chore: update go version to 1.26.1

[Skarlso]

Problem Statement

What is the problem you're trying to solve?

Related Issue

Fixes #...

Proposed Changes

How do you like to solve the issue and why?

Format

Please ensure that your PR follows the following format for the title:

feat(scope): add new feature
fix(scope): fix bug
docs(scope): update documentation
chore(scope): update build tool or dependencies
ref(scope): refactor code
clean(scope): provider cleanup
test(scope): add tests
perf(scope): improve performance
desig(scope): improve design

Where scope is optionally one of:

• charts
• release
• testing
• security
• templating

Checklist

• I have read the contribution guidelines
• All commits are signed with git commit --signoff
• My changes have reasonable test coverage
• All tests pass with make test
• I ensured my PR is ready for review with make reviewable

Summary

Update Go toolchain from 1.25.7 to 1.26.1 across the repository, bump CI linter, and apply related lint/comment, test, allocation, and documentation edits.

Changes

• Bumped Go version to 1.26.1 in root go.mod and many module go.mod files (apis, runtime, e2e, generators, providers, etc.).
• Updated builder base images to golang:1.26.1 in Dockerfiles (Dockerfile.standalone, e2e/Dockerfile, tilt.debug.dockerfile) with updated digests.
• CI/tooling:
  • Bumped golangci-lint version (v2.4.0 → v2.11.3) in .github/workflows/ci.yml and Makefile.
  • Reduced LINT_JOBS default in Makefile.
• Linter-related edits: added/removed/suppressed various nolint/gosec/prealloc annotations across multiple files to satisfy new lint rules.
• Tests:
  • Adjusted error comparison in a vault provider test to explicit nil-check and string compare (removed EquateErrors).
  • Relaxed a strict test because Go 1.26's duration parser returns an unexported error type; matching logic was fixed accordingly.
• CRDs/docs: added deprecation notices and description updates in numerous CRD YAMLs and docs (purely descriptive).
• Minor code edits: allocation/preallocation tweaks (make(..., 0, N)), small slice-capacity optimizations, a few formatting/comment-only changes, and added nolint directives where appropriate.
• Misc: author posted /ok-to-test, iterated to fix parsing/test failures introduced by Go 1.26 and updated related linter changes.

Impact

• No public API/signature changes detected.
• Primary effects are on build/tooling and CI (Go 1.26.1 toolchain, updated Docker base images, updated linter). Tests and lint adjustments were made to accommodate Go 1.26 behavior changes.

[Skarlso]

/ok-to-test sha=d46f27535bc43cdddc266f208e778cf0111afb44

[coderabbitai]

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

• @coderabbitai resume to resume automatic reviews.
• @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

• ▶️ Resume reviews
• 🔍 Trigger review

Walkthrough

Bumps Go toolchain and Docker builder images to 1.26.1, upgrades golangci-lint and reduces lint parallelism, adds CRD deprecation messages and small docs edits, and applies targeted nolint comments and slice preallocation/allocation-style changes. No public API signatures or CRD schemas were functionally changed.

Changes

Cohort / File(s)	Summary
Docker builder images Dockerfile.standalone, e2e/Dockerfile, tilt.debug.dockerfile	Builder base images updated from golang:1.25.7 variants to golang:1.26.1 (sha digests/variants updated).
Top-level & core modules go.mod, apis/go.mod, e2e/go.mod, runtime/go.mod	go directive bumped 1.25.7 → 1.26.1.
Generator modules generators/v1/.../go.mod	All generator module go directives updated to 1.26.1 across generator packages.
Provider modules providers/v1/.../go.mod	All provider module go directives updated to 1.26.1 across provider packages.
CI / Makefile .github/workflows/ci.yml, Makefile	golangci-lint version bumped (v2.4.0 → v2.11.3) and LINT_JOBS default reduced (20 → 1).
CRDs & docs config/crds/..., deploy/crds/bundle.yaml, docs/api/spec.md	Added deprecation notices and minor formatting edits to CRD description strings and docs; no schema/type validation changes.
Lint suppressions & annotations cmd/esoctl/generator/bootstrap.go, generators/v1/vault/vault.go, providers/v1/cloudru/secretmanager/endpoints.go, providers/v1/conjur/fake/fake.go	Added or removed //nolint annotations around file/HTTP/json calls and local initializations to silence specific linters.
Slice preallocation & allocation-style changes cmd/controller/certcontroller.go, pkg/controllers/..., providers/v1/onepassword/onepassword.go, providers/v1/previder/client_test.go, providers/v1/..._test.go	Preallocated slice capacities and related nolint adjustments; allocation optimizations only (no behavioral changes).
Vault code & tests providers/v1/vault/client_get.go, providers/v1/vault/provider_test.go	Rewrote intermediate slice construction for buildPath (allocation/style) and changed test error comparison from diff-based to explicit nil/string checks.

