[VAULT-42862] upgrade cloudflare/circl => v1.6.3 to partially resolve CVE-2026-1229 (#12567) (#12651)

Upgrade `cloudflare/circl` to v1.6.3 to resolve CVE-2026-1229. We had
several transient dependencies that depend on various versions of
`circl` that also needed to be updated in order to resolve the latest
version everywhere.

- github.com/ProtonMail/go-crypto v1.2.0 => v1.3.0
- github.com/google/go-github v17 => v83/v83.0.0
- github.com/google/go-github/v81 => v83/v83.0.0

Signed-off-by: Ryan Cragun <me@ryan.ec>
Co-authored-by: Ryan Cragun <me@ryan.ec>

builtin/credential/github/backend.go

@@ -7,7 +7,7 @@ import (
 	"context"
 	"net/url"
 
-	"github.com/google/go-github/github"
+	"github.com/google/go-github/v83/github"
 	"github.com/hashicorp/go-cleanhttp"
 	"github.com/hashicorp/vault/sdk/framework"
 	"github.com/hashicorp/vault/sdk/logical"

builtin/credential/github/path_config.go

@@ -11,7 +11,7 @@ import (
 	"strings"
 	"time"
 
-	"github.com/google/go-github/github"
+	"github.com/google/go-github/v83/github"
 	"github.com/hashicorp/vault/sdk/framework"
 	"github.com/hashicorp/vault/sdk/helper/tokenutil"
 	"github.com/hashicorp/vault/sdk/logical"

builtin/credential/github/path_login.go

@@ -9,7 +9,7 @@ import (
 	"fmt"
 	"net/url"
 
-	"github.com/google/go-github/github"
+	"github.com/google/go-github/v83/github"
 	"github.com/hashicorp/vault/sdk/framework"
 	"github.com/hashicorp/vault/sdk/helper/cidrutil"
 	"github.com/hashicorp/vault/sdk/helper/policyutil"

changelog/_12567.txt

@@ -0,0 +1,6 @@
+```release-note:security
+vault/sdk: Upgrade `cloudflare/circl` to v1.6.3 to resolve CVE-2026-1229
+```
+```release-note:security
+Upgrade `cloudflare/circl` to v1.6.3 to resolve CVE-2026-1229
+```

go.mod

@@ -41,7 +41,7 @@ require (
 	github.com/Azure/azure-storage-blob-go v0.15.0
 	github.com/Azure/go-autorest/autorest v0.11.29
 	github.com/Azure/go-autorest/autorest/adal v0.9.24
-	github.com/ProtonMail/go-crypto v1.2.0
+	github.com/ProtonMail/go-crypto v1.3.0
 	github.com/ProtonMail/gopenpgp/v3 v3.2.1
 	github.com/SAP/go-hdb v1.10.1
 	github.com/Sectorbob/mlab-ns2 v0.0.0-20171030222938-d3aa0c295a8a
@@ -79,7 +79,7 @@ require (
 	github.com/golang/protobuf v1.5.4
 	github.com/google/certificate-transparency-go v1.3.2
 	github.com/google/go-cmp v0.7.0
-	github.com/google/go-github v17.0.0+incompatible
+	github.com/google/go-github/v83 v83.0.0
 	github.com/google/go-metrics-stackdriver v0.2.0
 	github.com/hashicorp/cap v0.11.0
 	github.com/hashicorp/cap/ldap v0.0.0-20250911140431-44d01434c285
@@ -339,7 +339,7 @@ require (
 	github.com/cespare/xxhash/v2 v2.3.0 // indirect
 	github.com/circonus-labs/circonus-gometrics v2.3.1+incompatible // indirect
 	github.com/circonus-labs/circonusllhist v0.1.3 // indirect
-	github.com/cloudflare/circl v1.6.2-0.20250618153321-aa837fd1539d // indirect
+	github.com/cloudflare/circl v1.6.3 // indirect
 	github.com/cloudfoundry-community/go-cfclient v0.0.0-20220930021109-9c4e6c59ccf1 // indirect
 	github.com/cncf/xds/go v0.0.0-20250501225837-2ac532fd4443 // indirect
 	github.com/containerd/continuity v0.4.5 // indirect
@@ -405,7 +405,7 @@ require (
 	github.com/golang/snappy v1.0.0 // indirect
 	github.com/google/flatbuffers v25.2.10+incompatible // indirect
 	github.com/google/gnostic-models v0.7.0 // indirect
-	github.com/google/go-querystring v1.1.0 // indirect
+	github.com/google/go-querystring v1.2.0 // indirect
 	github.com/google/s2a-go v0.1.9 // indirect
 	github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510 // indirect
 	github.com/google/uuid v1.6.0

go.sum

@@ -750,8 +750,8 @@ github.com/Microsoft/go-winio v0.6.2/go.mod h1:yd8OoFMLzJbo9gZq8j5qaps8bJ9aShtEA
 github.com/Nvveen/Gotty v0.0.0-20120604004816-cd527374f1e5 h1:TngWCqHvy9oXAN6lEVMRuU21PR1EtLVZJmdB18Gu3Rw=
 github.com/Nvveen/Gotty v0.0.0-20120604004816-cd527374f1e5/go.mod h1:lmUJ/7eu/Q8D7ML55dXQrVaamCz2vxCfdQBasLZfHKk=
 github.com/OneOfOne/xxhash v1.2.2/go.mod h1:HSdplMjZKSmBqAxg5vPj2TmRDmfkzw+cTzAElWljhcU=
-github.com/ProtonMail/go-crypto v1.2.0 h1:+PhXXn4SPGd+qk76TlEePBfOfivE0zkWFenhGhFLzWs=
-github.com/ProtonMail/go-crypto v1.2.0/go.mod h1:9whxjD8Rbs29b4XWbB8irEcE8KHMqaR2e7GWU1R+/PE=
+github.com/ProtonMail/go-crypto v1.3.0 h1:ILq8+Sf5If5DCpHQp4PbZdS1J7HDFRXz/+xKBiRGFrw=
+github.com/ProtonMail/go-crypto v1.3.0/go.mod h1:9whxjD8Rbs29b4XWbB8irEcE8KHMqaR2e7GWU1R+/PE=
 github.com/ProtonMail/gopenpgp/v3 v3.2.1 h1:ohRlKL5YwyIkN5kk7uBvijiMsyA57mK0yBEJg9xButU=
 github.com/ProtonMail/gopenpgp/v3 v3.2.1/go.mod h1:x7RduTo/0n/2PjTFRoEHApaxye/8PFbhoCquwfYBUGM=
 github.com/SAP/go-hdb v1.10.1 h1:c9dGT5xHZNDwPL3NQcRpnNISn3MchwYaGoMZpCAllUs=
@@ -905,8 +905,8 @@ github.com/circonus-labs/circonus-gometrics v2.3.1+incompatible/go.mod h1:nmEj6D
 github.com/circonus-labs/circonusllhist v0.1.3 h1:TJH+oke8D16535+jHExHj4nQvzlZrj7ug5D7I/orNUA=
 github.com/circonus-labs/circonusllhist v0.1.3/go.mod h1:kMXHVDlOchFAehlya5ePtbp5jckzBHf4XRpQvBOLI+I=
 github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDkc90ppPyw=
-github.com/cloudflare/circl v1.6.2-0.20250618153321-aa837fd1539d h1:IiIprFGH6SqstblP0Y9NIo3eaUJGkI/YDOFVSL64Uq4=
-github.com/cloudflare/circl v1.6.2-0.20250618153321-aa837fd1539d/go.mod h1:uddAzsPgqdMAYatqJ0lsjX1oECcQLIlRpzZh3pJrofs=
+github.com/cloudflare/circl v1.6.3 h1:9GPOhQGF9MCYUeXyMYlqTR6a5gTrgR/fBLXvUgtVcg8=
+github.com/cloudflare/circl v1.6.3/go.mod h1:2eXP6Qfat4O/Yhh8BznvKnJ+uzEoTQ6jVKJRn81BiS4=
 github.com/cloudfoundry-community/go-cfclient v0.0.0-20220930021109-9c4e6c59ccf1 h1:ef0OsiQjSQggHrLFAMDRiu6DfkVSElA5jfG1/Nkyu6c=
 github.com/cloudfoundry-community/go-cfclient v0.0.0-20220930021109-9c4e6c59ccf1/go.mod h1:sgaEj3tRn0hwe7GPdEUwxrdOqjBzyjyvyOCGf1OQyZY=
 github.com/cncf/udpa/go v0.0.0-20191209042840-269d4d468f6f/go.mod h1:M8M6+tZqaGXZJjfX53e64911xZQV5JYwmTeXPW+k8Sc=
@@ -1270,14 +1270,15 @@ github.com/google/go-cmp v0.5.6/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/
 github.com/google/go-cmp v0.5.7/go.mod h1:n+brtR0CgQNWTVd5ZUFpTBC8YFBDLK/h/bpaJ8/DtOE=
 github.com/google/go-cmp v0.5.8/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
 github.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
+github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
 github.com/google/go-cmp v0.7.0 h1:wk8382ETsv4JYUZwIsn6YpYiWiBsYLSJiTsyBybVuN8=
 github.com/google/go-cmp v0.7.0/go.mod h1:pXiqmnSA92OHEEa9HXL2W4E7lf9JzCmGVUdgjX3N/iU=
-github.com/google/go-github v17.0.0+incompatible h1:N0LgJ1j65A7kfXrZnUDaYCs/Sf4rEjNlfyDHW9dolSY=
-github.com/google/go-github v17.0.0+incompatible/go.mod h1:zLgOLi98H3fifZn+44m+umXrS52loVEgC2AApnigrVQ=
+github.com/google/go-github/v83 v83.0.0 h1:Ydy4gAfqxrnFUwXAuKl/OMhhGa0KtMtnJ3EozIIuHT0=
+github.com/google/go-github/v83 v83.0.0/go.mod h1:gbqarhK37mpSu8Xy7sz21ITtznvzouyHSAajSaYCHe8=
 github.com/google/go-metrics-stackdriver v0.2.0 h1:rbs2sxHAPn2OtUj9JdR/Gij1YKGl0BTVD0augB+HEjE=
 github.com/google/go-metrics-stackdriver v0.2.0/go.mod h1:KLcPyp3dWJAFD+yHisGlJSZktIsTjb50eB72U2YZ9K0=
-github.com/google/go-querystring v1.1.0 h1:AnCroh3fv4ZBgVIf1Iwtovgjaw/GiKJo8M8yD/fhyJ8=
-github.com/google/go-querystring v1.1.0/go.mod h1:Kcdr2DB4koayq7X8pmAG4sNG59So17icRSOU623lUBU=
+github.com/google/go-querystring v1.2.0 h1:yhqkPbu2/OH+V9BfpCVPZkNmUXhb2gBxJArfhIxNtP0=
+github.com/google/go-querystring v1.2.0/go.mod h1:8IFJqpSRITyJ8QhQ13bmbeMBDfmeEJZD5A0egEOmkqU=
 github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
 github.com/google/gofuzz v1.2.0 h1:xRy4A+RhZaiKjJ1bPfwQ8sedCA+YS2YcCHW6ec7JMi0=
 github.com/google/gofuzz v1.2.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=

