build(deps): bump Rust and Python deps to clear CI security gates#444
Merged
362ba2f to 4d86fa7
4d86fa7 to ed53d4e
- Update rand, openssl, rustls-webpki across all Rust Cargo.lock files
- Upgrade lxml 5.3.0 to 6.1.0 in onvif-camera-simulator

🔒 - Generated by Copilot
ed53d4e to 0c18be7
Note: our current CI is failing on the ORT CDN; it seems other users are facing it as well, which we expect to be transient.
bindsi approved these changes, Apr 24, 2026
katriendg added a commit that referenced this pull request, Apr 30, 2026:
Migrate GitHub-side release management from GitVersion + the custom `create-release` workflow to [release-please-action v4.4.1](https://github.com/googleapis/release-please-action) using the `simple` release type with a manifest-driven configuration. The new workflow is `workflow_dispatch` only (no auto-trigger on push) so releases remain explicitly gated. This PR also removes the parallel Azure DevOps release-branch automation that was tightly coupled to GitVersion, since release management now runs from GitHub. The Azure DevOps `github-push` mirror pipeline is retained but trimmed of GitVersion references. Net change: **17 files, +148 / -1364**.

## Related Issue

Relates to WI-01 (replace GitVersion with release-please on GitHub side).

## Type of Change

- [ ] Bug fix (non-breaking change which fixes an issue)
- [ ] New feature (non-breaking change which adds functionality)
- [ ] Breaking change (fix or feature that would cause existing functionality to not work as expected)
- [ ] Blueprint modification or addition
- [ ] Component modification or addition
- [x] Documentation update
- [x] CI/CD pipeline change
- [ ] Other (please describe):

## Implementation Details

**Added**

- `.github/workflows/release-please.yml` — `workflow_dispatch`-only workflow invoking `googleapis/release-please-action@v4.4.1` (pinned).
- `release-please-config.json` — `simple` release type, single root package.
- `.release-please-manifest.json` — pinned to current version `2.8.0`.

**Disabled** (kept on disk, renamed so GitHub no longer schedules it)

- `.github/workflows/create-release.yml` → `.github/workflows/create-release.yml.disabled`

**Deleted**

- `GitVersion.yml` (root)
- `.azuredevops/pipelines/release-branch-create.yml`
- `.azuredevops/docs/release-branch-create.md`
- `.azdo/pipelines/github-push.yml` (superseded by `.azuredevops/pipelines/github-push.yml`)

**Modified (docs + ADO mirror)**

- `docs/build-cicd/release-workflow.md` — describes release-please trigger, manifest, and version bump flow.
- `docs/build-cicd/configuration-reference.md` — replaces GitVersion config reference with release-please config reference.
- `.azuredevops/docs/github-push.md` — removes GitVersion language.
- `.azuredevops/pipelines/github-push.yml` — removes GitVersion variable group and step.
- `.azuredevops/README.md` — drops the release-branch-create entry.
- `.github/copilot-instructions.md` — points contributors at release-please instead of GitVersion.

## Testing Performed

- [ ] Terraform plan/apply
- [ ] Blueprint deployment test
- [ ] Unit tests
- [ ] Integration tests
- [ ] Bug fix includes regression test (see [Test Policy](docs/contributing/testing-validation.md))
- [x] Manual validation
- [x] Other: actionlint, yamllint, prettier --check, markdownlint-cli2 all pass on the changed files.

## Validation Steps

```bash
# YAML / Actions
actionlint .github/workflows/release-please.yml
yamllint .github/workflows/release-please.yml release-please-config.json .release-please-manifest.json

# Formatting
npx prettier --check release-please-config.json .release-please-manifest.json .github/workflows/release-please.yml

# Markdown
npx markdownlint-cli2 \
  docs/build-cicd/release-workflow.md \
  docs/build-cicd/configuration-reference.md \
  .azuredevops/docs/github-push.md \
  .azuredevops/README.md \
  .github/copilot-instructions.md
```

All validators reported no errors at HEAD `6427d727`.

## Checklist

- [x] I have updated the documentation accordingly
- [ ] I have added tests to cover my changes
- [ ] All new and existing tests passed
- [ ] I have run `terraform fmt` on all Terraform code
- [ ] I have run `terraform validate` on all Terraform code
- [ ] I have run `az bicep format` on all Bicep code
- [ ] I have run `az bicep build` to validate all Bicep code
- [x] I have checked for any sensitive data/tokens that should not be committed
- [x] Lint checks pass (run applicable linters for changed file types)

Terraform / Bicep / test items are N/A — this PR is JSON + YAML + Markdown only.

## Security Review

- [x] No credentials, secrets, or tokens are hardcoded or logged
- [x] RBAC and identity changes follow least-privilege principles
- [x] No new network exposure or public endpoints introduced without justification
- [x] Dependency additions or updates have been reviewed for known vulnerabilities
- [x] Container image changes use pinned digests or SHA references

The diff touches only release tooling configuration and docs. The release-please action is pinned to `v4.4.1`. No code paths, identity boundaries, or network resources are changed.

Note: a Grype scan of the repo (unrelated to files modified by this PR) reports 4 pre-existing CVEs in dependencies (`go.opentelemetry.io/otel`, `postcss`, `uuid`, `github.com/jackc/pgx/v5`). These should be addressed in a separate dependency-bump PR per precedent (#427, #444).

## Additional Notes

- HEAD: `6427d727` (up to date with `main` at `c01b934f`).
- The new workflow is intentionally `workflow_dispatch`-only for this rollout; once verified, a follow-up PR can enable the standard `push: branches: [main]` trigger.
- The ADO `release-branch-create` pipeline is removed because release-branch creation is now handled by release-please's release PR. The ADO `github-push` mirror remains.

## Screenshots (if applicable)

N/A — no UI changes.

---------

Co-authored-by: Bill Berry <wbery@microsoft.com>
Co-authored-by: Katrien De Graeve <katriendg@users.noreply.github.com>
## Summary

Consolidates pending Rust and Python dependency security updates into a single PR to unblock CI. Every open PR currently fails the same two required checks (Cargo Audit and Security Scan / Grype) due to transitive dependency vulnerabilities. This PR resolves both blockers.

Supersedes: #413, #425, #430, #431, #432, #434, #435, #436, #437, #438, #439, #440, #441, #442, #443

## Root Causes & Fixes

- `rand`, `openssl`, and `rustls-webpki` in transitive deps: `cargo update` across all 14 Rust workspaces bumps to patched versions
- `openssl` (0.10.73/74/76), `rand` (0.8.5/0.9.2), `rustls-webpki`, and `lxml` (5.3.0)

## Changes

- Rust `Cargo.lock` updates (14 files, lockfiles only — no `Cargo.toml` changes) via `cargo update`
- Python dependency update (1 service): `src/500-application/510-onvif-connector/services/onvif-camera-simulator/` — lxml 5.3.0 → 6.1.0 in `requirements.in` (clears GHSA-vfmq-68hx-4jfw); `requirements.txt` regenerated with `uv pip compile --generate-hashes`

## Verification

- `cargo audit --deny warnings` passes on all 14 Rust crates with the `.github/audit.toml` config
- `grype dir:. --config .grype.yaml` returns exit 0 in a clean checkout (only the Medium-severity `uuid` npm finding remains, below the `fail-on-severity: high` threshold)
- `govulncheck ./...` passes on both Go modules (unchanged from main — no Go-related changes in this PR)
- No `Cargo.toml`, Go module, source code, or behavioral changes

## Known Residuals (already suppressed)

- `rand 0.8.6` still appears in Grype scans (advisory fixed-in is 0.9.3). Suppressed in `.github/audit.toml` via RUSTSEC-2026-0097. Blocked on upstream `azure_iot_operations_mqtt` releasing without `rand 0.8.x`.
- `rustls-webpki 0.102.8` (transitive via the AIO SDK's rumqttc fork) suppressed in `.grype.yaml` via GHSA-pwjx-qhcg-rvj4.

## Impact on Other PRs

Once merged, Dependabot will auto-close the 15 superseded PRs when it detects the fixes on `main`. The remaining open PRs (#411, #422, #401, #427, #428, #429, #433) will have their two universal CI blockers resolved and can proceed through review.

🔒 - Generated by Copilot