Apply infra updates from docker-java repo

Bumps the version of the Zipkin Docker Java image and OS used by GH Action runners and applies the same conventions to Dockerfile. Fixes the trivy intermittent issue; See aquasecurity/trivy#7668
openzipkin · Nov 27, 2024 · 46a4266 · 46a4266
1 parent b3bca5a
commit 46a4266
Show file tree

Hide file tree

Showing 7 changed files with 13 additions and 10 deletions.
diff --git a/.github/workflows/create_release.yml b/.github/workflows/create_release.yml
@@ -10,7 +10,7 @@ on:  # yamllint disable-line rule:truthy
 
 jobs:
   create_release:
-    runs-on: ubuntu-22.04  # newest available distribution, aka jellyfish
+    runs-on: ubuntu-24.04  # newest available distribution, aka numbat
     steps:
       - name: Checkout Repository
         uses: actions/checkout@v4

diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
@@ -15,7 +15,7 @@ on:  # yamllint disable-line rule:truthy
 
 jobs:
   deploy:
-    runs-on: ubuntu-22.04  # newest available distribution, aka jellyfish
+    runs-on: ubuntu-24.04  # newest available distribution, aka numbat
     steps:
       - name: Checkout Repository
         uses: actions/checkout@v4

diff --git a/.github/workflows/docker_push.yml b/.github/workflows/docker_push.yml
@@ -10,7 +10,7 @@ on:  # yamllint disable-line rule:truthy
 
 jobs:
   docker_push:
-    runs-on: ubuntu-22.04  # newest available distribution, aka jellyfish
+    runs-on: ubuntu-24.04  # newest available distribution, aka numbat
     steps:
       - name: Checkout Repository
         uses: actions/checkout@v4

diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
@@ -24,7 +24,7 @@ on:  # yamllint disable-line rule:truthy
 jobs:
   lint:
     name: lint
-    runs-on: ubuntu-22.04  # newest available distribution, aka jellyfish
+    runs-on: ubuntu-24.04  # newest available distribution, aka numbat
     # skip commits made by the release plugin
     if: "!contains(github.event.head_commit.message, 'maven-release-plugin')"
     steps:

diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml
@@ -23,7 +23,7 @@ on:  # yamllint disable-line rule:truthy
 jobs:
   security:
     name: security
-    runs-on: ubuntu-22.04  # newest available distribution, aka jellyfish
+    runs-on: ubuntu-24.04  # newest available distribution, aka numbat
     # skip commits made by the release plugin
     if: "!contains(github.event.head_commit.message, 'maven-release-plugin')"
     steps:
@@ -38,6 +38,9 @@ jobs:
       - name: Run Trivy vulnerability and secret scanner
         uses: aquasecurity/trivy-action@master
         id: trivy
+        env:  # See https://github.com/aquasecurity/trivy/discussions/7668
+          TRIVY_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-db
+          TRIVY_JAVA_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-java-db
         with:
           scan-type: 'fs'
           scan-ref: '.'  # scan the entire repository

diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
@@ -23,7 +23,7 @@ on:  # yamllint disable-line rule:truthy
 jobs:
   test:
     name: test (JDK ${{ matrix.java_version }})
-    runs-on: ubuntu-22.04  # newest available distribution, aka jellyfish
+    runs-on: ubuntu-24.04  # newest available distribution, aka numbat
     if: "!contains(github.event.head_commit.message, 'maven-release-plugin')"
     strategy:
       fail-fast: false  # don't fail fast as some failures are LTS specific

diff --git a/docker/Dockerfile b/docker/Dockerfile
@@ -11,18 +11,18 @@ ARG zipkin_version=3.4.2
 # Use latest version here: https://github.com/orgs/openzipkin/packages/container/package/java
 # This is defined in many places because Docker has no "env" script functionality unless you use
 # docker-compose: When updating, update everywhere.
-ARG java_version=21.0.4_p7
+ARG java_version=21.0.5_p11
 
 # We copy files from the context into a scratch container first to avoid a problem where docker and
 # docker-compose don't share layer hashes https://github.com/docker/compose/issues/883 normally.
 # COPY --from= works around the issue.
-FROM scratch as scratch
+FROM scratch AS scratch
 
 COPY . /code/
 
 # This version is only used during the install process. Try to be consistent as it reduces layers,
 # which reduces downloads.
-FROM ghcr.io/openzipkin/java:${java_version} as install
+FROM ghcr.io/openzipkin/java:${java_version} AS install
 
 WORKDIR /code
 # Conditions aren't supported in Dockerfile instructions, so we copy source even if it isn't used.
@@ -41,7 +41,7 @@ ENV MAVEN_PROJECT_BASEDIR=/code
 RUN /code/build-bin/maven/maven_build_or_unjar io.zipkin.gcp zipkin-module-gcp ${VERSION} module
 
 # zipkin version should match zipkin.version in /code/pom.xml
-FROM ghcr.io/openzipkin/zipkin:$zipkin_version as zipkin-gcp
+FROM ghcr.io/openzipkin/zipkin:$zipkin_version AS zipkin-gcp
 LABEL org.opencontainers.image.description="Zipkin with Google Cloud on OpenJDK and Alpine Linux"
 LABEL org.opencontainers.image.source=https://github.com/openzipkin/zipkin-gcp