
build(deps): Bump github.com/oasisprotocol/oasis-core/go from 0.2509.0 to 0.2600.0 #1283

Open: dependabot[bot] wants to merge 1 commit into v1.6-dev from dependabot/go_modules/github.com/oasisprotocol/oasis-core/go-0.2600.0

dependabot bot commented on behalf of github Mar 17, 2026

Bumps github.com/oasisprotocol/oasis-core/go from 0.2509.0 to 0.2600.0.

Commits
  • 76002fa Merge pull request #6473 from oasisprotocol/peternose/feature/changelog-26.0
  • 546f914 changelog: Assemble changes for 26.0 release
  • 5a56a5d Merge pull request #6208 from oasisprotocol/peternose/internal/remove-get-sig...
  • 10ba8cc go/consensus/api: Remove GetSignerNonce
  • 923c916 Merge pull request #6468 from oasisprotocol/peternose/bugfix/skip-km-committe...
  • 450646e ci: Make coverage nonfatal
  • 32d0841 go/consensus/cometbft/apps/scheduler: Skip key manager runtimes
  • f1ef5c2 Merge pull request #6469 from oasisprotocol/peternose/bugfix/pcesvn
  • 373d3f9 go: Extend ignore rule for CVE-2026-26014
  • d1a4edd go/common/sgx/pcs/tcb: Fix pcesvn validation
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

dependabot bot added the "dependencies" label (Pull requests that update a dependency file) Mar 17, 2026

lklimek commented Mar 18, 2026

Dependency Review: oasis-core/go 0.2509.0 -> 0.2600.0

Summary

This is a major version bump (v0.2509 to v0.2600) of github.com/oasisprotocol/oasis-core/go. All CI checks except check-mocks and check-proto are failing. This PR requires manual intervention and cannot be merged as-is.

Root Cause of CI Failures

The new oasis-core/go v0.2600.0 declares go 1.26.0 in its own go.mod. When dependabot updated go.sum, Go's module resolution also bumped the go directive in tenderdash's go.mod from 1.25.7 to 1.26.0. This single change is the root cause of every CI failure:

| Check | Status | Cause |
| --- | --- | --- |
| Build | FAILURE | go.mod requires Go 1.26.0, CI installs Go 1.25.7 |
| golangci-lint | FAILURE | the Go language version (go1.25) used to build golangci-lint is lower than the targeted Go version (1.26.0) |
| tests (00-05) | FAILURE | Cannot compile with Go 1.25.7 when go.mod targets 1.26.0 |
| e2e | FAILURE/CANCELLED | Build prerequisite failed |

Impact Assessment

Go toolchain upgrade (Go 1.25 -> 1.26): This is not just a library bump -- it forces a Go compiler version upgrade across the entire project. This requires:

  1. Updating CI workflows (actions/setup-go version) to use Go 1.26.x
  2. Verifying golangci-lint compatibility with Go 1.26
  3. Verifying all other tooling (protobuf generators, mock generators, etc.)
  4. Developer environment updates

API surface: Tenderdash uses three packages from oasis-core:

  • go/common/crypto/sakg (BIP32 path derivation)
  • go/common/crypto/signature (Signer, UnsafeSigner interfaces)
  • go/common/crypto/slip10 (SLIP-10 key derivation)

The oasis-core v0.2600.0 release includes a notable commit: go/consensus/api: Remove GetSignerNonce -- this indicates breaking API removals are happening in this release. While the specific packages tenderdash uses may be unaffected, we cannot verify this until the Go version issue is resolved.

Recommendation

Do not merge. This PR needs manual handling:

  1. Option A (preferred): Ignore this major version for now (@dependabot ignore this major version) and plan the Go 1.26 + oasis-core v0.2600 upgrade as a deliberate effort in a separate branch.
  2. Option B: If the upgrade is desired, create a manual PR that:
    • Bumps oasis-core to v0.2600.0
    • Updates CI to use Go 1.26.x
    • Updates golangci-lint to a Go 1.26-compatible version
    • Verifies no breaking API changes in the three crypto packages used
    • Runs full CI green

Severity: HIGH

A Go toolchain version bump bundled silently into a library update is high-risk. Merging this would break the build for every developer on Go 1.25.x.

🤖 Co-authored by Claudius the Magnificent AI Agent
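
The root cause named in the review above (a dependency bump that also raises the `go` directive past the toolchain CI installs) can be caught before the build runs. The following is an added example, not code from this PR or from the tenderdash or oasis-core projects; the function names, the `example.com/app` module path and the idea of passing the CI Go version as a parameter are assumptions, and the go.mod contents are constructed from the versions quoted in the review.

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed go.mod contents; the module path is a placeholder.
const (
	before = "module example.com/app\n\ngo 1.25.7\n\nrequire github.com/oasisprotocol/oasis-core/go v0.2509.0\n"
	after  = "module example.com/app\n\ngo 1.26.0\n\nrequire github.com/oasisprotocol/oasis-core/go v0.2600.0\n"
)

// goDirective returns the version on the go.mod `go` line, or "" if there is none.
func goDirective(gomod string) string {
	for _, line := range strings.Split(gomod, "\n") {
		if f := strings.Fields(line); len(f) >= 2 && f[0] == "go" {
			return f[1]
		}
	}
	return ""
}

// rank maps a release version such as "1.25.7" to a sortable integer; missing parts count as 0.
func rank(v string) int {
	var major, minor, patch int
	fmt.Sscanf(v, "%d.%d.%d", &major, &minor, &patch)
	return major*1_000_000 + minor*1_000 + patch
}

// checkBump flags an update that raises the go directive or outruns the CI toolchain (ciGo).
func checkBump(oldMod, newMod, ciGo string) []string {
	var out []string
	oldV, newV := goDirective(oldMod), goDirective(newMod)
	if rank(newV) > rank(oldV) {
		out = append(out, fmt.Sprintf("go directive raised %s -> %s", oldV, newV))
	}
	if rank(newV) > rank(ciGo) {
		out = append(out, fmt.Sprintf("go.mod requires Go %s, CI installs Go %s", newV, ciGo))
	}
	return out
}

func main() {
	for _, finding := range checkBump(before, after, "1.25.7") {
		fmt.Println("FAIL:", finding)
	}
}
```

Only release versions of the form `major.minor.patch` are handled; pre-release suffixes such as `rc1` are outside what this sketch compares.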


lklimek commented Mar 18, 2026

@dependabot rebase

Bumps [github.com/oasisprotocol/oasis-core/go](https://github.com/oasisprotocol/oasis-core) from 0.2509.0 to 0.2600.0.
- [Release notes](https://github.com/oasisprotocol/oasis-core/releases)
- [Changelog](https://github.com/oasisprotocol/oasis-core/blob/master/CHANGELOG.md)
- [Commits](oasisprotocol/oasis-core@go/v0.2509.0...go/v0.2600.0)

---
updated-dependencies:
- dependency-name: github.com/oasisprotocol/oasis-core/go
  dependency-version: 0.2600.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>

dependabot bot force-pushed the dependabot/go_modules/github.com/oasisprotocol/oasis-core/go-0.2600.0 branch from 449ad7e to d13af64, March 18, 2026 06:19