build: go1.25.1 to fix CVE (#1314)

The majority of changes here are to ensure that the kube-api-linter tool
is built with the same version as golangci-lint, which in turn is built
with the same go language version of the project, otherwise linting will
fail due to language incompatibilities.

**What problem does this PR solve?**:

**Which issue(s) this PR fixes**:
Fixes #

**How Has This Been Tested?**:
<!--
Please describe the tests that you ran to verify your changes.
Provide output from the tests and any manual steps needed to replicate
the tests.
-->

**Special notes for your reviewer**:
<!--
Use this to provide any additional information to the reviewers.
This may include:
- Best way to review the PR.
- Where the author wants the most review attention on.
- etc.
-->

Author: jimmidyson

api/go.mod

@@ -5,7 +5,7 @@ module github.com/nutanix-cloud-native/cluster-api-runtime-extensions-nutanix/ap
 
 go 1.23.0
 
-toolchain go1.24.5
+toolchain go1.25.1
 
 replace github.com/nutanix-cloud-native/cluster-api-runtime-extensions-nutanix/common => ../common
 

common/go.mod

@@ -5,7 +5,7 @@ module github.com/nutanix-cloud-native/cluster-api-runtime-extensions-nutanix/co
 
 go 1.23.0
 
-toolchain go1.24.5
+toolchain go1.25.1
 
 require (
 	github.com/evanphx/json-patch/v5 v5.9.11

devbox.json

@@ -1,45 +1,49 @@
 {
-  "packages": [
-    "actionlint@latest",
-    "chart-testing@latest",
-    "clusterctl@latest",
-    "coreutils@latest",
-    "crane@latest",
-    "envsubst@latest",
-    "findutils@latest",
-    "gh@latest",
-    "ginkgo@latest",
-    "git@latest",
-    "gnumake@latest",
-    "gnused@latest",
-    "go@latest",
-    "gojq@latest",
-    "golangci-lint@latest",
-    "gomplate@latest",
-    "goreleaser@latest",
-    "gotestsum@latest",
-    "govulncheck@latest",
-    "helm-docs@latest",
-    "hugo@latest",
-    "kind@latest",
-    "ko@latest",
-    "kubebuilder@latest",
-    "kubectl@latest",
-    "kubernetes-controller-tools@latest",
-    "kustomize@latest",
-    "pre-commit@latest",
-    "reviewdog@latest",
-    "rsync@latest",
-    "setup-envtest@latest",
-    "shfmt@latest",
-    "yamale@latest",
-    "yamllint@latest",
-    "yq-go@latest",
-    "path:./hack/flakes#clusterctl-aws",
-    "path:./hack/flakes#goprintconst",
-    "path:./hack/flakes#helm-with-plugins",
-    "path:./hack/flakes#release-please"
-  ],
+  "packages": {
+    "actionlint":                           "latest",
+    "chart-testing":                        "latest",
+    "clusterctl":                           "latest",
+    "coreutils":                            "latest",
+    "crane":                                "latest",
+    "envsubst":                             "latest",
+    "findutils":                            "latest",
+    "gh":                                   "latest",
+    "ginkgo":                               "latest",
+    "git":                                  "latest",
+    "gnumake":                              "latest",
+    "gnused":                               "latest",
+    "go":                                   "latest",
+    "gojq":                                 "latest",
+    "gomplate":                             "latest",
+    "goreleaser":                           "latest",
+    "gotestsum":                            "latest",
+    "govulncheck":                          "latest",
+    "helm-docs":                            "latest",
+    "hugo":                                 "latest",
+    "kind":                                 "latest",
+    "ko":                                   "latest",
+    "kubebuilder":                          "latest",
+    "kubectl":                              "latest",
+    "kubernetes-controller-tools":          "latest",
+    "kustomize":                            "latest",
+    "pre-commit":                           "latest",
+    "reviewdog":                            "latest",
+    "rsync":                                "latest",
+    "setup-envtest":                        "latest",
+    "shfmt":                                "latest",
+    "yamale":                               "latest",
+    "yamllint":                             "latest",
+    "yq-go":                                "latest",
+    "path:./hack/flakes#clusterctl-aws":    "",
+    "path:./hack/flakes#golangci-lint":     "",
+    "path:./hack/flakes#goprintconst":      "",
+    "path:./hack/flakes#helm-with-plugins": "",
+    "path:./hack/flakes#release-please":    "",
+    "apple-sdk_12": {
+      "version":   "latest",
+      "platforms": ["aarch64-darwin"]
+    }
+  },
   "shell": {
     "scripts": {
       "preview-docs": [

