
fix(security): remediate CVE vulnerabilities#23

Merged
ulucinar merged 2 commits into release-0.3 from fix/cve-remediation-release-0.3-20260205-212938
Feb 5, 2026

Conversation

@upbound-bot

Summary

This PR fixes CVE vulnerabilities identified by security scanning.

Tracking issue: https://github.com/upbound/upbound-official-build/issues/228

Vulnerabilities Fixed

CVE/GHSA          Severity   Package   Fixed Version
CVE-2025-61726    High       stdlib    go1.24.12
CVE-2025-61731    High       stdlib    go1.24.12
CVE-2025-61728    Medium     stdlib    go1.24.12
CVE-2025-61730    Medium     stdlib    go1.24.12

Changes Made

  • Updated Go version from 1.24.11 to 1.24.12 in go.mod

References

Verification

  • Rescanned with cve-scan skill after fixes
  • All listed vulnerabilities resolved

- Update Go version to 1.24.12 (fixes CVE-2025-61726, CVE-2025-61731, CVE-2025-61728, CVE-2025-61730)

Signed-off-by: Alper Rifat Ulucinar <ulucinar@users.noreply.github.com>
@upbound-bot

Build Failure Analysis

Check: build (arm64)
Status: Failed
Analyzed: 2026-02-05T21:30:00Z

Summary

The Docker build failed due to a Go version mismatch. The CI workflow uses Go 1.24.4, but go.mod requires Go 1.24.12.

Root Cause

The go.mod file was updated to require Go 1.24.12 for CVE remediation, but the CI workflow (.github/workflows/ci.yml) still specifies GO_VERSION: '1.24.4'. The Docker build uses GOTOOLCHAIN=local, which prevents automatic toolchain downloading, causing the build to fail when it cannot satisfy the Go version requirement.

Error Details

go: go.mod requires go >= 1.24.12 (running go 1.24.4; GOTOOLCHAIN=local)

Recommendation

Update GO_VERSION in .github/workflows/ci.yml from 1.24.4 to 1.24.12 to match the go.mod requirement. A fix is being prepared.


This analysis was generated by the build-failure-analyze skill.
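The mismatch analysed above (go.mod bumped to 1.24.12 while ci.yml still pinned GO_VERSION 1.24.4 under GOTOOLCHAIN=local) is easy to catch before a build runs. The following preflight check is an added example, not code from this PR or the upbound project; it assumes the workflow pins the version as a literal `GO_VERSION: '<x.y.z>'` line, and the sample go.mod and ci.yml it writes are constructed to reproduce the failed build.

```shell
#!/bin/sh
# Added example, not part of the PR: a preflight check that the Go toolchain
# pinned in a CI workflow can satisfy the `go` directive in go.mod. With
# GOTOOLCHAIN=local the go command will not download a newer toolchain, so a
# go.mod bump without a matching GO_VERSION bump fails exactly as seen in CI.
set -eu

# Version from the `go` directive in go.mod (e.g. "1.24.12").
gomod_go_version() {
    awk '$1 == "go" { print $2; exit }' "$1"
}

# Value of the first GO_VERSION: key in a workflow file, quotes stripped.
# Assumes the workflow pins the version as a literal, as this PR's ci.yml does.
workflow_go_version() {
    grep '^[[:space:]]*GO_VERSION:' "$1" | head -n 1 \
        | sed 's/^[^:]*://; s/#.*//' | tr -d "\"'[:space:]"
}

# Compare two dotted numeric versions; prints -1, 0 or 1 (missing parts = 0).
vercmp() {
    a="$1."; b="$2."
    while [ -n "$a" ] || [ -n "$b" ]; do
        ah=${a%%.*}; a=${a#*.}
        bh=${b%%.*}; b=${b#*.}
        [ "${ah:-0}" -lt "${bh:-0}" ] && { printf '%s\n' -1; return; }
        [ "${ah:-0}" -gt "${bh:-0}" ] && { printf '%s\n' 1; return; }
    done
    printf '%s\n' 0
}

# Return 0 when the CI toolchain is at least the go.mod requirement, 1 otherwise.
check_toolchain() {
    required=$(gomod_go_version "$1")
    ci=$(workflow_go_version "$2")
    if [ "$(vercmp "$ci" "$required")" -ge 0 ]; then
        return 0
    fi
    echo "go.mod requires go >= $required but CI pins go $ci (GOTOOLCHAIN=local would fail)" >&2
    return 1
}

# Constructed sample files reproducing this PR's first failed build.
demo_dir=$(mktemp -d)
printf 'module example.com/demo\n\ngo 1.24.12\n' > "$demo_dir/go.mod"
printf "env:\n  GO_VERSION: '1.24.4'\n" > "$demo_dir/ci.yml"
check_toolchain "$demo_dir/go.mod" "$demo_dir/ci.yml" || echo "mismatch detected, as expected"
```

Run it as a CI step before `docker build`, or as a pre-commit hook, so a go.mod bump that forgets the workflow pin fails fast with a clear message instead of deep inside the image build.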

- Update GO_VERSION from 1.24.4 to 1.24.12 to match go.mod requirement

Signed-off-by: Alper Rifat Ulucinar <ulucinar@users.noreply.github.com>
@ulucinar ulucinar merged commit a8f98f4 into release-0.3 Feb 5, 2026
5 checks passed