[2024-04-08] Bump dependency updates identified by dependabot

[henrybear327]

This pull request completes this week's etcd dependency updates following our dependency roster and dependency management instructions.

Summary of actions

• Bumped
  • github.com/golangci/golangci-lint from 1.57.1 to 1.57.2
    • build(deps): bump github.com/golangci/golangci-lint from 1.57.1 to 1.57.2 in /tools/mod #17738
  • google.golang.org/grpc from 1.62.1 to 1.63.0
    • build(deps): bump google.golang.org/grpc from 1.62.1 to 1.63.0 #17749
    • build(deps): bump go.opentelemetry.io/proto/otlp from 1.1.0 to 1.2.0 #17750
    • build(deps): bump google.golang.org/grpc from 1.62.1 to 1.63.0 in /tools/mod #17740
  • golang.org/x/crypto from 0.21.0 to 0.22.0
    • build(deps): bump golang.org/x/crypto from 0.21.0 to 0.22.0 #17746
    • build(deps): bump golang.org/x/crypto from 0.21.0 to 0.22.0 in /tools/mod #17742
  • go.opentelemetry.io/proto/otlp from v1.1.0 to v1.2.0
    • build(deps): bump go.opentelemetry.io/proto/otlp from 1.1.0 to 1.2.0 #17750
• Closed (fully indirect)
  • build(deps): bump go.opentelemetry.io/otel/metric from 1.24.0 to 1.25.0 #17747
  • build(deps): bump github.com/ldez/gomoddirectives from 0.2.3 to 0.2.4 in /tools/mod #17741
  • build(deps): bump golang.org/x/term from 0.18.0 to 0.19.0 in /tools/mod #17739

[k8s-ci-robot]

Hi @henrybear327. Thanks for your PR.

I'm waiting for a etcd-io member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[henrybear327]

Thanks to @ivanvc for the help!

[ivanvc]

/ok-to-test

[ivanvc]

@henrybear327, seems like the commits are not properly signed

[jmhbnz]

Nit: Suggest following the commit message format specified here: https://github.com/etcd-io/etcd/blob/main/Documentation/contributor-guide/dependency_management.md#steps-to-bump-a-dependency

[henrybear327]

Nit: Suggest following the commit message format specified here: https://github.com/etcd-io/etcd/blob/main/Documentation/contributor-guide/dependency_management.md#steps-to-bump-a-dependency

Fixed :)

[henrybear327]

@henrybear327, seems like the commits are not properly signed

Thanks for spotting! :)

[ivanvc]

/retest

[jmhbnz]

Hey @henrybear327 - Thanks for taking care of dependencies this week. We need to bump golang.org/x/crypto it is not purely indirect, refer:

 james  ~  D  etcd   dependencies/0..                                                                          12:06:53 
 ➜ grep -Ri "golang.org/x/crypto v" | grep -v sum
tests/go.mod:   golang.org/x/crypto v0.21.0
server/go.mod:  golang.org/x/crypto v0.21.0
tools/mod/go.mod:       golang.org/x/crypto v0.21.0 // indirect
go.mod: golang.org/x/crypto v0.21.0 // indirect
etcdutl/go.mod: golang.org/x/crypto v0.21.0 // indirect

We also need to bump grpc in all places, checking this pr there are a couple of instances where grpc is using an older version:

 james  ~  D  etcd   dependencies/0..                                                                          12:07:16 
 ➜ grep -Ri "google.golang.org/grpc v" | grep -v sum
etcdctl/go.mod: google.golang.org/grpc v1.63.0
pkg/go.mod:     google.golang.org/grpc v1.63.0
tests/go.mod:   google.golang.org/grpc v1.63.0
server/go.mod:  google.golang.org/grpc v1.63.0
tools/mod/go.mod:       google.golang.org/grpc v1.62.1 // indirect
tools/testgrid-analysis/go.mod: google.golang.org/grpc v1.62.1 // indirect
client/v3/go.mod:       google.golang.org/grpc v1.63.0
go.mod: google.golang.org/grpc v1.63.0
etcdutl/go.mod: google.golang.org/grpc v1.63.0 // indirect
api/go.mod:     google.golang.org/grpc v1.63.0

[ivanvc]

Hi @jmhbnz, I also noticed google.golang.org/grpc v1.62.1 in tools/testgrid-analysis. While I was looking at it, I realized that scripts/fix.sh, specifically scripts/test_lib.sh's run_for_modules is not running for tools/{testgrid-analysis,rw-heatmaps}.

