Commit dbba580

fix(security): refresh CI and gateway image dependencies (#1432)
Refresh the CI image tool pins so Go-built tools are rebuilt with patched Go releases and move the sandbox Python runtime to 3.14.5. Rebase the gateway runtime to a pinned distroless Debian 13 image with glibc 2.41-12+deb13u3 while preserving the existing UID/GID 1000 runtime identity for upgrade compatibility. Update rustls-webpki to 0.103.13 and clarify Linux k3d guidance now that k3d is not installed through mise on Linux.

Signed-off-by: John Myers <9696606+johntmyers@users.noreply.github.com>
1 parent f257ed0 commit dbba580

13 files changed

Lines changed: 86 additions & 129 deletions

File tree

.gitignore

Lines changed: 3 additions & 0 deletions
@@ -196,6 +196,9 @@ artifacts/
196196
# Local mise settings
197197
mise.local.toml
198198

199+
# Local Codex app state
200+
.codex/
201+
199202
# Ignore plans for now
200203
architecture/plans
201204
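
Review bot: The new `.codex/` ignore entry is unrelated to the dependency refresh and is not mentioned in the commit message. In a commit labelled `fix(security)` it is worth either splitting this out or adding a line to the message, so that someone auditing the security change does not have to work out whether the ignore rule matters to it.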

Cargo.lock

Lines changed: 2 additions & 2 deletions
Some generated files are not rendered by default. Learn more about customizing how changed files appear on GitHub.

README.md

Lines changed: 1 addition & 1 deletion
@@ -60,7 +60,7 @@ The sandbox container includes the following tools by default:
6060
| Category | Tools |
6161
| ---------- | -------------------------------------------------------- |
6262
| Agent | `claude`, `opencode`, `codex`, `copilot` |
63-
| Language | `python` (3.13), `node` (22) |
63+
| Language | `python` (3.14), `node` (22) |
6464
| Developer | `gh`, `git`, `vim`, `nano` |
6565
| Networking | `ping`, `dig`, `nslookup`, `nc`, `traceroute`, `netstat` |
6666
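
Review bot: The Language row now reads `python` (3.14) but still lists `node` (22), while the `[tools]` table in mise.toml pins `node = "24.15.0"`. If the sandbox image takes its Node version from a different source than mise, that is fine, but please confirm the 22 is still what ships, since this row is the only user-facing statement of the sandbox runtime versions touched here.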

architecture/build.md

Lines changed: 2 additions & 2 deletions
@@ -40,8 +40,8 @@ the staging directory before running Buildx.
4040

4141
Runtime layout:
4242

43-
- **Gateway**: `nvcr.io/nvidia/distroless/cc` base, GNU-linked binary at
44-
`/usr/local/bin/openshell-gateway`, runs as UID/GID `65532:65532`.
43+
- **Gateway**: `gcr.io/distroless/cc-debian13:nonroot` base, GNU-linked binary at
44+
`/usr/local/bin/openshell-gateway`, runs as UID/GID `1000:1000`.
4545
- **Supervisor**: `scratch` base, static musl binary at `/openshell-sandbox`.
4646
Static linkage is required because the image is mounted/extracted into
4747
sandbox environments (Docker extraction, Podman image volumes, Kubernetes
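
Review bot: The Gateway bullet names the `:nonroot` tag and then states UID/GID `1000:1000` without saying where that identity comes from. The runtime user is set by `USER 1000:1000` in Dockerfile.gateway, not by the tag, and the removed line documented `65532:65532` while the Dockerfile used `nvs:nvs`, so this section has already drifted once. Suggest adding a clause that the UID/GID is set explicitly in the Dockerfile for upgrade compatibility, and that the base is pinned by digest there.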

deploy/docker/Dockerfile.ci

Lines changed: 3 additions & 3 deletions
@@ -8,8 +8,8 @@
88

99
FROM nvcr.io/nvidia/base/ubuntu:noble-20251013
1010

11-
ARG DOCKER_VERSION=29.4.1
12-
ARG BUILDX_VERSION=v0.33.0
11+
ARG DOCKER_VERSION=29.5.1
12+
ARG BUILDX_VERSION=v0.34.0
1313
ARG NPM_VERSION=11.13.0
1414
ARG TARGETARCH
1515
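
Review bot: The context line `FROM nvcr.io/nvidia/base/ubuntu:noble-20251013` is untouched and is pinned by tag only, while the same commit moves the gateway base to a `@sha256:` digest. For a refresh whose purpose is to pick up patched dependencies, please either bump this base to a newer dated tag or state why it stays, and consider pinning it by digest as well so the CI image is reproducible in the same way as the gateway image.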

@@ -57,7 +57,7 @@ RUN case "$TARGETARCH" in \
5757
&& chmod +x /usr/local/lib/docker/cli-plugins/docker-buildx
5858

5959
# Install GitHub CLI used by install.sh and CI jobs
60-
ARG GH_VERSION=2.91.0
60+
ARG GH_VERSION=2.92.0
6161
RUN case "$TARGETARCH" in \
6262
amd64) gh_arch=amd64 ;; \
6363
arm64) gh_arch=arm64 ;; \
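
Review bot: Only the `GH_VERSION` ARG changes here, and the visible lines show the architecture selection but no integrity check. If the download step that follows compares the archive against a SHA-256, that value has to change with this bump. If it does not, this is a good place to add one, because a version pin alone does not protect against a replaced release asset.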

deploy/docker/Dockerfile.gateway

Lines changed: 6 additions & 5 deletions
@@ -14,11 +14,12 @@
1414
# an artifact, which is downloaded into the same staging directory before the
1515
# image build job runs.
1616
#
17-
# The runtime is `nvcr.io/nvidia/distroless/cc:4.0.0`, which provides glibc and
18-
# the dynamic loader needed by the GNU-linked gateway binary while keeping the
19-
# attack surface small.
17+
# The runtime is distroless Debian 13, which provides glibc and the dynamic
18+
# loader needed by the GNU-linked gateway binary while keeping the attack
19+
# surface small. The default digest currently carries Debian glibc
20+
# 2.41-12+deb13u3.
2021

21-
ARG GATEWAY_BASE_IMAGE=nvcr.io/nvidia/distroless/cc:v4.0.4
22+
ARG GATEWAY_BASE_IMAGE=gcr.io/distroless/cc-debian13:nonroot@sha256:e1fd250ce83d94603e9887ec991156a6c26905a6b0001039b7a43699018c0733
2223

2324
FROM ${GATEWAY_BASE_IMAGE} AS gateway
2425
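
Review bot: The header comment hard-codes `2.41-12+deb13u3` several lines away from the digest it describes, so the two will drift the next time `GATEWAY_BASE_IMAGE` is bumped. Suggest moving the glibc note directly above the `ARG` line and adding how the digest is refreshed (who or what updates it, and how the glibc version was checked). Since `GATEWAY_BASE_IMAGE` is a build ARG, it is also worth stating in the comment that overriding it drops the digest pin.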

@@ -28,7 +29,7 @@ WORKDIR /app
2829

2930
COPY deploy/docker/.build/prebuilt-binaries/${TARGETARCH}/openshell-gateway /usr/local/bin/openshell-gateway
3031

31-
USER nvs:nvs
32+
USER 1000:1000
3233
EXPOSE 8080
3334

3435
ENTRYPOINT ["/usr/local/bin/openshell-gateway"]
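
Review bot: `USER 1000:1000` needs a comment explaining why it is numeric and why it is not the base image's own non-root user. The commit message gives the reason (preserving the existing UID/GID 1000 for upgrade compatibility), but nothing in the Dockerfile does, and with a `:nonroot` base a later cleanup could easily drop or change this line and break ownership on existing volumes. Please also confirm the gateway does not need to write under `WORKDIR /app` or look up a passwd entry or home directory for this UID, since the named `nvs` user is gone.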

e2e/with-kube-gateway.sh

Lines changed: 8 additions & 1 deletion
@@ -129,7 +129,14 @@ if [ -n "${OPENSHELL_E2E_KUBE_CONTEXT:-}" ]; then
129129
exit 2
130130
fi
131131
else
132-
require_cmd k3d
132+
if ! command -v k3d >/dev/null 2>&1; then
133+
if [ "$(uname -s)" = "Linux" ]; then
134+
echo "ERROR: k3d is not installed by mise on Linux in this repo." >&2
135+
echo "Set OPENSHELL_E2E_KUBE_CONTEXT to a kind/existing cluster, or install k3d explicitly." >&2
136+
exit 2
137+
fi
138+
require_cmd k3d
139+
fi
133140
CLUSTER_NAME="oshe2e-$$-$(date +%s | tail -c 8)"
134141
echo "Creating ephemeral k3d cluster ${CLUSTER_NAME}..."
135142
HELM_K3S_CLUSTER_NAME="${CLUSTER_NAME}" \
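
Review bot: The trailing `require_cmd k3d` inside the new `if ! command -v k3d` block can only run when k3d is already known to be missing, so on non-Linux hosts it acts purely as the error path. That is correct but not obvious on first read; a one-line comment, or an `else` branch on the `uname -s` test, would make the intent clear. The Linux message also points users at `OPENSHELL_E2E_KUBE_CONTEXT`, so it would help to name the expected context format or link to the doc section that describes it.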

mise.lock

Lines changed: 37 additions & 103 deletions
Some generated files are not rendered by default. Learn more about customizing how changed files appear on GitHub.

mise.toml

Lines changed: 9 additions & 6 deletions
@@ -19,16 +19,19 @@ lockfile = true
1919
lockfile_platforms = ["linux-x64", "linux-arm64", "macos-arm64"]
2020

2121
[tools]
22-
python = "3.13.13"
22+
python = "3.14.5"
2323
rust = "1.95.0"
2424
node = "24.15.0"
25-
kubectl = "1.35.4"
25+
kubectl = "1.36.1"
2626
uv = "0.10.12"
2727
protoc = "29.6"
28-
helm = "4.1.4"
29-
skaffold = "2.19.0"
30-
k3d = "5.8.3"
31-
"github:anchore/syft" = { version = "1.43.0" }
28+
helm = "4.2.0"
29+
skaffold = "2.20.0"
30+
# Keep k3d out of Linux CI images until upstream ships a release rebuilt with
31+
# patched Go/container dependencies. Linux Kubernetes E2E uses kind or an
32+
# externally provided cluster context.
33+
k3d = { version = "5.8.3", os = ["macos"] }
34+
"github:anchore/syft" = { version = "1.44.0" }
3235
"github:EmbarkStudios/cargo-about" = { version = "0.8.4", version_prefix = "" }
3336
zig = "0.14.1"
3437
"cargo:cargo-zigbuild" = { version = "0.22.3", os = ["macos"] }

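Review bot: The `k3d` line keeps version `5.8.3` and restricts it to `os = ["macos"]`, so macOS developers still install the release that the comment above it describes as not yet rebuilt with patched Go/container dependencies. If that is an accepted risk for local development, the comment should say so, and it should carry a link to the upstream issue or release being waited on so the restriction can be lifted deliberately. Separately, `python` and `kubectl` move across minor versions (3.13 to 3.14, 1.35 to 1.36) rather than patch levels; a note in the commit message on compatibility testing for those two would help reviewers.
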
pyproject.toml

Lines changed: 1 addition & 0 deletions
@@ -26,6 +26,7 @@ classifiers = [
2626
"Programming Language :: Python :: 3",
2727
"Programming Language :: Python :: 3.12",
2828
"Programming Language :: Python :: 3.13",
29+
"Programming Language :: Python :: 3.14",
2930
"Programming Language :: Rust",
3031
"License :: OSI Approved :: Apache Software License",
3132
"Topic :: Security",

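Review bot: The new `Programming Language :: Python :: 3.14` classifier is added while the 3.12 and 3.13 classifiers stay, but the only interpreter pin visible in this commit (`python = "3.14.5"` in mise.toml) now covers 3.14 alone. Please confirm that CI still exercises 3.12 and 3.13, or trim the classifiers to the versions that are actually tested.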