OCPBUGS-80948: update velero replace to track oadp-dev branch

[jparrill]

What this PR does / why we need it

Updates the go.mod replace directive for Velero from a stale pseudo-version on the oadp-1.5 branch to the latest commit on the oadp-dev branch, which is the correct upstream branch for main.

Before:

replace github.com/vmware-tanzu/velero => github.com/openshift/velero v0.10.2-0.20250514165055-8fbcf3a8da11

After:

replace github.com/vmware-tanzu/velero => github.com/openshift/velero v0.10.2-0.20260323170432-5ef912f438f6

This fixes two problems:

• Renovate/MintMaker failures: automated dependency updates resolved to incompatible upstream Velero versions (e.g. v1.2.0) that remove the v2alpha1 APIs the plugin depends on. See chore(deps): update non-k8s-go-dependencies (major) #215 and chore(deps): update non-k8s-go-dependencies (major) #216.
• Missing CVE/bug fixes: the stale oadp-1.5 replace was ~10 months behind, missing CVE and bug fixes available on the oadp-dev branch.

Branch alignment strategy

Each branch of hypershift-oadp-plugin should track the corresponding openshift/velero branch:

• main → oadp-dev (this PR)
• oadp-1.6 → oadp-1.6 (follow-up)
• oadp-1.5 → oadp-1.5 (follow-up)

Which issue(s) this PR fixes

Fixes https://redhat.atlassian.net/browse/OCPBUGS-80948
Fixes #223

Checklist

• Subject and description added to both, commit and PR.
• Relevant issues have been referenced.
• This change includes docs.
• This change includes unit tests.

🤖 Generated with Claude Code via /jira:solve OCPBUGS-80948

[openshift-ci-robot]

@jparrill: This pull request references Jira Issue OCPBUGS-80948, which is invalid:

• expected the bug to target the "4.22.0" version, but no target version was set

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

The bug has been updated to refer to the pull request using the external bug tracker.

Details

In response to this:

What this PR does / why we need it

Updates the go.mod replace directive for Velero from a stale pseudo-version on the oadp-1.5 branch to the latest commit on the oadp-1.6 branch.

Before:

replace github.com/vmware-tanzu/velero => github.com/openshift/velero v0.10.2-0.20250514165055-8fbcf3a8da11

After:

replace github.com/vmware-tanzu/velero => github.com/openshift/velero v0.10.2-0.20260323191807-216dd62a1caf

This fixes two problems:

• Renovate/MintMaker failures: automated dependency updates resolved to incompatible upstream Velero versions (e.g. v1.2.0) that remove the v2alpha1 APIs the plugin depends on. See chore(deps): update non-k8s-go-dependencies (major) #215 and chore(deps): update non-k8s-go-dependencies (major) #216.
• Missing CVE/bug fixes: the stale oadp-1.5 replace was ~10 months behind, missing CVE and bug fixes available on the oadp-1.6 branch.

Which issue(s) this PR fixes

Fixes https://redhat.atlassian.net/browse/OCPBUGS-80948
Fixes #223

Checklist

• Subject and description added to both, commit and PR.
• Relevant issues have been referenced.
• This change includes docs.
• This change includes unit tests.

🤖 Generated with Claude Code via /jira:solve OCPBUGS-80948

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[openshift-ci]

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

[coderabbitai]

Walkthrough

go.mod updated: Go toolchain bumped (1.25.3 → 1.25.7), Velero replace directive updated to a newer openshift/velero pseudo-version, github.com/kubernetes-csi/external-snapshotter/client/v7 indirect entry removed, and google.golang.org/grpc / google.golang.org/genproto indirect versions updated.

Changes

Cohort / File(s)	Summary
Go module go.mod	Updated Go toolchain directive (1.25.3 → 1.25.7); removed github.com/kubernetes-csi/external-snapshotter/client/v7 indirect entry; bumped indirect google.golang.org/grpc and google.golang.org/genproto versions; updated replace github.com/vmware-tanzu/velero to a newer github.com/openshift/velero pseudo-version (updated commit).

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~8 minutes

Assessment against linked issues

Objective	Addressed	Explanation
Update Velero replace directive from stale pseudo-version to track the correct branch [#223]	✅
Ensure velero/pkg/apis/velero/v2alpha1 exists in the updated Velero commit [#223]	❓	No verification in the diff that the updated pseudo-version contains the v2alpha1 API package or that imports compile against it.

Out-of-scope changes

Code Change	Explanation
gRPC and genproto indirect version updates (go.mod)	Indirect dependency bumps are not part of issue #223; likely collateral from go mod tidy.
Removal of github.com/kubernetes-csi/external-snapshotter/client/v7 indirect entry (go.mod)	Not requested by #223; unrelated to updating the Velero replace directive.
Go toolchain version bump from 1.25.3 to 1.25.7 (go.mod)	Toolchain directive change is outside the stated objective in #223 and appears incidental to dependency changes.

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[jparrill]

/retest

[jparrill]

/jira refresh

[openshift-ci-robot]

@jparrill: This pull request references Jira Issue OCPBUGS-80948, which is valid. The bug has been moved to the POST state.

3 validation(s) were run on this bug

• bug is open, matching expected state (open)
• bug target version (4.22.0) matches configured target version for branch (4.22.0)
• bug is in the state New, which is one of the valid states (NEW, ASSIGNED, POST)

Details

In response to this:

/jira refresh

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@go.mod`:
- Around line 80-81: The go.mod currently pins google.golang.org/grpc at v1.77.0
which has a critical CVE; update the module requirement to
google.golang.org/grpc v1.79.3 (or later) in go.mod, then run the Go tooling to
apply the change (e.g., go get google.golang.org/grpc@v1.79.3 and go mod tidy)
and rebuild/run tests to ensure no breakage; verify any uses of grpc
server/interceptor setup (e.g., where grpc.NewServer or grpc.Dial are invoked)
still work with the upgraded version and update import or API usage if the minor
bump requires it.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 960c5621-b9f9-46da-82d0-43d10783c4ff

📥 Commits

Reviewing files that changed from the base of the PR and between 601cc2a and 135c73f.

⛔ Files ignored due to path filters (135)

