chore(deps): bump python, gosu, and Django (#69626)

- bump python to 3.11.8 to resolve security vulnerabilities
- bump gosu to 1.17 to resolve security vulnerabilities
- bump Django to 5.0.4
- bump self-hosted docker image to _bookworm_ (Debian 12)

We [previously tried bumping to Python
3.11.9](#69468), but ran into an
odd unicode decoding error in
getsentry/getsentry#13760 within our tests. See
python/cpython#76511. Python 3.11.8 works.

---------

Co-authored-by: getsantry[bot] <66042841+getsantry[bot]@users.noreply.github.com>

Author: mdtro

.github/actions/setup-sentry/action.yml

@@ -38,7 +38,7 @@ inputs:
   python-version:
     description: 'python version to install'
     required: false
-    default: '3.11.6'
+    default: '3.11.8'
   pg-version:
     description: 'PostgreSQL version to use'
     default: '14'

.github/workflows/backend.yml

@@ -210,7 +210,7 @@ jobs:
       - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
       - uses: getsentry/action-setup-venv@a133e6fd5fa6abd3f590a1c106abda344f5df69f # v2.1.0
         with:
-          python-version: 3.11.6
+          python-version: 3.11.8
           cache-dependency-path: requirements-dev-frozen.txt
           install-cmd: python3 -m tools.hack_pip && pip install -q --constraint requirements-dev-frozen.txt pip-tools
       - name: check requirements
@@ -306,7 +306,7 @@ jobs:
 
       - uses: getsentry/action-setup-venv@a133e6fd5fa6abd3f590a1c106abda344f5df69f # v2.1.0
         with:
-          python-version: 3.11.6
+          python-version: 3.11.8
           cache-dependency-path: requirements-dev-frozen.txt
           install-cmd: python3 -m tools.hack_pip && pip install -r requirements-dev-frozen.txt
 

.github/workflows/development-environment.yml

@@ -33,7 +33,7 @@ jobs:
       - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
       - uses: getsentry/action-setup-venv@a133e6fd5fa6abd3f590a1c106abda344f5df69f # v2.1.0
         with:
-          python-version: 3.11.6
+          python-version: 3.11.8
           cache-dependency-path: |
             requirements-dev.txt
             requirements-dev-frozen.txt
@@ -51,7 +51,7 @@ jobs:
       - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
       - uses: getsentry/action-setup-venv@a133e6fd5fa6abd3f590a1c106abda344f5df69f # v2.1.0
         with:
-          python-version: 3.11.6
+          python-version: 3.11.8
           cache-dependency-path: |
             requirements-dev.txt
             requirements-dev-frozen.txt

.github/workflows/pre-commit.yml

@@ -55,7 +55,7 @@ jobs:
 
       - uses: getsentry/action-setup-venv@a133e6fd5fa6abd3f590a1c106abda344f5df69f # v2.1.0
         with:
-          python-version: 3.11.6
+          python-version: 3.11.8
           cache-dependency-path: |
             requirements-dev.txt
             requirements-dev-frozen.txt

.python-version

@@ -1 +1 @@
-3.11.6
+3.11.8

devenv/config.ini

@@ -1,5 +1,5 @@
 [venv.sentry]
-python = 3.11.6
+python = 3.11.8
 path = .venv
 requirements = requirements-dev.txt
 editable =
@@ -8,7 +8,7 @@ editable =
 # bins =
 
 [venv.getsentry]
-python = 3.11.6
+python = 3.11.8
 # technically these are conflicting paths but getsentry is special
 # and would rather keep devenv config symlinked
 path = .venv
@@ -17,15 +17,15 @@ editable = .
 # but we'll just install it during sync as it's rarely populated
 requirements = sentry-requirements-dev-frozen.txt
 
-[python3.11.6]
-darwin_x86_64 = https://github.com/indygreg/python-build-standalone/releases/download/20231002/cpython-3.11.6+20231002-x86_64-apple-darwin-install_only.tar.gz
-darwin_x86_64_sha256 = 178cb1716c2abc25cb56ae915096c1a083e60abeba57af001996e8bc6ce1a371
-darwin_arm64 = https://github.com/indygreg/python-build-standalone/releases/download/20231002/cpython-3.11.6+20231002-aarch64-apple-darwin-install_only.tar.gz
-darwin_arm64_sha256 = 916c35125b5d8323a21526d7a9154ca626453f63d0878e95b9f613a95006c990
-linux_x86_64 = https://github.com/indygreg/python-build-standalone/releases/download/20231002/cpython-3.11.6+20231002-x86_64-unknown-linux-gnu-install_only.tar.gz
-linux_x86_64_sha256 = ee37a7eae6e80148c7e3abc56e48a397c1664f044920463ad0df0fc706eacea8
-linux_arm64 = https://github.com/indygreg/python-build-standalone/releases/download/20231002/cpython-3.11.6+20231002-aarch64-unknown-linux-gnu-install_only.tar.gz
-linux_arm64_sha256 = 3e26a672df17708c4dc928475a5974c3fb3a34a9b45c65fb4bd1e50504cc84ec
+[python3.11.8]
+darwin_x86_64 = https://github.com/indygreg/python-build-standalone/releases/download/20240224/cpython-3.11.8+20240224-x86_64-apple-darwin-install_only.tar.gz
+darwin_x86_64_sha256 = 097f467b0c36706bfec13f199a2eaf924e668f70c6e2bd1f1366806962f7e86e
+darwin_arm64 = https://github.com/indygreg/python-build-standalone/releases/download/20240224/cpython-3.11.8+20240224-aarch64-apple-darwin-install_only.tar.gz
+darwin_arm64_sha256 = 389a51139f5abe071a0d70091ca5df3e7a3dfcfcbe3e0ba6ad85fb4c5638421e
+linux_x86_64 = https://github.com/indygreg/python-build-standalone/releases/download/20240224/cpython-3.11.8+20240224-x86_64-unknown-linux-gnu-install_only.tar.gz
+linux_x86_64_sha256 = 94e13d0e5ad417035b80580f3e893a72e094b0900d5d64e7e34ab08e95439987
+linux_arm64 = https://github.com/indygreg/python-build-standalone/releases/download/20240224/cpython-3.11.8+20240224-aarch64-unknown-linux-gnu-install_only.tar.gz
+linux_arm64_sha256 = 389b9005fb78dd5a6f68df5ea45ab7b30d9a4b3222af96999e94fd20d4ad0c6a
 
 [colima]
 darwin_x86_64 = https://github.com/abiosoft/colima/releases/download/v0.6.6/colima-Darwin-x86_64
@@ -41,12 +41,12 @@ version = v0.6.6
 
 # kept here only for compatibility with older `devenv`
 [python]
-version = 3.11.6
-darwin_x86_64 = https://github.com/indygreg/python-build-standalone/releases/download/20231002/cpython-3.11.6+20231002-x86_64-apple-darwin-install_only.tar.gz
-darwin_x86_64_sha256 = 178cb1716c2abc25cb56ae915096c1a083e60abeba57af001996e8bc6ce1a371
-darwin_arm64 = https://github.com/indygreg/python-build-standalone/releases/download/20231002/cpython-3.11.6+20231002-aarch64-apple-darwin-install_only.tar.gz
-darwin_arm64_sha256 = 916c35125b5d8323a21526d7a9154ca626453f63d0878e95b9f613a95006c990
-linux_x86_64 = https://github.com/indygreg/python-build-standalone/releases/download/20231002/cpython-3.11.6+20231002-x86_64-unknown-linux-gnu-install_only.tar.gz
-linux_x86_64_sha256 = ee37a7eae6e80148c7e3abc56e48a397c1664f044920463ad0df0fc706eacea8
-linux_arm64 = https://github.com/indygreg/python-build-standalone/releases/download/20231002/cpython-3.11.6+20231002-aarch64-unknown-linux-gnu-install_only.tar.gz
-linux_arm64_sha256 = 3e26a672df17708c4dc928475a5974c3fb3a34a9b45c65fb4bd1e50504cc84ec
+version = 3.11.8
+darwin_x86_64 = https://github.com/indygreg/python-build-standalone/releases/download/20240224/cpython-3.11.8+20240224-x86_64-apple-darwin-install_only.tar.gz
+darwin_x86_64_sha256 = 097f467b0c36706bfec13f199a2eaf924e668f70c6e2bd1f1366806962f7e86e
+darwin_arm64 = https://github.com/indygreg/python-build-standalone/releases/download/20240224/cpython-3.11.8+20240224-aarch64-apple-darwin-install_only.tar.gz
+darwin_arm64_sha256 = 389a51139f5abe071a0d70091ca5df3e7a3dfcfcbe3e0ba6ad85fb4c5638421e
+linux_x86_64 = https://github.com/indygreg/python-build-standalone/releases/download/20240224/cpython-3.11.8+20240224-x86_64-unknown-linux-gnu-install_only.tar.gz
+linux_x86_64_sha256 = 94e13d0e5ad417035b80580f3e893a72e094b0900d5d64e7e34ab08e95439987
+linux_arm64 = https://github.com/indygreg/python-build-standalone/releases/download/20240224/cpython-3.11.8+20240224-aarch64-unknown-linux-gnu-install_only.tar.gz
+linux_arm64_sha256 = 389b9005fb78dd5a6f68df5ea45ab7b30d9a4b3222af96999e94fd20d4ad0c6a

