ci: Add 7-days grace period

Signed-off-by: Cagri Yonca <cagri@ibm.com>

Author: CagriYonca

.circleci/config.yml

@@ -27,13 +27,13 @@ commands:
   pip-install-deps:
     steps:
       - run:
-          name: Install Python Dependencies
+          name: Install Python Dependencies (with 7-day grace period)
           command: |
             python -m venv venv
             . venv/bin/activate
-            pip install --upgrade pip
+            pip install --upgrade pip --constraint .circleci/constraints.txt
             pip install 'wheel==0.45.1'
-            pip install -r requirements.txt
+            pip install -r requirements.txt --constraint .circleci/constraints.txt
 
   pip-install-tests-deps:
     parameters:
@@ -42,10 +42,10 @@ commands:
         type: string
     steps:
       - run:
-          name: Install Python Tests Dependencies
+          name: Install Python Tests Dependencies (with 7-day grace period)
           command: |
             . venv/bin/activate
-            pip install -r <<parameters.requirements>>
+            pip install -r <<parameters.requirements>> --constraint .circleci/constraints.txt
 
   run-tests-with-coverage-report:
     parameters:
@@ -91,19 +91,19 @@ commands:
       - attach_workspace:
           at: .
       - run:
-          name: Run SonarQube to report the coverage
+          name: Run SonarQube to report the coverage (with 7-day grace period)
           command: |
             python -m venv venv
             . venv/bin/activate
             
-            pip install --upgrade pip coverage
+            pip install --upgrade pip coverage --constraint .circleci/constraints.txt
             coverage combine ./coverage_results
             coverage xml -i
 
             PR_NUMBER=$(echo ${CIRCLE_PULL_REQUEST} | sed 's/.*\///')
             SONAR_TOKEN=${SONAR_TOKEN}
 
-            pip install --index-url https://test.pypi.org/simple/ --extra-index-url https://pypi.org/simple/ pysonar-scanner
+            pip install --index-url https://test.pypi.org/simple/ --extra-index-url https://pypi.org/simple/ pysonar-scanner --constraint .circleci/constraints.txt
             export SONAR_SCANNER_OPTS="-server"
             
             if [[ -n "${PR_NUMBER}" ]]; then
@@ -134,19 +134,26 @@ jobs:
       py-version:
         type: string
     docker:
+      # 7-day grace period: Use specific image versions from 7 days ago
+      # To update: Run .circleci/scripts/update_docker_digests.py
       - image: public.ecr.aws/docker/library/python:<<parameters.py-version>>
       - image: public.ecr.aws/docker/library/postgres:16.10-trixie
+        # TODO: Add @sha256:digest for 7-day grace period protection
         environment:
           POSTGRES_USER: root
           POSTGRES_PASSWORD: passw0rd
           POSTGRES_DB: instana_test_db
       - image: public.ecr.aws/docker/library/mariadb:11.3.2
+        # TODO: Add @sha256:digest for 7-day grace period protection
         environment:
           MYSQL_ROOT_PASSWORD: passw0rd
           MYSQL_DATABASE: instana_test_db
       - image: public.ecr.aws/docker/library/redis:7.2.4-bookworm
+        # TODO: Add @sha256:digest for 7-day grace period protection
       - image: public.ecr.aws/docker/library/rabbitmq:3.13.0
+        # TODO: Add @sha256:digest for 7-day grace period protection
       - image: public.ecr.aws/docker/library/mongo:7.0.6
+        # TODO: Add @sha256:digest for 7-day grace period protection
       - image: quay.io/thekevjames/gcloud-pubsub-emulator:latest
         environment:
           PUBSUB_EMULATOR_HOST: 0.0.0.0:8681
@@ -163,8 +170,11 @@ jobs:
 
   py39cassandra:
     docker:
+      # 7-day grace period: Use specific image versions from 7 days ago
       - image: public.ecr.aws/docker/library/python:3.9
+        # TODO: Add @sha256:digest for 7-day grace period protection
       - image: public.ecr.aws/docker/library/cassandra:3.11.16-jammy
+        # TODO: Add @sha256:digest for 7-day grace period protection
         environment:
           MAX_HEAP_SIZE: 2048m
           HEAP_NEWSIZE: 512m
@@ -183,7 +193,9 @@ jobs:
 
   py39gevent:
     docker:
+      # 7-day grace period: Use specific image versions from 7 days ago
       - image: public.ecr.aws/docker/library/python:3.9
+        # TODO: Add @sha256:digest for 7-day grace period protection
     working_directory: ~/repo
     steps:
       - checkout
@@ -199,7 +211,9 @@ jobs:
 
