Updates to Alpine 3.20.3, Java 21.0.5_p11 and latest maven deps (#92)

Signed-off-by: Adrian Cole <[email protected]>
openzipkin · Nov 19, 2024 · 38e58d4 · 38e58d4
1 parent 8fa51a7
commit 38e58d4
Show file tree

Hide file tree

Showing 6 changed files with 26 additions and 23 deletions.
diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
@@ -11,7 +11,7 @@ on:
 
 jobs:
   deploy:
-    runs-on: ubuntu-22.04  # newest available distribution, aka jellyfish
+    runs-on: ubuntu-24.04  # newest available distribution, aka numbat
     steps:
       - name: Checkout Repository
         uses: actions/checkout@v4

diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml
@@ -23,7 +23,7 @@ on:  # yamllint disable-line rule:truthy
 jobs:
   security:
     name: security
-    runs-on: ubuntu-22.04  # newest available distribution, aka jellyfish
+    runs-on: ubuntu-24.04  # newest available distribution, aka numbat
     # skip commits made by the release plugin
     if: "!contains(github.event.head_commit.message, 'maven-release-plugin')"
     steps:
@@ -38,6 +38,9 @@ jobs:
       - name: Run Trivy vulnerability and secret scanner
         uses: aquasecurity/trivy-action@master
         id: trivy
+        env:  # See https://github.com/aquasecurity/trivy/discussions/7668
+          TRIVY_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-db
+          TRIVY_JAVA_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-java-db
         with:
           scan-type: 'fs'
           scan-ref: '.'  # scan the entire repository

diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
@@ -17,13 +17,13 @@ on:
 jobs:
   test:
     name: test (${{ matrix.name }})
-    runs-on: ubuntu-22.04  # newest available distribution, aka jellyfish
+    runs-on: ubuntu-24.04  # newest available distribution, aka numbat
     strategy:
       fail-fast: false  # don't fail fast as some failures are LTS specific
       matrix: # match with maven-enforcer-plugin rules in pom.xml
         include:
           - name: build-arg
-            version: 21.0.4_p7
+            version: 21.0.5_p11
           - name: implicit
             version: master
     steps:

diff --git a/Dockerfile b/Dockerfile
@@ -6,7 +6,7 @@
 # docker_parent_image is the base layer of full and jre image
 #
 # Use latest version here: https://github.com/orgs/openzipkin/packages/container/package/alpine
-ARG docker_parent_image=ghcr.io/openzipkin/alpine:3.20.2
+ARG docker_parent_image=ghcr.io/openzipkin/alpine:3.20.3
 
 # java_version and java_home are hard-coded here to allow the following:
 #  * `docker build https://github.com/openzipkin/docker-java.git`
@@ -17,17 +17,17 @@ ARG docker_parent_image=ghcr.io/openzipkin/alpine:3.20.2
 # When updating, also update the README
 #  * Use current version from https://pkgs.alpinelinux.org/packages?name=openjdk21, stripping
 #    the `-rX` at the end.
-ARG java_version=21.0.4_p7
+ARG java_version=21.0.5_p11
 ARG java_home=/usr/lib/jvm/java-21-openjdk
 
 # We copy files from the context into a scratch container first to avoid a problem where docker and
 # docker-compose don't share layer hashes https://github.com/docker/compose/issues/883 normally.
 # COPY --from= works around the issue.
-FROM scratch as code
+FROM scratch AS code
 
 COPY . /code/
 
-FROM $docker_parent_image as base
+FROM $docker_parent_image AS base
 
 # java_version is hard-coded here to allow the following to work:
 #  * `docker build https://github.com/openzipkin/docker-java.git`
@@ -51,17 +51,17 @@ WORKDIR /java
 ENTRYPOINT ["java", "-jar"]
 
 # The JDK image includes a few build utilities and Maven
-FROM base as jdk
+FROM base AS jdk
 LABEL org.opencontainers.image.description="OpenJDK on Alpine Linux"
 ARG java_version
-ARG maven_version=3.9.8
+ARG maven_version=3.9.9
 LABEL maven-version=$maven_version
 
 COPY --from=code /code/install.sh .
 RUN ./install.sh $java_version $maven_version && rm install.sh
 
