diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
index 465af3e..fa60ac9 100644
--- a/.github/workflows/deploy.yml
+++ b/.github/workflows/deploy.yml
@@ -11,7 +11,7 @@ on:
 jobs:
 deploy:
- runs-on: ubuntu-22.04 # newest available distribution, aka jellyfish
+ runs-on: ubuntu-24.04 # newest available distribution, aka numbat
 steps:
 - name: Checkout Repository
 uses: actions/checkout@v4
diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml
new file mode 100644
index 0000000..511e35a
--- /dev/null
+++ b/.github/workflows/security.yml
@@ -0,0 +1,59 @@
+---
+name: security
+
+# We don't scan documentation-only commits.
+on: # yamllint disable-line rule:truthy
+ push: # non-tagged pushes to master
+ branches:
+ - master
+ tags-ignore:
+ - '*'
+ paths-ignore:
+ - '**/*.md'
+ - './build-bin/*lint'
+ - ./build-bin/mlc_config.json
+ pull_request: # pull requests targeted at the master branch.
+ branches:
+ - master
+ paths-ignore:
+ - '**/*.md'
+ - './build-bin/*lint'
+ - ./build-bin/mlc_config.json
+
+jobs:
+ security:
+ name: security
+ runs-on: ubuntu-24.04 # newest available distribution, aka numbat
+ # skip commits made by the release plugin
+ if: "!contains(github.event.head_commit.message, 'maven-release-plugin')"
+ steps:
+ - name: Checkout Repository
+ uses: actions/checkout@v4
+ - uses: actions/cache@v4
+ name: Cache Trivy Database
+ with:
+ path: .trivy
+ key: ${{ runner.os }}-trivy
+ restore-keys: ${{ runner.os }}-trivy
+ - name: Run Trivy vulnerability and secret scanner
+ uses: aquasecurity/trivy-action@master
+ id: trivy
+ env: # See https://github.com/aquasecurity/trivy/discussions/7668
+ TRIVY_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-db
+ TRIVY_JAVA_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-java-db
+ with:
+ scan-type: 'fs'
+ scan-ref: '.' # scan the entire repository
+ scanners: vuln,secret
+ exit-code: '1'
+ severity: HIGH,CRITICAL
+ output: trivy-report.md
+ cache-dir: .trivy
+ - name: Set Summary
+ shell: bash
+ if: ${{ failure() && steps.trivy.conclusion == 'failure' }}
+ # Add the Trivy report to the summary
+ #
+ # Note: This will cause a workflow error if trivy-report.md > the step
+ # limit 1MiB. If this was due to too many CVEs, consider fixing them ;)
+ run: cat trivy-report.md >> $GITHUB_STEP_SUMMARY
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index 8243766..d80d854 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
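Review bot: The scanner step uses `uses: aquasecurity/trivy-action@master`, a mutable branch reference, so whatever that branch contains at run time executes inside this job with its `GITHUB_TOKEN` and the checked-out source; pin it to a release tag or, preferably, a full commit SHA with the version noted in a trailing comment, e.g. `uses: aquasecurity/trivy-action@<full-commit-sha> # vX.Y.Z`. The new workflow also declares no `permissions:` block, so the job inherits the repository's default token scope although it only reads the checkout and writes a step summary; adding `permissions:` with `  contents: read` at the top level (or on the job) keeps it least-privilege and is especially relevant since the job also runs on `pull_request`. Minor: `$GITHUB_STEP_SUMMARY` in the final `run:` is unquoted; `run: cat trivy-report.md >> "$GITHUB_STEP_SUMMARY"` is the shellcheck-clean form. The cache step's `key` and `restore-keys` are identical constants, so actions/cache will presumably never re-save a refreshed database after the first hit — possibly acceptable since Trivy refreshes its own DB, but worth confirming against the intent of caching it at all.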
@@ -16,7 +16,7 @@ on:
 jobs:
 test:
- runs-on: ubuntu-22.04 # newest available distribution, aka jellyfish
+ runs-on: ubuntu-24.04 # newest available distribution, aka numbat
 steps:
 - name: Checkout Repository
 uses: actions/checkout@v4
diff --git a/Dockerfile b/Dockerfile
index e6eba06..dfe3afa 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -11,11 +11,11 @@ ARG docker_parent_image=ghcr.io/openzipkin/alpine:3.20.2
 # We copy files from the context into a scratch container first to avoid a problem where docker and
 # docker-compose don't share layer hashes https://github.com/docker/compose/issues/883 normally.
 # COPY --from= works around the issue.
-FROM scratch as code
+FROM scratch AS code
 COPY . /code/
-FROM $docker_parent_image as base
+FROM $docker_parent_image AS base
 # java_version is hard-coded here to allow the following to work:
 # * `docker build https://github.com/openzipkin/docker-java.git`
@@ -24,7 +24,7 @@ FROM $docker_parent_image as base
 # * Use current version from https://pkgs.alpinelinux.org/packages?name=openjdk8
 # This is defined in many places because Docker has no "env" script functionality unless you use
 # docker-compose: When updating, update everywhere.
-ARG java_version=8.402.06
+ARG java_version=8.422.05
 ARG java_home=/usr/lib/jvm/java-1.8-openjdk
 LABEL java-version=$java_version
 LABEL java-home=$java_home
@@ -39,17 +39,17 @@ WORKDIR /java
 ENTRYPOINT ["java", "-jar"]
 # The JDK image includes a few build utilities and Maven
-FROM base as jdk
+FROM base AS jdk
 LABEL org.opencontainers.image.description="OpenJDK on Alpine Linux"
-ARG java_version=8.402.06
-ARG maven_version=3.9.8
+ARG java_version=8.422.05
+ARG maven_version=3.9.9
 LABEL maven-version=$maven_version
 COPY --from=code /code/install.sh .
 RUN ./install.sh $java_version $maven_version && rm install.sh
 # Our JRE image is minimal: Only Alpine, libc6-compat and a JRE
-FROM base as jre
+FROM base AS jre
 LABEL org.opencontainers.image.description="OpenJDK JRE provided by IcedTea on Alpine Linux"
 # Finalize JRE install:
diff --git a/README.md b/README.md
index 7b813de..a595696 100644
--- a/README.md
+++ b/README.md
@@ -15,27 +15,25 @@ This is an internal base layer primarily used in [zipkin](https://github.com/ope
 To try the image, run the `java -version` command:
 ```bash
-docker run --rm ghcr.io/openzipkin/java:8.402.06 -version
-openjdk version "1.8.0_402"
-OpenJDK Runtime Environment (IcedTea 3.30.0) (Alpine 8.402.06-r0)
-OpenJDK 64-Bit Server VM (build 25.402-b06, mixed mode)
+openjdk version "1.8.0_422"
+OpenJDK Runtime Environment (IcedTea 3.32.0) (Alpine 8.422.05-r0)
+OpenJDK 64-Bit Server VM (build 25.422-b05, mixed mode)
 ```
 ## Release process
 Build the `Dockerfile` using the current version without the revision classifier from here:
 * https://pkgs.alpinelinux.org/packages?name=openjdk8
 ```bash
-# Note 8.402.06 not 8.402.06-r1!
-./build-bin/build 8.402.06
+# Note 8.422.05 not 8.422.05-r1!
+./build-bin/build 8.422.05
 ```
 Next, verify the built image matches that version:
 ```bash
-docker run --rm openzipkin/java:test -version
-openjdk version "1.8.0_402"
-OpenJDK Runtime Environment (IcedTea 3.30.0) (Alpine 8.402.06-r0)
-OpenJDK 64-Bit Server VM (build 25.402-b06, mixed mode)
+openjdk version "1.8.0_422"
+OpenJDK Runtime Environment (IcedTea 3.32.0) (Alpine 8.422.05-r0)
+OpenJDK 64-Bit Server VM (build 25.422-b05, mixed mode)
 ```
-To release the image, push a tag matching the arg to `build-bin/build` (ex `8.402.06`).
+To release the image, push a tag matching the arg to `build-bin/build` (ex `8.422.05`).
 This triggers a [GitHub Actions](https://github.com/openzipkin/docker-java/actions) job to push the image.
diff --git a/install.sh b/install.sh
index c6d4f0a..9c3f1a7 100755
--- a/install.sh
+++ b/install.sh
@@ -49,5 +49,5 @@ apache_backup_mirror=https://downloads.apache.org/
 (wget ${apache_mirror}${maven_dist_path} || wget ${apache_backup_mirror}${maven_dist_path}) | tar xz --strip=1 -C maven
 ln -s ${PWD}/maven/bin/mvn /usr/bin/mvn
-mvn -q --batch-mode org.apache.maven.plugins:maven-help-plugin:3.4.1:evaluate -Dexpression=maven.version -q -DforceStdout || maybe_log_crash
-mvn -q --batch-mode org.apache.maven.plugins:maven-dependency-plugin:3.7.1:get -Dmdep.skip
+mvn -q --batch-mode org.apache.maven.plugins:maven-help-plugin:3.5.1:evaluate -Dexpression=maven.version -q -DforceStdout || maybe_log_crash
+mvn -q --batch-mode org.apache.maven.plugins:maven-dependency-plugin:3.8.1:get -Dmdep.skip