OADP-7565: Go 1.25.8 + x/* dep bumps for CVE fixes

[kaovilai]

Summary

• Update Go toolchain to 1.25.8 (fixes GO-2026-4337, GO-2026-4340, GO-2026-4341, GO-2026-4342, CVE-2026-25679, CVE-2026-27137)
• Bump golang.org/x/net to v0.52.0 (fixes GHSA-vvgc-356p-c3xw)
• Bump golang.org/x/crypto to v0.49.0 (fixes GHSA-j5w8-q4qc-rx2x, GHSA-f6x5-jh6r-wrfv)
• Transitive bumps: x/sync v0.20.0, x/sys v0.42.0, x/term v0.41.0, x/text v0.35.0
• Dockerfile updated to golang:1.25.8
• Upgrade actions/setup-go from v5 to v6 (v6 reads the toolchain directive from go.mod)

Test plan

• go build ./... passes
• CI passes

Note

Responses generated with Claude

🤖 Generated with Claude Code

Summary by CodeRabbit

• Chores
  • Updated Go toolchain version and upgraded multiple module dependencies to latest versions
  • Updated GitHub Actions workflows to use newer action versions
  • Updated Docker base image to a newer Go version for builds

[openshift-ci-robot]

@kaovilai: This pull request references OADP-7565 which is a valid jira issue.

Details

In response to this:

Summary

• Update Go toolchain to 1.25.8 (fixes GO-2026-4337, GO-2026-4340, GO-2026-4341, GO-2026-4342, CVE-2026-25679, CVE-2026-27137)
• Bump golang.org/x/net to v0.52.0 (fixes GHSA-vvgc-356p-c3xw)
• Bump golang.org/x/crypto to v0.49.0 (fixes GHSA-j5w8-q4qc-rx2x, GHSA-f6x5-jh6r-wrfv)
• Transitive bumps: x/sync v0.20.0, x/sys v0.42.0, x/term v0.41.0, x/text v0.35.0
• Dockerfile updated to golang:1.25.8

Test plan

• go build ./... passes
• CI passes

[!Note]
Responses generated with Claude

🤖 Generated with Claude Code

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: kaovilai

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS [kaovilai]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 815a735b-1b15-403e-ac5b-30b7e6271505

📥 Commits

Reviewing files that changed from the base of the PR and between 2b4e699 and fd47831.

⛔ Files ignored due to path filters (1)

• go.sum is excluded by !**/*.sum

📒 Files selected for processing (5)

• .github/workflows/lint.yml
• .github/workflows/test-e2e.yml
• .github/workflows/test.yml
• Dockerfile
• go.mod

---

📝 Walkthrough

Walkthrough

GitHub Actions workflows across lint, test, and end-to-end testing are updated to use setup-go@v6 instead of v5. The Dockerfile base image is upgraded to golang:1.25.8. Go module dependencies and toolchain versions are updated, including multiple indirect dependencies across networking, tools, and system packages.

Changes

Cohort / File(s)	Summary
GitHub Actions Workflow Upgrades .github/workflows/lint.yml, .github/workflows/test-e2e.yml, .github/workflows/test.yml	Updated setup-go action from v5 to v6 across all workflow files while preserving go-version-file configuration and downstream steps.
Docker Base Image Dockerfile	Bumped Go base image in builder stage from golang:1.25 to golang:1.25.8 for patch-level updates.
Go Module Dependencies go.mod	Updated Go toolchain directive and added golang.org/x/sync v0.20.0. Upgraded six indirect dependencies across mod, net, sys, term, text, and tools packages to newer versions.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

Poem

🐰 Hoppity-hop, we bounce ahead,
With Go v6 and toolchain spread,
Dependencies synced, a fine update spree,
Our workflows now flow more smoothly, you'll see! 🚀

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title clearly and concisely describes the main changes: upgrading Go to 1.25.8 and bumping golang.org/x/* dependencies for CVE fixes, which aligns with the primary focus of the changeset across go.mod, Dockerfile, and workflow files.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

📝 Coding Plan

• Generate coding plan for human review comments

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[Copilot]

Pull request overview

Updates the project’s Go toolchain and Go module dependencies to incorporate upstream security fixes in Go and golang.org/x/* libraries.

Changes:

• Adds toolchain go1.25.8 and adjusts the module’s Go version declaration.
• Bumps several golang.org/x/* dependencies (e.g., x/net, x/mod, x/sys, x/text, x/tools, x/sync).
• Updates the builder image in the Dockerfile to golang:1.25.8.

Reviewed changes

Copilot reviewed 2 out of 3 changed files in this pull request and generated 2 comments.

File	Description
go.mod	Updates Go/toolchain settings and bumps golang.org/x/* module versions.
go.sum	Refreshes sums to match updated golang.org/x/* dependency versions.
Dockerfile	Pins builder stage to golang:1.25.8.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[openshift-ci-robot]

@kaovilai: This pull request references OADP-7565 which is a valid jira issue.

Details

In response to this:

Summary

• Update Go toolchain to 1.25.8 (fixes GO-2026-4337, GO-2026-4340, GO-2026-4341, GO-2026-4342, CVE-2026-25679, CVE-2026-27137)
• Bump golang.org/x/net to v0.52.0 (fixes GHSA-vvgc-356p-c3xw)
• Bump golang.org/x/crypto to v0.49.0 (fixes GHSA-j5w8-q4qc-rx2x, GHSA-f6x5-jh6r-wrfv)
• Transitive bumps: x/sync v0.20.0, x/sys v0.42.0, x/term v0.41.0, x/text v0.35.0
• Dockerfile updated to golang:1.25.8
• Upgrade actions/setup-go from v5 to v6 (v6 reads the toolchain directive from go.mod)

Test plan

• go build ./... passes
• CI passes

[!Note]
Responses generated with Claude

🤖 Generated with Claude Code

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[openshift-ci-robot]

@kaovilai: This pull request references OADP-7565 which is a valid jira issue.

Details

In response to this:

Summary

• Update Go toolchain to 1.25.8 (fixes GO-2026-4337, GO-2026-4340, GO-2026-4341, GO-2026-4342, CVE-2026-25679, CVE-2026-27137)
• Bump golang.org/x/net to v0.52.0 (fixes GHSA-vvgc-356p-c3xw)
• Bump golang.org/x/crypto to v0.49.0 (fixes GHSA-j5w8-q4qc-rx2x, GHSA-f6x5-jh6r-wrfv)
• Transitive bumps: x/sync v0.20.0, x/sys v0.42.0, x/term v0.41.0, x/text v0.35.0
• Dockerfile updated to golang:1.25.8
• Upgrade actions/setup-go from v5 to v6 (v6 reads the toolchain directive from go.mod)

Test plan

• go build ./... passes
• CI passes

[!Note]
Responses generated with Claude

🤖 Generated with Claude Code

Summary by CodeRabbit

• Chores
• Updated Go toolchain version and upgraded multiple module dependencies to latest versions
• Updated GitHub Actions workflows to use newer action versions
• Updated Docker base image to a newer Go version for builds

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.