chore: add upper camel case types by morri-son · Pull Request #1881 · open-component-model/ocm

morri-son · 2026-03-25T17:01:07Z

On-behalf-of: Gerald Morrison (SAP) gerald.morrison@sap.com

What this PR does / why we need it

Registers UpperCamelCase type names as additional aliases for all OCM access and input types, as part of aligning type notation to Kubernetes-style UpperCamelCase (open-component-model/ocm-project#962).

No behavior change: all existing lowerCamelCase and lower/v1 type strings continue to deserialize correctly. The new aliases allow components authored with the new open-component-model bindings (which emit UpperCamelCase/v1 as the primary type) to be read by this legacy CLI.

Access types:

ociBlob → alias OCIImageLayer / OCIImageLayer/v1
ociArtifact → alias OCIImage / OCIImage/v1 (already registered as LegacyType2 prior to this PR)
helm → alias Helm / Helm/v1
localBlob → alias LocalBlob / LocalBlob/v1
gitHub → alias GitHub / GitHub/v1
s3 → alias S3 / S3/v1 / S3/v2 (already registered via WithKindAliases prior to this PR)
npm → alias Npm / Npm/v1
wget → alias Wget / Wget/v1
git → alias Git / Git/v1alpha1
maven → alias Maven / Maven/v1

Input types (CLI):

dir → alias Dir
file → alias File
utf8 → alias UTF8
helm → alias Helm

…docs (open-component-model#1880) On-behalf-of: Gerald Morrison (SAP) <gerald.morrison@sap.com>  #### What this PR does / why we need it Adds cross reference from wget access method to credential mapping and add an example for wget in ocmconfig. #### Which issue(s) this PR is related to Related to open-component-model#1821 Signed-off-by: Gerald Morrison (SAP) <gerald.morrison@sap.com> Co-authored-by: Gerald Morrison (SAP) <gerald.morrison@sap.com> Signed-off-by: Gerald Morrison (SAP) <gerald.morrison@sap.com>

On-behalf-of: Gerald Morrison (SAP) <gerald.morrison@sap.com> Signed-off-by: Gerald Morrison (SAP) <gerald.morrison@sap.com>

…pen-component-model#1886) Bumps [github.com/go-git/go-git/v5](https://github.com/go-git/go-git) from 5.17.0 to 5.17.1. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/go-git/go-git/releases">github.com/go-git/go-git/v5's releases</a>.</em></p> <blockquote> <h2>v5.17.1</h2> <h2>What's Changed</h2> <ul> <li>build: Update module github.com/cloudflare/circl to v1.6.3 [SECURITY] (releases/v5.x) by <a href="https://github.com/go-git-renovate"><code>@go-git-renovate</code></a>[bot] in <a href="https://redirect.github.com/go-git/go-git/pull/1930">go-git/go-git#1930</a></li> <li>[v5] plumbing: format/index, Improve v4 entry name validation by <a href="https://github.com/pjbgf"><code>@pjbgf</code></a> in <a href="https://redirect.github.com/go-git/go-git/pull/1935">go-git/go-git#1935</a></li> <li>[v5] plumbing: format/idxfile, Fix version and fanout checks by <a href="https://github.com/pjbgf"><code>@pjbgf</code></a> in <a href="https://redirect.github.com/go-git/go-git/pull/1937">go-git/go-git#1937</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/go-git/go-git/compare/v5.17.0...v5.17.1">https://github.com/go-git/go-git/compare/v5.17.0...v5.17.1</a></p> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/go-git/go-git/commit/5e23dfd02db92644dc4a3358ceb297fce875b772"><code>5e23dfd</code></a> Merge pull request <a href="https://redirect.github.com/go-git/go-git/issues/1937">#1937</a> from pjbgf/idx-v5</li> <li><a href="https://github.com/go-git/go-git/commit/6b38a326816b80f64c20cc0e6113958b65c05a1c"><code>6b38a32</code></a> Merge pull request <a href="https://redirect.github.com/go-git/go-git/issues/1935">#1935</a> from pjbgf/index-v5</li> <li><a href="https://github.com/go-git/go-git/commit/cd757fcb856a2dcc5fff6c110320a8ff62e99513"><code>cd757fc</code></a> plumbing: format/idxfile, Fix version and fanout checks</li> <li><a href="https://github.com/go-git/go-git/commit/3ec0d70cb687ae1da5f4d18faa4229bd971a8710"><code>3ec0d70</code></a> plumbing: format/index, Fix tree extension invalidated entry parsing</li> <li><a href="https://github.com/go-git/go-git/commit/dbe10b6b425a2a4ea92a9d98e20cd68e15aede01"><code>dbe10b6</code></a> plumbing: format/index, Align V2/V3 long name and V4 prefix encoding with Git</li> <li><a href="https://github.com/go-git/go-git/commit/e9b65df44cb97faeba148b47523a362beaecddf9"><code>e9b65df</code></a> plumbing: format/index, Improve v4 entry name validation</li> <li><a href="https://github.com/go-git/go-git/commit/adad18daabddee04c5a889f0230035e74bca32c0"><code>adad18d</code></a> Merge pull request <a href="https://redirect.github.com/go-git/go-git/issues/1930">#1930</a> from go-git/renovate/releases/v5.x-go-github.com-clo...</li> <li><a href="https://github.com/go-git/go-git/commit/29470bd1d862c6e902996b8e8ff8eb7a0515a9be"><code>29470bd</code></a> build: Update module github.com/cloudflare/circl to v1.6.3 [SECURITY]</li> <li>See full diff in <a href="https://github.com/go-git/go-git/compare/v5.17.0...v5.17.1">compare view</a></li> </ul> </details> <br /> [![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=github.com/go-git/go-git/v5&package-manager=go_modules&previous-version=5.17.0&new-version=5.17.1)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/open-component-model/ocm/network/alerts). </details> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Gerald Morrison (SAP) <gerald.morrison@sap.com>

Update OCM CLI vendor hash (see: .github/workflows/flake_vendorhash.yaml) Co-authored-by: ocmbot[bot] <125909804+ocmbot[bot]@users.noreply.github.com> Signed-off-by: Gerald Morrison (SAP) <gerald.morrison@sap.com>

…pen-component-model#1891) Bumps [github.com/go-git/go-git/v5](https://github.com/go-git/go-git) from 5.17.1 to 5.17.2. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/go-git/go-git/releases">github.com/go-git/go-git/v5's releases</a>.</em></p> <blockquote> <h2>v5.17.2</h2> <h2>What's Changed</h2> <ul> <li>build: Update module github.com/go-git/go-git/v5 to v5.17.1 [SECURITY] (releases/v5.x) by <a href="https://github.com/go-git-renovate"><code>@go-git-renovate</code></a>[bot] in <a href="https://redirect.github.com/go-git/go-git/pull/1941">go-git/go-git#1941</a></li> <li>dotgit: skip writing pack files that already exist on disk by <a href="https://github.com/pjbgf"><code>@pjbgf</code></a> in <a href="https://redirect.github.com/go-git/go-git/pull/1944">go-git/go-git#1944</a></li> </ul> <p>:warning: This release fixes a bug (<a href="https://redirect.github.com/go-git/go-git/issues/1942">go-git/go-git#1942</a>) that blocked some users from upgrading to <code>v5.17.1</code>. Thanks <a href="https://github.com/pskrbasu"><code>@pskrbasu</code></a> for reporting it. 🙇</p> <p><strong>Full Changelog</strong>: <a href="https://github.com/go-git/go-git/compare/v5.17.1...v5.17.2">https://github.com/go-git/go-git/compare/v5.17.1...v5.17.2</a></p> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/go-git/go-git/commit/45ae193b3a60aa8ec8a3e373f7265a7819473d5f"><code>45ae193</code></a> Merge pull request <a href="https://redirect.github.com/go-git/go-git/issues/1944">#1944</a> from go-git/fix-perms</li> <li><a href="https://github.com/go-git/go-git/commit/fda4f7464b597ff33d2dea1c026482a5e900037c"><code>fda4f74</code></a> storage: filesystem/dotgit, Skip writing pack files that already exist on disk</li> <li><a href="https://github.com/go-git/go-git/commit/2212dc7caeb2a389fe2129923811ef63f75a557a"><code>2212dc7</code></a> Merge pull request <a href="https://redirect.github.com/go-git/go-git/issues/1941">#1941</a> from go-git/renovate/releases/v5.x-go-github.com-go-...</li> <li><a href="https://github.com/go-git/go-git/commit/ebb2d7da7f5d5aebeaa0b5e13276d72d602c1ae3"><code>ebb2d7d</code></a> build: Update module github.com/go-git/go-git/v5 to v5.17.1 [SECURITY]</li> <li>See full diff in <a href="https://github.com/go-git/go-git/compare/v5.17.1...v5.17.2">compare view</a></li> </ul> </details> <br /> [![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=github.com/go-git/go-git/v5&package-manager=go_modules&previous-version=5.17.1&new-version=5.17.2)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/open-component-model/ocm/network/alerts). </details> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Gerald Morrison (SAP) <gerald.morrison@sap.com>

Update OCM CLI vendor hash (see: .github/workflows/flake_vendorhash.yaml) Co-authored-by: ocmbot[bot] <125909804+ocmbot[bot]@users.noreply.github.com> Signed-off-by: Gerald Morrison (SAP) <gerald.morrison@sap.com>

…l#1898)  #### What this PR does / why we need it `github.com/containers/image` is no longer maintained because it was moved to the monorepository https://github.com/containers/container-libs. Hence, we migrate to the recommended import path `go.podman.io/image/v5`. #### Which issue(s) this PR is related to Fixes open-component-model#1897 Signed-off-by: Frederic Wilhelm <frederic.wilhelm@sap.com> Signed-off-by: Gerald Morrison (SAP) <gerald.morrison@sap.com>

Update OCM CLI vendor hash (see: .github/workflows/flake_vendorhash.yaml) Co-authored-by: ocmbot[bot] <125909804+ocmbot[bot]@users.noreply.github.com> Signed-off-by: Gerald Morrison (SAP) <gerald.morrison@sap.com>

Update OCM Version to 0.41.0-dev This makes sure that the branch contains the next valid version. This is a minor bump, the next release will be a new minor version and signals opening of the development branch for new features. Co-authored-by: ocmbot[bot] <125909804+ocmbot[bot]@users.noreply.github.com> Signed-off-by: Gerald Morrison (SAP) <gerald.morrison@sap.com>