tools/pipeline/go.mod

@@ -9,7 +9,7 @@ require (
 	github.com/Masterminds/semver v1.5.0
 	github.com/PuerkitoBio/goquery v1.11.0
 	github.com/avast/retry-go/v4 v4.6.1
-	github.com/google/go-github/v81 v81.0.0
+	github.com/google/go-github/v83 v83.0.0
 	github.com/hashicorp/hcl/v2 v2.24.0
 	github.com/hashicorp/releases-api v0.2.3
 	github.com/jedib0t/go-pretty/v6 v6.6.8
@@ -45,7 +45,7 @@ require (
 	github.com/go-openapi/swag v0.23.1 // indirect
 	github.com/go-openapi/validate v0.24.0 // indirect
 	github.com/google/go-cmp v0.7.0 // indirect
-	github.com/google/go-querystring v1.1.0 // indirect
+	github.com/google/go-querystring v1.2.0 // indirect
 	github.com/google/uuid v1.6.0 // indirect
 	github.com/hashicorp/go-hclog v1.6.3 // indirect
 	github.com/hashicorp/go-uuid v1.0.3 // indirect

tools/pipeline/go.sum

@@ -77,14 +77,13 @@ github.com/go-test/deep v1.0.3 h1:ZrJSEWsXzPOxaZnFteGEfooLba+ju3FYIbOrS+rQd68=
 github.com/go-test/deep v1.0.3/go.mod h1:wGDj63lr65AM2AQyKZd/NYHGb0R+1RLqB8NKt3aSFNA=
 github.com/golang-migrate/migrate/v4 v4.14.1 h1:qmRd/rNGjM1r3Ve5gHd5ZplytrD02UcItYNxJ3iUHHE=
 github.com/golang-migrate/migrate/v4 v4.14.1/go.mod h1:l7Ks0Au6fYHuUIxUhQ0rcVX1uLlJg54C/VvW7tvxSz0=
-github.com/google/go-cmp v0.5.2/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
 github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
 github.com/google/go-cmp v0.7.0 h1:wk8382ETsv4JYUZwIsn6YpYiWiBsYLSJiTsyBybVuN8=
 github.com/google/go-cmp v0.7.0/go.mod h1:pXiqmnSA92OHEEa9HXL2W4E7lf9JzCmGVUdgjX3N/iU=
-github.com/google/go-github/v81 v81.0.0 h1:hTLugQRxSLD1Yei18fk4A5eYjOGLUBKAl/VCqOfFkZc=
-github.com/google/go-github/v81 v81.0.0/go.mod h1:upyjaybucIbBIuxgJS7YLOZGziyvvJ92WX6WEBNE3sM=
-github.com/google/go-querystring v1.1.0 h1:AnCroh3fv4ZBgVIf1Iwtovgjaw/GiKJo8M8yD/fhyJ8=
-github.com/google/go-querystring v1.1.0/go.mod h1:Kcdr2DB4koayq7X8pmAG4sNG59So17icRSOU623lUBU=
+github.com/google/go-github/v83 v83.0.0 h1:Ydy4gAfqxrnFUwXAuKl/OMhhGa0KtMtnJ3EozIIuHT0=
+github.com/google/go-github/v83 v83.0.0/go.mod h1:gbqarhK37mpSu8Xy7sz21ITtznvzouyHSAajSaYCHe8=
+github.com/google/go-querystring v1.2.0 h1:yhqkPbu2/OH+V9BfpCVPZkNmUXhb2gBxJArfhIxNtP0=
+github.com/google/go-querystring v1.2.0/go.mod h1:8IFJqpSRITyJ8QhQ13bmbeMBDfmeEJZD5A0egEOmkqU=
 github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0=
 github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
 github.com/hashicorp/errwrap v1.1.0 h1:OxrOeh75EUXMY8TBjag2fzXGZ40LB6IKw45YeGUDY2I=
@@ -300,7 +299,6 @@ golang.org/x/tools v0.21.1-0.20240508182429-e35e4ccd0d2d/go.mod h1:aiJjzUbINMkxb
 golang.org/x/tools v0.38.0 h1:Hx2Xv8hISq8Lm16jvBZ2VQf+RLmbd7wVUsALibYI/IQ=
 golang.org/x/tools v0.38.0/go.mod h1:yEsQ/d/YK8cjh0L6rZlY8tgtlKiBNTL14pGDJPJpYQs=
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
-golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20231012003039-104605ab7028 h1:+cNy6SZtPcJQH3LJVLOSmiC7MMxXNOb3PU/VUEz+EhU=
 golang.org/x/xerrors v0.0.0-20231012003039-104605ab7028/go.mod h1:NDW/Ps6MPRej6fsCIbMTohpP40sJ/P/vI1MoTEGwX90=
 google.golang.org/protobuf v1.36.8 h1:xHScyCOEuuwZEc6UtSOvPbAT4zRh0xcNRYekJwfqyMc=

tools/pipeline/internal/cmd/github.go

@@ -10,7 +10,7 @@ import (
 	"os"
 	"path/filepath"
 
-	"github.com/google/go-github/v81/github"
+	"github.com/google/go-github/v83/github"
 	"github.com/shurcooL/githubv4"
 	"github.com/spf13/cobra"
 	"golang.org/x/oauth2"

tools/pipeline/internal/pkg/changed/config_test.go

@@ -8,7 +8,7 @@ import (
 	"path/filepath"
 	"testing"
 
-	gh "github.com/google/go-github/v81/github"
+	gh "github.com/google/go-github/v83/github"
 	"github.com/stretchr/testify/require"
 )
 

tools/pipeline/internal/pkg/changed/file.go

@@ -8,7 +8,7 @@ import (
 	"slices"
 	"strings"
 
-	gh "github.com/google/go-github/v81/github"
+	gh "github.com/google/go-github/v83/github"
 )
 
 // File represents a changed file in a PR or commit.

tools/pipeline/internal/pkg/config/config_test.go

@@ -10,7 +10,7 @@ import (
 	"path/filepath"
 	"testing"
 
