Merge remote-tracking branch 'upstream/main'

jiridanek · jiridanek · commit 09a72354ea37 · 2025-11-12T18:07:48.000Z
diff --git a/.github/workflows/build-notebooks-pr-aipcc.yaml b/.github/workflows/build-notebooks-pr-aipcc.yaml
@@ -90,5 +90,5 @@ jobs:
       github: "${{ toJSON(github) }}"
       platform: "${{ matrix.platform }}"
       # rhds/notebooks builds from AIPCC base images that are RHEL-based
-      subscription: "true"
+      subscription: ${{ true }}
     secrets: inherit
diff --git a/rstudio/rhel9-python-3.12/Dockerfile.cpu b/rstudio/rhel9-python-3.12/Dockerfile.cpu
@@ -24,6 +24,13 @@ USER root
 COPY --from=ubi-repos /etc/yum.repos.d/ubi.repo /etc/yum.repos.d/ubi.repo
 COPY --from=ubi-repos /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
 
+RUN /bin/bash <<'EOF'
+set -Eeuxo pipefail
+if command -v subscription-manager &> /dev/null; then
+  subscription-manager identity &>/dev/null && subscription-manager refresh || echo "Not registered, skipping refresh."
+fi
+EOF
+
 # upgrade first to avoid fixable vulnerabilities begin
 # Problem: The operation would result in removing the following protected packages: systemd
 #  (try to add '--allowerasing' to command line to replace conflicting packages or '--skip-broken' to skip uninstallable packages)
@@ -151,6 +158,8 @@ mkdir -p /usr/share/doc/R
 # package installation
 # install necessary texlive-framed package to make Knit R markup to PDF rendering possible
 dnf install -y libgit2-devel.x86_64 libcurl-devel harfbuzz-devel.x86_64 fribidi-devel.x86_64 cmake "flexiblas-*" texlive-framed
+# install npm to run cve_remediation script
+dnf install -y npm
 dnf clean all
 rm -rf /var/cache/yum
 (cd /tmp/utils && ./cve_remediation.sh)
diff --git a/rstudio/rhel9-python-3.12/Dockerfile.cuda b/rstudio/rhel9-python-3.12/Dockerfile.cuda
@@ -24,6 +24,13 @@ USER root
 COPY --from=ubi-repos /etc/yum.repos.d/ubi.repo /etc/yum.repos.d/ubi.repo
 COPY --from=ubi-repos /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
 
+RUN /bin/bash <<'EOF'
+set -Eeuxo pipefail
+if command -v subscription-manager &> /dev/null; then
+  subscription-manager identity &>/dev/null && subscription-manager refresh || echo "Not registered, skipping refresh."
+fi
+EOF
+
 # upgrade first to avoid fixable vulnerabilities begin
 # Problem: The operation would result in removing the following protected packages: systemd
 #  (try to add '--allowerasing' to command line to replace conflicting packages or '--skip-broken' to skip uninstallable packages)
@@ -165,6 +172,8 @@ mkdir -p /usr/share/doc/R
 # package installation
 # install necessary texlive-framed package to make Knit R markup to PDF rendering possible
 dnf install -y libgit2-devel.x86_64 libcurl-devel harfbuzz-devel.x86_64 fribidi-devel.x86_64 cmake "flexiblas-*" texlive-framed
+# install npm to run cve_remediation script
+dnf install -y npm
 dnf clean all
 rm -rf /var/cache/yum
 (cd /tmp/utils && ./cve_remediation.sh)
@@ -185,7 +194,6 @@ ENV APP_ROOT=/opt/app-root
 
 # Install NGINX to proxy RStudio and pass probes check
 ENV NGINX_VERSION=1.24 \
-    NGINX_VERSION=1.24 \
     NGINX_SHORT_VER=124 \
     NGINX_CONFIGURATION_PATH=${APP_ROOT}/etc/nginx.d \
     NGINX_CONF_PATH=/etc/nginx/nginx.conf \
