diff --git a/.github/updatecli.d/bump-go-microsoft-version.sh b/.github/updatecli.d/bump-go-microsoft-version.sh
deleted file mode 100755
index bf2f0a01..00000000
--- a/.github/updatecli.d/bump-go-microsoft-version.sh
+++ /dev/null
@@ -1,38 +0,0 @@
-#!/usr/bin/env bash
-#
-# Given the Golang microsoft version this script will bump the version.
-#
-# This script is executed by the automation we are putting in place
-#
-# Parameters:
-#	$1 -> the Golang release version to be bumped. Mandatory.
-#
-set -euo pipefail
-MSG="parameter missing."
-GO_RELEASE_VERSION=${1:?$MSG}
-OS=$(uname -s| tr '[:upper:]' '[:lower:]')
-if [ "${OS}" == "darwin" ] ; then
-	SED="sed -i .bck"
-else
-	SED="sed -i"
-fi
-
-MAJOR_MINOR_PATCH_VERSION=$(echo "$GO_RELEASE_VERSION" | sed -E -e "s#([0-9]+\.[0-9]+\.[0-9]+).*#\1#g")
-SECURITY_VERSION=$(echo "$GO_RELEASE_VERSION" | sed -E -e "s#([0-9]+\.[0-9]+\.[0-9]+)(.+)#\2#g")
-
-# Gather microsoft/go sha256 values
-MSFT_DOWNLOAD_METADATA=$(curl -s -L https://aka.ms/golang/release/latest/go${MAJOR_MINOR_PATCH_VERSION}.assets.json)
-MSFT_DOWNLOAD_SHA256_ARM=$(echo $MSFT_DOWNLOAD_METADATA | jq -r ".arches[] | select( .env.GOOS == \"linux\") | select( .env.GOARCH == \"arm64\") | .sha256")
-MSFT_DOWNLOAD_SHA256_AMD=$(echo $MSFT_DOWNLOAD_METADATA | jq -r ".arches[] | select( .env.GOOS == \"linux\") | select( .env.GOARCH == \"amd64\") | .sha256")
-
-echo "Update go version ${GO_RELEASE_VERSION}"
-
-find "go" -type f -name Dockerfile.tmpl -print0 |
-    while IFS= read -r -d '' line; do
-        ${SED} -E -e "s#(ARG SECURITY_VERSION)=.*#\1=${SECURITY_VERSION}#g" "$line"
-        if echo "$line" | grep -q 'arm' ; then
-            ${SED} -E -e "s#(ARG MSFT_DOWNLOAD_SHA256)=.+#\1=${MSFT_DOWNLOAD_SHA256_ARM}#g" "$line"
-        else
-            ${SED} -E -e "s#(ARG MSFT_DOWNLOAD_SHA256)=.+#\1=${MSFT_DOWNLOAD_SHA256_AMD}#g" "$line"
-        fi
-    done
diff --git a/.github/updatecli.d/bump-go-release-version.sh b/.github/updatecli.d/bump-go-version.sh
similarity index 60%
rename from .github/updatecli.d/bump-go-release-version.sh
rename to .github/updatecli.d/bump-go-version.sh
index 3ba89563..8e6b0847 100755
--- a/.github/updatecli.d/bump-go-release-version.sh
+++ b/.github/updatecli.d/bump-go-version.sh
@@ -1,13 +1,15 @@
 #!/usr/bin/env bash
 #
-# Given the Golang release version this script will bump the version.
+# Given the Microsoft Golang release version this script will bump the version.
 #
 # This script is executed by the automation we are putting in place
 #
-# NOTE: sha256 is retrieved from https://pkg.go.dev/golang.org/x/website/internal/dl?utm_source=godoc
+# NOTE: 
+#   * sha256 is retrieved from https://pkg.go.dev/golang.org/x/website/internal/dl?utm_source=godoc
+#   * sha256 is retrieved from https://aka.ms/golang/release/latest/go${MAJOR_MINOR_PATCH_VERSION}.assets.json
 #
 # Parameters:
-#	$1 -> the Golang release version to be bumped. Mandatory.
+#	$1 -> the Microsoft Golang release version to be bumped. Mandatory.
 #
 set -euo pipefail
 MSG="parameter missing."
@@ -19,34 +21,30 @@ else
 	SED="sed -i"
 fi
 
