Upgrade baton-sdk to v0.7.4 and Go to 1.25.2

[gontzess]

Summary

• Upgrade Go version to 1.25.2
• Upgrade baton-sdk to v0.7.4
• Add capabilities connector builder support
• Update all dependencies

Test plan

• go build ./... passes
• go test ./... passes

🤖 Generated with Claude Code

Summary by CodeRabbit

• New Features

  • Added Bitbucket connector with support for multiple authentication methods (username/password, token, and OAuth credentials) and workspace filtering.

• Chores

  • Updated Go toolchain to version 1.25.2 and upgraded core dependencies.

_{✏️ Tip: You can customize this high-level summary in your review settings.}

[coderabbitai]

Walkthrough

This PR updates the Go toolchain from 1.22 to 1.25.2 and performs major dependency upgrades including baton-sdk, gRPC, OpenTelemetry, and AWS SDK components. It introduces Bitbucket connector configuration with code-generated accessors and refactors permission-checking logic in project and repository connectors from if/else to switch statements.

Changes

Cohort / File(s)	Change Summary
Dependency Management go.mod	Updated Go toolchain to 1.25.2; major version upgrades: baton-sdk (v0.2.17→v0.7.4), gRPC (v1.63.2→v1.71.0), golang.org/x/text (v0.16.0→v0.22.0); numerous indirect AWS SDK v2, OpenTelemetry, and stdlib package updates; new and removed transitive dependencies across observability and infrastructure stacks.
Bitbucket Configuration pkg/config/conf.gen.go, pkg/config/config.go	Code-generated file introduces exported Bitbucket struct with mapstructure tags and reflection-based type-safe accessors (GetStringSlice, GetString, GetInt, GetBool, GetStringMap). New config module defines configuration fields (Username, AppPassword, Token, ConsumerKey, ConsumerSecret, Workspaces) with metadata, enforces ConsumerKey/ConsumerSecret dependency via ConfigRelations, and exposes aggregated ConfigurationFields and Config variable.
Bitbucket Client pkg/bitbucket/client.go	Simplified filterWorkspaces guard to check only len(c.workspaceIDs) > 0; altered handlePagination to detect next page via resp.Next directly instead of resp.PaginationData.Next, leveraging struct field promotion.
Permission Logic Refactoring pkg/connector/project.go, pkg/connector/repository.go	Converted GetPermission if/else chains into switch statements on principal.Id.ResourceType, adding explicit default cases for invalid resource types with improved error handling.

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~75 minutes

Poem

🐰 Hop, skip, and upgrade we go,
Dependencies dance in a grand tableau,
Bitbucket binds with config so neat,
Switches replace branches—refactoring's sweet!
From toolchain one-two-two to five-two-five spins,
New features emerge as the changelog begins! 🎉

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately and concisely summarizes the primary changes: upgrading baton-sdk to v0.7.4 and Go to 1.25.2, which aligns with the main dependencies updated in go.mod and the PR's stated objectives.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing touches

• 📝 Generate docstrings

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 2

🤖 Fix all issues with AI agents

In `@go.mod`:
- Line 3: The workflow main.yaml is still pinned to go-version: 1.22.x while
go.mod specifies go 1.25.2; update main.yaml to use go-version: 1.25.2 (or
switch its step to use go-version-file: 'go.mod' like ci.yaml) so the CI Go
version matches the module; also check the external workflow referenced in
release.yaml (ConductorOne/github-workflows) to ensure it supports Go 1.25.2 and
update its go-version usage if necessary.
- Around line 110-113: Update the indirect module versions for
golang.org/x/crypto and golang.org/x/oauth2 in go.mod to secure releases (bump
golang.org/x/crypto to v0.45.0 or later—preferably v0.47.0—and
golang.org/x/oauth2 to v0.27.0 or later—preferably v0.34.0), then run go get
golang.org/x/crypto@v0.47.0 golang.org/x/oauth2@v0.34.0 (or the chosen target
versions) followed by go mod tidy and run tests/build to ensure nothing breaks;
this replaces the current golang.org/x/crypto v0.34.0 and golang.org/x/oauth2
v0.26.0 entries with the patched versions to mitigate the listed DoS
vulnerabilities.

[coderabbitai]

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Search for Go version pins in CI/build files
rg -n --glob '!**/vendor/**' -e 'go-version|GOVERSION|golang:' -e '^go [0-9]+\.[0-9]+' .

Repository: ConductorOne/baton-bitbucket

Length of output: 92

---

🏁 Script executed:

#!/bin/bash
# List relevant CI/build files
find . -type f \( -name 'go.mod' -o -name '.github' -type d \) | head -20

Repository: ConductorOne/baton-bitbucket

Length of output: 80

---

🏁 Script executed:

#!/bin/bash
# Check go.mod content
head -20 go.mod

Repository: ConductorOne/baton-bitbucket

Length of output: 679

---

🏁 Script executed:

#!/bin/bash
# Search for GitHub Actions workflows or CI configs
find . -type f \( -name '*.yml' -o -name '*.yaml' \) -path '*/.github/workflows/*' 2>/dev/null | head -10

Repository: ConductorOne/baton-bitbucket

Length of output: 162

---

🏁 Script executed:

#!/bin/bash
# Check Go version configuration in CI workflows
for file in ./.github/workflows/ci.yaml ./.github/workflows/main.yaml ./.github/workflows/release.yaml; do
  echo "=== $file ==="
  cat "$file" | head -50
  echo ""
done

Repository: ConductorOne/baton-bitbucket

Length of output: 2818

---

🏁 Script executed:

#!/bin/bash
# Search for all Go-related configuration in workflows
rg -n 'go-version|go-version-file|setup-go' ./.github/workflows/

Repository: ConductorOne/baton-bitbucket

Length of output: 675

---

Update main.yaml to use Go 1.25.2 instead of 1.22.x.

The main.yaml workflow is pinned to go-version: 1.22.x, which conflicts with the newly bumped go.mod (1.25.2). The ci.yaml workflow correctly uses go-version-file: 'go.mod' and will pick up the new version, but main.yaml needs to be updated to 1.25.2 to maintain consistency. Verify that release.yaml's external workflow (ConductorOne/github-workflows) also supports Go 1.25.2.

🤖 Prompt for AI Agents

In `@go.mod` at line 3, The workflow main.yaml is still pinned to go-version:
1.22.x while go.mod specifies go 1.25.2; update main.yaml to use go-version:
1.25.2 (or switch its step to use go-version-file: 'go.mod' like ci.yaml) so the
CI Go version matches the module; also check the external workflow referenced in
release.yaml (ConductorOne/github-workflows) to ensure it supports Go 1.25.2 and
update its go-version usage if necessary.

[coderabbitai]

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🌐 Web query:

GO-2025-3487 golang.org/x/crypto vulnerability

💡 Result:

GO-2025-3487 is a Go vulnerability report for golang.org/x/crypto (specifically golang.org/x/crypto/ssh) aliased as CVE-2025-22869. It affects SSH servers that implement file-transfer protocols (e.g., SFTP/SCP-like subsystems): a client can complete SSH key exchange very slowly (or never finish), causing the server to buffer pending outbound data in memory, potentially leading to denial of service via memory exhaustion. [1][2]

• Affected: golang.org/x/crypto/ssh before v0.35.0 [1][2]
• Fixed in: golang.org/x/crypto v0.35.0 (tagged to address this issue) [1][4]
• Impact: DoS (memory growth); commonly scored CVSS 7.5 (High) by downstream advisories [3]

What to do

1. Upgrade:
   • Update to golang.org/x/crypto v0.35.0 or newer. [1][3]
2. Find if you’re affected:
   • Run govulncheck on your module/repo and look for GO-2025-3487 / CVE-2025-22869. (The canonical record is the Go vuln report.) [1][2]

Sources: Go Vulnerability Database report [1], OSV entry [2], downstream advisory summary/CVSS [3], Go security announcement (v0.35.0 tag) [4].

---

🌐 Web query:

GO-2025-4134 GO-2025-4135 GHSA-hcg3-q754-cr77 golang.org/x/crypto

💡 Result:

• GO-2025-4134 (aliases: CVE-2025-58181, GHSA-j5w8-q4qc-rx2x) — golang.org/x/crypto/ssh: SSH servers parsing GSSAPI auth requests don’t validate the number of mechanisms, allowing unbounded memory consumption (DoS). Fixed in golang.org/x/crypto v0.45.0 (affected: < v0.45.0). [1][2]
• GO-2025-4135 (aliases: CVE-2025-47914, GHSA-f6x5-jh6r-wrfv) — golang.org/x/crypto/ssh/agent: SSH agent servers don’t validate message sizes for new identity requests, leading to out-of-bounds read → panic (DoS). Fixed in golang.org/x/crypto v0.45.0 (affected: < v0.45.0). [3]
• GHSA-hcg3-q754-cr77 (NVD: CVE-2025-22869) — golang.org/x/crypto: DoS via slow or incomplete key exchange. Patched in v0.35.0 (affected: < v0.35.0). [4]

Action: upgrade golang.org/x/crypto to v0.45.0 or later to address all three items above. [1][3][4]

Sources

[1] https://osv.dev/vulnerability/GO-2025-4134
[2] https://pkg.go.dev/vuln/GO-2025-4134
[3] https://pkg.go.dev/vuln/GO-2025-4135
[4] GHSA-hcg3-q754-cr77

---

🌐 Web query:

GO-2025-3488 GHSA-6v2p-p543-phr9 golang.org/x/oauth2 vulnerability

💡 Result:

GO-2025-3488 / GHSA-6v2p-p543-phr9 (CVE-2025-22868) is a denial-of-service issue in golang.org/x/oauth2, specifically golang.org/x/oauth2/jws: a malformed token can trigger unexpected memory consumption during token parsing (notably via jws.Verify). [1][2]

• Affected versions: golang.org/x/oauth2 < v0.27.0 [2][3]
• Fixed version: v0.27.0 (tagged to address this security issue) [2][3]
• Severity: High, CVSS 3.1 7.5 (availability impact) [3]

What to do

• Upgrade to golang.org/x/oauth2 v0.27.0+. [2][3]
• If you can’t upgrade immediately, reduce DoS risk by rejecting/limiting untrusted token sizes and enforcing request size/time limits at your API boundary (reverse proxy / gateway), since exploitation is via attacker-supplied malformed tokens. [2]

Sources: Go vulnerability report (GO-2025-3488) [1], OSV entry (GO-2025-3488) [2], GitHub Advisory (GHSA-6v2p-p543-phr9) [3]

---

🌐 Web query:

golang.org/x/crypto latest version 2025 security patches

💡 Result:

Latest golang.org/x/crypto versions (as of Jan 28, 2026)

• Latest overall: v0.47.0 (published Jan 12, 2026) [1]
• Latest released in 2025: v0.46.0 (published Dec 8, 2025) [1]

2025 security patches / fixed versions (Go vuln DB / CVEs)

• CVE-2025-22869 (GO-2025-3487) – SSH DoS via slow/incomplete key exchange
  • Fixed in: v0.35.0 (affects versions < v0.35.0) [2]
• CVE-2025-47913 (GO-2025-4116) – x/crypto/ssh/agent panic on unexpected SSH_AGENT_SUCCESS
  • Fixed in: v0.43.0 (affects versions < v0.43.0) [3]
• CVE-2025-58181 (GO-2025-4134) – x/crypto/ssh unbounded memory consumption (GSSAPI auth request parsing)
  • Fixed in: v0.45.0 (affects versions < v0.45.0) [4]
• CVE-2025-47914 (GO-2025-4135) – x/crypto/ssh/agent panic due to missing message size validation (OOB read)
  • Fixed in: v0.45.0 (affects versions < v0.45.0) [5]

What to upgrade to

• If you want “patched for the 2025 issues above”, use v0.45.0+ (covers all listed 2025 CVEs), or just upgrade to the current latest v0.47.0. [1][2][3][4][5]

go get golang.org/x/crypto@v0.47.0
go mod tidy

Sources: Go package versions page + Go vulnerability database entries for each CVE. [1][2][3][4][5]

References

1. Go package versions for golang.org/x/crypto (shows v0.47.0 on Jan 12, 2026; v0.46.0 on Dec 8, 2025) [1]
2. GO-2025-3487 / CVE-2025-22869 (fixed before v0.35.0) [2]
3. GO-2025-4116 / CVE-2025-47913 (fixed before v0.43.0) [3]
4. GO-2025-4134 / CVE-2025-58181 (fixed before v0.45.0) [4]
5. GO-2025-4135 / CVE-2025-47914 (fixed before v0.45.0) [5]

---

🌐 Web query:

golang.org/x/oauth2 latest version 2025 security patches

💡 Result:

• Latest golang.org/x/oauth2 version released in 2025: v0.34.0, tagged Dec 1, 2025. [1]
• 2025 security patch affecting golang.org/x/oauth2: CVE-2025-22868 (Go vuln GO-2025-3488) — unexpected memory consumption / DoS when parsing malformed tokens in golang.org/x/oauth2/jws. Fixed in v0.27.0 (released Feb 24, 2025); all versions < v0.27.0 are affected. [2][3][4]

What to do: upgrade to v0.27.0+ (or simply the latest 2025 release v0.34.0). [2][3]

Sources
[1] Git tag v0.34.0 (commit/tag metadata) — chromium.googlesource.com mirror: acc38155…, committer date Dec 01, 2025. (chromium.googlesource.com)
[2] Go vulnerability report GO-2025-3488 (CVE-2025-22868), fixed in v0.27.0. (pkg.go.dev)
[3] GitHub Advisory (GHSA-6v2p-p543-phr9): affected < 0.27.0, patched 0.27.0. (github.com)
[4] v0.27.0 tag commit message references fixing CVE-2025-22868; committer date Feb 24, 2025. (chromium.googlesource.com)

Citations:

• 1: https://chromium.googlesource.com/external/github.com/golang/oauth2/%2B/refs/tags/v0.34.0?utm_source=openai
• 2: https://pkg.go.dev/vuln/GO-2025-3488?utm_source=openai
• 3: https://github.com/advisories/GHSA-6v2p-p543-phr9?utm_source=openai
• 4: https://chromium.googlesource.com/external/github.com/golang/oauth2/%2B/refs/tags/v0.27.0?utm_source=openai

---

Upgrade golang.org/x/crypto to v0.45.0+ and golang.org/x/oauth2 to v0.27.0+ (or latest versions v0.47.0 and v0.34.0 respectively) to address multiple high-severity DoS vulnerabilities.

golang.org/x/crypto v0.34.0 is vulnerable to:

• GO-2025-3487 (CVE-2025-22869): SSH key exchange DoS via slow/incomplete handshake (CVSS 7.5)
• GO-2025-4134 (CVE-2025-58181): GSSAPI auth unbounded memory consumption (fixed v0.45.0)
• GO-2025-4135 (CVE-2025-47914): SSH agent message validation bypass causing panic (fixed v0.45.0)

golang.org/x/oauth2 v0.26.0 is vulnerable to:

• GO-2025-3488 (CVE-2025-22868): Malformed token parsing DoS (CVSS 7.5, fixed v0.27.0)

🧰 Tools

🪛 OSV Scanner (2.3.2)

[HIGH] 110-110: golang.org/x/crypto 0.34.0: Potential denial of service in golang.org/x/crypto

(GO-2025-3487)

---

[HIGH] 110-110: golang.org/x/crypto 0.34.0: Potential denial of service in golang.org/x/crypto/ssh/agent

(GO-2025-4116)

---

[HIGH] 110-110: golang.org/x/crypto 0.34.0: Unbounded memory consumption in golang.org/x/crypto/ssh

(GO-2025-4134)

---

[HIGH] 110-110: golang.org/x/crypto 0.34.0: Malformed constraint may cause denial of service in golang.org/x/crypto/ssh/agent

(GO-2025-4135)

---

[HIGH] 110-110: golang.org/x/crypto 0.34.0: golang.org/x/crypto/ssh/agent vulnerable to panic if message is malformed due to out of bounds read

(GHSA-f6x5-jh6r-wrfv)

---

[HIGH] 110-110: golang.org/x/crypto 0.34.0: golang.org/x/crypto Vulnerable to Denial of Service (DoS) via Slow or Incomplete Key Exchange

(GHSA-hcg3-q754-cr77)

---

[HIGH] 110-110: golang.org/x/crypto 0.34.0: golang.org/x/crypto/ssh allows an attacker to cause unbounded memory consumption

(GHSA-j5w8-q4qc-rx2x)

---

[HIGH] 113-113: golang.org/x/oauth2 0.26.0: Unexpected memory consumption during token parsing in golang.org/x/oauth2

(GO-2025-3488)

---

[HIGH] 113-113: golang.org/x/oauth2 0.26.0: golang.org/x/oauth2 Improper Validation of Syntactic Correctness of Input vulnerability

(GHSA-6v2p-p543-phr9)

🤖 Prompt for AI Agents

In `@go.mod` around lines 110 - 113, Update the indirect module versions for
golang.org/x/crypto and golang.org/x/oauth2 in go.mod to secure releases (bump
golang.org/x/crypto to v0.45.0 or later—preferably v0.47.0—and
golang.org/x/oauth2 to v0.27.0 or later—preferably v0.34.0), then run go get
golang.org/x/crypto@v0.47.0 golang.org/x/oauth2@v0.34.0 (or the chosen target
versions) followed by go mod tidy and run tests/build to ensure nothing breaks;
this replaces the current golang.org/x/crypto v0.34.0 and golang.org/x/oauth2
v0.26.0 entries with the patched versions to mitigate the listed DoS
vulnerabilities.