
fix(security): remediate CVE vulnerabilities#186

Merged
ulucinar merged 7 commits into release-0.6 from fix/cve-remediation-release-0.6-20260316-223531
Mar 17, 2026

Conversation

@upbound-bot

Summary

This PR fixes CVE vulnerabilities identified by security scanning.

Vulnerabilities Fixed

CVE/GHSA         Severity   Package   Fixed Version
CVE-2026-25679   High       stdlib    go1.25.8
CVE-2026-27142   High       stdlib    go1.25.8
CVE-2026-27139   Low        stdlib    go1.25.8

Changes Made

  • Updated Go version from 1.24.13 to 1.25.8 in go.mod
  • Updated GO_VERSION from 1.24.13 to 1.25.8 in .github/workflows/ci.yml
  • Updated GOLANGCI_VERSION from v1.64.8 to v2.11.3 in .github/workflows/ci.yml
  • Added .golangci.yml with golangci-lint v2 schema for Go 1.25.x compatibility

References

Verification

  • Rescanned with cve-scan skill after fixes
  • All listed vulnerabilities resolved

- Update Go version to 1.25.8 (fixes CVE-2026-25679, CVE-2026-27142,
  CVE-2026-27139)
- Update golangci-lint to v2.11.3 for Go 1.25.x compatibility
- Add .golangci.yml with golangci-lint v2 schema

Signed-off-by: Alper Rifat Ulucinar <ulucinar@users.noreply.github.com>
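The PR above moves the toolchain pin in two places (the go directive in go.mod and GO_VERSION in .github/workflows/ci.yml) and then rescans. The following is an added example, not the project's own code, of the drift check a reviewer would want to run in CI for exactly this kind of change: it parses both files, takes the higher of the go and toolchain directives as the version that will actually build the module, and reports if either pin is below the fixed toolchain or if the two pins disagree. The go.mod and ci.yml snippets are constructed for the example (the real files are not shown on the page, and the quoting of GO_VERSION is an assumption); version comparison uses the standard library's go/version package, available since Go 1.22.

```go
package main

import (
	"errors"
	"fmt"
	"go/version"
	"regexp"
	"strings"
)

// minFixedGo is the toolchain this PR moves to; the table above lists the
// three stdlib CVEs as fixed in go1.25.8.
const minFixedGo = "go1.25.8"

// Constructed samples standing in for the repository's go.mod and
// .github/workflows/ci.yml; the real files are not shown on the page, and the
// quoting of GO_VERSION is an assumption.
const sampleGoMod = `module example.com/provider

go 1.25.8

toolchain go1.25.8
`

const sampleCI = `env:
  GO_VERSION: '1.25.8'
  GOLANGCI_VERSION: 'v2.11.3'
`

var (
	goDirectiveRe = regexp.MustCompile(`(?m)^go[ \t]+(\S+)[ \t]*$`)
	toolchainRe   = regexp.MustCompile(`(?m)^toolchain[ \t]+(\S+)[ \t]*$`)
	ciGoVersionRe = regexp.MustCompile(`(?m)^[ \t]*GO_VERSION:[ \t]*['"]?([^'"\s]+)['"]?[ \t]*$`)
)

// normalize turns "1.25.8" into "go1.25.8", the form go/version works with.
func normalize(v string) string {
	if strings.HasPrefix(v, "go") {
		return v
	}
	return "go" + v
}

// effectiveGoModVersion returns the higher of the go and toolchain directives.
// A bare "go 1.25" is a language version and, by go/version ordering, sorts
// below go1.25.0, so on its own it does not pin a patched release.
func effectiveGoModVersion(goMod string) (string, error) {
	m := goDirectiveRe.FindStringSubmatch(goMod)
	if m == nil {
		return "", errors.New("go.mod: no go directive")
	}
	eff := normalize(m[1])
	if t := toolchainRe.FindStringSubmatch(goMod); t != nil {
		if tc := normalize(t[1]); version.Compare(tc, eff) > 0 {
			eff = tc
		}
	}
	if !version.IsValid(eff) {
		return "", fmt.Errorf("go.mod: unparseable version %q", eff)
	}
	return eff, nil
}

// ciGoVersion extracts GO_VERSION from the workflow's env block.
func ciGoVersion(ci string) (string, error) {
	m := ciGoVersionRe.FindStringSubmatch(ci)
	if m == nil {
		return "", errors.New("ci.yml: no GO_VERSION entry")
	}
	v := normalize(m[1])
	if !version.IsValid(v) {
		return "", fmt.Errorf("ci.yml: unparseable GO_VERSION %q", m[1])
	}
	return v, nil
}

// checkToolchain reports whether both pins meet min and agree with each other.
// Every problem found is returned so a CI job can print them all at once.
func checkToolchain(goMod, ci, min string) (bool, []string) {
	var problems []string
	modV, err := effectiveGoModVersion(goMod)
	if err != nil {
		problems = append(problems, err.Error())
	}
	ciV, err := ciGoVersion(ci)
	if err != nil {
		problems = append(problems, err.Error())
	}
	if modV != "" && version.Compare(modV, min) < 0 {
		problems = append(problems, fmt.Sprintf("go.mod pins %s, below fixed version %s", modV, min))
	}
	if ciV != "" && version.Compare(ciV, min) < 0 {
		problems = append(problems, fmt.Sprintf("ci.yml pins %s, below fixed version %s", ciV, min))
	}
	if modV != "" && ciV != "" && version.Compare(modV, ciV) != 0 {
		problems = append(problems, fmt.Sprintf("go.mod (%s) and ci.yml (%s) disagree", modV, ciV))
	}
	return len(problems) == 0, problems
}

func main() {
	ok, problems := checkToolchain(sampleGoMod, sampleCI, minFixedGo)
	fmt.Println("toolchain pins ok:", ok)
	for _, p := range problems {
		fmt.Println("  -", p)
	}
}
```

The check deliberately fails a go.mod that says only `go 1.25` with no toolchain line: the CVE fix lives in a patch release, and a language-version directive does not by itself force the patched toolchain.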
@upbound-bot
Author

Build Failure Analysis

Check: lint
Status: Failed
Analyzed: 2026-03-16T22:36:00Z

Summary

The lint check failed because golangci-lint-action@v6 does not support golangci-lint v2.

Root Cause

The CI workflow uses golangci/golangci-lint-action@v6, but the PR updated GOLANGCI_VERSION to v2.11.3 for Go 1.25.x compatibility. The GitHub Action v6 explicitly rejects golangci-lint v2 versions and requires an upgrade to golangci-lint-action@v7.

Error Details

##[error]invalid version string 'v2.11.3', golangci-lint v2 is not supported by golangci-lint-action v6, you must update to golangci-lint-action v7.

Recommendation

Update the CI workflow to use golangci/golangci-lint-action@v7 instead of @v6 to support golangci-lint v2.


This analysis was generated by the build-failure-analyze skill.

- Update golangci-lint-action from v6 to v7 for golangci-lint v2 support

Signed-off-by: Alper Rifat Ulucinar <ulucinar@users.noreply.github.com>
@upbound-bot
Author

Build Failure Analysis

Check: lint
Status: Failed
Analyzed: 2026-03-16T22:50:00Z

Summary

The lint check failed because .golangci.yml contains invalid properties for golangci-lint v2.11.3.

Root Cause

The golangci-lint v2 configuration schema has changed from v1. Several properties in the current .golangci.yml are no longer valid:

  1. issues.max-per-linter - not allowed (use issues.max-issues-per-linter if needed)
  2. issues.max-same-issues - not allowed in the same location
  3. output.formats.colored-line-number: {} - wrong format (v2 uses a different structure)
  4. linters.settings.govet.check-shadowing - deprecated/removed in v2

Error Details

jsonschema: "issues" does not validate with "/properties/issues/additionalProperties": additional properties 'max-per-linter' not allowed
jsonschema: "output.formats" does not validate with "/properties/output/properties/formats/additionalProperties": additional properties 'colored-line-number' not allowed
jsonschema: "linters.settings.govet.check-shadowing" does not validate with "/properties/linters/properties/settings/properties/govet/$ref/additionalProperties": additional properties 'check-shadowing' not allowed

Recommendation

Update .golangci.yml to use valid golangci-lint v2 schema by removing or fixing the invalid properties.


This analysis was generated by the build-failure-analyze skill.

- Remove invalid output.formats section (colored-line-number not allowed)
- Remove deprecated linters.settings.govet.check-shadowing property
- Remove invalid issues section (max-per-linter, max-same-issues, new not allowed)

Signed-off-by: Alper Rifat Ulucinar <ulucinar@users.noreply.github.com>
In golangci-lint v2, the 'gosimple' linter has been merged into
'staticcheck' and is no longer a standalone linter.

Signed-off-by: Alper Rifat Ulucinar <ulucinar@users.noreply.github.com>
@upbound-bot
Author

🔧 Build Failure Fix Applied (Workflow Run 23163292891)

Fixed the lint check failure caused by unknown linter gosimple.

Root Cause

In golangci-lint v2, the gosimple linter has been merged into staticcheck and is no longer available as a standalone linter.

Fix Applied

Removed gosimple from the enabled linters list in .golangci.yml. The checks previously performed by gosimple are now automatically included when using staticcheck.

Commit

  • 8c78daa - fix(lint): remove unknown linter 'gosimple' for golangci-lint v2

@upbound-bot
Author

Build Failure Analysis

Check: lint
Status: Failed
Analyzed: 2026-03-17T00:00:00Z

Summary

The lint check failed with 2 issues: a goimports formatting error in cronjob_test.go and a staticcheck QF1008 warning in cronjob.go.

Root Cause

  1. goimports formatting (healthchecks/cronjob_test.go:38:1): The test file has incorrect import formatting or whitespace issues that goimports detects.

  2. staticcheck QF1008 (healthchecks/cronjob.go:45:40): The code uses a redundant embedded field selector .Time.After() when it can be simplified to just .After() since metav1.Time embeds time.Time and promotes its methods.

Error Details

healthchecks/cronjob_test.go:38:1: File is not properly formatted (goimports)

healthchecks/cronjob.go:45:40: QF1008: could remove embedded field "Time" from selector (staticcheck)
		if cronJob.Status.LastSuccessfulTime.Time.After(cronJob.Status.LastScheduleTime.Time) ||

Recommendation

A code fix is required:

  1. Run goimports -w healthchecks/cronjob_test.go to fix formatting
  2. In cronjob.go, change .Time.After() to .After() to simplify the embedded field selector

This analysis was generated by the build-failure-analyze skill.

- Fix goimports formatting in cronjob_test.go
- Simplify embedded field selector in cronjob.go (staticcheck QF1008)

Signed-off-by: Alper Rifat Ulucinar <ulucinar@users.noreply.github.com>
@upbound-bot
Author

Build Failure Analysis

Check: lint
Status: Failed
Analyzed: 2026-03-17T00:00:00Z

Summary

The lint check failed with a typecheck error in healthchecks/cronjob.go:46:44 - the Equal method expects a *metav1.Time pointer, not a time.Time value.

Root Cause

The metav1.Time.Equal method has the signature Equal(u *Time) bool, which expects a pointer to *metav1.Time. The code is passing cronJob.Status.LastScheduleTime.Time (a time.Time struct) when it should pass cronJob.Status.LastScheduleTime (the *metav1.Time pointer directly).

Error Details

healthchecks/cronjob.go:46:44: cannot use cronJob.Status.LastScheduleTime.Time (variable of struct type time.Time) as *"k8s.io/apimachinery/pkg/apis/meta/v1".Time value in argument to cronJob.Status.LastSuccessfulTime.Equal

Recommendation

A code fix is required. Change:

cronJob.Status.LastSuccessfulTime.Equal(cronJob.Status.LastScheduleTime.Time)

to:

cronJob.Status.LastSuccessfulTime.Equal(cronJob.Status.LastScheduleTime)

This analysis was generated by the build-failure-analyze skill.

Pass *metav1.Time pointer to Equal method instead of time.Time value.

Signed-off-by: Alper Rifat Ulucinar <ulucinar@users.noreply.github.com>
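The two lint failures in the analyses above (staticcheck QF1008 on `.Time.After()` and the typecheck error on `Equal`) have the same origin: metav1.Time embeds time.Time, so time.Time's methods are promoted onto it, but metav1.Time also defines its own `Equal(*Time)`, which shadows the promoted `time.Time.Equal(time.Time)`. The following is an added example, not the project's cronjob.go, that reproduces the shape of that comparison with a constructed stand-in for metav1.Time so it builds without k8s.io/apimachinery. The stand-in's `Equal` signature and nil semantics follow apimachinery's; `CronJobStatus` and `lastRunSucceeded` are assumed names, and the nil-pointer guards are an addition the page's snippet does not show.

```go
package main

import (
	"fmt"
	"time"
)

// Time is a constructed stand-in for k8s.io/apimachinery's metav1.Time, used
// so the example builds without that dependency. Like metav1.Time it embeds
// time.Time, so time.Time's methods (After, Before, ...) are promoted and can
// be called directly: t.After(u) rather than t.Time.After(u), which is what
// staticcheck QF1008 asks for.
type Time struct {
	time.Time
}

// Equal follows metav1.Time.Equal's signature and nil semantics: it takes a
// *Time, not a time.Time, and because it is defined on *Time it shadows the
// promoted time.Time.Equal(time.Time). Passing t.Time to it is the typecheck
// error quoted in the lint output above.
func (t *Time) Equal(u *Time) bool {
	if t == nil && u == nil {
		return true
	}
	if t != nil && u != nil {
		return t.Time.Equal(u.Time)
	}
	return false
}

// CronJobStatus (assumed name) carries the two optional timestamps being
// compared, as pointers, the way batch/v1 CronJobStatus exposes them.
type CronJobStatus struct {
	LastScheduleTime   *Time
	LastSuccessfulTime *Time
}

// lastRunSucceeded (assumed name) reports whether the most recent scheduled
// run has already completed successfully, i.e. LastSuccessfulTime is at or
// after LastScheduleTime. The nil guards are added here; the page's snippet
// does not show how the project handles unset timestamps.
func lastRunSucceeded(s CronJobStatus) bool {
	if s.LastScheduleTime == nil {
		return true // never scheduled, so nothing to be behind on
	}
	if s.LastSuccessfulTime == nil {
		return false // scheduled at least once, never succeeded
	}
	// After is the promoted time.Time method and takes a time.Time value;
	// Equal is Time's own method and takes the *Time pointer.
	return s.LastSuccessfulTime.After(s.LastScheduleTime.Time) ||
		s.LastSuccessfulTime.Equal(s.LastScheduleTime)
}

func main() {
	base := time.Date(2026, 3, 17, 0, 0, 0, 0, time.UTC)
	cases := map[string]CronJobStatus{
		"succeeded after schedule":  {LastScheduleTime: &Time{base}, LastSuccessfulTime: &Time{base.Add(time.Minute)}},
		"succeeded at schedule":     {LastScheduleTime: &Time{base}, LastSuccessfulTime: &Time{base}},
		"succeeded before schedule": {LastScheduleTime: &Time{base}, LastSuccessfulTime: &Time{base.Add(-time.Minute)}},
		"never succeeded":           {LastScheduleTime: &Time{base}},
	}
	for name, s := range cases {
		fmt.Printf("%-26s healthy=%v\n", name, lastRunSucceeded(s))
	}
}
```

Writing `s.LastSuccessfulTime.Time.Equal(s.LastScheduleTime.Time)` would also compile, because it reaches the promoted time.Time method explicitly; the typecheck error arises only when the *Time method is selected and handed a time.Time value.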
The main branch does not have an explicit .golangci.yml configuration,
so we remove it from the release branch as well.

Signed-off-by: Alper Rifat Ulucinar <ulucinar@users.noreply.github.com>
Collaborator

@turkenf turkenf left a comment


Thank you @ulucinar, LGTM.

@ulucinar ulucinar merged commit 04f0d6c into release-0.6 Mar 17, 2026
6 checks passed
