
build: bump runc to v1.2.8#10791

Open
rloomba wants to merge 1 commit into
lightningnetwork:masterfrom
rloomba:rloomba/bump-runc

Conversation


@rloomba rloomba commented May 5, 2026

Change Description

Bump github.com/opencontainers/runc to v1.2.8 in the root, sqldb, and sqldb/v2 modules.

This updates runc to the patched version for the following CVEs:

Steps to Test

Run the following compile-only checks:

go test -run '^$' ./batch ./invoices ./chainparams ./payments/db ./payments/db/migration1 ./graph/db ./graph/db/migration1

cd sqldb
go test -run '^$' ./...

cd sqldb/v2
go test -run '^$' ./...

Pull Request Checklist

Testing

  • Your PR passes all CI checks.
  • Tests covering the positive and negative (error paths) are included.
  • Bug fixes contain tests triggering the bug to prevent regressions.

Code Style and Documentation
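As an added check to go with the compile-only steps in the description above (example code, not part of this PR or of lnd): a POSIX shell script that reads the runc `require` entry out of each of the three go.mod files the PR touches and fails if any module still pins a version below v1.2.8. The file names and module paths are taken from the PR; the go.mod contents it runs against are whatever is checked out.

```shell
#!/bin/sh
# Added example (not part of the PR): confirm that every module in the repo
# requires github.com/opencontainers/runc at the patched version by reading the
# require line from each go.mod. MIN_VERSION is the version this PR bumps to.
set -eu

MIN_VERSION="v1.2.8"
MODULE="github.com/opencontainers/runc"

# Print the version the given go.mod requires for MODULE (empty if absent).
# Handles both single-line "require mod vX" and block-style require entries,
# and ignores any "// indirect" trailer.
runc_version_in() {
  awk -v mod="$MODULE" '
    $1 == "require" && $2 == mod { print $3; exit }
    $1 == mod { print $2; exit }
  ' "$1"
}

# Return 0 if version $1 is >= $2. Compares vMAJOR.MINOR.PATCH numerically;
# pre-release suffixes (e.g. -rc.1) are not modelled, so treat those by hand.
version_at_least() {
  a=$(printf '%s' "$1" | sed 's/^v//'); b=$(printf '%s' "$2" | sed 's/^v//')
  [ "$(printf '%s\n%s\n' "$b" "$a" | sort -t. -k1,1n -k2,2n -k3,3n | head -n1)" = "$b" ]
}

# Check one go.mod; prints a verdict and returns non-zero on a stale pin.
check_module() {
  v=$(runc_version_in "$1")
  if [ -z "$v" ]; then
    echo "$1: $MODULE not required (nothing to check)"; return 0
  fi
  if version_at_least "$v" "$MIN_VERSION"; then
    echo "$1: $MODULE $v OK"; return 0
  fi
  echo "$1: $MODULE $v is below $MIN_VERSION"; return 1
}

# Run against the three modules the PR touches, from the repo root.
check_all() {
  rc=0
  for f in go.mod sqldb/go.mod sqldb/v2/go.mod; do
    [ -f "$f" ] && { check_module "$f" || rc=1; }
  done
  return $rc
}
```

Run `check_all` from the repository root after `go mod tidy` in each module; a non-zero exit means at least one module still resolves runc below the patched version.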

@gemini-code-assist

Summary of Changes

Hello, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request performs a security-focused dependency update, primarily targeting the runc library to mitigate identified vulnerabilities. It ensures that the project's container runtime dependencies are patched and brings other related modules up to date to maintain overall project health and security posture.

Highlights

  • Security Update: Bumped github.com/opencontainers/runc to v1.2.8 to address CVE-2025-31133, CVE-2025-52565, and CVE-2025-52881.
  • Dependency Management: Updated various dependencies across root, sqldb, and sqldb/v2 modules, including urfave/cli, sirupsen/logrus, and golang.org/x/net.
  • Documentation: Added a note regarding the runc security update to the release notes for 0.22.0.

@github-actions github-actions Bot added the severity-high Requires knowledgeable engineer review label May 5, 2026

github-actions Bot commented May 5, 2026

🟠 PR Severity: HIGH

Automated classification | 7 files | 83 lines changed

🟠 High (4 files)
  • sqldb/go.mod - dependency update for sqldb module (sqldb/*)
  • sqldb/go.sum - lockfile for sqldb module dependencies (sqldb/*)
  • sqldb/v2/go.mod - dependency update for sqldb/v2 module (sqldb/*)
  • sqldb/v2/go.sum - lockfile for sqldb/v2 module dependencies (sqldb/*)
🟡 Medium (2 files)
  • go.mod - root module dependency update
  • go.sum - root module lockfile update
🟢 Low (1 file)
  • docs/release-notes/release-notes-0.22.0.md - release notes documentation

Analysis

This PR updates Go module dependencies, primarily for the sqldb and sqldb/v2 submodules along with the root module. The sqldb/* path maps to the HIGH severity tier per classification rules, as it covers database-related packages used for persistent storage.

The changes are dependency/lockfile updates (go.mod/go.sum), which are typically low-risk in isolation, but dependency changes to the sqldb module warrant knowledgeable review to ensure no regressions are introduced in the database layer. A reviewer should verify that the updated dependencies do not introduce breaking API changes or known vulnerabilities.

No bump rules triggered: 7 files (threshold: >20), 83 lines changed (threshold: >500), and no multiple distinct critical packages touched.


To override, add a severity-override-{critical,high,medium,low} label.

@gemini-code-assist gemini-code-assist Bot left a comment


Code Review

This pull request updates several dependencies, primarily runc to v1.2.8 to address security vulnerabilities. Other updates include logrus, go-systemd, and urfave/cli. Feedback was provided questioning the validity of the 2025 CVE years mentioned in the release notes.

## Code Health

* Updated `github.com/opencontainers/runc` to `v1.2.8`, which includes
fixes for CVE-2025-31133, CVE-2025-52565, and CVE-2025-52881.
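Review bot: the three CVE identifiers in this release-notes entry carry a 2025 year, which is in the past relative to this PR's May 2026 date, so the year itself is not a reason to reject the entry; what the entry lacks is any link or reference for a reader to verify them. Suggest linking each CVE to the corresponding runc v1.2.8 advisory, and mirroring the same three identifiers in the PR description, which currently reads "for the following CVEs:" but lists none.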

high

The CVE years appear to be incorrect. CVEs are typically assigned for the current year or past years, but 2025 is in the future. Please verify the correct CVE numbers for this runc update.

@lightninglabs-deploy
Collaborator

@rloomba, remember to re-request review from reviewers when ready

@rloomba
Author

rloomba commented May 12, 2026

@rloomba, remember to re-request review from reviewers when ready

Hi @bhandras, any thoughts on this PR?