devbox.lock

@@ -49,6 +49,34 @@
         }
       }
     },
+    "apple-sdk_12@latest": {
+      "last_modified": "2025-07-28T17:09:23Z",
+      "resolved": "github:NixOS/nixpkgs/648f70160c03151bc2121d179291337ad6bc564b#apple-sdk_12",
+      "source": "devbox-search",
+      "version": "12.3",
+      "systems": {
+        "aarch64-darwin": {
+          "outputs": [
+            {
+              "name": "out",
+              "path": "/nix/store/kvs20yk8vvs0201i1xczafjibvklcacc-apple-sdk-12.3",
+              "default": true
+            }
+          ],
+          "store_path": "/nix/store/kvs20yk8vvs0201i1xczafjibvklcacc-apple-sdk-12.3"
+        },
+        "x86_64-darwin": {
+          "outputs": [
+            {
+              "name": "out",
+              "path": "/nix/store/0lwhprmdl5qfhca48jhg3r9zsyv2a7p2-apple-sdk-12.3",
+              "default": true
+            }
+          ],
+          "store_path": "/nix/store/0lwhprmdl5qfhca48jhg3r9zsyv2a7p2-apple-sdk-12.3"
+        }
+      }
+    },
     "chart-testing@latest": {
       "last_modified": "2025-07-13T22:45:35Z",
       "resolved": "github:NixOS/nixpkgs/a421ac6595024edcfbb1ef950a3712b89161c359#chart-testing",
@@ -853,54 +881,6 @@
         }
       }
     },
-    "golangci-lint@latest": {
-      "last_modified": "2025-07-18T03:30:42Z",
-      "resolved": "github:NixOS/nixpkgs/e821e03193486359aa942372be2d9c1f377b7a18#golangci-lint",
-      "source": "devbox-search",
-      "version": "2.2.2",
-      "systems": {
-        "aarch64-darwin": {
-          "outputs": [
-            {
-              "name": "out",
-              "path": "/nix/store/00sy2bp921ax5cxphxz0ifgax6i97mx7-golangci-lint-2.2.2",
-              "default": true
-            }
-          ],
-          "store_path": "/nix/store/00sy2bp921ax5cxphxz0ifgax6i97mx7-golangci-lint-2.2.2"
-        },
-        "aarch64-linux": {
-          "outputs": [
-            {
-              "name": "out",
-              "path": "/nix/store/gvay3vc5ll70dfryiy6qa16w3ybagiq7-golangci-lint-2.2.2",
-              "default": true
-            }
-          ],
-          "store_path": "/nix/store/gvay3vc5ll70dfryiy6qa16w3ybagiq7-golangci-lint-2.2.2"
-        },
-        "x86_64-darwin": {
-          "outputs": [
-            {
-              "name": "out",
-              "path": "/nix/store/9pxfg0y3hiaf08vnzk2fs4qh76r2kd22-golangci-lint-2.2.2",
-              "default": true
-            }
-          ],
-          "store_path": "/nix/store/9pxfg0y3hiaf08vnzk2fs4qh76r2kd22-golangci-lint-2.2.2"
-        },
-        "x86_64-linux": {
-          "outputs": [
-            {
-              "name": "out",
-              "path": "/nix/store/z0d7708yc7d0z6nj0mwalbi6hf79yj68-golangci-lint-2.2.2",
-              "default": true
-            }
-          ],