• go.sum is excluded by !**/*.sum
• vendor/github.com/kubernetes-csi/external-snapshotter/client/v7/LICENSE is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/kubernetes-csi/external-snapshotter/client/v7/apis/volumesnapshot/v1/types.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/kubernetes-csi/external-snapshotter/client/v8/apis/volumegroupsnapshot/v1beta1/doc.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/kubernetes-csi/external-snapshotter/client/v8/apis/volumegroupsnapshot/v1beta1/register.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/kubernetes-csi/external-snapshotter/client/v8/apis/volumegroupsnapshot/v1beta1/types.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/kubernetes-csi/external-snapshotter/client/v8/apis/volumegroupsnapshot/v1beta1/zz_generated.deepcopy.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/vmware-tanzu/velero/internal/credentials/file_store.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/vmware-tanzu/velero/internal/credentials/getter.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/vmware-tanzu/velero/internal/credentials/local.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/vmware-tanzu/velero/internal/credentials/secret_store.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/vmware-tanzu/velero/internal/resourcepolicies/resource_policies.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/vmware-tanzu/velero/internal/resourcepolicies/volume_filter_data.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/vmware-tanzu/velero/internal/resourcepolicies/volume_resources.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/vmware-tanzu/velero/internal/resourcepolicies/volume_resources_validator.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/vmware-tanzu/velero/internal/resourcepolicies/volume_types_conditions.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/vmware-tanzu/velero/pkg/apis/velero/v1/backup_repository_types.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/vmware-tanzu/velero/pkg/apis/velero/v1/backup_types.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/vmware-tanzu/velero/pkg/apis/velero/v1/backupstoragelocation_types.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/vmware-tanzu/velero/pkg/apis/velero/v1/labels_annotations.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/vmware-tanzu/velero/pkg/apis/velero/v1/pod_volume_backup_types.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/vmware-tanzu/velero/pkg/apis/velero/v1/pod_volume_restore_type.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/vmware-tanzu/velero/pkg/apis/velero/v1/restore_types.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/vmware-tanzu/velero/pkg/apis/velero/v1/zz_generated.deepcopy.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/vmware-tanzu/velero/pkg/apis/velero/v2alpha1/data_download_types.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/vmware-tanzu/velero/pkg/apis/velero/v2alpha1/data_upload_types.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/vmware-tanzu/velero/pkg/client/dynamic.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/vmware-tanzu/velero/pkg/client/factory.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/vmware-tanzu/velero/pkg/cmd/server/config/config.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/vmware-tanzu/velero/pkg/constant/constant.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/vmware-tanzu/velero/pkg/kuberesource/kuberesource.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/vmware-tanzu/velero/pkg/label/label.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/vmware-tanzu/velero/pkg/plugin/framework/backup_item_action.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/vmware-tanzu/velero/pkg/plugin/framework/backup_item_action_client.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/vmware-tanzu/velero/pkg/plugin/framework/backup_item_action_server.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/vmware-tanzu/velero/pkg/plugin/framework/backupitemaction/v2/backup_item_action.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/vmware-tanzu/velero/pkg/plugin/framework/backupitemaction/v2/backup_item_action_client.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/vmware-tanzu/velero/pkg/plugin/framework/backupitemaction/v2/backup_item_action_server.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/vmware-tanzu/velero/pkg/plugin/framework/common/plugin_config.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/vmware-tanzu/velero/pkg/plugin/framework/delete_item_action.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/vmware-tanzu/velero/pkg/plugin/framework/delete_item_action_client.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/vmware-tanzu/velero/pkg/plugin/framework/delete_item_action_server.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/vmware-tanzu/velero/pkg/plugin/framework/itemblockaction/v1/item_block_action.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/vmware-tanzu/velero/pkg/plugin/framework/itemblockaction/v1/item_block_action_client.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/vmware-tanzu/velero/pkg/plugin/framework/itemblockaction/v1/item_block_action_server.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/vmware-tanzu/velero/pkg/plugin/framework/object_store.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/vmware-tanzu/velero/pkg/plugin/framework/object_store_client.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/vmware-tanzu/velero/pkg/plugin/framework/object_store_server.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/vmware-tanzu/velero/pkg/plugin/framework/plugin_lister.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/vmware-tanzu/velero/pkg/plugin/framework/restore_item_action.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/vmware-tanzu/velero/pkg/plugin/framework/restore_item_action_client.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/vmware-tanzu/velero/pkg/plugin/framework/restore_item_action_server.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/vmware-tanzu/velero/pkg/plugin/framework/restoreitemaction/v2/restore_item_action.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/vmware-tanzu/velero/pkg/plugin/framework/restoreitemaction/v2/restore_item_action_client.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/vmware-tanzu/velero/pkg/plugin/framework/restoreitemaction/v2/restore_item_action_server.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/vmware-tanzu/velero/pkg/plugin/framework/volume_snapshotter.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/vmware-tanzu/velero/pkg/plugin/framework/volume_snapshotter_client.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/vmware-tanzu/velero/pkg/plugin/framework/volume_snapshotter_server.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/vmware-tanzu/velero/pkg/types/node_agent.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/vmware-tanzu/velero/pkg/types/repo_maintenance.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/vmware-tanzu/velero/pkg/uploader/types.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/vmware-tanzu/velero/pkg/util/collections/includes_excludes.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/vmware-tanzu/velero/pkg/util/kube/event.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/vmware-tanzu/velero/pkg/util/kube/pod.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/vmware-tanzu/velero/pkg/util/kube/predicate.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/vmware-tanzu/velero/pkg/util/kube/priority_class.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/vmware-tanzu/velero/pkg/util/kube/pvc_pv.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/vmware-tanzu/velero/pkg/util/kube/resource_requirements.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/vmware-tanzu/velero/pkg/util/kube/security_context.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/vmware-tanzu/velero/pkg/util/kube/utils.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/vmware-tanzu/velero/pkg/util/wildcard/expand.go is excluded by !vendor/**, !**/vendor/**
• vendor/golang.org/x/net/context/context.go is excluded by !vendor/**, !**/vendor/**
• vendor/google.golang.org/genproto/googleapis/rpc/status/status.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
• vendor/google.golang.org/grpc/CONTRIBUTING.md is excluded by !vendor/**, !**/vendor/**
• vendor/google.golang.org/grpc/MAINTAINERS.md is excluded by !vendor/**, !**/vendor/**
• vendor/google.golang.org/grpc/README.md is excluded by !vendor/**, !**/vendor/**
• vendor/google.golang.org/grpc/balancer/balancer.go is excluded by !vendor/**, !**/vendor/**
• vendor/google.golang.org/grpc/balancer/endpointsharding/endpointsharding.go is excluded by !vendor/**, !**/vendor/**
• vendor/google.golang.org/grpc/balancer/pickfirst/pickfirst.go is excluded by !vendor/**, !**/vendor/**
• vendor/google.golang.org/grpc/balancer/pickfirst/pickfirstleaf/pickfirstleaf.go is excluded by !vendor/**, !**/vendor/**
• vendor/google.golang.org/grpc/balancer/roundrobin/roundrobin.go is excluded by !vendor/**, !**/vendor/**
• vendor/google.golang.org/grpc/balancer_wrapper.go is excluded by !vendor/**, !**/vendor/**
• vendor/google.golang.org/grpc/binarylog/grpc_binarylog_v1/binarylog.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
• vendor/google.golang.org/grpc/clientconn.go is excluded by !vendor/**, !**/vendor/**
• vendor/google.golang.org/grpc/credentials/credentials.go is excluded by !vendor/**, !**/vendor/**
• vendor/google.golang.org/grpc/credentials/insecure/insecure.go is excluded by !vendor/**, !**/vendor/**
• vendor/google.golang.org/grpc/credentials/tls.go is excluded by !vendor/**, !**/vendor/**
• vendor/google.golang.org/grpc/dialoptions.go is excluded by !vendor/**, !**/vendor/**
• vendor/google.golang.org/grpc/encoding/encoding.go is excluded by !vendor/**, !**/vendor/**
• vendor/google.golang.org/grpc/encoding/internal/internal.go is excluded by !vendor/**, !**/vendor/**
• vendor/google.golang.org/grpc/encoding/proto/proto.go is excluded by !vendor/**, !**/vendor/**
• vendor/google.golang.org/grpc/experimental/stats/metricregistry.go is excluded by !vendor/**, !**/vendor/**
• vendor/google.golang.org/grpc/experimental/stats/metrics.go is excluded by !vendor/**, !**/vendor/**
• vendor/google.golang.org/grpc/health/grpc_health_v1/health.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
• vendor/google.golang.org/grpc/health/grpc_health_v1/health_grpc.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
• vendor/google.golang.org/grpc/health/server.go is excluded by !vendor/**, !**/vendor/**
• vendor/google.golang.org/grpc/internal/balancer/gracefulswitch/gracefulswitch.go is excluded by !vendor/**, !**/vendor/**
• vendor/google.golang.org/grpc/internal/buffer/unbounded.go is excluded by !vendor/**, !**/vendor/**
• vendor/google.golang.org/grpc/internal/channelz/trace.go is excluded by !vendor/**, !**/vendor/**
• vendor/google.golang.org/grpc/internal/credentials/credentials.go is excluded by !vendor/**, !**/vendor/**
• vendor/google.golang.org/grpc/internal/envconfig/envconfig.go is excluded by !vendor/**, !**/vendor/**
• vendor/google.golang.org/grpc/internal/envconfig/xds.go is excluded by !vendor/**, !**/vendor/**
• vendor/google.golang.org/grpc/internal/grpcsync/callback_serializer.go is excluded by !vendor/**, !**/vendor/**
• vendor/google.golang.org/grpc/internal/grpcsync/event.go is excluded by !vendor/**, !**/vendor/**
• vendor/google.golang.org/grpc/internal/internal.go is excluded by !vendor/**, !**/vendor/**
• vendor/google.golang.org/grpc/internal/resolver/delegatingresolver/delegatingresolver.go is excluded by !vendor/**, !**/vendor/**
• vendor/google.golang.org/grpc/internal/resolver/dns/dns_resolver.go is excluded by !vendor/**, !**/vendor/**
• vendor/google.golang.org/grpc/internal/stats/metrics_recorder_list.go is excluded by !vendor/**, !**/vendor/**
• vendor/google.golang.org/grpc/internal/stats/stats.go is excluded by !vendor/**, !**/vendor/**
• vendor/google.golang.org/grpc/internal/status/status.go is excluded by !vendor/**, !**/vendor/**
• vendor/google.golang.org/grpc/internal/transport/client_stream.go is excluded by !vendor/**, !**/vendor/**
• vendor/google.golang.org/grpc/internal/transport/controlbuf.go is excluded by !vendor/**, !**/vendor/**
• vendor/google.golang.org/grpc/internal/transport/flowcontrol.go is excluded by !vendor/**, !**/vendor/**
• vendor/google.golang.org/grpc/internal/transport/handler_server.go is excluded by !vendor/**, !**/vendor/**
• vendor/google.golang.org/grpc/internal/transport/http2_client.go is excluded by !vendor/**, !**/vendor/**
• vendor/google.golang.org/grpc/internal/transport/http2_server.go is excluded by !vendor/**, !**/vendor/**
• vendor/google.golang.org/grpc/internal/transport/http_util.go is excluded by !vendor/**, !**/vendor/**
• vendor/google.golang.org/grpc/internal/transport/server_stream.go is excluded by !vendor/**, !**/vendor/**
• vendor/google.golang.org/grpc/internal/transport/transport.go is excluded by !vendor/**, !**/vendor/**
• vendor/google.golang.org/grpc/mem/buffer_pool.go is excluded by !vendor/**, !**/vendor/**
• vendor/google.golang.org/grpc/mem/buffer_slice.go is excluded by !vendor/**, !**/vendor/**
• vendor/google.golang.org/grpc/picker_wrapper.go is excluded by !vendor/**, !**/vendor/**
• vendor/google.golang.org/grpc/preloader.go is excluded by !vendor/**, !**/vendor/**
• vendor/google.golang.org/grpc/reflection/grpc_reflection_v1/reflection.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
• vendor/google.golang.org/grpc/reflection/grpc_reflection_v1/reflection_grpc.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
• vendor/google.golang.org/grpc/reflection/grpc_reflection_v1alpha/reflection.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
• vendor/google.golang.org/grpc/reflection/grpc_reflection_v1alpha/reflection_grpc.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
• vendor/google.golang.org/grpc/resolver/resolver.go is excluded by !vendor/**, !**/vendor/**
• vendor/google.golang.org/grpc/rpc_util.go is excluded by !vendor/**, !**/vendor/**
• vendor/google.golang.org/grpc/server.go is excluded by !vendor/**, !**/vendor/**
• vendor/google.golang.org/grpc/stats/handlers.go is excluded by !vendor/**, !**/vendor/**
• vendor/google.golang.org/grpc/stats/stats.go is excluded by !vendor/**, !**/vendor/**
• vendor/google.golang.org/grpc/stream.go is excluded by !vendor/**, !**/vendor/**
• vendor/google.golang.org/grpc/version.go is excluded by !vendor/**, !**/vendor/**
• vendor/modules.txt is excluded by !vendor/**, !**/vendor/**

📒 Files selected for processing (1)

• go.mod

[coderabbitai]

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Check for grpc vulnerability details and available patches

echo "=== Checking gRPC vulnerability GHSA-p77j-4mvh-x3m3 ==="
gh api graphql -f query='
{
  securityVulnerability(ghsaId: "GHSA-p77j-4mvh-x3m3") {
    advisory {
      summary
      severity
      publishedAt
      withdrawnAt
    }
    vulnerableVersionRange
    firstPatchedVersion {
      identifier
    }
  }
}'

echo -e "\n=== Checking for patched versions ==="
curl -s https://proxy.golang.org/google.golang.org/grpc/@v/list | tail -5

echo -e "\n=== Checking if project uses gRPC server functionality ==="
rg -l "grpc\\.NewServer|grpc\\.Server" --type go

Repository: openshift/hypershift-oadp-plugin

Length of output: 2332

---

🌐 Web query:

GHSA-p77j-4mvh-x3m3 gRPC vulnerability

💡 Result:

GHSA-p77j-4mvh-x3m3 is a critical authorization bypass vulnerability (CVE-2026-33186) in gRPC-Go, the Go implementation of gRPC. It affects versions prior to 1.79.3. Vulnerability details: The gRPC-Go server accepts HTTP/2 requests where the :path pseudo-header omits the mandatory leading slash (e.g., "Service/Method" instead of "/Service/Method"). The server routes these to the correct handler, but authorization interceptors (like google.golang.org/grpc/authz or custom ones using info.FullMethod) see the non-canonical path. This causes "deny" rules for canonical paths (with "/") to fail matching, bypassing authorization if there's a fallback "allow" rule. Impacted servers: Those using path-based authorization interceptors with specific deny rules for canonical paths and a default allow. Exploitation: Attacker sends raw HTTP/2 frames with malformed :path directly to the server (requires network access, ability to craft HTTP/2). Severity: CVSS 3.1: 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N) - Critical. Fix: Upgrade to v1.79.3 or later, released March 17, 2026. The patch rejects requests without leading slash in :path with codes.Unimplemented before reaching interceptors/handlers. Mitigations (if upgrade not immediate): - Add validating unary/stream interceptor to reject if !strings.HasPrefix(info.FullMethod, "/"). - Use reverse proxy/load balancer to normalize :path (add leading slash). - Harden policy: deny all unspecified paths (no fallback allow). Published: March 17-18, 2026. Official advisory confirms patch in 1.79.3.

