OCM-22871 | chore: update Go version to 1.25.8 in order to fix

[olucasfreitas]

PR Summary

Remediate CVE-2026-25679 (incorrect parsing of IPv6 host literals in net/url) by upgrading ROSA to Go 1.25.8 and hardening URL parsing.

Detailed Description of the Issue

Go's net/url.Parse insufficiently validated the host/authority component and accepted some invalid URLs by treating garbage before an IPv6 literal as ignorable (for example, http://example.com[::1]:8080 was accepted instead of rejected). This affects Parse, ParseRequestURI, JoinPath, URL.Parse, and URL.UnmarshalBinary.

Upstream fixed this in Go 1.25.8 and Go 1.26.1. This PR now targets Go 1.25.8 specifically because it fixes the net/url issue tracked in OCM-22871 while avoiding OCM-22870 / CVE-2026-27137, which upstream states only affects Go 1.26.

ROSA CLI uses url.Parse and url.ParseRequestURI extensively for validating user-supplied URLs (OIDC endpoints, proxy URLs, IDP issuer URLs, gateway URLs). An attacker could potentially craft a malformed IPv6 URL that bypasses validation.

Related Issues and PRs

• Jira: OCM-22871
• Jira: OCM-22870
• CVE: CVE-2026-25679
• CVE: CVE-2026-27137
• Go issue: net/url: reject IPv6 literal not at start of host (CVE-2026-25679) golang/go#77578
• Go issue: crypto/x509: incorrect enforcement of email constraints (CVE-2026-27137) golang/go#77952
• External CI follow-up: OCM-22871 | fix: restore ROSA CI build root to Go 1.25 release#77262

Type of Change

• fix - resolves an incorrect behavior or bug.

Previous Behavior

• go.mod declared a vulnerable Go version line for the net/url issue.
• Production code called net/url.Parse / ParseRequestURI directly without additional host validation.
• cmd/dlt/oidcprovider/cmd.go silently ignored URL parse errors, risking nil pointer dereferences.
• Builder Dockerfiles used floating go-toolset:latest tags with GOTOOLCHAIN=auto, which could make container builds depend on toolchain downloads.

Behavior After This Change

• ROSA now targets Go 1.25.8, which includes the upstream net/url fix for CVE-2026-25679.
• This avoids moving ROSA onto the Go 1.26 line, which is the only affected line for CVE-2026-27137.
• Production URL parsing goes through pkg/helper/url.Parse / ParseRequestURI wrappers that independently validate IPv6 host literal placement.
• URL parse errors in cmd/dlt/oidcprovider/cmd.go are now reported and cause the command to exit.
• UBI builder images are pinned to registry.access.redhat.com/ubi9/go-toolset:1.25.8, so container builds no longer depend on GOTOOLCHAIN=auto inside those Dockerfiles.

How to Test (Step-by-Step)

1. make lint
2. make test
3. make rosa
4. goreleaser-v2.15.1 check --config .goreleaser.yaml
5. podman run --rm registry.access.redhat.com/ubi9/go-toolset:1.25.8 go version
6. podman build -f Dockerfile .
7. podman build -f images/Dockerfile.konflux .

Expected Results

All commands above exit 0. images/Dockerfile.e2e still requires authenticated access to registry.ci.openshift.org for a local build.

Breaking Changes

• No breaking changes

Developer Verification Checklist

• Commit subject/title follows [JIRA-TICKET] | [TYPE]: <MESSAGE>.
• PR description clearly explains both what changed and why.
• Relevant Jira/GitHub issues and related PRs are linked.
• Tests were added/updated where appropriate.
• I manually tested the change.
• make test passes.
• make lint passes.
• make rosa passes.
• Documentation was added/updated where appropriate.
• Any risk, limitation, or follow-up work is documented.

