[cherry-pick v20260413] fix(security): bump Go to 1.25.10 and golang.org/x/net to v0.55.0

[djsly]

Summary

Cherry-pick of #8551 to official/vv20260413.

Bumps the Go toolchain and golang.org/x/net to address upstream CVEs:

Vulnerability	CVE	Component	Fixed by
net/mail DoS via crafted addresses	CVE-2026-39820	net/mail (stdlib)	Go 1.25.10
cmd/go pack subcommand directory traversal	CVE-2026-39817	cmd/go (stdlib)	Go 1.25.10
HTTP/2 + IPv6 host parsing fixes	(various, see x/net release notes)	golang.org/x/net	v0.55.0

Why bump to Go 1.25 (and not a 1.24.x patch)

Go 1.24 reached EOL in February 2026 and does NOT receive security backports. go1.25.10 is the only release stream that contains these fixes.

golang.org/x/net v0.51.0+ also requires go 1.25.0 in its own go.mod, so the Go bump is required regardless.

Verification

• go mod tidy succeeds for every module in the branch.
• go build ./... clean across every module.
• PR CI must pull go 1.25 runners.

Release plan

Once merged, two tags are pushed off the resulting commit:

• v0.v20260413.<N+1> (AgentBaker module)
• aks-node-controller/v0.v20260413.<N+1> (aks-node-controller submodule)

🤖 Generated with GitHub Copilot CLI

[Copilot]

Pull request overview

Backports a security-driven Go toolchain and dependency update onto the v20260413 branch, aligning all tracked Go modules and CI workflows with the patched toolchain and updated golang.org/x/net.

Changes:

• Bump go directive to 1.25.10 across all tracked Go modules and refresh go.sum via tidy.
• Update golang.org/x/net to v0.55.0 (and associated x/* transitive versions) where applicable.
• Update GitHub Actions workflows to use Go 1.25, and fix an invalid %w usage under fmt.Sprintf in e2e config.

Reviewed changes

Copilot reviewed 15 out of 18 changed files in this pull request and generated no comments.

Show a summary per file

File	Description
go.mod	Bumps Go directive; updates indirect golang.org/x/* versions after tidy.
go.sum	Reflects updated module checksums after dependency upgrades/tidy.
e2e/go.mod	Bumps Go directive; updates x/crypto and indirect x/* versions.
e2e/go.sum	Updates checksums for e2e module dependency refresh.
e2e/config/config.go	Replaces invalid fmt.Sprintf(...%w...) with %v to satisfy vet/format correctness.
aks-node-controller/go.mod	Bumps Go directive; updates indirect x/sys.
aks-node-controller/go.sum	Updates checksums for aks-node-controller module dependency refresh.
vhdbuilder/prefetch/go.mod	Bumps Go directive to 1.25.10.
vhdbuilder/lister/go.mod	Bumps Go directive to 1.25.10.
image-fetcher/go.mod	Bumps Go directive to 1.25.10.
hack/tools/go.mod	Bumps Go directive to 1.25.10.
.github/workflows/check-coverage.yml	Updates CI Go version from 1.24 to 1.25.
.github/workflows/copilot-setup-steps.yml	Updates CI Go version from 1.24 to 1.25.
.github/workflows/go-test.yml	Updates CI Go version from 1.24 to 1.25.
.github/workflows/golangci-lint.yml	Updates CI Go version from 1.24 to 1.25.
.github/workflows/shellcheck.yml	Updates CI Go version from 1.24 to 1.25.
.github/workflows/shellspec.yaml	Updates CI Go version from 1.24 to 1.25.
.github/workflows/validate-components.yml	Updates CI Go version from 1.24 to 1.25 for both jobs.

[djsly]

Closing in favor of #8569 (recreated from Azure/AgentBaker branch — repo policy rejects fork-sourced PRs).