Upgrade github.com/google/ko to v0.18.1#9939

Merged
mattsanta merged 8 commits into GoogleContainerTools:main from ChrisGe4:chore-12-18 on Jan 7, 2026
Conversation

@ChrisGe4


Description

Upgrade github.com/google/ko to v0.18.1 to update the indirect dependency github.com/sigstore/timestamp-authority to v2.0.3 and address CVE-2025-66564.
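As an added example (not part of this PR or of skaffold's code), a small Go check for the property the description claims: that go.mod now requires github.com/sigstore/timestamp-authority at v2.0.3 or later. The go.mod excerpt is constructed, and `requiredVersion` and `versionAtLeast` are my own helpers, not a skaffold or ko API.

```go
package main

import "strconv"
import "strings"

// Constructed go.mod excerpt (not skaffold's real file): one patch short of the fixed v2.0.3.
const sampleGoMod = "module example.com/app\n\nrequire (\n\tgithub.com/google/ko v0.18.1\n\n\tgithub.com/sigstore/timestamp-authority v2.0.2 // indirect\n)\n"

// requiredVersion returns the version go.mod requires for modulePath (require block or single-line form).
func requiredVersion(gomod, modulePath string) (string, bool) {
	inRequire := false
	for _, line := range strings.Split(gomod, "\n") {
		if i := strings.Index(line, "//"); i >= 0 {
			line = line[:i] // drop "// indirect" and other comments
		}
		f := strings.Fields(line)
		switch {
		case len(f) == 0: // blank lines are legal inside a block
		case f[0] == ")":
			inRequire = false
		case f[0] == "require" && len(f) == 2 && f[1] == "(":
			inRequire = true
		case f[0] == "require" && len(f) == 3 && f[1] == modulePath:
			return f[2], true
		case inRequire && len(f) == 2 && f[0] == modulePath:
			return f[1], true
		}
	}
	return "", false
}

// versionAtLeast reports have >= min for vMAJOR.MINOR.PATCH strings; a "-" suffix (pre-release or pseudo-version) ranks below the plain release.
func versionAtLeast(have, min string) bool {
	parse := func(v string) (n [3]int, pre bool) {
		v = strings.TrimPrefix(v, "v")
		if i := strings.IndexAny(v, "-+"); i >= 0 {
			pre, v = v[i] == '-', v[:i]
		}
		for i, p := range strings.SplitN(v, ".", 3) {
			n[i], _ = strconv.Atoi(p)
		}
		return n, pre
	}
	h, hpre := parse(have)
	m, mpre := parse(min)
	if h != m {
		return h[0] > m[0] || h[0] == m[0] && (h[1] > m[1] || h[1] == m[1] && h[2] > m[2])
	}
	return !hpre || mpre
}
```

Run against the PR's real go.mod with `fixedIn = "v2.0.3"` the check should pass; against the constructed excerpt it fails, which is the state this PR is meant to leave behind.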

@gemini-code-assist


Summary of Changes

Hello @ChrisGe4, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request primarily focuses on enhancing security and maintaining up-to-date dependencies. It includes a critical upgrade of the github.com/google/ko module to mitigate a known CVE, alongside a general update of the Go language version and various other direct and indirect Go modules. A significant structural change involves the removal of previously vendored cloud.google.com/go/spanner related files, streamlining the project's dependency footprint.

Highlights

  • Dependency Upgrade: Upgraded the github.com/google/ko module to v0.18.1.
  • Security Fix: The github.com/google/ko upgrade addresses CVE-2025-66564 by updating the indirect dependency github.com/sigstore/timestamp-authority to v2.0.3.
  • Go Version Update: The Go language version used in the project and its examples has been updated from 1.19 to 1.23.0.
  • Dependency Cleanup: Removed a substantial amount of vendored code related to cloud.google.com/go/spanner and its sub-modules, indicating a shift in dependency management strategy or a major refactoring.
  • Other Dependency Updates: Numerous other direct and indirect Go dependencies have been updated to their latest versions, including github.com/docker/cli, github.com/google/go-containerregistry, go.opentelemetry.io/otel components, golang.org/x libraries, google.golang.org/grpc, and google.golang.org/protobuf.

@gemini-code-assist gemini-code-assist Bot left a comment


Code Review

This pull request upgrades github.com/google/ko to v0.18.1 and numerous other dependencies, which is crucial for addressing CVE-2025-66564 and maintaining the project's security and health. The update of Go versions in example modules is also a good step.

A significant change in this PR is the removal of a large number of vendored files, which suggests a move away from vendoring dependencies. This is a positive change for modernizing dependency management. However, this major change is not mentioned in the pull request description. For better maintainability and easier reviews in the future, I recommend providing a more comprehensive description that outlines all major changes, including dependency management strategy shifts and the full scope of dependency upgrades.

Comment thread: examples/grpc-e2e-tests/service/go.mod (Outdated)
module github.com/GoogleContainerTools/skaffold/v2/integration/examples/grpc-e2e-tests/service

go 1.19
go 1.23.0
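Review bot: the `go 1.23.0` line raises this example module's minimum toolchain to Go 1.23.0 and, since the directive is now at or above 1.22, opts the module into per-iteration loop-variable semantics, so everything that builds this example needs a matching toolchain: Go 1.21 and later fetch 1.23.0 on demand under the default GOTOOLCHAIN=auto, but a pre-1.21 toolchain rejects the three-part `1.23.0` form of the go directive outright. Consider stating the new minimum in the example's README and confirming that the CI image which runs the grpc-e2e-tests example is at 1.23.0 or newer.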


high

Upgrading the Go version from 1.19 to 1.23.0 is a significant jump. This could introduce breaking changes, for instance, the change in for loop variable semantics in Go 1.22. Please ensure that the example code is compatible with Go 1.23 and that all related tests are passing.

module github.com/GoogleContainerTools/skaffold/v2/integration/examples/grpc-e2e-tests/service

go 1.19
go 1.23.0
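Review bot: this hunk shows the same module path (`.../examples/grpc-e2e-tests/service`) and the same `go 1.19` to `go 1.23.0` change as the thread above, while the comment under it refers to "the other example module"; please confirm the thread is anchored on a distinct go.mod rather than a duplicate of the first, and keep the go directives of the example's modules in step with each other and with the CI toolchain.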


high

Similar to the other example module, upgrading the Go version from 1.19 to 1.23.0 is a significant jump. This could introduce breaking changes, for instance, the change in for loop variable semantics in Go 1.22. Please ensure that the example code is compatible with Go 1.23 and that all related tests are passing.

@ChrisGe4 ChrisGe4 marked this pull request as ready for review December 19, 2025 02:41
@ChrisGe4 ChrisGe4 requested a review from a team as a code owner December 19, 2025 02:41
@mattsanta mattsanta added the kokoro:force-run forces a kokoro re-run on a PR label Jan 7, 2026
@kokoro-team kokoro-team removed the kokoro:force-run forces a kokoro re-run on a PR label Jan 7, 2026
@mattsanta mattsanta merged commit 2923b22 into GoogleContainerTools:main Jan 7, 2026
12 checks passed
mattsanta pushed a commit to mattsanta/skaffold that referenced this pull request Jan 7, 2026
* Upgrade github.com/google/ko to v0.18.1

* Upgrade github.com/google/ko to v0.18.1 continue

* fix an issue in docker/auth.go

* fix go version issue in test

* revert go version changes in test

* update docker cli vendor files

* Trigger GitHub Actions
@mattsanta mattsanta mentioned this pull request Jan 7, 2026
mattsanta added a commit that referenced this pull request Jan 7, 2026
* chore: bump golang.org/x/crypto from 0.43.0 to 0.45.0 (#9917)

Bumps [golang.org/x/crypto](https://github.com/golang/crypto) from 0.43.0 to 0.45.0.
- [Commits](golang/crypto@v0.43.0...v0.45.0)

---
updated-dependencies:
- dependency-name: golang.org/x/crypto
  dependency-version: 0.45.0
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore: bump the github-actions group across 1 directory with 3 updates (#9934)

Bumps the github-actions group with 3 updates in the / directory: [actions/checkout](https://github.com/actions/checkout), [actions/cache](https://github.com/actions/cache) and [actions/upload-artifact](https://github.com/actions/upload-artifact).


Updates `actions/checkout` from 5 to 6
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](actions/checkout@v5...v6)

Updates `actions/cache` from 4 to 5
- [Release notes](https://github.com/actions/cache/releases)
- [Changelog](https://github.com/actions/cache/blob/main/RELEASES.md)
- [Commits](actions/cache@v4...v5)

Updates `actions/upload-artifact` from 5 to 6
- [Release notes](https://github.com/actions/upload-artifact/releases)
- [Commits](actions/upload-artifact@v5...v6)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-version: '6'
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: github-actions
- dependency-name: actions/cache
  dependency-version: '5'
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: github-actions
- dependency-name: actions/upload-artifact
  dependency-version: '6'
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: github-actions
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* ci: disabling kaniko integration tests due to kaniko service account permissions issue and fix github workflow (#9943)

disabling kaniko integration tests due to kaniko service account permissioning issue and fix github workflow

Co-authored-by: Darien-Lin <darienl@google.com>

* chore: upgrade golang to 1.25.5 (#9944)

* Upgrade github.com/google/ko to v0.18.1 (#9939)

* Upgrade github.com/google/ko to v0.18.1

* Upgrade github.com/google/ko to v0.18.1 continue

* fix an issue in docker/auth.go

* fix go version issue in test

* revert go version changes in test

* update docker cli vendor files

* Trigger GitHub Actions

---------

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Darien Lin <lind3686@gmail.com>
Co-authored-by: Darien-Lin <darienl@google.com>
Co-authored-by: Chris <chris.ge@live.com>
orospakr pushed a commit to orospakr/skaffold-spawnexec that referenced this pull request May 14, 2026