Skip to content

Upgrade to Go 1.25 (toolchain + linter + surfaced fixes) #2506

Description

@devarismeroxa

Why

As of mid-2026 the Go ecosystem has moved to Go 1.25. Current releases of Conduit's core dependencies now declare go 1.25.0 in their own go.mod and cannot be built under the repo's current go 1.24.2 directive:

  • google.golang.org/grpc (1.81+)
  • github.com/grpc-ecosystem/grpc-gateway/v2 (2.29+)
  • golang.org/x/net (0.55+) — includes security fixes
  • go.opentelemetry.io/otel (1.43+)
  • github.com/jackc/pgx/v5 (5.9+)
  • github.com/apache/thrift (0.23+)

Bumping any of them pulls the module go directive to 1.25.0. There is no meaningful subset that stays on 1.24, so the Go 1.25 upgrade is now a hard prerequisite for all dependency maintenance, including security updates. This is why the consolidated dependency-refresh attempt (PR #2503) and the individual dependabot go.mod PRs below are all blocked.

What it entails

  1. Bump the go directive to 1.25 in go.mod and tools/go.mod. CI reads it via go-version-file: go.mod, so the test/validate-generated-files/lint jobs will run under 1.25 automatically.
  2. Bump the CI toolchain (the tool directives in tools/go.mod) to Go-1.25-built versions — the old pins fail to compile under 1.25:
    • golangci-lint/v2 v2.1.1 → v2.12.2 (v2.1.1 errors: "the Go language version (go1.24) used to build golangci-lint is lower than the targeted Go version (1.25.0)")
    • gofumpt v0.8.0 → v0.10.0
    • go.uber.org/mock v0.5.2 → v0.6.0
    • golang.org/x/tools → v0.44.0 (old transitive v0.22.0 fails: "invalid array length -delta * delta" in tokeninternal.go under 1.25)
    • Verified locally: make install-tools succeeds and golangci-lint loads once these are bumped.
  3. Regenerate stringer outputmake generate produces cosmetically-updated bounds checks in 5 *_string.go files (pkg/pipeline/status_string.go, pkg/connector/type_string.go, pkg/lifecycle/stream/messagestatus_string.go, pkg/lifecycle-poc/funnel/recordflag_string.go, pkg/processor/parenttype_string.go). Functionally identical; must be committed so validate-generated-files passes.
  4. Fix the 34 lint issues the newer golangci-lint surfaces in existing code (none introduced by the upgrade itself):
    • goconst (22) — repeated string literals → named constants
    • noctx (6) — use context-aware APIs: net/http.NewRequestWithContext, os/exec.CommandContext, (*net.ListenConfig).Listen (e.g. pkg/conduit/runtime.go:764,796, pkg/plugin/processor/builtin/impl/webhook/http.go:190, pkg/schemaregistry/schemaregistrytest/inmemory.go:86, two test files)
    • govet (3), staticcheck QF1012 (2 — fmt.Fprintf instead of WriteString(fmt.Sprintf(...))), gosec (1) — inspect individually
  5. Verify make install-tools generate proto-generate is clean and golangci-lint run ./... passes.

Risk / tier

Tier 2, but touches pkg/conduit/runtime.go (listener setup) — the noctx fixes there are on the startup path; keep them behavior-preserving (swap to ListenConfig{}.Listen(ctx, ...) without changing semantics). Small, reviewable commits per fix category.

Blocks / supersedes

Resolving this unblocks and supersedes the dependabot go.mod PRs: #2486, #2490, #2495, #2496, #2501 (each individually forces go 1.25 and hits the same wall). PR #2503 (consolidated refresh) is closed in favor of this.

🤖 Generated with Claude Code

Metadata

Metadata

Assignees

No one assigned

    Labels

    housekeepingSmall improvements or chores

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions