NO-JIRA: chore(deps): weekly dependabot consolidation

[hypershift-jira-solve-ci]

Summary

Weekly consolidation of dependabot dependency updates.

Consolidated PRs

• build(deps): bump github.com/Azure/azure-sdk-for-go/sdk/azcore from 1.21.1 to 1.22.0 in the azure-github-dependencies group across 1 directory #8676: build(deps): bump github.com/Azure/azure-sdk-for-go/sdk/azcore from 1.21.1 to 1.22.0 in the azure-github-dependencies group across 1 directory
• fix(deps): bump urllib3 from 2.6.3 to 2.7.0 in /hypershift-ci-python #8482: fix(deps): bump urllib3 from 2.6.3 to 2.7.0 in /hypershift-ci-python

Commits

1. chore(deps): update root module dependencies
2. chore(deps): update vendored dependencies
3. chore(deps): update API module dependencies
4. chore(deps): update API vendored dependencies

---

Assisted-by: Claude (via Claude Code)

---

Note: This PR was auto-generated by the dependabot-triage periodic CI job. See the full report for token usage, cost breakdown, and detailed output.

Summary by CodeRabbit

• Chores
  • Updated project dependencies to enhance stability, security, and performance.
  • Updated network and system libraries for improved compatibility.
  • Updated cloud SDK to the latest patch release for improved reliability.

[openshift-ci-robot]

@hypershift-jira-solve-ci[bot]: This pull request explicitly references no jira issue.

Details

In response to this:

Summary

Weekly consolidation of dependabot dependency updates.

Consolidated PRs

• build(deps): bump github.com/Azure/azure-sdk-for-go/sdk/azcore from 1.21.1 to 1.22.0 in the azure-github-dependencies group across 1 directory #8676: build(deps): bump github.com/Azure/azure-sdk-for-go/sdk/azcore from 1.21.1 to 1.22.0 in the azure-github-dependencies group across 1 directory
• fix(deps): bump urllib3 from 2.6.3 to 2.7.0 in /hypershift-ci-python #8482: fix(deps): bump urllib3 from 2.6.3 to 2.7.0 in /hypershift-ci-python

Commits

1. chore(deps): update root module dependencies
2. chore(deps): update vendored dependencies
3. chore(deps): update API module dependencies
4. chore(deps): update API vendored dependencies

---

Assisted-by: Claude (via Claude Code)

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[openshift-merge-bot]

Pipeline controller notification
This repo is configured to use the pipeline controller. Second-stage tests will be triggered either automatically or after lgtm label is added, depending on the repository configuration. The pipeline controller will automatically detect which contexts are required and will utilize /test Prow commands to trigger the second stage.

For optional jobs, comment /test ? to see a list of all defined jobs. To trigger manually all jobs from second stage use /pipeline required command.

This repository is configured in: LGTM mode

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: efb27d35-20b2-4028-9b6d-cc5c5d60e513

📥 Commits

Reviewing files that changed from the base of the PR and between a699745 and 586b1e8.

⛔ Files ignored due to path filters (98)

• api/go.sum is excluded by !**/*.sum
• api/vendor/golang.org/x/net/http2/server.go is excluded by !**/vendor/**
• api/vendor/golang.org/x/net/http2/server_common.go is excluded by !**/vendor/**
• api/vendor/golang.org/x/net/http2/server_wrap.go is excluded by !**/vendor/**
• api/vendor/golang.org/x/net/http2/transport.go is excluded by !**/vendor/**
• api/vendor/golang.org/x/net/http2/transport_common.go is excluded by !**/vendor/**
• api/vendor/golang.org/x/net/http2/writesched_common.go is excluded by !**/vendor/**
• api/vendor/golang.org/x/net/http2/writesched_priority_rfc7540.go is excluded by !**/vendor/**
• api/vendor/modules.txt is excluded by !**/vendor/**
• go.sum is excluded by !**/*.sum
• vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/CHANGELOG.md is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/internal/shared/constants.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/runtime/policy_bearer_token.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/net/html/parse.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/net/html/render.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/net/html/token.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/net/http2/server.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/net/http2/server_common.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/net/http2/server_wrap.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/net/http2/transport.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/net/http2/transport_common.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/net/http2/writesched_common.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/net/http2/writesched_priority_rfc7540.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/sys/cpu/cpu.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/sys/cpu/cpu_linux_riscv64.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/sys/cpu/cpu_loong64.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/sys/cpu/cpu_riscv64.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/sys/unix/mkerrors.sh is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/sys/unix/readv_unix.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/sys/unix/syscall_darwin.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/sys/unix/syscall_linux.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/sys/unix/syscall_openbsd.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/sys/unix/zerrors_linux.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/sys/unix/zerrors_linux_386.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/sys/unix/zerrors_linux_amd64.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/sys/unix/zerrors_linux_arm.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/sys/unix/zerrors_linux_arm64.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/sys/unix/zerrors_linux_loong64.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/sys/unix/zerrors_linux_mips.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/sys/unix/zerrors_linux_mips64.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/sys/unix/zerrors_linux_mips64le.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/sys/unix/zerrors_linux_mipsle.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/sys/unix/zerrors_linux_ppc.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/sys/unix/zerrors_linux_ppc64.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/sys/unix/zerrors_linux_ppc64le.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/sys/unix/zerrors_linux_riscv64.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/sys/unix/zerrors_linux_s390x.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/sys/unix/zerrors_linux_sparc64.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/sys/unix/zsyscall_linux.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/sys/unix/zsyscall_openbsd_386.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/sys/unix/zsyscall_openbsd_386.s is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/sys/unix/zsyscall_openbsd_amd64.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/sys/unix/zsyscall_openbsd_amd64.s is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/sys/unix/zsyscall_openbsd_arm.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/sys/unix/zsyscall_openbsd_arm.s is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/sys/unix/zsyscall_openbsd_arm64.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/sys/unix/zsyscall_openbsd_arm64.s is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/sys/unix/zsyscall_openbsd_mips64.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/sys/unix/zsyscall_openbsd_mips64.s is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/sys/unix/zsyscall_openbsd_ppc64.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/sys/unix/zsyscall_openbsd_ppc64.s is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/sys/unix/zsyscall_openbsd_riscv64.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/sys/unix/zsyscall_openbsd_riscv64.s is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/sys/unix/zsysnum_linux_386.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/sys/unix/zsysnum_linux_amd64.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/sys/unix/zsysnum_linux_arm.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/sys/unix/zsysnum_linux_arm64.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/sys/unix/zsysnum_linux_loong64.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/sys/unix/zsysnum_linux_mips.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/sys/unix/zsysnum_linux_mips64.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/sys/unix/zsysnum_linux_mips64le.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/sys/unix/zsysnum_linux_mipsle.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/sys/unix/zsysnum_linux_ppc.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/sys/unix/zsysnum_linux_ppc64.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/sys/unix/zsysnum_linux_ppc64le.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/sys/unix/zsysnum_linux_riscv64.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/sys/unix/zsysnum_linux_s390x.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/sys/unix/zsysnum_linux_sparc64.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/sys/unix/ztypes_linux.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/sys/unix/ztypes_linux_386.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/sys/unix/ztypes_linux_amd64.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/sys/unix/ztypes_linux_arm.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/sys/unix/ztypes_linux_arm64.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/sys/unix/ztypes_linux_loong64.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/sys/unix/ztypes_linux_mips.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/sys/unix/ztypes_linux_mips64.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/sys/unix/ztypes_linux_mips64le.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/sys/unix/ztypes_linux_mipsle.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/sys/unix/ztypes_linux_ppc.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/sys/unix/ztypes_linux_ppc64.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/sys/unix/ztypes_linux_ppc64le.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/sys/unix/ztypes_linux_riscv64.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/sys/unix/ztypes_linux_s390x.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/sys/unix/ztypes_linux_sparc64.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/sys/windows/syscall_windows.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/sys/windows/types_windows.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/sys/windows/zsyscall_windows.go is excluded by !**/vendor/**, !vendor/**
• vendor/modules.txt is excluded by !**/vendor/**, !vendor/**

📒 Files selected for processing (2)

• api/go.mod
• go.mod

✅ Files skipped from review due to trivial changes (1)

• api/go.mod

🚧 Files skipped from review as they are similar to previous changes (1)

• go.mod

---

Walkthrough

This PR updates Go module dependencies: go.mod bumps github.com/Azure/azure-sdk-for-go/sdk/azcore (v1.21.1 → v1.22.0), golang.org/x/net (v0.54.0 → v0.55.0), and golang.org/x/sys (v0.44.0 → v0.45.0). api/go.mod also updates golang.org/x/net to v0.55.0.

