[ci] fix zlib1g security vulnerability

dockerfiles/apt_preferences

@@ -0,0 +1,9 @@
+Explanation: Uninstall or do not install any Debian-originated
+Explanation: package versions other than those in the stable distro
+Package: *
+Pin: release a=stable
+Pin-Priority: 900
+
+Package: zlib1g
+Pin: release a=trixie
+Pin-Priority: -10

dockerfiles/debian.sources

@@ -0,0 +1,17 @@
+Types: deb deb-src
+URIs: http://deb.debian.org/debian
+Suites: bookworm bookworm-updates
+Components: main
+Signed-By: /usr/share/keyrings/debian-archive-keyring.gpg
+
+Types: deb deb-src
+URIs: http://deb.debian.org/debian-security
+Suites: bookworm-security
+Components: main
+Signed-By: /usr/share/keyrings/debian-archive-keyring.gpg
+
+Types: deb
+URIs: http://deb.debian.org/debian
+Suites: trixie
+Components: main
+Signed-By: /usr/share/keyrings/debian-archive-keyring.gpg

dockerfiles/dockerfile-samgis-base

@@ -21,6 +21,7 @@ ARG POETRY_VIRTUALENVS_CREATE
 ARG POETRY_CACHE_DIR
 ARG RIE
 ARG DEPENDENCY_GROUP
+ARG ZLIB1G="http://ftp.it.debian.org/debian/pool/main/z/zlib/zlib1g_1.3.dfsg-3+b1_amd64.deb"
 
 RUN echo "ARCH: $ARCH ..."
 
@@ -36,9 +37,15 @@ WORKDIR ${LAMBDA_TASK_ROOT}
 COPY requirements_poetry.txt pyproject.toml poetry.lock README.md ${LAMBDA_TASK_ROOT}/
 
 # avoid segment-geospatial exception caused by missing libGL.so.1 library
-# RUN apt update && apt install -y libgl1 curl python3-pip && apt clean
-RUN apt update && apt install -y libgl1 curl
-RUN apt update && apt install -y python3-pip && apt clean
+RUN echo "BUILDER: check libz.s* before start" && ls -l /usr/lib/${ARCH}-linux-gnu/libz.so*
+RUN apt update && apt install -y libgl1 curl python3-pip && apt clean
+COPY ./dockerfiles/apt_preferences /etc/apt/preferences
+COPY ./dockerfiles/debian.sources /etc/apt/sources.list.d/debian.sources
+RUN apt update && apt install -t trixie zlib1g -y && apt clean
+RUN echo "BUILDER: check libz.s* after install from trixie" && ls -l /usr/lib/${ARCH}-linux-gnu/libz.so*
+
+RUN ls -l /etc/apt/sources* /etc/apt/preferences*
+RUN curl -Lo /usr/local/bin/aws-lambda-rie ${RIE}
 
 # poetry installation path is NOT within ${LAMBDA_TASK_ROOT}: not needed for runtime docker image
 RUN python -m pip install -r ${LAMBDA_TASK_ROOT}/requirements_poetry.txt
@@ -48,8 +55,6 @@ RUN poetry config virtualenvs.path ${LAMBDA_TASK_ROOT}
 RUN echo "# poetry config --list #" && poetry config --list
 RUN poetry install --with ${DEPENDENCY_GROUP} --no-root
 
-RUN curl -Lo /usr/local/bin/aws-lambda-rie ${RIE}
-
 
 FROM python:3.11-slim-bookworm as runtime
 
@@ -61,6 +66,10 @@ ENV VIRTUAL_ENV=${LAMBDA_TASK_ROOT}/.venv \
 
 RUN echo "COPY --from=builder_global /usr/lib/${ARCH}-linux-gnu/libGL.so* /usr/lib/${ARCH}-linux-gnu/"
 COPY --from=builder_global /usr/lib/${ARCH}-linux-gnu/libGL.so* /usr/lib/${ARCH}-linux-gnu/
+RUN echo "RUNTIME: check libz.s* before upgrade" && ls -l /usr/lib/${ARCH}-linux-gnu/libz.so*
+RUN echo "RUNTIME: remove libz.s* to force upgrade" && rm /usr/lib/${ARCH}-linux-gnu/libz.so*
+COPY --from=builder_global /usr/lib/${ARCH}-linux-gnu/libz.so* /usr/lib/${ARCH}-linux-gnu/
+RUN echo "RUNTIME: check libz.s* after copy" && ls -l /usr/lib/${ARCH}-linux-gnu/libz.so*
 COPY --from=builder_global ${LAMBDA_TASK_ROOT}/.venv ${LAMBDA_TASK_ROOT}/.venv
 
 RUN echo "new LAMBDA_TASK_ROOT after hidden venv copy => ${LAMBDA_TASK_ROOT}"

scripts/copy_folder_to_host.sh

@@ -1,12 +0,0 @@
-#!/usr/bin/env bash
-
-echo "options:"
-echo "\$1: container folder we copy from"
-echo "\$2: container folder we copy to (could also be an host folder)"
-
-cp -r "$1" "$2"
-echo "copied folder $1 to folder $2!"
-ls -ld "$2"
-ls -l "$2"
-
-exit 0