Merge branch 'release/17.0.6.0'

.github/workflows/publish.yml

@@ -30,7 +30,7 @@ jobs:
 
       # Build Docker image with Buildx
       - name: Build Docker image
-        uses: docker/build-push-action@37abcedcc1da61a57767b7588cb9d03eb57e28b3 # v3.3.0
+        uses: docker/build-push-action@3b5e8027fcad23fda98b2e3ac259d8d67585f671 # v4.0.0
         with:
           context: .
           push: false
@@ -49,7 +49,7 @@ jobs:
       # Publish scan report to GitHub
       - name: Publish scan report to GitHub
         if: ${{ github.event_name != 'release' && always() }}
-        uses: github/codeql-action/upload-sarif@a34ca99b4610d924e04c68db79e503e1f79f9f02 # v2.1.39
+        uses: github/codeql-action/upload-sarif@3ebbd71c74ef574dbc558c82f70e52732c8b44fe # v2.2.1
         with:
           sarif_file: trivy-results.sarif
 
@@ -63,7 +63,7 @@ jobs:
 
       # Publish Docker image for CI builds if not PR build
       - name: Push container image
-        uses: docker/build-push-action@37abcedcc1da61a57767b7588cb9d03eb57e28b3 # v3.3.0
+        uses: docker/build-push-action@3b5e8027fcad23fda98b2e3ac259d8d67585f671 # v4.0.0
         if: github.event_name != 'pull_request'
         with:
           context: .

Dockerfile

@@ -1,37 +1,69 @@
-FROM debian:11.6-slim
-
-LABEL org.opencontainers.image.vendor="Swiss GRC AG"
-LABEL org.opencontainers.image.authors="Swiss GRC AG <[email protected]>"
-LABEL org.opencontainers.image.title="azure-pipelines-openjdk"
-LABEL org.opencontainers.image.documentation="https://github.com/swissgrc/docker-azure-pipelines-openjdk"
+# Base image containing dependencies used in builder and final image
+FROM debian:11.6-slim AS base
 
 # Make sure to fail due to an error at any stage in shell pipes
 SHELL ["/bin/bash", "-o", "pipefail", "-c"]
 
-# Install Docker CLI
-
-# renovate: datasource=github-tags depName=docker/cli extractVersion=^v(?<version>.*)$
-ENV DOCKERCLI_VERSION=20.10.23
-#Disabled renovate: datasource=repology depName=debian_11/curl versioning=loose
-ENV CURL_VERSION=7.74.0-1.3+deb11u3
 #Disabled renovate: datasource=repology depName=debian_11/ca-certificates versioning=loose
 ENV CACERTIFICATES_VERSION=20210119
+
+RUN apt-get update -y && \
+  # Install necessary dependencies
+  apt-get install -y --no-install-recommends ca-certificates=${CACERTIFICATES_VERSION} && \
+  # Clean up
+  apt-get clean && \
+  rm -rf /var/lib/apt/lists/*
+
+
+# Builder image
+FROM base AS build
+
+# Make sure to fail due to an error at any stage in shell pipes
+SHELL ["/bin/bash", "-o", "pipefail", "-c"]
+
+#Disabled renovate: datasource=repology depName=debian_11/curl versioning=loose
+ENV CURL_VERSION=7.74.0-1.3+deb11u5
 #Disabled renovate: datasource=repology depName=debian_11/lsb-release versioning=loose
 ENV LSBRELEASE_VERSION=11.1.0
 #Disabled renovate: datasource=repology depName=debian_11/gnupg2 versioning=loose
 ENV GNUPG_VERSION=2.2.27-2+deb11u2
 
 RUN apt-get update -y && \
   # Install necessary dependencies
-  apt-get install -y --no-install-recommends ca-certificates=${CACERTIFICATES_VERSION} curl=${CURL_VERSION} lsb-release=${LSBRELEASE_VERSION} gnupg=${GNUPG_VERSION} && \
+  apt-get install -y --no-install-recommends curl=${CURL_VERSION} lsb-release=${LSBRELEASE_VERSION} gnupg=${GNUPG_VERSION} && \
   # Add Dockers public key
   mkdir -p /etc/apt/keyrings && \
   curl -fsSL https://download.docker.com/linux/debian/gpg | gpg --dearmor -o /etc/apt/keyrings/docker.gpg && \
   # Add Dockers APT repository to the list of sources
   echo "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/debian $(lsb_release -cs) stable" | tee /etc/apt/sources.list.d/docker.list > /dev/null && \
-  # Update the package sources
-  apt-get update -y && \
-  # Install Docker CLI
+  # Add Eclipse Adoptium public key
+  curl -fsSL https://packages.adoptium.net/artifactory/api/gpg/key/public | tee /etc/apt/keyrings/adoptium.asc && \
+  # Add Eclipse Adoptium APT repository to the list of sources
+  echo "deb [signed-by=/etc/apt/keyrings/adoptium.asc] https://packages.adoptium.net/artifactory/deb $(awk -F= '/^VERSION_CODENAME/{print$2}' /etc/os-release) main" | tee /etc/apt/sources.list.d/adoptium.list > /dev/null
+
+
+# Final image
+FROM base AS final
+
+LABEL org.opencontainers.image.vendor="Swiss GRC AG"
+LABEL org.opencontainers.image.authors="Swiss GRC AG <[email protected]>"
+LABEL org.opencontainers.image.title="azure-pipelines-openjdk"
+LABEL org.opencontainers.image.documentation="https://github.com/swissgrc/docker-azure-pipelines-openjdk"
+
+# Make sure to fail due to an error at any stage in shell pipes
+SHELL ["/bin/bash", "-o", "pipefail", "-c"]
+
+WORKDIR /
+COPY --from=build /etc/apt/keyrings/ /etc/apt/keyrings
+COPY --from=build /etc/apt/sources.list.d/ /etc/apt/sources.list.d
+
+# Install Docker CLI
+
+# renovate: datasource=github-tags depName=docker/cli extractVersion=^v(?<version>.*)$
+ENV DOCKERCLI_VERSION=20.10.23
+
+# Install Docker CLI
+RUN apt-get update -y && \
   apt-get install -y --no-install-recommends docker-ce-cli=5:${DOCKERCLI_VERSION}~3-0~debian-bullseye && \
   # Clean up
   apt-get clean && \
@@ -42,20 +74,13 @@ RUN apt-get update -y && \
 # Install OpenJDK
 
 # renovate: datasource=adoptium-java depName=java-jdk versioning=loose
-ENV OPENJDK_VERSION=17.0.5.0.0+8
+ENV OPENJDK_VERSION=17.0.6.0.0+10
 
+# Install OpenJDK
 RUN apt-get update -y && \
-  # Add Eclipse Adoptium public key
-  mkdir -p /etc/apt/keyrings && \
-  curl -fsSL https://packages.adoptium.net/artifactory/api/gpg/key/public | tee /etc/apt/keyrings/adoptium.asc && \
-  # Add Eclipse Adoptium APT repository to the list of sources
-  echo "deb [signed-by=/etc/apt/keyrings/adoptium.asc] https://packages.adoptium.net/artifactory/deb $(awk -F= '/^VERSION_CODENAME/{print$2}' /etc/os-release) main" | tee /etc/apt/sources.list.d/adoptium.list > /dev/null && \
-  # Update the package sources
-  apt-get update -y && \
-  # Install OpenJDK
   apt-get install -y --no-install-recommends temurin-17-jdk=${OPENJDK_VERSION} && \
   # Clean up
   apt-get clean && \
   rm -rf /var/lib/apt/lists/* && \
   # Smoke test
-  java -version
+  java -version