-	"github.com/google/go-github/v81/github"
+	"github.com/google/go-github/v83/github"
 	"github.com/hashicorp/vault/tools/pipeline/internal/pkg/changed"
 	"github.com/stretchr/testify/require"
 	"github.com/zclconf/go-cty/cty"

tools/pipeline/internal/pkg/github/add_assignees.go

@@ -8,7 +8,7 @@ import (
 	"log/slog"
 	"slices"
 
-	libgithub "github.com/google/go-github/v81/github"
+	libgithub "github.com/google/go-github/v83/github"
 	slogctx "github.com/veqryn/slog-context"
 )
 

tools/pipeline/internal/pkg/github/check_commit_status.go

@@ -10,7 +10,7 @@ import (
 	"slices"
 	"strings"
 
-	libgithub "github.com/google/go-github/v81/github"
+	libgithub "github.com/google/go-github/v83/github"
 	"github.com/jedib0t/go-pretty/v6/table"
 )
 

tools/pipeline/internal/pkg/github/check_go_mod_diff_request.go

@@ -11,7 +11,7 @@ import (
 	"log/slog"
 	"os"
 
-	libgithub "github.com/google/go-github/v81/github"
+	libgithub "github.com/google/go-github/v83/github"
 	libgit "github.com/hashicorp/vault/tools/pipeline/internal/pkg/git/client"
 	"github.com/hashicorp/vault/tools/pipeline/internal/pkg/golang"
 	"github.com/jedib0t/go-pretty/v6/table"

tools/pipeline/internal/pkg/github/close_copied_origin_pull_request.go

@@ -12,7 +12,7 @@ import (
 	"slices"
 	"strings"
 
-	libgithub "github.com/google/go-github/v81/github"
+	libgithub "github.com/google/go-github/v83/github"
 	"github.com/jedib0t/go-pretty/v6/table"
 	"github.com/shurcooL/githubv4"
 	slogctx "github.com/veqryn/slog-context"

tools/pipeline/internal/pkg/github/commit.go

@@ -7,7 +7,7 @@ import (
 	"context"
 	"log/slog"
 
-	libgithub "github.com/google/go-github/v81/github"
+	libgithub "github.com/google/go-github/v83/github"
 	slogctx "github.com/veqryn/slog-context"
 )
 

tools/pipeline/internal/pkg/github/copy_pull_request.go

@@ -15,7 +15,7 @@ import (
 	"slices"
 	"strings"
 
-	libgithub "github.com/google/go-github/v81/github"
+	libgithub "github.com/google/go-github/v83/github"
 	libgit "github.com/hashicorp/vault/tools/pipeline/internal/pkg/git/client"
 	"github.com/jedib0t/go-pretty/v6/table"
 	slogctx "github.com/veqryn/slog-context"

tools/pipeline/internal/pkg/github/copy_pull_request_test.go

@@ -6,7 +6,7 @@ package github
 import (
 	"testing"
 
-	libgithub "github.com/google/go-github/v81/github"
+	libgithub "github.com/google/go-github/v83/github"
 	"github.com/stretchr/testify/require"
 )
 

tools/pipeline/internal/pkg/github/create_backport.go

@@ -15,7 +15,7 @@ import (
 	"slices"
 	"strings"
 
-	libgithub "github.com/google/go-github/v81/github"
+	libgithub "github.com/google/go-github/v83/github"
 	"github.com/hashicorp/vault/tools/pipeline/internal/pkg/changed"
 	"github.com/hashicorp/vault/tools/pipeline/internal/pkg/config"
 	libgit "github.com/hashicorp/vault/tools/pipeline/internal/pkg/git/client"
@@ -760,6 +760,21 @@ func (r *CreateBackportReq) backportRef(
 		return res
 	}
 
+	// Copy non-backport labels from the original PR to the backport PR
+	labelsToAdd := filterNonBackportLabels(pr.Labels, r.BackportLabelPrefix)
+	err = addLabelsToIssue(
+		ctx,
+		github,
+		r.Owner,
+		r.Repo,
+		int(res.PullRequest.GetNumber()),
+		labelsToAdd,
+	)
+	if err != nil {
+		res.Error = fmt.Errorf("adding labels to backport PR: %w", err)
+		return res
+	}
+
 	return res
 }
 

tools/pipeline/internal/pkg/github/create_backport_test.go

@@ -8,7 +8,7 @@ import (
 	"errors"
 	"testing"
 
-	libgithub "github.com/google/go-github/v81/github"
+	libgithub "github.com/google/go-github/v83/github"
 	"github.com/hashicorp/vault/tools/pipeline/internal/pkg/changed"
 	"github.com/hashicorp/vault/tools/pipeline/internal/pkg/config"
 	"github.com/hashicorp/vault/tools/pipeline/internal/pkg/releases"
@@ -746,3 +746,76 @@ func TestCreateBackportRes_Err(t *testing.T) {
 		})
 	}
 }
+
+// Test_filterNonBackportLabels tests the label filtering functionality
+func Test_filterNonBackportLabels(t *testing.T) {
+	t.Parallel()
+
+	for name, test := range map[string]struct {
+		backportPrefix string
+		sourceLabels   Labels
+		expectedLabels []string
+	}{
+		"no labels": {
+			backportPrefix: "backport",
+			sourceLabels:   Labels{},
+			expectedLabels: nil,
+		},
+		"only backport labels": {
+			backportPrefix: "backport",
+			sourceLabels: Labels{
+				&libgithub.Label{Name: libgithub.Ptr("backport/1.18.x")},
+				&libgithub.Label{Name: libgithub.Ptr("backport/1.19.x")},
+			},
+			expectedLabels: nil,
+		},
+		"mixed labels": {
+			backportPrefix: "backport",
+			sourceLabels: Labels{
+				&libgithub.Label{Name: libgithub.Ptr("bug")},
+				&libgithub.Label{Name: libgithub.Ptr("backport/1.18.x")},
+				&libgithub.Label{Name: libgithub.Ptr("enhancement")},
+				&libgithub.Label{Name: libgithub.Ptr("backport/ce/main")},
+				&libgithub.Label{Name: libgithub.Ptr("docs")},
+			},
+			expectedLabels: []string{"bug", "enhancement", "docs"},
+		},
+		"no backport labels": {
+			backportPrefix: "backport",
+			sourceLabels: Labels{
+				&libgithub.Label{Name: libgithub.Ptr("bug")},
+				&libgithub.Label{Name: libgithub.Ptr("enhancement")},
+				&libgithub.Label{Name: libgithub.Ptr("docs")},
+				&libgithub.Label{Name: libgithub.Ptr("priority/high")},
+			},
+			expectedLabels: []string{"bug", "enhancement", "docs", "priority/high"},
+		},
+		"custom backport prefix": {
+			backportPrefix: "cherry-pick",
+			sourceLabels: Labels{
+				&libgithub.Label{Name: libgithub.Ptr("bug")},
+				&libgithub.Label{Name: libgithub.Ptr("cherry-pick/1.18.x")},
+				&libgithub.Label{Name: libgithub.Ptr("enhancement")},
+			},
+			expectedLabels: []string{"bug", "enhancement"},
+		},
+		"backport-like but different prefix": {
+			backportPrefix: "backport",
+			sourceLabels: Labels{
+				&libgithub.Label{Name: libgithub.Ptr("backup/daily")},
+				&libgithub.Label{Name: libgithub.Ptr("backport/1.18.x")},
+				&libgithub.Label{Name: libgithub.Ptr("enhancement")},
+			},
+			expectedLabels: []string{"backup/daily", "enhancement"},
+		},
+	} {
+		t.Run(name, func(t *testing.T) {
+			t.Parallel()
+
+			filteredLabels := filterNonBackportLabels(test.sourceLabels, test.backportPrefix)
+
+			require.Equal(t, test.expectedLabels, filteredLabels,
+				"filtered labels should match expected labels")
+		})
+	}
+}

tools/pipeline/internal/pkg/github/find_workflow_artifact.go

@@ -13,7 +13,7 @@ import (
 	"regexp"
 	"slices"
 
-	gh "github.com/google/go-github/v81/github"
+	gh "github.com/google/go-github/v83/github"
 	"github.com/jedib0t/go-pretty/v6/table"
 	slogctx "github.com/veqryn/slog-context"
 )

tools/pipeline/internal/pkg/github/issue.go

@@ -7,7 +7,7 @@ import (
 	"context"
 	"log/slog"
 