-          "store_path": "/nix/store/z0d7708yc7d0z6nj0mwalbi6hf79yj68-golangci-lint-2.2.2"
-        }
-      }
-    },
     "gomplate@latest": {
       "last_modified": "2025-07-13T22:45:35Z",
       "resolved": "github:NixOS/nixpkgs/a421ac6595024edcfbb1ef950a3712b89161c359#gomplate",
@@ -1142,50 +1122,50 @@
       }
     },
     "hugo@latest": {
-      "last_modified": "2025-05-16T20:19:48Z",
-      "resolved": "github:NixOS/nixpkgs/12a55407652e04dcf2309436eb06fef0d3713ef3#hugo",
+      "last_modified": "2025-07-28T17:09:23Z",
+      "resolved": "github:NixOS/nixpkgs/648f70160c03151bc2121d179291337ad6bc564b#hugo",
       "source": "devbox-search",
-      "version": "0.147.3",
+      "version": "0.148.2",
       "systems": {
         "aarch64-darwin": {
           "outputs": [
             {
               "name": "out",
-              "path": "/nix/store/2wcphqjdn02ym0ps4jj9rimakxffjkhh-hugo-0.147.3",
+              "path": "/nix/store/9yj3fphpkjkkhhr8pfxk5r6ws41n17qy-hugo-0.148.2",
               "default": true
             }
           ],
-          "store_path": "/nix/store/2wcphqjdn02ym0ps4jj9rimakxffjkhh-hugo-0.147.3"
+          "store_path": "/nix/store/9yj3fphpkjkkhhr8pfxk5r6ws41n17qy-hugo-0.148.2"
         },
         "aarch64-linux": {
           "outputs": [
             {
               "name": "out",
-              "path": "/nix/store/msavmv3qsw5dxbffdinl8r6gabljc3lq-hugo-0.147.3",
+              "path": "/nix/store/zg314jwfh6q428ymnl57nv7jqyyaq1qz-hugo-0.148.2",
               "default": true
             }
           ],
-          "store_path": "/nix/store/msavmv3qsw5dxbffdinl8r6gabljc3lq-hugo-0.147.3"
+          "store_path": "/nix/store/zg314jwfh6q428ymnl57nv7jqyyaq1qz-hugo-0.148.2"
         },
         "x86_64-darwin": {
           "outputs": [
             {
               "name": "out",
-              "path": "/nix/store/ahhy6049rlifzxr2y5azy2mnvpqpbk32-hugo-0.147.3",
+              "path": "/nix/store/wyhy996fyn61b1cgbl5b7xpha74kxzcq-hugo-0.148.2",
               "default": true
             }
           ],
-          "store_path": "/nix/store/ahhy6049rlifzxr2y5azy2mnvpqpbk32-hugo-0.147.3"
+          "store_path": "/nix/store/wyhy996fyn61b1cgbl5b7xpha74kxzcq-hugo-0.148.2"
         },
         "x86_64-linux": {
           "outputs": [
             {
               "name": "out",
-              "path": "/nix/store/i9xazh3hcy7q364vns26c19jwqv6xgik-hugo-0.147.3",
+              "path": "/nix/store/ji15a88bnlzhpkinvbmbb9vnkhmmx3m2-hugo-0.148.2",
               "default": true
             }
           ],
-          "store_path": "/nix/store/i9xazh3hcy7q364vns26c19jwqv6xgik-hugo-0.147.3"
+          "store_path": "/nix/store/ji15a88bnlzhpkinvbmbb9vnkhmmx3m2-hugo-0.148.2"
         }
       }
     },

go.mod

@@ -5,7 +5,7 @@ module github.com/nutanix-cloud-native/cluster-api-runtime-extensions-nutanix
 