README.md

@@ -35,11 +35,12 @@ The following example shows the container used for a deployment step which shows
 
 | Tag        | Description                                                                                   | Base Image       | Docker CLI | OpenJDK  | Size                                                                                                                             |
 |------------|-----------------------------------------------------------------------------------------------|------------------|------------|----------|----------------------------------------------------------------------------------------------------------------------------------|
-| latest     | Latest stable release (from `main` branch)                                                    | debian:11.6-slim | 20.10.23   | 17.0.5.0 | ![Docker Image Size (tag)](https://img.shields.io/docker/image-size/swissgrc/azure-pipelines-openjdk/latest?style=flat-square)   |
-| unstable   | Latest unstable release (from `develop` branch)                                               | debian:11.6-slim | 20.10.23   | 17.0.5.0 | ![Docker Image Size (tag)](https://img.shields.io/docker/image-size/swissgrc/azure-pipelines-openjdk/unstable?style=flat-square) |
+| latest     | Latest stable release (from `main` branch)                                                    | debian:11.6-slim | 20.10.23   | 17.0.6.0 | ![Docker Image Size (tag)](https://img.shields.io/docker/image-size/swissgrc/azure-pipelines-openjdk/latest?style=flat-square)   |
+| unstable   | Latest unstable release (from `develop` branch)                                               | debian:11.6-slim | 20.10.23   | 17.0.6.0 | ![Docker Image Size (tag)](https://img.shields.io/docker/image-size/swissgrc/azure-pipelines-openjdk/unstable?style=flat-square) |
 | 17.0.4.0   | [OpenJDK 17.0.4](https://foojay.io/java-17/?tab=component&version=17.0.4&quarter=072022)      | debian:11.3-slim | 20.10.17   | 17.0.4.0 | ![Docker Image Size (tag)](https://img.shields.io/docker/image-size/swissgrc/azure-pipelines-openjdk/17.0.4.0?style=flat-square) |
 | 17.0.4.1   | [OpenJDK 17.0.4](https://foojay.io/java-17/?tab=component&version=17.0.4&quarter=072022)      | debian:11.5-slim | 20.10.21   | 17.0.4.1 | ![Docker Image Size (tag)](https://img.shields.io/docker/image-size/swissgrc/azure-pipelines-openjdk/17.0.4.1?style=flat-square) |
 | 17.0.5.0   | [OpenJDK 17.0.5](https://foojay.io/java-17/?tab=component&version=17.0.5&quarter=102022)      | debian:11.6-slim | 20.10.23   | 17.0.5.0 | ![Docker Image Size (tag)](https://img.shields.io/docker/image-size/swissgrc/azure-pipelines-openjdk/17.0.5.0?style=flat-square) |
+| 17.0.6.0   | [OpenJDK 17.0.6](https://foojay.io/java-17/?tab=component&version=17.0.6&quarter=012023)      | debian:11.6-slim | 20.10.23   | 17.0.6.0 | ![Docker Image Size (tag)](https://img.shields.io/docker/image-size/swissgrc/azure-pipelines-openjdk/17.0.6.0?style=flat-square) |
 
 ### Configuration
 
@@ -48,11 +49,8 @@ These environment variables are supported:
 | Environment variable   | Default value        | Description                                                      |
 |------------------------|----------------------|------------------------------------------------------------------|
 | DOCKERCLI_VERSION      | `20.10.23`           | Version of Docker CLI installed in the image.                    |
-| OPENJDK_VERSION        | `17.0.5.0.0+8`       | Version of Eclipse Temurin OpenJDK installed in the image.       |
+| OPENJDK_VERSION        | `17.0.6.0.0+10`      | Version of Eclipse Temurin OpenJDK installed in the image.       |
 | CACERTIFICATES_VERSION | `20210119`           | Version of `ca-certificates` package used to install components. |
-| CURL_VERSION           | `7.74.0-1.3+deb11u3` | Version of `curl` package used to install components.            |
-| LSBRELEASE_VERSION     | `11.1.0`             | Version of `lsb-release` package used to install components.     |
-| GNUPG_VERSION          | `2.2.27-2+deb11u2`   | Version of `gnupg` package used to install components.           |
 
 [Eclipse Temurin OpenJDK]: https://adoptium.net/temurin/
 [Azure Pipelines container jobs]: https://docs.microsoft.com/en-us/azure/devops/pipelines/process/container-phases