chore(deps): update apache/age, spicedb, and ubi9 base images

[jsell-rh]

Summary

• Update apache/age from release_PG17_1.6.0 to release_PG18_1.7.0
• Update authzed/spicedb from v1.48.0 to v1.50.0
• Pin ubi9/python-312 base image to digest sha256:d7b4607a...

Test plan

• CI tests pass with updated images
• Verify staging deployment with new image versions

🤖 Generated with Claude Code

Summary by CodeRabbit

• Chores
  • Upgraded PostgreSQL runtime from v17 to v18 across environments.
  • Upgraded SpiceDB service from v1.48.0 to v1.50.0.
  • Switched Python runtime base image to a pinned digest for more reproducible builds and deployments.

[jonmosco]

LGTM

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: c4320cab-0d61-4dfd-9b54-7e4a8a98f674

📥 Commits

Reviewing files that changed from the base of the PR and between 342abac and d1f7297.

📒 Files selected for processing (2)

• compose.yaml
• deploy/apps/kartograph/base/job-db-init.yaml

✅ Files skipped from review due to trivial changes (1)

• deploy/apps/kartograph/base/job-db-init.yaml

🚧 Files skipped from review as they are similar to previous changes (1)

• compose.yaml

---

Walkthrough

This PR updates container image versions across CI, Compose, Kubernetes manifests, and a Dockerfile: PostgreSQL/Apache AGE images move from PG17 (postgres:17-alpine / apache/age:release_PG17_1.6.0) to PG18 (postgres:18-alpine / apache/age:release_PG18_1.7.0); SpiceDB images are bumped from authzed/spicedb:v1.48.0 to v1.50.0 in CI, Compose, Job, and Deployment manifests; the API Dockerfile now uses an explicit UBI9 Python 3.12 sha256 digest for its base image. No other logic or configuration changes were made.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately summarizes the main changes: updating three container image versions (apache/age, spicedb, and ubi9 base images).
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch chore/update-container-images

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (1)

compose.yaml (1)

54-56: Consider pinning spicedb-migrate image version for consistency.

The spicedb-migrate service uses an untagged image (authzed/spicedb), which defaults to latest. This creates version drift risk since the main spicedb service is explicitly pinned to v1.50.0.

Proposed fix

   spicedb-migrate:
-    image: "authzed/spicedb"
+    image: "authzed/spicedb:v1.50.0"
     command: "migrate head"

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@compose.yaml` around lines 54 - 56, The spicedb-migrate service is using the
untagged image "authzed/spicedb" causing drift; update the spicedb-migrate image
to the same pinned tag as the main spicedb service (e.g., change image for the
spicedb-migrate service to "authzed/spicedb:v1.50.0" or whatever tag is used by
the spicedb service) so both services use an explicit version; after changing
the image ensure you pull/recreate containers to apply the pinned version.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@deploy/apps/kartograph/base/postgres-deployment.yaml`:
- Line 22: The init job is still using postgres:17-alpine while the deployment
image was changed to apache/age:release_PG18_1.7.0 causing a PG version
mismatch; update job-db-init.yaml to use a PG18-compatible image (e.g.,
postgres:18-alpine or the matching apache/age PG18 image) for both its
initContainers and main container, ensure the PVC name kartograph-postgres-pvc
is preserved, and make sure the init job completes before the postgres/age
deployment starts so any initialization runs with the same major PG version to
avoid catalog incompatibility.

---

Nitpick comments:
In `@compose.yaml`:
- Around line 54-56: The spicedb-migrate service is using the untagged image
"authzed/spicedb" causing drift; update the spicedb-migrate image to the same
pinned tag as the main spicedb service (e.g., change image for the
spicedb-migrate service to "authzed/spicedb:v1.50.0" or whatever tag is used by
the spicedb service) so both services use an explicit version; after changing
the image ensure you pull/recreate containers to apply the pinned version.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 21b778d1-99a3-45d8-9279-d82b952a40a2

📥 Commits

Reviewing files that changed from the base of the PR and between d9cb51f and 342abac.

📒 Files selected for processing (6)

• .github/workflows/tests.yml
• compose.yaml
• deploy/apps/kartograph/base/job-spicedb-migrate.yaml
• deploy/apps/kartograph/base/postgres-deployment.yaml
• deploy/apps/kartograph/base/spicedb-deployment.yaml
• src/api/Dockerfile