release(v0.13.2): supply-chain hardening for prebuilt RDS images #826
Merged
vieiralucas merged 1 commit into main (Apr 28, 2026)
Conversation
Workspace + SDK version bump 0.13.1 -> 0.13.2 (Cargo, npm, PyPI, Maven, Go via tag). This is a follow-up release on the v0.13.x train shipping Trivy scanning + cosign keyless signing on prebuilt fakecloud-postgres / fakecloud-mysql / fakecloud-mariadb images, plus the Dockerfile hardening that was needed to make the scan policy (CRITICAL/HIGH, hard-fail) actually pass on a real publish:

- Rebuild `gosu` from source with current Go (golang:1.25-bookworm builder stage). Eliminates 8 HIGH + 1 CRITICAL Go-stdlib CVEs that Trivy flagged on the upstream postgres/mysql/mariadb base images' bundled `/usr/local/bin/gosu` (statically linked against go1.24.6).
- Strip `mysql-shell` + `/usr/lib/mysqlsh` from the mysql:8.0 image — its vendored Python ships pyOpenSSL 25.3.0 (CVE-2026-27459). The runtime drives the server over the wire from `mysql_async`; mysqlsh is never invoked.
- `apt-get upgrade -y` during image build. Pulls patched debian packages (openssl, glibc, dirmngr, ...) when the upstream `<engine>:<major>` tag lags the security DB by a refresh cycle.
- Bump trivy-action to v0.36.0 — older v0.30.0 referenced `setup-trivy@v0.2.2`, which upstream deleted.

Validation: workflow_dispatch run on main published 8 dev-tagged images (postgres 13/14/15/16, mysql 8.0, mariadb 10.6/10.11/11.4) across linux/amd64 + linux/arm64. Trivy scan exits 0 on all. Cosign verify against the GitHub OIDC issuer succeeds (workflow `RDS support images`, repo `faiscadev/fakecloud`).

Other changes that piggyback on the bump:

- `aws_s3` postgres extension (`table_import_from_s3` / `query_export_to_s3` + `aws_commons.create_s3_uri`) — Aurora-PG parity, mirrors the `aws_lambda` extension shipped in v0.13.1.
- Async `CreateDBInstance` — returns `creating` in <1s, container start runs as a tokio task. Drops the 180s SDK e2e timeout.
- MySQL/MariaDB Aurora `mysql.lambda_async`/`mysql.lambda_sync` bridge (libcurl-backed UDF + bootstrap procedures), prebuilt images on ghcr.io for mysql 8.0 + mariadb 10.6/10.11/11.4.
- mariadb 11.4 wired through the engine validator + parameter group routing.
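One way to script the two gates the description above relies on (Trivy hard-fail on CRITICAL/HIGH, and cosign keyless verification pinned to the GitHub OIDC issuer, repository and workflow), as an added example that is not fakecloud project code: it takes a Trivy JSON report and the output of `cosign verify` and decides whether a publish should pass. The exact JSON shapes, the workflow file name `rds-images.yml`, and every sample finding are assumptions or constructed data; `CVE-EXAMPLE-*` are placeholders, and the blank `FixedVersion` on the pyOpenSSL entry is there only to exercise the unfixed path, not a statement about the real advisory.

```python
"""Gate a prebuilt image on two publish-time artifacts: the Trivy JSON report
and the `cosign verify` JSON output.

Added example, not fakecloud code. Assumes Trivy's report schema
(Results[].Vulnerabilities[] with Severity/FixedVersion) and cosign's verify
output (a list of signatures whose `optional` map carries Issuer, Subject and
githubWorkflow* claims copied out of the Fulcio certificate).
"""

GITHUB_OIDC_ISSUER = "https://token.actions.githubusercontent.com"
FAIL_ON = frozenset({"CRITICAL", "HIGH"})


def trivy_findings(report, fail_on=FAIL_ON, ignore_unfixed=False):
    """Return (target, id, pkg, installed, fixed) for each policy violation.
    ignore_unfixed=True mirrors `trivy image --ignore-unfixed`: a finding with
    no FixedVersion cannot be cleared by rebuilding, so it does not fail."""
    hits = []
    for result in report.get("Results", []):
        for v in result.get("Vulnerabilities") or []:
            if v.get("Severity") not in fail_on:
                continue
            fixed = v.get("FixedVersion") or ""
            if ignore_unfixed and not fixed:
                continue
            hits.append((result.get("Target", "?"), v["VulnerabilityID"],
                         v["PkgName"], v["InstalledVersion"], fixed))
    return hits


def identity_ok(sigs, repo, workflow_name, issuer=GITHUB_OIDC_ISSUER):
    """True only if every signature came from the expected Actions identity.
    The issuer alone is not enough: every GitHub repo gets Fulcio certs from
    the same issuer, so repo, workflow name and the SAN must be pinned too."""
    if not sigs:
        return False
    for sig in sigs:
        opt = sig.get("optional") or {}
        if opt.get("Issuer") != issuer:
            return False
        if opt.get("githubWorkflowRepository") != repo:
            return False
        if opt.get("githubWorkflowName") != workflow_name:
            return False
        if not opt.get("Subject", "").startswith(
                f"https://github.com/{repo}/.github/workflows/"):
            return False
    return True


def gate(report, sigs, repo, workflow_name, ignore_unfixed=False):
    """Exit status the CI step would use: 0 only if the identity is pinned
    and the scan is clean under the policy."""
    if not identity_ok(sigs, repo, workflow_name):
        return 1
    return 1 if trivy_findings(report, ignore_unfixed=ignore_unfixed) else 0


# Constructed sample report shaped like `trivy image --format json`.
# CVE-EXAMPLE-* are placeholders; FixedVersion values are made up for the demo.
SAMPLE_REPORT = {
    "SchemaVersion": 2,
    "Results": [
        {"Target": "usr/local/bin/gosu", "Type": "gobinary",
         "Vulnerabilities": [{"VulnerabilityID": "CVE-EXAMPLE-0001",
                              "PkgName": "stdlib", "InstalledVersion": "v1.24.6",
                              "FixedVersion": "1.25.0", "Severity": "HIGH"}]},
        {"Target": "usr/lib/mysqlsh", "Type": "python-pkg",
         "Vulnerabilities": [{"VulnerabilityID": "CVE-2026-27459",
                              "PkgName": "pyOpenSSL", "InstalledVersion": "25.3.0",
                              "FixedVersion": "", "Severity": "HIGH"}]},
        {"Target": "mysql:8.0 (debian 12)", "Type": "debian",
         "Vulnerabilities": [{"VulnerabilityID": "CVE-EXAMPLE-0002",
                              "PkgName": "libssl3", "InstalledVersion": "3.0.15-1",
                              "FixedVersion": "", "Severity": "LOW"}]},
    ],
}

# Constructed `cosign verify --output json` style output for one signature
# from the `RDS support images` workflow; the workflow file name is assumed.
SAMPLE_SIGS = [{
    "critical": {"identity": {"docker-reference": "ghcr.io/faiscadev/fakecloud-mysql"},
                 "image": {"docker-manifest-digest": "sha256:" + "00" * 32},
                 "type": "cosign container image signature"},
    "optional": {
        "Issuer": GITHUB_OIDC_ISSUER,
        "Subject": "https://github.com/faiscadev/fakecloud/.github/workflows/"
                   "rds-images.yml@refs/tags/v0.13.2",
        "githubWorkflowName": "RDS support images",
        "githubWorkflowRepository": "faiscadev/fakecloud",
        "githubWorkflowRef": "refs/tags/v0.13.2",
    },
}]

if __name__ == "__main__":
    for hit in trivy_findings(SAMPLE_REPORT):
        print("FAIL %s %s %s %s -> %s" % hit)
    print("identity pinned:", identity_ok(SAMPLE_SIGS, "faiscadev/fakecloud",
                                          "RDS support images"))
    raise SystemExit(gate(SAMPLE_REPORT, SAMPLE_SIGS,
                          "faiscadev/fakecloud", "RDS support images"))
```

On a real run the two inputs come from `trivy image --format json --output report.json <image>` and `cosign verify --output json --certificate-oidc-issuer https://token.actions.githubusercontent.com --certificate-identity-regexp '^https://github.com/faiscadev/fakecloud/' <image>`. The identity check repeats at policy level what `--certificate-identity` pins on the command line; passing only `--certificate-oidc-issuer` would accept a certificate minted for any GitHub repository's workflow.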
Codecov Report ✅ All modified and coverable lines are covered by tests.
Summary

`apt-get upgrade` baked in. `workflow_dispatch` against main published 8 dev-tagged images (postgres 13/14/15/16, mysql 8.0, mariadb 10.6/10.11/11.4) × linux/amd64 + linux/arm64. Trivy: 0 CRITICAL/HIGH on all 8. `cosign verify` against GitHub OIDC issuer succeeds.

Test plan

`RDS support images` run on `v0.13.2` ref publishes pinned `<engine>:<major>-0.13.2` tags + rolling `<major>` tags + cosign signs each; Trivy gates on CRITICAL/HIGH.

Note on current main CI state

E2E `general-1` red on a pre-existing regression: `ecs_task_resolves_secretsmanager_secret` returns empty captured logs (not introduced by this bump; passes locally). To be tracked in a follow-up. `release.yml` excludes E2E + conformance + tfacc + parity, so the publish path is unaffected.

Summary by cubic
Release v0.13.2 hardens prebuilt Postgres/MySQL/MariaDB RDS images with Trivy scans and `cosign` signing, and bumps workspace/SDK versions. It also adds faster async DB instance creation and new engine/extension support.

New Features

- `gosu`, removed `mysqlsh`, and baked in `apt-get upgrade`. Trivy finds 0 CRITICAL/HIGH; `cosign verify` passes. Validated on Postgres 13–16, MySQL 8.0, and MariaDB 10.6/10.11/11.4 for linux/amd64 and linux/arm64.
- `CreateDBInstance` is now async for faster returns.
- `aws_s3` extension; added MySQL/MariaDB Aurora lambda bridge; wired in MariaDB 11.4.

Dependencies

- `0.13.2` (Cargo, npm, PyPI, Maven).
- `trivy-action` to `v0.36.0`.

Written for commit 5956a15.