@ycombinator ycombinator commented Sep 25, 2025

This PR bumps up the Golang version to 1.25.4. It also:

  • removes the ms_tls13kdf Golang build tag when building in FIPS mode because this tag was only needed with Golang versions 1.24.x.
  • sets the GODEBUG=tlsmlkem=0 environment variable when running FIPS140-only unit tests. This prevents errors like so: Failed to connect: crypto/ecdh: use of X25519 is not allowed in FIPS 140-only mode.
  • replaces any fmt.Sprintf("%s:%d", ip, port) code fragments with net.JoinHostPort(ip, strconv.Itoa(int(port))) to work with the new hostport go vet analyzer.

@ycombinator ycombinator requested review from a team as code owners September 25, 2025 17:17
@botelastic botelastic bot added the needs_team Indicates that the issue/PR needs a Team:* label label Sep 25, 2025
@github-actions

🤖 GitHub comments

Just comment with:

  • run docs-build : Re-trigger the docs validation. (use unformatted text in the comment!)

@mergify

mergify bot commented Sep 25, 2025

This pull request does not have a backport label.
If this is a bug or security fix, could you label this PR @ycombinator? 🙏.
For such, you'll need to label your PR with:

  • The upcoming major version of the Elastic Stack
  • The upcoming minor version of the Elastic Stack (if you're not pushing a breaking change)

To fixup this pull request, you need to add the backport labels for the needed
branches, such as:

  • backport-8./d is the label to automatically backport to the 8./d branch. /d is the digit
  • backport-active-all is the label that automatically backports to all active branches.
  • backport-active-8 is the label that automatically backports to all active minor branches for the 8 major.
  • backport-active-9 is the label that automatically backports to all active minor branches for the 9 major.

@ycombinator ycombinator added Team:Elastic-Agent-Data-Plane Label for the Agent Data Plane team backport-active-all Automated backport with mergify to all the active branches labels Sep 25, 2025
@elasticmachine

Pinging @elastic/elastic-agent-data-plane (Team:Elastic-Agent-Data-Plane)

@botelastic botelastic bot removed the needs_team Indicates that the issue/PR needs a Team:* label label Sep 25, 2025
@ycombinator ycombinator requested a review from a team as a code owner September 25, 2025 17:28
@joecompute joecompute left a comment

LGTM

@belimawr

There is a new Go Vet rule: https://go.dev/doc/go1.25#vet

So many builds are breaking with:

helper/server/udp/udp_test.go:81:26: address format "%s:%d" does not work with IPv6 (passed to net.Dial at L82)

https://buildkite.com/elastic/beats-metricbeat/builds/24655/steps/canvas?jid=01998236-e28d-40a4-a759-d06b75055f5a#01998236-e28d-40a4-a759-d06b75055f5a/132-385
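
The vet failure quoted above, and the `fmt.Sprintf` to `net.JoinHostPort` replacement listed in the PR description, as an added Go example that is not code from this PR or from Beats: it builds an address both ways and checks whether the result parses back with `net.SplitHostPort`. The function names, the sample hosts and port 9200 are constructed for illustration.

```go
package main

import (
	"fmt"
	"net"
	"strconv"
)

// sprintfAddr is the pattern the hostport vet analyzer flags: the host is
// pasted in front of ":port" with no brackets around an IPv6 literal.
func sprintfAddr(ip string, port uint16) string {
	return fmt.Sprintf("%s:%d", ip, port)
}

// joinAddr is the replacement form: net.JoinHostPort brackets any host that
// contains a colon (IPv6 literals, including zoned ones).
func joinAddr(ip string, port uint16) string {
	return net.JoinHostPort(ip, strconv.Itoa(int(port)))
}

// roundTrips reports whether addr parses back into exactly host and port,
// which is what a dialer needs in order to reach the intended endpoint.
func roundTrips(addr, host string, port uint16) bool {
	h, p, err := net.SplitHostPort(addr)
	return err == nil && h == host && p == strconv.Itoa(int(port))
}

func main() {
	// Constructed sample hosts: IPv4, IPv6 loopback, zoned link-local IPv6.
	for _, host := range []string{"127.0.0.1", "::1", "fe80::1%eth0"} {
		old, fixed := sprintfAddr(host, 9200), joinAddr(host, 9200)
		fmt.Printf("%-14s Sprintf=%-20q ok=%-5v JoinHostPort=%-22q ok=%v\n",
			host, old, roundTrips(old, host, 9200),
			fixed, roundTrips(fixed, host, 9200))
	}
}
```

For IPv4 the two forms are identical, which is why the `%s:%d` pattern passes tests on IPv4-only hosts and only fails once an IPv6 address reaches it.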

@ycombinator

ycombinator commented Sep 25, 2025

The fips140=only unit tests are failing like so:

crypto/ecdh: use of X25519 is not allowed in FIPS 140-only mode

These appear to be golang/go#75148, which should be fixable when golang/go#74630 is implemented. However, in order to upgrade to Go 1.25.1 now, we'll need to find a workaround.

@ycombinator

ycombinator commented Sep 26, 2025

The fips140=only unit tests are failing like so:

crypto/ecdh: use of X25519 is not allowed in FIPS 140-only mode

These appear to be golang/go#75148, which should be fixable when golang/go#74630 is implemented. However, in order to upgrade to Go 1.25.1 now, we'll need to find a workaround.

These errors are coming from Go downloading dependencies before executing the tests. The errors can be simulated like so:

GODEBUG=fips140=only go mod download -x
# get https://proxy.golang.org/github.com/opencontainers/image-spec/@v/v1.1.1.info
# get https://proxy.golang.org/github.com/opencontainers/image-spec/@v/v1.1.1.info: Get "https://proxy.golang.org/github.com/opencontainers/image-spec/@v/v1.1.1.info": crypto/ecdh: use of X25519 is not allowed in FIPS 140-only mode
...

I ran into the same problem in elastic/elastic-agent#10156 and I had success with explicitly downloading the dependencies before executing the tests. I'm running into a different problem on that PR now; once it's sorted out, I will apply the same approach on this PR here. Moving this PR into draft until then.

@ycombinator ycombinator marked this pull request as draft September 26, 2025 05:27
@ycombinator

MacOS packaging steps are failing in CI like so (this example is from trying to package Agentbeat):

/usr/local/go/pkg/tool/linux_amd64/link: running o64-clang failed: exit status 1
--
  | /usr/local/osxcross/bin/o64-clang -arch x86_64 -m64 -Wl,-flat_namespace -Wl,-bind_at_load -Wl,-S -Wl,-x -o $WORK/b001/exe/a.out -Qunused-arguments /tmp/go-link-387501915/go.o /tmp/go-link-387501915/000000.o /tmp/go-link-387501915/000001.o /tmp/go-link-387501915/000002.o /tmp/go-link-387501915/000003.o /tmp/go-link-387501915/000004.o /tmp/go-link-387501915/000005.o /tmp/go-link-387501915/000006.o /tmp/go-link-387501915/000007.o /tmp/go-link-387501915/000008.o /tmp/go-link-387501915/000009.o /tmp/go-link-387501915/000010.o /tmp/go-link-387501915/000011.o /tmp/go-link-387501915/000012.o /tmp/go-link-387501915/000013.o /tmp/go-link-387501915/000014.o /tmp/go-link-387501915/000015.o /tmp/go-link-387501915/000016.o /tmp/go-link-387501915/000017.o /tmp/go-link-387501915/000018.o /tmp/go-link-387501915/000019.o /tmp/go-link-387501915/000020.o /tmp/go-link-387501915/000021.o /tmp/go-link-387501915/000022.o /tmp/go-link-387501915/000023.o /tmp/go-link-387501915/000024.o /tmp/go-link-387501915/000025.o /tmp/go-link-387501915/000026.o /tmp/go-link-387501915/000027.o /tmp/go-link-387501915/000028.o /tmp/go-link-387501915/000029.o /tmp/go-link-387501915/000030.o /tmp/go-link-387501915/000031.o /tmp/go-link-387501915/000032.o /tmp/go-link-387501915/000033.o /tmp/go-link-387501915/000034.o /tmp/go-link-387501915/000035.o /tmp/go-link-387501915/000036.o /tmp/go-link-387501915/000037.o /tmp/go-link-387501915/000038.o /tmp/go-link-387501915/000039.o /tmp/go-link-387501915/000040.o /tmp/go-link-387501915/000041.o /tmp/go-link-387501915/000042.o /tmp/go-link-387501915/000043.o /tmp/go-link-387501915/000044.o /tmp/go-link-387501915/000045.o /tmp/go-link-387501915/000046.o -lresolv -lpcap -lpcap -lpcap -lpcap -lproc -framework CoreFoundation -framework Security -lpcap -framework CoreServices -lpcap -lpthread -lpcap -lpcap -lpcap -lpcap -lpcap -lpcap
  | Undefined symbols for architecture x86_64:
  | "_SecTrustCopyCertificateChain", referenced from:
  | _crypto/x509/internal/macos.x509_SecTrustCopyCertificateChain_trampoline.abi0 in go.o
  | ld: symbol(s) not found for architecture x86_64
  | clang: error: linker command failed with exit code 1 (use -v to see invocation)
  |  
  | Error: running "go build -o build/golang-crossbuild/agentbeat-darwin-amd64 -buildmode pie -trimpath -tags=agentbeat -ldflags -s -X github.com/elastic/beats/v7/libbeat/version.buildTime=2025-09-26T23:08:11Z -X github.com/elastic/beats/v7/libbeat/version.commit=cf79447dfa4d2753c13a26766f8b25995a2062fe" failed with exit code 1
  | Error: failed building for darwin/amd64: exit status 1
  | failed building for darwin/amd64: exit status 1

From https://go.dev/doc/go1.25#darwin:

As announced in the Go 1.24 release notes, Go 1.25 requires macOS 12 Monterey or later. Support for previous versions has been discontinued.

And it looks like we're still using either the 10.11 or 11.3 MacOS SDK in golang-crossbuild images.

@mergify

mergify bot commented Oct 15, 2025

This pull request is now in conflicts. Could you fix it? 🙏
To fixup this pull request, you can check it out locally. See documentation: https://help.github.com/articles/checking-out-pull-requests-locally/

git fetch upstream
git checkout -b bump-golang-1.25.1 upstream/bump-golang-1.25.1
git merge upstream/main
git push upstream bump-golang-1.25.1

@rubenruizdegauna rubenruizdegauna removed their request for review October 22, 2025 12:30
@ycombinator ycombinator force-pushed the bump-golang-1.25.1 branch 2 times, most recently from faae77a to 6f97853 Compare October 30, 2025 21:29
@ycombinator

Hi @khushijain21, one of the test failures in this PR is TestProxyHTTP/when_http/s_proxy_url_is_set. It is failing like so:

=== NAME  TestProxyHTTP/when_http/s_proxy_url_is_set
    logger.go:146: 2025-10-31T17:04:25.725-0700	DEBUG	Request failed.	{"reason": "tls: first record does not look like a TLS handshake"}
    logger.go:146: 2025-10-31T17:04:30.098-0700	ERROR	bulk indexer flush error	{"error": "failed to execute the request: tls: first record does not look like a TLS handshake"}
    logger.go:146: 2025-10-31T17:04:30.098-0700	ERROR	Exporting failed. Dropping data.	{"error": "failed to execute the request: tls: first record does not look like a TLS handshake", "dropped_items": 1}
    logger.go:146: 2025-10-31T17:04:30.098-0700	ERROR	Exporting failed. Rejecting data.	{"error": "failed to execute the request: tls: first record does not look like a TLS handshake", "rejected_items": 1}
    beatsauth_test.go:642:
        	Error Trace:	/Users/shaunak/development/github/beats/libbeat/otelbeat/oteltest/beatsauth_test.go:642
        	Error:      	Received unexpected error:
        	            	failed to execute the request: tls: first record does not look like a TLS handshake
        	Test:       	TestProxyHTTP/when_http/s_proxy_url_is_set
        	Messages:   	error sending logs
--- FAIL: TestProxyHTTP (10.22s)

Could you help me figure out where this error is coming from, please? You can reproduce this test failure in isolation by checking out this PR, and running:

GODEBUG=fips140=only go test ./libbeat/otelbeat/oteltest/... -test.run "TestProxyHTTP/when_http/s_proxy_url_is_set" -test.v

@ycombinator ycombinator changed the title Bump Go version to 1.25.2 Bump Go version to 1.25.4 Nov 5, 2025