Merge pull request #49487 from austinvazquez/cherry-pick-838ae09a2337e6561b40d13be6ddf43005a92a9e-to-27.x

[27.x backport] Dockerfile: update runc binary to v1.2.5
Dockerfile: update runc binary to v1.2.5
2026-01-13 11:42:02 +00:00 · 2025-02-18 18:08:52 +01:00 · 2025-02-18 15:19:10 +00:00 · 2025-02-06 09:38:21 +01:00 · 2025-02-04 20:31:16 +01:00 · 2025-02-04 17:24:07 +01:00
14 changed files with 36 additions and 25 deletions
--- a/.github/PULL_REQUEST_TEMPLATE.md
+++ b/.github/PULL_REQUEST_TEMPLATE.md
@@ -19,11 +19,14 @@ Please provide the following information:

 **- How to verify it**

-**- Description for the changelog**
+**- Human readable description for the release notes**
 <!--
 Write a short (one line) summary that describes the changes in this
 pull request for inclusion in the changelog.
-It must be placed inside the below triple backticks section:
+It must be placed inside the below triple backticks section.
+
+NOTE: Only fill this section if changes introduced in this PR are user-facing.
+The PR must have a relevant impact/ label.
 -->
 ```markdown changelog

--- a/.github/workflows/.test.yml
+++ b/.github/workflows/.test.yml
@@ -21,7 +21,7 @@ on:
        default: "graphdriver"

 env:
-  GO_VERSION: "1.22.11"
+  GO_VERSION: "1.22.12"
  GOTESTLIST_VERSION: v0.3.1
  TESTSTAT_VERSION: v0.1.25
  ITG_CLI_MATRIX_SIZE: 6
--- a/.github/workflows/.windows.yml
+++ b/.github/workflows/.windows.yml
@@ -29,7 +29,7 @@ on:
        default: false

 env:
-  GO_VERSION: "1.22.11"
+  GO_VERSION: "1.22.12"
  GOTESTLIST_VERSION: v0.3.1
  TESTSTAT_VERSION: v0.1.25
  WINDOWS_BASE_IMAGE: mcr.microsoft.com/windows/servercore
--- a/.github/workflows/arm64.yml
+++ b/.github/workflows/arm64.yml
@@ -23,7 +23,7 @@ on:
  pull_request:

 env:
-  GO_VERSION: "1.22.11"
+  GO_VERSION: "1.22.12"
  TESTSTAT_VERSION: v0.1.25
  DESTDIR: ./build
  SETUP_BUILDX_VERSION: edge
--- a/.github/workflows/buildkit.yml
+++ b/.github/workflows/buildkit.yml
@@ -23,7 +23,7 @@ on:
  pull_request:

 env:
-  GO_VERSION: "1.22.11"
+  GO_VERSION: "1.22.12"
  DESTDIR: ./build
  SETUP_BUILDX_VERSION: latest
  SETUP_BUILDKIT_IMAGE: moby/buildkit:latest
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -58,7 +58,7 @@ jobs:
      - name: Update Go
        uses: actions/setup-go@v5
        with:
-          go-version: "1.22.11"
+          go-version: "1.22.12"
      - name: Initialize CodeQL
        uses: github/codeql-action/init@v3
        with:
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -23,7 +23,7 @@ on:
  pull_request:

 env:
-  GO_VERSION: "1.22.11"
+  GO_VERSION: "1.22.12"
  GIT_PAGER: "cat"
  PAGER: "cat"
  SETUP_BUILDX_VERSION: latest
--- a/.github/workflows/validate-pr.yml
+++ b/.github/workflows/validate-pr.yml
@@ -11,7 +11,7 @@ permissions:

 on:
  pull_request:
-    types: [opened, edited, labeled, unlabeled]
+    types: [opened, edited, labeled, unlabeled, synchronize]

 jobs:
  check-area-label:
@@ -27,10 +27,10 @@ jobs:
        run: exit 0

  check-changelog:
-    if: contains(join(github.event.pull_request.labels.*.name, ','), 'impact/')
    runs-on: ubuntu-20.04
    timeout-minutes: 120 # guardrails timeout for the whole job
    env:
+      HAS_IMPACT_LABEL: ${{ contains(join(github.event.pull_request.labels.*.name, ','), 'impact/') }}
      PR_BODY: |
        ${{ github.event.pull_request.body }}
    steps:
@@ -42,15 +42,23 @@ jobs:
          # Strip empty lines
          desc=$(echo "$block" |  awk NF)

-          if [ -z "$desc" ]; then
-            echo "::error::Changelog section is empty. Please provide a description for the changelog."
