canonical · Copilot · May 6, 2026 · May 6, 2026 · May 6, 2026
diff --git a/.github/workflows/update-ci-dependencies.yaml b/.github/workflows/update-ci-dependencies.yaml
@@ -59,7 +59,7 @@ jobs:
           python-version: "3.12"
 
       - name: Install pip-tools
-        run: pip install "pip-tools==8.3.0" "requests==2.33.1"
+        run: pip install "pip-tools==7.5.3" "requests==2.33.1"
 
       - name: Update pip lock files
         id: check

diff --git a/build-scripts/hack/patchelf.py b/build-scripts/hack/patchelf.py
@@ -62,6 +62,18 @@ def main():
         print(f"Failed to parse ELF: {e}")
         sys.exit(1)
 
+    # Skip patching if the binary has no PT_DYNAMIC segment.
+    # Attempting to add rpath or interpreter to such a binary (e.g. a statically
+    # linked binary) creates an inconsistent ELF (has PT_INTERP but no PT_DYNAMIC),
+    # which breaks the snap classic linter and may cause runtime issues.
+    if (args.set_rpath or args.set_interpreter) and not binary.has(
+        lief.ELF.Segment.TYPE.DYNAMIC
+    ):
+        print(
+            f"Binary {args.elf_path} has no PT_DYNAMIC segment, skipping RPATH/interpreter patching."
+        )
+        sys.exit(0)
+
     did_modify = False
 
     if args.set_rpath:

diff --git a/snap/snapcraft.yaml b/snap/snapcraft.yaml
@@ -26,6 +26,14 @@ architectures:
   - build-on: [ppc64el]
   - build-on: [s390x]
 
+lint:
+  ignore:
+    - classic:
+        # containerd-shim-runc-v2 may be statically linked (e.g. when built with
+        # Go FIPS that provides static OpenSSL). Static binaries have no .dynamic
+        # section, so the classic linter's patchelf rpath check is not applicable.
+        - bin/containerd-shim-runc-v2
+
 parts:
   build-deps:
     plugin: nil