build(deps): pin shared/golang to latest stable Go release

[Copilot]

shared/golang/Dockerfile was tracking golang:1.26.3-bookworm — a non-stable/rolling development line — causing Dependabot to repeatedly bump the digest within an unstable series (supersedes #1165).

Change

Pinned to golang:1.25.10-bookworm, the current stable maintained release per go.dev/dl, with a precise multi-arch manifest digest from Docker Hub:

- FROM golang:1.26.3-bookworm@sha256:b09e568dcf2a1ff3ce09a230ea234193fc014dc195472fe63316e50238453d96 AS golang-base
+ FROM golang:1.25.10-bookworm@sha256:e3a54b77385b4f8a31c1db4d12429ffb3718ea76865731a787c497755d409547 AS golang-base

Dependabot remains enabled for /shared/golang and will continue bumping within the 1.25.x stable line going forward.

Original prompt

Background

The shared/golang/Dockerfile is currently pinned to a rolling/unstable Go Docker image tag. Dependabot keeps bumping it (see PR #1165 which bumped from b09e568 to 252599a while keeping the tag golang:1.26.3-bookworm). Go 1.26 is not the latest stable Go release — it appears to be a development/rolling line — and we should not be tracking that.

File to update

shared/golang/Dockerfile

Current relevant line (line 6):

FROM golang:1.26.3-bookworm@sha256:b09e568dcf2a1ff3ce09a230ea234193fc014dc195472fe63316e50238453d96 AS golang-base

Task

1. Identify the latest stable Go release (i.e. the most recent stable major.minor.patch published on https://go.dev/dl/ — NOT a release candidate, beta, or development version). As of now, the latest stable Go line is most likely 1.25.x (verify on https://go.dev/dl/ and on the golang Docker Hub page https://hub.docker.com/_/golang). Do not use 1.26.x — that line is not stable.
2. Update shared/golang/Dockerfile line 6 to use the latest stable golang:<version>-bookworm tag, pinned by digest in the same tag@sha256:... style as the existing line. Look up the actual current digest for that specific <version>-bookworm tag on Docker Hub and use it.
3. Do not modify any other line of the Dockerfile.
4. Do not change .github/dependabot.yml — keep dependabot enabled for /shared/golang so it continues to bump within the chosen stable line going forward. (Dependabot will track the tag we pin to; by pinning to a stable 1.X.Y-bookworm tag rather than a rolling one, future bumps will stay on the stable line.)

PR details

• Title: build(deps): pin shared/golang to latest stable Go release
• In the PR description, explain that the previous tag (1.26.3-bookworm) was tracking a non-stable Go line, and state which stable version + digest you pinned to and where you sourced them (link to https://go.dev/dl/ and the Docker Hub golang tags page).
• This will supersede build(deps): bump golang from 1.25.10-bookworm to 1.26.3-bookworm in /shared/golang #1165 (mention it in the description).

Verification

• Confirm the chosen version appears on https://go.dev/dl/ under the "Stable versions" section (not "Unstable" / "Archived" / "Release candidate").
• Confirm the <version>-bookworm tag exists on Docker Hub and the digest you use matches the one shown there for linux/amd64 manifest list.

The following is the prior conversation context from the user's chat exploration (may be truncated):

User: this dependency is on rolling releases - it shouldnt be - please open a pr to set it to latest stable

Assistant: I'll delegate this to the coding agent to investigate and fix.

Assistant: Waiting for your confirmation on the dialog before I dispatch the coding agent to open the PR.

This pull request was created from Copilot chat.