chore(deps): bump python to 3.11.9 and gosu to 1.17 (#69468)

- bump python to 3.11.9 to resolve security vulnerabilities
- bump gosu to 1.17 to resolve security vulnerabilities
- bump self-hosted docker image to _bookworm_ (Debian 12)

Author: mdtro

.github/actions/setup-sentry/action.yml

@@ -38,7 +38,7 @@ inputs:
   python-version:
     description: 'python version to install'
     required: false
-    default: '3.11.6'
+    default: '3.11.9'
   pg-version:
     description: 'PostgreSQL version to use'
     default: '14'

.github/workflows/backend.yml

@@ -210,7 +210,7 @@ jobs:
       - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
       - uses: getsentry/action-setup-venv@a133e6fd5fa6abd3f590a1c106abda344f5df69f # v2.1.0
         with:
-          python-version: 3.11.6
+          python-version: 3.11.9
           cache-dependency-path: requirements-dev-frozen.txt
           install-cmd: python3 -m tools.hack_pip && pip install -q --constraint requirements-dev-frozen.txt pip-tools
       - name: check requirements
@@ -306,7 +306,7 @@ jobs:
 
       - uses: getsentry/action-setup-venv@a133e6fd5fa6abd3f590a1c106abda344f5df69f # v2.1.0
         with:
-          python-version: 3.11.6
+          python-version: 3.11.9
           cache-dependency-path: requirements-dev-frozen.txt
           install-cmd: python3 -m tools.hack_pip && pip install -r requirements-dev-frozen.txt
 

.github/workflows/development-environment.yml

@@ -33,7 +33,7 @@ jobs:
       - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
       - uses: getsentry/action-setup-venv@a133e6fd5fa6abd3f590a1c106abda344f5df69f # v2.1.0
         with:
-          python-version: 3.11.6
+          python-version: 3.11.9
           cache-dependency-path: |
             requirements-dev.txt
             requirements-dev-frozen.txt
@@ -51,7 +51,7 @@ jobs:
       - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
       - uses: getsentry/action-setup-venv@a133e6fd5fa6abd3f590a1c106abda344f5df69f # v2.1.0
         with:
-          python-version: 3.11.6
+          python-version: 3.11.9
           cache-dependency-path: |
             requirements-dev.txt
             requirements-dev-frozen.txt

.github/workflows/pre-commit.yml

@@ -55,7 +55,7 @@ jobs:
 
       - uses: getsentry/action-setup-venv@a133e6fd5fa6abd3f590a1c106abda344f5df69f # v2.1.0
         with:
-          python-version: 3.11.6
+          python-version: 3.11.9
           cache-dependency-path: |
             requirements-dev.txt
             requirements-dev-frozen.txt

.python-version

@@ -1 +1 @@
-3.11.6
+3.11.9

devenv/config.ini

@@ -1,5 +1,5 @@
 [venv.sentry]
-python = 3.11.6
+python = 3.11.9
 path = .venv
 requirements = requirements-dev.txt
 editable =
@@ -8,7 +8,7 @@ editable =
 # bins =
 
 [venv.getsentry]
-python = 3.11.6
+python = 3.11.9
 # technically these are conflicting paths but getsentry is special
 # and would rather keep devenv config symlinked
 path = .venv
@@ -17,15 +17,15 @@ editable = .
 # but we'll just install it during sync as it's rarely populated
 requirements = sentry-requirements-dev-frozen.txt
 
-[python3.11.6]
-darwin_x86_64 = https://github.com/indygreg/python-build-standalone/releases/download/20231002/cpython-3.11.6+20231002-x86_64-apple-darwin-install_only.tar.gz
-darwin_x86_64_sha256 = 178cb1716c2abc25cb56ae915096c1a083e60abeba57af001996e8bc6ce1a371
-darwin_arm64 = https://github.com/indygreg/python-build-standalone/releases/download/20231002/cpython-3.11.6+20231002-aarch64-apple-darwin-install_only.tar.gz
-darwin_arm64_sha256 = 916c35125b5d8323a21526d7a9154ca626453f63d0878e95b9f613a95006c990
-linux_x86_64 = https://github.com/indygreg/python-build-standalone/releases/download/20231002/cpython-3.11.6+20231002-x86_64-unknown-linux-gnu-install_only.tar.gz
-linux_x86_64_sha256 = ee37a7eae6e80148c7e3abc56e48a397c1664f044920463ad0df0fc706eacea8
-linux_arm64 = https://github.com/indygreg/python-build-standalone/releases/download/20231002/cpython-3.11.6+20231002-aarch64-unknown-linux-gnu-install_only.tar.gz
-linux_arm64_sha256 = 3e26a672df17708c4dc928475a5974c3fb3a34a9b45c65fb4bd1e50504cc84ec
+[python3.11.9]
+darwin_x86_64 = https://github.com/indygreg/python-build-standalone/releases/download/20240415/cpython-3.11.9+20240415-x86_64-apple-darwin-install_only.tar.gz
+darwin_x86_64_sha256 = 9afd734f63a23783cf0257bef25c9231ffc80e7747486dc54cf72f325213fd15
+darwin_arm64 = https://github.com/indygreg/python-build-standalone/releases/download/20240415/cpython-3.11.9+20240415-aarch64-apple-darwin-install_only.tar.gz
+darwin_arm64_sha256 = 7af7058f7c268b4d87ed7e08c2c7844ef8460863b3e679db3afdce8bb1eedfae
+linux_x86_64 = https://github.com/indygreg/python-build-standalone/releases/download/20240415/cpython-3.11.9+20240415-x86_64-unknown-linux-gnu-install_only.tar.gz
+linux_x86_64_sha256 = 78b1c16a9fd032997ba92a60f46a64f795cd18ff335659dfdf6096df277b24d5
+linux_arm64 = https://github.com/indygreg/python-build-standalone/releases/download/20240415/cpython-3.11.9+20240415-aarch64-unknown-linux-gnu-install_only.tar.gz
+linux_arm64_sha256 = b3a7199ac2615d75fb906e5ba556432efcf24baf8651fc70370d9f052d4069ee
 
 [colima]
 darwin_x86_64 = https://github.com/abiosoft/colima/releases/download/v0.6.6/colima-Darwin-x86_64
@@ -41,12 +41,12 @@ version = v0.6.6
 
 # kept here only for compatibility with older `devenv`
 [python]
-version = 3.11.6
-darwin_x86_64 = https://github.com/indygreg/python-build-standalone/releases/download/20231002/cpython-3.11.6+20231002-x86_64-apple-darwin-install_only.tar.gz
-darwin_x86_64_sha256 = 178cb1716c2abc25cb56ae915096c1a083e60abeba57af001996e8bc6ce1a371
-darwin_arm64 = https://github.com/indygreg/python-build-standalone/releases/download/20231002/cpython-3.11.6+20231002-aarch64-apple-darwin-install_only.tar.gz
-darwin_arm64_sha256 = 916c35125b5d8323a21526d7a9154ca626453f63d0878e95b9f613a95006c990
-linux_x86_64 = https://github.com/indygreg/python-build-standalone/releases/download/20231002/cpython-3.11.6+20231002-x86_64-unknown-linux-gnu-install_only.tar.gz
-linux_x86_64_sha256 = ee37a7eae6e80148c7e3abc56e48a397c1664f044920463ad0df0fc706eacea8
-linux_arm64 = https://github.com/indygreg/python-build-standalone/releases/download/20231002/cpython-3.11.6+20231002-aarch64-unknown-linux-gnu-install_only.tar.gz
-linux_arm64_sha256 = 3e26a672df17708c4dc928475a5974c3fb3a34a9b45c65fb4bd1e50504cc84ec
+version = 3.11.9
+darwin_x86_64 = https://github.com/indygreg/python-build-standalone/releases/download/20240415/cpython-3.11.9+20240415-x86_64-apple-darwin-install_only.tar.gz
+darwin_x86_64_sha256 = 9afd734f63a23783cf0257bef25c9231ffc80e7747486dc54cf72f325213fd15
+darwin_arm64 = https://github.com/indygreg/python-build-standalone/releases/download/20240415/cpython-3.11.9+20240415-aarch64-apple-darwin-install_only.tar.gz
+darwin_arm64_sha256 = 7af7058f7c268b4d87ed7e08c2c7844ef8460863b3e679db3afdce8bb1eedfae
+linux_x86_64 = https://github.com/indygreg/python-build-standalone/releases/download/20240415/cpython-3.11.9+20240415-x86_64-unknown-linux-gnu-install_only.tar.gz
+linux_x86_64_sha256 = 78b1c16a9fd032997ba92a60f46a64f795cd18ff335659dfdf6096df277b24d5
+linux_arm64 = https://github.com/indygreg/python-build-standalone/releases/download/20240415/cpython-3.11.9+20240415-aarch64-unknown-linux-gnu-install_only.tar.gz
+linux_arm64_sha256 = b3a7199ac2615d75fb906e5ba556432efcf24baf8651fc70370d9f052d4069ee

self-hosted/Dockerfile

@@ -1,4 +1,4 @@
-FROM python:3.11.6-slim-bullseye
+FROM python:3.11.9-slim-bookworm
 
 LABEL maintainer="oss@sentry.io"
 LABEL org.opencontainers.image.title="Sentry"
@@ -11,8 +11,8 @@ LABEL org.opencontainers.image.authors="oss@sentry.io"
 # add our user and group first to make sure their IDs get assigned consistently
 RUN groupadd -r sentry && useradd -r -m -g sentry sentry
 
-ENV GOSU_VERSION=1.12 \
-  GOSU_SHA256=0f25a21cf64e58078057adc78f38705163c1d564a959ff30a891c31917011a54 \
+ENV GOSU_VERSION=1.17 \
+  GOSU_SHA256=bbc4136d03ab138b1ad66fa4fc051bafc6cc7ffae632b069a53657279a450de3 \
   TINI_VERSION=0.19.0 \
   TINI_SHA256=93dcc18adc78c65a028a84799ecf8ad40c936fdfc5f2a57b1acda5a8117fa82c
 
@@ -62,7 +62,7 @@ RUN set -x \
   && apt-get install -y --no-install-recommends $buildDeps \
   && pip install -r /tmp/requirements-frozen.txt \
   && mkdir /tmp/uwsgi-dogstatsd \
-                                                                  # pinned the same as in getsentry
+  # pinned the same as in getsentry
   && wget -O - https://github.com/DataDog/uwsgi-dogstatsd/archive/1a04f784491ab0270b4e94feb94686b65d8d2db1.tar.gz | \
   tar -xzf - -C /tmp/uwsgi-dogstatsd --strip-components=1 \
   && UWSGI_NEED_PLUGIN="" uwsgi --build-plugin /tmp/uwsgi-dogstatsd \