*: upgrade Golang to 1.25.8, dependencies, and fix lint issues

[JmPotato]

What problem does this PR solve?

Issue Number: Close #10314

What is changed and how does it work?

Upgrade Golang from 1.25.6 to 1.25.8 and bump tidb-dashboard dependency.

Upgrade golangci-lint from v2.6.0 to v2.11.2, which introduces new gosec
rules. Add documented exclusions for 8 gosec rules (G118, G120, G123,
G602, G702, G704, G705, G706) that have high false-positive rates in
PD's context as an internal distributed systems component.

Fix 4 potential slice out-of-bounds in key-pair iteration loops by
changing `i < len(keys)` to `i+1 < len(keys)`. Replace 4
`WriteString(fmt.Sprintf(...))` with `fmt.Fprintf()` to avoid
intermediate string allocations.

Check List

Tests

• Unit test
• No code

Code changes

• Has the configuration change

Release note

None.

Summary by CodeRabbit

• Chores

  • Bumped Go toolchain to 1.25.8 across modules.
  • Updated lint tooling installer/version and expanded linter exclude list.

• Bug Fixes

  • Fixed out-of-bounds handling when constructing key-range pairs to prevent rare panics.

• Tests

  • Updated tests to align with the key-range pairing fix.

[ti-chi-bot]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign andremouche for approval. For more information see the Code Review Process.
Please ensure that each of them provides their approval before proceeding.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[coderabbitai]

📝 Walkthrough

Walkthrough

Go toolchain directives bumped from 1.25.6 → 1.25.8 across multiple go.mod files. Linter config and installer version updated. Several small code tweaks: safer loop bounds to avoid OOB and replacing fmt.Sprintf + WriteString with fmt.Fprintf to write into builders. No public API changes.

Changes

Cohort / File(s)	Summary
Go toolchain updates client/go.mod, go.mod, tests/integrations/go.mod, tools/go.mod	Bumped go directive from 1.25.6 → 1.25.8 in module go.mod files.
Indirect dependency bump go.mod	Updated indirect github.com/pingcap/tidb-dashboard reference to the newer commit/version recorded in the module file.
Linter config & installer .golangci.yml, Makefile	Expanded gosec excludes in .golangci.yml and bumped the golangci-lint installer version from v2.6.0 → v2.11.2 in the Makefile.
String construction changes pkg/mcs/scheduling/server/apis/v1/api.go, pkg/schedule/labeler/rules.go, server/api/region.go	Replaced fmt.Sprintf(...) + WriteString with direct fmt.Fprintf into builders to avoid intermediate allocations; output unchanged.
Loop-bound safety fixes pkg/mock/mockcluster/mockcluster.go, pkg/schedule/checker/merge_checker_test.go, pkg/schedule/labeler/labeler.go, tests/server/api/region_label_test.go	Tightened loops to i+1 < len(...) when forming pairs to prevent possible out-of-bounds access; behavior unchanged for even-length inputs.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Possibly related PRs

• chore(go): bump Go version to 1.25.6 across modules #10211 — Related go.mod Go version bumps across module files.
• chore(dashboard): update TiDB Dashboard to 20260305120502-70e5bb19e006 [master] #10324 — Update of the tidb-dashboard dependency to the commit used here.
• *: upgrade Golang to 1.25.8, dependencies, and fix lint issues #10315 — Cherrypick/upgrade to Go 1.25.8 referenced in linked issue discussion.

Suggested labels

size/S, lgtm, contribution

Suggested reviewers

• nolouch
• disksing

Poem

🐰 I hopped through modules, tiny fixes in place,

fmt writes tidier, loops won’t misplace.
Go nudged to 1.25.8 — a quiet little cheer,
deps aligned and linters tuned, spring code arrives here. ✨