-	libgithub "github.com/google/go-github/v81/github"
+	libgithub "github.com/google/go-github/v83/github"
 	slogctx "github.com/veqryn/slog-context"
 )
 

tools/pipeline/internal/pkg/github/labels.go

@@ -0,0 +1,54 @@
+// Copyright IBM Corp. 2016, 2025
+// SPDX-License-Identifier: BUSL-1.1
+
+package github
+
+import (
+	"context"
+	"log/slog"
+	"strings"
+
+	libgithub "github.com/google/go-github/v83/github"
+	slogctx "github.com/veqryn/slog-context"
+)
+
+// filterNonBackportLabels returns a slice of label names that do not have the
+// specified backport prefix, filtering out backport labels from the input labels
+func filterNonBackportLabels(labels Labels, backportPrefix string) []string {
+	var labelsToAdd []string
+	for _, label := range labels {
+		if label.GetName() != "" && !strings.HasPrefix(label.GetName(), backportPrefix+"/") {
+			labelsToAdd = append(labelsToAdd, label.GetName())
+		}
+	}
+	return labelsToAdd
+}
+
+// addLabelsToIssue adds the given labels to the issue or pull request
+func addLabelsToIssue(
+	ctx context.Context,
+	github *libgithub.Client,
+	owner string,
+	repo string,
+	number int,
+	labels []string,
+) error {
+	if len(labels) < 1 {
+		slog.Default().DebugContext(ctx, "skipping label assignment because no labels were provided")
+		return nil
+	}
+
+	ctx = slogctx.Append(ctx,
+		slog.String("labels", strings.Join(labels, ", ")),
+		slog.Int("issue-number", number),
+	)
+
+	slog.Default().DebugContext(ctx, "adding labels to issue or pull request")
+	_, _, err := github.Issues.AddLabelsToIssue(ctx, owner, repo, number, labels)
+	if err != nil {
+		return err
+	}
+
+	slog.Default().DebugContext(ctx, "successfully added labels to issue or pull request")
+	return nil
+}

tools/pipeline/internal/pkg/github/list_changed_files.go

@@ -10,7 +10,7 @@ import (
 	"fmt"
 	"strings"
 
-	gh "github.com/google/go-github/v81/github"
+	gh "github.com/google/go-github/v83/github"
 	"github.com/hashicorp/vault/tools/pipeline/internal/pkg/changed"
 	"github.com/hashicorp/vault/tools/pipeline/internal/pkg/config"
 	"github.com/jedib0t/go-pretty/v6/table"

tools/pipeline/internal/pkg/github/list_commit_statuses.go

@@ -8,7 +8,7 @@ import (
 	"errors"
 	"fmt"
 
-	libgithub "github.com/google/go-github/v81/github"
+	libgithub "github.com/google/go-github/v83/github"
 	"github.com/jedib0t/go-pretty/v6/table"
 )
 

tools/pipeline/internal/pkg/github/list_workflow_runs.go

@@ -10,7 +10,7 @@ import (
 	"net/http"
 	"sync"
 
-	gh "github.com/google/go-github/v81/github"
+	gh "github.com/google/go-github/v83/github"
 )
 
 // PerPageMax is the maximum number of entities to request for enpoints that

tools/pipeline/internal/pkg/github/pull_request.go

@@ -8,7 +8,7 @@ import (
 	"fmt"
 	"log/slog"
 
-	libgithub "github.com/google/go-github/v81/github"
+	libgithub "github.com/google/go-github/v83/github"
 	"github.com/shurcooL/githubv4"
 	slogctx "github.com/veqryn/slog-context"
 )

tools/pipeline/internal/pkg/github/sync_branch_request.go

@@ -13,7 +13,7 @@ import (
 	"path/filepath"
 	"strings"
 
-	libgithub "github.com/google/go-github/v81/github"
+	libgithub "github.com/google/go-github/v83/github"
 	"github.com/hashicorp/vault/tools/pipeline/internal/pkg/config"
 	gitpkg "github.com/hashicorp/vault/tools/pipeline/internal/pkg/git"
 	gitclient "github.com/hashicorp/vault/tools/pipeline/internal/pkg/git/client"

tools/pipeline/internal/pkg/github/templates_test.go

@@ -8,7 +8,7 @@ import (
 	"io"
 	"testing"
 
-	libgithub "github.com/google/go-github/v81/github"
+	libgithub "github.com/google/go-github/v83/github"
 	"github.com/stretchr/testify/require"
 )
 

tools/pipeline/internal/pkg/github/workflows.go

@@ -8,7 +8,7 @@ import (
 	"fmt"
 	"log/slog"
 
-	gh "github.com/google/go-github/v81/github"
+	gh "github.com/google/go-github/v83/github"
 	slogctx "github.com/veqryn/slog-context"
 )