Build: upgrade dependencies #2089

Open
TenSt wants to merge 2 commits into master from stepan/upgrade-dependencies

TenSt (Collaborator) commented Mar 5, 2026

This PR upgrades all golang dependencies.

Summary by Sourcery

Upgrade Go toolchain and project dependencies and apply minor refactors for compatibility and performance.

Enhancements:

  • Refine pprof controller to validate parameters via a fixed allowlist and resolve service addresses by name.
  • Optimize GORM conflict helpers and request logging middleware with preallocated slices and clearer naming.
  • Simplify timeout middleware configuration to rely on the default handler behavior.
  • Annotate security-related code paths and configuration fields to satisfy static analysis and linters.

Build:

  • Bump Go version in go.mod and update Dockerfile tooling including golangci-lint version.
  • Upgrade multiple direct and indirect Go module dependencies to newer versions.

sourcery-ai bot commented Mar 5, 2026

Reviewer's Guide

Upgrade the Go toolchain and various dependencies, and adjust application code and build tooling to align with new library versions and static-analysis expectations.

File-Level Changes

Change: Update Go toolchain version and refresh application/library dependencies.
Details:
  • Bump Go version in go.mod from 1.24.10 to 1.25.7.
  • Increment versions of key runtime dependencies (gin, gin-timeout, AWS SDK, Prometheus, go-gin-prometheus, x/exp, OpenAPI-related packages, OpenTelemetry components, x/net, Prometheus procfs, Google genproto, etc.).
  • Refresh indirect dependencies and add go.mongodb.org/mongo-driver/v2 as an indirect dependency.
  • Regenerate go.sum to match upgraded modules.
Files: go.mod, go.sum

Change: Refactor pprof controller routing to use service names and modern slice utilities, and tighten parameter validation.
Details:
  • Replace regexp-based parameter validation with slices.Contains over a fixed allow-list of pprof endpoints.
  • Change pprof handler callers to pass a logical service name instead of a raw address.
  • Resolve service name to address inside getPprof using a switch over utils.CoreCfg fields, returning an error for unknown services.
  • Annotate HTTP request creation and execution with #nosec to satisfy security linters.
Files: turnpike/controllers/pprof.go

Change: Improve GORM conflict-handling helpers with better naming and allocation patterns.
Details:
  • Rename internal variables from confilctColumns to conflictColumns for clarity.
  • Preallocate clause.Column slices using make with len(keys) instead of appending in a loop.
  • Pre-size the updateColsValues map based on the number of update expressions.
Files: base/database/database.go

Change: Tweak Docker build tooling and formatting, including golangci-lint update.
Details:
  • Reformat the dnf module enable/install RUN step for consistent indentation.
  • Upgrade golangci-lint installed in the builder image from v2.2.2 to v2.10.1.
Files: Dockerfile

Change: Optimize and adjust Gin middlewares to match new timeout behavior and logging needs.
Details:
  • Preallocate the logging fields slice in the request/response logger based on a fixed base size plus per-parameter capacity.
  • Remove the explicit timeout.WithHandler wrapper so the timeout middleware uses the default handler semantics while retaining a custom timeout response.
Files: manager/middlewares/logger.go, manager/middlewares/timeout.go

Change: Add security/static-analysis annotations to satisfy linters around credentials and HTTP calls.
Details:
  • Mark PostgreSQL password field with a #nosec comment to silence G117 warnings about credentials in struct fields.
  • Add nolint: staticcheck comments around aws and aws/credentials imports used by CloudWatch logging.
  • Annotate HTTP client.Do usage with #nosec to acknowledge and silence G704 warnings where appropriate.
Files: base/database/setup.go, base/utils/awscloudwatch.go, base/utils/http.go

github-actions bot commented Mar 5, 2026

SC Environment Impact Assessment

Overall Impact: NONE

No SC Environment-specific impacts detected in this PR.

What was checked

This PR was automatically scanned for:

  • Database migrations
  • ClowdApp configuration changes
  • Kessel integration changes
  • AWS service integrations (S3, RDS, ElastiCache)
  • Kafka topic changes
  • Secrets management changes
  • External dependencies

@TenSt TenSt force-pushed the stepan/upgrade-dependencies branch 2 times, most recently from f363700 to fb562bb Compare March 5, 2026 14:13
@TenSt TenSt force-pushed the stepan/upgrade-dependencies branch from fb562bb to 93396f8 Compare March 5, 2026 14:21
@TenSt TenSt force-pushed the stepan/upgrade-dependencies branch from 93396f8 to cff0fbb Compare March 5, 2026 14:27

codecov-commenter commented Mar 5, 2026

Codecov Report

❌ Patch coverage is 12.12121% with 29 lines in your changes missing coverage. Please review.
✅ Project coverage is 59.40%. Comparing base (cab0992) to head (cff0fbb).

| Files with missing lines | Patch % | Lines |
|---|---|---|
| turnpike/controllers/pprof.go | 0.00% | 22 Missing ⚠️ |
| base/database/database.go | 44.44% | 5 Missing ⚠️ |
| base/utils/http.go | 0.00% | 1 Missing ⚠️ |
| manager/middlewares/logger.go | 0.00% | 1 Missing ⚠️ |

Additional details and impacted files
@@            Coverage Diff             @@
##           master    #2089      +/-   ##
==========================================
- Coverage   59.45%   59.40%   -0.06%     
==========================================
  Files         134      134              
  Lines        8699     8707       +8     
==========================================
  Hits         5172     5172              
- Misses       2981     2989       +8     
  Partials      546      546              

| Flag | Coverage Δ |
|---|---|
| unittests | 59.40% <12.12%> (-0.06%) ⬇️ |

@TenSt TenSt marked this pull request as ready for review March 5, 2026 14:52
@TenSt TenSt requested a review from a team as a code owner March 5, 2026 14:52

sourcery-ai bot left a comment

Hey - I've found 1 issue, and left some high level feedback:

  • The pprofHandler / getPprof refactor now relies on string service names and a hard‑coded switch; consider either passing the address directly (as before) or introducing typed constants / a map to avoid runtime errors from typos and to make it easier to add new services.
  • In RequestResponseLogger, the 17 used to preallocate fields is a magic number; it would be clearer and less fragile to derive this from the actual fixed fields or define it as a named constant that is updated alongside any changes to the logged fields.
Prompt for AI Agents
Please address the comments from this code review:

## Overall Comments
- The `pprofHandler` / `getPprof` refactor now relies on string service names and a hard‑coded switch; consider either passing the address directly (as before) or introducing typed constants / a map to avoid runtime errors from typos and to make it easier to add new services.
- In `RequestResponseLogger`, the `17` used to preallocate `fields` is a magic number; it would be clearer and less fragile to derive this from the actual fixed fields or define it as a named constant that is updated alongside any changes to the logged fields.

## Individual Comments

### Comment 1
<location path="manager/middlewares/logger.go" line_range="18-20" />
<code_context>
 		tStart := time.Now()
 		c.Next()
-		var fields []interface{}
+		// 17 is the number of fields that are always logged
+		// 2 is the number of fields for each parameter
+		var fields = make([]any, 0, 17+2*len(c.Params))

 		duration := time.Since(tStart).Nanoseconds() / 1e6
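Review bot: the capacity in `make([]any, 0, 17+2*len(c.Params))` is documented only by the two comment lines above it, and because the third argument to make is just a capacity hint, a stale 17 will never fail; the slice will simply grow on append and the comment will be wrong without anyone noticing. Either name the two numbers as constants next to the code that appends the fixed fields, or word the comment as an estimate rather than an exact count. As a style point, inside a function body `fields := make(...)` is the more idiomatic form than `var fields = make(...)`.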
</code_context>
<issue_to_address>
**suggestion:** Hardcoding the field count in the preallocation is brittle and can easily get out of sync.

Preallocation is useful here, but coupling it to a hardcoded literal + comment makes it easy to miss when fields change. Consider deriving the base capacity from a constant or from the actual fixed fields (e.g., via a helper that builds the base slice), so changes to logged keys don’t require manually updating this number and comment.

Suggested implementation:

```golang
	const (
		baseLogFieldCount = 17 // number of fields that are always logged
		paramFieldCount   = 2  // number of fields for each parameter
	)

	return func(c *gin.Context) {

```

```golang
		var fields = make([]any, 0, baseLogFieldCount+paramFieldCount*len(c.Params))

```
</issue_to_address>

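Added example, not code from this PR or project: one way to combine the fixed pprof allow-list described in the Reviewer's Guide with the typed constants and map suggested in the review above, so that neither the service name nor the request parameter can steer the outbound request. The service names, addresses, error values and the `PprofURL` helper are hypothetical, and the endpoint list is an assumed set of `net/http/pprof` profile names.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"slices"
)

// Service is a typed logical service name, so callers use constants, not raw strings.
type Service string

// Hypothetical service names; the PR's real ones are not shown on the page.
const (
	ServiceListener  Service = "listener"
	ServiceEvaluator Service = "evaluator"
)

// Fixed allow-list of profile names served by net/http/pprof (assumed list).
var pprofEndpoints = []string{"allocs", "block", "cmdline", "goroutine",
	"heap", "mutex", "profile", "threadcreate", "trace"}

var (
	ErrUnknownService  = errors.New("unknown service")
	ErrUnknownEndpoint = errors.New("pprof endpoint not in allow-list")
)

// PprofURL builds the upstream URL. The host comes only from the addrs map
// (configuration) and the parameter must equal an allow-listed name exactly.
func PprofURL(addrs map[Service]string, svc Service, param string) (string, error) {
	addr, ok := addrs[svc]
	if !ok || addr == "" {
		return "", fmt.Errorf("%w: %q", ErrUnknownService, svc)
	}
	if !slices.Contains(pprofEndpoints, param) {
		return "", fmt.Errorf("%w: %q", ErrUnknownEndpoint, param)
	}
	u := url.URL{Scheme: "http", Host: addr, Path: "/debug/pprof/" + param}
	return u.String(), nil
}

func main() {
	// Constructed addresses standing in for the utils.CoreCfg fields.
	addrs := map[Service]string{ServiceListener: "listener:9000", ServiceEvaluator: "evaluator:9000"}
	for _, p := range []string{"heap", "heap/../../metrics", "heap?debug=1"} {
		u, err := PprofURL(addrs, ServiceListener, p)
		fmt.Printf("%-22q -> %q err=%v\n", p, u, err)
	}
}
```

Because the match is exact equality against the list, path traversal segments and query strings appended to a valid name are rejected without any extra escaping logic.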