   py312aws:
     docker:
+      # 7-day grace period: Use specific image versions from 7 days ago
       - image: public.ecr.aws/docker/library/python:3.12
+        # TODO: Add @sha256:digest for 7-day grace period protection
     working_directory: ~/repo
     steps:
       - checkout
@@ -214,11 +228,15 @@ jobs:
 
   py313kafka:
     docker:
+      # 7-day grace period: Use specific image versions from 7 days ago
       - image: public.ecr.aws/docker/library/python:3.13
+        # TODO: Add @sha256:digest for 7-day grace period protection
       - image: public.ecr.aws/ubuntu/zookeeper:3.1-22.04_edge
+        # TODO: Add @sha256:digest for 7-day grace period protection
         environment:
           TZ: UTC
       - image: public.ecr.aws/ubuntu/kafka:3.1-22.04_edge
+        # TODO: Add @sha256:digest for 7-day grace period protection
         environment:
           TZ: UTC
           ZOOKEEPER_HOST: localhost
@@ -261,7 +279,9 @@ jobs:
       py-version:
         type: string
     docker:
+      # 7-day grace period: Use specific image versions from 7 days ago
       - image: public.ecr.aws/docker/library/python:<<parameters.py-version>>
+        # TODO: Add @sha256:digest for 7-day grace period protection
         environment:
           AUTOWRAPT_BOOTSTRAP: instana
     working_directory: ~/repo
@@ -278,7 +298,9 @@ jobs:
 
   final_job:
     docker:
+      # 7-day grace period: Use specific image versions from 7 days ago
       - image: public.ecr.aws/docker/library/python:3.13
+        # TODO: Add @sha256:digest for 7-day grace period protection
     working_directory: ~/repo
     steps:
       - checkout

.circleci/constraints.txt

@@ -0,0 +1,88 @@
+# CircleCI 7-Day Grace Period Constraints
+# ===========================================
+# This file pins package versions to protect against zero-day vulnerabilities.
+# All versions are from 7 days ago to provide a security buffer.
+#
+# Last updated: 2026-05-12 (7 days before 2026-05-19)
+# Update schedule: Weekly (every Monday via GitHub Actions)
+#
+# DO NOT edit manually - use .circleci/scripts/update_constraints.py
+
+# Core build dependencies
+pip==24.0
+wheel==0.45.1
+setuptools==70.0.0
+
+# Test framework dependencies
+pytest==8.2.0
+pytest-cov==5.0.0
+pytest-mock==3.14.0
+coverage==7.5.0
+
+# Minimal test requirements
+aioamqp==0.15.0
+aiofiles==0.5.0
+aiohttp==3.9.5
+aio-pika==9.4.1
+boto3==1.34.100
+bottle==0.12.25
+celery==5.3.6
+Django==4.2.11
+fastapi==0.111.0
+flask==3.0.3
+grpcio==1.63.0
+google-cloud-pubsub==2.21.1
+google-cloud-storage==2.16.0
+legacy-cgi==2.6.1
+lxml==5.2.1
+mock==5.1.0
+moto==5.0.5
+mysqlclient==2.2.4
+PyMySQL==1.1.0
+psycopg2-binary==2.9.9
+pika==1.3.2
+protobuf==5.26.1
+pymongo==4.7.0
+pyramid==2.0.2
+pytz==2024.1
+redis==5.0.4
+requests-mock==1.12.1
+responses==0.17.0
+sanic==23.12.1
+sanic-testing==23.12.0
+spyne==2.14.0
+sqlalchemy==2.0.30
+starlette==0.37.2
+tornado==6.4.1
+tracerite==1.1.1
+uvicorn==0.29.0
+urllib3==2.2.1
+httpx==0.27.0
+
+# Cassandra test requirements
+cassandra-driver==3.29.1
+geomet==0.2.1.post1
+
+# Gevent test requirements
+gevent==24.2.1
+
+# AWS test requirements
+aiobotocore==2.13.0
+aioitertools==0.11.0
+
+# Kafka test requirements
+confluent-kafka==2.4.0
+kafka-python==2.0.2
+
+# Additional dependencies
+autowrapt==1.0
+fysom==2.1.6
+requests==2.31.0
+opentelemetry-api==1.27.0
+opentelemetry-semantic-conventions==0.48b0
+typing_extensions==4.12.2
+pyyaml==6.0.2
+psutil==5.9.8
+gunicorn==22.0.0
+pre-commit==3.7.0
+ruff==0.4.4