fix(seed): overlay containerd v2.3.0 in php-seed to clear upstream Go-module CVEs (#15765)

fix(seed): overlay containerd v2.3.0 in php-seed to address upstream Go-module CVEs

The docker:29.4.1-dind-alpine3.23 base image ships containerd v2.2.3, whose
transitive Go-module deps in /usr/local/bin/containerd, /usr/local/bin/ctr,
and /usr/local/bin/containerd-shim-runc-v2 trip a Critical (gRPC) and two
High (go-jose, otel SDK) findings in grype/AWS Inspector scans.

containerd v2.3.0 bumps these deps to patched versions
(grpc v1.78.0 -> v1.80.0, otel v1.38.0 -> v1.43.0, otel/sdk v1.38.0 -> v1.43.0,
go-jose v4.1.3 -> v4.1.4). We overlay the statically-linked containerd-2.3.0
binaries on top of the base image; dockerd talks to containerd via the stable
gRPC plugin protocol so a newer minor is wire-compatible.

Reduces unique fixable CVEs in the php-seed image from 19 to 16
(eliminates the only Critical and 2 High findings: CVE-2026-33186,
GHSA-78h2-9frx-2jm8, GHSA-9h8m-3fm2-qjrq). Remaining findings live in
docker-buildx / docker-compose / runc binaries and are blocked on upstream
releases of those projects.

Co-authored-by: Devin AI <158243242+devin-ai-integration[bot]@users.noreply.github.com>

Author: davidkonigsberg

docker/seed/Dockerfile.php

@@ -5,12 +5,48 @@
     curl -sL "https://github.com/google/go-containerregistry/releases/download/v0.21.2/go-containerregistry_Linux_${ARCH}.tar.gz" | tar xz -C /usr/local/bin crane && \
     crane pull wiremock/wiremock:3.9.1 /wiremock.tar
 
-# Stage 2: Build the seed image
+# Stage 2: Download a newer containerd build to address CVEs in the Go-module
+# deps baked into docker:29.4.1-dind-alpine3.23 (which ships containerd v2.2.3).
+#
+# containerd v2.3.0 bumps grpc v1.78.0 -> v1.80.0, otel v1.38.0 -> v1.43.0,
+# otel/sdk v1.38.0 -> v1.43.0, go-jose v4.1.3 -> v4.1.4 in the /usr/local/bin
+# containerd / ctr / containerd-shim-runc-v2 binaries. The dockerd binary in
+# 29.4.1 talks to containerd over the stable gRPC plugin protocol so newer
+# minor versions of containerd are wire-compatible.
+#
+# We use the `containerd-static-*` archive (statically linked) because the
+# default release tarball is dynamically linked against glibc and won't run
+# on Alpine's musl libc.
+#
+# We deliberately do NOT overlay runc here: the upstream runc v1.4.2 release
+# was built with go1.25.8, which has unfixed stdlib CVEs (CVE-2026-27143 et
+# al.), while the runc v1.3.5 already shipped in the base image was built
+# with the patched go1.26.2 toolchain. Bumping runc would trade two
+# golang.org/x/net findings for several Critical/High stdlib findings, which
+# is a regression.
+FROM alpine:3.23 AS overlay-binaries
+ARG CONTAINERD_VERSION=2.3.0
+RUN apk add --no-cache curl tar && \
+    ARCH=$(uname -m) && \
+    case "$ARCH" in \
+      x86_64) GOARCH=amd64 ;; \
+      aarch64) GOARCH=arm64 ;; \
+      *) echo "Unsupported arch: $ARCH"; exit 1 ;; \
+    esac && \
+    mkdir -p /overlay/usr/local/bin && \
+    curl -fsSL "https://github.com/containerd/containerd/releases/download/v${CONTAINERD_VERSION}/containerd-static-${CONTAINERD_VERSION}-linux-${GOARCH}.tar.gz" \
+      | tar -xz -C /overlay/usr/local --no-same-owner \
+        bin/containerd bin/containerd-shim-runc-v2 bin/ctr
+
+# Stage 3: Build the seed image
 FROM docker:29.4.1-dind-alpine3.23
 
 # Apply latest security patches to base image packages (libssl3, libcrypto3, libcurl, etc.)
 RUN apk upgrade --no-cache
 
+# Overlay newer containerd binaries (see overlay-binaries stage above).
+COPY --from=overlay-binaries /overlay/ /
+
 # Copy pre-pulled wiremock image
 COPY --from=wiremock-pull /wiremock.tar /wiremock.tar