Stop supporting 3 releases of Go

[dfawley]

Per https://go.dev/doc/modules/gomod-ref#go-notes:

• At go 1.21 or higher:
  • The go line declares a required minimum version of Go to use with this module.

Because of this, any time we update our dependencies, if any of them requires Go 1.21, we either have to not update those packages (which may represent a security risk), or we cannot support Go 1.20 any longer.

I believe we need to change our support policy to only cover the last two releases of Go, which is what the Go team maintains, itself:

https://go.dev/doc/devel/release#policy

Each major Go release is supported until there are two newer major releases.

[dfawley]

If we make this change, it should not affect our strategy of updating the go directive in our go.mod files(s): we should only bump it when we require a language feature of a newer version, or if required by one of our dependencies.

[dfawley]

With no comments in this issue in 1 week, we will go forward with this plan.

[perezd]

isn't this out of compliance with GCP's Go version support policy? https://cloud.google.com/go/getting-started/supported-go-versions

From my read that is 3 supported versions, no?

[dfawley]

I'm not sure how they intend to do this, as Go's version support policy is effectively trickle-down with the recent go.mod tooling changes -- if any dependency demands it, you must upgrade your minimum supported version.

If a dependency only supports a newer version, and you don't want to upgrade, you can pin to an older release of theirs. But if they then have a CVE and address it in a newer version, then you are in a very tough position -- drop support for the older version or not address the CVE.

cc @codyoss we should probably chat about this some time?