diff --git a/.github/workflows/pr_build.yaml b/.github/workflows/pr_build.yaml
index 055f275f..0ee7a2c0 100644
--- a/.github/workflows/pr_build.yaml
+++ b/.github/workflows/pr_build.yaml
@@ -2,8 +2,6 @@ name: PR Build
 on:
   pull_request: {}
   workflow_dispatch: {}
-env:
-  GO_VERSION: 1.21
 jobs:
   lint-linux:
     runs-on: ubuntu-latest
@@ -15,7 +13,7 @@ jobs:
         with:
           cache: true
           cache-dependency-path: v2/go.sum
-          go-version: ${{ env.GO_VERSION }}
+          go-version-file: v2/go.mod
       - name: Lint
         run: make lint
 
@@ -29,7 +27,7 @@ jobs:
         with:
           cache: true
           cache-dependency-path: v2/go.sum
-          go-version: ${{ env.GO_VERSION }}
+          go-version-file: v2/go.mod
       - name: Test
         run: make test
 
@@ -46,7 +44,7 @@ jobs:
         with:
           cache: true
           cache-dependency-path: v2/go.sum
-          go-version: ${{ env.GO_VERSION }}
+          go-version-file: v2/go.mod
       - name: Install msys2
         uses: msys2/setup-msys2@v2
         with:
@@ -73,7 +71,7 @@ jobs:
         with:
           cache: true
           cache-dependency-path: v2/go.sum
-          go-version: ${{ env.GO_VERSION }}
+          go-version-file: v2/go.mod
       - name: Install msys2
         uses: msys2/setup-msys2@v2
         with:
diff --git a/Makefile b/Makefile
index 289db316..41bb4fe0 100644
--- a/Makefile
+++ b/Makefile
@@ -72,7 +72,7 @@ protoc_gen_go_grpc_base_dir := $(build_dir)/protoc-gen-go-grpc
 protoc_gen_go_grpc_dir := $(protoc_gen_go_grpc_base_dir)/$(protoc_gen_go_grpc_version)-go$(go_version)
 protoc_gen_go_grpc_bin := $(protoc_gen_go_grpc_dir)/protoc-gen-go-grpc
 
-golangci_lint_version = v1.57.2
+golangci_lint_version = v1.63.4
 golangci_lint_dir = $(build_dir)/golangci_lint/$(golangci_lint_version)
 golangci_lint_bin = $(golangci_lint_dir)/golangci-lint
 
diff --git a/v2/.golangci.yml b/v2/.golangci.yml
index 90bf4c66..b80a116c 100644
--- a/v2/.golangci.yml
+++ b/v2/.golangci.yml
@@ -10,7 +10,7 @@ linters:
     - gosec
     - misspell
     - nakedret
-    - exportloopref
+    - copyloopvar
     - unconvert
     - unparam
     - whitespace
diff --git a/v2/bundle/jwtbundle/bundle_test.go b/v2/bundle/jwtbundle/bundle_test.go
index 53790b3f..76318d41 100644
--- a/v2/bundle/jwtbundle/bundle_test.go
+++ b/v2/bundle/jwtbundle/bundle_test.go
@@ -77,7 +77,6 @@ func TestLoad(t *testing.T) {
 	}
 
 	for _, testCase := range testCases {
-		testCase := testCase
 		t.Run(testCase.tf.filePath, func(t *testing.T) {
 			bundle, err := jwtbundle.Load(td, testCase.tf.filePath)
 			if testCase.err != "" {
@@ -113,7 +112,6 @@ func TestRead(t *testing.T) {
 	}
 
 	for _, testCase := range testCases {
-		testCase := testCase
 		t.Run(testCase.tf.filePath, func(t *testing.T) {
 			// we expect the Open call to fail in some cases
 			file, _ := os.Open(testCase.tf.filePath)
@@ -153,7 +151,6 @@ func TestParse(t *testing.T) {
 	}
 
 	for _, testCase := range testCases {
-		testCase := testCase
 		t.Run(testCase.tf.filePath, func(t *testing.T) {
 			// we expect the ReadFile call to fail in some cases
 			bundleBytes, _ := os.ReadFile(testCase.tf.filePath)
@@ -306,7 +303,6 @@ func TestEqual(t *testing.T) {
 			expectEqual: false,
 		},
 	} {
-		tt := tt
 		t.Run(tt.name, func(t *testing.T) {
 			require.Equal(t, tt.expectEqual, tt.a.Equal(tt.b))
 		})
diff --git a/v2/bundle/spiffebundle/bundle_test.go b/v2/bundle/spiffebundle/bundle_test.go
index bff65a44..4a890177 100644
--- a/v2/bundle/spiffebundle/bundle_test.go
+++ b/v2/bundle/spiffebundle/bundle_test.go
@@ -73,7 +73,6 @@ func TestLoad(t *testing.T) {
 	testCases[0].err = "spiffebundle: unable to read SPIFFE bundle: open testdata/does-not-exist.json: " + errstrings.FileNotFound
 
