From a36972e7d325cb29d12af1666f0402a7bd56eaa1 Mon Sep 17 00:00:00 2001
From: sievdokymov-virtru <sergii.ievdokymov@virtru.com>
Date: Fri, 24 Apr 2026 12:43:21 +0300
Subject: [PATCH 1/2] Bumb go toolchain to solve reported security vulns

---
 .github/workflows/checks.yaml    | 3 ++-
 .github/workflows/sonarcloud.yml | 2 +-
 examples/go.mod                  | 2 +-
 go.work                          | 2 +-
 lib/fixtures/go.mod              | 2 +-
 lib/flattening/go.mod            | 2 +-
 lib/identifier/go.mod            | 2 +-
 lib/ocrypto/go.mod               | 2 +-
 otdfctl/go.mod                   | 2 +-
 protocol/go/go.mod               | 2 +-
 sdk/go.mod                       | 2 +-
 service/go.mod                   | 2 +-
 test/integration/go.mod          | 2 +-
 tests-bdd/go.mod                 | 2 +-
 14 files changed, 15 insertions(+), 14 deletions(-)

diff --git a/.github/workflows/checks.yaml b/.github/workflows/checks.yaml
index 7bca30c5ce..a709c7922d 100644
--- a/.github/workflows/checks.yaml
+++ b/.github/workflows/checks.yaml
@@ -13,6 +13,7 @@ on:
     branches:
       - main
       - release/**
+      - dspx-2960-bump-go-toolchain-1.25.9
   merge_group:
     branches:
       - main
@@ -84,7 +85,7 @@ jobs:
         continue-on-error: true
         uses: golang/govulncheck-action@b625fbe08f3bccbe446d94fbf87fcc875a4f50ee # v1.0.4
         with:
-          go-version-input: "1.25.7"
+          go-version-input: "1.25.9"
           work-dir: ${{ matrix.directory }}
       - if: steps.govulncheck.outcome == 'failure'
         run: echo "$MODULE_DIR" > "/tmp/govulncheck-failure-${JOB_INDEX}.txt"
diff --git a/.github/workflows/sonarcloud.yml b/.github/workflows/sonarcloud.yml
index 94043c16d8..4ba1c93a69 100644
--- a/.github/workflows/sonarcloud.yml
+++ b/.github/workflows/sonarcloud.yml
@@ -26,7 +26,7 @@ jobs:
       - name: "Setup Go"
         uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
         with:
-          go-version: "1.25.7"
+          go-version: "1.25.9"
           check-latest: false
           cache-dependency-path: |
             service/go.sum
diff --git a/examples/go.mod b/examples/go.mod
index 9da02faf7f..1e23a15877 100644
--- a/examples/go.mod
+++ b/examples/go.mod
@@ -2,7 +2,7 @@ module github.com/opentdf/platform/examples
 
 go 1.25.0
 
-toolchain go1.25.8
+toolchain go1.25.9
 
 require (
 	connectrpc.com/connect v1.19.1
diff --git a/go.work b/go.work
index 8c899125a5..6a411e9524 100644
--- a/go.work
+++ b/go.work
@@ -1,6 +1,6 @@
 go 1.25.5
 
-toolchain go1.25.8
+toolchain go1.25.9
 
 use (
 	./examples
diff --git a/lib/fixtures/go.mod b/lib/fixtures/go.mod
index 517a1d0696..112e05dc8d 100644
--- a/lib/fixtures/go.mod
+++ b/lib/fixtures/go.mod
@@ -2,7 +2,7 @@ module github.com/opentdf/platform/lib/fixtures
 
 go 1.25.0
 
-toolchain go1.25.8
+toolchain go1.25.9
 
 require github.com/Nerzal/gocloak/v13 v13.9.0
 
diff --git a/lib/flattening/go.mod b/lib/flattening/go.mod
index c2d3d36534..09736cc2d9 100644
--- a/lib/flattening/go.mod
+++ b/lib/flattening/go.mod
@@ -2,7 +2,7 @@ module github.com/opentdf/platform/lib/flattening
 
 go 1.25.0
 
-toolchain go1.25.8
+toolchain go1.25.9
 
 require github.com/stretchr/testify v1.11.1
 
diff --git a/lib/identifier/go.mod b/lib/identifier/go.mod
index a98dc19662..bf5185d058 100644
--- a/lib/identifier/go.mod
+++ b/lib/identifier/go.mod
@@ -2,7 +2,7 @@ module github.com/opentdf/platform/lib/identifier
 
 go 1.25.0
 
-toolchain go1.25.8
+toolchain go1.25.9
 
 require github.com/stretchr/testify v1.11.1
 
diff --git a/lib/ocrypto/go.mod b/lib/ocrypto/go.mod
index dd05482470..fb1efec86f 100644
--- a/lib/ocrypto/go.mod
+++ b/lib/ocrypto/go.mod
@@ -2,7 +2,7 @@ module github.com/opentdf/platform/lib/ocrypto
 
 go 1.25.0
 
-toolchain go1.25.8
+toolchain go1.25.9
 
 require (
 	github.com/stretchr/testify v1.11.1
diff --git a/otdfctl/go.mod b/otdfctl/go.mod
index 6358902221..756791b885 100644
--- a/otdfctl/go.mod
+++ b/otdfctl/go.mod
@@ -2,7 +2,7 @@ module github.com/opentdf/platform/otdfctl
 
 go 1.25.0
 
-toolchain go1.25.8
+toolchain go1.25.9
 
 require (
 	github.com/adrg/frontmatter v0.2.0
diff --git a/protocol/go/go.mod b/protocol/go/go.mod
index 03c0ad01c8..cbd8b7b63d 100644
--- a/protocol/go/go.mod
+++ b/protocol/go/go.mod
@@ -2,7 +2,7 @@ module github.com/opentdf/platform/protocol/go
 
 go 1.25.0
 
-toolchain go1.25.8
+toolchain go1.25.9
 
 require (
 	buf.build/gen/go/bufbuild/protovalidate/protocolbuffers/go v1.34.1-20240508200655-46a4cf4ba109.1
diff --git a/sdk/go.mod b/sdk/go.mod
index eb20584396..f1fd7302fb 100644
--- a/sdk/go.mod
+++ b/sdk/go.mod
@@ -2,7 +2,7 @@ module github.com/opentdf/platform/sdk
 
 go 1.25.0
 
-toolchain go1.25.8
+toolchain go1.25.9
 
 require (
 	connectrpc.com/connect v1.19.1
diff --git a/service/go.mod b/service/go.mod
index b0e9d16fa4..cc8772dd9c 100644
--- a/service/go.mod
+++ b/service/go.mod
@@ -2,7 +2,7 @@ module github.com/opentdf/platform/service
 
 go 1.25.0
 
-toolchain go1.25.8
+toolchain go1.25.9
 
 require (
 	buf.build/go/protovalidate v1.0.0
diff --git a/test/integration/go.mod b/test/integration/go.mod
index cc526ed60f..c93a447604 100644
--- a/test/integration/go.mod
+++ b/test/integration/go.mod
@@ -2,7 +2,7 @@ module github.com/opentdf/platform/test/integration
 
 go 1.25.0
 
-toolchain go1.25.8
+toolchain go1.25.9
 
 replace (
 	github.com/opentdf/platform/lib/fixtures => ../../lib/fixtures
diff --git a/tests-bdd/go.mod b/tests-bdd/go.mod
index eb7d343f1b..0e0af20886 100644
--- a/tests-bdd/go.mod
+++ b/tests-bdd/go.mod
@@ -2,7 +2,7 @@ module github.com/opentdf/platform/tests-bdd
 
 go 1.25.5
 
-toolchain go1.25.8
+toolchain go1.25.9
 
 require (
 	github.com/cucumber/godog v0.15.0

From ab658c566cd60b33c94ec9aa99da1523a700a724 Mon Sep 17 00:00:00 2001
From: sievdokymov-virtru <sergii.ievdokymov@virtru.com>
Date: Fri, 24 Apr 2026 12:57:54 +0300
Subject: [PATCH 2/2] Cleanup

---
 .github/workflows/checks.yaml | 1 -
 1 file changed, 1 deletion(-)

diff --git a/.github/workflows/checks.yaml b/.github/workflows/checks.yaml
index a709c7922d..ac9e24c31d 100644
--- a/.github/workflows/checks.yaml
+++ b/.github/workflows/checks.yaml
@@ -13,7 +13,6 @@ on:
     branches:
       - main
       - release/**
-      - dspx-2960-bump-go-toolchain-1.25.9
   merge_group:
     branches:
       - main