
Upgrade golang and docker/cli (v07)#3231

Merged
st3penta merged 4 commits into conforma:release-v0.7 from simonbaird:upgrade-golang-v07
Apr 14, 2026

Conversation

@simonbaird
Member

Since we're having trouble getting the tests to pass in PR #3221, I thought I'd try splitting it into smaller chunks. This PR contains just the golang upgrade, which IIUC does fix a couple of the vulnerabilities we're aiming to resolve.

@coderabbitai

coderabbitai Bot commented Apr 13, 2026

Important

Review skipped

Auto reviews are disabled on base/target branches other than the default branch.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro Plus

Run ID: 1c4c1310-1999-4ac6-a7c5-9d0cea2354ce

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.


@qodo-code-review
Contributor

Review Summary by Qodo

Upgrade Go to 1.25.8 and update dependencies

✨ Enhancement


Walkthroughs

Description
• Upgrade Go runtime from 1.25.3 to 1.25.8 across all modules
• Update Docker base images to use Go 1.25.8 versions
• Clean up go.mod and go.sum files with updated dependencies
• Addresses security vulnerabilities SECURESIGN-3982 and SECURESIGN-3984
Diagram

```mermaid
flowchart LR
  A["Go 1.25.3"] -- "upgrade" --> B["Go 1.25.8"]
  B -- "updates" --> C["Dockerfiles"]
  B -- "updates" --> D["go.mod files"]
  B -- "updates" --> E["go.sum files"]
  B -- "resolves" --> F["Security Vulnerabilities"]
```


File Changes

1. .tool-versions ⚙️ Configuration changes (+1/-1): Update Go version specification
2. Dockerfile, Dependencies (+1/-1): Update base Go image to 1.25.8
3. Dockerfile.dist, Dependencies (+1/-1): Update RedHat UBI Go toolset to 1.25.8
4. acceptance/go.mod, Dependencies (+1/-1): Update Go version requirement to 1.25.8
5. acceptance/go.sum, Dependencies (+0/-6): Clean up and update dependency checksums
6. go.mod, Dependencies (+1/-1): Update Go version requirement to 1.25.8
7. go.sum, Dependencies (+0/-6): Clean up and update dependency checksums
8. tools/go.mod, Dependencies (+1/-1): Update Go version requirement to 1.25.8
9. tools/kubectl/go.mod, Dependencies (+1/-1): Update Go version requirement to 1.25.8
10. tools/kubectl/go.sum, Dependencies (+0/-2): Update Kubernetes dependency to 1.34.3

@qodo-code-review
Contributor

qodo-code-review Bot commented Apr 13, 2026

Code Review by Qodo

🐞 Bugs (1) · 📘 Rule violations (0) · 📎 Requirement gaps (0) · ⛨ Security (1)

Remediation recommended

1. Unpinned Go base image 🐞

Description: Dockerfile builds from the floating tag golang:1.25.8 (no digest), so images produced via the Makefile’s podman build -f Dockerfile path can change over time without a code change, undermining reproducibility and supply-chain integrity. This is inconsistent with Dockerfile.dist, which pins its builder image by digest.

Code (Dockerfile[19]):

    +FROM docker.io/library/golang:1.25.8 AS build

Evidence: The release/image build path uses Dockerfile (not Dockerfile.dist), and Dockerfile’s builder image is referenced by tag only; Dockerfile.dist demonstrates the project already uses digest pinning for its builder image.

  • Dockerfile[19-19]
  • Makefile[256-267]
  • Dockerfile.dist[19-19]

Agent prompt
The issue below was found during a code review. Follow the provided context and guidance below and implement a solution

### Issue description
`Dockerfile` uses `docker.io/library/golang:1.25.8` without an image digest. Because this is tag-only, the resolved image content can change over time (rebuilds/re-pushes), making the produced release images non-reproducible and weakening supply-chain guarantees.

### Issue Context
The repository builds/pushes images using `podman build -f Dockerfile` (Makefile image_* targets). `Dockerfile.dist` already pins its builder image by digest, so the repo has precedent for digest pinning.

### Fix Focus Areas
- Dockerfile[19-19]
- Makefile[256-267]
- Dockerfile.dist[19-19]

### Suggested change
Update the `FROM docker.io/library/golang:1.25.8 AS build` line to include an `@sha256:<digest>` for the exact intended Go toolchain image (and document/update any helper scripts if needed).


@codecov

codecov Bot commented Apr 13, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.

| Flag        | Coverage Δ      |
|-------------|-----------------|
| generative  | 69.55% <ø> (ø)  |
| integration | 69.55% <ø> (ø)  |
| unit        | 69.55% <ø> (ø)  |


Not sure if this will fix the unexpected acceptance test failure
we've been seeing in GitHub, but either way it does clean up some
"unmatched wiremock request" output in the acceptance tests,
and makes the error message more sane.

Plus, since there is a snapshot data change here, it is actually
possible this will fix the other problems. Let's see...

Co-authored-by: Claude Code <noreply@anthropic.com>
@github-actions github-actions Bot added size: S and removed size: XS labels Apr 13, 2026
Done like this:

    for d in . tools acceptance; do ( cd $d; go get github.com/docker/cli; go mod tidy; ); done
@github-actions github-actions Bot added size: M and removed size: S labels Apr 13, 2026
@simonbaird
Member Author

simonbaird commented Apr 13, 2026

Acceptance tests are green, which is great. I guess the snapshot change in the wiremock fix was significant.

The only thing failing now is the Conforma check, and it's due to a github.com/docker/cli CVE being detected by clair (even though it's Windows-only IIUC).

So I'm adding a docker/cli update here in this PR too.

@simonbaird simonbaird changed the title Upgrade golang to 1.25.8 (v07) Upgrade golang and docker/cli (v07) Apr 13, 2026
@simonbaird simonbaird mentioned this pull request Apr 13, 2026
@st3penta st3penta merged commit f5c079b into conforma:release-v0.7 Apr 14, 2026
10 checks passed