
fix(security): upgrade deck to Go 1.25.9#1997

Merged
Prashansa-K merged 1 commit into Kong:main from bhatikuldeep:fix/go-1.25.9-stdlib-vulns on Apr 10, 2026

Conversation

@bhatikuldeep (Member)

Addresses the Go stdlib vulnerabilities confirmed on origin/main and release tag v1.57.3 when scanned with GOTOOLCHAIN=go1.25.7.

Changes:

  • bump go.mod from go 1.25.7 to go 1.25.9
  • update Dockerfile builder image to golang:1.25.9 with the matching pinned digest

Validation:

  • GOTOOLCHAIN=go1.25.7 govulncheck ./... on origin/main and v1.57.3 reports 4 reachable stdlib vulnerabilities
  • patched branch removes the reachable findings
  • local Docker build succeeds with the pinned 1.25.9 image

Related issue: #1996

cc @Kong/team-deck

Copilot AI review requested due to automatic review settings April 10, 2026 12:18
@CLAassistant

CLA assistant check
Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution.

Copilot AI left a comment

Pull request overview

Updates the project’s Go toolchain version to address reachable Go standard library vulnerabilities reported by govulncheck, aligning both module configuration and container build tooling.

Changes:

  • Bump go.mod Go version from 1.25.7 to 1.25.9.
  • Update the Docker build stage to use golang:1.25.9 with a pinned image digest.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 1 comment.

go.mod: Updates the declared Go version to the patched release.
Dockerfile: Updates the Go builder image version/digest used for container builds.

Comment thread Dockerfile
Comment on lines +1 to 2
ARG GO_VERSION=1.25.9@sha256:7a00384194cf2cb68924bbb918d675f1517357433c8541bac0ab2f929b9d5447
FROM golang:${GO_VERSION} AS build
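Review bot: GO_VERSION is declared before FROM, which puts it in scope only for the FROM line; any instruction inside the `build` stage that references ${GO_VERSION} will see it empty unless a bare `ARG GO_VERSION` is redeclared right after `FROM golang:${GO_VERSION} AS build`. If nothing in the stage uses it, no change is needed.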
Copilot AI Apr 10, 2026

GO_VERSION is used as a build-arg in the release workflow (it passes only the version extracted from go.mod). That overrides this default tag@digest value, so CI/release builds will end up using an unpinned golang:1.25.9 base and the digest pinning here won’t actually take effect for published images. Consider either (a) passing tag@digest from the workflow, (b) splitting version and digest into separate args (or hardcoding digest in FROM), or (c) removing the workflow override if you want Dockerfile-controlled pinning.

Suggested change
ARG GO_VERSION=1.25.9@sha256:7a00384194cf2cb68924bbb918d675f1517357433c8541bac0ab2f929b9d5447
FROM golang:${GO_VERSION} AS build
ARG GO_VERSION=1.25.9
ARG GO_IMAGE_DIGEST=sha256:7a00384194cf2cb68924bbb918d675f1517357433c8541bac0ab2f929b9d5447
FROM golang:${GO_VERSION}@${GO_IMAGE_DIGEST} AS build

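As an added example (not deck's own workflow or Dockerfile), the shell below models the override the comment describes: the default in `ARG GO_VERSION=<tag@digest>` is replaced by whatever `--build-arg GO_VERSION=...` passes, so a version-only value silently drops the digest pin. It assumes a constructed go.mod and reuses the digest from the PR purely as a placeholder; `is_digest_pinned` is the guard a workflow could run before `docker build`.

```shell
#!/bin/sh
# Added example, not deck's own workflow or Dockerfile. It models the
# ARG/FROM override the review describes and adds a guard a workflow
# could run before `docker build`. The go.mod text and the digest are
# constructed/placeholder values.

# Constructed go.mod content (assumed, not the real file).
SAMPLE_GO_MOD='module github.com/example/deck

go 1.25.9
'
# Digest copied from the PR's Dockerfile; treat it as a placeholder here.
GO_IMAGE_DIGEST='sha256:7a00384194cf2cb68924bbb918d675f1517357433c8541bac0ab2f929b9d5447'

# Print the `go` directive version from go.mod text on stdin, e.g. 1.25.9.
go_version_from_mod() {
    awk '$1 == "go" { print $2; exit }'
}

# Mirror Docker's ARG resolution: an explicit --build-arg replaces the
# default in `ARG GO_VERSION=<default>`, so FROM sees golang:<override>.
resolve_base_image() {
    printf 'golang:%s' "${2:-$1}"
}

# Succeed only if the reference ends in a full sha256 digest.
is_digest_pinned() {
    printf '%s\n' "$1" | grep -Eq '^[^@]+@sha256:[0-9a-f]{64}$'
}

# Build the tag@digest value a workflow should pass as GO_VERSION.
compose_build_arg() {
    printf '%s@%s' "$1" "$2"
}

main() {
    ver=$(printf '%s' "$SAMPLE_GO_MOD" | go_version_from_mod)
    dflt="$ver@$GO_IMAGE_DIGEST"

    # Today's workflow: version only, so the digest pin is silently lost.
    img=$(resolve_base_image "$dflt" "$ver")
    is_digest_pinned "$img" || echo "unpinned base image: $img"

    # Passing tag@digest keeps the pin through the same ARG/FROM path.
    img=$(resolve_base_image "$dflt" "$(compose_build_arg "$ver" "$GO_IMAGE_DIGEST")")
    is_digest_pinned "$img" && echo "pinned base image: $img"
}
main
```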
@codecov-commenter

codecov-commenter commented Apr 10, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 32.88%. Comparing base (c07059f) to head (f33a08b).

Additional details and impacted files
@@            Coverage Diff             @@
##             main    #1997      +/-   ##
==========================================
- Coverage   32.92%   32.88%   -0.05%     
==========================================
  Files          77       77              
  Lines        6988     6988              
==========================================
- Hits         2301     2298       -3     
- Misses       4504     4506       +2     
- Partials      183      184       +1     

- bump go.mod from 1.25.7 to 1.25.9
- pin the Docker builder image to the matching Go 1.25.9 digest
- resolves stdlib vulnerabilities in crypto/x509, crypto/tls, and net/url
@bhatikuldeep force-pushed the fix/go-1.25.9-stdlib-vulns branch from 628e7c8 to f33a08b on April 10, 2026 12:25
@Prashansa-K added the labels skip-konnect (Skip Konnect Integration tests in CI), skip-ee (Skip Enterprise Integration Tests in CI) and skip-oss (Skip Open Source Integration Tests in CI) on Apr 10, 2026
@Prashansa-K Prashansa-K merged commit 3cdc72a into Kong:main Apr 10, 2026
19 of 47 checks passed
@bhatikuldeep bhatikuldeep deleted the fix/go-1.25.9-stdlib-vulns branch April 10, 2026 19:25
5 participants