From 55e15b593bf791dd7b0d9ba92e6758bb8514961a Mon Sep 17 00:00:00 2001 From: Sarah Chen Date: Tue, 13 May 2025 16:02:47 -0400 Subject: [PATCH 01/11] Replace cimg base image with ubuntu:24.04 --- Dockerfile | 71 +++++++++++++++++++++++++++++------------------------- 1 file changed, 38 insertions(+), 33 deletions(-) diff --git a/Dockerfile b/Dockerfile index 96397ea..4226cf5 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,7 +1,7 @@ # syntax=docker/dockerfile:1.6 # Intermediate image used to prune cruft from JDKs and squash them all. -FROM cimg/base:current-22.04 AS all-jdk +FROM ubuntu:24.04 AS all-jdk COPY --from=eclipse-temurin:8-jdk-jammy /opt/java/openjdk /usr/lib/jvm/8 COPY --from=eclipse-temurin:11-jdk-jammy /opt/java/openjdk /usr/lib/jvm/11 
@@ -21,28 +21,34 @@ COPY --from=ibm-semeru-runtimes:open-17-jdk-jammy /opt/java/openjdk /usr/lib/jvm COPY --from=ghcr.io/graalvm/native-image-community:17-ol9 /usr/lib64/graalvm/graalvm-community-java17 /usr/lib/jvm/graalvm17 COPY --from=ghcr.io/graalvm/native-image-community:21-ol9 /usr/lib64/graalvm/graalvm-community-java21 /usr/lib/jvm/graalvm21 -RUN sudo apt-get -y update && sudo apt-get -y install curl +RUN apt-get update && \ + apt-get install -y curl tar apt-transport-https ca-certificates gnupg wget && \ + apt-get clean && \ + rm -rf /var/lib/apt/lists/* + # See: https://gist.github.com/wavezhang/ba8425f24a968ec9b2a8619d7c2d86a6 RUN <<-EOT set -eux - sudo mkdir -p /usr/lib/jvm/oracle8 - curl -L --fail "https://javadl.oracle.com/webapps/download/AutoDL?BundleId=246284_165374ff4ea84ef0bbd821706e29b123" | sudo tar -xvzf - -C /usr/lib/jvm/oracle8 --strip-components 1 + mkdir -p /usr/lib/jvm/oracle8 + curl -L --fail "https://javadl.oracle.com/webapps/download/AutoDL?BundleId=246284_165374ff4ea84ef0bbd821706e29b123" | tar -xvzf - -C /usr/lib/jvm/oracle8 --strip-components 1 EOT # Install Ubuntu's OpenJDK 17 and fix broken symlinks: # some files in /usr/lib/jvm/ubuntu17 are symlinks to /etc/java-17-openjdk/, so we just copy all symlinks targets. 
RUN <<-EOT set -eux - sudo apt-get install openjdk-17-jdk - sudo mv /usr/lib/jvm/java-17-openjdk-amd64 /usr/lib/jvm/ubuntu17 - sudo cp -rf --remove-destination /etc/java-17-openjdk/* /usr/lib/jvm/ubuntu17/conf/ - sudo cp -rf --remove-destination /etc/java-17-openjdk/* /usr/lib/jvm/ubuntu17/lib/ - sudo cp -f --remove-destination /etc/java-17-openjdk/jvm-amd64.cfg /usr/lib/jvm/ubuntu17/lib/ + apt-get update + apt-get install -y openjdk-17-jdk + mv /usr/lib/jvm/java-17-openjdk-amd64 /usr/lib/jvm/ubuntu17 + mkdir -p /usr/lib/jvm/ubuntu17/conf/ /usr/lib/jvm/ubuntu17/lib/ + cp -rf --remove-destination /etc/java-17-openjdk/* /usr/lib/jvm/ubuntu17/conf/ + cp -rf --remove-destination /etc/java-17-openjdk/* /usr/lib/jvm/ubuntu17/lib/ + cp -f --remove-destination /etc/java-17-openjdk/jvm-amd64.cfg /usr/lib/jvm/ubuntu17/lib/ EOT # Remove cruft from JDKs that is not used in the build process. RUN <<-EOT - sudo rm -rf \ + rm -rf \ /usr/lib/jvm/*/man \ /usr/lib/jvm/*/lib/src.zip \ /usr/lib/jvm/*/demo \ 
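Review bot: The Oracle JDK 8 download in the second heredoc of this hunk is still piped straight into `tar` with no integrity check, and because the exit status of the pipeline is tar's, curl's `--fail` cannot stop the build on a truncated or substituted archive — `set -eux` alone does not give pipefail under the image's default `/bin/sh`. Download to a file, verify it, then extract: `curl -L --fail -o /tmp/jdk8.tar.gz "https://javadl.oracle.com/webapps/download/AutoDL?BundleId=246284_165374ff4ea84ef0bbd821706e29b123"`, `echo "<EXPECTED_SHA256>  /tmp/jdk8.tar.gz" | sha256sum -c -`, `tar -xzf /tmp/jdk8.tar.gz -C /usr/lib/jvm/oracle8 --strip-components 1` (the placeholder is the published digest for that bundle). The same unverified-download pattern recurs for compose, yq and datadog-ci in the later hunks of this patch. The cruft-removal heredoc at the end of the hunk also runs without `set -e`, so a failing `rm` there is silently ignored; adding `set -eux` as its first line matches the other heredocs.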
@@ -59,23 +65,28 @@ COPY --from=all-jdk /usr/lib/jvm/21 /usr/lib/jvm/21 # Base image with minimunm requirenents to build the project. # Based on CircleCI Base Image with Ubuntu 22.04.3 LTS, present in most runners. -FROM cimg/base:current-22.04 AS base +FROM ubuntu:24.04 AS base # https://docs.github.com/en/packages/learn-github-packages/connecting-a-repository-to-a-package LABEL org.opencontainers.image.source=https://github.com/DataDog/dd-trace-java-docker-build -# Replace Docker Compose and yq versions by latest and remove docker-switch from CircleCI Base Image for security purposes +RUN apt-get update && \ + apt-get install -y curl apt-transport-https ca-certificates gnupg \ + socat less debian-goodies autossh ca-certificates-java python3-pip && \ + apt-get clean && \ + rm -rf /var/lib/apt/lists/* && \ + mkdir -p /usr/local/lib/docker/cli-plugins /usr/local/bin + +# Install Docker Compose plugin and yq YAML processor RUN <<-EOT set -eu dockerPluginDir=/usr/local/lib/docker/cli-plugins - sudo curl -sSL "https://github.com/docker/compose/releases/latest/download/docker-compose-linux-$(uname -m)" -o $dockerPluginDir/docker-compose - sudo chmod +x $dockerPluginDir/docker-compose - sudo sudo update-alternatives --remove docker-compose /usr/local/bin/compose-switch - sudo rm -f /usr/local/bin/compose-switch - sudo rm /usr/local/bin/{install-man-page.sh,yq*} - curl -sSL "https://github.com/mikefarah/yq/releases/latest/download/yq_linux_$(dpkg --print-architecture).tar.gz" | sudo tar -xz -C /usr/local/bin --wildcards --no-anchored 'yq_linux_*' - sudo mv /usr/local/bin/yq{_linux_*,} - sudo chown root:root /usr/local/bin/yq + curl -sSL "https://github.com/docker/compose/releases/latest/download/docker-compose-linux-$(uname -m)" -o $dockerPluginDir/docker-compose + chmod +x $dockerPluginDir/docker-compose + curl -sSL "https://github.com/mikefarah/yq/releases/latest/download/yq_linux_$(dpkg --print-architecture).tar.gz" | tar -xz -C /usr/local/bin --wildcards --no-anchored 
'yq_linux_*' + YQ_PATH=$(find /usr/local/bin -name 'yq_linux_*') + mv "$YQ_PATH" /usr/local/bin/yq + chown root:root /usr/local/bin/yq EOT COPY --from=default-jdk /usr/lib/jvm /usr/lib/jvm @@ -88,20 +99,14 @@ COPY autoforward.py /usr/local/bin/autoforward # - datadog-ci: Datadog CI tool RUN <<-EOT set -eux - sudo apt-get update - sudo apt-get install --no-install-recommends apt-transport-https socat - sudo apt-get install --no-install-recommends vim less debian-goodies - sudo apt-get install --no-install-recommends autossh - sudo apt-get install ca-certificates-java - sudo apt install python3-pip - sudo apt-get -y clean - sudo rm -rf /var/lib/apt/lists/* - pip3 install awscli - pip3 install requests requests-unixsocket2 + apt-get update + pip3 install --break-system-packages awscli requests requests-unixsocket2 pip3 cache purge - sudo chmod +x /usr/local/bin/autoforward - sudo curl -L --fail "https://github.com/DataDog/datadog-ci/releases/latest/download/datadog-ci_linux-x64" --output "/usr/local/bin/datadog-ci" - sudo chmod +x /usr/local/bin/datadog-ci + chmod +x /usr/local/bin/autoforward + curl -L --fail "https://github.com/DataDog/datadog-ci/releases/latest/download/datadog-ci_linux-x64" --output "/usr/local/bin/datadog-ci" + chmod +x /usr/local/bin/datadog-ci + apt-get clean + rm -rf /var/lib/apt/lists/* EOT # IBM specific env variables From 9b8d97ed8f129e9eaba3088586320cc794bb1067 Mon Sep 17 00:00:00 2001 From: Sarah Chen Date: Wed, 14 May 2025 13:30:40 -0400 Subject: [PATCH 02/11] Clean a few lines --- Dockerfile | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/Dockerfile b/Dockerfile index 4226cf5..a06cb49 100644 --- a/Dockerfile +++ b/Dockerfile 
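Review bot: The compose and yq downloads in the base-stage heredoc use `curl -sSL` without `--fail`, so on an HTTP error curl writes the error page into `$dockerPluginDir/docker-compose` (or into the yq pipeline) and exits 0, the file is then marked executable, and `set -eu` never fires; use `curl -fsSL` on both lines. `YQ_PATH=$(find /usr/local/bin -name 'yq_linux_*')` followed by `mv "$YQ_PATH" /usr/local/bin/yq` assumes exactly one match — an empty result makes `mv` fail with a confusing message, so a guard such as `[ -n "$YQ_PATH" ]` before the `mv` is cheaper than debugging it later. Both tools are fetched from `releases/latest` with no version or checksum, which makes the image non-reproducible and unverifiable; a pinned release tag in an `ARG` plus a digest check would fix that. Note that `mkdir -p /usr/local/lib/docker/cli-plugins /usr/local/bin` is done in the install step but `dockerPluginDir` is re-spelled here; a shared `ENV`/`ARG` would keep the two in sync.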
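Review bot: `apt-get update` at the top of this heredoc no longer has an `apt-get install` after it, so it only spends time before its lists are deleted again by the trailing `apt-get clean` / `rm -rf /var/lib/apt/lists/*`; all three lines can go, since the earlier install step already cleans up. `pip3 install --break-system-packages awscli requests requests-unixsocket2` installs unpinned packages into the system interpreter and overrides the externally-managed guard; pinning the versions and installing into a venv (for example `/opt/venv`, with its `bin` prepended to `PATH`) keeps the runtime reproducible without that flag. The removed lines show two things the consolidated install in the earlier hunk of this patch silently changed: `--no-install-recommends` is no longer passed, so the base image now carries recommended packages it did not before, and `vim` is no longer installed at all — if the latter is intentional it deserves a line in the commit message.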
@@ -22,7 +22,7 @@ COPY --from=ghcr.io/graalvm/native-image-community:17-ol9 /usr/lib64/graalvm/gra COPY --from=ghcr.io/graalvm/native-image-community:21-ol9 /usr/lib64/graalvm/graalvm-community-java21 /usr/lib/jvm/graalvm21 RUN apt-get update && \ - apt-get install -y curl tar apt-transport-https ca-certificates gnupg wget && \ + apt-get install -y curl tar apt-transport-https ca-certificates gnupg && \ apt-get clean && \ rm -rf /var/lib/apt/lists/* @@ -71,7 +71,7 @@ FROM ubuntu:24.04 AS base LABEL org.opencontainers.image.source=https://github.com/DataDog/dd-trace-java-docker-build RUN apt-get update && \ - apt-get install -y curl apt-transport-https ca-certificates gnupg \ + apt-get install -y curl tar apt-transport-https ca-certificates gnupg \ socat less debian-goodies autossh ca-certificates-java python3-pip && \ apt-get clean && \ rm -rf /var/lib/apt/lists/* && \ @@ -83,6 +83,8 @@ RUN <<-EOT dockerPluginDir=/usr/local/lib/docker/cli-plugins curl -sSL "https://github.com/docker/compose/releases/latest/download/docker-compose-linux-$(uname -m)" -o $dockerPluginDir/docker-compose chmod +x $dockerPluginDir/docker-compose + update-alternatives --remove docker-compose /usr/local/bin/compose-switch + rm -f /usr/local/bin/compose-switch curl -sSL "https://github.com/mikefarah/yq/releases/latest/download/yq_linux_$(dpkg --print-architecture).tar.gz" | tar -xz -C /usr/local/bin --wildcards --no-anchored 'yq_linux_*' YQ_PATH=$(find /usr/local/bin -name 'yq_linux_*') mv "$YQ_PATH" /usr/local/bin/yq From a6eb566d110e3246500deff6319b9b8516ecf58e Mon Sep 17 00:00:00 2001 From: Sarah Chen Date: Wed, 14 May 2025 17:50:57 -0400 Subject: [PATCH 03/11] Change run commands to heredoc formatting --- Dockerfile | 26 ++++++++++++++++---------- 1 file changed, 16 insertions(+), 10 deletions(-) diff --git a/Dockerfile b/Dockerfile index a06cb49..0c0e40e 100644 --- a/Dockerfile +++ b/Dockerfile 
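Review bot: `update-alternatives --remove docker-compose /usr/local/bin/compose-switch` and `rm -f /usr/local/bin/compose-switch`, re-added in the third hunk, were written against the CircleCI base image that shipped compose-switch; on a plain `ubuntu:24.04` base neither the alternative nor the file exists, so the two lines are dead code, and if `update-alternatives` ever returns non-zero for an unknown alternative the `set -eu` heredoc fails the build. If they are kept deliberately, a comment such as `# Leftover from cimg/base; no-op on a plain Ubuntu base` would stop the next reader from looking for compose-switch; otherwise drop both lines.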
@@ -21,10 +21,13 @@ COPY --from=ibm-semeru-runtimes:open-17-jdk-jammy /opt/java/openjdk /usr/lib/jvm COPY --from=ghcr.io/graalvm/native-image-community:17-ol9 /usr/lib64/graalvm/graalvm-community-java17 /usr/lib/jvm/graalvm17 COPY --from=ghcr.io/graalvm/native-image-community:21-ol9 /usr/lib64/graalvm/graalvm-community-java21 /usr/lib/jvm/graalvm21 -RUN apt-get update && \ - apt-get install -y curl tar apt-transport-https ca-certificates gnupg && \ - apt-get clean && \ - rm -rf /var/lib/apt/lists/* +RUN <<-EOT + set -eux + apt-get update + apt-get install -y curl tar apt-transport-https ca-certificates gnupg + apt-get clean + rm -rf /var/lib/apt/lists/* +EOT # See: https://gist.github.com/wavezhang/ba8425f24a968ec9b2a8619d7c2d86a6 RUN <<-EOT @@ -70,12 +73,15 @@ FROM ubuntu:24.04 AS base # https://docs.github.com/en/packages/learn-github-packages/connecting-a-repository-to-a-package LABEL org.opencontainers.image.source=https://github.com/DataDog/dd-trace-java-docker-build -RUN apt-get update && \ - apt-get install -y curl tar apt-transport-https ca-certificates gnupg \ - socat less debian-goodies autossh ca-certificates-java python3-pip && \ - apt-get clean && \ - rm -rf /var/lib/apt/lists/* && \ - mkdir -p /usr/local/lib/docker/cli-plugins /usr/local/bin +RUN <<-EOT + set -eux + apt-get update + apt-get install -y curl tar apt-transport-https ca-certificates gnupg \ + socat less debian-goodies autossh ca-certificates-java python3-pip + apt-get clean + rm -rf /var/lib/apt/lists/* + mkdir -p /usr/local/lib/docker/cli-plugins /usr/local/bin +EOT # Install Docker Compose plugin and yq YAML processor RUN <<-EOT From bdee917c45235febefe4f701f6f300f547650f05 Mon Sep 17 00:00:00 2001 From: Sarah Chen Date: Wed, 14 May 2025 18:07:47 -0400 Subject: [PATCH 04/11] Update to 8u451 --- Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Dockerfile b/Dockerfile index 0c0e40e..805a664 100644 --- a/Dockerfile +++ b/Dockerfile 
@@ -33,7 +33,7 @@ EOT RUN <<-EOT set -eux mkdir -p /usr/lib/jvm/oracle8 - curl -L --fail "https://javadl.oracle.com/webapps/download/AutoDL?BundleId=246284_165374ff4ea84ef0bbd821706e29b123" | tar -xvzf - -C /usr/lib/jvm/oracle8 --strip-components 1 + curl -L --fail "https://javadl.oracle.com/webapps/download/AutoDL?BundleId=252034_8a1589aa0fe24566b4337beee47c2d29" | tar -xvzf - -C /usr/lib/jvm/oracle8 --strip-components 1 EOT # Install Ubuntu's OpenJDK 17 and fix broken symlinks: From 4b52e2cc4feb47c9ccbe6a216a9fe5ef70cbc2fb Mon Sep 17 00:00:00 2001 From: Sarah Chen Date: Wed, 14 May 2025 20:53:34 -0400 Subject: [PATCH 05/11] Add non-root user --- Dockerfile | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) diff --git a/Dockerfile b/Dockerfile index 805a664..817eeb9 100644 --- a/Dockerfile +++ b/Dockerfile @@ -25,6 +25,8 @@ RUN <<-EOT set -eux apt-get update apt-get install -y curl tar apt-transport-https ca-certificates gnupg + groupadd --gid 1001 non-root-user + useradd --uid 1001 --gid 1001 -m non-root-user apt-get clean rm -rf /var/lib/apt/lists/* EOT @@ -59,6 +61,9 @@ RUN <<-EOT /usr/lib/jvm/graalvm*/lib/installer EOT +# Switch to non-root user during runtime for security +USER non-root-user + FROM scratch AS default-jdk COPY --from=all-jdk /usr/lib/jvm/8 /usr/lib/jvm/8 @@ -78,6 +83,8 @@ RUN <<-EOT apt-get update apt-get install -y curl tar apt-transport-https ca-certificates gnupg \ socat less debian-goodies autossh ca-certificates-java python3-pip + groupadd --gid 1001 non-root-user + useradd --uid 1001 --gid 1001 -m non-root-user apt-get clean rm -rf /var/lib/apt/lists/* mkdir -p /usr/local/lib/docker/cli-plugins /usr/local/bin @@ -117,6 +124,9 @@ RUN <<-EOT rm -rf /var/lib/apt/lists/* EOT +# Switch to non-root user during runtime for security +USER non-root-user + # IBM specific env variables ENV IBM_JAVA_OPTIONS="-XX:+UseContainerSupport" 
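Review bot: `USER non-root-user` added at the end of the `all-jdk` stage (the second hunk of this patch, just before `FROM scratch AS default-jdk`) has no effect: no `RUN` follows it, the stage is consumed only through `COPY --from`, and `USER` is not carried across stages — the same goes for the `groupadd`/`useradd` pair added to the `all-jdk` install step, which only adds cost to a layer that is never shipped. In the `base` stage the switch is right and the fixed uid/gid `1001` is good for `runAsNonRoot` checks; because the variant and `full` stages are `FROM base`, they inherit `USER`, so repeating `USER non-root-user` there (including the two hunks on the next line) is redundant but harmless. One consequence is worth documenting next to the `base`-stage `USER`: `sudo` was dropped in the first patch of this series, so nothing in the image can `apt-get install` at runtime any more, e.g. `# No sudo in the image: install tooling here, not in CI jobs`.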
@@ -141,6 +151,9 @@ COPY --from=all-jdk /usr/lib/jvm/${VARIANT_LOWER} /usr/lib/jvm/${VARIANT_LOWER} ENV JAVA_${VARIANT_UPPER}_HOME=/usr/lib/jvm/${VARIANT_LOWER} ENV JAVA_${VARIANT_LOWER}_HOME=/usr/lib/jvm/${VARIANT_LOWER} +# Switch to non-root user during runtime for security +USER non-root-user + # Full image for debugging, contains all JDKs. FROM base AS full @@ -156,6 +169,9 @@ COPY --from=all-jdk /usr/lib/jvm/ubuntu17 /usr/lib/jvm/ubuntu17 COPY --from=all-jdk /usr/lib/jvm/graalvm17 /usr/lib/jvm/graalvm17 COPY --from=all-jdk /usr/lib/jvm/graalvm21 /usr/lib/jvm/graalvm21 +# Switch to non-root user during runtime for security +USER non-root-user + ENV JAVA_7_HOME=/usr/lib/jvm/7 ENV JAVA_ZULU7_HOME=/usr/lib/jvm/7 From fdb4d6ba044b69766e516463fb294cf0b9032a1c Mon Sep 17 00:00:00 2001 From: Sarah Chen Date: Wed, 14 May 2025 21:12:06 -0400 Subject: [PATCH 06/11] Add locale variables --- Dockerfile | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/Dockerfile b/Dockerfile index 817eeb9..73a048b 100644 --- a/Dockerfile +++ b/Dockerfile @@ -24,13 +24,16 @@ COPY --from=ghcr.io/graalvm/native-image-community:21-ol9 /usr/lib64/graalvm/gra RUN <<-EOT set -eux apt-get update - apt-get install -y curl tar apt-transport-https ca-certificates gnupg + apt-get install -y curl tar apt-transport-https ca-certificates gnupg locales + locale-gen en_US.UTF-8 groupadd --gid 1001 non-root-user useradd --uid 1001 --gid 1001 -m non-root-user apt-get clean rm -rf /var/lib/apt/lists/* EOT +ENV LANG='en_US.UTF-8' LANGUAGE='en_US:en' LC_ALL='en_US.UTF-8' + # See: https://gist.github.com/wavezhang/ba8425f24a968ec9b2a8619d7c2d86a6 RUN <<-EOT set -eux 
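Review bot: The `locales` package, `locale-gen en_US.UTF-8` and the `ENV LANG=… LC_ALL=…` added to the `all-jdk` stage never reach a shipped image, because later stages copy only `/usr/lib/jvm` out of it; unless a `RUN` in that stage actually needs a UTF-8 locale (the archive extractions presumably do not), they are dead weight and only the `base`-stage copy (the hunks on the next line) is needed. Setting `LC_ALL` in the image is also worth a second look: it overrides every `LC_*` and `LANG` value a user passes at `docker run`, so a job cannot select another locale; `ENV LANG='en_US.UTF-8' LANGUAGE='en_US:en'` is normally sufficient and leaves `LC_ALL` for ad-hoc debugging.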
@@ -82,7 +85,8 @@ RUN <<-EOT set -eux apt-get update apt-get install -y curl tar apt-transport-https ca-certificates gnupg \ - socat less debian-goodies autossh ca-certificates-java python3-pip + socat less debian-goodies autossh ca-certificates-java python3-pip locales + locale-gen en_US.UTF-8 groupadd --gid 1001 non-root-user useradd --uid 1001 --gid 1001 -m non-root-user apt-get clean @@ -90,6 +94,8 @@ RUN <<-EOT mkdir -p /usr/local/lib/docker/cli-plugins /usr/local/bin EOT +ENV LANG='en_US.UTF-8' LANGUAGE='en_US:en' LC_ALL='en_US.UTF-8' + # Install Docker Compose plugin and yq YAML processor RUN <<-EOT set -eu From 6a28a556e0dcc3a93b0767ac5714872a7c6bbbfc Mon Sep 17 00:00:00 2001 From: Sarah Chen Date: Fri, 16 May 2025 10:06:32 -0400 Subject: [PATCH 07/11] Change to ubuntu:latest and clean up --- .github/workflows/ci.yml | 4 +--- Dockerfile | 6 +++--- 2 files changed, 4 insertions(+), 6 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index ae203bd..f4fa346 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -7,9 +7,7 @@ on: branches: - master schedule: - # Tuesday at 10. One day after the CircleCI scheduled upddate - # See: https://github.com/CircleCI-Public/cimg-base/blob/main/.circleci/schedule.json - - cron: '0 10 * * 2' + - cron: '0 0 * * 0' workflow_dispatch: jobs: diff --git a/Dockerfile b/Dockerfile index 73a048b..98c0f98 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,7 +1,7 @@ # syntax=docker/dockerfile:1.6 # Intermediate image used to prune cruft from JDKs and squash them all. -FROM ubuntu:24.04 AS all-jdk +FROM ubuntu:latest AS all-jdk COPY --from=eclipse-temurin:8-jdk-jammy /opt/java/openjdk /usr/lib/jvm/8 COPY --from=eclipse-temurin:11-jdk-jammy /opt/java/openjdk /usr/lib/jvm/11 
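Review bot: The replaced cron entry drops the only explanation of why the image is rebuilt on a schedule, leaving `'0 0 * * 0'` undocumented. A one-line comment above it, for example `# Weekly rebuild (Sunday 00:00 UTC) so the image picks up base-image and package updates`, preserves the intent the removed comment carried. GitHub schedules run in UTC, so moving from Tuesday 10:00 to midnight Sunday may also change who notices a failed scheduled build; that is worth a line in the commit message.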
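Review bot: `FROM ubuntu:latest AS all-jdk` (and `AS base` in the next hunk) makes the build non-reproducible: the tag moves to the next LTS without any change to this repository, and things this file hardcodes — `/usr/lib/jvm/java-17-openjdk-amd64`, `jvm-amd64.cfg`, the availability of `openjdk-17-jdk` and `python3-pip` under a new release — may silently change with it. The previous `ubuntu:24.04` was the better choice; pin it, ideally by digest, and bump deliberately, e.g. `ARG UBUNTU_TAG=24.04` before the first `FROM`, then `FROM ubuntu:${UBUNTU_TAG} AS all-jdk` and `FROM ubuntu:${UBUNTU_TAG} AS base`, which also guarantees both stages are on the same release. The weekly CI rebuild added in this same patch still picks up package updates inside the pinned release, so nothing is lost by pinning.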
@@ -75,8 +75,8 @@ COPY --from=all-jdk /usr/lib/jvm/17 /usr/lib/jvm/17 COPY --from=all-jdk /usr/lib/jvm/21 /usr/lib/jvm/21 # Base image with minimunm requirenents to build the project. -# Based on CircleCI Base Image with Ubuntu 22.04.3 LTS, present in most runners. -FROM ubuntu:24.04 AS base +# Based on the latest Ubuntu LTS image. +FROM ubuntu:latest AS base # https://docs.github.com/en/packages/learn-github-packages/connecting-a-repository-to-a-package LABEL org.opencontainers.image.source=https://github.com/DataDog/dd-trace-java-docker-build From 0b8f7595236fc00f7d930bc2a9c49d20d71ff0b9 Mon Sep 17 00:00:00 2001 From: Sarah Chen Date: Fri, 16 May 2025 12:35:23 -0400 Subject: [PATCH 08/11] Add missing clean --- Dockerfile | 2 ++ 1 file changed, 2 insertions(+) diff --git a/Dockerfile b/Dockerfile index 98c0f98..3445d83 100644 --- a/Dockerfile +++ b/Dockerfile @@ -52,6 +52,8 @@ RUN <<-EOT cp -rf --remove-destination /etc/java-17-openjdk/* /usr/lib/jvm/ubuntu17/conf/ cp -rf --remove-destination /etc/java-17-openjdk/* /usr/lib/jvm/ubuntu17/lib/ cp -f --remove-destination /etc/java-17-openjdk/jvm-amd64.cfg /usr/lib/jvm/ubuntu17/lib/ + apt-get clean + rm -rf /var/lib/apt/lists/* EOT # Remove cruft from JDKs that is not used in the build process. From 9e570fc5e95edb807b1b550eed8657b54319967f Mon Sep 17 00:00:00 2001 From: Sarah Chen Date: Fri, 16 May 2025 12:45:11 -0400 Subject: [PATCH 09/11] Update non-root-group --- Dockerfile | 28 ++++++++++++++++------------ 1 file changed, 16 insertions(+), 12 deletions(-) diff --git a/Dockerfile b/Dockerfile index 3445d83..6252cce 100644 --- a/Dockerfile +++ b/Dockerfile 
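Review bot: The rewritten comment above `FROM ubuntu:latest AS base` leaves the line before it, `# Base image with minimunm requirenents to build the project.`, with two typos; since the block is being edited anyway, `# Base image with minimum requirements to build the project.` would fix them. "Based on the latest Ubuntu LTS image" also describes how Docker Hub happens to move the `latest` tag today rather than anything this file controls; if the tag is later pinned, the comment should name the release instead.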
@@ -26,8 +26,8 @@ RUN <<-EOT apt-get update apt-get install -y curl tar apt-transport-https ca-certificates gnupg locales locale-gen en_US.UTF-8 - groupadd --gid 1001 non-root-user - useradd --uid 1001 --gid 1001 -m non-root-user + groupadd --gid 1001 non-root-group + useradd --uid 1001 --gid non-root-group -m non-root-group apt-get clean rm -rf /var/lib/apt/lists/* EOT @@ -66,8 +66,9 @@ RUN <<-EOT /usr/lib/jvm/graalvm*/lib/installer EOT -# Switch to non-root user during runtime for security -USER non-root-user +# Switch to non-root group during runtime for security +USER non-root-group +WORKDIR /home/non-root-group FROM scratch AS default-jdk @@ -89,8 +90,8 @@ RUN <<-EOT apt-get install -y curl tar apt-transport-https ca-certificates gnupg \ socat less debian-goodies autossh ca-certificates-java python3-pip locales locale-gen en_US.UTF-8 - groupadd --gid 1001 non-root-user - useradd --uid 1001 --gid 1001 -m non-root-user + groupadd --gid 1001 non-root-group + useradd --uid 1001 --gid non-root-group -m non-root-group apt-get clean rm -rf /var/lib/apt/lists/* mkdir -p /usr/local/lib/docker/cli-plugins /usr/local/bin @@ -132,8 +133,9 @@ RUN <<-EOT rm -rf /var/lib/apt/lists/* EOT -# Switch to non-root user during runtime for security -USER non-root-user +# Switch to non-root group during runtime for security +USER non-root-group +WORKDIR /home/non-root-group # IBM specific env variables ENV IBM_JAVA_OPTIONS="-XX:+UseContainerSupport" @@ -159,8 +161,9 @@ COPY --from=all-jdk /usr/lib/jvm/${VARIANT_LOWER} /usr/lib/jvm/${VARIANT_LOWER} ENV JAVA_${VARIANT_UPPER}_HOME=/usr/lib/jvm/${VARIANT_LOWER} ENV JAVA_${VARIANT_LOWER}_HOME=/usr/lib/jvm/${VARIANT_LOWER} -# Switch to non-root user during runtime for security -USER non-root-user +# Switch to non-root group during runtime for security +USER non-root-group +WORKDIR /home/non-root-group # Full image for debugging, contains all JDKs. FROM base AS full 
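Review bot: `useradd --uid 1001 --gid non-root-group -m non-root-group` creates an account literally named `non-root-group`, so every `USER non-root-group` and `WORKDIR /home/non-root-group` in this patch (the other hunks here and on the next line) now runs as a user whose name says it is a group; the rename was presumably meant for the group only. Keep `groupadd --gid 1001 non-root-group`, change the user line to `useradd --uid 1001 --gid non-root-group -m non-root-user`, and use `USER non-root-user` / `WORKDIR /home/non-root-user` in the stages, leaving the comment as `# Switch to non-root user during runtime for security`, since it is the user, not the group, that is switched. As with the earlier user-related commit, the `USER`/`WORKDIR` pair in the `all-jdk` stage has no consumer and could simply be dropped.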
@@ -177,8 +180,9 @@ COPY --from=all-jdk /usr/lib/jvm/ubuntu17 /usr/lib/jvm/ubuntu17 COPY --from=all-jdk /usr/lib/jvm/graalvm17 /usr/lib/jvm/graalvm17 COPY --from=all-jdk /usr/lib/jvm/graalvm21 /usr/lib/jvm/graalvm21 -# Switch to non-root user during runtime for security -USER non-root-user +# Switch to non-root group during runtime for security +USER non-root-group +WORKDIR /home/non-root-group ENV JAVA_7_HOME=/usr/lib/jvm/7 From 0ff404e41ff4dc87d8b8947ce04e69cc96c2e0ce Mon Sep 17 00:00:00 2001 From: Sarah Chen Date: Fri, 16 May 2025 14:49:55 -0400 Subject: [PATCH 10/11] Add dependencies --- Dockerfile | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/Dockerfile b/Dockerfile index 6252cce..55b6858 100644 --- a/Dockerfile +++ b/Dockerfile @@ -24,7 +24,7 @@ COPY --from=ghcr.io/graalvm/native-image-community:21-ol9 /usr/lib64/graalvm/gra RUN <<-EOT set -eux apt-get update - apt-get install -y curl tar apt-transport-https ca-certificates gnupg locales + apt-get install -y curl tar apt-transport-https ca-certificates gnupg locales jq git gh locale-gen en_US.UTF-8 groupadd --gid 1001 non-root-group useradd --uid 1001 --gid non-root-group -m non-root-group @@ -88,7 +88,7 @@ RUN <<-EOT set -eux apt-get update apt-get install -y curl tar apt-transport-https ca-certificates gnupg \ - socat less debian-goodies autossh ca-certificates-java python3-pip locales + socat less debian-goodies autossh ca-certificates-java python3-pip locales jq git gh locale-gen en_US.UTF-8 groupadd --gid 1001 non-root-group useradd --uid 1001 --gid non-root-group -m non-root-group From 0144d54944bad72cde710aa5f15bb7545f0442ba Mon Sep 17 00:00:00 2001 From: Sarah Chen Date: Fri, 16 May 2025 15:54:35 -0400 Subject: [PATCH 11/11] Adjust non-root-group folder permissions --- Dockerfile | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/Dockerfile b/Dockerfile index 55b6858..499d65f 100644 --- a/Dockerfile +++ b/Dockerfile 
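Review bot: `jq git gh` are added to the `all-jdk` install list as well as to `base`, but the `all-jdk` stage only exports `/usr/lib/jvm`, so the first hunk installs three packages and their dependencies into a layer that is thrown away; adding them to the `base` stage alone is enough. None of the apt packages in either list are pinned, so the `git` and `gh` that end up in the image depend on the archive state at build time; if CI jobs rely on specific behaviour, pin them (`gh=<version>`) or at least print `git --version` and `gh --version` at the end of the heredoc so the build log records what was installed. Whether the `gh` in the Ubuntu archive is recent enough for the workflows that use it is not visible here and worth confirming.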
@@ -28,6 +28,9 @@ RUN <<-EOT locale-gen en_US.UTF-8 groupadd --gid 1001 non-root-group useradd --uid 1001 --gid non-root-group -m non-root-group + mkdir -p /home/non-root-group/.config + git config --system --add safe.directory '*' + chown -R non-root-group:non-root-group /home/non-root-group/.config apt-get clean rm -rf /var/lib/apt/lists/* EOT @@ -92,6 +95,9 @@ RUN <<-EOT locale-gen en_US.UTF-8 groupadd --gid 1001 non-root-group useradd --uid 1001 --gid non-root-group -m non-root-group + mkdir -p /home/non-root-group/.config + git config --system --add safe.directory '*' + chown -R non-root-group:non-root-group /home/non-root-group/.config apt-get clean rm -rf /var/lib/apt/lists/* mkdir -p /usr/local/lib/docker/cli-plugins /usr/local/bin
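Review bot: `git config --system --add safe.directory '*'` turns off git's repository-ownership check for every path and every user in the image — including in the `all-jdk` stage, where nothing uses git — and that check is what stops a checkout owned by another uid from supplying hooks and configuration to git commands run as the unprivileged user. The wildcard is presumably there because CI mounts a workspace owned by the host uid into the container; if so, allow-list that path instead, e.g. `git config --system --add safe.directory <CI_WORKSPACE_PATH>`, or have the job `chown` the mount, and add a comment stating why the exception exists. The `mkdir -p` plus `chown -R` of `.config` can be a single `install -d -o non-root-group -g non-root-group /home/non-root-group/.config`, which also avoids recursing. The second hunk duplicates all three lines in `base`; only the `.config` setup is needed there if the wildcard goes.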