Ensure pinned protobuf persists after conda updates in smoke test (#1785)

* Initial plan

* Pin protobuf to required version

Co-authored-by: Kaniska244 <186041440+Kaniska244@users.noreply.github.com>

* Reapply pinned pip packages after conda installs

Co-authored-by: Kaniska244 <186041440+Kaniska244@users.noreply.github.com>

* Cache required versions for pinned packages

Co-authored-by: Kaniska244 <186041440+Kaniska244@users.noreply.github.com>

* Defer pinned installs until after conda updates

Co-authored-by: Kaniska244 <186041440+Kaniska244@users.noreply.github.com>

* Fix version comparisons and clarify pin reapply

Co-authored-by: Kaniska244 <186041440+Kaniska244@users.noreply.github.com>

* Clarify pinned package reinstall comment

Co-authored-by: Kaniska244 <186041440+Kaniska244@users.noreply.github.com>

* Expand pinned package reinstall comment

Co-authored-by: Kaniska244 <186041440+Kaniska244@users.noreply.github.com>

* Align comment terminology for pin list

Co-authored-by: Kaniska244 <186041440+Kaniska244@users.noreply.github.com>

* Refine pin list comment wording

Co-authored-by: Kaniska244 <186041440+Kaniska244@users.noreply.github.com>

* Clarify pin list timing in comment

Co-authored-by: Kaniska244 <186041440+Kaniska244@users.noreply.github.com>

* Quote associative array subscripts

Co-authored-by: Kaniska244 <186041440+Kaniska244@users.noreply.github.com>

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: Kaniska244 <186041440+Kaniska244@users.noreply.github.com>

Author: Copilot

src/anaconda/.devcontainer/apply_security_patches.sh

@@ -14,19 +14,21 @@ cols=2
 
 # Define the 2D array
 declare -A packages_array
+declare -A required_versions
 
 # Fill the 2D array
 for ((i=0; i<rows; i++)); do
     # Split each element of vulnerable_packages by the '=' sign
     IFS='=' read -ra parts <<< "${vulnerable_packages[$i]}"
     # Assign the parts to the 2D array
-    packages_array[$i,0]=${parts[0]}
-    packages_array[$i,1]=${parts[1]}
+    packages_array["$i,0"]="${parts[0]}"
+    packages_array["$i,1"]="${parts[1]}"
+    required_versions["${parts[0]}"]="${parts[1]}"
 done
 
 # Add an array for packages that should always pin to the provided version, 
 # even if higher version is available in conda channel
-pin_to_required_version=("transformers" "imagecodecs" "brotli")
+pin_to_required_version=("transformers" "imagecodecs" "brotli" "protobuf")
 
 # Function to check if a package is in the pin_to_required_version array
 function is_pin_to_required_version() {
@@ -40,38 +42,51 @@ function is_pin_to_required_version() {
 }
 
