chore(deps): update go dependencies

[red-hat-konflux]

This PR contains the following updates:

Package	Type	Update	Change
github.com/docker/docker-credential-helpers	indirect	patch	v0.9.4 -> v0.9.5
github.com/google/pprof	indirect	digest	4902fdd -> d7df1bf
github.com/letsencrypt/boulder	indirect	minor	v0.20250721.0 -> v0.20260105.0
github.com/secure-systems-lab/go-securesystemslib	indirect	minor	v0.9.1 -> v0.10.0
github.com/sigstore/sigstore	indirect	minor	v1.9.6-0.20251017153808-5089bd7668f3 -> v1.10.3
github.com/sigstore/sigstore-go	require	patch	v1.1.3 -> v1.1.4
golang.org/x/mod	indirect	minor	v0.31.0 -> v0.32.0
golang.org/x/sys	indirect	minor	v0.39.0 -> v0.40.0
golang.org/x/term	indirect	minor	v0.38.0 -> v0.39.0
golang.org/x/text	indirect	minor	v0.32.0 -> v0.33.0
google.golang.org/genproto/googleapis/rpc	indirect	digest	97cd9d5 -> 0a764e5
k8s.io/api	require	minor	v0.34.2 -> v0.35.0
k8s.io/apiextensions-apiserver	indirect	minor	v0.34.2 -> v0.35.0
k8s.io/apimachinery	require	minor	v0.34.2 -> v0.35.0
k8s.io/client-go	require	minor	v0.34.2 -> v0.35.0
k8s.io/utils	require	digest	718f0e5 -> 914a6e7

---

Warning

Some dependencies could not be looked up. Check the warning logs for more information.

---

Release Notes

docker/docker-credential-helpers (github.com/docker/docker-credential-helpers)

v0.9.5

Compare Source

What's Changed

• build(deps): bump actions/checkout from 5 to 6 #​395
• build(deps): bump actions/upload-artifact from 4 to 6 #​398
• build(deps): bump softprops/action-gh-release from 2.3.3 to 2.4.1 #​391
• build(deps): bump softprops/action-gh-release from 2.4.1 to 2.5.0 #​397
• Dockerfile: remove redundant DEBIAN_FRONTEND=noninteractive #​404
• Dockerfile: update golangci-lint to v2.8 #​402
• gha: update some actions to ubuntu 24.04 #​401
• update to go1.25.2 #​392
• update to go1.25.5 #​399

Full Changelog: docker/docker-credential-helpers@v0.9.4...v0.9.5

letsencrypt/boulder (github.com/letsencrypt/boulder)

v0.20260105.0

Compare Source

What's Changed

• lint: fix staticcheck QF issues by @​alexandear in #​8524
• fix: correct typos in test and documentation comments by @​alexandear in #​8526
• test: Refactor initSA to simplify cleanup in tests by @​alexandear in #​8525
• add bsetup notes to README by @​acaird in #​8521
• CA: Log error instead of cert upon storage failure by @​aarongable in #​8528
• web: No longer escape HTML characters in SendError by @​beautifulentropy in #​8533

New Contributors

• @​alexandear made their first contribution in #​8524
• @​acaird made their first contribution in #​8521

Full Changelog: letsencrypt/boulder@v0.20251216.0...v0.20260105.0

v0.20251216.0

Compare Source

What's Changed

• build(deps): bump the aws group across 1 directory with 4 updates by @​dependabot[bot] in #​8496
• Remove usage of subtle.ConstantTimeCompare in validation by @​aarongable in #​8519
• docker: Add build context for vtcomboserver service by @​sheurich in #​8520
• Fix wildcard authorization reuse with DNS-Account-01 by @​sheurich in #​8504
• Refactor DNS to pass full messages up to the VA by @​aarongable in #​8513
• ca/cert-checker: Support test log submissions by @​beautifulentropy in #​8522

Full Changelog: letsencrypt/boulder@v0.20251208.0...v0.20251216.0

v0.20251208.0

Compare Source

What's Changed

• ratelimits: Refactor Reset() to accept a batch of Transactions by @​beautifulentropy in #​8503
• Update CI to go1.25.5 by @​aarongable in #​8511
• Store authzIDs directly in order table by @​jsha in #​8460
• Add current datetime column to orderFqdnSets and authz2 tables by @​aarongable in #​8512
• sa: Fix modelToOrder to populate V2Authorizations from Authzs column by @​aaomidi in #​8514
• Remove ECDSA P-224 curve support from the ceremony tool by @​pgporada in #​8515
• Allow monitoring_only logs as well as test logs for submitToTestLogs by @​mcpherrinm in #​8510
• database: Add vitess + mysql 8.4 to our development environment by @​beautifulentropy in #​8468

Full Changelog: letsencrypt/boulder@v0.20251202.0...v0.20251208.0

v0.20251202.0

Compare Source

What's Changed

• sa: use dummy date instead of zero date by @​jsha in #​8481
• borp/sa: Update borp to pass Transaction args through BoulderTypeConverter by @​beautifulentropy in #​8494
• sfe: Keep loading intervals in sync with promise, fix wording by @​beautifulentropy in #​8500
• sfe/redis: Add limiter config to SFE and cleanup creds by @​beautifulentropy in #​8501
• Make CAA checking more like DCV checking by @​aarongable in #​8491
• Update Public Suffix List to v0.50.1 by @​aarongable in #​8495
• sa: Stop injecting max_statement_time and long_query_time into DSNs by @​beautifulentropy in #​8490
• Remove dead code by @​mcpherrinm in #​8506
• build(deps): bump github/codeql-action from 3 to 4 by @​dependabot[bot] in #​8507

Full Changelog: letsencrypt/boulder@v0.20251118.0...v0.20251202.0

v0.20251118.0

Compare Source

What's Changed

• build(deps): bump actions/github-script from 7 to 8 by @​dependabot[bot] in #​8472
• wfe: Add healthz endpoint by @​jprenken in #​8484
• Use promauto.With(stats) instead of stats.MustRegister() by @​aarongable in #​8483
• database: Remove Partitions from our tables by @​beautifulentropy in #​8489
• sfe/overrides: Update agreements with revised wording from legal by @​beautifulentropy in #​8488

Full Changelog: letsencrypt/boulder@v0.20251110.0...v0.20251118.0

v0.20251110.0

Compare Source

What's Changed

• Remove 10-second timeout from RA's override loading code by @​jprenken in #​8477
• test: Remove queries containing DDL from unit tests by @​beautifulentropy in #​8479
• Refactor GetSCTs to use a single loop with a ticker by @​mcpherrinm in #​8470
• Use promauto to register stats in bdns by @​mcpherrinm in #​8480
• Export prometheus client_golang's Go build_info metric by @​mcpherrinm in #​8482

Full Changelog: letsencrypt/boulder@v0.20251103.0...v0.20251110.0

v0.20251103.0

Compare Source

What's Changed

• sa: NewOrderAndAuthzs checks that nonzero authzs were provided by @​jsha in #​8464
• Add visibility into nonce redemption failure causes by @​aarongable in #​8448
• Use json tags to suppress Account fields in API responses by @​aarongable in #​8455
• Deprecate NoPendingAuthzReuse flag by @​jsha in #​8458
• build(deps): bump the aws group with 3 updates by @​dependabot[bot] in #​8467
• iana: Remove hardcoded multicast prefixes by @​jprenken in #​8456
• Remove Python tests for TLS-ALPN-01 by @​jsha in #​8457
• wfe/ra: Periodically load rate limit overrides from the database by @​jprenken in #​8407
• sfe: Create Salesforce Case at override request form submission time by @​beautifulentropy in #​8438
• Clean up dangling OCSP configs by @​jenhagg in #​8461

New Contributors

• @​jenhagg made their first contribution in #​8461

Full Changelog: letsencrypt/boulder@v0.20251027.0...v0.20251103.0

v0.20251027.0

Compare Source

What's Changed

• Add an extra timeout waiting for RVAs by @​mcpherrinm in #​8434
• Use a newer version of proxysql, consul, and redis by @​pgporada in #​8450
• Bind issuers to only issue for specified profiles by @​aarongable in #​8409
• build(deps): bump golang.org/x/sync from 0.16.0 to 0.17.0 by @​dependabot[bot] in #​8449
• Remove requirement for IncludeCRLDistributionPoints config by @​aarongable in #​8462
• Update README to reference t.sh and tn.sh by @​aarongable in #​8463
• bdns: remove logDNSError by @​jsha in #​8445
• Remove deprecated Temporary() usage in DNS retry logic by @​sheurich in #​8441
• Make release workflow compatible with immutable releases by @​aarongable in #​8454

Full Changelog: letsencrypt/boulder@v0.20251021.0...v0.20251027.0

v0.20251021.0

Compare Source

What's Changed

• Reduce nonce redemption flake by giving WFE time to mark SubConns READY by @​aarongable in #​8442
• Simplify IssueCertificate into straight-line code by @​aarongable in #​8424
• Delete sa.GetMaxExpiration and sa.GetRevokedCerts by @​aarongable in #​8401
• Ceremony: add checks for too-large validity period by @​aarongable in #​8446
• build(deps): bump the aws group with 3 updates by @​dependabot[bot] in #​8444
• Remove support for the old log line checksum format by @​mcpherrinm in #​8416

Full Changelog: letsencrypt/boulder@v0.20251014.0...v0.20251021.0

v0.20251014.0

Compare Source

What's Changed

• build(deps): bump the otel group with 6 updates by @​dependabot[bot] in #​8437
• sfe: Add configurable automatic approvals for first-tier limits by @​beautifulentropy in #​8381
• Switch to new log checksum format by @​mcpherrinm in #​8415
• Reland "SA: Stop supporting OCSP status NotReady" by @​aarongable in #​8430

Full Changelog: letsencrypt/boulder@v0.20251007.0...v0.20251014.0

v0.20251007.0

Compare Source

What's Changed

• Revert "SA: Stop supporting OCSP status NotReady" by @​aarongable in #​8429
• Introduce nonfunctional IssuerConfig.Profiles config field by @​aarongable in #​8423
• Refactor CA unittests to focus on top-level IssueCertificate by @​aarongable in #​8422
• Add logging of nonce prefix at nonce-service startup by @​jsha in #​8433
• publisher: Do not log failures to submit to audit logs by @​beautifulentropy in #​8435
• Update CI to go1.25.2 by @​aarongable in #​8436

Full Changelog: letsencrypt/boulder@v0.20251003.0...v0.20251007.0

v0.20251003.0

Compare Source

v0.20250929.0

Compare Source

What's Changed

• CA: Stop using OCSP status NotReady by @​aarongable in #​8394
• Remove support for temporally-sharded CRLs by @​aarongable in #​8400
• wfe: Permit Transfer-Encoding: chunked HTTP request bodies by @​benburkert in #​8403
• build(deps): bump the aws group with 4 updates by @​dependabot[bot] in #​8392
• Use GetRevocationStatus instead of GetCertificateStatus by @​aarongable in #​8402
• Start accepting a new log checksum format by @​mcpherrinm in #​8413

New Contributors

• @​benburkert made their first contribution in #​8403

Full Changelog: letsencrypt/boulder@v0.20250922.0...v0.20250929.0

v0.20250922.0

Compare Source

What's Changed

• Remove '-tags "integration"' from build by @​jsha in #​8383
• feat: Support for dns-account-01 Challenge by @​sheurich in #​8149
• test: Work around integration failures & flake by @​jprenken in #​8393
• Delete akamai-purger by @​aarongable in #​8352
• Upload releases to GHCR by @​jprenken in #​8386
• Move //revocation/reasons.go into the post-OCSP world by @​aarongable in #​8355
• Remove "ocsp-response" Ceremony type by @​aarongable in #​8396
• Ceremony: remove support for AIA OCSP URIs by @​aarongable in #​8397
• issuance: Remove last vestiges of OCSP support by @​aarongable in #​8398
• Recognize, but do not process, issuevmc CAA tags by @​BartG95 in #​8374
• Fix location of release.md by @​pgporada in #​8404

New Contributors

• @​BartG95 made their first contribution in #​8374

Full Changelog: letsencrypt/boulder@v0.20250908.0...v0.20250922.0

v0.20250908.0

Compare Source

What's Changed

• Upgrade to latest publicsuffix-go by @​mcpherrinm in #​8376
• sfe: Export emails to mailing list at submission time by @​beautifulentropy in #​8378
• sfe: Periodically import approved rate limit override tickets by @​beautifulentropy in #​8372
• build(deps): bump docker/login-action from 3.4.0 to 3.5.0 by @​dependabot[bot] in #​8375

Full Changelog: letsencrypt/boulder@v0.20250902.0...v0.20250908.0

v0.20250902.0

Compare Source

What's Changed

• test: Enable optional coverage reporting by @​akshithg in #​8306
• sfe: Add rate limit override request portal Web UI and endpoints by @​beautifulentropy in #​8365
• Run go's modernize tool by @​mcpherrinm in #​8371
• sfe: Add per IP rate limits to the overrides request form submissions by @​beautifulentropy in #​8366

