chore: fix security vulnerabilities for 1.0

[ldming]

Summary

Upgrade Go builder, base image, and toolchain to fix CRITICAL/HIGH vulnerabilities detected by trivy. This PR also migrates golangci-lint to v2 and upgrades controller-gen to maintain compatibility with Go 1.25.

Changes

Builder & Base Image

• docker/Dockerfile: golang:1.24.11-alpine → golang:1.25-alpine
• go.mod: go 1.24 → go 1.25.0
• Upgrade google.golang.org/grpc and other dependencies

CI/CD

• Sync GO_VERSION to 1.25 in all workflow files

Toolchain (Go 1.25 Compatibility)

• Makefile: golangci-lint v1.64.8 → v2.11.4
• Makefile: controller-gen v0.14.0 → v0.16.5
• Makefile: staticcheck v0.6.1 → 2026.1
• .golangci.yaml: migrate from v1 format to v2 format, remove staticcheck from golangci-lint (covered by standalone staticcheck)

Code Fixes

• apis/apps/v1alpha1/type.go: fix deprecated comment format for gocritic
• apis/workloads/v1alpha1/instanceset_types.go: fix deprecated comment format for gocritic
• apis/operations/v1alpha1/opsrequest_types.go: remove incorrect +kubebuilder:validation:Required from FromBackup.Namespace (optional field)
• pkg/kbagent/service/task_new_replica.go: fix IPv6 address format (fmt.Sprintf → net.JoinHostPort)
• controllers/dataprotection/backuppolicytemplate_controller_test.go: add missing required compDefs field

Generated Files

• Regenerate all CRDs with controller-gen v0.16.5
• Regenerate API reference docs (docs/developer_docs/api-reference/cluster.md)
• Update config/rbac/role.yaml and Helm CRDs

Scan Context

Version scanned: apecloud/kubeblocks:1.0.3-beta.5

• 2 CRITICAL (grpc CVE-2026-33186, net/netip)
• 6 HIGH (stdlib)

[apecloud-bot]

Auto Cherry-pick Instructions

Usage:
  - /nopick: Not auto cherry-pick when PR merged.
  - /pick: release-x.x [release-x.x]: Auto cherry-pick to the specified branch when PR merged.

Example:
  - /nopick
  - /pick release-1.1

[codecov]

Codecov Report

❌ Patch coverage is 0% with 1 line in your changes missing coverage. Please review.
✅ Project coverage is 53.73%. Comparing base (e2f5433) to head (a367048).
⚠️ Report is 2 commits behind head on release-1.0.

Files with missing lines	Patch %	Lines
pkg/kbagent/service/task_new_replica.go	0.00%	1 Missing ⚠️

Additional details and impacted files

@@               Coverage Diff               @@
##           release-1.0   #10179      +/-   ##
===============================================
- Coverage        53.78%   53.73%   -0.06%     
===============================================
  Files              493      493              
  Lines            54911    54911              
===============================================
- Hits             29534    29505      -29     
- Misses           22437    22456      +19     
- Partials          2940     2950      +10     

Flag	Coverage Δ
unittests	53.73% <0.00%> (-0.06%)	⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[github-actions]

This PR is stale because it has been open 45 days with no activity. Remove stale label or comment