Bump the go_modules group across 2 directories with 11 updates

[dependabot]

Bumps the go_modules group with 7 updates in the /tests/e2e directory:

Package	From	To
github.com/cloudflare/circl	1.6.0	1.6.3
github.com/go-jose/go-jose/v4	4.1.1	4.1.4
github.com/microsoft/kiota-http-go	1.5.2	1.5.5
github.com/moby/spdystream	0.5.0	0.5.1
go.opentelemetry.io/otel	1.37.0	1.41.0
go.opentelemetry.io/otel/sdk	1.37.0	1.43.0
google.golang.org/grpc	1.75.1	1.79.3

Bumps the go_modules group with 4 updates in the /tests/integration directory: go.opentelemetry.io/otel/sdk, github.com/distribution/distribution/v3, github.com/containerd/containerd and github.com/go-git/go-git/v5.

Updates github.com/cloudflare/circl from 1.6.0 to 1.6.3

Release notes

Sourced from github.com/cloudflare/circl's releases.

CIRCL v1.6.3

Fix a bug on ecc/p384 scalar multiplication.

What's Changed

• sign/mldsa: Check opts for nil value by @​armfazh in cloudflare/circl#582
• ecc/p384: Point addition must handle point doubling case. by @​armfazh in cloudflare/circl#583
• Release CIRCL v1.6.3 by @​armfazh in cloudflare/circl#584

Full Changelog: cloudflare/circl@v1.6.2...v1.6.3

CIRCL v1.6.2

• New SLH-DSA, improvements in ML-DSA for arm64.
• Tested compilation on WASM.

What's Changed

• Optimize pairing product computation by moving exponentiations to G1. by @​dfaranha in cloudflare/circl#547
• sign: Adding SLH-DSA signature by @​armfazh in cloudflare/circl#512
• Update code generators to CIRCL v1.6.1. by @​armfazh in cloudflare/circl#548
• ML-DSA: Add preliminary Wycheproof test vectors by @​bwesterb in cloudflare/circl#552
• go fmt by @​bwesterb in cloudflare/circl#554
• gz-compressing test vectors, use of HexBytes and ReadGzip functions. by @​armfazh in cloudflare/circl#555
• group: Removes use of elliptic Marshal and Unmarshal functions. by @​armfazh in cloudflare/circl#556
• Support encoding/decoding ML-DSA private keys (as long as they contain seeds) by @​bwesterb in cloudflare/circl#559
• Update to golangci-lint v2 by @​bwesterb in cloudflare/circl#560
• Preparation for ARM64 Implementation of poly operations for dilithium package. by @​elementrics in cloudflare/circl#562
• prepare power2Round for custom implementations in assembly by @​elementrics in cloudflare/circl#564
• ARM64 implementation for poly.PackLe16 by @​elementrics in cloudflare/circl#563
• add arm64 version of polyMulBy2toD by @​elementrics in cloudflare/circl#565
• add arm64 version of polySub by @​elementrics in cloudflare/circl#566
• group: add byteLen method for short groups and RandomScalar uses rand.Int by @​armfazh in cloudflare/circl#568
• add arm64 version of poly.Add/Sub by @​elementrics in cloudflare/circl#572
• group: Adding cryptobyte marshaling to scalars by @​armfazh in cloudflare/circl#569
• Bumping up to Go1.25 by @​armfazh in cloudflare/circl#574
• ci: Including WASM compilation. by @​armfazh in cloudflare/circl#577
• Revert to using package-declared HPKE errors for shortkem instead of standard library errors by @​harshiniwho in cloudflare/circl#578
• Release v1.6.2 by @​armfazh in cloudflare/circl#579

New Contributors

• @​dfaranha made their first contribution in cloudflare/circl#547
• @​elementrics made their first contribution in cloudflare/circl#562
• @​harshiniwho made their first contribution in cloudflare/circl#578

Full Changelog: cloudflare/circl@v1.6.1...v1.6.2

CIRCL v1.6.1

• Fixes some point checks on the FourQ curve.
• Hybrid KEM fails on low-order points.

... (truncated)

Commits

• 24ae53c Release CIRCL v1.6.3
• 581020b Rename method to oddMultiplesProjective.
• 12209a4 Removing unused cmov for jacobian points.
• fcba359 ecc/p384: use of complete projective formulas for scalar multiplication.
• 5e1bae8 ecc/p384: handle point doubling in point addition with Jacobian coordinates.
• 3416046 Check opts for nil value.
• a763d47 Release CIRCL v1.6.2
• 3c70bf9 Bump x/crypto x/sys dependencies.
• 3f0f15b Revert to using package-declared HPKE errors for shortkem instead of standard...
• 23491bd Adding generic Power2Round method.
• Additional commits viewable in compare view

Updates github.com/go-jose/go-jose/v4 from 4.1.1 to 4.1.4

Release notes

Sourced from github.com/go-jose/go-jose/v4's releases.

v4.1.4

What's Changed

Fixes Panic in JWE decryption. See GHSA-78h2-9frx-2jm8

Full Changelog: go-jose/go-jose@v4.1.3...v4.1.4

v4.1.3

This release drops Go 1.23 support as that Go release is no longer supported. With that, we can drop x/crypto and no longer have any external dependencies in go-jose outside of the standard library!