New Contributors

• @​akshithg made their first contribution in #​8306

Full Changelog: letsencrypt/boulder@v0.20250825.0...v0.20250902.0

v0.20250825.0

Compare Source

What's Changed

• test: rewrite CAA integration test in Go by @​jsha in #​8340
• test: Remove go1.24.x by @​beautifulentropy in #​8364
• RA: remove dependency on akamai-purger by @​aarongable in #​8353
• CA: delete GenerateOCSP method by @​aarongable in #​8351
• Ceremony: allow CRL ceremonies to skip certain lints by @​aarongable in #​8368
• sfe/zendesk: Add support for status to Zendesk client by @​beautifulentropy in #​8367

Full Changelog: letsencrypt/boulder@v0.20250819.0...v0.20250825.0

v0.20250819.0

Compare Source

What's Changed

• Add --generate-notes flag to gh release create by @​mcpherrinm in #​8337
• admin: Add tooling to support rate limit overrides in the database by @​beautifulentropy in #​8281
• Remove GO111MODULE and GOFLAGS. by @​jsha in #​8333
• Add tool to generate, verify, and output a list of CRLDPs by @​aarongable in #​8329
• Build Boulder in a container for release by @​jsha in #​8331
• Restrict permissions of merged-to-main workflow by @​aarongable in #​8347
• sfe/zendesk: Add a Zendesk API client implementation by @​beautifulentropy in #​8320
• grpc: remove serverIPAddresses config option by @​jsha in #​8339
• Remove ocsp-responder by @​aarongable in #​8344
• Remove python integration test in-the-past scaffolding by @​aarongable in #​8086
• go: Add go1.25.0 to the test suite by @​beautifulentropy in #​8357
• sfe/test: Configure SFE to use a zendesk-test-srv by @​beautifulentropy in #​8354
• RA: delete GenerateOCSP method by @​aarongable in #​8350
• Remove Boulder's understanding of FAKECLOCK by @​aarongable in #​8356

Full Changelog: letsencrypt/boulder@v0.20250812.0...v0.20250819.0

v0.20250812.0

Compare Source

v0.20250805.0

Compare Source

v0.20250728.0

Compare Source

secure-systems-lab/go-securesystemslib (github.com/secure-systems-lab/go-securesystemslib)

v0.10.0

Compare Source

sigstore/sigstore (github.com/sigstore/sigstore)

v1.10.3

Compare Source

What's Changed

v1.10.3 adds ValidatePubKey back to the cryptoutils package to avoid a breaking API change.

• Add back ValidatePubKey as a deprecated, minimal function in #​2235

Full Changelog: sigstore/sigstore@v1.10.2...v1.10.3

v1.10.2

v1.10.2

Functionally equivalent to v1.10.0. v1.10.1 has been retracted to remove copied code.

v1.10.0

Breaking change

#​2194 moves cryptoutils.ValidatePubKey to goodkey.ValidatePubKey to minimize the dependency tree for clients using the cryptoutils package.

Features

• feat(hashivault): token helper in #​2174
• set GoogleAPIClientOption on GCP KMS provider in #​2128

Refactoring

• cryptoutils: move goodkey validation to separate package in #​2194
• Stop depending on golang.org/x/crypto for sha3 in #​2209
• remove duplicative dependency for portable browser opener in #​2178
• consolidate deep Equal usage to one library in #​2177
• Drop redundant aws-sdk-go dependency in the e2e kms tests in #​2172

sigstore/sigstore-go (github.com/sigstore/sigstore-go)

v1.1.4

Compare Source

What's Changed

• Update rekor-tiles version path in #​531
• Bump production Sigstore TUF root to latest in #​537
• Bump staging Sigstore TUF root to latest in #​538
• Bump deps for sigstore libraries in #​543

Full Changelog: sigstore/sigstore-go@v1.1.3...v1.1.4

kubernetes/api (k8s.io/api)

v0.35.0

Compare Source

v0.34.3

Compare Source

kubernetes/apiextensions-apiserver (k8s.io/apiextensions-apiserver)

v0.35.0

Compare Source

v0.34.3

Compare Source

kubernetes/apimachinery (k8s.io/apimachinery)

v0.35.0

Compare Source

v0.34.3

Compare Source

kubernetes/client-go (k8s.io/client-go)

v0.35.0

Compare Source

v0.34.3

Compare Source

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

To execute skipped test pipelines write comment /ok-to-test.

---

Documentation

Find out how to configure dependency updates in MintMaker documentation or see all available configuration options in Renovate documentation.

[red-hat-konflux]

ℹ Artifact update notice

File name: go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

• 1 additional dependency was updated
• The go directive was updated for compatibility reasons

Details:

Package	Change
go	1.24.0 -> 1.25.0
github.com/theupdateframework/go-tuf/v2	v2.2.0 -> v2.3.0