Fix CVE-2026-27143: bump Go toolchain to 1.25.9 (#21411)

* Fix CVE-2026-27143: bump Go toolchain to 1.25.9

Daily vulnerability scan (CLC-2243) flagged 13 Classic component
images with a critical Go stdlib vulnerability:

- CVE-2026-27143 (GO-2026-4868): compiler did not correctly check
  underflow/overflow on arithmetic over induction variables in
  loops, allowing invalid indexing at runtime that could lead to
  memory corruption.

The vulnerability is fixed in Go 1.25.9 (and 1.26.2). Bump the
toolchain across the workspace:

- Set toolchain to go1.25.9 in all 71 go.mod files
- Update GO_VERSION in dev/image/Dockerfile and bump TRIGGER_REBUILD
  so the CI dev-environment image installs the patched compiler
- Update GO_VERSION in .devcontainer/Dockerfile for dev consistency

Verified locally by rebuilding all 13 affected components with
GOTOOLCHAIN=go1.25.9 and confirming grype reports zero critical
findings.

Co-authored-by: Ona <no-reply@ona.com>

* Pin golangci-lint --go=1.24 to match CI image toolchain

The CI dev-environment image bundles golangci-lint v1.64.8 built with
Go 1.24, which refuses to lint code declaring "toolchain go1.25.9".
Pin the lint target to 1.24 so the existing image keeps working without
a rebuild. We don't use any 1.25 language features; the toolchain bump
only addresses CVE-2026-27143 in the Go stdlib.

Co-authored-by: Ona <no-reply@ona.com>

* Revert toolchain bumps; rely on CI image's system Go for fix

The previous commit bumped 'toolchain go1.25.9' across all 71 go.mod
files. That worked locally but broke the existing CI dev-environment
image, which:
  1. ships golangci-lint v1.64.8 built with Go 1.24 (rejects modules
     declaring toolchain >= 1.25)
  2. has system Go 1.24.13, so GOTOOLCHAIN=auto downloads the 1.25.9
     toolchain module — but that module's prebuilt tools dir lacks
     'covdata', breaking 'go test -coverprofile' for any Go library
     package.

Instead, leave the 'toolchain' directive at go1.24.13 and rely on the
new dev-environment image (which has system Go 1.25.9 from
dev/image/Dockerfile) to compile binaries with the patched stdlib.
Once branch CI publishes the new image, a follow-up commit will update
the image tag references in .gitpod.yml and the workflow files (same
two-step pattern as #21327).

Co-authored-by: Ona <no-reply@ona.com>

* Update dev-environment image to ona-clc-2243-fix-cve-2026-27143-bump-go-gha.275

This image was published by the previous run of this PR and contains
Go 1.25.9, which is needed to compile binaries free of CVE-2026-27143.
Switching the workflow and devcontainer references over so subsequent
CI runs use the patched toolchain.

Co-authored-by: Ona <no-reply@ona.com>

---------

Co-authored-by: Ona <no-reply@ona.com>

Author: geropl

.devcontainer/Dockerfile

@@ -193,7 +193,7 @@ RUN curl -sSL "https://awscli.amazonaws.com/awscli-exe-linux-$(arch).zip" -o aws
     ./aws/install --bin-dir /usr/local/bin --install-dir /usr/local/aws-cli --update && \
     rm -rf awscliv2.zip ./aws
 
-ENV GO_VERSION=1.24.13
+ENV GO_VERSION=1.25.9
 ENV GOPATH=/root/go-packages
 ENV GOROOT=/root/go
 ENV PATH=$GOROOT/bin:$GOPATH/bin:$PATH

.github/workflows/branch-build.yml

@@ -112,7 +112,7 @@ jobs:
       cancel-in-progress: ${{ needs.configuration.outputs.is_main_branch == 'false' }}
     runs-on: ubuntu-latest-16-cores
     container:
-      image: eu.gcr.io/gitpod-dev-artifact/dev/dev-environment:fix-go-1-24-13-cve-2025-68121-gha.181
+      image: eu.gcr.io/gitpod-dev-artifact/dev/dev-environment:ona-clc-2243-fix-cve-2026-27143-bump-go-gha.275
       options: --user root
     steps:
       - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # pin@v4
@@ -140,7 +140,7 @@ jobs:
       (needs.configuration.outputs.is_scheduled_run != 'true')
     runs-on: ubuntu-latest
     container:
-      image: eu.gcr.io/gitpod-dev-artifact/dev/dev-environment:fix-go-1-24-13-cve-2025-68121-gha.181
+      image: eu.gcr.io/gitpod-dev-artifact/dev/dev-environment:ona-clc-2243-fix-cve-2026-27143-bump-go-gha.275
       options: --user root
     concurrency:
       group: ${{ github.ref == 'refs/heads/main' && github.run_id || github.sha }}-infrastructure
@@ -187,7 +187,7 @@ jobs:
         ports:
           - 6379:6379
     container:
-      image: eu.gcr.io/gitpod-dev-artifact/dev/dev-environment:fix-go-1-24-13-cve-2025-68121-gha.181
+      image: eu.gcr.io/gitpod-dev-artifact/dev/dev-environment:ona-clc-2243-fix-cve-2026-27143-bump-go-gha.275
       options: --user root
       env:
         DB_HOST: "mysql"
@@ -410,7 +410,7 @@ jobs:
     if: needs.configuration.outputs.is_scheduled_run != 'true'
     runs-on: ubuntu-latest
     container:
-      image: eu.gcr.io/gitpod-dev-artifact/dev/dev-environment:fix-go-1-24-13-cve-2025-68121-gha.181
+      image: eu.gcr.io/gitpod-dev-artifact/dev/dev-environment:ona-clc-2243-fix-cve-2026-27143-bump-go-gha.275
       options: --user root
     concurrency:
       group: ${{ github.ref == 'refs/heads/main' && github.run_id || github.sha }}-install
@@ -463,7 +463,7 @@ jobs:
     environment: branch-build
     runs-on: ubuntu-latest
     container:
-      image: eu.gcr.io/gitpod-dev-artifact/dev/dev-environment:fix-go-1-24-13-cve-2025-68121-gha.181
+      image: eu.gcr.io/gitpod-dev-artifact/dev/dev-environment:ona-clc-2243-fix-cve-2026-27143-bump-go-gha.275
       options: --user root
     if: needs.configuration.outputs.with_monitoring == 'true' && needs.configuration.outputs.is_scheduled_run != 'true'
     concurrency:
@@ -492,7 +492,7 @@ jobs:
     environment: branch-build
     runs-on: ubuntu-latest
     container:
-      image: eu.gcr.io/gitpod-dev-artifact/dev/dev-environment:fix-go-1-24-13-cve-2025-68121-gha.181
+      image: eu.gcr.io/gitpod-dev-artifact/dev/dev-environment:ona-clc-2243-fix-cve-2026-27143-bump-go-gha.275
       options: --user root
     if: needs.configuration.outputs.with_integration_tests != '' && needs.configuration.outputs.is_scheduled_run != 'true'
     concurrency:

.github/workflows/build.yml

@@ -115,7 +115,7 @@ jobs:
       cancel-in-progress: ${{ needs.configuration.outputs.is_main_branch == 'false' }}
     runs-on: ubuntu-latest-16-cores
     container:
-      image: eu.gcr.io/gitpod-dev-artifact/dev/dev-environment:fix-go-1-24-13-cve-2025-68121-gha.181
+      image: eu.gcr.io/gitpod-dev-artifact/dev/dev-environment:ona-clc-2243-fix-cve-2026-27143-bump-go-gha.275
       options: --user root
     steps:
       - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # pin@v4
@@ -143,7 +143,7 @@ jobs:
       (needs.configuration.outputs.is_scheduled_run != 'true')
     runs-on: ubuntu-latest
     container:
-      image: eu.gcr.io/gitpod-dev-artifact/dev/dev-environment:fix-go-1-24-13-cve-2025-68121-gha.181
+      image: eu.gcr.io/gitpod-dev-artifact/dev/dev-environment:ona-clc-2243-fix-cve-2026-27143-bump-go-gha.275
       options: --user root
     concurrency:
       group: ${{ github.ref == 'refs/heads/main' && github.run_id || github.sha }}-infrastructure
@@ -190,7 +190,7 @@ jobs:
         ports:
           - 6379:6379
     container:
-      image: eu.gcr.io/gitpod-dev-artifact/dev/dev-environment:fix-go-1-24-13-cve-2025-68121-gha.181
+      image: eu.gcr.io/gitpod-dev-artifact/dev/dev-environment:ona-clc-2243-fix-cve-2026-27143-bump-go-gha.275
       options: --user root
       env:
         DB_HOST: "mysql"
@@ -448,7 +448,7 @@ jobs:
     if: needs.configuration.outputs.is_scheduled_run != 'true'
     runs-on: ubuntu-latest
     container:
-      image: eu.gcr.io/gitpod-dev-artifact/dev/dev-environment:fix-go-1-24-13-cve-2025-68121-gha.181
+      image: eu.gcr.io/gitpod-dev-artifact/dev/dev-environment:ona-clc-2243-fix-cve-2026-27143-bump-go-gha.275
       options: --user root
     concurrency:
       group: ${{ github.ref == 'refs/heads/main' && github.run_id || github.sha }}-install
@@ -501,7 +501,7 @@ jobs:
     environment: main-build
     runs-on: ubuntu-latest
     container:
-      image: eu.gcr.io/gitpod-dev-artifact/dev/dev-environment:fix-go-1-24-13-cve-2025-68121-gha.181
+      image: eu.gcr.io/gitpod-dev-artifact/dev/dev-environment:ona-clc-2243-fix-cve-2026-27143-bump-go-gha.275
       options: --user root
     if: needs.configuration.outputs.with_monitoring == 'true' && needs.configuration.outputs.is_scheduled_run != 'true'
     concurrency:
@@ -530,7 +530,7 @@ jobs:
     environment: main-build
     runs-on: ubuntu-latest
     container:
-      image: eu.gcr.io/gitpod-dev-artifact/dev/dev-environment:fix-go-1-24-13-cve-2025-68121-gha.181
+      image: eu.gcr.io/gitpod-dev-artifact/dev/dev-environment:ona-clc-2243-fix-cve-2026-27143-bump-go-gha.275
       options: --user root
     if: needs.configuration.outputs.with_integration_tests != '' && needs.configuration.outputs.is_scheduled_run != 'true'
     concurrency:

.github/workflows/code-nightly.yml

@@ -11,7 +11,7 @@ jobs:
   build:
     runs-on: ubuntu-latest
     container:
-      image: eu.gcr.io/gitpod-dev-artifact/dev/dev-environment:fix-go-1-24-13-cve-2025-68121-gha.181
+      image: eu.gcr.io/gitpod-dev-artifact/dev/dev-environment:ona-clc-2243-fix-cve-2026-27143-bump-go-gha.275
       options: --user root
     steps:
       - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # pin@v4

.github/workflows/ide-integration-tests.yml

@@ -36,7 +36,7 @@ jobs:
     name: Configuration
     runs-on: ubuntu-latest
     container:
-      image: eu.gcr.io/gitpod-dev-artifact/dev/dev-environment:fix-go-1-24-13-cve-2025-68121-gha.181
+      image: eu.gcr.io/gitpod-dev-artifact/dev/dev-environment:ona-clc-2243-fix-cve-2026-27143-bump-go-gha.275
       options: --user root
     outputs:
       name: ${{ steps.configuration.outputs.name }}
@@ -93,7 +93,7 @@ jobs:
     needs: [configuration]
     runs-on: ubuntu-latest
     container:
-      image: eu.gcr.io/gitpod-dev-artifact/dev/dev-environment:fix-go-1-24-13-cve-2025-68121-gha.181
+      image: eu.gcr.io/gitpod-dev-artifact/dev/dev-environment:ona-clc-2243-fix-cve-2026-27143-bump-go-gha.275
       options: --user root
     concurrency:
       group: ${{ needs.configuration.outputs.name }}-infrastructure
@@ -126,7 +126,7 @@ jobs:
     needs: [configuration, infrastructure]
     runs-on: ubuntu-latest
     container:
-      image: eu.gcr.io/gitpod-dev-artifact/dev/dev-environment:fix-go-1-24-13-cve-2025-68121-gha.181
+      image: eu.gcr.io/gitpod-dev-artifact/dev/dev-environment:ona-clc-2243-fix-cve-2026-27143-bump-go-gha.275
       options: --user root
       volumes:
         - /var/tmp:/var/tmp
@@ -216,7 +216,7 @@ jobs:
     if: github.event.inputs.skip_delete != 'true' && always()
     runs-on: ubuntu-latest
     container:
-      image: eu.gcr.io/gitpod-dev-artifact/dev/dev-environment:fix-go-1-24-13-cve-2025-68121-gha.181
+      image: eu.gcr.io/gitpod-dev-artifact/dev/dev-environment:ona-clc-2243-fix-cve-2026-27143-bump-go-gha.275
       options: --user root
     steps:
       - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # pin@v4