Possibly related PRs

• chore: bump golang to 1.25.7 because of cve #5938 — Repository-wide Go toolchain and Docker builder image bumps (same go.mod and Dockerfile version updates).
• chore(lint): enable concurrent execution for the linter and enable formatters #5752 — CI and lint configuration changes (golangci-lint version bump and Makefile lint parallelism adjustments).
• fix: a lot of sonar issue fixes #5771 — Changes touching generator bootstrap code (overlaps with nolint and generator bootstrap edits in cmd/esoctl/generator/bootstrap.go).

📝 Coding Plan

• Generate coding plan for human review comments

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

Tip

You can generate walkthrough in a markdown collapsible section to save space.

Enable the reviews.collapse_walkthrough setting to generate walkthrough in a markdown collapsible section.

[Skarlso]

This actually needs my linter update PR changes as well. Ugh.

[coderabbitai]

Actionable comments posted: 1

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

tilt.debug.dockerfile (1)

1-5: ⚠️ Potential issue | 🟠 Major

Upgrade Delve to a Go 1.26-compatible version.

Line 1 uses Go 1.26.1, but Line 5 pins dlv@v1.22.0. Delve 1.22 does not support Go 1.26; support was added in Delve 1.26.0. This version mismatch will cause debugger incompatibility with binaries built on this toolchain.

🔧 Proposed fix

-RUN go install github.com/go-delve/delve/cmd/dlv@v1.22.0 && chmod +x /go/bin/dlv && mv /go/bin/dlv /
+RUN go install github.com/go-delve/delve/cmd/dlv@v1.26.1 && chmod +x /go/bin/dlv && mv /go/bin/dlv /

Reference: https://github.com/go-delve/delve/blob/master/CHANGELOG.md#1260-2025-12-18

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@tilt.debug.dockerfile` around lines 1 - 5, The Dockerfile pins Delve to an
incompatible version (dlv@v1.22.0) for Go 1.26.1; update the RUN instruction
that installs Delve so it uses a Go-1.26-compatible release (e.g., dlv@v1.26.0
or newer) — locate the RUN line that calls "go install
github.com/go-delve/delve/cmd/dlv@v1.22.0" and change the version token to
v1.26.0+ so the installed dlv binary matches the Go 1.26 toolchain.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@providers/v1/github/go.mod`:
- Line 3: Update the Go version string in the module template: find the template
file named "go.mod.tmpl" and replace the existing directive "go 1.25.3" with "go
1.26.1" so generated go.mod files match the repo-wide go 1.26.1 setting.

---

Outside diff comments:
In `@tilt.debug.dockerfile`:
- Around line 1-5: The Dockerfile pins Delve to an incompatible version
(dlv@v1.22.0) for Go 1.26.1; update the RUN instruction that installs Delve so
it uses a Go-1.26-compatible release (e.g., dlv@v1.26.0 or newer) — locate the
RUN line that calls "go install github.com/go-delve/delve/cmd/dlv@v1.22.0" and
change the version token to v1.26.0+ so the installed dlv binary matches the Go
1.26 toolchain.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: aa2cf82e-414d-48d5-ba38-5c8182f7735a

📥 Commits

Reviewing files that changed from the base of the PR and between 3b3cf7a and d46f275.

📒 Files selected for processing (60)

• Dockerfile.standalone
• apis/go.mod
• e2e/Dockerfile
• e2e/go.mod
• generators/v1/acr/go.mod
• generators/v1/cloudsmith/go.mod
• generators/v1/ecr/go.mod
• generators/v1/fake/go.mod
• generators/v1/gcr/go.mod
• generators/v1/github/go.mod
• generators/v1/grafana/go.mod
• generators/v1/mfa/go.mod
• generators/v1/password/go.mod
• generators/v1/quay/go.mod
• generators/v1/sshkey/go.mod
• generators/v1/sts/go.mod
• generators/v1/uuid/go.mod
• generators/v1/vault/go.mod
• generators/v1/webhook/go.mod
• go.mod
• providers/v1/akeyless/go.mod
• providers/v1/aws/go.mod
• providers/v1/azure/go.mod
• providers/v1/barbican/go.mod
• providers/v1/beyondtrust/go.mod
• providers/v1/bitwarden/go.mod
• providers/v1/chef/go.mod
• providers/v1/cloudru/go.mod
• providers/v1/conjur/go.mod
• providers/v1/delinea/go.mod
• providers/v1/doppler/go.mod
• providers/v1/dvls/go.mod
• providers/v1/fake/go.mod
• providers/v1/fortanix/go.mod
• providers/v1/gcp/go.mod
• providers/v1/github/go.mod
• providers/v1/gitlab/go.mod
• providers/v1/ibm/go.mod
• providers/v1/infisical/go.mod
• providers/v1/keepersecurity/go.mod
• providers/v1/kubernetes/go.mod
• providers/v1/nebius/go.mod
• providers/v1/ngrok/go.mod
• providers/v1/onboardbase/go.mod
• providers/v1/onepassword/go.mod
• providers/v1/onepasswordsdk/go.mod
• providers/v1/oracle/go.mod
• providers/v1/passbolt/go.mod
• providers/v1/passworddepot/go.mod
• providers/v1/previder/go.mod
• providers/v1/pulumi/go.mod
• providers/v1/scaleway/go.mod
• providers/v1/secretserver/go.mod
• providers/v1/senhasegura/go.mod
• providers/v1/vault/go.mod
• providers/v1/volcengine/go.mod
• providers/v1/webhook/go.mod
• providers/v1/yandex/go.mod
• runtime/go.mod
• tilt.debug.dockerfile

[coderabbitai]

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "== go.mod directives =="
fd 'go\.mod$' -x sh -c 'printf "\n%s\n" "$1"; rg -n "^go " "$1"' sh {}

echo
echo "== Docker/Tilt images using Go 1.26.1 =="
rg -n 'golang:1\.26\.1|go1\.26\.1|go-version:\s*["'\'']?1\.26\.1' -g '!**/vendor/**'

echo
echo "== Any remaining old 1.25.x references =="
rg -n '1\.25\.[0-9]+' -g '!**/vendor/**' || true

Repository: external-secrets/external-secrets

Length of output: 4322

---

Update the Go module template to maintain repo-wide consistency.

Module directives and Docker images are properly aligned to go 1.26.1. However, cmd/esoctl/generator/templates/go.mod.tmpl still references go 1.25.3. Update the template to go 1.26.1 to ensure generated modules remain consistent with the rest of the codebase.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@providers/v1/github/go.mod` at line 3, Update the Go version string in the
module template: find the template file named "go.mod.tmpl" and replace the
existing directive "go 1.25.3" with "go 1.26.1" so generated go.mod files match
the repo-wide go 1.26.1 setting.

[eso-service-account-app]

[Bot] - ✅ e2e for d46f27535bc43cdddc266f208e778cf0111afb44 passed

[coderabbitai]

Actionable comments posted: 4

🧹 Nitpick comments (2)

cmd/esoctl/generator/bootstrap.go (1)

226-226: Consider centralizing repeated os.WriteFile + nolint into a helper.

Same write/suppression pattern appears in six places. A small helper keeps the rationale and file-mode policy in one audited path.

