From 7dd77745028e90809c0209f966342f3c5de576fd Mon Sep 17 00:00:00 2001
From: "octo-sts[bot]" <157150467+octo-sts@users.noreply.github.com>
Date: Fri, 13 Dec 2024 01:39:52 +0000
Subject: [PATCH 1/3] opentelemetry-collector/0.115.0-r0: fix GHSA-v778-237x-gjrc

---
 opentelemetry-collector.yaml | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/opentelemetry-collector.yaml b/opentelemetry-collector.yaml
index 7a993405e11..04b8199a0a1 100644
--- a/opentelemetry-collector.yaml
+++ b/opentelemetry-collector.yaml
@@ -1,7 +1,7 @@
 package:
 name: opentelemetry-collector
 version: 0.115.0
- epoch: 0
+ epoch: 1
 description: OpenTelemetry Collector
 copyright:
 - license: Apache-2.0
@@ -30,6 +30,11 @@ pipeline:
 tag: v${{package.version}}
 expected-commit: 4ed80bbc4d9a6753ba6b959f5625a6f75fa1229c
+ - uses: go/bump
+ with:
+ deps: golang.org/x/crypto@v0.31.0
+ modroot: ./cmd/builder
+
 - uses: go/build
 with:
 packages: .
From 7eabc2aad1895c94ddec4f269db93d82d4ac730d Mon Sep 17 00:00:00 2001
From: Hunter Harris
Date: Fri, 13 Dec 2024 19:57:24 -0500
Subject: [PATCH 2/3] Fixed go modroot

---
 opentelemetry-collector.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/opentelemetry-collector.yaml b/opentelemetry-collector.yaml
index 04b8199a0a1..03958a5161c 100644
--- a/opentelemetry-collector.yaml
+++ b/opentelemetry-collector.yaml
@@ -33,7 +33,7 @@ pipeline:
 - uses: go/bump
 with:
 deps: golang.org/x/crypto@v0.31.0
- modroot: ./cmd/builder
+ modroot: ./internal/tools
 - uses: go/build
 with:
From 10243bebdded83317ee1281ae57f06f7d81cb9c2 Mon Sep 17 00:00:00 2001
From: Batuhan Apaydin
Date: Sat, 14 Dec 2024 22:51:11 +0300
Subject: [PATCH 3/3] fix the cve GHSA-v778-237x-gjrc

Signed-off-by: Batuhan Apaydin
---
 opentelemetry-collector.yaml | 7 ++-----
 1 file changed, 2 insertions(+), 5 deletions(-)

diff --git a/opentelemetry-collector.yaml b/opentelemetry-collector.yaml
index 03958a5161c..c3406d3c7cb 100644
--- a/opentelemetry-collector.yaml
+++ b/opentelemetry-collector.yaml
@@ -13,6 +13,7 @@ environment:
 - curl
 - go
 - openssf-compiler-options
+ - yq
 pipeline:
 - runs: |
@@ -30,11 +31,6 @@ pipeline:
 tag: v${{package.version}}
 expected-commit: 4ed80bbc4d9a6753ba6b959f5625a6f75fa1229c
- - uses: go/bump
- with:
- deps: golang.org/x/crypto@v0.31.0
- modroot: ./internal/tools
-
 - uses: go/build
 with:
 packages: .
@@ -44,6 +40,7 @@ pipeline:
 - runs: |
 set -x
 # Use the builder to compile opentelemetry-collector
+ yq eval '.replaces += ["golang.org/x/crypto => golang.org/x/crypto v0.31.0"]' builder-config.yaml -i
 ${{targets.destdir}}/usr/bin/ocb --config=builder-config.yaml
 install -Dm755 ./_build/otelcol "${{targets.destdir}}"/usr/bin/otelcol
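Review bot: The `replaces` entry added before the `ocb` call pins golang.org/x/crypto to exactly v0.31.0 in the generated collector module, and nothing in the step records why or checks the result. Because a replace overrides the version the upstream manifest selects, a later package bump that needs a newer x/crypto would be quietly held back; a comment such as `# GHSA-v778-237x-gjrc: remove once upstream requires golang.org/x/crypto >= v0.31.0` above the `yq` line makes that visible. Adding `go version -m ./_build/otelcol | grep golang.org/x/crypto` after the `ocb` call would put the version actually linked into `otelcol` in the build log. With the `go/bump` step removed in this commit, the `ocb` binary (apparently the output of the `go/build` step) is no longer covered by the fix; whether it pulls in x/crypto is not visible here and is worth confirming. The `runs` block may continue past the end of the hunk.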