Build(deps): Bump cloud.google.com/go/storage from 1.58.0 to 1.61.3

[dependabot]

Bumps cloud.google.com/go/storage from 1.58.0 to 1.61.3.

Release notes

Sourced from cloud.google.com/go/storage's releases.

storage: v1.61.3

v1.61.3 (2026-03-13)

Documentation

• Fix godoc formatting (#14169) (428b2288)

storage: v1.61.2

v1.61.2 (2026-03-12)

storage: v1.61.1

v1.61.1 (2026-03-11)

storage: v1.61.0

v1.61.0 (2026-03-10)

Features

• add bucket encryption enforcement configuration (#13874) (245c8d76)

• add multistream options to MRD (#13758) (4557675e)

• add a DeleteFolderRecursive API definition (PiperOrigin-RevId: 866471251) (6f310199)

• add multistream support to MRD (#13792) (ffa7268c)

Bug Fixes

• Fix TM download dir corner case (#14142) (87cdcc9f)

• Omit auto checksum in final request when MD5 is given (#14024) (d4047774)

• optimize gRPC writer with zero-copy and lazy allocation (#13481) (df641476)

storage 1.60.0

1.60.0 (2026-02-10)

Features

• adding support for max-retry-duration for all api other than resumable-upload (#13749) (31c352bd)

• support checksum validation in resumable json uploads (#13573) (337ca078)

• Added a new field ComposeObjectRequest.delete_source_objects field (PiperOrigin-RevId: 863087065) (611f2392)

Bug Fixes

• change TestValidateChecksumFromServer error message (#13810) (07414143)

• fix panic error in transfermanager downloads (#13815) (42722719)

... (truncated)

Commits

• 35cd86a chore: librarian release pull request: 20260313T045834Z (#14170)
• 428b228 docs(storage): Fix godoc formatting (#14169)
• e56381c feat(vertexai): Support AgentEngine for Agent Development Kit (#14168)
• d38abf9 feat(auth): add OpenTelemetry gRPC and HTTP wrappers for T4 tracing (#14133)
• 9f56e9f chore: librarian release pull request: 20260312T071057Z (#14164)
• 2dc8c9f chore: librarian release pull request: 20260312T041544Z (#14162)
• aeffa93 feat(pubsub/v2): add keep alive support (#13457)
• bb64998 feat(bigtable): add load balancing penalty for channel (#14149)
• 704a21f Revert "Revert "chore: librarian release pull request: 20260311T074420Z"" (#1...
• b1b0586 Revert "chore: librarian release pull request: 20260311T074420Z" (#14157)
• Additional commits viewable in compare view

[coderabbitai]

Walkthrough

Bumped Go toolchain from 1.24.13 to 1.25.0 and updated multiple module versions in go.mod, including cloud.google.com/go/storage, google.golang.org/api, google.golang.org/grpc, OpenTelemetry packages, and several golang.org/x modules. No source-code or public API changes were introduced.

Changes

Cohort / File(s)	Summary
Dependency and Toolchain Updates go.mod	Updated go directive to 1.25.0 and bumped direct and indirect dependency versions (notably cloud.google.com/go/storage, github.com/googleapis/gax-go/v2, google.golang.org/api, google.golang.org/grpc, OpenTelemetry packages, golang.org/x/*, google.golang.org/genproto, and other transitive deps). No additions/removals of require entries or changes to exported APIs.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title accurately reflects the main change: bumping the cloud.google.com/go/storage dependency from 1.58.0 to 1.61.3, which is the primary focus of this dependency update pull request.
Description check	✅ Passed	The description is directly related to the changeset, providing detailed information about the dependency bump including release notes, features, bug fixes, and relevant commits from the updated package.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch dependabot/go_modules/cloud.google.com/go/storage-1.61.3

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@go.mod`:
- Line 3: The go.mod change bumped the module toolchain to "go 1.25.0" which
conflicts with CI workflows; either revert the go.mod entry back to the previous
toolchain version (restore the "go X.Y.Z" line to the prior value) or update all
GitHub Actions workflows that reference older Go versions to include and test
"1.25.0" so CI and go.mod remain consistent; locate the "go 1.25.0" entry in
go.mod and apply the chosen fix, and if you update CI ensure each workflow
matrix or uses: actions/setup-go references 1.25.0.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 1d69a47c-72fa-451b-928a-dfc0555019ef

📥 Commits

Reviewing files that changed from the base of the PR and between 188c8ce and dc9265f.

⛔ Files ignored due to path filters (1)

• go.sum is excluded by !**/*.sum

📒 Files selected for processing (1)

• go.mod

[coderabbitai]

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Verify repo toolchain expectations vs go.mod
set -euo pipefail

echo "== go.mod go directive =="
rg -n '^\s*go\s+[0-9]+\.[0-9]+' go.mod

echo
echo "== GitHub Actions Go versions =="
fd -H -t f '\.ya?ml$' .github/workflows | xargs -I{} rg -n 'go-version|setup-go|golang:' {}

echo
echo "== Dockerfiles / Makefiles with Go version pins =="
fd -H -t f 'Dockerfile|Makefile|\.tool-versions|go\.env' . | xargs -I{} rg -n '1\.25|1\.24|golang:|GO_VERSION|go version' {}

Repository: openshift-online/ocm-cli

Length of output: 382

---

Go toolchain bump to 1.25.0 conflicts with CI configuration and should not be part of this dependency update PR.

go.mod declares go 1.25.0 (line 3), but GitHub Actions workflows are pinned to Go 1.22 and 1.23. This version mismatch means CI will not test against the declared minimum toolchain, risking undetected incompatibilities or failures in production environments running Go 1.25.0.

Either revert the toolchain change to align with the PR's dependency-only scope, or update all CI workflows to test with Go 1.25.0.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@go.mod` at line 3, The go.mod change bumped the module toolchain to "go
1.25.0" which conflicts with CI workflows; either revert the go.mod entry back
to the previous toolchain version (restore the "go X.Y.Z" line to the prior
value) or update all GitHub Actions workflows that reference older Go versions
to include and test "1.25.0" so CI and go.mod remain consistent; locate the "go
1.25.0" entry in go.mod and apply the chosen fix, and if you update CI ensure
each workflow matrix or uses: actions/setup-go references 1.25.0.

[openshift-ci]

rebase

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: dependabot[bot]
Once this PR has been reviewed and has the lgtm label, please assign rcampos2029 for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@go.mod`:
- Line 31: Update the grpc dependency from google.golang.org/grpc v1.79.2 to
v1.79.3 to pull in the security fix; change the dependency entry (the line
containing "google.golang.org/grpc v1.79.2") to "google.golang.org/grpc v1.79.3"
and then run go get google.golang.org/grpc@v1.79.3 (or go get ./... and go mod
tidy) to update go.sum and ensure the module is rebuilt with the patched
version.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 4bf2bad3-7323-415c-972c-005db8ed94ab

📥 Commits

Reviewing files that changed from the base of the PR and between dc9265f and aa37855.

⛔ Files ignored due to path filters (1)

• go.sum is excluded by !**/*.sum

📒 Files selected for processing (1)

• go.mod

[coderabbitai]

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🌐 Web query:

Is google.golang.org/grpc version 1.79.2 affected by CVE or vulnerability GO-2026-4762 or GHSA-p77j-4mvh-x3m3 (authorization bypass via missing leading slash in :path)? What is the latest patched version of google.golang.org/grpc?

💡 Result:

Yes. google.golang.org/grpc v1.79.2 is affected by GO-2026-4762 / GHSA-p77j-4mvh-x3m3 (authorization bypass when an attacker sends an HTTP/2 :path without a leading /). The advisory states affected versions are < 1.79.3 and the patched version is 1.79.3. [1]

Latest patched version: v1.79.3 (this is also the current latest grpc-go release as of today, March 31, 2026). [2]

Action: upgrade to google.golang.org/grpc v1.79.3 or newer. [1]

Sources
[1] GitHub Security Advisory GHSA-p77j-4mvh-x3m3 (grpc/grpc-go)
[2] grpc/grpc-go “latest release” tag (currently v1.79.3)

---

Upgrade google.golang.org/grpc to v1.79.3 to address critical authorization bypass vulnerability.

google.golang.org/grpc v1.79.2 contains a critical authorization bypass vulnerability (GO-2026-4762, GHSA-p77j-4mvh-x3m3) where missing leading slash in HTTP/2 :path can bypass authorization checks. The patched version is v1.79.3.

🧰 Tools

🪛 OSV Scanner (2.3.5)

[CRITICAL] 31-31: google.golang.org/grpc 1.79.2: Authorization bypass in gRPC-Go via missing leading slash in :path in google.golang.org/grpc

(GO-2026-4762)

---

[CRITICAL] 31-31: google.golang.org/grpc 1.79.2: gRPC-Go has an authorization bypass via missing leading slash in :path

(GHSA-p77j-4mvh-x3m3)

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@go.mod` at line 31, Update the grpc dependency from google.golang.org/grpc
v1.79.2 to v1.79.3 to pull in the security fix; change the dependency entry (the
line containing "google.golang.org/grpc v1.79.2") to "google.golang.org/grpc
v1.79.3" and then run go get google.golang.org/grpc@v1.79.3 (or go get ./... and
go mod tidy) to update go.sum and ensure the module is rebuilt with the patched
version.

[dependabot]

Superseded by #1087.