TRT-1989: schema migration for non gorm based tables

[neisw]

Adding schema management for test_analysis_by_job_by_dates which previously was unmanaged.

Summary by CodeRabbit

• New Features

  • Added CLI subcommands to view migration version/status, force-set a migration version, and roll back migrations
  • Introduced embedded, runtime-handled DB migrations and migration orchestration

• Tests

  • Added end-to-end migration tests covering up/down/force/version flows and connection resilience

• Chores

  • Bumped Go toolchain to 1.25 and upgraded dependencies
  • Removed automatic partitioned-table sync from the schema update path

[openshift-ci-robot]

@neisw: This pull request references TRT-1989 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "5.0.0" version, but no target version was set.

Details

In response to this:

Adding schema management for test_analysis_by_job_by_dates which previously was unmanaged.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[openshift-merge-bot]

Pipeline controller notification
This repo is configured to use the pipeline controller. Second-stage tests will be triggered either automatically or after lgtm label is added, depending on the repository configuration. The pipeline controller will automatically detect which contexts are required and will utilize /test Prow commands to trigger the second stage.

For optional jobs, comment /test ? to see a list of all defined jobs. To trigger manually all jobs from second stage use /pipeline required command.

This repository is configured in: automatic mode

[neisw]

/hold
for further review / testing

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: neisw

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS [neisw]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[coderabbitai]

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

• @coderabbitai resume to resume automatic reviews.
• @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

• ▶️ Resume reviews
• 🔍 Trigger review

Walkthrough

Adds an embedded SQL migrations set, a migration orchestrator package with runtime and CLI controls (run/version/force/down), runs migrations during DB initialization, removes runtime partitioned-table sync, updates go.mod, and adds E2E migration tests and test migrations.

Changes

Versioned Migration System

Layer / File(s)	Summary
Schema migration files pkg/db/migrations/000001_create_test_analysis_by_job_by_dates.up.sql, pkg/db/migrations/000001_create_test_analysis_by_job_by_dates.down.sql	Idempotent up/down SQL to create/drop test_analysis_by_job_by_dates and indexes.
Embedded migrations FS pkg/db/migrations/migrations.go	Embeds *.sql into an exported embed.FS (FS).
Migration orchestration & helpers pkg/db/migrate/migrate.go	New migrate layer using github.com/golang-migrate/migrate/v4: Logrus adapter, constructors from fs.FS, NewMigrateWithFS/newMigrate, RunMigrations/RunMigrationsWithFS, CurrentVersion/CurrentVersionWithFS, MigrateDown/MigrateDownWithFS, and ForceVersion; baselines legacy schema when detected and tolerates ErrNoChange/ErrNilVersion.
DB initialization wiring pkg/db/db.go	(*DB).UpdateSchema now calls sippymigrate.RunMigrations(d.DB) before model migrations and removes the syncPartitionedTables(d.DB) call.
Removed runtime partition sync pkg/db/partitionedtables.go (deleted)	Removes runtime partitioned-table sync implementation and the exported PostgresPartitionedTables registry.
CLI subcommands cmd/sippy/migrate.go	Adds migrate version, migrate force VERSION, and migrate down [STEPS] subcommands that bind Postgres flags and invoke the new migration helpers; print human-readable outcomes.
E2E tests + test migrations test/e2e/db/migrate/migrate_test.go, test/e2e/db/migrate/testmigrations/*	E2E tests validate Run/Version/Force/Down flows, ensure migrations do not close the shared DB connection, and exercise FS-based migrations; includes test SQL and embedded FS for tests.
Dependency/tooling updates go.mod	Bumps Go toolchain to 1.25 and updates multiple direct and indirect dependencies (including github.com/golang-migrate/migrate/v4).

Sequence Diagram

sequenceDiagram
    actor Operator as Operator
    participant CLI as CLI (cmd/sippy/migrate.go)
    participant App as App (pkg/db/db.go)
    participant Orchestrator as Migrate (pkg/db/migrate)
    participant FS as Embedded SQL (pkg/db/migrations.FS)
    participant PG as PostgreSQL

    rect rgba(173, 216, 230, 0.5)
    Note over Operator,PG: Startup migration flow
    Operator->>App: start / UpdateSchema()
    App->>Orchestrator: RunMigrations(db)
    Orchestrator->>PG: Inspect schema_migrations
    alt legacy schema detected
        Orchestrator->>PG: Stamp baseline version
    end
    Orchestrator->>FS: Load embedded SQL files
    Orchestrator->>PG: Execute Up() migrations
    Orchestrator-->>App: return success/failure
    App-->>Operator: startup complete
    end

    rect rgba(144, 238, 144, 0.5)
    Note over Operator,PG: CLI inspection
    Operator->>CLI: sippy migrate version
    CLI->>Orchestrator: CurrentVersion(db)
    Orchestrator->>PG: Query schema_migrations
    Orchestrator-->>CLI: version: <n>, dirty: <bool>
    CLI-->>Operator: print result
    end

    rect rgba(255, 192, 203, 0.5)
    Note over Operator,PG: CLI force/down
    Operator->>CLI: sippy migrate force 1
    CLI->>Orchestrator: ForceVersion(db,1)
    Orchestrator->>PG: Update schema_migrations entry
    Orchestrator-->>CLI: forced migration version to 1
    Operator->>CLI: sippy migrate down 2
    CLI->>Orchestrator: MigrateDown(db,2)
    Orchestrator->>PG: Steps(-2)
    Orchestrator-->>CLI: rolled back 2 migration(s)
    end

Loading

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~55 minutes

🚥 Pre-merge checks | ✅ 14 | ❌ 3

❌ Failed checks (3 warnings)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 69.23% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.
Go Error Handling	⚠️ Warning	Ignores cleanup errors in 6 defer statements and missing validation for non-positive step counts in MigrateDownWithFS, allowing negative values to invert migration direction.	Add steps <= 0 validation in MigrateDownWithFS. Handle or document cleanup error ignoring in defer statements with explanatory comments per best practices.
Test Coverage For New Features	⚠️ Warning	8 exported functions in pkg/db/migrate/migrate.go lack unit tests. While E2E tests exist, pure functions need dedicated tests. Input validation missing in MigrateDownWithFS for steps <= 0.	Add unit tests for migrate.go functions. Add validation rejecting steps <= 0 in MigrateDownWithFS/Down. Add CLI command tests in cmd/sippy/migrate.go.

✅ Passed checks (14 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title clearly describes the main change: introducing schema migration management for the non-GORM-based test_analysis_by_job_by_dates table.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Sql Injection Prevention	✅ Passed	No SQL injection vulnerabilities. User inputs are validated via strconv.Atoi() and passed to golang-migrate library APIs. Parameterized queries used where appropriate.
Excessive Css In React Should Use Styles	✅ Passed	Backend database migration refactor with Go, SQL, and embedding files only. No React components, JSX, or CSS. The custom check for React inline CSS does not apply.
Single Responsibility And Clear Naming	✅ Passed	Packages are focused, functions use action-oriented names (no Manager/Handler), signatures are reasonable, WithFS pattern is standard Go idiom.
Stable And Deterministic Test Names	✅ Passed	Custom check for Ginkgo test names is not applicable. PR adds only standard Go tests (using testing.T) with static, deterministic names. No Ginkgo framework or dynamic test names found.
Test Structure And Quality	✅ Passed	Custom check requires Ginkgo test patterns. Repository uses standard Go testing (testing.T) with testify, not Ginkgo. Not applicable.
Microshift Test Compatibility	✅ Passed	The PR adds only a standard Go testing-based database migration test, not a Ginkgo e2e test. The custom check is specifically for Ginkgo tests and is not applicable.
Single Node Openshift (Sno) Test Compatibility	✅ Passed	No Ginkgo e2e tests were added in this PR. The new test uses standard Go testing (testing.T), not Ginkgo. The custom check does not apply.
Topology-Aware Scheduling Compatibility	✅ Passed	This PR modifies only database migration infrastructure and CLI code. No Kubernetes manifests, operator code, controllers, or scheduling constraints are added or modified.
Ote Binary Stdout Contract	✅ Passed	OTE stdout contract check not applicable. Sippy is a Prow data analysis tool, not an OTE binary. No openshift-tests integration or JSON stdout contract exists.
Ipv6 And Disconnected Network Test Compatibility	✅ Passed	New e2e test is standard Go testing (testing.T), not Ginkgo. Custom check applies only to Ginkgo tests. No IPv4 assumptions or external connectivity found.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

Tip

💬 Introducing Slack Agent: The best way for teams to turn conversations into code.

Slack Agent is built on CodeRabbit's deep understanding of your code, so your team can collaborate across the entire SDLC without losing context.

• Generate code and open pull requests
• Plan features and break down work
• Investigate incidents and troubleshoot customer tickets together
• Automate recurring tasks and respond to alerts with triggers
• Summarize progress and report instantly

Built for teams:

• Shared memory across your entire org—no repeating context
• Per-thread sandboxes to safely plan and execute work
• Governance built-in—scoped access, auditability, and budget controls

One agent for your entire SDLC. Right inside Slack.

👉 Get started

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (2)

cmd/sippy/migrate.go (1)

63-67: 💤 Low value

Consider validating version is non-negative.

The force command accepts any integer, including negative values. While golang-migrate may reject invalid versions internally, providing upfront validation with a clear error message improves user experience.

♻️ Suggested validation

 			version, err := strconv.Atoi(args[0])
 			if err != nil {
 				return errors.WithMessage(err, "invalid version number")
 			}
+			if version < -1 {
+				return errors.New("version must be -1 or greater (-1 resets to no migrations)")
+			}

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@cmd/sippy/migrate.go` around lines 63 - 67, The RunE handler that parses the
target migration version (using strconv.Atoi on args[0] in the RunE function for
the force command) should validate the parsed integer is non-negative; after
converting version, check if version < 0 and return an error (e.g.,
errors.WithMessagef or errors.New) with a clear message like "invalid version:
must be non-negative" so negative values are rejected before calling
golang-migrate.

pkg/db/migrate/migrate.go (1)

104-106: 💤 Low value

Ignored errors from m.Close() in deferred calls.

The Close() method returns two errors (sourceErr, dbErr) that are discarded in the deferred calls. While this is common for cleanup, in Lines 90-96 you explicitly check these errors but here they're ignored. For consistency and to avoid masking issues, consider logging any close errors.

♻️ Suggested improvement to log close errors

 	defer func() {
-		m.Close()
+		srcErr, dbErr := m.Close()
+		if srcErr != nil {
+			log.WithError(srcErr).Warn("failed to close migration source")
+		}
+		if dbErr != nil {
+			log.WithError(dbErr).Warn("failed to close migration db driver")
+		}
 	}()

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@pkg/db/migrate/migrate.go` around lines 104 - 106, The deferred cleanup
currently discards errors from m.Close(); change the defer to call sourceErr,
dbErr := m.Close() and log any non-nil errors instead of ignoring them (e.g. if
sourceErr != nil || dbErr != nil { log.Printf("m.Close errors: sourceErr=%v
dbErr=%v", sourceErr, dbErr) }), keeping the same deferred anonymous func and
referencing the m.Close() call.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@cmd/sippy/migrate.go`:
- Around line 48-51: sippymigrate.CurrentVersion can return
migrate.ErrNilVersion for databases with no migrations; update the error
handling after calling sippymigrate.CurrentVersion(dbc.DB) to detect this case
(using errors.Is(err, migrate.ErrNilVersion) or direct comparison) and handle it
by returning or printing a clear "no migrations applied yet" message (or
treating version as zero/empty) instead of returning the error; change the
branch where you currently return errors.WithMessage(err, "could not get
migration version") to specially handle migrate.ErrNilVersion and only
wrap/return other errors.

