openzipkin · codefromthecrypt · Nov 19, 2024 · Nov 19, 2024 · Nov 19, 2024
diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
@@ -11,7 +11,7 @@ on:
 
 jobs:
   deploy:
-    runs-on: ubuntu-22.04  # newest available distribution, aka jellyfish
+    runs-on: ubuntu-24.04  # newest available distribution, aka numbat
     steps:
       - name: Checkout Repository
         uses: actions/checkout@v4

diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml
@@ -23,7 +23,7 @@ on:  # yamllint disable-line rule:truthy
 jobs:
   security:
     name: security
-    runs-on: ubuntu-22.04  # newest available distribution, aka jellyfish
+    runs-on: ubuntu-24.04  # newest available distribution, aka numbat
     # skip commits made by the release plugin
     if: "!contains(github.event.head_commit.message, 'maven-release-plugin')"
     steps:
@@ -38,6 +38,9 @@ jobs:
       - name: Run Trivy vulnerability and secret scanner
         uses: aquasecurity/trivy-action@master
         id: trivy
+        env:  # See https://github.com/aquasecurity/trivy/discussions/7668
+          TRIVY_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-db
+          TRIVY_JAVA_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-java-db
         with:
           scan-type: 'fs'
           scan-ref: '.'  # scan the entire repository

diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
@@ -16,7 +16,7 @@ on:
 
 jobs:
   test:
-    runs-on: ubuntu-22.04  # newest available distribution, aka jellyfish
+    runs-on: ubuntu-24.04  # newest available distribution, aka numbat
     steps:
       - name: Checkout Repository
         uses: actions/checkout@v4

diff --git a/Dockerfile b/Dockerfile
@@ -18,7 +18,7 @@
 # When updating, update the README and the alpine_version ARG
 #  * Use current version from https://alpinelinux.org/downloads/
 #  * ARGs repeat because Dockerfile ARGs are layer specific but will reuse the value defined here.
-ARG alpine_version=3.20.2
+ARG alpine_version=3.20.3
 
 # We copy files from the context into a scratch container first to avoid a problem where docker and
 # docker-compose don't share layer hashes https://github.com/docker/compose/issues/883 normally.
@@ -29,7 +29,7 @@ COPY . /code/
 
 # See from a previously published version to avoid pulling from Docker Hub (docker.io)
 # This version is only used to install the real version
-FROM ghcr.io/openzipkin/alpine:3.20.0 as install
+FROM ghcr.io/openzipkin/alpine:3.20.2 as install
 
 WORKDIR /code
 # Conditions aren't supported in Dockerfile instructions, so we copy source even if it isn't used.

diff --git a/README.md b/README.md
@@ -13,22 +13,22 @@ This is an internal base layer primarily used in [docker-java](https://github.co
 
 To browse the image, run it in interactive mode with TTY enabled like so:
 ```bash
-docker run -ti --rm ghcr.io/openzipkin/alpine:3.20.2
+docker run -ti --rm ghcr.io/openzipkin/alpine:3.20.3
 / #
 ```
 
 ## Release process
 Build the `Dockerfile` using the current version from https://alpinelinux.org/downloads/:
 ```bash
-# Note 3.20.2 not 3.19!
-./build-bin/build 3.20.2
+# Note 3.20.3 not 3.20!
+./build-bin/build 3.20.3
 ```
 
 Next, verify the built image matches that version:
 ```bash
 docker run --rm openzipkin/alpine:test -c 'cat /etc/alpine-release'
-3.20.2
+3.20.3
 ```
 
-To release the image, push a tag matching the arg to `build-bin/build` (ex `3.20.2`).
+To release the image, push a tag matching the arg to `build-bin/build` (ex `3.20.3`).
 This triggers a [GitHub Actions](https://github.com/openzipkin/docker-alpine/actions) job to push the image.