 for ((i=0; i<rows; i++)); do
-    CURRENT_VERSION=$(pip show "${packages_array[$i,0]}" --disable-pip-version-check | grep '^Version:' | awk '{print $2}')
-    REQUIRED_VERSION="${packages_array[$i,1]}"
-    GREATER_VERSION_A=$((echo ${REQUIRED_VERSION}; echo ${CURRENT_VERSION}) | sort -V | tail -1)
+    CURRENT_VERSION=$(pip show "${packages_array["$i,0"]}" --disable-pip-version-check | grep '^Version:' | awk '{print $2}')
+    REQUIRED_VERSION="${packages_array["$i,1"]}"
+    if is_pin_to_required_version "${packages_array["$i,0"]}"; then
+        continue
+    fi
+    GREATER_VERSION_A=$( (echo ${REQUIRED_VERSION}; echo ${CURRENT_VERSION}) | sort -V | tail -1)
     # Check if the required_version is greater than current_version
     if [[ $CURRENT_VERSION != $GREATER_VERSION_A ]]; then
-        echo "${packages_array[$i,0]} version v${CURRENT_VERSION} installed by the base image is not greater or equal to the required: v${REQUIRED_VERSION}"
+        echo "${packages_array["$i,0"]} version v${CURRENT_VERSION} installed by the base image is not greater or equal to the required: v${REQUIRED_VERSION}"
         # Check whether conda channel has a greater or equal version available, so install from conda, otherwise use pip package manager
         channel_name="anaconda"
-        CONDA_VERSION=$(conda search "${packages_array[$i,0]}" -c "$channel_name" | \
+        CONDA_VERSION=$(conda search "${packages_array["$i,0"]}" -c "$channel_name" | \
             grep -E '^[[:alnum:]]' | \
             awk '{print $2}' | \
             sort -V | \
             uniq | \
             tail -n 2 | \
             head -n 1)
         if [[ -z "$CONDA_VERSION" ]]; then
-            echo "No version for ${packages_array[$i,0]} found in conda channel."
+            echo "No version for ${packages_array["$i,0"]} found in conda channel."
             CONDA_VERSION="0"
         fi
-        GREATER_VERSION_B=$((echo ${REQUIRED_VERSION}; echo ${CONDA_VERSION}) | sort -V | tail -1)
-        if is_pin_to_required_version "${packages_array[$i,0]}"; then
-            echo -e "Package ${packages_array[$i,0]} is set to always use the required version: v${REQUIRED_VERSION}.\n";
-            echo "Installing ${packages_array[$i,0]} from pip for v${REQUIRED_VERSION}..."
-            python3 -m pip install --upgrade --no-cache-dir "${packages_array[$i,0]}==${REQUIRED_VERSION}"
-        elif [[ $CONDA_VERSION == $GREATER_VERSION_B ]]; then        
+        GREATER_VERSION_B=$( (echo ${REQUIRED_VERSION}; echo ${CONDA_VERSION}) | sort -V | tail -1)
+        if [[ $CONDA_VERSION == $GREATER_VERSION_B ]]; then        
             echo -e "Found Version v${CONDA_VERSION} in the Conda channel which is greater than or equal to the required version: v${REQUIRED_VERSION}. \n";
-            echo "Installing ${packages_array[$i,0]} from source from conda channel for v${REQUIRED_VERSION}..."
-            conda install "${packages_array[$i,0]}==${CONDA_VERSION}"        
+            echo "Installing ${packages_array["$i,0"]} from source from conda channel for v${REQUIRED_VERSION}..."
+            conda install "${packages_array["$i,0"]}==${CONDA_VERSION}"        
         elif [[ $REQUIRED_VERSION == $GREATER_VERSION_B ]]; then 
             echo -e "Required version: v${REQUIRED_VERSION} is greater than the version found in the Conda channel v${CONDA_VERSION}. \n";
-            echo "Installing ${packages_array[$i,0]} from source from pip package manager for v${REQUIRED_VERSION}..."
-            python3 -m pip install --upgrade --no-cache-dir "${packages_array[$i,0]}==${REQUIRED_VERSION}"
+            echo "Installing ${packages_array["$i,0"]} from source from pip package manager for v${REQUIRED_VERSION}..."
+            python3 -m pip install --upgrade --no-cache-dir "${packages_array["$i,0"]}==${REQUIRED_VERSION}"
         fi
     fi
 done
+
+# After the main upgrade loop, install packages from the pin_to_required_version list at their required versions to keep exact versions even if conda upgrades them as dependencies.
+for pkg in "${pin_to_required_version[@]}"; do
+    REQUIRED_VERSION="${required_versions["$pkg"]}"
+    if [[ -z "${REQUIRED_VERSION}" ]]; then
+        echo "WARNING: Missing required version for ${pkg}. Skipping installation."
+        continue
+    fi
+    CURRENT_VERSION=$(pip show "${pkg}" --disable-pip-version-check | grep '^Version:' | awk '{print $2}')
+    if [[ "${CURRENT_VERSION}" != "${REQUIRED_VERSION}" ]]; then
+        echo "Installing ${pkg} from pip for v${REQUIRED_VERSION}..."
+        python3 -m pip install --upgrade --no-cache-dir "${pkg}==${REQUIRED_VERSION}"
+    fi
+done

src/anaconda/README.md

@@ -30,7 +30,7 @@ You can decide how often you want updates by referencing a [semantic version](ht
 
 - `mcr.microsoft.com/devcontainers/anaconda:1-3`
 - `mcr.microsoft.com/devcontainers/anaconda:1.3-3`
-- `mcr.microsoft.com/devcontainers/anaconda:1.3.10-3`
+- `mcr.microsoft.com/devcontainers/anaconda:1.3.11-3`
 
 See [history](history) for information on the contents of each version and [here for a complete list of available tags](https://mcr.microsoft.com/v2/devcontainers/anaconda/tags/list).
 

src/anaconda/manifest.json

@@ -1,5 +1,5 @@
 {
-	"version": "1.3.10",
+	"version": "1.3.11",
 	"build": {
 		"latest": true,
 		"rootDistro": "debian",
@@ -67,4 +67,4 @@
 			}
 		}
 	}
-}
+}