This release fixes a bug where a critical b64 header was ignored if in an unprotected header. It is now rejected instead of ignored.

What's Changed

• Remove Go 1.23 support by @​mcpherrinm in go-jose/go-jose#205
• Reject JWS with an unprotected critical b64 header by @​mcpherrinm in go-jose/go-jose#210

Full Changelog: go-jose/go-jose@v4.1.2...v4.1.3

v4.1.2

What's Changed

go-jose v4.1.2 improves some documentation, errors, and removes the only 3rd-party dependency.

• Update go-jose documentation by @​mcpherrinm in go-jose/go-jose#198
• Remove dependency on testify by @​wardviaene in go-jose/go-jose#197
• Improve error message for invalid private keys by @​ProjectMutilation in go-jose/go-jose#195
• JWK unsupported error when unmarshalling by @​fprojetto in go-jose/go-jose#191
• Add JSONWebKey type to makeJWERecipient by @​alvarolivie in go-jose/go-jose#200
• testutils/assert: remove True, Nil, NotNil by @​jsha in go-jose/go-jose#202

New Contributors

• @​wardviaene made their first contribution in go-jose/go-jose#197
• @​fprojetto made their first contribution in go-jose/go-jose#191
• @​alvarolivie made their first contribution in go-jose/go-jose#200

Full Changelog: go-jose/go-jose@v4.1.1...v4.1.2

Commits

• 0e59876 Merge commit from fork
• ddffdbc Bump actions/checkout from 5 to 6 (#213)
• 5348b9a Reject JWS with an unprotected critical b64 header (#210)
• 9153a5e Bump actions/setup-python from 5 to 6 (#208)
• 2126e17 Bump actions/setup-go from 5 to 6 (#209)
• 9860c65 Bump actions/checkout from 4 to 5 (#206)
• 14239fd Remove Go 1.23 support (#205)
• a16e158 Update CI to run on Go 1.24 and 1.25 (#204)
• a1565a4 testutils/assert: remove True, Nil, NotNil (#202)
• 3a80e13 jwe: accept non-pointer JSONWebKey in Recipient (#200)
• Additional commits viewable in compare view

Updates github.com/microsoft/kiota-http-go from 1.5.2 to 1.5.5

Release notes

Sourced from github.com/microsoft/kiota-http-go's releases.

v1.5.5

1.5.5 (2026-03-02)

Bug Fixes

• adding senstive headers scrub function (fba6ba4)
• adding senstive headers scrub function (39fa46c)
• adding senstive headers scrub function (ce4f0dc)
• adding senstive headers scrub function (e68b9e1)

v1.5.4

1.5.4 (2025-06-06)

Bug Fixes

• retry handler exponential backoff (#205) (2f2a350)

v1.5.3

1.5.3 (2025-04-03)

Bug Fixes

• adding middleware with options errors with "unsupported option type" (beeb32d)

Changelog

Sourced from github.com/microsoft/kiota-http-go's changelog.

1.5.5 (2026-03-02)

Bug Fixes

• adding senstive headers scrub function (fba6ba4)
• adding senstive headers scrub function (39fa46c)
• adding senstive headers scrub function (ce4f0dc)
• adding senstive headers scrub function (e68b9e1)

1.5.4 (2025-06-06)

Bug Fixes

• retry handler exponential backoff (#205) (2f2a350)

1.5.3 (2025-04-03)

Bug Fixes

• adding middleware with options errors with "unsupported option type" (beeb32d)

Commits

• c6133fe Merge pull request #223 from microsoft/release-please--branches--main--compon...
• cb68231 chore(main): release 1.5.5
• fba6ba4 Merge pull request #221 from microsoft/cobando/fix-redirect-vulnerability
• 39fa46c updating scrub func to use 2 instead of 3 params
• ce4f0dc adding port condition
• e68b9e1 adding senstive headers scrub function
• f950250 Merge pull request #220 from microsoft/ci/release-please-dispatch
• 849a4ee ci: adds workflow dispatch to release please
• 7bdff1c Merge pull request #218 from microsoft/dependabot/github_actions/dependabot/f...
• 85d1657 chore(deps): bump dependabot/fetch-metadata from 2.4.0 to 2.5.0
• Additional commits viewable in compare view

