From 06803265d7369b5ed2968a01bd0e0cb591f166b1 Mon Sep 17 00:00:00 2001
From: Tommy Ludwig <8924140+shakuzen@users.noreply.github.com>
Date: Wed, 27 Nov 2024 17:54:43 +0900
Subject: [PATCH] Apply infra updates from docker-java repo
Bumps the version of the Zipkin Docker Java image and OS used by GH Action runners and applies the same conventions to Dockerfile. Fixes the trivy intermittent issue; See https://github.com/aquasecurity/trivy/discussions/7668
---
 .github/workflows/create_release.yml | 2 +-
 .github/workflows/deploy.yml | 2 +-
 .github/workflows/docker_push.yml | 2 +-
 .github/workflows/lint.yml | 2 +-
 .github/workflows/security.yml | 5 ++++-
 .github/workflows/test.yml | 2 +-
 docker/Dockerfile | 8 ++++----
 7 files changed, 13 insertions(+), 10 deletions(-)
diff --git a/.github/workflows/create_release.yml b/.github/workflows/create_release.yml
index 39878e4..db2c82c 100644
--- a/.github/workflows/create_release.yml
+++ b/.github/workflows/create_release.yml
@@ -10,7 +10,7 @@ on: # yamllint disable-line rule:truthy
 jobs:
 create_release:
- runs-on: ubuntu-22.04 # newest available distribution, aka jellyfish
+ runs-on: ubuntu-24.04 # newest available distribution, aka numbat
 steps:
 - name: Checkout Repository
 uses: actions/checkout@v4
diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
index ed6b77b..37532bb 100644
--- a/.github/workflows/deploy.yml
+++ b/.github/workflows/deploy.yml
@@ -15,7 +15,7 @@ on: # yamllint disable-line rule:truthy
 jobs:
 deploy:
- runs-on: ubuntu-22.04 # newest available distribution, aka jellyfish
+ runs-on: ubuntu-24.04 # newest available distribution, aka numbat
 steps:
 - name: Checkout Repository
 uses: actions/checkout@v4
diff --git a/.github/workflows/docker_push.yml b/.github/workflows/docker_push.yml
index 0943939..41e7ee3 100644
--- a/.github/workflows/docker_push.yml
+++ b/.github/workflows/docker_push.yml
@@ -10,7 +10,7 @@ on: # yamllint disable-line rule:truthy
 jobs:
 docker_push:
- runs-on: ubuntu-22.04 # newest available distribution, aka jellyfish
+ runs-on: ubuntu-24.04 # newest available distribution, aka numbat
 steps:
 - name: Checkout Repository
 uses: actions/checkout@v4
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
index fe58404..1dbdbc4 100644
--- a/.github/workflows/lint.yml
+++ b/.github/workflows/lint.yml
@@ -24,7 +24,7 @@ on: # yamllint disable-line rule:truthy
 jobs:
 lint:
 name: lint
- runs-on: ubuntu-22.04 # newest available distribution, aka jellyfish
+ runs-on: ubuntu-24.04 # newest available distribution, aka numbat
 # skip commits made by the release plugin
 if: "!contains(github.event.head_commit.message, 'maven-release-plugin')"
 steps:
diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml
index a7847fc..c7642a7 100644
--- a/.github/workflows/security.yml
+++ b/.github/workflows/security.yml
@@ -23,7 +23,7 @@ on: # yamllint disable-line rule:truthy
 jobs:
 security:
 name: security
- runs-on: ubuntu-22.04 # newest available distribution, aka jellyfish
+ runs-on: ubuntu-24.04 # newest available distribution, aka numbat
 # skip commits made by the release plugin
 if: "!contains(github.event.head_commit.message, 'maven-release-plugin')"
 steps:
@@ -38,6 +38,9 @@ jobs:
 - name: Run Trivy vulnerability and secret scanner
 uses: aquasecurity/trivy-action@master
 id: trivy
+ env: # See https://github.com/aquasecurity/trivy/discussions/7668
+ TRIVY_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-db
+ TRIVY_JAVA_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-java-db
 with:
 scan-type: 'fs'
 scan-ref: '.' # scan the entire repository
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index b5155a5..4f5562a 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
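Review bot: The Trivy step in .github/workflows/security.yml still resolves `aquasecurity/trivy-action@master`, a mutable branch ref, so the code this job runs can change without any commit in this repository. Since the step is being edited anyway, pin it to a full commit SHA with the release noted alongside, e.g. `uses: aquasecurity/trivy-action@<full-commit-sha>  # <release-tag>` (both placeholders). The added `TRIVY_DB_REPOSITORY` and `TRIVY_JAVA_DB_REPOSITORY` each name a single registry, so vulnerability-database downloads now appear to depend on public.ecr.aws alone; a short comment saying when the override can be dropped would keep it from outliving the linked upstream issue. The rest of the step lies outside this hunk.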
@@ -23,7 +23,7 @@ on: # yamllint disable-line rule:truthy
 jobs:
 test:
 name: test (JDK ${{ matrix.java_version }})
- runs-on: ubuntu-22.04 # newest available distribution, aka jellyfish
+ runs-on: ubuntu-24.04 # newest available distribution, aka numbat
 if: "!contains(github.event.head_commit.message, 'maven-release-plugin')"
 strategy:
 fail-fast: false # don't fail fast as some failures are LTS specific
diff --git a/docker/Dockerfile b/docker/Dockerfile
index 11c9d4a..1c551d5 100644
--- a/docker/Dockerfile
+++ b/docker/Dockerfile
@@ -11,18 +11,18 @@ ARG zipkin_version=3.4.2
 # Use latest version here: https://github.com/orgs/openzipkin/packages/container/package/java
 # This is defined in many places because Docker has no "env" script functionality unless you use
 # docker-compose: When updating, update everywhere.
-ARG java_version=21.0.4_p7
+ARG java_version=21.0.5_p11
 # We copy files from the context into a scratch container first to avoid a problem where docker and
 # docker-compose don't share layer hashes https://github.com/docker/compose/issues/883 normally.
 # COPY --from= works around the issue.
-FROM scratch as scratch
+FROM scratch AS scratch
 COPY . /code/
 # This version is only used during the install process. Try to be consistent as it reduces layers,
 # which reduces downloads.
-FROM ghcr.io/openzipkin/java:${java_version} as install
+FROM ghcr.io/openzipkin/java:${java_version} AS install
 WORKDIR /code
 # Conditions aren't supported in Dockerfile instructions, so we copy source even if it isn't used.
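Review bot: The comment directly above `ARG java_version` in docker/Dockerfile says the value is defined in many places and must be updated everywhere, yet of the seven files in this patch only the Dockerfile changes it. Please confirm no other copy of `21.0.4_p7` remains; build scripts and compose files are not visible here. Separately, `ghcr.io/openzipkin/java:${java_version}` is resolved by tag only, so the install stage is reproducible only as long as that tag is never re-pushed. Appending a digest, `FROM ghcr.io/openzipkin/java:${java_version}@sha256:<digest> AS install` (placeholder digest), would fix the base-image content. The install stage continues beyond the end of this hunk.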
@@ -41,7 +41,7 @@ ENV MAVEN_PROJECT_BASEDIR=/code
 RUN /code/build-bin/maven/maven_build_or_unjar io.zipkin.gcp zipkin-module-gcp ${VERSION} module
 # zipkin version should match zipkin.version in /code/pom.xml
-FROM ghcr.io/openzipkin/zipkin:$zipkin_version as zipkin-gcp
+FROM ghcr.io/openzipkin/zipkin:$zipkin_version AS zipkin-gcp
 LABEL org.opencontainers.image.description="Zipkin with Google Cloud on OpenJDK and Alpine Linux"
 LABEL org.opencontainers.image.source=https://github.com/openzipkin/zipkin-gcp