
go.mod: Migrate to sigs.k8s.io/prow, remove vendored third_party/ #576

Merged
justaugustus merged 3 commits into uwu-tools:main from justaugustus:prow-import-refactor
Apr 14, 2026

@justaugustus justaugustus commented Apr 14, 2026

Summary

  • Replace vendored third_party/k8s.io/test-infra/prow/ packages with direct imports from sigs.k8s.io/prow/pkg/
  • Delete entire third_party/ directory (~13,000 lines of vendored code, 57 files)
  • Align transitive k8s dependencies to the k8s 0.32 stack that prow requires
  • Upgrade go-jose/v4 to fix high-severity vulnerability (GHSA-78h2-9frx-2jm8)
  • Drop unnecessary replace statement from go.mod

Context

Peribolos has vendored prow packages under third_party/ since March 2023 (aa185b2), originally copied from kubernetes/test-infra at commit d6acd1068fe6. After prow moved to its own repo (kubernetes-sigs/prow) in April 2024, the vendored code became unnecessary.

Why this is safe

The only local modifications to the vendored code (19662c2) were mechanical sets.String → sets.Set[string] backports from upstream test-infra PRs (#27793, #30041). These changes are already present in sigs.k8s.io/prow. No project-specific customizations exist.

Import mapping

| Vendored path | New import |
| --- | --- |
| .../third_party/k8s.io/test-infra/prow/config/org | sigs.k8s.io/prow/pkg/config/org |
| .../third_party/k8s.io/test-infra/prow/github | sigs.k8s.io/prow/pkg/github |
| .../third_party/k8s.io/test-infra/prow/flagutil | sigs.k8s.io/prow/pkg/flagutil |
| .../third_party/k8s.io/test-infra/prow/logrusutil | sigs.k8s.io/prow/pkg/logrusutil |

Dependency changes

  • Added sigs.k8s.io/prow v0.0.0-20260410153622-c210e98febf6
  • Upgraded go directive: 1.25.0 → 1.25.8 (prow minimum)
  • Aligned k8s.io/apimachinery to v0.32.9 (matches prow's k8s 0.32 stack)
  • Downgraded google/gnostic-models to v0.6.9 (resolves yaml type conflict)
  • Upgraded go-jose/v4 4.1.3 → 4.1.4 (fixes GHSA-78h2-9frx-2jm8)
  • Dropped unnecessary replace directive

Supersedes #338.

CI notes

Test plan

  • go build ./... passes
  • go test ./... passes (all existing tests)
  • go mod tidy is clean
  • No references to third_party/ remain in source code
  • CI: build, test, CodeQL, DCO, zizmor, codecov/patch all pass
  • CI: dependency-review passes (go-jose vulnerability fixed)
  • CI: codecov/project — pre-existing failure, not caused by this PR

🤖 Generated with Claude Code

Replace vendored third_party/k8s.io/test-infra/prow/ packages with
direct imports from sigs.k8s.io/prow/pkg/. This removes ~13,000 lines
of vendored code that was originally copied from kubernetes/test-infra
at commit d6acd1068fe6 (March 2023).

What changed:
- Rewrite all imports in 13 source files from vendored paths to
  sigs.k8s.io/prow/pkg/{config/org,github,flagutil,logrusutil}
- Add sigs.k8s.io/prow v0.0.0-20260410153622-c210e98febf6 to go.mod
- Delete entire third_party/ directory (57 files of vendored code)
- Upgrade go directive from 1.25.0 to 1.25.8 (prow minimum)
- Align k8s.io/apimachinery to v0.32.9 (matches prow's k8s 0.32 stack)
- Downgrade google/gnostic-models to v0.6.9 (resolves yaml type conflict)

Why this is safe:
- The only local patches to vendored code (commit 19662c2) were
  mechanical sets.String → sets.Set[string] backports from upstream
  test-infra PRs #27793 and #30041, already present in sigs.k8s.io/prow
- No Bloomberg or project-specific customizations existed
- All tests pass, build is clean

Supersedes: uwu-tools#338

Signed-off-by: Stephen Augustus <foo@auggie.dev>
Co-Authored-By: Claude <noreply@anthropic.com>
Signed-off-by: Stephen Augustus <foo@auggie.dev>
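
The import mapping and the "No references to third_party/ remain in source code" check from the description above can be verified mechanically. The following is an added example, not code from this PR or from the prow project: the function names, the sample file and the `example.invalid/mod` module prefix are assumptions made for illustration, and the matcher keys on the vendored path segment because the page elides the module prefix.

```go
package main

import (
	"fmt"
	"go/parser"
	"go/token"
	"strconv"
	"strings"
)

const vendoredMarker = "/third_party/k8s.io/test-infra/prow/" // segment shared by the vendored paths
const upstreamPrefix = "sigs.k8s.io/prow/pkg/"                // upstream root that replaces it
// Constructed sample file; example.invalid/mod is a placeholder module path.
const sampleSource = `package sample
import (
	"example.invalid/mod/third_party/k8s.io/test-infra/prow/config/org"
	gh "example.invalid/mod/third_party/k8s.io/test-infra/prow/github"
	"sigs.k8s.io/prow/pkg/flagutil"
)
`

// RewriteImport maps a vendored import path to its sigs.k8s.io/prow path.
func RewriteImport(path string) (string, bool) {
	if _, rest, ok := strings.Cut(path, vendoredMarker); ok {
		return upstreamPrefix + rest, true
	}
	return "", false
}

// FindVendoredImports reports "file:line: old -> new" for import declarations only.
func FindVendoredImports(name string, src []byte) ([]string, error) {
	fset := token.NewFileSet()
	f, err := parser.ParseFile(fset, name, src, parser.ImportsOnly)
	if err != nil {
		return nil, err
	}
	var out []string
	for _, spec := range f.Imports {
		path, _ := strconv.Unquote(spec.Path.Value) // literal already validated by the parser
		if repl, ok := RewriteImport(path); ok {
			out = append(out, fmt.Sprintf("%s:%d: %s -> %s", name, fset.Position(spec.Pos()).Line, path, repl))
		}
	}
	return out, nil
}

func main() {
	out, _ := FindVendoredImports("sample.go", []byte(sampleSource))
	fmt.Println(strings.Join(out, "\n"))
}
```

Because only import declarations are parsed, comments and string literals that mention third_party/ are not reported, so an empty result across the tree means no package still compiles against the vendored copy.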
@justaugustus justaugustus requested a review from a team as a code owner April 14, 2026 11:48
@kusari-inspector

⚠️ Workspace Mapping Required

Hello! We noticed that your GitHub organization is not yet mapped to a Kusari workspace. Kusari Inspector now requires installations to be associated with a Kusari workspace.

⚠️ NOTE: Only the admin who installed the Kusari GitHub App can complete these steps. If the admin is unable to complete these steps, please contact support@kusari.dev

To complete the setup:

  1. Visit https://console.us.kusari.cloud/auth/github and log in via github
  2. If you have only one workspace, it will be automatically selected for you
  3. Once the mapping is complete, return here and create a new comment with: @kusari-inspector re-run

This will trigger the analysis to run again.

For more information, or if you need help, visit https://github.com/kusaridev/community/discussions


codecov Bot commented Apr 14, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 46.73%. Comparing base (9c06520) to head (6fd5b15).
⚠️ Report is 211 commits behind head on main.

Additional details and impacted files
@@             Coverage Diff             @@
##             main     #576       +/-   ##
===========================================
- Coverage   59.70%   46.73%   -12.97%     
===========================================
  Files           7       15        +8     
  Lines        1144     1226       +82     
===========================================
- Hits          683      573      -110     
- Misses        424      616      +192     
  Partials       37       37               

justaugustus and others added 2 commits April 14, 2026 07:59
Signed-off-by: Stephen Augustus <foo@auggie.dev>
Upgrade github.com/go-jose/go-jose/v4 from 4.1.3 to 4.1.4 to fix
a high-severity JWE decryption panic vulnerability flagged by the
dependency-review CI check.

ref: GHSA-78h2-9frx-2jm8

Signed-off-by: Stephen Augustus <foo@auggie.dev>
Co-Authored-By: Claude <noreply@anthropic.com>
Signed-off-by: Stephen Augustus <foo@auggie.dev>
@justaugustus justaugustus merged commit a855f68 into uwu-tools:main Apr 14, 2026
9 of 11 checks passed
@justaugustus justaugustus mentioned this pull request Apr 14, 2026