
Conversation

@saturley-hall (Member) commented Oct 8, 2025

Overview:

Bumps the version of the runtime base distroless container to fix CVE-2025-9230

Summary by CodeRabbit

  • Chores
    • Upgraded the operator container base image to the latest patch release for the distroless Go runtime used in deployments. This brings upstream security and stability updates with no expected behavior changes.
    • Aligned build and deployment configurations to the same base image version for consistency across environments and reduced supply-chain variance.

@saturley-hall saturley-hall requested a review from a team as a code owner October 8, 2025 09:24
@github-actions github-actions bot added the fix label Oct 8, 2025
@saturley-hall (Member Author) commented:

I have confirmed with nspect scan that this container does not have the CVE in it.

@coderabbitai coderabbitai bot (Contributor) commented Oct 8, 2025

Walkthrough

Updated the operator’s base image tag for nvcr.io/nvidia/distroless/go from v3.1.12 to v3.1.13 in both the Dockerfile and Earthfile. No build steps, commands, or control flow were changed.

Changes

Cohort / File(s): Operator base image bump (deploy/cloud/operator/Dockerfile, deploy/cloud/operator/Earthfile)
Summary: Incremented distroless Go base image tag from v3.1.12 to v3.1.13; no other edits.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

Poem

Patch hop, tiny pop—v3.1.13 I go!
In clouds I pack my carrot snacks, distroless to and fro.
Two files tweaked, no turns oblique—
A tidy build to show.
🥕✨
(_/)
(•‿•)⛅

Pre-merge checks

❌ Failed checks (1 warning)

Description Check: ⚠️ Warning
  Explanation: The PR description only fills the Overview section and omits the required Details, Where should the reviewer start, and Related Issues sections specified in the template.
  Resolution: Please expand the description by adding a Details section describing the changes, a pointer to key files for review, and a Related Issues section that references the CVE or any relevant issue numbers.

✅ Passed checks (2 passed)

Title Check: ✅ Passed
  Explanation: The title succinctly and accurately describes the primary change—which is bumping the distroless Go container in the operator to fix an OpenSSL vulnerability—and follows a clear conventional commit style.

Docstring Coverage: ✅ Passed
  Explanation: No functions found in the changes. Docstring coverage check skipped.

📜 Recent review details

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 0c4c4d1 and 39f5f77.

📒 Files selected for processing (2)
  • deploy/cloud/operator/Dockerfile (1 hunks)
  • deploy/cloud/operator/Earthfile (1 hunks)
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)
  • GitHub Check: Build and Test - dynamo
🔇 Additional comments (2)
deploy/cloud/operator/Earthfile (1)

51-51: LGTM! Consistent base image update.

The base image version bump matches the change in the Dockerfile, ensuring consistency across both build systems.

Note: The deprecation notice (lines 16-22) indicates this Earthfile will be removed in a future release in favor of the Docker-based build system.

deploy/cloud/operator/Dockerfile (1)

50-50: Verify Distroless Go v3.1.13 and CVE-2025-9230 patch

  • Authenticate to NGC and confirm nvcr.io/nvidia/distroless/go:v3.1.13 exists (e.g. via docker manifest inspect or NVIDIA CLI).
  • Inspect the image or official release notes to ensure OpenSSL is updated to a version that includes the CVE-2025-9230 fix (≥ 3.0.18).


@saturley-hall saturley-hall merged commit 0a5df13 into main Oct 8, 2025
20 checks passed
@saturley-hall saturley-hall deleted the harrison/fix_openssl_cve branch October 8, 2025 15:59
saturley-hall added a commit that referenced this pull request Oct 8, 2025
Signed-off-by: Harrison Saturley-Hall <[email protected]>
Signed-off-by: Harrison King Saturley-Hall <[email protected]>
nv-tusharma pushed a commit that referenced this pull request Oct 20, 2025