fix(ci): bump Go version to 1.25.9

[notJoon]

Description

Bump Go from 1.24 to 1.25.9 and golangci-lint from v2.3 to v2.11 across the entire monorepo.

Changes

Go 1.25.9 upgrade

• Updated go.mod in all 21 modules (root, contribs/*, misc/*, tm2/pkg/libtm, gno.land/pkg/gnoweb/tools)
• Removed toolchain directives (unnecessary with Go 1.25.9)
• Updated all CI workflow files (.github/workflows/*.yml) from 1.24.x to 1.25.x
• Changed Dockerfile base image to golang:1.25-alpine

GnoVM adjustments for Go 1.25

• Regenerated gnovm/pkg/gnolang/string_methods.go via stringer — Go 1.25 changed the bounds-check pattern from if i >= Kind(len(...)) to idx := int(i) - 0; if i < 0 || idx >= len(...)
• Updated 10 filetest .gno files where Go 1.25's type checker changed error message wording:
  • "invalid operation: cannot slice ... (value not addressable)" → "cannot slice unaddressable value ..."
  • "cannot call non-function X (variable of type T)" → "cannot call X (variable of type T): T is not a function"
  • "cannot make int; type must be" → "cannot make int: type must be" (semicolon → colon)
• Added //nolint:staticcheck to gnovm/pkg/doc/json_doc.go for ast.MergePackageFiles, which was deprecated in Go 1.25 with no direct replacement available

golangci-lint v2.11 config changes (.github/golangci.yml)

Disabled prealloc linter

v2.11 significantly increased false positives for the prealloc linter. It now flags cases like []string{} inside loops where preallocation is impractical or the capacity is unknowable at declaration time. Rather than adding //nolint:prealloc across dozens of files, the linter was disabled entirely — the signal-to-noise ratio no longer justifies the maintenance overhead.

Added gosec excludes: G122, G602, G703, G704, G705

golangci-lint v2.11 ships with gosec's new taint-analysis rules enabled by default. These rules track data flow from "sources" (e.g., http.Request, os.Args) through to "sinks" (e.g., os.Open, http.Redirect, template.HTML). In this codebase, they produce a high volume of false positives:

Rule	Category	Why excluded
G703	Path traversal	Taint analysis doesn't recognize validation/sanitization across package boundaries. Flagged instances involve data from trusted internal sources (CLI args, config files).
G704	SSRF	Same cross-boundary taint tracking limitation. Flags internal HTTP routing and test fixtures.
G705	XSS	Flags template rendering with data that is already sanitized by upstream helpers.
G602	Slice bounds	Flags valid slice indexing patterns as potential out-of-bounds access — a known false-positive pattern.
G122	Filesystem race	Flags filepath.Walk/WalkDir callbacks with no practical mitigation available.

Added staticcheck exclude: -QF1012

Suppresses quick-fix suggestions to replace WriteString(fmt.Sprintf(...)) with fmt.Fprintf(...). This is a style preference, not a correctness issue. Stale //nolint:staticcheck comments in tm2/pkg/iavl/internal/bytes/bytes.go that were previously suppressing this rule were also removed.

[Gno2D2]

🛠 PR Checks Summary

🔴 Changes related to gnoweb must be reviewed by its codeowners

Manual Checks (for Reviewers):

• IGNORE the bot requirements for this PR (force green CI check)
• Determine if infra needs to be updated before merging

Read More

🤖 This bot helps streamline PR reviews by verifying automated checks and providing guidance for contributors and reviewers.

✅ Automated Checks (for Contributors):

🟢 Maintainers must be able to edit this pull request (more info)
🔴 Changes related to gnoweb must be reviewed by its codeowners
🟢 Pending initial approval by a review team member, or review from tech-staff

☑️ Contributor Actions:

1. Fix any issues flagged by automated checks.
2. Follow the Contributor Checklist to ensure your PR is ready for review.
   • Add new tests, or document why they are unnecessary.
   • Provide clear examples/screenshots, if necessary.
   • Update documentation, if required.
   • Ensure no breaking changes, or include BREAKING CHANGE notes.
   • Link related issues/PRs, where applicable.

☑️ Reviewer Actions:

1. Complete manual checks for the PR, including the guidelines and additional checks if applicable.

📚 Resources:

• Report a bug with the bot.
• View the bot’s configuration file.

Debug

Automated Checks

Maintainers must be able to edit this pull request (more info)

If

🟢 Condition met
└── 🟢 And
    ├── 🟢 The base branch matches this pattern: ^master$
    └── 🟢 The pull request was created from a fork (head branch repo: notJoon/gno-core)

Then

🟢 Requirement satisfied
└── 🟢 Maintainer can modify this pull request

Changes related to gnoweb must be reviewed by its codeowners

If

🟢 Condition met
└── 🟢 And
    ├── 🟢 The base branch matches this pattern: ^master$
    └── 🟢 A changed file matches this pattern: ^gno.land/pkg/gnoweb/ (filename: gno.land/pkg/gnoweb/tools/go.mod)

Then

🔴 Requirement not satisfied
└── 🔴 Or
    ├── 🔴 Or
    │   ├── 🔴 And
    │   │   ├── 🔴 Pull request author is user: alexiscolin
    │   │   └── 🔴 This user reviewed pull request: gfanton (with state "APPROVED")
    │   └── 🔴 And
    │       ├── 🔴 Pull request author is user: gfanton
    │       └── 🔴 This user reviewed pull request: alexiscolin (with state "APPROVED")
    └── 🔴 And
        ├── 🟢 Not (🔴 Pull request author is user: alexiscolin)
        ├── 🟢 Not (🔴 Pull request author is user: gfanton)
        └── 🔴 Or
            ├── 🔴 This user reviewed pull request: alexiscolin (with state "APPROVED")
            └── 🔴 This user reviewed pull request: gfanton (with state "APPROVED")

Pending initial approval by a review team member, or review from tech-staff

If

🟢 Condition met
└── 🟢 And
    ├── 🟢 The base branch matches this pattern: ^master$
    └── 🟢 Not (🔴 Pull request author is a member of the team: tech-staff)

Then

🟢 Requirement satisfied
└── 🟢 If
    ├── 🟢 Condition
    │   └── 🟢 Or
    │       ├── 🟢 User davd-gzl already reviewed PR 5441 with state APPROVED
    │       ├── 🔴 At least 1 user(s) of the team tech-staff reviewed pull request
    │       └── 🔴 This pull request is a draft
    └── 🟢 Then
        └── 🟢 Not (🔴 This label is applied to pull request: review/triage-pending)

Manual Checks

**IGNORE** the bot requirements for this PR (force green CI check)

If

🟢 Condition met
└── 🟢 On every pull request

Can be checked by

• Any user with comment edit permission

Determine if infra needs to be updated before merging

If

🟢 Condition met
└── 🟢 And
    ├── 🟢 The base branch matches this pattern: ^master$
    └── 🟢 Or
        ├── 🟢 A changed file matches this pattern: Dockerfile (filename: Dockerfile)
        ├── 🔴 A changed file matches this pattern: ^misc/deployments
        ├── 🔴 A changed file matches this pattern: ^misc/docker-
        └── 🔴 A changed file matches this pattern: ^.github/workflows/release.*\.yml$

Can be checked by

• team devops

[codecov]

Codecov Report

❌ Patch coverage is 38.46154% with 8 lines in your changes missing coverage. Please review.

Files with missing lines	Patch %	Lines
gnovm/pkg/gnolang/string_methods.go	33.33%	6 Missing and 2 partials ⚠️

📢 Thoughts on this report? Let us know!

[davd-gzl]

Overall looks good, there's no missing go.mod to update. I didn't re verify versions of packages, but tests are passing and new excluded rules seems valid to me.

To note, GnoLSP (from another repository) is in 1.23, it is broken in 1.25.

[jefft0]

Hello @notJoon . The CI check for gnoland/main fails with "panic: txDispatcher subscription unexpectedly closed". I ran this PR branch with make test locally and it passes. Do you think that the CI check failure is related to this PR?

[jefft0]

This dependabot PR tries to use go1.25, and one of the workflow tools requires go >= 1.25.5.

golang.org/x/pkgsite@v0.0.0-20260410212959-70e508737129 requires go >= 1.25.5 (running go 1.24.4; GOTOOLCHAIN=local)

In general, shouldn't we use the latest version with recent security fixes? This is go 1.25.9 .
https://go.dev/doc/devel/release#go1.25.minor

[jefft0]

Builds on my local macOS. CI checks pass.