OCPBUGS-83520: Merge https://github.com/kubernetes-sigs/cloud-provider-azure:master (6e026a5) into main

[cloud-team-rebase-bot]

No description provided.

[coderabbitai]

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

• @coderabbitai resume to resume automatic reviews.
• @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

• ▶️ Resume reviews
• 🔍 Trigger review

Walkthrough

Updated pinned GitHub Action revisions; bumped Go builder images and added GOEXPERIMENT build arg; Makefiles and CI changed to prefer podman with conditional buildx flags; multiple Go module version bumps; added a .agents skills catalog with docs and several Python automation scripts; Helm chart and index updated.

Changes

Cohort / File(s)	Summary
GitHub workflows \.github/workflows/... cleanupcache.yaml, codeql-azclient.yml, dependency-review.yml, go-mod-consistency.yaml, lint-azclient.yaml, release-azclient-trace.yml, release-azclient.yml, release-cache.yml, release-configloader.yml, scorecards.yml, update-trivy-db.yaml, update-vendor-license.yml	Updated pinned uses: commit SHAs for step-security/harden-runner (v2.15.1→v2.16.0) across workflows; several additional action pins updated (actions/setup-go, CodeQL/upload-sarif, cache/save) where noted. No other workflow inputs or control flow changes.
Dockerfiles Dockerfile, cloud-node-manager.Dockerfile, e2e.Dockerfile	Bumped Go base image tags/digests to 1.25.8-bookworm; added ARG GOEXPERIMENT and ENV GOEXPERIMENT=${GOEXPERIMENT} in builder stages where applicable.
Top-level Makefile Makefile	Removed GOTOOLCHAIN default/export and related override; introduced podman-first CONTAINER_CLI/CONTAINER_BUILDX selection and conditional buildx/manifest flags; added --build-arg GOEXPERIMENT="$(GOEXPERIMENT)" to Linux builds; switched image build/push commands to $(CONTAINER_CLI)/$(CONTAINER_BUILDX).
Other Makefiles & build targets health-probe-proxy/Makefile, kubetest2-aks/Makefile, .../Makefile	Made podman-first container CLI detection, adapted buildx-setup, build/push targets, and parameterized buildx/manifest flags; suppressed which() stderr where applied.
Pipelines .pipelines/ccm-image.yml, .pipelines/cnm-image.yml	Replaced hardcoded docker login with $CONTAINER_CLI login ... (podman-first detection); credential usage unchanged.
.agents docs & templates .agents/agents.md, .agents/skills/*, AGENTS.md, CLAUDE.md	Added .agents catalog, authoring guidance, README, templates, and .gitkeep placeholders; updated references from ai/agents.md to .agents/agents.md.
New agent skills (docs) .agents/skills/cherry-pick-pr/SKILL.md, .agents/skills/create-release-note-doc-pr/SKILL.md, .agents/skills/create-release-tags/SKILL.md, .agents/skills/release/SKILL.md, .agents/skills/fix-image-cves/SKILL.md	Added skill documentation describing workflows for cherry-picking PRs, creating release-note doc PRs, creating release tags, release orchestration, and fixing image CVEs.
New agent scripts (automation) .agents/skills/cherry-pick-pr/scripts/cherry_pick_pr.py, .agents/skills/create-release-note-doc-pr/scripts/create_release_note_doc_pr.py, .agents/skills/create-release-tags/scripts/create_release_tags.py, .agents/skills/release/scripts/release.py, .agents/skills/fix-image-cves/scripts/fix_image_cves.py	Added several large executable Python CLI tools implementing the documented workflows; each introduces CLI entrypoints, state file handling, error types (e.g., CommandError/GitError), and substantial new logic.
Go module bumps (various) go.mod, pkg/azclient/.../go.mod, pkg/azclient/cache/go.mod, pkg/azclient/configloader/go.mod, pkg/azclient/trace/go.mod, kubetest2-aks/go.mod, pkg/azclient/go.mod, tests/go.mod	Bumped numerous dependency versions (OpenTelemetry, golang.org/x/, k8s.io/, grpc/genproto, cel.dev/expr, oauth2, and internal azclient versions). Changes limited to go.mod files.
Helm chart & index helm/cloud-provider-azure/Chart.yaml, helm/cloud-provider-azure/templates/..., helm/repo/index.yaml	Bumped chart version to 1.35.1, updated provider-version mappings for new Kubernetes minors, and added a 1.35.1 entry to the repo index with an updated generated timestamp.
Provider code & tests pkg/provider/storage/azure_storageaccount.go, pkg/provider/storage/azure_storageaccount_test.go	Added AccountOptions.AllowCrossTenantReplication *bool, updated matching/creation logic to honor the option, and added unit tests exercising the new comparison behavior.
Misc small changes .github/workflows/update-trivy-db.yaml, .pipelines/..., various Makefile adjustments, AGENTS.md/CLAUDE.md path updates	One cache action pin bumped, Docker build-arg propagation added, podman detection adjusted in pipelines/Makefiles, and small docs/path string updates.

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[openshift-ci]

Hi @cloud-team-rebase-bot[bot]. Thanks for your PR.

I'm waiting for a openshift member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work.

Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign damdo for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@pkg/azclient/trace/go.mod`:
- Line 9: The go.mod bump to sigs.k8s.io/cloud-provider-azure/pkg/azclient
v0.15.2 pulls in Azure SDK major changes (v6→v9) and VNet API version updates;
audit and adapt any code that imports or calls Azure SDK interfaces (search for
uses of types/functions from sigs.k8s.io/cloud-provider-azure/pkg/azclient and
Azure VNet clients), update affected import paths/signatures to match v9, run
`go list -m all`/`go mod tidy` and full unit/integration tests to surface
breaking changes, and update call sites (methods in your azclient wrappers) to
the new method names/parameter types or add compatibility adapters if necessary.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: db31cca9-ca89-49b3-a644-18c674b428a6

📥 Commits

Reviewing files that changed from the base of the PR and between 4c7a764 and 83ec174.

⛔ Files ignored due to path filters (36)

• pkg/azclient/go.sum is excluded by !**/*.sum
• pkg/azclient/trace/go.sum is excluded by !**/*.sum
• pkg/azclient/trace/vendor/modules.txt is excluded by !**/vendor/**
• pkg/azclient/vendor/golang.org/x/net/http2/http2.go is excluded by !**/vendor/**
• pkg/azclient/vendor/golang.org/x/net/http2/server.go is excluded by !**/vendor/**
• pkg/azclient/vendor/golang.org/x/net/http2/transport.go is excluded by !**/vendor/**
• pkg/azclient/vendor/golang.org/x/net/http2/writesched.go is excluded by !**/vendor/**
• pkg/azclient/vendor/golang.org/x/net/http2/writesched_priority_rfc7540.go is excluded by !**/vendor/**
• pkg/azclient/vendor/golang.org/x/net/http2/writesched_random.go is excluded by !**/vendor/**
• pkg/azclient/vendor/golang.org/x/sys/cpu/asm_darwin_arm64_gc.s is excluded by !**/vendor/**
• pkg/azclient/vendor/golang.org/x/sys/cpu/cpu_arm64.go is excluded by !**/vendor/**
• pkg/azclient/vendor/golang.org/x/sys/cpu/cpu_darwin_arm64.go is excluded by !**/vendor/**
• pkg/azclient/vendor/golang.org/x/sys/cpu/cpu_darwin_arm64_other.go is excluded by !**/vendor/**
• pkg/azclient/vendor/golang.org/x/sys/cpu/cpu_gccgo_arm64.go is excluded by !**/vendor/**
• pkg/azclient/vendor/golang.org/x/sys/cpu/cpu_other_arm64.go is excluded by !**/vendor/**
• pkg/azclient/vendor/golang.org/x/sys/cpu/syscall_darwin_arm64_gc.go is excluded by !**/vendor/**
• pkg/azclient/vendor/golang.org/x/sys/unix/ztypes_linux.go is excluded by !**/vendor/**
• pkg/azclient/vendor/golang.org/x/sys/windows/aliases.go is excluded by !**/vendor/**
• pkg/azclient/vendor/golang.org/x/sys/windows/syscall_windows.go is excluded by !**/vendor/**
• pkg/azclient/vendor/golang.org/x/tools/go/ast/inspector/cursor.go is excluded by !**/vendor/**
• pkg/azclient/vendor/golang.org/x/tools/go/ast/inspector/inspector.go is excluded by !**/vendor/**
• pkg/azclient/vendor/golang.org/x/tools/go/ast/inspector/iter.go is excluded by !**/vendor/**
• pkg/azclient/vendor/golang.org/x/tools/go/packages/packages.go is excluded by !**/vendor/**
• pkg/azclient/vendor/golang.org/x/tools/go/types/objectpath/objectpath.go is excluded by !**/vendor/**
• pkg/azclient/vendor/golang.org/x/tools/internal/aliases/aliases.go is excluded by !**/vendor/**
• pkg/azclient/vendor/golang.org/x/tools/internal/aliases/aliases_go122.go is excluded by !**/vendor/**
• pkg/azclient/vendor/golang.org/x/tools/internal/event/core/event.go is excluded by !**/vendor/**
• pkg/azclient/vendor/golang.org/x/tools/internal/event/keys/keys.go is excluded by !**/vendor/**
• pkg/azclient/vendor/golang.org/x/tools/internal/event/label/label.go is excluded by !**/vendor/**
• pkg/azclient/vendor/golang.org/x/tools/internal/gcimporter/iexport.go is excluded by !**/vendor/**
• pkg/azclient/vendor/golang.org/x/tools/internal/gcimporter/iimport.go is excluded by !**/vendor/**
• pkg/azclient/vendor/golang.org/x/tools/internal/gcimporter/ureader_yes.go is excluded by !**/vendor/**
• pkg/azclient/vendor/golang.org/x/tools/internal/stdlib/deps.go is excluded by !**/vendor/**
• pkg/azclient/vendor/golang.org/x/tools/internal/typeparams/free.go is excluded by !**/vendor/**
• pkg/azclient/vendor/golang.org/x/tools/internal/typesinternal/types.go is excluded by !**/vendor/**
• pkg/azclient/vendor/modules.txt is excluded by !**/vendor/**

📒 Files selected for processing (18)

• .github/workflows/cleanupcache.yaml
• .github/workflows/codeql-azclient.yml
• .github/workflows/dependency-review.yml
• .github/workflows/go-mod-consistency.yaml
• .github/workflows/lint-azclient.yaml
• .github/workflows/release-azclient-trace.yml
• .github/workflows/release-azclient.yml
• .github/workflows/release-cache.yml
• .github/workflows/release-configloader.yml
• .github/workflows/scorecards.yml
• .github/workflows/update-trivy-db.yaml
• .github/workflows/update-vendor-license.yml
• Dockerfile
• Makefile
• cloud-node-manager.Dockerfile
• e2e.Dockerfile
• pkg/azclient/go.mod
• pkg/azclient/trace/go.mod

💤 Files with no reviewable changes (1)

• Makefile

[openshift-ci]

@cloud-team-rebase-bot[bot]: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/images	e5978a7	link	true	/test images
ci/prow/e2e-azurestack-ipi	e5978a7	link	true	/test e2e-azurestack-ipi
ci/prow/e2e-azure-ovn-upgrade	e5978a7	link	true	/test e2e-azure-ovn-upgrade
ci/prow/regression-clusterinfra-azure-ipi-ccm	e5978a7	link	false	/test regression-clusterinfra-azure-ipi-ccm
ci/prow/verify-deps	e5978a7	link	true	/test verify-deps
ci/prow/e2e-azure-ovn	e5978a7	link	true	/test e2e-azure-ovn
ci/prow/unit	e5978a7	link	true	/test unit
ci/prow/okd-scos-images	e5978a7	link	true	/test okd-scos-images
ci/prow/verify	e5978a7	link	true	/test verify

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.