Changes

Dependency version bumps

Layer / File(s)	Summary
Bump dependency versions in go.mod and api/go.mod go.mod, api/go.mod	Repository go.mod: github.com/Azure/azure-sdk-for-go/sdk/azcore v1.21.1→v1.22.0, golang.org/x/net v0.54.0→v0.55.0, golang.org/x/sys v0.44.0→v0.45.0 (indirect). api/go.mod: golang.org/x/net v0.54.0→v0.55.0.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Possibly related PRs

• openshift/hypershift#8410: Updates golang.org/x/net module version in api/go.mod and go.mod.
• openshift/hypershift#8395: Modifies go.mod dependency pins including golang.org/x/sys.

Suggested labels

area/dependency, lgtm, verified

Suggested reviewers

• sjenning
• enxebre
• bryan-cox

🚥 Pre-merge checks | ✅ 14 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Single Node Openshift (Sno) Test Compatibility	⚠️ Warning	New Ginkgo tests assume multi-node without SNO protection: autoscaling scales 1→3 nodes, lifecycle tests rolling upgrades, node communication tests tunneling.	Add [Skipped:SingleReplicaTopology] labels or guard with SingleReplicaTopologyMode checks in nodepool_autoscaling, nodepool_lifecycle, and hosted_cluster_node_communication tests.

✅ Passed checks (14 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title clearly describes the main change: a weekly consolidation of dependabot dependency updates across multiple modules (root, vendored, API, and API vendored dependencies).
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names	✅ Passed	This PR only updates Go module dependencies in go.mod and api/go.mod files. No test files or source code with Ginkgo test names were modified, so the check does not apply.
Test Structure And Quality	✅ Passed	PR contains only Go module dependency version updates with no test code changes; custom check for Ginkgo test quality is not applicable.
Microshift Test Compatibility	✅ Passed	No new Ginkgo e2e tests are added in this PR. This is a dependency management PR that only updates Go and Python package versions.
Topology-Aware Scheduling Compatibility	✅ Passed	PR contains only Go module dependency version updates; no deployment manifests, operator code, or scheduling constraints were modified, so the topology-aware scheduling check does not apply.
Ote Binary Stdout Contract	✅ Passed	PR contains only dependency version updates to go.mod/go.sum files with no code changes to stdout-writing process-level code, making the OTE Binary Stdout Contract check inapplicable.
Ipv6 And Disconnected Network Test Compatibility	✅ Passed	This PR only updates Go dependencies in go.mod and api/go.mod files; it adds no new Ginkgo e2e tests, so the IPv6/disconnected network test check does not apply.
No-Weak-Crypto	✅ Passed	PR only updates dependency versions (go.mod); no application code changes. No weak crypto algorithms, custom implementations, or insecure comparisons detected.
Container-Privileges	✅ Passed	PR contains only Go dependency version updates; no container/K8s manifests with privileged configurations found.
No-Sensitive-Data-In-Logs	✅ Passed	PR contains only dependency version updates in go.mod files with no new logging code added; comprehensive search found zero logging statements exposing sensitive data.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 41.43%. Comparing base (f13c62d) to head (586b1e8).
⚠️ Report is 10 commits behind head on main.

