OADP-7565: Go 1.25.8 toolchain + golang.org/x/* CVE bumps

[kaovilai]

Summary

• Adds toolchain go1.25.8 directive to fix Go stdlib CVEs:
  • GO-2026-4337, GO-2026-4340 (crypto/tls)
  • GO-2026-4341 (net/url)
  • GO-2026-4342 (archive/zip)
  • CVE-2026-25679 (net/url IPv6 host parsing)
  • CVE-2026-27137 (crypto/x509 email constraints)
• Bumps golang.org/x/net → v0.52.0 (fixes GHSA-vvgc-356p-c3xw, XSS in HTML tokenizer)
• Bumps golang.org/x/crypto → v0.49.0 (fixes GHSA-j5w8-q4qc-rx2x, GHSA-f6x5-jh6r-wrfv)
• Transitive bumps: x/sys → v0.42.0, x/text → v0.35.0, x/term → v0.41.0, x/mod → v0.33.0
• CI workflows updated to use go-version-file: 'go.mod' instead of hardcoded versions
  • test.yml: bumped actions/setup-go@v4 → @v6 (supports toolchain directive)

Supersedes #166

Test plan

• go build ./... passes
• CI passes

Note

Responses generated with Claude

Summary by CodeRabbit

• Chores
  • Updated CI/CD workflows to derive Go version from project configuration instead of hardcoding values
  • Upgraded GitHub Actions setup tooling
  • Updated Go toolchain directive and indirect module dependencies

[openshift-ci-robot]

@kaovilai: This pull request references OADP-7565 which is a valid jira issue.

Details

In response to this:

Summary

• Adds toolchain go1.25.8 directive to fix Go stdlib CVEs:
• GO-2026-4337, GO-2026-4340 (crypto/tls)
• GO-2026-4341 (net/url)
• GO-2026-4342 (archive/zip)
• CVE-2026-25679 (net/url IPv6 host parsing)
• CVE-2026-27137 (crypto/x509 email constraints)
• Bumps golang.org/x/net → v0.52.0 (fixes GHSA-vvgc-356p-c3xw, XSS in HTML tokenizer)
• Bumps golang.org/x/crypto → v0.49.0 (fixes GHSA-j5w8-q4qc-rx2x, GHSA-f6x5-jh6r-wrfv)
• Transitive bumps: x/sys → v0.42.0, x/text → v0.35.0, x/term → v0.41.0, x/mod → v0.33.0
• CI workflows updated to use go-version-file: 'go.mod' instead of hardcoded versions
• test.yml: bumped actions/setup-go@v4 → @v6 (supports toolchain directive)

Supersedes #166

Test plan

• go build ./... passes
• CI passes

[!Note]
Responses generated with Claude

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: da25e26f-af8e-431d-be99-89db166ccff5

📥 Commits

Reviewing files that changed from the base of the PR and between 9b3b53f and 6eb2e2a.

⛔ Files ignored due to path filters (1)

• go.sum is excluded by !**/*.sum

📒 Files selected for processing (3)

• .github/workflows/lint.yml
• .github/workflows/test.yml
• go.mod

---

📝 Walkthrough

Walkthrough

Updated GitHub Actions workflows to derive Go versions from go.mod rather than using fixed versions. Added a Go toolchain directive specifying version 1.25.8 to go.mod. Bumped multiple indirect dependencies in the golang.org/x namespace to newer versions.

Changes

Cohort / File(s)	Summary
GitHub Actions Workflows .github/workflows/lint.yml, .github/workflows/test.yml	Updated Go setup steps to use go-version-file: 'go.mod' instead of fixed versions. Test workflow also upgraded actions/setup-go from v4 to v6.
Go Module Configuration go.mod	Added toolchain go1.25.8 directive. Updated indirect dependency versions: golang.org/x/mod (v0.30.0→v0.33.0), golang.org/x/net (v0.47.0→v0.52.0), golang.org/x/sys (v0.40.0→v0.42.0), golang.org/x/term (v0.37.0→v0.41.0), golang.org/x/text (v0.31.0→v0.35.0).

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~5 minutes

Poem

🐰 twitches whiskers with glee

Workflows now dance with go.mod in hand,
Dependencies updated, oh how grand!
Toolchains aligned with version precision,
A hop, skip, and jump—no revision!
The burrow's Go setup, now lean and true. 🎯

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Description check	⚠️ Warning	The PR description is comprehensive with a detailed summary section, but the required 'Why the changes were made' and 'How to test the changes made' sections from the template are missing.	Restructure the description to match the template by adding 'Why the changes were made' and 'How to test the changes made' sections with appropriate content.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title clearly and specifically describes the main changes: upgrading Go toolchain to 1.25.8 and updating golang.org/x/* dependencies for CVE fixes.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[openshift-ci-robot]

@kaovilai: This pull request references OADP-7565 which is a valid jira issue.

Details

In response to this:

Summary

• Adds toolchain go1.25.8 directive to fix Go stdlib CVEs:
• GO-2026-4337, GO-2026-4340 (crypto/tls)
• GO-2026-4341 (net/url)
• GO-2026-4342 (archive/zip)
• CVE-2026-25679 (net/url IPv6 host parsing)
• CVE-2026-27137 (crypto/x509 email constraints)
• Bumps golang.org/x/net → v0.52.0 (fixes GHSA-vvgc-356p-c3xw, XSS in HTML tokenizer)
• Bumps golang.org/x/crypto → v0.49.0 (fixes GHSA-j5w8-q4qc-rx2x, GHSA-f6x5-jh6r-wrfv)
• Transitive bumps: x/sys → v0.42.0, x/text → v0.35.0, x/term → v0.41.0, x/mod → v0.33.0
• CI workflows updated to use go-version-file: 'go.mod' instead of hardcoded versions
• test.yml: bumped actions/setup-go@v4 → @v6 (supports toolchain directive)

Supersedes #166

Test plan

• go build ./... passes
• CI passes

[!Note]
Responses generated with Claude

Summary by CodeRabbit

• Chores

• Updated CI/CD workflows to derive Go version from project configuration instead of hardcoding values
• Upgraded GitHub Actions setup tooling
• Updated Go toolchain directive and indirect module dependencies

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[Copilot]

Pull request overview

This PR updates the repository’s Go toolchain/dependency versions to address security advisories, and adjusts CI workflows to derive the Go version from go.mod instead of hardcoding it.

Changes:

• Add toolchain go1.25.8 to go.mod and bump several golang.org/x/* module versions.
• Update GitHub Actions workflows (test.yml, lint.yml) to use go-version-file: 'go.mod' and newer actions/setup-go.
• Refresh corresponding go.sum entries for the bumped modules.

Reviewed changes

Copilot reviewed 3 out of 4 changed files in this pull request and generated 2 comments.

File	Description
go.mod	Adds toolchain directive and bumps indirect golang.org/x/* dependencies.
go.sum	Updates sums to match the bumped module versions.
.github/workflows/test.yml	Switches to setup-go@v6 and go-version-file from go.mod.
.github/workflows/lint.yml	Switches from hardcoded Go version to go-version-file from go.mod.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[mpryc]

/lgtm

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: Joeavaikath, kaovilai, weshayutin

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS [Joeavaikath,kaovilai,weshayutin]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment