Fix CVE-2026-27143: bump Go toolchain to 1.25.9

Daily vulnerability scan (CLC-2243) flagged 13 Classic component
images with a critical Go stdlib vulnerability:

- CVE-2026-27143 (GO-2026-4868): compiler did not correctly check
  underflow/overflow on arithmetic over induction variables in
  loops, allowing invalid indexing at runtime that could lead to
  memory corruption.

The vulnerability is fixed in Go 1.25.9 (and 1.26.2). Bump the
toolchain across the workspace:

- Set toolchain to go1.25.9 in all 71 go.mod files
- Update GO_VERSION in dev/image/Dockerfile and bump TRIGGER_REBUILD
  so the CI dev-environment image installs the patched compiler
- Update GO_VERSION in .devcontainer/Dockerfile for dev consistency

Verified locally by rebuilding all 13 affected components with
GOTOOLCHAIN=go1.25.9 and confirming grype reports zero critical
findings.

Co-authored-by: Ona <no-reply@ona.com>

Author: geropl

.devcontainer/Dockerfile

@@ -193,7 +193,7 @@ RUN curl -sSL "https://awscli.amazonaws.com/awscli-exe-linux-$(arch).zip" -o aws
     ./aws/install --bin-dir /usr/local/bin --install-dir /usr/local/aws-cli --update && \
     rm -rf awscliv2.zip ./aws
 
-ENV GO_VERSION=1.24.13
+ENV GO_VERSION=1.25.9
 ENV GOPATH=/root/go-packages
 ENV GOROOT=/root/go
 ENV PATH=$GOROOT/bin:$GOPATH/bin:$PATH

components/blobserve/go.mod

@@ -2,7 +2,7 @@ module github.com/gitpod-io/gitpod/blobserve
 
 go 1.24.0
 
-toolchain go1.24.3
+toolchain go1.25.9
 
 godebug tlsmlkem=0
 

components/common-go/go.mod

@@ -2,7 +2,7 @@ module github.com/gitpod-io/gitpod/common-go
 
 go 1.24.0
 
-toolchain go1.24.3
+toolchain go1.25.9
 
 godebug tlsmlkem=0
 

components/content-service-api/go/go.mod

@@ -2,7 +2,7 @@ module github.com/gitpod-io/gitpod/content-service/api
 
 go 1.24.0
 
-toolchain go1.24.3
+toolchain go1.25.9
 
 godebug tlsmlkem=0
 

components/content-service-api/typescript/util/go.mod

@@ -2,7 +2,7 @@ module github.com/gitpod-io/gitpod/content-service-api/util
 
 go 1.24.0
 
-toolchain go1.24.3
+toolchain go1.25.9
 
 godebug tlsmlkem=0
 

components/content-service/go.mod

@@ -2,7 +2,7 @@ module github.com/gitpod-io/gitpod/content-service
 
 go 1.24.0
 
-toolchain go1.24.3
+toolchain go1.25.9
 
 godebug tlsmlkem=0
 

components/docker-up/go.mod

@@ -2,7 +2,7 @@ module github.com/gitpod-io/gitpod/docker-up
 
 go 1.24
 
-toolchain go1.24.3
+toolchain go1.25.9
 
 godebug tlsmlkem=0
 

components/ee/agent-smith/cmd/testbed/go.mod

@@ -2,6 +2,6 @@ module testbed
 
 go 1.24
 
-toolchain go1.24.3
+toolchain go1.25.9
 
 godebug tlsmlkem=0

components/ee/agent-smith/cmd/testtarget/go.mod

@@ -2,6 +2,6 @@ module testtarget
 
 go 1.24
 
-toolchain go1.24.3
+toolchain go1.25.9
 
 godebug tlsmlkem=0

components/ee/agent-smith/go.mod

@@ -2,7 +2,7 @@ module github.com/gitpod-io/gitpod/agent-smith
 
 go 1.24.0
 
-toolchain go1.24.3
+toolchain go1.25.9
 
 godebug tlsmlkem=0