HYPERFLEET-1264 - chore: batch Konflux dependency updates

[ciaranRoche]

What

Consolidates safe, non-breaking Konflux (MintMaker/Renovate) dependency update PRs into a single tested PR.

JIRA: HYPERFLEET-1264

Changes

Build image

• go-toolset: 1.26.2-1779959429 → 1.26.3-1781757851 (patch rebuild, same Go 1.26.x compiler)

PostgreSQL (same major version, security patches)

• postgres: 14.2 → 14.23 across all references:
  • charts/values.yaml (Helm default)
  • Makefile (local make db/setup)
  • pkg/db/db_session/testcontainer.go (integration tests)
  • charts/README.md (regenerated via make helm-docs)

Go dependencies (minor/patch only)

Package	From	To
squirrel	1.1.0	1.5.4
gorilla/handlers	1.4.2	1.5.2
gorilla/mux	1.8.0	1.8.1
lib/pq	1.10.9	1.12.3
gormigrate	2.0.0	2.1.6
validator	10.20.0	10.30.3
oapi-codegen/runtime	1.2.0	1.4.2
gomega	1.27.1	1.42.0
cobra	1.8.1	1.10.2
gorm	1.30.0	1.31.1

Plus transitive dependency updates (golang.org/x/crypto, net, sys, text, time).

Verification

• make verify-all passes (vet + fmt + lint + 1209 unit tests)
• No API or behavioral changes — all updates are backward-compatible

Supersedes Konflux PRs

• chore(deps): update registry.access.redhat.com/ubi9/go-toolset docker tag to v1.26.3-1781757851 #220 (go-toolset bump)
• chore(deps): update docker.io/library/postgres docker tag to v14.23 #221 (postgres 14.23)
• fix(deps): update go module minor/patch updates #222 (Go module minor/patch batch)
• chore(deps): update github.com/lufia/plan9stats digest to c963978 #230 (lufia/plan9stats digest)

PRs NOT included (separate or closed)

PR	Reason
#229	Tekton pipeline digests — separate PR
#231	Renovate bug — downgrades pre-commit-hooks v6.0.0 to v3.4.0
#233	Postgres 18.4 — 4 major version jump, breaks data directories
#234, #235	backoff v6 — major version, API-breaking, cross-repo sentinel conflict
#236	protobuf_extensions v2 — major version, unverified release
#218, #219	genproto digests — Renovate produced malformed go.mod (bare hashes)

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Central YAML (base), Organization UI (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 7db3e842-2d8f-4c27-9104-01dbb85ff8ca

📥 Commits

Reviewing files that changed from the base of the PR and between 3231429 and d66f39a.

⛔ Files ignored due to path filters (1)

• go.sum is excluded by !**/*.sum, !**/go.sum

📒 Files selected for processing (6)

• Dockerfile
• Makefile
• charts/README.md
• charts/values.yaml
• go.mod
• pkg/db/db_session/testcontainer.go

🔗 Linked repositories identified

CodeRabbit considers these linked repositories for cross-repo context during reviews:

• openshift-hyperfleet/architecture (manual)
• openshift-hyperfleet/hyperfleet-api (manual)
• openshift-hyperfleet/hyperfleet-sentinel (manual)
• openshift-hyperfleet/hyperfleet-adapter (manual)
• openshift-hyperfleet/hyperfleet-broker (manual)

✅ Files skipped from review due to trivial changes (1)

• charts/README.md

🚧 Files skipped from review as they are similar to previous changes (5)

• charts/values.yaml
• Dockerfile
• Makefile
• pkg/db/db_session/testcontainer.go
• go.mod

---

📝 Walkthrough

Summary by CodeRabbit

• Chores
  • Updated the Go build toolchain and refreshed the Go module dependencies.
  • Upgraded the default PostgreSQL container image tag used for builds and integration tests.
• Documentation
  • Updated Helm chart values documentation and defaults to use the newer PostgreSQL image tag.

Walkthrough

The Dockerfile builder stage is rebased onto ubi9/go-toolset:1.26.3-1781757851. Multiple direct and indirect Go dependencies in go.mod are upgraded, including gorilla/mux, gorilla/handlers, lib/pq, gorm.io/gorm, golang.org/x/crypto, golang.org/x/net, and others; the go directive is set to 1.25.0. Separately, the PostgreSQL container image tag is bumped from 14.2 to 14.23 uniformly across Makefile, charts/values.yaml, charts/README.md, and the testcontainer initialization in pkg/db/db_session/testcontainer.go.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

---

Supply chain surface — flag for review:

• Dockerfile base image (range_7e0c95027392): New digest 1781757851 is unverified here. Red Hat UBI images should be pinned by SHA256 digest (CWE-494: Download of Code Without Integrity Check). Confirm digest matches the Red Hat registry manifest before merge.