…pen-component-model#1902) Bumps [go.opentelemetry.io/otel/sdk](https://github.com/open-telemetry/opentelemetry-go) from 1.41.0 to 1.43.0. <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/open-telemetry/opentelemetry-go/blob/main/CHANGELOG.md">go.opentelemetry.io/otel/sdk's changelog</a>.</em></p> <blockquote> <h2>[1.43.0/0.65.0/0.19.0] 2026-04-02</h2> <h3>Added</h3> <ul> <li>Add <code>IsRandom</code> and <code>WithRandom</code> on <code>TraceFlags</code>, and <code>IsRandom</code> on <code>SpanContext</code> in <code>go.opentelemetry.io/otel/trace</code> for <a href="https://www.w3.org/TR/trace-context-2/#random-trace-id-flag">W3C Trace Context Level 2 Random Trace ID Flag</a> support. (<a href="https://redirect.github.com/open-telemetry/opentelemetry-go/issues/8012">#8012</a>)</li> <li>Add service detection with <code>WithService</code> in <code>go.opentelemetry.io/otel/sdk/resource</code>. (<a href="https://redirect.github.com/open-telemetry/opentelemetry-go/issues/7642">#7642</a>)</li> <li>Add <code>DefaultWithContext</code> and <code>EnvironmentWithContext</code> in <code>go.opentelemetry.io/otel/sdk/resource</code> to support plumbing <code>context.Context</code> through default and environment detectors. (<a href="https://redirect.github.com/open-telemetry/opentelemetry-go/issues/8051">#8051</a>)</li> <li>Support attributes with empty value (<code>attribute.EMPTY</code>) in <code>go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc</code>. (<a href="https://redirect.github.com/open-telemetry/opentelemetry-go/issues/8038">#8038</a>)</li> <li>Support attributes with empty value (<code>attribute.EMPTY</code>) in <code>go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc</code>. (<a href="https://redirect.github.com/open-telemetry/opentelemetry-go/issues/8038">#8038</a>)</li> <li>Support attributes with empty value (<code>attribute.EMPTY</code>) in <code>go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploggrpc</code>. (<a href="https://redirect.github.com/open-telemetry/opentelemetry-go/issues/8038">#8038</a>)</li> <li>Support attributes with empty value (<code>attribute.EMPTY</code>) in <code>go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp</code>. (<a href="https://redirect.github.com/open-telemetry/opentelemetry-go/issues/8038">#8038</a>)</li> <li>Support attributes with empty value (<code>attribute.EMPTY</code>) in <code>go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp</code>. (<a href="https://redirect.github.com/open-telemetry/opentelemetry-go/issues/8038">#8038</a>)</li> <li>Support attributes with empty value (<code>attribute.EMPTY</code>) in <code>go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploghttp</code>. (<a href="https://redirect.github.com/open-telemetry/opentelemetry-go/issues/8038">#8038</a>)</li> <li>Support attributes with empty value (<code>attribute.EMPTY</code>) in <code>go.opentelemetry.io/otel/sdk/metric/metricdata/metricdatatest</code>. (<a href="https://redirect.github.com/open-telemetry/opentelemetry-go/issues/8038">#8038</a>)</li> <li>Add support for per-series start time tracking for cumulative metrics in <code>go.opentelemetry.io/otel/sdk/metric</code>. Set <code>OTEL_GO_X_PER_SERIES_START_TIMESTAMPS=true</code> to enable. (<a href="https://redirect.github.com/open-telemetry/opentelemetry-go/issues/8060">#8060</a>)</li> <li>Add <code>WithCardinalityLimitSelector</code> for metric reader for configuring cardinality limits specific to the instrument kind. (<a href="https://redirect.github.com/open-telemetry/opentelemetry-go/issues/7855">#7855</a>)</li> </ul> <h3>Changed</h3> <ul> <li>Introduce the <code>EMPTY</code> Type in <code>go.opentelemetry.io/otel/attribute</code> to reflect that an empty value is now a valid value, with <code>INVALID</code> remaining as a deprecated alias of <code>EMPTY</code>. (<a href="https://redirect.github.com/open-telemetry/opentelemetry-go/issues/8038">#8038</a>)</li> <li>Improve slice handling in <code>go.opentelemetry.io/otel/attribute</code> to optimize short slice values with fixed-size fast paths. (<a href="https://redirect.github.com/open-telemetry/opentelemetry-go/issues/8039">#8039</a>)</li> <li>Improve performance of span metric recording in <code>go.opentelemetry.io/otel/sdk/trace</code> by returning early if self-observability is not enabled. (<a href="https://redirect.github.com/open-telemetry/opentelemetry-go/issues/8067">#8067</a>)</li> <li>Improve formatting of metric data diffs in <code>go.opentelemetry.io/otel/sdk/metric/metricdata/metricdatatest</code>. (<a href="https://redirect.github.com/open-telemetry/opentelemetry-go/issues/8073">#8073</a>)</li> </ul> <h3>Deprecated</h3> <ul> <li>Deprecate <code>INVALID</code> in <code>go.opentelemetry.io/otel/attribute</code>. Use <code>EMPTY</code> instead. (<a href="https://redirect.github.com/open-telemetry/opentelemetry-go/issues/8038">#8038</a>)</li> </ul> <h3>Fixed</h3> <ul> <li>Return spec-compliant <code>TraceIdRatioBased</code> description. This is a breaking behavioral change, but it is necessary to make the implementation <a href="https://opentelemetry.io/docs/specs/otel/trace/sdk/#traceidratiobased">spec-compliant</a>. (<a href="https://redirect.github.com/open-telemetry/opentelemetry-go/issues/8027">#8027</a>)</li> <li>Fix a race condition in <code>go.opentelemetry.io/otel/sdk/metric</code> where the lastvalue aggregation could collect the value 0 even when no zero-value measurements were recorded. (<a href="https://redirect.github.com/open-telemetry/opentelemetry-go/issues/8056">#8056</a>)</li> <li>Limit HTTP response body to 4 MiB in <code>go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp</code> to mitigate excessive memory usage caused by a misconfigured or malicious server. Responses exceeding the limit are treated as non-retryable errors. (<a href="https://redirect.github.com/open-telemetry/opentelemetry-go/issues/8108">#8108</a>)</li> <li>Limit HTTP response body to 4 MiB in <code>go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp</code> to mitigate excessive memory usage caused by a misconfigured or malicious server. Responses exceeding the limit are treated as non-retryable errors. (<a href="https://redirect.github.com/open-telemetry/opentelemetry-go/issues/8108">#8108</a>)</li> <li>Limit HTTP response body to 4 MiB in <code>go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploghttp</code> to mitigate excessive memory usage caused by a misconfigured or malicious server. Responses exceeding the limit are treated as non-retryable errors. (<a href="https://redirect.github.com/open-telemetry/opentelemetry-go/issues/8108">#8108</a>)</li> <li><code>WithHostID</code> detector in <code>go.opentelemetry.io/otel/sdk/resource</code> to use full path for <code>kenv</code> command on BSD. (<a href="https://redirect.github.com/open-telemetry/opentelemetry-go/issues/8113">#8113</a>)</li> <li>Fix missing <code>request.GetBody</code> in <code>go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploghttp</code> to correctly handle HTTP2 GOAWAY frame. (<a href="https://redirect.github.com/open-telemetry/opentelemetry-go/issues/8096">#8096</a>)</li> </ul> <h2>[1.42.0/0.64.0/0.18.0/0.0.16] 2026-03-06</h2> <h3>Added</h3> <ul> <li>Add <code>go.opentelemetry.io/otel/semconv/v1.40.0</code> package. The package contains semantic conventions from the <code>v1.40.0</code> version of the OpenTelemetry Semantic Conventions. See the <a href="https://github.com/open-telemetry/opentelemetry-go/blob/main/semconv/v1.40.0/MIGRATION.md">migration documentation</a> for information on how to upgrade from <code>go.opentelemetry.io/otel/semconv/v1.39.0</code>. (<a href="https://redirect.github.com/open-telemetry/opentelemetry-go/issues/7985">#7985</a>)</li> </ul>  </blockquote> <p>... (truncated)</p> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/open-telemetry/opentelemetry-go/commit/9276201a64b623606e3eaa0d61ae8ee6d62756c0"><code>9276201</code></a> Release v1.43.0 / v0.65.0 / v0.19.0 (<a href="https://redirect.github.com/open-telemetry/opentelemetry-go/issues/8128">#8128</a>)</li> <li><a href="https://github.com/open-telemetry/opentelemetry-go/commit/61b8c9466c4e6b17e69b622279fe9b63fb15c89a"><code>61b8c94</code></a> chore(deps): update module github.com/mattn/go-runewidth to v0.0.22 (<a href="https://redirect.github.com/open-telemetry/opentelemetry-go/issues/8131">#8131</a>)</li> <li><a href="https://github.com/open-telemetry/opentelemetry-go/commit/97a086e82ffe01502f4c620e9c447efa229e2a23"><code>97a086e</code></a> chore(deps): update github.com/golangci/dupl digest to c99c5cf (<a href="https://redirect.github.com/open-telemetry/opentelemetry-go/issues/8122">#8122</a>)</li> <li><a href="https://github.com/open-telemetry/opentelemetry-go/commit/5e363de517dba6db62736b2f5cdef0e0929b4cd0"><code>5e363de</code></a> limit response body size for OTLP HTTP exporters (<a href="https://redirect.github.com/open-telemetry/opentelemetry-go/issues/8108">#8108</a>)</li> <li><a href="https://github.com/open-telemetry/opentelemetry-go/commit/35214b60138eac8dec97a2d2b851d8c8471680c7"><code>35214b6</code></a> Use an absolute path when calling bsd kenv (<a href="https://redirect.github.com/open-telemetry/opentelemetry-go/issues/8113">#8113</a>)</li> <li><a href="https://github.com/open-telemetry/opentelemetry-go/commit/290024ceaf695f9cdbf29a0c6731a317d92bc361"><code>290024c</code></a> fix(deps): update module google.golang.org/grpc to v1.80.0 (<a href="https://redirect.github.com/open-telemetry/opentelemetry-go/issues/8121">#8121</a>)</li> <li><a href="https://github.com/open-telemetry/opentelemetry-go/commit/e70658e098033d6bb5ec1b399de16bbb2642f6dc"><code>e70658e</code></a> fix: support getBody in otelploghttp (<a href="https://redirect.github.com/open-telemetry/opentelemetry-go/issues/8096">#8096</a>)</li> <li><a href="https://github.com/open-telemetry/opentelemetry-go/commit/4afe468e3b4859c949a1c1e8d92684d43d86ef8a"><code>4afe468</code></a> fix(deps): update googleapis to 9d38bb4 (<a href="https://redirect.github.com/open-telemetry/opentelemetry-go/issues/8117">#8117</a>)</li> <li><a href="https://github.com/open-telemetry/opentelemetry-go/commit/b9ca729776309e3c08fe700c131797a3b4d10634"><code>b9ca729</code></a> chore(deps): update module github.com/go-git/go-git/v5 to v5.17.2 (<a href="https://redirect.github.com/open-telemetry/opentelemetry-go/issues/8115">#8115</a>)</li> <li><a href="https://github.com/open-telemetry/opentelemetry-go/commit/69472ec56cb7674d55ca2e2bcb04dea73228ab79"><code>69472ec</code></a> chore(deps): update fossas/fossa-action action to v1.9.0 (<a href="https://redirect.github.com/open-telemetry/opentelemetry-go/issues/8118">#8118</a>)</li> <li>Additional commits viewable in <a href="https://github.com/open-telemetry/opentelemetry-go/compare/v1.41.0...v1.43.0">compare view</a></li> </ul> </details> <br /> [![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=go.opentelemetry.io/otel/sdk&package-manager=go_modules&previous-version=1.41.0&new-version=1.43.0)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/open-component-model/ocm/network/alerts). </details> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Gerald Morrison (SAP) <gerald.morrison@sap.com>

Update OCM CLI vendor hash (see: .github/workflows/flake_vendorhash.yaml) Co-authored-by: ocmbot[bot] <125909804+ocmbot[bot]@users.noreply.github.com> Signed-off-by: Gerald Morrison (SAP) <gerald.morrison@sap.com>

…he ci group (open-component-model#1904) Bumps the ci group with 1 update: [codelytv/pr-size-labeler](https://github.com/codelytv/pr-size-labeler). Updates `codelytv/pr-size-labeler` from 1.10.3 to 1.10.4 <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/codelytv/pr-size-labeler/releases">codelytv/pr-size-labeler's releases</a>.</em></p> <blockquote> <h2>v1.10.4</h2> <h2>What's Changed</h2> <ul> <li>fix: avoid accumulating PR size labeler related labels by <a href="https://github.com/alexisribot"><code>@alexisribot</code></a> in <a href="https://redirect.github.com/CodelyTV/pr-size-labeler/pull/97">CodelyTV/pr-size-labeler#97</a> solving <a href="https://redirect.github.com/CodelyTV/pr-size-labeler/issues/96">CodelyTV/pr-size-labeler#96</a></li> </ul> <h2>New Contributors</h2> <ul> <li><a href="https://github.com/manishprivet"><code>@manishprivet</code></a> made their first contribution in <a href="https://redirect.github.com/CodelyTV/pr-size-labeler/pull/97">CodelyTV/pr-size-labeler#97</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/CodelyTV/pr-size-labeler/compare/v1.10.3...v1.10.4">https://github.com/CodelyTV/pr-size-labeler/compare/v1.10.3...v1.10.4</a></p> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/CodelyTV/pr-size-labeler/commit/095a41fca88b8764fd9e008ad269bcdb82bb38b9"><code>095a41f</code></a> fix: avoid accumulating PR size labeler related labels (<a href="https://redirect.github.com/codelytv/pr-size-labeler/issues/97">#97</a>)</li> <li>See full diff in <a href="https://github.com/codelytv/pr-size-labeler/compare/4ec67706cd878fbc1c8db0a5dcd28b6bb412e85a...095a41fca88b8764fd9e008ad269bcdb82bb38b9">compare view</a></li> </ul> </details> <br /> [![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=codelytv/pr-size-labeler&package-manager=github_actions&previous-version=1.10.3&new-version=1.10.4)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore <dependency name> major version` will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself) - `@dependabot ignore <dependency name> minor version` will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself) - `@dependabot ignore <dependency name>` will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself) - `@dependabot unignore <dependency name>` will remove all of the ignore conditions of the specified dependency - `@dependabot unignore <dependency name> <ignore condition>` will remove the ignore condition of the specified dependency and ignore conditions </details> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Gerald Morrison (SAP) <gerald.morrison@sap.com>

…-model#1908) Bumps [helm.sh/helm/v4](https://github.com/helm/helm) from 4.1.3 to 4.1.4. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/helm/helm/releases">helm.sh/helm/v4's releases</a>.</em></p> <blockquote> <p>Helm v4.1.4 is a security fix patch release. Users are encouraged to upgrade for the best experience.</p> <p>The community keeps growing, and we'd love to see you there!</p> <ul> <li>Join the discussion in <a href="https://kubernetes.slack.com">Kubernetes Slack</a>: <ul> <li>for questions and just to hang out</li> <li>for discussing PRs, code, and bugs</li> </ul> </li> <li>Hang out at the Public Developer Call: Thursday, 9:30 Pacific via <a href="https://zoom.us/j/696660622">Zoom</a></li> <li>Test, debug, and contribute charts: <a href="https://artifacthub.io/packages/search?kind=0">ArtifactHub/packages</a></li> </ul> <h2>Security fixes</h2> <ul> <li><a href="https://github.com/helm/helm/security/advisories/GHSA-hr2v-4r36-88hr">GHSA-hr2v-4r36-88hr </a> Helm Chart extraction output directory collapse via <code>Chart.yaml</code> name dot-segment</li> <li><a href="https://github.com/helm/helm/security/advisories/GHSA-q5jf-9vfq-h4h7">GHSA-q5jf-9vfq-h4h7</a> Plugin verification fails open when <code>.prov</code> is missing, allowing unsigned plugin install</li> <li><a href="https://github.com/helm/helm/security/advisories/GHSA-vmx8-mqv2-9gmg">GHSA-vmx8-mqv2-9gmg</a> Path traversal in plugin metadata version enables arbitrary file write outside Helm plugin directory</li> </ul> <p>A big thank you to the reporters of these issues (<a href="https://github.com/maru1009"><code>@maru1009</code></a>, <a href="https://github.com/1seal"><code>@1seal</code></a>).</p> <h2>Installation and Upgrading</h2> <p>Download Helm v4.1.4. The common platform binaries are here:</p> <ul> <li><a href="https://get.helm.sh/helm-v4.1.4-darwin-amd64.tar.gz">MacOS amd64</a> (<a href="https://get.helm.sh/helm-v4.1.4-darwin-amd64.tar.gz.sha256sum">checksum</a> / abf09c8503ad1d8ef76d3737a058c3456a998aae5f5966fce4bb3031aeb1654e)</li> <li><a href="https://get.helm.sh/helm-v4.1.4-darwin-arm64.tar.gz">MacOS arm64</a> (<a href="https://get.helm.sh/helm-v4.1.4-darwin-arm64.tar.gz.sha256sum">checksum</a> / 7c2eca678e8001fa863cdf8cbf6ac1b3799f9404a89eb55c08260ef5732e658d)</li> <li><a href="https://get.helm.sh/helm-v4.1.4-linux-amd64.tar.gz">Linux amd64</a> (<a href="https://get.helm.sh/helm-v4.1.4-linux-amd64.tar.gz.sha256sum">checksum</a> / 70b2c30a19da4db264dfd68c8a3664e05093a361cefd89572ffb36f8abfa3d09)</li> <li><a href="https://get.helm.sh/helm-v4.1.4-linux-arm.tar.gz">Linux arm</a> (<a href="https://get.helm.sh/helm-v4.1.4-linux-arm.tar.gz.sha256sum">checksum</a> / c4a7d37032379cc7e82c9c76487d1041b193c9a0fbb4b8f3790230899b830a4f)</li> <li><a href="https://get.helm.sh/helm-v4.1.4-linux-arm64.tar.gz">Linux arm64</a> (<a href="https://get.helm.sh/helm-v4.1.4-linux-arm64.tar.gz.sha256sum">checksum</a> / 13d03672be289045d2ff00e4e345d61de1c6f21c1257a45955a30e8ae036d8f1)</li> <li><a href="https://get.helm.sh/helm-v4.1.4-linux-386.tar.gz">Linux i386</a> (<a href="https://get.helm.sh/helm-v4.1.4-linux-386.tar.gz.sha256sum">checksum</a> / 3e9bcefb85293854367bea931d669bb742974bbd978b3960df921ed129ff40f9)</li> <li><a href="https://get.helm.sh/helm-v4.1.4-linux-ppc64le.tar.gz">Linux ppc64le</a> (<a href="https://get.helm.sh/helm-v4.1.4-linux-ppc64le.tar.gz.sha256sum">checksum</a> / 35a48f5db5c655b4471b37be75e76bfb2b23fc8a95d0fa2f0f344f0694336358)</li> <li><a href="https://get.helm.sh/helm-v4.1.4-linux-s390x.tar.gz">Linux s390x</a> (<a href="https://get.helm.sh/helm-v4.1.4-linux-s390x.tar.gz.sha256sum">checksum</a> / c5653d0b3687f008dc48f80219906b574af3b623ddc114f92383327299ad935e)</li> <li><a href="https://get.helm.sh/helm-v4.1.4-linux-riscv64.tar.gz">Linux riscv64</a> (<a href="https://get.helm.sh/helm-v4.1.4-linux-riscv64.tar.gz.sha256sum">checksum</a> / 9d747ed5761a6a5c15aa7ad108b65aee917d8e33448690e83a6451b6a48748e6)</li> <li><a href="https://get.helm.sh/helm-v4.1.4-windows-amd64.zip">Windows amd64</a> (<a href="https://get.helm.sh/helm-v4.1.4-windows-amd64.zip.sha256sum">checksum</a> / bd60f567f667631a2c9b698dfabe5e3cd52eaaf4264163c0a9cae566db8560e8)</li> <li><a href="https://get.helm.sh/helm-v4.1.4-windows-arm64.zip">Windows arm64</a> (<a href="https://get.helm.sh/helm-v4.1.4-windows-arm64.zip.sha256sum">checksum</a> / d0a651026da4a26b28bdfc3d455ce3dfacbc267182dc2225c2172b1dcc549643)</li> </ul> <p>The <a href="https://helm.sh/docs/intro/quickstart/">Quickstart Guide</a> will get you going from there. For <strong>upgrade instructions</strong> or detailed installation notes, check the <a href="https://helm.sh/docs/intro/install/">install guide</a>. You can also use a <a href="https://raw.githubusercontent.com/helm/helm/main/scripts/get-helm-4">script to install</a> on any system with <code>bash</code>.</p> <h2>What's Next</h2> <ul> <li>4.1.5 and 3.20.3 are the next patch (bug fix) releases and will be on April 8, 2026</li> <li>4.2.0 and 3.21.0 are the next minor (feature) releases and will be on May 13, 2026</li> </ul> <h2>Changelog</h2> <ul> <li>fix: Plugin missing provenance bypass 05fa37973dc9e42b76e1d2883494c87174b6074f (George Jenkins)</li> <li>fix: Chart dot-name path bug 4e7994d4467182f535b6797c94b5b0e994a91436 (George Jenkins)</li> <li>ignore error plugin loads (cli, getter) 25819432bf87ac0b54f0d3fa54982add2cac609e (George Jenkins)</li> <li>fix: Plugin version path traversal 36c8539e99bc42d7aef9b87d136254662d04f027 (George Jenkins)</li> <li>fix: pin codeql-action/upload-sarif to commit SHA in scorecards workflow c61e0860ec797330a4c26a78dde7020cdc6743b1 (Terry Howe)</li> </ul> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/helm/helm/commit/05fa37973dc9e42b76e1d2883494c87174b6074f"><code>05fa379</code></a> fix: Plugin missing provenance bypass</li> <li><a href="https://github.com/helm/helm/commit/4e7994d4467182f535b6797c94b5b0e994a91436"><code>4e7994d</code></a> fix: Chart dot-name path bug</li> <li><a href="https://github.com/helm/helm/commit/25819432bf87ac0b54f0d3fa54982add2cac609e"><code>2581943</code></a> ignore error plugin loads (cli, getter)</li> <li><a href="https://github.com/helm/helm/commit/36c8539e99bc42d7aef9b87d136254662d04f027"><code>36c8539</code></a> fix: Plugin version path traversal</li> <li><a href="https://github.com/helm/helm/commit/c61e0860ec797330a4c26a78dde7020cdc6743b1"><code>c61e086</code></a> fix: pin codeql-action/upload-sarif to commit SHA in scorecards workflow</li> <li>See full diff in <a href="https://github.com/helm/helm/compare/v4.1.3...v4.1.4">compare view</a></li> </ul> </details> <br /> [![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=helm.sh/helm/v4&package-manager=go_modules&previous-version=4.1.3&new-version=4.1.4)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/open-component-model/ocm/network/alerts). </details> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Gerald Morrison (SAP) <gerald.morrison@sap.com>

