
LCORE-2011: Updated Konflux deps#1831

Merged: tisnik merged 2 commits into lightspeed-core:main from tisnik:lcore-2011-updated-konflux-deps- on Jun 2, 2026



@tisnik tisnik commented Jun 1, 2026

Description

LCORE-2011: Updated Konflux deps

Type of change

  • Refactor
  • New feature
  • Bug fix
  • CVE fix
  • Optimization
  • Documentation Update
  • Configuration Update
  • Bump-up service version
  • Bump-up dependent library
  • Bump-up library or tool used for development (does not change the final image)
  • CI configuration change
  • Konflux configuration change
  • Unit tests improvement
  • Integration tests improvement
  • End to end tests improvement
  • Benchmarks improvement

Tools used to create PR

  • Assisted-by: N/A
  • Generated by: N/A

Related Tickets & Documents

  • Related Issue #LCORE-2011

Summary by CodeRabbit

  • Chores
    • Updated and re-pinned several third-party libraries (authentication, API clients, observability, OpenTelemetry exporters, and OpenAI-related packages). No user-facing or public API changes.


coderabbitai Bot commented Jun 1, 2026


Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

  • @coderabbitai resume to resume automatic reviews.
  • @coderabbitai review to trigger a single review.


Walkthrough

Updates pinned versions and SHA256 hashes in .konflux/requirements.hashes.source.txt for idna, importlib-metadata, joserfc; mcp and msal; and openai plus OpenTelemetry packages and OTLP exporters.

Changes

Dependency Version and Hash Updates

| Layer / File(s) | Summary |
| --- | --- |
| Lockfile version and hash pin updates: .konflux/requirements.hashes.source.txt | Replaced pinned versions and SHA256 hashes for idna, importlib-metadata, joserfc, mcp, msal, openai, and OpenTelemetry-related packages (opentelemetry-api, opentelemetry-distro, opentelemetry-exporter-otlp, opentelemetry-exporter-otlp-proto-*, and opentelemetry-instrumentation). |

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes


🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
| Check name | Status | Explanation |
| --- | --- | --- |
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title accurately reflects the main change: updating Konflux dependency pins and hashes in the requirements file. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |


@tisnik tisnik force-pushed the lcore-2011-updated-konflux-deps- branch 6 times, most recently from d46a0e5 to 4478278 Compare June 1, 2026 13:05

@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.konflux/requirements.hashes.source.txt:
- Around line 682-699: The OpenTelemetry packages are pinned to mixed versions
(opentelemetry-api/exporters at 1.42.1 while opentelemetry-sdk and
opentelemetry-proto remain at 1.40.0), which breaks compatibility; update the
requirement pins so the core OTel packages and related packages
(opentelemetry-api, opentelemetry-sdk, opentelemetry-proto,
opentelemetry-exporter-otlp, opentelemetry-exporter-otlp-proto-http/grpc/common,
opentelemetry-distro, and any instrumentations/conventions) all target the same
compatible release (e.g., set opentelemetry-sdk and opentelemetry-proto to
1.42.1 or downgrade the api/exporters to 1.40.0), and ensure the corresponding
--hash entries are updated to match the chosen version set.

📥 Commits

Reviewing files that changed from the base of the PR and between 217490d and 4478278.

📒 Files selected for processing (1)
  • .konflux/requirements.hashes.source.txt
📜 Review details
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (17)
  • GitHub Check: list_outdated_dependencies
  • GitHub Check: spectral
  • GitHub Check: Pyright
  • GitHub Check: Pylinter
  • GitHub Check: unit_tests (3.13)
  • GitHub Check: integration_tests (3.13)
  • GitHub Check: integration_tests (3.12)
  • GitHub Check: unit_tests (3.12)
  • GitHub Check: build-pr
  • GitHub Check: E2E: server mode / ci / group 3
  • GitHub Check: E2E: library mode / ci / group 3
  • GitHub Check: E2E: server mode / ci / group 2
  • GitHub Check: E2E: library mode / ci / group 2
  • GitHub Check: E2E: library mode / ci / group 1
  • GitHub Check: E2E: server mode / ci / group 1
  • GitHub Check: E2E Tests for Lightspeed Evaluation job
  • GitHub Check: Konflux kflux-prd-rh02 / lightspeed-stack-on-pull-request

Comment thread .konflux/requirements.hashes.source.txt
@tisnik tisnik force-pushed the lcore-2011-updated-konflux-deps- branch 2 times, most recently from 9f89a11 to 3a55e71 Compare June 1, 2026 14:16
@tisnik tisnik force-pushed the lcore-2011-updated-konflux-deps- branch from 3a55e71 to d0c07a8 Compare June 1, 2026 15:02

tisnik commented Jun 1, 2026

/retest

2 similar comments

tisnik commented Jun 1, 2026

/retest


tisnik commented Jun 1, 2026

/retest

@tisnik tisnik force-pushed the lcore-2011-updated-konflux-deps- branch from d0c07a8 to 3213e70 Compare June 1, 2026 17:55

@coderabbitai coderabbitai Bot left a comment


♻️ Duplicate comments (1)
.konflux/requirements.hashes.source.txt (1)

682-702: ⚠️ Potential issue | 🟠 Major

Align OpenTelemetry pins to one compatible release set.

opentelemetry-api/OTLP exporters are pinned at 1.42.1 while opentelemetry-sdk and opentelemetry-proto remain at 1.40.0 (Lines 703-708). This mixed core set is not supported; pin OTel core packages to the same compatible version line.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.konflux/requirements.hashes.source.txt around lines 682 - 702, The
OpenTelemetry packages are pinned to mixed release lines (opentelemetry-api and
exporters at 1.42.1 while opentelemetry-sdk/opentelemetry-proto are at 1.40.0),
which is unsupported; update the package pins so all core OTel packages match a
single compatible version line — e.g., set opentelemetry-sdk and
opentelemetry-proto to 1.42.1 (or alternatively downgrade api/exporters to
1.40.0) and regenerate/update the corresponding hashes for opentelemetry-sdk and
opentelemetry-proto entries so the requirements file is consistent with
opentelemetry-api and opentelemetry-exporter-otlp.

📥 Commits

Reviewing files that changed from the base of the PR and between 9f89a11 and 3213e70.

📒 Files selected for processing (1)
  • .konflux/requirements.hashes.source.txt
📜 Review details
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (15)
  • GitHub Check: mypy
  • GitHub Check: build-pr
  • GitHub Check: unit_tests (3.13)
  • GitHub Check: unit_tests (3.12)
  • GitHub Check: Pylinter
  • GitHub Check: integration_tests (3.12)
  • GitHub Check: spectral
  • GitHub Check: E2E: library mode / ci / group 1
  • GitHub Check: E2E: library mode / ci / group 2
  • GitHub Check: E2E: server mode / ci / group 1
  • GitHub Check: E2E: server mode / ci / group 2
  • GitHub Check: E2E: server mode / ci / group 3
  • GitHub Check: E2E Tests for Lightspeed Evaluation job
  • GitHub Check: E2E: library mode / ci / group 3
  • GitHub Check: Konflux kflux-prd-rh02 / lightspeed-stack-on-pull-request
🔇 Additional comments (1)
.konflux/requirements.hashes.source.txt (1)

527-535: LGTM!

Also applies to: 647-652
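
An added example, not part of the PR or the project's tooling: a small check for the condition the review above flags (OpenTelemetry core packages pinned to different versions) over a hash-pinned requirements file, which also reports pins that carry no `--hash`. The sample input, the set of packages treated as core, and the finding names are assumptions.

```python
import re

# Constructed sample in pip's hash-pinned format; versions mirror the review
# comment, digests are placeholders, and example-pkg is a hypothetical name.
SAMPLE = """\
opentelemetry-api==1.42.1 \\
    --hash=sha256:PLACEHOLDER_A
opentelemetry-exporter-otlp==1.42.1 \\
    --hash=sha256:PLACEHOLDER_B
opentelemetry-proto==1.40.0 \\
    --hash=sha256:PLACEHOLDER_C
opentelemetry-sdk==1.40.0 \\
    --hash=sha256:PLACEHOLDER_D
example-pkg==1.0.0
"""
PIN = re.compile(r"^([A-Za-z0-9._-]+)==([^\s;]+)")
HASH = re.compile(r"--hash=(\w+):(\S+)")
# Assumption: the packages the review names as needing one shared version.
CORE = {"opentelemetry-api", "opentelemetry-sdk", "opentelemetry-proto"}
CORE_PREFIX = "opentelemetry-exporter-otlp"

def parse_pins(text):
    """Map normalized package name -> (version, [(algo, digest), ...])."""
    pins = {}
    for line in text.replace("\\\n", " ").splitlines():
        line = line.strip()
        match = PIN.match(line)
        if match:  # comment and blank lines do not match and are skipped
            name = re.sub(r"[-_.]+", "-", match.group(1)).lower()
            pins[name] = (match.group(2), HASH.findall(line))
    return pins

def audit(text):
    """Return findings for mixed OTel core versions and pins without a hash."""
    pins = parse_pins(text)
    by_version = {}
    for name, (version, _) in pins.items():
        if name in CORE or name.startswith(CORE_PREFIX):
            by_version.setdefault(version, []).append(name)
    findings = []
    if len(by_version) > 1:
        findings.append(("mixed-otel-versions",
                         {v: sorted(n) for v, n in by_version.items()}))
    unhashed = sorted(n for n, (_, hashes) in pins.items() if not hashes)
    if unhashed:
        findings.append(("missing-hash", unhashed))
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE))
```
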

@tisnik tisnik force-pushed the lcore-2011-updated-konflux-deps- branch 2 times, most recently from f84c6da to 4185cf3 Compare June 1, 2026 19:06
@tisnik tisnik force-pushed the lcore-2011-updated-konflux-deps- branch from 4185cf3 to a11443b Compare June 1, 2026 19:56

tisnik commented Jun 1, 2026

/retest

@tisnik tisnik merged commit 7c8ef31 into lightspeed-core:main Jun 2, 2026
35 of 36 checks passed