updating dependiencies to support k8s 1.36

[acornett21]

No description provided.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Enterprise

Run ID: 43c7ecd4-cb60-4f06-8b70-d2412655a94a

📥 Commits

Reviewing files that changed from the base of the PR and between 1adee00 and 46c94cd.

⛔ Files ignored due to path filters (1)

• go.sum is excluded by !**/*.sum

📒 Files selected for processing (7)

• Dockerfile
• Makefile
• api/v1alpha1/groupversion_info.go
• api/v1alpha1/operatorpipeline_types.go
• api/v1alpha1/zz_generated.deepcopy.go
• config/crd/bases/certification.redhat.com_operatorpipelines.yaml
• go.mod

✅ Files skipped from review due to trivial changes (2)

• Dockerfile
• api/v1alpha1/zz_generated.deepcopy.go

🚧 Files skipped from review as they are similar to previous changes (4)

• config/crd/bases/certification.redhat.com_operatorpipelines.yaml
• api/v1alpha1/operatorpipeline_types.go
• Makefile
• go.mod

---

📝 Walkthrough

Summary by CodeRabbit

• Chores
  • Updated Go toolchain from 1.25.3 to 1.26.3
  • Upgraded core dependencies including Kubernetes API libraries, Operator Framework, Tekton Pipeline, and controller-runtime to newer versions
  • Refreshed build tool versions: kustomize, controller-gen, and golangci-lint

Walkthrough

This PR upgrades the operator certification project to Go 1.26.3 with coordinated updates to controller-tools, key Kubernetes/OpenShift/Tekton libraries, and build tooling, while refactoring scheme registration to use runtime.NewSchemeBuilder() callbacks.

Changes

Go and Operator Framework Upgrades

Layer / File(s)	Summary
Go toolchain and dependency upgrades go.mod	go.mod updated to Go 1.26.3 with bumped direct dependencies (openshift/api, operator-framework/api, tektoncd/pipeline, k8s.io modules, controller-runtime) and refreshed indirect dependency graph.
Build image and development tools Dockerfile, Makefile	Dockerfile bumps Go builder image to 1.26; Makefile pins updated versions for kustomize, controller-gen, and golangci-lint tools.
Scheme registration refactoring api/v1alpha1/groupversion_info.go, api/v1alpha1/operatorpipeline_types.go	groupversion_info.go and operatorpipeline_types.go refactored to use runtime.NewSchemeBuilder() and callback-based scheme registration, removing controller-runtime scheme dependency.
Generated artifacts and deployment metadata api/v1alpha1/zz_generated.deepcopy.go, config/crd/bases/certification.redhat.com_operatorpipelines.yaml	Generated deepcopy imports adjusted, and CRD annotation updated to reflect new controller-gen version.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 inconclusive)

Check name	Status	Explanation	Resolution
Description check	❓ Inconclusive	No pull request description was provided by the author, making it impossible to evaluate whether any description content relates to the changeset.	Add a pull request description explaining the motivation, changes made, and any breaking changes or migration notes for reviewers.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title accurately summarizes the main objective of the changeset: updating dependencies and Go/Kubernetes versions to support Kubernetes 1.36.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@config/manager/kustomization.yaml`:
- Around line 15-16: The kustomization override currently sets newName and
newTag to a personal image (newName and newTag) which replaces the default
controller image; update the kustomization.yaml to stop pointing at a personal
repository by either removing the newName/newTag entries or replacing them with
the official project image and tag used for releases (e.g., the canonical
controller image/tag), so the default deploy artifact remains the project's
supply-chain image instead of a personal namespace.

In `@Dockerfile`:
- Line 5: The Dockerfile uses a mutable base image tag in the FROM instruction
("FROM docker.io/library/golang:1.26 as builder"); replace this with the
corresponding immutable digest form (golang@sha256:<digest>) for the intended
target platform to ensure reproducible builds — obtain the correct sha256 digest
for go 1.26 on your platform (e.g., by pulling the image and inspecting its
repoDigests or checking the official registry manifest) and update the FROM line
to use that digest (you may keep the readable tag alongside the digest for
clarity).

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Enterprise

Run ID: 45f53d80-45e9-4826-b9f5-86910db5f39b

📥 Commits

Reviewing files that changed from the base of the PR and between b588b76 and 1adee00.

⛔ Files ignored due to path filters (1)

• go.sum is excluded by !**/*.sum

📒 Files selected for processing (8)

• Dockerfile
• Makefile
• api/v1alpha1/groupversion_info.go
• api/v1alpha1/operatorpipeline_types.go
• api/v1alpha1/zz_generated.deepcopy.go
• config/crd/bases/certification.redhat.com_operatorpipelines.yaml
• config/manager/kustomization.yaml
• go.mod

[coderabbitai]

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🌐 Web query:

What is the current immutable digest for docker.io/library/golang:1.26, and does Docker recommend digest pinning for reproducible/supply-chain-safe builds?

💡 Result:

As of June 8, 2026, the docker.io/library/golang:1.26 tag is a mutable reference that points to multiple platform-specific images and variants (e.g., bookworm, alpine, windowsservercore) [1]. Because it is a tag rather than a specific version, it does not have a single immutable digest [2]. Instead, it resolves to different digests depending on the host architecture and the specific sub-tag or manifest currently being tracked as 1.26 [2]. For example, the latest minor release in the 1.26 series is Go 1.26.4 (released June 2, 2026) [3][4]. The specific digest for a golang:1.26 image depends on the OS/architecture and the specific build variant you pull [5][6]. To obtain the immutable digest for your specific environment, you can run: docker pull golang:1.26 docker inspect --format='{{index.RepoDigests 0}}' golang:1.26 Docker strongly recommends digest pinning for reproducible and supply-chain-safe builds [7][8][2]. Because tags are mutable—meaning they can be updated or overwritten to point to different image contents—relying on them can lead to non-deterministic builds [7][2]. Using a digest (e.g., golang@sha256:...) ensures that your build always uses the exact same, immutable image content [8][2]. Docker documentation explicitly states that pinning by digest guarantees consistency across development, staging, and production environments and is a standard practice for verifying the integrity of base images [7][2]. Note, however, that pinning prevents automatic security updates; if you pin to a specific digest, you must manually update the digest in your Dockerfile when you wish to move to a newer version of the image [8][9].

Citations:

• 1: https://github.com/docker-library/official-images/blob/master/library/golang
• 2: https://docs.docker.com/dhi/core-concepts/digests/
• 3: https://go.dev/doc/devel/release
• 4: https://groups.google.com/g/golang-announce/c/tKs3rmcBcKw
• 5: https://hub.docker.com/r/library/golang/tags
• 6: https://hub.docker.com/_/golang/tags
• 7: https://docs.docker.com/build/policies/validate-images/
• 8: https://docs.docker.com/reference/cli/docker/image/pull/
• 9: https://man.archlinux.org/man/docker-image-pull.1.en.raw

---

Pin the Go builder base image to an immutable digest.

FROM docker.io/library/golang:1.26 as builder uses a mutable tag; Docker tag references can resolve to different image digests depending on platform/variant and may drift over time. Pin to golang@sha256:<digest> for the target platform (optionally keeping the tag for readability) to make builds reproducible and improve supply-chain safety.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@Dockerfile` at line 5, The Dockerfile uses a mutable base image tag in the
FROM instruction ("FROM docker.io/library/golang:1.26 as builder"); replace this
with the corresponding immutable digest form (golang@sha256:<digest>) for the
intended target platform to ensure reproducible builds — obtain the correct
sha256 digest for go 1.26 on your platform (e.g., by pulling the image and
inspecting its repoDigests or checking the official registry manifest) and
update the FROM line to use that digest (you may keep the readable tag alongside
the digest for clarity).

Source: Coding guidelines

[bcrochet]

/lgtm