Skip to content

Update go-openapi packages #148

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed
red-hat-konflux-kflux-prd-rh02 wants to merge 1 commit into from
+2 −2
Closed

Update go-openapi packages #148

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
4 changes: 2 additions & 2 deletions go.mod
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -79,8 +79,8 @@ require (
github.com/go-logr/logr v1.4.3 // indirect
github.com/go-logr/stdr v1.2.2 // indirect
github.com/go-ole/go-ole v1.2.6 // indirect
github.com/go-openapi/jsonpointer v0.21.0 // indirect
github.com/go-openapi/swag v0.23.0 // indirect
github.com/go-openapi/jsonpointer v0.23.1 // indirect
github.com/go-openapi/swag v0.26.0 // indirect
Comment on lines +82 to +83
Copy link
Copy Markdown

@coderabbitai coderabbitai Bot May 13, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🔴 Critical | 🏗️ Heavy lift

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Check lines 82-83 and surrounding context in go.mod
echo "=== hyperfleet-api go.mod lines 80-85 ==="
sed -n '80,85p' go.mod

Repository: openshift-hyperfleet/hyperfleet-api

Length of output: 434

🏁 Script executed:

#!/bin/bash
# Check the .bingo/oapi-codegen.sum file for go-openapi versions
echo "=== hyperfleet-sentinel .bingo/oapi-codegen.sum ==="
cat .bingo/oapi-codegen.sum 2>/dev/null | head -20 || echo "File not found"

Repository: openshift-hyperfleet/hyperfleet-sentinel

Length of output: 2125

🏁 Script executed:

#!/bin/bash
# Check go.mod for comparison
echo "=== hyperfleet-adapter go.mod go-openapi entries ==="
grep -n "go-openapi" go.mod || echo "No go-openapi found"

Repository: openshift-hyperfleet/hyperfleet-adapter

Length of output: 305

🏁 Script executed:

#!/bin/bash
# Check if oapi-codegen is used and where generated code lives
echo "=== Searching for oapi-codegen usage in hyperfleet-api ==="
find . -name "*.mod" -o -name "*.sum" -o -name "*.toml" | xargs grep -l "oapi-codegen" 2>/dev/null || echo "No oapi-codegen found"

echo ""
echo "=== Searching for OpenAPI spec files ==="
find . -name "*.yaml" -o -name "*.yml" -o -name "*.json" | grep -i "openapi\|swagger" | head -10 || echo "No OpenAPI specs found"

echo ""
echo "=== Checking if go-openapi deps are direct or transitive ==="
head -100 go.mod | grep -A5 "require ("

Repository: openshift-hyperfleet/hyperfleet-api

Length of output: 1175

🏁 Script executed:

#!/bin/bash
# Check oapi-codegen bingo tooling and its purpose
echo "=== hyperfleet-sentinel .bingo directory ==="
ls -la .bingo/ 2>/dev/null || echo ".bingo not found"

echo ""
echo "=== Checking go.mod for oapi-codegen ==="
grep -n "oapi-codegen" go.mod 2>/dev/null || echo "oapi-codegen not in go.mod"

Repository: openshift-hyperfleet/hyperfleet-sentinel

Length of output: 925

🏁 Script executed:

#!/bin/bash
# Check if hyperfleet-adapter uses generated code or oapi-codegen
echo "=== Searching for oapi-codegen references ==="
find . -type f \( -name "*.mod" -o -name "*.sum" -o -name "Makefile" -o -name "*.sh" \) | xargs grep -l "oapi-codegen" 2>/dev/null || echo "No oapi-codegen references"

echo ""
echo "=== Check go.mod require section ==="
head -80 go.mod | tail -30

Repository: openshift-hyperfleet/hyperfleet-adapter

Length of output: 1768

🏁 Script executed:

#!/bin/bash
# Check what oapi-codegen tool itself pins for go-openapi versions
echo "=== hyperfleet-api .bingo/oapi-codegen.mod ==="
cat .bingo/oapi-codegen.mod

echo ""
echo "=== hyperfleet-api .bingo/oapi-codegen.sum (go-openapi entries) ==="
grep "go-openapi" .bingo/oapi-codegen.sum | head -10

echo ""
echo "=== Check direct vs indirect in main go.mod ==="
echo "Direct requires:"
sed -n '/^require (/,/^)/p' go.mod | grep -i "go-openapi" || echo "None in direct requires"

echo ""
echo "=== Check if swag/jsonpointer come from another direct dependency ==="
grep -n "^require (" go.mod
head -40 go.mod

