fix: Bump the base image and the CDK version in source-snowflake to receiv…

[Rodi Reich Zilberman (rodireich)]

Security update to remove well known vulnerabilities

[github-actions]

👋 Greetings, Airbyte Team Member!

Here are some helpful tips and reminders for your convenience.

💡 Show Tips and Tricks

PR Slash Commands

Airbyte Maintainers (that's you!) can execute the following slash commands on your PR:

• 🛠️ Quick Fixes
  • /format-fix - Fixes most formatting issues.
  • /bump-version - Bumps connector versions, scraping changelog description from the PR title.
• ❇️ AI Testing and Review (internal link: AI-SDLC Docs):
  • /ai-prove-fix - Runs prerelease readiness checks, including testing against customer connections.
  • /ai-canary-prerelease - Rolls out prerelease to 5-10 connections for canary testing.
  • /ai-review - AI-powered PR review for connector safety and quality gates.
• 🚀 Connector Releases:
  • /publish-connectors-prerelease - Publishes pre-release connector builds (tagged as {version}-preview.{git-sha}) for all modified connectors in the PR.
  • /bump-progressive-rollout-version - Bumps connector version with an RC suffix (2.16.10-rc.1) for progressive rollouts (enableProgressiveRollout: true).
    • Example: /bump-progressive-rollout-version changelog="Add new feature for progressive rollout"
• ☕️ JVM connectors:
  • /update-connector-cdk-version connector=<CONNECTOR_NAME> - Updates the specified connector to the latest CDK version.
    Example: /update-connector-cdk-version connector=destination-bigquery
  • /bump-bulk-cdk-version bump=patch changelog='foo' - Bump the Bulk CDK's version. bump can be major/minor/patch.
• 🐍 Python connectors:
  • /poe connector source-example lock - Run the Poe lock task on the source-example connector, committing the results back to the branch.
  • /poe source example lock - Alias for /poe connector source-example lock.
  • /poe source example use-cdk-branch my/branch - Pin the source-example CDK reference to the branch name specified.
  • /poe source example use-cdk-latest - Update the source-example CDK dependency to the latest available version.
• ⚙️ Admin commands:
  • /force-merge reason="<REASON>" - Force merges the PR using admin privileges, bypassing CI checks. Requires a reason.
    Example: /force-merge reason="CI is flaky, tests pass locally"

📚 Show Repo Guidance

Helpful Resources

• Breaking Changes Guide - Breaking changes, migration guides, and upgrade deadlines
• Developing Connectors Locally
• Managing Connector Secrets
• On-Demand Regression Tests
• #connector-ci-issues
• #connector-publish-updates
• #connector-build-statuses

📝 Edit this welcome message.

[Rodi Reich Zilberman (rodireich)]

/ai-prove-fix

AI Prove Fix Started

Running readiness checks and testing against customer connections.
View workflow run
🔍 AI Prove Fix session starting... Running readiness checks and testing against customer connections. View playbook

• 🔗 Session URL: https://app.devin.ai/sessions/06d99dc66b9c41c38e26c7068e546ea6

✅ Devin AI session created successfully!

[github-actions]

source-snowflake Connector Test Results

14 tests   14 ✅  0s ⏱️
 2 suites   0 💤
 2 files     0 ❌

Results for commit da656ff.

♻️ This comment has been updated with latest results.

[github-actions]

Note

Detected that there are differences in the Gradle dependencies.

• https://github.com/airbytehq/airbyte/runs/65103664266

[devin-ai-integration]

Fix Validation Evidence

Outcome: Fix/Feature Proven Successfully

Evidence Summary

Regression tests comparing source-snowflake v1.0.8 (control) against the PR build (target) passed all 4 test phases: spec, check, discover, and read. The security update (base image bump to java-connector-base:2.0.4 + CDK bump to 1.0.1) introduces no regressions. Pre-release image airbyte/source-snowflake:1.0.9-preview.7fa963f was successfully published.

Live connection testing was not performed because all internal Airbyte organization connections are stale (no syncs within 48 hours), and approval for external connection pinning is pending. However, the regression test results provide strong confidence that this dependency-only update does not break functionality.

Next Steps

1. This PR appears ready for review and merge — all regression tests passed and the changes are limited to dependency version bumps.
2. For broader validation before release, consider running /ai-canary-prerelease to test on additional connections.
3. The weekly /ai-release-manager will automatically monitor the release rollout after merge.

---

Connector & PR Details

Connector: source-snowflake
PR: #74081
Pre-release Version Tested: 1.0.9-preview.7fa963f
Detailed Results: https://github.com/airbytehq/oncall/issues/11323#issuecomment-3971002850

Changes:

• Base image: java-connector-base:2.0.2 → 2.0.4
• CDK version: 0.1.31 → 1.0.1
• Connector version: 1.0.8 → 1.0.9

Evidence Plan

Proving Criteria

A sync that previously succeeded on 1.0.8 also succeeds on 1.0.9-preview with the updated base image and CDK, demonstrating no regression from the security update.

Disproving Criteria

• Syncs that were succeeding on 1.0.8 fail on 1.0.9-preview
• New errors appear related to the base image or CDK upgrade

Cases Attempted

1. Regression Tests (comparison mode): Control=v1.0.8, Target=PR build. All 4 verbs passed (spec, check, discover, read). Workflow run
2. Live Connection Tests: Not executed — internal connections are stale; external connection pinning pending approval.

Pre-flight Checks

• Viability: Fix addresses the reported issue — dependency bumps resolve CVEs (GLib, SQLite, libxml2)
• Safety: No malicious code — changes limited to version numbers in build files
• Breaking Change: No breaking changes (no schema, spec, stream, state, or PK/cursor changes)
• Reversibility: Can be safely downgraded to v1.0.8

Detailed Evidence Log

2026-02-27 06:04 UTC — Regression tests triggered (comparison mode: v1.0.8 vs PR build)
2026-02-27 06:11 UTC — Regression tests completed successfully:

• SPEC: success
• CHECK: success
• DISCOVER: success
• READ: success (skip_read=false)
• Internal failure: false
• All tests passed: true

2026-02-27 06:09 UTC — Pre-release publish triggered (retry after initial Docker Hub login failure)
2026-02-27 ~06:16 UTC — Pre-release image airbyte/source-snowflake:1.0.9-preview.7fa963f published successfully

Note: Detailed connection information recorded in the linked private oncall issue.

---

Devin session

[github-actions]

Deploy preview for airbyte-docs ready!

✅ Preview
https://airbyte-docs-9hgreoamq-airbyte-growth.vercel.app

Built with commit da656ff.
This pull request is being automatically deployed with vercel-action

[github-actions]

Pre-release Connector Publish Started

Publishing pre-release build for connector source-snowflake.
PR: #74081

Pre-release versions will be tagged as {version}-preview.7fa963f
and are available for version pinning via the scoped_configuration API.

View workflow run

[github-actions]

Pre-release Connector Publish Started

Publishing pre-release build for connector source-snowflake.
PR: #74081

Pre-release versions will be tagged as {version}-preview.7fa963f
and are available for version pinning via the scoped_configuration API.

View workflow run
Pre-release Publish: SUCCESS ✅

Docker image (pre-release):
airbyte/source-snowflake:1.0.9-preview.7fa963f

Docker Hub: https://hub.docker.com/layers/airbyte/source-snowflake/1.0.9-preview.7fa963f

Registry JSON:

• OSS Registry
• Cloud Registry

[Rodi Reich Zilberman (rodireich)]

Pin preview to connection eb06e735-6192-4426-ae9c-8f32ce829ee1

[github-actions]

Pre-release Connector Publish Started

Publishing pre-release build for connector source-snowflake.
PR: #74081

Pre-release versions will be tagged as {version}-preview.da656ff
and are available for version pinning via the scoped_configuration API.

View workflow run
Pre-release Publish: SUCCESS ✅

Docker image (pre-release):
airbyte/source-snowflake:1.0.9-preview.da656ff

Docker Hub: https://hub.docker.com/layers/airbyte/source-snowflake/1.0.9-preview.da656ff

Registry JSON:

• OSS Registry
• Cloud Registry

[Matt Bayley (mwbayley)]

Wondering if we can reduce scope here or maybe I'm missing something.

[Matt Bayley (mwbayley)]

Does this source really support speed? How did we test it? Should we maybe decouple the security patching from the speed feature?

[Rodi Reich Zilberman (rodireich)]

Tested on a live connection.
Everything seems to be working.

[Matt Bayley (mwbayley)]

Now I see that we already sent the preview build to the customer, so these changes together are good with me

[Rodi Reich Zilberman (rodireich)]

🙏

[Matt Bayley (mwbayley)]

👍