🌱 Bump Go 1.24

[sivchari]

What this PR does / why we need it:

Which issue(s) this PR fixes (optional, in fixes #<issue number>(, fixes #<issue_number>, ...) format, will close the issue(s) when PR gets merged):
Fixes #

Part of #11642

/area dependency

[sivchari]

Error: can't load config: the Go language version (go1.23) used to build golangci-lint is lower than the targeted Go version (1.24)
Failed executing command with error: can't load config: the Go language version (go1.23) used to build golangci-lint is lower than the targeted Go version (1.24)

We should merge #12088 at first since the golangci-lint version that Go1.24 is available is only golangci-lint v2.

[fabriziopandini]

/hold

We usually use the same go version used by K8s version we are importing, and we import the same K8s version used by the controller runtime version we are using.
(so most probably we should stick to go 1.23 until we bump to CR 0.21)

[sivchari]

Thanks!
Other PRs about dependency could be merged, when new CR is published.

[sbueringer]

I would like to do the CR bump. I'm usually using CAPI as a final verification for CR before the CR release is published. I will coordinate with you that this PR is merged right before.

Can you please rebase this PR?

[sivchari]

@sbueringer
rebased it.

EDIT
I'll take it later.

[sivchari]

This failure is led by Go 1.24 since the go test run the vet implicitly before run test. Since 1.24, printf linter is called every time, then I disabled it on golanci.yml to deal with these issues on another PR. But it seems to deal with it too including with this PR.

[sivchari]

Okay, it works correctly 😄

[sivchari]

=== Symbol Results ===

Vulnerability #1: GO-2025-3563
    Request smuggling due to acceptance of invalid chunked data in net/http
  More info: https://pkg.go.dev/vuln/GO-2025-3563
  Standard library
    Found in: net/http/[email protected]
    Fixed in: net/http/[email protected]
    Example traces found:
      #1: cmd/clusterctl/client/repository/repository_gitlab.go:184:28: repository.gitLabRepository.GetFile calls io.ReadAll, which eventually calls internal.chunkedReader.Read

Your code is affected by 1 vulnerability from the Go standard library.
This scan found no other vulnerabilities in packages you import or modules you
require.
Use '-show verbose' for more details.
=== Symbol Results ===

No vulnerabilities found.

Your code is affected by 0 vulnerabilities.
This scan also found 1 vulnerability in packages you import and 0
vulnerabilities in modules you require, but your code doesn't appear to call
these vulnerabilities.
Use '-show verbose' for more details.
=== Symbol Results ===

Vulnerability #1: GO-2025-3563
    Request smuggling due to acceptance of invalid chunked data in net/http
  More info: https://pkg.go.dev/vuln/GO-2025-3563
  Standard library
    Found in: net/http/[email protected]
    Fixed in: net/http/[email protected]
    Example traces found:
      #1: infrastructure/container/docker.go:130:24: container.dockerRuntime.PullContainerImage calls io.ReadAll, which eventually calls internal.chunkedReader.Read

Your code is affected by 1 vulnerability from the Go standard library.
This scan found no other vulnerabilities in packages you import or modules you
require.
Use '-show verbose' for more details.
make: *** [verify-govulncheck] Error 1

We met the vulnerability, then I decide to upgrade from go1.24.0 to go1.24.2.

[sivchari]

/retest

[sivchari]

Thx! rebased.

[sbueringer]

Thx!

/lgtm

Waiting with merge until we can be sure that we'll get a CR v0.21.0 release ahead of the CAPI alpha we want to do in a few weeks

[k8s-ci-robot]

LGTM label has been added.

Git tree hash: 6d2002d939e9353ec159a0f77321ec13626a72da

[chrischdi]

lgtm, besides google cloud build image bump

[chrischdi]

Last open point: update the cloudbuild yaml files to use
gcr.io/k8s-staging-test-infra/gcb-docker-gcloud@sha256:fe4041d57c711070436d3c5b7702534b7158f464e9772aa9e333a5e0e24fd854 / v20250513-9264efb079 which contains go 1.24 🎉

[sbueringer]

I cannot pull this image

docker pull gcr.io/k8s-staging-test-infra/gcb-docker-gcloud@sha256:fe4041d57c711070436d3c5b7702534b7158f464e9772aa9e333a5e0e24fd854
Error response from daemon: manifest for gcr.io/k8s-staging-test-infra/gcb-docker-gcloud@sha256:fe4041d57c711070436d3c5b7702534b7158f464e9772aa9e333a5e0e24fd854 not found: manifest unknown: Requested entity was not found.

[sbueringer]

I think this sha works sha256:63840f133e0dfeea0af9ef391210da7fab9d2676172e2967fccab0cd6110c4e7

[sbueringer]

@chrischdi please confirm :)

(https://console.cloud.google.com/artifacts/docker/k8s-staging-test-infra/us/gcr.io/gcb-docker-gcloud/sha256:63840f133e0dfeea0af9ef391210da7fab9d2676172e2967fccab0cd6110c4e7?inv=1&invt=AbxYag)

[sivchari]

Thx! I fixed it.

[sbueringer]

We met the vulnerability, then I decide to upgrade from go1.24.0 to go1.24.2.

Nice catch btw.

I discussed this with Christian and Fabrizio. Given that we are going to merge the CR bump ahead of the next release anyway we would like to merge the current PR as soon as it's ready (last finding should be: #12128 (comment))

[sbueringer]

/hold cancel
/lgtm
/approve

(double checked the gcb-docker-gcloud images, now all good)

[k8s-ci-robot]

LGTM label has been added.

Git tree hash: ba67208b2af6fd5eb5c6279aa2f6e8e00a4792f0

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: sbueringer

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [sbueringer]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment