Bump manylinux versions for CVEs (#250)

* Bump manylinux versions for CVEs

The `libgcc.so` is packaged for Linux wheels via `auditwheel`. However,
currently the `manylinux2014` and `musllinux_1_1` images are used, where
the GCC version is 9.3.0 that has CVEs.

This patch bumps the images to `manylinux_2_28` and `musllinux_1_2` to
have a higher version `libgcc`.

* Use ubuntu-latest runner

* Fix build script

Author: BewareMyPower

.github/workflows/ci-build-release-wheels.yaml

@@ -31,14 +31,14 @@ jobs:
 
   linux-wheel:
     name: Wheel ${{matrix.image.name}} - Py ${{matrix.python.version}} - ${{matrix.cpu.platform}}
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-latest
     timeout-minutes: 300
 
     strategy:
       fail-fast: false
       matrix:
         image:
-          - {name: 'manylinux2014', py_suffix: ''}
+          - {name: 'manylinux', py_suffix: ''}
           - {name: 'manylinux_musl', py_suffix: '-alpine'}
         python:
           - {version: '3.9', spec: 'cp39-cp39'}

.github/workflows/ci-pr-validation.yaml

@@ -29,7 +29,7 @@ concurrency:
 jobs:
   check-and-lint:
     name: Lint and check code
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v3
       - uses: actions/setup-python@v4
@@ -48,7 +48,7 @@ jobs:
 
   unit-tests:
     name: Run unit tests for Python ${{matrix.version}}
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-latest
     timeout-minutes: 120
 
     strategy:
@@ -105,14 +105,14 @@ jobs:
   linux-wheel:
     name: Wheel ${{matrix.image.name}} - Py ${{matrix.python.version}} - ${{matrix.cpu.platform}}
     needs: unit-tests
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-latest
     timeout-minutes: 300
 
     strategy:
       fail-fast: false
       matrix:
         image:
-          - {name: 'manylinux2014', py_suffix: ''}
+          - {name: 'manylinux', py_suffix: ''}
           - {name: 'manylinux_musl', py_suffix: '-alpine'}
         python:
           - {version: '3.13', spec: 'cp313-cp313'}

pkg/build-wheel-inside-docker.sh

@@ -31,14 +31,14 @@ fi
 PULSAR_CPP_VERSION=$(cat ./dependencies.yaml | grep pulsar-cpp | awk '{print $2}')
 
 if [ $CPP_BINARY_TYPE == "rpm" ]; then
-    # The pre-built RPM packages have incompatible ABI with manylinux2014, so we have to build from source
+    # The pre-built RPM packages have incompatible ABI with manylinux, so we have to build from source
     download_dependency ./dependencies.yaml pulsar-cpp
     cd apache-pulsar-client-cpp-${PULSAR_CPP_VERSION}
 
     git clone https://github.com/microsoft/vcpkg.git
     cd vcpkg
 
-    # manylinux2014 does not have ninja in the system package manager
+    # manylinux does not have ninja in the system package manager
     git clone https://github.com/ninja-build/ninja.git
     cd ninja
     git checkout release
@@ -48,7 +48,7 @@ if [ $CPP_BINARY_TYPE == "rpm" ]; then
     ./bootstrap-vcpkg.sh
     cd ..
     if [ $PULSAR_CPP_VERSION == "3.7.0" ]; then
-        patch lib/CMakeLists.txt $ROOT_DIR/pkg/manylinux2014/pulsar-client-cpp-3.7.0.patch
+        patch lib/CMakeLists.txt $ROOT_DIR/pkg/manylinux/pulsar-client-cpp-3.7.0.patch
     fi
     cmake -B build-cpp -DINTEGRATE_VCPKG=ON -DCMAKE_BUILD_TYPE=Release -DBUILD_TESTS=OFF -DBUILD_DYNAMIC_LIB=ON -DBUILD_STATIC_LIB=ON
     cmake --build build-cpp -j8 --target install

pkg/manylinux2014/Dockerfile renamed to pkg/manylinux/Dockerfile

@@ -18,7 +18,7 @@
 #
 
 ARG ARCH
-FROM quay.io/pypa/manylinux2014_${ARCH}
+FROM quay.io/pypa/manylinux_2_28_${ARCH}
 
 ARG PYTHON_VERSION
 ARG PYTHON_SPEC

pkg/manylinux2014/pulsar-client-cpp-3.7.0.patch renamed to pkg/manylinux/pulsar-client-cpp-3.7.0.patch

@@ -18,7 +18,7 @@
 #
 
 ARG ARCH
-FROM quay.io/pypa/musllinux_1_1_${ARCH}
+FROM quay.io/pypa/musllinux_1_2_${ARCH}
 
 ARG PYTHON_VERSION
 ARG PYTHON_SPEC