[release-4.12] OCPBUGS-86876: Bump google.golang.org/grpc

[rhdmalone]

Background
google.golang.org/grpc versions before v1.64.1 are vulnerable to CVE-2026-33186 (authorization bypass). For older OpenShift release branches where a direct version bump is not possible, the fix uses a patched sustaining fork: github.com/openshift-sustaining/grpc-go v1.64.1-sec.1.

Changes
Replace google.golang.org/grpc with github.com/openshift-sustaining/grpc-go v1.64.1-sec.1 via a replace directive in go.mod

Bump go.opentelemetry.io/otel/exporters/otlp/otlptrace* to v1.24.0 and go.opentelemetry.io/otel/sdk to v1.24.0 to resolve a module restructuring incompatibility

Remove the obsolete go.opentelemetry.io/otel/exporters/otlp/internal/retry module entry (merged into the exporter at v1.24.0)

Update tracing/tracing.go semconv import to v1.24.0 to avoid OTel schema URL conflicts at runtime

Pin go.uber.org/goleak to v1.2.0 — v1.3.0 uses errors.Join/strings.CutPrefix (Go 1.20+) but this branch builds with Go 1.19

Steps to reproduce
Add the grpc replace directive:
go mod edit -replace google.golang.org/grpc=github.com/openshift-sustaining/grpc-go@v1.64.1-sec.1

Pre-fetch the sustaining fork: go mod download github.com/openshift-sustaining/grpc-go@v1.64.1-sec.1
Run go mod tidy -e (the -e flag tolerates OTel internal package restructuring warnings)

Manually update go.mod:
Bump otlptrace, otlptracegrpc, otlptracehttp from v1.11.2 → v1.24.0
Bump go.opentelemetry.io/otel/sdk from v1.22.0 → v1.24.0

Remove go.opentelemetry.io/otel/exporters/otlp/internal/retry v1.11.2

Add replace go.uber.org/goleak => go.uber.org/goleak v1.2.0

Update tracing/tracing.go: change semconv import from v1.12.0 to v1.24.0

Finalize: go mod download go.uber.org/goleak@v1.2.0 && go mod tidy -e && go mod vendor
Commit: git add go.mod go.sum vendor/ tracing/tracing.go && git commit
Verification

grep "Version" vendor/google.golang.org/grpc/version.go
Expected: const Version = "1.64.1"

grep "go.uber.org/goleak" vendor/modules.txt
Expected: # go.uber.org/goleak v1.3.0 => go.uber.org/goleak v1.2.0

[openshift-ci-robot]

@rhdmalone: No Jira issue with key OCPBUGS-86876 exists in the tracker at https://redhat.atlassian.net.
Once a valid jira issue is referenced in the title of this pull request, request a refresh with /jira refresh.

Details

In response to this:

Background
google.golang.org/grpc versions before v1.64.1 are vulnerable to CVE-2026-33186 (authorization bypass). For older OpenShift release branches where a direct version bump is not possible, the fix uses a patched sustaining fork: github.com/openshift-sustaining/grpc-go v1.64.1-sec.1.

Changes
Replace google.golang.org/grpc with github.com/openshift-sustaining/grpc-go v1.64.1-sec.1 via a replace directive in go.mod

Bump go.opentelemetry.io/otel/exporters/otlp/otlptrace* to v1.24.0 and go.opentelemetry.io/otel/sdk to v1.24.0 to resolve a module restructuring incompatibility

Remove the obsolete go.opentelemetry.io/otel/exporters/otlp/internal/retry module entry (merged into the exporter at v1.24.0)

Update tracing/tracing.go semconv import to v1.24.0 to avoid OTel schema URL conflicts at runtime

Pin go.uber.org/goleak to v1.2.0 — v1.3.0 uses errors.Join/strings.CutPrefix (Go 1.20+) but this branch builds with Go 1.19

Steps to reproduce
Add the grpc replace directive:
go mod edit -replace google.golang.org/grpc=github.com/openshift-sustaining/grpc-go@v1.64.1-sec.1

Pre-fetch the sustaining fork: go mod download github.com/openshift-sustaining/grpc-go@v1.64.1-sec.1
Run go mod tidy -e (the -e flag tolerates OTel internal package restructuring warnings)

Manually update go.mod:
Bump otlptrace, otlptracegrpc, otlptracehttp from v1.11.2 → v1.24.0
Bump go.opentelemetry.io/otel/sdk from v1.22.0 → v1.24.0

Remove go.opentelemetry.io/otel/exporters/otlp/internal/retry v1.11.2

Add replace go.uber.org/goleak => go.uber.org/goleak v1.2.0

Update tracing/tracing.go: change semconv import from v1.12.0 to v1.24.0

Finalize: go mod download go.uber.org/goleak@v1.2.0 && go mod tidy -e && go mod vendor
Commit: git add go.mod go.sum vendor/ tracing/tracing.go && git commit
Verification

grep "Version" vendor/google.golang.org/grpc/version.go

Expected: const Version = "1.64.1"

grep "go.uber.org/goleak" vendor/modules.txt

Expected: # go.uber.org/goleak v1.3.0 => go.uber.org/goleak v1.2.0

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[coderabbitai]

Important

Review skipped

Auto reviews are disabled on base/target branches other than the default branch.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 0a331ca9-ada0-4b12-bc00-71050af253ea

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

• 🔍 Trigger review

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[openshift-ci-robot]

@rhdmalone: No Jira issue with key OCPBUGS-86876 exists in the tracker at https://redhat.atlassian.net.
Once a valid jira issue is referenced in the title of this pull request, request a refresh with /jira refresh.

Details

In response to this:

Background
google.golang.org/grpc versions before v1.64.1 are vulnerable to CVE-2026-33186 (authorization bypass). For older OpenShift release branches where a direct version bump is not possible, the fix uses a patched sustaining fork: github.com/openshift-sustaining/grpc-go v1.64.1-sec.1.

Changes
Replace google.golang.org/grpc with github.com/openshift-sustaining/grpc-go v1.64.1-sec.1 via a replace directive in go.mod

Bump go.opentelemetry.io/otel/exporters/otlp/otlptrace* to v1.24.0 and go.opentelemetry.io/otel/sdk to v1.24.0 to resolve a module restructuring incompatibility

Remove the obsolete go.opentelemetry.io/otel/exporters/otlp/internal/retry module entry (merged into the exporter at v1.24.0)

Update tracing/tracing.go semconv import to v1.24.0 to avoid OTel schema URL conflicts at runtime

Pin go.uber.org/goleak to v1.2.0 — v1.3.0 uses errors.Join/strings.CutPrefix (Go 1.20+) but this branch builds with Go 1.19

Steps to reproduce
Add the grpc replace directive:
go mod edit -replace google.golang.org/grpc=github.com/openshift-sustaining/grpc-go@v1.64.1-sec.1

Pre-fetch the sustaining fork: go mod download github.com/openshift-sustaining/grpc-go@v1.64.1-sec.1
Run go mod tidy -e (the -e flag tolerates OTel internal package restructuring warnings)

Manually update go.mod:
Bump otlptrace, otlptracegrpc, otlptracehttp from v1.11.2 → v1.24.0
Bump go.opentelemetry.io/otel/sdk from v1.22.0 → v1.24.0

Remove go.opentelemetry.io/otel/exporters/otlp/internal/retry v1.11.2

Add replace go.uber.org/goleak => go.uber.org/goleak v1.2.0

Update tracing/tracing.go: change semconv import from v1.12.0 to v1.24.0

Finalize: go mod download go.uber.org/goleak@v1.2.0 && go mod tidy -e && go mod vendor
Commit: git add go.mod go.sum vendor/ tracing/tracing.go && git commit
Verification

grep "Version" vendor/google.golang.org/grpc/version.go
Expected: const Version = "1.64.1"

grep "go.uber.org/goleak" vendor/modules.txt
Expected: # go.uber.org/goleak v1.3.0 => go.uber.org/goleak v1.2.0

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[simonpasquier]

/label backport-risk-assessed
/approve

[simonpasquier]

/jira refresh

[openshift-ci-robot]

@simonpasquier: This pull request references Jira Issue OCPBUGS-86876, which is invalid:

• release note text must be set and not match the template OR release note type must be set to "Release Note Not Required". For more information you can reference the OpenShift Bug Process.
• expected Jira Issue OCPBUGS-86876 to depend on a bug targeting a version in 4.13.0, 4.13.z and in one of the following states: VERIFIED, RELEASE PENDING, CLOSED (ERRATA), CLOSED (CURRENT RELEASE), CLOSED (DONE), CLOSED (DONE-ERRATA), but no dependents were found

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

The bug has been updated to refer to the pull request using the external bug tracker.

Details

In response to this:

/jira refresh

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[simonpasquier]

/jira refresh

[openshift-ci-robot]

@simonpasquier: This pull request references Jira Issue OCPBUGS-86876, which is invalid:

• release note text must be set and not match the template OR release note type must be set to "Release Note Not Required". For more information you can reference the OpenShift Bug Process.
• expected dependent Jira Issue OCPBUGS-86877 to be in one of the following states: VERIFIED, RELEASE PENDING, CLOSED (ERRATA), CLOSED (CURRENT RELEASE), CLOSED (DONE), CLOSED (DONE-ERRATA), but it is ASSIGNED instead

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

Details

In response to this:

/jira refresh

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[simonpasquier]

/jira refresh

[openshift-ci-robot]

@simonpasquier: This pull request references Jira Issue OCPBUGS-86876, which is invalid:

• expected dependent Jira Issue OCPBUGS-86877 to be in one of the following states: VERIFIED, RELEASE PENDING, CLOSED (ERRATA), CLOSED (CURRENT RELEASE), CLOSED (DONE), CLOSED (DONE-ERRATA), but it is ASSIGNED instead

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

Details

In response to this:

/jira refresh

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[rhdmalone]

/test e2e-agnostic-cmo

[rhdmalone]

/test e2e-aws-ovn-upgrade

[simonpasquier]

/lgtm
/verified by @simonpasquier

[openshift-ci-robot]

@simonpasquier: This PR has been marked as verified by @simonpasquier.

Details

In response to this:

/lgtm
/verified by @simonpasquier

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: rhdmalone, simonpasquier

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS [simonpasquier]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[rhdmalone]

/test e2e-agnostic-cmo

[openshift-ci]

@rhdmalone: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.