@upbound-bot

Summary

This PR fixes CVE vulnerabilities identified by security scanning.

Tracking issue: https://github.com/upbound/upbound-official-build/issues/225

Vulnerabilities Fixed

CVE/GHSA          Severity   Package   Fixed Version
CVE-2025-61726    High       stdlib    go1.24.12
CVE-2025-61731    High       stdlib    go1.24.12
CVE-2025-61728    Medium     stdlib    go1.24.12
CVE-2025-61730    Medium     stdlib    go1.24.12

Changes Made

  • Updated go directive in go.mod from 1.24.11 to 1.24.12
  • Ran go mod tidy to update dependencies

References

Verification

  • Rescanned with cve-scan skill after fixes
  • All listed vulnerabilities resolved

- Update Go version to 1.24.12 (fixes CVE-2025-61726, CVE-2025-61728, CVE-2025-61730, CVE-2025-61731)

Signed-off-by: Alper Rifat Ulucinar <ulucinar@users.noreply.github.com>
@upbound-bot
Author

Build Failure Analysis

Check: build (amd64)
Status: Failed
Analyzed: 2026-02-05T21:26:00Z

Summary

The Docker build failed due to a Go version mismatch. The go.mod requires Go 1.24.12, but the CI workflow is configured to use Go 1.24.11.

Root Cause

The CVE remediation updated go.mod to require Go 1.24.12 to fix security vulnerabilities. However, the CI workflow (.github/workflows/ci.yml) still specifies GO_VERSION: '1.24.11'. When the Docker build runs with GOTOOLCHAIN=local, it cannot automatically download a newer toolchain and fails with:

go: go.mod requires go >= 1.24.12 (running go 1.24.11; GOTOOLCHAIN=local)

Error Details

#14 0.060 go: go.mod requires go >= 1.24.12 (running go 1.24.11; GOTOOLCHAIN=local)
#14 ERROR: process "/bin/sh -c bash -c '...' go mod download'" did not complete successfully: exit code: 1
ERROR: failed to solve: process "..." did not complete successfully: exit code: 1

Recommendation

Update GO_VERSION in .github/workflows/ci.yml from '1.24.11' to '1.24.12' to match the go.mod requirement. A retry will not help - this requires a code change.


This analysis was generated by the build-failure-analyze skill.

- Update GO_VERSION from 1.24.11 to 1.24.12 to match go.mod requirement

Signed-off-by: Alper Rifat Ulucinar <ulucinar@users.noreply.github.com>
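The failure analysed above (go.mod bumped to 1.24.12 while CI still pins GO_VERSION 1.24.11 under GOTOOLCHAIN=local) is the kind of drift a preflight check catches before the Docker build runs. The script below is an added example, not code from this repository or the upbound bots; it assumes the go.mod and workflow file paths are passed as arguments and that the workflow pins the toolchain with a `GO_VERSION:` line as shown in the analysis.

```shell
#!/bin/sh
# Added example (not from the PR): verify that the Go version pinned in a CI
# workflow is at least the version required by go.mod, so a GOTOOLCHAIN=local
# build cannot fail with "go.mod requires go >= X (running go Y)".

# Print the `go` directive from a go.mod file, e.g. "1.24.12".
gomod_go_version() {
  sed -n 's/^go[[:space:]][[:space:]]*\([0-9][0-9.]*\).*/\1/p' "$1" | head -n 1
}

# Print the GO_VERSION value from a workflow file, e.g. GO_VERSION: '1.24.11'.
# Assumes the workflow uses this key (hypothetical layout, as in the analysis).
ci_go_version() {
  sed -n "s/^[[:space:]]*GO_VERSION:[[:space:]]*['\"]*\([0-9][0-9.]*\).*/\1/p" "$1" | head -n 1
}

# Return 0 when dotted version $1 >= $2 (numeric per component), else 1.
version_ge() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    n = split(a, x, "."); m = split(b, y, ".");
    for (i = 1; i <= (n > m ? n : m); i++) {
      p = (i <= n) ? x[i] + 0 : 0; q = (i <= m) ? y[i] + 0 : 0;
      if (p > q) exit 0; if (p < q) exit 1;
    }
    exit 0 }'
}

# Usage: check_go_versions go.mod .github/workflows/ci.yml
# Returns 0 on match, 1 on mismatch, 2 when a version could not be read.
check_go_versions() {
  want=$(gomod_go_version "$1")
  have=$(ci_go_version "$2")
  if [ -z "$want" ] || [ -z "$have" ]; then
    echo "could not read versions (go.mod='$want' ci='$have')" >&2
    return 2
  fi
  if version_ge "$have" "$want"; then
    echo "ok: CI Go $have satisfies go.mod requirement $want"
    return 0
  fi
  echo "mismatch: go.mod requires go >= $want but CI pins $have (GOTOOLCHAIN=local build would fail)" >&2
  return 1
}
```

Running it as a CI step before the Docker build turns the mismatch into an early, explicit failure instead of a failed `go mod download` inside the image build.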
@ulucinar ulucinar merged commit 226869d into release-0.3 Feb 5, 2026
5 checks passed