chore: Bump Python to 3.11.13 in python connector base image

[David Gold (dbgold17)]

What

Publishes a new Python Connector Base Image version using 3.11.13 to resolve security vulnerabilities

publishing the new image as docker.io/airbyte/python-connector-base:4.0.2 because I noticed we already have a 4.0.1 referenced by source-s3

resolves https://github.com/airbytehq/oncall/issues/8316

How

For now, we define the python connector base image in 2 places:

• docker-images/Dockerfile.python-connector-base as a Dockerfile
• airbyte-ci/connectors/base_images/base_images/python/bases.py as a dagger object within AirbyteCI

I've updated both to use Python 3.11.13 and tried to keep them in sync although I then proceeded to ignore the AirbyteCI process for building the base image.

I manually published a release candidate of the new python connector base image using the Docker Image Publishing manual dispatch workflow: link

I tested that this new version worked with a handful of python connectors locally - source-s3, source-github, source-google-ads, source-facebook-marketing, source-salesforce (in addition to the automated tests that run on this PR: link)

The process for testing python connectors against a new base image locally is:

1. make sure you have published a base image as an rc docker image to Dockerhub
2. navigate to a connector directory
3. modify the base imaged used by changing the reference in the connector's metadata file
4. run airbyte-cdk secrets fetch to make sure you have the connector's test config files locally
5. run airbyte-cdk image test to build a docker image for the connector on top of the specified base image and run a suite of FAST tests using it.

I then also manually tested some manifest-only connectors by creating a release candidate of the SDM base image (link to PR)

Once ready to release, publish a version of the image without a -rc.# suffix using the same manual dispatch GH workflow (link)

Other notes

To generate the local json file registry and changelog used by airbyte-ci, follow the instructions in this README. I was unable to succesfully use AirbyteCI to build and publish to dockerhub with any creds I could find.

Can this PR be safely reverted and rolled back?

• YES 💚
• NO ❌

[vercel]

The latest updates on your projects. Learn more about Vercel for Git ↗︎

1 Skipped Deployment

Name	Status	Preview	Comments	Updated (UTC)
airbyte-docs	⬜️ Ignored (Inspect)	Visit Preview		Jul 11, 2025 7:27pm

[github-actions]

👋 Greetings, Contributor!

Here are some helpful tips and reminders for your convenience.

Helpful Resources

• Developing Connectors Locally
• Managing Connector Secrets
• On-Demand Live Tests
• On-Demand Regression Tests
• #connector-ci-issues
• #connector-publish-updates
• #connector-build-statuses

PR Slash Commands

Airbyte Maintainers (that's you!) can execute the following slash commands on your PR:

• /format-fix - Fixes most formatting issues.
• /bump-version - Bumps connector versions.
  • You can specify a custom changelog by passing changelog. Example: /bump-version changelog="My cool update"
  • Leaving the changelog arg blank will auto-populate the changelog from the PR title.
• /run-cat-tests - Runs legacy CAT tests (Connector Acceptance Tests)
• /build-connector-images - Builds and publishes a pre-release docker image for the modified connector(s).

📝 Edit this welcome message.

[David Gold (dbgold17)]

This was added by mistake for the last python base image release. I believe this changelog refers to versions of the airbyte ci base images tool

[Brian Lai (brianjlai)]

where does ths tag come from?

[David Gold (dbgold17)]

so a while ago I was working on reproducing the base image build process from AirbyteCI in a Dockerfile (docker-images/Dockerfile.python-connector-base) as part of patching a vulnerability. For some reason the poppler-utils version defined within airbyte-ci was not found for install when building the Dockerfile, so I used this version instead.
PR link: #60820

[David Gold (dbgold17)]

The version was never backported to the AirbyteCI base image build process though

[Brian Lai (brianjlai)]

for posterity after david and I synced briefly:

I was a bit confused or just generally unaware of the process of how a new version of the python-connector-base image gets published to Dockerhub so that it can be referenced where we build the source-declarative-manifest.

Sounds like the GH workflow is this:
https://github.com/airbytehq/airbyte/actions/workflows/docker-connector-image-publishing.yml

Looking things over, changes seem reasonable, but I don't have a ton of context into this part of our code. ✅

[github-actions]

source-google-drive Connector Test Results

1 tests   0 ✅  7s ⏱️
1 suites  0 💤
1 files    0 ❌  1 🔥

For more details on these errors, see this check.

Results for commit b896959.