-MAJOR_MINOR_VERSION=$(echo "$GO_RELEASE_VERSION" | sed -E -e "s#([0-9]+\.[0-9]+).*#\1#g")
+# Process the GO_RELEASE_VERSION to extract major, minor, patch and security versions
+MAJOR_MINOR_PATCH_VERSION=${GO_RELEASE_VERSION%-*}
+SECURITY_VERSION="-${GO_RELEASE_VERSION##*-}"
+
+# Gather golang/go sha256 values
 GOLANG_DOWNLOAD_SHA256_ARM=$(curl -s -L https://golang.org/dl/\?mode\=json | jq -r ".[] | select( .version | contains(\"go${GO_RELEASE_VERSION}\")) | .files[] | select (.filename | contains(\"go${GO_RELEASE_VERSION}.linux-arm64.tar.gz\")) | .sha256")
 GOLANG_DOWNLOAD_SHA256_AMD=$(curl -s -L https://golang.org/dl/\?mode\=json | jq -r ".[] | select( .version | contains(\"go${GO_RELEASE_VERSION}\")) | .files[] | select (.filename | contains(\"go${GO_RELEASE_VERSION}.linux-amd64.tar.gz\")) | .sha256")
 
 # Gather microsoft/go sha256 values
-URL=https://aka.ms/golang/release/latest/go${GO_RELEASE_VERSION}.assets.json
-if curl -s -L "$URL" > /dev/null ; then
-    MSFT_DOWNLOAD_METADATA=$(curl -s -L "$URL")
-    MSFT_DOWNLOAD_SHA256_ARM=$(echo $MSFT_DOWNLOAD_METADATA | jq -r ".arches[] | select( .env.GOOS == \"linux\") | select( .env.GOARCH == \"arm64\") | .sha256")
-    MSFT_DOWNLOAD_SHA256_AMD=$(echo $MSFT_DOWNLOAD_METADATA | jq -r ".arches[] | select( .env.GOOS == \"linux\") | select( .env.GOARCH == \"amd64\") | .sha256")
-    # when a new minor then we use `-1`
-    # then nex security versions will be `-2`, `-3`, etc, see bump-microsoft.yml
-    SECURITY_VERSION=-1
-fi
+MSFT_DOWNLOAD_METADATA=$(curl -s -L https://aka.ms/golang/release/latest/go${MAJOR_MINOR_PATCH_VERSION}.assets.json)
+MSFT_DOWNLOAD_SHA256_ARM=$(echo $MSFT_DOWNLOAD_METADATA | jq -r ".arches[] | select( .env.GOOS == \"linux\") | select( .env.GOARCH == \"arm64\") | .sha256")
+MSFT_DOWNLOAD_SHA256_AMD=$(echo $MSFT_DOWNLOAD_METADATA | jq -r ".arches[] | select( .env.GOOS == \"linux\") | select( .env.GOARCH == \"amd64\") | .sha256")
 
 ## As long as https://golang.org/dl/?mode=json supports only 2 major versions
 ## and there is a new major release, then it's required to parse https://golang.org/dl
 ## see https://github.com/elastic/golang-crossbuild/pull/389/commits/d0af04f97a2381630ea5e8da5a99f50cf27856a0
 if [ -z "$GOLANG_DOWNLOAD_SHA256_ARM" ] ; then
-    GOLANG_DOWNLOAD_SHA256_ARM=$(curl -s -L https://golang.org/dl | grep go${GO_RELEASE_VERSION}.linux-arm64.tar.gz -A 5 | grep "<tt>" | sed 's#.*<tt>##g' | sed 's#</t.*##g')
+    GOLANG_DOWNLOAD_SHA256_ARM=$(curl -s -L https://golang.org/dl | grep "go${MAJOR_MINOR_PATCH_VERSION}.linux-arm64.tar.gz" -A 5 | grep "<tt>" | sed 's#.*<tt>##g' | sed 's#</t.*##g')
 fi
 
 if [ -z "$GOLANG_DOWNLOAD_SHA256_AMD" ] ; then
-    GOLANG_DOWNLOAD_SHA256_AMD=$(curl -s -L https://golang.org/dl | grep go${GO_RELEASE_VERSION}.linux-amd64.tar.gz -A 5 | grep "<tt>" | sed 's#.*<tt>##g' | sed 's#</t.*##g')
+    GOLANG_DOWNLOAD_SHA256_AMD=$(curl -s -L https://golang.org/dl | grep "go${MAJOR_MINOR_PATCH_VERSION}.linux-amd64.tar.gz" -A 5 | grep "<tt>" | sed 's#.*<tt>##g' | sed 's#</t.*##g')
 fi
 
