fix: update Go version to 1.25.7 to address CVE-2025-68121

[WSandboxedOCCodeBot]

Summary

This updates the Go version from 1.25.6 to 1.25.7 to fix the following critical vulnerability:

CRITICAL:

• CVE-2025-68121: crypto/tls: Unexpected session resumption in crypto/tls

This also fixes additional vulnerabilities in golang.org/x/crypto and golang.org/x/oauth2 dependencies.

Vulnerability Scan Results

Trivy scan of registry.k8s.io/metrics-server/metrics-server:v0.7.0 found vulnerabilities that are fixed by updating to Go 1.25.7.

Testing

• go mod tidy completed successfully
• No breaking changes - only Go version bump

Signed-off-by: WSandboxedOCCodeBot bot@openclaw.dev

[linux-foundation-easycla]

• ❌ The email address for the commit (3933de0) is not linked to the GitHub account, preventing the EasyCLA check. Consult this Help Article and GitHub Help to resolve. (To view the commit's email address, add .patch at the end of this PR page's URL.) For further assistance with EasyCLA, please submit a support request ticket.

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: WSandboxedOCCodeBot
Once this PR has been reviewed and has the lgtm label, please assign dgrisonnet for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[k8s-ci-robot]

This issue is currently awaiting triage.

If metrics-server contributors determine this is a relevant issue, they will accept it by applying the triage/accepted label and provide further guidance.

The triage/accepted label can be added by org members by writing /triage accepted in a comment.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[k8s-ci-robot]

Hi @WSandboxedOCCodeBot. Thanks for your PR.

I'm waiting for a kubernetes-sigs member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[RainbowMango]

/ok-to-test

[RainbowMango]

@WSandboxedOCCodeBot You might need to sign the CLA to make the check happy.

[k8s-ci-robot]

@WSandboxedOCCodeBot: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
pull-metrics-server-test-version	3933de0	link	true	/test pull-metrics-server-test-version
pull-metrics-server-test-e2e-ha	3933de0	link	false	/test pull-metrics-server-test-e2e-ha
pull-metrics-server-test-e2e	3933de0	link	true	/test pull-metrics-server-test-e2e
pull-metrics-server-test-e2e-helm	3933de0	link	true	/test pull-metrics-server-test-e2e-helm

Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.