
Commit 30115bd

authored
fix(ci): patch CI container vulnerability toolchain (#959)
1 parent 5e28ea3 commit 30115bd

3 files changed

Lines changed: 17 additions & 6 deletions


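--- a/deploy/docker/Dockerfile.ci
+++ b/deploy/docker/Dockerfile.ci
@@ -10,6 +10,7 @@ FROM nvcr.io/nvidia/base/ubuntu:noble-20251013
 
 ARG DOCKER_VERSION=29.4.1
 ARG BUILDX_VERSION=v0.33.0
+ARG NPM_VERSION=11.13.0
 ARG TARGETARCH
 
 ENV DEBIAN_FRONTEND=noninteractive
@@ -65,7 +66,7 @@ RUN case "$TARGETARCH" in \
 | tar xz --strip-components=2 -C /usr/local/bin "gh_${GH_VERSION}_linux_${gh_arch}/bin/gh"
 
 # Install mise
-ARG MISE_VERSION=v2026.4.18
+ARG MISE_VERSION=v2026.4.20
 RUN curl https://mise.run | MISE_VERSION=$MISE_VERSION sh
 
 # Copy mise.toml and task includes, then install all tools via mise
@@ -77,6 +78,8 @@ RUN --mount=type=secret,id=MISE_GITHUB_TOKEN \
 mise trust /opt/mise/mise.toml && \
 env -u RUSTC_WRAPPER mise install && \
 mise reshim && \
+npm install -g "npm@${NPM_VERSION}" && \
+mise reshim && \
 (/root/.cargo/bin/rustup component remove rust-docs || true) && \
 rm -rf /root/.rustup/toolchains/*/share/doc /root/.rustup/toolchains/*/share/man
 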
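Review bot: The new `npm install -g "npm@${NPM_VERSION}"` step leaves npm's download cache under /root/.npm inside this layer, and nothing later in the same RUN removes it — the only cleanup visible is the `rm -rf` of rustup docs and man pages. Add `npm cache clean --force && \` directly after the install (or put `--mount=type=cache,target=/root/.npm` on the RUN) so the security bump does not also grow the CI image. The override is presumably coupled to the node toolchain mise installs, since npm ships bundled with node: a later node bump in mise.toml would likely bring its own npm and quietly undo this patch, so a comment above the new ARG such as `# npm ships with node; re-check NPM_VERSION whenever the node pin in mise.toml changes` would keep the two in step. The RUN instruction that these lines belong to starts before the hunk (its `--mount=type=secret` header is only visible as hunk context).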

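--- a/mise.toml
+++ b/mise.toml
@@ -13,15 +13,15 @@ experimental = true
 python.precompiled_flavor = "install_only_stripped"
 
 [tools]
-python = "3.13.12"
+python = "3.13.13"
 rust = "stable"
-node = "24"
-kubectl = "1.35.1"
-uv = "0.10.2"
+node = "24.15.0"
+kubectl = "1.35.4"
+uv = "0.10.12"
 protoc = "29.6"
 helm = "4.1.4"
 "ubi:mozilla/sccache" = { version = "0.14.0", matching = "sccache-v" }
-"github:anchore/syft" = { version = "1.42.3" }
+"github:anchore/syft" = { version = "1.43.0" }
 "github:EmbarkStudios/cargo-about" = { version = "0.8.4", version_prefix = "" }
 zig = "0.14.1"
 "npm:markdownlint-cli2" = "0.22.0"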

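--- a/tasks/scripts/docker-build-ci.sh
+++ b/tasks/scripts/docker-build-ci.sh
@@ -18,9 +18,17 @@ elif [[ "${DOCKER_PLATFORM:-}" == *","* ]]; then
 OUTPUT_ARGS=(--push)
 fi
 
+SECRET_ARGS=()
+if [[ -n "${MISE_GITHUB_TOKEN:-}" ]]; then
+SECRET_ARGS=(--secret id=MISE_GITHUB_TOKEN,env=MISE_GITHUB_TOKEN)
+elif [[ -n "${GITHUB_TOKEN:-}" ]]; then
+SECRET_ARGS=(--secret id=MISE_GITHUB_TOKEN,env=GITHUB_TOKEN)
+fi
+
 exec ce_build \
 ${DOCKER_BUILDER:+--builder ${DOCKER_BUILDER}} \
 ${DOCKER_PLATFORM:+--platform ${DOCKER_PLATFORM}} \
+${SECRET_ARGS[@]+"${SECRET_ARGS[@]}"} \
 -f deploy/docker/Dockerfile.ci \
 -t "openshell/ci:${IMAGE_TAG:-dev}" \
 --provenance=false \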
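Review bot: The new `elif [[ -n "${GITHUB_TOKEN:-}" ]]` branch silently repurposes the caller's general GITHUB_TOKEN as MISE_GITHUB_TOKEN, so in CI the workflow token — which commonly carries more than read scope — becomes readable by every installer that `mise install` runs inside the build, not only by whatever the dedicated token was scoped for. Document that trade-off above the block, e.g. `# Fallback: GITHUB_TOKEN is exposed to the whole mise install step; prefer a read-only MISE_GITHUB_TOKEN in CI` (what mise needs the token for is not visible here, so check the wording against the Dockerfile). When neither variable is set no `--secret` is passed and, since BuildKit secret mounts are optional unless marked required, the build proceeds without auth — an `echo "no GitHub token; building unauthenticated" >&2` in that case makes a later rate-limited or failed install attributable. Passing the value with `env=` keeps it out of argv and out of image layers, which is the right mechanism; the script continues past the end of the hunk.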
