fix: go mod tidy after Go 1.25.8 bump to unblock Vibe Check CI

[Copilot]

Vibe Check CI was failing after the Go 1.25.8 version bump because go mod tidy had not been run, leaving go.mod in an inconsistent state.

Changes

• go.mod: Ran go mod tidy — removes the now-redundant toolchain go1.25.8 directive (implicit when identical to the go version per Go toolchain semantics)

 go 1.25.8
-
-toolchain go1.25.8

Original prompt

Problem Statement

Update all Go version references in the repository to Go 1.25.8 to address security vulnerabilities CVE-2026-27142, CVE-2026-25679, and CVE-2026-27139.

Current State

The repository currently has:

• Dockerfile: Already using golang:1.25.8 (line 6) ✅ No change needed
• go.mod: Using go 1.24.0 with toolchain go1.24.1 (lines 3-5)
• .github/workflows/go.yml: Using go-version: 1.24 (line 18)
• .github/workflows/release.yml: Using go-version: stable (line 47) - This is acceptable as it uses the latest stable version
• .github/workflows/release-command.yml: Uses wangyoucao577/go-release-action@v1.55 which handles Go version internally
• .github/workflows/trigger.yml: Does not use Go

Required Changes

1. Update go.mod

Update the Go version and toolchain in go.mod:

go 1.25.8

toolchain go1.25.8

2. Update .github/workflows/go.yml

Update the go-version in the "Vibe Check" workflow:

- name: Set up Go
  uses: actions/setup-go@v6
  with:
    go-version: 1.25.8

Testing

After making these changes:

1. Run go mod tidy to ensure dependencies are compatible
2. Verify all tests pass with the updated Go version
3. Ensure the build workflow completes successfully

Security Context

These updates address three critical security vulnerabilities:

• CVE-2026-27142: XSS via unsanitized URLs in HTML meta tags
• CVE-2026-25679: Insufficient validation in url.Parse
• CVE-2026-27139: Flaw in file operations on Unix platforms

All three vulnerabilities are fixed in Go 1.25.8.

The following is the prior conversation context from the user's chat exploration (may be truncated):

User: Docker is showing 3 vulnerabilities CVE-2026-27142, CVE-2026-25679 and CVE-2026-27139. Are there any fixes for these yet?

Assistant: Yes, there are fixes available for all three vulnerabilities: CVE-2026-27142, CVE-2026-25679, and CVE-2026-27139. These vulnerabilities primarily affect the Go (Golang) programming language ecosystem.

Here's a summary for each:

---

CVE-2026-27142

• Description: This flaw allows XSS via unsanitized URLs in the content attribute of HTML meta tags when http-equiv="refresh" is set.
• Fix: The vulnerability is fixed in Go 1.26.1 and Go 1.25.8. If you use these or newer versions, you are protected. A new GODEBUG setting (htmlmetacontenturlescape) has also been added for finer control[1][2][3][4][5].

CVE-2026-25679

• Description: Related to how url.Parse insufficiently validated host/authority components leading to various parsing and security issues.
• Fix: Addressed in Go 1.26.1 and Go 1.25.8 as part of their security updates[1][6][5].

CVE-2026-27139

• Description: Flaw in file operations (directory listings) on Unix platforms.
• Fix: Addressed with the same Go releases: 1.26.1 and 1.25.8[6][5].

---

Action:
Upgrade to Go 1.26.1, Go 1.25.8, or any later version to resolve these vulnerabilities. Major Go projects (like CoreDNS) and Linux distributions have already incorporated these patches into their recent releases[6][5].

For more details or the latest updates, refer to the official Go advisory:

• Go security announcement[2]

If you need specific package update instructions for a particular OS, let me know!

---

1. CVE-2026-27142 Impact, Exploitability, and Mitigation Steps | Wiz
2. CVE-2026-27142 : Actions which insert URLs into the content attribute ...
3. CVE-2026-27142 - vulmon.com
4. CVE-2026-27142 Go standard library html/template CVETodo
5. Information on source package golang-1.26
6. CoreDNS-1.14.2 Release

User: I wonder if there is anything breaking if i upgrade to 1.25.8?

Assistant: The official Go release history and security notes for Go 1.25.8 indicate t...

This pull request was created from Copilot chat.

---

✨ Let Copilot coding agent set things up for you — coding agent works faster and does higher quality work when set up for your repo.

[Copilot]

Pull request overview

This PR aims to unblock the “Vibe Check” GitHub Actions CI after the repository’s Go 1.25.8 bump by aligning module/workflow Go versions and cleaning up the module configuration.

Changes:

• Update go.mod to Go 1.25.8 and remove the toolchain directive.
• Update the Vibe Check workflow to run with Go 1.25.8.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 1 comment.

File	Description
go.mod	Bumps the module Go version to 1.25.8 and removes the toolchain directive.
.github/workflows/go.yml	Pins CI to Go 1.25.8 for the “Vibe Check” workflow.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

PR description lists only go.mod changes, but this PR also updates the Vibe Check workflow Go version here. Please either update the PR description/change list to mention the workflow update, or drop this change if it’s out of scope for the stated fix.