 	for _, testCase := range testCases {
-		testCase := testCase
 		t.Run(testCase.filePath, func(t *testing.T) {
 			bundle, err := spiffebundle.Load(td, testCase.filePath)
 			checkBundleProperties(t, err, testCase, bundle)
@@ -85,7 +84,6 @@ func TestRead(t *testing.T) {
 	testCases[0].err = "spiffebundle: unable to read: invalid argument"
 
 	for _, testCase := range testCases {
-		testCase := testCase
 		t.Run(testCase.filePath, func(t *testing.T) {
 			// we expect the Open call to fail in some cases
 			file, _ := os.Open(testCase.filePath)
@@ -101,7 +99,6 @@ func TestParse(t *testing.T) {
 	testCases[0].err = "spiffebundle: unable to parse JWKS: unexpected end of JSON input"
 
 	for _, testCase := range testCases {
-		testCase := testCase
 		t.Run(testCase.filePath, func(t *testing.T) {
 			// we expect the ReadFile call to fail in some cases
 			bundleBytes, _ := os.ReadFile(testCase.filePath)
@@ -447,7 +444,6 @@ func TestEqual(t *testing.T) {
 			expectEqual: false,
 		},
 	} {
-		tt := tt
 		t.Run(tt.name, func(t *testing.T) {
 			require.Equal(t, tt.expectEqual, tt.a.Equal(tt.b))
 		})
diff --git a/v2/bundle/x509bundle/bundle_test.go b/v2/bundle/x509bundle/bundle_test.go
index 2348a3cc..ec0d879c 100644
--- a/v2/bundle/x509bundle/bundle_test.go
+++ b/v2/bundle/x509bundle/bundle_test.go
@@ -113,7 +113,6 @@ func TestParse(t *testing.T) {
 	}
 
 	for _, test := range tests {
-		test := test
 		t.Run(test.name, func(t *testing.T) {
 			fileBytes, err := os.ReadFile(test.path)
 			require.NoError(t, err)
@@ -157,7 +156,6 @@ func TestParseRaw(t *testing.T) {
 	}
 
 	for _, test := range tests {
-		test := test
 		t.Run(test.name, func(t *testing.T) {
 			certsBytes := loadRawCertificates(t, test.path)
 			bundle, err := x509bundle.ParseRaw(td, certsBytes)
@@ -297,7 +295,6 @@ func TestEqual(t *testing.T) {
 			expectEqual: false,
 		},
 	} {
-		tt := tt
 		t.Run(tt.name, func(t *testing.T) {
 			require.Equal(t, tt.expectEqual, tt.a.Equal(tt.b))
 		})
diff --git a/v2/federation/handler_test.go b/v2/federation/handler_test.go
index 5a0b2baa..cd7d4f86 100644
--- a/v2/federation/handler_test.go
+++ b/v2/federation/handler_test.go
@@ -118,7 +118,6 @@ func TestHandler(t *testing.T) {
 	}
 
 	for _, testCase := range testCases {
-		testCase := testCase
 		t.Run(testCase.name, func(t *testing.T) {
 			writer.Reset()
 
diff --git a/v2/go.mod b/v2/go.mod
index 292dc538..d9bfeff6 100644
--- a/v2/go.mod
+++ b/v2/go.mod
@@ -1,6 +1,6 @@
 module github.com/spiffe/go-spiffe/v2
 
-go 1.21
+go 1.22.11
 
 require (
 	github.com/Microsoft/go-winio v0.6.2
diff --git a/v2/spiffetls/spiffetls_test.go b/v2/spiffetls/spiffetls_test.go
index b15f05f8..0512acd2 100644
--- a/v2/spiffetls/spiffetls_test.go
+++ b/v2/spiffetls/spiffetls_test.go
@@ -248,8 +248,6 @@ func TestListenAndDial(t *testing.T) {
 	tests = append(tests, listenAndDialCasesOS()...)
 
 	for _, test := range tests {
-		test := test
-
 		if test.defaultWlAPIAddr != "" {
 			require.NoError(t, os.Setenv("SPIFFE_ENDPOINT_SOCKET", test.defaultWlAPIAddr))
 		} else {
diff --git a/v2/spiffetls/tlsconfig/config_test.go b/v2/spiffetls/tlsconfig/config_test.go
index 6bdb68d9..814c28ae 100644
--- a/v2/spiffetls/tlsconfig/config_test.go
+++ b/v2/spiffetls/tlsconfig/config_test.go
@@ -307,7 +307,6 @@ func TestGetCertificate(t *testing.T) {
 	}
 
 	for _, testCase := range testCases {
-		testCase := testCase
 		t.Run(testCase.name, func(t *testing.T) {
 			getCertificateCalls := 0
 			tracer := hookedTracer(
@@ -361,7 +360,6 @@ func TestGetClientCertificate(t *testing.T) {
 	}
 
 	for _, testCase := range testCases {
-		testCase := testCase
 		t.Run(testCase.name, func(t *testing.T) {
 			getCertificateCalls := 0
 			tracer := hookedTracer(
@@ -427,7 +425,6 @@ func TestVerifyPeerCertificate(t *testing.T) {
 	}
 
