Use an explicit js-yaml version in the reusable test workflow so CI does
not silently pick up parser behavior changes from future npm releases.

Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>

The reusable test workflow installs js-yaml dynamically during CI. After
js-yaml 5.0.0 was released on 2026-06-20, load("") started throwing
instead of returning undefined.

Callers such as frontend.yml omit the optional includes input, so GitHub
Actions passes an empty string. Guard that value before parsing so omitted
or explicitly empty includes produce an empty JSON matrix while valid YAML
includes continue to work.

Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>

When git runs as root under sudo it consults SUDO_UID to decide whether a
repository's ownership can be trusted, additionally granting access to
repositories owned by the user who invoked sudo. GitCLI builds a
restricted environment for the git subprocess and did not forward
SUDO_UID, so commands such as `sudo docker build` tripped git's "detected
dubious ownership" check and silently lost commit provenance: the build
still succeeds but prints "current commit information was not captured by
the build".

Forward SUDO_UID (only when present) on the host git config path enabled
via WithHostGitConfig, i.e. client-side local git inspection. The default
isolated path used by daemon-side callers is left untouched so it does not
pick up host environment. This matches git's own default behavior under
sudo: it does not disable safe.directory checks and is not equivalent to
safe.directory=*; it merely lets git trust repositories owned by the
invoking user. Only SUDO_UID is forwarded (git's ownership check is
uid-based and never consults SUDO_GID).

Fixes the root cause for docker/buildx#3855. buildx inspects the build
context through this GitCLI with WithHostGitConfig enabled, so buildx
picks the fix up via a moby/buildkit dependency bump with no buildx-side
code change.

Signed-off-by: MohammadHasan Akbari <jarqvi.jarqvi@gmail.com>

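The forwarding rule described above, as an added illustration in Go that is not BuildKit's GitCLI code: SUDO_UID is passed through only on the host-git-config path and only when set. The names gitEnv, envValue, hostGitConfig and the lookup parameter are chosen here, and the numeric check on the value is an extra not present in the commit.

```go
package main

import (
	"fmt"
	"os"
	"strconv"
	"strings"
)

// gitEnv builds the restricted environment handed to the git subprocess.
// Illustrative code written for this note, not BuildKit's GitCLI: hostGitConfig
// mirrors the WithHostGitConfig option and lookup stands in for os.LookupEnv so
// the behaviour can be exercised offline.
func gitEnv(hostGitConfig bool, lookup func(string) (string, bool)) []string {
	env := []string{"GIT_TERMINAL_PROMPT=0"} // never block on a credential prompt
	if !hostGitConfig {
		// Daemon-side isolated path: nothing from the host environment is
		// forwarded, so a daemon running under sudo gains no extra trust.
		return env
	}
	// Client-side local inspection: forward SUDO_UID, and only SUDO_UID. With it,
	// git running as root under sudo also trusts repositories owned by the
	// invoking user, which is git's normal behaviour under sudo and far narrower
	// than safe.directory=*. git's ownership check is uid-based and never
	// consults SUDO_GID, so that variable is deliberately not forwarded.
	// The numeric check is an extra sanity check added here, not in the commit.
	if uid, ok := lookup("SUDO_UID"); ok {
		if _, err := strconv.ParseUint(uid, 10, 32); err == nil {
			env = append(env, "SUDO_UID="+uid)
		}
	}
	return env
}

// envValue returns the value of key in a KEY=VALUE environment slice.
func envValue(env []string, key string) (string, bool) {
	for _, kv := range env {
		if strings.HasPrefix(kv, key+"=") {
			return strings.TrimPrefix(kv, key+"="), true
		}
	}
	return "", false
}

func main() {
	// Under `sudo docker build` SUDO_UID is set; run without sudo to see it omitted.
	fmt.Println(gitEnv(true, os.LookupEnv))
	fmt.Println(gitEnv(false, os.LookupEnv))
}
```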
The github.com/mitchellh/hashstructure/v2 module was archived, and
there's a maintained fork in the gohugoio org.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>

This is the sixth patch release of the 1.3.z series of runc. Among some
performance improvements and bugfixes, it includes a fix for a low-severity
vulnerability ([CVE-2026-41579]) and users are encouraged to update. As it was
a low-severity vulnerability and it was reported by multiple people, we decided
to release it publicly with NO EMBARGO.

Security

This release includes a fix for the following low-severity security issue:

- CVE-2026-41579 allowed a malicious image with a /dev symlink to have
  limited write access to the host filesystem in ways that our analysis
  indicates was too limited to be problematic in practice. This bug was very
  similar to those fixed in CVE-2025-31133, CVE-2025-52565, CVE-2025-31133
  and was simply missed at the time when we hardened the rootfs preparation
  code. We have conducted a deeper audit and not found any other problematic
  cases.

Fixed

- A regression in runc v1.3.0 which can result in a stuck runc exec or
  runc run when the container process runs for a short time.
- Various integration test improvements.

Changed

- When masking directories with maskPaths, runc will now re-use a single
  tmpfs instance (which is not writable) to reduce the number of tmpfs
  superblocks that need to be reaped when containers die (in particular,
  Kubernetes applies masks to per-CPU sysfs directories which get expensive
  quickly).

[CVE-2026-41579]: https://github.com/opencontainers/runc/security/advisories/GHSA-xjvp-4fhw-gc47

full diff: https://github.com/opencontainers/runc/compare/v1.3.5...v1.3.6

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>

When noCache=true, Platforms() appends to w.WorkerOpt.Platforms.
Concurrent gRPC calls to ListWorkers (each handled in a separate
goroutine) can cause a data race where one goroutine creates matchers
with length N, while another appends new platforms, causing the first
goroutine's range to exceed matchers bounds:

    panic: runtime error: index out of range [81] with length 81

Add sync.Mutex to serialize access to Platforms().

Signed-off-by: okhowang(王沛文) <okhowang@tencent.com>

Dialing from a CNI namespace with the standard net.Dialer can escape the
namespace through happy-eyeballs connection attempts or resolver goroutines.
Use a serial dialer and route Go resolver sockets through the target
namespace, while preserving host loopback DNS stubs such as systemd-resolved
and Docker embedded DNS.

Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>

A CONVERT rule whose selector uses matchType EXACT matched the source but
silently performed no conversion: the source identifier was left unchanged
and no error was returned.

The destination of a CONVERT is computed by selectorCache.Format(match,
format), where format is the rule's Updates.Identifier. For WILDCARD and
REGEX the groups captured from match are substituted into format. The EXACT
branch has no captures and should return the target format verbatim, but it
returned s.Identifier (the selector's own identifier, i.e. the matched
source) instead. mutate() then computed a destination equal to the source,
saw op.Identifier == dest, and returned mutated=false without applying the
update.

This made exact-match source pinning/substitution silently fail, e.g.
pinning an image tag to a digest for reproducible builds.

Return format from the EXACT branch. The empty-destination case is
unaffected: mutate() already falls back to the selector identifier before
calling Format, so an empty Updates.Identifier remains a correct no-op.

Add testConvertExact covering an explicit MatchType_EXACT conversion; the
existing testConvert only exercised the default wildcard path.

Signed-off-by: ZRHann <zrhann@foxmail.com>

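An illustrative Go reimplementation of the Format/mutate logic described above, written for this note rather than taken from the project: the EXACT branch returns the target format, and an empty update stays a no-op. Selector, Exact, pattern and mutate are names chosen here, and WILDCARD is modelled as each '*' capturing a group that format references as ${N}.

```go
package main

import (
	"regexp"
	"strings"
)

// Illustrative reimplementation of the Format/mutate logic described above;
// names are assumptions, not the project's types. Exact selects matchType
// EXACT; otherwise the default WILDCARD path applies (each '*' captures a group).
type Selector struct {
	Identifier string
	Exact      bool
}

// pattern compiles a WILDCARD identifier into a regexp with one group per '*'.
func (s Selector) pattern() *regexp.Regexp {
	parts := strings.Split(s.Identifier, "*")
	for i := range parts {
		parts[i] = regexp.QuoteMeta(parts[i])
	}
	return regexp.MustCompile("^" + strings.Join(parts, "(.*)") + "$")
}

// Format computes a CONVERT destination. WILDCARD substitutes the captured
// groups into format (${1}, ${2}, ...). EXACT has no captures and returns
// format verbatim; the bug fixed above returned s.Identifier here instead.
func (s Selector) Format(match, format string) string {
	if s.Exact {
		return format
	}
	re := s.pattern()
	return string(re.ExpandString(nil, format, match, re.FindStringSubmatchIndex(match)))
}

// mutate applies the rule; an empty update falls back to sel.Identifier first.
func mutate(sel Selector, identifier, update string) (string, bool) {
	matched := identifier == sel.Identifier
	if !sel.Exact {
		matched = sel.pattern().MatchString(identifier)
	}
	if !matched {
		return identifier, false
	}
	if update == "" {
		update = sel.Identifier
	}
	dest := sel.Format(identifier, update)
	return dest, dest != identifier
}
```

With the pre-fix behaviour (Format returning s.Identifier for EXACT), the tag-to-digest case below would yield dest equal to the source and mutate would report false.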
Commit 91cc422d5 split exec proxying from exec network mode and
started cloning the proxy transport per egress namespace with a custom
DialContext.

Without ForceAttemptHTTP2, the cloned transport could advertise h2 via
ALPN without a registered HTTP/2 RoundTripper, causing Alpine apk update
requests to fail with proxy 502 responses.

Restoring HTTP/2 upstream also exposes unknown-length HTTP/2 responses.
When those responses are rewritten for the MITM HTTP/1.1 client, close
the client-facing connection so clients can delimit the response body.

Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
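The two fixes described above, as illustrative Go written for this note rather than the proxy's own code: a per-namespace clone of the transport that sets ForceAttemptHTTP2, and a response rewrite that marks unknown-length bodies Connection: close for the HTTP/1.1 client. egressTransport, adaptForHTTP1, dialFunc and the nsDial parameter are names chosen here.

```go
package main

import (
	"context"
	"fmt"
	"net"
	"net/http"
)

// Illustrative code written for this note, not BuildKit's proxy. nsDial stands
// for whatever dialer enters the egress network namespace.
type dialFunc func(ctx context.Context, network, addr string) (net.Conn, error)

// egressTransport clones base for one egress namespace and swaps in nsDial.
// net/http only wires up its bundled HTTP/2 automatically when no custom
// DialContext is set; a clone carrying a custom dialer therefore needs
// ForceAttemptHTTP2, otherwise it may still offer "h2" in the TLS ALPN list it
// inherited from base while having no HTTP/2 RoundTripper for a server that
// picks it, which surfaced above as proxy 502s on apk update.
func egressTransport(base *http.Transport, nsDial dialFunc) *http.Transport {
	tr := base.Clone() // never mutate the shared base transport
	tr.DialContext = nsDial
	tr.ForceAttemptHTTP2 = true
	return tr
}

// adaptForHTTP1 rewrites an upstream (possibly HTTP/2) response for the MITM'd
// HTTP/1.1 client. HTTP/2 delimits a body of unknown length with the stream's
// END_STREAM flag; HTTP/1.1 has no such framing, so unless the body is chunked
// the client can only find the end of the body when the connection closes.
func adaptForHTTP1(resp *http.Response) *http.Response {
	resp.Proto, resp.ProtoMajor, resp.ProtoMinor = "HTTP/1.1", 1, 1
	if resp.Header == nil {
		resp.Header = http.Header{}
	}
	unknownLength := resp.ContentLength < 0
	chunked := len(resp.TransferEncoding) > 0 && resp.TransferEncoding[0] == "chunked"
	if unknownLength && !chunked {
		resp.Close = true
		resp.Header.Set("Connection", "close")
	}
	return resp
}

func main() {
	tr := egressTransport(&http.Transport{}, (&net.Dialer{}).DialContext)
	fmt.Println("ForceAttemptHTTP2:", tr.ForceAttemptHTTP2)
	resp := adaptForHTTP1(&http.Response{Proto: "HTTP/2.0", ProtoMajor: 2, ContentLength: -1})
	fmt.Println("Close:", resp.Close, "Connection:", resp.Header.Get("Connection"))
}
```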