---

Nitpick comments:
In `@cmd/sippy/migrate.go`:
- Around line 63-67: The RunE handler that parses the target migration version
(using strconv.Atoi on args[0] in the RunE function for the force command)
should validate the parsed integer is non-negative; after converting version,
check if version < 0 and return an error (e.g., errors.WithMessagef or
errors.New) with a clear message like "invalid version: must be non-negative" so
negative values are rejected before calling golang-migrate.

In `@pkg/db/migrate/migrate.go`:
- Around line 104-106: The deferred cleanup currently discards errors from
m.Close(); change the defer to call sourceErr, dbErr := m.Close() and log any
non-nil errors instead of ignoring them (e.g. if sourceErr != nil || dbErr !=
nil { log.Printf("m.Close errors: sourceErr=%v dbErr=%v", sourceErr, dbErr) }),
keeping the same deferred anonymous func and referencing the m.Close() call.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 898f5524-2be7-4ba1-8b70-aa2f14f331be

📥 Commits

Reviewing files that changed from the base of the PR and between d088bde and 58f9538.

⛔ Files ignored due to path filters (292)

• go.sum is excluded by !**/*.sum, !go.sum
• vendor/cel.dev/expr/.bazelversion is excluded by !vendor/**, !**/vendor/**
• vendor/cel.dev/expr/.gitattributes is excluded by !vendor/**, !**/vendor/**
• vendor/cel.dev/expr/.gitignore is excluded by !vendor/**, !**/vendor/**
• vendor/cel.dev/expr/BUILD.bazel is excluded by !vendor/**, !**/vendor/**
• vendor/cel.dev/expr/CODE_OF_CONDUCT.md is excluded by !vendor/**, !**/vendor/**
• vendor/cel.dev/expr/CONTRIBUTING.md is excluded by !vendor/**, !**/vendor/**
• vendor/cel.dev/expr/GOVERNANCE.md is excluded by !vendor/**, !**/vendor/**
• vendor/cel.dev/expr/LICENSE is excluded by !vendor/**, !**/vendor/**
• vendor/cel.dev/expr/MAINTAINERS.md is excluded by !vendor/**, !**/vendor/**
• vendor/cel.dev/expr/MODULE.bazel is excluded by !vendor/**, !**/vendor/**
• vendor/cel.dev/expr/README.md is excluded by !vendor/**, !**/vendor/**
• vendor/cel.dev/expr/WORKSPACE is excluded by !vendor/**, !**/vendor/**
• vendor/cel.dev/expr/WORKSPACE.bzlmod is excluded by !vendor/**, !**/vendor/**
• vendor/cel.dev/expr/checked.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
• vendor/cel.dev/expr/cloudbuild.yaml is excluded by !vendor/**, !**/vendor/**
• vendor/cel.dev/expr/eval.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
• vendor/cel.dev/expr/explain.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
• vendor/cel.dev/expr/regen_go_proto.sh is excluded by !vendor/**, !**/vendor/**
• vendor/cel.dev/expr/regen_go_proto_canonical_protos.sh is excluded by !vendor/**, !**/vendor/**
• vendor/cel.dev/expr/syntax.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
• vendor/cel.dev/expr/value.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/auth/CHANGES.md is excluded by !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/auth/README.md is excluded by !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/auth/auth.go is excluded by !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/auth/credentials/compute.go is excluded by !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/auth/credentials/detect.go is excluded by !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/auth/credentials/filetypes.go is excluded by !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/auth/credentials/internal/externalaccount/aws_provider.go is excluded by !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/auth/credentials/internal/externalaccount/externalaccount.go is excluded by !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/auth/credentials/internal/externalaccount/url_provider.go is excluded by !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/auth/credentials/internal/externalaccount/x509_provider.go is excluded by !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/auth/credentials/internal/externalaccountuser/externalaccountuser.go is excluded by !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/auth/credentials/internal/gdch/gdch.go is excluded by !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/auth/credentials/internal/impersonate/idtoken.go is excluded by !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/auth/credentials/internal/impersonate/impersonate.go is excluded by !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/auth/credentials/internal/stsexchange/sts_exchange.go is excluded by !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/auth/credentials/selfsignedjwt.go is excluded by !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/auth/grpctransport/directpath.go is excluded by !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/auth/grpctransport/grpctransport.go is excluded by !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/auth/httptransport/httptransport.go is excluded by !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/auth/httptransport/trace.go is excluded by !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/auth/httptransport/transport.go is excluded by !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/auth/internal/compute/compute.go is excluded by !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/auth/internal/compute/manufacturer.go is excluded by !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/auth/internal/compute/manufacturer_linux.go is excluded by !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/auth/internal/compute/manufacturer_windows.go is excluded by !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/auth/internal/credsfile/filetype.go is excluded by !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/auth/internal/internal.go is excluded by !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/auth/internal/jwt/jwt.go is excluded by !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/auth/internal/transport/cba.go is excluded by !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/auth/internal/transport/cert/enterprise_cert.go is excluded by !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/auth/internal/transport/cert/secureconnect_cert.go is excluded by !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/auth/internal/transport/cert/workload_cert.go is excluded by !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/auth/internal/transport/s2a.go is excluded by !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/auth/internal/transport/transport.go is excluded by !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/auth/oauth2adapt/CHANGES.md is excluded by !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/auth/oauth2adapt/oauth2adapt.go is excluded by !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/auth/threelegged.go is excluded by !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/bigquery/CHANGES.md is excluded by !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/bigquery/arrow.go is excluded by !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/bigquery/bigquery.go is excluded by !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/bigquery/copy.go is excluded by !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/bigquery/dataset.go is excluded by !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/bigquery/doc.go is excluded by !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/bigquery/external.go is excluded by !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/bigquery/extract.go is excluded by !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/bigquery/inserter.go is excluded by !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/bigquery/internal/version.go is excluded by !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/bigquery/iterator.go is excluded by !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/bigquery/job.go is excluded by !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/bigquery/load.go is excluded by !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/bigquery/model.go is excluded by !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/bigquery/options.go is excluded by !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/bigquery/params.go is excluded by !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/bigquery/query.go is excluded by !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/bigquery/routine.go is excluded by !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/bigquery/storage/apiv1/auxiliary.go is excluded by !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/bigquery/storage/apiv1/auxiliary_go123.go is excluded by !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/bigquery/storage/apiv1/big_query_read_client.go is excluded by !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/bigquery/storage/apiv1/big_query_write_client.go is excluded by !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/bigquery/storage/apiv1/doc.go is excluded by !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/bigquery/storage/apiv1/helpers.go is excluded by !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/bigquery/storage/apiv1/storagepb/annotations.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/bigquery/storage/apiv1/storagepb/arrow.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/bigquery/storage/apiv1/storagepb/avro.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/bigquery/storage/apiv1/storagepb/protobuf.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/bigquery/storage/apiv1/storagepb/storage.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/bigquery/storage/apiv1/storagepb/stream.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/bigquery/storage/apiv1/storagepb/table.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/bigquery/storage_client.go is excluded by !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/bigquery/storage_iterator.go is excluded by !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/bigquery/table.go is excluded by !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/bigquery/value.go is excluded by !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/civil/civil.go is excluded by !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/compute/metadata/CHANGES.md is excluded by !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/compute/metadata/log.go is excluded by !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/compute/metadata/metadata.go is excluded by !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/compute/metadata/retry_linux.go is excluded by !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/compute/metadata/syscheck.go is excluded by !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/compute/metadata/syscheck_linux.go is excluded by !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/compute/metadata/syscheck_windows.go is excluded by !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/iam/CHANGES.md is excluded by !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/iam/apiv1/iampb/iam_policy.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/iam/apiv1/iampb/options.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/iam/apiv1/iampb/policy.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/iam/apiv1/iampb/resource_policy_member.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/internal/.repo-metadata-full.json is excluded by !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/internal/detect/detect.go is excluded by !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/internal/trace/trace.go is excluded by !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/internal/uid/uid.go is excluded by !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/monitoring/LICENSE is excluded by !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/monitoring/apiv3/v2/alert_policy_client.go is excluded by !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/monitoring/apiv3/v2/auxiliary.go is excluded by !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/monitoring/apiv3/v2/auxiliary_go123.go is excluded by !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/monitoring/apiv3/v2/doc.go is excluded by !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/monitoring/apiv3/v2/gapic_metadata.json is excluded by !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/monitoring/apiv3/v2/group_client.go is excluded by !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/monitoring/apiv3/v2/helpers.go is excluded by !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/monitoring/apiv3/v2/metric_client.go is excluded by !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/monitoring/apiv3/v2/monitoringpb/alert.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/monitoring/apiv3/v2/monitoringpb/alert_service.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/monitoring/apiv3/v2/monitoringpb/common.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/monitoring/apiv3/v2/monitoringpb/dropped_labels.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/monitoring/apiv3/v2/monitoringpb/group.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/monitoring/apiv3/v2/monitoringpb/group_service.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/monitoring/apiv3/v2/monitoringpb/metric.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/monitoring/apiv3/v2/monitoringpb/metric_service.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/monitoring/apiv3/v2/monitoringpb/mutation_record.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/monitoring/apiv3/v2/monitoringpb/notification.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/monitoring/apiv3/v2/monitoringpb/notification_service.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/monitoring/apiv3/v2/monitoringpb/query_service.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/monitoring/apiv3/v2/monitoringpb/service.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/monitoring/apiv3/v2/monitoringpb/service_service.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/monitoring/apiv3/v2/monitoringpb/snooze.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/monitoring/apiv3/v2/monitoringpb/snooze_service.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/monitoring/apiv3/v2/monitoringpb/span_context.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/monitoring/apiv3/v2/monitoringpb/uptime.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/monitoring/apiv3/v2/monitoringpb/uptime_service.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/monitoring/apiv3/v2/notification_channel_client.go is excluded by !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/monitoring/apiv3/v2/query_client.go is excluded by !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/monitoring/apiv3/v2/service_monitoring_client.go is excluded by !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/monitoring/apiv3/v2/snooze_client.go is excluded by !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/monitoring/apiv3/v2/uptime_check_client.go is excluded by !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/monitoring/apiv3/v2/version.go is excluded by !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/monitoring/internal/version.go is excluded by !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/storage/CHANGES.md is excluded by !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/storage/TESTING.md is excluded by !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/storage/acl.go is excluded by !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/storage/bucket.go is excluded by !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/storage/client.go is excluded by !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/storage/doc.go is excluded by !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/storage/dynamic_delay.go is excluded by !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/storage/emulator_test.sh is excluded by !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/storage/experimental/experimental.go is excluded by !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/storage/grpc_client.go is excluded by !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/storage/grpc_dp.go is excluded by !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/storage/grpc_metrics.go is excluded by !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/storage/grpc_reader.go is excluded by !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/storage/grpc_reader_multi_range.go is excluded by !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/storage/grpc_writer.go is excluded by !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/storage/hmac.go is excluded by !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/storage/http_client.go is excluded by !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/storage/iam.go is excluded by !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/storage/internal/apiv2/auxiliary.go is excluded by !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/storage/internal/apiv2/auxiliary_go123.go is excluded by !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/storage/internal/apiv2/doc.go is excluded by !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/storage/internal/apiv2/gapic_metadata.json is excluded by !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/storage/internal/apiv2/helpers.go is excluded by !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/storage/internal/apiv2/storage_client.go is excluded by !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/storage/internal/apiv2/storagepb/storage.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/storage/internal/experimental.go is excluded by !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/storage/internal/version.go is excluded by !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/storage/invoke.go is excluded by !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/storage/notifications.go is excluded by !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/storage/option.go is excluded by !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/storage/reader.go is excluded by !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/storage/storage.go is excluded by !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/storage/trace.go is excluded by !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/storage/writer.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/GoogleCloudPlatform/opentelemetry-operations-go/detectors/gcp/LICENSE is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/GoogleCloudPlatform/opentelemetry-operations-go/detectors/gcp/README.md is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/GoogleCloudPlatform/opentelemetry-operations-go/detectors/gcp/app_engine.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/GoogleCloudPlatform/opentelemetry-operations-go/detectors/gcp/bms.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/GoogleCloudPlatform/opentelemetry-operations-go/detectors/gcp/detector.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/GoogleCloudPlatform/opentelemetry-operations-go/detectors/gcp/faas.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/GoogleCloudPlatform/opentelemetry-operations-go/detectors/gcp/gce.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/GoogleCloudPlatform/opentelemetry-operations-go/detectors/gcp/gke.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/GoogleCloudPlatform/opentelemetry-operations-go/exporter/metric/LICENSE is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/GoogleCloudPlatform/opentelemetry-operations-go/exporter/metric/README.md is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/GoogleCloudPlatform/opentelemetry-operations-go/exporter/metric/cloudmonitoring.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/GoogleCloudPlatform/opentelemetry-operations-go/exporter/metric/constants.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/GoogleCloudPlatform/opentelemetry-operations-go/exporter/metric/error.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/GoogleCloudPlatform/opentelemetry-operations-go/exporter/metric/metric.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/GoogleCloudPlatform/opentelemetry-operations-go/exporter/metric/option.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/GoogleCloudPlatform/opentelemetry-operations-go/exporter/metric/version.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/GoogleCloudPlatform/opentelemetry-operations-go/internal/resourcemapping/LICENSE is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/GoogleCloudPlatform/opentelemetry-operations-go/internal/resourcemapping/resourcemapping.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/cncf/xds/go/LICENSE is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/cncf/xds/go/udpa/annotations/migrate.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
• vendor/github.com/cncf/xds/go/udpa/annotations/migrate.pb.validate.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/cncf/xds/go/udpa/annotations/security.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
• vendor/github.com/cncf/xds/go/udpa/annotations/security.pb.validate.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/cncf/xds/go/udpa/annotations/sensitive.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
• vendor/github.com/cncf/xds/go/udpa/annotations/sensitive.pb.validate.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/cncf/xds/go/udpa/annotations/status.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
• vendor/github.com/cncf/xds/go/udpa/annotations/status.pb.validate.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/cncf/xds/go/udpa/annotations/versioning.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
• vendor/github.com/cncf/xds/go/udpa/annotations/versioning.pb.validate.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/cncf/xds/go/udpa/type/v1/typed_struct.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
• vendor/github.com/cncf/xds/go/udpa/type/v1/typed_struct.pb.validate.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/cncf/xds/go/xds/annotations/v3/migrate.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
• vendor/github.com/cncf/xds/go/xds/annotations/v3/migrate.pb.validate.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/cncf/xds/go/xds/annotations/v3/security.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
• vendor/github.com/cncf/xds/go/xds/annotations/v3/security.pb.validate.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/cncf/xds/go/xds/annotations/v3/sensitive.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
• vendor/github.com/cncf/xds/go/xds/annotations/v3/sensitive.pb.validate.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/cncf/xds/go/xds/annotations/v3/status.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
• vendor/github.com/cncf/xds/go/xds/annotations/v3/status.pb.validate.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/cncf/xds/go/xds/annotations/v3/versioning.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
• vendor/github.com/cncf/xds/go/xds/annotations/v3/versioning.pb.validate.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/cncf/xds/go/xds/core/v3/authority.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
• vendor/github.com/cncf/xds/go/xds/core/v3/authority.pb.validate.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/cncf/xds/go/xds/core/v3/cidr.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
• vendor/github.com/cncf/xds/go/xds/core/v3/cidr.pb.validate.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/cncf/xds/go/xds/core/v3/collection_entry.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
• vendor/github.com/cncf/xds/go/xds/core/v3/collection_entry.pb.validate.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/cncf/xds/go/xds/core/v3/context_params.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
• vendor/github.com/cncf/xds/go/xds/core/v3/context_params.pb.validate.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/cncf/xds/go/xds/core/v3/extension.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
• vendor/github.com/cncf/xds/go/xds/core/v3/extension.pb.validate.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/cncf/xds/go/xds/core/v3/resource.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
• vendor/github.com/cncf/xds/go/xds/core/v3/resource.pb.validate.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/cncf/xds/go/xds/core/v3/resource_locator.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
• vendor/github.com/cncf/xds/go/xds/core/v3/resource_locator.pb.validate.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/cncf/xds/go/xds/core/v3/resource_name.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
• vendor/github.com/cncf/xds/go/xds/core/v3/resource_name.pb.validate.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/cncf/xds/go/xds/data/orca/v3/orca_load_report.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
• vendor/github.com/cncf/xds/go/xds/data/orca/v3/orca_load_report.pb.validate.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/cncf/xds/go/xds/service/orca/v3/orca.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
• vendor/github.com/cncf/xds/go/xds/service/orca/v3/orca.pb.validate.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/cncf/xds/go/xds/service/orca/v3/orca_grpc.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
• vendor/github.com/cncf/xds/go/xds/type/matcher/v3/cel.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
• vendor/github.com/cncf/xds/go/xds/type/matcher/v3/cel.pb.validate.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/cncf/xds/go/xds/type/matcher/v3/domain.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
• vendor/github.com/cncf/xds/go/xds/type/matcher/v3/domain.pb.validate.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/cncf/xds/go/xds/type/matcher/v3/http_inputs.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
• vendor/github.com/cncf/xds/go/xds/type/matcher/v3/http_inputs.pb.validate.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/cncf/xds/go/xds/type/matcher/v3/ip.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
• vendor/github.com/cncf/xds/go/xds/type/matcher/v3/ip.pb.validate.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/cncf/xds/go/xds/type/matcher/v3/matcher.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
• vendor/github.com/cncf/xds/go/xds/type/matcher/v3/matcher.pb.validate.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/cncf/xds/go/xds/type/matcher/v3/range.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
• vendor/github.com/cncf/xds/go/xds/type/matcher/v3/range.pb.validate.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/cncf/xds/go/xds/type/matcher/v3/regex.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
• vendor/github.com/cncf/xds/go/xds/type/matcher/v3/regex.pb.validate.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/cncf/xds/go/xds/type/matcher/v3/string.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
• vendor/github.com/cncf/xds/go/xds/type/matcher/v3/string.pb.validate.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/cncf/xds/go/xds/type/v3/cel.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
• vendor/github.com/cncf/xds/go/xds/type/v3/cel.pb.validate.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/cncf/xds/go/xds/type/v3/range.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
• vendor/github.com/cncf/xds/go/xds/type/v3/range.pb.validate.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/cncf/xds/go/xds/type/v3/typed_struct.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
• vendor/github.com/cncf/xds/go/xds/type/v3/typed_struct.pb.validate.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/envoyproxy/go-control-plane/envoy/LICENSE is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/envoyproxy/go-control-plane/envoy/admin/v3/certs.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
• vendor/github.com/envoyproxy/go-control-plane/envoy/admin/v3/certs.pb.validate.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/envoyproxy/go-control-plane/envoy/admin/v3/certs_vtproto.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
• vendor/github.com/envoyproxy/go-control-plane/envoy/admin/v3/clusters.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
• vendor/github.com/envoyproxy/go-control-plane/envoy/admin/v3/clusters.pb.validate.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/envoyproxy/go-control-plane/envoy/admin/v3/clusters_vtproto.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
• vendor/github.com/envoyproxy/go-control-plane/envoy/admin/v3/config_dump.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
• vendor/github.com/envoyproxy/go-control-plane/envoy/admin/v3/config_dump.pb.validate.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/envoyproxy/go-control-plane/envoy/admin/v3/config_dump_shared.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
• vendor/github.com/envoyproxy/go-control-plane/envoy/admin/v3/config_dump_shared.pb.validate.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/envoyproxy/go-control-plane/envoy/admin/v3/config_dump_shared_vtproto.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
• vendor/github.com/envoyproxy/go-control-plane/envoy/admin/v3/config_dump_vtproto.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
• vendor/github.com/envoyproxy/go-control-plane/envoy/admin/v3/init_dump.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
• vendor/github.com/envoyproxy/go-control-plane/envoy/admin/v3/init_dump.pb.validate.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/envoyproxy/go-control-plane/envoy/admin/v3/init_dump_vtproto.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
• vendor/github.com/envoyproxy/go-control-plane/envoy/admin/v3/listeners.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
• vendor/github.com/envoyproxy/go-control-plane/envoy/admin/v3/listeners.pb.validate.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/envoyproxy/go-control-plane/envoy/admin/v3/listeners_vtproto.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
• vendor/github.com/envoyproxy/go-control-plane/envoy/admin/v3/memory.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
• vendor/github.com/envoyproxy/go-control-plane/envoy/admin/v3/memory.pb.validate.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/envoyproxy/go-control-plane/envoy/admin/v3/memory_vtproto.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
• vendor/github.com/envoyproxy/go-control-plane/envoy/admin/v3/metrics.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
• vendor/github.com/envoyproxy/go-control-plane/envoy/admin/v3/metrics.pb.validate.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/envoyproxy/go-control-plane/envoy/admin/v3/metrics_vtproto.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
• vendor/github.com/envoyproxy/go-control-plane/envoy/admin/v3/mutex_stats.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
• vendor/github.com/envoyproxy/go-control-plane/envoy/admin/v3/mutex_stats.pb.validate.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/envoyproxy/go-control-plane/envoy/admin/v3/mutex_stats_vtproto.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**

