
chore: upgrade Go toolchain 1.25 & zoekt version #1112

Merged
brendan-kellam merged 3 commits into main from brendan/upgrade-go-1.25 on Apr 14, 2026

Conversation

brendan-kellam (Contributor) commented Apr 14, 2026

bump zoekt dependency & upgrade to go 1.25

Summary by CodeRabbit

  • Bug Fixes

    • Patched critical and high-severity security vulnerabilities in Go standard library through an upgrade to Go toolchain version 1.25, addressing CVE-2025-68121 and multiple additional Go standard library CVEs affecting the runtime and security subsystems.
  • Chores

    • Updated vendored dependencies and build infrastructure to maintain compatibility with the latest Go toolchain version, ensuring secure and stable operations.

Resolves CVE-2025-68121 (CRITICAL, crypto/tls certificate validation
during TLS session resumption) and multiple HIGH/MEDIUM Go stdlib CVEs
across all zoekt binaries.

Also pulls latest zoekt submodule (dec971a, bump dependencies #9)
which updates go.mod to go 1.25.0.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
coderabbitai bot (Contributor) commented Apr 14, 2026

Walkthrough

The pull request updates the Go toolchain from version 1.23.4 to 1.25, addressing CVE-2025-68121 and additional Go standard library vulnerabilities. The Dockerfile Go builder image and vendor/zoekt submodule are updated correspondingly.

Changes

Cohort / File(s): Summary

Go Toolchain Upgrade (CHANGELOG.md, Dockerfile): Version bump from Go 1.23.4 to 1.25, with the Alpine base image updated from alpine3.19 to alpine. Changelog entry documenting the CVE remediation added.

Submodule Update (vendor/zoekt): Git submodule reference advanced from commit 4a11080 to dec971a.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~8 minutes

Possibly related PRs

  • chore: Bump zoekt #921: Updates vendor/zoekt submodule to the base commit (4a1108…) from which this PR advances it further to dec971a.
Pre-merge checks: 3 passed

Check name / Status / Explanation

  • Description Check: Passed. Check skipped - CodeRabbit's high-level summary is enabled.
  • Docstring Coverage: Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
  • Title check: Passed. The title accurately and concisely summarizes the main changes: upgrading the Go toolchain to 1.25 and the zoekt version, matching all three file modifications (Dockerfile, CHANGELOG, vendor/zoekt).


coderabbitai bot left a comment


Nitpick comments (1)

Dockerfile, line 19: Pin the Go builder image more tightly to keep builds reproducible.

golang:1.25-alpine is a floating tag; patch/Alpine drift can cause non-deterministic CI behavior. Pin to a specific patch version (e.g., golang:1.25.0-alpine) or digest instead.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@Dockerfile` at line 19, The Dockerfile uses a floating builder image tag
"golang:1.25-alpine" in the FROM instruction which can cause non-deterministic
builds; update the FROM line to pin the Go builder to a specific patch version
(e.g., "golang:1.25.0-alpine") or, better, to an immutable digest for
reproducibility, ensuring the image reference is stable for CI and local builds.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: a1e93270-e7bf-4067-829f-d7257ef6a7df

📥 Commits

Reviewing files that changed from the base of the PR and between 5420c3d and bf87d88.

📒 Files selected for processing (3)
  • CHANGELOG.md
  • Dockerfile
  • vendor/zoekt
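A small lint for the point raised in the nitpick above, added here as an example and not code from the zoekt or Sourcebot projects: it scans a Dockerfile and reports every FROM image that is not pinned to an immutable digest (stricter than the review's alternative of a patch-version tag). The sample Dockerfile and the sha256 value inside it are constructed placeholders.

```go
package main

import (
	"fmt"
	"strings"
)
// floatingImages returns the registry images referenced by FROM instructions
// that are not pinned to a digest. Build-stage aliases (declared with "AS name"
// and reused as FROM name) and the special "scratch" image are skipped.
func floatingImages(dockerfile string) []string {
	var floating []string
	stages := map[string]bool{}
	for _, raw := range strings.Split(dockerfile, "\n") {
		fields := strings.Fields(raw)
		if len(fields) < 2 || !strings.EqualFold(fields[0], "FROM") {
			continue // blank line, comment, or another instruction
		}
		args := fields[1:]
		for len(args) > 0 && strings.HasPrefix(args[0], "--") {
			args = args[1:] // drop flags such as --platform=linux/amd64
		}
		if len(args) == 0 {
			continue
		}
		image := args[0]
		if len(args) >= 3 && strings.EqualFold(args[1], "AS") {
			stages[strings.ToLower(args[2])] = true // stage names are case-insensitive
		}
		if image == "scratch" || stages[strings.ToLower(image)] {
			continue
		}
		if !strings.Contains(image, "@sha256:") {
			floating = append(floating, image)
		}
	}
	return floating
}

func main() {
	// Constructed sample Dockerfile, not the project's own; the digest is a placeholder.
	const sample = `FROM golang:1.25-alpine AS builder
FROM --platform=linux/amd64 alpine@sha256:PLACEHOLDER_DIGEST
FROM builder AS tests
FROM scratch
FROM alpine:3.20`
	for _, img := range floatingImages(sample) {
		fmt.Printf("floating tag, pin to a digest: %s\n", img)
	}
}
```

Run against the real Dockerfile (for example by reading it with os.ReadFile) to fail CI whenever a builder or runtime image drifts back to a floating tag.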

brendan-kellam changed the title from "chore: upgrade Go toolchain from 1.23.4 to 1.25" to "chore: upgrade Go toolchain 1.25 & zoekt version" on Apr 14, 2026
brendan-kellam merged commit 775164c into main on Apr 14, 2026
9 checks passed
brendan-kellam deleted the brendan/upgrade-go-1.25 branch on April 14, 2026 at 23:05