-            exit 1
-          fi
+          if [ "$HAS_IMPACT_LABEL" = "true" ]; then
+            if [ -z "$desc" ]; then
+              echo "::error::Changelog section is empty. Please provide a description for the changelog."
+              exit 1
+            fi

-          len=$(echo -n "$desc" | wc -c)
-          if [[ $len -le 6 ]]; then
-            echo "::error::Description looks too short: $desc"
-            exit 1
+            len=$(echo -n "$desc" | wc -c)
+            if [[ $len -le 6 ]]; then
+              echo "::error::Description looks too short: $desc"
+              exit 1
+            fi
+          else
+            if [ -n "$desc" ]; then
+              echo "::error::PR has a changelog description, but no changelog label"
+              echo "::error::Please add the relevant 'impact/' label to the PR or remove the changelog description"
+              exit 1
+            fi
          fi

          echo "This PR will be included in the release notes with the following note:"
--- a/4
+++ b/4
@@ -1,6 +1,6 @@
 # syntax=docker/dockerfile:1.7

-ARG GO_VERSION=1.22.11
+ARG GO_VERSION=1.22.12
 ARG BASE_DEBIAN_DISTRO="bookworm"
 ARG GOLANG_IMAGE="golang:${GO_VERSION}-${BASE_DEBIAN_DISTRO}"
 ARG XX_VERSION=1.6.1
@@ -287,7 +287,7 @@ RUN git init . && git remote add origin "https://github.com/opencontainers/runc.
 # that is used. If you need to update runc, open a pull request in the containerd
 # project first, and update both after that is merged. When updating RUNC_VERSION,
 # consider updating runc in vendor.mod accordingly.
-ARG RUNC_VERSION=v1.2.4
+ARG RUNC_VERSION=v1.2.5
 RUN git fetch -q --depth 1 origin "${RUNC_VERSION}" +refs/tags/*:refs/tags/* && git checkout -q FETCH_HEAD

 FROM base AS runc-build
--- a/Dockerfile.simple
+++ b/Dockerfile.simple
@@ -5,7 +5,7 @@

 # This represents the bare minimum required to build and test Docker.

-ARG GO_VERSION=1.22.11
+ARG GO_VERSION=1.22.12

 ARG BASE_DEBIAN_DISTRO="bookworm"
 ARG GOLANG_IMAGE="golang:${GO_VERSION}-${BASE_DEBIAN_DISTRO}"
--- a/Dockerfile.windows
+++ b/Dockerfile.windows
@@ -161,7 +161,7 @@ FROM ${WINDOWS_BASE_IMAGE}:${WINDOWS_BASE_IMAGE_TAG}
 # Use PowerShell as the default shell
 SHELL ["powershell", "-Command", "$ErrorActionPreference = 'Stop'; $ProgressPreference = 'SilentlyContinue';"]

