From 5a1eae14198e9f9e2a9668eb79dffbcac5472253 Mon Sep 17 00:00:00 2001
From: "octo-sts[bot]" <157150467+octo-sts@users.noreply.github.com>
Date: Tue, 5 Nov 2024 08:36:36 +0000
Subject: [PATCH 1/3] keda-2.15/2.15.1-r3: fix GHSA-29wx-vh33-7x7r
---
keda-2.15.yaml | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/keda-2.15.yaml b/keda-2.15.yaml
index f281f3703bf..971093f8a68 100644
--- a/keda-2.15.yaml
+++ b/keda-2.15.yaml
@@ -1,7 +1,7 @@ package: name: keda-2.15 version: 2.15.1 - epoch: 3 + epoch: 4 description: KEDA is a Kubernetes-based Event Driven Autoscaling component. It provides event driven scale for any container running in Kubernetes copyright: - license: Apache-2.0
@@ -28,6 +28,10 @@ pipeline: repository: https://github.com/kedacore/keda tag: v${{package.version}} + - uses: go/bump + with: + deps: github.com/golang-jwt/jwt/v4@v4.5.1 + - runs: | ARCH=$(go env GOARCH) make build mkdir -p "${{targets.destdir}}/usr/bin"
From c74acc1c38c50c9a8f992e619d72dc3999ede6fb Mon Sep 17 00:00:00 2001
From: Aditvil-Dev
Date: Tue, 5 Nov 2024 16:21:54 -0500
Subject: [PATCH 2/3] Replacing go/bump with go get
Signed-off-by: Aditvil-Dev
---
keda-2.15.yaml | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/keda-2.15.yaml b/keda-2.15.yaml
index 971093f8a68..c43f13f90c0 100644
--- a/keda-2.15.yaml
+++ b/keda-2.15.yaml
@@ -28,9 +28,9 @@ pipeline: repository: https://github.com/kedacore/keda tag: v${{package.version}} - - uses: go/bump - with: - deps: github.com/golang-jwt/jwt/v4@v4.5.1 + - runs: | + go get github.com/golang-jwt/jwt/v4@v4.5.1 + go mod tidy - runs: | ARCH=$(go env GOARCH) make build
From 436f102403b2a6c9447ac9268514e24eaee5f28d Mon Sep 17 00:00:00 2001
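Review bot: The `go/bump` step added in the second hunk of the first patch records the override without saying why it exists, so the next keda-2.15 version bump cannot tell when it can be dropped; a comment above the step such as `# GHSA-29wx-vh33-7x7r: pull golang-jwt/jwt/v4 v4.5.1; remove once upstream requires it` keeps that context in the package definition. Whether the bump changes what gets compiled also depends on upstream's go.mod, which the third patch in this series shows carries a `replace` directive for github.com/golang-jwt/jwt/v4 pointing at v4.5.0; unless `go/bump` rewrites that directive too, the requirement bump alone may not be what the build uses, so the resolved version is worth confirming in the build log. The pipeline list this step is inserted into continues outside the hunk.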
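Review bot: The `go get … ; go mod tidy` step that replaces `go/bump` in the second patch's hunk lets `go mod tidy` rewrite the whole module graph, so any unrelated requirement changes it makes are invisible in the package definition and only surface in the build output, whereas `go/bump` limits the edit to the listed module. If `go/bump` failed on this package, the cause (the third patch in this series attributes it to a stale `replace` for github.com/dgrijalva/jwt-go in upstream's go.mod) is better fixed than worked around. Either way the step should leave evidence of the resolved version in the log, e.g. `go list -m github.com/golang-jwt/jwt/v4`, since upstream's `replace` directive for that module (pinned to v4.5.0 per the third patch) may still decide what is compiled.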
From: debasishbsws
Date: Wed, 6 Nov 2024 17:42:28 +0000
Subject: [PATCH 3/3] fix(build): add a patch to remove github.com/dgrijalva/jwt-go from go mod
The module is not getting used anywhere but it is mentioned in the go.mod file and now it causing error when we try to update the github.com/golang-jwt/jwt/v4
Signed-off-by: debasishbsws
---
keda-2.15.yaml | 10 +++++++---
keda-2.15/remove-dgrijalva-jwt-go.patch | 12 ++++++++++++
2 files changed, 19 insertions(+), 3 deletions(-)
create mode 100644 keda-2.15/remove-dgrijalva-jwt-go.patch
diff --git a/keda-2.15.yaml b/keda-2.15.yaml
index c43f13f90c0..238ee8cb5c0 100644
--- a/keda-2.15.yaml
+++ b/keda-2.15.yaml
@@ -28,9 +28,13 @@ pipeline: repository: https://github.com/kedacore/keda tag: v${{package.version}} - - runs: | - go get github.com/golang-jwt/jwt/v4@v4.5.1 - go mod tidy + - uses: patch + with: + patches: remove-dgrijalva-jwt-go.patch + + - uses: go/bump + with: + deps: github.com/golang-jwt/jwt/v4@v4.5.1 - runs: | ARCH=$(go env GOARCH) make build
diff --git a/keda-2.15/remove-dgrijalva-jwt-go.patch b/keda-2.15/remove-dgrijalva-jwt-go.patch
new file mode 100644
index 00000000000..ebc28c9d21e
--- /dev/null
+++ b/keda-2.15/remove-dgrijalva-jwt-go.patch
@@ -0,0 +1,12 @@
+diff --git a/go.mod b/go.mod
+index b6eff2b66..205bcfab8 100644
+--- a/go.mod
++++ b/go.mod
+@@ -143,7 +143,6 @@ replace (
+ github.com/chzyer/logex => github.com/chzyer/logex v1.2.1
+
+ // https://www.whitesourcesoftware.com/vulnerability-database/CVE-2020-26160
+- github.com/dgrijalva/jwt-go => github.com/golang-jwt/jwt/v4 v4.4.0
+ github.com/golang-jwt/jwt/v4 => github.com/golang-jwt/jwt/v4 v4.5.0
+
+ // opentelemetry cannot update to 1.25.0 according to the dependencies of google.golang.org/grpc
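Review bot: The new patch file removes only the github.com/dgrijalva/jwt-go line and keeps `github.com/golang-jwt/jwt/v4 => github.com/golang-jwt/jwt/v4 v4.5.0` as unchanged context in the same `replace` block, so unless the `go/bump` step that follows it in the yaml hunk also rewrites that directive, the version named there rather than v4.5.1 may be what the build compiles; the pipeline should confirm the resolved version (for example by running `go list -m github.com/golang-jwt/jwt/v4` after the bump) or the patch should drop or retarget that replace line as well. The `// https://www.whitesourcesoftware.com/vulnerability-database/CVE-2020-26160` comment kept as context now sits directly above the golang-jwt line instead of the dgrijalva replacement it annotated; removing it in the same patch avoids a misleading go.mod. The `replace (` block the patch edits continues outside the hunk.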