 # Use a temporary target to build a JRE using the JDK we just built
-FROM jdk as install
+FROM jdk AS install
 
 WORKDIR /install
 
@@ -92,7 +92,7 @@ jdk.localedata --include-locales en \
 --output jre
 
 # Our JRE image is minimal: Only Alpine, gcompat and a stripped down JRE
-FROM base as jre
+FROM base AS jre
 LABEL org.opencontainers.image.description="Minimal OpenJDK JRE on Alpine Linux"
 
 COPY --from=install /install/jre/ ${JAVA_HOME}/

diff --git a/README.md b/README.md
@@ -15,7 +15,7 @@ This is an internal base layer primarily used in [zipkin](https://github.com/ope
 
 To try the image, run the `java -version` command:
 ```bash
-$ docker run --rm ghcr.io/openzipkin/java:21.0.4_p7 -version
+$ docker run --rm ghcr.io/openzipkin/java:21.0.5_p11 -version
 openjdk version "21.0.4" 2024-07-16
 OpenJDK Runtime Environment (build 21.0.4+7-alpine-r0)
 OpenJDK 64-Bit Server VM (build 21.0.4+7-alpine-r0, mixed mode, sharing)
@@ -39,26 +39,26 @@ Build the [Dockerfile](Dockerfile) using the current version without the
 revision classifier from here:
  * https://pkgs.alpinelinux.org/packages?name=openjdk21
 ```bash
-# Note 21.0.4_p7 not 21.0.4_p7-r2!
-./build-bin/build 21.0.4_p7
+# Note 21.0.5_p11 not 21.0.5_p11-r2!
+./build-bin/build 21.0.5_p11
 ```
 
 Next, verify the built image matches that version:
 ```bash
 $ docker run --rm openzipkin/java:test -version
-openjdk version "21.0.4" 2024-07-16
-OpenJDK Runtime Environment (build 21.0.4+7-alpine-r0)
-OpenJDK 64-Bit Server VM (build 21.0.4+7-alpine-r0, mixed mode, sharing)
+openjdk version "21.0.5" 2024-10-15
+OpenJDK Runtime Environment (build 21.0.5+11-alpine-r0)
+OpenJDK 64-Bit Server VM (build 21.0.5+11-alpine-r0, mixed mode, sharing)
 ```
 
-To release the image, push a tag matching the arg to `build-bin/build` (ex `21.0.4_p7`).
+To release the image, push a tag matching the arg to `build-bin/build` (ex `21.0.5_p11`).
 This triggers a [GitHub Actions](https://github.com/openzipkin/docker-java/actions) job to push the image.
 
 ## java.lang.ClassNotFoundException
 
 The image ending in `-jre` is stripped to only retain the minimal modules needed by Zipkin. This is
 to make it as small as possible. If the `zipkin` or `zipkin-slim` images fail with a
-`java.lang.ClassNotFoundException`, it may be related to the modules linked in the [Dockerfile][Dockerfile].
+`java.lang.ClassNotFoundException`, it may be related to the modules linked in the [Dockerfile](Dockerfile).
 
 If the package begins with `java.`, `sun.` or `com.sun.`, it is likely a JRE module. To verify, use
 `javap` without any other options. If a result is printed, you need to link a corresponding module.

diff --git a/install.sh b/install.sh
@@ -19,7 +19,7 @@ maybe_log_crash() {
 }
 
 java_version=${1?java_version is required. ex --strip-debug}
-maven_version=${2?maven_version is required. ex 3.9.8}
+maven_version=${2?maven_version is required. ex 3.9.9}
 java_major_version=$(echo ${java_version}| cut -f1 -d .)
 package=openjdk${java_major_version}
 
@@ -43,5 +43,5 @@ apache_backup_mirror=https://downloads.apache.org/
 (wget ${apache_mirror}${maven_dist_path} || wget ${apache_backup_mirror}${maven_dist_path}) | tar xz --strip=1 -C maven
 ln -s ${PWD}/maven/bin/mvn /usr/bin/mvn
 
-mvn -q --batch-mode org.apache.maven.plugins:maven-help-plugin:3.4.1:evaluate -Dexpression=maven.version -q -DforceStdout || maybe_log_crash
-mvn -q --batch-mode org.apache.maven.plugins:maven-dependency-plugin:3.7.1:get -Dmdep.skip
+mvn -q --batch-mode org.apache.maven.plugins:maven-help-plugin:3.5.1:evaluate -Dexpression=maven.version -q -DforceStdout || maybe_log_crash
+mvn -q --batch-mode org.apache.maven.plugins:maven-dependency-plugin:3.8.1:get -Dmdep.skip