 	for _, testCase := range testCases {
-		testCase := testCase
 		t.Run(testCase.name, func(t *testing.T) {
 			verifyPeerCertificate := tlsconfig.VerifyPeerCertificate(testCase.bundle, testCase.authorizer)
 			require.NotNil(t, verifyPeerCertificate)
@@ -500,7 +497,6 @@ func TestWrapVerifyPeerCertificate(t *testing.T) {
 	}
 
 	for _, testCase := range testCases {
-		testCase := testCase
 		t.Run(testCase.name, func(t *testing.T) {
 			verifyPeerCertificate := tlsconfig.WrapVerifyPeerCertificate(testCase.wrapped, testCase.bundle, testCase.authorizer)
 			require.NotNil(t, verifyPeerCertificate)
@@ -567,7 +563,6 @@ func TestTLSHandshake(t *testing.T) {
 	}
 
 	for _, testCase := range testCases {
-		testCase := testCase
 		t.Run(testCase.name, func(t *testing.T) {
 			testConnection(t, testCase.serverConfig, testCase.clientConfig, testCase.serverErr, testCase.clientErr)
 		})
@@ -647,7 +642,6 @@ func TestMTLSHandshake(t *testing.T) {
 	}
 
 	for _, testCase := range testCases {
-		testCase := testCase
 		t.Run(testCase.name, func(t *testing.T) {
 			testConnection(t, testCase.serverConfig, testCase.clientConfig, testCase.serverErr, testCase.clientErr)
 		})
@@ -722,7 +716,6 @@ func TestMTLSWebHandshake(t *testing.T) {
 	}
 
 	for _, testCase := range testCases {
-		testCase := testCase
 		t.Run(testCase.name, func(t *testing.T) {
 			testConnection(t, testCase.serverConfig, testCase.clientConfig, testCase.serverErr, testCase.clientErr)
 		})
diff --git a/v2/svid/jwtsvid/svid_test.go b/v2/svid/jwtsvid/svid_test.go
index 78c23e69..cfdded5b 100644
--- a/v2/svid/jwtsvid/svid_test.go
+++ b/v2/svid/jwtsvid/svid_test.go
@@ -251,7 +251,6 @@ func TestParseAndValidate(t *testing.T) {
 	}
 
 	for _, testCase := range testCases {
-		testCase := testCase
 		t.Run(testCase.name, func(t *testing.T) {
 			// Generate token
 			token := testCase.generateToken(t)
@@ -405,7 +404,6 @@ func TestParseInsecure(t *testing.T) {
 	}
 
 	for _, testCase := range testCases {
-		testCase := testCase
 		t.Run(testCase.name, func(t *testing.T) {
 			// Create token
 			token := testCase.generateToken(t)
diff --git a/v2/svid/x509svid/svid_test.go b/v2/svid/x509svid/svid_test.go
index cd6d4eca..17579e7e 100644
--- a/v2/svid/x509svid/svid_test.go
+++ b/v2/svid/x509svid/svid_test.go
@@ -181,7 +181,6 @@ func TestParse(t *testing.T) {
 	}
 
 	for _, test := range tests {
-		test := test
 		t.Run(test.name, func(t *testing.T) {
 			certBytes, err := os.ReadFile(test.certsPath)
 			require.NoError(t, err)
@@ -251,7 +250,6 @@ func TestMarshal(t *testing.T) {
 	}
 
 	for _, test := range tests {
-		test := test
 		t.Run(test.name, func(t *testing.T) {
 			s, err := x509svid.Load(test.certsPath, test.keyPath)
 			require.NoError(t, err)
@@ -322,7 +320,6 @@ func TestMarshalRaw(t *testing.T) {
 	}
 
 	for _, test := range tests {
-		test := test
 		t.Run(test.name, func(t *testing.T) {
 			s, err := x509svid.Load(test.certsPath, test.keyPath)
 			require.NoError(t, err)
@@ -389,7 +386,6 @@ func TestParseRaw(t *testing.T) {
 	}
 
 	for _, test := range tests {
-		test := test
 		t.Run(test.name, func(t *testing.T) {
 			svid, err := x509svid.ParseRaw(test.rawCerts, test.rawKey)
 			if test.expErrContains != "" {
diff --git a/v2/svid/x509svid/verify_test.go b/v2/svid/x509svid/verify_test.go
index ae071440..ac088622 100644
--- a/v2/svid/x509svid/verify_test.go
+++ b/v2/svid/x509svid/verify_test.go
@@ -127,7 +127,6 @@ func TestVerify(t *testing.T) {
 	}
 
 	for _, testCase := range testCases {
-		testCase := testCase // alias loop var as it is used in the closure
 		t.Run(testCase.name, func(t *testing.T) {
 			_, verifiedChains, err := x509svid.Verify(testCase.chain, testCase.bundle, testCase.opts...)
 			if testCase.err != "" {