chore: bump Go toolchain to 1.24.13 on release-1.20

[phisco]

Description of your changes

Minimal Go-only bump on release-1.20 to unblock the queued security
dependency updates. No code changes.

Why

The security bumps currently failing CI on this branch each declare
go 1.24.0 in their own go.mod:

• chore(deps): update module golang.org/x/net to v0.45.0 [security] (release-1.20) #918 - golang.org/x/net -> v0.45.0 (CVE-2025-47911 quadratic parsing
  DoS in html.Parse, CVE-2025-58190 infinite parsing loop; GitHub
  advisory confirms first_patched_version: 0.45.0, no usable
  intermediate version on the go 1.23 line).
• fix(deps): update module google.golang.org/grpc to v1.79.3 [security] (release-1.20) #971 - google.golang.org/grpc -> v1.79.3 (CVE-2026-33186 authorization
  bypass via missing leading slash in :path).

With release-1.20 pinned at go 1.23.0 / toolchain go1.23.7 and
Earthly set to GOTOOLCHAIN=local, go mod download fails for both PRs
with:

go.mod requires go >= 1.24.0 (running go 1.23.7; GOTOOLCHAIN=local)

which cascades to unit-tests, lint, check-diff, and codeql.

What

• go.mod: go 1.23.0 -> go 1.24.0, toolchain go1.23.7 -> go1.24.13
  (latest 1.24 patch).
• Earthfile: GO_VERSION=1.23.7 -> 1.24.13.

go mod tidy produces no dependency changes. go build ./... and
go vet ./... are clean on the branch.

Why 1.24 and not 1.25

An earlier attempt to bump to 1.25 on this branch (#965) was closed as
won't-fix because it required:

1. A golangci-lint v1 -> v2 migration (the pinned v1.64.8 refuses
   to lint code declaring go 1.25).
2. Dependency updates to escape an x/tools v0.24.0 incompatibility
   with Go 1.25 (invalid array length -delta * delta).

Staying on the 1.24 line avoids both. golangci-lint v1.64.8 was built
against Go 1.24 and continues to work, and x/tools v0.24.0 is
compatible with Go 1.24. The 5 reachable stdlib CVEs flagged on this
branch remain won't-fix (Go 1.24 is also EOL and does not backport
them); this PR is scoped strictly to unblocking the dep bumps above.

Fixes #

I have:

• Read and followed Crossplane's contribution process.
• Run earthly +reviewable to ensure this PR is ready for review. (local Earthly setup unavailable; CI will run it)
• Added or updated unit tests.
• Linked a PR or a docs tracking issue to document this change.
• Added backport release-x.y labels to auto-backport this PR.

[coderabbitai]

Important

Review skipped

Auto reviews are disabled on base/target branches other than the default branch.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 842e47da-e859-4976-8581-1e8c95ed8686

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

• 🔍 Trigger review

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}