Merge branch 'main' into 532-add-noble

.github/workflows/ci.yml

@@ -13,7 +13,7 @@ jobs:
   CI:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
+      - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
 
       - uses: actions/setup-python@82c7e631bb3cdc910f68e0081d67478d79c6982d # v5.1.0
         with:

.github/workflows/code-freeze.yml

@@ -0,0 +1,38 @@
+# ********************************************************************************
+# Copyright (c) 2024 Contributors to the Eclipse Foundation
+#
+# See the NOTICE file(s) with this work for additional
+# information regarding copyright ownership.
+#
+# This program and the accompanying materials are made
+# available under the terms of the Apache Software License 2.0
+# which is available at https://www.apache.org/licenses/LICENSE-2.0.
+#
+# SPDX-License-Identifier: Apache-2.0
+# ********************************************************************************
+
+name: Code Freeze Bot
+
+# Controls when the workflow will run
+on:
+  pull_request_target:
+  issue_comment:
+    types: [created]
+
+permissions:
+  contents: write
+  pull-requests: write
+
+jobs:
+  # Check if the pull request target branch matches the required branch-regex?
+  codefreeze_branch_check:
+    uses: adoptium/.github/.github/workflows/code-freeze-regex-branch.yml@main
+    with:
+      branch-regex: "^main$"
+
+  # Code freeze if branch-regex matches
+  codefreeze_if_branch_match:
+    needs: codefreeze_branch_check
+    uses: adoptium/.github/.github/workflows/code-freeze.yml@main
+    if: (github.event_name == 'pull_request_target' || (github.event_name == 'issue_comment' && github.event.issue.pull_request)) && needs.codefreeze_branch_check.outputs.regex-matches == 'true'
+    secrets: inherit

.github/workflows/codeql.yml

@@ -41,11 +41,11 @@ jobs:
 
     steps:
       - name: Checkout repository
-        uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
+        uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
 
       # Initializes the CodeQL tools for scanning.
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@d39d31e687223d841ef683f52467bd88e9b21c14 # v3.25.3
+        uses: github/codeql-action/init@2e230e8fe0ad3a14a340ad0815ddb96d599d2aff # v3.25.8
         with:
           languages: ${{ matrix.language }}
           # If you wish to specify custom queries, you can do so here or in a config file.
@@ -55,7 +55,7 @@ jobs:
       # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
       # If this step fails, then you should remove it and run the build manually (see below)
       - name: Autobuild
-        uses: github/codeql-action/autobuild@d39d31e687223d841ef683f52467bd88e9b21c14 # v3.25.3
+        uses: github/codeql-action/autobuild@2e230e8fe0ad3a14a340ad0815ddb96d599d2aff # v3.25.8
 
       # ℹ️ Command-line programs to run using the OS shell.
       # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun
@@ -68,6 +68,6 @@ jobs:
       #   ./location_of_script_within_repo/buildscript.sh
 
       - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@d39d31e687223d841ef683f52467bd88e9b21c14 # v3.25.3
+        uses: github/codeql-action/analyze@2e230e8fe0ad3a14a340ad0815ddb96d599d2aff # v3.25.8
         with:
           category: "/language:${{matrix.language}}"

.github/workflows/sanity.yml

@@ -11,7 +11,7 @@ jobs:
     name: Check
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
+      - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
 
       - name: Run Sanity Check Script
         run: "bash sanity.sh"

.github/workflows/scorecards.yml

@@ -31,12 +31,12 @@ jobs:
 
     steps:
       - name: "Checkout code"
-        uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
+        uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
         with:
           persist-credentials: false
 
       - name: "Run analysis"
-        uses: ossf/scorecard-action@0864cf19026789058feabb7e87baa5f140aac736 # v2.3.1
+        uses: ossf/scorecard-action@dc50aa9510b46c811795eb24b2f1ba02a914e534 # v2.3.3
         with:
           results_file: results.sarif
           results_format: sarif
@@ -66,6 +66,6 @@ jobs:
 
       # Upload the results to GitHub's code scanning dashboard.
       - name: "Upload to code-scanning"
-        uses: github/codeql-action/upload-sarif@d39d31e687223d841ef683f52467bd88e9b21c14 # v3.25.3
+        uses: github/codeql-action/upload-sarif@2e230e8fe0ad3a14a340ad0815ddb96d599d2aff # v3.25.8
         with:
           sarif_file: results.sarif

