OADP-7565: Go 1.25.8 toolchain + golang.org/x/* CVE bumps

[kaovilai]

Summary

• Adds toolchain go1.25.8 directive to fix Go stdlib CVEs:
  • GO-2026-4337, GO-2026-4340 (crypto/tls)
  • GO-2026-4341 (net/url)
  • GO-2026-4342 (archive/zip)
  • CVE-2026-25679 (net/url IPv6 host parsing)
  • CVE-2026-27137 (crypto/x509 email constraints)
• Bumps golang.org/x/net v0.38.0 → v0.52.0 (fixes GHSA-vvgc-356p-c3xw, XSS in HTML tokenizer)
• Transitive bumps: x/sys → v0.42.0, x/text → v0.35.0, x/term → v0.41.0, x/mod → v0.33.0
• CI workflows updated to use go-version-file: 'go.mod' instead of hardcoded versions
  • test.yml: bumped actions/setup-go@v4 → @v6 (supports toolchain directive)

Note

golang.org/x/crypto is not in this module's dependency graph — those CVEs do not apply here.

Supersedes #159

Test plan

• go build ./... passes
• CI passes

Note

Responses generated with Claude

Summary by CodeRabbit

• Chores
  • Updated CI/CD workflows to dynamically detect Go toolchain version from project configuration.
  • Upgraded Go dependency ecosystem to latest compatible versions for improved stability.

[openshift-ci-robot]

@kaovilai: This pull request references OADP-7565 which is a valid jira issue.

Details

In response to this:

Summary

• Adds toolchain go1.25.8 directive to fix Go stdlib CVEs:
• GO-2026-4337, GO-2026-4340 (crypto/tls)
• GO-2026-4341 (net/url)
• GO-2026-4342 (archive/zip)
• CVE-2026-25679 (net/url IPv6 host parsing)
• CVE-2026-27137 (crypto/x509 email constraints)
• Bumps golang.org/x/net v0.38.0 → v0.52.0 (fixes GHSA-vvgc-356p-c3xw, XSS in HTML tokenizer)
• Transitive bumps: x/sys → v0.42.0, x/text → v0.35.0, x/term → v0.41.0, x/mod → v0.33.0
• CI workflows updated to use go-version-file: 'go.mod' instead of hardcoded versions
• test.yml: bumped actions/setup-go@v4 → @v6 (supports toolchain directive)

[!Note]
golang.org/x/crypto is not in this module's dependency graph — those CVEs do not apply here.

Supersedes #159

Test plan

• go build ./... passes
• CI passes

[!Note]
Responses generated with Claude

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 443ed253-5ad1-46c7-972f-8da259d8e3ec

📥 Commits

Reviewing files that changed from the base of the PR and between b0f18b2 and 500dee9.

⛔ Files ignored due to path filters (1)

• go.sum is excluded by !**/*.sum

📒 Files selected for processing (3)

• .github/workflows/lint.yml
• .github/workflows/test.yml
• go.mod

---

📝 Walkthrough

Walkthrough

Updated GitHub Actions workflows to dynamically source Go versions from go.mod instead of hardcoded versions, upgraded the setup-go action, and bumped multiple indirect module dependencies including golang.org/x packages. A toolchain directive was added to go.mod.

Changes

Cohort / File(s)	Summary
CI/CD Workflow Updates .github/workflows/lint.yml, .github/workflows/test.yml	Updated Go toolchain discovery to use go-version-file: 'go.mod' instead of fixed versions. Test workflow also upgraded actions/setup-go from v4 to v6.
Module Dependency and Toolchain go.mod	Added toolchain go1.25.8 directive. Bumped indirect dependencies: golang.org/x/mod (v0.22.0→v0.33.0), golang.org/x/net (v0.38.0→v0.52.0), golang.org/x/sys (v0.35.0→v0.42.0), golang.org/x/term (v0.30.0→v0.41.0), golang.org/x/text (v0.23.0→v0.35.0).

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

Poem

🐰 Workflows refined with versions from the source,
Dependencies dance to a newer course,
Toolchain directive now leads the way,
Go modules hop into the light of day! ✨

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title clearly and specifically summarizes the main changes: upgrading Go toolchain to 1.25.8 and bumping golang.org/x/* CVE fixes, which directly correspond to the primary modifications across go.mod and CI workflows.
Description check	✅ Passed	The PR description comprehensively covers the motivations (CVEs addressed), changes made (toolchain directive, dependency bumps, CI updates), and a test plan, though it does not follow the exact template structure with the specified section headings.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch cve-fix-oadp-dev-v2

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[openshift-ci-robot]

@kaovilai: This pull request references OADP-7565 which is a valid jira issue.

Details

In response to this:

Summary

• Adds toolchain go1.25.8 directive to fix Go stdlib CVEs:
• GO-2026-4337, GO-2026-4340 (crypto/tls)
• GO-2026-4341 (net/url)
• GO-2026-4342 (archive/zip)
• CVE-2026-25679 (net/url IPv6 host parsing)
• CVE-2026-27137 (crypto/x509 email constraints)
• Bumps golang.org/x/net v0.38.0 → v0.52.0 (fixes GHSA-vvgc-356p-c3xw, XSS in HTML tokenizer)
• Transitive bumps: x/sys → v0.42.0, x/text → v0.35.0, x/term → v0.41.0, x/mod → v0.33.0
• CI workflows updated to use go-version-file: 'go.mod' instead of hardcoded versions
• test.yml: bumped actions/setup-go@v4 → @v6 (supports toolchain directive)

[!Note]
golang.org/x/crypto is not in this module's dependency graph — those CVEs do not apply here.

Supersedes #159

Test plan

• go build ./... passes
• CI passes

[!Note]
Responses generated with Claude

Summary by CodeRabbit

• Chores
• Updated CI/CD workflows to dynamically detect Go toolchain version from project configuration.
• Upgraded Go dependency ecosystem to latest compatible versions for improved stability.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[Copilot]

Pull request overview

Updates the module’s Go toolchain and golang.org/x/* dependencies to pick up security fixes, and aligns CI to use the Go version declared in go.mod.

Changes:

• Add toolchain go1.25.8 to go.mod to ensure builds use the patched Go toolchain.
• Bump golang.org/x/net and related transitive golang.org/x/* modules to newer versions (and update go.sum accordingly).
• Update GitHub Actions workflows to use actions/setup-go@v6 with go-version-file: go.mod.

Reviewed changes

Copilot reviewed 3 out of 4 changed files in this pull request and generated 1 comment.

File	Description
go.mod	Adds toolchain directive and bumps indirect golang.org/x/* module versions.
go.sum	Updates sums to match the new golang.org/x/* dependency versions.
.github/workflows/test.yml	Switches to setup-go@v6 and reads version from go.mod.
.github/workflows/lint.yml	Reads Go version from go.mod (already on setup-go@v6).

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

Other workflows in this repo still use actions/setup-go@v5 (e.g., cross-arch-build-test.yml, release.yml, quay_binaries_push.yml). If the toolchain directive in go.mod requires setup-go@v6 to parse/apply correctly, those workflows may start failing or may run with an unpatched Go toolchain, undermining the CVE fix. Consider bumping those workflows to setup-go@v6 as well (or otherwise ensuring they correctly honor the toolchain directive).

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: Joeavaikath, kaovilai, weshayutin

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS [Joeavaikath,kaovilai,weshayutin]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[kaovilai]

out of date gahharhrhahrh

rebase required.. then will push to origin next time

[openshift-ci]

PR needs rebase.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[kaovilai]

Closed in favor of #167. Prior PRs were pushed directly to migtools/oadp-cli because kaovilai/oadp-cli was not a fork of migtools/oadp-cli at the time — it was a separate, unrelated repository. This prevented cross-repo PRs from the fork. The repo has now been renamed to kaovilai/container-oadp-cli-suite and kaovilai/oadp-cli has been re-created as a proper fork of migtools/oadp-cli.

Note

Responses generated with Claude