Why
As of mid-2026 the Go ecosystem has moved to Go 1.25. Current releases of Conduit's core dependencies now declare go 1.25.0 in their own go.mod and cannot be built under the repo's current go 1.24.2 directive:
google.golang.org/grpc (1.81+)
github.com/grpc-ecosystem/grpc-gateway/v2 (2.29+)
golang.org/x/net (0.55+) — includes security fixes
go.opentelemetry.io/otel (1.43+)
github.com/jackc/pgx/v5 (5.9+)
github.com/apache/thrift (0.23+)
Bumping any of them pulls the module go directive to 1.25.0. There is no meaningful subset that stays on 1.24, so the Go 1.25 upgrade is now a hard prerequisite for all dependency maintenance, including security updates. This is why the consolidated dependency-refresh attempt (PR #2503) and the individual dependabot go.mod PRs below are all blocked.
What it entails
- Bump the
go directive to 1.25 in go.mod and tools/go.mod. CI reads it via go-version-file: go.mod, so the test/validate-generated-files/lint jobs will run under 1.25 automatically.
- Bump the CI toolchain (the
tool directives in tools/go.mod) to Go-1.25-built versions — the old pins fail to compile under 1.25:
golangci-lint/v2 v2.1.1 → v2.12.2 (v2.1.1 errors: "the Go language version (go1.24) used to build golangci-lint is lower than the targeted Go version (1.25.0)")
gofumpt v0.8.0 → v0.10.0
go.uber.org/mock v0.5.2 → v0.6.0
golang.org/x/tools → v0.44.0 (old transitive v0.22.0 fails: "invalid array length -delta * delta" in tokeninternal.go under 1.25)
- Verified locally:
make install-tools succeeds and golangci-lint loads once these are bumped.
- Regenerate stringer output —
make generate produces cosmetically-updated bounds checks in 5 *_string.go files (pkg/pipeline/status_string.go, pkg/connector/type_string.go, pkg/lifecycle/stream/messagestatus_string.go, pkg/lifecycle-poc/funnel/recordflag_string.go, pkg/processor/parenttype_string.go). Functionally identical; must be committed so validate-generated-files passes.
- Fix the 34 lint issues the newer golangci-lint surfaces in existing code (none introduced by the upgrade itself):
goconst (22) — repeated string literals → named constants
noctx (6) — use context-aware APIs: net/http.NewRequestWithContext, os/exec.CommandContext, (*net.ListenConfig).Listen (e.g. pkg/conduit/runtime.go:764,796, pkg/plugin/processor/builtin/impl/webhook/http.go:190, pkg/schemaregistry/schemaregistrytest/inmemory.go:86, two test files)
govet (3), staticcheck QF1012 (2 — fmt.Fprintf instead of WriteString(fmt.Sprintf(...))), gosec (1) — inspect individually
- Verify
make install-tools generate proto-generate is clean and golangci-lint run ./... passes.
Risk / tier
Tier 2, but touches pkg/conduit/runtime.go (listener setup) — the noctx fixes there are on the startup path; keep them behavior-preserving (swap to ListenConfig{}.Listen(ctx, ...) without changing semantics). Small, reviewable commits per fix category.
Blocks / supersedes
Resolving this unblocks and supersedes the dependabot go.mod PRs: #2486, #2490, #2495, #2496, #2501 (each individually forces go 1.25 and hits the same wall). PR #2503 (consolidated refresh) is closed in favor of this.
🤖 Generated with Claude Code
Why
As of mid-2026 the Go ecosystem has moved to Go 1.25. Current releases of Conduit's core dependencies now declare
go 1.25.0in their owngo.modand cannot be built under the repo's currentgo 1.24.2directive:google.golang.org/grpc(1.81+)github.com/grpc-ecosystem/grpc-gateway/v2(2.29+)golang.org/x/net(0.55+) — includes security fixesgo.opentelemetry.io/otel(1.43+)github.com/jackc/pgx/v5(5.9+)github.com/apache/thrift(0.23+)Bumping any of them pulls the module
godirective to1.25.0. There is no meaningful subset that stays on 1.24, so the Go 1.25 upgrade is now a hard prerequisite for all dependency maintenance, including security updates. This is why the consolidated dependency-refresh attempt (PR #2503) and the individual dependabot go.mod PRs below are all blocked.What it entails
godirective to1.25ingo.modandtools/go.mod. CI reads it viago-version-file: go.mod, so thetest/validate-generated-files/lintjobs will run under 1.25 automatically.tooldirectives intools/go.mod) to Go-1.25-built versions — the old pins fail to compile under 1.25:golangci-lint/v2v2.1.1 → v2.12.2 (v2.1.1 errors: "the Go language version (go1.24) used to build golangci-lint is lower than the targeted Go version (1.25.0)")gofumptv0.8.0 → v0.10.0go.uber.org/mockv0.5.2 → v0.6.0golang.org/x/tools→ v0.44.0 (old transitive v0.22.0 fails: "invalid array length -delta * delta" intokeninternal.gounder 1.25)make install-toolssucceeds andgolangci-lintloads once these are bumped.make generateproduces cosmetically-updated bounds checks in 5*_string.gofiles (pkg/pipeline/status_string.go,pkg/connector/type_string.go,pkg/lifecycle/stream/messagestatus_string.go,pkg/lifecycle-poc/funnel/recordflag_string.go,pkg/processor/parenttype_string.go). Functionally identical; must be committed sovalidate-generated-filespasses.goconst(22) — repeated string literals → named constantsnoctx(6) — use context-aware APIs:net/http.NewRequestWithContext,os/exec.CommandContext,(*net.ListenConfig).Listen(e.g.pkg/conduit/runtime.go:764,796,pkg/plugin/processor/builtin/impl/webhook/http.go:190,pkg/schemaregistry/schemaregistrytest/inmemory.go:86, two test files)govet(3),staticcheckQF1012 (2 —fmt.Fprintfinstead ofWriteString(fmt.Sprintf(...))),gosec(1) — inspect individuallymake install-tools generate proto-generateis clean andgolangci-lint run ./...passes.Risk / tier
Tier 2, but touches
pkg/conduit/runtime.go(listener setup) — thenoctxfixes there are on the startup path; keep them behavior-preserving (swap toListenConfig{}.Listen(ctx, ...)without changing semantics). Small, reviewable commits per fix category.Blocks / supersedes
Resolving this unblocks and supersedes the dependabot go.mod PRs: #2486, #2490, #2495, #2496, #2501 (each individually forces go 1.25 and hits the same wall). PR #2503 (consolidated refresh) is closed in favor of this.
🤖 Generated with Claude Code