build: bump go version to 1.25

[jason-lynch]

Summary

Increments our minimum compatible go version to 1.25.0 and sets our toolchain version to 1.25.5. Also upgrades our tools to be compatible with the latest versions of x/tools. This resolves the errors from the install-tools target that several folks have run into.

Testing

make install-tools

Summary by CodeRabbit

• Chores

  • Upgraded Go toolchain to 1.25.x across build configs and the development container.
  • Bumped module dependencies and developer/build tooling to newer versions for compatibility and security.

• Documentation

  • Expanded NOTICE with more precise dependency attributions and full license texts.

_{✏️ Tip: You can customize this high-level summary in your review settings.}

[coderabbitai]

Important

Review skipped

Review was skipped due to path filters

⛔ Files ignored due to path filters (18)

• api/apiv1/gen/control_plane/client.go is excluded by !**/gen/**
• api/apiv1/gen/control_plane/endpoints.go is excluded by !**/gen/**
• api/apiv1/gen/control_plane/service.go is excluded by !**/gen/**
• api/apiv1/gen/control_plane/views/view.go is excluded by !**/gen/**
• api/apiv1/gen/http/cli/control_plane/cli.go is excluded by !**/gen/**
• api/apiv1/gen/http/control_plane/client/cli.go is excluded by !**/gen/**
• api/apiv1/gen/http/control_plane/client/client.go is excluded by !**/gen/**
• api/apiv1/gen/http/control_plane/client/encode_decode.go is excluded by !**/gen/**
• api/apiv1/gen/http/control_plane/client/paths.go is excluded by !**/gen/**
• api/apiv1/gen/http/control_plane/client/types.go is excluded by !**/gen/**
• api/apiv1/gen/http/control_plane/server/encode_decode.go is excluded by !**/gen/**
• api/apiv1/gen/http/control_plane/server/paths.go is excluded by !**/gen/**
• api/apiv1/gen/http/control_plane/server/server.go is excluded by !**/gen/**
• api/apiv1/gen/http/control_plane/server/types.go is excluded by !**/gen/**
• api/apiv1/gen/http/openapi.json is excluded by !**/gen/**
• api/apiv1/gen/http/openapi.yaml is excluded by !**/gen/**
• api/apiv1/gen/http/openapi3.json is excluded by !**/gen/**
• api/apiv1/gen/http/openapi3.yaml is excluded by !**/gen/**

CodeRabbit blocks several paths by default. You can override this behavior by explicitly including those paths in the path filters. For example, including **/dist/** will override the default block on the dist directory, by removing the pattern from both the lists.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

📝 Walkthrough

Walkthrough

Go toolchain and related developer tooling were bumped: CircleCI and Docker Go images updated to 1.25.5, go.mod/go directive/toolchain moved to Go 1.25 (go1.25.5), multiple module dependency upgrades, development tool pins updated, and NOTICE.txt license entries expanded. No control-flow or API changes.

Changes

Cohort / File(s)	Summary
CI / Docker Go toolchain .circleci/config.yml, docker/control-plane-dev/Dockerfile	Bumped Go from 1.24.3 → 1.25.5 in CI install step and Docker base image.
Module & deps go.mod	go directive/toolchain set to Go 1.25 / go1.25.5; multiple dependency version upgrades (notable: goa.design/goa/v3, golang.org/x/*, google.golang.org/*, google.golang.org/grpc, google.golang.org/protobuf) and some indirect additions.
Development tools tools.mk	Updated pinned tool versions (e.g., gotestsum v1.12.0→v1.13.0, golangci-lint v2.1.5→v2.8.0, protoc-gen-go v1.35.2→v1.36.11, goa v3.19.1→v3.23.4, goreleaser, syft, changie, yamlfmt).
Licensing notices NOTICE.txt	Expanded and updated dependency license entries and URLs; added more detailed license texts for several modules.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Poem

🐇 I hopped through versions, light and spry,
Pushed Go up a notch and gave tools a try,
Modules polished, NOTICE in tow,
CI and Docker ready to go,
Carrot-coded joy — a tiny rabbit sigh.