 go 1.24.0
 
-toolchain go1.24.5
+toolchain go1.25.1
 
 replace (
 	github.com/nutanix-cloud-native/cluster-api-runtime-extensions-nutanix/api => ./api

hack/flakes/flake.lock

@@ -10,6 +10,12 @@
     flake-utils.lib.eachDefaultSystem (system:
       with nixpkgs.legacyPackages.${system}; rec {
         packages = rec {
+          # Versions available via Devbox are currently behind due to nixhubi.io not being updated
+          # correctly. Referencing the package in this flake directly from nixpkgs is the workaround.
+          # This is required to support Go 1.25.
+          # Once https://github.com/jetify-com/devbox/issues/2609 is fixed, this can be removed.
+          golangci-lint = pkgs.golangci-lint;
+
           goprintconst = buildGo124Module rec {
             name = "goprintconst";
             version = "0.0.1-dev";

hack/flakes/flake.nix

@@ -45,6 +45,8 @@ endif
 
 .PHONY: test.%
 test.%: ## Runs go tests for a specific module
+# TODO: Remove once https://github.com/golang/go/issues/75031 is fixed.
+test.%: export GOTOOLCHAIN := $(shell go version | cut -d ' ' -f3)+auto
 test.%: go-generate ; $(info $(M) running tests$(if $(GOTEST_RUN), matching "$(GOTEST_RUN)") for $* module)
 	$(if $(filter-out root,$*),cd $* && )$(call go_test)
 
@@ -156,9 +158,19 @@ lint.%: ## Runs golangci-lint run for a specific module
 lint.%: hack/tools/golangci-lint-kube-api-linter fmt.% ; $(info $(M) linting $* module)
 	$(if $(filter-out root,$*),cd $* && )$(PWD)/hack/tools/golangci-lint-kube-api-linter run --fix --config=$(GOLANGCI_CONFIG_FILE)
 
+# Ensure that the golangci-lint-kube-api-linter tool is using the same version of Go as the golangci-lint tool, which
+# should in turn be the same language version as the project.
+GOLANGCI_LINT_VERSION := $(shell golangci-lint version --json 2>/dev/null | gojq --raw-output '.goVersion')
+GOLANGCI_LINT_KUBE_API_LINTER_VERSION := $(shell hack/tools/golangci-lint-kube-api-linter version --json 2>/dev/null | gojq --raw-output '.goVersion')
+ifneq ($(GOLANGCI_LINT_VERSION),$(GOLANGCI_LINT_KUBE_API_LINTER_VERSION))
+.PHONY: hack/tools/golangci-lint-kube-api-linter
+endif
+# Explicitly set the GOTOOLCHAIN environment variable to the same version of Go as the golangci-lint tool
+# to ensure that the go version is the same as the golangci-lint tool.
+hack/tools/golangci-lint-kube-api-linter: export GOTOOLCHAIN := $(GOLANGCI_LINT_VERSION)
 hack/tools/golangci-lint-kube-api-linter: hack/tools/.custom-gcl.yml
 hack/tools/golangci-lint-kube-api-linter: ; $(info $(M) installing golangci-lint-kube-api-linter tool)
-	cd hack/tools && golangci-lint custom
+	cd hack/tools && golangci-lint custom --verbose
 
 .PHONY: mod-tidy
 mod-tidy: ## Run go mod tidy for all modules
@@ -259,6 +271,9 @@ endif
 ifneq ($(words $(GO_SUBMODULES_NO_DOCS)),0)
 go-mod-edit-toolchain: $(addprefix go-mod-edit-toolchain.,$(GO_SUBMODULES_NO_DOCS:/go.mod=))
 endif
+ifneq ($(wildcard $(REPO_ROOT)/hack/tools/go.mod),)
+	cd hack/tools && go mod edit -toolchain=$(GO_TOOLCHAIN_VERSION)
+endif
 
 .PHONY: go-mod-edit-toolchain.%
 go-mod-edit-toolchain.%: ## Edits the go.mod file of a specifc module in repository to use the toolchain version