chore(deps): Bump Go from 1.25.8 to 1.25.9 #3315

Merged
simonbaird merged 4 commits into conforma:release-v0.7 from ompushkara:bump-go-docker-images
May 20, 2026


Conversation

@ompushkara


CVE Bumps for RHTAS

@qodo-for-conforma


Review Summary by Qodo

Bump Go version from 1.25.8 to 1.25.9

✨ Enhancement

Walkthroughs

Description
• Update Go version from 1.25.8 to 1.25.9
• Update all Docker base images to use Go 1.25.9
• Update all go.mod files across modules
• Update UBI9 go-toolset image with new SHA256 digest
Diagram
flowchart LR
  A["Go 1.25.8"] -- "Version Bump" --> B["Go 1.25.9"]
  B --> C["Dockerfile"]
  B --> D["Dockerfile.dist"]
  B --> E["go.mod files"]
  D --> F["UBI9 Toolset SHA256"]

File Changes

1. .tool-versions Dependencies +1/-1

Update golang version specification

• Update golang version from 1.25.8 to 1.25.9

2. Dockerfile Dependencies +1/-1

Update Go base image version

• Update base image from golang:1.25.8 to golang:1.25.9

3. Dockerfile.dist Dependencies +1/-1

Update UBI9 go-toolset and digest

• Update UBI9 go-toolset base image from 1.25.8 to 1.25.9
• Update image SHA256 digest to reflect new version

4. acceptance/go.mod Dependencies +1/-1

Update acceptance module Go version

• Update go version directive from 1.25.8 to 1.25.9

5. go.mod Dependencies +1/-1

Update main module Go version

• Update go version directive from 1.25.8 to 1.25.9

6. tools/go.mod Dependencies +1/-1

Update tools module Go version

• Update go version directive from 1.25.8 to 1.25.9

7. tools/kubectl/go.mod Dependencies +1/-1

Update kubectl tools Go version

• Update go version directive from 1.25.8 to 1.25.9

@qodo-for-conforma

qodo-for-conforma Bot commented May 19, 2026


Code Review by Qodo

🐞 Bugs (1) 📘 Rule violations (0) 📎 Requirement gaps (0)

Advisory comments

1. Unpinned Go builder image 🐞 Bug ⛨ Security
Description
Dockerfile builds with golang:1.25.9 without a digest, so the build input is not reproducible
and can change without a code change (unlike Dockerfile.dist, which pins its builder image by
digest). This is a pre-existing pattern (tag-only) that this PR continues on the touched line,
leaving the two build paths with different supply-chain guarantees.
Code

Dockerfile[19]

+FROM docker.io/library/golang:1.25.9 AS build
Relevance

⭐ Low

History keeps Dockerfile golang builder tag-only (e.g., #3052) while only dist/runtime images are
digest-pinned (#2545).

ⓘ Recommendations generated based on similar findings in past PRs

Evidence
The main Dockerfile uses a tag-only Go builder image, while the dist build explicitly pins its Go
toolset image by sha256 digest; additionally, the Makefile documents Dockerfile.dist as the
pipeline build path, highlighting the split between build flows.

Dockerfile[19-19]
Dockerfile.dist[19-19]
Makefile[63-72]

Agent prompt
The issue below was found during a code review. Follow the provided context and guidance below and implement a solution

## Issue description
`Dockerfile` uses a tag-only Go builder image (`docker.io/library/golang:1.25.9`) which is mutable and makes builds non-reproducible. `Dockerfile.dist` already pins its builder image by digest, so the two Docker build paths differ in supply-chain/reproducibility properties.

## Issue Context
This PR updates the `FROM` line in `Dockerfile`, making it a good opportunity to align it with the digest-pinning approach already used elsewhere in the repo.

## Fix Focus Areas
- Dockerfile[19-19]
- Dockerfile.dist[19-19]

## Suggested change
- Update the builder stage in `Dockerfile` to pin the `golang:1.25.9` image by digest (e.g., `FROM docker.io/library/golang:1.25.9@sha256:<digest> AS build`).
- (Optional) If you intentionally don’t pin Docker Hub images, add a short comment explaining why this differs from `Dockerfile.dist` to avoid future confusion.

ⓘ Copy this prompt and use it to remediate the issue with your preferred AI generation tools


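The tag-only versus digest-pinned distinction in the review above is easy to check mechanically. The following is an added example, not code from the conforma project: a small linter that flags FROM lines pulling a registry image without a full sha256 digest, run over a constructed Dockerfile that mirrors the two build paths (the registry path and digest in the sample are made-up placeholders, not the real go-toolset reference).

```python
import re
from typing import List, Tuple

# One FROM instruction: optional --platform flag, an image reference, optional "AS <stage>".
_FROM_RE = re.compile(
    r"^\s*FROM\s+(?:--platform=\S+\s+)?(?P<ref>\S+)(?:\s+AS\s+(?P<stage>\S+))?\s*$",
    re.IGNORECASE,
)
# A content-addressed pin is exactly 64 lowercase hex characters after "@sha256:".
_DIGEST_RE = re.compile(r"@sha256:[0-9a-f]{64}$")


def find_unpinned_from(dockerfile: str) -> List[Tuple[int, str]]:
    """Return (line_number, image_ref) for every FROM that pulls a registry image by mutable tag.

    Stage references ("FROM build") and "scratch" are not registry pulls and are skipped.
    A malformed or truncated digest is reported as unpinned rather than trusted.
    """
    stages = set()
    findings = []
    for lineno, line in enumerate(dockerfile.splitlines(), start=1):
        m = _FROM_RE.match(line)
        if not m:
            continue
        ref = m.group("ref")
        if m.group("stage"):
            stages.add(m.group("stage").lower())
        if ref.lower() in stages or ref.lower() == "scratch":
            continue
        if not _DIGEST_RE.search(ref):
            findings.append((lineno, ref))
    return findings


# Constructed sample: a tag-only builder like Dockerfile and a digest-pinned builder like
# Dockerfile.dist. The registry host and the digest are placeholders, not real values.
SAMPLE = (
    "FROM docker.io/library/golang:1.25.9 AS build\n"
    "FROM registry.example/ubi9/go-toolset:1.25.9@sha256:" + "0123456789abcdef" * 4 + " AS dist\n"
    "FROM build AS test\n"
    "FROM scratch\n"
)


def lint_sample() -> List[Tuple[int, str]]:
    return find_unpinned_from(SAMPLE)


if __name__ == "__main__":
    for lineno, ref in lint_sample():
        print(f"line {lineno}: {ref} is pulled by mutable tag; pin it with @sha256:<digest>")
```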

@coderabbitai

coderabbitai Bot commented May 19, 2026


Important

Review skipped

Auto reviews are disabled on base/target branches other than the default branch.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Enterprise

Run ID: fe4f8483-6bb2-473b-8a20-b26658a6684b

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.


@simonbaird

Member

Looks good. If it goes green, I will merge.

@simonbaird

Member

There might be another CVE for github.com/moby/spdystream similar to #3314 . I can push that if needed.

@codecov

codecov Bot commented May 20, 2026


Codecov Report

✅ All modified and coverable lines are covered by tests.

Flag         Coverage  Δ
generative   69.55%    <ø> (ø)
integration  69.55%    <ø> (ø)
unit         69.55%    <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.


@simonbaird

Member

/ok-to-test

@ompushkara

Author

There might be another CVE for github.com/moby/spdystream similar to #3314 . I can push that if needed.

It's not reported by ProdSec yet in RHTAS. But yeah, always good to have the bump :)

simonbaird and others added 2 commits May 20, 2026 13:07
Signed-off-by: red-hat-konflux <126015336+red-hat-konflux[bot]@users.noreply.github.com>
@github-actions github-actions Bot added size: L and removed size: XS labels May 20, 2026
@simonbaird

Member

Pushed two more commits to try to get this green.

@simonbaird

Member

/ok-to-test

@simonbaird simonbaird enabled auto-merge May 20, 2026 19:36

@robnester-rh robnester-rh left a comment

Contributor

LGTM

@simonbaird simonbaird merged commit 637d977 into conforma:release-v0.7 May 20, 2026
11 checks passed