2 changes: 1 addition & 1 deletion gradle-example/Dockerfile
Expand Up @@ -12,7 +12,7 @@
# See the License for the specific language governing permissions and
# limitations under the License.

FROM eclipse-temurin:21.0.7_6-jdk-alpine
FROM eclipse-temurin:21.0.9_10-jdk-alpine

high

While updating the JDK version is a good practice, I've noticed that the build environment defined in gradle-example/cloudbuild.yaml uses JDK 17 (gradle:8-jdk17), whereas this Dockerfile specifies a JDK 21 runtime. Using different major JDK versions for build and runtime can lead to subtle compatibility issues and prevents you from using newer language features. It's highly recommended to align the JDK versions across your build and runtime environments.

For more deterministic and secure builds, I've updated this line to pin the base image using its digest (@sha256:...) instead of a mutable tag. This ensures you're always using the exact same base image.

FROM eclipse-temurin@sha256:4c73b24803c642e8a7f7634335a4358d1931cf94132367f6f1c13750e5995b0b

ARG JAR_FILE=JAR_FILE_MUST_BE_SPECIFIED_AS_BUILD_ARG
COPY ${JAR_FILE} app.jar
ENTRYPOINT ["java", "-Djava.security.edg=file:/dev/./urandom","-jar","/app.jar"]
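
Review bot: The `ENTRYPOINT` context line at the end of this hunk passes `-Djava.security.edg=file:/dev/./urandom`, but the JVM property is spelled `java.security.egd`, so the misspelled flag only sets an unused system property and the entropy-source setting never takes effect. Since this file is being touched, either correct the spelling or drop the flag so the entrypoint matches the one in maven-example/Dockerfile (`ENTRYPOINT ["java", "-jar", "/app.jar"]`).
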
2 changes: 1 addition & 1 deletion maven-example/Dockerfile
Expand Up @@ -12,7 +12,7 @@
# See the License for the specific language governing permissions and
# limitations under the License.

FROM eclipse-temurin:21.0.7_6-jdk-alpine
FROM eclipse-temurin:21.0.9_10-jdk-alpine

high

Similar to the gradle example, I've noticed a mismatch between the build and runtime JDK versions. The build environment in maven-example/cloudbuild.yaml uses JDK 17 (maven:3-eclipse-temurin-17-alpine), but this Dockerfile uses a JDK 21 runtime. To ensure consistency and prevent potential runtime issues, it's best practice to use the same major JDK version for both building and running your application.

For improved build reproducibility and security, I've also updated this line to pin the base image by its digest (@sha256:...) rather than a tag, which can be overwritten.

FROM eclipse-temurin@sha256:4c73b24803c642e8a7f7634335a4358d1931cf94132367f6f1c13750e5995b0b

ARG JAR_FILE=JAR_FILE_MUST_BE_SPECIFIED_AS_BUILD_ARG
COPY ${JAR_FILE} app.jar
ENTRYPOINT ["java", "-jar", "/app.jar"]
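
Review bot: No `USER` instruction appears between `FROM` and `ENTRYPOINT` in the lines shown here, so the application runs as the base image's default user. Consider creating an unprivileged account and adding a `USER` line before `ENTRYPOINT`, and giving `COPY ${JAR_FILE} app.jar` an absolute destination (`/app.jar`) so it cannot drift from the path the entrypoint runs if a `WORKDIR` is introduced later.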