diff --git a/.github/updatecli.d/bump-go-release-version.sh b/.github/updatecli.d/bump-go-release-version.sh
index 64030b8f..ecfd2b4f 100755
--- a/.github/updatecli.d/bump-go-release-version.sh
+++ b/.github/updatecli.d/bump-go-release-version.sh
@@ -43,7 +43,6 @@ echo "Update go version ${GO_RELEASE_VERSION}"
 
 find "go" -type f -name Dockerfile.tmpl -print0 |
     while IFS= read -r -d '' line; do
-        ${SED} -E -e "s#(ARG GOLANG_VERSION)=[0-9]+\.[0-9]+(\.[0-9]+)?#\1=${GO_RELEASE_VERSION}#g" "$line"
         if echo "$line" | grep -q 'arm' ; then
             ${SED} -E -e "s#(ARG GOLANG_DOWNLOAD_SHA256)=.+#\1=${GOLANG_DOWNLOAD_SHA256_ARM}#g" "$line"
             ${SED} -E -e "s#(ARG MSFT_DOWNLOAD_SHA256)=.+#\1=${MSFT_DOWNLOAD_SHA256_ARM}#g" "$line"
diff --git a/.github/updatecli.d/bump-microsoft.yml b/.github/updatecli.d/bump-microsoft.yml
new file mode 100644
index 00000000..b3a766e5
--- /dev/null
+++ b/.github/updatecli.d/bump-microsoft.yml
@@ -0,0 +1,100 @@
+---
+name: Bump golang-microsoft to latest version
+pipelineid: 'bump-golang-microsoft-version-{{ requiredEnv "BRANCH" }}'
+
+scms:
+  githubConfig:
+    kind: github
+    spec:
+      user: '{{ requiredEnv "GITHUB_ACTOR" }}'
+      username: '{{ requiredEnv "GITHUB_ACTOR" }}'
+      owner: elastic
+      repository: golang-crossbuild
+      token: '{{ requiredEnv "GITHUB_TOKEN" }}'
+      branch: '{{ requiredEnv "BRANCH" }}'
+      commitusingapi: true
+
+actions:
+  default:
+    title: '[Automation] Bump Microsoft version to {{ source "latestGoVersion" }}'
+    kind: github/pullrequest
+    scmid: githubConfig
+    spec:
+      automerge: true
+      labels:
+        - automation
+        - dependencies
+        - backport-skip
+      description: |
+        See https://github.com/microsoft/go/releases/v{{ source "latestGoVersion" }}
+
+sources:
+  minor:
+    name: Get minor version
+    kind: shell
+    transformers:
+      - findsubmatch:
+          pattern: '^\d+.(\d+)'
+          captureindex: 1
+    spec:
+      command: echo {{ requiredEnv "GO_MINOR" }}
+
+  latestGoVersion:
+    name: Get Latest Go Release
+    kind: githubrelease
+    dependson:
+      - minor
+    transformers:
+      - trimprefix: v
+    spec:
+      owner: microsoft
+      repository: go
+      token: '{{ requiredEnv "GITHUB_TOKEN" }}'
+      username: '{{ requiredEnv "GITHUB_ACTOR" }}'
+      versionfilter:
+        kind: regex
+        pattern: v1\.{{ source "minor" }}\.(\d*)(-\d*)$
+
+  securityVersion:
+    name: Get security version
+    dependson:
+      - latestGoVersion
+    kind: shell
+    transformers:
+      - findsubmatch:
+          pattern: '^1.{{ source "minor" }}.\d+(-\d+)'
+          captureindex: 1
+    spec:
+      command: echo {{ source "latestGoVersion" }}
+
+  golangVersion:
+    name: Get golang version
+    dependson:
+      - latestGoVersion
+    kind: shell
+    transformers:
+      - findsubmatch:
+          pattern: '^(\d+.\d+.\d+)-(\d+)'
+          captureindex: 1
+    spec:
+      command: echo {{ source "latestGoVersion" }}
+
+conditions:
+  is-security-already-updated:
+    name: Is security version '{{ source "securityVersion" }}' not updated in 'go/base/Dockerfile.tmpl'?
+    disablesourceinput: true
+    kind: shell
+    spec:
+      command: grep 'ARG SECURITY_VERSION={{ source `securityVersion` }}' go/base/Dockerfile.tmpl && exit 1 || exit 0
+    failwhen: false
+
+targets:
+  update-go-versions:
+    name: 'Update go version {{ source "latestGoVersion" }}'
+    kind: shell
+    sourceid: latestGoVersion
+    scmid: githubConfig
+    spec:
+      command: .github/updatecli.d/bump-go-microsoft-version.sh
+      environments:
+        - name: PATH
diff --git a/go/base-arm/Dockerfile.tmpl b/go/base-arm/Dockerfile.tmpl
index 7f8b4a1f..b290e9c5 100644
--- a/go/base-arm/Dockerfile.tmpl
+++ b/go/base-arm/Dockerfile.tmpl
@@ -57,14 +57,14 @@ RUN \
             libsqlite3-0 \
         && rm -rf /var/lib/apt/lists/*
 
-ARG GOLANG_VERSION=1.23.10
+ARG VERSION
 {{- if eq .FIPS "true"}}
-ARG GOLANG_DOWNLOAD_URL=https://aka.ms/golang/release/latest/go$GOLANG_VERSION-1.linux-arm64.tar.gz
+ARG GOLANG_DOWNLOAD_URL=https://aka.ms/golang/release/latest/go$VERSION-1.linux-arm64.tar.gz
 # Use a different arg name for microsoft/go sha so it can be handled seperately from the regular golang sha
 ARG MSFT_DOWNLOAD_SHA256=901f023a7ad01b743f4f1f7c6e5dd12c03c2aaaebedd70f7eef415caae79510d
 ARG DOWNLOAD_SHA256=$MSFT_DOWNLOAD_SHA256
 {{- else}}
-ARG GOLANG_DOWNLOAD_URL=https://golang.org/dl/go$GOLANG_VERSION.linux-arm64.tar.gz
+ARG GOLANG_DOWNLOAD_URL=https://golang.org/dl/go$VERSION.linux-arm64.tar.gz
 ARG GOLANG_DOWNLOAD_SHA256=bfb1f1df7173f44648ee070a39ab0481068632f595305a699d89cd56a33b8081
 ARG DOWNLOAD_SHA256=$GOLANG_DOWNLOAD_SHA256
 {{- end}}
@@ -81,6 +81,10 @@ ENV PATH $PATH:/usr/local/go/bin
 RUN mkdir -p "$GOPATH/src" "$GOPATH/bin" && chmod -R 777 "$GOPATH"
 WORKDIR $GOPATH
 
+# Validate the Go installation
+RUN go version \
+    && go version | grep "go${VERSION}" || (echo "Go version mismatch: expected to contain go${VERSION}" && exit 1)
+
 COPY rootfs /
 
 # show the GLIBC version
@@ -90,7 +94,7 @@ WORKDIR /
 
 RUN mkdir -p /root/.config/go/telemetry && echo "off 2024-08-23" > /root/.config/go/telemetry/mode
 ENV GOTOOLCHAIN local
-RUN go mod init github.com/elastic/golang-crossbuild-$GOLANG_VERSION-arm \
+RUN go mod init github.com/elastic/golang-crossbuild-$VERSION-arm \
     && go get . \
     && go env \
     && echo "toolcompile=$(go tool compile -V)" \
diff --git a/go/base/Dockerfile.tmpl b/go/base/Dockerfile.tmpl
index 8ba8872f..b110844b 100644
--- a/go/base/Dockerfile.tmpl
+++ b/go/base/Dockerfile.tmpl
@@ -31,14 +31,14 @@ RUN apt-get -o Acquire::Check-Valid-Until=false update -y --no-install-recommend
 RUN ln -s /usr/bin/pip3 /usr/bin/pip
 {{- end }}
 
-ARG GOLANG_VERSION=1.23.10
+ARG VERSION
 {{- if eq .FIPS "true"}}
-ARG GOLANG_DOWNLOAD_URL=https://aka.ms/golang/release/latest/go$GOLANG_VERSION-1.linux-amd64.tar.gz
+ARG GOLANG_DOWNLOAD_URL=https://aka.ms/golang/release/latest/go$VERSION-1.linux-amd64.tar.gz
 # Use a different arg name for microsoft/go sha so it can be handled seperately from the regular golang sha
 ARG MSFT_DOWNLOAD_SHA256=c4ee22c0de9fd2ff2c0d0d1a446e5aac75c9e3a3bfdc16e25e32d2461c5347ed
 ARG DOWNLOAD_SHA256=$MSFT_DOWNLOAD_SHA256
 {{- else}}
-ARG GOLANG_DOWNLOAD_URL=https://golang.org/dl/go$GOLANG_VERSION.linux-amd64.tar.gz
+ARG GOLANG_DOWNLOAD_URL=https://golang.org/dl/go$VERSION.linux-amd64.tar.gz
 ARG GOLANG_DOWNLOAD_SHA256=535f9f81802499f2a7dbfa70abb8fda3793725fcc29460f719815f6e10b5fd60
 ARG DOWNLOAD_SHA256=$GOLANG_DOWNLOAD_SHA256
 {{- end }}
@@ -55,6 +55,10 @@ ENV PATH $PATH:/usr/local/go/bin
 RUN mkdir -p "$GOPATH/src" "$GOPATH/bin" && chmod -R 777 "$GOPATH"
 WORKDIR $GOPATH
 
+# Validate the Go installation
+RUN go version \
+    && go version | grep "go${VERSION}" || (echo "Go version mismatch: expected to contain go${VERSION}" && exit 1)
+
 COPY rootfs /
 
 # show the GLIBC version
@@ -63,7 +67,7 @@ RUN ldd --version
 WORKDIR /
 RUN mkdir -p /root/.config/go/telemetry && echo "off 2024-08-23" > /root/.config/go/telemetry/mode
 ENV GOTOOLCHAIN=local
-RUN go mod init github.com/elastic/golang-crossbuild-$GOLANG_VERSION \
+RUN go mod init github.com/elastic/golang-crossbuild-$VERSION \
     && go get . \
     && go env \
     && echo "toolcompile=$(go tool compile -V)" \