[olucasfreitas]

/retest

[olucasfreitas]

Follow-up update:

• addressed the review feedback to keep go.mod as the source of truth by removing the explicit Go version from .golangci.yml and changing CLAUDE.md to reference the go directive instead
• removed USER root from the main Dockerfile; the builder now uses COPY --chown=1001:0 . ., which still lets make release succeed locally
• updated images/Dockerfile.e2e to use the existing rhel-9-golang-1.25-openshift-4.21 CI builder stream while keeping GOTOOLCHAIN=auto

The remaining red Prow jobs are blocked on external CI config rather than the repo diff itself. The earlier openshift/release bump landed on a 1.26 builder tag that does not exist in CI, so I opened a follow-up draft PR to correct that and force GOTOOLCHAIN=auto in the Go-based ROSA jobs:

• OCM-22871 | fix: restore ROSA presubmits to an available builder release#77187

Local verification after the follow-up commit:

• make lint
• make test
• podman build -f Dockerfile .

podman build -f images/Dockerfile.e2e . now reaches the existing 1.25 builder tag locally and only stops on local auth to registry.ci.openshift.org, rather than manifest unknown for a nonexistent tag.

[olucasfreitas]

/retest-required

[coderabbitai]

Walkthrough

This PR upgrades the Go toolchain from 1.24.x to 1.25.8 across build configurations, updates golangci-lint to v2.11.4 and goreleaser to v2.15.1, introduces URL validation helpers to block malformed IPv6 literals, and migrates all URL parsing calls to use this new validation.

Changes

Cohort / File(s)	Summary
Go Toolchain Version Updates .bingo/bingo.mod, .bingo/gci.mod, .bingo/go-bindata.mod, .bingo/golangci-lint.mod, .bingo/mockgen.mod, go.mod	Updated go directive from 1.24.* to 1.25.8 across all build module files and main go.mod.
Tool Version Pinning .bingo/Variables.mk, .bingo/variables.env	Updated pinned golangci-lint from v2.6.1 to v2.11.4 and goreleaser from v1.25.1 to v2.15.1 (v2 major version with updated module path).
Configuration Schema Updates .golangci.yml, .goreleaser.yaml	Removed explicit Go 1.24 constraint from golangci config; upgraded GoReleaser config schema from version: 1 to version: 2 with updated archive format fields.
Docker and Build Infrastructure Dockerfile, images/Dockerfile.e2e, images/Dockerfile.konflux, Makefile	Pinned base images to Go 1.25.8; added GOTOOLCHAIN=auto and unexported GOROOT in Makefile for automatic toolchain selection; updated ownership flags and Go installation paths in Docker builds.
URL Validation Helper pkg/helper/url/helpers.go, pkg/helper/url/helpers_test.go	Introduced new Parse and ParseRequestURI helpers that validate and reject malformed IPv6 literals before delegation to standard library parsers; added comprehensive Ginkgo test suite.
URL Parsing Migration cmd/create/idp/github.go, cmd/create/idp/gitlab.go, cmd/create/idp/ldap.go, cmd/create/idp/openid.go, cmd/create/operatorroles/by_prefix.go, cmd/dlt/oidcprovider/cmd.go, cmd/login/cmd.go, pkg/aws/idps.go, pkg/aws/policy_document.go, pkg/interactive/validation.go, pkg/ocm/config.go, pkg/ocm/helpers.go, pkg/ocm/idps.go	Replaced net/url parsing calls with new urlHelper.Parse or urlHelper.ParseRequestURI throughout the codebase for consistent IPv6 validation; normalized error message capitalization to lowercase across error strings.
Test Updates pkg/ocm/config_test.go, pkg/ocm/helpers_test.go	Added test cases validating rejection of malformed IPv6 URLs; expanded invalidUrlOverrides test data to include IPv6 literal test case.
Documentation CLAUDE.md	Updated dependency documentation to reference go.mod directive instead of hardcoded Go version requirement.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[amandahla]

/approve
/lgtm

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: amandahla, olucasfreitas

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS [olucasfreitas]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[coderabbitai]

Actionable comments posted: 1

♻️ Duplicate comments (1)

Dockerfile (1)

1-2: ⚠️ Potential issue | 🟠 Major

Set a non-root user in the final stage.

Line 2 hardens ownership in the builder, but the produced ubi-micro image still defaults to root because the final stage never sets USER. That keeps the DS-0002 finding alive and leaves the image with unnecessary privileges.