-ARG GO_VERSION=1.22.11
+ARG GO_VERSION=1.22.12
 ARG GOTESTSUM_VERSION=v1.8.2
 ARG GOWINRES_VERSION=v0.3.1
 ARG CONTAINERD_VERSION=v1.7.25
--- a/hack/dockerfile/install/runc.installer
+++ b/hack/dockerfile/install/runc.installer
@@ -9,7 +9,7 @@ set -e
 # the containerd project first, and update both after that is merged.
 #
 # When updating RUNC_VERSION, consider updating runc in vendor.mod accordingly
-: "${RUNC_VERSION:=v1.2.4}"
+: "${RUNC_VERSION:=v1.2.5}"

 install_runc() {
 	RUNC_BUILDTAGS="${RUNC_BUILDTAGS:-"seccomp"}"
--- a/hack/dockerfiles/generate-files.Dockerfile
+++ b/hack/dockerfiles/generate-files.Dockerfile
@@ -1,6 +1,6 @@
 # syntax=docker/dockerfile:1

-ARG GO_VERSION=1.22.11
+ARG GO_VERSION=1.22.12
 ARG BASE_DEBIAN_DISTRO="bookworm"
 ARG PROTOC_VERSION=3.11.4

--- a/hack/dockerfiles/govulncheck.Dockerfile
+++ b/hack/dockerfiles/govulncheck.Dockerfile
@@ -1,6 +1,6 @@
 # syntax=docker/dockerfile:1

-ARG GO_VERSION=1.22.11
+ARG GO_VERSION=1.22.12
 ARG GOVULNCHECK_VERSION=v1.1.3
 ARG FORMAT=text
Author	SHA1	Message	Date
Sebastiaan van Stijn	77446557b0	Merge pull request #49487 from austinvazquez/cherry-pick-838ae09a2337e6561b40d13be6ddf43005a92a9e-to-27.x [27.x backport] Dockerfile: update runc binary to v1.2.5	2025-02-18 18:08:52 +01:00
Sebastiaan van Stijn	20755a757c	Dockerfile: update runc binary to v1.2.5 This is the fifth patch release in the 1.2.z series of runc. It primarily fixes an issue caused by an upstream systemd bug. * There was a regression in systemd v230 which made the way we define device rule restrictions require a systemctl daemon-reload for our transient units. This caused issues for workloads using NVIDIA GPUs. Workaround the upstream regression by re-arranging how the unit properties are defined. * Dependency github.com/cyphar/filepath-securejoin is updated to v0.4.1, to allow projects that vendor runc to bump it as well. * CI: fixed criu-dev compilation. * Dependency golang.org/x/net is updated to 0.33.0. full diff: https://github.com/opencontainers/runc/compare/v1.2.4...v1.2.5 release notes: https://github.com/opencontainers/runc/releases/tag/v1.2.5 Signed-off-by: Sebastiaan van Stijn <github@gone.nl> (cherry picked from commit `838ae09a23`) Signed-off-by: Austin Vazquez <macedonv@amazon.com>	2025-02-18 15:19:10 +00:00
Sebastiaan van Stijn	15c6aaf0e9	Merge pull request #49394 from vvoland/update-go-27.x [27.x] update to go1.22.12	2025-02-06 09:38:21 +01:00
Paweł Gronowski	a584f0b227	update to go1.22.12 This minor release include 1 security fix following the security policy: - crypto/elliptic: timing sidechannel for P-256 on ppc64le Due to the usage of a variable time instruction in the assembly implementation of an internal function, a small number of bits of secret scalars are leaked on the ppc64le architecture. Due to the way this function is used, we do not believe this leakage is enough to allow recovery of the private key when P-256 is used in any well known protocols. This is CVE-2025-22866 and Go issue https://go.dev/issue/71383. View the release notes for more information: https://go.dev/doc/devel/release#go1.22.12 Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>	2025-02-04 20:31:16 +01:00
Sebastiaan van Stijn	5df78b0645	Merge pull request #49384 from vvoland/49362-27.x [27.x backport] github: Clarify release notes description	2025-02-04 17:24:07 +01:00
Paweł Gronowski	b4d7cb0141	Merge pull request #49383 from vvoland/49361-27.x [27.x backport] gha/validate-pr: Also run when PR has new commits	2025-02-03 16:38:09 +00:00
Paweł Gronowski	ced95906a4	github: Clarify release notes description Error out if the release notes section is filled for PRs without the `impact/` label. Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com> (cherry picked from commit `79b0e89628`) Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>	2025-02-03 17:27:13 +01:00
Paweł Gronowski	48d2940834	gha/validate-pr: Also run when PR has new commits Otherwise, the workflow will won't be rerun even if it was failing before. Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com> (cherry picked from commit `7ac0e34dba`) Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>	2025-02-03 16:28:55 +01:00