[cherry-pick v20260514] fix(security): bump Go to 1.25.10 and golang.org/x/net to v0.55.0

[djsly]

Summary

Cherry-pick of #8551 to official/vv20260514.

Bumps the Go toolchain and golang.org/x/net to address upstream CVEs:

Vulnerability	CVE	Component	Fixed by
net/mail DoS via crafted addresses	CVE-2026-39820	net/mail (stdlib)	Go 1.25.10
cmd/go pack subcommand directory traversal	CVE-2026-39817	cmd/go (stdlib)	Go 1.25.10
HTTP/2 + IPv6 host parsing fixes	(various, see x/net release notes)	golang.org/x/net	v0.55.0

Why bump to Go 1.25 (and not a 1.24.x patch)

Go 1.24 reached EOL in February 2026 and does NOT receive security backports. go1.25.10 is the only release stream that contains these fixes.

golang.org/x/net v0.51.0+ also requires go 1.25.0 in its own go.mod, so the Go bump is required regardless.

Verification

• go mod tidy succeeds for every module in the branch.
• go build ./... clean across every module.
• PR CI must pull go 1.25 runners.

Release plan

Once merged, two tags are pushed off the resulting commit:

• v0.v20260514.<N+1> (AgentBaker module)
• aks-node-controller/v0.v20260514.<N+1> (aks-node-controller submodule)

🤖 Generated with GitHub Copilot CLI

[Copilot]

Pull request overview

Backports a security/toolchain update onto official/v20260514 by moving the repo and its submodules to Go 1.25.10 and updating golang.org/x/net (plus related transitive x/* deps), with CI workflows adjusted to use Go 1.25.

Changes:

• Bumped go directives across the root module and submodules from 1.24.12 → 1.25.10.
• Updated golang.org/x/net to v0.55.0 (and refreshed related go.sum entries / transitives in affected modules).
• Updated GitHub Actions workflows to set up Go 1.25, and fixed invalid %w usage in an fmt.Sprintf call in e2e config.

Reviewed changes

Copilot reviewed 15 out of 18 changed files in this pull request and generated no comments.

Show a summary per file

File	Description
go.mod	Updates Go directive and bumps indirect golang.org/x/* deps (incl. x/net).
go.sum	Refreshes sums for updated golang.org/x/* versions.
e2e/go.mod	Updates Go directive and golang.org/x/* dependency versions for the e2e module.
e2e/go.sum	Refreshes sums for updated golang.org/x/* versions in e2e.
e2e/config/config.go	Fixes invalid fmt.Sprintf %w usage to a valid formatting verb.
aks-node-controller/go.mod	Updates Go directive and indirect x/sys version.
aks-node-controller/go.sum	Refreshes sums for updated golang.org/x/* versions.
vhdbuilder/prefetch/go.mod	Updates Go directive to 1.25.10.
vhdbuilder/lister/go.mod	Updates Go directive to 1.25.10.
image-fetcher/go.mod	Updates Go directive to 1.25.10.
hack/tools/go.mod	Updates Go directive to 1.25.10.
.github/workflows/validate-components.yml	Updates setup-go version to 1.25 (and retains a job using go-version-file).
.github/workflows/shellspec.yaml	Updates setup-go version to 1.25.
.github/workflows/shellcheck.yml	Updates setup-go version to 1.25.
.github/workflows/golangci-lint.yml	Updates setup-go version to 1.25.
.github/workflows/go-test.yml	Updates setup-go version to 1.25.
.github/workflows/copilot-setup-steps.yml	Updates setup-go version to 1.25.
.github/workflows/check-coverage.yml	Updates setup-go version to 1.25.

[djsly]

Closing in favor of #8571 (recreated from Azure/AgentBaker branch — repo policy rejects fork-sourced PRs).