Skip to content

Update csi release tools to include updated GO version that addresses CVE-2026-24051#1393

Open
akankshapanse wants to merge 2 commits intokubernetes-csi:release-8.2from
akankshapanse:update-csi-release-tools
Open

Update csi release tools to include updated GO version that addresses CVE-2026-24051#1393
akankshapanse wants to merge 2 commits intokubernetes-csi:release-8.2from
akankshapanse:update-csi-release-tools

Conversation

@akankshapanse
Copy link
Copy Markdown

@akankshapanse akankshapanse commented Mar 13, 2026
edited by xing-yang
Loading

What type of PR is this?

Uncomment only one /kind <> line, hit enter to put that in a new line, and remove leading whitespaces from that line:

/kind api-change
/kind bug
/kind cleanup
/kind design
/kind documentation
/kind failing-test
/kind feature
/kind flake

What this PR does / why we need it:
This PR pulls latest csi release tools to update GO version required to address CVE-2026-24051

Squashed 'release-tools/' changes from 90efb2ca5..119a53c3c
119a53c3c Merge pull request #294 from andyzhangx/patch-10
7c9aa9ba3 fix: upgrade to go1.25.7 to fix GHSA-j3gx-2473-5fp8
1e81e752e Merge pull request #293 from andyzhangx/patch-9
4dc185057 fix: upgrade to go1.25.7 to fix GHSA-5mh9-3jwc-rp59
b60b9a507 Merge pull request #292 from andyzhangx/patch-8
0e4e2ed0d Update Go version from 1.25.5 to 1.25.6 to fix CVE
707a99eca Merge pull request #291 from dfajmon/logcheck
a9d2b0fb3 Bump logcheck to v0.10.0
d6846630b Merge pull request #290 from dfajmon/go-1.25.5
55e527c49 Bump golang to 1.25.5
b12e407cc Merge pull request #289 from nixpanic/k8s-v1.34
bbe5e547e Use Kubernetes v1.34 and Kind v0.30 by default
4e9eb2c9e Merge pull request #288 from gnufied/add-gnufied-for-csi-approver
064e260d9 Add myself as csi approver
c852fa797 Merge pull request #287 from andyzhangx/patch-7
bce16c103 fix: upgrade to go1.24.11 to fix GHSA-5mh9-3jwc-rp59
8d1258cce Merge pull request #286 from kubernetes-csi/dependabot/github_actions/actions/checkout-6
91e35981a Bump actions/checkout from 5 to 6
294138155 Merge pull request #285 from andyzhangx/patch-6
fa8b339e9 fix: upgrade to go1.24.9 to fix CVEs
74502e544 Merge pull request #278 from liangyuanpeng/migrate_k8s_testimages
533443055 Merge pull request #281 from kubernetes-csi/dependabot/github_actions/actions/checkout-5
458ce146f Bump actions/checkout from 4 to 5
5f38a9075 Merge pull request #282 from rhrmo/update-go-1.24.6
579f62421 Update go to 1.24.6
5ec1a52b8 use gcr.io/k8s-staging-test-infra instead of gcr.io/k8s-testimages
74e066a82 Merge pull request #279 from Aishwarya-Hebbar/update-csi-prow-version
6f236be7d Update CSI prow driver version to v1.17.0
0ee55894b Merge pull request #280 from xing-yang/update_go_1.24.4
9af101534 update to go 1.24.4
f5fec3e36 Merge pull request #275 from chrishenzie/emeritus
c5d285db8 Remove chrishenzie from kubernetes-csi-reviewers
0a435bf98 Merge pull request #274 from andyzhangx/patch-5
cd7b4bba3 Bump golang to 1.24.2 to fix GHSA-g9pc-8g42-g6vq
701dc34bc Merge pull request #273 from andyzhangx/patch-4
aeebd30e8 Bump golang to 1.24.0
f277d561f Merge pull request #270 from carlory/update-kind-version
6dcb96a51 update default kind version to v0.25.0

git-subtree-dir: release-tools
git-subtree-split: 119a53c3cce0c04fd422514252ea62c6ff4e3548

Which issue(s) this PR fixes:

Fixes #1375
Also addresses #1383 (comment)

Special notes for your reviewer:

Does this PR introduce a user-facing change?:

Update csi release tools to include updated GO version that addresses CVE-2026-24051

@k8s-ci-robot k8s-ci-robot added release-note Denotes a PR that will be considered when it comes time to generate release notes. kind/bug Categorizes issue or PR as related to a bug. labels Mar 13, 2026
@k8s-ci-robot k8s-ci-robot added the needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. label Mar 13, 2026
@k8s-ci-robot
Copy link
Copy Markdown
Contributor

k8s-ci-robot commented Mar 13, 2026

Hi @akankshapanse. Thanks for your PR.

I'm waiting for a kubernetes-csi member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work.

Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@k8s-ci-robot k8s-ci-robot added size/S Denotes a PR that changes 10-29 lines, ignoring generated files. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. labels Mar 13, 2026
@xing-yang
Copy link
Copy Markdown
Collaborator

xing-yang commented Mar 13, 2026

/ok-to-test

@k8s-ci-robot k8s-ci-robot added ok-to-test Indicates a non-member PR verified by an org member that is safe to test. and removed needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. labels Mar 13, 2026
@xing-yang
Copy link
Copy Markdown
Collaborator

xing-yang commented Mar 13, 2026

Please copy the commit msg from this commit 2a7009b to the PR description area.

@akankshapanse
Copy link
Copy Markdown
Author

akankshapanse commented Mar 16, 2026

Trivy scanner failed pointing some additional CVEs to be fixed in csi-snapshotter. However this PR targets updating Go version in release-tools, following which we need to fix some CVEs https://github.com/kubernetes-csi/external-snapshotter/pull/1383/changes, where we can take up any additional CVE fixes if needed.

@xing-yang xing-yang mentioned this pull request Mar 19, 2026
Open
@akankshapanse akankshapanse force-pushed the update-csi-release-tools branch from bab6832 to e79d813 Compare March 20, 2026 09:39
@xing-yang
Copy link
Copy Markdown
Collaborator

xing-yang commented Mar 20, 2026

/lgtm
/approve

@k8s-ci-robot k8s-ci-robot added lgtm "Looks good to me", indicates that a PR is ready to be merged. approved Indicates a PR has been approved by an approver from all required OWNERS files. and removed lgtm "Looks good to me", indicates that a PR is ready to be merged. labels Mar 20, 2026
@k8s-ci-robot
Copy link
Copy Markdown
Contributor

k8s-ci-robot commented Mar 23, 2026

New changes are detected. LGTM label has been removed.