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 50.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title clearly summarizes the main changes: upgrading Golang to 1.25.8, dependencies, and fixing lint issues.
Description check	✅ Passed	The description includes all required sections: issue number, detailed explanation of changes with commit message, applicable checklist items, and release note.
Linked Issues check	✅ Passed	All coding requirements from issue #10314 are met: Go upgraded to 1.25.8 across all go.mod files, golangci-lint upgraded with gosec exclusions added, and slice out-of-bounds bugs fixed.
Out of Scope Changes check	✅ Passed	All changes are directly related to the PR objectives: Go version upgrades, golangci-lint version bump with configuration adjustments, and bug fixes for iteration bounds and string allocation optimizations.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.golangci.yml:
- Line 82: The G120 exclusion removes the linter check that forces body size
limits and can expose admin endpoints to DoS; instead of keeping that exclusion,
wrap relevant HTTP handlers (e.g., PD admin handlers/ServeHTTP implementations
or specific handler funcs that serve internal admin endpoints) with
http.MaxBytesReader (or enforce request.Body read limits in their
ServeHTTP/handler functions) so each handler caps request body size, and remove
the global G120 exception from .golangci.yml; update any middleware or top-level
router (e.g., admin middleware, PDAdminHandler, or equivalent handler functions)
to apply the MaxBytesReader wrapper consistently for all admin/internal
endpoints.
- Line 86: The code unsafely indexes it.iters[0] without guarding against an
empty slice, relying on upstream callers (Handler.GetAllRequestHistoryHotRegion)
to provide defaults; fix by adding an explicit defensive check in the function
that accesses it.iters (verify len(it.iters) > 0 and return an error or default
behavior if empty) or, if you decide to accept the current pattern, restrict the
G602 suppression to only the specific function by adding a function-level nolint
comment for G602 rather than a global exclusion; update the function that uses
it.iters[0] to either validate input or document and narrowly suppress the
linter.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 88c503c2-84ee-41e9-ac75-38181a56905d

📥 Commits

Reviewing files that changed from the base of the PR and between 920dfb4 and 9b350e1.

📒 Files selected for processing (13)

• .golangci.yml
• Makefile
• client/go.mod
• go.mod
• pkg/mcs/scheduling/server/apis/v1/api.go
• pkg/mock/mockcluster/mockcluster.go
• pkg/schedule/checker/merge_checker_test.go
• pkg/schedule/labeler/labeler.go
• pkg/schedule/labeler/rules.go
• server/api/region.go
• tests/integrations/go.mod
• tests/server/api/region_label_test.go
• tools/go.mod

🚧 Files skipped from review as they are similar to previous changes (4)

• go.mod
• tools/go.mod
• client/go.mod
• tests/integrations/go.mod

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

G120 exclusion may leave endpoints vulnerable to DoS.

Even internal admin APIs should enforce body size limits. An internal attacker or misconfigured client could exhaust server memory. Consider adding explicit http.MaxBytesReader wrappers to HTTP handlers instead of globally excluding this check.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.golangci.yml at line 82, The G120 exclusion removes the linter check that
forces body size limits and can expose admin endpoints to DoS; instead of
keeping that exclusion, wrap relevant HTTP handlers (e.g., PD admin
handlers/ServeHTTP implementations or specific handler funcs that serve internal
admin endpoints) with http.MaxBytesReader (or enforce request.Body read limits
in their ServeHTTP/handler functions) so each handler caps request body size,
and remove the global G120 exception from .golangci.yml; update any middleware
or top-level router (e.g., admin middleware, PDAdminHandler, or equivalent
handler functions) to apply the MaxBytesReader wrapper consistently for all
admin/internal endpoints.

[coderabbitai]

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Check how many G602 warnings exist in production code vs tools
echo "=== G602 occurrences in production code (pkg/, server/) ==="
rg -l "iters\[0\]|keys\[0\]|vals\[0\]" --type go -g '!tools/**' -g '!*_test.go' | head -20

echo ""
echo "=== Checking hot_region_storage.go for unguarded slice access ==="
rg -n -B2 -A2 'iters\[0\]' pkg/storage/hot_region_storage.go

Repository: tikv/pd

Length of output: 634

---

🏁 Script executed:

#!/bin/bash
# Check the second file with unguarded slice access
echo "=== Checking core.go for unguarded slice access ==="
rg -n -B3 -A3 'keys\[0\]|vals\[0\]' pkg/dashboard/keyvisual/input/core.go

echo ""
echo "=== Checking HotRegionStorageIterator constructor ==="
rg -n -B5 -A10 'func.*HotRegionStorageIterator' pkg/storage/hot_region_storage.go | head -50

echo ""
echo "=== Check if iterator can be created with empty slices ==="
rg -n 'HotRegionStorageIterator' pkg/storage/hot_region_storage.go | head -20

Repository: tikv/pd

Length of output: 2121

---

🏁 Script executed:

#!/bin/bash
# Check callers of NewIterator
echo "=== Callers of NewIterator ==="
rg -n 'NewIterator' --type go pkg/ server/ | grep -v 'func.*NewIterator' | head -20

echo ""
echo "=== Callers of GetKeys ==="
rg -n 'GetKeys()' --type go pkg/ server/ | head -20

echo ""
echo "=== Check if requireTypes parameter validation exists ==="
rg -n -B10 'NewIterator' pkg/storage/hot_region_storage.go | grep -A10 'func.*NewIterator'

Repository: tikv/pd

Length of output: 3562

---

🏁 Script executed:

#!/bin/bash
# Check the server handler to see if hotRegionTypes validation exists
echo "=== Checking server/handler.go for hotRegionTypes validation ==="
rg -n -B10 -A5 'hotRegionTypes.*NewIterator' server/handler.go

echo ""
echo "=== Check initialization of hotRegionTypes ==="
rg -n -B15 'hotRegionTypes' server/handler.go | head -40

Repository: tikv/pd

Length of output: 1940

---

🏁 Script executed:

#!/bin/bash
# Check what storage.HotRegionTypes contains
echo "=== Checking storage.HotRegionTypes definition ==="
rg -n 'var.*HotRegionTypes\|HotRegionTypes\s*=' pkg/storage/ --type go | head -20

echo ""
echo "=== Get full definition ==="
rg -n -A5 'var.*HotRegionTypes\s*=' pkg/storage/ --type go

echo ""
echo "=== Check core.go RegionsInfo type and usage ==="
rg -n -B5 'type RegionsInfo' pkg/dashboard/keyvisual/input/core.go

Repository: tikv/pd

Length of output: 716

---

🏁 Script executed:

#!/bin/bash
# Verify the GetKeys() method in core.go and check its actual callers
echo "=== Full GetKeys() implementation in core.go ==="
rg -n -B2 -A15 'func.*GetKeys.*RegionsInfo' pkg/dashboard/keyvisual/input/core.go

echo ""
echo "=== Check if GetKeys is only on RegionsInfo or also on other types ==="
rg -n 'func.*GetKeys' pkg/dashboard/keyvisual/input/core.go

echo ""
echo "=== Search for actual calls to RegionsInfo.GetKeys ==="
rg -n 'RegionsInfo.*GetKeys\|\.GetKeys.*region' pkg/ server/ --type go | grep -v test | head -10

Repository: tikv/pd

Length of output: 273

---

🏁 Script executed:

#!/bin/bash
# Check if there are any cases where empty hotRegionTypes could reach NewIterator
echo "=== Check test cases for NewIterator with empty requireTypes ==="
rg -n -B5 -A5 'NewIterator.*\[\]' pkg/storage/ server/ --type go | head -40

echo ""
echo "=== Verify the handler logic more carefully ==="
rg -n -B20 -A10 'GetHistoryHotRegionIter' server/handler.go | head -60

echo ""
echo "=== Check if any code path could pass empty hotRegionTypes ==="
rg -n 'GetAllRequestHistoryHotRegion\|GetHistoryHotRegionIter' server/handler.go -A20 | head -40

Repository: tikv/pd

Length of output: 5748

---

G602 exclusion silences real bug patterns, though currently mitigated by caller validation.

The unguarded it.iters[0] access at pkg/storage/hot_region_storage.go:364 is a genuine code pattern that G602 would flag. However, the actual risk is lower than stated because the Handler.GetAllRequestHistoryHotRegion() method (lines 142-146 in server/handler.go) always ensures non-empty hotRegionTypes by defaulting to storage.HotRegionTypes when the request is empty.

That said, the function signature allows callers to pass empty slices without validation, and the code accesses iters[0] immediately without bounds checks. This is fragile defensive coding—while currently safe due to caller discipline, it could break with future refactoring.

Consider either:

1. Adding validation to reject empty slices upfront, or
2. Using file-level exclusions for this specific function rather than silencing all G602 warnings globally

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.golangci.yml at line 86, The code unsafely indexes it.iters[0] without
guarding against an empty slice, relying on upstream callers
(Handler.GetAllRequestHistoryHotRegion) to provide defaults; fix by adding an
explicit defensive check in the function that accesses it.iters (verify
len(it.iters) > 0 and return an error or default behavior if empty) or, if you
decide to accept the current pattern, restrict the G602 suppression to only the
specific function by adding a function-level nolint comment for G602 rather than
a global exclusion; update the function that uses it.iters[0] to either validate
input or document and narrowly suppress the linter.

[coderabbitai]

♻️ Duplicate comments (1)

.golangci.yml (1)

81-90: ⚠️ Potential issue | 🟠 Major

Scope these new gosec suppressions to the packages that actually need them.

Most of the justifications here are package-specific (internal admin APIs, dev tools, CLI tools), but linters.settings.gosec.excludes disables the rules for the entire repository. That means future G118/G120/G702/G704/G705/G706 findings in unrelated production code will never surface. Please move these to path-level exclusions or inline #nosec / //gosec:disable on the audited call sites instead. golangci-lint and gosec both support narrower false-positive handling for exactly this case. (golangci-lint.run)

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.golangci.yml around lines 81 - 90, The current .golangci.yml places many
gosec rule IDs (G118, G120, G123, G402, G404, G602, G702, G704, G705, G706) into
the global linters.settings.gosec.excludes which disables them repository-wide;
instead, move each suppression into package/path-scoped exclusions or local
inline disables at the audited call sites. Edit linters.settings.gosec.excludes
to remove the global entries and add targeted exclusions for only the packages
that legitimately need them (or use golangci-lint path-level exclude patterns or
gosec inline comments like // `#nosec` or //gosec:disable on the specific
functions/files), and ensure you reference the exact rule IDs (e.g., G118, G120,
etc.) in those targeted excludes so unrelated production code keeps those checks
enabled.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Duplicate comments:
In @.golangci.yml:
- Around line 81-90: The current .golangci.yml places many gosec rule IDs (G118,
G120, G123, G402, G404, G602, G702, G704, G705, G706) into the global
linters.settings.gosec.excludes which disables them repository-wide; instead,
move each suppression into package/path-scoped exclusions or local inline
disables at the audited call sites. Edit linters.settings.gosec.excludes to
remove the global entries and add targeted exclusions for only the packages that
legitimately need them (or use golangci-lint path-level exclude patterns or
gosec inline comments like // `#nosec` or //gosec:disable on the specific
functions/files), and ensure you reference the exact rule IDs (e.g., G118, G120,
etc.) in those targeted excludes so unrelated production code keeps those checks
enabled.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 082602f1-cac5-4929-9337-b1ae415ba327

📥 Commits

Reviewing files that changed from the base of the PR and between 9b350e1 and 1d3db52.

📒 Files selected for processing (13)

• .golangci.yml
• Makefile
• client/go.mod
• go.mod
• pkg/mcs/scheduling/server/apis/v1/api.go
• pkg/mock/mockcluster/mockcluster.go
• pkg/schedule/checker/merge_checker_test.go
• pkg/schedule/labeler/labeler.go
• pkg/schedule/labeler/rules.go
• server/api/region.go
• tests/integrations/go.mod
• tests/server/api/region_label_test.go
• tools/go.mod

🚧 Files skipped from review as they are similar to previous changes (10)

• tests/server/api/region_label_test.go
• pkg/schedule/labeler/labeler.go
• pkg/mcs/scheduling/server/apis/v1/api.go
• client/go.mod
• go.mod
• pkg/schedule/checker/merge_checker_test.go
• server/api/region.go
• tests/integrations/go.mod
• pkg/mock/mockcluster/mockcluster.go
• Makefile

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 78.90%. Comparing base (c1f3166) to head (1d3db52).
⚠️ Report is 5 commits behind head on master.

Additional details and impacted files

@@            Coverage Diff             @@
##           master   #10315      +/-   ##
==========================================
+ Coverage   78.78%   78.90%   +0.11%     
==========================================
  Files         527      527              
  Lines       70916    70920       +4     
==========================================
+ Hits        55870    55956      +86     
+ Misses      11026    10966      -60     
+ Partials     4020     3998      -22     

Flag	Coverage Δ
unittests	78.90% <100.00%> (+0.11%)	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[ti-chi-bot]

@JmPotato: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
pull-unit-test-next-gen-2	1d3db52	link	true	/test pull-unit-test-next-gen-2
pull-unit-test-next-gen-1	1d3db52	link	true	/test pull-unit-test-next-gen-1
pull-unit-test-next-gen-3	1d3db52	link	true	/test pull-unit-test-next-gen-3
pull-integration-realcluster-test	1d3db52	link	true	/test pull-integration-realcluster-test

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.