build(deps): bump the golang group across 2 directories with 2 updates

[dependabot]

Bumps the golang group with 1 update in the / directory: github.com/cert-manager/cert-manager.
Bumps the golang group with 1 update in the /tools/virtctl directory: kubevirt.io/kubevirt.

Updates github.com/cert-manager/cert-manager from 1.20.2 to 1.20.3

Release notes

Sourced from github.com/cert-manager/cert-manager's releases.

v1.20.3

cert-manager is the easiest way to automatically manage certificates in Kubernetes and OpenShift clusters.

This patch release fixes a security issue (GHSA-8rvj-mm4h-c258, HIGH) where the default cert-manager-edit aggregate ClusterRole granted namespace users permission to create ACME Challenge and Order resources directly. A user who could create a Challenge referencing a ClusterIssuer could supply attacker-controlled solver configuration while cert-manager loaded credentials from the ClusterIssuer's namespace, bypassing Issuer solver selectors (dnsZones, dnsNames, matchLabels). With the acme-dns provider specifically, this could disclose DNS credentials to an attacker-controlled endpoint.

This release also removes the issuer owner reference from Challenges which was blocking Challenge garbage collection, and updates Go to fix reported CVEs.

All users should upgrade.

[!WARNING] Potentially breaking change: The cert-manager-edit aggregate ClusterRole no longer grants create for challenges.acme.cert-manager.io or create, patch, update for orders.acme.cert-manager.io. These resources are internal to cert-manager's ACME workflow and are not intended to be created or modified directly by users. If you have tooling or workflows that create Challenge or Order resources directly (outside of the normal Certificate → CertificateRequest → Order → Challenge flow), you will need to grant those permissions explicitly.

Changes by Kind

Bug or Regression

• Security (HIGH): Remove Challenge create and Order create, patch, update verbs from the cert-manager-edit aggregate ClusterRole (GHSA-8rvj-mm4h-c258). (#8940, @​wallrj-cyberark)
• Remove issuer owner reference from challenges blocking challenge garbage collection (#8759, @​cert-manager-bot)

Other (Cleanup or Flake)

• Bump go to 1.26.3, other deps to fix several govulncheck issues (#8789, @​SgtCoDFish)
• Update Go to v1.26.4 to fix CVE-2026-27145, CVE-2026-42504, and CVE-2026-42507 (#8926, @​wallrj-cyberark)

Commits

• 1e1d16d Merge pull request #8940 from wallrj-cyberark/restrict-edit-clusterrole-rbac-...
• 6bda472 Restrict Challenge and Order verbs in aggregate edit ClusterRole
• 3428d65 Merge pull request #8926 from wallrj-cyberark/update-go-1.26.4-release-1.20
• b352e55 [release-1.20] Update Go to v1.26.4
• 725a401 Merge pull request #8899 from cert-manager/renovate/release-1.20-base-images
• 29ae077 chore(deps): update base images
• 0bca8fd Merge pull request #8817 from cert-manager/renovate/release-1.20-go-golang.or...
• 15988af chore(deps): update module golang.org/x/net to v0.55.0 [security]
• 27414f9 Merge pull request #8818 from cert-manager/renovate/release-1.20-go-golang.or...
• 136b418 fix(deps): update module golang.org/x/crypto to v0.52.0 [security]
• Additional commits viewable in compare view

Updates kubevirt.io/kubevirt from 1.7.3 to 1.8.4

Release notes

Sourced from kubevirt.io/kubevirt's releases.

v1.8.4

tag v1.8.4 Tagger: Federico Fossemo ffossemo@redhat.com

This release follows v1.8.3 and consists of 31 changes, contributed by 12 people, leading to 60 files changed, 1901 insertions(+), 475 deletions(-).

The source code and selected binaries are available for download at: https://github.com/kubevirt/kubevirt/releases/tag/v1.8.4.

The primary release artifact of KubeVirt is the git tree. The release tag is signed and can be verified using git tag -v v1.8.4.

Pre-built containers are published on Quay and can be viewed at: https://quay.io/kubevirt/.

Notable changes

• [PR #17987][Ronilerr] Adding missing metrics, recording rules and alerts for virt components
• [PR #17962][UdayYendva] Bump github.com/moby/spdystream from v0.5.0 to v0.5.1 to address CVE-2026-35469 (GHSA-pc3f-x583-g7j2).
• [PR #18059][kubevirt-bot] Use --expand-cpu-features and --supported-cpu-features in node-labeller for
• [PR #18031][SamAlber] Fixed a gRPC connection leak in virt-handler's GetLauncherClient that caused unbounded memory growth, socket accumulation, and goroutine leaks when multiple controllers raced to create connections for the same VMI.

Contributors

12 people contributed to this release:

6 ronilerr rrabinov@redhat.com 3 Adi Aloni aaloni@redhat.com 2 Samuel Albershtein salbersh@redhat.com 2 bmordeha bmordeha@redhat.com 1 Javier Cano Cano jcanocan@redhat.com 1 Lee Yarwood lyarwood@redhat.com 1 Or Shoval oshoval@redhat.com 1 Oren Cohen ocohen@redhat.com 1 Uday Yendava uyendava@redhat.com 1 fossedihelm ffossemo@redhat.com

Additional Resources

• Mailing list: https://groups.google.com/forum/#!forum/kubevirt-dev
• Slack: https://kubernetes.slack.com/messages/virtualization
• An easy to use demo: https://github.com/kubevirt/demo
• How to contribute
• License

--- -----BEGIN PGP SIGNATURE-----

iHUEABYKAB0WIQT336LhfFzgGMwYm4OriYWHZ3eqPAUCai/AYwAKCRCriYWHZ3eq

... (truncated)

Commits

• dfaa398 Merge pull request #17901 from dasionov/backport/16759-to-release-1.8
• 3509dc6 Merge pull request #17662 from kubevirt-bot/cherry-pick-17401-to-release-1.8
• 85be67f Merge pull request #17987 from Ronilerr/release-1.8-virt-aligment-alerts
• dbf6eca Merge pull request #18055 from kubevirt-bot/cherry-pick-17469-to-release-1.8
• 796e60a Merge pull request #17639 from kubevirt-bot/cherry-pick-17481-to-release-1.8
• b14f28a Merge pull request #18056 from kubevirt-bot/cherry-pick-17690-to-release-1.8
• 94e3b1f Merge pull request #17991 from kubevirt-bot/cherry-pick-17763-to-release-1.8
• 2719f44 Merge pull request #18078 from kubevirt-bot/cherry-pick-17743-to-release-1.8
• 3445ac2 Merge pull request #17962 from UdayYendva/release-1.8
• 6646d1c chore(tests): Add missing virtiofs decorator
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

[openshift-ci]

Hi @dependabot[bot]. Thanks for your PR.

I'm waiting for a trusted-execution-clusters member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work.

Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[Jakob-Naucke]

/ok-to-test

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: dependabot[bot], Jakob-Naucke

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment