
@ucatbas ucatbas commented Dec 8, 2025

Summary by CodeRabbit

  • Chores
    • Updated Go toolchain to version 1.25.5 across all build workflows, Docker configurations, and project modules. This upgrade aligns development and deployment environments with the latest stable Go runtime, providing enhanced compatibility, performance improvements, and security patches available in Go 1.25.5.



coderabbitai bot commented Dec 8, 2025

Walkthrough

Go toolchain version updated from 1.25.1/1.25.4 to 1.25.5 across GitHub Actions workflows, Dockerfiles, and go.mod configuration files to standardize the build and deployment environment.

Changes

| Cohort / File(s) | Summary |
|---|---|
| GitHub Actions Workflows: .github/workflows/coverage.yml, .github/workflows/nightly.yaml, .github/workflows/release.yml | Updated Go setup versions from 1.25.1 to 1.25.5 in workflow steps. |
| Dockerfiles: Dockerfile, Dockerfile.local, Dockerfile.release | Updated base image references from golang:1.25.4-alpine variants to golang:1.25.5-alpine, maintaining multi-stage build structure. |
| Go Module Configuration: go.mod, sdk/go/grpc/go.mod | Bumped Go toolchain directive from 1.25.1 to 1.25.5 in both module files. |

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~5 minutes

  • All changes follow a consistent, repetitive pattern of version string updates with no logic modifications, structural changes, or new dependencies.

Poem

🐰 A version bump hops through the files,
From 1.25.1 to 1.25.5 with style,
Docker, workflows, and modules align—
The toolchain's upgraded, everything's fine! ✨

Pre-merge checks and finishing touches

✅ Passed checks (3 passed)
| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title clearly and specifically describes the main change: updating Go version to 1.25.5 to address a specific CVE vulnerability. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 1

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 54b7cfc and c3bd61f.

⛔ Files ignored due to path filters (1)
  • go.work is excluded by !**/*.work
📒 Files selected for processing (8)
  • .github/workflows/coverage.yml (1 hunks)
  • .github/workflows/nightly.yaml (1 hunks)
  • .github/workflows/release.yml (1 hunks)
  • Dockerfile (1 hunks)
  • Dockerfile.local (1 hunks)
  • Dockerfile.release (1 hunks)
  • go.mod (1 hunks)
  • sdk/go/grpc/go.mod (1 hunks)
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (3)
  • GitHub Check: Test with Coverage
  • GitHub Check: Analyze (go)
  • GitHub Check: Test with Coverage
🔇 Additional comments (7)
go.mod (1)

3-3: Approve the Go toolchain version bump.

The go.mod file correctly updates the Go version directive to 1.25.5. No changes to require blocks or public APIs, which is appropriate for a patch version update to address a security vulnerability.

.github/workflows/nightly.yaml (1)

26-26: Approve the Go version update in nightly workflow.

The semantic version constraint ~1.25.5 appropriately restricts to patch versions >= 1.25.5 and < 1.26.0, which is suitable for a security patch release workflow.

sdk/go/grpc/go.mod (1)

3-3: Approve the Go version update in SDK go.mod.

The gRPC SDK's go.mod correctly updates to Go 1.25.5, maintaining consistency with the root go.mod file. No other dependencies or configurations are affected.

.github/workflows/release.yml (1)

26-26: Approve the Go version update in release workflow.

The semantic version constraint ~1.25.5 is consistent with the nightly workflow and ensures release builds use the patched Go version and any subsequent 1.25.x patches without crossing major or minor version boundaries.

Dockerfile.local (1)

2-2: Verify the Docker image digest is correct.

This file uses the same golang:1.25.5-alpine digest as the main Dockerfile. The digest validity should be confirmed as part of the main Dockerfile verification.

Dockerfile.release (1)

2-2: Verify the Docker image digest is correct.

This file also uses the golang:1.25.5-alpine digest. Confirm the digest validity along with the main Dockerfile check.

.github/workflows/coverage.yml (1)

26-26: Update to Go 1.25.5 addresses CVE-2025-61729 — a DoS vulnerability in crypto/x509.

Go 1.25.5 fixes CVE-2025-61729, which allows excessive resource consumption (quadratic-time CPU/memory usage) when printing HostnameError exceptions with unbounded host lists. This patch is security-critical for applications processing untrusted certificates. The update also includes CVE-2025-61727 (wildcard SAN constraint bypass fix).

@@ -1,10 +1,10 @@
FROM golang:1.25.4-alpine3.22@sha256:d3f0cf7723f3429e3f9ed846243970b20a2de7bae6a5b66fc5914e228d831bbb AS permify-builder
FROM golang:1.25.5-alpine@sha256:26111811bc967321e7b6f852e914d14bede324cd1accb7f81811929a6a57fea9 AS permify-builder
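Review bot: The new FROM line drops the Alpine release from the tag (`golang:1.25.4-alpine3.22` becomes `golang:1.25.5-alpine`), so the tag no longer records which Alpine release the pinned sha256 belongs to, and a later digest refresh can move the builder to a different Alpine release without the tag showing it. Keep the `alpine3.22` suffix in the new tag, and confirm the new digest against the registry manifest for that exact tag before merging.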
⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🌐 Web query:

golang:1.25.5-alpine sha256 digest Docker Hub

💡 Result:

I found two image digests shown on Docker Hub for golang:1.25.5-alpine:

  • sha256:6d6d1e4e530e8512543843504590c86b30524dd8644953c3435fa5b3396ae39c. [1]
  • sha256:c07ca287f049960e8b699d433376d879b7ee3e576b1e0239c476d9b28c6343c4. [2]

Note: multi‑arch images often show a manifest-list digest and per‑platform image digests; use docker pull golang:1.25.5-alpine (the CLI prints the digest you pulled) or docker manifest inspect / Registry API to confirm the exact digest for your platform. [2]


Update the Docker image digest for golang:1.25.5-alpine.

The digest sha256:26111811bc967321e7b6f852e914d14bede324cd1accb7f81811929a6a57fea9 pinned on lines 1 and 7 does not match the official golang:1.25.5-alpine image on Docker Hub. The correct digests are:

  • sha256:6d6d1e4e530e8512543843504590c86b30524dd8644953c3435fa5b3396ae39c
  • sha256:c07ca287f049960e8b699d433376d879b7ee3e576b1e0239c476d9b28c6343c4

(Exact digest depends on platform architecture.) Update both stages to use the correct digest to ensure reproducibility and security.

🤖 Prompt for AI Agents
In Dockerfile around lines 1 and 7, the pinned digest for golang:1.25.5-alpine
is incorrect; replace the bad
sha256:26111811bc967321e7b6f852e914d14bede324cd1accb7f81811929a6a57fea9 with one
of the official digests for golang:1.25.5-alpine (for your target platform) —
either sha256:6d6d1e4e530e8512543843504590c86b30524dd8644953c3435fa5b3396ae39c
or sha256:c07ca287f049960e8b699d433376d879b7ee3e576b1e0239c476d9b28c6343c4 — and
update both FROM lines (both stages) to use the chosen correct digest to ensure
reproducible, secure builds.
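
The review comment above turns on the difference between a manifest-list (index) digest and per-platform image digests. The following is an added example, not code from this PR or from Permify: it classifies each digest pinned in a Dockerfile `FROM` line against an image index document. The function names `digestOf` and `classifyPins` are hypothetical, and the index and digests in `main` are constructed placeholders, not real golang image digests.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
	"regexp"
	"strings"
)

var fromPin = regexp.MustCompile(`(?m)^FROM\s+\S+@(sha256:[0-9a-f]{64})`)

// digestOf returns the registry-style digest of raw bytes; for an index this is the manifest-list digest.
func digestOf(raw []byte) string {
	sum := sha256.Sum256(raw)
	return "sha256:" + hex.EncodeToString(sum[:])
}

// classifyPins labels every digest pinned in a FROM line: index digest, a platform manifest, or unknown.
func classifyPins(dockerfile string, rawIndex []byte) (map[string]string, error) {
	var idx struct { // only the fields of an OCI image index (manifest list) used here
		Manifests []struct {
			Digest   string
			Platform struct{ Architecture, OS string }
		}
	}
	if err := json.Unmarshal(rawIndex, &idx); err != nil {
		return nil, err
	}
	known := map[string]string{digestOf(rawIndex): "index (all platforms)"}
	for _, m := range idx.Manifests {
		known[m.Digest] = m.Platform.OS + "/" + m.Platform.Architecture
	}
	out := map[string]string{}
	for _, m := range fromPin.FindAllStringSubmatch(dockerfile, -1) {
		if out[m[1]] = known[m[1]]; out[m[1]] == "" {
			out[m[1]] = "unknown"
		}
	}
	return out, nil
}

func main() {
	// Constructed index and Dockerfile; the digests are placeholders, not real golang image digests.
	raw := []byte(`{"manifests":[{"digest":"sha256:` + strings.Repeat("a", 64) + `","platform":{"architecture":"amd64","os":"linux"}}]}`)
	df := "FROM golang:1.25.5-alpine@" + digestOf(raw) + " AS permify-builder\nFROM golang:1.25.5-alpine@sha256:" + strings.Repeat("c", 64) + "\n"
	fmt.Println(classifyPins(df, raw))
}
```

The index bytes must be the exact document the registry serves for the tag, since the manifest-list digest is the SHA-256 of those bytes; a pin reported as "unknown" should block the merge until it is traced to a known manifest.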


codecov bot commented Dec 8, 2025

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 82.58%. Comparing base (54b7cfc) to head (c3bd61f).
⚠️ Report is 2 commits behind head on master.

Additional details and impacted files
@@            Coverage Diff             @@
##           master    #2682      +/-   ##
==========================================
- Coverage   82.59%   82.58%   -0.01%     
==========================================
  Files          74       74              
  Lines        8125     8125              
==========================================
- Hits         6710     6709       -1     
- Misses        901      902       +1     
  Partials      514      514              


@ucatbas ucatbas merged commit 212ee0d into master Dec 8, 2025
15 checks passed
@ucatbas ucatbas deleted the fix/update-go-version-1.25.5 branch December 8, 2025 12:09