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title 'build: bump go version to 1.25' clearly and concisely summarizes the main change - upgrading the Go version to 1.25, with corresponding toolchain and dependency updates across all configuration files.
Description check	✅ Passed	The PR description includes a summary explaining the Go version increment and tooling upgrades, and provides testing instructions. However, it lacks several template sections: Changes (bulleted details), Checklist items, and Notes for Reviewers.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 2

🤖 Fix all issues with AI agents

In @.circleci/config.yml:
- Around line 40-41: The CircleCI config uses a non-existent Go version '1.25.5'
under the go/install step; update the version string in the .circleci config
(the go/install -> version entry) to the correct released Go version that
matches the project's go.mod toolchain directive (or change go.mod to the
intended released version), and ensure the value in go/install and the go.mod
`toolchain` directive remain synchronized.

In @docker/control-plane-dev/Dockerfile:
- Line 1: The Dockerfile uses a nonexistent base image tag "golang:1.25.5" in
the FROM instruction; replace that tag with a valid released Go image (for
example "golang:1.25" or "golang:1.24" or a specific patch tag listed on Docker
Hub) and verify the chosen tag exists on the official golang repository so
Docker builds will succeed.

📜 Review details

Configuration used: defaults

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 8d87ef9 and 072c3ab.

📒 Files selected for processing (4)

• .circleci/config.yml
• docker/control-plane-dev/Dockerfile
• go.mod
• tools.mk

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)

• GitHub Check: Codacy Static Code Analysis

🔇 Additional comments (2)

tools.mk (1)

14-21: All specified tool versions exist and are available on the Go module registry. The updates are valid:

• gotestsum v1.13.0 ✓
• golangci-lint/v2 v2.8.0 ✓ (released 2026-01-07)
• protobuf v1.36.11 ✓
• goa/v3 v3.23.4 ✓ (released 2025-12-14)
• goreleaser/v2 v2.13.3 ✓
• syft v1.40.0 ✓ (released 2026-01-08)
• changie v1.24.0 ✓
• yamlfmt v0.21.0 ✓

All versions are properly released and available. However, verify that golangci-lint v2.x configuration changes (if any) have been applied to the project's linter configuration before merging.

go.mod (1)

3-5: No action needed. Go 1.25.0 and go1.25.5 are valid Go releases (1.25 was released August 12, 2025, with 1.25.5 being the latest stable patch as of January 2026).

Likely an incorrect or invalid review comment.

[coderabbitai]

Actionable comments posted: 1

🤖 Fix all issues with AI agents

In @go.mod:
- Around line 3-5: The go.mod currently sets the language version to the
vulnerable release "go 1.25.0" while the toolchain is pinned to "toolchain
go1.25.5"; update the go directive to a patched release (e.g., change the "go"
directive from 1.25.0 to 1.25.5 or at minimum 1.25.1) so the minimum required Go
matches the patched toolchain and avoids known CVEs.

📜 Review details

Configuration used: defaults

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 8b90115 and e98cafb.

⛔ Files ignored due to path filters (1)

• go.sum is excluded by !**/*.sum

📒 Files selected for processing (2)

• NOTICE.txt
• go.mod

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)

• GitHub Check: Codacy Static Code Analysis

🔇 Additional comments (3)

NOTICE.txt (1)

2484-2485: NOTICE.txt dependency versions are correct and secure.

All versions listed in NOTICE.txt match go.mod exactly. The critical dependencies—golang.org/x/crypto v0.46.0, google.golang.org/grpc v1.77.0, google.golang.org/protobuf v1.36.11, and golang.org/x/net v0.48.0—have no unpatched security vulnerabilities. License documentation is complete and valid.

go.mod (2)

47-47: The new indirect dependency is legitimate and verified.

The github.com/gohugoio/hashstructure v0.6.0 dependency is valid and available on the Go module registry. No security advisories were found for this version.

---

147-158: All dependency versions are secure with no known vulnerabilities.

Verified that golang.org/x/crypto v0.46.0, golang.org/x/net v0.48.0, and google.golang.org/grpc v1.77.0 all exist and have no CVE advisories affecting them. These versions are well-patched and current.

[rshoemaker]

LGTM