Accept upstream dependency updates (toxiproxy, containerd v2, etc.) Branch has no dependency changes of its own. On-behalf-of: Gerald Morrison (SAP) <gerald.morrison@sap.com> Signed-off-by: Gerald Morrison (SAP) <gerald.morrison@sap.com>

morri-son · 2026-04-14T10:56:00Z

@coderabbitai review

jakobmoellerdev

LGTM
@fabianburth please take another look before we merge

…types On-behalf-of: Gerald Morrison (SAP) <gerald.morrison@sap.com> Signed-off-by: Gerald Morrison (SAP) <gerald.morrison@sap.com>

Skarlso

@fabianburth as well ping from previous ping. :D

…i group (open-component-model#1919) Bumps the ci group with 1 update: [github/codeql-action](https://github.com/github/codeql-action). Updates `github/codeql-action` from 4.35.1 to 4.35.2 <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/github/codeql-action/releases">github/codeql-action's releases</a>.</em></p> <blockquote> <h2>v4.35.2</h2> <ul> <li>The undocumented TRAP cache cleanup feature that could be enabled using the <code>CODEQL_ACTION_CLEANUP_TRAP_CACHES</code> environment variable is deprecated and will be removed in May 2026. If you are affected by this, we recommend disabling TRAP caching by passing the <code>trap-caching: false</code> input to the <code>init</code> Action. <a href="https://redirect.github.com/github/codeql-action/pull/3795">#3795</a></li> <li>The Git version 2.36.0 requirement for improved incremental analysis now only applies to repositories that contain submodules. <a href="https://redirect.github.com/github/codeql-action/pull/3789">#3789</a></li> <li>Python analysis on GHES no longer extracts the standard library, relying instead on models of the standard library. This should result in significantly faster extraction and analysis times, while the effect on alerts should be minimal. <a href="https://redirect.github.com/github/codeql-action/pull/3794">#3794</a></li> <li>Fixed a bug in the validation of OIDC configurations for private registries that was added in CodeQL Action 4.33.0 / 3.33.0. <a href="https://redirect.github.com/github/codeql-action/pull/3807">#3807</a></li> <li>Update default CodeQL bundle version to <a href="https://github.com/github/codeql-action/releases/tag/codeql-bundle-v2.25.2">2.25.2</a>. <a href="https://redirect.github.com/github/codeql-action/pull/3823">#3823</a></li> </ul> </blockquote> </details> <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/github/codeql-action/blob/main/CHANGELOG.md">github/codeql-action's changelog</a>.</em></p> <blockquote> <h1>CodeQL Action Changelog</h1> <p>See the <a href="https://github.com/github/codeql-action/releases">releases page</a> for the relevant changes to the CodeQL CLI and language packs.</p> <h2>[UNRELEASED]</h2> <p>No user facing changes.</p> <h2>4.35.2 - 15 Apr 2026</h2> <ul> <li>The undocumented TRAP cache cleanup feature that could be enabled using the <code>CODEQL_ACTION_CLEANUP_TRAP_CACHES</code> environment variable is deprecated and will be removed in May 2026. If you are affected by this, we recommend disabling TRAP caching by passing the <code>trap-caching: false</code> input to the <code>init</code> Action. <a href="https://redirect.github.com/github/codeql-action/pull/3795">#3795</a></li> <li>The Git version 2.36.0 requirement for improved incremental analysis now only applies to repositories that contain submodules. <a href="https://redirect.github.com/github/codeql-action/pull/3789">#3789</a></li> <li>Python analysis on GHES no longer extracts the standard library, relying instead on models of the standard library. This should result in significantly faster extraction and analysis times, while the effect on alerts should be minimal. <a href="https://redirect.github.com/github/codeql-action/pull/3794">#3794</a></li> <li>Fixed a bug in the validation of OIDC configurations for private registries that was added in CodeQL Action 4.33.0 / 3.33.0. <a href="https://redirect.github.com/github/codeql-action/pull/3807">#3807</a></li> <li>Update default CodeQL bundle version to <a href="https://github.com/github/codeql-action/releases/tag/codeql-bundle-v2.25.2">2.25.2</a>. <a href="https://redirect.github.com/github/codeql-action/pull/3823">#3823</a></li> </ul> <h2>4.35.1 - 27 Mar 2026</h2> <ul> <li>Fix incorrect minimum required Git version for <a href="https://redirect.github.com/github/roadmap/issues/1158">improved incremental analysis</a>: it should have been 2.36.0, not 2.11.0. <a href="https://redirect.github.com/github/codeql-action/pull/3781">#3781</a></li> </ul> <h2>4.35.0 - 27 Mar 2026</h2> <ul> <li>Reduced the minimum Git version required for <a href="https://redirect.github.com/github/roadmap/issues/1158">improved incremental analysis</a> from 2.38.0 to 2.11.0. <a href="https://redirect.github.com/github/codeql-action/pull/3767">#3767</a></li> <li>Update default CodeQL bundle version to <a href="https://github.com/github/codeql-action/releases/tag/codeql-bundle-v2.25.1">2.25.1</a>. <a href="https://redirect.github.com/github/codeql-action/pull/3773">#3773</a></li> </ul> <h2>4.34.1 - 20 Mar 2026</h2> <ul> <li>Downgrade default CodeQL bundle version to <a href="https://github.com/github/codeql-action/releases/tag/codeql-bundle-v2.24.3">2.24.3</a> due to issues with a small percentage of Actions and JavaScript analyses. <a href="https://redirect.github.com/github/codeql-action/pull/3762">#3762</a></li> </ul> <h2>4.34.0 - 20 Mar 2026</h2> <ul> <li>Added an experimental change which disables TRAP caching when <a href="https://redirect.github.com/github/roadmap/issues/1158">improved incremental analysis</a> is enabled, since improved incremental analysis supersedes TRAP caching. This will improve performance and reduce Actions cache usage. We expect to roll this change out to everyone in March. <a href="https://redirect.github.com/github/codeql-action/pull/3569">#3569</a></li> <li>We are rolling out improved incremental analysis to C/C++ analyses that use build mode <code>none</code>. We expect this rollout to be complete by the end of April 2026. <a href="https://redirect.github.com/github/codeql-action/pull/3584">#3584</a></li> <li>Update default CodeQL bundle version to <a href="https://github.com/github/codeql-action/releases/tag/codeql-bundle-v2.25.0">2.25.0</a>. <a href="https://redirect.github.com/github/codeql-action/pull/3585">#3585</a></li> </ul> <h2>4.33.0 - 16 Mar 2026</h2> <ul> <li> <p>Upcoming change: Starting April 2026, the CodeQL Action will skip collecting file coverage information on pull requests to improve analysis performance. File coverage information will still be computed on non-PR analyses. Pull request analyses will log a warning about this upcoming change. <a href="https://redirect.github.com/github/codeql-action/pull/3562">#3562</a></p> <p>To opt out of this change:</p> <ul> <li><strong>Repositories owned by an organization:</strong> Create a custom repository property with the name <code>github-codeql-file-coverage-on-prs</code> and the type "True/false", then set this property to <code>true</code> in the repository's settings. For more information, see <a href="https://docs.github.com/en/organizations/managing-organization-settings/managing-custom-properties-for-repositories-in-your-organization">Managing custom properties for repositories in your organization</a>. Alternatively, if you are using an advanced setup workflow, you can set the <code>CODEQL_ACTION_FILE_COVERAGE_ON_PRS</code> environment variable to <code>true</code> in your workflow.</li> <li><strong>User-owned repositories using default setup:</strong> Switch to an advanced setup workflow and set the <code>CODEQL_ACTION_FILE_COVERAGE_ON_PRS</code> environment variable to <code>true</code> in your workflow.</li> <li><strong>User-owned repositories using advanced setup:</strong> Set the <code>CODEQL_ACTION_FILE_COVERAGE_ON_PRS</code> environment variable to <code>true</code> in your workflow.</li> </ul> </li> <li> <p>Fixed <a href="https://redirect.github.com/github/codeql-action/issues/3555">a bug</a> which caused the CodeQL Action to fail loading repository properties if a "Multi select" repository property was configured for the repository. <a href="https://redirect.github.com/github/codeql-action/pull/3557">#3557</a></p> </li> <li> <p>The CodeQL Action now loads <a href="https://docs.github.com/en/organizations/managing-organization-settings/managing-custom-properties-for-repositories-in-your-organization">custom repository properties</a> on GitHub Enterprise Server, enabling the customization of features such as <code>github-codeql-disable-overlay</code> that was previously only available on GitHub.com. <a href="https://redirect.github.com/github/codeql-action/pull/3559">#3559</a></p> </li> <li> <p>Once <a href="https://docs.github.com/en/code-security/how-tos/secure-at-scale/configure-organization-security/manage-usage-and-access/giving-org-access-private-registries">private package registries</a> can be configured with OIDC-based authentication for organizations, the CodeQL Action will now be able to accept such configurations. <a href="https://redirect.github.com/github/codeql-action/pull/3563">#3563</a></p> </li> <li> <p>Fixed the retry mechanism for database uploads. Previously this would fail with the error "Response body object should not be disturbed or locked". <a href="https://redirect.github.com/github/codeql-action/pull/3564">#3564</a></p> </li> <li> <p>A warning is now emitted if the CodeQL Action detects a repository property whose name suggests that it relates to the CodeQL Action, but which is not one of the properties recognised by the current version of the CodeQL Action. <a href="https://redirect.github.com/github/codeql-action/pull/3570">#3570</a></p> </li> </ul> <h2>4.32.6 - 05 Mar 2026</h2>  </blockquote> <p>... (truncated)</p> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/github/codeql-action/commit/95e58e9a2cdfd71adc6e0353d5c52f41a045d225"><code>95e58e9</code></a> Merge pull request <a href="https://redirect.github.com/github/codeql-action/issues/3824">#3824</a> from github/update-v4.35.2-d2e135a73</li> <li><a href="https://github.com/github/codeql-action/commit/6f31bfe060e817d81e938dbec767969d20031e25"><code>6f31bfe</code></a> Update changelog for v4.35.2</li> <li><a href="https://github.com/github/codeql-action/commit/d2e135a73a39154e3a231aeb49163c4661c5b8b1"><code>d2e135a</code></a> Merge pull request <a href="https://redirect.github.com/github/codeql-action/issues/3823">#3823</a> from github/update-bundle/codeql-bundle-v2.25.2</li> <li><a href="https://github.com/github/codeql-action/commit/60abb65df09fcf213c398e064c8a80db1f15cdaf"><code>60abb65</code></a> Add changelog note</li> <li><a href="https://github.com/github/codeql-action/commit/5a0a562209255e956ad8aafcee303294e64eefa2"><code>5a0a562</code></a> Update default bundle to codeql-bundle-v2.25.2</li> <li><a href="https://github.com/github/codeql-action/commit/65216971a11ded447a6b76263d5a144519e5eee1"><code>6521697</code></a> Merge pull request <a href="https://redirect.github.com/github/codeql-action/issues/3820">#3820</a> from github/dependabot/github_actions/dot-github/wor...</li> <li><a href="https://github.com/github/codeql-action/commit/3c45af2dd258e1623af1898da5c86545b514e028"><code>3c45af2</code></a> Merge pull request <a href="https://redirect.github.com/github/codeql-action/issues/3821">#3821</a> from github/dependabot/npm_and_yarn/npm-minor-345b93...</li> <li><a href="https://github.com/github/codeql-action/commit/f1c339364c12f922998186ed897e45e3b4ae8874"><code>f1c3393</code></a> Rebuild</li> <li><a href="https://github.com/github/codeql-action/commit/1024fc496c87e944a93e98d8cf2c09e2c7602a30"><code>1024fc4</code></a> Rebuild</li> <li><a href="https://github.com/github/codeql-action/commit/9dd4cfed96030ccdfe1af4daf7a7964322704fed"><code>9dd4cfe</code></a> Bump the npm-minor group across 1 directory with 6 updates</li> <li>Additional commits viewable in <a href="https://github.com/github/codeql-action/compare/c10b8064de6f491fea524254123dbe5e09572f13...95e58e9a2cdfd71adc6e0353d5c52f41a045d225">compare view</a></li> </ul> </details> <br /> [![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=github/codeql-action&package-manager=github_actions&previous-version=4.35.1&new-version=4.35.2)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore <dependency name> major version` will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself) - `@dependabot ignore <dependency name> minor version` will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself) - `@dependabot ignore <dependency name>` will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself) - `@dependabot unignore <dependency name>` will remove all of the ignore conditions of the specified dependency - `@dependabot unignore <dependency name> <ignore condition>` will remove the ignore condition of the specified dependency and ignore conditions </details> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

…types On-behalf-of: Gerald Morrison (SAP) <gerald.morrison@sap.com> Signed-off-by: Gerald Morrison (SAP) <gerald.morrison@sap.com>

Add UpperCamelCase type aliases for all access methods and input types that were missing after open-component-model#1881. This completes the type notation alignment per ocm-project#962 and ocm-spec#141. Access methods: GitHub/v1, NPM/v1, Wget/v1, Git/v1alpha1, Maven/v1 Input types: Git, Maven, NPM, Wget, Binary, Docker, DockerMulti, Spiff, OCIArtifact On-behalf-of: Gerald Morrison (SAP) <gerald.morrison@sap.com> Signed-off-by: Gerald Morrison (SAP) <gerald.morrison@sap.com>

… type docs - Revert Is() changes in github/method.go and wget/method.go to match open-component-model#1881 pattern (don't touch existing functions) - Register UPPER_TYPE input types without usage text to avoid duplicate entries in generated reference docs (all 8: dir, file, git, helm, maven, npm, utf8, wget) - Regenerate docs/reference/ — removes ~1000 lines of duplicated content On-behalf-of: Gerald Morrison (SAP) <gerald.morrison@sap.com> Signed-off-by: Gerald Morrison (SAP) <gerald.morrison@sap.com>

Add UpperCamelCase type aliases for all access methods and input types that were missing after open-component-model#1881. This completes the type notation alignment per ocm-project#962 and ocm-spec#141. Access methods: GitHub/v1, NPM/v1, Wget/v1, Git/v1alpha1, Maven/v1 Input types: Git, Maven, NPM, Wget, Binary, Docker, DockerMulti, Spiff, OCIArtifact On-behalf-of: Gerald Morrison (SAP) <gerald.morrison@sap.com> Signed-off-by: Gerald Morrison (SAP) <gerald.morrison@sap.com>

… type docs - Revert Is() changes in github/method.go and wget/method.go to match open-component-model#1881 pattern (don't touch existing functions) - Register UPPER_TYPE input types without usage text to avoid duplicate entries in generated reference docs (all 8: dir, file, git, helm, maven, npm, utf8, wget) - Regenerate docs/reference/ — removes ~1000 lines of duplicated content On-behalf-of: Gerald Morrison (SAP) <gerald.morrison@sap.com> Signed-off-by: Gerald Morrison (SAP) <gerald.morrison@sap.com>

…#1920) On-behalf-of: Gerald Morrison (SAP) <gerald.morrison@sap.com>  #### What this PR does / why we need it Completes the UpperCamelCase type alias registration started in #1881. That PR covered helm, localBlob, ociBlob (access) and dir, file, helm, utf8 (input) but missed several access methods and input types. This PR adds UpperCamelCase aliases for all remaining types: **Access methods:** - `gitHub` → alias `GitHub` / `GitHub/v1` - `npm` → alias `NPM` / `NPM/v1` - `wget` → alias `Wget` / `Wget/v1` - `git` → alias `Git` / `Git/v1alpha1` - `maven` → alias `Maven` / `Maven/v1` **Input types (CLI):** - `git` → alias `Git` - `maven` → alias `Maven` - `npm` → alias `NPM` - `wget` → alias `Wget` No behavior change: all existing lowercase type strings continue to work. The new aliases ensure components authored with the new `open-component-model` monorepo bindings (which emit UpperCamelCase as primary) can be read by this legacy CLI. Note: `NPM` follows the acronym convention used by `OCIImage`, `UTF8`, etc. **Documentation:** UpperCamelCase aliases are registered with empty usage text, so they are excluded from `--help` output and generated reference docs. A preamble note was added to the input type documentation stating that UpperCamelCase type names are aliases — check the corresponding lowercase entry for full documentation. #### Related - open-component-model/ocm-project#962 - open-component-model/open-component-model#2057 - ocm-spec PR: open-component-model/ocm-spec#141 - Predecessor: #1881 --------- Signed-off-by: Gerald Morrison (SAP) <gerald.morrison@sap.com> Co-authored-by: Gerald Morrison (SAP) <gerald.morrison@sap.com>

…ocalBlob so far) (#2057) On-behalf-of: Gerald Morrison (SAP) <gerald.morrison@sap.com>  ## Summary Register UpperCamelCase forms as the primary (default) serialization type for all input types, consistent with the existing convention used by access OCIImage/v1, Helm/v1 etc. ## Changes: - Input types: File/v1 (was file/v1), Dir/v1 (was dir/v1), UTF8/v1 (was utf8/v1), Helm/v1 (was helm/v1) **The localBlob/v1 access type IS NOT touched in the PR.**, but already prepared (including updating all tests using the new types) in [this branch](https://github.com/morri-son/open-component-model/tree/align-type-notation-for-acces-and-input). Lowercase forms remain registered as backward-compatible aliases so existing component descriptors and constructors continue to work. Adds named constants (Type, LegacyType) to each spec package following the pattern already established by access type packages. Also adds Type constants for OCIImage, OCIImageLayer, and Helm access types where hardcoded strings were previously used in schema registrations. ## Which issue(s) this PR fixes Usage: Fixes open-component-model/ocm-project#962 ## Dependencies Tests for type casing have been split off to PR #2071 to get the CI test not failing. ## Related - ocm-spec: open-component-model/ocm-spec#141 - ocm v1: open-component-model/ocm#1881 - ocm-website: #2244 ## Verification - [x] I have tested the changes locally by running `ocm` --------- Signed-off-by: Gerald Morrison (SAP) <gerald.morrison@sap.com> Co-authored-by: Gerald Morrison (SAP) <gerald.morrison@sap.com>

