Azure · bosesuneha · Jan 5, 2026 · Dec 19, 2025 · Dec 19, 2025 · Dec 19, 2025
diff --git a/.github/workflows/e2e-info.yml b/.github/workflows/e2e-info.yml
@@ -16,7 +16,7 @@ jobs:
       - name: Set up Go
         uses: actions/setup-go@4dc6199c7b1a012772edbd06daecab0f50c9053c # v6.1.0
         with:
-          go-version: '1.24'
+          go-version: '1.25'
       - name: make
         run: make
       - name: Validate JSON

diff --git a/.github/workflows/integration-json.yml b/.github/workflows/integration-json.yml
@@ -16,7 +16,7 @@ jobs:
       - name: Set up Go
         uses: actions/setup-go@4dc6199c7b1a012772edbd06daecab0f50c9053c # v6.1.0
         with:
-          go-version: '1.24'
+          go-version: '1.25'
       - name: make
         run: make
       - uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0

diff --git a/.github/workflows/integration-tests.yml b/.github/workflows/integration-tests.yml
@@ -13,7 +13,7 @@ jobs:
       - name: Set up Go
         uses: actions/setup-go@4dc6199c7b1a012772edbd06daecab0f50c9053c # v6.1.0
         with:
-          go-version: '1.24'
+          go-version: '1.25'
       - name: make
         run: make
       - uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
@@ -34,7 +34,7 @@ jobs:
       - name: Set up Go
         uses: actions/setup-go@4dc6199c7b1a012772edbd06daecab0f50c9053c # v6.1.0
         with:
-          go-version: '1.24'
+          go-version: '1.25'
       - name: make
         run: make
       - uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0

diff --git a/.github/workflows/release-and-publish.yml b/.github/workflows/release-and-publish.yml
@@ -38,7 +38,7 @@ jobs:
     - name: Set up Go
       uses: actions/setup-go@4dc6199c7b1a012772edbd06daecab0f50c9053c # v6.1.0
       with:
-        go-version: '1.24'
+        go-version: '1.25'
     # Check if the newest tag already exists
     - name: Check if tag exist
       uses: mukunku/tag-exists-action@5c39604fe8aef7e65acb6fbcf96ec580f7680313 # v1.7.0

diff --git a/.github/workflows/unit-tests.yml b/.github/workflows/unit-tests.yml
@@ -11,6 +11,6 @@ jobs:
       - name: Set up Go
         uses: actions/setup-go@4dc6199c7b1a012772edbd06daecab0f50c9053c # v6.1.0
         with:
-          go-version: '1.24'
+          go-version: '1.25'
       - name: make
         run: make run-unit-tests
diff --git a/Dockerfile b/Dockerfile
@@ -1,4 +1,4 @@
-FROM golang:1.24-alpine
+FROM golang:1.25-alpine
 
 WORKDIR /draft
 

diff --git a/go.mod b/go.mod
diff --git a/go.sum b/go.sum
diff --git a/pkg/safeguards/helpers.go b/pkg/safeguards/helpers.go
@@ -11,6 +11,7 @@ import (
 
 	"helm.sh/helm/v3/pkg/chartutil"
 
+	apiconstraints "github.com/open-policy-agent/frameworks/constraint/pkg/apis/constraints"
 	constraintclient "github.com/open-policy-agent/frameworks/constraint/pkg/client"
 	"github.com/open-policy-agent/frameworks/constraint/pkg/client/drivers/rego"
 	"github.com/open-policy-agent/frameworks/constraint/pkg/core/templates"
@@ -112,7 +113,11 @@ func getConstraintClient() (*constraintclient.Client, error) {
 		return nil, fmt.Errorf("could not create rego driver: %w", err)
 	}
 
-	c, err := constraintclient.NewClient(constraintclient.Targets(&target.K8sValidationTarget{}), constraintclient.Driver(driver))
+	c, err := constraintclient.NewClient(
+		constraintclient.Targets(&target.K8sValidationTarget{}),
+		constraintclient.Driver(driver),
+		constraintclient.EnforcementPoints(apiconstraints.WebhookEnforcementPoint),
+	)
 	if err != nil {
 		return nil, fmt.Errorf("could not create constraint client: %w", err)
 	}
@@ -140,6 +145,10 @@ func AddSafeguardCRIP() {
 
 // loads constraint templates, constraints into constraint client
 func loadConstraintTemplates(ctx context.Context, c *constraintclient.Client, constraintTemplates []*templates.ConstraintTemplate) error {
+	if c == nil {
+		return fmt.Errorf("constraint client is nil")
+	}
+
 	// AddTemplate adds the template source code to OPA and registers the CRD with the client for
 	// schema validation on calls to AddConstraint. On error, the responses return value
 	// will still be populated so that partial results can be analyzed.
@@ -154,6 +163,10 @@ func loadConstraintTemplates(ctx context.Context, c *constraintclient.Client, co
 }
 
 func loadConstraints(ctx context.Context, c *constraintclient.Client, constraints []*unstructured.Unstructured) error {
+	if c == nil {
+		return fmt.Errorf("constraint client is nil")
+	}
+
 	// AddConstraint validates the constraint and, if valid, inserts it into OPA.
 	// On error, the responses return value will still be populated so that
 	// partial results can be analyzed.
@@ -168,6 +181,10 @@ func loadConstraints(ctx context.Context, c *constraintclient.Client, constraint
 }
 
 func loadManifestObjects(ctx context.Context, c *constraintclient.Client, objects []*unstructured.Unstructured) error {
+	if c == nil {
+		return fmt.Errorf("constraint client is nil")
+	}
+
 	// AddData inserts the provided data into OPA for every target that can handle the data.
 	// On error, the responses return value will still be populated so that
 	// partial results can be analyzed.
@@ -198,6 +215,10 @@ func IsYAML(path string) bool {
 
 // getObjectViolations executes validation on manifests based on loaded constraint templates and returns a map of manifest name to list of objectViolations
 func getObjectViolations(ctx context.Context, c *constraintclient.Client, objects []*unstructured.Unstructured) (map[string][]string, error) {
+	if c == nil {
+		return nil, fmt.Errorf("constraint client is nil")
+	}
+
 	// Review makes sure the provided object satisfies all stored constraints.
 	// On error, the responses return value will still be populated so that
 	// partial results can be analyzed.