fix(security): remediate CVE vulnerabilities

[upbound-bot]

Summary

This PR fixes CVE vulnerabilities identified by security scanning.

Vulnerabilities Fixed

CVE/GHSA	Severity	Package	Fixed Version
CVE-2025-61723	High	stdlib	go1.24.11
CVE-2025-61725	High	stdlib	go1.24.11
CVE-2025-61729	High	stdlib	go1.24.11
CVE-2025-58187	High	stdlib	go1.24.11
CVE-2025-58188	High	stdlib	go1.24.11
CVE-2025-58185	Medium	stdlib	go1.24.11
CVE-2025-47912	Medium	stdlib	go1.24.11
CVE-2025-58186	Medium	stdlib	go1.24.11
CVE-2025-61724	Medium	stdlib	go1.24.11
CVE-2025-58189	Medium	stdlib	go1.24.11
CVE-2025-58183	Medium	stdlib	go1.24.11
CVE-2025-61727	Medium	stdlib	go1.24.11
GHSA-j5w8-q4qc-rx2x	Medium	golang.org/x/crypto	v0.45.0
GHSA-f6x5-jh6r-wrfv	Medium	golang.org/x/crypto	v0.45.0

Changes Made

• Updated Go toolchain from go1.24.4 to go1.24.11
• Updated golang.org/x/crypto from v0.39.0 to v0.45.0
• Ran go mod tidy to update transitive dependencies

References

• CVE-2025-61723
• CVE-2025-61725
• CVE-2025-61729
• CVE-2025-58187
• CVE-2025-58188
• CVE-2025-58185
• CVE-2025-47912
• CVE-2025-58186
• CVE-2025-61724
• CVE-2025-58189
• CVE-2025-58183
• CVE-2025-61727
• GHSA-j5w8-q4qc-rx2x
• GHSA-f6x5-jh6r-wrfv

Verification

• Rescanned with cve-scan skill after fixes
• All listed vulnerabilities resolved

[upbound-bot]

Build Failure Analysis

Check: push
Status: Failed
Analyzed: 2026-01-22T09:15:00Z

Summary

The push check failed when trying to download the up CLI. The actual package push to the registry succeeded.

Root Cause

The workflow is configured to use upbound/action-up@v1 with a specific pre-release version (v0.39.0-384.g0a0c8634) from the main channel. This version is no longer available at the download endpoint (https://cli.upbound.io), resulting in a 404 Not Found error.

Error Details

##[error]Unexpected HTTP response: 404

The step that failed:

- uses: upbound/action-up@v1
  with:
    skip-login: true
    channel: main
    version: v0.39.0-384.g0a0c8634

Recommendation

This is a CI workflow configuration issue, not a code issue. The fix requires updating .github/workflows/ci.yaml to use an available version of the up CLI. Options:

1. Update to the latest stable version
2. Remove the explicit version to use the default
3. Update to a newer available pre-release version

A retry will NOT help - the workflow configuration needs to be updated.

---

_{This analysis was generated by the build-failure-analyze skill.}

[upbound-bot]

Build Failure Analysis

Check: push
Status: Failed
Analyzed: 2026-01-22T09:25:00Z

Summary

The push check failed during composition tests due to an invalid OpenAI API key. The package build and push to registry succeeded.

Root Cause

The OPENAI_API_KEY_B64 repository secret contains an invalid or expired API key. The composition tests (up test run tests/*) require a valid OpenAI API key, but the current key returns a 401 Unauthorized error from the OpenAI API.

Error Details

cannot render composite resource: cannot run pipeline step "make-gpt-do-it": rpc error: code = Unknown desc = API returned unexpected status code: 401: Incorrect API key provided

Recommendation

This cannot be fixed by code changes. The repository secret needs to be updated by a repository administrator:

1. Generate a new OpenAI API key at https://platform.openai.com/account/api-keys
2. Base64 encode the key and update the OPENAI_API_KEY_B64 repository secret
3. Re-run the CI workflow

Note: The CVE fix changes are valid - the package builds and pushes successfully. Only the composition tests fail due to this infrastructure issue.

---

_{This analysis was generated by the build-failure-analyze skill.}

[ulucinar]

Updated the repo secret OPENAI_API_KEY_B64. Will retrigger the build pipeline...