Contributor

@ycombinator ycombinator commented Sep 25, 2025

This PR bumps up the Golang version to 1.25.1. It also:

  • removes the ms_tls13kdf Golang build tag when building in FIPS mode because this tag was only needed with Golang versions 1.24.x.
  • sets the GODEBUG=tlsmlkem=0 environment variable when running FIPS140-only unit tests. This prevents errors like so: Failed to connect: crypto/ecdh: use of X25519 is not allowed in FIPS 140-only mode.

@ycombinator ycombinator requested review from a team as code owners September 25, 2025 17:46
@ycombinator ycombinator added Team:Elastic-Agent-Control-Plane Label for the Agent Control Plane team backport-active-all Automated backport with mergify to all the active branches labels Sep 25, 2025
@elasticmachine
Collaborator

Pinging @elastic/elastic-agent-control-plane (Team:Elastic-Agent-Control-Plane)

@ycombinator
Contributor Author

ycombinator commented Sep 25, 2025

The fips140=only unit tests are failing like so:

crypto/ecdh: use of X25519 is not allowed in FIPS 140-only mode

These appear to be golang/go#75148, which should be fixable when golang/go#74630 is implemented. However, in order to upgrade to Go 1.25.1 now, we'll need to find a workaround.

@ycombinator
Contributor Author

ycombinator commented Sep 25, 2025

These errors are coming from Go downloading dependencies before executing the tests. The errors can be simulated like so:

GODEBUG=fips140=only go mod download -x
# get https://proxy.golang.org/github.com/opencontainers/image-spec/@v/v1.1.1.info
# get https://proxy.golang.org/github.com/opencontainers/image-spec/@v/v1.1.1.info: Get "https://proxy.golang.org/github.com/opencontainers/image-spec/@v/v1.1.1.info": crypto/ecdh: use of X25519 is not allowed in FIPS 140-only mode
...

So we probably just need to download the dependencies explicitly, ensuring that GODEBUG=fips140=only is not set for this step.
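
The split described above, as an added example that is not part of the original comments or the PR's own code: one environment for the dependency download with fips140 removed from GODEBUG, and one for the FIPS140-only unit tests with fips140=only and tlsmlkem=0 set. The function names and the netdns=go sample setting are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"strings"
)

// editGodebug applies edits to a GODEBUG value: "key" removes, "key=value" sets.
func editGodebug(value string, edits ...string) string {
	touched, added, kept := map[string]bool{}, []string{}, []string{}
	for _, e := range edits {
		k, _, isSet := strings.Cut(e, "=")
		touched[k] = true
		if isSet {
			added = append(added, e)
		}
	}
	for _, kv := range strings.Split(value, ",") {
		if k, _, _ := strings.Cut(kv, "="); kv != "" && !touched[k] {
			kept = append(kept, kv)
		}
	}
	return strings.Join(append(kept, added...), ",")
}

// stepEnv copies env, applying edits to its GODEBUG entry (dropped if empty).
func stepEnv(env []string, edits ...string) []string {
	out, current := []string(nil), ""
	for _, e := range env {
		if v, ok := strings.CutPrefix(e, "GODEBUG="); ok {
			current = v
		} else {
			out = append(out, e)
		}
	}
	if v := editGodebug(current, edits...); v != "" {
		out = append(out, "GODEBUG="+v)
	}
	return out
}

// downloadEnv is for "go mod download": FIPS 140-only mode must not be set.
func downloadEnv(env []string) []string { return stepEnv(env, "fips140") }
// testEnv is for the FIPS140-only unit tests, with tlsmlkem=0 as in the PR.
func testEnv(env []string) []string { return stepEnv(env, "fips140=only", "tlsmlkem=0") }

func main() {
	env := []string{"PATH=/usr/bin", "GODEBUG=fips140=only,netdns=go"} // constructed input
	fmt.Println(downloadEnv(env), testEnv(env))
}
```

Each returned slice can be assigned to the Env field of an exec.Cmd for the corresponding step, so unrelated GODEBUG settings survive while only the test step runs in FIPS 140-only mode.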

@ycombinator
Contributor Author

I've implemented this approach in this PR and it has helped. However, now CI is failing with this odd error which seems unrelated to FIPS in any way.

https://buildkite.com/elastic/elastic-agent/builds/27575#0199842f-d9dd-4481-9d46-37baa5c789b1/155-822

=== FAIL: dev-tools/mage TestGoTest_CaptureOutput/capture_panic (1.61s)
--
  | >> go test: asserts Testing
  | >> ARGS: asserts Command: gotestsum --no-color --junitfile-hide-skipped-tests -f standard-quiet -- -test.run TestGoTest_Helper_WithPanic .
  | 2025/09/26 04:35:17 exec: gotestsum --no-color --junitfile-hide-skipped-tests -f standard-quiet -- -test.run TestGoTest_Helper_WithPanic .
  | exec: gotestsum --no-color --junitfile-hide-skipped-tests -f standard-quiet -- -test.run TestGoTest_Helper_WithPanic .
  | gotest_test.go:120: GoTest output mismatch:
  | want:
  | (?sm:
  | === FAIL: dev-tools/mage TestGoTest_Helper_WithPanic.*
  | panic: Kaputt. \[recovered\].*
  | panic: Kaputt.*
  | )
  |  
  | got:
  | FAIL	github.com/elastic/elastic-agent/dev-tools/mage	0.021s
  |  
  | === Failed
  | === FAIL: dev-tools/mage TestGoTest_Helper_WithPanic (0.00s)
  | panic: Kaputt. [recovered, repanicked]
  |  
  | goroutine 21 [running]:
  | testing.tRunner.func1.2({0xcd39e0, 0xf923f0})
  | /opt/buildkite-agent/.asdf/installs/golang/1.25.1/go/src/testing/testing.go:1872 +0x237
  | testing.tRunner.func1()
  | /opt/buildkite-agent/.asdf/installs/golang/1.25.1/go/src/testing/testing.go:1875 +0x35b
  | panic({0xcd39e0?, 0xf923f0?})
  | /opt/buildkite-agent/.asdf/installs/golang/1.25.1/go/src/runtime/panic.go:783 +0x132
  | github.com/elastic/elastic-agent/dev-tools/mage.TestGoTest_Helper_WithPanic(0xc000103880?)
  | /opt/buildkite-agent/builds/bk-agent-prod-gcp-1758859361500881345/elastic/elastic-agent/dev-tools/mage/gotest_test.go:329 +0x30
  | testing.tRunner(0xc000103880, 0xea4750)
  | /opt/buildkite-agent/.asdf/installs/golang/1.25.1/go/src/testing/testing.go:1934 +0xea
  | created by testing.(*T).Run in goroutine 1
  | /opt/buildkite-agent/.asdf/installs/golang/1.25.1/go/src/testing/testing.go:1997 +0x465
  |  
  | DONE 1 tests, 1 failure in 0.022s
  |  
  | === FAIL: dev-tools/mage TestGoTest_CaptureOutput (26.02s)

@ycombinator
Contributor Author

Turns out this is a change in behavior in Go 1.25: https://tip.golang.org/doc/go1.25#change-to-unhandled-panic-output. Addressed in 46cc036.
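
The behaviour change behind this failure, as an added example that is not the code from the referenced commit: a pattern shaped like the test's old expectation stops matching Go 1.25 output, while a pattern that accepts both header forms matches either toolchain. The sample outputs are constructed, and the function names are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"regexp"
)

// Constructed samples of the unhandled-panic header for a panic that was
// recovered and raised again, before and after the Go 1.25 change.
const (
	outputGo124 = "=== FAIL: pkg TestHelper (0.00s)\npanic: Kaputt. [recovered]\n\tpanic: Kaputt.\n\ngoroutine 21 [running]:\n"
	outputGo125 = "=== FAIL: pkg TestHelper (0.00s)\npanic: Kaputt. [recovered, repanicked]\n\ngoroutine 21 [running]:\n"
)

// legacyPattern has the shape of the expectation in the CI log: the panic
// value printed twice, the first time tagged "[recovered]".
func legacyPattern(value string) *regexp.Regexp {
	v := regexp.QuoteMeta(value)
	return regexp.MustCompile(`(?sm)^panic: ` + v + ` \[recovered\].*^\s*panic: ` + v)
}

// tolerantPattern accepts the older two-line form and the single line
// tagged "[recovered, repanicked]" that Go 1.25 prints.
func tolerantPattern(value string) *regexp.Regexp {
	v := regexp.QuoteMeta(value)
	return regexp.MustCompile(`(?m)^panic: ` + v +
		` \[recovered(?:\]\n\s*panic: ` + v + `|, repanicked\])`)
}

func main() {
	for _, out := range []string{outputGo124, outputGo125} {
		fmt.Println(legacyPattern("Kaputt.").MatchString(out),
			tolerantPattern("Kaputt.").MatchString(out))
	}
}
```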

@pchila
Member

pchila commented Sep 29, 2025

Looking at the latest build I see a couple of strange things (maybe some of those were already there and I didn't notice until now)

@ycombinator
Contributor Author

Windows build steps are failing in CI on this PR. See a lot of Access is denied errors. 🤔

Contributor

mergify bot commented Oct 3, 2025

This pull request is now in conflict. Could you fix it? 🙏
To fix up this pull request, you can check it out locally. See documentation: https://help.github.com/articles/checking-out-pull-requests-locally/

git fetch upstream
git checkout -b bump-golang-1.25.1 upstream/bump-golang-1.25.1
git merge upstream/main
git push upstream bump-golang-1.25.1
