Stop bumping go directive unless necessitated by other dependencies #1899

@kaovilai

There is nothing necessitating this bump.


❯ go mod graph | grep go@1.23.4
github.com/sigstore/fulcio go@1.23.4
go@1.23.4 toolchain@go1.23.4

❯ go mod graph | grep go@1.23.| grep -v fulcio
chainguard.dev/go-grpc-kit@v0.17.7 go@1.23.1
chainguard.dev/sdk@v0.1.29 go@1.23.3
go@1.23.4 toolchain@go1.23.4

The minimum should be 1.23.3 without fulcio's own bump.

Stop the minimum virus :D

This repo by itself should not be enforcing a minimum on other repositories importing it. Stop spreading the "minimum virus".

toolchain version used will be defined outside of go.mod ideally, such as by installing a newer compatible go toolchain to ci/cd/development env.

Failing that, toolchain directive should be used instead of go directive for bumping versions to not cascade minimum versions to importing dependencies.

toolchain directive, in contrast to the go directive, applies only to the current module (the one defined by the go.mod file). It suggests the toolchain to be used when in that very module, and doesn't propagate to other modules.

High profile repos that have removed/reduced minimum go patch version per user requests

Being proactive to prevent the following from reoccurring

Originally posted by @kaovilai in eb1f9a3
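The check made by hand with `go mod graph | grep` in the issue above can be automated in CI. The following is an added example, not code from the issue or from the sigstore project: `Audit`, `goKey` and `sampleGraph` are hypothetical names, and the sample input is constructed from the `go mod graph` lines quoted in the issue.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// sampleGraph is constructed from the `go mod graph` lines quoted in the issue.
const sampleGraph = `github.com/sigstore/fulcio go@1.23.4
go@1.23.4 toolchain@go1.23.4
chainguard.dev/go-grpc-kit@v0.17.7 go@1.23.1
chainguard.dev/sdk@v0.1.29 go@1.23.3`

// goKey maps "1.23.4" to "001.023.004." so versions order as strings; "" for forms like "1.23rc1".
func goKey(v string) (key string) {
	for _, p := range strings.Split(v+".0.0", ".")[:3] {
		n, err := strconv.Atoi(p)
		if err != nil {
			return ""
		}
		key += fmt.Sprintf("%03d.", n)
	}
	return key
}

// Audit reads `go mod graph` output and returns the main module's own go
// directive (own), the highest go directive any dependency demands (needed),
// and the dependency that demands it (by).
func Audit(graph, mainModule string) (own, needed, by string) {
	var best string
	for _, line := range strings.Split(graph, "\n") {
		f := strings.Fields(line)
		if len(f) != 2 || !strings.HasPrefix(f[1], "go@") {
			continue // not a "<module> go@<version>" edge
		}
		ver := strings.TrimPrefix(f[1], "go@")
		switch key := goKey(ver); {
		case f[0] == mainModule: // the main module is listed without @version
			own = ver
		case key > best:
			best, needed, by = key, ver, f[0]
		}
	}
	return own, needed, by
}

func main() {
	own, needed, by := Audit(sampleGraph, "github.com/sigstore/fulcio")
	fmt.Printf("go.mod declares go %s; dependencies need go %s (%s)\n", own, needed, by)
}
```

A CI job can fail the build when `own` is higher than `needed`, which flags a go directive bump that no dependency requires.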
