fix: update Go security toolchain #22

Closed
777genius wants to merge 1 commit into main from fix/ci-security-checks
777genius (Owner) commented May 9, 2026

Summary

  • update CI Go setup and workspace toolchain from 1.25.9 to 1.25.10
  • update local govulncheck toolchain and maintainer docs to the fixed Go patch version
  • enable GitHub vulnerability alerts so Dependency Review can run against the repository

Verification

  • make test-govulncheck-local
  • go test ./...
  • make test-plugin-manifest-workflow
  • make generated-check
  • make vet

Summary by CodeRabbit

  • Chores
    • Updated Go toolchain version from 1.25.9 to 1.25.10 across CI/CD pipelines, build configurations, and development environment.

coderabbitai (Bot) commented May 9, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 66cac206-9eaf-465a-a495-60f0f1601794

📥 Commits

Reviewing files that changed from the base of the PR and between 9d493c8 and 033a5b8.

⛔ Files ignored due to path filters (1)
  • go.work is excluded by !**/*.work
📒 Files selected for processing (20)
  • .github/workflows/ci.yml
  • .github/workflows/codeql.yml
  • .github/workflows/docs-canary.yml
  • .github/workflows/docs-pages.yml
  • .github/workflows/docs.yml
  • .github/workflows/extended.yml
  • .github/workflows/govulncheck.yml
  • .github/workflows/homebrew-tap.yml
  • .github/workflows/live.yml
  • .github/workflows/polyglot-smoke.yml
  • .github/workflows/release-assets.yml
  • CHANGELOG.md
  • Makefile
  • README.md
  • cli/plugin-kit-ai/README.md
  • cli/plugin-kit-ai/go.mod
  • go.mod
  • install/integrationctl/go.mod
  • install/plugininstall/go.mod
  • sdk/go.mod

📝 Walkthrough

This pull request updates the Go toolchain version from 1.25.9 to 1.25.10 across the entire monorepo, including root and workspace module directives, all CI workflows, build automation, and supporting documentation.

Changes

Go Toolchain Version Update

| Layer / File(s) | Summary |
|---|---|
| Module Toolchain Directives: go.mod, cli/plugin-kit-ai/go.mod, install/integrationctl/go.mod, install/plugininstall/go.mod, sdk/go.mod | All toolchain directives updated from go1.25.9 to go1.25.10 across root and workspace modules. |
| Build Automation: Makefile, .github/workflows/ci.yml, .github/workflows/codeql.yml, .github/workflows/docs-canary.yml, .github/workflows/docs-pages.yml, .github/workflows/docs.yml, .github/workflows/extended.yml, .github/workflows/govulncheck.yml, .github/workflows/homebrew-tap.yml, .github/workflows/live.yml, .github/workflows/polyglot-smoke.yml, .github/workflows/release-assets.yml | SECURITY_GOTOOLCHAIN variable and all actions/setup-go configurations updated to Go 1.25.10 across test, CodeQL, docs, extended, security, homebrew, live, polyglot-smoke, and release workflows. |
| Documentation & Changelog: CHANGELOG.md, README.md, cli/plugin-kit-ai/README.md | Maintainer and user-facing documentation updated to reflect Go 1.25.10 requirement for monorepo workspace, CI lanes, and local build targets. |

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

Poem

🐰 A version bump hops along the way,
From .9 to .10, come what may,
Through workflows and modules it bounds with glee,
One consistent Go across the monorepo spree!
With docs all in sync, the update's complete,
A tidy little toolchain feat!

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 inconclusive)

| Check name | Status | Explanation | Resolution |
|---|---|---|---|
| Description check | ❓ Inconclusive | The description is missing the required 'Release Impact' section and verification checklist format is incomplete, though key verification steps are documented. | Add the 'Release Impact' section with checkboxes for public contract changes, docs updates, and release-sensitive path reviews to match the template structure. |

✅ Passed checks (4 passed)

| Check name | Status | Explanation |
|---|---|---|
| Title check | ✅ Passed | The title clearly and concisely describes the main change: updating Go security toolchain from 1.25.9 to 1.25.10 across all CI workflows and workspace configurations. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |

Comment @coderabbitai help to get the list of available commands and usage tips.
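
A version pin repeated across this many files can be missed in one of them, leaving a CI lane on the old toolchain. As an added example (not code from this repository or the PR), the Go check below flags any go.mod `toolchain` directive, actions/setup-go `go-version` input, or SECURITY_GOTOOLCHAIN assignment that differs from the expected version; the file contents and the Makefile assignment form are constructed assumptions.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
)

// The go.mod directive and the setup-go "go-version" input are real syntax;
// the Makefile assignment form for SECURITY_GOTOOLCHAIN is an assumption.
var pins = []*regexp.Regexp{
	regexp.MustCompile(`(?m)^toolchain\s+go(\d+\.\d+(?:\.\d+)?)\s*$`),
	regexp.MustCompile(`(?m)^\s*go-version:\s*["']?(\d+\.\d+(?:\.\d+)?)["']?\s*$`),
	regexp.MustCompile(`(?m)^SECURITY_GOTOOLCHAIN\s*[:?]?=\s*go(\d+\.\d+(?:\.\d+)?)\s*$`),
}

// Drift returns "path: version" for every pin that is not want, plus
// "path: no pin found" for files with no recognizable pin, sorted by path.
func Drift(files map[string]string, want string) []string {
	var out []string
	for path, body := range files {
		found := false
		for _, re := range pins {
			for _, m := range re.FindAllStringSubmatch(body, -1) {
				found = true
				if m[1] != want {
					out = append(out, path+": "+m[1])
				}
			}
		}
		if !found {
			out = append(out, path+": no pin found")
		}
	}
	sort.Strings(out)
	return out
}

// Constructed sample tree: one workflow was missed by the bump.
var sample = map[string]string{
	"go.mod":                     "module example.test/root\n\ngo 1.25\n\ntoolchain go1.25.10\n",
	"Makefile":                   "SECURITY_GOTOOLCHAIN ?= go1.25.10\n",
	".github/workflows/ci.yml":   "    - uses: actions/setup-go@v5\n      with:\n        go-version: \"1.25.10\"\n",
	".github/workflows/live.yml": "      with:\n        go-version: '1.25.9'\n",
}

func main() {
	fmt.Println(Drift(sample, "1.25.10"))
}
```

Reporting files with no recognizable pin matters as much as reporting mismatches: a workflow that stops pinning a version silently falls back to whatever the runner provides.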

review-router-ai (Bot, Contributor) commented May 9, 2026

🤖 ReviewRouter Progress

| Step | Status | Details |
|---|---|---|
| Build code graph | ⏭️ Not run | Skipped after an earlier failure. |
| LLM review (batched) | ⏭️ Not run | Skipped after an earlier failure. |
| Static analysis & rules | ⏭️ Not run | Skipped after an earlier failure. |
| Synthesize & report | ❌ Failed | No configured review provider passed health checks. |

Review needs attention

What failed: No configured review provider passed health checks.

How to fix

  • Check provider credentials and model names.
  • For Codex OAuth, reseed CODEX_AUTH_JSON if the token is stale.
  • For API-key modes, verify the key secret is available to this repository.

Technical details

Error code: no_healthy_providers

No healthy providers available; failing because FAIL_ON_NO_HEALTHY_PROVIDERS=true

review-router-ai (Contributor)

ReviewRouter

🔴 Review failed before comments could be completed.

PR: #22

What failed

No configured review provider passed health checks.

Why it matters

ReviewRouter would otherwise report a misleading clean review without model coverage.

How to fix

  • Check provider credentials and model names.
  • For Codex OAuth, reseed CODEX_AUTH_JSON if the token is stale.
  • For API-key modes, verify the key secret is available to this repository.

Technical details

Code: no_healthy_providers
Category: provider_runtime
Retryable: yes
User action required: yes

Error: No healthy providers available; failing because FAIL_ON_NO_HEALTHY_PROVIDERS=true
    at ReviewOrchestrator.executeReview (/home/runner/work/plugin-kit-ai/plugin-kit-ai/.reviewrouter-runtime/dist/index.js:27930:19)
    at async run (/home/runner/work/plugin-kit-ai/plugin-kit-ai/.reviewrouter-runtime/dist/index.js:30198:20)

@777genius 777genius closed this May 9, 2026