DataDog · sarahchen6 · May 13, 2025 · May 14, 2025 · May 14, 2025 · May 14, 2025
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -7,9 +7,7 @@ on:
     branches:
       - master
   schedule:
-    # Tuesday at 10. One day after the CircleCI scheduled upddate
-    # See: https://github.com/CircleCI-Public/cimg-base/blob/main/.circleci/schedule.json
-    - cron: '0 10 * * 2' 
+    - cron: '0 0 * * 0' 
   workflow_dispatch:
 
 jobs:

diff --git a/Dockerfile b/Dockerfile
@@ -1,7 +1,7 @@
 # syntax=docker/dockerfile:1.6
 
 # Intermediate image used to prune cruft from JDKs and squash them all.
-FROM cimg/base:current-22.04 AS all-jdk
+FROM ubuntu:latest AS all-jdk
 
 COPY --from=eclipse-temurin:8-jdk-jammy /opt/java/openjdk /usr/lib/jvm/8
 COPY --from=eclipse-temurin:11-jdk-jammy /opt/java/openjdk /usr/lib/jvm/11
@@ -21,35 +21,58 @@ COPY --from=ibm-semeru-runtimes:open-17-jdk-jammy /opt/java/openjdk /usr/lib/jvm
 COPY --from=ghcr.io/graalvm/native-image-community:17-ol9 /usr/lib64/graalvm/graalvm-community-java17 /usr/lib/jvm/graalvm17
 COPY --from=ghcr.io/graalvm/native-image-community:21-ol9 /usr/lib64/graalvm/graalvm-community-java21 /usr/lib/jvm/graalvm21
 
-RUN sudo apt-get -y update && sudo apt-get -y install curl
+RUN <<-EOT
+	set -eux
+	apt-get update
+	apt-get install -y curl tar apt-transport-https ca-certificates gnupg locales jq git gh
+	locale-gen en_US.UTF-8
+	groupadd --gid 1001 non-root-group
+	useradd --uid 1001 --gid non-root-group -m non-root-group
+	mkdir -p /home/non-root-group/.config
+  git config --system --add safe.directory '*'
+  chown -R non-root-group:non-root-group /home/non-root-group/.config
+	apt-get clean
+	rm -rf /var/lib/apt/lists/*
+EOT
+
+ENV LANG='en_US.UTF-8' LANGUAGE='en_US:en' LC_ALL='en_US.UTF-8'
+
 # See: https://gist.github.com/wavezhang/ba8425f24a968ec9b2a8619d7c2d86a6
 RUN <<-EOT
 	set -eux
-	sudo mkdir -p /usr/lib/jvm/oracle8
-	curl -L --fail "https://javadl.oracle.com/webapps/download/AutoDL?BundleId=246284_165374ff4ea84ef0bbd821706e29b123" | sudo tar -xvzf - -C /usr/lib/jvm/oracle8 --strip-components 1
+	mkdir -p /usr/lib/jvm/oracle8
+	curl -L --fail "https://javadl.oracle.com/webapps/download/AutoDL?BundleId=252034_8a1589aa0fe24566b4337beee47c2d29" | tar -xvzf - -C /usr/lib/jvm/oracle8 --strip-components 1
 EOT
 
 # Install Ubuntu's OpenJDK 17 and fix broken symlinks:
 # some files in /usr/lib/jvm/ubuntu17 are symlinks to /etc/java-17-openjdk/, so we just copy all symlinks targets.
 RUN <<-EOT
 	set -eux
-	sudo apt-get install openjdk-17-jdk
-	sudo mv /usr/lib/jvm/java-17-openjdk-amd64 /usr/lib/jvm/ubuntu17
-	sudo cp -rf --remove-destination /etc/java-17-openjdk/* /usr/lib/jvm/ubuntu17/conf/
-	sudo cp -rf --remove-destination /etc/java-17-openjdk/* /usr/lib/jvm/ubuntu17/lib/
-	sudo cp -f --remove-destination /etc/java-17-openjdk/jvm-amd64.cfg /usr/lib/jvm/ubuntu17/lib/
+	apt-get update
+	apt-get install -y openjdk-17-jdk
+	mv /usr/lib/jvm/java-17-openjdk-amd64 /usr/lib/jvm/ubuntu17
+	mkdir -p /usr/lib/jvm/ubuntu17/conf/ /usr/lib/jvm/ubuntu17/lib/
+	cp -rf --remove-destination /etc/java-17-openjdk/* /usr/lib/jvm/ubuntu17/conf/
+	cp -rf --remove-destination /etc/java-17-openjdk/* /usr/lib/jvm/ubuntu17/lib/
+	cp -f --remove-destination /etc/java-17-openjdk/jvm-amd64.cfg /usr/lib/jvm/ubuntu17/lib/
+	apt-get clean
+	rm -rf /var/lib/apt/lists/*
 EOT
 
 # Remove cruft from JDKs that is not used in the build process.
 RUN <<-EOT
-	sudo rm -rf \
+	rm -rf \
 	  /usr/lib/jvm/*/man \
 	  /usr/lib/jvm/*/lib/src.zip \
 	  /usr/lib/jvm/*/demo \
 	  /usr/lib/jvm/*/sample \
 	  /usr/lib/jvm/graalvm*/lib/installer
 EOT
 
+# Switch to non-root group during runtime for security
+USER non-root-group
+WORKDIR /home/non-root-group
+
 FROM scratch AS default-jdk
 
 COPY --from=all-jdk /usr/lib/jvm/8 /usr/lib/jvm/8
@@ -58,24 +81,42 @@ COPY --from=all-jdk /usr/lib/jvm/17 /usr/lib/jvm/17
 COPY --from=all-jdk /usr/lib/jvm/21 /usr/lib/jvm/21
 
 # Base image with minimunm requirenents to build the project.
-# Based on CircleCI Base Image with Ubuntu 22.04.3 LTS, present in most runners.
-FROM cimg/base:current-22.04 AS base
+# Based on the latest Ubuntu LTS image.
+FROM ubuntu:latest AS base
 
 # https://docs.github.com/en/packages/learn-github-packages/connecting-a-repository-to-a-package
 LABEL org.opencontainers.image.source=https://github.com/DataDog/dd-trace-java-docker-build
 
-# Replace Docker Compose and yq versions by latest and remove docker-switch from CircleCI Base Image for security purposes
+RUN <<-EOT
+	set -eux
+	apt-get update
+	apt-get install -y curl tar apt-transport-https ca-certificates gnupg \
+	socat less debian-goodies autossh ca-certificates-java python3-pip locales jq git gh
+	locale-gen en_US.UTF-8
+	groupadd --gid 1001 non-root-group
+	useradd --uid 1001 --gid non-root-group -m non-root-group
+	mkdir -p /home/non-root-group/.config
+  git config --system --add safe.directory '*'
+  chown -R non-root-group:non-root-group /home/non-root-group/.config
+	apt-get clean
+	rm -rf /var/lib/apt/lists/*
+	mkdir -p /usr/local/lib/docker/cli-plugins /usr/local/bin
+EOT
+
+ENV LANG='en_US.UTF-8' LANGUAGE='en_US:en' LC_ALL='en_US.UTF-8'
+
+# Install Docker Compose plugin and yq YAML processor
 RUN <<-EOT
 	set -eu
 	dockerPluginDir=/usr/local/lib/docker/cli-plugins
-	sudo curl -sSL "https://github.com/docker/compose/releases/latest/download/docker-compose-linux-$(uname -m)" -o $dockerPluginDir/docker-compose
-	sudo chmod +x $dockerPluginDir/docker-compose
-	sudo sudo update-alternatives --remove docker-compose /usr/local/bin/compose-switch
-	sudo rm -f /usr/local/bin/compose-switch
-	sudo rm /usr/local/bin/{install-man-page.sh,yq*}
-	curl -sSL "https://github.com/mikefarah/yq/releases/latest/download/yq_linux_$(dpkg --print-architecture).tar.gz" | sudo tar -xz -C /usr/local/bin --wildcards --no-anchored 'yq_linux_*'
-	sudo mv /usr/local/bin/yq{_linux_*,}
-	sudo chown root:root /usr/local/bin/yq
+	curl -sSL "https://github.com/docker/compose/releases/latest/download/docker-compose-linux-$(uname -m)" -o $dockerPluginDir/docker-compose
+	chmod +x $dockerPluginDir/docker-compose
+	update-alternatives --remove docker-compose /usr/local/bin/compose-switch
+	rm -f /usr/local/bin/compose-switch
+	curl -sSL "https://github.com/mikefarah/yq/releases/latest/download/yq_linux_$(dpkg --print-architecture).tar.gz" | tar -xz -C /usr/local/bin --wildcards --no-anchored 'yq_linux_*'
+	YQ_PATH=$(find /usr/local/bin -name 'yq_linux_*')
+	mv "$YQ_PATH" /usr/local/bin/yq
+	chown root:root /usr/local/bin/yq
 EOT
 
 COPY --from=default-jdk /usr/lib/jvm /usr/lib/jvm
@@ -88,22 +129,20 @@ COPY autoforward.py /usr/local/bin/autoforward
 # - datadog-ci: Datadog CI tool
 RUN <<-EOT
 	set -eux
-	sudo apt-get update
-	sudo apt-get install --no-install-recommends apt-transport-https socat
-	sudo apt-get install --no-install-recommends vim less debian-goodies
-	sudo apt-get install --no-install-recommends autossh
-	sudo apt-get install ca-certificates-java
-	sudo apt install python3-pip
-	sudo apt-get -y clean
-	sudo rm -rf /var/lib/apt/lists/*
-	pip3 install awscli
-	pip3 install requests requests-unixsocket2
+	apt-get update
+	pip3 install --break-system-packages awscli requests requests-unixsocket2
 	pip3 cache purge
-	sudo chmod +x /usr/local/bin/autoforward
-	sudo curl -L --fail "https://github.com/DataDog/datadog-ci/releases/latest/download/datadog-ci_linux-x64" --output "/usr/local/bin/datadog-ci"
-	sudo chmod +x /usr/local/bin/datadog-ci
+	chmod +x /usr/local/bin/autoforward
+	curl -L --fail "https://github.com/DataDog/datadog-ci/releases/latest/download/datadog-ci_linux-x64" --output "/usr/local/bin/datadog-ci"
+	chmod +x /usr/local/bin/datadog-ci
+	apt-get clean
+	rm -rf /var/lib/apt/lists/*
 EOT
 
+# Switch to non-root group during runtime for security
+USER non-root-group
+WORKDIR /home/non-root-group
+
 # IBM specific env variables
 ENV IBM_JAVA_OPTIONS="-XX:+UseContainerSupport"
 
@@ -128,6 +167,10 @@ COPY --from=all-jdk /usr/lib/jvm/${VARIANT_LOWER} /usr/lib/jvm/${VARIANT_LOWER}
 ENV JAVA_${VARIANT_UPPER}_HOME=/usr/lib/jvm/${VARIANT_LOWER}
 ENV JAVA_${VARIANT_LOWER}_HOME=/usr/lib/jvm/${VARIANT_LOWER}
 
+# Switch to non-root group during runtime for security
+USER non-root-group
+WORKDIR /home/non-root-group
+
 # Full image for debugging, contains all JDKs.
 FROM base AS full
 
@@ -143,6 +186,10 @@ COPY --from=all-jdk /usr/lib/jvm/ubuntu17 /usr/lib/jvm/ubuntu17
 COPY --from=all-jdk /usr/lib/jvm/graalvm17 /usr/lib/jvm/graalvm17
 COPY --from=all-jdk /usr/lib/jvm/graalvm21 /usr/lib/jvm/graalvm21
 
+# Switch to non-root group during runtime for security
+USER non-root-group
+WORKDIR /home/non-root-group
+
 ENV JAVA_7_HOME=/usr/lib/jvm/7
 
 ENV JAVA_ZULU7_HOME=/usr/lib/jvm/7