**
  • vendor/github.com/go-openapi/strfmt/CODE_OF_CONDUCT.md is excluded by !vendor/**
  • vendor/github.com/go-openapi/strfmt/CONTRIBUTORS.md is excluded by !vendor/**
  • vendor/github.com/go-openapi/strfmt/README.md is excluded by !vendor/**
  • vendor/github.com/go-openapi/strfmt/SECURITY.md is excluded by !vendor/**
  • vendor/github.com/go-openapi/strfmt/bson.go is excluded by !vendor/**
  • vendor/github.com/go-openapi/strfmt/date.go is excluded by !vendor/**
  • vendor/github.com/go-openapi/strfmt/default.go is excluded by !vendor/**
  • vendor/github.com/go-openapi/strfmt/doc.go is excluded by !vendor/**
  • vendor/github.com/go-openapi/strfmt/duration.go is excluded by !vendor/**
  • vendor/github.com/go-openapi/strfmt/errors.go is excluded by !vendor/**
  • vendor/github.com/go-openapi/strfmt/format.go is excluded by !vendor/**
  • vendor/github.com/go-openapi/strfmt/go.work.sum is excluded by !**/*.sum, !vendor/**
  • vendor/github.com/go-openapi/strfmt/ifaces.go is excluded by !vendor/**
  • vendor/github.com/go-openapi/strfmt/internal/bsonlite/codec.go is excluded by !vendor/**
  • vendor/github.com/go-openapi/strfmt/internal/bsonlite/lite.go is excluded by !vendor/**
  • vendor/github.com/go-openapi/strfmt/mongo.go is excluded by !vendor/**
  • vendor/github.com/go-openapi/strfmt/time.go is excluded by !vendor/**
  • vendor/github.com/go-openapi/strfmt/ulid.go is excluded by !vendor/**
  • vendor/github.com/go-openapi/swag/.gitignore is excluded by !vendor/**
  • vendor/github.com/go-openapi/swag/CODE_OF_CONDUCT.md is excluded by !vendor/**
  • vendor/github.com/go-openapi/swag/CONTRIBUTORS.md is excluded by !vendor/**
  • vendor/github.com/go-openapi/swag/README.md is excluded by !vendor/**
  • vendor/github.com/go-openapi/swag/jsonutils/README.md is excluded by !vendor/**
  • vendor/github.com/go-openapi/swag/mangling/BENCHMARK.md is excluded by !vendor/**
  • vendor/github.com/go-openapi/validate/.gitignore is excluded by !vendor/**
  • vendor/github.com/go-openapi/validate/.golangci.yml is excluded by !vendor/**
  • vendor/github.com/go-openapi/validate/BENCHMARK.md is excluded by !vendor/**
  • vendor/github.com/go-openapi/validate/CODE_OF_CONDUCT.md is excluded by !vendor/**
  • vendor/github.com/go-openapi/validate/CONTRIBUTORS.md is excluded by !vendor/**
  • vendor/github.com/go-openapi/validate/README.md is excluded by !vendor/**
  • vendor/github.com/go-openapi/validate/SECURITY.md is excluded by !vendor/**
  • vendor/github.com/go-openapi/validate/context.go is excluded by !vendor/**
  • vendor/github.com/go-openapi/validate/debug.go is excluded by !vendor/**
📒 Files selected for processing (16)
  • api/v1alpha1/operatorconfig_types.go
  • api/v1alpha1/operatorconfig_types_test.go
  • api/v1alpha1/workspace_types.go
  • api/v1alpha1/zz_generated.deepcopy.go
  • docs/workspace-image-security.md
  • go.mod
  • internal/buildapi/bundle_verify_test.go
  • internal/buildapi/server.go
  • internal/buildapi/workspace.go
  • internal/common/bundleverify/keychain.go
  • internal/common/bundleverify/keychain_test.go
  • internal/common/bundleverify/verify.go
  • internal/common/bundleverify/verify_test.go
  • internal/controller/imagebuild/controller.go
  • internal/controller/workspace/controller.go
  • internal/controller/workspace/controller_test.go
✅ Files skipped from review due to trivial changes (5)
  • docs/workspace-image-security.md
  • internal/common/bundleverify/verify_test.go
  • api/v1alpha1/zz_generated.deepcopy.go
  • internal/controller/workspace/controller_test.go
  • internal/common/bundleverify/keychain_test.go
🚧 Files skipped from review as they are similar to previous changes (10)
  • internal/buildapi/workspace.go
  • api/v1alpha1/operatorconfig_types_test.go
  • internal/common/bundleverify/verify.go
  • internal/buildapi/bundle_verify_test.go
  • internal/controller/workspace/controller.go
  • api/v1alpha1/operatorconfig_types.go
  • internal/common/bundleverify/keychain.go
  • api/v1alpha1/workspace_types.go
  • internal/controller/imagebuild/controller.go
  • internal/buildapi/server.go

Comment thread go.mod
go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.42.0 // indirect
go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.42.0
go.opentelemetry.io/otel/metric v1.42.0 // indirect
go.opentelemetry.io/otel/sdk v1.42.0

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Verify advisories and fixed versions for the currently pinned otel/sdk.
set -euo pipefail

echo "Current pinned version:"
rg -n '^\s*go\.opentelemetry\.io/otel/sdk\s+v' go.mod

echo
echo "OSV advisory lookup for v1.42.0:"
curl -s https://api.osv.dev/v1/query \
  -H 'Content-Type: application/json' \
  -d '{"package":{"ecosystem":"Go","name":"go.opentelemetry.io/otel/sdk"},"version":"1.42.0"}' | jq

echo
echo "After bump, confirm go.mod no longer pins vulnerable version:"
rg -n '^\s*go\.opentelemetry\.io/otel/sdk\s+v1\.42\.0\b' go.mod || true

Repository: centos-automotive-suite/automotive-dev-operator

Length of output: 4097


Upgrade go.opentelemetry.io/otel/sdk from v1.42.0 to v1.43.0 due to HIGH-severity PATH hijacking advisory GHSA-hfvc-g4fc-pqhx.

The kenv command in host_id.go uses a bare name instead of an absolute path, enabling PATH hijacking on BSD and Solaris platforms. Bump to v1.43.0 and re-tidy go.mod to ensure the vulnerable version is not retained transitively.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@go.mod` at line 208, Update the vulnerable dependency entry in go.mod from
go.opentelemetry.io/otel/sdk v1.42.0 to v1.43.0 and then run go get
go.opentelemetry.io/otel/sdk@v1.43.0 followed by go mod tidy to remove any
transitive references to the old version; additionally inspect host_id.go where
the kenv invocation is used and change the bare "kenv" call to an absolute path
or a safe lookup (ensure the symbol/name host_id.go and any function calling
kenv are updated) so PATH hijacking is avoided before re-running go mod tidy and
tests.

@bennyz bennyz requested a review from bkhizgiy May 12, 2026 15:12

@ambient-code ambient-code Bot left a comment

Overall this is a well-structured PR — the image allowlist, cosign verification, and private registry pull secret support are cleanly layered. The refactoring of FetchCosignPublicKey into a shared utility and the cosign v2→v3 upgrade with v3 bundle fallback are solid improvements. Tests are thorough.

A few things worth looking at below.

if c == nil || len(c.AllowedImages) == 0 {
return false
}
for _, pattern := range c.AllowedImages {

The nil check for c comes after calling c.GetToolchainImage() on line 484. While GetToolchainImage() happens to handle nil receivers, the ordering is misleading — a reader would expect the nil guard to come first.

Consider reordering:

Suggested change
for _, pattern := range c.AllowedImages {
func (c *WorkspacesConfig) IsImageAllowed(image string) bool {
if c == nil {
return image == DefaultToolchainImage
}
if image == c.GetToolchainImage() {
return true
}
if len(c.AllowedImages) == 0 {
return false
}

}
if wsConfig != nil && !wsConfig.IsImageAllowed(image) {
return nil, fmt.Errorf("image %q is not in the allowed images list", image)
}
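
Review bot: The `wsConfig != nil &&` guard in front of the allowlist check makes this path fail open: when wsConfig is nil the condition short-circuits and the image is accepted without any allowlist decision. The IsImageAllowed hunk shown earlier already tests `c == nil` itself, so consider dropping the guard and letting the method decide for a nil receiver, or returning an explicit error when no workspace config is present.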

The image resolution logic here (lines 232-238) duplicates what buildPod does (lines 284-289). If they drift, the image verified by cosign could differ from the one actually used in the pod.

Consider extracting a shared helper (e.g. resolveWorkspaceImage(ws, wsConfig) string) and calling it from both places, or passing the resolved image into buildPod.
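
The resolve-once pattern suggested in the comment above, as an added Go example that is not code from this PR: the image is resolved in one helper, checked against the allowlist, and the same string is handed to the pod builder. The type and field names, the lower-case function names, the trailing `*` wildcard syntax, the handling of a bare `*`, and the registry names are assumptions made for the example.

```go
package main

import (
	"fmt"
	"strings"
)

// Hypothetical stand-ins for the operator's types; values are constructed.
const defaultToolchainImage = "registry.example.com/toolchain:latest"

type workspacesConfig struct {
	ToolchainImage string
	AllowedImages  []string // exact entry, or prefix entry ending in "*" (assumed syntax)
}

type workspace struct{ Image string } // optional per-workspace image

type podSpec struct{ Image string }

func (c *workspacesConfig) toolchainImage() string {
	if c == nil || c.ToolchainImage == "" {
		return defaultToolchainImage
	}
	return c.ToolchainImage
}

// isImageAllowed puts the nil guard first, always allows the toolchain image,
// and denies everything else when no entry matches (empty list included).
func (c *workspacesConfig) isImageAllowed(image string) bool {
	if c == nil {
		return image == defaultToolchainImage
	}
	if image == c.toolchainImage() {
		return true
	}
	for _, pattern := range c.AllowedImages {
		if strings.HasSuffix(pattern, "*") {
			prefix := strings.TrimSuffix(pattern, "*")
			// A bare "*" is ignored in this example so one entry cannot void the list.
			if prefix != "" && strings.HasPrefix(image, prefix) {
				return true
			}
		} else if image == pattern {
			return true
		}
	}
	return false
}

// resolveWorkspaceImage is the single place that decides which image a workspace runs.
func resolveWorkspaceImage(ws *workspace, cfg *workspacesConfig) string {
	if ws != nil {
		if img := strings.TrimSpace(ws.Image); img != "" {
			return img
		}
	}
	return cfg.toolchainImage()
}

// admitWorkspaceImage resolves once and returns the exact string that signature
// verification and buildPod must both use.
func admitWorkspaceImage(ws *workspace, cfg *workspacesConfig) (string, error) {
	image := resolveWorkspaceImage(ws, cfg)
	if !cfg.isImageAllowed(image) {
		return "", fmt.Errorf("image %q is not in the allowed images list", image)
	}
	return image, nil
}

// buildPod takes the resolved image as a parameter instead of resolving again.
func buildPod(image string) podSpec { return podSpec{Image: image} }

func main() {
	cfg := &workspacesConfig{AllowedImages: []string{"registry.example.com/team/*"}}
	for _, ws := range []*workspace{{Image: "registry.example.com/team/dev:1"}, {Image: "docker.io/other/dev:1"}, nil} {
		image, err := admitWorkspaceImage(ws, cfg)
		fmt.Println(buildPod(image).Image, err)
	}
}
```

Because `buildPod` receives the string returned by `admitWorkspaceImage`, the image that was allowlisted and verified cannot differ from the one placed in the pod spec.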

Comment thread internal/common/bundleverify/verify.go Outdated
if status, verifyErr := verifyWorkspaceImage(c.Request.Context(), k8sClient, namespace, wsConfig, image, wsConfig.GetImagePullSecrets()); verifyErr != nil {
c.JSON(status, gin.H{"error": verifyErr.Error()})
return
}
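
Review bot: `c.JSON(status, gin.H{"error": verifyErr.Error()})` sends the raw verification error string back to the API caller. Errors produced while pulling signatures or fetching keys may include internal details such as registry hosts or secret names, so consider logging verifyErr server-side and returning a short fixed message chosen by status.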

nit: This always passes the global wsConfig.GetImagePullSecrets() for cosign verification. If a future version of the workspace create request accepts per-workspace imagePullSecrets, this would need updating to match the controller's fallback logic (per-workspace first, then global). Fine for now since the API request doesn't expose that field.

Signed-off-by: Benny Zlotnik <bzlotnik@redhat.com>
Assisted-by: claude-sonnet-4.6
@bennyz bennyz force-pushed the private-registry-workspace branch from 9522816 to 618f86d Compare May 13, 2026 05:40
@bennyz bennyz merged commit f0d7380 into centos-automotive-suite:main May 14, 2026
4 checks passed
@bennyz bennyz deleted the private-registry-workspace branch May 14, 2026 17:23