Citations:

• 1: https://test.osv.dev/vulnerability/GHSA-p77j-4mvh-x3m3
• 2: GHSA-p77j-4mvh-x3m3
• 3: https://www.resolvedsecurity.com/vulnerability-catalog/GHSA-p77j-4mvh-x3m3
• 4: https://advisories.gitlab.com/pkg/golang/google.golang.org/grpc/CVE-2026-33186/
• 5: https://nvd.nist.gov/vuln/detail/CVE-2026-33186
• 6: https://github.com/grpc/grpc-go/tags

---

🌐 Web query:

gRPC v1.77.0 security vulnerability authorization bypass :path

💡 Result:

Yes, there is a critical security vulnerability CVE-2026-33186 in gRPC-Go (google.golang.org/grpc) versions before 1.79.3, including v1.77.0. It is an authorization bypass caused by improper validation of the HTTP/2 :path pseudo-header. The server accepts requests missing the leading slash in :path (e.g., "Service/Method" instead of "/Service/Method"), routes them correctly, but authorization interceptors like grpc/authz fail to match "deny" rules defined for canonical paths, allowing bypass if there's a fallback "allow". Impact: High if using path-based auth with specific deny rules and default allow. CVSS 9.1 (Critical). Exploitable by sending raw HTTP/2 frames with malformed :path. Fix: Upgrade to v1.79.3 or later. The patch rejects non-canonical paths with codes.Unimplemented. Workarounds: Add validating interceptor checking FullMethod starts with '/', use reverse proxy to enforce leading slash, or switch to default-deny policy. No such vulnerability found specifically for gRPC C++ or other implementations at v1.77.0; this affects gRPC-Go.

Citations:

• 1: GHSA-p77j-4mvh-x3m3
• 2: https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMGRPCGRPCGO-15691171
• 3: https://securityonline.info/grpc-go-authorization-bypass-missing-slash-cve-2026-33186/
• 4: https://advisories.gitlab.com/pkg/golang/google.golang.org/grpc/CVE-2026-33186/
• 5: https://newreleases.io/project/github/grpc/grpc-go/release/v1.77.0
• 6: https://github.com/grpc/grpc-go/releases
• 7: https://github.com/grpc/grpc-go/releases/tag/v1.79.3

---

🏁 Script executed:

# Check actual gRPC server usage in project source (not vendor)
find . -name "*.go" -not -path "./vendor/*" -type f -exec grep -l "grpc\\.NewServer\|grpc\\.Serve\|Server{" {} \; 2>/dev/null | head -20

Repository: openshift/hypershift-oadp-plugin

Length of output: 58

---

Critical security vulnerability in google.golang.org/grpc 1.77.0 requires immediate upgrade.

A confirmed critical authorization bypass vulnerability (GHSA-p77j-4mvh-x3m3 / CVE-2026-33186, CVSS 9.1) affects google.golang.org/grpc@1.77.0. The vulnerability allows attackers to bypass authorization interceptors by omitting the leading slash in HTTP/2 :path headers, causing path-based deny rules to fail to match.

Upgrade to google.golang.org/grpc@v1.79.3 or later, released March 17, 2026. The patch validates and rejects requests with malformed :path before reaching authorization interceptors.

🧰 Tools

🪛 OSV Scanner (2.3.5)

[CRITICAL] 81-81: google.golang.org/grpc 1.77.0: gRPC-Go has an authorization bypass via missing leading slash in :path

(GHSA-p77j-4mvh-x3m3)

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@go.mod` around lines 80 - 81, The go.mod currently pins
google.golang.org/grpc at v1.77.0 which has a critical CVE; update the module
requirement to google.golang.org/grpc v1.79.3 (or later) in go.mod, then run the
Go tooling to apply the change (e.g., go get google.golang.org/grpc@v1.79.3 and
go mod tidy) and rebuild/run tests to ensure no breakage; verify any uses of
grpc server/interceptor setup (e.g., where grpc.NewServer or grpc.Dial are
invoked) still work with the upgraded version and update import or API usage if
the minor bump requires it.

[kaovilai]

this lines with oadp-1.6, should main be that? or just the oadp-1.6 branch.

[kaovilai]

/lgtm

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: jparrill, kaovilai

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS [jparrill,kaovilai]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[coderabbitai]

♻️ Duplicate comments (1)

go.mod (1)

80-81: ⚠️ Potential issue | 🔴 Critical

Upgrade google.golang.org/grpc from vulnerable v1.77.0.

Line 81 is still pinned to a version flagged with GHSA-p77j-4mvh-x3m3 (critical authz bypass). Please bump to a patched version (>= v1.79.3) and re-run module resolution (go mod tidy / vendor refresh) to lock a non-vulnerable graph.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@go.mod` around lines 80 - 81, The go.mod currently pins
google.golang.org/grpc to the vulnerable v1.77.0; update the module requirement
for google.golang.org/grpc to a patched release (>= v1.79.3), then run go mod
tidy (and refresh your vendor directory if used) to resolve and lock the updated
dependency graph so the vulnerable version is removed; ensure the updated
version appears in go.sum and any vendor manifests.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Duplicate comments:
In `@go.mod`:
- Around line 80-81: The go.mod currently pins google.golang.org/grpc to the
vulnerable v1.77.0; update the module requirement for google.golang.org/grpc to
a patched release (>= v1.79.3), then run go mod tidy (and refresh your vendor
directory if used) to resolve and lock the updated dependency graph so the
vulnerable version is removed; ensure the updated version appears in go.sum and
any vendor manifests.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: af3a9d9e-7fcf-408d-9a6c-00a93b3be893

📥 Commits

Reviewing files that changed from the base of the PR and between 135c73f and 33a88f1.

⛔ Files ignored due to path filters (136)

• go.sum is excluded by !**/*.sum
• vendor/github.com/kubernetes-csi/external-snapshotter/client/v7/LICENSE is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/kubernetes-csi/external-snapshotter/client/v7/apis/volumesnapshot/v1/types.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/kubernetes-csi/external-snapshotter/client/v8/apis/volumegroupsnapshot/v1beta1/doc.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/kubernetes-csi/external-snapshotter/client/v8/apis/volumegroupsnapshot/v1beta1/register.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/kubernetes-csi/external-snapshotter/client/v8/apis/volumegroupsnapshot/v1beta1/types.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/kubernetes-csi/external-snapshotter/client/v8/apis/volumegroupsnapshot/v1beta1/zz_generated.deepcopy.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/vmware-tanzu/velero/internal/credentials/file_store.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/vmware-tanzu/velero/internal/credentials/getter.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/vmware-tanzu/velero/internal/credentials/local.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/vmware-tanzu/velero/internal/credentials/secret_store.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/vmware-tanzu/velero/internal/resourcepolicies/resource_policies.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/vmware-tanzu/velero/internal/resourcepolicies/volume_filter_data.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/vmware-tanzu/velero/internal/resourcepolicies/volume_resources.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/vmware-tanzu/velero/internal/resourcepolicies/volume_resources_validator.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/vmware-tanzu/velero/internal/resourcepolicies/volume_types_conditions.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/vmware-tanzu/velero/pkg/apis/velero/v1/backup_repository_types.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/vmware-tanzu/velero/pkg/apis/velero/v1/backup_types.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/vmware-tanzu/velero/pkg/apis/velero/v1/backupstoragelocation_types.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/vmware-tanzu/velero/pkg/apis/velero/v1/labels_annotations.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/vmware-tanzu/velero/pkg/apis/velero/v1/pod_volume_backup_types.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/vmware-tanzu/velero/pkg/apis/velero/v1/pod_volume_restore_type.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/vmware-tanzu/velero/pkg/apis/velero/v1/restore_types.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/vmware-tanzu/velero/pkg/apis/velero/v1/zz_generated.deepcopy.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/vmware-tanzu/velero/pkg/apis/velero/v2alpha1/data_download_types.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/vmware-tanzu/velero/pkg/apis/velero/v2alpha1/data_upload_types.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/vmware-tanzu/velero/pkg/client/dynamic.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/vmware-tanzu/velero/pkg/client/factory.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/vmware-tanzu/velero/pkg/cmd/server/config/config.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/vmware-tanzu/velero/pkg/constant/constant.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/vmware-tanzu/velero/pkg/kuberesource/kuberesource.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/vmware-tanzu/velero/pkg/label/label.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/vmware-tanzu/velero/pkg/plugin/framework/backup_item_action.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/vmware-tanzu/velero/pkg/plugin/framework/backup_item_action_client.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/vmware-tanzu/velero/pkg/plugin/framework/backup_item_action_server.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/vmware-tanzu/velero/pkg/plugin/framework/backupitemaction/v2/backup_item_action.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/vmware-tanzu/velero/pkg/plugin/framework/backupitemaction/v2/backup_item_action_client.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/vmware-tanzu/velero/pkg/plugin/framework/backupitemaction/v2/backup_item_action_server.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/vmware-tanzu/velero/pkg/plugin/framework/common/plugin_config.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/vmware-tanzu/velero/pkg/plugin/framework/delete_item_action.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/vmware-tanzu/velero/pkg/plugin/framework/delete_item_action_client.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/vmware-tanzu/velero/pkg/plugin/framework/delete_item_action_server.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/vmware-tanzu/velero/pkg/plugin/framework/itemblockaction/v1/item_block_action.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/vmware-tanzu/velero/pkg/plugin/framework/itemblockaction/v1/item_block_action_client.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/vmware-tanzu/velero/pkg/plugin/framework/itemblockaction/v1/item_block_action_server.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/vmware-tanzu/velero/pkg/plugin/framework/object_store.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/vmware-tanzu/velero/pkg/plugin/framework/object_store_client.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/vmware-tanzu/velero/pkg/plugin/framework/object_store_server.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/vmware-tanzu/velero/pkg/plugin/framework/plugin_lister.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/vmware-tanzu/velero/pkg/plugin/framework/restore_item_action.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/vmware-tanzu/velero/pkg/plugin/framework/restore_item_action_client.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/vmware-tanzu/velero/pkg/plugin/framework/restore_item_action_server.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/vmware-tanzu/velero/pkg/plugin/framework/restoreitemaction/v2/restore_item_action.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/vmware-tanzu/velero/pkg/plugin/framework/restoreitemaction/v2/restore_item_action_client.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/vmware-tanzu/velero/pkg/plugin/framework/restoreitemaction/v2/restore_item_action_server.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/vmware-tanzu/velero/pkg/plugin/framework/volume_snapshotter.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/vmware-tanzu/velero/pkg/plugin/framework/volume_snapshotter_client.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/vmware-tanzu/velero/pkg/plugin/framework/volume_snapshotter_server.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/vmware-tanzu/velero/pkg/types/node_agent.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/vmware-tanzu/velero/pkg/types/repo_maintenance.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/vmware-tanzu/velero/pkg/uploader/types.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/vmware-tanzu/velero/pkg/util/collections/includes_excludes.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/vmware-tanzu/velero/pkg/util/kube/event.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/vmware-tanzu/velero/pkg/util/kube/node.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/vmware-tanzu/velero/pkg/util/kube/pod.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/vmware-tanzu/velero/pkg/util/kube/predicate.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/vmware-tanzu/velero/pkg/util/kube/priority_class.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/vmware-tanzu/velero/pkg/util/kube/pvc_pv.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/vmware-tanzu/velero/pkg/util/kube/resource_requirements.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/vmware-tanzu/velero/pkg/util/kube/security_context.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/vmware-tanzu/velero/pkg/util/kube/utils.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/vmware-tanzu/velero/pkg/util/wildcard/expand.go is excluded by !vendor/**, !**/vendor/**
• vendor/golang.org/x/net/context/context.go is excluded by !vendor/**, !**/vendor/**
• vendor/google.golang.org/genproto/googleapis/rpc/status/status.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
• vendor/google.golang.org/grpc/CONTRIBUTING.md is excluded by !vendor/**, !**/vendor/**
• vendor/google.golang.org/grpc/MAINTAINERS.md is excluded by !vendor/**, !**/vendor/**
• vendor/google.golang.org/grpc/README.md is excluded by !vendor/**, !**/vendor/**
• vendor/google.golang.org/grpc/balancer/balancer.go is excluded by !vendor/**, !**/vendor/**
• vendor/google.golang.org/grpc/balancer/endpointsharding/endpointsharding.go is excluded by !vendor/**, !**/vendor/**
• vendor/google.golang.org/grpc/balancer/pickfirst/pickfirst.go is excluded by !vendor/**, !**/vendor/**
• vendor/google.golang.org/grpc/balancer/pickfirst/pickfirstleaf/pickfirstleaf.go is excluded by !vendor/**, !**/vendor/**
• vendor/google.golang.org/grpc/balancer/roundrobin/roundrobin.go is excluded by !vendor/**, !**/vendor/**
• vendor/google.golang.org/grpc/balancer_wrapper.go is excluded by !vendor/**, !**/vendor/**
• vendor/google.golang.org/grpc/binarylog/grpc_binarylog_v1/binarylog.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
• vendor/google.golang.org/grpc/clientconn.go is excluded by !vendor/**, !**/vendor/**
• vendor/google.golang.org/grpc/credentials/credentials.go is excluded by !vendor/**, !**/vendor/**
• vendor/google.golang.org/grpc/credentials/insecure/insecure.go is excluded by !vendor/**, !**/vendor/**
• vendor/google.golang.org/grpc/credentials/tls.go is excluded by !vendor/**, !**/vendor/**
• vendor/google.golang.org/grpc/dialoptions.go is excluded by !vendor/**, !**/vendor/**
• vendor/google.golang.org/grpc/encoding/encoding.go is excluded by !vendor/**, !**/vendor/**
• vendor/google.golang.org/grpc/encoding/internal/internal.go is excluded by !vendor/**, !**/vendor/**
• vendor/google.golang.org/grpc/encoding/proto/proto.go is excluded by !vendor/**, !**/vendor/**
• vendor/google.golang.org/grpc/experimental/stats/metricregistry.go is excluded by !vendor/**, !**/vendor/**
• vendor/google.golang.org/grpc/experimental/stats/metrics.go is excluded by !vendor/**, !**/vendor/**
• vendor/google.golang.org/grpc/health/grpc_health_v1/health.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
• vendor/google.golang.org/grpc/health/grpc_health_v1/health_grpc.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
• vendor/google.golang.org/grpc/health/server.go is excluded by !vendor/**, !**/vendor/**
• vendor/google.golang.org/grpc/internal/balancer/gracefulswitch/gracefulswitch.go is excluded by !vendor/**, !**/vendor/**
• vendor/google.golang.org/grpc/internal/buffer/unbounded.go is excluded by !vendor/**, !**/vendor/**
• vendor/google.golang.org/grpc/internal/channelz/trace.go is excluded by !vendor/**, !**/vendor/**
• vendor/google.golang.org/grpc/internal/credentials/credentials.go is excluded by !vendor/**, !**/vendor/**
• vendor/google.golang.org/grpc/internal/envconfig/envconfig.go is excluded by !vendor/**, !**/vendor/**
• vendor/google.golang.org/grpc/internal/envconfig/xds.go is excluded by !vendor/**, !**/vendor/**
• vendor/google.golang.org/grpc/internal/grpcsync/callback_serializer.go is excluded by !vendor/**, !**/vendor/**
• vendor/google.golang.org/grpc/internal/grpcsync/event.go is excluded by !vendor/**, !**/vendor/**
• vendor/google.golang.org/grpc/internal/internal.go is excluded by !vendor/**, !**/vendor/**
• vendor/google.golang.org/grpc/internal/resolver/delegatingresolver/delegatingresolver.go is excluded by !vendor/**, !**/vendor/**
• vendor/google.golang.org/grpc/internal/resolver/dns/dns_resolver.go is excluded by !vendor/**, !**/vendor/**
• vendor/google.golang.org/grpc/internal/stats/metrics_recorder_list.go is excluded by !vendor/**, !**/vendor/**
• vendor/google.golang.org/grpc/internal/stats/stats.go is excluded by !vendor/**, !**/vendor/**
• vendor/google.golang.org/grpc/internal/status/status.go is excluded by !vendor/**, !**/vendor/**
• vendor/google.golang.org/grpc/internal/transport/client_stream.go is excluded by !vendor/**, !**/vendor/**
• vendor/google.golang.org/grpc/internal/transport/controlbuf.go is excluded by !vendor/**, !**/vendor/**
• vendor/google.golang.org/grpc/internal/transport/flowcontrol.go is excluded by !vendor/**, !**/vendor/**
• vendor/google.golang.org/grpc/internal/transport/handler_server.go is excluded by !vendor/**, !**/vendor/**
• vendor/google.golang.org/grpc/internal/transport/http2_client.go is excluded by !vendor/**, !**/vendor/**
• vendor/google.golang.org/grpc/internal/transport/http2_server.go is excluded by !vendor/**, !**/vendor/**
• vendor/google.golang.org/grpc/internal/transport/http_util.go is excluded by !vendor/**, !**/vendor/**
• vendor/google.golang.org/grpc/internal/transport/server_stream.go is excluded by !vendor/**, !**/vendor/**
• vendor/google.golang.org/grpc/internal/transport/transport.go is excluded by !vendor/**, !**/vendor/**
• vendor/google.golang.org/grpc/mem/buffer_pool.go is excluded by !vendor/**, !**/vendor/**
• vendor/google.golang.org/grpc/mem/buffer_slice.go is excluded by !vendor/**, !**/vendor/**
• vendor/google.golang.org/grpc/picker_wrapper.go is excluded by !vendor/**, !**/vendor/**
• vendor/google.golang.org/grpc/preloader.go is excluded by !vendor/**, !**/vendor/**
• vendor/google.golang.org/grpc/reflection/grpc_reflection_v1/reflection.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
• vendor/google.golang.org/grpc/reflection/grpc_reflection_v1/reflection_grpc.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
• vendor/google.golang.org/grpc/reflection/grpc_reflection_v1alpha/reflection.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
• vendor/google.golang.org/grpc/reflection/grpc_reflection_v1alpha/reflection_grpc.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
• vendor/google.golang.org/grpc/resolver/resolver.go is excluded by !vendor/**, !**/vendor/**
• vendor/google.golang.org/grpc/rpc_util.go is excluded by !vendor/**, !**/vendor/**
• vendor/google.golang.org/grpc/server.go is excluded by !vendor/**, !**/vendor/**
• vendor/google.golang.org/grpc/stats/handlers.go is excluded by !vendor/**, !**/vendor/**
• vendor/google.golang.org/grpc/stats/stats.go is excluded by !vendor/**, !**/vendor/**
• vendor/google.golang.org/grpc/stream.go is excluded by !vendor/**, !**/vendor/**
• vendor/google.golang.org/grpc/version.go is excluded by !vendor/**, !**/vendor/**
• vendor/modules.txt is excluded by !vendor/**, !**/vendor/**

