this preps us for some other upgrades
PR Summary: Low Risk
Reviewed by Cursor Bugbot for commit 043c865.
go 1.25.9
🔴 The packages/nomad-nodepool-apm/Dockerfile was not updated in this PR and still uses the floating tag FROM golang:1.25-alpine instead of a pinned ARG GOLANG_VERSION=1.25.9 like all other Dockerfiles. This means the Docker build for this package could silently use a different Go patch version than the go 1.25.9 declared in its go.mod, undermining the version consistency this PR is intended to establish.
Extended reasoning...
What the bug is: This PR bumps Go from 1.25.4 to 1.25.9 across the entire monorepo. Every package's go.mod was updated, and every Dockerfile that builds a Go binary was updated to use ARG GOLANG_VERSION=1.25.9 with a pinned patch version — except packages/nomad-nodepool-apm/Dockerfile, which retains the hardcoded floating tag FROM golang:1.25-alpine AS builder (no patch version specified).
The specific code path that triggers it: When a CI/CD pipeline or developer runs docker build for the nomad-nodepool-apm package, Docker will resolve golang:1.25-alpine to whatever the latest 1.25.x patch is at the time of the build. If Go 1.25.10 (or any later 1.25.x patch) is released after this PR merges, subsequent builds of this package will silently use a different Go version than what go.mod declares.
Why existing code doesn't prevent it: The golang:1.25-alpine tag is a mutable floating tag on Docker Hub — it is periodically updated to point to the latest 1.25.x release. Unlike the pinned golang:1.25.9-alpine3.22 images used by all other Dockerfiles in this repo, it offers no reproducibility guarantee. The go.mod directive go 1.25.9 only governs the language feature set and toolchain minimum requirement; it does not force Docker to pull a specific image version.
What the impact would be: The whole purpose of this PR is to pin everything to Go 1.25.9 consistently. After a future patch release, nomad-nodepool-apm builds would diverge silently — the binary would be compiled with a different Go toolchain than all other services. This breaks reproducibility, makes debugging toolchain-specific issues harder, and contradicts the stated goal of the PR.
Step-by-step proof:
- This PR updates packages/nomad-nodepool-apm/go.mod line 3 from go 1.25.4 → go 1.25.9. ✓ (visible in the diff)
- packages/nomad-nodepool-apm/Dockerfile is not listed in the PR's changed files. The file retains FROM golang:1.25-alpine AS builder.
- Compare to e.g. packages/api/Dockerfile (in the diff): ARG GOLANG_VERSION=1.25.9 / FROM golang:${GOLANG_VERSION}-alpine${ALPINE_VERSION} AS builder — pinned.
- Same pattern for all 7 other service Dockerfiles updated in this PR: api, clickhouse, client-proxy, dashboard-api, db, docker-reverse-proxy, orchestrator.
- When Go 1.25.10 ships, docker pull golang:1.25-alpine will resolve to 1.25.10 while all other services resolve to the pinned 1.25.9 image.
How to fix it: Update packages/nomad-nodepool-apm/Dockerfile to follow the same pattern as the other Dockerfiles:
-FROM golang:1.25-alpine AS builder
+ARG GOLANG_VERSION=1.25.9
+ARG ALPINE_VERSION=3.22
+FROM golang:${GOLANG_VERSION}-alpine${ALPINE_VERSION} AS builder
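Review bot: the added FROM line still resolves a tag at build time, and a version tag such as 1.25.9-alpine3.22 can be re-pushed on Docker Hub when the image is rebuilt, so this pin fixes the Go patch version but not the image contents. If reproducibility is the goal, append the image digest to the reference, for example `FROM golang:${GOLANG_VERSION}-alpine${ALPINE_VERSION}@sha256:<digest> AS builder`, and update the digest together with the version on each bump. Both ARG defaults can also be overridden with --build-arg, so the build pipeline should not pass a different GOLANG_VERSION than the one in go.mod.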
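A CI-style check for the drift described in the review comment above, as an added example that is not part of this PR or the repository's code. The function name `CheckPin` and the sample module path are assumptions; it resolves `ARG` defaults into the `golang:` image tag and compares the result with the `go` directive in go.mod.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

var (
	goDirective = regexp.MustCompile(`(?m)^go\s+(\d+\.\d+\.\d+)\s*$`)
	argLine     = regexp.MustCompile(`(?m)^ARG\s+(\w+)=(\S+)`)
	fromGolang  = regexp.MustCompile(`(?m)^FROM\s+golang:(\S+)`)
	varRef      = regexp.MustCompile(`\$\{(\w+)\}`)
	leadingVer  = regexp.MustCompile(`^\d+(\.\d+)*`)
)

// CheckPin returns "" when the Dockerfile's golang base image is pinned to
// the exact version in go.mod's go directive, otherwise a finding string.
func CheckPin(goMod, dockerfile string) string {
	m := goDirective.FindStringSubmatch(goMod)
	if m == nil {
		return "go.mod: no full go directive"
	}
	loc := fromGolang.FindStringSubmatchIndex(dockerfile)
	if loc == nil {
		return "Dockerfile: no golang base image"
	}
	// Collect ARG defaults above the golang FROM (assumes it is the first stage).
	args := map[string]string{}
	for _, a := range argLine.FindAllStringSubmatch(dockerfile[:loc[0]], -1) {
		args[a[1]] = a[2]
	}
	tag := varRef.ReplaceAllStringFunc(dockerfile[loc[2]:loc[3]], func(ref string) string {
		return args[strings.Trim(ref, "${}")]
	})
	got := leadingVer.FindString(tag)
	switch {
	case strings.Count(got, ".") < 2: // e.g. "1.25" or "latest": no patch version
		return fmt.Sprintf("floating tag golang:%s, go.mod wants %s", tag, m[1])
	case got != m[1]:
		return fmt.Sprintf("image pins %s, go.mod wants %s", got, m[1])
	}
	return ""
}

func main() {
	goMod := "module example.test/apm\n\ngo 1.25.9\n" // constructed sample
	fmt.Printf("%q\n", CheckPin(goMod, "FROM golang:1.25-alpine AS builder\n"))
}
```

Run over every directory that has both a go.mod and a Dockerfile, a non-empty result is a reason to fail the build.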