diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
index 2058961..86ffdad 100644
--- a/.github/workflows/deploy.yml
+++ b/.github/workflows/deploy.yml
@@ -11,7 +11,7 @@ on:
 jobs:
 deploy:
- runs-on: ubuntu-22.04 # newest available distribution, aka jellyfish
+ runs-on: ubuntu-24.04 # newest available distribution, aka numbat
 steps:
 - name: Checkout Repository
 uses: actions/checkout@v4
diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml
index a7847fc..511e35a 100644
--- a/.github/workflows/security.yml
+++ b/.github/workflows/security.yml
@@ -23,7 +23,7 @@ on: # yamllint disable-line rule:truthy
 jobs:
 security:
 name: security
- runs-on: ubuntu-22.04 # newest available distribution, aka jellyfish
+ runs-on: ubuntu-24.04 # newest available distribution, aka numbat
 # skip commits made by the release plugin
 if: "!contains(github.event.head_commit.message, 'maven-release-plugin')"
 steps:
@@ -38,6 +38,9 @@ jobs:
 - name: Run Trivy vulnerability and secret scanner
 uses: aquasecurity/trivy-action@master
 id: trivy
+ env: # See https://github.com/aquasecurity/trivy/discussions/7668
+ TRIVY_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-db
+ TRIVY_JAVA_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-java-db
 with:
 scan-type: 'fs'
 scan-ref: '.' # scan the entire repository
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index 8243766..d80d854 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -16,7 +16,7 @@ on:
 jobs:
 test:
- runs-on: ubuntu-22.04 # newest available distribution, aka jellyfish
+ runs-on: ubuntu-24.04 # newest available distribution, aka numbat
 steps:
 - name: Checkout Repository
 uses: actions/checkout@v4
diff --git a/Dockerfile b/Dockerfile
index ef46924..7878b14 100644
--- a/Dockerfile
+++ b/Dockerfile
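Review bot: In `.github/workflows/security.yml`, the Trivy step that receives the new `env:` block is still referenced as `aquasecurity/trivy-action@master`, a mutable branch, so the action code that reads `TRIVY_DB_REPOSITORY` and `TRIVY_JAVA_DB_REPOSITORY` can change without any commit in this repository. Since this hunk already edits the step, I would pin it to a reviewed full commit SHA, e.g. `uses: aquasecurity/trivy-action@<full-commit-sha>  # <release tag>`, and move that pin deliberately. The `env:` comment carries only a link; a short reason on its own line would tell a later reader when the override can be dropped, for example `# Fetch the Trivy DBs from the public.ecr.aws mirror instead of the default registry (see discussion 7668)` — presumably this works around download failures from the default registry, which the linked discussion should confirm. The step's `with:` block continues past the end of the hunk.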
@@ -18,7 +18,7 @@
 # When updating, update the README and the alpine_version ARG
 # * Use current version from https://alpinelinux.org/downloads/
 # * ARGs repeat because Dockerfile ARGs are layer specific but will reuse the value defined here.
-ARG alpine_version=3.20.2
+ARG alpine_version=3.20.3
 # We copy files from the context into a scratch container first to avoid a problem where docker and
 # docker-compose don't share layer hashes https://github.com/docker/compose/issues/883 normally.
@@ -29,7 +29,7 @@ COPY . /code/
 # See from a previously published version to avoid pulling from Docker Hub (docker.io)
 # This version is only used to install the real version
-FROM ghcr.io/openzipkin/alpine:3.20.0 as install
+FROM ghcr.io/openzipkin/alpine:3.20.2 as install
 WORKDIR /code
 # Conditions aren't supported in Dockerfile instructions, so we copy source even if it isn't used.
diff --git a/README.md b/README.md
index e6aa79c..b4e6db1 100644
--- a/README.md
+++ b/README.md
@@ -13,22 +13,22 @@ This is an internal base layer primarily used in [docker-java](https://github.co
 To browse the image, run it in interactive mode with TTY enabled like so:
 ```bash
-docker run -ti --rm ghcr.io/openzipkin/alpine:3.20.2
+docker run -ti --rm ghcr.io/openzipkin/alpine:3.20.3
 / #
 ```
 ## Release process
 Build the `Dockerfile` using the current version from https://alpinelinux.org/downloads/:
 ```bash
-# Note 3.20.2 not 3.19!
-./build-bin/build 3.20.2
+# Note 3.20.3 not 3.20!
+./build-bin/build 3.20.3
 ```
 Next, verify the built image matches that version:
 ```bash
 docker run --rm openzipkin/alpine:test -c 'cat /etc/alpine-release'
-3.20.2
+3.20.3
 ```
-To release the image, push a tag matching the arg to `build-bin/build` (ex `3.20.2`).
+To release the image, push a tag matching the arg to `build-bin/build` (ex `3.20.3`).
 This triggers a [GitHub Actions](https://github.com/openzipkin/docker-alpine/actions) job to push the image.