• go.mod (range_b1007b25ba0e, range_bda45eae39b9, range_d9f11ae4fe5d, range_a1bdf46563f6, range_50d833296780): golang.org/x/crypto, golang.org/x/net, and golang.org/x/sys are being bumped — these have had historical CVEs (e.g., CVE-2023-44487 via x/net, CVE-2022-27191 via x/crypto). Verify the new versions are not themselves affected by open CVEs. gorm.io/gorm v1.31.1 and lib/pq bumps touch the DB layer directly — audit changelogs for SQL-injection-adjacent fixes (CWE-89).

• PostgreSQL 14.23 image (range_72d5f8a6faeb, range_43b1b46b9aed, range_e27c1b48a0b7): postgres:14.23 is referenced by mutable tag across Makefile, Helm values, and testcontainer. No digest pin. An image swap at the registry level would go undetected (CWE-494). Pin to digest in production Helm values.

🚥 Pre-merge checks | ✅ 11

✅ Passed checks (11 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title accurately describes the main objective: batching Konflux dependency updates. It is concise, clear, and directly maps to the changeset's primary purpose.
Description check	✅ Passed	The description provides detailed justification for the changes, lists all affected files and versions, explains verification steps, and documents excluded PRs with security rationale. Directly related to the changeset.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Sec-02: Secrets In Log Output	✅ Passed	No secrets found in log statements. testcontainer.go line 91 logs connection strings via redactPassword() which redacts passwords before logging; postgres.WithPassword() is never logged.
No Hardcoded Secrets	✅ Passed	PR contains only version/image tag updates to public registries and public Go dependencies; no new hardcoded secrets, embedded credentials, or sensitive values introduced.
No Weak Cryptography	✅ Passed	No weak cryptographic primitives detected. PR contains only safe dependency/version updates: golang.org/x/crypto v0.52.0 (security-patched SSH fixes), golang-jwt/jwt v5.3.1 (RS256), and PostgreSQL...
No Injection Vectors	✅ Passed	PR contains only version/dependency bumps. Pre-existing SQL fmt.Sprintf in testcontainer.go uses hardcoded table names (trusted input, test code). No new injection vectors (CWE-89, CWE-78, CWE-79,...
No Privileged Containers	✅ Passed	No privileged containers detected. Dockerfile runs as UID 65532 (non-root); Helm/K8s manifests enforce: allowPrivilegeEscalation=false, runAsNonRoot=true, runAsUser=65532, capabilities drop ALL, re...
No Pii Or Sensitive Data In Logs	✅ Passed	PR only updates dependencies (Go, PostgreSQL, build image). Code change in testcontainer.go logs connection string via redactPassword() which strips credentials; masking middleware handles HTTP hea...

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch HYPERFLEET-1264-batch-konflux-deps

✨ Simplify code

• Create PR with simplified code
• Commit simplified code in branch HYPERFLEET-1264-batch-konflux-deps

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[hyperfleet-ci-bot]

Risk Score: 3 — risk/medium

Signal	Detail	Points
PR size	251 lines (>200)	+1
Sensitive paths	none	+0
Test coverage	No _test.go files in diff	+2

_{Computed by hyperfleet-risk-scorer}

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@Dockerfile`:
- Line 3: Both base images in the Dockerfile use mutable tag references which
create supply chain security vulnerabilities. Replace the builder image
reference `registry.access.redhat.com/ubi9/go-toolset:1.26.3-1781757851` on line
3 with its immutable digest format using `@sha256:...` instead of the tag
suffix. Similarly, replace the runtime image reference
`registry.access.redhat.com/ubi9-micro:latest` on line 39 with its immutable
digest format. Obtain the correct sha256 digests from the Red Hat registry for
both images and update the FROM statements accordingly.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Central YAML (base), Organization UI (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: e3794eb3-5b4d-401a-b1fa-4ce9a9850423

📥 Commits

Reviewing files that changed from the base of the PR and between 24ec42b and 3231429.

⛔ Files ignored due to path filters (1)

• go.sum is excluded by !**/*.sum, !**/go.sum

📒 Files selected for processing (6)

• Dockerfile
• Makefile
• charts/README.md
• charts/values.yaml
• go.mod
• pkg/db/db_session/testcontainer.go

🔗 Linked repositories identified

CodeRabbit considers these linked repositories for cross-repo context during reviews:

• openshift-hyperfleet/architecture (manual)
• openshift-hyperfleet/hyperfleet-api (manual)
• openshift-hyperfleet/hyperfleet-sentinel (manual)
• openshift-hyperfleet/hyperfleet-adapter (manual)
• openshift-hyperfleet/hyperfleet-broker (manual)

[rh-amarin]

/lgtm

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: rh-amarin

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS [rh-amarin]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment