Upgrade and don't pin go infra images

eng/pipeline/pr-outerloop-pipeline.yml

@@ -24,13 +24,13 @@ variables:
 resources:
   containers:
     - container: ubuntu2204
-      image: mcr.microsoft.com/microsoft-go/infra-images:ubuntu-22.04-amd64-default-20241026145220-02e8663
+      image: mcr.microsoft.com/microsoft-go/infra-images:ubuntu-22.04-amd64-default
     - container: mariner2
-      image: mcr.microsoft.com/microsoft-go/infra-images:cbl-mariner-2.0-amd64-default-20241029143752-6049f85
+      image: mcr.microsoft.com/microsoft-go/infra-images:cbl-mariner-2.0-amd64-default
     - container: mariner2arm64
-      image: mcr.microsoft.com/microsoft-go/infra-images:cbl-mariner-2.0-arm64-default-20241029143304-6049f85
+      image: mcr.microsoft.com/microsoft-go/infra-images:cbl-mariner-2.0-arm64-default
     - container: azurelinux3
-      image: mcr.microsoft.com/microsoft-go/infra-images:azurelinux-3.0-amd64-default-20241210101540-a3a1203
+      image: mcr.microsoft.com/microsoft-go/infra-images:azurelinux-3.0-amd64-default
 
 stages:
   - template: stages/go-builder-matrix-stages.yml

eng/pipeline/pr-pipeline.yml

@@ -21,13 +21,13 @@ resources:
     # (container: ... image: ...) is not the same as the one 1ES PT uses, so updating these requires
     # separate changes.
     - container: ubuntu2204
-      image: mcr.microsoft.com/microsoft-go/infra-images:ubuntu-22.04-amd64-default-20241026145220-02e8663
+      image: mcr.microsoft.com/microsoft-go/infra-images:ubuntu-22.04-amd64-default
     - container: mariner2
-      image: mcr.microsoft.com/microsoft-go/infra-images:cbl-mariner-2.0-amd64-default-20241029143752-6049f85
+      image: mcr.microsoft.com/microsoft-go/infra-images:cbl-mariner-2.0-amd64-default
     - container: mariner2arm64
-      image: mcr.microsoft.com/microsoft-go/infra-images:cbl-mariner-2.0-arm64-default-20241029143304-6049f85
+      image: mcr.microsoft.com/microsoft-go/infra-images:cbl-mariner-2.0-arm64-default
     - container: azurelinux3
-      image: mcr.microsoft.com/microsoft-go/infra-images:azurelinux-3.0-amd64-default-20241210101540-a3a1203
+      image: mcr.microsoft.com/microsoft-go/infra-images:azurelinux-3.0-amd64-default
 
 stages:
   - template: stages/go-builder-matrix-stages.yml

eng/pipeline/rolling-innerloop-pipeline.yml

@@ -44,13 +44,13 @@ extends:
         suppressionFile: $(Build.SourcesDirectory)/.config/guardian/.gdnsuppress
     containers:
       ubuntu2204:
-        image: mcr.microsoft.com/microsoft-go/infra-images:ubuntu-22.04-amd64-default-20241026145220-02e8663
+        image: mcr.microsoft.com/microsoft-go/infra-images:ubuntu-22.04-amd64-default
       mariner2:
-        image: mcr.microsoft.com/microsoft-go/infra-images:cbl-mariner-2.0-amd64-default-20241029143752-6049f85
+        image: mcr.microsoft.com/microsoft-go/infra-images:cbl-mariner-2.0-amd64-default
       mariner2arm64:
-        image: mcr.microsoft.com/microsoft-go/infra-images:cbl-mariner-2.0-arm64-default-20241029143304-6049f85
+        image: mcr.microsoft.com/microsoft-go/infra-images:cbl-mariner-2.0-arm64-default
       azurelinux3:
-        image: mcr.microsoft.com/microsoft-go/infra-images:azurelinux-3.0-amd64-default-20241210101540-a3a1203
+        image: mcr.microsoft.com/microsoft-go/infra-images:azurelinux-3.0-amd64-default
 
