chore(bases): refresh pingcap-base packages and release v1.11.2#912

Merged
ti-chi-bot[bot] merged 5 commits into main from copilot/update-pingcap-base-image on Mar 30, 2026

Conversation

Contributor

Copilot AI commented Mar 14, 2026

The pingcap-base image needs its packages refreshed to pick up security fixes, and a new patch version needs to be cut to ship those updates.

Changes

  • pingcap-base/Dockerfile — Advance the _date cache-bust token from 20260204 to 20260314, forcing dnf upgrade -y to re-execute on the next build.
  • bases/skaffold.yaml — Bump the default config tag from v1.11.1 to v1.11.2 so the CI workflow pushes the refreshed image under the new patch version.
  • release-prod-runtime-images.yaml — After publishing, extract the pingcap-base tag from skaffold.yaml and run a Trivy scan (HIGH/CRITICAL severity, fixable CVEs only) on the pushed image; the job fails if any fixable vulnerabilities are found.
Original prompt

This section details the original issue you should resolve

<issue_title>Update the pingcap-base image and prepare to release a new patch version.</issue_title>
<issue_description>Let's refresh the packages in the base image to solve some security issues:

  1. update the date flag to make the docker building can run the dnf upgrade command.
  2. update the version in skaffold file, so our ci workflow can build and push with new patch version.</issue_description>

Comments on the Issue (you are @copilot in this section)



…base

Co-authored-by: wuhuizuo <2574558+wuhuizuo@users.noreply.github.com>
Copilot AI changed the title from "[WIP] Update the pingcap-base image and prepare new patch version" to "chore(bases): refresh pingcap-base packages and release v1.11.2" on Mar 14, 2026
Copilot AI requested a review from wuhuizuo March 14, 2026 16:28
@wuhuizuo
Contributor

@copilot you should test the build and use Trivy to scan the image after it is built.

Co-authored-by: wuhuizuo <2574558+wuhuizuo@users.noreply.github.com>
Contributor Author

Copilot AI commented Mar 14, 2026

@copilot you should test the build and use Trivy to scan the image after it is built.

Added Trivy scanning to both the PR validation and release workflows (commit ad47b62). After the Build images / Publish images step, a new "Run Trivy vulnerability scanner on pingcap-base" step runs (scoped to the default module) with severity: HIGH,CRITICAL, ignore-unfixed: true, and exit-code: '1' — so the workflow fails if fixable HIGH/CRITICAL CVEs are found in the built image.

Note: the local sandbox has external DNS blocked inside Docker build containers, so the build and scan couldn't be executed here — they'll run in the actual GitHub Actions environment where external network access is available.

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

  • mirror.gcr.io
    • Triggering command: /usr/local/bin/trivy trivy image --severity HIGH,CRITICAL --format table ghcr.io/pingcap-qe/bases/pingcap-base:v1.11.1 (dns block)
  • mirrors.rockylinux.org
    • Triggering command: /usr/bin/dnf dnf upgrade -y (dns block)

If you need me to access, download, or install something from one of these locations, you can either:

@ti-chi-bot ti-chi-bot bot added size/M and removed size/XS labels Mar 14, 2026
@wuhuizuo
Contributor

@copilot the CI failed in some jobs

…fails)

Co-authored-by: wuhuizuo <2574558+wuhuizuo@users.noreply.github.com>
Contributor Author

Copilot AI commented Mar 19, 2026

@copilot the CI failed in some jobs

Fixed in commit a35f948. The (default, linux/arm64) job was failing for two reasons:

  1. The PR build workflow uses --push=false, so the image is never pushed to the registry — Trivy's image-ref pointed to a non-existent tag and the install itself failed on the arm64 runner.
  2. Trivy binary installation exits with code 1 on the ubuntu-24.04-arm runner.

Trivy scanning only makes sense after the image is published. The scan steps have been removed from the PR validation workflow and kept exclusively in the release workflow (release-prod-runtime-images.yaml), which runs on amd64 and scans the freshly-published image.

@ti-chi-bot ti-chi-bot bot added size/S and removed size/M labels Mar 19, 2026
@wuhuizuo wuhuizuo marked this pull request as ready for review March 30, 2026 08:45

@ti-chi-bot ti-chi-bot bot left a comment


I have already done a preliminary review for you, and I hope to help you do a better job.

Summary
This PR updates the pingcap-base image by refreshing its package cache date token to trigger a dnf upgrade -y and bumps the patch version from v1.11.1 to v1.11.2 in the skaffold config. Additionally, it adds a Trivy vulnerability scan step in the CI workflow (release-prod-runtime-images.yaml) that inspects the newly pushed base image for high/critical fixable vulnerabilities and fails if any are found. The approach is straightforward, aligning with security best practices by automating vulnerability detection. The changes are minimal and focused, with good CI integration.


Critical Issues

  • .github/workflows/release-prod-runtime-images.yaml (lines 70-94):

    • The extraction of the tag via yq uses a selector and then tries to echo the entire template string as the tag. However, the current skaffold.yaml uses a straightforward template like "v1.11.2" rather than a full image tag. This may cause the Trivy scan to fail if the full image reference is not correctly constructed.

    • Suggestion: Confirm that the extracted tag is the exact image tag portion (e.g., v1.11.2), then construct the full image reference including the registry and repo prefix explicitly, e.g.:

      tag=$(yq 'select(.metadata.name == "default") | .build.tagPolicy.customTemplate.template' skaffold.yaml)
      full_image="ghcr.io/pingcap-qe/bases/pingcap-base:${tag//\"/}" # Remove quotes if any
      echo "full_image=${full_image}" >> "$GITHUB_OUTPUT"

      Then use ${{ steps.pingcap-base-tag.outputs.full_image }} in the Trivy step.

  • The Trivy scan uses ignore-unfixed: true which ignores vulnerabilities without fixes. This is reasonable but may miss important vulnerabilities that have no fix yet but still pose a risk. Consider whether this is the desired policy.


Code Improvements

  • dockerfiles/bases/pingcap-base/Dockerfile (line 3):

    • The cache-bust token _date is updated from 20260204 to 20260330, but the PR description says 20260314. This discrepancy should be clarified and documented.

    • Suggestion: Add a comment explaining why this date is updated and how it triggers dnf upgrade. For example:

      # Update _date token to force dnf upgrade cache refresh (updated 2026-03-30)
      RUN _date=20260330 dnf upgrade -y && dnf clean all
  • .github/workflows/release-prod-runtime-images.yaml (lines 70-94):

    • The working-directory is set to dockerfiles/bases but the skaffold.yaml is under dockerfiles/bases/skaffold.yaml. This looks correct, but verify that the workflow runs from the expected directory.
    • The if: matrix.module == 'default' condition is repeated twice. Consider grouping these steps under a single job or step block with this condition to reduce duplication.

Best Practices

  • Documentation:

    • No comments are present in the new workflow steps explaining the purpose of the Trivy scan or the tag extraction logic.
    • Suggestion: Add brief comments in release-prod-runtime-images.yaml to make this clearer to future maintainers.
  • Testing:

    • There is no indication that the Trivy scan step has been tested in the CI environment. Ensure the workflow is validated to correctly fail on vulnerabilities.
    • Consider adding a smoke test or workflow dry-run to verify the new scan step.
  • Naming:

    • The output name tag from the extraction step is somewhat generic. Renaming it to image_tag or image_version might improve clarity.

Overall, this PR addresses its main goal well but could improve robustness in tag extraction and add more documentation for clarity. The Trivy scan integration is a strong security practice and should be monitored carefully for false positives or workflow failures after merge.
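Added example (not code from this PR or its repository): a POSIX shell sketch of the tag-extraction step the review comments on, using awk instead of yq, validating the extracted tag before building the ghcr.io/pingcap-qe/bases/pingcap-base reference, and composing the Trivy command with the severity, ignore-unfixed and exit-code policy the PR describes. The skaffold.yaml content below is a constructed sample of the multi-document layout implied by the yq selector; the real file's other fields are not reproduced.

```shell
#!/bin/sh
# Added example, not the repository's workflow code. Extracts the "default"
# module's customTemplate.template from a skaffold.yaml, validates it, and
# builds the image reference plus the Trivy scan command.

# Constructed sample of a multi-document skaffold.yaml (not the real file).
SAMPLE_SKAFFOLD='metadata:
  name: default
build:
  tagPolicy:
    customTemplate:
      template: "v1.11.2"
---
metadata:
  name: other
build:
  tagPolicy:
    customTemplate:
      template: "v9.9.9"
'

# Print the template value of the module named "$2" (default: "default").
# Documents are separated by "---"; quotes around the value are stripped.
skaffold_module_tag() {
  awk -v want="${2:-default}" '
    function emit() { if (name == want && tmpl != "") print tmpl; name = ""; tmpl = "" }
    /^---/ { emit(); next }
    /^[[:space:]]*name:/     { sub(/^[[:space:]]*name:[[:space:]]*/, ""); name = $0 }
    /^[[:space:]]*template:/ { sub(/^[[:space:]]*template:[[:space:]]*/, ""); gsub(/["'\'']/, ""); tmpl = $0 }
    END { emit() }
  ' "$1"
}

# Build the full registry reference; refuse an empty or malformed tag so the
# scan can never silently run against a non-existent or wrong image.
pingcap_base_image_ref() {
  tag=$(skaffold_module_tag "$1" default)
  case "$tag" in
    v[0-9]*.[0-9]*.[0-9]*) echo "ghcr.io/pingcap-qe/bases/pingcap-base:$tag" ;;
    *) echo "invalid or missing pingcap-base tag: '$tag'" >&2; return 1 ;;
  esac
}

# Trivy invocation matching the PR's policy: HIGH/CRITICAL, fixable only, fail on findings.
trivy_scan_cmd() {
  echo "trivy image --severity HIGH,CRITICAL --ignore-unfixed --exit-code 1 --format table $1"
}

tmp=$(mktemp)
printf '%s' "$SAMPLE_SKAFFOLD" > "$tmp"
ref=$(pingcap_base_image_ref "$tmp") && trivy_scan_cmd "$ref"
rm -f "$tmp"
```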

@ti-chi-bot ti-chi-bot bot added the lgtm label Mar 30, 2026
@ti-chi-bot

ti-chi-bot bot commented Mar 30, 2026

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: wuhuizuo

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@ti-chi-bot

ti-chi-bot bot commented Mar 30, 2026

[LGTM Timeline notifier]

Timeline:

  • 2026-03-30 08:46:59.912550648 +0000 UTC m=+168425.117910705: ☑️ agreed by wuhuizuo.

@ti-chi-bot ti-chi-bot bot added the approved label Mar 30, 2026
@ti-chi-bot ti-chi-bot bot merged commit 8c79c0f into main Mar 30, 2026
9 checks passed
@ti-chi-bot ti-chi-bot bot deleted the copilot/update-pingcap-base-image branch March 30, 2026 08:53

Successfully merging this pull request may close these issues.

Update the pingcap-base image and prepare to release a new patch version.