chore(deps): bump golang.org/x/oauth2 from 0.24.0 to 0.28.0 to fix CVE-2025-22868

[chengfang]

Fixes CVE-2025-22868. Note that the master branch already contains the fix in PR #22211, and #21990

golang.org/x/oauth2 0.28 (and 0.27) requires go version 1.23 or later, hence the additional upgrade of go version in this PR. If this is ok, I'll send similar PRs for other recent release branches.

In master branch, the PR to bump to go 1.23.5 is PR #21748, which may also need to be backedported to release-2.14 to address some test failures.

PS: I should probably remove the toolchain line in go.mod "toolchain go1.24.0", which has caused golangci-lint error.

Checklist:

• Either (a) I've created an enhancement proposal and discussed it with the community, (b) this is a bug fix, or (c) this does not need to be in the release notes.
• The title of the PR states what changed and the related issues number (used for the release note).
• The title of the PR conforms to the Toolchain Guide
• I've included "Closes [ISSUE #]" or "Fixes [ISSUE #]" in the description to automatically close the associated issue.
• I've updated both the CLI and UI to expose my feature, or I plan to submit a second PR with them.
• Does this PR require documentation updates?
• I've updated documentation as required by this PR.
• I have signed off all my commits as required by DCO
• I have written unit and/or e2e tests for my change. PRs without these are unlikely to be merged.
• My build is green (troubleshooting builds).
• My new feature complies with the feature status guidelines.
• I have added a brief description of why this PR is necessary and/or what this PR solves.
• Optional. My organization is added to USERS.md.
• Optional. For bug fixes, I've indicated what older releases this fix should be cherry-picked into (this may or may not happen depending on risk/complexity).