From 2bcf047f90e7cbc2a728ff96168b511f931b2a10 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pawe=C5=82=20Gronowski?= <pawel.gronowski@docker.com>
Date: Tue, 14 Oct 2025 09:11:31 +0200
Subject: [PATCH] update to go1.25.3
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

This release addresses breakage caused by a security patch included in
Go 1.25.2 and 1.24.8, which enforced overly restrictive validation on
the parsing of X.509 certificates. We've removed those restrictions
while maintaining the security fix that the initial release addressed.

Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>
---
 .github/workflows/codeql.yml     | 2 +-
 .github/workflows/test.yml       | 2 +-
 .golangci.yml                    | 2 +-
 Dockerfile                       | 2 +-
 docker-bake.hcl                  | 2 +-
 dockerfiles/Dockerfile.dev       | 2 +-
 dockerfiles/Dockerfile.lint      | 2 +-
 dockerfiles/Dockerfile.vendor    | 2 +-
 e2e/testdata/Dockerfile.gencerts | 2 +-
 9 files changed, 9 insertions(+), 9 deletions(-)

diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index 2244352e54..046760faf6 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -63,7 +63,7 @@ jobs:
         name: Update Go
         uses: actions/setup-go@v6
         with:
-          go-version: "1.25.2"
+          go-version: "1.25.3"
       -
         name: Initialize CodeQL
         uses: github/codeql-action/init@v4
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index a22736841f..b3732c708e 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -67,7 +67,7 @@ jobs:
         name: Set up Go
         uses: actions/setup-go@v6
         with:
-          go-version: "1.25.2"
+          go-version: "1.25.3"
       -
         name: Test
         run: |
diff --git a/.golangci.yml b/.golangci.yml
index 4fc4e841fb..400a5ffbab 100644
--- a/.golangci.yml
+++ b/.golangci.yml
@@ -5,7 +5,7 @@ run:
   # which causes it to fallback to go1.17 semantics.
   #
   # TODO(thaJeztah): update "usetesting" settings to enable go1.24 features once our minimum version is go1.24
-  go: "1.25.2"
+  go: "1.25.3"
 
   timeout: 5m
 
diff --git a/Dockerfile b/Dockerfile
index f534322fd2..604d73fcba 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -8,7 +8,7 @@ ARG BASE_VARIANT=alpine
 ARG ALPINE_VERSION=3.22
 ARG BASE_DEBIAN_DISTRO=bookworm
 
-ARG GO_VERSION=1.25.2
+ARG GO_VERSION=1.25.3
 
 # XX_VERSION specifies the version of the xx utility to use.
 # It must be a valid tag in the docker.io/tonistiigi/xx image repository.
diff --git a/docker-bake.hcl b/docker-bake.hcl
index b5466270c0..3d4f2f1a1c 100644
--- a/docker-bake.hcl
+++ b/docker-bake.hcl
@@ -1,5 +1,5 @@
 variable "GO_VERSION" {
-    default = "1.25.2"
+    default = "1.25.3"
 }
 variable "VERSION" {
     default = ""
diff --git a/dockerfiles/Dockerfile.dev b/dockerfiles/Dockerfile.dev
index 3582bb46d8..25b500dc8a 100644
--- a/dockerfiles/Dockerfile.dev
+++ b/dockerfiles/Dockerfile.dev
@@ -1,6 +1,6 @@
 # syntax=docker/dockerfile:1
 
-ARG GO_VERSION=1.25.2
+ARG GO_VERSION=1.25.3
 
 # ALPINE_VERSION sets the version of the alpine base image to use, including for the golang image.
 # It must be a supported tag in the docker.io/library/alpine image repository
diff --git a/dockerfiles/Dockerfile.lint b/dockerfiles/Dockerfile.lint
index d6ae99ad68..f5eeb39de1 100644
--- a/dockerfiles/Dockerfile.lint
+++ b/dockerfiles/Dockerfile.lint
@@ -1,6 +1,6 @@
 # syntax=docker/dockerfile:1
 
-ARG GO_VERSION=1.25.2
+ARG GO_VERSION=1.25.3
 
 # ALPINE_VERSION sets the version of the alpine base image to use, including for the golang image.
 # It must be a supported tag in the docker.io/library/alpine image repository
diff --git a/dockerfiles/Dockerfile.vendor b/dockerfiles/Dockerfile.vendor
index 8e19482e93..98bb2aaddc 100644
--- a/dockerfiles/Dockerfile.vendor
+++ b/dockerfiles/Dockerfile.vendor
@@ -1,6 +1,6 @@
 # syntax=docker/dockerfile:1
 
-ARG GO_VERSION=1.25.2
+ARG GO_VERSION=1.25.3
 
 # ALPINE_VERSION sets the version of the alpine base image to use, including for the golang image.
 # It must be a supported tag in the docker.io/library/alpine image repository
diff --git a/e2e/testdata/Dockerfile.gencerts b/e2e/testdata/Dockerfile.gencerts
index ca8cb11656..3eba51c256 100644
--- a/e2e/testdata/Dockerfile.gencerts
+++ b/e2e/testdata/Dockerfile.gencerts
@@ -1,6 +1,6 @@
 # syntax=docker/dockerfile:1
 
-ARG GO_VERSION=1.25.2
+ARG GO_VERSION=1.25.3
 
 FROM golang:${GO_VERSION}-alpine AS generated
 ENV GOTOOLCHAIN=local