
Prod release from post-switchover dev updates #5076

Merged: lukaszgryglicki merged 46 commits into main from dev, May 29, 2026

Conversation

@lukaszgryglicki (Member)

Prod release from post-switchover dev updates.

Signed-off-by: Lukasz Gryglicki lgryglicki@cncf.io

Assisted by OpenAI

Assisted by GitHub Copilot

Assisted by Claude

lukaszgryglicki and others added 30 commits May 7, 2026 19:51
Signed-off-by: Lukasz Gryglicki <lgryglicki@cncf.io>

Assisted by [OpenAI](https://platform.openai.com/)

Assisted by [GitHub Copilot](https://github.com/features/copilot)
…from-forks

Support CI/CD pipelines for PRs from forks
Fix the remaining critical and high dependabot vulnerabilities
…a-new-org

Repos moved to a different org
License-header-check runs ./check-headers.sh against the cla-backend
trees. The two yarn-scan workflows run yarn install + yarn audit on
cla-backend-go and cla-backend after checkout. No GitHub API write,
no comment-on-PR.

contents:read at workflow scope matches the per-job style used by
build-pr.yml (id-token:write + contents:read + pull-requests:write),
go-audit.yml, license-compliance-go.yml, and security-scan-go.yml.

Signed-off-by: Arpit Jain <arpitjain099@gmail.com>
…rmissions

ci: declare contents:read on license + yarn-audit workflows
psrsingh and others added 11 commits May 28, 2026 14:37
Signed-off-by: psrsingh <psr.singh336@gmail.com>
feat: add SSS client with Auth0 token caching
@lukaszgryglicki lukaszgryglicki self-assigned this May 28, 2026
Copilot AI review requested due to automatic review settings May 28, 2026 12:40
@coderabbitai

coderabbitai Bot commented May 28, 2026

Important

Review skipped

Auto reviews are disabled on base/target branches other than the default branch.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.


Copilot AI (Contributor) left a comment

Pull request overview

Production release sync that pulls in post-switchover dev updates across Go services, JS/Python test tooling, and CI workflows—primarily dependency/security maintenance plus a new Go client for the Sanctions Screening Service (SSS).

Changes:

  • Upgraded Go toolchain targets and key Go dependencies (notably OpenTelemetry and gin), plus refreshed module sums.
  • Replaced imroc/req usage with net/http in Go components and added a new cla-backend-go/sss client package with tests.
  • Updated Node/Python dependencies and tightened CI security/workflow behavior (permissions, fork PR handling, audit allowlist removal, scan artifact handling).

Reviewed changes

Copilot reviewed 29 out of 39 changed files in this pull request and generated 1 comment.

Summary per file (File: Description):

utils/otel_dd_go/go.sum: Refreshes Go dependency checksums for the otel_dd_go utility after version bumps.
utils/otel_dd_go/go.mod: Updates Go version and OpenTelemetry/grpc-gateway dependency versions for otel_dd_go.
tests/rest/requirements.freeze.txt: Bumps Python REST test dependencies (PyJWT, urllib3).
tests/rest/package.json: Updates/restores Node dependency constraints and adds resolutions for REST tests.
tests/rest/package-lock.json: Locks updated transitive Node dependency versions for REST tests.
tests/functional/package.json: Adds/updates resolutions/overrides to address dependency advisories in functional tests.
tests/functional/package-lock.json: Locks updated functional test dependency tree.
docs/Python_APIs.md: Updates corporate console repository link to the linuxfoundation org.
docs/Python_APIs_updates.md: Same link update as above for the “updates” doc.
cla-backend/yarn.lock: Updates backend lockfile to align with dependency/resolution changes (axios, simple-git, xml libs, etc.).
cla-backend/package.json: Updates backend dependency versions and expands resolutions to remediate advisories.
cla-backend-legacy/go.sum: Refreshes legacy backend Go sums for upgraded OTel, grpc, x/* libs, etc.
cla-backend-legacy/go.mod: Updates legacy backend toolchain patch version and dependency versions (OTel, backoff v5, x/*).
cla-backend-go/v2/sign/service.go: Refactors metadata parsing/validation and uses context-aware return URL lookup method.
cla-backend-go/v2/metrics/repository.go: Replaces imroc/req with net/http for project membership caching calls.
cla-backend-go/token/token.go: Replaces imroc/req with net/http for Auth0 token acquisition.
cla-backend-go/sss/types.go: Adds SSS client config and request/response types.
cla-backend-go/sss/errors.go: Adds typed error models for SSS responses (400/401/404/503/timeouts).
cla-backend-go/sss/client.go: Implements the SSS client (Auth0 client-credentials + status endpoint).
cla-backend-go/sss/client_test.go: Adds comprehensive unit tests for SSS client behavior and error mapping.
cla-backend-go/sss/auth.go: Adds Auth0 request/response payload structs for the SSS client.
cla-backend-go/package.json: Updates JS tooling deps/resolutions for cla-backend-go packaging/audit remediation.
cla-backend-go/go.sum: Refreshes Go sums for upgraded Go deps (gin, validator, OTel, x/*, etc.).
cla-backend-go/go.mod: Updates Go version/toolchain and upgrades key dependencies; removes imroc/req.
cla-backend-go/github/github_repository.go: Hardens GitHub return URL lookup with input validation and error wrapping.
cla-backend-go/cmd/server_standalone.go: Buffers the signal channel to avoid potential goroutine blocking on notify/send.
.yarn-audit-allowlist.json: Clears allowlist/notes, implying advisories are intended to be resolved via upgrades.
.gitignore: Ignores additional build artifacts and .claude/* directory.
.github/workflows/yarn-scan-backend-pr.yml: Adds explicit read-only contents permissions for PR yarn audit workflow.
.github/workflows/yarn-scan-backend-go-pr.yml: Adds explicit read-only contents permissions for PR yarn audit workflow.
.github/workflows/security-scan-go.yml: Adjusts SARIF upload conditions for fork PRs and adds artifact upload fallback.
.github/workflows/license-header-check.yml: Adds explicit read-only contents permissions.
.github/workflows/go-audit.yml: Removes Nancy and makes govulncheck gating stricter (no longer continue-on-error).
.github/workflows/deploy-dev.yml: Adds concurrency, supports merged PR deploys via pull_request_target closed, and pins DD_VERSION to merge SHA when available.
.github/workflows/codeql-analysis.yml: Skips Go CodeQL on fork PRs (private module access) with notices and conditional steps.
.github/workflows/build-pr.yml: Skips cla-backend-go build/test/lint on fork PRs (private modules) while keeping notices and conditions.
Files not reviewed (2)
  • tests/functional/package-lock.json: Language not supported
  • tests/rest/package-lock.json: Language not supported
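
The review summary above and the commit "feat: add SSS client with Auth0 token caching" describe a Go client that obtains an Auth0 client-credentials token and caches it. The behaviour a reviewer would want from such a cache, as an added example that is not the project's code: refresh ahead of expiry instead of at it, serialise fetches so concurrent callers share one round trip, treat a non-200 from the provider as an error without logging the response body, and never hand out a stale token when the provider is unreachable. TokenCache, fakeAuth0, the placeholder URLs and client id/secret, and the fake RoundTripper are all constructed for this example; only the Auth0 /oauth/token client-credentials request shape is the standard one.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"io"
	"net/http"
	"sync"
	"sync/atomic"
	"time"
)

type tokenResponse struct { // OAuth2 client-credentials response (Auth0 /oauth/token shape, assumed)
	AccessToken string `json:"access_token"`
	ExpiresIn   int    `json:"expires_in"` // lifetime in seconds
}

// TokenCache (hypothetical name) reuses a token until it is within Skew of expiry; the mutex makes
// concurrent callers share one fetch instead of stampeding the identity provider.
type TokenCache struct {
	TokenURL, ClientID, ClientSecret, Audience string
	HTTP  *http.Client
	Skew  time.Duration    // refresh this long before the token expires
	Now   func() time.Time // injectable clock so tests need not sleep
	mu    sync.Mutex
	token string
	exp   time.Time
}

func (c *TokenCache) Token() (string, error) {
	c.mu.Lock()
	defer c.mu.Unlock()
	if c.token != "" && c.Now().Add(c.Skew).Before(c.exp) {
		return c.token, nil // still good for at least Skew: serve from cache
	}
	body, _ := json.Marshal(map[string]string{"grant_type": "client_credentials",
		"client_id": c.ClientID, "client_secret": c.ClientSecret, "audience": c.Audience})
	resp, err := c.HTTP.Post(c.TokenURL, "application/json", bytes.NewReader(body))
	if err != nil {
		return "", fmt.Errorf("token request: %w", err)
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK { // status only: the body may echo identifiers into logs
		return "", fmt.Errorf("token endpoint returned HTTP %d", resp.StatusCode)
	}
	var tr tokenResponse
	if err := json.NewDecoder(io.LimitReader(resp.Body, 1<<20)).Decode(&tr); err != nil || tr.AccessToken == "" || tr.ExpiresIn <= 0 {
		return "", fmt.Errorf("malformed token response: %v", err)
	}
	c.token, c.exp = tr.AccessToken, c.Now().Add(time.Duration(tr.ExpiresIn)*time.Second)
	return c.token, nil
}

// fakeAuth0 is a constructed stand-in for the token endpoint, wired in as the http.Client's
// RoundTripper so no socket is opened; each valid request is issued a distinct token.
type fakeAuth0 struct {
	calls int32
	down  bool // simulate an unreachable provider
}

func (f *fakeAuth0) RoundTrip(r *http.Request) (*http.Response, error) {
	if f.down {
		return nil, fmt.Errorf("dial tcp: connection refused (simulated)")
	}
	var req map[string]string
	if r.Method != http.MethodPost || json.NewDecoder(r.Body).Decode(&req) != nil || req["grant_type"] != "client_credentials" {
		return &http.Response{StatusCode: http.StatusBadRequest, Header: http.Header{}, Body: http.NoBody}, nil
	}
	body, _ := json.Marshal(tokenResponse{AccessToken: fmt.Sprintf("tok-%d", atomic.AddInt32(&f.calls, 1)), ExpiresIn: 3600})
	return &http.Response{StatusCode: http.StatusOK, Header: http.Header{}, Body: io.NopCloser(bytes.NewReader(body))}, nil
}

type ScenarioResult struct {
	FetchesAfterWarmCalls int  // provider hits after two back-to-back Token() calls
	FetchesAfterExpiry    int  // hits once the clock enters the refresh window
	TokenRotated          bool // the refreshed token differs from the first one
	ProviderDownIsError   bool // an unreachable provider surfaces as an error, never a stale token
}

func RunScenario() (res ScenarioResult, err error) {
	idp := &fakeAuth0{}
	clock := time.Date(2026, 5, 28, 12, 0, 0, 0, time.UTC)
	cache := &TokenCache{TokenURL: "https://idp.example/oauth/token", ClientID: "client-id-placeholder",
		ClientSecret: "secret-placeholder", Audience: "https://sss.example/api",
		HTTP: &http.Client{Transport: idp}, Skew: 5 * time.Minute, Now: func() time.Time { return clock }}
	first, err := cache.Token()
	cache.Token() // warm hit: 55 minutes of life left, so no provider round trip
	res.FetchesAfterWarmCalls = int(atomic.LoadInt32(&idp.calls))
	clock = clock.Add(56 * time.Minute) // 4 minutes left: inside the 5-minute skew window
	second, err2 := cache.Token()
	if err != nil || err2 != nil {
		return res, fmt.Errorf("unexpected token errors: %v / %v", err, err2)
	}
	res.FetchesAfterExpiry, res.TokenRotated = int(atomic.LoadInt32(&idp.calls)), second != first
	idp.down = true
	clock = clock.Add(2 * time.Hour) // the refreshed token is stale too, so a fetch is attempted
	_, err = cache.Token()
	res.ProviderDownIsError = err != nil
	return res, nil
}
```

RunScenario drives the cache through a warm hit, a refresh triggered inside the skew window, and a provider outage, advancing an injected clock instead of sleeping; the same pattern lets a real client_test.go exercise expiry without wall-clock waits.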

@lukaszgryglicki lukaszgryglicki merged commit cfc9131 into main May 29, 2026
19 of 22 checks passed

5 participants