requirements-base.txt

@@ -13,7 +13,7 @@ datadog>=0.49
 django-crispy-forms>=1.14.0
 django-csp>=3.8
 django-pg-zero-downtime-migrations>=0.13
-Django>=5.0.3
+Django>=5.0.4
 djangorestframework>=3.15.1
 drf-spectacular>=0.26.3
 email-reply-parser>=0.5.12

requirements-dev-frozen.txt

@@ -39,7 +39,7 @@ cssutils==2.9.0
 datadog==0.49.1
 distlib==0.3.8
 distro==1.8.0
-django==5.0.3
+django==5.0.4
 django-crispy-forms==1.14.0
 django-csp==3.8
 django-pg-zero-downtime-migrations==0.13

requirements-frozen.txt

@@ -32,7 +32,7 @@ cssselect==1.0.3
 cssutils==2.9.0
 datadog==0.49.1
 distro==1.8.0
-django==5.0.3
+django==5.0.4
 django-crispy-forms==1.14.0
 django-csp==3.8
 django-pg-zero-downtime-migrations==0.13

self-hosted/Dockerfile

@@ -1,4 +1,4 @@
-FROM python:3.11.6-slim-bullseye
+FROM python:3.11.8-slim-bookworm
 
 LABEL maintainer="oss@sentry.io"
 LABEL org.opencontainers.image.title="Sentry"
@@ -11,8 +11,8 @@ LABEL org.opencontainers.image.authors="oss@sentry.io"
 # add our user and group first to make sure their IDs get assigned consistently
 RUN groupadd -r sentry && useradd -r -m -g sentry sentry
 
-ENV GOSU_VERSION=1.12 \
-  GOSU_SHA256=0f25a21cf64e58078057adc78f38705163c1d564a959ff30a891c31917011a54 \
+ENV GOSU_VERSION=1.17 \
+  GOSU_SHA256=bbc4136d03ab138b1ad66fa4fc051bafc6cc7ffae632b069a53657279a450de3 \
   TINI_VERSION=0.19.0 \
   TINI_SHA256=93dcc18adc78c65a028a84799ecf8ad40c936fdfc5f2a57b1acda5a8117fa82c
 
@@ -62,7 +62,7 @@ RUN set -x \
   && apt-get install -y --no-install-recommends $buildDeps \
   && pip install -r /tmp/requirements-frozen.txt \
   && mkdir /tmp/uwsgi-dogstatsd \
-                                                                  # pinned the same as in getsentry
+  # pinned the same as in getsentry
   && wget -O - https://github.com/DataDog/uwsgi-dogstatsd/archive/1a04f784491ab0270b4e94feb94686b65d8d2db1.tar.gz | \
   tar -xzf - -C /tmp/uwsgi-dogstatsd --strip-components=1 \
   && UWSGI_NEED_PLUGIN="" uwsgi --build-plugin /tmp/uwsgi-dogstatsd \