📒 Files selected for processing (8)

• cmd/sippy/migrate.go
• go.mod
• pkg/db/db.go
• pkg/db/migrate/migrate.go
• pkg/db/migrations/000001_create_test_analysis_by_job_by_dates.down.sql
• pkg/db/migrations/000001_create_test_analysis_by_job_by_dates.up.sql
• pkg/db/migrations/migrations.go
• pkg/db/partitionedtables.go

💤 Files with no reviewable changes (1)

• pkg/db/partitionedtables.go

[coderabbitai]

Actionable comments posted: 6

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@go.mod`:
- Line 157: Update the indirect dependency line for google.golang.org/grpc to
v1.79.3 or later to resolve the GHSA-p77j-4mvh-x3m3 authorization bypass; run
`go get google.golang.org/grpc@v1.79.3` (or newer) and then `go mod tidy` to
update go.mod/go.sum, and verify the module entry for google.golang.org/grpc now
shows v1.79.3+ (or later) so the vulnerable v1.74.2 is removed.
- Line 141: The go.mod entry for the OpenTelemetry SDK pins a vulnerable version
(go.opentelemetry.io/otel/sdk v1.36.0); update that module to v1.43.0 or later
(e.g., replace with go.opentelemetry.io/otel/sdk v1.43.0), then run go get/go
mod tidy to refresh go.sum and ensure all transitive dependencies are updated;
afterwards run your test/build pipeline to confirm nothing breaks.
- Line 14: Update the migrate dependency from
github.com/golang-migrate/migrate/v4 v4.19.1 to v4.19.2 in go.mod and refresh
modules; change the version string for the module
github.com/golang-migrate/migrate/v4 to v4.19.2 and then run the Go tooling
(e.g., go get github.com/golang-migrate/migrate/v4@v4.19.2 and go mod tidy or go
mod download) to update go.sum and ensure the new version is resolved.
- Line 13: The go-git dependency is pinned at a vulnerable version
(github.com/go-git/go-git/v5 v5.12.0); update the module declaration for
github.com/go-git/go-git/v5 to v5.19.0 and then run the module update (eg. go
get github.com/go-git/go-git/v5@v5.19.0 and go mod tidy) to refresh go.sum and
ensure transitive deps are resolved; after updating, run the test suite and a
build to confirm no API breakages and adjust any call sites if needed.
- Line 102: The project depends on a vulnerable module
github.com/jackc/pgproto3/v2 (v2.3.3) declared in go.mod; update the dependency
to a patched version as soon as one is released (replace the version string in
the go.mod require directive for github.com/jackc/pgproto3/v2) or, until a patch
exists, mitigate by replacing direct usage with a safer alternative (e.g., use a
vetted fork or add connection-level timeouts/retries in PostgreSQL client code
such as where pgx/pgproto3 is constructed) and add a comment and TODO in go.mod
to monitor upstream for a fixed release.
- Line 11: Update the three vulnerable module versions in go.mod: bump
github.com/apache/thrift from v0.17.0 to v0.23.0 or later,
github.com/go-jose/go-jose/v4 from v4.0.5 to v4.1.4 or later, and
go.opentelemetry.io/otel from v1.37.0 to v1.41.0 or later; after updating the
module versions in go.mod (referencing the module names
github.com/apache/thrift, github.com/go-jose/go-jose/v4, and
go.opentelemetry.io/otel), run module resolution (go get / go mod tidy) to
update go.sum and verify builds/tests pass.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 7876ac64-38e0-46c1-88c5-19603daec50b

📥 Commits

Reviewing files that changed from the base of the PR and between 58f9538 and 5ea838b.

