From 20e715ba55cf92f72d55cee5a42dd6f8484fd6dc Mon Sep 17 00:00:00 2001
From: Jon Skeet <jonskeet@google.com>
Date: Wed, 22 Apr 2026 14:02:27 +0000
Subject: [PATCH 1/2] deps: update to bazelisk 1.28.1

We expect this to resolve security vulnerabilities associated with
older go standard libraries.
---
 infrastructure/googleapis/Dockerfile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/infrastructure/googleapis/Dockerfile b/infrastructure/googleapis/Dockerfile
index 0628b498..7c9f3d59 100644
--- a/infrastructure/googleapis/Dockerfile
+++ b/infrastructure/googleapis/Dockerfile
@@ -1,6 +1,6 @@
 FROM marketplace.gcr.io/google/debian12:latest
 
-ARG BAZELISK_VERSION=1.26.0
+ARG BAZELISK_VERSION=1.28.1
 ARG BAZEL_VERSION=7.7.1
 
 RUN apt-get update && \

From 8b4af6b825e6a951b7072bdc47f4900a4d896b3b Mon Sep 17 00:00:00 2001
From: Jon Skeet <jonskeet@google.com>
Date: Wed, 22 Apr 2026 14:03:56 +0000
Subject: [PATCH 2/2] chore: separate out chmod in the googleapis Dockerfile

This should make it easier to diagnose and resolve vulnerabilities.
---
 infrastructure/googleapis/Dockerfile | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/infrastructure/googleapis/Dockerfile b/infrastructure/googleapis/Dockerfile
index 7c9f3d59..d3131352 100644
--- a/infrastructure/googleapis/Dockerfile
+++ b/infrastructure/googleapis/Dockerfile
@@ -30,7 +30,10 @@ RUN mkdir -p /tools
 # Add bazelisk and bazel CLIs
 ADD https://github.com/bazelbuild/bazelisk/releases/download/v${BAZELISK_VERSION}/bazelisk-linux-amd64 /tools/bazelisk
 ADD https://github.com/bazelbuild/bazel/releases/download/${BAZEL_VERSION}/bazel-${BAZEL_VERSION}-linux-x86_64 /tools/bazel
-RUN chmod +x /tools/bazelisk /tools/bazel
+# Make the tools executable. These operations are performed in separate
+# layers to make it easier to determine where vulnerabilities come from.
+RUN chmod +x /tools/bazelisk
+RUN chmod +x /tools/bazel
 
 WORKDIR /