Updates github.com/moby/spdystream from 0.5.0 to 0.5.1

Release notes

Sourced from github.com/moby/spdystream's releases.

v0.5.1

What's Changed

Security

Fix memory amplification in SPDY frame parsing leads to denial of service (CVE-2026-35469 / GHSA-pc3f-x583-g7j2)

Changes

• spdy: fix duplicate license headers, add LICENSE, PATENTS, and update NOTICE moby/spdystream#106
• ci: update actions and test against latest Go versions moby/spdystream#107
• use ioutil.Discard for go1.13 compatibility moby/spdystream#109

Full Changelog: moby/spdystream@v0.5.0...v0.5.1

Commits

• c59e5d7 Merge pull request #109 from thaJeztah/use_ioutil
• 2fd0155 use ioutil.Discard for go1.13 compatibility
• ef6121f Merge commit from fork
• 241cec9 compare with signed Int for 32-bit Arm
• 21c3864 Add options to customize limits
• acf9b45 spdy: update godoc for MaxDataLength
• eb63605 spdy: limit header-size and header-count
• 2f21da4 spdy: fix header block byte accounting
• 5976b66 spdy: enforce 24-bit frame length limits
• cf0ec5d Guard against oversized SPDY frames
• Additional commits viewable in compare view

Updates go.opentelemetry.io/otel from 1.37.0 to 1.41.0

Changelog

Sourced from go.opentelemetry.io/otel's changelog.

[1.41.0/0.63.0/0.17.0/0.0.15] 2026-03-02

This release is the last to support [Go 1.24]. The next release will require at least [Go 1.25].

Added

• Support testing of [Go 1.26]. (#7902)

Fixed

• Update Baggage in go.opentelemetry.io/otel/propagation and Parse and New in go.opentelemetry.io/otel/baggage to comply with W3C Baggage specification limits. New and Parse now return partial baggage along with an error when limits are exceeded. Errors from baggage extraction are reported to the global error handler. (#7880)
• Return an error when the endpoint is configured as insecure and with TLS configuration in go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploghttp. (#7914)
• Return an error when the endpoint is configured as insecure and with TLS configuration in go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp. (#7914)
• Return an error when the endpoint is configured as insecure and with TLS configuration in go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp. (#7914)

[1.40.0/0.62.0/0.16.0] 2026-02-02

Added

• Add AlwaysRecord sampler in go.opentelemetry.io/otel/sdk/trace. (#7724)
• Add Enabled method to all synchronous instrument interfaces (Float64Counter, Float64UpDownCounter, Float64Histogram, Float64Gauge, Int64Counter, Int64UpDownCounter, Int64Histogram, Int64Gauge,) in go.opentelemetry.io/otel/metric. This stabilizes the synchronous instrument enabled feature, allowing users to check if an instrument will process measurements before performing computationally expensive operations. (#7763)
• Add go.opentelemetry.io/otel/semconv/v1.39.0 package. The package contains semantic conventions from the v1.39.0 version of the OpenTelemetry Semantic Conventions. See the migration documentation for information on how to upgrade from go.opentelemetry.io/otel/semconv/v1.38.0. (#7783, #7789)

Changed

• Improve the concurrent performance of HistogramReservoir in go.opentelemetry.io/otel/sdk/metric/exemplar by 4x. (#7443)
• Improve the concurrent performance of FixedSizeReservoir in go.opentelemetry.io/otel/sdk/metric/exemplar. (#7447)
• Improve performance of concurrent histogram measurements in go.opentelemetry.io/otel/sdk/metric. (#7474)
• Improve performance of concurrent synchronous gauge measurements in go.opentelemetry.io/otel/sdk/metric. (#7478)
• Add experimental observability metrics in go.opentelemetry.io/otel/exporters/stdout/stdoutmetric. (#7492)
• Exporter in go.opentelemetry.io/otel/exporters/prometheus ignores metrics with the scope go.opentelemetry.io/contrib/bridges/prometheus. This prevents scrape failures when the Prometheus exporter is misconfigured to get data from the Prometheus bridge. (#7688)
• Improve performance of concurrent exponential histogram measurements in go.opentelemetry.io/otel/sdk/metric. (#7702)
• The rpc.grpc.status_code attribute in the experimental metrics emitted from go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc is replaced with the rpc.response.status_code attribute to align with the semantic conventions. (#7854)
• The rpc.grpc.status_code attribute in the experimental metrics emitted from go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploggrpc is replaced with the rpc.response.status_code attribute to align with the semantic conventions. (#7854)

Fixed

• Fix bad log message when key-value pairs are dropped because of key duplication in go.opentelemetry.io/otel/sdk/log. (#7662)
• Fix DroppedAttributes on Record in go.opentelemetry.io/otel/sdk/log to not count the non-attribute key-value pairs dropped because of key duplication. (#7662)
• Fix SetAttributes on Record in go.opentelemetry.io/otel/sdk/log to not log that attributes are dropped when they are actually not dropped. (#7662)
• Fix missing request.GetBody in go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp to correctly handle HTTP/2 GOAWAY frame. (#7794)
• WithHostID detector in go.opentelemetry.io/otel/sdk/resource to use full path for ioreg command on Darwin (macOS). (#7818)

... (truncated)

Commits

• 4575a97 Release 1.41.0/0.63.0/0.17.0/0.0.15 (#7977)
• 66fc10d fix: add error handling for insecure HTTP endpoints with TLS client configura...
• 76e6eec chore(deps): update github/codeql-action action to v4.32.5 (#7980)
• 0d50f90 Revert "Generate semconv/v1.40.0" (#7978)
• c38a4a5 Generate semconv/v1.40.0 (#7929)
• 0f1a224 chore(deps): update module github.com/securego/gosec/v2 to v2.23.0 (#7899)
• c79ebf4 chore(deps): update module github.com/daixiang0/gci to v0.14.0 (#7973)
• f758157 chore(deps): update module github.com/sonatard/noctx to v0.5.0 (#7968)
• 92a1164 fix(deps): update github.com/opentracing-contrib/go-grpc/test digest to d566b...
• 3cd7c27 chore(deps): update module github.com/protonmail/go-crypto to v1.4.0 (#7969)
• Additional commits viewable in compare view

Updates go.opentelemetry.io/otel/sdk from 1.37.0 to 1.43.0

Changelog

Sourced from go.opentelemetry.io/otel/sdk's changelog.

[1.43.0/0.65.0/0.19.0] 2026-04-02

Added

• Add IsRandom and WithRandom on TraceFlags, and IsRandom on SpanContext in go.opentelemetry.io/otel/trace for W3C Trace Context Level 2 Random Trace ID Flag support. (#8012)
• Add service detection with WithService in go.opentelemetry.io/otel/sdk/resource. (#7642)
• Add DefaultWithContext and EnvironmentWithContext in go.opentelemetry.io/otel/sdk/resource to support plumbing context.Context through default and environment detectors. (#8051)
• Support attributes with empty value (attribute.EMPTY) in go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc. (#8038)
• Support attributes with empty value (attribute.EMPTY) in go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc. (#8038)
• Support attributes with empty value (attribute.EMPTY) in go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploggrpc. (#8038)
• Support attributes with empty value (attribute.EMPTY) in go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp. (#8038)
• Support attributes with empty value (attribute.EMPTY) in go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp. (#8038)
• Support attributes with empty value (attribute.EMPTY) in go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploghttp. (#8038)
• Support attributes with empty value (attribute.EMPTY) in go.opentelemetry.io/otel/sdk/metric/metricdata/metricdatatest. (#8038)
• Add support for per-series start time tracking for cumulative metrics in go.opentelemetry.io/otel/sdk/metric. Set OTEL_GO_X_PER_SERIES_START_TIMESTAMPS=true to enable. (#8060)
• Add WithCardinalityLimitSelector for metric reader for configuring cardinality limits specific to the instrument kind. (#7855)

Changed

• Introduce the EMPTY Type in go.opentelemetry.io/otel/attribute to reflect that an empty value is now a valid value, with INVALID remaining as a deprecated alias of EMPTY. (#8038)
• Improve slice handling in go.opentelemetry.io/otel/attribute to optimize short slice values with fixed-size fast paths. (#8039)
• Improve performance of span metric recording in go.opentelemetry.io/otel/sdk/trace by returning early if self-observability is not enabled. (#8067)
• Improve formatting of metric data diffs in go.opentelemetry.io/otel/sdk/metric/metricdata/metricdatatest. (#8073)

Deprecated

• Deprecate INVALID in go.opentelemetry.io/otel/attribute. Use EMPTY instead. (#8038)

Fixed

• Return spec-compliant TraceIdRatioBased description. This is a breaking behavioral change, but it is necessary to make the implementation spec-compliant. (#8027)
• Fix a race condition in go.opentelemetry.io/otel/sdk/metric where the lastvalue aggregation could collect the value 0 even when no zero-value measurements were recorded. (#8056)
• Limit HTTP response body to 4 MiB in go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp to mitigate excessive memory usage caused by a misconfigured or malicious server. Responses exceeding the limit are treated as non-retryable errors. (#8108)
• Limit HTTP response body to 4 MiB in go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp to mitigate excessive memory usage caused by a misconfigured or malicious server. Responses exceeding the limit are treated as non-retryable errors. (#8108)
• Limit HTTP response body to 4 MiB in go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploghttp to mitigate excessive memory usage caused by a misconfigured or malicious server. Responses exceeding the limit are treated as non-retryable errors. (#8108)
• WithHostID detector in go.opentelemetry.io/otel/sdk/resource to use full path for kenv command on BSD. (#8113)
• Fix missing request.GetBody in go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploghttp to correctly handle HTTP2 GOAWAY frame. (#8096)

[1.42.0/0.64.0/0.18.0/0.0.16] 2026-03-06

Added

• Add go.opentelemetry.io/otel/semconv/v1.40.0 package. The package contains semantic conventions from the v1.40.0 version of the OpenTelemetry Semantic Conventions. See the migration documentation for information on how to upgrade from go.opentelemetry.io/otel/semconv/v1.39.0. (#7985)

... (truncated)

Commits

• 9276201 Release v1.43.0 / v0.65.0 / v0.19.0 (#8128)
• 61b8c94 chore(deps): update module github.com/mattn/go-runewidth to v0.0.22 (#8131)
• 97a086e chore(deps): update github.com/golangci/dupl digest to c99c5cf (#8122)
• 5e363de limit response body size for OTLP HTTP exporters (#8108)
• 35214b6 Use an absolute path when calling bsd kenv (#8113)
• 290024c fix(deps): update module google.golang.org/grpc to v1.80.0 (#8121)
• e70658e fix: support getBody in otelploghttp (#8096)
• 4afe468 fix(deps): update googleapis to 9d38bb4 (#8117)
• b9ca729 chore(deps): update module github.com/go-git/go-git/v5 to v5.17.2 (#8115)
• 69472ec chore(deps): update fossas/fossa-action action to v1.9.0 (#8118)
• Additional commits viewable in compare view

Updates google.golang.org/grpc from 1.75.1 to 1.79.3

Release notes

Sourced from google.golang.org/grpc's releases.

Release 1.79.3

Security

• server: fix an authorization bypass where malformed :path headers (missing the leading slash) could bypass path-based restricted "deny" rules in interceptors like grpc/authz. Any request with a non-canonical path is now immediately rejected with an Unimplemented error. (#8981)

Release 1.79.2

Bug Fixes

• stats: Prevent redundant error logging in health/ORCA producers by skipping stats/tracing processing when no stats handler is configured. (grpc/grpc-go#8874)

Release 1.79.1

Bug Fixes

• grpc: Remove the -dev suffix from the User-Agent header. (grpc/grpc-go#8902)

Release 1.79.0

API Changes

• mem: Add experimental API SetDefaultBufferPool to change the default buffer pool. (#8806)
  • Special Thanks: @​vanja-p
• experimental/stats: Update MetricsRecorder to require embedding the new UnimplementedMetricsRecorder (a no-op struct) in all implementations for forward compatibility. (#8780)

Behavior Changes

• balancer/weightedtarget: Remove handling of Addresses and only handle Endpoints in resolver updates. (#8841)

New Features

• experimental/stats: Add support for asynchronous gauge metrics through the new AsyncMetricReporter and RegisterAsyncReporter APIs. (#8780)
• pickfirst: Add support for weighted random shuffling of endpoints, as described in gRFC A113.
  • This is enabled by default, and can be turned off using the environment variable GRPC_EXPERIMENTAL_PF_WEIGHTED_SHUFFLING. (#8864)
• xds: Implement :authority rewriting, as specified in gRFC A81. (#8779)
• balancer/randomsubsetting: Implement the random_subsetting LB policy, as specified in gRFC A68. (#8650)
  • Special Thanks: @​marek-szews

Bug Fixes

• credentials/tls: Fix a bug where the port was not stripped from the authority override before validation. (#8726)
  • Special Thanks: @​Atul1710
• xds/priority: Fix a bug causing delayed failover to lower-priority clusters when a higher-priority cluster is stuck in CONNECTING state. (#8813)
• health: Fix a bug where health checks failed for clients using legacy compression options (WithDecompressor or RPCDecompressor). (#8765)
  • Special Thanks: @​sanki92
• transport: Fix an issue where the HTTP/2 server could skip header size checks when terminating a stream early. (#8769)
  • Special Thanks: @​joybestourous
• server: Propagate status detail headers, if available, when terminating a stream during request header processing. (#8754)
  • Special Thanks: @​joybestourous

Performance Improvements

• credentials/alts: Optimize read buffer alignment to reduce copies. (#8791)
• mem: Optimize pooling and creation of buffer objects. (#8784)
• transport: Reduce slice re-allocations by reserving slice capacity. (#8797)

... (truncated)

