
[cherry-pick v20260505] fix(security): bump Go to 1.25.10 and golang.org/x/net to v0.55.0 #8559

Closed
djsly wants to merge 1 commit into Azure:official/v20260505 from djsly:djsly/icm-796913379-cve-go-1.25.10-v20260505

Conversation

djsly (Collaborator) commented May 22, 2026

Summary

Cherry-pick of #8551 to official/v20260505.

Bumps the Go toolchain and golang.org/x/net to address upstream CVEs:

| Vulnerability | CVE | Component | Fixed by |
|---|---|---|---|
| net/mail DoS via crafted addresses | CVE-2026-39820 | net/mail (stdlib) | Go 1.25.10 |
| cmd/go pack subcommand directory traversal | CVE-2026-39817 | cmd/go (stdlib) | Go 1.25.10 |
| HTTP/2 + IPv6 host parsing fixes | (various, see x/net release notes) | golang.org/x/net | v0.55.0 |

Why bump to Go 1.25 (and not a 1.24.x patch)

Go 1.24 reached EOL in February 2026 and does NOT receive security backports. go1.25.10 is the only release stream that contains these fixes.

golang.org/x/net v0.51.0+ also requires go 1.25.0 in its own go.mod, so the Go bump is required regardless.

Verification

  • go mod tidy succeeds for every module in the branch.
  • go build ./... clean across every module.
  • PR CI must pull go 1.25 runners.

Release plan

Once merged, two tags are pushed off the resulting commit:

  • v0.v20260505.<N+1> (AgentBaker module)
  • aks-node-controller/v0.v20260505.<N+1> (aks-node-controller submodule)

🤖 Generated with GitHub Copilot CLI

Backport Go 1.25.10 and golang.org/x/net v0.55.0 to official/v20260505 for IcM 796913379.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
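The Verification list above relies on go mod tidy and go build succeeding, which proves the modules resolve but not that every module actually sits on the new baseline. The following Go program is an added example, not code from this PR or from the AgentBaker repository: a stdlib-only reader for go.mod files that flags any module whose go directive is below 1.25.10 or whose golang.org/x/net requirement is below v0.55.0. The two go.mod texts are constructed samples with hypothetical module paths.

```go
package main

import (
	"bufio"
	"fmt"
	"go/version"
	"strconv"
	"strings"
)

// Minimums this check enforces, taken from the PR summary.
const (
	minGo   = "go1.25.10"
	minXNet = "v0.55.0"
)

// Constructed sample go.mod contents (hypothetical module paths, not the
// repository's files): one already bumped, one still on the old baseline.
const sampleBumped = `module example.com/agentbaker

go 1.25.10

require (
	golang.org/x/net v0.55.0
	golang.org/x/sys v0.40.0 // indirect
)
`

const sampleStale = `module example.com/stale

go 1.24.6

require golang.org/x/net v0.47.0
`

type modInfo struct {
	GoDirective string            // e.g. "go1.25.10", in go/version form
	Requires    map[string]string // module path -> version
}

// parseGoMod is a minimal line-based reader for the go directive and
// require entries (stdlib only; it deliberately avoids golang.org/x/mod).
func parseGoMod(src string) modInfo {
	info := modInfo{Requires: map[string]string{}}
	inBlock := false
	sc := bufio.NewScanner(strings.NewReader(src))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if i := strings.Index(line, "//"); i >= 0 { // drop "// indirect" etc.
			line = strings.TrimSpace(line[:i])
		}
		switch {
		case line == "":
		case strings.HasPrefix(line, "go "):
			info.GoDirective = "go" + strings.TrimSpace(line[3:])
		case line == "require (": // must precede the single-line require case
			inBlock = true
		case line == ")":
			inBlock = false
		case strings.HasPrefix(line, "require "):
			addRequire(info.Requires, line[len("require "):])
		case inBlock:
			addRequire(info.Requires, line)
		}
	}
	return info
}

func addRequire(m map[string]string, entry string) {
	if f := strings.Fields(entry); len(f) == 2 {
		m[f[0]] = f[1]
	}
}

// semverLess compares vMAJOR.MINOR.PATCH numerically; any prerelease or
// pseudo-version suffix after "-" is ignored, which is enough for x/* tags.
func semverLess(a, b string) bool {
	num := func(v string) [3]int {
		var out [3]int
		v, _, _ = strings.Cut(strings.TrimPrefix(v, "v"), "-")
		for i, p := range strings.SplitN(v, ".", 3) {
			out[i], _ = strconv.Atoi(p)
		}
		return out
	}
	x, y := num(a), num(b)
	for i := range x {
		if x[i] != y[i] {
			return x[i] < y[i]
		}
	}
	return false
}

// checkModule returns one finding per violated minimum; an empty slice
// means the module meets the PR's baseline. A missing go directive is
// reported too, because go/version orders an invalid string below any
// valid one.
func checkModule(src string) []string {
	info := parseGoMod(src)
	var findings []string
	if version.Compare(info.GoDirective, minGo) < 0 {
		findings = append(findings, fmt.Sprintf("go directive %q is below %s", info.GoDirective, minGo))
	}
	if v, ok := info.Requires["golang.org/x/net"]; ok && semverLess(v, minXNet) {
		findings = append(findings, fmt.Sprintf("golang.org/x/net %s is below %s", v, minXNet))
	}
	return findings
}

func main() {
	for name, src := range map[string]string{"bumped": sampleBumped, "stale": sampleStale} {
		fmt.Printf("%s: %v\n", name, checkModule(src))
	}
}
```

In a real tree you would walk the repository with filepath.WalkDir, read every go.mod (the PR touches seven of them) and feed each to checkModule as a cheap pre-merge gate. It complements rather than replaces go mod tidy and go build, which also validate go.sum, and the final check for a shipped artifact is go version -m on the built binary, since a bumped go.mod says nothing about whether the binary was rebuilt with the new toolchain and module versions.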
Copilot AI (Contributor) left a comment

Pull request overview

Backports security tooling updates onto official/v20260505 by moving the repository’s Go toolchain baseline to Go 1.25.10 and updating golang.org/x/net to v0.55.0 (plus related x/* transitive updates), aligning CI workflows and fixing a fmt.Sprintf misuse caught by stricter vetting.

Changes:

  • Bump go directives across all Go modules to 1.25.10 and refresh dependency graphs (go.sum) accordingly.
  • Update golang.org/x/net to v0.55.0 (and related x/sys, x/text, x/crypto, etc. as pulled by tidy) in root/e2e/aks-node-controller.
  • Update GitHub Actions workflows to use Go 1.25, and fix %w usage in fmt.Sprintf in e2e config.

Reviewed changes

Copilot reviewed 15 out of 18 changed files in this pull request and generated no comments.

| File | Description |
|---|---|
| go.mod | Bumps Go directive to 1.25.10; updates indirect golang.org/x/* versions. |
| go.sum | Refreshes sums for updated golang.org/x/* module versions. |
| e2e/go.mod | Bumps Go directive to 1.25.10; updates x/crypto and indirect x/* deps. |
| e2e/go.sum | Refreshes sums for updated e2e dependency versions. |
| e2e/config/config.go | Fixes invalid %w usage in fmt.Sprintf panic message. |
| aks-node-controller/go.mod | Bumps Go directive to 1.25.10; updates indirect x/sys. |
| aks-node-controller/go.sum | Refreshes sums for updated golang.org/x/* module versions. |
| vhdbuilder/prefetch/go.mod | Bumps Go directive to 1.25.10. |
| vhdbuilder/lister/go.mod | Bumps Go directive to 1.25.10. |
| image-fetcher/go.mod | Bumps Go directive to 1.25.10. |
| hack/tools/go.mod | Bumps Go directive to 1.25.10. |
| .github/workflows/validate-components.yml | Updates setup-go to use Go 1.25 for validation jobs. |
| .github/workflows/shellspec.yaml | Updates setup-go to use Go 1.25. |
| .github/workflows/shellcheck.yml | Updates setup-go to use Go 1.25. |
| .github/workflows/golangci-lint.yml | Updates setup-go to use Go 1.25. |
| .github/workflows/go-test.yml | Updates setup-go to use Go 1.25. |
| .github/workflows/copilot-setup-steps.yml | Updates setup-go to use Go 1.25. |
| .github/workflows/check-coverage.yml | Updates setup-go to use Go 1.25. |

djsly changed the title from "[cherry-pick v20260505] fix(security): bump Go to 1.25.10 and golang.org/x/net to v0.55.0" to "[IcM 796913379] [cherry-pick v20260505] fix(security): bump Go to 1.25.10 and golang.org/x/net to v0.55.0" on May 22, 2026.
djsly (Collaborator, Author) commented May 22, 2026

Closing in favor of #8572 (recreated from Azure/AgentBaker branch — repo policy rejects fork-sourced PRs).


2 participants