@k8s-ci-robot
Copy link
Copy Markdown
Contributor

k8s-ci-robot commented Mar 23, 2026

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: akankshapanse, xing-yang

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot added size/M Denotes a PR that changes 30-99 lines, ignoring generated files. size/XXL Denotes a PR that changes 1000+ lines, ignoring generated files. and removed size/S Denotes a PR that changes 10-29 lines, ignoring generated files. size/M Denotes a PR that changes 30-99 lines, ignoring generated files. labels Mar 23, 2026
@akankshapanse
Squashed 'release-tools/' changes from 90efb2ca5..119a53c3c
849b149 
119a53c3c Merge pull request kubernetes-csi#294 from andyzhangx/patch-10
7c9aa9ba3 fix: upgrade to go1.25.7 to fix CVE-2026-25679
1e81e752e Merge pull request kubernetes-csi#293 from andyzhangx/patch-9
4dc185057 fix: upgrade to go1.25.7 to fix CVE-2025-61727
b60b9a507 Merge pull request kubernetes-csi#292 from andyzhangx/patch-8
0e4e2ed0d Update Go version from 1.25.5 to 1.25.6 to fix CVE
707a99eca Merge pull request kubernetes-csi#291 from dfajmon/logcheck
a9d2b0fb3 Bump logcheck to v0.10.0
d6846630b Merge pull request kubernetes-csi#290 from dfajmon/go-1.25.5
55e527c49 Bump golang to 1.25.5
b12e407cc Merge pull request kubernetes-csi#289 from nixpanic/k8s-v1.34
bbe5e547e Use Kubernetes v1.34 and Kind v0.30 by default
4e9eb2c9e Merge pull request kubernetes-csi#288 from gnufied/add-gnufied-for-csi-approver
064e260d9 Add myself as csi approver
c852fa797 Merge pull request kubernetes-csi#287 from andyzhangx/patch-7
bce16c103 fix: upgrade to go1.24.11 to fix CVE-2025-61727
8d1258cce Merge pull request kubernetes-csi#286 from kubernetes-csi/dependabot/github_actions/actions/checkout-6
91e35981a Bump actions/checkout from 5 to 6
294138155 Merge pull request kubernetes-csi#285 from andyzhangx/patch-6
fa8b339e9 fix: upgrade to go1.24.9 to fix CVEs
74502e544 Merge pull request kubernetes-csi#278 from liangyuanpeng/migrate_k8s_testimages
533443055 Merge pull request kubernetes-csi#281 from kubernetes-csi/dependabot/github_actions/actions/checkout-5
458ce146f Bump actions/checkout from 4 to 5
5f38a9075 Merge pull request kubernetes-csi#282 from rhrmo/update-go-1.24.6
579f62421 Update go to 1.24.6
5ec1a52b8 use gcr.io/k8s-staging-test-infra instead of gcr.io/k8s-testimages
74e066a82 Merge pull request kubernetes-csi#279 from Aishwarya-Hebbar/update-csi-prow-version
6f236be7d Update CSI prow driver version to v1.17.0
0ee55894b Merge pull request kubernetes-csi#280 from xing-yang/update_go_1.24.4
9af101534 update to go 1.24.4
f5fec3e36 Merge pull request kubernetes-csi#275 from chrishenzie/emeritus
c5d285db8 Remove chrishenzie from kubernetes-csi-reviewers
0a435bf98 Merge pull request kubernetes-csi#274 from andyzhangx/patch-5
cd7b4bba3 Bump golang to 1.24.2 to fix CVE-2025-22871
701dc34bc Merge pull request kubernetes-csi#273 from andyzhangx/patch-4
aeebd30e8 Bump golang to 1.24.0
f277d561f Merge pull request kubernetes-csi#270 from carlory/update-kind-version
6dcb96a51 update default kind version to v0.25.0

git-subtree-dir: release-tools
git-subtree-split: 119a53c3cce0c04fd422514252ea62c6ff4e3548
@akankshapanse
Update GO version in go.mod to match version used by release-tools, u…
50bbe78 
…pdate go.mod to include remaining CVE fixes
@akankshapanse akankshapanse force-pushed the update-csi-release-tools branch from f819f0a to 50bbe78 Compare March 24, 2026 05:24
@k8s-ci-robot
Copy link
Copy Markdown
Contributor

k8s-ci-robot commented Mar 24, 2026
edited
Loading

@akankshapanse: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name Commit Details Required Rerun command
pull-kubernetes-csi-external-snapshotter-unit 50bbe78 link true /test pull-kubernetes-csi-external-snapshotter-unit

Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

@akankshapanse
Copy link
Copy Markdown
Author

akankshapanse commented Mar 24, 2026

After adding changes to fix GOVersion and CVE fixes to get successful Trivy run, now facing issue in patching csi-release-tools changes from master branch

./release-tools/verify-subtree.sh release-tools
Directory 'release-tools' contains non-upstream changes:

commit 849b14922a33ab9bd16e0b12aa4b49ee953e8beb
Author: Akanksha Panse <akanksha.panse@broadcom.com>
Date:   Thu Mar 12 16:01:35 2026 +0530

    Squashed 'release-tools/' changes from 90efb2ca5..119a53c3c
    
    119a53c3c Merge pull request #294 from andyzhangx/patch-10
    7c9aa9ba3 fix: upgrade to go1.25.7 to fix CVE-2026-25679
    1e81e752e Merge pull request #293 from andyzhangx/patch-9
    4dc185057 fix: upgrade to go1.25.7 to fix CVE-2025-61727
    b60b9a507 Merge pull request #292 from andyzhangx/patch-8
    0e4e2ed0d Update Go version from 1.25.5 to 1.25.6 to fix CVE
    707a99eca Merge pull request #291 from dfajmon/logcheck
    a9d2b0fb3 Bump logcheck to v0.10.0
    d6846630b Merge pull request #290 from dfajmon/go-1.25.5
    55e527c49 Bump golang to 1.25.5
    b12e407cc Merge pull request #289 from nixpanic/k8s-v1.34
    bbe5e547e Use Kubernetes v1.34 and Kind v0.30 by default
    4e9eb2c9e Merge pull request #288 from gnufied/add-gnufied-for-csi-approver
    064e260d9 Add myself as csi approver
    c852fa797 Merge pull request #287 from andyzhangx/patch-7
    bce16c103 fix: upgrade to go1.24.11 to fix CVE-2025-61727
    8d1258cce Merge pull request #286 from kubernetes-csi/dependabot/github_actions/actions/checkout-6
    91e35981a Bump actions/checkout from 5 to 6
    294138155 Merge pull request #285 from andyzhangx/patch-6
    fa8b339e9 fix: upgrade to go1.24.9 to fix CVEs
    74502e544 Merge pull request #278 from liangyuanpeng/migrate_k8s_testimages
    533443055 Merge pull request #281 from kubernetes-csi/dependabot/github_actions/actions/checkout-5
    458ce146f Bump actions/checkout from 4 to 5
    5f38a9075 Merge pull request #282 from rhrmo/update-go-1.24.6
    579f62421 Update go to 1.24.6
    5ec1a52b8 use gcr.io/k8s-staging-test-infra instead of gcr.io/k8s-testimages
    74e066a82 Merge pull request #279 from Aishwarya-Hebbar/update-csi-prow-version
    6f236be7d Update CSI prow driver version to v1.17.0
    0ee55894b Merge pull request #280 from xing-yang/update_go_1.24.4
    9af101534 update to go 1.24.4
    f5fec3e36 Merge pull request #275 from chrishenzie/emeritus
    c5d285db8 Remove chrishenzie from kubernetes-csi-reviewers
    0a435bf98 Merge pull request #274 from andyzhangx/patch-5
    cd7b4bba3 Bump golang to 1.24.2 to fix CVE-2025-22871
    701dc34bc Merge pull request #273 from andyzhangx/patch-4
    aeebd30e8 Bump golang to 1.24.0
    f277d561f Merge pull request #270 from carlory/update-kind-version
    6dcb96a51 update default kind version to v0.25.0
    
    git-subtree-dir: release-tools
    git-subtree-split: 119a53c3cce0c04fd422514252ea62c6ff4e3548
make: *** [release-tools/build.make:286: test-subtree] Error 1

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@carlory carlory Awaiting requested review from carlory

@jingxu97 jingxu97 Awaiting requested review from jingxu97

Assignees

@xing-yang xing-yang

Labels

approved Indicates a PR has been approved by an approver from all required OWNERS files. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. kind/bug Categorizes issue or PR as related to a bug. ok-to-test Indicates a non-member PR verified by an org member that is safe to test. release-note Denotes a PR that will be considered when it comes time to generate release notes. size/XXL Denotes a PR that changes 1000+ lines, ignoring generated files.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@akankshapanse @k8s-ci-robot @xing-yang