📒 Files selected for processing (2)

• go.mod
• pkg/db/migrate/migrate.go

🚧 Files skipped from review as they are similar to previous changes (1)

• pkg/db/migrate/migrate.go

[coderabbitai]

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🌐 Web query:

What is the latest version of github.com/golang-migrate/migrate/v4 and are there any security vulnerabilities in v4.19.1?

💡 Result:

Latest version of github.com/golang-migrate/migrate/v4 (as of 2026-05-11): v4.19.2 (published 2026-03-11) [1]. Are there any security vulnerabilities in v4.19.1? Yes—at least one public security report indicates the v4.19.1 Docker image has multiple HIGH/CRITICAL vulnerabilities reported by Trivy, which were attributed to the Go standard library and other bundled components, not to a specific flaw in migrate’s migration logic itself [2]. Additionally, a v4.19.1-related report (Trivy scan) lists multiple CVEs affecting the image’s dependency set (again largely tied to the Go toolchain/stdlib and other components) [3]. What’s the official stance from the project? The project’s security page states there are currently no published security advisories, and it provides guidance for reporting vulnerabilities via GitHub security advisories [4]. So, while there is no project-published security advisory specific to v4.19.1, third-party scanning discussions/issues report multiple vulnerabilities present in the v4.19.1 build artifacts/images [2][3].

Citations:

• 1: https://pkg.go.dev/github.com/golang-migrate/migrate/v4
• 2: Security Issue: Docker image v4.19.1 has 2 CRITICAL and 6 HIGH vulnerabilities golang-migrate/migrate#1381
• 3: Multiple CVEs reported by Trivy scan tool for latest version 4.19.1 golang-migrate/migrate#1332
• 4: https://github.com/golang-migrate/migrate/security

---

Upgrade golang-migrate to v4.19.2.

v4.19.1 is outdated; v4.19.2 is the current stable release (published March 2026). Additionally, v4.19.1 has reported HIGH/CRITICAL vulnerabilities in its build artifacts according to third-party scanning tools, primarily affecting bundled dependencies. Update to v4.19.2 to address both version staleness and known security concerns.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@go.mod` at line 14, Update the migrate dependency from
github.com/golang-migrate/migrate/v4 v4.19.1 to v4.19.2 in go.mod and refresh
modules; change the version string for the module
github.com/golang-migrate/migrate/v4 to v4.19.2 and then run the Go tooling
(e.g., go get github.com/golang-migrate/migrate/v4@v4.19.2 and go mod tidy or go
mod download) to update go.sum and ensure the new version is resolved.

[coderabbitai]

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Check for patched versions of pgproto3

gh api graphql -f query='
{
  securityVulnerabilities(first: 5, ecosystem: GO, package: "github.com/jackc/pgproto3/v2") {
    nodes {
      advisory {
        summary
        severity
      }
      vulnerableVersionRange
      firstPatchedVersion {
        identifier
      }
    }
  }
}'

Repository: openshift/sippy

Length of output: 643

---

Address HIGH severity denial of service vulnerability in pgproto3.

The github.com/jackc/pgproto3/v2 v2.3.3 dependency has a confirmed HIGH severity denial of service vulnerability with no available patch. This affects Sippy's PostgreSQL connectivity and availability. Monitor for upstream patches and consider upgrading as soon as a fixed version is released.

🧰 Tools

🪛 OSV Scanner (2.3.8)

[HIGH] 102-102: github.com/jackc/pgproto3/v2 2.3.3: Denial of service in github.com/jackc/pgproto3/v2

(GO-2026-4518)

---

[HIGH] 102-102: github.com/jackc/pgproto3/v2 2.3.3: Denial of service in github.com/jackc/pgproto3/v2

(GHSA-jqcq-xjh3-6g23)

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@go.mod` at line 102, The project depends on a vulnerable module
github.com/jackc/pgproto3/v2 (v2.3.3) declared in go.mod; update the dependency
to a patched version as soon as one is released (replace the version string in
the go.mod require directive for github.com/jackc/pgproto3/v2) or, until a patch
exists, mitigate by replacing direct usage with a safer alternative (e.g., use a
vetted fork or add connection-level timeouts/retries in PostgreSQL client code
such as where pgx/pgproto3 is constructed) and add a comment and TODO in go.mod
to monitor upstream for a fixed release.

[coderabbitai]

♻️ Duplicate comments (1)

cmd/sippy/migrate.go (1)

48-51: ⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Handle ErrNilVersion for fresh databases.

When no migrations have been applied yet, CurrentVersion returns migrate.ErrNilVersion (as seen in pkg/db/migrate/migrate.go line 138 where it directly returns m.Version()). This causes the command to fail with "could not get migration version" instead of displaying a user-friendly message.

🐛 Proposed fix to handle ErrNilVersion

+	"github.com/golang-migrate/migrate/v4"
 	"github.com/pkg/errors"

 		version, dirty, err := sippymigrate.CurrentVersion(dbc.DB)
-		if err != nil {
+		if err == migrate.ErrNilVersion {
+			fmt.Println("no migrations applied yet")
+			return nil
+		} else if err != nil {
 			return errors.WithMessage(err, "could not get migration version")
 		}

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@cmd/sippy/migrate.go` around lines 48 - 51, sippymigrate.CurrentVersion can
return migrate.ErrNilVersion for a fresh DB; update the error handling around
the call in migrate.go (the block that calls
sippymigrate.CurrentVersion(dbc.DB)) to detect errors.Is(err,
migrate.ErrNilVersion) and handle it as a non-fatal case by emitting a
user-friendly message like "no migrations have been applied yet" (or similar)
and proceeding appropriately instead of returning an error; keep the existing
behavior for other errors by returning errors.WithMessage(err, "could not get
migration version").

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Duplicate comments:
In `@cmd/sippy/migrate.go`:
- Around line 48-51: sippymigrate.CurrentVersion can return
migrate.ErrNilVersion for a fresh DB; update the error handling around the call
in migrate.go (the block that calls sippymigrate.CurrentVersion(dbc.DB)) to
detect errors.Is(err, migrate.ErrNilVersion) and handle it as a non-fatal case
by emitting a user-friendly message like "no migrations have been applied yet"
(or similar) and proceeding appropriately instead of returning an error; keep
the existing behavior for other errors by returning errors.WithMessage(err,
"could not get migration version").

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 9ce28e7b-9e16-407b-a8c3-51d9fde942b9

📥 Commits

Reviewing files that changed from the base of the PR and between 7ddb380 and 35bf135.

⛔ Files ignored due to path filters (151)

