[relay] Update GO version and QUIC version

[pappz]

Update:

• Go 1.25.5
• QUIC 0.55.0

Describe your changes

Issue ticket number and link

Stack

Checklist

• Is it a bug fix
• Is a typo/documentation fix
• Is a feature enhancement
• It is a refactor
• Created tests that fail without the change (if possible)

By submitting this pull request, you confirm that you have read and agree to the terms of the Contributor License Agreement.

Documentation

Select exactly one:

• I added/updated documentation for this change
• Documentation is not needed for this change (explain why)

Docs PR URL (required if "docs added" is checked)

Paste the PR link from https://github.com/netbirdio/docs here:

https://github.com/netbirdio/docs/pull/__

Summary by CodeRabbit

• Chores

  • Upgraded Go toolchain to 1.25.x, bumped several dependencies, and updated CI/workflows and container images.

• Refactor

  • Modernized build-tag syntax, simplified conditional and control-flow logic, and streamlined lint configuration.

• Style

  • Standardized error/message capitalization and added targeted lint-suppression comments.

• Tests

  • Adjusted tests for style, parallelism limits, and per-test server configurations; no user-facing behavior changes.

_{✏️ Tip: You can customize this high-level summary in your review settings.}

[coderabbitai]

Actionable comments posted: 1

Fix all issues with AI Agents 🤖

In @go.mod:
- Around line 102-106: You upgraded otelgrpc to v0.61.0—review and update any
code that sets OpenTelemetry semantic attributes and gRPC instrumentation
options: search for usages of otelgrpc (e.g., NewUnaryServerInterceptor,
NewStreamServerInterceptor) and add or consider the new WithPublicEndpoint /
WithPublicEndpointFn options if your service is a public endpoint; also search
for direct semantic attribute references (semantic conventions, attribute keys,
span.SetAttributes calls, or semconv imports) and reconcile any renamed/changed
attributes per the v1.34.0 semantic convention changes so dashboards/alerts
continue to receive the correct attribute names.

📜 Review details

Configuration used: defaults

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 76b387b and 1f61b00.

📒 Files selected for processing (1)

• go.mod

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (27)

• GitHub Check: Management / Integration (amd64, sqlite)
• GitHub Check: Management / Integration (amd64, postgres)
• GitHub Check: Management / Benchmark (API) (amd64, postgres)
• GitHub Check: Management / Benchmark (API) (amd64, sqlite)
• GitHub Check: Relay / Unit (386)
• GitHub Check: Client / Unit (amd64)
• GitHub Check: Management / Unit (amd64, sqlite)
• GitHub Check: Management / Unit (amd64, mysql)
• GitHub Check: Relay / Unit (amd64, -race)
• GitHub Check: Client / Unit (386)
• GitHub Check: Management / Unit (amd64, postgres)
• GitHub Check: Management / Benchmark (amd64, sqlite)
• GitHub Check: Management / Benchmark (amd64, postgres)
• GitHub Check: Client (Docker) / Unit
• GitHub Check: Windows
• GitHub Check: Linux
• GitHub Check: release
• GitHub Check: release_ui_darwin
• GitHub Check: FreeBSD Port / Build & Test
• GitHub Check: test-docker-compose (sqlite)
• GitHub Check: test-docker-compose (mysql)
• GitHub Check: test-docker-compose (postgres)
• GitHub Check: test-getting-started-script
• GitHub Check: JS / Lint
• GitHub Check: Client / Unit
• GitHub Check: Android / Build
• GitHub Check: Client / Unit

🔇 Additional comments (5)

go.mod (5)

3-5: Clarify the Go version discrepancy between PR description and implementation.

The PR description states Go 1.25.3, the commit message references 1.25.5, and the code shows toolchain go1.25.5. The toolchain version in the file is correct, but the PR description should be aligned with the actual version for clarity and future reference.

---

262-272: Module replacements look appropriate.

The module replacements consistently use netbirdio forks and specific commit hashes/versions, maintaining reproducibility and customization for internal needs. No concerns here.

---

85-85: No action needed. The quic-go v0.55.0 upgrade does not introduce breaking changes and is fully compatible with netbird's Go 1.25 requirement.

---

27-28: No action required. gRPC v1.76.0 and protobuf v1.36.10 are compatible with each other and with the project's Go version (1.25). OpenTelemetry instrumentation supports gRPC 1.76.0, and there are no breaking changes that would affect the netbird codebase.

---

128-130: Indirect dependencies resolve correctly without conflicts.

The broad updates to indirect dependencies (Google Cloud APIs, s2a-go, gax-go, genproto, OTEL HTTP instrumentation) have been verified and resolve without issues. The dependency graph is consistent and all modules verify successfully.

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

🧩 Analysis chain

🌐 Web query:

OpenTelemetry gRPC instrumentation v0.61.0 release notes compatibility gRPC

💡 Result:

The OpenTelemetry Go gRPC instrumentation (otelgrpc) v0.61.0 adds support for google.golang.org/grpc v1.68.0. [1][2]

Sources:

• opentelemetry-go-instrumentation release notes (mentions support for google.golang.org/grpc 1.68.0). [1]
• otelgrpc package docs. [2]

---

🌐 Web query:

go.opentelemetry.io/contrib instrumentation grpc otelgrpc v0.61.0 changelog breaking changes

💡 Result:

Summary of otelgrpc changes in v0.61.0 (opentelemetry-go-contrib)

• Added: WithPublicEndpoint and WithPublicEndpointFn options for go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc. [1]
• Changed: otelgrpc’s semantic conventions were upgraded (previously v1.30.0 → v1.34.0). Upgrading semantic conventions can change attribute/semantic names and therefore may be breaking for consumers relying on exact attribute names. [1]

No other otelgrpc-specific breaking-change entry is listed in the v0.61.0 release notes; if you depend on stable semantic- conventions behavior, review the semantic-conventions changes between v1.30.0 and v1.34.0. [1][2]

Sources:
[1] open-telemetry/opentelemetry-go-contrib releases (v0.61.0) — release notes.
[2] OpenTelemetry semantic conventions documentation / migration guidance.

---

🌐 Web query:

OpenTelemetry instrumentation v0.61.0 gRPC 1.76 compatibility

💡 Result:

Short answer: It depends on the language/runtime.

• Node.js: @opentelemetry/instrumentation-grpc targets @grpc/grpc-js 1.x (i.e. any 1.* release). So OpenTelemetry instrumentation v0.61.0 (js) is compatible with grpc-js 1.x. [1][4]

• Go: the OpenTelemetry Go auto‑instrumentation has explicit support/cache updates for google.golang.org/grpc 1.76 (and nearby 1.74–1.76 dev). That indicates compatibility for gRPC 1.76 with recent otel-go auto-instrumentation releases. [3]

• Java: gRPC-Java 1.76.0 is published; OpenTelemetry Java agent/instrumentation provides gRPC instrumentation, but compatibility is tied to the specific opentelemetry-java-instrumentation (javaagent) release you use — check the javaagent's supported-libraries page and release notes for any version-specific notes or breaking changes. [2][5]

If you tell me which language (Node/Python/Java/Go/.NET) and whether you mean grpc-js, grpc-java, or the Python package, I’ll confirm the exact instrumentation release compatibility and link the precise changelog.

Sources:
[1] @opentelemetry/instrumentation-grpc — supported versions: @grpc/grpc-js 1.x.
[2] grpc-java v1.76.0 release metadata.
[3] opentelemetry-go-instrumentation changelog — grpc 1.76.0-dev / offsets added.
[4] open-telemetry/opentelemetry-js-contrib releases (v0.61.0).
[5] OpenTelemetry Java agent — supported libraries / releases.

---

OTEL instrumentation v0.61.0 is compatible with gRPC v1.76.0 — verify semantic convention changes.

The upgrade to OpenTelemetry instrumentation v0.61.0 is compatible with gRPC v1.76.0. However, note that semantic conventions were upgraded from v1.30.0 to v1.34.0, which may change attribute names used in observability/tracing. Review the semantic convention changes to ensure existing monitoring, alerts, and dashboards remain functional. Additionally, v0.61.0 adds WithPublicEndpoint and WithPublicEndpointFn options that may be relevant to your tracing configuration.

🤖 Prompt for AI Agents

In @go.mod around lines 102-106, You upgraded otelgrpc to v0.61.0—review and
update any code that sets OpenTelemetry semantic attributes and gRPC
instrumentation options: search for usages of otelgrpc (e.g.,
NewUnaryServerInterceptor, NewStreamServerInterceptor) and add or consider the
new WithPublicEndpoint / WithPublicEndpointFn options if your service is a
public endpoint; also search for direct semantic attribute references (semantic
conventions, attribute keys, span.SetAttributes calls, or semconv imports) and
reconcile any renamed/changed attributes per the v1.34.0 semantic convention
changes so dashboards/alerts continue to receive the correct attribute names.

[lixmal]

• .github/workflows/release.yml:66 still uses go1.24.10.freebsd-amd64.tar.gz
• .devcontainer/Dockerfile:1 - Still uses golang:1.23-bullseye

[coderabbitai]

Actionable comments posted: 0

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

.github/workflows/release.yml (1)

54-73: Reconcile Go version inconsistency between release and test workflows.

Go 1.25.5 for FreeBSD AMD64 is available and valid. However, there is a version mismatch that should be addressed:

• release.yml (line 66): go1.25.5.freebsd-amd64.tar.gz
• golang-test-freebsd.yml (line 28): go1.25.3.freebsd-amd64.tar.gz

Update golang-test-freebsd.yml to use go1.25.5 for consistency, or document the reason for the version difference if intentional.

📜 Review details

Configuration used: defaults

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 1f61b00 and 87b4f11.

📒 Files selected for processing (1)

• .github/workflows/release.yml

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (19)

• GitHub Check: JS / Lint
• GitHub Check: release_ui_darwin
• GitHub Check: Windows
• GitHub Check: Darwin
• GitHub Check: test-docker-compose (sqlite)
• GitHub Check: test-docker-compose (postgres)
• GitHub Check: Client / Unit
• GitHub Check: test-docker-compose (mysql)
• GitHub Check: Linux
• GitHub Check: Client / Unit
• GitHub Check: Android / Build
• GitHub Check: test-getting-started-script
• GitHub Check: Build Cache
• GitHub Check: release_ui
• GitHub Check: iOS / Build
• GitHub Check: release
• GitHub Check: FreeBSD Port / Build & Test
• GitHub Check: Client / Unit
• GitHub Check: Check External GPL/AGPL Licenses

[coderabbitai]

Actionable comments posted: 0

🧹 Nitpick comments (1)

.devcontainer/Dockerfile (1)

12-12: Consider pinning gopls version for build reproducibility.

Using @latest introduces unpredictability, as future gopls versions may have breaking changes or bugs. This is inconsistent with the pinned-version approach used for the apt packages above.

📌 Proposed fix to pin gopls version

-    && go install -v golang.org/x/tools/gopls@latest
+    && go install -v golang.org/x/tools/gopls@v0.18.1

Alternatively, if you want to use a newer version, specify it explicitly (e.g., @v0.19.0 or whatever the current stable version is).

📜 Review details

Configuration used: defaults

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 87b4f11 and 93334bc.

📒 Files selected for processing (1)

• .devcontainer/Dockerfile

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (30)

• GitHub Check: Client (Docker) / Unit
• GitHub Check: Management / Unit (amd64, postgres)
• GitHub Check: Management / Unit (amd64, mysql)
• GitHub Check: Client / Unit (amd64)
• GitHub Check: Management / Benchmark (amd64, postgres)
• GitHub Check: Client / Unit (386)
• GitHub Check: Management / Integration (amd64, postgres)
• GitHub Check: Management / Unit (amd64, sqlite)
• GitHub Check: Relay / Unit (386)
• GitHub Check: Relay / Unit (amd64, -race)
• GitHub Check: Management / Benchmark (API) (amd64, sqlite)
• GitHub Check: Management / Benchmark (API) (amd64, postgres)
• GitHub Check: Management / Benchmark (amd64, sqlite)
• GitHub Check: release_ui_darwin
• GitHub Check: release
• GitHub Check: FreeBSD Port / Build & Test
• GitHub Check: release_ui
• GitHub Check: Client / Unit
• GitHub Check: Client / Unit
• GitHub Check: iOS / Build
• GitHub Check: Android / Build
• GitHub Check: Client / Unit
• GitHub Check: JS / Lint
• GitHub Check: Linux
• GitHub Check: Windows
• GitHub Check: Darwin
• GitHub Check: test-docker-compose (postgres)
• GitHub Check: test-docker-compose (sqlite)
• GitHub Check: test-docker-compose (mysql)
• GitHub Check: test-getting-started-script

🔇 Additional comments (2)

.devcontainer/Dockerfile (2)

1-1: Good update to golang:1.25-bookworm.

This addresses the reviewer's concern about updating from golang:1.23-bullseye and aligns with the PR objective. The move to Debian bookworm (12) is also appropriate as the current stable release.

---

5-9: Pinned Debian package versions are available in bookworm repositories with no critical vulnerabilities.

All five packages (gettext-base, iptables, libgl1-mesa-dev, xorg-dev, libayatana-appindicator3-dev) exist at their pinned versions in Debian bookworm. The libgl1-mesa-dev package (22.3.6-1+deb12u1) has several disputed CVEs with negligible security impact noted by Debian's security tracker; no active security advisories affect any of these packages.

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
6 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud