airbyte-ci: bust java build cache to fix vulnerabilities

[alafanechere]

What

The yum update command occuring the java connector build pipeline is cached by dagger.
This prevents benefittng from updated system packages which might get fixed vulnerabilities.

How

Bust the yum update layer on a daily basis.

Pre-release source-postgres to check if less vulnerabilities are in a version with a fresh yum update

Results

grype airbyte/source-postgres:latest

1 critical, 12 high, 16 medium, 6 low, 0 negligible

grype airbyte/source-postgres:3.4.13-dev.fcd46868de

1 critical, 5 high, 6 medium, 0 low, 0 negligible

Sounds like a win 🎉

[vercel]

The latest updates on your projects. Learn more about Vercel for Git ↗︎

1 Ignored Deployment

Name	Status	Preview	Comments	Updated (UTC)
airbyte-docs	⬜️ Ignored (Inspect)	Visit Preview		Jun 6, 2024 4:04pm

[alafanechere]

• airbyte-ci: bust java build cache to fix vulnerabilities #39321 👈
• master

This stack of pull requests is managed by Graphite. Learn more about stacking.

Join @alafanechere and the rest of your teammates on Graphite

[evantahler]

👊

[evantahler]

Does this update less things (only security) or more things (whatever we updated before AND security)?

[alafanechere]

@evantahler It updates less things (only security):

The --security parameter is important. Without it, yum update installs all updates, including bug fixes and enhancements.
(source)

[evantahler]

But don't we want all the updates?

[alafanechere]

I'm not sure, I think I prefer to know that only the security patches might lead to system library version change. The less versions change the less surprises, isn't it?

[natikgadzhi]

Should we re-build everything and re-publish patch versions of every java connector to clean out the vulnerabilities? Any good way to automate it? /cc @wennergr