♻️ Proposed refactor

+func writeInternalFile(path string, data []byte) error {
+	//nolint:gosec // internal generator target paths
+	return os.WriteFile(filepath.Clean(path), data, 0o600)
+}
...
-	if err := os.WriteFile(filepath.Clean(registerFile), []byte(strings.Join(newLines, "\n")), 0o600); err != nil { //nolint:gosec // paths are constructed internally, not from user input
+	if err := writeInternalFile(registerFile, []byte(strings.Join(newLines, "\n"))); err != nil {
 		return err
 	}

Also applies to: 310-310, 373-373, 448-448, 514-514, 566-566

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@cmd/esoctl/generator/bootstrap.go` at line 226, Several places (including the
write at registerFile in bootstrap.go and the other occurrences) repeat
os.WriteFile(..., 0o600) with a //nolint:gosec comment; extract this pattern
into a single helper like writePrivateFile(path string, data []byte) error that
encapsulates filepath.Clean, the 0o600 mode, and the nolint justification in its
implementation, then replace the six direct os.WriteFile calls (the call writing
registerFile and the ones at the other noted locations) with calls to that
helper so the file-mode policy and gosec suppression are centralized and audited
in one place; update callers to pass []byte(strings.Join(..., "\n")) or the
appropriate byte slice.

providers/v1/cloudru/secretmanager/endpoints.go (1)

47-52: Use a bounded-timeout client instead of http.DefaultClient.

Line 52 can block indefinitely on slow or broken networks. The SSRF guard is properly in place; add an explicit timeout when executing the HTTP request.

Suggested change

 import (
 	"encoding/json"
 	"fmt"
 	"net/http"
+	"time"
 )
...
-	resp, err := http.DefaultClient.Do(req) //nolint:gosec // URL is validated against EndpointsURI above
+	client := &http.Client{Timeout: 10 * time.Second}
+	resp, err := client.Do(req)
 	if err != nil {
 		return nil, fmt.Errorf("get cloud.ru endpoints: %w", err)
 	}

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@providers/v1/cloudru/secretmanager/endpoints.go` around lines 47 - 52,
Replace use of http.DefaultClient.Do(req) with an explicit http.Client that has
a bounded Timeout and use that client to execute the request; change the call
site that currently constructs req and calls http.DefaultClient.Do(req) to
create a client like &http.Client{Timeout: <reasonable duration>} and call
client.Do(req) (also add the time import). Keep the existing SSRF validation
around EndpointsURI and ensure the variable names req and resp are preserved.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@config/crds/bases/external-secrets.io_clustersecretstores.yaml`:
- Line 5129: Update the deprecation guidance string that currently references
"serviceAccountRef.Audiences" to use YAML/manifest casing
"serviceAccountRef.audiences" so it matches CR manifest keys; locate the
deprecation message text (the string containing "Deprecated: use
serviceAccountRef.Audiences") in the clustersecretstores manifest and replace
the field reference in that message (and the analogous occurrence around lines
9818) to "serviceAccountRef.audiences".

In `@deploy/crds/bundle.yaml`:
- Around line 6861-6865: The deprecation note incorrectly references
"serviceAccountRef.Audiences" (PascalCase) which doesn't match CR manifest
JSON/YAML paths; update the text to use the manifest path
"serviceAccountRef.audiences" instead. Replace the string in the shown diff and
the other reported occurrences (around lines 11207-11211, 18620-18624,
22966-22970, 25645-25649, 28332-28336) so the deprecation message is directly
usable by manifest authors and consistently uses the lowercase dot-separated
path.
- Around line 6871-6876: Update the deprecation text for the "expiration"
description so it directs users to the concrete replacement field/path (similar
to how the "audiences" note does) instead of just saying it will be removed;
specifically, change the sentence after the description of serviceAccountRef to
"Deprecated: use <CONCRETE_SUCCESSOR_FIELD_PATH> instead." and apply the same
precise migration-oriented message to the other occurrences mentioned (lines
around the other ranges), referencing the same successor path and keeping the
default/timeout note intact.
- Around line 665-669: The CRD description for the field named namespaceSelector
currently points users to the Go-field spelling "NamespaceSelectors" and also
uses an incorrect "namespaces" sentence; update the description text to
reference the manifest key exactly as `namespaceSelectors` (lower camel case,
matching what users write in YAML) and adjust the preceding sentence that
mentions "namespaces" to the correct `namespaceSelectors` key; make the same
wording change in the other occurrences of this deprecation guidance (the two
additional description blocks with the same message).

---

Nitpick comments:
In `@cmd/esoctl/generator/bootstrap.go`:
- Line 226: Several places (including the write at registerFile in bootstrap.go
and the other occurrences) repeat os.WriteFile(..., 0o600) with a //nolint:gosec
comment; extract this pattern into a single helper like writePrivateFile(path
string, data []byte) error that encapsulates filepath.Clean, the 0o600 mode, and
the nolint justification in its implementation, then replace the six direct
os.WriteFile calls (the call writing registerFile and the ones at the other
noted locations) with calls to that helper so the file-mode policy and gosec
suppression are centralized and audited in one place; update callers to pass
[]byte(strings.Join(..., "\n")) or the appropriate byte slice.

In `@providers/v1/cloudru/secretmanager/endpoints.go`:
- Around line 47-52: Replace use of http.DefaultClient.Do(req) with an explicit
http.Client that has a bounded Timeout and use that client to execute the
request; change the call site that currently constructs req and calls
http.DefaultClient.Do(req) to create a client like &http.Client{Timeout:
<reasonable duration>} and call client.Do(req) (also add the time import). Keep
the existing SSRF validation around EndpointsURI and ensure the variable names
req and resp are preserved.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 7e39731b-30ba-4a13-b8f2-895f00b577bd

📥 Commits

Reviewing files that changed from the base of the PR and between d46f275 and 4185eed.

📒 Files selected for processing (29)

• .github/workflows/ci.yml
• Makefile
• apis/externalsecrets/v1/clusterexternalsecret_types.go
• apis/externalsecrets/v1/secretstore_vault_types.go
• apis/externalsecrets/v1beta1/clusterexternalsecret_types.go
• apis/externalsecrets/v1beta1/secretstore_vault_types.go
• cmd/controller/certcontroller.go
• cmd/esoctl/generator/bootstrap.go
• config/crds/bases/external-secrets.io_clusterexternalsecrets.yaml
• config/crds/bases/external-secrets.io_clustersecretstores.yaml
• config/crds/bases/external-secrets.io_secretstores.yaml
• config/crds/bases/generators.external-secrets.io_clustergenerators.yaml
• config/crds/bases/generators.external-secrets.io_vaultdynamicsecrets.yaml
• deploy/crds/bundle.yaml
• docs/api/spec.md
• generators/v1/vault/vault.go
• pkg/controllers/clusterexternalsecret/clusterexternalsecret_controller.go
• pkg/controllers/clusterexternalsecret/clusterexternalsecret_controller_test.go
• pkg/controllers/clusterpushsecret/clusterpushsecret_controller.go
• pkg/controllers/clusterpushsecret/clusterpushsecret_controller_test.go
• providers/v1/cloudru/secretmanager/endpoints.go
• providers/v1/conjur/fake/fake.go
• providers/v1/infisical/api/api_test.go
• providers/v1/nebius/mysterybox/validation_test.go
• providers/v1/onepassword/onepassword.go
• providers/v1/previder/client_test.go
• providers/v1/scaleway/client.go
• providers/v1/secretserver/client_test.go
• providers/v1/vault/client_get.go

✅ Files skipped from review due to trivial changes (13)

• providers/v1/secretserver/client_test.go
• providers/v1/scaleway/client.go
• apis/externalsecrets/v1/secretstore_vault_types.go
• apis/externalsecrets/v1beta1/secretstore_vault_types.go
• providers/v1/conjur/fake/fake.go
• providers/v1/nebius/mysterybox/validation_test.go
• apis/externalsecrets/v1beta1/clusterexternalsecret_types.go
• apis/externalsecrets/v1/clusterexternalsecret_types.go
• generators/v1/vault/vault.go
• pkg/controllers/clusterpushsecret/clusterpushsecret_controller.go
• config/crds/bases/external-secrets.io_secretstores.yaml
• docs/api/spec.md
• config/crds/bases/generators.external-secrets.io_vaultdynamicsecrets.yaml

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

Use manifest field casing in deprecation guidance.

The deprecation message points to serviceAccountRef.Audiences, but in CR manifests the field is serviceAccountRef.audiences. Using the YAML key casing avoids user confusion.

✏️ Suggested wording tweak

- Deprecated: use serviceAccountRef.Audiences instead
+ Deprecated: use serviceAccountRef.audiences instead

Also applies to: 9818-9818

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@config/crds/bases/external-secrets.io_clustersecretstores.yaml` at line 5129,
Update the deprecation guidance string that currently references
"serviceAccountRef.Audiences" to use YAML/manifest casing
"serviceAccountRef.audiences" so it matches CR manifest keys; locate the
deprecation message text (the string containing "Deprecated: use
serviceAccountRef.Audiences") in the clustersecretstores manifest and replace
the field reference in that message (and the analogous occurrence around lines
9818) to "serviceAccountRef.audiences".

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

Use namespaceSelectors in the deprecation guidance.

NamespaceSelectors is the Go-field spelling. The generated CRD should point users at the manifest key namespaceSelectors, otherwise the migration hint does not match what they can actually write in YAML. The same casing issue is also present in the preceding namespaces sentence.

✏️ Suggested wording

- Deprecated: Use NamespaceSelectors instead.
+ Deprecated: use `namespaceSelectors` instead.

Also applies to: 762-766, 1496-1500

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@deploy/crds/bundle.yaml` around lines 665 - 669, The CRD description for the
field named namespaceSelector currently points users to the Go-field spelling
"NamespaceSelectors" and also uses an incorrect "namespaces" sentence; update
the description text to reference the manifest key exactly as
`namespaceSelectors` (lower camel case, matching what users write in YAML) and
adjust the preceding sentence that mentions "namespaces" to the correct
`namespaceSelectors` key; make the same wording change in the other occurrences
of this deprecation guidance (the two additional description blocks with the
same message).

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

Use the manifest path in the audiences replacement note.

serviceAccountRef.Audiences does not exist in CR manifests. Please generate this description with the JSON/YAML path serviceAccountRef.audiences so the deprecation text is directly usable by manifest authors.

✏️ Suggested wording

- Deprecated: use serviceAccountRef.Audiences instead
+ Deprecated: use `serviceAccountRef.audiences` instead.

Also applies to: 11207-11211, 18620-18624, 22966-22970, 25645-25649, 28332-28336

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@deploy/crds/bundle.yaml` around lines 6861 - 6865, The deprecation note
incorrectly references "serviceAccountRef.Audiences" (PascalCase) which doesn't
match CR manifest JSON/YAML paths; update the text to use the manifest path
"serviceAccountRef.audiences" instead. Replace the string in the shown diff and
the other reported occurrences (around lines 11207-11211, 18620-18624,
22966-22970, 25645-25649, 28332-28336) so the deprecation message is directly
usable by manifest authors and consistently uses the lowercase dot-separated
path.

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

Make the expiration deprecation note migration-oriented.

Deprecated: this will be removed in the future. warns about removal but does not tell users what to switch to. Please point this description at the concrete successor field/path here as well, the same way the audiences note does.

Also applies to: 11217-11222, 18630-18635, 22976-22981, 25655-25660, 28342-28347

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@deploy/crds/bundle.yaml` around lines 6871 - 6876, Update the deprecation
text for the "expiration" description so it directs users to the concrete
replacement field/path (similar to how the "audiences" note does) instead of
just saying it will be removed; specifically, change the sentence after the
description of serviceAccountRef to "Deprecated: use
<CONCRETE_SUCCESSOR_FIELD_PATH> instead." and apply the same precise
migration-oriented message to the other occurrences mentioned (lines around the
other ranges), referencing the same successor path and keeping the
default/timeout note intact.

[evrardjp]

While I don't see the point of diverging of the go version used in client-go and our operator tooling, I don't see a problem with it either. When that passes CI, it should be good to go. I did not check the source of TestNewVault/InvalidRetrySettings issue...

[Skarlso]

Ah it's an error parsing failure. I will fix it, thanks 🙇

[Skarlso]

Okay, the matching logic is fixed now. The test was way too strict and since go 1.26 the duration parser returns an unexported error type.

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@providers/v1/vault/provider_test.go`:
- Around line 747-750: Fix the nil-error dereference and missing assertion by
explicitly handling the three cases for tc.want.err vs err in the test: when
tc.want.err != nil, first assert err is non-nil (fail the test if err == nil),
then compare error messages (use tc.want.err.Error() vs err.Error()); when
tc.want.err == nil, assert that err is nil and fail the test if err != nil;
update the assertion logic around the newClient() call in provider_test.go
(referencing variables tc.want.err and err) to avoid calling err.Error() on a
nil error and to fail on unexpected errors.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 71e17820-bc08-448f-8e6f-c12d8c69822e

📥 Commits

Reviewing files that changed from the base of the PR and between 4185eed and 0e5002b.

📒 Files selected for processing (1)

• providers/v1/vault/provider_test.go

[sonarqubecloud]

Quality Gate passed

Issues
2 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

[coderabbitai]

♻️ Duplicate comments (1)

deploy/crds/bundle.yaml (1)

6861-6865: ⚠️ Potential issue | 🟡 Minor

Fix the Go doc that generates this description.

apis/externalsecrets/v1beta1/secretstore_vault_types.go:276-285 still has the same serviceAccountRef.Audiences wording and the it not specified typo, so adjusting only deploy/crds/bundle.yaml will drift again on the next CRD regeneration. Please correct the source comment to serviceAccountRef.audiences and if not specified, then regenerate the bundle.

✏️ Suggested source fix

- // Defaults to a single audience `vault` it not specified.
+ // Defaults to a single audience `vault` if not specified.
@@
- // Deprecated: use serviceAccountRef.Audiences instead
+ // Deprecated: use `serviceAccountRef.audiences` instead.

Also applies to: 11207-11211, 18629-18633, 22975-22979, 25654-25658, 28341-28345

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@deploy/crds/bundle.yaml` around lines 6861 - 6865, Update the Go doc in
apis/externalsecrets/v1beta1/secretstore_vault_types.go (the comment that
produces the CRD description for serviceAccountRef) to use the correct field
casing and wording: change "serviceAccountRef.Audiences" to
"serviceAccountRef.audiences" and fix the typo "it not specified" to "if not
specified"; then regenerate the CRD bundle so deploy/crds/bundle.yaml (and all
other CRD locations noted) are updated consistently.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Duplicate comments:
In `@deploy/crds/bundle.yaml`:
- Around line 6861-6865: Update the Go doc in
apis/externalsecrets/v1beta1/secretstore_vault_types.go (the comment that
produces the CRD description for serviceAccountRef) to use the correct field
casing and wording: change "serviceAccountRef.Audiences" to
"serviceAccountRef.audiences" and fix the typo "it not specified" to "if not
specified"; then regenerate the CRD bundle so deploy/crds/bundle.yaml (and all
other CRD locations noted) are updated consistently.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 43854905-28bf-45fa-b23e-cb01f7afe655

📥 Commits

Reviewing files that changed from the base of the PR and between 08afb4f and dd7d0d7.

📒 Files selected for processing (7)

• Dockerfile.standalone
• cmd/controller/certcontroller.go
• deploy/crds/bundle.yaml
• go.mod
• providers/v1/onepassword/go.mod
• providers/v1/onepassword/onepassword.go
• providers/v1/passbolt/go.mod

✅ Files skipped from review due to trivial changes (1)

• go.mod

🚧 Files skipped from review as they are similar to previous changes (3)

• providers/v1/onepassword/go.mod
• providers/v1/onepassword/onepassword.go
• cmd/controller/certcontroller.go