chore(deps): bump go.etcd.io/etcd/server/v3 from 3.5.21 to 3.6.12

[dependabot]

Bumps go.etcd.io/etcd/server/v3 from 3.5.21 to 3.6.12.

Release notes

Sourced from go.etcd.io/etcd/server/v3's releases.

v3.6.12

Please check out CHANGELOG for a full list of changes. And make sure to read upgrade guide before upgrading etcd (there may be breaking changes).

For installation guides, please check out operating etcd. Latest support status for common architectures and operating systems can be found at supported platforms.

Linux

ETCD_VER=v3.6.12
choose either URL
GOOGLE_URL=https://storage.googleapis.com/etcd
GITHUB_URL=https://github.com/etcd-io/etcd/releases/download
DOWNLOAD_URL=${GOOGLE_URL}
rm -f /tmp/etcd-${ETCD_VER}-linux-amd64.tar.gz
rm -rf /tmp/etcd-download-test && mkdir -p /tmp/etcd-download-test
curl -L ${DOWNLOAD_URL}/${ETCD_VER}/etcd-${ETCD_VER}-linux-amd64.tar.gz -o /tmp/etcd-${ETCD_VER}-linux-amd64.tar.gz
tar xzvf /tmp/etcd-${ETCD_VER}-linux-amd64.tar.gz -C /tmp/etcd-download-test --strip-components=1 --no-same-owner
rm -f /tmp/etcd-${ETCD_VER}-linux-amd64.tar.gz
/tmp/etcd-download-test/etcd --version
/tmp/etcd-download-test/etcdctl version
/tmp/etcd-download-test/etcdutl version
start a local etcd server
/tmp/etcd-download-test/etcd
write,read to etcd
/tmp/etcd-download-test/etcdctl --endpoints=localhost:2379 put foo bar
/tmp/etcd-download-test/etcdctl --endpoints=localhost:2379 get foo

macOS (Darwin)

ETCD_VER=v3.6.12
choose either URL
GOOGLE_URL=https://storage.googleapis.com/etcd
GITHUB_URL=https://github.com/etcd-io/etcd/releases/download
DOWNLOAD_URL=${GOOGLE_URL}
rm -f /tmp/etcd-${ETCD_VER}-darwin-amd64.zip
rm -rf /tmp/etcd-download-test && mkdir -p /tmp/etcd-download-test
curl -L ${DOWNLOAD_URL}/${ETCD_VER}/etcd-${ETCD_VER}-darwin-amd64.zip -o /tmp/etcd-${ETCD_VER}-darwin-amd64.zip
unzip /tmp/etcd-${ETCD_VER}-darwin-amd64.zip -d /tmp && rm -f /tmp/etcd-${ETCD_VER}-darwin-amd64.zip
mv /tmp/etcd-${ETCD_VER}-darwin-amd64/* /tmp/etcd-download-test && rm -rf mv /tmp/etcd-${ETCD_VER}-darwin-amd64
</tr></table>

... (truncated)

Commits

• 90b034a version: bump up to 3.6.12
• 8b95963 Merge pull request #21811 from Deln0r/release-3.6-backport-21666
• 576a6a0 server: allow non-admin maintenance status
• 2286051 Merge pull request #21794 from vivekpatani/cherry-pick-21788-release-3.6
• e1468c8 client/pkg/fileutil: use os.Getuid() to skip TestIsDirWriteable as root
• aaf38f8 Merge pull request #21768 from silentred/release-3.6-etcdutl-invalid-datadir
• 449e34b etcdutl: validate data file path and return consistent errors instead of pani...
• 00e1b15 Merge pull request #21736 from silentred/release-3.6-bugfix-memberupdate-learner
• 49cd4a4 bugfix: MemberUpdate implicitly and unexpectedly promotes a learner
• 9bbe31b Merge pull request #21727 from silentred/release-3.6-bump-go-1.25.10
• Additional commits viewable in compare view

[CLAassistant]

Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution.
_{You have signed the CLA already but the status is still pending? Let us recheck it.}

[coderabbitai]

Important

Review skipped

Bot user detected.

To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro Plus

Run ID: 5b7a4ea1-7e59-4502-b9de-cae7ea3edf25

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

• 🔍 Trigger review

📝 Walkthrough

Walkthrough

This PR updates dependencies in go.mod, with a primary focus on upgrading etcd from v3.5.21 to v3.6.12 and consolidating related direct and indirect module version changes across the dependency tree.

Changes

Dependency Updates

Layer / File(s)	Summary
Direct etcd core upgrade go.mod	Direct dependencies go.etcd.io/etcd/api, go.etcd.io/etcd/client, and go.etcd.io/etcd/server upgraded from v3.5.21 to v3.6.12.
JWT and gRPC middleware infrastructure go.mod	github.com/golang-jwt/jwt switched from v4 to v5; older grpc-ecosystem middleware/prometheus/gateway v1 artifacts replaced with newer go-grpc-middleware and Prometheus provider v2 variants.
Indirect etcd internals and instrumentation go.mod	Etcd-related indirect modules (go.etcd.io/bbolt, go.etcd.io/etcd/client/pkg, go.etcd.io/etcd/pkg, go.etcd.io/raft/v3) and OpenTelemetry gRPC instrumentation (go.opentelemetry.io/contrib/instrumentation/.../otelgrpc) upgraded to align with primary etcd version bump.
Utility and standard library upgrades go.mod	github.com/coreos/go-semver bumped from v0.3.0 to v0.3.1; github.com/jonboulle/clockwork upgraded from v0.2.2 to v0.5.0; golang.org/x/* modules (mod, net, sync, text, tools), google.golang.org/genproto/googleapis/api, and sigs.k8s.io/json all updated to newer versions.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Poem

🐰 With etcd's newest version in tow,
And JWT v5 ready to go,
The middleware gleams, the dependencies align,
All bumped and buffed in this fine design!
From three-point-five to three-point-six we fly, 🚀

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title accurately describes the main change in the PR—bumping go.etcd.io/etcd/server/v3 from 3.5.21 to 3.6.12, which is the primary focus of the changeset.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch dependabot/go_modules/go.etcd.io/etcd/server/v3-3.6.12

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands.}

[codacy-production]

Up to standards ✅

🟢 Issues 0 issues

Results:
0 new issues

View in Codacy

🟢 Metrics 0 complexity · 0 duplication

Metric	Results
Complexity	0
Duplication	0

View in Codacy

_{NEW Get contextual insights on your PRs based on Codacy's metrics, along with PR and Jira context, without leaving GitHub. Enable AI reviewer
TIP This summary will be updated as you push new changes.}

[coderabbitai]

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

go.mod (1)

171-171: ⚠️ Potential issue | 🟠 Major | 🏗️ Heavy lift

Fix gRPC version downgrade in go.mod (replace pinning to v1.63.2).

• replace google.golang.org/grpc => ... v1.63.2 downgrades below what etcd v3.6.12 expects (google.golang.org/grpc v1.79.3), and no rationale for the downgrade was found in repo docs.
• google.golang.org/grpc v1.63.2 is affected by GHSA-p77j-4mvh-x3m3 / CVE-2026-33186 (authorization bypass via missing leading slash in :path), which impacts versions prior to 1.79.3—so this replace meaningfully increases security risk.

Remove the replace (or bump it to >= v1.79.3 / the required version) and document why the downgrade is necessary if it must remain.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@go.mod` at line 171, The go.mod replace directive currently pins
google.golang.org/grpc to v1.63.2 which downgrades gRPC below the version etcd
v3.6.12 expects and reintroduces CVE-2026-33186 risk; remove the `replace
google.golang.org/grpc => google.golang.org/grpc v1.63.2` line (or update it to
>= v1.79.3) so the module uses a safe gRPC version compatible with etcd, and if
you must keep a downgrade add a short comment documenting the rationale and the
chosen secure version; look for the `replace` entry in go.mod and modify it
accordingly.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Outside diff comments:
In `@go.mod`:
- Line 171: The go.mod replace directive currently pins google.golang.org/grpc
to v1.63.2 which downgrades gRPC below the version etcd v3.6.12 expects and
reintroduces CVE-2026-33186 risk; remove the `replace google.golang.org/grpc =>
google.golang.org/grpc v1.63.2` line (or update it to >= v1.79.3) so the module
uses a safe gRPC version compatible with etcd, and if you must keep a downgrade
add a short comment documenting the rationale and the chosen secure version;
look for the `replace` entry in go.mod and modify it accordingly.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro Plus

Run ID: 208d1a08-dce9-4d36-b0d0-703f1ffbe6e4

📥 Commits

Reviewing files that changed from the base of the PR and between 9b825f1 and dfc9554.

⛔ Files ignored due to path filters (1)

• go.sum is excluded by !**/*.sum

📒 Files selected for processing (1)

• go.mod

[dongjiang1989]

@dependabot recreate

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud