Use go.mod as single source of truth for Go version in CI

[czunker]

Read Go version from go.mod via go-version-file instead of .github/env, and bump Go from 1.25.1 to 1.25.8.

[mondoo-code-review]

CI now reads Go version from go.mod instead of a separate .github/env file, reducing version drift risk.

[github-actions]

Test Results

  1 files  ±0   36 suites  ±0   1m 28s ⏱️ +12s
647 tests ±0  646 ✅ ±0  1 💤 ±0  0 ❌ ±0 
648 runs  ±0  647 ✅ ±0  1 💤 ±0  0 ❌ ±0 

Results for commit 6160dcb. ± Comparison against base commit e5416be.

♻️ This comment has been updated with latest results.

[imilchev]

i think this will not do what we want it to do. go.mod is specifying the minimum go version required to build our binary. However, that doesn't mean we cannot use a newer version to build it.

If we pair these 2 it means we always need to update the go.mod version to latest possible Go complier, to use the latest compiler improvements in the toolchain. When we have 2 separate number, we can still make sure the server builds with older versions but use newer Go versions just for building in CI

[czunker]

I don't understand this part:

When we have 2 separate number, we can still make sure the server builds with older versions ...

What do we need the old versions for?

When we want the latest patch version, we could use: https://github.com/actions/setup-go/blob/main/docs/advanced-usage.md#check-latest-version

[imilchev]

we are importing this in other projects as well. Forcing the latest go version in the go.mod would mean anywhere where we import cnspec we will need to be updating the go version in the go.mod. As we have seen in the past that may not always be possible if other packages don't build with latest golang version

[czunker]

@imilchev Please have another look.
I changed how we use the version.