Update module github.com/cenkalti/backoff/v5 to v6 #260

Open
red-hat-konflux-kflux-prd-rh02[bot] wants to merge 1 commit into main from konflux/mintmaker/main/github.com-cenkalti-backoff-v5-6.x

@red-hat-konflux-kflux-prd-rh02

Contributor

This PR contains the following updates:

| Package | Change | Age | Confidence |
| --- | --- | --- | --- |
| github.com/cenkalti/backoff/v5 | v5.0.3 → v6.0.1 | age | confidence |

Warning

Some dependencies could not be looked up. Check the warning logs for more information.


Release Notes

cenkalti/backoff (github.com/cenkalti/backoff/v5)

v6.0.1

Compare Source

v6.0.0

Compare Source


Configuration

📅 Schedule: (UTC)

  • Branch creation
    • "on monday"
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

To execute skipped test pipelines write comment /ok-to-test.


Documentation

Find out how to configure dependency updates in MintMaker documentation or see all available configuration options in Renovate documentation.

Signed-off-by: red-hat-konflux-kflux-prd-rh02 <190377777+red-hat-konflux-kflux-prd-rh02[bot]@users.noreply.github.com>
@red-hat-konflux-kflux-prd-rh02

Contributor Author

⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

  • any of the package files in this branch needs updating, or
  • the branch becomes conflicted, or
  • you click the rebase/retry checkbox if found above, or
  • you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: go.sum
Command failed: go get -t ./...
go: downloading go.opentelemetry.io/otel/sdk v1.43.0
go: downloading github.com/prometheus/client_golang v1.16.0
go: downloading go.opentelemetry.io/otel v1.43.0
go: downloading github.com/onsi/gomega v1.42.0
go: downloading github.com/prometheus/client_model v0.3.0
go: downloading gorm.io/gorm v1.31.1
go: downloading github.com/testcontainers/testcontainers-go v0.42.0
go: downloading github.com/testcontainers/testcontainers-go/modules/postgres v0.42.0
go: downloading go.opentelemetry.io/contrib/propagators/autoprop v0.68.0
go: downloading go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.43.0
go: downloading go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.43.0
go: downloading go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.43.0
go: downloading go.opentelemetry.io/otel/exporters/stdout/stdouttrace v1.43.0
go: downloading go.opentelemetry.io/otel/trace v1.43.0
go: downloading go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.62.0
go: downloading github.com/felixge/httpsnoop v1.0.4
go: downloading github.com/getkin/kin-openapi v0.133.0
go: downloading github.com/prometheus/common v0.42.0
go: downloading github.com/prometheus/procfs v0.10.1
go: downloading golang.org/x/sys v0.45.0
go: downloading github.com/golang/protobuf v1.5.4
go: downloading gorm.io/driver/mysql v1.5.6
go: downloading github.com/bxcodec/faker/v3 v3.2.0
go: downloading golang.org/x/time v0.14.0
go: downloading golang.org/x/crypto v0.52.0
go: downloading golang.org/x/text v0.37.0
go: downloading github.com/fsnotify/fsnotify v1.9.0
go: downloading github.com/go-viper/mapstructure/v2 v2.4.0
go: downloading github.com/sagikazarmark/locafero v0.11.0
go: downloading github.com/jackc/pgx/v5 v5.6.0
go: downloading github.com/moby/moby/api v1.54.1
go: downloading github.com/moby/moby/client v0.4.0
go: downloading go.opentelemetry.io/otel/metric v1.43.0
go: downloading go.opentelemetry.io/contrib/propagators/aws v1.43.0
go: downloading go.opentelemetry.io/contrib/propagators/b3 v1.43.0
go: downloading go.opentelemetry.io/contrib/propagators/jaeger v1.43.0
go: downloading go.opentelemetry.io/contrib/propagators/ot v1.43.0
go: downloading google.golang.org/genproto/googleapis/rpc v0.0.0-20260401024825-9d38bb4040a9
go: downloading google.golang.org/grpc v1.80.0
go: downloading github.com/matttproud/golang_protobuf_extensions v1.0.4
go: downloading github.com/go-openapi/jsonpointer v0.21.0
go: downloading github.com/mohae/deepcopy v0.0.0-20170929034955-c48cc78d4826
go: downloading github.com/oasdiff/yaml v0.0.0-20250309154309-f31be36b4037
go: downloading github.com/perimeterx/marshmallow v1.1.5
go: downloading github.com/woodsbury/decimal128 v1.3.0
go: downloading golang.org/x/net v0.54.0
go: downloading github.com/go-sql-driver/mysql v1.8.1
go: downloading github.com/sourcegraph/conc v0.3.1-0.20240121214520-5f936abd7ae8
go: downloading github.com/pelletier/go-toml/v2 v2.2.4
go: downloading github.com/moby/sys/sequential v0.6.0
go: downloading github.com/moby/sys/user v0.4.0
go: downloading github.com/docker/go-connections v0.6.0
go: downloading github.com/shirou/gopsutil/v4 v4.26.3
go: downloading github.com/grpc-ecosystem/grpc-gateway/v2 v2.28.0
go: downloading github.com/go-openapi/swag v0.23.0
go: downloading github.com/oasdiff/yaml3 v0.0.0-20250309153720-d2182401db90
go: downloading github.com/mailru/easyjson v0.7.7
go: downloading filippo.io/edwards25519 v1.1.0
go: downloading github.com/klauspost/compress v1.18.5
go: downloading github.com/tklauser/go-sysconf v0.3.16
go: downloading google.golang.org/genproto/googleapis/api v0.0.0-20260401024825-9d38bb4040a9
go: downloading github.com/josharian/intern v1.0.0
go: downloading golang.org/x/sync v0.20.0
go: downloading github.com/ebitengine/purego v0.10.0
go: downloading github.com/tklauser/numcpus v0.11.0
go: downloading github.com/go-ole/go-ole v1.2.6
go: github.com/openshift-hyperfleet/hyperfleet-api/pkg/api imports
	github.com/openshift-hyperfleet/hyperfleet-api/pkg/api/openapi: cannot find module providing package github.com/openshift-hyperfleet/hyperfleet-api/pkg/api/openapi
go: module github.com/bxcodec/faker/v3 is deprecated: use github.com/go-faker/faker/v4 instead.

@openshift-ci openshift-ci Bot requested review from Mischulee and tirthct June 29, 2026 08:04
@openshift-ci

openshift-ci Bot commented Jun 29, 2026


[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign vkareh for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci

openshift-ci Bot commented Jun 29, 2026


Hi @red-hat-konflux-kflux-prd-rh02[bot]. Thanks for your PR.

I'm waiting for an openshift-hyperfleet member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work.

Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@coderabbitai

coderabbitai Bot commented Jun 29, 2026


No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Central YAML (base), Organization UI (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 7ee49bdd-5d20-4d9e-b76a-d83953131a8f

📥 Commits

Reviewing files that changed from the base of the PR and between 43c0474 and 57beff1.

📒 Files selected for processing (1)
  • go.mod
🔗 Linked repositories identified

CodeRabbit considers these linked repositories for cross-repo context during reviews:

  • openshift-hyperfleet/architecture (manual)
  • openshift-hyperfleet/hyperfleet-api (manual)
  • openshift-hyperfleet/hyperfleet-sentinel (manual)
  • openshift-hyperfleet/hyperfleet-adapter (manual)
  • openshift-hyperfleet/hyperfleet-broker (manual)

📝 Walkthrough

Summary by CodeRabbit

  • Chores
    • Updated an underlying dependency to a newer major version.

Walkthrough

go.mod replaces the indirect dependency github.com/cenkalti/backoff/v5 v5.0.3 with github.com/cenkalti/backoff/v6 v6.0.1. No exported or public API declarations are altered.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes


Supply chain surface — indirect dependency, but still a go module import path change (CWE-1104: Use of Unmaintained Third-Party Components; potential CWE-506 if the new release introduces unexpected code). Verify:

  1. go.sum was updated and committed alongside this go.mod change — absence of a matching go.sum update is a red flag.
  2. Confirm v6.0.1 checksum matches the upstream published hash at sum.golang.org.
  3. Since this is a major version bump (v5 → v6), the API surface of backoff changed. Identify every call site in the codebase that transitively pulls this in and confirm no behavioral regression (e.g., retry semantics, context handling).
  4. No CVEs are currently published against cenkalti/backoff v5 or v6, but a major bump without an accompanying go.sum diff or explicit caller-side adaptation is worth scrutinizing.
🚥 Pre-merge checks | ✅ 11
✅ Passed checks (11 passed)
| Check name | Status | Explanation |
| --- | --- | --- |
| Title check | ✅ Passed | The title accurately describes the dependency version bump from backoff v5 to v6. |
| Description check | ✅ Passed | The description matches the dependency update and references the changed versions. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Sec-02: Secrets In Log Output | ✅ Passed | Only go.mod changed; no Go log statements or secret-bearing log fields/strings were introduced (CWE-532). |
| No Hardcoded Secrets | ✅ Passed | PASS: go.mod only bumps backoff v5→v6; no hardcoded creds, embedded user:pass@ URLs, or secret-like literals found (CWE-798/CWE-321). |
| No Weak Cryptography | ✅ Passed | Only go.mod changed; no crypto APIs, ECB, SHA1-for-security, or secret comparisons were introduced. No CWE-327/328/327 signal in diff. |
| No Injection Vectors | ✅ Passed | Only go.mod changed; no touched source introduced CWE-89/78/79/502 sinks. |
| No Privileged Containers | ✅ Passed | No deployed manifest enables privileged mode; chart runs non-root with allowPrivilegeEscalation=false, and Dockerfile root use is documented build-stage only (CWE-250 not triggered). |
| No Pii Or Sensitive Data In Logs | ✅ Passed | PASS: PR only bumps an indirect Go dependency in go.mod; no slog/logr/zap/fmt.Print* code changed, so no new CWE-532 log exposure risk. |

Comment @coderabbitai help to get the list of available commands.
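
A pre-merge check for item 1 of the verification list in the comment above, as an added example that is not part of this PR or of any bot's output: it flags modules required in go.mod that have no `/go.mod` hash line in go.sum, which is the state this branch is in after the failed artifact update. The module `example.test/app`, the function name `missingFromSum` and the `h1:PLACEHOLDER=` values are constructed; the check is a heuristic on file contents and does not verify hashes against sum.golang.org.

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed inputs modelled on this PR; the h1: values are placeholders, not real hashes.
const sampleGoMod = "module example.test/app\n\nrequire (\n" +
	"\tgithub.com/cenkalti/backoff/v6 v6.0.1 // indirect\n" +
	"\tgolang.org/x/sync v0.20.0\n)\n"
const sampleGoSum = "github.com/cenkalti/backoff/v5 v5.0.3/go.mod h1:PLACEHOLDER=\n" +
	"golang.org/x/sync v0.20.0/go.mod h1:PLACEHOLDER=\n"

// missingFromSum returns each "path version" required by go.mod (block or
// single-line form) that has no "<version>/go.mod h1:" line in go.sum.
func missingFromSum(goMod, goSum string) []string {
	have := map[string]bool{}
	for _, l := range strings.Split(goSum, "\n") {
		if f := strings.Fields(l); len(f) == 3 && strings.HasPrefix(f[2], "h1:") {
			have[f[0]+" "+f[1]] = true
		}
	}
	var missing []string
	check := func(path, version string) {
		if !have[path+" "+version+"/go.mod"] {
			missing = append(missing, path+" "+version)
		}
	}
	inBlock := false
	for _, l := range strings.Split(goMod, "\n") {
		// Drop trailing comments such as "// indirect" before tokenising.
		f := strings.Fields(strings.Split(l, "//")[0])
		switch {
		case len(f) == 2 && f[0] == "require" && f[1] == "(":
			inBlock = true
		case len(f) == 1 && f[0] == ")":
			inBlock = false
		case len(f) == 3 && f[0] == "require":
			check(f[1], f[2])
		case inBlock && len(f) == 2:
			check(f[0], f[1])
		}
	}
	return missing
}

func main() {
	fmt.Println("required in go.mod but absent from go.sum:", missingFromSum(sampleGoMod, sampleGoSum))
}
```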