
chore(deps): bump Go to 1.25.9 [security] (release-1.20)#965

Closed
phisco wants to merge 1 commit into crossplane:release-1.20 from phisco:chore/bump-go-1.25.9-release-1.20

Conversation

@phisco
Contributor

@phisco phisco commented Apr 15, 2026

Description of your changes

Mirrors #961 for release-1.20, adapted for Earthly.

govulncheck reports 5 reachable stdlib vulnerabilities on this branch
with the current Go 1.23.7 toolchain (same CVE set as release-2.0 and
release-2.1):

ID            Package
GO-2026-4947  crypto/x509 (chain-building DoS)
GO-2026-4946  crypto/x509 (policy validation)
GO-2026-4870  crypto/tls (KeyUpdate DoS)
GO-2026-4865  html/template (XSS)
GO-2026-4601  net/url

Both Go 1.23 and Go 1.24 went end-of-life before the April 2026
security batch (1.23 EOL: 2025-08-12 when 1.25.0 shipped; 1.24 EOL:
2026-02-10 when 1.26.0 shipped). The latest 1.23 release (1.23.12)
does not contain these fixes and none will be backported. Fixing them
requires moving off the 1.23 line entirely.

This PR therefore jumps straight to Go 1.25.9 — a two-minor bump —
updating both the Earthfile toolchain and the `go.mod` directive.
The now-redundant `toolchain go1.23.7` line is dropped.

Alternatives worth considering before merging:

  • Is release-1.20 still receiving patches? If it's effectively
    archived, we could mark these CVEs as won't-fix on this branch.
  • A smaller jump to Go 1.24.x would not help — also EOL, no CVE fixes.
  • If a minor bump is too intrusive but the CVEs are a blocker, we
    could bump only `Earthfile`'s `GO_VERSION` and leave `go.mod`
    untouched, keeping library consumers unaffected.

govulncheck reports five reachable stdlib vulnerabilities on this branch
at the current Go 1.23.7 toolchain, in crypto/x509, crypto/tls, html/
template and net/url. Both Go 1.23 and Go 1.24 went end-of-life before
the April 2026 security batch (1.23 on 2025-08-12 when 1.25.0 shipped,
1.24 on 2026-02-10 when 1.26.0 shipped). The fixes only exist in Go
1.25.9 and 1.26.2, and no backport will be made.

This commit therefore does a two-minor-version bump to 1.25.9, in both
the Earthfile toolchain and the go.mod directive. The separate
toolchain directive is dropped since the go directive now matches.

Signed-off-by: Philippe Scorsolini <5697904+phisco@users.noreply.github.com>
@phisco phisco requested a review from a team as a code owner April 15, 2026 16:05
@phisco phisco requested review from negz and removed request for a team April 15, 2026 16:05
@coderabbitai
Contributor

coderabbitai bot commented Apr 15, 2026

Important

Review skipped

Auto reviews are disabled on base/target branches other than the default branch.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.


@phisco
Contributor Author

phisco commented Apr 15, 2026

Closing as won't-fix.

Bumping Go to 1.25.9 on this branch hits two compounding issues that each
require non-trivial work well beyond a Go bump:

  1. golangci-lint v1 → v2 migration. GOLANGCI_LINT_VERSION on this
    branch is v1.64.8, on the v1.x line, built with Go ≤ 1.24. It refuses
    to lint code declaring go 1.25.9. The v2.x line (the only line still
    receiving releases) ships a new .golangci.yml config format, so a
    bump requires a config migration.

  2. x/tools v0.24.0 incompatibility with Go 1.25. check-diff's
    go generate fails with invalid array length -delta * delta from
    golang.org/x/tools@v0.24.0/internal/tokeninternal/tokeninternal.go.
    This requires bumping x/tools (and likely controller-gen, which
    pulls it in) in go.mod — a dep sweep on an old branch.

Given release-1.20 is three minor versions behind main and the 5 reachable
CVEs do not have backports in the 1.23 Go line (and won't: Go 1.23 EOL'd
on 2025-08-12, Go 1.24 on 2026-02-10), the cost/benefit of a full chain of
fixes here is poor. Tracking these CVEs as won't-fix on release-1.20.

Consumers on release-1.20 who care about the stdlib fixes should upgrade
to release-2.0 or later (#964 / #963 / #966 / #961).

@phisco phisco closed this Apr 15, 2026
phisco added a commit to phisco/crossplane-runtime that referenced this pull request Apr 17, 2026
…ports

This unblocks the security dep bumps queued for release-1.20:

* crossplane#918 - golang.org/x/net v0.45.0 (CVE-2025-47911, CVE-2025-58190; first
  patched version is v0.45.0 which declares `go 1.24.0` in its go.mod)
* crossplane#971 - google.golang.org/grpc v1.79.3 (CVE-2026-33186; also declares
  `go 1.24.0`)

Both deps require `go >= 1.24.0` so `go mod download` fails on this
branch under the pinned `GOTOOLCHAIN=local` with Go 1.23.7. Bumping the
`go` directive to `1.24.0` and the toolchain to the latest 1.24.x patch
(1.24.13) is the minimum change needed to unblock the backports.

Staying on the 1.24 line (not 1.25) deliberately avoids the golangci-lint
v1 -> v2 migration and `x/tools v0.24.0` incompatibility that blocked
the earlier 1.25 attempt (see crossplane#965). `go mod tidy`, `go build ./...`,
and `go vet ./...` are all clean; no code changes are needed.

Signed-off-by: Philippe Scorsolini <5697904+phisco@users.noreply.github.com>
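The two go.mod mechanics this thread turns on are (a) a `toolchain` directive that becomes redundant once the `go` directive matches it (the 1.25.9 attempt above) and (b) dependencies whose own go.mod declares a newer `go` line than the pinned toolchain, which is fatal under `GOTOOLCHAIN=local` (the 1.24.0 backport commit). The program below is an added example written for this page, not code from crossplane-runtime; the go.mod fragments are constructed, the `Check`/`directives`/`compare` helpers are hypothetical names, and the version comparison treats a missing patch component as 0 and ignores pre-release suffixes. The two dependency requirements in `main` are the ones the commit message states (x/net v0.45.0 and grpc v1.79.3 both declare `go 1.24.0`).

```go
package main

import (
	"bufio"
	"fmt"
	"sort"
	"strconv"
	"strings"
)

// Constructed go.mod fragments for this example (not copied from the
// crossplane-runtime branches): the pinned state described in the PR, and
// the minimal fix chosen in the later backport commit.
const modBefore = `module example.com/runtime

go 1.23.7

toolchain go1.23.7
`

const modFixed = `module example.com/runtime

go 1.24.0
`

// directives returns the go and toolchain directive values from go.mod text,
// with the "go" prefix stripped from the toolchain ("" when absent).
func directives(src string) (goLine, toolchain string) {
	sc := bufio.NewScanner(strings.NewReader(src))
	for sc.Scan() {
		f := strings.Fields(sc.Text())
		if len(f) != 2 {
			continue
		}
		switch f[0] {
		case "go":
			goLine = f[1]
		case "toolchain":
			toolchain = strings.TrimPrefix(f[1], "go")
		}
	}
	return goLine, toolchain
}

// compare orders dotted versions such as "1.23.7" and "1.24" numerically.
// Assumption of this example: a missing component counts as 0, so
// "1.24" == "1.24.0", and pre-release suffixes (rc1) are not handled.
func compare(a, b string) int {
	pa, pb := strings.Split(a, "."), strings.Split(b, ".")
	for i := 0; i < 3; i++ {
		var x, y int
		if i < len(pa) {
			x, _ = strconv.Atoi(pa[i])
		}
		if i < len(pb) {
			y, _ = strconv.Atoi(pb[i])
		}
		if x != y {
			if x < y {
				return -1
			}
			return 1
		}
	}
	return 0
}

// Check explains why a go.mod will not resolve its dependencies under
// GOTOOLCHAIN=local. localToolchain is the version of the go binary on PATH;
// depRequires maps a module path to the go line declared in its own go.mod.
func Check(modSrc, localToolchain string, depRequires map[string]string) []string {
	var findings []string
	goLine, tc := directives(modSrc)
	if tc != "" && compare(tc, goLine) == 0 {
		findings = append(findings, "toolchain go"+tc+" is redundant: it matches the go directive")
	}
	deps := make([]string, 0, len(depRequires))
	for d := range depRequires {
		deps = append(deps, d)
	}
	sort.Strings(deps) // deterministic output
	for _, d := range deps {
		need := depRequires[d]
		// GOTOOLCHAIN=local forbids fetching a newer toolchain, so a dependency
		// that needs one is a hard failure at go mod download time.
		if compare(localToolchain, need) < 0 {
			findings = append(findings, fmt.Sprintf("%s requires go >= %s; running go %s with GOTOOLCHAIN=local", d, need, localToolchain))
		}
		// The main module's go line must also be at least the dependency's.
		if compare(goLine, need) < 0 {
			findings = append(findings, fmt.Sprintf("%s requires go >= %s; raise the go directive from %s", d, need, goLine))
		}
	}
	return findings
}

func main() {
	// Requirements stated in the backport commit message.
	deps := map[string]string{
		"golang.org/x/net":       "1.24.0", // v0.45.0 declares go 1.24.0
		"google.golang.org/grpc": "1.24.0", // v1.79.3 declares go 1.24.0
	}
	for _, f := range Check(modBefore, "1.23.7", deps) {
		fmt.Println("before:", f)
	}
	fmt.Println("fixed:", len(Check(modFixed, "1.24.13", deps)), "findings")
}
```

Running it prints five findings for the pinned 1.23.7 state (the redundant toolchain line plus a toolchain and a go-directive finding per dependency) and none for `go 1.24.0` with a 1.24.13 toolchain, which is exactly the minimum the backport commit settles on.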