fix(security): remediate CVE vulnerabilities for release-0.4

[upbound-bot]

Summary

This PR fixes CVE vulnerabilities identified by security scanning.

Tracking issue: https://github.com/upbound/upbound-official-build/issues/226

Vulnerabilities Fixed

CVE/GHSA	Severity	Package	Fixed Version
CVE-2025-61726	High	stdlib	go1.24.12
CVE-2025-61728	Medium	stdlib	go1.24.12
CVE-2025-61730	Medium	stdlib	go1.24.12
CVE-2025-61731	High	stdlib	go1.24.12

Changes Made

• Updated Go version from 1.24.11 to 1.24.12 in go.mod

References

• CVE-2025-61726
• CVE-2025-61728
• CVE-2025-61730
• CVE-2025-61731

Verification

• Rescanned with cve-scan skill after fixes
• All listed vulnerabilities resolved

[upbound-bot]

Build Failure Analysis

Check: build (amd64)
Status: Failed
Analyzed: 2026-02-05T18:33:04Z

Summary

The Docker build failed due to a Go version mismatch between the CI workflow configuration and the go.mod requirements.

Root Cause

The CVE remediation commit updated the go directive in go.mod from 1.24.11 to 1.24.12 to fix security vulnerabilities. However, the CI workflow's GO_VERSION environment variable in .github/workflows/ci.yml still specifies 1.24.11. When Docker builds the image using the golang:1.24.11 base image and tries to run go mod download, it fails because Go 1.24.11 cannot satisfy the go >= 1.24.12 requirement.

Error Details

go: go.mod requires go >= 1.24.12 (running go 1.24.11; GOTOOLCHAIN=local)
ERROR: failed to solve: process "...go mod download..." did not complete successfully: exit code: 1

Recommendation

Update the GO_VERSION environment variable in .github/workflows/ci.yml from 1.24.11 to 1.24.12 to match the go.mod requirements. This is a code fix, not a retry candidate.

---

_{This analysis was generated by the build-failure-analyze skill.}