.github/workflows/jetbrains-auto-update-template.yml

@@ -15,7 +15,7 @@ jobs:
   update-jetbrains:
     runs-on: ubuntu-latest
     container:
-      image: eu.gcr.io/gitpod-dev-artifact/dev/dev-environment:fix-go-1-24-13-cve-2025-68121-gha.181
+      image: eu.gcr.io/gitpod-dev-artifact/dev/dev-environment:ona-clc-2243-fix-cve-2026-27143-bump-go-gha.275
       options: --user root
     steps:
       - uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # pin@v2

.github/workflows/jetbrains-integration-test.yml

@@ -34,7 +34,7 @@ on:
 jobs:
   jetbrains-smoke-test-linux:
     container:
-      image: eu.gcr.io/gitpod-dev-artifact/dev/dev-environment:fix-go-1-24-13-cve-2025-68121-gha.181
+      image: eu.gcr.io/gitpod-dev-artifact/dev/dev-environment:ona-clc-2243-fix-cve-2026-27143-bump-go-gha.275
       options: --user root
     runs-on: ubuntu-latest
     steps:

.github/workflows/preview-env-check-regressions.yml

@@ -60,7 +60,7 @@ jobs:
     needs: [configuration]
     runs-on: ubuntu-latest
     container:
-      image: eu.gcr.io/gitpod-dev-artifact/dev/dev-environment:fix-go-1-24-13-cve-2025-68121-gha.181
+      image: eu.gcr.io/gitpod-dev-artifact/dev/dev-environment:ona-clc-2243-fix-cve-2026-27143-bump-go-gha.275
       options: --user root
     concurrency:
       group: ${{ needs.configuration.outputs.name }}-infrastructure
@@ -93,7 +93,7 @@ jobs:
     if: ${{ needs.configuration.outputs.skip == 'false' }}
     runs-on: ubuntu-latest
     container:
-      image: eu.gcr.io/gitpod-dev-artifact/dev/dev-environment:fix-go-1-24-13-cve-2025-68121-gha.181
+      image: eu.gcr.io/gitpod-dev-artifact/dev/dev-environment:ona-clc-2243-fix-cve-2026-27143-bump-go-gha.275
       options: --user root
       volumes:
         - /var/tmp:/var/tmp
@@ -171,7 +171,7 @@ jobs:
     if: always()
     runs-on: ubuntu-latest
     container:
-      image: eu.gcr.io/gitpod-dev-artifact/dev/dev-environment:fix-go-1-24-13-cve-2025-68121-gha.181
+      image: eu.gcr.io/gitpod-dev-artifact/dev/dev-environment:ona-clc-2243-fix-cve-2026-27143-bump-go-gha.275
       options: --user root
     steps:
       - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # pin@v4

.github/workflows/preview-env-delete.yml

@@ -15,7 +15,7 @@ jobs:
     if: github.event.ref_type == 'branch' || github.event.inputs.name != ''
     runs-on: ubuntu-latest
     container:
-      image: eu.gcr.io/gitpod-dev-artifact/dev/dev-environment:fix-go-1-24-13-cve-2025-68121-gha.181
+      image: eu.gcr.io/gitpod-dev-artifact/dev/dev-environment:ona-clc-2243-fix-cve-2026-27143-bump-go-gha.275
       options: --user root
     steps:
       - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # pin@v4

.github/workflows/preview-env-gc.yml

@@ -11,7 +11,7 @@ jobs:
     name: "Find stale preview environments"
     runs-on: ubuntu-latest
     container:
-      image: eu.gcr.io/gitpod-dev-artifact/dev/dev-environment:fix-go-1-24-13-cve-2025-68121-gha.181
+      image: eu.gcr.io/gitpod-dev-artifact/dev/dev-environment:ona-clc-2243-fix-cve-2026-27143-bump-go-gha.275
       options: --user root
     outputs:
       names: ${{ steps.set-matrix.outputs.names }}
@@ -43,7 +43,7 @@ jobs:
     needs: [stale]
     runs-on: ubuntu-latest
     container:
-      image: eu.gcr.io/gitpod-dev-artifact/dev/dev-environment:fix-go-1-24-13-cve-2025-68121-gha.181
+      image: eu.gcr.io/gitpod-dev-artifact/dev/dev-environment:ona-clc-2243-fix-cve-2026-27143-bump-go-gha.275
       options: --user root
     if: ${{ needs.stale.outputs.count > 0 }}
     strategy: