chore(deps): update dependency gitlab-org/gitlab-runner to v17.9.0 #10435

Merged: 1 commit, Feb 20, 2025

uniget-bot

This PR contains the following updates:

Package | Update | Change
gitlab-org/gitlab-runner | minor | 17.8.3 -> 17.9.0

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.


Release Notes

gitlab-org/gitlab-runner (gitlab-org/gitlab-runner)

v17.9.0

New features
  • Add support for fleeting heartbeats/connectivity check before instance acquisition !5340
  • Remove lock files left over in .git/refs !5260 (Ben Brown @benjamb)
  • Autogenerate documentation for supported linux distros/versions !5276
  • use '-f' to allow for race condition (issue #38447) !5324 (Christian Moore @moorehfl)
  • Allow custom naming of service container for the k8s executor !4469
  • Mask by default all known token prefixes !4853
  • Introduce new custom executor build exit code !5028 (Paul Bryant @paulbry)
  • Add GRIT documentation !5263
  • Expand default labels on build pods !5212 (Zalan Meggyesi @zmeggyesi)
  • Add finished job usage data logging !5202
  • Add gitlab_runner_job_prepare_stage_duration_seconds histogram !5334
  • Inject the step-runner binary into the build container [docker executor] !5322
  • Run rpm_verify_fips against FIPS images !5317
  • Support ImageLoad for prebuilt images !5187
  • Update step-runner docker executor integration docs !5347
  • Add labeling to Usage Logger !5283
Security fixes
  • Bump base images version to 0.0.6 !5346
Bug fixes
  • Upgrade RUNNER_IMAGES_VERSION to v0.0.4 !5305
  • Fix Role ARN support with S3 Express buckets !5291
  • Fix Windows image gitlab-runner-helper path !5302
  • Image pusher fixes !5294
  • Fix step-runner inject container run !5354
  • Improve job final update mechanism !5275
  • Revert "Merge branch 'sh-fix-role-arn-s3-express' into 'main'" !5308
  • Deflake pod watcher tests !5310
  • Fix runner image missing tag !5289
  • Do not create containers with duplicate env vars !5325
  • Upgrade RUNNER_IMAGES_VERSION to v0.0.3 !5300
  • Fix race in pod watcher test !5296
  • Fix runner release bugs !5286
  • Document how to configure S3 Express buckets !5321
  • Make custom_build_dir-enabled optional !5333
  • Push the helper image packages to S3 !5288
  • Create copy of aliased helper images, not symlinks !5287
  • Disable interactive git credentials !5080
  • Add clear-docker-cache script to runner image !5357
  • Gracefully handle missing informer permissions !5290
  • Catch external pod disruptions / terminations !5068
  • Fix a Vault kv_ v2 error !5341
  • Document apt limitation and required workaround !5319
  • CI: add release on riscv64 !5131 (Meng Zhuo @mengzhuo1203)
  • Fix missing default alpine images !5318
Maintenance
  • Add clarification on the support policy for the docker machine executor to dockermachine.md !5358
  • Update docs content to use Hugo shortcodes !5362
  • Update self-managed naming in all Runner docs !5309
  • Run ubi images with BUILD_COMMIT_SHA and PARENT_PIPELINE_ID !5244
  • Fix formatting and add link to GRIT docs !5273
  • Replace deprecated field name with the new name !5298
  • Bump base image version !5282
  • Docs: Fix broken external links in runner docs !5344
  • Deploy each commit from main to kubernetes cluster !5314
  • Fix flaky logrotate write test !5292
  • Update step-runner library version to 0.3.0 !5272
  • Make sure deploy to kubernetes works only on main !5352
  • Add global operator config options docs !5351
  • Update offering badges to standard name !5303
  • Update feature flag docs template for Hugo site launch !5258
  • Docs update - Update Architecture naming for GRIT !5274
  • Properly handle shortening for tokens with prefix glcbt- !5270
  • Document userns_mode by providing links to Docker docs !5194
  • Document select executors information as an unordered list !5268
  • Update links to docs from runner docs !5363
  • Docs: Render RPM distro table correctly !5338
  • Fix helper-bin-host target !5252
  • Reduce busy work in main job loop !5350
  • Add riscv64 binary download links !5304 (Meng Zhuo @mengzhuo1203)
  • Remove hosted runner section from under Administer !5299
  • Update docker-machine version !5339
  • More debug logging for artifact uploads & troubleshoot docs !5285
  • Update taskscaler to get ConnectInfo fix for state storage instances !5281 (Matthias Baur @m.baur)
  • Use embedded VCS information rather than add manually !5330
  • Add clarification on the support policy for the docker machine executor to autoscale.md !5359
  • Fix windows image zstd compressing !5323
  • Clean up unused GetUploadEnv() in cache code !5265
  • Document proxy and self-signed certificate error !5280
  • Add service_account parameter in [runners.kubernetes] section !5297
  • Docs: add the mount_propagation parameter to the k8s executors documentation !5353 (Georgi N. Georgiev @ggeorgiev_gitlab)
  • Roll docs linting tooling forward !5284
  • Rename index and move titles to frontmatter !5327
  • Direct-use of the rpm command adversely impacts the yum/dnf database... !5311 (Thomas H Jones II @ferricoxide)
  • Disable Windows Defender properly !5279
  • Add support for building docker images for local dev !5271 (Anthony Juckel @ajuckel)
  • Add a CI job to test the docs website build !5306
  • Add a template for kubernetes feature toggle !5315
  • Remove obsolete note regarding Alpine DNS issues !5320 (Craig Andrews @candrews)

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR has been generated by Renovate Bot.

nicholasdille-bot left a comment

Auto-approved because label type/renovate is present.


🔍 Vulnerabilities of ghcr.io/uniget-org/tools/gitlab-runner:17.9.0

📦 Image Reference ghcr.io/uniget-org/tools/gitlab-runner:17.9.0
digest: sha256:a5ac18da602aa12c53a700fa6ddf557df972e35fd173c2003ac618e5353d9895
vulnerabilities: critical: 0, high: 0, medium: 2, low: 1
platform: linux/amd64
size: 30 MB
packages: 226

critical: 0 high: 0 medium: 1 low: 1 github.com/aws/aws-sdk-go 1.55.5 (golang)

pkg:golang/github.com/aws/aws-sdk-go@1.55.5

medium: CVE-2020-8911

Affected range: >=0
Fixed version: Not Fixed
Description

A padding oracle vulnerability exists in the AWS S3 Crypto SDK for GoLang versions prior to V2. The SDK allows users to encrypt files with AES-CBC without computing a Message Authentication Code (MAC), which then allows an attacker who has write access to the target's S3 bucket and can observe whether or not an endpoint with access to the key can decrypt a file, they can reconstruct the plaintext with (on average) 128*length (plaintext) queries to the endpoint, by exploiting CBC's ability to manipulate the bytes of the next block and PKCS5 padding errors. It is recommended to update your SDK to V2 or later, and re-encrypt your files.

low: CVE-2020-8912

Affected range: >=0
Fixed version: Not Fixed
Description

A vulnerability in the in-band key negotiation exists in the AWS S3 Crypto SDK for GoLang versions prior to V2. An attacker with write access to the targeted bucket can change the encryption algorithm of an object in the bucket, which can then allow them to change AES-GCM to AES-CTR. Using this in combination with a decryption oracle can reveal the authentication key used by AES-GCM as decrypting the GMAC tag leaves the authentication key recoverable as an algebraic equation. It is recommended to update your SDK to V2 or later, and re-encrypt your files.

critical: 0 high: 0 medium: 1 low: 0 github.com/docker/machine 0.7.1-0.20170120224952-7b7a141da844 (golang)

pkg:golang/github.com/docker/machine@0.7.1-0.20170120224952-7b7a141da844

medium 6.5: CVE-2023-40453 (OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities)

Affected range: <=v0.16.2
Fixed version: Not Fixed
CVSS Score: 6.5
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
Description

Docker Machine through 0.16.2 allows an attacker, who has control of a worker node, to provide crafted version data, which might potentially trick an administrator into performing an unsafe action (via escape sequence injection), or might have a data size that causes a denial of service to a bastion node. NOTE: This vulnerability only affects products that are no longer supported by the maintainer.


Attempting automerge. See https://github.com/uniget-org/tools/actions/runs/13430208516.


PR is clean and can be merged. See https://github.com/uniget-org/tools/actions/runs/13430208516.

github-actions bot merged commit 66c9b78 into main on Feb 20, 2025
10 checks passed
github-actions bot deleted the renovate/gitlab-org-gitlab-runner-17.x branch on February 20, 2025 07:37