Bump cockroachdb/swiss for Go 1.26 compatibility #8494

Open
dom-nie wants to merge 2 commits into onflow:master from dom-nie:dom-nie/8493-bump-cockroachdb-swiss-go126

@dom-nie dom-nie commented Mar 18, 2026

Closes: #8493

Summary

  • Bumps cockroachdb/swiss from v0.0.0-20250624142022-d6e517c1d961 to v0.0.0-20251224182025-b0f6560f979b across all three modules (root, insecure, integration)
  • The old version uses //go:linkname to access Go runtime internals (hashFn, getRuntimeHasher, fastrand64) that were removed in Go 1.26, causing build failures
  • The new version includes cockroachdb/swiss#50 which adds Go 1.26 support

Summary by CodeRabbit

  • Chores
    • Updated an internal dependency across build modules to a newer patch release. No public APIs or user-facing behavior changed.

@dom-nie dom-nie requested a review from a team as a code owner March 18, 2026 05:32

coderabbitai bot commented Mar 18, 2026

Walkthrough

Bumped the indirect dependency github.com/cockroachdb/swiss from v0.0.0-20250624142022-d6e517c1d961 to v0.0.0-20251224182025-b0f6560f979b in three go.mod files to address Go 1.26 compatibility issues.

Changes

Cohort / File(s) | Summary
Dependency Updates: go.mod, insecure/go.mod, integration/go.mod | Updated indirect requirement github.com/cockroachdb/swiss -> v0.0.0-20251224182025-b0f6560f979b (commit b0f6560f). No other code, API, or module directives changed.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Suggested reviewers

  • jordanschalm
  • tarakby

Poem

🐰 I hopped through modules, quick and keen,
Switched Swiss to keep the build routine.
Go 1.26 now hums along,
No broken links — a happy song.

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name | Status | Explanation
Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled.
Title check | ✅ Passed | The title accurately reflects the main change: bumping the cockroachdb/swiss dependency for Go 1.26 compatibility.
Linked Issues check | ✅ Passed | The PR successfully addresses issue #8493 by updating cockroachdb/swiss to the version that includes Go 1.26 support.
Out of Scope Changes check | ✅ Passed | All changes are scoped to updating the cockroachdb/swiss dependency across three go.mod files; no unrelated modifications present.
Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.


@coderabbitai coderabbitai bot left a comment

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
insecure/go.mod (1)

312-312: ⚠️ Potential issue | 🟠 Major

Bump go.opentelemetry.io/otel/sdk to v1.40.0 to address HIGH severity PATH hijacking vulnerability (GO-2026-4394/GHSA-9h8m-3fm2-qjrq).

Version v1.39.0 remains vulnerable to this code execution risk. Patched version v1.40.0 is available.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@insecure/go.mod` at line 312, Update the vulnerable dependency
go.opentelemetry.io/otel/sdk from v1.39.0 to the patched v1.40.0 in the go.mod
entry for go.opentelemetry.io/otel/sdk; after updating the version string, run
go get go.opentelemetry.io/otel/sdk@v1.40.0 (or go get ./... as appropriate) and
then go mod tidy to reconcile go.sum and ensure the new version is recorded and
vendored if used. Ensure the module line referencing
go.opentelemetry.io/otel/sdk is the only change and verify builds/tests pass.

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: d90c90e1-1fef-471e-804a-31a234170a1e

📥 Commits

Reviewing files that changed from the base of the PR and between dee4396 and 3f46f12.

⛔ Files ignored due to path filters (3)
  • go.sum is excluded by !**/*.sum
  • insecure/go.sum is excluded by !**/*.sum
  • integration/go.sum is excluded by !**/*.sum
📒 Files selected for processing (3)
  • go.mod
  • insecure/go.mod
  • integration/go.mod

@dom-nie dom-nie force-pushed the dom-nie/8493-bump-cockroachdb-swiss-go126 branch from 3f46f12 to f8990db Compare March 18, 2026 06:09

@coderabbitai coderabbitai bot left a comment

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
insecure/go.mod (1)

312-312: ⚠️ Potential issue | 🟠 Major

Upgrade OpenTelemetry SDK to patch PATH hijacking vulnerability.

The dependency go.opentelemetry.io/otel/sdk v1.39.0 contains a HIGH severity vulnerability (GHSA-9h8m-3fm2-qjrq / CVE-2026-24051) in the resource detection code that allows arbitrary code execution via PATH hijacking on macOS/Darwin systems. Upgrade to v1.40.0 or later to resolve.

While unrelated to this PR's changes, this is a separate security issue that should be addressed.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@insecure/go.mod` at line 312, The go.opentelemetry.io/otel/sdk dependency
pinned to v1.39.0 is vulnerable; update the module requirement to v1.40.0 or
later (replace the line referencing go.opentelemetry.io/otel/sdk v1.39.0 in
go.mod), then run the Go tooling (e.g., go get
go.opentelemetry.io/otel/sdk@v1.40.0 and go mod tidy) to refresh go.sum and
ensure the updated version is vendored/locked across the build; verify no other
constraints pin the older version.

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 2a75638b-06d5-4968-a3c8-b7ba0e4aa6c0

📥 Commits

Reviewing files that changed from the base of the PR and between f8990db and 42dbfca.

⛔ Files ignored due to path filters (3)
  • go.sum is excluded by !**/*.sum
  • insecure/go.sum is excluded by !**/*.sum
  • integration/go.sum is excluded by !**/*.sum
📒 Files selected for processing (3)
  • go.mod
  • insecure/go.mod
  • integration/go.mod
✅ Files skipped from review due to trivial changes (1)
  • integration/go.mod
🚧 Files skipped from review as they are similar to previous changes (1)
  • go.mod
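
A check for the situation discussed in this thread, as an added example that is not part of the pull request or the onflow code base: it scans go.mod text from several modules and reports every pin older than a required minimum, so a bump missed in one module (or an unrelated vulnerable pin such as the otel/sdk one flagged above) shows up. The go.mod fragments are constructed, the stale swiss pin in integration/go.mod is hypothetical, the names `minimums`, `sampleMods`, `sortKey` and `belowMinimum` are chosen here, and the comparison handles only the vX.Y.Z and vX.Y.Z-TIMESTAMP-HASH forms that appear on this page.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Minimum versions named in the thread above.
var minimums = map[string]string{
	"github.com/cockroachdb/swiss": "v0.0.0-20251224182025-b0f6560f979b",
	"go.opentelemetry.io/otel/sdk": "v1.40.0",
}

// Constructed go.mod fragments, not the repository's real files.
var sampleMods = map[string]string{
	"go.mod":             "require github.com/cockroachdb/swiss v0.0.0-20251224182025-b0f6560f979b // indirect\n",
	"insecure/go.mod":    "require (\n\tgithub.com/cockroachdb/swiss v0.0.0-20251224182025-b0f6560f979b // indirect\n\tgo.opentelemetry.io/otel/sdk v1.39.0 // indirect\n)\n",
	"integration/go.mod": "require (\n\tgithub.com/cockroachdb/swiss v0.0.0-20250624142022-d6e517c1d961 // indirect\n)\n",
}

// sortKey maps a version to a string whose byte order follows version order.
func sortKey(v string) string {
	var x, y, z int
	if _, err := fmt.Sscanf(v, "v%d.%d.%d", &x, &y, &z); err != nil {
		return "" // unparseable sorts lowest, so it is reported rather than skipped
	}
	// Appending "-~" gives a plain release the suffix "~", which sorts after any timestamp.
	_, pre, _ := strings.Cut(v+"-~", "-")
	return fmt.Sprintf("%06d.%06d.%06d-%s", x, y, z, pre)
}

// belowMinimum lists "file: module version" for each pin older than its minimum.
func belowMinimum(mods, mins map[string]string) []string {
	var out []string
	for file, body := range mods {
		for _, line := range strings.Split(body, "\n") {
			f := strings.Fields(strings.TrimPrefix(strings.TrimSpace(line), "require "))
			if len(f) >= 2 && mins[f[0]] != "" && sortKey(f[1]) < sortKey(mins[f[0]]) {
				out = append(out, file+": "+f[0]+" "+f[1])
			}
		}
	}
	sort.Strings(out)
	return out
}

func main() { fmt.Println(strings.Join(belowMinimum(sampleMods, minimums), "\n")) }
```

A go.mod line is a requirement, not necessarily the version the build selects; `go list -m all` prints the selected versions.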

Successfully merging this pull request may close these issues.

Build fails on Go 1.26 due to cockroachdb/swiss using go:linkname for removed runtime internals