I'm not sure we want to add those two new directories with go modules to module_dirs. I'm also not sure if they will dodge some of the checks that the current library does over the code (i.e., static checks).

[jmhbnz]

Hi @jmhbnz, I also noticed google.golang.org/grpc v1.62.1 in tools/testgrid-analysis. While I was looking at it, I realized that scripts/fix.sh, specifically scripts/test_lib.sh's run_for_modules is not running for tools/{testgrid-analysis,rw-heatmaps}.

I'm not sure we want to add those two new directories with go modules to module_dirs. I'm also not sure if they will dodge some of the checks that the current library does over the code (i.e., static checks).

Good spotting. My first instinct is we should probably update test_lib.sh, @ahrtr do you agree?

[ahrtr]

I realized that scripts/fix.sh, specifically scripts/test_lib.sh's run_for_modules is not running for tools/{testgrid-analysis,rw-heatmaps}.

Yes, please update the script to cover the tools/* as well. It's another minor technical debt I noticed long time ago. Thanks both @ivanvc @jmhbnz

[henrybear327]

Hey @henrybear327 - Thanks for taking care of dependencies this week. We need to bump golang.org/x/crypto it is not purely indirect, refer:

 james  ~  D  etcd   dependencies/0..                                                                          12:06:53 
 ➜ grep -Ri "golang.org/x/crypto v" | grep -v sum
tests/go.mod:   golang.org/x/crypto v0.21.0
server/go.mod:  golang.org/x/crypto v0.21.0
tools/mod/go.mod:       golang.org/x/crypto v0.21.0 // indirect
go.mod: golang.org/x/crypto v0.21.0 // indirect
etcdutl/go.mod: golang.org/x/crypto v0.21.0 // indirect

We also need to bump grpc in all places, checking this pr there are a couple of instances where grpc is using an older version:

 james  ~  D  etcd   dependencies/0..                                                                          12:07:16 
 ➜ grep -Ri "google.golang.org/grpc v" | grep -v sum
etcdctl/go.mod: google.golang.org/grpc v1.63.0
pkg/go.mod:     google.golang.org/grpc v1.63.0
tests/go.mod:   google.golang.org/grpc v1.63.0
server/go.mod:  google.golang.org/grpc v1.63.0
tools/mod/go.mod:       google.golang.org/grpc v1.62.1 // indirect
tools/testgrid-analysis/go.mod: google.golang.org/grpc v1.62.1 // indirect
client/v3/go.mod:       google.golang.org/grpc v1.63.0
go.mod: google.golang.org/grpc v1.63.0
etcdutl/go.mod: google.golang.org/grpc v1.63.0 // indirect
api/go.mod:     google.golang.org/grpc v1.63.0

Thanks @jmhbnz for reviewing and catching issues! :)

I have ended up adding go.opentelemetry.io/proto/otlp as it's not fully indirect, either!

[jmhbnz]

LGTM - Thanks @henrybear327

[ahrtr]

lgtm

Thanks

[ivanvc]

Hi @henrybear327, it looks like the summary of actions in the description got out of date after you bumped other dependencies.

Edit: You mentioned that #17748 was going to be bumped. It's direct, but it isn't part of these commits.

[henrybear327]

Hi @henrybear327, it looks like the summary of actions in the description got out of date after you bumped other dependencies.

Edit: You mentioned that #17748 was going to be bumped. It's direct, but it isn't part of these commits.

That's a miss ... sorry. I will fix it in #17767