[cherry-pick v20260424] fix(security): bump Go to 1.25.10 and golang.org/x/net to v0.55.0

[djsly]

Summary

Cherry-pick of #8551 to official/vv20260424.

Bumps the Go toolchain and golang.org/x/net to address upstream CVEs:

Vulnerability	CVE	Component	Fixed by
net/mail DoS via crafted addresses	CVE-2026-39820	net/mail (stdlib)	Go 1.25.10
cmd/go pack subcommand directory traversal	CVE-2026-39817	cmd/go (stdlib)	Go 1.25.10
HTTP/2 + IPv6 host parsing fixes	(various, see x/net release notes)	golang.org/x/net	v0.55.0

Why bump to Go 1.25 (and not a 1.24.x patch)

Go 1.24 reached EOL in February 2026 and does NOT receive security backports. go1.25.10 is the only release stream that contains these fixes.

golang.org/x/net v0.51.0+ also requires go 1.25.0 in its own go.mod, so the Go bump is required regardless.

Verification

• go mod tidy succeeds for every module in the branch.
• go build ./... clean across every module.
• PR CI must pull go 1.25 runners.

Release plan

Once merged, two tags are pushed off the resulting commit:

• v0.v20260424.<N+1> (AgentBaker module)
• aks-node-controller/v0.v20260424.<N+1> (aks-node-controller submodule)

🤖 Generated with GitHub Copilot CLI

[Copilot]

Pull request overview

Backports the security remediation from #8551 onto official/v20260424 by upgrading the Go toolchain baseline and refreshing golang.org/x/net (and related x/* transitive deps) across the repo’s multiple Go modules, plus a small e2e formatting fix required by newer vet behavior.

Changes:

• Bump Go language/toolchain directive from 1.24.12 → 1.25.10 across all repo Go modules.
• Update golang.org/x/net to v0.55.0 (and refresh related go.sum entries via tidy).
• Fix an invalid %w usage in fmt.Sprintf within e2e/config/config.go to keep vet/build clean under Go 1.25.

Reviewed changes

Copilot reviewed 15 out of 18 changed files in this pull request and generated no comments.

Show a summary per file

File	Description
go.mod	Updates Go directive to 1.25.10 and bumps golang.org/x/net/x/sys/x/text indirect versions.
go.sum	Refreshes sums to match the updated golang.org/x/* dependency set.
e2e/go.mod	Updates Go directive to 1.25.10 and bumps golang.org/x/net to v0.55.0 (plus related x/*).
e2e/go.sum	Refreshes e2e module sums for updated golang.org/x/* dependencies.
e2e/config/config.go	Replaces invalid fmt.Sprintf(...%w...) usage with %v to satisfy stricter vet behavior.
aks-node-controller/go.mod	Updates Go directive to 1.25.10 and reflects tidy results (including direct gopkg.in/yaml.v3).
aks-node-controller/go.sum	Refreshes sums to align with the updated dependency graph.
vhdbuilder/prefetch/go.mod	Updates module Go directive to 1.25.10.
vhdbuilder/lister/go.mod	Updates module Go directive to 1.25.10.
image-fetcher/go.mod	Updates module Go directive to 1.25.10.
hack/tools/go.mod	Updates module Go directive to 1.25.10.
.github/workflows/check-coverage.yml	Updates CI Go version to 1.25.
.github/workflows/copilot-setup-steps.yml	Updates CI Go version to 1.25.
.github/workflows/go-test.yml	Updates CI Go version to 1.25.
.github/workflows/golangci-lint.yml	Updates CI Go version to 1.25.
.github/workflows/shellcheck.yml	Updates CI Go version to 1.25.
.github/workflows/shellspec.yaml	Updates CI Go version to 1.25.
.github/workflows/validate-components.yml	Updates CI Go version to 1.25 for both jobs.

[djsly]

Closing in favor of #8570 (recreated from Azure/AgentBaker branch — repo policy rejects fork-sourced PRs).