Suggested fix

 FROM registry.access.redhat.com/ubi9/ubi-micro:latest
@@
-COPY --from=builder /opt/app-root/src/releases /releases
+COPY --from=builder --chown=1001:0 /opt/app-root/src/releases /releases
+USER 1001

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@Dockerfile` around lines 1 - 2, The final image still runs as root because
the Dockerfile only sets ownership in the builder stage; update the final stage
to run as a non-root user (match the UID/GID used in builder, e.g., 1001:0) by
creating or using that user and adding a USER directive in the final stage;
ensure the runtime files/directories produced by the builder are owned by that
UID/GID (or chowned during the final stage) so the non-root user can access
them—look for the builder stage name ("builder") and add the USER instruction
and any necessary ownership changes in the final stage.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@images/Dockerfile.e2e`:
- Around line 10-12: The Dockerfile currently installs rosa-support with an
open-ended version ("github.com/openshift-online/rosa-support@latest"); change
RUN go install github.com/openshift-online/rosa-support@latest to pin a specific
released tag or commit (for example replace `@latest` with `@vX.Y.Z` or
@<commit-hash>) so the rosa-support binary is reproducible and won't break
builds when upstream changes; update the RUN line in the Dockerfile (the
rosa-support install step) to use the chosen fixed tag/commit and update any
accompanying build comments to record the pinned version.

---

Duplicate comments:
In `@Dockerfile`:
- Around line 1-2: The final image still runs as root because the Dockerfile
only sets ownership in the builder stage; update the final stage to run as a
non-root user (match the UID/GID used in builder, e.g., 1001:0) by creating or
using that user and adding a USER directive in the final stage; ensure the
runtime files/directories produced by the builder are owned by that UID/GID (or
chowned during the final stage) so the non-root user can access them—look for
the builder stage name ("builder") and add the USER instruction and any
necessary ownership changes in the final stage.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 507007a9-c280-47ed-9bf9-43dacf2b89d3

📥 Commits

Reviewing files that changed from the base of the PR and between a8e53c3 and c552146.

⛔ Files ignored due to path filters (2)

• .bingo/golangci-lint.sum is excluded by !**/*.sum
• .bingo/goreleaser.sum is excluded by !**/*.sum

📒 Files selected for processing (33)

• .bingo/Variables.mk
• .bingo/bingo.mod
• .bingo/gci.mod
• .bingo/go-bindata.mod
• .bingo/golangci-lint.mod
• .bingo/goreleaser.mod
• .bingo/mockgen.mod
• .bingo/variables.env
• .golangci.yml
• .goreleaser.yaml
• CLAUDE.md
• Dockerfile
• Makefile
• cmd/create/idp/github.go
• cmd/create/idp/gitlab.go
• cmd/create/idp/ldap.go
• cmd/create/idp/openid.go
• cmd/create/operatorroles/by_prefix.go
• cmd/dlt/oidcprovider/cmd.go
• cmd/login/cmd.go
• go.mod
• images/Dockerfile.e2e
• images/Dockerfile.konflux
• pkg/aws/idps.go
• pkg/aws/policy_document.go
• pkg/helper/url/helpers.go
• pkg/helper/url/helpers_test.go
• pkg/interactive/validation.go
• pkg/ocm/config.go
• pkg/ocm/config_test.go
• pkg/ocm/helpers.go
• pkg/ocm/helpers_test.go
• pkg/ocm/idps.go

💤 Files with no reviewable changes (1)

• .golangci.yml

[coderabbitai]

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

cd images && ls -la Dockerfile.e2e && wc -l Dockerfile.e2e

Repository: openshift/rosa

Length of output: 139

---

🏁 Script executed:

head -30 images/Dockerfile.e2e

Repository: openshift/rosa

Length of output: 1427

---

Pin rosa-support instead of building @latest.

Line 12 pulls whatever upstream publishes at build time, making this image non-reproducible. It can fail without a repo change if rosa-support changes behavior or raises its minimum Go version.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@images/Dockerfile.e2e` around lines 10 - 12, The Dockerfile currently
installs rosa-support with an open-ended version
("github.com/openshift-online/rosa-support@latest"); change RUN go install
github.com/openshift-online/rosa-support@latest to pin a specific released tag
or commit (for example replace `@latest` with `@vX.Y.Z` or @<commit-hash>) so the
rosa-support binary is reproducible and won't break builds when upstream
changes; update the RUN line in the Dockerfile (the rosa-support install step)
to use the chosen fixed tag/commit and update any accompanying build comments to
record the pinned version.

[openshift-merge-bot]

/retest-required

Remaining retests: 0 against base HEAD 5b8027a and 2 for PR HEAD c552146 in total

[openshift-ci]

@olucasfreitas: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.