[release-1.29]Bump runc to v1.2.8 - CVE-2025-52881

[TomSweeneyRedHat]

This addresses bumping crun to v1.2.8, which is a huge jump
for this repository, but it's the first version of runc
with the fix for CVE-2025-52881.

This also fixes CVE-2025-31133 and CVE-2025-52565.

Fixes: https://issues.redhat.com/browse/RHEL-126920, https://issues.redhat.com/browse/RHEL-126922
and partially addresses: https://issues.redhat.com/browse/OCPBUGS-64906

Then bump to Buildah v1.29.6

What type of PR is this?

/kind api-change
/kind bug
/kind cleanup
/kind deprecation
/kind design
/kind documentation
/kind failing-test
/kind feature
/kind flake
/kind other

What this PR does / why we need it:

How to verify it

Which issue(s) this PR fixes:

Special notes for your reviewer:

Does this PR introduce a user-facing change?

None

[NO NEW TESTS NEEDED]

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: TomSweeneyRedHat

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [TomSweeneyRedHat]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[TomSweeneyRedHat]

@timcoding1988 any thoughts on the errors in here? I think I may need to update the AWS creds here too? The smoke test error looks like lint ran out of resources?

[+0015s] ./tests/tools/build/golangci-lint run --deadline=20m --color=always -j1
[+0168s] make: *** [Makefile:199: lint] Killed

@cevich holler if you have thoughts on this.

[cevich]

I had the exact same problem on my PR. I believe removing this line was what fixed it for me.

Edit: Another thing that may be relevant, on my PR all the "Gb" units were changed to just "G" in my cirrus.yaml, for example.

[TomSweeneyRedHat]

@cevich that revive line wasn't there, but I did change the Gb to G and we'll see how that goes.

[TomSweeneyRedHat]

@cevich, I forgot to add a commit to bump x/tools per an earlier suggestion from @nalind. I think that might turn the trick.

[cevich]

@TomSweeneyRedHat I'm so sorry: David Shea is off this week and I was looking at picking up for him. I noticed he didn't have a PR for 1.29 and completely forgot you had this PR open already. Didn't even register to me that I had already answered your questions on it. So dumb. 😞

Anyway, I released the Clanker[*] to backport my 1.33 PR (in full) to 1.29 and just pushed that up as #6538 It wasn't my intention to usurp your work here, though, maybe, just maybe, the CI gods will give us some more insights from my PR? Regardless, I'm happy to close and let you continue here if you wish.

[*] Clanker is gen-Z derogatory slang for AI 🤣

[cevich]

Interesting, the Smoke Test failure on my PR is the same! On my 1.33 PR, I had a similar issue (in appearance) and it definitely went away when I removed revive. So this must be something different.

In the distant past when I encountered this golangci-lint behavior, it was always very frustrating to debug. On some occasions the root cause was the environment not having enough memory. Other times the tool was segfaulting while running some check or another. In all cases, it never gave any feedback it just died (like it is here).

Maybe there's a way to run this tool locally with some added "-v" options to increase the noise?

[TomSweeneyRedHat]

@cevich no worries at all about over-riding this with your own PR. I just know this whole mess will be a slog, so was just trying to move things along.

[TomSweeneyRedHat]

@nalind any thoughts on the smoke test error or best yet, how to make it disappear?

[TomSweeneyRedHat]

Closing in favor of #6538 from @cevich