Lower go directive to minimum required version

[silv-io]

Motivation

The go directive in go.mod was being bumped to the latest Go release weekly, but it specifies the minimum version required to build the module — not the target. Setting it to bleeding-edge made it harder for downstream packagers (AUR, Nix /cc @purcell) to build lstk without the latest Go toolchain.

Changes

• Set go directive to 1.25.0 (the actual minimum, constrained by golang.org/x/sys and golang.org/x/term)
• Add explicit toolchain go1.26.1 directive so CI and developers still use the latest Go via auto-download
• Update weekly-go-upgrade workflow to bump toolchain instead of go — packagers using GOTOOLCHAIN=local are unaffected by toolchain bumps
• CI keeps using go-version-file: go.mod (which reads the toolchain directive)

Tests

• Existing CI will validate — no code changes, only build/workflow config
• The new tidy CI job will verify go mod tidy produces no diff

Related

• FLC-545

[coderabbitai]

Caution

Review failed

The pull request is closed.

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Repository UI (base), Organization UI (inherited)

Review profile: CHILL

Plan: Pro

Run ID: e5d100de-e565-47f4-8628-2ed7aacf545e

📥 Commits

Reviewing files that changed from the base of the PR and between 57b1679 and 73fc69c.

⛔ Files ignored due to path filters (1)

• test/integration/go.sum is excluded by !**/*.sum

📒 Files selected for processing (2)

• .github/workflows/weekly-go-upgrade.yml
• test/integration/go.mod

---

📝 Walkthrough

Walkthrough

Rename and adjust the weekly Go upgrade workflow to use the Go toolchain updater; add/modify toolchain directives in the root go.mod; and update test/integration/go.mod toolchain and multiple direct/indirect dependency versions.

Changes

Cohort / File(s)	Summary
Workflow .github/workflows/weekly-go-upgrade.yml	Renamed workflow/job/step labels to "Toolchain". Script now fetches toolchain@latest (instead of go@latest), runs go mod tidy, cd's into test/integration, runs go get toolchain@latest and another go mod tidy. PR title/body updated to reference "toolchain upgrade".
Root go.mod go.mod	Changed module go directive from 1.26.1 → 1.25.0 and added toolchain go1.26.1 directive (separating language version from toolchain selection).
Integration test module test/integration/go.mod	Bumped test module toolchain to go 1.26.1; updated direct deps (e.g., aws-sdk-go-v2/service/s3 v1.97.1→v1.97.2, github.com/docker/docker v28.2.2→v28.5.2, go-keyring v0.2.6→v0.2.7); updated many indirect deps (adds, removals, and version bumps including OpenTelemetry, golang.org/x/sys/time, grpc), and removed some indirects (e.g., al.essio.dev/pkg/shellescape).

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~22 minutes

Possibly related PRs

• Fix upgrade workflow #31 — Modifies the weekly Go upgrade workflow and upgrade steps (closely related workflow changes).
• chore(go): weekly Go upgrade #35 — Changes module Go version in go.mod (closely related to root/module version edits).
• chore(go): weekly Go upgrade #85 — Adjusts module Go directives/toolchain (overlaps with toolchain vs go directive changes).

Suggested labels

dependencies

Suggested reviewers

• carole-lavillonniere
• anisaoshafi

🚥 Pre-merge checks | ✅ 2

✅ Passed checks (2 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title accurately describes the main change: lowering the go directive from 1.26.1 to 1.25.0 to reflect the actual minimum required version.
Description check	✅ Passed	The description is well-structured and directly relates to the changeset, explaining the motivation, changes made, and testing approach.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch silv-io/flc-545

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 2

🧹 Nitpick comments (1)

.github/workflows/weekly-go-upgrade.yml (1)

26-32: Workflow intent and command behavior are misaligned.

The workflow is framed as a toolchain upgrade, but Line 31 uses go get go@latest in test/integration, which upgrades the go directive rather than the toolchain directive. The root module (go 1.25.0 + toolchain go1.26.1) uses go get toolchain@latest at Line 28, keeping the go directive unchanged. For consistency, either:

1. Update Line 31 to go get toolchain@latest to match the root strategy, or
2. Clarify why test/integration intentionally tracks a separate go version

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.github/workflows/weekly-go-upgrade.yml around lines 26 - 32, The workflow
currently mixes upgrading the Go toolchain and the module 'go' directive: it
runs "go get toolchain@latest" at the root but uses "go get go@latest" in the
test/integration module; change the test/integration invocation to "go get
toolchain@latest" to match the root strategy (or explicitly document why
test/integration should track a different 'go' directive), ensuring consistency
between the "go get toolchain@latest" steps and the module "go" vs "toolchain"
directives (e.g., the root's "go 1.25.0" and "toolchain go1.26.1" vs
test/integration).

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@test/integration/go.mod`:
- Line 1: The module declaration in the integration module is incorrect: update
the module path string currently set to "module github.com/localstack/lstk" so
that the integration package declares itself as "module
github.com/localstack/lstk/test/integration" (i.e., change the module line in
test/integration/go.mod to the integration-specific path) to resolve the
duplicate-module conflict referenced by the require of
github.com/localstack/lstk/test/integration.
- Line 69: Replace the vulnerable grpc dependency version
"google.golang.org/grpc v1.77.0" in the go.mod entry with
"google.golang.org/grpc v1.79.3" (or any later patch >= v1.79.3) to mitigate
CVE-2026-33186, then run "go get google.golang.org/grpc@v1.79.3" and "go mod
tidy" to update go.sum and vendor files; ensure the test/integration go.mod
entry is the one updated.

---

Nitpick comments:
In @.github/workflows/weekly-go-upgrade.yml:
- Around line 26-32: The workflow currently mixes upgrading the Go toolchain and
the module 'go' directive: it runs "go get toolchain@latest" at the root but
uses "go get go@latest" in the test/integration module; change the
test/integration invocation to "go get toolchain@latest" to match the root
strategy (or explicitly document why test/integration should track a different
'go' directive), ensuring consistency between the "go get toolchain@latest"
steps and the module "go" vs "toolchain" directives (e.g., the root's "go
1.25.0" and "toolchain go1.26.1" vs test/integration).

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository UI (base), Organization UI (inherited)

Review profile: CHILL

Plan: Pro

Run ID: f5dfa36b-8622-4837-9202-815d015f2a19

📥 Commits

Reviewing files that changed from the base of the PR and between 59d5815 and 57b1679.

⛔ Files ignored due to path filters (1)

• test/integration/go.sum is excluded by !**/*.sum

📒 Files selected for processing (3)

• .github/workflows/weekly-go-upgrade.yml
• go.mod
• test/integration/go.mod

[purcell]

Nice! Yes, I can confirm this will be helpful downstream.