NO-JIRA: Bump go-jose dependency

[rh-roman]

Bumping dependency to stay current.

Also, new version of go-jose (4.1.4) addresses CVE-2026-34986. The vulnerable code isn't in the execution path though because oc doesn't handle JWE tokens.

Summary by CodeRabbit

• Chores
  • Updated OpenID Connect and JWT handling library dependencies to the latest versions for improved stability and compatibility.

[openshift-ci-robot]

@rh-roman: This pull request explicitly references no jira issue.

Details

In response to this:

Bumping dependency to stay current.

Also, new version of go-jose (4.1.4) addresses CVE-2026-34986. The vulnerable code isn't in the execution path though because oc doesn't handle JWE tokens.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: ea49ba7d-45dc-4e13-9f12-ebc4d5b28900

📥 Commits

Reviewing files that changed from the base of the PR and between 6ac0669 and 3b58b08.

⛔ Files ignored due to path filters (5)

• go.sum is excluded by !**/*.sum
• vendor/github.com/go-jose/go-jose/v4/asymmetric.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/go-jose/go-jose/v4/cipher/key_wrap.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/go-jose/go-jose/v4/symmetric.go is excluded by !vendor/**, !**/vendor/**
• vendor/modules.txt is excluded by !vendor/**, !**/vendor/**

📒 Files selected for processing (1)

• go.mod

---

Walkthrough

Go module dependencies are bumped: github.com/coreos/go-oidc/v3 to v3.18.0 and its indirect transitive dependency github.com/go-jose/go-jose/v4 to v4.1.4.

Changes

Dependency Version Bumps

Layer / File(s)	Summary
Module Dependencies go.mod	github.com/coreos/go-oidc/v3 upgraded from v3.17.0 to v3.18.0; indirect github.com/go-jose/go-jose/v4 upgraded from v4.1.3 to v4.1.4.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

🚥 Pre-merge checks | ✅ 12

✅ Passed checks (12 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title references bumping the go-jose dependency, which is the main change in the changeset. However, it only partially captures the complete scope—the PR also bumps go-oidc/v3, which is the primary dependency being updated.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names	✅ Passed	PR only modifies go.mod/go.sum dependencies. No Ginkgo test files were modified, added, or created. The check for stable test names is not applicable to this change.
Test Structure And Quality	✅ Passed	PR is a dependency bump with no test modifications. All test files are newly added, not modified. Ginkgo test review check is inapplicable.
Microshift Test Compatibility	✅ Passed	PR only bumps go-jose/go-oidc dependencies. Existing e2e tests were not added in this PR and already have proper MicroShift guards. Check is not applicable.
Single Node Openshift (Sno) Test Compatibility	✅ Passed	This PR only updates Go module dependencies (go-jose/v4 to v4.1.4) and is not applicable to this check. No new Ginkgo e2e tests are added; test files use standard Go testing framework.
Topology-Aware Scheduling Compatibility	✅ Passed	PR only updates Go dependencies (go-oidc/v3, go-jose/v4). The check applies only to manifest/operator/controller code changes, which this PR does not include.
Ote Binary Stdout Contract	✅ Passed	Only dependency version updates in go.mod/go.sum. No process-level stdout writes. Existing klog defaults to stderr output, compliant with OTE binary stdout contract requirements.
Ipv6 And Disconnected Network Test Compatibility	✅ Passed	This PR only updates Go module dependencies (go-oidc/v3 and go-jose/v4 versions) with no new Ginkgo e2e tests added. The custom check does not apply.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

Tip

💬 Introducing Slack Agent: The best way for teams to turn conversations into code.

Slack Agent is built on CodeRabbit's deep understanding of your code, so your team can collaborate across the entire SDLC without losing context.

• Generate code and open pull requests
• Plan features and break down work
• Investigate incidents and troubleshoot customer tickets together
• Automate recurring tasks and respond to alerts with triggers
• Summarize progress and report instantly

Built for teams:

• Shared memory across your entire org—no repeating context
• Per-thread sandboxes to safely plan and execute work
• Governance built-in—scoped access, auditability, and budget controls

One agent for your entire SDLC. Right inside Slack.

👉 Get started

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: rh-roman
Once this PR has been reviewed and has the lgtm label, please assign ardaguclu for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[openshift-ci]

@rh-roman: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/e2e-aws-oc-ote-serial	3b58b08	link	false	/test e2e-aws-oc-ote-serial
ci/prow/e2e-aws-ovn-upgrade	3b58b08	link	true	/test e2e-aws-ovn-upgrade

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.