Additional details and impacted files

@@           Coverage Diff           @@
##             main    #8684   +/-   ##
=======================================
  Coverage   41.43%   41.43%           
=======================================
  Files         756      756           
  Lines       93647    93647           
=======================================
  Hits        38802    38802           
  Misses      52124    52124           
  Partials     2721     2721           

Flag	Coverage Δ
cmd-support	34.87% <ø> (ø)
cpo-hostedcontrolplane	43.50% <ø> (ø)
cpo-other	42.74% <ø> (ø)
hypershift-operator	51.57% <ø> (ø)
other	31.64% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[devguyio]

/pipeline required

[openshift-merge-bot]

Scheduling tests matching the pipeline_run_if_changed or not excluded by pipeline_skip_if_only_changed parameters:
/test e2e-aks
/test e2e-aws
/test e2e-aws-upgrade-hypershift-operator
/test e2e-azure-self-managed
/test e2e-azure-v2-self-managed
/test e2e-kubevirt-aws-ovn-reduced
/test e2e-v2-aws
/test e2e-v2-gke

[hypershift-jira-solve-ci]

AI Test Failure Analysis

Job: pull-ci-openshift-hypershift-main-e2e-aks | Build: 2063943836148699136 | Cost: $2.6704139999999996 | Failed step: hypershift-azure-run-e2e-self-managed

View full analysis report

---

_{Generated by hypershift-analyze-e2e-failure post-step using Claude claude-opus-4-6}

[cwbotbot]

Test Results

e2e-aws

• Status: ✅ PASS
• Started: 2026-06-08T11:19:03Z
• View Job
• View Job History

e2e-aks

• Status: ❌ FAIL
• Started: 2026-06-11T16:46:19Z
• View Job
• View Job History

[JoelSpeed]

/approve for API

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: hypershift-jira-solve-ci[bot], JoelSpeed
Once this PR has been reviewed and has the lgtm label, please assign enxebre for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS
• api/OWNERS [JoelSpeed]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[bryan-cox]

/retest

[bryan-cox]

/retest

[bryan-cox]

/test e2e-aks

[openshift-ci]

@hypershift-jira-solve-ci[bot]: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/e2e-aks	586b1e8	link	true	/test e2e-aks

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

[hypershift-jira-solve-ci]

I now have all the evidence needed. The failure is clear: this is a CI infrastructure issue, not a code problem. The job failed during release payload import — before any test code ever ran — because specific container images referenced by the OCP 4.20 and 4.21 CI release payloads had been garbage-collected from the registry.

Test Failure Analysis Complete

Job Information

• Prow Job: pull-ci-openshift-hypershift-main-e2e-aks
• Build ID: 2065113366954774528
• Target: e2e-aks
• Failed Steps: 2 (release payload imports: n2minor, n3minor)

Test Failure Analysis

Error

step [release:n3minor] failed: failed to import release 4.20.0-0.ci-2026-06-07-204143 to tag release:n3minor:
  failed to reimport the tag ci-op-pgprzvfk/stable-n3minor:hypershift: unable to import tag
  ci-op-pgprzvfk/stable-n3minor:hypershift with message Internal error occurred:
  [dockerimage.image.openshift.io "quay.io/openshift/ci@sha256:ef1b3047fb..." not found,
   dockerimage.image.openshift.io "quay-proxy.ci.openshift.org/openshift/ci@sha256:ef1b3047fb..." not found]
  on the image stream even after (6) imports: timed out waiting for the condition

step [release:n2minor] failed: failed to import release 4.21.0-0.ci-2026-06-08-003009 to tag release:n2minor:
  failed to reimport the tag ci-op-pgprzvfk/stable-n2minor:agent-installer-ui: unable to import tag
  ci-op-pgprzvfk/stable-n2minor:agent-installer-ui with message Internal error occurred:
  [dockerimage.image.openshift.io "quay.io/openshift/ci@sha256:abea17a3a1..." not found,
   dockerimage.image.openshift.io "quay-proxy.ci.openshift.org/openshift/ci@sha256:abea17a3a1..." not found]
  on the image stream even after (6) imports: timed out waiting for the condition

Summary

The e2e-aks job failed before any test code executed. The failure occurred during CI infrastructure setup when ci-operator attempted to import OCP release payloads for the N-2 and N-3 minor version streams (4.21 and 4.20). Specific container images referenced by these release payloads — hypershift in 4.20.0-0.ci-2026-06-07-204143 and agent-installer-ui in 4.21.0-0.ci-2026-06-08-003009 — had been garbage-collected from the quay.io/openshift/ci and quay-proxy.ci.openshift.org/openshift/ci registries. Despite 6 retry attempts per image, the imports timed out. This is a CI infrastructure / image registry issue entirely unrelated to PR #8684's dependency update changes.