📒 Files selected for processing (1)

• go.mod

[coderabbitai]

♻️ Duplicate comments (1)

go.mod (1)

79-80: ⚠️ Potential issue | 🔴 Critical

Upgrade google.golang.org/grpc from vulnerable v1.77.0.

Line 80 pins a version affected by GHSA-p77j-4mvh-x3m3 (critical). Please bump to v1.79.3+ and re-tidy modules.

#!/bin/bash
set -euo pipefail

echo "1) Confirm current grpc pin in go.mod"
rg -n '^\s*google\.golang\.org/grpc\s+v' go.mod

echo
echo "2) Query OSV for GHSA-p77j-4mvh-x3m3 affected range"
python - <<'PY'
import json, urllib.request
payload = {
  "query": {
    "package": {"ecosystem": "Go", "name": "google.golang.org/grpc"},
    "id": "GHSA-p77j-4mvh-x3m3"
  }
}
req = urllib.request.Request(
    "https://api.osv.dev/v1/query",
    data=json.dumps(payload).encode(),
    headers={"Content-Type": "application/json"},
)
with urllib.request.urlopen(req, timeout=20) as r:
    data = json.loads(r.read().decode())
print(json.dumps(data, indent=2))
PY

echo
echo "Expected: go.mod shows grpc < v1.79.3 (currently v1.77.0), and OSV response lists affected range covering that version."

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@go.mod` around lines 79 - 80, go.mod currently pins google.golang.org/grpc at
the vulnerable v1.77.0; update the dependency by changing the grpc module
version to v1.79.3 or newer (target >= v1.79.3) for the module
"google.golang.org/grpc" and then run module cleanup (go get
google.golang.org/grpc@v1.79.3-or-newer and go mod tidy) to ensure the new
version is recorded and transitive deps are fixed; afterward run the test/CI to
verify no breakages.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Duplicate comments:
In `@go.mod`:
- Around line 79-80: go.mod currently pins google.golang.org/grpc at the
vulnerable v1.77.0; update the dependency by changing the grpc module version to
v1.79.3 or newer (target >= v1.79.3) for the module "google.golang.org/grpc" and
then run module cleanup (go get google.golang.org/grpc@v1.79.3-or-newer and go
mod tidy) to ensure the new version is recorded and transitive deps are fixed;
afterward run the test/CI to verify no breakages.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: a3e1fedf-9937-4e8b-b642-0b413dd8ed0e

📥 Commits

Reviewing files that changed from the base of the PR and between 33a88f1 and f7d50e5.

⛔ Files ignored due to path filters (134)

• go.sum is excluded by !**/*.sum
• vendor/github.com/kubernetes-csi/external-snapshotter/client/v7/LICENSE is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/kubernetes-csi/external-snapshotter/client/v7/apis/volumesnapshot/v1/types.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/kubernetes-csi/external-snapshotter/client/v8/apis/volumegroupsnapshot/v1beta1/doc.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/kubernetes-csi/external-snapshotter/client/v8/apis/volumegroupsnapshot/v1beta1/register.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/kubernetes-csi/external-snapshotter/client/v8/apis/volumegroupsnapshot/v1beta1/types.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/kubernetes-csi/external-snapshotter/client/v8/apis/volumegroupsnapshot/v1beta1/zz_generated.deepcopy.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/vmware-tanzu/velero/internal/credentials/file_store.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/vmware-tanzu/velero/internal/credentials/getter.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/vmware-tanzu/velero/internal/credentials/local.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/vmware-tanzu/velero/internal/credentials/secret_store.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/vmware-tanzu/velero/internal/resourcepolicies/resource_policies.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/vmware-tanzu/velero/internal/resourcepolicies/volume_filter_data.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/vmware-tanzu/velero/internal/resourcepolicies/volume_resources.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/vmware-tanzu/velero/internal/resourcepolicies/volume_resources_validator.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/vmware-tanzu/velero/internal/resourcepolicies/volume_types_conditions.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/vmware-tanzu/velero/pkg/apis/velero/v1/backup_repository_types.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/vmware-tanzu/velero/pkg/apis/velero/v1/backup_types.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/vmware-tanzu/velero/pkg/apis/velero/v1/backupstoragelocation_types.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/vmware-tanzu/velero/pkg/apis/velero/v1/labels_annotations.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/vmware-tanzu/velero/pkg/apis/velero/v1/pod_volume_backup_types.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/vmware-tanzu/velero/pkg/apis/velero/v1/pod_volume_restore_type.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/vmware-tanzu/velero/pkg/apis/velero/v1/restore_types.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/vmware-tanzu/velero/pkg/apis/velero/v1/zz_generated.deepcopy.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/vmware-tanzu/velero/pkg/apis/velero/v2alpha1/data_download_types.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/vmware-tanzu/velero/pkg/apis/velero/v2alpha1/data_upload_types.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/vmware-tanzu/velero/pkg/client/dynamic.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/vmware-tanzu/velero/pkg/client/factory.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/vmware-tanzu/velero/pkg/cmd/server/config/config.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/vmware-tanzu/velero/pkg/constant/constant.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/vmware-tanzu/velero/pkg/kuberesource/kuberesource.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/vmware-tanzu/velero/pkg/label/label.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/vmware-tanzu/velero/pkg/plugin/framework/backup_item_action.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/vmware-tanzu/velero/pkg/plugin/framework/backup_item_action_client.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/vmware-tanzu/velero/pkg/plugin/framework/backup_item_action_server.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/vmware-tanzu/velero/pkg/plugin/framework/backupitemaction/v2/backup_item_action.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/vmware-tanzu/velero/pkg/plugin/framework/backupitemaction/v2/backup_item_action_client.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/vmware-tanzu/velero/pkg/plugin/framework/backupitemaction/v2/backup_item_action_server.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/vmware-tanzu/velero/pkg/plugin/framework/common/plugin_config.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/vmware-tanzu/velero/pkg/plugin/framework/delete_item_action.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/vmware-tanzu/velero/pkg/plugin/framework/delete_item_action_client.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/vmware-tanzu/velero/pkg/plugin/framework/delete_item_action_server.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/vmware-tanzu/velero/pkg/plugin/framework/itemblockaction/v1/item_block_action.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/vmware-tanzu/velero/pkg/plugin/framework/itemblockaction/v1/item_block_action_client.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/vmware-tanzu/velero/pkg/plugin/framework/itemblockaction/v1/item_block_action_server.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/vmware-tanzu/velero/pkg/plugin/framework/object_store.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/vmware-tanzu/velero/pkg/plugin/framework/object_store_client.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/vmware-tanzu/velero/pkg/plugin/framework/object_store_server.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/vmware-tanzu/velero/pkg/plugin/framework/plugin_lister.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/vmware-tanzu/velero/pkg/plugin/framework/restore_item_action.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/vmware-tanzu/velero/pkg/plugin/framework/restore_item_action_client.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/vmware-tanzu/velero/pkg/plugin/framework/restore_item_action_server.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/vmware-tanzu/velero/pkg/plugin/framework/restoreitemaction/v2/restore_item_action.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/vmware-tanzu/velero/pkg/plugin/framework/restoreitemaction/v2/restore_item_action_client.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/vmware-tanzu/velero/pkg/plugin/framework/restoreitemaction/v2/restore_item_action_server.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/vmware-tanzu/velero/pkg/plugin/framework/volume_snapshotter.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/vmware-tanzu/velero/pkg/plugin/framework/volume_snapshotter_client.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/vmware-tanzu/velero/pkg/plugin/framework/volume_snapshotter_server.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/vmware-tanzu/velero/pkg/types/node_agent.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/vmware-tanzu/velero/pkg/types/repo_maintenance.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/vmware-tanzu/velero/pkg/uploader/types.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/vmware-tanzu/velero/pkg/util/collections/includes_excludes.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/vmware-tanzu/velero/pkg/util/kube/event.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/vmware-tanzu/velero/pkg/util/kube/node.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/vmware-tanzu/velero/pkg/util/kube/pod.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/vmware-tanzu/velero/pkg/util/kube/predicate.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/vmware-tanzu/velero/pkg/util/kube/priority_class.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/vmware-tanzu/velero/pkg/util/kube/pvc_pv.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/vmware-tanzu/velero/pkg/util/kube/resource_requirements.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/vmware-tanzu/velero/pkg/util/kube/security_context.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/vmware-tanzu/velero/pkg/util/kube/utils.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/vmware-tanzu/velero/pkg/util/wildcard/expand.go is excluded by !vendor/**, !**/vendor/**
• vendor/golang.org/x/net/context/context.go is excluded by !vendor/**, !**/vendor/**
• vendor/google.golang.org/grpc/CONTRIBUTING.md is excluded by !vendor/**, !**/vendor/**
• vendor/google.golang.org/grpc/MAINTAINERS.md is excluded by !vendor/**, !**/vendor/**
• vendor/google.golang.org/grpc/README.md is excluded by !vendor/**, !**/vendor/**
• vendor/google.golang.org/grpc/balancer/balancer.go is excluded by !vendor/**, !**/vendor/**
• vendor/google.golang.org/grpc/balancer/endpointsharding/endpointsharding.go is excluded by !vendor/**, !**/vendor/**
• vendor/google.golang.org/grpc/balancer/pickfirst/pickfirst.go is excluded by !vendor/**, !**/vendor/**
• vendor/google.golang.org/grpc/balancer/pickfirst/pickfirstleaf/pickfirstleaf.go is excluded by !vendor/**, !**/vendor/**
• vendor/google.golang.org/grpc/balancer/roundrobin/roundrobin.go is excluded by !vendor/**, !**/vendor/**
• vendor/google.golang.org/grpc/balancer_wrapper.go is excluded by !vendor/**, !**/vendor/**
• vendor/google.golang.org/grpc/binarylog/grpc_binarylog_v1/binarylog.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
• vendor/google.golang.org/grpc/clientconn.go is excluded by !vendor/**, !**/vendor/**
• vendor/google.golang.org/grpc/credentials/credentials.go is excluded by !vendor/**, !**/vendor/**
• vendor/google.golang.org/grpc/credentials/insecure/insecure.go is excluded by !vendor/**, !**/vendor/**
• vendor/google.golang.org/grpc/credentials/tls.go is excluded by !vendor/**, !**/vendor/**
• vendor/google.golang.org/grpc/dialoptions.go is excluded by !vendor/**, !**/vendor/**
• vendor/google.golang.org/grpc/encoding/encoding.go is excluded by !vendor/**, !**/vendor/**
• vendor/google.golang.org/grpc/encoding/internal/internal.go is excluded by !vendor/**, !**/vendor/**
• vendor/google.golang.org/grpc/encoding/proto/proto.go is excluded by !vendor/**, !**/vendor/**
• vendor/google.golang.org/grpc/experimental/stats/metricregistry.go is excluded by !vendor/**, !**/vendor/**
• vendor/google.golang.org/grpc/experimental/stats/metrics.go is excluded by !vendor/**, !**/vendor/**
• vendor/google.golang.org/grpc/health/grpc_health_v1/health.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
• vendor/google.golang.org/grpc/health/grpc_health_v1/health_grpc.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
• vendor/google.golang.org/grpc/health/server.go is excluded by !vendor/**, !**/vendor/**
• vendor/google.golang.org/grpc/internal/balancer/gracefulswitch/gracefulswitch.go is excluded by !vendor/**, !**/vendor/**
• vendor/google.golang.org/grpc/internal/buffer/unbounded.go is excluded by !vendor/**, !**/vendor/**
• vendor/google.golang.org/grpc/internal/channelz/trace.go is excluded by !vendor/**, !**/vendor/**
• vendor/google.golang.org/grpc/internal/credentials/credentials.go is excluded by !vendor/**, !**/vendor/**
• vendor/google.golang.org/grpc/internal/envconfig/envconfig.go is excluded by !vendor/**, !**/vendor/**
• vendor/google.golang.org/grpc/internal/envconfig/xds.go is excluded by !vendor/**, !**/vendor/**
• vendor/google.golang.org/grpc/internal/grpcsync/callback_serializer.go is excluded by !vendor/**, !**/vendor/**
• vendor/google.golang.org/grpc/internal/grpcsync/event.go is excluded by !vendor/**, !**/vendor/**
• vendor/google.golang.org/grpc/internal/internal.go is excluded by !vendor/**, !**/vendor/**
• vendor/google.golang.org/grpc/internal/resolver/delegatingresolver/delegatingresolver.go is excluded by !vendor/**, !**/vendor/**
• vendor/google.golang.org/grpc/internal/resolver/dns/dns_resolver.go is excluded by !vendor/**, !**/vendor/**
• vendor/google.golang.org/grpc/internal/stats/metrics_recorder_list.go is excluded by !vendor/**, !**/vendor/**
• vendor/google.golang.org/grpc/internal/stats/stats.go is excluded by !vendor/**, !**/vendor/**
• vendor/google.golang.org/grpc/internal/status/status.go is excluded by !vendor/**, !**/vendor/**
• vendor/google.golang.org/grpc/internal/transport/client_stream.go is excluded by !vendor/**, !**/vendor/**
• vendor/google.golang.org/grpc/internal/transport/controlbuf.go is excluded by !vendor/**, !**/vendor/**
• vendor/google.golang.org/grpc/internal/transport/flowcontrol.go is excluded by !vendor/**, !**/vendor/**
• vendor/google.golang.org/grpc/internal/transport/handler_server.go is excluded by !vendor/**, !**/vendor/**
• vendor/google.golang.org/grpc/internal/transport/http2_client.go is excluded by !vendor/**, !**/vendor/**
• vendor/google.golang.org/grpc/internal/transport/http2_server.go is excluded by !vendor/**, !**/vendor/**
• vendor/google.golang.org/grpc/internal/transport/http_util.go is excluded by !vendor/**, !**/vendor/**
• vendor/google.golang.org/grpc/internal/transport/server_stream.go is excluded by !vendor/**, !**/vendor/**
• vendor/google.golang.org/grpc/internal/transport/transport.go is excluded by !vendor/**, !**/vendor/**
• vendor/google.golang.org/grpc/mem/buffer_pool.go is excluded by !vendor/**, !**/vendor/**
• vendor/google.golang.org/grpc/mem/buffer_slice.go is excluded by !vendor/**, !**/vendor/**
• vendor/google.golang.org/grpc/picker_wrapper.go is excluded by !vendor/**, !**/vendor/**
• vendor/google.golang.org/grpc/preloader.go is excluded by !vendor/**, !**/vendor/**
• vendor/google.golang.org/grpc/reflection/grpc_reflection_v1/reflection.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
• vendor/google.golang.org/grpc/reflection/grpc_reflection_v1/reflection_grpc.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
• vendor/google.golang.org/grpc/reflection/grpc_reflection_v1alpha/reflection.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
• vendor/google.golang.org/grpc/reflection/grpc_reflection_v1alpha/reflection_grpc.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
• vendor/google.golang.org/grpc/resolver/resolver.go is excluded by !vendor/**, !**/vendor/**
• vendor/google.golang.org/grpc/rpc_util.go is excluded by !vendor/**, !**/vendor/**
• vendor/google.golang.org/grpc/server.go is excluded by !vendor/**, !**/vendor/**
• vendor/google.golang.org/grpc/stats/handlers.go is excluded by !vendor/**, !**/vendor/**
• vendor/google.golang.org/grpc/stats/stats.go is excluded by !vendor/**, !**/vendor/**
• vendor/google.golang.org/grpc/stream.go is excluded by !vendor/**, !**/vendor/**
• vendor/google.golang.org/grpc/version.go is excluded by !vendor/**, !**/vendor/**

📒 Files selected for processing (1)

• go.mod

[openshift-ci]

@jparrill: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

[kaovilai]

/lgtm

[openshift-ci-robot]

@jparrill: Jira Issue OCPBUGS-80948: All pull requests linked via external trackers have merged:

• openshift/hypershift-oadp-plugin#224

Jira Issue OCPBUGS-80948 has been moved to the MODIFIED state.

Details

In response to this:

What this PR does / why we need it

Updates the go.mod replace directive for Velero from a stale pseudo-version on the oadp-1.5 branch to the latest commit on the oadp-dev branch, which is the correct upstream branch for main.

Before:

replace github.com/vmware-tanzu/velero => github.com/openshift/velero v0.10.2-0.20250514165055-8fbcf3a8da11

After:

replace github.com/vmware-tanzu/velero => github.com/openshift/velero v0.10.2-0.20260323170432-5ef912f438f6

This fixes two problems:

• Renovate/MintMaker failures: automated dependency updates resolved to incompatible upstream Velero versions (e.g. v1.2.0) that remove the v2alpha1 APIs the plugin depends on. See chore(deps): update non-k8s-go-dependencies (major) #215 and chore(deps): update non-k8s-go-dependencies (major) #216.
• Missing CVE/bug fixes: the stale oadp-1.5 replace was ~10 months behind, missing CVE and bug fixes available on the oadp-dev branch.

Branch alignment strategy

Each branch of hypershift-oadp-plugin should track the corresponding openshift/velero branch:

• main → oadp-dev (this PR)
• oadp-1.6 → oadp-1.6 (follow-up)
• oadp-1.5 → oadp-1.5 (follow-up)

Which issue(s) this PR fixes

Fixes https://redhat.atlassian.net/browse/OCPBUGS-80948
Fixes #223

Checklist

• Subject and description added to both, commit and PR.
• Relevant issues have been referenced.
• This change includes docs.
• This change includes unit tests.

🤖 Generated with Claude Code via /jira:solve OCPBUGS-80948

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.