fix(cloud-provider-gcp-cloud-controller-manager): CVE-2026-39821 35.0.5-r10 (#110155)

* Automated fixes:

- CVE-2026-39821: os/cloud-provider-gcp-cloud-controller-manager.yaml - remediate CVE-2026-39821 for cloud-provider-gcp-cloud-controller-manager@35.0.5-r10

* fix(cloud-provider-gcp-cloud-controller-manager): remove incompatible go.opentelemetry.io/otel/sdk@v1.43.0 bump

* fix(cloud-provider-gcp-cloud-controller-manager): bump k8s.io/kubernetes to v1.34.2 and update replaces to v0.34.2

* fix(cloud-provider-gcp-cloud-controller-manager): add k8s.io/endpointslice replace directive for v1.34.2

* fix(cloud-provider-gcp-cloud-controller-manager): add k8s.io/externaljwt replace for v1.34.2

* fix(cloud-provider-gcp-cloud-controller-manager): add k8s.io/kms replace directive for v1.34.2

---------

Co-authored-by: cve-remediation <cve-remediation@chainguard.dev>

Export:  308f772350a600dc229f33f9ff76f122c8554f4b

Author: octo-sts-5[bot]

cloud-provider-gcp-cloud-controller-manager.yaml

@@ -1,7 +1,7 @@
 package:
   name: cloud-provider-gcp-cloud-controller-manager
   version: "35.0.5"
-  epoch: 10 # toolchain rebuild for  go-1.25-1.25.11
+  epoch: 11 # CVE-2026-39821
   description: cloud-provider-gcp contains several projects used to run Kubernetes in Google Cloud
   copyright:
     - license: Apache-2.0
@@ -19,45 +19,37 @@ pipeline:
       tag: ccm/v${{package.version}}
       expected-commit: 5ad4222f1d178e1386111fe41f635742b2604567
 
-  - uses: go/bump
+  - uses: bump
     with:
       deps: |-
         google.golang.org/grpc@v1.79.3
-      modroot: providers
-      tidy: false
-
-  - uses: go/bump
-    with:
-      deps: |-
-        google.golang.org/grpc@v1.79.3
-        go.opentelemetry.io/otel/sdk@v1.43.0
-      work: true
+        k8s.io/kubernetes@v1.34.2
+        golang.org/x/net@v0.55.0
+      replaces: |-
+        k8s.io/mount-utils=k8s.io/mount-utils@v0.34.2
+        k8s.io/cri-client=k8s.io/cri-client@v0.34.2
+        k8s.io/dynamic-resource-allocation=k8s.io/dynamic-resource-allocation@v0.34.2
+        k8s.io/kube-scheduler=k8s.io/kube-scheduler@v0.34.2
+        k8s.io/csi-translation-lib=k8s.io/csi-translation-lib@v0.34.2
+        k8s.io/endpointslice=k8s.io/endpointslice@v0.34.2
+        k8s.io/externaljwt=k8s.io/externaljwt@v0.34.2
+        k8s.io/kms=k8s.io/kms@v0.34.2
+      modroot: |-
+        providers
+        .
+        test/e2e
 
   - runs: |
       # Explicitly update go.work to use the installed Go version
       go work edit -go=$(go version | awk '{print $3}' | sed 's/go//')
 
-  - uses: go/bump
-    with:
-      deps: |-
-        k8s.io/kubernetes@v1.33.2
-        google.golang.org/grpc@v1.79.3
-        go.opentelemetry.io/otel/sdk@v1.43.0
-      modroot: test/e2e
-      replaces: |-
-        k8s.io/mount-utils=k8s.io/mount-utils@v0.33.3
-        k8s.io/cri-client=k8s.io/cri-client@v0.33.3
-        k8s.io/dynamic-resource-allocation=k8s.io/dynamic-resource-allocation@v0.33.3
-        k8s.io/kube-scheduler=k8s.io/kube-scheduler@v0.33.3
-        k8s.io/csi-translation-lib=k8s.io/csi-translation-lib@v0.33.3
-      tidy: false
-
   - uses: go/build
     with:
       packages: ./cmd/cloud-controller-manager
       output: cloud-controller-manager
       ldflags: |
         -X k8s.io/component-base/version.gitVersion=v${{package.version}}
+      go-package: go-1.26
 
 subpackages:
   - name: ${{package.name}}-compat
@@ -101,4 +93,4 @@ test:
 environment:
   contents:
     packages:
-      - go-1.25
+      - go-1.26