     stages:
       - template: stages/go-builder-matrix-stages.yml

eng/pipeline/rolling-pipeline.yml

@@ -37,13 +37,13 @@ extends:
         suppressionFile: $(Build.SourcesDirectory)/.config/guardian/.gdnsuppress
     containers:
       ubuntu2204:
-        image: mcr.microsoft.com/microsoft-go/infra-images:ubuntu-22.04-amd64-default-20241026145220-02e8663
+        image: mcr.microsoft.com/microsoft-go/infra-images:ubuntu-22.04-amd64-default
       mariner2:
-        image: mcr.microsoft.com/microsoft-go/infra-images:cbl-mariner-2.0-amd64-default-20241029143752-6049f85
+        image: mcr.microsoft.com/microsoft-go/infra-images:cbl-mariner-2.0-amd64-default
       mariner2arm64:
-        image: mcr.microsoft.com/microsoft-go/infra-images:cbl-mariner-2.0-arm64-default-20241029143304-6049f85
+        image: mcr.microsoft.com/microsoft-go/infra-images:cbl-mariner-2.0-arm64-default
       azurelinux3:
-        image: mcr.microsoft.com/microsoft-go/infra-images:azurelinux-3.0-amd64-default-20241210101540-a3a1203
+        image: mcr.microsoft.com/microsoft-go/infra-images:azurelinux-3.0-amd64-default
 
     stages:
       - template: stages/go-builder-matrix-stages.yml

patches/0001-Vendor-external-dependencies.patch

@@ -126,7 +126,7 @@ Use a 'go' that was recently built by the current branch to ensure stable result
  .../openssl/v2/internal/ossl/zossl.go         |   67 +
  .../openssl/v2/internal/ossl/zossl.h          |  363 +++
  .../openssl/v2/internal/ossl/zossl_cgo.go     | 1368 ++++++++++
- .../v2/internal/ossl/zossl_cgo_go124.go       |   41 +
+ .../v2/internal/ossl/zossl_cgo_go124.go       |   45 +
  .../openssl/v2/internal/ossl/zossl_nocgo.go   | 2390 +++++++++++++++++
  .../golang-fips/openssl/v2/mlkem.go           |  371 +++
  .../golang-fips/openssl/v2/openssl.go         |  253 ++
@@ -143,7 +143,7 @@ Use a 'go' that was recently built by the current branch to ensure stable result
  .../golang-fips/openssl/v2/params.go          |  184 ++
  .../golang-fips/openssl/v2/pbkdf2.go          |   54 +
  .../golang-fips/openssl/v2/provideropenssl.go |  239 ++
- .../openssl/v2/providersymcrypt.go            |  338 +++
+ .../openssl/v2/providersymcrypt.go            |  330 +++
  .../github.com/golang-fips/openssl/v2/rand.go |   21 +
  .../github.com/golang-fips/openssl/v2/rc4.go  |   68 +
  .../github.com/golang-fips/openssl/v2/rsa.go  |  714 +++++
@@ -268,7 +268,7 @@ Use a 'go' that was recently built by the current branch to ensure stable result
  .../internal/subtle/aliasing.go               |   32 +
  .../internal/sysdll/sys_windows.go            |   55 +
  src/vendor/modules.txt                        |   23 +
- 260 files changed, 33278 insertions(+), 7 deletions(-)
+ 260 files changed, 33274 insertions(+), 7 deletions(-)
  create mode 100644 src/cmd/internal/telemetry/counter/deps_ignore.go
  create mode 100644 src/cmd/vendor/github.com/microsoft/go-infra/telemetry/LICENSE
  create mode 100644 src/cmd/vendor/github.com/microsoft/go-infra/telemetry/README.md
@@ -2195,7 +2195,7 @@ index 00000000000000..ae4055d2d71303
 +// that are used by the backend package. This allows to track
 +// their versions in a single patch file.
 diff --git a/src/go.mod b/src/go.mod
-index d6c515017a7009..c5ad7ca640eeb6 100644
+index d6c515017a7009..922ff660ba1a10 100644
 --- a/src/go.mod
 +++ b/src/go.mod
 @@ -11,3 +11,9 @@ require (
@@ -2204,17 +2204,17 @@ index d6c515017a7009..c5ad7ca640eeb6 100644
  )
 +
 +require (
-+	github.com/golang-fips/openssl/v2 v2.0.4-0.20260203103936-d61ccf20b60f
++	github.com/golang-fips/openssl/v2 v2.0.4-0.20260209104757-7aebba71e96c
 +	github.com/microsoft/go-crypto-darwin v0.0.3-0.20260130143703-78cb726ef357
 +	github.com/microsoft/go-crypto-winnative v0.0.0-20260127024749-832b168a84e9
 +)
 diff --git a/src/go.sum b/src/go.sum
-index 2223d2a7c231c1..641e90d4ca1db2 100644
+index 2223d2a7c231c1..7fa45836c2c67e 100644
 --- a/src/go.sum
 +++ b/src/go.sum
 @@ -1,3 +1,9 @@
-+github.com/golang-fips/openssl/v2 v2.0.4-0.20260203103936-d61ccf20b60f h1:1niOn99Euubk0wtGY3dJvgFQh0+KOG3eMtg4AkbjOlg=
-+github.com/golang-fips/openssl/v2 v2.0.4-0.20260203103936-d61ccf20b60f/go.mod h1:EtVnMfLGkB4pihGOH+tXEV0WlXxewWdT1n3GLJEHvpw=
++github.com/golang-fips/openssl/v2 v2.0.4-0.20260209104757-7aebba71e96c h1:p0QTwdjwbAVb2M+qYggEEeVLGW/lHYx623pr16NBHHQ=
++github.com/golang-fips/openssl/v2 v2.0.4-0.20260209104757-7aebba71e96c/go.mod h1:EtVnMfLGkB4pihGOH+tXEV0WlXxewWdT1n3GLJEHvpw=
 +github.com/microsoft/go-crypto-darwin v0.0.3-0.20260130143703-78cb726ef357 h1:ILqgGD8SGjjtSweSBanrXyX8Aco33yFSJEqsnJgmXHU=
 +github.com/microsoft/go-crypto-darwin v0.0.3-0.20260130143703-78cb726ef357/go.mod h1:MTii5PQwRlfUjYpGoF8CPLGwXSHTbLHGRN9FVNML5N0=
 +github.com/microsoft/go-crypto-winnative v0.0.0-20260127024749-832b168a84e9 h1:joliMChkkfHV3vAPKzu9kefdw0K+d89A8r9gTm3MFS4=
@@ -7969,12 +7969,12 @@ index 00000000000000..7927deb2785263
 +}
 diff --git a/src/vendor/github.com/golang-fips/openssl/v2/internal/fakecgo/fakecgo.lock b/src/vendor/github.com/golang-fips/openssl/v2/internal/fakecgo/fakecgo.lock
 new file mode 100644
-index 00000000000000..57250706a043f1
+index 00000000000000..0a5d657971cba1
 --- /dev/null
 +++ b/src/vendor/github.com/golang-fips/openssl/v2/internal/fakecgo/fakecgo.lock
 @@ -0,0 +1,3 @@
 +{
-+  "commit_hash": "49bede11a66085d4400e4a257e4c77c9604c791a"
++  "commit_hash": "071d22a94b4bc442118b3b0927274dd5ae4d7551"
 +}
 diff --git a/src/vendor/github.com/golang-fips/openssl/v2/internal/fakecgo/generate.go b/src/vendor/github.com/golang-fips/openssl/v2/internal/fakecgo/generate.go
 new file mode 100644
@@ -8929,14 +8929,14 @@ index 00000000000000..ddd01434d04cda
 +	RET
 diff --git a/src/vendor/github.com/golang-fips/openssl/v2/internal/fakecgo/trampolines_ppc64le.s b/src/vendor/github.com/golang-fips/openssl/v2/internal/fakecgo/trampolines_ppc64le.s
 new file mode 100644
-index 00000000000000..b9b5016a611382
+index 00000000000000..586ccaf91df1a4
 --- /dev/null
 +++ b/src/vendor/github.com/golang-fips/openssl/v2/internal/fakecgo/trampolines_ppc64le.s
 @@ -0,0 +1,227 @@
 +// SPDX-License-Identifier: Apache-2.0
-+// SPDX-FileCopyrightText: 2024 The Ebitengine Authors
++// SPDX-FileCopyrightText: 2026 The Ebitengine Authors
 +
-+//go:build !cgo && linux
++//go:build !cgo && (darwin || linux)
 +
 +#include "textflag.h"
 +#include "go_asm.h"
@@ -11375,7 +11375,7 @@ index 00000000000000..9d38464e9fb964
 +}
 diff --git a/src/vendor/github.com/golang-fips/openssl/v2/internal/ossl/shims.h b/src/vendor/github.com/golang-fips/openssl/v2/internal/ossl/shims.h
 new file mode 100644
-index 00000000000000..3ce5eb8435c9fd
+index 00000000000000..d926c6adf17dda
 --- /dev/null
 +++ b/src/vendor/github.com/golang-fips/openssl/v2/internal/ossl/shims.h
 @@ -0,0 +1,434 @@
@@ -11597,8 +11597,8 @@ index 00000000000000..3ce5eb8435c9fd
 +int EVP_MD_CTX_copy_ex(_EVP_MD_CTX_PTR out, const _EVP_MD_CTX_PTR in);
 +const _OSSL_PARAM_PTR EVP_MD_CTX_gettable_params(_EVP_MD_CTX_PTR ctx) __attribute__((tag("3")));
 +const _OSSL_PARAM_PTR EVP_MD_CTX_settable_params(_EVP_MD_CTX_PTR ctx) __attribute__((tag("3")));
-+int EVP_MD_CTX_get_params(_EVP_MD_CTX_PTR ctx, _OSSL_PARAM_PTR params) __attribute__((tag("3")));
-+int EVP_MD_CTX_set_params(_EVP_MD_CTX_PTR ctx, const _OSSL_PARAM_PTR params) __attribute__((tag("3")));
++int EVP_MD_CTX_get_params(_EVP_MD_CTX_PTR ctx, _OSSL_PARAM_PTR params) __attribute__((tag("3"),noescape,nocallback));
++int EVP_MD_CTX_set_params(_EVP_MD_CTX_PTR ctx, const _OSSL_PARAM_PTR params) __attribute__((tag("3"),noescape,nocallback));
 +int EVP_Digest(const void *data, size_t count, unsigned char *md, unsigned int *size, const _EVP_MD_PTR type, _ENGINE_PTR impl) __attribute__((noescape,nocallback,slice("data","count"),slice("md")));
 +int EVP_DigestInit_ex(_EVP_MD_CTX_PTR ctx, const _EVP_MD_PTR type, _ENGINE_PTR impl);
 +int EVP_DigestInit(_EVP_MD_CTX_PTR ctx, const _EVP_MD_PTR type);
@@ -15969,10 +15969,10 @@ index 00000000000000..059562f35df7b3
 +}
 diff --git a/src/vendor/github.com/golang-fips/openssl/v2/internal/ossl/zossl_cgo_go124.go b/src/vendor/github.com/golang-fips/openssl/v2/internal/ossl/zossl_cgo_go124.go
 new file mode 100644
-index 00000000000000..7ced663df8a562
+index 00000000000000..677ef1d157a670
 --- /dev/null
 +++ b/src/vendor/github.com/golang-fips/openssl/v2/internal/ossl/zossl_cgo_go124.go
-@@ -0,0 +1,41 @@
+@@ -0,0 +1,45 @@
 +// Code generated by mkcgo. DO NOT EDIT.
 +
 +//go:build go1.24 && !cmd_go_bootstrap
@@ -16004,6 +16004,10 @@ index 00000000000000..7ced663df8a562
 +#cgo nocallback _mkcgo_EVP_EncryptFinal_ex
 +#cgo noescape _mkcgo_EVP_EncryptUpdate
 +#cgo nocallback _mkcgo_EVP_EncryptUpdate
++#cgo noescape _mkcgo_EVP_MD_CTX_get_params
++#cgo nocallback _mkcgo_EVP_MD_CTX_get_params
++#cgo noescape _mkcgo_EVP_MD_CTX_set_params
++#cgo nocallback _mkcgo_EVP_MD_CTX_set_params
 +#cgo noescape _mkcgo_EVP_PKEY_derive
 +#cgo nocallback _mkcgo_EVP_PKEY_derive
 +#cgo noescape _mkcgo_EVP_PKEY_get_raw_private_key
@@ -20181,18 +20185,17 @@ index 00000000000000..e366c7a7a833fa
 +}
 diff --git a/src/vendor/github.com/golang-fips/openssl/v2/providersymcrypt.go b/src/vendor/github.com/golang-fips/openssl/v2/providersymcrypt.go
 new file mode 100644
-index 00000000000000..cc6e108e948727
+index 00000000000000..bdba34f1378e9c
 --- /dev/null
 +++ b/src/vendor/github.com/golang-fips/openssl/v2/providersymcrypt.go
-@@ -0,0 +1,338 @@
+@@ -0,0 +1,330 @@
 +//go:build !cmd_go_bootstrap
 +
 +package openssl
 +
 +import (
 +	"crypto"
 +	"errors"
-+	"runtime"
 +	"unsafe"
 +
 +	"github.com/golang-fips/openssl/v2/internal/ossl"
@@ -20380,9 +20383,6 @@ index 00000000000000..cc6e108e948727
 +func symCryptHashAppendBinary(ctx ossl.EVP_MD_CTX_PTR, ch crypto.Hash, magic string, buf []byte) ([]byte, error) {
 +	size, typ := symCryptHashStateInfo(ch)
 +	state := make([]byte, size, _SYMCRYPT_SHA512_STATE_EXPORT_SIZE) // 512 is the largest size
-+	var pinner runtime.Pinner
-+	pinner.Pin(&state[0])
-+	defer pinner.Unpin()
 +	params := [2]ossl.OSSL_PARAM{
 +		ossl.OSSL_PARAM_construct_octet_string(_SCOSSL_DIGEST_PARAM_STATE.ptr(), unsafe.Pointer(&state[0]), len(state)),
 +		ossl.OSSL_PARAM_construct_end(),
@@ -20458,10 +20458,6 @@ index 00000000000000..cc6e108e948727
 +		panic("unsupported hash " + ch.String())
 +	}
 +	var checksum int32 = 1
-+	var pinner runtime.Pinner
-+	pinner.Pin(blobPtr)
-+	pinner.Pin(&checksum)
-+	defer pinner.Unpin()
 +	params := [3]ossl.OSSL_PARAM{
 +		ossl.OSSL_PARAM_construct_octet_string(_SCOSSL_DIGEST_PARAM_STATE.ptr(), blobPtr, int(hdr.size)),
 +		ossl.OSSL_PARAM_construct_int32(_SCOSSL_DIGEST_PARAM_RECOMPUTE_CHECKSUM.ptr(), &checksum),
@@ -37426,11 +37422,11 @@ index 00000000000000..1722410e5af193
 +	return getSystemDirectory() + "\\" + dll
 +}
 diff --git a/src/vendor/modules.txt b/src/vendor/modules.txt
-index 48967bc9ee3bd2..e2d4b5953ee26a 100644
+index 48967bc9ee3bd2..a0d2092e08e8c4 100644
 --- a/src/vendor/modules.txt
 +++ b/src/vendor/modules.txt
 @@ -1,3 +1,26 @@
-+# github.com/golang-fips/openssl/v2 v2.0.4-0.20260203103936-d61ccf20b60f
++# github.com/golang-fips/openssl/v2 v2.0.4-0.20260209104757-7aebba71e96c
 +## explicit; go 1.24
 +github.com/golang-fips/openssl/v2
 +github.com/golang-fips/openssl/v2/bbig

patches/0014-skip-sanitizer-tests.patch

@@ -0,0 +1,36 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: bot-for-go[bot] <199222863+bot-for-go[bot]@users.noreply.github.com>
+Date: Fri, 13 Feb 2026 16:58:59 +0100
+Subject: [PATCH] skip sanitizer tests
+
+Skipping sanitizer tests until they are less flaky.
+See https://github.com/golang/go/issues/72996.
+---
+ src/cmd/cgo/internal/testsanitizers/asan_test.go | 1 +
+ src/cmd/cgo/internal/testsanitizers/lsan_test.go | 1 +
+ 2 files changed, 2 insertions(+)
+
+diff --git a/src/cmd/cgo/internal/testsanitizers/asan_test.go b/src/cmd/cgo/internal/testsanitizers/asan_test.go
+index cb7d857280416f..3c6aa4a324f7e7 100644
+--- a/src/cmd/cgo/internal/testsanitizers/asan_test.go
++++ b/src/cmd/cgo/internal/testsanitizers/asan_test.go
+@@ -144,6 +144,7 @@ func TestASANFuzz(t *testing.T) {
+ }
+
+ func mustHaveASAN(t *testing.T) *config {
++	t.Skip("skipping sanitizer tests until we have a better way to reliably test it in CI. See https://github.com/golang/go/issues/72996.")
+ 	testenv.MustHaveGoBuild(t)
+ 	testenv.MustHaveCGO(t)
+ 	goos, err := goEnv("GOOS")
+diff --git a/src/cmd/cgo/internal/testsanitizers/lsan_test.go b/src/cmd/cgo/internal/testsanitizers/lsan_test.go
+index 4dde3d20eca038..0e0ed2ffab8c3f 100644
+--- a/src/cmd/cgo/internal/testsanitizers/lsan_test.go
++++ b/src/cmd/cgo/internal/testsanitizers/lsan_test.go
+@@ -74,6 +74,7 @@ func TestLSAN(t *testing.T) {
+ }
+
+ func mustHaveLSAN(t *testing.T) *config {
++	t.Skip("skipping sanitizer tests until we have a better way to reliably test it in CI. See https://github.com/golang/go/issues/72996.")
+ 	testenv.MustHaveGoBuild(t)
+ 	testenv.MustHaveCGO(t)
+ 	goos, err := goEnv("GOOS")