[oadp-dev] public velero ref 1.18.1 to match openshift/velero replace

[openshift-cherrypick-robot]

This is an automated cherry-pick of #2228

/assign weshayutin

Summary by CodeRabbit

• Chores
  • Updated backup and disaster recovery tool dependency to the latest stable version, bringing performance improvements, security enhancements, and bug fixes.

[coderabbitai]

Walkthrough

The PR updates the github.com/vmware-tanzu/velero dependency from v1.14.0 to v1.18.1 in go.mod. This is a single-line version bump in the module's primary dependency list.

Changes

Velero Dependency Update

Layer / File(s)	Summary
Velero dependency version bump go.mod	The required version of github.com/vmware-tanzu/velero is updated from v1.14.0 to v1.18.1 in the main require block.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

🚥 Pre-merge checks | ✅ 13 | ❌ 2

❌ Failed checks (2 warnings)

Check name	Status	Explanation	Resolution
Description check	⚠️ Warning	The PR description is incomplete, missing both required template sections: 'Why the changes were made' and 'How to test the changes made'.	Add detailed explanations for why velero was upgraded to 1.18.1 and document testing procedures for verifying the dependency update.
Test Structure And Quality	⚠️ Warning	Test code violates quality requirements: 19 bare assertions without messages in readiness_test.go; 15+ test files lack BeforeEach/AfterEach for resource cleanup.	Add meaningful messages to all assertions (e.g., "failed to update condition"); implement consistent BeforeEach/AfterEach patterns for setup/cleanup in all test files.

✅ Passed checks (13 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title clearly identifies the main change: updating the velero dependency to version 1.18.1 to align with openshift/velero configuration.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names	✅ Passed	All 31 Ginkgo It() declarations use stable, static test names with no dynamic content (fmt.Sprintf, concatenation, variables). PR only updates go.mod, not test definitions.
Microshift Test Compatibility	✅ Passed	This PR only updates the velero dependency in go.mod from v1.14.0 to v1.18.1. No new Ginkgo e2e tests are added; the MicroShift compatibility check applies only when new tests are added.
Single Node Openshift (Sno) Test Compatibility	✅ Passed	This PR only updates a dependency version in go.mod and adds no new Ginkgo e2e tests, so the SNO compatibility check does not apply.
Topology-Aware Scheduling Compatibility	✅ Passed	PR updates go.mod dependency (v1.18.1) only. No new scheduling constraints added. Existing controller supports topology-aware configuration via CRD; no hardcoded topology-unfriendly constraints.
Ote Binary Stdout Contract	✅ Passed	This is a Kubernetes operator (oadp-operator), not an OTE binary. The go.mod Velero version bump does not affect stdout behavior.
Ipv6 And Disconnected Network Test Compatibility	✅ Passed	This PR only updates the velero dependency version in go.mod (+1/-1); no new Ginkgo e2e tests are added, so the IPv6/disconnected network compatibility check does not apply.
No-Weak-Crypto	✅ Passed	No weak cryptography patterns detected in codebase. PR only updates go.mod dependency versions with no new crypto implementations.
Container-Privileges	✅ Passed	No privileged containers found. Manager deployment has allowPrivilegeEscalation: false, dropped all capabilities, enforces non-root, and read-only filesystem.
No-Sensitive-Data-In-Logs	✅ Passed	Code logs only secret metadata (names/keys) not actual credential values; no passwords, tokens, API keys, or PII are exposed in logs.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: openshift-cherrypick-robot
Once this PR has been reviewed and has the lgtm label, please assign rayfordj for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@go.mod`:
- Line 42: Add CI evidence showing SBOM/provenance and artifact signing for the
dependency bump of github.com/vmware-tanzu/velero v1.18.1 declared in go.mod:
update CI pipeline to generate an SBOM (e.g., using syft), produce provenance
attestations (e.g., in-toto or sigstore/rekor entries), and sign built artifacts
and attestations with cosign, then attach or link the generated SBOM, provenance
attestation, and cosign signatures to the PR/CI run; ensure the CI job names and
artifacts are clearly referenced in the PR so reviewers can verify the Velero
v1.18.1 release has SBOM/provenance/signing evidence.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 7ee3e535-97a6-46f2-80fa-182b2d6c2808

📥 Commits

Reviewing files that changed from the base of the PR and between 627d54e and 4dc72e2.

