chore(deps): bump go version to v1.25.9

[rohanKanojia]

What does this PR do?

Update Go toolchain to 1.25.9

• use Red Hat UBI9 go-toolset:1.25-1777043046

What issues does this PR fix or reference?

This PR aims to resolve these CVE(s) :

• CVE-2026-32283
• CVE-2026-32280
• CVE-2026-33810

Is it tested? How?

PR Checklist

• E2E tests pass (when PR is ready, comment /test v8-devworkspace-operator-e2e, v8-che-happy-path to trigger)
  • v8-devworkspace-operator-e2e: DevWorkspace e2e test
  • v8-che-happy-path: Happy path for verification integration with Che

Summary by CodeRabbit

• Chores
  • Updated Go toolchain from version 1.25.8 to 1.25.9 across CI/CD pipelines and build configurations.

[openshift-ci]

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

[coderabbitai]

📝 Walkthrough

Walkthrough

This pull request updates the Go toolchain version from 1.25.8 to 1.25.9 across CI/CD pipelines, build configurations, and the go.mod file. All changes are patch-level version bumps with no functional modifications.

Changes

Cohort / File(s)	Summary
GitHub Actions Workflows .github/workflows/code-coverage.yml, pr.yml, release.yml	Updated Go version in actions/setup-go from 1.25.8 to 1.25.9 across three workflow files.
Go Module & CI Configuration go.mod, .ci/oci.Dockerfile	Updated toolchain directive in go.mod and GO_VERSION environment variable in CI Dockerfile from 1.25.8 to 1.25.9.
Build Dockerfiles build/Dockerfile, project-clone/Dockerfile	Updated registry.access.redhat.com/ubi9/go-toolset builder image tags and SHA256 digests to use the newer Go 1.25.x toolset versions.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

Possibly related PRs

• chore (deps) : bump go version to v1.25.8 #1611: Directly related; also updates Go toolchain versions in go.mod, workflows, and Dockerfiles (1.25.7→1.25.8 in that PR vs. 1.25.8→1.25.9 in this PR).

Suggested reviewers

• ibuziuk
• akurinnoy
• dkwon17

Poem

🐰 A carrot patch version, oh what a sight!
From point-eight to nine, we upgraded right.
Go toolchains aligned, across every place,
This tiny bump keeps the code in good grace! 🥕

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title clearly and concisely describes the main change: bumping the Go version to 1.25.9 across the codebase, which aligns with all file modifications.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

🧹 Nitpick comments (3)

.ci/oci.Dockerfile (2)

18-24: Remove the duplicate ENV block.

Lines 18-20 and 22-24 declare the exact same three environment variables (GO_VERSION, GOROOT, PATH). The second block is a no-op and just adds maintenance overhead — note that this PR already had to update GO_VERSION in two places. Consolidating now will prevent the two from drifting on the next bump.

♻️ Proposed cleanup

 ENV GO_VERSION=1.25.9
 ENV GOROOT=/usr/local/go
 ENV PATH=$GOROOT/bin:$PATH

-ENV GO_VERSION=1.25.9
-ENV GOROOT=/usr/local/go
-ENV PATH=$GOROOT/bin:$PATH
-
 SHELL ["/bin/bash", "-c"]

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.ci/oci.Dockerfile around lines 18 - 24, Duplicate ENV block setting
GO_VERSION, GOROOT and PATH appears twice; remove the redundant second block so
these variables are declared only once. Locate the duplicate ENV statements for
GO_VERSION, GOROOT and PATH in the Dockerfile and delete the repeated three-line
block (keep a single declaration), ensuring future version bumps only need to
change the remaining GO_VERSION/GOROOT/PATH lines.

---

28-28: Nit: keep the comment in sync with GO_VERSION.

The comment hard-codes 1.25.9, while the install command below uses the ${GO_VERSION} env var. On the next patch bump this comment will need to be updated separately (and was updated separately in this PR). Consider rewording to avoid repeating the literal version, e.g. # Install Go (version pinned via GO_VERSION) to satisfy go.mod toolchain requirement (go 1.25.0).

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.ci/oci.Dockerfile at line 28, The comment above the Go install step
hard-codes "1.25.9" and can drift from the actual variable used; update the
comment to avoid repeating a literal version and reference the GO_VERSION
variable instead (e.g., "Install Go (version pinned via GO_VERSION) to satisfy
go.mod toolchain requirement (go 1.25.0)") so it remains accurate when
${GO_VERSION} changes; locate the comment near the GO_VERSION usage in the
.ci/oci.Dockerfile and replace the hard-coded version text accordingly.

build/Dockerfile (1)

19-19: Consider using 1.25.9-1777043046 for better readability.

The tag changed from 1.25.8-1775651161 to 1.25-1777043046, dropping the patch version from the human-readable portion. While the SHA256 digest remains the true pin and guarantees deterministic behavior, a reader reviewing the Dockerfile can no longer tell at a glance which patch version this stage uses. The registry exposes 1.25.9-1777043046 pointing to the same image, offering patch-specific clarity without losing the digest pin.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@build/Dockerfile` at line 19, Update the FROM image tag to include the patch
version for readability while keeping the digest pin: replace the current tag
portion "1.25-1777043046" in the FROM line (the builder stage) with the
human-readable "1.25.9-1777043046" so the digest remains the source of truth but
the Dockerfile shows the specific patch version.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Nitpick comments:
In @.ci/oci.Dockerfile:
- Around line 18-24: Duplicate ENV block setting GO_VERSION, GOROOT and PATH
appears twice; remove the redundant second block so these variables are declared
only once. Locate the duplicate ENV statements for GO_VERSION, GOROOT and PATH
in the Dockerfile and delete the repeated three-line block (keep a single
declaration), ensuring future version bumps only need to change the remaining
GO_VERSION/GOROOT/PATH lines.
- Line 28: The comment above the Go install step hard-codes "1.25.9" and can
drift from the actual variable used; update the comment to avoid repeating a
literal version and reference the GO_VERSION variable instead (e.g., "Install Go
(version pinned via GO_VERSION) to satisfy go.mod toolchain requirement (go
1.25.0)") so it remains accurate when ${GO_VERSION} changes; locate the comment
near the GO_VERSION usage in the .ci/oci.Dockerfile and replace the hard-coded
version text accordingly.

In `@build/Dockerfile`:
- Line 19: Update the FROM image tag to include the patch version for
readability while keeping the digest pin: replace the current tag portion
"1.25-1777043046" in the FROM line (the builder stage) with the human-readable
"1.25.9-1777043046" so the digest remains the source of truth but the Dockerfile
shows the specific patch version.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: af002cc9-f3f0-4236-8e44-686820f0c1a1

📥 Commits

Reviewing files that changed from the base of the PR and between 943ae8e and de337a5.

📒 Files selected for processing (7)

• .ci/oci.Dockerfile
• .github/workflows/code-coverage.yml
• .github/workflows/pr.yml
• .github/workflows/release.yml
• build/Dockerfile
• go.mod
• project-clone/Dockerfile

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: akurinnoy, rohanKanojia
Once this PR has been reviewed and has the lgtm label, please assign dkwon17 for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment