chore(deps): update module github.com/cenkalti/backoff/v4 to v5

[red-hat-konflux]

This PR contains the following updates:

Package	Change	Age	Confidence
github.com/cenkalti/backoff/v4	v4.3.0 -> v5.0.3

---

Warning

Some dependencies could not be looked up. Check the warning logs for more information.

---

Release Notes

cenkalti/backoff (github.com/cenkalti/backoff/v4)

v5.0.3

Compare Source

v5.0.2

Compare Source

v5.0.1

Compare Source

v5.0.0

Compare Source

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

To execute skipped test pipelines write comment /ok-to-test.

---

Documentation

Find out how to configure dependency updates in MintMaker documentation or see all available configuration options in Renovate documentation.

[coderabbitai]

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

• @coderabbitai resume to resume automatic reviews.
• @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

• ▶️ Resume reviews
• 🔍 Trigger review

Walkthrough

The go.mod file is updated to replace the indirect dependency github.com/cenkalti/backoff/v4 v4.3.0 with github.com/cenkalti/backoff/v5 v5.0.3, a major-version upgrade of the backoff library.

Changes

Cohort / File(s)	Summary
Dependency Update go.mod	Replaced indirect dependency github.com/cenkalti/backoff/v4 v4.3.0 with github.com/cenkalti/backoff/v5 v5.0.3 (major version bump).

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description check	✅ Passed	The description provides relevant context about the dependency update, including the version change details, release notes links, and configuration information.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Title check	✅ Passed	The title directly and accurately describes the main change: updating the backoff dependency from v4 to v5.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch konflux/mintmaker/main/github.com-cenkalti-backoff-v4-5.x

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: red-hat-konflux[bot]
Once this PR has been reviewed and has the lgtm label, please assign rcampos2029 for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[openshift-ci]

Hi @red-hat-konflux[bot]. Thanks for your PR.

I'm waiting for a openshift-online member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@go.mod`:
- Line 78: The go.mod entry for github.com/cenkalti/backoff/v5 conflicts with
three direct deps that still require backoff v4
(github.com/openshift-online/ocm-common, github.com/openshift-online/ocm-sdk-go,
github.com/openshift/rosa); either revert the backoff line to the v4 module
path/version or upgrade those three dependencies to releases that depend on
backoff v5, update any code using the old Retry API to the v5 signatures if you
choose v5, and then run `go mod tidy` to synchronize go.sum (ensure
github.com/cenkalti/backoff/v5 is removed if reverting, or ensure all three deps
no longer reference v4 if upgrading).

---

ℹ️ Review info

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Cache: Disabled due to data retention organization setting

Knowledge base: Disabled due to Reviews -> Disable Knowledge Base setting

📥 Commits

Reviewing files that changed from the base of the PR and between 3141a0f and 668fa6d.

📒 Files selected for processing (1)

• go.mod

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@go.mod`:
- Line 78: go.mod currently pins github.com/cenkalti/backoff/v5 v5.0.3 which
conflicts with all direct deps (ocm-common, ocm-sdk-go, rosa) that require
backoff/v4; fix by aligning versions: either upgrade the direct dependencies
(ocm-common, ocm-sdk-go, rosa) to releases that depend on backoff v5, or revert
go.mod to the v4 module path and version that satisfies them (e.g., replace the
github.com/cenkalti/backoff/v5 v5.0.3 entry with github.com/cenkalti/backoff/v4
at a compatible v4.x (such as v4.3.0) so go.mod matches go.sum and the three
direct deps).

---

ℹ️ Review info

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Cache: Disabled due to data retention organization setting

Knowledge base: Disabled due to Reviews -> Disable Knowledge Base setting

📥 Commits

Reviewing files that changed from the base of the PR and between 668fa6d and 003b154.

📒 Files selected for processing (1)

• go.mod

[coderabbitai]

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Check the module graph and go.sum to verify backoff dependency resolution

echo "=== Checking module graph for backoff dependencies ==="
go mod graph | grep 'cenkalti/backoff' | sort | uniq

echo ""
echo "=== Checking go.sum for backoff entries ==="
grep 'cenkalti/backoff' go.sum || echo "No backoff entries in go.sum"

echo ""
echo "=== Verifying direct dependencies require which backoff version ==="
echo "Checking ocm-common v0.0.34..."
go mod graph | grep 'ocm-common@v0.0.34' | grep backoff || echo "No backoff dependency found"

echo ""
echo "Checking ocm-sdk-go v0.1.496..."
go mod graph | grep 'ocm-sdk-go@v0.1.496' | grep backoff || echo "No backoff dependency found"

echo ""
echo "Checking rosa v1.2.60..."
go mod graph | grep 'rosa@v1.2.60' | grep backoff || echo "No backoff dependency found"

echo ""
echo "=== Running go mod tidy to check for issues ==="
go mod tidy -v 2>&1 | head -30

Repository: openshift-online/ocm-cli

Length of output: 2988

---

Critical dependency conflict: backoff v5 in go.mod but v4 required by all direct dependencies.

The previous review identified this issue, but it remains unresolved. All three direct dependencies require backoff v4:

• ocm-common@v0.0.34 requires backoff/v4@v4.1.3
• ocm-sdk-go@v0.1.496 requires backoff/v4@v4.1.3
• rosa@v1.2.60 requires backoff/v4@v4.3.0

However, go.mod specifies v5.0.3, and go.sum contains only v4 entries. This creates an inconsistency where go.mod declares v5 but the actual dependency resolution pulls v4. Either upgrade the direct dependencies to versions supporting v5, or correct go.mod to specify v4.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@go.mod` at line 78, go.mod currently pins github.com/cenkalti/backoff/v5
v5.0.3 which conflicts with all direct deps (ocm-common, ocm-sdk-go, rosa) that
require backoff/v4; fix by aligning versions: either upgrade the direct
dependencies (ocm-common, ocm-sdk-go, rosa) to releases that depend on backoff
v5, or revert go.mod to the v4 module path and version that satisfies them
(e.g., replace the github.com/cenkalti/backoff/v5 v5.0.3 entry with
github.com/cenkalti/backoff/v4 at a compatible v4.x (such as v4.3.0) so go.mod
matches go.sum and the three direct deps).

[openshift-ci]

@red-hat-konflux[bot]: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/images-images	fa780cc	link	true	/test images-images

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.