…ocalBlob so far) (open-component-model#2057) On-behalf-of: Gerald Morrison (SAP) <gerald.morrison@sap.com>  ## Summary Register UpperCamelCase forms as the primary (default) serialization type for all input types, consistent with the existing convention used by access OCIImage/v1, Helm/v1 etc. ## Changes: - Input types: File/v1 (was file/v1), Dir/v1 (was dir/v1), UTF8/v1 (was utf8/v1), Helm/v1 (was helm/v1) **The localBlob/v1 access type IS NOT touched in the PR.**, but already prepared (including updating all tests using the new types) in [this branch](https://github.com/morri-son/open-component-model/tree/align-type-notation-for-acces-and-input). Lowercase forms remain registered as backward-compatible aliases so existing component descriptors and constructors continue to work. Adds named constants (Type, LegacyType) to each spec package following the pattern already established by access type packages. Also adds Type constants for OCIImage, OCIImageLayer, and Helm access types where hardcoded strings were previously used in schema registrations. ## Which issue(s) this PR fixes Usage: Fixes open-component-model/ocm-project#962 ## Dependencies Tests for type casing have been split off to PR open-component-model#2071 to get the CI test not failing. ## Related - ocm-spec: open-component-model/ocm-spec#141 - ocm v1: open-component-model/ocm#1881 - ocm-website: open-component-model#2244 ## Verification - [x] I have tested the changes locally by running `ocm` --------- Signed-off-by: Gerald Morrison (SAP) <gerald.morrison@sap.com> Co-authored-by: Gerald Morrison (SAP) <gerald.morrison@sap.com> 7756429

morri-son added the kind/chore chore, maintenance, etc. label Mar 25, 2026

github-actions Bot added component/ocm-cli OCM Command Line Interface size/s Small area/documentation Documentation related size/l Large labels Mar 25, 2026

morri-son mentioned this pull request Mar 25, 2026

feat: register UpperCamelCase as primary type for input types (skip localBlob so far) open-component-model/open-component-model#2057

Merged

1 task

morri-son linked an issue Apr 10, 2026 that may be closed by this pull request

align type notation for access and input open-component-model/ocm-project#962

Open

7 tasks

morri-son marked this pull request as ready for review April 10, 2026 13:25

morri-son requested a review from a team as a code owner April 10, 2026 13:25

github-actions Bot removed the size/s Small label Apr 10, 2026

jakobmoellerdev enabled auto-merge (squash) April 10, 2026 13:43

morri-son mentioned this pull request Apr 13, 2026

docs: align access type notation to UpperCamelCase open-component-model/ocm-spec#141

Open

morri-son and others added 16 commits April 14, 2026 12:47

add upper camel case types

0018a3a

On-behalf-of: Gerald Morrison (SAP) <gerald.morrison@sap.com> Signed-off-by: Gerald Morrison (SAP) <gerald.morrison@sap.com>

regenerate docs

4fb0e13

On-behalf-of: Gerald Morrison (SAP) <gerald.morrison@sap.com> Signed-off-by: Gerald Morrison (SAP) <gerald.morrison@sap.com>

chore: update 'flake.nix' (open-component-model#1889)

2670be8

Update OCM CLI vendor hash (see: .github/workflows/flake_vendorhash.yaml) Co-authored-by: ocmbot[bot] <125909804+ocmbot[bot]@users.noreply.github.com> Signed-off-by: Gerald Morrison (SAP) <gerald.morrison@sap.com>

chore: update 'flake.nix' (open-component-model#1895)

719a7e1

Update OCM CLI vendor hash (see: .github/workflows/flake_vendorhash.yaml) Co-authored-by: ocmbot[bot] <125909804+ocmbot[bot]@users.noreply.github.com> Signed-off-by: Gerald Morrison (SAP) <gerald.morrison@sap.com>

chore: update 'flake.nix' (open-component-model#1899)

84a3bfb

Update OCM CLI vendor hash (see: .github/workflows/flake_vendorhash.yaml) Co-authored-by: ocmbot[bot] <125909804+ocmbot[bot]@users.noreply.github.com> Signed-off-by: Gerald Morrison (SAP) <gerald.morrison@sap.com>

chore: update 'flake.nix' (open-component-model#1903)

7b8cfda

Update OCM CLI vendor hash (see: .github/workflows/flake_vendorhash.yaml) Co-authored-by: ocmbot[bot] <125909804+ocmbot[bot]@users.noreply.github.com> Signed-off-by: Gerald Morrison (SAP) <gerald.morrison@sap.com>

dependabot Bot added 4 commits April 14, 2026 12:47

morri-son force-pushed the add-upp-camel-case-types branch from 0f8f4c8 to 79701e9 Compare April 14, 2026 10:48

github-actions Bot added component/github-actions Changes on GitHub Actions or within `.github/` directory kind/skip-release-notes Pull request will not appear in release notes kind/dependency dependency update, etc. labels Apr 14, 2026

jakobmoellerdev reviewed Apr 14, 2026

View reviewed changes

morrison-sap and others added 2 commits April 14, 2026 21:31

Merge remote-tracking branch 'upstream/main' into add-upp-camel-case-…

ed5a79d

…types On-behalf-of: Gerald Morrison (SAP) <gerald.morrison@sap.com> Signed-off-by: Gerald Morrison (SAP) <gerald.morrison@sap.com>

Merge branch 'main' into add-upp-camel-case-types

18abe21

matthiasbruns reviewed Apr 16, 2026

View reviewed changes

Comment thread cmds/ocm/commands/ocmcmds/common/inputs/types/directory/type.go

Skarlso previously approved these changes Apr 16, 2026

View reviewed changes

morri-son dismissed Skarlso’s stale review via 3c90c07 April 16, 2026 14:16

Merge remote-tracking branch 'upstream/main' into add-upp-camel-case-…

39a488d

…types On-behalf-of: Gerald Morrison (SAP) <gerald.morrison@sap.com> Signed-off-by: Gerald Morrison (SAP) <gerald.morrison@sap.com>

matthiasbruns approved these changes Apr 16, 2026

View reviewed changes

jakobmoellerdev merged commit df29bb3 into open-component-model:main Apr 16, 2026
24 checks passed

morri-son mentioned this pull request Apr 17, 2026

feat: add UpperCamelCase aliases for remaining access and input types #1920

Merged

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

chore: add upper camel case types#1881

chore: add upper camel case types#1881
jakobmoellerdev merged 29 commits intoopen-component-model:mainfrom
morri-son:add-upp-camel-case-types

morri-son commented Mar 25, 2026 •

edited

Loading

Uh oh!

morri-son commented Apr 10, 2026

Uh oh!

morri-son commented Apr 10, 2026

Uh oh!

morri-son commented Apr 14, 2026

Uh oh!

jakobmoellerdev left a comment

Uh oh!

Uh oh!

Skarlso left a comment

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

6 participants

Conversation

morri-son commented Mar 25, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

What this PR does / why we need it

Related

Uh oh!

morri-son commented Apr 10, 2026

Uh oh!

morri-son commented Apr 10, 2026

Uh oh!

morri-son commented Apr 14, 2026

Uh oh!

jakobmoellerdev left a comment

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Skarlso left a comment

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

6 participants

morri-son commented Mar 25, 2026 •

edited

Loading