-echo "Update go version ${GO_RELEASE_VERSION}"
-
 find "go" -type f -name Dockerfile.tmpl -print0 |
     while IFS= read -r -d '' line; do
         if echo "$line" | grep -q 'arm' ; then
@@ -64,3 +62,11 @@ find "go" -type f -name Dockerfile.tmpl -print0 |
             ${SED} -E -e "s#(ARG SECURITY_VERSION)=.*#\1=${SECURITY_VERSION}#g" "$line"
         fi
     done
+
+if git diff --quiet ; then
+    # No modifications – exit successfully but keep stdout empty to that updatecli is happy
+    exit 0
+else
+    echo "Update Go version ${GO_RELEASE_VERSION}"
+    git --no-pager diff
+fi
\ No newline at end of file
diff --git a/.github/updatecli.d/bump-golang.yml b/.github/updatecli.d/bump-golang.yml
index fc0705a9..9f65ec62 100644
--- a/.github/updatecli.d/bump-golang.yml
+++ b/.github/updatecli.d/bump-golang.yml
@@ -16,17 +16,17 @@ scms:
 
 actions:
   default:
-    title: '[Automation] Bump Golang version to {{ source "latestGoVersion" }}'
+    title: '[Automation] Bump Golang version to {{ source "latestMicrosoftGoVersion" }}'
     kind: github/pullrequest
     scmid: githubConfig
     spec:
-      automerge: true
+      automerge: false
       labels:
         - automation
         - dependencies
         - backport-skip
       description: |
-        See [changelog](https://github.com/golang/go/issues?q=milestone%3AGo{{ source "latestGoVersion" }}+label%3ACherryPickApproved) for {{ source "latestGoVersion" }}
+        See [changelog](https://github.com/golang/go/issues?q=milestone%3AGo{{ source "golangVersion" }}+label%3ACherryPickApproved) for {{ source "golangVersion" }}
 
 sources:
   minor:
@@ -39,75 +39,78 @@ sources:
     spec:
       command: echo {{ requiredEnv "GO_MINOR" }}
 
-  latestGoVersion:
-    name: Get Latest Go Release
+  latestMicrosoftGoVersion:
+    name: Get Latest Microsoft Go Release
     kind: githubrelease
     dependson:
       - minor
     transformers:
-      - trimprefix: go
+      - trimprefix: v
     spec:
-      owner: golang
+      owner: microsoft
       repository: go
       token: '{{ requiredEnv "GITHUB_TOKEN" }}'
       username: '{{ requiredEnv "GITHUB_ACTOR" }}'
       versionfilter:
         kind: regex
-        pattern: go1\.{{ source "minor" }}(\.(\d*))?$
+        pattern: v1\.{{ source "minor" }}\.(\d*)(-\d*)$
+
+  golangVersion:
+    # NOTE: FIPS images need the Microsoft version.
+    name: Get the Microsoft version of Golang, as it comes out a little later
+    dependson:
+      - latestMicrosoftGoVersion
+    kind: shell
+    transformers:
+      - findsubmatch:
+          pattern: '^(\d+.\d+.\d+)-(\d+)'
+          captureindex: 1
+    spec:
+      command: echo {{ source "latestMicrosoftGoVersion" }}
 
 conditions:
   dockerTag:
-    name: Is docker image golang:{{ source "latestGoVersion" }} published
+    name: Is docker image golang:{{ source "golangVersion" }} published
     kind: dockerimage
     spec:
       image: golang
-      tag: '{{ source "latestGoVersion" }}'
-    sourceid: latestGoVersion
-## As long as there is a bug see https://github.com/updatecli/updatecli/issues/1849
-## Let's use the shell kind rather than the file kind.
-## When fixed then uncomment the code and remove is-already-updated
-#  is:
-#    name: Is version '{{ source "latestGoVersion" }}' not updated in 'go/Makefile.common'?
-#    disablesourceinput: true
-#    kind: file
-#    spec:
-#      file: go/Makefile.common
-#      line: 5
-#      content: VERSION        := {{ source `latestGoVersion` }}
-#    failwhen: true
-  is-already-updated:
-    name: Is version '{{ source "latestGoVersion" }}' not updated in 'go/Makefile.common'?
+      tag: '{{ source "golangVersion" }}'
+    sourceid: golangVersion
+  is:
+    name: Is version '{{ source "golangVersion" }}' not updated in 'go/Makefile.common'?
     disablesourceinput: true
-    kind: shell
+    kind: file
     spec:
-      command: grep 'VERSION        := {{ source `latestGoVersion` }}' go/Makefile.common && exit 1 || exit 0
-    failwhen: false
+      file: go/Makefile.common
+      line: 5
+      content: VERSION        := {{ source `golangVersion` }}
+    failwhen: true
 