Root Cause

The root cause is stale CI release payload references pointing to garbage-collected container images in the Quay.io registry.

Detailed chain of events:

1. The e2e-aks job configuration requires importing multiple OCP release payloads for cross-version testing: initial (5.0), n1minor (4.22), n2minor (4.21), n3minor (4.20), and n4minor (4.19).

2. At job start (2026-06-11T16:46:22Z), ci-operator resolved the release payloads to the "latest" nightly builds from each stream:

   • n3minor → 4.20.0-0.ci-2026-06-07-204143 (created 4 days earlier on June 7)
   • n2minor → 4.21.0-0.ci-2026-06-08-003009 (created 3 days earlier on June 8)

3. These release payloads contain manifest lists referencing individual component images by digest. Two of those referenced digests had been garbage-collected from the Quay.io CI image mirror:

   • sha256:ef1b3047fb8915cf4bfd3e7a08ed90a1312b8399a152d8acf69767055a2a446d (the hypershift component in 4.20 stream)
   • sha256:abea17a3a199d668f82fba64afa060764126d780008ed9641ddcd5e8fd7c0a67 (the agent-installer-ui component in 4.21 stream)

4. The OpenShift CI registry (quay.io/openshift/ci) has a retention policy for CI images. These nightly CI payload images were 3-4 days old, and some constituent images had already been purged.

5. ci-operator attempted to import each tag 6 times (with retries) across both quay.io/openshift/ci and the quay-proxy.ci.openshift.org/openshift/ci proxy — all attempts failed with "not found."

6. Because the release imports are prerequisites in the step graph, the actual e2e-aks test step was never scheduled. No PR code was compiled, deployed, or tested.

This failure is unrelated to PR #8684 (dependabot consolidation). The same failure would occur for any PR run against this job at the same time, since the release payloads are resolved dynamically and the garbage collection is a registry-side event.

Recommendations

1. Retry the job — This is a transient CI infrastructure issue. Re-triggering the job will cause ci-operator to resolve fresh "latest" release payloads from each stream, which should reference currently-available images. A simple /retest comment on the PR should suffice.

2. No code changes needed — This failure has no connection to the dependency updates in PR NO-JIRA: chore(deps): weekly dependabot consolidation #8684. The job failed before any code from the PR was ever tested.

3. If retries continue to fail — File a CI infrastructure issue against the OpenShift CI team (#forum-ocp-crt or #announce-testplatform on Slack) noting that release payloads for 4.20 and 4.21 CI streams contain references to garbage-collected images. The CI team may need to trigger new nightly payload builds for those streams.

4. For ongoing flakiness — The n2minor/n3minor streams (4.20, 4.21) may have stalled nightly builds. If the "latest" release in a stream hasn't been rebuilt recently, its images are more likely to be garbage-collected. Check https://amd64.ocp.releases.ci.openshift.org for the freshness of these streams.

Evidence

Evidence	Detail
Failure reason	executing_graph:step_failed:importing_release (from ci-operator state report)
Failed step 1	[release:n3minor] — import of release 4.20.0-0.ci-2026-06-07-204143
Missing image 1	quay.io/openshift/ci@sha256:ef1b3047fb... (hypershift component, 4.20 stream)
Failed step 2	[release:n2minor] — import of release 4.21.0-0.ci-2026-06-08-003009
Missing image 2	quay.io/openshift/ci@sha256:abea17a3a1... (agent-installer-ui component, 4.21 stream)
Retry attempts	6 per image (both quay.io and quay-proxy.ci.openshift.org) — all "not found"
Payload age	n3minor: 4 days old (June 7), n2minor: 3 days old (June 8), job ran June 11
Successful imports	initial (5.0), n1minor (4.22), n4minor (4.19) all imported successfully
Test execution	None — the e2e-aks step was never reached; failure was in prerequisite graph
JUnit failures	2 of 26 test cases in junit_operator.xml (both release import steps)
PR relation	None — infrastructure-only failure, no PR code was built/deployed/tested

---