Fix govulncheck failures (9 CVEs in Go dependencies)

[mohammedfirdouss]

PR #6435 adds govulncheck CI. It correctly detects these pre-existing vulnerabilities:

• GO-2025-4007, GO-2025-4008, GO-2025-4009, GO-2025-4010, GO-2025-4011
• GO-2025-4012, GO-2025-4013, GO-2025-4155, GO-2026-4603
  16 vulnerabilities from Go stdlib + 1 module affect code paths.

Failing modules

• ./tool/actions-plan-preview
• ./tool/actions-gh-release
• ./pkg/app/pipedv1/plugin/* (multiple)
• Root module (.)

Main failures:

• https://github.com/pipe-cd/pipecd/actions/runs/23225026408/job/67505807200 — govulncheck (.)
• https://github.com/pipe-cd/pipecd/actions/runs/23225026408/job/67505807194 — govulncheck
  (./pkg/app/pipedv1/plugin/kubernetes)
• https://github.com/pipe-cd/pipecd/actions/runs/23225026408/job/67505807219 — govulncheck (./tool/actions-plan-preview)

Full workflow run: https://github.com/pipe-cd/pipecd/actions/runs/23225026408

Fix approach

• Update Go version (if stdlib-related)
• Run go get -u on affected deps
• Re-run govulncheck ./... locally
• Confirm all pass before merge

cc @Warashi @khanhtc1202

[Warashi]

Hi, @mohammedfirdouss
I assigned you to this issue because you are actually trying this.

[mohammedfirdouss]

Hi, @mohammedfirdouss
I assigned you to this issue because you are actually trying this.

Yes @Warashi I had to work on the issues with the multi cluster plugin, so I had to push this forward. Thank you for the reminder. Would work on the updates soon.