Commits

• dda86db Change version to 1.79.3 (#8983)
• 72186f1 grpc: enforce strict path checking for incoming requests on the server (#8981)
• 97ca352 Changing version to 1.79.3-dev (#8954)
• 8902ab6 Change the version to release 1.79.2 (#8947)
• a928670 Cherry-pick #8874 to v1.79.x (#8904)
• 06df363 Change version to 1.79.2-dev (#8903)
• 782f2de Change version to 1.79.1 (#8902)
• 850eccb Change version to 1.79.1-dev (#8851)
• 765ff05 Change version to 1.79.0 (#8850)
• 68804be Cherry pick #8864 to v1.79.x (#8896)
• Additional commits viewable in compare view

Updates go.opentelemetry.io/otel/sdk from 1.42.0 to 1.43.0

Changelog

Sourced from go.opentelemetry.io/otel/sdk's changelog.

[1.43.0/0.65.0/0.19.0] 2026-04-02

Added

• Add IsRandom and WithRandom on TraceFlags, and IsRandom on SpanContext in go.opentelemetry.io/otel/trace for W3C Trace Context Level 2 Random Trace ID Flag support. (#8012)
• Add service detection with WithService in go.opentelemetry.io/otel/sdk/resource. (#7642)
• Add DefaultWithContext and EnvironmentWithContext in go.opentelemetry.io/otel/sdk/resource to support plumbing context.Context through default and environment detectors. (#8051)
• Support attributes with empty value (attribute.EMPTY) in go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc. (#8038)
• Support attributes with empty value (attribute.EMPTY) in go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc. (#8038)
• Support attributes with empty value (attribute.EMPTY) in go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploggrpc. (#8038)
• Support attributes with empty value (attribute.EMPTY) in go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp. (#8038)
• Support attributes with empty value (attribute.EMPTY) in go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp. (#8038)
• Support attributes with empty value (attribute.EMPTY) in go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploghttp. (#8038)
• Support attributes with empty value (attribute.EMPTY) in go.opentelemetry.io/otel/sdk/metric/metricdata/metricdatatest. (#8038)
• Add support for per-series start time tracking for cumulative metrics in go.opentelemetry.io/otel/sdk/metric. Set OTEL_GO_X_PER_SERIES_START_TIMESTAMPS=true to enable. (#8060)
• Add WithCardinalityLimitSelector for metric reader for configuring cardinality limits specific to the instrument kind. (#7855)

Changed

• Introduce the EMPTY Type in go.opentelemetry.io/otel/attribute to reflect that an empty value is now a valid value, with INVALID remaining as a deprecated alias of EMPTY. (#8038)
• Improve slice handling in go.opentelemetry.io/otel/attribute to optimize short slice values with fixed-size fast paths. (#8039)
• Improve performance of span metric recording in go.opentelemetry.io/otel/sdk/trace by returning early if self-observability is not enabled. (#8067)
• Improve formatting of metric data diffs in go.opentelemetry.io/otel/sdk/metric/metricdata/metricdatatest. (#8073)

Deprecated

• Deprecate INVALID in go.opentelemetry.io/otel/attribute. Use EMPTY instead. (#8038)

Fixed

• Return spec-compliant TraceIdRatioBased description. This is a breaking behavioral change, but it is necessary to make the implementation spec-compliant. (#8027)
• Fix a race condition in go.opentelemetry.io/otel/sdk/metric where the lastvalue aggregation could collect the value 0 even when no zero-value measurements were recorded. (#8056)
• Limit HTTP response body to 4 MiB in go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp to mitigate excessive memory usage caused by a misconfigured or malicious server. Responses exceeding the limit are treated as non-retryable errors. (#8108)
• Limit HTTP response body to 4 MiB in go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp to mitigate excessive memory usage caused by a misconfigured or malicious server. Responses exceeding the limit are treated as non-retryable errors. (#8108)
• Limit HTTP response body to 4 MiB in go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploghttp to mitigate excessive memory usage caused by a misconfigured or malicious server. Responses exceeding the limit are treated as non-retryable errors. (#8108)
• WithHostID detector in go.opentelemetry.io/otel/sdk/resource to use full path for kenv command on BSD. (#8113)
• Fix missing request.GetBody in go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploghttp to correctly handle HTTP2 GOAWAY frame. (#8096)

[1.42.0/0.64.0/0.18.0/0.0.16] 2026-03-06

Added

• Add go.opentelemetry.io/otel/semconv/v1.40.0 package. The package contains semantic conventions from the v1.40.0 version of the OpenTelemetry Semantic Conventions. See the migration documentation for information on how to upgrade from go.opentelemetry.io/otel/semconv/v1.39.0. (#7985)

... (truncated)

