Bump Go version to 1.25.8

.buildkite/pipeline.yml

@@ -69,7 +69,7 @@ steps:
         # Note: The GODEBUG=fips140=only environment variable must be set in the command itself (as opposed to
         # in the env block) so that it is applied *only* to the 'go' command invoked by the script, and
         # not to any other Go code executed as part of the Buildkite agent itself.
-        command: 'GODEBUG="fips140=only" .buildkite/scripts/steps/unit-tests.sh'
+        command: 'GODEBUG="fips140=only,tlsmlkem=0" .buildkite/scripts/steps/unit-tests.sh'
         env:
           FIPS: "true"
         artifact_paths:

.github/workflows/golangci-lint.yml

@@ -32,7 +32,7 @@ jobs:
         uses: golangci/golangci-lint-action@1e7e51e771db61008b38414a730f564565cf7c20 # v9.2.0
         with:
           # Optional: version of golangci-lint to use in form of v1.2 or v1.2.3 or `latest` to use the latest version
-          version: v2.1.0
+          version: v2.5.0
 
           # Give the job more time to execute.
           # Regarding `--whole-files`, the linter is supposed to support linting of changed a patch only but,

.go-version

@@ -1 +1 @@
-1.24.13
+1.25.8

Dockerfile

@@ -1,4 +1,4 @@
-ARG GO_VERSION=1.24.7
+ARG GO_VERSION=1.25.8
 FROM circleci/golang:${GO_VERSION}
 
 

NOTICE-fips.txt

@@ -79933,11 +79933,11 @@ Contents of probable licence file $GOMODCACHE/github.com/gomodule/redigo@v1.9.3/
 
 --------------------------------------------------------------------------------
 Dependency : github.com/google/cel-go
-Version: v0.26.0
+Version: v0.26.1
 Licence type (autodetected): Apache-2.0
 --------------------------------------------------------------------------------
 
-Contents of probable licence file $GOMODCACHE/github.com/google/cel-go@v0.26.0/LICENSE:
+Contents of probable licence file $GOMODCACHE/github.com/google/cel-go@v0.26.1/LICENSE:
 
 
                                  Apache License

NOTICE.txt

@@ -83464,11 +83464,11 @@ Contents of probable licence file $GOMODCACHE/github.com/gomodule/redigo@v1.9.3/
 
 --------------------------------------------------------------------------------
 Dependency : github.com/google/cel-go
-Version: v0.26.0
+Version: v0.26.1
 Licence type (autodetected): Apache-2.0
 --------------------------------------------------------------------------------
 
-Contents of probable licence file $GOMODCACHE/github.com/google/cel-go@v0.26.0/LICENSE:
+Contents of probable licence file $GOMODCACHE/github.com/google/cel-go@v0.26.1/LICENSE:
 
 
                                  Apache License

changelog/fragments/1758822287-bump-golang-1.25.8.yaml

@@ -0,0 +1,32 @@
+# Kind can be one of:
+# - breaking-change: a change to previously-documented behavior
+# - deprecation: functionality that is being removed in a later release
+# - bug-fix: fixes a problem in a previous version
+# - enhancement: extends functionality but does not break or fix existing behavior
+# - feature: new functionality
+# - known-issue: problems that we are aware of in a given version
+# - security: impacts on the security of a product or a user’s deployment.
+# - upgrade: important information for someone upgrading from a prior version
+# - other: does not fit into any of the other categories
+kind: enhancement
+
+# Change summary; a 80ish characters long description of the change.
+summary: Update Go version to 1.25.8
+
+# Long description; in case the summary is not enough to describe the change
+# this field accommodate a description without length limits.
+# NOTE: This field will be rendered only for breaking-change and known-issue kinds at the moment.
+#description:
+
+# Affected component; usually one of "elastic-agent", "fleet-server", "filebeat", "metricbeat", "auditbeat", "all", etc.
+component: elastic-agent
+
+# PR URL; optional; the PR number that added the changeset.
+# If not present is automatically filled by the tooling finding the PR where this changelog fragment has been added.
+# NOTE: the tooling supports backports, so it's able to fill the original PR number instead of the backport PR number.
+# Please provide it if you are adding a fragment for a different PR.
+pr: https://github.com/elastic/elastic-agent/pull/10156
+
+# Issue URL; optional; the GitHub issue related to this changeset (either closes or is part of).
+# If not present is automatically filled by the tooling with the issue linked to the PR number.
+#issue: https://github.com/owner/repo/1234

dev-tools/mage/gotest_test.go

@@ -331,9 +331,7 @@ func TestGoTest_Helper_WithPanic(t *testing.T) {
 
 var wantTestWithPanic = `(?sm:
 === FAIL: dev-tools/mage TestGoTest_Helper_WithPanic.*
-panic: Kaputt. \[recovered\].*
-	panic: Kaputt.*
-)`
+panic: Kaputt. \[recovered, repanicked\].*)`
 
 func TestGoTest_Helper_WithWrongPanic(t *testing.T) {
 	if !gotestHelperMode {

dev-tools/mage/otel/deps_test.go

@@ -16,7 +16,7 @@ import (
 func TestGetOtelDependencies(t *testing.T) {
 	goModContent := `module github.com/elastic/elastic-agent
 
