Updating Go toolset 1.26 #545

Merged: openshift-merge-bot[bot] merged 2 commits into openshift:master from diakovnec:1.26_go_tool, Jun 4, 2026

@diakovnec diakovnec commented Jun 4, 2026

We have PRs raised by the bot failing, and they require updating the Go toolset to version 1.26. Kube dependencies were bumped to v0.36.1, which pulled in go >= 1.26.0.

After checking, I can see that it was released today: https://catalog.redhat.com/en/software/containers/rhel9/go-toolset/61df08166d9a1b7b2aab2344#overview

Summary by CodeRabbit

  • Chores
    • Updated build tooling base image to latest version for improved compatibility and performance.

coderabbitai Bot commented Jun 4, 2026

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 93ae4c5a-38fd-49ef-8cc8-d6b5cad513bf

📥 Commits

Reviewing files that changed from the base of the PR and between a7ced44 and 369a3ef.

📒 Files selected for processing (3)
  • .tekton/managed-cluster-validating-webhooks-pull-request.yaml
  • .tekton/managed-cluster-validating-webhooks-push.yaml
  • build/Dockerfile

Walkthrough

This PR updates the Go builder base image in the Dockerfile from ubi9/go-toolset version 1.25.9 to version 1.26. The change is isolated to a single line in the BASE_IMAGE argument.

Changes

Go toolset base image update

| Layer / File(s) | Summary |
| --- | --- |
| Base image version bump (build/Dockerfile) | The BASE_IMAGE build argument is updated to a newer ubi9/go-toolset tag, bumping from version 1.25.9-1777043046 to 1.26-1780490420. |

🎯 1 (Trivial) | ⏱️ ~2 minutes

🚥 Pre-merge checks | ✅ 12 | ❌ 3

❌ Failed checks (3 warnings)

| Check name | Status | Explanation | Resolution |
| --- | --- | --- | --- |
| Microshift Test Compatibility | ⚠️ Warning | New Ginkgo e2e tests use APIs unavailable on MicroShift (configv1, quotav1, monitoringv1) without protection mechanisms. | Add [apigroup:...] tags for config.openshift.io, quota.openshift.io, and monitoring.coreos.com APIs, or use [Skipped:MicroShift] labels or runtime MicroShift checks. |
| Topology-Aware Scheduling Compatibility | ⚠️ Warning | PR adds DaemonSet with required affinity for master nodes, breaking on HyperShift where control-plane nodes don't exist in-cluster. | Use preferredDuringSchedulingIgnoredDuringExecution instead of required affinity, or detect External topology and apply topology-aware constraints. |
| Ipv6 And Disconnected Network Test Compatibility | ⚠️ Warning | New e2e test pulls from external registries (quay.io, registry.access.redhat.com), which will fail in disconnected IPv6-only CI environments. | Use cluster-internal image streams, add [Skipped:Disconnected] tag, or detect and skip in disconnected environments. |

✅ Passed checks (12 passed)

| Check name | Status | Explanation |
| --- | --- | --- |
| Title check | ✅ Passed | The title accurately describes the main change: updating the Go toolset base image from version 1.25.9 to 1.26 in the Dockerfile. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Stable And Deterministic Test Names | ✅ Passed | All Ginkgo test names in the PR are static and deterministic. No dynamic content found in test titles (It, Describe, Entry, etc.). Dynamic values are properly confined to test setup code. |
| Test Structure And Quality | ✅ Passed | PR only modifies build/Dockerfile (1 line changed). Repository does not use Ginkgo framework; tests use standard Go testing package. Custom check for Ginkgo test quality is not applicable. |
| Single Node Openshift (Sno) Test Compatibility | ✅ Passed | New Ginkgo e2e tests added are OSDE2E tests (//go:build osde2e), designed for OpenShift Dedicated multi-node clusters, not SNO. SNO compatibility check not applicable. |
| Ote Binary Stdout Contract | ✅ Passed | PR only modifies Dockerfile base image tag; no code changes that could violate OTE Binary Stdout Contract. |
| No-Weak-Crypto | ✅ Passed | PR only updates Go toolset base image version; no weak crypto (MD5, SHA1, DES, RC4, 3DES, Blowfish, ECB), custom implementations, or insecure comparisons found in codebase. |
| Container-Privileges | ✅ Passed | PR only updates Dockerfile Go base image; no privileged configs, hostPID/Network/IPC, SYS_ADMIN caps, root execution, or allowPrivilegeEscalation found. |
| No-Sensitive-Data-In-Logs | ✅ Passed | PR only updates Go toolset base image reference in Dockerfile (public registry URL); no new logging introduced and no sensitive data exposed. |
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |

openshift-ci Bot added the approved label (indicates a PR has been approved by an approver from all required OWNERS files) on Jun 4, 2026

coderabbitai Bot left a comment

Actionable comments posted: 2

🧹 Nitpick comments (1)
build/Dockerfile (1)

1-38: ⚡ Quick win

Add HEALTHCHECK instruction per security guidelines.

The Dockerfile lacks a HEALTHCHECK instruction, which is required by the coding guidelines for container security. A health check enables orchestrators to monitor container health and restart unhealthy instances.

➕ Suggested HEALTHCHECK addition

Add after line 25 (before LABEL):

# Exec form: the probe's exit status is the health result; "|| exit 1" only applies to shell form.
HEALTHCHECK --interval=30s --timeout=3s --start-period=5s --retries=3 \
  CMD ["/usr/local/bin/webhooks", "--health-check"]

Note: Adjust the health check command based on the actual health endpoint provided by your webhook service. If the service exposes an HTTP health endpoint, use:

HEALTHCHECK --interval=30s --timeout=3s --start-period=5s --retries=3 \
  CMD curl -f http://localhost:8080/healthz || exit 1

As per coding guidelines: "HEALTHCHECK defined".

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@build/Dockerfile` around lines 1 - 38, Dockerfile is missing a required
HEALTHCHECK instruction; add a HEALTHCHECK before the LABEL block that probes
the running webhooks process. Implement a healthcheck that matches how the
service exposes health (either invoke the binary at /usr/local/bin/webhooks with
a --health-check flag or curl an HTTP endpoint like
http://localhost:8080/healthz), e.g. use HEALTHCHECK with sensible
--interval/--timeout/--start-period/--retries values and a CMD that returns
non-zero on failure so the orchestrator can detect and restart unhealthy
containers; place it after the ENTRYPOINT/User directives and before the LABELs.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@build/Dockerfile`:
- Line 1: The BASE_IMAGE ARG is pinned to a specific build via the suffix
"-1780490420"; update the ARG BASE_IMAGE value used in the Dockerfile (the ARG
named BASE_IMAGE) to use the floating Red Hat tag ":1.26" instead of the pinned
":1.26-1780490420" so the build follows the guideline to let Red Hat manage
updates.
- Line 1: Update the pipeline and Dockerfile so Tekton uses Go 1.26 and harden
the image: change the pipeline build-args in
.tekton/managed-cluster-validating-webhooks-pull-request.yaml and
.tekton/managed-cluster-validating-webhooks-push.yaml to set BASE_IMAGE to the
Go 1.26 builder (matching the Dockerfile), change ARG BASE_IMAGE in
build/Dockerfile to use the floating Red Hat tag (e.g.,
registry.access.redhat.com/ubi9/go-toolset:1.26) instead of the build-suffix
pin, add a HEALTHCHECK instruction in build/Dockerfile to probe the
service/container health, and replace the broad COPY . . ./ with explicit COPY
lines that only copy the required source and artifact files (avoid copying the
entire build context).

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 57b45ff3-a060-4ee8-8e23-1a9be8cd2cb8

📥 Commits

Reviewing files that changed from the base of the PR and between 93e9294 and a7ced44.

📒 Files selected for processing (1)
  • build/Dockerfile

Comment thread build/Dockerfile Outdated
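
An added example, not part of the PR or the repository: a check for the drift the review describes, where the `build-args` in the `.tekton` pipeline files and the `ARG BASE_IMAGE` default in `build/Dockerfile` name different builder images. The file contents and the short file names are constructed samples, and treating a trailing `-<digits>` as a per-build suffix is an assumption based on the two tags quoted above.

```python
import re

# Constructed samples, not the repository's real files; only the image
# references come from the review text above.
DOCKERFILE = """\
ARG BASE_IMAGE=registry.access.redhat.com/ubi9/go-toolset:1.26-1780490420
FROM ${BASE_IMAGE} AS builder
"""
TEKTON = {
    "pull-request.yaml": """\
    - name: build-args
      value:
        - BASE_IMAGE=registry.access.redhat.com/ubi9/go-toolset:1.25.9-1777043046
""",
    "push.yaml": """\
    - name: build-args
      value:
        - BASE_IMAGE=registry.access.redhat.com/ubi9/go-toolset:1.26-1780490420
""",
}

ARG_RE = re.compile(r"^[ \t]*ARG[ \t]+BASE_IMAGE=(\S+)", re.M)
BUILD_ARG_RE = re.compile(r"^[ \t]*-[ \t]*[\"']?BASE_IMAGE=([^\s\"']+)", re.M)

def pin_kind(ref):
    """Classify an image reference as digest, build-pinned or floating."""
    if "@sha256:" in ref:
        return "digest"
    last = ref.rsplit("/", 1)[-1]
    tag = last.split(":", 1)[1] if ":" in last else "latest"
    # Assumption: a trailing -<digits> is a per-build suffix, as in the tags above.
    return "build-pinned" if re.search(r"-\d+$", tag) else "floating"

def audit(dockerfile, pipelines):
    """List pipeline build-args that override the Dockerfile's ARG default."""
    m = ARG_RE.search(dockerfile)
    if not m:
        return ["Dockerfile: no ARG BASE_IMAGE default found"]
    default = m.group(1)
    findings = []
    for name, text in sorted(pipelines.items()):
        for override in BUILD_ARG_RE.findall(text):
            if override != default:
                findings.append(f"{name}: build-arg {override} overrides {default}")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(DOCKERFILE, TEKTON)) or "no drift")
```

A finding here means the pipeline builds with its own image regardless of the Dockerfile, because a build argument passed at build time replaces the `ARG` default.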

openshift-ci Bot commented Jun 4, 2026

@diakovnec: all tests passed!

@feichashao

/lgtm

openshift-ci Bot added the lgtm label (indicates that a PR is ready to be merged) on Jun 4, 2026

openshift-ci Bot commented Jun 4, 2026

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: diakovnec, feichashao

Needs approval from an approver in each of these files:
  • OWNERS [diakovnec,feichashao]

openshift-merge-bot Bot merged commit 1a78c20 into openshift:master on Jun 4, 2026
9 checks passed