Repository: openshift-hyperfleet/hyperfleet-api

Length of output: 2598

🏁 Script executed:

#!/bin/bash
# Check if openapi.yaml or oapi-codegen.yaml were changed
echo "=== Check OpenAPI spec files ==="
cat openapi/openapi.yaml | head -20

echo ""
echo "=== Check oapi-codegen.yaml config ==="
cat openapi/oapi-codegen.yaml 2>/dev/null || echo "File not found"

echo ""
echo "=== Check if any generated code exists and needs regeneration ==="
find . -type f -name "*.go" -path "*/openapi*" -o -name "*oapi*.go" | head -20

Repository: openshift-hyperfleet/hyperfleet-api

Length of output: 1321

🏁 Script executed:

#!/bin/bash
# Check if hyperfleet-sentinel generates code from specs
echo "=== Check if sentinel uses generated openapi code ==="
find . -type f -name "*.go" | xargs grep -l "github.com/oapi-codegen" 2>/dev/null | head -5 || echo "No oapi-codegen usage in generated code found"

echo ""
echo "=== Check .bingo/oapi-codegen.sum vs main go.mod ==="
echo "Codegen tool versions:"
grep "go-openapi" .bingo/oapi-codegen.sum | grep -E "^github" | sort -u

echo ""
echo "Main go.mod versions:"
grep "go-openapi" go.mod || echo "None in main go.mod"

Repository: openshift-hyperfleet/hyperfleet-sentinel

Length of output: 618

🏁 Script executed:

#!/bin/bash
# Check what go-openapi versions oapi-codegen/v2 v2.6.0 actually requires
echo "=== What is in .bingo/oapi-codegen.sum (full go-openapi lines) ==="
grep "go-openapi" .bingo/oapi-codegen.sum

echo ""
echo "=== Check kin-openapi v0.133.0 to understand transitive chain ==="
grep "getkin/kin-openapi" go.sum | head -3

echo ""
echo "=== Full go.sum entries for go-openapi (what was resolved) ==="
grep "go-openapi" go.sum | sort -u

echo ""
echo "=== Which direct dependency brings in go-openapi to main go.mod ==="
# getkin/kin-openapi v0.133.0 likely brings in go-openapi
echo "Checking if generated openapi.gen.go exists and matches current config..."
ls -la pkg/api/openapi/openapi.gen.go 2>/dev/null && echo "Generated code file exists" || echo "Generated code not found"

Repository: openshift-hyperfleet/hyperfleet-api

Length of output: 1346

🏁 Script executed:

#!/bin/bash
# Critical check: verify go.mod vs go.sum consistency for these specific packages
echo "=== Go.mod lines 82-83 (as claimed in PR) ==="
sed -n '82,83p' go.mod

echo ""
echo "=== Actual corresponding entries in go.sum ==="
grep "github.com/go-openapi/jsonpointer\|github.com/go-openapi/swag" go.sum

echo ""
echo "=== Check if go.mod has been edited but go.sum not synced ==="
wc -l go.mod go.sum

echo ""
echo "=== Full context: lines 80-95 of go.mod to see the pattern ==="
sed -n '80,95p' go.mod

echo ""
echo "=== Is there a go.mod.backup or recent git history? ==="
git log --oneline -5 go.mod go.sum 2>/dev/null || echo "Git history not available"
</parameter>

Repository: openshift-hyperfleet/hyperfleet-api

Length of output: 1869

🏁 Script executed:

#!/bin/bash
# Verify the go.mod/go.sum mismatch is real
echo "=== Check for ALL go-openapi entries in go.sum ==="
grep "go-openapi" go.sum | wc -l
echo "Total entries:"
grep "go-openapi" go.sum

echo ""
echo "=== Check for ALL go-openapi entries in go.mod ==="
grep "go-openapi" go.mod

echo ""
echo "=== Verify this is actually lines 82-83 and not a different location ==="
grep -n "go-openapi" go.mod

echo ""
echo "=== Is the go.sum corrupted or incomplete? Run validation ==="
go mod tidy --dry-run 2>&1 | head -20 || echo "Go command not available"

Repository: openshift-hyperfleet/hyperfleet-api

Length of output: 1058

🏁 Script executed:

#!/bin/bash
# Critical discovery: go.mod declares versions not in go.sum
# Let's verify the git history to understand what happened

echo "=== Recent git log for go.mod and go.sum ==="
git log --oneline -10 go.mod go.sum 2>/dev/null || echo "Git not available"

echo ""
echo "=== Check the last commit that touched these files ==="
git log -1 --format="%H %s" -- go.mod 2>/dev/null || echo "Git history unavailable"

echo ""
echo "=== Check if go.sum has entries for v0.23.1 or v0.26.0 anywhere ==="
grep -E "v0.23.1|v0.26.0" go.sum || echo "No v0.23.1 or v0.26.0 found in go.sum"

echo ""
echo "=== What's the git diff status ==="
git status --short go.mod go.sum 2>/dev/null || echo "Git status unavailable"

echo ""
echo "=== Try to see if go.mod changes are staged but uncommitted ==="
git diff go.mod 2>/dev/null | head -30 || echo "No uncommitted changes"
</parameter>

Repository: openshift-hyperfleet/hyperfleet-api

Length of output: 662

🏁 Script executed:

#!/bin/bash
# This is critical - go.mod declares versions not in go.sum
# This breaks the build. Let's verify the actual state

echo "=== Git show the actual commit content ==="
git show 887d96c:go.mod 2>/dev/null | sed -n '82,83p' || echo "Cannot access commit"

echo ""
echo "=== Git show go.sum from that commit ==="
git show 887d96c:go.sum 2>/dev/null | grep "go-openapi" || echo "Cannot access go.sum from commit"

echo ""
echo "=== What version of Go is being used? ==="
head -3 go.mod

echo ""
echo "=== Are there any indirect dependencies that would pull these versions? ==="
grep -A2 -B2 "getkin/kin-openapi\|oapi-codegen" go.mod

echo ""
echo "=== Final check: will this build? Test go mod verify ==="
go mod verify 2>&1 || echo "Go mod verify failed - likely indicates sync issue"

Repository: openshift-hyperfleet/hyperfleet-api

Length of output: 1313

🏁 Script executed:

#!/bin/bash
# The critical discovery: go.mod declares versions NOT in go.sum
# But go mod verify passes. Let's understand what's actually happening

echo "=== Check go.mod line 82-83 once more ==="
sed -n '82,83p' go.mod

echo ""
echo "=== Now check if kin-openapi v0.133.0 actually REQUIRES these newer versions ==="
# Search upstream to see what kin-openapi depends on
echo "Checking what getkin/kin-openapi v0.133.0 depends on..."
grep -A10 "getkin/kin-openapi v0.133.0" go.sum || echo "Cannot infer from go.sum"

echo ""
echo "=== The real question: are lines 82-83 correct or stale/manual edits? ==="
echo "If go.sum has v0.21.0/v0.23.0 but go.mod declares v0.23.1/v0.26.0,"
echo "this indicates incomplete dependency update (go.mod manually edited without go mod tidy)"

echo ""
echo "=== Verify: what does go mod graph show for these packages? ==="
go mod graph 2>/dev/null | grep "go-openapi" | head -5 || echo "go mod graph unavailable"

echo ""
echo "=== List all indirect requires marked in go.mod ==="
grep "// indirect" go.mod | wc -l
echo "Total indirect: shown above"
</parameter>

Repository: openshift-hyperfleet/hyperfleet-api

Length of output: 2327

go.mod declares versions not present in go.sum — module integrity broken.

Lines 82-83 explicitly require jsonpointer v0.23.1 and swag v0.26.0, but go.sum contains only v0.21.0 and v0.23.0 (transitive from getkin/kin-openapi v0.133.0). This creates a dependency mismatch that breaks reproducible builds. Either run go mod tidy to update go.sum with the new versions, or revert lines 82-83 if the version bump was unintended. Additionally, verify why you're explicitly forcing versions beyond what upstream dependencies require — this introduces unnecessary compatibility risk across HyperFleet repos (sentinel, adapter) that may not expect these newer versions.

🤖 Prompt for AI Agents 
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@go.mod` around lines 82 - 83, go.mod lists github.com/go-openapi/jsonpointer
v0.23.1 and github.com/go-openapi/swag v0.26.0 but those versions are not
present in go.sum, breaking module integrity; either run `go mod tidy` to update
go.sum (so jsonpointer@v0.23.1 and swag@v0.26.0 are recorded) or revert/remove
the explicit requirements for github.com/go-openapi/jsonpointer and
github.com/go-openapi/swag if the bump was accidental, and while fixing, verify
why these explicit version pins were added (check for compatibility across
consumers like sentinel/adapter) to avoid forcing newer transitive versions
unnecessarily.

github.com/go-playground/locales v0.14.1 // indirect
github.com/go-playground/universal-translator v0.18.1 // indirect
github.com/go-sql-driver/mysql v1.8.1 // indirect
Expand Down