-go 1.24.1
+go 1.25.8
 
 require (
 	github.com/elastic/opentelemetry-collector-components/connector/signaltometricsconnector v0.3.0

dev-tools/mage/settings.go

@@ -1702,7 +1702,7 @@ func (s *Settings) TestTagsWithFIPS() []string {
 	tags := make([]string, len(s.Test.Tags))
 	copy(tags, s.Test.Tags)
 	if s.Build.FIPSBuild {
-		tags = append(tags, "requirefips", "ms_tls13kdf")
+		tags = append(tags, "requirefips")
 	}
 	return tags
 }

dev-tools/mage/settings_test.go

@@ -307,7 +307,7 @@ func TestSettingsTestTagsWithFIPS(t *testing.T) {
 
 		tags := s.TestTagsWithFIPS()
 
-		assert.Equal(t, []string{"tag1", "requirefips", "ms_tls13kdf"}, tags)
+		assert.Equal(t, []string{"tag1", "requirefips"}, tags)
 	})
 
 	t.Run("does not modify original tags", func(t *testing.T) {
@@ -327,7 +327,7 @@ func TestSettingsTestTagsWithFIPS(t *testing.T) {
 
 		tags := s.TestTagsWithFIPS()
 
-		assert.Equal(t, []string{"requirefips", "ms_tls13kdf"}, tags)
+		assert.Equal(t, []string{"requirefips"}, tags)
 	})
 }
 

dev-tools/packaging/packages.yml

@@ -46,7 +46,6 @@ settings:
         MS_GOTOOLCHAIN_TELEMETRY_ENABLED: "0"
       tags:
         - requirefips
-        - ms_tls13kdf
       platforms:
         - *linux-amd64
         - *linux-arm64

go.mod

@@ -1,6 +1,6 @@
 module github.com/elastic/elastic-agent
 
-go 1.24.13
+go 1.25.8
 
 replace github.com/elastic/beats/v7 => ./beats
 

internal/edot/go.mod

@@ -1,6 +1,6 @@
 module github.com/elastic/elastic-agent/internal/edot
 
-go 1.24.13
+go 1.25.8
 
 // use in-repo directory
 replace github.com/elastic/elastic-agent => ../../
@@ -439,7 +439,7 @@ require (
 	github.com/golang/protobuf v1.5.4 // indirect
 	github.com/golang/snappy v1.0.0 // indirect
 	github.com/gomodule/redigo v1.9.3 // indirect
-	github.com/google/cel-go v0.26.0 // indirect
+	github.com/google/cel-go v0.26.1 // indirect
 	github.com/google/flatbuffers v25.2.10+incompatible // indirect
 	github.com/google/gnostic-models v0.7.0 // indirect
 	github.com/google/go-cmp v0.7.0

internal/edot/go.sum

@@ -752,8 +752,8 @@ github.com/gomodule/redigo v1.9.3/go.mod h1:KsU3hiK/Ay8U42qpaJk+kuNa3C+spxapWpM+
 github.com/google/btree v0.0.0-20180813153112-4030bb1f1f0c/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ=
 github.com/google/btree v1.1.3 h1:CVpQJjYgC4VbzxeGVHfvZrv1ctoYCAI8vbl07Fcxlyg=
 github.com/google/btree v1.1.3/go.mod h1:qOPhT0dTNdNzV6Z/lhRX0YXUafgPLFUh+gZMl761Gm4=
-github.com/google/cel-go v0.26.0 h1:DPGjXackMpJWH680oGY4lZhYjIameYmR+/6RBdDGmaI=
-github.com/google/cel-go v0.26.0/go.mod h1:A9O8OU9rdvrK5MQyrqfIxo1a0u4g3sF8KB6PUIaryMM=
+github.com/google/cel-go v0.26.1 h1:iPbVVEdkhTX++hpe3lzSk7D3G3QSYqLGoHOcEio+UXQ=
+github.com/google/cel-go v0.26.1/go.mod h1:A9O8OU9rdvrK5MQyrqfIxo1a0u4g3sF8KB6PUIaryMM=
 github.com/google/flatbuffers v25.2.10+incompatible h1:F3vclr7C3HpB1k9mxCGRMXq6FdUalZ6H/pNX4FP1v0Q=
 github.com/google/flatbuffers v25.2.10+incompatible/go.mod h1:1AeVuKshWv4vARoZatz6mlQ0JxURH0Kv5+zNeJKJCa8=
 github.com/google/gnostic-models v0.7.0 h1:qwTtogB15McXDaNqTZdzPJRHvaVJlAl+HVQnLmJEJxo=

internal/pkg/agent/application/upgrade/marker_watcher.go

@@ -20,13 +20,15 @@ import (
 type MarkerWatcher interface {
 	Watch() <-chan UpdateMarker
 	Run(ctx context.Context) error
+	Done() <-chan struct{}
 	SetUpgradeStarted()
 }
 
 type MarkerFileWatcher struct {
 	markerFilePath string
 	logger         *logger.Logger
 	updateCh       chan UpdateMarker
+	doneCh         chan struct{}
 
 	upgradeStarted atomic.Bool
 	lastMarker     *UpdateMarker
@@ -39,6 +41,7 @@ func newMarkerFileWatcher(upgradeMarkerFilePath string, logger *logger.Logger) M
 		markerFilePath: upgradeMarkerFilePath,
 		logger:         logger,
 		updateCh:       make(chan UpdateMarker),
+		doneCh:         make(chan struct{}),
 	}
 }
 
@@ -50,6 +53,10 @@ func (mfw *MarkerFileWatcher) SetUpgradeStarted() {
 	mfw.upgradeStarted.Store(true)
 }
 
+func (mfw *MarkerFileWatcher) Done() <-chan struct{} {
+	return mfw.doneCh
+}
+
 func (mfw *MarkerFileWatcher) Run(ctx context.Context) error {
 	watcher, err := fsnotify.NewWatcher()
 	if err != nil {
@@ -70,6 +77,7 @@ func (mfw *MarkerFileWatcher) Run(ctx context.Context) error {
 
 	// Handle watching
 	go func() {
+		defer close(mfw.doneCh)
 		defer watcher.Close()
 		for {
 			select {
@@ -100,7 +108,7 @@ func (mfw *MarkerFileWatcher) Run(ctx context.Context) error {
 				case e.Op&(fsnotify.Create|fsnotify.Write) != 0:
 					// Upgrade marker file was created or updated; read its contents
 					// and send them over the update channel.
-					mfw.processMarker(version.GetAgentPackageVersion(), version.Commit())
+					mfw.processMarker(ctx, version.GetAgentPackageVersion(), version.Commit())
 				case e.Op&(fsnotify.Remove) != 0:
 					// Upgrade marker file was removed.
 					// - Upgrade could've been rolled back
@@ -109,19 +117,23 @@ func (mfw *MarkerFileWatcher) Run(ctx context.Context) error {
 					// upgrade was successful
 					if mfw.lastMarker != nil && mfw.lastMarker.Details != nil && mfw.lastMarker.Details.State != details.StateRollback {
 						mfw.lastMarker.Details = nil
-						mfw.updateCh <- *mfw.lastMarker
+						select {
+						case mfw.updateCh <- *mfw.lastMarker:
+						case <-ctx.Done():
+							return
+						}
 					}
 				}
 			case <-doInitialRead:
-				mfw.processMarker(version.GetAgentPackageVersion(), version.Commit())
+				mfw.processMarker(ctx, version.GetAgentPackageVersion(), version.Commit())
 			}
 		}
 	}()
 
 	return nil
 }
 
-func (mfw *MarkerFileWatcher) processMarker(currentVersion string, commit string) {
+func (mfw *MarkerFileWatcher) processMarker(ctx context.Context, currentVersion string, commit string) {
 	marker, err := loadMarker(mfw.markerFilePath)
 	if err != nil {
 		mfw.logger.Error(err)
@@ -151,5 +163,8 @@ func (mfw *MarkerFileWatcher) processMarker(currentVersion string, commit string
 	}
 
 	mfw.lastMarker = marker
-	mfw.updateCh <- *marker
+	select {
+	case mfw.updateCh <- *marker:
+	case <-ctx.Done():
+	}
 }

internal/pkg/agent/application/upgrade/marker_watcher_test.go

@@ -30,7 +30,10 @@ func TestMarkerWatcher(t *testing.T) {
 	markerWatcher := newMarkerFileWatcher(testMarkerFile, testLogger)
 
 	testCtx, testCancel := context.WithCancel(context.Background())
-	defer testCancel()
+	defer func() {
+		testCancel()
+		<-markerWatcher.Done()
+	}()
 
 	var testDetails *details.Details
 	var testDetailsMu sync.Mutex
@@ -270,7 +273,7 @@ details:
 				mfw.SetUpgradeStarted()
 			}
 
-			mfw.processMarker(currentVersion, currentCommit)
+			mfw.processMarker(t.Context(), currentVersion, currentCommit)
 
 			// error loading marker
 			if test.expectedErrLogMsg {

internal/pkg/agent/application/upgrade/watcher.go

@@ -374,13 +374,18 @@ type createContextWithTimeout func(ctx context.Context, timeout time.Duration) (
 func waitForWatcherWithTimeoutCreationFunc(ctx context.Context, log *logger.Logger, markerFilePath string, waitTime time.Duration, createTimeoutContext createContextWithTimeout) error {
 	// Wait for the watcher to be up and running
 	watcherContext, cancel := createTimeoutContext(ctx, waitTime)
-	defer cancel()
 
 	markerWatcher := newMarkerFileWatcher(markerFilePath, log)
 	err := markerWatcher.Run(watcherContext)
 	if err != nil {
 		return fmt.Errorf("error starting update marker watcher: %w", err)
 	}
+	// Ensure the fsnotify watcher goroutine fully exits before returning,
+	// so that directory handles are released (needed on Windows for cleanup).
+	defer func() {
+		cancel()
+		<-markerWatcher.Done()
+	}()
 
 	log.Infof("waiting up to %s for upgrade watcher to set %s state in upgrade marker", waitTime, details.StateWatching)
 

internal/pkg/agent/install/uninstall.go

@@ -285,7 +285,7 @@ func RemovePath(path string) error {
 	start := time.Now()
 	var lastErr error
 	for time.Since(start) <= arbitraryTimeout {
-		lastErr = os.RemoveAll(path)
+		lastErr = removeAll(path)
 
 		if lastErr == nil || !isRetryableError(lastErr) {
 			return lastErr
@@ -326,6 +326,70 @@ func RemoveBut(path string, bestEffort bool, exceptions ...string) error {
 	return err
 }
 
+// TODO: Replace this with a more robust and less mysterious approach.
+// removeAll is a reimplementation of Go 1.24's os.RemoveAll. Go 1.25 switched
+// to directory-relative unlinkat/openat syscalls (removeall_at.go) which on
+// Windows use NtCreateFile with DELETE access — these are stricter about file
+// state and fail on files that have been ADS-renamed. The simple path-based
+// approach using os.Remove works correctly with the ADS rename trick that
+// RemovePath uses to delete running executables on Windows.
+// Taken from: https://cs.opensource.google/go/go/+/refs/tags/go1.24.13:src/os/removeall_noat.go;drc=a2baae6851a157d662dff7cc508659f66249698a;l=15
+// The implementation which breaks our install is here:
+// https://cs.opensource.google/go/go/+/refs/tags/go1.25.8:src/os/removeall_at.go;drc=e81c624656e415626c7ac3a97768f5c2717979a4;l=15
+func removeAll(path string) error {
+	// Try simple remove first (handles files and empty directories).
+	err := os.Remove(path)
+	if err == nil || errors.Is(err, fs.ErrNotExist) {
+		return nil
+	}
+
+	// Check if it's a directory.
+	info, serr := os.Lstat(path)
+	if serr != nil {
+		if errors.Is(serr, fs.ErrNotExist) {
+			return nil
+		}
+		return serr
+	}
+	if !info.IsDir() {
+		// Not a directory — return the original Remove error.
+		return err
+	}
+
+	// Remove directory contents recursively.
+	err = removeAllChildren(path)
+	if err != nil {
+		return err
+	}
+
+	// Remove the now-empty directory.
+	err = os.Remove(path)
+	if errors.Is(err, fs.ErrNotExist) {
+		return nil
+	}
+	return err
+}
+
+func removeAllChildren(path string) error {
+	entries, err := os.ReadDir(path)
+	if err != nil {
+		if errors.Is(err, fs.ErrNotExist) {
+			return nil
+		}
+		return err
+	}
+
+	var firstErr error
+	for _, entry := range entries {
+		child := filepath.Join(path, entry.Name())
+		err := removeAll(child)
+		if err != nil && firstErr == nil {
+			firstErr = err
+		}
+	}
+	return firstErr
+}
+
 func containsString(str string, a []string, caseSensitive bool) bool {
 	if !caseSensitive {
 		str = strings.ToLower(str)