Commits

• 9276201 Release v1.43.0 / v0.65.0 / v0.19.0 (#8128)
• 61b8c94 chore(deps): update module github.com/mattn/go-runewidth to v0.0.22 (#8131)
• 97a086e chore(deps): update github.com/golangci/dupl digest to c99c5cf (#8122)
• 5e363de limit response body size for OTLP HTTP exporters (#8108)
• 35214b6 Use an absolute path when calling bsd kenv (#8113)
• 290024c fix(deps): update module google.golang.org/grpc to v1.80.0 (#8121)
• e70658e fix: support getBody in otelploghttp (#8096)
• 4afe468 fix(deps): update googleapis to 9d38bb4 (#8117)
• b9ca729 chore(deps): update module github.com/go-git/go-git/v5 to v5.17.2 (

[coderabbitai]

Walkthrough

Two test module files were updated with Go version 1.25.0 and refreshed dependency versions, including OpenTelemetry, gRPC, protobuf, cloud provider libraries, and infrastructure components across e2e and integration test suites.

Changes

Test Infrastructure Dependency Updates

Layer / File(s)	Summary
E2E test Go module version refresh tests/e2e/go.mod	Go toolchain bumped from 1.24.6 to 1.25.0; 60+ indirect and direct dependencies updated, including OpenTelemetry suite (1.37.0 → 1.43.0), gRPC, protobuf, Envoy, cloud compute metadata, and cryptography libraries. github.com/openshift/api changed from direct to indirect requirement.
Integration test Go module version refresh tests/integration/go.mod	60+ indirect dependencies updated including distribution, containerd, go-git, OpenTelemetry suite (1.42.0 → 1.43.0), gRPC (1.79.3 → 1.81.0), and system/crypto packages. All changes maintain existing direct/indirect requirement status.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

🚥 Pre-merge checks | ✅ 12

✅ Passed checks (12 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately describes the changeset: it updates Go module dependencies across 2 directories (tests/e2e and tests/integration) with multiple version bumps.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names	✅ Passed	PR only modifies Go module dependencies (go.mod/go.sum files). No test code or test names are changed. The check is not applicable since there are no Ginkgo test name modifications in this PR.
Test Structure And Quality	✅ Passed	This PR only updates Go module dependencies (go.mod/go.sum files). No Ginkgo test code was modified. The custom check for Ginkgo test quality is not applicable to this PR.
Microshift Test Compatibility	✅ Passed	This PR only updates Go module dependencies in tests/e2e/go.mod and tests/integration/go.mod. No new Ginkgo e2e tests were added, so the MicroShift Test Compatibility check is not applicable.
Single Node Openshift (Sno) Test Compatibility	✅ Passed	This PR only updates Go module dependencies in tests/e2e/go.mod and tests/integration/go.mod. No new Ginkgo e2e test code is added. The SNO compatibility check applies only when new tests are added.
Topology-Aware Scheduling Compatibility	✅ Passed	PR updates only Go module versions in test go.mod files. Custom check requires deployment manifest or operator code changes, which are absent.
Ote Binary Stdout Contract	✅ Passed	PR only updates Go module versions; no source code changes. OTE Binary Stdout Contract check applies to code modifications. Not applicable to dependency updates.
Ipv6 And Disconnected Network Test Compatibility	✅ Passed	This PR only updates Go module dependencies in tests/e2e/go.mod and tests/integration/go.mod. No new Ginkgo e2e tests are added, so IPv6/disconnected network compatibility check is not applicable.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch dependabot/go_modules/tests/e2e/go_modules-dbaa0a7a74

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: dependabot[bot]
Once this PR has been reviewed and has the lgtm label, please assign aguidirh for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[openshift-ci]

Hi @dependabot[bot]. Thanks for your PR.

I'm waiting for a openshift member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work.

Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@tests/e2e/go.mod`:
- Line 3: Align all Go module and Docker base image versions to 1.25: update the
root go.mod "go" directive to 1.25 (matching the tests/e2e change), and update
the Go version tags in the project Dockerfile and Dockerfile.tests-extension to
the 1.25 base images; also bump the go directives in v1/go.mod and
tests/integration/image-builders/release/go.mod to 1.25, run go mod tidy in each
module and rebuild the test images to ensure no version mismatches remain with
the CI golang-1.25 environment.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 3d173e49-8907-4506-a25b-029b7fd6f1e5

📥 Commits

Reviewing files that changed from the base of the PR and between 4db3221 and 2d5a8e7.

⛔ Files ignored due to path filters (2)

• tests/e2e/go.sum is excluded by !**/*.sum
• tests/integration/go.sum is excluded by !**/*.sum

📒 Files selected for processing (2)

• tests/e2e/go.mod
• tests/integration/go.mod

[coderabbitai]

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Read-only verification: find Go version pins/usages in repo config and docs.
set -euo pipefail

echo "== Files likely to pin Go versions =="
fd -HI '(^|/)(go\.mod|go\.work|\.tool-versions|\.go-version|Dockerfile|Dockerfile\..*|Makefile|README\.md|.*\.ya?ml)$'

echo
echo "== go.mod/go.work directives =="
rg -nP '^\s*go\s+[0-9]+\.[0-9]+(\.[0-9]+)?\s*$|^\s*toolchain\s+go[0-9]+\.[0-9]+(\.[0-9]+)?\s*$' --iglob 'go.mod' --iglob 'go.work'

echo
echo "== GitHub Actions setup-go pins =="
rg -nP 'setup-go|go-version|golang:' --iglob '*.yml' --iglob '*.yaml'

echo
echo "== Docker/Makefile/version strings referencing Go =="
rg -nP 'go1\.[0-9]+|golang:1\.[0-9]+|GO_VERSION|GOVERSION' --iglob 'Dockerfile*' --iglob 'Makefile' --iglob '*.mk' --iglob '*.yml' --iglob '*.yaml' --iglob '*.sh'

Repository: openshift/oc-mirror

Length of output: 22883

---

🏁 Script executed:

# Check GitHub Actions workflows
find .github/workflows -name '*.yml' -o -name '*.yaml' 2>/dev/null | head -20

Repository: openshift/oc-mirror

Length of output: 45

---

🏁 Script executed:

# Search for any go-version references in CI files
rg 'go-version|go_version|GOVERSION|GO_VERSION' --iglob '*.yml' --iglob '*.yaml' -A 2 -B 2

Repository: openshift/oc-mirror

Length of output: 45

---

🏁 Script executed:

# Check Dockerfiles for Go version pins
rg 'golang:|FROM.*go|GO_VERSION' --iglob 'Dockerfile*' -B 1 -A 1

Repository: openshift/oc-mirror

Length of output: 2165

---

🏁 Script executed:

# Check Makefile for Go-related targets
rg -n 'GO|go.*version' Makefile --iglob 'Makefile' --iglob '*.mk'

Repository: openshift/oc-mirror

Length of output: 2669

---

🏁 Script executed:

# List .github/workflows files
find .github/workflows -type f 2>/dev/null

Repository: openshift/oc-mirror

Length of output: 45

---

🏁 Script executed:

# Check if any workflow references tests/e2e or coordinates multi-module builds
rg 'tests/e2e|tests/integration|working-directory' .github/workflows/ -A 2 -B 2

Repository: openshift/oc-mirror

Length of output: 122

---

🏁 Script executed:

# Check .ci-operator.yaml to understand CI setup
cat -n .ci-operator.yaml | head -100

Repository: openshift/oc-mirror

Length of output: 197

---

🏁 Script executed:

# List all .yml/.yaml files in root to find CI config
fd -HI '\.(yml|yaml)$' . --maxdepth 1

Repository: openshift/oc-mirror

Length of output: 139

---

🏁 Script executed:

# Check if there's any CI documentation
find . -name 'CONTRIBUTING*' -o -name 'CI*' -o -name '*ci*' -type f -maxdepth 2 2>/dev/null | head -20

Repository: openshift/oc-mirror

Length of output: 121

---

Verify and align all Go module versions and Dockerfiles to 1.25 before merging.

CI's build root uses Go 1.25 (golang-1.25-openshift-4.22), but bumping tests/e2e to 1.25.0 while root go.mod remains at 1.24.3 creates version inconsistencies that will break builds. Additional mismatches found:

• Root go.mod: 1.24.3 (conflicts with CI)
• Root Dockerfile: 1.23.5 (severely outdated)
• Dockerfile.tests-extension: 1.24 (incompatible with 1.25 modules)
• v1/go.mod: 1.24.0
• tests/integration/image-builders/release/go.mod: 1.23.0

tests/e2e/go.mod upgrade to 1.25.0 is correct, but the root module and build tooling must also be updated to 1.25 to maintain consistency with the CI environment. Without this, tests importing root modules will fail due to version mismatches.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@tests/e2e/go.mod` at line 3, Align all Go module and Docker base image
versions to 1.25: update the root go.mod "go" directive to 1.25 (matching the
tests/e2e change), and update the Go version tags in the project Dockerfile and
Dockerfile.tests-extension to the 1.25 base images; also bump the go directives
in v1/go.mod and tests/integration/image-builders/release/go.mod to 1.25, run go
mod tidy in each module and rebuild the test images to ensure no version
mismatches remain with the CI golang-1.25 environment.

[aguidirh]

/ok-to-test

[openshift-ci]

@dependabot[bot]: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.