 targets:
   update-go-version:
     name: "Update .go-version"
-    sourceid: latestGoVersion
+    sourceid: golangVersion
     scmid: githubConfig
     kind: file
     spec:
-      content: '{{ source "latestGoVersion" }}'
+      content: '{{ source "golangVersion" }}'
       file: .go-version
       matchpattern: '\d+.\d+.\d+'
   update-go-makefile.common:
     name: "Update go/Makefile.common"
-    sourceid: latestGoVersion
+    sourceid: golangVersion
     scmid: githubConfig
     kind: file
     spec:
-      content: '{{ source "latestGoVersion" }}'
+      content: '{{ source "golangVersion" }}'
       file: go/Makefile.common
       matchpattern: '\d+.\d+.\d+'
   update-go-versions:
-    name: 'Update go version {{ source "latestGoVersion" }}'
+    name: 'Update go version {{ source "latestMicrosoftGoVersion" }}'
     kind: shell
-    sourceid: latestGoVersion
+    sourceid: latestMicrosoftGoVersion
     scmid: githubConfig
     spec:
-      command: .github/updatecli.d/bump-go-release-version.sh
+      command: .github/updatecli.d/bump-go-version.sh
       environments:
         - name: PATH
diff --git a/.github/updatecli.d/bump-microsoft.yml b/.github/updatecli.d/bump-microsoft.yml
deleted file mode 100644
index b3a766e5..00000000
--- a/.github/updatecli.d/bump-microsoft.yml
+++ /dev/null
@@ -1,100 +0,0 @@
----
-name: Bump golang-microsoft to latest version
-pipelineid: 'bump-golang-microsoft-version-{{ requiredEnv "BRANCH" }}'
-
-scms:
-  githubConfig:
-    kind: github
-    spec:
-      user: '{{ requiredEnv "GITHUB_ACTOR" }}'
-      username: '{{ requiredEnv "GITHUB_ACTOR" }}'
-      owner: elastic
-      repository: golang-crossbuild
-      token: '{{ requiredEnv "GITHUB_TOKEN" }}'
-      branch: '{{ requiredEnv "BRANCH" }}'
-      commitusingapi: true
-
-actions:
-  default:
-    title: '[Automation] Bump Microsoft version to {{ source "latestGoVersion" }}'
-    kind: github/pullrequest
-    scmid: githubConfig
-    spec:
-      automerge: true
-      labels:
-        - automation
-        - dependencies
-        - backport-skip
-      description: |
-        See https://github.com/microsoft/go/releases/v{{ source "latestGoVersion" }}
-
-sources:
-  minor:
-    name: Get minor version
-    kind: shell
-    transformers:
-      - findsubmatch:
-          pattern: '^\d+.(\d+)'
-          captureindex: 1
-    spec:
-      command: echo {{ requiredEnv "GO_MINOR" }}
-
-  latestGoVersion:
-    name: Get Latest Go Release
-    kind: githubrelease
-    dependson:
-      - minor
-    transformers:
-      - trimprefix: v
-    spec:
-      owner: microsoft
-      repository: go
-      token: '{{ requiredEnv "GITHUB_TOKEN" }}'
-      username: '{{ requiredEnv "GITHUB_ACTOR" }}'
-      versionfilter:
-        kind: regex
-        pattern: v1\.{{ source "minor" }}\.(\d*)(-\d*)$
-
-  securityVersion:
-    name: Get security version
-    dependson:
-      - latestGoVersion
-    kind: shell
-    transformers:
-      - findsubmatch:
-          pattern: '^1.{{ source "minor" }}.\d+(-\d+)'
-          captureindex: 1
-    spec:
-      command: echo {{ source "latestGoVersion" }}
-
-  golangVersion:
-    name: Get golang version
-    dependson:
-      - latestGoVersion
-    kind: shell
-    transformers:
-      - findsubmatch:
-          pattern: '^(\d+.\d+.\d+)-(\d+)'
-          captureindex: 1
-    spec:
-      command: echo {{ source "latestGoVersion" }}
-
-conditions:
-  is-security-already-updated:
-    name: Is security version '{{ source "securityVersion" }}' not updated in 'go/base/Dockerfile.tmpl'?
-    disablesourceinput: true
-    kind: shell
-    spec:
-      command: grep 'ARG SECURITY_VERSION={{ source `securityVersion` }}' go/base/Dockerfile.tmpl && exit 1 || exit 0
-    failwhen: false
-
-targets:
-  update-go-versions:
-    name: 'Update go version {{ source "latestGoVersion" }}'
-    kind: shell
-    sourceid: latestGoVersion
-    scmid: githubConfig
-    spec:
-      command: .github/updatecli.d/bump-go-microsoft-version.sh
-      environments:
-        - name: PATH