
fix(security): remediate CVE vulnerabilities#24

Merged
ulucinar merged 2 commits into release-0.3 from fix/cve-remediation-release-0.3-20260302-171331
Mar 2, 2026

Conversation

@upbound-bot

Summary

This PR fixes CVE vulnerabilities identified by security scanning.

Vulnerabilities Fixed

| CVE/GHSA | Severity | Package | Fixed Version |
|---|---|---|---|
| CVE-2025-68121 | Critical | stdlib (Go runtime) | go1.24.13 |
| CVE-2025-61732 | High | stdlib (Go runtime) | go1.24.13 |

Changes Made

  • Updated Go version from 1.24.12 to 1.24.13 in go.mod

References

Verification

  • Rescanned with cve-scan skill after fixes
  • All listed vulnerabilities resolved

- Update Go version to 1.24.13 (fixes CVE-2025-68121, CVE-2025-61732)

Signed-off-by: Alper Rifat Ulucinar <ulucinar@users.noreply.github.com>
@upbound-bot
Author

Build Failure Analysis

Check: build (arm64)
Status: Failed
Analyzed: 2026-03-02T17:13:31Z

Summary

The Docker build failed because the Go version specified in the CI workflow (1.24.12) is older than the version required by go.mod (1.24.13).

Root Cause

The CI workflow at .github/workflows/ci.yml sets GO_VERSION: '1.24.12' which is passed to the Dockerfile as a build argument. However, go.mod was updated to require go 1.24.13 as part of CVE remediation. When the Docker build tries to run go mod download, Go detects the version mismatch and fails with:

go: go.mod requires go >= 1.24.13 (running go 1.24.12; GOTOOLCHAIN=local)

Error Details

#14 [build 3/4] RUN --mount=target=. ...
#14 0.066 go: go.mod requires go >= 1.24.13 (running go 1.24.12; GOTOOLCHAIN=local)
#14 ERROR: process "/bin/sh -c ..." did not complete successfully: exit code: 1

Recommendation

Update the GO_VERSION environment variable in .github/workflows/ci.yml from '1.24.12' to '1.24.13' to match the go.mod requirement. This is a code fix, not a retry.


This analysis was generated by the build-failure-analyze skill.
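
The mismatch the analysis describes (go.mod bumped during CVE remediation, the workflow's GO_VERSION pin left behind) can be caught before a Docker build ever runs. Below is an added example, not code from this PR or the repository, of a POSIX shell check that reads the `go` directive from go.mod and the `GO_VERSION` value from a workflow file and fails when the pinned toolchain is older than what go.mod requires. The sample go.mod and workflow contents are constructed for illustration; only the `GO_VERSION` variable name and the two version numbers come from the analysis above.

```shell
#!/bin/sh
# Added example (not from this PR): detect drift between the go.mod `go`
# directive and the GO_VERSION pinned in a CI workflow, the condition that
# produces "go.mod requires go >= X (running go Y; GOTOOLCHAIN=local)".

# Print the version from the first "go X.Y.Z" directive in a go.mod file.
gomod_go_version() {
  awk '$1 == "go" { print $2; exit }' "$1"
}

# Print the value of the first "GO_VERSION: 'X.Y.Z'" line (quotes optional)
# in a workflow file.
workflow_go_version() {
  sed -n "s/^[[:space:]]*GO_VERSION:[[:space:]]*['\"]\{0,1\}\([0-9.]*\)['\"]\{0,1\}.*/\1/p" "$1" | head -n 1
}

# Return 0 when dotted version $1 is greater than or equal to $2.
# Compared component by component so that 1.24.13 > 1.24.9 and 1.25 > 1.24.13.
version_ge() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    na = split(a, x, "."); nb = split(b, y, ".");
    n = (na > nb) ? na : nb;
    for (i = 1; i <= n; i++) {
      ai = (i <= na) ? x[i] + 0 : 0;
      bi = (i <= nb) ? y[i] + 0 : 0;
      if (ai > bi) exit 0;
      if (ai < bi) exit 1;
    }
    exit 0
  }'
}

# Return 0 when the workflow pins a toolchain at least as new as go.mod
# requires, 1 on drift, 2 when either value could not be read.
check_go_version_drift() {
  required=$(gomod_go_version "$1")
  pinned=$(workflow_go_version "$2")
  [ -n "$required" ] && [ -n "$pinned" ] || return 2
  if version_ge "$pinned" "$required"; then
    echo "ok: workflow Go $pinned satisfies go.mod requirement $required"
    return 0
  fi
  echo "drift: go.mod requires go >= $required but workflow pins $pinned" >&2
  return 1
}

# Constructed sample inputs mirroring the failing state of this PR:
# go.mod already bumped, the workflow still pinning the previous patch release.
demo_dir=$(mktemp -d)
printf 'module example.com/provider\n\ngo 1.24.13\n' > "$demo_dir/go.mod"
printf "env:\n  GO_VERSION: '1.24.12'\n" > "$demo_dir/ci.yml"
check_go_version_drift "$demo_dir/go.mod" "$demo_dir/ci.yml" || echo "exit status: $?"
```

Run against the constructed files the check reports drift and exits 1, which is what a pre-commit hook or an early CI step should do; after the workflow is bumped to 1.24.13 it exits 0. The comparison is numeric rather than string equality because Go only rejects a toolchain that is older than the directive; if the repository wants an exact pin for reproducibility, replace `version_ge` with a straight string comparison.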

Update CI workflow to use Go 1.24.13 to match go.mod requirement
set during CVE remediation.

Signed-off-by: Alper Rifat Ulucinar <ulucinar@users.noreply.github.com>
@ulucinar ulucinar merged commit 65f7f3b into release-0.3 Mar 2, 2026
5 checks passed