[release/2.0] update to Go 1.25.9, 1.26.2

.devcontainer/devcontainer.json

@@ -12,7 +12,7 @@
 	"features": {
 		"ghcr.io/devcontainers/features/docker-in-docker:2": {},
 		"ghcr.io/devcontainers/features/go:1": {
-			"version": "1.24.9"
+			"version": "1.25.9"
 		}
 	},
 

.github/actions/install-go/action.yml

@@ -3,7 +3,7 @@ description: "Reusable action to install Go, so there is one place to bump Go ve
 inputs:
   go-version:
     required: true
-    default: "1.24.9"
+    default: "1.25.9"
     description: "Go version to install"
 
 runs:

.github/workflows/api-release.yml

@@ -6,7 +6,7 @@ on:
 name: API Release
 
 env:
-  GO_VERSION: "1.24.9"
+  GO_VERSION: "1.25.9"
 
 permissions: # added using https://github.com/step-security/secure-workflows
   contents: read

.github/workflows/ci.yml

@@ -31,9 +31,9 @@ jobs:
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       - uses: ./.github/actions/install-go
-      - uses: golangci/golangci-lint-action@2226d7cb06a077cd73e56eedd38eecad18e5d837 # v6.5.0
+      - uses: golangci/golangci-lint-action@1481404843c368bc19ca9406f87d6e0fc97bdcfd  # v7.0.0
         with:
-          version: v1.64.2
+          version: v2.1.5
           skip-cache: true
           args: --timeout=8m
 
@@ -195,7 +195,7 @@ jobs:
     strategy:
       matrix:
         os: [ubuntu-latest, ubuntu-24.04-arm, macos-latest, windows-latest]
-        go-version: ["1.23.12", "1.24.9", "1.25.3"]
+        go-version: ["1.25.9", "1.26.2"]
         exclude:
           - os: ${{ github.event.repository.private && 'ubuntu-24.04-arm' || '' }}
     steps:

.github/workflows/release/Dockerfile

@@ -15,7 +15,7 @@
 # UBUNTU_VERSION can be set to 18.04 (bionic, DEPRECATED), 20.04 (focal), or 22.04 (jammy)
 ARG UBUNTU_VERSION=20.04
 ARG BASE_IMAGE=ubuntu:${UBUNTU_VERSION}
-ARG GO_VERSION
+ARG GO_VERSION=1.25.9
 ARG GO_IMAGE=golang:${GO_VERSION}
 FROM --platform=$BUILDPLATFORM $GO_IMAGE AS go
 FROM --platform=$BUILDPLATFORM tonistiigi/xx:1.6.1@sha256:923441d7c25f1e2eb5789f82d987693c47b8ed987c4ab3b075d6ed2b5d6779a3 AS xx

.golangci.yml

@@ -1,89 +1,121 @@
+version: "2"
 linters:
   enable:
-    - depguard # Checks for dependencies that should not be (re)introduced. See "linter-settings" for further details.
-    # - copyloopvar # Checks for loop variable copies in Go 1.22+
-    - gofmt
-    - goimports
+    - depguard # Checks for dependencies that should not be (re)introduced. See "settings" for further details.
+    - dupword # Checks for duplicate words in the source code
     - gosec
-    - ineffassign
+    - revive
     - misspell
     - nolintlint
-    - revive
-    - staticcheck
-    - tenv # Detects using os.Setenv instead of t.Setenv since Go 1.17
     - unconvert
-    - unused
-    - govet
-    - dupword # Checks for duplicate words in the source code
   disable:
     - errcheck
-
+  settings:
+    depguard:
+      rules:
+        main:
+          deny:
+            - pkg: github.com/opencontainers/runc
+              desc: We don't want to depend on runc (libcontainer), unless there is no other option; see https://github.com/opencontainers/runc/issues/3028.
+    forbidigo:
+      forbid:
+        - pkg: ^regexp$
+          msg: Use internal/lazyregexp.New instead.
+    gosec:
+      # The following issues surfaced when `gosec` linter
+      # was enabled. They are temporarily excluded to unblock
+      # the existing workflow, but still to be addressed by
+      # future works.
+      excludes:
+        - G204
+        - G305
+        - G306
+        - G402
+        - G404
+        - G115
+        - G103
+        - G104
+        - G301
+        - G302
+        - G304
+    staticcheck:
+      checks:
+        - all
+        - -QF1001
+        - -QF1002
+        - -QF1003
+        - -QF1004
+        - -QF1008 # Excludes QF1008 from staticcheck
+        - -QF1012
+        - -ST1000
+        - -ST1001
+        - -ST1003
+        - -ST1005
+        - -ST1019
+        - -ST1020
+        - -ST1021
+    revive:
+      rules:
+        - name: package-comments
+          severity: warning
+          disabled: true
+          exclude: [ "" ]
+    nolintlint:
+      allow-unused: true
+  exclusions:
+    generated: lax
+    rules:
+      - path: cmd[\\/]containerd[\\/]builtins[\\/]
+        text: 'blank-imports:'
+      - path: contrib[\\/]fuzz[\\/]
+        text: 'exported: func name will be used as fuzz.Fuzz'
+      - path: archive[\\/]tarheader[\\/]
+        # conversion is necessary on Linux, unnecessary on macOS
+        text: unnecessary conversion
+      - path: integration[\\/]client
+        text: 'dot-imports:'
+      - linters:
+          - revive
+        text: if-return
+      - linters:
+          - revive
+        text: empty-block
+      - linters:
+          - revive
+        text: superfluous-else
+      - linters:
+          - revive
+        text: unused-parameter
+      - linters:
+          - revive
+        text: unreachable-code
+      - linters:
+          - revive
+        text: redefines-builtin-id
+      - linters:
+          - forbidigo
+        text: 'use of `regexp.MustCompile` forbidden'
+        path: _test\.go
+    paths:
+      - api
+      - cluster
+      - docs
+      - docs/man
+      - releases
+      - test
 issues:
-  include:
-    - EXC0002
   max-issues-per-linter: 0
   max-same-issues: 0
-
-  exclude-dirs:
-    - api
-    - cluster
-    - docs
-    - docs/man
-    - releases
-    - test # e2e scripts
-
-  # Only using / doesn't work due to https://github.com/golangci/golangci-lint/issues/1398.
-  exclude-rules:
-    - path: 'cmd[\\/]containerd[\\/]builtins[\\/]'
-      text: "blank-imports:"
-    - path: 'contrib[\\/]fuzz[\\/]'
-      text: "exported: func name will be used as fuzz.Fuzz"
-    - path: 'archive[\\/]tarheader[\\/]'
-      # conversion is necessary on Linux, unnecessary on macOS
-      text: "unnecessary conversion"
-    - path: 'integration[\\/]client'
-      text: "dot-imports:"
-    - linters:
-        - revive
-      text: "if-return"
-    - linters:
-        - revive
-      text: "empty-block"
-    - linters:
-        - revive
-      text: "superfluous-else"
-    - linters:
-        - revive
-      text: "unused-parameter"
-    - linters:
-        - revive
-      text: "unreachable-code"
-    - linters:
-        - revive
-      text: "redefines-builtin-id"
-
-linters-settings:
-  depguard:
-    rules:
-      main:
-        deny:
-          - pkg: github.com/opencontainers/runc
-            desc: We don't want to depend on runc (libcontainer), unless there is no other option; see https://github.com/opencontainers/runc/issues/3028.
-
-  gosec:
-    # The following issues surfaced when `gosec` linter
-    # was enabled. They are temporarily excluded to unblock
-    # the existing workflow, but still to be addressed by
-    # future works.
-    excludes:
-      - G204
-      - G305
-      - G306
-      - G402
-      - G404
-      - G115
-  nolintlint:
-    allow-unused: true
-
-run:
-  timeout: 8m
+formatters:
+  enable:
+    - gofmt
+    - goimports
+  exclusions:
+    generated: strict
+    paths:
+      - api
+      - cluster
+      - docs
+      - docs/man
+      - releases
+      - test

Vagrantfile

@@ -109,7 +109,7 @@ EOF
   config.vm.provision "install-golang", type: "shell", run: "once" do |sh|
     sh.upload_path = "/tmp/vagrant-install-golang"
     sh.env = {
-        'GO_VERSION': ENV['GO_VERSION'] || "1.24.9",
+        'GO_VERSION': ENV['GO_VERSION'] || "1.25.9",
     }
     sh.inline = <<~SHELL
         #!/usr/bin/env bash

contrib/Dockerfile.test

@@ -34,7 +34,7 @@
 #   docker run --privileged --group-add keep-groups -v ./critest_exit_code.txt:/tmp/critest_exit_code.txt containerd-test
 # ------------------------------------------------------------------------------
 
-ARG GOLANG_VERSION=1.24.9
+ARG GOLANG_VERSION=1.25.9
 ARG GOLANG_IMAGE=golang
 
 FROM ${GOLANG_IMAGE}:${GOLANG_VERSION} AS golang

contrib/fuzz/oss_fuzz_build.sh

@@ -39,11 +39,11 @@ compile_fuzzers() {
 
 apt-get update && apt-get install -y wget
 cd $SRC
-wget --quiet https://go.dev/dl/go1.24.9.linux-amd64.tar.gz
+wget --quiet https://go.dev/dl/go1.25.9.linux-amd64.tar.gz
 
 mkdir temp-go
 rm -rf /root/.go/*
-tar -C temp-go/ -xzf go1.24.9.linux-amd64.tar.gz
+tar -C temp-go/ -xzf go1.25.9.linux-amd64.tar.gz
 mv temp-go/go/* /root/.go/
 cd $SRC/containerd
 

script/setup/install-dev-tools

@@ -22,8 +22,8 @@ set -eu -o pipefail
 # install `protobuild` and other commands
 go install github.com/containerd/protobuild@v0.3.0
 go install github.com/containerd/protobuild/cmd/go-fix-acronym@v0.3.0
-go install github.com/cpuguy83/go-md2man/v2@v2.0.2
-go install github.com/golangci/golangci-lint/cmd/golangci-lint@v1.54.2
+go install github.com/cpuguy83/go-md2man/v2@v2.0.7
+go install github.com/golangci/golangci-lint/v2/cmd/golangci-lint@v2.1.5
 go install google.golang.org/protobuf/cmd/protoc-gen-go@v1.28.1
 go install google.golang.org/grpc/cmd/protoc-gen-go-grpc@v1.2.0
 go install github.com/containerd/ttrpc/cmd/protoc-gen-go-ttrpc@v1.2.5

script/setup/prepare_env_windows.ps1

@@ -5,7 +5,7 @@
 # lived test environment.
 Set-MpPreference -DisableRealtimeMonitoring:$true
 
-$PACKAGES= @{ mingw = "10.2.0"; git = ""; golang = "1.24.9"; make = ""; nssm = "" }
+$PACKAGES= @{ mingw = "10.2.0"; git = ""; golang = "1.25.9"; make = ""; nssm = "" }
 
 Write-Host "Downloading chocolatey package"
 curl.exe -L "https://packages.chocolatey.org/chocolatey.0.10.15.nupkg" -o 'c:\choco.zip'