fix(deps): update ocm monorepo go module dependencies (no ctf)

[frewilhelm]

What this PR does / why we need it

e2b46f9 introduced a change in ocm.software/open-component-model/bindings/go/ctf v0.4.0 that breaks tests in bindings/go/oci/ctf. A fix is already in progress but it includes a bigger implementation that is not ready to merge yet. This is why, this PR reverts the version bump for that module for now.

Which issue(s) this PR fixes

Fixes #2152

Testing

Run task test and task test/integration

[coderabbitai]

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

• @coderabbitai resume to resume automatic reviews.
• @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

• ▶️ Resume reviews
• 🔍 Trigger review

📝 Walkthrough

Walkthrough

This PR updates OCM-related Go module versions across multiple go.mod files, mainly advancing pseudo-version commits for descriptor/*, cel, transfer, transform, and bumping ctf (v0.3.0 → v0.4.0) and oci (v0.0.37 → v0.0.38).

Changes

Cohort / File(s)	Summary
Input Modules bindings/go/input/dir/go.mod, bindings/go/input/file/go.mod, bindings/go/input/utf8/go.mod	Updated indirect descriptor/normalisation and descriptor/runtime pseudo-versions from ...e120070fd921 → ...5b24debae3cf.
Descriptor & Runtime bindings/go/descriptor/normalisation/go.mod, bindings/go/oci/go.mod, bindings/go/repository/go.mod, bindings/go/rsa/go.mod	Bumped descriptor/runtime pseudo-version to ...5b24debae3cf.
Signing & Plugin bindings/go/signing/go.mod, bindings/go/plugin/go.mod	Advanced descriptor/normalisation and descriptor/runtime pseudo-versions; plugin updated signing pin.
Transfer & Integration bindings/go/transfer/go.mod, bindings/go/transfer/integration/go.mod	Updated descriptor/runtime, signing, transform, cel, and related indirects; bumped ctf v0.3.0 → v0.4.0.
OCI & Helm bindings/go/oci/integration/go.mod, bindings/go/helm/go.mod	Bumped descriptor/runtime pseudo-version and oci v0.0.37 → v0.0.38; helm also advanced related indirects.
Helm & Transform bindings/go/helm/go.mod, bindings/go/transform/go.mod	Advanced descriptor/normalisation, descriptor/runtime, and cel pseudo-versions.
Constructor bindings/go/constructor/go.mod	Bumped descriptor/normalisation, descriptor/runtime, oci, and indirect ctf to v0.4.0.
CLI & Integration cli/go.mod, cli/integration/go.mod	Updated many OCM binding pins (cel, ctf, descriptor/*, helm, rsa, signing, transfer, transform) to newer pseudo-versions and v0.4.0 for ctf; oci → v0.0.38 where present.
OCI Integration & Repository bindings/go/oci/integration/go.mod, bindings/go/repository/go.mod	Advanced descriptor/runtime and oci pins to newer versions.
Kubernetes Controller kubernetes/controller/go.mod	Bumped ctf to v0.4.0 and advanced descriptor/normalisation, descriptor/runtime, rsa, and signing pseudo-versions.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Possibly related PRs

• feat: explicit transfer module #2047 — Changes touch the bindings/go/transfer module and its integration go.mod, overlapping dependency pins updated here.
• Repository PR/Issue #2152 — Renovate-style dependency update for OCM Go modules; directly related to the monorepo go module bumps in this diff.

Suggested reviewers

• Skarlso
• fabianburth
• jakobmoellerdev

Poem

🐰
I hopped through go.mod with care,
Bumped versions here and there,
From e120070 to 5b24deb's tune,
Modules align beneath the moon,
Cheers — a rabbit's tidy prune. 🥕

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title accurately describes the main change: updating OCM monorepo Go module dependencies while explicitly excluding the ctf module version bump.
Description check	✅ Passed	The description clearly explains why the PR is needed: reverting a ctf version bump that broke tests, with context about an in-progress larger fix.
Linked Issues check	✅ Passed	The PR addresses issue #2152 by updating Go module dependencies as required, but strategically reverts the ctf v0.4.0 bump to v0.3.0 to fix breaking tests caused by that specific change.
Out of Scope Changes check	✅ Passed	All changes are in-scope: Go module dependency updates across 18 go.mod files targeting modules from issue #2152, with the intentional exclusion of ctf v0.4.0.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@bindings/go/oci/integration/go.mod`:
- Line 16: Update the module version pin in bindings/go/oci/integration/go.mod
so the ctf dependency matches the main binding; change the
ocm.software/open-component-model/bindings/go/ctf entry (currently v0.4.0) to
v0.3.0 to align with bindings/go/oci/go.mod and keep versions consistent across
the bindings.

In `@bindings/go/transfer/integration/go.mod`:
- Line 14: Update the version of the ctf module in the go.mod entry for
ocm.software/open-component-model/bindings/go/ctf from v0.4.0 back to v0.3.0 so
it matches the main branch; edit the dependency line in
bindings/go/transfer/integration/go.mod to reference
ocm.software/open-component-model/bindings/go/ctf v0.3.0 and run go mod tidy to
verify there are no module resolution issues.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: c5c97d9b-a433-42bc-b592-109c34bb0789

📥 Commits

Reviewing files that changed from the base of the PR and between 6d0ee2c and ce31d30.

⛔ Files ignored due to path filters (18)

• bindings/go/constructor/go.sum is excluded by !**/*.sum
• bindings/go/descriptor/normalisation/go.sum is excluded by !**/*.sum
• bindings/go/helm/go.sum is excluded by !**/*.sum
• bindings/go/input/dir/go.sum is excluded by !**/*.sum
• bindings/go/input/file/go.sum is excluded by !**/*.sum
• bindings/go/input/utf8/go.sum is excluded by !**/*.sum
• bindings/go/oci/go.sum is excluded by !**/*.sum
• bindings/go/oci/integration/go.sum is excluded by !**/*.sum
• bindings/go/plugin/go.sum is excluded by !**/*.sum
• bindings/go/repository/go.sum is excluded by !**/*.sum
• bindings/go/rsa/go.sum is excluded by !**/*.sum
• bindings/go/signing/go.sum is excluded by !**/*.sum
• bindings/go/transfer/go.sum is excluded by !**/*.sum
• bindings/go/transfer/integration/go.sum is excluded by !**/*.sum
• bindings/go/transform/go.sum is excluded by !**/*.sum
• cli/go.sum is excluded by !**/*.sum
• cli/integration/go.sum is excluded by !**/*.sum
• kubernetes/controller/go.sum is excluded by !**/*.sum

📒 Files selected for processing (18)

• bindings/go/constructor/go.mod
• bindings/go/descriptor/normalisation/go.mod
• bindings/go/helm/go.mod
• bindings/go/input/dir/go.mod
• bindings/go/input/file/go.mod
• bindings/go/input/utf8/go.mod
• bindings/go/oci/go.mod
• bindings/go/oci/integration/go.mod
• bindings/go/plugin/go.mod
• bindings/go/repository/go.mod
• bindings/go/rsa/go.mod
• bindings/go/signing/go.mod
• bindings/go/transfer/go.mod
• bindings/go/transfer/integration/go.mod
• bindings/go/transform/go.mod
• cli/go.mod
• cli/integration/go.mod
• kubernetes/controller/go.mod

[netlify]

❌ Deploy Preview for ocm-website failed. Why did it fail? →

Name	Link
🔨 Latest commit	d9fbcab
🔍 Latest deploy log	https://app.netlify.com/projects/ocm-website/deploys/69d6177725adb70008de56cd