chore(deps): bump github.com/opencontainers/runc from 1.2.0-rc.1 to 1.2.0-rc.3 #5075

dependabot[bot]
Contributor

@dependabot dependabot bot commented on behalf of github Sep 5, 2024

Bumps github.com/opencontainers/runc from 1.2.0-rc.1 to 1.2.0-rc.3.

Release notes

Sourced from github.com/opencontainers/runc's releases.

runc v1.2.0-rc.2 -- "TRUE or FALSE, it's a problem!"

This is the second release candidate for the 1.2.0 branch of runc. It includes all patches and bugfixes included in runc 1.1 patch releases (up to and including 1.1.13). A fair few new features have been added, and some changes have been made which may affect users. Please help us thoroughly test this release candidate before we release 1.2.0.

Breaking

  • runc now requires a minimum of Go 1.20 to compile. If building with Go 1.22, make sure to use 1.22.4 or a later version (#4233).
  • libcontainer/cgroups users who want to manage cgroup devices need to explicitly import libcontainer/cgroups/devices. (#3452, #4248)

Security

  • The runc binaries provided here were built with go1.21.11, which includes a security fix for os.RemoveAll to fix a bug that would allow an attacker to trick runc into deleting a directory on the host. We encourage users to update, and if they build runc themselves, make sure they build their binaries using go1.21.11 or later, or go1.22.4 or later.

Added

Fixed

  • cgroup v2: do not set swap to 0 or unlimited when it's not available. (#4188)
  • Set the default value of CpuBurst to nil instead of 0. (#4210, #4211)
  • libct/cg: write unified resources line by line. (#4186)
  • libct.Start: fix locking, do not allow a second container init. (#4271)
  • Fix tests in debian testing (mount_sshfs.bats). (#4245)
  • libct/cg/dev: fix TestSetV1Allow panic. (#4295)
  • tests/int/scheduler: require smp. (#4298)

Changed

  • libct/cg/fs: don't write cpu_burst twice on ENOENT. (#4259)
  • Make trimpath optional. (#3908)
  • Remove unused system.Execv. (#4268)
  • Stop blacklisting Go 1.22+, drop Go < 1.21 support, use Go 1.22 in CI. (#4292)
  • Improve some error messages for runc exec. (#4320)
  • ci/gha: bump golangci-lint[-action]. (#4255)
  • tests/int/tty: increase the timeout. (#4260)
  • [ci] use go mod instead of go get in spec.bats. (#4264)
  • tests/int/checkpoint: rm double logging. (#4251)
  • ci/gha: bump golangci-lint-action from 5 to 6. (#4275)
  • .cirrus.yml: rm FIXME from rootless fs on CentOS 7. (#4279)

... (truncated)

Changelog

Sourced from github.com/opencontainers/runc's changelog.

[1.2.0-rc.3] - 2024-09-02

The supreme happiness of life is the conviction that we are loved.

Security

  • Fix CVE-2024-45310, a low-severity attack that allowed maliciously configured containers to create empty files and directories on the host.

Added

  • Document build prerequisites for different platforms. (#4353)

Fixed

  • Try to delete exec fifo file when failure in creation. (#4319)
  • Revert "libcontainer: seccomp: pass around *os.File for notifyfd". (#4337)
  • Fix link to gvariant documentation in systemd docs. (#4369)

Changed

  • Remove pre-go1.17 build-tags. (#4329)
  • libct/userns: assorted (godoc) improvements. (#4330)
  • libct/userns: split userns detection from internal userns code. (#4331)
  • rootfs: consolidate mountpoint creation logic. (#4359)
  • Add Go 1.23, drop 1.21. (#4360)
  • Revert "allow overriding VERSION value in Makefile" and add EXTRA_VERSION. (#4370)
  • Mv contrib/cmd tests/cmd (except memfd-bind). (#4377)
  • Makefile: Don't read COMMIT, BUILDTAGS, EXTRA_BUILDTAGS from env vars. (#4380)

[1.2.0-rc.2] - 2024-06-26

TRUE or FALSE, it's a problem!

Important Notes

  • libcontainer/cgroups users who want to manage cgroup devices need to explicitly import libcontainer/cgroups/devices. (#3452, #4248)
  • If building with Go 1.22.x, make sure to use 1.22.4 or a later version. (see #4233 for more details)

Added

... (truncated)

Commits
  • 45471bc VERSION: release v1.2.0-rc.3
  • 6c24b2e changelog: update to include 1.1.14 notes
  • 9e9fdd8 Merge commit from fork
  • 63c2908 rootfs: try to scope MkdirAll to stay inside the rootfs
  • 346b818 Merge pull request #4380 from rata/makefile-no-envs
  • 767bc00 Makefile: Don't read COMMIT, BUILDTAG, EXTRA_BUILDTAGS from env vars
  • a41b62a Merge pull request #4376 from kolyshkin/simplify-branch-protection
  • 2cd24a4 ci/gha: add all-done jobs
  • 41831e7 Merge pull request #4377 from AkihiroSuda/distro-should-not-install-recvtty-etc
  • 376e875 Merge pull request #4370 from rata/main
  • Additional commits viewable in compare view

Bumps [github.com/opencontainers/runc](https://github.com/opencontainers/runc) from 1.2.0-rc.1 to 1.2.0-rc.3.
- [Release notes](https://github.com/opencontainers/runc/releases)
- [Changelog](https://github.com/opencontainers/runc/blob/main/CHANGELOG.md)
- [Commits](opencontainers/runc@v1.2.0-rc.1...v1.2.0-rc.3)

---
updated-dependencies:
- dependency-name: github.com/opencontainers/runc
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot bot added dependencies Pull requests that update a dependency file go Pull requests that update Go code labels Sep 5, 2024
@johanbrandhorst johanbrandhorst modified the milestones: 0.18.x, 0.17.x Sep 6, 2024
@johanbrandhorst
Collaborator

This fixes https://github.com/hashicorp/crt-workflows-common/actions/runs/10743624811/job/29799584625. I don't see any real CI failures here, all seem circumstantial or false positives.

@johanbrandhorst johanbrandhorst merged commit d45aa40 into main Sep 6, 2024
50 of 65 checks passed
@johanbrandhorst johanbrandhorst deleted the dependabot/go_modules/github.com/opencontainers/runc-1.2.0-rc.3 branch September 6, 2024 22:38