📒 Files selected for processing (1)

• go.mod

[coderabbitai]

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🌐 Web query:

`Check github.com/vmware-tanzu/velero v1.18.1 for:

1. Known vulnerabilities on osv.dev
2. License type and compatibility for Apache-2.0 downstream projects
3. Whether v1.18.1 is a stable (non-pre-release, non-yanked) tag/release`

💡 Result:

As of June 1, 2026, here is the information for Velero v1.18.1: 1) Known Vulnerabilities: A search of the Open Source Vulnerabilities (OSV) database does not yield specific vulnerabilities indexed for Velero v1.18.1 [1][2][3]. 2) License Type and Compatibility: Velero is licensed under the Apache License 2.0 [1][4][5]. This is a permissive license that is generally highly compatible with downstream projects [6]. It allows for commercial use, modification, distribution, and private use [6]. Apache 2.0 is compatible with many other open-source licenses, including GPLv3, though it is incompatible with GPLv2 due to specific patent retaliation clauses [6]. Downstream projects utilizing Velero should ensure they comply with the attribution requirements of the Apache 2.0 license (e.g., maintaining notice files) [6]. 3) Release Status: Velero v1.18.1 is a stable, non-pre-release, and non-yanked official release [1][7][8]. It was published on May 19, 2026, and is listed as a standard tag in the official repository [7][8].

Citations:

• 1: https://pkg.go.dev/github.com/vmware-tanzu/velero
• 2: https://pkg.go.dev/github.com/google/osv.dev
• 3: https://dev.to/alanwest/bumblebee-vs-osv-scanner-two-takes-on-supply-chain-scanning-j29
• 4: https://github.com/velero-io/velero
• 5: https://github.com/vmware-tanzu/velero/blob/main/LICENSE
• 6: https://dev.to/andrewleejenkins/mit-vs-gpl-vs-agpl-vs-proprietary-which-license-fits-your-crm-build-309n
• 7: https://github.com/velero-io/velero/releases/tag/v1.18.1
• 8: https://github.com/velero-io/velero/releases

---

Require CI evidence for SBOM/provenance/signing for the Velero v1.18.1 bump before merge.

• osv.dev: no specific vulnerabilities indexed for github.com/vmware-tanzu/velero v1.18.1.
• License: Velero is Apache-2.0 (permissive; downstreams must satisfy Apache 2.0 notice/attribution requirements).
• Release integrity: v1.18.1 is a stable, non-pre-release, non-yanked release.

Missing from the PR/CI evidence: confirmation that your build produces SBOM/provenance attestations and that released artifacts are signed (Sigstore/cosign) per your supply-chain guidelines.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@go.mod` at line 42, Add CI evidence showing SBOM/provenance and artifact
signing for the dependency bump of github.com/vmware-tanzu/velero v1.18.1
declared in go.mod: update CI pipeline to generate an SBOM (e.g., using syft),
produce provenance attestations (e.g., in-toto or sigstore/rekor entries), and
sign built artifacts and attestations with cosign, then attach or link the
generated SBOM, provenance attestation, and cosign signatures to the PR/CI run;
ensure the CI job names and artifacts are clearly referenced in the PR so
reviewers can verify the Velero v1.18.1 release has SBOM/provenance/signing
evidence.

[mpryc]

shouldn't we here track the oadp-dev branch of velero ?

[openshift-ci]

@openshift-cherrypick-robot: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/4.22-e2e-test-aws	4dc72e2	link	true	/test 4.22-e2e-test-aws

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

[kaovilai]

The require directive in go.mod always stores an exact module version, never a branch name. When we run go get github.com/openshift/oadp-operator@oadp-dev, Go resolves oadp-dev to the branch tip, then records either a semantic version tag (if present on that commit) or a pseudo‑version in go.mod. After that resolution step, the branch name is discarded and only the concrete version remains in the require entry.

So require github.com/openshift/oadp-operator oadp-dev isn’t a stable form Go will preserve. The intended workflow is to use the branch name only as a go get version query and let Go lock it to a specific version or pseudo‑version in go.mod. If we want to follow oadp-dev, we can periodically run go get ...@oadp-dev to advance to the latest commit, but the file will always show a resolved version. Ideally, we’d pin to a version or pseudo‑version that is explicitly derived from oadp-dev, rather than treating this as a pure cherry‑pick. Otherwise, this “name‑only ref” should resolve to the latest Velero tag, since the effective dependency comes from the replace directive and shouldn’t drift far from the intended upstream release.