From 771b6c80d1e244ee1da3d2837b8a5c76784a344f Mon Sep 17 00:00:00 2001
From: Fadhli Azhari
Date: Fri, 15 May 2026 16:37:19 +0800
Subject: [PATCH] build(java): reorder build stage to better cache OWASP library

---
 ci/java-builder/Dockerfile | 51 ++++++++++++++++++++++++++------------
 1 file changed, 35 insertions(+), 16 deletions(-)

diff --git a/ci/java-builder/Dockerfile b/ci/java-builder/Dockerfile
index d1814cd..f91b789 100644
--- a/ci/java-builder/Dockerfile
+++ b/ci/java-builder/Dockerfile
@@ -16,31 +16,26 @@ # only invalidates that layer and everything below it, so volatile pins # (pnpm, buf) live near the bottom to avoid forcing OWASP NVD or Maven # downloads to re-run. +# +# The apt installs are deliberately split in two: a minimal set +# (ca-certificates + curl) lands above OWASP so the NVD pre-warm can +# fetch Maven, and everything else (Node.js, ssh, git, jq, …) lands +# BELOW OWASP. Adding/removing those packages then leaves the ~5GB NVD +# layer untouched, instead of invalidating it and triggering a full +# re-download as happened in 292de2f when ssh tools were added above. ARG JAVA_VERSION=25 FROM eclipse-temurin:${JAVA_VERSION}-jdk-jammy # ───────────────────────────────────────────────────────────────────── -# System dependencies + Node.js +# Minimal system deps required to fetch Maven and run the OWASP NVD +# pre-warm. Keep this list small — every package added here invalidates +# the OWASP layer below. Everything else is installed in a second apt +# layer further down. # ───────────────────────────────────────────────────────────────────── -ARG NODE_MAJOR=24 - RUN apt-get update && apt-get install -y --no-install-recommends \ ca-certificates \ curl \ - git \ - gnupg \ - jq \ - unzip \ - openssl \ - openssh-client \ - sshpass \ - && mkdir -p /etc/apt/keyrings \ - && curl -fsSL https://deb.nodesource.com/gpgkey/nodesource-repo.gpg.key \ - | gpg --dearmor -o /etc/apt/keyrings/nodesource.gpg \ - && echo "deb [signed-by=/etc/apt/keyrings/nodesource.gpg] https://deb.nodesource.com/node_${NODE_MAJOR}.x nodistro main" \ - > /etc/apt/sources.list.d/nodesource.list \ - && apt-get update && apt-get install -y --no-install-recommends nodejs \ && rm -rf /var/lib/apt/lists/* # ───────────────────────────────────────────────────────────────────── 
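Review bot: The trimmed first apt layer (`ca-certificates`, `curl`) is now intentionally frozen together with the OWASP/NVD layer below it, so fixes to those two packages — including the CA bundle that validates the Maven and NVD downloads — will only land when the layer is rebuilt without cache; the new header comment documents the cache win but not this trade-off. Assuming CI relies on Docker layer caching as the comment describes, add after `# layer further down.` a line such as `# NOTE: this layer and the base image only refresh on a --no-cache rebuild; schedule one periodically so curl/ca-certificates receive security updates.` The OWASP stage that consumes this layer lies outside the hunk.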
@@ -92,6 +87,30 @@ RUN echo "NVD_REFRESH=${NVD_REFRESH}" \ || echo "WARNING: NVD pre-warm did NOT complete — image built without a warm cache. CI scans will download on demand. (NVD API was flaky at build time; retry the image build later.)" ) \ && du -sh "${OWASP_DATA_DIR}" 2>/dev/null || true +# ───────────────────────────────────────────────────────────────────── +# Remaining system deps + Node.js +# +# Placed below OWASP on purpose: bumping Node major or adding/removing +# tooling (ssh, git, jq, …) must NOT invalidate the NVD layer above. +# ───────────────────────────────────────────────────────────────────── +ARG NODE_MAJOR=24 + +RUN apt-get update && apt-get install -y --no-install-recommends \ + git \ + gnupg \ + jq \ + unzip \ + openssl \ + openssh-client \ + sshpass \ + && mkdir -p /etc/apt/keyrings \ + && curl -fsSL https://deb.nodesource.com/gpgkey/nodesource-repo.gpg.key \ + | gpg --dearmor -o /etc/apt/keyrings/nodesource.gpg \ + && echo "deb [signed-by=/etc/apt/keyrings/nodesource.gpg] https://deb.nodesource.com/node_${NODE_MAJOR}.x nodistro main" \ + > /etc/apt/sources.list.d/nodesource.list \ + && apt-get update && apt-get install -y --no-install-recommends nodejs \ + && rm -rf /var/lib/apt/lists/* + # ───────────────────────────────────────────────────────────────────── # ORAS CLI — for uploading artifacts to Harbor. # Low-volatility static binary; placed before buf/pnpm so a bump here
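Review bot: In the relocated `curl -fsSL … | gpg --dearmor -o …` pipeline the status checked by the following `&&` is gpg's, not curl's, because Docker's default `/bin/sh -c` has no `pipefail`; a failed key download is therefore not caught at the download step and would, at best, surface later when `apt-get update` rejects the nodesource repository. Add `SHELL ["/bin/bash", "-o", "pipefail", "-c"]` before this RUN (bash is expected in the jammy base image, but confirm) so the step fails where the error happens; this also clears hadolint DL4006. The pipeline is moved verbatim from the block removed in the first hunk, so the point concerns the moved code rather than the reordering itself.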