From ae9622e9cc2f309e07aec394a509de4e5b46a111 Mon Sep 17 00:00:00 2001
From: Andrew Lindesay <apl@lindesay.co.nz>
Date: Thu, 16 Nov 2023 21:29:48 +1300
Subject: [PATCH] upgrade to java 21 (temurin) and bump debian - ring-fence
 public key to adoptium

---
 Dockerfile                                    | 29 +++++++++----------
 .../deb-adoptium-sources-template.txt         |  5 ++++
 2 files changed, 19 insertions(+), 15 deletions(-)
 create mode 100644 support/deployment/deb-adoptium-sources-template.txt

diff --git a/Dockerfile b/Dockerfile
index 8a6f9d9f..b1242ecd 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -8,18 +8,25 @@
 # a deployable stage.
 
 # -------------------------------------
-# Assemble the build image with the dependencies
+# Base image with the Eclipse Temurin repository setup.
 
-FROM debian:12.2-slim as build
+FROM debian:12.2-slim as base
 
 RUN apt-get update && \
     apt-get -y install wget apt-transport-https gnupg
 
-RUN wget -O - "https://packages.adoptium.net/artifactory/api/gpg/key/public" | apt-key add - && \
-    echo "deb https://packages.adoptium.net/artifactory/deb $(awk -F= '/^VERSION_CODENAME/{print$2}' /etc/os-release) main" | tee /etc/apt/sources.list.d/adoptium.list
+RUN mkdir /adoptium
+
+RUN wget -O - "https://packages.adoptium.net/artifactory/api/gpg/key/public" | gpg --dearmour | dd of=/adoptium/apt-keyring.gpg
+COPY support/deployment/deb-adoptium-sources-template.txt /adoptium/deb-adoptium-sources-template.txt
+RUN OS_VERSION_CODENAME="$(awk -F= '/^VERSION_CODENAME/{print$2}' /etc/os-release)" && \
+    cat /adoptium/deb-adoptium-sources-template.txt | sed -e "s/SUITE/${OS_VERSION_CODENAME}/g" | dd of=/etc/apt/sources.list.d/adoptium.sources
+
+# -------------------------------------
+# Assemble the build image with the dependencies
+
+FROM base as build
 
-# the handling here for `ca-certificates-java` is to get around a sequencing
-# problem that comes up with GitHub actions.
 RUN apt-get update && \
     apt-get -y install temurin-21-jdk && \
     apt-get -y install wget python3 fontconfig fonts-dejavu-core lsb-release gnupg2 && \
@@ -75,16 +82,8 @@ RUN ./mvnw clean install
 # -------------------------------------
 # Create the container that will eventually run HDS
 
-FROM debian:12.2-slim AS runtime
-
-RUN apt-get update && \
-    apt-get -y install wget apt-transport-https gnupg
-
-RUN wget -O - "https://packages.adoptium.net/artifactory/api/gpg/key/public" | apt-key add - && \
-    echo "deb https://packages.adoptium.net/artifactory/deb $(awk -F= '/^VERSION_CODENAME/{print$2}' /etc/os-release) main" | tee /etc/apt/sources.list.d/adoptium.list
+FROM base AS runtime
 
-# the handling here for `ca-certificates-java` is to get around a sequencing
-# problem that comes up with GitHub actions.
 RUN apt-get update && \
     apt-get -y install temurin-21-jre && \
     apt-get -y install optipng libpng16-16 curl fontconfig fonts-dejavu-core
diff --git a/support/deployment/deb-adoptium-sources-template.txt b/support/deployment/deb-adoptium-sources-template.txt
new file mode 100644
index 00000000..82752cb2
--- /dev/null
+++ b/support/deployment/deb-adoptium-sources-template.txt
@@ -0,0 +1,5 @@
+Types: deb
+URIs: https://packages.adoptium.net/artifactory/deb
+Suites: SUITE
+Components: main
+Signed-By: /adoptium/apt-keyring.gpg
\ No newline at end of file