ci(rds): rebuild gosu + strip mysqlsh to clear Trivy CVE findings

crates/fakecloud-rds/assets/mariadb/Dockerfile

@@ -5,10 +5,22 @@
 # tries to pull that tag first and falls back to building from this
 # Dockerfile locally when the pull fails.
 
+# MARIADB_VERSION must sit before the first FROM so its substitution is
+# available across all stages.
 ARG MARIADB_VERSION=10.11
+
+# Rebuild gosu from source with current Go to eliminate upstream
+# mariadb image's bundled go1.24.6 stdlib CVEs in /usr/local/bin/gosu.
+FROM golang:1.25-bookworm AS gosu-builder
+ENV CGO_ENABLED=0
+RUN go install -ldflags='-s -w' github.com/tianon/gosu@v0.0.0-20250923190938-6456aaa0f3c8
+
 FROM mariadb:${MARIADB_VERSION}
 
 USER root
+
+COPY --from=gosu-builder /go/bin/gosu /usr/local/bin/gosu
+RUN chmod 0755 /usr/local/bin/gosu
 # UDF plugin API structs are vendored inline in fakecloud_udf.c so we
 # only need a C compiler + libcurl headers. Keeping the dep set
 # symmetric with the mysql Dockerfile means a single source of truth

crates/fakecloud-rds/assets/mysql/Dockerfile

@@ -10,10 +10,37 @@
 # procedures so SQL inside an RDS-managed MySQL instance can invoke
 # fakecloud Lambda functions.
 
+# MYSQL_VERSION must sit before the first FROM so its substitution is
+# available across all stages.
 ARG MYSQL_VERSION=8.0
+
+# Rebuild gosu from source with current Go to eliminate upstream
+# mysql:8.0 image's bundled go1.24.6 stdlib CVEs in /usr/local/bin/gosu.
+FROM golang:1.25-bookworm AS gosu-builder
+ENV CGO_ENABLED=0
+RUN go install -ldflags='-s -w' github.com/tianon/gosu@v0.0.0-20250923190938-6456aaa0f3c8
+
 FROM mysql:${MYSQL_VERSION}
 
 USER root
+
+COPY --from=gosu-builder /go/bin/gosu /usr/local/bin/gosu
+RUN chmod 0755 /usr/local/bin/gosu
+
+# Strip the bundled `mysql-shell` (mysqlsh) tooling. We drive the
+# server over the wire from Rust (`mysql_async`); mysqlsh is never
+# invoked, but its vendored Python site-packages bring pyOpenSSL +
+# other libraries that Trivy flags as CVEs we cannot fix without
+# a coordinated upstream re-release.
+RUN set -eux; \
+    if command -v microdnf >/dev/null 2>&1; then \
+        microdnf remove -y mysql-shell || true; \
+        microdnf clean all; \
+    elif command -v apt-get >/dev/null 2>&1; then \
+        apt-get remove -y --purge mysql-shell || true; \
+        rm -rf /var/lib/apt/lists/*; \
+    fi; \
+    rm -rf /usr/lib/mysqlsh /usr/bin/mysqlsh
 # UDF needs only gcc + libcurl headers; mysql plugin API structs are
 # vendored inline in fakecloud_udf.c (the upstream mysql:8.0 image
 # strips its community release repo so `mysql-community-devel` is not

crates/fakecloud-rds/assets/postgres/Dockerfile

@@ -4,10 +4,26 @@
 # (plus a rolling :<major> tag). RdsRuntime::ensure_postgres_image
 # tries to pull that tag first and falls back to building from this
 # Dockerfile locally when the pull fails (dev / unreleased / airgapped).
+# PG_VERSION must sit before the first FROM so its substitution is
+# available across all stages. Inside each stage it has to be
+# re-declared (Dockerfile spec) for `RUN`/`COPY` references to expand.
 ARG PG_VERSION=16
+
+# Rebuild `gosu` from source with current Go to eliminate the upstream
+# postgres image's bundled `/usr/local/bin/gosu` Go-stdlib CVEs (Trivy
+# flags 8 HIGH + 1 CRITICAL on go1.24.6 stdlib at scan time). gosu
+# upstream is rarely re-released; pinning the source version + rebuilding
+# on every image build means we control the stdlib version baked in.
+FROM golang:1.25-bookworm AS gosu-builder
+ENV CGO_ENABLED=0
+RUN go install -ldflags='-s -w' github.com/tianon/gosu@v0.0.0-20250923190938-6456aaa0f3c8
+
 FROM postgres:${PG_VERSION}
 ARG PG_VERSION
 
+COPY --from=gosu-builder /go/bin/gosu /usr/local/bin/gosu
+RUN chmod 0755 /usr/local/bin/gosu
+
 RUN apt-get update \
     && apt-get install -y --no-install-recommends \
         postgresql-plpython3-${PG_VERSION} \