security: upgrade golang to 1.25.6 to fix CVE-2025-61729 (#1214)

* Bump go version

Signed-off-by: liamfallon <liam.fallon@est.tech>

* Update docker base images to go 1.25.6

Signed-off-by: liamfallon <liam.fallon@est.tech>

* Fix ci job go-version-file

Signed-off-by: liamfallon <liam.fallon@est.tech>

* Fix ci job go-version-file

Signed-off-by: liamfallon <liam.fallon@est.tech>

* Fix ci job go-version-file

Signed-off-by: liamfallon <liam.fallon@est.tech>

* Fix ci job go-version-file

Signed-off-by: liamfallon <liam.fallon@est.tech>

* Bump version of golangci-lint

Signed-off-by: liamfallon <liam.fallon@est.tech>

* Update versions of kpt and sdk

Signed-off-by: liamfallon <liam.fallon@est.tech>

---------

Signed-off-by: liamfallon <liam.fallon@est.tech>

Author: liamfallon

.github/workflows/after-push-to-branch.yaml

@@ -28,10 +28,11 @@ jobs:
       packages: write
       contents: read
     steps:
-    - uses: actions/checkout@v4
-    - uses: actions/setup-go@v5
+    - uses: actions/checkout@v5
+    - uses: actions/setup-go@v6
       with:
-        go-version: '1.24.10'
+        go-version-file: documentation/go.mod
+        cache: true
     - uses: docker/setup-qemu-action@v3
     - uses: docker/setup-buildx-action@v3
     - name: Log in to GHCR
@@ -47,10 +48,11 @@ jobs:
       packages: write
       contents: read
     steps:
-    - uses: actions/checkout@v4
-    - uses: actions/setup-go@v5
+    - uses: actions/checkout@v5
+    - uses: actions/setup-go@v6
       with:
-        go-version: '1.24.10'
+        go-version-file: documentation/go.mod
+        cache: true
     - uses: docker/setup-qemu-action@v3
     - uses: docker/setup-buildx-action@v3
     - name: Log in to GHCR

.github/workflows/after-tag-with-version.yaml

@@ -32,9 +32,10 @@ jobs:
         uses: actions/checkout@v4
 
       - name: Setup Go
-        uses: actions/setup-go@v5
+        uses: actions/setup-go@v6
         with:
-          go-version: '1.24.10'
+          go-version-file: documentation/go.mod
+          cache: true
 
       - name: Setup QEMU
         uses: docker/setup-qemu-action@v3

.github/workflows/ci.yaml

@@ -31,7 +31,7 @@ jobs:
         platform: [ubuntu-latest]
     runs-on: ${{ matrix.platform }}
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
       - name: Lint shell scripts, ignoring third-party files
         run: |
           find . -name "*.sh" > shell_files.out
@@ -43,15 +43,16 @@ jobs:
       GOPATH: /home/runner/work/krm-functions-catalog/functions/go
       GO111MODULE: on
     steps:
-      - name: Set up Go 1.24.10
-        uses: actions/setup-go@v5
-        with:
-          go-version: '1.24.10'
-        id: go
       - name: Check out code into GOPATH
         uses: actions/checkout@v1
         with:
-          path: go/src/github.com/${{ github.repository }}
+          path: go/src/github.com/kptdev/krm-functions-catalog
+      - name: Set up Go
+        uses: actions/setup-go@v6
+        with:
+          go-version-file: documentation/go.mod
+          cache: true
+        id: go
       - name: Run unit tests
         run: |
           make unit-test
@@ -63,11 +64,12 @@ jobs:
       GOPATH: /home/runner/work/krm-functions-catalog/functions/go
       GO111MODULE: on
     steps:
-      - uses: actions/checkout@v4
-      - name: Set up Go 1.24.10
-        uses: actions/setup-go@v5
+      - uses: actions/checkout@v5
+      - name: Set up Go
+        uses: actions/setup-go@v6
         with:
-          go-version: '1.24.10'
+          go-version-file: documentation/go.mod
+          cache: true
       - name: Install kpt
         run: |
           go install github.com/kptdev/kpt@main

.github/workflows/release.yaml

@@ -27,7 +27,7 @@ jobs:
     name: function-release
     steps:
     - name: Checkout
-      uses: actions/checkout@v4
+      uses: actions/checkout@v5
     - name: Create Short Tag for Function Release
       # Create secondary short tag, e.g. functions/go/apply-setters/v1.1.1 -> apply-setters/v1.1.1
       run: |

archived/build/docker/go/defaults.env

@@ -1,2 +1,2 @@
-BUILDER_IMAGE=golang:1.24.10-alpine3.22
-BASE_IMAGE=alpine:3.22
+BUILDER_IMAGE=golang:1.25.6-alpine3.23
+BASE_IMAGE=alpine:3.23

archived/functions/go/Makefile

@@ -98,7 +98,7 @@ func-fmt:
 
 func-lint:
 	(which $(GOPATH)/bin/golangci-lint || \
-		curl -sSfL https://raw.githubusercontent.com/golangci/golangci-lint/v1.64.8/install.sh | sh -s -- -b $(GOPATH)/bin v1.64.8)
+		curl -sSfL https://raw.githubusercontent.com/golangci/golangci-lint/v2.8.0/install.sh | sh -s -- -b $(GOPATH)/bin v2.8.0)
 	cd $(CURRENT_FUNCTION) && time $(GOPATH)/bin/golangci-lint run --timeout=10m ./...
 
 func-test:

archived/functions/go/enable-gcp-services/go.mod

@@ -1,6 +1,6 @@
 module github.com/kptdev/krm-functions-catalog/archived/functions/go/project-services
 
-go 1.24.10
+go 1.25.6
 
 require (
 	github.com/stretchr/testify v1.10.0

archived/functions/go/export-terraform/go.mod

@@ -1,6 +1,6 @@
 module github.com/kptdev/krm-functions-catalog/archived/functions/go/export-terraform
 
-go 1.24.10
+go 1.25.6
 
 require (
 	github.com/kptdev/krm-functions-catalog/archived/functions/go/export-terraform/thirdparty/kyaml/fnsdk v0.0.0

archived/functions/go/fix/go.mod

@@ -1,6 +1,6 @@
 module github.com/kptdev/krm-functions-catalog/archived/functions/go/fix
 
-go 1.24.10
+go 1.25.6
 
 require (
 	github.com/stretchr/testify v1.10.0

archived/functions/go/format/go.mod

@@ -1,6 +1,6 @@
 module github.com/kptdev/krm-functions-catalog/archived/functions/go/format
 
-go 1.24.10
+go 1.25.6
 
 require sigs.k8s.io/kustomize/kyaml v0.19.0