• go.sum is excluded by !**/*.sum, !go.sum
• vendor/cel.dev/expr/.bazelversion is excluded by !vendor/**, !**/vendor/**
• vendor/cel.dev/expr/.gitattributes is excluded by !vendor/**, !**/vendor/**
• vendor/cel.dev/expr/.gitignore is excluded by !vendor/**, !**/vendor/**
• vendor/cel.dev/expr/BUILD.bazel is excluded by !vendor/**, !**/vendor/**
• vendor/cel.dev/expr/CODE_OF_CONDUCT.md is excluded by !vendor/**, !**/vendor/**
• vendor/cel.dev/expr/CONTRIBUTING.md is excluded by !vendor/**, !**/vendor/**
• vendor/cel.dev/expr/GOVERNANCE.md is excluded by !vendor/**, !**/vendor/**
• vendor/cel.dev/expr/LICENSE is excluded by !vendor/**, !**/vendor/**
• vendor/cel.dev/expr/MAINTAINERS.md is excluded by !vendor/**, !**/vendor/**
• vendor/cel.dev/expr/MODULE.bazel is excluded by !vendor/**, !**/vendor/**
• vendor/cel.dev/expr/README.md is excluded by !vendor/**, !**/vendor/**
• vendor/cel.dev/expr/WORKSPACE is excluded by !vendor/**, !**/vendor/**
• vendor/cel.dev/expr/WORKSPACE.bzlmod is excluded by !vendor/**, !**/vendor/**
• vendor/cel.dev/expr/checked.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
• vendor/cel.dev/expr/cloudbuild.yaml is excluded by !vendor/**, !**/vendor/**
• vendor/cel.dev/expr/eval.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
• vendor/cel.dev/expr/explain.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
• vendor/cel.dev/expr/regen_go_proto.sh is excluded by !vendor/**, !**/vendor/**
• vendor/cel.dev/expr/regen_go_proto_canonical_protos.sh is excluded by !vendor/**, !**/vendor/**
• vendor/cel.dev/expr/syntax.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
• vendor/cel.dev/expr/value.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/auth/CHANGES.md is excluded by !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/auth/README.md is excluded by !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/auth/auth.go is excluded by !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/auth/credentials/compute.go is excluded by !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/auth/credentials/detect.go is excluded by !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/auth/credentials/filetypes.go is excluded by !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/auth/credentials/internal/externalaccount/aws_provider.go is excluded by !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/auth/credentials/internal/externalaccount/externalaccount.go is excluded by !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/auth/credentials/internal/externalaccount/url_provider.go is excluded by !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/auth/credentials/internal/externalaccount/x509_provider.go is excluded by !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/auth/credentials/internal/externalaccountuser/externalaccountuser.go is excluded by !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/auth/credentials/internal/gdch/gdch.go is excluded by !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/auth/credentials/internal/impersonate/idtoken.go is excluded by !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/auth/credentials/internal/impersonate/impersonate.go is excluded by !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/auth/credentials/internal/stsexchange/sts_exchange.go is excluded by !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/auth/credentials/selfsignedjwt.go is excluded by !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/auth/grpctransport/directpath.go is excluded by !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/auth/grpctransport/grpctransport.go is excluded by !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/auth/httptransport/httptransport.go is excluded by !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/auth/httptransport/trace.go is excluded by !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/auth/httptransport/transport.go is excluded by !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/auth/internal/compute/compute.go is excluded by !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/auth/internal/compute/manufacturer.go is excluded by !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/auth/internal/compute/manufacturer_linux.go is excluded by !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/auth/internal/compute/manufacturer_windows.go is excluded by !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/auth/internal/credsfile/filetype.go is excluded by !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/auth/internal/internal.go is excluded by !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/auth/internal/jwt/jwt.go is excluded by !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/auth/internal/transport/cba.go is excluded by !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/auth/internal/transport/cert/enterprise_cert.go is excluded by !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/auth/internal/transport/cert/secureconnect_cert.go is excluded by !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/auth/internal/transport/cert/workload_cert.go is excluded by !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/auth/internal/transport/s2a.go is excluded by !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/auth/internal/transport/transport.go is excluded by !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/auth/oauth2adapt/CHANGES.md is excluded by !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/auth/oauth2adapt/oauth2adapt.go is excluded by !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/auth/threelegged.go is excluded by !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/bigquery/CHANGES.md is excluded by !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/bigquery/arrow.go is excluded by !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/bigquery/bigquery.go is excluded by !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/bigquery/copy.go is excluded by !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/bigquery/dataset.go is excluded by !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/bigquery/doc.go is excluded by !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/bigquery/external.go is excluded by !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/bigquery/extract.go is excluded by !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/bigquery/inserter.go is excluded by !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/bigquery/internal/version.go is excluded by !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/bigquery/iterator.go is excluded by !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/bigquery/job.go is excluded by !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/bigquery/load.go is excluded by !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/bigquery/model.go is excluded by !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/bigquery/options.go is excluded by !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/bigquery/params.go is excluded by !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/bigquery/query.go is excluded by !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/bigquery/routine.go is excluded by !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/bigquery/storage/apiv1/auxiliary.go is excluded by !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/bigquery/storage/apiv1/auxiliary_go123.go is excluded by !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/bigquery/storage/apiv1/big_query_read_client.go is excluded by !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/bigquery/storage/apiv1/big_query_write_client.go is excluded by !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/bigquery/storage/apiv1/doc.go is excluded by !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/bigquery/storage/apiv1/helpers.go is excluded by !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/bigquery/storage/apiv1/storagepb/annotations.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/bigquery/storage/apiv1/storagepb/arrow.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/bigquery/storage/apiv1/storagepb/avro.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/bigquery/storage/apiv1/storagepb/protobuf.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/bigquery/storage/apiv1/storagepb/storage.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/bigquery/storage/apiv1/storagepb/stream.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/bigquery/storage/apiv1/storagepb/table.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/bigquery/storage_client.go is excluded by !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/bigquery/storage_iterator.go is excluded by !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/bigquery/table.go is excluded by !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/bigquery/value.go is excluded by !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/civil/civil.go is excluded by !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/compute/metadata/CHANGES.md is excluded by !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/compute/metadata/log.go is excluded by !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/compute/metadata/metadata.go is excluded by !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/compute/metadata/retry_linux.go is excluded by !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/compute/metadata/syscheck.go is excluded by !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/compute/metadata/syscheck_linux.go is excluded by !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/compute/metadata/syscheck_windows.go is excluded by !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/iam/CHANGES.md is excluded by !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/iam/apiv1/iampb/iam_policy.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/iam/apiv1/iampb/options.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/iam/apiv1/iampb/policy.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/iam/apiv1/iampb/resource_policy_member.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/internal/.repo-metadata-full.json is excluded by !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/internal/detect/detect.go is excluded by !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/internal/trace/trace.go is excluded by !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/internal/uid/uid.go is excluded by !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/monitoring/LICENSE is excluded by !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/monitoring/apiv3/v2/alert_policy_client.go is excluded by !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/monitoring/apiv3/v2/auxiliary.go is excluded by !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/monitoring/apiv3/v2/auxiliary_go123.go is excluded by !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/monitoring/apiv3/v2/doc.go is excluded by !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/monitoring/apiv3/v2/gapic_metadata.json is excluded by !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/monitoring/apiv3/v2/group_client.go is excluded by !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/monitoring/apiv3/v2/helpers.go is excluded by !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/monitoring/apiv3/v2/metric_client.go is excluded by !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/monitoring/apiv3/v2/monitoringpb/alert.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/monitoring/apiv3/v2/monitoringpb/alert_service.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/monitoring/apiv3/v2/monitoringpb/common.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/monitoring/apiv3/v2/monitoringpb/dropped_labels.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/monitoring/apiv3/v2/monitoringpb/group.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/monitoring/apiv3/v2/monitoringpb/group_service.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/monitoring/apiv3/v2/monitoringpb/metric.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/monitoring/apiv3/v2/monitoringpb/metric_service.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/monitoring/apiv3/v2/monitoringpb/mutation_record.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/monitoring/apiv3/v2/monitoringpb/notification.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/monitoring/apiv3/v2/monitoringpb/notification_service.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/monitoring/apiv3/v2/monitoringpb/query_service.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/monitoring/apiv3/v2/monitoringpb/service.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/monitoring/apiv3/v2/monitoringpb/service_service.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/monitoring/apiv3/v2/monitoringpb/snooze.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/monitoring/apiv3/v2/monitoringpb/snooze_service.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/monitoring/apiv3/v2/monitoringpb/span_context.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/monitoring/apiv3/v2/monitoringpb/uptime.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/monitoring/apiv3/v2/monitoringpb/uptime_service.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/monitoring/apiv3/v2/notification_channel_client.go is excluded by !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/monitoring/apiv3/v2/query_client.go is excluded by !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/monitoring/apiv3/v2/service_monitoring_client.go is excluded by !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/monitoring/apiv3/v2/snooze_client.go is excluded by !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/monitoring/apiv3/v2/uptime_check_client.go is excluded by !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/monitoring/apiv3/v2/version.go is excluded by !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/monitoring/internal/version.go is excluded by !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/storage/CHANGES.md is excluded by !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/storage/TESTING.md is excluded by !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/storage/acl.go is excluded by !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/storage/bucket.go is excluded by !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/storage/client.go is excluded by !vendor/**, !**/vendor/**

📒 Files selected for processing (14)

• cmd/sippy/migrate.go
• go.mod
• pkg/db/db.go
• pkg/db/migrate/migrate.go
• pkg/db/migrations/000001_create_test_analysis_by_job_by_dates.down.sql
• pkg/db/migrations/000001_create_test_analysis_by_job_by_dates.up.sql
• pkg/db/migrations/migrations.go
• pkg/db/partitionedtables.go
• test/e2e/db/migrate/migrate_test.go
• test/e2e/db/migrate/testmigrations/000001_create_e2e_test_table.down.sql
• test/e2e/db/migrate/testmigrations/000001_create_e2e_test_table.up.sql
• test/e2e/db/migrate/testmigrations/000002_add_column_to_e2e_test_table.down.sql
• test/e2e/db/migrate/testmigrations/000002_add_column_to_e2e_test_table.up.sql
• test/e2e/db/migrate/testmigrations/embed.go

💤 Files with no reviewable changes (1)

• pkg/db/partitionedtables.go

✅ Files skipped from review due to trivial changes (5)

• test/e2e/db/migrate/testmigrations/000002_add_column_to_e2e_test_table.down.sql
• test/e2e/db/migrate/testmigrations/000002_add_column_to_e2e_test_table.up.sql
• test/e2e/db/migrate/testmigrations/000001_create_e2e_test_table.down.sql
• test/e2e/db/migrate/testmigrations/000001_create_e2e_test_table.up.sql
• pkg/db/migrations/000001_create_test_analysis_by_job_by_dates.down.sql

🚧 Files skipped from review as they are similar to previous changes (3)

• pkg/db/migrations/migrations.go
• pkg/db/db.go
• pkg/db/migrations/000001_create_test_analysis_by_job_by_dates.up.sql

[neisw]

/test e2e

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@go.mod`:
- Line 66: Update the vulnerable module versions in go.mod: bump
github.com/buger/jsonparser from v1.1.1 to at least v1.1.2 and bump the JWT
module (github.com/golang-jwt/jwt/v5) from v5.2.1 to at least v5.2.2; then run
the appropriate Go module commands (e.g., go get
github.com/buger/jsonparser@v1.1.2 and go get
github.com/golang-jwt/jwt/v5@v5.2.2, followed by go mod tidy) to update go.sum
and ensure builds pass.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: b76c37bb-51c7-4c61-8917-e1b3a4e1d8f7

📥 Commits

Reviewing files that changed from the base of the PR and between 35bf135 and 43b41fb.

⛔ Files ignored due to path filters (98)

• go.sum is excluded by !**/*.sum, !go.sum
• vendor/cel.dev/expr/BUILD.bazel is excluded by !vendor/**, !**/vendor/**
• vendor/cel.dev/expr/MODULE.bazel is excluded by !vendor/**, !**/vendor/**
• vendor/cel.dev/expr/checked.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
• vendor/cel.dev/expr/eval.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
• vendor/cel.dev/expr/explain.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
• vendor/cel.dev/expr/syntax.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
• vendor/cel.dev/expr/value.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/compute/metadata/CHANGES.md is excluded by !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/compute/metadata/metadata.go is excluded by !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/compute/metadata/retry.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/ProtonMail/go-crypto/internal/byteutil/byteutil.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/ProtonMail/go-crypto/ocb/ocb.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/ProtonMail/go-crypto/openpgp/armor/armor.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/ProtonMail/go-crypto/openpgp/armor/encode.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/ProtonMail/go-crypto/openpgp/canonical_text.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/ProtonMail/go-crypto/openpgp/ecdh/ecdh.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/ProtonMail/go-crypto/openpgp/ed25519/ed25519.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/ProtonMail/go-crypto/openpgp/ed448/ed448.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/ProtonMail/go-crypto/openpgp/errors/errors.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/ProtonMail/go-crypto/openpgp/internal/algorithm/cipher.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/ProtonMail/go-crypto/openpgp/internal/ecc/curve_info.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/ProtonMail/go-crypto/openpgp/internal/ecc/ed25519.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/ProtonMail/go-crypto/openpgp/internal/ecc/ed448.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/ProtonMail/go-crypto/openpgp/key_generation.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/ProtonMail/go-crypto/openpgp/keys.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/ProtonMail/go-crypto/openpgp/packet/aead_crypter.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/ProtonMail/go-crypto/openpgp/packet/aead_encrypted.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/ProtonMail/go-crypto/openpgp/packet/compressed.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/ProtonMail/go-crypto/openpgp/packet/config.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/ProtonMail/go-crypto/openpgp/packet/config_v5.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/ProtonMail/go-crypto/openpgp/packet/encrypted_key.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/ProtonMail/go-crypto/openpgp/packet/literal.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/ProtonMail/go-crypto/openpgp/packet/marker.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/ProtonMail/go-crypto/openpgp/packet/one_pass_signature.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/ProtonMail/go-crypto/openpgp/packet/opaque.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/ProtonMail/go-crypto/openpgp/packet/packet.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/ProtonMail/go-crypto/openpgp/packet/packet_sequence.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/ProtonMail/go-crypto/openpgp/packet/packet_unsupported.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/ProtonMail/go-crypto/openpgp/packet/padding.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/ProtonMail/go-crypto/openpgp/packet/private_key.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/ProtonMail/go-crypto/openpgp/packet/public_key.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/ProtonMail/go-crypto/openpgp/packet/reader.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/ProtonMail/go-crypto/openpgp/packet/recipient.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/ProtonMail/go-crypto/openpgp/packet/signature.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/ProtonMail/go-crypto/openpgp/packet/symmetric_key_encrypted.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/ProtonMail/go-crypto/openpgp/packet/symmetrically_encrypted.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/ProtonMail/go-crypto/openpgp/packet/symmetrically_encrypted_aead.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/ProtonMail/go-crypto/openpgp/packet/symmetrically_encrypted_mdc.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/ProtonMail/go-crypto/openpgp/packet/userattribute.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/ProtonMail/go-crypto/openpgp/packet/userid.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/ProtonMail/go-crypto/openpgp/read.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/ProtonMail/go-crypto/openpgp/read_write_test_data.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/ProtonMail/go-crypto/openpgp/s2k/s2k.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/ProtonMail/go-crypto/openpgp/s2k/s2k_cache.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/ProtonMail/go-crypto/openpgp/s2k/s2k_config.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/ProtonMail/go-crypto/openpgp/write.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/ProtonMail/go-crypto/openpgp/x25519/x25519.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/ProtonMail/go-crypto/openpgp/x448/x448.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/apache/thrift/LICENSE is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/apache/thrift/lib/go/thrift/application_exception.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/apache/thrift/lib/go/thrift/binary_protocol.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/apache/thrift/lib/go/thrift/compact_protocol.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/apache/thrift/lib/go/thrift/configuration.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/apache/thrift/lib/go/thrift/debug_protocol.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/apache/thrift/lib/go/thrift/duplicate_protocol.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/apache/thrift/lib/go/thrift/exception.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/apache/thrift/lib/go/thrift/framed_transport.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/apache/thrift/lib/go/thrift/header_protocol.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/apache/thrift/lib/go/thrift/header_transport.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/apache/thrift/lib/go/thrift/json_protocol.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/apache/thrift/lib/go/thrift/logger.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/apache/thrift/lib/go/thrift/multiplexed_protocol.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/apache/thrift/lib/go/thrift/pointerize.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/apache/thrift/lib/go/thrift/pool.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/apache/thrift/lib/go/thrift/processor_factory.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/apache/thrift/lib/go/thrift/protocol.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/apache/thrift/lib/go/thrift/server_socket.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/apache/thrift/lib/go/thrift/simple_json_protocol.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/apache/thrift/lib/go/thrift/simple_server.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/apache/thrift/lib/go/thrift/slog.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/apache/thrift/lib/go/thrift/socket.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/apache/thrift/lib/go/thrift/socket_aix_syscall.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/apache/thrift/lib/go/thrift/socket_conn.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/apache/thrift/lib/go/thrift/socket_non_aix_syscall.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/apache/thrift/lib/go/thrift/socket_non_unix_conn.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/apache/thrift/lib/go/thrift/socket_unix_conn.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/apache/thrift/lib/go/thrift/ssl_server_socket.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/apache/thrift/lib/go/thrift/type.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/apache/thrift/lib/go/thrift/uuid.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/apache/thrift/lib/go/thrift/zlib_pool.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/apache/thrift/lib/go/thrift/zlib_transport.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/cloudflare/circl/dh/x25519/curve_amd64.s is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/cloudflare/circl/dh/x448/curve_amd64.s is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/cloudflare/circl/ecc/goldilocks/curve.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/cloudflare/circl/internal/conv/conv.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/cloudflare/circl/internal/sha3/xor_unaligned.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/cloudflare/circl/math/fp25519/fp_amd64.s is excluded by !vendor/**, !**/vendor/**

📒 Files selected for processing (2)

• cmd/sippy/migrate.go
• go.mod

🚧 Files skipped from review as they are similar to previous changes (1)

• cmd/sippy/migrate.go

[neisw]

/test lint

[openshift-merge-bot]

Scheduling required tests:
/test e2e

[neisw]

@coderabbitai review the current state of the pr and resolve all of your comments that have been addressed

[coderabbitai]

🧩 Analysis chain

Let me check the current state of my review comments on this PR.

---

🏁 Script executed:

#!/bin/bash
# Get all review comments by coderabbitai on PR `#3518`
gh pr view 3518 --repo openshift/sippy --comments --json comments,reviews | jq '.'

Length of output: 118425

---

Let me fetch the inline review comments to check their resolution status.

---

🏁 Script executed:

#!/bin/bash
# Get all inline review comments by coderabbitai on PR `#3518`
gh api repos/openshift/sippy/pulls/3518/comments --paginate | jq '[.[] | select(.user.login == "coderabbitai") | {id: .id, path: .path, line: .line, position: .position, body: (.body | .[0:200]), created_at: .created_at, updated_at: .updated_at}]'

Length of output: 3

---

Let me check the current state of the key files to assess what has been addressed.

---

🏁 Script executed:

#!/bin/bash
echo "=== cmd/sippy/migrate.go ==="
cat cmd/sippy/migrate.go

echo ""
echo "=== pkg/db/migrate/migrate.go (lines 85-120) ==="
sed -n '85,120p' pkg/db/migrate/migrate.go

echo ""
echo "=== go.mod relevant lines ==="
grep -n "golang-migrate\|go-git\|apache/thrift\|go-jose\|jackc/pgproto3\|buger/jsonparser\|golang-jwt\|grpc\|opentelemetry" go.mod | head -40

Length of output: 5980

---

@neisw: I've reviewed the current state of the PR. Here's a summary of what I found:

All inline review comments are already cleared. Here's the status of each previously raised issue:

Issue	Status
ErrNilVersion handling in cmd/sippy/migrate.go	✅ Fixed — now properly checks err == gomigrate.ErrNilVersion and prints "no migrations applied yet"
apache/thrift vulnerability in go.mod	✅ Fixed — bumped to v0.23.0
go-git/go-git/v5 vulnerability in go.mod	✅ Fixed — bumped to v5.19.0
go-jose/go-jose/v4 vulnerability in go.mod	✅ Fixed — bumped to v4.1.4
buger/jsonparser vulnerability in go.mod	✅ Fixed — bumped to v1.1.2
golang-jwt/jwt/v5 vulnerability in go.mod	✅ Fixed — bumped to v5.2.2
go.opentelemetry.io/otel & /otel/sdk vulnerabilities	✅ Fixed — bumped to v1.43.0
google.golang.org/grpc vulnerability	✅ Fixed — bumped to v1.79.3
Nitpick: negative version validation in force command	⚠️ Not addressed (low value)
Nitpick: m.Close() errors ignored in defers	⚠️ Not addressed (low value)
jackc/pgproto3/v2 v2.3.3	ℹ️ No upstream patch available

The two remaining nitpicks are low-value and the overall implementation looks solid. I'll kick off a fresh review of the current state now.

✅ Actions performed

Full review triggered.

[neisw]

/hold

[coderabbitai]

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@go.mod`:
- Line 86: The project uses andygrunwald/go-jira v1.14.0 which pulls in
github.com/golang-jwt/jwt v3.2.1 (vulnerable); update the go.mod dependency for
andygrunwald/go-jira to v1.17.0 or later so it transitively depends on
golang-jwt/jwt/v4 (e.g., v4.5.2). Run `go get
github.com/andygrunwald/go-jira@v1.17.0` (or higher), then `go mod tidy` and run
your tests/build to ensure no import breakages; confirm the go.sum now
references golang-jwt/jwt/v4 instead of the v3 entry.

In `@pkg/db/migrate/migrate.go`:
- Around line 148-156: Add input validation to prevent accidental direction
inversion by rejecting non-positive step counts: in MigrateDownWithFS check if
steps <= 0 at the top and return a descriptive error (e.g., "steps must be
positive"); ensure MigrateDown either performs the same validation or simply
relies on MigrateDownWithFS so callers cannot pass zero or negative values that
would flip to an UP migration. Reference the functions MigrateDownWithFS and
MigrateDown and return early on invalid input.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 6c475597-0197-4d94-a56f-f65a5462c192

📥 Commits

Reviewing files that changed from the base of the PR and between 75f85c7 and af8b425.

⛔ Files ignored due to path filters (286)

• go.sum is excluded by !**/*.sum, !go.sum
• vendor/cel.dev/expr/.bazelversion is excluded by !vendor/**, !**/vendor/**
• vendor/cel.dev/expr/.gitattributes is excluded by !vendor/**, !**/vendor/**
• vendor/cel.dev/expr/.gitignore is excluded by !vendor/**, !**/vendor/**
• vendor/cel.dev/expr/BUILD.bazel is excluded by !vendor/**, !**/vendor/**
• vendor/cel.dev/expr/CODE_OF_CONDUCT.md is excluded by !vendor/**, !**/vendor/**
• vendor/cel.dev/expr/CONTRIBUTING.md is excluded by !vendor/**, !**/vendor/**
• vendor/cel.dev/expr/GOVERNANCE.md is excluded by !vendor/**, !**/vendor/**
• vendor/cel.dev/expr/LICENSE is excluded by !vendor/**, !**/vendor/**
• vendor/cel.dev/expr/MAINTAINERS.md is excluded by !vendor/**, !**/vendor/**
• vendor/cel.dev/expr/MODULE.bazel is excluded by !vendor/**, !**/vendor/**
• vendor/cel.dev/expr/README.md is excluded by !vendor/**, !**/vendor/**
• vendor/cel.dev/expr/WORKSPACE is excluded by !vendor/**, !**/vendor/**
• vendor/cel.dev/expr/WORKSPACE.bzlmod is excluded by !vendor/**, !**/vendor/**
• vendor/cel.dev/expr/checked.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
• vendor/cel.dev/expr/cloudbuild.yaml is excluded by !vendor/**, !**/vendor/**
• vendor/cel.dev/expr/eval.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
• vendor/cel.dev/expr/explain.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
• vendor/cel.dev/expr/regen_go_proto.sh is excluded by !vendor/**, !**/vendor/**
• vendor/cel.dev/expr/regen_go_proto_canonical_protos.sh is excluded by !vendor/**, !**/vendor/**
• vendor/cel.dev/expr/syntax.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
• vendor/cel.dev/expr/value.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/auth/CHANGES.md is excluded by !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/auth/README.md is excluded by !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/auth/auth.go is excluded by !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/auth/credentials/compute.go is excluded by !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/auth/credentials/detect.go is excluded by !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/auth/credentials/filetypes.go is excluded by !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/auth/credentials/internal/externalaccount/aws_provider.go is excluded by !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/auth/credentials/internal/externalaccount/externalaccount.go is excluded by !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/auth/credentials/internal/externalaccount/url_provider.go is excluded by !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/auth/credentials/internal/externalaccount/x509_provider.go is excluded by !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/auth/credentials/internal/externalaccountuser/externalaccountuser.go is excluded by !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/auth/credentials/internal/gdch/gdch.go is excluded by !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/auth/credentials/internal/impersonate/idtoken.go is excluded by !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/auth/credentials/internal/impersonate/impersonate.go is excluded by !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/auth/credentials/internal/stsexchange/sts_exchange.go is excluded by !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/auth/credentials/selfsignedjwt.go is excluded by !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/auth/grpctransport/directpath.go is excluded by !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/auth/grpctransport/grpctransport.go is excluded by !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/auth/httptransport/httptransport.go is excluded by !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/auth/httptransport/trace.go is excluded by !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/auth/httptransport/transport.go is excluded by !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/auth/internal/compute/compute.go is excluded by !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/auth/internal/compute/manufacturer.go is excluded by !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/auth/internal/compute/manufacturer_linux.go is excluded by !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/auth/internal/compute/manufacturer_windows.go is excluded by !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/auth/internal/credsfile/filetype.go is excluded by !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/auth/internal/internal.go is excluded by !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/auth/internal/jwt/jwt.go is excluded by !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/auth/internal/transport/cba.go is excluded by !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/auth/internal/transport/cert/enterprise_cert.go is excluded by !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/auth/internal/transport/cert/secureconnect_cert.go is excluded by !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/auth/internal/transport/cert/workload_cert.go is excluded by !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/auth/internal/transport/s2a.go is excluded by !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/auth/internal/transport/transport.go is excluded by !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/auth/oauth2adapt/CHANGES.md is excluded by !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/auth/oauth2adapt/oauth2adapt.go is excluded by !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/auth/threelegged.go is excluded by !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/bigquery/CHANGES.md is excluded by !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/bigquery/arrow.go is excluded by !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/bigquery/bigquery.go is excluded by !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/bigquery/copy.go is excluded by !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/bigquery/dataset.go is excluded by !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/bigquery/doc.go is excluded by !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/bigquery/external.go is excluded by !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/bigquery/extract.go is excluded by !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/bigquery/inserter.go is excluded by !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/bigquery/internal/version.go is excluded by !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/bigquery/iterator.go is excluded by !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/bigquery/job.go is excluded by !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/bigquery/load.go is excluded by !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/bigquery/model.go is excluded by !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/bigquery/options.go is excluded by !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/bigquery/params.go is excluded by !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/bigquery/query.go is excluded by !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/bigquery/routine.go is excluded by !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/bigquery/storage/apiv1/auxiliary.go is excluded by !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/bigquery/storage/apiv1/auxiliary_go123.go is excluded by !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/bigquery/storage/apiv1/big_query_read_client.go is excluded by !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/bigquery/storage/apiv1/big_query_write_client.go is excluded by !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/bigquery/storage/apiv1/doc.go is excluded by !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/bigquery/storage/apiv1/helpers.go is excluded by !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/bigquery/storage/apiv1/storagepb/annotations.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/bigquery/storage/apiv1/storagepb/arrow.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/bigquery/storage/apiv1/storagepb/avro.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/bigquery/storage/apiv1/storagepb/protobuf.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/bigquery/storage/apiv1/storagepb/storage.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/bigquery/storage/apiv1/storagepb/stream.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/bigquery/storage/apiv1/storagepb/table.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/bigquery/storage_client.go is excluded by !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/bigquery/storage_iterator.go is excluded by !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/bigquery/table.go is excluded by !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/bigquery/value.go is excluded by !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/civil/civil.go is excluded by !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/compute/metadata/CHANGES.md is excluded by !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/compute/metadata/log.go is excluded by !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/compute/metadata/metadata.go is excluded by !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/compute/metadata/retry.go is excluded by !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/compute/metadata/retry_linux.go is excluded by !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/compute/metadata/syscheck.go is excluded by !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/compute/metadata/syscheck_linux.go is excluded by !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/compute/metadata/syscheck_windows.go is excluded by !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/iam/CHANGES.md is excluded by !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/iam/apiv1/iampb/iam_policy.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/iam/apiv1/iampb/options.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/iam/apiv1/iampb/policy.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/iam/apiv1/iampb/resource_policy_member.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/internal/.repo-metadata-full.json is excluded by !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/internal/detect/detect.go is excluded by !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/internal/trace/trace.go is excluded by !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/internal/uid/uid.go is excluded by !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/monitoring/LICENSE is excluded by !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/monitoring/apiv3/v2/alert_policy_client.go is excluded by !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/monitoring/apiv3/v2/auxiliary.go is excluded by !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/monitoring/apiv3/v2/auxiliary_go123.go is excluded by !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/monitoring/apiv3/v2/doc.go is excluded by !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/monitoring/apiv3/v2/gapic_metadata.json is excluded by !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/monitoring/apiv3/v2/group_client.go is excluded by !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/monitoring/apiv3/v2/helpers.go is excluded by !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/monitoring/apiv3/v2/metric_client.go is excluded by !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/monitoring/apiv3/v2/monitoringpb/alert.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/monitoring/apiv3/v2/monitoringpb/alert_service.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/monitoring/apiv3/v2/monitoringpb/common.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/monitoring/apiv3/v2/monitoringpb/dropped_labels.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/monitoring/apiv3/v2/monitoringpb/group.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/monitoring/apiv3/v2/monitoringpb/group_service.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/monitoring/apiv3/v2/monitoringpb/metric.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/monitoring/apiv3/v2/monitoringpb/metric_service.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/monitoring/apiv3/v2/monitoringpb/mutation_record.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/monitoring/apiv3/v2/monitoringpb/notification.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/monitoring/apiv3/v2/monitoringpb/notification_service.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/monitoring/apiv3/v2/monitoringpb/query_service.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/monitoring/apiv3/v2/monitoringpb/service.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/monitoring/apiv3/v2/monitoringpb/service_service.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/monitoring/apiv3/v2/monitoringpb/snooze.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/monitoring/apiv3/v2/monitoringpb/snooze_service.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/monitoring/apiv3/v2/monitoringpb/span_context.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/monitoring/apiv3/v2/monitoringpb/uptime.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/monitoring/apiv3/v2/monitoringpb/uptime_service.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/monitoring/apiv3/v2/notification_channel_client.go is excluded by !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/monitoring/apiv3/v2/query_client.go is excluded by !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/monitoring/apiv3/v2/service_monitoring_client.go is excluded by !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/monitoring/apiv3/v2/snooze_client.go is excluded by !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/monitoring/apiv3/v2/uptime_check_client.go is excluded by !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/monitoring/apiv3/v2/version.go is excluded by !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/monitoring/internal/version.go is excluded by !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/storage/CHANGES.md is excluded by !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/storage/TESTING.md is excluded by !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/storage/acl.go is excluded by !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/storage/bucket.go is excluded by !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/storage/client.go is excluded by !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/storage/doc.go is excluded by !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/storage/dynamic_delay.go is excluded by !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/storage/emulator_test.sh is excluded by !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/storage/experimental/experimental.go is excluded by !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/storage/grpc_client.go is excluded by !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/storage/grpc_dp.go is excluded by !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/storage/grpc_metrics.go is excluded by !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/storage/grpc_reader.go is excluded by !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/storage/grpc_reader_multi_range.go is excluded by !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/storage/grpc_writer.go is excluded by !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/storage/hmac.go is excluded by !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/storage/http_client.go is excluded by !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/storage/iam.go is excluded by !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/storage/internal/apiv2/auxiliary.go is excluded by !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/storage/internal/apiv2/auxiliary_go123.go is excluded by !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/storage/internal/apiv2/doc.go is excluded by !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/storage/internal/apiv2/gapic_metadata.json is excluded by !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/storage/internal/apiv2/helpers.go is excluded by !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/storage/internal/apiv2/storage_client.go is excluded by !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/storage/internal/apiv2/storagepb/storage.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/storage/internal/experimental.go is excluded by !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/storage/internal/version.go is excluded by !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/storage/invoke.go is excluded by !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/storage/notifications.go is excluded by !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/storage/option.go is excluded by !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/storage/reader.go is excluded by !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/storage/storage.go is excluded by !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/storage/trace.go is excluded by !vendor/**, !**/vendor/**
• vendor/cloud.google.com/go/storage/writer.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/GoogleCloudPlatform/opentelemetry-operations-go/detectors/gcp/LICENSE is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/GoogleCloudPlatform/opentelemetry-operations-go/detectors/gcp/README.md is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/GoogleCloudPlatform/opentelemetry-operations-go/detectors/gcp/app_engine.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/GoogleCloudPlatform/opentelemetry-operations-go/detectors/gcp/bms.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/GoogleCloudPlatform/opentelemetry-operations-go/detectors/gcp/detector.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/GoogleCloudPlatform/opentelemetry-operations-go/detectors/gcp/faas.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/GoogleCloudPlatform/opentelemetry-operations-go/detectors/gcp/gce.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/GoogleCloudPlatform/opentelemetry-operations-go/detectors/gcp/gke.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/GoogleCloudPlatform/opentelemetry-operations-go/exporter/metric/LICENSE is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/GoogleCloudPlatform/opentelemetry-operations-go/exporter/metric/README.md is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/GoogleCloudPlatform/opentelemetry-operations-go/exporter/metric/cloudmonitoring.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/GoogleCloudPlatform/opentelemetry-operations-go/exporter/metric/constants.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/GoogleCloudPlatform/opentelemetry-operations-go/exporter/metric/error.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/GoogleCloudPlatform/opentelemetry-operations-go/exporter/metric/metric.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/GoogleCloudPlatform/opentelemetry-operations-go/exporter/metric/option.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/GoogleCloudPlatform/opentelemetry-operations-go/exporter/metric/version.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/GoogleCloudPlatform/opentelemetry-operations-go/internal/resourcemapping/LICENSE is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/GoogleCloudPlatform/opentelemetry-operations-go/internal/resourcemapping/resourcemapping.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/ProtonMail/go-crypto/internal/byteutil/byteutil.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/ProtonMail/go-crypto/ocb/ocb.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/ProtonMail/go-crypto/openpgp/armor/armor.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/ProtonMail/go-crypto/openpgp/armor/encode.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/ProtonMail/go-crypto/openpgp/canonical_text.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/ProtonMail/go-crypto/openpgp/ecdh/ecdh.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/ProtonMail/go-crypto/openpgp/ed25519/ed25519.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/ProtonMail/go-crypto/openpgp/ed448/ed448.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/ProtonMail/go-crypto/openpgp/errors/errors.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/ProtonMail/go-crypto/openpgp/internal/algorithm/cipher.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/ProtonMail/go-crypto/openpgp/internal/ecc/curve_info.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/ProtonMail/go-crypto/openpgp/internal/ecc/ed25519.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/ProtonMail/go-crypto/openpgp/internal/ecc/ed448.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/ProtonMail/go-crypto/openpgp/key_generation.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/ProtonMail/go-crypto/openpgp/keys.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/ProtonMail/go-crypto/openpgp/packet/aead_crypter.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/ProtonMail/go-crypto/openpgp/packet/aead_encrypted.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/ProtonMail/go-crypto/openpgp/packet/compressed.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/ProtonMail/go-crypto/openpgp/packet/config.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/ProtonMail/go-crypto/openpgp/packet/config_v5.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/ProtonMail/go-crypto/openpgp/packet/encrypted_key.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/ProtonMail/go-crypto/openpgp/packet/literal.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/ProtonMail/go-crypto/openpgp/packet/marker.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/ProtonMail/go-crypto/openpgp/packet/one_pass_signature.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/ProtonMail/go-crypto/openpgp/packet/opaque.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/ProtonMail/go-crypto/openpgp/packet/packet.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/ProtonMail/go-crypto/openpgp/packet/packet_sequence.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/ProtonMail/go-crypto/openpgp/packet/packet_unsupported.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/ProtonMail/go-crypto/openpgp/packet/padding.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/ProtonMail/go-crypto/openpgp/packet/private_key.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/ProtonMail/go-crypto/openpgp/packet/public_key.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/ProtonMail/go-crypto/openpgp/packet/reader.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/ProtonMail/go-crypto/openpgp/packet/recipient.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/ProtonMail/go-crypto/openpgp/packet/signature.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/ProtonMail/go-crypto/openpgp/packet/symmetric_key_encrypted.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/ProtonMail/go-crypto/openpgp/packet/symmetrically_encrypted.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/ProtonMail/go-crypto/openpgp/packet/symmetrically_encrypted_aead.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/ProtonMail/go-crypto/openpgp/packet/symmetrically_encrypted_mdc.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/ProtonMail/go-crypto/openpgp/packet/userattribute.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/ProtonMail/go-crypto/openpgp/packet/userid.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/ProtonMail/go-crypto/openpgp/read.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/ProtonMail/go-crypto/openpgp/read_write_test_data.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/ProtonMail/go-crypto/openpgp/s2k/s2k.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/ProtonMail/go-crypto/openpgp/s2k/s2k_cache.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/ProtonMail/go-crypto/openpgp/s2k/s2k_config.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/ProtonMail/go-crypto/openpgp/write.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/ProtonMail/go-crypto/openpgp/x25519/x25519.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/ProtonMail/go-crypto/openpgp/x448/x448.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/apache/thrift/LICENSE is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/apache/thrift/lib/go/thrift/application_exception.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/apache/thrift/lib/go/thrift/binary_protocol.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/apache/thrift/lib/go/thrift/compact_protocol.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/apache/thrift/lib/go/thrift/configuration.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/apache/thrift/lib/go/thrift/debug_protocol.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/apache/thrift/lib/go/thrift/duplicate_protocol.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/apache/thrift/lib/go/thrift/exception.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/apache/thrift/lib/go/thrift/framed_transport.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/apache/thrift/lib/go/thrift/header_protocol.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/apache/thrift/lib/go/thrift/header_transport.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/apache/thrift/lib/go/thrift/json_protocol.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/apache/thrift/lib/go/thrift/logger.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/apache/thrift/lib/go/thrift/multiplexed_protocol.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/apache/thrift/lib/go/thrift/pointerize.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/apache/thrift/lib/go/thrift/pool.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/apache/thrift/lib/go/thrift/processor_factory.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/apache/thrift/lib/go/thrift/protocol.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/apache/thrift/lib/go/thrift/server_socket.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/apache/thrift/lib/go/thrift/simple_json_protocol.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/apache/thrift/lib/go/thrift/simple_server.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/apache/thrift/lib/go/thrift/slog.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/apache/thrift/lib/go/thrift/socket.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/apache/thrift/lib/go/thrift/socket_aix_syscall.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/apache/thrift/lib/go/thrift/socket_conn.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/apache/thrift/lib/go/thrift/socket_non_aix_syscall.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/apache/thrift/lib/go/thrift/socket_non_unix_conn.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/apache/thrift/lib/go/thrift/socket_unix_conn.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/apache/thrift/lib/go/thrift/ssl_server_socket.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/apache/thrift/lib/go/thrift/type.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/apache/thrift/lib/go/thrift/uuid.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/apache/thrift/lib/go/thrift/zlib_pool.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/apache/thrift/lib/go/thrift/zlib_transport.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/buger/jsonparser/.travis.yml is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/buger/jsonparser/README.md is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/buger/jsonparser/bytes.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/buger/jsonparser/parser.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/cloudflare/circl/dh/x25519/curve_amd64.s is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/cloudflare/circl/dh/x448/curve_amd64.s is excluded by !vendor/**, !**/vendor/**

📒 Files selected for processing (14)

• cmd/sippy/migrate.go
• go.mod
• pkg/db/db.go
• pkg/db/migrate/migrate.go
• pkg/db/migrations/000001_create_test_analysis_by_job_by_dates.down.sql
• pkg/db/migrations/000001_create_test_analysis_by_job_by_dates.up.sql
• pkg/db/migrations/migrations.go
• pkg/db/partitionedtables.go
• test/e2e/db/migrate/migrate_test.go
• test/e2e/db/migrate/testmigrations/000001_create_e2e_test_table.down.sql
• test/e2e/db/migrate/testmigrations/000001_create_e2e_test_table.up.sql
• test/e2e/db/migrate/testmigrations/000002_add_column_to_e2e_test_table.down.sql
• test/e2e/db/migrate/testmigrations/000002_add_column_to_e2e_test_table.up.sql
• test/e2e/db/migrate/testmigrations/embed.go

💤 Files with no reviewable changes (1)

• pkg/db/partitionedtables.go

[coderabbitai]

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Find which dependencies require jwt v3

echo "=== Dependencies requiring jwt v3 ==="
go mod graph | grep 'github.com/golang-jwt/jwt@v3' | head -20

echo ""
echo "=== Checking if we can exclude v3 ==="
rg -n 'github.com/golang-jwt/jwt[^/]' go.mod

Repository: openshift/sippy

Length of output: 357

---

🏁 Script executed:

# Read the go.mod file to see context around line 86-87
cat -n go.mod | sed -n '80,95p'

Repository: openshift/sippy

Length of output: 1053

---

🌐 Web query:

GHSA-mh63-6h87-95cp jwt vulnerability

💡 Result:

GHSA-mh63-6h87-95cp is a high-severity vulnerability (CVSS 7.5-8.7) in the golang-jwt/jwt Go package, also known as CVE-2025-30204 and GO-2025-3553. It affects versions: v5 from 5.0.0-rc.1 before 5.2.2; v4 before 4.5.2; v3 from 3.2.0 before 3.2.3[1][2][3][4]. The issue is in parse.ParseUnverified, which uses strings.Split on untrusted input (JWT header) split by periods, leading to excessive memory allocation (O(n) bytes, constant factor ~16) on malicious Authorization: Bearer....... headers with many periods. This causes denial-of-service via resource exhaustion (CWE-405)[1][5][4]. Fixed in golang-jwt/jwt v5.2.2, v4.5.2, v3.2.3 via commits like bf316c4 and 0951d18[1][2]. Published March 21, 2025; last updated April 2025[1][4].

Citations:

• 1: GHSA-mh63-6h87-95cp
• 2: https://osv.dev/vulnerability/GHSA-mh63-6h87-95cp
• 3: https://pkg.go.dev/vuln/GO-2025-3553
• 4: https://nvd.nist.gov/vuln/detail/CVE-2025-30204
• 5: https://cve.circl.lu/vuln/ghsa-mh63-6h87-95cp

---

🏁 Script executed:

# Check available versions of go-jira and their dependencies
# First, let's see if we can find info about go-jira versions that don't depend on v3
rg -A 5 'andygrunwald/go-jira' go.mod

Repository: openshift/sippy

Length of output: 327

---

🏁 Script executed:

# Search for information about go-jira versions
# Since we can't directly query Go registries, let's check if there are any comments or documentation in the repo
rg -i 'go-jira|jira' go.mod | head -20

Repository: openshift/sippy

Length of output: 100

---

🌐 Web query:

go-jira andygrunwald latest version jwt dependency

💡 Result:

The latest version of github.com/andygrunwald/go-jira (maintained by Andy Grunwald) is v1.17.0, released on 2025-09-16.[1][2][3][4][5] In this version, it depends on github.com/golang-jwt/jwt/v4 v4.5.2.[5][6] This was upgraded from v4.4.2 in v1.16.1 to address CVE-2025-30204.[2][5]

Citations:

• 1: https://pkg.go.dev/github.com/andygrunwald/go-jira@v1.17.0
• 2: https://github.com/andygrunwald/go-jira/releases
• 3: https://pkg.go.dev/github.com/andygrunwald/go-jira
• 4: https://github.com/andygrunwald/go-jira
• 5: https://github.com/andygrunwald/go-jira/releases/tag/v1.17.0
• 6: andygrunwald/go-jira@v1.16.1...v1.17.0

---

Upgrade andygrunwald/go-jira to resolve vulnerable JWT v3 dependency.

The github.com/golang-jwt/jwt v3.2.1+incompatible has a HIGH severity vulnerability (GHSA-mh63-6h87-95cp / CVE-2025-30204) allowing excessive memory allocation during header parsing. This is brought in by andygrunwald/go-jira v1.14.0. Upgrade go-jira to v1.17.0 or later, which now depends on golang-jwt/jwt/v4 v4.5.2 (patched).

🧰 Tools

🪛 OSV Scanner (2.3.8)

[HIGH] 86-86: github.com/golang-jwt/jwt 3.2.1+incompatible: Excessive memory allocation during header parsing in github.com/golang-jwt/jwt

(GO-2025-3553)

---

[HIGH] 86-86: github.com/golang-jwt/jwt 3.2.1+incompatible: jwt-go allows excessive memory allocation during header parsing

(GHSA-mh63-6h87-95cp)

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@go.mod` at line 86, The project uses andygrunwald/go-jira v1.14.0 which pulls
in github.com/golang-jwt/jwt v3.2.1 (vulnerable); update the go.mod dependency
for andygrunwald/go-jira to v1.17.0 or later so it transitively depends on
golang-jwt/jwt/v4 (e.g., v4.5.2). Run `go get
github.com/andygrunwald/go-jira@v1.17.0` (or higher), then `go mod tidy` and run
your tests/build to ensure no import breakages; confirm the go.sum now
references golang-jwt/jwt/v4 instead of the v3 entry.

[coderabbitai]

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🌐 Web query:

In github.com/golang-migrate/migrate/v4, what is the exact direction behavior of Migrate.Steps(n) for positive vs negative n?

💡 Result:

In github.com/golang-migrate/migrate/v4, the Migrate.Steps(n) method migrates up (applies the next n up migrations from the current version) if n is positive, and migrates down (applies the previous |n| down migrations from the current version) if n is negative. If n == 0, it returns ErrNoChange without doing anything.[1]

Citations:

• 1: https://github.com/golang-migrate/migrate/blob/master/migrate.go

---

🏁 Script executed:

# Find all calls to MigrateDownWithFS in the codebase
rg "MigrateDownWithFS" --type go -B 2 -A 2

Repository: openshift/sippy

Length of output: 1768

---

🏁 Script executed:

# Check for similar validation patterns in migrate.go or related files
rg "steps.*<|>|<=|>=" pkg/db/migrate/ --type go -B 1 -A 1

Repository: openshift/sippy

Length of output: 41

---

🏁 Script executed:

# Look for any integration tests or usages in cmd/
fd -e go . cmd/ | xargs rg "MigrateDownWithFS" -l 2>/dev/null || echo "No matches in cmd/"

Repository: openshift/sippy

Length of output: 78

---

Validate rollback step count before negating it.

Line 154 passes -steps to m.Steps(...). If steps is zero or negative, this inverts the migration direction: MigrateDownWithFS(..., -2) would migrate UP instead of rolling back. Add input validation to reject non-positive steps.

• Proposed fix: Check if steps <= 0 at function entry and return error.
• Also affects MigrateDown (line 160), which wraps this function without validation.

Proposed fix

 func MigrateDownWithFS(gormDB *gorm.DB, fsys fs.FS, migrationsTable string, steps int) error {
+	if steps <= 0 {
+		return fmt.Errorf("steps must be greater than 0")
+	}
+
 	m, cleanup, err := NewMigrateWithFS(gormDB, fsys, migrationsTable)
 	if err != nil {
 		return err
 	}
 	defer func() { _ = cleanup() }()
 	if err := m.Steps(-steps); err != nil {
 		return fmt.Errorf("migrate down failed: %w", err)
 	}

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	func MigrateDownWithFS(gormDB *gorm.DB, fsys fs.FS, migrationsTable string, steps int) error {
	m, cleanup, err := NewMigrateWithFS(gormDB, fsys, migrationsTable)
	if err != nil {
	return err
	}
	defer func() { _ = cleanup() }()
	if err := m.Steps(-steps); err != nil {
	return fmt.Errorf("migrate down failed: %w", err)
	}
	func MigrateDownWithFS(gormDB *gorm.DB, fsys fs.FS, migrationsTable string, steps int) error {
	if steps <= 0 {
	return fmt.Errorf("steps must be greater than 0")
	}
	m, cleanup, err := NewMigrateWithFS(gormDB, fsys, migrationsTable)
	if err != nil {
	return err
	}
	defer func() { _ = cleanup() }()
	if err := m.Steps(-steps); err != nil {
	return fmt.Errorf("migrate down failed: %w", err)
	}

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@pkg/db/migrate/migrate.go` around lines 148 - 156, Add input validation to
prevent accidental direction inversion by rejecting non-positive step counts: in
MigrateDownWithFS check if steps <= 0 at the top and return a descriptive error
(e.g., "steps must be positive"); ensure MigrateDown either performs the same
validation or simply relies on MigrateDownWithFS so callers cannot pass zero or
negative values that would flip to an UP migration. Reference the functions
MigrateDownWithFS and MigrateDown and return early on invalid input.

[openshift-ci]

@neisw: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.