.github/workflows/test-pr.yml

@@ -18,7 +18,7 @@ jobs:
     outputs:
       strategy: ${{ steps.generate-jobs.outputs.strategy }}
     steps:
-      - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
+      - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
       - uses: docker-library/bashbrew@d23b94357ef16d21a8d14578d5338152e4460c91 # v0.1.12
       - id: generate-jobs
         name: Generate Jobs
@@ -34,7 +34,7 @@ jobs:
     name: ${{ matrix.name }}
     runs-on: ${{ matrix.os }}
     steps:
-      - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
+      - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
       - name: Prepare Environment
         run: ${{ matrix.runs.prepare }}
       - name: Pull Dependencies

.github/workflows/updater.yml

@@ -13,7 +13,7 @@ jobs:
     if: startsWith(github.repository, 'adoptium/')
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
+      - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
         with:
           persist-credentials: false
 
@@ -27,7 +27,7 @@ jobs:
       - name: Run updater
         run: "python3 generate_dockerfiles.py"
 
-      - uses: gr2m/create-or-update-pull-request-action@73b5860c078571041abd2e438b8377a24dbc2465 # v1
+      - uses: gr2m/create-or-update-pull-request-action@86ec1766034c8173518f61d2075cc2a173fb8c97 # v1.9.4
         env:
           GITHUB_TOKEN: ${{ secrets.ADOPTIUM_TEMURIN_BOT_TOKEN }}
         with:

.test/tests/java-ca-certificates-update/certs/README.md

@@ -1 +1 @@
-This certificate/key pair has been generated with `openssl req -nodes -new -x509 -days 358000 -subj "/DC=Temurin/CN=DockerBuilder" -keyout certs/server.key -out certs/server.crt` and is only used for testing
+This certificate/key pair has been generated with `openssl req -nodes -new -x509 -days 358000 -subj "/DC=Temurin/CN=DockerBuilder" -keyout certs/dockerbuilder.key -out certs/dockerbuilder.crt` and is only used for testing

.test/tests/java-ca-certificates-update/certs_symlink/.dockerbuilder.crt

@@ -0,0 +1,20 @@
+-----BEGIN CERTIFICATE-----
+MIIDRTCCAi2gAwIBAgIUIfl8I/yasxlsTEc30PLLRuleiCswDQYJKoZIhvcNAQEL
+BQAwMTEXMBUGCgmSJomT8ixkARkWB1RlbXVyaW4xFjAUBgNVBAMMDURvY2tlckJ1
+aWxkZXIwIBcNMjMwNjEyMTgyNDE1WhgPMzAwMzA4MTQxODI0MTVaMDExFzAVBgoJ
+kiaJk/IsZAEZFgdUZW11cmluMRYwFAYDVQQDDA1Eb2NrZXJCdWlsZGVyMIIBIjAN
+BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEArfOgmluNXEIE7BWvt7jGgdZW/y5s
+N78FcpZdM8Z2FatvjJKvNmJ9OkkkOSNBhGKAWpHn19JMNdQ2nEmTHMetg0hiSqRI
+hBceAY4lDfOzxAyZGGpVzL9U1B9mOrX5O3EedF5AVvl0NZVjEwswuGaUa3zZBAKy
+Z5Vv/z8Lw2uYIs/dtw8lcpEAb78BZ8bAhhhl+X+tTGK8agibLGQJT9l/JxS3pXyw
+me4YaKQQRgvuqOTEt+x+0aA5E2EUTOGq0Li+i1ranf6ou5Dz/Y6LtXwT/j2bf4ZR
+w2YHpYZL54UEtMWES2KAjsZ3u4DCxUIEfW8EgxUIhcepIDP1h05A3fSiWQIDAQAB
+o1MwUTAdBgNVHQ4EFgQUr0VirSzDQTuNgGjDxRkxPFrjUKcwHwYDVR0jBBgwFoAU
+r0VirSzDQTuNgGjDxRkxPFrjUKcwDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0B
+AQsFAAOCAQEAlo6ZSAIKSUWqRygyNg9oWuLGfWMW//dZjU1MKBYVpM4Mry/aMD5d
+kMQj9hm+zXhNYN01yLh/cdPKCQ/r1KP6lmCtZHp50Xe8HEnIymRYx0KMAcqYLjnT
+DXwCPqtWvJ1do65vVJRN70CuF8T1JNFhPdirrAiuU7bhGPABfnbek7yNkTYgUSdb
+WpV/WOFPh9Dl24vNl1/Cti+pQThlCgHF/+dVndFHN9FOOG8k8ohYkLwL+ZzKfOiZ
+CVWn2mWk2EhcuTlg/3zkXmwjfzFTdXMhS1sdfJNReaY/omJ91euxB0c8iYZV4wuU
+ghx+GJ14nO7RJNHNX4k+BBPxy3f56+cYrg==
+-----END CERTIFICATE-----

.test/tests/java-ca-certificates-update/certs_symlink/.dockerbuilder.key

@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQCt86CaW41cQgTs
+Fa+3uMaB1lb/Lmw3vwVyll0zxnYVq2+Mkq82Yn06SSQ5I0GEYoBakefX0kw11Dac
+SZMcx62DSGJKpEiEFx4BjiUN87PEDJkYalXMv1TUH2Y6tfk7cR50XkBW+XQ1lWMT
+CzC4ZpRrfNkEArJnlW//PwvDa5giz923DyVykQBvvwFnxsCGGGX5f61MYrxqCJss
+ZAlP2X8nFLelfLCZ7hhopBBGC+6o5MS37H7RoDkTYRRM4arQuL6LWtqd/qi7kPP9
+jou1fBP+PZt/hlHDZgelhkvnhQS0xYRLYoCOxne7gMLFQgR9bwSDFQiFx6kgM/WH
+TkDd9KJZAgMBAAECggEAAi4knsKpKn/xAATZO2LaFBcGZ0ji64Od/cduMB+w67PG
+yxAsmNsnqX3GBzROq3+GOdG3LPCSastNNZduJq/HAuH69Ly15E1GNOvzQXHtmHZg
+SzAhVqwK6WS3sI0xgZdOSSmZl1glkXqyRPMV333OUZbn68GykD331c8UZpTi5tlx
+qdOSEWwXQyVXh2mTT8uWWvqJm8OVaSUEo0KPNhsfWliINAXaDvlFle18wb0sQvAK
+d/49VMmEoQMocHcXas5jVHZZzxwQ8gV+cA1nFOzOEOYX1IyHjJdfEUWT7Pa3LEjg
+rPjEe/KiA3X9mVmofRG0Gvl8YjMiUEOBF/p9hgUxfQKBgQDY3oBUpkwhy3lRw2nu
+PublbozVZi12hrEPIlqLSIda6i0hbCA2E5VBykuP7z0VnQOiHQWQPJ77BYEzR6xw
+Z/PoJJL8knxtqVg9FsQlcsseDNW2THp53vf/Fiy4t+GoJZ7yezVyYI7RzngDPnCw
+buiYUsd9+uKo8+Gs0fnZGSuRvQKBgQDNVrS2/A8NKRv/3cddNqEN4m16pVmAJg8G
+Ww7t40W9c/lPW2SBH7wpEUW37N3b8lv1A8L24nJSbqiMjIkFxWroeOeFFEzKWp9r
+BlFUu0kn5oAOI1NJOEOmjR9+SslDXetKDJpon60GYWJ8ke5jfaYUTEWIxUXRYOsX
+mg8+L2iGzQKBgQCrzWiAptU9GIJdoZ8znCUysKdlDvMJKJ7vzFlKagTAoy9pgMzr
+ygu9+NJvjikoDCEqti8IGt4fIjc+NpOG4PM6fm7rI+jqvvMmQfjVaeE7RxOuvVtx
+XI++RwTauOFNYbBPjAfFOnUqBJTSjQ6c1t/we/OJ+8y/56RqUlXKBMSdSQKBgQDD
+Wz2dZduwCq9/0/FL5qB9hDHiYJPxDsR2qIVgoDyGjWLhNDM/ggDTFYK+BNXi3wbL
+6aNAnZpkgLFM3puyaOtYd0bVXsXcMzG+cglI0tI76tlkGgmv/J6oQ1V2IxKuTBmB
+ntH8vgWwr1Ay8efasf0jDJmPERhmpo2kK8daw2Hv9QKBgAaxusMUdCSBu5YwI6u4
+6d0nN6WdY2aVcgQXbhJEpsaxT9KqN+LP5wZNf08hyUiO4zSrfVOapOS+10Ng1EYi
+YQi8SjQd5deIc/jKKT5k9lCRcfhDq7YQo5pZbUgzDDuxod0WduvBnrf4zAl+K32V
+1HI3wrgh88qBEGASVY8y6rDH
+-----END PRIVATE KEY-----

.test/tests/java-ca-certificates-update/certs_symlink/README.md

@@ -0,0 +1 @@
+This certificate/key pair has been generated with `openssl req -nodes -new -x509 -days 358000 -subj "/DC=Temurin/CN=DockerBuilder" -keyout certs/dockerbuilder.key -out certs/dockerbuilder.crt` and is only used for testing

.test/tests/java-ca-certificates-update/certs_symlink/dockerbuilder.crt

@@ -0,0 +1 @@
+.dockerbuilder.crt

.test/tests/java-ca-certificates-update/expected-std-out.txt

@@ -1 +1 @@
-0101010001
+010101000001010101000001

.test/tests/java-ca-certificates-update/run.sh

@@ -1,40 +1,38 @@
 #!/bin/bash
 
-set -o pipefail 
+set -o pipefail
 
 testDir="$(readlink -f "$(dirname "$BASH_SOURCE")")"
 runDir="$(dirname "$(readlink -f "$BASH_SOURCE")")"
 
-# Find Java major/minor/build/patch version
-# 
-# https://stackoverflow.com/a/74459237/6460
-IFS='"' read -r _ java_version_string _ < <(docker run "$1" java -version 2>&1)
-IFS='._' read -r \
-    java_version_major \
-    java_version_minor \
-    java_version_build \
-    java_version_patch \
-    <<<"$java_version_string"
-
 # CMD1 in each run is just a `date` to make sure nothing is broken with or without the entrypoint
 CMD1=date
 
-# CMD2 in each run is to check for the `dockerbuilder` certificate in the Java keystore
-if [ "$java_version_major" -lt 11 ]; then
-    # We are working with JDK/JRE 8
-    #
-    # `keytool` from JDK/JRE 8 does not have the `-cacerts` option and also does not have standardized location for the
-    # `cacerts` file between the JDK and JRE, so we'd want to check both possible locations.
-    CACERTS=/opt/java/openjdk/lib/security/cacerts
-    CACERTS2=/opt/java/openjdk/jre/lib/security/cacerts
-
-    CMD2=(sh -c "keytool -list -keystore $CACERTS -storepass changeit -alias dockerbuilder || keytool -list -keystore $CACERTS2 -storepass changeit -alias dockerbuilder")
-else
-    CMD2=(keytool -list -cacerts -storepass changeit -alias dockerbuilder)
-fi
-
-# 
-# We need to use `docker run`, since `run-in-container.sh` overwrites the entrypoint
+# CMD2 in each run is to check for the `dockerbuilder` certificate in the Java keystore. Entrypoint export $CACERT to
+# point to the Java keystore.
+CMD2=(sh -c "keytool -list -keystore \$CACERT -storepass changeit -alias dockerbuilder")
+
+# For a custom entrypoint test, we need to create a new image. This image will get cleaned up at the end of the script
+# by the `finish` trap function.
+TESTIMAGE=$1.test
+
+function finish {
+    docker rmi "$TESTIMAGE" >&/dev/null
+}
+trap finish EXIT HUP INT TERM
+
+# But first, we need to create an image with an overridden entrypoint
+docker build -t "$1.test" "$runDir" -f - <<EOF >&/dev/null
+FROM $1
+COPY custom-entrypoint.sh /
+ENTRYPOINT ["/custom-entrypoint.sh"]
+EOF
+
+# NB: In this script, we need to use `docker run` explicitly, since the normally used `run-in-container.sh` overwrites
+# the entrypoint.
+
+#
+# PHASE 1: Root containers
 #
 
 # Test run 1: No added certificates and environment variable is not set. We expect CMD1 to succeed and CMD2 to fail.
@@ -63,24 +61,61 @@ echo -n $?
 docker run --rm -e USE_SYSTEM_CA_CERTS=1 --volume=$testDir/certs:/certificates "$1" "${CMD2[@]}" >&/dev/null
 echo -n $?
 
-TESTIMAGE=$1.test
-
-function finish {
-    docker rmi "$TESTIMAGE" >&/dev/null
-}
-trap finish EXIT HUP INT TERM
+# Test run 5: Certificates are mounted and are symlinks (e.g. in Kubernetes as `Secret`s or `ConfigMap`s) and the
+# environment variable is set. We expect both CMD1 and CMD2 to succeed.
+docker run --rm -e USE_SYSTEM_CA_CERTS=1 --volume=$testDir/certs_symlink:/certificates "$1" $CMD1 >&/dev/null
+echo -n $?
+docker run --rm -e USE_SYSTEM_CA_CERTS=1 --volume=$testDir/certs_symlink:/certificates "$1" "${CMD2[@]}" >&/dev/null
+echo -n $?
 
-# Test run 5: Certificates are mounted and the environment variable is set, but the entrypoint is overridden. We expect
+# Test run 6: Certificates are mounted and the environment variable is set, but the entrypoint is overridden. We expect
 # CMD1 to succeed and CMD2 to fail.
-#
-# But first, we need to create an image with an overridden entrypoint
-docker build -t "$1.test" "$runDir" -f - <<EOF >&/dev/null 
-FROM $1
-COPY custom-entrypoint.sh /
-ENTRYPOINT ["/custom-entrypoint.sh"]
-EOF
-
 docker run --rm -e USE_SYSTEM_CA_CERTS=1 --volume=$testDir/certs:/certificates "$TESTIMAGE" $CMD1 >&/dev/null
 echo -n $?
 docker run --rm -e USE_SYSTEM_CA_CERTS=1 --volume=$testDir/certs:/certificates "$TESTIMAGE" "${CMD2[@]}" >&/dev/null
 echo -n $?
+
+#
+# PHASE 2: Non-root containers
+#
+
+# Test run 1: No added certificates and environment variable is not set. We expect CMD1 to succeed and CMD2 to fail.
+docker run --read-only --user 1000:1000 --rm "$1" $CMD1 >&/dev/null
+echo -n $?
+docker run --read-only --user 1000:1000 --rm "$1" "${CMD2[@]}" >&/dev/null
+echo -n $?
+
+# Test run 2: No added certificates, but the environment variable is set. Since there are no certificates, we still
+# expect CMD1 to succeed and CMD2 to fail.
+docker run --read-only --user 1000:1000 -v /tmp --rm -e USE_SYSTEM_CA_CERTS=1 "$1" $CMD1 >&/dev/null
+echo -n $?
+docker run --read-only --user 1000:1000 -v /tmp --rm -e USE_SYSTEM_CA_CERTS=1 "$1" "${CMD2[@]}" >&/dev/null
+echo -n $?
+
+# Test run 3: Certificates are mounted, but the environment variable is not set, i.e. certificate importing should not
+# be activated. We expect CMD1 to succeed and CMD2 to fail.
+docker run --read-only --user 1000:1000 --rm --volume=$testDir/certs:/certificates "$1" $CMD1 >&/dev/null
+echo -n $?
+docker run --read-only --user 1000:1000 --rm --volume=$testDir/certs:/certificates "$1" "${CMD2[@]}" >&/dev/null
+echo -n $?
+
+# Test run 4: Certificates are mounted and the environment variable is set. We expect both CMD1 and CMD2 to succeed.
+docker run --read-only --user 1000:1000 -v /tmp --rm -e USE_SYSTEM_CA_CERTS=1 --volume=$testDir/certs:/certificates "$1" $CMD1 >&/dev/null
+echo -n $?
+docker run --read-only --user 1000:1000 -v /tmp --rm -e USE_SYSTEM_CA_CERTS=1 --volume=$testDir/certs:/certificates "$1" "${CMD2[@]}" >&/dev/null
+echo -n $?
+
+# Test run 5: Certificates are mounted and are symlinks (e.g. in Kubernetes as `Secret`s or `ConfigMap`s) and the
+# environment variable is set. We expect both CMD1 and CMD2 to succeed.
+docker run --read-only --user 1000:1000 -v /tmp --rm -e USE_SYSTEM_CA_CERTS=1 --volume=$testDir/certs_symlink:/certificates "$1" $CMD1 >&/dev/null
+echo -n $?
+docker run --read-only --user 1000:1000 -v /tmp --rm -e USE_SYSTEM_CA_CERTS=1 --volume=$testDir/certs_symlink:/certificates "$1" "${CMD2[@]}" >&/dev/null
+echo -n $?
+
+# Test run 6: Certificates are mounted and the environment variable is set, but the entrypoint is overridden. We expect
+# CMD1 to succeed and CMD2 to fail.
+#
+docker run --read-only --user 1000:1000 -v /tmp --rm -e USE_SYSTEM_CA_CERTS=1 --volume=$testDir/certs:/certificates "$TESTIMAGE" $CMD1 >&/dev/null
+echo -n $?
+docker run --read-only --user 1000:1000 -v /tmp --rm -e USE_SYSTEM_CA_CERTS=1 --volume=$testDir/certs:/certificates "$TESTIMAGE" "${CMD2[@]}" >&/dev/null
+echo -n $?

11/jdk/alpine/Dockerfile

@@ -45,7 +45,7 @@ ENV JAVA_VERSION jdk-11.0.23+9
 RUN set -eux; \
     ARCH="$(apk --print-arch)"; \
     case "${ARCH}" in \
-       amd64|x86_64) \
+       x86_64) \
          ESUM='b45c467be52fe11ffd9bf69b3a035068134b305053874de4f3b3c5e5e1419659'; \
          BINARY_URL='https://github.com/adoptium/temurin11-binaries/releases/download/jdk-11.0.23%2B9/OpenJDK11U-jdk_x64_alpine-linux_hotspot_11.0.23_9.tar.gz'; \
          ;; \