CLOUDP-346332: Bump Go to 1.25.3 via flake (#2825)

* Bump Go to 1.25.3 via flake

Signed-off-by: jose.vazquez <[email protected]>

* Add doc on go flake support

* Fix typos

---------

Signed-off-by: jose.vazquez <[email protected]>

Author: josvazg

devbox.json

@@ -3,7 +3,6 @@
     "yq-go": "latest",
     "kubebuilder": "4.1.1",
     "jq": "latest",
-    "go": "latest",
     "gotests": "latest",
     "act": "latest",
     "kubectl": "latest",
@@ -29,9 +28,9 @@
     "addlicense": "latest",
     "fd": "latest",
     "apple-sdk_12": {
-      "name":      "sdk_12",
       "version":   "latest",
       "platforms": ["aarch64-darwin", "x86_64-darwin"]
-    }
+    },
+    "path:./flakes/go": {}
   }
 }

devbox.lock

@@ -650,56 +650,8 @@
       }
     },
     "github:NixOS/nixpkgs/nixpkgs-unstable": {
-      "last_modified": "2025-10-20T04:25:18Z",
-      "resolved": "github:NixOS/nixpkgs/87848bf0cc4f87717fc813a4575f07330c3e743c?lastModified=1760934318&narHash=sha256-%2FoUYsC0lUCBory65VK%2BUHqCCsCspbL1Vgfcf1KUYqVw%3D"
-    },
-    "go@latest": {
-      "last_modified": "2025-10-07T08:41:47Z",
-      "resolved": "github:NixOS/nixpkgs/bce5fe2bb998488d8e7e7856315f90496723793c#go",
-      "source": "devbox-search",
-      "version": "1.25.1",
-      "systems": {
-        "aarch64-darwin": {
-          "outputs": [
-            {
-              "name": "out",
-              "path": "/nix/store/mkdfnr1nkfj2kznxyag9pypbxp3wqqdv-go-1.25.1",
-              "default": true
-            }
-          ],
-          "store_path": "/nix/store/mkdfnr1nkfj2kznxyag9pypbxp3wqqdv-go-1.25.1"
-        },
-        "aarch64-linux": {
-          "outputs": [
-            {
-              "name": "out",
-              "path": "/nix/store/0jzj8p7k9wkr4l17sgrlg3z5di27sggf-go-1.25.1",
-              "default": true
-            }
-          ],
-          "store_path": "/nix/store/0jzj8p7k9wkr4l17sgrlg3z5di27sggf-go-1.25.1"
-        },
-        "x86_64-darwin": {
-          "outputs": [
-            {
-              "name": "out",
-              "path": "/nix/store/q2xylk8h3kbfajhw2lpdmyzyyqgqx8fl-go-1.25.1",
-              "default": true
-            }
-          ],
-          "store_path": "/nix/store/q2xylk8h3kbfajhw2lpdmyzyyqgqx8fl-go-1.25.1"
-        },
-        "x86_64-linux": {
-          "outputs": [
-            {
-              "name": "out",
-              "path": "/nix/store/f01qkydd3c2jqwi4w6hkddkf3blp16kw-go-1.25.1",
-              "default": true
-            }
-          ],
-          "store_path": "/nix/store/f01qkydd3c2jqwi4w6hkddkf3blp16kw-go-1.25.1"
-        }
-      }
+      "last_modified": "2025-10-20T13:06:07Z",
+      "resolved": "github:NixOS/nixpkgs/cb82756ecc37fa623f8cf3e88854f9bf7f64af93?lastModified=1760965567&narHash=sha256-0JDOal5P7xzzAibvD0yTE3ptyvoVOAL0rcELmDdtSKg%3D"
     },
     "golangci-lint@2": {
       "last_modified": "2025-10-07T08:41:47Z",

flakes/go/README.md

@@ -0,0 +1,52 @@
+# Custom Go Nix Flake
+
+## Why a flake?
+
+Nix tends to be several minor versions behind Go's official releases.
+
+This posses challenges in two situations:
+
+1. When Go moves to a new major version
+1. When Go has a vulnerability on the current latest Nix version, fixed by a newer official release
+
+For major versions it is usually fine to wait for Nix to have a major version compilation available for devbox to use. This is because, no matter how early we may want to upgrade, many go tools we depend on, such as license checking or linting or Kubernetes libraries such as `controller-runtime`, usually need some time to catch up with the major release anyways. By the time they support the new major version, there is usually a Nix compilation of the new Go release, at least in the unstable channel.
+
+For minor versions, it can be more problematic. If the latest Nix available release is compromised, it might take a few days or weeks for the new version to become available in Nix. On the other hand, Go only marks a vulnerable release after releasing the fixed version.
+
+In other words, we need to be able to move to the latest Go release as needed, specially to avoid vulnerabilities within the same major version.
+
+## How
+
+The current flake in this directory will download and install the pre-compiled binaries straight from https://go.dev/dl, that is the official Go downloads site. It only supports 2 platforms:
+- `x86_64-linux` for the CI and Linux developers.
+- `aarch64-darwin` for developers working on MacOS.
+
+The flake derivation does not build anything, just unpacks and places the binaries where expected to be used by the resulting flake.
+
+## Updating
+
+The flake is pinned to a particular Go point release. To bump the downloaded binary you have to:
+
+1. Bump the `goVersion` variable. E.g. `goVersion = "1.25.3";` -> `goVersion = "1.25.4";`
+2. Replace both `sha256` variable values with the correct ones for the new downloaded file.
+
+One easy way to read the expected sha 256 hash to be used for each `sha-256` setting is to using `nix-prefetch-url` or `nix store prefetch-file --json` to grab the file and hash it.
+
+For example:
+
+```shell
+$ nix store prefetch-file --json https://go.dev/dl/go1.25.3.linux-amd64.tar.gz |jq -r .hash
+sha256-AzXzFLbnv+CMPQz6p8GduWG3uZ+yC+YrCoJsmSrRTg8=
+```
+
+Make sure to use the correct architecture filename download to grab its corresponding sha 256 hash.
+
+## Testing
+
+Using `devbox shell` normally would already grab and build the flake, as referenced by devbox.json entry `"path:./flakes/go": {}`. Still if you want to test the flake build in isolation you can run (in this directory):
+
+``shell
+nix build .
+```
+
+On success a `result` entry in the directory soft links to the built flake.

flakes/go/flake.lock

@@ -0,0 +1,55 @@
+{
+  description = "A dev shell with a custom-fetched Go 1.25.3";
+
+  inputs = {
+    nixpkgs.url = "github:NixOS/nixpkgs/nixpkgs-unstable";
+    flake-utils.url = "github:numtide/flake-utils";
+  };
+
+  outputs = { self, nixpkgs, flake-utils }:
+    flake-utils.lib.eachDefaultSystem (system:
+      let
+        pkgs = nixpkgs.legacyPackages.${system};
+
+        goVersion = "1.25.3";
+
+        go-src =
+          if pkgs.stdenv.isLinux && pkgs.stdenv.hostPlatform.system == "x86_64-linux" then {
+            url = "https://go.dev/dl/go${goVersion}.linux-amd64.tar.gz";
+            sha256 = "sha256-AzXzFLbnv+CMPQz6p8GduWG3uZ+yC+YrCoJsmSrRTg8=";
+          }
+          else if pkgs.stdenv.isDarwin && pkgs.stdenv.hostPlatform.system == "aarch64-darwin" then {
+            url = "https://go.dev/dl/go${goVersion}.darwin-arm64.tar.gz";
+            sha256 = "sha256-fAg+PSwA3r/rL3fZpMAKGqyXETuJuczEKpBIevNDc4I=";
+          }
+          else throw "This flake does not support system: ${pkgs.stdenv.hostPlatform.system}";
+
+        go_1_25_3 = pkgs.stdenv.mkDerivation {
+          pname = "go-custom";
+          version = goVersion;
+
+          src = pkgs.fetchurl {
+            inherit (go-src) url sha256;
+          };
+
+          dontBuild = true;
+
+          installPhase = ''
+            mkdir -p $out
+            cp -a ./* $out/
+          '';
+        };
+
+      in
+      {
+        packages.go_1_25_3 = go_1_25_3;
+        packages.default = go_1_25_3;
+
+        devShells.default = pkgs.mkShell {
+          packages = [
+            go_1_25_3
+          ];
+        };
+      }
+    );
+}

flakes/go/flake.nix

@@ -1,8 +1,8 @@
 module github.com/mongodb/mongodb-atlas-kubernetes/v2
 
-go 1.25.0
+go 1.25
 
-toolchain go1.25.1
+toolchain go1.25.3
 
 require (
 	cloud.google.com/go/kms v1.23.2

go.mod

@@ -2,7 +2,7 @@ module tools/openapi2crd
 
 go 1.25
 
-toolchain go1.25.1
+toolchain go1.25.3
 
 require (
 	github.com/getkin/kin-openapi v0.131.0

tools/openapi2crd/go.mod

@@ -2,7 +2,7 @@ module toolbox
 
 go 1.25
 
-toolchain go1.25.1
+toolchain go1.25.3
 
 tool github.com/daixiang0/gci